Elastic Compute Service:Alibaba Cloud Linux image requirements

Last Updated:Mar 20, 2025

Before you import custom images to Alibaba Cloud or release custom images in the Alibaba Cloud Marketplace, the images must meet the image requirements and pass tests on compatibility with Elastic Compute Service (ECS) instance types. This helps improve the availability and import efficiency of custom images and facilitates the subsequent creation of ECS instances that meet various business requirements. This topic describes the requirements for Alibaba Cloud Linux images.

Disk partitions

When you partition disks for images during image creation, make sure that the following requirements are met:

  • Disk resizing

    • Partition each disk in order and make the root partition the last partition on the system disk. growpart can only grow the last partition into the free space at the end of a disk, so this layout is what allows the system disk to be resized later without repartitioning failures.

    • For operating systems that support online disk resizing, we recommend that you install the cloud-utils-growpart package and use the growpart utility to extend partitions to occupy available disk space. For more information, see Extend the partitions and file systems of disks on a Linux instance.

  • Swap partitions

    When you create images, do not use swap partitions.

  • Disk mounting

    You must configure UUIDs in the fstab and grub files. For more information, see Configure UUIDs in the fstab file to automatically mount data disks and How to Modify the File Disk Identifier to UUID in a Linux Image Grub File.

    Important

    If the fstab file is incorrectly configured for an ECS instance, the instance may fail to run as expected after the instance is restarted.

  • Disk sizes

    The system disk size is at least 20 GiB.

  • Image boot modes

    To adapt to instance types that support a specific boot mode, we recommend that you configure the boot mode in your on-premises image. When you import the image to Alibaba Cloud, you must specify the boot mode supported by the image.

    Note

    If your on-premises image supports both the BIOS and UEFI modes, specify UEFI-Preferred when you import the image to Alibaba Cloud. The image then adapts to the boot mode of every instance type, so you maintain one image instead of one per boot mode.

Required software and tools

  • Install the virtio driver

    Before you release an image, make sure that the virtio drivers (such as virtio_blk and virtio_net) are installed in the image and included in its initramfs, the temporary root file system that the kernel uses before it mounts the real root disk. Without them the instance has neither its system disk nor its network interface at boot. For more information, see Install the virtio driver.

  • Install the NVMe driver

    ECS instance families of newer generations, such as ecs.g8i and ecs.g7se, allow disks to be attached by using the Non-Volatile Memory Express (NVMe) protocol. If you want to use your on-premises image to create ECS instances of one of the preceding instance families and ensure that the instances run as expected, install the NVMe driver on the image. For more information, see How do I install the NVMe driver for a custom image? When you import the image to Alibaba Cloud, set the NVMe Drive parameter to Supported. For more information, see Modify the attributes and tags of an image.

  • Install cloud-init

    When you create images, install cloud-init so that the ECS instances that run the images can be initialized (hostname, passwords, SSH keys, and user data). For more information, see Install cloud-init. We recommend that you install cloud-init 23.2.2. This version can access instance metadata in security hardening mode (token-based access to the metadata service), which protects the metadata, including RAM role credentials, from being read with a plain GET request, for example through a server-side request forgery in an application that runs on the instance.

    Note

    If you want to use cloud-init to change passwords, make sure that the operating system kernel of your image supports the CONFIG_FW_CFG_SYSFS feature. By default, Linux community kernel 4.6 and later and CentOS kernel 3.10.0-826.el7 and later support the CONFIG_FW_CFG_SYSFS feature. To check whether this feature is supported, run the grep -nr CONFIG_FW_CFG_SYSFS /boot/config-$(uname -r) command on the source server of the image. If the command output contains CONFIG_FW_CFG_SYSFS=y, the kernel of the image supports the CONFIG_FW_CFG_SYSFS feature.

  • Install Cloud Assistant

    When you create images, install Cloud Assistant. Cloud Assistant is a native automated O&M tool developed for ECS. Cloud Assistant allows you to batch run commands, such as shell, PowerShell, and batch commands, to execute various tasks on ECS instances in a password-free manner without the need to log on to the instances or use jump servers. You can use Cloud Assistant to perform automated O&M tasks, poll processes, install or uninstall software, start or stop services, and install patches or security updates. Who can run commands this way is governed by RAM permissions on the ECS API, and the agent executes the commands with root privileges, so treat that permission as equivalent to root access to the instance. For more information, see Install Cloud Assistant Agent.

  • Use Security Center to protect the source servers of images

    When you create images, we recommend that you use Alibaba Cloud Security Center to protect your servers. Security Center provides security capabilities such as alert notifications, virus detection and removal, webshell detection and removal, client protection, and image scanning to protect your cloud assets and on-premises servers.
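The following added example is not from the original page or from Alibaba Cloud's tooling; it turns the disk and driver requirements above (UUID-based fstab, no swap, virtio and NVMe modules in the initramfs, CONFIG_FW_CFG_SYSFS for cloud-init) into checks that can be run before import. The checks take file paths as arguments so they can be tried against a mounted image tree or sample files; the locations used by preflight() and the module list are assumptions about a typical RHEL- or Debian-family guest.

```sh
#!/bin/sh
# Added example (not from the original page): checks for the "Disk
# partitions" and "Required software" requirements. Each check takes file
# paths as arguments; preflight() wires them to the usual locations on a
# running source server (those paths and the module names are assumptions).

# check_fstab FSTAB: mounts must be identified by UUID=, LABEL= or a stable
# /dev/disk/by-* path rather than a device name such as /dev/vda1, and there
# must be no swap entry. Prints each offending line; returns 1 if any.
check_fstab() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    $3 == "swap" { bad++; print "swap entry: " $0; next }
    $1 ~ /^\/dev\// && $1 !~ /^\/dev\/disk\/by-/ {
      bad++; print "device name instead of UUID: " $0
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# check_kernel_option CONFIG OPTION: OPTION must be =y. Returns 2 for =m
# (works only if the module is loaded before cloud-init needs it), 1 if off.
check_kernel_option() {
  _v=$(sed -n "s/^$2=//p" "$1")
  case $_v in
    y) return 0 ;;
    m) echo "$2 is built as a module; make sure it loads before cloud-init" >&2; return 2 ;;
    *) echo "$2 is not enabled in $1" >&2; return 1 ;;
  esac
}

# check_initramfs_modules LIST BUILTIN MODULE...: LIST is the initramfs file
# list (lsinitrd or lsinitramfs output), BUILTIN the kernel's modules.builtin.
# Each MODULE must be in one of them, otherwise the root disk or NIC is
# absent until the real root file system is mounted and the instance never boots.
check_initramfs_modules() {
  _list=$1 _builtin=$2; shift 2
  _missing=0
  for _m in "$@"; do
    grep -q "/${_m}\.ko" "$_list" "$_builtin" && continue
    echo "missing from initramfs and not built in: $_m" >&2
    _missing=1
  done
  return $_missing
}

# preflight: run all checks on the live source server; exit status 0 = clean.
preflight() {
  _kver=$(uname -r)
  _tmp=$(mktemp) || return 1
  # initramfs naming differs by distro; both conventions are tried (assumption)
  { lsinitrd "/boot/initramfs-$_kver.img" 2>/dev/null ||
    lsinitramfs "/boot/initrd.img-$_kver" 2>/dev/null || :; } > "$_tmp"
  _rc=0
  check_fstab /etc/fstab || _rc=1
  check_kernel_option "/boot/config-$_kver" CONFIG_FW_CFG_SYSFS || _rc=1
  check_initramfs_modules "$_tmp" "/lib/modules/$_kver/modules.builtin" \
    virtio_blk virtio_net virtio_pci nvme || _rc=1
  rm -f "$_tmp"
  return $_rc
}

# Demo on a constructed fstab (sample data, not a real host file).
demo=$(mktemp)
printf 'UUID=0f1e2d3c-0000-0000-0000-000000000001 / ext4 defaults 1 1\n/dev/vdb1 /data xfs defaults 0 0\n' > "$demo"
check_fstab "$demo" || echo "fstab needs fixing before import"
rm -f "$demo"
```

Run preflight as root on the source server right before you shut it down to create the image; a non-zero exit, together with the printed lines, tells you which requirement the image still misses.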

System configurations

  • Configure the clock

    The hardware clock of an image can be in Coordinated Universal Time (UTC) or in the local time zone. Use UTC time when you create images. Sample commands:

    cat > /etc/adjtime << EOF
    0.0 0 0.0
    0
    UTC
    EOF
    
    timedatectl set-local-rtc 0

    For more information, see Linux time and time zones.

  • Configure the sshd service

    When you create images, configure the sshd service.

    sshd is the OpenSSH server daemon that provides remote logon to and management of a Linux operating system over an encrypted SSH channel. In the following example, make the following modifications to the /etc/ssh/sshd_config file. UseDNS no avoids slow logons caused by reverse DNS lookups, and AddressFamily inet restricts sshd to IPv4. PermitRootLogin yes and PasswordAuthentication yes allow root to log on with a password, which is convenient while the image is being built and tested but must be reverted as described in the System security recommendations section before the image is released:

    UseDNS no
    AddressFamily inet 
    SyslogFacility AUTHPRIV 
    PermitRootLogin yes 
    PasswordAuthentication yes 
  • Configure the chrony service or NTP service

    When you create images, we recommend that you configure the chrony service or Network Time Protocol (NTP) service.

    chrony and ntpd are two implementations of the Network Time Protocol (NTP), which synchronizes the system clock with network time sources to keep time accurate and to prevent issues caused by clock skew, such as failed certificate validation and unusable log timelines. Configure one of the two, not both.

    Sample commands used to configure the chrony service

    chrony_file=/etc/chrony.conf
    cat >$chrony_file <<EOF
    # Use Alibaba NTP server
    # Public NTP
    # Alicloud NTP
    
    
    server ntp.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp1.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp1.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp10.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp11.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp12.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp2.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp2.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp3.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp3.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp4.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp4.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp5.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp5.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp6.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp6.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp7.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp8.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp9.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    
    # Ignore stratum in source selection.
    stratumweight 0.05
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    # Enable kernel RTC synchronization.
    rtcsync
    
    # In first three updates step the system clock instead of slew
    # if the adjustment is larger than 10 seconds.
    makestep 10 3
    
    # Allow NTP client access from local network.
    #allow 192.168/16
    
    # Listen for commands only on localhost.
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    
    # Disable logging of client accesses.
    noclientlog
    
    # Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
    logchange 0.5
    
    logdir /var/log/chrony
    #log measurements statistics tracking
    EOF

    Sample commands used to configure the NTP service

    ntp_conf=/etc/ntp.conf
    cat > $ntp_conf << EOF
    driftfile  /var/lib/ntp/drift
    pidfile    /var/run/ntpd.pid
    logfile    /var/log/ntp.log
    
    
    # Access Control Support
    restrict    default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
    restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap nopeer noquery
    restrict 100.64.0.0 mask 255.192.0.0 nomodify notrap nopeer noquery
    restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
    
    
    # local clock
    server 127.127.1.0
    fudge  127.127.1.0 stratum 10
    
    restrict ntp.aliyun.com nomodify notrap nopeer noquery
    restrict ntp.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp1.aliyun.com nomodify notrap nopeer noquery
    restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp2.aliyun.com nomodify notrap nopeer noquery
    restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp3.aliyun.com nomodify notrap nopeer noquery
    restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp4.aliyun.com nomodify notrap nopeer noquery
    restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp5.aliyun.com nomodify notrap nopeer noquery
    restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp6.aliyun.com nomodify notrap nopeer noquery
    restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
    
    
    server ntp.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    EOF
  • Configure the MOTD service

    When you create images, we recommend that you configure the Message of the Day (MOTD) service.

    The MOTD service is a Linux feature that is used to display a message or an announcement when you log on to a Linux operating system. Sample command:

    echo -e "\nWelcome to Alibaba Cloud Elastic Compute Service !  \n" > /etc/motd
  • Disable the Firewalld service

    When you create images, we recommend that you disable the Firewalld service. Firewalld is a firewall management service for Linux operating systems. In the cloud, security groups control which traffic reaches the instance, and a host firewall left enabled in the image can block ports, such as the SSH port, that the security group already permits. If you keep a host firewall for defense in depth, make sure that its rules allow the ports that your instances need. Sample commands:

    systemctl stop firewalld
    systemctl disable firewalld
  • Configure the pip repository

    If a pip repository is configured, we recommend that you use the address of the Alibaba Cloud internal pip mirror, which is reachable from ECS instances, to obtain the most recent packages. Note that trusted-host tells pip to accept this host without TLS verification, which is what allows an http:// index; if the mirror is reachable over https:// in your region, use that and drop trusted-host so that packages cannot be altered in transit. Sample content of the ~/.pip/pip.conf file (pip also reads ~/.config/pip/pip.conf):

    [global]
    index-url=http://mirrors.cloud.aliyuncs.com/pypi/simple/
    
    [install]
    trusted-host=mirrors.cloud.aliyuncs.com
  • Configure the network settings

    If NetworkManager or the legacy network service is used, configure the /etc/sysconfig/network-scripts/ifcfg-eth0 file so that eth0 obtains its address by DHCP and is brought up at boot:

    DEVICE=eth0
    BOOTPROTO=dhcp
    ONBOOT=yes

    For information about other network service configurations, see Configure a secondary ENI.

Kernel parameter configurations

  • Configure GRUB kernel parameters

    When you create images, configure the kernel command-line parameters of the GRand Unified Bootloader (GRUB) so that the operating system starts as expected: net.ifnames=0 keeps the traditional eth0 interface name that the network configuration in this topic relies on, and the console= entries send kernel output to the serial console so that boot messages are visible through the ECS serial console. In the following example, a Debian operating system is used.

    1. In the /etc/default/grub file, add the following data to the GRUB_CMDLINE_LINUX= line.

      • x86_64 architecture

        net.ifnames=0 console=tty0 console=ttyS0,115200n8
      • Arm64 architecture

        net.ifnames=0 console=tty0 console=ttyAMA0,115200n8 
    2. Run the sudo update-grub2 command to allow GRUB configurations to take effect.

      Note

      The path of the GRUB configuration file varies based on the operating system. For more information, see How do I install the NVMe driver for a custom image?

  • Configure sysctl parameters

    When you create images, we recommend that you configure sysctl parameters to adjust and optimize the runtime parameters of the Linux kernel. Two of the values below trade a safety check for compatibility and deserve a conscious decision: kernel.sysrq = 1 enables every SysRq function for anyone with console access, including the ECS VNC console (a mask such as 176, which allows only sync, remount read-only, and reboot, is enough for recovery), and rp_filter = 0 disables reverse-path filtering so that traffic that arrives on one ENI and leaves through another is not dropped; on single-ENI instances, rp_filter = 1 keeps a source-address sanity check. tcp_syncookies = 1 keeps the instance reachable under a SYN flood.

    1. Perform the following modifications in the /etc/sysctl.conf file:

      vm.swappiness = 0
      kernel.sysrq = 1
      
      net.ipv4.neigh.default.gc_stale_time = 120
      
      net.ipv4.conf.all.rp_filter = 0
      net.ipv4.conf.default.rp_filter = 0
      net.ipv4.conf.default.arp_announce = 2
      net.ipv4.conf.lo.arp_announce = 2
      net.ipv4.conf.all.arp_announce = 2
      
      net.ipv4.tcp_max_tw_buckets = 5000
      net.ipv4.tcp_syncookies = 1
      net.ipv4.tcp_max_syn_backlog = 1024
      net.ipv4.tcp_synack_retries = 2
      net.ipv4.tcp_slow_start_after_idle = 0
    2. Run the sudo sysctl -p command to allow kernel parameter modifications to take effect.
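The GRUB step above edits /etc/default/grub by hand. The following added example is not from the original page or from Alibaba Cloud's tooling; it applies the same console and interface-naming parameters for the current architecture without duplicating them when run again, which matters when an image build script is re-run on a partially prepared server. The file path is passed in so the functions can be tried on a copy first; regenerate_grub() assumes the usual distribution commands and the /boot/grub2/grub.cfg output path, which varies by operating system as the note above says.

```sh
#!/bin/sh
# Added example (not from the original page): add the console and interface
# naming parameters from the GRUB step to /etc/default/grub, idempotently.
# The path is passed in so the functions can be tried on a copy first;
# regenerate_grub() assumes the usual distro commands and output path.

# console_params ARCH -> the kernel parameters this page lists for ARCH
console_params() {
  case $1 in
    x86_64)        echo "net.ifnames=0 console=tty0 console=ttyS0,115200n8" ;;
    aarch64|arm64) echo "net.ifnames=0 console=tty0 console=ttyAMA0,115200n8" ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# grub_cmdline FILE -> current value of GRUB_CMDLINE_LINUX (double-quoted form)
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | head -n 1
}

# add_grub_params FILE PARAM...: append each PARAM to GRUB_CMDLINE_LINUX
# unless that exact token is already present. A token with the same key but
# a different value (console=ttyS0,9600) is left alone for manual review;
# the kernel honours every console= it is given.
add_grub_params() {
  _file=$1; shift
  _tmp=$(mktemp) || return 1
  awk -v add="$*" '
    function merge(line,   n, i, want) {
      n = split(add, want, " ")
      for (i = 1; i <= n; i++)
        if (index(" " line " ", " " want[i] " ") == 0)
          line = (line == "") ? want[i] : (line " " want[i])
      return line
    }
    /^GRUB_CMDLINE_LINUX=/ && !seen {
      seen = 1
      cur = $0
      sub(/^GRUB_CMDLINE_LINUX=/, "", cur)
      sub(/^"/, "", cur); sub(/"$/, "", cur)
      print "GRUB_CMDLINE_LINUX=\"" merge(cur) "\""
      next
    }
    { print }
    END { if (!seen) print "GRUB_CMDLINE_LINUX=\"" merge("") "\"" }
  ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps FILE mode/owner
  _rc=$?
  rm -f "$_tmp"
  return $_rc
}

# regenerate_grub: write the real grub.cfg. update-grub is the Debian-family
# wrapper; the RHEL-family output path below is an assumption.
regenerate_grub() {
  if command -v update-grub >/dev/null 2>&1; then
    update-grub
  else
    grub2-mkconfig -o /boot/grub2/grub.cfg
  fi
}

# Demo on a constructed copy of /etc/default/grub (sample data).
demo=$(mktemp)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$demo"
add_grub_params "$demo" $(console_params x86_64)
add_grub_params "$demo" $(console_params x86_64)   # second run changes nothing
grub_cmdline "$demo"
rm -f "$demo"
```

On the source server, run `add_grub_params /etc/default/grub $(console_params "$(uname -m)")` followed by regenerate_grub, then confirm with `grep ttyS0 /boot/grub2/grub.cfg` (or the path your distribution uses) that the parameters reached the generated configuration rather than only the defaults file.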

System security recommendations

To improve system security, take note of the following items before you import custom images to Alibaba Cloud:

  • Lock the root password. Even if a root password was set while the image was built, a locked password means that nobody can log on as root with it; root remains reachable through SSH keys, sudo, or Cloud Assistant.

  • To disable password-based logon, set the PasswordAuthentication parameter to no. sshd uses the first value that it reads for each keyword, so remove earlier occurrences before you append the new line, and check that the file has no Match block after the insertion point, otherwise the appended lines become part of that block and apply only to its conditions.

    Note

    If you set a root password for instance initialization and want to use it, keep PasswordAuthentication set to yes, which leaves password-based logon enabled. In that case, make sure that the security group limits which sources can reach the SSH port.

Sample code:

  dst=/etc/ssh/sshd_config
  # Delete existing global settings so that the lines appended below are the
  # first, and therefore effective, ones. Deleting rather than blanking the
  # lines keeps the file tidy.
  sed -i '/^UseDNS/d' $dst
  sed -i '/^SyslogFacility/d' $dst
  sed -i '/^PermitRootLogin/d' $dst
  sed -i '/^PasswordAuthentication/d' $dst

  echo UseDNS no >> $dst
  echo SyslogFacility AUTHPRIV >> $dst
  # prohibit-password is the OpenSSH default once PermitRootLogin is removed;
  # stating it keeps root limited to key-based logon explicitly.
  echo PermitRootLogin prohibit-password >> $dst
  echo PasswordAuthentication no >> $dst

  # Lock the root password. The pattern is anchored to the start of the line
  # so that only the root entry is rewritten, not every account whose name
  # happens to end in "root".
  passwd -l root
  sed -i 's/^root:[^:]*:/root:*:/' /etc/shadow
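Both the sshd_config sample in the System configurations section and the script above edit the file with sed and append settings at the end, which silently goes wrong when the file already contains a Match block. The following added example is not from the original page or from Alibaba Cloud's tooling; it makes the same edits idempotently and places each global setting before the first Match block, then reads the effective value back. The file path is passed in so the functions can be tested on a copy, and PermitRootLogin prohibit-password (key-based root logon only) is the OpenSSH default that the page's script relies on implicitly.

```sh
#!/bin/sh
# Added example (not from the original page): idempotent, Match-aware edits
# to sshd_config for the settings recommended on this page. The file path is
# passed in so the functions can be run against a copy first.

# set_sshd_option FILE KEY VALUE
# Drops every global (pre-Match) line for KEY and writes "KEY VALUE" once.
# sshd uses the first value it reads, and anything after a "Match" line is
# conditional, so the new line goes just before the first Match block, or
# at the end of the file when there is none.
set_sshd_option() {
  _file=$1 _key=$2 _value=$3
  _tmp=$(mktemp) || return 1
  awk -v k="$_key" -v v="$_value" '
    tolower($1) == "match" && !seen_match { print k " " v; seen_match = 1 }
    seen_match                { print; next }   # Match sections kept verbatim
    tolower($1) == tolower(k) { next }          # old global setting dropped
                              { print }
    END { if (!seen_match) print k " " v }
  ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps FILE mode/owner
  _rc=$?
  rm -f "$_tmp"
  return $_rc
}

# sshd_option FILE KEY -> the effective global value of KEY (empty if unset)
sshd_option() {
  awk -v k="$2" '
    tolower($1) == "match"    { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# harden_sshd FILE: the page's settings, with root limited to key-based logon
harden_sshd() {
  set_sshd_option "$1" UseDNS no &&
  set_sshd_option "$1" SyslogFacility AUTHPRIV &&
  set_sshd_option "$1" PermitRootLogin prohibit-password &&
  set_sshd_option "$1" PasswordAuthentication no
}

# Demo on a constructed sshd_config (sample data, not a real host file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF
harden_sshd "$demo"
cat "$demo"
rm -f "$demo"
```

Before you seal the image, validate the result with `sshd -t -f /etc/ssh/sshd_config`. On distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, check those drop-in files as well: because the first value wins, a PasswordAuthentication yes in a drop-in overrides anything written to the main file.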

Clear image information

Before independent software vendors (ISVs) release images, the ISVs can clear historical records and logs based on their business requirements. Everything left in the image is shared with every customer who creates an instance from it, so also review shell histories, SSH host keys, cloud-init state, and any credentials or SSH authorized keys that were used while the image was being built.
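The following added example is not from the original page or from Alibaba Cloud's tooling; it shows one way to scrub per-instance state from an image tree and to list leftover credential files for review before release. ROOT is the image root, either a mounted image such as /mnt/img or / on the source server right before shutdown. The file locations are the usual RHEL- and Debian-family ones, and the list of credential paths is an assumption that you should extend for your own build tooling.

```sh
#!/bin/sh
# Added example (not from the original page): scrub per-instance state and
# list leftover credentials in an image tree before it is exported or
# published. Paths are the usual RHEL/Debian-family ones; the credential
# path list is an assumption.

# sweep_image ROOT: remove state that must differ on every instance.
sweep_image() {
  _r=${1%/}
  # SSH host keys: each instance needs its own. cloud-init regenerates them
  # on first boot (ssh_deletekeys defaults to true).
  rm -f "$_r"/etc/ssh/ssh_host_*
  # machine-id is emptied, not deleted, so systemd generates a fresh one.
  [ -e "$_r/etc/machine-id" ] && : > "$_r/etc/machine-id"
  # cloud-init state: without it the next boot is treated as a first boot.
  rm -rf "$_r"/var/lib/cloud/*
  # shell and REPL histories for root and every home directory
  rm -f "$_r"/root/.*_history "$_r"/home/*/.*_history
  # logs are truncated rather than removed so ownership and modes survive
  [ -d "$_r/var/log" ] && find "$_r/var/log" -type f -exec sh -c ': > "$1"' _ {} \;
  return 0
}

# leftover_secrets ROOT: print files that must not ship in a released image.
# Nothing is deleted: an authorized_keys file may be intended for a private
# image, so the decision is left to whoever reviews the list.
leftover_secrets() {
  _r=${1%/}
  for _p in root/.ssh/authorized_keys home/*/.ssh/authorized_keys \
            root/.ssh/id_* home/*/.ssh/id_* \
            root/.aws/credentials home/*/.aws/credentials \
            root/.netrc home/*/.netrc \
            root/.docker/config.json home/*/.docker/config.json; do
    for _f in "$_r"/$_p; do
      [ -e "$_f" ] && echo "${_f#"$_r"}"
    done
  done
  return 0
}

# Demo on a constructed image tree (sample data).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/root/.ssh" "$demo/var/log"
echo "private key material" > "$demo/etc/ssh/ssh_host_ed25519_key"
echo "ssh-ed25519 AAAA... build-host" > "$demo/root/.ssh/authorized_keys"
echo "history" > "$demo/root/.bash_history"
echo "leftover credential files:"; leftover_secrets "$demo"
sweep_image "$demo"
ls -A "$demo/etc/ssh" "$demo/root"
rm -rf "$demo"
```

Run leftover_secrets first and act on its output, then sweep_image as the last step before the server is shut down or the image is unmounted; anything you log on to do afterwards writes new history and host keys back into the image.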