Creating a Linux Agent Image
Preparing an ECS
Prepare a Linux ECS using a public image.
Set a password for the ECS. Install Python 3 on the ECS if it is not included in the public image.
Preparing Scripts
For details, see Creating Scripts in Agent Images.
Modifying the ECS
- Install necessary components.
Install the Python dependencies. The commands below are only an example; install the latest available Python version.
yum install python36
ln -s /usr/bin/python36 /usr/bin/python3
yum install python36-setuptools
wget https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
tar xvf pip-10.0.1.tar.gz
cd pip-10.0.1
python3 setup.py install
pip3 install requests
- Modify the /etc/rc.local file.
ln -s /etc/rc.d/rc.local /etc/rc.local  # If /etc/rc.d/rc.local and /etc/rc.local are not linked to each other in the public image, the scripts may not be executed at startup.
chmod 766 /etc/rc.d/rc.local
Note that mode 766 also grants write access to every local user on a file that root executes at boot; a startup script only needs to be executable, so check whether a more restrictive mode such as 755 meets your requirements.
- Install basic system components.
yum install expect
yum install lvm2
yum install dosfstools  # Provides mkfs.vfat.
rpm -ivh grub-0.97-99.el6.x86_64.rpm  # Needed only when the servers to be migrated use GRUB 1. Download this package from the GRUB official website.
- Modify /etc/mke2fs.conf.
Remove 64bit from the ext4 entry. Otherwise, GRUB 1 may fail to install on the ext4 file system.
- Change partition UUIDs.
  - Detach the system disk from the ECS and attach it to a temporary ECS as a data disk.
  - On the temporary ECS, use uuidgen to generate new UUIDs and use tune2fs -U to assign them to the partitions:
    - Run the blkid command on the temporary ECS to query the UUID of each partition.
    - Run the uuidgen command to generate a new UUID.
    - Run the tune2fs -U <New_UUID> <Device> or xfs_admin -U <New_UUID> <Device> command to assign the new UUID to the partition on the data disk.
    - Change the UUID of the partition in /etc/fstab and /boot/grub2/grub.cfg to the newly assigned UUID.
    This ensures that the OS on the agent image disk can boot.
  - Attach the disk back to the original ECS as the system disk and test whether the OS starts up.
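The UUID steps above (blkid to read the old UUID and file system type, uuidgen for a new one, tune2fs -U or xfs_admin -U to assign it, then editing /etc/fstab and /boot/grub2/grub.cfg) are scripted below as an added example. This is not code from the Huawei Cloud page or from SMS itself. It assumes it runs as root on the temporary ECS, that the device is unmounted while its UUID is changed and mounted afterwards for the file edits, and the device and mount point names (/dev/vdb1, /mnt/agentroot) are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original page: reassign a partition UUID on
# the detached agent-image disk and rewrite the references to it.
# Assumptions: run as root on the temporary ECS; the device is not mounted
# while its UUID is changed; MOUNTPOINT is where the disk's root filesystem is
# mounted afterwards so that etc/fstab and boot/grub2/grub.cfg can be edited.

# Print the command that assigns NEW_UUID to DEVICE for the given filesystem type.
# Only ext2/3/4 (tune2fs) and xfs (xfs_admin) are covered, as on the page.
uuid_set_cmd() {
    fstype=$1; new_uuid=$2; device=$3
    case "$fstype" in
        ext2|ext3|ext4) printf 'tune2fs -U %s %s\n' "$new_uuid" "$device" ;;
        xfs)            printf 'xfs_admin -U %s %s\n' "$new_uuid" "$device" ;;
        *) printf 'unsupported filesystem type: %s\n' "$fstype" >&2; return 1 ;;
    esac
}

# Replace every occurrence of OLD_UUID with NEW_UUID in FILE. This covers the
# "UUID=..." entries in fstab and both "root=UUID=..." and "search --fs-uuid ..."
# forms in grub.cfg, since all of them contain the bare UUID string.
rewrite_uuid_refs() {
    old_uuid=$1; new_uuid=$2; file=$3
    [ -f "$file" ] || return 0   # e.g. images without /boot/grub2/grub.cfg
    sed -i "s/$old_uuid/$new_uuid/g" "$file"
}

# Count the remaining references to a UUID in FILE (0 means the rewrite is complete).
count_uuid_refs() {
    grep -c -- "$1" "$2" || true
}

# Step 1 (device unmounted): read the old UUID and type, generate a new UUID,
# and assign it. Prints "old new" so the caller can feed step 2.
reassign_uuid() {
    device=$1
    old_uuid=$(blkid -s UUID -o value "$device")
    fstype=$(blkid -s TYPE -o value "$device")
    new_uuid=$(uuidgen)
    cmd=$(uuid_set_cmd "$fstype" "$new_uuid" "$device") || return 1
    eval "$cmd" || return 1
    printf '%s %s\n' "$old_uuid" "$new_uuid"
}

# Step 2 (disk mounted at MOUNTPOINT): rewrite fstab and grub.cfg, then report
# how many references to the old UUID are left in each file.
update_boot_refs() {
    old_uuid=$1; new_uuid=$2; mountpoint=$3
    for f in "$mountpoint/etc/fstab" "$mountpoint/boot/grub2/grub.cfg"; do
        rewrite_uuid_refs "$old_uuid" "$new_uuid" "$f"
        [ -f "$f" ] && printf '%s: %s old references left\n' "$f" "$(count_uuid_refs "$old_uuid" "$f")"
    done
    return 0
}

# Usage (hypothetical device and mount point names):
#   sh reassign_uuid.sh --reassign /dev/vdb1            -> prints "<old> <new>"
#   mount /dev/vdb1 /mnt/agentroot
#   sh reassign_uuid.sh --update <old> <new> /mnt/agentroot
case "${1:-}" in
    --reassign) reassign_uuid "$2" ;;
    --update)   update_boot_refs "$2" "$3" "$4" ;;
esac
```

Run the --update step for every partition whose UUID you changed, including a separate /boot partition if the image has one; the "0 old references left" lines are the check that nothing in fstab or grub.cfg still points at the old UUID before the disk is attached back as the system disk.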
- Transfer the smsMetadataAgent folder, which stores the necessary scripts, to the ECS and enable these scripts to run automatically at startup. For details, see Creating Scripts in Agent Images.
- Modify the sshd configuration file to disable password login.
- Delete residual settings. Ensure that there is no /data directory, no SMS log files in the /root directory, and no residual certificates in the /etc/ssh directory.
(Optional) Hardening Security
- Add the following content to the sshd_config file.
MaxAuthTries 6
LoginGraceTime 60
PasswordAuthentication no
- Disable history.
  - Start the Shell and run the following command:
  sudo nano ~/.bashrc
  - Add the following content to the end of the file:
  unset HISTFILE
  - Save the file and exit. Run the following command for the modification to take effect:
  source ~/.bashrc
- Prevent brute-force attacks.
Add the content below to the /etc/pam.d/password-auth file. This content is present by default in Huawei Cloud EulerOS.
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
This prevents any user from logging in for 30 seconds after 3 failed login attempts.
- Set the password complexity requirements.
In the /etc/pam.d/system-auth file, append enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 to the end of the line that starts with password requisite pam_pwquality.so try_first_pass, so that it reads:
password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- Change the umask value to 027. The umask command sets the default permissions on newly created files and directories.
  - Open the Shell and run the following command to open the .bashrc file:
  nano ~/.bashrc
  - Add the following content to the end of the file:
  umask 027
  - Save and close the file. Run the following command to make the change take effect:
  source ~/.bashrc
- Delete residual system tools, because keeping them only increases the attack surface of the system and can mislead security software.
Delete the following residual tools:
- tcpdump, sniffer, Wireshark, Netcat, and other WinPcap-based sniffing tools
- gdb, strace, readelf, cpp, gcc, dexdump, mirror, JDK, and other self-developed tools or scripts used only in the development and debugging phase
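Before creating the image, it is worth verifying that every hardening and cleanup step in this section actually landed on the disk. The audit script below is an added example, not code from the Huawei Cloud page or from SMS: it checks the sshd_config directives, the pam_faillock and pam_pwquality lines, the HISTFILE and umask settings, the residual tools, and the residual paths listed above. It assumes ROOT is the directory where the image's root file system is mounted (empty for the running system), that the shell rc file to check is /root/.bashrc, that "residual certificates in /etc/ssh" means the ssh_host_* key files, and that residual tools can be found by binary name under usr/bin.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a prepared agent-image
# root for the hardening and cleanup steps before creating the image.
# Assumptions: ROOT is the mounted image root ("" for the live system); the rc
# file is /root/.bashrc; "residual certificates" are the ssh_host_* key files;
# residual tools are looked up by binary name under usr/bin.

# True if FILE has an uncommented "KEY VALUE" sshd_config directive.
sshd_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1" 2>/dev/null
}

# True if password-auth has a pam_faillock auth line with deny=3 and an unlock_time.
pam_faillock_ok() {
    grep -Eq '^auth[[:space:]].*pam_faillock\.so.*[[:space:]]deny=3([[:space:]]|$)' "$1" 2>/dev/null &&
    grep -Eq '^auth[[:space:]].*pam_faillock\.so.*unlock_time=[0-9]+' "$1" 2>/dev/null
}

# True if the pam_pwquality line in system-auth carries every required complexity option.
pwquality_ok() {
    line=$(grep -E '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    for opt in enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1; do
        case " $line " in *" $opt "*) ;; *) return 1 ;; esac
    done
    return 0
}

# True if the rc file both disables the history file and sets umask 027.
bashrc_ok() {
    grep -Eq '^[[:space:]]*unset[[:space:]]+HISTFILE' "$1" 2>/dev/null &&
    grep -Eq '^[[:space:]]*umask[[:space:]]+027([[:space:]]|$)' "$1" 2>/dev/null
}

# Print residual capture/debug tools (binary names from the page's list) found in DIR.
residual_tools_in() {
    for t in tcpdump wireshark tshark nc ncat gdb strace readelf cpp gcc; do
        [ -x "$1/$t" ] && printf '%s\n' "$t"
    done
    return 0
}

# Print residual paths that must not be in the image: /data, logs in /root,
# and host key files in /etc/ssh (assumed meaning of "residual certificates").
residual_paths() {
    [ -d "$1/data" ] && printf '%s\n' "$1/data"
    for f in "$1"/root/*.log "$1"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Run every check against ROOT; prints one FAIL line per problem and returns the count.
audit_image() {
    root=${1:-}; fails=0
    fail() { printf 'FAIL: %s\n' "$1"; fails=$((fails + 1)); }
    sshd_has "$root/etc/ssh/sshd_config" PasswordAuthentication no || fail "PasswordAuthentication is not 'no'"
    sshd_has "$root/etc/ssh/sshd_config" MaxAuthTries 6           || fail "MaxAuthTries is not 6"
    sshd_has "$root/etc/ssh/sshd_config" LoginGraceTime 60        || fail "LoginGraceTime is not 60"
    pam_faillock_ok "$root/etc/pam.d/password-auth"               || fail "pam_faillock deny=3/unlock_time missing"
    pwquality_ok "$root/etc/pam.d/system-auth"                    || fail "pam_pwquality complexity options missing"
    bashrc_ok "$root/root/.bashrc"                                || fail "HISTFILE still set or umask not 027"
    [ -z "$(residual_tools_in "$root/usr/bin")" ]                 || fail "residual tools: $(residual_tools_in "$root/usr/bin" | tr '\n' ' ')"
    [ -z "$(residual_paths "$root")" ]                            || fail "residual paths: $(residual_paths "$root" | tr '\n' ' ')"
    printf '%d failing checks\n' "$fails"
    return "$fails"
}

# Usage: sh audit_image.sh --run /mnt/agentroot   (or --run "" for the live system)
if [ "${1:-}" = --run ]; then
    audit_image "${2:-}"
fi
```

The exit status equals the number of failing checks, so the script can gate an image-build pipeline; the checks are deliberately literal (exact values from this section) rather than policy-driven, and the tool list only covers names that exist as single binaries on Linux.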
Creating an Image
- Log in to the IMS console.
- Click Create Image.
- Create a system disk image for the ECS as prompted.
- View the ID of the created image.