Help Center/
Server Migration Service/
Best Practices/
Customizing Agent Images/
Creating a Linux Agent Image
Updated on 2026-01-13 GMT+08:00
Creating a Linux Agent Image
Preparing an ECS
Prepare a Linux ECS using a public image.
Set a password for the ECS. Install Python 3 on the ECS if it is not included in the public image.
Preparing Scripts
For details, see Creating Scripts in Agent Images.
Modifying the ECS
- Install necessary components.
Install Python dependencies. Below is just an example. Install the latest version of Python.
yum install python36 ln -s /usr/bin/python36 /usr/bin/python3 yum install python36-setuptools wget https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz tar xvf pip-10.0.1.tar.gz cd pip-10.0.1 python3 setup.py install pip3 install requests
- Modify the /etc/rc.local file.
ln -s /etc/rc.d/rc.local /etc/rc.local #In some public images, /etc/rc.local may not be properly linked to /etc/rc.d/rc.local, which can result in the rc.local script not being executed during the startup. chmod 766 /etc/rc.d/rc.local
- Install basic system components.
yum install expect yum install lvm2 yum install dosfstools #mkfs.vfat is supported. rpm -ivh grub-0.97-99.el6.x86_64.rpm #This component is only needed when the servers to be migrated use GRUB 1. Download this component at the GRUB official website.
- Modify /etc/mke2fs.conf.
Delete 64bit from the ext4 item. Otherwise, GRUB 1 may fail to be installed on an Ext4 file system.
- Change partition UUIDs.
- Detach the system disk from the ECS and attach it to a temporary ECS as a data disk.
- On the temporary ECS, use uuidgen to generate new UUIDs and use tune2fs –U to assign new UUIDs to partitions.
- Run the blkid command on the temporary ECS to query the UUID of each partition.
- Run the uuidgen command to generate a new UUID.
- Run the tune2fs -U <new_UUID> <device> or xfs_admin -U <new_UUID> <device> command to assign the new UUID to a partition.
- Change the UUID of the partition in /etc/fstab and /boot/grub2/grub.cfg to the newly assigned UUID.
If partition UUIDs change, you must update the corresponding UUIDs in /etc/fstab and /boot/grub2/grub.cfg. Otherwise, the system may fail to boot.
- Attach the disk back to the original ECS as the system disk and test whether the OS can start up.
- Run the blkid command on the temporary ECS to query the UUID of each partition.
- Transfer the smsMetadataAgent folder where stores the necessary scripts to the ECS and enable these scripts to automatically run at startup. For details, see Creating Scripts in Agent Images.
- Modify the sshd configuration file to disable password login.
- Delete residual settings. Ensure that there is no /data directory, there are no SMS log files in the /root directory, and there are no residual certificates in the /etc/ssh directory.
(Optional) Hardening Security
- Add the following content to the sshd_config file.
MaxAuthTries 6 LoginGraceTime 60 PasswordAuthentication no
- Disable history.
- Start the terminal and run the following command:
sudo nano ~/.bashrc
- Add the following content to the end of the file:
unset HISTFILE
- Save the file and exit. Run the following command for the modification to take effect:
source ~/.bashrc
- Start the terminal and run the following command:
- Prevent brute-force attacks.
Add the content below to the /etc/pam.d/password-auth file. The content is contained in Huawei Cloud EulerOS by default.
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
This can prevent any user from login for 30 seconds after 3 failed login attempts.
- Set the password complexity requirements.
In the /etc/pam.d/system-auth file, append enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 to the end of the row that starts with password requisite pam_pwquality.so try_first_pass.
password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- Change the umask value to 027. The umask command is used to set the default permissions on files and directories.
- Open the terminal and run the following command to open the .bashrc file:
nano ~/.bashrc
- Add the following content to the end of the file:
umask 027
- Save and close the file. Run the following command to make the change take effect:
source ~/.bashrc
- Open the terminal and run the following command to open the .bashrc file:
- Delete residual system tools because keeping them only increases the attack surface of the system and mislead security software.
Delete the following residual tools:
- tcpdump, sniffer, Wireshark, Netcat, and other WinPcap-based sniffing tools
- gdb, strace, readelf, cpp, gcc, dexdump, mirror, JDK, and other self-developed tools or scripts used only in the development and debugging phase
Creating an Image
- Sign in to the Huawei Cloud console, search for IMS, and access the IMS console.
- Click Create Image.
- Create a system disk image from the ECS as prompted.
- Obtain the ID of the created image.
Parent topic: Customizing Agent Images
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
The system is busy. Please try again later.
