Creating a Linux Agent Image
Preparing an ECS
Prepare a Linux ECS using a public image.
Set a password for the ECS. Install Python 3 on the ECS if it is not included in the public image.
Preparing Scripts
For details, see Creating Scripts in Agent Images.
Modifying the ECS
- Install necessary components.
Install Python dependencies. Below is just an example. Install the latest version of Python.
yum install python36 ln -s /usr/bin/python36 /usr/bin/python3 yum install python36-setuptools wget https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz tar xvf pip-10.0.1.tar.gz cd pip-10.0.1 python3 setup.py install pip3 install requests
- Modify the /etc/rc.local file.
ln -s /etc/rc.d/rc.local /etc/rc.local #If files /etc/rc.d/rc.local and /etc/rc.local are not linked t each other in the public image, the scripts may not be executed at startup. chmod 766 /etc/rc.d/rc.local
- Install basic system components.
yum install expect yum install lvm2 yum install dosfstools #mkfs.vfat is supported. rpm -ivh grub-0.97-99.el6.x86_64.rpm #This component is only needed when the servers to be migrated use GRUB 1. Download this component at the grub official website.
- Modify /etc/mke2fs.conf.
Delete 64bit from the ext4 item. Otherwise, GRUB 1 may fail to be installed in the Ext4 file system.
- Change partition UUIDs.
- Detach the system disk from the ECS and attach it to a temporary ECS as a data disk.
- On the temporary ECS, use uuidgen to generate new UUIDs and use tune2fs –U to assign new UUIDs to partitions.
- Run the blkid command on the temporary ECS to query the UUID of each partition.
- Run the uuidgen command to generate a new UUID.
- Run the tune2fs -U <New_UUID> <Device> or xfs_admin -U <New_UUID> <Device> command to assign the new UUID to the partition on the data disk.
- Change the UUID of the partition in /etc/fstab and /boot/grub2/grub.cfg to the newly assigned UUID.
This is to ensure that OS in the agent image disk can be started.
- Attach the disk back to the original ECS as the system disk and test whether the OS can start up.
- Run the blkid command on the temporary ECS to query the UUID of each partition.
- Transfer the smsMetadataAgent folder where stores the necessary scripts to the ECS and enable these scripts to automatically run at startup. For details, see Creating Scripts in Agent Images.
- Modify the sshd configuration file to disable password login.
- Delete residual settings. Ensure that there is no /data directory, there are no SMS log files in the /root directory, and there are no residual certificates in the /etc/ssh directory.
(Optional) Hardening Security
- Add the following content to the sshd_config file.
MaxAuthTries 6 LoginGraceTime 60 PasswordAuthentication no
- Disable history.
- Start the Shell and run the following command:
sudo nano ~/.bashrc
- Add the following content to the end of the file:
unset HISTFILE
- Save the file and exit. Run the following command for the modification to take effect:
source ~/.bashrc
- Start the Shell and run the following command:
- Prevent brute-force attacks.
Add the content below to the /etc/pam.d/password-auth file. The content is contained in Huawei Cloud EulerOS by default.
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
This can prevent any user from login for 30 seconds after 3 failed login attempts.
- Set the password complexity requirements.
In the /etc/pam.d/system-auth file, append enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 to the end of the row that starts with password requisite pam_pwquality.so try_first_pass.
password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- Change the umask value. Change the value of umask to 027. The umask command is used to set the default permissions on files and directories.
- Open the Shell and run the following command to open the .bashrc file:
nano ~/.bashrc
- Add the following content to the end of the file:
umask 027
- Save and close the file. Run the following command to make the change take effect:
source ~/.bashrc
- Open the Shell and run the following command to open the .bashrc file:
- Delete residual system tools because keeping them only increases the attack surface of the system and mislead security software.
Delete the following residual tools:
- tcpdump, sniffer, Wireshark, Netcat, and other WinPcap-based sniffing tools
- gdb, strace, readelf, cpp, gcc, dexdump, mirror, JDK, and other self-developed tools or scripts used only in the development and debugging phase
Creating an Image
- Log in the IMS console.
- Click Create Image.
- Create a system disk image for the ECS as prompted.
- View the ID of the created image.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot