Preparing Linux Template VMs

Tested on CentOS.

The original article is Preparing Linux Template VMs; please read that first! This article is for preservation and my own personal use.

Step 1: Clean out yum and apt caches.

/usr/bin/yum clean all
apt-get clean

Step 2: Force the logs to rotate.

/usr/sbin/logrotate -f /etc/logrotate.conf
/bin/rm -f /var/log/*-???????? /var/log/*.gz

Step 3: Clear the audit log & wtmp.

/bin/cat /dev/null > /var/log/audit/audit.log
/bin/cat /dev/null > /var/log/wtmp

This whole /dev/null business is also a trick that lets you clear a file without restarting the process associated with it, useful in many more situations than just template-building.

Step 4: Remove the udev persistent device rules.

/bin/rm -f /etc/udev/rules.d/70*

Step 5: Remove the traces of the template MAC address and UUIDs.

/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0

Just removing unique identifiers from the template so the cloned VM gets its own.

Step 6: Clean /tmp out.

/bin/rm -rf /tmp/*
/bin/rm -rf /var/tmp/*

Under normal, non-template circumstances you really don’t ever want to run rm on /tmp like this. Use tmpwatch or any manner of safer ways to do this, since there are attacks people can use by leaving symlinks and whatnot in /tmp that rm might traverse (“whoops, I don’t have an /etc/passwd anymore!”). Plus, users and processes might actually be using /tmp, and it’s impolite to delete their files. However, this is your template image, and if there are people attacking your template you should reconsider how you’re doing business. Really.

Step 7: Remove the SSH host keys.

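/bin/rm -f /etc/ssh/*key*

If you don’t do this, all your VMs will have the same host keys, which has negative security implications: SSH clients cannot tell one clone from another, and anyone holding the private host key from one clone can impersonate the rest.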

Step 8: Remove the root user’s shell history.

/bin/rm -f ~root/.bash_history
unset HISTFILE

No sense in keeping this history around; it’s irrelevant to the cloned VM.
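
A pre-clone check for steps 2 through 8, added here as an example and not taken from the original article: it reports any per-machine state still present in the image before it becomes a template. The names check_template and report, the ROOT argument and the /root home path are assumptions, and step 5 is widened from ifcfg-eth0 to every ifcfg-* file.

```shell
#!/bin/sh
# Added example: report per-machine state still present in a template image.
# Usage: check_template [ROOT]   (ROOT = where the image is mounted, default /)
findings=0
report() { echo "LEFTOVER: $1"; findings=$((findings + 1)); }

check_template() {
    root=${1:-/}; root=${root%/}
    findings=0
    # Step 2: rotated logs that logrotate left behind
    for f in "$root"/var/log/*-???????? "$root"/var/log/*.gz; do
        if [ -e "$f" ]; then report "rotated log $f"; fi
    done
    # Step 3: audit log and wtmp must be zero bytes
    for f in var/log/audit/audit.log var/log/wtmp; do
        if [ -s "$root/$f" ]; then report "$root/$f is not empty"; fi
    done
    # Step 4: udev persistent device rules
    for f in "$root"/etc/udev/rules.d/70*; do
        if [ -e "$f" ]; then report "udev rule $f"; fi
    done
    # Step 5: MAC address / UUID pinned in any ifcfg file (not only eth0)
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ] && grep -Eq '^(HWADDR|UUID)=' "$f"; then
            report "HWADDR/UUID in $f"
        fi
    done
    # Step 6: temporary directories should be empty
    for d in tmp var/tmp; do
        if [ -n "$(ls -A "$root/$d" 2>/dev/null)" ]; then
            report "$root/$d is not empty"
        fi
    done
    # Step 7: SSH host keys that every clone would share
    for f in "$root"/etc/ssh/*key*; do
        if [ -e "$f" ]; then report "SSH host key $f"; fi
    done
    # Step 8: root's shell history (assumes root's home is /root)
    if [ -e "$root/root/.bash_history" ]; then
        report "$root/root/.bash_history exists"
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was found
}
```

Source the file and run `check_template /` as root inside the VM just before shutdown, or point it at the mount point of an offline image; a non-zero exit status means a step was missed.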
