Preparing Linux Template VMs

Tested on CentOS.

The original article is Preparing Linux Template VMs; please read that first! This article is for preservation and my own personal use.

Step 1: Clean out yum and apt caches.

/usr/bin/yum clean all
apt-get clean

Step 2: Force the logs to rotate.

/usr/sbin/logrotate -f /etc/logrotate.conf
/bin/rm -f /var/log/*-???????? /var/log/*.gz

Step 3: Clear the audit log & wtmp.

/bin/cat /dev/null > /var/log/audit/audit.log
/bin/cat /dev/null > /var/log/wtmp

This whole /dev/null business is also a trick that lets you clear a file without restarting the process associated with it, useful in many more situations than just template-building.

Step 4: Remove the udev persistent device rules.

/bin/rm -f /etc/udev/rules.d/70*

Step 5: Remove the traces of the template MAC address and UUIDs.

/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0

Just removing unique identifiers from the template so the cloned VM gets its own.

Step 6: Clean /tmp out.

/bin/rm -rf /tmp/*
/bin/rm -rf /var/tmp/*

Under normal, non-template circumstances you really don’t ever want to run rm on /tmp like this. Use tmpwatch or any manner of safer ways to do this, since there are attacks people can use by leaving symlinks and whatnot in /tmp that rm might traverse (“whoops, I don’t have an /etc/passwd anymore!”). Plus, users and processes might actually be using /tmp, and it’s impolite to delete their files. However, this is your template image, and if there are people attacking your template you should reconsider how you’re doing business. Really.

Step 7: Remove the SSH host keys.

/bin/rm -f /etc/ssh/*key*

If you don’t do this, all your VMs will have the same host keys, which has negative security implications.

Step 8: Remove the root user’s shell history.

/bin/rm -f ~root/.bash_history

No sense in keeping this history around; it’s irrelevant to the cloned VM.
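A check to run after the steps above, before the template is shut down and converted. This is an added example, not part of the original article: audit_template is a hypothetical helper name, and it assumes root's home directory is /root.

```shell
#!/bin/sh
# Added example: list per-machine state still present in a template image.
# audit_template is a hypothetical helper; the argument is the image's root
# ("/" inside the running template, or a mount point of its disk).
audit_template() (
    root="${1:-/}"
    findings=0
    report() { echo "LEFTOVER: $1"; findings=$((findings + 1)); }

    # Steps 2, 4, 6, 7: files that should be gone (unmatched globs stay
    # literal, so each candidate is tested for existence).
    for f in "$root"/var/log/*-???????? "$root"/var/log/*.gz \
             "$root"/etc/udev/rules.d/70* \
             "$root"/tmp/* "$root"/var/tmp/* \
             "$root"/etc/ssh/*key*; do
        if [ -e "$f" ] || [ -L "$f" ]; then report "$f"; fi
    done

    # Step 3: audit.log and wtmp should exist but be empty.
    for f in "$root/var/log/audit/audit.log" "$root/var/log/wtmp"; do
        if [ -s "$f" ]; then report "$f (not truncated)"; fi
    done

    # Step 5: the template NIC's MAC address and UUID must not be cloned.
    f="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    if [ -f "$f" ] && grep -Eq '^(HWADDR|UUID)=' "$f"; then
        report "$f (HWADDR/UUID still set)"
    fi

    # Step 8: assumes root's home directory is /root.
    if [ -e "$root/root/.bash_history" ]; then
        report "$root/root/.bash_history"
    fi

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
)
```

Call it as audit_template / inside the template; a non-zero exit status means at least one item was left behind.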
