Alibaba Cloud image specifications (Linux)

更新时间:
复制 MD 格式

Before you import a custom image to Alibaba Cloud or publish it on Alibaba Cloud Marketplace, ensure that the image meets the specifications in this topic and passes compatibility tests with ECS instance types. Following these specifications improves the availability and import efficiency of your custom images, helping you create ECS instances tailored to your business needs. This topic describes the specifications for creating Linux images.

Disk partitions

The disk partitions must meet the following requirements.

  • Disk resizing

    • Use physical partitions to partition the disk. The root partition must be the last partition to prevent failures when resizing the system disk.

    • For systems that support online resizing of cloud disks, use the growpart command to resize the partition. To do so, you must install the cloud-utils-growpart package. For more information, see Resize partitions and file systems (Linux).

  • Swap partition

    Do not create a swap partition.

  • LVM management

    Do not use Logical Volume Management (LVM) for disk partitions.

  • Disk mounting

    You must use UUIDs to configure the fstab and grub files. For more information, see Use a UUID to automatically mount a data disk in the /etc/fstab file and Modify the disk partition identification method to UUID in the GRUB configuration file.

    Important

    If the fstab file is configured incorrectly, the ECS instance may fail to start after a restart.

  • Disk size

    The minimum capacity of the system disk is 20 GiB.

  • Set the image boot mode

    To ensure compatibility with instance types that use different boot modes, configure the boot mode (BIOS or UEFI) for your local image. When you import the image, ensure that the boot mode you select matches the actual boot mode of the image.

    Note

    If your local image supports both BIOS and UEFI, you can set the boot mode to UEFI-Preferred. The image can then automatically adapt to the boot modes of all instance types, which also helps reduce the cost of creating images.

Required software and tools

  • Install the virtio driver

    Before you publish the image, ensure that the virtio driver is installed and added to the initial RAM file system (initramfs). The virtio driver is required for the image to run on Alibaba Cloud instances. For more information, see Install virtio drivers.

  • Install the NVMe driver

    Newer generations of ECS instance families, such as ecs.g8i and ecs.g7se, mount cloud disks by using the NVMe protocol. The image must have the NVMe driver installed, or instances created from it will fail to boot. To ensure that you can use the image to create these types of ECS instances, we recommend that you install the NVMe driver on your local image. For instructions, see Install the NVMe driver for a custom image. After you import the image, set the NVMe Driver property of the image to Supported. For more information, see Modify the properties and tags of an image.

  • Install cloud-init

    You must install cloud-init to initialize the ECS instances created from the image. For more information, see Install cloud-init. We recommend that you install cloud-init 23.2.2 or later to support metadata access in security-hardened mode. This ensures the security of instance metadata access.

    Note

    Using cloud-init to modify a password requires that the operating system kernel supports the CONFIG_FW_CFG_SYSFS feature. This feature is supported by default in Linux community kernel versions 4.6 and later, and in CentOS kernel versions 3.10.0-826.el7 and later. You can run the grep -nr CONFIG_FW_CFG_SYSFS /boot/config-$(uname -r) command on the server that uses the image. If the command output contains CONFIG_FW_CFG_SYSFS=y, the kernel in the image supports the CONFIG_FW_CFG_SYSFS feature.

  • Install Cloud Assistant

    You must install the Cloud Assistant Agent when you create the image. Cloud Assistant is a native automation tool for ECS that lets you run commands (such as Shell, PowerShell, and Bat commands) in batches without requiring a password, logon, or jump server. You can use Cloud Assistant to run automated O&M scripts, poll processes, install or uninstall software, start or stop services, and install patches or security updates. For more information, see Install the Cloud Assistant Agent.

  • Secure the server

    When you create an image, we recommend that you use Security Center to secure your server. Security Center provides a comprehensive suite of security capabilities, including alert notifications, malware scanning and removal, webshell detection and removal, client self-protection, and image vulnerability scanning, to fully protect your cloud assets and on-premises servers.

System configuration

  • Configure the clock

    The hardware clock of an image supports UTC and LocalTime time zones. When you create an image, you must use the standard Coordinated Universal Time (UTC) mode. The following sample code shows how to configure the clock:

    cat > /etc/adjtime << EOF
    0.0 0 0.0
    0
    UTC
    EOF
    
    timedatectl set-local-rtc 0

    For more information, see Linux time and time zones.

  • Configure the SSHD service

    You must configure the SSHD service.

    The SSHD service is used to remotely log in to and manage Linux systems, and uses the SSH protocol for encrypted communication. An example of modifying the configuration in /etc/ssh/sshd_config is as follows:

    UseDNS no
    AddressFamily inet 
    SyslogFacility AUTHPRIV 
    PermitRootLogin yes 
    PasswordAuthentication yes 
  • Configure the Chrony or NTP service

    When you create an image, we recommend that you configure either the Chrony service or the NTP service.

    Chrony and NTP are tools used to synchronize computer clocks and prevent time drift. The following shows sample commands:

    Chrony service

    chrony_file=/etc/chrony.conf
    cat >$chrony_file <<EOF
    # Use Alibaba NTP server
    # Public NTP
    # Alicloud NTP
    
    
    server ntp.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp1.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp1.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp10.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp11.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp12.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp2.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp2.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp3.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp3.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp4.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp4.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp5.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp5.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp6.aliyun.com minpoll 4 maxpoll 10 iburst
    server ntp6.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp7.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp8.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    server ntp9.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
    
    # Ignore stratum in source selection.
    stratumweight 0.05
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    # Enable kernel RTC synchronization.
    rtcsync
    
    # In first three updates step the system clock instead of slew
    # if the adjustment is larger than 10 seconds.
    makestep 10 3
    
    # Allow NTP client access from local network.
    #allow 192.168/16
    
    # Listen for commands only on localhost.
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    
    # Disable logging of client accesses.
    noclientlog
    
    # Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
    logchange 0.5
    
    logdir /var/log/chrony
    #log measurements statistics tracking
    EOF

    NTP service

    ntp_conf=/etc/ntp.conf
        cat > $ntp_conf << EOF
    driftfile  /var/lib/ntp/drift
    pidfile    /var/run/ntpd.pid
    logfile    /var/log/ntp.log
    
    
    # Access Control Support
    restrict    default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
    restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap nopeer noquery
    restrict 100.64.0.0 mask 255.192.0.0 nomodify notrap nopeer noquery
    restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
    
    
    # local clock
    server 127.127.1.0
    fudge  127.127.1.0 stratum 10
    
    restrict ntp.aliyun.com nomodify notrap nopeer noquery
    restrict ntp.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp1.aliyun.com nomodify notrap nopeer noquery
    restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp2.aliyun.com nomodify notrap nopeer noquery
    restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp3.aliyun.com nomodify notrap nopeer noquery
    restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp4.aliyun.com nomodify notrap nopeer noquery
    restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp5.aliyun.com nomodify notrap nopeer noquery
    restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp6.aliyun.com nomodify notrap nopeer noquery
    restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
    restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
    
    
    server ntp.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
    server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
    EOF
  • Configure the MOTD service

    When you create an image, we recommend that you configure the Message of the Day (MOTD) service.

    The MOTD service in Linux displays a message after a user logs on. The following shows a sample command:

    echo -e "\nWelcome to Alibaba Cloud Elastic Compute Service ! \n" > /etc/motd
  • Disable the Firewalld service

    We recommend that you disable the Firewalld service. Firewalld is a service that manages firewall rules in Linux. You can disable the local firewall because security groups provide protection in the cloud. The following shows sample commands:

    systemctl stop firewalld
    systemctl disable firewalld
  • Configure the pip source

    If a PIP source is configured on your system, we recommend that you use the Alibaba Cloud PIP source address to obtain the latest software packages. The content of the ~/.pip/pip.conf file is as follows:

    [global]
    index-url=http://mirrors.cloud.aliyuncs.com/pypi/simple/
    
    [install]
    trusted-host=mirrors.cloud.aliyuncs.com
  • Configure the network

    If you use NetworkManager or the network service, configure the /etc/sysconfig/network-scripts/ifcfg-eth0 file as follows:

    DEVICE=eth0
    BOOTPROTO=dhcp
    ONBOOT=yes

    For information about how to configure other network services, see Configure a secondary elastic network interface.

Kernel parameters

  • Configure kernelopt

    You must configure the kernel boot parameters in GRUB to ensure the system starts correctly. The following example shows the commands for a Debian system:

    1. In the /etc/default/grub file, add the following information to the GRUB_CMDLINE_LINUX= line.

      • x86_64 architecture

        net.ifnames=0 console=tty0 console=ttyS0,115200n8
      • Arm64 architecture

        net.ifnames=0 console=tty0 console=ttyAMA0,115200n8 
    2. Run the sudo update-grub2 command to apply the GRUB configuration.

      Note

      The path of the GRUB configuration file and the command to apply the configuration vary based on the operating system. For more information, see Install the NVMe driver for a custom image.

  • Configure sysctl

    We recommend that you configure sysctl parameters to tune and optimize Linux kernel behavior.

    1. Modify the /etc/sysctl.conf file as follows.

      vm.swappiness = 0
      kernel.sysrq = 1
      
      net.ipv4.neigh.default.gc_stale_time = 120
      
      net.ipv4.conf.all.rp_filter = 0
      net.ipv4.conf.default.rp_filter = 0
      net.ipv4.conf.default.arp_announce = 2
      net.ipv4.conf.lo.arp_announce = 2
      net.ipv4.conf.all.arp_announce = 2
      
      net.ipv4.tcp_max_tw_buckets = 5000
      net.ipv4.tcp_syncookies = 1
      net.ipv4.tcp_max_syn_backlog = 1024
      net.ipv4.tcp_synack_retries = 2
      net.ipv4.tcp_slow_start_after_idle = 0
    2. Run the sudo sysctl -p command to make the changes to the kernel parameters take effect.

System security recommendations

To improve system security, we recommend taking the following actions before you import the image:

  • Lock the root account. This prevents direct logon to the system by using the root password, even if a password is set.

  • Disable password-based logon by changing the SSH PasswordAuthentication setting.

    Note

    If you set a root password during instance initialization, PasswordAuthentication for SSH may be enabled by default.

The following shows sample code:

  dst=/etc/ssh/sshd_config
  sed -i 's/^SyslogFacility.*//' $dst
  sed -i 's/^PermitRootLogin.*//' $dst
  sed -i 's/^PasswordAuthentication.*//' $dst

  echo UseDNS no >> $dst
  echo SyslogFacility AUTHPRIV >> $dst
  echo PasswordAuthentication no >> $dst

  passwd -l root
  sed -i -e 's/root:[^:]*:/root:*:/g' /etc/shadow

Image information cleanup

Before you publish the image, clear sensitive information, such as command history and logs.