Personal tools
You are here: Home Linux Xen CentOS CentOS v7.0 Xen VM Image
 

CentOS v7.0 Xen VM Image

Notes on manually creating a minimal CentOS 7 VM image.

 

/etc/fstab

Change the '/etc/fstab' to use labels (rather than uuids)

LABEL=/         /                       ext4    defaults        1 1
LABEL=swap      swap                    swap    defaults        0 0

Change the kernel boot parameters to also use a label based root (i.e. 'root=LABEL=/')

 

Packages

Delete unused packages:

# yum erase 'iwl*firmware' 'libertas*firmware' 'alsa*firmware' iprutils

Add useful diagnostic utilities:

# yum install man mlocate wget screen mtr bind-utils net-tools unzip psmisc yum-cron logwatch

admin user

Add an administration user that can sudo without a password. Add an account

  1. with a long random unknown password
  2. a member of the 'wheel' group
# adduser -G wheel --password `openssl rand -hex 32` -c "Greg" greg

Add the users ssh public key(s)

# su greg -c "umask 022 ; mkdir -p ~/.ssh ; vi ~/.ssh/authorized_keys"

Configure sudo to allow members of the wheel group to run commands without a password. Run 'visudo':

%wheel  ALL=(ALL)       NOPASSWD: ALL

ssh

 

protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

PermitRootLogin  no
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation sandbox
KeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 9
SyslogFacility AUTHPRIV
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Restart sshd

# systemctl restart sshd.service

Network Manager

This image is intented for servers/appliances with simple static network requirements. Disable Network Manager & avahi.

# systemctl stop NetworkManager.service
# systemctl disable NetworkManager.service
# systemctl stop avahi-daemon.service
# systemctl disable avahi-daemon.service

Tuned

Change the 'tuned' profile to virtual-guest:

# tuned-adm profile virtual-guest

Residual: Given a static tuned profile is selected, determine if it best to shut down the tuned daemon as it may consume more resources than it saves.

Network

Manually confiure /etc/resolv. Note that only the first three nameserver get used. Use IPv6 ULA/RFC-1918 addresses which should be less likely to be renumbered.

domain lucidsolutions.co.nz
search lucidsolutions.co.nz

nameserver fd0c:898b:471c:2::5
nameserver fd0c:898b:471c:c::2
nameserver 10.20.2.5
nameserver 10.20.12.2

/etc/sysconfig/network-scripts/ifcfg-eth0 (Note: the router is configured with an IPv6 address of fe80::1/64 on all network segments)

DEVICE=eth0
ONBOOT=yes
NM_CONTROLLED=no
TYPE=Ethernet
BOOTPROTO=static

# IPv4
IPADDR=10.20.x.2
GATEWAY=10.20.x.1
NETWORK=10.20.x.0
BROADCAST=10.20.x.255
NETMASK=255.255.255.0
NOZEROCONF=yes
MTU=9000

# IPv6
IPV6ADDR=2001:4428:225:x::2/64
IPV6ADDR_SECONDARIES=fd0c:898b:471c:x::2/64
IPV6_DEFAULTGW=fe80::1%eth0
IPV6_AUTOCONF=no
IPV6_MTU=9000

Postfix

Postfix is installed as part of the base minimal configuration. Change the configuration in '/etc/postfix/main.cf':
Settings Description
myorigin = $mydomain
Mail from the virtual machine comes from user@lucidsiolutions.co.nz
relayhost = $mydomain All mail goes via the local SMTP smarthost. VM's won't be configured to sign mail or be listed in the SPF record.

Proxy

Configure static proxy support through the environment. Applications can also use WPAD.

cat >> /etc/profile.d/proxy.sh <<EOF
export http_proxy=http://proxy.lucidsolutions.co.nz:3128/
export https_proxy=http://proxy.lucidsolutions.co.nz:3128/
export ftp_proxy=http://proxy.lucidsolutions.co.nz:3128/
export no_proxy="127.0.0.1, localhost, 10.20.*, fd0c:898b:471c:*"
EOF

In theory pam_env should load this file, but it doesn't:

cat >> /etc/environment <<EOF
http_proxy=http://proxy.lucidsolutions.co.nz:3128/
https_proxy=http://proxy.lucidsolutions.co.nz:3128/
ftp_proxy=http://proxy.lucidsolutions.co.nz:3128/
no_proxy=127.0.0.1, localhost, 10.20.*, fd0c:898b:471c:*
EOF

Firewall

Although I would be keen to use the default 'firewalld', it just doesn't seem to be there yet.

# yum install iptables-services iptables-utils 
# systemctl disable firewalld.service
# systemctl stop firewalld.service
# systemctl enable iptables.service
# systemctl enable ip6tables.service
# systemctl start iptables.service
# systemctl start ip6tables.service

Add the default firewall configuration files from the appendices. Add 'nf_conntrack_ftp' to /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config.

yum-cron

Enable updates to be applied:

# sed -ie 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf

Links

Appendices

 

iptables

#
# firewall config for xen vm
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmpForward - [0:0]
:icmpIn - [0:0]
:icmpOut - [0:0]
:tcpForward - [0:0]
:tcpIn - [0:0]
:tcpOut - [0:0]
:udpForward - [0:0]
:udpIn - [0:0]
:udpOut - [0:0]
#
#
# Drop any NEW tcp sessions that don't have a syn bit
-A tcpIn      -p tcp -m tcp ! --syn -m state --state NEW -j DROP
#
#  Established connections
#  -----------------------
#
# TCP
-A tcpForward -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A tcpForward -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A tcpIn      -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A tcpIn      -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A tcpOut     -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A tcpOut     -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
#
# UDP
-A udpForward -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A udpForward -p udp -m udp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A udpIn      -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A udpIn      -p udp -m udp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A udpOut     -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A udpOut     -p udp -m udp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
#
# ICMP
-A icmpForward -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A icmpIn      -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A icmpOut     -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH in
-A tcpIn -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#
-A tcpOut -p tcp -m tcp --dport 80   -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 443  -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
#
# Mail out
-A tcpOut -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
#
# DNS out
-A tcpOut -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A udpOut -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

#
# ICMP - echo request
-A icmpIn      -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A icmpOut     -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
#
#  Append the chains to the main chains
#  ====================================
#
-A INPUT   --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
-A OUTPUT  --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
#
-A FORWARD -p tcp                 -j tcpForward
-A INPUT   -p tcp                 -j tcpIn
-A OUTPUT  -p tcp                 -j tcpOut
-A FORWARD -p udp                 -j udpForward
-A INPUT   -p udp                 -j udpIn
-A OUTPUT  -p udp                 -j udpOut
-A FORWARD -p icmp                -j icmpForward
-A INPUT   -p icmp                -j icmpIn
-A OUTPUT  -p icmp                -j icmpOut
#
# log, drop, and drop again anything not explicitly allowed
-A INPUT   -j LOG --log-prefix "vm-in "
-A OUTPUT  -j LOG --log-prefix "vm-out "
-A FORWARD -j LOG --log-prefix "vm-forward "
#
-A INPUT   --jump DROP
-A OUTPUT  --jump DROP
-A FORWARD --jump DROP
COMMIT

ip6tables

#
# IPv6 firewall config for xen vm
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmpIn - [0:0]
:icmpOut - [0:0]
:tcpIn - [0:0]
:tcpOut - [0:0]
:udpIn - [0:0]
:udpOut - [0:0]
#
# Drop any NEW tcp sessions that don't have a syn bit
-A tcpIn      -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
#
#  Established connections
#  -----------------------
#
# TCP
-A tcpIn      -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A tcpIn      -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A tcpOut     -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A tcpOut     -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
#
# UDP
-A udpIn      -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A udpIn      -p udp -m udp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
-A udpOut     -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A udpOut     -p udp -m udp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
#
# ICMP
-A icmpIn      -p icmpv6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A icmpOut     -p icmpv6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH in
-A tcpIn -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# http/squid
-A tcpOut -p tcp -m tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 80   -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 443  -m conntrack --ctstate NEW -j ACCEPT

# SMTP out
-A tcpOut -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

# DNS out
-A tcpOut -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A udpOut -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT


# ICMP
# ====

# type #1
-A icmpIn  -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
# type #2
-A icmpIn  -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# type #3
-A icmpIn  -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# type #4
-A icmpIn  -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT

# type #128/129
-A icmpIn  -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# type #134
-A icmpIn  -p icmpv6 --source fe80::/10 --icmpv6-type 134 -j ACCEPT

# Neighbor solicatation
-A icmpIn  -p icmpv6 --icmpv6-type 135 -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type 135 -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type 136 -j ACCEPT
-A icmpOut -p icmpv6 --icmpv6-type 136 -j ACCEPT

# type #134
-A icmpOut -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT

# type #135
-A icmpOut -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT

# type #136
-A icmpOut -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT

# type #137
-A icmpOut -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A icmpIn  -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT


# type #143
-A icmpIn  -p icmpv6 --source      fe80::/10 --icmpv6-type 143 -j ACCEPT
-A icmpOut -p icmpv6 --destination ff02::/16 --icmpv6-type 143 -j ACCEPT
#
#  Append the chains to the main chains
#  ====================================
#
-A INPUT   --source ::1/128 --destination ::1/128 -j ACCEPT
-A OUTPUT  --source ::1/128 --destination ::1/128 -j ACCEPT
#
-A INPUT   -p tcp                 -j tcpIn
-A OUTPUT  -p tcp                 -j tcpOut
-A INPUT   -p udp                 -j udpIn
-A OUTPUT  -p udp                 -j udpOut
-A INPUT   -p icmpv6              -j icmpIn
-A OUTPUT  -p icmpv6              -j icmpOut
#
# log, drop, and drop again anything not explicitly allowed
-A INPUT   -j LOG --log-prefix "vm-6in "
-A OUTPUT  -j LOG --log-prefix "vm-6out "
-A FORWARD -j LOG --log-prefix "vm-6forward "
#
-A INPUT   --jump DROP
-A OUTPUT  --jump DROP
-A FORWARD --jump DROP
COMMIT

 

Document Actions