Before you import custom images to Alibaba Cloud or release custom images in the Alibaba Cloud Marketplace, the images must meet the image requirements and pass tests on compatibility with Elastic Compute Service (ECS) instance types. This helps improve the availability and import efficiency of custom images and facilitates the subsequent creation of ECS instances that meet various business requirements. This topic describes the requirements for Alibaba Cloud Linux images.
Disk partitions
When you partition disks for Alibaba Cloud images during image creation, make sure that the following requirements are met:
Disk resizing
Disks are divided into logical partitions based on physical partitions. The last logical partition on each disk is used as the root partition, which prevents system disk partition failures.
For operating systems that support online disk resizing, we recommend that you install the cloud-utils-growpart package and use the growpart utility to extend partitions to occupy available disk space. For more information, see Extend the partitions and file systems of disks on a Linux instance.
Swap partitions
When you create images, do not use swap partitions.
Disk mounting
You must configure UUIDs in the fstab and grub files. For more information, see Configure UUIDs in the fstab file to automatically mount data disks and How to Modify the File Disk Identifier to UUID in a Linux Image Grub File.
Important: If the fstab file is incorrectly configured for an ECS instance, the instance may fail to run as expected after the instance is restarted.
Disk sizes
The system disk size must be set to at least 20 GiB.
Required software and tools
Install the virtio driver
Before you release an image, make sure that the virtio driver is installed for the image and that the virtio driver is added to temporary file systems. The virtio driver ensures that the image can be used as expected on ECS instances. For more information, see Install the virtio driver.
Install the NVMe driver
Specific instance families, such as ecs.g7se, ecs.c7se, and ecs.r7se, allow disks to be attached by using the Non-Volatile Memory Express (NVMe) protocol. If you want to use an image to create ECS instances of one of the preceding instance families and ensure that the instances run as expected, install the NVMe driver on the image. For more information, see How do I install the NVMe driver for a custom image?
Install cloud-init
When you create images, install cloud-init to ensure that the ECS instances that run the images can be initialized. For more information, see Install cloud-init.
Note: If you want to use cloud-init to change passwords, make sure that the operating system kernel of your image supports the CONFIG_FW_CFG_SYSFS feature. By default, Linux community kernel 4.6 and later and CentOS kernel 3.10.0-826.el7 and later support the CONFIG_FW_CFG_SYSFS feature. To check whether this feature is supported, run the following command on the source server of the image:
grep -nr CONFIG_FW_CFG_SYSFS /boot/config-$(uname -r)
If the command output contains CONFIG_FW_CFG_SYSFS=y, the kernel of the image supports the CONFIG_FW_CFG_SYSFS feature.
Install Cloud Assistant
When you create images, install Cloud Assistant. Cloud Assistant is a native automated O&M tool developed for ECS. Cloud Assistant allows you to batch run commands, such as shell, PowerShell, and batch commands, to execute various tasks on ECS instances in a password-free manner without the need to log on to the instances or use jump servers. You can use Cloud Assistant to perform automated O&M tasks, poll processes, install or uninstall software, start or stop services, and install patches or security updates. For more information, see Install Cloud Assistant Agent.
Use Security Center to protect the source servers of images
When you create images, we recommend that you use Alibaba Cloud Security Center to protect your servers. Security Center provides security capabilities such as alert notifications, virus detection and removal, webshell detection and removal, client protection, and image scanning to protect your cloud assets and on-premises servers.
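The following script is an added example and is not part of the Alibaba Cloud documentation. It turns three of the requirements above (fstab entries mount by UUID, no swap partition, kernel config enables CONFIG_FW_CFG_SYSFS) into checks that take file paths as arguments, so they can be run on copies of the image's files before the image is exported. The sample fstab and kernel config it creates are constructed for the stand-alone run; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud documentation): pre-import checks
# for the Disk mounting, Swap partitions and cloud-init requirements above.
# Each check takes a file path so it can be run on a copy of the image's files.

# 0 if every device-backed fstab entry is identified by UUID= or LABEL=,
# 1 if any entry still uses a /dev path, which may change between boots on ECS.
fstab_uses_uuid() {
    bad=0
    while read -r dev mnt fstype rest; do
        case "$dev" in ''|'#'*) continue ;; esac                          # blank line or comment
        case "$fstype" in proc|sysfs|tmpfs|devpts|swap) continue ;; esac  # no block device behind it
        case "$dev" in
            UUID=*|LABEL=*) ;;
            *) echo "fstab: $mnt is mounted by device path '$dev'; use UUID=" >&2; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# 0 if the fstab declares no swap entry (the page says not to use swap partitions).
fstab_has_no_swap() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 == "swap" { found = 1 } END { exit found }' "$1"
}

# 0 if the kernel config enables CONFIG_FW_CFG_SYSFS. The page checks for =y;
# =m also provides the feature once the qemu_fw_cfg module is loaded.
kernel_has_fw_cfg_sysfs() {
    grep -q '^CONFIG_FW_CFG_SYSFS=[ym]$' "$1"
}

# Run all checks and report; returns non-zero if any check fails.
# Usage: preimport_checks /etc/fstab /boot/config-$(uname -r)
preimport_checks() {
    rc=0
    fstab_uses_uuid "$1"         || { echo "FAIL: fstab entries must use UUID=";        rc=1; }
    fstab_has_no_swap "$1"       || { echo "FAIL: remove swap partitions from fstab";   rc=1; }
    kernel_has_fw_cfg_sysfs "$2" || { echo "FAIL: kernel lacks CONFIG_FW_CFG_SYSFS";   rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: image passes the checks"
    return "$rc"
}

# Constructed sample files for a stand-alone run (not taken from a real server).
sample=$(mktemp -d)
cat > "$sample/fstab" <<'EOF'
UUID=11111111-2222-4333-8444-555555555555 /      ext4 defaults 1 1
/dev/vdb1                                 /data  ext4 defaults 0 0
EOF
printf 'CONFIG_FW_CFG_SYSFS=y\n' > "$sample/config"
preimport_checks "$sample/fstab" "$sample/config"   # reports the /dev/vdb1 entry
rm -rf "$sample"
```

On the source server the same functions are run against /etc/fstab and /boot/config-$(uname -r); a non-zero exit from preimport_checks means the image does not yet meet the requirements in this section.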
System configurations
Configure the clock
The hardware clock of an image can be in Coordinated Universal Time (UTC) or in the local time zone. Use UTC time when you create images. Sample commands:
# The three-line content below is the format of the hwclock adjustment file,
# so $dst must point to it.
dst=/etc/adjtime
cat > $dst << EOF
0.0 0 0.0
0
UTC
EOF
timedatectl set-local-rtc 0
For more information, see Linux time and time zones.
Configure the sshd service
When you create images, configure the sshd service.
sshd is a Linux service that is used to remotely log on to and manage a Linux operating system. sshd uses SSH to establish encrypted communication channels and secure remote logons. In the following example, the following settings are configured in the /etc/ssh/sshd_config file:
UseDNS no
AddressFamily inet
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
Configure the chrony service or NTP service
When you create images, we recommend that you configure the chrony service or Network Time Protocol (NTP) service.
chrony and NTP are network protocols that are used for synchronizing computer clocks with time sources to ensure time accuracy and prevent issues that are caused by time discrepancies.
Sample commands used to configure the chrony service
chrony_file=/etc/chrony.conf
cat >$chrony_file <<EOF
# Use Alibaba NTP server
# Public NTP
# Alicloud NTP
server ntp.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp1.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp1.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp10.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp11.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp12.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp2.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp2.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp3.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp3.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp4.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp4.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp5.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp5.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp6.aliyun.com minpoll 4 maxpoll 10 iburst
server ntp6.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp7.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp8.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
server ntp9.cloud.aliyuncs.com minpoll 4 maxpoll 10 iburst
# Ignore stratum in source selection.
stratumweight 0.05
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Enable kernel RTC synchronization.
rtcsync
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3
# Allow NTP client access from local network.
#allow 192.168/16
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
# Disable logging of client accesses.
noclientlog
# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5
logdir /var/log/chrony
#log measurements statistics tracking
EOF
Sample commands used to configure the NTP service
ntp_conf=/etc/ntp.conf
cat > $ntp_conf << EOF
driftfile /var/lib/ntp/drift
pidfile /var/run/ntpd.pid
logfile /var/log/ntp.log
# Access Control Support
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap nopeer noquery
restrict 100.64.0.0 mask 255.192.0.0 nomodify notrap nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
# local clock
server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict ntp.aliyun.com nomodify notrap nopeer noquery
restrict ntp.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
restrict ntp1.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp10.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp11.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp12.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp2.aliyun.com nomodify notrap nopeer noquery
restrict ntp2.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp3.aliyun.com nomodify notrap nopeer noquery
restrict ntp3.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp4.aliyun.com nomodify notrap nopeer noquery
restrict ntp4.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp5.aliyun.com nomodify notrap nopeer noquery
restrict ntp5.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp6.aliyun.com nomodify notrap nopeer noquery
restrict ntp6.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp7.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp8.cloud.aliyuncs.com nomodify notrap nopeer noquery
restrict ntp9.cloud.aliyuncs.com nomodify notrap nopeer noquery
server ntp.aliyun.com iburst minpoll 4 maxpoll 10
server ntp.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
EOF
Configure the MOTD service
When you create images, we recommend that you configure the Message of the Day (MOTD) service.
The MOTD service is a Linux feature that is used to display a message or an announcement when you log on to a Linux operating system. Sample command:
echo -e "\nWelcome to Alibaba Cloud Elastic Compute Service ! \n" > /etc/motd
Disable the Firewalld service
When you create images, we recommend that you disable the Firewalld service. Firewalld is a firewall management service for Linux operating systems. Security groups instead of Firewalld provide protection in the cloud. Sample commands:
systemctl stop firewalld
systemctl disable firewalld
Configure the pip repository
If the pip repository is configured, we recommend that you use the address of the Alibaba Cloud pip repository to obtain the most recent software package from Alibaba Cloud. Sample content in the ~/.pip/pip.conf file:
[global]
index-url=http://mirrors.cloud.aliyuncs.com/pypi/simple/
[install]
trusted-host=mirrors.cloud.aliyuncs.com
Configure the network settings
If NetworkManager or a network service is used, configure the /etc/sysconfig/network-scripts/ifcfg-eth0 file:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
For information about other network service configurations, see Configure a secondary ENI.
Kernel parameter configurations
Configure the kernelopt parameter
When you create images, configure the kernelopt kernel parameters of the GRand Unified Bootloader (GRUB) to ensure that the operating systems can start as expected. In the following example, a Debian operating system is used.
In the /etc/default/grub file, add the following parameters to the GRUB_CMDLINE_LINUX= line.
x86_64 architecture:
net.ifnames=0 console=tty0 console=ttyS0,115200n8
Arm64 architecture:
net.ifnames=0 console=tty0 console=ttyAMA0,115200n8
Run the sudo update-grub2 command to allow the GRUB configurations to take effect.
Note: The path of the GRUB configuration file varies based on the operating system. For more information, see How do I install the NVMe driver for a custom image?
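The following script is an added example and is not part of the Alibaba Cloud documentation. It applies the kernelopt parameters listed above to the GRUB_CMDLINE_LINUX= line of a /etc/default/grub file, picks the serial console by CPU architecture, and skips parameters that are already present so it can be run more than once; the file path is passed as an argument so the behaviour can be checked on a constructed copy first. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud documentation): add the kernelopt
# parameters from this section to GRUB_CMDLINE_LINUX in a /etc/default/grub
# file, choosing the serial console by architecture and never adding a parameter
# twice, so the function is safe to run repeatedly from an image build script.

# Print the parameters this page lists for the given architecture (uname -m form).
ecs_kernel_params() {
    case "$1" in
        x86_64)        echo "net.ifnames=0 console=tty0 console=ttyS0,115200n8" ;;
        aarch64|arm64) echo "net.ifnames=0 console=tty0 console=ttyAMA0,115200n8" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Print the current GRUB_CMDLINE_LINUX value without its quotes (empty if unset).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Add the missing parameters to GRUB_CMDLINE_LINUX in the given file, creating
# the line when it is absent. Usage: add_grub_params /etc/default/grub "$(uname -m)"
add_grub_params() {
    grub_file="$1"
    params=$(ecs_kernel_params "$2") || return 1
    new=$(grub_cmdline "$grub_file")
    for p in $params; do
        case " $new " in
            *" $p "*) ;;                     # already present, keep a single copy
            *) new="${new:+$new }$p" ;;
        esac
    done
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grub_file"; then
        # escape the characters sed treats specially in a replacement (& and /)
        esc=$(printf '%s' "$new" | sed 's/[&/]/\\&/g')
        sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"$esc\"/" "$grub_file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$grub_file"
    fi
}

# Constructed sample file for a stand-alone run (not a real /etc/default/grub).
sample=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="quiet"\n' > "$sample"
add_grub_params "$sample" x86_64
echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline "$sample")"
rm -f "$sample"
```

On the image itself the call is add_grub_params /etc/default/grub "$(uname -m)", followed by the sudo update-grub2 step from this section; the function only edits the configuration file and does not regenerate the GRUB menu.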
Configure sysctl parameters
When you create images, we recommend that you configure sysctl parameters to adjust and optimize the runtime parameters of the Linux kernel.
Perform the following modifications in the /etc/sysctl.conf file:
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
Run the sudo sysctl -p command to allow the kernel parameter modifications to take effect.
System security recommendations
To improve system security, take note of the following items before you import custom images to Alibaba Cloud:
Lock out the root account. This ensures that even if a root password is set, other users cannot log on to the system by using the root account and password.
To disable the password-based logon, change the PasswordAuthentication parameter.
Note: If you set a root password for instance initialization, you may set the PasswordAuthentication parameter to yes, which indicates that the password-based logon is enabled.
Sample code:
dst=/etc/ssh/sshd_config
# Remove the existing settings first: sshd applies the first occurrence of a
# keyword, so the values appended below must be the only active ones.
sed -i 's/^UseDNS.*//' $dst
sed -i 's/^SyslogFacility.*//' $dst
sed -i 's/^PermitRootLogin.*//' $dst
sed -i 's/^PasswordAuthentication.*//' $dst
echo UseDNS no >> $dst
echo SyslogFacility AUTHPRIV >> $dst
echo PasswordAuthentication no >> $dst
# Lock the root account and invalidate its password hash.
passwd -l root
sed -i -e 's/root:[^:]*:/root:*:/g' /etc/shadow
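The following script is an added example and is not part of the Alibaba Cloud documentation. It sets the sshd_config options used in the sample code above and in the "Configure the sshd service" section in a way that accounts for two details of how sshd reads its configuration: only the first active occurrence of a keyword counts, and anything placed after a Match line applies only inside that Match block. The file path is passed as an argument so the behaviour can be checked on a constructed copy; the function names and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud documentation): set sshd_config
# options so that exactly one active global line carries each keyword. sshd
# applies the first occurrence of a keyword, so a value appended after an
# existing active line is ignored, and a line appended after a "Match" block
# applies only within that block instead of globally.

# Usage: set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
set_sshd_option() {
    cfg="$1" key="$2" value="$3"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        # first Match block: place the global setting just before it
        !done && $0 !~ /^[[:space:]]*#/ && tolower($1) == "match" { print k " " v; done = 1 }
        # drop earlier active lines for the keyword in the global section;
        # commented defaults and Match-block overrides are left as they are
        !done && $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { next }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"       # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Print the global value sshd would use for a keyword (empty if it is unset).
sshd_effective() {
    awk -v k="$2" '
        $0 ~ /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Apply the settings from the sample code above to the given file.
harden_sshd_config() {
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" SyslogFacility AUTHPRIV
    set_sshd_option "$1" PasswordAuthentication no
}

# Constructed sample configuration for a stand-alone run (not a real sshd_config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UseDNS yes
Match User deploy
    PasswordAuthentication yes
EOF
harden_sshd_config "$sample"
echo "PasswordAuthentication is now: $(sshd_effective "$sample" PasswordAuthentication)"
rm -f "$sample"
```

After editing the real file, sshd -t checks the syntax before the service is restarted, and sshd_effective shows which value will actually be in force for the global section.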
Clear image information
Before independent software vendors (ISVs) release images, the ISVs can clear historical records and logs based on their business requirements.