Procedure
1. Install the KVM packages
The host used to build the image needs the KVM tool set.
yum install qemu-kvm qemu-img python-virtinst virt-install libvirt libvirt-python virt-manager libvirt-client bridge-utils -y
yum install guestfish libguestfs-bash-completion libguestfs-winsupport libguestfs-tools -y
# optional: a desktop on the host, for running a VNC client to the guest OS
yum group install "GNOME Desktop" -y
2. Open the cloud image file
When building from a cloud image, open the image as follows.
If you install from an ISO instead, follow the ISO installation in the next step.
For example, the CentOS 7.9 cloud image is: CentOS-7-x86_64-GenericCloud-2009.qcow2.
# copy the image from /root/ to /usr/local/src/
cp CentOS-7-x86_64-GenericCloud-2009.qcow2 /usr/local/src/centos79.qcow2
cd /usr/local/src/
# set the root password offline in the image
guestfish --rw -a ./centos79.qcow2
run
list-filesystems
mount /dev/sda1 /
vi /etc/shadow
# in a host shell, generate root's password hash with: openssl passwd -1 xxxpass
# replace the hash field (the xxxxxxxxxxxx part) of the root line in shadow with the shell output
# centos 6:
vi /etc/grub.conf          # add console=tty0 to the kernel line (the GRUB_CMDLINE_LINUX equivalent)
vi /etc/shadow             # set the root hash as above
vi /etc/cloud/cloud.cfg    # set disable_root: 0
quit                       # leave guestfish
chown qemu:qemu centos79.qcow2
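The hand edit of /etc/shadow inside guestfish can be scripted so the hash is never retyped. The following is an added example, not part of the original document: it rewrites root's hash field in a shadow-format file and wraps the edit with guestfish's download/upload commands. The function names are this example's own; it assumes the hash comes from something like "openssl passwd -6" (SHA-512-crypt, the scheme CentOS 7 itself uses) rather than the MD5-crypt that "openssl passwd -1" produces.

```shell
#!/bin/sh
# Added example, not part of the original document: set root's password
# hash in an image's /etc/shadow from the host instead of editing the file
# by hand inside guestfish. Function names and the hash source are this
# example's own assumptions.

# Rewrite root's hash field (field 2) in a shadow-format file, leaving
# every other line and field untouched. Writes via a temp file so a
# failed awk does not truncate the original.
set_root_hash_in_shadow() {
    shadow_file="$1"
    new_hash="$2"
    awk -v hash="$new_hash" 'BEGIN { FS = OFS = ":" }
        $1 == "root" { $2 = hash }
        { print }' "$shadow_file" > "$shadow_file.tmp" &&
        mv "$shadow_file.tmp" "$shadow_file"
}

# Print root's current hash field; exit status 1 if there is no root line.
root_hash_of() {
    awk 'BEGIN { FS = ":" }
        $1 == "root" { print $2; found = 1 }
        END { exit !found }' "$1"
}

# Apply the change to a qcow2 image: -i inspects and mounts the guest
# filesystems, "download"/"upload" copy the file out and back in, and the
# trailing chmod keeps shadow unreadable. Needs libguestfs on the host;
# not exercised by the offline test.
set_image_root_hash() {
    image="$1"
    new_hash="$2"
    tmp=$(mktemp) || return 1
    guestfish --rw -a "$image" -i download /etc/shadow "$tmp" || { rm -f "$tmp"; return 1; }
    set_root_hash_in_shadow "$tmp" "$new_hash" || { rm -f "$tmp"; return 1; }
    guestfish --rw -a "$image" -i upload "$tmp" /etc/shadow : chmod 0 /etc/shadow
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the host, after copying the image to /usr/local/src:
#   hash=$(openssl passwd -6)        # prompts for the password, prints the hash
#   set_image_root_hash /usr/local/src/centos79.qcow2 "$hash"
```

Because the hash is passed as an argument, the clear-text password never lands in the shell history of the build host; only the prompt inside openssl sees it.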
Create the VM XML definition: vi centos79.xml.
During the build the VM must reach the Internet to download packages with yum, so use either KVM's default NAT network or a bridged network.
For NAT, first confirm the name of the default NAT virtual network with virsh net-list and virsh net-dumpxml xxx, then set source network='xxx' in the VM XML to that name.
<domain type='kvm'>
<name>centos79</name>
<memory unit='GiB'>2</memory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<boot dev='hd'/>
</os>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/usr/local/src/centos79.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<interface type='network'>
<source network='default'/>
<model type='virtio'/>
</interface>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>
<graphics type='vnc' port='25911' autoport='no' listen='0.0.0.0'>
<listen type='address' address='0.0.0.0'/>
</graphics>
<console type='pty'>
<source path='/dev/pts/7'/>
<target type='virtio' port='1'/>
</console>
<serial type='pty'>
<source path='/dev/pts/6'/>
<target type='isa-serial' port='0'/>
</serial>
</devices>
</domain>
Start the VM.
chown qemu:qemu centos79.xml
virsh define centos79.xml
virsh start centos79
Connect to port 25911 on the host IP with a VNC client such as VNC Viewer and log in to the VM. The graphics element above binds VNC to 0.0.0.0 without a password, so keep that port reachable only from the build network while the image is being made.
On CentOS 7/8 log in with the root password you set; CentOS 6 logs in without a password, but run passwd root immediately after login to set one.
3. Install the system
If you use an ISO, install the system as follows.
With the ISO stored under /root, for example, create the system disk:
Keep the system disk at 8G or less; a large virtual size makes creating VMs from the image slow.
qemu-img create -f qcow2 /usr/local/src/centos79.qcow2 8G
chown qemu:qemu /usr/local/src/centos79.qcow2
chown qemu:qemu /usr/local/src/CentOSxxxxxx.iso
Create the VM XML definition: vi centos79.xml.
During the build the VM must reach the Internet to download packages with yum, so use either KVM's default NAT network or a bridged network.
For NAT, first confirm the name of the default NAT virtual network with virsh net-list and virsh net-dumpxml xxx, then set source network='xxx' in the VM XML to that name.
<domain type='kvm'>
<name>centos79</name>
<memory unit='GiB'>2</memory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
<boot dev='cdrom'/>
<boot dev='hd'/>
</os>
<clock sync="localtime"/>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='none'/>
<source file='/usr/local/src/centos79.qcow2'/>
<target dev='hda' bus='ide'/>
</disk>
<disk type='file' device='cdrom'>
<source file='/usr/local/src/CentOSxxxxxx.iso'/>
<target dev='hdb' bus='ide'/>
<readonly/>
</disk>
<interface type='network'>
<source network='default'/>
</interface>
<channel type='unix'>
<source mode='bind' path='/var/lib/libvirt/qemu/org.qemu.guest_agent.0'/>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<graphics type='vnc' port='25911' autoport='no' listen='0.0.0.0'>
<listen type='address' address='0.0.0.0'/>
</graphics>
</devices>
</domain>
Start the VM.
chown qemu:qemu centos79.xml
virsh define centos79.xml
virsh start centos79
Connect to port 25911 on the host IP with a VNC client such as VNC Viewer and run the installer.
For security, do not create any ordinary user during installation, and set a complex root password that meets the security requirements.
- The system language must be English; otherwise cloudinit-utils-growpart cannot grow the root partition automatically during initialization.
- Choose a domestic time zone such as Asia/Shanghai, and enable kdump.
- Tick DHCP for the IP address; after installation you can then ssh into the VM first, which makes it easy to paste the commands that follow.
- In the software selection, use the minimal install and tick the "Development Tools" and "Compatibility Libraries" groups.
- For the hostname, keep the default localhost.localdomain.
- For partitioning, use "standard partition" rather than LVM, delete the swap partition, and make sure the root partition is the last partition on the system disk; only then can cloud-init growpart grow the root partition automatically later.
- For the filesystem, newer releases such as 7.9 can use xfs; for older ones such as CentOS 7.1 use ext4, otherwise the cloud-init disk growth may not take effect (or simply use ext4 for every release).
After installation, first make sure the ISO is ejected from the cdrom: click reboot in the installer and check whether it ejects automatically (it usually does). If not, detach the disk manually as below and reboot the VM:
virsh detach-disk --type cdrom --mode readonly centos79 hdb   # or: virsh edit centos79 and remove the iso cdrom disk
virsh reboot centos79                                        # or: virsh destroy centos79; virsh start centos79
4. Check the kernel
Check that the kernel supports the virtio NIC and disk drivers.
If they are missing, the kernel must be rebuilt; common Linux distributions support them.
grep -i virtio /boot/config-$(uname -r)
lsinitrd /boot/initramfs-$(uname -r).img | grep virtio
5. Configuration
Delete weak-password users, set the time zone, check the hostname, switch the package repositories, and enable NetworkManager.
userdel -r user   # list login-shell users with: cat /etc/passwd | grep bash; only root should remain
# make sure the locale is UTF-8
locale
echo $LANG
# if it is not UTF-8: localectl set-locale LANG=en_US.utf8
timedatectl set-timezone Asia/Shanghai                     # centos 7/8
cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime     # centos 6
hostnamectl status              # centos 7/8: expect localhost.localdomain
cat /etc/sysconfig/network      # centos 6: expect localhost.localdomain
# centos 6: if the hostname is not localhost.localdomain, set it in /etc/sysconfig/network and reboot
# centos 7: epel repo
yum install wget -y
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# centos 6: point the base repos at the vault; minorver is the installed release, e.g. 6.10
minorver=6.10
sudo sed -e "s|^mirrorlist=|#mirrorlist=|g" \
    -e "s|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=https://mirrors.aliyun.com/centos-vault/$minorver|g" \
    -i.bak \
    /etc/yum.repos.d/CentOS-*.repo
yum install wget -y
# centos 6: epel (archive)
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-archive-6.repo
# centos 8: point the base repos at the vault; minorver is the installed release, e.g. 8.2.2004
minorver=8.2.2004
sudo sed -e "s|^mirrorlist=|#mirrorlist=|g" \
    -e "s|^#baseurl=http://mirror.centos.org/\$contentdir/\$releasever|baseurl=https://mirrors.aliyun.com/centos-vault/$minorver|g" \
    -i.bak \
    /etc/yum.repos.d/CentOS-*.repo
yum install wget -y
# centos 8: epel
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
# centos 7/8: NetworkManager
yum install NetworkManager -y
systemctl start NetworkManager && systemctl enable NetworkManager && systemctl status NetworkManager
Install the acpid power-management package, disable the zeroconf route, install qemu-guest-agent, and configure console output.
# cloud-init reaches its metadata on 169.254.0.0; disable the zeroconf route Linux adds for that range
echo "NOZEROCONF=yes" >>/etc/sysconfig/network
# centos 7/8: acpid
yum install acpid -y
systemctl enable acpid
# centos 6: acpid
yum install acpid -y
/etc/init.d/acpid start
chkconfig acpid on
# centos 7/8: qemu-ga
yum install qemu-guest-agent -y
systemctl enable qemu-guest-agent
# centos 6: qemu-ga
yum install qemu-guest-agent -y
/etc/init.d/qemu-ga start
chkconfig qemu-ga on
# centos 7/8: console
cat /boot/grub2/grub.cfg    # check the current kernel command line
vi /etc/default/grub        # in GRUB_CMDLINE_LINUX, after "rhgb quiet", add: console=tty0 console=ttyS0,115200n8
grub2-mkconfig -o /boot/grub2/grub.cfg
# arm64 efi: grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
reboot
cat /proc/cmdline           # confirm the console options took effect
# centos 6: console
# add to the kernel line in /etc/grub.conf: console=tty0 console=ttyS0,115200
grub-install /dev/vda       # reinstall grub
# common tools
yum install unzip zip man parted -y
yum install usbutils gdisk parted ntfs-3g ntfs-3g-devel -y   # usb device support
yum install numactl numactl-libs numactl-devel -y
yum group install "Compatibility Libraries" -y
yum group install "Development Tools" -y
sed -i 's/=enforcing/=permissive/' /etc/selinux/config
setenforce 0
yum install curl wget -y
yum install net-tools traceroute lsof tcpdump iotop -y
yum install bash-completion -y
yum install pciutils -y   # gpu identification
update-pciids
systemctl start serial-getty@ttyS0.service
systemctl enable serial-getty@ttyS0.service
systemctl status serial-getty@ttyS0.service
6. Network configuration
# centos 7/8
vi /etc/sysconfig/network-scripts/ifcfg-eth0   # contents as follows
TYPE=Ethernet
BOOTPROTO=dhcp
DEVICE=eth0
NAME=eth0
ONBOOT=yes
USERCTL=yes
PEERDNS=yes
IPV6INIT=yes
PERSISTENT_DHCLIENT="1"
cat /boot/grub2/grub.cfg   # check whether net.ifnames=0 biosdevname=0 is already present (ISO installs may lack it)
vi /etc/default/grub       # add to GRUB_CMDLINE_LINUX: net.ifnames=0 biosdevname=0
grub2-mkconfig -o /boot/grub2/grub.cfg
# arm64 efi: grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
reboot
cat /proc/cmdline          # confirm the options took effect
# centos 6
rm -f /etc/udev/rules.d/70-persistent-net.rules
PRIMARY_INTERFACE=$(ip route list match 0.0.0.0 | awk 'NR==1 {print $5}')
sed -i '/UUID/d' /etc/sysconfig/network-scripts/ifcfg-$PRIMARY_INTERFACE
sed -i '/HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-$PRIMARY_INTERFACE
/etc/init.d/network restart
7. Configure cloud-init
# centos 7/8
yum install cloud-init -y
yum install cloud-utils cloud-utils-growpart -y
sed -i "s/disable_root.*/disable_root\: 0/;s/ssh_pwauth.*/ssh_pwauth\: 0/" /etc/cloud/cloud.cfg   # allow root login, disable ssh password auth
vi /etc/cloud/cloud.cfg   # verify the two settings
systemctl enable cloud-init
systemctl list-unit-files |grep -i cloud   # confirm the cloud-init units are enabled
# centos 6
yum install cloud-init cloud-utils cloud-utils-growpart -y
yum install dracut-kernel dracut dracut-modules-growroot -y
sed -i "s/disable_root.*/disable_root\: 0/;s/ssh_pwauth.*/ssh_pwauth\: 0/" /etc/cloud/cloud.cfg
vi /etc/cloud/cloud.cfg   # verify the two settings
chkconfig --list |grep -i cloud   # confirm the cloud-init services are on
dracut -f
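The sed above only rewrites lines that already exist in cloud.cfg; if a key is absent, the file is left unchanged and cloud-init keeps its default. The following is an added example, not part of the original document, that sets a top-level key in the file, replacing the existing line or appending one when it is missing. The function names and arguments are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original document: set a top-level
# "key: value" entry in /etc/cloud/cloud.cfg, replacing an existing line
# or appending one when the key is absent. Names are this example's own.

# Only an uncommented line that starts with the key at column 0 is
# replaced, so comments and nested keys are left alone. The result is
# written through a temp file so a failed awk leaves the config intact.
set_cloud_cfg_key() {
    cfg="$1"; key="$2"; value="$3"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^" key ":") { print key ": " value; seen = 1; next }
        { print }
        END { if (!seen) print key ": " value }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the value of a top-level key (empty output if it is absent).
cloud_cfg_value() {
    awk -v key="$2" '
        $0 ~ ("^" key ":") { sub("^" key ":[ \t]*", ""); print; exit }
    ' "$1"
}

# Usage, equivalent to the sed in this section but safe when a key is missing:
#   set_cloud_cfg_key /etc/cloud/cloud.cfg disable_root 0
#   set_cloud_cfg_key /etc/cloud/cloud.cfg ssh_pwauth 0
#   cloud_cfg_value /etc/cloud/cloud.cfg ssh_pwauth     # should print 0
```

After running it, re-read the file with cloud_cfg_value (or vi, as the step says) before moving on; a typo in the key name would otherwise silently append a second, unrelated entry.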
8. Security hardening
Based on the baseline supplied by the security team and adjusted to the actual situation; not every baseline item was applied.
# firewalld
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --list-all
vi /etc/login.defs   # passwords expire after 90 days, minimum length 8
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
PASS_WARN_AGE 10
vi /etc/security/pwquality.conf   # at least 3 character classes
minclass = 3
vi /etc/pam.d/su   # only members of wheel may su
auth required pam_wheel.so use_uid
usermod -L nobody   # lock nobody (undo with usermod -U nobody; CentOS 8's nobody account differs)
usermod -L ftp
echo "export TMOUT=600"> /etc/profile.d/timeout.sh   # 10-minute idle logout
systemctl enable rsyslog
vi /etc/logrotate.conf   # keep 10 rotations
rotate 10
chkconfig --list |egrep "telnet|sendmail|klogin|kshell|ntalk|tftp"
systemctl list-unit-files | egrep "telnet|sendmail|klogin|kshell|ntalk|tftp"
# openjdk11: check which JDK packages are installed
rpm -qa |grep jdk
9. Check the version and clean the system
cat /etc/centos-release   # release version
# centos 7
rm -rf /tmp/*
rm -f /etc/udev/rules.d/70-persistent-net.rules
rm -f /var/log/wtmp /var/log/btmp /var/log/anaconda/*
cd /var/log
for i in cron dmesg dmesg.old lastlog maillog messages pm-powersave.log secure Xorg.0.log Xorg.0.log.old Xorg.9.log Xorg.9.log.old
do
true > $i
done
dmesg -c
echo >/root/.bash_history
# centos 6
rm -rf /tmp/*
rm -f /var/log/wtmp /var/log/btmp /var/log/anaconda/*
cd /var/log
for i in cron dmesg dmesg.old lastlog maillog messages pm-powersave.log secure Xorg.0.log Xorg.0.log.old Xorg.9.log Xorg.9.log.old
do
true > $i
done
dmesg -c
echo > /root/.bash_history
rm -f /etc/udev/rules.d/70-persistent-net.rules
PRIMARY_INTERFACE=$(ip route list match 0.0.0.0 | awk 'NR==1 {print $5}')
sed -i '/UUID/d' /etc/sysconfig/network-scripts/ifcfg-$PRIMARY_INTERFACE
sed -i '/HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-$PRIMARY_INTERFACE
/etc/init.d/network restart
# reset cloud-init state
yum clean all
cloud-init clean   # on cloud-init versions that have the clean subcommand
rm -rf /var/lib/cloud
history -c   # clear the shell history
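Before shutting the VM down it is worth confirming, in one pass, that the hardening of step 8 and the cleanup and configuration of steps 5, 7 and 9 actually landed on disk. The following is an added example, not part of the original document: an audit that reads the files those steps touch under a root prefix ("/" inside the VM, or a mount point such as one created by guestmount on the host) and reports every item that is not in the expected state. The function names, the root-prefix argument and the exact thresholds are this example's own choices, taken from the values this page sets.

```shell
#!/bin/sh
# Added example, not part of the original document: pre-upload audit of
# an image root tree for the settings made in steps 5, 7, 8 and 9.
# Names, arguments and thresholds are this example's own.

# Last uncommented value of a login.defs key.
logindefs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Non-root accounts that still have an interactive shell (should be none).
extra_shell_users() {
    awk 'BEGIN { FS = ":" } $7 ~ /sh$/ && $1 != "root" { print $1 }' "$1"
}

# Record one failed check.
audit_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Print one line per failed check; return the failure count (0 = ready).
audit_image() {
    root="${1:-}"
    fails=0
    defs="$root/etc/login.defs"
    [ "$(logindefs_value "$defs" PASS_MAX_DAYS)" -le 90 ] 2>/dev/null ||
        audit_fail "PASS_MAX_DAYS not <= 90"
    [ "$(logindefs_value "$defs" PASS_MIN_LEN)" -ge 8 ] 2>/dev/null ||
        audit_fail "PASS_MIN_LEN not >= 8"
    grep -Eq '^[[:space:]]*minclass[[:space:]]*=[[:space:]]*[3-4]' \
        "$root/etc/security/pwquality.conf" 2>/dev/null ||
        audit_fail "pwquality minclass not >= 3"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        "$root/etc/pam.d/su" 2>/dev/null ||
        audit_fail "pam_wheel.so not required for su"
    grep -Eq '^export TMOUT=[0-9]+' "$root/etc/profile.d/timeout.sh" 2>/dev/null ||
        audit_fail "TMOUT idle timeout not set"
    grep -Eq '^[[:space:]]*rotate[[:space:]]+(1[0-9]|[2-9][0-9])' \
        "$root/etc/logrotate.conf" 2>/dev/null ||
        audit_fail "logrotate keeps fewer than 10 rotations"
    grep -q '^NOZEROCONF=yes' "$root/etc/sysconfig/network" 2>/dev/null ||
        audit_fail "NOZEROCONF=yes missing"
    grep -Eq '^ssh_pwauth:[[:space:]]*(0|false)' "$root/etc/cloud/cloud.cfg" 2>/dev/null ||
        audit_fail "cloud.cfg ssh_pwauth not disabled"
    [ ! -e "$root/etc/udev/rules.d/70-persistent-net.rules" ] ||
        audit_fail "persistent net rules still present"
    [ ! -d "$root/var/lib/cloud" ] ||
        audit_fail "/var/lib/cloud not removed (cloud-init state)"
    hist="$root/root/.bash_history"
    { [ ! -e "$hist" ] || ! grep -q . "$hist"; } ||
        audit_fail "root bash_history not cleared"
    [ -z "$(extra_shell_users "$root/etc/passwd" 2>/dev/null)" ] ||
        audit_fail "non-root users with a login shell remain"
    return $fails
}

# Usage inside the VM, right before "halt -p":
#   audit_image / && echo "image ready"
```

The exit status is the number of failed checks, so the call can gate a build pipeline; the messages name the file and setting so the fix is one of the commands already listed in the steps above.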
10. Shut down and compress the image
# inside the VM
halt -p
# on the host: sanitize the image (virt-sysprep removes host keys, logs, machine-id and similar per-instance state)
virt-sysprep -a centos79.qcow2
# if virt-sysprep is missing: yum install libguestfs-tools -y
# compress the image
qemu-img convert -p -c -O qcow2 centos79.qcow2 centos79-compress.qcow2
# verify the result
qemu-img check centos79-compress.qcow2
After these steps, centos79-compress.qcow2 is ready for use.
11. Upload the image
Path: log in to iStack Cloud -> Workspace -> Operations platform.
Instructions:
- Choose the [Operations Management] navigation bar, click the [Cluster Management] submenu, select a cluster and enter it.
- Click the [VM Images] menu, choose [Private Images], click the [Upload Image] button and upload the image you built.
- When provisioning a VM under [Cloud Products], the corresponding image can be selected.