- 1: Log in to the O&M plane
- 2: Open Quick Access in the bottom-right navigation bar and click ServiceOM(shanghai); it opens in a new window
- 3: Under Resources, click Image Resources
- 4: Public image workflow
- 5: Fill in the image registration details
- 6: Select the local ISO and upload it over HTTPS
- 7: Image registration upload in progress
- 8: Select availability zone az6.dc (the O&M management zone)
- 9: Select the ISO image you just registered
- 10: Select the existing smallest flavor (4C8G); use a cloud disk for the system disk
- 11: Use the default az6 backend storage
- 12: Edit the default NIC: click Modify, set the project to service and the network to external_om, disable the security group, leave everything else at its default
- 13: Set the VM template name
- 14: Confirm all settings once more
- 15: Confirm and view the image creation log
- 16: Under Resources, select Compute Resources, find the VM you just created, open it, log in over VNC and start installing the OS
- 17: Select English and start a custom Linux installation
- 18: Under Compute Resources, click More and mount UVP VMTools
- 19: After the OS installation completes, connect over SSH to install UVP VMTools and Cloud-Init; disable the system firewall first
- 20: Mount UVP VMTools
- 21: Log in over SSH and mount the image file
- 22: Install vmtools
- 23: Install cloud-init
- 24: Install the one-click password reset plugin
- 25: Deploy the JDK environment
- 26: Template optimization
- 27: System security hardening
- 28: Upgrade OpenSSH
- 29: Shut down the VM, convert it to an image and sync it to the public image zone
1: Log in to the O&M plane
2: Open Quick Access in the bottom-right navigation bar and click ServiceOM(shanghai); it opens in a new window


3: Under Resources, click Image Resources

Image creation workflow:
For details, see chapter 12 <Image Service> of the User Guide
4: Public image workflow
Register the image
Create a flavor
Create the VM
Install vmtools
Create the image
5: Fill in the image registration details
Fill in the flavor requirements as follows:
Virtualization: KVM
CPU: X86
Operating system: Linux
Memory: 4GB
Disk: 10GB
Upload method: HTTPS
Disk device type: virtio

6: Select the local ISO and upload it over HTTPS


Minimum disk:
The minimum disk size required for a VM created from this image.
ISO-format images:
Windows: the recommended minimum disk is no smaller than 60G.
Linux: the recommended minimum disk is no smaller than 20G.
Non-ISO images:
No smaller than the disk of the VM that was used to build the image.
Minimum memory:
The minimum memory for an elastic cloud server (ECS) created from this image:
If no minimum is set, the tenant can pick a flavor of any memory size when requesting an ECS;
If a specific value is set, the tenant can only pick flavors whose memory is larger than that value.
Device type:
The bus type the system disk uses to communicate with the host when reading and writing data.
virtio is the preferred choice; pick scsi only if the workload requires scsi disks (virtio disks perform slightly better than scsi disks, and ide disks perform poorly).
When registering a non-ISO Windows image, choose virtio if UVP VMTools is already installed; otherwise choose ide.
7: Image registration upload in progress

8: Select availability zone az6.dc (the O&M management zone)
9: Select the ISO image you just registered
10: Select the existing smallest flavor (4C8G); use a cloud disk for the system disk
11: Use the default az6 backend storage
12: Edit the default NIC: click Modify, set the project to service and the network to external_om, disable the security group, and leave everything else at its default


Disable the security group

13: Set the VM template name

14: Confirm all settings once more
15: Confirm and view the image creation log



16: Under Resources, select Compute Resources, find the VM you just created, open it, log in over VNC and start installing the OS

17: Select English and start a custom Linux installation

18: Under Compute Resources, click More and mount UVP VMTools
19: After the OS installation completes, connect over SSH to install UVP VMTools and Cloud-Init; disable the system firewall first
20: Mount UVP VMTools
21: Log in over SSH and mount the image file
22: Install vmtools
Copy uvp vmtools into the VM's /opt directory
mkdir -p /mnt/image-tools
mount /dev/sr1 /mnt/image-tools
cd /mnt/image-tools/
mkdir -p /opt/image-tools
cp -r /mnt/image-tools/linux /opt/image-tools
cd /opt/image-tools/linux
chmod +x *.sh
umount /mnt/image-tools
rm -rf /root/vmtools-2.5.0.156.tar.bz2
23: Install cloud-init

Patch cloud-init's init.py, which otherwise appends .novalocal to the hostname
Location of the file to patch:
/opt/cloudinit/lib/python2.7/site-packages/cloud_init-18.2-py2.7.egg/cloudinit/sources
rm -rf init.pyc
rm -rf /var/lib/cloud/
rm -rf /var/log/cloud-init
Check the configuration:
cloud-init init --local
Change the log handler to handlers=cloudLogHandler
vim /etc/cloud/cloud.cfg.d/05_logging.cfg
[logger_cloudinit]
level=DEBUG
qualname=cloudinit
handlers=cloudLogHandler
propagate=1
vim /etc/cloud/cloud.cfg
Hostname section of init.py after the change (the split is on ".novalocal" instead of "." and the domain assignment is commented out, so only the bare hostname is returned):

    # make up a hostname (LP: #475354) in format ip-xx.xx.xx.xx
    lhost = self.metadata['local-hostname']
    if util.is_ipv4(lhost):
        toks = []
        if resolve_ip:
            toks = util.gethostbyaddr(lhost)

        if toks:
            toks = str(toks).split('.')
        else:
            toks = ["ip-%s" % lhost.replace(".", "-")]
    else:
        toks = lhost.split(".novalocal")

    if len(toks) > 1:
        hostname = toks[0]
        #domain = '.'.join(toks[1:])
    else:
        hostname = toks[0]

    if fqdn and domain != defdomain:
        return "%s.%s" % (hostname, domain)
    else:
        return hostname

Tuned configuration file
[root@uat-devops sources]# cat /etc/cloud/cloud.cfg
# The top level settings are used as module
# and system configuration.

# A set of users which may be applied and/or used by various modules
# when a 'default' entry is found it will reference the 'default_user'
# from the distro configuration specified below
users:
 - name: root
   lock_passwd: false

# If this is set, 'root' will not be able to ssh in and they
# will get a message to login instead as the default $user
disable_root: 0
mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2']
resize_rootfs_tmp: /dev
ssh_deletekeys: 0
ssh_genkeytypes: ~
ssh_pwauth: 1
network:
  config: disabled
datasource_list: ['ConfigDrive', 'OpenStack']
manage_etc_hosts: localhost

# This will cause the set+update hostname module to not operate (if true)
preserve_hostname: false

# Example datasource config
# datasource:
#    Ec2:
#      metadata_urls: [ 'blah.com' ]
#      timeout: 5 # (defaults to 50 seconds)
#      max_wait: 10 # (defaults to 120 seconds)

# The modules that run in the 'init' stage
cloud_init_modules:
 - ssh
 - migrator
 - seed_random
 - bootcmd
 - write-files
 - growpart
 - resizefs
 - disk_setup
 - mounts
 - set_hostname
 - update_hostname
 - update_etc_hosts
 - ca-certs
 - rsyslog
 - users-groups

# The modules that run in the 'config' stage
cloud_config_modules:
 - ssh-import-id
 - locale
 - set-passwords
 - ntp
 - timezone
 - disable-ec2-metadata
 - runcmd

# The modules that run in the 'final' stage
cloud_final_modules:
 - package-update-upgrade-install
 - puppet
 - chef
 - mcollective
 - salt-minion
 - rightscale_userdata
 - scripts-vendor
 - scripts-per-once
 - scripts-per-boot
 - scripts-per-instance
 - scripts-user
 - ssh-authkey-fingerprints
 - keys-to-console
 - phone-home
 - final-message
 - power-state-change

# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
   # This will affect which distro class gets used
   distro: centos
   # Default user name + that default users groups (if added/used)
   default_user:
     name: centos
     lock_passwd: True
     gecos: centos Cloud User
     groups: [wheel, adm, systemd-journal]
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
   # Other config here will be given to the distro class and/or path classes
   paths:
      cloud_dir: /var/lib/cloud/
      templates_dir: /etc/cloud/templates/
   ssh_svcname: sshd

#openstack
datasource:
  OpenStack:
    metadata_urls: ['http://169.254.169.254']
    max_wait: 120
    timeout: 50
[root@uat-devops sources]#
24: Install the one-click password reset plugin
64-bit operating system (X86 scenario)
User Guide 12.10.2.8: Install the one-click password reset plugin (X86 architecture)
wget http://ap-southeast-1-cloud-reset-pwd.obs.myhwclouds.com/linux/64/reset_pwd_agent/CloudResetPwdAgent.zip
mkdir -p /opt/image-tools/linux/pkgs/reset-pwd
mv CloudResetPwdAgent.zip /opt/image-tools/linux/pkgs/reset-pwd/
cd /opt/image-tools/linux
sh reset-pwd.sh
25: Deploy the JDK environment
cd /tmp
tar xf jdk-8u191-linux-x64.tar.gz -C /usr/local
ln -s /usr/local/jdk1.8.0_191/ /usr/local/jdk
rm -rf /usr/bin/java
ln -s /usr/local/jdk/bin/java /usr/bin/java
cp /etc/profile /etc/profile.bak
# the delimiter is quoted so that $JAVA_HOME (not yet set in this shell) and $PATH are
# written literally into /etc/profile instead of being expanded while the heredoc is written
cat >> /etc/profile << 'EOF'
export JAVA_HOME=/usr/local/jdk
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
EOF
source /etc/profile
rm -rf /tmp/jdk-8u191-linux-x64.tar.gz
java -version
26: Template optimization
Edit the NIC configuration and clear the network rules file 70-persistent-ipoib.rules
Speed up VM boot
Clear temporary files and the command history: history -c
rm -rf /etc/udev/rules.d/70-persistent-ipoib.rules
datasource:
  OpenStack:
    metadata_urls: ['http://169.254.169.254']
    max_wait: 120
    timeout: 50
Disable automatic DNS updates: PEERDNS="no"
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
BOOTPROTO=dhcp
ONBOOT=yes
STARTMODE=onboot
PERSISTENT_DHCLIENT=yes
TYPE=Ethernet
PEERDNS=no
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
EOF

Delete the virtual bridge interface
nmcli connection delete virbr0
nmcli device delete virbr0
Fix the JDK bug (SecureRandom blocking on /dev/random)
# note: /dev is devtmpfs, so this symlink only lasts until the next reboot
mv /dev/random /dev/random.bak; ln -s /dev/urandom /dev/random
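A pre-capture check for the template, added here as an example and not part of the original notes: before step 29 (shut down and convert to image) it re-checks what steps 23 and 26 are supposed to leave behind and reports anything still present. The function name check_template and its ROOT argument are this example's own choices; ROOT is a path prefix so the check can be exercised against a throwaway directory tree constructed below, and on the real template it is called with an empty prefix.

```shell
#!/bin/sh
# Added example (not from the original template notes): pre-capture sanity check.
# check_template ROOT
# Print one FINDING line per problem and a final "findings: N" line; return 1 if N > 0.
check_template() {
    root=$1
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # step 26: the udev rule must be gone, or clones keep the template's NIC binding
    [ -e "$root/etc/udev/rules.d/70-persistent-ipoib.rules" ] && note "70-persistent-ipoib.rules still present"

    # step 23: cloud-init state from the template's own boot must be cleared, otherwise
    # clones believe they already ran once and skip their per-instance modules
    [ -d "$root/var/lib/cloud" ] && note "/var/lib/cloud not cleared"
    for f in "$root"/var/log/cloud-init*; do
        [ -e "$f" ] && note "cloud-init log not cleared: ${f#"$root"}"
    done

    # step 26: "history -c" clears the in-memory list; the file on disk must be empty too
    [ -s "$root/root/.bash_history" ] && note "/root/.bash_history is not empty"

    # step 26: PEERDNS=no must be the active setting in ifcfg-eth0
    ifcfg="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    if [ -f "$ifcfg" ]; then
        grep -Eq '^PEERDNS="?no"?$' "$ifcfg" || note "PEERDNS=no not set in ifcfg-eth0"
    else
        note "ifcfg-eth0 missing"
    fi

    # the cloud.cfg above sets ssh_deletekeys: 0, so any host keys left in the template
    # are shared by every VM cloned from it; report them so the operator can decide
    for k in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$k" ] && note "SSH host key baked into template: ${k#"$root"}"
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Demo against a constructed tree in which several cleanup items were skipped.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/udev/rules.d" "$d/var/lib/cloud" "$d/root" \
             "$d/etc/sysconfig/network-scripts" "$d/etc/ssh"
    : > "$d/etc/udev/rules.d/70-persistent-ipoib.rules"
    echo "rm -rf /var/lib/cloud/" > "$d/root/.bash_history"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nPEERDNS=yes\n' > "$d/etc/sysconfig/network-scripts/ifcfg-eth0"
    : > "$d/etc/ssh/ssh_host_rsa_key"
    check_template "$d" || true      # prints five FINDING lines and "findings: 5"
    rm -rf "$d"
}
demo
```

On the template itself run `check_template ""` as root immediately before shutting down; a non-zero exit means something from steps 23 or 26 is still in place.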

27: System security hardening
#!/bin/bash
###########################################################
#                                                         #
#  Script Name : security for Redhat7.0~7.6               #
#  By:Eren 2020-05-21                                     #
#                                                         #
###########################################################
# Create the system O&M user "chroot"
user=chroot
if ! id $user; then
    groupadd -g 700 $user
    useradd -g 700 -u 700 -m -G $user $user
    echo "chroot:1qaz@WSX" | chpasswd
    echo "user $user is created"
fi
# Minimise the services started at boot: disable everything, then re-enable the required set
for serv in $(systemctl list-unit-files | grep enabled | awk '{print $1}'); do systemctl disable $serv; done
for serv in autovt@.service crond.service getty@.service irqbalance.service kdump.service auditd.service microcode.service rsyslog.service sshd.service sysstat.service systemd-readahead-collect.service systemd-readahead-drop.service systemd-readahead-replay.service NetworkManager.service tuned.service lvm2-lvmetad.socket lvm2-lvmpolld.socket default.target cloud-init-local.service cloud-init.service cloud-init.target cloud-final.service vm-agent.service multi-user.target; do systemctl enable $serv; done
# Set the default boot target (multi-user, no graphical login)
systemctl set-default multi-user.target
# Remove the Ctrl+Alt+Del reboot shortcut
rm -f /usr/lib/systemd/system/ctrl-alt-del.target
# Set the NTP server
cp /etc/chrony.conf /etc/chrony.conf.bak
sed -i 's/^server/#server/g' /etc/chrony.conf
sed -i '/#server 3/a\server 10.182.200.100' /etc/chrony.conf
echo "leapsecmode slew" >> /etc/chrony.conf
systemctl restart chronyd
systemctl enable chronyd
# Raise the open-file and process limits
##limits
cat >> /etc/security/limits.conf <<EOF
* soft nproc 20480
* hard nproc 20480
* hard nofile 20480
* soft nofile 20480
EOF
# comment out the distro default ("*  soft  nproc  4096") so limits.conf takes effect
sed -i 's/^\*[[:space:]]*soft[[:space:]]*nproc.*/#&/' /etc/security/limits.d/20-nproc.conf
# Set permissions on system files
chmod 400 /etc/crontab
chmod 400 /etc/securetty
#chmod 600 /boot/grub/grub.conf
chmod 644 /etc/hosts.allow
chmod 644 /etc/hosts.deny
chmod 600 /etc/inittab
chmod 644 /etc/login.defs
chmod 644 /etc/profile
chmod 644 /etc/bashrc
chmod 744 /usr/bin/consolehelper
# Set the system password policy
#cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.bak
#sed -i '/password requisite pam_pwquality.so.*$/s//& minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/system-auth-ac
#sed -i '/password sufficient pam_unix.so.*$/s//& remember=3/' /etc/pam.d/system-auth-ac
#cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.bak
#sed -i '/password requisite pam_pwquality.so.*$/s//& minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/password-auth-ac
#sed -i '/password sufficient pam_unix.so.*$/s//& remember=3/' /etc/pam.d/password-auth-ac
/sbin/authconfig --passminlen=8 --update
/sbin/authconfig --enablereqdigit --update
/sbin/authconfig --enablereqlower --update
/sbin/authconfig --enablerequpper --update
/sbin/authconfig --enablereqother --update
# Set the password validity period
cp /etc/login.defs /etc/login.defs.bak
sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/PASS_MIN_LEN\t5/PASS_MIN_LEN\t8/' /etc/login.defs
# Do not record unknown usernames on failed logins: a password mistyped into the
# username field would otherwise end up in the log (the setting must be "no" for this)
echo "LOG_UNKFAIL_ENAB no" >> /etc/login.defs
# Allow 6 password attempts; after 6 failures the login session ends, which blocks continuous automated brute forcing
echo "LOGIN_RETRIES 6" >> /etc/login.defs
# Record the last login time and show it to the user at login
echo "LASTLOG_ENAB yes" >> /etc/login.defs
# Lock the account for 5 minutes after too many failed passwords over ssh
cp /etc/pam.d/login /etc/pam.d/login.bak
sed -i '/#%PAM/a\auth required pam_tally2.so deny=6 unlock_time=300' /etc/pam.d/login
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
sed -i '/#%PAM/a\auth required pam_tally2.so deny=6 unlock_time=300' /etc/pam.d/sshd
##sshd
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# the stock file ships these keywords commented out, so the patterns also match a leading "#"
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i '/#Banner none/a\Banner /etc/issue.net' /etc/ssh/sshd_config
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config
#sed -i 's/^UsePAM yes/UsePAM no/' /etc/ssh/sshd_config
sed -i 's/^#\?Port 22/Port 22/' /etc/ssh/sshd_config
echo 'Authorized users only! All activity may be monitored and reported!' > /etc/motd
cp /etc/issue /etc/issue_`date +\%Y\%m\%d`
cp /etc/issue.net /etc/issue.net_`date +\%Y\%m\%d`
echo 'Be sure you are authorized to access this system!' > /etc/issue
echo 'Be sure you are authorized to access this system!' > /etc/issue.net
#profile
echo "export TMOUT=600" >> /etc/profile
echo 'export HISTTIMEFORMAT="%F %T `whoami` " ' >> /etc/profile
sed -i "s/export HISTFILESIZE=.*/export HISTFILESIZE=10000/g" /etc/profile
# Disable SELinux
cp /etc/sysconfig/selinux /etc/sysconfig/selinux.bak
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
#rc-local
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
# Kernel parameter tuning
cat >> /etc/sysctl.conf <<EOF
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.ip_forward = 0
net.ipv4.tcp_keepalive_time = 150
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 6
EOF
sysctl -p &>/dev/null
#rsyslog
echo "*.err;auth.info /var/adm/messages" >> /etc/rsyslog.conf
systemctl restart sshd.service
echo "------ Modify is OK ------"
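The sshd_config edits in the hardening script are plain substitutions, and the stock CentOS 7 file ships "#PermitRootLogin yes" and "#UseDNS yes" commented out, so a pattern anchored on the uncommented text changes nothing and silently leaves the default in force. The following is an added example (not part of the hardening script above) of an idempotent directive setter plus a check of the value sshd will actually use; the function names set_directive, effective_value and check_directive are this example's own, and the sample file contents are constructed for the demo. sshd honours the first occurrence of a keyword, so rewriting the first matching line, commented or not, is sufficient.

```shell
#!/bin/sh
# Added example (not the hardening script's own code): idempotent sshd_config editing
# and a post-hardening check of the effective value.

# set_directive FILE KEY VALUE
# Rewrite the first "KEY ...", "#KEY ..." or "# KEY ..." line as "KEY VALUE";
# append the line if the keyword is absent. Running it twice leaves a single line.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        !done && ($1 == k || $1 == "#" k || ($1 == "#" && $2 == k)) {
            print k, v; done = 1; next
        }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of the target
    rm -f "$tmp"
}

# effective_value FILE KEY
# Print the value sshd will use: the first uncommented occurrence, or nothing.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_directive FILE KEY EXPECTED
# Return 0 and print OK when the effective value matches; otherwise print DRIFT and return 1.
check_directive() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $2 = $actual"
        return 0
    fi
    echo "DRIFT $2 = '${actual:-<unset>}' (expected $3)"
    return 1
}

# Demo on a constructed fragment that mimics the CentOS 7 defaults.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
#PermitRootLogin yes
#UseDNS yes
X11Forwarding yes
EOF
    echo "--- before: the defaults are still in force ---"
    check_directive "$f" PermitRootLogin no || true
    check_directive "$f" UseDNS no || true
    set_directive "$f" PermitRootLogin no
    set_directive "$f" UseDNS no
    set_directive "$f" Banner /etc/issue.net   # absent, so appended
    set_directive "$f" Banner /etc/issue.net   # second run: no duplicate
    echo "--- after ---"
    check_directive "$f" PermitRootLogin no
    check_directive "$f" UseDNS no
    check_directive "$f" Banner /etc/issue.net
    echo "Banner lines: $(grep -c '^Banner' "$f")"
    rm -f "$f"
}
demo
```

The check_directive calls double as a quick audit: run them against /etc/ssh/sshd_config after the hardening script (and again after the OpenSSH upgrade in step 28, which overwrites sshd_config from /tmp/openssh/sshd_config) to confirm the intended values are the ones in force.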
28: Upgrade OpenSSH
#!/bin/bash
###By:Eren 2020-05-26
cd /tmp/openssh
rm -rf /etc/yum.repos.d/*.repo
yum -y localinstall /tmp/openssh/*.rpm
# build and install OpenSSL 1.1.1g under /usr/local/ssl
cd /tmp/openssh/openssl-1.1.1g/
./config --prefix=/usr/local/ssl shared
make && make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig -v
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
ln -s /usr/local/ssl/lib/libssl.so /usr/local/lib64/libssl.so
strings /usr/local/lib64/libssl.so | grep OpenSSL
/usr/bin/openssl version
# keep the previous PAM and sshd configuration
cp /etc/pam.d/sshd /etc/pam.d/sshd.old
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
# build OpenSSH 8.3p1 against the new OpenSSL
cd /tmp/openssh/openssh-8.3p1/
install -v -m700 -d /var/lib/sshd
chown -v root:sys /var/lib/sshd
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr/local/ssl/lib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/tmp/openssh/openssl-1.1.1g
make && make install
cat /tmp/openssh/sshd_config > /etc/ssh/sshd_config
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
# replace the systemd unit with the SysV init script shipped in the source tree
rm -rf /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
cp /tmp/openssh/openssh-8.3p1/contrib/redhat/sshd.init /etc/init.d/sshd
/etc/init.d/sshd restart
chkconfig --add sshd
/etc/init.d/sshd status
ssh -V
29: Shut down the VM, convert it to an image and sync it to the public image zone






