Creating a Linux-based product image to upload to Cloud Marketplace
To add a product for Yandex Compute Cloud to the Marketplace, you need to upload a VM image to Yandex Cloud. Marketplace products can be based on Linux; this section explains how to create a Linux-based image.
If you wish to add a product for Yandex Managed Service for Kubernetes, follow the relevant instructions.
Creating an image
Images of products placed in the Marketplace must meet the requirements listed below.
If you do not have a VM image, create one:
- Use Packer. The image is automatically uploaded to Compute Cloud. For creating an image, we recommend the following:
  - As a base image, use an image from the Yandex Cloud public catalog.
  - See examples of Packer recipes.
  - Automate VM image builds using Jenkins.
- Use other tools that are convenient for you. In this case, you need to upload the image to Compute Cloud yourself. The supported formats are Qcow2, VMDK, RAW, and VHD.
Image requirements
Boot disk images must meet the following requirements:
- The `virtio-net`, `virtio-blk`, and `virtio-pci` drivers are installed. If you are going to attach file storages to your VM, you also need to install the `virtiofs` driver. For more information, refer to this guide.
- The `ttyS0` terminal (COM1 port) is set up as a serial console. For more information, refer to this guide.
- The network interface runs correctly when the VM starts and obtains its IP address via DHCP.
- The `cloud-init` package is installed and configured to work with the Yandex Cloud metadata service. To install the package on CentOS, run `sudo yum install cloud-init`. On Debian or Ubuntu, run `sudo apt update && sudo apt install -y cloud-init`.
- If you created the image from an Amazon Machine Image (AMI), verification of the cloud platform the VM instance runs on is disabled in the `cloud-init` settings. For more information, refer to this guide.
- In the system firewall settings, only the minimum set of ports required by your applications plus the SSH port (22 TCP by default) are open.
- The SSH server starts automatically at VM startup.
- Services running your application are resistant to VM reboots.
- The boot disk uses MBR partitioning.
- The disk is mounted by its UUID rather than by name.
- The file system is not encrypted.
For instructions on how to configure the OS to meet the requirements, see Preparing your disk image.
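As an added illustration of how most of these requirements can be checked before upload (example code written for this page, not a Yandex Cloud tool), the script below audits an image whose root filesystem is mounted at the path given as its first argument. It assumes standard Debian/Ubuntu/CentOS locations for GRUB, systemd, cloud-init and kernel modules, which the page does not specify; MBR partitioning and DHCP on the network interface need a block device or a booted VM and are left to a manual check.

```shell
#!/bin/sh
# Added example (not part of the Yandex Cloud documentation or tooling):
# a static audit of a boot-disk image mounted read-only at $1, e.g.
#   mount -o ro,loop,offset=<partition-offset> disk.raw /mnt && sh audit-image.sh /mnt
# Assumed (not stated on the page): standard Debian/Ubuntu/CentOS paths for
# GRUB, systemd, cloud-init and kernel modules.

# virtio-net, virtio-blk, virtio-pci: present either as loadable modules
# (modules.dep) or built into the kernel (modules.builtin).
check_virtio() {
    local drv
    for drv in virtio_net virtio_blk virtio_pci; do
        grep -rqs "$drv" "$1/lib/modules" || return 1
    done
    return 0
}

# ttyS0 as serial console: console=ttyS0 on the kernel command line.
check_serial_console() {
    grep -qs 'console=ttyS0' "$1/etc/default/grub" "$1/boot/grub/grub.cfg" "$1/boot/grub2/grub.cfg"
}

# cloud-init installed (its main config file is shipped by the package).
check_cloud_init() {
    [ -f "$1/etc/cloud/cloud.cfg" ]
}

# SSH server enabled for multi-user.target (ssh.service on Debian/Ubuntu,
# sshd.service on CentOS).
check_sshd_enabled() {
    ls "$1/etc/systemd/system/multi-user.target.wants" 2>/dev/null | grep -Eq '^sshd?\.service$'
}

# Filesystems mounted by UUID (or LABEL), never by a /dev/... device name.
check_fstab_uuid() {
    local f="$1/etc/fstab"
    [ -f "$f" ] || return 1
    ! grep -Ev '^[[:space:]]*(#|$)' "$f" | awk '{ print $1 }' | grep -q '^/dev/'
}

# No encrypted volumes: /etc/crypttab absent or comment-only.
check_no_encryption() {
    ! grep -Eqs '^[[:space:]]*[^#[:space:]]' "$1/etc/crypttab"
}

# Run all checks, print one PASS/FAIL line each, return non-zero on any failure.
audit_image() {
    local root="$1" c fails=0
    for c in check_virtio check_serial_console check_cloud_init \
             check_sshd_enabled check_fstab_uuid check_no_encryption; do
        if "$c" "$root"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    audit_image "$1"
fi
```

Each check is a separate function so that a build pipeline can fail on exactly the requirement that regressed; `audit_image` only aggregates them.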
To use the image for a Marketplace product, also follow these steps:
- Clean up:
  - The `/tmp`, `/var/tmp`, and `/var/log` directories.
  - The package manager cache.
  - `.bash_history` for all users.
  - The data on configurations previously received via DHCP (`dhcp.leases` and `dhcp.log`).
  - The `/etc/machine-id` file.
- Make sure that:
  - The image only has the system users that the applications need.
  - Password-based access via SSH is disabled for all users. They must log in using a key obtained from the metadata service.
  - There are no pre-generated SSH keys or passwords in the image.
    Warning
    Application passwords must be generated when the VM starts to enable a user to change them when logging in for the first time via the serial console or SSH.
  - The `/etc/sudoers*` files have no extra privileges configured for users.
- Use the supplemental guidelines for configuring images for the Marketplace:
  - The `/etc/fstab` configuration file has no lines that connect swap.
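The clean-up list above, as an added shell example (example code for this page, not the `yc-image-cleanup.sh` script and not Yandex Cloud code). It takes the root of a mounted image as its first argument and also drops swap entries from `/etc/fstab`. Assumed, not stated on the page: apt/yum/dnf cache locations, dhclient lease files under `/var/lib`, and home directories under `/home`.

```shell
#!/bin/sh
# Added example (not the yc-image-cleanup.sh script and not part of the
# Yandex Cloud documentation): the clean-up steps from the list above, applied
# to an image root given as $1 (a mounted image such as /mnt/image).
# Assumed, not stated on the page: apt/yum/dnf cache paths, dhclient lease
# files under /var/lib, home directories under /home.

# Remove the contents of a directory but keep the directory itself.
_empty_dir() {
    [ -d "$1" ] && find "$1" -mindepth 1 -delete
    return 0
}

# Drop fstab lines whose filesystem type is "swap"; comments are kept untouched.
strip_fstab_swap() {
    local f="$1/etc/fstab"
    [ -f "$f" ] || return 0
    awk '!($1 !~ /^#/ && $3 == "swap")' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

cleanup_image() {
    local root="$1"

    # /tmp and /var/tmp
    _empty_dir "$root/tmp"
    _empty_dir "$root/var/tmp"

    # /var/log: delete rotated archives, truncate live logs in place so that
    # services still find their log files after the first boot.
    if [ -d "$root/var/log" ]; then
        find "$root/var/log" -type f \( -name '*.gz' -o -name '*.[0-9]' -o -name '*.old' \) -delete
        find "$root/var/log" -type f -exec sh -c 'for f; do : > "$f"; done' sh {} +
    fi

    # package manager caches (apt, yum, dnf)
    _empty_dir "$root/var/cache/apt/archives"
    _empty_dir "$root/var/lib/apt/lists"
    _empty_dir "$root/var/cache/yum"
    _empty_dir "$root/var/cache/dnf"

    # .bash_history of root and of every user under /home
    find "$root/root" "$root/home" -maxdepth 2 -type f -name .bash_history -delete 2>/dev/null

    # DHCP leases and logs received on the build network
    [ -d "$root/var/lib" ] && find "$root/var/lib" -type f \
        \( -name '*.lease' -o -name '*.leases' -o -name dhcp.log \) -delete

    # /etc/machine-id: leave it empty so systemd generates a new id on first boot
    [ -f "$root/etc/machine-id" ] && : > "$root/etc/machine-id"

    strip_fstab_swap "$root"
}

if [ -n "${1:-}" ]; then
    cleanup_image "$1"
fi
```

Logs are truncated rather than deleted so that daemons which open their log file by path keep working on first boot; `/etc/machine-id` is emptied rather than removed for the same reason (systemd regenerates an empty file, but some units expect the path to exist).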
Checking your image
You can clean up and check the system with the `yc-image-cleanup.sh` script. Run `yc-image-cleanup.sh` inside the image as the `root` user.
The `yc-image-cleanup.sh` script does not check the product image for compliance with all requirements and is not compatible with all distributions. Before uploading the image to the Marketplace, you need to perform additional checks yourself. To learn whether `yc-image-cleanup.sh` supports your distribution, run the script with the `-o` option. For supported distributions, the script prints the distribution name and version and detects the package manager. If the distribution is not supported, the output is `Unsupported OS/distribution; can't determine package manager type`.
To clean up a VM before creating an image from it, run the command:
./yc-image-cleanup.sh -c
Warning
The cleanup command deletes some files and directories. Before running it, make sure that you have backups of important data.
Before the cleanup, you can set the `YCCLEANUP_SYS_USER` environment variable to the name of the system user that must be deleted, together with their home folder, during the cleanup. For example, the system user is `ubuntu` in Ubuntu and `centos` in CentOS; in some cases it may be `cloud-user` or another user. You can even set `YCCLEANUP_SYS_USER` to the user executing the script; an error message is then displayed, but the user is still deleted. If `YCCLEANUP_SYS_USER` is not set, no user is deleted.
To check the image for compliance with some requirements, run the command:
./yc-image-cleanup.sh -d
To check the VM that you created from the image, run the command:
./yc-image-cleanup.sh -t
If your system design does not allow some of the checks run with the `-t` key to pass, you can disable them. Pass the list of disabled checks in the `-s` option in the format `yc-image-cleanup.sh -s <spec1>,<spec2> -t`. The available specifiers:
- `users-locked-nocheck`: Disables the check that password authentication is disabled for all users and that the VM can be logged in to only by key.
- `empty-history-nocheck`: Disables the check that the bash history is empty for all users.
- `one-auth-user-nocheck`: Disables the check that only one user besides `root` has an entry in `authorized_keys`. This user can only be the one specified in the metadata.
- `one-auth-key-nocheck`: Disables the check that each user has no more than one entry in `authorized_keys`. This check fails if any user with an entry in `authorized_keys` has not been deleted from the original image.
- `no-private-keys-nocheck`: Disables the check that no user has any files of a public/private key pair in the `.ssh` folder of their home directory.
- `no-passwords-nocheck`: Disables the check that password authentication is turned off in the `sshd` configuration file.
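To make the "Make sure that" items and the checks behind these specifiers concrete, here is an added re-implementation of them in shell (example code for this page; it is not `yc-image-cleanup.sh`, whose internals the page does not show). It takes the image root as its first argument and an optional comma-separated skip list in the same `<spec>-nocheck` format as `-s`; the sudoers check is an extra that mirrors the `/etc/sudoers*` requirement and has no specifier in the real script. Assumed, not taken from the page: standard `/etc/shadow`, `/etc/ssh/sshd_config` plus `sshd_config.d/*.conf`, `/etc/sudoers.d` and `/home` layouts.

```shell
#!/bin/sh
# Added example, not the yc-image-cleanup.sh script: re-implements the checks
# named by the -s specifiers against an image mounted at $1 (or "/" on a VM).
# Assumed, not from the page: standard /etc/shadow, sshd_config(.d),
# /etc/sudoers.d and /home layouts. Match blocks in sshd config are not modelled.

# Home directories to inspect: /root plus every entry of /home.
_homes() {
    echo "$1/root"
    for h in "$1"/home/*; do [ -d "$h" ] && echo "$h"; done
    return 0
}

# Number of real (non-comment, non-blank) lines in an authorized_keys file; 0 if absent.
_key_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# users-locked: every account in /etc/shadow has a locked (! or *) password field.
# An empty field means a passwordless login and is treated as not locked.
check_users_locked() {
    awk -F: '$2 !~ /^[!*]/ { bad++ } END { exit bad > 0 }' "$1/etc/shadow"
}

# empty-history: no user has a non-empty .bash_history.
check_empty_history() {
    local h
    for h in $(_homes "$1"); do
        [ -s "$h/.bash_history" ] && return 1
    done
    return 0
}

# one-auth-user: at most one account besides root has a non-empty authorized_keys.
check_one_auth_user() {
    local h n=0
    for h in "$1"/home/*; do
        [ -d "$h" ] || continue
        [ "$(_key_count "$h/.ssh/authorized_keys")" -gt 0 ] && n=$((n + 1))
    done
    [ "$n" -le 1 ]
}

# one-auth-key: no account has more than one key in authorized_keys.
check_one_auth_key() {
    local h
    for h in $(_homes "$1"); do
        [ "$(_key_count "$h/.ssh/authorized_keys")" -gt 1 ] && return 1
    done
    return 0
}

# no-private-keys: no generated key pair (id_* files or PEM private key
# material) inside any ~/.ssh directory.
check_no_private_keys() {
    local h
    for h in $(_homes "$1"); do
        [ -d "$h/.ssh" ] || continue
        find "$h/.ssh" -type f -name 'id_*' | grep -q . && return 1
        grep -rqs 'PRIVATE KEY' "$h/.ssh" && return 1
    done
    return 0
}

# no-passwords: the effective PasswordAuthentication value is "no". sshd takes
# the first occurrence, and sshd_config.d/*.conf is included before the main
# file on Ubuntu, so the fragments are scanned first; absence means the sshd
# default ("yes") applies and the check fails.
check_no_passwords() {
    local v
    v=$(cat "$1"/etc/ssh/sshd_config.d/*.conf "$1/etc/ssh/sshd_config" 2>/dev/null |
        awk 'tolower($1) == "match" { exit }
             tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "$v" = "no" ]
}

# sudoers (extra, no specifier): no per-user rules in sudoers or sudoers.d,
# i.e. no line whose first field is a plain user name other than root.
check_sudoers_no_users() {
    cat "$1/etc/sudoers" "$1"/etc/sudoers.d/* 2>/dev/null |
        awk '$1 ~ /^[A-Za-z_][A-Za-z0-9_-]*$/ && $1 != "root" && $1 != "Defaults" && $1 !~ /_Alias$/ { bad++ }
             END { exit bad > 0 }'
}

# Run every check, honouring a comma-separated skip list in the -s format
# (e.g. "empty-history-nocheck,no-passwords-nocheck").
verify_image() {
    local root="$1" skip=",${2:-}," fails=0 pair name fn
    for pair in users-locked:check_users_locked empty-history:check_empty_history \
                one-auth-user:check_one_auth_user one-auth-key:check_one_auth_key \
                no-private-keys:check_no_private_keys no-passwords:check_no_passwords \
                sudoers:check_sudoers_no_users; do
        name=${pair%%:*}; fn=${pair#*:}
        case "$skip" in *",$name-nocheck,"*) echo "SKIP $name"; continue;; esac
        if "$fn" "$root"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    verify_image "$1" "${2:-}"
fi
```

The checks are deliberately conservative: a missing `PasswordAuthentication` line counts as a failure because sshd's built-in default allows passwords, and the sudoers check flags exactly the kind of `NOPASSWD` rule that cloud base images ship for their build user and that should disappear together with that user.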
You can run the `yc-image-cleanup.sh` script with the `-t` key in verbose mode to display the details of the verification process. For each verification stage, the script then shows the invalid configuration parameter values or the list of users that failed the check. Verbose mode is supported only at the `normal` level. To run the verification script in verbose mode, run the following command (the keys must follow the specified order):
./yc-image-cleanup.sh -v normal -t
To view all available script parameters and all environment variables that affect its execution, run the command:
./yc-image-cleanup.sh -h