Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Creating a Linux-based product image to upload to Cloud Marketplace

Written by
Updated at August 12, 2024

To add a product for Yandex Compute Cloud to the Marketplace, you need to upload the image to Yandex Cloud. The products can be based on Linux. This section will help you create an image based on Linux OS.

If you wish to add a product for Yandex Managed Service for Kubernetes, follow the relevant instructions.

Creating an image

Images of products placed in the Marketplace must meet the requirements.

If you do not have a VM image, create one:

  • Use Packer. The image is automatically uploaded to Compute Cloud.
    For creating an image, we recommend the following:
  • Use other tools that are convenient for you. In this case, you need to upload an image to Compute Cloud.

The supported formats include Qcow2, VMDK, RAW, and VHD.

Image requirements

Boot disk images must meet the following requirements:

  • The virtio-net, virtio-blk, and virtio-pci drivers are installed. If you are going to attach file storages to your VM, you also need to install the virtiofs driver. For more information, refer to this guide.
  • The ttyS0 terminal (COM1 port) is set up as a serial console. For more information, refer to this guide.
  • The network interface runs correctly when starting a VM and obtains the IP address via DHCP.
  • The cloud-init package is installed and configured to work with our metadata service. To install the package for CentOS, run the sudo yum install cloud-init command. To install it for Debian or Ubuntu, run sudo apt update && sudo apt install -y cloud-init.
  • If you created an image based on an Amazon Machine Image (AMI), verification of the cloud platform where the VM instance is run is disabled in the cloud-init settings. For more information, refer to this guide.
  • In the system firewall settings, the minimum required set of ports for running your applications and a port for SSH access (by default, 22 TCP) are open.
  • The SSH server starts automatically at VM startup.
  • Services running your application are resistant to VM reboots.
  • The boot disk uses MBR partitioning.
  • The disk is mounted by its UUID rather than by name.
  • The file system is not encrypted.

For instructions on how to configure the OS to meet the requirements, see Preparing your disk image.

To use the image for a Marketplace product, also follow these steps:

  1. Clean up:

    • The /tmp, /var/tmp, and /var/log directories.
    • The package manager cache.
    • .bash_history for all users.
    • The data on configurations previously received via DHCP (dhcp.leases and dhcp.log).
    • The /etc/machine-id file.

  2. Make sure that:

    • The image only has the system users that the applications need.

    • Password-based access via SSH is disabled for all users. They must log in using a key obtained from the metadata service.

    • There are no pre-generated SSH keys or passwords in the image.

      Warning

      Application passwords must be generated when the VM starts to enable a user to change them when logging in for the first time via the serial console or SSH.

    • The /etc/sudoers* file has no extra privileges configured for users.

  3. Use the supplemental guidelines for configuring images for the Marketplace:

    • The /etc/fstab configuration file is missing the lines to connect swap.

Checking your image

You can clean up and check the system by the yc-image-cleanup.sh script.

You should run the yc-image-cleanup.sh script inside the image as a root user.

The yc-image-cleanup.sh script does not check the product image for compliance with all requirements and is not compatible with all distributions. Before uploading the image to the Marketplace, you'll need to perform additional checks yourself. To learn whether yc-image-cleanup.sh supports your distribution, run the script with the -o option. For the supported distributions, the script prints the distribution name and version and detects the package manager. If the distribution is not supported, the resulting line will be Unsupported OS/distribution; can't determine package manager type.

To clean up a VM before creating an image from it, run the command:

./yc-image-cleanup.sh -c

Warning

The cleanup command deletes some files and directories. Before running it, make sure that you have backups of important data.

Before the cleanup, you can set the YCCLEANUP_SYS_USER environment variable by specifying the name of the system user who must be deleted together with the home folder during the cleaning. For example, in Ubuntu, the system user is ubuntu, in CentOS — centos. In some cases, the system user may be cloud-user or some other user. In the YCCLEANUP_SYS_USER variable, you can even specify the user executing the script. In this case, an error message is displayed, but the user is still deleted. If the YCCLEANUP_SYS_USER variable is not set, no user is deleted.

To check the image for compliance with some requirements, run the command:

./yc-image-cleanup.sh -d

To check the VM that you created from the image, run the command:

./yc-image-cleanup.sh -t

If your system design doesn't allow for any verification when starting with the -t key, you can disable this verification. The list of disabled checks is passed in the -s option in the format: yc-image-cleanup.sh -s <spec1>,<spec2> -t. You can disable checks using the specifiers:

  • users-locked-nocheck: Disables the verification that password authentication should be disabled for all users and you can log in to the VM only by the key.
  • empty-history-nocheck: Disables the verification that the bash history should be empty for all users.
  • one-auth-user-nocheck: Disables the verification that only one user besides root can have an entry in authorized_keys. This user can be the only one specified in metadata.
  • one-auth-key-nocheck: Disables the verification that each user has no more than one entry in authorized_keys. This verification isn't passed if any user with an entry in authorized_keys has not been deleted from the original image.
  • no-private-keys-nocheck: Disables the verification that no user has any files of the "public key — private key" pair in the .ssh folder in the home folder.
  • no-passwords-nocheck: Disables the verification that password authentication is turned off in the sshd configuration file.

You can run the yc-image-cleanup.sh script with the -t key in verbose mode to display the details of the verification process. When running with details for each verification stage, invalid configuration parameter values or a list of users who failed the check is displayed. Detail mode is supported only by the normal level. To run the verification script in detail mode, run the command (the keys must follow the specified order):

./yc-image-cleanup.sh -v normal -t

To view all available script parameters and all environment variables that affect its execution, run the command:

./yc-image-cleanup.sh -h
Previous
Subscription
Next
Creating a product for Managed Service for Kubernetes