Building your own image with a clean CentOS 8.1 in the Amazon cloud

This guide is a "fork" of the article of the same name about CentOS 5.9, updated for the peculiarities of the new OS. At the time of writing there is no official CentOS 8 image from centos.org in the AWS Marketplace.

As you know, virtual instances in the Amazon cloud are launched from images (called AMIs). Amazon provides a large number of them; you can also use public images prepared by third parties, for which the cloud provider, of course, bears no responsibility. But sometimes you need a clean system image with the settings you require, and it is not in the list of available images.

In that case the only way out is to build your own AMI.

The official documentation describes how to create an "instance store-backed AMI".

The drawback of that approach is that the finished image then also has to be converted into an "EBS-backed AMI". Cockpit Image Builder is also worth mentioning: it lets you build custom images, from the CLI or a web interface, but only once you already have a running CentOS 8.

This article describes how to create your own EBS-backed AMI in the Amazon cloud without intermediate steps.

Plan of action

  • Prepare the environment
  • Install a clean system and apply the required settings
  • Take a snapshot of the disk
  • Register the AMI

Preparing the environment

For our purposes any official CentOS 7 instance of any size will do, even a t2.micro. You can launch it from the CLI:

# Both block-device mappings go in ONE --block-device-mappings option:
# when a list option is repeated, the AWS CLI keeps only the last occurrence,
# so passing it twice would drop the root-volume size and keep only /dev/sdb.
aws ec2 run-instances \
  --image-id ami-4bf3d731 \
  --region us-east-1 \
  --key-name alpha \
  --instance-type t2.micro \
  --subnet-id subnet-240a8618 \
  --associate-public-ip-address \
  --block-device-mappings DeviceName=/dev/sda1,Ebs={VolumeSize=8} \
                          DeviceName=/dev/sdb,Ebs={VolumeSize=4}

The command brings up an instance in the VPC to which the specified subnet-id belongs. The subnet is assumed to be public, and the 'default' security group is assumed to allow everything. That is convenient for a build box, but a security group that only admits TCP/22 from your own address is enough for this whole procedure; nothing below needs inbound access from anywhere else.

Now let's connect to the instance over ssh, update the system, install dnf and reboot:

sudo yum update -y && sudo yum install -y dnf && sudo reboot

All further operations are performed as root.

Installing a clean CentOS 8.1

Partitioning the disk and creating the file system

# /dev/sdb from the launch command shows up in the guest as /dev/xvdb
DEVICE=/dev/xvdb
ROOTFS=/rootfs
# GPT with a 1 MiB bios_grub partition: the HVM AMI boots via legacy BIOS,
# and GRUB on GPT needs that partition to embed its core image
parted -s ${DEVICE} mktable gpt
parted -s ${DEVICE} mkpart primary ext2 1 2
parted -s ${DEVICE} set 1 bios_grub on
parted -s ${DEVICE} mkpart primary xfs 2 100%

# the label is what /etc/fstab will refer to, so no device names are baked in
mkfs.xfs -L root ${DEVICE}2
mkdir -p $ROOTFS
mount ${DEVICE}2 $ROOTFS

# pseudo file systems the package scriptlets and the later chroot steps need
mkdir $ROOTFS/{proc,sys,dev,run}
mount --bind /proc $ROOTFS/proc
mount --bind /sys $ROOTFS/sys
mount --bind /dev $ROOTFS/dev
mount --bind /run $ROOTFS/run

Creating the directory tree

The RPM system makes it easy and quick to prepare a directory tree for the future OS:

PKGSURL=http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages
# an empty rpmdb inside the target tree
rpm --root=$ROOTFS --initdb
# the release, repo and key packages are enough for dnf to take over
rpm --root=$ROOTFS -ivh \
  $PKGSURL/centos-release-8.1-1.1911.0.8.el8.x86_64.rpm \
  $PKGSURL/centos-gpg-keys-8.1-1.1911.0.8.el8.noarch.rpm \
  $PKGSURL/centos-repos-8.1-1.1911.0.8.el8.x86_64.rpm

dnf --installroot=$ROOTFS --nogpgcheck --setopt=install_weak_deps=False \
   -y install audit authselect basesystem bash biosdevname coreutils \
   cronie curl dnf dnf-plugins-core dnf-plugin-spacewalk dracut-config-generic \
   dracut-config-rescue e2fsprogs filesystem firewalld glibc grub2 grubby hostname \
   initscripts iproute iprutils iputils irqbalance kbd kernel kernel-tools \
   kexec-tools less linux-firmware lshw lsscsi ncurses network-scripts \
   openssh-clients openssh-server passwd plymouth policycoreutils prefixdevname \
   procps-ng rng-tools rootfiles rpm rsyslog selinux-policy-targeted setup \
   shadow-utils sssd-kcm sudo systemd util-linux vim-minimal xfsprogs \
   chrony cloud-init

I consider it best to run the last command exactly this way, naming specific packages and making sure the recommended (weak) dependencies are ignored. Note that as written, neither the rpm -ivh step nor the dnf step verifies anything: the packages come from a plain-http mirror and --nogpgcheck switches signature checking off, so whatever the mirror serves is what ends up in the image. Checking the package signatures against the CentOS key before anything is installed into $ROOTFS costs little and closes that gap.

If you prefer, you can use something like this instead:

dnf --installroot=$ROOTFS groupinstall base core \
    --excludepkgs "NetworkManager*" \
    -e "i*-firmware"

yum has no --excludepkgs, so previously I had to install the group and then remove packages afterwards.

The list of packages and dependent groups can be inspected with dnf group info core (for the core group).
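The check mentioned above, as an added example that is not part of the original article: the three bootstrap RPMs are downloaded, the CentOS signing key is imported into the target rpmdb, and each package has to pass rpm -K there and carry a signature from the expected key before rpm -ivh and dnf run. The key URL and the expected long key ID are assumptions of this example, not facts from the page: 05b555b38483c65d is the "CentOS Official" key ID as the editor recalls it, and the reader should confirm it against https://www.centos.org/keys/ before relying on it.

```shell
#!/bin/sh
# Added example (not from the original article): verify the bootstrap RPMs
# against the CentOS signing key before they are installed into $ROOTFS,
# instead of trusting plain-http downloads with --nogpgcheck.
# ASSUMPTIONS (not in the original): KEY_URL and EXPECTED_KEYID below are
# placeholders the reader confirms out of band at https://www.centos.org/keys/.
set -u
EXPECTED_KEYID=${EXPECTED_KEYID:-05b555b38483c65d}
KEY_URL=${KEY_URL:-https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official}

# Extract the lowercase 16-hex key ID from an rpm %{SIGPGP:pgpsig} value such as
# "RSA/SHA256, Thu 12 Dec 2019 05:36:11 PM UTC, Key ID 05b555b38483c65d".
# Returns 1 for unsigned packages, whose value reads "(none)".
sig_keyid() {
    s=$1
    case "$s" in
        *"Key ID "*)
            s=${s##*Key ID }
            printf '%s\n' "${s%%[^0-9a-fA-F]*}" | tr 'A-F' 'a-f' ;;
        *) return 1 ;;
    esac
}

# 0 when the signature names the expected key, 1 otherwise: unsigned, or signed
# by any other key (even one already trusted by rpm) is rejected.
sig_is_expected() {
    id=$(sig_keyid "$1") || return 1
    [ "$id" = "$EXPECTED_KEYID" ]
}

# Import the key into the TARGET rpmdb (so dnf can use it later too) and verify
# every package there: rpm -K fails on a bad digest or a signature it cannot
# verify, and the key-ID check catches packages signed by some other key.
verify_bootstrap_rpms() {
    rootfs=$1; shift
    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    rpm --root="$rootfs" --import "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    for pkg in "$@"; do
        rpm --root="$rootfs" -K "$pkg" >/dev/null || { echo "BAD: $pkg" >&2; return 1; }
        sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$pkg")
        sig_is_expected "$sig" || { echo "BAD key: $pkg ($sig)" >&2; return 1; }
    done
}

# Usage, after `rpm --root=$ROOTFS --initdb` and with PKGSURL/ROOTFS set as above:
#   cd /tmp && for p in centos-release-8.1-1.1911.0.8.el8.x86_64.rpm \
#       centos-gpg-keys-8.1-1.1911.0.8.el8.noarch.rpm \
#       centos-repos-8.1-1.1911.0.8.el8.x86_64.rpm; do curl -fsSLO "$PKGSURL/$p"; done
#   verify_bootstrap_rpms "$ROOTFS" /tmp/centos-*.rpm && rpm --root="$ROOTFS" -ivh /tmp/centos-*.rpm
```

Once the key sits in the target rpmdb, the dnf step can be tried without --nogpgcheck; the signature check is the point of the exercise, so a package that fails it should stop the build rather than be skipped.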

Configuring the OS

Let's create the configuration for the network, fstab and grub2, and use the AWS link-local 169.254 addresses for DNS and NTP.

# the VPC resolver; reachable from every subnet without any security-group rule
cat > $ROOTFS/etc/resolv.conf << HABR
nameserver 169.254.169.253
HABR

cat > $ROOTFS/etc/sysconfig/network << HABR
NETWORKING=yes
NOZEROCONF=yes
HABR

cat > $ROOTFS/etc/sysconfig/network-scripts/ifcfg-eth0  << HABR
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
HABR

# by label, matching mkfs.xfs -L root above
cat > $ROOTFS/etc/fstab << HABR
LABEL=root / xfs defaults,relatime 1 1
HABR

# default login user becomes "centos" instead of cloud-user
sed -i  "s/cloud-user/centos/" $ROOTFS/etc/cloud/cloud.cfg
# the Amazon Time Sync Service instead of public pools
echo "server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4" >> $ROOTFS/etc/chrony.conf
sed -i "/^pool /d" $ROOTFS/etc/chrony.conf
# do not let clients push LANG/LC_* environment into sessions
sed -i "s/^AcceptEnv/#AcceptEnv/" $ROOTFS/etc/ssh/sshd_config

# quoted delimiter: the $(sed ...) in GRUB_DISTRIBUTOR must be written
# literally so it is evaluated by grub2-mkconfig inside the new system,
# not by the shell of the CentOS 7 build host
cat > $ROOTFS/etc/default/grub << 'HABR'
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200n8 console=tty0 net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true
HABR

Here, in GRUB_CMDLINE_LINUX, I recommend adding selinux=0 for those who are still afraid of SELinux. Bear in mind what that does: selinux=0 on the kernel command line removes the mandatory access control layer entirely, and it cannot be re-enabled later without a relabel and a reboot. The selinux-policy-targeted package is already installed and the .autorelabel step below gets the file contexts right on first boot, so an image that keeps SELinux enforcing costs nothing extra here.

Rebuilding the initramfs in the chroot

After changing the grub and fstab files, the initramfs and the boot configuration have to be regenerated.
Let's do that now:

# exactly one kernel is installed, so its version is the only entry in /lib/modules
KERNEL=$(ls $ROOTFS/lib/modules/)
chroot $ROOTFS dracut -f -v /boot/initramfs-$KERNEL.img $KERNEL
chroot $ROOTFS grub2-mkconfig -o /boot/grub2/grub.cfg
# /dev is bind-mounted, so $DEVICE (/dev/xvdb) is visible inside the chroot
chroot $ROOTFS grub2-install $DEVICE
chroot $ROOTFS update-crypto-policies --set FUTURE

The update-crypto-policies call here is optional, for the paranoid :)

For an image "for sale" (FIPS mode), you can additionally do this:

chroot $ROOTFS fips-mode-setup --enable
chroot $ROOTFS grub2-mkconfig -o /boot/grub2/grub.cfg
chroot $ROOTFS grub2-install $DEVICE

After the OS boots, update-crypto-policies --show will print FIPS. The grub regeneration is repeated because fips-mode-setup --enable adds fips=1 to the kernel command line, and the boot entries have to pick that up.

Autostart and cleanup

chroot $ROOTFS systemctl enable network.service
chroot $ROOTFS systemctl enable sshd.service
chroot $ROOTFS systemctl enable cloud-init.service
chroot $ROOTFS systemctl mask tmp.mount
dnf --installroot=$ROOTFS clean all
truncate -c -s 0 $ROOTFS/var/log/*.log
# the original had a relative path here (var/lib/dnf/*), which would wipe the
# BUILD HOST's dnf state when run from /; the target tree needs the $ROOTFS prefix
rm -rf $ROOTFS/var/lib/dnf/*
touch $ROOTFS/.autorelabel

.autorelabel is needed so that SELinux file contexts are set automatically on first boot. chronyd, firewalld and auditd are installed but not touched here; check what the package presets left with chroot $ROOTFS systemctl is-enabled chronyd firewalld auditd and enable whichever you want active from the first boot.

Now let's unmount the disk:

sync
umount $ROOTFS/{proc,sys,dev,run}
umount $ROOTFS

Registering the AMI

To get an AMI out of an EBS disk, you first take a snapshot of the disk:

aws ec2 create-snapshot \
    --volume-id vol-09f26eba4c50da110  --region us-east-1 \
    --description 'centos-release-8.1-1.1911.0.8 4.18.0-147.5.1 01'

You will have to wait a while. Let's check the status using the SnapshotId returned (aws ec2 wait snapshot-completed --snapshot-ids ... does the polling for you in a script):

aws ec2 describe-snapshots --region us-east-1 --snapshot-ids snap-0b665542fc59e58ed

Once it reports "State": "completed", you can register the AMI and make it public:

aws ec2 register-image \
    --region us-east-1 \
    --name 'CentOS-8.1-1.1911.0.8-minimal' \
    --description 'centos-release-8.1-1.1911.0.8 4.18.0-147.5.1 01' \
    --virtualization-type hvm --root-device-name /dev/sda1 \
    --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs": { "SnapshotId": "snap-0b665542fc59e58ed", "VolumeSize":4,  "DeleteOnTermination": true, "VolumeType": "gp2"}}]' \
    --architecture x86_64 --sriov-net-support simple --ena-support

# optional: Group=all makes the AMI launchable by every AWS account
aws ec2 modify-image-attribute \
    --region us-east-1 \
    --image-id ami-011ed2a37dc89e206 \
    --launch-permission 'Add=[{Group=all}]'

That's it. Now you can launch instances from it. Remember that a public AMI is readable by anyone, so the tree that went into the snapshot must contain nothing you would not publish: no SSH host keys, authorized_keys, shell history or cloud-init instance data.
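An added example, not part of the original article, of the check implied by that last sentence: a script run against the mounted $ROOTFS just before unmounting and snapshotting, which lists identity and credential material that must not ship, accounts with an empty password, SELinux switched off on the kernel command line or in /etc/selinux/config, a missing .autorelabel, and the CentOS 8 sshd defaults (PermitRootLogin yes, PasswordAuthentication yes) that are better set explicitly than left to cloud-init. The tree is passed as an argument so the same function runs against a scratch directory; all paths are the stock CentOS 8 locations, and the checks themselves are this example's choice, not the page's.

```shell
#!/bin/sh
# Added example (not from the original article): pre-snapshot audit of the
# freshly built tree. Usage while $ROOTFS is still mounted:
#   audit_rootfs "$ROOTFS" || echo "fix the findings above before create-snapshot"
set -u

# Print one finding per line on stdout; return 0 only when there are none.
audit_rootfs() {
    root=${1%/}
    rc=0
    finding() { printf '%s\n' "$1"; rc=1; }

    # 1. Identity and credential material: every instance launched from the
    #    AMI would share it, and a public AMI hands it to every AWS account.
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub \
             "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys \
             "$root"/root/.bash_history "$root"/home/*/.bash_history \
             "$root"/var/lib/cloud/instances/*; do
        [ -e "$f" ] && finding "remove before snapshot: ${f#"$root"}"
    done
    # systemd's package scriptlets may already have written a machine-id into
    # the chroot; an empty file makes each instance generate its own at boot.
    [ -s "$root/etc/machine-id" ] && finding "non-empty /etc/machine-id (truncate it)"

    # 2. Accounts whose /etc/shadow password field is empty (no password at all).
    if [ -f "$root/etc/shadow" ]; then
        for u in $(awk -F: '$2 == "" { print $1 }' "$root/etc/shadow"); do
            finding "empty password for account $u"
        done
    fi

    # 3. SELinux stays on: not disabled on the kernel command line, enforcing
    #    in /etc/selinux/config, and .autorelabel present for the first boot.
    if [ -f "$root/etc/default/grub" ] && \
       grep -Eq 'selinux=0|enforcing=0' "$root/etc/default/grub"; then
        finding "SELinux disabled on kernel command line in /etc/default/grub"
    fi
    if [ -f "$root/etc/selinux/config" ] && \
       grep -Eq '^SELINUX=(disabled|permissive)' "$root/etc/selinux/config"; then
        finding "SELINUX not enforcing in /etc/selinux/config"
    fi
    [ -e "$root/.autorelabel" ] || finding "missing /.autorelabel"

    # 4. sshd: CentOS 8 ships PermitRootLogin yes and password auth enabled;
    #    set both to "no" in the image rather than relying on cloud-init.
    if [ -f "$root/etc/ssh/sshd_config" ]; then
        grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$root/etc/ssh/sshd_config" && \
            finding "PermitRootLogin yes in sshd_config"
        grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$root/etc/ssh/sshd_config" && \
            finding "PasswordAuthentication yes in sshd_config"
    fi
    return $rc
}
```

The function only reports; the fixes are the ones already in the procedure (truncate or delete the file, keep SELinux on, set the two sshd options), and a non-zero exit makes it easy to gate the create-snapshot step in a script.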

In the same way you can most likely build an image with any Linux distribution; at the very least it works for Debian (use debootstrap to install the clean system) and the RHEL family.

UPDATE, at readers' request: this process can be automated with Packer. An example template was linked from the original post.

Sous: www.habr.com
