Building a clean CentOS 8.1 image in the Amazon cloud

This guide is a "fork" of the article of the same name, which was written for CentOS 5.9, and takes the new OS's features into account. At the moment there is no official CentOS 8 image from centos.org in the AWS Marketplace.

As you know, virtual instances in the Amazon cloud are launched from images (called AMIs). Amazon provides a great many of them, and you can also use public images prepared by third parties, for which the cloud provider naturally accepts no responsibility. But sometimes you need a clean system image with specific parameters, and it is simply not in the list.

Then the only way is to build your own AMI.

The official documentation describes the process of creating an "instance store-backed AMI".

The drawback of that approach is that the finished image then has to be converted into an "EBS-backed AMI". Cockpit Image Builder also deserves a mention: it can build custom images from the CLI or a web GUI, but only once you already have a running CentOS 8.

This article covers how to create an EBS-backed AMI in the Amazon cloud without those intermediate steps.

Plan of action

  • Prepare the environment
  • Install a clean system and apply the required settings
  • Snapshot the disk
  • Register the AMI

Preparing the environment

For our purposes any official CentOS 7 instance of any type will do, even a t2.micro. You can launch it from the CLI:

aws ec2 run-instances \
  --image-id ami-4bf3d731 \
  --region us-east-1 \
  --key-name alpha \
  --instance-type t2.micro \
  --subnet-id subnet-240a8618 \
  --associate-public-ip-address \
  --block-device-mappings \
    "DeviceName=/dev/sda1,Ebs={VolumeSize=8}" \
    "DeviceName=/dev/sdb,Ebs={VolumeSize=4}"
# both mappings belong to one --block-device-mappings argument;
# giving the option twice keeps only the last mapping

The command brings up an instance in the VPC that the given subnet belongs to. The subnet must be public, and the "default" security group must allow everything. Since this is a throwaway build host that only needs inbound SSH, it is better to give it a group that allows port 22 from your own address only; the image you produce does not depend on the build host's security group.

Log in over ssh, update the system, install dnf and reboot:

sudo yum update -y && sudo yum install -y dnf && sudo reboot

All further operations are performed as root.

Clean installation of CentOS 8.1

Filesystem layout and mounting the partitions

The 4 GB volume attached as /dev/sdb shows up as /dev/xvdb on a Xen-based t2 instance (on Nitro-based instance types it would be an NVMe device such as /dev/nvme1n1). Confirm the name with lsblk before running the next block: parted mktable on the wrong device wipes the build host's own disk.

DEVICE=/dev/xvdb
ROOTFS=/rootfs
parted -s ${DEVICE} mktable gpt
parted -s ${DEVICE} mkpart primary ext2 1 2
parted -s ${DEVICE} set 1 bios_grub on
parted -s ${DEVICE} mkpart primary xfs 2 100%

mkfs.xfs -L root ${DEVICE}2
mkdir -p $ROOTFS
mount ${DEVICE}2 $ROOTFS

mkdir $ROOTFS/{proc,sys,dev,run}
mount --bind /proc $ROOTFS/proc
mount --bind /sys $ROOTFS/sys
mount --bind /dev $ROOTFS/dev
mount --bind /run $ROOTFS/run

Creating the directory tree

The RPM system makes it easy and quick to prepare the directory tree of the future OS:

PKGSURL=http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages
rpm --root=$ROOTFS --initdb
rpm --root=$ROOTFS -ivh \
  $PKGSURL/centos-release-8.1-1.1911.0.8.el8.x86_64.rpm \
  $PKGSURL/centos-gpg-keys-8.1-1.1911.0.8.el8.noarch.rpm \
  $PKGSURL/centos-repos-8.1-1.1911.0.8.el8.x86_64.rpm

dnf --installroot=$ROOTFS --nogpgcheck --setopt=install_weak_deps=False \
   -y install audit authselect basesystem bash biosdevname coreutils \
   cronie curl dnf dnf-plugins-core dnf-plugin-spacewalk dracut-config-generic \
   dracut-config-rescue e2fsprogs filesystem firewalld glibc grub2 grubby hostname \
   initscripts iproute iprutils iputils irqbalance kbd kernel kernel-tools \
   kexec-tools less linux-firmware lshw lsscsi ncurses network-scripts \
   openssh-clients openssh-server passwd plymouth policycoreutils prefixdevname \
   procps-ng rng-tools rootfiles rpm rsyslog selinux-policy-targeted setup \
   shadow-utils sssd-kcm sudo systemd util-linux vim-minimal xfsprogs \
   chrony cloud-init

I consider it best to run the last command with an explicit list of packages and with weak dependencies disabled (install_weak_deps=False). One caveat: the three bootstrap RPMs are fetched over plain HTTP and installed without any signature check, and --nogpgcheck disables verification for everything dnf installs after them. Before trusting the tree, import the CentOS Official key (published on centos.org) on the build host and verify the downloaded bootstrap packages with rpm -K; every other package in the image descends from the repository definitions and keys those three carry.

If you prefer, you can use something like:

dnf --installroot=$ROOTFS -y groupinstall base core \
    --excludepkgs "NetworkManager*" \
    --excludepkgs "i*-firmware"   # in dnf, -e is --errorlevel, not an exclude

yum has no --excludepkgs, so previously I had to install the groups and then remove packages.

The list of packages and dependent groups of a group, say core, can be seen with dnf group info core.

Configuring the OS files

Let's create the configuration for the network, fstab and grub2, using AWS's link-local 169.254 addresses for DNS and NTP (169.254.169.253 is the VPC resolver and 169.254.169.123 is the Amazon Time Sync Service; neither requires traffic to leave the VPC).

cat > $ROOTFS/etc/resolv.conf << HABR
nameserver 169.254.169.253
HABR

cat > $ROOTFS/etc/sysconfig/network << HABR
NETWORKING=yes
NOZEROCONF=yes
HABR

cat > $ROOTFS/etc/sysconfig/network-scripts/ifcfg-eth0  << HABR
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
HABR

cat > $ROOTFS/etc/fstab << HABR
LABEL=root / xfs defaults,relatime 1 1
HABR

sed -i  "s/cloud-user/centos/" $ROOTFS/etc/cloud/cloud.cfg
echo "server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4" >> $ROOTFS/etc/chrony.conf
sed -i "/^pool /d" $ROOTFS/etc/chrony.conf
sed -i "s/^AcceptEnv/# /" $ROOTFS/etc/ssh/sshd_config

cat > $ROOTFS/etc/default/grub << HABR
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200n8 console=tty0 net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true
HABR

Right here, in GRUB_CMDLINE_LINUX, I would recommend selinux=0 for those who are still afraid of SELinux. For an image you intend to share, leaving the targeted policy enforcing, as the rest of this guide does, is the better default; the .autorelabel marker set later takes care of the file contexts on the first boot.

Regenerating the initramfs in the chroot

After grub and fstab have been edited, the initramfs and the GRUB configuration must be regenerated and the bootloader installed on the new disk:

KERNEL=$(ls $ROOTFS/lib/modules/) 
chroot $ROOTFS dracut -f -v /boot/initramfs-$KERNEL.img $KERNEL
chroot $ROOTFS grub2-mkconfig -o /boot/grub2/grub.cfg
chroot $ROOTFS grub2-install $DEVICE
chroot $ROOTFS update-crypto-policies --set FUTURE

update-crypto-policies here is optional, for the paranoid :)

For an image that is "for sale" (one that must be FIPS-compliant) you can additionally do:

chroot $ROOTFS fips-mode-setup --enable
chroot $ROOTFS grub2-mkconfig -o /boot/grub2/grub.cfg
chroot $ROOTFS grub2-install $DEVICE

After the OS boots, update-crypto-policies --show prints FIPS.

Enabling services on boot and cleaning up

chroot $ROOTFS systemctl enable network.service
chroot $ROOTFS systemctl enable sshd.service
chroot $ROOTFS systemctl enable cloud-init.service
chroot $ROOTFS systemctl mask tmp.mount
dnf --installroot=$ROOTFS clean all
truncate -c -s 0 $ROOTFS/var/log/*.log
rm -rf $ROOTFS/var/lib/dnf/*   # must be under $ROOTFS; a bare var/lib/dnf/* hits the build host
touch $ROOTFS/.autorelabel

autorelabel is needed so that SELinux file contexts are set automatically on the first boot. If the package installation populated $ROOTFS/etc/machine-id, empty that file too; otherwise every instance launched from the image shares the same machine ID.
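The cleanup above removes logs and the dnf cache, but a shared image also must not carry a populated /etc/machine-id, sshd host keys, root's shell history or ssh directory, or cloud-init run state, and it is worth checking the configuration written in the previous section before the tree is frozen into a snapshot. The following script, added here as an example and not part of the original article, does both: scrub_tree removes that state (and writes PasswordAuthentication no into sshd_config, a setting the article otherwise leaves to cloud-init's ssh_pwauth), and audit_tree reports anything left over, checking the article's own values (LABEL=root in fstab, the 169.254.169.253 resolver and 169.254.169.123 time source, the centos default user, no AcceptEnv, the .autorelabel marker). make_fixture_tree builds a constructed miniature tree so the script can be run offline; on the real build, run scrub_tree "$ROOTFS" && audit_tree "$ROOTFS" before unmounting.

```shell
#!/bin/sh
# Added example, not code from the original article: scrub per-instance state
# out of the chroot tree built above and audit it before the volume is unmounted
# and snapshotted. Values follow the article (LABEL=root, the 169.254.169.x
# DNS/NTP addresses, the `centos` default user); the list of what counts as
# leftover state is this example's own choice.
set -u

# Remove state that must differ per instance and must never ship in an image.
scrub_tree() {
    local root="$1"
    # A populated machine-id would be identical on every instance launched
    # from the AMI; an empty file makes systemd generate a fresh one on boot.
    : > "$root/etc/machine-id"
    # sshd-keygen creates host keys on first boot; shipped keys are shared keys.
    rm -f "$root"/etc/ssh/ssh_host_*
    # Shell history, root's ssh material, cloud-init run state, dnf state/cache.
    rm -f "$root/root/.bash_history"
    rm -rf "$root/root/.ssh" "$root"/var/lib/cloud/* \
           "$root"/var/cache/dnf/* "$root"/var/lib/dnf/*
    # Empty the logs rather than deleting them, so owners and modes survive.
    find "$root/var/log" -type f -exec sh -c ': > "$1"' _ {} \; 2>/dev/null || true
    # The article leaves password logins to cloud-init's ssh_pwauth; set it here.
    if [ -f "$root/etc/ssh/sshd_config" ]; then
        sed 's/^PasswordAuthentication yes/PasswordAuthentication no/' \
            "$root/etc/ssh/sshd_config" > "$root/etc/ssh/sshd_config.tmp" &&
            mv "$root/etc/ssh/sshd_config.tmp" "$root/etc/ssh/sshd_config"
    fi
    # Nothing under /etc should be world-writable.
    find "$root/etc" -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null || true
    touch "$root/.autorelabel"   # relabel on first boot, as in the article
}

# Print one line per problem; return 1 if there is any, 0 if the tree is clean.
audit_tree() {
    local root="$1" findings
    findings=$(
        grep -qs '^LABEL=root[[:space:]]\{1,\}/[[:space:]]\{1,\}xfs' "$root/etc/fstab" \
            || echo "fstab does not mount LABEL=root on / as xfs"
        grep -qs '^nameserver 169\.254\.169\.253$' "$root/etc/resolv.conf" \
            || echo "resolv.conf does not use the VPC resolver 169.254.169.253"
        grep -qs '^server 169\.254\.169\.123 ' "$root/etc/chrony.conf" \
            || echo "chrony.conf does not use the AWS time source 169.254.169.123"
        grep -qs '^pool ' "$root/etc/chrony.conf" && echo "chrony.conf still lists a public pool"
        grep -qs 'name: centos$' "$root/etc/cloud/cloud.cfg" || echo "cloud.cfg default user is not centos"
        grep -qs '^PasswordAuthentication yes' "$root/etc/ssh/sshd_config" \
            && echo "sshd_config allows password authentication"
        grep -qs '^AcceptEnv' "$root/etc/ssh/sshd_config" && echo "sshd_config still has AcceptEnv"
        [ -s "$root/etc/machine-id" ] && echo "machine-id is populated"
        ls "$root"/etc/ssh/ssh_host_* >/dev/null 2>&1 && echo "ssh host keys present"
        [ -e "$root/root/.bash_history" ] && echo "root shell history present"
        [ -d "$root/root/.ssh" ] && echo "/root/.ssh present"
        [ -n "$(ls -A "$root/var/lib/dnf" 2>/dev/null)" ] && echo "dnf state not cleaned"
        [ -n "$(find "$root/etc" -type f -perm -0002 2>/dev/null)" ] && echo "world-writable file under /etc"
        [ -e "$root/.autorelabel" ] || echo ".autorelabel missing, SELinux labels will be stale"
        true
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/audit: /'
    return 1
}

# Constructed fixture: a miniature tree with the article's configs plus the
# kind of leftovers a chroot install produces. Not a real CentOS root.
make_fixture_tree() {
    local root="$1"
    mkdir -p "$root"/etc/ssh "$root"/etc/cloud "$root"/root/.ssh "$root"/var/log \
             "$root"/var/lib/dnf "$root"/var/lib/cloud "$root"/var/cache/dnf
    printf 'LABEL=root / xfs defaults,relatime 1 1\n' > "$root/etc/fstab"
    printf 'nameserver 169.254.169.253\n' > "$root/etc/resolv.conf"
    printf 'server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4\n' > "$root/etc/chrony.conf"
    printf 'default_user:\n  name: centos\n' > "$root/etc/cloud/cloud.cfg"
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$root/etc/ssh/sshd_config"
    printf '0123456789abcdef0123456789abcdef\n' > "$root/etc/machine-id"
    printf 'not-a-real-key\n' > "$root/etc/ssh/ssh_host_rsa_key"
    printf 'dnf install ...\n' > "$root/root/.bash_history"
    printf 'log line\n' > "$root/var/log/dnf.log"
    printf 'x\n' > "$root/var/lib/dnf/history.sqlite"
    printf 'token=example\n' > "$root/etc/loose.conf"
    chmod 0666 "$root/etc/loose.conf"
}

# Offline demonstration on the fixture; on the real build run
#   scrub_tree "$ROOTFS" && audit_tree "$ROOTFS"
# before unmounting.
demo() {
    local tree
    tree=$(mktemp -d)
    make_fixture_tree "$tree"
    echo "== before scrub"; audit_tree "$tree" || true
    scrub_tree "$tree"
    echo "== after scrub"; audit_tree "$tree" && echo "audit: clean"
    rm -rf "$tree"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the audit fail on the fixture and pass after scrubbing. The audit deliberately returns non-zero with findings on stdout, so it can gate the umount and snapshot steps in a script.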

Now unmount the disk:

sync
umount $ROOTFS/{proc,sys,dev,run}
umount $ROOTFS

Registering the AMI

To turn an EBS volume into an AMI you first need a snapshot of it (the volume ID is that of the 4 GB disk attached as /dev/sdb; aws ec2 describe-volumes shows it if you did not note it at launch):

aws ec2 create-snapshot \
    --volume-id vol-09f26eba4c50da110 --region us-east-1 \
    --description 'centos-release-8.1-1.1911.0.8 4.18.0-147.5.1 01'

You will have to wait a little. Check the state using the returned SnapshotId:

aws ec2   describe-snapshots  --region us-east-1 --snapshot-ids snap-0b665542fc59e58ed

When the response shows "State": "completed", you can register the AMI and make it public. Treat the second command as a deliberate decision: an AMI shared with Group=all can be launched and copied by any AWS account, so only do this for a tree that has been cleaned of keys, history and per-instance state as described above.

aws ec2 register-image \
    --region us-east-1 \
    --name 'CentOS-8.1-1.1911.0.8-minimal' \
    --description 'centos-release-8.1-1.1911.0.8 4.18.0-147.5.1 01' \
    --virtualization-type hvm --root-device-name /dev/sda1 \
    --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs": { "SnapshotId": "snap-0b665542fc59e58ed", "VolumeSize":4,  "DeleteOnTermination": true, "VolumeType": "gp2"}}]' \
    --architecture x86_64 --sriov-net-support simple --ena-support

aws ec2 modify-image-attribute \
    --region us-east-1 \
    --image-id ami-011ed2a37dc89e206 \
    --launch-permission 'Add=[{Group=all}]'
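The snapshot, wait, register and share steps above as one script, added here as an example and not part of the original article. It assumes the AWS CLI is configured and defaults to the article's us-east-1 region; snapshot and image IDs are taken from the API responses instead of being pasted by hand, aws ec2 wait snapshot-completed replaces the manual describe-snapshots polling, and the image is only made public when the caller passes an explicit yes. The builder_volume_id helper, the build_ami wrapper and their parameter names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's code: snapshot the build volume, wait for
# the snapshot, register the EBS-backed AMI and (only on request) share it.
# Assumes a configured AWS CLI; REGION defaults to the article's us-east-1.
# Function and parameter names are this example's own.
set -eu

REGION=${REGION:-us-east-1}

# Volume ID of the disk attached as /dev/sdb to the build instance, so it does
# not have to be copied from the console. (The build host can read its own
# instance ID from the metadata service.)
builder_volume_id() {
    local instance="$1"
    aws ec2 describe-instances --region "$REGION" --instance-ids "$instance" \
        --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='/dev/sdb'].Ebs.VolumeId" \
        --output text
}

# Snapshot the volume and block until its state is "completed".
snapshot_volume() {
    local vol="$1" desc="$2" snap
    snap=$(aws ec2 create-snapshot --region "$REGION" --volume-id "$vol" \
               --description "$desc" --query SnapshotId --output text)
    # Equivalent to polling describe-snapshots for "State": "completed".
    aws ec2 wait snapshot-completed --region "$REGION" --snapshot-ids "$snap"
    echo "$snap"
}

# Register an EBS-backed HVM AMI whose root volume is restored from the snapshot.
register_ami() {
    local snap="$1" name="$2" desc="$3" size_gb="${4:-4}" mapping
    mapping=$(printf '[{"DeviceName":"/dev/sda1","Ebs":{"SnapshotId":"%s","VolumeSize":%s,"DeleteOnTermination":true,"VolumeType":"gp2"}}]' \
                  "$snap" "$size_gb")
    aws ec2 register-image --region "$REGION" --name "$name" --description "$desc" \
        --virtualization-type hvm --root-device-name /dev/sda1 \
        --block-device-mappings "$mapping" \
        --architecture x86_64 --sriov-net-support simple --ena-support \
        --query ImageId --output text
}

# A public AMI can be launched and copied by any AWS account, and copies cannot
# be recalled; require an explicit "yes" instead of sharing by default.
share_ami() {
    local ami="$1" public="$2"
    [ "$public" = yes ] || return 0
    aws ec2 modify-image-attribute --region "$REGION" --image-id "$ami" \
        --launch-permission 'Add=[{Group=all}]'
}

# Whole pipeline; prints the new image ID.
build_ami() {
    local vol="$1" name="$2" desc="$3" public="${4:-no}" snap ami
    snap=$(snapshot_volume "$vol" "$desc")
    ami=$(register_ami "$snap" "$name" "$desc")
    share_ami "$ami" "$public" >/dev/null
    echo "$ami"
}

# Real invocation with the article's values (needs AWS credentials):
#   build_ami "$(builder_volume_id <build-instance-id>)" \
#       'CentOS-8.1-1.1911.0.8-minimal' 'centos-release-8.1-1.1911.0.8 4.18.0-147.5.1 01' no
```

The waiter gives up after its built-in retry limit (several minutes), which is plenty for a 4 GB volume; for larger images, poll describe-snapshots in a loop instead. Keeping share_ami separate from build_ami means an automated pipeline can register privately, test-launch the image, and only then share it.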

That's all. Now you can launch instances from it.

In the same way you can probably build an image for just about any Linux distribution; certainly for Debian (using debootstrap to install the clean system) and for the RHEL family.

UPDATE, at readers' request: this process can be automated with Packer, purely as automation of the same steps. An example template is provided here.

Manba: www.habr.com
