Configuring Imported Images

This guide shows you how to install the guest environment and optimize your boot disk images for the Compute Engine environment. Complete these steps after you import an existing image.

Install the Compute Engine Linux Guest Environment

The Linux Guest Environment tools give your instances the following benefits:

  • Accounts daemon to set up and manage user accounts, and to enable SSH key-based authentication.
  • Clock skew daemon to keep the system clock in sync after VM start and stop events.
  • Disk expand scripts to expand the VM root partition for boot disks with CentOS/RHEL 6 and 7 operating systems.
  • Instance setup scripts to execute VM configuration scripts during boot.
  • IP forwarding daemon that integrates forwarding rule changes from network load balancing into the guest.
  • Metadata scripts to run user-provided scripts at VM startup and shutdown.
  • Network setup service to enable multiple network interfaces on boot.

Install the guest environment tools after you import an existing image. If you install the guest environment before you import the image, it can cause your system to lose network connectivity.

Debian 8


Add the public repo key to your system:

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

Add a source list file /etc/apt/sources.list.d/google-cloud.list:

sudo tee /etc/apt/sources.list.d/google-cloud.list << EOM
deb http://packages.cloud.google.com/apt google-cloud-compute-jessie main
deb http://packages.cloud.google.com/apt google-cloud-packages-archive-keyring-jessie main
EOM

Install the packages to maintain the public key over time:

sudo apt-get update && sudo apt-get install google-cloud-packages-archive-keyring

Install the google-compute-engine-jessie, google-compute-engine-init-jessie, and google-config-jessie packages:

sudo apt-get update && sudo apt-get install -y google-config-jessie google-compute-engine-jessie google-compute-engine-init-jessie

CentOS/RHEL 6 and 7


Add the yum repo to a repo file /etc/yum.repos.d/google-cloud.repo for either EL6 or EL7. Change DIST to either 6 or 7 respectively:

DIST=7

sudo tee /etc/yum.repos.d/google-cloud.repo << EOM
[google-cloud-compute]
name=Google Cloud Compute
baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-compute-el${DIST}-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOM

Install the google-compute-engine, google-compute-engine-init, and google-config packages:

sudo yum install -y google-compute-engine google-compute-engine-init google-config

Other


For other distributions, download and build the guest environment from the source on GitHub.

Configure your imported image for Compute Engine

You can run your boot disk image in Compute Engine without additional changes, but optimizing the image lets it run well within Compute Engine and gives it access to all Compute Engine features.

  • Edit the ntp.conf file to include only the server metadata.google.internal iburst Google NTP server entry.

  • Set the timezone to UTC:

    sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime
    
  • To ensure high performance network capability, use the following recommended network configurations:

    • Use the ISC DHCP client.
    • Set the DHCP MTU to 1460. The Compute Engine DHCP server serves this parameter as the interface-mtu option, which most clients respect.
    • Disable IPv6, which is not supported on Compute Engine.
    • Remove persistent network rules to prevent the instance from remembering MAC addresses. For example:

      rm -f /etc/udev/rules.d/70-persistent-net.rules
      
    • Disable the operating system firewall unless you need to restrict outbound traffic. Compute Engine provides a firewall for inbound traffic. For more information on firewalls, read the Networking and Firewalls documentation.

  • Configure SSH access to the base image:

    • Disable root ssh login.
    • Disable password authentication.
    • Disable host based authentication.
    • Enable strict host key checking.
    • Use ServerAliveInterval to keep connections open.
    • Remove SSH keys from your image so that others cannot access the public or private keys in your image. Use Compute Engine to manage SSH keys on instances instead. Remove only the host key files; the ssh_config and sshd_config files in the same directory are edited in the following steps.

      rm -f /etc/ssh/ssh_host_*
      
    • Edit the /etc/ssh/ssh_config file to use the following configuration:

      Host *
      Protocol 2
      ForwardAgent no
      ForwardX11 no
      HostbasedAuthentication no
      StrictHostKeyChecking no
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
      Tunnel no
      
      # Google Compute Engine times out connections after 10 minutes of inactivity.
      # Keep alive ssh connections by sending a packet every 7 minutes.
      ServerAliveInterval 420
      
    • Edit the /etc/ssh/sshd_config file to use the following configuration:

      # Disable PasswordAuthentication as ssh keys are more secure.
      PasswordAuthentication no
      
      # Disable root login, using sudo provides better auditing.
      PermitRootLogin no
      
      PermitTunnel no
      AllowTcpForwarding yes
      X11Forwarding no
      
      # Compute Engine times out connections after 10 minutes of inactivity. Keep alive
      # ssh connections by sending a packet every 7 minutes.
      ClientAliveInterval 420
      

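The sshd_config settings above are easy to get wrong in an image build, because sshd honours only the first occurrence of each keyword, keywords are case-insensitive, and anything after a Match line is conditional rather than global. The following audit is an added example (not part of this guide or the guest environment packages); the configuration text it checks is constructed inline.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config text against the
# settings this guide asks for. sshd honours the FIRST occurrence of each keyword, so a
# hardening line appended below an existing one is silently ignored; keywords are
# case-insensitive; anything after a "Match" line is conditional, not global.

# Constructed sample: PermitRootLogin appears twice and the first value (yes) wins.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
PermitRootLogin yes
passwordauthentication no
X11Forwarding yes
AllowTcpForwarding yes
ClientAliveInterval 420
# Appended by a hardening script, but too late: sshd keeps the first value.
PermitRootLogin no
'

# effective_value CONFIG KEYWORD: print the value sshd would use, or nothing if unset.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == key     { print $2; exit }     # first match is authoritative
    '
}

# audit_sshd_config CONFIG: print one line per deviation; return 1 if any were found.
audit_sshd_config() {
    rc=0
    # Required settings from the guide, as Keyword=value pairs.
    for want in PasswordAuthentication=no PermitRootLogin=no PermitTunnel=no \
                X11Forwarding=no AllowTcpForwarding=yes ClientAliveInterval=420; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            printf '%s: want %s, effective value is %s\n' "$key" "$expected" "${actual:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

if audit_sshd_config "$SAMPLE_CONFIG"; then
    echo "sshd_config matches the guide"
else
    echo "sshd_config deviates from the guide (see above)"
fi
```

On a running instance, `sshd -T` prints the effective configuration and can be fed to audit_sshd_config instead of the raw file.
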
After you configure and optimize your boot disk on Compute Engine, create a new image from that boot disk so that you can create new instances from a fully-optimized version of the image rather than configuring each instance every time you create it.

Configure security best practices

You should always provide a secure operating system environment, but it can be difficult to strike a balance between a secure and accessible environment. Insecure virtual machines are vulnerable to attack and can consume expensive resources. Google strongly recommends that your images comply with the following security best practices:

  • Minimize the amount of software installed by default (e.g. perform a minimal install of the OS).
  • Enable automatic updates.
  • Disable all network services by default except for SSH, DHCP, and NTPD. You can allow a mail server, such as Postfix, to run if it only accepts connections from localhost.
  • Do not allow externally listening ports except for sshd.
  • Install the denyhosts package to help prevent SSH brute-force login attempts.
  • Remove all unnecessary non-user accounts from the default install.
  • Set the shell of all non-user accounts to /sbin/nologin or /usr/sbin/nologin (depending on where your OS installed nologin) in /etc/passwd.
  • Configure your OS to use salted SHA512 for passwords in /etc/shadow.
  • Set up and configure pam_cracklib for strong passwords.
  • Set up and configure pam_tally to lock out accounts for 5 minutes after 3 failures.
  • Configure the root account to be locked by default in /etc/shadow. Run the following command to lock the root account:

    usermod -L root

  • Deny root in /etc/ssh/sshd_config by adding the following line:

    PermitRootLogin no

  • Create AppArmor or SELinux profiles for all default running network-facing services.

  • Use file system capabilities where possible to remove the need for the setuid/setgid (S*ID) bits and to provide more granular control.
  • Enable compiler and runtime exploit mitigations when compiling network-facing software. For example, here are some of the mitigations that the GNU Compiler Collection (GCC) offers and how to enable them:
    • Stack smash protection: Enable this with -fstack-protector. By default, this option protects functions with a stack-allocated buffer longer than eight bytes. To increase protection by covering functions with buffers of at least four bytes, add --param=ssp-buffer-size=4.
    • Address space layout randomization (ASLR): Enable this by building a position-independent executable with -fPIC -pie.
    • Glibc protections: Enable these protections with -D_FORTIFY_SOURCE=2.
    • Global Offset Table (GOT) protection: Enable this runtime loader feature with -Wl,-z,relro,-z,now.
    • Compile-time errors for missing format strings: -Wformat -Wformat-security -Werror=format-security
  • Disable CAP_SYS_MODULE, which allows kernel modules to be loaded and unloaded. This feature is deprecated in the Linux kernel. To disable it (the setting is one-way and stays in effect until the next reboot):

    echo 1 > /proc/sys/kernel/modules_disabled

  • Remove the kernel symbol table:

    sudo rm /boot/System.map
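
The account rules above (nologin shells for non-user accounts, a locked root account, salted SHA-512 hashes in /etc/shadow) can be checked before an image is published. The following audit is an added example, not part of this guide; it runs over constructed /etc/passwd and /etc/shadow contents embedded inline and assumes UID 1000 as the first regular user UID.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit /etc/passwd and /etc/shadow
# contents against the account rules above. Non-user (system) accounts must use a
# nologin shell, root must be locked, and stored hashes must be salted SHA-512 ($6$).

# Constructed sample files. UID < 1000 is used as the system-account cutoff here;
# check UID_MIN in your distribution's /etc/login.defs before reusing it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$constructedhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:$1$oldsalt$constructedmd5:18000:0:99999:7:::
alice:$6$saltsalt$constructedhash:18000:0:99999:7:::'

# system_accounts_with_shell PASSWD: system accounts (not root) whose shell is not nologin.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /nologin$/ { print $1 }'
}

# root_locked SHADOW: succeed only when root exists and its password field starts with ! or *.
root_locked() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
        END { exit (found && locked) ? 0 : 1 }'
}

# weak_hash_accounts SHADOW: accounts with a real hash that is not salted SHA-512.
weak_hash_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 !~ /^[!*]/ && $2 != "" && substr($2, 1, 3) != "$6$" { print $1 }'
}

# audit_accounts PASSWD SHADOW: print one line per finding; return 1 if any were found.
audit_accounts() {
    rc=0
    for acct in $(system_accounts_with_shell "$1"); do
        echo "$acct: system account has a login shell; set it to nologin"; rc=1
    done
    root_locked "$2" || { echo "root: account is not locked (run usermod -L root)"; rc=1; }
    for acct in $(weak_hash_accounts "$2"); do
        echo "$acct: password hash is not salted SHA-512"; rc=1
    done
    return $rc
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "image does not meet the account rules above"
```

Against the real files, call audit_accounts "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)"; the sample deliberately flags sync and backup for their shells, backup for its MD5 hash, and root for being unlocked.
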
