After you manually import a virtual disk to Compute Engine, you need to optimize those images so they can use features specific to the Compute Engine environment.
Install the Compute Engine guest environment
You must install the guest environment to use key features of Compute Engine.
Install the guest environment on the running VM instance you created after manually importing your existing image. Access the VM instance via SSH with a user account you created before importing it or via Interactive Serial Console to perform the installation.
Configure your imported image for Compute Engine
You can run your boot disk image in Compute Engine without additional changes, but you can optimize the image so that it runs optimally within Compute Engine and has access to all Compute Engine features.
ntp.conffile to include only the
server metadata.google.internal iburstGoogle NTP server entry.
Set the timezone to UTC:
sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime
To ensure high performance network capability, use the following recommended network configurations:
- Use the ISC DHCP client.
- Set the DHCP MTU to 1460. The Compute Engine DHCP server serves
this parameter as the
interface-mtuoption, which most clients respect.
- Disable IPv6, which is not supported on Compute Engine.
Remove persistent network rules to prevent the instance from remembering MAC addresses. For example:
rm -f /etc/udev/rules.d/70-persistent-net.rules
Disable the operating system firewall unless you have specific requirements not supported by Compute Engine Firewall Rules. Compute Engine provides a firewall for inbound and outbound traffic. For more information on firewalls, read the Firewalls documentation.
To ensure high performance network and disk capability, disable or remove the
irqbalancedaemon. This daemon does not correctly balance IRQ requests for the guest operating systems on virtual machine instances. Instead, use the scripts that are part of the guest environment to correctly balance IRQ settings for virtual CPU's.
Configure SSH access to the base image:
- Disable root ssh login.
- Disable password authentication.
- Disable host based authentication.
- Enable strict host key checking.
ServerAliveIntervalto keep connections open.
Remove SSH keys from your image so that others cannot access the public or private keys in your image. Use Compute Engine to manage access to instances instead.
/etc/ssh/ssh_configfile to use the following configuration:
Host * Protocol 2 ForwardAgent no ForwardX11 no HostbasedAuthentication no StrictHostKeyChecking no Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc Tunnel no # Google Compute Engine times out connections after 10 minutes of inactivity. # Keep alive ssh connections by sending a packet every 7 minutes. ServerAliveInterval 420
/etc/ssh/sshd_configfile to use the following configuration:
# Disable PasswordAuthentication as ssh keys are more secure. PasswordAuthentication no # Disable root login, using sudo provides better auditing. PermitRootLogin no PermitTunnel no AllowTcpForwarding yes X11Forwarding no # Compute times out connections after 10 minutes of inactivity. Keep alive # ssh connections by sending a packet every 7 minutes. ClientAliveInterval 420
After you configure and optimize your boot disk on Compute Engine, create a new image from that boot disk so that you can create new instances from a fully-optimized version of the image rather than configuring each instance every time you create it.
Configure security best practices
You should always provide a secure operating system environment, but it can be difficult to strike a balance between a secure and accessible environment. Insecure virtual machines are vulnerable to attack and can consume expensive resources. Google strongly recommends that your images comply with the following security best practices:
- Minimize the amount of software installed by default (e.g. perform a minimal install of the OS).
- Enable automatic updates.
- By default, all network services disabled except for SSH, DHCP, and NTPD. You can allow a mail server, such as Postfix, to run if it is only accepting connections from localhost.
- Do not allow externally listening ports except for sshd.
- Install the denyhosts package to help prevent SSH brute-force login attempts.
- Remove all unnecessary non-user accounts from the default install.
- Set the shell of all non-user accounts to
/usr/sbin/nologin(depending on where your OS installed nologin) in
- Configure your OS to use salted SHA512 for passwords in
- Set up and configure pam_cracklib for strong passwords.
- Set up and configure pam_tally to lock out accounts for 5 minutes after 3 failures.
Configure the root account to be locked by default in
/etc/shadow. Run the following command to lock the root account:
usermod -L root
Deny root in
/etc/ssh/sshd_configby adding the following line:
Use file system capabilities where possible to remove the need for the S*ID bit and to provide more granular control.
Enable compiler and runtime exploit mitigations when compiling network-facing software. For example, here are some of the mitigations that the GNU Compiler Collection (GCC) offers and how to enable them:
- Stack smash protection: Enable this with
-fstack-protector. By default, this option protects functions with a stack-allocated buffer longer than eight bytes. To increase protection by covering functions with buffers of at least four bytes, add
- Address space layout randomization (ASLR): Enable this by building a
position-independent executable with
- Glibc protections: Enable these protections with
- Global Offset Table (GOT) protection: Enable this runtime loader
- Compile-time errors for missing format strings:
-Wformat -Wformat-security -Werror=format-security
- Stack smash protection: Enable this with
CAP_SYS_MODULEwhich allows for loading and unloading of kernel modules. This feature is deprecated in the linux kernel. To disable this feature:
echo 1 > /proc/sys/kernel/modules_disabled
Remove the kernel symbol table:
sudo rm /boot/System.map