Archive

HowTo: Build and Use Fedora 20 for/on Google Cloud

So, in my last post, I promised to post these instructions. As if I ever kept secrets from you!

Update: Please, visit my repo where you can find the updated code: https://github.com/renich/gce-images

So, here's the magic:

Initialize (last post)

This takes care of setup. Read and follow instructions carefully. Obviously, you need to take care of billing settings and stuff when you create the account. In fact, probably, you need to create the account prior to login. Let's see how it goes if you haven't. Let me know on the comments.

# setup google cloud sdk
curl https://sdk.cloud.google.com | bash

# activate google cloud in current shell
source ~/.bash_profile

# login
gcloud auth login --no-launch-browser

# activate it
source ~/.bash_profile

setup script (unfinished)

This one is needed by virt-builder in order to edit the distro according to Google's recommendations. It is not finished yet. It just works. I will update this part as soon as I'm finished.

#!/usr/bin/env bash
# WARNING!
# Please, do not run this script by it's own. It can destroy some of your configuration.
# This script is a setup script for the guest we're creating.

# hosts
cat < < 'EOF' > /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
169.254.169.254 metadata.google.internal metadata

EOF

# networking
rm -fr /etc/sysconfig/networking
rm -f /etc/udev/rules.d/70-persistent-net.rules

cat < < 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
DEVICE="eth0"
NAME="eth0"
ONBOOT="yes"
BOOTPROTO="dhcp"
IPV4_FAILURE_FATAL="yes"
DEFROUTE="yes"
MTU="1460"
DNS1="208.67.222.222"
DNS2="8.8.8.8"

EOF

# ntp
sed -ri '/^server [1-3]\.fedora.*$/d' /etc/ntp.conf
sed -ri 's@^server 0\.fedora.*$@server metadata.google.internal iburst@' /etc/ntp.conf

# disable firewall
systemctl disable firewalld.service
systemctl disable iptables.service

# yum updates
sed -ri 's@apply_updates = no@apply_updates = yes@' /etc/yum/yum-cron.conf

# ssh config
## delete the keys
rm /etc/ssh/ssh_host_key
rm /etc/ssh/ssh_host_rsa_key*
rm /etc/ssh/ssh_host_dsa_key*
rm /etc/ssh/ssh_host_ecdsa_key*

## patch sshd_config
patch sshd_config.test < <( cat << 'EOF'
18,19c18,19
< #AddressFamily any
< #ListenAddress 0.0.0.0
---
> AddressFamily inet
> ListenAddress 0.0.0.0
48c48
< #PermitRootLogin yes
---
> PermitRootLogin without-password
78c78
< PasswordAuthentication yes
---
> PasswordAuthentication yes
114c114
< #AllowTcpForwarding yes
---
> AllowTcpForwarding no
127c127
< #ClientAliveInterval 0
---
> ClientAliveInterval 420
133c133
< #PermitTunnel no
---
> PermitTunnel no
EOF
)

# kernel
## remove symbol table
rm -f /boot/System.map*

## configuration
### strongly recommended
cat < < 'EOF' > /etc/sysctl.d/11-google-strongly_recommended.conf
# Google-recommended kernel parameters

# Reboot the machine soon after a kernel panic.
kernel.panic=10

# Addresses of mmap base, heap, stack and VDSO page are randomized.
kernel.randomize_va_space=2

# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=1

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Don't pass traffic between networks or act as a router
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.ip_forward=0

# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1

# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1

# RFC 1337 fix
net.ipv4.tcp_rfc1337=1

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

EOF

cat < < 'EOF' > /etc/sysctl.d/12-google-recommended.conf
# provides protection from ToCToU races
fs.protected_hardlinks=1

# provides protection from ToCToU races
fs.protected_symlinks=1

# makes locating kernel addresses more difficult
kernel.kptr_restrict=1

# set ptrace protections
kernel.yama.ptrace_scope=1

# set perf only available to root
kernel.perf_event_paranoid=2

EOF


# google things
# todo:
#   * google-daemon depends on syslog.service; which does not exist in fedora

exit 0

Name this one "setup". The build commands should be able to access the setup script.

build

Ok, this one takes care of building stuff. We will use the mighty virt-builder; from libguestfs-tools-c; by Mr. Richard WM Jones!

By the way, analyze and change accordingly. Do NOT copy/paste it. Understand it first, change it and use it.

#!/usr/bin/env bash

date=$( date +%Y%m%d%H%M%S )
project='evalinux-test'

# f1-micro
# g1-small
# n1-highcpu-2
# n1-highcpu-4
# n1-highcpu-8
# n1-highcpu-16
# n1-highmem-2
# n1-highmem-4
# n1-highmem-8
# n1-highmem-16
# n1-standard-1
# n1-standard-2
# n1-standard-4
# n1-standard-8
# n1-standard-16
machine_type='n1-highcpu-8'

# asia-east1-a
# asia-east1-b
# europe-west1-a
# europe-west1-b
# us-central1-a
# us-central1-b
zone='us-central1-b'

# virt-builder -l
## centos-6
## cirros-0.3.1
## debian-6
## debian-7
## fedora-18
## fedora-19
## fedora-20
## rhel-7rc
## scientificlinux-6
## ubuntu-10.04
## ubuntu-12.04
## ubuntu-14.04
os='fedora-20'

# Your Google Storage
gs='fedora-images'

function ask_continue {
    # skip for now
    return
    shopt -s extglob

    echo -n 'Do you want to continue?: '
    read answer

    if [[ "${answer,,}" != @(yes|y|yep|sure|aha|yeah|yea) ]]; then
        exit 0;
    fi
}

# build image
echo 'building...'
virt-builder \
    --format raw \
    --size 10G \
    --timezone Etc/UTC \
    --password-crypto sha512 \
    --root-password password:fedoraadminpass \
    --install "irqbalance,openssh-server,openssh-clients,rsync,git,ntp,python,yum-plugin-fastestmirror,yum-plugin-merge-conf,yum-plugin-remove-with-leaves" \
    --install "yum-cron-daily,yum-utils" \
    --firstboot setup \
    --update \
    --selinux-relabel \
    -o disk.raw \
    ${os}

echo
echo 'done building. Next: compress'
ask_continue

# compress
echo 'compressing...'
tar -Szcf ${date}-image.${os}.tar.gz disk.raw

echo
echo 'done compressing. Next: upload'
ask_continue

# upload
echo 'uploading...'
gsutil cp ./${date}-image.${os}.tar.gz gs://${gs}

echo
echo 'done uploading. Next: add image'
ask_continue

# add test image
echo 'adding image...'
gcutil --project=${project} addimage ${os}-v${date} gs://${gs}/${date}-image.${os}.tar.gz

echo
echo 'done adding image. Next: create instance'
ask_continue

# create test instance
gcutil --project=${project} addinstance \
    --image=${os}-v${date} \
    --machine_type=${machine_type} \
    --zone=${zone} \
    ${os}-v${date}-test

echo 'done creating instance.'

exit 0

This sample script will generate an 8 CPU, ~8 GB RAM, 10 GB HDD instance @ USA. Tweak it if you need something else.