Open Telekom Cloud Image Factory - image modifications

Open Telekom Cloud images are modified public distribution images - what exactly are the changes?

You don't need to worry about getting a black box if you use the Open Telekom Cloud prepared images instead of your own or the vendor's images.
This blog post gives you detailed information about the changes we made to the original vendor images.
There are no secrets at all. Every change serves one of these goals:

- Technical preparation for running on Open Telekom Cloud -> cloud configuration, performance, features
- Security -> image hardening
- Usability -> additional packages

The short way

Simply read the Open Telekom Cloud hardening script.
Nearly all additional hardening is done by this script, which runs while the images are created.
The script is not deleted after the image build, so you can have a look at it:

hardening.sh
 opensuse: /usr/local/sbin/basic_hardening_opensuse.sh
 sles11: /usr/local/sbin/basic_hardening_sles11.sh
 ubuntu: /usr/local/sbin/basic_hardening_ubuntu.sh

The long way

Join us on a guided tour by reading the following sections of this blog...

Needs for Linux images

When you first look at your ECS you will discover some packages that are not installed in the base vendor images.
Some of them are only added to make the system more usable. Others are essential to
get a vendor image running as an image in Open Telekom Cloud. If you delete them, your ECS gets into trouble.
Don't delete them:

cloud-init -> cloud configuration: cloud-init
cloud-utils -> cloud configuration: cloud-init
cloud-initramfs-growroot / growpart -> cloud configuration: cloud-init
s3cmd -> cloud configuration: manage object storage via s3
uvp-monitor -> features: cloud-eye
ntp -> hardening: time synchronisation
dnsutils -> hardening: name resolution 

Cloud configuration

To get your ECS customized as you specified in the Open Telekom Cloud dashboard, cloud-init is needed to configure your system.
In addition to your configuration, some changes are made by default:

  • add a user: linux
  • set a default password for user linux: cloud.1234
  • lock login for user root (only via console)
  • disable ssh login with password
  • deploy your ssh key for user root and user linux (if you choose)

You should change the password for user linux at your next login. This default is only set to make the first login simpler.

  • Don't forget to change password for user linux! ;-)

  
You will find the whole Open Telekom Cloud cloud-init configuration in

# /etc/cloud/cloud.cfg

You can also change or extend this config file. But be aware that cloud-init is not only used while the system is created, but also at runtime and after every reboot.
Example: you decide to resize your root filesystem and trigger that via the Open Telekom Cloud dashboard:

  • cloud-init -> looks for the module growpart
  • growpart module -> looks for the package growpart
  • growpart -> resizes your root-fs

So if you make changes here and something goes wrong, it is a good idea to look at cloud.cfg first.

Performance

Open Telekom Cloud uses Xen as hypervisor.
An ECS started from an unprepared image detects its virtual network device as a default Realtek RTL8139 device. This is slow.
To get more performance from your interfaces, use the Xen netfront network module.
The same applies to the block devices, where the blkfront module should be used.

Ubuntu, RedHat, Debian

# cat /etc/modules
 xen-netfront
 xen-blkfront

You can check if modules are loaded:

# lsmod |grep xen
 xen_netfront 26038 0
 xen_blkfront 25614 2

SLES, OpenSuSE

For SuSE these modules are called xen_vbd for the block device and xen_vnif for the network. Additionally you need a separate module named xen_platform_pci. So on SuSE you can check:

# lsmod |grep xen
 xen_vnif 45056 0
 xen_balloon 20480 1 xen_vnif
 xen_vbd 32768 3
 xen_platform_pci 106496 3 xen_balloon,xen_vnif,xen_vbd

Info: time goes on. Current OS releases with a current kernel include these modules natively, so there is no need to load them separately.

Hardening

Kernel parameters

All hardening steps are described on this page or can be read in the hardening script itself.
After the image build the script is not deleted, so you can have a look at it:

# hardening.sh
 opensuse: /usr/local/sbin/basic_hardening_opensuse.sh
 sles11: /usr/local/sbin/basic_hardening_sles11.sh
 ubuntu: /usr/local/sbin/basic_hardening_ubuntu.sh
 (...)

In short: some kernel parameters are changed, e.g. for TCP and memory.

DNS - resolv.conf

Images are preconfigured:

# /etc/resolv.conf
 search openstacklocal
 nameserver 100.125.4.25
 nameserver 217.150.148.149

If you want to configure other nameservers, or if you have trouble with name resolution,
then you should read the following steps about DNS on Open Telekom Cloud.

A short trip in advance
DNS can be a simple configuration, and it is in Open Telekom Cloud.
But it will get you into trouble when you don't think about name resolution at all, and you end up searching for errors in the wrong places for hours ...

Example: updating your repository cache (apt-get update, zypper up, ...):
You run into timeouts and search for errors in the repository config instead of repairing the DNS resolution. If you get unexpected errors, a look at your DNS resolution is no waste of time.

To check if DNS resolution is working, simply test it:

# nslookup cloud.telekom.de

Server: 100.125.4.25 
Address:        100.125.4.25#53

Non-authoritative answer:
Name:   cloud.telekom.de
Address: 62.157.140.212

If it doesn't show you the IP address of cloud.telekom.de, you should check your DNS config.
If it doesn't reply immediately, you should check your DNS config.
If you don't have nslookup, you can use a simple ping to check:

# ping cloud.telekom.de

PING cloud.telekom.de (62.157.140.212) 56(84) bytes of data.

Prerequisite: DHCP activated (default)

After starting an ECS the name service is preconfigured like below:

# /etc/resolv.conf
 search openstacklocal
 nameserver 100.125.4.25
 nameserver 217.150.148.149

Where do these parameters come from? -> from the DHCP server

resolv.conf parameters:

  • search - fixed in the DHCP server configuration; no way to change it via the Open Telekom Cloud dashboard
  • nameserver - configured in Open Telekom Cloud. You can change it via the Open Telekom Cloud dashboard (or manually - not recommended)

  
Configure DNS manually
ECS images are configured to get /etc/resolv.conf automatically from the Open Telekom Cloud metadata service.
You can edit this file manually and set your own config, but as soon as you change it by hand
the automation no longer maintains it.
However, you can still configure the parameters manually without losing the automation, as described next.

Better way: configure parameter search

Set the search parameter in the DHCP or network configuration. When the DNS config is built automatically, it will use these parameters too.

@Ubuntu/Debian:

# /etc/dhcp/dhclient.conf
append domain-name " eu-de.otc-service.com eu-de.otc.t-systems.com otc.t-systems.com";

@SLES + @OpenSuSE:

# /etc/sysconfig/network/config
NETCONFIG_FORCE_REPLACE="no"
 # if set to "yes", resolv.conf is overwritten every time you restart the network (or reboot)
NETCONFIG_DNS_STATIC_SEARCHLIST="exlampledomain.com otc.t-systems.com"
 # sets the search list to: "exlampledomain.com otc.t-systems.com"

Better way: configure parameter nameserver

You can also do that in the same files as for the search parameter. This sets the parameter for this one ECS only. To make it work for all
servers in the subnet, set it via the Open Telekom Cloud dashboard.

Your ECS belongs to a VPC subnet. Your primary NIC is configured in this subnet.
See its configuration in the Open Telekom Cloud dashboard under VPC -> Subnets.

Here you can not only see the configured subnets, but also configure your DNS servers.


Image Factory configuration

Little warning: DHCP - OFF
(per default DHCP is activated)
You have the possibility to switch it off. But be aware that no auto-configuration works at all in that subnet:

  • newly created ECS do not work (they get no network and can't be configured initially)
  • existing ECS can't reload their network configuration
  • existing ECS take long to boot and there will be no network

=> DHCP=ON is a good choice.

Timeserver

The Open Telekom Cloud infrastructure runs two NTP servers, which are preconfigured in all images:

  • server ntp01.eu-de.otc-service.com
  • server ntp02.eu-de.otc-service.com
    Timezone: Europe/Berlin

SSH

  • locked login for user root (only via console)
  • disabled ssh login with password
  • allow ssh-agent to forward your ssh keys
  • allow forwarding of your X11 display

# /etc/ssh/sshd_config
PermitRootLogin without-password
PasswordAuthentication no
X11Forwarding yes
X11UseLocalhost yes
# older images still have this set to no
AllowAgentForwarding yes
# no is also the sshd default
PermitEmptyPasswords no
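As an added example (not from the original post or the image factory), a small POSIX shell audit of an sshd_config against the settings listed above; the sample configs are constructed, and the check honours sshd's rule that the first occurrence of a keyword wins:

```shell
# Added example (not from the original post): audit an sshd_config against the
# settings listed above. sshd takes the FIRST occurrence of a keyword, so a
# hardened "PasswordAuthentication no" below a stray "yes" is silently ineffective.

# Effective value of a keyword (case-insensitive): first non-comment match wins;
# directives inside a Match block are ignored by stopping at the first "Match".
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare the effective values with what the images ship; prints one line per
# deviation, or "OK". Both spellings of the root-login restriction are accepted.
sshd_audit() {
    cfg="$1"; findings=""
    while read -r kw want; do
        got=$(sshd_effective "$cfg" "$kw")
        case "$kw/$got" in
            PermitRootLogin/without-password|PermitRootLogin/prohibit-password) continue ;;
        esac
        [ "$got" = "$want" ] || findings="${findings}${kw}: expected ${want}, got ${got:-<unset>}
"
    done <<EOF
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11UseLocalhost yes
AllowAgentForwarding yes
EOF
    if [ -z "$findings" ]; then echo OK; else printf '%s' "$findings"; fi
}

# Constructed samples (not real image files): one correct, one where an
# installer left "PasswordAuthentication yes" above the hardening block.
SSHD_GOOD=$(mktemp); SSHD_BAD=$(mktemp)
printf '%s\n' 'PermitRootLogin without-password' 'PasswordAuthentication no' \
    'PermitEmptyPasswords no' 'X11Forwarding yes' 'X11UseLocalhost yes' \
    'AllowAgentForwarding yes' >"$SSHD_GOOD"
printf '%s\n' '# leftover from a provisioning step' 'PasswordAuthentication yes' \
    'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'X11Forwarding yes' 'X11UseLocalhost yes' 'AllowAgentForwarding yes' >"$SSHD_BAD"

sshd_audit "$SSHD_GOOD"   # OK
sshd_audit "$SSHD_BAD"    # two findings
```

Run it against /etc/ssh/sshd_config on the ECS to confirm the image defaults are still in effect after your own changes.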
 

Repositories

  • vendor images default: public vendor repository URLs
  • Open Telekom Cloud images default: internal repository servers

Open Telekom Cloud internal repository servers

  • 1:1 mirror of the public standard URLs
  • updated each night

Open Telekom Cloud images are preconfigured for the Open Telekom Cloud internal repository servers - NOT for the public URLs.
You can change to the public vendor URLs as you like.

Why not configure standard public URLs in images?

An ECS can be created with or without a public IP address.
An ECS without a public IP address has no access to the internet and therefore no access to public repository URLs.
To be able to upgrade servers and install packages, they are configured by default to use the internal repo mirrors, which
can be reached under any circumstances.

If you have lost the internal configuration and want to restore it, here are the defaults:

OpenSuse

# cat /etc/zypp/repos.d/openSUSE_Leap_42.1_OSS.repo
 [openSUSE_Leap_42.1_OSS]
 name=openSUSE_Leap_42.1_OSS
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RPMMD/opensuse_oss_leap
 type=rpm-md
 enabled=1
 autorefresh=1
 gpgcheck=1
# cat /etc/zypp/repos.d/openSUSE_Leap_42.1_OSS_Updates.repo
 [openSUSE_Leap_42.1_OSS_Updates]
 enabled=1
 autorefresh=1
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RPMMD/opensuse_leap_updates
 type=rpm-md
 gpgcheck=1
# cat /etc/zypp/repos.d/home_garloff_OTC_Leap_42.1.repo
 [home:garloff:OTC_Leap_42.1]
 name=home:garloff:OTC_Leap_42.1
 baseurl=http://download.opensuse.org/repositories/home:garloff:OTC/openSUSE_Leap_42.1/
 type=rpm-md
 enabled=1
 autorefresh=1
 gpgcheck=1

SLES

# cat /etc/zypp/repos.d/SLES11SP4.repo
 [SLES11SP4]
 name=SLES11SP4
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RCE/SLES11-SP4-Pool/sle-11-x86_64
 type=rpm-md
 enabled=1
 autorefresh=1
 gpgcheck=1
# cat /etc/zypp/repos.d/UPDATES-SLES11SP4.repo
 [UPDATES-SLES11SP4]
 enabled=1
 autorefresh=1
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RCE/SLES11-SP4-Updates/sle-11-x86_64
 type=rpm-md
# cat /etc/zypp/repos.d/home_garloff_OTC_SLE11SP4.repo
 [home:garloff:OTC_SLE11-SP4]
 name=home:garloff:OTC_SLE11-SP4
 baseurl=http://download.opensuse.org/repositories/home:/garloff:/OTC/SLE_11_SP4/
 type=rpm-md
 enabled=1
 autorefresh=1
 gpgcheck=1

Ubuntu

# cat /etc/apt/sources.list

deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty main restricted 
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty main restricted
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty universe
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://eu-de-02.tsystems.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main
deb-src http://security.ubuntu.com/ubuntu trusty-security main
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe

Debian

# cat /etc/apt/sources.list

RedHat


# cat /etc/yum.repos.d/OBS-OTC.repo
 [OBS-OTC]
 name=OBS-OTC
 baseurl=http://download.opensuse.org/repositories/home:/garloff:/OTC/CentOS_6/
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OBS-OTC
# cat /etc/yum.repos.d/rhel-source.repo
 [rhel-source]
 name=Red Hat Enterprise Linux $releasever - $basearch - Source
 baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 [rhel-source-beta]
 name=Red Hat Enterprise Linux $releasever Beta - $basearch - Source
 baseurl=ftp://ftp.redhat.com/pub/redhat/linux/beta/$releasever/en/os/SRPMS/
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


OEL

# cat /etc/yum.repos.d/OBS-OTC.repo
 [OBS-OTC]
 name=OBS-OTC
 baseurl=http://download.opensuse.org/repositories/home:/garloff:/OTC/CentOS_6/
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OBS-OTC
# cat /etc/yum.repos.d/Oracle-Base.repo
 #Oracle base
 [base]
 name=Oracle-67-Base
 baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/7/base/x86_64
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
#optional
 [optional]
 name=Oracle-67-Optional
 baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Oracle

CentOS

# cat /etc/yum.repos.d/CentOS-Base.repo
 #centos base
 [base]
 name=CentOS-67-Base
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RPMMD/centos_67
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
 [updates]
 name=CentOS-67-Updates
 baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RPMMD/centos_67_updates
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
# cat /etc/yum.repos.d/OBS-OTC.repo
 [OBS-OTC]
 name=OBS-OTC
 baseurl=http://download.opensuse.org/repositories/home:/garloff:/OTC/CentOS_6/
 gpgcheck=1
 enabled=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OBS-OTC
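As an added example (not part of the original post), a POSIX shell/awk check over .repo files for enabled repositories that do not enforce gpgcheck=1; the sample repo file is constructed from the stanzas above plus a hypothetical legacy-mirror entry:

```shell
# Added example (not from the original post): find enabled repositories in
# .repo files (yum and zypper share the ini format) that do not enforce GPG
# signature checks. The mirrors above are reached over plain http, so gpgcheck=1
# is the only integrity control on the packages; a stanza without it (compare
# UPDATES-SLES11SP4 above) deserves a second look.

# Prints "<repo-id> <finding>" for every enabled stanza whose gpgcheck is not 1.
# Stanzas with enabled=0 are skipped; a missing key is reported separately.
repo_gpgcheck_audit() {
    awk '
        function report() {
            if (id != "" && enabled != "0") {
                if (gpg == "")       print id " gpgcheck-missing"
                else if (gpg != "1") print id " gpgcheck-disabled"
            }
            id = ""; enabled = "1"; gpg = ""
        }
        /^[ \t]*#/ { next }
        NF == 0    { next }
        /^[ \t]*\[/ { report(); sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); id = $0; next }
        {
            gsub(/[ \t]/, "")            # the key=value pairs of interest carry no spaces
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            if (k == "gpgcheck") gpg = v
            if (k == "enabled")  enabled = v
        }
        END { report() }
    ' "$@"
}

# Constructed sample repo file modelled on the stanzas above.
REPO_SAMPLE=$(mktemp)
cat >"$REPO_SAMPLE" <<'EOF'
[SLES11SP4]
baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RCE/SLES11-SP4-Pool/sle-11-x86_64
enabled=1
gpgcheck=1
[UPDATES-SLES11SP4]
enabled=1
baseurl=http://smt01-suse.eu-de.otc-service.com/repo/RCE/SLES11-SP4-Updates/sle-11-x86_64
type=rpm-md
[rhel-source]
enabled=0
gpgcheck=0
[legacy-mirror]
baseurl=http://mirror.example.invalid/repo
gpgcheck=0
enabled=1
EOF

repo_gpgcheck_audit "$REPO_SAMPLE"
```

On an ECS run it as `repo_gpgcheck_audit /etc/zypp/repos.d/*.repo` or `/etc/yum.repos.d/*.repo`; an empty result means every enabled repository verifies package signatures.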

Features

Cloud-Eye

Monitors your ECS and shows graphs in the dashboard
Dashboard -> Cloud Eye
needs package: uvp-monitor

Additional Packages

We have described the most important installed packages and configurations. But it makes no sense to provide a list
of all installed packages, because it changes from time to time.
You will not find the list in the hardening script either. There are two options to get the list:

Tips

@OpenSuSE:
This is not a change made by Open Telekom Cloud, but it is a source of potential trouble.
Firewall: no special firewall rules are provided by Open Telekom Cloud, but be aware that

a preconfigured firewall is running:

  • all outgoing traffic is allowed
  • ping is allowed
  • incoming traffic is denied, except for port 22

If you have problems connecting to your ECS, check the local firewall on the ECS:
# iptables -L -n

Example:

# iptables -L input_ext
 Chain input_ext (1 references)
 target prot opt source destination
 DROP all -- anywhere anywhere PKTTYPE = broadcast -> this is your restriction
 ACCEPT icmp -- anywhere anywhere icmp source-quench
 ACCEPT icmp -- anywhere anywhere icmp echo-request
 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
 DROP all -- anywhere anywhere PKTTYPE = multicast
 DROP all -- anywhere anywhere PKTTYPE = broadcast

If you are unsure about the firewall, you can temporarily disable it to test your connection:

# stop firewall
 # /sbin/rcSuSEfirewall2 stop [start, status]

Learnings & key findings

Open Telekom Cloud images need to have:

  • ... installed a little number of cloud packages
  • ... configured cloud-init
  • ... activated DHCP
  • ... configured NTP

Open Telekom Cloud images optionally add:

  • ... restricted ssh
  • ... internal repository servers (for use without a public IP)
  • ... activated modules for performance
  • ... installed uvp-monitor

Outlook

Creating Private Images 
Migrate ECS2 from AWS into Open Telekom Cloud (the image way) 
Image Roadmap 
Windows Images @ Open Telekom Cloud


Sabrina Müller is currently working as product developer for Open Telekom Cloud. At Deutsche Telekom AG she built up backend projects in Data Center Management and ensured their operation, with a main focus on Solaris. After moving to the Developing & Testing department she built up a new automated platform for virtual systems on a XEN basis and migrated the existing hardware to the virtual world. In parallel she developed a fully automated cloud platform on an OpenStack basis for internal Telekom customers.
