After youmanually import a virtual disk toCompute Engine, you need to optimize those images so they can usefeatures specific to the Compute Engine environment.

Contents

Install the Compute Engine guest environment

You must install theguest environment before you can usekey features of Compute Engine. To find out when you need to manuallyinstall the guest environment, seewhen to manually install or update the guest environment.

Install the guest environmenton the running VM instance you created aftermanually importing your existing image.To perform the installation, access the VM instance via SSH with a useraccount you created before importing it or byinteracting with the Serial Console.

Important: Install the guest environmentafter you have imported yourexisting image. The guest environment makes configuration changes to theinstance that are specific to Compute Engine.Important: Failure to install the guest environment on a VM instancecreated from an imported image results in key features ofCompute Engine being unavailable to the instance. For example, youwon't be able to use all of the methods forconnecting to Linux instances,and the instance might be unable to participate inload balancing configurations.

Configure your imported image for Compute Engine

You can run your boot disk image in Compute Engine withoutadditional changes, but you can also further optimize the image so that it runsoptimally within Compute Engine and has access to allCompute Engine features.

• Edit thentp.conf file to include only theserver metadata.google.internal iburst Google NTP server entry.

• Set the timezone to UTC:

  sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime

• To ensure high performance network capability, use the following recommendednetwork configurations:

  • Use theISC DHCP client.
  • Set the DHCP MTU to the network MTU. The Compute Engine DHCPserver serves this parameter as theinterface-mtu option, which mostclients respect. For more information about network MTUs, see themaximum transmission unit overview.
  • If you don't plan toconfigure IPv6addresses, disableIPv6.

  • Remove persistent network rules to prevent the instance from rememberingMAC addresses. For example:

    rm -f /etc/udev/rules.d/70-persistent-net.rules

  • Disable the operating system firewall unless you have specificrequirements not supported by Compute Engine Firewall Rules.Compute Engine provides a firewall forinbound and outbound traffic. For more information about firewalls, seeFirewall rules overview.

• To ensure high performance network and disk capability, disable or removetheirqbalance daemon. This daemon does not correctly balance IRQ requestsfor the guest operating systems on virtual machine (VM) instances. Instead,use the scripts that are part of theguest environment to correctly balanceIRQ settings for virtual CPUs.

• Configure SSH access to the base image:

  • Disable root ssh login.
  • Disable password authentication.
  • Disable host-based authentication.
  • Enable strict, host-key checking.
  • UseServerAliveInterval to keep connections open.

  • Remove SSH keys from your image so that others can't access the publicor private keys in your image. Instead, use Compute Engine tomanage access to instances.

  • Edit the/etc/ssh/ssh_config file to use the following configuration:

    Host *Protocol 2ForwardAgent noForwardX11 noHostbasedAuthentication noStrictHostKeyChecking noCiphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbcTunnel no# Compute Engine times out connections after 10 minutes of inactivity.# Keep alive ssh connections by sending a packet every 7 minutes.ServerAliveInterval 420

  • Edit the/etc/ssh/sshd_config file to use the following configuration:

    # Disable PasswordAuthentication because ssh keys are more secure.PasswordAuthentication no# Disable root login. Using sudo provides better auditing.PermitRootLogin noPermitTunnel noAllowTcpForwarding yesX11Forwarding no# Compute Engine times out connections after 10 minutes of inactivity.# Keep alive ssh connections by sending a packet every 7 minutes.ClientAliveInterval 420

After you configure and optimize your boot disk on Compute Engine,create an image from that boot disk so that you can create instances froma fully-optimized version of the image rather than having to configure eachinstance every time you create it.

Configure security best practices

You should always provide a secure operating system environment, but it canbe difficult to strike a balance between a secure and an accessible environment.Virtual machines that are vulnerable to attack can consume expensiveresources. Google strongly recommends that your images comply with thefollowing security best practices:

• Minimize the amount of software installed by default (for example, perform aminimal install of the OS).
• Enable automatic updates.
• By default, disable all network services except for SSH, DHCP, and NTPD.You can allow a mail server, such as Postfix, to run if it is onlyaccepting connections from localhost.
• Do not allow externally listening ports except for sshd.
• Install thedenyhosts package to help prevent SSH brute-force login attempts.
• Remove all unnecessary non-user accounts from the default install.
• In/etc/passwd, set the shell of all non-user accounts to/sbin/nologin or/usr/sbin/nologin (depending on where your OS installed nologin).
• Configure your OS to use salted SHA512 for passwords in/etc/shadow.
• Set up and configurepam_cracklib for strong passwords.
• Set up and configurepam_tally tolock out accounts for 5 minutes after 3 failures.

• In/etc/shadow, configure the root account to be locked by default. Runthe following command to lock the root account:

  usermod -L root

• Deny root in/etc/ssh/sshd_config by adding the following line:

  PermitRootLogin no

• CreateAppArmor orSELinux profiles for all default running network-facing services.

• Use file system capabilities where possible to remove the need for the S*IDbit and to provide more granular control.

• Enable compiler and runtime exploit mitigations when compiling network-facingsoftware. For example, here are some of the mitigations that theGNU Compiler Collection (GCC) offers and how to enable them:

  • Stack smash protection: Enable this with-fstack-protector.By default, this option protects functions with a stack-allocated bufferlonger than eight bytes. To increase protection by covering functionswith buffers of at least four bytes, add--param=ssp-buffer-size=4.
  • Address space layout randomization (ASLR):Enable this by building a position-independent executable with-fPIC -pie.
  • Glibc protections: Enable these protections with-D_FORTIFY_SOURCE=2.
  • Global Offset Table (GOT) protection: Enable this runtime loaderfeature with-Wl,-z,relro,-z,now.
  • Compile-time errors for missing format strings:-Wformat -Wformat-security -Werror=format-security

• DisableCAP_SYS_MODULE,which allows for loading and unloading of kernel modules. To disable thisfeature, edit the/etc/sysctl.conf file and include the following setting:

  kernel.modules_disabled = 1

• Remove thekernel symbol table:

  sudo rm /boot/System.map

What's next

• After your image is ready for production,create a final versionof that custom image andinclude the image in an image familyso that you can easily manage updated versions of the custom image.
• Learn how tostart an instance from an image.