A minimal and secure CentOS 5.5 64 bits virtual appliance

This virtual appliance is ideal if you want to deploy a CentOS server. It’s only about 600MB compressed, as I only included the default packages in a CentOS minimal installation. I also did some basic best-practice configuration to make it more secure. Of course I could have hardened it a lot more, but I wanted to keep it easy to deploy and use.

It’s an OVF file, so you can use it with pretty much any hypervisor, including VMware, VirtualBox, XenServer and Hyper-V.

To log in, use the following credentials:

user : root

password : secure

To download my CentOS 5.5 x64 virtual appliance, use one of the following links:

CentOS 5.5 64 bits without VMware Tools

CentOS 5.5 64 bits with VMware Tools

Here are the details of the configuration :

  • Installed only the default packages
  • Modified the default partitioning:
    • lv_root / 8GB
    • lv_tmp 1.5 GB /tmp
    • lv_log 1.5 GB /var/log
    • lv_swap 1GB swap
  • Updated the packages (May 19, 2010)
  • To increase performance, added divider=10 to the boot parameters
  • Disabled the useless services (note that you will need to enable some of the services if for example you want to run an NFS server) :
    • cups
    • bluetooth
    • sendmail
    • 0213456 nfslock
    • anacron
    • isdn
    • haldaemon
    • messagebus
    • gpm
    • netfs
    • mdmonitor
    • 0126 acpid
    • anacron
    • pcscd
    • hidd
    • portmap
    • rpcidmapd
    • rpcgssd
    • autofs
    • avahi-daemon
    • firstboot
    • cpuspeed
    • smartd
    • yum-updatesd
    • avahi-daemon
    • avahi-dnsconfd
    • conman
    • mdmonitor
  • Disabled ctrl-alt-del reboot in /etc/inittab
  • Added noexec,nodev,nosuid to the mount options of /tmp
  • Modified PS1 so that your prompt will appear in red when you are logged in as root
  • Removed ports 50, 51 and 631 from the default open ports in iptables, leaving only port 22 and ping requests open.
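
One way to check that a deployed copy still has the settings listed above, as an added example that is not part of the original post. The function names are made up for this sketch, and the assumption that 50 and 51 show up as numeric `-p` protocol matches in the rules file is noted in the code.

```shell
#!/bin/sh
# Added example: audit helpers for the hardening steps listed above.
# Each function reads the relevant file or command output on stdin.

# fstab: print which of noexec/nodev/nosuid the /tmp entry lacks
# (empty output means the entry is compliant).
tmp_missing_opts() {
    awk '$1 !~ /^#/ && $2 == "/tmp" {
        seen = 1
        n = split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= n; i++)
            if (index("," $4 ",", "," want[i] ",") == 0) print want[i]
    } END { if (!seen) print "no-/tmp-entry" }'
}

# inittab: exit 0 if an uncommented line still has the ctrlaltdel
# action, i.e. the reboot key combination is NOT disabled.
cad_enabled() {
    awk -F: '$1 !~ /^[ \t]*#/ && $3 == "ctrlaltdel" { found = 1 }
             END { exit !found }'
}

# `chkconfig --list` output: print the services named as arguments
# that are still on in runlevel 3 or 5.
services_still_on() {
    awk -v names=" $* " 'index(names, " " $1 " ") &&
        ($5 == "3:on" || $7 == "5:on") { print $1 }'
}

# iptables rules file: print what ACCEPT rules open besides port 22.
# Assumption: 50 and 51 appear as numeric "-p" protocol matches, as
# in the stock CentOS 5 /etc/sysconfig/iptables.
extra_open() {
    awk '/-j ACCEPT/ { for (i = 1; i < NF; i++) {
        if ($i == "--dport" && $(i+1) != "22") print "dport:" $(i+1)
        if ($i == "-p" && $(i+1) ~ /^[0-9]+$/) print "proto:" $(i+1)
    } }'
}

# Demo on constructed sample lines (not taken from the appliance).
demo() {
    printf '%s\n' '/dev/vg0/lv_tmp /tmp ext3 defaults,noexec,nodev 1 2' | tmp_missing_opts
    printf '%s\n' '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now' | cad_enabled || echo "ctrl-alt-del disabled"
    printf '%s\n' 'cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off' | services_still_on cups sendmail
    printf '%s\n' '-A INPUT -p 50 -j ACCEPT' '-A INPUT -p tcp --dport 22 -j ACCEPT' | extra_open
}
demo
```

On the appliance itself the same functions take the real inputs, for example `tmp_missing_opts < /etc/fstab`, `chkconfig --list | services_still_on cups sendmail portmap` and `extra_open < /etc/sysconfig/iptables`.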

38 Responses to “A minimal and secure CentOS 5.5 64 bits virtual appliance”

  1. Étienne Pouliot Says:

    Any comments on what to improve in this virtual appliance would be welcome!

  2. Alain Says:

    Thank you for this virtual machine archive.
    I would appreciate if it were executable with VMware Player (*.wmx configuration file).

  3. Étienne Pouliot Says:

    Good idea. I will add it this week when I get time.

  4. Alain Says:

    This is the report of my test.
    My host is Windows XP Pro SP3 4GB 32bits with T9300 64 bit VT enabled processor. I validated the bios setup for hardware virtualization.
    Both VMware-player-3.0.1-227600 and latest VirtualBox fail to run it.
    It boots with VMware Workstation 7.1 (hardware compatibility version 6.5.7) configuring a new guest with 512MB RAM, NAT, and using the virtual disk to the guest. The boot process asks to override the readonly restriction when it checks the filesystem. Boot stalls a few minutes starting system logger and then continues to login. The network did not come up; it seems not to have recognized the network virtual device, complaining that the eth0 device MAC address differs from the one expected. The guest operating system daemon did not come up.
    Keyboard is qwerty. I will look for the centos command to customize it.

  5. Étienne Pouliot Says:

    It definitely works with VirtualBox and VMware Player, I tested it before posting this.

    Did you import it in VirtualBox or did you just try to run it? If you just tried to run it, chances are good that it won’t work.

    Yes the keyboard is qwerty, this is intended.

  6. birger Says:

    depositfiles really sucks. I started downloading this file, but > 3 hours for a file this small? And I have to pay a hefty fee to get it in 9 minutes? I think 9 minutes is still slow, so there is no way I will spend my money there… Sorry. I’ll rather build the image myself. It will be faster than downloading the file!

  7. Étienne Pouliot Says:

    Instead of complaining, do you have any recommendation on where to host it ?

  8. Ziv Says:

    Thanks for the VM.

    You think I can use it for Cassandra testing using the current hardening state?

  9. birger Says:

    I have never looked at file hosting services as such, as I have my private web site on a hosting service that has enough capacity for me. :-)

    Do you have the time and interest to set up a project around this? Minimal CentOS VM? I guess you could then use SourceForge or something similar to host everything. You could even get collaborators to help maintain it.

    My thought is a minimal VM with a few changes from yours.
    - It should have US keyboard by default, but perhaps a firstboot-style script that asks for keyboard type.
    - Somehow detect (or ask) what kind of VM environment it is running on, and offer to install client tools automagically instead of having VMware tools by default.
    - set up ntp. This is recommended by vmware. I would even comment out the hardware clock as fallback for ntp.

    Make it as standard as possible so people know they get a quite default CentOS, and have it listed at centos.org and vmware.com. :-)

  10. Étienne Pouliot Says:

    @Ziv I don’t really know what Cassandra is, so I can’t give an answer to that question.

    @birger I thought about hosting the file myself, but the bandwidth is expensive and I can’t really afford that.

    I’ll see if I can host it on SourceForge or something else.

    I prefer not to add any script in this VA, I want it to have only stuff that comes from CentOS.

    As for NTP, I’ll configure it in the future.

    Thank you!

  11. Feliciano Maduro Says:

    password secure is not really working here. ESXi

  12. Étienne Pouliot Says:

    It’s working. Remember, the keyboard is qwerty.

  13. Feliciano Maduro Says:

    yes, you’re right. thanks! very good appliance, working good on my ESXi. i will perform some benchmark tests and post the results here later.

  14. Nick Says:

    I’ll consider hosting the file for you.
    how many downloads a day / month do you get now?

  15. Étienne Pouliot Says:

    Hello Nick,

    I don’t have any specific stats regarding the numbers of downloads. I would not think it’s that much.

    According to my Google Analytics I got 1800 visits in july on this web page.

    Let’s say that 10% of people actually download it, so that would mean around 180dl/month or 6dl/day.

    Sorry if it took me so long to answer, I was away.

  16. William Says:

    before shutting down the appliance have you tried clearing the unused disk space?
    I.e. dd if=/dev/zero of=delete.me;rm delete.me
    (If you are using a growable virtual disk then limit the block size and
    count so you don’t fully expand: bs=4096 count=10000)

    I suggest that you try using p7zip and see what effect that has (I’m comparing a distro now and it seems to have helped a lot).

    AFAIK you can’t run a 64 bit virtual machine on 32 bit Windows so Alain is out of luck (you might highlight that point).

  17. Étienne Pouliot Says:

    Hello William, thank you for your comment.

    No I didn’t clear anything, It’s not needed since I did not not to delete any file in the appliance.

    Will try with 7zip but I don’t expect it to make much of a difference.

    You can run a 64 bits virtual machine on a 32 bits host with VirtualBox. http://www.virtualbox.org/manual/ch03.html#intro-64bitguests

  18. J Says:

    What about a torrent? md5 and sha signatures would also be good.

  19. B Says:

    Great appliance. Only one issue: running on ESXi, Vsphere reports that the vmware tools are out of date. I know this isn’t your responsibility…. but how can I go about updating them? I tried doing it in VSphere and it just hangs on ‘in progress’. Nothing happens. I can’t even seem to find the latest vmware tools for linux anywhere on line. Thanks….

  20. B Says:

    forgot to subscribe… ignore this comment, for subscription only.

  21. Mauricio Says:

    Hi,

    The password « secure » doesn’t work. Could you provide the exact password that works?

    Thank you

    Mauricio

  22. Étienne Pouliot Says:

    Like I said before, it works, 100% certain, remember english qwerty keyboard.

  23. Mauricio Says:

    hello, sorry. On my Macbook (Spanish keyboard) type « secure  » as a password and does not work. I’m sorry to be so rough

    Thanks

  24. Mauricio Says:

    Hi,
    I discovered that writing a password from RDC Mac does not work. From Windows it works perfectly. I have a problem and I have an error « network is unreachable » on any ping. I turned off IPv6 but it doesn’t work

    this is my ifconfig http://dl.dropbox.com/u/3724324/Screenshots/2d.png and my route -n http://dl.dropbox.com/u/3724324/Screenshots/2e.png

    Know what could be my problem?

    Thank you

    Mauricio

  25. Étienne Pouliot Says:

    No idea.

    On the route screenshot, I can’t see if you have a default gateway (0.0.0.0).

  26. basher Says:

    Étienne Pouliot, I have a real noob problem, I’m using
    VMware Player CentOS 5.5, and I’m trying to find the VM IP address, can you help me, thanks a lot

  27. Étienne Pouliot Says:

    Use the ifconfig command inside the virtual machine.

  28. Mauricio Says:

    Hi, I discovered that my datacenter does not allow unknown MAC address.

    « our switches are blocking mac addresses, which are unknown. If you setup a bridged setup, all vserver won’t be reachable. You have to set up servers with nat or routed virtual servers. »

    How can I configure host-only (ESXi) so that this VM can see the world? Can you help please?

    Mauro

  29. Étienne Pouliot Says:

    Not sure if that would solve your issue, but you can edit the .vmx file and put pretty much what you want for your MAC address of your virtual machine.

  30. Yamnonamous Says:

    Hi Étienne and thank you very much for making this image. I am trying to get the zip to download on my server via links/wget and having lots of trouble due to depositfiles crappiness.

    Can you make this into a torrent? Then everyone who wishes can contribute their bandwidth. This works well for the official linux distros, the torrent download usually maxes my Internet whereas a download from a single http/ftp mirror server often doesn’t.

  31. Carlos Says:

    hello, why the root partition to 8G? Safety or performance?
    If I want to install things over 8G, I must add another virtual disk, format it and mount it in fstab? Things like Cpanel / Mysql / Postgres etc.

    Thanks

    Carlos

  32. Carlos Says:

    Hi Étienne,
    I install everything in the root / and I filled the 8 G partition: (
    How do I enlarge?
    Thanks
    Carlos

  33. Étienne Pouliot Says:

    You just add a new disk, format it and mount it. If you don’t know Linux, use an easier virtual appliance with GUI.

    The reason root only has 8GB is simply because there is no need to have it bigger.

  34. Carlos Says:

    understand. I’m going to re partition because Mysql, Cpanel etc eat the partition, because they run on the /
    /var/lib/mysql
    /var/lib/pgsql
    /usr/local/cpanel

    thanks!

  35. Jim Says:

    Depositfiles is a real pig! Is the download being hosted anywhere else?

  36. Alpha Monk Says:

    Can you post all the packages that are in your VM so we can build our own minimal install

  37. ftpput ftpget for ESXi 5 - Der PCFreak Blog Says:

    [...] simple. As described here, all you need is a 64-bit CentOS 5.5, which you can get here as a ready-made VM, and a few [...]



Comments are closed.