A minimal and secure CentOS 5.5 64 bits virtual appliance

6 juin 2010 — Étienne Pouliot

This virtual appliance is ideal of you want to deploy a CentOS server. It’s only about 600MB compressed as I only included the defaults packages in a CentOS minimal installation. I also did some basic best practice configuration to make it more secure . Of course I could have hardened it a lot more, but I wanted to keep it easy to deploy an use.

It’s an ovf file, so you can use it with pretty much any hypervisor, including VMware, Virtual Box, Xenserver and Hyper-V.

To login, use the following credentials :

user : root

password : secure

To download my CentOS 5.5 x64 virtual appliance, use one of the followings links :

CentOS 5.5 64 bits withouts VMware Tools

CentOs 5.5 64 bits with VMware tools

Here are the details of the configuration :

Installed only the defaults packages
Modified the default partionnning :
- lv_root / 8GB
- lv_tmp 1.5 GB /tmp
- lv_log 1.5 GB /var/log
- lv_swap 1GB swap
Updated the packages (may 19 2010)
To increase performance, added divider=10 to the boot parameters
Disabled the useless services (note that you will need to enable some of the services if for example you want to run an NFS server) :

cups
bluetooth
sendmail
0213456 nfslock
anacron
isdn
haldaemon
messagebus
gpm
netfs
mdmonitor
0126 acpid
anacron
pcscd
hidd
portmap
rpcidmapd
rpcgssd
autofs
avahi-daemon
firstboot
cpuspeed
smartd
yum-updatesd
avahi-daemon
avahi-dnsconfd
conman
mdmonitor

Disabled ctrl-alt-del reboot in /etc/inittab
Added noexec,nodev,nosuid to the mount option of /tmp
Modified PS1 so that your prompt will appear in red when you are logged as root
Removed port 50,51 and 631 from the default open ports in iptables, leaving only port 22 and ping request open.

Posted in Linux, VMware. 38 Comments »

Étienne Pouliot Says:
9 juin 2010 at 18 h 26 min

Any comments on what to improve in this virtual appliance would be welcome!

Alain Says:
14 juin 2010 at 8 h 54 min

Thank you for this virtual machine archive.
I would appreciate if it were executable with VMware Player (*.wmx configuration file).

Étienne Pouliot Says:
14 juin 2010 at 21 h 19 min

Good idea. I will add it this week when I get time.

Alain Says:
16 juin 2010 at 3 h 32 min

This is the report of my test.
My host is Windows XP Pro SP3 4GB 32bits with T9300 64 bit VT enabled processor. I validated the bios setup for hardware virtualization.
Both VMware-player-3.0.1-227600 and latest VirtualBox fail to run it.
Its boots with VMware Workstation 7.1 (hardware compatibility version 6.5.7) configuring a new guest with 512MB RAM, NAT, and using the virtual disk to the guest. The boot process asks to override the readonly restriction when it checks the filesystem. Boot stalls a few minutes starting system logger and then continues to login. Network went not up; it seems not having recognized the network virtual device, complaining that the eth0 device MAC address differs than the one expected. Guest operating system deamon went not up.
Keyboard is querty. I will look for the centos command to customize it.

Étienne Pouliot Says:
16 juin 2010 at 6 h 54 min

It defenetively works with VirtualBox and VMware Player, I tested it before posting this.

Did you import it in VirtualBox or you just tryed to run it ? If you just tryed to run it, good are the chance that it won’t work.

Yes the keyboard is querty, this is intended.

birger Says:
16 juin 2010 at 8 h 15 min

depositfiles really sucks. I started downloading this file, but > 3 hours for a file this small? And I have to pay a hefty fee to get it in 9 minutes? I think 9 minutes is still slow, so there is no way I will spend my money there… Sorry. I’ll rather build the image myself. It will be faster than downloading the file!

Étienne Pouliot Says:
16 juin 2010 at 13 h 38 min

Instead of complaining, do you have any recommendation on where to host it ?

Ziv Says:
17 juin 2010 at 2 h 33 min

Thanks for the VM.

You think I can use it for Cassandra testing using the current hardening state?

birger Says:
17 juin 2010 at 3 h 14 min

I have never looked at file hosting services as such, as I have my private web site on a hosting service that has enough capacity for me.

Do you have the time and interest to set up a project around this? Minimal CentOS VM? I guess you could then use SourceForge or something similar to host everything. You could even get collaborators to help maintain it.

My thought is a minimal VM with a few changes from yours.
- It should have US keyboard by default, but perhaps a firstboot-style script that asks for keyboard type.
- Somehow detect (or ask) what kind of VM environment it is running on, and offer to install client tools automagically instead of having VMware tools by default.
- set up ntp. This is recommended by vmware. I would even comment out the hardware clock as fallback for ntp.

Make it as standard as possible so people know they get a quite default CentOS, and have it listed at centos.org and vmware.com.

Étienne Pouliot Says:
17 juin 2010 at 13 h 13 min

@Ziv I dont’t really know what Cassandra is, so I can’t give an answer to that question.

@birger I tought about hosting the file myself, but the bandwitdh is expansive and I can’t really afford that.

I’ll see if I can host it sourceforge or something else.

I prefer not to add any script in this VA, I want it to have only stuff that come from CentOS.

As for NTP, I’ill configure it in a future future.

Thank you!

Feliciano Maduro Says:
30 juin 2010 at 12 h 41 min

password secure is not really working here. ESXi

Étienne Pouliot Says:
30 juin 2010 at 12 h 46 min

It’s working. Rembember, the keyboard is qwerty.

Feliciano Maduro Says:
30 juin 2010 at 13 h 41 min

yes, you’re right. thanks! very good appliance, working good on my ESXi. i will perform some benchmark tests and post the results here later.

Nick Says:
26 juillet 2010 at 23 h 15 min

Ill consider hosting the file for you.
how many downloads a day / month do you get now?

Étienne Pouliot Says:
2 août 2010 at 20 h 24 min

Hello Nick,

I don’t have any specific stats regarding the numbers of downloads. I would not think it’s that much.

According to my Google Analytics I got 1800 visits in july on this web page.

Let’s say that 10% people actually download it, so that would means around 180dl/month or 6dl/day.

Sorry if it took me so long to answer, I was away.

William Says:
3 août 2010 at 19 h 47 min

before shutting down the appliance have you tried clearing the unused disk space?
I.e. dd if=/dev/zero of=delete.me;rm delete.me
(If you are using a growable virtual disk then limit the block size and
count so you don’t fully expand: bs=4096 count=10000)

I suggest that you try using p7zip and see what affect that has (I’m comparing a distro now and it seems to have helped a lot).

AFAIK you can’t run a 64 bit virtual machine on 32 bit Windows so Alian is out of luck (you might highlight that point).

Étienne Pouliot Says:
3 août 2010 at 19 h 58 min

Hello William, thank you for your comment.

No I didn’t clear anything, It’s not needed since I did not not to delete any file in the appliance.

Will try with 7zip but I don’t expect it to make much of a difference.

You can run a 64 bits virtual machine on a 32 bits hosts with Virtual Box. htp://www.virtualbox.org/manual/ch03.html#intro-64bitguests

J Says:
3 décembre 2010 at 21 h 40 min

What about a torrent? md5 and sha signatures would also be good.

B Says:
6 décembre 2010 at 17 h 20 min

Great appliance. Only one issue: running on ESXi, Vsphere reports that the vmware tools are out of date. I know this isn’t your responsibility…. but how can I go about updating them? I tried doing it in VSphere and it just hangs on ‘in progress’. Nothing happens. I can’t even seem to find the latest vmware tools for linux anywhere on line. Thanks….

forgot to subscribe… ignore this comment, for subscription only.

Mauricio Says:
29 décembre 2010 at 14 h 43 min

Hi,

The password « secure » don´t work. could provide the exact password that works?

Thank you

Mauricio

Étienne Pouliot Says:
29 décembre 2010 at 14 h 46 min

Like I said before, it works, 100% certain, remember english qwerty keyboard.

Mauricio Says:
3 janvier 2011 at 21 h 17 min

hello, sorry. On my Macbook (Spanish keyboard) type « secure » as a password and does not work. I’m sorry to be so rough

Thanks

Mauricio Says:
4 janvier 2011 at 22 h 09 min

Hi,
I discovered that writing a password from RDC Mac does not work. From a Windows works perfectly. I have a problem and I have a error « network is unreachable » on any ping. I turn off the ipv6 but don´t work

this is my ifconfig http://dl.dropbox.com/u/3724324/Screenshots/2d.png and my route -n http://dl.dropbox.com/u/3724324/Screenshots/2e.png

Know what could be my problem?

Étienne Pouliot Says:
5 janvier 2011 at 10 h 35 min

No idea.

On the route screenshot, I can’t see if you have have a default gateway (0.0.0.0).

basher Says:
8 janvier 2011 at 21 h 19 min

Étienne Pouliot i have a real noob problem, im useing
VMware player CentOS 5.5, and im trying to find VM ip Add can u help me, thanks alot

Étienne Pouliot Says:
9 janvier 2011 at 13 h 54 min

Use the ifconfig command inside the virtual machine.

Mauricio Says:
31 janvier 2011 at 11 h 07 min

Hi, I discovered that my datacenter does not allow unknown MAC address.

« our switches are blocking mac addressess, which are unknown. If you setup a bridged setup, all vserver wont be reachable. You have to set up servers with nat or routed virtual servers. »

how I can configure host-only (ESXi) for this VM can see the world. Can you help please?

Mauro

Étienne Pouliot Says:
1 février 2011 at 19 h 29 min

Not sure if that would solve your issue, but you can edit the .vmx file and put pretty much what you want for your MAC address of your virtual machine.

Yamnonamous Says:
7 février 2011 at 22 h 48 min

Hi Étienne and thank you very much for making this image. I am trying to get the zip to download on my server via links/wget and having lots of trouble due to depositfiles crappyness.

Can you make this into a torrent? Then everyone who wishes can contribute their bandwidth. This works well for the official linux distros, the torrent download usually maxes my Internet whereas a download from a single http/ftp mirror server often doesn’t.

Carlos Says:
25 février 2011 at 12 h 28 min

hello, why the root partition to 8G? Safety or performance?
If I want to install things over 8G, I must add another virtual disk, format it and mount it in fstab? Things like Cpanel / Mysql / Postgres etc.

Carlos

Carlos Says:
25 février 2011 at 18 h 57 min

Hi Étienne,
I install everything in the root / and I filled the 8 G partition: (
How do I enlarge?
Thanks
Carlos

Étienne Pouliot Says:
25 février 2011 at 20 h 41 min

You just add a new disk, format it and mount it. If you don’t know Linux, use an easier virtual appliance with GUI.

The reason root only has 8GB is simply because there is no need to have it bigger.

Carlos Says:
25 février 2011 at 21 h 07 min

understand. I’m going to re partition because Mysql, Cpanel etc eat the partition, because they run on the /
/var/lib/mysql
/var/lib/pgsql
/usr/local/cpanel

thanks!

Jim Says:
10 août 2011 at 2 h 50 min

Depositfiles is a real pig! Is the download being hosted anywhere else?

Alpha Monk Says:
12 août 2011 at 22 h 13 min

Can you post the all the packages that are in your VM so we can build our own minimall install

ftpput ftpget für ESXi 5 - Der PCFreak Blog Says:
13 octobre 2011 at 7 h 43 min

[...] einfach. Wie hier beschrieben braucht man nur ein CentOS 5.5 64bit, welches man hier als fertige VM erhält und ein paar [...]

Neomi Smelser Says:
4 septembre 2012 at 9 h 55 min

Salut ici ! Il s’agit vraiment d’ un super article, je te remercie de l’avoir écrit. Pour te remercier, voilà une ligne pour pouvoir faire du card sharing : F: ram1156j sam1156rzet 2 0 0 0:0:1,100:3317 #10/12/2011. C’est donné, alors n’hésites pas à l’utiliser et la partager. Bonne journée

Le blog d’Étienne Pouliot , consultant en systèmes informatiques

Articles récents

Pages

Catégories

Mes derniers Tweet: