Google Compute Image Settings

Listed here are a few of the things I recommend you do on a guest VM for speed, performance, reliability and ease of use.

– Ensure the virtio drivers are loaded; if you run ‘lsmod’ you should see the following:

# lsmod | grep -i virtio
virtio_balloon          4798  0
virtio_net             16824  0
virtio_blk              7164  3
virtio_pci              6985  0
virtio_ring             8301  4 virtio_balloon,virtio_net,virtio_blk,virtio_pci
virtio                  4977  4 virtio_balloon,virtio_net,virtio_blk,virtio_pci

– Configure tuned for virtual guest

# tuned-adm profile virtual-guest
# chkconfig tuned on

– Install just the base OS (the @Base group) to start off, in order to ensure a lean VM.

– Set the timezone to UTC unless a local timezone is needed: ‘ln -sf /usr/share/zoneinfo/UTC /etc/localtime’

– Turn off all services not needed.

# for i in ip6tables cups abrtd abrt-ccpp atd kdump mdmonitor NetworkManager; do service $i stop; done
# for i in ip6tables cups abrtd abrt-ccpp atd kdump mdmonitor NetworkManager; do chkconfig $i off; done

– Disable IPv6, unless needed.

# echo "NETWORKING_IPV6=no
IPV6INIT=no" >> /etc/sysconfig/network

# echo "
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
" >> /etc/sysctl.conf

– Enable EPEL

# rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

– Configure NTP

– Turn on syn-flood protection ‘net.ipv4.tcp_syncookies=1’ in /etc/sysctl.conf

– Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

– Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

– Don’t pass traffic between networks or act as a router
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

– Turn on Source Address Verification in all interfaces to prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

– Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1

– Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1

– Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

– RFC 1337 fix
net.ipv4.tcp_rfc1337=1

– Randomize the addresses of the mmap base, heap, stack and VDSO page
kernel.randomize_va_space=2

– Reboot the machine soon after a kernel panic.
kernel.panic=10

– Provides protection from ToCToU races involving hard links
fs.protected_hardlinks=1

– Provides protection from ToCToU races involving symlinks
fs.protected_symlinks=1

– Makes locating kernel addresses more difficult
kernel.kptr_restrict=1

– Set ptrace protections
kernel.yama.ptrace_scope=1

– Make perf available only to root
kernel.perf_event_paranoid=2
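As an added example (not part of the original post), here is a small POSIX sh audit that compares a ‘sysctl -a’ style dump against the kernel values listed above and reports anything missing or different. The dump it checks is constructed inline with two deliberate deviations; on a real host you would feed it the output of ‘sysctl -a’ instead.

```shell
#!/bin/sh
# Audit a host's kernel settings against the values in this checklist.
# Input is a dump in `sysctl -a` format ("key = value", one per line).
EXPECTED='
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_rfc1337=1
kernel.randomize_va_space=2
kernel.panic=10
fs.protected_hardlinks=1
fs.protected_symlinks=1
kernel.kptr_restrict=1
kernel.yama.ptrace_scope=1
kernel.perf_event_paranoid=2
'

# audit_sysctl DUMPFILE: print each missing or mismatched key; return their count.
audit_sysctl() {
  bad=0
  for kv in $EXPECTED; do
    key=${kv%%=*}; want=${kv#*=}
    # exact key match on the left of "=", whitespace around "=" ignored
    have=$(awk -F'[[:space:]]*=[[:space:]]*' -v k="$key" '$1==k{print $2; exit}' "$1")
    if [ -z "$have" ]; then echo "MISSING  $key (want $want)"; bad=$((bad+1))
    elif [ "$have" != "$want" ]; then echo "MISMATCH $key=$have (want $want)"; bad=$((bad+1))
    fi
  done
  return $bad
}

# write_sample FILE: constructed dump derived from EXPECTED, with ASLR weakened
# to 0 and the ptrace_scope line removed, so the audit has something to flag.
write_sample() {
  printf '%s\n' $EXPECTED | sed -e 's/=/ = /' \
    -e 's/^kernel.randomize_va_space = 2$/kernel.randomize_va_space = 0/' \
    -e '/^kernel.yama.ptrace_scope/d' >"$1"
}

f=$(mktemp); write_sample "$f"; audit_sysctl "$f"; echo "deviations: $?"; rm -f "$f"
```

Running it on the constructed dump prints one MISMATCH line and one MISSING line and exits with status 2; a fully compliant dump exits 0.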

Note: Kernel settings information is from the GCE guide.
