4 snf-image is split in two components: The main program running on the Ganeti
5 host, with full root privilege (*snf-image* previously *snf-image-host*), and a
6 part running inside an unprivileged, helper VM (*snf-image-helper*).
11 This part implements the Ganeti OS interface. It extracts the Image onto the
12 Ganeti-provided block device, using streaming block I/O (dd with oflag=direct),
13 then passes control to snf-image-helper running inside a helper VM. The helper
14 VM is created using KVM, runs as an unprivileged user, nobody by default.
16 There is no restriction on the distribution running inside the helper VM, as
17 long as it executes the snf-image-helper component automatically upon bootup.
18 The snf-image-update-helper script is provided with snf-image to automate the
19 creation of a helper VM image based on Debian Stable, using multistrap.
21 The snf-image-helper component is spawned inside a specific hardware
24 * The VM features a virtual floppy, containing an ext2 filesystem with all
25 parameters needed for image customization.
26 * The hard disk of the VM being deployed is accessible as the first virtio
28 * All kernel/console output is redirected to the first virtual serial console,
29 and eventually finds its way into the OS definition log files that Ganeti
31 * The helper VM is expected to output "SUCCESS" to its second serial port if
32 image customization was successful inside the VM.
33 * In any other case, execution of the helper VM or snf-image-helper has
35 * The helper VM is expected to shutdown automatically once it is done. Its
36 execution is time-limited; if it has not terminated after a number of
37 seconds, configurable via /etc/default/snf-image, it is sent a SIGTERM
40 KVM is currently a dependency for snf-image, meaning it is needed to spawn the
41 helper VM. There is no restriction on the hypervisor used for the actual Ganeti
42 instances. This is not a strict requirement; KVM could be replaced by qemu,
43 doing full CPU virtualization without any kernel support for spawning the
49 This part runs inside the helper VM and undertakes customization of the VM
50 being deployed using a number of hooks, or tasks. The tasks run in an
51 environment, specified by rules found in a virtual floppy, placed there by
52 *snf-image*. *snf-image-helper* uses runparts to run tasks found under
53 */usr/lib/snf-image-helper/tasks* by default
55 Graphical Representation
56 ^^^^^^^^^^^^^^^^^^^^^^^^
58 The architecture is presented below:
60 .. image:: /images/arch.png
62 Image Configuration Tasks
63 ^^^^^^^^^^^^^^^^^^^^^^^^^
65 Configuration tasks are scripts called by snf-image-helper to accomplish
66 various configuration steps on the newly created instance. See below for a
67 description of each one of them:
69 **FixPartitionTable**: Enlarges the last partition in the partition table of
70 the instance, to consume all the available space and optionally adds a swap
73 **FilesystemResizeUnmounted**: Extends the file system of the last partition to
74 cover up the whole partition. This only works for ext{2,3,4} file systems. Any
75 other file system type is ignored and a warning is triggered. The task will
76 fail if *SNF_IMAGE_DEV* environmental variable is missing.
78 **MountImage**: Mounts the nth partition of *SNF_IMAGE_DEV*, which is specified
79 by *SNF_IMAGE_PROPERTY_ROOT_PARTITION* variable under the directory specified
80 by *SNF_IMAGE_TARGET*. The script will fail if any of those 3 variables has a
83 **AddSwap**: Formats the swap partion added by *FixPartitionTable* task and
84 adds an appropriate swap entry in the system's ``/etc/fstab``. The script will
85 only run if *SNF_IMAGE_PROPERTY_SWAP* is present and will fail if
86 *SNF_IMAGE_TARGET* in not defined.
88 **DeleteSSHKeys**: For linux images, this script will clear out any ssh keys
89 found in the image and for debian, it will recreate them too. In order to find
90 the ssh keys, the script looks in default locations (/etc/ssh/ssh_*_key) and
91 also parses ``/etc/ssh/sshd_config`` file if present. The script will fail if
92 *SNF_IMAGE_TARGET* is not set.
94 **DisableRemoteDesktopConnections**: This script temporary disables RDP
95 connections in windows instances by changing the value *fDenyTSConnection*
96 registry key. RDP connections will be enabled back during the specialize pass
97 of the Windows setup. The task will fail if *SNF_IMAGE_TARGET* is not defined.
99 **InstallUnattend**: Installs the Unattend.xml files in windows images. This is
100 needed by windows in order to perform an unattended setup. The
101 *SNF_IMAGE_TARGET* variables needs to be present for this task to run.
103 **SELinuxAutorelabel**: Creates *.autorelabel* file in RedHat images. This is
104 needed if SELinux is enabled to enforce an automatic file system relabeling at
105 the next boot. The only enviromental variable required by this task is
108 **AssignHostname**: Assigns or changes the hostname in a Linux or Windows
109 image. The task will fail if the Linux distribution is not supported. For now,
110 we support Debian, Redhat, Slackware, SUSE and Gentoo derived distros. The
111 hostname is read from *SNF_IMAGE_HOSTNAME* variable. In addition to the latter,
112 *SNF_IMAGE_TARGET* is also required.
114 **ChangePassword**: Changes the password for a list of users. For Linux systems
115 this is accomplished by directly altering the image's ``/etc/shadow`` file. For
116 Windows systems a script is injected into the VM's hard disk. This script will
117 be executed during the specialize pass of the Windows setup. The list of users
118 whose passwords will changed is determined by the *SNF_IMAGE_PROPERTY_USERS*
119 variable (see :ref:`image-properties`). For this task to run *SNF_IMAGE_TARGET*
120 and *SNF_IMAGE_PASSWORD* variables need to be present.
122 **FilesystemResizeMounted**: Injects a script into a Windows image file system
123 that will enlarge the last file system to cover up the whole partition. The
124 script will run during the specialize pass of the Windows setup. If the
125 *SNF_IMAGE_TARGET* variable is missing, the task will fail.
127 **EnforcePersonality**: Injects the files specified by the
128 *SNF_IMAGE_PROPERTY_OSFAMILY* variable into the file system. If the variable is
129 missing a warning is produced. The only environmental variable required is
132 **UmountImage**: Umounts the file system previously mounted by MountImage. The
133 only environmental variable required is *SNF_IMAGE_TARGET*.
136 +-------------------------------+---+--------------------------------------------+--------------------------------------------------+
137 | | | Dependencies | Enviromental Variables [#]_ |
138 + Name | +------------------+-------------------------+-------------------------+------------------------+
139 | |Pr.| Run-After | Run-Before | Required | Optional |
140 +===============================+===+==================+=========================+=========================+========================+
141 |FixPartitionTable |10 | |FilesystemResizeUnmounted|DEV | |
142 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
143 |FilesystemResizeUnmounted |20 |FixPartitionTable |MountImage |DEV | |
144 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
145 |MountImage |30 | |UmountImage |DEV | |
147 | | | | |PROPERTY_ROOT_PARTITION | |
148 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
149 |AddSwap |40 |MountImage |EnforcePersonality |TARGET |PROPERTY_OSFAMILY |
150 | | | | | |PROPERTY_SWAP |
151 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
152 |DeleteSSHKeys |40 |MountImage |EnforcePersonality |TARGET |PROPERTY_OSFAMILY |
153 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
154 |DisableRemoteDesktopConnections|40 |EnforcePersonality|UmountImage |TARGET |PROPERTY_OSFAMILY |
155 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
156 |InstallUnattend |40 |MountImage |EnforcePersonality |TARGET |PROPERTY_OSFAMILY |
157 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
158 |SELinuxAutorelabel |40 |MountImage |EnforcePersonality |TARGET |PROPERTY_OSFAMILY |
159 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
160 |AssignHostname |50 |InstallUnattend |EnforcePersonality |TARGET | |
161 | | | | |HOSTNAME |PROPERTY_OSFAMILY |
162 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
163 |ChangePassword |50 |InstallUnattend |EnforcePersonality |TARGET |PROPERTY_USERS |
164 | | | | |PASSWORD |PROPERTY_OSFAMILY |
165 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
166 |FilesystemResizeMounted |50 |InstallUnattend |EnforcePersonality |TARGET |PROPERTY_OSFAMILY |
167 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
168 |EnforcePersonality |60 |MountImage |UmountImage |TARGET |PERSONALITY |
169 | | | | | |PROPERTY_OSFAMILY |
170 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
171 |UmountImage |80 |MountImage | |TARGET | |
172 +-------------------------------+---+------------------+-------------------------+-------------------------+------------------------+
174 .. [#] all environmental variables are prefixed with *SNF_IMAGE_*
projects / snf-image / blob