creating a VMware CentOS 7 Template


This post will help your creating a CentOS 7 Template for VMware.

Getting started

Install CentOS 7 on any VMware virtualization product with “Minimal Install” for the software selection. You can find the most recent install image here.
Please use a VM hardware version of 10, if you want to deploy your CentOS template to vSphere 5.5 or vCloud Air.

After successful installation login and upgrade packages to the latest version:

# upgrade
yum -y upgrade

# reboot if a new kernel was installed
init 6

Customization

The template will not have a root password nor an admin user password. You will require a private SSH key to login into the VM.

The following lines can either be copied and pasted into a shell or issued step by step:

# some variables
export ADMIN_USER="admin"
export ADMIN_PUBLIC_KEY="your public ssh key"

# install necessary and helpful components
yum -y install net-tools nano deltarpm wget bash-completion yum-plugin-remove-with-leaves yum-utils

# install VM tools and perl for VMware VM customizations
yum -y install open-vm-tools perl

# Stop logging services
systemctl stop rsyslog
service auditd stop

# Remove old kernels
package-cleanup -y --oldkernels --count=1

# Clean out yum
yum clean all

# Force the logs to rotate & remove old logs we don’t need
/usr/sbin/logrotate /etc/logrotate.conf --force
rm -f /var/log/*-???????? /var/log/*.gz
rm -f /var/log/dmesg.old
rm -rf /var/log/anaconda

# Truncate the audit logs (and other logs we want to keep placeholders for)
cat /dev/null > /var/log/audit/audit.log
cat /dev/null > /var/log/wtmp
cat /dev/null > /var/log/lastlog
cat /dev/null > /var/log/grubby

# Remove the traces of the template MAC address and UUIDs
sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-e*

# enable network interface onboot
sed -i -e 's@^ONBOOT="no@ONBOOT="yes@' /etc/sysconfig/network-scripts/ifcfg-e*

# Clean /tmp out
rm -rf /tmp/*
rm -rf /var/tmp/*

# Remove the SSH host keys
rm -f /etc/ssh/*key*

# configure sshd_config to only allow Pubkey Authentication
sed -i -r 's/^#?(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords) (yes|no)/\1 no/' /etc/ssh/sshd_config
sed -i -r 's/^#?(PubkeyAuthentication) (yes|no)/\1 yes/' /etc/ssh/sshd_config

# add user 'ADMIN_USER'
adduser $ADMIN_USER

# add public SSH key
mkdir -m 700 /home/$ADMIN_USER/.ssh
chown $ADMIN_USER:$ADMIN_USER /home/$ADMIN_USER/.ssh
echo $ADMIN_PUBLIC_KEY > /home/$ADMIN_USER/.ssh/authorized_keys
chmod 600 /home/$ADMIN_USER/.ssh/authorized_keys
chown $ADMIN_USER:$ADMIN_USER /home/$ADMIN_USER/.ssh/authorized_keys

# add support for ssh-add
echo 'eval $(ssh-agent) > /dev/null' >> /home/$ADMIN_USER/.bashrc

# add user 'ADMIN_USER' to sudoers
echo "$ADMIN_USER    ALL = NOPASSWD: ALL" > /etc/sudoers.d/$ADMIN_USER
chmod 0440 /etc/sudoers.d/$ADMIN_USER

# Remove the root user’s SSH history
rm -rf ~root/.ssh/
rm -f ~root/anaconda-ks.cfg

# remove the root password
passwd -d root

# for support guest customization of CentOS 7 in vSphere 5.5 and vCloud Air
# mv /etc/redhat-release /etc/redhat-release.old && touch /etc/redhat-release && echo 'Red Hat Enterprise Linux Server release 7.0 (Maipo)' > /etc/redhat-release

# Remove the root user’s shell history
history -cw

# shutdown
init 0

Notes

Starting with Open VM Tools 9.10 the deployPkg (open-vm-tools-deploypkg) is not needed anymore. Please see VMware support for Open VM Tools.

CentOS 7 is only supported starting with vSphere 6. As a workaround to deploy your CentOS template to vSphere 5.5 or vCloud Air and use VM customization, please uncomment the line to modify /etc/redhat-release.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

5 thoughts on “creating a VMware CentOS 7 Template

    • Christopher Banck
      Christopher Banck Post author

      Yes, I’m using CentOS 7.2.
      If you are using vSphere 5.5, have you modified /etc/redhat-release? The line is uncommented and only necessary for vSphere versions earlier than vSphere 6, which supports CentOS 7 natively.

  • Avatar
    swaroop

    Hi i am Swaroop, we had an existing centos 6 template. I am cloning from the centos 6 template using java code (vsphere api). When is power on the cloned server i am able to successfully assign a desired ip address using customization spec from the code like (CustomizationFixedIp fixedIp = new CustomizationFixedIp();
    fixedIp.setIpAddress(“192.168.5.140”);
    CustomizationIPSettings customizationIPSettings = new CustomizationIPSettings();
    customizationIPSettings.setIp(fixedIp);)
    We created a new Centos 7 template and when i clone, i am able to assign the desired ip-address or no ip-address is assigned. When is go to edit settings of the cloned centos 7 server the network adapter is not ticked. While in cloned centos 6 server the network adapter is automatically ticked .

    What do you suggest or think what might be the difference in the templates centos 6 and 7. I even compared the network scripts eth01 and network file and replicated the same on to centos 7 template and still same issue. But when i manually clone from the vsphere client the vmware is able to assign a random ip address. Note: when cloning from java for centos 6 template the network adapter is getting ticked and for centos 7 it is not getting ticked. Kindly need you help or suggestions.

    • Avatar
      swaroop

      Sorry there are some typing errors,
      When i power on the cloned server i am able to successfully assign a desired ip address which is preset using customisation spec from the code like

      We created a new Centos 7 template and when i cloned a server, i am not able to assign the desired ip-address or no ip-address is assigned. When i go to edit settings of the cloned centos 7 server the network adapter is not ticked. While in cloned centos 6 server the network adapter is automatically ticked .

  • Avatar
    level6

    It is bad habit to use “init 6” to restart a unix box. The runlevels/targets can be redefined on any host. As well, some discrepancy may exist between default runlevels in older flavors of unix. The “shutdown” command, or even a “sync;sync;reboot” are safer to use everywhere.

    If you must take the shortcut of typing “init 6”, then you should also be checking /etc/inittab or /usr/lib/systemd/system/runlevel6.target each time to make sure that runlevel 6 is indeed defined as reboot… thus making it a not-so-short-cut. 🙂

    This is actually one of the main questions I ask about in interviews of unix sysadmins to help determine whether they are junior or senior level. It’s that important.