Oracle Cloud Infrastructure Documentation

Guidelines for Images

When you create an image list in Oracle Cloud Infrastructure Marketplace, ensure that the images you create for the listing comply with the relevant guidelines.

Mandatory Guidelines for Linux Images

The following table lists the mandatory image guidelines and corresponding error code. Each guideline must be followed. Before an image is published to Oracle Cloud Infrastructure Marketplace, each image is validated against each of the following mandatory guidelines.

Error Code Description
S01 SSH host keys must be unique to each instance. Use the oci-image-cleanup utility provided by the oci-utils package on GitHub. This will remove all SSH host keys, so that they are regenerated on first boot.
S08 Images must ingest an SSH public key provided by a customer as part of the instance launch process. Ensure the image is cloud-init enabled.
S10 Any authorized_keys files must only contain keys provided by the user when the instance is launched. Use the oci-image-cleanup utility provided by the oci-utils package on GitHub.
S14 Root user login must be disabled. At least 1 of the following 3 conditions must be met:
  • The root user's login shell must be set to /sbin/nologin.
  • The SSH service config /etc/ssh/sshd_config must not permit root login. Manually configure the following setting:
    PermitRootLogin no
  • All entries in the /root/.ssh/authorized_keys file must contain 
    no-port-forwarding, no-agent-forwarding,
                        no-X11-forwarding.
    The root user must not have usable entries in the authorized_keys file. Use the oci-image-cleanup utility provided by the oci-utils package on GitHub.

    By default, Oracle Cloud Infrastructure instances that are launched from cloud-init enabled images add the forwarding options and use the command option of the authorized_keys file to effectively disable any user-provided SSH key for the root user. The code below is a sample of the authorized_keys file created by Oracle Cloud Infrastructure using cloud-init:

    no-port-forwarding,
no-agent-forwarding,
no-X11-forwarding,
command="echo 'Please login as the user \"opc\" rather than the user \"root\".';echo;sleep 10"
S16 Images must not have any operating system level users configured with a password and MUST NOT have an empty password.
G01 Image must boot for all compatible shapes. Manually verify by successfully launching instances for each compatible shape.
G03 Image must not have any hard-coded MAC addresses. Empty the /etc/udev/rules.d/70-persistent-net.rules file.
G05 DHCP must be enabled. Ensure it is configured manually. Ensuring you can SSH into an instance of this image confirms that DHCP is enabled.
G08 Ensure that the image does not use Instance Metadata Service v1 (IMDSv1). If the image uses IMDSv1 endpoints, Oracle recommends that you disable IMDSv1 and upgrade to IMDSv2. See Upgrading to the Instance Metadata Service v2 in Oracle Cloud Infrastructure documentation.

Mandatory Guidelines for Windows Images

Error Code Description
W01 Before creating a custom Windows image, you must generalize the Windows instance using Sysprep. See Creating a Generalized Image.
W02 The opc account must not be preserved when running Sysprep generalize. See Creating a Generalized Image.
G08 Ensure that the image does not use Instance Metadata Service v1 (IMDSv1). If the image uses IMDSv1 endpoints, Oracle recommends that you disable IMDSv1 and upgrade to IMDSv2. See Upgrading to the Instance Metadata Service v2 in Oracle Cloud Infrastructure documentation.

Recommended Guidelines for Linux Images

The following guidelines are recommended for images listed in Oracle Cloud Infrastructure Marketplace. Each guideline is considered a best practice that should be followed if possible.

Error Code Description
S02 Mandatory Access Control (MAC) should be enabled. See https://www.linux.com/news/securing-linux-mandatory-access-controls.
S03 An Operating System (OS) Firewall should be enabled and configured to block any ports not specifically required as indicated in the listing documentation.
S04 All sensitive data such as passwords and private keys should be removed. This type of data can often be found in log files, source code, or build artifacts. To remove such files, use the oci-image-cleanup utility provided by the oci-utils package on GitHub.
S07 cloud-init packages should be available for use during instance launch.
S11 Configure the SSH service to prevent password-based login. Manually configure the following settings:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
S15 Image software should be updated as part of the final packaging process.
S17 Application passwords should not be hard-coded. Any passwords should be uniquely generated the first time the instance launches:
G02 Images should run in paravirtualized mode. Images may run in native mode. Images should not run in emulated mode.
G04 Any network managers should be stopped. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/3/html/Installation_and_Configuration_Guide/Disabling_Network_Manager.html.
G06 Images should utilize the NTP service provided by Oracle Cloud Infrastructure. See Configuring the Oracle Cloud Infrastructure NTP Service for an Instance.
G07 Images should have iSCSI timeout values set for proper boot volume connectivity. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Online_Storage_Reconfiguration_Guide/iscsi-modifying-link-loss-behavior-root.html.