If you cannot find an existing ServerTemplate from the MultiCloud Marketplace that you can clone and modify to meet your own needs, it's strongly recommended that you start your custom ServerTemplate development with one of the "base" ServerTemplates that already contain the minimum set of scripts and alerts for optimized server management through the RightScale management platform. For example, the ServerTemplate contains scripts for setting up monitoring on the server so that you can view the real-time graphs in the Dashboard and create alert specifications for automation. It also contains a set of best practices alerts that are preconfigured under the Alerts tab.
Minimum Scripts for Best Practices
The "Base" ServerTemplate contains the minimum set of scripts that are required for optimal server management within the RightScale management platform. It's recommended that you do not delete any of these scripts from a ServerTemplate unless you are an advanced user and are aware of the ramifications.
The minimum set of scripts in the "Base" ServerTemplate are found in most ServerTemplates published by RightScale and perform the following setup operations:
- rightscale::setup_security_updates - Sets up the package manager so that security updates can be applied to a running server. After booting and installing the packages, the relevant software repositories (e.g. EPEL and Ubuntu Precise) are unfrozen so that security updates can be installed by the 'rightscale::do_security_updates' script. Once security updates are enabled (Enable security updates = enable) they cannot be disabled. By default, security updates are disabled at the ServerTemplate level. Set this input accordingly prior to launching the server.
- rightscale::install_rightimage_extras - Installs the RightScale rightimage extras package that many of our ServerTemplates and Images expect by default.
- logging::default - By default, logs are saved locally on the instance in /var/log/messages (/var/log/syslog for Ubuntu). You can instead configure the server to send its log data to a remote server by setting the "Logging" inputs appropriately at launch time.
- sys_firewall::default - Configures iptables on the server for firewall purposes. By default, the 'Firewall' input is enabled, which opens TCP ports 22, 80, 443 to any IP address (0.0.0.0/0).
- sys_ntp::default - Installs and configures a Network Time Protocol (NTP) client on the server to synchronize the time clock between an instance and RightScale's core servers, which is necessary for accurate audit entry timestamps.
- rightscale::setup_server_tags - Sets machine tags that are common to all RightScale managed servers. (e.g. rs_logging:state=active, rs_login:state=active, rs_monitoring:state=active)
- rightscale::setup_timezone - Sets the system timezone on the instance.
- rightscale::setup_monitoring - Enables the instance for monitoring by RightScale's core servers so that real-time data can be collected from the instance and graphs can be displayed in the RightScale dashboard under the related Monitoring tabs. This script is also required for setting up alerts for alert escalations and autoscaling.
- rightscale::setup_cloud - Configures several cloud-specific functions needed by RightScale's templates and images.
- rightscale::install_tools - Installs RightScale's core instance tools.
- block_device::setup_ephemeral - If the cloud provider of the instance does not support the use of mountable volumes for data storage, it creates, formats, and mounts a brand new block device on the instance's ephemeral drive. The script does nothing on instances in clouds that support volumes (e.g. EC2).
- sys::setup_swap - Creates and activates a swap file based on the selected size (in GB). Default swap size is 0.5 GB. Note: The swap added to the instance by this file will be in addition to any swap defined in the image.
- rightscale::setup_security_update_monitoring - Configures a collectd plugin that monitors for available security updates, which in turn will place a tag on the instance ( ) and trigger an alert to the account owner informing them that security update(s) are available for this instance. See Apply System Security Updates in the Base ServerTemplate for Linux (Chef) Runbook for more details.
- rightscale::do_security_updates - This script is only run if security updates are enabled (Enable security updates = enable). The latest security patches are downloaded and installed. Non-security related software updates are not installed. If a reboot of the instance is required to complete an update, the 'rs_monitoring:reboot_required=true' tag is added to the server as a reminder that you must manually reboot the instance to complete the update.
As a general best practice, any new scripts that you add to the ServerTemplate should be added to the bottom of the existing boot script list.
Security and Firewall Permissions
Iptables is enabled by default on all servers, regardless of whether or not the cloud provider supports cloud-specific firewall services such as security groups (e.g. AWS EC2).
By default, the 'sys_firewall::default' boot script configures iptables on the instance with the following TCP ports open to all IPs (0.0.0.0/0):
- 22 - SSH access
- 80 - HTTP access
- 443 - HTTPS access (SSL)
Note: For more information about iptables, refer to the Linux documentation.
To create additional firewall permissions to allow or deny access, you can use the sys_firewall::setup_rule script. For detailed instructions, see the Base ServerTemplate for Linux (Chef) (v13 Infinity) - Runbook.
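The ruleset below is an added illustration of what the documented default amounts to in iptables terms; it is not RightScale's sys_firewall cookbook. It emits an iptables-restore file with TCP 80 and 443 open to 0.0.0.0/0 as described above, but takes the source range for port 22 as a parameter so that SSH can be limited to an administrative network rather than the whole Internet; the CIDR 203.0.113.0/24 and the helper names are constructed for the example. Nothing is applied by the script itself.

```shell
#!/bin/sh
# Added example, not code from the RightScale cookbooks.
# generate_rules SSH_CIDR [WEB_CIDR]
#   SSH_CIDR  source range allowed to reach TCP/22 (e.g. 203.0.113.0/24, constructed)
#   WEB_CIDR  source range allowed to reach TCP/80 and TCP/443 (default 0.0.0.0/0,
#             matching the Base ServerTemplate default)
# Prints an iptables-restore ruleset on stdout for review; apply it on the
# instance with: generate_rules 203.0.113.0/24 | iptables-restore
generate_rules() {
    ssh_cidr="${1:-0.0.0.0/0}"
    web_cidr="${2:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic and replies to connections the host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH: only from the administrative range given as SSH_CIDR
-A INPUT -p tcp --dport 22 -s ${ssh_cidr} -m conntrack --ctstate NEW -j ACCEPT
# HTTP/HTTPS: public unless WEB_CIDR narrows it
-A INPUT -p tcp --dport 80 -s ${web_cidr} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -s ${web_cidr} -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo so monitoring can still ping the instance
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# count_world_open RULESET
# Counts ACCEPT rules that still admit any source (0.0.0.0/0); a quick
# review step before the ruleset is loaded.
count_world_open() {
    printf '%s\n' "$1" | grep -c -- '-s 0.0.0.0/0 .*-j ACCEPT' || true
}

# Usage: print the ruleset with SSH limited to the constructed admin range.
generate_rules 203.0.113.0/24
```

With the default arguments the output reproduces the documented behaviour (22, 80 and 443 reachable from anywhere); passing an administrative CIDR as the first argument leaves only the two web ports world-reachable, which count_world_open reports as 2.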
By default, the logging::default script configures a server to store log data locally (/var/log/messages or /var/log/syslog). But when you terminate the instance, all of its logs will be lost. So, if it's necessary to preserve log data after an instance is terminated, you can easily configure the server to send its logs to a central logging server or service by setting a few required inputs.
There are a few different types of logging configurations:
- Logs stored locally on the instance (default)
- Logs sent to a remote server or service
  - Production: Use your own dedicated logging server or a third-party logging service or application such as Loggly or Splunk.
  - Development & Test: If backups are not required and you simply want a centralized logging destination for all of your instances, you can use an rsyslog ServerTemplate published by RightScale. See Logging with rsyslog Beta (v13 Infinity).
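As an added example of the remote-forwarding configuration the Logging inputs produce on the instance (this is a constructed rsyslog fragment, not the output of RightScale's logging cookbook), the function below writes an rsyslog action that forwards every message to a collector; the host name logs.example.com, the port and the helper names are assumptions. The disk-assisted queue is the detail worth noting: without it, messages produced while the collector is unreachable are dropped, and the local file on a terminated instance was the only copy.

```shell
#!/bin/sh
# Added example, not code from the RightScale cookbooks.
# validate_forward_args PORT PROTO
# Returns 0 when PORT is numeric and PROTO is tcp or udp, 1 otherwise.
validate_forward_args() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    return 0
}

# rsyslog_forward_conf TARGET [PORT] [PROTO]
# Prints an rsyslog (RainerScript) fragment for /etc/rsyslog.d/ that
# forwards all messages to TARGET. Defaults: port 514, protocol tcp.
rsyslog_forward_conf() {
    target="${1:-}"
    port="${2:-514}"
    proto="${3:-tcp}"
    [ -n "$target" ] || return 1
    validate_forward_args "$port" "$proto" || return 1
    cat <<EOF
# Constructed example: forward everything to ${target}:${port}/${proto}.
# The queue spools to disk while the collector is unreachable and is
# saved on shutdown, so a restart or outage does not discard messages.
action(type="omfwd"
       target="${target}"
       port="${port}"
       protocol="${proto}"
       action.resumeRetryCount="-1"
       queue.type="LinkedList"
       queue.filename="fwd_remote"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on")
EOF
}

# Usage: print the fragment for a constructed collector address.
rsyslog_forward_conf logs.example.com 514 tcp
```

Install the printed fragment as a file under /etc/rsyslog.d/ and restart rsyslog on the instance; the function refuses a non-numeric port or an unsupported protocol so a typo does not silently leave the instance logging only to the local file.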