Oracle Cloud Infrastructure Documentation

Oracle-Provided Images

An image is a template of a virtual hard drive. The image determines the operating system and other software for an instance. The following table lists the images that are available in Oracle Cloud Infrastructure. For specific image and kernel version details, along with changes between versions, see Oracle-Provided Image Release Notes.

Image | Name | Description

Oracle Linux 7 Unbreakable Enterprise Kernel Release 4 | Oracle-Linux-7.x-<date>-<number>

The Unbreakable Enterprise Kernel (UEK) is Oracle's optimized operating system kernel for demanding Oracle workloads.

GPU shapes are supported with this image.

Oracle Linux 6 Unbreakable Enterprise Kernel Release 4 | Oracle-Linux-6.x-<date>-<number>

The Unbreakable Enterprise Kernel (UEK) is Oracle's optimized operating system kernel for demanding Oracle workloads.

CentOS 7 | CentOS-7-<date>-<number>

CentOS is a free, open-source Linux distribution suitable for use in enterprise cloud environments. For more information, see https://www.centos.org/.

CentOS 6 | CentOS-6.x-<date>-<number>

CentOS is a free, open-source Linux distribution that is suitable for use in enterprise cloud environments. For more information, see https://www.centos.org/.

X7 shapes are not supported with this image.

Ubuntu 18.04 LTS | Canonical-Ubuntu-18.04-<date>-<number>

Ubuntu is a free, open-source Linux distribution that is suitable for use in the cloud. For more information, see https://www.ubuntu.com.

Ubuntu 16.04 LTS | Canonical-Ubuntu-16.04-<date>-<number>

Ubuntu is a free, open-source Linux distribution that is suitable for use in the cloud. For more information, see https://www.ubuntu.com.

GPU shapes are supported with this image.

Ubuntu 14.04 LTS | Canonical-Ubuntu-14.04-<date>-<number>

Ubuntu is a free, open-source Linux distribution that is suitable for use in the cloud. For more information, see https://www.ubuntu.com.

Windows Server 2016 | Windows-Server-2016-<edition>-Gen2.<date>-<number>

Windows Server 2016 supports running production Windows workloads on Oracle Cloud Infrastructure.

GPU shapes are supported with this image; however, you need to install the appropriate GPU drivers from NVIDIA.

Windows Server 2012 R2 | Windows-Server-2012-R2-<edition>-<gen>.<date>-<number>

Windows Server 2012 R2 supports running production Windows workloads on Oracle Cloud Infrastructure.

GPU shapes are supported with this image; however, you need to install the GPU drivers from NVIDIA.

Windows Server 2008 R2 - Virtual Machine (VM) | Windows-Server-2008-R2-Enterprise-Edition-VM-<date>-<number>

Windows Server 2008 R2 Enterprise Edition supports running production Windows workloads on Oracle Cloud Infrastructure.

You can also create custom images of your boot disk OS and software configuration for launching new instances.

Essential Firewall Rules

Warning

Windows 2008 Server R2 images do not support restricting certain firewall rules for local principals, such as "Administrators", so any authenticated user on an instance can make outgoing connections to the iSCSI network endpoints (169.254.0.2:3260, 169.254.2.0/24:3260) that serve the instance's boot and block volumes.

All Oracle-provided images include rules that allow only "root" on Linux instances or "Administrators" on Windows Server 2012 R2 and Windows Server 2016 instances to make outgoing connections to the iSCSI network endpoints (169.254.0.2:3260, 169.254.2.0/24:3260) that serve the instance's boot and block volumes.

  • Oracle recommends that you do not reconfigure the firewall on your instance to remove these rules. Removing these rules allows non-root users or non-administrators to access the instance’s boot disk volume.

  • Oracle recommends that you do not create custom images without these rules unless you understand the security risks.

  • Running Uncomplicated Firewall (UFW) on Ubuntu images may cause issues with these rules, so Oracle recommends that you do not enable UFW on your instances. See Ubuntu Instance fails to reboot after enabling Uncomplicated Firewall (UFW) for more information.
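One way to audit these rules on a Linux instance, as an added example that is not Oracle's own code: the Python sketch below parses `iptables-save` output and reports whether non-root traffic to each iSCSI endpoint is blocked. The sample ruleset and the chain name SAMPLE_CHAIN are constructed for illustration; the rules on a real image may be laid out differently.

```python
import ipaddress
import shlex

# iSCSI endpoints named on this page; both are served on TCP port 3260.
ISCSI_ENDPOINTS = ["169.254.0.2/32", "169.254.2.0/24"]
ISCSI_PORT = "3260"

# Constructed `iptables-save` excerpt; the chain name SAMPLE_CHAIN is hypothetical.
SAMPLE_RULES = """\
-A OUTPUT -d 169.254.0.0/16 -j SAMPLE_CHAIN
-A SAMPLE_CHAIN -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -j ACCEPT
-A SAMPLE_CHAIN -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -j ACCEPT
-A SAMPLE_CHAIN -d 169.254.0.0/16 -p tcp -m tcp -j REJECT --reject-with tcp-reset
"""

def parse_rule(line):
    """Extract the fields of one `-A` rule that matter for this audit."""
    tok = shlex.split(line)
    opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
    return {"chain": tok[1], "dst": opt("-d") or "0.0.0.0/0",
            "dport": opt("--dport"), "uid": opt("--uid-owner"), "target": opt("-j")}

def covers(rule, endpoint):
    """True if the rule matches all traffic to the endpoint on the iSCSI port."""
    if rule["dport"] not in (None, ISCSI_PORT):
        return False
    net = ipaddress.ip_network(rule["dst"], strict=False)
    return ipaddress.ip_network(endpoint).subnet_of(net)

def audit(ruleset):
    """Classify each endpoint by the first terminating rule a non-root user hits.

    Simplification (assumption): egress rules are read top to bottom as one
    list, ignoring chain jumps and negated matches.
    """
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    rules = [r for r in rules if r["chain"] not in ("INPUT", "FORWARD")]
    verdicts = {}
    for ep in ISCSI_ENDPOINTS:
        verdicts[ep] = "unprotected"      # nothing stops non-root traffic
        for r in rules:
            if not covers(r, ep) or r["uid"] == "0":
                continue                  # rule never applies to non-root users
            if r["target"] in ("ACCEPT", "REJECT", "DROP"):
                verdicts[ep] = "open" if r["target"] == "ACCEPT" else "restricted"
                break
    return verdicts

if __name__ == "__main__":
    for endpoint, verdict in audit(SAMPLE_RULES).items():
        print(f"{endpoint}:{ISCSI_PORT} -> {verdict}")
```

Running the same check against a custom image before publishing it shows whether the rules survived any firewall changes made while building the image.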

User Data

Oracle-provided images provide you with the ability to run custom scripts or provide custom metadata when the instance launches. To do this, you specify a custom startup script in the Create Instance dialog's User Data field. For more information about startup scripts, see cloud-init for Linux-based images and cloudbase-init for Windows-based images.

OS Updates for Linux Images

Oracle Linux and CentOS images are preconfigured to let you install and update packages from the repositories on the Oracle public Yum server. The repository configuration file is in the /etc/yum.repos.d directory on your instance. You can install, update, and remove packages by using the Yum utility.

Note

OS Security Updates for Oracle Linux and CentOS images

Oracle Linux and CentOS images are updated regularly with the necessary patches, but after you launch an instance using these images, you are responsible for applying the required OS security updates published through the Oracle public Yum server. For more information, see Installing and Using the Yum Security Plugin.

The Ubuntu image is preconfigured with suitable repositories to allow you to install, update, and remove packages.

Note

OS Security Updates for the Ubuntu image

After you launch an instance using the Ubuntu image, you are responsible for applying the required OS security updates using the sudo apt-get upgrade command.

Linux Kernel Updates

Oracle Linux images on Oracle Cloud Infrastructure include Oracle Linux Premier Support at no extra cost. This gives you all the services included with Premier Support including Oracle Ksplice. Ksplice enables you to apply important security and other critical kernel updates without a reboot. For more information, see About Oracle Ksplice and Ksplice Overview.

Ksplice is only available for Linux instances launched on or after February 15, 2017. For instances launched before August 25, 2017, you must install Ksplice before running it. See Installing and Running Oracle Ksplice for more information.

Note

Ksplice Support

Oracle Ksplice is not supported for CentOS and Ubuntu images, or on Linux images launched prior to February 15, 2017.

Linux Image Details

Users

For instances created using Oracle Linux and CentOS images, the user name opc is created automatically. The opc user has sudo privileges and is configured for remote access over the SSH v2 protocol using RSA keys. The SSH public keys that you specify while creating instances are added to the /home/opc/.ssh/authorized_keys file.

For instances created using the Ubuntu image, the user name ubuntu is created automatically. The ubuntu user has sudo privileges and is configured for remote access over the SSH v2 protocol using RSA keys. The SSH public keys that you specify while creating instances are added to the /home/ubuntu/.ssh/authorized_keys file.

Note that root login is disabled.

Remote Access

Access to the instance is permitted only over the SSH v2 protocol. All other remote access services are disabled.

Firewall Rules

Instances created using Oracle-provided images have a default set of firewall rules that allow only SSH access. Instance owners can modify those rules as needed, but must not restrict link-local traffic to address 169.254.0.2, in accordance with the warning at the top of this page.

Be aware that Networking uses security lists to control packet-level traffic in and out of the instance. When troubleshooting access to an instance, make sure both the security lists associated with the instance's subnet and the instance's firewall rules are set correctly.

Cloud-init Compatibility

Instances created using Oracle-provided images are compatible with Cloud-init. When launching an instance with the Core Services API, you can pass Cloud-init directives with the metadata parameter. For more information, see LaunchInstance.

OCI Utilities

Instances created using Oracle Linux include a pre-installed set of utilities that are designed to make it easier to work with Oracle Linux images. These utilities consist of a service component and related command line tools.

The following table summarizes the components that are included in the OCI utilities.

Name | Description

ocid | The service component of oci-utils. This normally runs as a daemon started via systemd. This service scans for changes in the iSCSI and VNIC device configurations and caches the OCI metadata and public IP address of the instance.

oci-iscsi-config | Used to display and configure iSCSI devices attached to a compute instance. If no command line options are specified, lists devices that need attention.

oci-metadata | Displays metadata for the compute instance. If no command line options are specified, lists all available metadata. Metadata includes the instance OCID, display name, compartment, shape, region, availability domain, creation date, state, image, and any custom metadata that you provide, such as an SSH public key.

oci-network-config | Lists or configures Virtual Network Interface Cards (VNICs) attached to the compute instance. Lists the current Virtual Network Interface Cards (VNICs) provisioned in the cloud and configured on the instance. When a secondary VNIC is provisioned in the cloud, it must be explicitly configured on the instance using this script or similar commands.

oci-public-ip | Displays the public IP address of the current system in either human-readable or JSON format.

For more detailed information, see the OCI Utilities reference.

Windows OS Updates for Windows Images

Windows images include the Windows Update utility, which you can run to get the latest Windows updates from Microsoft. You have to configure the security list on the subnet on which the instance is running to allow instances to access Windows update servers.

Windows Image Details

Users

For instances created using Oracle-provided Windows images, the user name opc is created automatically. When you launch an instance using the Windows image, Oracle Cloud Infrastructure will generate an initial, one-time password that you can retrieve using the console or API. This password must be changed after you initially log on.

Remote Access

Access to the instance is permitted only through a Remote Desktop connection.

Firewall Rules

Instances created using the Windows image have a default set of firewall rules that allow Remote Desktop Protocol (RDP) access on port 3389. Instance owners can modify these rules as needed, but must not restrict link-local traffic to 169.254.169.253 for the instance to activate with Microsoft Key Management Service (KMS). This is how the instance stays active and licensed.

Be aware that Networking uses security lists to control packet-level traffic in and out of the instance. When troubleshooting access to an instance, make sure both the security lists associated with the instance's subnet and the instance's firewall rules are set correctly.

User Data on Windows Images

On Windows images, custom user data scripts are executed using cloudbase-init, which is the equivalent of cloud-init on Linux-based images. All Oracle-provided Windows images on Oracle Cloud Infrastructure include cloudbase-init installed by default. When an instance launches, cloudbase-init runs PowerShell, batch scripts, or additional user data content. See cloudbase-init Userdata for information about supported content types.

You can use user data scripts to perform various tasks, such as:

  • Enable GPU support using a custom script to install the applicable GPU driver.

  • Add or update local user accounts.

  • Join the instance to a domain controller.

  • Install certificates into the certificate store.

  • Copy any required application workload files from the Object Storage service directly to the instance.

Windows Remote Management

Windows Remote Management (WinRM) is enabled by default on Oracle-provided Windows images. WinRM provides you with the capability to remotely manage the operating system.

To use WinRM, you need to add a stateful ingress rule for TCP traffic on destination port 5986.

Warning

Opening this port allows WinRM connections from public IP addresses. To allow access only from instances within the VCN, ensure that this port is open on the appropriate security lists for the appropriate subnets. For more information, see Security Recommendations.
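A way to check for the exposure this warning describes, as an added example rather than Oracle tooling: the Python sketch below scans a security list's ingress rules for TCP 5986 reachable from outside the VCN, and for stateless rules where the page calls for a stateful one. It assumes the list is available in the Core Services API's camelCase JSON shape; the rule values and the VCN CIDR 10.0.0.0/16 are constructed.

```python
import ipaddress
import json

WINRM_PORT = 5986            # WinRM port given on this page
VCN_CIDR = "10.0.0.0/16"     # constructed VCN range (assumption)

# Constructed security list in the API's camelCase JSON shape.
SAMPLE_SECURITY_LIST = json.loads("""
{"ingressSecurityRules": [
  {"protocol": "6", "source": "0.0.0.0/0", "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 3389, "max": 3389}}},
  {"protocol": "6", "source": "0.0.0.0/0", "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 5986, "max": 5986}}},
  {"protocol": "6", "source": "10.0.1.0/24", "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 5985, "max": 5986}}},
  {"protocol": "all", "source": "192.0.2.0/24", "isStateless": true}
]}
""")

def allows_port(rule, port):
    """True if the rule admits TCP traffic to `port`."""
    if rule["protocol"] not in ("6", "all"):      # "6" is TCP
        return False
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]   # no range = all ports

def winrm_findings(sec_list, vcn_cidr=VCN_CIDR, port=WINRM_PORT):
    """Return (source, issue) pairs for ingress rules that admit WinRM traffic."""
    vcn = ipaddress.ip_network(vcn_cidr)
    findings = []
    for rule in sec_list.get("ingressSecurityRules", []):
        if not allows_port(rule, port):
            continue
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue                              # service sources are not CIDRs
        src = ipaddress.ip_network(rule["source"], strict=False)
        if not src.subnet_of(vcn):
            findings.append((rule["source"], "source outside VCN"))
        if rule.get("isStateless"):
            findings.append((rule["source"], "stateless rule"))
    return findings

if __name__ == "__main__":
    for source, issue in winrm_findings(SAMPLE_SECURITY_LIST):
        print(f"port {WINRM_PORT}: {source}: {issue}")
```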
