Guide to build an OpenStack image for Security Onion.


This image will use the Security Onion ISO, install the ISO to a disk and then create an OpenStack compatable image from that installation.

  1. Start a new instance that has enough resources to setup an OpenStack image of Security Onion

  2. Download latest Security Onion

  3. Start SO on the image under qemu

  4. install cloud-init

Configure environment to build the instance

I used a Debian instance that did not come with a GUI. Install the LXDE desktop environment for a lightweight window manager.

$ sudo apt-get install task-lxde-desktop

Use Horizon to attach a new volume to the OpenStack instance. Format the attached volume for the ext4 filesystem.

$ mkfs.ext4 DEVICE

Mount the new filesystem


Download latest Security Onion

Create a new raw image file on the mount point

$ sudo qemu-img create

Start security onion using the following KVM command:

kvm -m 4096 \
-drive file=./so_test.raw,if=virtio,format=raw \
-drive file=/home/user/so_create/securityonion-,media=cdrom,index=1 \
-net nic,model=virtio \
-net user \

This will display a qemu window that will display the Security Onion instance

Begin the installation, choose 'Download Updates'

Choose 'Use LVM' when prompted.

Use parameters: admin
Computer name: computer
Username: so_admin

Choose a memorable password that is sufficiently complex

Setup will not take some time copying the files to the disk.

Once setup is complete, login to the Security Onion instance and install the necessary packages

$ sudo apt-get update
$ sudo apt-get install cloud-utils cloud-initramfs-growroot

For Security Onion 16, rsync and openssh-server are already installed.

Boot Security Onion without the ISO image loaded

kvm -m 4096 \
-drive file=./so_test.raw,if=virtio,format=raw \
-net nic,model=virtio \
-net user \

Start a root shell

$ sudo su

Configure MySQL not to prompt for root password

# echo "debconf debconf/frontend select noninteractive" | debconf-set-selections

Remove MAC Address

# echo "" > /lib/udev/rules.d/75-persistent-net-generator.rules

Disable Firewall

Edit file /etc/init/ufw.conf and comment out lines 9-11 that have to do with starting UFW by placing a # before the lines.

Enable Boot Log

Edit the /etc/default/grub and set the following parameter

# update-grub

Edit Cloud-init

May need to install the cloud-init package

# dpkg-reconfigure cloud-init

Only select the EC2 data source

Edit the file /etc/cloud/cloud.cfg for the username created to login

    distro: ubuntu
        name: so_admin

Final Steps

Shutdown the Security Onion instance and on the host OS perform the following

May need to install libguestfs-tool package to perform the sysprep

$ virt-sysprep -a IMAGE_NAME
$ virt-sparsify --compress IMAGE_NAME IMAGE_NAME_CLOUD

I needed to convert from RAW to QCOW2 format to compress the image. Also had to specify a 'tmp' directory because my current tmp directory did not have enough space.

$ virt-sparsify --convert qcow2 --compress IMAGE_NAME.raw IMAGE_NAME_CLOUD.qcow2 --tmp .