Ubuntu Gutsy template creation

6,288 bytes added, 18:07, 14 November 2007
created (not finished yet)
This article summarizes the experience of creating an Ubuntu Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to [[Debian template creation]], but it differs in some subtle details.

== Prerequisites ==

=== debootstrap ===
You need a debootstrap that works for Gutsy, i.e. you should have
* debootstrap and its dependencies
* the <code>/usr/lib/debootstrap/scripts/gutsy</code> file

The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

 # apt-get install debootstrap

=== vzctl ===

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See {{bug|662}} for details.

== Creating template ==

=== Running debootstrap ===

Create a directory:

 # mkdir gutsy-chroot

Run debootstrap to install a minimal Ubuntu Gutsy system into that directory:

 # debootstrap --arch ''ARCH'' gutsy gutsy-chroot

Replace ''ARCH'' with your architecture. For example, for AMD64/x86_64, use <code>amd64</code> or for ia64, use <code>ia64</code>. For i386 you do not have to give this option.

=== Preparing/starting a VE ===

Now that you have an installation created by debootstrap, you can run it as a VE. In the example below a VE ID of 777 is used; of course you can use any other non-allocated ID.

==== Moving installation to VE private area ====

You should move the contents of the gutsy-chroot directory into the new VE private area, like this:

 # mkdir /vz/private/777
 # mv gutsy-chroot/* /vz/private/777

==== Setting VE config ====
An initial config for the [[VE]] is needed:
 # vzctl set 777 --applyconfig vps.basic --save

==== Setting VE OSTEMPLATE ====
Also, we need <tt>OSTEMPLATE</tt> to be set in the VE configuration file for [[vzctl]] to work properly.

 # echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
 # vzctl set 777 --ipadd x.x.x.x --save

{{Note|If you use a private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

==== Setting DNS server for VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS server for it:
 # vzctl set 777 --nameserver x.x.x.x --save

Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.

==== Starting VE ====
Now start the VE:
 # vzctl start 777

=== Modify the installation ===

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).

First, enter the VE:
 # vzctl enter 777

{{Warning|Do not run the commands below on the hardware node; they are only to be run within the VE!}}

==== Remove unneeded packages ====

Some packages do not make sense in a VE. Remove those:

 [VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
   udev pcmciautils initramfs-tools volumeid console-setup \
   xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
   module-init-tools linux-sound-base console-tools \
   console-terminus busybox-initramfs libvolume-id0


Clean up after udev:

 [VE]# rm -fr /lib/udev

==== Disable getty ====
On a usual Linux system, getty runs on virtual terminals, which a VE does not have.

There are two ways to disable it:

First way:
 [VE]# rm /etc/event.d/tty*
Second way:
 [VE]# dpkg -P system-services

The second way can be dangerous with future versions of system-services, but it is OK for now since the only service the package carries is running gettys.

==== Set sane permissions for /root directory ====

 [VE]# chmod 700 /root

==== Disable root login ====

 [VE]# usermod -L root

==== Get new security updates ====

 [VE]# apt-get update && apt-get upgrade

<small>This didn't show anything for me, but might do something in the future.</small>

==== Install some more packages ====

 [VE]# apt-get install ssh quota

Feel free to add to this command any packages you want to have in the default template.

==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.

<!-- please DO NOT remove <pre>...</pre> pair of tags below,
otherwise quotes after -N (-N '') are not visible -->
<pre>
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</pre>


==== Disable <code>sync()</code> for syslog ====

Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.

<!-- DO NOT remove <pre> here, it's useful -->
<pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>

==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 [VE]# rm -f /etc/mtab
 [VE]# ln -s /proc/mounts /etc/mtab

After that, it makes sense to disable the <code>mtab.sh</code> script, which messes with <code>/etc/mtab</code>:
 [VE]# update-rc.d -f mtab.sh remove

==== Get rid of tmpfs mounts ====

 [VE]# sed -i -e '/tmpfs/d' /etc/init.d/mountkernfs.sh

==== Disable some services ====

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

 [VE]# update-rc.d -f klogd remove

==== Clean packages ====
After installing packages, you'll have some junk package files lying around in your cache. Since you don't want your template to have those, this command will wipe them out.
 [VE]# apt-get clean

Now everything is done. Exit from the template and go back to the hardware node.
 [VE]# exit
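
The checks below, run on the hardware node against the VE private area (<code>/vz/private/777</code> in this article), confirm that the security-relevant steps above took effect: no shared SSH host keys, the first-boot key generator in place, <code>/root</code> at mode 700, a locked root password, the <code>/etc/mtab</code> link and an empty apt cache. This is an added example, not part of the original article or of OpenVZ; <code>audit_template</code> is a hypothetical helper name, and <code>stat -c</code> assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a VE private area from the hardware node.
# audit_template is a hypothetical helper, not part of vzctl or OpenVZ.

audit_template() {
    root=$1
    fail=0
    bad() { echo "FAIL: $*"; fail=1; }

    # No SSH host keys may be baked in: every VE created from the
    # template would otherwise share the same host identity.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$f" ]; then bad "host key present: $f"; fi
    done

    # If sshd is installed, the first-boot key generator must be in place.
    if [ -e "$root/usr/sbin/sshd" ] &&
       [ ! -x "$root/etc/rc2.d/S15ssh_gen_host_keys" ]; then
        bad "S15ssh_gen_host_keys missing or not executable"
    fi

    # /root must be mode 700 (chmod 700 /root).
    mode=$(stat -c %a "$root/root" 2>/dev/null || echo missing)
    [ "$mode" = 700 ] || bad "/root mode is $mode, expected 700"

    # usermod -L prepends '!' to root's password field in /etc/shadow.
    pw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null || true)
    case $pw in
        '!'*) ;;
        *) bad "root account is not locked" ;;
    esac

    # /etc/mtab must be a symlink to /proc/mounts.
    [ "$(readlink "$root/etc/mtab")" = /proc/mounts ] ||
        bad "/etc/mtab is not a link to /proc/mounts"

    # apt-get clean must have emptied the package cache.
    for f in "$root"/var/cache/apt/archives/*.deb; do
        if [ -e "$f" ]; then bad "cached package left behind: $f"; fi
    done

    return "$fail"
}

# Usage: sh audit.sh /vz/private/777
if [ "$#" -gt 0 ]; then audit_template "$1"; fi
```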


<big><big>To be continued</big></big>
