Create a directory for the new system. Later steps (<code>vzctl start 777</code>, <code>cd /vz/private/777</code>) assume this directory is the private area of VE 777, i.e. <code>/vz/private/777</code>:
[HW]# mkdir gutsy-chroot
Run debootstrap to install a minimal Ubuntu Gutsy system into that directory:
[HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot
If the architecture of the hardware node (VE0) is the same as the one you want for the VE, you can skip the <code>--arch</code> option; if you need to build an OS template for another architecture, specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386, use <code>i386</code>
==== Setting VE config ====
An initial config for the [[VE]] is needed:
[HW]# vzctl set 777 --applyconfig vps.basic --save
==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in the VE configuration file, for [[vzctl]] to work properly.
[HW]# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
[HW]# vzctl set 777 --ipadd x.x.x.x --save
{{Note|If you use a private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}
==== Setting DNS server for the VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS server for it:
[HW]# vzctl set 777 --nameserver x.x.x.x --save
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
==== Starting VE ====
Now start the VE:
[HW]# vzctl start 777
=== Modify the installation ===
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE). First, enter the VE:
[HW]# vzctl enter 777
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}
==== Remove unneeded packages ====
Some packages do not make sense in a VE. Remove those:
[VE]# rm -fr /lib/udev
==== Disable getty ====
On a usual Linux system, getty is running on virtual terminals, which a VE does not have.
The second way can be dangerous for future versions of system services, but it's OK for now since the only service they carry is running gettys.
==== Set sane permissions for /root directory ====
[VE]# chmod 700 /root
==== Disable root login ====
[VE]# usermod -L root
==== Get new security updates ====
[VE]# apt-get update && apt-get upgrade
<small>This didn't show anything for me, but might do something in the future.</small>
==== Install some more packages ====
[VE]# apt-get install ssh quota
Feel free to add packages which you want to have in a default template to this command.
==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.
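As an added example (not code from the original page), here is a script for the step just described: it removes the host keys from the debootstrapped tree and installs a one-shot init script that generates fresh keys on the VE's first boot. It is run on the hardware node against the VE private area; the path <code>/vz/private/777</code>, the function name and the script name <code>regen-ssh-host-keys</code> are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Wipes the SSH host keys in a
# debootstrapped tree and installs a one-shot init script that generates
# fresh keys on the VE's first boot, so VEs cloned from the template do not
# share one host identity. Root path and script name are assumptions.
#
# Usage on the hardware node: fix_ssh_host_keys /vz/private/777
fix_ssh_host_keys() {
    root="$1"
    # Drop every key pair the chroot's openssh-server generated.
    rm -f "$root"/etc/ssh/ssh_host_*

    # First-boot script: generates only keys that are absent, then removes
    # itself from the boot sequence so it runs exactly once.
    cat > "$root/etc/init.d/regen-ssh-host-keys" <<'EOF'
#!/bin/sh
set -e
for t in rsa dsa; do
    [ -f "/etc/ssh/ssh_host_${t}_key" ] || \
        ssh-keygen -q -t "$t" -N '' -f "/etc/ssh/ssh_host_${t}_key"
done
update-rc.d -f regen-ssh-host-keys remove >/dev/null
rm -f /etc/init.d/regen-ssh-host-keys
EOF
    chmod 755 "$root/etc/init.d/regen-ssh-host-keys"

    # Equivalent of `update-rc.d regen-ssh-host-keys defaults` for the start
    # runlevels, done with plain symlinks so no chroot is needed. S01 sorts
    # before every other start link, including the one that starts sshd.
    for lvl in 2 3 4 5; do
        mkdir -p "$root/etc/rc$lvl.d"
        ln -sf ../init.d/regen-ssh-host-keys \
            "$root/etc/rc$lvl.d/S01regen-ssh-host-keys"
    done
}
```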
==== Disable <code>sync()</code> for syslog ====
Turn off doing <code>sync()</code> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
<pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work, and stop the init script that would recreate <code>/etc/mtab</code> as a regular file:
[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab
[VE]# update-rc.d -f mtab.sh remove
==== Get rid of tmpfs mounts ====
[VE]# sed -i -e '/tmpfs/d' /etc/init.d/mountkernfs.sh
==== Disable some services ====
In most cases you don't want klogd to run (the only exception is if you configure iptables to log some events), so you can disable it:
[VE]# update-rc.d -f klogd remove
==== Clean packages ====
After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command will wipe them out:
[VE]# apt-get clean
==== Set proper hostname and /etc/hosts ====
Set a proper hostname and <code>/etc/hosts</code>:
[VE]# echo "localhost" > /etc/hostname
[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
==== Remove nameserver(s) ====
Remove DNS entries:
[VE]# > /etc/resolv.conf
Now everything is done. Exit from the template and go back to the hardware node.
[VE]# exit
== Preparing and packing template cache ==
The following commands are to be run on the host system (i.e. not inside a VE).
We don't need an IP for the VE anymore, and we definitely do not want it in the template cache, so remove it:
[HW]# vzctl set 777 --ipdel all --save
Stop the VE:
[HW]# vzctl stop 777
Change dir to the VE private area:
[HW]# cd /vz/private/777
Now create the cached OS tarball. In the command below, replace <arch> with your architecture (i386, amd64, ia64, etc.). If your host keeps the template cache under <code>/vz/template/cache</code>, as in the listing below, adjust the path accordingly:
[HW]# tar czf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .
Look at the resulting tarball to see that its size is sane:
[HW]# ls -lh /vz/template/cache
-rw-r--r-- 1 root root 51M Apr 10 03:16 debian-4.0-i386-minimal.tar.gz
== Testing template cache ==
We can now create a VE based on the just-created template cache. Be sure to replace <arch> with your architecture, just like you did when you named the tarball above.
[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal
Now make sure that your new VE works:
[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf
You should see that a few processes are running.
Other tests that could be done are:
[HW]# vzctl enter 123456
[VE]# dpkg -l
[VE]# logout
[HW]#
Feel free to do more tests.
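As an added example that is not part of the original page, the following check goes a step further than looking at the tarball's size: it inspects the packed template cache for the leftovers the procedure above removes (SSH host keys, udev, the apt cache, nameservers) before the cache is used to create VEs. The function name and the 1 MiB default minimum size are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: inspect a freshly packed
# template cache tarball for state that must not be cloned into every VE.
# Prints each finding and returns 0 when clean, 1 otherwise.
#
# Usage: check_template_cache /vz/template/cache/ubuntu-7.10-i386-minimal.tar.gz [min_bytes]
check_template_cache() {
    tarball="$1"
    min="${2:-1048576}"   # assumed floor; a bad `cd` before tar packs the wrong tree
    rc=0
    listing=$(tar tzf "$tarball") || return 1

    # 1. Size sanity, the same check the page does by eye with ls -lh.
    size=$(wc -c < "$tarball" | tr -d ' ')
    [ "$size" -ge "$min" ] || { echo "too small: $size bytes"; rc=1; }

    # 2. Files the procedure creates must be present.
    for want in ./etc/hostname ./etc/hosts ./etc/mtab ./etc/resolv.conf; do
        echo "$listing" | grep -qx "$want" || { echo "missing: $want"; rc=1; }
    done

    # 3. Per-VE secrets and junk the procedure removes must be absent:
    #    SSH host keys, udev, cached .deb packages.
    for bad in './etc/ssh/ssh_host_.*' './lib/udev/.*' \
               './var/cache/apt/archives/.*\.deb'; do
        hit=$(echo "$listing" | grep -x "$bad" | head -n 1)
        [ -z "$hit" ] || { echo "leftover: $hit"; rc=1; }
    done

    # 4. resolv.conf must be empty (the page truncates it before packing).
    resolv=$(tar -xzOf "$tarball" ./etc/resolv.conf 2>/dev/null || :)
    [ -z "$resolv" ] || { echo "resolv.conf not empty: $resolv"; rc=1; }
    return $rc
}
```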
== Final cleanup ==
Stop and remove the test VE you just created:
[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed
Finally, let's remove the VE we used for OS template cache creation:
[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed