== Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x ==
This process uses VMWare to install the OS into a VM, then trims the VM's contents down to only those items suitable for a VPS/VE environment, then saves a snapshot of the system as a host template cache for use in OpenVZ.
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
== Creating the VM ==
Technically, you could probably do this on a hardware PC without VMWare, but VMWare does make it more convenient.
Start by creating a new VM in VMWare.
* The disk and RAM stats can be minimal, as the system will never see live use.
* There is no need to create the entire disk at once during the setup.
* Create the disk as SCSI.
Then install HGL.
* Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
* Set the passwords to 'password'
* Do set the timezone properly. The internal clock does not use UTC/GMT.
* Select the default mouse, but do NOT enable GPM at startup.
* Hostname: template; Domain: internal.lan
* IP config: as appropriate for your LAN
* Nameserver: no
Reboot into your new HGL install, and log in.
== Upgrades and security patches ==
The version of HGL you installed may need some software reinstalled, since new versions and critical bugfixes may have been released since that version of HGL came out. Follow the instructions below, and keep them updated: adjust them for the appropriate versions, and remove paragraphs once a revision of HGL comes out that no longer requires them.
# HGL 4.2 - no necessary upgrades as of Nov 29 2007
== Replace inetd with xinetd ==
Inetd is good but minimal. Xinetd offers security features such as restricting a service to only certain IPs, and listening only on certain interfaces.
<code>
removepkg inetd
rm -f /etc/inetd.conf* /etc/rc.d/rc.inetd
cd /tmp
wget --header="Host: xinetd.org" http://204.152.188.37/xinetd-2.3.14.tar.gz
tar zxvf xinetd*.gz
cd xinetd*
./configure --prefix=/usr --sysconfdir=/etc
make && make install
mkdir /etc/xinetd.d
cat >> /etc/rc.d/rc.local <<EOF
# xinetd
/usr/sbin/xinetd
EOF
cat > /etc/xinetd.conf <<EOF
defaults
{
    log_type       = SYSLOG daemon notice
    log_on_success = HOST EXIT DURATION
    log_on_failure = HOST ATTEMPT
    instances      = 30
    cps            = 50 10
}
includedir /etc/xinetd.d
EOF
</code>
== Nagios: the health monitoring system ==
<code>
groupadd nagios
useradd -g nagios -d /usr/local/nagios -m nagios
echo "nrpe 5666/tcp # Nagios NRPE" >> /etc/services
cd /tmp
wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz
tar zxvf nagios-plugins-*.tar.gz ; cd nagios-plugins-*
./configure && make all && make install
cd /tmp
wget http://umn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.10.tar.gz
tar zxvf nrpe-2.10.tar.gz ; cd nrpe-2.10
./configure && make && cp src/nrpe /usr/local/nagios/nrpe
# remove the plugins we don't use
for plugin in \
  check_wave check_users check_ups check_time check_tcp check_swap check_ssh check_ssmtp \
  check_spop check_simap check_smtp check_sensors check_rpc check_real check_pop check_ping \
  check_overcr check_oracle check_nwstat check_nt check_nntps check_nntp check_nagios \
  check_mysql_query check_mrtgtraf check_mrtg check_log check_jabber check_ircd \
  check_imap check_ifstatus check_ifoperstatus check_icmp check_http check_ftp check_flexlm \
  check_file_age check_dummy check_disk_smb check_dig check_dhcp check_clamd check_by_ssh \
  check_breeze check_apt check_udp
do rm -f /usr/local/nagios/libexec/$plugin ; done
cat > /usr/local/nagios/nrpe.cfg <<EOF
# NRPE Config File
pid_file=/var/run/nrpe.pid
debug=0
command_timeout=60
connection_timeout=300
# And now the list of allowed check-commands:
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -m /
command[check_dns]=/usr/local/nagios/libexec/check_dns www.google.com
command[check_load]=/usr/local/nagios/libexec/check_load -w 5,5,5 -c 8,8,8
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
command[check_mysql]=/usr/local/nagios/libexec/check_mysql -d gisdata -H localhost -u gisdata -p password
command[check_pgsql]=/usr/local/nagios/libexec/check_pgsql -d gisdata -H localhost -l gisdata -p password
command[check_ntp]=/usr/local/nagios/libexec/check_ntp -H pool.ntp.org
command[check_crond]=/usr/local/nagios/libexec/check_procs -u root -c 1: --command=crond
command[check_syslogd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=syslogd
command[check_xinetd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=xinetd
EOF
cat > /etc/xinetd.d/nrpe <<EOF
# description: NRPE for Nagios
service nrpe
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nagios
    server      = /usr/local/nagios/nrpe
    server_args = -c /usr/local/nagios/nrpe.cfg --inetd
    only_from   = __HOSTIP__
}
EOF
</code>
== Fix permissions and ownerships ==
<code>
chown -R nagios:nagios /usr/local/nagios
chmod -R o-rwx /usr/local/nagios
chmod go-rwx /etc/xinetd.d
</code>
== Delete unnecessary stuff ==
<code>
# kernel, kernel modules, documentation, mount points
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
# packages not applicable to a VPS setting, or which we don't use at HostGIS
# e.g. phpMyAdmin and phpPgAdmin are security holes
cd /var/log/packages
for pkg in \
  hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
  mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
  smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
do removepkg $pkg ; done
# most folks don't use GeoServer, so disable it by default
chmod 644 /etc/rc.d/rc.geoserver
# prune init's getty
vi /etc/inittab    # delete everything after entry l6 (runlevel 6)
init q
# clean out the fstab and mtab files
( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
echo "proc /proc proc defaults 0 0" >> /etc/fstab
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab
# the startup sequence and services, even the firewall
cd /etc/rc.d
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
  rc.scanluns rc.serial rc.udev rc.sysvinit rc.firewall
vi rc.syslog   # delete all mentions of klogd
vi rc.local    # delete smartd and inetd
vi rc.M        # delete the setterm entry
vi rc.S        # delete the MOTD clobbering
</code>
== Basic file security settings ==
<code>
# clear out old/dummy SSL certificates
chmod g+rx /var/spool/mqueue
</code>
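As an added check for the xinetd, NRPE and permission steps above (example code written for this page, not part of the HostGIS procedure): a small POSIX shell audit that builds a constructed sample tree under a temp directory and verifies that the xinetd service file carries a specific only_from, that every command[] in nrpe.cfg points at an executable inside libexec, and that nothing under the nagios tree is world-readable. The file names, the 192.0.2.10 address and the plugin stubs are all constructed; on a real template you would point the functions at /etc/xinetd.d/nrpe, /usr/local/nagios/nrpe.cfg and /usr/local/nagios.

```sh
#!/bin/sh
# Added example (not from the HostGIS page): audit the xinetd, NRPE and
# permission settings before the template is zipped up. Everything it
# inspects is a constructed sample tree under a temp dir, not the real
# /etc or /usr/local/nagios; point the functions at the real paths to use it live.

# An xinetd service file must carry a specific only_from; a missing or
# wide-open value means anyone who can reach port 5666 can run NRPE checks.
xinetd_only_from_ok() {
    # usage: xinetd_only_from_ok /etc/xinetd.d/<service>
    val=$(sed -n 's/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]')
    case "$val" in
        ''|0.0.0.0|0.0.0.0/0) return 1 ;;
        *) return 0 ;;
    esac
}

# Every command[] in nrpe.cfg must resolve to an executable inside libexec,
# so the set of checks a client can trigger is exactly what is spelled out.
nrpe_commands_ok() {
    # usage: nrpe_commands_ok nrpe.cfg /usr/local/nagios/libexec
    libexec=$2
    sed -n 's/^command\[[^]]*\]=//p' "$1" | while read -r path args; do
        case "$path" in
            "$libexec"/*) [ -x "$path" ] || { echo "missing plugin: $path" >&2; exit 1; } ;;
            *) echo "command outside libexec: $path" >&2; exit 1 ;;
        esac
    done
}

# nrpe.cfg carries database passwords, so nothing in the tree may be
# world-readable (this is what "chmod -R o-rwx /usr/local/nagios" is for).
no_world_readable() {
    # usage: no_world_readable /usr/local/nagios
    [ -z "$(find "$1" -perm -004 -print)" ]
}

audit_template() {
    # usage: audit_template <xinetd service file> <nrpe.cfg> <nagios dir>
    xinetd_only_from_ok "$1" && nrpe_commands_ok "$2" "$3/libexec" && no_world_readable "$3"
}

# --- constructed sample tree (not a real system) -------------------------
T=$(mktemp -d)
mkdir -p "$T/xinetd.d" "$T/nagios/libexec" "$T/leaky"
cat > "$T/xinetd.d/nrpe" <<'EOF'
service nrpe
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nagios
    server      = /usr/local/nagios/nrpe
    server_args = -c /usr/local/nagios/nrpe.cfg --inetd
    only_from   = 192.0.2.10
}
EOF
# the same service with the restriction opened up (the case the audit must catch)
sed 's#only_from   = 192.0.2.10#only_from   = 0.0.0.0/0#' "$T/xinetd.d/nrpe" > "$T/xinetd.d/nrpe.open"
for p in check_disk check_load; do
    printf '#!/bin/sh\necho OK\n' > "$T/nagios/libexec/$p"
    chmod 750 "$T/nagios/libexec/$p"
done
cat > "$T/nagios/nrpe.cfg" <<EOF
command[check_disk]=$T/nagios/libexec/check_disk -w 20% -c 10% -m /
command[check_load]=$T/nagios/libexec/check_load -w 5,5,5 -c 8,8,8
EOF
# a config that still references check_users, which the plugin clean-up removed
{ cat "$T/nagios/nrpe.cfg"; echo "command[check_users]=$T/nagios/libexec/check_users -w 5 -c 10"; } > "$T/nagios/nrpe.bad.cfg"
chmod -R o-rwx "$T/nagios"
# a copy of the config left world-readable, as a permissions counter-example
cp "$T/nagios/nrpe.cfg" "$T/leaky/nrpe.cfg"; chmod 755 "$T/leaky"; chmod 644 "$T/leaky/nrpe.cfg"

if audit_template "$T/xinetd.d/nrpe" "$T/nagios/nrpe.cfg" "$T/nagios"; then
    echo "hardened sample: PASS"
fi
if audit_template "$T/xinetd.d/nrpe.open" "$T/nagios/nrpe.cfg" "$T/nagios"; then
    echo "open sample: PASS (unexpected)"
else
    echo "open sample: FAIL (expected: only_from is wide open)"
fi
```

The three checks are deliberately independent functions so that each can be run on its own against the real paths once the template is assembled; `audit_template` just chains them.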
== Changes to rc scripts ==
A VPS cannot actually reboot, since there's no power switch to power-cycle the machine; adjust /etc/rc.d/rc.6 with that in mind.
Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem.
<code>
vi /etc/rc.d/rc.6
rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab
</code>
== Blanking settings ==
Lastly, you'll want to delete or blank out a bunch of files so they start fresh
when the VE is booted for its first time.
<code>
# stop all services
killall named proftpd
killall xinetd
# blow away the network configuration with dummy strings for later replacement
# replace the IP address with __IPADDRESS_
# replace the netmask with __NETMASK__
# replace the GATEWAY with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf
# disable the root and user accounts
# by changing the password for root and user to a ! character.
vi /etc/shadow
# refresh the 'locate' cache
updatedb
# clear out temporary files
rm -rf /tmp/*
</code>
== Zipping it up into a cache image ==
A VE cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway. So creating one is simple!
<code>
tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
</code>
Ta-da! That's your new VE template cache. Just SFTP it to the VE server and you're all set!
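As an added example (not part of the HostGIS page) tying together the rc script change, the blanking steps and the tar command: a POSIX shell script that stages a constructed root under a temp directory, verifies that rc.inet1.conf holds the page's placeholders (spelled exactly as the page has them, __IPADDRESS_ included) with no literal address left behind, that root and user are locked with a bare ! in shadow, and that /etc/mtab is the /proc/mounts symlink; it then packs the tree with the same /proc, /sys and /tmp exclusions and confirms none of those entries landed in the archive. The rc.inet1.conf keys (IPADDR, NETMASK, GATEWAY) follow Slackware's format; the shadow entries and all file contents are constructed.

```sh
#!/bin/sh
# Added example (not from the HostGIS page): final checks on a staged
# template root before it is tarred up. Works on a constructed tree under
# a temp dir, not on a live system's /.

# rc.inet1.conf must hold the page's placeholders and no literal address.
placeholders_present() {
    # usage: placeholders_present /etc/rc.d/rc.inet1.conf
    grep -q '__IPADDRESS_' "$1" && grep -q '__NETMASK__' "$1" && grep -q '__GATEWAY__' "$1"
}
no_live_addresses() {
    ! grep -Eq '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1"
}

# The password field of each named account must be a bare "!" (locked).
accounts_locked() {
    # usage: accounts_locked /etc/shadow root user
    shadow=$1; shift
    for u in "$@"; do
        [ "$(awk -F: -v u="$u" '$1 == u { print $2 }' "$shadow")" = "!" ] || return 1
    done
}

# /etc/mtab must be the /proc/mounts symlink from the rc script section.
mtab_is_symlink() {
    # usage: mtab_is_symlink <staged root>
    [ "$(readlink "$1/etc/mtab")" = "/proc/mounts" ]
}

# Pack the tree the way the page does (relative to the staged root here),
# then prove nothing under /proc, /sys or /tmp made it into the archive.
build_cache() {
    # usage: build_cache <staged root> <output tar.gz>
    tar --exclude='./sys/*' --exclude='./proc/*' --exclude='./tmp/*' -zcf "$2" -C "$1" .
}
archive_clean() {
    ! tar tzf "$1" | grep -Eq '^\./(proc|sys|tmp)/.'
}

finalize_and_zip() {
    # usage: finalize_and_zip <staged root> <output tar.gz>
    placeholders_present "$1/etc/rc.d/rc.inet1.conf" || { echo "placeholders missing in rc.inet1.conf" >&2; return 1; }
    no_live_addresses "$1/etc/rc.d/rc.inet1.conf" || { echo "literal address left in rc.inet1.conf" >&2; return 1; }
    accounts_locked "$1/etc/shadow" root user || { echo "root/user not locked in shadow" >&2; return 1; }
    mtab_is_symlink "$1" || { echo "/etc/mtab is not a symlink to /proc/mounts" >&2; return 1; }
    build_cache "$1" "$2" && archive_clean "$2"
}

# --- constructed staged root (not a real system) -------------------------
R=$(mktemp -d); OUT="$R.tar.gz"
mkdir -p "$R/etc/rc.d" "$R/proc" "$R/sys" "$R/tmp" "$R/usr/bin"
cat > "$R/etc/rc.d/rc.inet1.conf" <<'EOF'
IPADDR[0]="__IPADDRESS_"
NETMASK[0]="__NETMASK__"
USE_DHCP[0]=""
GATEWAY="__GATEWAY__"
EOF
cat > "$R/etc/shadow" <<'EOF'
root:!:13846:0:99999:7:::
user:!:13846:0:99999:7:::
bin:*:13846:0:99999:7:::
EOF
ln -s /proc/mounts "$R/etc/mtab"
printf '#!/bin/sh\n' > "$R/usr/bin/foo"
# runtime junk that must be excluded; the files under tmp double as the bad samples
printf 'processor : 0\n' > "$R/proc/cpuinfo"
printf 'x\n' > "$R/sys/kernel"
sed 's/__IPADDRESS_/192.0.2.55/' "$R/etc/rc.d/rc.inet1.conf" > "$R/tmp/rc.inet1.live"
sed 's/^root:!:/root:$1$constructed$hash:/' "$R/etc/shadow" > "$R/tmp/shadow.unlocked"

if finalize_and_zip "$R" "$OUT"; then
    echo "template cache written to $OUT"
fi
```

The exclusions are written as `./proc/*` rather than the page's `/proc/*` because the archive is built with `-C <root> .` from a staged directory; when run against a real `/` the page's absolute patterns apply unchanged.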