* <code>/usr/lib/debootstrap/scripts/gutsy</code> file
The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a container). If you don't have <code>debootstrap</code> installed, this is the command to install it:
 # apt-get install debootstrap
=== vzctl ===
You need vzctl-3.0.22 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your Ubuntu Gutsy container. See {{bug|662}} for details.
Note: Older versions of vzctl work if you install <code>sysvinit</code> (which will remove <code>upstart</code>). The only problem I had was that the network did not start, so I added "/etc/init.d/networking restart" to /etc/rc.local.
 [HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot 
If the architecture of the hardware node (CT0) is the same as the one you want for the container, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386, use <code>i386</code>
=== Preparing/starting a container ===
Now that you have an installation created by <code>debootstrap</code>, you can run it as a container. In the example below a CT ID of 777 is used; of course you can use any other non-allocated ID.
{{Note|an alternative way is using chroot instead of running a container. This is not recommended because of security concerns.}}
==== Moving installation to container private area ====
You should move the contents of the gutsy-chroot directory into the new container private area, like this:
 # mv gutsy-chroot /vz/private/777
==== Setting container config ====
An initial config for the [[container]] is needed:
 # vzctl set 777 --applyconfig vps.basic --save
==== Setting container OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in the container configuration file, for [[vzctl]] to work properly.
 # echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
==== Setting container IP address ====
For the [[container]] to be able to download updates from the Internet, we need a valid IP address for it:
 # vzctl set 777 --ipadd x.x.x.x --save
{{Note|if you use a private IP for the container, you have to set up NAT as described in [[Using NAT for container with private IPs]].}}
==== Setting DNS server for the container ====
For the [[container]] to be able to download updates from the Internet, we also need to specify a DNS server for it:
 # vzctl set 777 --nameserver x.x.x.x --save
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
==== Starting container ====
Now start the container:
 # vzctl start 777
=== Modify the installation ===
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a container).
First, enter the container:
 # vzctl enter 777
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the container!}}
==== Remove unneeded packages ====
Some packages do not make sense in a container, or are really optional. Remove those:
 [CT]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
   udev pcmciautils initramfs-tools volumeid console-setup \
   xkb-data usbutils mii-diag alsa-base alsa-utils ethtool
Clean up after udev:
 [CT]# rm -fr /lib/udev
==== Disable getty ====
On a usual Linux system, getty runs on virtual terminals, which a container does not have. So having getty running makes no sense; worse, it complains that it cannot open the terminal device, and this clutters the logs.
So, first of all we stop all getty processes:
 [CT]# initctl stop tty{1,2,3,4,5,6}
Next, we disable running getty. This can be done in two ways:
First way:
 [CT]# rm /etc/event.d/tty*
Second way:
 [CT]# dpkg -P system-services
The second way can be dangerous with future versions of system-services, but it's OK for now since the only service that package carries is running gettys.
==== Set sane permissions for /root directory ====
 [CT]# chmod 700 /root
==== Disable root login ====
 [CT]# usermod -L root
==== "fake-modprobe" needed for IPv6 addresses ====
 [CT]# ln -s /bin/true /sbin/modprobe
<small>When IPv6 is set up, the command "modprobe -Q IPv6" is called, which fails without the "fake-modprobe".</small>
==== Get new security updates ====
 [CT]# apt-get update && apt-get upgrade
<small>This didn't show anything for me, but might do something in the future.</small>
==== Install some more packages ====
 [CT]# apt-get install ssh quota
Feel free to add packages which you want to have in a default template to this command.
==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[container]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[container]] to create new SSH keys on first boot.
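One way to do what this section describes, as an added example that is not the wiki's own script: wipe the host keys and install a self-removing init script that regenerates them on the container's first boot. It assumes the <code>ssh</code> package installed above (so <code>ssh-keygen</code> exists) and a template root given as argument (<code>/</code> inside the container, or <code>/vz/private/777</code> from the hardware node).

```shell
#!/bin/sh
# Added example, not the wiki's own script: remove the template's SSH host
# keys and install a one-shot init script that regenerates them on the
# container's first boot. ROOT is the template tree: / when run inside the
# container, or /vz/private/777 when run from the hardware node.
set -eu

wipe_ssh_host_keys() {
    root=$1
    # Keys baked into the template would be shared by every container created
    # from it, so remove every key type that is present.
    rm -f "$root"/etc/ssh/ssh_host_*
}

install_ssh_keygen_hook() {
    root=$1
    hook=$root/etc/init.d/ssh_gen_host_keys
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d"
    # The hook runs once, before sshd starts, and then deletes itself.
    cat > "$hook" <<'EOF'
#!/bin/sh
# One-shot: generate fresh SSH host keys, then remove this script.
[ -f /etc/ssh/ssh_host_rsa_key ] || ssh-keygen -q -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
[ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -q -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
rm -f /etc/rc2.d/S15ssh_gen_host_keys /etc/init.d/ssh_gen_host_keys
EOF
    chmod 755 "$hook"
    # Low sequence number so it is ordered before sshd's own rc2.d link.
    ln -sf ../init.d/ssh_gen_host_keys "$root/etc/rc2.d/S15ssh_gen_host_keys"
}

# Succeeds only if no host key remains and the hook is installed and executable.
check_template_ssh_state() {
    root=$1
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] && return 1
    done
    [ -x "$root/etc/init.d/ssh_gen_host_keys" ] &&
        [ -L "$root/etc/rc2.d/S15ssh_gen_host_keys" ]
}
```

Inside the container, run <code>wipe_ssh_host_keys /</code> followed by <code>install_ssh_keygen_hook /</code>; <code>check_template_ssh_state /</code> then confirms the template carries no host key.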
==== Make syslog write asynchronously ====
Prefix every file under <code>/var/log/</code> in <code>/etc/syslog.conf</code> with <code>-</code>, so syslog does not sync the file after every message:
 <pre>[CT]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 [CT]# rm -f /etc/mtab
 [CT]# ln -s /proc/mounts /etc/mtab
After that, it would make sense to disable the <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
 [CT]# update-rc.d -f mtab.sh remove
In most cases you don't want klogd to run (the only exception is if you configure iptables to log some events), so you can disable it:
 [CT]# update-rc.d -f klogd remove
==== Hostname ====
Set proper hostname:
 [CT]# echo "localhost" > /etc/hostname
==== Set /etc/hosts ====
 [CT]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
==== Add ptys to /dev ====
This is needed in case /dev/pts will not be mounted after the container starts. If the /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter the container.
 [CT]# cd /dev && /sbin/MAKEDEV ptyp
==== Remove nameserver(s) ====
Remove DNS entries:
 [CT]# > /etc/resolv.conf
==== Clean packages ====
After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command will wipe them out.
 [CT]# apt-get clean
==== Cleaning up log files ====
 [CT]# cd /var/log
 [CT]# > messages; > auth.log; > kern.log; > bootstrap.log
 [CT]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
 [CT]# rm -f *.0 *.1
==== Anything else? ====
Think of what else could be done to better suit your needs.
==== Exit from the VE container ====
Now everything is done.  Exit from the template and go back to the hardware node.
 [CT]# exit
== Preparing for and packing template cache ==
The following commands are to be run in the host system (i.e. not inside a container).
We don't need an IP for the container anymore, and we definitely do not need it in the template cache, so remove it:
 [HW]# vzctl set 777 --ipdel all --save
Stop the container:
 [HW]# vzctl stop 777
Change dir to the container private area:
 [HW]# cd /vz/private/777
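Before packing, it is worth checking that none of the cleanup and hardening steps above was skipped. The following audit script is an added example, not part of this wiki page; it assumes the stopped container's private area (here <code>/vz/private/777</code>) is passed as its argument and is inspected from the hardware node.

```shell
#!/bin/sh
# Added example, not from the wiki: audit the stopped template tree against
# the cleanup and hardening steps above before packing it. ROOT is the
# container private area, e.g. /vz/private/777, inspected from the hardware
# node. Prints one line per failed check and returns the number of failures.
set -u

audit_template() {
    root=$1
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # usermod -L prefixes the shadow hash with '!'; note this locks only the
    # password, so an authorized_keys file for root would still allow SSH logins.
    grep -q '^root:!' "$root/etc/shadow" 2>/dev/null || fail "root account not locked"
    [ "$(stat -c %a "$root/root" 2>/dev/null)" = 700 ] || fail "/root is not mode 700"
    # upstart getty jobs must be gone; a container has no virtual terminals
    for f in "$root"/etc/event.d/tty*; do
        [ -e "$f" ] && fail "getty job left behind: ${f#$root}"
    done
    # per-container state that must never be shipped in a template
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && fail "SSH host key in template: ${f#$root}"
    done
    [ ! -s "$root/etc/resolv.conf" ] || fail "/etc/resolv.conf still lists nameservers"
    # shims the article installs
    [ "$(readlink "$root/etc/mtab" 2>/dev/null)" = /proc/mounts ] || fail "/etc/mtab is not a link to /proc/mounts"
    [ "$(readlink "$root/sbin/modprobe" 2>/dev/null)" = /bin/true ] || fail "/sbin/modprobe is not the fake modprobe"
    # apt cache and rotated logs should have been cleaned
    for f in "$root"/var/cache/apt/archives/*.deb "$root"/var/log/*.0 "$root"/var/log/*.1; do
        [ -e "$f" ] && fail "leftover file: ${f#$root}"
    done
    return "$fails"
}
```

Run it as <code>audit_template /vz/private/777</code>; a non-zero exit status means something listed above is still in the tree.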
== Testing template cache ==
We can now create a container based on the just-created template cache. Be sure to replace <code><arch></code> with your architecture (e.g. <tt>i386</tt>), just like you did when you named the tarball above.
 [HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal
Now make sure that your new container works:
 [HW]# vzctl start 123456
 [HW]# vzctl exec 123456 ps axf
Other tests that could be done are:
 [HW]# vzctl enter 123456
 [CT]# ps axf
 [CT]# mount
 [CT]# dpkg -l
 [CT]# logout
 [HW]#
== Final cleanup ==
Stop and remove the test container you just created:
 [HW]# vzctl stop 123456
 [HW]# vzctl destroy 123456
 [HW]# rm -f /etc/vz/conf/123456.conf.destroyed
Finally, let's remove the container we used for OS template cache creation:
 [HW]# vzctl destroy 777
 [HW]# rm -f /etc/vz/conf/777.conf.destroyed
