OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Debian template creation

2015-05-19T05:45:05Z

Boernie: /* Preparing for and packing template cache */

These are rough instructions of how to manually create basic Debian template cache, which can be used to create OpenVZ [[VE]]s based on Debian.

{{Warning|The recommended way is '''not to follow''' the below instructions, but to use the official Debian templates, modifying those to your needs.}}

'''Notes:'''
* You shouldn't be running as root, but as a user that is permitted to use sudo instead. It's a dangerous idea, run as root at your peril.
* Anywhere you see <tt>/vz</tt>, you might really need to use <tt>/var/lib/vz</tt> instead, especially on a Debian Etch host.
* Anywhere you see <tt>http://http.us.debian.org/debian/</tt>, you can substitute your favorite Debian mirror. ([http://www.debian.org/mirror/list List of official Debian Mirrors])
* See also: <tt>/usr/share/doc/vzctl/README.Debian</tt> in the ''vzctl'' Debian package

== Prerequisites ==

You need to have a working copy of <tt>debootstrap</tt> running on your hardware node.

For Debian:
sudo apt-get install debootstrap

For Gentoo:
sudo emerge debootstrap

For Fedora (at least Fedora 8 have it, not sure about earlier versions):
sudo yum install debootstrap

For other distros you might need to install it from sources, or search for an appropriate package for your distribution. An RPM is available on the [http://forum.openvz.org/index.php?t=tree&th=142&mid=584 OpenVZ Forum].

== Bootstrapping Debian ==

You can install different releases of Debian into a VE's private directory using the debootstrap command.

The command parameters are:

debootstrap --arch ARCH NAME DIRECTORY URL

Specify your architecture instead of <tt>i386</tt> if you're using something other than i386/x86. For example, for AMD64/x86_64, use <tt>amd64</tt> or for ia64, use <tt>ia64</tt>. You can use http or ftp in the URL.

We use VE ID of 777 for this example, but it can be any unused ID.

=== Wheezy (current stable) ===

debootstrap --arch i386 wheezy /vz/private/777 http://http.us.debian.org/debian/
or
debootstrap --arch amd64 wheezy /vz/private/777 http://ftp.us.debian.org/debian/

=== Squeeze (current oldstable) ===

debootstrap --arch i386 squeeze /vz/private/777 http://http.us.debian.org/debian/
or
debootstrap --arch amd64 squeeze /vz/private/777 ftp://ftp.us.debian.org/debian/

=== Lenny (old release) ===

debootstrap --arch i386 lenny /vz/private/777 http://archive.debian.org/debian/

=== Etch (old release) ===

debootstrap --arch i386 etch /vz/private/777 http://http.us.debian.org/debian/

=== Sarge (very old release) ===

debootstrap sarge /vz/private/777 http://archive.debian.org/debian

== Preparing the HN network ==
Append the following lines to /etc/sysctl.conf, adjust to taste and then execute "sysctl -p" for them to take effect.
### OpenVZ settings

# On Hardware Node enable packet forwarding to forward
# packets between the HN network interfaces and venet.
# Proxy arp is needed when CT is in a different subnet
# or when using veth AND veth is not bridged to a HN
# interface. When veth is bridged to a HN interface,
# the CT handles its own arps.

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

== Preparing and starting the VE ==

=== Setting VE config ===
First, we need a config for the [[VE]]:
sudo vzctl set 777 --applyconfig vps.basic --save

On debian squeeze only the following worked for me (''confirmed''), because the standard template names in /etc/vz/conf have changed.
sudo vzctl set 777 --applyconfig basic --save

=== Setting VE OSTEMPLATE ===
Also, we need <tt>OSTEMPLATE</tt> to be set in VE configuration file, for [[vzctl]] to work properly.

sudo sh -c 'echo OSTEMPLATE=\"debian-6.0\"' >> /etc/vz/conf/777.conf

=== Setting VE IP address ===
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
sudo vzctl set 777 --ipadd x.x.x.x --save

{{Note|if you use private IP for the VE, you might have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

=== Setting DNS server for VE ===
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
sudo vzctl set 777 --nameserver x.x.x.x --save

=== Creating /dev/ptmx ===
The ptmx character device should normally exist, but if it doesn't, create one.
sudo mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2

=== Starting VE ===
Now start the VE:
sudo vzctl start 777

== Customizing the installation ==
A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration (note: if running a wheezy container on a squeeze hardware node, you'll need to manually install a newer version of vzctl (the one from wheezy will be fine - http://packages.debian.org/wheezy/vzctl) due to this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683454 - without making this change, the enter command will hang). Exporting the path is optional.
sudo vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}

=== Set Debian repositories ===
The list shown is for wheezy, and downloading from US located servers - adjust your release name and mirror location as necessary
cat <<EOF > /etc/apt/sources.list
deb http://http.us.debian.org/debian wheezy main contrib
deb http://security.debian.org wheezy/updates main contrib
deb http://http.us.debian.org/debian wheezy-updates main
## backports - ONLY IF YOU KNOW WHAT YOU DO
# deb http://http.us.debian.org/debian-backports/ wheezy-backports main
EOF

=== Get new security updates ===
apt-get update
apt-get upgrade

=== Install some more packages ===
Installing packages could be an interactive process so the system might ask some questions. You can install more packages if you'd like. For example:
apt-get install ssh quota less

=== Set sane permissions for <tt>/root</tt> directory ===
chmod 700 /root

=== Disable root login ===
This will disable root login by default.
usermod -L root

=== Disable getty ===
Disable running <tt>getty</tt>s on terminals as a VE does not have any:
sed -i -e '/getty/d' /etc/inittab

=== Disable <tt>sync()</tt> for syslog ===
Turn off doing <tt>sync()</tt> on every write for <tt>syslog</tt>'s log files, to improve I/O performance:
<pre>sed -i -e 's@$[[:space:]]$$/var/log/$@\1-\2@' /etc/*syslog.conf</pre>

=== Fix <tt>/etc/mtab</tt> ===
Link <tt>/etc/mtab</tt> to <tt>/proc/mounts</tt>, so <tt>df</tt> and friends will work:
rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab

=== Remove some unneeded packages ===
If you have any packages you'd like to remove, now's the time for it. Here's an example — note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

=== Disable services ===

Do not start some services, stick to bare minimum. This step is release dependent.

==== for Jessie ====

<source lang="bash">
# turn off and stop some services
for i in bind9 quotarpc fetchmail ondemand rsync uuidd wide-dhcpv6-client; do
systemctl stop $i
systemctl disable $i
done

# for upstart services comment out the start on in confs
for i in nmbd smbd samba-ad-dc rpcbind; do
systemctl disable $i
done
</source>

==== for Squeeze ====

update-rc.d-insserv -f klogd remove
update-rc.d-insserv -f quotarpc remove
update-rc.d-insserv -f exim4 remove
update-rc.d-insserv -f inetd remove

==== for older releases (Lenny, Sarge etc.) ====

update-rc.d -f klogd remove
update-rc.d -f quotarpc remove
update-rc.d -f exim4 remove
update-rc.d -f inetd remove

=== Fix SSH host keys ===
This is only useful if you installed SSH. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.

==== for Jessie ====

<source lang="bash">
# Save /etc/rc.local copy
mv /etc/rc.local /etc/rc.local.orig

# ssh host keys hack
echo "#!/bin/sh
rm -f etc/ssh/ssh_host_*
/usr/bin/ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
/usr/bin/ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
/usr/bin/ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key
/usr/bin/ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
/usr/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
systemctl restart ssh
mv -f /etc/rc.local.orig /etc/rc.local
" > /etc/rc.local

chmod a+x /etc/rc.local
</source>

==== for Squeeze ====

rm -f /etc/ssh/ssh_host_*

<source lang="bash">
cat << EOF > /etc/init.d/ssh_gen_host_keys
#!/bin/sh
### BEGIN INIT INFO
# Provides: Generates new ssh host keys on first boot
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description: Generates new ssh host keys on first boot
### END INIT INFO
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f \$0
EOF
</source>
chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys

==== for older releases (Lenny, Sarge etc.) ====


<source lang="bash">
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/bash
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</source>

=== Change timezone ===

You might want to change timezone if you do not live in $UTC. The following example is for Germany

<source lang="bash">
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
</source>
or even better
<source lang="bash">
dpkg-reconfigure tzdata
</source>

=== Create vzfifo script (for Jessie only) ===

This step is required '''for Jessie only''' (and is handled automatically by vzctl for earlier Debian releases). It ensures that <code>vzctl start --wait</code> works as expected.

<source lang="bash">
# Create vzfifo service
cat >> /lib/systemd/system/vzfifo.service << EOF
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

[Unit]
Description=Tell that Container is started
ConditionPathExists=/proc/vz
ConditionPathExists=!/proc/bc
After=multi-user.target quotaon.service quotacheck.service

[Service]
Type=forking
ExecStart=/bin/touch /.vzfifo
TimeoutSec=0
RemainAfterExit=no
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
EOF

# Enable service
for service in vzfifo; do
systemctl enable $service > /dev/null 2>&1
done
</source>

=== Clean packages ===
After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.
apt-get --purge clean

Now everything is done. Exit from the template and go back to the hardware node.
exit

== Preparing for and packing template cache ==

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
sudo vzctl set 777 --ipdel all --save

Also, remove DNS server and search domain information from ''/etc/resolv.conf'' file '''in VE''':
sudo editor /vz/private/777/etc/resolv.conf

Also, remove ''/etc/hostname'' file '''in VE''':
sudo rm -f /vz/private/777/etc/hostname

Stop the VE:
sudo vzctl stop 777

Go to the VE directory:
cd /vz/private/777

For newer OpenVZ kernel and [[ploop]] VE: (mount VE)
mkdir /mnt/new_template
mount -t ploop /vz/private/777/root.hdd/DiskDescriptor.xml /mnt/new_template
cd /mnt/new_template

Now create a cached OS tarball. In the command below, you'll want to replace <tt>i386</tt> with your architecture (i386, amd64, ia64, etc).
sudo tar --numeric-owner -zcf /vz/template/cache/debian-5.0-i386-minimal.tar.gz .

For newer OpenVZ kernel and [[ploop]] VE: (unmount VE)
umount /mnt/template

Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache
-rw-r--r-- 1 root root 51M Apr 10 03:16 debian-5.0-i386-minimal.tar.gz

== Checking if template cache works ==
We can now create a VE based on the just-created template cache. Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
sudo vzctl create 123456 --ostemplate debian-5.0-i386-minimal

Now make sure that it works:
sudo vzctl start 123456
sudo vzctl exec 123456 ps ax

You should see that a few processes are running.

== Final cleanup ==
Stop and remove the test VE you just created:
sudo vzctl stop 123456
sudo vzctl destroy 123456
sudo rm /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:
sudo vzctl destroy 777
sudo rm /etc/vz/conf/777.conf.destroyed

You might want to edit /etc/vz/vz.conf and change DEF_OSTEMPLATE to the name of the template you use most often so that you don't have to specify the template when creating a VE.
DEF_OSTEMPLATE="debian-6.0-i386-minimal"
If you use iptables, you might want to include additional modules in the list for IPTABLES in /etc/vz/vz.conf. See ''man vzctl'' for a list of available modules.

[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Debian]]

A managed OpenVZ installation

2009-07-21T07:47:40Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answered.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i waits until you give a right answer. So it is a really good thing because you could leave something open and use the same preseed file for different hardware boxes e.g. one hardware has one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your cdrom-drive and boot the server. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As an example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it finds no answer in the preseed file it will hold until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i always uses the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare (Guest) servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note that I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually

#This is our APT-PROXY address
d-i mirror/http/hostname string youraptproxy:9999

d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true

#NTP Server
d-i clock-setup/ntp-server string yourtimeserver

#The partition setup, be careful!
#By default the OpenVZ debian packages are using /var/lib/vz
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999

#Our private internal repository for some packages
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false

#The encrypted root password (this is only an example :) )
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard

#Additional base packages
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz

#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring and therefore depends on the hns-zabbix-agentd package
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template for automated guest-installation
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and it is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site we use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==Further information==

For further information on the particular tools like apt-proxy/Debian repository/... we will add some documentation links!
Write us if you have questions or if you want to see practical documentations on some of the tools.

==References==
<references/>

A managed OpenVZ installation

2009-07-21T07:45:08Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answered.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i waits until you give a right answer. So it is a really good thing because you could leave something open and use the same preseed file for different hardware boxes e.g. one hardware has one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your cdrom-drive and boot the server. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As an example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it finds no answer in the preseed file it will hold until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i always uses the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare (Guest) servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note that I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually

#This is our APT-PROXY address
d-i mirror/http/hostname string youraptproxy:9999

d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true

#NTP Server
d-i clock-setup/ntp-server string yourtimeserver

#The partition setup, be careful!
#By default the OpenVZ debian packages are using /var/lib/vz
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999

#Our private internal repository for some packages
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false

#The encrypted root password (this is only an example :) )
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard

#Additional base packages
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz

#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring and therefore depends on the hns-zabbix-agentd package
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template for automated guest-installation
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and it is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site we use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==Further information==

For further information on the particular tools like APT-Proxy/Debian Repository/... we will add some documentation links!
Write us if you have questions or if you want to see practical documentations on some of the tools.

==References==
<references/>

A managed OpenVZ installation

2009-07-21T07:42:07Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answered.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i waits until you give a right answer. So it is a really good thing because you could leave something open and use the same preseed file for different hardware boxes e.g. one hardware has one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your cdrom-drive and boot the server. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As an example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it finds no answer in the preseed file it will hold until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i always uses the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare (Guest) servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note that I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually

#This is our APT-PROXY address
d-i mirror/http/hostname string youraptproxy:9999

d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true

#NTP Server
d-i clock-setup/ntp-server string yourtimeserver

#The partition setup, be careful!
#By default the OpenVZ debian packages are using /var/lib/vz
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999

#Our private internal repository for some packages
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false

#The encrypted root password (this is only an example :) )
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard

#Additional base packages
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz

#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring and therefore depends on the hns-zabbix-agentd package
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template for automated guest-installation
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and it is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site we use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==Furthure information==

For furthure information on the particular tools like APT-Proxy/Debian Repository/... we will add some documentation links!

==References==
<references/>

A managed OpenVZ installation

2009-07-21T07:39:01Z

Boernie:

A managed OpenVZ installation

2009-07-21T07:31:03Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answered.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i waits until you give a right answer. So it is a really good thing because you could leave something open and use the same preseed file for different hardware boxes e.g. one hardware has one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your cdrom-drive and boot the server. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As an example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it finds no answer in the preseed file it will hold until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i always uses the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare (Guest) servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note that I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually

#This is our APT-PROXY address
d-i mirror/http/hostname string youraptproxy:9999

d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true

#NTP Server
d-i clock-setup/ntp-server string yourtimeserver

#The partition setup, be careful!
#By default the OpenVZ debian packages are using /var/lib/vz
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999

#Our private internal repository for some packages
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false

#The encrypted root password (this is only an example :) )
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard

#Additional base packages
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz

#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==References==
<references/>

A managed OpenVZ installation

2009-07-21T07:29:23Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answered.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i waits until you give a right answer. So it is a really good thing because you could leave something open and use the same preseed file for different hardware boxes e.g. one hardware has one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your cdrom-drive and boot the server. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As an example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it finds no answer in the preseed file it will hold until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i always uses the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare (Guest) servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note that I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually

''#This is our APT-PROXY address''
d-i mirror/http/hostname string youraptproxy:9999

d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true

''#NTP Server''
d-i clock-setup/ntp-server string yourtimeserver

''#The partition setup – be careful!
#By default the OpenVZ debian packages are using /var/lib/vz''
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999

''#Our private internal repository for some packages''
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false

''#The encrypted root password (this is only an example :) )''
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard

''#Additional base packages''
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz

''#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management''
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==References==
<references/>

A managed OpenVZ installation

2009-07-21T07:14:05Z

Boernie:

This article will show a managed installation of OpenVZ based on Debian Lenny (Debian 5.0) and some other interesting software pieces like PuppetMaster. It is mainly written to show how to manage more than one OpenVZ server in a production environment.

==Pre-Requirements==

You should know this software, because it is used during the setup.

If you have any further questions, please feel free to contact us.

Software list:
* Debian Installer and preseed <ref>http://wiki.debian.org/DebianInstaller/Preseed</ref>
* Apt-Proxy <ref>http://apt-proxy.sourceforge.net/</ref>
* Private Debian repository <ref>http://mirrorer.alioth.debian.org/</ref>
* Puppet Master <ref>http://reductivelabs.com/products/puppet/</ref>

==The Debian preseed setup==

At first some basics. To use a so called "preseed" file it is good to know what it is. The Debian installation is done with the "Debian Installer", short d-i. This d-i normally is a ncurses based console application that asks you some questions about your timezone, your partition setup, your network and so on. All this questions could be answered trough a preseed file. In this file some or all questions could be answerd.

Now it is good to know that if you do not answer a question or if a question pops up which is not in the preseed file, the d-i wait until you give a right answer. So it is a really good thing because you could leave some thing open and use the same preseed file for different hardware boxes e.g. one hardware have one network interface, another hardware has four network interfaces.

Also it is good to know that you can use the preseed file to answer questions from any Debian package which is using the debconf interface, for example postfix.

===How to start the preseed setup===

Simply download the Netinstall CD from a Debian mirror put it in your drive an boot the computer. After booting from the CD you should see the Debian Grub Boot menu. In this menu you should select the "Advanced Option" and in the following menu place your cursor on "Automated install" - '''but do not press enter!'''

You have to edit this boot menu entry by pressing the '''TAB''' key. Now you can append the '''URL''' option to the end of this boot line. Now press enter and continue the setup. Here is an example and a screen shot.

URL=http://yourserver:yourport/yourpreseedfile

[[Image:Notbuu_1_preseed.png|200px|thumb|Grub menu screen]]

As example here is our preseed file:

===During the preseed setup===

If the d-i faces a question where it founds no answer in the preseed file it will hold on until you answer the question. The d-i will not cancel the installation process.

This is an interesting feature because you could use one file for different hardware setups. For example, if you have not configured that the d-i to always use the eth0 device during setup and there is more then one network card in your hardware, the d-i will wait until you choose one device.

[[Image:Notbuu_2_preseed.png|200px|thumb|d-i wait for answer]]

====Additional informations====

At our site we use different preseed files for different purposes. As example one preseed for VMWare servers etc...
All our preseed files are placed on a webserver but you should know that it is also possible to integrate the preseed process into a self made Debian installation medium.

==The apt-proxy==

The Debian Netinstall CD covers only a minimal system. So if you need more packages like rsync or others you have to connect to the internet. Without choosing a Debian mirror during the setup, the setup could not continue. If you use Debian OpenVZ Servers and Debian based Virtual Private Server at your site, you should use an apt-proxy to cache the downloaded packages. After the first setup this will speed up your installation time by factors!

The apt-proxy setup is as easy as 1-2-3 go.

Here is the preseed file, please note the I have removed the comments but I make some explanations for clearer understanding:

<pre>
d-i debian-installer/locale string en_US.UTF8
d-i console-keymaps-at/keymap select de-latin1-nodeadkeys
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string enter information manually
#This is our APT-PROXY address
d-i mirror/http/hostname string youraptproxy:9999
d-i mirror/http/directory string /debian
d-i mirror/suite string stable
d-i clock-setup/ntp boolean true
#NTP Server
d-i clock-setup/ntp-server string yourtimeserver
#The partition setup – be careful!
#By default the OpenVZ debian packages are using /var/lib/vz
d-i partman-auto/method string lvm
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto/expert_recipe string \
boot-root :: \
150 150 150 ext3 \
$primary{ } $bootable{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /boot } \
. \
5120 5120 5120 ext3 \
$primary{ } method{ format } format{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ / } \
. \
500 10000 1000000000 ext3 \
method{ format } format{ } $lvmok{ } \
use_filesystem{ } filesystem{ ext3 } \
mountpoint{ /var } \
. \
4096 4096 4096 linux-swap \
method{ swap } format{ } $lvmok { } \
.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition \
select Finish partitioning and write changes to disk
d-i partman/confirm boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Vienna
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/security_host youraptproxy:9999
#Our private internal repository for some packages
d-i apt-setup/local0/repository string \
http://yourprivaterepository:10000/debian hns stable
d-i apt-setup/local0/key string http://yourprivaterepository:10000/PublicKey
d-i passwd/make-user boolean false
#The encrypted root password (this is only an example :) )
d-i passwd/root-password-crypted password $1$v4rfe7wv$gEkbCLxCPhKaj92s.uJbD1
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
tasksel tasksel/first multiselect standard
#Additional base packages
d-i pkgsel/include string openssh-server build-essential vim snmpd lib32z1-dev rsync ntp ntpdate
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
select 1024x768 @ 60 Hz
#Packages that gets installed AFTER the base installation
#hns* packages are build by our own to fasten the setup and management
d-i preseed/late_command string apt-install hp-health hp-snmp-agents hpsmh \
hp-smh-templates hpacucli cpqacuxe ethtool linux-headers-2.6-openvz-amd64 \
linux-image-2.6-openvz-amd64 vzctl vzquota hns-zabbix-agentd hns-openvz-common \
hns-openvz-ubuntu-hosting hns-puppet firmware-qlogic
</pre>

==The private Debian repository==

In our case the private repository is an essential factor because it will provide you with a fast software roll out, replicable software and consistent system state trough a large number of setups.

It is quite easy to setup your own repository with reprepro <ref>http://mirrorer.alioth.debian.org/</ref> and it is really useful.

As you can see in the preseed file we have a lot of this packages in our repository. Some examples:

*hns-zabbix-agentd
:is used for the automated installation of the Zabbix System Monitoring Agent.<ref>http://www.zabbix.com/</ref>
*hns-openvz-common
:creates a backup cronjob and installs a backup script
:installs a set of scripts for Zabbix monitoring
*hns-openvz-ubuntu-hosting
:installs our pre-created Ubuntu<ref>http://www.ubuntu.com/</ref> template
*hns-puppet
:installs the PuppetMaster client

==The Puppet Master configuration management==

If your preseeded setup was successful you have to configure your fresh server to fit your expectations. At our site we have ten OpenVZ servers in different countries and is really important that they have the same configuration.

To make life easier we decided to use a configuration management like cfengine<ref>http://www.cfengine.org/</ref> but not as complex in setup and management. We found our solution in Puppet Master.

The only dependency Puppet Master has is Ruby. This should be installable on every distribution in minutes.

After the installation you have to configure the Puppet Master to do things. Typically this means accepting the public private key pair and doing some configuration stuff. At our site use Puppet Master to manage an installation of about 100 servers.

One thing it does is to change the sysctl.conf file.

To get a feeling for it here is an configuration example (only OpenVZ server hosts):

<pre>

# ALL----- OPENVZ
node "yourserver1.yourdns.com", "yourserver2.yourdns.com", "yourserver3.yourdns.com", "yourserver4.yourdns.com", "yourserver5.yourdns.com", "yourserver6.yourdns.com", "yourserver7.yourdns.com"{
file { "/etc/aliases":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/aliases",
}
exec { "subscribe-newaliases":
command => "/usr/bin/newaliases && /bin/echo NEALIASSES",
subscribe => File["/etc/aliases"],
refreshonly => true,
logoutput => true
}

file { "/etc/apt/sources.list":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/apt/sources.list"
}
file { "/root/.ssh/authorized_keys2":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/authorized_keys2"
}
file { "/etc/vim/vimrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vim/vimrc"
}
file { "/etc/vz/conf/ve-vps.10.conf-sample":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/vz/conf/ve-vps.10.conf-sample"
}
file { "/etc/sysctl.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/sysctl.conf"
}
exec { subscribe-sysctl:
command => "/sbin/sysctl -p && /bin/echo SYSCTL EXECUTED",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/sysctl.conf"]
}
file { "/etc/ntp.conf":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/ntp.conf"
}
file { "/root/.bashrc":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/root/bashrc"
}
file { "/srv/exim_config.sh":
mode => 744,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/srv/exim_config.sh"
}
exec { subscribe-exim_config:
command => "/srv/exim_config.sh && /usr/sbin/update-exim4.conf && /etc/init.d/exim4 restart && /bin/echo EXIM_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/srv/exim_config.sh"]
}
file { "/etc/default/snmpd":
mode => 644,
owner => root,
group => root,
source => "puppet://yourpuppetmaster/files/openvz-hosts/etc/default/snmpd"
}
exec { subscribe-snmpd_config:
command => "/etc/init.d/snmpd restart && /bin/echo SNMPD_CONFIG",
logoutput => true,
refreshonly => true,
subscribe => file["/etc/default/snmpd"]
}
}
</pre>

==References==
<references/>

User:Boernie

2009-07-16T08:37:36Z

Boernie: New page: MySandbox

[[MySandbox]]