OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Talk:Download/template/precreated

2008-12-24T01:26:25Z

Echelon:

Just added a note to the article that the Debian images are still insecure. It would be better to replace the images with corrected ones, but I have no idea who to contact. --[[User:Bluehorn|Bluehorn]] 09:42, 5 July 2008 (EDT)

The Centos 5 minimal x86-64 image appears to be lacking in many ways. Most importantly it doesn't set up /dev properly. I'm going to test out the Centos 5 not-so minimal image. --[[User:cbsmith|cbsmith]] 17:53 22 Sept 2008 (PDT)

I have built an i386 Debian Lenny template for download, and has been verified working at this time. http://www.fuzzyconcepts.net/openvz/debian-5.0-i386-fc1.tar.gz --[[User:Echelon|Echelon]] 20:26 23 Dec 2008 (EST)

Ubuntu Gutsy template creation

2007-12-17T10:34:26Z

Echelon: /* vzctl */ More typos

[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Ubuntu]]

This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to [[Debian template creation]], but it differs in some subtle details.

== Prerequisites ==

=== debootstrap ===
You have to have a debootstrap working for Gutsy, i.e. you should have
* debootstrap and its dependencies
* /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubunty Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

On a Gentoo Linux, debootstrap is also available, this is how you can install it:

# emerge debootstrap

=== vzctl ===

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See {{bug|662}} for details.

Note: Older versions of vzctl have worked for me IF you install sysvinit (which will remove upstart). The only problem I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.

== Creating template ==

=== Running debootstrap ===

Create a working directory:

[HW]# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

[HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot

If ARCH of VE0 is equal to VE, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386 <code>i386</code>

=== Preparing/starting a VE ===

Now then you have an installation created by <code>debootstrap</code>, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.

{{Note|an alternative way is using chroot instead of running a VE. This is not recommended because of security concerns.}}

==== Moving installation to VE private area ====

You should move the contents of gutsy-chroot directory into new VE private area, like this:

# mv gutsy-chroot /vz/private/777

==== Setting VE config ====
An initial config for the [[VE]] is needed:
# vzctl set 777 --applyconfig vps.basic --save

==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in VE configuration file, for the [[vzctl]] to work properly.

# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
# vzctl set 777 --ipadd x.x.x.x --save

{{Note|if you use private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

==== Setting DNS server for the VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
# vzctl set 777 --nameserver x.x.x.x --save

Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.

==== Starting VE ====
Now start the VE:
# vzctl start 777

=== Modify the installation ===

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).

First, enter a VE:
# vzctl enter 777

{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}

==== Remove unneeded packages ====

Some packages does not make sense in a VE, or are really optional. Remove those:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
udev pcmciautils initramfs-tools volumeid console-setup \
xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
module-init-tools linux-sound-base console-tools \
console-terminus busybox-initramfs libvolume-id0 \
ntpdate eject libasound2 pciutils tasksel tasksel-data \
laptop-detect

Note that the above list of packages may be too extensive. Say, if you want to use <code>tasksel</code> tool, do not remove it — but then you have to let laptop-detect stay.

Clean up after udev:

[VE]# rm -fr /lib/udev

==== Disable getty ====
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have. So, having getty running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.

So, first of all we stop all getty processes:

[VE]# initctl stop tty{1,2,3,4,5,6}

Next, we disable running getty. This can be done in two ways:

First way:
[VE]# rm /etc/event.d/tty*

Second way:
[VE]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

==== Set sane permissions for /root directory ====

[VE]# chmod 700 /root

==== Disable root login ====

[VE]# usermod -L root

==== Get new security updates ====

[VE]# apt-get update && apt-get upgrade

<small>This didn't show anything for me, but might do something in the future.</small>

==== Install some more packages ====

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.


<pre>
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</pre>

==== Disable <code>sync()</code> for syslog ====

Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.


<pre>[VE]# sed -i -e 's@$[[:space:]]$$/var/log/$@\1-\2@' /etc/syslog.conf</pre>

==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
[VE]# update-rc.d -f mtab.sh remove

==== Disable some services ====

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[VE]# update-rc.d -f klogd remove

==== Hostname ====
Set proper hostname:
[VE]# echo "localhost" > /etc/hostname

==== Set /etc/hosts ====

[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

==== Add ptys to /dev ====

This is needed in case /dev/pts will not me mounted after VE start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter VE.

[VE]# cd /dev && /sbin/MAKEDEV ptyp

==== Remove nameserver(s) ====

Remove DNS entries:
[VE]# > /etc/resolv.conf

==== Clean packages ====
After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.
[VE]# apt-get clean

==== Cleaning up log files ====

[VE]# cd /var/log
[VE]# > messages; > auth.log; > kern.log; > bootstrap.log
[VE]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
[VE]# rm -f *.0 *.1

==== Anything else? ====

Think of what else could be done to better suit your needs.

==== Exit from the VE ====

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# exit

== Preparing for and packing template cache ==

The following commands are to be run in the host system (i.e. not inside a VE).

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
[HW]# vzctl set 777 --ipdel all --save

Stop the VE:
[HW]# vzctl stop 777

Change dir to the VE private:
[HW]# cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). '''Note the space and the dot at the end of the command'''.
[HW]# tar czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache
-rw-r--r-- 1 root root 53M Nov 15 12:40 ubuntu-7.10-i386-minimal.tar.gz

== Testing template cache ==
We can now create a VE based on the just-created template cache. Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal

Now make sure that your new VE it works:
[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf

You should see that a few processes are running.

Other tests that could be done are:
[HW]# vzctl enter 123456
[VE]# ps axf
[VE]# mount
[VE]# dpkg -l
[VE]# logout
[HW]#

Feel free to do more tests.

== Final cleanup ==
Stop and remove the test VE you just created:
[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:
[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed

== Updating the template cache ==

See [[Updating Ubuntu template]]

Ubuntu Gutsy template creation

2007-12-17T10:33:48Z

Echelon: /* vzctl */ Fixing typo

[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Ubuntu]]

This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to [[Debian template creation]], but it differs in some subtle details.

== Prerequisites ==

=== debootstrap ===
You have to have a debootstrap working for Gutsy, i.e. you should have
* debootstrap and its dependencies
* /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubunty Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

On a Gentoo Linux, debootstrap is also available, this is how you can install it:

# emerge debootstrap

=== vzctl ===

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See {{bug|662}} for details.

Note: Older versions of vzctl have worked for me IF you install sysvinit (which will remove upstart). The only problme I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.

== Creating template ==

=== Running debootstrap ===

Create a working directory:

[HW]# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

[HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot

If ARCH of VE0 is equal to VE, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386 <code>i386</code>

=== Preparing/starting a VE ===

Now then you have an installation created by <code>debootstrap</code>, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.

{{Note|an alternative way is using chroot instead of running a VE. This is not recommended because of security concerns.}}

==== Moving installation to VE private area ====

You should move the contents of gutsy-chroot directory into new VE private area, like this:

# mv gutsy-chroot /vz/private/777

==== Setting VE config ====
An initial config for the [[VE]] is needed:
# vzctl set 777 --applyconfig vps.basic --save

==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in VE configuration file, for the [[vzctl]] to work properly.

# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
# vzctl set 777 --ipadd x.x.x.x --save

{{Note|if you use private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

==== Setting DNS server for the VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
# vzctl set 777 --nameserver x.x.x.x --save

Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.

==== Starting VE ====
Now start the VE:
# vzctl start 777

=== Modify the installation ===

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).

First, enter a VE:
# vzctl enter 777

{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}

==== Remove unneeded packages ====

Some packages does not make sense in a VE, or are really optional. Remove those:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
udev pcmciautils initramfs-tools volumeid console-setup \
xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
module-init-tools linux-sound-base console-tools \
console-terminus busybox-initramfs libvolume-id0 \
ntpdate eject libasound2 pciutils tasksel tasksel-data \
laptop-detect

Note that the above list of packages may be too extensive. Say, if you want to use <code>tasksel</code> tool, do not remove it — but then you have to let laptop-detect stay.

Clean up after udev:

[VE]# rm -fr /lib/udev

==== Disable getty ====
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have. So, having getty running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.

So, first of all we stop all getty processes:

[VE]# initctl stop tty{1,2,3,4,5,6}

Next, we disable running getty. This can be done in two ways:

First way:
[VE]# rm /etc/event.d/tty*

Second way:
[VE]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

==== Set sane permissions for /root directory ====

[VE]# chmod 700 /root

==== Disable root login ====

[VE]# usermod -L root

==== Get new security updates ====

[VE]# apt-get update && apt-get upgrade

<small>This didn't show anything for me, but might do something in the future.</small>

==== Install some more packages ====

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.


<pre>
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</pre>

==== Disable <code>sync()</code> for syslog ====

Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.


<pre>[VE]# sed -i -e 's@$[[:space:]]$$/var/log/$@\1-\2@' /etc/syslog.conf</pre>

==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
[VE]# update-rc.d -f mtab.sh remove

==== Disable some services ====

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[VE]# update-rc.d -f klogd remove

==== Hostname ====
Set proper hostname:
[VE]# echo "localhost" > /etc/hostname

==== Set /etc/hosts ====

[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

==== Add ptys to /dev ====

This is needed in case /dev/pts will not me mounted after VE start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter VE.

[VE]# cd /dev && /sbin/MAKEDEV ptyp

==== Remove nameserver(s) ====

Remove DNS entries:
[VE]# > /etc/resolv.conf

==== Clean packages ====
After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.
[VE]# apt-get clean

==== Cleaning up log files ====

[VE]# cd /var/log
[VE]# > messages; > auth.log; > kern.log; > bootstrap.log
[VE]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
[VE]# rm -f *.0 *.1

==== Anything else? ====

Think of what else could be done to better suit your needs.

==== Exit from the VE ====

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# exit

== Preparing for and packing template cache ==

The following commands are to be run in the host system (i.e. not inside a VE).

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
[HW]# vzctl set 777 --ipdel all --save

Stop the VE:
[HW]# vzctl stop 777

Change dir to the VE private:
[HW]# cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). '''Note the space and the dot at the end of the command'''.
[HW]# tar czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache
-rw-r--r-- 1 root root 53M Nov 15 12:40 ubuntu-7.10-i386-minimal.tar.gz

== Testing template cache ==
We can now create a VE based on the just-created template cache. Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal

Now make sure that your new VE it works:
[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf

You should see that a few processes are running.

Other tests that could be done are:
[HW]# vzctl enter 123456
[VE]# ps axf
[VE]# mount
[VE]# dpkg -l
[VE]# logout
[HW]#

Feel free to do more tests.

== Final cleanup ==
Stop and remove the test VE you just created:
[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:
[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed

== Updating the template cache ==

See [[Updating Ubuntu template]]

Hosting providers

2007-12-17T01:34:40Z

Echelon: /* US Providers */

OpenVZ makes for a great hosting platform for VPS hosting (See [[VPS vs Dedicated]] for a comparison of VPS vs Dedicated) The providers below offer VPS services using OpenVZ:

== US Providers ==

* [http://www.silverrack.com/ SilverRack VPS Hosting] - SilverRack provides affordable VPS hosting using the OpenVZ platform.
* [http://www.buyavps.com/ BuyAVPS] - BuyAVPS provides stable yet affordable VPS hosting with a great support staff.