OpenVZ Virtuozzo Containers Wiki - User contributions [en]

User:INFOMAN

2008-01-07T01:20:10Z

INFOMAN: New page: OpenVZ newbie

OpenVZ newbie

Quick installation (legacy)

2008-01-07T01:06:05Z

INFOMAN: There is nothing for debian on this page

This document briefly describes the steps needed to install OpenVZ on your (RPM based) machine. For '''Debian''' based systems see [[Installation on Debian]].

This document is also available in the following languages: [http://forum.openvz.org/index.php?t=tree&goto=35&#msg_35 French], [http://forum.openvz.org/index.php?t=tree&goto=1805&#msg_1805 German],
[http://wiki.openvz.jp Japanese],
[[Quick_installation_(Spanish)|Spanish]].

OpenVZ consists of a kernel, user-level tools, and VE templates. This guide tells how to install the kernel and the tools.

== Requirements ==
This guide assumes you are running recent release of Fedora Core (like FC5) or RHEL/CentOS 4. Currently, OpenVZ kernel tries to support the same hardware that Red Hat kernels support. For full hardware compatibility list, see [http://www.swsoft.com/en/products/virtuozzo/hcl/ Virtuozzo HCL].

=== Filesystems ===
It is recommended to use a separate partition for VEs private directories (by default /vz/private/<veid>). The reason why you should do so is that if you wish to use OpenVZ per-VE disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind, that per-VE quota in this context includes not only pure per-VE quota, but also usual Linux disk quota used in VE, not on [[HN]].

At least try to avoid using root partition for VEs, because the root user of VE will be able to overcome 5% disk space barrier in some situations. This way HN root partition can be completely filled and it will break the system.

OpenVZ per-VE disk quota is supported only for ext2/ext3 filesystems. So use one of these filesystems (ext3 is recommended) if you need per-VE disk quota.

=== rpm or yum? ===

In case you have yum utility available on your system, you may want to use it effectively to install and update OpenVZ packages. In case you don't have yum, or don't want to use it, you can use plain old rpm. Instructions for both rpm and yum are provided below.

=== yum pre-setup ===
If you want to use yum, you should set up OpenVZ yum repository first.

Download [http://download.openvz.org/openvz.repo openvz.repo] file and put it to your <code>/etc/yum.repos.d/</code> repository. This can be achieved by the following commands, as root:
<pre>
# cd /etc/yum.repos.d
# wget http://download.openvz.org/openvz.repo
# rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ
</pre>

In case you can not cd to /etc/yum.repos.d, it means either yum is not installed on your system, or yum version is too old. In that case, just stick to rpm installation method.

== Kernel installation ==

{{Note|In case you want to recompile the kernel yourself rather than use the one provided by OpenVZ, see [[kernel build]].}}

First, you need to choose what “flavor” of the kernel you want to install. Please refer to [[Kernel flavors]] for more information.

=== Using yum ===
Run the following command
<pre>
# yum install ovzkernel[-flavor]
</pre>

Here <code>[-flavor]</code> is optional, and can be <code>-smp</code> or <code>-enterprise</code>. Refer to [[kernel flavors]] for more info.

=== Using rpm ===
Get the kernel binary RPM from the [http://openvz.org/download/kernel/ Download » Kernel] page, or directly from [http://download.openvz.org/kernel/ download.openvz.org/kernel], or from one of its [[Download mirrors|mirrors]]. You need only one kernel RPM so please [[Kernel flavors|choose the appropriate one]] depending on your hardware.

Next, install the kernel RPM you chose:

<pre>
# rpm -ihv ovzkernel[-flavor]*.rpm
</pre>

Here <code>[-flavor]</code> is optional, and can be <code>-smp</code> or <code>-enterprise</code>. Refer to [[kernel flavors]] for more info.

{{Note|<tt>rpm -U</tt> (where <tt>-U</tt> stands for ''upgrade'') should '''not''' be used, otherwise all currently installed kernels will be uninstalled.}}

== Configuring the bootloader ==

In case GRUB is used as the boot loader, it will be configured automatically: lines similar to these will be added to the <tt>/boot/grub/grub.conf</tt> file:

<pre>
title Fedora Core (2.6.8-022stab029.1)
root (hd0,0)
kernel /vmlinuz-2.6.8-022stab029.1 ro root=/dev/sda5 quiet rhgb vga=0x31B
initrd /initrd-2.6.8-022stab029.1.img
</pre>
Change <tt>Fedora Core</tt> to <tt>OpenVZ</tt> (just for clarity reasons, so the OpenVZ kernels will not be mixed up with non-OpenVZ ones). Remove extra arguments from the kernel line, leaving only the <tt>root=...</tt> parameter. The modifed portion of <tt>/etc/grub.conf</tt> should look like this:

<pre>
title OpenVZ (2.6.8-022stab029.1)
root (hd0,0)
kernel /vmlinuz-2.6.8-022stab029.1 ro root=/dev/sda5
initrd /initrd-2.6.8-022stab029.1.img
</pre>

== Configuring ==

Please make sure the following steps are performed before rebooting into OpenVZ kernel.

=== sysctl ===

There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in <tt>/etc/sysctl.conf</tt> file. Here is the relevant part of the file; please edit it accordingly.

<pre>
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# TCP Explict Congestion Notification
#net.ipv4.tcp_ecn = 0
# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
</pre>

=== SELinux ===

SELinux should be disabled. To that effect, put the following line to <code>/etc/sysconfig/selinux</code>:
<pre>
SELINUX=disabled
</pre>

=== Conntracks ===

In the stable OpenVZ kernels (those that are 2.6.8-based) netfilter connection tracking for [[VE0]] is disabled by default. If you have a stateful firewall enabled on the host node (it is there by default) you should either disable it, or enable connection tracking for [[VE0]].

To enable conntracks for VE0, add the following line to <code>/etc/modprobe.conf</code> file:
<pre>
options ip_conntrack ip_conntrack_enable_ve0=1
</pre>

{{Note|In kernels later than 2.6.8, connection tracking is enabled by default.}}

== Rebooting into OpenVZ kernel ==

Now reboot the machine and choose "OpenVZ" on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ. If you are installing on x86_64 CentOS or Fedora system, you may want to continue the setup process using the [[Install_OpenVZ_on_a_x86_64_system_Centos-Fedora|x86_64 guide]].

== Installing the utilities ==

OpenVZ needs some user-level tools installed. Those are:

; vzctl
: A utility to control OpenVZ VPSs (create, destroy, start, stop, set parameters etc.)
; vzquota
: A utility to manage quotas for VPSs. Mostly used indirectly (by vzctl).

=== Using yum ===

<pre>
# yum install vzctl vzquota
</pre>

=== Using rpm ===

Download the binary RPMs of these utilities from [http://openvz.org/download/utils/ Download » Utils], or directly from [http://download.openvz.org/utils/ download.openvz.org/utils], or from one of its [[Download mirrors|mirrors]]. Install them:

<pre>
# rpm -Uhv vzctl*.rpm vzquota*.rpm
</pre>

If rpm complains about unresolved dependencies, you'll have to satisfy them first, then repeat the installation.

When all the tools are installed, start the OpenVZ subsystem.

== Starting OpenVZ ==

As root, execute the following command:

<pre>
# /sbin/service vz start
</pre>

This will load all the needed OpenVZ kernel modules. This script should also start all the VPSs marked to be auto-started on machine boot (there aren't any yet).

During the next reboot, this script should be executed automatically.

== Next steps ==

OpenVZ is now set up on your machine. To load OpenVZ kernel by default, edit the default line in the /boot/grub/grub.conf file to point to the OpenVZ kernel. For example, if the OpenVZ kernel is the first kernel mentioned in the file, put it as default 0. See man grub.conf for more details.

The next step is to prepare the [[OS template]]: please continue to [[OS template cache preparation]] document.

[[Category: Installation]]
[[Category: HOWTO]]

Category:Debian

2008-01-07T01:05:02Z

INFOMAN: New page: Debian

Debian

Ubuntu Gutsy template creation

2008-01-07T00:00:08Z

INFOMAN: /* debootstrap */ 0.x versions do not contain scripts for gutsy

[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Ubuntu]]

This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to [[Debian template creation]], but it differs in some subtle details.

== Prerequisites ==

=== debootstrap ===
You have to have a <code>debootstrap</code> working for Gutsy, i.e. you should have
* <code>debootstrap</code> and its dependencies
* <code>/usr/lib/debootstrap/scripts/gutsy</code> file

The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a VE). If you don't have <code>debootstrap</code> installed, this is the command to install it:

# apt-get install debootstrap

On a Gentoo Linux, <code>debootstrap</code> is also available, this is how you can install it:

# emerge \>=debootstrap-1.0.0

Possible you will first need to add it to package.keywords.

On a Fedora system (at least Fedora 8, not sure about earlier versions):

# yum install debootstrap

=== vzctl ===

You need vzctl-3.0.22 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your Ubuntu Gutsy VE. See {{bug|662}} for details.

Note: Older versions of vzctl are working if you install <code>sysvinit</code> (which will remove <code>upstart</code>). The only problem I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.

== Creating template ==

=== Running debootstrap ===

Create a working directory:

[HW]# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

[HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot

If ARCH of VE0 is equal to VE, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386 <code>i386</code>

=== Preparing/starting a VE ===

Now then you have an installation created by <code>debootstrap</code>, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.

{{Note|an alternative way is using chroot instead of running a VE. This is not recommended because of security concerns.}}

==== Moving installation to VE private area ====

You should move the contents of gutsy-chroot directory into new VE private area, like this:

# mv gutsy-chroot /vz/private/777

==== Setting VE config ====
An initial config for the [[VE]] is needed:
# vzctl set 777 --applyconfig vps.basic --save

==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in VE configuration file, for the [[vzctl]] to work properly.

# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
# vzctl set 777 --ipadd x.x.x.x --save

{{Note|if you use private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

==== Setting DNS server for the VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
# vzctl set 777 --nameserver x.x.x.x --save

Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.

==== Starting VE ====
Now start the VE:
# vzctl start 777

=== Modify the installation ===

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).

First, enter a VE:
# vzctl enter 777

{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}

==== Remove unneeded packages ====

Some packages does not make sense in a VE, or are really optional. Remove those:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
udev pcmciautils initramfs-tools volumeid console-setup \
xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
module-init-tools linux-sound-base console-tools \
console-terminus busybox-initramfs libvolume-id0 \
ntpdate eject libasound2 pciutils tasksel tasksel-data \
laptop-detect

{{Note|On removing the deb-package "module-init-tools", a fake-modprobe is needed for IPv6 adresses, see below!}}

Note that the above list of packages may be too extensive. Say, if you want to use <code>tasksel</code> tool, do not remove it — but then you have to let laptop-detect stay.

Clean up after udev:

[VE]# rm -fr /lib/udev

==== Disable getty ====
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have. So, having getty running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.

So, first of all we stop all getty processes:

[VE]# initctl stop tty{1,2,3,4,5,6}

Next, we disable running getty. This can be done in two ways:

First way:
[VE]# rm /etc/event.d/tty*

Second way:
[VE]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

==== Set sane permissions for /root directory ====

[VE]# chmod 700 /root

==== Disable root login ====

[VE]# usermod -L root

==== "fake-modprobe" needed for IPv6 adresses ====

[VE]# ln -s /bin/true /sbin/modprobe

<small>On setup IPv6, the command "modprobe -Q IPv6" is called, which fails without the "fake-modprobe"</small>

==== Get new security updates ====

[VE]# apt-get update && apt-get upgrade

<small>This didn't show anything for me, but might do something in the future.</small>

==== Install some more packages ====

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.


<pre>
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</pre>

==== Disable <code>sync()</code> for syslog ====

Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.


<pre>[VE]# sed -i -e 's@$[[:space:]]$$/var/log/$@\1-\2@' /etc/syslog.conf</pre>

==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
[VE]# update-rc.d -f mtab.sh remove

==== Disable some services ====

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[VE]# update-rc.d -f klogd remove

==== Hostname ====
Set proper hostname:
[VE]# echo "localhost" > /etc/hostname

==== Set /etc/hosts ====

[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

==== Add ptys to /dev ====

This is needed in case /dev/pts will not me mounted after VE start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter VE.

[VE]# cd /dev && /sbin/MAKEDEV ptyp

==== Remove nameserver(s) ====

Remove DNS entries:
[VE]# > /etc/resolv.conf

==== Clean packages ====
After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.
[VE]# apt-get clean

==== Cleaning up log files ====

[VE]# cd /var/log
[VE]# > messages; > auth.log; > kern.log; > bootstrap.log
[VE]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
[VE]# rm -f *.0 *.1

==== Anything else? ====

Think of what else could be done to better suit your needs.

==== Exit from the VE ====

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# exit

== Preparing for and packing template cache ==

The following commands are to be run in the host system (i.e. not inside a VE).

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
[HW]# vzctl set 777 --ipdel all --save

Stop the VE:
[HW]# vzctl stop 777

Change dir to the VE private:
[HW]# cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). '''Note the space and the dot at the end of the command'''.
[HW]# tar czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache
-rw-r--r-- 1 root root 53M Nov 15 12:40 ubuntu-7.10-i386-minimal.tar.gz

== Testing template cache ==
We can now create a VE based on the just-created template cache. Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal

Now make sure that your new VE it works:
[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf

You should see that a few processes are running.

Other tests that could be done are:
[HW]# vzctl enter 123456
[VE]# ps axf
[VE]# mount
[VE]# dpkg -l
[VE]# logout
[HW]#

Feel free to do more tests.

== Final cleanup ==
Stop and remove the test VE you just created:
[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:
[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed

== Updating the template cache ==

See [[Updating Ubuntu template]]