Gentoo template creation

2011-11-15T13:11:22Z

Jschmidt: /* Make /etc/mtab a symlink to /proc/mounts */

This page is about making a template cache for OpenVZ container from Gentoo Linux. The method is basically the same as described in [[Slackware template creation]] article.

== Download stage3 ==

We will make the template from a stage3 file. An OpenVZ OS template should be an archive (.tar.gz) of the root of a working system, but without the kernel and some files. You can download stage3 from the nearest mirror here: http://www.gentoo.org/main/en/mirrors.xml.

== Create directory for the new container and unarchive stage3 ==

<pre>
mkdir /vz/private/777
tar -xjf /root/stage3-i686-2008.0_beta2.tar.bz2 -C /vz/private/777
</pre>

== Create CT config ==
Now you need to create the configuration file for the container, 777.conf:

<pre>
vzctl set 777 --applyconfig vps.basic --save
</pre>

== Edit CT config ==

Add the following to <code>/etc/vz/conf/777.conf</code>:
<pre>
OSTEMPLATE="gentoo"
</pre>

Creation of container at end of this HowTo obeys quota limits and might exceed
those limits set in <code>vps.basic</code> by default (at least encountered with Gentoo
10.1 release). Thus it might be required to increase limits now. The following
values are providing 2 GiByte soft limit with 2.5 GiByte hard limit:
<pre>
DISKSPACE="2097152:2621440"
</pre>

After that you copy that configuration file turning it into a sample configuration for later use:

<pre>
# cp /etc/vz/conf/777.conf /etc/vz/conf/ve-gentoo.conf-sample
</pre>

== Make /etc/mtab a symlink to /proc/mounts ==
The container's root filesystem is mounted by the host system, not the guest — and therefore root fs will not appear in <code>/etc/mtab</code>. It will lead to a non-working <code>df</code> command. To fix, link /etc/mtab to /proc/mounts.
<pre>
rm -f /vz/private/777/etc/mtab
ln -s /proc/mounts /vz/private/777/etc/mtab
</pre>
After replacing <code>/etc/mtab</code> with a symlink to <code>/proc/mounts</code>, you will always have up-to-date information of what is mounted in <code>/etc/mtab</code>. You will, however, have an error on boot (in <code>/var/log/init.log</code>) that can be safely ignored: <code>* /etc/mtab is not updateable [ !! ]</code>

== Replace /etc/fstab ==

<pre>
echo "proc /proc proc defaults 0 0" > /vz/private/777/etc/fstab
</pre>

We need only <code>/proc</code> to be mounted at boot time.

== Edit /etc/inittab and /etc/init.d/halt.sh ==

Edit <code>/vz/private/777/etc/inittab</code> and put a hash mark (#) at the beginning of the lines containing:

<pre>c?:1235:respawn:/sbin/agetty 38400 tty? linux</pre>

Edit <code>/vz/private/777/etc/init.d/halt.sh</code> and put a hash mark (#) at the beginning of the lines containing:

<pre>sulogin -t 10 /dev/console</pre>

This prevents <code>getty</code> and login from starting on ttys that do not exist in containers.

== Edit /etc/shadow ==

Edit <code>/vz/private/777/etc/shadow</code> and change root's password in the first line to an exclamation mark (!):

<pre>root:!:10071:0:::::</pre>

This will disable root login until the password is changed with <code>vzctl set CTID --userpasswd root:password</code>.

== Disable unneeded init scripts ==

The checkroot and consolefont init scripts should not be started inside containers:

<pre>
rm /vz/private/777/etc/runlevels/boot/checkroot
rm /vz/private/777/etc/runlevels/boot/consolefont
</pre>

== Edit /sbin/rc ==

Edit <code>/vz/private/777/sbin/rc</code> and put a hash mark (#) at the beginning of line 244 (your line number may be different):

<pre># try mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}</pre>

This prevents the container from attempting to mount <code>/sys</code>.

To ensure that this change isn't automatically overwritten on update, add the following to <code>/vz/private/777/etc/make.conf</code>:

<pre>CONFIG_PROTECT="/sbin/rc"</pre>

== Set up udev ==

Using udev you will have problems since some devices nodes are not created.
For example sshd will fail to start since /dev/random and /dev/urandom are missing.
So it's recommended to disable udev.
Edit <code>/vz/private/777/etc/conf.d/rc</code> and change the <code>RC_DEVICES</code> line to:
<pre>
RC_DEVICES="static"
</pre>

If you want to enable udev read on.

Create some device nodes needed to enter a container:

<pre>
cd /vz/private/777/lib
mknod udev/devices/ttyp0 c 3 0
mknod udev/devices/ptyp0 c 2 0
mknod udev/devices/ptmx c 5 2
</pre>

Edit <code>/vz/private/777/etc/conf.d/rc</code> and change the <code>RC_DEVICES</code> and <code>RC_DEVICE_TARBALL</code> lines to:

<pre>
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"
</pre>

You have to leave the directory you are in for the next step to be OK, otherwise you will get this error message:
vzquota : (error) Quota on syscall for 777: Device or resource busy
vzquota on failed [3]

<pre>
cd /
</pre>

== Edit /etc/pam.d/chpasswd ==

Some changes are required for successful setting user's password with <code>vzctl</code> util.
Edit <code>/vz/private/777/etc/pam.d/chpasswd</code> and change the <code>password</code> lines to:

<pre>
password required pam_unix.so md5 shadow
</pre>

== Test ==

<pre>
vzctl start 777
vzctl enter 777
</pre>

You can check running services:

<pre>
rc-status -a
</pre>

All services in boot and default runlevels must be started.

Enable SSH daemon if required:

<pre>
rc-update add sshd default
</pre>

{{Warning|'''Do not start sshd''' in template container as it would create server's pair of keys then shared among all containers instantiated later.}}

Next leave container pressing Ctrl+D and stop it:

<pre>
vzctl stop 777
</pre>

== Making distfiles and portage tree of the host system available in a container ==

{{Warning|This step is optional and will result in shared files between containers! These steps can save space on disk but trade isolation and security... consider your options carefully!}}

To install software into a container with portage, you should mount <code>/usr/portage</code> into the container with the "bind" option. Do the following on the host after the container is started:

<pre>
mkdir /vz/root/777/usr/portage
mount -o bind /usr/portage /vz/root/777/usr/portage
</pre>

If your <code>/usr/portage/distfiles</code> directory resides on a different partition than your <code>/usr/portage</code> directory, do the following:

<pre>
mount -n -o bind /usr/portage/distfiles /vz/root/777/usr/portage/distfiles
</pre>

Now, to install a package into a container, you just need to enter the container using <code>vzctl enter</code> and run

<pre>
emerge package_name
</pre>

while you have all the needed files in the <code>/usr/portage/distfiles</code> of host system.

For security reasons, you should have these directories mounted only while installing software into a container.

{{Note|you have to <code>umount /vz/root/777/usr/portage/distfiles</code> before trying to stop your container.}}

== Dedicated installation of portage ==

If you decide not to share portage with host as described before, you'll still need a portage installed into your container.

Get latest snapshot of portage tree from your favourite mirror (http://www.gentoo.org/main/en/mirrors.xml) and extract it into <code>/vz/private/777/usr</code>:

<pre>
# wget <your-mirro>/snapshots/portage-latest.tar.bz2
# tar xjf portage-latest.tar.bz2 -C /vz/private/777/usr
</pre>

== Host system portage tree and distfiles in read-only mode ==

You can safely share portage tree from the host system among all Gentoo VPSs by mounting it in read-only mode and defining dedicated <code>distfiles</code> directory. All files in regular <code>distfiles</code> directory will be also available to guest containers.

Create <code>/etc/vz/conf/vps.mount</code> to mount RO portage to all Gentoo guests or <code>/etc/vz/conf/<vps id>.mount</code> to mount portage tree only to particular container:

<pre>
#!/bin/bash
source /etc/vz/vz.conf
source ${VE_CONFFILE}
if [ -d /vz/root/$VEID/usr/portage ]; then
mount -n --bind -o ro /vz/portage /vz/root/$VEID/usr/portage
fi
</pre>

Make it executable:

<pre>
chmod u+x /etc/vz/conf/vps.mount
</pre>

Add the following strings to the <code>/vz/private/777/etc/make.conf</code>:

<pre>
PORTAGE_RO_DISTDIRS="/usr/portage/distfiles"
DISTDIR="/usr/portage_distfiles"
</pre>

You should update host-node portage tree on regular basis to keep it up to date because <code>emerge --sync</code> won't work inside guest container.

== Create the template cache file ==

<pre>
cd /vz/private/777/
tar --numeric-owner -czf /vz/template/cache/gentoo.tar.gz *
</pre>

== Test the new template cache file ==

Create a new container from the template file:

<pre>
vzctl create 800 --config gentoo --ipadd 192.168.0.10 --hostname testvps
</pre>

If the container was created successfully, try to start it:

<pre>
vzctl start 800
</pre>

If it started, and you can enter it using

<pre>
vzctl enter 800
</pre>

congratulations, you've got a working Gentoo template!

== Log in over SSH ==

Leave container by hitting Ctrl+D. To log in over SSH now, you need to set root's password in running container first:

<pre>
vzctl set 800 --userpasswd root:secret
</pre>

Of course, you should use different password (replacing <code>secret</code> above) obeying common rules for strong passwords. After that container is ready for login over SSH

<pre>
ssh root@192.168.0.10
</pre>

[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Gentoo]]

OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Gentoo template creation