Installation on Debian/old

2008-06-07T14:49:59Z

Sawtooth: /* Repository setup */

OpenVZ consists of a kernel, user-level tools, and container templates.

This guide tells how to install the kernel and the tools on [http://www.debian.org Debian] stable.

== Requirements ==

=== Filesystems ===
It is recommended to use a separate partition for container private
directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on [[HN]].

At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system.

OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota.

=== Repository setup ===

At the moment two different repositories are online at http://download.openvz.org:

; by Ola Lundqvist <opal@debian.org>
: (OpenVZ kernels only)
: apt-uri http://download.openvz.org/debian

; by Thorsten Schifferdecker <tsd@debian.systs.org>
: apt-uri http://download.openvz.org/debian-systs
: (Mirror of OpenVZ Repository from http://debian.systs.org/)

{{Note|The next steps use the repository at http://download.openvz.org/debian-systs; the actual OpenVZ Tools for Debian exist only as unstable builds, see http://packages.debian.org/vzctl}}

{{Note|By default, on Ubuntu systems root tasks are executed with [https://help.ubuntu.com/community/RootSudo sudo]}}

This can be achieved by the following commands, as root or as privileged "sudo" user
<pre>
# echo -e "\ndeb http://download.openvz.org/debian-systs etch openvz" >> /etc/apt/sources.list
# wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update
</pre>

There is even an '''lenny''' repository with kernel 2.6.24. '''Use it at your own risk!'''
<pre>
# echo -e "\ndeb http://download.openvz.org/debian-systs lenny openvz" >> /etc/apt/sources.list
# wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update
</pre>

== Kernel installation ==

{{Note|In case you want to recompile the OpenVZ kernel yourself on Debian, see [[Compiling the OpenVZ kernel (the Debian way)]].}}

First, you need to choose what kernel you want to install.

{| class="wikitable"
|+'''OpenVZ Kernel list built with kernel config from http://download.openvz.org'''
! Kernel !! Description !! Hardware !! Debian Architecture
|-
! ovzkernel-2.6.18
| uniprocessor
| up to 4GB of RAM
| i386 and amd64
|-
! ovzkernel-2.6.18-smp
| symmetric multiprocessor
| up to 4 GB of RAM
| i386 and amd64
|-
! ovzkernel-2.6.18-enterprise
| SMP + PAE support + 4/4GB split
| up to 64 GB of RAM
| i386 only
|}

{| class="wikitable"
|+'''OpenVZ Kernel list built with official Debian kernel config and OpenVZ Settings'''
! Kernel !! Description !! Hardware !! Debian Architecture
|-
! fzakernel-2.6.18-686
| uni- and multiprocessor
| up to 4GB of RAM
| i386
|-
! fzakernel-2.6.18-686-bigmem
| symmetric multiprocessor
| up to 64 GB of RAM
| i386
|-
! fzakernel-2.6.18-amd64
| uni- and multiprocessor
|
| amd64
|-
|}

<pre>
# apt-get install <kernel>
</pre>

=== Configuring the bootloader ===

In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be added to the <tt>/boot/grub/menu.lst</tt> file:

<pre>
[...]
title Debian GNU/Linux, kernel 2.6.18-ovz-028stab051.1-686
root (hd0,1)
kernel /vmlinuz-2.6.18-ovz-028stab051.1-686 root=/dev/sda5 ro vga=791
initrd /initrd.img-2.6.18-ovz-028stab051.1-686
savedefault
[...]
</pre>

{{Note|per default on debian/ubuntu, a 2.6.22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-grub for more details}}

=== Rebooting into OpenVZ kernel ===

{{Warning|Before you restart your Server, keep in mind, that your system has all needed modules enabled; booting from your harddisk (e.g. hardware modules, raid system(s), lvm2 etc). May you need a INITRD (initramdisk) or compile needed kernel modules statically in.}}

Now reboot the machine and choose the OpenVZ Linux Kernel on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ.

== Installing the user-level tools ==

OpenVZ needs some user-level tools installed. Those are:

; vzctl
: A utility to control OpenVZ containers (create, destroy, start, stop, set parameters etc.)
; vzquota
: A utility to manage quotas for containers. Mostly used indirectly (by vzctl).

<pre>
# [sudo] apt-get install vzctl vzquota
</pre>

== Configuring ==

=== sysctl ===

There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in <tt>/etc/sysctl.conf</tt> file. Here is the relevant part of the file; please edit it accordingly.

{{Note|vzctl version from debian-systs, automate changing sysctl options for openvz}}

<pre>
[...]

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

[...]
</pre>

# [sudo] sysctl -p

{{Note|You can make a symlink from /var/lib/vz to /vz as backward
compatibility to OpenVZ as installed in other distributions
(Debian vz root directory is /var/lib/vz to be FHS-compliant.}}

# [sudo] ln -s /var/lib/vz /vz

=== OS templates ===

To install a container, you need OS template(s).

Precreated templates can be found [http://download.openvz.org/contrib/template/precreated/ here].

You can create your own templates, see
[[Debian template creation]], [[Ubuntu Gutsy template creation] and [[Category:Templates]].

{{Note|Setup your prefered standard OS Template : edit the /etc/vz/vz.conf}}

# [sudo] apt-get install vzctl-ostmpl-debian

== Additional User Tools ==

; vzprocps
: A set of utilities to provide system information (vzps and vztop)

; [[vzdump]]
: A utility to backup and restore container.

# [sudo] apt-get install vzprocps vzdump

== Use it! ==

After installing the OpenVZ kernel, user tools and a minimal OS template
to create a first container and do some
[[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki.

== SECURE IT ! ==

Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot.

That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down.

Now see what rules are already configured. Issue this command inside your container:

iptables -L

The output will be similar to this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This allows anyone access to anything from anywhere.

=== New iptables rules ===

Let's tighten that up a bit by creating a test iptables file:

nano /etc/iptables.test.rules

In this file enter some basic rules:

*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections for script kiddies
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.

Activate these new rules:

iptables-restore < /etc/iptables.test.rules

And see the difference:

iptables -L

Now the output tells us that only the ports defined above are open. All the others are closed.

Once you are happy, save the new rules to the master iptables file:

iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are started on a reboot we'll create a new file:

nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptables

[[Category: HOWTO]]
[[Category: Debian]]
[[Category: Installation]]

OpenVZ Virtuozzo Containers Wiki - User contributions [en]

Installation on Debian/old