Ubuntu Gutsy template creation

[[Category: Templates]]
[[Category: Ubuntu]]

This article summarizes the experience of creating an Ubuntu Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.
=== debootstrap ===
You have to have a debootstrap that works for Gutsy, i.e. you should have
* debootstrap and its dependencies
* the /usr/lib/debootstrap/scripts/gutsy file
The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:
 # apt-get install debootstrap
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== vzctl ===
You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See {{bug|662}} for details.
== Creating template ==
=== Running debootstrap ===
Create a directory to bootstrap into:
 [HW]# mkdir gutsy-chroot
 [HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot
If the ARCH of VE0 (the hardware node) is the same as that of the VE, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
* for AMD64/x86_64, use <code>amd64</code>
* for IA64, use <code>ia64</code>
* for i386, use <code>i386</code>
Everything in the resulting template comes from the mirror debootstrap downloads from, so make sure it is one you trust.
=== Preparing/starting a VE ===
Now that you have an installation created by <code>debootstrap</code>, you can run it as a VE. In the example below a VE ID of 777 is used; of course you can use any other non-allocated ID.
{{Note|An alternative way is to use chroot instead of running a VE. This is not recommended because of security concerns: a chroot does not isolate processes, networking or resource usage from the hardware node the way a VE does.}}
==== Moving installation to VE private area ====
You should move the gutsy-chroot directory into place as the new VE private area, like this:
 # mv gutsy-chroot /vz/private/777
Do not create <code>/vz/private/777</code> beforehand: if the target directory already exists, <code>mv</code> puts the whole tree one level too deep, as <code>/vz/private/777/gutsy-chroot</code>, and the VE will not start.
==== Setting VE config ====
An initial config for the [[VE]] is needed:
 # vzctl set 777 --applyconfig vps.basic --save
==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in the VE configuration file, for [[vzctl]] to work properly (it selects the distribution-specific helper scripts used to set the hostname, IP addresses and nameservers inside the VE):
 # echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
==== Setting VE IP address ====
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
 # vzctl set 777 --ipadd x.x.x.x --save
{{Note|If you use a private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}
==== Setting DNS server for the VE ====
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS server for it:
 # vzctl set 777 --nameserver x.x.x.x --save
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
==== Starting VE ====
Now start the VE:
 # vzctl start 777
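The host-side steps of this section, from moving the debootstrap tree into place through starting the VE, collected into one script. This is an added example, not code from the wiki page or from the OpenVZ project. It assumes the standard locations <code>/vz/private</code> and <code>/etc/vz/conf</code>; the <code>VZ_PRIVATE</code>, <code>VZ_CONF</code> and <code>VZCTL</code> variables are this script's own knobs (not vzctl options) so it can be pointed at a staging directory or a wrapper for a dry run. The tree argument is expected to be the directory debootstrap produced.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): host-side preparation of a
# build VE from a debootstrap tree. VZ_PRIVATE/VZ_CONF/VZCTL are this
# script's own knobs and default to the standard OpenVZ locations.
set -eu

VZCTL="${VZCTL:-vzctl}"
VZ_PRIVATE="${VZ_PRIVATE:-/vz/private}"
VZ_CONF="${VZ_CONF:-/etc/vz/conf}"

# A VE ID is free only if it has neither a config file nor a private area.
veid_is_free() {
    [ ! -e "$VZ_CONF/$1.conf" ] && [ ! -e "$VZ_PRIVATE/$1" ]
}

# prepare_ve VEID TREE IP NAMESERVER OSTEMPLATE
prepare_ve() {
    veid="$1" tree="$2" ip="$3" ns="$4" ostemplate="$5"

    veid_is_free "$veid" || { echo "VE $veid is already allocated" >&2; return 1; }
    [ -d "$tree/etc" ] || { echo "$tree is not a bootstrapped root" >&2; return 1; }

    # Rename the tree into place. Do NOT mkdir the target first, or mv would
    # nest the tree as $VZ_PRIVATE/$veid/<tree> and the VE would not start.
    mv "$tree" "$VZ_PRIVATE/$veid"

    "$VZCTL" set "$veid" --applyconfig vps.basic --save
    # OSTEMPLATE selects the distribution-specific helper scripts vzctl uses
    # to set the hostname, IPs and nameservers inside the VE.
    echo "OSTEMPLATE=$ostemplate" >> "$VZ_CONF/$veid.conf"
    "$VZCTL" set "$veid" --ipadd "$ip" --save
    "$VZCTL" set "$veid" --nameserver "$ns" --save
    "$VZCTL" start "$veid"
}

# Usage (addresses are placeholders):
#   sh prepare-ve.sh 777 gutsy-chroot 192.0.2.10 192.0.2.1 ubuntu-7.10
if [ "$#" -eq 5 ]; then
    prepare_ve "$@"
fi
```

The free-ID check is the one thing the manual steps do not do: <code>vzctl set --save</code> happily rewrites an existing VE's config, so colliding with an allocated ID silently reconfigures someone else's container.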
=== Modify the installation ===
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).
First, enter the VE:
 # vzctl enter 777
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}
==== Remove unneeded packages ====
Some packages do not make sense in a VE: there is no hardware, no kernel, no initramfs and no console to manage, and ntpdate cannot set the clock from inside a VE anyway. Remove them:
 [VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
 udev pcmciautils initramfs-tools volumeid console-setup \
 xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
 module-init-tools linux-sound-base console-tools \
 console-terminus busybox-initramfs libvolume-id0 \
 ntpdate
Clean up after udev:
 [VE]# rm -fr /lib/udev
==== Disable getty ====
On a usual Linux system, getty runs on the virtual terminals, which a VE does not have.
There are two ways to disable it:
First way:
 [VE]# rm /etc/event.d/tty*
Second way:
 [VE]# dpkg -P system-services
The second way can be dangerous for future versions of system-services, but it's OK for now since the only service it carries is running gettys.
==== Set sane permissions for /root directory ====
 [VE]# chmod 700 /root
==== Disable root login ====
 [VE]# usermod -L root
This locks root's password only. <code>vzctl enter</code> and <code>vzctl exec</code> from the hardware node do not go through password authentication, so you can still administer VEs created from the template; set a password or add an SSH key per VE after creation if users need to log in.
==== Get new security updates ====
 [VE]# apt-get update && apt-get upgrade
<small>This didn't show anything for me, but might do something in the future.</small>
==== Install some more packages ====
 [VE]# apt-get install ssh quota
Feel free to add packages which you want to have in a default template to this command.
==== Fix SSH host keys ====
This is only useful if you installed SSH above. Each individual [[VE]] should have its own pair of SSH host keys: if the keys generated while building the template are left in place, every VE created from it presents the same host identity, and the private keys are readable by anyone who can read the template cache. The code below wipes out the existing SSH keys and instructs the newly-created [[VE]] to create new SSH keys on first boot.
<!-- please DO NOT remove <pre>...</pre> pair of tags below, | <!-- please DO NOT remove <pre>...</pre> pair of tags below, | ||
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys | chmod a+x /etc/rc2.d/S15ssh_gen_host_keys | ||
</pre> | </pre> | ||
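The same fix as a function that takes the root of the tree to operate on, so it can be run as <code>sh fix-ssh-host-keys.sh /</code> inside the build VE or tried first against a staging copy. This is an added example, not the page's own script. It generates RSA and DSA keys, the types Gutsy's OpenSSH created at install time; the S15 prefix follows the page and has to sort before the ssh init script's own link so sshd finds its keys on first boot.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): remove the SSH host keys that
# were generated while building the template and install a one-shot init
# script that creates fresh keys on the VE's first boot. ROOT is the tree to
# operate on: "/" when run inside the build VE, or a staging directory.
set -eu

install_ssh_host_key_regen() {
    root="$1"
    [ -d "$root/etc/ssh" ] || { echo "$root/etc/ssh missing: is ssh installed?" >&2; return 1; }

    # Keys baked into the template would be shared by every VE cloned from it
    # (and readable by anyone who can read the template cache), which defeats
    # host authentication entirely.
    rm -f "$root"/etc/ssh/ssh_host_*

    script="$root/etc/rc2.d/S15ssh_gen_host_keys"
    mkdir -p "${script%/*}"
    # Quoted heredoc: nothing is expanded here, the script runs verbatim in the VE.
    cat > "$script" <<'EOF'
#!/bin/sh
# Generate this VE's own host keys, then remove this script so it runs once.
ssh-keygen -q -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -q -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
rm -f "$0"
EOF
    chmod a+x "$script"
}

# Usage (inside the VE): sh fix-ssh-host-keys.sh /
if [ "$#" -eq 1 ]; then
    install_ssh_host_key_regen "$1"
fi
```

Because the keys only exist after first boot, their fingerprints cannot be published with the template; fetch them out of band with <code>vzctl exec ID ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key</code> before trusting a new VE. With a newer OpenSSH you would add the other key types or simply call <code>ssh-keygen -A</code> in the generated script.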
+ | |||
==== Disable <code>sync()</code> for syslog ====
<!-- DO NOT remove <pre> here, it's useful -->
<pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
==== Fix <code>/etc/mtab</code> ====
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 [VE]# rm -f /etc/mtab
 [VE]# ln -s /proc/mounts /etc/mtab
After that, it makes sense to disable the <code>mtab.sh</code> script, which rewrites <code>/etc/mtab</code> at boot:
 [VE]# update-rc.d -f mtab.sh remove

==== Get rid of tmpfs mounts ====
Remove the tmpfs mounts done by <code>mountkernfs.sh</code>:
 [VE]# sed -i -e '/tmpfs/d' /etc/init.d/mountkernfs.sh
Note the separate <code>-i</code> and <code>-e</code>: written as <code>sed -ie</code>, GNU sed takes the <code>e</code> as a backup suffix and leaves a stray <code>mountkernfs.she</code> behind in the template.
==== Disable some services ====
In most cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:
 [VE]# update-rc.d -f klogd remove
==== Hostname ====
Set a proper hostname:
 [VE]# echo "localhost" > /etc/hostname
==== Set /etc/hosts ====
 [VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
==== Remove nameserver(s) ====
Remove the DNS entries; vzctl fills <code>/etc/resolv.conf</code> from the <code>--nameserver</code> setting when a VE is created from the template:
 [VE]# > /etc/resolv.conf
==== Clean packages ====
After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command will wipe them out:
 [VE]# apt-get clean
==== Anything else? ====
Think of what else could be done (like cleaning up log files, root's shell history, …). Anything left in the tree at this point is cloned into every VE created from the template.
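One way to do this cleanup systematically, as an added example that is not part of the page: a function that scrubs the build-session state out of a tree, taking the tree's root as an argument so it can be run as <code>sh scrub-template.sh /</code> inside the VE or against a staging copy. It assumes the Debian/Ubuntu filesystem layout; the log files are truncated rather than removed because syslogd expects them to exist.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): scrub build-VE state out of a
# template tree. ROOT is "/" when run inside the build VE, or a staging copy.
# Assumes the Debian/Ubuntu filesystem layout.
set -eu

scrub_template_tree() {
    root="$1"
    [ -d "$root/etc" ] || { echo "$root does not look like a root filesystem" >&2; return 1; }

    # Truncate logs instead of deleting them: syslogd expects the files to
    # exist, and their content records the build host's name and addresses.
    if [ -d "$root/var/log" ]; then
        find "$root/var/log" -type f -exec sh -c ': > "$1"' sh {} \;
    fi

    # Shell and editor history of whoever built the template (may hold passwords).
    rm -f "$root/root/.bash_history" "$root/root/.viminfo" "$root/root/.lesshst"

    # Cached .debs and apt's binary caches; apt-get update/install recreate them.
    rm -f "$root"/var/cache/apt/archives/*.deb "$root"/var/cache/apt/archives/partial/*
    rm -f "$root"/var/cache/apt/*.bin

    # DNS settings are written per VE by vzctl --nameserver.
    : > "$root/etc/resolv.conf"

    # Leftovers from the build session.
    for d in "$root/tmp" "$root/var/tmp"; do
        if [ -d "$d" ]; then
            find "$d" -mindepth 1 -delete
        fi
    done
}

# Usage (inside the VE): sh scrub-template.sh /
if [ "$#" -eq 1 ]; then
    scrub_template_tree "$1"
fi
```

SSH host keys are deliberately not touched here; they are handled by the first-boot regeneration step above, which also removes the old ones.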
==== Exit from the VE ====
Now everything is done. Exit from the template and go back to the hardware node.
 [VE]# exit
== Preparing for and packing template cache ==
The following commands are to be run on the host system (i.e. not inside a VE).
We don't need an IP for the VE anymore, and we definitely do not need it in the template cache, so remove it:
 [HW]# vzctl set 777 --ipdel all --save
Stop the VE:
 [HW]# vzctl stop 777
Change dir to the VE private area:
 [HW]# cd /vz/private/777
Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc.):
 [HW]# tar czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .
On Debian-based hosts <code>/vz</code> is usually a symlink to <code>/var/lib/vz</code>; either way, the tarball has to end up in the directory configured as <code>TEMPLATE</code> in <code>/etc/vz/vz.conf</code>, under <code>cache/</code>.
Look at the resulting tarball to see that its size is sane (the listing below is the page's example; your file will be named ubuntu-7.10-<arch>-minimal.tar.gz):
 # ls -lh /vz/template/cache
 -rw-r--r-- 1 root root 51M Apr 10 03:16 debian-4.0-i386-minimal.tar.gz
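Size is a weak check. A better one, added here as an example that is not part of the page, is to look inside the tarball for build-VE state that must not be cloned into every VE: SSH host keys, root's shell history, cached <code>.deb</code> files, non-empty logs and a populated <code>resolv.conf</code>. The function assumes the tarball was created as above (members named <code>./etc/...</code> or <code>etc/...</code>) and needs only <code>tar</code>, <code>grep</code> and <code>xargs</code>.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): audit a template cache tarball
# for build-VE state that must not be cloned into every VE created from it.
# Prints one line per finding and returns non-zero if anything was found.
set -eu

flag() {
    echo "$tarball: $1"
    findings=$((findings + 1))
}

audit_template() {
    tarball="$1"
    findings=0
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 2; }
    listing=$(tar tzf "$tarball")

    # SSH host keys: every VE would present the same identity, and the private
    # keys would be readable by anyone who can read the template cache.
    printf '%s\n' "$listing" | grep -q 'etc/ssh/ssh_host_' && flag "SSH host keys present"

    # Shell/editor history shows what the builder typed, passwords included.
    printf '%s\n' "$listing" | grep -qE 'root/\.(bash_history|viminfo|lesshst)$' \
        && flag "root shell history present"

    # Cached .debs only add bulk; apt-get clean should have removed them.
    printf '%s\n' "$listing" | grep -q 'var/cache/apt/archives/.*\.deb$' \
        && flag "cached .deb packages present"

    # Log files should exist but be empty; content leaks build-host details.
    logs=$(printf '%s\n' "$listing" | grep -E '^(\./)?var/log/' | grep -v '/$' || true)
    if [ -n "$logs" ]; then
        bytes=$(printf '%s\n' "$logs" | xargs tar xzOf "$tarball" | wc -c | tr -d ' ')
        [ "$bytes" -eq 0 ] || flag "log files contain $bytes bytes"
    fi

    # resolv.conf must be empty: vzctl writes it from --nameserver on create.
    member=$(printf '%s\n' "$listing" | grep -E '^(\./)?etc/resolv\.conf$' | head -n 1 || true)
    if [ -n "$member" ] && [ -n "$(tar xzOf "$tarball" "$member")" ]; then
        flag "resolv.conf is not empty"
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh audit-template.sh /vz/template/cache/ubuntu-7.10-i386-minimal.tar.gz
if [ "$#" -eq 1 ]; then
    audit_template "$1"
fi
```

Running it before the tarball is copied anywhere is the last point at which a leaked key or password in the template costs one rebuild rather than a fleet of re-keyed VEs.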
== Testing template cache ==
We can now create a VE based on the just-created template cache. Be sure to replace <arch> with your architecture just like you did when you named the tarball above.
 [HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal
Now make sure that your new VE works:
 [HW]# vzctl start 123456
 [HW]# vzctl exec 123456 ps axf
Other tests that could be done are:
 [HW]# vzctl enter 123456
 [VE]# dpkg -l
 [VE]# logout
 [HW]#
== Final cleanup ==
Stop and remove the test VE you just created:
 [HW]# vzctl stop 123456
 [HW]# vzctl destroy 123456
 [HW]# rm -f /etc/vz/conf/123456.conf.destroyed
Finally, let's remove the VE we used for OS template cache creation:
 [HW]# vzctl destroy 777
 [HW]# rm -f /etc/vz/conf/777.conf.destroyed