Difference between revisions of "Deploying Debian VEs without Templates"
(url changed. Old one not working any more) |
(SEO spam removed) |
||
Line 31: | Line 31: | ||
=== Templates are of questionable security === | === Templates are of questionable security === | ||
− | Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. | + | Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE. |
=== It's not needed after all === | === It's not needed after all === |
Revision as of 21:01, 1 June 2011
Installing Debian Virtual Environments without relying on a precreated template has many advantages and a few drawbacks. This article tries to outline those factors and provide a possible solution to reduce the amount of work needed for template-less Debian deployments.
Contents
Templates
Templates are at the heart of the OpenVZ VE creation process. A "template cache" is basically a tarball consisting of a minimum operating system installation of a given Linux flavor.
Reasons for pre-built templates
Very fast VE deployment
Deploying a new VE with a tarball reduces the work needed to extracting said tar archive, so the deployment speed can't be any faster. It's possible that certain vzfs optimizations rely on templates being deployed from a specific cached template.
Template can contain complex modifications
Since templates can contain any files with any given content, you can deploy heavily modified VEs without any problems.
Access to a package repository
Running a bootstrapper instead of using templates requires access to a package repository, which might not be feasible in certain environments.
Reasons against pre-built templates
Management of tarballs can be tedious
Managing templates in a non-trivial environment can become it's own demanding task, if taken seriously. The templates have to be updated constantly to reflect new security updates or operating system point releases. And with every updated template, said templates have to be distributed to all Hardware Nodes where they are used.
Experience has shown, that quality is one of the first things being cut in operations/production environments when being time constrained, so preventing one source of constant work improves quality and security instantly and irrevocably.
Templates are of questionable security
Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE.
It's not needed after all
With Debian, there is no reason to actually use pre-built templates if you're not time-constrained in the deployment process and have other means of managing your configuration.
Since debootstrap is the tool at the core of every Debian installation it doesn't matter if it's run by the Debian Installer, during template creation, by hand or even in a completely different Linux distribution.
Management of configuration files by means of templates is a non-sustainable way of doing Configuration Management. In environments with few (if any) changes this can work out nicely, but in more agile/complex environments a proper Configuration Management solution should be used.
Basic Steps
The basic steps needed to deploy Debian VEs are outlined in Debian template creation.
A working solution
To automate the process of deploying VEs with debootstrap a bit of shell-scripting glue is needed.
A work-in-progress version of such a tool can be found at https://github.com/terrorobe/vzstuff. To get a local copy you will need to install git and then run the following command:
git clone git://github.com/terrorobe/vzstuff.git
Following the instructions in the README file should get you started nicely.