OpenVZ Virtuozzo Containers Wiki β

Changes

Installation on Debian/old

2,993 bytes added, 20:30, 8 October 2013
add a big fat warning
= Sarge-Dapper (Stable) ={{Warning|The OpenVZ packages at http://debian.systs.org/ aimed majority of the content on this page only applies to install OpenVZ in a easy wayolder, some task are done unsupported Debian versions and is archived on install process!this page for historical reasons only. '''The page you need is [[Installation on Debian]].'''}}
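Review bot: the new warning says the content applies to "older, unsupported Debian versions" without naming them, while the introduction directly below it still gives directions for Squeeze and Wheezy (7.0). Suggest listing the releases the archived instructions cover in the warning itself, so a reader can tell at a glance whether the page or [[Installation on Debian]] applies to their system.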
== edit apt source settings ==Add to your "/etc/apt/sourcesOpenVZ consists of a kernel, user-level tools, and container templates.list"
<pre>This guide tells how to install the kernel and the tools on [http://www.debian.org Debian] Etch or Lenny/Squeeze.  For Squeeze, use the Lenny directions. For Wheezy (7.0), use the vzctl package included in wheezy, together with the Wheezy OpenVZ kernels from [http://download.openvz.org/debian/ http://download.openvz.org/debian/]. deb Alternatively reduced functionality may be possible using the stock Debian Wheezy kernel (based on kernel.org version 3.2) and [[Vzctl_for_upstream_kernel]]. You may also wish to check the information on [http://wiki.debian.systs.org/ sarge openvzOpenVz the Debian wiki]. For Etch users, this document explains how to partially upgrade to Debian Lenny and install from lenny repositories ('''use this options at your risk'''). == Requirements == === Filesystems ===It's recommended that you use a separate partition for container privatedirectories (by default <code>/prevar/lib/vz/private/<CTID></code>). The reason for this is that if you wish to use the OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that "per-container quota" in this context includes not only pure per-container quota but also the usual Linux disk quota used in container, not on the [[HN]]. At the very least try to avoid using the root partition for containers, because the root user of a container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system. OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems; therefore it makes sense to use one of these filesystems (ext3 is recommended) if you need per-container disk quota.
and get the new package lists=== Repository setup (Etch only) ===
<pre># apt-get update</pre>'''If you are using Debian Lenny, this step in no longer required. Openvz kernel packages and tools are available on main repository.'''
==== 1. Using openvz.org repositories ====
== precompiled kernel images At the moment two different repositories are online at debian.systs.org (dso) ==The kernel-images on debianhttp://download.systsopenvz.org (dso) use the same kernel-config taken from OpenVZ.(most kernel-modules are built-in!):
If there is more than one CPU available ; by Ola Lundqvist <opal@debian.org>: (or a CPU with hyperthreadingOpenVZ kernels only), use the kernel-smp deb.If there is more than 4 Gb of RAM available, use the kernel: apt-enterprise deburi http://download.Otherwise, use the plain kernel deb (kernel)openvz.org/debian
{| class="wikitable"; by Thorsten Schifferdecker <tsd@debian.systs.org>|+'''Kernel flavors list'''! Kernel type !! Description !! Hardware !! Use case|: apt-! uri http://download.openvz.org/debian-systs| uniprocessor| up to 4GB : (Mirror of RAM||-! -smp| symmetric multiprocessor| up to 4 GB of RAM| 10-20 VPSs|-! -entnosplit| SMP + PAE support| up to 64 GB of RAM| 10-30 VPSs|-! -enterprise| SMP + PAE support + 4OpenVZ Repository from http://debian.systs.org/4GB split| up to 64 GB of RAM| >20-30 VPSs|})
kernel-image{{Note|The next steps use the repository at http: i368 and amd64<pre> ovzkernel-2//download.6openvz.9 ovzkernelorg/debian-2.6.9-enterprise ovzkernel-2.6.9-entnosplit ovzkernel-2systs; the actual OpenVZ Tools for Debian exist only as unstable builds, see http://packages.6debian.9-smporg/vzctl}}
ovzkernel-2{{Note|By default, on Ubuntu systems root tasks are executed with [https://help.6ubuntu.18 ovzkernel-2.6.18-enterprise ovzkernel-2.6.18-smp<com/community/pre>RootSudo sudo]}}
i386 only:This can be done via the following commands, as root or as privileged "sudo" user
<pre>
ovzkernel# echo -2e "\ndeb http://download.6openvz.18org/debian-enterprise systs etch openvz" >> /etc/apt/sources.list# wget -q http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc -O- | apt-key add - && apt-get update
</pre>
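Review bot: the repository setup command in this block pipes <code>http://download.openvz.org/debian-systs/dso_archiv_signing_key.asc</code> straight into <code>apt-key add -</code>, so the key apt will trust for this repository arrives over plain HTTP with no fingerprint check, and the page gives no fingerprint to compare against. Suggest splitting the step: download the key to a file, compare its fingerprint with a value published through a separate channel, and only then add it and run <code>apt-get update</code>.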
OpenVZ tool==== 2. Using Debian repositories (supgrade to lenny) for i386 and amd64==== There is even a '''lenny''' repository with kernel 2.6.28. '''Use it at your own risk!''' Add lenny repositories to your '''/etc/apt/sources.list'''
<pre>
vzctldeb http://DEBIAN-MIRROR/debian/ testing main vzquota vzprocps vzdumpdeb http://DEBIAN-MIRROR/debian-security/ testing/updates main
</pre>
template(s) for i368 and amd64 Enlarge apt-cache adding to '''/etc/apt/apt.conf''' this line: Debian 3.1 Minimal
<pre>
vzctlAPT::Cache-ostmpl-debianLimit "100000000";
</pre>
== installing the kernel-images, toolset Give etch package priority over lenny packages. Edit '''/etc/apt/preferences''' and debian-os-template =set like this:<pre>Package: *Pin: release a=etchExamplePin-Priority: install the stable OpenVZ kernel, tools and Debian OS Template700
# aptitude install ovzkernelPackage: *Pin: release a=lennyPin-2.6.9 vzctl vzquota vzdump vzctl-ostmpl-debianPriority: 650</pre>
Then '''apt-get update && apt-get dist-upgrade''' to upgrade to lenny.
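Review bot: the two <code>deb</code> lines added for the lenny upgrade name the <code>testing</code> suite, while the heading, the surrounding text and the pin stanza (<code>Pin: release a=lenny</code>) all refer to lenny. <code>testing</code> is an alias that moves on to the next release, so a reader following this step later pulls a different distribution than the one described. Suggest writing the codename in both <code>deb</code> lines, or stating which release <code>testing</code> pointed to when this was written.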
Maybe you need to update your "linux-loader" (can be configured at /etc/kernel-img.conf)== Kernel installation ==
for the "GRUB": === Wheezy and Lenny ===
# {{Note|The best kernel to use is [[Download/sbinkernel/grubrhel6|RHEL6-update based]]. Please see [[Install_kernel_from_RPM_on_Debian_6.0]]}}
=== Etch ===
Reboot in your new Debian Stable OpenVZ System==== 1. Using openvz kernel repositories ====
# reboot{{Note|In case you want to recompile the OpenVZ kernel yourself on Debian, see [[Compiling the OpenVZ kernel (the Debian way)]].}}
First, you need to choose what kernel you want to install.
That{| class="wikitable"|+'s all ''OpenVZ Kernel list built with kernel config from http://download.openvz.org'''! Kernel !! Description !! Hardware !! Debian Architecture|-! ovzkernel-2.6.18| uniprocessor| up to 4GB of RAM| i386 and amd64|-! ovzkernel-2.6.18-smp| symmetric multiprocessor| up to 4 GB of RAM| i386 and amd64|-! ovzkernel-2.6.18-)enterprise| SMP + PAE support + 4/4GB split| up to 64 GB of RAM| i386 only|}
Now it{| class="wikitable"|+''s time to setup your VE's OpenVZ Kernel list built with the minimal official Debian kernel config and OpenVZ Settings'''! Kernel !! Description !! Hardware !! DebianArchitecture|-! fzakernel-32.1 Template, create new one or download another precreated OS6.18-686| uni- and multiprocessor| up to 4GB of RAM| i386|-Template! fzakernel-2.6.18-686-bigmem| symmetric multiprocessor| up to 64 GB of RAM| i386|-! fzakernel-2.6.18-amd64| uni- and multiprocessor| | amd64|-|}
= Etch (Testing) =<pre>OpenVZ is now a part of Debian Etch (a.k.a. "testing") repository. # apt-get install <kernel></pre>
== install === Configuring the kernel-image bootloader =====
=== precompiled kernel images at download.openvz.org ===Can In case GRUB is used as the boot loader, it will be configured automatically, or execute update-grub; lines similar to these will be found at http:added to the <tt>/boot/grub/download.openvzmenu.org/kernel/debian/etchlst</tt> file:
<pre>
List of precompiled kernel-images  linux-image-2[.6.18-openvz-486_02_i386.deb] linux-image- title Debian GNU/Linux, kernel 2.6.18-openvzovz-686_02_i386028stab051.deb1-686 root (hd0,1) linux-image kernel /vmlinuz-2.6.18-openvzovz-amd64_01_amd64028stab051.deb1-686 root=/dev/sda5 ro vga=791 linux-image initrd /initrd.img-2.6.18-openvzovz-ia64_01_ia64028stab051.deb linux-image1-2.6.18-openvz-k7_02_i386.deb686 linux-image-2.6.18-openvz-sparc64-smp_01_sparc.deb savedefault linux-image-2[.6.18-openvz-sparc64_01_sparc.deb ]
</pre>
Example: Installing an OpenVZ precompiled Debian Kernel-Image for an i686: <pre> # wget http://download.openvz.org/kernel/{{Note|per default on debian/etch/linux-image-ubuntu, a 2.6.18-openvz-686_02_i386.deb # dpkg -i linux-image-22 kernel will boot before a 2.6.18, please check manually the grub boot order. See man update-openvz-686_02_i386.deb</pre>grub for more details}}
=== precompiled kernel images at debian.systs.org == Installing the user-level tools =====
Add to your "/etc/apt/sourcesOpenVZ needs some user-level tools installed.list"Those are:
<pre>; vzctl deb http://debianA utility to control OpenVZ containers (create, destroy, start, stop, set parameters etc.systs); vzquota: A utility to manage quotas for containers. Mostly used indirectly (by vzctl).org/ etch openvz</pre>
Add the signing key of debian.systs.org (dso) apt-keyring, (need root permissions)
<pre>
# wget http://debian.systs.org/dso_archiv_signing_key.asc -q -O - | [sudo] apt-key add -get install vzctl vzquota
</pre>
and get the new package lists==== 2 Using Debian lenny repositories ====
If you upgrade to lenny, you can search openvz kernel and can install with:
<pre>
# apt-get updateinstall linux-image-openvz-686
</pre>
 linux-image (version 028stab023.1)this command will install latest kernel and all required packages like:
<pre>
ovzkernelapt-get install iproute libatm1 linux-image-2.6.18 (i386 and amd64) ovzkernel26-1-2.6.18openvz-686 linux-image-smp (i386 and amd64) ovzkernelopenvz-2.6.18686 rsync vzctl vzquota libcgroup-enterprise only (i386)dev
</pre>
and will arrange grub bootloader properly.
# apt-get install <linux-image>=== Rebooting into OpenVZ kernel ===
=== or build {{Warning|Before you restart your Server, verify that your system has all needed modules enabled in order to boot your own kernel-image harddisk (e.g. hardware modules, raid system(s), lvm2 etc). You may need an INITRD (debian wayinitramdisk) ===or to compile needed kernel modules statically.}}
To install Now reboot the kernel-source machine and choose the OpenVZ Linux Kernel on the boot loader menu. If the OpenVZ kernel patchhas been booted successfully, run:<pre> # aptproceed to installing the user-get install kernel-package linux-source-2.6level tools for OpenVZ.18 kernel-patch-openvz libncurses5-dev</pre>
=== Confirm proper installation ===
Unpack the kernel-source1. Kernel:
<pre>
# cd /usr/srcuname -r # tar xjf linux-source-2.6.18.tar.bz226-1-openvz-686 # cd linux-source-2.6.18
</pre>
 You need a kernel config2.You can use the config of the debian-Openvz kernelfacility:
<pre>
# cp /boot/config-2.6.18-3-686 .configps ax | grep vz 2349 ? S 0:00 [vzmond]
</pre>
 Or get a 23.6.18 kernel config from httpA network interface for containers://download.openvz.org/kernel/devel/current/configs/
<pre>
# wget httpifconfig venet0 Link encap://download.openvz.org/kernel/devel/current/configs/kernelUNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-2.6.1800-028test01000-i68600 UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.config.ovz -O 0 B) TX bytes:0 (0.config0 B)
</pre>
== Configuring ==
 
=== sysctl ===
Now you can apply openvz There are a number of kernel patch and modify your kernel-config:parameters that should be set for OpenVZ to work correctly. These parameters are stored in <prett> # ../kernel-patches/alletc/apply/openvz # make menuconfigsysctl.conf</prett>file. Here is the relevant part of the file; please edit it accordingly.
{{Note|vzctl version from debian-systs, automatically inserts these options at the last of <tt>/etc/sysctl.conf</tt>, except for net.ipv4.ip_forward}}
You need following OpenVZ kernel config settings:
<pre>
(taken from a OpenVZ Kernel 2[.6.18-028test010.1 on 686)]
Filesystem# On Hardware Node we generally need\_ [*] Second extended fs support (CONFIG_EXT2_FS)\_ [*] Ext3 journalling file system support (CONFIG_EXT3_FS)\_ [*] Quota Support (CONFIG_QUOTA) \_ [*] Compatibility with older quotactl interface (CONFIG_QUOTA_COMPAT) \_ [*]Quota format v2 support (CONFIG_QFMT_V2)\_ [*] VPS filesystem (CONFIG_SIM_FS)\_ [*] Virtuozzo Disk Quota support (CONFIG_VZ_QUOTA) \-> [*] Per-user # packet forwarding enabled and per-group quota in Virtuozzo quota partitions (VZ_QUOTA_UGID)proxy arp disabled
OpenVZ net.ipv4.conf. (what else :-)default.forwarding=1\_[*] Virtual Environment support (CONFIG_VE)net.ipv4.conf.default.proxy_arp=0 \_ <M> VE calls interface (CONFIG_VE_CALLS) \_ <M> VE networking (CONFIG_VE_NETDEV) \_ <M> Virtual ethernet device (CONFIG_VE_ETHDEV) \_ <M> VE device (CONFIG_VZ_DEV) \_ [*] VE netfiltering (CONFIG_VE_IPTABLES) \_ <M> VE watchdog module (CONFIG_VZ_WDOG) \_ <M> Checkpointing & restoring Virtual Environments (CONFIG_VZ_CHECKPOINT)net.ipv4.ip_forward=1
User resources # Enables source route verificationnet.ipv4.conf. (User Beancounters)\_ [*] Enable user resource accounting (CONFIG_USER_RESOURCE)\_ [*] Account physical memory usage ( CONFIG_USER_RSS_ACCOUNTING)\_ [*] Account disk IO (CONFIG_UBC_IO_ACCT)\_ [*] Account swap usage (CONFIG_USER_SWAP_ACCOUNTING)\_ [*] Report resource usage in /proc (CONFIG_USER_RESOURCE_PROC)\_ [*] User resources debug features (CONFIG_UBC_DEBUG)\_ [*] Debug kmemsize with cache counters (CONFIG_UBC_DEBUG_KMEM)</pre>all.rp_filter=1
# Enables the magic-sysrq key
kernel.sysrq=1
<pre># TCP Explict Congestion Notification INFO: Better to build the kernel-headers as well, so afterward other kernel-modules can built without whole kernel tree (e.g#net. drbd -> drbd0ipv4.7-module-source) See also : # make-kpkg --targets</pre>tcp_ecn=0
# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.all.send_redirects=0
Compile your Kernel (as user root, or you need the --rootcmd!)<pre> # make-kpkg --append_to_version=-1-openvz --added_patches=openvz --revision=1 --initrd binary-arch or all above with one step   # make-kpkg --append_to_version=-1-openvz --added_patches=openvz --revision=1 --initrd --config menuconfig binary-arch[...]
</pre>
# [sudo] sysctl -p
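Review bot: in the sysctl block, the comment "we do not want all our interfaces to send redirects" is followed by <code>net.ipv4.conf.default.send_redirects=1</code>, which leaves redirects enabled for the <code>default</code> entry; only the <code>all</code> entry is set to 0. Interfaces created later take their per-interface value from <code>default</code>, so the setting contradicts the comment. Suggest setting <code>default</code> to 0 as well, or rewording the comment to say why it stays at 1.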
Install the kernel and update initramfs:{{Note|You can make a symlink from /var/lib/vz to /vz as backward<pre>compatibility to OpenVZ as installed in other distributions # dpkg -i ..(Debian vz root directory is /var/lib/linux-image-2.6.18-1-openvz_1_i386.deb # update-initramfs -c vz to be FHS-k 2compliant.6.18-1-openvz</pre>}}
<pre> INFO: update # [sudo] ln -initramfs is done, when make-kpkg is use with --initrd option INFO: update-grub can be configured by s /var/etclib/kernel-img.conf<vz /pre>vz
Update the bootloader (when not done above)=== OS templates ===
GRUB :{{Note|Support of OS templates on 64 bit hosts is somewhat limited for the time being, so that not all tools or features are available - please see [[Making template tools to work on x86_64]] and [[Install OpenVZ on a x86 64 system Centos-Fedora]] for additional details and information on possible workarounds}}
# /usr/sbin/update-grubTo install a container, you need OS template(s).
INFOPrecreated templates can be found [http: since the Debian ETCH-release the location of update-grub is moved from /sbin/update-grub to wiki.openvz.org/usrDownload/sbintemplate/update-grub !precreated here] and [http://download.openvz.org/contrib/template/precreated/ here].
You can create your own templates, see
[[Debian template creation]], [[Ubuntu Gutsy template creation]] and [[:Category: Templates]].
== install {{Note|Setup your prefered standard OS Template : edit the toolset ==/etc/vz/vz.conf}}
You need the toolset for manage # [sudo] apt-ing OpenVZ Virtual Enviromennt (VE)get install vzctl-ostmpl-debian-5.0-i386-minimal
<pre> # apt-get install vzctl vzquota</pre>== Additional User Tools ==
; vzprocps
: A set of utilities to provide system information (vzps and vztop)
== modify needed settings ==; [[vzdump]]: A utility to backup and restore container.
a Debian Way: # [sudo] apt-get install vzprocps vzdump
If you want network access for the virtual server then you need to enable IP forwarding. Set "ip_forward" to yes in /etc/network/option.
# editor /etc/network/optionsOn Debian squeeze, vzdump seems packaged in standard aptline. For lenny, See [[Backup_of_a_running_container_with_vzdump]]
== Secure it ==
In some cases If you may need want to enable proxy_arp for the network devices that you want secure your virtual hosts to be accessible on.You can add this container with individual firewall rules (instead or additionally to a specific interface in securing the network configuration (/etc/network/interfaceshost node) by then you must run iptables inside the following lines, replace %DEV% with your device name (iecontainer. This works slightly different than on a physical server. eth0)So make sure that you check that iptables rules are indeed applied as expected inside the container.
Example:Iptables modules required by the container must be specified in the general vz.conf file or the vzXXX.conf file of the container.
<pre>[Add the following line into vz.conf to activate the respective iptables modules for all containers..]# device: %DEV%iface %DEV% inet static address 192.168.0.2 netmask 255.255.255.0 network 192.168.2.0 broadcast 192.168.2.255 gateway 192.168.2.1
up sysctl -w net.ipv4.conf.%DEV%.proxy_arp=0 pre-down sysctl -w net.ipv4.conf.%DEV%.proxy_arp IPTABLES=1"ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl [...]</pre>ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_LOG ipt_conntrack ipt_helper ipt_state iptable_nat ip_nat_ftp ip_nat_irc ipt_TOS"
or use the [[http:/etc/network/if-up/ and /etc/network/if-downwiki.debian.dorg/ directories. <pre> INFO: # man 5 interfaces (to read more about debian's network interface configuration for ifup and ifdown) INFO: Please add to use DebianFirewall][Configure]] your iptable rules inside the magic-sysrq key, to your /etc/sysctlcontainer.conf</pre>
{{Warning|Note that iptables rules inside the container are not applied automatically as on a (plain) OpenVZ Linux Way:physical server by starting the iptables module! Follow the instructions below}}
Add settings to "To make sure the iptables rules are applied on a startup/etc/sysctl.conf"reboot we'll create a new file:
< nano /etc/network/if-pre> # On Hardware Node we generally need # packet forwarding enabled and proxy arp disabled net.ipv4.ip_forward = 1 net.ipv4.conf.default-up.proxy_arp = 0d/iptables
# Enables source route verification net.ipv4.conf.all.rp_filter = 1Add these lines to it:
# Enables the magic-sysrq key!/bin/bash kernel/sbin/iptables-restore < /etc/iptables.up.sysrq = 1rules
# TCP Explict Congestion Notification # net.ipv4.tcp_ecn = 0The file needs to be executable so change the permissions:
# we do not want all our interfaces to send redirects net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.all.send_redirects = 0 </pre>  <pre> INFO: Suggestion: Please make a symlink from /varchmod +x /libetc/vz to network/vz as backward compability to Main OpenVZ (Debian vz root directory is installed FHSif-like to /var/lib/vz)  # ln pre-s up.d/var/lib/vz /vz</pre>iptables
Start iptables
'''Before you restart your Server, keep in mind, that your system has all needed modules enabled; booting from your harddisk (e.g. hardware modules, raid system(s), lvm2 /etc). May you need a INITRD (initramdisk) or compile needed kernel modules statically in/init.'''d/iptables start
If the startup shows errors then you have probably not activated the needed iptables modules. See above.
# rebootCheck inside the container that your iptables rules are indeed applied:
iptables -L
If the rules do not show up as you would expect on a physical server then you might not have activated the needed iptables modules.
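Review bot: the boot hook added in this section restores rules from <code>/etc/iptables.up.rules</code>, but no step on the page writes that file, and the "Start iptables" step calls <code>/etc/init.d/iptables</code> rather than the <code>/etc/network/if-pre-up.d/iptables</code> hook created just above. A reader who follows the steps as written has nothing for the hook to restore. Suggest adding the step that saves the rule set to <code>/etc/iptables.up.rules</code>, and making the start step refer to the hook so that the <code>iptables -L</code> check afterwards verifies the same path that runs at boot.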
That's all== Start it!==
Now it's time to create a OS Template or download another precreated OS-Template # [sudo] /etc/init.d/vz start
This does not make the vz system automatically start at boot time. For automatic start:
INFO: Suggestions: Setup your default OS Template in /etc/# [sudo] update-rc.d vz/vz.confdefaults 98
== Use it! ==
After installing the OpenVZ kernel, user tools and a minimal OS template
to create a first container and do some [[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki.
[[Category: HOWTO]]
[[Category: Debian]]
[[Category: Installation]]