Difference between revisions of "Ubuntu Gutsy template creation"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
m (Clean packages)
(upgrade to an easier install process with chroot)
Line 32: Line 32:
 
Run debootstrap to install a minimal Ubunty Gutsy system into that directory:
 
Run debootstrap to install a minimal Ubunty Gutsy system into that directory:
  
  # debootstrap --arch ''ARCH'' gutsy gutsy-chroot
+
  # debootstrap [--arch ''ARCH''] gutsy gutsy-chroot  
  
Substitute your architecture instead of ''ARCH''. For example, for AMD64/x86_64, use <code>amd64</code> or for ia64, use <code>ia64</code>. For i386 you do not have to give this option.
+
If ARCH of VE0 is equal to VE, than you can skip the arch option, but if you need to build a VZ OS Template with another ARCH arch can be:
  
=== Preparing/starting a VE ===
+
Substitute your architecture instead of ''ARCH'':
  
Now then you have an installation created by debootstrap, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.
+
AMD64/x86_64, use <code>amd64</code>
 +
ia64, use <code>ia64</code>
 +
i386 <code>i386</code>
  
==== Moving installation to VE private area ====
+
=== chrooting ===
  
You should move the contents of gutsy-chroot directory into new VE private area, like this:
+
Without createing a running VE for building a VE OS Template it's another way : chroot
  
  # mkdir /vz/private/777
+
  [VE0]# cd gutsy-chroot; chroot ./
# mv gutsy-chroot/ /vz/private/777
 
  
==== Setting VE config ====
+
[VE]# mount -t proc none /proc
An initial config for the [[VE]] is needed:
 
# vzctl set 777 --applyconfig vps.basic --save
 
  
==== Setting VE OSTEMPLATE ====
 
Also, we need <tt>OSTEMPLATE</tt> to be set in VE configuration file, for the [[vzctl]] to work properly.
 
  
# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
+
=== Remove unneeded packages ===
 
 
==== Setting VE IP address ====
 
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
 
# vzctl set 777 --ipadd x.x.x.x --save
 
 
 
{{Note|if you use private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}
 
 
 
==== Setting DNS server for VE ====
 
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
 
# vzctl set 777 --nameserver x.x.x.x --save
 
 
 
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
 
 
 
==== Starting VE ====
 
Now start the VE:
 
# vzctl start 777
 
 
 
=== Modify the installation ===
 
 
 
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).
 
 
 
First, enter a VE:
 
# vzctl enter 777
 
 
 
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}
 
 
 
==== Remove unneeded packages ====
 
  
 
Some packages does not make sense in a VE. Remove those:
 
Some packages does not make sense in a VE. Remove those:
Line 96: Line 66:
 
  [VE]# rm -fr /lib/udev
 
  [VE]# rm -fr /lib/udev
  
==== Disable getty ====
+
=== Disable getty ===
 
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have.
 
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have.
  
Line 103: Line 73:
 
First way:
 
First way:
 
  [VE]# rm /etc/event.d/tty*
 
  [VE]# rm /etc/event.d/tty*
 +
 
Second way:
 
Second way:
 
  [VE]# dpkg -P system-services
 
  [VE]# dpkg -P system-services
Line 108: Line 79:
 
Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.
 
Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.
  
====  Set sane permissions for /root directory ====
+
===  Set sane permissions for /root directory ===
  
 
  [VE]# chmod 700 /root
 
  [VE]# chmod 700 /root
  
==== Disable root login ====
+
=== Disable root login ===
  
 
  [VE]# usermod -L root
 
  [VE]# usermod -L root
  
==== Get new security updates ====
+
=== Get new security updates ===
  
 
  [VE]# apt-get update && apt-get upgrade
 
  [VE]# apt-get update && apt-get upgrade
Line 122: Line 93:
 
<small>This didn't show anything for me, but might do something in the future.</small>
 
<small>This didn't show anything for me, but might do something in the future.</small>
  
==== Install some more packages ====
+
=== Install some more packages ===
  
 
  [VE]# apt-get install ssh quota
 
  [VE]# apt-get install ssh quota
Line 128: Line 99:
 
Feel free to add packages which you want to have in a default template to this command.
 
Feel free to add packages which you want to have in a default template to this command.
  
==== Fix SSH host keys ====
+
=== Fix SSH host keys ===
 
This is only useful if you installed SSH above.  Each individual [[VE]] should have its own pair of SSH host keys.  The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.
 
This is only useful if you installed SSH above.  Each individual [[VE]] should have its own pair of SSH host keys.  The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.
  
Line 145: Line 116:
  
  
==== Disable <code>sync()</code> for syslog ====
+
=== Disable <code>sync()</code> for syslog ===
  
 
Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
 
Turn off doing <tt>sync()</tt> on every write for <code>syslog</code>'s log files, to improve overall I/O performance.
Line 153: Line 124:
 
  <pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
 
  <pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
  
==== Fix <code>/etc/mtab</code> ====
+
=== Fix <code>/etc/mtab</code> ===
 
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 
  [VE]# rm -f /etc/mtab
 
  [VE]# rm -f /etc/mtab
Line 161: Line 132:
 
  [VE]# update-rc.d -f mtab.sh remove
 
  [VE]# update-rc.d -f mtab.sh remove
  
==== Get rid of tmpfs mounts ====
+
=== Get rid of tmpfs mounts ===
  
 
  [VE]# sed -ie '/tmpfs/d' /etc/init.d/mountkernfs.sh
 
  [VE]# sed -ie '/tmpfs/d' /etc/init.d/mountkernfs.sh
  
==== Disable some services ====
+
=== Disable some services ===
  
 
In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:
 
In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:
Line 171: Line 142:
 
  [VE]# update-rc.d -f klogd remove
 
  [VE]# update-rc.d -f klogd remove
  
==== Clean packages ====
+
=== Clean packages ===
 
After installing packages, you'll have some junk packages laying around in your cache.  Since you don't want your template to have those, this command will wipe them out.
 
After installing packages, you'll have some junk packages laying around in your cache.  Since you don't want your template to have those, this command will wipe them out.
 
  [VE]# apt-get clean
 
  [VE]# apt-get clean
  
 +
Set propper hostname and file /etc/hosts
  
Set propper hostname and file /etc/hosts
 
 
  [VE]# echo "localhost" > /etc/hostname
 
  [VE]# echo "localhost" > /etc/hostname
 
  [VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
 
  [VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
Line 186: Line 157:
  
 
Now everything is done.  Exit from the template and go back to the hardware node.
 
Now everything is done.  Exit from the template and go back to the hardware node.
 +
 +
[VE]# umount /proc
 
  [VE]# exit
 
  [VE]# exit
  
<big><big>To be continued</big></big>
+
== Build precreated VZ OS Template ==
 +
 +
[VE0]# tar -xzf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./
 +
 
 +
 
 +
 
 +
== Update a VE OS Template ==
 +
 +
Chroot to your debstrapped system
 +
[VE0]# cd <dir>; chroot ./
 +
 
 +
Update and Install updates
 +
[VE] # apt-get update && apt-get upgrade
 +
 
 +
Cleanup
 +
[VE] # apt-get clean
 +
 
 +
Clean unused log files, .bash_history etc.
 +
[VE] # exit
 +
 +
Build your updated VE OS Template
 +
[VE0]# tar -xzf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./

Revision as of 20:49, 14 November 2007


This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to Debian template creation, but it differs in some subtle details.

Prerequisites

debootstrap

You have to have a debootstrap working for Gutsy, i.e. you should have

  • debootstrap and its dependencies
  • /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubunty Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

vzctl

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See OpenVZ Bug #662 for details.

Creating template

Running debootstrap

Create some directory:

# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

# debootstrap [--arch ARCH] gutsy gutsy-chroot 

If ARCH of VE0 is equal to VE, than you can skip the arch option, but if you need to build a VZ OS Template with another ARCH arch can be:

Substitute your architecture instead of ARCH:

AMD64/x86_64, use amd64
ia64, use ia64
i386 i386

chrooting

Without createing a running VE for building a VE OS Template it's another way : chroot

[VE0]# cd gutsy-chroot; chroot ./
[VE]# mount -t proc none /proc


Remove unneeded packages

Some packages does not make sense in a VE. Remove those:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
  udev pcmciautils initramfs-tools volumeid console-setup \
  xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
  module-init-tools linux-sound-base console-tools \
  console-terminus busybox-initramfs libvolume-id0 \
  ntpdate

Clean up after udev:

[VE]# rm -fr /lib/udev

Disable getty

On a usual Linux system, getty is running on a virtual terminals, which a VE does not have.

There are two ways to disable it:

First way:

[VE]# rm /etc/event.d/tty*

Second way:

[VE]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

Set sane permissions for /root directory

[VE]# chmod 700 /root

Disable root login

[VE]# usermod -L root

Get new security updates

[VE]# apt-get update && apt-get upgrade

This didn't show anything for me, but might do something in the future.

Install some more packages

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

Fix SSH host keys

This is only useful if you installed SSH above. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys


Disable sync() for syslog

Turn off doing sync() on every write for syslog's log files, to improve overall I/O performance. In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.

[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf

Fix /etc/mtab

Link /etc/mtab to /proc/mounts, so df and friends will work:

[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable mtab.sh script which messes with /etc/mtab:

[VE]# update-rc.d -f mtab.sh remove

Get rid of tmpfs mounts

[VE]# sed -ie '/tmpfs/d' /etc/init.d/mountkernfs.sh

Disable some services

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[VE]# update-rc.d -f klogd remove

Clean packages

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

[VE]# apt-get clean

Set propper hostname and file /etc/hosts

[VE]# echo "localhost" > /etc/hostname
[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

Remove DNS entries:

[VE]# > /etc/resolv.conf

Maybe clean up logfile, root history etc.

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# umount /proc
[VE]# exit

Build precreated VZ OS Template

[VE0]# tar -xzf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./


Update a VE OS Template

Chroot to your debstrapped system
[VE0]# cd <dir>; chroot ./
Update and Install updates
[VE] # apt-get update && apt-get upgrade
Cleanup
[VE] # apt-get clean
Clean unused log files, .bash_history etc.
[VE] # exit

Build your updated VE OS Template
[VE0]# tar -xzf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./