Difference between revisions of "Gentoo template creation"

From OpenVZ Virtuozzo Containers Wiki
Older revision (edit summary: m "Create directory for the new VE and unarchive stage3") compared with this revision (edit summary: "VE -> container; fixed headings level; some formatting fixes"). Only changed lines are listed, − old / + new; unchanged context between them is omitted.

− This page is about making a template cache for OpenVZ VE from Gentoo Linux. The method is basically the same as described in [[Slackware template creation]] article.
+ This page is about making a template cache for OpenVZ container from Gentoo Linux. The method is basically the same as described in [[Slackware template creation]] article.

− ===Download stage3===
+ == Download stage3 ==

− ===Create directory for the new VE and unarchive stage3 ===
+ == Create directory for the new container and unarchive stage3 ==

− ===Create VE config===
+ == Create CT config ==

− Now you need to create the configuration file for the VE, 777.conf:
+ Now you need to create the configuration file for the container, 777.conf:

− ===Edit VE config===
+ == Edit CT config ==

− DISTRIBUTION="gentoo"
  (removed; the OSTEMPLATE="gentoo" line that follows it is unchanged)

− ===Make /etc/mtab a symlink to /proc/mounts===
+ == Make /etc/mtab a symlink to /proc/mounts ==

− The VE root filesystem is mounted by the host system, not the guest -- and therefore root fs will not appear in /etc/mtab. It will lead to a non-working df command.
+ The container's root filesystem is mounted by the host system, not the guest and therefore root fs will not appear in <code>/etc/mtab</code>. It will lead to a non-working <code>df</code> command. To fix, link /etc/mtab to /proc/mounts.

− ===Replace /etc/fstab===
+ == Replace /etc/fstab ==

− ===Edit /etc/inittab===
+ == Edit /etc/inittab ==

− This prevents <code>getty</code> and login from starting on ttys that do not exist in VEs.
+ This prevents <code>getty</code> and login from starting on ttys that do not exist in containers.

− ===Edit /etc/shadow===
+ == Edit /etc/shadow ==

− This will disable root login until the password is changed with <code>vzctl set VEID --userpasswd root:password</code>.
+ This will disable root login until the password is changed with <code>vzctl set CTID --userpasswd root:password</code>.

− ===Disable unneeded init scripts===
+ == Disable unneeded init scripts ==

− The checkroot and consolefont init scripts should not be started inside VEs:
+ The checkroot and consolefont init scripts should not be started inside containers:

− ===Edit /sbin/rc===
+ == Edit /sbin/rc ==

− This prevents the VE from attempting to mount <code>/sys</code>.
+ This prevents the container from attempting to mount <code>/sys</code>.

− ===Set up udev===
+ == Set up udev ==

− Delete <code>/lib/udev-state/devices.tar.bz2</code> and create some device nodes needed to enter a VE:
+ Delete <code>/lib/udev-state/devices.tar.bz2</code> and create some device nodes needed to enter a container:

− You have to leave the directory you are in for the next step to be OK, otherwise you will get this error message : <br>
− vzquota : (error) Quota on syscall for 777: Device or resource busy <br>
− vzquota on failed [3] <br>
+ You have to leave the directory you are in for the next step to be OK, otherwise you will get this error message:
+ vzquota : (error) Quota on syscall for 777: Device or resource busy
+ vzquota on failed [3]

− ===Test===
+ == Test ==

− All services in boot and default runlevels must be started. If everything all right, stop the VE:
+ All services in boot and default runlevels must be started. If everything all right, stop the container:

− ===Making distfiles and portage tree of the host system available in a VE===
+ == Making distfiles and portage tree of the host system available in a container ==

− {{Warning|This step is optional and will result in shared files between VEs! These steps can save space on disk but trade isolation and security... consider your options carefully!}}
+ {{Warning|This step is optional and will result in shared files between containers! These steps can save space on disk but trade isolation and security... consider your options carefully!}}

− To install software into a VE with portage, you should mount <code>/usr/portage</code> into the VE with the "bind" option. Do the following on the host after the VE is started:
+ To install software into a container with portage, you should mount <code>/usr/portage</code> into the container with the "bind" option. Do the following on the host after the container is started:

− Now, to install a package into a VE, you just need to enter the VE using <code>vzctl enter</code> and run
+ Now, to install a package into a container, you just need to enter the container using <code>vzctl enter</code> and run

− For security reasons, you should have these directories mounted only while installing software into a VE.
+ For security reasons, you should have these directories mounted only while installing software into a container.

− {{Note|you have to <code>umount /vz/root/777/usr/portage/distfiles</code> before trying to stop your VE.}}
+ {{Note|you have to <code>umount /vz/root/777/usr/portage/distfiles</code> before trying to stop your container.}}

− ===Create the template cache file===
+ == Create the template cache file ==

− ===Test the new template cache file===
+ == Test the new template cache file ==

− Create a new VE from the template file:
+ Create a new container from the template file:

− If the VE was created successfully, try to start it:
+ If the container was created successfully, try to start it:
Revision as of 07:58, 19 May 2008

This page is about making a template cache for an OpenVZ container from Gentoo Linux. The method is basically the same as the one described in the Slackware template creation article.

Download stage3

We will make the template from a stage3 file. An OpenVZ OS template is an archive (.tar.gz) of the root filesystem of a working system, minus the kernel and a few files that only make sense on a real machine. Download stage3 from the nearest mirror listed at http://www.gentoo.org/main/en/mirrors.xml. Every container created from the template inherits whatever is in this tarball, so verify it before unpacking it: the mirror also carries a .DIGESTS file with the tarball's checksums and a .DIGESTS.asc signed by Gentoo's release key. Check the signature with gpg, then check the checksum against the downloaded file.
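The checksum step above, as an added example written for this page rather than code from the original article or from Gentoo. It assumes the .DIGESTS layout of a "# SHA256 HASH" header followed by "<hex digest>  <filename>" lines (other sections such as "# SHA1 HASH" are skipped); the stage3 file names in the usage comment are the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the original page): check a downloaded stage3
# against its .DIGESTS file before unpacking it into /vz/private/<CTID>.
# Assumed .DIGESTS layout: a "# SHA256 HASH" header line followed by
# "<hex digest>  <filename>" lines; other header sections are skipped.
# The signature on .DIGESTS.asc still has to be checked with gpg first.

# verify_stage3_digest TARBALL DIGESTS
#   returns 0 when the SHA256 listed in DIGESTS matches TARBALL,
#   1 on mismatch, 2 when DIGESTS has no SHA256 entry for TARBALL.
verify_stage3_digest() {
    tarball="$1"
    digests="$2"
    name=$(basename "$tarball")
    # Pull the digest for exactly this file name out of the SHA256 section.
    expected=$(awk -v f="$name" '
        /^# SHA256 HASH/ { insha = 1; next }
        /^# /            { insha = 0 }
        insha && $2 == f { print $1; exit }
    ' "$digests")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $digests" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Usage (signature first, then digest, then unpack; names assumed):
#   gpg --verify stage3-i686-2008.0_beta2.tar.bz2.DIGESTS.asc \
#   && verify_stage3_digest stage3-i686-2008.0_beta2.tar.bz2 \
#                           stage3-i686-2008.0_beta2.tar.bz2.DIGESTS \
#   && tar -xjf stage3-i686-2008.0_beta2.tar.bz2 -C /vz/private/777
```

The function matches the file name exactly, so a .DIGESTS that also lists the tarball's .CONTENTS file cannot be confused with the tarball itself, and a missing entry is reported separately from a mismatch.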

Create directory for the new container and unarchive stage3

mkdir /vz/private/777
tar -xjf /root/stage3-i686-2008.0_beta2.tar.bz2 -C /vz/private/777

Create CT config

Now you need to create the configuration file for the container, 777.conf:

vzctl set 777 --applyconfig vps.basic --save

Edit CT config

Add the following to /etc/vz/conf/777.conf:

OSTEMPLATE="gentoo"

Make /etc/mtab a symlink to /proc/mounts

The container's root filesystem is mounted by the host, not by the guest, so it never appears in the guest's /etc/mtab and df cannot report it. To fix this, make /etc/mtab a symlink to /proc/mounts.

rm -f /vz/private/777/etc/mtab
ln -s /proc/mounts /vz/private/777/etc/mtab

After replacing /etc/mtab with a symlink to /proc/mounts, you will always have up-to-date information of what is mounted in /etc/mtab.

Replace /etc/fstab

echo "proc /proc proc defaults 0 0" > /vz/private/777/etc/fstab

We need only /proc to be mounted at boot time.

Edit /etc/inittab

Edit /vz/private/777/etc/inittab and put a hash mark (#) at the beginning of the lines containing:

c?:1235:respawn:/sbin/agetty 38400 tty? linux

This prevents getty and login from starting on ttys that do not exist in containers.

Edit /etc/shadow

Edit /vz/private/777/etc/shadow and replace the password hash in the second field of the root line with an exclamation mark (!):

root:!:10071:0:::::

No password hashes to "!", so this locks the root account (and keeps any real hash out of the template) until a password is set from the host with vzctl set CTID --userpasswd root:password. While you are in the file, make sure no other account has an empty second field: an empty field means login with no password at all.
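The shadow edit and the check that goes with it, as an added example written for this page (not code from the original article). The shadow lines in the usage comment are constructed; the template path is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): lock root in a template's
# /etc/shadow and audit it for accounts that are not locked.
# All three functions read a shadow file on stdin.

# Replace root's password hash (field 2) with "!", which no password can
# hash to, so the account stays locked until vzctl --userpasswd sets one.
lock_root_in_shadow() {
    awk -F: -v OFS=: '$1 == "root" { $2 = "!" } { print }'
}

# Print accounts whose password field is empty: these log in with no
# password at all and must not ship in a template.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Print accounts that are neither locked ("!" or "*" prefix) nor empty,
# i.e. accounts with a real hash baked into the template.
accounts_with_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }'
}

# Usage against the template tree (run as root; umask keeps the new file 0600):
#   shadow=/vz/private/777/etc/shadow
#   umask 077
#   lock_root_in_shadow < "$shadow" > "$shadow.new" && mv "$shadow.new" "$shadow"
#   passwordless_accounts < "$shadow"     # should print nothing
#   accounts_with_hashes  < "$shadow"     # should print nothing
```

Run the two audit functions on the finished template before creating the cache file; anything they print is an account that every container built from the template will share.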

Disable unneeded init scripts

The checkroot and consolefont init scripts should not be started inside containers:

rm /vz/private/777/etc/runlevels/boot/checkroot
rm /vz/private/777/etc/runlevels/boot/consolefont

Edit /sbin/rc

Edit /vz/private/777/sbin/rc and put a hash mark (#) at the beginning of line 244 (your line number may be different):

# try mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}

This prevents the container from attempting to mount /sys.

To keep the next baselayout update from overwriting this change, add /sbin/rc to CONFIG_PROTECT in /vz/private/777/etc/make.conf. make.conf is parsed as shell-style assignments, so write it with no spaces around the = and with the value quoted; CONFIG_PROTECT is incremental, so this adds to the profile's defaults rather than replacing them:

CONFIG_PROTECT="/sbin/rc"

Set up udev

NOTE: udev-state does not exist anymore! ../lib/udev/state and ../lib/udev/devices are empty directories now... maybe someone knows how to handle it the right way?

Delete /lib/udev-state/devices.tar.bz2 and create some device nodes needed to enter a container:

cd /vz/private/777/lib
rm udev-state/devices.tar.bz2
mknod udev/devices/ttyp0 c 3 0
mknod udev/devices/ptyp0 c 2 0
mknod udev/devices/ptmx c 5 2

Edit /vz/private/777/etc/conf.d/rc and change the RC_DEVICES line to:

RC_DEVICES="static"

Leave the template directory before the next step: a shell whose working directory is inside /vz/private/777 keeps it busy, and you will get this error message:

vzquota : (error) Quota on syscall for 777: Device or resource busy
vzquota on failed [3]
cd /

Test

vzctl start 777
vzctl enter 777

You can check running services:

rc-status -a

All services in boot and default runlevels must be started. If everything all right, stop the container:

vzctl stop 777

Making distfiles and portage tree of the host system available in a container

Warning: This step is optional and results in files shared between the host and its containers. It saves disk space but trades away isolation and security; consider your options carefully!

To install software into a container with portage, you should mount /usr/portage into the container with the "bind" option. Do the following on the host after the container is started:

mkdir /vz/root/777/usr/portage
mount -o bind /usr/portage /vz/root/777/usr/portage

If your /usr/portage/distfiles directory resides on a different partition than your /usr/portage directory, do the following:

mount -n -o bind /usr/portage/distfiles /vz/root/777/usr/portage/distfiles

Now, to install a package into a container, you just need to enter the container using vzctl enter and run

emerge package_name

while the host's /usr/portage/distfiles supplies the files that would otherwise be downloaded.

For security reasons, keep these directories mounted only while you are installing software into a container. The bind mount is read-write, so root inside the container can modify ebuilds and distfiles that the host itself later installs from. If your kernel supports read-only bind mounts (mount -o remount,ro,bind on the mount point), mounting /usr/portage read-only and keeping only distfiles writable removes that write path.

Note: unmount the bind mounts before trying to stop your container, innermost first: umount /vz/root/777/usr/portage/distfiles, then umount /vz/root/777/usr/portage. A mount left under the container root makes vzctl stop fail to unmount it.
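The pre-stop check from the note above, as an added example written for this page (not code from the original article): it reads a mount table in /proc/mounts format and lists every host-side mount still sitting under a container root, deepest first, which is the order they have to be unmounted in. The mount table lines in the test are constructed; the paths follow this page's layout.

```shell
#!/bin/sh
# Added example (not from the original page): find host mounts left under
# a container's root (/vz/root/<CTID>) so they can be unmounted, innermost
# first, before `vzctl stop`.

# ct_mounts_under CTROOT
#   Reads a mount table in /proc/mounts format on stdin
#   (device mountpoint fstype options dump pass) and prints the mount
#   points strictly below CTROOT, longest path first. A nested mount always
#   has a longer path than its parent, so this is a safe umount order.
#   CTROOT itself is excluded: vzctl unmounts that one.
ct_mounts_under() {
    root="$1"
    awk -v root="$root/" 'index($2, root) == 1 { print $2 }' \
        | awk '{ print length($0) "\t" $0 }' \
        | sort -rn \
        | cut -f2-
}

# umount_under_ct CTROOT
#   Unmounts, in that order, everything ct_mounts_under reports from the
#   live /proc/mounts. Stops at the first failure so nothing is skipped.
umount_under_ct() {
    root="$1"
    for mp in $(ct_mounts_under "$root" < /proc/mounts); do
        umount "$mp" || return 1
    done
}

# Usage on the host before stopping the container:
#   ct_mounts_under /vz/root/777 < /proc/mounts   # review the list
#   umount_under_ct /vz/root/777 && vzctl stop 777
```

With the two bind mounts from this section in place, the list comes out as /vz/root/777/usr/portage/distfiles followed by /vz/root/777/usr/portage; an empty list means the container is clear to stop.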

Create the template cache file

cd /vz/private/777/
tar czf /vz/template/cache/gentoo.tar.gz *

Test the new template cache file

Create a new container from the template file:

vzctl create 800 --ostemplate gentoo --ipadd 192.168.0.10 --hostname testvps

If the container was created successfully, try to start it:

vzctl start 800

If it started, and you can ssh in, congratulations, you've got a working Gentoo template!