Difference between revisions of "Deploying Debian VEs without Templates"
|  (→Management of tarballs can be tedious) |  (→Tarballs are of questionable security) | ||
| Line 29: | Line 29: | ||
| Experience has shown, that quality is one of the first things being cut in operations/production environments when being time constrained, so preventing one source of constant work improves quality and security instantly and irrevocably. | Experience has shown, that quality is one of the first things being cut in operations/production environments when being time constrained, so preventing one source of constant work improves quality and security instantly and irrevocably. | ||
| − | ===  | + | === Templates are of questionable security === | 
| Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE. | Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE. | ||
Revision as of 20:57, 29 November 2008
Installing Debian Virtual Environments without relying on a precreated template has many advantages and a few drawbacks. This article tries to outline those factors and provide a possible solution to reduce the amount of work needed for template-less Debian deployments.
Contents
Templates
Templates are at the heart of the OpenVZ VE creation process. A "template cache" is basically a tarball consisting of a minimum operating system installation of a given Linux flavor.
Reasons for pre-built templates
Very fast VE deployment
Deploying a new VE with a tarball reduces the work needed to extracting said tar archive, so the deployment speed can't be any faster. It's possible that certain vzfs optimizations rely on templates being deployed from a specific cached template.
Template can contain complex modifications
Since templates can contain any files with any given content, you can deploy heavily modified VEs without any problems.
Access to a package repository
Running a bootstrapper instead of using templates requires access to a package repository, which might not be feasible in certain environments.
Reasons against pre-built templates
Management of tarballs can be tedious
Managing templates in a non-trivial environment can become it's own demanding task, if taken seriously. The templates have to be updated constantly to reflect new security updates or operating system point releases. And with every updated template, said templates have to be distributed to all Hardware Nodes where they are used.
Experience has shown, that quality is one of the first things being cut in operations/production environments when being time constrained, so preventing one source of constant work improves quality and security instantly and irrevocably.
Templates are of questionable security
Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE.
It's not needed after all
With Debian, there is no reason to actually use pre-built templates if you're not time-constrained in the deployment process and have other means of managing your configuration, since debootstrap is the tool at the core of every Debian installation and it doesn't matter if it's run by the Installer, by hand or a completely different distribution.
Basic Steps
The basic steps needed to deploy Debian VEs are outlined in Debian template creation.
A working solution
To automate the process of deploying VEs with debootstrap a bit of shell-scripting glue is needed.
A work-in-progress version of such a tool can be found at https://workbench.amd.co.at/hg/vzstuff/. To get a local copy you need a mercurial client installed and then run the following command:
hg clone -r stable https://workbench.amd.co.at/hg/vzstuff/
Following the instructions in the README file should get you started nicely.
