Difference between revisions of "Debian template creation"

From OpenVZ Virtuozzo Containers Wiki
(Use http.us.debian.org consistently)
(ctcreate to ctctl)
 
(103 intermediate revisions by 35 users not shown)
Latest revision as of 09:24, 28 January 2020

These are rough instructions of how to manually create basic Debian template cache, which can be used to create OpenVZ VEs based on Debian.

Note: ctctl is an automated helper to create and customize Debian templates.

Warning: The recommended way is not to follow the below instructions, but to use the official Debian templates, modifying those to your needs. Some template + container creation helpers are recommended at page Deploying Debian VEs without Templates.

Notes:

  • You shouldn't be running as root, but as a user that is permitted to use sudo instead. It's a dangerous idea; run as root at your peril.
  • Anywhere you see /vz, you might really need to use /var/lib/vz instead, especially on a Debian Etch host.
  • Anywhere you see http://http.us.debian.org/debian/, you can substitute your favorite Debian mirror. (List of official Debian Mirrors)
  • See also: /usr/share/doc/vzctl/README.Debian in the vzctl Debian package

Prerequisites

You need to have a working copy of debootstrap running on your hardware node.

For Debian:

sudo apt-get install debootstrap

For Gentoo:

sudo emerge debootstrap

For Fedora (at least Fedora 8 has it; not sure about earlier versions):

sudo yum install debootstrap

For other distros you might need to install it from sources, or search for an appropriate package for your distribution. An RPM is available on the OpenVZ Forum.

Bootstrapping Debian

You can install different releases of Debian into a VE's private directory using the debootstrap command.

The command parameters are:

 debootstrap --arch ARCH NAME DIRECTORY [URL]

Specify your architecture instead of i386 if you're using something other than i386/x86. For example, for AMD64/x86_64, use amd64 or for ia64, use ia64. You can use http or ftp in the URL.

We use VE ID of 777 for this example, but it can be any unused ID.

Stretch (current stable)

net-tools and ifupdown (not in the debootstrap base set) provide ifconfig and ifup, which OpenVZ needs to bring up venet networking in the container.

debootstrap --arch i386 --include=net-tools,ifupdown stretch /vz/private/777
or
debootstrap --arch amd64 --include=net-tools,ifupdown stretch /vz/private/777

Jessie (current oldstable)

debootstrap --arch i386 jessie /vz/private/777 http://http.us.debian.org/debian/
or
debootstrap --arch amd64 jessie /vz/private/777 http://ftp.us.debian.org/debian/

Wheezy (old release)

debootstrap --arch i386 wheezy /vz/private/777 http://http.us.debian.org/debian/
or
debootstrap --arch amd64 wheezy /vz/private/777 http://ftp.us.debian.org/debian/

Squeeze (old release)

debootstrap --arch i386 squeeze /vz/private/777 http://http.us.debian.org/debian/
or
debootstrap --arch amd64 squeeze /vz/private/777 ftp://ftp.us.debian.org/debian/

Lenny (old release)

debootstrap --arch i386 lenny /vz/private/777 http://archive.debian.org/debian/

Etch (very old release)

debootstrap --arch i386 etch /vz/private/777 http://http.us.debian.org/debian/

Sarge (deeply old release)

debootstrap sarge /vz/private/777 http://archive.debian.org/debian

Preparing the HN network

Append the following lines to /etc/sysctl.conf, adjust to taste and then execute "sysctl -p" for them to take effect.

### OpenVZ settings

# On Hardware Node enable packet forwarding to forward
# packets between the HN network interfaces and venet.
# Proxy arp is needed when CT is in a different subnet
# or when using veth AND veth is not bridged to a HN
# interface. When veth is bridged to a HN interface,
# the CT handles its own arps.

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

Preparing and starting the VE

Setting VE config

First, we need a config for the VE:

sudo vzctl set 777 --applyconfig vps.basic --save

On Debian Squeeze only the following worked for me (confirmed), because the standard template names in /etc/vz/conf have changed.

sudo vzctl set 777 --applyconfig basic --save

Setting VE OSTEMPLATE

Also, we need OSTEMPLATE to be set in VE configuration file, for vzctl to work properly.

sudo sh -c 'echo OSTEMPLATE=\"debian-6.0\" >> /etc/vz/conf/777.conf'

Setting VE IP address

For the VE to be able to download updates from the Internet, we need a valid IP address for it:

sudo vzctl set 777 --ipadd x.x.x.x --save

Note: if you use a private IP for the VE, you might have to set up NAT as described in Using NAT for VE with private IPs.

Setting DNS server for VE

For the VE to be able to download updates from the Internet, we also need to specify a DNS for it:

sudo vzctl set 777 --nameserver x.x.x.x --save

Creating /dev/ptmx

The ptmx character device should normally exist, but if it doesn't, create one.

sudo mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2

Starting VE

Now start the VE:

sudo vzctl start 777

Customizing the installation

A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration. (Note: if you run a wheezy container on a squeeze hardware node, you need to manually install a newer vzctl (the one from wheezy will do: http://packages.debian.org/wheezy/vzctl) because of bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683454; without this change, the enter command hangs.) Exporting the path is optional.

sudo vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

Warning: Do not run the commands below on the hardware node; they are only to be run within the VE!

Set Debian repositories

The list shown is for wheezy and uses US-located mirrors; adjust the release name and mirror location as necessary:

cat <<EOF > /etc/apt/sources.list
deb http://http.us.debian.org/debian wheezy main contrib
deb http://security.debian.org wheezy/updates main contrib
deb http://http.us.debian.org/debian wheezy-updates main
## backports - ONLY IF YOU KNOW WHAT YOU ARE DOING
# deb http://http.us.debian.org/debian-backports/ wheezy-backports main
EOF

Get new security updates

apt-get update
apt-get upgrade

Install some more packages

Installing packages could be an interactive process so the system might ask some questions. You can install more packages if you'd like. For example:

apt-get install ssh quota less

Set sane permissions for /root directory

chmod 700 /root

Disable root login

This will disable root login by default.

usermod -L root

Disable getty

Disable running gettys on terminals as a VE does not have any:

sed -i -e '/getty/d' /etc/inittab

Disable sync() for syslog

Turn off doing sync() on every write for syslog's log files, to improve I/O performance:

sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf

Fix /etc/mtab

Link /etc/mtab to /proc/mounts, so df and friends will work:

rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab

Remove some unneeded packages

If you have any packages you'd like to remove, now's the time for it. Here's an example; note that not all of these packages are installed by default in Debian Squeeze (although they were in earlier versions):

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

Disable services

Do not start some services, stick to bare minimum. This step is release dependent.

for Jessie

# turn off and stop some services
for i in bind9 quotarpc fetchmail ondemand rsync uuidd wide-dhcpv6-client; do
        systemctl stop $i
        systemctl disable $i
done

# disable some more services without stopping them
for i in nmbd smbd samba-ad-dc rpcbind; do
        systemctl disable $i
done

for Squeeze

update-rc.d-insserv -f klogd remove
update-rc.d-insserv -f quotarpc remove
update-rc.d-insserv -f exim4 remove
update-rc.d-insserv -f inetd remove

for older releases (Lenny, Sarge etc.)

update-rc.d -f klogd remove
update-rc.d -f quotarpc remove
update-rc.d -f exim4 remove
update-rc.d -f inetd remove

Fix SSH host keys

This is only useful if you installed SSH. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

for Jessie

# Save /etc/rc.local copy
mv /etc/rc.local /etc/rc.local.orig

# ssh host keys hack
echo "#!/bin/sh
rm -f /etc/ssh/ssh_host_*
/usr/bin/ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
/usr/bin/ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
/usr/bin/ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key
/usr/bin/ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
/usr/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
systemctl restart ssh
mv -f /etc/rc.local.orig /etc/rc.local
" > /etc/rc.local

chmod a+x /etc/rc.local

for Squeeze

rm -f /etc/ssh/ssh_host_*
# the quoted delimiter keeps $remote_fs, $syslog and $0 literal in the generated script
cat << 'EOF' > /etc/init.d/ssh_gen_host_keys
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh_gen_host_keys
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
### END INIT INFO
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f $0
EOF
chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys

for older releases (Lenny, Sarge etc.)

rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/bash
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys

Change timezone

You might want to change the timezone if you do not live in UTC. The following example is for Germany:

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

or, even better:

dpkg-reconfigure tzdata

Create vzfifo script (for Jessie only)

This step is required for Jessie only (and is handled automatically by vzctl for earlier Debian releases). It ensures that vzctl start --wait works as expected.

# Create vzfifo service (overwrite, so re-running the step does not append a second copy)
cat > /lib/systemd/system/vzfifo.service << EOF
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.

[Unit]
Description=Tell that Container is started
ConditionPathExists=/proc/vz
ConditionPathExists=!/proc/bc
After=multi-user.target quotaon.service quotacheck.service

[Service]
Type=forking
ExecStart=/bin/touch /.vzfifo
TimeoutSec=0
RemainAfterExit=no
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
EOF

# Enable service
for service in vzfifo; do
        systemctl enable $service > /dev/null 2>&1
done

Clean packages

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

apt-get clean

Now everything is done. Exit from the template and go back to the hardware node.

exit

Preparing for and packing template cache

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:

sudo vzctl set 777 --ipdel all --save

Also, remove DNS server and search domain information from /etc/resolv.conf file in VE:

sudo editor /vz/private/777/etc/resolv.conf

Also, remove /etc/hostname file in VE:

sudo rm -f /vz/private/777/etc/hostname
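
Before stopping and packing the VE it is worth checking that none of the cleanup steps above was skipped, since anything left in the tree is inherited by every container built from the cache. The audit script below is an added example, not part of this page or of vzctl: it walks a template tree and flags leftover SSH host keys (and a missing first-boot generator), /etc/hostname, DNS settings in resolv.conf, a non-symlinked /etc/mtab, getty entries, a too-open /root and an uncleaned apt cache. The make_fixture helper and the trees it builds are constructed for the demonstration; on a real node you would call audit_template /vz/private/777.

```shell
#!/bin/sh
# Added example (not from the wiki page or vzctl): audit a template tree
# before it is packed into /vz/template/cache, so nothing the steps above
# were meant to strip ends up shared by every container built from it.

audit_fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

audit_template() {
    root="$1"
    problems=0

    # SSH host keys must not ship in the template: every container would
    # otherwise present the same host identity. This holds even when a
    # first-boot hook regenerates them, because the image still carries them.
    for k in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$k" ]; then audit_fail "leftover SSH host key: ${k#"$root"}"; fi
    done
    # ...and where sshd is installed, a first-boot hook must recreate them.
    if [ -e "$root/etc/ssh/sshd_config" ] && ! grep -qs ssh-keygen \
            "$root/etc/rc.local" "$root/etc/init.d/ssh_gen_host_keys" \
            "$root/etc/rc2.d/S15ssh_gen_host_keys"; then
        audit_fail "sshd installed but no first-boot ssh-keygen hook found"
    fi

    # Identity and network settings of the build VE must not leak into the cache.
    if [ -e "$root/etc/hostname" ]; then audit_fail "/etc/hostname still present"; fi
    if grep -Eqs '^[[:space:]]*(nameserver|search|domain)[[:space:]]' \
            "$root/etc/resolv.conf"; then
        audit_fail "/etc/resolv.conf still names a DNS server or search domain"
    fi

    # Housekeeping from the "Customizing the installation" steps.
    if [ "$(readlink "$root/etc/mtab" 2>/dev/null)" != /proc/mounts ]; then
        audit_fail "/etc/mtab is not a symlink to /proc/mounts"
    fi
    if grep -qs '^[^#].*getty' "$root/etc/inittab"; then
        audit_fail "/etc/inittab still spawns getty"
    fi
    mode=$(stat -c %a "$root/root" 2>/dev/null || echo missing)
    if [ "$mode" != 700 ]; then audit_fail "/root mode is $mode, expected 700"; fi
    for deb in "$root"/var/cache/apt/archives/*.deb; do
        if [ -e "$deb" ]; then audit_fail "apt cache not cleaned: ${deb#"$root"}"; fi
    done

    return "$problems"    # 0 means the tree is ready to pack
}

# Constructed miniature template trees for the demonstration (hypothetical,
# nothing here touches /vz). "leaky" reproduces the mistakes the audit catches.
make_fixture() {
    dir="$1" kind="$2"
    mkdir -p "$dir/etc/ssh" "$dir/etc/init.d" "$dir/root" "$dir/var/cache/apt/archives"
    touch "$dir/etc/ssh/sshd_config"
    : > "$dir/etc/resolv.conf"
    if [ "$kind" = clean ]; then
        chmod 700 "$dir/root"
        ln -sf /proc/mounts "$dir/etc/mtab"
        printf '#!/bin/sh\nssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""\n' \
            > "$dir/etc/init.d/ssh_gen_host_keys"
        chmod a+x "$dir/etc/init.d/ssh_gen_host_keys"
        printf 'id:2:initdefault:\n' > "$dir/etc/inittab"
    else
        chmod 755 "$dir/root"
        : > "$dir/etc/mtab"                      # regular file, not a symlink
        echo placeholder > "$dir/etc/ssh/ssh_host_rsa_key"
        echo localhost > "$dir/etc/hostname"
        echo "nameserver 192.0.2.53" > "$dir/etc/resolv.conf"
        printf '1:2345:respawn:/sbin/getty 38400 tty1\n' > "$dir/etc/inittab"
        : > "$dir/var/cache/apt/archives/placeholder.deb"
    fi
}

# Stand-alone demonstration on the two constructed trees.
demo=$(mktemp -d)
make_fixture "$demo/clean" clean
make_fixture "$demo/leaky" leaky
for t in clean leaky; do
    rc=0
    audit_template "$demo/$t" || rc=$?
    echo "$t: $rc problem(s) found"
done
rm -rf "$demo"
```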

Stop the VE:

sudo vzctl stop 777

Go to the VE directory:

cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace i386 with your architecture (i386, amd64, ia64, etc).

sudo tar --numeric-owner -zcf /vz/template/cache/debian-5.0-i386-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:

# ls -lh /vz/template/cache
-rw-r--r--  1 root root  51M Apr 10 03:16 debian-5.0-i386-minimal.tar.gz

Checking if template cache works

We can now create a VE based on the just-created template cache. Be sure to change i386 to your architecture just like you did when you named the tarball above.

sudo vzctl create 123456 --ostemplate debian-5.0-i386-minimal

Now make sure that it works:

sudo vzctl start 123456
sudo vzctl exec 123456 ps ax

You should see that a few processes are running.

Final cleanup

Stop and remove the test VE you just created:

sudo vzctl stop 123456
sudo vzctl destroy 123456
sudo rm /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:

sudo vzctl destroy 777
sudo rm /etc/vz/conf/777.conf.destroyed

You might want to edit /etc/vz/vz.conf and change DEF_OSTEMPLATE to the name of the template you use most often so that you don't have to specify the template when creating a VE.

DEF_OSTEMPLATE="debian-6.0-i386-minimal"

If you use iptables, you might want to include additional modules in the list for IPTABLES in /etc/vz/vz.conf. See man vzctl for a list of available modules.