Difference between revisions of "Ubuntu Gutsy template creation"

This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to Debian template creation, but it differs in some subtle details.

Prerequisites

debootstrap

You have to have a debootstrap working for Gutsy, i.e. you should have

• debootstrap and its dependencies
• /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubunty Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

vzctl

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See OpenVZ Bug #662 for details.

Creating template

Running debootstrap

Create some directory:

[HW]# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

[HW]# debootstrap [--arch ARCH] gutsy gutsy-chroot 

If ARCH of VE0 is equal to VE, you can skip the --arch option, but if you need to build an OS template for another ARCH, specify it explicitly:

• for AMD64/x86_64, use amd64
• for IA64, use ia64
• for i386 i386

Preparing/starting a VE

Now then you have an installation created by debootstrap, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.

Note: an alternative way is using chroot instead of running a VE. This is not recommended because of security concerns.

Moving installation to VE private area

You should move the contents of gutsy-chroot directory into new VE private area, like this:

# mkdir /vz/private/777
# mv gutsy-chroot/ /vz/private/777

Setting VE config

An initial config for the VE is needed:

# vzctl set 777 --applyconfig vps.basic --save

Setting VE OSTEMPLATE

Also, we need OSTEMPLATE to be set in VE configuration file, for the vzctl to work properly.

# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

Setting VE IP address

For the VE to be able to download updates from the Internet, we need a valid IP address for it:

# vzctl set 777 --ipadd x.x.x.x --save

Note: if you use private IP for the VE, you have to set up NAT as described in Using NAT for VE with private IPs.

Setting DNS server for the VE

For the VE to be able to download updates from the Internet, we also need to specify a DNS for it:

# vzctl set 777 --nameserver x.x.x.x --save

Instead of x.x.x.x, specify the same IP that you have in your /etc/resolv.conf.

Starting VE

Now start the VE:

# vzctl start 777

Modify the installation

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).

First, enter a VE:

# vzctl enter 777

Warning: Do not run the commands below on the hardware node, they are only to be run within the VE!

Remove unneeded packages

Some packages does not make sense in a VE. Remove those:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
  udev pcmciautils initramfs-tools volumeid console-setup \
  xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
  module-init-tools linux-sound-base console-tools \
  console-terminus busybox-initramfs libvolume-id0 \
  ntpdate

Clean up after udev:

[VE]# rm -fr /lib/udev

Disable getty

On a usual Linux system, getty is running on a virtual terminals, which a VE does not have.

There are two ways to disable it:

First way:

[VE]# rm /etc/event.d/tty*

Second way:

[VE]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

Set sane permissions for /root directory

[VE]# chmod 700 /root

Disable root login

[VE]# usermod -L root

Get new security updates

[VE]# apt-get update && apt-get upgrade

This didn't show anything for me, but might do something in the future.

Install some more packages

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

Fix SSH host keys

This is only useful if you installed SSH above. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys

Disable sync() for syslog

Turn off doing sync() on every write for syslog's log files, to improve overall I/O performance. In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.

[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf

Fix /etc/mtab

Link /etc/mtab to /proc/mounts, so df and friends will work:

[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable mtab.sh script which messes with /etc/mtab:

[VE]# update-rc.d -f mtab.sh remove

Get rid of tmpfs mounts

[VE]# sed -ie '/tmpfs/d' /etc/init.d/mountkernfs.sh

Disable some services

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[VE]# update-rc.d -f klogd remove

Hostname

Set proper hostname:

[VE]# echo "localhost" > /etc/hostname

Set /etc/hosts

[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

Remove nameserver(s)

Remove DNS entries:

[VE]# > /etc/resolv.conf

Clean packages

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

[VE]# apt-get clean

Anything else?

Think of what else could be done (like cleaning up log files, root history, …).

Exit from the VE

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# exit

Preparing for and packing template cache

The following commands are to be run in the host system (i.e. not inside a VE).

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:

[HW]# vzctl set 777 --ipdel all --save

Stop the VE:

[HW]# vzctl stop 777

Change dir to the VE private:

[HW]# cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc).

[HW]# tar czf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:

# ls -lh /vz/template/cache
-rw-r--r--  1 root root  51M Apr 10 03:16 debian-4.0-i386-minimal.tar.gz

Testing template cache

We can now create a VE based on the just-created template cache. Be sure to change i386 to your architecture just like you did when you named the tarball above.

[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal

Now make sure that your new VE it works:

[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf

You should see that a few processes are running.

Other tests that could be done are:

[HW]# vzctl enter 123456
[VE]# dpkg -l
[VE]# logout
[HW]#

Feel free to do more tests.

Final cleanup

Stop and remove the test VE you just created:

[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the VE we used for OS template cache creation:

[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed

Updating the template cache

See Updating Ubuntu template