Difference between revisions of "Gentoo template creation"
Edit summaries: m (→Create directory for the new VE and unarchive stage3); (VE -> container; fixed headings level; some formatting fixes)
Revision as of 07:58, 19 May 2008
This page is about making a template cache for an OpenVZ container from Gentoo Linux. The method is basically the same as the one described in the Slackware template creation article.
Contents
- 1 Download stage3
- 2 Create directory for the new container and unarchive stage3
- 3 Create CT config
- 4 Edit CT config
- 5 Make /etc/mtab a symlink to /proc/mounts
- 6 Replace /etc/fstab
- 7 Edit /etc/inittab
- 8 Edit /etc/shadow
- 9 Disable unneeded init scripts
- 10 Edit /sbin/rc
- 11 Set up udev
- 12 Test
- 13 Making distfiles and portage tree of the host system available in a container
- 14 Create the template cache file
- 15 Test the new template cache file
Download stage3
We will make the template from a stage3 file. An OpenVZ OS template should be an archive (.tar.gz) of the root of a working system, but without the kernel and some files. You can download stage3 from the nearest mirror here: http://www.gentoo.org/main/en/mirrors.xml.
Create directory for the new container and unarchive stage3
mkdir /vz/private/777
tar -xjf /root/stage3-i686-2008.0_beta2.tar.bz2 -C /vz/private/777
Create CT config
Now you need to create the configuration file for the container, 777.conf:
vzctl set 777 --applyconfig vps.basic --save
Edit CT config
Add the following to /etc/vz/conf/777.conf:
OSTEMPLATE="gentoo"
Make /etc/mtab a symlink to /proc/mounts
The container's root filesystem is mounted by the host system, not the guest, so the root fs does not appear in /etc/mtab. This leaves the df command non-working. To fix it, link /etc/mtab to /proc/mounts.
rm -f /vz/private/777/etc/mtab
ln -s /proc/mounts /vz/private/777/etc/mtab
After replacing /etc/mtab with a symlink to /proc/mounts, /etc/mtab will always have up-to-date information on what is mounted.
Replace /etc/fstab
echo "proc /proc proc defaults 0 0" > /vz/private/777/etc/fstab
We need only /proc to be mounted at boot time.
Edit /etc/inittab
Edit /vz/private/777/etc/inittab and put a hash mark (#) at the beginning of the lines containing:
c?:1235:respawn:/sbin/agetty 38400 tty? linux
This prevents getty and login from starting on ttys that do not exist in containers.
Edit /etc/shadow
Edit /vz/private/777/etc/shadow and change root's password in the first line to an exclamation mark (!):
root:!:10071:0:::::
This will disable root login until the password is changed with vzctl set CTID --userpasswd root:password.
Disable unneeded init scripts
The checkroot and consolefont init scripts should not be started inside containers:
rm /vz/private/777/etc/runlevels/boot/checkroot
rm /vz/private/777/etc/runlevels/boot/consolefont
Edit /sbin/rc
Edit /vz/private/777/sbin/rc and put a hash mark (#) at the beginning of line 244 (your line number may be different):
# try mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}
This prevents the container from attempting to mount /sys.
To ensure that this change isn't automatically overwritten on update, add the following to /vz/private/777/etc/make.conf:
CONFIG_PROTECT = /sbin/rc
Set up udev
NOTE: udev-state does not exist anymore!! ../lib/udev/state and ../lib/udev/devices are empty directories now... maybe someone knows how to handle it the right way?
Delete /lib/udev-state/devices.tar.bz2 and create some device nodes needed to enter a container:
cd /vz/private/777/lib
rm udev-state/devices.tar.bz2
mknod udev/devices/ttyp0 c 3 0
mknod udev/devices/ptyp0 c 2 0
mknod udev/devices/ptmx c 5 2
Edit /vz/private/777/etc/conf.d/rc and change the RC_DEVICES line to:
RC_DEVICES="static"
You have to leave the directory you are in for the next step to work, otherwise you will get this error message:
vzquota : (error) Quota on syscall for 777: Device or resource busy
vzquota on failed [3]
cd /
Test
vzctl start 777
vzctl enter 777
You can check running services:
rc-status -a
All services in the boot and default runlevels must be started. If everything is all right, stop the container:
vzctl stop 777
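The edits from the sections above, gathered into one script that applies them to a staged root tree and then verifies each one before the tree is tested or tarred up. This is an added example, not code from the wiki page or from OpenVZ: the function names (prepare_root, verify_root, make_demo_root) are this example's own, make_demo_root builds a constructed throwaway tree so the script runs offline (on a real host you would pass /vz/private/777 instead), and the mknod device-node step is left to the commands in the udev section because it needs root.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page). Applies the template edits
# described on the page (mtab, fstab, inittab, shadow, init scripts, /sbin/rc,
# RC_DEVICES) to a staged root tree and verifies them. Function names are this
# example's own; make_demo_root writes constructed sample files.

# comment_matching SED_ADDRESS FILE: prefix every matching line with '#'
comment_matching() {
    sed "/$1/s/^/#/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# prepare_root ROOT: apply the page's edits to the tree under ROOT
prepare_root() {
    root="$1"

    # The root fs is mounted by the host, so /etc/mtab would never list it;
    # pointing it at /proc/mounts keeps df working.
    rm -f "$root/etc/mtab"
    ln -s /proc/mounts "$root/etc/mtab"

    # Only /proc is mounted at boot inside the container.
    printf 'proc /proc proc defaults 0 0\n' > "$root/etc/fstab"

    # No agetty on ttys that do not exist in a container.
    comment_matching '^c[0-9][0-9]*:[0-9]*:respawn:\/sbin\/agetty' "$root/etc/inittab"

    # Lock root until the password is set with vzctl set CTID --userpasswd.
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "!" } { print }' \
        "$root/etc/shadow" > "$root/etc/shadow.tmp" && mv "$root/etc/shadow.tmp" "$root/etc/shadow"
    chmod 600 "$root/etc/shadow"

    # checkroot and consolefont make no sense in a container.
    rm -f "$root/etc/runlevels/boot/checkroot" "$root/etc/runlevels/boot/consolefont"

    # Stop /sbin/rc from trying to mount /sys.
    comment_matching '^[[:space:]]*try mount -n .*sysfs \/sys ' "$root/sbin/rc"

    # Static device nodes (the mknod commands need root and are not repeated here).
    sed 's/^RC_DEVICES=.*/RC_DEVICES="static"/' "$root/etc/conf.d/rc" > "$root/etc/conf.d/rc.tmp" \
        && mv "$root/etc/conf.d/rc.tmp" "$root/etc/conf.d/rc"
}

# verify_root ROOT: return 0 only if every edit above is in place
verify_root() {
    root="$1"
    [ -L "$root/etc/mtab" ] || return 1
    [ "$(readlink "$root/etc/mtab")" = /proc/mounts ] || return 1
    [ "$(cat "$root/etc/fstab")" = 'proc /proc proc defaults 0 0' ] || return 1
    if grep -q '^c[0-9][0-9]*:[0-9]*:respawn:/sbin/agetty' "$root/etc/inittab"; then return 1; fi
    awk -F: '$1 == "root" { seen = 1; if ($2 != "!") bad = 1 } END { exit !(seen && !bad) }' \
        "$root/etc/shadow" || return 1
    [ ! -e "$root/etc/runlevels/boot/checkroot" ] || return 1
    [ ! -e "$root/etc/runlevels/boot/consolefont" ] || return 1
    if grep -q '^[[:space:]]*try mount -n .*sysfs /sys ' "$root/sbin/rc"; then return 1; fi
    grep -qx 'RC_DEVICES="static"' "$root/etc/conf.d/rc" || return 1
    return 0
}

# make_demo_root: constructed stage3-like tree (sample content, not a real stage3)
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/runlevels/boot" "$root/etc/conf.d" "$root/sbin"
    printf 'rootfs / rootfs rw 0 0\n' > "$root/etc/mtab"
    printf '/dev/ROOT / ext3 noatime 0 1\n/dev/SWAP none swap sw 0 0\n' > "$root/etc/fstab"
    printf '%s\n' 'id:3:initdefault:' \
        'c1:1235:respawn:/sbin/agetty 38400 tty1 linux' \
        'c2:1235:respawn:/sbin/agetty 38400 tty2 linux' > "$root/etc/inittab"
    printf 'root:$1$constructed$notarealhash:10071:0:::::\nbin:*:10071:0:::::\n' > "$root/etc/shadow"
    : > "$root/etc/runlevels/boot/checkroot"
    : > "$root/etc/runlevels/boot/consolefont"
    printf '\ttry mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}\n' > "$root/sbin/rc"
    printf 'RC_DEVICES="auto"\n' > "$root/etc/conf.d/rc"
    echo "$root"
}

# Stand-alone run against the constructed tree
demo=$(make_demo_root)
prepare_root "$demo"
if verify_root "$demo"; then
    echo "template root $demo: all edits verified"
else
    echo "template root $demo: verification failed" >&2
fi
rm -rf "$demo"
```

verify_root is the part worth keeping around: run it against /vz/private/777 before the "Create the template cache file" step, and again on a fresh container's private area, so a template that still has a usable root hash or a live agetty line is caught before it is handed out.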
Making distfiles and portage tree of the host system available in a container
Warning: This step is optional and will result in shared files between containers! These steps can save disk space but trade away isolation and security... consider your options carefully!
To install software into a container with portage, you should mount /usr/portage into the container with the "bind" option. Do the following on the host after the container is started:
mkdir /vz/root/777/usr/portage
mount -o bind /usr/portage /vz/root/777/usr/portage
If your /usr/portage/distfiles directory resides on a different partition than your /usr/portage directory, do the following:
mount -n -o bind /usr/portage/distfiles /vz/root/777/usr/portage/distfiles
Now, to install a package into a container, you just need to enter the container using vzctl enter and run
emerge package_name
while you have all the needed files in the /usr/portage/distfiles of the host system.
For security reasons, you should have these directories mounted only while installing software into a container.
Note: you have to umount /vz/root/777/usr/portage/distfiles before trying to stop your container.
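A host-side check for the shared mounts this section warns about: before vzctl stop, list everything still mounted below the container's root so the portage and distfiles bind mounts are unmounted first rather than forgotten. This is an added example, not code from the wiki page or from OpenVZ; the function names are this example's own, it assumes the /vz/root/CTID layout used on the page, and it reads /proc/mounts rather than /etc/mtab because the distfiles mount above is made with mount -n, which does not record the mount in /etc/mtab. The /proc/mounts content in write_sample_mounts is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page). Lists host-side mounts still
# attached under a container's root so shared bind mounts are unmounted before
# vzctl stop. Function names are this example's own; the sample /proc/mounts
# content below is constructed.

# lingering_mounts CTID [MOUNTS_FILE]: print mountpoints strictly below /vz/root/CTID
lingering_mounts() {
    ctid="$1"
    mounts="${2:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # index(...) == 1 requires the "root/" prefix, so CT 777 never matches CT 7770.
    awk -v root="/vz/root/$ctid" '
        $2 != root && index($2, root "/") == 1 { print $2 }
    ' "$mounts"
}

# check_before_stop CTID [MOUNTS_FILE]: 0 if nothing is left mounted, 1 otherwise
check_before_stop() {
    left=$(lingering_mounts "$1" "${2:-/proc/mounts}")
    if [ -n "$left" ]; then
        echo "CT $1: still mounted under /vz/root/$1, umount before vzctl stop:" >&2
        echo "$left" >&2
        return 1
    fi
    return 0
}

# write_sample_mounts: constructed /proc/mounts content (sample data, not a real host)
write_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda2 / ext3 rw,noatime 0 0
proc /proc proc rw 0 0
/dev/simfs /vz/root/777 simfs rw 0 0
/dev/sda3 /vz/root/777/usr/portage ext3 rw,noatime 0 0
/dev/sda4 /vz/root/777/usr/portage/distfiles ext3 rw,noatime 0 0
/dev/simfs /vz/root/778 simfs rw 0 0
/dev/sda3 /vz/root/7770/usr/portage ext3 rw,noatime 0 0
EOF
    echo "$f"
}

# Stand-alone run against the constructed file
sample=$(write_sample_mounts)
check_before_stop 777 "$sample" || true
check_before_stop 778 "$sample" && echo "CT 778: safe to stop"
rm -f "$sample"
```

On a real host call check_before_stop 777 with no second argument to read the live /proc/mounts; a bind mount shows up there with the underlying device and filesystem type (not "bind"), which is why the check keys on the mountpoint path alone.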
Create the template cache file
cd /vz/private/777/
tar czf /vz/template/cache/gentoo.tar.gz *
Test the new template cache file
Create a new container from the template file:
vzctl create 800 --ostemplate gentoo --ipadd 192.168.0.10 --hostname testvps
If the container was created successfully, try to start it:
vzctl start 800
If it started, and you can ssh in, congratulations, you've got a working Gentoo template!