Gentoo template creation
This page is about making a template cache for OpenVZ container from Gentoo Linux. The method is basically the same as described in Slackware template creation article.
Contents
- 1 Download stage3
- 2 Create directory for the new container and unarchive stage3
- 3 Create CT config
- 4 Edit CT config
- 5 Make /etc/mtab a symlink to /proc/mounts
- 6 Replace /etc/fstab
- 7 Edit /etc/inittab
- 8 Edit /etc/shadow
- 9 Disable unneeded init scripts
- 10 Edit /sbin/rc
- 11 Set up udev
- 12 Test
- 13 Making distfiles and portage tree of the host system available in a container
- 14 Create the template cache file
- 15 Test the new template cache file
Download stage3
We will make the template from a stage3 file. An OpenVZ OS template should be an archive (.tar.gz) of the root of a working system, but without the kernel and some files. You can download stage3 from the nearest mirror here: http://www.gentoo.org/main/en/mirrors.xml.
Create directory for the new container and unarchive stage3
mkdir /var/lib/vz/private/777 tar -xjf /root/stage3-i686-2008.0_beta2.tar.bz2 -C /var/lib/vz/private/777
Create CT config
Now you need to create the configuration file for the container, 777.conf:
vzctl set 777 --applyconfig vps.basic --save
Edit CT config
Add the following to /etc/vz/conf/777.conf:
OSTEMPLATE="gentoo"
Make /etc/mtab a symlink to /proc/mounts
The container's root filesystem is mounted by the host system, not the guest — and therefore root fs will not appear in /etc/mtab. It will lead to a non-working df command. To fix, link /etc/mtab to /proc/mounts.
rm -f /var/lib/vz/private/777/etc/mtab ln -s /proc/mounts /var/lib/vz/private/777/etc/mtab
After replacing /etc/mtab with a symlink to /proc/mounts, you will always have up-to-date information of what is mounted in /etc/mtab.
Replace /etc/fstab
echo "proc /proc proc defaults 0 0" > /var/lib/vz/private/777/etc/fstab
We need only /proc to be mounted at boot time.
Edit /etc/inittab
Edit /var/lib/vz/private/777/etc/inittab and put a hash mark (#) at the beginning of the lines containing:
c?:1235:respawn:/sbin/agetty 38400 tty? linux
This prevents getty and login from starting on ttys that do not exist in containers.
Edit /etc/shadow
Edit /var/lib/vz/private/777/etc/shadow and change root's password in the first line to an exclamation mark (!):
root:!:10071:0:::::
This will disable root login until the password is changed with vzctl set CTID --userpasswd root:password.
Disable unneeded init scripts
The checkroot and consolefont init scripts should not be started inside containers:
rm /var/lib/vz/private/777/etc/runlevels/boot/checkroot rm /var/lib/vz/private/777/etc/runlevels/boot/consolefont
Edit /sbin/rc
Edit /var/lib/vz/private/777/sbin/rc and put a hash mark (#) at the beginning of line 244 (your line number may be different):
# try mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}
This prevents the container from attempting to mount /sys.
To ensure that this change isn't automatically overwritten on update, add the following to /var/lib/vz/private/777/etc/make.conf:
CONFIG_PROTECT = /sbin/rc
Set up udev
Using udev you will have problems since some devices nodes are not created.
For example sshd will fail to start since /dev/random and /dev/urandom are missing.
So it's recommended to disable udev.
Edit /var/lib/vz/private/777/etc/conf.d/rc and change the RC_DEVICES line to:
RC_DEVICES="static"
If you want to enable udev read on.
Create some device nodes needed to enter a container:
cd /var/lib/vz/private/777/lib mknod udev/devices/ttyp0 c 3 0 mknod udev/devices/ptyp0 c 2 0 mknod udev/devices/ptmx c 5 2
Edit /var/lib/vz/private/777/etc/conf.d/rc and change the RC_DEVICES and RC_DEVICE_TARBALL lines to:
RC_DEVICES="udev" RC_DEVICE_TARBALL="no"
You have to leave the directory you are in for the next step to be OK, otherwise you will get this error message:
vzquota : (error) Quota on syscall for 777: Device or resource busy vzquota on failed [3]
cd /
Test
vzctl start 777 vzctl enter 777
You can check running services:
rc-status -a
All services in boot and default runlevels must be started. If everything all right, stop the container:
vzctl stop 777
Making distfiles and portage tree of the host system available in a container
|
Warning: This step is optional and will result in shared files between containers! These steps can save space on disk but trade isolation and security... consider your options carefully! |
To install software into a container with portage, you should mount /usr/portage into the container with the "bind" option. Do the following on the host after the container is started:
mkdir /var/lib/vz/root/777/usr/portage mount -o bind /usr/portage /var/lib/vz/root/777/usr/portage
If your /usr/portage/distfiles directory resides on a different partition than your /usr/portage directory, do the following:
mount -n -o bind /usr/portage/distfiles /var/lib/vz/root/777/usr/portage/distfiles
Now, to install a package into a container, you just need to enter the container using vzctl enter and run
emerge package_name
while you have all the needed files in the /usr/portage/distfiles of host system.
For security reasons, you should have these directories mounted only while installing software into a container.
|
Note: you have to umount /var/lib/vz/root/777/usr/portage/distfiles before trying to stop your container.
|
Create the template cache file
cd /var/lib/vz/private/777/ tar czf /var/lib/vz/template/cache/gentoo.tar.gz *
Test the new template cache file
Create a new container from the template file:
vzctl create 800 --ostemplate gentoo --ipadd 192.168.0.10 --hostname testvps
If the container was created successfully, try to start it:
vzctl start 800
If it started, and you can ssh in, congratulations, you've got a working Gentoo template!
