Open main menu

OpenVZ Virtuozzo Containers Wiki β

Gentoo template creation

Revision as of 01:12, 23 October 2011 by 175.145.236.161 (talk) (Test the new template cache file)

This page is about making a template cache for OpenVZ container from Gentoo Linux. The method is basically the same as described in Slackware template creation article.

Contents

Download stage3

We will make the template from a stage3 file. An OpenVZ OS template should be an archive (.tar.gz) of the root of a working system, but without the kernel and some files. You can download stage3 from the nearest mirror here: http://www.gentoo.org/main/en/mirrors.xml.

Create directory for the new container and unarchive stage3

mkdir /vz/private/777
tar -xjf /root/stage3-i686-2008.0_beta2.tar.bz2 -C /vz/private/777

Create CT config

Now you need to create the configuration file for the container, 777.conf:

vzctl set 777 --applyconfig vps.basic --save

Edit CT config

Add the following to /etc/vz/conf/777.conf:

OSTEMPLATE="gentoo"

Creation of container at end of this HowTo obeys quota limits and might exceed those limits set in vps.basic by default (at least encountered with Gentoo 10.1 release). Thus it might be required to increase limits now. The following values are providing 2 GiByte soft limit with 2.5 GiByte hard limit:

DISKSPACE="2097152:2621440"

After that you copy that configuration file turning it into a sample configuration for later use:

# cp /etc/vz/conf/777.conf /etc/vz/conf/ve-gentoo.conf-sample

Make /etc/mtab a symlink to /proc/mounts

The container's root filesystem is mounted by the host system, not the guest — and therefore root fs will not appear in /etc/mtab. It will lead to a non-working df command. To fix, link /etc/mtab to /proc/mounts.

rm -f /vz/private/777/etc/mtab
ln -s /proc/mounts /vz/private/777/etc/mtab

After replacing /etc/mtab with a symlink to /proc/mounts, you will always have up-to-date information of what is mounted in /etc/mtab.

Replace /etc/fstab

echo "proc /proc proc defaults 0 0" > /vz/private/777/etc/fstab

We need only /proc to be mounted at boot time.

Edit /etc/inittab and /etc/init.d/halt.sh

Edit /vz/private/777/etc/inittab and put a hash mark (#) at the beginning of the lines containing:

c?:1235:respawn:/sbin/agetty 38400 tty? linux

Edit /vz/private/777/etc/init.d/halt.sh and put a hash mark (#) at the beginning of the lines containing:

sulogin -t 10 /dev/console

This prevents getty and login from starting on ttys that do not exist in containers.

Edit /etc/shadow

Edit /vz/private/777/etc/shadow and change root's password in the first line to an exclamation mark (!):

root:!:10071:0:::::

This will disable root login until the password is changed with vzctl set CTID --userpasswd root:password.

Disable unneeded init scripts

The checkroot and consolefont init scripts should not be started inside containers:

rm /vz/private/777/etc/runlevels/boot/checkroot
rm /vz/private/777/etc/runlevels/boot/consolefont

Edit /sbin/rc

Edit /vz/private/777/sbin/rc and put a hash mark (#) at the beginning of line 244 (your line number may be different):

# try mount -n ${mntcmd:--t sysfs sysfs /sys -o noexec,nosuid,nodev}

This prevents the container from attempting to mount /sys.

To ensure that this change isn't automatically overwritten on update, add the following to /vz/private/777/etc/make.conf:

CONFIG_PROTECT="/sbin/rc"

Set up udev

Using udev you will have problems since some devices nodes are not created. For example sshd will fail to start since /dev/random and /dev/urandom are missing. So it's recommended to disable udev. Edit /vz/private/777/etc/conf.d/rc and change the RC_DEVICES line to:

RC_DEVICES="static"


If you want to enable udev read on.

Create some device nodes needed to enter a container:

cd /vz/private/777/lib
mknod udev/devices/ttyp0 c 3 0
mknod udev/devices/ptyp0 c 2 0
mknod udev/devices/ptmx c 5 2

Edit /vz/private/777/etc/conf.d/rc and change the RC_DEVICES and RC_DEVICE_TARBALL lines to:

RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"

You have to leave the directory you are in for the next step to be OK, otherwise you will get this error message:

vzquota : (error) Quota on syscall for 777: Device or resource busy
vzquota on failed [3]
cd /

Edit /etc/pam.d/chpasswd

Some changes are required for successful setting user's password with vzctl util. Edit /vz/private/777/etc/pam.d/chpasswd and change the password lines to:

password required pam_unix.so md5 shadow

Test

vzctl start 777
vzctl enter 777

You can check running services:

rc-status -a

All services in boot and default runlevels must be started.

Enable SSH daemon if required:

rc-update add sshd default
  Warning: Do not start sshd in template container as it would create server's pair of keys then shared among all containers instantiated later.

Next leave container pressing Ctrl+D and stop it:

vzctl stop 777

Making distfiles and portage tree of the host system available in a container

  Warning: This step is optional and will result in shared files between containers! These steps can save space on disk but trade isolation and security... consider your options carefully!

To install software into a container with portage, you should mount /usr/portage into the container with the "bind" option. Do the following on the host after the container is started:

mkdir /vz/root/777/usr/portage
mount -o bind /usr/portage /vz/root/777/usr/portage

If your /usr/portage/distfiles directory resides on a different partition than your /usr/portage directory, do the following:

mount -n -o bind /usr/portage/distfiles /vz/root/777/usr/portage/distfiles

Now, to install a package into a container, you just need to enter the container using vzctl enter and run

emerge package_name

while you have all the needed files in the /usr/portage/distfiles of host system.

For security reasons, you should have these directories mounted only while installing software into a container.

  Note: you have to umount /vz/root/777/usr/portage/distfiles before trying to stop your container.


Dedicated installation of portage

If you decide not to share portage with host as described before, you'll still need a portage installed into your container.

Get latest snapshot of portage tree from your favourite mirror (http://www.gentoo.org/main/en/mirrors.xml) and extract it into /vz/private/777/usr:

# wget <your-mirro>/snapshots/portage-latest.tar.bz2
# tar xjf portage-latest.tar.bz2 -C /vz/private/777/usr

Host system portage tree and distfiles in read-only mode

You can safely share portage tree from the host system among all Gentoo VPSs by mounting it in read-only mode and defining dedicated distfiles directory. All files in regular distfiles directory will be also available to guest containers.

Create /etc/vz/conf/vps.mount to mount RO portage to all Gentoo guests or /etc/vz/conf/<vps id>.mount to mount portage tree only to particular container:

#!/bin/bash
source /etc/vz/vz.conf
source ${VE_CONFFILE}
if [ -d /vz/root/$VEID/usr/portage ]; then
    mount -n --bind -o ro /vz/portage /vz/root/$VEID/usr/portage
fi

Make it executable:

chmod u+x /etc/vz/conf/vps.mount


Add the following strings to the /vz/private/777/etc/make.conf:

PORTAGE_RO_DISTDIRS="/usr/portage/distfiles"
DISTDIR="/usr/portage_distfiles"

You should update host-node portage tree on regular basis to keep it up to date because emerge --sync won't work inside guest container.

Create the template cache file

cd /vz/private/777/
tar --numeric-owner -czf /vz/template/cache/gentoo.tar.gz *

Thanks for writing such an easy-to-understand atrcile on this topic.

Log in over SSH

Leave container by hitting Ctrl+D. To log in over SSH now, you need to set root's password in running container first:

vzctl set 800 --userpasswd root:secret

Of course, you should use different password (replacing secret above) obeying common rules for strong passwords. After that container is ready for login over SSH

ssh root@192.168.0.10