Open main menu

OpenVZ Virtuozzo Containers Wiki β

Ubuntu Gutsy template creation

Revision as of 08:24, 22 July 2012 by 92.42.8.2 (talk) (Modify the installation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to Debian template creation, but it differs in some subtle details.

Contents

PrerequisitesEdit

debootstrapEdit

You have to have a debootstrap working for Gutsy, i.e. you should have

  • debootstrap and its dependencies
  • /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a container). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

On a Gentoo Linux, debootstrap is also available, this is how you can install it:

# emerge \>=debootstrap-1.0.0

Note you need at least version 1.0.0, since earlier versions do not have Ubuntu scripts. So, possible you will first need to add it to package.keywords, like this:

# echo dev-util/debootstrap >> /etc/portage.package.keywords

On a Fedora system (at least Fedora 8, not sure about earlier versions):

# yum install debootstrap

vzctlEdit

You need vzctl-3.0.22 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your Ubuntu Gutsy container. See OpenVZ Bug #662 for details.

Note: Older versions of vzctl are working if you install sysvinit (which will remove upstart). The only problem I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.

Creating templateEdit

Running debootstrapEdit

Create a working directory:

[HW]# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubunty Gutsy system into that directory:

[HW]# debootstrap [--arch ARCH] gutsy gutsy-chroot 

If ARCH of CT0 is equal to container, you can skip the --arch option, but if you need to build an OS template for another ARCH, specify it explicitly:

  • for AMD64/x86_64, use amd64
  • for IA64, use ia64
  • for i386 i386

Preparing/starting a containerEdit

Now then you have an installation created by debootstrap, you can run it as a container. In the example below CT ID of 777 is used; of course you can use any other non-allocated ID.

  Note: an alternative way is using chroot instead of running a container. This is not recommended because of security concerns.

Moving installation to container private areaEdit

You should move the contents of gutsy-chroot directory into new container private area, like this:

# mv gutsy-chroot /vz/private/777

Setting container configEdit

An initial config for the container is needed:

# vzctl set 777 --applyconfig vps.basic --save

Setting container OSTEMPLATEEdit

Also, we need OSTEMPLATE to be set in container configuration file, for the vzctl to work properly.

# echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf

Setting container IP addressEdit

For the container to be able to download updates from the Internet, we need a valid IP address for it:

# vzctl set 777 --ipadd x.x.x.x --save
  Note: if you use private IP for the container, you have to set up NAT as described in Using NAT for container with private IPs.

Setting DNS server for the containerEdit

For the container to be able to download updates from the Internet, we also need to specify a DNS for it:

# vzctl set 777 --nameserver x.x.x.x --save

Instead of x.x.x.x, specify the same IP that you have in your /etc/resolv.conf.

Starting containerEdit

Now start the container:

# vzctl start 777

Modify the installationEdit

You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a container).

First, enter a container:

# vzctl enter 777
  Warning: Do not run the commands below on the hardware node, they are only to be run within the container!

Remove unneeded packagesEdit

Some packages does not make sense in a container, or are really optional. Remove those:

[container]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
  udev pcmciautils initramfs-tools volumeid console-setup \
  xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
  module-init-tools linux-sound-base console-tools \
  console-terminus busybox-initramfs libvolume-id0 \
  ntpdate eject libasound2 pciutils tasksel tasksel-data \
  laptop-detect
  Note: On removing the deb-package "module-init-tools", a fake-modprobe is needed for IPv6 addresses, see below!

Note that the above list of packages may be too extensive. Say, if you want to use tasksel tool, do not remove it — but then you have to let laptop-detect stay.

Clean up after udev:

[container]# rm -fr /lib/udev

Disable gettyEdit

On a usual Linux system, getty is running on a virtual terminals, which a container does not have. So, having getty running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.

So, first of all we stop all getty processes:

[container]# initctl stop tty{1,2,3,4,5,6}

Next, we disable running getty. This can be done in two ways:

First way:

[container]# rm /etc/event.d/tty*

Second way:

[container]# dpkg -P system-services

Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.

Set sane permissions for /root directoryEdit

[container]# chmod 700 /root

Disable root loginEdit

[container]# usermod -L root

"fake-modprobe" needed for IPv6 addressesEdit

[container]# ln -s /bin/true /sbin/modprobe

On setup IPv6, the command "modprobe -Q IPv6" is called, which fails without the "fake-modprobe"

Get new security updatesEdit

[container]# apt-get update && apt-get upgrade

This didn't show anything for me, but might do something in the future.

Install some more packagesEdit

[container]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

Fix SSH host keysEdit

This is only useful if you installed SSH above. Each individual container should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created container to create new SSH keys on first boot.

rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys

Disable sync() for syslogEdit

Turn off doing sync() on every write for syslog's log files, to improve overall I/O performance. In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.

[container]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf

Fix /etc/mtabEdit

Link /etc/mtab to /proc/mounts, so df and friends will work:

[container]# rm -f /etc/mtab
[container]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable mtab.sh script which messes with /etc/mtab:

[container]# update-rc.d -f mtab.sh remove

Disable some servicesEdit

In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:

[container]# update-rc.d -f klogd remove

HostnameEdit

Set proper hostname:

[container]# echo "localhost" > /etc/hostname

Set /etc/hostsEdit

[container]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

Add ptys to /devEdit

This is needed in case /dev/pts will not me mounted after container start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter container.

[container]# cd /dev && /sbin/MAKEDEV ptyp

Remove nameserver(s)Edit

Remove DNS entries:

[container]# > /etc/resolv.conf

Clean packagesEdit

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

[container]# apt-get clean

Cleaning up log filesEdit

[container]# cd /var/log
[container]# > messages; > auth.log; > kern.log; > bootstrap.log
[container]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
[container]# rm -f *.0 *.1

Anything else?Edit

Think of what else could be done to better suit your needs.

Exit from the containerEdit

Now everything is done. Exit from the template and go back to the hardware node.

[container]# exit

Preparing for and packing template cacheEdit

The following commands are to be run in the host system (i.e. not inside a container).

We don't need an IP for the container anymore, and we definitely do not need it in template cache, so remove it:

[HW]# vzctl set 777 --ipdel all --save

Stop the container:

[HW]# vzctl stop 777

Change dir to the container private:

[HW]# cd /vz/private/777

Now create a cached OS tarball. In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). Note the space and the dot at the end of the command.

[HW]# tar --numeric-owner -czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .

Look at the resulting tarball to see its size is sane:

# ls -lh /vz/template/cache
-rw-r--r-- 1 root root   53M Nov 15 12:40 ubuntu-7.10-i386-minimal.tar.gz

Testing template cacheEdit

We can now create a container based on the just-created template cache. Be sure to change i386 to your architecture just like you did when you named the tarball above.

[HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal

Now make sure that your new container it works:

[HW]# vzctl start 123456
[HW]# vzctl exec 123456 ps axf

You should see that a few processes are running.

Other tests that could be done are:

[HW]# vzctl enter 123456
[container]# ps axf
[container]# mount
[container]# dpkg -l
[container]# logout
[HW]#

Feel free to do more tests.

Final cleanupEdit

Stop and remove the test container you just created:

[HW]# vzctl stop 123456
[HW]# vzctl destroy 123456
[HW]# rm -f /etc/vz/conf/123456.conf.destroyed

Finally, let's remove the container we used for OS template cache creation:

[HW]# vzctl destroy 777
[HW]# rm -f /etc/vz/conf/777.conf.destroyed

Updating the template cacheEdit