Creating a template cache : Slackware or HostGIS Linux

890 bytes removed, 16:58, 30 November 2007
nearing the final version!
== Delete unnecessary stuff ==
 
A lot of packages aren't relevant to a VPS setting, e.g. floppy disk utilities and kernel modules, or even the getty listening on the console (a VE has no console of its own).
<code>
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media

# packages not applicable to a VPS setting, or which we don't use at HostGIS
# e.g. phpMyAdmin and phpPgAdmin are security holes
cd /var/log/packages
for pkg in \
hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
smartmontools-* sysfsutils-* syslinux-* wireless_tools-* quota-* iptables-*
do removepkg $pkg ; done

# most folks don't use GeoServer, so disable it by default
# (rc.M only runs the rc.* scripts that are executable)
chmod 644 /etc/rc.d/rc.geoserver

# prune init's gettys from /etc/inittab (there is no console to listen on), and
# make sure devpts is in fstab so pseudo-terminals (ssh sessions) still work
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab

# the startup sequence and services, even the firewall (the iptables package was removed above)
cd /etc/rc.d
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
rc.scanluns rc.serial rc.udev rc.sysvinit rc.firewall
vi rc.syslog # delete all mentions of klogd (a VE cannot read the kernel log)
vi rc.local # delete smartd and inetd
vi rc.M # delete the setterm entry
vi rc.S # delete the MOTD clobbering
</code>
<code>
# clear out old/dummy SSL certificates
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl

# fix file permissions: give orphaned files to root, and strip the setuid bit
# from programs a VPS user has no business running with root privileges
find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
for i in \
/bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
/usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
/usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
/usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
do chmod u-s $i ; done
# note: with the setuid bit gone from passwd/chage/gpasswd, only root can change
# passwords or group membership inside the VPS

# allow the mailq to be checked by anybody:
chgrp smmsp /var/spool/mqueue
chmod g+rx /var/spool/mqueue

# fix Apache's configuration:
# add ServerTokens Prod
# go to the htdocs Directory definition and change Indexes to -Indexes
# delete the entries for phpmyadmin and phppgadmin
vi /etc/apache/httpd.conf

# keep FTP users chrooted:
echo "" >> /etc/proftpd.conf
echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf
echo "DefaultRoot ~" >> /etc/proftpd.conf
</code>
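A post-check for the setuid pruning above, added here as an example (it is not code from the wiki page or from HostGIS): it lists what is still setuid or setgid under a root directory and strips the bits from everything except an allow-list, so you can decide to keep, say, passwd if users must be able to change their own password. The scratch tree in the demo and the allow-list are constructed assumptions; run it as root against the real template root.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from HostGIS: audit the
# setuid/setgid bits left under a root directory and strip them, keeping an
# allow-list. Assumes POSIX find/chmod; run as root against the real template.

# list_setuid ROOT: every regular file under ROOT with setuid or setgid set
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# count_setuid ROOT: how many such files remain (handy as a post-check)
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# strip_setuid ROOT [KEEP...]: clear setuid/setgid on everything list_setuid
# reports, except files whose basename is in KEEP (e.g. passwd, if users must
# still be able to change their own password; the page strips it too)
strip_setuid() {
    root=$1
    shift
    list_setuid "$root" | while IFS= read -r f; do
        keep=0
        for k in "$@"; do
            [ "${f##*/}" = "$k" ] && keep=1
        done
        [ "$keep" -eq 1 ] || chmod ug-s "$f"
    done
}

# demo on a constructed scratch tree (sample files, not a real template)
demo_setuid() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    : > "$d/bin/ping"
    : > "$d/usr/bin/passwd"
    : > "$d/usr/bin/ls"
    chmod 4755 "$d/bin/ping" "$d/usr/bin/passwd"
    echo "before: $(count_setuid "$d") setuid/setgid files"
    strip_setuid "$d" passwd
    echo "after:  $(count_setuid "$d") setuid/setgid files"
    list_setuid "$d"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo_setuid
fi
```

Run it as `sh audit-setuid.sh demo` to see the scratch-tree run; on a template, `list_setuid /` before and after the chmod loop above is the check that nothing setuid was missed (or stripped by accident).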
== Changes to rc scripts ==
A VPS cannot actually reboot, since there's no power switch to power-cycle the machine after the VE has been shut down. OpenVZ emulates rebooting with an external cronjob called vpsreboot (see /etc/cron.d/vz): in order to reboot a VPS that has been shut down and which is expecting a reboot, the shutdown sequence must create a dummy file called /reboot within the VPS's filesystem. Also, /etc/mtab should be a symlink to /proc/mounts so OpenVZ can detect the / filesystem. So, some small changes are necessary to the rc scripts.
Edit the shutdown script:
<code>
vi /etc/rc.d/rc.6
</code>
and add these two lines near the start:
<code>
# create the reboot flag so we get rebooted automatically
touch /reboot
</code>
Then edit the multi-user startup script:
<code>
vi /etc/rc.d/rc.M
</code>
and add these two lines near the start:
<code>
# replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem
rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab
</code>
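The two hooks above as functions, added here as an example (not code from the wiki page or from HostGIS) so they can be exercised on a scratch directory before they go into the template. Two things are assumed: that Slackware runs rc.6 for both halt and reboot and invokes it as /etc/rc.d/rc.0 for a halt (the script inspects $0), and that OpenVZ's vpsreboot acts on a /reboot file in the stopped container. The reboot-flag function uses that to fire only on a real reboot, which a plain `touch /reboot` at the top of rc.6 does not.

```shell
#!/bin/sh
# Added example, not code from the wiki page: the two rc-script hooks from the
# section above, written as functions that take the container root as an
# argument so they can be exercised on a scratch directory. Assumptions:
# Slackware runs rc.6 for both halt and reboot, invoked as /etc/rc.d/rc.0 for
# a halt (the script tests $0), and OpenVZ's vpsreboot looks for /reboot.

# reboot_flag SCRIPT ROOT: create ROOT/reboot only when the shutdown script was
# started for a reboot (rc.6). An unconditional "touch /reboot" near the top of
# rc.6 also fires on a halt, so vpsreboot would bring back a container that was
# meant to stay down. Prints what it did.
reboot_flag() {
    case "${1##*/}" in
        rc.6) : > "$2/reboot"; echo created ;;
        *)    rm -f "$2/reboot"; echo skipped ;;
    esac
}

# link_mtab ROOT: replace ROOT/etc/mtab with a symlink to /proc/mounts.
# Idempotent, so it is safe to run from rc.M on every boot.
link_mtab() {
    mtab="$1/etc/mtab"
    if [ -L "$mtab" ] && [ "$(readlink "$mtab")" = /proc/mounts ]; then
        echo unchanged
    else
        rm -f "$mtab"
        ln -s /proc/mounts "$mtab"
        echo linked
    fi
}

# In the real scripts the calls are  reboot_flag "$0" /  (in rc.6)
# and  link_mtab /  (in rc.M). Demo on a constructed scratch root:
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    echo "rootfs / rootfs rw 0 0" > "$d/etc/mtab"
    link_mtab "$d"; link_mtab "$d"
    reboot_flag /etc/rc.d/rc.0 "$d"; ls "$d"
    reboot_flag /etc/rc.d/rc.6 "$d"; ls "$d"
    rm -rf "$d"
fi
```

In rc.6 the call becomes `reboot_flag "$0" /`; in rc.M it is `link_mtab /`. If your rc.6 does not test $0 the way assumed here, check how it tells halt from reboot and key the case statement on that instead.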
<code>
# stop all services
apachectl stop
killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
/etc/rc.d/rc.inetd stop
/etc/webmin/stop
/etc/rc.d/rc.pgsql stop
/etc/rc.d/rc.mysqld stop
killall named proftpd
killall xinetd

# blow away the network configuration with dummy strings for later replacement
# replace the IP address with __IPADDRESS__
# replace the netmask with __NETMASK__
# replace the GATEWAY with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf

# disable the root and user accounts
# by changing the password field for root and user to a ! character
# (this is what "passwd -l <user>" does)
vi /etc/shadow

# refresh the 'locate' cache
/etc/cron.daily/slocate

# blank out the system logfiles
for logfile in \
/var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
/var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
/var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
/var/log/apache/access_log /var/log/apache/error_log \
/var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
do cp /dev/null $logfile ; done
rmdir /var/log/sa

# clear the SSH host keys; rc.sshd regenerates missing keys at startup, so every
# container created from the template gets its own instead of sharing one
rm -f /etc/ssh/ssh_host_*

# database server logfiles
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile

# delete vi backup files, bash_history files, and other small application crud.
# The -name tests must be grouped: without the parentheses -delete binds only
# to the last -o branch (.rnd), and -delete cannot remove a non-empty .gnupg
# directory anyway, so prune each match and rm -rf it instead.
unset HISTFILE   # so this shell doesn't write a fresh .bash_history on exit
find / -mount \( -name '*~' \
  -o -name .bash_history \
  -o -name .gnupg \
  -o -name .lesshst \
  -o -name .viminfo \
  -o -name .rnd \) -prune -exec rm -rf {} +

# junk anything under /tmp
rm -rf /tmp/*
</code>
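The placeholders written into rc.inet1.conf above are meant to be filled in when a container is created from the template. The script below is an added example of that later step, not code from the wiki page or from HostGIS: it substitutes the three placeholders, validates the addresses first, and refuses to leave the file with any placeholder still in it (which is what catches a mistyped marker such as a missing trailing underscore). It assumes a Slackware-style rc.inet1.conf with `IPADDR[0]=`, `NETMASK[0]=` and `GATEWAY=` lines; the sample fragment and the 192.0.2.x addresses are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the wiki page: fill the __IPADDRESS__,
# __NETMASK__ and __GATEWAY__ placeholders in a container's rc.inet1.conf.
# Assumes a Slackware-style rc.inet1.conf and dotted-quad IPv4 values.

# valid_ipv4 ADDR: succeeds if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
    echo "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# fill_netconf FILE IP MASK GW: substitute the placeholders in place, and fail
# if any __MARKER_ style token survives (e.g. a typo like __IPADDRESS_ in the
# template would otherwise silently end up in the live config)
fill_netconf() {
    file=$1 ip=$2 mask=$3 gw=$4
    for a in "$ip" "$mask" "$gw"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    sed -e "s|__IPADDRESS__|$ip|g" \
        -e "s|__NETMASK__|$mask|g" \
        -e "s|__GATEWAY__|$gw|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    if grep -q '__[A-Z]*_' "$file"; then
        echo "unreplaced placeholder in $file:" >&2
        grep '__[A-Z]*_' "$file" >&2
        return 1
    fi
}

# make_sample_conf FILE: constructed rc.inet1.conf fragment (sample data only)
make_sample_conf() {
    cat > "$1" <<'EOF'
IPADDR[0]="__IPADDRESS__"
NETMASK[0]="__NETMASK__"
USE_DHCP[0]=""
GATEWAY="__GATEWAY__"
EOF
}

# demo: fill a constructed fragment with documentation-range addresses
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    fill_netconf "$f" 192.0.2.10 255.255.255.0 192.0.2.1 && cat "$f"
    rm -f "$f"
fi
```

On a real container the call is `fill_netconf /vz/private/<veid>/etc/rc.d/rc.inet1.conf <ip> <mask> <gateway>` from the hardware node before the first `vzctl start`; a non-zero exit means the config was left untouched (bad address) or still carries a marker, and the container should not be started until that is fixed.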