Debian template creation
These are rough instructions for manually creating a minimal Debian Sarge (3.1) template cache, which can be used to create OpenVZ VEs based on Debian Sarge (3.1).
Contents
- 1 Prerequisites
- 2 Bootstrapping Debian
- 3 Preparing and starting the VE
- 4 Customizing the installation
- 4.1 Convert the system to use shadow passwords
- 4.2 Get new security updates
- 4.3 Install some more packages
- 4.4 Disable root login
- 4.5 Disable getty
- 4.6 Put sane permissions for /root directory
- 4.7 Disable sync() for syslog
- 4.8 Fix /etc/mtab
- 4.9 Remove some unneeded packages
- 4.10 Disable services
- 4.11 Fix SSH host keys
- 4.12 Clean packages
- 5 Preparing for and packing template cache
- 6 Checking if template cache works
- 7 Final cleanups
Prerequisites
I have used OpenVZ on Gentoo Linux for this work, but any distribution is fine, as long as you have a working debootstrap utility on it.
For Gentoo, run
emerge debootstrap
For other distros you might need to install it from source, or google for an appropriate package for your distro. Some RPMs are available from [1].
Bootstrapping Debian
All the commands below are executed from the root shell. We use a VE ID of 777 for this example; any other unused ID will do.
For Debian Sarge on an x86 (a.k.a. i386) architecture:
debootstrap --arch i386 sarge /vz/private/777 http://ftp.freenet.de/debian
For Debian Sarge on an x86_64 (a.k.a. AMD64) architecture (Sarge/amd64 is not official so we have to use another repository):
debootstrap --arch amd64 sarge /vz/private/777 http://amd64.debian.net/debian
Preparing and starting the VE
Setting VE config
First, we need a config for the VE:
vzctl set 777 --applyconfig vps.basic --save
Setting VE OSTEMPLATE
We also need OSTEMPLATE to be set for vzctl to work properly.
For Gentoo host system:
echo "OSTEMPLATE=debian-3.1" >> /etc/vz/777.conf
For Debian host system:
echo "OSTEMPLATE=debian-3.1" >> /etc/vz/conf/777.conf
For other systems:
echo "OSTEMPLATE=debian-3.1" >> /etc/sysconfig/vz-scripts/777.conf
Setting VE IP address
For the VE to be able to download updates from the network, we need a valid IP address for it:
vzctl set 777 --ipadd x.x.x.x --save
Setting Debian repositories
For x86_64:
cat << EOF > /vz/private/777/etc/apt/sources.list
deb http://amd64.debian.net/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
EOF
For i386:
cat << EOF > /vz/private/777/etc/apt/sources.list
deb http://ftp.freenet.de/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
EOF
Starting VE
Now start the VE:
vzctl start 777
Customizing the installation
A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. All of them are done inside the VE, so the first command is vzctl enter.
Note: Do not run these commands on the host system; they are only for the VE!
vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
Convert the system to use shadow passwords
pwconv
Get new security updates
apt-get update
apt-get upgrade
Install some more packages
This can be an interactive process, so the system may ask some questions. Here you can add any other packages you would like to be present, such as less or vim.
apt-get install ssh quota
Disable root login
usermod -L root
Note: Root login will be enabled again when you use vzctl set VEID --userpasswd root:xxxx.
Disable getty
Disable running gettys on terminals as a VE does not have any:
sed -i -e '/getty/d' /etc/inittab
Put sane permissions for /root directory
chmod 700 /root
Disable sync() for syslog
Turn off doing sync() on every write for syslog's log files, to improve I/O performance:
sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf
Fix /etc/mtab
Link /etc/mtab to /proc/mounts, so df and stuff will work:
rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab
Remove some unneeded packages
dpkg --purge modutils
dpkg --purge ppp pppoeconf pppoe pppconfig
Disable services
Do not start some services, stick to bare minimum:
update-rc.d -f klogd remove
update-rc.d -f quotarpc remove
update-rc.d -f exim4 remove
update-rc.d -f inetd remove
Fix SSH host keys
SSH host keys should be created later, upon the first VE start:
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/bash
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
Clean packages
apt-get clean
Now everything is done. Exit from the VE by pressing Ctrl-D (or typing exit).
Preparing for and packing template cache
We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
vzctl set 777 --ipdel all --save
Stop the VE:
vzctl stop 777
Go to the VE directory:
cd /vz/private/777
Now create a cached OS tarball.
For i386:
tar czf /vz/template/cache/debian-3.1-i386-minimal.tar.gz .
For AMD64:
tar czf /vz/template/cache/debian-3.1-x86_64-minimal.tar.gz .
Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache/de*
-rw-r--r-- 1 root root 42M Nov 17 23:50 /vz/template/cache/debian-3.1-x86_64-minimal.tar.gz
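The customization steps can be verified from the host against the stopped VE's private area (/vz/private/777), since anything left there is copied into every VE created from the cache. This is an added example, not part of the original instructions or of vzctl; the function names audit_template_root and make_sample_root are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example; audit_template_root and make_sample_root are hypothetical
# helper names, not vzctl commands. Returns the number of findings.
audit_template_root() {
    root=$1
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # Host keys packed into the cache would be identical in every VE made from it.
    for key in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$key" ]; then fail "host key in template: $key"; fi
    done

    # The one-shot generator from "Fix SSH host keys" must exist and be executable.
    if [ ! -x "$root/etc/rc2.d/S15ssh_gen_host_keys" ]; then
        fail "S15ssh_gen_host_keys missing or not executable"
    fi

    # After pwconv and usermod -L, root's shadow field starts with '!' (or '*').
    rootpw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null) || rootpw=
    case $rootpw in
        '!'*|'*'*) ;;
        *) fail "root is not locked in /etc/shadow (or the file is missing)" ;;
    esac

    # chmod 700 /root
    perms=$(ls -ld "$root/root" 2>/dev/null | cut -c1-10)
    if [ "$perms" != "drwx------" ]; then
        fail "/root is not mode 700 (got ${perms:-missing})"
    fi

    # No getty lines should remain in /etc/inittab.
    if grep -q getty "$root/etc/inittab" 2>/dev/null; then
        fail "getty entries still present in /etc/inittab"
    fi
    return "$findings"
}

# Constructed sample tree, so the check can be tried without a real VE.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/rc2.d" "$d/root"
    chmod 700 "$d/root"
    printf 'root:!*:13000:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'id:2:initdefault:\n' > "$d/etc/inittab"
    printf '#!/bin/bash\n' > "$d/etc/rc2.d/S15ssh_gen_host_keys"
    chmod a+x "$d/etc/rc2.d/S15ssh_gen_host_keys"
    echo "$d"
}
```

Run audit_template_root /vz/private/777 after vzctl stop 777; if it reports findings, fix them inside the VE and pack the tarball again.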
Checking if template cache works
We can now create a VE based on the just-created template cache.
For x86_64:
vzctl create 1002 --ostemplate debian-3.1-x86_64-minimal
For i386:
vzctl create 1002 --ostemplate debian-3.1-i386-minimal
Now check that it works:
vzctl start 1002
vzctl exec 1002 ps ax
You should see that a few processes are running.
Final cleanups
Let's stop and remove the VE we used to test a new cache:
vzctl stop 1002
vzctl destroy 1002
Finally, let's remove the VE we used for OS template cache creation:
vzctl destroy 777