Deploying Debian VEs without Templates

From OpenVZ Virtuozzo Containers Wiki
Revision as of 20:57, 29 November 2008 by Robe (talk | contribs) (Tarballs are of questionable security)
Jump to: navigation, search

Installing Debian Virtual Environments without relying on a precreated template has many advantages and a few drawbacks. This article tries to outline those factors and provide a possible solution to reduce the amount of work needed for template-less Debian deployments.


Templates

Templates are at the heart of the OpenVZ VE creation process. A "template cache" is basically a tarball consisting of a minimum operating system installation of a given Linux flavor.


Reasons for pre-built templates

Very fast VE deployment

Deploying a new VE with a tarball reduces the work needed to extracting said tar archive, so the deployment speed can't be any faster. It's possible that certain vzfs optimizations rely on templates being deployed from a specific cached template.

Template can contain complex modifications

Since templates can contain any files with any given content, you can deploy heavily modified VEs without any problems.

Access to a package repository

Running a bootstrapper instead of using templates requires access to a package repository, which might not be feasible in certain environments.

Reasons against pre-built templates

Management of tarballs can be tedious

Managing templates in a non-trivial environment can become it's own demanding task, if taken seriously. The templates have to be updated constantly to reflect new security updates or operating system point releases. And with every updated template, said templates have to be distributed to all Hardware Nodes where they are used.

Experience has shown, that quality is one of the first things being cut in operations/production environments when being time constrained, so preventing one source of constant work improves quality and security instantly and irrevocably.

Templates are of questionable security

Pre-built templates, especially those which can be downloaded from the internet, are of doubtful trustworthiness. It's trivial to open backdoors, install keyloggers or run DDoS clients if you have full control of the binaries which are going to be run in a VE.

It's not needed after all

With Debian, there is no reason to actually use pre-built templates if you're not time-constrained in the deployment process and have other means of managing your configuration, since debootstrap is the tool at the core of every Debian installation and it doesn't matter if it's run by the Installer, by hand or a completely different distribution.


Basic Steps

The basic steps needed to deploy Debian VEs are outlined in Debian template creation.

A working solution

To automate the process of deploying VEs with debootstrap a bit of shell-scripting glue is needed.

A work-in-progress version of such a tool can be found at https://workbench.amd.co.at/hg/vzstuff/. To get a local copy you need a mercurial client installed and then run the following command:

 hg clone -r stable https://workbench.amd.co.at/hg/vzstuff/


Following the instructions in the README file should get you started nicely.