Editing Creating a template cache : Slackware or HostGIS Linux

Latest revision Your text
Line 1: Line 1:
This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a [[VE]] environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
+
Creating a new Host Template Cache
 +
for HostGIS Linux 4.x or Slackware 11.x/12.x
  
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
+
This process uses VMWare to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VPS/VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
  
  
== Create the VM in VMware ==
+
***** CREATING THE VM
  
Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient.
+
Start by creating a new VM in VMWare. The stats can be minimal, and there
 +
is no need to create the entire disk at once during the setup.
 +
  * Create the disk as SCSI.
  
Start by creating a new VM in VMware.
+
Then install HGL.
* The disk and RAM stats can be minimal, as the system will never see live use.
+
  * Create a small partition at the end of the disk for swap. Some swap
* There is no need to create the entire disk at once during the setup.
+
    is technically necessary, but since you'll never in fact be using it,
* Create the disk as SCSI.
+
    a few MB should be fine.
 +
  * Set the passwords to 'password'
 +
  * Do set the timezone properly. The internal clock does not use UTC/GMT.
 +
  * Select the default mouse, but do NOT enable GPM at startup.
 +
  * Hostname:  template  Domain: internal.lan
 +
  * IP config:  as appropriate for your LAN
 +
  * Nameserver: no
 +
Reboot into your new HGL install.
 +
 
 +
Now we want to tweak it into a usable template.
 +
Go ahead and login to the VM.
 +
 
 +
 
 +
 
 +
***** UPGRADES AND SECURITY PATCHES
 +
 
 +
The default HGL you used may require some software to be reinstalled, since new versions
 +
and critical bugfixes may have been released since that version of HGL was released.
 +
Follow these instructions, and also update them as necessary for the appropriate versions
 +
and to remove paragraphs when a revision of HGL comes out that no longer requires them.
 +
 
 +
# HGL 4.2 - no necessary upgrades as of Nov 29 2007
 +
 
 +
 
 +
 
 +
***** REPLACE INETD WITH XINETD
 +
 
 +
Inetd is good but minimal. Xinetd offers security features, such as restricting service
 +
to only certain IPs, and only listening on certain interfaces,.
 +
 
 +
removepkg inetd
 +
rm -f /etc/inetd.conf* /etc/rc.d/rc.inetd
 +
 
 +
cd /tmp
 +
wget --header="Host: xinetd.org" http://204.152.188.37/xinetd-2.3.14.tar.gz
 +
tar zxvf xinetd*.gz
 +
cd xinetd*
 +
./configure --prefix=/usr --sysconfdir=/etc
 +
make && make install
 +
mkdir /etc/xinetd.d
 +
cat >> /etc/rc.d/rc.local <<EOF
 +
 
 +
# xinetd
 +
/usr/sbin/xinetd
 +
EOF
 +
cat > /etc/xinetd.conf <<EOF
 +
defaults
 +
{
 +
        log_type        = SYSLOG daemon notice
 +
        log_on_success  = HOST EXIT DURATION
 +
        log_on_failure  = HOST ATTEMPT
 +
        instances      = 30
 +
        cps            = 50 10
 +
}
 +
includedir /etc/xinetd.d
 +
EOF
 +
 
 +
 
 +
 
 +
***** NAGIOS: THE HEALTH-MONITORING SYSTEM
 +
 
 +
groupadd nagios
 +
useradd -g nagios -d /usr/local/nagios -m nagios
 +
echo "nrpe            5666/tcp  # Nagios NRPE" >> /etc/services
 +
 
 +
cd /tmp
 +
wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz
 +
tar zxvf nagios-plugins-*.tar.gz ; cd nagios-plugins-*
 +
./configure && make all && make install
 +
cd /tmp
 +
wget http://umn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.10.tar.gz
 +
tar zxvf nrpe-2.10.tar.gz ; cd nrpe-2.10
 +
./configure && make && cp src/nrpe /usr/local/nagios/nrpe
 +
 
 +
for plugin in \
 +
  check_wave check_users check_ups check_time check_tcp check_swap check_ssh check_ssmtp \
 +
  check_spop check_simap check_smtp check_sensors check_rpc check_real check_pop check_ping \
 +
  check_overcr check_oracle check_nwstat check_nt check_nntps check_nntp check_nagios \
 +
  check_mysql_query check_mrtgtraf check_mrtg check_log check_jabber check_ircd \
 +
  check_imap check_ifstatus check_ifoperstatus check_icmp check_http check_ftp check_flexlm \
 +
  check_file_age check_dummy check_disk_smb check_dig check_dhcp check_clamd check_by_ssh \
 +
  check_breeze check_apt check_udp
 +
do rm -f /usr/local/nagios/libexec/$plugin ; done
 +
 
 +
cat > /usr/local/nagios/nrpe.cfg <<EOF
 +
# NRPE Config File
 +
pid_file=/var/run/nrpe.pid
 +
debug=0
 +
command_timeout=60
 +
connection_timeout=300
 +
 
 +
# And now the list of allowed check-commands:
 +
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -m /
 +
command[check_dns]=/usr/local/nagios/libexec/check_dns www.google.com
 +
command[check_load]=/usr/local/nagios/libexec/check_load -w 5,5,5 -c 8,8,8
 +
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
 +
command[check_mysql]=/usr/local/nagios/libexec/check_mysql -d gisdata -H localhost -u gisdata -p password
 +
command[check_pgsql]=/usr/local/nagios/libexec/check_pgsql -d gisdata -H localhost -l gisdata -p password
 +
command[check_ntp]=/usr/local/nagios/libexec/check_ntp -H pool.ntp.org
 +
command[check_crond]=/usr/local/nagios/libexec/check_procs -u root -c 1: --command=crond
 +
command[check_syslogd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=syslogd
 +
command[check_xinetd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=xinetd
 +
EOF
 +
 
 +
cat > /etc/xinetd.d/nrpe <<EOF
 +
# description: NRPE for Nagios
 +
service nrpe
 +
{
 +
  socket_type    = stream
 +
  protocol        = tcp
 +
  wait            = no
 +
  user            = nagios
 +
  server          = /usr/local/nagios/nrpe
 +
  server_args    = -c /usr/local/nagios/nrpe.cfg --inetd
 +
  only_from      = __HOSTIP__
 +
}
 +
EOF
 +
 
 +
chown -R nagios:nagios /usr/local/nagios
 +
chmod -R o-rwx /usr/local/nagios
 +
chmod go-rwx /etc/xinetd.d
 +
 
 +
 
 +
 
 +
 
 +
***** OTHER UNNECESSARY STUFF
 +
 
 +
# kernel, kernel modules, documentation, mount points
 +
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
  
Then install HGL.
+
# packages not applicable to a VPS setting, or which we don't use at HostGIS
* Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
+
# e.g. phpMyAdmin and phpPgAdmin are security holes
* Set the passwords to 'password'
+
cd /var/log/packages
* Do set the timezone properly. The internal clock does not use UTC/GMT.
+
for pkg in \
* Select the default mouse, but do NOT enable GPM at startup.
+
  hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
* Hostname: template
+
  mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
* Domain: internal.lan
+
  smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
* IP config: as appropriate for your LAN
+
do removepkg $pkg ; done
* Nameserver: no
 
  
Reboot into your new HGL install, and log in.
+
# most folks don't use GeoServer, so disable it by default
 +
chmod 644 /etc/rc.d/rc.geoserver
  
== Delete unnecessary stuff ==
+
# prune init's getty
 +
vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
 +
init q
  
A lot of packages aren't relevant to a VЕ setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console.
+
# clean out the fstab and mtab files
 +
( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
 +
echo "proc    /proc      proc    defaults    0  0" >> /etc/fstab
 +
echo "devpts  /dev/pts  devpts  mode=0620  0  0" >> /etc/fstab
  
<code>
+
# the startup sequence and services, even the firewall
 +
cd /etc/rc.d
 +
rm -f rc.gpm-sample rc.hotplug rc.ip_forward rc.modules rc.scanluns  rc.serial rc.udev rc.sysvinit rc.firewall
 +
vi rc.syslog    # delete all mentions of klogd
 +
vi rc.local    # delete smartd and inetd
 +
vi rc.M        # delete the setterm entry
 +
vi rc.S        # delete the MOTD clobbering
  
  # kernel, kernel modules, documentation, mount points
+
# blow away the network configuration with dummy strings for later replacement
  rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
+
#    replace the IP address with __IPADDRESS_
 +
#    replace the netmask with __NETMASK__
 +
#    replace the GATEWAY with __GATEWAY__
 +
vi /etc/rc.d/rc.inet1.conf
  
  # packages not applicable to a VE
 
  cd /var/log/packages
 
  for pkg in \
 
    hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
 
    mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
 
    smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
 
  do removepkg $pkg ; done
 
  
  # prune init's getty
 
  vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
 
  init q
 
  
  # clean out the fstab and mtab files
+
***** BASIC FILE SECURITY SETTINGS
  ( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
 
  echo "proc    /proc      proc    defaults    0  0" >> /etc/fstab
 
  echo "devpts  /dev/pts  devpts  mode=0620  0  0" >> /etc/fstab
 
  
  # the startup sequence and services
+
# clear out old/dummy SSL certificates
  cd /etc/rc.d
+
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
  rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
 
        rc.scanluns  rc.serial rc.udev rc.sysvinit
 
  vi rc.syslog    # delete all mentions of klogd
 
  vi rc.M        # delete the setterm entry
 
  vi rc.S        # delete the MOTD clobbering
 
  
</code>
+
# fix file permissions
 +
find / -mount -nouser -exec chown root {} \; &
 +
find / -mount -nogroup -exec chgrp root {} \; &
 +
for i in \
 +
  /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
 +
  /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
 +
  /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
 +
  /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
 +
  do chmod u-s $i ; done
  
 +
# fix Apache's configuration:
 +
# add ServerTokens prod
 +
# go to the htdocs Directory definition and change Indexes to -Indexes
 +
# delete the entries for phpmyadmin and phppgadmin
 +
vi /etc/apache/httpd.conf
  
== Fix permissions and ownerships ==
+
# keep FTP users chrooted:
 +
echo "" >> /etc/proftpd.conf
 +
echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf
 +
echo "DefaultRoot ~" >> /etc/proftpd.conf
  
<code>
+
# allow the mailq to be checked by anybody:
 +
chgrp smmsp /var/spool/mqueue
 +
chmod g+rx /var/spool/mqueue
  
  # clear out old/dummy SSL certificates
+
# disable the root and user accounts
  mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
+
# by changing the password for root and user to a ! character.
 +
vi /etc/shadow
  
  # set an ownership on any unowned files
 
  find / -mount -nouser -exec chown root {} \; &
 
  find / -mount -nogroup -exec chgrp root {} \; &
 
  
  # remove the setuid bit from programs which nobody else should use
 
  # you may want to review this list first, as some folks want their users
 
  # able to edit cronjobs and to change their own passwords, etc.
 
  for i in \
 
    /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
 
    /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
 
    /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
 
    /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
 
    do chmod u-s $i ; done
 
  
</code>
+
***** REBOOTING
  
== Changes to rc scripts ==
+
A VPS cannot actually reboot, since there's no power switch to power-cycle the machine
 +
after the VE has been shut down. OpenVZ emulates this effect with an external cronjob
 +
called vpsreboot (see /etc/cron.d/vz). In order to reboot a VPS that has been shut down
 +
and which is expecting a reboot, the shutdown sequence must create a file named /reboot
 +
in the VPS's filesystem.
  
OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts So, some small changes are necessary to the rc scripts.
+
Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem.
  
<code>
+
vi /etc/rc.d/rc.6
 +
And add these two lines near the start:
 +
# create the reboot flag so we get rebooted automatically
 +
touch /reboot
  
  # somewhere in rc.6 add this command: touch /reboot
+
vi /etc/rc.d/rc.M
  vi /etc/rc.d/rc.6
+
And add these two lines near the start:
 +
# replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem
 +
rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
  
  # somewhere in rc.M, add this command: rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
 
  vi /etc/rc.d/rc.M
 
  
</code>
 
  
== Blanking settings ==
+
***** DELETING AND BLANKING SETTINGS
  
 
Lastly, you'll want to delete or blank out a bunch of files so they start fresh
 
Lastly, you'll want to delete or blank out a bunch of files so they start fresh
 
when the VE is booted for its first time.
 
when the VE is booted for its first time.
  
<code>
+
# stop all services
 
+
apachectl stop
  # stop all services
+
killall syslogd klogd udevd crond
  apachectl stop
+
/etc/rc.d/rc.sendmail stop
  killall syslogd klogd udevd crond
+
/etc/webmin/stop
  /etc/rc.d/rc.sendmail stop
+
/etc/rc.d/rc.pgsql stop
  /etc/rc.d/rc.inetd stop
+
/etc/rc.d/rc.mysqld stop
  /etc/webmin/stop
+
killall named proftpd
  /etc/rc.d/rc.pgsql stop
+
killall xinetd
  /etc/rc.d/rc.mysqld stop
 
  killall named proftpd
 
 
 
  # blow away the network configuration with dummy strings for later replacement
 
  #    replace the IP address with __IPADDRESS_
 
  #    replace the netmask with __NETMASK__
 
  #    replace the GATEWAY with __GATEWAY__
 
  vi /etc/rc.d/rc.inet1.conf
 
  
  # disable the root and user accounts
+
# refresh the 'locate' cache
  # by changing the password for root and user to a ! character.
+
/etc/cron.daily/slocate
  vi /etc/shadow
 
  
  # refresh the 'locate' cache
+
# blank out the system logfiles
  /etc/cron.daily/slocate
+
for logfile in \
 +
    /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
 +
    /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
 +
    /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
 +
    /var/log/apache/access_log /var/log/apache/error_log \
 +
    /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
 +
do cp /dev/null $logfile ; done
 +
rmdir /var/log/sa
  
  # blank out the system logfiles
+
# clear the SSH host key
  for logfile in \
+
rm -f /etc/ssh/ssh_host_*
      /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
 
      /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
 
      /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
 
      /var/log/apache/access_log /var/log/apache/error_log \
 
      /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
 
  do cp /dev/null $logfile ; done
 
  rmdir /var/log/sa
 
  
  # clear the SSH host key
+
# database server logfiles
  rm -f /etc/ssh/ssh_host_*
+
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
  
  # database server logfiles
+
# delete vi backup files, bash_history files, and other small application crud
  rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
+
unset HISTFILE
 +
find / -name '*~' \
 +
    -o -name .bash_history \
 +
    -o -name .gnupg \
 +
    -o -name .lesshst \
 +
    -o -name .viminfo \
 +
    -o -name .rnd \
 +
    -delete
  
  # delete vi backup files, bash_history files, and other small application crud
+
# the junk under /tmp
  unset HISTFILE
+
rm -rf /tmp/*
  find / -name '*~' \
 
      -o -name .bash_history \
 
      -o -name .gnupg \
 
      -o -name .lesshst \
 
      -o -name .viminfo \
 
      -o -name .rnd \
 
      -delete
 
  
  # anything under /tmp
 
  rm -rf /tmp/*
 
  
</code>
 
  
  
== Zipping it up into a cache image ==
+
***** CREATING THE VE CACHE IMAGE
  
A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
+
A VE cache is just a tar.gz file of the entire filesystem. So creating them is simple!
  
  tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
+
tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
  
[[Category: Templates]]
+
Ta-da! That's your new VE template cache. Just SFTP it to the VE server and you're all set!
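Review bot: the final tar command in the replacement text drops the `--numeric-owner` flag that the current revision passes (`tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz ...`); without it, tar records owner names alongside the ids, and a hardware node whose /etc/passwd maps `nagios` or `smmsp` to different numbers will restore those files under the wrong uid/gid, which matters for the setuid binaries and the /var/spool/mqueue group change this page adjusts. Keep `--numeric-owner` in the restored line.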
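Review bot: the xinetd, nagios-plugins and nrpe sources are fetched over plain HTTP (`wget --header="Host: xinetd.org" http://204.152.188.37/xinetd-2.3.14.tar.gz` and the two sourceforge mirror URLs) and built and installed as root with no checksum or signature check, and the result is baked into every container created from the cache. Add a step that verifies a published checksum or signature of each tarball before `make install`, or document where the expected checksums are kept so the person rebuilding the template can check them.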
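Review bot: the nrpe.cfg heredoc embeds the database credentials in clear (`-u gisdata -p password` and `-l gisdata -p password`), so every VE built from the cache ships the same secret even though the surrounding text uses substitution tokens for per-container values (`only_from = __HOSTIP__`, `__NETMASK__`, `__GATEWAY__`); use a token such as `__DBPASS__` there as well and list it with the others so provisioning replaces it. While there, `__IPADDRESS_` in the rc.inet1.conf comment has one trailing underscore where every other token has two, which a substitution script keyed on the double-underscore pattern would miss.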
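Review bot: the two `find / -mount -nouser -exec chown root {} \; &` and `find / -mount -nogroup -exec chgrp root {} \; &` commands under "fix file permissions" are backgrounded, so the `chmod u-s` loop and everything after it, up to the final `tar`, can run while they are still walking the filesystem; drop the trailing `&` on both, or add a `wait` before continuing, so the ownership fix is complete before the image is captured.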
