Editing Creating a template cache : Slackware or HostGIS Linux
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | This process uses | + | == Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x == |
+ | |||
+ | This process uses VMWare to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VPS/VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ. | ||
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well. | This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well. | ||
− | == Create the VM in | + | === Create the VM in VMWare === |
− | Technically, you could probably do this on a hardware PC without | + | Technically, you could probably do this on a hardware PC without VMWare, but VMWare does make it more convenient. |
− | Start by creating a new VM in | + | Start by creating a new VM in VMWare. |
* The disk and RAM stats can be minimal, as the system will never see live use. | * The disk and RAM stats can be minimal, as the system will never see live use. | ||
* There is no need to create the entire disk at once during the setup. | * There is no need to create the entire disk at once during the setup. | ||
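Review bot: Style: the product name is spelled "VMware", not "VMWare" (the new heading paragraph and the two edited lines in the next hunk all use the latter); since the rest of the page treats it as a proper noun, fix the capitalization in one pass rather than one occurrence at a time.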
Line 18: | Line 20: | ||
* Do set the timezone properly. The internal clock does not use UTC/GMT. | * Do set the timezone properly. The internal clock does not use UTC/GMT. | ||
* Select the default mouse, but do NOT enable GPM at startup. | * Select the default mouse, but do NOT enable GPM at startup. | ||
− | * Hostname: template | + | * Hostname: template Domain: internal.lan |
− | + | * IP config: as appropriate for your LAN | |
− | * IP config: as appropriate for your LAN | ||
* Nameserver: no | * Nameserver: no | ||
Reboot into your new HGL install, and log in. | Reboot into your new HGL install, and log in. | ||
+ | |||
== Delete unnecessary stuff == | == Delete unnecessary stuff == | ||
− | |||
− | |||
<code> | <code> | ||
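Review bot: "Hostname: template Domain: internal.lan" now squeezes two installer prompts into one bullet, which reads as if the hostname were "template Domain: internal.lan"; split it back into two bullets, "* Hostname: template" and "* Domain: internal.lan", matching the one-setting-per-bullet layout of the surrounding list.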
Line 34: | Line 34: | ||
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media | rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media | ||
− | # packages not applicable to a | + | # packages not applicable to a VPS setting, or which we don't use at HostGIS |
+ | # e.g. phpMyAdmin and phpPgAdmin are security holes | ||
cd /var/log/packages | cd /var/log/packages | ||
for pkg in \ | for pkg in \ | ||
hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \ | hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \ | ||
− | mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \ | + | mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \ |
smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-* | smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-* | ||
do removepkg $pkg ; done | do removepkg $pkg ; done | ||
+ | |||
+ | # most folks don't use GeoServer, so disable it by default | ||
+ | chmod 644 /etc/rc.d/rc.geoserver | ||
# prune init's getty | # prune init's getty | ||
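Review bot: The new glob phppgAdmin-* does not match the spelling used in the comment (phpPgAdmin), and shell globs are case-sensitive: if the entry in /var/log/packages is spelled phpPgAdmin-..., the unmatched pattern is handed to removepkg literally and the package silently stays installed, which matters precisely because the comment flags it as a security hole. Check with `ls /var/log/packages | grep -i pgadmin`, use the exact spelling, and make the loop complain on an unmatched glob (for example `[ -e "$pkg" ] || echo "no such package: $pkg"` before the removepkg). The chmod 644 on rc.geoserver is the right Slackware way to leave a service installed but disabled.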
Line 51: | Line 55: | ||
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab | echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab | ||
− | # the startup sequence and services | + | # the startup sequence and services, even the firewall |
cd /etc/rc.d | cd /etc/rc.d | ||
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \ | rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \ | ||
− | rc.scanluns rc.serial rc.udev rc.sysvinit | + | rc.scanluns rc.serial rc.udev rc.sysvinit rc.firewall |
vi rc.syslog # delete all mentions of klogd | vi rc.syslog # delete all mentions of klogd | ||
+ | vi rc.local # delete smartd and inetd | ||
vi rc.M # delete the setterm entry | vi rc.M # delete the setterm entry | ||
vi rc.S # delete the MOTD clobbering | vi rc.S # delete the MOTD clobbering | ||
− | |||
</code> | </code> | ||
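Review bot: Deleting rc.firewall here (on top of removing iptables-* from the package list in the previous hunk) means every VE built from this cache starts with no packet filtering of its own, and the phrase "even the firewall" in the comment does not make that consequence clear. Spell out in the prose that filtering for these VEs has to happen on the hardware node, or keep rc.firewall in place but non-executable (chmod 644, as done for rc.geoserver) so an operator can re-enable it per VE. The new "vi rc.local # delete smartd and inetd" line is a manual step; it would be clearer as a comment saying which lines to remove and why (smartd has no physical disks to monitor inside a VE).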
Line 66: | Line 70: | ||
<code> | <code> | ||
− | + | # clear out old/dummy SSL certificates | |
− | + | mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl | |
− | + | # fix file permissions | |
− | + | find / -mount -nouser -exec chown root {} \; & | |
− | + | find / -mount -nogroup -exec chgrp root {} \; & | |
+ | for i in \ | ||
+ | /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \ | ||
+ | /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \ | ||
+ | /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \ | ||
+ | /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write | ||
+ | do chmod u-s $i ; done | ||
− | + | # fix Apache's configuration: | |
− | + | # add ServerTokens prod | |
− | + | # go to the htdocs Directory definition and change Indexes to -Indexes | |
− | + | # delete the entries for phpmyadmin and phppgadmin | |
− | + | vi /etc/apache/httpd.conf | |
− | + | ||
− | + | # keep FTP users chrooted: | |
− | + | echo "" >> /etc/proftpd.conf | |
− | + | echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf | |
+ | echo "DefaultRoot ~" >> /etc/proftpd.conf | ||
+ | |||
+ | # allow the mailq to be checked by anybody: | ||
+ | chgrp smmsp /var/spool/mqueue | ||
+ | chmod g+rx /var/spool/mqueue | ||
</code> | </code> | ||
+ | |||
== Changes to rc scripts == | == Changes to rc scripts == | ||
− | OpenVZ emulates | + | A VPS cannot actually reboot, since there's no power switch to power-cycle the machine |
+ | after the VE has been shut down. OpenVZ emulates this effect with an external cronjob | ||
+ | called vpsreboot (see /etc/cron.d/vz). In order to reboot a VPS that has been shut down | ||
+ | and which is expecting a reboot, the shutdown sequence must create a file named /reboot | ||
+ | in the VPS's filesystem. | ||
+ | |||
+ | Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem. | ||
<code> | <code> | ||
− | + | vi /etc/rc.d/rc.6 | |
− | + | And add these two lines near the start: | |
+ | # create the reboot flag so we get rebooted automatically | ||
+ | touch /reboot | ||
− | + | vi /etc/rc.d/rc.M | |
− | + | And add these two lines near the start: | |
+ | # replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem | ||
+ | rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab | ||
</code> | </code> | ||
+ | |||
== Blanking settings == | == Blanking settings == | ||
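Review bot: The chmod u-s loop strips setuid from /usr/bin/passwd, /usr/bin/chage, /usr/bin/chsh, /usr/bin/chfn and /usr/bin/crontab, so unprivileged users inside the VE can no longer change their own password or install crontabs, and stripping it from /bin/mount and /bin/umount disables the "user" option in fstab; if that loss is intended for a hosting template, say so in the comment, otherwise trim the list to the network tools (ping, ping6, traceroute, traceroute6) plus wall and write. The two `find / -mount -nouser ... &` commands are backgrounded and keep running while the setuid loop and the later steps execute; drop the `&` (or add a `wait`) so the ownership fixes finish before the filesystem is snapshotted. In the rc.6 change, `touch /reboot` runs unconditionally; confirm that rc.6 is not also the script executed for a plain halt, otherwise a VE that was shut down on purpose will be brought back by the vpsreboot cronjob described just above. Finally, "vi /etc/rc.d/rc.6" and "And add these two lines near the start:" sit inside the <code> block as if they were commands; move the prose outside the block or turn it into shell comments.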
Line 106: | Line 133: | ||
<code> | <code> | ||
− | + | # stop all services | |
− | + | apachectl stop | |
− | + | killall syslogd klogd udevd crond | |
− | + | /etc/rc.d/rc.sendmail stop | |
− | + | /etc/webmin/stop | |
− | + | /etc/rc.d/rc.pgsql stop | |
− | + | /etc/rc.d/rc.mysqld stop | |
− | + | killall named proftpd | |
− | + | killall xinetd | |
− | + | # blow away the network configuration with dummy strings for later replacement | |
− | + | # replace the IP address with __IPADDRESS_ | |
− | + | # replace the netmask with __NETMASK__ | |
− | + | # replace the GATEWAY with __GATEWAY__ | |
− | + | vi /etc/rc.d/rc.inet1.conf | |
− | + | # disable the root and user accounts | |
− | + | # by changing the password for root and user to a ! character. | |
− | + | vi /etc/shadow | |
− | + | # refresh the 'locate' cache | |
− | + | /etc/cron.daily/slocate | |
− | + | # blank out the system logfiles | |
− | + | for logfile in \ | |
− | + | /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \ | |
− | + | /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \ | |
− | + | /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \ | |
− | + | /var/log/apache/access_log /var/log/apache/error_log \ | |
− | + | /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid | |
− | + | do cp /dev/null $logfile ; done | |
− | + | rmdir /var/log/sa | |
− | + | # clear the SSH host key | |
− | + | rm -f /etc/ssh/ssh_host_* | |
− | + | # database server logfiles | |
− | + | rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile | |
− | + | # delete vi backup files, bash_history files, and other small application crud | |
− | + | unset HISTFILE | |
− | + | find / -name '*~' \ | |
− | + | -o -name .bash_history \ | |
− | + | -o -name .gnupg \ | |
− | + | -o -name .lesshst \ | |
− | + | -o -name .viminfo \ | |
− | + | -o -name .rnd \ | |
− | + | -delete | |
− | + | # the junk under /tmp | |
− | + | rm -rf /tmp/* | |
</code> | </code> | ||
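Review bot: The cleanup `find / -name '*~' -o -name .bash_history ... -o -name .rnd -delete` only deletes .rnd files: find's implicit -and binds tighter than -o, so -delete is attached to the last -name test alone and every earlier match merely evaluates true without being removed. Group the tests, `find / -mount \( -name '*~' -o -name .bash_history -o -name .lesshst -o -name .viminfo -o -name .rnd \) -delete`, add -mount so the walk does not enter /proc, and handle .gnupg separately with rm -rf, since -delete refuses to remove a non-empty directory. The placeholder "__IPADDRESS_" has one trailing underscore while __NETMASK__ and __GATEWAY__ have two; whatever later substitutes these strings will miss the address unless the spellings agree, so make it __IPADDRESS__. Removing /etc/ssh/ssh_host_* is the right call for a template (a host key shared by every VE would let any one of them pass as another to clients that trust it), but check that rc.sshd regenerates keys when they are missing at first boot, otherwise sshd fails to start in every new VE.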
Line 163: | Line 190: | ||
== Zipping it up into a cache image == | == Zipping it up into a cache image == | ||
− | A | + | A VE cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway: |
+ | |||
+ | <code> | ||
− | + | tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' / | |
− | + | </code> |
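Review bot: Before the cache is published, verify that the blanking steps actually reached the archive, since anything left in it becomes the initial state of every VE: `tar ztf /tmp/HostGIS_Linux_4.2_64bit.tar.gz | grep -E 'ssh_host_|bash_history|\.viminfo|~$'` should print nothing, and `tar ztf /tmp/HostGIS_Linux_4.2_64bit.tar.gz | grep -E '^(proc|sys|tmp)/.'` should be empty as well. The file name hard-codes "4.2_64bit" while the heading covers HostGIS Linux 4.x and Slackware 11.x/12.x, so state that the name is chosen per build. Writing the archive under /tmp only works because '/tmp/*' is in the exclude list; say so, so nobody drops that exclude and packs the growing tarball into itself.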