Difference between revisions of "Creating a template cache : Slackware or HostGIS Linux"

Revision as of 16:48, 30 November 2007

Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x

This process uses VMWare to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VPS/VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.

This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.

Create the VM in VMWare

Technically, you could probably do this on a hardware PC without VMWare, but VMWare does make it more convenient.

Start by creating a new VM in VMWare.

The disk and RAM stats can be minimal, as the system will never see live use.
There is no need to create the entire disk at once during the setup.
Create the disk as SCSI.

Then install HGL.

Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
Set the passwords to 'password'
Do set the timezone properly. The internal clock does not use UTC/GMT.
Select the default mouse, but do NOT enable GPM at startup.
Hostname: template Domain: internal.lan
IP config: as appropriate for your LAN
Nameserver: no

Reboot into your new HGL install, and log in.

Delete unnecessary stuff

 # kernel, kernel modules, documentation, mount points
 rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media

 # packages not applicable to a VPS setting, or which we don't use at HostGIS
 # e.g. phpMyAdmin and phpPgAdmin are security holes
 cd /var/log/packages
 for pkg in \
    hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
    mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
    smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
 do removepkg $pkg ; done

 # most folks don't use GeoServer, so disable it by default
 chmod 644 /etc/rc.d/rc.geoserver

 # prune init's getty
 vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
 init q

 # clean out the fstab and mtab files
 ( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
 echo "proc     /proc      proc     defaults    0  0" >> /etc/fstab
 echo "devpts   /dev/pts   devpts   mode=0620   0  0" >> /etc/fstab

 # the startup sequence and services, even the firewall
 cd /etc/rc.d
 rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
       rc.scanluns  rc.serial rc.udev rc.sysvinit   rc.firewall
 vi rc.syslog    # delete all mentions of klogd
 vi rc.local     # delete smartd and inetd
 vi rc.M         # delete the setterm entry
 vi rc.S         # delete the MOTD clobbering

Fix permissions and ownerships

clear out old/dummy SSL certificates

mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl

fix file permissions

find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
for i in \

  /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
  /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
  /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
  /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
  do chmod u-s $i ; done

fix Apache's configuration:
add ServerTokens prod
go to the htdocs Directory definition and change Indexes to -Indexes
delete the entries for phpmyadmin and phppgadmin

vi /etc/apache/httpd.conf

keep FTP users chrooted:

echo "" >> /etc/proftpd.conf
echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf
echo "DefaultRoot ~" >> /etc/proftpd.conf

allow the mailq to be checked by anybody:

chgrp smmsp /var/spool/mqueue
chmod g+rx /var/spool/mqueue

Changes to rc scripts

A VPS cannot actually reboot, since there's no power switch to power-cycle the machine after the VE has been shut down. OpenVZ emulates this effect with an external cronjob called vpsreboot (see /etc/cron.d/vz). In order to reboot a VPS that has been shut down and which is expecting a reboot, the shutdown sequence must create a file named /reboot in the VPS's filesystem.

Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem.

vi /etc/rc.d/rc.6 And add these two lines near the start:

create the reboot flag so we get rebooted automatically

touch /reboot
vi /etc/rc.d/rc.M
And add these two lines near the start:

replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem

rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab

Blanking settings

Lastly, you'll want to delete or blank out a bunch of files so they start fresh when the VE is booted for its first time.

stop all services

apachectl stop
killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
/etc/webmin/stop
/etc/rc.d/rc.pgsql stop
/etc/rc.d/rc.mysqld stop
killall named proftpd
killall xinetd

blow away the network configuration with dummy strings for later replacement
replace the IP address with __IPADDRESS_
replace the netmask with __NETMASK__
replace the GATEWAY with __GATEWAY__

vi /etc/rc.d/rc.inet1.conf

disable the root and user accounts
by changing the password for root and user to a ! character.

vi /etc/shadow

refresh the 'locate' cache

/etc/cron.daily/slocate

blank out the system logfiles

for logfile in \

   /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
   /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
   /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
   /var/log/apache/access_log /var/log/apache/error_log \
   /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid

do cp /dev/null $logfile ; done
rmdir /var/log/sa

clear the SSH host key

rm -f /etc/ssh/ssh_host_*

database server logfiles

rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile

delete vi backup files, bash_history files, and other small application crud

unset HISTFILE
find / -name '*~' \

   -o -name .bash_history \
   -o -name .gnupg \
   -o -name .lesshst \
   -o -name .viminfo \
   -o -name .rnd \
   -delete

the junk under /tmp

rm -rf /tmp/*

Zipping it up into a cache image

A VE cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:

tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /

Difference between revisions of "Creating a template cache : Slackware or HostGIS Linux"

Revision as of 16:48, 30 November 2007

Contents

Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x

Create the VM in VMWare

Delete unnecessary stuff

Fix permissions and ownerships

Changes to rc scripts

Blanking settings

Zipping it up into a cache image

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Services

Donate

Tools

@@ Line 1: / Line 1: @@
-Creating a new Host Template Cache
+== Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x ==
-for HostGIS Linux 4.x or Slackware 11.x/12.x
 This process uses VMWare to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VPS/VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
+This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
-***** CREATING THE VM
-Start by creating a new VM in VMWare. The stats can be minimal, and there
+=== Create the VM in VMWare ===
-is no need to create the entire disk at once during the setup.
-   * Create the disk as SCSI.
-Then install HGL.
+Technically, you could probably do this on a hardware PC without VMWare, but VMWare does make it more convenient.
-  * Create a small partition at the end of the disk for swap. Some swap
-    is technically necessary, but since you'll never in fact be using it,
-    a few MB should be fine.
-  * Set the passwords to 'password'
-  * Do set the timezone properly. The internal clock does not use UTC/GMT.
-  * Select the default mouse, but do NOT enable GPM at startup.
-  * Hostname:  template   Domain: internal.lan
-  * IP config:  as appropriate for your LAN
-  * Nameserver: no
-Reboot into your new HGL install.
-Now we want to tweak it into a usable template.
+Start by creating a new VM in VMWare.
-Go ahead and login to the VM.
+* The disk and RAM stats can be minimal, as the system will never see live use.
+* There is no need to create the entire disk at once during the setup.
+* Create the disk as SCSI.
+Then install HGL.
+* Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
+* Set the passwords to 'password'
+* Do set the timezone properly. The internal clock does not use UTC/GMT.
+* Select the default mouse, but do NOT enable GPM at startup.
+* Hostname:  template   Domain: internal.lan
+* IP config:  as appropriate for your LAN
+* Nameserver: no
+Reboot into your new HGL install, and log in.
-***** UPGRADES AND SECURITY PATCHES
-The default HGL you used may require some software to be reinstalled, since new versions
-and critical bugfixes may have been released since that version of HGL was released.
-Follow these instructions, and also update them as necessary for the appropriate versions
-and to remove paragraphs when a revision of HGL comes out that no longer requires them.
-# HGL 4.2 - no necessary upgrades as of Nov 29 2007
-***** REPLACE INETD WITH XINETD
-Inetd is good but minimal. Xinetd offers security features, such as restricting service
-to only certain IPs, and only listening on certain interfaces,.
-removepkg inetd
-rm -f /etc/inetd.conf* /etc/rc.d/rc.inetd
-cd /tmp
-wget --header="Host: xinetd.org" http://204.152.188.37/xinetd-2.3.14.tar.gz
-tar zxvf xinetd*.gz
-cd xinetd*
-./configure --prefix=/usr --sysconfdir=/etc
-make && make install
-mkdir /etc/xinetd.d
-cat >> /etc/rc.d/rc.local <<EOF
-# xinetd
+== Delete unnecessary stuff ==
-/usr/sbin/xinetd
-EOF
-cat > /etc/xinetd.conf <<EOF
-defaults
-{
-        log_type        = SYSLOG daemon notice
-        log_on_success  = HOST EXIT DURATION
-        log_on_failure  = HOST ATTEMPT
-        instances       = 30
-        cps             = 50 10
-}
-includedir /etc/xinetd.d
-EOF
+<code>
+  # kernel, kernel modules, documentation, mount points
+  rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
-***** NAGIOS: THE HEALTH-MONITORING SYSTEM
+  # packages not applicable to a VPS setting, or which we don't use at HostGIS
+  # e.g. phpMyAdmin and phpPgAdmin are security holes
+  cd /var/log/packages
+  for pkg in \
+     hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
+     mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
+     smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
+  do removepkg $pkg ; done
-groupadd nagios
+  # most folks don't use GeoServer, so disable it by default
-useradd -g nagios -d /usr/local/nagios -m nagios
+  chmod 644 /etc/rc.d/rc.geoserver
-echo "nrpe             5666/tcp  # Nagios NRPE" >> /etc/services
-cd /tmp
+  # prune init's getty
-wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz
+  vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
-tar zxvf nagios-plugins-*.tar.gz ; cd nagios-plugins-*
+  init q
-./configure && make all && make install
-cd /tmp
-wget http://umn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.10.tar.gz
-tar zxvf nrpe-2.10.tar.gz ; cd nrpe-2.10
-./configure && make && cp src/nrpe /usr/local/nagios/nrpe
-for plugin in \
+  # clean out the fstab and mtab files
-   check_wave check_users check_ups check_time check_tcp check_swap check_ssh check_ssmtp \
+  ( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
-   check_spop check_simap check_smtp check_sensors check_rpc check_real check_pop check_ping \
+  echo "proc     /proc      proc     defaults    0  0" >> /etc/fstab
-   check_overcr check_oracle check_nwstat check_nt check_nntps check_nntp check_nagios \
+  echo "devpts   /dev/pts   devpts   mode=0620   0  0" >> /etc/fstab
-   check_mysql_query check_mrtgtraf check_mrtg check_log check_jabber check_ircd \
-   check_imap check_ifstatus check_ifoperstatus check_icmp check_http check_ftp check_flexlm \
-   check_file_age check_dummy check_disk_smb check_dig check_dhcp check_clamd check_by_ssh \
-   check_breeze check_apt check_udp
-do rm -f /usr/local/nagios/libexec/$plugin ; done
-cat > /usr/local/nagios/nrpe.cfg <<EOF
+  # the startup sequence and services, even the firewall
-# NRPE Config File
+  cd /etc/rc.d
-pid_file=/var/run/nrpe.pid
+  rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
-debug=0
+        rc.scanluns  rc.serial rc.udev rc.sysvinit   rc.firewall
-command_timeout=60
+  vi rc.syslog    # delete all mentions of klogd
-connection_timeout=300
+  vi rc.local     # delete smartd and inetd
+  vi rc.M         # delete the setterm entry
+  vi rc.S         # delete the MOTD clobbering
+</code>
-# And now the list of allowed check-commands:
-command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -m /
-command[check_dns]=/usr/local/nagios/libexec/check_dns www.google.com
-command[check_load]=/usr/local/nagios/libexec/check_load -w 5,5,5 -c 8,8,8
-command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
-command[check_mysql]=/usr/local/nagios/libexec/check_mysql -d gisdata -H localhost -u gisdata -p password
-command[check_pgsql]=/usr/local/nagios/libexec/check_pgsql -d gisdata -H localhost -l gisdata -p password
-command[check_ntp]=/usr/local/nagios/libexec/check_ntp -H pool.ntp.org
-command[check_crond]=/usr/local/nagios/libexec/check_procs -u root -c 1: --command=crond
-command[check_syslogd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=syslogd
-command[check_xinetd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=xinetd
-EOF
-cat > /etc/xinetd.d/nrpe <<EOF
+== Fix permissions and ownerships ==
-# description: NRPE for Nagios
-service nrpe
-{
-   socket_type     = stream
-   protocol        = tcp
-   wait            = no
-   user            = nagios
-   server          = /usr/local/nagios/nrpe
-   server_args     = -c /usr/local/nagios/nrpe.cfg --inetd
-   only_from       = __HOSTIP__
-}
-EOF
-chown -R nagios:nagios /usr/local/nagios
+<code>
-chmod -R o-rwx /usr/local/nagios
-chmod go-rwx /etc/xinetd.d
-***** OTHER UNNECESSARY STUFF
-# kernel, kernel modules, documentation, mount points
-rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
-# packages not applicable to a VPS setting, or which we don't use at HostGIS
-# e.g. phpMyAdmin and phpPgAdmin are security holes
-cd /var/log/packages
-for pkg in \
-   hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
-   mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
-   smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
-do removepkg $pkg ; done
-# most folks don't use GeoServer, so disable it by default
-chmod 644 /etc/rc.d/rc.geoserver
-# prune init's getty
-vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
-init q
-# clean out the fstab and mtab files
-( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
-echo "proc     /proc      proc     defaults    0  0" >> /etc/fstab
-echo "devpts   /dev/pts   devpts   mode=0620   0  0" >> /etc/fstab
-# the startup sequence and services, even the firewall
-cd /etc/rc.d
-rm -f rc.gpm-sample rc.hotplug rc.ip_forward rc.modules rc.scanluns  rc.serial rc.udev rc.sysvinit rc.firewall
-vi rc.syslog    # delete all mentions of klogd
-vi rc.local     # delete smartd and inetd
-vi rc.M         # delete the setterm entry
-vi rc.S         # delete the MOTD clobbering
-# blow away the network configuration with dummy strings for later replacement
-#    replace the IP address with __IPADDRESS_
-#    replace the netmask with __NETMASK__
-#    replace the GATEWAY with __GATEWAY__
-vi /etc/rc.d/rc.inet1.conf
-***** BASIC FILE SECURITY SETTINGS
 # clear out old/dummy SSL certificates
@@ Line 211: / Line 98: @@
 chmod g+rx /var/spool/mqueue
-# disable the root and user accounts
+</code>
-# by changing the password for root and user to a ! character.
-vi /etc/shadow
+== Changes to rc scripts ==
-***** REBOOTING
 A VPS cannot actually reboot, since there's no power switch to power-cycle the machine
@@ Line 226: / Line 110: @@
 Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem.
+<code>
 vi /etc/rc.d/rc.6
@@ Line 237: / Line 123: @@
 rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
+</code>
-***** DELETING AND BLANKING SETTINGS
+== Blanking settings ==
 Lastly, you'll want to delete or blank out a bunch of files so they start fresh
 when the VE is booted for its first time.
+<code>
 # stop all services
@@ Line 253: / Line 142: @@
 killall named proftpd
 killall xinetd
+# blow away the network configuration with dummy strings for later replacement
+#    replace the IP address with __IPADDRESS_
+#    replace the netmask with __NETMASK__
+#    replace the GATEWAY with __GATEWAY__
+vi /etc/rc.d/rc.inet1.conf
+# disable the root and user accounts
+# by changing the password for root and user to a ! character.
+vi /etc/shadow
 # refresh the 'locate' cache
@@ Line 286: / Line 185: @@
 rm -rf /tmp/*
+</code>
+== Zipping it up into a cache image ==
-***** CREATING THE VE CACHE IMAGE
+A VE cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
-A VE cache is just a tar.gz file of the entire filesystem. So creating them is simple!
+<code>
 tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
-Ta-da! That's your new VE template cache. Just SFTP it to the VE server and you're all set!
+</code>