OpenVZ Virtuozzo Containers Wiki β

Creating a template cache : Slackware or HostGIS Linux

Revision of 10:55, 19 October 2009 (4,234 bytes removed). Edit summary: →Zipping it up into a cache image: use --numeric-owner option for tar
This process uses VMware to install the OS into a new VM, then trims the VM's contents down to only those items suitable for a [[VE]] environment, then saves a snapshot of the system as a template cache for use in OpenVZ.

This document focuses on HostGIS Linux (a Slackware derivative), but aside from the specifics of the installation settings it should be 99% applicable to Slackware as well.
== Create the VM in VMware ==
Technically you could do this on a physical PC without VMware, but VMware does make it more convenient. Start by creating a new VM in VMware.
* The disk and RAM can be minimal, as the system will never see live use.
* There is no need to allocate the entire disk at once during setup.
* Create the disk as SCSI.
Then install HGL.
* Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never actually use it, a few MB should be fine.
* Set the passwords to 'password' (both accounts get locked before the image is packaged, see the blanking step below).
* Do set the timezone properly. The internal clock does not use UTC/GMT.
* Select the default mouse, but do NOT enable GPM at startup.
* Hostname: template
* Domain: internal.lan
* IP config: as appropriate for your LAN
* Nameserver: no
Reboot into your new HGL install and log in.
== Delete unnecessary stuff ==
A lot of packages aren't relevant inside a VE, e.g. floppy disk utilities and kernel modules, even the getty listening on the console. The VE runs on the hardware node's kernel, so /boot and /lib/modules are dead weight, and removing iptables-* leaves packet filtering to the hardware node.
<code>
# kernel, kernel modules, documentation, mount points
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
# packages not applicable to a VE
cd /var/log/packages
for pkg in \
 hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
 mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
 smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
do removepkg $pkg ; done
# prune init's getty
vi /etc/inittab # delete everything after entry l6 (runlevel 6)
init q
# clean out the fstab and mtab files
( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
echo "proc /proc proc defaults 0 0" >> /etc/fstab
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab
# the startup sequence and services
cd /etc/rc.d
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
 rc.scanluns rc.serial rc.udev rc.sysvinit
vi rc.syslog # delete all mentions of klogd
vi rc.M      # delete the setterm entry
vi rc.S      # delete the MOTD clobbering
</code>
== Upgrades and security patches (removed in this revision) ==
The HGL release you installed from may need some software reinstalled, since new versions and critical bugfixes may have been published after that release. Update the steps below for the appropriate versions, and drop them once a revision of HGL comes out that no longer needs them.
<code>
# HGL 4 - no necessary upgrades as of Nov 29 2007
</code>

== Replace inetd with xinetd (removed in this revision) ==
Inetd is good but minimal. Xinetd offers security features such as restricting a service to certain client IPs and listening only on certain interfaces. Note that the download below is an unverified tarball fetched over plain HTTP from a hard-coded IP address; check it against a published checksum or signature before building it.
<code>
removepkg inetd
rm -f /etc/inetd.conf* /etc/rc.d/rc.inetd
cd /tmp
wget --header="Host: xinetd.org" http://204.152.188.37/xinetd-2.3.14.tar.gz
tar zxvf xinetd*.gz
cd xinetd*
./configure --prefix=/usr --sysconfdir=/etc
make && make install
mkdir /etc/xinetd.d
cat >> /etc/rc.d/rc.local <<EOF
# xinetd
/usr/sbin/xinetd
EOF
cat > /etc/xinetd.conf <<EOF
defaults
{
    log_type       = SYSLOG daemon notice
    log_on_success = HOST EXIT DURATION
    log_on_failure = HOST ATTEMPT
    instances      = 30
    cps            = 50 10
}
includedir /etc/xinetd.d
EOF
</code>

== Fix permissions and ownerships ==
<code>
# clear out old/dummy SSL certificates
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
# set an ownership on any unowned files
find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
wait   # let both background finds finish before moving on
# remove the setuid bit from programs which nobody else should use
# you may want to review this list first, as some folks want their users
# able to edit cronjobs and to change their own passwords, etc.
for i in \
 /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
 /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
 /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
 /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
do chmod u-s $i ; done
</code>

== Nagios: the health monitoring system (removed in this revision) ==
NRPE is run from xinetd, so this section depends on the xinetd section above. Two things to watch: __HOSTIP__ is a placeholder that must be replaced with the monitoring host's address, since only_from is the only access control on the service, and the database passwords in nrpe.cfg are passed on the command line, where any local user can read them from the process list.
<code>
groupadd nagios
useradd -g nagios -d /usr/local/nagios -m nagios
echo "nrpe 5666/tcp # Nagios NRPE" >> /etc/services
cd /tmp
wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz
tar zxvf nagios-plugins-*.tar.gz ; cd nagios-plugins-*
./configure && make all && make install
cd /tmp
wget http://umn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.10.tar.gz
tar zxvf nrpe-2.10.tar.gz ; cd nrpe-2.10
./configure && make && cp src/nrpe /usr/local/nagios/nrpe
# remove the plugins we don't use
for plugin in \
 check_wave check_users check_ups check_time check_tcp check_swap check_ssh check_ssmtp \
 check_spop check_simap check_smtp check_sensors check_rpc check_real check_pop check_ping \
 check_overcr check_oracle check_nwstat check_nt check_nntps check_nntp check_nagios \
 check_mysql_query check_mrtgtraf check_mrtg check_log check_jabber check_ircd \
 check_imap check_ifstatus check_ifoperstatus check_icmp check_http check_ftp check_flexlm \
 check_file_age check_dummy check_disk_smb check_dig check_dhcp check_clamd check_by_ssh \
 check_breeze check_apt check_udp
do rm -f /usr/local/nagios/libexec/$plugin ; done
cat > /usr/local/nagios/nrpe.cfg <<EOF
# NRPE Config File
pid_file=/var/run/nrpe.pid
debug=0
command_timeout=60
connection_timeout=300
# And now the list of allowed check-commands
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -m
command[check_dns]=/usr/local/nagios/libexec/check_dns www.google.com
command[check_load]=/usr/local/nagios/libexec/check_load -w 5,5,5 -c 8,8,8
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
command[check_mysql]=/usr/local/nagios/libexec/check_mysql -d gisdata -H localhost -u gisdata -p password
command[check_pgsql]=/usr/local/nagios/libexec/check_pgsql -d gisdata -H localhost -l gisdata -p password
command[check_ntp]=/usr/local/nagios/libexec/check_ntp -H pool.ntp.org
command[check_crond]=/usr/local/nagios/libexec/check_procs -u root -c 1: --command=crond
command[check_syslogd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=syslogd
command[check_xinetd]=/usr/local/nagios/libexec/check_procs -u root -c 1:1 --command=xinetd
EOF
cat > /etc/xinetd.d/nrpe <<EOF
# description: NRPE for Nagios
service nrpe
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nagios
    server      = /usr/local/nagios/nrpe
    server_args = -c /usr/local/nagios/nrpe.cfg --inetd
    only_from   = __HOSTIP__
}
EOF
chown -R nagios:nagios /usr/local/nagios
chmod -R o-rwx /usr/local/nagios
chmod go-rwx /etc/xinetd.d
</code>

== Changes to rc scripts ==
A VE cannot actually reboot, since there is no power switch to power-cycle the machine once the VE has shut down. OpenVZ emulates a reboot with an external cronjob called vpsreboot (see /etc/cron.d/vz): a VE that has shut down and expects to be rebooted must leave a file named /reboot in its filesystem. OpenVZ also expects /etc/mtab to point at /proc/mounts so it can find the / filesystem. So, two small changes are necessary to the rc scripts. Add the lines as edits to the scripts rather than running them now: a /reboot file baked into the template would make every new VE look like it is waiting for a reboot.

Edit /etc/rc.d/rc.6 and add these two lines near the start:
<code>
# create the reboot flag so we get rebooted automatically
touch /reboot
</code>

Edit /etc/rc.d/rc.M and add these two lines near the start:
<code>
# replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem
rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab
</code>

== Other HostGIS-specific changes (removed in this revision) ==
The previous revision also removed some HostGIS add-ons and tightened a few service configurations:
<code>
# packages we don't use at HostGIS; the original author considered
# phpMyAdmin and phpPgAdmin security holes
cd /var/log/packages
for pkg in phpMyAdmin-* phppgAdmin-* ; do removepkg $pkg ; done
# most folks don't use GeoServer, so disable it by default
chmod 644 /etc/rc.d/rc.geoserver
# the startup sequence and services, even the firewall
rm -f /etc/rc.d/rc.firewall
vi /etc/rc.d/rc.local # delete smartd and inetd
# fix Apache's configuration:
#   add ServerTokens Prod
#   go to the htdocs Directory definition and change Indexes to -Indexes
#   delete the entries for phpmyadmin and phppgadmin
vi /etc/apache/httpd.conf
# keep FTP users chrooted:
echo "" >> /etc/proftpd.conf
echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf
echo "DefaultRoot ~" >> /etc/proftpd.conf
# allow the mailq to be checked by anybody:
chgrp smmsp /var/spool/mqueue
chmod g+rx /var/spool/mqueue
</code>
== Blanking settings ==
Lastly, you'll want to delete or blank out a bunch of files so they start fresh when the VE is booted for the first time. The SSH host keys matter most: if they ship in the template, every VE cut from it presents the same host identity.
<code>
# stop all services
apachectl stop
killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
/etc/rc.d/rc.inetd stop
/etc/webmin/stop
/etc/rc.d/rc.pgsql stop
/etc/rc.d/rc.mysqld stop
killall named proftpd
# blow away the network configuration with dummy strings for later replacement
# replace the IP address with __IPADDRESS__
# replace the netmask with __NETMASK__
# replace the gateway with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf
# disable the root and user accounts
# by changing the password field for root and user to a ! character.
vi /etc/shadow
# refresh the 'locate' cache
/etc/cron.daily/slocate
# blank out the system logfiles
for logfile in \
 /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
 /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
 /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
 /var/log/apache/access_log /var/log/apache/error_log \
 /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
do cp /dev/null $logfile ; done
rmdir /var/log/sa
# clear the SSH host keys; sshd regenerates them on the VE's first boot
rm -f /etc/ssh/ssh_host_*
# database server logfiles
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
# delete vi backup files, bash_history files, and other small application crud
# (unset HISTFILE first so this shell doesn't write a fresh .bash_history on exit;
# the parentheses are needed, otherwise the delete binds to the last -name only,
# and -prune lets rm -rf take whole directories such as .gnupg)
unset HISTFILE
find / -xdev \( -name '*~' \
 -o -name .bash_history \
 -o -name .gnupg \
 -o -name .lesshst \
 -o -name .viminfo \
 -o -name .rnd \) \
 -prune -exec rm -rf {} +
# anything under /tmp
rm -rf /tmp/*
</code>
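Before tarring the tree up it is worth checking that the steps above actually took. The following is an added example, not code from the wiki page: a POSIX shell function that audits a staging root for the things this page removes or rewrites (setuid bits, SSH host keys, shell history, /lib/modules and /boot, a non-empty /tmp, the /etc/mtab symlink, the touch /reboot hook in rc.6 and a locked root entry in /etc/shadow). The setuid allowlist (su and sudo only) and the idea of running it against a copied staging tree are assumptions; inside the template VM itself it can be run as audit_template_root /.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): audit a staging root before
# it is tarred into a template cache. Each rule mirrors a step on this page.
# Assumptions: the only setuid programs allowed to survive are su and sudo,
# and root's /etc/shadow entry is locked with a literal "!" password field.
#
# usage: audit_template_root /path/to/staging/root   (or "/" inside the VM)
# prints one finding per line; returns 0 when clean, 1 otherwise
audit_template_root() {
    root=${1%/}          # "" when auditing /, so "$root/etc" stays absolute
    base=${root:-/}
    findings=$(
        # setuid bits: the page strips u+s from a fixed list of programs;
        # here anything setuid outside the assumed allowlist is reported
        find "$base" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
            rel=${f#"$root"}
            case "$rel" in
                /bin/su|/usr/bin/su|/usr/bin/sudo) ;;
                *) echo "setuid: $rel" ;;
            esac
        done
        # per-instance secrets and shell cruft that must not ship in a template
        for p in /etc/ssh/ssh_host_* /root/.bash_history /root/.viminfo \
                 /root/.lesshst /root/.gnupg /root/.rnd; do
            for f in "$root"$p; do
                if [ -e "$f" ]; then echo "leftover: ${f#"$root"}"; fi
            done
        done
        # trees removed outright because the hardware node's kernel is used
        for d in /lib/modules /boot; do
            if [ -d "$root$d" ]; then echo "hardware-only tree present: $d"; fi
        done
        # /tmp is excluded from the tar anyway, but an empty one is the intent
        tmpfiles=$(ls -A "$root/tmp" 2>/dev/null || true)
        if [ -n "$tmpfiles" ]; then echo "non-empty: /tmp"; fi
        # /etc/mtab must point at /proc/mounts so OpenVZ can find the / filesystem
        mtab=$(readlink "$root/etc/mtab" 2>/dev/null || true)
        case "$mtab" in
            /proc/mounts|../proc/mounts) ;;
            *) echo "mtab: not a symlink to /proc/mounts" ;;
        esac
        # rc.6 must create the /reboot flag that the vpsreboot cronjob looks for
        if ! grep -q '^touch /reboot' "$root/etc/rc.d/rc.6" 2>/dev/null; then
            echo "rc.6: missing 'touch /reboot'"
        fi
        # root's password field must be "!" (account disabled)
        if ! grep -q '^root:!:' "$root/etc/shadow" 2>/dev/null; then
            echo "shadow: root account not locked with '!'"
        fi
        :
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

The checks are deliberately read-only; fix anything it reports with the commands in the sections above and run it again until it returns 0.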
== Zipping it up into a cache image ==
A CT cache is just a tar.gz file of the entire filesystem, excluding the very dynamic stuff that the OS populates at runtime anyway, so creating one is simple. Pass --numeric-owner so tar stores numeric uids and gids rather than names; otherwise a user name that exists with a different uid on the hardware node would get its files remapped when the cache is unpacked. Writing the archive under /tmp also keeps it out of the archive, since /tmp/* is excluded:
<code>
tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
</code>
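The tar invocation above, as an added example that is not from the page, wrapped in two shell functions: one builds the cache from a staging root with the same --numeric-owner and --exclude flags, the other lists the result and fails if anything under /proc, /sys or /tmp slipped in or if ownership was stored by name. The staging-root convention (running tar with -C on a copied tree rather than on / of the live VM) and GNU tar's -tv listing format are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki page): build and verify a template
# cache tarball. Assumes GNU tar and a staging root laid out like the VM's /.
#
# make_template_cache STAGING_ROOT OUTPUT.tar.gz
make_template_cache() {
    staging=$1; out=$2
    # --numeric-owner stores uid/gid numbers instead of names, so the hardware
    # node's /etc/passwd cannot remap ownership when the cache is unpacked.
    # The excludes keep the proc/, sys/ and tmp/ directories (they are mount
    # points the VE needs) but drop whatever is inside them.
    tar --numeric-owner -C "$staging" -zcf "$out" \
        --exclude='./proc/*' --exclude='./sys/*' --exclude='./tmp/*' .
}

# verify_template_cache OUTPUT.tar.gz
# returns 0 when no member lives below proc/, sys/ or tmp/ and ownership is
# stored numerically; prints the reason and returns 1 otherwise
verify_template_cache() {
    cache=$1
    listing=$(tar -tzvf "$cache") || return 1
    # any member below one of the three excluded mount points is a failure
    if printf '%s\n' "$listing" | grep -Eq ' \./(proc|sys|tmp)/.+'; then
        echo "cache contains runtime files under /proc, /sys or /tmp"
        return 1
    fi
    # if names were stored, forcing numeric display changes the owner column;
    # a cache built with --numeric-owner lists identically either way
    if [ "$listing" != "$(tar --numeric-owner -tzvf "$cache")" ]; then
        echo "cache stores owner names, not numeric uid/gid"
        return 1
    fi
    return 0
}
```

Running the verifier on the hardware node before dropping the file into the template cache directory catches the two mistakes that are otherwise only noticed once a VE is created from it.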
Ta-da! That's your new VE template cache. Just SFTP it to the VE server and you're all set!

[[Category: Templates]]