Difference between revisions of "Creating a template cache : Slackware or HostGIS Linux"

From OpenVZ Virtuozzo Containers Wiki
(Zipping it up into a cache image: use --numeric-owner option for tar)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Creating a new Host Template Cache for HostGIS Linux 4.x or Slackware 11.x/12.x ==
+
This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a [[VE]] environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
 
 
This process uses VMWare to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VPS/VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
 
  
 
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
 
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
  
  
=== Create the VM in VMWare ===
+
== Create the VM in VMware ==
  
Technically, you could probably do this on a hardware PC without VMWare, but VMWare does make it more convenient.
+
Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient.
  
Start by creating a new VM in VMWare.
+
Start by creating a new VM in VMware.
 
* The disk and RAM stats can be minimal, as the system will never see live use.
 
* The disk and RAM stats can be minimal, as the system will never see live use.
 
* There is no need to create the entire disk at once during the setup.
 
* There is no need to create the entire disk at once during the setup.
Line 20: Line 18:
 
* Do set the timezone properly. The internal clock does not use UTC/GMT.
 
* Do set the timezone properly. The internal clock does not use UTC/GMT.
 
* Select the default mouse, but do NOT enable GPM at startup.
 
* Select the default mouse, but do NOT enable GPM at startup.
* Hostname: template   Domain: internal.lan
+
* Hostname: template
* IP config: as appropriate for your LAN
+
* Domain: internal.lan
 +
* IP config: as appropriate for your LAN
 
* Nameserver: no
 
* Nameserver: no
  
 
Reboot into your new HGL install, and log in.
 
Reboot into your new HGL install, and log in.
  
 +
== Delete unnecessary stuff ==
  
== Delete unnecessary stuff ==
+
A lot of packages aren't relevant to a VЕ setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console.
  
 
<code>
 
<code>
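Review bot: the added line "A lot of packages aren't relevant to a VЕ setting" spells VE with a non-ASCII letter in place of the E (the Е is a Cyrillic character), so a text search for "VE" will not find the sentence; retype it as plain ASCII. Splitting Hostname and Domain into two bullets is fine.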
Line 34: Line 34:
 
   rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
 
   rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
  
   # packages not applicable to a VPS setting, or which we don't use at HostGIS
+
   # packages not applicable to a VE
  # e.g. phpMyAdmin and phpPgAdmin are security holes
 
 
   cd /var/log/packages
 
   cd /var/log/packages
 
   for pkg in \
 
   for pkg in \
 
     hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
 
     hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
     mdadm-* floppy-* lvm2-* phpMyAdmin-* phppgAdmin-* raidtools-* reiserfsprogs-* \
+
     mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
 
     smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
 
     smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
 
   do removepkg $pkg ; done
 
   do removepkg $pkg ; done
 
  # most folks don't use GeoServer, so disable it by default
 
  chmod 644 /etc/rc.d/rc.geoserver
 
  
 
   # prune init's getty
 
   # prune init's getty
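Review bot: dropping `phpMyAdmin-* phppgAdmin-*` from the removepkg list, together with the comment that called them security holes, means both web admin frontends now stay installed in every container built from this template, and the page no longer says why; either keep them in the list or add a sentence saying they are wanted. The `chmod 644 /etc/rc.d/rc.geoserver` step is removed as well, which is fine if GeoServer is no longer shipped, but the revision says nothing about it.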
Line 55: Line 51:
 
   echo "devpts  /dev/pts  devpts  mode=0620  0  0" >> /etc/fstab
 
   echo "devpts  /dev/pts  devpts  mode=0620  0  0" >> /etc/fstab
  
   # the startup sequence and services, even the firewall
+
   # the startup sequence and services
 
   cd /etc/rc.d
 
   cd /etc/rc.d
 
   rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
 
   rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
         rc.scanluns  rc.serial rc.udev rc.sysvinit   rc.firewall
+
         rc.scanluns  rc.serial rc.udev rc.sysvinit
 
   vi rc.syslog    # delete all mentions of klogd
 
   vi rc.syslog    # delete all mentions of klogd
  vi rc.local    # delete smartd and inetd
 
 
   vi rc.M        # delete the setterm entry
 
   vi rc.M        # delete the setterm entry
 
   vi rc.S        # delete the MOTD clobbering
 
   vi rc.S        # delete the MOTD clobbering
 +
 
</code>
 
</code>
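Review bot: `rc.firewall` is dropped from the `rm -f` list while `iptables-*` is still removed by the removepkg loop in the previous hunk, so the template keeps a firewall script whose iptables binary is gone; either keep rc.firewall in the rm list or keep the iptables package. The `vi rc.local    # delete smartd and inetd` step is also gone although `smartmontools-*` is still uninstalled above, so rc.local will keep referencing smartd unless that editing step is restored.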
  
Line 70: Line 66:
 
<code>
 
<code>
  
# clear out old/dummy SSL certificates
+
  # clear out old/dummy SSL certificates
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
+
  mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
  
# fix file permissions
+
  # set an ownership on any unowned files
find / -mount -nouser -exec chown root {} \; &
+
  find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
+
  find / -mount -nogroup -exec chgrp root {} \; &
for i in \
 
  /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
 
  /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
 
  /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
 
  /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
 
  do chmod u-s $i ; done
 
  
# fix Apache's configuration:
+
  # remove the setuid bit from programs which nobody else should use
# add ServerTokens prod
+
  # you may want to review this list first, as some folks want their users
# go to the htdocs Directory definition and change Indexes to -Indexes
+
  # able to edit cronjobs and to change their own passwords, etc.
# delete the entries for phpmyadmin and phppgadmin
+
  for i in \
vi /etc/apache/httpd.conf
+
    /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
 
+
    /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
# keep FTP users chrooted:
+
    /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
echo "" >> /etc/proftpd.conf
+
    /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
echo "# keep all users chrooted to their homedir" >> /etc/proftpd.conf
+
    do chmod u-s $i ; done
echo "DefaultRoot ~" >> /etc/proftpd.conf
 
 
 
# allow the mailq to be checked by anybody:
 
chgrp smmsp /var/spool/mqueue
 
chmod g+rx /var/spool/mqueue
 
  
 
</code>
 
</code>
 
  
 
== Changes to rc scripts ==
 
== Changes to rc scripts ==
  
A VPS cannot actually reboot, since there's no power switch to power-cycle the machine
+
OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts So, some small changes are necessary to the rc scripts.
after the VE has been shut down. OpenVZ emulates this effect with an external cronjob
 
called vpsreboot (see /etc/cron.d/vz). In order to reboot a VPS that has been shut down
 
and which is expecting a reboot, the shutdown sequence must create a file named /reboot
 
in the VPS's filesystem.
 
 
 
Also, the /etc/mtab file should point to /proc/mounts so it can detect the / filesystem.
 
  
 
<code>
 
<code>
  
vi /etc/rc.d/rc.6
+
  # somewhere in rc.6 add this command: touch /reboot
And add these two lines near the start:
+
  vi /etc/rc.d/rc.6
# create the reboot flag so we get rebooted automatically
 
touch /reboot
 
  
vi /etc/rc.d/rc.M
+
  # somewhere in rc.M, add this command: rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
And add these two lines near the start:
+
  vi /etc/rc.d/rc.M
# replace the mtab file with a link to /proc/mounts so OpenVZ can find the / filesystem
 
rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
 
  
 
</code>
 
</code>
 
  
 
== Blanking settings ==
 
== Blanking settings ==
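Review bot: the Apache hardening (`ServerTokens prod`, `-Indexes`, deleting the phpmyadmin and phppgadmin entries), the ProFTPD `DefaultRoot ~` chroot and the mailq group change are removed without replacement and no other hunk adds them back; if they are intentionally out of scope for the template, one sentence saying so would stop readers assuming the web server and FTP daemon were hardened. In the rewritten reboot paragraph the pointer to `/etc/cron.d/vz` was lost, and "pointing it to /proc/mounts So, some small changes" needs a full stop before "So".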
Line 133: Line 106:
 
<code>
 
<code>
  
# stop all services
+
  # stop all services
apachectl stop
+
  apachectl stop
killall syslogd klogd udevd crond
+
  killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
+
  /etc/rc.d/rc.sendmail stop
/etc/webmin/stop
+
  /etc/rc.d/rc.inetd stop
/etc/rc.d/rc.pgsql stop
+
  /etc/webmin/stop
/etc/rc.d/rc.mysqld stop
+
  /etc/rc.d/rc.pgsql stop
killall named proftpd
+
  /etc/rc.d/rc.mysqld stop
killall xinetd
+
  killall named proftpd
  
# blow away the network configuration with dummy strings for later replacement
+
  # blow away the network configuration with dummy strings for later replacement
#    replace the IP address with __IPADDRESS_
+
  #    replace the IP address with __IPADDRESS_
#    replace the netmask with __NETMASK__
+
  #    replace the netmask with __NETMASK__
#    replace the GATEWAY with __GATEWAY__
+
  #    replace the GATEWAY with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf
+
  vi /etc/rc.d/rc.inet1.conf
  
# disable the root and user accounts
+
  # disable the root and user accounts
# by changing the password for root and user to a ! character.
+
  # by changing the password for root and user to a ! character.
vi /etc/shadow
+
  vi /etc/shadow
  
# refresh the 'locate' cache
+
  # refresh the 'locate' cache
/etc/cron.daily/slocate
+
  /etc/cron.daily/slocate
  
# blank out the system logfiles
+
  # blank out the system logfiles
for logfile in \
+
  for logfile in \
    /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
+
      /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
    /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
+
      /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
    /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
+
      /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
    /var/log/apache/access_log /var/log/apache/error_log \
+
      /var/log/apache/access_log /var/log/apache/error_log \
    /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
+
      /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
do cp /dev/null $logfile ; done
+
  do cp /dev/null $logfile ; done
rmdir /var/log/sa
+
  rmdir /var/log/sa
  
# clear the SSH host key
+
  # clear the SSH host key
rm -f /etc/ssh/ssh_host_*
+
  rm -f /etc/ssh/ssh_host_*
  
# database server logfiles
+
  # database server logfiles
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
+
  rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
  
# delete vi backup files, bash_history files, and other small application crud
+
  # delete vi backup files, bash_history files, and other small application crud
unset HISTFILE
+
  unset HISTFILE
find / -name '*~' \
+
  find / -name '*~' \
    -o -name .bash_history \
+
      -o -name .bash_history \
    -o -name .gnupg \
+
      -o -name .gnupg \
    -o -name .lesshst \
+
      -o -name .lesshst \
    -o -name .viminfo \
+
      -o -name .viminfo \
    -o -name .rnd \
+
      -o -name .rnd \
    -delete
+
      -delete
  
# the junk under /tmp
+
  # anything under /tmp
rm -rf /tmp/*
+
  rm -rf /tmp/*
  
 
</code>
 
</code>
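Review bot: in `find / -name '*~' -o -name .bash_history ... -o -name .rnd -delete` (unchanged here apart from indentation) the `-delete` binds only to the last `-name .rnd` test, because `-o` has lower precedence than the implied `-a`, so only `.rnd` files are deleted and the other patterns are matched and silently dropped; group the tests as `find / -mount \( -name '*~' -o ... -o -name .rnd \)` before the action, and since `.gnupg` is a directory `-delete` will refuse it unless it is empty, so `-exec rm -rf {} +` fits better. Also `killall xinetd` was removed while `/var/log/xinetd.log` stays in the blanked-log list; harmless, but the list could drop it.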
Line 190: Line 163:
 
== Zipping it up into a cache image ==
 
== Zipping it up into a cache image ==
  
A VE cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
+
A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
 
 
<code>
 
  
tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
+
  tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /
  
</code>
+
[[Category: Templates]]
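Review bot: `--numeric-owner` is the right fix, since the archive is unpacked on hosts whose passwd and group files differ from the build VM's, so names would otherwise be remapped to the wrong uids; a one-line comment in the page saying so would help. Note also that the archive is written to /tmp while `/tmp/*` is excluded, so it does not include itself, which deserves a comment for the same reason.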

Latest revision as of 10:55, 19 October 2009

This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.

This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.


Create the VM in VMware

Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient.

Start by creating a new VM in VMware.

  • The disk and RAM stats can be minimal, as the system will never see live use.
  • There is no need to create the entire disk at once during the setup.
  • Create the disk as SCSI.

Then install HGL.

  • Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
  • Set the passwords to 'password'
  • Do set the timezone properly. The internal clock does not use UTC/GMT.
  • Select the default mouse, but do NOT enable GPM at startup.
  • Hostname: template
  • Domain: internal.lan
  • IP config: as appropriate for your LAN
  • Nameserver: no

Reboot into your new HGL install, and log in.

Delete unnecessary stuff

A lot of packages aren't relevant to a VE setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console.

 # kernel, kernel modules, documentation, mount points
 rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
 # packages not applicable to a VE
 cd /var/log/packages
 for pkg in \
    hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
    mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
    smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
 do removepkg $pkg ; done
 # prune init's getty
 vi  /etc/inittab # delete everything after entry l6 (runlevel 6)
 init q
 # clean out the fstab and mtab files
 ( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
 echo "proc     /proc      proc     defaults    0  0" >> /etc/fstab
 echo "devpts   /dev/pts   devpts   mode=0620   0  0" >> /etc/fstab
 # the startup sequence and services
 cd /etc/rc.d
 rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
       rc.scanluns  rc.serial rc.udev rc.sysvinit
 vi rc.syslog    # delete all mentions of klogd
 vi rc.M         # delete the setterm entry
 vi rc.S         # delete the MOTD clobbering


Fix permissions and ownerships

 # clear out old/dummy SSL certificates
 mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
 # set an ownership on any unowned files
 find / -mount -nouser -exec chown root {} \; &
 find / -mount -nogroup -exec chgrp root {} \; &
 # remove the setuid bit from programs which nobody else should use
 # you may want to review this list first, as some folks want their users
 # able to edit cronjobs and to change their own passwords, etc.
 for i in \
     /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
     /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
     /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
     /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
 do chmod u-s $i ; done

Changes to rc scripts

OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts. So, some small changes are necessary to the rc scripts.

 # somewhere in rc.6 add this command: touch /reboot
 vi /etc/rc.d/rc.6
 # somewhere in rc.M, add this command: rm -f /etc/mtab ;  ln -s /proc/mounts /etc/mtab
 vi /etc/rc.d/rc.M

Blanking settings

Lastly, you'll want to delete or blank out a bunch of files so they start fresh when the VE is booted for its first time.

 # stop all services
 apachectl stop
 killall syslogd klogd udevd crond
 /etc/rc.d/rc.sendmail stop
 /etc/rc.d/rc.inetd stop
 /etc/webmin/stop
 /etc/rc.d/rc.pgsql stop
 /etc/rc.d/rc.mysqld stop
 killall named proftpd
 # blow away the network configuration with dummy strings for later replacement
 #    replace the IP address with __IPADDRESS_
 #    replace the netmask with __NETMASK__
 #    replace the GATEWAY with __GATEWAY__
 vi /etc/rc.d/rc.inet1.conf
 # disable the root and user accounts
 # by changing the password for root and user to a ! character.
 vi /etc/shadow
 # refresh the 'locate' cache
 /etc/cron.daily/slocate
 # blank out the system logfiles
 for logfile in \
     /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
     /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
     /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
     /var/log/apache/access_log /var/log/apache/error_log \
     /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
 do cp /dev/null $logfile ; done
 rmdir /var/log/sa
 # clear the SSH host key
 rm -f /etc/ssh/ssh_host_*
 # database server logfiles
 rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
 # delete vi backup files, bash_history files, and other small application crud
 unset HISTFILE
 find / -mount \( -name '*~' \
     -o -name .bash_history \
     -o -name .gnupg \
     -o -name .lesshst \
     -o -name .viminfo \
     -o -name .rnd \) \
     -exec rm -rf {} +   # grouped so the action covers every pattern; rm -rf also takes the .gnupg directory
 # anything under /tmp
 rm -rf /tmp/*
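
The dummy strings left in rc.inet1.conf by the step above are there to be filled in when a container is created from the cache. The following is an added example, not part of the wiki page or of OpenVZ's own tooling, showing how such a deploy-time step can fill the three placeholders. The placeholder names are the page's own (including `__IPADDRESS_` with its single trailing underscore); the sample rc.inet1.conf written by `make_blanked_conf` is constructed for the demonstration, and the dotted-quad check is this example's own guard, so a bad argument cannot write arbitrary text into an rc script that runs as root at boot.

```shell
#!/bin/sh
# Added example (not from the wiki page): fill in the dummy strings that the
# blanking step leaves in rc.inet1.conf, the way a container-creation script
# would at deploy time. Placeholder names are the page's own; the sample
# config below is constructed, not copied from a real system.

# Write a constructed, blanked rc.inet1.conf to the path in $1.
make_blanked_conf() {
  cat > "$1" <<'EOF'
# /etc/rc.d/rc.inet1.conf (constructed sample, placeholders as left by the template)
IPADDR[0]="__IPADDRESS_"
NETMASK[0]="__NETMASK__"
USE_DHCP[0]=""
GATEWAY="__GATEWAY__"
EOF
}

# Replace the three placeholders in the file $1 with $2 (address), $3 (netmask)
# and $4 (gateway). Each value must be a dotted quad of digits and dots only,
# so nothing but an address can ever land in a root-run boot script.
fill_inet_conf() {
  conf=$1 ip=$2 mask=$3 gw=$4
  for v in "$ip" "$mask" "$gw"; do
    case $v in
      *[!0-9.]*|'') echo "fill_inet_conf: not a dotted quad: '$v'" >&2; return 1 ;;
    esac
  done
  sed -e "s/__IPADDRESS_/$ip/g" -e "s/__NETMASK__/$mask/g" -e "s/__GATEWAY__/$gw/g" \
      "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Number of lines in $1 that still carry a placeholder; 0 means fully configured.
placeholders_left() {
  grep -c '__[A-Z]*_' "$1" || true
}
```

Typical use is `make_blanked_conf /tmp/rc.inet1.conf` followed by `fill_inet_conf /tmp/rc.inet1.conf 192.168.1.10 255.255.255.0 192.168.1.1`, after which `placeholders_left` should report 0; running it on the real `/etc/rc.d/rc.inet1.conf` inside the container's root is the deploy-time step itself.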


Zipping it up into a cache image

A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:

 tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /