Difference between revisions of "Creating a template cache : Slackware or HostGIS Linux"
(→Zipping it up into a cache image: use --numeric-owner option for tar) |
|||
(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a [[VE]] environment, then to save a snapshot of the system as a host template cache for use in OpenVZ. | |
− | |||
− | This process uses | ||
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well. | This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well. | ||
− | + | == Create the VM in VMware == | |
− | Technically, you could probably do this on a hardware PC without | + | Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient. |
− | Start by creating a new VM in | + | Start by creating a new VM in VMware. |
* The disk and RAM stats can be minimal, as the system will never see live use. | * The disk and RAM stats can be minimal, as the system will never see live use. | ||
* There is no need to create the entire disk at once during the setup. | * There is no need to create the entire disk at once during the setup. | ||
Line 20: | Line 18: | ||
* Do set the timezone properly. The internal clock does not use UTC/GMT. | * Do set the timezone properly. The internal clock does not use UTC/GMT. | ||
* Select the default mouse, but do NOT enable GPM at startup. | * Select the default mouse, but do NOT enable GPM at startup. | ||
− | * Hostname: | + | * Hostname: template |
− | * IP config: | + | * Domain: internal.lan |
+ | * IP config: as appropriate for your LAN | ||
* Nameserver: no | * Nameserver: no | ||
Reboot into your new HGL install, and log in. | Reboot into your new HGL install, and log in. | ||
+ | == Delete unnecessary stuff == | ||
− | + | A lot of packages aren't relevant to a VЕ setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console. | |
<code> | <code> | ||
Line 34: | Line 34: | ||
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media | rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media | ||
− | # packages not applicable to a | + | # packages not applicable to a VE |
− | |||
cd /var/log/packages | cd /var/log/packages | ||
for pkg in \ | for pkg in \ | ||
hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \ | hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \ | ||
− | mdadm-* floppy-* lvm2 | + | mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \ |
smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-* | smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-* | ||
do removepkg $pkg ; done | do removepkg $pkg ; done | ||
− | |||
− | |||
− | |||
# prune init's getty | # prune init's getty | ||
Line 55: | Line 51: | ||
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab | echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab | ||
− | # the startup sequence and services | + | # the startup sequence and services |
cd /etc/rc.d | cd /etc/rc.d | ||
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \ | rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \ | ||
− | rc.scanluns rc.serial rc.udev rc.sysvinit | + | rc.scanluns rc.serial rc.udev rc.sysvinit |
vi rc.syslog # delete all mentions of klogd | vi rc.syslog # delete all mentions of klogd | ||
− | |||
vi rc.M # delete the setterm entry | vi rc.M # delete the setterm entry | ||
vi rc.S # delete the MOTD clobbering | vi rc.S # delete the MOTD clobbering | ||
+ | |||
</code> | </code> | ||
Line 70: | Line 66: | ||
<code> | <code> | ||
− | # clear out old/dummy SSL certificates | + | # clear out old/dummy SSL certificates |
− | mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl | + | mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl |
− | # | + | # set an ownership on any unowned files |
− | find / -mount -nouser -exec chown root {} \; & | + | find / -mount -nouser -exec chown root {} \; & |
− | find / -mount -nogroup -exec chgrp root {} \; & | + | find / -mount -nogroup -exec chgrp root {} \; & |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | # | + | # remove the setuid bit from programs which nobody else should use |
− | # | + | # you may want to review this list first, as some folks want their users |
− | # | + | # able to edit cronjobs and to change their own passwords, etc. |
− | + | for i in \ | |
− | + | /bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \ | |
− | + | /usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \ | |
− | + | /usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \ | |
− | + | /usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write | |
− | + | do chmod u-s $i ; done | |
− | |||
− | |||
− | |||
− | |||
− | |||
</code> | </code> | ||
− | |||
== Changes to rc scripts == | == Changes to rc scripts == | ||
− | + | OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts So, some small changes are necessary to the rc scripts. | |
− | |||
− | called vpsreboot | ||
− | and | ||
− | |||
− | |||
− | |||
<code> | <code> | ||
− | vi /etc/rc.d/rc.6 | + | # somewhere in rc.6 add this command: touch /reboot |
− | + | vi /etc/rc.d/rc.6 | |
− | |||
− | |||
− | + | # somewhere in rc.M, add this command: rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab | |
− | + | vi /etc/rc.d/rc.M | |
− | |||
− | rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab | ||
</code> | </code> | ||
− | |||
== Blanking settings == | == Blanking settings == | ||
Line 133: | Line 106: | ||
<code> | <code> | ||
− | # stop all services | + | # stop all services |
− | apachectl stop | + | apachectl stop |
− | killall syslogd klogd udevd crond | + | killall syslogd klogd udevd crond |
− | /etc/rc.d/rc.sendmail stop | + | /etc/rc.d/rc.sendmail stop |
− | /etc/webmin/stop | + | /etc/rc.d/rc.inetd stop |
− | /etc/rc.d/rc.pgsql stop | + | /etc/webmin/stop |
− | /etc/rc.d/rc.mysqld stop | + | /etc/rc.d/rc.pgsql stop |
− | killall named proftpd | + | /etc/rc.d/rc.mysqld stop |
− | + | killall named proftpd | |
− | # blow away the network configuration with dummy strings for later replacement | + | # blow away the network configuration with dummy strings for later replacement |
− | # replace the IP address with __IPADDRESS_ | + | # replace the IP address with __IPADDRESS_ |
− | # replace the netmask with __NETMASK__ | + | # replace the netmask with __NETMASK__ |
− | # replace the GATEWAY with __GATEWAY__ | + | # replace the GATEWAY with __GATEWAY__ |
− | vi /etc/rc.d/rc.inet1.conf | + | vi /etc/rc.d/rc.inet1.conf |
− | # disable the root and user accounts | + | # disable the root and user accounts |
− | # by changing the password for root and user to a ! character. | + | # by changing the password for root and user to a ! character. |
− | vi /etc/shadow | + | vi /etc/shadow |
− | # refresh the 'locate' cache | + | # refresh the 'locate' cache |
− | /etc/cron.daily/slocate | + | /etc/cron.daily/slocate |
− | # blank out the system logfiles | + | # blank out the system logfiles |
− | for logfile in \ | + | for logfile in \ |
− | + | /var/log/messages /var/log/syslog /var/log/debug /var/log/secure \ | |
− | + | /var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \ | |
− | + | /var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \ | |
− | + | /var/log/apache/access_log /var/log/apache/error_log \ | |
− | + | /var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid | |
− | do cp /dev/null $logfile ; done | + | do cp /dev/null $logfile ; done |
− | rmdir /var/log/sa | + | rmdir /var/log/sa |
− | # clear the SSH host key | + | # clear the SSH host key |
− | rm -f /etc/ssh/ssh_host_* | + | rm -f /etc/ssh/ssh_host_* |
− | # database server logfiles | + | # database server logfiles |
− | rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile | + | rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile |
− | # delete vi backup files, bash_history files, and other small application crud | + | # delete vi backup files, bash_history files, and other small application crud |
− | unset HISTFILE | + | unset HISTFILE |
− | find / -name '*~' \ | + | find / -name '*~' \ |
− | + | -o -name .bash_history \ | |
− | + | -o -name .gnupg \ | |
− | + | -o -name .lesshst \ | |
− | + | -o -name .viminfo \ | |
− | + | -o -name .rnd \ | |
− | + | -delete | |
− | # | + | # anything under /tmp |
− | rm -rf /tmp/* | + | rm -rf /tmp/* |
</code> | </code> | ||
Line 190: | Line 163: | ||
== Zipping it up into a cache image == | == Zipping it up into a cache image == | ||
− | A | + | A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway: |
− | |||
− | |||
− | tar zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' / | + | tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' / |
− | + | [[Category: Templates]] |
Latest revision as of 10:55, 19 October 2009
This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
Contents
Create the VM in VMware[edit]
Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient.
Start by creating a new VM in VMware.
- The disk and RAM stats can be minimal, as the system will never see live use.
- There is no need to create the entire disk at once during the setup.
- Create the disk as SCSI.
Then install HGL.
- Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
- Set the passwords to 'password'
- Do set the timezone properly. The internal clock does not use UTC/GMT.
- Select the default mouse, but do NOT enable GPM at startup.
- Hostname: template
- Domain: internal.lan
- IP config: as appropriate for your LAN
- Nameserver: no
Reboot into your new HGL install, and log in.
Delete unnecessary stuff[edit]
A lot of packages aren't relevant to a VЕ setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console.
# kernel, kernel modules, documentation, mount points
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
# packages not applicable to a VE
cd /var/log/packages
for pkg in \
hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
do removepkg $pkg ; done
# prune init's getty
vi /etc/inittab # delete everything after entry l6 (runlevel 6)
init q
# clean out the fstab and mtab files
( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
echo "proc /proc proc defaults 0 0" >> /etc/fstab
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab
# the startup sequence and services
cd /etc/rc.d
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
rc.scanluns rc.serial rc.udev rc.sysvinit
vi rc.syslog # delete all mentions of klogd
vi rc.M # delete the setterm entry
vi rc.S # delete the MOTD clobbering
Fix permissions and ownerships[edit]
# clear out old/dummy SSL certificates
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
# set an ownership on any unowned files
find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
# remove the setuid bit from programs which nobody else should use
# you may want to review this list first, as some folks want their users
# able to edit cronjobs and to change their own passwords, etc.
for i in \
/bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
/usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
/usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
/usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
do chmod u-s $i ; done
Changes to rc scripts[edit]
OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts So, some small changes are necessary to the rc scripts.
# somewhere in rc.6 add this command: touch /reboot
vi /etc/rc.d/rc.6
# somewhere in rc.M, add this command: rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab
vi /etc/rc.d/rc.M
Blanking settings[edit]
Lastly, you'll want to delete or blank out a bunch of files so they start fresh when the VE is booted for its first time.
# stop all services
apachectl stop
killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
/etc/rc.d/rc.inetd stop
/etc/webmin/stop
/etc/rc.d/rc.pgsql stop
/etc/rc.d/rc.mysqld stop
killall named proftpd
# blow away the network configuration with dummy strings for later replacement
# replace the IP address with __IPADDRESS_
# replace the netmask with __NETMASK__
# replace the GATEWAY with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf
# disable the root and user accounts
# by changing the password for root and user to a ! character.
vi /etc/shadow
# refresh the 'locate' cache
/etc/cron.daily/slocate
# blank out the system logfiles
for logfile in \
/var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
/var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
/var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
/var/log/apache/access_log /var/log/apache/error_log \
/var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
do cp /dev/null $logfile ; done
rmdir /var/log/sa
# clear the SSH host key
rm -f /etc/ssh/ssh_host_*
# database server logfiles
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
# delete vi backup files, bash_history files, and other small application crud
unset HISTFILE
find / -name '*~' \
-o -name .bash_history \
-o -name .gnupg \
-o -name .lesshst \
-o -name .viminfo \
-o -name .rnd \
-delete
# anything under /tmp
rm -rf /tmp/*
Zipping it up into a cache image[edit]
A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /