Creating a template cache : Slackware or HostGIS Linux
Latest revision as of 10:55, 19 October 2009
This process uses VMware to install the OS into a VM, then to trim down the VM's contents to only those items suitable for a VE environment, then to save a snapshot of the system as a host template cache for use in OpenVZ.
This document focuses on HostGIS Linux (a Slackware derivative) but aside from the specifics about installation settings, it should be 99% applicable to Slackware as well.
Create the VM in VMware
Technically, you could probably do this on a hardware PC without VMware, but VMware does make it more convenient.
Start by creating a new VM in VMware.
- The disk and RAM stats can be minimal, as the system will never see live use.
- There is no need to create the entire disk at once during the setup.
- Create the disk as SCSI.
Then install HGL.
- Create a small partition at the end of the disk for swap. Some swap is technically necessary, but since you'll never in fact be using it, a few MB should be fine.
- Set the passwords to 'password'
- Do set the timezone properly. The internal clock does not use UTC/GMT.
- Select the default mouse, but do NOT enable GPM at startup.
- Hostname: template
- Domain: internal.lan
- IP config: as appropriate for your LAN
- Nameserver: no
Reboot into your new HGL install, and log in.
Delete unnecessary stuff
A lot of packages aren't relevant to a VE setting, e.g. floppy disk utilities and kernel modules, even getty listening on the console.
# kernel, kernel modules, documentation, mount points
rm -rf /lib/modules /boot /dev/.udev /usr/doc /usr/info /media
# packages not applicable to a VE
cd /var/log/packages
for pkg in \
hotplug-* hdparm-* devmapper-* udev-* usbutils-* pciutils-* module-init-tools-* \
mdadm-* floppy-* lvm2-* raidtools-* reiserfsprogs-* \
smartmontools-* sysfsutils-* syslinux-* wireless_tools.* quota-* iptables-*
do removepkg $pkg ; done
# prune init's getty
vi /etc/inittab # delete everything after entry l6 (runlevel 6)
init q
# clean out the fstab and mtab files
( cd /etc ; rm -f fstab mtab ; ln -s ../proc/mounts mtab )
echo "proc /proc proc defaults 0 0" >> /etc/fstab
echo "devpts /dev/pts devpts mode=0620 0 0" >> /etc/fstab
# the startup sequence and services
cd /etc/rc.d
rm -f rc.gpm-sample rc.gpm rc.hotplug rc.ip_forward rc.modules \
rc.scanluns rc.serial rc.udev rc.sysvinit
vi rc.syslog # delete all mentions of klogd
vi rc.M # delete the setterm entry
vi rc.S # delete the MOTD clobbering
Fix permissions and ownerships
# clear out old/dummy SSL certificates
mv /etc/ssl/openssl.cnf /tmp ; rm -r /etc/ssl/* ; mv /tmp/openssl.cnf /etc/ssl
# set an ownership on any unowned files
find / -mount -nouser -exec chown root {} \; &
find / -mount -nogroup -exec chgrp root {} \; &
# remove the setuid bit from programs which nobody else should use
# you may want to review this list first, as some folks want their users
# able to edit cronjobs and to change their own passwords, etc.
for i in \
/bin/ping /bin/mount /bin/ping6 /bin/umount /usr/bin/chfn \
/usr/bin/chsh /usr/bin/crontab /usr/bin/chage /usr/bin/traceroute6 /usr/bin/traceroute \
/usr/bin/expiry /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd \
/usr/libexec/ssh-keysign /usr/libexec/pt_chown /usr/bin/wall /usr/bin/write
do chmod u-s $i ; done
Changes to rc scripts
OpenVZ emulates rebooting with an external cronjob called vpsreboot and a dummy file called /reboot within the VE, and emulates the /etc/mtab file by pointing it to /proc/mounts. So, some small changes are necessary to the rc scripts.
# somewhere in rc.6 add this command: touch /reboot
vi /etc/rc.d/rc.6
# somewhere in rc.M, add this command: rm -f /etc/mtab ; ln -s /proc/mounts /etc/mtab
vi /etc/rc.d/rc.M
Blanking settings
Lastly, you'll want to delete or blank out a bunch of files so they start fresh when the VE is booted for its first time.
# stop all services
apachectl stop
killall syslogd klogd udevd crond
/etc/rc.d/rc.sendmail stop
/etc/rc.d/rc.inetd stop
/etc/webmin/stop
/etc/rc.d/rc.pgsql stop
/etc/rc.d/rc.mysqld stop
killall named proftpd
# blow away the network configuration with dummy strings for later replacement
# replace the IP address with __IPADDRESS__
# replace the netmask with __NETMASK__
# replace the GATEWAY with __GATEWAY__
vi /etc/rc.d/rc.inet1.conf
# disable the root and user accounts
# by changing the password for root and user to a ! character.
vi /etc/shadow
# refresh the 'locate' cache
/etc/cron.daily/slocate
# blank out the system logfiles
for logfile in \
/var/log/messages /var/log/syslog /var/log/debug /var/log/secure \
/var/log/maillog /var/log/spooler /var/log/proftpd.log /var/log/xinetd.log \
/var/log/dmesg /var/log/faillog /var/log/lastlog /var/log/wtmp \
/var/log/apache/access_log /var/log/apache/error_log \
/var/log/webmin/miniserv.error /var/log/webmin/miniserv.pid
do cp /dev/null $logfile ; done
rmdir /var/log/sa
# clear the SSH host key
rm -f /etc/ssh/ssh_host_*
# database server logfiles
rm -f /var/lib/mysql/*.err /var/lib/pgsql/logfile
# delete vi backup files, bash_history files, and other small application crud
unset HISTFILE
# the -name tests are grouped so the action applies to every match, not only
# the last -o branch; rm -rf is used because -delete cannot remove a non-empty
# .gnupg directory, and -prune stops find descending into what it just matched
find / -mount \( -name '*~' -o -name .bash_history -o -name .gnupg \
    -o -name .lesshst -o -name .viminfo -o -name .rnd \) \
    -prune -exec rm -rf {} +
# anything under /tmp
rm -rf /tmp/*
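Before tarring the root it is worth running a sanity check over the blanking, mtab and rc-script steps above, so that a host key, an unlocked root entry or a leftover history file does not end up baked into every VE built from the cache. This is an added example, not part of the original page: the helper names (check_template_root, make_demo_root) are hypothetical and the miniature root it builds is constructed demo data.

```shell
#!/bin/sh
# Pre-tar sanity check for an OpenVZ template root: a hypothetical helper written for
# this page, not part of the original procedure. It reports what the blanking, mtab and
# rc-script steps should have removed or rewritten (findings on stderr, count on stdout).
check_template_root() {
    root=$1; n=0
    flag() { echo "LEFTOVER: $*" >&2; n=$((n + 1)); }
    # host keys must be absent so each VE built from the cache generates its own
    for f in "$root"/etc/ssh/ssh_host_*; do if [ -e "$f" ]; then flag "host key $f"; fi; done
    # root and user are expected to carry '!' in the password field
    if [ -f "$root/etc/shadow" ]; then
        for u in $(awk -F: '($1=="root"||$1=="user") && $2!="!" {print $1}' "$root/etc/shadow")
        do flag "account $u is not locked"; done
    fi
    # per-user crud from the page's list; parenthesised so the whole -o chain applies
    for f in $(find "$root" \( -name '*~' -o -name .bash_history -o -name .viminfo \
                  -o -name .lesshst -o -name .rnd -o -name .gnupg \) -print)
    do flag "stale file $f"; done
    if [ -n "$(ls -A "$root/tmp" 2>/dev/null)" ]; then flag "/tmp is not empty"; fi
    # the network config must hold the dummy strings for later replacement
    if [ -f "$root/etc/rc.d/rc.inet1.conf" ]; then
        for ph in __IPADDRESS__ __NETMASK__ __GATEWAY__
        do grep -q "$ph" "$root/etc/rc.d/rc.inet1.conf" || flag "rc.inet1.conf lacks $ph"; done
    fi
    if [ ! -L "$root/etc/mtab" ]; then flag "/etc/mtab is not a symlink"; fi
    if [ -f "$root/etc/rc.d/rc.6" ] && ! grep -q 'touch /reboot' "$root/etc/rc.d/rc.6"
    then flag "rc.6 does not touch /reboot"; fi
    for f in $(find "$root/var/log" -type f -size +0 2>/dev/null); do flag "non-empty log $f"; done
    echo "$n"
}
# Constructed miniature root with one deliberate leftover per check (demo data only).
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/rc.d" "$d/root" "$d/var/log" "$d/tmp"
    : > "$d/etc/ssh/ssh_host_rsa_key"
    printf 'root:$1$xx$fakehash:14000:0:99999:7:::\nuser:!:14000:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'IPADDR[0]="192.168.1.50"\nNETMASK[0]="__NETMASK__"\nGATEWAY="__GATEWAY__"\n' \
        > "$d/etc/rc.d/rc.inet1.conf"
    echo 'ls -la' > "$d/root/.bash_history"
    : > "$d/etc/mtab"                       # regular file instead of a symlink
    echo '#!/bin/sh' > "$d/etc/rc.d/rc.6"    # lacks the touch /reboot hook
    echo 'Oct 19 10:55:00 template syslogd: restart' > "$d/var/log/messages"
    : > "$d/tmp/leftover"
    echo "$d"
}
if [ $# -gt 0 ]; then echo "$(check_template_root "$1") leftover item(s) in $1"; fi
```

Run it as `sh check_template.sh /` inside the VM just before the tar step; a count of 0 means none of the leftovers it knows about survived.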
Zipping it up into a cache image
A CT cache is just a tar.gz file of the entire filesystem, excluding some very dynamic stuff which gets populated by the OS at runtime anyway:
tar --numeric-owner -zcvf /tmp/HostGIS_Linux_4.2_64bit.tar.gz --exclude='/sys/*' --exclude='/proc/*' --exclude='/tmp/*' /