Difference between revisions of "Debian template creation"

From OpenVZ Virtuozzo Containers Wiki
== Customizing the installation ==
A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration. Exporting the path is optional.

<pre>
sudo vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
</pre>

{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}

=== Set Debian repositories ===

<pre>
cat <<EOF > /etc/apt/sources.list
deb http://http.us.debian.org/debian squeeze main contrib
deb http://security.debian.org squeeze/updates main contrib
deb http://http.us.debian.org/debian squeeze-updates main
## backports - ONLY IF YOU KNOW WHAT YOU DO
# deb http://http.us.debian.org/debian-backports/ squeeze-backports main
EOF
</pre>

=== Get new security updates ===

<pre>
apt-get update
apt-get upgrade
</pre>

=== Install some more packages ===

Installing packages can be an interactive process, so the system might ask some questions. You can install more packages if you'd like. For example:

<pre>
apt-get install ssh quota less
</pre>

=== Set sane permissions for <tt>/root</tt> directory ===

<pre>
chmod 700 /root
</pre>

=== Disable root login ===

This locks the root password (<tt>usermod -L</tt> prefixes the hash in <tt>/etc/shadow</tt> with <tt>!</tt>), so root can no longer log in with a password:

<pre>
usermod -L root
</pre>

=== Disable getty ===

Disable running <tt>getty</tt>s on terminals, as a VE does not have any:

<pre>
sed -i -e '/getty/d' /etc/inittab
</pre>

 
=== Disable <tt>sync()</tt> for syslog ===

Turn off doing <tt>sync()</tt> on every write to <tt>syslog</tt>'s log files, to improve I/O performance (the sed prefixes every <tt>/var/log/</tt> destination with <tt>-</tt>):

<pre>sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf</pre>

 
=== Fix <tt>/etc/mtab</tt> ===

Link <tt>/etc/mtab</tt> to <tt>/proc/mounts</tt>, so <tt>df</tt> and friends will work:

<pre>
rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab
</pre>

 
=== Remove some unneeded packages ===

If you have any packages you'd like to remove, now's the time for it. Here's an example; note that not all of these packages are installed by default in Debian Squeeze (although they were in earlier versions):

<pre>
dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools
</pre>

 
=== Disable services ===

Do not start some services; stick to the bare minimum:

<pre>
update-rc.d -f klogd remove
update-rc.d -f quotarpc remove
update-rc.d -f exim4 remove
update-rc.d -f inetd remove
</pre>

For the dependency-based boot sequence introduced with Squeeze, type:

<pre>
update-rc.d-insserv -f klogd remove
update-rc.d-insserv -f quotarpc remove
update-rc.d-insserv -f exim4 remove
update-rc.d-insserv -f inetd remove
</pre>

 
=== Fix SSH host keys ===

This is only useful if you installed SSH. Each individual [[VE]] should have its own pair of SSH host keys; a template that ships keys would give every VE created from it the same host identity. The code below wipes out the existing SSH keys and installs a one-shot script that makes the newly-created [[VE]] generate fresh keys on first boot and then deletes itself.

<!-- please do not remove <source>...</source> pair of tags below,
     otherwise quotes after -N (-N '') are not visible -->
<source lang="bash">
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/bash
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
</source>

{{Note|This will not work using the dependency-based boot sequence introduced with Squeeze. See the section below.}}

 
=== Fix SSH host keys in Squeeze when using dependency-based booting ===

With insserv the script needs a proper LSB header: <tt>Provides:</tt> must be a facility name rather than a sentence, and because the here-document delimiter is unquoted, the <tt>$remote_fs</tt> and <tt>$syslog</tt> facilities have to be escaped, otherwise the shell writing the file expands them to nothing. <tt>X-Start-Before: ssh</tt> makes sure the keys exist before sshd tries to start.

<!-- please do not remove <source>...</source> pair of tags below,
     otherwise quotes after -N (-N '') are not visible -->
<source lang="bash">
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/init.d/ssh_gen_host_keys
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh_gen_host_keys
# Required-Start:    \$remote_fs \$syslog
# Required-Stop:     \$remote_fs \$syslog
# X-Start-Before:    ssh
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
### END INIT INFO
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
# unregister and delete this one-shot script so it never runs again
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f /etc/init.d/ssh_gen_host_keys
EOF
chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys
</source>

 
=== Change timezone ===

You might want to change the timezone if you do not live in UTC. The following example is for Germany:

<source lang="bash">
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
</source>

or, even better:

<source lang="bash">
dpkg-reconfigure tzdata
</source>

 
=== Clean packages ===

After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command wipes them out:

<pre>
apt-get --purge clean
</pre>

Now everything is done. Exit from the template and go back to the hardware node:

<pre>
exit
</pre>
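A read-only audit to run from the hardware node against the stopped VE's private area, confirming that the hardening steps of this section actually took effect before the tree is packed. This is an added example, not code from the OpenVZ wiki; it assumes the Debian Squeeze layout used above and a private area path such as /vz/private/777.

```shell
#!/bin/sh
# Added example, not part of the OpenVZ wiki: read-only audit of a VE private
# area, run from the hardware node, checking that the hardening steps of the
# "Customizing the installation" section were applied before the tree is packed.
# Assumes the Debian Squeeze layout shown on the page. Usage: audit_ve /vz/private/777

audit_ve() {
    root="$1"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # /root must be 0700 so other accounts in the VE cannot read root's files
    mode=$(stat -c '%a' "$root/root" 2>/dev/null)
    [ "$mode" = "700" ] || fail "/root mode is '$mode', expected 700"

    # usermod -L prefixes root's password hash with '!'
    case "$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null)" in
        '!'*) ;;
        *) fail "root account is not locked in /etc/shadow" ;;
    esac

    # no getty entries: a VE has no real terminals
    if grep -q getty "$root/etc/inittab" 2>/dev/null; then
        fail "getty still configured in /etc/inittab"
    fi

    # /etc/mtab must be a symlink to /proc/mounts so df and friends work
    [ "$(readlink "$root/etc/mtab" 2>/dev/null)" = "/proc/mounts" ] ||
        fail "/etc/mtab is not a symlink to /proc/mounts"

    # every active /var/log/ destination in syslog config should carry the '-' prefix
    for f in "$root"/etc/*syslog.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[^#].*[[:space:]]/var/log/' "$f"; then
            fail "$(basename "$f") still syncs on every write"
        fi
    done

    echo "$fails problem(s) found in $root"
    [ "$fails" -eq 0 ]
}
```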
 
  
 

Revision as of 01:34, 21 October 2011

These are rough instructions on how to manually create a basic Debian Etch (4.0) template cache, which can be used to create OpenVZ VEs based on Debian Etch (4.0). (See also <tt>/usr/share/doc/vzctl/README.Debian</tt> in the vzctl Debian package.)

Notes:

* You shouldn't be running as root, but as a user that is permitted to use sudo instead. Running as root is dangerous; do it at your peril.
* Anywhere you see <tt>/vz</tt>, you might really need to use <tt>/var/lib/vz</tt> instead, especially on a Debian Etch host.
* Anywhere you see http://http.us.debian.org/debian/, you can substitute your favorite Debian mirror. (List of official Debian Mirrors)


== Prerequisites ==

{{Warning|If you want to use the ext4 file system for /vz, use the nodelalloc option in /etc/fstab, otherwise it will crash. See OpenVZ Bug #1509 and its duplicates for details.}}

You need to have a working copy of debootstrap on your hardware node.

For Debian:

<pre>
sudo apt-get install debootstrap
</pre>

For Gentoo:

<pre>
sudo emerge debootstrap
</pre>

For Fedora (at least Fedora 8 has it, not sure about earlier versions):

<pre>
sudo yum install debootstrap
</pre>

For other distros you might need to install it from source, or search for an appropriate package for your distribution. An RPM is available on the OpenVZ Forum.

== Bootstrapping Debian ==

You can install different releases of Debian into a VE's private directory using the debootstrap command.

The command parameters are:

<pre>
debootstrap --arch ARCH NAME DIRECTORY URL
</pre>

Specify your architecture instead of i386 if you're using something other than i386/x86. For example, for AMD64/x86_64 use amd64, and for ia64 use ia64. You can use http or ftp in the URL.

We use a VE ID of 777 for this example, but it can be any unused ID.

=== Squeeze (current Debian stable) ===

<pre>
debootstrap --arch i386 squeeze /vz/private/777 http://http.us.debian.org/debian/
</pre>
or
<pre>
debootstrap --arch amd64 squeeze /vz/private/777 ftp://ftp.us.debian.org/debian/
</pre>

=== Lenny (Debian oldstable) ===

<pre>
debootstrap --arch i386 lenny /vz/private/777 http://http.us.debian.org/debian/
</pre>
or
<pre>
debootstrap --arch amd64 lenny /vz/private/777 ftp://ftp.us.debian.org/debian/
</pre>

=== Etch (old release) ===

<pre>
debootstrap --arch i386 etch /vz/private/777 http://http.us.debian.org/debian/
</pre>

=== Sarge (very old release) ===

<pre>
debootstrap sarge /vz/private/777 http://archive.debian.org/debian
</pre>

== Preparing the HN network ==

Append the following lines to <tt>/etc/sysctl.conf</tt>, adjust to taste, and then execute <tt>sysctl -p</tt> for them to take effect.

<pre>
### OpenVZ settings

# On Hardware Node we generally need packet
# forwarding enabled and proxy arp disabled
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
</pre>

== Preparing and starting the VE ==

=== Setting VE config ===

First, we need a config for the VE:

<pre>
sudo vzctl set 777 --applyconfig vps.basic --save
</pre>

On Debian Squeeze only the following worked for me (confirmed), because the standard template names in <tt>/etc/vz/conf</tt> have changed.

<pre>
sudo vzctl set 777 --applyconfig basic --save
</pre>

=== Setting VE OSTEMPLATE ===

We also need <tt>OSTEMPLATE</tt> to be set in the VE configuration file for vzctl to work properly. Note that the redirection must be inside the quoted <tt>sh -c</tt> command: if it is placed outside, the append is performed by your unprivileged shell rather than by root and fails on <tt>/etc/vz/conf</tt>.

<pre>
sudo sh -c 'echo OSTEMPLATE="debian-5.0" >> /etc/vz/conf/777.conf'
</pre>

=== Setting VE IP address ===

For the VE to be able to download updates from the Internet, we need a valid IP address for it:

<pre>
sudo vzctl set 777 --ipadd x.x.x.x --save
</pre>

{{Note|If you use a private IP for the VE, you might have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

=== Setting DNS server for VE ===

For the VE to be able to download updates from the Internet, we also need to specify a DNS server for it:

<pre>
sudo vzctl set 777 --nameserver x.x.x.x --save
</pre>

=== Creating /dev/ptmx ===

The <tt>ptmx</tt> character device should normally exist, but if it doesn't, create one (use <tt>/vz/private/777</tt> instead of <tt>/var/lib/vz/private/777</tt> if that is where your VE lives; see the notes above):

<pre>
sudo mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2
</pre>

=== Starting VE ===

Now start the VE:

<pre>
sudo vzctl start 777
</pre>


== Preparing for and packing template cache ==

We don't need an IP for the VE anymore, and we definitely do not want it in the template cache, so remove it:

<pre>
sudo vzctl set 777 --ipdel all --save
</pre>

Also remove the DNS server and search domain information from the <tt>/etc/resolv.conf</tt> file in the VE:

<pre>
sudo nano /vz/private/777/etc/resolv.conf
</pre>

Also remove the <tt>/etc/hostname</tt> file in the VE:

<pre>
sudo rm -f /vz/private/777/etc/hostname
</pre>

Stop the VE:

<pre>
sudo vzctl stop 777
</pre>

Go to the VE directory:

<pre>
cd /vz/private/777
</pre>

Now create a cached OS tarball. In the command below, replace i386 with your architecture (i386, amd64, ia64, etc.). <tt>--numeric-owner</tt> stores owners as numeric UIDs/GIDs so the archive does not depend on the hardware node's user database.

<pre>
sudo tar --numeric-owner -zcf /vz/template/cache/debian-5.0-i386-minimal.tar.gz .
</pre>

Look at the resulting tarball to check that its size is sane:

<pre>
# ls -lh /vz/template/cache
-rw-r--r--  1 root root  51M Apr 10 03:16 debian-5.0-i386-minimal.tar.gz
</pre>
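Before handing the new cache to <tt>vzctl create</tt>, it is worth verifying that none of the host-specific files removed above (IP configuration, resolv.conf entries, hostname, SSH host keys) were packed after all. This is an added example, not part of the OpenVZ wiki; it assumes GNU tar and a tarball packed from "." as in the command above.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki): check a freshly packed template
# cache for host-specific leftovers before it is used with "vzctl create".
# Assumes GNU tar and a tarball packed from "." as shown on this page.
# Usage: check_template /vz/template/cache/debian-5.0-i386-minimal.tar.gz

check_template() {
    tb="$1"
    rc=0
    list=$(tar -tzf "$tb") || return 2   # unreadable or not a tarball

    # Every VE must generate its own SSH host keys: none may ship in the cache.
    if printf '%s\n' "$list" | grep -q '^\./etc/ssh/ssh_host_'; then
        echo "FAIL: SSH host keys are packed in $tb"; rc=1
    fi

    # /etc/hostname must be absent so vzctl can set the hostname per VE.
    if printf '%s\n' "$list" | grep -qx '\./etc/hostname'; then
        echo "FAIL: /etc/hostname is packed in $tb"; rc=1
    fi

    # /etc/resolv.conf, if present, must not carry the build host's DNS setup.
    if printf '%s\n' "$list" | grep -qx '\./etc/resolv\.conf'; then
        if tar -xzOf "$tb" ./etc/resolv.conf | grep -Eq '^(nameserver|search)'; then
            echo "FAIL: /etc/resolv.conf still lists nameserver/search entries"; rc=1
        fi
    fi

    # One of the two first-boot key generators from this page should be present,
    # otherwise sshd in the new VE will have no host keys at all.
    if ! printf '%s\n' "$list" | grep -Eq '^\./etc/(rc2\.d/S15ssh_gen_host_keys|init\.d/ssh_gen_host_keys)$'; then
        echo "WARN: no ssh_gen_host_keys script packed; keys will not be regenerated on first boot"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $tb looks clean"
    return "$rc"
}
```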

== Checking if template cache works ==

We can now create a VE based on the just-created template cache. Be sure to change i386 to your architecture, just like you did when you named the tarball above.

<pre>
sudo vzctl create 123456 --ostemplate debian-5.0-i386-minimal
</pre>

Now make sure that it works:

<pre>
sudo vzctl start 123456
sudo vzctl exec 123456 ps ax
</pre>

You should see that a few processes are running.

== Final cleanup ==

Stop and remove the test VE you just created:

<pre>
sudo vzctl stop 123456
sudo vzctl destroy 123456
sudo rm /etc/vz/conf/123456.conf.destroyed
</pre>

Finally, remove the VE we used for OS template cache creation:

<pre>
sudo vzctl destroy 777
sudo rm /etc/vz/conf/777.conf.destroyed
</pre>

You might want to edit <tt>/etc/vz/vz.conf</tt> and change <tt>DEF_OSTEMPLATE</tt> to the name of the template you use most often, so that you don't have to specify the template when creating a VE.

<pre>
DEF_OSTEMPLATE="debian-5.0-i386-minimal"
</pre>

If you use iptables, you might want to include additional modules in the <tt>IPTABLES</tt> list in <tt>/etc/vz/vz.conf</tt>. See <tt>man vzctl</tt> for a list of available modules.