Debian template creation

''Revision of 09:24, 28 January 2020 (8,674 bytes added; edit summary: "ctcreate to ctctl").''
These are rough instructions for manually creating a minimal Debian template cache, which can then be used to create OpenVZ [[VE]]s based on Debian.

{{Note|'''[https://downloads.actiu.net/ctctl/ ctctl]''' is an automated helper to create and customize Debian templates.}}

{{Warning|The recommended way is '''not to follow''' the instructions below, but to use the official Debian templates and modify those to your needs. Some template + container creation helpers are recommended on the page [[Deploying Debian VEs without Templates]].}}

'''Notes:'''
* You shouldn't be running as root, but as a user that is permitted to use sudo instead. Running as root is a dangerous idea; do it at your peril.
* Anywhere you see <tt>/vz</tt>, you might really need to use <tt>/var/lib/vz</tt> instead, especially on a Debian Etch host.
* Anywhere you see <tt>http://http.us.debian.org/debian/</tt>, you can substitute your favorite Debian mirror ([http://www.debian.org/mirror/list list of official Debian mirrors]).
* See also <tt>/usr/share/doc/vzctl/README.Debian</tt> in the ''vzctl'' Debian package.
== Prerequisites ==
You need a working copy of <tt>debootstrap</tt> on your hardware node.

For Debian:
<pre>sudo apt-get install debootstrap</pre>
For Gentoo:
<pre>sudo emerge debootstrap</pre>
For Fedora (at least Fedora 8 has it, not sure about earlier versions):
<pre>sudo yum install debootstrap</pre>
For other distributions you might need to build it from source, or search for an appropriate package for your distribution. An RPM is available on the [http://forum.openvz.org/index.php?t=tree&th=142&mid=584 OpenVZ Forum].
== Bootstrapping Debian ==
All the commands below are executed on the hardware node. We use VE ID 777 for this example, but it can be any unused ID.

You can install different releases of Debian into a VE's private directory using the <tt>debootstrap</tt> command. The command parameters are:
<pre>debootstrap --arch ARCH NAME DIRECTORY [URL]</pre>
Specify your architecture instead of <tt>i386</tt> if you're using something other than i386/x86: for AMD64/x86_64 use <tt>amd64</tt>, for ia64 use <tt>ia64</tt>. The URL may be http or ftp; releases that have been removed from the regular mirrors are available from <tt>http://archive.debian.org/debian/</tt>.

=== Stretch (current stable) ===
<tt>net-tools</tt> and <tt>ifupdown</tt> are not in the debootstrap base set; they provide <tt>ifconfig</tt> and <tt>ifup</tt>, which OpenVZ needs to bring up venet networking inside the VE.
<pre>debootstrap --arch i386 --include=net-tools,ifupdown stretch /vz/private/777</pre>
or
<pre>debootstrap --arch amd64 --include=net-tools,ifupdown stretch /vz/private/777</pre>

=== Jessie (current oldstable) ===
<pre>debootstrap --arch i386 jessie /vz/private/777 http://http.us.debian.org/debian/</pre>
or
<pre>debootstrap --arch amd64 jessie /vz/private/777 http://ftp.us.debian.org/debian/</pre>

=== Wheezy (old release) ===
<pre>debootstrap --arch i386 wheezy /vz/private/777 http://http.us.debian.org/debian/</pre>
or
<pre>debootstrap --arch amd64 wheezy /vz/private/777 http://ftp.us.debian.org/debian/</pre>

=== Squeeze (old release) ===
<pre>debootstrap --arch i386 squeeze /vz/private/777 http://http.us.debian.org/debian/</pre>
or
<pre>debootstrap --arch amd64 squeeze /vz/private/777 ftp://ftp.us.debian.org/debian/</pre>

=== Lenny (old release) ===
<pre>debootstrap --arch i386 lenny /vz/private/777 http://archive.debian.org/debian/</pre>

=== Etch (very old release) ===
<pre>debootstrap --arch i386 etch /vz/private/777 http://http.us.debian.org/debian/</pre>

=== Sarge (deeply old release) ===
<pre>debootstrap sarge /vz/private/777 http://archive.debian.org/debian</pre>

== Preparing the HN network ==
Append the following lines to <tt>/etc/sysctl.conf</tt>, adjust to taste, and then run <tt>sysctl -p</tt> for them to take effect.
<pre>### OpenVZ settings
# On Hardware Node enable packet forwarding to forward
# packets between the HN network interfaces and venet.
# Proxy arp is needed when CT is in a different subnet
# or when using veth AND veth is not bridged to a HN
# interface. When veth is bridged to a HN interface,
# the CT handles its own arps.
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# TCP Explicit Congestion Notification
net.ipv4.tcp_ecn = 0
# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0</pre>
{{Note|The forwarding, proxy_arp, rp_filter and send_redirects lines are what container networking needs; <tt>kernel.sysrq</tt> and <tt>tcp_ecn</tt> are unrelated host tuning. <tt>kernel.sysrq = 1</tt> lets anyone with console access to the hardware node trigger kernel actions (reboot, killing processes, memory dumps), so leave it at 0 on a multi-tenant host unless you actually need it.}}
== Preparing and starting the VE ==
=== Setting VE config ===
First, we need a config for the [[VE]]:
<pre>sudo vzctl set 777 --applyconfig vps.basic --save</pre>
On Debian Squeeze only the following worked for me (''confirmed''), because the names of the sample configs in <tt>/etc/vz/conf</tt> have changed:
<pre>sudo vzctl set 777 --applyconfig basic --save</pre>
=== Setting VE OSTEMPLATE ===
Also, we need <tt>OSTEMPLATE</tt> to be set in VE configuration file, for the [[vzctl]] to work properly.
<pre>sudo sh -c 'echo "OSTEMPLATE=\"debian-6.0\"" >> /etc/vz/conf/777.conf'</pre>
The redirection has to be inside the <tt>sh -c</tt> string, otherwise it is performed by your unprivileged shell rather than by sudo. vzctl matches the <tt>OSTEMPLATE</tt> value against the distribution configs in <tt>/etc/vz/dists</tt>, so use the number of the release you bootstrapped (for example <tt>debian-6.0</tt> for Squeeze).
=== Setting VE IP address ===
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
<pre>sudo vzctl set 777 --ipadd x.x.x.x --save</pre>
{{Note|If you use a private IP for the VE, you might have to set up NAT as described in [[Using NAT for VE with private IPs]].}}

=== Setting DNS server for VE ===
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS server for it:
<pre>sudo vzctl set 777 --nameserver x.x.x.x --save</pre>

=== Creating /dev/ptmx ===
The <tt>ptmx</tt> character device should normally exist, but if it doesn't, create one:
<pre>sudo mknod --mode 666 /vz/private/777/dev/ptmx c 5 2</pre>
=== Starting VE ===
Now start the VE:
<pre> sudo vzctl start 777</pre>
== Customizing the installation ==
A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration. Exporting the path is optional.
<pre>sudo vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin</pre>
{{Note|If running a Wheezy container on a Squeeze hardware node, you'll need to manually install a newer version of vzctl (the one from Wheezy will be fine: http://packages.debian.org/wheezy/vzctl) due to this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683454. Without this change, the <tt>enter</tt> command will hang.}}
{{Warning|Do not run the commands below on the hardware node; they are only to be run within the VE!}}

=== Set Debian repositories ===
The list shown is for Wheezy, downloading from US mirrors; adjust the release name and mirror location as necessary.
<pre>cat << EOF > /etc/apt/sources.list
deb http://http.us.debian.org/debian wheezy main contrib
deb http://security.debian.org wheezy/updates main contrib
deb http://http.us.debian.org/debian wheezy-updates main
## backports - ONLY IF YOU KNOW WHAT YOU ARE DOING
# deb http://http.us.debian.org/debian-backports/ wheezy-backports main
EOF</pre>
=== Get new security updates ===
<pre>apt-get update
apt-get upgrade</pre>
=== Install some more packages ===
Installing packages might be an interactive process, so the system might ask some questions. You can install more packages if you'd like, such as <tt>less</tt>, <tt>vim</tt>, etc. For example:
<pre>apt-get install ssh quota less</pre>
=== Set sane permissions for <tt>/root</tt> directory ===
<pre>chmod 700 /root</pre>

=== Disable root login ===
Lock the root account so that a container created from the template has no usable root password by default:
<pre>usermod -L root</pre>
{{Note|The root password is set again (and the account unlocked) when you use <tt>vzctl set ''VEID'' --userpasswd root:''xxxx''</tt> on a container created from this template.}}
=== Disable getty ===
Disable running <tt>getty</tt>s on terminals as a VE does not have any:
<pre>sed -i -e '/getty/d' /etc/inittab</pre>
=== Disable <tt>sync()</tt> for syslog ===
Turn off doing <tt>sync()</tt> on every write for <tt>syslog</tt>'s log files, to improve I/O performance:
<pre>sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf</pre>
=== Fix <tt>/etc/mtab</tt> ===
Link <tt>/etc/mtab</tt> to <tt>/proc/mounts</tt>, so <tt>df</tt> and friends will work:
<pre>rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab</pre>
=== Remove some unneeded packages ===
If you have any packages you'd like to remove, now's the time for it. Here's an example; note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):
<pre>dpkg --purge ppp pppoeconf pppoe pppconfig module-init-tools</pre>
=== Disable services ===
Do not start some services; stick to the bare minimum. This step is release dependent.

==== for Jessie ====
<source lang="bash"># stop and disable some services
for i in bind9 quotarpc fetchmail ondemand rsync uuidd wide-dhcpv6-client; do
    systemctl stop $i
    systemctl disable $i
done
# these are not running in the template, but must not start on boot either
for i in nmbd smbd samba-ad-dc rpcbind; do
    systemctl disable $i
done</source>

==== for Squeeze ====
<pre>insserv -r klogd
insserv -r quotarpc
insserv -r exim4
insserv -r inetd</pre>

==== for older releases (Lenny, Sarge etc.) ====
<pre>update-rc.d -f klogd remove
update-rc.d -f quotarpc remove
update-rc.d -f exim4 remove
update-rc.d -f inetd remove</pre>
=== Fix SSH host keys ===
This is only useful if you installed SSH. Each individual [[VE]] should have its own pair of SSH host keys: if the template ships with keys, every container created from it presents the same host identity, and whoever holds one container's private host key can impersonate all the others. The code below wipes the existing SSH host keys and instructs the newly created [[VE]] to generate new ones on first boot.

==== for Jessie ====
<source lang="bash">rm -f /etc/ssh/ssh_host_*
# Save /etc/rc.local copy
mv /etc/rc.local /etc/rc.local.orig
# ssh host keys hack: regenerate on first boot, then put the original rc.local back
echo "#!/bin/sh
rm -f /etc/ssh/ssh_host_*
/usr/bin/ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
/usr/bin/ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
/usr/bin/ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key
/usr/bin/ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
/usr/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
systemctl restart ssh
mv -f /etc/rc.local.orig /etc/rc.local" > /etc/rc.local
chmod a+x /etc/rc.local</source>

==== for Squeeze ====
<source lang="bash">rm -f /etc/ssh/ssh_host_*
cat << 'EOF' > /etc/init.d/ssh_gen_host_keys
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh_gen_host_keys
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# X-Start-Before:    ssh
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
### END INIT INFO
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f $0
EOF
chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys</source>
The heredoc delimiter is quoted so that <tt>$remote_fs</tt>, <tt>$syslog</tt> and <tt>$0</tt> reach the script literally instead of being expanded by the shell you are typing into. <tt>X-Start-Before: ssh</tt> makes insserv order the key generation before sshd starts, so the daemon finds its keys on the very first boot.

==== for older releases (Lenny, Sarge etc.) ====
<source lang="bash">rm -f /etc/ssh/ssh_host_*
cat << 'EOF' > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f $0
EOF
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys</source>

=== Change timezone ===
You might want to change the timezone if you do not live in UTC. The following example is for Germany:
<source lang="bash">ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime</source>
or, even better:
<source lang="bash">dpkg-reconfigure tzdata</source>

=== Create vzfifo script (for Jessie only) ===
This step is required '''for Jessie only''' (it is handled automatically by vzctl for earlier Debian releases). It ensures that <code>vzctl start --wait</code> works as expected.
<source lang="bash"># Create vzfifo service
cat > /lib/systemd/system/vzfifo.service << EOF
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

[Unit]
Description=Tell that Container is started
ConditionPathExists=/proc/vz
ConditionPathExists=!/proc/bc
After=multi-user.target quotaon.service quotacheck.service

[Service]
Type=forking
ExecStart=/bin/touch /.vzfifo
TimeoutSec=0
RemainAfterExit=no
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
EOF

# Enable service
systemctl enable vzfifo > /dev/null 2>&1</source>
=== Clean packages ===
After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command wipes them out:
<pre>apt-get clean</pre>
Now everything is done. Exit from the template and go back to the hardware node:
<pre>exit</pre>
== Preparing for and packing template cache ==
We don't need an IP for the VE anymore, and we definitely do not need it in the template cache, so remove it:
<pre>sudo vzctl set 777 --ipdel all --save</pre>
Also remove the DNS server and search domain information from <tt>/etc/resolv.conf</tt> '''in the VE''':
<pre>sudo editor /vz/private/777/etc/resolv.conf</pre>
Also remove the <tt>/etc/hostname</tt> file '''in the VE''':
<pre>sudo rm -f /vz/private/777/etc/hostname</pre>
Stop the VE:
<pre> sudo vzctl stop 777</pre>
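Anything left in the private directory at this point is copied into every VE created from the template, so it is worth checking the tree for the per-container state removed above before packing it. The audit script below is an added example, not part of the original page or of vzctl: it walks a bootstrapped tree (assumed to be the private directory of a stopped VE, e.g. /vz/private/777) and reports leftover SSH host keys, a non-empty resolv.conf, a stale /etc/hostname, an unlocked root password, wrong /root permissions, getty lines in inittab, a missing /etc/mtab symlink and cached .deb files. The two fixture functions build constructed sample trees under mktemp so the check can be tried without a real container; stat -c is GNU coreutils.

```bash
#!/bin/sh
# Audit a bootstrapped VE tree before it is packed into a template tarball.
# Added example; assumes the private directory of a stopped VE is passed as $1
# (e.g. /vz/private/777). Prints one line per finding and returns the number
# of findings, so an exit status of 0 means the tree is clean.

audit_template_tree() {
    root=$1
    n=0

    # 1. SSH host keys must not ship in the template: every container cloned
    #    from it would otherwise share one host identity.
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] || continue
        echo "ssh host key still present: ${k#$root}"
        n=$((n + 1))
    done

    # 2. resolv.conf must carry no nameserver/search lines from the build.
    if [ -s "$root/etc/resolv.conf" ]; then
        echo "resolv.conf is not empty"
        n=$((n + 1))
    fi

    # 3. /etc/hostname must be absent so vzctl can set it per container.
    if [ -e "$root/etc/hostname" ]; then
        echo "hostname file present"
        n=$((n + 1))
    fi

    # 4. root must be locked in /etc/shadow (hash field starts with ! or *).
    pw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null || true)
    case "$pw" in
        '!'*|'*'*) ;;
        *) echo "root account is not locked"; n=$((n + 1)) ;;
    esac

    # 5. /root should be mode 700 (GNU stat assumed).
    if [ "$(stat -c %a "$root/root" 2>/dev/null)" != 700 ]; then
        echo "/root is not mode 700"
        n=$((n + 1))
    fi

    # 6. A container has no terminals, so inittab must have no getty lines.
    if [ -f "$root/etc/inittab" ] && grep -q getty "$root/etc/inittab"; then
        echo "getty entries left in inittab"
        n=$((n + 1))
    fi

    # 7. /etc/mtab must be the /proc/mounts symlink created earlier.
    if [ "$(readlink "$root/etc/mtab" 2>/dev/null)" != /proc/mounts ]; then
        echo "/etc/mtab is not a symlink to /proc/mounts"
        n=$((n + 1))
    fi

    # 8. apt-get clean should have emptied the package cache.
    for d in "$root"/var/cache/apt/archives/*.deb; do
        [ -e "$d" ] || continue
        echo "cached package: ${d#$root}"
        n=$((n + 1))
    done

    return $n
}

# Constructed sample trees (not real debootstrap output) for trying the check.
make_dirty_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/root" "$t/var/cache/apt/archives"
    : > "$t/etc/ssh/ssh_host_rsa_key"
    : > "$t/etc/ssh/ssh_host_rsa_key.pub"
    echo "nameserver 192.0.2.53" > "$t/etc/resolv.conf"
    echo "template" > "$t/etc/hostname"
    echo 'root:$6$constructed$hash:18000:0:99999:7:::' > "$t/etc/shadow"
    chmod 755 "$t/root"
    echo "1:2345:respawn:/sbin/getty 38400 tty1" > "$t/etc/inittab"
    : > "$t/etc/mtab"
    : > "$t/var/cache/apt/archives/leftover.deb"
    echo "$t"
}

make_clean_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/root" "$t/var/cache/apt/archives"
    : > "$t/etc/resolv.conf"
    echo 'root:!:18000:0:99999:7:::' > "$t/etc/shadow"
    chmod 700 "$t/root"
    echo "si::sysinit:/etc/init.d/rcS" > "$t/etc/inittab"
    ln -s /proc/mounts "$t/etc/mtab"
    echo "$t"
}

# Usage on a real tree: audit_template_tree /vz/private/777
```

Run it as root (or via sudo) against the stopped VE's private directory; a non-zero exit status means something is still in the tree that should not end up in the tarball. The dirty fixture trips all eight checks (nine findings, because both halves of the RSA host key are reported), the clean one none.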
Go to the VE directory:
<pre>cd /vz/private/777</pre>
Now create a cached OS tarball. In the command below, replace <tt>i386</tt> with your architecture (i386, amd64, ia64, etc.) and <tt>5.0</tt> with the release you bootstrapped. <tt>--numeric-owner</tt> stores uid/gid numbers instead of names, so ownership inside the tarball does not depend on the hardware node's <tt>/etc/passwd</tt>.
<pre>sudo tar --numeric-owner -zcf /vz/template/cache/debian-5.0-i386-minimal.tar.gz .</pre>
Look at the resulting tarball to see its size is sane:
<pre># ls -lh /vz/template/cache/de*
-rw-r--r-- 1 root root 51M Apr 10 03:16 /vz/template/cache/debian-5.0-i386-minimal.tar.gz</pre>
== Checking if template cache works ==
We can now create a VE based on the just-created template cache. Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
<pre>sudo vzctl create 123456 --ostemplate debian-5.0-i386-minimal</pre>
Now make sure that it works:
<pre>sudo vzctl start 123456
sudo vzctl exec 123456 ps ax</pre>
You should see that a few processes are running.

== Final cleanup ==
Stop and remove the test VE you just created:
<pre>sudo vzctl stop 123456
sudo vzctl destroy 123456
sudo rm /etc/vz/conf/123456.conf.destroyed</pre>
Finally, let's remove the VE we used for OS template cache creation:
<pre>sudo vzctl destroy 777
sudo rm /etc/vz/conf/777.conf.destroyed</pre>
You might want to edit <tt>/etc/vz/vz.conf</tt> and change <tt>DEF_OSTEMPLATE</tt> to the name of the template you use most often, so that you don't have to specify the template when creating a VE:
<pre>DEF_OSTEMPLATE="debian-5.0-i386-minimal"</pre>
If you use iptables, you might want to include additional modules in the <tt>IPTABLES</tt> list in <tt>/etc/vz/vz.conf</tt>. See ''man vzctl'' for a list of available modules.
[[Category: HOWTO]]
[[Category: Templates]]
[[Category: Debian]]