Installation on Debian 9

From OpenVZ Virtuozzo Containers Wiki
Revision as of 10:19, 7 October 2017 by Narcisgarcia (talk | contribs) (How to remove metadata_csum from a mounted partition)
Jump to: navigation, search

This is a guide to install OpenVZ 6 (legacy) on your Debian 9 "Stretch" (amd64 or i386) machine.

Yellowpin.svg Note: The best and latest Debian version for OpenVZ 6 is Devuan 1.0, but Debian 9 makes really easy the coexistence of OVZ and unprivileged LXC containers.
Current commercial version of OpenVZ (Virtuozzo 7) is not installable on Devuan or Debian because is developed as an independent GNU/Linux distribution

Volumes and file systems

It is recommended to use a separate partition for containers (by default /var/lib/vz) and format it to compatible ext4.

Ext4

Debian 9 installer (and tools by default) formats Ext4 with new features, and concrete "metadata_csum" is incompatible with OpenVZ6 kernel. Then it's necessary to boot without requiring the mount of volumes with "metadata_csum". Ordered alternatives:

  1. After a fresh Debian 9 install, remove metadata_csum feature from filesystems.
  2. Upgrade from Debian 8 to Debian 9 (metadata_csum not inherited)
  3. Root volume (/ and others) as Ext3 and deploy /var/lib/vz in a later created Ext4 volume, without metadata_csum.
  4. Use Ext3

How to remove metadata_csum from a mounted partition

If your host altready mounts r/w volumes on boot and you can't tune2fs+e2fsck because volumes are in use, this is the solution (example for /dev/sda1):

  • First check if the partition is affected.
Volume=/dev/sda1
sudo dumpe2fs -h $Volume 2>/dev/null | grep -e metadata_csum
  • If last command didn't return a line with metadata_csum, nothing to do. Otherwise, continue:
echo copy_exec /sbin/e2fsck | sudo tee -a /usr/share/initramfs-tools/hooks/fsck
echo copy_exec /sbin/tune2fs | sudo tee -a /usr/share/initramfs-tools/hooks/fsck
Script=/etc/initramfs-tools/scripts/local-premount/tune
echo '#!/bin/sh' | sudo tee $Script
echo 'if [ "$1" = "prereqs" ] ; then exit 0 ; fi' | sudo tee -a $Script
echo e2fsck -f $Volume | sudo tee -a $Script
echo tune2fs -O -metadata_csum $Volume | sudo tee -a $Script
echo e2fsck -f $Volume | sudo tee -a $Script
sudo chmod a+x $Script
sudo update-initramfs -u -k all
  • Reboot and check that metadata_csum disappeared:
sudo reboot
(...)
Volume=/dev/sda1
sudo dumpe2fs -h $Volume 2>/dev/null | grep -e metadata_csum
  • Restore initrd behaviour
sudo rm /etc/initramfs-tools/scripts/local-premount/tune
sudo apt --reinstall install initramfs-tools-core
sudo update-initramfs -u -k all

This recipe is useful for any volume that can't be neither unmounted nor remounted readonly.

How to remove metadata_csum from a not mounted partition

This procedure can be applied when partition can be mounted readonly

  • Example for /dev/sda9
sudo e2fsck -f /dev/sda9
sudo tune2fs -O -metadata_csum /dev/sda9
sudo e2fsck -f /dev/sda9

How to format a volume to be a compatible Ext4

  • Example for /dev/sda9
sudo mkfs -t ext4 -O -metadata_csum /dev/sda9

btrfs

You might want btrfs to use per-directory (subvolume) quotas for other simfs/dir containers, such as LXC. Only vzquota doesn't work on a btrfs volume; for OVZ containers it's better to mount /var/lib/vz to an Ext4 volume.

Debian 9 installer (and tools by default) formats btrfs with modern features as: mixed-bg, extref, skinny-metadata, no-holes. All of these are incompatible with OpenVZ6 kernel. Then it's necessary to boot without requiring the mount of volumes with these attributes. Ordered alternatives:

  1. Pre-format compatible btrfs for a fresh Debian 9 install on root volume (/ and others) and deploy /var/lib/vz in a later created Ext4 volume. Debian 9 installer must not format btrfs but "keep existing data" as allowed in manual partitioning stage.
  2. Use compatible Ext4 volumes and deploy later the secondary btrfs partitions.

How to format a volume to be a compatible btrfs

  • Example for /dev/sda1
sudo mkfs -t btrfs -O ^mixed-bg,^extref,^skinny-metadata,^no-holes /dev/sda1

You must not format btrfs with Debian installer because features cannot be disabled after.

Change Systemd to SystemV

Yellowpin.svg Note: Warning! This operation can make some desktop software to stop working.
sudo apt install sysvinit-core sysvinit-utils
# Must boot with SystemV to release Systemd
sudo reboot
sudo apt --auto-remove remove systemd
echo -e 'Package: *systemd*\nPin: release *\nPin-Priority: -1\n' | sudo tee /etc/apt/preferences.d/avoid-systemd

Register OVZ updated repository

RepoFile=/etc/apt/sources.list.d/openvz.list
RepoUrl=http://download.openvz.org/debian
echo "deb $RepoUrl jessie main" | sudo tee "$RepoFile"
echo "deb $RepoUrl wheezy main" | sudo tee -a "$RepoFile"
wget -qO - http://ftp.openvz.org/debian/archive.key | sudo apt-key add -
sudo apt-get --allow-unauthenticated update

As of July 2017, release key at openvz.org site is invalid, and last command will complain:

W: GPG error: http://download.openvz.org/debian jessie Release: The following signatures were invalid: DA2458173935F9DE9B76BA7547B5DBAB0FCA9BAC
W: The repository 'http://download.openvz.org/debian jessie Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://download.openvz.org/debian wheezy Release: The following signatures were invalid: DA2458173935F9DE9B76BA7547B5DBAB0FCA9BAC
W: The repository 'http://download.openvz.org/debian wheezy Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

You can continue.

Yellowpin.svg Note: For more info about Debian repositories, see http://download.openvz.org/debian.

Install packages

KPackage="linux-image-openvz-$(dpkg --print-architecture)"
sudo apt --allow-unauthenticated --install-recommends install $KPackage vzdump ploop initramfs-tools dirmngr
if [ ! -d /vz ] ; then sudo ln -s /var/lib/vz/ /vz ; fi
  • Create file /etc/vz/vznet.conf with the following line:
EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
  • Optionally you can set containers completely stop when service stops at /etc/vz/vz.conf
VE_STOP_MODE=stop

Reboot into OpenVZ kernel

Yellowpin.svg Note: At boot manager, in "Advanced options for Debian GNU/Linux", you will find kernels named "2.6.32-openvz". Select the first listed.
sudo reboot

Check the OpenVZ processes are running:

sudo ps ax | grep -v 'grep' | grep 'vzmond'

Set OpenVZ as default to boot

Because of GRUB2 default criteria, default kernel to boot can still be the one from Debian's repository (non OVZ). Probably you don't want this behaviour; once you've booted fine into OpenVZ kernel, you can remove other unuseful kernels:

Packages="$(apt list --installed 'linux-image-*' 2>/dev/null | grep -e '^linux-image-' | grep -ve 'openvz' | cut -f 1 -d '/')"
sudo apt --autoremove remove $Packages

Download OS templates

This step is optional, vzctl is able to download templates on demand.

An OS template is a GNU distribution for Linux, installed into a container and then packed into a gzipped tarball. Using such a cache, a new container can be created in a minute.

# Register official container templates:
OpenvzKey="$(echo $(sudo gpg --batch --search-keys security@openvz.org 2>&1 | grep -ie ' key.*created' | sed -e 's|key|@|g' | cut -f 2 -d '@') | cut -f 1 -d ' ' | cut -f 1 -d ',')"
sudo gpg --recv-keys $OpenvzKey
sudo vztmpl-dl --gpg-check --list-remote
# Example:
sudo vztmpl-dl --gpg-check debian-8.0-x86_64-minimal

Alternatively, you can also download precreated template caches from Download » Template » Precreated, or from one of the mirrors. Put those tarballs as-is (no unpacking needed) to the /vz/template/cache/ directory.

Next steps

OpenVZ is now set up on your machine. Follow on to basic operations in OpenVZ environment document.

See also