Editing Ubuntu Gutsy template creation


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 2: Line 2:
 
[[Category: Templates]]
 
[[Category: Templates]]
 
[[Category: Ubuntu]]
 
[[Category: Ubuntu]]
 +
 
This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.
 
This article summarizes the experience of creating Ubunty Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.
  
Line 13: Line 14:
 
* <code>/usr/lib/debootstrap/scripts/gutsy</code> file
 
* <code>/usr/lib/debootstrap/scripts/gutsy</code> file
  
The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a container). If you don't have <code>debootstrap</code> installed, this is the command to install it:
+
The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a VE). If you don't have <code>debootstrap</code> installed, this is the command to install it:
  
 
  # apt-get install debootstrap
 
  # apt-get install debootstrap
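Review bot: the changed sentence in this hunk goes back to "inside a VE" on the "Your text" side, while the latest revision says "inside a container", and the same swap repeats in most of the later hunks. If the undo is saved, the page returns to the VE wording throughout. Keep the latest revision's "container" wording unless the terminology revert is the actual intent of this undo.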
Line 21: Line 22:
 
  # emerge \>=debootstrap-1.0.0
 
  # emerge \>=debootstrap-1.0.0
  
Note you need at least version 1.0.0, since earlier versions do not have Ubuntu scripts. So, possible you will first need to add it to package.keywords, like this:
+
Possible you will first need to add it to package.keywords.
 
 
# echo dev-util/debootstrap >> /etc/portage.package.keywords
 
  
 
On a Fedora system (at least Fedora 8, not sure about earlier versions):
 
On a Fedora system (at least Fedora 8, not sure about earlier versions):
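Review bot: the Gentoo paragraph on the "Your text" side loses the reason for the version constraint ("earlier versions do not have Ubuntu scripts") and the example command, leaving only "Possible you will first need to add it to package.keywords." Keep the latest revision's explanation and command, and reword the lead to "You may first need to". In the command itself, the target <code>/etc/portage.package.keywords</code> looks like a typo for <code>/etc/portage/package.keywords</code>; as written, the line creates a stray file in /etc that Portage does not read.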
Line 31: Line 30:
 
=== vzctl ===
 
=== vzctl ===
  
You need vzctl-3.0.22 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your Ubuntu Gutsy container. See {{bug|662}} for details.
+
You need vzctl-3.0.22 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your Ubuntu Gutsy VE. See {{bug|662}} for details.
  
 
Note: Older versions of vzctl are working if you install <code>sysvinit</code> (which will remove <code>upstart</code>). The only problem I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.
 
Note: Older versions of vzctl are working if you install <code>sysvinit</code> (which will remove <code>upstart</code>). The only problem I had was the network did not start, so I added "/etc/init.d/networking restart" to /etc/re.local.
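Review bot: the version requirement on the changed line leaves a gap, since it says vzctl-3.0.22 or later is needed and that 3.0.18 or earlier fails, without saying what happens with the releases in between. State the first working version once, or point the reader to bug 662 for the exact boundary. The unchanged note below it refers to <code>/etc/re.local</code>, which looks like a typo for <code>/etc/rc.local</code>.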
Line 47: Line 46:
 
  [HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot  
 
  [HW]# debootstrap [--arch ''ARCH''] gutsy gutsy-chroot  
  
If ARCH of CT0 is equal to container, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
+
If ARCH of VE0 is equal to VE, you can skip the --arch option, but if you need to build an OS template for another ''ARCH'', specify it explicitly:
 
* for AMD64/x86_64, use <code>amd64</code>
 
* for AMD64/x86_64, use <code>amd64</code>
 
* for IA64, use <code>ia64</code>
 
* for IA64, use <code>ia64</code>
 
* for i386 <code>i386</code>
 
* for i386 <code>i386</code>
  
=== Preparing/starting a container ===
+
=== Preparing/starting a VE ===
  
Now then you have an installation created by <code>debootstrap</code>, you can run it as a container. In the example below CT ID of 777 is used; of course you can use any other non-allocated ID.
+
Now then you have an installation created by <code>debootstrap</code>, you can run it as a VE. In the example below VE ID of 777 is used; of course you can use any other non-allocated ID.
  
{{Note|an alternative way is using chroot instead of running a container. This is not recommended because of security concerns.}}
+
{{Note|an alternative way is using chroot instead of running a VE. This is not recommended because of security concerns.}}
  
==== Moving installation to container private area ====
+
==== Moving installation to VE private area ====
  
You should move the contents of gutsy-chroot directory into new container private area, like this:
+
You should move the contents of gutsy-chroot directory into new VE private area, like this:
  
 
  # mv gutsy-chroot /vz/private/777
 
  # mv gutsy-chroot /vz/private/777
  
==== Setting container config ====
+
==== Setting VE config ====
An initial config for the [[container]] is needed:
+
An initial config for the [[VE]] is needed:
 
  # vzctl set 777 --applyconfig vps.basic --save
 
  # vzctl set 777 --applyconfig vps.basic --save
  
==== Setting container OSTEMPLATE ====
+
==== Setting VE OSTEMPLATE ====
Also, we need <code>OSTEMPLATE</code> to be set in container configuration file, for the [[vzctl]] to work properly.
+
Also, we need <code>OSTEMPLATE</code> to be set in VE configuration file, for the [[vzctl]] to work properly.
  
 
  # echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
 
  # echo "OSTEMPLATE=ubuntu-7.10" >> /etc/vz/conf/777.conf
  
==== Setting container IP address ====
+
==== Setting VE IP address ====
For the [[container]] to be able to download updates from the Internet, we need a valid IP address for it:
+
For the [[VE]] to be able to download updates from the Internet, we need a valid IP address for it:
 
  # vzctl set 777 --ipadd x.x.x.x --save
 
  # vzctl set 777 --ipadd x.x.x.x --save
  
{{Note|if you use private IP for the container, you have to set up NAT as described in [[Using NAT for container with private IPs]].}}
+
{{Note|if you use private IP for the VE, you have to set up NAT as described in [[Using NAT for VE with private IPs]].}}
  
==== Setting DNS server for the container ====
+
==== Setting DNS server for the VE ====
For the [[container]] to be able to download updates from the Internet, we also need to specify a DNS for it:
+
For the [[VE]] to be able to download updates from the Internet, we also need to specify a DNS for it:
 
  # vzctl set 777 --nameserver x.x.x.x --save
 
  # vzctl set 777 --nameserver x.x.x.x --save
  
 
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
 
Instead of <code>x.x.x.x</code>, specify the same IP that you have in your <code>/etc/resolv.conf</code>.
  
==== Starting container ====
+
==== Starting VE ====
Now start the container:
+
Now start the VE:
 
  # vzctl start 777
 
  # vzctl start 777
  
 
=== Modify the installation ===
 
=== Modify the installation ===
  
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a container).
+
You have to do some things in order to modify the installation to better suit the environment it will be run in (i.e. a VE).
  
First, enter a container:
+
First, enter a VE:
 
  # vzctl enter 777
 
  # vzctl enter 777
  
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the container!}}
+
{{Warning|Do not run the commands below on the hardware node, they are only to be run within the VE!}}
 +
 
 
==== Remove unneeded packages ====
 
==== Remove unneeded packages ====
  
Some packages does not make sense in a container, or are really optional. Remove those:
+
Some packages does not make sense in a VE, or are really optional. Remove those:
  
  [container]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
+
  [VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
 
   udev pcmciautils initramfs-tools volumeid console-setup \
 
   udev pcmciautils initramfs-tools volumeid console-setup \
 
   xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
 
   xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
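Review bot: several sentences touched in this hunk carry wording errors on both sides that should be fixed while the lines are being edited: "Now then you have an installation" should read "Now that you have", and "Some packages does not make sense" should read "do not make sense". The chroot note says only "because of security concerns"; one sentence on what the concern is would make the recommendation actionable.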
Line 109: Line 109:
 
   laptop-detect
 
   laptop-detect
  
{{Note|On removing the deb-package "module-init-tools", a fake-modprobe is needed for IPv6 addresses, see below!}}
+
{{Note|On removing the deb-package "module-init-tools", a fake-modprobe is needed for IPv6 adresses, see below!}}
  
 
Note that the above list of packages may be too extensive. Say, if you want to use <code>tasksel</code> tool, do not remove it — but then you have to let laptop-detect stay.
 
Note that the above list of packages may be too extensive. Say, if you want to use <code>tasksel</code> tool, do not remove it — but then you have to let laptop-detect stay.
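Review bot: the note on the "Your text" side reintroduces the misspelling "IPv6 adresses", which the latest revision has as "IPv6 addresses". Keep the corrected spelling.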
Line 115: Line 115:
 
Clean up after udev:
 
Clean up after udev:
  
  [container]# rm -fr /lib/udev
+
  [VE]# rm -fr /lib/udev
  
 
==== Disable getty ====
 
==== Disable getty ====
On a usual Linux system, <code>getty</code> is running on a virtual terminals, which a container does not have. So, having <code>getty</code> running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.
+
On a usual Linux system, getty is running on a virtual terminals, which a VE does not have. So, having getty running doesn't make sense; more to say, it complains it can not open terminal device and this clutters the logs.
  
So, first of all we stop all <code>getty</code> processes:
+
So, first of all we stop all getty processes:
  
  [container]# initctl stop tty{1,2,3,4,5,6}
+
  [VE]# initctl stop tty{1,2,3,4,5,6}
  
Next, we disable running <code>getty</code>. This can be done in two ways:
+
Next, we disable running getty. This can be done in two ways:
  
 
First way:
 
First way:
  [container]# rm /etc/event.d/tty*
+
  [VE]# rm /etc/event.d/tty*
  
 
Second way:
 
Second way:
  [container]# dpkg -P system-services
+
  [VE]# dpkg -P system-services
  
Second way can be dangerous for future versions of <code>system-services</code>, but it's OK for now since the only service they carry is running <code>getty</code>s.
+
Second way can be dangerous for future versions of system-services, but it's OK for now since the only service they carry is running gettys.
  
 
====  Set sane permissions for /root directory ====
 
====  Set sane permissions for /root directory ====
  
  [container]# chmod 700 /root
+
  [VE]# chmod 700 /root
  
 
==== Disable root login ====
 
==== Disable root login ====
  
  [container]# usermod -L root
+
  [VE]# usermod -L root
  
==== "fake-modprobe" needed for IPv6 addresses ====
 
  
  [container]# ln -s /bin/true /sbin/modprobe
+
==== "fake-modprobe" needed for IPv6 adresses ====
 +
 
 +
  [VE]# ln -s /bin/true /sbin/modprobe
  
 
<small>On setup IPv6, the command "modprobe -Q IPv6" is called, which fails without the "fake-modprobe"</small>
 
<small>On setup IPv6, the command "modprobe -Q IPv6" is called, which fails without the "fake-modprobe"</small>
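Review bot: in the "Disable getty" paragraphs the "Your text" side drops the <code>&lt;code&gt;</code> markup around getty and system-services, and the fake-modprobe heading goes back to "IPv6 adresses". Both are regressions against the latest revision; keep the markup and the corrected heading. Separately, the section order places "Disable root login" (<code>usermod -L root</code>) before SSH is installed later on the page, so it would help to say how an administrator is expected to get into a container built from this template (for example via <code>vzctl enter</code> from the hardware node).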
Line 150: Line 151:
 
==== Get new security updates ====
 
==== Get new security updates ====
  
  [container]# apt-get update && apt-get upgrade
+
  [VE]# apt-get update && apt-get upgrade
  
 
<small>This didn't show anything for me, but might do something in the future.</small>
 
<small>This didn't show anything for me, but might do something in the future.</small>
Line 156: Line 157:
 
==== Install some more packages ====
 
==== Install some more packages ====
  
  [container]# apt-get install ssh quota
+
  [VE]# apt-get install ssh quota
  
 
Feel free to add packages which you want to have in a default template to this command.
 
Feel free to add packages which you want to have in a default template to this command.
  
 
==== Fix SSH host keys ====
 
==== Fix SSH host keys ====
This is only useful if you installed SSH above.  Each individual [[container]] should have its own pair of SSH host keys.  The code below will wipe out the existing SSH keys and instruct the newly-created [[container]] to create new SSH keys on first boot.
+
This is only useful if you installed SSH above.  Each individual [[VE]] should have its own pair of SSH host keys.  The code below will wipe out the existing SSH keys and instruct the newly-created [[VE]] to create new SSH keys on first boot.
  
 
<!-- please DO NOT remove <pre>...</pre> pair of tags below,
 
<!-- please DO NOT remove <pre>...</pre> pair of tags below,
Line 175: Line 176:
 
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
 
chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
 
</pre>
 
</pre>
 +
  
 
==== Disable <code>sync()</code> for syslog ====
 
==== Disable <code>sync()</code> for syslog ====
Line 182: Line 184:
  
 
<!-- DO NOT remove <pre> here, it's useful -->
 
<!-- DO NOT remove <pre> here, it's useful -->
  <pre>[container]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
+
  <pre>[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf</pre>
  
 
==== Fix <code>/etc/mtab</code> ====
 
==== Fix <code>/etc/mtab</code> ====
 
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
 
Link <code>/etc/mtab</code> to <code>/proc/mounts</code>, so <code>df</code> and friends will work:
  [container]# rm -f /etc/mtab
+
  [VE]# rm -f /etc/mtab
  [container]# ln -s /proc/mounts /etc/mtab
+
  [VE]# ln -s /proc/mounts /etc/mtab
  
 
After that, it would make sense to disable <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
 
After that, it would make sense to disable <code>mtab.sh</code> script which messes with <code>/etc/mtab</code>:
  [container]# update-rc.d -f mtab.sh remove
+
  [VE]# update-rc.d -f mtab.sh remove
 +
 
 +
 
  
 
==== Disable some services ====
 
==== Disable some services ====
Line 196: Line 200:
 
In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:
 
In most of the cases you don't want klogd to run -- the only exception is if you configure iptables to log some events -- so you can disable it:
  
  [container]# update-rc.d -f klogd remove
+
  [VE]# update-rc.d -f klogd remove
  
 
==== Hostname ====
 
==== Hostname ====
 
Set proper hostname:
 
Set proper hostname:
  [container]# echo "localhost" > /etc/hostname
+
  [VE]# echo "localhost" > /etc/hostname
  
 
==== Set /etc/hosts ====
 
==== Set /etc/hosts ====
  
  [container]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+
  [VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
  
 
==== Add ptys to /dev ====
 
==== Add ptys to /dev ====
  
This is needed in case /dev/pts will not me mounted after container start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter container.
+
This is needed in case /dev/pts will not me mounted after VE start. In case /dev/ttyp* and /dev/ptyp* files are present, and LEGACY_PTYS support is enabled in the kernel, vzctl will still be able to enter VE.
  
  [container]# cd /dev && /sbin/MAKEDEV ptyp
+
  [VE]# cd /dev && /sbin/MAKEDEV ptyp
  
 
==== Remove nameserver(s) ====
 
==== Remove nameserver(s) ====
  
 
Remove DNS entries:
 
Remove DNS entries:
  [container]# > /etc/resolv.conf
+
  [VE]# > /etc/resolv.conf
  
 
==== Clean packages ====
 
==== Clean packages ====
 
After installing packages, you'll have some junk packages laying around in your cache.  Since you don't want your template to have those, this command will wipe them out.
 
After installing packages, you'll have some junk packages laying around in your cache.  Since you don't want your template to have those, this command will wipe them out.
  [container]# apt-get clean
+
  [VE]# apt-get clean
  
 
==== Cleaning up log files ====
 
==== Cleaning up log files ====
  
  [container]# cd /var/log
+
  [VE]# cd /var/log
  [container]# > messages; > auth.log; > kern.log; > bootstrap.log
+
  [VE]# > messages; > auth.log; > kern.log; > bootstrap.log
  [container]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
+
  [VE]# > dpkg.log; > syslog; > daemon.log; > apt/term.log
  [container]# rm -f *.0 *.1
+
  [VE]# rm -f *.0 *.1
  
 
==== Anything else? ====
 
==== Anything else? ====
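Review bot: the "Add ptys to /dev" sentence on the changed line reads "in case /dev/pts will not me mounted" on both sides; "me" should be "be". The same sentence ends "able to enter VE" or "enter container" without an article; "enter the container" reads better.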
Line 232: Line 236:
 
Think of what else could be done to better suit your needs.
 
Think of what else could be done to better suit your needs.
  
==== Exit from the container ====
+
==== Exit from the VE ====
  
 
Now everything is done.  Exit from the template and go back to the hardware node.
 
Now everything is done.  Exit from the template and go back to the hardware node.
  
  [container]# exit
+
  [VE]# exit
  
 
== Preparing for and packing template cache ==
 
== Preparing for and packing template cache ==
  
The following commands are to be run in the host system (i.e. not inside a container).
+
The following commands are to be run in the host system (i.e. not inside a VE).
  
We don't need an IP for the container anymore, and we definitely do not need it in template cache, so remove it:
+
We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
 
  [HW]# vzctl set 777 --ipdel all --save
 
  [HW]# vzctl set 777 --ipdel all --save
  
Stop the container:
+
Stop the VE:
 
  [HW]# vzctl stop 777
 
  [HW]# vzctl stop 777
  
Change dir to the container private:
+
Change dir to the VE private:
 
  [HW]# cd /vz/private/777
 
  [HW]# cd /vz/private/777
  
 
Now create a cached OS tarball.  In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). '''Note the space and the dot at the end of the command'''.
 
Now create a cached OS tarball.  In the command below, you'll want to replace <arch> with your architecture (i386, amd64, ia64, etc). '''Note the space and the dot at the end of the command'''.
  [HW]# tar --numeric-owner -czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .
+
  [HW]# tar czf /vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz .
  
 
Look at the resulting tarball to see its size is sane:
 
Look at the resulting tarball to see its size is sane:
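Review bot: the tar command on the "Your text" side drops <code>--numeric-owner</code>, which the latest revision has. Without it the archive records the hardware node's user and group names for the container's files, and on extraction those names can be mapped to different numeric IDs on another node, changing file ownership inside containers created from the template. Keep <code>tar --numeric-owner -czf ...</code> from the latest revision.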
Line 259: Line 263:
  
 
== Testing template cache ==
 
== Testing template cache ==
We can now create a container based on the just-created template cache.  Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
+
We can now create a VE based on the just-created template cache.  Be sure to change <tt>i386</tt> to your architecture just like you did when you named the tarball above.
 
  [HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal
 
  [HW]# vzctl create 123456 --ostemplate ubuntu-7.10-<arch>-minimal
  
Now make sure that your new container it works:
+
Now make sure that your new VE it works:
 
  [HW]# vzctl start 123456
 
  [HW]# vzctl start 123456
 
  [HW]# vzctl exec 123456 ps axf
 
  [HW]# vzctl exec 123456 ps axf
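Review bot: the changed sentence "Now make sure that your new VE it works" is ungrammatical on both sides; drop "it". The paragraph above tells the reader to change <tt>i386</tt>, but the command uses the <code>&lt;arch&gt;</code> placeholder, so the text and the command should name the same thing.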
Line 270: Line 274:
 
Other tests that could be done are:
 
Other tests that could be done are:
 
  [HW]# vzctl enter 123456
 
  [HW]# vzctl enter 123456
  [container]# ps axf
+
  [VE]# ps axf
  [container]# mount
+
  [VE]# mount
  [container]# dpkg -l
+
  [VE]# dpkg -l
  [container]# logout
+
  [VE]# logout
 
  [HW]#
 
  [HW]#
  
Line 279: Line 283:
  
 
== Final cleanup ==
 
== Final cleanup ==
Stop and remove the test container you just created:
+
Stop and remove the test VE you just created:
 
  [HW]# vzctl stop 123456
 
  [HW]# vzctl stop 123456
 
  [HW]# vzctl destroy 123456
 
  [HW]# vzctl destroy 123456
 
  [HW]# rm -f /etc/vz/conf/123456.conf.destroyed
 
  [HW]# rm -f /etc/vz/conf/123456.conf.destroyed
  
Finally, let's remove the container we used for OS template cache creation:
+
Finally, let's remove the VE we used for OS template cache creation:
 
  [HW]# vzctl destroy 777
 
  [HW]# vzctl destroy 777
 
  [HW]# rm -f /etc/vz/conf/777.conf.destroyed
 
  [HW]# rm -f /etc/vz/conf/777.conf.destroyed
