Ubuntu Gutsy template creation

From OpenVZ Virtuozzo Containers Wiki
Revision as of 20:49, 14 November 2007 by Curx (talk | contribs) (upgrade to an easier install process with chroot)


This article summarizes the experience of creating an Ubuntu Gutsy Gibbon (a.k.a. 7.10) template for OpenVZ.

Template creation is based on debootstrap, and the procedure is similar to Debian template creation, but it differs in some subtle details.

Prerequisites

debootstrap

You have to have a debootstrap working for Gutsy, i.e. you should have

  • debootstrap and its dependencies
  • /usr/lib/debootstrap/scripts/gutsy file

The simplest way to have it all is to work on an Ubuntu Gutsy system (be it on a real machine or inside a VE). If you don't have debootstrap installed, this is the command to install it:

# apt-get install debootstrap

vzctl

You need vzctl-3.0.19 or later to work with Ubuntu Gutsy Gibbon. If vzctl-3.0.18 or earlier is used, you will not be able to run your VE. See OpenVZ Bug #662 for details.

Creating template

Running debootstrap

Create some directory:

# mkdir gutsy-chroot

Run debootstrap to install a minimal Ubuntu Gutsy system into that directory:

# debootstrap [--arch ARCH] gutsy gutsy-chroot 

If the architecture of VE0 (the hardware node) is the same as that of the VE, you can skip the --arch option. If you need to build a VZ OS template for another architecture, substitute it for ARCH:

  • AMD64/x86_64: use amd64
  • ia64: use ia64
  • i386: use i386

chrooting

Instead of creating a running VE to build the VE OS template in, you can use chroot:

[VE0]# cd gutsy-chroot; chroot ./
[VE]# mount -t proc none /proc


Remove unneeded packages

Some packages do not make sense in a VE. Remove them:

[VE]# dpkg -P ubuntu-minimal wpasupplicant wireless-tools \
  udev pcmciautils initramfs-tools volumeid console-setup \
  xkb-data usbutils mii-diag alsa-base alsa-utils ethtool \
  module-init-tools linux-sound-base console-tools \
  console-terminus busybox-initramfs libvolume-id0 \
  ntpdate

Clean up after udev:

[VE]# rm -fr /lib/udev

Disable getty

On a usual Linux system, getty runs on virtual terminals, which a VE does not have.

There are two ways to disable it:

First way:

[VE]# rm /etc/event.d/tty*

Second way:

[VE]# dpkg -P system-services

The second way can be dangerous for future versions of system-services, but it is OK for now, since the only service that package carries is running gettys.

Set sane permissions for /root directory

[VE]# chmod 700 /root

Disable root login

[VE]# usermod -L root

Get new security updates

[VE]# apt-get update && apt-get upgrade

This didn't show anything for me, but might do something in the future.

Install some more packages

[VE]# apt-get install ssh quota

Feel free to add packages which you want to have in a default template to this command.

Fix SSH host keys

This is only useful if you installed SSH above. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

[VE]# rm -f /etc/ssh/ssh_host_*
[VE]# cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
[VE]# chmod a+x /etc/rc2.d/S15ssh_gen_host_keys


Disable sync() for syslog

Turn off doing sync() on every write for syslog's log files, to improve overall I/O performance. In Ubuntu this is already done for most log files and levels, so you can omit this step if you know what you are doing.

[VE]# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/syslog.conf

Fix /etc/mtab

Link /etc/mtab to /proc/mounts, so df and friends will work:

[VE]# rm -f /etc/mtab
[VE]# ln -s /proc/mounts /etc/mtab

After that, it would make sense to disable mtab.sh script which messes with /etc/mtab:

[VE]# update-rc.d -f mtab.sh remove

Get rid of tmpfs mounts

[VE]# sed -i -e '/tmpfs/d' /etc/init.d/mountkernfs.sh

Disable some services

In most cases you don't want klogd to run (the only exception is if you configure iptables to log some events), so you can disable it:

[VE]# update-rc.d -f klogd remove

Clean packages

After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command will wipe them out.

[VE]# apt-get clean

Set a proper hostname and /etc/hosts file

[VE]# echo "localhost" > /etc/hostname
[VE]# echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts

Remove DNS entries:

[VE]# > /etc/resolv.conf

You may also want to clean up log files, root's shell history, etc.

Now everything is done. Exit from the template and go back to the hardware node.

[VE]# umount /proc
[VE]# exit
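Before tarring the tree up, it is worth verifying that the security-relevant steps above (host keys wiped, root locked, getty jobs removed, /root mode 700, /etc/mtab symlinked, resolv.conf emptied, apt cache cleaned) actually took effect. The following check script is an added example, not part of the original wiki page; it assumes the template is a directory tree on a Linux host (GNU find/readlink) and the demo tree it builds is constructed sample data, not a real debootstrap result.

```shell
# Added example (not from the wiki page): sanity-check a template tree.
fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

check_template() {
    t=$1; failures=0
    # Host keys must be absent so every VE generates its own on first boot
    for k in "$t"/etc/ssh/ssh_host_*; do
        if [ -e "$k" ]; then fail "leftover host key $k"; fi
    done
    # usermod -L prepends '!' to root's hash in /etc/shadow
    grep -q '^root:!' "$t/etc/shadow" 2>/dev/null || fail "root account not locked"
    # getty upstart jobs should be gone
    for j in "$t"/etc/event.d/tty*; do
        if [ -e "$j" ]; then fail "getty job $j still present"; fi
    done
    # /root must be mode 700 (exact match)
    [ -n "$(find "$t/root" -maxdepth 0 -perm 700 2>/dev/null)" ] || fail "/root not mode 700"
    # /etc/mtab must point at /proc/mounts
    [ "$(readlink "$t/etc/mtab" 2>/dev/null)" = /proc/mounts ] || fail "/etc/mtab not -> /proc/mounts"
    # resolv.conf emptied, apt cache cleaned
    [ ! -s "$t/etc/resolv.conf" ] || fail "resolv.conf still has entries"
    [ -z "$(find "$t/var/cache/apt/archives" -name '*.deb' 2>/dev/null)" ] || fail "apt cache not clean"
    [ "$failures" -eq 0 ]
}

# Constructed sample tree mirroring the steps on this page (demo data only)
make_demo_tree() {
    d=$1
    mkdir -p "$d/etc/ssh" "$d/etc/event.d" "$d/root" "$d/var/cache/apt/archives"
    chmod 700 "$d/root"
    echo 'root:!*:13000:0:99999:7:::' > "$d/etc/shadow"   # as left by usermod -L
    ln -s /proc/mounts "$d/etc/mtab"
    : > "$d/etc/resolv.conf"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
check_template "$demo" && echo "template tree $demo passes all checks"
rm -rf "$demo"
```

Run it against gutsy-chroot from VE0 (check_template ./gutsy-chroot) and fix every FAIL line before building the tarball.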

Build precreated VZ OS Template

[VE0]# tar -czf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./


Update a VE OS Template

Chroot to your debootstrapped system:

[VE0]# cd <dir>; chroot ./

Update and install updates:

[VE]# apt-get update && apt-get upgrade

Cleanup:

[VE]# apt-get clean

Clean unused log files, .bash_history etc., then leave the chroot:

[VE]# exit

Build your updated VE OS Template:

[VE0]# tar -czf /var/lib/vz/template/cache/ubuntu-7.10-<arch>-minimal.tar.gz ./