Debian template creation
These are rough instructions of how to manually create basic Debian template cache, which can be used to create OpenVZ VEs based on Debian.
|Warning: The recommended way is not to follow the below instructions, but to use the official Debian templates, modifying those to your needs.|
- You shouldn't be running as root, but as a user that is permitted to use sudo instead. It's a dangerous idea, run as root at your peril.
- Anywhere you see /vz, you might really need to use /var/lib/vz instead, especially on a Debian Etch host.
- Anywhere you see http://http.us.debian.org/debian/, you can substitute your favorite Debian mirror. (List of official Debian Mirrors)
- See also: /usr/share/doc/vzctl/README.Debian in the vzctl Debian package
- 1 Prerequisites
- 2 Bootstrapping Debian
- 3 Preparing the HN network
- 4 Preparing and starting the VE
- 5 Customizing the installation
- 5.1 Set Debian repositories
- 5.2 Get new security updates
- 5.3 Install some more packages
- 5.4 Set sane permissions for /root directory
- 5.5 Disable root login
- 5.6 Disable getty
- 5.7 Disable sync() for syslog
- 5.8 Fix /etc/mtab
- 5.9 Remove some unneeded packages
- 5.10 Disable services
- 5.11 Fix SSH host keys
- 5.12 Change timezone
- 5.13 Create vzfifo script (for Jessie only)
- 5.14 Clean packages
- 6 Preparing for and packing template cache
- 7 Checking if template cache works
- 8 Final cleanup
You need to have a working copy of debootstrap running on your hardware node.
sudo apt-get install debootstrap
sudo emerge debootstrap
For Fedora (at least Fedora 8 have it, not sure about earlier versions):
sudo yum install debootstrap
For other distros you might need to install it from sources, or search for an appropriate package for your distribution. An RPM is available on the OpenVZ Forum.
You can install different releases of Debian into a VE's private directory using the debootstrap command.
The command parameters are:
debootstrap --arch ARCH NAME DIRECTORY URL
Specify your architecture instead of i386 if you're using something other than i386/x86. For example, for AMD64/x86_64, use amd64 or for ia64, use ia64. You can use http or ftp in the URL.
We use VE ID of 777 for this example, but it can be any unused ID.
Wheezy (current stable)
debootstrap --arch i386 wheezy /vz/private/777 http://http.us.debian.org/debian/ or debootstrap --arch amd64 wheezy /vz/private/777 http://ftp.us.debian.org/debian/
Squeeze (current oldstable)
debootstrap --arch i386 squeeze /vz/private/777 http://http.us.debian.org/debian/ or debootstrap --arch amd64 squeeze /vz/private/777 ftp://ftp.us.debian.org/debian/
Lenny (old release)
debootstrap --arch i386 lenny /vz/private/777 http://archive.debian.org/debian/
Etch (old release)
debootstrap --arch i386 etch /vz/private/777 http://http.us.debian.org/debian/
Sarge (very old release)
debootstrap sarge /vz/private/777 http://archive.debian.org/debian
Preparing the HN network
Append the following lines to /etc/sysctl.conf, adjust to taste and then execute "sysctl -p" for them to take effect.
### OpenVZ settings # On Hardware Node enable packet forwarding to forward # packets between the HN network interfaces and venet. # Proxy arp is needed when CT is in a different subnet # or when using veth AND veth is not bridged to a HN # interface. When veth is bridged to a HN interface, # the CT handles its own arps. net.ipv4.conf.default.forwarding=1 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.ip_forward=1 # Enables source route verification net.ipv4.conf.all.rp_filter = 1 # Enables the magic-sysrq key kernel.sysrq = 1 # TCP Explict Congestion Notification net.ipv4.tcp_ecn = 0 # we do not want all our interfaces to send redirects net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.all.send_redirects = 0
Preparing and starting the VE
Setting VE config
First, we need a config for the VE:
sudo vzctl set 777 --applyconfig vps.basic --save
On debian squeeze only the following worked for me (confirmed), because the standard template names in /etc/vz/conf have changed.
sudo vzctl set 777 --applyconfig basic --save
Setting VE OSTEMPLATE
Also, we need OSTEMPLATE to be set in VE configuration file, for vzctl to work properly.
sudo sh -c 'echo OSTEMPLATE=\"debian-6.0\"' >> /etc/vz/conf/777.conf
Setting VE IP address
For the VE to be able to download updates from the Internet, we need a valid IP address for it:
sudo vzctl set 777 --ipadd x.x.x.x --save
|Note: if you use private IP for the VE, you might have to set up NAT as described in Using NAT for VE with private IPs.|
Setting DNS server for VE
For the VE to be able to download updates from the Internet, we also need to specify a DNS for it:
sudo vzctl set 777 --nameserver x.x.x.x --save
The ptmx character device should normally exist, but if it doesn't, create one.
sudo mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2
Now start the VE:
sudo vzctl start 777
Customizing the installation
A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration (note: if running a wheezy container on a squeeze hardware node, you'll need to manually install a newer version of vzctl (the one from wheezy will be fine - http://packages.debian.org/wheezy/vzctl) due to this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683454 - without making this change, the enter command will hang). Exporting the path is optional.
sudo vzctl enter 777 export PATH=/sbin:/usr/sbin:/bin:/usr/bin
|Warning: Do not run the commands below on the hardware node, they are only to be run within the VE!|
Set Debian repositories
The list shown is for wheezy, and downloading from US located servers - adjust your release name and mirror location as necessary
cat <<EOF > /etc/apt/sources.list deb http://http.us.debian.org/debian wheezy main contrib deb http://security.debian.org wheezy/updates main contrib deb http://http.us.debian.org/debian wheezy-updates main ## backports - ONLY IF YOU KNOW WHAT YOU DO # deb http://http.us.debian.org/debian-backports/ wheezy-backports main EOF
Get new security updates
apt-get update apt-get upgrade
Install some more packages
Installing packages could be an interactive process so the system might ask some questions. You can install more packages if you'd like. For example:
apt-get install ssh quota less
Set sane permissions for /root directory
chmod 700 /root
Disable root login
This will disable root login by default.
usermod -L root
Disable running gettys on terminals as a VE does not have any:
sed -i -e '/getty/d' /etc/inittab
Disable sync() for syslog
Turn off doing sync() on every write for syslog's log files, to improve I/O performance:
sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf
Link /etc/mtab to /proc/mounts, so df and friends will work:
rm -f /etc/mtab ln -s /proc/mounts /etc/mtab
Remove some unneeded packages
If you have any packages you'd like to remove, now's the time for it. Here's an example — note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):
dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools
Do not start some services, stick to bare minimum. This step is release dependent.
# turn off and stop some services for i in bind9 quotarpc fetchmail ondemand rsync uuidd wide-dhcpv6-client; do systemctl stop $i systemctl disable $i done # for upstart services comment out the start on in confs for i in nmbd smbd samba-ad-dc rpcbind; do systemctl disable $i done
update-rc.d-insserv -f klogd remove update-rc.d-insserv -f quotarpc remove update-rc.d-insserv -f exim4 remove update-rc.d-insserv -f inetd remove
for older releases (Lenny, Sarge etc.)
update-rc.d -f klogd remove update-rc.d -f quotarpc remove update-rc.d -f exim4 remove update-rc.d -f inetd remove
Fix SSH host keys
This is only useful if you installed SSH. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.
# Save /etc/rc.local copy mv /etc/rc.local /etc/rc.local.orig # ssh host keys hack echo "#!/bin/sh rm -f etc/ssh/ssh_host_* /usr/bin/ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key /usr/bin/ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key /usr/bin/ssh-keygen -t rsa1 -N '' -f /etc/ssh/ssh_host_key /usr/bin/ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key /usr/bin/ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key systemctl restart ssh mv -f /etc/rc.local.orig /etc/rc.local " > /etc/rc.local chmod a+x /etc/rc.local
rm -f /etc/ssh/ssh_host_*
cat << EOF > /etc/init.d/ssh_gen_host_keys #!/bin/sh ### BEGIN INIT INFO # Provides: Generates new ssh host keys on first boot # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: Generates new ssh host keys on first boot # Description: Generates new ssh host keys on first boot ### END INIT INFO ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N "" ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N "" insserv -r /etc/init.d/ssh_gen_host_keys rm -f \$0 EOF
chmod a+x /etc/init.d/ssh_gen_host_keys insserv /etc/init.d/ssh_gen_host_keys
for older releases (Lenny, Sarge etc.)
rm -f /etc/ssh/ssh_host_* cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys #!/bin/bash ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N '' ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N '' rm -f \$0 EOF chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
You might want to change timezone if you do not live in $UTC. The following example is for Germany
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
or even better
Create vzfifo script (for Jessie only)
This step is required for Jessie only (and is handled automatically by vzctl for earlier Debian releases). It ensures that
vzctl start --wait works as expected.
# Create vzfifo service cat >> /lib/systemd/system/vzfifo.service << EOF # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. [Unit] Description=Tell that Container is started ConditionPathExists=/proc/vz ConditionPathExists=!/proc/bc After=multi-user.target quotaon.service quotacheck.service [Service] Type=forking ExecStart=/bin/touch /.vzfifo TimeoutSec=0 RemainAfterExit=no SysVStartPriority=99 [Install] WantedBy=multi-user.target EOF # Enable service for service in vzfifo; do systemctl enable $service > /dev/null 2>&1 done
After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.
apt-get --purge clean
Now everything is done. Exit from the template and go back to the hardware node.
Preparing for and packing template cache
We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it:
sudo vzctl set 777 --ipdel all --save
Also, remove DNS server and search domain information from /etc/resolv.conf file in VE:
sudo editor /vz/private/777/etc/resolv.conf
Also, remove /etc/hostname file in VE:
sudo rm -f /vz/private/777/etc/hostname
Stop the VE:
sudo vzctl stop 777
Go to the VE directory:
Now create a cached OS tarball. In the command below, you'll want to replace i386 with your architecture (i386, amd64, ia64, etc).
sudo tar --numeric-owner -zcf /vz/template/cache/debian-5.0-i386-minimal.tar.gz .
Look at the resulting tarball to see its size is sane:
# ls -lh /vz/template/cache -rw-r--r-- 1 root root 51M Apr 10 03:16 debian-5.0-i386-minimal.tar.gz
Checking if template cache works
We can now create a VE based on the just-created template cache. Be sure to change i386 to your architecture just like you did when you named the tarball above.
sudo vzctl create 123456 --ostemplate debian-5.0-i386-minimal
Now make sure that it works:
sudo vzctl start 123456 sudo vzctl exec 123456 ps ax
You should see that a few processes are running.
Stop and remove the test VE you just created:
sudo vzctl stop 123456 sudo vzctl destroy 123456 sudo rm /etc/vz/conf/123456.conf.destroyed
Finally, let's remove the VE we used for OS template cache creation:
sudo vzctl destroy 777 sudo rm /etc/vz/conf/777.conf.destroyed
You might want to edit /etc/vz/vz.conf and change DEF_OSTEMPLATE to the name of the template you use most often so that you don't have to specify the template when creating a VE.
If you use iptables, you might want to include additional modules in the list for IPTABLES in /etc/vz/vz.conf. See man vzctl for a list of available modules.