vzctl for Debian (dso)
----------------------

See http://openvz.org/ for information on OpenVZ.

The debian.systs.org flavour (-dso) comes with some changes to the original:

* On install and remove, the sysctl modifications are done automatically.
* Default dist-scripts is set to debian.
* The default OS template is a Debian template, not a Fedora one.
* The /etc/init.d/vz script can be used with [b|d]ash and Debian's busybox,
  which makes smaller systems possible.

TODO:
-----
* inspect all relevant scripts when they are used without the "bash" shell
* use the right program syntax, i.e. ip a l -> ip addr show
* use debconf as a config interface for some OpenVZ settings?


Network configuration:
----------------------

If you want network access for the virtual servers (VEs),
you need some sysctl settings.
See the file /etc/sysctl.conf.

Relevant settings:

#-- OpenVZ begin --#

# On the Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

#-- OpenVZ end --#

Note: the kernel sends redirects on an interface if either
net.ipv4.conf.all.send_redirects or the interface's own flag is 1, and
interfaces created later inherit the "default" value. With default=1 as
above, interfaces that appear after these settings are applied (venet0,
veth devices) still send redirects; set both to 0 if that is not wanted.
kernel.sysrq=1 is an upstream debugging convenience; leave it at 0 on
nodes where console access is not trusted.

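A small checker for the settings above, added here as an example (it is not part of the vzctl-dso package). It reads a sysctl.conf-style file from a path, so it can be pointed at /etc/sysctl.conf; the constructed sample written by make_sample is a copy of the block above for offline use. The function names and the "MISSING"/"WARNING" wording are this example's own.

```shell
#!/bin/sh
# Added example, not part of vzctl-dso: check that a sysctl.conf-style file
# carries the OpenVZ hardware-node settings listed above.

# sysctl_get FILE KEY: print the last value assigned to KEY in FILE.
# Accepts "key=value" and "key = value", ignores comment lines.
sysctl_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# expect FILE KEY VALUE: succeed if KEY is set to VALUE, else print a finding.
expect() {
    got=$(sysctl_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "MISSING: $2 should be $3 (found '${got:-unset}')"
    return 1
}

# check_vz_sysctl FILE: 0 when the node settings are all in place.
check_vz_sysctl() {
    f=$1; rc=0
    expect "$f" net.ipv4.conf.default.forwarding 1     || rc=1
    expect "$f" net.ipv4.conf.default.proxy_arp 0      || rc=1
    expect "$f" net.ipv4.conf.all.rp_filter 1          || rc=1
    expect "$f" net.ipv4.conf.all.send_redirects 0     || rc=1
    # The kernel sends redirects when conf/all OR the per-interface flag is
    # set, and new interfaces copy conf/default. So "all=0, default=1"
    # still lets later-created interfaces (venet0, veth*) send redirects.
    if [ "$(sysctl_get "$f" net.ipv4.conf.default.send_redirects)" = 1 ]; then
        echo "WARNING: net.ipv4.conf.default.send_redirects=1 defeats all.send_redirects=0 on new interfaces"
        rc=1
    fi
    return $rc
}

# make_sample FILE: write a constructed copy of the README block for offline use.
make_sample() {
    cat > "$1" <<'EOF'
#-- OpenVZ begin --#
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.tcp_ecn = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
#-- OpenVZ end --#
EOF
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf
if [ $# -eq 1 ]; then
    check_vz_sysctl "$1"
fi
```

Run against the block as printed, the check reports the send_redirects contradiction and exits non-zero; with default.send_redirects set to 0 it passes.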
In some cases you may need to enable proxy_arp on the network devices
on which you want your virtual hosts to be reachable:

sysctl -w net.ipv4.conf.$DEV.proxy_arp=1

You can bind this to a specific interface in the network configuration
(/etc/network/interfaces) with the following lines, e.g.:

[...]
# device: %DEV%                        # DEVICE
iface %DEV% inet static                # use static IP handling
    address   192.168.1.2              # IP_ADDRESS
    netmask   255.255.255.0            # NETWORK MASK
    network   192.168.1.0              # NETWORK
    broadcast 192.168.1.255            # BROADCAST
    gateway   192.168.1.1              # GATEWAY

    up       sysctl -w net.ipv4.conf.%DEV%.proxy_arp=1
    pre-down sysctl -w net.ipv4.conf.%DEV%.proxy_arp=0
[...]

Replace %DEV% with your device name (e.g. eth0). The "up" hook switches
proxy ARP on when the interface comes up, and "pre-down" switches it off
again before the interface goes away.

See man-page: man interfaces


Note:

OpenVZ uses a fake network for the venet devices inside a VE, defined in
/etc/vz/dists/scripts/functions:

* FAKEGATEWAY=192.0.2.1
* FAKEGATEWAYNET=192.0.2.0


File structure:
---------------

The functionality that OpenVZ provides requires a directory structure to
be created. On a Debian installation it is located in /var/lib/vz by
default, which differs from the usual OpenVZ /vz directory.

So create /vz as a symbolic link to /var/lib/vz:

ln -s /var/lib/vz /vz



Create an OpenVZ OS Template:
-----------------------------

You can find more information on the OpenVZ wiki pages:
http://wiki.openvz.org/Debian_template_creation.

Below is one example of how to create an OS template
with debootstrap: Debian 4.0 (aka etch) on i386.

Example: TemplateDIR: /var/lib/vz/template/debian/4.0/i386
         Mirror(s):   use a German mirror -> ftp.de.debian.org

debootstrap \
  --exclude=modutils,module-init-tools,pciutils,laptop-detect,dmidecode \
  --include=iproute,ssh,psmisc,quota \
  --arch i386 \
  etch \
  /var/lib/vz/template/debian/4.0/i386 \
  http://ftp.de.debian.org/debian

HINT: Please use a Debian mirror near you:

http://ftp.<mirror>.debian.org/debian
e.g. <mirror>:
  de -> Germany
  dk -> Denmark
  ru -> Russia
  ...

Read more at http://www.debian.org/mirror/list


When debootstrap has finished successfully the OS template needs
some configuration:

01. Set the hostname to localhost

echo localhost > /var/lib/vz/template/debian/4.0/i386/etc/hostname


02. Disable getty in /etc/inittab (a VE has no console for it to spawn on)

sed -i -e '/getty/d' /var/lib/vz/template/debian/4.0/i386/etc/inittab


03. Link /etc/mtab to /proc/mounts to make mount work as expected.

rm -f /var/lib/vz/template/debian/4.0/i386/etc/mtab
ln -s /proc/mounts /var/lib/vz/template/debian/4.0/i386/etc/mtab


04. Add the security archive to /etc/apt/sources.list:

echo "deb http://ftp.de.debian.org/debian-security etch/updates main" \
  >> /var/lib/vz/template/debian/4.0/i386/etc/apt/sources.list

Hint: Or use a mirror (see the hint above!)


05. Add a VE-start ssh-keygen script, so that every VE generates its own
    host keys on first boot instead of all VEs sharing the keys baked into
    the template (the S15 prefix sorts it before the ssh start script in
    rc2.d; the script removes itself after the keys have been created):

cat << EOF > /var/lib/vz/template/debian/4.0/i386/etc/rc2.d/S15ssh_gen_host_keys
#!/bin/bash
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF

chroot /var/lib/vz/template/debian/4.0/i386/ chmod a+x /etc/rc2.d/S15ssh_gen_host_keys
or
chmod a+x /var/lib/vz/template/debian/4.0/i386/etc/rc2.d/S15ssh_gen_host_keys


06. Lock the root password and fix the permissions of /root
    (a password is set per VE later with vzctl set --userpasswd)

chroot /var/lib/vz/template/debian/4.0/i386/ usermod -L root
chmod 700 /var/lib/vz/template/debian/4.0/i386/root


07. Create symbolic links for modutils, pciutils (a VE cannot load kernel
    modules or see PCI devices, so these tools must succeed silently)

chroot /var/lib/vz/template/debian/4.0/i386/ ln -s /bin/true /sbin/modprobe
chroot /var/lib/vz/template/debian/4.0/i386/ ln -s /bin/true /sbin/insmod
chroot /var/lib/vz/template/debian/4.0/i386/ ln -s /bin/true /sbin/rmmod
chroot /var/lib/vz/template/debian/4.0/i386/ ln -s /bin/true /sbin/lsmod
chroot /var/lib/vz/template/debian/4.0/i386/ ln -s /bin/true /usr/bin/lspci

08. Remove quotarpc from the start levels

chroot /var/lib/vz/template/debian/4.0/i386/ update-rc.d -f quotarpc remove

09. Update your packages:

chroot /var/lib/vz/template/debian/4.0/i386 apt-get update
chroot /var/lib/vz/template/debian/4.0/i386 apt-get upgrade

HINT: Set the timezone to your needs.
HINT: If the upgrade pulls in a new ssh package (security update!), it
      generates host keys inside the template again; remove them again
      (see step 05 and the exclude list in step 10).


10. Make your OS template more shrinkable

cd /var/lib/vz/template/debian/4.0/i386/

# clean resolv.conf
echo "etc/resolv.conf" >> ../exclude.i386

# clean /root/.bash_history and .aptitude
echo "root/.aptitude" >> ../exclude.i386
echo "root/.bash_history" >> ../exclude.i386

# clear /tmp
find tmp/ -mindepth 1 >> ../exclude.i386

# clear /var/log/
echo "var/log/aptitude" >> ../exclude.i386
echo "var/log/dpkg.log" >> ../exclude.i386

# clear unused apt-get files
find var/cache/apt/ -type f ! -name "lock" >> ../exclude.i386
find var/lib/apt/ -type f ! -name "lock" >> ../exclude.i386
find var/lib/aptitude/ -type f >> ../exclude.i386

# clean generated ssh host keys (never ship host keys in a template)
find etc/ssh/ -type f -name '*host*' >> ../exclude.i386

# For better handling of the root user's bash settings:
# cp etc/skel/.bash* to root/

11. Create the OS template

tar -X ../exclude.i386 -czf /var/lib/vz/template/cache/debian-4.0-i386-minimal.tar.gz ./

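The following script is an added example, not part of vzctl-dso or the OpenVZ tooling: it checks a debootstrap'ed template root for the leftovers that steps 02, 03, 05 and 06 above are meant to remove, builds the step-10 exclude list, packs the archive as in step 11, and then lists what would have leaked into the tarball. Every function takes a directory path, so it works on /var/lib/vz/template/debian/4.0/i386 as well as on the constructed miniature tree that make_fake_root writes (fake shadow hash, documentation-range nameserver; none of it is a real Debian root). Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of vzctl-dso: pre-packaging check for an OS
# template root, then the exclude list and tarball from steps 10 and 11.

# check_template ROOT: 0 if the tree is safe to package, 1 with findings.
check_template() {
    root=$1; rc=0
    # step 02: getty lines must be gone, a VE has no console to spawn on
    if grep -q getty "$root/etc/inittab" 2>/dev/null; then
        echo "FAIL: getty still listed in etc/inittab"; rc=1
    fi
    # step 03: mtab must be the kernel's mount table
    if [ "$(readlink "$root/etc/mtab")" != /proc/mounts ]; then
        echo "FAIL: etc/mtab is not a symlink to /proc/mounts"; rc=1
    fi
    # step 06: usermod -L root leaves a '!' in front of the password hash
    if ! grep -q '^root:!' "$root/etc/shadow" 2>/dev/null; then
        echo "FAIL: root password is not locked in etc/shadow"; rc=1
    fi
    # step 05: the host-key generator must exist and be executable
    if [ ! -x "$root/etc/rc2.d/S15ssh_gen_host_keys" ]; then
        echo "FAIL: etc/rc2.d/S15ssh_gen_host_keys missing or not executable"; rc=1
    fi
    return $rc
}

# write_exclude ROOT OUT: the step-10 exclude list, paths relative to ROOT
# (they match the "./"-prefixed members tar produces because GNU tar matches
# exclude patterns at any path component boundary by default).
write_exclude() {
    (
        cd "$1" || exit 1
        echo etc/resolv.conf
        echo root/.aptitude
        echo root/.bash_history
        echo var/log/aptitude
        echo var/log/dpkg.log
        find tmp/ -mindepth 1 2>/dev/null
        find var/cache/apt/ var/lib/apt/ -type f ! -name lock 2>/dev/null
        find var/lib/aptitude/ -type f 2>/dev/null
        # host keys: every VE must generate its own (step 05), never share them
        find etc/ssh/ -type f -name '*host*' 2>/dev/null
    ) > "$2"
}

# pack_template ROOT EXCLUDE TARBALL: step 11 (EXCLUDE must be an absolute path)
pack_template() {
    ( cd "$1" && tar -X "$2" -czf "$3" ./ )
}

# leaked TARBALL: print archive members that should have been excluded
leaked() {
    tar -tzf "$1" | grep -E 'etc/ssh/.*host|etc/resolv\.conf|root/\.bash_history|^\./tmp/.' || true
}

# make_fake_root DIR: constructed miniature tree with the leftovers a fresh
# debootstrap has (not a real Debian root; hash and address are made up)
make_fake_root() {
    d=$1
    mkdir -p "$d/etc/ssh" "$d/etc/rc2.d" "$d/root" "$d/tmp" "$d/var/log" \
             "$d/var/cache/apt" "$d/var/lib/apt/lists" "$d/var/lib/aptitude"
    printf '1:2345:respawn:/sbin/getty 38400 tty1\n' > "$d/etc/inittab"
    printf 'root:$1$fakesalt$fakehash:14000:0:99999:7:::\n' > "$d/etc/shadow"
    : > "$d/etc/mtab"
    : > "$d/etc/ssh/sshd_config"
    : > "$d/etc/ssh/ssh_host_rsa_key"
    : > "$d/etc/ssh/ssh_host_rsa_key.pub"
    printf 'nameserver 192.0.2.53\n' > "$d/etc/resolv.conf"
    : > "$d/root/.bash_history"
    : > "$d/tmp/leftover"
    : > "$d/var/cache/apt/pkgcache.bin"
    : > "$d/var/cache/apt/lock"
    : > "$d/var/lib/apt/lists/lock"
}
```

Typical use on the real tree: run check_template on the template root after step 09 and only continue to write_exclude and pack_template once it reports nothing; afterwards `leaked` on the tarball should print nothing. The lock files are kept on purpose, as in step 10, because apt expects them to exist.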

12. Use your created OS template to build a VE

Hint: Set your default OS template in /etc/vz/vz.conf with
DEF_OSTEMPLATE="debian-4.0-i386-minimal", then you need no
--ostemplate option on VE creation.

vzctl create <VEID> --ostemplate debian-4.0-i386-minimal

vzctl set <VEID> --nameserver <your_first_nameserver_ip> \
                 --nameserver <your_second_nameserver_ip> \
                 --searchdomain <your_search_domain> \
                 --ipadd <an_ip> \
                 --save

vzctl set <VEID> --userpasswd root:xxxx

vzctl start <VEID>

Note that the password given to --userpasswd ends up in your shell
history and, briefly, in the process list of the Hardware Node; use a
throw-away value and change it inside the VE.

Read more on the man-page(s): man vzctl


13. Update your OpenVZ OS template:

Go to step 09 and rebuild your OS template again!


-- Proxmox Support Team <support@proxmox.com>, Mon, 2 May 2011 12:19:51 +0200