projects / vzctl.git / blame
| Commit | Line | Data |
|---|---|---|
| 328c390e DM |
1 | vzctl for Debian (dso) |
| 2 | ---------------------- | |
| 3 | ||
| 4 | See http://openvz.org/ for information to OpenVZ ! | |
| 5 | ||
| 6 | The debian.systs.org-Flavour (-dso) comes with some changes to the origin : | |
| 7 | ||
| 8 | * On install and remove process: the sysctl modification are done automatically. | |
| 9 | * Default dist-scripts is set to debian. | |
| 10 | * Default OS-Template is a Debian Template, not a Fedora! | |
| 11 | * /etc/init.d/vz script can be used with [b|d]ash and debian's busybox, | |
| 12 | which make smaller system possible. | |
| 13 | ||
| 14 | TODO: | |
| 15 | ----- | |
| 16 | * inspect all relevant script, when using without shell "bash" | |
| 17 | * use the right program syntax, i.e ip a l -> ip addr show | |
| 18 | * Useing debconf as config interface, for some OpenVZ settings ? | |
| 19 | ||
| 20 | ||
| 21 | Network configuration: | |
| 22 | ---------------------- | |
| 23 | ||
| 24 | If you want network access for the virtual servers (VE), | |
| 25 | you need some sysctl settings. | |
| 26 | See file /etc/sysctl.conf. | |
| 27 | ||
| 28 | Relevant settings: | |
| 29 | ||
| 30 | #-- OpenVZ begin --# | |
| 31 | ||
| 32 | # On Hardware Node we generally need | |
| 33 | # packet forwarding enabled and proxy arp disabled | |
| 34 | net.ipv4.conf.default.forwarding=1 | |
| 35 | net.ipv4.conf.default.proxy_arp = 0 | |
| 36 | ||
| 37 | # Enables source route verification | |
| 38 | net.ipv4.conf.all.rp_filter = 1 | |
| 39 | ||
| 40 | # Enables the magic-sysrq key | |
| 41 | kernel.sysrq = 1 | |
| 42 | ||
| 43 | # TCP Explict Congestion Notification | |
| 44 | net.ipv4.tcp_ecn = 0 | |
| 45 | ||
| 46 | # we do not want all our interfaces to send redirects | |
| 47 | net.ipv4.conf.default.send_redirects = 1 | |
| 48 | net.ipv4.conf.all.send_redirects = 0 | |
| 49 | ||
| 50 | #-- OpenVZ end --# | |
| 51 | ||
| 52 | ||
| 53 | In some cases you may need to enable proxy_arp for the network devices | |
| 54 | that you want your virtual hosts to be accessible on. | |
| 55 | ||
| 56 | sysctl -w net.ipv4.conf.$DEV.proxy_arp=1 | |
| 57 | ||
| 58 | You can add this to a specific interface in the network configuration | |
| 59 | (/etc/network/interfaces) by the following lines, i.e. : | |
| 60 | ||
| 61 | [...] | |
| 62 | # device: %DEV% # DEVICE | |
| 63 | iface %DEV% inet static # use static IP handling | |
| 64 | address 192.168.1.1 # IP_ADDRESS | |
| 65 | netmask 255.255.255.0 # NETWORK MASK | |
| 66 | network 192.168.1.0 # NETWORK | |
| 67 | broadcast 192.168.2.255 # BROADCAST | |
| 68 | gateway 192.168.1.1 # GATEWAY | |
| 69 | ||
| 70 | up sysctl -w net.ipv4.conf.%DEV%.proxy_arp=0 | |
| 71 | pre-down sysctl -w net.ipv4.conf.%DEV%.proxy_arp=1 | |
| 72 | [...] | |
| 73 | ||
| 74 | Replace %DEV% with your device name (ie. eth0). | |
| 75 | ||
| 76 | See man-page: man interfaces | |
| 77 | ||
| 78 | ||
| 79 | Note: | |
| 80 | ||
| 81 | OpenVZ use a FAKENET for venet devices in VE, defined at | |
| 82 | /etc/vz/dists/script/functions: | |
| 83 | ||
| 84 | * FAKEGATEWAY=192.0.2.1 | |
| 85 | * FAKEGATEWAYNET=192.0.2.0 | |
| 86 | ||
| 87 | ||
| 88 | File structure: | |
| 89 | --------------- | |
| 90 | ||
| 91 | The functionality that openvz provide require that a directory structure is | |
| 92 | created. On a Debian installation it is by default located in /var/lib/vz, | |
| 93 | which is different from the normal OpenVZ /vz directory. | |
| 94 | ||
| 95 | So create a symbolic link from /var/lib/vz to /vz: | |
| 96 | ||
| 97 | ln -s /var/lib/vz /vz | |
| 98 | ||
| 99 | ||
| 100 | ||
| 101 | Create an OpenVZ OS Template: | |
| 102 | ---------------------------- | |
| 103 | ||
| 104 | You can find more information on the openvz wiki pages | |
| 105 | http://wiki.openvz.org/Debian_template_creation. | |
| 106 | ||
| 107 | Below is one example on how to create a OS Template. | |
| 108 | with debootstrap : Debian 4.0 (aka etch) on i386 | |
| 109 | ||
| 110 | Example: TemplateDIR: /var/lib/vz/tempate/debian/4.0/i386 | |
| 111 | Mirror(s): use a German mirror: -> ftp.de.debian.org, | |
| 112 | ||
| 113 | debootstrap \ | |
| 114 | --exclude=modutils,module-init-tools,pciutils,laptop-detect,dmidecode \ | |
| 115 | --include=iproute,ssh,psmisc,quota \ | |
| 116 | --arch i386 \ | |
| 117 | etch \ | |
| 118 | /var/lib/vz/tempate/debian/4.0/i386 \ | |
| 119 | http://ftp.de.debian.org/debian | |
| 120 | ||
| 121 | HINT: Please use a debian mirror: | |
| 122 | ||
| 123 | http://ftp.<mirror>.debian.org/debian | |
| 124 | e.g. <mirror>: | |
| 125 | de -> German | |
| 126 | dk -> Denmark | |
| 127 | ru -> Rusland | |
| 128 | ... | |
| 129 | ||
| 130 | Read more at http://www.debian.org/mirror/list | |
| 131 | ||
| 132 | ||
| 133 | When debootstrap has finished successfully the OS Template need | |
| 134 | a configuration: | |
| 135 | ||
| 136 | 01. SET hostname, to localhost | |
| 137 | ||
| 138 | echo localhost > /var/lib/vz/tempate/debian/4.0/i386/etc/hostname | |
| 139 | ||
| 140 | ||
| 141 | 02. Disable getty in /etc/inittab | |
| 142 | ||
| 143 | sed -i -e '/getty/d' /var/lib/vz/tempate/debian/4.0/i386/etc/inittab | |
| 144 | ||
| 145 | ||
| 146 | 03. Link /etc/mtab to /proc/mtab to make mount work as expected. | |
| 147 | ||
| 148 | rm -f /var/lib/vz/tempate/debian/4.0/i386/etc/mtab | |
| 149 | ln -s /proc/mounts /var/lib/vz/tempate/debian/4.0/i386/etc/mtab | |
| 150 | ||
| 151 | ||
| 152 | 04. Add secuity related Stuff to /etc/apt/sources.list: | |
| 153 | ||
| 154 | echo "deb http://ftp.de.debian.org/debian-security etch/updates main" \ | |
| 155 | >> /var/lib/vz/tempate/debian/4.0/i386/etc/apt/sources.list | |
| 156 | ||
| 157 | Hint: Or use a mirror (See. Hint above!) | |
| 158 | ||
| 159 | ||
| 160 | 05. Add a ve-start-ssh-keygen-script: | |
| 161 | ||
| 162 | cat << EOF > /var/lib/vz/tempate/debian/4.0/i386/rc2.d/S15ssh_gen_host_keys | |
| 163 | #!/bin/bash | |
| 164 | ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N '' | |
| 165 | ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N '' | |
| 166 | rm -f \$0 | |
| 167 | EOF | |
| 168 | ||
| 169 | chroot /var/lib/vz/tempate/debian/4.0/i386/ chmod a+x /etc/rc2.d/S15ssh_gen_host_keys | |
| 170 | or | |
| 171 | chmod a+x /var/lib/vz/tempate/debian/4.0/i386/etc/rc2.d/S15ssh_gen_host_keys | |
| 172 | ||
| 173 | ||
| 174 | 06. Disable root login and fix permission of /root | |
| 175 | ||
| 176 | chroot /var/lib/vz/tempate/debian/4.0/i386/ usermod -L root | |
| 177 | chmod 700 /var/lib/vz/tempate/debian/4.0/i386/root | |
| 178 | ||
| 179 | ||
| 180 | 07. Create symbolic link for modutils, pciutils | |
| 181 | ||
| 182 | chroot /var/lib/vz/tempate/debian/4.0/i386/ ln -s /bin/true /sbin/modprobe | |
| 183 | chroot /var/lib/vz/tempate/debian/4.0/i386/ ln -s /bin/true /sbin/insmod | |
| 184 | chroot /var/lib/vz/tempate/debian/4.0/i386/ ln -s /bin/true /sbin/rmmod | |
| 185 | chroot /var/lib/vz/tempate/debian/4.0/i386/ ln -s /bin/true /sbin/lsmod | |
| 186 | chroot /var/lib/vz/tempate/debian/4.0/i386/ ln -s /bin/true /usr/bin/lspci | |
| 187 | ||
| 188 | 08. Remove quotarpc from start levels | |
| 189 | ||
| 190 | chroot /var/lib/vz/tempate/debian/4.0/i386/ update-rc.d -f quotarpc remove | |
| 191 | ||
| 192 | 09. Update your packages: | |
| 193 | ||
| 194 | chroot /var/lib/vz/tempate/debian/4.0/i386 apt-get update | |
| 195 | chroot /var/lib/vz/tempate/debian/4.0/i386 apt-get upgrade | |
| 196 | ||
| 197 | HINT: Set your timezone setting to your needs. | |
| 198 | HINT: On an ssh (security!) update you need to clean | |
| 199 | the precreated ssh_keys again! (See 5.) | |
| 200 | ||
| 201 | ||
| 202 | 10. Make your OS-Template more shrink-able | |
| 203 | ||
| 204 | cd /var/lib/vz/tempate/debian/4.0/i386/ | |
| 205 | ||
| 206 | # clean resolv.conf | |
| 207 | echo "etc/resolv.conf" >> ../exclude.i386 | |
| 208 | ||
| 209 | # clean /root/.bash_history and .aptitude | |
| 210 | echo "root/.aptitude" >> ../exclude.i386 | |
| 211 | echo "root/.bash_history" >> ../exclude.i386 | |
| 212 | ||
| 213 | # clear /tmp | |
| 214 | find tmp/ -mindepth 1 >> ../exclude.i386 | |
| 215 | ||
| 216 | # clear /var/log/ | |
| 217 | echo "var/log/aptitude" >> ../exclude.i386 | |
| 218 | echo "var/log/dpkg.log" >> ../exclude.i386 | |
| 219 | ||
| 220 | # clear unused apt-get files | |
| 221 | find var/cache/apt/ -type f ! -name "lock" >> ../exclude.i386 | |
| 222 | find var/lib/apt/ -type f ! -name "lock" >> ../exclude.i386 | |
| 223 | find var/lib/aptitude/ -type f >> ../exclude.i386 | |
| 224 | ||
| 225 | # clean generated ssh_keys | |
| 226 | find etc/ssh/ -type -f -name '*host*' >> ../exclude.i386 | |
| 227 | ||
| 228 | # For better handling the user root bash-settings: | |
| 229 | # cp etc/skel/.bash* to root/ | |
| 230 | ||
| 231 | 11. Create OS Template | |
| 232 | ||
| 233 | tar -X ../exclude.i386 -czf /var/lib/vz/template/cache/debian-4.0-i386-minimal.tar.gz ./ | |
| 234 | ||
| 235 | ||
| 236 | 12. Use your created OS-Template building a VE | |
| 237 | ||
| 238 | Hint: Set your default OS Template in /etc/vz/vz.conf | |
| 239 | TEMPLATE="debian-4.0-i386-minimal.tar.gz", so you need | |
| 240 | no --ostemplate option use default templates on VE_Create! | |
| 241 | ||
| 242 | vzctl create <VEID> --ostemplate debian-4.0-i386-minimal | |
| 243 | ||
| 244 | vzctl set <VEID> --nameserver <add_you_first_nameserver_ip> \ | |
| 245 | --nameserver <add_you_second_nameserver_ip> \ | |
| 246 | --searchdomain <add_your_search_domain> \ | |
| 247 | --ipadd <add_an_ip> \ | |
| 248 | --save | |
| 249 | ||
| 250 | vzctl set <VEID> --userpasswd root:xxxx | |
| 251 | ||
| 252 | vzctl start <VEID> | |
| 253 | ||
| 254 | Read more on man-page(s): man vzctl | |
| 255 | ||
| 256 | ||
| 257 | 13. Update your OpenVZ OS Template: | |
| 258 | ||
| 259 | Goto Step 09. and rebuild your OS-Template again ! | |
| 260 | ||
| 261 | ||
| 262 | -- Proxmox Support Team <support@proxmox.com>, Mon, 2 May 2011 12:19:51 +0200 |