Debian Squeeze as an OpenVZ Template


OpenVZ is used for virtualization and is both lightweight (minimal software on the host, guests with small footprints on the hard drive, and minimal use of RAM) and fast (native speed).

Although I have been using Ubuntu as an OpenVZ guest, I have decided to give Debian a try.

Debian has a few advantages and Debian Squeeze seems “stable enough”.

IMHO the primary advantage of Debian is that the boot (init) scripts basically work as expected “out of the box” (although you can tweak them and remove a few, such as hwclock and some of the mount scripts). In fact, IMO, Debian is easier to install and configure as an OpenVZ template than CentOS, Fedora, or Ubuntu.

The other advantage of Debian is that Squeeze will be actively supported for a long time (such long-term support is appreciated server side). If you wish Long Term Support, consider CentOS or Ubuntu 10.04 as alternatives.

One note on naming: this walk-through uses the Proxmox naming convention:

<OS>-<OSVERSION>-<NAME>_<VERSION>_<ARCH>.tar.gz

Use debootstrap to install a minimal base

1. Let's start with a minimal base using debootstrap.

debootstrap --variant=minbase --arch amd64 squeeze /vz/private/777

2. Next, set up a workspace using a minimal openvz template configuration.

# Apply a basic configuration to the nascent template:
vzctl set 777 --applyconfig basic.conf --save

# Add a template name to the configuration file
echo "OSTEMPLATE=debian-6.0-minimal_6.0_amd64" >> /etc/vz/conf/777.conf

# Add an IP address and nameserver.
vzctl set 777 --ipadd 192.168.0.77 --nameserver 192.168.0.1 --save

3. Start the template. This is a convenient way to mount proc, sysfs, and devpts (used in the chroot step below). You may mount these manually if you prefer (but do not forget to then un-mount them when you are done).

vzctl start 777

Fix networking

Networking does not work in the template initially, so we first need to chroot into the template (rather than using vzctl) and install some additional packages.

1. Chroot into the template.

chroot /vz/private/777 /bin/bash

2. Install some additional applications:

apt-get install -y apt-utils console-setup iproute netbase procps quota iputils-ping vim

  • Select keyboard layout (I choose USA)
  • Select Encoding to use on the console (I used UTF-8)

3. Optional packages (iptables, locate, nano, wget, or others):

apt-get install iptables locate nano wget

4. Disable the ttys. They do not apply to templates, and if you check the logs you will see quite a few error messages.

Edit /etc/inittab and comment out the getty lines:

#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6

5. Exit the chroot and restart the container. You will now be able to enter the container using vzctl rather than chroot.

# Exit the chroot
exit

# Stop and re-start the template
vzctl stop 777
vzctl start 777

# Enter the template with vzctl
vzctl enter 777

Configuration

You may now customize the container by installing additional packages or services, adding users, etc. In this tutorial I am keeping to a minimal base.

1. Install any “optional” applications or services. Depending on your preferences you may wish to add to this list (apache, mysql, php, cron, etc.) or remove from it (sudo, adduser, openssh-server):

apt-get install -y adduser nano openssh-blacklist openssh-blacklist-extra openssh-server sudo

2. Set the locale.

apt-get install locales
dpkg-reconfigure locales

  • Select your locale (I used 136 "en_US.UTF-8 UTF-8")
  • Select your default locale (I used 2 "en_US.UTF-8")

Edit /etc/default/locale and add (edit) these lines:

LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_ALL="C"
LC_CTYPE="C"

3. Install syslog-ng or rsyslog (personally I prefer syslog-ng in OpenVZ Templates as it seems to work better with iptables).

apt-get install -y syslog-ng

4. Optional – Modprobe does not work in Openvz templates, so I remove it and replace it with a link to /bin/true . Modprobe may not be installed, and in that event, skip this (optional) step.

rm /sbin/modprobe
ln -s /bin/true /sbin/modprobe

5. Optional – Privatize the root account.

chmod 700 /root

6. Add any aliases you wish to your ~/.bashrc. Personally, at a minimum I use:

alias ll="ls -l"
alias la="ls -A"
alias nano="nano -w"
alias cp="cp -i"
alias mv="mv -i"
alias rm="rm -i"

Package the template

1. Generate unique ssh host keys.

If you installed openssh-server, I strongly suggest you use the “S15ssh_gen_host_keys” script to automatically generate a unique set of ssh host keys for each openvz template.

This script runs once, the first time you start a new container, and then self destructs.

Run these commands in the TEMPLATE, not on the host.

# clean your packages
apt-get clean
apt-get autoremove

#Generate a unique set of ssh (host) keys.
rm -f /etc/ssh/ssh_host_*

cat << EOF > /etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF

chmod a+x /etc/rc2.d/S15ssh_gen_host_keys

2. Review and disable any unnecessary boot scripts. Personally I disable exim4; keep it if you wish.

update-rc.d -f exim4 remove

You can almost certainly remove additional init scripts, hwclock and several mount scripts, but they do not seem to cause problems, so you may also leave them (as I did in this tutorial). If you do not understand the init script, or if you have to ask, best leave it.

3. Clear the log files.

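# Remove the bootstrap log and old dmesg logs
rm /var/log/bootstrap.log
rm /var/log/dmesg.*

# Reset the resolver configuration and the hostname
> /etc/resolv.conf
echo localhost > /etc/hostname

# Truncate the live logs and remove rotated ones
> /var/log/messages; > /var/log/auth.log; > /var/log/cron.log; > /var/log/error
> /var/log/syslog; > /var/log/daemon.log
rm -f /var/log/*.0 /var/log/*.1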
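
The following is an added example, not part of the original post: a check, run on the host against the container's private area (or inside the template with / as the argument), that the steps in this section took effect before the tree is packaged. The names audit_template and report, and the use of /usr/sbin/sshd to detect openssh-server, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the author's script. audit_template and report are
# names made up here; the paths are the ones used in the walk-through.
report() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Usage: audit_template /vz/private/777   (returns 0 only with no findings)
audit_template() {
    root=${1%/}
    findings=0

    # Host keys left in the template would be shared by every container.
    for f in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$f" ]; then report "host key in template: $f"; fi
    done

    # With sshd installed, the first-boot generator must exist and be
    # executable, otherwise new containers come up without host keys.
    gen=$root/etc/rc2.d/S15ssh_gen_host_keys
    if [ -e "$root/usr/sbin/sshd" ] && [ ! -x "$gen" ]; then
        report "sshd installed but $gen is missing or not executable"
    fi

    # Resolver and hostname from the build network must be reset.
    if [ -s "$root/etc/resolv.conf" ]; then
        report "$root/etc/resolv.conf is not empty"
    fi
    if [ "$(cat "$root/etc/hostname" 2>/dev/null)" != "localhost" ]; then
        report "$root/etc/hostname is not 'localhost'"
    fi

    # Logs from the build must be removed (bootstrap, dmesg.*, rotated) ...
    for f in "$root"/var/log/bootstrap.log "$root"/var/log/dmesg.* \
             "$root"/var/log/*.0 "$root"/var/log/*.1; do
        if [ -e "$f" ]; then report "leftover log: $f"; fi
    done
    # ... or truncated (the live log files).
    for name in messages auth.log cron.log error syslog daemon.log; do
        if [ -s "$root/var/log/$name" ]; then
            report "$root/var/log/$name is not empty"
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_template "$1"; fi
```
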

Package the template

1. Exit the template.

exit

On the HOST stop the template and package.

vzctl set 777 --ipdel all --nameserver ' ' --save
vzctl stop 777

2. Package with tar.

cd /vz/private/777
tar --numeric-owner -vzcf /vz/template/cache/debian-6.0-minimal_6.0_amd64.tar.gz .

This naming convention is for Proxmox. See this thread for a discussion. You may of course use any name you wish so long as the file ends with ".tar.gz" (without quotes).

3. Test the template.

sudo vzctl create 888 --ostemplate debian-6.0-minimal_6.0_amd64
sudo vzctl set 888 --ipadd 192.168.0.88 --nameserver 192.168.0.1 --hostname debian-test-minimal --save
sudo vzctl start 888

4. If all went well you should have a working Debian squeeze template.

ping -c4 192.168.0.88
vzctl enter 888
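
An added example, not part of the original post: once test containers exist, this lists any SSH host public key that appears in more than one container under the private area, which is what happens when a template is packaged with its host keys still in place. The function name shared_host_keys and the /vz/private/<CTID> layout (taken from the paths above) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the author's script. shared_host_keys is a name made
# up here; the /vz/private/<CTID> layout follows the walk-through's paths.
# Prints one line per key found in more than one container:
#   <sha256 of key> <ctid> <ctid> ...
shared_host_keys() {
    base=${1%/}
    for pub in "$base"/*/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ct=${pub#"$base"/}   # drop the private-area prefix
        ct=${ct%%/*}         # keep only the container ID
        # Hash "type key" only; the trailing comment is not key material
        # and differs from host to host.
        sum=$(awk '{ print $1, $2 }' "$pub" | sha256sum | cut -d' ' -f1)
        printf '%s %s\n' "$sum" "$ct"
    done | sort -u | awk '
        {
            count[$1]++
            if ($1 in ids) ids[$1] = ids[$1] " " $2
            else ids[$1] = $2
        }
        END { for (k in count) if (count[k] > 1) print k, ids[k] }
    ' | sort
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then shared_host_keys "$1"; fi
```

Empty output from `sh shared_host_keys.sh /vz/private` means every container has its own host keys.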

QED

Hope this worked well for you. Debian is very popular as an openvz guest and I would assume precreated templates will be available on the openvz site once Squeeze is officially released.

I am always looking for comments or feedback on my templates.


5 Responses to Debian Squeeze as an OpenVZ Template

  1. "debootstrap --variant=minbase" is handy, I had used it without when following http://wiki.openvz.org/Debian_template_creation.

    Also, I wonder if "--arch amd64" makes sense for the containers.
    What’s the benefit?
    Given that you are unlikely to hit any memory limits, does it improve performance? (the host is amd64, running the 2.6.32 kernel from Debian)

  2. 1. You can restart a container using “restart”:
    vzctl restart 777

    2. You can disable tty like this:
    sed -i -e '/getty/d' /etc/inittab (see http://wiki.openvz.org/Debian_template_creation#Disable_getty)

    3. Can you elaborate on “personally I prefer syslog-ng in OpenVZ Templates as it seems to work better with iptables”?

    4. I would not install ssh in the template by default: there’s no reason to have ssh in a basic container for me, and it removes the need to handle the generated keys.

    Thanks for these instructions.
    I think it would be nice to merge anything new/improved into the openvz wiki page (see above).

  3. foo says:

    Please note that OpenVZ is deprecated and squeeze will be the last release to support it. You should move on to LXC.

  4. bodhi.zazen says:

    @foo

    As you can see from previous blog entries, I have tried LXC, and although I agree LXC is the way of the future, IMO it is not ready for prime time yet; at least I would not use it in a “Production” environment.

    LXC is in very rapid development and has several issues, not the least of which is the lack of documentation.

    Debian squeeze + the latest openvz patch = openvz remains a viable solution.

  5. bodhi.zazen says:

    @ Daniel Hahler : Thank you for your comments.

    +1 minbase =)

    Honestly I do not notice a difference in performance between 32 and 64 bit templates and I think it is a personal choice. Others feel strongly one way or another.

    There is nothing wrong with a 32 bit template, and it will be slightly smaller.

    Similar with syslog-ng. If you are not familiar with it take it for a spin. I think it depends on how much or little you wish to customize your logs.

    The main issue I had with iptables was with UFW.

    http://blog.bodhizazen.net/linux/how-to-use-ufw-in-openvz-templates/

    I would not mind updating the openvz wiki, let me see how the debian template performs and see if I receive any additional feedback.
