OpenVZ Forum


Scientific Linux 5.7 OS Templates in contrib [message #43474] Wed, 14 September 2011 20:20
dowdle
Greetings,

As you may have noticed CentOS 5.7 and Scientific Linux 5.7 both came out today... as did updated official OS Templates from the OpenVZ project. Thanks Kir!

I found a short recipe (http://scientificlinuxforum.org/index.php?showtopic=13&hl=bold) for converting a CentOS host to a Scientific Linux host and decided to give it a try. It worked great. I created a CentOS 5.6 container, followed the recipe and when I was done I had a Scientific Linux 5.7 container. I had to add a couple of extra packages that aren't mentioned in the recipe and I was able to ignore those packages needed for a desktop system (mostly desktop logos and branding stuff).

The final products are a i386 and an x86_64 contributed SL 5.7 OS Template. You can find them in the usual place (http://download.openvz.org/template/precreated/contrib/):

scientific-5-i386-default-5.7-20110914.tar.gz 14-Sep-2011 16:15 157M
scientific-5-i386-default-5.7-20110914.tar.gz.asc 14-Sep-2011 16:15 198
scientific-5-x86_64-default-5.7-20110914.tar.gz 14-Sep-2011 16:18 162M
scientific-5-x86_64-default-5.7-20110914.tar.gz.asc 14-Sep-2011 16:18 198

I hope to update my contributed Fedora, CentOS and SL 6 OS Templates soon too.

Enjoy,
--
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


--
TYL, Scott Dowdle
Belgrade, Montana, USA
Re: Scientific Linux 5.7 OS Templates in contrib [message #43475 is a reply to message #43474] Wed, 14 September 2011 20:55
Kelvin Raywood
Scott Dowdle wrote:
> ...
> The final products are a i386 and an x86_64 contributed SL 5.7 OS Template.

Thanks very much for these Scott. This is much appreciated.

I just wanted to mention one thing that I got bitten by recently with a
template from contrib.

In the official templates, /etc/shadow has * in the encrypted-password
field for root so that you can't login as root using a password.
In April, an early SL-6.0 template was contributed
(scientificlinux-6.0-x86.tar.gz Apr-11-2011) which has an encrypted
password string for root.

We normally disable password access to root in /etc/ssh/sshd_config via
"PermitRootLogin without-password" and use ssh keys or "vzctl enter" to
get root access so didn't notice that the machine had a root password
enabled. Also, since it was our first SL-6 container, we didn't have
our deployment procedure sorted out properly and this was the
sshd_config part.

It didn't take long for some spider to find the machine and guess the
password. An IRC robot was installed and /root/.ssh/authorized_keys was
overwritten. We noticed fairly quickly and then cracked the password
string.

Anyway, we learned our lesson but I think it would also be good practice
for contributors to check that their template does not have a root password.

Oh yeah - the cracked password ... password

--
Kel Raywood
TRIUMF
Vancouver BC
Re: Scientific Linux 5.7 OS Templates in contrib [message #43476 is a reply to message #43475] Wed, 14 September 2011 21:36
kir
Indeed there is a specific set of actions to be performed on a newly created
container which is to be used to make a template. This includes:
- log files truncation;
- yum/apt database cleanup;
- adjustments to cron jobs and init.d services;
- making sure ssh keys are unique (this is specific to Debian, maybe Ubuntu
-- they generate key pairs on SSH package installation not the first run);
- disabling root login (usermod -L root should be sufficient, although it's
always better to check);
- removing getty entries from inittab (or its upstart/systemd analog) —
since there are no terminals in CT;
- making sure syslogd doesn't do sync() for each log line written (this ruins
I/O performance if you have tens or hundreds of CTs);
- proper software repository configuration;
- (optional) removal of unneeded packages (like kernel) just for the sake of
disk space savings (this is usually done by creating stub "dummy" packages
that virtually provide the stuff required by other packages but not really
needed);
- (optional) removal of some extra stuff like locale data;
- linking /etc/mtab to /proc/mounts (although it might not be needed);
- something else I can't remember at the moment.

Then, some things are performed by vzctl's postcreate.sh script which is run
during vzctl create. This, among other things, includes crontab times
randomization, to prevent all CTs from running, say, cron.daily jobs at the same
time.

Hope that helps,
Kir.

--
Sent from my Android phone


Kir Kolyshkin
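One way to check a template for the two problems raised in this thread (a usable root password in /etc/shadow, and SSH host keys shared by every container built from the template), as an added example that is not part of the original messages. The function names are hypothetical, and the argument is assumed to be the root of an unpacked template or a container's private area.

```shell
#!/bin/sh
# Added example (not from the thread): audit an unpacked template root,
# e.g. a container's private area, before publishing or deploying it.

# List accounts whose shadow password field is usable for login.
# Fields starting with "*" or "!" (what "usermod -L" produces) are locked;
# an empty field allows login with no password at all.
unlocked_accounts() {
    awk -F: 'NF > 1 && $2 !~ /^[!*]/ {
        print $1 ":" ($2 == "" ? "empty-password" : "password-hash-set")
    }' "$1/etc/shadow"
}

# List SSH host keys baked into the template; every container created
# from it would share them.
shipped_host_keys() {
    for f in "$1"/etc/ssh/ssh_host_*key*; do
        [ -f "$f" ] && echo "${f#"$1"}"
    done
    return 0
}

# Print the first PermitRootLogin value (sshd uses the first), or "unset".
root_login_setting() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null) || v=""
    echo "${v:-unset}"
}

# Run all checks; return non-zero if a finding should block publication.
audit_template() {
    [ -r "$1/etc/shadow" ] || { echo "FAIL: no etc/shadow under $1"; return 2; }
    rc=0
    accts=$(unlocked_accounts "$1")
    if [ -n "$accts" ]; then
        echo "FAIL: accounts with usable passwords:"; echo "$accts"; rc=1
    fi
    keys=$(shipped_host_keys "$1")
    if [ -n "$keys" ]; then
        echo "FAIL: SSH host keys shipped in template:"; echo "$keys"; rc=1
    fi
    echo "INFO: PermitRootLogin is $(root_login_setting "$1")"
    return $rc
}
```

Source the file and run `audit_template /vz/private/101` (101 is a constructed container ID) on the host; a non-zero return means the template should not be published as-is.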
Re: Scientific Linux 5.7 OS Templates in contrib [message #43477 is a reply to message #43474] Thu, 15 September 2011 03:24
samiam
What is the procedure for submitting an OpenVZ image to the contributed
OpenVZ templates?

- Sam

Re: Scientific Linux 5.7 OS Templates in contrib [message #43482 is a reply to message #43477] Thu, 15 September 2011 15:25
dowdle
Sam,

----- Original Message -----
> What is the procedure for submitting an OpenVZ image to the
> contributed OpenVZ templates?

You can give me and/or Kir a URL where we can download your OS Template(s)... and some basic information to associate with it (website with info on it if available, email address of creator). Then we can download it and put it in the contrib section.

TYL,
--
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]


--
TYL, Scott Dowdle
Belgrade, Montana, USA