Create a new VM from a non-Proxmox appliance template

I love Proxmox Virtual Environment when it comes to manage my own “Cloud”. However, the version I run (v1.9) has some issues with  non-compliant appliance templates. So if I just copy or wget templates to the cache folder then the Proxmox web GUI marks these as “– unknown –” and they seem not to be usable to create new virtual machines.

Don’t bother… switch to good old bash and execute the following command with the template of your choice. Note, you should also substitute the rootpasswd string with some meaningful salt/hash combination.

/usr/bin/pvectl vzcreate 600 --disk 20 --ostemplate local:vztmpl/ubuntu-12.04-x86.tar.gz --rootpasswd $1$gs0UfL2E$ZQaAAAAAAAAAAAAAAA84/G1 --hostname ve600.example.com --nameserver 123.123.123.123 --nameserver 124.124.124.124 --searchdomain example.com --onboot yes --ipset 10.11.12.13 --swap 256 --mem 256 --cpus 1

Switch back to your web console and enjoy your newly created playground.

Advertisement

Forward mails to specific servers (Postfix transport)

I was struggling to efficiently forward the OpenVZ hosts local e-mails to an private VE (MTA) since that system is bound to an IP address from a private range (192.168.x.x). Basically, I just wanted to have all mail for example.com to be routed to that “internal” mail server. In the end, postfix manuals led me to a simple solution. Thus, add the following lines to the postfix configuration files.

/etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport

example.com  smtp:192.168.1.1

To make sure your changes are being applied, run the following commands

# postmap /etc/postfix/transport
# postfix reload

The above lines cause postfix to forward mail targeting example.com to the MTA with IP 192.168.1.1. Make sure, the recipient mail server does accept incoming connections (I had to adjust the postgrey whitelist)

Backup VE in OpenVZ on CentOS

Unfortunately, the CentOS 5.5 final release and repositories do not support vzdump out of the box. However, some research and hints in other blogs finally led me to a running solutions.

wget http://download.openvz.org/contrib/utils/vzdump/vzdump-1.2-4.noarch.rpm
wget http://dag.wieers.com/rpm/packages/cstream/cstream-2.7.4-3.el4.rf.x8664.rpm
wget http://dag.wieers.com/rpm/packages/perl-LockFile-Simple/perl-LockFile-Simple-0.206-1.el5.rf.noarch.rpm

rpm -i cstream-2.7.4-3.el4.rf.x8664.rpm
rpm -i perl-LockFile-Simple-0.206-1.el5.rf.noarch.rpm
rpm -i vzdump-1.2-4.noarch.rpm

 

export PERL5LIB=/usr/share/perl5/

That’s it.

vzdump --suspend --compress --all --mailto cybr@haite.ch

INFO: Starting Backup of VM 103 (openvz)
INFO: CTID 103 exist mounted running
INFO: status = CTID 103 exist mounted running
INFO: backup mode: suspend
INFO: bandwidth limit: 10240 KB/s
INFO: starting first sync /vz/private/103/ to /vz/dump/vzdump-openvz-103-20100906-211257.tmp
...

Clone an OpenVZ VE

Upgrade system to clone
hn# vzctl start veid-to-clone
hn# vzctl enter veid-to-clone
ve# yum update
ve# exit
hn# vzctl stop veid-to-clone

Run clone script with required attributes
hn# ./clone.sh
Usage ./clone.sh old_id new_id new_ip

hn# ./clone.sh 1 123 192.168.1.123
Stopping ve1...
Unable to stop: container is not running
Copying configuration...
Cloneing ve1...
Updateing ve123 configuration...
Starting clone...
Starting container ...
Initializing quota ...
Container is mounted
Adding IP address(es): 192.168.1.123
Setting CPU units: 1000
Configure meminfo: 65536
Set hostname: ve123.example.com
File resolv.conf was modified
Container start in progress...
Starting origin ve...
Starting container ...
Container is mounted
Adding IP address(es): 192.168.1.1
Setting CPU units: 1000
Configure meminfo: 65536
Set hostname: ve1.example.com
File resolv.conf was modified
Container start in progress...
Done.

Be aware that the script automatically stops and starts the origin VE as well as the cloned VE. Clone bash script below

#! /bin/bash

if [ $# != 3 ]; then
echo "Usage $0 old_id new_id new_ip"
exit 0
fi

OLDVE=$1
NEWVE=$2
IP=$3

echo "Stopping ve$OLDVE..."
vzctl stop $OLDVE
echo "Copying configuration..."
mkdir /vz/root/$NEWVE
cp /etc/vz/conf/$OLDVE.conf /etc/vz/conf/$NEWVE.conf
mkdir /vz/private/$NEWVE
echo "Cloneing ve$OLDVE..."
pushd /vz/private/$OLDVE; tar c --numeric-owner * | tar x --numeric-owner -C /vz/private/$NEWVE; popd
echo "Updateing ve$NEWVE configuration..."
cat /etc/vz/conf/$OLDVE.conf | grep -v "IP_ADDRESS" | grep -v "HOSTNAME" > /etc/vz/conf/clone.conf
echo "IP_ADDRESS="$IP"" >> /etc/vz/conf/clone.conf
echo "HOSTNAME="ve$NEWVE.haite.ch"" >> /etc/vz/conf/clone.conf
mv /etc/vz/conf/clone.conf /etc/vz/conf/$NEWVE.conf
echo "Starting clone..."
vzctl start $NEWVE
echo "Starting origin ve..."
vzctl start $OLDVE
echo "Done."

Allow an OpenVZ VE to Act as NTP Server

Common VEs are not allowed to update the system time
ve# ntpdate time.example.com
22 May 02:39:11 ntpdate[1895]: step-systime: Operation not permitted

Add the required privilege to a dedicated NTP VE
hn# vzctl stop 123
Stopping container ...
Container was stopped
Container is unmounted

hn# vzctl set 123 --capability sys_time:on --save
Saved parameters for CT 123

hn# vzctl start 123 Starting container ...
Container is mounted
Adding IP address(es): 192.168.1.123
Setting CPU units: 1000
Configure meminfo: 65536
Set hostname: ve123.example.com
File resolv.conf was modified
Container start in progress...

Try again…
hn# vzctl enter 123
entered into CT 123

ve# ntpdate time.example.com
22 May 02:43:04 ntpdate[3743]: step time server 12.12.12.12 offset -1.458977 sec

Forward Ports to Private VEs (DNAT)

Use network address translation (DNAT) to forward ports to virtual machines which are connected in a private subnet (e.g. 192.168.1.0/24). The following statement will forward all packets received at the HN eth0 interface on port 443 to the virtual interface with address 192.168.1.123, port 443.

hn# iptables -A PREROUTING -t nat -i eth0 -p tcp -d 12.12.12.12 --dport 443 -j DNAT --to-dest 192.168.1.123:443

Make sure you specified the HN interface address (-d) otherwise request of all VEs will be sent to the specified destination host as well. Use the following command to list iptables NAT rules

hn# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 12.12.12.12 tcp dpt:80 to:192.168.1.123:443
...