Linux optimize

Install OpenVZ on CentOS to create a virtual container

Vincent Danen shows you how to install OpenVZ on CentOS. OpenVZ is an OS-level virtualization product that allows you to completely isolate processes from each other, increase security by keeping bits separate, and tightly control resource utilization.

A number of virtualization products exist for Linux. They range from free to commercial, basic to industrial-strength. Most will allow you to virtualize any operating system on a Linux host.

One virtualization product that is different from the others is OpenVZ. It will only do Linux-on-Linux virtualization as it is an OS-level virtualization product, where others are machine or hardware virtualization products. Essentially, OpenVZ is a glorified Linux chroot or BSD jail system that allows you to completely isolate processes from each other, increase security by keeping bits separate, and tightly control resource utilization. OpenVZ refers to these "virtual machines" as containers, virtual private servers (VPS), or virtual environments (VE).

As a result, OpenVZ is much lighter on system resources than full virtualization products like VMware or Xen.

Installing OpenVZ is quite simple. It requires a special kernel to provide the virtualization support it needs, and this can be obtained easily via the OpenVZ project itself. While the kernels are meant for RHEL4 and RHEL5, they will work on CentOS and track the upstream kernels quite closely.

To begin, you must download the OpenVZ repository control file in order for yum to become aware of the repository, and import the repository's GPG signing key.

This can be done by executing:

# cd /etc/yum.repos.d/
# curl -OL http://download.openvz.org/openvz.repo
# rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ
# yum update

The final command downloads the repository metadata for the OpenVZ repositories. By default, only the RHEL5 and utils repositories are enabled; you can enable other repositories if you are interested in trying newer kernels. For CentOS 5, be sure to use the RHEL5 repository.

To install the OpenVZ kernel, execute:

# yum install ovzkernel.x86_64

Substitute "x86_64" above for "i386" if you are running a 32-bit system. Once the kernel is installed, edit /boot/grub/grub.conf to make sure that the entry for the OpenVZ kernel is the default (if it is the first entry in the file, make sure that default=0 is set; if it is the third entry, use default=2; it should be the first entry, however).

Next, edit /etc/sysctl.conf and add:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

This will enable IPv4 forwarding, disable the proxy arp, enable source route verification, and disable all of the interfaces from sending redirects. It also enables the magic sysrq key. Some of these options may already be defined; if so, simply comment any you find earlier in the file.

You will also need to disable SELinux by setting SELINUX=disabled in /etc/sysconfig/selinux.

Now reboot the system. When it comes back up, install the OpenVZ utilities:

# yum install vzctl.x86_64 vzquota.x86_64

You do not need to specify the architecture on a 32-bit system; specifying it on the x86_64 platform is desirable; otherwise, it will want to install both the i386 and x86_64 packages.

Once this is done, execute:

# service vz start

Installation is complete and you are ready to set up your first OpenVZ virtual machine. I'll look at creating an OpenVZ container in the future; in the meantime you can look at the OpenVZ wiki to read about how to create OS templates. Let me know if you have any specific questions about OpenVZ.

Get the PDF version of this tip here.

Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

10 comments
jwhitby3
jwhitby3

While I'm glad to see this technology FINALLY added to Linux, as it is very useful, Zones and containers have been in Solaris 10, I believe since it was first released. I'm not pickin on the Linux guys here, it really is awesome and it's great to see it in Linux...Now for the ZFS and D-trace

knura
knura

Good article. After reading it, I am planning to try it first amongst other VM platforms [KVM, Xen, and parallels (eval. version)] on our new server (with 8GB RAM and 4*160GB (RAID10) HDDs)

Photogenic Memory
Photogenic Memory

It seems similar? Also why do I have to disable SElinux to get it to work? It's there to protect me, correct? I'm kinda of an intermediate(barely) with Linux but there's Xenserver that'll do the same thing? Why recommend OpenVZ over that?

bob
bob

I actually did the reverse, I installed a CENTOS VPS (Virtual Private Server) using OpenVZ on a Debian 5 server to replace my OpenWebMail server that got damaged during a Debian upgrade. The templates provided by OpenVZ are very definitely MINIMAL! And do require a lot of installs to bring them up to adequate server capable machines. However, the OpenVZ was the simplist Virtualization I had used to date. I was able to complete the Full installation from more than 1100 miles away from the physical hardware, using SSH only. I also installed the full version of Webmin on the VPS so managing the VPS was easier once installed. I had to rethink my iptables, but was able to perform a functional port redirection from/to the internet using only 6 lines so as to activate webmail:80 webmin:2210 ssh:2200 This was a great solution for me and I am impressed. I also installed on the HOST system, the WebVZ, a neat web interface to monitor, create, backup, and other admin tools of VPS's installed on the HOST. I found all sorts of Virtualization Solustions for a graphical interface, but this OpenVZ was a perfect choice for non gui installs. I highly recommend this product and I intend to use it again in my future server virtualizations. Also, a great added note --- the "Container" can be backed up and restored to another HOST fairly easily.

NineTom
NineTom

Now, It works by I use "rpm" instead of "yum". Follows : rpm -ihv ovzkernel-2.6.18-128.2.1.e15.028stab064.7.i686.rpm rpm -ihv vzyum-2.4.0-11.noarch.rpm rpm -ihv vzctl*.rpm vzquota*.rpm vzpkg*.rpm My test machine use CPU 32 bits. Thanks

vdanen
vdanen

OpenVZ is much lighter on the resources than Xen (or any other virtualization software), largely because it does not need to virtualize hardware. As for disabling SELinux... to be honest I've forgotten why I made that recommendation. I'm sure there was an error or something preventing me from doing.. something. I think I will have to revisit this for a future tip on how to use SELinux with OpenVZ. In the meantime, you can probably get away with setting SELinux to non-enforcing rather than disabled.

bob
bob

I would like to clarify that running an APPLICATION in a jailed environment is not what OpenVZ or other Virtual Server Applications do. OpenVZ installs FULL Servers that can run many applications, jailed or otherwise, on a completely separate server(s) on a single HOST (the machine that "hosts" the virtual servers). Selinux is another issue and there are instructions for handling it. Each virtual server installed by OpenVZ is a "PRIVATE" server and does require special iptable instructions running on the "HOST" so that the VPS (Virtual Private Server) can be accessed from the Internet, otherwise access must be first granted to the host and then the VPS accessed through a "vzctl enter xxx" command executed on the Host.

bob
bob

I looked at XEN and it appeared to be almost impossible for me to perform the installation without physical access to the machine. I may have been wrong, but it looked like it would not work properly without that physical access. I have used many Virtual products previously and this was my first encounter with OpenVZ. I currently use: Virtualbox on Windows and Linux, VmWare Workstation on Windows and Linux, VMWare Server (free) on Linux, Fusion on Mac OSx, QEMU on Mac OSx, and now OpenVZ. I have found the OpenVZ to be the easiest to install and configure and I found XEN to be the most complex and confusing and therefor I have avoided it. I have a few hundred servers running on the Internet, both virtual and physical and they run Debian, SUSE, Red Hat, Centos, Ubuntu, Slackware and others as I see which OS works the best for ME to run my server applications which range from DNS-Bind, Sendmail, Openwebmail, Apache1x and Apache2x, etc. I also run virtual desktops on LinuxOS and use NXClient and NXServers on them. I love the wonderful technology available today! And I loved OS-2 Warp running Wordperfect5.1 for DOS back in the days!!! On a 8MB 486 machine! Bob

vdanen
vdanen

Ahhh... I see the problem now and why you need to disable it. The OpenVZ kernels do not have SELinux support enabled. So regardless of selinux settings, even if you had it set to enforcing, it would do nothing because it looks like the OpenVZ-supplied kernels do not even build SELinux support. What would be nice is if OpenVZ was included in the mainline kernel so that you *could* have both enabled (there may be technical reasons why you can't though... I'd have to get a test system and recompile the OpenVZ kernel myself to know for sure). Maybe this has changed with later OpenVZ kernels, but with CentOS5/RHEL5 at least, it doesn't look like it's possible. Someone please correct me if I'm wrong. (Also, the OpenVZ site itself indicates disabling SELinux is required, but they neglect to mention that they don't even compile in the support to their kernels).