OpenVZ, who doesn’t know it? It has been used (and abused) in the hosting industry for many, many years and it is still going strong. Being an operating-system-level virtualization technology, OpenVZ needs no hardware virtualization support: there is no hypervisor, every container runs on the host’s kernel. OpenVZ creates virtualized environments known as containers, and these containers are not completely isolated. For example, a process that runs in a guest shows up in the host node’s top. This is one of the strengths of OpenVZ: its simplicity and the fact that there is hardly any overhead. The flip side of the shared kernel is that a kernel bug reachable from inside a container is a bug on the host, so the OpenVZ kernel has to be kept current. A container has limits (like RAM or disk), but those limits are not reserved anywhere, so you can assign far more resources to containers than you actually have. That is also one of OpenVZ’s weaknesses: it is easily oversold.
Like it or not, OpenVZ is a nice piece of technology and it is perfect for creating a virtualized environment with hardly any overhead. But what would you do with it as a non-provider?
There are many things you can do with it, actually. For example, it is great for a development machine or a testing environment: you can create and destroy containers as often as you like, or keep them around (powered off) for when you need them. It also makes migrations easy: if you “wrap” your entire machine in an OpenVZ container, you can just tar up the container, move it and deploy it on a new host machine. OpenVZ runs fine on dedicated servers, but also on KVM machines, making it even cheaper to get a machine to run OpenVZ on. I’ve actually tested this tutorial on a KVM machine with 2 IPs (you can make do with 1 IP and use only internal networking, but it is more work, and more IPs mean more world-reachable containers).
This is what you need for this tutorial: a dedicated server or a KVM machine with a fresh install of CentOS 6 (64-bit, minimal installation preferred), at least 2 IPs in the same subnet and a bit of time.
Installing OpenVZ has recently gotten a lot simpler. No more editing /etc/sysctl.conf; the packages do that for you. The OpenVZ project is currently modernizing in order to support newer kernels (they still run on a pretty old kernel from the 2.6.32 series while mainline Linux is at 3.10.x), so this process will get even simpler in the future.
The first thing you need to do is install the OpenVZ kernel. This is a patched kernel that uses the RHEL kernel as its upstream source. In order to install the kernel, we need to add the OpenVZ YUM repository, and to fetch its repo file we need wget. So, install wget first:
yum install wget
Then fetch the repo file:
wget -P /etc/yum.repos.d/ http://ftp.openvz.org/openvz.repo
And finally import the repository’s GPG key, so that yum can verify the signatures of the packages it installs (the key is fetched over plain HTTP from the same host as the packages, so this guards against corrupted downloads rather than against that server being compromised):
rpm --import http://ftp.openvz.org/RPM-GPG-Key-OpenVZ
You’re now ready to install the kernel. No worries, it’s really simple:
yum install vzkernel
That’s it! Now, do not reboot yet! We first need to install the additional packages that put everything where it is supposed to be and give you a working installation. These packages are ‘vzctl’, used for managing containers, ‘vzquota’, to control disk quotas, and ‘ploop’, a “new” container disk image format for OpenVZ.
Let’s install the additional OpenVZ packages:
yum install vzctl vzquota ploop
Once that’s done, reboot! It should automatically load the OpenVZ kernel. To check whether you rebooted into the right kernel, run:
uname -a
And it should output something like:
Linux hostname.example.net 2.6.32-042stab081.8 #1 SMP Mon Sep 30 16:52:24 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux
The ‘042stab081.8’ part should match the latest stable version on openvz.org, in this case https://wiki.openvz.org/Download/kernel/rhel6/042stab081.8. If uname still shows the stock CentOS kernel instead, the OpenVZ kernel was installed but not booted; check the default entry in /boot/grub/grub.conf.
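The kernel check above as a small script, added here as an example (it is not part of the original post or of the OpenVZ project): it parses the output of uname -r, confirms the stab tag, and also verifies two things the rest of the tutorial relies on silently, that /proc/vz exists (it is provided by the OpenVZ kernel, so it is only there when that kernel is actually booted) and that net.ipv4.ip_forward is 1, which the vzctl package is expected to set and which venet containers need in order to reach the outside world. The function and file names are arbitrary.

```shell
#!/bin/sh
# vzcheck: confirm a host rebooted into the OpenVZ kernel and can route for
# containers. Added example for this tutorial, not from the OpenVZ project.

# Return 0 when a `uname -r` string names an OpenVZ kernel. OpenVZ RHEL6 kernels
# carry a "042stabNNN.N" tag where stock CentOS kernels have "-358.el6".
is_vz_kernel() {
    case "$1" in
        *-[0-9]*stab[0-9]*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Print the stab tag (e.g. 042stab081.8) from a `uname -r` string, or nothing
# for a non-OpenVZ kernel, so it can be compared with the latest stable build
# listed on openvz.org.
vz_stab_version() {
    printf '%s\n' "$1" | sed -n 's/^[0-9.]*-\([0-9]*stab[0-9.]*\).*/\1/p'
}

# Live checks against the running host; invoked as "sh vzcheck.sh check".
run_checks() {
    rel=$(uname -r)
    if ! is_vz_kernel "$rel"; then
        echo "not an OpenVZ kernel: $rel (check the default entry in /boot/grub/grub.conf)" >&2
        return 1
    fi
    echo "running OpenVZ kernel $(vz_stab_version "$rel")"
    # /proc/vz is provided by the OpenVZ kernel itself; without it vzctl cannot work.
    if [ ! -d /proc/vz ]; then
        echo "/proc/vz is missing: the OpenVZ kernel is not active" >&2
        return 1
    fi
    # venet containers have no interface of their own; the host forwards for them.
    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    if [ "$fwd" != 1 ]; then
        echo "net.ipv4.ip_forward is $fwd, expected 1 (see /etc/sysctl.conf)" >&2
        return 1
    fi
    echo "IPv4 forwarding is enabled"
}

if [ "${1:-}" = check ]; then
    run_checks
fi
```

Run it as root right after the reboot (sh vzcheck.sh check); a non-zero exit means stop and fix the host before creating any container, since vzctl on the stock kernel will only produce confusing errors.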
That’s it, you’ve installed OpenVZ! Now let’s create your first container!
Creating your first container
Creating a container isn’t hard, it’s actually really simple. I’m going to create a venet container, which has a virtual networking device. Another option is a veth container, which will use a bridge on the host to route traffic through and which puts network control in the hands of the guest (and gives it an actual network interface). A venet container is easier to create, though, and it’s sufficient for most purposes.
Before we can create a container, we need a template to use. OpenVZ provides official templates at http://openvz.org/Download/template/cache. I’ve chosen the Ubuntu template for my example. Go to /vz/template/cache/ and download the template archive from that page into it (for this example that is ubuntu-12.04-x86_64.tar.gz; keep the file name as it is, because vzctl looks the template up by that name):
Now, create the container:
vzctl create 101 --ostemplate ubuntu-12.04-x86_64
What we do here is tell vzctl to create a container with ID 101. This ID is used later for all vzctl commands and should be a number of 100 or higher (everything below 100 is reserved for OpenVZ’s internal use). With the --ostemplate flag, you point vzctl to the right template. The name is the file name of the template download minus the ‘.tar.gz’. When this command has finished, let’s add an IP to the container:
vzctl set 101 --ipadd 192.0.2.1 --save
This IP address should be routed to your server but not configured on it. So if you have a KVM with 2 IPs, just configure one IP on the host node and leave the other(s) alone. The second (or any other) IP can be used in the command above and will be configured automatically. The --save flag makes the setting persistent in the container’s configuration file.
Finally, add a nameserver (I’ve used Google’s public DNS server here):
vzctl set 101 --nameserver 8.8.8.8 --save
And start your new container:
vzctl start 101
That’s it! Your container is running. Now, to get connectivity, you need to either add iptables rules or shut iptables down. I highly recommend the former, so open up /etc/sysconfig/iptables and make sure that this block:
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Looks like this:
:FORWARD ACCEPT [0:0]
-P FORWARD ACCEPT
:OUTPUT ACCEPT [0:0]
And that this line:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Is commented out and looks like this:
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Now, restart iptables to load the changed rules:
service iptables restart
And you should be good. What we have done here is accept all forwarded traffic (the :FORWARD ACCEPT line already set the chain policy to ACCEPT; it was the final REJECT rule that blocked the containers’ traffic and answered pings with host-prohibited). Your container should now be reachable from the internet. Keep in mind what that means: the host now forwards everything in both directions, so its firewall no longer filters anything for the containers. Either run a firewall inside each container or replace the blanket accept with FORWARD rules that only allow the ports you actually publish.
Now, to get into your container, enter:
vzctl enter 101
And you get a root shell inside your new container. No password is asked because you come in from the host; the template does not come with a known root password, so set one with the --userpasswd option of vzctl set before you try to log in over SSH. As you may have noticed, we haven’t set any limits for our new container. It uses the defaults, so it has 256MB RAM, 512MB vSwap and 2GB disk space. These are defined in the container’s configuration file, /etc/vz/conf/101.conf. Each container gets a config file there, named after its container ID. You can either edit this file by hand or use vzctl set with --save, as we did above, to modify your container’s resources. Feel free to play around with this a bit!
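The create/set/start sequence above, the firewall change and the resource limits just discussed, combined into one host-side helper. This is an added example, not code from the original post or from the OpenVZ project. It assumes vzctl 4.x (the --hostname, --ram, --swap, --diskspace and --onboot flags are vzctl’s own, but the tutorial does not use them), that the host routes container traffic over its venet0 interface, and that the stock “-A FORWARD -j REJECT” line has been removed from /etc/sysconfig/iptables as described above. The ctNNN hostname and the 22,80,443 port list are arbitrary choices, and the VZCTL/IPT overrides exist so the commands can be previewed with echo before being run as root.

```shell
#!/bin/sh
# vz-addct: create a venet container and fence it in on the host.
# Added example for this tutorial; it is not code from the original post or
# from the OpenVZ project. Assumes vzctl 4.x, container traffic routed over
# the host's venet0, and the stock "-A FORWARD -j REJECT" line already removed
# from /etc/sysconfig/iptables so that rules added here are actually reached.
#
# Override VZCTL and IPT (e.g. VZCTL=echo IPT=echo) to print the commands
# instead of running them; that dry run is also how the functions are tested.
VZCTL=${VZCTL:-vzctl}
IPT=${IPT:-iptables}

# CTIDs below 100 are reserved for OpenVZ's own use; accept only integers >= 100.
valid_ctid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 100 ]
}

# Crude dotted-quad check so a typo does not end up in the container config.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# create_ct CTID IP TEMPLATE [RAM] [SWAP] [DISK]
# Same sequence as the tutorial, with the default limits made explicit
# (256M RAM, 512M vSwap, 2G disk) instead of inherited from the sample config.
# The hostname "ct<CTID>" is an arbitrary choice.
create_ct() {
    ctid=$1 ip=$2 tmpl=$3
    ram=${4:-256M} swap=${5:-512M} disk=${6:-2G}
    valid_ctid "$ctid" || { echo "bad CTID '$ctid': must be an integer >= 100" >&2; return 1; }
    valid_ipv4 "$ip"   || { echo "bad IPv4 address '$ip'" >&2; return 1; }
    $VZCTL create "$ctid" --ostemplate "$tmpl" &&
    $VZCTL set "$ctid" --ipadd "$ip" --nameserver 8.8.8.8 --hostname "ct$ctid" --save &&
    $VZCTL set "$ctid" --ram "$ram" --swap "$swap" --diskspace "$disk" --onboot yes --save &&
    $VZCTL start "$ctid"
}

# forward_base: run once per host. Lets reply traffic through and restores the
# final reject that the tutorial's edit removed, now that container rules can
# be placed in front of it.
forward_base() {
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# forward_ct IP PORTS: per-container rules, inserted at the head of FORWARD so
# they always sit in front of the final REJECT however many containers exist.
# Only the published TCP ports and ping may reach the container from outside;
# the container itself may talk to anything.
forward_ct() {
    ip=$1 ports=$2
    $IPT -I FORWARD -i venet0 -s "$ip" -j ACCEPT &&
    $IPT -I FORWARD -o venet0 -d "$ip" -p icmp --icmp-type echo-request -j ACCEPT &&
    $IPT -I FORWARD -o venet0 -d "$ip" -p tcp -m multiport --dports "$ports" -j ACCEPT
}

# Usage on the host: sh vz-addct.sh add CTID IP [TEMPLATE] [PORTS]
if [ "${1:-}" = add ]; then
    create_ct "$2" "$3" "${4:-ubuntu-12.04-x86_64}" || exit 1
    forward_ct "$3" "${5:-22,80,443}" || exit 1
    service iptables save   # persist the live ruleset to /etc/sysconfig/iptables
fi
```

Run forward_base once on the host after the iptables edit above, then sh vz-addct.sh add 101 192.0.2.1 for each container. Compared with accepting every forwarded packet, only the listed ports (plus ping) can reach a container from the internet, which is exactly the part of the host firewall that the blanket accept gives up; a dry run with VZCTL=echo IPT=echo shows the vzctl and iptables commands before anything is changed.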
That’s it, you’ve just set up OpenVZ on your server and added your first container!
As usual, there’s a lot more to tell about OpenVZ: configuration options, adding IPv6, using veth or configuring private networking. I’m probably going to cover some of these topics in a future tutorial. The OpenVZ website (http://openvz.org) has a lot of information, so be sure to check it out!
Up next time: Setting up nginx, PHP-FPM and MariaDB!