How To Create A Debian Wheezy (Testing) OpenVZ Template

Version 1.0
Author: Falko Timme
Follow me on Twitter

This tutorial explains how to create an OpenVZ template for Debian Wheezy (Debian Testing) that you can use to create virtual Debian Wheezy machines under OpenVZ. I searched for a Debian Wheezy OpenVZ template, but couldn't find one, that's why I decided to create it myself. This guide can also be used for creating Debian Lenny templates and templates for recent Ubuntu versions.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

This guide is based on Debian template creation, but was adjusted to Debian Wheezy. I assume you are using a Debian-based OpenVZ host, for example as shown in this guide: Installing And Using OpenVZ On Debian Squeeze (AMD64)


2 Preparing The Host System

Host System:

These steps have to be carried out on the host system!

We need deboostrap to install the Wheezy guest, so make sure it is installed:

apt-get install debootstrap

Next make sure that /vz is a symlink to /var/lib/vz:

ln -s /var/lib/vz /vz

Now we install the 64bit version of Debian Wheezy in the /vz/private/777 directory (I will use 777 as the container ID of the Wheezy guest; you are free to use any other unused ID; for example, if you use the ID 123, change the directory to /vz/private/123).

debootstrap --arch amd64 wheezy /vz/private/777

If you want to create a template for i386, the command must look as follows:

debootstrap --arch i386 wheezy /vz/private/777

Make sure you use a Debian mirror that is close to you. I use the German mirror; you can replace de with your country code, for example for France or for the USA.

Afterwards, open /etc/sysctl.conf...

vi /etc/sysctl.conf

... and append the following settings:

### OpenVZ settings

# On Hardware Node we generally need packet
# forwarding enabled and proxy arp disabled

net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0


sysctl -p

for the changes to take effect.

Next we apply a basic OpenVZ configuration to our container:

vzctl set 777 --applyconfig basic --save

You will see the following warning which you can ignore:

[email protected]:~# vzctl set 777 --applyconfig basic --save
WARNING: /etc/vz/conf/777.conf not found: No such file or directory
Saved parameters for CT 777
[email protected]:~#

The last command has created a new /etc/vz/conf/777.conf for our container. We need to add the OSTEMPLATE variable to it which we can do as follows:

sh -c 'echo OSTEMPLATE=\"debian-7.0\"' >> /etc/vz/conf/777.conf

Replace debian-7.0 with the appropriate value for the distribution you use for your new template, like debian-6.0 for Debian Squeeze or ubuntu-11.04 for Ubuntu 11.04.

Next we add a free IP from our subnet to the new container and set at least one nameserver so that the container has access to the Internet. I'm in the 192.168.0.x net, so I assign the IP to the container, and I make it use Google's nameservers ( and

vzctl set 777 --ipadd --save
vzctl set 777 --nameserver --nameserver --save

Next check if /var/lib/vz/private/777/dev/ptmx exists:

ls -l /var/lib/vz/private/777/dev/ptmx

Output should be as follows:

[email protected]:~# ls -l /var/lib/vz/private/777/dev/ptmx
crw-rw-rw- 1 root tty 5, 2 Mar  4 12:53 /var/lib/vz/private/777/dev/ptmx
[email protected]:~#

If it does not exist, create it as follows:

mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2

Now we start the container...

vzctl start 777

... and enter it:

vzctl enter 777


3 Preparing The Container


These stepd have to be carried out in the container!

Set the PATH variable as follows:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Open /etc/apt/sources.list...

vi /etc/apt/sources.list

... and make it look as follows (again, make sure you use a Debian mirror close to you):

deb wheezy main contrib
deb wheezy/updates main contrib

Update the package database...

apt-get update

... and install the latest updates:

apt-get upgrade

Now you can install all packages that you'd like to provide with your OpenVZ template. A minimal set of packages could be as follows:

apt-get install ssh quota less vim-nox

Assign the correct permissions to the /root directory:

chmod 700 /root

If you want to disable the root login, run

usermod -L root

Personally, I prefer to have a root login, so I omit this command.

Next, we disable getty, sync() for syslog, and fix /etc/mtab:

sed -i -e '/getty/d' /etc/inittab
sed -i -e '[email protected]\([[:space:]]\)\(/var/log/\)@\1-\[email protected]' /etc/*syslog.conf
rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab

Now it's time to remove all packages that you don't want to provide with your template, for example as follows:

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

Next we remove the system startup links for a few services:

update-rc.d-insserv -f klogd remove
update-rc.d-insserv -f quotarpc remove
update-rc.d-insserv -f exim4 remove
update-rc.d-insserv -f inetd remove

Each container created from this template should have its own pair of SSH keys, therefore we delete the SSH keys of this container...

rm -f /etc/ssh/ssh_host_*

... and create a script that automatically creates a new pair of SSH keys on first boot:

vi /etc/init.d/ssh_gen_host_keys
# Provides:          Generates new ssh host keys on first boot
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f \$0

Make the script executable and add system startup links:

chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys

Next adjust your timezone:

dpkg-reconfigure tzdata

Clean up your package cache:

apt-get --purge clean

Then exit the container:



4 Cleaning Up, Creating The Template, And Testing

Host System:

These steps have to be carried out on the host system!

Now we remove the IP address, nameservers, and hostname from the container:

vzctl set 777 --ipdel all --save
cat /dev/null > /vz/private/777/etc/resolv.conf
rm -f /vz/private/777/etc/hostname

Stop the container...

vzctl stop 777

... and go to the container directory:

cd /vz/private/777

Now we create our template as follows:

tar --numeric-owner -zcf /vz/template/cache/debian-7.0-amd64-minimal.tar.gz .

(Don't forget the dot at the end!)

Take a look at the /vz/template/cache directory, you should find your new template there (beside any other templates):

ls -lh /vz/template/cache
[email protected]:/vz/private/777# ls -lh /vz/template/cache
total 194M
-rw-r--r-- 1 root root  80M Feb  7  2011 debian-6.0-amd64-minimal.tar.gz
-rw-r--r-- 1 root root 114M Sep  1 22:55 debian-7.0-amd64-minimal.tar.gz
[email protected]:/vz/private/777#

Congratulations, you have just created your first OpenVZ template!

Now let's create a container from this template for testing purposes - I use the container ID 888 here:

vzctl create 888 --ostemplate debian-7.0-amd64-minimal

Start it...

vzctl start 888

... and check if it's running successfully by checking its process list - if it did not start you should get no process list.

vzctl exec 888 ps ax
[email protected]:/vz/private/777# vzctl exec 888 ps ax
    1 ?        Ss     0:00 init [2]
  316 ?        Sl     0:00 /usr/sbin/rsyslogd -c5
  326 ?        Ss     0:00 /usr/sbin/cron
  335 ?        Ss     0:00 /usr/bin/dbus-daemon --system
  344 ?        Ss     0:00 /usr/sbin/sshd
  358 ?        Rs     0:00 ps ax
[email protected]:/vz/private/777#

Ok, it's working as expected, so we can stop and remove this test container:

vzctl stop 888
vzctl destroy 888
rm /etc/vz/conf/888.conf.destroyed

We also don't need the container anymore from which we created our template, so we can remove it as well:

vzctl destroy 777
rm /etc/vz/conf/777.conf.destroyed

If you want to use your new template as the default template when you create new containers (so that you don't have to specify --ostemplate debian-7.0-amd64-minimal in the vzctl create command), modify the DEF_OSTEMPLATE variable in /etc/vz/vz.conf as follows:

vi /etc/vz/vz.conf


Share this page:

Suggested articles

2 Comment(s)

Add comment


By: Vyacheslav

Thanks a lot!

By: Slayer

In "vi /etc/init.d/ssh_gen_host_keys", the correct is "rm -f $0" instead "rm -f \$0", only you using cat <<EOF> is necessary backslash before $0.


But here, ssh_gen_host_keys dont start after the boot :(