Templating for KVM : Trimming The Fat
Hey there LowEndTalk,
Just wanted to get a quick consensus on whether the following is acceptable:
[[email protected] ~]# python ps_mem.py
 Private  +   Shared  =  RAM used       Program
320.0 KiB +  79.5 KiB = 399.5 KiB       auditd
656.0 KiB +  98.5 KiB = 754.5 KiB       crond
492.0 KiB + 279.0 KiB = 771.0 KiB       mingetty (6)
728.0 KiB + 127.0 KiB = 855.0 KiB       init
264.0 KiB + 689.5 KiB = 953.5 KiB       udevd (2)
952.0 KiB + 106.5 KiB =   1.0 MiB       rsyslogd
  1.1 MiB + 115.5 KiB =   1.2 MiB       bash
  2.9 MiB + 908.5 KiB =   3.8 MiB       sshd (2)
---------------------------------
                          9.8 MiB
=================================

[[email protected] ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           238         51        186          0          2         14
-/+ buffers/cache:         34        204
Swap:            0          0          0

[[email protected] ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-LogVol00  4.7G  761M  3.7G  17% /
/dev/vda1                      248M   33M  203M  14% /boot

[[email protected] ~]# ioping -c10 /boot
...
--- /boot (ext4 /dev/vda1) ioping statistics ---
10 requests completed in 9.0 s, 208.3 k iops, 813.8 MiB/s
min/avg/max/mdev = 3 us / 4 us / 5 us / 0 us

[[email protected] ~]# ioping -c10 /boot -s 64k
...
--- /boot (ext4 /dev/vda1) ioping statistics ---
10 requests completed in 9.0 s, 44.2 k iops, 2.7 GiB/s
min/avg/max/mdev = 17 us / 22 us / 25 us / 2 us
We are preparing another round of completely up-to-date templates for all of our Linux operating systems (and maybe even for some other OSes, we're not quite sure yet.) The above is the output of various commands from our os-linux_centos_6.5-x86_64 template, which is not meant to be minimal by any means, having the following base packages:
http://pastie.org/private/u2bul9loty8qtiyqm95sg
So the question is, what can we remove to further improve the image? What optimizations would you like to see put in place by default on the image that would not already be there from the Minimal installation (via a normal media for example.)
We have applied the RedHat recommended tuned profiles, as well as various tweaks optimized for 10Gbps internal links and use with VirtIO networking and storage, but are a bit stumped as to how we could further optimize the images.
We will be releasing the template, as well as full instructions as to how we get it to here, in our Provider Template Database, which we plan to release later this month. It is specifically designed for providers to have stable and up-to-date templates from which to provide their customers services, or to distill their own appliances from. The PTD is great for consumers and end-user customers too, as they can pick and choose appliances to use with any provider that allows you to upload your own templates or ISO installation media.
EDIT: The template's current sealed size is 255.98M, and it contains contextualization scripts to support any host environment's contextualization engine / metadata provider (including cloud-init and OpenNebula's one-context scripts.)
Comments
@GoodHosting great work on squeezing template.
Thanks @drserver, we plan to release these templates as free to download and use for KVM, both types of XEN, and a few other platforms that are capable of running a similar format of disk image. (Hell, you could probably use them for OpenVZ even, although some repackaging would be required of course.)
Nice! Can't wait for the release, another great product from GoodHosting.
@lewissue you should probably stop before you get banned...
I honestly can't tell if that one is sarcastic or not, as we have a pretty unlucky history so far; but strive to do better over time. As per this thread, I'd like community input on how to further strip down the installations, there's not any details about the PTD really (that's not the point of the post, haha.)
Not sarcasm mate.
Ahh, thanks then. Any ideas on how we can improve the images further?
As well, does anyone have any specific appliance or distro requests?
Are you going for minimal RAM usage? If yes, you can also replace OpenSSH, rsyslogd and probably bash with less RAM hungry alternatives. But that might create compatibility issues.
The idea is to provide minimalistic (but not "bare minimal") templates that contain all the necessary system tools and functions required to use a system, which include things like iproute, arping, busybox and other tools that might be required if one would need to debug their system's networking, disk, or something else. That's why the images come with a crash kernel and kdump / busybox installed, as debugging tools.
Now sure, we could offer alternative "bare minimal" templates too; but we would like to start out with minimalist templates that just about anyone can use, without any major drawbacks (such as compatibility issues, or bloat.) That is why we are only adding additional packages where we think they are required, and not just 'nice'.
That being said, I have removed the following unnecessary packages:
wget (can be installed easily if required.), arp-scan (not required), a few firmware packages that were obsolete / not required by any standard hypervisor that I'm aware of existing, nano (simply not required, can be installed if needed, vim comes with CentOS anyways.)
The reason that we opened with the RAM usage being minimalistic, is that these templates are meant to be built for any resources (we've been thinking of an offer for a 64MB yearly KVM for example, which would require very lean templates like this.) As such, many system services that are unnecessary are simply disabled by default, and can be re-enabled easily by the user if they want them.
Thread cleaned up.
I think that's the best way to go. Minimal to me just means it's not loaded with much more than core system functions + ssh, a couple tools included like wget/nano never hurt. I just don't want a whole web server package and samba and bind and a bunch of other crap in there.
I typically have this problem with OpenVZ hosts, some create their own templates while others just use the defaults and there are always holes in the defaults. With their Debian minimal templates I'm always reconfiguring locales and inevitably need to install dialog or something else within the first 40 seconds.
wget/nano seem small enough that I feel they should just be included, but it's not a hassle to install those later.
Looks like you're on the right track though. Strip it down but don't start replacing stuff with the 'low memory' alternatives, would just create tons of headaches for you and your customers.
Agreed, as I have seen many OpenVZ templates come pre-installed with Apache (seriously guys, what were you thinking?) That's just the most obvious example that comes to mind; but I know there are other offending templates out there that a lot of people use.
That is definitely the idea: if someone wants an ultra low memory system, then I think they are better off using tuxlite, minix, or one of the other obscure *nix distributions that we also plan on packaging and adding to the repository we'll provide. We do want most of our CLI images to work on our minimum plan however, the 256M KVM. I would not expect some... (CentOS 7 for example) to work on 64M KVM without some major services being removed (due to the systemd bloat.)
The GUI packages shoot for a more modest 384M-512M for older distributions (CentOS 6, Debian 6, etc.) and (sadly, due to CentOS 7) around 768M-1024M for some of the more bloated distributions using the latest bloatware desktop packages.
Kill auditd? For a quick .3MB saving?
Heh, but that would require making changes that would go against the security of a standard Linux distribution. For this reason, we decided not to touch SELinux or AppArmor; anyone using that distribution should be the one to make that choice (whether they want to use it or not.) And users that do not make any decision at all should get the best out of the security provided by the base system (such as the default level of SELinux or AppArmor if it's included in that distro, or auditd, etcetera.)
We may have more "hardened" alternative templates in the repository too, for those that are security paranoid, including software such as fail2ban and shorewall pre-installed.
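A post-build check that a trimmed template still boots its baseline security services and has not picked up anything unexpected, as an added example that is not part of the thread or of GoodHosting's template tooling. The required and allowed service names are assumptions; the input is the list of services enabled at boot, one bare name per line (for instance from chkconfig --list on CentOS 6 or systemctl list-unit-files --state=enabled on CentOS 7, with the .service suffix stripped), and the sample below is constructed.

```shell
#!/bin/sh
# Added example (not the thread's or GoodHosting's code): audit the set of
# boot-enabled services in a trimmed template against a baseline.
# Findings: MISSING = a required security service is no longer enabled;
#           EXTRA   = an enabled service that the template does not allow.

# Assumed baseline for a CentOS 6 style image.
REQUIRED="auditd rsyslog sshd"
ALLOWED="auditd rsyslog sshd crond udev-post network tuned iptables"

# in_list NAME "a b c": succeed if NAME is one of the words (or lines) in $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# audit_services: reads enabled service names from stdin, prints one finding
# per line, returns 0 when the template matches the baseline and 1 otherwise.
audit_services() {
    rc=0
    enabled=$(cat)
    for req in $REQUIRED; do
        if ! in_list "$req" "$enabled"; then
            echo "MISSING  $req (required security service not enabled)"
            rc=1
        fi
    done
    for svc in $enabled; do
        if ! in_list "$svc" "$ALLOWED"; then
            echo "EXTRA    $svc (not on the template allow-list)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a build where auditd was dropped and httpd crept in.
SAMPLE="crond
httpd
network
rsyslog
sshd
tuned"

audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_services
}

audit_sample || echo "template deviates from baseline"
```

Run on a real image the same function is fed from the init system rather than from the embedded sample; the point of keeping auditd and rsyslog in REQUIRED is that a template build that quietly loses them (the 0.3 MB saving discussed above) fails the check instead of shipping.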
I am more interested in the stuff that gets added when you install a full GUI like Kubuntu.
Lots of stuff related to bluetooth, wireless and sound are good start. Any ideas?
Idk about others but I'm usually not using openldap or sqlite, are they deps?
I'm honestly not sure why OpenLDAP was there, but some funky stuff started happening when I attempted to remove sqlite (I would assume it's a dependency somewhere, but I'm not entirely sure of what; as yum didn't remove anything else when I asked it to remove sqlite.)
libc.so (GLIBC) shows as a dependency on my system, probably acting up?
So, here's another question guys:
Should I recompile base packages (ones that offer no difference in compatibility), such as offering a bash4 pre-installed (side-installed into /opt/ of course) as the default shell, so that you get the bonuses of having that, but none of the drawbacks? Or should that only be included on (yet another) alternative template (something like "CentOS + Niceties")?
As well, I've almost finished the CentOS 7 equiv. of the above, and will post results.
Here are the unfortunate results for CentOS 7...
What a bloated Operating System
CentOS 7 came out the worst on every test.
Resulting Image Size: 358M [ 376273920 bytes ]
You can actually get rid of: avahi-daemon, NetworkManager, tuned, and firewalld.
Instead of NetworkManager, just use the good old "network" service. It's still there waiting for you to remove NetworkManager
firewalld is just a front end for iptables, I don't think it's required.
edit: But yes, I do agree it's more bloated than CentOS 6... and that's very unfortunate. Starting to look like Ubuntu :P
I wouldn't remove them (as they are included in the upstream "minimal" installation, and my intent is not to strip down the installation past what can easily be installed. I won't skimp on basic security services / software.)
That being said, I could disable some of these services from the standard boot, and offer them as simple one-command re-enable (./revert-template firewalld for example, to revert it to the upstream standard configuration and boot-up.)
tuned is enabled and installed on all the templates, as KVM benefits greatly from tuned's automatic virtual-guest tuning, which can automatically apply a lot of obvious systemctl tweaks based on system loads; it's a nice thing to have that doesn't hurt the system too much either way.
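One way the "./revert-template firewalld" command described above could be implemented on a systemd (CentOS 7) template, as an added example that is not GoodHosting's script. The list of revertable services is an assumption; the tool only undoes the template's own "installed but disabled" choice, so it refuses any unit outside that list rather than acting as a general root-level enabler. SYSTEMCTL can be overridden (for example SYSTEMCTL=echo) to dry-run without root.

```shell
#!/bin/sh
# revert-template: re-enable a service that the template ships installed but
# disabled, restoring the upstream default of "enabled at boot and running".
# Added example, not GoodHosting's script; the service list is an assumption.

SYSTEMCTL="${SYSTEMCTL:-systemctl}"
# Services the template disables but keeps installed (assumed list, CentOS 7).
REVERTABLE="firewalld NetworkManager avahi-daemon tuned"

# is_revertable NAME: succeed if NAME is one of the template-disabled services.
is_revertable() {
    for s in $REVERTABLE; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# revert_template NAME: enable and start NAME; returns 2 on usage error,
# 1 if NAME is not revertable or systemctl fails, 0 on success.
revert_template() {
    svc="$1"
    if [ -z "$svc" ]; then
        echo "usage: revert-template <service>" >&2
        echo "revertable services: $REVERTABLE" >&2
        return 2
    fi
    # Refuse anything outside the list: the tool exists to undo the template's
    # own changes, not to enable arbitrary units as root.
    if ! is_revertable "$svc"; then
        echo "revert-template: '$svc' is not a service this template disabled" >&2
        return 1
    fi
    "$SYSTEMCTL" enable "$svc" && "$SYSTEMCTL" start "$svc"
}

if [ $# -gt 0 ]; then
    revert_template "$1"
fi
```

Because the packages stay installed, a user who reverts firewalld gets the distribution's own unit file and configuration, updated by yum like everything else, which is the compatibility argument for disabling rather than removing.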