[pve-devel] Create template from CT

Dietmar Maurer dietmar at proxmox.com
Thu Mar 6 06:31:17 CET 2014


> >Installing software that way is a bad idea. I always create debian
> >packages before installing something.
> 
> That is not correct. One example is any software from Oracle.com - it needs
> to be installed using the Oracle installer because it makes many config files
> which are specific to the target environment.

Oracle should really provide packages.

>  In addition, what if the target
> CT is not Debian? 

Then you need an RPM package.

> The same issue exists with RPMs btw. Using a Debian
> package would not be supported by the vendor as a method of install and be
> a huge undertaking to do in the first place.
> 
> >> So are you saying that
> >> because there is nothing written down on OpenVZ, Proxmox will not
> >> support this feature? I basically want to create a template from an existing
> >> CT.
> 
> >IMHO creating an OpenVZ template is always a manual process, because you
> >need to carefully remove unwanted files/data/daemons.
> 
> If it's created from an existing template, what is there to remove? I'm not
> talking about creating a template from scratch here - as that's not really
> possible anyway using just a CT. I'm talking about creating a new template
> from an existing CT.

secret keys, passwords, unique ids, IPs, logs, ....

> I'd really like to get this feature available in Proxmox as every time I create a
> new template I have to SSH to the box and tar the CT folder. It's such a
> simple process and it drives me crazy every time I have to SSH to the box.
> 
> Is there any way of getting this feature into Proxmox - even if it means
> completely changing how it's implemented, or is this just a no-go from the
> start?

I see the following problems with this approach:

1.) Our security model assumes the OpenVZ templates do not contain secrets (templates
are readable by all storage users). So a simple copy of existing VMs is likely
to leak passwords and other secret data!

2.) Many software packages (and admins) copy IP addresses or hostnames into
configuration files. This will lead to non-functional templates.

3.) Containers can contain custom network configs (veth, ...). This will also
lead to non-functional templates.

Point 1 is a no-go for me.
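
An added example, not part of the original message and not Proxmox code: a heuristic pre-template audit that walks an unpacked CT root and reports the kinds of leftovers named above (secret keys, password hashes, unique ids, IPs in config files, logs). The checklist in `PATH_RULES` and the names `audit_ct_root` and `has_host_ip` are assumptions made for illustration.

```python
import fnmatch
import os
import re

# Assumed checklist (not a Proxmox-defined list); patterns are relative to the CT root.
PATH_RULES = [
    ("secret key", "etc/ssh/ssh_host_*_key"),
    ("secret key", "root/.ssh/id_*"),
    ("secret key", "home/*/.ssh/id_*"),
    ("unique id", "etc/machine-id"),
    ("log", "var/log/*"),
    ("log", "root/.bash_history"),
]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def has_host_ip(text):
    """True if text holds a valid IPv4 address outside 0.0.0.0/8 and 127.0.0.0/8."""
    for match in IPV4.findall(text):
        octets = [int(o) for o in match.split(".")]
        if max(octets) <= 255 and octets[0] not in (0, 127):
            return True
    return False


def audit_ct_root(root):
    """Return sorted (category, item) findings for an unpacked CT root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or not os.path.isfile(full) or os.path.getsize(full) == 0:
                continue  # an empty machine-id or truncated log carries nothing to leak
            for category, pattern in PATH_RULES:
                if fnmatch.fnmatch(rel, pattern) and not rel.endswith(".pub"):
                    findings.add((category, rel))
            if not rel.startswith("etc/"):
                continue  # content checks are limited to configuration files
            with open(full, errors="replace") as fh:
                text = fh.read()
            if rel == "etc/shadow":
                for line in text.splitlines():
                    user, _, rest = line.partition(":")
                    if rest.split(":")[0].lstrip("!").startswith("$"):
                        findings.add(("password hash", "etc/shadow:" + user))
            elif has_host_ip(text):
                findings.add(("ip address", rel))
    return sorted(findings)
```

An empty result only means none of these assumed patterns matched; application-specific credentials and hostnames still need a manual review.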

 




