Best Practices for cPanel Virtualization Templates


Last modified: April 10, 2020

Overview

While we recommend and support the use of the usual cPanel & WHM installation process, it may require more time than is necessary for Virtual Private Server (VPS) and Virtual Machine (VM) hosts. Instead, you can provision VPS or VM systems with a templated cPanel & WHM environment.

Note:

If you offer template installations of cPanel & WHM, we recommend that you become a cPanel Partner.

  • cPanel Partners can use our API to automatically provision their own cPanel & WHM, CloudLinux™, and KernelCare licenses through their billing system.

  • cPanel Partners can also enable or disable some very specific options within WHM.

  • For more information, see our Partner NOC requirements.

Get a development license

Before you begin, apply for a free development license via our Developer License Application.

  • Apply for one license per template.

  • IP addresses are specific to each template.

Create a minimal installation for templating

When you create templates, we recommend:

  • Creating only 64-bit templates. cPanel & WHM does not support 32-bit systems.

  • Keeping templates small (virtual disks of 10 GB or smaller). After you convert the template for a customer’s VPS, use your virtualization software to automatically expand its virtual disk capacity to a 20 GB minimum.

Pre-installation configuration files

More:
  • We provide extensive documentation on preconfiguring cPanel & WHM. For more information, read our Installation Guide.

  • In most cases, preconfiguring these files removes the need to log in to the VPS or VM before you grant access to your customer.

We recommend that you customize the following files:

Update configuration settings — /etc/cpupdate.conf

This file allows you to configure cPanel & WHM’s release tier and other update settings.


Update download location settings — /etc/cpsources.conf

This file determines the locations that your server downloads updates from.

  • By default, cPanel & WHM servers retrieve updates directly from cPanel, L.L.C. through our httpupdate.cpanel.net pool of update servers.

  • If you are a cPanel Partner with your own FastUpdate server, you can edit the HTTPDUPDATE setting to only update from that FastUpdate server:

    HTTPUPDATE=fastupdate.example.com

  • For more information, read our Customize Your Installation documentation.


Basic server settings — /etc/wwwacct.conf

This file contains basic server information for cPanel & WHM, including the IP address, nameservers, and home directory.


cPanel & WHM configuration settings — /var/cpanel/cpanel.config

This file contains extensive configuration options for cPanel & WHM.

  • This includes most of the settings that appear in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings) as well as other settings throughout cPanel & WHM.

  • For more information, read our The cpanel.config File documentation.


cPanel & WHM installation

After you finish preconfiguring your installation, you can install cPanel & WHM. For more information, read our Installation Guide.

Post-installation tasks

After you have successfully installed cPanel & WHM, you can set new defaults. You can also secure SSH or update your security configuration.

Warning:
  • We recommend that you do not log in to WHM while making the template. If you do, remove the /etc/.whostmgrft file before publishing the template.

  • Do not shut down the VM to create the template until after you perform these steps.

Prevent locked licenses

To ensure that cPanel, L.L.C. doesn’t lock your development license, we strongly recommend creating one VM per template and maintaining it. This will:

  • Require one license and one IP address per templating VM.

  • Ensure that cPanel, L.L.C. doesn’t lock your license or licenses.

  • Allow you to start the VM again to perform updates.

Run the following commands to ensure that cPanel, L.L.C. does not lock your license:

  • /scripts/restartsrv_chkservd --stop
  • /scripts/restartsrv_cpsrvd --stop
  • rm -f /usr/local/cpanel/cpanel.lisc

The following BASH script runs these commands:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#!/bin/bash

readonly PROGNAME=$(basename $0)
readonly PROGDIR=$(readlink -m $(dirname $0))
readonly ARGS="$@"

is_file() {
    local file=$1
    [[ -f $file  ]]
}

is_dir() {
    local dir=$1
    [[ -d $dir  ]]
}

main() {
    is_dir /usr/local/cpanel \
    && /scripts/restartsrv_cpsrvd --stop \
    && /scripts/restartsrv_chkservd --stop
    is_file /usr/local/cpanel/cpanel.lisc \
        && rm -f /usr/local/cpanel/cpanel.lisc
    is_file /etc/.whostmgrft \
        && rm -f /etc/.whostmgrft
    echo "You should now shut down this instance and generate the template."
}

main

Avoid security vulnerabilities

To avoid security issues before you finalize your template:

  • Remove the generated SSH host keys and temporary files.

  • Clear the hostname from within the operating system and the /etc/wwwacct.conf file.

Finalize your template

Your templates must meet, and we recommend that they exceed, our system requirements. Most providers offer a few different templates.

Note:

Each VPS or VM needs a SWAP file or partition. Partitions must have at least 256 MB.

Finalization tasks

After you finish the post-installation tasks, and before you deploy your VPS or VM, finalize your template. Make certain to perform each of the following actions:

  • Update the ADDR value in the /etc/wwwacct.conf file with the main IP address for the VPS or VM.

  • Automatically run the /usr/local/cpanel/bin/set_hostname script on the first boot of the image before any cPanel & WHM services start. You can either randomize the hostname or set the hostname based on your customer’s choice.

  • If you run a 1:1 NAT environment, run the /scripts/build_cpnat script to build your NAT file.

  • Run the /scripts/rebuildhttpdconf script to rebuild your Apache configuration with the correct addresses.

The following BASH script performs all of these tasks except for updating the ADDR value:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/bin/bash

readonly PROGNAME=$(basename $0)
readonly PROGDIR=$(readlink -m $(dirname $0))
readonly ARGS="$@"
readonly HOSTNAME=$(hostname --fqdn)
readonly CPHULKPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')
readonly MSECPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')
readonly ESTATSPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')
readonly LPROTPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')
readonly RCUBEPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')
readonly MYSQLPASS=$(/usr/local/cpanel/3rdparty/bin/perl -MCpanel::PasswdStrength::Generate -e 'print Cpanel::PasswdStrength::Generate::generate_password(14)')

is_file() {
    local file=$1
    [[ -f $file  ]]
}

is_dir() {
    local dir=$1
    [[ -d $dir  ]]
}

main() {
    is_dir /usr/local/cpanel \
        && /usr/local/cpanel/bin/set_hostname ${HOSTNAME} \
        && /usr/local/cpanel/bin/checkallsslcerts --allow-retry \
        && /scripts/build_cpnat \
        && /scripts/rebuildhttpdconf \
        && /scripts/mysqlpasswd root ${MYSQLPASS} \
    is_file /var/cpanel/hulkd/password \
        && /scripts/mysqlpasswd cphulkd ${CPHULKPASS} \
        && echo -e "user=\"cphulkd\"\npass=\"${CPHULKPASS}\"">/var/cpanel/hulkd/password \
        && /scripts/restartsrv_cphulkd
    is_file /var/cpanel/modsec_db_pass \
        && /scripts/mysqlpasswd modsec ${MSECPASS} \
        && echo ${MSECPASS} >/var/cpanel/modsec_db_pass
    is_file /var/cpanel/roundcubepass \
        && /scripts/mysqlpasswd roundcube ${RCUBEPASS} \
        && echo ${RCUBEPASS} >/var/cpanel/roundcubepass
    is_file /var/cpanel/eximstatspass \
        && /scripts/mysqlpasswd eximstats ${ESTATSPASS} \
        && echo ${ESTATSPASS} >/var/cpanel/eximstatspass \
        && /scripts/restartsrv_eximstats
    is_file /var/cpanel/leechprotectpass \
        && /scripts/mysqlpasswd leechprotect ${LPROTPASS} \
        && echo ${LPROTPASS} >/var/cpanel/leechprotectpass
}

main

Deployment tasks

When you deploy the customer’s VPS, you must automatically update some files.

  • If you use the libguestfs virt-sysprep command, you can do this via the --firstboot or --firstboot-command options.

    Warning:

    If you use a tool such as libguestfs virt-sysprep to help finalize your template, ensure that you do not accidentally remove any user accounts or cron jobs.

  • If you do not use the libguestfs command, consult your hypervisor’s documentation for an alternative option to run scripts or commands upon first boot.

Updating your templates over time

As cPanel, L.L.C. releases updates, you will need to update your templates.

  • To avoid this situation, plan regular updates on all of your templates.

  • To run a cPanel & WHM update for your template, run the following commands:

    1
    2
    
    yum update -y
    /scripts/upcp

Important:

Before you shut down the VM or VPS to recreate the template, run the same commands from the Prevent locked licenses section above. If you don’t, your license may become locked.

Common OpenVZ and Virtuozzo issues

You may experience some common issues when you use OpenVZ or Virtuozzo.

Hostnames

On CentOS, CloudLinux, or Red Hat® Enterprise Linux® 7, your hostname may not meet the requirement for a Fully Qualified Domain Name (FQDN).

  • Virtuozzo controls the hostname via the VPS configuration (the --hostname option for the vzctl or prlctl commands).

  • If you set the hostname manually, Virtuozzo will reset the hostname on the next reboot. Make sure to set up the full hostname correctly after you provision the VM. cPanel & WHM requires an FQDN.

Quotas

OpenVZ and Virtuozzo require you to enable second-level quotas, which can cause quota-initiation issues. For more information, read:

Jailshell

Jailshell requires specific steps to enable a full proc mount. For more information, read our How to Troubleshoot Jailshell Problems on a Virtuozzo or OpenVZ VPS documentation.

Additional Documentation