Difference between revisions of "Diskless netboot"
Line 40: | Line 40: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
mkdir -p /srv/nfsroot | mkdir -p /srv/nfsroot | ||
+ | chmod -R 777 /srv/nfsroot | ||
</syntaxhighlight> | </syntaxhighlight> | ||
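Review bot: chmod -R 777 /srv/nfsroot in this hunk makes the whole client root image world-writable on the server, so any local account, and through the rw export any host the export trusts, can alter the system every diskless client boots. If the intent is to let the client's root user write despite the default root_squash mapping, add no_root_squash to the export for the client network instead, and keep /srv/nfsroot root-owned with mode 755.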
Line 55: | Line 56: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | /srv/nfsroot 192.168.2. | + | /srv/nfsroot 192.168.2.*(rw,async,insecure,no_subtree_check) |
</syntaxhighlight> | </syntaxhighlight> | ||
− | Adjust "192.168.2. | + | Adjust "192.168.2.*" to your own network address |
+ | |||
+ | * rw : Allow clients to read as well as write access | ||
+ | * ro : Read only access | ||
+ | * insecure : Tells the NFS server to use unpriveledged ports (ports > 1024). | ||
+ | * no_subtree_check : If the entire volume (/users) is exported, disabling this check will speed up transfers. | ||
+ | * async : async will speed up transfers. | ||
+ | |||
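Review bot: the description of insecure is wrong: the option does not make the server use unprivileged ports, it makes the server accept client requests arriving from source ports above 1023 (not 1024), and the kernel NFS client uses a privileged port by default, so a diskless root usually does not need it. Also in this hunk: the no_subtree_check bullet talks about exporting /users, copied from somewhere else, while the export here is /srv/nfsroot; async should say that the server acknowledges writes before they reach disk, so a server crash loses data the client believes written, which undercuts the page's reason for centralizing logs on NFS; ro is listed next to rw without saying they are alternatives; "unpriveledged" is misspelled. For the export line, prefer the address/prefix form that exports(5) documents for IP networks (192.168.2.0/24, which the firewall script later in this revision already uses) over the 192.168.2.* wildcard.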
Line 67: | Line 75: | ||
You must restrict the access to your NFS server by a firewall script and filtering BEFORE reaching the LAN ! | You must restrict the access to your NFS server by a firewall script and filtering BEFORE reaching the LAN ! | ||
+ | |||
+ | |||
+ | |||
+ | NFS is using dynamic ports numbers because it runs over '''rpcbind'''. Making NFS using specifics port is a pain in the ass !! :( | ||
+ | |||
+ | So, instead of that you should allow your LAN communication. | ||
+ | |||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | IPTABLES=`which iptables` | ||
+ | LAN_ADDRESS="192.168.2.0/24" | ||
+ | |||
+ | # Allow LAN communication | ||
+ | $IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT | ||
+ | $IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ==Management== | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | service nfs-kernel-server {status|start|stop|restart} | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ==Test the server== | ||
+ | |||
+ | |||
+ | Install the NFS v4 client: | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | apt-get install nfs-common | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | To mount the default path: | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | mount -t nfs nfs-server:/ /mnt | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | You'll see: "/mnt/srv/nfsroot" | ||
+ | |||
+ | |||
+ | It's better to do: | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | mount -t nfs nfs-server:/srv/nfsroot /mnt | ||
+ | </syntaxhighlight> |
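Review bot: the firewall fragment does not restrict anything on its own: both rules are ACCEPTs and no default policy is set, so unless INPUT already has a DROP policy every host still reaches rpcbind and NFS, and even with a DROP policy the rule admits any LAN host to every port, which is broader than "restrict the access to your NFS server". Set the policy explicitly (iptables -P INPUT DROP) and limit -s to the diskless clients' addresses or to the subnet you actually export to. Minor: "Install the NFS v4 client: apt-get install nfs-common" repeats a package this revision already installs on the server in the NFS support step; say it is for a separate test client.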
Revision as of 14:42, 22 May 2014
Diskless server / workstation using netboot
NFS is a network file system protocol that lets a server share files and directories over the network. For diskless clients this means:
- All the clients share one installation: binaries, configuration files and so on.
- Each client runs its own instance of the operating system on top of that shared image.
- Logs are kept on the common NFS server, so nothing is lost when a client reboots.
You must have a working DHCP server and netboot setup before starting this part.
Requirements:
Installation
NFS support
apt-get install nfs-kernel-server nfs-common
Debootstrap (manage netboot image)
apt-get install debootstrap
NFS server setup
Preparation
You have to create a dedicated directory on your server to host the client image. Keep it owned by root with ordinary permissions: do not make it world-writable (chmod -R 777), since that lets any local user, and through the rw export any trusted host, modify the system every client boots. If the client's root user must write into the image, grant that on the export line with no_root_squash rather than with file permissions.
mkdir -p /srv/nfsroot
chmod 755 /srv/nfsroot
Configuration
The NFS configuration is done in the /etc/exports file:
vim /etc/exports
Add a line like this:
/srv/nfsroot 192.168.2.0/24(rw,sync,no_root_squash,insecure,no_subtree_check)
Adjust "192.168.2.0/24" to the network your diskless clients live on, and keep it as narrow as possible: a plain (AUTH_SYS) export trusts any host that matches, and with no_root_squash such a host gets root over the image. The address/prefix form is the one exports(5) documents for IP networks; prefer it to a wildcard such as "192.168.2.*".
- rw : clients may read and write (a client root file system needs this)
- ro : read-only access; the alternative to rw, not combined with it
- sync : reply only after a write has reached stable storage (the default). async replies first and is faster, but if the server crashes it loses writes the client believes done, including the logs you are centralizing here
- no_root_squash : do not map the client's uid 0 to nobody; required so the client's root can manage its own root file system, and the reason the export must be limited to the client subnet
- insecure : accept requests from client source ports above 1023. The kernel NFS client uses a privileged source port by default, so try without this option first
- no_subtree_check : skip the per-request check that a file lies inside the exported subtree; recommended when exporting a whole directory such as /srv/nfsroot, it is faster and avoids problems with files renamed while a client has them open
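The following is an added example and not code from the original page: a small sh/awk linter for /etc/exports entries that flags the settings discussed above (exports to every host, the wildcard client form, no_root_squash granted to anything but an explicit address or network, insecure, and async). The sample exports lines are constructed, and the function names audit_exports and count_findings are assumptions of this example.

```shell
# Added example, not from the original page: lint exports(5) entries for the
# options discussed above. Pure sh + awk, runs offline on a constructed sample.

# audit_exports FILE -> prints one finding per line; exit status is the number
# of findings (0 = nothing flagged)
audit_exports() {
    awk '
    function warn(msg) { n++; printf "%s:%d: %s\n", FILENAME, FNR, msg }
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {            # split "client(opt,opt,...)"
                client = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            # "/path (rw)" with a space before the options, or "*", exports to every host
            if (client == "" || client == "*") {
                warn(path ": exported to every host (" spec ")")
            } else if (client ~ /\*/) {
                warn(path ": wildcard client " client ", prefer a network such as 192.168.2.0/24")
            }
            # client root becomes root on the image: accept only for an explicit address/network
            if (opts ~ /(^|,)no_root_squash(,|$)/ && client !~ /^[0-9.]+(\/[0-9.]+)?$/) {
                warn(path ": no_root_squash for " (client == "" ? "every host" : client))
            }
            if (opts ~ /(^|,)insecure(,|$)/) {
                warn(path ": insecure accepts requests from unprivileged source ports")
            }
            if (opts ~ /(^|,)async(,|$)/) {
                warn(path ": async can lose writes (including logs) if the server crashes")
            }
        }
    }
    END { exit n }' "$1"
}

# count_findings FILE -> number of findings as a plain integer
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }

# Constructed sample: the page's original line, a tightened line, and two
# classic mistakes (export to "*", and a space before the option list).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample exports file
/srv/nfsroot 192.168.2.*(rw,async,insecure,no_subtree_check)
/srv/nfsroot 192.168.2.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/public *(ro,sync)
/srv/oops (rw,no_root_squash)
EOF

audit_exports "$SAMPLE" || echo "$? finding(s) in $SAMPLE"
```

The linter only reads the file. After editing /etc/exports on the server, apply it with exportfs -ra and check the options the server actually uses with exportfs -v; that output is the authoritative view, since it includes defaults the file does not spell out.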
Security
Like TFTP, this part is insecure: a plain (AUTH_SYS) NFS export identifies clients by source IP address only, so anyone who can reach the server from an allowed address can read, and with rw modify, the image every diskless client boots.
You must restrict access to the NFS server with a firewall and filter traffic before it reaches the LAN.
NFS uses dynamic port numbers because mountd, statd and lockd register with rpcbind; only the NFS service itself sits on a fixed port (tcp/2049, the only one NFSv4 needs). Pinning the other daemons to fixed ports is possible but fiddly.
So, rather than filtering by port, allow traffic from your LAN only and drop everything else.
IPTABLES=$(which iptables)
LAN_ADDRESS="192.168.2.0/24"

# Default-deny on INPUT: without it the ACCEPT rules below restrict nothing
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow LAN communication; "! --state INVALID" still drops malformed packets
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
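If you do want port-level rules instead of opening the whole LAN, the ports can be read from rpcbind. The following is an added example, not code from the original page: it turns "rpcinfo -p" output into per-port iptables rules scoped to the LAN. The rpcinfo listing is a constructed sample, the LAN_ADDRESS value is assumed, and the function names rpc_ports, rpc_rules and rule_count are this example's own.

```shell
# Added example, not from the original page: derive per-port firewall rules from
# "rpcinfo -p" output instead of admitting the whole LAN to every port. The
# listing below is constructed; the mountd, nlockmgr and status ports are random
# values of the kind that change on every restart, which is why port-based
# filtering of NFSv3 is painful.
LAN_ADDRESS="192.168.2.0/24"   # assumed client network, adjust to your own

# rpc_ports < rpcinfo-output -> unique "proto port service" lines, header dropped
rpc_ports() {
    awk 'NR > 1 && !seen[$3 FS $4]++ { print $3, $4, $5 }'
}

# rpc_rules < rpcinfo-output -> iptables commands accepting each registered
# port from the LAN only (tcp/2049 alone is enough for pure NFSv4 clients)
rpc_rules() {
    rpc_ports | while read -r proto port service; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT   # %s\n' \
            "$LAN_ADDRESS" "$proto" "$port" "$service"
    done
}

# Constructed "rpcinfo -p" output for a Debian nfs-kernel-server
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  46230  mountd
    100005    1   tcp  52911  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  39782  nlockmgr
    100021    1   tcp  35721  nlockmgr
    100024    1   udp  33895  status
    100024    1   tcp  40115  status'

# rule_count -> number of rules generated from the sample (one per proto/port pair)
rule_count() { printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules | wc -l | tr -d ' '; }

# On a real server replace the sample with:  rpcinfo -p | rpc_rules
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules
```

The generated rules are only valid until mountd, statd or lockd re-register with different ports, so either regenerate them after nfs-kernel-server starts or pin those daemons to fixed ports (rpc.mountd and rpc.statd take a -p option; lockd's ports are module parameters); clients that mount with NFSv4 only need tcp/2049 and never touch rpcbind at all.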
Management
service nfs-kernel-server {status|start|stop|restart}
Test the server
On a separate test client, install the NFS client tools (nfs-common includes the NFSv4 client):
apt-get install nfs-common
With NFSv4, mounting the server's root gives you the pseudo-filesystem, with the export under its full path:
mount -t nfs nfs-server:/ /mnt
You'll see the export at /mnt/srv/nfsroot.
It's better to mount the export directly:
mount -t nfs nfs-server:/srv/nfsroot /mnt
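Once the mount succeeds it is worth checking what the client actually negotiated, in particular the protocol version (which decides whether rpcbind ports matter) and the security flavour (sec=sys means the server trusts the client address alone). The following is an added example, not code from the original page: it reads /proc/mounts and reports those fields. The /proc/mounts excerpt is constructed, with assumed server name, addresses and options, and the function names are this example's own.

```shell
# Added example, not from the original page: after a test mount, read
# /proc/mounts to see what the client negotiated. The excerpt below is
# constructed (server name, addresses and mount options are assumed values).
SAMPLE_MOUNTS='nfs-server:/srv/nfsroot /mnt nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.2.50,local_lock=none,addr=192.168.2.1 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# nfs_mounts < /proc/mounts -> one "mountpoint source vers proto sec" line per NFS mount
nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        vers = "?"; proto = "?"; sec = "?"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            split(o[i], kv, "=")
            if (kv[1] == "vers")  vers  = kv[2]
            if (kv[1] == "proto") proto = kv[2]
            if (kv[1] == "sec")   sec   = kv[2]
        }
        print $2, $1, vers, proto, sec
    }'
}

# describe_mounts < /proc/mounts -> readable summary per NFS mount, spelling out
# that sec=sys means the server identifies this client by address only
describe_mounts() {
    nfs_mounts | while read -r mnt src vers proto sec; do
        note="server trusts the client address only (no Kerberos)"
        [ "$sec" = "sys" ] || note="authenticated with $sec"
        printf '%s: %s (NFSv%s over %s, sec=%s: %s)\n' "$mnt" "$src" "$vers" "$proto" "$sec" "$note"
    done
}

# sample_sec -> the security flavour found in the sample (used to check the parser)
sample_sec() { printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mounts | awk '{ print $5 }'; }

# On a real client run:  describe_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | describe_mounts
```

On a diskless client the interesting entry is the one mounted on /, which shows whether the root came up over NFSv4 (only tcp/2049 needed) or NFSv3 (rpcbind, mountd and lockd ports in play).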