Difference between revisions of "Diskless netboot"
(→NFS client image) |
|||
| Line 170: | Line 170: | ||
| − | |||
| − | + | ==Configure client distribution== | |
| + | |||
| + | |||
| + | ===Access distribution=== | ||
| − | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# "mount" the system | # "mount" the system | ||
chroot /srv/nfsroot/trusty/ | chroot /srv/nfsroot/trusty/ | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | From here you can perform operation as if you were on a separate machine. | ||
| + | |||
| + | Only the current distribution (= the client one) will be affected. | ||
| + | |||
| + | |||
| + | |||
| + | ===Adjust default login/password=== | ||
| + | |||
| + | First of all, you have to create / adjust the default user. | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
# Add new user | # Add new user | ||
adduser <username> | adduser <username> | ||
# Add user to sudoers group | # Add user to sudoers group | ||
usermod -a -G sudo <username> | usermod -a -G sudo <username> | ||
| − | |||
| − | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | Now you can use that user: | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | su <username> | ||
| + | sudo -s | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | You can check that you really are in the "Virtual machine" by checking "/srv/". It should be empty ! | ||
| + | ===Update sources.list and install key packages=== | ||
| + | |||
| + | Your client need to have some key packages in order to work. | ||
| + | |||
| + | Without these package even the NetBoot will fail !! | ||
| + | |||
| + | |||
| + | First of all: edit your sources.list | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | apt-get install vim | ||
| + | vim /etc/apt/sources.list | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | Put the following: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | ### Custom repositories list | ||
| + | # | ||
| + | # May 2014 - Guillaume Diaz | ||
| + | # This is an ajdustement of the default "debootstrap" sources.list | ||
| + | # This is required to provided update, security and advanced tools to all our clients | ||
| + | # | ||
| + | |||
| + | # Official repositories | ||
| + | deb http://se.archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse | ||
| + | deb http://se.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse | ||
| + | deb http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse | ||
| + | |||
| + | # Official updates | ||
| + | deb http://se.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse | ||
| + | |||
| + | # Canonical partners | ||
| + | deb http://archive.canonical.com/ubuntu trusty partner | ||
| + | |||
| + | # Community partners | ||
| + | deb http://extras.ubuntu.com/ubuntu trusty main | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | Update your package list: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | apt-get update && apt-get upgrade | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | Now, you can install the basic programs: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | apt-get update && apt-get upgrade | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | # NFS client. This is ABSOLUTELY MANDATORY ! That's the only way to mount the /root | ||
| + | apt-get install nfs-common | ||
| + | |||
| + | # NFS is a bit low, and if you're using many client it might result in time faults. | ||
| + | # You must install NTP to overcome this !! | ||
| + | apt-get install ntp ntpdate | ||
| + | |||
| + | # Basic set of utilities | ||
| + | apt-get install unzip zip | ||
| + | apt-get install make autoconf automake cpp gcc build-essential | ||
| + | apt-get install htop | ||
| + | apt-get install python3 | ||
| + | |||
| + | # JAVA (that is required for my application) | ||
| + | # Depending on your target usage you might not need it. | ||
| + | add-apt-repository ppa:webupd8team/java | ||
| + | apt-get update && apt-get upgrade | ||
| + | apt-get install oracle-java7-installer oracle-jdk7-installer | ||
| + | </syntaxhighlight> | ||
=Custom NetBoot configuration= | =Custom NetBoot configuration= | ||
Revision as of 10:31, 23 May 2014
Diskless server / workstation using netboot
NFS is a technology that allow you to share some files and folders over the network. So:
- All the clients will share the installation, configuration files and so on.
- Each client will run a dedicated instance of the operating system
- Logs will be centralized on the common NFS server - so we don't loose data on each reboot.
You must have a working DHCP server + NetBoot before starting this part.
Requirements:
Contents
Installation
NFS support
apt-get install nfs-kernel-server nfs-commonDebootstrap (manage netboot image)
apt-get install debootstrap
NFS server setup
Preparation
You have to create a dedicated folder on your server where you will host the client image.
mkdir -p /srv/nfsroot
chmod -R 777 /srv/nfsroot
Configuration
The NFS configuration is done in the /etc/exports file
vim /etc/exports
Add something like that:
/srv/nfsroot 192.168.2.0/24(ro,no_root_squash,async,insecure,no_subtree_check)
Adjust "192.168.2.0/24" to your own network address
- rw : Allow clients to read as well as write access
- ro : Read only access
- insecure : Tells the NFS server to use unpriveledged ports (ports > 1024).
- no_subtree_check : If the entire volume (/users) is exported, disabling this check will speed up transfers.
- async : async will speed up transfers.
- no_root_squash: This phrase allows root to connect to the designated directory.
- NOTE -
It's always a good idea to use Read-Only if you plan to share this disk.
That will avoid user to mess with your image!
Security
Like TFTP, this part is insecure !
You must restrict the access to your NFS server by a firewall script and filtering BEFORE reaching the LAN !
NFS is using dynamic ports numbers because it runs over rpcbind. Making NFS using specifics port is a pain in the ass !! :(
So, instead of that you should allow your LAN communication.
IPTABLES=`which iptables`
LAN_ADDRESS="192.168.2.0/24"
# Allow LAN communication
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
Management
service nfs-kernel-server {status|start|stop|restart}
Test the server
Install the NFS v4 client:
apt-get install nfs-common
To mount the default path:
mount -t nfs nfs-server:/ /mntYou'll see: "/mnt/srv/nfsroot"
It's better to do:
mount -t nfs nfs-server:/srv/nfsroot /mnt
NFS client image
There are different way to setup a NFS client image.
The main ones are:
- debootstrap
- copying the install from your server
- Manual install on a client, then, when the system is ready, copy everything to the NFS share
Debootstrap: setup client distribution
Setup distribution folder
You have to create one target for each distribution you want to serve:
mkdir -p /srv/nfsroot/trusty
chmod -R 777 /srv/nfsroot/trusty- NOTES -
- The folder name should match your NetBoot settings. Folder name = a LABEL in the NetBoot config.
- The folder name should match a Linux (Debian like) distribution name
Populate the content
cd /srv/nfsroot/trusty
debootstrap trusty /srv/nfsroot/trusty
Configure client distribution
Access distribution
# "mount" the system
chroot /srv/nfsroot/trusty/From here you can perform operation as if you were on a separate machine.
Only the current distribution (= the client one) will be affected.
Adjust default login/password
First of all, you have to create / adjust the default user.
# Add new user
adduser <username>
# Add user to sudoers group
usermod -a -G sudo <username>
Now you can use that user:
su <username>
sudo -sYou can check that you really are in the "Virtual machine" by checking "/srv/". It should be empty !
Update sources.list and install key packages
Your client need to have some key packages in order to work.
Without these package even the NetBoot will fail !!
First of all: edit your sources.list
apt-get install vim
vim /etc/apt/sources.list
Put the following:
### Custom repositories list
#
# May 2014 - Guillaume Diaz
# This is an ajdustement of the default "debootstrap" sources.list
# This is required to provided update, security and advanced tools to all our clients
#
# Official repositories
deb http://se.archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb http://se.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
# Official updates
deb http://se.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
# Canonical partners
deb http://archive.canonical.com/ubuntu trusty partner
# Community partners
deb http://extras.ubuntu.com/ubuntu trusty main
Update your package list:
apt-get update && apt-get upgrade
Now, you can install the basic programs:
apt-get update && apt-get upgrade
# NFS client. This is ABSOLUTELY MANDATORY ! That's the only way to mount the /root
apt-get install nfs-common
# NFS is a bit low, and if you're using many client it might result in time faults.
# You must install NTP to overcome this !!
apt-get install ntp ntpdate
# Basic set of utilities
apt-get install unzip zip
apt-get install make autoconf automake cpp gcc build-essential
apt-get install htop
apt-get install python3
# JAVA (that is required for my application)
# Depending on your target usage you might not need it.
add-apt-repository ppa:webupd8team/java
apt-get update && apt-get upgrade
apt-get install oracle-java7-installer oracle-jdk7-installerCustom NetBoot configuration
Basic configuration
You can setup your own netboot configuration.
To do so, you can re-use one of the syslinux templates:
# Create folders
mkdir /var/lib/tftpboot/custom
mkdir /var/lib/tftpboot/custom/pxelinux.cfg
# Create configuration files
cp /usr/lib/syslinux/pxelinux.0 /var/lib/tftpboot/custom
The pxelinux.cfg folder is mandatory. Inside you can provide:
- configuration for a specific IP @ or hostname
- configuration for a group
- default configuration (required)
Create the default configuration file:
vim /var/lib/tftpboot/custom/pxelinux.cfg/default
Put the following:
# Ubuntu 14.04
LABEL TRUSTY
kernel trusty/vmlinuz
initrd trusty/initrd.img
# Set NFS share as default root
append root=/dev/nfs nfsroot=192.168.2.2:/srv/nfsroot/trusty
# Prompt user for selection
PROMPT 0
TIMEOUT 30- Each LABEL is a specific configuration that will displayed on the NetBoot menu.
- PROMPT 1 = enable user prompt so you can choose the configuration
- TIMEOUT 30 = timeout (in seconds) before the default option is choosen
Note that I used a reference to "trusty/", that's a folder I need to create later on.
Create boot files
mkdir /var/lib/tftpboot/custom/trusty
# Copy current boot files
cp /boot/vmlinuz-3.2.0-4-amd64 /var/lib/tftpboot/custom/trusty/
cp /boot/initrd.img-3.2.0-4-amd64 /var/lib/tftpboot/custom/trusty/
# Create symlinks
ln -s /var/lib/tftpboot/custom/trusty/vmlinuz-3.2.0-4-amd64 /var/lib/tftpboot/custom/trusty/vmlinuz
ln -s /var/lib/tftpboot/custom/trusty/initrd.img-3.2.0-4-amd64 /var/lib/tftpboot/custom/trusty/initrd.img
- NOTES -
- Adjust the 3.2.0-4 kernel number to the version you are using
- Do NOT use symlinks !! It won't work !!
- Don't forget to set all the rights ("chmod 777"). See the Security section below.
Text menu:
cp /usr/lib/syslinux/menu.c32 /var/lib/tftpboot/custom/
Graphic menu:
cp /usr/lib/syslinux/vesamenu.c32 /var/lib/tftpboot/custom/
cp /mySuperPicture/logo.png /var/lib/tftpboot/custom/pxelinux.cfg/The associate picture must be a PNG 800x600 picture and MUST be named logo.png.
Configure boot options
Then edit the PXE boot file:
vim /var/lib/tftpboot/custom/pxelinux.cfg/default
Put:
#### GENERIC OPTIONS #####
# Enable text menu
#DEFAULT menu.c32
# Enable graphical menu
DEFAULT vesamenu.c32
# Prompt for user input? (0 = choose from menu, 1 = you can type anything)
PROMPT 0
# Allow or not the user to left the menu (1 = user is locked to the menu)
NOESCAPE 1
# Time before using default option
TIMEOUT 50
#### Menu settings #####
MENU TITLE my super netboot menu
MENU BACKGROUND pxelinux.cfg/logo.png
MENU WIDTH 80
MENU ROWS 14
MENU MARGIN 10
#### Distributions #####
# Ubuntu 14.04
LABEL trusty
MENU LABEL Ubuntu 14.04 (trusty)
MENU DEFAULT
# Kernel and boot files
KERNEL trusty/vmlinuz
initrd trusty/initrd.img
### Boot options
# Set NFS share as default root
APPEND root=/dev/nfs nfsroot=192.168.2.2:/srv/nfsroot/trusty
# Installation disk
MENU LABEL rescue disk
# Kernel and boot files
KERNEL trusty/vmlinuz
initrd rescue/amd64/initrd.img
Note all the "MENU" commands + PROMPT 0
Security notes
in order to work you must adjust the rights of your "/var/lib/tftpboot/".
chmod -R 777 /var/lib/tftpboot
References
Ubuntu diskless how-to: https://help.ubuntu.com/community/DisklessUbuntuHowto Super video tutorials:
