Difference between revisions of "Diskless netboot"

Configure client distribution

Access distribution

# "mount" the system
chroot /tftpboot/nfs/images/trusty/

From here you can perform operations as if you were on a separate machine.

Only the current distribution (= the client one) will be affected.


Adjust default login/password

First of all, you have to create / adjust the default user.

# Add new user
adduser <username>
# Add user to sudoers group
usermod -a -G sudo <username>

Now you can use that user:

su <username>
sudo -s

You can check that you really are in the "virtual machine" by checking "/srv/". It should be empty!


Update sources.list and install key packages

Your client needs some key packages in order to work. Without these packages even the NetBoot will fail!!

First of all: edit your sources.list

apt-get install vim
vim /etc/apt/sources.list

Put the following:

### Custom repositories list
#
# May 2014 - Guillaume Diaz
# This is an adjustment of the default "debootstrap" sources.list
# It is required to provide updates, security fixes and advanced tools to all our clients
#

# Official repositories
deb http://se.archive.ubuntu.com/ubuntu/ trusty main restricted universe multiverse
deb http://se.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted universe multiverse

# Official updates
deb http://se.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse

# Canonical partners
deb http://archive.canonical.com/ubuntu trusty partner

# Community partners
deb http://extras.ubuntu.com/ubuntu trusty main

Update your package list:

apt-get update && apt-get upgrade

Now, you can install the basic programs:

# NFS client. This is ABSOLUTELY MANDATORY! That's the only way to mount the root filesystem (/)
apt-get install nfs-common
apt-get install initramfs-tools

# NFS is a bit slow, and if you're using many clients it might result in time faults.
# You must install NTP to overcome this!!
apt-get install ntp ntpdate

# Basic set of utilities
apt-get install unzip zip
apt-get install make autoconf automake cpp gcc build-essential
apt-get install htop
apt-get install python3

# Advanced APT manager (required to add repositories from the command line)
apt-get install software-properties-common python-software-properties

# JAVA (required for my application)
# Depending on your target usage you might not need it.
add-apt-repository ppa:webupd8team/java
apt-get update && apt-get upgrade
apt-get install oracle-java7-installer oracle-jdk7-installer
 
 
 
 
 
Adjust bash and vim configuration

Edit your VIM configuration:

vim /etc/vim/vimrc

Enable dark background, set nu, set ruler.

Edit your bash configuration files to adjust the aliases and enable auto-completion:

vim /etc/bash.bashrc
vim /home/<username>/.bashrc
vim /root/.bashrc
 
 
 
 
 
 
 
Install a local kernel

To install a local kernel, you have to:

  • mount /proc
  • unpack linux-headers-generic
  • unpack linux-image-generic

mount /proc
apt-get install -y linux-headers-generic
apt-get install -y linux-image-generic

Check that you have these symlinks in /, or create them (relative targets, so they also resolve for the TFTP daemon, which is chrooted to the TFTP root):

ln -s boot/vmlinuz-3.5.0-21-generic /vmlinuz
ln -s boot/initrd.img-3.5.0-21-generic /initrd.img

!! Don't forget to adjust the number to your actual version !!
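As an added example (not from the wiki page or its author), the two symlinks above can be created from the server side without typing the version number, by picking the newest vmlinuz-* under the image's boot/ directory and refusing a kernel whose initrd.img was never generated. The image root path is passed as an argument (the page's would be /tftpboot/nfs/images/trusty). The links are made relative on purpose: tftpd-hpa with --secure is chrooted to /tftpboot/nfs, so an absolute link target like /boot/vmlinuz-... would resolve to /tftpboot/nfs/boot/vmlinuz-... for the daemon and the PXE entry "KERNEL images/trusty/vmlinuz" would fail, while boot/vmlinuz-... resolves correctly both inside the chroot and for tftpd.

```shell
#!/bin/sh
# Added example, not part of the original page. Creates relative /vmlinuz and
# /initrd.img symlinks in a client image root (assumed to be $1, e.g.
# /tftpboot/nfs/images/trusty) pointing at the newest installed kernel.

# Print the newest kernel version found under $1/boot, or fail.
newest_kernel_version() {
    root="$1"
    ver="$(ls "$root"/boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)"
    [ -n "$ver" ] || { echo "no vmlinuz-* in $root/boot" >&2; return 1; }
    # Refuse a kernel whose initrd was not generated (update-initramfs not run yet)
    [ -f "$root/boot/initrd.img-$ver" ] || { echo "missing initrd.img-$ver in $root/boot" >&2; return 1; }
    printf '%s\n' "$ver"
}

# Create or refresh the two relative symlinks; prints the version linked.
link_image_kernel() {
    root="$1"
    ver="$(newest_kernel_version "$root")" || return 1
    # Relative targets: valid inside the chroot and for the chrooted tftpd.
    ln -sfn "boot/vmlinuz-$ver"    "$root/vmlinuz"
    ln -sfn "boot/initrd.img-$ver" "$root/initrd.img"
    printf '%s\n' "$ver"
}

# Usage: sh link-kernel.sh /tftpboot/nfs/images/trusty
if [ -n "${1:-}" ]; then
    link_image_kernel "$1"
fi
```

Run it again after every kernel upgrade inside the image; it prints the version it linked, and exits non-zero (leaving the old links untouched) if the newest kernel has no matching initrd yet.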
 
 
 
 
 
 
 
Edit mount points (/etc/fstab)

You must edit the mount points to get the client working!

vim /etc/fstab

/proc    /proc    proc    defaults  0 0
/sys     /sys     sysfs   defaults  0 0
/dev/nfs /        nfs     defaults  1 1
 
 
 
 
 
 
 
 
 
Adjust network configuration

Up to this point the client will already have got a DHCP address through the NetBoot process.

Therefore, you should prevent users / services from changing that automatic configuration.

Edit the config file:

vim /etc/network/interfaces

Put:

## Manual override of the debootstrap shipped configuration
#
# Version 1.0 - May 2014 - Guillaume Diaz
#

# Loopback
auto lo
iface lo inet loopback

# Keep the NetBoot configuration
iface eth0 inet manual

# Intel NUC trick - as the NUC uses "em1" instead of "eth0"
iface em1 inet manual
 
 
 
 
 
 
 
Run clients in diskless NFS mode

Now you are (finally) ready to tell the client to run in diskless mode!

Edit the config file:

vim /etc/initramfs-tools/initramfs.conf

Set the following values (no spaces around "=": the file is sourced as shell):

MODULES=netboot
BOOT=nfs

Apply changes:

update-initramfs -u
 
 
 
 
 
 
 
Exit client distro

umount /proc
exit
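The fstab, interfaces and initramfs.conf steps above are edited by hand inside the chroot. As an added example (not the page's own script), here they are as idempotent functions that write into the image root from the server, plus a chroot wrapper that runs update-initramfs and always unmounts /proc again, even when the command fails. Assumptions: the image root is the first argument (for example /tftpboot/nfs/images/trusty), it was populated by debootstrap as described on this page, and the interface names to pin (eth0, em1 on the page) follow as further arguments.

```shell
#!/bin/sh
# Added example, not part of the original page: server-side writers for the
# client image's fstab, network/interfaces and initramfs.conf, and a chroot
# helper. Image root = $1 (assumed), interfaces to keep "manual" = $2...

# Minimal fstab for an NFS-rooted client: no local disk, the root comes from
# the kernel's nfsroot= parameter.
write_fstab() {
    root="$1"
    printf '%s\n' \
        '/proc    /proc  proc   defaults  0 0' \
        '/sys     /sys   sysfs  defaults  0 0' \
        '/dev/nfs /      nfs    defaults  1 1' > "$root/etc/fstab"
}

# "manual" keeps ifupdown from reconfiguring the link that carries the root
# filesystem; the initramfs already configured it via DHCP.
write_interfaces() {
    root="$1"; shift
    {
        printf 'auto lo\niface lo inet loopback\n'
        for dev in "$@"; do
            printf '\n# keep the NetBoot (DHCP) configuration on %s\niface %s inet manual\n' "$dev" "$dev"
        done
    } > "$root/etc/network/interfaces"
}

# Set MODULES=netboot and BOOT=nfs: replace existing keys, append missing ones.
set_initramfs_nfs() {
    conf="$1/etc/initramfs-tools/initramfs.conf"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    for kv in MODULES=netboot BOOT=nfs; do
        key="${kv%%=*}"
        if grep -q "^$key=" "$conf"; then
            sed -i "s/^$key=.*/$kv/" "$conf"
        else
            printf '%s\n' "$kv" >> "$conf"
        fi
    done
}

# Run a command inside the image with /proc mounted; unmount on any exit so
# the "umount /proc" step above cannot be forgotten.
chroot_run() {
    root="$1"; shift
    mount -t proc proc "$root/proc" || return 1
    trap 'umount "$root/proc"' EXIT
    chroot "$root" "$@"
}

# Usage (as root on the server):
#   sh configure-image.sh /tftpboot/nfs/images/trusty eth0 em1
if [ -n "${1:-}" ]; then
    root="$1"; shift
    write_fstab "$root"
    write_interfaces "$root" "$@"
    set_initramfs_nfs "$root"
    chroot_run "$root" update-initramfs -u
fi
```

The writers overwrite fstab and interfaces completely (they are the page's exact contents), while initramfs.conf is edited in place so that other keys a distribution ships there survive.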
 
  
  
Revision as of 16:47, 3 June 2014

Diskless server / workstation using netboot


NFS is a technology that allows you to share files and folders over the network. So:

  • All the clients will share the installation, configuration files and so on.
  • Each client will run a dedicated instance of the operating system.
  • Logs will be centralized on the common NFS server, so we don't lose data on each reboot.

You must have a working DHCP server + NetBoot before starting this part.


Requirements:


Optional:


Aim

In order to be super effective:

  • Each client distribution will have its own kernel support (vmlinuz + initrd.img files)
  • All the distributions will be under the same root
  • Both NFS and TFTP will share the same root folder
  • The user will be able to choose the OS to boot from a PXE menu


Target folder tree:

# TFTP root
/tftpboot/                                 

# Ubuntu installation NetBoot disk
/tftpboot/rescue/                          

###############
# Network bootable image(s) using NFS technology
################
/tftpboot/nfs/             

#### Boot file            
/tftpboot/nfs/pxelinux.0                   # Initial boot file - only use to load the PXE NetBoot manager
/tftpboot/nfs/{menu.c32 || vesamenu.c32}   # PXE interactive menu managers (text or graphical)
/tftpboot/nfs/pxelinux.cfg/                # PXE configuration(s)
/tftpboot/nfs/pxelinux.cfg/default         # default PXE configuration

#### Kernel file
/tftpboot/nfs/kernel/vmlinuz
/tftpboot/nfs/kernel/initrd.img

#### NFS 
# This is where the runnable will be. Each image will be in a dedicated folder.
/tftpboot/nfs/images/                    

# Debian 7.x [Wheezy] 
/tftpboot/nfs/images/wheezy/   

# Ubuntu 14.04 [Trusty] 
/tftpboot/nfs/images/trusty/



Installation

NFS support

apt-get install nfs-kernel-server nfs-common

Debootstrap (manage netboot image)

apt-get install debootstrap


Initramfs (to manage "virtual disks")

apt-get install initramfs-tools



NFS server setup

Preparation

You have to create a dedicated folder on your server where you will host the client image.

mkdir -p /tftpboot/nfs/pxelinux.cfg
mkdir -p /tftpboot/nfs/images
mkdir -p /tftpboot/nfs/kernel
chmod -R 777 /tftpboot/nfs


Configuration

The NFS configuration is done in the /etc/exports file

vim /etc/exports


Add something like that:

  /tftpboot/nfs     192.168.2.0/24(ro,no_root_squash,no_subtree_check,async,insecure)


Adjust "192.168.2.0/24" to your own network address.

  • rw : allow clients to read as well as write
  • ro : read-only access
  • insecure : allow requests coming from unprivileged ports (ports > 1024)
  • no_subtree_check : if the entire volume (/users) is exported, disabling this check will speed up transfers
  • async : speeds up transfers
  • no_root_squash : allows root on the client to access the exported directory as root


- NOTE -

It's always a good idea to use read-only if you plan to share this disk.

That stops users from messing with your image!
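As an added example (not from the wiki page or its author), here is a small POSIX shell checker for /etc/exports lines that encodes the advice above: it reports rw, no_root_squash, insecure and exports open to any client, so you see at a glance which options in an entry you are deliberately accepting. It assumes the one-entry-per-line "path client(options)" form shown on this page; the page's own example line is reported for no_root_squash and insecure, which is fine as long as that is a conscious choice for a read-only root export on a firewalled LAN.

```shell
#!/bin/sh
# Added example, not part of the original page: flag risky options in
# /etc/exports entries before restarting nfs-kernel-server. Assumes one
# "path client(options)" entry per line.

# Print a space-separated list of warnings for one exports line; print an
# empty line when the entry is read-only and limited to a client range.
export_warnings() {
    line="$1"
    out=""
    set -f                     # no globbing: the client field may be "*"
    set -- $line               # $1 = path, $2 = client(options)
    set +f
    client="${2%%(*}"          # text before "("
    opts="${2#*(}"             # text after "("
    opts="${opts%)}"           # drop the closing ")"
    # "*" or an empty client field exports to every host that can reach us
    case "$client" in
        ""|"*") out="any-client" ;;
    esac
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case "$o" in
            rw)             out="${out:+$out }rw" ;;              # clients can modify the shared image
            no_root_squash) out="${out:+$out }no_root_squash" ;;  # client root acts as root on the export
            insecure)       out="${out:+$out }insecure" ;;        # accepts requests from unprivileged ports
        esac
    done
    printf '%s\n' "$out"
}

# Exit status 0 when the line raises no warning, 1 otherwise.
export_is_safe() {
    [ -z "$(export_warnings "$1")" ]
}

# Check a whole exports file (default /etc/exports); exit 1 if any entry warns.
check_exports_file() {
    file="${1:-/etc/exports}"
    status=0
    while IFS= read -r l; do
        case "$l" in ""|"#"*) continue ;; esac   # skip blanks and comments
        w="$(export_warnings "$l")"
        if [ -n "$w" ]; then
            printf 'WARN %s -> %s\n' "$l" "$w"
            status=1
        fi
    done < "$file"
    return $status
}
```

Usage: `sh check-exports.sh` after editing the file, or call `check_exports_file /etc/exports` from a deployment script and abort the NFS restart on a non-zero status.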


Security

Like TFTP, this part is insecure!

You must restrict access to your NFS server with a firewall script, filtering traffic BEFORE it reaches the LAN!


NFS uses dynamic port numbers because it runs over rpcbind. Making NFS use specific ports is a pain in the ass !! :(

So, instead, you should only allow your LAN communication.


    IPTABLES=`which iptables`
    LAN_ADDRESS="192.168.2.0/24"

    # Allow LAN communication
    $IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
    $IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
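The two rules above accept LAN traffic but do not by themselves reject anything else. As an added example (not the page's own script), here is the same LAN-only idea as a default-deny INPUT chain for the services a diskless setup exposes: DHCP, TFTP, rpcbind and NFS, plus SSH for administration so the policy does not lock you out. The interface name, the LAN range and the rpc.mountd pinning hint in the comment are assumptions to adapt; set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original page: default-deny INPUT chain that
# keeps NetBoot services reachable from the LAN only. Assumes one LAN-facing
# interface ($2) and the LAN range ($1); IPTABLES=echo gives a dry run.

IPTABLES="${IPTABLES:-iptables}"

# Emit (or apply) the rules for LAN $1 on interface $2.
netboot_firewall() {
    lan="$1"
    iface="$2"
    # Loopback and already-established flows always pass.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Fixed-port services, accepted only from the LAN on the LAN interface.
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p udp --dport 67:69 -j ACCEPT   # DHCP server + TFTP
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p tcp --dport 111 -j ACCEPT     # rpcbind
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p udp --dport 111 -j ACCEPT
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p tcp --dport 2049 -j ACCEPT    # nfsd
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p udp --dport 2049 -j ACCEPT
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p tcp --dport 22 -j ACCEPT      # SSH administration
    # mountd/statd/lockd get their ports from rpcbind, so, as on the page, the
    # LAN may reach the unprivileged range; narrow this to one port once you pin
    # it (for example RPCMOUNTDOPTS="--port 32767" in /etc/default/nfs-kernel-server).
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p tcp --dport 1024:65535 -j ACCEPT
    $IPTABLES -A INPUT -i "$iface" -s "$lan" -p udp --dport 1024:65535 -j ACCEPT
    # Anything else (other interfaces, other sources) is logged with a rate
    # limit and then dropped by the chain policy.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "netboot-drop: "
    $IPTABLES -P INPUT DROP
}

# Apply only when invoked as "sh netboot-fw.sh --apply <lan-cidr> <iface>";
# otherwise the function is just defined (for sourcing or a dry run).
if [ "${1:-}" = "--apply" ]; then
    netboot_firewall "$2" "$3"
fi
```

Dry run: `IPTABLES=echo sh netboot-fw.sh --apply 192.168.2.0/24 eth0` prints the rule set so it can be reviewed before it is applied on the server.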


Management

service nfs-kernel-server {status|start|stop|restart}


Test the server

Install the NFS v4 client:

apt-get install nfs-common


To mount the default path:

mount -t nfs nfs-server:/ /mnt

You'll see: "/mnt/tftpboot/nfs"


It's better to do:

mount -t nfs nfs-server:/tftpboot/nfs /mnt



NFS client image

There are different ways to set up an NFS client image.

The main ones are:

  • debootstrap
  • copying the install from your server
  • manual install on a client, then, when the system is ready, copying everything to the NFS share


Setup client distribution

Setup distribution folder

You have to create one target for each distribution you want to serve:

mkdir -p /tftpboot/nfs/images/trusty
mkdir -p /tftpboot/nfs/images/wheezy

- NOTES -

  • The folder name should match your NetBoot settings. Folder name = a LABEL in the NetBoot config.
  • The folder name should match a Linux (Debian-like) distribution name


Populate the content

Debian 7.x

cd /tftpboot/nfs/images/wheezy
debootstrap wheezy /tftpboot/nfs/images/wheezy


Ubuntu 14.04

cd /tftpboot/nfs/images/trusty
debootstrap trusty /tftpboot/nfs/images/trusty


Configure client distribution

  • Manual configuration: Diskless image configuration - manual setup
  • Automatic [Puppet || Chef] configuration: Diskless image configuration - script setup


Backup distribution

You can create an archive of your current distribution for later restore / re-use.


Compression

cd /tftpboot/nfs/images
tar cvpjf trusty.tar.bz2 ./trusty


Restoration

cd /tftpboot/nfs/images
tar -xvjf trusty.tar.bz2



Adjust TFTP root

You must adjust the TFTP root to match the NFS root !!

vim /etc/default/tftpd-hpa


Adjust the file like that:

RUN_DAEMON="yes"
OPTIONS="--secure"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/tftpboot/nfs"


Notice the RUN_DAEMON instruction + the new TFTP_DIRECTORY


Custom NetBoot configuration

Basic configuration

You can setup your own netboot configuration.

To do so, you can re-use one of the syslinux templates:

# Create folders
mkdir /tftpboot/nfs/pxelinux.cfg/

# Create configuration files
cp /usr/lib/syslinux/pxelinux.0 /tftpboot/nfs/


The pxelinux.cfg folder is mandatory. Inside you can provide:

  • configuration for a specific IP address or hostname
  • configuration for a group
  • default configuration (required)


Create the default configuration file:

vim /tftpboot/nfs/pxelinux.cfg/default


Put the following:

# Ubuntu 14.04
LABEL TRUSTY
    kernel images/trusty/vmlinuz
    # Set NFS share as default root
    append boot=nfs root=/dev/nfs initrd=images/trusty/initrd.img nfsroot=192.168.2.2:/tftpboot/nfs/images/trusty

# Prompt user for selection
PROMPT 0

TIMEOUT 30

  • Each LABEL is a specific configuration that will be displayed on the NetBoot menu.
  • PROMPT 1 = enable the user prompt so you can choose the configuration
  • TIMEOUT 30 = timeout (in seconds) before the default option is chosen


Note that I used a reference to "trusty/"; that's a folder I need to create later on.


Advanced menu

Install menu manager

Text menu:

cp /usr/lib/syslinux/menu.c32 /tftpboot/nfs/


Graphic menu:

cp /usr/lib/syslinux/vesamenu.c32 /tftpboot/nfs/
cp /mySuperPicture/logo.png /tftpboot/nfs/pxelinux.cfg/

The associated picture must be an 800x600 PNG.


Configure boot options

Then edit the PXE boot file:

vim /tftpboot/nfs/pxelinux.cfg/default


Put:

#### GENERIC OPTIONS #####
# Enable text menu
#DEFAULT menu.c32
# Enable graphical menu
DEFAULT vesamenu.c32
# Prompt for user input? (0 = choose from menu, 1 = you can type anything)
PROMPT 0
# Allow the user to leave the menu or not (1 = user is locked to the menu)
NOESCAPE 1
# Time before using the default option
TIMEOUT 50


#### Menu settings #####
MENU TITLE my super netboot menu
MENU BACKGROUND pxelinux.cfg/logo.png
MENU WIDTH 80
MENU ROWS 14
MENU MARGIN 10


#### Distributions #####
# Ubuntu 14.04
LABEL trusty
    MENU LABEL Ubuntu 14.04 (trusty)
    MENU DEFAULT
    # Kernel and boot files
    KERNEL images/trusty/vmlinuz
    ### Boot options
    # Set NFS share as default root
    append boot=nfs root=/dev/nfs initrd=images/trusty/initrd.img nfsroot=192.168.2.2:/tftpboot/nfs/images/trusty

# Debian wheezy
LABEL wheezy
    MENU LABEL Debian Wheezy
    # Kernel and boot files
    KERNEL images/wheezy/vmlinuz
    append boot=nfs root=/dev/nfs initrd=images/wheezy/initrd.img nfsroot=192.168.2.2:/tftpboot/nfs/images/wheezy


Note all the "MENU" commands + PROMPT 0
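Every LABEL above is typed by hand, and a menu entry whose vmlinuz or initrd.img link is missing only fails at boot time on the client. As an added example (not the page's own script), here is a generator that writes the same kind of pxelinux.cfg/default from the image directories actually present under images/, offering a LABEL only when both files exist (a dangling symlink is skipped with a message on stderr). Assumptions: the TFTP root and the NFS server address are given as arguments (the page's values are /tftpboot/nfs and 192.168.2.2), the first bootable image becomes MENU DEFAULT, and the menu title is a placeholder. One caveat worth knowing when choosing the value: syslinux's TIMEOUT is in tenths of a second, so TIMEOUT 50 waits 5 seconds.

```shell
#!/bin/sh
# Added example, not part of the original page: generate pxelinux.cfg/default
# from the images/ directories under the TFTP root ($1, assumed) for the NFS
# server $2 (assumed). Only images with vmlinuz and initrd.img get a LABEL.

# Print the menu to stdout; return 1 if no bootable image was found.
gen_pxe_menu() {
    tftproot="$1"
    nfsserver="$2"
    count=0
    printf '%s\n' \
        '#### GENERIC OPTIONS #####' \
        'DEFAULT vesamenu.c32' \
        'PROMPT 0' \
        'NOESCAPE 1' \
        'TIMEOUT 50' \
        '' \
        '#### Menu settings #####' \
        'MENU TITLE diskless netboot' \
        'MENU BACKGROUND pxelinux.cfg/logo.png' \
        '' \
        '#### Distributions #####'
    for dir in "$tftproot"/images/*/; do
        [ -d "$dir" ] || continue             # no images/ directory at all
        name="$(basename "$dir")"
        # -f follows symlinks, so a dangling vmlinuz/initrd.img link is treated as missing
        if [ ! -f "$dir/vmlinuz" ] || [ ! -f "$dir/initrd.img" ]; then
            echo "skipping $name: vmlinuz or initrd.img missing" >&2
            continue
        fi
        count=$((count + 1))
        printf 'LABEL %s\n    MENU LABEL %s\n' "$name" "$name"
        if [ "$count" -eq 1 ]; then
            printf '    MENU DEFAULT\n'
        fi
        printf '    KERNEL images/%s/vmlinuz\n' "$name"
        printf '    append boot=nfs root=/dev/nfs initrd=images/%s/initrd.img nfsroot=%s:%s/images/%s\n\n' \
            "$name" "$nfsserver" "$tftproot" "$name"
    done
    [ "$count" -gt 0 ]
}

# Usage: sh gen-menu.sh /tftpboot/nfs 192.168.2.2 > /tftpboot/nfs/pxelinux.cfg/default
if [ -n "${2:-}" ]; then
    gen_pxe_menu "$1" "$2"
fi
```

Because the nfsroot path is built from the TFTP root, the generated entries automatically keep NFS and TFTP on the same root folder, which is what the "Adjust TFTP root" section above requires.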


Security notes

In order to work, you must adjust the rights on your TFTP root (/tftpboot/nfs here; /var/lib/tftpboot/ is the tftpd-hpa default).

chmod 777 /tftpboot/nfs/*
chmod 777 /tftpboot/nfs/pxelinux.cfg/*



DHCP note

Don't forget to adjust your DHCP configuration if you plan to serve a specific file for a client!

vim /etc/dhcp/dhcpd.conf



References

Ubuntu diskless how-to: https://help.ubuntu.com/community/DisklessUbuntuHowto

Super video tutorials: