Goal
The deployment currently has more than 70 client desktops booting via PXE from a read-only squashfs image, served by one NFS/TFTP server (which has a load of 0).
Offering a desktop-based Ubuntu GNU/Linux for about 100 desktops, booting over a local network from one single image. This image needs to be customized for our users (mathematicians and students) at the Mathematical Institute of Leiden University, The Netherlands. Authentication is done via Kerberos and LDAP. The home directories are mounted over NFS.
Audience
Unix admins with:
- shell scripting (debugging / patching / diffing)
- Ubuntu / Debian experience for some time
- an understanding of the "AS IS" section in the license
- use this on a non-production machine
- make backups, duh
- below on this page is my email address; use it wisely, preferably for improvements and patches.
What is written here will not work off the shelf. To make it work you have to customize it, but in the end it can save you a lot of time.
Setup
Our setup has to offer:
- NFS mounted home directories
- authentication/authorisation via Kerberos/LDAP
- tex / lyx / kile
- mutt / pine / elm
- fully usable Gnome / KDE / Xfce4 / fluxbox
- access to Linux and Windows terminal servers
- large amount of fonts
Ubuntu Karmic 9.10 is used as a base.
Documentation used:
https://help.ubuntu.com/6.10/ubuntu/installation-guide/hppa/linux-upgrade.html
http://syslinux.zytor.com/wiki/index.php/PXELINUX#Custom_Menu_Example_with_sub-menus
https://help.ubuntu.com/community/LiveCDCustomizationFromScratch
Environment:
- raid1 Ubuntu NFS/PXE server
- raid1 + raid5 Ubuntu build/test host
- Gb network with several VLANs
- about 100 ASRock nettop clients
The main focus is the staging environment, keeping staging and production separate. For this howto I won't describe the production server, since the two are mostly the same. But as a habit, I never build on production servers, since one error in the build script could give me, and some hundred users, a bad day. This actually happened: one day my build server did not reboot any more. The build script had escaped to the root filesystem and the initrd.img was replaced.....
As a policy, I use LTS on servers. You could possibly use Karmic here too, but I did not test that. There are more ways to do this, possibly a dozen alternative ways.
IMHO this is not a beginner's howto.
Networks
192.168.1.0/24 => external (uplink)
192.168.2.0/24 => internal (pxeboot)
Server setup
Install the build host with 3 raid1 partitions:
- raid1
  - md0 /
  - md1 swap
  - md2 /tmp
  - md3 /var/
  - md4 /usr
- raid5
  - md5 /data
Or choose another appropriate setup.
Packages
First install some packages
apt-get install dhcp3-server tftpd-hpa nfs-kernel-server syslinux debootstrap
Networking
Content of /etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

auto eth1
iface eth1 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    network 192.168.2.0
    # the broadcast address of a /24 is the last address, .255
    broadcast 192.168.2.255
Content of /etc/default/dhcp3-server, so the DHCP server only answers on the internal PXE network (this is where Ubuntu takes the interface list from; it is not dhcpd.conf syntax):
INTERFACES="eth1"
Content of /etc/dhcp3/dhcpd.conf:
ddns-update-style none;
option domain-name "test.example.com";
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;
    option routers 192.168.2.1;
    filename "pxelinux.0";
    next-server 192.168.2.1;
}
NAT and forwarding
Content of /etc/rc.local (there must be a proper way to do this):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Content of /etc/exports:
# both exports are open to every host (*); with no_root_squash, root on any
# client that can reach the rw export is root on every home directory
/data/tftpboot/  *(no_subtree_check,ro,no_root_squash,async)
/data/home/      *(no_subtree_check,rw,no_root_squash,async)
Content of /etc/default/tftpd-hpa:
RUN_DAEMON="yes"
OPTIONS="-l -s /data/tftpboot"
# prep pxe
mkdir -p /data/tftpboot/pxelinux.cfg
cp /usr/lib/syslinux/pxelinux.0 /data/tftpboot/
cp /usr/lib/syslinux/menu.c32 /data/tftpboot/
cp /usr/lib/syslinux/vesamenu.c32 /data/tftpboot/
Content of /data/tftpboot/pxelinux.cfg/default:
MENU INCLUDE pxelinux.cfg/graphics.cfg
DEFAULT vesamenu.c32
NOESCAPE 1
ALLOWOPTIONS 0

# boot label in /data/tftpboot
LABEL Karmic
  MENU LABEL Karmic Production
  MENU DEFAULT
  KERNEL karmic/vmlinuz
  APPEND quiet splash initrd=karmic/initrd.img boot=casper netboot=nfs raid=noautodetect root=/dev/nfs nfsroot=192.168.2.1:/data/tftpboot/karmic ip=dhcp rw --
Content of /data/tftpboot/pxelinux.cfg/graphics.cfg:
MENU TITLE PXE Menu
menu color tabmsg 37;40 #80ffffff #00000000
menu color hotsel 30;47 #40000000 #20ffffff
menu color sel 30;47 #40000000 #20ffffff
menu color scrollbar 30;47 #40000000 #20ffffff
MENU WIDTH 80
MENU MARGIN 20
MENU ROWS 20
MENU TABMSGROW 18
MENU CMDLINEROW 18
MENU ENDROW 2
MENU MASTER PASSWD vingerhoed
MENU PASSWORDROW 24
MENU PASSWORDMARGIN 20
MENU PASSPROMPT Enter Password:
MENU TIMEOUTROW 20
MENU TIMEOUTROW 13
MENU VSHIFT 3
NOESCAPE 1
ALLOWOPTIONS 0
PROMPT 0
TIMEOUT 60
Heads up: keep an eye on the options, and make sure you understand the documentation! Setting bad options here may allow a user to escape from the loader menu and start a shell as root instead of invoking init. This would give them access to all user files on NFS, which would make you popular only with a very limited set of people (and not at all popular with many others). The options to read up on are:
- NOESCAPE
- ALLOWOPTIONS
- PROMPT
Read more about PXELINUX to learn how to get nice menus, and more.
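To catch a weak menu configuration before the clients fetch it, the following audit script (an added example, not part of the original howto) reads pxelinux.cfg/default plus any file it INCLUDEs from the TFTP root, checks that NOESCAPE 1, ALLOWOPTIONS 0 and PROMPT 0 are in effect, and flags a MENU MASTER PASSWD stored in plaintext instead of one of the hashed forms syslinux accepts. The sample tree it writes is constructed here and only mirrors the layout above.

```shell
# Added example, not part of the original howto: audit a pxelinux.cfg tree
# for the lock-down options the heads-up relies on. Assumes the directive
# names from the syslinux docs and INCLUDE paths relative to the TFTP root.

# Effective value of a directive read from stdin: the last occurrence wins,
# as in syslinux, and directive names are case-insensitive.
pxe_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; gsub(/\t/, " ", line); sub(/^ +/, "", line) }
        index(tolower(line), key " ") == 1 {
            found = substr(line, length(key) + 1); sub(/^ +/, "", found) }
        END { print found }'
}

# Main config followed by its (MENU) INCLUDE files, one level deep, so that
# options set in an included file (graphics.cfg on this page) are seen too.
pxe_flatten() {
    cat "$1"
    awk '{ l = tolower($0); sub(/^[ \t]+/, "", l) }
         l ~ /^(menu )?include[ \t]/ { print $NF }' "$1" |
    while read -r inc; do if [ -f "$2/$inc" ]; then cat "$2/$inc"; fi; done
}

# check_pxecfg CONFIG TFTPROOT: one WARN line per weak setting; returns 0
# only when a client can neither leave the menu nor edit the kernel line.
check_pxecfg() {
    cfg=$(pxe_flatten "$1" "$2"); rc=0
    want() {  # directive, required value, what goes wrong otherwise
        got=$(printf '%s\n' "$cfg" | pxe_get "$1")
        [ "$got" = "$2" ] || { echo "WARN: $1 is '${got:-unset}', want $2: $3"; rc=1; }
    }
    want NOESCAPE     1 "Esc drops the user to the boot: prompt"
    want ALLOWOPTIONS 0 "clients may edit the kernel command line"
    want PROMPT       0 "the boot: prompt is shown instead of the menu"
    case "$(printf '%s\n' "$cfg" | pxe_get "MENU MASTER PASSWD")" in
        '')  echo "WARN: no MENU MASTER PASSWD, the menu is unprotected"; rc=1 ;;
        \$*) ;;  # hashed ($1$ MD5, $4$ SHA-1; newer syslinux also $5$/$6$), e.g. from sha1pass
        *)   echo "WARN: MENU MASTER PASSWD is plaintext; every client fetches it via TFTP"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample tree in $1 modelled on the page's layout; $2 is the
# password line to place in graphics.cfg (plaintext or hashed).
write_sample() {
    mkdir -p "$1/pxelinux.cfg"
    printf 'MENU INCLUDE pxelinux.cfg/graphics.cfg\nDEFAULT vesamenu.c32\nNOESCAPE 1\nALLOWOPTIONS 0\n' \
        > "$1/pxelinux.cfg/default"
    printf 'MENU TITLE PXE Menu\n%s\nPROMPT 0\nTIMEOUT 60\n' "$2" > "$1/pxelinux.cfg/graphics.cfg"
}
```

Run it as `check_pxecfg /data/tftpboot/pxelinux.cfg/default /data/tftpboot`; a non-zero exit means a client could get past the menu or read the menu password in the clear.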
Starting services
/etc/init.d/tftpd-hpa restart
/etc/init.d/nfs-kernel-server restart
/etc/init.d/dhcp3-server restart
Testing
Fetch an Ubuntu live CD and mount it
todo
Local mirror
Read this info and execute the next commands:
apt-get install apt-mirror apache2
vi /etc/apt/mirror.list
In /etc/apt/mirror.list, configure it to put everything in /data/mirror/, like this:
set base_path /data/mirror
Then create the directories:
mkdir -p /data/mirror/skel /data/mirror/mirror /data/mirror/var
Run apt-mirror:
apt-mirror
Add it to cron:
Edit /etc/cron.d/apt-mirror and remove the # from the last line.
Add to apache, assuming everything is in /data/mirror/.
Be sure you use the correct Alias and replace the XX with a working directory!
In /etc/apache2/sites-enabled/mirror:
Alias /ubuntu/ "/data/mirror/mirror/XX.archive.ubuntu.com/ubuntu/"
<Directory "/data/mirror/mirror">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
    AllowOverride None
</Directory>
Restart apache:
/etc/init.d/apache2 restart
Test the mirror:
apt-get install lynx
lynx http://localhost/ubuntu/
Here is a sample tarball:
https://wiki.ubuntu.com/MartenVijn?action=AttachFile&do=get&target=ubuntu_pxe.desktop.0.0.128.tgz
Newer versions may exist here.
So download it and untar it.
Now you should be able to use the build script:
IMPORTANT
Read and understand:
- config.txt
- build.sh
- LICENSE.txt
Make sure you are not on a production machine and that you made backups.
Explanation of the files:
- config.txt
  - a lot of configuration options
  - an error handling function
- build.sh builds:
  - kernel
  - initrd
  - installation dir
  - squashfs files
- preseed.txt
  - sets the build environment for the build tree
- dpkg*
  - dpkg-set-selections_fastbuild.txt is a sample file
  - dpkg-set-selections_full.txt is a sample file
  - dpkg-set-selections.txt is the file used by build.sh
- kernel.config is a sample kernel configuration file; the kernel must have:
  - initrd (casper)
  - nfsroot
  - the ability to fetch an IP number via DHCP
  - drivers for the network cards
Getting it to work
With the TREE option you can add/utilize:
- logins + passwords
- kiosk functions
- root ssh keys
We add:
- ldap
- kerberos
- ssh-keys
- nfs mounts for homedirs
- nfs mounts for software
- printer settings
- postfix settings
Details of this are not public.
HELP
This is pre-alpha, meant as an example to feed Unix admins' creativity.
From here you should be able to work yourself into it, as you are a Unix admin.
Patches, tips and better Ubuntu practices are more than welcome.
send an email to mvn at math dot leidenuniv dot nl
Future plans
- live USB drives mounting over insecure networks
- booting over https