XS Install Server

From OLPC
Revision as of 16:55, 8 April 2011 by Timmoody (talk | contribs) (Created page with '=XS Install Server= This page explains how to set up a cobbler install server for the purpose of installing multiple XS SchoolServers. If you only need to install a small number…')
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

XS Install Server

This page explains how to set up a cobbler install server for the purpose of installing multiple XS SchoolServers. If you only need to install a small number of XS servers once, this is probably overkill. However, if you have a large number or need to install many times for testing, you may benefit from this approach. The features that I like most are:

  • Unattended installation of XS server.
  • Simultaneous installation of multiple XS servers up to one less than number of ports available on switch.
  • Ability to easily modify kickstart file and include library files.
  • Simple boot media works with any version of XS install and only needed during physical boot, so can be shared among multiple target machines.

Caveats and Limitations

The kickstart file below contains two settings for the School Server that some may find objectionable from a security point of view. The first is that selinux is disabled. This is the case in the original XS 0.6 kickstart file and I retained it because I use older hardware that selinux sometimes gives problems. The second is that a user (me) is automatically added to the server. However, this is simply an automation of the instructions given in the XS wiki. The existing install media arbitrarily assigns the Ethernet adapters to eth0 and eth1. So it can happen that the connection from which the install took place, which should be WAN, gets reassigned to eth1 which is LAN. I have included a script xs-chknics that attempts to figure out whether the install connection is eth0 and reverse if this is not the case. It works in my test environment, but it it does not work in yours, you must simply physically reverse the connections.

Architecture

The following is based on the constraints that my main network is 192.168.0.x and the SchoolServer expects the internal school network to be 172.x.x.x. I set up a FC 12, dual-homed server with eth0 listening on 192.168.0.160 for management from my main network and eth1 on 10.1.0.1 to serve bootp requests from machines intended to become XS servers. Eth1 is connected to a switch into which multiple such XS machines can be plugged. Target XS machines boot into a PXE environment from which the Install Server directs the installation of the XS server. The management and installation network interfaces could be reversed, but neither can use 172.x.x.x.

Installation Server Setup

The installation procedure below is based on FC 12 and also works on FC 14.

Install a working FC

I took the defaults and added Web Server.

Fix up eth0 and eth1

  • Files are in /etc/sysconfig/network-scripts
  • Give eth0 a fixed IP Address on your management network
  • Set ONBOOT=yes, BOOTPROTO=none, and make sure GATEWAY and DNS1 are valid.
  • Give eth1 a fixed IP Address on your installation network, probably ending in .1
  • Set ONBOOT=yes, BOOTPROTO=none

Here are my config files (HWADDR should be different) :

  • Ifcfg-eth0
# VIA Technologies, Inc. VT6105/VT6106S [Rhine-III]
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:17:9A:BB:E4:1E
ONBOOT=yes
IPADDR=192.168.0.160
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=192.168.0.1
DNS1=192.168.0.1
  • Ifcfg-eth1
# VIA Technologies, Inc. VT6105/VT6106S [Rhine-III]
DEVICE=eth1
HWADDR=00:1B:11:C3:74:E0
ONBOOT=yes
IPADDR=10.1.0.1
NETMASK=255.255.255.0
TYPE=Ethernet
BOOTPROTO=none
  • Reboot

Turn off SELINUX

  • in /etc/selinux/config change SELINUX=enforcing to SELINUX= disabled
  • I had to turn this off as too many things were not working.
  • Reboot

Install dhcpd

yum install dhcp (the service package is dhcp, not dhcpd)

Install vsftpd

yum install vsftpd

Set Services ON

chkconfig --level 2345 httpd on
chkconfig --level 2345 dhcpd on
chkconfig --level 2345 vsftpd on

Install cobbler

yum install cobbler
yum install cobbler-web

Install updates

yum update – takes a long time

Configure iptables

Edit /etc/sysconfig/iptables to include FTP, DNS, DHCP, TFTP, NTP, HTTP/HTTPS and ports for cobbler and koan:

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 69 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 25150 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

in /etc/sysconfig/iptables-config change IPTABLES_MODULES="" to IPTABLES_MODULES="nf_conntrack_ftp" – this seems to be a quirk of both FC 12 and 14.

reboot

Configure Cobbler

cobbler check – this will tell you what areas require configuration
cobbler get-loaders (for me this failed several times before succeeding because file could not be downloaded)

in /etc/cobbler/settings set the following parameters:

manage_dhcp: 1
next_server: 10.1.0.1 (or the address of your server)
server: 10.1.0.1 (or the address of your server)

Change 'disable' to 'no' in /etc/xinetd.d/tftp Change 'disable' to 'no' in /etc/xinetd.d/rsync

in /etc/cobbler/modules.conf under [authentication]

set module = authn_configfile

if you want to change the default cobbler password of cobbler you can run

htdigest /etc/cobbler/users.digest "Cobbler" <new password>

restart cobbler

service cobblerd restart

Configure DHCP Template

Edit /etc/cobbler/dhcp.template to change the subnet section (only) to your configuration. In my case this is

subnet 10.1.0.0 netmask 255.255.255.0 {
    option routers             10.1.0.1;
    option domain-name-servers 10.1.0.1;
    option subnet-mask         255.255.255.0;
    option domain-name         "example.org";
    range dynamic-bootp        10.1.0.50 10.1.0.99;

and leave the rest as it is. Note that I have put in the example.org domain name.

Cobbler sync will probably not work before you do this as the dhcp server will not restart.

cobbler sync
cobbler check – this will still complain about the default root password for installs, but I manage this through the XS kickstart file, so I don’t change it.

At this point you should be able to log onto the cobbler web interface at http://<server ip address>/cobbler_web/ as cobbler with whatever password you set.

Set Up XS Distro

The XS distro iso does not have the image and isolinux versions needed for a network install, so we combine the FC9 iso files with the packages and repodata from the OLPC-School-Server iso. This section will need to change with new releases of the XS, especially if based on newer versions of Fedora. For XS 0.6 on FC9 I did the following:

mkdir /srv/iso (or any location you like)

Get Fedora-9-i386-DVD.iso onto /srv/iso. Get OLPC-School-Server-0.6-i386.iso onto /srv/iso.

mkdir /mnt/dvd
mkdir /mnt/dvd2
mount -ro loop,context=system_u:object_r:httpd_sys_content_t:s0 /srv/iso/Fedora-9-i386-DVD.iso /mnt/dvd
mount -ro loop,context=system_u:object_r:httpd_sys_content_t:s0 /srv/iso/OLPC-School-Server-0.6-i386.iso /mnt/dvd2

Create a working distro directory. Can be anywhere you like, but I used /srv/distros

mkdir /srv/distros
mkdir /srv/distros/XS-0.6-i386

Copy images and isolinux from FC9

cp -r /mnt/dvd/images/ /srv/distros/XS-0.6-i386/images/
cp -r /mnt/dvd/isolinux/ /srv/distros/XS-0.6-i386/isolinux/

Copy Packages, repodata, and kickstart file from XS-0.6-i386. I also renamed the kickstart file to distinguish it from the default distro. We will modify the kickstart file later.

cp -r /mnt/dvd2/Packages/ /srv/distros/XS-0.6-i386/Packages/
cp -r /mnt/dvd2/repodata/ /srv/distros/XS-0.6-i386/repodata/
cp -r /mnt/dvd2/ks.cfg /srv/distros/XS-0.6-i386/xs-ks.cfg

Import XS Distro into Cobbler

Now we can import the XS distro into cobbler. This can be slow. (An attempt to import FC 12 DVD did not complete after more than 4 hours.)

cobbler import --path=/srv/distros/XS-0.6-i386 --name=XS-0.6-i386

If you now log into cobbler (http://<server ip address>/cobbler_web/) you will see that this distro has been created (along with a xen version).

Configure XS Kickstart File

First we must point the cobbler profile for our distro at the proper kickstart file (xs-ks.cfg). Navigate using the cobbler web interface to Profiles and click on XS-0.6-i386. Replace the contents of the Kickstart field with

/var/www/cobbler/ks_mirror/XS-0.6-i386/xs-ks.cfg

and click save.

Now we can add some changes to xs-ks.cfg to support unattended install and the copying of library and other files. In order to be able to set the root password automatically I generated an encrypted password to include in the kickstart file by typing

openssl passwd -1 <root password>

Make a Backup and then Edit the kickstart file by typing

cd /var/www/cobbler/ks_mirror/XS-0.6-i386/
mv xs-ks.cfg xs-ks.cfg.ORIG
nano xs-ks.cfg

Here is mine with the lines added or changed in bold. Be careful to change the root password hash and note that the three lines in section ## Enable/Disable some services must be a single line in the file

###
###  Kickstart file for OLPC XS School Server software
###
###  Modified to use cobbler installation server
###
###  Non-interactive
###
###  can delete the following two lines
### Make it interactive - so these are 'seed' values
### interactive

# Use text mode install
text

# Use network installation
url --url=http://10.1.0.1/cblr/links/XS-0.6-i386
# If any cobbler repo definitions were referenced in the kickstart profile, include them here.
repo --name=source-1 --baseurl=http://10.1.0.1/cobbler/ks_mirror/XS-0.6-i386

# Provide some defaults - change these for your environment
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --disabled
# network --device eth0 --bootproto dhcp --onboot=on --hostname schoolserver 

# Reboot after installation
reboot

#Root password - use openssl passwd -1 <root password> to get encryption string
rootpw --iscrypted $1$HFnEFRSA$0/93Jp3CT14nmSDAqCX2r/

#  We enable the firewall, even though we are going to overwrite
#  what anaconda leaves behind
firewall --enabled

### X?
#skipx

## Enable/Disable some services up front - this should be a single line
services --enabled=dhcdbd,network,sshd,haldaemon,hddtemp,smartd,anacron,crond,atd,incron,iptables,avahi-daemon,dhcpd,named,ntpd,aiccu,messagebus,
pgsql-xs,httpd,ejabberd --disabled=netfs,nfs,nfslock,rpcbind,rpcgssd,rpcidmapd,rpcsvcgssd,
avahi-dnsconfd,radvd,ip6tables,dc_client,dc_server,squid,autofs,gpm,yum-updatesd

###
### disk partitioning...
###
# clear out sda without qualms...
clearpart --drives=sda

# Small Disk Support:       (xs #7241)
# If space >~10GiB then the sizes are
#       /boot       100 MiB
#       /             8 GiB
#       swap          2 GiB
#       /library    fills all remaining capicity
# If space is limited, partition sizes are reduced.
# Smallest supported capacity is ~5GiB when no livecd-creator --uncompressed-size argument is
# specified (defaults to 4096).
# Using livecd-creator --uncompressed-size=2048 allows installation on ~3GiB disks (not tested yet).
bootloader --location=mbr --append="rhgb quiet"
clearpart --linux --drives=sda
part /boot --fstype ext3 --size=100 --ondisk=sda
part / --fstype ext3 --size=2048 --maxsize=8192 --grow --ondisk=sda
# size of pv.6 must be at least enough to fit /library size and swap size
part pv.6 --size=1025 --grow --ondisk=sda
volgroup VolGroup00 --pesize=32768 pv.6
# Kickstart raises an error if logvol --size=0
logvol /library --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=1024 --maxsize=2048 --grow

%packages  --nobase

# School server core services metapackage
xs-pkgs
xs-config

xs-release
-fedora-release
##-fedora-logos

bash
kernel
passwd
policycoreutils
chkconfig
authconfig
rootfiles
@admin-tools
-gnome-packagekit
-selinux-policy-targeted
#anaconda-runtime

%end

%post

# create a user with ssh login

adduser timm
mkdir ~timm/.ssh
cd ~timm/.ssh
wget http://10.1.0.1/publickeys/timm/authorized_keys
cd ..
chown -R timm:timm ~timm/.ssh

# get library
pushd /library
wget -r -nH --cut-dirs=1 ftp://anonymous:guest@10.1.0.1/library
popd

# load any scripts to run during installation
pushd /root
wget -r -nH ftp://anonymous:guest@10.1.0.1/scripts
chmod -R u+x scripts
popd

cp /root/scripts/xs-public.conf /etc/httpd/conf.d/

# try to figure out if eth0/eth1 are wan/lan and run swap_nics if necessary
# pass broadcast address of install server
pushd /root
/root/scripts/xs-chknics 10.1.0.255
popd

# Configure the domain name - set your domain here
/etc/sysconfig/olpc-scripts/domain_config example.org

# turn off firstboot for XS builds
echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot

# if anaconda has overwritten config files from xs-config
# those will appear dirty - git can restore them to the last
# committed version, discarding the bad state
pushd /etc
for FPATH in sysconfig/network-scripts/ifcfg-eth{0,1}; do
   if [ -e "$FPATH" ]; then
       git checkout -- "$FPATH"
   fi
done
popd

%end

Configure Files to Copy to XS

SSH Authentication

Create /var/www/html/publickeys. I put my authorized_keys file in /var/www/html/publickeys/timm using wget from my server in order for the ks script to retrieve it for ssh login to the target XS.

Configure vsftpd

Make a Backup and then Edit the vsftpd.conf file to allow anonymous ftp of library and other files onto the target XS.

cd /etc/vsftpd/
mv vsftpd.conf vsftpd.conf.ORIG
nano vsftpd.conf

Replace the contents with the following:

#
# Sample anonymous FTP server configuration
#
# Mandatory directives
#
listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp/pub
#
# Optional directives
#
anon_max_rate=2048000
xferlog_enable=YES
listen_address=10.1.0.1
listen_port=21

Install Scripts and Files

Create the following directories under /var/ftp/pub

  • scripts
  • library/public

Copy any scripts or config files into /var/ftp/pub/scripts. I have:

  • xs-public.conf which contains
# put in /etc/httpd/conf.d/
Alias /public "/library/public"
<Directory /library/public>
  Order allow,deny
  Allow from all
  Options Indexes FollowSymLinks
  AllowOverride None
</Directory>

The kickstart file copies this to /etc/httpd/conf.d/ on the target XS

  • xs-chknics which swaps nics if eth0 is not WAN and contains
#!/usr/bin/python
# xs-chknics
# xs network-config chooses an arbitrary nic as eth0
# see if it is the same as our install nic and swap if not

import commands, syslog, os, sys

# Get Broadcast Address to Search For as Argument
# This is the mask of the network from which the PXE boot took place

if len(sys.argv) != 2:
        print 'Usage: %s <broadcast address>' % (sys.argv[0])
        sys.exit(1)

BrdAddr = float(sys.argv[1])

# Find the mac of the nic from which we installed

ethdata = commands.getoutput( '/sbin/ip addr show' )

nics = ethdata.split ('\n')

for index in range(len(nics)):
  if nics[index].find('eth0:') >= 0:
    parsed = nics[index+1].split()
    eth0mac = parsed[1]
    parsed = nics[index+2].split()
    eth0ip = parsed[1]
    eth0brd = parsed[3]

  elif nics[index].find('eth1:') >= 0:
    parsed = nics[index+1].split()
    eth1mac = parsed[1]
    parsed = nics[index+2].split()
    eth1ip = parsed[1]
    eth1brd = parsed[3]

if eth0brd == BrdAddr:
   installmac = eth0mac
elif eth1brd == BrdAddr:
   installmac = eth1mac
else:
   installmac = 0

# if we didn't find our broadcast address all bets are off so leave things alone

if installmac != 0:
  eth0rulelink = commands.getoutput( 'cat  /etc/udev/rules.d/70-persistent-net.rules | grep eth0' )
  split1 = eth0rulelink.split('ATTR{address}=="')
  split2 = split1[1].split('"')
  eth0rulemac = split2[0]
  if eth0rulemac != installmac:
    rc = commands.getstatusoutput('/usr/bin/xs-swapnics')
  • Add any other scripts you want to run as part of the XS installation process

Library Files

Copy any library directories into /var/ftp/pub/library/public. These will appear as http://schoolserver/public

Configure PXE

Server Menu and Default Distro

Make the XS-0.6-i386 distro the default install and shorten the timeout by editing /etc/cobbler/pxe/pxedefault.template to read (changes in bold)

DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | http://fedorahosted.org/cobbler
TIMEOUT 50
TOTALTIMEOUT 6000
ONTIMEOUT XS-0.6-i386

LABEL local
        MENU LABEL (local)
        MENU DEFAULT
        LOCALBOOT 0

$pxe_menu_items

MENU end

Now run

cobbler sync

Boot Media for XS Target Machine(s)

Once the install server is running it will listen for dhcp requests and if a bootp request is included it will respond with a linux image that will boot and co-ordinate with cobbler to perform a network install of the XS distro. The XS target machine simply needs boot media that can run a Pre-execution Environment (PXE) to use the installed nic to make a bootp request. This can be any media that the target machine supports for booting, floppy, CD, DVD, or USB. Because my target XS machine is old it has a floppy and can not boot from USB, so I created a floppy boot disk to start the PXE. Instructions for creating the boot media are at http://etherboot.org/wiki/removable. I used the utility from http://rom-o-matic.net/ to create a boot floppy image and then wrote it to the floppy disk with rawrite from http://www.chrysocome.net/rawwrite.

Putting it all together

  • Connect the LAN site of the install server to a switch
  • Connect the WAN port on the target machine(s) to the same switch
  • Do not connect the LAN port on the target machine(s) to anything.
  • Boot the target machine with the PXE media
  • After a couple of minutes or when you see disk activity remove the PXE media and boot another machine

Resources

I didn’t find these all that helpful, but here they are anyway.