The purpose of this post is to create a system from which network installations can occur. A remote system will boot to the network, receive IP information from a DHCP server and boot Linux from a TFTP server. The TFTP server will provide the required packages for a Linux install. The network install server will be configured to synchronize with an external CentOS 6.6 repo two times per week via rsync. This will keep all packages up to date. Kickstart scripts can be maintained and stored on this server so that they can be easily modified for different server installs. For example, a Bro server requires additional packages beyond the base install. There would be a “Bro Install” option, selectable from the network boot menu, that installs all relevant packages via the bro.ks kickstart script. Additionally, kickstart scripts will be used to pre- and post-configure systems to get them into a ready-to-use state. This includes but is not limited to:
– Setting a static IP
– Configuring Management
– Automatic Updates
– Setting the Hostname
– Joining a domain
Some of the commands below are line wrapped. You may need to paste them into a text editor and unwrap them before pasting into a Linux terminal.
To start, build a minimal install of CentOS 6.6. Then install the required packages:
yum -y install rsync httpd vixie-cron dhcp tftp-server syslinux make perl
Create a script to pull down the CentOS 6.6 repository. Exclude iso and i386 data.
cat /etc/cron.weekly/update-centos
#!/bin/sh
# Replace this information with your mirror information
MIRROR=rsync://mirror.anl.gov/centos/6.6
LOCALDIR=/var/www/html/centos/6.6
for i in extras os updates; do
    rsync -avH --exclude "i386" $MIRROR/$i $LOCALDIR
    #rsync -aH $MIRROR/$i $LOCALDIR
done
Set permissions on the file:
chmod 0755 /etc/cron.weekly/update-centos
Create a directory to house the repo and run the script:
mkdir -p /var/www/html/centos/6.6
/etc/cron.weekly/update-centos &
It will take several hours to pull down the entire repo.
Install the jobs in /etc/crontab and start cron. This will enable our repository to be updated weekly.
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
service crond start
chkconfig crond on
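The weekly job above is a bare rsync loop, so a manual run started while cron's multi-hour sync is still going writes into the same tree, and an interrupted sync leaves a tree without repodata that installers will happily try to use. The following is an added example, not code from the original post: a wrapper that runs the post's update-centos script under a lock and then checks that every synced tree carries its x86_64 repomd.xml before you point installers at it. The lock path, the function names and the "run" argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): lock the weekly mirror sync and
# verify the synced trees afterwards. LOCALDIR mirrors the post's layout; the
# lock file path and the function names are assumptions of this example.

LOCALDIR=${LOCALDIR:-/var/www/html/centos/6.6}
LOCKFILE=${LOCKFILE:-/var/run/update-centos.lock}

# check_repo_tree BASE: return 0 only if os, updates and extras under BASE
# each have an x86_64 repodata index. A tree missing repomd.xml is exactly
# what yum and anaconda see after an rsync run was cut off halfway.
check_repo_tree() {
    base=$1
    missing=0
    for r in os updates extras; do
        if [ ! -f "$base/$r/x86_64/repodata/repomd.xml" ]; then
            echo "missing repodata: $base/$r/x86_64" >&2
            missing=1
        fi
    done
    return $missing
}

# sync_mirror: run the post's update-centos script under an exclusive lock so
# that a cron run and a manual run never rsync into the same tree at once.
# flock -n gives up immediately instead of queueing a second multi-hour sync.
sync_mirror() {
    (
        flock -n 9 || { echo "sync already running, skipping" >&2; exit 75; }
        /etc/cron.weekly/update-centos
    ) 9>"$LOCKFILE"
}

# Invoke as "./mirror-check.sh run" to sync and then validate the trees;
# with no argument the script only defines the functions above.
case "${1:-}" in
    run) sync_mirror && check_repo_tree "$LOCALDIR" ;;
esac
```

Dropping this wrapper into /etc/cron.weekly in place of a direct call to update-centos means a skipped run shows up in cron's mail (exit 75) rather than as two rsync processes fighting over the same directory.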
Allow Apache through iptables, start it and set it to on boot.
cd /var/www/html/centos
ln -s 6.6 6
iptables -I INPUT -m state --state new -m tcp -p tcp --dport 80 -j ACCEPT
service iptables save
service httpd start
chkconfig httpd on
Configure a local yum repository to point to the rsync one. You could also create one to point to Spacewalk.
cd /etc/yum.repos.d
# Comment out the mirrorlist lines for the os and updates repos
perl -npe '/mirrorlist=.*repo=os/ && s/^/#/' -i CentOS-Base.repo
perl -npe '/mirrorlist=.*repo=updates/ && s/^/#/' -i CentOS-Base.repo
# Uncomment the baseurl lines for os and updates (the slashes in the path must be escaped inside the regex)
perl -npe '/^#baseurl=.*\/os\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^#baseurl=.*\/updates\// && s/^#//' -i CentOS-Base.repo
# Point the baseurl at this server; $releasever resolves to 6, which the symlink above maps to 6.6
perl -npe '/^baseurl=/ && s/mirror.centos.org/IP.OF.BOOT.SERVER/' -i CentOS-Base.repo
Start DHCP, enable on boot and add firewall rules.
chkconfig dhcpd on
service dhcpd start
iptables -I INPUT -i eth0 -p udp --dport 67 --sport 68 -j ACCEPT
service iptables save
Create Subnet ranges in DHCP for all networks like below:
cat /etc/dhcp/dhcpd.conf
subnet 10.1.1.0 netmask 255.255.255.0 {
    range 10.1.1.20 10.1.1.60;
    default-lease-time 86400;
    max-lease-time 86400;
    option routers 10.1.1.2;
    option ip-forwarding off;
    option broadcast-address 10.1.1.255;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 4.2.2.2;
    allow booting;
    allow bootp;
    next-server 10.1.1.90;
    filename "/pxelinux.0";
}
The following takes place after the repo sync has completed:
Copy the appropriate files to the tftpboot directory.
cd /var/lib/tftpboot
cp /usr/share/syslinux/pxelinux.0 .
cp /usr/share/syslinux/vesamenu.c32 .
mkdir -p pxelinux.cfg centos/x86_64
CENTOS=/var/www/html/centos/6/os
cp $CENTOS/x86_64/images/pxeboot/* centos/x86_64
Create a 640×480 boot splash image and save it as /var/lib/tftpboot/splash.png, the name referenced by MENU BACKGROUND in the menu below (vesamenu accepts PNG or JPEG).
Edit the PXE boot menu at /var/lib/tftpboot/pxelinux.cfg/default
DEFAULT vesamenu.c32
PROMPT 0
TIMEOUT 300
ONTIMEOUT localdisk
MENU TITLE Network PXE Boot
MENU BACKGROUND splash.png

LABEL localdisk
  MENU LABEL ^Boot HDD. OTHER OPTIONS REINSTALL OS!
  MENU DEFAULT
  LOCALBOOT 0

LABEL install_64bit
  MENU LABEL ^CentOS 6.6 (64-bit) Install
  KERNEL centos/x86_64/vmlinuz
  APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos64.ks initrd=centos/x86_64/initrd.img ramdisk_size=100000

LABEL install_64bit_65
  MENU LABEL ^CentOS 6.5 (64-bit) Install
  KERNEL centos/x86_64/vmlinuz
  APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos6.5_64.ks initrd=centos/x86_64/initrd.img ramdisk_size=100000
Create firewall rules for TFTP, start and turn on upon boot.
iptables -I INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT
iptables -I INPUT -i eth0 -m udp -p udp --dport 69 -j ACCEPT
service iptables save
chkconfig tftp on
service xinetd restart
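pxelinux gives no error for a menu that names the same LABEL twice (it simply honours the first entry) or that points at a kernel or initrd that was never copied into the tftp root; the client just boots the wrong thing or hangs at "Loading vmlinuz". The following is an added example, not code from the original post: a check you can run against /var/lib/tftpboot/pxelinux.cfg/default after editing it. The function name and the TFTPROOT default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pxelinux menu
# for duplicate LABEL names and for KERNEL / initrd= paths that do not exist
# under the tftp root. Function name and TFTPROOT default are assumptions.

TFTPROOT=${TFTPROOT:-/var/lib/tftpboot}

# check_pxe_menu MENU [ROOT]: return 0 when the menu is clean, 1 otherwise,
# printing each problem to stderr.
check_pxe_menu() {
    menu=$1
    root=${2:-$TFTPROOT}
    rc=0

    # LABEL is case-insensitive in syslinux; "MENU LABEL" lines have MENU as
    # their first word and are therefore not matched here.
    dups=$(awk 'toupper($1)=="LABEL" {print $2}' "$menu" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate LABEL(s): $dups" >&2
        rc=1
    fi

    # Every KERNEL path is relative to the tftp root and must exist there.
    for f in $(awk 'toupper($1)=="KERNEL" {print $2}' "$menu"); do
        [ -f "$root/$f" ] || { echo "missing kernel: $root/$f" >&2; rc=1; }
    done

    # So must every initrd= named in an APPEND line.
    for f in $(grep -io 'initrd=[^ ]*' "$menu" | cut -d= -f2); do
        [ -f "$root/$f" ] || { echo "missing initrd: $root/$f" >&2; rc=1; }
    done
    return $rc
}

# Usage: check_pxe_menu /var/lib/tftpboot/pxelinux.cfg/default
```

Run it once after each menu edit and again after a repo sync, since the kernel and initrd under centos/x86_64 are copied from the synced tree and a changed image name would only surface when a client fails to boot.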
Create a directory for scripts.
mkdir /var/www/html/ks
cd /var/www/html/ks
Place your sudoers file under /var/www/html/ks/sudoers
cp /etc/sudoers /var/www/html/ks
Create a kickstart script under /var/www/html/ks. The name has to match what’s in the boot menu above.
Example:
cat /var/www/html/ks/Centos64.ks
##########################################
# Kickstart Script for Base Install      #
##########################################

# Install or upgrade
install

# GUI or text based install
text

# Installation source
url --url http://IP.OF.BOOT.SERVER/centos/6.6/os/x86_64

# Language
lang en_US.UTF-8
keyboard us

# Time options
timezone Etc/GMT

# Network Options
network --noipv6 --onboot=yes --bootproto dhcp

# Authentication options
authconfig --enableshadow --enablemd5
# Placeholder: replace with a real hash from /etc/shadow (see the grep command after this script)
rootpw --iscrypted asdfasdf;lkasjdf;laksjdfl;askjdfl;kasjf

# Firewall options
firewall --disabled

# Selinux options
selinux --disabled

# Additional package repos
repo --name=a-base --baseurl=http://mirrors.kernel.org/centos/6.6/os/x86_64/
repo --name=a-extras --baseurl=http://mirrors.kernel.org/centos/6.6/extras/x86_64/
repo --name=a-updates --baseurl=http://mirrors.kernel.org/centos/6.6/updates/x86_64/
repo --name=epel --baseurl=http://download.fedoraproject.org/pub/epel/6/x86_64/

# Install bootloader
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb"

# Clear the MBR
zerombr

# Disk Partitioning
clearpart --all --initlabel
part swap --fstype="swap" --size=1024
part / --asprimary --fstype="ext4" --grow --size=1

# Reboot after install
reboot

#####################
# Package Selection #
#####################
%packages --nobase --excludedocs
# Required Packages
@console-internet
@hardware-monitoring
@large-systems
@network-tools
@performance
@perl-runtime
@security-tools
@server-platform
@system-admin-tools
@system-management-snmp
@directory-client
@development
@server-platform-devel
gcc
cloog-ppl
cpp
glibc-devel
glibc-headers
mpfr
ppl
openssl-devel
openldap-devel
make
certmonger
nss-pam-ldapd
openldap-clients
pam_ldap
aide
expect
nmap
screen
nc
-ipa-client
-ypbind
-wireless-tools
-alsa-lib
-alsa-utils
-gstreamer-plugins-base
-phonon-backend-gstreamer
-qt-x11
-redhat-lsb
-redhat-lsb-graphics
-cups
-foomatic
-foomatic-db
-foomatic-db-ppds
-redhat-lsb-printing
-fprintd
-fprintd-pam
-xorg-x11-drv-ati-firmware
-xorg-x11-font-utils
-qt
-qt-sqlite
-abrt
-abrt-addon-ccpp
-abrt-addon-kerneloops
-abrt-addon-python
-abrt-cli
-abrt-plugin-logger
-abrt-plugin-mailx
-abrt-plugin-rhtsupport
-abrt-plugin-sosreport
-dhclient
-ghostscript
-ghostscript-fonts
-yp-tools
-samba-common
-samba-client
-rpcbind
-nfs-utils
-nfs-utils-lib
-foomatic-db-filesystem
-gettext
-gstreamer
-gstreamer-tools
-ivtv-firmware
-ipw2100-firmware
-ipw2200-firmware
-iwl100-firmware
-iwl1000-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-libXtst
-libXv
-libertas-usb8388-firmware
-mesa-dri-drivers
-mesa-libGL
-mesa-libGLU
-netxen-firmware
-nfs4-acl-tools
-poppler
-poppler-utils
-poppler-data
-ql2100-firmware
-ql2200-firmware
-ql23xx-firmware
-ql2400-firmware
-ql2500-firmware
-rfkill
-rt73usb-firmware
-rt61pci-firmware
#autofs

# Bro Dependencies (uncomment in a Bro-specific kickstart)
#cmake
#make
#gcc
#gcc-c++
#flex
#bison
#libpcap-devel
#openssl-devel
#python-devel
#swig
#zlib-devel
#file-devel
#libpcap
#bind-libs
#zlib
#python
#libcurl
#gawk
#GeoIP
#gperftools-libs
#@development
#bind-devel
#git
#libcurl-devel
#GeoIP-devel
#python-devel
#gperftools-devel

# Remove the following packages
-efibootmgr
-b43-openfwwf
-*firmware
-iscsi*
-fcoe*
%end

##################################
# Pre installation configuration #
##################################
%pre
%end

###################################
# Post Installation configuration #
###################################
%post --log=/root/install-post.log
(
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH

echo "Converting DHCP to static IP address"
# Read the leased address, mask, gateway and MAC off the default-route interface
DEVICE=`route -n|grep '^0.0.0.0'|awk '{print $8}'`
IPADDR=`ifconfig $DEVICE|grep 'inet addr:'|awk '{sub(/addr:/,""); print $2}'`
NETMASK=`ifconfig $DEVICE|grep 'Mask'|awk '{sub(/Mask:/,""); print $4}'`
NETWORK=`ipcalc $IPADDR -n $NETMASK|awk -F= '{print $2}'`
GATEWAY=`route -n|grep '^0.0.0.0'|awk '{print $2}'`
HWADDR=`ifconfig $DEVICE|grep 'HWaddr'|awk '{print $5}'`
cat <<EOF >/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=$HOSTNAME
GATEWAY=$GATEWAY
EOF
cat <<EOF >/etc/sysconfig/network-scripts/ifcfg-$DEVICE
DEVICE=$DEVICE
BOOTPROTO=static
IPADDR=$IPADDR
NETMASK=$NETMASK
ONBOOT=yes
HWADDR=$HWADDR
EOF

echo "Updating sudoers"
wget -O /etc/sudoers http://10.1.1.90/ks/sudoers
chmod 0440 /etc/sudoers
chown root.root /etc/sudoers

echo "Configuring NTP"
ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org
chkconfig ntpdate on

echo "Configuring LDAP Authentication"
# Join via realm and sssd
#realm join AD.EXAMPLE.COM

echo "Configuring LDAP autofs Boot-time"
#chkconfig nscd on
#chkconfig autofs on

echo "Updating YUM Repositories"
cd /etc/yum.repos.d
perl -npe '/mirrorlist=.*repo=os/ && s/^/#/' -i CentOS-Base.repo
perl -npe '/mirrorlist=.*repo=updates/ && s/^/#/' -i CentOS-Base.repo
perl -npe '/^#baseurl=.*\/os\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^#baseurl=.*\/updates\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^baseurl/ && s/mirror.centos.org/IP.OF.BOOT.SERVER/' -i CentOS-Base.repo
yum -y update --skip-broken
) >/root/install-post-sh.log 2>&1
%end
To get the hashed root password for the rootpw line, run this on a host whose root password you want to reuse:
grep '^root:' /etc/shadow | awk -F: '{print $2}'
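The %post section above overwrites /etc/sudoers with whatever the boot server returns over plain HTTP, and sudo refuses to run at all if that file has a syntax error or the wrong mode, which locks you out of a freshly installed box. The following is an added example, not code from the original post: a replacement for the three sudoers lines in %post that only installs the downloaded file after its SHA-256 matches a digest recorded in the kickstart and visudo accepts its syntax. The SUDOERS_SHA256 variable, the function names and the temp-file handling are assumptions of this example; the URL and destination follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify a sudoers file fetched
# from the kickstart server before installing it. The expected digest,
# function names and temp handling are assumptions of this example.

# install_sudoers_checked SRC EXPECTED_SHA256 [DEST]
# Returns 1 on digest mismatch, 2 on a syntax error, 0 when installed.
install_sudoers_checked() {
    src=$1
    expected=$2
    dest=${3:-/etc/sudoers}

    actual=$(sha256sum "$src" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "sudoers digest mismatch: got $actual, want $expected" >&2
        return 1
    fi

    # visudo -c -f parses an arbitrary file without touching /etc/sudoers.
    # The check is skipped on hosts where sudo is not installed yet.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$src" >/dev/null 2>&1 || { echo "sudoers syntax error" >&2; return 2; }
    fi

    # sudo itself rejects a sudoers that is group- or world-writable, so set
    # the mode the post uses before anything can read the new file.
    cp "$src" "$dest" && chmod 0440 "$dest"
}

# fetch_and_install_sudoers [URL]: download to a temp file, then hand off to
# the checker. SUDOERS_SHA256 is the hex digest you record in the kickstart
# whenever you publish a new sudoers under /var/www/html/ks.
fetch_and_install_sudoers() {
    url=${1:-http://10.1.1.90/ks/sudoers}
    tmp=$(mktemp /tmp/sudoers.XXXXXX)
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 3; }
    install_sudoers_checked "$tmp" "$SUDOERS_SHA256"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# In %post: SUDOERS_SHA256=<digest from sha256sum on the server>; fetch_and_install_sudoers
```

Recording the digest in the kickstart turns a silent substitution of the file on the wire or on the web server into a hard install failure in /root/install-post.log. Since the same /ks directory also publishes the root password hash, it is worth limiting that directory in the Apache configuration to the subnets that actually PXE boot.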
Enable DHCP relay agent on all firewalls. See this link for more details.
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html
dhcprelay server DHCP.SERVER.IP outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
Verify:
ASA# show dhcprelay statistics
DHCP UDP Unreachable Errors: 1
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST   0
DHCPDISCOVER  1
DHCPREQUEST   1
DHCPDECLINE   0
DHCPRELEASE   0
DHCPINFORM    0

BOOTREPLY     0
DHCPOFFER     1
DHCPACK       1
DHCPNAK       0
Make sure your DHCP server has all the subnets configured for use, and all firewalls have DHCP relay enabled.
PXE Boot your system to the network and enjoy.