The purpose of this post is to create a server from which network installations can be performed. A remote system will boot to the network, receive IP information from a DHCP server and boot Linux from a TFTP server. The TFTP server will provide the required packages for a Linux install. The network install server will be configured to synchronize with an external CentOS 6.6 repo two times per week via rsync. This will keep all packages up to date. Kickstart scripts can be maintained and stored on this server so that they can be easily modified for different server installs. For example, a Bro server requires additional packages aside from the base install. There would be a “Bro Install” option, selectable from the network boot menu, that installs all relevant packages via the bro.ks kickstart script. Additionally, kickstart scripts will be used to pre- and post-configure systems so that they come up in a ready-to-use state. This includes but is not limited to:
– Setting a static IP
– Configuring Management
– Automatic Updates
– Setting the Hostname
– Joining a domain
Some of the commands below are line wrapped. You may need to paste them into a different text editor to fix the formatting before pasting them into a Linux terminal.
To start, build a minimal install of CentOS 6.6. Then install the required packages:
yum -y install rsync httpd vixie-cron dhcp tftp-server syslinux make perl
Create a script to pull down the CentOS 6.6 repository. Exclude iso and i386 data.
cat /etc/cron.weekly/update-centos
#!/bin/sh
# Replace this information with your mirror information
MIRROR=rsync://mirror.anl.gov/centos/6.6
LOCALDIR=/var/www/html/centos/6.6
for i in extras os updates; do
    rsync -avH --exclude "i386" $MIRROR/$i $LOCALDIR
    #rsync -aH $MIRROR/$i $LOCALDIR
done
Set permissions on the file:
chmod 0755 /etc/cron.weekly/update-centos
Create a directory to house the repo and run the script:
mkdir -p /var/www/html/centos/6.6
/etc/cron.weekly/update-centos &
It will take several hours to pull down the entire repo.
Install the jobs in /etc/crontab and start cron. This will enable our repository to be updated weekly.
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
service crond start
chkconfig crond on
Allow Apache through iptables, start it and set it to on boot.
cd /var/www/html/centos
ln -s 6.6 6
iptables -I INPUT -m state --state new -m tcp -p tcp --dport 80 -j ACCEPT
service iptables save
service httpd start
chkconfig httpd on
Configure the local yum repository to point at the rsync'd mirror. You could also point it at Spacewalk.
cd /etc/yum.repos.d
perl -npe '/mirrorlist=.*repo=os/ && s/^/#/' -i CentOS-Base.repo
perl -npe '/mirrorlist=.*repo=updates/ && s/^/#/' -i CentOS-Base.repo
perl -npe '/#baseurl=.*\/os\// && s/^#//' -i CentOS-Base.repo
perl -npe '/#baseurl=.*\/updates\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^baseurl=/ && s/mirror.centos.org/IP.OF.BOOT.SERVER/' -i CentOS-Base.repo
Start DHCP, enable on boot and add firewall rules.
chkconfig dhcpd on
service dhcpd start
iptables -I INPUT -i eth0 -p udp --dport 67 --sport 68 -j ACCEPT
service iptables save
Create a subnet declaration in /etc/dhcp/dhcpd.conf for every network that will PXE boot, like the one below:
cat /etc/dhcp/dhcpd.conf
subnet 10.1.1.0 netmask 255.255.255.0 {
    range 10.1.1.20 10.1.1.60;
    default-lease-time 86400;
    max-lease-time 86400;
    option routers 10.1.1.2;
    option ip-forwarding off;
    option broadcast-address 10.1.1.255;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 4.2.2.2;
    allow booting;
    allow bootp;
    next-server 10.1.1.90;
    filename "/pxelinux.0";
}
The following takes place after the repo sync has completed:
Copy the appropriate files to the tftpboot directory.
cd /var/lib/tftpboot
cp /usr/share/syslinux/pxelinux.0 .
cp /usr/share/syslinux/vesamenu.c32 .
mkdir -p pxelinux.cfg centos/x86_64
CENTOS=/var/www/html/centos/6/os
cp $CENTOS/x86_64/images/pxeboot/* centos/x86_64
Create a 640×480 image to be used as the boot splash, save it as splash.png (the name referenced by the menu below) and place it in /var/lib/tftpboot.
Edit the PXE boot menu at /var/lib/tftpboot/pxelinux.cfg/default
DEFAULT vesamenu.c32
PROMPT 0
TIMEOUT 300
ONTIMEOUT localdisk
MENU TITLE Network PXE Boot
MENU BACKGROUND splash.png
LABEL localdisk
    MENU LABEL ^Boot HDD. OTHER OPTIONS REINSTALL OS!
    MENU DEFAULT
    LOCALBOOT 0
LABEL install_64bit
    MENU LABEL ^CentOS 6.6 (64-bit) Install
    KERNEL centos/x86_64/vmlinuz
    APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos64.ks initrd=centos/x86_64/initrd.img ramdisk_size=100000
LABEL install_65_64bit
    MENU LABEL ^CentOS 6.5 (64-bit) Install
    KERNEL centos/x86_64/vmlinuz
    APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos6.5_64.ks initrd=centos/x86_64/initrd.img ramdisk_size=100000
Create firewall rules for TFTP, start and turn on upon boot.
iptables -I INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT
iptables -I INPUT -i eth0 -m udp -p udp --dport 69 -j ACCEPT
service iptables save
chkconfig tftp on
service xinetd restart
Create a directory for scripts.
mkdir /var/www/html/ks
cd /var/www/html/ks
Place your sudoers file under /var/www/html/ks/sudoers
cp /etc/sudoers /var/www/html/ks
Create a kickstart script under /var/www/html/ks. The name has to match what’s in the boot menu above.
Example:
cat /var/www/html/ks/Centos64.ks
##########################################
# Kickstart Script for Base Install #
##########################################
# Install or upgrade
install
# GUI or text based install
text
# Installation source
url --url http://IP.OF.BOOT.SERVER/centos/6.6/os/x86_64
# Language
lang en_US.UTF-8
keyboard us
# Time options
timezone Etc/GMT
# Network Options
network --noipv6 --onboot=yes --bootproto dhcp
# Authentication options
authconfig --enableshadow --enablemd5
rootpw --iscrypted asdfasdf;lkasjdf;laksjdfl;askjdfl;kasjf
# Firewall options
firewall --disabled
# Selinux options
selinux --disabled
# Additional package repos
repo --name=a-base --baseurl=http://mirrors.kernel.org/centos/6.6/os/x86_64/
repo --name=a-extras --baseurl=http://mirrors.kernel.org/centos/6.6/extras/x86_64/
repo --name=a-updates --baseurl=http://mirrors.kernel.org/centos/6.6/updates/x86_64/
repo --name=epel --baseurl=http://download.fedoraproject.org/pub/epel/6/x86_64/
# Install bootloader
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb"
# Clear the MBR
zerombr
# Disk Partitioning
clearpart --all --initlabel
part swap --fstype="swap" --size=1024
part / --asprimary --fstype="ext4" --grow --size=1
# Reboot after install
reboot
#####################
# Package Selection #
#####################
%packages --nobase --excludedocs
# Required Packages
@console-internet
@hardware-monitoring
@large-systems
@network-tools
@performance
@perl-runtime
@security-tools
@server-platform
@system-admin-tools
@system-management-snmp
@directory-client
@development
@server-platform-devel
gcc
cloog-ppl
cpp
glibc-devel
glibc-headers
mpfr
ppl
openssl-devel
openldap-devel
make
certmonger
nss-pam-ldapd
openldap-clients
pam_ldap
aide
expect
nmap
screen
nc
-ipa-client
-ypbind
-wireless-tools
-alsa-lib
-alsa-utils
-gstreamer-plugins-base
-phonon-backend-gstreamer
-qt-x11
-redhat-lsb
-redhat-lsb-graphics
-cups
-foomatic
-foomatic-db
-foomatic-db-ppds
-redhat-lsb-printing
-fprintd
-fprintd-pam
-xorg-x11-drv-ati-firmware
-xorg-x11-font-utils
-qt
-qt-sqlite
-abrt
-abrt-addon-ccpp
-abrt-addon-kerneloops
-abrt-addon-python
-abrt-cli
-abrt-plugin-logger
-abrt-plugin-mailx
-abrt-plugin-rhtsupport
-abrt-plugin-sosreport
-dhclient
-ghostscript
-ghostscript-fonts
-ypbind
-yp-tools
-samba-common
-samba-client
-rpcbind
-nfs-utils
-nfs-utils-lib
-foomatic-db-filesystem
-gettext
-gstreamer
-gstreamer-tools
-ivtv-firmware
-ipw2100-firmware
-ipw2200-firmware
-iwl100-firmware
-iwl1000-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-libXtst
-libXv
-libertas-usb8388-firmware
-mesa-dri-drivers
-mesa-libGL
-mesa-libGLU
-netxen-firmware
-nfs4-acl-tools
-poppler
-poppler-utils
-poppler-data
-ql2100-firmware
-ql2200-firmware
-ql23xx-firmware
-ql2400-firmware
-ql2500-firmware
-rfkill
-rt73usb-firmware
-rt61pci-firmware
#autofs
# Bro Dependencies
#cmake
#make
#gcc
#gcc-c++
#flex
#bison
#libpcap-devel
#openssl-devel
#python-devel
#swig
#zlib-devel
#file-devel
#libpcap
#bind-libs
#zlib
#python
#libcurl
#gawk
#GeoIP
#gperftools-libs
#@development
#bind-devel
#git
#libcurl-devel
#GeoIP-devel
#python-devel
#gperftools-devel
# Remove the following packages
-efibootmgr
-b43-openfwwf
-*firmware
-iscsi*
-fcoe*
%end
##################################
# Pre installation configuration #
##################################
%pre
%end
###################################
# Post Installation configuration #
###################################
%post --log=/root/install-post.log
(
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH
echo "Converting DHCP to static IP address"
DEVICE=`route -n|grep '^0.0.0.0'|awk '{print $8}'`
IPADDR=`ifconfig $DEVICE|grep 'inet addr:'|awk '{sub(/addr:/,""); print $2}'`
NETMASK=`ifconfig $DEVICE|grep 'Mask'|awk '{sub(/Mask:/,""); print $4}'`
NETWORK=`ipcalc $IPADDR -n $NETMASK|awk -F= '{print $2}'`
GATEWAY=`route -n|grep '^0.0.0.0'|awk '{print $2}'`
HWADDR=`ifconfig $DEVICE|grep 'HWaddr'|awk '{print $5}'`
cat <<EOF >/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=$HOSTNAME
GATEWAY=$GATEWAY
EOF
cat <<EOF >/etc/sysconfig/network-scripts/ifcfg-$DEVICE
DEVICE=$DEVICE
BOOTPROTO=static
IPADDR=$IPADDR
NETMASK=$NETMASK
ONBOOT=yes
HWADDR=$HWADDR
EOF
echo "Updating sudoers"
wget -O /etc/sudoers http://10.1.1.90/ks/sudoers
chmod 0440 /etc/sudoers
chown root.root /etc/sudoers
echo "Configuring NTP"
ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org
chkconfig ntpdate on
echo "Configuring LDAP Authentication"
#Join via realm and sssd
#realm join AD.EXAMPLE.COM
echo "Configuring LDAP autofs Boot-time"
#chkconfig nscd on
#chkconfig autofs on
echo "Updating YUM Repositories"
cd /etc/yum.repos.d
perl -npe '/mirrorlist=.*repo=os/ && s/^/#/' -i /etc/yum.repos.d/CentOS-Base.repo
perl -npe '/mirrorlist=.*repo=updates/ && s/^/#/' -i /etc/yum.repos.d/CentOS-Base.repo
perl -npe '/^#baseurl=.*\/os\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^#baseurl=.*\/updates\// && s/^#//' -i CentOS-Base.repo
perl -npe '/^baseurl/ && s/mirror.centos.org/IP.OF.BOOT.SERVER/' -i CentOS-Base.repo
yum -y update --skip-broken
) >/root/install-post-sh.log 2>&1
%end
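The %post section above derives the static address by parsing the output of route -n and ifconfig. As an added example (not code from the original post), here is that parsing as a shell function that can be exercised against captured output and that refuses to write an ifcfg file when any value is missing; the route and ifconfig text below is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Derive a static ifcfg file from the 'route -n' and 'ifconfig DEVICE' text that
# the %post script parses, but refuse to write anything if a value is missing:
# an ifcfg with an empty IPADDR= leaves the freshly installed host unreachable
# after its reboot. Output is the file body; the caller redirects it.
build_ifcfg() {
    route_out=$1; ifconfig_out=$2
    # Default route line: "0.0.0.0  GATEWAY  0.0.0.0  UG ... IFACE"
    device=$(printf '%s\n' "$route_out" | awk '$1=="0.0.0.0"{print $8; exit}')
    gateway=$(printf '%s\n' "$route_out" | awk '$1=="0.0.0.0"{print $2; exit}')
    # net-tools format: "inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M" and "HWaddr XX:..."
    ipaddr=$(printf '%s\n' "$ifconfig_out" | awk '/inet addr:/{sub(/addr:/,"",$2); print $2}')
    netmask=$(printf '%s\n' "$ifconfig_out" | awk '/Mask:/{sub(/.*Mask:/,""); print}')
    hwaddr=$(printf '%s\n' "$ifconfig_out" | awk '/HWaddr/{print $5}')
    for v in "$device" "$gateway" "$ipaddr" "$netmask" "$hwaddr"; do
        [ -n "$v" ] || { echo "build_ifcfg: could not parse all values" >&2; return 1; }
    done
    # GATEWAY= is written into the ifcfg file here; /etc/sysconfig/network also accepts it.
    printf 'DEVICE=%s\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\nONBOOT=yes\nHWADDR=%s\n' \
        "$device" "$ipaddr" "$netmask" "$gateway" "$hwaddr"
}

# Constructed sample output in the CentOS 6 net-tools format (not a real capture).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.2        0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0'
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.1.1.20  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Stand-alone run: print the ifcfg-eth0 body that the sample would produce.
build_ifcfg "$SAMPLE_ROUTE" "$SAMPLE_IFCONFIG"
```

On a real host the two arguments would be "$(route -n)" and "$(ifconfig eth0)", with the output redirected to /etc/sysconfig/network-scripts/ifcfg-eth0.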
To get the hashed root password for the rootpw --iscrypted line, run this on a system whose root password is already set to the one you want:
grep 'root' /etc/shadow | awk -F: '{print $2}'
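Since each kickstart name has to match its boot menu entry, this added example (not from the original post) checks a pxelinux menu against the kickstart directory: every LABEL must be unique and every ks= URL must name a kickstart present under the directory that declares an installation source. The demo menu and kickstart files are constructed in a temporary directory; the 'bad' mode reproduces a repeated LABEL and a missing kickstart.

```shell
#!/bin/sh
# check_pxe_menu MENU KSDIR: verify that every LABEL in a pxelinux menu is unique
# and that every ks= URL it carries names a kickstart file present under KSDIR
# that declares an installation source. Returns 0 when consistent, 1 otherwise.
check_pxe_menu() {
    menu=$1; ksdir=$2; rc=0
    # pxelinux honours only the first of two identical LABELs, so the second
    # entry silently boots the first entry's kernel and kickstart.
    dups=$(awk 'toupper($1)=="LABEL"{print $2}' "$menu" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate LABEL(s): $dups" >&2; rc=1
    fi
    # The kickstart is looked up by the basename of the ks= URL.
    for url in $(grep -o 'ks=[^ ]*' "$menu" | cut -d= -f2-); do
        ks=$ksdir/$(basename "$url")
        if [ ! -f "$ks" ]; then
            echo "missing kickstart for $url (expected $ks)" >&2; rc=1
        elif ! grep -q '^url --url' "$ks"; then
            echo "$ks has no 'url --url' installation source" >&2; rc=1
        fi
    done
    return $rc
}

# Build a constructed menu and kickstart directory in a temp dir and check it.
# 'bad' reproduces a duplicated LABEL and a missing kickstart; 'good' is consistent.
demo_pxe_check() {
    tmp=$(mktemp -d); mkdir -p "$tmp/ks"
    second=install_65_64bit
    [ "$1" = bad ] && second=install_64bit
    cat >"$tmp/default" <<EOF
DEFAULT vesamenu.c32
LABEL localdisk
  LOCALBOOT 0
LABEL install_64bit
  APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos64.ks initrd=centos/x86_64/initrd.img
LABEL $second
  APPEND ks=http://IP.OF.BOOT.SERVER/ks/Centos6.5_64.ks initrd=centos/x86_64/initrd.img
EOF
    printf 'install\nurl --url http://IP.OF.BOOT.SERVER/centos/6.6/os/x86_64\n' >"$tmp/ks/Centos64.ks"
    [ "$1" = bad ] || cp "$tmp/ks/Centos64.ks" "$tmp/ks/Centos6.5_64.ks"
    status=0; check_pxe_menu "$tmp/default" "$tmp/ks" || status=$?
    rm -rf "$tmp"
    return $status
}
```

On the boot server itself, run check_pxe_menu /var/lib/tftpboot/pxelinux.cfg/default /var/www/html/ks after every menu or kickstart change.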
Enable DHCP relay agent on all firewalls. See this link for more details.
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html
dhcprelay server DHCP.SERVER.IP outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
Verify:
ASA# show dhcprelay statistics
DHCP UDP Unreachable Errors: 1
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 0
Make sure your DHCP server has all the subnets configured for use, and all firewalls have DHCP relay enabled.
PXE Boot your system to the network and enjoy.