# Copyright (C) 2018 Ian Kelling

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace"

[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

LC_USEBASHRC=t; . ~/.bashrc

usage: ${0##*/} [-h|--help] [BASE_CODENAME] [ARCH]
install fai-server on the current machine

Initial setup of a fai server. Works on localhost. Sets the current ip
as the tftp server. I vaguely remember that using a hostname does not
work. Separate from running this, faiserver needs to be set up in dns to
point to whatever host this is run on.

Default BASE_CODENAME is buster. Default ARCH is 64. The script expects corresponding
$BASEFILE_DIR/${UPCASED_BASE_CODENAME}${ARCH}.tar.(gz|xz) to exist, and it must have been
generated around the same time as the nfsroot, at least so it has the

Note: there is a bug in 5.9.4, fixed by adding

Note: in t9, there is a bug in recent fai packages (eg 2021+), where
unshare uses a too new argument. I was able to fix it by
just going to the site of the error and changing unshare to
chroot like it used to be, but I'm not bothering to make
any persistent fix, since I'm now on t10. If it ever came
up again, using an old fai package would also work.

/usr/sbin/fai-make-nfsroot:503, before apt-get update

e() { echo "+ $@"; "$@"; }

if [[ $base == [[:upper:]] ]]; then
  echo $0: error: use lowercase base

basefile=($BASEFILE_DIR/${base^^}${arch^^}.tar.gz)
sed="sed -ri --follow-symlinks"

if [[ ! -e $basefile ]]; then
  printf "%s\n" "$0: error basefile=$basefile does not exist" >&2

if [[ ! -d $BASEFILE_DIR ]]; then
  printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR does not exist" >&2

if ! type -p wget &>/dev/null; then
  apt-get install -y wget

[[ $(dpkg --print-architecture) == armhf ]]

# fai on ubuntu only has official support using the universe repo, but newer
# tends to have less bugs.
wget -O - https://fai-project.org/download/2BF8D9FE074BCDE4.asc | apt-key add -
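
# Added example, not part of the original script: the wget line above hands
# whatever the server returns straight to apt-key. One way to check first that
# a downloaded file holds exactly one primary key whose fingerprint ends in the
# 2BF8D9FE074BCDE4 ID from the URL. The helper names key_matches_id and check and
# the sample listings are constructed here; the input is assumed to be the
# output of gpg --show-keys --with-colons on the downloaded file.

```shell
# key_matches_id LONG_ID  (hypothetical helper; colon-format key listing on stdin)
# Succeeds only if the listing has exactly one primary key and that key's
# fingerprint ends in LONG_ID (16+ hex digits; short IDs are refused).
key_matches_id() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  awk -F: -v want="$want" '
    $1 == "pub"        { pub = 1; next }                  # primary key record
    $1 == "fpr" && pub { n++; fpr = $10; pub = 0; next }  # fingerprint of that key
                       { pub = 0 }                        # uid, sub, subkey fpr
    END {
      ok = (want ~ /^[0-9A-F]+$/ && length(want) >= 16 && n == 1 &&
            substr(fpr, length(fpr) - length(want) + 1) == want)
      exit !ok
    }'
}

# Constructed listings: only the trailing 16 digits of the first
# fingerprint come from the page; every other value is made up.
SAMPLE_GOOD='pub:-:4096:1:2BF8D9FE074BCDE4:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF012345672BF8D9FE074BCDE4:
uid:-::::1500000000::0000::Example key <key@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:'
# Same key plus a second primary key slipped into the same file.
SAMPLE_EXTRA="$SAMPLE_GOOD
pub:-:4096:1:2222222222222222:1500000000:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:"

check() {
  if printf '%s\n' "$1" | key_matches_id "$2"; then echo trusted; else echo rejected; fi
}
check "$SAMPLE_GOOD"  2bf8d9fe074bcde4   # matching primary key
check "$SAMPLE_EXTRA" 2BF8D9FE074BCDE4   # extra primary key in the file
check "$SAMPLE_GOOD"  1111111111111111   # ID only matches a subkey
check "$SAMPLE_GOOD"  074BCDE4           # short ID, refused
```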

stretch|buster|bullseye)
  if ! grep -qFx "deb https://fai-project.org/download $base koeln" /etc/apt/sources.list.d/fai.list; then

    cat >/etc/apt/sources.list.d/fai.list <<EOF
deb https://fai-project.org/download $base koeln

echo "$0: error: script needs updating for new base" >&2

f=/var/cache/apt/pkgcache.bin;

cachetime=$(stat -c %Y $f );

limittime=$(( now - 60*60*2 ))
if (( cachetime > limittime )); then

# Relevant packages from fai-quickstart depends and fai-server recommends.
# I especially do not want isc-dhcp-server or an inetd. Also excludes
# nfs-kernel-server. On an android chroot, we don\'t have nfs in the
# kernel, or the ability to install it.
# xorriso is for running fai-cd -a, not strictly needed for fai-server
# perl-tk is for fai-monitor-gui
pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso perl-tk)
if modprobe nfsd &>/dev/null; then
  pkgs+=(nfs-kernel-server)

e apt-get install -y ${pkgs[@]}
# confnew since we edit /etc/fai/NFSROOT in an automated way
# fai-client is already a fai-server dependency, but make sure it gets upgraded
e apt-get install --no-install-recommends -y -o Dpkg::Options::=--no-force-confdef -o Dpkg::Options::=--force-confnew fai-server fai-client

r=http://http.us.debian.org/debian
# like default, but scrap httpredir, and nonfree.
# All my systems should be able to get along without nonfree
# for a base working system afaik.

cat >/etc/fai/apt/sources.list <<EOF
deb $r $base main contrib

### begin setup security repo ###

cat >>/etc/fai/apt/sources.list <<EOF
deb http://security.debian.org/debian-security $base/updates main contrib

# new naming convention
cat >>/etc/fai/apt/sources.list <<EOF
deb http://security.debian.org/debian-security $base-security main contrib

### end setup security repo ###

cat >>/etc/fai/apt/sources.list <<EOF
# use fai repo. it's commented in the defaults. it's got bug fixes.
# and may contain newer packages.
deb http://fai-project.org/download $base koeln

## Get latest kernel and btrfs for dealing with btrfs issues.
# if [[ $base == buster ]]; then
# cat >>/etc/fai/apt/sources.list <<'EOF'
# deb http://ftp.debian.org/debian buster-backports main

# # note, fai doesn\'t look at /etc/fai/apt/preferences.d
# cat >/etc/fai/apt/preferences <<'EOF'
# Package: linux-* firmware-linux-free btrfs-progs
# Pin: release a=buster-backports

$sed -f - /etc/fai/nfsroot.conf <<EOF
$ a FAI_ROOTPW='$(</q/root/shadow/standard)'

$ a SSH_IDENTITY=/root/.ssh/home.pub

s,^( *FAI_DEBOOTSTRAP=).*,\1"$base $r",
# add --arch amd64. this is needed on arm system which is
# used to install amd64 clients. On amd64 servers, it's redundant.
# disabled for now, since creating fai nfsroot on my arm machine

#/--arch amd64/!s/^(\s*FAI_DEBOOTSTRAP_OPTS=")/\1--arch amd64 /

$sed 's/#LOGUSER/LOGUSER/' /etc/fai/fai.conf
$sed -i '/^LOGUSER=/d' /etc/fai/fai.conf
$sed -i '/^FAI_FLAGS=/d' /etc/fai/fai.conf
echo "FAI_FLAGS=verbose" >>/etc/fai/fai.conf
# note if this isnt set, the user isnt created
echo "LOGUSER=fai" >>/etc/fai/fai.conf

# from man fai-make-nfsroot,
# figured out after partitioning ignored my crypt partition

cedit /etc/fai/NFSROOT <<'EOF' || [[ $? == 1 ]]
# inserted by faserver-setup

# default one is linux-image-server, doesnt exist anymore

# default is btrfs-tools which doesnt exist anymore

# got an error in error.log about not having gpg.
# system seemed to still install ok, so i havent tested if this fixes it.

# background: Can't build the nfsroot on my arm system now. First,
# fai-make-nfsroot won't work out of the box. One idea to make it work
# is by installing qemu-user-static, then copying qemu-x86_64-static
# into the nfsroot, and prepending it to chroot commands in
# fai-make-nfsroot, but that fails in odd ways. ls has permissions
# problems on reading directories, various programs segfault
# immediately, cat can't open a file, etc.

NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai

# test if our copy of setup_tftp has changed in fai-make-nfsroot,
# and if not, run it.

pxebin=$NFSROOT/usr/lib/syslinux/pxelinux.0

rm -f $NFSROOT/boot/*.bak
mkdir -p $TFTPROOT/pxelinux.cfg
if ! chmod a+r $NFSROOT/boot/initrd.img-*; then
  echo "$0: error: No initrd was created. Check the package name of the linux-image package in /etc/fai/NFSROOT."

cp -p $v $NFSROOT/boot/vmlinu?-* $NFSROOT/boot/initrd.img-* $TFTPROOT
cp -u $pxebin $TFTPROOT
if [ -f $NFSROOT/usr/lib/syslinux/modules/bios/ldlinux.c32 ]; then
  cp -u $NFSROOT/usr/lib/syslinux/modules/bios/ldlinux.c32 $TFTPROOT

if [ X$verbose = X1 ]; then
  echo "TFTP environment prepared. Enable DHCP and start the TFTP daemon on root $TFTPROOT."

diff -u <(type setup_tftp) <(cat <(sed -n '/^setup_tftp(){/,/^}/p' $(which fai-make-nfsroot) ) - <<'EOF' |bash

# -g causes skipping set_root_pw() in fai-make-nfsroot, -ag
# is the only way to make it run without chrooting. the options
# seem contradictory, but it works.

# note, this copies the -B arg to
# /srv/fai/nfsroot/var/tmp/base.tar.xz
e fai-setup -evf -B $basefile
# fai-setup expert mode avoids writing to /var/log/fai/variables
# at least config_src is needed for autodiscover
$sed '/^FAI_CONFIGDIR|^FAI_CONFIG_SRC|^LOGUSER/d' /var/log/fai/variables
tee -a /var/log/fai/variables <<'EOF'

FAI_CONFIGDIR=/srv/fai/config
FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config

# make the faiserver also the apt proxy server
apt-get -y install apt-cacher-ng

rm -f /srv/fai/nfsroot/root/.ssh/known_hosts
if [[ $HOSTNAME == kd ]]; then
  keyscan_arg="-p 8989"

key=$(ssh-keyscan $keyscan_arg localhost |& grep -o "ecdsa-sha2-nistp256.*")
for ip in faiserver $(ip addr show up| grep -w '^ *inet' | awk '{print $2}'| cut -d / -f 1 | grep -vF 127.0.0.1); do
  echo "$ip $key" >>/srv/fai/nfsroot/root/.ssh/known_hosts

# https://wiki.archlinux.org/index.php/working_with_the_serial_console
# at runtime, running this from ssh worked:
# https://unix.stackexchange.com/questions/242778/what-is-the-easiest-way-to-configure-serial-port-on-linux
# stty -F /dev/ttyS0 115200 cs8 -cstopb -parenb
# /sbin/agetty 115200 ttyS0 linux
# dated info, but validation that this might work on debian:
# https://help.ubuntu.com/community/SerialConsoleHowto
# note in the nfsroot, systemd is not running.
echo "c0:2345:respawn:/sbin/agetty 115200 ttyS0 linux" >>/srv/fai/nfsroot/etc/inittab

# initially did the basic fai-chboot -Iv $std_arg default
# but found in console that it wanted to mount nfsroot
# to be the same as my dhcp server.
# Figured out to change the root= parameter from googling,
# and seeing fai-chboot -L
# using hostname failed.
# for -f, combined the 2 defaults so it will reboot and print to screen.

# Add debug to -f flag for more verbose output.

# background on choosing apt-cacher-ng:
# googling around a bit finds 2 main solutions:
# http://askubuntu.com/questions/3503/best-way-to-cache-apt-downloads-on-a-lan
# apt-cacher-ng doesn\'t have zeroconf.
# It touts having minimal dependencies, but I don\'t care.
# The downside to squid-deb-proxy is that it\'s config is for specific repos,
# you have to add all the repos you use.
# That is the main reason I use apt-cacher-ng.
# It has a web portal, at http://faiserver:3142/acng-report.html

# random fai note: as far as I can tell, profiles are just for putting
# in a selectable boot menu, which I don\'t want.

# the logsave prompted because the hostname faiserver was unknown.
# Here it was faiserver.lan when running from a faiserver vm.
# When running from a normal host with faiserver alias, it was the normal host's name.
$sed 's/(^[^,]+,)\S+/\1faiserver/' /srv/fai/nfsroot/root/.ssh/known_hosts
# ditch the logo banner up top which screws with less.
touch /srv/fai/nfsroot/.nocolorlogo