X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=README;h=5dd5d3df4bae069724be8c98f2469fcc2897e999;hb=cef9b6ede5c1e028bed1b4dc7895f5dfa121ad6b;hp=974fcc879eef8bab726bcec91267f954aeb6e914;hpb=a027429011d313e0d9156fef9451f5a55a588163;p=automated-distro-installer diff --git a/README b/README index 974fcc8..5dd5d3d 100644 --- a/README +++ b/README @@ -1,25 +1,44 @@ -Multi-boot/distro btrfs provisioning +PXE install w multi-boot, btrfs & Libreboot support Some things are specific to my home network, and uses files with secrets -that are not in this repo. Uses pxe or pxe-kexec (on libreboot, I have -not added a pxe rom, I use a minimal debian stable subvolume which acts -like a pxe rom). I use this for bare metal and vms, and two scripts -which can run post boot so I use them on vps distributed image as well. - -Features people may find useful: installs encrypted trisquel belanos, , -debian jessie, debian stretch, ubuntu 16.04, and arch (havne't done -recently, probably a bit broken), in a multi-boot setup using multiple +that are not in this repo. I use this for bare metal and vms, and two +scripts which can run post boot so I use them on vps distributed image +as well. + +Features people may find useful: installs encrypted trisquel, debian, +ubuntu, arch, and parabola (archlike install is likely broken, I've only +done pxe boots recently), in a multi-boot setup using multiple subvolumes of a single btrfs filesystem. Utilizes multiple disks, with scripts to automatically decrypt on intentional reboots, but not after shutdown or power loss. +Normal install mode for fai is using pxe, but on a libreboot system, +there is no pxe. The pxe in a normal computer is nonfree +firmware. Alternatives to normal pxe that I've tried: + +* libreboot + seabios + ipxe + +* Use a live cd to call pxe-kexec, this is described later in this file. + +* Use the fai autodiscover iso. This is more automated, so nicer. + +* Use an install method above to setup a gnu/linux disk partition that + coordinates with libreboot grub to acts like a pxe boot using + kexec. The boot process takes a bit longer than normal pxe. This is + the bootstrap partition in my scripts. + +Things I haven't tried: + +* The bios chip has enough room for an initrd. This could be setup to + work like the partition I use to kexec, but it would be faster, and + not require installing to disk. + The partititioning and filesystem script is at -fai/config/hooks/partition.DEFAULT. Other debian based distros at least -as new as ubuntu 14.04 should work fine, and I'm planning to add Fedora -support. Disks are grouped as ssd or hdd and raided in raid 1 or raid 0 -per configuration. The base partitions are divided into boot, swap, and -root, (only boot is unencrypted). There are scripts to resize those -partitions post-provision and while the system is running. +fai/config/hooks/partition.DEFAULT. Disks are grouped as ssd or hdd and +raided in raid 1 or raid 0 per configuration. The base partitions are +divided into boot, swap, and root, (only boot is unencrypted). There are +scripts to resize those partitions post-provision and while the system +is running. People who use fai may find these things as useful examples: it uses dnsmasq (on a openwrt machine) for dhcp instead of the isc @@ -45,29 +64,68 @@ Some of the scripts have dependencies for some simple obvious utility scripts from https://iankelling.org/git, and of course there are some hostnames that are specific to my network. -All scripts meant to be used directly are listed here: +# Per-host/install configuration + +Before doing a fai install, you will need to populate a class file. I +use one called 51-multi-boot, which you can see example of in +fai/config/class/50-host-classes. + + + +Before doing a fai install, you will need to populate /q/root/luks and +/q/root/shadow, see their references. You might also want to copy +existing /etc/ssh/*host* to +/p/c/machine_specific/HOST/filesystem/etc/ssh. -# Scripts to setup the environment for the install +host-* luks keyfiles generated like: +head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost -arch-pxe # Setup arch pxe boot server from an arch base image +Configuration of which luks key to use is in +fai/config/hooks/partition.DEFAULT + +Configuration of which (if any) shadow file to use is in +fai/config/distro-install-common/end +and which shadow file / luks file(s) to copy into the new machine depends +on fai-redep arguments. + +# Scripts (meant to be used directly): + + +# Setup the environment for the install + +# create tiny autodiscover cd +# todo: with fai-revm at least, this complains about missing vmlinuz. need to fix this. +fai-redep && sudo fai-cd -g $PWD/grub.cfg.autodiscover -f -A $BASEFILE_DIR/autodiscover.iso +# create normal fai cd (replace TARGET_HOSTNAME) +fai-redep -t TARGET_HOSTNAME && sudo fai-cd -M -g $PWD/grub.cfg.netinst-noreboot -f $BASEFILE_DIR/netinst.iso +# note, may need to set hostname, depending on config, +# and some other things for environment not on your lan +# for example see fai/config/class/LINODE.var. See linode notes below. + +mymk-basefile # Create basefiles for various distros +archlike-pxe # Setup pxe boot server from an archlike base image fai-redep # Deploy fai configuration to host "faiserver" -faiserver-revm # using pxe & preseed, create a vm which is a fai server faiserver-uninstall # uninstall fai-server faiserver-setup # install fai-server on the current machine -myfai-chboot # setup fai tftp and nfs. useful with pxe-kexec -pxe-server # disable/enable pxe dhcp, tfp, and nfs -wrt-setup-remote # setup my router in general: dhcp, dns, etc. +myfai-chboot # setup fai tftp and nfs. useful for doing pxe-kexec +pxe-server # disable/enable pxe dhcp, tfp, and nfs. calls myfai-chboot +wrt-setup # setup my router in general: dhcp, dns, etc. -# Scripts to do a distro install +# Script to do a distro install -arch-init-remote # install arch after it's been booted into it's setup env +faiserver-revm # using pxe & preseed, create a vm which is a fai server dsfull # install & post-install a new fai distro -fai-kexec # kexec to fai tftp server that pxe would normally point to +arch-init-remote # install arch after it's been booted into it's setup env +live-kexec # Kexec this or a remote machine using host faiserver. also + useful to run as curl live-kexec|bash + + +# Test scripts + arch-revm # test arch install on a fresh vm fai-revm # test fai install on a fresh vm -live-kexec # fai kexec from upstream live cds, e.g. curl live-kexec|bash # Scripts to call after a distro install for various reasons @@ -80,8 +138,123 @@ faiserver-disable # Disable the fai nfs server exports fresize # resize swap or boot partitions in a host -License stuff: -The license for the project is GPLv2 or later, mostly because fai is -and I periodically rebase off their example setup for debian. Also, -there is a modified encrypt.upstream, which is from the cryptsetup -package in arch, which is under the same license. +# Replacing a raid 10 disk + +# i expect better results with newer kernel and btrfs progs than the default stretch +fai-server buster + +pxe-server -S HOST fai + +# btrfs replace or delete. prefer replace. to setup partitions on replacement drive: +scp fai-wrapper HOST: +ssh root@HOST +. fai-wrapper +export SPECIAL_DISK=/dev/REPLACEMENT_DEV +/var/lib/fai/config/hooks/partition.DEFAULT + + +ssh root@HOST +for x in /target/* /target; do umount $x; done +cat >p +PASSWORD HERE(ctrl-d ctrl-d) +cd /dev/disk/by-id/ +for d in ata*part1; do cryptsetup luksOpen -d /root/p $d crypt_dev_$d; done +x=(/dev/mapper/*part1); mount -o subvol=root_trisquelflidas $x /mnt +# btrfs fi show /mnt +# btrfs replace start -f /dev/mapper/OLD_DEV /dev/mapper/NEW_DEV /mnt +# btrfs replace status /mnt +# nohup btrfs dev delete /dev/sde1 /mnt +mount -o subvol=boot_trisquelflidas /dev/sda3 /mnt/boot +# also replace or delete disk for boot +for x in dev proc sys; do mount -o bind /$x /mnt/$x; done +chroot /mnt /bin/bash +# replace disk in fstab +# replace disk in /etc/crypttab +update-grub +update-initramfs -u +mount /a +/a/exe/keyscript-on +exit +reboot + + +# Expected output in fai logs + +For flidas, when installing systemd, this error happens, and it's +a superflous upstream bug based on reading the post install script: + +addgroup: The group `systemd-journal' already exists as a system group. Exiting. +Operation failed: No such file or directory + + +# linode notes + +* create 2 disks, installer (3000 mb, raw), boot (remaining, raw) +* create 2 profiles w direct boot, no helpers: + * installer (sda=boot, sdb=installer, boot dev=sdb) + * boot (sda=boot) +* Boot into rescue mode, ssh in with lish, + curl url_to_some_fai_cd_created_image | dd of=/dev/sda + poweroff +* boot into installer. +* Lish shows console, at the end of install, it gives prompt because + logs failed to save remotely, check the logs, then reboot into boot + profile if all is well. If that doesn't happen, turn off lassie in + settings. + + +# ubuntu notes + +For someone who really needed ubuntu on host tp, otherwise they would +end up on a non-gnu os, and I didn't want to figure out how to get all +the default software installed, I did the following: + +# On remote host: +# install etiona +cd /b/fai +# set 51-multi-boot to set classes outside of fai-wrapper conditional, including NOWIPE +. fai-wrapper +./fai/config/hooks/partition.DEFAULT + +# on local host +# install ubuntu 20.04 using virt-install +s virt-install --os-variant=ubuntu16.04 --cdrom ubuntu-20.04-desktop-amd64.iso --disk path=u2004.qcow2 -r 2048 --vcpus 1 -n u2004 +sudo qemu-img create -o preallocation=metadata -f qcow2 u2004.qcow2 15G +modprobe nbd +qemu-nbd --connect=/dev/nbd0 u2004.qcow2 -f qcow2 +s mount /dev/nbd0p5 /mnt/1 +s rsync -avhSAXP --numeric-ids /mnt/1/ root@tp:/mnt/root/root_ubuntubionic + +# on remote host: +# mount boot and root to /mnt/1 +sudo -i +cd /mnt/1 +cp /tmp/fai/crypttab etc +cp /tmp/fstab etc +chrbind +chroot . +# install programs from /a/bin/fai/fai/config/package_config/STANDARD: +apt install openssh-client openssh-server cryptsetup keyutils btrfs-progs console-setup kbd pciutils usbutils unattended-upgrades initramfs-tools-core dropbear-initramfs +exit +# install authorized keys in dropbear and .ssh folder +chroot . +grub-install --no-floppy $(grub-probe -tdrive -d /dev/sda3) +update-grub +grub-bios-setup -d /boot/grub/i386-pc -s /dev/sda +exit +umount proc +umount dev +umount sys +reboot + + +# TODO +Change arch to archlike and to support arch and parabola + + +# License + +The license for the project is GPLv2 or later, mostly because fai is and +I periodically merge the upstream example config, which contains small +scripts. Also, there is a modified encrypt.upstream, which is from the +cryptsetup package in arch, which is under the same license.