FreeLinuxPC.org and a neat Cobbler trick/idea (WIP)

The UCLUG guys at FreeLinuxPC.org have a warehouse of 600 computers they are setting up to give away to kids that need them.

Before this happens, they need to be securely erased. Now, we have instructions for using Cobbler to PXE DBAN (a secure erasure tool), and they could set up one network for erasure and another network for installation, but, at least theoretically, is it possible for Cobbler to install one OS (DBAN) and then install another right afterwards, using the Cobbler API to switch between them at reboot, so you don't have to move machines between networks or issue any cobbler commands at all? The theory is yes, though we're figuring this out.

This is a fun problem, a good cause, and a chance to abuse the Cobbler API some. Here goes...

Scenario:
   -- You have a bunch of new machines come in off trucks
   -- You need Cobbler records for each of them (per MAC), but do not want to record them manually
   -- Each new machine should be securely erased.
   -- After the machine is erased, it should get a new OS.
   -- Once the final OS is installed, the system should not be PXE'd again

Proposed Solution:
   -- First create two cobbler scripts using the Cobbler XMLRPC Read-Write API (to be provided later...stay tuned)
      -- add_system.cgi, which detects the MAC from HTTP vars and adds it to cobbler
      -- change_profile.cgi, which detects the MAC and takes a "profile" parameter, sets the system record for the MAC to the given profile
   -- Create a cobbler profile called "default"
      -- the default profile has "kssendmac" in the kernel args so the scripts can find the MAC
      -- wget http://cobbler.example.org/cgi-bin/add_system.cgi
      -- second wget to http://cobbler.example.org/cgi-bin/change_profile.cgi?profile=erase
      -- it does not call nopxe.cgi
   -- Create a second cobbler profile called "erase"
      -- modified DBAN initrd
      -- it first makes a wget to http://cobbler.example.org/cgi-bin/change_profile?profile=productionOS
      -- then it erases the machine and reboots
      -- it does not call nopxe.cgi
   -- "productionOS" is the final profile.
      -- it calls nopxe.cgi in post (already available in Cobbler) to stop the boot loop chain

So basically, with a couple of scripts written against the Cobbler API, we can boot a system three times, chaining what gets installed each time.

I think the scripts above are interesting enough to be used on a wider basis -- particularly the idea of making sure all MACs get a cobbler system record. The "change profile" scripts are a bit of a security problem, but not in this case as it's a limited use network. Either way, I plan on polishing these up a bit, explaining them further on the Wiki, and making them more generally useful.

--Michael
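
The post notes that change_profile.cgi is a security problem outside a limited-use network. The following is an added example, not code from the post or from Cobbler, of the request checks such a script could apply so that a machine can only move forward along the default -> erase -> productionOS chain. The header name used to carry the MAC and the `systems` dictionary standing in for the Cobbler system records are assumptions.

```python
import re
from urllib.parse import parse_qs

# Only the forward steps of the chain described in the post are permitted.
ALLOWED_NEXT = {"default": "erase", "erase": "productionOS"}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Assumption: the client reports its MAC in this header ("eth0 00:16:...").
MAC_HEADER = "HTTP_X_RHN_PROVISIONING_MAC_0"


def parse_mac(environ):
    """Return the normalized MAC from the CGI environment, or None."""
    fields = environ.get(MAC_HEADER, "").split()
    mac = fields[-1].lower() if fields else ""
    return mac if MAC_RE.match(mac) else None


def change_profile(environ, systems):
    """Validate one request. `systems` maps MAC -> current profile and
    stands in for the Cobbler system records (hypothetical store)."""
    mac = parse_mac(environ)
    if mac is None:
        return 400, "missing or malformed MAC"
    if mac not in systems:
        return 404, "no system record for this MAC"
    requested = parse_qs(environ.get("QUERY_STRING", "")).get("profile", [""])
    if len(requested) != 1:
        return 400, "exactly one profile parameter required"
    current = systems[mac]
    if ALLOWED_NEXT.get(current) != requested[0]:
        # Blocks skipping the erase step and re-arming a finished machine.
        return 403, "transition %s -> %s not allowed" % (current, requested[0])
    systems[mac] = requested[0]  # a real script would update Cobbler here
    return 200, "profile set to " + requested[0]
```

The MAC is still asserted by the client, so these checks narrow what a request can do rather than authenticate it; restricting the CGI to the provisioning network remains necessary.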

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
