The UCLUG guys at FreeLinuxPC.org have a warehouse of 600 computers they
are setting up to give away to kids that need them.
Before this happens, they need to be securely erased. Now, we have
instructions for using Cobbler to PXE DBAN (a secure erasure
tool), and they could set up one network for erasure and another network
for installation, but, at least theoretically, is it possible for Cobbler
to install one OS (DBAN) and then install another right afterwards,
using the Cobbler API to switch between them at reboot, so you don't have
to move machines between networks or issue any cobbler commands at
all? The theory is yes, though we're figuring this out.
This is a fun problem, a good cause, and a chance to abuse the Cobbler
API some. Here goes...
Scenario:
-- You have a bunch of new machines come in off trucks
-- You need Cobbler records for each of them (per MAC), but do not
want to record them manually
-- Each new machine should be securely erased.
-- After the machine is erased, it should get a new OS.
-- once the final OS is installed, the system should not be PXE'd again
Proposed Solution:
-- First create two cobbler scripts using the Cobbler XMLRPC Read-Write
API (to be provided later...stay tuned)
-- add_system.cgi, which detects the MAC from HTTP vars and adds it
to cobbler
-- change_profile.cgi, which detects the MAC and takes a "profile"
parameter, sets the system record for the MAC to the given profile
-- Create a cobbler profile called "default"
-- the default profile has "kssendmac" in the kernel args so the
scripts can find the MAC
-- wget http://cobbler.example.org/cgi-bin/add_system.cgi
-- second wget to
http://cobbler.example.org/cgi-bin/change_profile.cgi?profile=erase
-- it does not call nopxe.cgi
-- Create a second cobbler profile called "erase"
-- modified DBAN initrd
-- it first makes a wget to
http://cobbler.example.org/cgi-bin/change_profile?profile=productionOS
-- then it erases the machine and rebo
-- it does not call nopxe.cgi
-- "productionOS" is the final profile.
-- it calls nopxe.cgi in post (already available in Cobbler) to stop
the boot loop chain
So basically, with a couple of scripts written in Cobbler API, we can
boot a system three times, chaining what gets installed each
time.
I think the scripts above are interesting enough to be used on a wider
basis -- particularly the idea of making sure all MACs get a cobbler system
record. The "change profile" scripts are a bit of a security problem,
but not in this case as it's a limited use network. Either way, I plan
on polishing these up a bit, explaining them further on the Wiki, and
making them more generally useful.
--Michael
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
