Kickstart a cobbler server on Fedora 9 (and create offspring)


How many systems do you administer?



If you've ever had to install more than a trivial number of operating systems, you know how to appreciate a good automated installation system. Most (if not all) Linux distributions noticed this and started building automated installation systems. Debian has FAI and preseeding, Solaris has JumpStart and Red Hat has Kickstart. I must admit I took a stab at this problem myself by preseeding a Debian installation CD, but I've noticed that it takes too much of my time to rebuild the installation CD every time a new Debian release happens.



Lucky for me, Kickstart can supposedly be used to automate other Linux installations. That's why I've been looking at Kickstart lately. And what can I say? It works.



So here we go! Imagine this: I need to install 500 servers, all with different configurations.
I create 500 kickstart files, each defining the setup of a single system. Then I... walk up to each of my 500 systems, put in a CD, boot it, tell it where the kickstart file is and let the thing install.


All right, I can see some problems right there.





Man, administering systems is hard. In this light, it's a good thing I don't actually have to administer 500 systems. But the guys at Red Hat probably do and they came up with their next great idea.




Cobbler: Provisioning made easy



Almost 9 years ago, Intel invented the Preboot eXecution Environment (PXE), which allows e.g. diskless computers to boot over the network without any user interaction. As part of the boot process, the BIOS might try several disks, CD drives and floppy drives to boot from, after which it can ask a network card to do the same. The network card will then try to locate a suitable server from which it can get the data to boot with.



Setting up a TFTP server to do this is not that difficult, but some other steps are involved that combine many small easy tasks into a very big time-consuming list of tasks. This is where cobbler comes in.



Cobbler is a provisioning infrastructure that takes care of all the underlying details and components for you. After installing and configuring cobbler, you basically tell it which CD you want to "publish" through PXE and it just happens. Clients booting through PXE will then get a nice menu where they can select what they want to boot. Even better, you can tell cobbler about a specific system in advance (by registering its MAC address for example) and then that system won't see a menu at all; it will just boot into whatever you specify.


giggity

Right, let's look at how cobbler works



Cobbler concepts



There are 3 concepts that pop up all the time and that I needed to understand. I will describe them here as I understand them, AT NO EXTRA COST. You can thank me later.




Distributions

This is pretty much self-explanatory. A distribution is a ... If I want to install a CentOS 5 on an i386 somewhere, I need to make a "distribution" containing the CentOS 5 DVD which I can name "Centos 5 i386".

Profiles

This is what you get when you pack a distribution together with a kickstart file. If I want to install a CentOS 5 with an Apache and SSH server on it, I make a kickstart file for it and glue it together with a "Centos 5" distribution and call that a "Centos 5 Webserver+SSH" profile.

Systems

Associating a certain physical system with a profile happens through a "System" specification. If I want to install my cute yellow 486 here under the table using the "Centos 5 Webserver+SSH" profile, I need to make a system specification by specifying the MAC address, IP and hostname (tweety) I want for this server. Then I call this system "tweety".






Here's a little diagram to show how these things fit together. You can have several distributions (in pinkish red), each of which can have several profiles associated with it (green), each of which can have several systems associated with it (yellow).

Lab setup




On to the practical side of cobbler. I'm going to set up a cobbler server on Fedora 9 and use that to install another system using Fedora 9 as well. All of this will be done in VirtualBox.






The cobbler server will be named "vishnu" and it will have 2 network cards: eth0 will be connected to an internet-connected network with DHCP on it. eth1 will be connected to a private network without any traffic on it (static IP). The private network has IP range 172.16.1.0/24.




The machine to be installed using cobbler has no name really. It has 1 network card connected to the private network and boots PXE.



Kickstarting the cobbler server: vishnu



Installing cobbler is fairly simple. Install the base operating system, then use yum to install cobbler, edit some config files and you're done. This doesn't include adding distributions or profiles though.




But wait a minute. Do I really want to install vishnu manually? Booting the CD and going through the installation process, after which I have to log in, install packages and edit config files?
Of course not. This is exactly what kickstart was created for, so let's use it.



This is the kickstart file I use for vishnu:



#version=F9
install
text
cdrom
lang en_US.UTF-8
keyboard us
timezone --utc Europe/Brussels


# network settings
network --device eth0 --bootproto dhcp --hostname vishnu
network --device eth1 --bootproto static --ip 172.16.1.1 --netmask 255.255.255.0

# root account
authconfig --enableshadow --passalgo=sha512
rootpw --iscrypted $1$6cEAJbnh$TdRTNKsAnwE/PYw3dk/o20

# security
#firewall --enabled --ssh --dhcp --trust eth1
firewall --disabled
selinux --enforcing

# partitioning and bootloader
clearpart --all
autopart
bootloader --location=mbr

# reboot when done
reboot

%packages --nobase
acl
acpid
anacron
attr
authconfig
bind-utils
cronie
cyrus-sasl-plain
dhclient
ed
efibootmgr
eject
file
gpm
grub
hdparm
kbd
kernel
man
nc
nss_db
openssh-clients
openssh-server
prelink
rng-utils
selinux-policy-targeted
sendmail
setserial
setuptool
symlinks
system-config-firewall-tui
tcpdump
time
traceroute
vim-minimal
wget
which
yum-utils
%end

%post

# disable selinux
fpath=/etc/selinux/config
cp $fpath $fpath.orig
cat $fpath.orig | sed 's/^SELINUX=.*/SELINUX=disabled/' > $fpath

# enable networking, since we removed networkmanager
chkconfig network on

# provide good ls colors for a dark background
ln -s /etc/DIR_COLORS /root/.dir_colors

# now install some muchneeded packages
yum install -y bash-completion cobbler dhcp syslinux vim-enhanced

# setting server and next_server in /etc/cobbler/settings
fpath=/etc/cobbler/settings
cp $fpath $fpath.orig
cat $fpath.orig | sed 's/127.0.0.1/172.16.1.1/g' | sed 's/manage_dhcp:.*/manage_dhcp: 1/' > $fpath

# Must enable selinux boolean to enable Apache and web services components
setsebool -P httpd_can_network_connect true

# enable tftp
fpath=/etc/xinetd.d/tftp
cp $fpath $fpath.orig
cat $fpath.orig | sed 's/disable.*=.*/disable = no/' > $fpath

# start httpd at boot
chkconfig httpd on

# change default password "cobbler" to "trial"
for f in /etc/cobbler/*.ks;
do
cp $f $f.orig
cat $f.orig | sed 's/rootpw --iscrypted.*/rootpw --iscrypted \\\$1\\\$MZmukub3\\\$SMFCloWQ\/d2jhTC3nZOEK0/' > $f
done

# only do DHCP on eth1 (the dhcpd init script reads DHCPDARGS)
fpath=/etc/sysconfig/dhcpd
cp $fpath $fpath.orig
cat $fpath.orig | sed 's/DHCPDARGS=.*/DHCPDARGS=eth1/' > $fpath

# eth1 network is 172.16.1.0/24
fpath=/etc/cobbler/dhcp.template
cp $fpath $fpath.orig
cat $fpath.orig | sed 's/192.168.1/172.16.1/g' | grep -v "option routers" > $fpath

# start dhcpd at boot
chkconfig dhcpd on

# sync config
cobbler sync

%end

Download http://data.singularity.be/rh/vishnu-20080718


No need to fire up john to crack this crypted password, it's "trial".
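The hash above uses the "$1$" (MD5-crypt) scheme, and "rootpw --iscrypted" writes it to the system as-is regardless of "--passalgo=sha512", so anyone who can fetch the kickstart file over HTTP also gets that hash. The shell audit below is an added example, not part of the original post; it flags this together with the firewall and SELinux settings, and runs on a constructed, trimmed copy of the file with a placeholder hash.

```shell
#!/bin/sh
# Added example: flag risky settings in a kickstart file (reads files or stdin).
audit_kickstart() {
    awk '
    /^[ \t]*#/       { next }          # ignore comments, e.g. "#firewall --enabled"
    $1 == "%post"    { in_post = 1 }
    $1 == "%end"     { in_post = 0 }
    !in_post && $1 == "rootpw" {
        if ($0 !~ /--iscrypted/)     print "rootpw: plaintext password"
        else if ($NF ~ /^\$1\$/)     print "rootpw: MD5-crypt hash, --passalgo does not apply"
        else if ($NF !~ /^\$[56]\$/) print "rootpw: unrecognised hash scheme"
    }
    !in_post && $1 == "firewall" && /--disabled/ { print "firewall: disabled" }
    !in_post && $1 == "selinux" && /--(disabled|permissive)/ { print "selinux: " $2 }
    in_post && /SELINUX=disabled/ { print "selinux: disabled in %post" }
    ' "$@"
}

# Constructed sample: a trimmed copy of the file above with a placeholder hash.
sample_kickstart() {
    cat <<'EOF'
authconfig --enableshadow --passalgo=sha512
rootpw --iscrypted $1$PLACEHOLDER$NotARealHashValue000000
#firewall --enabled --ssh --dhcp --trust eth1
firewall --disabled
selinux --enforcing
%post
fpath=/etc/selinux/config
cat $fpath.orig | sed 's/^SELINUX=.*/SELINUX=disabled/' > $fpath
%end
EOF
}

sample_kickstart | audit_kickstart
```
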



Note that I specified a list of packages to install (%packages section) and told kickstart not to install anything else, not even the base system. There is no real-life use for this. The only purpose I had for stripping down a bare Fedora 9 install to the bare minimum, was minimizing installation time.



The other noteworthy part in this kickstart file is the %post section, which contains a script to be executed on the installed machine after installation completes. Here is what it does:




Disable selinux

By default, Fedora 9 switches on SELinux, which is a good thing. However, Apache was having problems with SELinux when I mounted a DVD under its document root. Because I don't have extensive SELinux knowledge to fix this, I took the cheesy way out and just disabled it. Note that you can also just put "selinux --disabled" in the kickstart file, but this way I have an excuse to try and fix my setup later...

Enable networking

This one is pretty silly and I suspect it is a Fedora bug. Because I have stripped down Fedora to the bare minimum, NetworkManager was not installed. I would have expected that Fedora took a moment to think about that and then enable networking without NetworkManager. But it didn't so I have to enable it manually.

Installing needed packages

Install cobbler and friends. Also install bash-completion (I'm a huge fan of bash-completion and am thrilled to have learned that bash-completion scripts will be included in future versions of cobbler!) and vim-enhanced.

Fix some settings

After installing cobbler, one would normally run "cobbler check" and fix everything cobbler complains about. Well, I did that in the script.

Only do DHCP on eth1

I'm a network administrator and my kind has a serious disgust of rogue DHCP servers on our networks. (So much in fact that I have wire cutters in my desk to cut through UTP cable from offending users). Since this cobbler setup deploys a DHCP server, make sure it only runs on the private network where it belongs: eth1.

Modify the dhcp.template file

The private network will use a DHCP range of 172.16.1.0/24

Switch on the dhcpd server

... so it will start at boot

cobbler sync

This command will generate config files for all cobbler components from templates and such.
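A sed substitution whose pattern is not present leaves the file unchanged and reports no error, so it is worth confirming after installation that the %post edits took effect. The check script below is an added example, not part of the original post; the file contents it builds are constructed, and DHCPDARGS as the variable read by the Fedora dhcpd init script is an assumption.

```shell
#!/bin/sh
# Added example: verify the files the %post script edits. ROOT lets the checks
# run against a copy of the tree; the sample file contents are constructed.
check_host() {    # usage: check_host ROOT DHCP_IFACE SERVER_IP
    root=$1 iface=$2 ip=$3 rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # dhcpd must listen on the private interface only
    # (assumption: DHCPDARGS is the variable the dhcpd init script reads)
    args=$(sed -n 's/^DHCPDARGS=//p' "$root/etc/sysconfig/dhcpd" | tr -d '"')
    [ "$args" = "$iface" ] || fail "DHCPDARGS is '$args', expected '$iface'"

    # tftp must be switched on in xinetd
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' \
        "$root/etc/xinetd.d/tftp" || fail "tftp is still disabled"

    # cobbler must hand out the private address and manage DHCP itself
    for key in server next_server; do
        awk -v k="$key:" -v v="$ip" '
            $1 == k { gsub(/[^0-9.]/, "", $2); if ($2 == v) ok = 1 }
            END { exit !ok }' "$root/etc/cobbler/settings" || fail "$key is not $ip"
    done
    grep -Eq '^manage_dhcp:[[:space:]]*1' "$root/etc/cobbler/settings" \
        || fail "manage_dhcp is not 1"

    # the template must not keep the default 192.168.1.x subnet
    if grep -q '192\.168\.1\.' "$root/etc/cobbler/dhcp.template"; then
        fail "dhcp.template still uses 192.168.1.x"
    fi
    return "$rc"
}

make_sample_root() {    # builds a constructed tree and prints its path
    r=$(mktemp -d)
    mkdir -p "$r/etc/sysconfig" "$r/etc/xinetd.d" "$r/etc/cobbler"
    echo 'DHCPDARGS=eth1' > "$r/etc/sysconfig/dhcpd"
    printf 'service tftp\n{\n\tdisable = no\n}\n' > "$r/etc/xinetd.d/tftp"
    printf 'manage_dhcp: 1\nnext_server: 172.16.1.1\nserver: 172.16.1.1\n' \
        > "$r/etc/cobbler/settings"
    echo 'subnet 172.16.1.0 netmask 255.255.255.0 {' > "$r/etc/cobbler/dhcp.template"
    echo "$r"
}

demo=$(make_sample_root)
check_host "$demo" eth1 172.16.1.1 && echo "all checks passed"
rm -rf "$demo"
```

On the installed server the call would be check_host / eth1 172.16.1.1, run as root.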



To use this kickstart file, boot a Fedora 9 DVD in a virtual machine with 2 network cards, of which eth0 is connected to a DHCP-enabled and internet-connected network. Then at the isolinux menu, press tab and add the following:




ks=http://data.singularity.be/rh/vishnu-20080718 ksdevice=eth0





In my lab, it takes only 9 minutes and 10 seconds after I press enter on the command line above until I get to vishnu's login prompt.





Vishnu's first offspring: localhost




Before we can create cobbler offspring, we need to set up a distribution and such. Normally when importing a distribution, cobbler copies all necessary files to the local disk. But I think that's a bit overkill for a simple lab setup like this. So instead, I will mount the DVD and make it available over HTTP.



Log in to vishnu and execute these commands:



mkdir /var/www/cobbler/mounted
mount /dev/cdrom /var/www/cobbler/mounted
cobbler import --name=F9 --mirror=/var/www/cobbler/mounted/ --available-as=http://172.16.1.1/cobbler/mounted/
cobbler distro edit --name=F9-i386 --ksmeta="tree=http://@@server@@/cobbler/mounted"
cobbler profile edit --name=F9-i386 --kickstart=/etc/cobbler/sample.ks
cobbler sync


Breaking it down with explanations


mkdir /var/www/cobbler/mounted

... creates a mountpoint for the Fedora 9 DVD



mount /dev/cdrom /var/www/cobbler/mounted

... mount the DVD there



cobbler import --name=F9 --mirror=/var/www/cobbler/mounted/ --available-as=http://172.16.1.1/cobbler/mounted/

... import the distribution, but tell cobbler to not mirror it and instead send the client to the given URL. This URL is the reason why the DVD is mounted under the Apache document root.



cobbler distro edit --name=F9-i386 --ksmeta="tree=http://@@server@@/cobbler/mounted"

... tell cobbler how to fill in the "$tree" variable for this distribution. Normally this is handled by "cobbler import", but this is not a normal setup so we need to fix it manually (for now)


cobbler profile edit --name=F9-i386 --kickstart=/etc/cobbler/sample.ks

... for some reason, cobbler gives an error with the above import command and does not link a kickstart file to the F9-i386 profile, so I fix this manually as well. It is probably a bug. This is what the error looked like:




[[email protected] ~]# cobbler import --name=F9 --mirror=/var/www/cobbler/mounted/ --available-as=http://172.16.1.1/cobbler/mounted/
---------------- (adding distros)
- scanning /var/www/cobbler/mounted for architecture info
- kernel header found: kernel-headers-2.6.25-14.fc9.i386.rpm
- creating new distro: F9-i386
- creating new profile: F9-i386
- scanning /var/www/cobbler/mounted for architecture info
- kernel header found: kernel-headers-2.6.25-14.fc9.i386.rpm
- creating new distro: F9-xen-i386
- creating new profile: F9-xen-i386
---------------- (associating kickstarts)
- finding default kickstart template for fedora 9.0
/var/www/cobbler/mounted/, /var/www/cobbler/mounted, -1
Error: possible symlink traversal?: /var/www/cobbler/mounted
[[email protected] ~]#


cobbler sync

... and sync cobbler configs



Now you're done!
Boot a fresh machine using PXE and you should get a nice menu like this:





Select F9-i386 and press enter. The installation process should take over and do everything automatically from there on.




PS: And what about hiring an army of monkeys with typewriters to generate the kickstart files? There's a solution for that too. It's called puppet, but that's a story for a later time.