One of the most widely used network installation setups is done through a kickstart server. Anyone who has ever built a Linux server from scratch knows this is a time-consuming process. Kickstart enables you to perform automated installations with flexible options, including pre-install and post-install package customization, custom scripting, logging, and more. By automating the installation of servers you can also scale a server farm quickly. This tutorial covers the basics of setting up a kickstart server and performing a network install.
Using a Lab for Testing
It is always better to test anything new in a lab environment so you can ensure things will go smoothly when deploying them in a live environment later on. For this tutorial I'm going to use VirtualBox for building out the kickstart server and the new client server. You can use any virtualization software you'd like, but VirtualBox happens to be free and easy. If you don't already have it set up you'll need to take care of that first. For more information on VirtualBox or its setup, refer to the following links:
Version Differences
Currently there are two branches of Red Hat/Centos in production use: version 5.x and 6.x. Their setup and configuration requirements differ, so they aren't interchangeable for the purposes of this tutorial. This tutorial specifically covers the Red Hat/Centos 5.x branch, and you will need version 5.5 or later to complete it.
Installing the Server
To get started we’ll create a new VirtualBox guest and install Centos. Use the following settings when creating your new VM:
- VM Name – KS-01
- VM OS – Linux (Red Hat 64-bit)
- 1024 MB RAM
- 20 GB Hard Drive (SATA Controller)
- Virtual CD/DVD – Centos 5.x
- Network Adapter One – Internal Network
- Network Adapter Two – Host-only Adapter
Once your guest VM is set up, double-click to power on the system. At this point you can either wait for the virtual CD drive to be detected or press F12 and then 'C' to force a boot from the virtual CD; either way the installer for Centos will begin. Follow all of the instructions to get the OS installed to your specific preferences. Here are the settings I have chosen for my install:
- System Hostname – Kickstart01
- Hard Drive – Default Layout
- Network Adapter One – DHCP/Active on Boot
- Network Adapter Two – DHCP/Active on Boot
- Packages – Base (no gnome or other desktop packages)
Network Interfaces
You may notice when you boot your system for the first time that there is an error bringing the first network interface online. This is because during installation I configured the VM to use DHCP, and there is no DHCP server on the internal network, so the interface is unable to acquire an IP address. To fix this you'll need to set up a static IP address for eth0.
Configure a Static IP
Step 1: Open the config file for eth0:
# nano /etc/sysconfig/network-scripts/ifcfg-eth0
Step 2: Keep the MAC address line (HWADDR), remove everything else in the file, and add the following:
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
ONBOOT=yes
Step 3: Save the file and exit your text editor.
Step 4: Now restart the network service for the changes to occur:
# service network restart
Shutting down interface eth0: [FAILED]
Shutting down interface eth1: [ OK ]
Bringing up loopback interface: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: Determining IP information for eth1... done. [ OK ]
You will now have two IP addresses that you can use on this system:
- eth0 – 192.168.1.10
- eth1 – 192.168.56.101
A static IP is required so your kickstart clients will know where to look when trying to install the OS later on. The eth1 address is assigned from an internal DHCP server that is configured when you install VirtualBox. If you don’t want to work with the VM window you can connect via SSH to eth1 from your host system. The eth1 adapter is only available from your host system, while eth0 is available to your entire internal network (which only consists of this server at the moment).
Web Server Setup
After your OS has been installed on the server successfully you'll need to choose which installation type you'd like to use for your kickstart server. There are three network install methods to choose from:
- NFS
- FTP
- HTTP
For this tutorial I’ll be using the HTTP method as it offers the quickest and easiest setup process. The other two methods offer more flexibility, but require more complexity to implement. Because we are using a lab environment that is cut off from the internet, we’ll need to mount the Centos ISO in order to install any new packages.
Setup a Local Repository
Step 1: Start by mounting the ISO file:
# mount /dev/cdrom /media
mount: block device /dev/cdrom is write-protected, mounting read-only
Step 2: Since we are locked into the lab, remove all existing repositories (back up the stock .repo files first if you plan to reconnect this server to a network mirror later):
# cd /etc/yum.repos.d/
# rm -f *.repo
Step 3: Create a new local repository in /etc/yum.repos.d/ and save it as local.repo (use any text editor):
[Local-Media]
name=CentOS-$releasever - Media
baseurl=file:///media/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Step 4: Clean out the old cache:
# yum clean all
Step 5: List the current repositories to let the system populate the new repository metadata:
# yum repolist
Now that our local repository is setup properly we'll need to install all the required packages for the kickstart server in order to use the HTTP method. As I mentioned earlier, this is the easiest method to use and as such only requires a single package to get going.
Install all Required Packages
Step 1: Install the httpd package, which is required to setup an Apache web server:
# yum install -y httpd
Step 2: Verify that the package was installed successfully:
# rpm -qa | grep httpd
Enable the Service on Boot
Step 1: Enable the service to start during system boot:
# chkconfig httpd on
Step 2: Verify:
# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Our web server is now successfully setup, however the service is purposely not running just yet.
Kickstart Setup
Now we'll need to turn our attention to putting all the necessary files in place for the client installation to occur properly. Our ISO file should still be mounted so we can pull all the required files and put them into the correct directory structure to be served up by the Apache web server.
Create the Directory Structure
Step 1: Move into the public web directory (default for Apache):
# cd /var/www/html
Step 2: Create the required directories:
# mkdir -p pub/kickstart
Copy the Centos ISO
Step 1: Copy the required files into the new /pub directory:
# cp -R /media/* /var/www/html/pub/
This copy process should take some time as you are copying the entire contents of the ISO (about 4 GB of data). When the copy has completed, verify that your /pub and /media directories are identical.
Creating the Kickstart File
Each client system that you wish to install will require a kickstart file in order to know what to install. Kickstart files can be very generic or extremely customized. You will need to create a kickstart file and make sure that it's accessible from the web server for the client to access. Earlier we created the /pub/kickstart directory, which we'll use to segregate our kickstart files (this also makes them easier to work with as the number of kickstart files increases). I'll provide you with a basic kickstart file that you can use to get started.
# Kickstart file for a basic install.
install
# Specifies the language
lang en_US.UTF-8
# Specifies the keyboard layout
keyboard us
# Skip Red Hat key input (disabled for Centos)
# key --skip
# Forces the text installer to be used (saves on time because a GUI doesn’t need to be loaded)
text
# Skips the display of any GUI during install
skipx
# Used with an HTTP install to specify where the install files are located
url --url http://192.168.1.10/pub/
# Assign a static IP address upon first boot & set the hostname
network --device eth0 --hostname KS-Client --bootproto=static --ip=192.168.1.100 --netmask=255.255.255.0
# Give the second interface a DHCP address (if you are not using a second interface comment this line out)
network --device eth1 --bootproto=dhcp
# Set the root password
rootpw --iscrypted <encrypt_password>
# Enable the firewall and open port 22 for SSH remote administration
firewall --enabled --port=22:tcp
# Setup security and SELinux levels
authconfig --enableshadow --enablemd5
selinux --permissive
# Set the timezone
timezone --utc America/New_York
# Create the bootloader in the MBR with drive sda being the drive to install it on
bootloader --location=mbr --driveorder=sda
# Wipe all partitions and build them with the info below
clearpart --drives=sda --all --initlabel
# Create a 100MB /boot partition
part /boot --fstype ext3 --size=100
# Create a 5GB / partition
part / --fstype ext3 --size=5000
# Create a 2GB swap
part swap --size=2000
# Use the rest of the free space on disk to create the /home partition
part /home --fstype ext3 --size=100 --grow
# Install the Base and Core software packages, plus OpenSSH server & client
# This is the bare minimum for a system to run (with remote access via SSH)
%packages
@ Core
@ Base
openssh-clients
openssh-server
Save the above kickstart file as sample.cfg in the /pub/kickstart directory (that is, /var/www/html/pub/kickstart/sample.cfg). The sample.cfg file is commented to explain what is going on at each step in the install process. The only thing missing from our sample.cfg kickstart file is the encrypted root password. I purposely left this out so you can generate your own.
Generate a root Password
Step 1: Create the root password:
# openssl passwd -1
Password:
Verifying - Password:
$1$jp8guCvs$T8IiVIAlBUzxvvz8DaEcq.
Step 2: Take the encrypted hash and insert it into your sample.cfg kickstart file:
rootpw --iscrypted $1$jp8guCvs$T8IiVIAlBUzxvvz8DaEcq.
Step 3: Once again, save the file.
Your sample.cfg kickstart file is now complete. Two things to keep in mind: the $1$ prefix marks an MD5-crypt hash, which is cheap to brute-force offline, and the file is served over plain HTTP to anyone on the internal network, so treat this root password as a lab credential and change it on the client after its first boot.
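Before serving a kickstart file it is worth checking it mechanically for the handful of settings that decide the security posture of every client built from it. The following Python script is an added example, not part of the original tutorial: it parses the command section of a kickstart file into (command, arguments) pairs and flags a missing, plaintext or placeholder rootpw, an MD5-crypt ($1$) hash, authconfig --enablemd5 with no --passalgo, a non-enforcing selinux line and a disabled firewall. SAMPLE_KS is a constructed copy of sample.cfg above with the placeholder still in place; the hardened variant used in the checks assumes your 5.x release accepts authconfig --passalgo=sha512, which is an assumption about your installer, not something the tutorial states.

```python
"""Audit a CentOS 5 kickstart file for the settings that matter most for security."""

# Constructed sample: the tutorial's sample.cfg with the root password
# placeholder still in place (comments trimmed).
SAMPLE_KS = """\
install
lang en_US.UTF-8
keyboard us
text
skipx
url --url http://192.168.1.10/pub/
network --device eth0 --hostname KS-Client --bootproto=static --ip=192.168.1.100 --netmask=255.255.255.0
network --device eth1 --bootproto=dhcp
rootpw --iscrypted <encrypt_password>
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --permissive
timezone --utc America/New_York
bootloader --location=mbr --driveorder=sda
clearpart --drives=sda --all --initlabel
part /boot --fstype ext3 --size=100
part / --fstype ext3 --size=5000
part swap --size=2000
part /home --fstype ext3 --size=100 --grow
%packages
@ Core
@ Base
openssh-clients
openssh-server
"""


def parse_kickstart(text):
    """Split a kickstart file into (commands, packages).

    commands: list of (name, [args]) from the command section, in file order.
    packages: the non-comment lines under %packages.
    Any other %section (%pre, %post) is skipped: its body is shell, not kickstart.
    """
    commands, packages = [], []
    section = "commands"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            section = line.split()[0]
            continue
        if section == "commands":
            name, *args = line.split()
            commands.append((name, args))
        elif section == "%packages":
            packages.append(line)
    return commands, packages


def option_value(args, opt):
    """Value of a kickstart option written as '--opt value' or '--opt=value', else None."""
    for i, arg in enumerate(args):
        if arg == opt and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(opt + "="):
            return arg.split("=", 1)[1]
    return None


def audit_kickstart(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    commands, _packages = parse_kickstart(text)
    by_name = {}
    for name, args in commands:
        by_name.setdefault(name, []).append(args)

    # rootpw: must be present, hashed, a real hash, and not MD5-crypt ($1$).
    rootpw = by_name.get("rootpw", [])
    if not rootpw:
        findings.append("rootpw: missing, the installer will prompt and the install is no longer unattended")
    for args in rootpw:
        if "--iscrypted" not in args:
            findings.append("rootpw: plaintext password stored in the kickstart file")
            continue
        value = next((a for a in args if not a.startswith("--")), "")
        if not value or value.startswith("<"):
            findings.append("rootpw: placeholder instead of a real hash")
        elif value.startswith("$1$"):
            findings.append("rootpw: MD5-crypt ($1$) hash, cheap to brute-force offline")
        elif not value.startswith(("$5$", "$6$")):
            findings.append("rootpw: hash is not SHA-crypt ($5$/$6$)")

    # --enablemd5 with no --passalgo makes MD5-crypt the default for every local account.
    for args in by_name.get("authconfig", []):
        if "--enablemd5" in args and option_value(args, "--passalgo") is None:
            findings.append("authconfig: --enablemd5 selects MD5-crypt for all local accounts")

    for args in by_name.get("selinux", []):
        if "--permissive" in args or "--disabled" in args:
            findings.append("selinux: not enforcing on the installed system")

    firewall = by_name.get("firewall", [])
    if not firewall:
        findings.append("firewall: no firewall line, relying on the installer default")
    for args in firewall:
        if "--disabled" in args:
            findings.append("firewall: disabled on the installed system")

    return findings


if __name__ == "__main__":
    for finding in audit_kickstart(SAMPLE_KS):
        print(finding)
```

Run against the sample as it stands, the script reports the placeholder root password, the permissive selinux line and the MD5 password algorithm; once the real hash is pasted in, the rootpw finding changes to the $1$ warning, which is the reason to rotate that password after the client's first boot.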
Server Security
To finish up with the kickstart server you'll need to adjust the default security settings which don't allow HTTP connections through the firewall.
Adjust the Firewall to Allow HTTP Connections
Step 1: Use the iptables command to create a new firewall rule:
# iptables -I RH-Firewall-1-INPUT 5 -p tcp --dport 80 -j ACCEPT
Step 2: Save the new firewall rule:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3: Restart the firewall service for the new rule to take effect:
# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Applying iptables firewall rules: [ OK ]
Unloading iptables modules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
Step 4: Verify that the new rule appears in the output of the firewall rules file:
# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [115:13140]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
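Rule order in RH-Firewall-1-INPUT matters: the chain ends with a REJECT, so an ACCEPT appended with -A instead of inserted with -I 5 lands after the REJECT and never matches, even though it shows up in the saved file. The following Python script is an added example, not part of the original tutorial: it parses text in the iptables-save format shown above and reports whether the ACCEPT for a given port precedes the chain's terminating REJECT, with two small helpers that simulate -A and -I on the saved text. SAVED_RULES is a constructed copy of the rules file.

```python
"""Check rule ordering in a saved iptables rules file (iptables-save format)."""
import re

# Constructed sample of /etc/sysconfig/iptables after the tutorial's
# `iptables -I RH-Firewall-1-INPUT 5 -p tcp --dport 80 -j ACCEPT`.
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [115:13140]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN = "RH-Firewall-1-INPUT"


def chain_rules(saved, chain):
    """Rules of `chain` in file order, without the '-A chain ' prefix."""
    prefix = "-A %s " % chain
    return [line[len(prefix):] for line in saved.splitlines() if line.startswith(prefix)]


def rule_position(saved, chain, pattern):
    """1-based position (as `iptables -L --line-numbers` shows it) of the first rule
    in `chain` matching the regex `pattern`, or None if no rule matches."""
    for number, rule in enumerate(chain_rules(saved, chain), start=1):
        if re.search(pattern, rule):
            return number
    return None


def port_is_reachable(saved, chain, port, proto="tcp"):
    """True if an ACCEPT for proto/port sits before the chain's terminating REJECT/DROP.
    iptables stops at the first terminating match, so anything after it is dead."""
    accept = rule_position(saved, chain, r"-p %s .*--dport %d .*-j ACCEPT" % (proto, port))
    reject = rule_position(saved, chain, r"-j (REJECT|DROP)\b")
    if accept is None:
        return False
    return reject is None or accept < reject


def append_rule(saved, chain, rule):
    """Simulate `iptables -A chain rule`: the rule goes after every existing rule."""
    lines = saved.splitlines()
    last = max(i for i, line in enumerate(lines) if line.startswith("-A %s " % chain))
    lines.insert(last + 1, "-A %s %s" % (chain, rule))
    return "\n".join(lines) + "\n"


def insert_rule(saved, chain, position, rule):
    """Simulate `iptables -I chain position rule`: the rule becomes rule number `position`."""
    lines = saved.splitlines()
    existing = [i for i, line in enumerate(lines) if line.startswith("-A %s " % chain)]
    lines.insert(existing[position - 1], "-A %s %s" % (chain, rule))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("port 80 is rule", rule_position(SAVED_RULES, CHAIN, r"--dport 80 "))
    print("port 80 reachable:", port_is_reachable(SAVED_RULES, CHAIN, 80))
    https = "-p tcp -m tcp --dport 443 -j ACCEPT"
    print("443 via -A reachable:", port_is_reachable(append_rule(SAVED_RULES, CHAIN, https), CHAIN, 443))
    print("443 via -I 5 reachable:", port_is_reachable(insert_rule(SAVED_RULES, CHAIN, 5, https), CHAIN, 443))
```

The same check is what `iptables -L RH-Firewall-1-INPUT -n --line-numbers` lets you do by eye on the live server: the port-80 ACCEPT must carry a lower number than the REJECT.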
Your firewall should now be configured properly for HTTP connections. The final adjustment depends on the state of SELinux. SELinux is enabled and enforcing by default (unless you changed it during installation). Under the default targeted policy Apache can serve files from /var/www/html as long as they carry the httpd_sys_content_t context, which files created in that directory normally receive, so check the file contexts (for example with ls -Z) before relaxing anything. The approach used in this tutorial is to modify one of the SELinux booleans so that httpd is no longer confined.
Adjust SELinux
Step 1: Before anything you should check the status of SELinux to find out which mode it is in:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Here you can see mine is enabled and enforcing. If your status shows permissive or disabled you can skip right to the end of this section. If yours is enforcing you have two options: set the httpd_disable_trans boolean (the simpler option, and it leaves SELinux enforcing for everything other than Apache) or change SELinux to permissive/disabled (requires a reboot and removes SELinux protection from the whole server). I'll show you how to do both options here; Option B is the one to prefer.
Option A - Disable SELinux Completely
Step 1: Open the SELinux config file with any editor:
# nano /etc/selinux/config
Step 2: Change the first option from enforcing to permissive or disabled:
SELINUX=disabled
Step 3: Reboot the system for changes to take effect:
# shutdown -r now
Option B - Set the httpd_disable_trans SELinux Boolean
Step 1: Query the boolean for its current value:
# getsebool -a | grep httpd_disable
httpd_disable_trans --> off
Step 2: Adjust the current value:
# setsebool -P httpd_disable_trans=1
Step 3: Verify the value has changed:
# getsebool -a | grep httpd_disable
httpd_disable_trans --> on
Once all your security settings are in place it is finally time to start up the Apache web service. Keep in mind that with httpd_disable_trans on, Apache no longer runs in the confined httpd_t domain, so revert the boolean once you have confirmed the file contexts under /var/www/html are correct and Apache serves the tree without denials.
Start the Web Service
Step 1: Start up Apache:
# service httpd start
Step 2: Verify the service is running correctly:
# service httpd status
httpd (pid 3206) is running...
Now everything should be in place. The kickstart server has been built, the kickstart file is in place, and you are ready to boot up your client to start testing a kickstart installation.
Client Installation
For the client installation you'll first need to create a new VM. Similar to the kickstart server, here are the settings that I'm using:
- VM Name - Client-01
- VM OS - Linux (Red Hat 64-bit)
- 512 MB RAM
- 8 GB Hard Drive (SATA Controller)
- Virtual CD/DVD - Centos Netinstall
- Network Adapter One - Internal Network
- Network Adapter Two - Host-only Adapter
Make sure to note the differences here. I'm using less RAM, a smaller hard drive, and the Centos netinstall ISO. The netinstall ISO is used to boot the system up to the point where it can connect to the HTTP server, download the kickstart file, and then hand off installation to the installer.
WARNING - You must use the same version Centos ISO and Netinstall ISO. For example if you copied the Centos 5.5 ISO into your /pub directory, you must use Centos 5.5 netinstall ISO as well. If you don't use the same version ISO the kickstart installation will fail!
It is possible to automate the installation process further using a PXE boot server, but that is covered in another tutorial. With the new VM ready to go, double-click to power it on. The boot screen will appear and you'll need to enter the command to start the installer:
boot: linux text ks=http://192.168.1.10/pub/kickstart/sample.cfg ip=192.168.1.100 netmask=255.255.255.0 ksdevice=eth0
WARNING - The above example is all one line.
This command tells the installer to boot the Linux kernel in text mode, fetch the kickstart file from the URL provided, and assign a static IP address to the client. The ksdevice option tells the installer to use the eth0 adapter to pull all the files over HTTP, and the static IP is required so the client can reach the kickstart server. Once you press Enter your job is done; sit back and watch the installer work. Make sure to take note of any errors or issues that arise during the install process (if any). If you do run into errors, retrace all your files and ensure everything is in the right place. Kickstart errors tend to be very cryptic, even for the most basic mistakes. If all goes well you should have a new client system up and running in around ten minutes! You can take this tutorial even further by setting up a DHCP server and PXE boot in order to fully automate the process.