mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-04 23:50:27 +00:00
Retire old diskless setup scripts
These scripts predate /etc/rc.diskless* and use a different scheme. A comment was added to them back in 2002 noting they were 3 years old at that point. Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D41951
This commit is contained in:
parent
97232e04ca
commit
7736786b08
|
@ -51,6 +51,12 @@
|
||||||
# xargs -n1 | sort | uniq -d;
|
# xargs -n1 | sort | uniq -d;
|
||||||
# done
|
# done
|
||||||
|
|
||||||
|
# 2023xxxx
|
||||||
|
OLD_FILES+=usr/share/examples/diskless/ME
|
||||||
|
OLD_FILES+=usr/share/examples/diskless/README.BOOTP
|
||||||
|
OLD_FILES+=usr/share/examples/diskless/README.TEMPLATING
|
||||||
|
OLD_FILES+=usr/share/examples/diskless/clone_root
|
||||||
|
|
||||||
# 20230905
|
# 20230905
|
||||||
OLD_FILES+=usr/share/doc/legal/realtek_rtw88_firmware.LICENCE
|
OLD_FILES+=usr/share/doc/legal/realtek_rtw88_firmware.LICENCE
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,6 @@ LDIRS= BSD_daemon \
|
||||||
IPv6 \
|
IPv6 \
|
||||||
bootforth \
|
bootforth \
|
||||||
csh \
|
csh \
|
||||||
diskless \
|
|
||||||
drivers \
|
drivers \
|
||||||
etc \
|
etc \
|
||||||
find_interface \
|
find_interface \
|
||||||
|
@ -74,13 +73,6 @@ SE_BOOTFORTH= \
|
||||||
SE_DIRS+= csh
|
SE_DIRS+= csh
|
||||||
SE_CSH= dot.cshrc
|
SE_CSH= dot.cshrc
|
||||||
|
|
||||||
SE_DIRS+= diskless
|
|
||||||
SE_DISKLESS= \
|
|
||||||
ME \
|
|
||||||
README.BOOTP \
|
|
||||||
README.TEMPLATING \
|
|
||||||
clone_root
|
|
||||||
|
|
||||||
SE_DIRS+= drivers
|
SE_DIRS+= drivers
|
||||||
SE_DRIVERS= \
|
SE_DRIVERS= \
|
||||||
README \
|
README \
|
||||||
|
|
|
@ -1,52 +0,0 @@
|
||||||
IMPORTANT NOTE:
|
|
||||||
|
|
||||||
As of Feb. 11, 2002 (and indeed, for quite some time before that),
|
|
||||||
the /etc/rc.diskless{1,2} scripts support a slightly different
|
|
||||||
diskless boot process than the one documented in the rest of
|
|
||||||
this file (which is 3 years old).
|
|
||||||
|
|
||||||
I am not deleting the information below because it contains some
|
|
||||||
useful background information on diskless operation, but for the
|
|
||||||
actual details you should look at /etc/rc.diskless1, /etc/rc.diskless2,
|
|
||||||
and the /usr/share/examples/diskless/clone_root script which can
|
|
||||||
be useful to set up clients and server for diskless boot.
|
|
||||||
|
|
||||||
--- $FreeBSD$ ---
|
|
||||||
------------------------------------------------------------------------
|
|
||||||
|
|
||||||
When templating, /conf/ME is typically a softlink to
|
|
||||||
/conf/<appropriate-machine>. When doing a diskless boot, /conf/ME is
|
|
||||||
retargeted by /etc/rc.diskless1 from pointing to the server to pointing
|
|
||||||
to the client's directory, /conf/<ip-address-of-client>. The retargeting
|
|
||||||
is accomplished through an MFS -o union mount.
|
|
||||||
|
|
||||||
When templating, this softlink should be different for each machine.
|
|
||||||
When doing a diskless boot, this softlink is typically part of the / NFS
|
|
||||||
mount from the server and points to the server's conf directory, but gets
|
|
||||||
retargeted during the /etc/rc.diskless1 phase.
|
|
||||||
|
|
||||||
System-wide configuration files must generally be targeted through /conf/ME.
|
|
||||||
For example, your /etc/rc.conf.local should become a softlink to
|
|
||||||
/conf/ME/rc.conf.local and your real rc.conf.local should go into the
|
|
||||||
appropriate /conf/<appropriate-machine> directory. This is also true of
|
|
||||||
/etc/rc.local, /etc/fstab, /etc/syslog.conf, /etc/ccd.conf, /etc/ipfw.conf,
|
|
||||||
/etc/motd, /etc/resolv.conf, and possibly even /etc/ttys ( if you want
|
|
||||||
to start an X session up on boot on certain of your machines ).
|
|
||||||
|
|
||||||
When templating, you duplicate your / and /usr partitions on each machine's
|
|
||||||
local disk from a single master ( assuming /var and /home reside elsewhere ),
|
|
||||||
EXCEPT for the /conf/ME softlink. The /conf/ME softlink is the only thing
|
|
||||||
on / that should be different for each machine.
|
|
||||||
|
|
||||||
There are often categories of configuration files. For example, all of your
|
|
||||||
shell machines may use one resolv.conf while all of your mail proxies may
|
|
||||||
use another. Configuration files can be categorized fairly easily through
|
|
||||||
/conf/HT.<category> directories. You put the actual configuration file in
|
|
||||||
/conf/HT.<category> and make a softlink from
|
|
||||||
/conf/ME/<appropriate-machines>/config-file to "../HT.<category/config-file".
|
|
||||||
This means that access to these files tends to run through more then one
|
|
||||||
softlink. The advantage is that for all the complexity of your /conf
|
|
||||||
directory hierarchy, most of your common config files exist in only one place
|
|
||||||
in reality.
|
|
||||||
|
|
||||||
|
|
|
@ -1,172 +0,0 @@
|
||||||
IMPORTANT NOTE:
|
|
||||||
|
|
||||||
As of Feb. 11, 2002 (and indeed, for quite some time before that),
|
|
||||||
the /etc/rc.diskless{1,2} scripts support a slightly different
|
|
||||||
diskless boot process than the one documented in the rest of
|
|
||||||
this file (which is 3 years old).
|
|
||||||
|
|
||||||
I am not deleting the information below because it contains some
|
|
||||||
useful background information on diskless operation, but for the
|
|
||||||
actual details you should look at /etc/rc.diskless1, /etc/rc.diskless2,
|
|
||||||
and the /usr/share/examples/diskless/clone_root script which can
|
|
||||||
be useful to set up clients and server for diskless boot.
|
|
||||||
|
|
||||||
--- $FreeBSD$ ---
|
|
||||||
------------------------------------------------------------------------
|
|
||||||
|
|
||||||
BOOTP configuration mechanism
|
|
||||||
|
|
||||||
Matthew Dillon
|
|
||||||
dillon@backplane.com
|
|
||||||
|
|
||||||
BOOTP kernels automatically configure the machine's IP address, netmask,
|
|
||||||
optional NFS based swap, and NFS based root mount. The NFS server will
|
|
||||||
typically export a shared read-only /, /usr, and /var to any number of
|
|
||||||
workstations. The shared read-only root is typically either the server's
|
|
||||||
own root or, if you are more security conscious, a contrived root.
|
|
||||||
|
|
||||||
The key issue with starting up a BOOTP kernel is that you typically want
|
|
||||||
to export read-only NFS partitions from the server, yet still be able to
|
|
||||||
customize each workstation ( or not ).
|
|
||||||
|
|
||||||
/etc/rc.diskless1 is responsible for doing core mounts and for retargeting
|
|
||||||
/conf/ME ( part of the read-only root NFS mount ) to /conf/$IP_OF_CLIENT.
|
|
||||||
/etc/rc.conf.local and /etc/rc.local, along with other machine-specific
|
|
||||||
configuration files, are typically softlinks to /conf/ME/<filename>.
|
|
||||||
|
|
||||||
In the BOOTP workstation /conf/$IP/rc.conf.local, you must typically
|
|
||||||
turn *OFF* most of the system option defaults in /etc/rc.conf as well
|
|
||||||
as do additional custom configuration of your environment
|
|
||||||
|
|
||||||
The /usr/src/share/examples/diskless directory contains a typical
|
|
||||||
X session / sshd based workstation configuration. The directories
|
|
||||||
involved are HT.DISKLESS/ and 192.157.86.12/.
|
|
||||||
|
|
||||||
Essentially, the $IP/ directory ( which rc.diskless looks for in
|
|
||||||
/conf/$IP/ ) contains all the junk. The HT.DISKLESS directory exists
|
|
||||||
to hold common elements of your custom configuration so you do not have
|
|
||||||
to repeat those elements for each workstation. The example /conf
|
|
||||||
structure included here shows how to create a working sshd setup ( so
|
|
||||||
you can sshd into the diskless workstation ), retarget xdm's pid and error
|
|
||||||
files to R+W directories if /usr is mounted read-only, and retarget
|
|
||||||
syslogd and other programs. This example is not designed to run out of
|
|
||||||
the box and some modifications are required.
|
|
||||||
|
|
||||||
>> NOTE << HT.DISKLESS/ttys contains the typical configuration required
|
|
||||||
to bring X up at boot time. Essentially, it runs xdm in the foreground
|
|
||||||
with the appropriate arguments rather then a getty on ttyv0. You must
|
|
||||||
run xdm on ttyv0 in order to prevent xdm racing with getty on a virtual
|
|
||||||
terminal. Such a race can cause your keyboard to be directed away from
|
|
||||||
the X session, essentially making the session unusable.
|
|
||||||
|
|
||||||
Typically you should start with a clean slate by tar-copying this example
|
|
||||||
directory to /conf and then hack on it in /conf rather then in
|
|
||||||
/usr/share/examples/diskless.
|
|
||||||
|
|
||||||
BOOTP CLIENT SETUP
|
|
||||||
|
|
||||||
Here is a typical kernel configuration. If you have only one ethernet
|
|
||||||
interface you do not need to wire BOOTP to a specific interface name.
|
|
||||||
BOOTP requires NFS and NFS_ROOT, and our boot scripts require MFS. If
|
|
||||||
your /tmp is *not* a softlink to /var/tmp, the scripts also require NULLFS
|
|
||||||
|
|
||||||
# BootP
|
|
||||||
#
|
|
||||||
options BOOTP # Use BOOTP to obtain IP address/hostname
|
|
||||||
options BOOTP_NFSROOT # NFS mount root filesystem using BOOTP info
|
|
||||||
options "BOOTP_NFSV3" # Use NFS v3 to NFS mount rootoptions
|
|
||||||
options BOOTP_COMPAT # Workaround for broken bootp daemons.
|
|
||||||
#options "BOOTP_WIRED_TO=de0"
|
|
||||||
|
|
||||||
options MFS # Memory File System
|
|
||||||
options NFS # Network Filesystem
|
|
||||||
options NFS_ROOT # Nfs can be root
|
|
||||||
options NULLFS # nullfs to map /var/tmp to /tmp
|
|
||||||
|
|
||||||
BOOTP SERVER SETUP
|
|
||||||
|
|
||||||
The BOOTP server must be running on the same logical LAN as the
|
|
||||||
BOOTP client(s). You need to setup two things:
|
|
||||||
|
|
||||||
(1) You need to NFS-export /, /usr, and /var.
|
|
||||||
|
|
||||||
(2) You need to run a BOOTP server. DHCPD can do this.
|
|
||||||
|
|
||||||
|
|
||||||
NFS Export:
|
|
||||||
|
|
||||||
Here is an example "/etc/exports" file.
|
|
||||||
|
|
||||||
/ -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
|
||||||
/usr -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
|
||||||
/var -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
|
||||||
|
|
||||||
In order to be an NFS server, the server must run portmap, mountd,
|
|
||||||
nfsd, and rpc.statd. The standard NFS server options in /etc/rc.conf
|
|
||||||
will work ( you should put your overrides in /etc/rc.conf.local on the
|
|
||||||
server and not edit the distribution /etc/rc.conf, though ).
|
|
||||||
|
|
||||||
BOOTP Server:
|
|
||||||
|
|
||||||
This configuration file "/etc/dhcpd.conf" example is for
|
|
||||||
the '/usr/ports/net/isc-dhcp' dhcpd port.
|
|
||||||
|
|
||||||
subnet 192.157.86.0 netmask 255.255.255.192 {
|
|
||||||
# range if you want to run the core dhcpd service of
|
|
||||||
# dynamic IP assignment, but it is not used with BOOTP
|
|
||||||
# workstations
|
|
||||||
range 192.157.86.32 192.157.86.62;
|
|
||||||
|
|
||||||
# misc configuration.
|
|
||||||
#
|
|
||||||
option routers 192.157.86.2;
|
|
||||||
option domain-name-servers 192.157.86.2;
|
|
||||||
|
|
||||||
server-name "apollo.fubar.com";
|
|
||||||
option subnet-mask 255.255.255.192;
|
|
||||||
option domain-name-servers 192.157.86.2;
|
|
||||||
option domain-name "fubar.com";
|
|
||||||
option broadcast-address 192.157.86.63;
|
|
||||||
option routers 192.157.86.2;
|
|
||||||
}
|
|
||||||
|
|
||||||
host test1 {
|
|
||||||
hardware ethernet 00:a0:c9:d3:38:25;
|
|
||||||
fixed-address 192.157.86.11;
|
|
||||||
option root-path "192.157.86.2:/";
|
|
||||||
option option-128 "192.157.86.2:/images/swap";
|
|
||||||
}
|
|
||||||
|
|
||||||
host test2 {
|
|
||||||
# hardware ethernet 00:e0:29:1d:16:09;
|
|
||||||
hardware ethernet 00:10:5a:a8:94:0e;
|
|
||||||
fixed-address 192.157.86.12;
|
|
||||||
option root-path "192.157.86.2:/";
|
|
||||||
option option-128 "192.157.86.2:/images/swap";
|
|
||||||
}
|
|
||||||
|
|
||||||
SWAP. This example includes options to automatically BOOTP configure
|
|
||||||
NFS swap on each workstation. In order to use this capabilities you
|
|
||||||
need to NFS-export a swap directory READ+WRITE to the workstations.
|
|
||||||
|
|
||||||
You must then create a swap directory for each workstation you wish to
|
|
||||||
assign swap to. In this example I created a dummy user 'lander' and
|
|
||||||
did an NFS export of /images/swap enforcing a UID of 'lander' for
|
|
||||||
all accesses.
|
|
||||||
|
|
||||||
apollo:/usr/ports/net# ls -la /images/swap
|
|
||||||
total 491786
|
|
||||||
drwxr-xr-x 2 root wheel 512 Dec 28 07:00 .
|
|
||||||
drwxr-xr-x 8 root wheel 512 Jan 20 10:54 ..
|
|
||||||
-rw-r--r-- 1 lander wheel 33554432 Dec 23 14:35 swap.192.157.86.11
|
|
||||||
-rw-r--r-- 1 lander wheel 335544320 Jan 24 16:55 swap.192.157.86.12
|
|
||||||
-rw-r--r-- 1 lander wheel 134217728 Jan 21 17:19 swap.192.157.86.6
|
|
||||||
|
|
||||||
A swap file is best created with dd:
|
|
||||||
|
|
||||||
# create a 32MB swap file for a BOOTP workstation
|
|
||||||
dd if=/dev/zero of=swap.IPADDRESS bs=1m count=32
|
|
||||||
|
|
||||||
It is generally a good idea to give your workstations some swap space,
|
|
||||||
but not a requirement if they have a lot of memory.
|
|
||||||
|
|
|
@ -1,301 +0,0 @@
|
||||||
IMPORTANT NOTE:
|
|
||||||
|
|
||||||
As of Feb. 11, 2002 (and indeed, for quite some time before that),
|
|
||||||
the /etc/rc.diskless{1,2} scripts support a slightly different
|
|
||||||
diskless boot process than the one documented in the rest of
|
|
||||||
this file (which is 3 years old).
|
|
||||||
|
|
||||||
I am not deleting the information below because it contains some
|
|
||||||
useful background information on diskless operation, but for the
|
|
||||||
actual details you should look at /etc/rc.diskless1, /etc/rc.diskless2,
|
|
||||||
and the /usr/share/examples/diskless/clone_root script which can
|
|
||||||
be useful to set up clients and server for diskless boot.
|
|
||||||
|
|
||||||
--- $FreeBSD$ ---
|
|
||||||
------------------------------------------------------------------------
|
|
||||||
|
|
||||||
TEMPLATING machine configurations
|
|
||||||
|
|
||||||
Matthew Dillon
|
|
||||||
dillon@backplane.com
|
|
||||||
|
|
||||||
This document describes a general mechanism by which you can template
|
|
||||||
/ and /usr. That is, to keep a 'master template' of / and /usr on a
|
|
||||||
separate machine which is then used to update the rest of your machines.
|
|
||||||
|
|
||||||
Generally speaking, you can't simply mirror /. You might be able to
|
|
||||||
get away with mirroring /usr. There are two main problems involved with
|
|
||||||
templating:
|
|
||||||
|
|
||||||
(1) Avoiding overwriting run-time generated files
|
|
||||||
|
|
||||||
By default, the system maintains a number of files in the root
|
|
||||||
partition. For example, sendmail will dbm /etc/aliases into
|
|
||||||
/etc/aliases.db. vipw or chpass or other password related routines
|
|
||||||
will regenerate the password dbm's /etc/spwd.db, /etc/pwd.db, and
|
|
||||||
passwd. /etc/namedb/s might contain generated secondaries. And
|
|
||||||
so forth.
|
|
||||||
|
|
||||||
The templating mechanism must avoid copying over such files.
|
|
||||||
|
|
||||||
(2) Customizing machines.
|
|
||||||
|
|
||||||
Customizing machines is actually considerably simpler. You create
|
|
||||||
a configuration hierarchy and convert the configuration files that
|
|
||||||
have to be customized into softlinks that run through a special
|
|
||||||
softlink in the configuration directory. This will work for every
|
|
||||||
configuration file except possibly /etc/master.passwd
|
|
||||||
|
|
||||||
For example, /etc/resolv.conf would be turned into a softlink to
|
|
||||||
/conf/ME/resolv.conf, and /conf/ME itself would be a softlink to
|
|
||||||
/conf/<HOSTNAME>. The actual resolv.conf configuration file
|
|
||||||
would reside in /conf/<HOSTNAME>.
|
|
||||||
|
|
||||||
If you have a lot of hosts, some configuration files may be commonly
|
|
||||||
classified. For example, all your shell machines might have the
|
|
||||||
same /etc/resolv.conf. The solution is to make
|
|
||||||
/conf/<HOSTNAME>/resolv.conf a softlink to a common directory, say
|
|
||||||
/conf/HT.SHELL/resolv.conf. It may sound a little messy, but this
|
|
||||||
sort of categorization actually makes the sysadmins job much, much
|
|
||||||
easier.
|
|
||||||
|
|
||||||
The /conf/ directory hierarchy is stored on the template and
|
|
||||||
distributed to all the machines along with the rest of the root
|
|
||||||
partition.
|
|
||||||
|
|
||||||
This type of customization is taken from my direct experience
|
|
||||||
instituting such a system at BEST. At the time, BEST had over 45
|
|
||||||
machines managed from a single template.
|
|
||||||
|
|
||||||
RUN-TIME GENERATED OR MODIFIED FILES IN / or /USR
|
|
||||||
|
|
||||||
/etc/aliases.db
|
|
||||||
/etc/master.passwd
|
|
||||||
/etc/spwd.db
|
|
||||||
/etc/pwd.db
|
|
||||||
/etc/passwd
|
|
||||||
/etc/namedb/s
|
|
||||||
/root/.history
|
|
||||||
/root/.ssh/identity
|
|
||||||
/root/.ssh/identity.pub
|
|
||||||
/root/.ssh/random_seed
|
|
||||||
/root/.ssh/known_hosts
|
|
||||||
/conf/ME
|
|
||||||
/kernel* ( note 2 )
|
|
||||||
/dev ( note 3 )
|
|
||||||
/var ( note 4 )
|
|
||||||
/home ( note 4 )
|
|
||||||
/lost+found
|
|
||||||
|
|
||||||
/usr/lost+found
|
|
||||||
/usr/home ( note 4 )
|
|
||||||
/usr/crash ( note 5 )
|
|
||||||
/usr/obj ( note 5 )
|
|
||||||
/usr/ports ( note 5 )
|
|
||||||
/usr/src ( note 5 )
|
|
||||||
/usr/local/crack ( note 5 )
|
|
||||||
/usr/local/lib/X11/xdm/xdm-errors ( note 6 )
|
|
||||||
/usr/local/lib/X11/xdm/xdm-pid ( note 6 )
|
|
||||||
/usr/local/etc/ssh_host_key ( note 6 )
|
|
||||||
/usr/local/etc/ssh_host_key.pub ( note 6 )
|
|
||||||
/usr/local/etc/ssh_random_seed ( note 6 )
|
|
||||||
|
|
||||||
/conf/ME ( note 7 )
|
|
||||||
|
|
||||||
note 2: You typically want to update kernels manually and *NOT*
|
|
||||||
template them as a safety measure. This also allows you to run
|
|
||||||
different kernels on different machines or.
|
|
||||||
|
|
||||||
note 3: /dev must be updated manually. Some devices, such as tty's and
|
|
||||||
pty's, use the access and/or modify time and/or user/group
|
|
||||||
operationally and regenerating the devices on the fly would be
|
|
||||||
bad.
|
|
||||||
|
|
||||||
note 4: /var and /home are usually separately mounted partitions and
|
|
||||||
thus would not fall under the template, but as a safety measure
|
|
||||||
the template copier refuse to copy directories named 'home'.
|
|
||||||
|
|
||||||
note 5: These are directories that are as often created directly on
|
|
||||||
/usr as they are separately-mounted partitions. You typically
|
|
||||||
do not want to template such directories.
|
|
||||||
|
|
||||||
note 6: Note that you can solve the problem of xdm and sshd creating
|
|
||||||
files in /usr. With xdm, edit /usr/local/lib/xdm/xdm-config
|
|
||||||
and change the errorLogFile and pidFile config lines.
|
|
||||||
|
|
||||||
With sshd, add 'HostKey' and 'RandomSeed' directives to specify
|
|
||||||
/var/db for the location of the host key and run-time sshd
|
|
||||||
random seed:
|
|
||||||
|
|
||||||
HostKey /var/db/ssh_host_key
|
|
||||||
RandomSeed /var/db/ssh_random_seed
|
|
||||||
|
|
||||||
note 7: In this example, /conf/ME is the machine customizer and must
|
|
||||||
be pointed to the /conf/<full-host-name>/ directory, which is
|
|
||||||
different for each machine. Thus, the /conf/ME softlink
|
|
||||||
should never be overwritten by the templating copy.
|
|
||||||
|
|
||||||
|
|
||||||
TYPICAL CUSTOMIZED CONFIGURATION SOFTLINKS
|
|
||||||
|
|
||||||
The following files typically need to be turned into softlinks
|
|
||||||
to /conf/ME/<filename>:
|
|
||||||
|
|
||||||
/etc/ccd.conf -> /conf/ME/ccd.conf
|
|
||||||
/etc/ipfw.conf ...
|
|
||||||
/etc/fstab
|
|
||||||
/etc/motd
|
|
||||||
/etc/resolv.conf
|
|
||||||
/etc/aliases
|
|
||||||
/etc/sendmail.cw
|
|
||||||
/etc/organization
|
|
||||||
/etc/named.conf
|
|
||||||
/etc/rc.conf.local
|
|
||||||
/etc/printcap
|
|
||||||
/etc/inetd.conf
|
|
||||||
/etc/login.conf
|
|
||||||
/etc/gettytab
|
|
||||||
/etc/ntp.conf
|
|
||||||
/etc/exports
|
|
||||||
/root/.k5login -> /conf/ME/root/.k5login
|
|
||||||
|
|
||||||
And, of course, /conf/ME is usually a softlink to the appropriate
|
|
||||||
/conf/<full-host-name>/. Depending on your system configuration,
|
|
||||||
there may be other files not listed above that you have to worry about.
|
|
||||||
|
|
||||||
In many cases, /conf/ME/filename is itself a softlink to
|
|
||||||
"../HT.xxxx/filename", where HT.xxxx is something like HT.STD ... this
|
|
||||||
added complexity actually makes it easier to manage multiple
|
|
||||||
classifications of machines.
|
|
||||||
|
|
||||||
DELETION OF FILES
|
|
||||||
|
|
||||||
Any file found on the template destination that does not exist in the
|
|
||||||
source and is not listed as an exception by the source should be deleted.
|
|
||||||
However, deletion can be dangerous and cpdup will ask for confirmation
|
|
||||||
by default. Once you know you aren't going to blow things up, you can
|
|
||||||
turn this feature off and update your systems automatically from cron.
|
|
||||||
|
|
||||||
By formalizing the delete operation, you can be 100% sure that it is
|
|
||||||
possible to recreate / and /usr on any machine with only the original
|
|
||||||
template and a backup of the ( relatively few ) explicitly-excepted
|
|
||||||
files. The most common mistake a sysop makes is to make a change to a
|
|
||||||
file in / or /usr on a target machine instead of the template machine.
|
|
||||||
If the target machine is updated once a night from cron, the sysop
|
|
||||||
quickly learns not to do this ( because his changes get overwritten
|
|
||||||
overnight ). With a manual update, these sorts of mistakes can propagate
|
|
||||||
for weeks or months before they are caught.
|
|
||||||
|
|
||||||
TEMPLATE COPYING AND SAFETY
|
|
||||||
THE CPDUP PROGRAM
|
|
||||||
|
|
||||||
The 'cpdup' program is a program which efficiently duplicates a directory
|
|
||||||
tree. The program copies source to destination, duplicating devices,
|
|
||||||
softlinks, hardlinks, files, modification times, uid, gid, flags, perms,
|
|
||||||
and so forth. The program incorporates several major features:
|
|
||||||
|
|
||||||
* The program refuses, absolutely, to cross partition boundaries.
|
|
||||||
i.e. if you were copying the template /usr from an NFS mount to
|
|
||||||
your /usr, and you had a mount point called /usr/home, the
|
|
||||||
template copying program would *NOT* descend into /usr/home on
|
|
||||||
the destination.
|
|
||||||
|
|
||||||
This is a safety.
|
|
||||||
|
|
||||||
* The program accesses a file called .cpignore in each directory
|
|
||||||
it descends into on the source to obtain a list of exceptions
|
|
||||||
for that directory -- that is, files not to copy or mess with.
|
|
||||||
|
|
||||||
This is a templating function.
|
|
||||||
|
|
||||||
* The program refuses to delete a directory on the destination
|
|
||||||
being replaced by a softlink or file on the source.
|
|
||||||
|
|
||||||
This is a safety mechanism
|
|
||||||
|
|
||||||
* The program is capable of maintaining MD5 check cache files and
|
|
||||||
doing an MD5 check between source and destination during the
|
|
||||||
scan.
|
|
||||||
|
|
||||||
* The program is capable of deleting files/directories on the
|
|
||||||
destination that do not exist on the source, but asks for
|
|
||||||
confirmation by default.
|
|
||||||
|
|
||||||
This is a templating and a safety mechanism.
|
|
||||||
|
|
||||||
* The program uses a copy-to-tmp-and-rename methodology allowing
|
|
||||||
it to be used to update live filesystems.
|
|
||||||
|
|
||||||
This is a templating mechanism.
|
|
||||||
|
|
||||||
* The program, by default, tries to determine if a copy is required
|
|
||||||
by checking modify times, file size, perms, and other stat
|
|
||||||
elements. If the elements match, it does not bother to copy
|
|
||||||
( unless an MD5 check is being made, in which case it must read
|
|
||||||
the destination file ).
|
|
||||||
|
|
||||||
You typically run cpdup on the target machine. The target machine
|
|
||||||
temporarily mounts the template machine's / and /usr via NFS, read-only,
|
|
||||||
and runs cpdup to update / and /usr. If you use this methodology note
|
|
||||||
that THERE ARE SECURITY CONSIDERATIONS! See 'SECURITY CONSIDERATIONS WITH
|
|
||||||
NFS' below.
|
|
||||||
|
|
||||||
Whatever script you use that does the NFS mounts should ensure that the
|
|
||||||
mount succeeded before continuing with the cpdup.
|
|
||||||
|
|
||||||
You should create .cpignore files in the appropriate directories on the
|
|
||||||
template machine's / and /usr partitions so as not to overwrite active
|
|
||||||
files on the target. The most critical .cpignore files should be
|
|
||||||
protected with 'chflags schg .cpignore'. Specifically, the ones in /
|
|
||||||
and /etc, but possibly others as well. For example, the .cpignore
|
|
||||||
hierarchy for protect /root is:
|
|
||||||
|
|
||||||
# /root/.cpignore contains
|
|
||||||
.history
|
|
||||||
|
|
||||||
# /root/.ssh/.cpignore contains
|
|
||||||
random_seed
|
|
||||||
known_hosts
|
|
||||||
authorized_keys
|
|
||||||
identity
|
|
||||||
identity.pub
|
|
||||||
|
|
||||||
WHEN INITIALLY CONVERTING A TARGET MACHINE TO USE TEMPLATING, ALWAYS
|
|
||||||
MAKE A FULL BACKUP OF THE TARGET MACHINE FIRST! You may accidentally
|
|
||||||
delete files on the target during the conversion due to forgetting to
|
|
||||||
enter items into appropriate .cpignore files on the source.
|
|
||||||
|
|
||||||
SECURITY CONSIDERATIONS WITH NFS ROOT EXPORT FROM TEMPLATE MACHINE
|
|
||||||
SECURITY CONSIDERATIONS WITH NFS USR EXPORT FROM TEMPLATE MACHINE
|
|
||||||
|
|
||||||
There are some serious security considerations that must be taken into
|
|
||||||
account when exporting / and /usr on the template machine.
|
|
||||||
|
|
||||||
* only export read-only
|
|
||||||
|
|
||||||
* the password file ( aka vipw ) may not contain any crypted passwords
|
|
||||||
at all. You MUST use ssh or kerberos to access the template machine.
|
|
||||||
|
|
||||||
You can get away with giving only root a crypted password, but only
|
|
||||||
if you disallow network root logins and only allow direct root
|
|
||||||
logins on the console.
|
|
||||||
|
|
||||||
* The machine's private ssh_host_key usually resides in /usr/local/etc.
|
|
||||||
You must move this key to /var/db. You can softlink link so no
|
|
||||||
modification of sshd_config is required.
|
|
||||||
|
|
||||||
* The machine's private ~root/.ssh/identity file is also exposed by
|
|
||||||
the NFS export, you should move this file to /var/db as well and
|
|
||||||
put a softlink in ~root/.ssh.
|
|
||||||
|
|
||||||
* DON'T EXPORT /var ! Either that, or don't put the private keys
|
|
||||||
in /var/db ... put them somewhere else.
|
|
||||||
|
|
||||||
* You may want to redirect the location of the random_seed file, which
|
|
||||||
can be done by editing ~root/.ssh/sshd_config and
|
|
||||||
/usr/local/etc/sshd_config so it is not exposed either.
|
|
||||||
|
|
||||||
-Matt
|
|
||||||
Matthew Dillon
|
|
||||||
dillon@backplane.com
|
|
||||||
|
|
|
@ -1,137 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# (C) 2001 Luigi Rizzo, Gabriele Cecchetti
|
|
||||||
# <Standard BSD copyright>
|
|
||||||
# Revised 2001.04.16
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# clone root filesystem for diskless root stuff
|
|
||||||
#
|
|
||||||
# usage
|
|
||||||
# clone_root all to do a full copy (e.g. bin, sbin...)
|
|
||||||
# clone_root update to recreate /var (including devices)
|
|
||||||
# clone_root to copy /conf and password-related files
|
|
||||||
#
|
|
||||||
# This script assumes that you use a shared readonly root and /usr
|
|
||||||
# partition. The script creates a partial clone of the root partition,
|
|
||||||
# and puts it into ${DEST} (defaults to /diskless_root ) on the server,
|
|
||||||
# where it is read.
|
|
||||||
#
|
|
||||||
# To run a diskless install you need to do the following:
|
|
||||||
#
|
|
||||||
# create /conf/default/etc/fstab
|
|
||||||
# this will replace the standard /etc/fstab and should contain
|
|
||||||
# as a minimum the following lines
|
|
||||||
# ${SERVER}:${DEST} / nfs ro 0 0
|
|
||||||
# ${SERVER}:/usr /usr nfs ro 0 0
|
|
||||||
# proc /proc procfs rw 0 0
|
|
||||||
#
|
|
||||||
# create /conf/default/etc/rc.conf
|
|
||||||
# this will replace the standard rc.conf and should contain
|
|
||||||
# the startup options for the diskless client. Most likely
|
|
||||||
# you will not need to set hostname and ifconfig_* because these
|
|
||||||
# will be already set by the startup code. You will also
|
|
||||||
# probably need to set local_startup="" so that the server's
|
|
||||||
# local startup files will not be used.
|
|
||||||
#
|
|
||||||
# create a kernel config file in /sys/i386/conf/DISKLESS with
|
|
||||||
# options MD_ROOT
|
|
||||||
# options BOOTP
|
|
||||||
# options BOOTP_NFSROOT
|
|
||||||
# options BOOTP_COMPAT
|
|
||||||
# and do a full build of the kernel.
|
|
||||||
# If you use the firewall, remember to default to open or your kernel
|
|
||||||
# will not be able to send/receive the bootp packets.
|
|
||||||
#
|
|
||||||
# On the server:
|
|
||||||
# enable NFS server and set /etc/exports as
|
|
||||||
# ${DEST} -maproot=0 -alldirs <list of diskless clients>
|
|
||||||
# /usr -alldirs
|
|
||||||
#
|
|
||||||
# enable bootpd by uncommenting the bootps line in /etc/inetd.conf
|
|
||||||
# and putting at least the following entries in /etc/bootptab:
|
|
||||||
# .default:\
|
|
||||||
# hn:ht=1:vm=rfc1048:\
|
|
||||||
# :sm=255.255.255.0:\
|
|
||||||
# :sa=${SERVER}:\
|
|
||||||
# :gw=${GATEWAY}:\
|
|
||||||
# :rp="${SERVER}:${DEST}":
|
|
||||||
#
|
|
||||||
# client1:ha=0123456789ab:tc=.default
|
|
||||||
#
|
|
||||||
# and make sure that client1 is listed in /etc/hosts
|
|
||||||
|
|
||||||
# VARIABLES:
|
|
||||||
# some manual init is needed here.
|
|
||||||
# DEST the diskless_root dir (goes into /etc/bootptab and /etc/exports
|
|
||||||
# on the server)
|
|
||||||
DEST=/diskless_root
|
|
||||||
|
|
||||||
# you should not touch these vars:
|
|
||||||
# SYSDIRS system directories and mountpoints
|
|
||||||
# DIRS mountpoints (empty dirs)
|
|
||||||
# PWFILES files related to passwords
|
|
||||||
# TOCOPY files and dirs to copy from root partition
|
|
||||||
|
|
||||||
SYSDIRS="dev proc root usr var"
|
|
||||||
DIRS="cdrom home mnt"
|
|
||||||
PWFILES="master.passwd passwd spwd.db pwd.db"
|
|
||||||
TOCOPY="bin boot compat etc modules sbin stand sys"
|
|
||||||
|
|
||||||
init_diskless_root() {
|
|
||||||
echo "Cleaning old diskless root ($DEST)"
|
|
||||||
cd /
|
|
||||||
rm -rf ${DEST} && echo "Old diskless root removed."
|
|
||||||
echo "Creating $DEST..."
|
|
||||||
mkdir -p $DEST && echo "New diskless root created."
|
|
||||||
echo "+++ Now copy original tree from / ..."
|
|
||||||
ex=""
|
|
||||||
(cd / ; tar -clf - ${TOCOPY} ) | (cd $DEST; tar xvf - )
|
|
||||||
#(cd / ; find -x dev | cpio -o -H newc ) | \
|
|
||||||
# (cd $DEST; cpio -i -H newc -d )
|
|
||||||
echo "+++ Fixing permissions on some objects"
|
|
||||||
chmod 555 $DEST/sbin/init
|
|
||||||
}
|
|
||||||
|
|
||||||
update_conf_and_pw() {
|
|
||||||
echo "+++ Copying files in /conf and password files"
|
|
||||||
(cd ${DEST} ; rm -rf conf )
|
|
||||||
(cd / ; tar clf - conf ) | (cd ${DEST}; tar xvf - )
|
|
||||||
mkdir -p ${DEST}/conf/etc # used to mount things
|
|
||||||
(cd /etc ; tar cvf - ${PWFILES} ) | (cd ${DEST}/etc ; tar xf - )
|
|
||||||
}
|
|
||||||
|
|
||||||
update() {
|
|
||||||
echo "+++ update: create mountpoints and device entries, kernel"
|
|
||||||
for i in ${SYSDIRS} ${DIRS}
|
|
||||||
do
|
|
||||||
rm -r -f ${DEST}/$i
|
|
||||||
mkdir -p ${DEST}/$i && chown root:wheel ${DEST}/$i && echo -n "$i "
|
|
||||||
done
|
|
||||||
echo "."
|
|
||||||
ln -s /var/tmp ${DEST}/tmp
|
|
||||||
echo "+++ Copying kernel from /sys/compile/DISKLESS"
|
|
||||||
cp /sys/compile/DISKLESS/kernel $DEST/kernel
|
|
||||||
echo "."
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Main entry point
|
|
||||||
case $1 in
|
|
||||||
all) # clean and reinstall the whole diskless_root
|
|
||||||
init_diskless_root
|
|
||||||
update
|
|
||||||
update_conf_and_pw
|
|
||||||
;;
|
|
||||||
|
|
||||||
update) # clean and rebuild mountpoints and device entries
|
|
||||||
update
|
|
||||||
update_conf_and_pw
|
|
||||||
;;
|
|
||||||
|
|
||||||
*) # copy /conf and password files
|
|
||||||
update_conf_and_pw
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
exit 0
|
|
||||||
### end of file ###
|
|
Loading…
Reference in a new issue