Installing Debian GNU/Linux Over a Network

We describe a system to install Debian/GNU Linux to a network of PC and Macs, from a central server.

Summary

Commands to set it all up on a Debian machine that is assumed to have dnsmasq running as a DHCP server/

$ wget http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz
$ sudo mkdir -p /srv/tftp
$ sudo tar --directory=/srv/tftp -xf netboot.tar.gz

$ git clone git://git.ipxe.org/ipxe.git
$ cd ipxe/src
$ make bin-x86_64-efi/ipxe.efi
$ sudo cp bin-x86_64-efi/ipxe.efi /srv/tftp

$ sudo awk -i inplace "/menuentry 'Install' {/{print\"\
menuentry 'Pre-seeded Install' {\n\
    set background_color=black\n\
    linux    /debian-installer/amd64/linux vga=788 \
debian-installer/locale=en_AU \
keyboard-configuration/xkb-keymap=us \
netcfg/get_domain=local \
mirror/protocol=http \
mirror/country=manual \
mirror/http/hostname=10.0.1.1:3142 \
mirror/http/directory=/debian mirror/http/proxy=\\\"\\\" \
apt-setup/non-free=true \
apt-setup/contrib=true \
clock-setup/ntp-server=10.0.1.1 \
clock-setup/utc=true \
time/zone=Australia/Sydney \
tasksel/include=\\\"standard ssh-server print-server gnome-desktop\\\" \
popularity-contest/participate=false --- quiet\n\
    initrd   /debian-installer/amd64/initrd.gz\n\
}\
\"}1" /srv/tftp/debian-installer/amd64/grub/grub.cfg

$ sudo cp /usr/lib/grub/x86_64-efi/modinfo.sh /srv/tftp/debian-installer/amd64/grub/x86_64-efi/modinfo.sh
$ sudo cp /usr/lib/grub/x86_64-efi/memdisk.mod /srv/tftp/debian-installer/amd64/grub/x86_64-efi/memdisk.mod
$ sudo cp /usr/lib/grub/x86_64-efi/tar.mod /srv/tftp/debian-installer/amd64/grub/x86_64-efi/tar.mod
$ sudo cp /usr/lib/grub/x86_64-efi/kernel.img /srv/tftp/debian-installer/amd64/grub/x86_64-efi/kernel.img
$ grub-mkstandalone -O x86_64-efi --directory=/srv/tftp/debian-installer/amd64/grub/x86_64-efi \
  --modules="efinet http font" -o grub2_standalone_x64.efi \
  /boot/grub/grub.cfg=/srv/tftp/debian-installer/amd64/grub/grub.cfg \
  /boot/grub/font.pf2=/srv/tftp/debian-installer/amd64/grub/font.pf2 \
  /debian-installer/amd64/initrd.gz=/srv/tftp/debian-installer/amd64/initrd.gz \
  /debian-installer/amd64/linux=/srv/tftp/debian-installer/amd64/linux
$ sudo cp grub2_standalone_x64.efi /srv/tftp

$ sudo echo -e "\
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/srv/tftp
" > /etc/dnsmasq.d/pxe.conf

$ sudo echo -e "\
dhcp-vendorclass=set:appleBootIntel,AAPLBSDPC/i386

dhcp-option=net:appleBootIntel,60,"AAPLBSDPC"
dhcp-boot=tag:appleBootIntel,ipxe.efi

dhcp-match=set:informDiscoverType,43,02:02:01
tag-if=set:informDiscover,tag:appleBootIntel,tag:informDiscoverType
dhcp-option=net:informDiscover,43,08:04:81:00:00:67

dhcp-match=set:informListType,43,01:01:01
tag-if=set:informList,tag:appleBootIntel,tag:informListType
dhcp-option=net:informList,43,01:01:01:04:02:ff:00:07:04:81:00:00:67:08:04:81:00:00:67:09:0b:81:00:00:67:06:44:65:62:69:61:6e

dhcp-match=set:informSelectType,43,01:01:02
tag-if=set:informSelect,tag:appleBootIntel,tag:informSelectType
dhcp-option=net:informSelect,43,01:01:02:08:04:81:00:00:67

dhcp-match=set:bootingX86-64Efi,option:client-arch,7
dhcp-boot=tag:bootingX86-64Efi,grub2_standalone_x64.efi
" > /etc/dnsmasq.d/bsdp.conf

$ sudo systemctl restart dnsmasq.service

How it Works (Short)

Get Debian netboot archive and unpack it to /srv/tftp.

Install iPXE to /srv/tftp. This is needed because the TFTP client in a Mac typically doesn't support negotiation of block sizes, and so cannot transfer a file longer than 32MB. A standalone GRUB EFI image, required futher down, is larger than 32MB.

Add an entry to the GRUB configuration file, to add preseeding of the Debian Installer questions, providing answers in advance as kernel boot parameters. This largely automates the install on machines which boot in EFI mode (eg. Apples).

Bundle GRUB, its configuration, a font file, the linux kernel and initial RAM disk into a single standalone EFI executable. This allows everything that the Debian Installer needs to be loaded as a single file from TFTP and run from the RAM of the client machine. We have to do this since GRUB doesn't seem to be able to access a TFTP based file system.

Configure dnsmasq to act as a PXE server. This can be used to install Debian on PCs which use BIOS mode for network booting. The boot file is /srv/tftp/pxelinux.0.

Configure dnsmasq to act as an BSDP server, the network boot protocol used by Apple. The BSDP implementation here is complete and robust, in that it can handle booting via either the BSDP menu using INFORM LIST and INFORM SELECT packets or the quicker method of making an offer of an image in response to a DHCP DISCOVER packet. Apples use UEFI mode rather than BIOS mode, so booting is done using GRUB, which can run in the UEFI environment. GRUB can't access the TFTP server, so everything it needs has to be bundled into a single (large) EFI image. This image is too large for the Mac's TFTP client to handle, so we first boot the iPXE bootloader (/srv/tftp/ipxe.efi), which is small enough for the Mac's TFTP client to handle. iPXE then chain loads the larger standalone GRUB image (/srv/tftp/grub2_standalone_x64.efi) via TFTP. GRUB then boots the Debian Installer's Linux kernel.

TODO: Preseeding for PXE. Make preseed file and add to tftp root. Add seed file to GRUB image root. Might need to add seed URL/filename to d-i kernel invocation? Deprecate kernal parameter preseeding, though need to add an option with no presseding by killing the preseed URL?

TODO: Try standard iPXE.efi

How it Works (Long)

Caveats

Preparing an iMac to join the school network

First remove the firmware password, so we can access the boot menu and chose to boot from the network:

1. Remove one RAM DIMM from the iMac.
2. Boot the iMac, whilst holding down the COMMAND+OPTION+P+R key combination.
3. Wait for the startup chime to sound 3 times
4. Release the keys.
5. Once booted shut the machine down.
6. Replace the RAM DIMM.
7. The password is now removed and you can enter the boot menu by holding down OPTION-R or do a network boot by holding the N key down during start up.

Ref: http://osxdaily.com/2009/10/19/bypass-mac-firmware-password/

Preparing a MacBook to join the school network

Perform a network boot by holding down the 'N' during start up. The Debian installation will start. Choose a preseeded install, which will provide sensible default answers to most questions during installation. For partitioning, delete the large HFS+ partation containing OS X, leaving the EFI partition intact and the recovery partition intact, then choose guided partitioning using the largest free contiguous space and all files on one partition.

Note that ipxe currently has a problem whereby it often (but not always) hangs whilst initialising the MacBook's Network Interface. It's not clear whether the problem is with iPXE or the MacBook's EFI firmware. Either way, one just has to keep trying over and over until iPXE does actually start the Debian Installer.

Preparing a PC to join the school network

Enter the BIOS and make sure that PXE booting from the network is enabled. Start the computer and enter the boot menu (F12 on a Dell). Choose network boot and the Debian Installer will start. Choose a preseeded install, which will provide sensible default answers to most questions during installation. For partitioning, choose to use the entire disk with and all files on one partition.

cfengine

sudo apt-get install cfengine3

Put promises in /var/lib/cfengine3/inputs/promises.cf

Edit /etc/defaults/cfengine3 and set
RUN_CFMONITORD=1
RUN_CFSERVERD=1
RUN_CFEXECD=1
then restart the cfengine3 service: systemctl restart cfengine3

Edit /var/lib/cfengine3/masterfiles/controls/def.cf and add the line
"10.0.1.0/24",
to the variable "acl" in bundle common def. This gives permission for machines on the network to access the policy hub.

On each machine: cf-agent --bootstrap 10.0.1.1