I've got a fun puzzle. I've got a large set of remote machines that I need to re-image, all of which need to have the same image when I'm done. However, for various reasons I can't rely on having anyone on-site physically touch them (client locations, many of which are locked and unattended). They're all Linux boxes (various versions of CentOS for the base operating system), and I have root access via ssh. They've also got different hardware setups (the new image can work with any of the processors or motherboards we have deployed, though). All of them have a boot partition (sda1 - grub based), a system partition (sda2), and a swap partition (sda3). Some of them have others as well, but it's OK if I nuke those (I can back up and restore anything not explicitly temporary in our documentation).
I've figured out a way to use Clonezilla to do this in the case where I have two hard disks (Quick summary: make a fully-auto ISO disk image of clonezilla that contains the new image set to redo sda and then reboot, scp it to the remote machine, use dd to put that on the second disk, tell the first disk to boot the second disk, then reboot the machine - it comes up, the first disk boot tells the second disk to boot, which is the clonezilla ISO; the clonezilla iso does the full auto overwrite of the first disk, then reboots; when it comes up on the first disk again, it has the new image).
What I'm trying to puzzle out right now is how to do the same thing in the case where I don't have a second hard disk. I'm thinking I might be able to shut down all services to free up memory, turn off the swap, put something in the swap partition, and direct the server to boot off of that... however, my iso image size from the two-disk method is about 4 GB, and my swap size is as low as 979,956 kilobytes (as reported by top). I've got some sensitive things on the image as well (ssl certs and such). Would it perhaps be possible to, say, make a clonezilla image that:
1) Has a decryption key already built-in (I can transmit the image securely, and can largely trust the end-point, so this isn't a problem for me),
2) Grabs encrypted image files off of an http server (rather than locally),
3) Uses those and the decryption key to replace all contents on sda2, and
4) Modifies grub on sda1 to boot sda2
Because if I can get it to do that, I can set up grub to point at sda3, replace sda3 with that clonezilla image, then reboot the machine to complete the re-image.
Does anyone happen to know how I might go about 1-4 (or similar)?
Thank you.
I don't really trust security across the internet on NFS or SAMBA, and a local device is of course not going to work here (there won't be one that won't be overwritten - and not all of these machines will have sufficient RAM to just load the whole thing). So I either need to have no authentication on the repository and use an encrypted image - in which case, I need help figuring out how to tell the customized clonezilla live what decryption key to use... and I'll need help with that (I am not sure where it's hiding). Alternately, I can set up authentication on https/ssh, but then again: I need to figure out how to tell the clonezilla image the correct authentication information without anyone standing at the machine. How do I pull that off?
Ah, there we go. Username and password info are taken from stdin, so echo can do it; thus, I can build a script that looks something like:
echo -e "$DAVFSUSER\n$DAVFSPASS" | /bin/mount -t davfs -o ro "https://$URL" "$MOUNTDIR"
(after assigning the appropriate variables, of course), and run that script in one of the ocs_preruns.
However, networking isn't on by default. I can harvest the IP info off of the source machine (not all locations will have a DHCP server)... how do I turn on networking in a clonezilla shell script?
Ah, there we go. Again, after setting the relevant variables (which I can harvest off the source image readily enough), I can use:
    # Create resolv.conf (does not exist on the default clonezilla image)
    echo -n > /etc/resolv.conf
    # Use a separate loop variable here: $IP is the address of this box and
    # must not be clobbered by the nameserver list.
    for NS in 8.8.8.8 8.8.4.4 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6
    do
        echo nameserver $NS >> /etc/resolv.conf
    done
    # assume we haven't found one that works
    THISWORKS=false
    # Check all likely devices, given my hardware options
    for DEV in eth{0..9}
    do
        # Make sure the device actually exists before doing anything with it
        # (anchored match, so eth1 is not mistaken for eth10 and so on)
        if /sbin/ifconfig -a | grep -q "^$DEV[[:space:]:]"
        then
            # Set the IP and mask for this device
            /sbin/ifconfig $DEV $IP netmask $MASK up
            # Set the GW for this device
            /sbin/route add default gw $GATEWAY
            # Try it ten times to see if it works.
            # (Cards can take a bit to initialize sometimes.)
            for C in {1..10}
            do
                # Test is a ping
                if ping -c 10 -I $DEV 8.8.8.8
                then
                    # Stop the first time it does.
                    THISWORKS=true
                    break
                fi
            done
            # It worked, so don't bother checking the other devices.
            [ "$THISWORKS" = "true" ] && break
            # Clean out old IP info
            /sbin/ifconfig $DEV down
            # clean out the old route info
            /sbin/route del default gw $GATEWAY
        fi
    done
    if [ "$THISWORKS" = "false" ]
    then
        # Put abort stuff here; exit non-zero so the restore does not
        # proceed without a network (placeholder action)
        exit 1
    fi
... and if they're set up for dhcp (easy to determine), I can just call /sbin/dhclient and call it a day. Nifty! This can work.
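As an added example that is not part of this thread: a small script that makes the static-vs-DHCP decision from the source machine's CentOS ifcfg file before the reboot and prints the commands the ocs_prerun script would run. The ifcfg path, the device name and the sample values below are assumptions; the script refuses to emit a plan when a static value is malformed, since a bad address would leave an unattended box unreachable after the re-image.

```bash
#!/bin/bash
# Added example (not from the thread): harvest the source machine's network
# settings from a CentOS ifcfg file and emit the commands an ocs_prerun script
# should run, so static vs DHCP is decided and reviewed over ssh beforehand.

# Read one KEY=VALUE pair (surrounding quotes stripped) from an ifcfg-style file.
ifcfg_get() {            # ifcfg_get <file> <KEY>
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Accept only a dotted quad with every octet in 0..255. A value that merely
# looks like an address would still be accepted by ifconfig and strand the box.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the commands for the prerun script: dhclient for DHCP, otherwise the
# static ifconfig/route pair. Returns 1 and prints nothing if the static
# settings are missing or malformed, so the caller can abort instead of guessing.
net_plan() {             # net_plan <ifcfg-file> <device>
    local f=$1 dev=$2 proto ip mask gw
    proto=$(ifcfg_get "$f" BOOTPROTO)
    if [ "$proto" = "dhcp" ]; then
        echo "/sbin/dhclient $dev"
        return 0
    fi
    ip=$(ifcfg_get "$f" IPADDR)
    mask=$(ifcfg_get "$f" NETMASK)
    gw=$(ifcfg_get "$f" GATEWAY)
    valid_ipv4 "$ip" && valid_ipv4 "$mask" && valid_ipv4 "$gw" || return 1
    echo "/sbin/ifconfig $dev $ip netmask $mask up"
    echo "/sbin/route add default gw $gw"
}

# Typical use on the source machine (path assumed), before building the image:
#   net_plan /etc/sysconfig/network-scripts/ifcfg-eth0 eth0 > /tmp/net-plan.sh || echo "no usable network config"
```

The emitted plan can be copied into the ocs_prerun script alongside the resolv.conf setup, and the non-zero return is the hook for the abort path.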
It would be nice to have two distinct barriers to access, though... where do I find the password logic for encrypted images so that I can tell it to just use some decryption key/password that I'll upload with the image, rather than asking the local user...
Yes, of course if you can trust the end-point, then you can have a customized Clonezilla live to do that. There are some references you can refer to:
http://drbl.org/faq/fine-print.php?path=./2_System/81_add_prog_in_filesystem-squashfs.faq#81_add_prog_in_filesystem-squashfs.faq
http://clonezilla.org/fine-print-live-doc.php?path=./clonezilla-live/doc/99_Misc/00_live-boot-parameters.doc#00_live-boot-parameters.doc
Steven
Sorry it took me so long to reply; just got back from vacation. Thank you for replying.
From http://clonezilla.org/fine-print-live-doc.php?path=./clonezilla-live/doc/99_Misc/00_live-boot-parameters.doc#00_live-boot-parameters.doc
"ssh server: ssh://[user@]host[:port]/path (No password can be assigned in URI)
webdav server: http|https://host[:port]/path (No username and password can be assigned in URI)"
and
"if authentication is required, it will prompt you."