author: Jon Clausen <jac@nordu.net> 2018-07-16 14:52:56 +0200
committer: Jon Clausen <jac@nordu.net> 2018-07-16 14:52:56 +0200
commit: f7c422941f67c7df60724368c0e3770b94faa491 (patch)
tree: a9a68ca4030c7a35c28c0e452ab9a5bae83bbec6 /README
parent: 09632c0f8b69528f238bd850be27afa33fc1206b (diff)
added README
Diffstat (limited to 'README')
-rw-r--r-- README 63
1 files changed, 63 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..bac3235
--- /dev/null
+++ b/README
@@ -0,0 +1,63 @@
+This is all very proof of concept, so assumptions about things are everywhere.
+
+The main goal is to be able to bootstrap the Supermicro SYS-5018D-FN8T 1U
+servers from scratch, with as little human intervention as possible.
+
+The kickstart template and scripts here accomplish that, up to and including
+cosmos bootstrap.
+
+c02vp1:ndn-boot-img-stuffs jac$ tree
+.
+|-- adapt-ks-template
+|-- create-boot-floppy
+|-- ks-template
+| `-- hw
+| `-- supermicro
+| `-- SYS-5018D-FN8T
+| `-- dtn-10g.ks
+`-- prep-boot-floppy-and-ks-config
+
+Run the wrapper script with options, something like this:
+
+jac@u1804-01:~$ ./bin/prep-boot-floppy-and-ks-config --host dtn-10g-01 \
+ -D nordu.net -I 109.105.122.136 -M 255.255.255.192 -G 109.105.122.129 \
+ --sec-ip 10.10.10.4 --sec-nm 255.255.255.0
+
+and out come the floppy image and a tailor made kickstart config:
+
+jac@u1804-01:~$ ls -l /var/www/html/install/dtn-10g-01.d/
+total 576
+-rw-rw-r-- 1 jac jac 1474560 Jul 16 13:53 dtn-10g-01.img
+jac@u1804-01:~$ ls -l /var/www/html/install/ks/dtn-10g-01.ks
+-rw-rw-r-- 1 jac jac 3161 Jul 16 13:54 /var/www/html/install/ks/dtn-10g-01.ks
+
+
+The floppy image can now be uploaded to the SYS-5018D IPMI, and the system be
+set to boot from this image.
+
+When the system boots, it will now retrieve kernel+initrd from the install
+server - in this case the same as the kickstart server - as well as the
+kickstart config, and run the install accordingly.
+
+In order to have some sort of verification that things have not been tampered
+with, the 'cosmos hash' is built into the boot floppy. If the boot floppy is
+copied from the web server using scp, and uploaded to the IPMI using https,
+it is reasonable to assume that integrity is preserved.
+
+When the install kernel is booted, it is given the cosmos hash as a cmdline
+option.
+
+The kernel does not recognize this option, and therefore ignores it, but;
+
+When the install comes to an end, the hash can be read from the kernel command
+line and passed to cosmos bootstrap. The nifty thing is that this ensures that
+the hash cannot be lost or mangled, since the kernel commandline cannot be
+changed once the kernel is running.
+
+Hence integrity is ensured all the way from the generation of the boot floppy,
+through system install, right up to cosmos bootstrap.
+
+Cosmos boostrap can be skipped by passing --cosmos-hash=disabled to the script,
+when generating the boot image.
+
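
Review bot: The closing claim "Hence integrity is ensured all the way from the generation of the boot floppy, through system install, right up to cosmos bootstrap" is broader than what the preceding paragraphs establish. The README says the booted system retrieves kernel+initrd and the kickstart config from the install server, but only the cosmos hash is described as built into the floppy, and nothing states how those downloads are transported or verified. Because the install environment is what reads the hash from the kernel command line and passes it to cosmos bootstrap, the guarantee depends on that kernel, initrd and kickstart config being the intended ones. Suggest either documenting the transport and verification used for those fetches, or narrowing the sentence to say that the hash value itself is carried unmodified from floppy generation to cosmos bootstrap. The last paragraph could also state what passing --cosmos-hash=disabled means for that guarantee, and "boostrap" there should read "bootstrap".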
+