[debian-lan-devel] Post Installation Issues

Afif Elghraoui aelghrao at rohan.sdsu.edu
Fri Feb 13 09:02:58 UTC 2015


Hi, Andi,

On Thursday 12 February 2015 01:40, Andreas B. Mundt wrote:
> The default for Debian-LAN clients is to boot locally.  To install, I
> enable the (BIOS) boot menu on the client (and then use something like
> F12 to boot from the network). Then let FAI do the installation and boot
> locally again to start the installed system.
>
> However, this can be changed by using fai-chboot (-d / -e IIRC) on the
> server to switch to localboot respectively pxeboot.
>
> This can be done automatically too, but it opens some security
> concerns, cf. [1] and the discussion in the thread.
>
> It should also be possible to offer a pxe boot menu which allows you
> to choose a FAI pxe installation but by default boots from the local
> disk after some timeout.  It depends a bit on the situation what is
> appropriate (students lab, number of hosts, accessibility, security
> aspects, etc ...).
Oh, ok, this makes sense. We will probably just put fai-chboot -d
<hostname> in the post-install script. We're also changing the default
FAI_FLAGS for the pxe configuration templates to include 'reboot' to
have the machines automatically restart after installation. Thanks for
the link to that thread.
> Ah, I had this issue here too.  I haven't explored it yet, but it
> seems that for some reason the script [2] fails to work properly.  (In
> some cases?)  The log /var/log/dhcpd-keytab.log should tell you what
> happened.  This script is kind of an ugly hack.  It tries to copy the
> keytab to the client, both during installation and after the first
> boot of the installed machine.  As soon as the keytab has been copied
> 'somewhere', it is marked as 'tainted' so if someone triggers this
> mechanism maliciously (by faking a MAC address), the sysadmin notifies
> the prior use.  Depending on the situation, he can then take actions
> (create a new keytab or re-use it manually).
This is helpful information. We'll work on debugging this a little and
get back to you if we find anything.

Thanks and regards,
Afif
