Configuring automated install services

Introduction

This page describes how Alexis Huxley installed and configured an install server.

Prologue

  1. Run the following commands as root:
    TFTP_ROOTDIR=/srv/tftp
    DHCPDCONF_FILE=/etc/dhcp/dhcpd.conf
    DHCPD_PACKAGE=isc-dhcp-server
    MDI_MODROOT=$HOME/opt/mdi
  2. If you have not already moved ~/mdi into ~/opt/mdi then do so now.

Main procedure

  1. Install and configure the PXE server by running:
    apt-get install $DHCPD_PACKAGE dnsutils atftpd syslinux-common
    service openbsd-inetd restart
    > $DHCPDCONF_FILE
    cp /usr/lib/syslinux/pxelinux.0 $TFTP_ROOTDIR
    chmod 644 $TFTP_ROOTDIR/pxelinux.0
    mkdir -p $TFTP_ROOTDIR/pxelinux.cfg
    rm -fr $TFTP_ROOTDIR/pxe-images
    #  ln won't work as atftpd does a chroot
    #ln -s $MDI_MODROOT/lib/pxe-images $TFTP_ROOTDIR/pxe-images
    rsync -ax --delete $MDI_MODROOT/lib/pxe-images/ $TFTP_ROOTDIR/pxe-images/ 
  2. Install and configure the web server by running:
    apt-get install apache2-mpm-worker
    mkdir /var/www/preseed-files
    mkdir /var/www/mditgz-files
  3. Install PAA by running:
    apt-get install paa          #  should already be installed
    service apache2 reload       #  only needed if paa was not already installed
  4. PAA needs to be configured, but there are two ways to do this, depending on whether you have access to the old MDI-based install server or not.
    If you do have access then configure PAA pretty painlessly by:

    1. transfer the ~/.paa.sqlite file from the old MDI-based install server to this one
    2. on the old install server, move ~/.paa/paa.sqlite out of the way, so that the old install server does not try to update mirrors at the same time as the new install server.
    3. ensure that access to the local repos, mirrors, freezes and indirects is the same as on the old MDI-based install server
    4. copy over the contents of /var/lib/paa from the old MDI-based install server to this one
    5. run:
      service apache2 reload

    If you do not have access to the old MDI-based install server then:

    1. run:
      cd /usr/share/doc/paa/examples
      AUTOPAA_MODE=server ./autopaa
    2. delete unwanted mirrors and repositories
    3. add missing repositories and mirrors
    4. add missing hosts
    5. set up indirects
  5. Initialise MDI by running:
    ~/opt/mdi/bin/mdi-release
    ~/opt/mdi/bin/mdi init
  6. Debmirror wants the appropriate GPG keys in ~/.gnupg. The best way to do this is to:
    1. Run:
      paa -v mirror ALL-REPOS

      This may produce errors like this:

      gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': file open error
      gpgv: WARNING: multiple signatures detected.  Only the first will be checked.
      gpgv: Signature made Sat 04 May 2013 02:31:50 PM CEST using RSA key ID 473041FA
      [GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1367670710 9
      [GNUPG:] NO_PUBKEY AED4B06F473041FA
      gpgv: Can't check signature: public key not found
    2. Note the public key IDs that cause problems (in the above example it is 473041FA.)
    3. Add all bad keys to the GPG configuration, which debmirror requires, by running:
      while read KEY; do
          apt-key export $KEY | gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg \
              -q --import -
      done

      and enter the bad keys, one per line, finishing by pressing CTRL-D.

    4. Repeat this step until there are no such errors.
  7. A similar issue exists resulting in error messages like this one:
    gpgv: Signature made Sat 12 Oct 2013 02:02:10 PM CEST using RSA key ID 46925553
    [GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1381579330 9
    [GNUPG:] NO_PUBKEY 8B48AD6246925553
    gpgv: Can't check signature: public key not found
    gpgv: Signature made Sat 12 Oct 2013 02:03:44 PM CEST using RSA key ID 65FFB764
    [GNUPG:] ERRSIG 6FB2A1C265FFB764 1 8 00 1381579424 9
    [GNUPG:] NO_PUBKEY 6FB2A1C265FFB764
    gpgv: Can't check signature: public key not found

    The way to fix this is to run:

    cd /tmp
    wget http://ftp-master.debian.org/keys/archive-key-{5,6,7}.0.asc
    gpg --no-default-keyring --keyring trustedkeys.gpg --import archive-key-{5,6,7}.0.asc

    (This was taken in part from this website and in part from debmirror(1).)

  8. As a workaround for BTS#808216, edit /usr/bin/debmirror and replace this:
        elsif (m/^SHA1-Patches:/m) {
          while (defined($_ = <INDEX>)) {
            last if (!m/^\s/m);
            ($sha1, $size, $file) = m/^\s+([A-Za-z0-9]+)\s+(\d+)\s+(.*)/m;
            $diff_sha1{$file} = $sha1;
            $diff_size{$file} = $size;
          }
        }
      }
      close(INDEX);

    with this:

        elsif (m/^SHA1-Patches:/m) {
          while (defined($_ = <INDEX>)) {
            last if (!m/^\s/m);
            ($sha1, $size, $file) = m/^\s+([A-Za-z0-9]+)\s+(\d+)\s+(.*)/m;
            $diff_sha1{$file} = $sha1;
            $diff_size{$file} = $size;
          }
        }
        else {
          $_ = <INDEX>;
        }
      }
      close(INDEX);
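
Steps 6 and 7 above collect the missing key IDs by hand from gpgv's output. The following added example (not part of the original page) extracts them from a saved log instead, taking the 16-digit long ID from the `NO_PUBKEY` status lines rather than the 8-digit short ID, since short IDs can collide. The function names and the sample log are assumptions made for this example; `import_from_apt` wraps the page's own `apt-key export | gpg --import` pipeline.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Typical use on a saved log (file name hypothetical):
#   missing_key_ids < mirror.log | import_from_apt

# Print the unique long key IDs from "[GNUPG:] NO_PUBKEY <id>" lines on stdin.
# Only 16-hex-digit IDs pass, so nothing else from the log reaches a command line.
missing_key_ids() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" &&
         $3 ~ /^[0-9A-Fa-f]+$/ && length($3) == 16 {
             print toupper($3)
         }' | sort -u
}

# Read key IDs on stdin and copy each one from apt's keyring into debmirror's
# keyring. IDs that apt-key cannot export are printed, so they can be fetched
# and checked separately (the step 7 case). Hypothetical helper; run as root.
import_from_apt() {
    keyring=${1:-$HOME/.gnupg/trustedkeys.gpg}
    while read -r key; do
        tmp=$(mktemp) || return 1
        apt-key export "$key" > "$tmp" 2>/dev/null </dev/null
        if [ -s "$tmp" ]; then
            gpg --no-default-keyring --keyring "$keyring" -q --import "$tmp"
        else
            echo "$key"
        fi
        rm -f "$tmp"
    done
}

# Constructed sample: gpgv status lines in the format shown on this page,
# plus a duplicate, an indented line and a malformed ID.
sample_log() {
    cat <<'EOF'
gpgv: Signature made Sat 04 May 2013 02:31:50 PM CEST using RSA key ID 473041FA
[GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1367670710 9
[GNUPG:] NO_PUBKEY AED4B06F473041FA
gpgv: Can't check signature: public key not found
      [GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NO_PUBKEY 6FB2A1C265FFB764
[GNUPG:] NO_PUBKEY not-a-key-id
EOF
}

sample_log | missing_key_ids
```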

Weaning the new install server off the old install server

This section also gets the new install server using the mirrors created by paa run on the new install server.

  1. Update DNS so that references to the install server (i.e. in my case ‘install.pasta.net’) refer to the new install server.
  2. Run:
    service nscd restart
  3. As a test, run:
    apt-file update

    If the freezes that this host is directed to were created with squeeze’s debmirror (as would happen if the install server used to install this install server ran squeeze), then expect error messages like:

    Ignoring source without Contents File:
      http://security.debian.org/dists/wheezy/updates/contrib/Contents-amd64.gz
    Ignoring source without Contents File:
      http://security.debian.org/dists/wheezy/updates/main/Contents-amd64.gz
    Ignoring source without Contents File:
      http://security.debian.org/dists/wheezy/updates/non-free/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/debian-wheezy.bigoli/dists/wheezy/contrib/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/debian-wheezy.bigoli/dists/wheezy/main/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/debian-wheezy.bigoli/dists/wheezy/non-free/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/localprivate-deb.bigoli/dists/wheezy/main/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/localpublic-deb.bigoli/dists/wheezy/main/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/multimedia-wheezy.bigoli/dists/wheezy/main/Contents-amd64.gz
    Ignoring source without Contents File:
      http://install.pasta.net/multimedia-wheezy.bigoli/dists/wheezy/non-free/Contents-amd64.gz
  4. Run:
    for REPO in debian-wheezy localprivate-deb localpublic-deb multimedia-wheezy; do
        paa -v freeze $REPO
    done
    paa indirect ALL-REPOS $(uname -n) NEWEST-FREEZE
  5. As a test, run this command again:
    apt-file update

    There should now definitely not be any errors as above. Actually the error does persist! I’m not sure why! debmirror(1) suggests that use of ‘--getcontents --diff=mirror’ should fix this, but it does not.

Epilogue

This section is pretty site-specific; it is something I should do, but probably not something you should do.

  1. Ensure the install server has rights to create storage on storage servers and VMs on VM servers; for me, this means creating a key pair by running:
    rm -f ~/.ssh/id_dsa*
    ssh-keygen -q -t dsa -N "" -f ~/.ssh/id_dsa

    and then copying the public key into ~/.ssh/authorized_keys on fiori and torchio. (Since MDI is not using the ‘virsh’ plugin at the moment, this is not actually needed yet.)

  2. I need bs in order to complete the insertion of new DEBs into local repositories, so run:
    apt-get install bs
    echo "export BS_CONFIG=/home/alexis/dev/def/bs/doc/examples/bs-alexis.conf" >> ~/.profile
    . ~/.profile
  3. User ‘alexis’ should run:
    OLD_INSTALL_SERVER=gnocchi
    NEW_INSTALL_SERVER=bigoli
    cd ~/dev/def/bs/doc/examples
    make clean
    perl -pi -e "s/$OLD_INSTALL_SERVER/$NEW_INSTALL_SERVER/g" *
    make

Testing

  1. Shut down the old install server.
  2. Install a new system using the new install server.
