setup-storage - preserving LUKS partitions possible?

2023-08-31 Discussion threads Andreas Heinlein

Hello,

I have the following disk config:

disk_config disk1 disklabel:msdos bootable:1 align-at:1 fstabkey:uuid preserve_lazy:6
primary  /boot 1024 ext4    rw
logical  - 30720    -   -
logical  - 4-   -   -

disk_config lvm
vg vg1 disk1.5
vg1-root  /    23552    ext4    rw,errors=remount-ro
vg1-swap  - 4096    -   -
vg1-tmp   - 1024    -   -
vg1-varlog  /var/log    2048    ext4    rw

disk_config cryptsetup
tmp   - /dev/vg1/tmp    ext2    -
swap    -   /dev/vg1/swap   swap    -
luks   /media/daten  disk1.6 ext4    acl createopts="-L Daten"

When reinstalling, setup-storage tells me that it will preserve /dev/sda6, but 
nevertheless LUKS-formats it again and creates a new filesystem.
Apparently, "preserve" options are not available for cryptsetup blocks, at 
least according to the manpage. Is there any way to accomplish this?

Thanks,
Andreas


Re: Secure deploy of keys

2022-12-13 Discussion threads Andreas Heinlein
Hello,

I would be very interested if you find any solutions. By design, the FAI config 
space has to be somewhere where it is accessible without access control 
(anonymous NFS or whatever), and everything within it obviously has to be 
readable.

I guess you will need to find other solutions. As for the SSH keys, I am 
currently trying to publish SSH keys in DNS so clients can verify them. Haven't 
tested yet what happens when the client already has a (different) key in its 
known_hosts file, though.

Bye,
Andreas

On 13.12.22 at 14:47, Diego Zuccato wrote:
> Hello all.
>
> What's the recommended way to deploy (or re-deploy) security-sensitive 
> objects (just to say one: private ssh key to avoid client warnings when 
> redeploying a server)?
>
> TIA
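
Added example, not part of the thread: one way to publish host keys in DNS is as SSHFP records (RFC 4255), which this script derives from an OpenSSH public key line and checks against a published record. The host name, the sample keys (constructed, filled with one repeated byte) and all function names are assumptions.

```shell
#!/bin/bash
# Derive SSHFP records from OpenSSH public key lines and verify a key
# against a published record. Needs only base64 and sha256sum.

# Constructed sample key line: a well-formed ssh-ed25519 blob whose 32 key
# bytes are all the character given as $1. Placeholder, not a real host key.
sample_pubkey() {
    local blob
    blob=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
              printf '%32s' '' | tr ' ' "$1"
            } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s root@demo\n' "$blob"
}

# usage: sshfp_record <fqdn> < ssh_host_key.pub
# Prints "<fqdn> IN SSHFP <algorithm> 2 <sha256 of the decoded key blob>".
sshfp_record() {
    local fqdn keytype blob comment alg digest
    fqdn=$1
    read -r keytype blob comment || [ -n "$blob" ] || return 1
    [ -n "$blob" ] || return 1
    case $keytype in
        ssh-rsa)      alg=1 ;;
        ssh-dss)      alg=2 ;;
        ecdsa-sha2-*) alg=3 ;;
        ssh-ed25519)  alg=4 ;;
        *) echo "unsupported key type: $keytype" >&2; return 1 ;;
    esac
    # Reject blobs that are not valid base64 before hashing them.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    digest=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    # Fingerprint type 2 means SHA-256.
    printf '%s IN SSHFP %s 2 %s\n' "$fqdn" "$alg" "$digest"
}

# usage: sshfp_matches "<published record>" < presented_key.pub
# Succeeds only if the presented key hashes to the published record.
sshfp_matches() {
    local record expected
    record=$1
    expected=$(sshfp_record placeholder) || return 1
    # Compare algorithm, fingerprint type and digest; ignore the owner name.
    [ "${record#* IN SSHFP }" = "${expected#* IN SSHFP }" ]
}

# Record to publish for the (constructed) key of a redeployed host.
sample_pubkey A | sshfp_record host.example.org
```

On a real host `ssh-keygen -r <hostname>` prints the same records. OpenSSH clients accept them without prompting only when `VerifyHostKeyDNS yes` is set and the DNS answer is DNSSEC-validated.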



Weird generated hostname

2021-06-18 Discussion threads Andreas Heinlein
Hello,

I watched some weird behaviour of FAI today. It occurs when the IP address is 
assigned by DHCP and no hostname is supplied on the kernel command line.

I remember that FAI used to generate hostnames like '192-168-10-123' in that 
case.

Now it is '127-0-0-1/8 192-168-10-123'. Yes, including the slash and the space.

This leads to problems e.g. with apt-key; it wants to generate a temporary 
directory like '/etc/apt/trusted.gpg./.. Since the hostname contains 
a slash and a space, this fails and subsequently the whole installation fails.

I cannot tell when exactly this changed; usually our existing hosts have 
hostnames assigned with DHCP, only sometimes we install new machines without
assigning a hostname first.

Bye,
Andreas
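
Added example, not from the original post and not FAI's code: a guard that builds a name from the first non-loopback IPv4 address and rejects anything that is not a valid RFC 1123 hostname before it can end up in a path such as apt-key's temporary directory. The `ip -o -4 addr show` input format, the sample output and all function names are assumptions.

```shell
#!/bin/bash
# Constructed sample in the format of `ip -o -4 addr show`.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.10.123/24 brd 192.168.10.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Succeeds only for names made of letters, digits, '-' and '.', with
# labels of 1..63 characters that neither start nor end with '-'.
is_valid_hostname() {
    local name label old_ifs
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;   # rejects '/', spaces and the like
        .*|*.|*..*)       return 1 ;;   # rejects empty labels
    esac
    # Split on dots and check every label.
    old_ifs=$IFS; IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Reads `ip -o -4 addr show` output on stdin and prints the first address
# outside 127.0.0.0/8 with the prefix length removed and dots turned
# into dashes.
hostname_from_addresses() {
    awk '$3 == "inet" && $4 !~ /^127\./ {
             split($4, a, "/"); gsub(/\./, "-", a[1]); print a[1]; exit
         }'
}

# Prints the generated name, or fails loudly instead of handing a broken
# name to later installation steps.
generated_hostname() {
    local name
    name=$(hostname_from_addresses)
    if ! is_valid_hostname "$name"; then
        echo "refusing to use generated hostname '$name'" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

printf '%s\n' "$SAMPLE_IP_OUTPUT" | generated_hostname
```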


Re: dracut error during nfsroot update

2020-06-19 Discussion threads Andreas Heinlein
Are you sure this works on upgrade, too?

I called it with

fai-make-nfsroot -k -N -p -P -v

Bye,
Andreas

On 19.06.20 at 09:29, Thomas Lange wrote:
> That shouldn't be necessary. fai-make-nfsroot should install dracut-live
> and dracut-squash automatically.



Re: dracut error during nfsroot update

2020-06-19 Discussion threads Andreas Heinlein
Hello,

no I did not know that. But we were using FAI 5.9.4, dracut within the nfsroot 
was 050+35-4.

What helped was manually installing dracut-live in the nfsroot. Now everything 
works.

Bye,
Andreas

On 18.06.20 at 12:54, Thomas Lange wrote:
> Have you read this?
> https://lists.uni-koeln.de/pipermail/linux-fai/2020-April/012479.html
>
>
>>>>>> On Tue, 16 Jun 2020 09:31:46 +0200, Andreas Heinlein  
>>>>>> said:
> > Hello,
> > when trying to upgrade the nfsroot, we get
>
> >> dracut: Generating /boot/initrd.img-4.19.0-9-amd64
> >> dracut: dracut module 'livenet' cannot be found or installed.
> >> dpkg: error processing package dracut (--configure):
> >>    subprocess installed post-installation script returned error exit
> >> status 1
>



dracut error during nfsroot update

2020-06-16 Discussion threads Andreas Heinlein
Hello,

when trying to upgrade the nfsroot, we get

> dracut: Generating /boot/initrd.img-4.19.0-9-amd64
> dracut: dracut module 'livenet' cannot be found or installed.
> dpkg: error processing package dracut (--configure):
>   subprocess installed post-installation script returned error exit
> status 1

The nfsroot is based on Debian 10. I have found a similar problem on this list 
from 2017 
(https://lists.uni-koeln.de/pipermail/linux-fai/2017-June/011735.html). The 
solution then was to include curl in the nfsroot. Curl is installed in our 
nfsroot, we are using the NFSROOT list shipped with the current version.

Any ideas how to find out what is missing?

Thanks,
Andreas


Re: Upgrade error in nfsroot

2020-02-26 Discussion threads Andreas Heinlein
Hello,

I have to correct myself: upgrading the nfsroot worked, but the NFS root is not 
functional now. When booting, it says "cannot execute /etc/init.d/rcS". Indeed, 
/etc/init.d/rcS does not exist.

Is rcS supposed to be a real file or a link somewhere?

Thanks,

Andreas

On 26.02.20 at 08:31, Andreas Heinlein wrote:
> Hello,
>
> when upgrading FAI inside the nfsroot with 'fai-make-nfsroot -v -k -N', I got:
>
> Preparing to unpack .../15-fai-nfsroot_5.9.2_all.deb ...
> dpkg-divert: error: 'diversion of /etc/init.d/rcS to /etc/init.d/rcS.orig by 
> fai-nfsroot' clashes with 'diversion of /etc/init.d/rcS to 
> /etc/init.d/rcS.distrib by fai-nfsroot'
> dpkg: error processing archive 
> /tmp/apt-dpkg-install-hXzBfK/15-fai-nfsroot_5.9.2_all.deb (--unpack):
>  new fai-nfsroot package pre-installation script subprocess returned error 
> exit status 2
>
> when upgrading FAI from 5.9.1 to 5.9.2
>
> I had to manually chroot to the nfsroot and remove the diversion, then it 
> worked. Maybe this should be included in the preinst script.
>
> Bye,
>
> Andreas
>
>


Upgrade error in nfsroot

2020-02-25 Discussion threads Andreas Heinlein
Hello,

when upgrading FAI inside the nfsroot with 'fai-make-nfsroot -v -k -N', I got:

Preparing to unpack .../15-fai-nfsroot_5.9.2_all.deb ...
dpkg-divert: error: 'diversion of /etc/init.d/rcS to /etc/init.d/rcS.orig by 
fai-nfsroot' clashes with 'diversion of /etc/init.d/rcS to 
/etc/init.d/rcS.distrib by fai-nfsroot'
dpkg: error processing archive 
/tmp/apt-dpkg-install-hXzBfK/15-fai-nfsroot_5.9.2_all.deb (--unpack):
 new fai-nfsroot package pre-installation script subprocess returned error exit 
status 2

when upgrading FAI from 5.9.1 to 5.9.2

I had to manually chroot to the nfsroot and remove the diversion, then it 
worked. Maybe this should be included in the preinst script.

Bye,

Andreas




Re: fai-sed exit code

2020-01-13 Discussion threads Andreas Heinlein


On 13.01.20 at 13:04, Thomas Lange wrote:
> I can add such an option, which I already have with fcopy.
> In a shell script, you can use this code to always get exit 0 from a command.
>
> fai-sed .. || true

That is true, but this means that no error will get caught, not even syntax 
errors, file not found etc.

Andreas



Re: fai-sed exit code

2020-01-10 Discussion threads Andreas Heinlein


On 10.01.20 at 16:02, Thomas Lange wrote:
> I want to distinguish if fai-sed has nothing to change or changed the
> file. Therefore in one the cases it has to return an exit code != 0.
>
> Do you have any better idea?

If you want to do this, no, I have no better idea. You would have to exit any 
script using fai-sed with "exit 0" at the end, or the fai master process will 
treat the script as failed.

Maybe you could add a "-q" switch to fai-sed that will turn off that behaviour 
for those who don't need it?

Andreas



fai-cd 5.9 grub-mkstandalone error

2020-01-10 Discussion threads Andreas Heinlein
Hi,

I just tried the fai-cd command from FAI 5.9. After creating the squashfs, I 
get:

grub-mkstandalone: error: cannot make temporary directory: No such file or 
directory.

I can see that /tmp/grub.cfg exists in the nfsroot. From what I saw in fai-cd, 
the next step would be:

chroot $NFSROOT grub-mkstandalone \
    --format=x86_64-efi \
    --output=/tmp/bootx64.efi \
    --locales="" --fonts="" \
    "boot/grub/grub.cfg=/tmp/grub.cfg"

If I run that command directly from the shell, it works and creates 
/tmp/bootx64.efi in the NFSROOT.

Any idea what might be causing this?

Thanks,

Andreas



fai-sed exit code

2020-01-10 Discussion threads Andreas Heinlein
Hello,

can you explain the purpose of fai-sed exiting with '1' if the file was 
changed? By default, this would mean a script *fails* with this exit code if a 
file was actually changed.

Would also be nice to update the example scripts to use fai-sed instead of sed.

Thanks,

Andreas



Re: FAI and Debian Buster (was Re: New ISO images available)

2019-04-02 Discussion threads Andreas Heinlein
Hello,

indeed, 5.8.4 fixes both problems. Should have tried that first; sorry
for the inconvenience.

Andreas

On 02.04.19 at 09:57, Thomas Lange wrote:
>>>>>> On Tue, 2 Apr 2019 08:28:18 +0200, Andreas Heinlein  
>>>>>> said:
> > I don't really need ISO images, but if someone has been successful on
> > installing buster with FAI, I'd be happy to hear.
> I've done several buster installations for a client using buster.
>
> > I am currently in the first testing stages, and I am having some trouble
> > with grub and lvm2. It seems there are some new problems related to
> > installing within a chroot. Problem is 1) that update-grub hangs forever
> > and 2) lvm2 postinst hangs with error messages like "WARNING: Device
> > /dev/sda1 not initialized in udev database even after waiting 1000
> > microseconds."
>
> > The first seems to be related to os-prober, the latter seems due to some
> > changes in lvm2. I found posts on Arch Linux forums that suggest that
> > you need /run/lvm available within the chroot, but it looks like it
> > already is when installing with FAI.
> This is already fixed in FAI 5.8.4.
> I'm not sure if it also fixed the first one.
>
> From the changelog:
>   * updatebase: mount /run/udev into /target, Closes: #925247
>


FAI and Debian Buster (was Re: New ISO images available)

2019-04-02 Discussion threads Andreas Heinlein


On 28.03.19 at 15:52, Thomas Lange wrote:
> What about your interest in having ISO images using buster? I like to
> get some feedback if you prefer stable releases or also want to have
> ISO for Debian testing.

I don't really need ISO images, but if someone has been successful on
installing buster with FAI, I'd be happy to hear.

I am currently in the first testing stages, and I am having some trouble
with grub and lvm2. It seems there are some new problems related to
installing within a chroot. Problem is 1) that update-grub hangs forever
and 2) lvm2 postinst hangs with error messages like "WARNING: Device
/dev/sda1 not initialized in udev database even after waiting 1000
microseconds."

The first seems to be related to os-prober, the latter seems due to some
changes in lvm2. I found posts on Arch Linux forums that suggest that
you need /run/lvm available within the chroot, but it looks like it
already is when installing with FAI.

References:

https://bbs.archlinux.org/viewtopic.php?id=242594

https://unix.stackexchange.com/questions/105389/arch-grub-asking-for-run-lvm-lvmetad-socket-on-a-non-lvm-disk

Thanks,

Andreas



Re: Questions regarding PACKAGES remove

2019-03-22 Discussion threads Andreas Heinlein


On 21.03.19 at 18:40, Thomas Lange wrote:
> Hi Andreas,
>
> I wonder why you get this error, because apt-get says it does not even
> know this package. If I like to remove a package that's in the
> database I get this output
>
> veedel[~]# apt-get purge moon-buggy
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Package 'moon-buggy' is not installed, so not removed
> 0 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
>
> Maybe you may have removed some sources.list entries, so apt-get
> complains about unknown packages.

Hello,

you are right, the root of the problem is that these packages have been
removed completely from debian stable. These are XUL style firefox
extensions which are not supported in recent firefox versions anymore.
So the debian maintainers obviously decided, instead of providing a
dummy transitional package, to completely remove them. I have never
before seen a package being removed from stable... So now it looks like
they never existed, even though machines installed earlier still have
them installed.

But this is, hopefully, a special case that will not happen again, so I
will solve this by using a script instead. This is not a bug in FAI.

Thank you for your help.

Andreas



Questions regarding PACKAGES remove

2019-03-21 Discussion threads Andreas Heinlein
Hello,

I now have my first use of "PACKAGES remove" in the FAI configuration,
and I have come across two smaller problems:

1. The behaviour is not "idempotent", i.e. I get an error when the
packages to remove are already removed. This is the case quite often
since we use FAI also for softupdates, and I want to keep the "PACKAGES
remove" section for some time until I am sure that all clients have run
the softupdate at least once.

I get this in fai.log:

install_packages: executing chroot /target apt-get -y -o
Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confnew
--purge remove xul-ext-adblock-plus
xul-ext-adblock-plus-element-hiding-helper xul-ext-noscript
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package xul-ext-adblock-plus
E: Unable to locate package xul-ext-adblock-plus-element-hiding-helper
E: Unable to locate package xul-ext-noscript
ERROR: 25600 25600
ERROR: chroot /target apt-get -y -o Dpkg::Options::=--force-confdef -o
Dpkg::Options::=--force-confnew --purge remove xul-ext-adblock-plus
xul-ext-adblock-plus-element-hiding-helper xul-ext-noscript  return code 100

This doesn't seem to be much of a problem now, but I don't know what
happens if only one of the packages in question is already removed and
the others are not. More important is that it results in a non-empty
error.log and thus a seemingly unsuccessful installation in general.

2. fai-mirror complains that it doesn't know how to deal with "PACKAGES
remove". It doesn't include these packages either, so it is harmless but
may be easily correctable.

Bye,

Andreas



Re: Network interface names

2018-10-15 Discussion threads Andreas Heinlein
On 12.10.2018 at 17:09, Steffen Grunewald wrote:
> Hi,
>
> I've learned that I may "fix" the device interface names using a rules file
> in /etc/udev/rules.d, to avoid surprises after the installation.
> While adding some special parameters to the kernel command line didn't work,
> udev does its job reliably outside of FAI.
> What I still haven't found is which magic FAI uses to avoid the renaming
> to "predictable network interface names" (a term that's completely misleading
> to me as I'm unable to predict the network names if I'm given a brand-new
> machine). Thomas, can you shed some light on this?
> My plan is to read the (old-style) interface names assigned by FAI, then
> create a $target/etc/udev/rules.d/70-persistent-net.rules file from that
> information. Is there a hidden trap? When is it best to write that file?
>
> Thanks,
>  Steffen
Hello,

probably not exactly what you were asking, but you can turn off
"predictable network interface names" by adding "net.ifnames=0" to the
kernel command line, e.g. in /etc/default/grub (add it to
GRUB_CMDLINE_LINUX_DEFAULT).

Bye,
Andreas


Re: Compatibility when installing APT keys

2018-05-29 Discussion threads Andreas Heinlein
On 21.05.2018 at 11:27, Thomas Lange wrote:
> I would like to hear more opinions from others about the solution b)
> which seems to be ok for me.
As I also came across this problem: yes, I think this is a good solution.

Besides that, Derek's solution is quite beautiful. From the gnupg manpage:
"--dearmor
  Pack or unpack an arbitrary input into/from an OpenPGP ASCII
  armor. This is a GnuPG extension to OpenPGP and in general not
  very useful."

It seems he has just proven the manpage wrong ;-)

Bye,
Andreas


Re: GRUB EFI blues - Debian 9/FAI 5.3.6

2018-04-18 Discussion threads Andreas Heinlein
On 18.04.2018 at 10:14, tt-...@kky.ttu.ee wrote:
>
> I can second to that. I installed a SuperMicro X10SLM-F based server
> last month and did not find any option in the BIOS to PXE-boot FAI
> into UEFI mode. Ended up using disklabel:gpt-bios and GRUB_PC. I did
> not try to boot off an USB stick, so it is worth investigating if an
> option exists for booting that in UEFI mode.
>
>  
>
> From my experiments I was left with the impression that it is not easy
> (or even possible) to “cross-install” UEFI-boot-capable disk if the
> system was booted into legacy (BIOS) mode. If someone has found a way
> to do it, I would also appreciate suggestions.
>
>  
>
> Regards,
>
> Toomas
>
>  
>
> *From:*linux-fai <linux-fai-boun...@uni-koeln.de> *On Behalf Of
> *Andreas Heinlein
> *Sent:* Wednesday, April 18, 2018 9:56 AM
> *To:* linux-fai@uni-koeln.de
> *Subject:* Re: GRUB EFI blues - Debian 9/FAI 5.3.6
>
>  
>
> On 18.04.2018 at 00:28, Bob Apodaca wrote:
>
> I think the first issue is FAI is setting the GRUB_PC class
> instead of the GRUB_EFI class and I'm not sure why.
>
> I am pretty sure this depends on how the installation was started.
> That means you will have to boot your FAI installation using UEFI as
> well. This can be a bit tricky if you want to install from network - I
> also tried setting up PXE with UEFI some time ago and failed.
> Bye,
> Andreas
>
I am pretty sure it is not possible to set up grub-efi correctly when
booted in legacy mode. While it is possible to detect that we are
actually running an EFI-capable machine (dmidecode or lshw can detect
that), we cannot access the efi variables under /sys/efi since the
firmware doesn't expose them to the host when running under CSM aka
"Legacy mode".

Booting from USB with UEFI is possible, in fact I have such a USB device
here somewhere. But I need to remember what I did, it was not (yet)
completed in FAI at that time. I remember I wanted to make some patches
available, but never found the time. This is almost a year ago now. What
you basically need is a small FAT partition preferably of type 'ef'
(EFI Boot Partition) on the USB drive, which contains a grub efi image
as EFI/BOOT/BOOTX64.EFI. That image can be created with grub-mkimage and
needs to include at least all modules for reading the "main" partition
and the grub.cfg on it. That will be mostly ext filesystem and msdos
partition table, I think. That image should also include an embedded
config file with a one-liner like
configfile (hd0,msdos1)
if the main partition is the second on the USB drive.

I will try to find this again and post it here.

Bye,
Andreas


Re: GRUB EFI blues - Debian 9/FAI 5.3.6

2018-04-18 Discussion threads Andreas Heinlein
On 18.04.2018 at 00:28, Bob Apodaca wrote:
>
> I think the first issue is FAI is setting the GRUB_PC class instead of
> the GRUB_EFI class and I'm not sure why.
>
I am pretty sure this depends on how the installation was started. That
means you will have to boot your FAI installation using UEFI as well.
This can be a bit tricky if you want to install from network - I also
tried setting up PXE with UEFI some time ago and failed.
Bye,
Andreas


Additional repository keys

2018-04-09 Discussion threads Andreas Heinlein
Hello,

it seems I missed some change in the behaviour of adding apt keys. I
have several apt keys in the config space in packages/.asc. The
fai-guide says these are being added via apt-key add, and I remember it
was that way in the past.

Today I noticed with FAI 5.6, that these files seem to be copied over to
/etc/apt/trusted.gpg.d instead. This works with Debian 9, but does not
with Debian 8. The apt version in Debian 8 requires the keys to be in
binary format and have the extension .gpg. I still need to be able to
install jessie clients with a stretch nfsroot, though.

Would it be possible to patch FAI to copy over .gpg files as well?

Thanks,
Andreas


Re: setup-storage fails on blank disk

2018-01-04 Discussion threads Andreas Heinlein
On 03.01.2018 at 17:28, Holger Parplies wrote:
> Hi,
>
> Andreas Heinlein wrote on 2018-01-03 13:53:40 +0100 [setup-storage fails on 
> blank disk]:
>> [...]
>> I have encountered a problem with setup-storage which occurs only when
>> the disk is blank, i.e. wiped with nwipe/dban or brand new. It then
>> fails on creating the LVM; running 'pvcreate' returns 'cannot open
>> /dev/sda5 exclusively'.
> this is probably unrelated, but is there any reason to put the LVM PV inside
> a "logical" volume? DOS extended partitions seem to be the worst hack ever
> invented to get around a limitation in a bad design, yet they repeatedly
> and apparently unnecessarily pop up in quoted disk_configs:
>
>> [...]
>> This is your disk_config file:
>> # generic disk configuration for one small disk
>> # disk size from 500Mb up to what you can buy today
>> #
>> #   [extra options]
>>
>> disk_config disk1 disklabel:msdos bootable:1 preserve_lazy:6 align-at:1M 
>> fstabkey:uuid 
>> primary  /boot  300  ext4rw  createopts="-O 
>> ^64bit,^metadata_csum"
>> logical  -  29500-3  -   -
>> logical  /media/daten  1024- ext4acl createopts="-O 
>> ^64bit,^metadata_csum -L Daten"
> I count three partitions, which would work perfectly with primary partitions
> (furthermore, you are using LVM to have an arbitrary number of named and
> dynamic "volumes" (i.e. partitions) anyway, so if you needed more, LVM would
> be the superior mechanism; of course, your specific requirements may vary).
> Ok, you are preserving a logical partition, so in this particular case you'd
> actually need to stick with logical partitions, but the partition in question
> is ext4, not FAT-based, so it doesn't appear to be a legacy Windoze issue.
>
> My point: am I missing something, and there is some obscure benefit of putting
> an LVM container within an extended-partition-container (such as hiding it
> from something), or is it simply a common misconception that you for some
> reason cannot or should not put an LVM PV (or even several individual native
> Linux partitions - such as /, /var and /tmp) into primary partitions -
> assuming you only need up to four of them (and, obviously, assuming you are
> still using MSDOS partition tables)?
>
> Or, differently: for a *blank disk*, you obviously won't be preserving sda6,
> and you probably aren't referencing it by partition number ("fstabkey:uuid"),
> so does using 'primary' instead of 'logical' for all three partitions change
> anything concerning the error you are experiencing?
>
> Hope that helps someone (perhaps me ;-) ...
>
> Regards,
> Holger
Hello,

yes, you are right - in some way, this *is* a legacy windows issue that
has developed over time. In fact, the preserved partition once was a FAT
partition as long as we had dualboot installations on these machines. We
finally removed the dualboot two or three years ago and chose to format
this partition ext4 instead. Why we didn't move to primary partitions or
put it within the LVM at that time - I don't know.

On the other hand, up to now we had no problems with that, so no urge to
change anything. If you think it might help, I could try changing this.

Bye,
Andreas


setup-storage fails on blank disk

2018-01-03 Discussion threads Andreas Heinlein
Hello,

I have encountered a problem with setup-storage which occurs only when
the disk is blank, i.e. wiped with nwipe/dban or brand new. It then
fails on creating the LVM; running 'pvcreate' returns 'cannot open
/dev/sda5 exclusively'. I have attached the fai.log with all the details.
When I reboot the machine, which now has a partition table in place,
everything works fine. Same for reinstalling machines which were already
installed with earlier versions of FAI.
I can't exactly tell which FAI version we had in use when we last set up
a brand new machine - might be 5.3, might be even earlier, so the error
may already exist for a while.

Thanks,
Andreas
 -
   Fully Automatic Installation  -  FAI

   5.5   (c) 1999-2017
   Thomas Lange  
 -

Calling task_confdir
Kernel currently running: Linux 4.9.0-4-amd64 x86_64 GNU/Linux
Kernel parameters: BOOT_IMAGE=vmlinuz-4.9.0-4-amd64 initrd=initrd.img-4.9.0-4-amd64 ip=dhcp root=/srv/fai/nfsroot rootovl FAI_FLAGS=verbose,createvt,sshd FAI_ACTION=install quiet FAI_CONFIG_SRC=nfs://***/srv/fai/config
Reading /tmp/fai/boot.log
FAI_FLAGS: verbose createvt sshd
Setting SERVER=***. Value extracted from FAI_CONFIG_SRC.
Can't connect to monserver on *** port 4711. Monitoring disabled.
FAI_CONFIG_SRC is set to nfs://***/srv/fai/config
Configuration space ***:/srv/fai/config mounted to /var/lib/fai/config
Source hook: setup.DEFAULT.sh
setup.DEFAULT.sh OK.
Calling task_setup
FAI_FLAGS: verbose createvt sshd
 3 Jan 13:08:06 ntpdate[991]: step time server *** offset -0.064882 sec
Press ctrl-c to interrupt FAI and to get a shell
Starting FAI execution - 20180103_130806
Calling task_defclass
fai-class: Defining classes.
Executing /var/lib/fai/config/class/01-classes.
01-classes   OK.
Executing /var/lib/fai/config/class/10-base-classes.
10-base-classes  OK.
Executing /var/lib/fai/config/class/20-hwdetect.sh.
Loading kernel module mptspi
Loading kernel module dm-mod
Loading kernel module md-mod
Loading kernel module aes
Loading kernel module dm-crypt
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:5e:c0:3e brd ff:ff:ff:ff:ff:ff
inet 172.16.9.236/24 brd 172.16.9.255 scope global eth0
inet6 fe80::a00:27ff:fe5e:c03e/64 scope link 
New disklist: sda
20-hwdetect.sh   OK.
Executing /var/lib/fai/config/class/40-parse-profiles.sh.
40-parse-profiles.sh OK.
Executing /var/lib/fai/config/class/41-warning.sh.
41-warning.shOK.
Executing /var/lib/fai/config/class/50-host-classes.
50-host-classes  OK.
Executing /var/lib/fai/config/class/58-hardware.
58-hardware  OK.
Executing /var/lib/fai/config/class/60-misc.
60-misc  OK.
List of all classes:  DEFAULT LINUX AMD64 DHCPC PRECISE PRECISE_HOMI GERMAN FAICLIENT GRUB_PC ... LAST
Calling task_defvar
Executing PRECISE.var
++ FAI_ALLOW_UNSIGNED=1
++ CONSOLEFONT=
++ KEYMAP=us-latin1
++ UTC=yes
++ TIMEZONE=Europe/Berlin
++ ROOTPW=X
++ MODULESLIST='usbkbd ehci-hcd ohci-hcd uhci-hcd usbhid psmouse fuse'
++ SUDO_FORCE_REMOVE=yes
++ MAXPACKAGES=1
++ UCF_FORCE_CONFFOLD=1
Executing GERMAN.var
++ KEYMAP=de-latin1-nodeadkeys
Defining variables from additional.var
++ disklist='sda '
Loading keymap(s) de-latin1-nodeadkeys ...done.
Calling task_action
FAI_ACTION: install
Performing FAI installation. All data may be overwritten!
Calling task_install
Calling task_partition
Starting setup-storage 2.1
Using config file: /var/lib/fai/config/disk_config/PRECISE
Parted could not read a disk label (new disk?)
Executing: parted -s /dev/sda mklabel msdos
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Creating directory "/run/lock/lvm"
No volume groups found.
Executing: parted -s /dev/sda mklabel msdos
Executing: parted -s /dev/sda mkpart primary "ext3" 1048576B 315621375B
Executing: parted -s /dev/sda set 1 boot on
Executing: parted -s /dev/sda mkpart extended "" 315621376B 42949672959B
Executing: parted -s /dev/sda mkpart logical "" 316669952B 31380733951B
Executing: parted -s /dev/sda mkpart logical "ext3" 31381782528B 42949672959B
Executing: mkfs.ext4 -O ^64bit,^metadata_csum /dev/sda1
Executing: mkfs.ext4 -O ^64bit,^metadata_csum -L Daten /dev/sda6
Executing: parted -s /dev/sda set 5 lvm on
Executing: pvcreate -ff -y  /dev/sda5
(STDERR)   WARNING: Failed to connect to lvmetad. Falling back to device scanning.
(STDERR)   Can't open /dev/sda5 exclusively.  Mounted filesystem?
Command had non-zero exit code

This is your disk_config file:
# generic disk configuration for one small disk
# disk size from 500Mb up to what you can buy today
#
#   [extra options]

disk_config disk1 disklabel:msdos bootable:1 preserve_lazy:6 align-at:1M fstabkey:uuid 
primary  /boot	   300	ext4	rw	createopts="-O 

Re: Multiple debian editions on debian stretch server

2017-08-29 Discussion threads Andreas Heinlein
On 16.08.2017 at 22:20, Thomas Lange wrote:
>> On Wed, 16 Aug 2017 17:07:02 -0300, "Fco Z."  said:
> > I am in the process of upgrading old servers (hardware). Currently the 
> server
> > is with debian jessie and the hosts also with debian jessie.
>
> > If I install debian stretch as a server, can I still install debian 
> jessie on
> > the hosts? Or I keep on debian jessie for server.All this thinking to 
> future
> > upgrade for hosts to debian stretch.
> You can upgrade the server to stretch, but you should make a backup
> of the nfsroot used for jessie installations. You can then have two
> nfsroots, one for the stretch one for the jessie installation.
> A jessie installation may also run from a stretch nfsroot, but it may
> cause some problems. So using the old nfsroot for your jessie
> installations is the best way to do it. And then build a new stretch
> nfsroot using the new FAI version for your stretch installations.
>
We have switched from Ubuntu 12.04 LTS this year to Debian jessie. Both
installs ran fine at the same time from a jessie nfsroot. I am currently
testing stretch on the clients, and this too uses the same jessie
nfsroot. So yes, your approach is probably the safest, but it may not be
necessary at all.

Andreas


Re: Bug#868267: fai-client: fetch-basefile breaks for hostnames with hyphens

2017-07-26 Discussion threads Andreas Heinlein
On 26.07.2017 at 15:51, Thomas Lange wrote:
>> On Thu, 13 Jul 2017 17:41:56 -0400, Arcady Genkin  
>> said:
> > guessing that the hyphen in the host name is causing the problem (the 
> hostname
> > is "eddie-vm.teach.cs.toronto.edu" which defines a FAI class of the 
> same name).
> Hi Arcady,
>
> the problem is, that FAI class names should not contain a hyphen. IIRC
> this was done because cfengine classes also do not allow hyphens, but
> underscore.
>
> One solution would be to substitute the hyphen in the hostname into an
> underscore, which is allowed in FAI classes.
>
> I fear we will break more things if we allow hyphens in class names.
>
> Any comments on this from the mailing list (CC)?
I have a large number of hosts here with hyphens in their hostname, and
they all install with FAI just fine. I am even using the implicit
host-name classes for some hosts, but admittedly not with cfengine. But
there are cfengine scripts with other class names that run just fine on
these hosts.

If there really is a potential problem, converting hyphen to underscore
in implicit classes derived from hostnames is probably the best idea.
Underscores are not allowed in hostnames, so there can be no collision
with another host named 'eddie_vm'. I could live with that.

Andreas




Re: FAI and invoke-rc.d: policy-rc.d denied execution of restart

2017-07-06 Discussion threads Andreas Heinlein
On 05.07.2017 at 23:24, Nat Sincheler wrote:
> In doing an FAI build of stretch we are seeing several messages of the
> form
>
> Running in chroot, ignoring request.
> invoke-rc.d: policy-rc.d denied execution of restart.
>
>
> For example:
> 
> ...
> Setting up libmagic1:amd64 (1:5.30-1) ...
> Setting up rsync (3.1.2-1) ...
> Running in chroot, ignoring request.
> invoke-rc.d: policy-rc.d denied execution of restart.
> Created symlink
> /etc/systemd/system/multi-user.target.wants/rsync.service →
> /lib/systemd/system/rsync.service.
> Setting up tmpreaper (1.6.13+nmu1+b2) ...
> ...
> 
>
>
> What does this error message mean? Can it be safely ignored?
>
>
This is the desired behavior in this case. This means that invoke-rc.d
is *not* restarting services after installation/update, even though some
installation script requested, because we are installing within a chroot
instead of the "real" system.

Bye,
Andreas


Re: Fwd: Adding Macs with FAI

2017-06-18 Discussion threads Andreas Heinlein
On 16.06.2017 at 22:33, BMIRC System Administrator wrote:
> Hello,
>
> We are trying to create an FAI CD with FAI 5 that can boot in EFI
> mode, however from our research, it does not appear that FAI supports
> EFI booting. We are trying to install a Mac machine with FAI so that
> we can add this machine to our cluster and since the Macs don't
> support PXE, we are trying to make an FAI CD that is EFI bootable.
>
> Has anyone successfully made an FAI CD that can boot in EFI mode or had
> success adding a Mac OS client with FAI through other means?
>
> Thanks

I created an EFI compatible FAI-CD last week... I just wanted to test it
a little before publishing the necessary changes here. So far it works
for me with both 64bit and 32bit EFI firmwares. It does not support
secure boot, though. I had problems with the grub menu in EFI mode,
however. For some weird reason the menu was all black, i.e. invisible,
except for the currently highlighted line. The same grub.cfg works with
GRUB-PC as usual.

There are also some changes necessary to the installation; some are
already prepared in the current FAI version but they're not complete.

I will try to find some time next week to do that, at least I can share
the necessary changes here.

Bye,

Andreas



Re: creating asc key files

2017-04-12 Thread Andreas Heinlein
On 12.04.2017 at 22:07, Thomas Lange wrote:
> IIRC, I did it using this command
>
> gpg -a --export --export-options export-clean la...@debian.org > my.asc
>
> Maybe use export-minimal instead of export-clean

This will export the key from your personal keyring; the OP wants to
export from apt's keyring. So it should be:

gpg -a --keyring /etc/apt/trusted.gpg --export --export-options export-clean la...@debian.org > my.asc

Bye,
Andreas 



Re: script to execute after reboot

2017-03-16 Thread Andreas Heinlein
On 14.03.2017 at 15:21, John G Heim wrote:
> What I do is to run an fai softupdate via a line in cron upon reboot.
>
> @REBOOT root fai --class=POSTINSTALL softupdate
>
> Kind of nice to do an FAI softupdate after every reboot -- especially
> the 1st one after the initial install. Over the years, I've moved more
> and more stuff into the post install softupdate. This has 2 benefits.
> First, the initial install takes only 5 to 10 minutes. Secondly, I can
> almost do a normal install from a CD and do the softupdate and get the
> same results as if I did a fai install in the first place.
> So essentially what I am suggesting is that you run your script after
> every reboot, not just the first one. It can be very convenient to
> have a script that is run after each reboot. Personally, I update that
> script via an fai softupdate. In other words, the softupdate is
> updating the next softupdate. That can get tricky. Make a mistake and
> the softupdates come to a screeching halt. Then you have to figure out
> some way to copy a repaired script to all your fai machines. I did
> that once or twice early on but now I haven't messed it up in years.
>
>
>
>
> On 03/14/2017 07:49 AM, jan.dre...@bertelsmann.de wrote:
>> Hi,
>>
>> I have a script with some commands that should be executed on first
>> reboot after installation only. Now I could put a call to it into
>> rc.local and delete it afterwards, but I’m sure I have seen a more
>> elegant solution directly with FAI. Could someone point my nose to
>> the right direction?
>>
>> Thanks in advance,
>> Jan Dreyer
>>
I have written a startup job for systemd to run scripts in a directory
/etc/runonce.d and then delete the script. It is not very sophisticated
yet, namely it deletes the job no matter whether it exited successfully
or not. I can post it tomorrow, when I'm back at work.

I also run softupdates, but I prefer to run them at shutdown instead of
startup. Running at startup has the advantage that the machine is always
up-to-date (except for kernel updates), including machines which haven't
been powered on for weeks or even months. But it has the disadvantage of
blocking the users' work, something which I absolutely hate about the
way Win* implements its updates.

BTW, this (running jobs once at startup) is something I have been
missing in Linux all these years. Sadly enough, Windows can just do
that. I wish that 'at @reboot...' would work, but it doesn't :-(

Bye,

Andreas
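
A run-once job of the kind described in the message above, as an added example that is not the poster's systemd job or part of FAI. Unlike the version described, it removes a script only after it exits successfully, and it skips anything that is not owned by the expected user or is writable by group or others. The function names and the owner argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: run-once runner for a directory such as /etc/runonce.d.
# Function names and the optional owner argument are assumptions of this
# sketch; they do not come from the post or from FAI.

# is_trusted PATH OWNER
# True if PATH is owned by OWNER and not writable by group or others.
is_trusted() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# run_once_dir DIR [OWNER]
# Runs each executable regular file in DIR in lexical order and removes it
# only when it exits 0. OWNER defaults to the invoking user (root at boot).
# Returns 0 if everything ran and was removed, 1 if a script was skipped
# or failed, 2 if DIR itself is not trusted.
run_once_dir() {
    dir=$1
    owner=${2:-$(id -u)}
    failures=0

    [ -d "$dir" ] || return 0
    if ! is_trusted "$dir" "$owner"; then
        echo "runonce: refusing $dir (wrong owner or writable by others)" >&2
        return 2
    fi

    for script in "$dir"/*; do
        [ -e "$script" ] || [ -L "$script" ] || continue   # empty directory
        # Symlinks and non-regular files are never executed.
        if [ -L "$script" ] || [ ! -f "$script" ] || [ ! -x "$script" ]; then
            echo "runonce: skipping $script (not a plain executable file)" >&2
            failures=$((failures + 1))
            continue
        fi
        if ! is_trusted "$script" "$owner"; then
            echo "runonce: skipping $script (wrong owner or writable by others)" >&2
            failures=$((failures + 1))
            continue
        fi
        rc=0
        "$script" || rc=$?
        if [ "$rc" -eq 0 ]; then
            rm -f -- "$script"
        else
            echo "runonce: $script exited with $rc, keeping it for the next boot" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# At boot, from a root-run unit or init script:
#   run_once_dir /etc/runonce.d 0
```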




fai-mirror, fai-cd and backports

2014-11-18 Thread Andreas Heinlein
Hello,

we are currently using FAI to install Ubuntu 12.04 on our clients, using
a Debian Wheezy server with FAI 4.2.5. We are also using fai-cd to
create installation media for some offsite machines.

We need to take some specific packages from the backports repository,
namely hplip.

If I add 'hplip/precise-backports' to the packages file, this works for
the normal installation, but it does not for the CDs. The reason is that
fai-mirror creates a new repository named 'cskoeln', so FAI/apt cannot
find the 'precise-backports' repo when running from CD.
I could use apt-pinning instead by creating a respective file in
${target}/etc/apt/preferences.d right before task_instsoft. This would,
however, make it necessary to make fai-mirror use the same pinning when
creating the mirror. I have not found a way of doing that short of
directly editing the script, which I would rather not do.

Any ideas how to solve this cleanly?

Thanks,
Andreas




Re: fai-mirror, fai-cd and backports

2014-11-18 Thread Andreas Heinlein
On 18.11.2014 at 11:02, Thomas Lange wrote:
> On Tue, 18 Nov 2014 09:30:01 +0100, Andreas Heinlein aheinl...@gmx.com said:
>
> > If I add 'hplip/precise-backports' to the packages file, this works for
> > the normal installation, but it does not for the CDs. The reason is that
> > fai-mirror creates a new repository named 'cskoeln', so FAI/apt cannot
> > find the 'precise-backports' repo when running from CD.
> >
> > Any ideas how to solve this cleanly?
>
> No. Currently fai-mirror can not keep the information about the
> repositories where it downloaded the packages. It builds a complete new
> package repository structure. Is there a tool that can do it better?

I found a solution with a slight modification to fai-mirror. Patch is
attached. I added a '-P' option to fai-mirror which allows copying a
specified APT preferences file to $aptcache/etc/apt/preferences before
creating the mirror.

If I add this to a file 'aptpref'

Package: hplip
Pin: release a=precise-backports
Pin-Priority: 500

and call fai-mirror with ... -P aptpref ..., then the mirror ends up
with hplip_3.13.9... which is from precise-backports. This is enough for
me, don't know if someone else finds this useful.

Bye,
Andreas

--- fai-mirror.orig	2014-09-29 14:46:03.0 +
+++ fai-mirror	2014-11-18 11:24:00.471899682 +
@@ -186,7 +186,7 @@
 verbose=0
 add=1
 qflag=-qq
-while getopts a:Bvhx:pc:C:m: opt ; do
+while getopts a:Bvhx:pc:C:m:P: opt ; do
 case $opt in
 a) arch=$OPTARG ;;
 B) add=0 ;;
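Review bot: The new 'P:' in the getopts string on the 'while getopts' line comes without documentation in this patch. The option string already contains 'h', which suggests the script prints a usage text, and neither that text nor the man page is touched here; please add a line for '-P file'. Also initialise 'aptpref=' next to 'verbose=0' and 'add=1', so that a value inherited from the environment cannot select a preferences file when -P is not given.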
@@ -197,6 +197,7 @@
 m) MAXPACKAGES=$OPTARG;;
 p) preserve=1;;
 v) verbose=1; vflag=-v; qflag='';;
+P) aptpref=$OPTARG;; 
 ?) die 1 Unknown option;;
 esac
 done
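Review bot: The added 'P) aptpref=$OPTARG;; ' line ends in a trailing space and accepts its argument unchecked, so a mistyped path is only noticed later, and silently, when the -f test skips the copy. Validate at parse time instead, for example 'P) aptpref=$OPTARG; [ -f "$aptpref" ] || die 1 "No such file: $aptpref";;', using the die helper already called in the '?)' branch, and drop the trailing whitespace.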
@@ -250,6 +251,9 @@
 # TODO: use -p to preserve sources.list
 sed -e 's/file:/copy:/' $cfdir/apt/sources.list  $aptcache/etc/apt/sources.list
 
+if [ -f $aptpref ]; then
+cp $aptpref $aptcache/etc/apt/preferences
+fi
 echo Getting package information
 apt-get $qflag $aptoptions update /dev/null
 
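Review bot: The test 'if [ -f $aptpref ]' in the added block misbehaves when -P is not given: with $aptpref empty and unquoted it collapses to '[ -f ]', which is true, so 'cp $aptcache/etc/apt/preferences' runs with a single operand and fails. Quote the variable and require it to be non-empty, e.g. 'if [ -n "$aptpref" ] && [ -f "$aptpref" ]; then cp "$aptpref" "$aptcache/etc/apt/preferences"; fi'. A -P argument that names a missing file should stop with an error rather than build the mirror without the pin, since the pin decides which repository the mirrored packages are taken from.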


Re: Error in setup-storage in FAI 4.1

2014-06-25 Thread Andreas Heinlein
On 20.06.2014 at 14:29, Thomas Neumann wrote:
> Hello Andreas
>
> Please try this patch against an unmodified 'fai-setup-storage_4.2_all.deb' and
> install libcapture-tiny-perl. You can also remove liblinux-lvm-perl if you
> want.
>
> This patch is a bit larger than actually necessary since I modified the debug
> output a bit and added 2 helper functions 'update_devicetree()' and
> 'execute()'. These helpers are not mandatory but it should be seen as an
> investment for the future.

Moving this to FAI devel as Thomas Lange requested. I tested your
solution and I am happy to say it works for me - both with and without
preserving LV's.

Bye,
Andreas



Re: Error in setup-storage in FAI 4.1

2014-06-20 Thread Andreas Heinlein
On 19.06.2014 at 23:17, Thomas Neumann wrote:
> We (Kerim and I) are currently working on getting liblinux-lvm-perl
> patched upstream. If this does not work, we will prepare a new Debian
> version of this library.
>
> I strongly recommend to drop Linux::LVM completely, because the required
> functionality is very easily reimplemented:

I appreciate the idea of dropping Linux::LVM, your approach appears
easier to me.

Has anyone ever thought about not parsing vgdisplay output at all and
using liblvm instead? There seems to be little documentation about it,
but it looks to me like the clean way to do this. Unfortunately, there
seems to be no perl interface to it, so someone needed to write it.

Bye,
Andreas



fai-mirror and conflicting packages

2014-06-20 Thread Andreas Heinlein
Hello,

does anyone know of a faster way to get conflicting packages in a
partial mirror created with fai-mirror, than using MAXPACKAGES=1?

I need to include both 'grub-pc' and 'grub-efi-amd64' in the mirror.
Downloading everything with MAXPACKAGES=1 downloads ca. 1500
packages in one swoop in about 20 minutes, but leaves out grub-efi-amd64
because of the conflict. Downloading with MAXPACKAGES=1 should allow
this, but takes ages (I stopped after 4 hours).

Thanks,
Andreas



Re: Error in setup-storage in FAI 4.1

2014-06-19 Thread Andreas Heinlein
On 18.06.2014 at 16:59, Thomas Neumann wrote:
> Patch is attached, it was built against the 4.2 package. I haven't checked
> what happens if you try anything funny. May need some additional adjustments
> (e.g. for preserving volumes).

Definitely needs some adjustments for preserving volumes. For me, that's
the whole point of trying to get setup-storage to work with LVM - as
long as I do not need to preserve anything, I can always do a 'dd
if=/dev/zero of=/dev/sda bs=1M count=10' in a hook for task_partition.

We're using a wheezy chroot here at the moment, with LVM 2.02.95-8,
liblinux-lvm-perl 0.17-1 plus the patch from Roland Dieterich (won't
work without it) and FAI 4.2 plus your patches.

Before your patches, we always reached the wipefs bug (missing '/dev' in
device name). Now, on the second run, we get:

Preserved partition /dev/sda5 does not end at a cylinder boundary,
parted may fail to restore the partition!
/dev/sda5 will be preserved
/dev/sda2 will be resized
vg1/home will be preserved
Cannot satisfy pre-depends for true:
vgchange_a_n_VG_vg1,self_cleared_/dev/vg1//dev/vg1/home,self_cleared_/dev/vg1//dev/vg1/root,self_cleared_/dev/vg1//dev/vg1/swap,self_cleared_/dev/vg1//dev/vg1/tmp,self_cleared_/dev/vg1//dev/vg1/varlog
-- system left untouched
Error in task partition. Code: 710
Traceback: task_error task_partition task task_install task task_action
task main

Our disk_config:

disk_config disk1 disklabel:msdos bootable:1 align-at:1 fstabkey:uuid
primary  /boot  250-300  ext4  rw
logical  -      15000-   -     -

disk_config lvm preserve_lazy:vg1-home
vg vg1 disk1.5
vg1-root    /         8192-12000  ext4  rw,errors=remount-ro
vg1-swap    swap      1024-2048   swap  rw
vg1-tmp     /tmp      500-1024    ext4  rw,nosuid
vg1-varlog  /var/log  500-1024    ext4  rw
vg1-home    /home     1024-       ext4  rw

I can only guess from the error message that there is a '/dev/vg1/'
prepended twice to the LV names. Maybe this is easy to fix, but I am not
very familiar with perl.

Bye,
Andreas



Re: Error in setup-storage in FAI 4.1

2014-05-26 Thread Andreas Heinlein


Hello,

I'd like to ask again if there has been any progress with getting
setup-storage to work with LVM again? Following my bug report (#740929)
from March, there has been a response but so far I found no solution
which works for me.

To summarize again: we need to be able to run setup-storage on a
previously installed machine with an existing LVM. We need to be able to
keep a LV of this LVM so we cannot just wipe everything out beforehand.

What I have tried so far:

Use liblinux-lvm-perl 0.16-2 (which includes a patch from Thomas Lange):
now setup-storage chokes on 'wipefs -a vg1/swap', which I think should
have read 'wipefs -a /dev/vg1/swap'.

Use liblinux-lvm-perl 0.17-1 (from the FAI repos, apparently with
Thomas' patch removed again):
gives the same 'Use of uninitialized value $lvn in hash element at
/usr/share/perl5/LVM.pm line 300.' which I described before.

Use liblinux-lvm-perl 0.17-1 with a patch from Roland Dieterich applied
(https://rt.cpan.org/Public/Bug/Display.html?id=94991):
Gives the wipefs bug again.

There are a number of reports around these problems, each referencing
one another, but I lost my way somewhere through this... Is there any
real solution for this?

Thanks,
Andreas



Error in setup-storage in FAI 4.1

2014-03-04 Thread Andreas Heinlein

Hello,

yesterday I finally started migrating from FAI 3.4.8 and a squeeze 
chroot to FAI 4.1 with a wheezy chroot (Server itself is still squeeze 
for several reasons).
I could successfully perform an initial install of a test client (using 
a blank disk), but a second run (i.e. without 'initial' and with the 
previous partitions and data on disk) gave:


...
Creating directory /etc/lvm/backup
Creating volume group backup /etc/lvm/backup/vg1 (seqno 5).
Use of uninitialized value $lvn in hash element at 
/usr/share/perl5/LVM.pm line 300.

Exiting subroutine via next at /usr/share/perl5/Linux/LVM.pm line 301.
Exiting subroutine via next at /usr/share/perl5/Linux/LVM.pm line 301.
Exiting subroutine via next at /usr/share/perl5/Linux/LVM.pm line 301.
Label not found for next LVINF at /usr/share/perl5/Linux/LVM.pm line 301
Error in task partition. Code: 710
Traceback: task_error task_partition task task_install task task_action 
task main

...

The disk_config used is:

disk_config disk1 disklabel:msdos bootable:1 align-at:1 fstabkey:uuid
primary  /boot  300    ext4  rw
logical  -      1024-  -     -

disk_config lvm
vg vg1 disk1.5
vg1-root    /         8192-12000  ext4  rw,errors=remount-ro
vg1-swap    swap      1024-2048   swap  rw
vg1-tmp     /tmp      500-1024    ext4  rw,nosuid
vg1-varlog  /var/log  500-1024    ext4  rw

Any ideas?

Thanks,
Andreas





Re: Error in setup-storage in FAI 4.1

2014-03-04 Thread Andreas Heinlein

Hello,

yes, I am using liblinux-lvm-perl 0.17-1, which comes from the FAI 
repos. But I don't quite get the point of the bug report, it describes a 
different problem which apparently does not occur in Ubuntu precise 
(which is what I am installing, if that matters). ROOT_PARTITION ends up 
being set to ROOT_PARTITION=${ROOT_PARTITION:-/dev/vg1/root}


Anyway, the report says it is fixed in 4.0.8, so it should be fixed in 
4.1, right?


I agree that this also seems to be a parsing problem, from what I 
understand after looking at LVM.pm, the variable $lvn is supposed to 
contain a Logical Volume Name, which it apparently does not at the point 
where the error occurs.


I tried with kernels 3.2.0-4-686-pae (from wheezy) and 3.12-0.bpo.1-486 
(from wheezy-backports), made no difference.


I tried again with liblinux-lvm-perl 0.16-1, which then gives a 
different error. It is


Cannot satisfy pre-depends for true: 
vgchange_a_n_VG_vg1,pv_sigs_removed_vg1,self_cleared_root,self_cleared_swap,self_cleared_tmp,self_cleared_varlog 
-- system left untouched


Would be glad to help here.

Thanks,
Andreas






Re: FAI-CD to usb stick from Windows

2012-01-30 Thread Andreas Heinlein

On 18.12.2011 at 14:16, david touzeau wrote:

> Dear
>
> Is there a procedure/way from Microsoft Windows user to transform an ISO
> generated by fai-cd to a USB stick without using linux ?

Not sure which bootloader fai-cd uses. If it's Syslinux/Isolinux, you 
should be able to convert the ISO to a hybrid image. There's a version 
of isohybrid for windows linked here:

http://chakra-project.org/bbs/viewtopic.php?pid=16306#p16306

If it's GRUB, however, I'm pretty lost. There is grub4dos, it should be 
possible to write the ISO to a thumb drive (or copy the ISO's contents) 
and get grub to boot that, but I don't know how.


Bye,
Andreas


Re: Weird fai-mirror problems

2011-05-16 Thread Andreas Heinlein
On 13.05.2011 at 01:34, Michael Tautschnig wrote:
> Hi Andreas,
>
> Not that I could help too much with fai-mirror, but ...
>
> [...]
> > result. Only deleting aptcache and .apt-move as well and recreating the
> > mirror from scratch helped.
>
> [...]
>
> does this actually mean that (1) you updated an existing mirror and (2) the
> problem did not occur again? If so, was there maybe some problem in the initial
> build of the mirror, while not necessarily so in the second run?

No, the other way round. Create a mirror from scratch - works. Try to
update it - does not work anymore. Tried several times, with different
classes and from different masters, same result every time.

> Well, and AFAIK
> there is no support for updating an existing mirror. There's only a feature
> request for that one:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=61766

Sad to hear that. I'll be re-creating the mirror from scratch every
time now.

Thanks for your help.

Andreas


Weird fai-mirror problems

2011-05-05 Thread Andreas Heinlein
Hello,

I have problems with fai-mirror not generating a correct Packages
file. I noticed that e.g. ubuntu-restricted-extras was not installed on
the target machines because they could not find a package by that name.

A look into the directory created by fai-mirror showed that
.../pool/u/ubuntu-restricted-extras_...deb existed, but there was no
entry in .../dists/lucid/main/binary-i386/Packages. I deleted pool and
dists from the mirror directory and ran fai-mirror again, with the same
result. Only deleting aptcache and .apt-move as well and recreating the
mirror from scratch helped.

I also noticed that before, there were also directories
.../dists/lucid/universe/binary-i386 and
.../dists/lucid/non-free/binary-i386; they did not exist anymore when
the mirror was rebuilt correctly.

Any ideas where to look?

Thanks,
Andreas


Re: fai softupdate and cron

2010-12-01 Thread Andreas Heinlein
On 01.12.2010 at 15:09, Michael Tautschnig wrote:
> Hi,
>
> > I want after installation the clients have 'fai -N softupdate' in their
> > cron entry. What to do?
>
> Use fcopy to copy a crontab file or edit the crontab file in one of your
> scripts. That said, I'm not sure whether doing unsupervised updates is generally
> a good idea. I once had broken DNS server packages hose my entire system via
> updates of all DNS servers running in parallel. Sure, untested updates is a
> no-go in critical systems anyway.
>
> Best regards,
> Michael

You might consider using some kind of release lock like we do. We are
using NFS mounts for /home, and I have created a little init script
which will run on shutdown (Runlevel 0) and check if
/home/fai-update-timestamp is newer than the folder which
/var/log/fai/localhost/last-softupdate points to, and run a softupdate
only if it is.
This way, I can test updates and release them to the clients by touch
/home/fai-update-timestamp on the server.

I can post the init script if you like.

Bye,
Andreas
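
The release check described in the message above, as an added example that is not the poster's init script: a softupdate runs only when the timestamp file is newer than the directory that last-softupdate points to. The function names and the FAI_CMD override are assumptions of this sketch; the two paths and 'fai -N softupdate' are the ones named in this thread.

```shell
#!/bin/sh
# Added example: release gate for unattended softupdates at shutdown.
# Function names and the FAI_CMD override are assumptions of this sketch.

# update_released STAMP LAST
# STAMP: file the admin touches on the server to release tested updates.
# LAST:  symlink to the log directory of the most recent softupdate.
# Returns 0 when a softupdate is due, 1 when nothing has been released.
update_released() {
    stamp=$1
    last=$2
    # No stamp visible (for example /home not mounted): nothing released.
    [ -f "$stamp" ] || return 1
    # No earlier softupdate recorded, or the link dangles: client is due.
    [ -d "$last" ] || return 0
    # test follows the symlink, so the stamp is compared with the mtime of
    # the log directory. -nt is not in POSIX but dash and bash provide it.
    [ "$stamp" -nt "$last" ]
}

# softupdate_if_released STAMP LAST
# Runs the softupdate only when one has been released. FAI_CMD can
# replace the command, for example for a dry run.
softupdate_if_released() {
    if update_released "$1" "$2"; then
        ${FAI_CMD:-fai -N softupdate}
    fi
}

# In the shutdown script:
#   softupdate_if_released /home/fai-update-timestamp \
#       /var/log/fai/localhost/last-softupdate
```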


Re: gpg errors

2010-11-10 Thread Andreas Heinlein
On 09.11.2010 at 21:45, Martin Konrad wrote:
> It seems the keys are not available if I chroot to the NFSROOT.

Correct. These keys need to be in $NFSROOT/etc/apt/trusted.gpg

> Maybe that's
> why the script fails?

Like Thomas said, no? From what you wrote, it looks like you haven't
installed any kernels in the nfsroot. It just means the script tries to
copy kernels from the nfsroot to your tftp-dir and cannot find one.
Actually, even that is no real failure, as you could as well provide the
kernel and initrd by some other means.

Bye,
Andreas



Re: gpg errors

2010-11-10 Thread Andreas Heinlein
On 10.11.2010 at 11:15, Martin Konrad wrote:
> Hi,
>
> > > It seems the keys are not available if I chroot to the NFSROOT.
> >
> > Correct. These keys need to be in $NFSROOT/etc/apt/trusted.gpg
>
> Are they added automatically to this file?
>
> chroot $NFSROOT apt-key list
>
> does not report any keys of third party repositories. Do I need to use a hook
> to add those keys to the NFSROOT?
>
> Martin
   
Well, since I do not add new repositories very often, and use the same
ones from my server and the to-be-installed-clients, I just do 'cp
/etc/apt/trusted.gpg /srv/fai/nfsroot/live/filesystem.dir/etc/apt/' on
the server whenever I add a new repository and its key.

Andreas


Re: task_updatebase and force-confold

2010-11-08 Thread Andreas Heinlein
On 29.10.2010 at 12:55, Michael Tautschnig wrote:
> > On 26.10.2010 at 14:39, Michael Tautschnig wrote:
> > > > Hello,
> > > >
> > > > thanks for the advice. I did both manually, i.e. edit ucf.conf and
> > > > create /etc/apt/apt.conf.d/90fai with DPkg-Options --force-confdef and
> > > > --force-confold, then ran fai -v -N softupdate. I verified the DPKG
> > > > configuration with apt-config. fai-client still asks this question and
> > > > softupdate stops. Do you know of any further places where to look?
> > >
> > > [...]
> > >
> > > Ok, thanks a lot for checking; could you post a relevant excerpt of your logs?
> > > Might make things a bit more precise...
> > >
> > > Thanks a lot,
> > > Michael
> >
> > Hello,
> >
> > I have attached fai.log and variables.log.
> > DEBIAN_FRONTEND=noninteractive is set.
>
> Well, I still think that the ucf configuration is not appropriate. Could you try
>
> export UCF_FORCE_CONFFOLD=1
>
> in one of your class/*.var files being appropriate for this client?
>
> Thanks a lot,
> Michael

That seemed to work, at least on the test machine. Should work
elsewhere, too; I will post if not.

Thank you very much,
Andreas


Re: task_updatebase and force-confold

2010-10-26 Thread Andreas Heinlein
Hello,

thanks for the advice. I did both manually, i.e. edit ucf.conf and
create /etc/apt/apt.conf.d/90fai with DPkg-Options --force-confdef and
--force-confold, then ran fai -v -N softupdate. I verified the DPKG
configuration with apt-config. fai-client still asks this question and
softupdate stops. Do you know of any further places where to look?

Thanks,
Andreas

On 25.10.2010 at 16:36, Michael Tautschnig wrote:
> > Hello,
> >
> > can someone tell me how aptitude is called in task_updatebase? I cannot
> > find it in the logs. I have the feeling it is *not* called with
> > --force-confdef --force-confold, like during task_instsoft? The reason
> > I'm asking is that I was trying to update a machine with softupdate,
> > which was running fai-client 3.3.5. During task_updatebase, aptitude
> > asks whether to keep the old config or install the new one, and
> > softupdate stops there.
> >
> > This is bad, since we are usually running softupdates unattended during
> > shutdown. What would be the quickest fix for this?
>
> Could you please take a look at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313397
> and see whether this helps to solve your problem? It does for me, at least. But
> apparently I failed to convince other people that this fix is necessary.
>
> Thanks a lot,
> Michael
   



task_updatebase and force-confold

2010-10-25 Thread Andreas Heinlein
Hello,

can someone tell me how aptitude is called in task_updatebase? I cannot
find it in the logs. I have the feeling it is *not* called with
--force-confdef --force-confold, like during task_instsoft? The reason
I'm asking is that I was trying to update a machine with softupdate,
which was running fai-client 3.3.5. During task_updatebase, aptitude
asks whether to keep the old config or install the new one, and
softupdate stops there.

This is bad, since we are usually running softupdates unattended during
shutdown. What would be the quickest fix for this?

Thanks,
Andreas


Recursive fcopy and permissions

2010-10-22 Thread Andreas Heinlein
Hello,

short question:

fcopy -Bir -m root,root,0777

only applies the permissions to files, but not to directories, right? I
agree this makes sense because fcopy -Bir -m root,root,0666 would make
the directories unusable if it did. But this should be documented more
clearly in the man page, even better there could be a switch for
directory permissions, too.

Bye,
Andreas


Re: setup-storage and encrypted LVM

2010-08-02 Thread Andreas Heinlein
On 18.06.2010 at 11:58, Michael Tautschnig wrote:
> > Hello,
> >
> > I'd like to (almost) fully encrypt a system using LUKS and LVM. That is,
> > one small unencrypted /boot and a large partition, which is encrypted
> > with luks, which in turn is the physical volume for the LVM containing
> > several LVs. My disk config looks like this:
> >
> > disk_config disk1 disklabel_msdos bootable:1
> > primary /boot 300 ext3 -
> > logical - 1024- - -
> >
> > disk_config cryptsetup
> > luks - /dev/sda5 - -
> >
> > disk_config lvm
> > vg vg1 *missing*
> > vg1-root / 10240 ext4 rw,errors=remount-ro
> > vg1-swap swap 2048 swap defaults
> > vg1-tmp /tmp 1024 ext3 defaults
> > vg1-home /home 1024- ext4 defaults
> >
> > What am I supposed to put as *missing*? In other words, how do I
> > reference the encrypted LUKS partition?
>
> The way this is *supposed* to work, if I remember it correctly, is that you just
> use /dev/sda5 and setup-storage will take care of the renaming thing internally.
> Now there may be points where this is not done properly, so please expect
> bugs; if you do come across such issues it would be great if you could let me
> know and send along a debug log.
>
> Thanks a lot,
> Michael

Hello,

after quite some time I have to come back to this again. Indeed this
seems to work halfway through, but not quite right yet. I have attached
fai.log up to the point where it fails. Apparently setup-storage is
creating an unencrypted LVM and filesystems on it first and then creates
the crypt'ed volume; instead of the other way round. Can you have a look
at this?

Thanks,
Andreas


fai.log.gz
Description: GNU Zip compressed data


Re: setup-storage and preserving partitions

2010-06-17 Thread Andreas Heinlein
On 16.06.2010 at 10:23, Thomas Lange wrote:

> On Wed, 16 Jun 2010 09:39:23 +0200, Andreas Heinlein aheinl...@gmx.com said:
>
> > disk_config disk1 disklabel:msdos bootable:1 preserve_reinstall:7
> > primary 10240 / ext4 rw,errors=remount-ro
> > logical 2048 swap swap -
> > logical 1024 /tmp ext3 defaults
> > logical 1024- /media/daten ext4 acl
> >
> > Preserving works when installing without initial, but when installing
> > a new machine with initial Flag given, setup-storage still complains
> > that /dev/sda7 cannot be preserved because it does not exist, instead of
> > creating it.
>
> Please give us some parts of the log files. Without log files,
> debugging is very difficult.

Hello,

I think I found the problem - I tried to redefine FAI_FLAGS using a
hook, and append initial if no partition sda7 with ext4 filesystem can
be found. That way I would not have to deal with changing boot setup for
new clients, and I would really like to keep it that way

Appending to FAI_FLAGS seems to work, I get
echo $FAI_FLAGS
verbose sshd createvt reboot initial
on the console after setup-storage dies,

but variables.log says
FAI_FLAGS='verbose sshd createvt reboot'

If I append initial to FAI_FLAGS on the boot command line, everything
works and variables.log says
FAI_FLAGS='verbose sshd createvt reboot initial'

The hook I am using is called partition.MYCLASS.source.

I am appending a log of a run where it did not work.

Thanks,
Andreas




install-20100616_114813.tar.bz2
Description: application/bzip



setup-storage and encrypted LVM

2010-06-16 Thread Andreas Heinlein
Hello,

I'd like to (almost) fully encrypt a system using LUKS and LVM. That is,
one small unencrypted /boot and a large partition, which is encrypted
with luks, which in turn is the physical volume for the LVM containing
several LVs. My disk config looks like this:

disk_config disk1 disklabel_msdos bootable:1
primary /boot 300 ext3 -
logical - 1024- - -

disk_config cryptsetup
luks - /dev/sda5 - -

disk_config lvm
vg vg1 *missing*
vg1-root / 10240 ext4 rw,errors=remount-ro
vg1-swap swap 2048 swap defaults
vg1-tmp /tmp 1024 ext3 defaults
vg1-home /home 1024- ext4 defaults

What am I supposed to put as *missing*? In other words, how do I
reference the encrypted LUKS partition?

Thanks,
Andreas


German locale in NFSROOT

2010-05-07 Thread Andreas Heinlein
Hello,

I need a German locale environment in the NFSROOT, I think. I have some
scripts which set gconf values on the clients using

$ROOTCMD gconftool-2 --direct --config-source
xml:readwrite:/etc/gconf/gconf.defaults.xml /foo/bar...

Some of the values are strings containing German umlauts. This works
fine under the running system, but fails when FAI runs the script during
installation (Invalid byte sequence in conversion input).

So I guess I need the German locale within the NFSROOT. How do I do this?

Thanks,
Andreas


Installing a Samba Domain Member

2010-03-12 Thread Andreas Heinlein
Hello,

I need to set up some clients using FAI which will become members of a
Samba controlled Windows Domain. I have managed to do it, following
Samba by example, but there are two questions remaining how to do it
with FAI:

1. After installation, I need to run %ROOTCMD net rpc join -U
root%rootpassword and %ROOTCMD smbpasswd -W ldap-admin-password. This
works, but currently the passwords are in cleartext within the scripts.
Since the FAI configspace is on NFS, with root squashing enabled, I
cannot chmod these scripts 0700, since root on the client will read
the scripts as nobody. What would be the best way to pass these passwords?

2. I also need to run wbinfo --set-auth-user=root%rootpassword on the
client. Apart from above problem, wbinfo expects a running winbindd
running on the real system, i.e. not from the live NFS root. I
currently run this manually after installation. How could I do this
using FAI?

Thanks,
Andreas


Re: setup-storage: ext4

2009-09-17 Thread Andreas Heinlein
Andreas Heinlein wrote:
> Hello,
>
> another question regarding setup-storage: apparently it does not (yet)
> work with ext4. I tried to create a ext4 partition, but the
> corresponding parted mkpart ext4 exits with 1. Looks like parted
> cannot deal with ext4 as filesystem type. As I understand, it should
> as well be possible to just call parted with ext3 as filesystem type and
> still run mkfs.ext4 later on. This would need a patch for setup-storage,
> though.
>
> Is there a way around this using hooks?
>
> Bye,
> Andreas

Forget about this one, I updated the nfsroot and installed kernel
2.6.30-1-486 from lenny-backports and it works now.

Andreas


setup-storage does not create crypttab

2009-09-17 Thread Andreas Heinlein
I have defined encrypted swap and tmp like this

disk_config lvm
vg vg1 disk1.6
vg1-swap  swap:encrypt  2048  swap  sw
vg1-tmp   /tmp:encrypt  1024  ext2  rw
...

This works during setup, two device-mapper devices crypt_dev_vg1_tmp and 
crypt_dev_vg1_swap are created and written to fstab, but no crypttab is 
generated. I am doing this now with a script, but from taking a look at 
setup-storage source it looks like it should create a correct crypttab, right?

Andreas
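
A script of the kind mentioned in the post above, as an added example (not the poster's script and not FAI code): it derives crypttab entries from the `:encrypt` lines of a `disk_config lvm` block. The `crypt_dev_<vg>_<lv>` mapping name comes from the post; the `/dev/urandom` key, the `swap` and `tmp=<fstype>` crypttab options, and the function name `gen_crypttab` are assumptions of this example.

```shell
#!/bin/sh
# gen_crypttab: read "disk_config lvm" volume lines on stdin and print
# crypttab lines (name, device, key file, options) for ":encrypt" volumes.
# Assumption: every encrypted volume gets a fresh random key at boot.
gen_crypttab() {
    awk '
    BEGIN { rc = 0 }
    # Skip the block header, "vg" definitions and short lines such as "..."
    $1 == "vg" || $1 == "disk_config" || NF < 5 { next }
    # Only volumes whose mount point carries the :encrypt flag
    $2 !~ /:encrypt$/ { next }
    {
        i  = index($1, "-")                # "vg1-swap" -> vg1 / swap
        vg = substr($1, 1, i - 1)
        lv = substr($1, i + 1)
        mp = $2; sub(/:encrypt$/, "", mp)  # mount point without the flag
        name = "crypt_dev_" vg "_" lv      # mapping name as seen in the post
        dev  = "/dev/" vg "/" lv
        if (mp == "swap")      opt = "swap"
        else if (mp == "/tmp") opt = "tmp=" $4
        else {
            # A random key wipes the volume at every boot: refuse to emit
            # an entry for anything that is not swap or /tmp.
            printf "refusing random key for %s (%s)\n", dev, mp > "/dev/stderr"
            rc = 1
            next
        }
        printf "%s\t%s\t/dev/urandom\t%s\n", name, dev, opt
    }
    END { exit rc }'
}

# Constructed sample input, modelled on the disk_config in the post.
gen_crypttab <<'EOF'
disk_config lvm
vg vg1 disk1.6
vg1-swap  swap:encrypt  2048  swap  sw
vg1-tmp   /tmp:encrypt  1024  ext2  rw
EOF
```

In a FAI script the output would be redirected to `$target/etc/crypttab`; a non-zero exit status means at least one encrypted volume was skipped and needs a persistent key instead.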





Re: setup-storage does not create crypttab

2009-09-17 Thread Andreas Heinlein
Michael Tautschnig wrote:
>> I have defined encrypted swap and tmp like this
>>
>> disk_config lvm
>> vg vg1 disk1.6
>> vg1-swap  swap:encrypt  2048  swap  sw
>> vg1-tmp   /tmp:encrypt  1024  ext2  rw
>> ...
>>
>> This works during setup, two device-mapper devices crypt_dev_vg1_tmp and
>> crypt_dev_vg1_swap are created and written to fstab, but no crypttab is
>> generated. I am doing this now with a script, but from taking a look at
>> setup-storage source it looks like it should create a correct crypttab, right?
>
> Indeed it should, yes :-) Hmm, are you using the experimental FAI version or
> 3.2.20 or something? Looking at my experimental patch named
> setup-storage_full-crypto-support the comment induces that it might not work on
> LVM devices without this patch :-) That means:
>
> - Are you using the experimental builds or the stable release?
> - Would you be willing to test the experimental version in this case?
> - If so, I'd happily merge that patch into mainline as I just left it in the
>   experimental branch because it had not seen sufficient testing.
>
> Thanks a lot,
> Michael

I am using the stable packages (3.2.20) from the lenny repository. I
would give the experimental version a try.

Bye,
Andreas


Re: setup-storage: resizing ntfs

2009-09-10 Thread Andreas Heinlein
Michael Tautschnig wrote:
>> Hello,
>>
>> I have a question about resizing with setup-storage in general and
>> specifically regarding ntfs. We currently have Windows-only machines
>> with 12GB sda1 (primary, C:, NTFS) and the rest sda2 (primary, D:,
>> NTFS). We'd like to keep sda1 as it is and, if possible, resize sda2 to
>> make room for a new sda3 which will contain the FAI/Linux installation.
>>
>> I currently have:
>> disk_config disk1 preserve_always:1,2 disklabel:msdos bootable:1
>> primary   -   0   -   -
>> primary   /windows 10240-81920:resize   ntfs   -
>> primary   / 20480   ext3   rw
>>
>> I tried experimenting with resize in the disk_config line and/or the
>> partition; I have installed ntfsprogs into the nfsroot, but I cannot get
>> it to work. Specifically, setup-storage tells it is retaining sda1, but
>> then always tells me the disk is too small. Is this at all possible?
>
> You must remove 2 from preserve_always and replace ntfs with - in your
> /windows line, then it should work.
>
> Best,
> Michael
>
> PS.: NTFS may cause several other problems as well - you've got a backup, don't
> you?

I am using a test machine, no data to lose ;-)
Your solution works, but only with fixed sizes. The next step would be
to have a variable size. What I want is to shrink the existing sda2 just
enough to make room for the (fixed size) root partition (+swap, I forgot
in the above listing). Unfortunately, this

primary   /windows 10240-81920:resize   ntfs   -
does not work, setup-storage complains about not enough space when using this 
on a 60GB hard drive. It tells me it requires something like (sda1 + 81920 + 
20480). Looks like it is trying to always use the maximum size. Omitting the 
upper limit does not work, either. Only this works:
primary   /windows 10240:resize   ntfs   -

If this is a limitation of setup-storage, would there be a way using a hook?

Thanks,
Andreas




setup-storage: ext4

2009-09-10 Thread Andreas Heinlein
Hello,

another question regarding setup-storage: apparently it does not (yet)
work with ext4. I tried to create an ext4 partition, but the
corresponding parted mkpart ext4 exits with 1. Looks like parted
cannot deal with ext4 as filesystem type. As I understand, it should
as well be possible to just call parted with ext3 as filesystem type and
still run mkfs.ext4 later on. This would need a patch for setup-storage,
though.

Is there a way around this using hooks?

Bye,
Andreas


setup-storage: resizing ntfs

2009-09-09 Thread Andreas Heinlein
Hello,

I have a question about resizing with setup-storage in general and
specifically regarding ntfs. We currently have Windows-only machines
with 12GB sda1 (primary, C:, NTFS) and the rest sda2 (primary, D:,
NTFS). We'd like to keep sda1 as it is and, if possible, resize sda2 to
make room for a new sda3 which will contain the FAI/Linux installation.

I currently have:
disk_config disk1 preserve_always:1,2 disklabel:msdos bootable:1
primary   -   0   -   -
primary   /windows 10240-81920:resize   ntfs   -
primary   / 20480   ext3   rw

I tried experimenting with resize in the disk_config line and/or the
partition; I have installed ntfsprogs into the nfsroot, but I cannot get
it to work. Specifically, setup-storage tells it is retaining sda1, but
then always tells me the disk is too small. Is this at all possible?

Thanks,
Andreas


Purging unlisted packages

2008-12-12 Thread Andreas Heinlein
Hello,

I have a question regarding take-over of clients not initially
installed with FAI. Is it possible to purge any packages *not* listed in
package_config during softupdate? I have read that one should not just
remove a package from the list that was previously installed, but
instead prepend it with a '-' sign. But what if you do not know exactly
which packages were previously installed and want to just remove any
installed but unlisted package?

Thank you,
Andreas