So... The netboot works, we can move on to the LRP side of it.
The following is a modified version of a file included with the Etherboot distribution; the original file can be found in the contrib/mklrpnb directory. The new file is extractdach.pl and can be viewed here or as the workable Perl script in Section 4.2. There are some variables that need setting up first, so read the source.
On the first pass it will extract the lrp files to a base directory (currently /usr/src/LRP/lrp-firewall); within this newly created directory will be the expanded Dachstein distribution. It is now our working directory and will form the basis of the new distribution.
Additionally, on the first pass the script will modify /linuxrc so that it does not try to mount and read the non-existent *.lrp files (these are now transferred over the network in the lrp.nb file). It also creates a /var/lib/lrpkg/packages file, which the floppy method builds at boot time. This file allows the configuration files for the packages to be viewed using lrcfg on the netbooted machine.
Finally the script changes a boot error message to reflect the fact that this modified distribution cannot do backups; not entirely necessary, but ...
With this netboot method, all mods are done to the expanded distribution in $dachnew. When the changes are ready to be tested, the extractdach.pl script is run a second (third, fourth... whatever) time to build the netbootable images. These images will be in /tftpboot/firewall/ as required by the /etc/dhcpd.conf and /etc/xinetd.d/tftp config files; the location is set by the extractdach.pl variable $tftpboot.
The LRP source image can be read by extractdach.pl at any stage; it does not have to be the original version but can instead be a backup copy of an existing (working) install. You will need to transfer this image onto the hard drive with...
dd if=/dev/fd0u1680 of=same_string_as_$image_in_extractdach.pl
for the 1.680 MB image. If the path and filename are not the same as the $image location then copy it over so that the script can do the rest of the work. If you want to be sure you got something from the disk then use the following command to view it under /mnt/floppy...
mount -t msdos -o ro,loop same_string_as_$image_in_extractdach.pl /mnt/floppy
#!/usr/bin/perl -w
#
# A program to make a netbootable image from a LRP firewall floppy
#
# Tested on a Dachstein Linux floppy image available from
# http://lrp1.steinkuehler.net/ or via http://leaf.sourceforge.net/
# The most recent version of this script and a companion HowTo is available at
# http://members.optushome.com.au/graybeard/linux/netboot.html
#
# Modified from the mklrpnb file found in the contrib/mklrpnb directory of the
# Etherboot source at http://etherboot.sourceforge.net/
#
# Modifications by Glenn McK <graybeard(at)users.sourceforge.net>
# $Id: etherbootdach.sgml,v 1.1 2002/04/27 08:33:13 graybeard Exp $
#####################################
# this entry will need changing
#$image = "/home/graybeard/etherboot/dachstein-v1.0.2-1680.bin";
$image = "/home/graybeard/etherboot/optustein/dachstein-v1.0.2-1680.bin";
#$image = "/home/graybeard/etherboot/bootdisk.bin";
# these can remain, but change them if desired
#
# the next argument defaults to firewall if no other name is passed via the
# command line, this will be the directory where distribution will be expanded
# under $base and also the directory in /tftpboot for lrp.nb
my $uniqdir = shift || 'firewall';
$mntdir   = "/mnt/floppy";             # where the above image file can be mounted
$tftpbase = "/tftpboot";
$tftpboot = "$tftpbase/$uniqdir";      # where the netboot images will be available
$base     = "/usr/src/LRP";
$dachorg  = "$base/dach-org-$uniqdir"; # a copy required to make the distribution
$dachnew  = "$base/lrp-$uniqdir";      # the base files for the new distribution
$packages = "$dachnew/var/lib/lrpkg";  # list to allow lrcfg to display Packages
# everything below should be okay
######################################
if ( !-e $image ) {
    print "\n\tA valid LRP file and directory are required\n\tdownload one then edit $0\n\n";
    exit 1;
}
mkdir( $base,    0700 ) if !-d $base;
mkdir( $dachorg, 0700 ) if !-d $dachorg;

if ( !-d $dachnew ) {
    # first pass: expand the floppy image into $dachnew and keep a pristine
    # copy of the floppy contents in $dachorg
    mkdir( $dachnew, 0700 );
    `umount $mntdir`;
    `mount -t msdos -o ro,loop $image $mntdir`;
    `cp -vr $mntdir/* $dachorg/`;
    @cfg = `cat $mntdir/syslinux.cfg`;
    unless (@cfg) {    # an empty list means the file was not readable
        print "Cannot find syslinux.cfg on $mntdir\n";
        exit 1;
    }
    print "cfg = @cfg\n";
    ($append) = grep( /append/, @cfg );    # find the append= line
    print "append = \n$append\n";
    chomp($append);                        # remove trailing newline
    $append =~ s/append=//;                # remove the append= at beginning
    print "strip append = \n$append\n\n";
    @args = split( / /, $append );         # split into arguments at whitespace
    ($root) = grep( /^initrd=/, @args );   # find the initrd= argument
    $root =~ s/^initrd=//;                 # remove the initrd= at beginning
    $root =~ s/\.lrp$//;                   # cleanup for packages list
    print "strip initrd = \n$root\n\n";
    ($lrp) = grep( /^LRP=/, @args );       # find the LRP= argument
    $lrp =~ s/^LRP=//;                     # remove the LRP= at beginning
    print "strip LRP =\n$lrp\n\n";
    @lrp = split( /,/, $lrp );             # split into filenames at ,
    unshift( @lrp, $root );                # prepend the root LRP filename
    @pack = @lrp;
    print "LRP =\n@lrp\n\n";
    $append = '';
    foreach $i (@args) {                   # rebuild the append string
        next if ( $i =~ /^initrd=/ );      # minus the unneeded parameters
        next if ( $i =~ /^LRP=/ );
        next if ( $i =~ /^boot=/ );
        next if ( $i =~ /^PKGPATH=/ );
        print "$i\n";
        $append .= "$i ";
    }
    print "final append = \n$append\n";
    chdir($dachnew) or die "$dachnew: $!\n";
    foreach $i (@lrp) {
        $i .= '.lrp' if $i !~ /\.lrp$/;
        print "\n\n\nUnpacking $i\n";
        system("ln -svf $dachorg/$i ${dachorg}/${i}.tar.gz");
        chmod 0600, "$dachorg/$i";
        system("cat $mntdir/$i | tar zxvf -");    # an .lrp is a tar.gz
    }
    # create file for lrcfg to display packages
    open( PACKAGES, ">$packages/packages" )
      or die "unable to modify $packages: $!\n";
    foreach $line (@pack) {
        print PACKAGES "$line\n";
    }
    close PACKAGES;
    # prevent previous file from being overwritten during installation
    # and also mess with some values in /linuxrc to hide non errors
    open( LINUXRC, "$packages/root.linuxrc" )
      or die "unable to read $packages/root.linuxrc: $!\n";
    @text = <LINUXRC>;
    close LINUXRC;
    open( LINUXRC, ">$packages/root.linuxrc" )
      or die "unable to modify $packages/root.linuxrc: $!\n";
    foreach $line (@text) {
        # each replacement leaves a comment about the change on its own line
        $line =~ s/PFX\/packages/PFX\/packages-old \n\t\t\t\t# packages changed to packages-old for netboot setup/;
        $line =~ s/^rc=1/# rc=1 changed to rc=0 to suppress error messages for netboot setup \nrc=0/;
        $line =~ s/echo -n \" \(nf\!\)\"/#echo -n \" \(nf\!\)\" changed to reflect ToDo list \n\t\t\techo -n \" netboot setup - No backups possible from this machine - ToFix ?"/;
        print LINUXRC $line;
    }
    close LINUXRC;
    # swap interfaces around in network config file
    # eth1 is the new external eth0 is OUR internal server access
    open( NETWORK, "$dachnew/etc/network.conf" )
      or die "Unable to read NETWORK: $!\n";
    @text = <NETWORK>;
    close NETWORK;
    open( NETWORK, ">$dachnew/etc/network.conf" )
      or die "Unable to modify NETWORK: $!\n";
    foreach $line (@text) {
        # three-step swap so the two names do not collide
        $line =~ s/eth0/eth00/;
        $line =~ s/eth1/eth0/;
        $line =~ s/eth00/eth1/;
        print NETWORK $line;
    }
    close NETWORK;
    `echo $append > $dachorg/appendstr`;    # kept for the later passes
    `umount $mntdir`;
    print "\nThe files have been extracted to $dachnew\n";
    system("ls -al $dachnew");
}
else {
    # second and later passes: pack $dachnew and build the netboot image
    print "\n\n\t$image\n\thas already been extracted to $dachnew\n",
          "\tNow skipping to the next step where the netboot file\n",
          "\twill be created.\n";
    $append = `cat $dachorg/appendstr`;
    chomp($append);    # the newline must not end up inside --append='...'
    print "\nThe new append string will be...\n$append\n";
    chdir($dachnew) or die "$dachnew: $!\n";
    if ( !-d $tftpbase ) {
        mkdir( $tftpbase, 0710 );
        system("chgrp nobody $tftpbase");
    }
    unlink($tftpboot);    # remove a stale file or symlink of that name, if any
    # these permissions really need changing to something secure
    mkdir( $tftpboot, 0710 );
    system("chgrp nobody $tftpboot");
    print "\tRepacking to $tftpboot/lrp.lrp\n";
    system("tar zcf $tftpboot/lrp.lrp *");
    print "\tExtracting kernel image from $dachorg\n";
    system("cat $dachorg/linux > $tftpboot/lrp.ker");
    print "\tCreating netboot image $tftpboot/lrp.nb\n";
    system("mknbi-linux --append='$append' --output=$tftpboot/lrp.nb $tftpboot/lrp.ker $tftpboot/lrp.lrp");
    chmod 0604, "$tftpboot/lrp.nb", "$tftpboot/lrp.ker", "$tftpboot/lrp.lrp";
    print "\nThese netboot files are in $tftpboot\n";
    system("ls -al $tftpboot");
    print "\n The owner and permissions for $tftpboot\n",
          " and files should be checked for security. The above\n",
          " permissions assume that tftp is running chroot (nobody)\n",
          " drwx--r--- root:nobody /tftpboot\n\n";
}
exit 0;
The LRP files have the extension .lrp but are tar.gz files in disguise, so to add a module to your new distribution you need to download the appropriate *.lrp file and rename it to have the extension .tar.gz. Once that's done, extract the enclosed files to the /usr/src/LRP/lrp-firewall directory and update /var/lib/lrpkg/packages, as this file contains the names of any modules installed. If you fail to add the entry to packages, the module will not display in lrcfg. We cannot use the script directly for backup to the tftp server; however it is still useful, and the absence of those entries could cause confusion later.
For example, weblet.lrp becomes weblet.tar.gz, its contents are extracted into /usr/src/LRP/lrp-firewall, and lastly the /usr/src/LRP/lrp-firewall/var/lib/lrpkg/packages file is updated with the name weblet.
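The module-adding steps above as an added shell helper (not part of the HowTo or of extractdach.pl): it unpacks an .lrp into the expanded tree and registers the name in var/lib/lrpkg/packages exactly once. The weblet.lrp it works on is a constructed sample built in a scratch directory, and the check on archive member paths is my own addition.

```shell
#!/bin/sh
# Added example, not part of the HowTo or extractdach.pl: unpack an .lrp
# module into the expanded distribution and register it in
# var/lib/lrpkg/packages so lrcfg can display it.  Assumes GNU or busybox tar.
set -e

# add_lrp_module <module.lrp> <dachnew>   (prints the registered name)
add_lrp_module() {
    lrp="$1"
    dachnew="$2"
    name=$(basename "$lrp" .lrp)
    pkgfile="$dachnew/var/lib/lrpkg/packages"

    # an .lrp is a gzipped tar; refuse members that would land outside
    # $dachnew (a corrupt archive fails at the extract step below)
    if tar tzf "$lrp" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $lrp: absolute or ../ member paths" >&2
        return 1
    fi
    mkdir -p "$dachnew/var/lib/lrpkg"
    tar xzf "$lrp" -C "$dachnew"

    # register once; duplicate entries make lrcfg list the module twice
    if ! grep -qx "$name" "$pkgfile" 2>/dev/null; then
        echo "$name" >> "$pkgfile"
    fi
    echo "$name"
}

# constructed sample: build a tiny weblet.lrp in a scratch directory and
# add it twice; the second call must not duplicate the packages entry
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/new"
    echo "weblet sample config" > "$work/src/etc/weblet.conf"
    ( cd "$work/src" && tar czf "$work/weblet.lrp" etc )
    add_lrp_module "$work/weblet.lrp" "$work/new" > /dev/null
    add_lrp_module "$work/weblet.lrp" "$work/new" > /dev/null
    echo "$work"
}
```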
Time to move on to the second part of the project, or was it the first?
On the router - firewall if you accept the default name - you will need to configure the machine to get an assigned IP from your ISP, as well as setting up routing and configuring the firewall.
The usual deal when running an LRP machine from floppy, hard drive or whatever is to execute lrcfg and follow the menus till all the configurations are done. In our case lrcfg will not be quite as useful; there are no backups available from this menu for starters, but it can serve as a useful prompt to work out which files to modify back on the tftp server.
If you install the ssh.lrp module this will make available the scp command for the transfer of files between machines. This will assist in keeping the two versions (client and server) synced.
The firewall script was not my friend but we get along Okay now :-) Back when I was running Eigerstein I wimped it and just ran my own script after the machine booted up, bypassing all that scripting work the LRP team have done. Eventually though I decided to use it, in truth the dynamic IPs we now get with Optus forced the rethink. It was worth the effort to understand it
To assist with configuring Dachstein, the README network.txt is invaluable and has a useful section labeled "IP FILTER SETUP"
I'll add to this section as needed and may even upload an image suitable for the Optus network, but later... Perhaps the scripts are needed first, but this HowTo is primarily about netbooting the Dachstein/Eigerstein distributions, and if I don't get this page uploaded now it will take another six months to do.
We've now got the start of a compact setup. To run headless should be the next step to save space and also for convenience.
We are also able to get most of our boot messages with a serial console. To do this we set up minicom to run on the internal machine, with a null modem cable between the serial ports; that's between the router and minicom --- not between the.... Ah forget it..;-)
The Eigerstein HowTos have a quick rundown on enabling the serial port. You need to replace the kernel that came with the 1.68 meg floppy with one that supports a serial console during boot up, if you want all the console output.
Basically: rename linux-2.2.19-3-LEAF-normal.zImage.upx to linux and replace the file of that name in $dachorg. Add the serial module to /etc/modules, add the console= string to $dachorg/appendstr (view the extractdach.pl script to see where it is read), and add a getty entry to /etc/inittab.
For example purposes only, this is the $dachorg/appendstr that I use ....
load_ramdisk=1 initrd_archive=minix ramdisk_size=6144 root=/dev/ram0 console=ttyS1,115200n8
along with this in /etc/inittab
T1:23:respawn:/sbin/getty -L ttyS1 115200 vt102
Additionally you may need to comment out the terminals, otherwise you will get the infamous "INIT: Id "1" respawning too fast: disabled for 5 minutes" message if you elected to remove the video card from the machine.
# Format:
# <id>:<runlevels>:<action>:<process>
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
finally /etc/securetty needs an entry to enable root access to /dev/ttyS1
ttyS1
This will give a serial console on ttyS01 (COM B, or async 2). When the serial connection is fully enabled everything will be displayed from the moment the bootrom takes control to when shutdown displays "Power down". The only thing missing is the ability to configure the BIOS, a small loss considering the gain.
Catching the boot process at the bootrom start-up also allows the menu feature to be used. If you have configured this menu then the netboot can be bypassed and a local drive mounted instead.
If you opt for the full serial setup (replacing the kernel as outlined above) then you will also need to set the Etherboot options appropriately when configuring it. Using rom-o-matic the following options will need due attention.
CONSOLE_SERIAL: set for serial console.
CONSOLE_DUAL: set for CRT and serial console, see comment at -DANSIESC and -DGFX
COMCONSOLE: set port, e.g. 0x3F8
CONSPEED: set speed, e.g. 57600
COMPARM: set Line Control Register value for data bits, stop bits and parity.
There will be NO other console with the above configuration; if you want a keyboard and monitor for the initial setup process then the serial HowTo is your friend. Briefly: insert console=tty0 into the $dachorg/appendstr string, like so....
load_ramdisk=1 initrd_archive=minix ramdisk_size=6144 root=/dev/ram0 console=tty0 console=ttyS1,115200n8
and leave those terminal entries uncommented within the inittab file.
If you can score yourself a 16550A UART chip for the serial port then do so. These seem to be rather scarce but are slightly quicker on throughput, as the Serial HowTo explains. However the common 16450 is quite usable considering what we are expecting from it. The kernel log shows which chip was detected on each port:
cat /var/log/messages | grep ttyS
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
The serial cable (null modem) I use is a DTE<=>DTE using 7 wires, but a better description lies at the nullmodem site in the form of the first image, or the one labeled "Common Null-Modem Connection"
There are a few terminal clients around, I have used minicom and it's almost satisfactory ;-)
One BIG advantage of a serial connection is that when you run something such as tcpdump over the remote link, there is no need to hit yourself with the cluestick afterwards. You did install ssh as well?
Depending on the motherboard you may be able to ditch the video card; the floppy and hard drive can go too, along with the I/O card unless the serial port is soldered to it. Try it and see! If the only complaint from the BIOS is a series of annoying beeps, just disconnect the speaker lead.
Removing unnecessary cards will reduce power consumption along with the amount of heat produced.
READ and take HEED of the warning on the power supply BEFORE OPENING it and modding the internals. The voltages ARE LETHAL and you DO need to KNOW what you are doing.
Braver people than I have disconnected the fan from the computer's power-supply unit :-) I was able to get a power supply that used a thermistor circuit in the fan's power lead and have used this instead. It works well and the fan operates at a reduced speed; if the box ever gets hot the sensor should detect it and increase the speed (cooling) accordingly.
I have back traced the circuit in my supply and it can be found at Section 7.2, but visit the following links to get a better background and also other, perhaps more appropriate, designs.
Keeping the Fans Quiet - Power Control Methods: has a wealth of information and good links.
One of the above links is unfortunately broken, but it still lives here.
This circuit is very close to the money and gives a good description as well.
Under the heading "Optional very dangerous" (at the bottom of that page) is an interesting idea. I would not do it myself, however the addition of some extra (small) holes in the top cover could be a suitable compromise.
Obviously the thermistor has to be placed in a position that allows it to perform some speed regulation for the required temperatures, placing it directly on the heatsink or in the bottom corner of the power supply box would be two useless extremes.
DO NOT work on the Power Supply with the box OPEN AND switched ON. Even if recently turned off the capacitors may still HOLD enough CHARGE to supply 240 volts.