Previous: twist.html Next: dhcpd.html

TFTPROOT and Netboot Files

Given that we will be controlling booting using a "bootme" file retrieved by tftp, and further that will want to maintain a unique bootme file for each machine in the cluster, we need system wide policies for manipulating the files in these directories to keep things manageable.

When MacOS is set to boot with a symbolic link of bootme to bootmacos, then this will be the only file retrieved by tftp. However, when linux boots there will a total of four files to be retrieved. Five during a linux install.

Here is what the link structure looks like under the current policy (described below) when MacOS is set to boot:

root@master:~# ls -l /tftpboot/192.168.2.2
total 0
lrwxrwxrwx    1 root     root           12 Dec  5 15:09 bootlinux -> ../bootlinux
lrwxrwxrwx    1 www-data www-data       12 Dec 28 19:07 bootme -> ../bootmacos
lrwxrwxrwx    1 root     root           16 Dec 10 22:57 initrd.gz -> ../test-splat.gz
lrwxrwxrwx    1 root     root           19 Nov 23 17:13 vmlinux -> ../vmlinux-allnodes
lrwxrwxrwx    1 root     root            9 Nov 10 23:53 yaboot -> ../yaboot
lrwxrwxrwx    1 www-data www-data       28 Dec 28 19:05 yaboot.conf -> ../yaboot.conf-Install_Linux

A total of six files. A possible five for linux, and the one for macos.

File by file description:

bootlinux: This allows one to boot a machine into linux even though it is set on $master-server to boot MacOS. Known as the linux boot trick.
bootme: Filename programmed into the OF boot-device setting. We change this link between ../bootlinux and ../bootmacos to set the machine to boot MacOS or Linux respectively.
initrd.gz: Miniature compressed root filesystem image which performs the initial linux installation on a prepared virgin slave. Sucker!
vmlinux: The linux kernel itself.
yaboot: The yaboot bootstrap program.
yaboot.conf: Configuration file for yaboot. Used as "second switch" to set Linux to run from the hard drive, or to be installed.

*** SECURITY ALERT ***

Note that two files belong to user and group "www-data", while the rest to root. Also note that the IP named directories are all user "www-data" ownership, but NOT the /tftpboot directory.

root@master:~# ls -ld /tftpboot/192.168.2.2
drwxr-xr-x    2 www-data root         4096 Dec 28 19:07 /tftpboot/192.168.2.2
root@master:~# ls -ld /tftpboot/
drwxr-xr-x   72 root     root         4096 Dec 28 00:17 /tftpboot/

Yes this is a security problem. If anyone gets access to the "www-data" user via the apache web server (which runs as user and group "www-data"), then they have write access to the per machine tftp directories, and the restriction in /tftpboot is meaningless. This is a big TODO in terms of making this more secure. I have accepted this at this time, provided the following precautions are taken:

Restrict apache (web server) and cgi access to the internal network only. (see apache.txt)
Restrict tftp access to the internal network only (see hosts.allow)

THESE ARE VERY IMPORTANT. I can not stress this too much. It only takes one night of log watching to see that all servers, and services are constantly being probed from the internet.

Allowing the www-data user any kind of write access anywhere is a very real and serious security threat, yet this is exactly what we do to make manipulating these links easy with apache and cgi.

It is a tradeoff between security and useability. The most secure computer system is one that is turned off and disassembled.

*** END SECURITY ALERT ***

Ok, so the reason those two files/links were owned by "www-data" is indeed because we will use a cgi/web interface to manipulate them. The remaining links do not need to be manipulated and should be owned by root to prevent changes by the "www-data" user.

Switching "bootme" between pointing to /tftpboot/bootmacos (hence ../bootmacos above), and /tftpboot/bootlinux achieves the desired per machine switch at boot time betweent .. MacOS and Linux. Of course.

The second file that we manipulate frequently is the yaboot.conf file. This is used to manipulate how linux is booted in finer grained detail. The two main modes we switch between are "Install_Linux" and Linux_hda11".

Here is where some policy is needed to make things easy. The cgi's will look for and manipulate any file in the /tftpboot directory of the form "yaboot.conf-foo" where the hyphen ('-') seperates the base file name from our instance name. The instance name must not contain any hyphens, and should consist of alphanumeric characters and the underscore ('_') only. Anything else is not supported and may have unpredictable results.

Furthermore, no files should be kept in the per IP unique subdirs of /tftpboot except for symbolic links to the real files in /tftpboot. This greatly simplifies administration, since adhering to this policy forces you to choose generic names in the subdirs, which can be hardcoded into the cgi's and boot programs (yaboot looks for yaboot.conf for instance). Then you can manipulate a second symbolic link in /tftpboot if you wish to point to a specific instance and thereby change all machines settings at once.

Think of the /tftpboot directory as a class, and the subdirs as instances of that class. This model could be extended to keep per machine configuration information as well, thereby coming up with a generic network wide system management platform. Note the 130.60.99.155 subdir, which is a G4 cube, not part of the cluster. This was part of an experiment along these lines.

OBSOLETE - Use the script twist.sh to create this directory hierachy. TODO - It does not yet populate /tftpboot with the real files though. FART obsoletes twist.sh incorporating it transparently into the installation process.

Peter