PXE Notes
# Review before running: the script fetches and executes several other gists as root inside the chroot,
# and bakes an SSH authorized_keys file and a NOPASSWD sudoers entry into the image.
# Download first, read it, then run it (rather than piping the unseen script straight into bash):
curl -fsSL https://gist.githubusercontent.com/ilude/bf6d435352610528794d5cac4a0845a1/raw/%21ImageSetup.sh -o ImageSetup.sh
bash ImageSetup.sh 2>&1 | tee build.log
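#!/bin/bash
# Build a netbootable Ubuntu bionic image: debootstrap into ./chroot, provision
# it, then pack ./build/{vmlinuz,initramfs.gz}.  Runs as the invoking user and
# escalates with sudo only where the chroot needs it.
# Stop at the first failed step: the original free-running script packed
# whatever state a failed download or apt call left behind.
set -euo pipefail
# Start from a clean tree.  Both names are literal, so an empty or unset
# variable cannot widen this rm.
sudo rm -rf chroot initramfs
echo "debootstrap into chroot"
# The mirror is plain http; debootstrap checks the Release signature against the
# host's ubuntu-keyring when gpgv is available, so the download is
# integrity-checked even though it is not private.
sudo debootstrap \
  --arch=amd64 \
  --variant=minbase \
  bionic \
  chroot \
  http://us.archive.ubuntu.com/ubuntu/
echo "chroot into chroot"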
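# Everything up to EOF runs as root inside the freshly debootstrapped tree.  The
# delimiter is quoted, so nothing below is expanded by the outer shell; $USER,
# $HOME etc. are the chroot's own.  /bin/bash is named explicitly: with no
# command, chroot runs "$SHELL -i", whose identity depends on the caller.
sudo chroot chroot /bin/bash <<'EOF'
# Abort on the first failure.  The original shell kept going, so a failed
# download, sed or apt call was silently baked into the image.
set -euo pipefail
# Keep the tty1 login prompt from clearing the boot messages (live-image
# convention).  NOTE(review): the gist rendering garbled this path to
# "[email protected]"; getty@tty1.service.d is the drop-in directory that a
# noclear.conf with TTYVTDisallocate=no belongs to.
mkdir -p /etc/systemd/system/getty@tty1.service.d
cat > /etc/systemd/system/getty@tty1.service.d/noclear.conf << CHEOF
[Service]
TTYVTDisallocate=no
CHEOF
echo "Mounting internal special filesystems"
mount none -t proc /proc
mount none -t sysfs /sys
mount none -t devpts /dev/pts
# Always unmount on the way out, including on an aborted build, so the outer
# tar of the chroot never sweeps up a live /proc or /sys.
cleanup_mounts() { umount -lf /dev/pts /sys /proc 2>/dev/null || true; }
trap cleanup_mounts EXIT
export HOME=/root
export LC_ALL=C
export DEBIAN_FRONTEND=noninteractive
echo "set default hostname"
echo "ubuntu-fs-live" > /etc/hostname
echo "setup apt sources"
# Plain-http mirror: apt verifies the signed Release files, so package
# integrity does not depend on the transport.
cat <<CHEOF > /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse
CHEOF
# Keep the image minimal: never pull Recommends/Suggests, so the option does not
# have to be repeated on every apt-get call.
echo "set default apt to --no-install-recommends"
cat <<- 'CHEOF' >> /etc/apt/apt.conf.d/99local
APT::Install-Suggests "0";
APT::Install-Recommends "0";
CHEOF
echo "prevent packages from installing unwanted locales"
cat <<- 'CHEOF' > /etc/dpkg/dpkg.cfg.d/01_nolocales
path-exclude /usr/share/locale/*
path-include /usr/share/locale/en*
CHEOF
echo "prevent documentation from being installed by apt-get"
cat <<- 'CHEOF' > /etc/dpkg/dpkg.cfg.d/01_nodocs
path-exclude /usr/share/doc/*
path-include /usr/share/doc/*/copyright
path-exclude /usr/share/man/*
path-exclude /usr/share/groff/*
path-exclude /usr/share/info/*
path-exclude /usr/share/lintian/*
path-exclude /usr/share/linda/*
CHEOF
echo "apt-get update"
apt-get update
echo "installing minimum required packages"
apt-get install -y apt-transport-https apt-utils bash ca-certificates curl dbus gpg-agent sudo systemd-sysv wget
echo "apt-get dist-upgrade"
apt-get dist-upgrade -y
echo "installing base packages"
# Remote script executed as root with no pinning or signature; inspect it before
# building.  -f makes curl fail on an HTTP error instead of piping an error page
# into bash (the original "-l" is curl's FTP list-only flag, not -L).
curl -fsSL https://gist.githubusercontent.com/ilude/bf6d435352610528794d5cac4a0845a1/raw/BasePackages.sh \
  | bash -s
apt-get purge -y cryptsetup
echo "setup locales"
dpkg-reconfigure locales
dpkg-reconfigure tzdata
locale-gen en_US.UTF-8
echo "generating machine-id"
dbus-uuidgen > /etc/machine-id
ln -fs /etc/machine-id /var/lib/dbus/machine-id
# Divert initctl to /bin/true so maintainer scripts cannot start services inside
# the chroot; the divert is undone at the end.
dpkg-divert --local --rename --add /sbin/initctl
ln -sf /bin/true /sbin/initctl
# gist.github.com/.../raw URLs redirect to gist.githubusercontent.com; -L follows
# the redirect, otherwise the saved file is empty.
curl -fsSL https://gist.github.com/ilude/e2342829a97c3c3d3da5f9c73976c4ec/raw/netplay.yml \
  -o /etc/netplan/01-interface.yaml
# sudo netplan apply
# Harden sshd_config IN PLACE.  The original sed had no -i, so it only printed
# the edited file to stdout and the stock config was shipped unchanged.
# ServerKeyBits, RhostsRSAAuthentication and UsePrivilegeSeparation no longer
# exist in OpenSSH 7.6 (bionic) and are dropped rather than uncommented.
sed -i \
  -e 's/^#PermitRootLogin yes/PermitRootLogin no/' \
  -e 's/PermitRootLogin yes/PermitRootLogin no/' \
  -e 's/^#PermitRootLogin prohibit-password/PermitRootLogin no/' \
  -e 's/^#PermitEmptyPasswords yes/PermitEmptyPasswords no/' \
  -e 's/PermitEmptyPasswords yes/PermitEmptyPasswords no/' \
  -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/' \
  -e 's/PasswordAuthentication yes/PasswordAuthentication no/' \
  -e 's/^#X11Forwarding yes/X11Forwarding no/' \
  -e 's/X11Forwarding yes/X11Forwarding no/' \
  -e 's/^#IgnoreRhosts yes/IgnoreRhosts yes/' \
  -e 's/^#HostbasedAuthentication no/HostbasedAuthentication no/' \
  -e 's/^#AllowTcpForwarding yes/AllowTcpForwarding no/' \
  -e 's/AllowTcpForwarding yes/AllowTcpForwarding no/' \
  -e 's/^#LoginGraceTime 2m/LoginGraceTime 30/g' \
  -e 's/^#StrictModes yes/StrictModes yes/g' \
  -e 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/g' \
  -e 's/^#IgnoreUserKnownHosts no/IgnoreUserKnownHosts yes/g' \
  /etc/ssh/sshd_config
# Fail the build rather than ship a config sshd refuses to load.
/usr/sbin/sshd -t
# openssh-server generated host keys at install time; left in place, every
# machine that netboots this image would share the same private host keys.
# Remove them and regenerate at boot.  The drop-in resets ssh.service's
# ExecStartPre list so key generation runs before the packaged "sshd -t" check
# (re-added here in case the unit carries one).  The root filesystem is tmpfs,
# so keys are fresh on every boot unless persisted elsewhere.
rm -f /etc/ssh/ssh_host_*
mkdir -p /etc/systemd/system/ssh.service.d
cat > /etc/systemd/system/ssh.service.d/regen-host-keys.conf << CHEOF
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
CHEOF
# git-prompt.sh is sourced by every login shell; it is fetched without pinning.
curl -fsSL https://gist.githubusercontent.com/ilude/e2342829a97c3c3d3da5f9c73976c4ec/raw/gitconfig -o /etc/gitconfig
curl -fsSL https://gist.githubusercontent.com/ilude/e2342829a97c3c3d3da5f9c73976c4ec/raw/git-prompt.sh -o /etc/profile.d/git-prompt.sh
chmod 644 /etc/gitconfig
chmod +x /etc/profile.d/git-prompt.sh
# create default user
export USER=clueless
addgroup "$USER"
useradd "$USER" --create-home --shell /bin/bash -g "$USER"
mkdir -p "/home/$USER/.ssh"
# This key list is the only credential that grants access to the image
# (password auth is off, root is locked); whoever can serve this URL can log in.
# -f keeps a 404 page from becoming the authorized_keys file.
curl -fsSL https://gist.githubusercontent.com/ilude/e2342829a97c3c3d3da5f9c73976c4ec/raw/authorized_keys_limited \
  -o "/home/$USER/.ssh/authorized_keys"
chmod 700 "/home/$USER/.ssh"
# The original used $HOME here and for .profile, which is /root in this shell,
# so the user's key file kept its default 0644 mode and the aliases went to root.
chmod 600 "/home/$USER/.ssh/"*
cat << CHEOF >> "/home/$USER/.profile"
alias dc=docker-compose
alias l='ls --color -lha --group-directories-first'
CHEOF
chown -R "$USER:$USER" "/home/$USER"
# Passwordless sudo for the deploy user (author's design; it makes the SSH key
# above root-equivalent).  A sudoers.d fragment is syntax-checked by visudo and
# cannot corrupt /etc/sudoers; a bad append to /etc/sudoers disables sudo for
# everyone, which on an image with a locked root is unrecoverable.
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$USER" > "/etc/sudoers.d/90-$USER"
chmod 0440 "/etc/sudoers.d/90-$USER"
visudo -cf "/etc/sudoers.d/90-$USER"
# make sure the root account is disabled; we will use sudo
passwd -dl root
# Install docker.  signed-by= scopes Docker's key to its own repository; apt-key
# would have trusted it for every configured source.  The pre-release "edge"
# channel is dropped: it has no place on a reusable image.
install -d -m 0755 /usr/share/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --batch --yes --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install -y docker-ce
# docker-ce's postinst already creates the group; -f keeps a repeat from failing.
# Membership of the docker group is root-equivalent on the host.
groupadd -f docker
usermod -aG docker "$USER"
# docker-ce installs its unit under /lib/systemd/system, not /etc/systemd/system,
# so the original hand-made wants/ link pointed at a path the package never
# creates.  systemctl enable works offline inside a chroot.
systemctl enable docker.service
curl -fsSL https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker \
  -o /etc/bash_completion.d/docker.sh
# Install docker-compose: latest release via the GitHub API (unauthenticated,
# rate-limited).  The grep also matches the release's .sha256 file, which
# sha256sum -c checks below — that catches a truncated or corrupted download,
# not a malicious release, since both files come from the same origin.
# NOTE(review): Compose v2 releases renamed the asset to docker-compose-linux-x86_64
# (lower-case), so this pattern may match nothing on current releases; wget then
# fails and the build stops instead of shipping without compose.
curl -fsSL https://api.github.com/repos/docker/compose/releases/latest \
  | grep browser_download_url \
  | grep docker-compose-Linux-x86_64 \
  | cut -d '"' -f 4 \
  | wget -qi -
sha256sum -c docker-compose-Linux-x86_64.sha256
install -m 0755 docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
rm -f docker-compose-Linux-x86_64 docker-compose-Linux-x86_64.sha256
docker-compose --version
curl -fsSL https://raw.githubusercontent.com/docker/compose/master/contrib/completion/bash/docker-compose \
  -o /etc/bash_completion.d/docker-compose
# Setting for redis to behave during background saves, plus IPv6 off
cat >> /etc/sysctl.conf << CHEOF
vm.overcommit_memory = 1
net.core.somaxconn = 1024
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
CHEOF
# Transparent hugepages off before docker starts.  The original installed this
# by hand-linking into multi-user.target.wants; WantedBy + systemctl enable
# yields the same ordering with a proper [Install] section.
cat > /etc/systemd/system/disable-hugepages.service << 'CHEOF'
[Unit]
Description="Disable Transparent Hugepage"
Before=docker.service
[Service]
Type=oneshot
ExecStart=/bin/bash -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'
ExecStart=/bin/bash -c 'echo never > /sys/kernel/mm/transparent_hugepage/defrag'
[Install]
WantedBy=multi-user.target
CHEOF
systemctl enable disable-hugepages.service
# Third-party installer from a gist, run as root without pinning; the grep
# strips its systemctl calls, which cannot run inside the chroot.
curl -fsSL https://gist.githubusercontent.com/ilude/2cf7a3b7712378c6b9bcf1e1585bf70f/raw/setup%2520node_exporter \
  | grep -v "^sudo systemctl" | bash -s
ln -sf /etc/systemd/system/node_exporter.service /etc/systemd/system/multi-user.target.wants/node_exporter.service
# sed -e 's/^MODULES=most/MODULES=netboot/' /etc/initramfs-tools/initramfs.conf
# dpkg-reconfigure initramfs-tools
# update-initramfs -u
# if above fails use
# mkinitramfs -o /boot/inirrd.img-$(uname --release)
# Cleanup apt cache
apt-get -y autoremove --purge
apt-get -y clean
apt-get -y autoclean
# Now, we can trim some disk space by deleting unused locales
find /usr/share/locale -mindepth 1 -maxdepth 1 ! -name 'en*' -exec rm -r {} +
# Also delete any documentation files that are already on the system
find /usr/share/doc -depth -type f ! -name copyright -delete
find /usr/share/doc -empty -delete
rm -rf /usr/share/man /usr/share/groff /usr/share/info /usr/share/lintian /usr/share/linda /var/cache/*
# Remove Bash history.  The original referenced an undefined $SSH_USER here, so
# the deploy user's history was never removed.
unset HISTFILE
rm -f /root/.bash_history "/home/$USER/.bash_history"
# Clean up logs, last-login records and temp files.  Everything under /var/log
# is removed, so the per-file truncation the original did first is unnecessary.
echo "==> Cleaning up tmp and logs"
rm -rf \
  /tmp/* \
  /var/lib/apt/lists/* \
  /var/log/* \
  /var/tmp/*
# Blank machine-id so each booted instance generates its own
truncate -s 0 /etc/machine-id
rm -f /sbin/initctl
dpkg-divert --rename --remove /sbin/initctl
EOF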
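# Pack the kernel plus a busybox initramfs that unpacks the rootfs into tmpfs.
mkdir -p build
# sudo mv chroot/boot/initrd* ./initrd
# chroot/ is root-owned; the unprivileged rm in the original failed quietly.
sudo rm -f chroot/boot/initrd*
sudo mv chroot/boot/vmlinuz* ./build/vmlinuz
mkdir -p initramfs/bin
# This binary becomes PID 1 of every netbooted machine.  No checksum is fetched
# or compared here; record the hash of a known-good copy out of band and compare
# against it before trusting a fresh download.  -f fails on an HTTP error
# instead of saving an error page as "busybox".
curl -fsSL https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-x86_64 \
  -o initramfs/bin/busybox
chmod +x initramfs/bin/busybox
# gist.github.com/.../raw redirects to gist.githubusercontent.com; -L follows it
# (the original "-l" is curl's FTP list-only flag and would leave init empty).
curl -fsSL https://gist.github.com/ilude/bf6d435352610528794d5cac4a0845a1/raw/init -o initramfs/init
chmod +x initramfs/init
# Pack the chroot as root so ownership and modes survive into the tarball; the
# subshells keep the working directory from leaking into later steps and abort
# if the cd fails.
( cd chroot && sudo tar Jcvf ../initramfs/rootfs.tar.xz . ) || exit 1
( cd initramfs && find . -print0 | cpio --null -ov --format=newc | gzip -9 > ../build/initramfs.gz ) || exit 1
sudo chown -R "${USER:-$(id -un)}:${USER:-$(id -un)}" build
echo
echo
echo "cp build/* ~/netboot/assets/test/"
echo
echo
echo 'Completed!'
echo
echo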
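# setup ip forwarding between interfaces
# https://askubuntu.com/a/1051803
# list ubuntu server packages
apt-cache show server^ | grep '^Package:' | sed 's/Package: //' | sort -u
# list installed packages
# dpkg -l pads its status column ("ii  name"), so the original
# sed 's_ _\t_g' | cut -f 2 selected the empty field between two tabs.
# dpkg-query emits status and name unpadded, and is not subject to the
# column truncation dpkg -l applies.
dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' | awk '$1 == "ii" { print $2 }'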
#!/bin/bash
# Base package set baked into the netboot image.  Kept as an array so single
# entries can be annotated; apt-get receives exactly the same package list.
base_packages=(
  acl
  apparmor
  apport                # NOTE(review): crash reporter that can submit dumps off-box; confirm it is wanted on an appliance
  apport-symptoms
  aufs-tools
  base-files
  base-passwd
  bash
  bash-completion
  bcache-tools
  binutils
  binutils-common:amd64
  binutils-x86-64-linux-gnu
  bsdmainutils
  bsdutils
  busybox-static
  bzip2
  casper
  cgroupfs-mount
  cifs-utils
  console-setup
  console-setup-linux
  coreutils
  cpio
  cron
  curl
  dash
  debianutils
  diffutils
  dirmngr
  dmeventd
  dmidecode
  dmsetup
  dnsutils
  file
  findutils
  fuse
  gawk
  git
  grep
  gzip
  hdparm
  hostname
  htop
  info
  iproute2
  iptables
  iputils-ping
  iputils-tracepath
  irqbalance
  iso-codes
  klibc-utils
  kmod
  language-pack-en
  less
  linux-base
  linux-firmware
  live-boot
  locales
  login
  lsb-base
  lsb-release
  lshw
  lsof
  ltrace                # tracing/capture tools (ltrace, strace, tcpdump) are as useful to an intruder as to an operator
  lvm2
  lxcfs
  lxd                   # NOTE(review): container daemon; lxd-group members are effectively root
  lxd-client
  make
  mdadm
  mlocate
  mount
  nano
  net-tools
  netbase
  netcat-openbsd
  netplan.io
  networkd-dispatcher
  nplan                 # transitional name for netplan.io
  ntp                   # runs a listening daemon; systemd-timesyncd may suffice for a client-only box
  openssh-client
  openssh-server        # host keys generated at install time ship in the image unless regenerated at boot
  openssl
  overlayroot
  passwd
  powermgmt-base
  procps
  psmisc
  rsync
  rsyslog
  screen
  sed
  software-properties-common
  strace
  sudo
  sysvinit-utils
  tar
  tcpdump
  telnet                # cleartext remote-login client; rarely justified on a hardened image
  time
  tmux
  tzdata
  ubuntu-minimal
  udev
  ufw
  ureadahead
  usbutils
  util-linux
  uuid-runtime
  wget
  zerofree
)
apt-get install -y "${base_packages[@]}"
# dnsmasq: DHCP + PXE answers on the lab interface only.  DHCP/PXE is
# unauthenticated by design: any host on eth1 that answers DHCP first, or that
# serves 192.168.25.1:69, controls what the clients boot.  Keep eth1 isolated.
interface=eth1
dhcp-range=192.168.25.100,192.168.25.254,12h
log-dhcp
# TFTP is disabled here, so the loaders named below must be served by a separate
# TFTP server at 192.168.25.1 (the next-server field of each dhcp-boot line).
#enable-tftp
#tftp-root=/vagrant/tftp
# Earlier pxelinux setup on a different subnet (192.168.50.x); reference only.
#dhcp-boot=pxelinux.0,linuxhint-s20,192.168.50.1
#pxe-prompt="Press F8 for PXE Network boot.", 2
#pxe-service=x86PC, "Install OS via PXE",pxelinux
# Choose the netboot.xyz loader from the client's option-60 architecture id.
# The tag names are loose: per RFC 4578, 00002 is EFI Itanium and 00008 is EFI
# Xscale, neither of which can run the x86 .efi served here; 00000 (BIOS),
# 00006 (EFI IA32), 00007 (EFI BC) and 00009 (EFI x86-64) are the real cases.
dhcp-match=set:bios,60,PXEClient:Arch:00000
dhcp-boot=tag:bios,netboot.xyz.kpxe,,192.168.25.1
dhcp-match=set:efi32,60,PXEClient:Arch:00002
dhcp-boot=tag:efi32,netboot.xyz.efi,,192.168.25.1
dhcp-match=set:efi32-1,60,PXEClient:Arch:00006
dhcp-boot=tag:efi32-1,netboot.xyz.efi,,192.168.25.1
dhcp-match=set:efi64,60,PXEClient:Arch:00007
dhcp-boot=tag:efi64,netboot.xyz.efi,,192.168.25.1
dhcp-match=set:efi64-1,60,PXEClient:Arch:00008
dhcp-boot=tag:efi64-1,netboot.xyz.efi,,192.168.25.1
dhcp-match=set:efi64-2,60,PXEClient:Arch:00009
dhcp-boot=tag:efi64-2,netboot.xyz.efi,,192.168.25.1
#!/bin/busybox sh
# Drop to an interactive shell so a failed step can be inspected on the console.
# Anyone at the console gets an unauthenticated root shell here, and the caller
# carries on after that shell exits: this is a rescue hook, not an abort.
error() {
  printf '%s\n' 'Jumping into the shell...'
  setsid cttyhack sh
}
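# Populate /bin with applet links from the static busybox
/bin/busybox --install /bin
mkdir -p /proc /sys /dev /var/run /newroot
mount -t proc proc /proc
mount -t sysfs sysfs /sys
# The original never mounted /dev, so mdev populated the initramfs's own /dev
# directory and the later "mount --move /dev" had no mountpoint to move.
mount -t devtmpfs devtmpfs /dev
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
# Populate /dev and let the kernel hand hotplug events to mdev
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
# The whole root filesystem lives in RAM; size= caps the tmpfs, it does not
# check that the extracted rootfs fits.
mount -t tmpfs -o size=1500m tmpfs /newroot || error
echo "Extracting rootfs... "
# NOTE(review): nothing here verifies rootfs.tar.xz.  It is trusted solely
# because it was packed into this initramfs, so whatever served the initramfs
# over PXE decides what runs as root.  Only tar's status is checked; a failure
# in xz surfaces as a tar error.
xz -d -c -f rootfs.tar.xz | tar -x -f - -C /newroot || error
mount --move /sys /newroot/sys
mount --move /proc /newroot/proc
mount --move /dev /newroot/dev
exec switch_root /newroot /sbin/init || error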