http://andatche.com/ andatche.com 2013-09-18T00:00:00Z Ben Arblaster http://andatche.com/ tag:andatche.com,2013-09-18:/blog/2013/09/pgp-key-BC430B14-revoked/ PGP key BC430B14 revoked 2013-09-18T00:00:00Z 2013-09-18T00:00:00Z <p>I have revoked my PGP key <code>BC430B14</code> (fingerprint <code>58A8 46A9 8CC1 792F 2028 9D2B 5D74 9169 BC43 0B14</code>), which has been superseded by key <code>E54AC47A</code> (fingerprint <code>7A25 B9CB D644 A3F5 5615 B193 A545 5B42 E54A C47A</code>). Please update your keyrings as necessary.</p> <pre>-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.13 (Darwin) Comment: GPGTools - http://gpgtools.org mQINBEsdexUBEADPIC5t0+TyOwEYAhpG3VYArTQGpqiHqhg7WbJTcY51/KCPpWI6 Pyxu0VXVBQCl9x68Y/6parZ2m7MFnYd0dePs45R6ttWQr3RV6r2Ygh7ODTEVINg3 51GjqMauHj0fScfGaSG6vdBTw0kYNgtKBdOxK1enrawDmEkt5BkKQGlRPGQX/d/y WcRvcMCKg/6O3LjVXYvc3w+63Z0eDYz74WcVTUPaJU0lI2tOBUFIXTMEJgYLZIzf AX6M/Td7JE2rQ/0dxU/YMfXtfouM2zMbQ9ChLgb9boCTss4K9WYhO+p1qZVZZQsF UugxGYgm89MbDluRyO4G329aI5NP8sAefDSDJ8aTYQoTfx/VuSpGfdLtvbBWWCGJ 6LAG1fnTR1GgmABJkRlBzi/tajSBNi6QNPPVvDVjAEasORACe5Glq3o5e9/I/V+t 3XyESYDli24akFDnCo0mayt6D80C11U/vlxgHTzaHR9PZsVZmw3YsH8u/EyJtqp9 V9Jy0beXj/LvTgWbL6aUgVTDV5V/qJWUtOWQM74TQRbDVhwGYWo47RuLirXM/6Bd FeWKK0DF3ToXWeuLtRGk/GF14ympa/Z7iIU0joQrxRRvXWCu73CtsCsULaOjKHDf R6o2s29yUnyFCeRffhkZmRORxdh32hHmOrUofeG5TUygbl7vyYla+UYePQARAQAB tCNCZW4gQXJibGFzdGVyIDxiZW5AYnJpZ2h0Ym94LmNvLnVrPokCOQQTAQIAIwIb AwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJSOcTkAhkBAAoJEKVFW0LlSsR64AgP /jvzdcrHoPNFrTEnVygU+2iX8iC+pY2G242cGgFKTXhU9U4lkRcMMy6L1BBFHFBH RDAmGyVhQOqPz1U70PVYD03GoExsJwAM8Mry8MBUsJB6iUiXpCZdj4lASHaHn219 dTj+/f1VHTSesBGvs1882zfSH6Wy4bgFZoN3vxXcNfq/kbcXqEQ03dOOPpyvMmLb 7g1DN5Eq8PehUcYNbmxVjd5zUNaFnGCHu82nJDk6gVPVAsMaItmMuu6bAgHtJ81R UC1nvH77k3FTUsSpn1rr4LBqYEfm0vCLvR5Iiqh4G/UKSrzk946VErD/u4vHATBE iZGA431ROcL02bGynAihBUE1v+Cgvkqfaad75PJ/yOgCx/2C3bJYlNN9T1ngfT0v LPy5FGp+/4CP0BK3VxfDVynXpgqu1AXgdzumblp+9i8K633hm7o723galP6SGhMf 
21BA+mOpFTHUR7UwhcJ3YToNA8WU42b7GD56XL4EutFKsp8CNGQVfWXzSr+63NHA 1mtUt/oGyK0kGcXJiBReErIplZUusIuVEnnbXLG34Qr59qvAhsyQf+wHVG1v2dUt kYzDrBpYL2Lx6XgxBhjT5n3w1o/10DzKOI979+zGysWzyLqdJcT4B2iU51mO/p9b 4qhrXzh6L6f8dXyNKJKNlAxExWX5CG7uAFWRDwkYOPJXiEYEEBECAAYFAlI5yMEA CgkQXXSRabxDCxQsswCgjn3nHIqke+8RSltKFbMEUmTssZ0AnjrmWktppkoVHZIX jQZ8bvZpwNCxtCJCZW4gQXJibGFzdGVyIDxhbmRhdGNoZUBnbWFpbC5jb20+iQI4 BBMBAgAiBQJSOcICAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRClRVtC 5UrEeit4D/44hj6BFlKrJlEXunt89CH8ckyvoHfKEVIyoMdx2UyhNFP1zIkqkqyv /gzeqQ7S6wMkHXsrPTDgfLjyC65fl9VYZ55bHklnT7KXZuiKHlmPRaOwCRvjJuy3 yYugIWkzgubozFPEsAdek4qaXl1iUdTJIEv9LdwQ0nbvx0in4STlmGykdtjpIkEI dHGn3mYR1n2IAZnVKfUXUs6ncRDj6xgpYTnOuc6Vqb6gV36fNocr7hc+WtRhYzSH WrKxqO7gdwfFTbbktVMdO4tdhaRR+pn5N0BSQcXeE1wTsp509ey9HLe0q7zgawUm 5DFK86ryWNnsCMZst5tsipv1X75xQlomJ50ZcqJ3zqldk2CnoTePXPSOy8F9/0sK NxPKyWnOPKbTep67oeLalAuA7BxyOSSsu5J/XzG8F0bS7O3jrSucu0SCNkXEdhpe VraM424ULLxW/V1SXbhjIRY0VLOGl5vvb48cLSm2cOujEsaLTSoFc/kpTLdjxN+t GsA+v3G7goNRQCB3FKRilZsv5Coyxn1YqPl0KevSIx655JloeALXfkDwl5LO7Jme dnzqWyVBf+oUa6y8CJWIF2GbWEKU+6u6cznt0u5YExY1lG3kFHM7W3m3w01AjaIq qhPM5eCmMCcJaGV1zCeN0btC3Gq5hRiyF1h+RRdNnFhw4VugB1zpwohGBBARAgAG BQJSOcjRAAoJEF10kWm8QwsUHSkAniy3osuB0nm22RmfAp0k0Y7uKZguAKCscjz8 4OuTyW4DmMCM4Tvvz31YqLQgQmVuIEFyYmxhc3RlciA8YmVuQGFuZGF0Y2hlLmNv bT6JAjgEEwECACIFAlI5wewCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ EKVFW0LlSsR6g4MP/1iS/IsUSfs+mxKJmCa9omHFs36wSrMHQRWCIDywSEQycTFZ g63VaqX5GAO/+Y8XgouZ8st97Ls23ZGqZ0fTiGG8Q/nCgbgCOqGqtKfJPc+sWn73 jCOGHr0RQrlYGd7mcYbR7Zd+KvAQD5pYXdIx50AWI3oyep+eoZUNkro36De2U7Bs s06j54F+PeCSciS4UIYLC89T9uGVqY44B0yRtgetfF3Tcx4B19ykUKUtLslUJjCg TliXrBsZK9hC77FRNfJrdyt6/51ijwGngpCELUBidYPaohShSMWCuQOcDZTBizCQ 5lxUTcfoZeyZkbeL/2Tki5fcu+lEcHGUQVNUTc+trZrnJZCHZk+tpZtohcUa8awG QOiNb6BiV29/iq4+TSlOOAtV1SSKAlcsuHF077Dp2OoP5el4RBvbOLrhOZc+KPr1 AFUGzVAPuQgUdIkuufHfAZy1q2lECkqn5WnR+6np8fja64vALg/kpxyVWzMuHZ9c SMXU1ixbUSL6VS5GbWmwmfFdMWCnqP7yrsKTjzA0r95YUhbtzcnM1WHrRlUcTkMs 
tja+ge3mDKDRlllqylElt3Ls1V/Dp+NbNdIBfxiXoxPJNyl8DoKDgV+fYgd8Q7Uw NaCXCX+1BqTlmTA27c9yf/x6sHteH45TT+P8H7Vrcv+7R5HJjLCjNzm6OwRXiEYE EBECAAYFAlI5yNoACgkQXXSRabxDCxRJyQCfak7FcKaTI8+pbO4BS4yt82foJDAA n3pHMq0trq01KnQmQR8Egg2dq3ZPuQINBEsdexUBEAC9cmlQgGD3kejG7aECklqI xdRQujLXoY651IPaeB1Euen2/5ODvafd3o4Dm0a/bblwvJp137w0b9LHvru+TBt+ zNB2uLYweYKmzyMMTlm8UcMOj9nRNPhzepDPYWwqPsGFLG1lZlUrgVKp6Ah10CPk k7RofF2PH/EGEYXLMW02GYhaxIujCkBeVbF5zOYJKS/t+TUqXlJUlTk4JhXFbfgR K0JbnMTGI5tttHKyMhFd5aj6GXx1iJpJdbZhc3a8VC7Jo8/Zp27hLcltyEbi9NxV v9KVFAB1dg6Px2OG/iKf5k7nLooykqbMlmOpaOw0G/NUPH07HWoUeiX8tpoSYnhY rhiEh4wY7SwzimuCtT3A54iTpzeK7F+0dL8RcuTRv5GbjTiTeiixCTHJe8mCMb34 IAHMzC8vbVp9vt3Kzo7Sr/+xkpL617qT2JY47qHdczNoOcmJLXcz+jit6o49W5NQ q2F+ZfISFkDn3o1YIqqRfGiJJz+QP4tcCaoZ+/072iGOqLUlmI7QBdFDPQW8fvIg QKj6bcJm3pBuz296E0cvWA3Pf6dvHRiNwGq8e0JoTk9Rpgr+8LLkg7hT2Cfe0Skg ZHaa2pUi1ORIw59eiI8YLiPq0yT3QOpLxxKvbV8ZngrnGDne28ZbnO/9XEZ7Vqmk M6dr8c69s+eDLUdpBS3yTQARAQABiQIfBBgBAgAJBQJLHXsVAhsMAAoJEKVFW0Ll SsR63xEP/AsZZdLGDndI7lNiU+iHwoZqsmPc0VxTEDK972rf7E24wASyNxzORC2D pbHSvZ3ATK79DZO2doQBBDqri7yti3MLXme7PbGvid69z8fo3U0izcK642BB6BR4 nYAii7aoFuDzyZYUd4/70Lp1PiuYLVvc4zqHYxIHYYGqH4nZkjO0qG6yjM8WD/3j 8FtctzKnYqZSMDX03Wr6eKuDrfBSfdMDxwNMNLxBvSkNsVwgNw3u4g1qIMjc0awy 68MI+F9F2Irhdi9Zx+RNGvx5VKIcvu8LETKWExDr0Kh0fJmQ26LzlnJfSEmUMNzh z5Xpan/5Wa3Qra9GgCIiFByK65WCE/n3YS9kAOmikNDFrTgg1AUhRW15yPzoOT8x X4ociT8FAeMBOL0+wgHPDwN0jp/qhYi90TwT1nW3ESfauFtDjLxCGmfv5wrxmBHF rBYFh7mvSqEBNhZDY3KS1bZtIERSUmrDw7zkgve07G2i4hzvt+NJUb7bVwW5Ew/r dHebn9ehuwj/213jQaP27g8mxJwNE1Nqxwpg5wAvBhS5oxytWJeliNaKYeRmFbOg qnvqlf/dYjL7EO7I0bgVx3UUJmDbWW1SGEdxX7C0cJaPSEgDpuDhgPVsRptnZb9Q Vc+ydwXYYmBMdhIhpJl3f4oCjLuBq7T0401pthecmIDwlRPZdjK8 =UVbt -----END PGP PUBLIC KEY BLOCK-----</pre> tag:andatche.com,2012-12-28:/blog/2012/12/new-otr-keys/ New OTR keys 2012-12-28T00:00:00Z 2012-12-28T00:00:00Z <p>I’ve generated new OTR keys for both my Jabber accounts, new fingerprints are as follows.</p> <p>andatche@gmail.com - <code>EB519946 DE62C9E8 B325D928 42525D1E 
BD94395F</code></p> <p>ben@brightbox.co.uk - <code>BE7840F3 06D4F37D F18C945F 33A99318 BB8C674E</code></p> <p>Please (re)verify as required.</p> tag:andatche.com,2012-02-10:/blog/2012/02/fixing-ssl-ca-certificates-with-openssl-from-macports/ Fixing SSL CA certificates with OpenSSL from MacPorts 2012-02-10T00:00:00Z 2012-02-10T00:00:00Z <p>If you’ve installed OpenSSL from <a href="http://www.macports.org/">MacPorts</a> (or anything that depends on it), you’ve probably run into problems verifying SSL certificates in applications built against it.</p> <pre>ben@spud:~$ lftp acc-xxxxx@ftp.library.gb1.brightbox.com
Fatal error: SSL_connect: unable to get local issuer certificate</pre> <pre>ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0</pre> <p>Error 20 (<code>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY</code>) at depth 2 means OpenSSL got as far as the GeoTrust Global CA certificate the server sent and then found nothing locally that issued it. That’s because MacPorts doesn’t provide a CA root certificate bundle package (such as Ubuntu’s <code>ca-certificates</code> package) and in its default configuration the <code>openssl</code> port can’t talk to the OS X keychain, where the system CA certificates are kept, so the trust store it searches is empty.</p> <p>Helpfully, the <a href="http://curl.haxx.se/">cURL</a> project provides its own CA cert bundle we can use, generated from the <a href="http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1">Mozilla root certificates</a>, and it is packaged in MacPorts.</p> <p>Simply install <code>curl-ca-bundle</code>:</p> <pre>sudo port install curl-ca-bundle</pre> <p>Then symlink the bundle to <code>/opt/local/etc/openssl/cert.pem</code>. <code>/opt/local/etc/openssl</code> is the <code>OPENSSLDIR</code> of MacPorts-installed OpenSSL (<code>openssl version -d</code> prints it), and <code>cert.pem</code> in that directory is the default CA file it loads when an application doesn’t configure a trust store of its own.</p> <pre>sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem</pre> <p><strong>EDIT:</strong> As one <a 
href="http://andatche.com/blog/2012/02/fixing-ssl-ca-certificates-with-openssl-from-macports/#comment-710528627">commenter</a> noted, the above step is no longer necessary. MacPorts’ <code>curl-ca-bundle @7.24.0</code> now creates the symlink during installation.</p> <p>Voilà, working CA cert verification! Every certificate in the chain now comes back with <code>verify return:1</code>, right up to the Equifax root, which was found in the bundle.</p> <pre>ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1</pre> tag:andatche.com,2012-02-07:/blog/2012/02/disabling-rfc4941-ipv6-privacy-extensions-in-windows/ Disabling RFC 4941 IPv6 Privacy Extensions in Windows 2012-02-07T00:00:00Z 2012-02-07T00:00:00Z <p><a href="http://www.ietf.org/rfc/rfc4941.txt">RFC 4941</a> defines Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Typically, hosts using IPv6 <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> form an address from the network prefix advertised by the router combined with a modified EUI-64 interface identifier derived from the physical interface’s IEEE MAC address. Because addresses generated this way contain an embedded interface identifier that remains constant over time and across networks (the prefix changes, the identifier does not), it becomes possible to correlate seemingly unrelated activity using this identifier. 
RFC 4941 addresses this by forming addresses from short-lived, randomly generated identifiers instead.</p> <p>The usual way to deploy privacy extensions is to keep the EUI-64 derived address on an interface for inbound connections while using RFC 4941 temporary addresses as the source of outbound connections. This balances privacy against the convenience of a stable, predictable address, and it is the default when RFC 4941 is enabled on Linux or OS X.</p> <p>By default, Windows Vista, Windows 7 and Windows Server 2008 generate random interface IDs for non-temporary autoconfigured IPv6 addresses, including public and link-local addresses, rather than using EUI-64 derived interface IDs.<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup> These random IDs are permanent, so they don’t change, but it is confusing when the EUI-64 derived address you expect a host to have turns out to be unreachable!</p> <p>Thankfully it’s trivial to disable this behaviour: fire up an elevated cmd.exe and issue the following. Bear in mind that this trades the privacy property for predictability, since the interface’s MAC address is once again embedded in every address it autoconfigures.</p> <pre>netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent</pre> <p>Separately, the RFC states that the use of temporary addresses should be disabled by default.</p> <blockquote> <p>The use of temporary addresses may cause unexpected difficulties with some applications. [snip] Consequently, the use of temporary addresses SHOULD be disabled by default in order to minimize potential disruptions. Individual applications, which have specific knowledge about the normal duration of connections, MAY override this as appropriate.</p> </blockquote> <p>Windows Vista and Windows 7 ignore this advice and also configure temporary global or unique local addresses as per RFC 4941 (OS X has done the same since 10.7). 
This behaviour is disabled by default on Windows Server 2008.</p> <p>To disable privacy extensions entirely, fire up cmd.exe and issue the following.</p> <pre>netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent</pre> <p>The changes take effect immediately, without a reboot, and the <code>store=persistent</code> form makes them survive one. You can confirm the settings with <code>netsh interface ipv6 show global</code> and <code>netsh interface ipv6 show privacy</code>, and check the addresses that result with <code>netsh interface ipv6 show addresses</code>.</p> <div class="footnotes"> <ol> <li id="fn:1"> <p><a href="http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx">The Cable Guy: IPv6 Autoconfiguration in Windows Vista</a><a href="#fnref:1" rel="reference">&#8617;</a></p> </li> </ol> </div> tag:andatche.com,2012-01-13:/blog/2012/01/now-with-nanoc/ Now with Nanoc! 2012-01-13T00:00:00Z 2012-01-13T00:00:00Z <p>For a while now, I’ve been meaning to take a look at <a href="http://nanoc.stoneship.org/">Nanoc</a>. For the uninitiated, it’s a static [web]site generator written in Ruby.</p> <blockquote> <p>nanoc is a tool that runs on your local computer and compiles documents written in formats such as Markdown, Textile, Haml… into a static web site consisting of simple HTML files, ready for uploading to any web server.</p> </blockquote> <p>The idea is to replace the server-side smarts of a content management system with a ‘one-shot’ compilation process to static HTML each time something changes, while keeping the convenience of templating, pagination, feeds, markup filtering, dynamic content etc. This has several advantages: there is no server-side application to attack (no CMS code to suffer SQL injection or the like), no need for language runtimes on the web server, great performance and simple deployment. It does however mean any run-time dynamic behaviour must be done solely client-side, so the JavaScript you ship and any third-party embeds you include are the attack surface that remains.</p> <p>Previously, when building simple sites I’ve often relied on <a href="http://wordpress.org/">Wordpress</a>, of which I’ve never been a huge lover, as it was the path of least resistance. 
The frequent security issues and the need to write and run PHP are a hassle, however, and I’ve been looking for a better solution for a while.</p> <p>I finally found some time over Christmas to get started with Nanoc and I’ve since rewritten this site using it, with a new, cleaner layout and some HTML5 goodness to boot. It’s still a work in progress but I’ve got most of what I need working now, including blogging (archive generation, Atom feeds, tags, comments etc.), static asset management, sitemap generation and simple deployment. Nanoc provides some of these features out of the box but a few of them require extending Nanoc by writing <a href="http://nanoc.stoneship.org/docs/4-basic-concepts/#helpers" title="Nanoc helpers">helpers</a>, which thankfully is <a href="http://nanoc.stoneship.org/docs/5-advanced-concepts/#writing-helpers" title="Writing Nanoc helpers">very easy</a>. I took some inspiration from the <a href="https://github.com/brightbox/brightbox-nanoc-helpers">Brightbox Nanoc Helpers</a> gem and wrote some helpers to provide the functionality I need, which I’ll detail in future posts and release in due course.</p> <p>Content is written in <a href="http://daringfireball.net/projects/markdown/">Markdown</a> and/or erb and processed using the <a href="http://kramdown.rubyforge.org">kramdown</a> filter, while the layouts are written in erb. Compilation and deployment are handled by a simple set of rake tasks that build the static HTML and use rsync+ssh to copy it to the webserver. I’ve made use of Twitter’s <a href="http://twitter.github.com/bootstrap/">Bootstrap CSS</a> library and <a href="http://jquery.com/">jQuery</a> as a foundation for the layout, styling and typography. Blog comments are provided using <a href="http://disqus.com">Disqus</a> and I use <a href="http://git-scm.com/">git</a> for version control of the whole thing. 
The code is on <a href="https://github.com/andatche/andatche.com">Github</a>.</p> <p>I still have a couple of things to work out, like full-text searching and how best to enable blogging on the go (phone, iPad etc.), but I have some ideas in mind (using Dropbox, Linux’ inotify and git post-commit hooks).</p> tag:andatche.com,2011-04-19:/blog/2011/04/pxe-booting-servers-on-brightbox-cloud/ PXE booting servers on Brightbox cloud 2011-04-19T00:00:00Z 2011-04-19T00:00:00Z <p>I’ve been playing with PXE booting servers on the <a href="http://beta.brightbox.com/beta">Brightbox cloud</a> over the last few days, which is rather cool! It’s also incredibly useful for building OS images which can be snapshotted and registered for later use. It’s quite simple really; here’s a quick guide.</p> <p>If you haven’t already, go ahead and register for the cloud beta, read through the docs about getting started and make yourself familiar with the basics of the command line client.</p> <p>First let’s build a new server to PXE boot using the command line client.</p> <pre>ben@spud:~$ brightbox-servers create -n "PXE Boot" img-2ab98
INFO: client_id: ben
Creating a nano (typ-4nssg) server with image Ubuntu Lucid 10.04 server (img-2ab98)

 id         status    type  zone   created_on  image_id   cloud_ips  name
------------------------------------------------------------------------------
 srv-m1tgj  creating  nano  gb1-b  2011-04-18  img-2ab98             PXE Boot
------------------------------------------------------------------------------</pre> <p>It doesn’t really matter which image you choose at this point: if you’re PXE booting an installer it’s likely you’ll be erasing and repartitioning the disk anyway (there’ll be some blank images available soon). If you’re intending to snapshot the server for registration as a machine image later, it’s best to use the smallest disk possible, as this will be the minimum required for your image later on. 
In this case we’re using a nano, the default, with a 20GB disk.</p> <p>Once the server has finished creating, activate its web-based console so we can get to the POST screen.</p> <pre>ben@spud:~$ brightbox-servers activate_console srv-m1tgj
INFO: client_id: ben
Activating console for server srv-m1tgj

 url                                          token     expires
-----------------------------------------------------------------------------
 https://srv-m1tgj.console.gb1.brightbox.com  mk6rr2z8  2011-04-18T23:33:12Z
-----------------------------------------------------------------------------</pre> <p>The URL and token together are the credential for the console until the expiry shown, so treat them like a password: anyone holding them gets a screen and keyboard on a server that is about to boot an installer.</p> <p>Fire up your web browser and log in to the console. Once logged in, hit the “Send CtrlAltDel” button in the right hand corner and wait for the machine to reboot. During the POST, hit Ctrl-B when you see “Press Ctrl-B to configure gPXE” to start <a href="http://etherboot.org/wiki/start">gPXE</a>.</p> <p><img class="centered" title="Brightbox PXE boot console" src="/assets/img/blog/2011/console.png" alt="Brightbox PXE boot console" /></p> <p>gPXE is a GPL’d replacement for proprietary PXE boot ROMs with lots of nice features, including the ability to boot over HTTP, which we’re going to make use of here.</p> <p>There are a number of choices when it comes to deciding exactly what to boot from here; I’ll cover three options that are useful for image building.</p> <ul> <li>Booting a preprepared initrd and kernel image</li> <li>Booting an ISO with memdisk</li> <li>Chain loading with <a href="http://www.netboot.me/">netboot.me</a></li> </ul> <p>Before we do anything else though, we need to get network connectivity inside the gPXE environment. 
We can make use of DHCP to configure everything for us automatically.</p> <pre>gPXE&gt; dhcp net0</pre> <p>Now we’re ready to boot something.</p> <h3>Booting a preprepared initrd and kernel image</h3> <p>A number of Linux distributions provide initrd and kernel images that are preprepared for PXE booting into an installer or rescue environment, including Debian, Ubuntu, RHEL, the System Rescue CD and many others. This is particularly easy with Red Hat derived distributions; here we’ll boot the Scientific Linux 6.0 installer, though the same procedure could easily be used for CentOS, Fedora, RHEL etc.</p> <p>Most Red Hat derivatives provide the required kernel and initrd on their download mirrors, usually under <code>os/images/pxeboot/</code> in the directory for the desired version and architecture. Go ahead and browse the mirror of your favourite RH clone, locate the vmlinuz and initrd.img for your preferred version and architecture and make a note of their URLs, in this case</p> <p><code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz</code> <code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img</code></p> <p>Next, we need to tell gPXE where to find our kernel and initrd.</p> <pre>gPXE&gt; kernel http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz
&gt; http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz..........
gPXE&gt; initrd http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img
&gt; http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img...............
..................................................</pre> <p>Bear in mind that gPXE fetches these over plain HTTP with no integrity check, so anything on the path between the server and the mirror could hand it a different kernel or initrd. For a throwaway install that is a tolerable risk; for an image you intend to snapshot and reuse, fetch the pxeboot files onto a machine you control, check them against the checksums the distribution publishes, and serve them from there.</p> <p>It can take quite a long time for them to download, particularly if the initrd.img is large; gPXE’s TCP stack isn’t really tuned for performance. 
It’s generally a lot quicker if you use a mirror that’s geographically close (to the UK in this case); latency seems to have a huge impact. Anyway, once the downloads have finished, we’re ready to boot!</p> <pre>gPXE&gt; boot</pre> <p><img class="centered" src="/assets/img/blog/2011/anaconda.png" alt="Anaconda, installing Scientific Linux 6.0" title="Anaconda, installing Scientific Linux 6.0" /></p> <p>If everything has gone to plan, you should see the kernel boot messages scrolling by and then the anaconda installer starting up. Success!</p> <p>Now it’s just a case of completing the installation procedure and rebooting into your new install. In the case of RH derivatives, anaconda will ask a few simple questions on language and keyboard layout before asking “What type of media contains the installation image?” To keep the PXE boot initrd small, it doesn’t include everything required to complete the installation, so we need to tell anaconda where to find the rest of what it needs. Choose the URL option, then complete the network configuration options; when asked for the URL, enter the path of the <code>os/</code> directory on the mirror we used previously, in this case <code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os</code>.</p> <p>That’s it! Go and make a coffee while you wait for the installation to complete.</p> <h3>Booting an ISO with memdisk</h3> <p>Not all operating systems are kind enough to provide native PXE boot support. Often, the only available installation media for an OS is a CD/DVD or ISO image, particularly in the case of Microsoft Windows. Unfortunately PXE does not support booting from an ISO natively (boo!).</p> <p><img class="centered" src="/assets/img/blog/2011/debian.png" alt="Debian Installer" title="Debian Installer" /></p> <p>Never fear, <a href="http://syslinux.zytor.com/wiki/index.php/MEMDISK">memdisk</a> to the rescue! Memdisk, from the SYSLINUX project, is designed to allow booting legacy operating systems. 
“MEMDISK can boot floppy images, hard disk images and some ISO images.” Unfortunately memdisk’s support for booting ISOs is somewhat <a href="http://syslinux.zytor.com/wiki/index.php/MEMDISK#INT_13h_access:_Not_all_images_will_boot_completely.21">limited</a>, so YMMV. Here, we’ll boot the Debian netboot installer ISO.</p> <p>There are a few things to bear in mind when choosing an ISO to boot. Memdisk loads the entire ISO into a RAM disk before booting, so you need a server with enough RAM to hold the whole ISO and still leave enough free memory for the installation to complete successfully. A large DVD ISO will require <strong>lots</strong> of memory! Also, as previously mentioned, gPXE’s TCP stack is not tuned for performance, so downloading a large ISO can take a <strong>very</strong> long time! Using a fast, geographically close mirror will help.</p> <p>First though, we need a PXE bootable memdisk! The nice folks at <a href="http://www.slitaz.org/en/">SliTaz GNU/Linux</a> provide just such a thing on their download mirror at <code>http://distro.ibiblio.org/slitaz/pxe/memdisk</code>, which we’ll make use of.</p> <p>Tell gPXE to use the memdisk image as the kernel to boot.</p> <pre>gPXE&gt; kernel http://distro.ibiblio.org/slitaz/pxe/memdisk
&gt; http://distro.ibiblio.org/slitaz/pxe/memdisk..............</pre> <p>Next, we tell gPXE to use the ISO we’d like to boot as the initrd. In this case we’re using the Debian netboot ISO from <code>http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso</code></p> <pre>gPXE&gt; initrd http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso
&gt; http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso.......
...........................................................................</pre> <p>Now is probably a good time to go and make coffee while you wait for the ISO to download. Once it’s finished, we’re ready to boot!</p> <pre>gPXE&gt; boot</pre> <p>If the ISO is supported and everything has worked correctly, it should now be booting!</p> <h3>Chain loading with netboot.me</h3> <p>As ever, I’ve saved the easiest option until last! :) <a href="http://www.netboot.me/">netboot.me</a> is an awesome service that “allows you to boot nearly any operating system or utility on any computer with a wired internet connection.” They provide a custom built PXE environment which includes an easy-to-navigate menu system offering the ability to boot a number of games, OS installers, live OSes and system tools over the internet with little effort.</p> <p>The best thing is, we can chain load the netboot.me PXE environment over HTTP directly from gPXE with a single command! The PXE environment is available via HTTP at <code>http://static.netboot.me/gpxe/netbootme.kpxe</code>, so all we have to do is tell gPXE to chain load it.</p> <pre>gPXE&gt; chain http://static.netboot.me/gpxe/netbootme.kpxe
&gt; http://static.netboot.me/gpxe/netbootme.kpxe.................</pre> <p>gPXE will download and boot the netboot.me environment; after waiting a few seconds for netboot.me to start you should be presented with the main menu, which is fairly self-explanatory. Time to reward yourself with a game of nethack! :)</p> <p>Convenient as this is, chain loading hands the rest of the boot to code fetched unauthenticated from a third party, and everything that menu installs is fetched the same way. It’s ideal for experiments and rescue work; an image you’ll snapshot and build production servers from deserves media you have verified yourself.</p> <p><img class="centered" src="/assets/img/blog/2011/netboot.me_.png" alt="netboot.me menu" title="netboot.me menu" /></p> <h3>Finishing off</h3> <p>So, you’ve finished installing your shiny new OS, but what to do now?! 
Before customising anything on the fresh installation, you might want to take a snapshot of the server to use for building new servers in future; certainly a lot quicker than PXE booting!</p> <p>(NOTE: You may need to make some alterations to the image after installing and before snapshotting if you want to use the snapshot for building new servers later. Often things like networking config and hostname are configured statically during the installation procedure, and these will need to be changed or removed. The same goes for anything secret the installer left behind: every server built from the snapshot will otherwise share the same SSH host keys, the same root password and any keys you added, so regenerate the host keys and strip credentials before you snapshot.)</p> <p>First, we’ll take a snapshot of the server.</p> <pre>ben@spud:~$ brightbox-servers snapshot srv-m1tgj
INFO: client_id: ben
Snapshotting server srv-m1tgj</pre> <p>Next, we need to find the id of the newly created snapshot.</p> <pre>ben@spud:~$ brightbox-images list
...
 img-o031h  acc-vhba2  snapshot  2011-04-19  creating  20480  Snapshot of srv-m1tgj 19 Apr 13:16 (i686)</pre> <p>Once the snapshot has finished creating, the <code>/images</code> directory of your account’s FTP library will contain a gzipped copy of the snapshot, in this case <code>img-o031h.gz</code>. You can go ahead and start building servers from the snapshot using its id right away!</p> <pre>ben@spud:~$ brightbox-servers create img-o031h</pre> <h3>Conclusion</h3> <p>I’ve covered some of the basic aspects of PXE booting using gPXE on the Brightbox cloud here, which should be enough for OS installation and system rescue. There are also lots of things I haven’t covered; it’s possible to do many weird and wonderful things with gPXE that are beyond the scope of this post, perhaps I’ll cover them in the future. ;)</p> tag:andatche.com,2011-01-05:/blog/2011/01/er-welcome-back/ Er, welcome back! 2011-01-05T00:00:00Z 2011-01-05T00:00:00Z <p>In a hasty decision to better organise my online life for the new year and encourage me to blog a bit more, I’ve finally got round to getting some sort of website back online. 
2010 brought lots of new-then-quickly-abandoned projects I’d like to resurrect; I’m hoping that talking/blogging about them will help me stay interested and perhaps raise a bit of interest in some of them from other people. How successful this will be remains to be seen!</p>
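<p>For the key revocation post at the top of the page: before replacing <code>BC430B14</code> in a keyring, a reader wants to confirm two things about the block above: that it really has the fingerprint the post quotes, and that the new key was certified by the old key before the old one was revoked, which is the usual evidence of a genuine transition rather than a substituted key. <code>gpg --import</code> followed by <code>gpg --fingerprint</code> and <code>gpg --list-sigs</code> answers both; the Python below, an added example and not the author’s code, derives the same answers from the raw packets so you can see where those values come from. It embeds only the first 1209 bytes of the key block (the primary key packet, the first user ID and the two certifications on it), transcribed from the page, and handles the old-format packets GnuPG 1.4 writes.</p>

```python
import base64, hashlib, struct

# First 1209 bytes of the key block quoted in the post (primary key packet, first user ID
# and its two certifications), transcribed from the page.
KEY_BLOCK_PREFIX = """
mQINBEsdexUBEADPIC5t0+TyOwEYAhpG3VYArTQGpqiHqhg7WbJTcY51/KCPpWI6
Pyxu0VXVBQCl9x68Y/6parZ2m7MFnYd0dePs45R6ttWQr3RV6r2Ygh7ODTEVINg3
51GjqMauHj0fScfGaSG6vdBTw0kYNgtKBdOxK1enrawDmEkt5BkKQGlRPGQX/d/y
WcRvcMCKg/6O3LjVXYvc3w+63Z0eDYz74WcVTUPaJU0lI2tOBUFIXTMEJgYLZIzf
AX6M/Td7JE2rQ/0dxU/YMfXtfouM2zMbQ9ChLgb9boCTss4K9WYhO+p1qZVZZQsF
UugxGYgm89MbDluRyO4G329aI5NP8sAefDSDJ8aTYQoTfx/VuSpGfdLtvbBWWCGJ
6LAG1fnTR1GgmABJkRlBzi/tajSBNi6QNPPVvDVjAEasORACe5Glq3o5e9/I/V+t
3XyESYDli24akFDnCo0mayt6D80C11U/vlxgHTzaHR9PZsVZmw3YsH8u/EyJtqp9
V9Jy0beXj/LvTgWbL6aUgVTDV5V/qJWUtOWQM74TQRbDVhwGYWo47RuLirXM/6Bd
FeWKK0DF3ToXWeuLtRGk/GF14ympa/Z7iIU0joQrxRRvXWCu73CtsCsULaOjKHDf
R6o2s29yUnyFCeRffhkZmRORxdh32hHmOrUofeG5TUygbl7vyYla+UYePQARAQAB
tCNCZW4gQXJibGFzdGVyIDxiZW5AYnJpZ2h0Ym94LmNvLnVrPokCOQQTAQIAIwIb
AwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJSOcTkAhkBAAoJEKVFW0LlSsR64AgP
/jvzdcrHoPNFrTEnVygU+2iX8iC+pY2G242cGgFKTXhU9U4lkRcMMy6L1BBFHFBH
RDAmGyVhQOqPz1U70PVYD03GoExsJwAM8Mry8MBUsJB6iUiXpCZdj4lASHaHn219
dTj+/f1VHTSesBGvs1882zfSH6Wy4bgFZoN3vxXcNfq/kbcXqEQ03dOOPpyvMmLb
7g1DN5Eq8PehUcYNbmxVjd5zUNaFnGCHu82nJDk6gVPVAsMaItmMuu6bAgHtJ81R
UC1nvH77k3FTUsSpn1rr4LBqYEfm0vCLvR5Iiqh4G/UKSrzk946VErD/u4vHATBE
iZGA431ROcL02bGynAihBUE1v+Cgvkqfaad75PJ/yOgCx/2C3bJYlNN9T1ngfT0v
LPy5FGp+/4CP0BK3VxfDVynXpgqu1AXgdzumblp+9i8K633hm7o723galP6SGhMf
21BA+mOpFTHUR7UwhcJ3YToNA8WU42b7GD56XL4EutFKsp8CNGQVfWXzSr+63NHA
1mtUt/oGyK0kGcXJiBReErIplZUusIuVEnnbXLG34Qr59qvAhsyQf+wHVG1v2dUt
kYzDrBpYL2Lx6XgxBhjT5n3w1o/10DzKOI979+zGysWzyLqdJcT4B2iU51mO/p9b
4qhrXzh6L6f8dXyNKJKNlAxExWX5CG7uAFWRDwkYOPJXiEYEEBECAAYFAlI5yMEA
CgkQXXSRabxDCxQsswCgjn3nHIqke+8RSltKFbMEUmTssZ0AnjrmWktppkoVHZIX
jQZ8bvZpwNCx
"""
OLD_KEY_ID = "5D749169BC430B14"                                # BC430B14, now revoked
NEW_FINGERPRINT = "7A25B9CBD644A3F55615B193A5455B42E54AC47A"  # as quoted in the post

def iter_packets(data):
    """Yield (tag, body) for old-format packets, as GnuPG 1.4 exports them (RFC 4880 4.2.1)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
            raise ValueError("unsupported packet header 0x%02x at offset %d" % (ctb, i))
        tag, hdr = (ctb >> 2) & 0x0F, (2, 3, 5)[ctb & 0x03]   # 1-, 2- or 4-byte length
        length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def parse_public_key(body):
    """RFC 4880 12.2: the v4 fingerprint is SHA-1 over 0x99, a two-byte length and the body."""
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"version": body[0], "created": struct.unpack(">I", body[1:5])[0],
            "algo": body[5], "bits": struct.unpack(">H", body[6:8])[0],  # algo 1 = RSA
            "fingerprint": fp, "keyid": fp[-16:]}

def iter_subpackets(area):
    """Yield (type, value) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, hdr = int.from_bytes(area[i + 1:i + 5], "big"), 5
        sub = area[i + hdr:i + hdr + length]
        yield sub[0] & 0x7F, sub[1:]                  # top bit of the type byte is 'critical'
        i += hdr + length

def parse_signature(body):
    """Type, algorithms, creation time and issuer key ID of a v4 signature packet."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    subpackets = list(iter_subpackets(body[6:6 + hlen])) + list(iter_subpackets(body[8 + hlen:8 + hlen + ulen]))
    sig = {"type": body[1], "pk_algo": body[2], "hash_algo": body[3], "issuer": None, "created": None}
    for stype, value in subpackets:
        if stype == 16:                               # issuer key ID (GnuPG keeps it unhashed)
            sig["issuer"] = value.hex().upper()
        elif stype == 2:                              # signature creation time
            sig["created"] = struct.unpack(">I", value)[0]
    return sig

def inspect_key(armored_body=KEY_BLOCK_PREFIX):
    """Primary key plus each user ID with the certifications attached to it."""
    data = base64.b64decode("".join(armored_body.split()))
    key, uids = None, []
    for tag, body in iter_packets(data):
        if tag == 6:                                  # public-key packet
            key = parse_public_key(body)
        elif tag == 13:                               # user ID packet
            uids.append({"uid": body.decode("utf-8"), "certs": []})
        elif tag == 2 and uids:                       # certification on the preceding user ID
            uids[-1]["certs"].append(parse_signature(body))
    return key, uids

def transition_check(old_key_id=OLD_KEY_ID, expected_fp=NEW_FINGERPRINT):
    """What a keyring owner wants to know before replacing the revoked key with this one."""
    key, uids = inspect_key()
    certs = [c for u in uids for c in u["certs"]]
    return {"fingerprint": key["fingerprint"],
            "fingerprint_matches_post": key["fingerprint"] == expected_fp,
            "self_certified": any(c["issuer"] == key["keyid"] for c in certs),
            "certified_by_old_key": any(c["issuer"] == old_key_id and 0x10 <= c["type"] <= 0x13
                                        for c in certs)}
```

<p>Running <code>transition_check()</code> on the embedded prefix shows a 4096-bit RSA key created in December 2009 whose first user ID carries a positive self-certification (type 0x13) and a generic certification (type 0x10) issued by <code>5D749169BC430B14</code>, the revoked DSA key; both were made in September 2013, when the post went up. The fingerprint comparison is the part you must still do against an out-of-band copy, since a key block and the post quoting it could have been replaced together.</p>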
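<p>For the MacPorts OpenSSL post: the two <code>s_client</code> transcripts in it are the whole diagnostic, so this added example (not the author’s code) turns them into checks you can script. <code>parse_verify_callbacks</code> reads the verify-callback lines <code>s_client</code> prints, <code>missing_issuer</code> names the certificate whose issuer could not be found when the error is X509 code 20, <code>default_verify_paths</code> asks the Python <code>ssl</code> module (which wraps the same OpenSSL defaults) where this build looks for its CA file and directory, and <code>count_trusted_cas</code> reports how many CA certificates a bundle actually yields. The two transcripts are constructed copies of the post’s output.</p>

```python
import os
import re
import ssl

# Verify-callback output of the two s_client runs in the post, copied as constructed samples.
BROKEN_RUN = """CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
"""
FIXED_RUN = """CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1
"""

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20   # the "num=20" in the broken run

DEPTH_LINE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_LINE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_verify_callbacks(transcript):
    """One record per certificate the verify callback reported, outermost (highest depth) first."""
    records, current = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = DEPTH_LINE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2), "error": None}
            records.append(current)
            continue
        m = ERROR_LINE.match(line)
        if m and current is not None:
            current["error"] = (int(m.group(1)), m.group(2))
    return records


def chain_verified(transcript):
    """True only if every certificate in the chain came back without a verify error."""
    records = parse_verify_callbacks(transcript)
    return bool(records) and all(r["error"] is None for r in records)


def missing_issuer(transcript):
    """Subject of the certificate whose issuer was not in the local trust store, or None.
    That subject tells you which root (or intermediate) the store is missing."""
    for r in parse_verify_callbacks(transcript):
        if r["error"] and r["error"][0] == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
            return r["subject"]
    return None


def default_verify_paths():
    """Where this OpenSSL build looks for CAs when the application configures nothing:
    OPENSSLDIR/cert.pem and OPENSSLDIR/certs, unless SSL_CERT_FILE / SSL_CERT_DIR override them."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.openssl_cafile,
            "cafile_exists": bool(p.openssl_cafile) and os.path.isfile(p.openssl_cafile),
            "capath": p.openssl_capath,
            "capath_exists": bool(p.openssl_capath) and os.path.isdir(p.openssl_capath),
            "cafile_env": p.openssl_cafile_env, "capath_env": p.openssl_capath_env}


def count_trusted_cas(cafile):
    """How many CA certificates OpenSSL actually loads from a bundle; None if it can't be read.
    An empty or unreadable bundle reproduces the 'unable to get local issuer certificate' error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (OSError, ssl.SSLError):
        return None
    return ctx.cert_store_stats()["x509_ca"]
```

<p>On a MacPorts box with the symlink in place, <code>default_verify_paths()</code> should report <code>/opt/local/etc/openssl/cert.pem</code> as an existing cafile and <code>count_trusted_cas</code> on it should return a count in the hundreds; <code>None</code>, zero, or a cafile that does not exist is the broken state the post starts from. Note that <code>-CApath</code> on its own expects a directory of hash-named certificates, so the post’s fix works because <code>cert.pem</code> in <code>OPENSSLDIR</code> is picked up as the default CA file regardless.</p>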
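<p>For the RFC 4941 post: an added example (not the author’s code) of what that post calls the EUI-64 derived address, which is where you expect to find a Windows host once <code>randomizeidentifiers</code> is disabled, together with the reverse check that shows why the privacy extensions exist: an address that embeds a MAC gives the interface away under every prefix it ever uses. The MAC address and prefixes are constructed values.</p>

```python
import ipaddress


def modified_eui64_iid(mac):
    """RFC 4291 appendix A: split the 48-bit MAC, insert ff:fe, and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """The address SLAAC forms from a /64 prefix when identifiers are not randomised;
    with randomizeidentifiers disabled this is where you should find the host."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64_iid(mac))


def embedded_mac(address):
    """MAC address embedded in an EUI-64 derived IPv6 address, or None if the identifier
    lacks the ff:fe marker. The marker is a strong hint rather than proof: an RFC 4941
    random identifier can contain ff:fe in that position by chance."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return ":".join("%02x" % x for x in bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8])


def same_interface(addr_a, addr_b):
    """The correlation the post warns about: two addresses under different prefixes (a
    link-local and a global one, or two networks a laptop visited) that embed the same
    MAC belong to the same interface, however unrelated the traffic looks."""
    mac_a, mac_b = embedded_mac(addr_a), embedded_mac(addr_b)
    return mac_a is not None and mac_a == mac_b
```

<p><code>eui64_address("2001:db8::/64", "00:1a:2b:3c:4d:5e")</code> gives <code>2001:db8::21a:2bff:fe3c:4d5e</code>, and <code>embedded_mac</code> recovers the MAC from it or from the matching link-local <code>fe80::21a:2bff:fe3c:4d5e</code>; a randomised identifier such as <code>c9b4:1e23:77a0:5d1f</code> yields nothing to correlate.</p>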