<h2>PGP key BC430B14 revoked</h2>
<p>Ben Arblaster, <a href="http://andatche.com/">andatche.com</a>, 2013-09-18</p>
<p>I have revoked my PGP key <code>BC430B14</code> (fingerprint <code>58A8 46A9 8CC1 792F 2028 9D2B 5D74 9169 BC43 0B14</code>), which has been superseded by key <code>E54AC47A</code> (fingerprint <code>7A25 B9CB D644 A3F5 5615 B193 A545 5B42 E54A C47A</code>). Please update your keyrings as necessary.</p>
<pre>-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org

=UVbt
-----END PGP PUBLIC KEY BLOCK-----</pre>
<h2>New OTR keys</h2>
<p>Published 2012-12-28</p>
<p>I’ve generated new OTR keys for both my Jabber accounts; the new fingerprints are as follows.</p>
<p>ben@andatche.com - <code>9AB4973E EFBBFFC3 06A41E17 D6A82F1C 6027AF5F</code></p>
<p>ben@brightbox.co.uk - <code>BE7840F3 06D4F37D F18C945F 33A99318 BB8C674E</code></p>
<p>Please (re)verify as required.</p>
<h2>Fixing SSL CA certificates with OpenSSL from MacPorts</h2>
<p>Published 2012-02-10</p>
<p>If you’ve installed OpenSSL from <a href="http://www.macports.org/">MacPorts</a> (or anything that depends on it), you’ve probably come across issues with verifying SSL certificates in applications built against it.</p>
<pre>ben@spud:~$ lftp acc-xxxxx@ftp.library.gb1.brightbox.com
Fatal error: SSL_connect: unable to get local issuer certificate</pre>
<pre>
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
</pre>
<p>That’s because MacPorts doesn’t provide a CA root certificate bundle package (such as the <code>ca-certificates</code> Ubuntu package) and in its default configuration the <code>openssl</code> package can’t talk to the OS X keychain, where the system CA certificates are kept.</p>
<p>Helpfully, the <a href="http://curl.haxx.se/">cURL</a> project provides its own CA cert bundle we can use, generated from the <a href="http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1">Mozilla root certificates</a>, which is available in MacPorts.</p>
<p>Simply install <code>curl-ca-bundle</code>:</p>
<pre>
sudo port install curl-ca-bundle
</pre>
<p>Then symlink the bundle into <code>/opt/local/etc/openssl</code>, the default CApath for MacPorts-installed OpenSSL.</p>
<pre>
sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
</pre>
<p><strong>EDIT:</strong> The above step is no longer necessary. MacPorts’ <code>curl-ca-bundle @7.24.0</code> now creates the symlink during installation.</p>
<p>Voilà, working CA cert verification!</p>
<pre>ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1</pre>
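<p>The failure at the top of this post comes down to whether the CApath actually contains a trust store. The script below is an added example, not code from the original post or from MacPorts: it checks a directory for a <code>cert.pem</code> bundle or <code>c_rehash</code>-style hashed links and reports how many CA certificates it found, so a missing bundle can be recognised before the application built on top of OpenSSL is debugged. The function names are mine; <code>/opt/local/etc/openssl</code> is the MacPorts default CApath named above.</p>

```shell
#!/bin/sh
# Added example (not from the original post): check whether an OpenSSL
# trust directory (the CApath, /opt/local/etc/openssl for MacPorts) holds
# a usable CA bundle, so "unable to get local issuer certificate" can be
# diagnosed at the trust-store level first.

# Print the number of PEM certificates in a bundle file (0 if it is missing).
count_pem_certs() {
  if [ -f "$1" ]; then
    # grep -c still prints the count when it is 0 but exits 1; keep the
    # count and ignore that status.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
  else
    echo 0
  fi
}

# Return 0 when the directory has a non-empty cert.pem bundle or at least
# one hashed CA link of the form <8 hex digits>.0 (as created by c_rehash);
# return 1 otherwise, with a message naming the symptom to expect.
check_trust_dir() {
  dir="$1"
  n=$(count_pem_certs "$dir/cert.pem")
  if [ "$n" -gt 0 ]; then
    echo "$dir/cert.pem: $n CA certificate(s) available"
    return 0
  fi
  for link in "$dir"/????????.0; do
    if [ -e "$link" ]; then
      echo "$dir: hashed CA links present"
      return 0
    fi
  done
  echo "$dir: no CA bundle found (expect 'unable to get local issuer certificate' from openssl s_client)"
  return 1
}

# Usage: sh check_capath.sh /opt/local/etc/openssl
if [ "$#" -ge 1 ]; then
  check_trust_dir "$1"
fi
```

<p>If the check passes but <code>s_client</code> still fails, the remaining suspects are a bundle that is present but stale, or an application linked against a different OpenSSL with its own compiled-in directory (<code>openssl version -d</code> prints the one the <code>openssl</code> binary itself uses).</p>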
<h2>Disabling RFC 4941 IPv6 Privacy Extensions in Windows</h2>
<p>Published 2012-02-07</p>
<p><a href="http://www.ietf.org/rfc/rfc4941.txt">RFC 4941</a> defines a series of Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Typically, hosts using IPv6 <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> configure an address using the network prefix advertised by the router in combination with the EUI-64 IEEE interface identifier (MAC address) of the physical interface. Because addresses generated using <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> contain an embedded interface identifier, which remains constant over time, it becomes possible to correlate seemingly unrelated activity using this identifier. RFC 4941 aims to address this by using short-lived, randomly generated identifiers to form addresses instead.</p>
<p>When using privacy extensions, it’s typical to keep the EUI-64 derived address on an interface for inbound connections while using RFC 4941 temporary addresses when establishing outbound connections. This offers a balance between privacy and the convenience of static addressing and is the default when using RFC 4941 on Linux or OS X.</p>
<p>By default, Windows Vista, Windows 7 and Windows Server 2008 generate random interface IDs for non-temporary autoconfigured IPv6 addresses, including public and link-local addresses, rather than using EUI-64 derived interface IDs.<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup> While these are permanent and so don’t change, it leads to potential confusion when a host’s expected EUI-64 derived address is unreachable!</p>
<p>Thankfully it’s trivial to disable this behaviour: fire up cmd.exe and issue the following.</p>
<pre>
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
</pre>
<p>In addition to this, the RFC states that the use of temporary addresses should be disabled by default.</p>
<blockquote>
<p>The use of temporary addresses may cause unexpected difficulties with
some applications. [snip]
Consequently, the use of temporary addresses SHOULD be disabled by
default in order to minimize potential disruptions. Individual
applications, which have specific knowledge about the normal duration
of connections, MAY override this as appropriate.</p>
</blockquote>
<p>Windows Vista and Windows 7 ignore the advice of the RFC and also configure temporary global or unique local addresses as per RFC 4941 (<strong>EDIT:</strong> OS X also does this since 10.7, so do many Linux distros). This behaviour is disabled by default on Windows Server 2008.</p>
<p>To disable privacy extensions entirely, fire up cmd.exe and issue the following.</p>
<pre>
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
</pre>
<p>The changes take immediate effect without needing to reboot, and they’ll also persist after a reboot.</p>
<div class="footnotes">
<ol>
<li id="fn:1">
<p><a href="http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx">The Cable Guy: IPv6 Autoconfiguration in Windows Vista</a><a href="#fnref:1" rel="reference">↩</a></p>
</li>
</ol>
</div>
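<p>The following is an added example, not code from the original post, illustrating the addressing mechanism the post describes: it derives the modified EUI-64 interface identifier from a MAC address, forms the SLAAC address a host would configure from it, and checks whether a given address carries the <code>ff:fe</code> marker of an EUI-64 derived identifier (the property that makes such addresses correlatable across networks) or a randomized one of the kind Windows uses by default. The MAC address, the prefix and the function names are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not from the original post: modified EUI-64 derivation and
# a check for EUI-64 derived IPv6 addresses. Pure POSIX sh, no network access.

# Print the modified EUI-64 interface ID (four colon groups) for a 48-bit MAC.
# Accepts "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff" in either case.
eui64_from_mac() {
  mac=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
  [ "${#mac}" -eq 12 ] || return 1
  o1=$(printf '%s' "$mac" | cut -c1-2)
  o2=$(printf '%s' "$mac" | cut -c3-4)
  o3=$(printf '%s' "$mac" | cut -c5-6)
  o4=$(printf '%s' "$mac" | cut -c7-8)
  o5=$(printf '%s' "$mac" | cut -c9-10)
  o6=$(printf '%s' "$mac" | cut -c11-12)
  # Flip the universal/local bit (0x02) of the first octet and insert ff:fe
  # between the OUI and the device-specific half (RFC 4291, Appendix A).
  o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
  printf '%s%s:%sff:fe%s:%s%s\n' "$o1" "$o2" "$o3" "$o4" "$o5" "$o6"
}

# Combine a /64 prefix written as its first four groups (e.g. 2001:db8:1:0)
# with the EUI-64 ID to show the address a SLAAC host would configure.
# Leading zeros are kept, which is a valid textual form of the address.
slaac_address() {
  iid=$(eui64_from_mac "$2") || return 1
  printf '%s:%s\n' "$1" "$iid"
}

# Return 0 if the address looks EUI-64 derived: the two middle groups of the
# interface ID carry the ff:fe marker. Leading zeros may have been dropped in
# the text form ("02ff" may appear as "2ff"). Assumes any :: compression lies
# in the prefix, which holds for SLAAC addresses with a non-zero interface ID.
is_eui64_address() {
  printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '
    NF >= 4 && $(NF-2) ~ /^[0-9a-f]?[0-9a-f]?ff$/ && $(NF-1) ~ /^fe[0-9a-f][0-9a-f]$/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Demonstration with constructed sample values.
demo() {
  mac="00:1a:2b:3c:4d:5e"                      # constructed sample MAC
  addr=$(slaac_address "2001:db8:1:0" "$mac")   # documentation prefix
  printf 'MAC %s -> SLAAC address %s\n' "$mac" "$addr"
  for a in "$addr" "2001:db8:1:0:3c9f:1a22:77b0:4e1d"; do  # second ID is a constructed random one
    if is_eui64_address "$a"; then
      printf '%s: EUI-64 derived (MAC embedded, stable across networks)\n' "$a"
    else
      printf '%s: randomized interface ID\n' "$a"
    fi
  done
}
demo
```

<p>With <code>randomizeidentifiers=disabled</code> applied as above, a Windows host’s non-temporary address will pass the <code>is_eui64_address</code> check and equal <code>slaac_address</code> of the advertised prefix and the interface MAC, which is exactly the predictability the post wants back; with the default left in place, neither holds.</p>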
<h2>Now with Nanoc!</h2>
<p>Published 2012-01-13</p>
<p>For a while now I’ve been meaning to take a look at <a href="https://nanoc.ws/">Nanoc</a>. For the uninitiated, it’s a static [web]site generator written in Ruby.</p>
<p>Nanoc is a tool that runs on your local computer and compiles documents written in formats like Markdown, Textile or Haml into a static site consisting of simple HTML files, ready for uploading to any web server.</p>
<p>The idea is to replace the server-side smarts of a content management system with a ‘one-shot’ compilation to static HTML each time something changes, while maintaining the convenience of templating, pagination, markup filtering, dynamic content etc. This has several advantages: no server-side security vulnerabilities (SQL injection etc.), no need for language runtimes, great performance and simple deployment. The downside is that any run-time dynamic stuff must be done client-side with JavaScript.</p>
<p>Previously when building simple sites, I’ve often relied on <a href="http://wordpress.org/">WordPress</a>, as it was the path of least resistance. The frequent security issues and the need to write/run PHP are a hassle however, so I’ve been looking for a better solution.</p>
<p>I finally found some time over Christmas to rewrite this site with Nanoc, with a new cleaner layout and some HTML5 goodness to boot. It’s still a work in progress but I’ve got most of what I need working now including article publication (archive generation, atom feeds, tags, comments etc.), static assets, sitemap generation and simple deployment. Nanoc provides some of these features out of the box but a few of them require extending Nanoc by writing <a href="https://nanoc.ws/doc/reference/helpers/" title="Nanoc Helpers">helpers</a>, which thankfully is <a href="https://nanoc.ws/doc/helpers/" title="Writing Nanoc helpers">very easy</a>. I took some inspiration from the <a href="https://github.com/brightbox/brightbox-nanoc-helpers">Brightbox Nanoc Helpers</a> gem and wrote some helpers of my own to provide the functionality I need, which I’ll detail in future posts and release in due course.</p>
<p>Content is written in <a href="http://daringfireball.net/projects/markdown/">Markdown</a> and processed using the <a href="http://kramdown.rubyforge.org">kramdown</a> filter, while the layouts are written in ERB. Compilation and deployment are handled by a simple set of rake tasks that build the static HTML and use rsync+ssh to copy it to the webserver. I’ve made use of Twitter’s <a href="http://twitter.github.com/bootstrap/">Bootstrap CSS</a> library and <a href="http://jquery.com/">jQuery</a> as a foundation for the layout, styling and typography. Blog comments are provided using <a href="http://disqus.com">Disqus</a> and I use <a href="http://git-scm.com/">git</a> for version control of the whole thing. The code is on <a href="https://github.com/andatche/andatche.com">GitHub</a>.</p>
<p>I still have a couple of things left to work out, like full-text searching and writing on-the-go (phone, iPad etc.), but I have some ideas in mind (using Dropbox, Linux’s inotify and git post-commit hooks).</p>
<h2>PXE booting servers on Brightbox cloud</h2>
<p>Published 2011-04-19</p>
<div class="alert alert-warning" role="alert">
This guide is now somewhat out of date. For more recent information please consult the <a href="https://www.brightbox.com/docs/">Brightbox Cloud docs</a> instead.
</div>
<p>I’ve been playing with PXE booting servers on <a href="http://beta.brightbox.com/beta">Brightbox cloud</a> over the last few days, which is rather cool! It’s also incredibly useful for building OS images which can be snapshotted and registered for later use. It’s quite simple really; here’s a quick guide.</p>
<p>If you haven’t already, go ahead and register for the cloud beta, read through the docs about getting started and make yourself familiar with the basics of the command line client.</p>
<p>First let’s build a new server to PXE boot using the command line client.</p>
<pre>ben@spud:~$ brightbox-servers create -n "PXE Boot" img-2ab98
INFO: client_id: ben
Creating a nano (typ-4nssg) server with image Ubuntu Lucid 10.04 server (img-2ab98)
id status type zone created_on image_id cloud_ips name
------------------------------------------------------------------------------
srv-m1tgj creating nano gb1-b 2011-04-18 img-2ab98 PXE Boot
------------------------------------------------------------------------------</pre>
<p>It doesn’t really matter which image you choose at this point; if you’re PXE booting an installer it’s likely you’ll be erasing and repartitioning the disk anyway (there’ll be some blank images available soon). If you’re intending to snapshot the server for registration as a machine image later, it’s best to use the smallest disk available, as this will be the minimum required for your image later on. In this case we’re using a nano, the default, with a 20GB disk.</p>
<p>Once the server has finished creating, activate its web-based console so we can get to the POST screen.</p>
<pre>ben@spud:~$ brightbox-servers activate_console srv-m1tgj
INFO: client_id: ben
Activating console for server srv-m1tgj
url token expires
-----------------------------------------------------------------------------
https://srv-m1tgj.console.gb1.brightbox.com mk6rr2z8 2011-04-18T23:33:12Z
-----------------------------------------------------------------------------</pre>
<p>Fire up your web browser and log in to the console. Once logged in, hit the “Send CtrlAltDel” button in the right hand corner and wait for the machine to reboot. During the POST, hit Ctrl-B when you see “Press Ctrl-B to configure gPXE” to start <a href="http://etherboot.org/wiki/start">gPXE</a>.</p>
<p><img class="centered" title="Brightbox PXE boot console" src="/assets/img/blog/2011/console.png" alt="Brightbox PXE boot console" /></p>
<p>gPXE is a GPL’d replacement for proprietary PXE boot ROMs that has lots of nice features, including the ability to boot from HTTP, which we’re going to make use of here.</p>
<p>There are a number of choices when it comes to deciding exactly what we’d like to boot from, I’ll cover three options that are useful for image building.</p>
<ul>
<li>Booting a preprepared initrd and kernel image</li>
<li>Booting an ISO with memdisk</li>
<li>Chain loading with <a href="http://www.netboot.me/">netboot.me</a></li>
</ul>
<p>Before we do anything else though, we need to get network connectivity inside the gPXE environment. We can make use of DHCP to automatically configure everything for us.</p>
<pre>gPXE> dhcp net0</pre>
<p>Now we’re ready to boot something.</p>
<h3>Booting a preprepared initrd and kernel image</h3>
<p>A number of Linux distributions provide initrd and kernel images that are preprepared for PXE booting into an installer or rescue environment, including Debian, Ubuntu, RHEL, the System Rescue CD and many others. This is particularly easy with Red Hat derived distributions; here we’ll boot the Scientific Linux 6.0 installer, though the same procedure could easily be used for CentOS, Fedora, RHEL etc.</p>
<p>Most Red Hat derivatives provide the required kernel and initrd on their download mirrors, which can usually be found under <code>os/images/pxeboot/</code> in the desired version and architecture directory. Go ahead and browse the mirror of your favourite RH clone, locate the vmlinuz and initrd.img for your preferred version and architecture and make a note of their URLs; in this case:</p>
<p><code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz</code>
<code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img</code></p>
<p>Next, we need to tell gPXE where to find our kernel and initrd.</p>
<pre>gPXE> kernel http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz
> http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/vmlinuz..........
gPXE> initrd http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img
> http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os/images/pxeboot/initrd.img...............
..................................................</pre>
<p>It can take quite a long time for them to download, particularly if the initrd.img is large. gPXE’s TCP stack isn’t tuned for performance. It’s generally a lot quicker if you use a mirror that’s geographically close (to the UK in this case), as latency has a significant impact on performance due to gPXE’s lack of TCP window scaling.</p>
<p>Anyway, once the downloads have finished, we’re ready to boot!</p>
<pre>gPXE> boot</pre>
<p><img class="centered" src="/assets/img/blog/2011/anaconda.png" alt="Anaconda, installing Scientific Linux 6.0" title="Anaconda, installing Scientific Linux 6.0" /></p>
<p>If everything has gone to plan, you should see the kernel boot messages scrolling by, then the anaconda installer starting up. Success!</p>
<p>Now it’s just a case of completing the installation procedure and rebooting into your new install. In the case of RH derivatives, anaconda will ask a few simple questions on language and keyboard layout before asking “What type of media contains the installation image?” To keep the PXE boot initrd small, it doesn’t include everything required to complete the installation, so we need to tell anaconda where to find the rest of what it needs. Choose the URL option, then complete the network configuration options. When asked for the URL, enter the path of the <code>os/</code> directory from the mirror we used previously, in this case <code>http://ftp.scientificlinux.org/linux/scientific/6.0/i386/os</code>.</p>
<p>That’s it! Go and make a coffee while you wait for the installation to complete.</p>
<h3>Booting an ISO with memdisk</h3>
<p>Not all operating systems are kind enough to provide native PXE boot support. Often, the only available installation media for an OS is a cd/dvd or ISO image, particularly in the case of Microsoft Windows. Unfortunately PXE does not support booting from an ISO natively (boo!).</p>
<p><img class="centered" src="/assets/img/blog/2011/debian.png" alt="Debian Installer" title="Debian Installer" /></p>
<p>Never fear, <a href="http://syslinux.zytor.com/wiki/index.php/MEMDISK">memdisk</a> to the rescue! Memdisk, from the SYSLINUX project, is designed to allow booting legacy operating systems. “MEMDISK can boot floppy images, hard disk images and some ISO images.” Unfortunately memdisk’s support for booting ISOs is somewhat <a href="http://syslinux.zytor.com/wiki/index.php/MEMDISK#INT_13h_access:_Not_all_images_will_boot_completely.21">limited</a> so YMMV. Here, we’ll boot the Debian netboot installer ISO.</p>
<p>It’s important to make note of a few issues here when choosing an ISO to boot. Memdisk will load the entire ISO into a RAM disk before booting, so it’s important you use a server with enough RAM to contain the entire ISO and still leave enough free memory for the installation to complete successfully. A large DVD ISO will require <strong>lots</strong> of memory! Also, as previously mentioned, gPXE’s TCP stack is not tuned for performance, so downloading a large ISO can take a <strong>very</strong> long time! Using a fast, geographically close mirror will help.</p>
<p>First though, we need a PXE bootable memdisk! The nice folks at <a href="http://www.slitaz.org/en/">SliTaz GNU/Linux</a> provide just such a thing on their download mirror at <code>http://distro.ibiblio.org/slitaz/pxe/memdisk</code>, which we’ll make use of.</p>
<p>Now we need to tell gPXE to use the memdisk image as the kernel it should boot from.</p>
<pre>gPXE> kernel http://distro.ibiblio.org/slitaz/pxe/memdisk
> http://distro.ibiblio.org/slitaz/pxe/memdisk..............</pre>
<p>Next, we tell gPXE to use the ISO we’d like to boot as the initrd; in this case we’re using the Debian netboot ISO from <code>http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso</code>.</p>
<pre>gPXE> initrd http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso
> http://ftp.nl.debian.org/debian/dists/squeeze/main/installer-i386/current/images/netboot/mini.iso.......
...........................................................................</pre>
<p>Now is probably a good time to go make coffee, while you wait for the ISO to download. Once it’s finished, we’re ready to boot!</p>
<pre>gPXE> boot</pre>
<p>If the ISO is supported and everything has worked correctly, it should now be booting!</p>
<h3>Chain loading with netboot.me</h3>
<p>As ever, I’ve saved the easiest option until last! :) <a href="http://www.netboot.me/">netboot.me</a> is an awesome service that “allows you to boot nearly any operating system or utility on any computer with a wired internet connection.” They provide a custom built PXE environment which includes an easy-to-navigate menu system offering the ability to boot a number of games, OS installers, live OSes and system tools over the internet with little effort.</p>
<p>The best thing is, we can chain load the netboot.me PXE environment over HTTP directly from gPXE with a single command! The PXE environment is available via HTTP at <code>http://static.netboot.me/gpxe/netbootme.kpxe</code>, so all we have to do is tell gPXE to chain load it.</p>
<pre>gPXE> chain http://static.netboot.me/gpxe/netbootme.kpxe
> http://static.netboot.me/gpxe/netbootme.kpxe.................</pre>
<p>gPXE will download and boot the netboot.me environment. After waiting a few seconds for netboot.me to start, you should be presented with the main menu, which is fairly self-explanatory. Time to reward yourself with a game of nethack! :)</p>
<p><img class="centered" src="/assets/img/blog/2011/netboot.me_.png" alt="netboot.me menu" title="netboot.me menu" /></p>
<h3>Finishing off</h3>
<p>So, you’ve finished installing your shiny new OS, but what to do now?! Before customising anything on the fresh installation, you might want to make a snapshot of the server to use for building new servers in future, certainly a lot quicker than PXE booting!</p>
<p>(NOTE: You may need to make some alterations to the image after installing and before snapshotting if you want to use the snapshot for building new servers later. Often things like networking config, hostname etc. are configured statically during the installation procedure; these will need to be changed/removed.)</p>
<p>First, we’ll take a snapshot of the server.</p>
<pre>ben@spud:~$ brightbox-servers snapshot srv-m1tgj
INFO: client_id: ben
Snapshotting server srv-m1tgj</pre>
<p>Next, we need to find the id of the newly created snapshot.</p>
<pre>ben@spud:~$ brightbox-images list
...
img-o031h acc-vhba2 snapshot 2011-04-19 creating 20480 Snapshot of srv-m1tgj 19 Apr 13:16 (i686)</pre>
<p>Once the snapshot is finished creating, the <code>/images</code> directory of your account’s FTP library will contain a gzipped copy of the snapshot, in this case <code>img-o031h.gz</code>. You can go ahead and start building images from the snapshot using its id right away!</p>
<pre>ben@spud:~$ brightbox-servers create img-o031h</pre>
<h3>Conclusion</h3>
<p>I’ve covered some of the basic aspects of PXE booting using gPXE on the Brightbox cloud here, which should be enough to use for OS installation and system rescue. There are also lots of things I haven’t covered; it’s possible to do many weird and wonderful things with gPXE that are beyond the scope of this post. Perhaps I’ll cover them in the future. ;)</p>
<h2>Er, welcome back!</h2>
<p>Published 2011-01-05</p>
<p>In a hasty decision to better organise my online life and to encourage me to write more, I’ve finally got round to getting my website back online. 2010 brought lots of new-then-quickly-abandoned projects I’d like to resurrect; I’m hoping that talking/blogging about them will help me stay interested and perhaps raise a bit of interest in some of them from other people. How successful this will be remains to be seen!</p>