title: “Configure PXE (Network Boot) installation Server on CentOS 7.x”
date: 2019-02-12T09:38:46
slug: configure-pxe-network-boot-installation-server-on-centos-7-x

yum install dhcp tftp tftp-server syslinux vsftpd xinetd

vi /etc/dhcp/dhcpd.conf

# DHCP Server Configuration file.

ddns-update-style interim;
ignore client-updates;
authoritative;
allow booting;
allow bootp;
allow unknown-clients;

# internal subnet for my DHCP Server
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.200 10.0.0.250;
option domain-name-servers 10.0.0.1;
option domain-name "openstack.local";
option routers 10.0.0.1;
option broadcast-address 10.0.0.255;
default-lease-time 600;
max-lease-time 7200;
next-server 10.0.0.5;
}

host controller.openstack.local {
 hardware ethernet 52:54:00:37:2a:4e;
 option host-name controller;
 fixed-address 10.0.0.11;
 filename "pxelinux.0";
}

vi /etc/xinetd.d/tftp
service tftp
{
 socket\_type = dgram
 protocol = udp
 wait = yes
 user = root
 server = /usr/sbin/in.tftpd
 server\_args = -s /var/lib/tftpboot
 disable = no
 per\_source = 11
 cps = 100 2
 flags = IPv4
}

cp -v /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot
cp -v /usr/share/syslinux/menu.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/memdisk /var/lib/tftpboot
cp -v /usr/share/syslinux/mboot.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/chain.c32 /var/lib/tftpboot
mkdir /var/lib/tftpboot/pxelinux.cfg
mkdir /var/lib/tftpboot/networkboot

Mount Centos  ISO and copy content to /var/ftp/pub/

mount /dev/cdrom /mnt
cd /mnt/
cp -av \* /var/ftp/pub/

cp /mnt/images/pxeboot/vmlinuz /var/lib/tftpboot/networkboot/
cp /mnt/images/pxeboot/initrd.img /var/lib/tftpboot/networkboot/

Generate Root Password

openssl passwd -1 Pxe@123#
$1$e2wrcGGX$tZPQKPsXVhNmbiGg53MN41

Create kickstart file (Replace Password and URLs)

vi /var/ftp/pub/centos7.cfg

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --disabled
# Install OS instead of upgrade
install
# Use FTP installation media
url --url="ftp://10.0.0.5/pub/"
# Root password
rootpw --iscrypted $1$B8PHMhWg$89J2kxGGtxIc/RdA9/3OI1
# System authorization information
auth useshadow passalgo=sha512
# Use graphical install
graphical
firstboot disable
# System keyboard
keyboard de
# System language
lang en\_US
# SELinux configuration
selinux disabled
# Installation logging level
logging level=info
# System timezone
timezone Europe/Amsterdam
# System bootloader configuration
bootloader location=mbr
ignoredisk --only-use=sda
clearpart --all --initlabel
part swap --asprimary --fstype="swap" --size=1024 --ondisk=sda
part /boot --fstype xfs --size=300 --ondisk=sda
part pv.01 --size=1 --grow --ondisk=sda
volgroup root\_vg01 pv.01
logvol / --fstype xfs --name=lv\_01 --vgname=root\_vg01 --size=1 --grow
%packages

@^minimal
@core
%end
network --device=eth0 --bootproto=dhcp
network --device=eth1 --bootproto=static
%addon com\_redhat\_kdump --disable --reserve-mb='auto'

%end
%post
rpm -Uvh https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
yum -y install salt-minion
yum -y update
systemctl enable salt-minion
systemctl start salt-minion
echo "10.0.0.5 salt" >> /etc/hosts
sed -i -e 's/GRUB\_CMDLINE\_LINUX=.\*/GRUB\_CMDLINE\_LINUX="rd.lvm.lv=root\_vg01\/lv\_01 rhgb quiet net.ifnames=0 biosdevname=0"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
echo "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin" >> /var/spool/cron/root
echo "@reboot salt-call state.apply > /tmp/out 2>&1" >> /var/spool/cron/root
%end
reboot

Create a PXE menu file

vi /var/lib/tftpboot/pxelinux.cfg/default

default menu.c32
prompt 0
timeout 30
MENU TITLE LinuxTechi.com PXE Menu
LABEL centos7\_x64
MENU LABEL CentOS 7\_X64
KERNEL /networkboot/vmlinuz
APPEND initrd=/networkboot/initrd.img inst.repo=ftp://10.0.0.5/pub ks=ftp://10.0.0.5/pub/centos7.cfg net.ifnames=0 biosdevname=0

Start Services

systemctl start xinetd
systemctl enable xinetd
systemctl start dhcpd.service
systemctl enable dhcpd.service
systemctl start vsftpd
systemctl enable vsftpd

Allow FTP connection (selinux)

setsebool -P allow\_ftpd\_full\_access 1

Allow Connections (Firewall)

firewall-cmd --add-service=ftp --permanent
firewall-cmd --add-service=dhcp --permanent
firewall-cmd --add-port=69/tcp --permanent
firewall-cmd --add-port=69/udp --permanent
firewall-cmd --add-port=4011/udp --permanent
firewall-cmd --add-port=4506/tcp --permanent
firewall-cmd --reload

Salt installieren

rpm -Uvh https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
yum -y install salt-master epel-release git
yum install python-pip
pip install --upgrade pip

export VERSION=develop
for s in $(python -c "import site; print(' '.join(site.getsitepackages()))"); do
 pip install --install-option="--prefix=" --upgrade --force-reinstall -I \
 -t "$s" git+https://github.com/salt-formulas/reclass.git@${VERSION};
done

mkdir -p /srv/salt/inventory/{classes,hosts}
mkdir -p /srv/salt/pillar/{file\_tree,roots/base}
mkdir -p /srv/salt/state/base/basenode

[root@localhost ~]# tree /srv/salt/
/srv/salt/
├── inventory
│   ├── classes
│   └── hosts
│   └── controller.openstack.yml
├── pillar
│   ├── file\_tree
│   └── roots
│   └── base
└── state
 └── base
 └── basenode
 └── init.sls

10 directories, 2 files

vi /srv/salt/state/base/basenode/init.sls

mc:
 pkg.installed

vi /srv/salt/inventory/hosts/controller.openstack.yml

environment:
 base classes: {}
 applications:
 - basenode

vi /etc/salt/master.d/01-master.conf

keep\_jobs: 24
max\_open\_files: 16384
open\_mode: True
auto\_accept: True
state\_top: top.sls
reclass: &reclass
 storage\_type: yaml\_fs
 inventory\_base\_uri: /srv/salt/inventory
 nodes\_uri: hosts
 classes\_uri: classes
 class\_mappings: []
master\_tops:
 reclass: \*reclass
state\_output: changes
file\_roots:
 base:
 - /srv/salt/state/base
env\_order:
 - base
hash\_type: sha256
file\_ignore\_regex:
 - '/\.svn($|/)'
 - '/\.git($|/)'
file\_ignore\_glob:
 - '\*.pyc'
 - '\*/somefolder/\*.bak'
 - '\*.swp'
fileserver\_backend:
 - roots
pillar\_roots:
 base:
 - /srv/salt/pillar/roots/base
ext\_pillar:
 - reclass:
 storage\_type: yaml\_fs
 inventory\_base\_uri: /srv/salt/inventory
 nodes\_uri: hosts
 classes\_uri: classes
 class\_mappings: []
 - file\_tree:
 root\_dir: /srv/salt/pillar/file\_tree
 follow\_dir\_links: False
 keep\_newline: True
pillar\_source\_merging\_strategy: smart
log\_level: warning

systemctl enable salt-master
systemctl start salt-master

NFS Freigabe für Salt Scripte

yum -y install nfs-utils
#firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
systemctl enable nfs-server.service
systemctl start nfs-server.service
/etc/exports
/srv/salt/ 10.0.0.0/24(rw,sync,no\_subtree\_check)
exportfs -a

Am Client:

sudo mount -o soft -t nfs 10.0.0.5:/srv/salt/ /home/tay/openstack/salt

Install Vault

yum install unzip
curl https://releases.hashicorp.com/vault/1.0.3/vault\_1.0.3\_linux\_amd64.zip -o vault\_1.0.3\_linux\_amd64.zip
unzip vault\_1.0.3\_linux\_amd64.zip
mv vault /usr/bin/
export VAULT\_ADDR='http://10.0.0.5:8200'
vi /root/vault.hcl
backend "file" {
 path = "/var/lib/vault"
}
listener "tcp" {
 address = "0.0.0.0:8200"
 tls\_disable = 1
}
vault server -config=/root/vault.hcl &
vault operator init

Unseal Key 1: hiR5fSIEaS5NErWwmH/KGpwo1UDROL4nW5SyCwk6kMNm
Unseal Key 2: iYJrQ3UCIuuqwonQJWu4JoLj+/ElQfrKxtnEfd/H83rC
Unseal Key 3: 6+sPo592bAA9n5VCz9agyIW7Xrsb5dBsP7YEpK9gdP6c
Unseal Key 4: fxKfoRb6IWL5+07X25AmoHGbjwypX7592VydbBl3jpPU
Unseal Key 5: ItaavrSMOR8Qn3Q2wd7BDEVd76k2NDczstZnqWyWndKw

Initial Root Token: s.5qhccbKwytnpX5sEjLDBp3hg

3 Times: until Unseal Progress 2/3 is 3/3:
vault operator unseal
vault login <Initial Root Token>
vault write secret/openstack/RABBIT\_PASS password="abc123"

Create Salt Token (Read and List)
vi salt-policy.hcl
path "openstack/\*" {
 capabilities = ["read", "list"]
}
path "auth/\*" {
 capabilities = ["read", "list","sudo","create","update","delete"]
}

vault policy write salt-policy salt-policy.hcl
vault token create -policy=salt-policy

Key Value
token s.PCGMAcQTrN505EA8BIB3dLku
token\_accessor avIpcDUGvSTJMUmb910eXTUG
token\_duration 768h
token\_renewable true
token\_policies ["default" "salt-policy"]
identity\_policies []
policies ["default" "salt-policy"]

Create Entries

for NAME in ADMIN\_PASS CINDER\_DBPASS CINDER\_PASS DASH\_DBPASS DEMO\_PASS GLANCE\_DBPASS GLANCE\_PASS KEYSTONE\_DBPASS METADATA\_SECRET NEUTRON\_DBPASS NEUTRON\_PASS NOVA\_DBPASS NOVA\_PASS PLACEMENT\_PASS PLACEMENT\_DBPASS RABBIT\_PASS
do
 PW=`openssl rand -hex 10`
 vault write secret/openstack/${NAME} password=${PW}
done

vi /etc/salt/master.d/vault.conf (with token from 2nd step obove – vault token create -policy=salt-policy )

vault:
 url: http://10.0.0.5:8200
 auth:
 method: token
 token: s.mIeRDNYMeGhJv2W5e96DGr7z
 policies:
 - salt-policy

vi salt-policy.hcl

path "secret/\*" {
 capabilities = ["read", "list"]
}
path "auth/\*" {
 capabilities = ["read", "list","sudo","create","update","delete"]
}