Wednesday, February 27, 2013

PXE boot WINPE

As part of our new Windows 7/AD deployment, SCCM is being used to control the imaging process of desktop computers.

We already have a comprehensive set of PXE enabled boot options so we needed a way to integrate the SCCM tools into our existing PXE setup.

The existing setup is syslinux(pxelinux) 3.11 on CentOS 5, ISC dhcpd and tftp.

We have several Linux live CDs, memtest, novell tools, DOS and chain booting to another (novell) server.

Our Microsoft team provides a bootable CD which we can use to image desktop machines, and on some subnets they now provide the ability to PXE boot. Initially I hoped we could just chain boot to the SCCM server, but that does not work.

After much research and testing I worked out a process using wimboot. Based on instructions found at http://ipxe.org/howto/sccm and http://forum.ipxe.org/showthread.php?tid=5745 I managed to write a script which converts the boot CD (ISO image) into a form our existing PXE setup can boot.

The pxelinux entry is:
LABEL ad
com32 ad/linux.c32
append ad/wimboot initrd=ad/winpe.cpio

The files are in a tftp subdirectory called ad.

linux.c32 is part of syslinux. I am using version 4.02 which was copied from a CentOS 6 server.

wimboot is available for download from ipxe.

winpe.cpio is a file we are going to create using my script below.

I also required a copy of bootmgr.exe, which should be available on your Microsoft tftp server, but I was unable to find it and in the end I got a copy from our Microsoft team.

Finally, I needed a copy of wimlib, which has a Linux version of the imagex tool. I was unable to find an RPM of this package so I just built it from source using the --without-ntfs-3g option. (The source comes with .spec files so an RPM should be easy to build.)

So here is my script:
convert_cd_into_pxe.sh:
#!/bin/bash
# Written by John Newbigin jnewbigin@chrysocome.net
# Converts the SCCM boot CD (ISO) into winpe.cpio for PXE booting with wimboot.
ISO=x86_PROD_MS.iso

MNTPNT=wim       # mount point for the boot.wim image
SCCMFILES=iso    # mount point for the ISO

IMAGEX=./wimlib-1.2.5/imagex

# Make sure an interactive 'cp -i' alias cannot prompt us (harmless if there is none)
unalias cp 2>/dev/null

if [ "$(whoami)" = "root" ] ; then

   if [ ! -f bootmgr.exe ] ; then
      echo "You need a copy of bootmgr.exe"
      exit 1
   fi
   # Clean up from any previous run, then mount the ISO
   umount "$SCCMFILES" 2>/dev/null
   mkdir -p "$SCCMFILES"
   mkdir -p "$MNTPNT"
   mount -o loop "$ISO" "$SCCMFILES" || exit 1

   # The boot files wimboot needs, taken from the CD
   cp "$SCCMFILES/boot/bcd" BCD
   cp "$SCCMFILES/boot/boot.sdi" .
   cp "$SCCMFILES/sources/boot.wim" .

   # Mount the first image in boot.wim read/write so we can edit it
   "$IMAGEX" mountrw boot.wim 1 "$MNTPNT" || exit 1

   # Copy the SCCM tools from the CD into the WIM
   cp -drv "$SCCMFILES"/sms/* "$MNTPNT/sms/"
   umount "$SCCMFILES"
   rmdir "$SCCMFILES"

   # Architecture directory name: field 4 of the TsBootShell.exe path in winpeshl.ini
   ARCH=$(grep TsBootShell.exe "$MNTPNT/Windows/System32/winpeshl.ini" | cut -d \\ -f 4)
   # edit winpeshl.ini so it runs our bootstrap.vbs instead of TsBootShell.exe
   perl -pi -e "s|.*$ARCH.*|\"wscript.exe\",\"%SYSTEMDRIVE%\\\\sms\\\\bin\\\\$ARCH\\\\bootstrap.vbs\"|" "$MNTPNT/Windows/System32/winpeshl.ini"

   # install bootstrap.vbs
   cat > "$MNTPNT/sms/bin/$ARCH/bootstrap.vbs" << END
Set os = WScript.CreateObject ( "WScript.Shell" )
os.Run "%COMSPEC%", 7, false
os.Run "%COMSPEC% /c title Initialising... && wpeinit " & _
"&& net start dnscache", 1, true
os.Run WScript.ScriptFullName & "\..\TsmBootStrap.exe /env:WinPE " & _
"/configpath:%SYSTEMDRIVE%\sms\data", 1, true
END

   # Write the changes back into boot.wim
   "$IMAGEX" unmount "$MNTPNT" --commit
   rmdir "$MNTPNT"

   # Pack the four boot files into a newc cpio archive for wimboot
   ls BCD bootmgr.exe boot.sdi boot.wim | cpio --create -H newc > winpe.cpio
   rm BCD boot.sdi boot.wim

else
   echo "You must be root to run this script"
   exit 1
fi


I hope this is of use to someone.

Saturday, February 23, 2013

Puppet tip

I have a custom puppet type called iptables. Not surprisingly it is used to build iptables rules.

Recently I was setting up a router which required MASQUERADING a few virtual network interfaces. I found that the module was lacking the ability to negate a match. For example I wanted a rule:
-A FORWARD ! -s 192.168.1.0/24 -i vnet -j DROP

It seemed like a simple task to add in the ability to insert the !. After all it is mostly just string manipulation.

My puppet setup already has pluginsync enabled and working so I thought deploying my changes would be easy too.

I managed to make my changes (even though ruby is quite a foreign language to me). When I ran puppet I could see the changes being pulled down to the client but alas, it did not work correctly.

I checked with several web pages which try to explain how easy it is to add new properties and everything I was doing was correct.

After wasting hours tinkering in the ruby code I had the idea to restart the puppet master and bang, it started working.

Seems so obvious in hindsight.

Monday, February 4, 2013

udev tip

From time to time I have to write some udev rules but I always struggle to work out which magic strings are required.

It does not help that every version of udev seems to change everything.

I have found a command for modern versions which helps work out what is required:

udevadm info -e

From there you can find out everything there is available to identify your devices.

The udev 'rule' is then a series of commands separated by a comma (,). You can test for equality with == and set properties with either = or :=. When you use := your value can not be overridden by another rule. For example:

SUBSYSTEM=="video4linux", MODE:="0666"

This will match all video4linux devices and set their permissions to world read/write.

If you save that into a file called /etc/udev/rules.d/99-v4l2.rules
you can then apply it with the command:
udevadm trigger

There is much more which can be done but that is enough to get started. The names of the keys which can be set are actually listed in the man page (man 7 udev) but it can be quite confusing to follow without examples.

Next time I have to work on flashcache I will try and blog about the new GOTO style rules :-(

Friday, February 1, 2013

Telstra error message

Recently I phoned my parents and I got an unusual error. It was a recorded voice message saying 'S3MA 1 4'.

Now that seemed a bit cryptic to me so I thought I would write it down and look up what it means. It played a few times while I was writing it down and then, to my surprise, Dad answered the phone.

Clearly something weird is going on in the bowels of the phone exchange. Google did not have much to say on the topic so I put the word out to a contact who works at Telstra.

Apparently it is uncommon so it was hard to find but they concluded that it means 'Not connected to network'. Exactly what is not connected I don't know but I guess it became connected and then the call went through.

Some further research shows that S3MA is the name of Signalling Point ISPC Code 5-012-1, which is operated by PowerTel. That does not tell me much either (http://www.google.com/search?q=ispc+s3ma), but I guess the connection between the two telcos was offline for a short period. Once they were reconnected, the call was placed. This probably happens all the time and no one notices.