How to Create a Backup Server: Using Clonezilla and PXE - Part 2

This is a two part article that was adapted from the ODROID forum. The first half can be found at https://magazine.odroid.com/article/how-to-create-a-backup-server-using-clonezilla-and-pxe-part-1/.

PXElinux

In both of the previous examples we configured DHCP to tell a PXE client trying to boot to download the file named “pxelinux.0” from a specific server. This file is part of the pxelinux package of boot loaders, so go ahead and install pxelinux on the same system you will be installing tftp-hpa on. You can find the Syslinux homepage at https://www.syslinux.org/wiki/index.php ... ux_Project and the pxelinux docs at https://www.syslinux.org/wiki/index.php?title=PXELINUX. If you ever have plans for expanding your PXE server beyond this little Clonezilla exercise, consider studying it.

Setting up tftp-hpa and making Clonezilla bootable over the network

The tftp-hpa package is a very small, lightweight TFTP server used almost exclusively for booting over a network. It is light on security, so don’t deploy it in a hostile environment unless you have another layer or two of security covering it. Because it is so lightweight, configuration is pretty simple but not very standardized. The most important option is setting the root folder for tftpd. A lot of people use some place like /var/lib/tftpboot or /srv/tftpboot or even /opt/tftpboot. I have seen example configs that just have the user create the directory /tftp, but I think it’s better not to clutter / with more top-level directories. In the end I chose /srv/tftp.root just because I wanted it to stand out in my mind. After you have it installed, pick a location, create the directory, and then edit the config file. The config file location varies pretty widely depending on the distro you are using. It could be /etc/default/tftpd-hpa or /etc/xinetd.d/tftp, or even /etc/conf.d/in.tftpd, so you will need to consult your distro’s documentation to make sure you have it configured right. For the purposes of this HOWTO I will use /var/lib/tftpboot as the root directory.

First, let’s get pxelinux.0 in place. Its installed location will again depend on your distro, but it will usually be somewhere in /usr/share or /usr/lib. After we copy it over we will create one directory to hold the files we extract from the Clonezilla .zip file and another directory to hold our boot parameters.

$ sudo cp /usr/lib/PXELINUX/pxelinux.0 /var/lib/tftpboot
$ sudo mkdir /var/lib/tftpboot/cz
$ sudo mkdir /var/lib/tftpboot/pxelinux.cfg

Next copy over the Clonezilla zip file, extract it, and copy a few files into place:

$ sudo cp /path/to/clonezilla-live-2.6.0-37-amd64.zip /var/lib/tftpboot/cz/
$ cd /var/lib/tftpboot/cz/
$ sudo unzip -X *.zip
$ sudo cp /var/lib/tftpboot/cz/syslinux/*.c32 /var/lib/tftpboot

Then we create the PXE bootloader config file. For this HOWTO it will be nothing fancy, or even very pretty. It will just load what we tell it to after a 10 second countdown:

$ cd /var/lib/tftpboot/pxelinux.cfg
$ sudo nano default

Place the following in the “default” config file and don't forget to change the IP address in the last line. As a side note, I found this template somewhere online a while back and I don’t remember where or I would give credit:

# The default menu style - using the vesa menu in this example
DEFAULT vesamenu.c32
# If you have a png image in the tftp root directory you can specify it here like so:
# MENU BACKGROUND image.png
# prompt 0 means no "boot:" prompt; the menu is shown right away
prompt 0

# Global label identifier
label Clonezilla
        # Set this entry as the default selection
        menu default
        # Actual viewable label text
        MENU LABEL Clonezilla
        # TIMEOUT and TOTALTIMEOUT are in tenths of a second, so 100 is 10 seconds.
        # They are global directives; pxelinux ignores indentation, so they work here too.
        TIMEOUT 100
        TOTALTIMEOUT 100
        # The kernel image to load. This entry actually resides at /var/lib/tftpboot/cz/live/vmlinuz;
        # the path is relative to /var/lib/tftpboot (or whatever your tftp root directory is).
        kernel cz/live/vmlinuz
        # The initrd, relative to /var/lib/tftpboot, plus the netboot server, protocol, and file.
        # In this example the tftp protocol is used on server 192.168.123.1. The file is filesystem.squashfs
        append initrd=cz/live/initrd.img boot=live username=user union=overlay config components quiet noswap edd=on nomodeset nodmraid locales= keyboard-layouts= ocs_live_run="ocs-live-general" ocs_live_extra_param="" ocs_live_batch=no net.ifnames=0 nosplash noprompt fetch=tftp://192.168.123.1/cz/live/filesystem.squashfs

Now restart the tftpd service and boot a client computer with PXE. It should work.
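Before rebooting a client it is worth checking that every file the config above names actually exists under the tftp root; the following is an added example (not from the article or from Clonezilla) that parses the kernel, initrd= and fetch=tftp:// entries of a pxelinux config and reports what is missing. It assumes the layout used above (cz/live/... under the tftp root) and builds a throwaway directory to demonstrate.

```python
# Added example (not from the article): check a pxelinux.cfg/default file
# against the tftp root so a missing kernel, initrd or squashfs is caught
# before any client is rebooted. Only the directives used above are parsed.
import os
import tempfile
from urllib.parse import urlparse

def referenced_paths(config_text):
    """Return the tftp-root-relative files the config will ask tftpd for."""
    paths = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "kernel" or (key == "default" and value.endswith(".c32")):
            paths.append(value.strip())            # e.g. vesamenu.c32, cz/live/vmlinuz
        elif key == "append":
            for token in value.split():
                if token.startswith("initrd="):    # initrd=a,b means several images
                    paths.extend(token[len("initrd="):].split(","))
                elif token.startswith("fetch=tftp://"):
                    # Clonezilla's fetch=tftp://<server>/<path>: path is tftp-relative
                    paths.append(urlparse(token[len("fetch="):]).path.lstrip("/"))
    return paths

def missing_files(config_text, tftp_root):
    """Return the referenced paths that do not exist under tftp_root."""
    return [p for p in referenced_paths(config_text)
            if not os.path.isfile(os.path.join(tftp_root, p))]

def demo():
    """Constructed tftp root that lacks filesystem.squashfs; returns what is missing."""
    config = (
        "DEFAULT vesamenu.c32\n"
        "label Clonezilla\n"
        "        kernel cz/live/vmlinuz\n"
        "        append initrd=cz/live/initrd.img boot=live "
        "fetch=tftp://192.168.123.1/cz/live/filesystem.squashfs\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cz", "live"))
        for name in ("vesamenu.c32", "cz/live/vmlinuz", "cz/live/initrd.img"):
            open(os.path.join(root, name), "w").close()
        return missing_files(config, root)

if __name__ == "__main__":
    print(demo())   # ['cz/live/filesystem.squashfs']
```

On a real server, read pxelinux.cfg/default into a string and call missing_files(text, "/var/lib/tftpboot"); an empty list means tftpd can serve everything the menu entry needs.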

Extra PXE Reading

https://help.ubuntu.com/community/UbuntuLTSP/ProxyDHCP <== An Oldie but a Goodie
https://clonezilla.org/livepxe.php <== The Document that Inspired this HOWTO
https://clonezilla.org/clonezilla-SE/ <== Setting up a Dedicated Clonezilla Server for Large Scale Deployment
https://wiki.gentoo.org/wiki/Home_router <== Using dnsmasq and iptables to turn a server with two NICs into a router

Part Three: Creating a File Server With the Network File System

The most common file sharing protocol in the entire *nix ecosystem has to be the Network File System. NFS is what you could call ancient technology. The first versions were developed in-house by Sun Microsystems in 1984. It will soon reach its 35th birthday, and its last major revision was in 2016. So why is a file sharing protocol that old still in use? Well, for the same reason the wheel is still in use. It just works. You can use NFS to share your users’ /home directories from a single server so that no matter what *nix system they log into on your network they will have the exact same contents in /home/user-name. You can use NFS to store the root file systems of diskless workstations or virtual machine images. Basically, any part of a *nix computer’s file system can reside remotely on an NFS server. The network share can be mounted at boot time from an entry in /etc/fstab or by hand with the “mount” command.

NFS is not perfect. Back in the 1980s most software development efforts were focused on “works by default” and not on “secure by default.” Although there have been attempts to add security to NFS over the last twenty years, none of the solutions proposed has been both easy to set up and easy to maintain. So there really is no standard at this point for securing NFS by default. There is a cool proposal (https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01) that could make a huge impact if it gets adopted. For now I think you are safest installing your NFS file server behind a good firewall and restricting access to it with a sane configuration file. If you have the time to learn, you can look into LDAP and Kerberos or even RPCSEC_GSS.

Almost every modern Linux distro has the NFS server built into its kernel as a module. What is missing is the user-space interface to configure and control it. In Debian the package is called nfs-kernel-server and in most other distros it is named nfs-utils. Go ahead and install it now.

The next step is to decide where your file server will store the backups and create the directory. For this HOWTO I will use /srv/backups as the shared directory. First we will create the directory and change its ownership to the least privileged user and group:

$ sudo mkdir /srv/backups
$ sudo chown nobody:nogroup /srv/backups

The configuration file /etc/exports controls what directories are shared and in what ways users and/or computers can access them. A copy of the man page for /etc/exports is available by visiting https://linux.die.net/man/5/exports or by executing “man exports” in a bash shell.

Each line of the exports file has three sections. It starts with the directory to be shared by the server, followed by who may access it, and then the share options that control what kind of access that client will have. As an example:

/foo/bar    lazlo(rw,sync,root_squash)

This means that I have read/write access to /foo/bar, the server will synchronize any pending disk writes before accepting a new one, and if anyone takes action on this share as root their uid and gid will be changed from root:root (0:0) to nobody:nogroup (65535:65535) for the given action.
Another example:

/home/lazlo    *(ro,no_root_squash)

This shares /home/lazlo read-only with every host (the “*” wildcard), and because of no_root_squash a root user on any client keeps uid 0 on the share instead of being mapped to nobody:nogroup.
At this point you can restart the NFS service and mount your share on a remote system. Test it by creating some files and directories and then running “ls -al” to make sure that everything is owned by nobody:nogroup. To manually mount the share on a Linux client you will need to install the NFS client package: "nfs-common" on Debian based systems, while the "nfs-utils" package on most other distros includes both the client and server programs. Once you have installed it, you can make a new subdirectory in your home folder and mount the share (don't forget to change the IP address in the example):

$ mkdir nfstest
$ sudo mount -t nfs 192.168.123.1:/srv/backups ./nfstest
$ mkdir nfstest/testdir
$ dd if=/dev/zero of=nfstest/testdir/testfile bs=1M count=10000 status=progress

Once that is done check the ownership:

$ ls -al nfstest/testdir

The file owner should be nobody and the group should be nogroup. If that is the case, congratulations: you are ready to use your file server with Clonezilla.
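The exports syntax and squashing behaviour described above, together with the nobody:nogroup ownership that the ls -al check looks for, as an added example that is not from the article: a small Python parser and audit for /etc/exports lines. The sample exports text is constructed; the 192.168.123.0/24 subnet is an assumption, and all_squash on the /srv/backups line is the option that maps every client uid to the anonymous user, which is what makes every file land as nobody:nogroup.

```python
# Added example (not from the article): parse and audit /etc/exports lines
# in the form the HOWTO describes: directory, then client(options) entries.
import re

# Constructed sample: the article's two examples plus a line for /srv/backups
# restricted to a hypothetical LAN subnet, with all_squash so that files
# written by any client are owned by the anonymous user (nobody:nogroup).
SAMPLE_EXPORTS = """\
# Clonezilla backup share, LAN only
/srv/backups    192.168.123.0/24(rw,sync,all_squash)
/foo/bar        lazlo(rw,sync,root_squash)
/home/lazlo     *(ro,no_root_squash)
"""

ENTRY_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")   # client, optional (options)

def parse_exports(text):
    """Return [(directory, [(client, [option, ...]), ...]), ...]."""
    shares = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directory, *entries = line.split()
        clients = []
        for entry in entries:
            client, opts = ENTRY_RE.fullmatch(entry).groups()
            clients.append((client, [o for o in (opts or "").split(",") if o]))
        shares.append((directory, clients))
    return shares

def is_wildcard(client):
    """True for an empty client (any host) or a '*' / '?' host pattern."""
    return client == "" or "*" in client or "?" in client

def squashes_everyone(options):
    """all_squash is what makes every client's writes land as nobody:nogroup."""
    return "all_squash" in options

def audit_exports(text):
    """(directory, client, finding) for exports open to any host or with root unsquashed."""
    findings = []
    for directory, clients in parse_exports(text):
        for client, options in clients:
            if is_wildcard(client):
                findings.append((directory, client, "exported to any host"))
            if "no_root_squash" in options:
                findings.append((directory, client, "client root keeps uid 0"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

Run it against the real file with audit_exports(open("/etc/exports").read()) after editing; the /home/lazlo line above is the one it flags, on both counts.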

Extra Reading

If you have the desire or the need, you can tune NFS in a wide variety of ways to best suit your environment. A simple Google search for “nfs tuning guide” will give you a great foundation. Just remember that there are such things as “over tuning” and “a point of diminishing returns.”
