Linux based Mac BSDP and NetBoot Server

July 3, 2014

The Goal

So in my continuing deletion of all things Apple Server, I am tasking myself with also getting rid of our BSDP NetBoot server for Mac clients. Our setup is simple. We don’t do any thin-client stuff. We have a number of NetInstall images and a single “thin-client” image for System Diagnostics (has a few helpful utilities). I have heard rumor that Deploy Studio can act as a BSDP server (Apple’s netboot protocol), but it is also a bit overkill for what I need. So let’s just see if Linux comes to the rescue.

For those that just want to check out the BSDP project, head over to github and you can check out the code there.

The Plan

Here is what we are going to build:

  • Ubuntu 14.04 (what is with Ubuntu and their minor version numbers?).
  • Network volume access (AFP and SMB) for loading NetBoot images.
  • Netatalk for AFP connections.
  • Samba for SMB connections (my directory server does not currently have the Samba schema, so I have not installed it yet).
  • BSDP server.
  • TFTP server for kernel images.
  • HTTP server for disk images.
  • NFS server for disk images.

The Process

Okay, so we start with an Ubuntu 14.04 Server install. I love server installs. No GUI to take up space or CPU cycles and a really small footprint to my VM system. During the install process we installed the OpenSSH server and nothing else.

Support Packages

Now let's add in some packaged requirements:

sudo apt-get install tftpd-hpa apache2 apache2-utils netatalk git nfs-kernel-server python-configparser

Next we need to create a place to store all the netboot files. I recommend you use a dedicated hard drive/partition for this and set it up to mount at boot at the appropriate location, but this is up to you and an exercise for you to perform yourself. Anyway we are going to put everything under the /netboot folder. The commands below create the needed paths and set appropriate permissions so they are group-owned by the adm group, group writable, and carry the setgid bit so that new files created inside them inherit the group ownership.

sudo mkdir /netboot /netboot/Images /netboot/Clients
sudo chgrp adm /netboot/Images /netboot/Clients
sudo chmod g+w /netboot/Images /netboot/Clients
sudo chmod +s /netboot/Images /netboot/Clients

We also need a user for the netboot clients to connect as. Apple’s NetBoot solution uses 50 different user accounts for this, I think maybe as some sort of security to make it difficult for one user to look at another user’s files. This is only used for diskless booting (i.e. booting the entire live machine via NetBoot rather than just an install image) and the only time I use those is for testing, so there are no user files to be worried about. Anyway we will be creating just a single netboot user. When asked for the password, enter whatever you like (letters and numbers only), just write it down somewhere as you will need it later in the process when you configure the BSDP server.

sudo useradd -M netboot
sudo passwd netboot

TFTP Server

Please note in the command above that we are using the tftpd-hpa package, not the standard tftpd package. The HPA TFTP server includes support for some TFTP options that the basic tftpd package does not, and newer Mac clients need these options to NetBoot correctly. Edit the /etc/default/tftpd-hpa file and change the TFTP_DIRECTORY value to match the line below:

TFTP_DIRECTORY="/netboot/Images"

After that is done execute the following command to reload the configuration for the TFTP server:

sudo service tftpd-hpa restart

Your TFTP server is now ready to serve up the kernel boot images.

Netatalk (AFP)

Next setup Netatalk to share the same folder via AFP.

sudo nano /etc/netatalk/AppleVolumes.default

Go to the bottom of the file, comment out the Home Directory line and add these new lines below it. The first line shares the Images folder and makes it accessible only to members of the adm group (the admin group on Ubuntu). The second line shares the Clients folder for diskless boot clients that need a shadow image for writing, and makes it accessible to the netboot user and the admin group. If you are using a directory server for authenticating your (admin) users then use the group your admin users belong to instead of adm.

/netboot/Images "NetBoot" allow:@adm
/netboot/Clients "NetBootClients" allow:netboot,@adm

Finally you need to restart the netatalk service to apply the changes.

sudo service netatalk restart

Apache (WWW)

By default Apache shares a folder that is not as helpful to us, so let's update the config file.

sudo nano /etc/apache2/sites-available/000-default

Find the DocumentRoot line and change the path to /netboot/Images. Below that line add the following.

<Directory /netboot/Images>
Options None
AllowOverride None
Require all granted
</Directory>

Finally reload the Apache configuration.

sudo apachectl graceful

NFS Server

Most network boot images are configured to use NFS because it is faster. We need to share the /netboot/Images folder for NFS so that those images can work as well.

sudo nano /etc/exports

Once in the editor add the following line to the config file:

/netboot/Images *(ro,no_subtree_check,no_root_squash,insecure)

After the file has been edited we need to reload the configuration so the new directory is exported. If you have not rebooted your server yet since installing the packages, we also need to manually start the NFS service.

sudo exportfs -a
sudo service nfs-kernel-server start
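The export line above opens the Images folder to every host and carries no_root_squash and insecure, which is what the NetBoot images expect, so the useful check is not to remove those options but to see exactly which exports carry them and whether the host field is wider than your NetBoot subnet. The parser and audit below are an added example of my own, not part of the original post or of pybsdp; the sample exports text is constructed, and the 192.168.10.0/24 and /srv/tmp entries are hypothetical lines included for comparison.

```python
import re

# Constructed sample /etc/exports: the line from this post plus two
# hypothetical entries for comparison (not from the original page).
SAMPLE_EXPORTS = """\
# NetBoot images, as configured in the post
/netboot/Images *(ro,no_subtree_check,no_root_squash,insecure)
# Hypothetical: a share scoped to a single subnet
/netboot/Clients 192.168.10.0/24(rw,sync,no_subtree_check)
# Hypothetical: the kind of line an audit should flag loudly
/srv/tmp *(rw,no_root_squash)
"""

def parse_exports(text):
    """Parse exports(5) syntax into [(path, [(host, [options]), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for entry in fields[1:]:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", entry)
            host = m.group(1) or "*"          # "(ro)" with no host means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, opts))
        exports.append((path, clients))
    return exports

def audit_export(path, clients):
    """Findings for one export: host scope and the options that widen trust."""
    findings = []
    for host, opts in clients:
        where = f"{path} -> {host}"
        if host == "*":
            findings.append(f"{where}: exported to every host; scope it to the NetBoot subnet")
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash maps client root to server root")
        if "insecure" in opts:
            findings.append(f"{where}: insecure accepts mounts from unprivileged source ports")
        if "rw" in opts and host == "*":
            findings.append(f"{where}: writable by every host")
    return findings

def audit_exports(text):
    """Map each exported path to its list of findings (empty list means clean)."""
    return {path: audit_export(path, clients) for path, clients in parse_exports(text)}

if __name__ == "__main__":
    for path, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(path, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against your real file with `audit_exports(open("/etc/exports").read())`; the post's Images line yields three findings, all expected, and the point is that no other export on the box should look like it.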

BSDP Server

We need to get the source code for the server from git and then run the install script. From your home directory run the following commands. This will install everything under /usr/local.

git clone http://github.com/cabal95/pybsdp
cd pybsdp
sudo ./install.sh

Next edit the config file at /etc/pybsdp.conf and update the paths and username/password to match your configuration. Finally we need to start the pybsdp service (it is set to run at boot, but it has not been started yet).

sudo service pybsdp start

Results

You should now be able to connect to your netboot server via AFP and select the Images sharepoint. Drop an NBI in there and, with a little luck, it will show up in your netboot selection list when you hold down the Option key.

I have tested this configuration with the following images and it works correctly over both NFS and HTTP:

  • 10.6.3 Install
  • 10.8.5 Install
  • 10.9.0 Install
  • 10.9.3 Diskless Boot (note, this requires either a very new computer or a hack to the boot image. This is not a bug in this program but in the way Apple is building their kernel caches. Standard TFTP cannot load a file greater than 32MB, and the kernel cache in the latest version is greater than 32MB).

Thoughts

The BSDP server is an ongoing project. This doesn’t mean it is under active development but there will likely be small future improvements. Right now it listens and responds on all active interfaces. It would be good to have config file options limiting which interfaces it responds on. These are not necessary for me right away so I will probably hit them later. The code is functional but I will likely find some bugs and fix them as they come up.

How well this whole system would work under heavy load as a diskless boot server I don't know; that is not something I will test. We have a single diskless boot image and it is strictly for diagnosing problems. It has some hardware test tools and data recovery tools. Everything else we NetBoot is install images. For that, it seems to work fantastically.