FOG – Debian Server

This article covers the installation of a FOG 1.5.4 server on Debian Stretch 9.5, used to clone, deploy and manage a fleet of computers.
 

Installing the prerequisites

Before installing Debian, it is best to create the following partitions (manual partitioning): /boot of 1 GB, / (root) of more than 30 GB, swap sized to match the RAM, and /images of 50 GB, the last one to store the captured images that will be deployed.
 

Some of the packages installed here, such as terminator, are optional.

# apt-get update
# apt-get upgrade
# apt-get install sudo tree terminator resolvconf dnsutils isc-dhcp-server ntp ntpstat git

 

Network configuration of the VM under VirtualBox

# nano /etc/hosts
127.0.0.1	localhost
192.168.1.10	fogserver.opensharing.priv	fogserver
# nano /etc/host.conf
order hosts, bind
multi on
# nano /etc/network/interfaces
auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet static
	address 192.168.1.10
	netmask 255.255.255.0
	network 192.168.1.0
	broadcast 192.168.1.255
	gateway 192.168.1.1
	dns-nameservers 8.8.8.8 8.8.4.4
# nano /etc/bash.bashrc
alias ifconfig='ip addr'
# source /etc/bash.bashrc
# systemctl restart networking
# ifup enp0s3

 

Basic DHCP service

# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig
# nano /etc/dhcp/dhcpd.conf
authoritative;
update-static-leases off;
ignore client-updates;
default-lease-time 600;
max-lease-time 7200;
db-time-format local;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        pool {
                range 192.168.1.100 192.168.1.199;
                allow unknown-clients;
        }
	host win7-client1 {
		hardware ethernet 08:00:27:86:cc:b1;
		fixed-address 192.168.1.200;
	}
}

next-server 192.168.1.10;
filename "undionly.kpxe";
# nano /etc/default/isc-dhcp-server
INTERFACESv4="enp0s3"
# systemctl restart isc-dhcp-server
# systemctl enable isc-dhcp-server
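
A static check of the configuration above, as an added example that is not part of the original article: it verifies that next-server and filename send PXE clients to the FOG server, notes the allow unknown-clients policy, and flags fixed addresses that fall inside the dynamic range. The function names are hypothetical and the sample file is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the original article: static checks on dhcpd.conf
# for the PXE settings FOG depends on. Function names are hypothetical.

# Value of the first "KEY value;" statement found in the file.
dhcp_value() {
    awk -v k="$2" '$1 == k { v = $2; gsub(/[";]/, "", v); print v; exit }' "$1"
}

# usage: check_pxe_dhcp DHCPD_CONF FOG_SERVER_IP BOOT_FILENAME
check_pxe_dhcp() {
    conf=$1; fog_ip=$2; bootfile=$3
    if [ "$(dhcp_value "$conf" next-server)" != "$fog_ip" ]; then
        echo "FINDING: next-server does not point at $fog_ip"
    fi
    if [ "$(dhcp_value "$conf" filename)" != "$bootfile" ]; then
        echo "FINDING: filename is not $bootfile"
    fi
    if grep -Eq '^[[:space:]]*allow[[:space:]]+unknown-clients' "$conf"; then
        echo "NOTE: unregistered machines get a lease and the PXE boot options"
    fi
    # Static reservations must stay outside the dynamic range (one range assumed).
    awk '
        function ip2n(s,  p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        { gsub(/;/, "") }
        $1 == "range"         { lo = ip2n($2); hi = ip2n($3) }
        $1 == "fixed-address" { fixed[$2] = ip2n($2) }
        END { for (a in fixed) if (fixed[a] >= lo && fixed[a] <= hi)
                  print "FINDING: fixed-address " a " is inside the dynamic range" }' "$conf"
    return 0
}

# Constructed sample carrying the same values as the configuration above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
                range 192.168.1.100 192.168.1.199;
                allow unknown-clients;
        }
        host win7-client1 {
                fixed-address 192.168.1.200;
        }
}
next-server 192.168.1.10;
filename "undionly.kpxe";
EOF
check_pxe_dhcp "$sample" 192.168.1.10 undionly.kpxe
rm -f "$sample"
```

The daemon's own syntax check, dhcpd -t -cf /etc/dhcp/dhcpd.conf, complements this before restarting the service.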

 

Configuring the NTP service

# nano /etc/ntp.conf

Check that the following lines are present:

pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

And add at the end of the file:

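# let LAN clients query the time, without modify or trap rights
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# local clock driver (127.127.1.0) as a last-resort source
server 127.127.1.0
fudge 127.127.1.0 stratum 10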

Optional (if the time zone is set incorrectly):

# rm -f /etc/localtime
# ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
# systemctl restart ntp
# systemctl enable ntp

Checking that the NTP service works:

# timedatectl
[...]
 Network time on: yes
NTP synchronized: yes
[...]
# ntpstat
synchronised to NTP server (85.199.214.100) at stratum 2 
   time correct to within 214 ms
   polling server every 64 s
# ntpq -pn

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
+213.251.53.217  193.0.0.229      2 u   47   64    3   26.459  -44.130  25.273
+195.195.221.100 .GPS.            1 u   45   64    3   42.107  -44.116  27.831
#206.108.0.132   .PPS.            1 u   43   64    3   98.158  -46.388  29.277
+85.199.214.98   .GPS.            1 u   43   64    3   20.811  -47.295  31.447
*85.199.214.100  .GPS.            1 u   43   64    3   23.190  -46.144  29.599
+139.59.199.215  82.69.223.180    2 u   44   64    3   22.395  -45.591  29.877
-95.215.175.2    192.146.137.13   3 u   41   64    3   28.765  -42.120  29.293
-134.0.16.1      195.66.241.3     2 u   41   64    3   18.889  -46.715  31.105
-178.79.152.182  87.242.168.84    2 u   40   64    3   20.219  -48.064  29.557
-109.74.206.120  140.203.204.77   2 u   38   64    3   29.336  -47.921  31.323
-213.171.220.65  82.110.47.117    2 u   39   64    3   27.762  -35.820  29.345
 80.177.149.123  .GPS.            1 u   33   64    1   55.299  -50.126   4.119

 

Installing the FOG server itself

# mkdir git
# cd git
# git clone https://github.com/FOGProject/fogproject.git
# cd fogproject/bin
# ./installfog.sh
   +------------------------------------------+
   |     ..#######:.    ..,#,..     .::##::.  |
   |.:######          .:;####:......;#;..     |
   |...##...        ...##;,;##::::.##...      |
   |   ,#          ...##.....##:::##     ..:: |
   |   ##    .::###,,##.   . ##.::#.:######::.|
   |...##:::###::....#. ..  .#...#. #...#:::. |
   |..:####:..    ..##......##::##  ..  #     |
   |    #  .      ...##:,;##;:::#: ... ##..   |
   |   .#  .       .:;####;::::.##:::;#:..    |
   |    #                     ..:;###..       |
   |                                          |
   +------------------------------------------+
   |      Free Computer Imaging Solution      |
   +------------------------------------------+
   |  Credits: http://fogproject.org/Credits  |
   |       http://fogproject.org/Credits      |
   |       Released under GPL Version 3       |
   +------------------------------------------+

What version of Linux would you like to run the installation for?
Choice: [2] 2 ( 2: Debian Based Linux (Debian, Ubuntu, Kubuntu, Edubuntu )

What type of installation would you like to do? [N/s (Normal/Storage)] N
Normal Server: (Choice N) 
          This is the typical installation type and
          will install all FOG components for you on this
          machine.  Pick this option if you are unsure what to pick.

What is the IP address to be used by this FOG Server? [192.168.1.10] Enter

Would you like to change the default network interface from enp0s3?
If you are not sure, select No. [y/N] N

Would you like to setup a router address for the DHCP server? [Y/n] Y
What is the IP address to be used for the router on the DHCP server? [192.168.1.1] Enter

Would you like DHCP to handle DNS? [Y/n] Y
What DNS address should DHCP allow? [8.8.8.8]

Would you like to use the FOG server for DHCP service? [y/N] N

This version of FOG has internationalization support,
would you like to install the additional language packs? [y/N] y

Summary of the information provided:

 * Here are the settings FOG will use:
 * Base Linux: Debian
 * Detected Linux Distribution: Debian GNU/Linux
 * Server IP Address: 192.168.1.10
 * Server Subnet Mask: 255.255.255.0
 * Interface: enp0s3
 * Installation Type: Normal Server
 * Internationalization: 1
 * Image Storage Location: /images
 * Using FOG DHCP: No
 * DHCP will NOT be setup but you must setup your
 | current DHCP server to use FOG for PXE services.
 * On a Linux DHCP server you must set: next-server and filename

The following packages are installed:

apache2 bc build-essential cpp
curl g++ gawk gcc
genisoimage gettext gzip htmldoc
isolinux lftp libapache2-mod-php7.0 libc6
libcurl3 liblzma-dev m4 mysql-client
mysql-server net-tools nfs-kernel-server openssh-server
php7.0 php7.0-bcmath php7.0-cli php7.0-curl
php7.0-fpm php7.0-gd php7.0-json php7.0-mbstring
php7.0-mcrypt php7.0-mysql php7.0-mysqlnd php-gettext
sysv-rc-conf tar tftpd-hpa tftp-hpa
unzip vsftpd wget xinetd
zlib1g
Is the MySQL password blank? (Y/n) Y

The database schema is then installed.
When prompted, open the following address:

http://fogserver/fog/management


Confirm with Install/Update Now to start the installation of the database schema.
 

Installation complete:

   http://fogserver/fog/management

   Default User Information
   Username: fog
   Password: password


 

 
The installation above generated a file /opt/fog/.fogsettings along these lines:

## Start of FOG Settings
## Created by the FOG Installer
## Find more information about this file in the FOG Project wiki:
##     https://wiki.fogproject.org/wiki/index.php?title=.fogsettings
## Version: 1.5.4
## Install time: lun. 05 nov. 2018 23:58:04 GMT
ipaddress='192.168.1.10'
copybackold='0'
interface='enp0s3'
submask='255.255.255.0'
routeraddress='192.168.1.1'
plainrouter='192.168.1.1'
dnsaddress='8.8.8.8'
username='fog'
password='bYhJGvsenUP+OxlU7MzQXj/t3bk8UG4nhtXSCZsXZG0='
osid='2'
osname='Debian'
dodhcp='N'
bldhcp='0'
dhcpd='isc-dhcp-server'
blexports='1'
installtype='N'
snmysqluser='root'
snmysqlpass=''
snmysqlhost='localhost'
installlang='1'
storageLocation='/images'
fogupdateloaded=1
docroot='/var/www/'
webroot='/fog/'
caCreated='yes'
httpproto='http'
startrange=''
endrange=''
bootfilename='undionly.kpxe'
packages='apache2 bc build-essential cpp curl g++ gawk gcc genisoimage \
gettext gzip htmldoc isolinux lftp libapache2-mod-php7.0 libc6 libcurl3 \
liblzma-dev m4 mysql-client mysql-server net-tools nfs-kernel-server \
openssh-server php7.0 php7.0-bcmath php7.0-cli php7.0-curl php7.0-fpm \
php7.0-gd php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql \
php-gettext sysv-rc-conf tar tftpd-hpa tftp-hpa unzip vsftpd wget xinetd zlib1g'
noTftpBuild=''
notpxedefaultfile=''
sslpath='/opt/fog/snapins/ssl/'
backupPath='/home/'
php_ver='7.0'
php_verAdds='-7.0'
sslprivkey='/opt/fog/snapins/ssl//.srvprivate.key'
## End of FOG Settings

The installation can be automated from the file above:

./installfog.sh -y
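
An added example, not part of the original article or of the FOG project: a read-only audit of the settings file, which flags the empty snmysqlpass, the use of the database root account, plain http and loose file permissions. The function names are hypothetical and the sample is constructed from the values in the listing above.

```shell
#!/bin/sh
# Added example, not from the original article: read-only audit of a FOG
# settings file. The file is parsed, never sourced. Function names are hypothetical.

# Print the value of KEY from a key='value' line (last occurrence wins).
fogsetting() {
    sed -n "s/^$2='\{0,1\}\([^']*\)'\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

audit_fogsettings() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "ERROR: cannot read $f"
        return 0
    fi
    if grep -q '^snmysqlpass=' "$f" && [ -z "$(fogsetting "$f" snmysqlpass)" ]; then
        echo "FINDING: snmysqlpass is empty, the database account has no password"
    fi
    if [ "$(fogsetting "$f" snmysqluser)" = "root" ]; then
        echo "FINDING: snmysqluser is root, FOG runs on the database superuser"
    fi
    if [ "$(fogsetting "$f" httpproto)" = "http" ]; then
        echo "FINDING: httpproto is http, web UI and client traffic are unencrypted"
    fi
    # The file stores credentials, so only its owner should be able to read it.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FINDING: $f is readable by group or others"
    fi
    return 0
}

# Constructed sample carrying the same values as the listing above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
username='fog'
snmysqluser='root'
snmysqlpass=''
snmysqlhost='localhost'
httpproto='http'
EOF
chmod 644 "$sample"
audit_fogsettings "$sample"
rm -f "$sample"
```

On the server itself, run audit_fogsettings /opt/fog/.fogsettings before reusing the file for an unattended installation.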

 

(Optional) Script to start the FOG services after a delay

# systemctl disable FOG{MulticastManager,Scheduler,SnapinReplicator,ImageReplicator}
# systemctl disable nfs-server
# systemctl disable rpcbind
# nano /etc/rc.local
#!/bin/bash

sleep 30
touch /var/lock/subsys/local
systemctl start nfs-server
systemctl start rpcbind
systemctl start FOGMulticastManager
systemctl start FOGScheduler
systemctl start FOGSnapinReplicator
systemctl start FOGImageReplicator
exit 0
# chmod +x /etc/rc.local
# reboot

 

Changing the database connection password

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> update user set plugin='mysql_native_password' where user='root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> quit;
Bye

A password must now be set for root, and a few default security settings corrected.

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

The root password must now be entered in the following file:

/var/www/html/fog/lib/fog/config.class.php

 

Adding an existing client

On an existing client, Windows 7 for example, the FOG agent must be installed from the following address:

http://fogserver/fog/client

This is the SmartInstaller.exe executable, which requires .NET 4.0.30319 to be installed first.
 
We can then create an image, capture the image of a client, deploy an image to a new client, and so on.
 
For a test lab, it is best to put the VMs on an internal network and either have a working primary DNS server or list the VMs concerned in each machine's /etc/hosts file (clients included, otherwise the message "Unable to install CA certificate" appears while installing the FOG agent).
 

Note: in a virtual environment, the technical specifications of the host machine can cause blocking hardware incompatibilities when the client machines boot:
 

 
