问题[pxe-boot](server)

我已经设置了一个 pxe 服务器，并想从中启动客户端主机。我根据https://wiki.debian.org/PXEBootInstall教程来 pxe 启动 debian 安装程序。

我们知道，pxe 服务器由 dhcp 服务器和 tftp 服务器组成。两者都可以工作。当我将客户端启动到普通的 linux 操作系统时，它可以获取一个 ipv4 地址，并通过 tftp 从服务器下载文件。但是当我启动到 pxe 时，通过在启动菜单中选择相应的选项，它会获取 ip 地址，但不会尝试下载任何文件。我在服务器上使用 tcpdump 和“journalctl -b0 -u tftpd”来获取一些信息。它没有显示客户端通过 tftp 获取文件的任何尝试。

最有趣的一点是，另一台计算机（一台旧的 Fujitsu Esprimo）能够从该服务器进行 pxe 启动。但我想启动一台“HP Elite Tower 800 G9 台式电脑”，它的行为与之前解释的一样。我想到，提供的文件可能适用于老式 bios，不适合较新的 uefi。但我排除了这种可能性，因为客户端甚至没有尝试下载该文件。但谁知道呢，这仍然是可以想象的。

我尝试更改 bios-config（F10），因为这是一个可行的解决方案。我的 uefi-config 的当前状态如下

Advanced > Boot Options > Network (PXE) Boot, enabled
Advanced > Boot Options > Network Boot TFTP Window Size, has value 1
Advanced > Boot Options > UEFI Boot Order, all options except 'NETWORK BOOT: IPV4 Network' are disabled

Security > TPM Embedded Security > TPM Device, Hidden

所以这是 dhcp 服务器 dnsmasq 的配置文件。

interface=enp0s31f6
domain=ftpdom.com
dhcp-range=192.168.0.3,192.168.0.253,255.255.255.0,1h
dhcp-boot=pxelinux.0,pxeserver,192.168.0.2

dhcp-host=bc:0f:f3:c4:[...],set:allowed,192.168.0.167
dhcp-ignore=#known


enable-tftp
tftp-root=/srv/tftp
pxe-service=x86PC, "PXELINUX (BIOS)", "pxelinux.0"
pxe-service=X86-64_EFI,"PXE (UEFI)","grubx64.efi"

pxe-service=2, "PXELINUX (0002-EFI)", "grubx64.efi"
pxe-service=6, "PXELINUX (0006-EFI)", "grubx64.efi"
pxe-service=7, "PXELINUX (0007-EFI)", "grubx64.efi"
pxe-service=8, "PXELINUX (0008-EFI)", "grubx64.efi"
pxe-service=9, "PXELINUX (0009-EFI)", "grubx64.efi"

客户端启动时的输出是

>>>Start PXE over IPv4
   Station IP address is 192.168.0.167
PXE (UEFI)
PXELINUX (0007-EFI)

我正在尝试设置 DHCP 故障转移，并允许从其中一台 DHCP 服务器进行 PXE 引导。根据 DHCP 规范的要求，我为“常规”DHCP 和 PXE 启动设置了单独的池。我的故障转移配置工作正常，但应该响应 PXE 请求的 DHCP 配置不再工作。

背景：我最近升级到了 AlmaLinux 9（从 CentOS 7），它运行 ISC DHCP 4.4。在旧配置中，我没有 DHCP 故障转移，并且允许从整个池进行 PXE 引导。由于我们站点的硬件故障历史记录，我想设置 DHCP 故障转移。

出于此配置的目的，我们将应该响应 PXE 请求的系统称为“主”DHCP 服务器。/etc/dhcp/dhcpd/conf这是该服务器的一个片段。请注意，我设置了一个单独的池来处理 PXE/BOOTP 查询。（请原谅这些评论的说教语气。它们是为我做系统管理员工作的。）

authoritative; # Send out acknowledgements to DHCP client queries.

failover peer "dhcp-failover" {
  primary; # declare this to be the primary server
  address 10.4.7.9;
  port 647;
  peer address 10.4.7.210;
  peer port 647;
  # How many seconds to wait before we assume that the other has failed.
  max-response-delay 30;
  # How many BNDUPD messages to send before receiving BNDACK.
  max-unacked-updates 10;
  # How many seconds to wait before disabling load balancing.
  load balance max seconds 3;
  # Maximum Client Lead Time = How long a lease may be renewed
  # without contacting the other DHCP peer.
  mclt 1800;
  # The split between primary and secondary. 128 means a
  # 50% split between peers; 255 means the primary handles
  # everything until it fails. 
  split 128;
}

# This is the primary DHCP server. Respond to BOOTP requests.
allow booting;
allow bootp;

option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time

# Is this a DHCP query (as opposed to a BOOTP query)?
class "dhcp" {
      match if exists dhcp-message-type;
}
class "pxe" {
      match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}

subnet 10.4.0.0 netmask 255.255.0.0 {
    default-lease-time 86400; # one day (in seconds)
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.4.255.255;
    option routers 10.4.0.1;
    option domain-name-servers 10.4.7.7, 10.4.7.29; 
    option domain-name "company.example.com";
    option time-offset -18000; # Eastern Standard Time
    option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;

    pool {
         failover peer "dhcp-failover";
         deny dynamic bootp clients;
         deny members of "pxe";
         range 10.4.45.1 10.4.45.250; # DHCP pool on private network
    }
    # A separate pool for BOOTP services.
    pool {
         range dynamic-bootp 10.4.45.251 10.4.45.255; # DHCP pool on private network
         allow dynamic bootp clients;
         deny members of "dhcp";
         allow members of "pxe";
         next-server 10.4.7.9;    # On which system the bootp filename is located.

         if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {

            if substring(option vendor-class-identifier,15,5) = "00007" {
               log(info,"UEFI PXE Boot - private network");
               filename "pxelinux/grubx64.efi"; # The file to load for EFI systems.
               }
            else {
                log(info,"BIOS PXE Boot - private network");
                filename "pxelinux.0"; # The file to load via bootp for BIOS systems.
                }
        }
    }
}

这是来自/etc/dhcp/dhcpd.conf故障转移/辅助/非 PXE 服务器：

authoritative; # Send out acknowledgements to DHCP client queries. 

failover peer "dhcp-failover" {
  secondary; # declare this to be the secondary server
  address 10.4.7.210;
  port 647;
  peer address 10.4.7.9;
  peer port 647;
  # How many seconds to wait before we assume that the other has failed.
  max-response-delay 30;
  # How many BNDUPD messages to send before receiving BNDACK.
  max-unacked-updates 10;
  # How many seconds to wait before disabling load balancing.
  load balance max seconds 3;
}

# Make sure that this failover DHCP server does _not_
# respond to bootp.
deny bootp;

option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time

# Is this a DHCP query (as opposed to a BOOTP query)?
class "dhcp" {
      match if exists dhcp-message-type;
}
class "pxe" {
      match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}

subnet 10.4.0.0 netmask 255.255.0.0 {
    default-lease-time 86400; # one day (in seconds)
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.4.255.255;
    option routers 10.4.0.1;
    option domain-name-servers 10.4.7.7, 10.4.7.29; 
    option domain-name "company.example.com";
    option time-offset -18000; # Eastern Standard Time
    option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;

    # Note that there are a few IP addresses in the range of the primary
    # server that are not included here. This is for BOOTP, which is
    # not handled by the secondary server.
    pool {
         failover peer "dhcp-failover";
         deny dynamic bootp clients;     
         deny members of "pxe";
         range 10.4.45.1 10.4.45.250; # DHCP pool on private network
    }
}

我知道我对“dhcp”和“pxe”类做得太过了。我在尝试解决问题时添加了它们。除了引入下面的日志消息之外，它们没有任何作用peer holds all free leases。

这是我在“主”服务器的日志中看到的内容。请注意，这52:54:00:31:f2:7f是我设置为通过 PXE 启动的测试系统的 MAC 地址，然后它“放弃”并从磁盘启动。

Sep  8 14:20:46 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:20:49 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:20:57 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:21:13 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases

这是来自“辅助”服务器上的日志。这与客户端首次启动时大约一分钟的延迟是一致的，因为它试图找到 PXE 服务器，直到它从操作系统启动切换到以通常的方式获取 DHCP 地址。

Sep  8 14:20:46 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:20:46 dhcpdsec dhcpd[67768]: bind update on 10.4.45.183 from dhcp-failover rejected: incoming update is less critical than outgoing update
Sep  8 14:20:49 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:20:57 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:21:13 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep  8 14:22:03 dhcpdsec dhcpd[67768]: DHCPREQUEST for 10.4.45.183 from 52:54:00:31:f2:7f via enp7s0
Sep  8 14:22:04 dhcpdsec dhcpd[67768]: DHCPACK on 10.4.45.183 to 52:54:00:31:f2:7f via enp7s0

通过在早期测试中的反复尝试，我确认 的值substring (option vendor-class-identifier, 0, 9)确实是PXEClient。

我已经尝试停止两台机器上的 dhcpd 守护进程并手动编辑 in 的52:54:00:31:f2:7f条目/var/lib/dhcpd/dhcpd.leases。不用找了。

有任何想法吗？

编辑：我想到，发布我以前的 DHCP 配置（无需故障转移）可能会有所帮助。PXE 启动工作正常：

subnet 10.4.0.0 netmask 255.255.0.0 {
    range dynamic-bootp 10.4.45.1 10.4.45.254; # DCHP pool on private network
    default-lease-time 86400; # one day (in seconds)
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.4.255.255;
    option routers 10.4.0.1;
    option domain-name-servers 10.4.7.7, 10.4.7.29; 
    option domain-name "nevis.columbia.edu";
    option time-offset -18000; # Eastern Standard Time
    option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;
    next-server 10.4.7.9;    # On which system the bootp filename is located.

    if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {

        if substring(option vendor-class-identifier,15,5) = "00007" {
            log(info,"UEFI PXE Boot - private network");
            filename "pxelinux/grubx64.efi"; # The file to load for EFI systems.
            }
        else {
            log(info,"BIOS PXE Boot - private network");
            filename "pxelinux.0"; # The file to load via bootp for BIOS systems.
        }
    }
}

我在网络中的 Windows 服务器上安装了 WDS 和 MDT。WDS 服务器与客户端计算机位于同一子网上。尝试通过 PXE 启动 LiteTouch 时，我的 VMware 虚拟机出现以下错误：

我不知道如何摆脱错误。我试过了：

1. 在 MDT 中重新创建 LiteTouch 启动映像并将其重新导入 WDS。
2. 多次重启 WDS/MDT 服务器。
3. E1000E在和之间切换客户端 VM 的适配器类型VMXNET3。
4. 删除并重新安装 VM 上的硬盘驱动器。

关于我应该如何进行故障排除的任何其他想法？

我正在使用带有 grub 的 netboot/pxeboot。

menuentry "Install Ubuntu 20.04" {
  set gfxpayload=keep
  echo 'Loading vmlinuz ...'
  linux  /tftp/vmlinuz ip=dhcp netboot=nfs nfsroot=10.0.0.20:/data/netboot/nfs/ubuntu2004/ boot=casper toram noquiet splash=off console=tty0 console=ttyS1,57600n8 ---
  echo 'Loading initrd, this takes a long time ...'
  initrd /tftp/initrd
}

它工作正常，但是，通过 tftp 加载 initrd 需要很长时间（30 多分钟）。我想压缩（gz/bz2）这个文件以节省一些文件传输时间。

我看到了一些例子，指的是initrd.gz（一个例子：https ://unix.stackexchange.com/questions/217002/which-iso-file-vmlinuz-and-initrd-gz-to-use-for-installing- centos-from-multiboo）但是当我试图用 gzip 压缩文件并使用它时，我收到一个错误，例如：

[   12.543547] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[   12.558487] Please append a correct "root=" boot option; here are the available partitions:
[   12.575161] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

有没有办法压缩这个文件，以便它可以传输更小的文件大小，并在尝试挂载根 fs 之前将其解压缩？

或者，有没有办法通过不同的协议（HTTP/FTP/SFTP/SCP/etc）传输它？

我正在从 WDS 迁移到 MDT。我将在同一个盒子上安装 MDT 和 WDS。我没有理解的概念是，在此过程中，客户端 pxe 将引导到 MDT 服务而不是已经建立的 WDS 实例？

提前致谢！

我正在尝试 PXE 引导由 VMware Workstation 在我的本地计算机上制作的虚拟机。在一个单独的子网上，我有 PXE 服务器和 DHCP 服务器。我不想使用 TFTP 服务器或使用 IP Helpers。

当我启动虚拟机时，它会从 DHCP 服务器接收 IP 地址，但随后会搜索 TFTP 服务器，该服务器不在网络上，我不想创建一个。

我希望它直接从 DCHP 服务器到 PXE 服务器以找到它的操作系统并启动。我怎样才能做到这一点？

我们通过 pxeboot 安装了许多不同的服务器（主要是戴尔）。首次安装操作系统后，UEFI 启动顺序会自动更改，以允许操作系统作为第一个启动选项加载。

这对于想要一次性构建单个主机的普通人来说效果很好，但是在不断重建事物的实验室环境中，这会导致很大的问题。无论如何，安装后是否可以禁用操作系统安装以更改 UEFI 中的引导顺序。

本文对此进行了更多讨论 https://arstechnica.com/civis/viewtopic.php?f=21&t=1474353并讨论了它可能是 uefi 规范，但对此没有肯定的答案。

有没有办法在安装操作系统后不允许修改 UEFI 引导序列？

我正在尝试完全自动化地预置 debian 11 netinstall。我在这里阅读了许多文档：

这是我的引导行（来自 grub.cfg）

set default="autoinstall"
set timeout=3

menuentry "Debian 11 Fully Automated UEFI LVM LUKS BTRFS Remote Decrypt DEBUG TTY4" --id autoinstall {
        set background_color=black
        linux    /debian-installer/amd64/linux auto=true url=tftp://192.168.1.100/preseed/debseed11_crypt.cfg net.ifnames=0 biosdevname=0 ipv6.disable=1 language=en locale=en_US.UTF-8 keymap=fr vga=788 noprompt DEBCONF_DEBUG=5 --- quiet
        initrd   /debian-installer/amd64/initrd.gz
}

这是我的预置文件：

#### Preseed preconfiguration file (for Debian buster)
### Partman early command
### Kernal parameter
#d-i debian-installer/add-kernel-opts string net.ifnames=0 biosdevname=0 hostname=unassigned-hostname domain=unassigned-domain
#d-i debconf/priority critical

#d-i debian-installer/add-kernel-opts string net.ifnames=0 biosdevname=0 console=ttyS0,19200n8
### Localization
d-i debian-installer/locale string en_US
d-i debian-installer/language string en
d-i debian-installer/country string US
#d-i debian-installer/locale string en_US.UTF-8 fr_FR.UTF-8
d-i localechooser/supported-locales multiselect en_US.UTF-8, fr_FR.UTF-8

### Keyboard selection
d-i keyboard-configuration/xkb-keymap select fr

###  Network configuration

# Netcfg choisira une interface connectée si possible. Cela empêchera
# # d'afficher une liste s'il y a plusieurs interfaces.
d-i netcfg/choose_interface select auto

#d-i netcfg/choose_interface select eth0
d-i netcfg/use_dhcp string true
d-i netcfg/link_wait_timeout string 10
d-i netcfg/dhcp_timeout string 60

#d-i netcfg/disable_autoconfig boolean true

d-i netcfg/dhcp_failed note
#d-i netcfg/dhcp_options select auto

#Configure network manually
# IPv4 Static network configuration
#d-i netcfg/get_ipaddress string 192.168.1.120
#d-i netcfg/get_netmask string 255.255.255.0
#d-i netcfg/get_gateway string 192.168.1.1
#d-i netcfg/get_nameservers string 192.168.1.1
#d-i netcfg/confirm_static boolean true

# Set a hostname
#d-i netcfg/get_hostname string zhurong
#d-i netcfg/get_domain string planet.mars
# Force a hostname
#d-i netcfg/hostname string zhurong.planet.mars
# Disable that annoying WEP key dialog
d-i netcfg/wireless_wep string


d-i netcfg/get_hostname unassigned-hostname 
d-i netcfg/get_domain unassigned-domain
d-i netcfg/get_hostname seen true
d-i netcfg/get_domain seen true

### Mirror settings
d-i mirror/country string manual
d-i mirror/http/hostname string httpredir.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string

### Account setup
# Skip creation of a normal user account
d-i passwd/make-user boolean false
# Set root password
# or encrypted using a crypt(3)  hash.
d-i passwd/root-password-crypted password $6$47Cx5oMpkh66eYNI$LV76xupgkvZ3rHJCq1NgXKzp3bBDv6g0FmMiSvmUp1jqaIkTEz5F6eA.SRhBzyPReVQEnzZWwFWSdKGBBn.tE1

### Clock and time zone setup
# Set hardware clock to UTC
d-i clock-setup/utc boolean true
# Set timezone
d-i time/zone string Europe/Paris
# Use NTP clock during installation
d-i clock-setup/ntp boolean true

### Partitioning
# LVM LUKS method

# Inhibit partman to fill the disk with random data 
d-i partman-auto-crypto/erase_disks boolean false

#d-i partman/early_command \
#       string dd if=/dev/zero of=/dev/sda bs=512 count=1
d-i partman-auto/method string crypto
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string debian
d-i partman-auto/disk string /dev/vda
d-i partman-auto/choose_recipe select boot-crypto
d-i partman-crypto/passphrase       password  aaabbbccc
d-i partman-crypto/passphrase-again password  aaabbbccc
d-i partman-auto/expert_recipe string \
boot-crypto :: \
  1024 1024 1024 ext4 \
          $primary{ } $bootable{ } \
          method{ format } format{ } \
          use_filesystem{ } filesystem{ ext4 } \
          mountpoint{ /boot } \
  . \
  8192 8192 8192 linux-swap \
          $lvmok{ } lv_name{ swap } \
          in_vg { debian } \
          method{ swap } format{ } \
  . \
  80896 80896 1000000 btrfs \
          $lvmok{ } lv_name{ root } \
          in_vg { debian } \
          method{ format } format{ } \
          use_filesystem{ } filesystem{ btrfs } \
          mountpoint{ / } \
   . \

#d-i partman-basicfilesystems/no_mount_point boolean false
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

### Apt setup
d-i apt-setup/cdrom/set-first boolean false
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false
d-i apt-setup/services-select multiselect security, updates
d-i apt-setup/security_host string security.debian.org
### Package selection
tasksel tasksel/first multiselect standard
# Individual additional packages to install
d-i pkgsel/include string openssh-server vim tmux tcpdump dropbear-initramfs cryptsetup-initramfs python3.9
d-i pkgsel/upgrade select full-upgrade
d-i pkgsel/update-policy select none
d-i pkgsel/updatedb boolean true
popularity-contest popularity-contest/participate boolean false


### GRUB STUFF
d-i grub-installer/only_debian boolean true
d-i grub-installer/bootdev  string default

# Note: options passed to the installer will be added automatically. 
#d-i debian-installer/add-kernel-opts string nousb

# Optional password for grub, either in clear text
# #d-i grub-installer/password password r00tme
# #d-i grub-installer/password-again password r00tme
# # or encrypted using an MD5 hash, see grub-md5-crypt(8).
# #d-i grub-installer/password-crypted password [MD5 hash]
#
# # Use the following option to add additional boot parameters for the
# # installed system (if supported by the bootloader installer).
# # Note: options passed to the installer will be added automatically.
# #d-i debian-installer/add-kernel-opts string nousb
#
# ### Finishing up the installation
# # Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note


d-i preseed/late_command string \
  mkdir -p -m 700 /target/root/.ssh; \
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEe3gF//znGIzq30frI6O9qDn5eM6uqEZZlx7mR5SiS" > /target/root/.ssh/authorized_keys; \
  in-target chown --recursive root:root /root/.ssh; \
  in-target chmod 0644 /root/.ssh/authorized_keys; \
  in-target update-alternatives --set editor /usr/bin/vim.basic; \
  in-target passwd --expire root; \
  in-target echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEe3gF//znGIzq30frI6O9qDn5eM6uqEZZlx7mR5SiS' > /etc/dropbear-initramfs/authorized_keys; \
  in-target sed -i '/*PasswordAuthentication*/c\PasswordAuthentication no' /etc/ssh/sshd_config; \
  in-target sed -i '/*PasswordAuthentication*/c\PasswordAuthentication no' /etc/ssh/sshd_config; \
  in-target systemctl enable --now sshd; \
  in-target sed -i '/*DROPBEAR_OPTIONS=*/c\DROPBEAR_OPTIONS="-I 300 -j -k -p 22 -s -c /bin/cryptroot-unlock "' /etc/dropbear-initramfs/config; \
  in-target sed -i '/*IP=*/c\IP="dhcp"' /etc/initramfs-tools/initramfs.conf; \
  in-target update-initramfs -u;
#

目前我得到 debien 安装程序要求我：

• 主机名
• 域名

我只是想摆脱这些问题。这是我尝试过的：

• 我尝试在 pxe 服务器上的命令行内核选项中使用 priority=critical。
• 我将我的 dhcpd 服务器配置为管理此特定主机的主机名域名。

host curiosity {
hardware ethernet 12:34:45:12:34:56;
fixed-address 192.168.1.90;
option host-name "curiosity";
option domain-name "planet.mars";
}

我知道我可以设置主机名/域变量，一切都会好起来的，但我想制作一个非常通用的预置来部署在多个服务器上。

一些帮助或线索将不胜感激。

提前谢谢你。

编辑：已解决：

顺便说一句，第一个 preseed 并不完美。如果有人对此感兴趣，那就更好了。

它通过 ssh DEBUG TTY4 实现全自动 Debian 11 UEFI LUKS BTRFS 远程解密

#### Preseed preconfiguration file (for Debian bullseye)

# Debian 11 Fully Automated UEFI LVM LUKS BTRFS Remote Decrypt via ssh DEBUG # TTY4


### Partman early command
### Kernel parameter
#d-i debian-installer/add-kernel-opts string net.ifnames=0 biosdevname=0 hostname=unassigned-hostname domain=unassigned-domain
#d-i debconf/priority critical

#d-i debian-installer/add-kernel-opts string net.ifnames=0 biosdevname=0 console=ttyS0,19200n8
### Localization
d-i debian-installer/locale string en_US
d-i debian-installer/language string en
d-i debian-installer/country string US
#d-i debian-installer/locale string en_US.UTF-8 fr_FR.UTF-8
d-i localechooser/supported-locales multiselect en_US.UTF-8, fr_FR.UTF-8

### Keyboard selection
d-i keyboard-configuration/xkb-keymap select fr

###  Network configuration

# Netcfg choisira une interface connectée si possible. Cela empêchera
# # d'afficher une liste s'il y a plusieurs interfaces.
d-i netcfg/choose_interface select auto

#d-i netcfg/choose_interface select eth0
d-i netcfg/use_dhcp string true
d-i netcfg/link_wait_timeout string 10
d-i netcfg/dhcp_timeout string 60

#d-i netcfg/disable_autoconfig boolean true

d-i netcfg/dhcp_failed note
#d-i netcfg/dhcp_options select auto

#Configure network manually
# IPv4 Static network configuration
#d-i netcfg/get_ipaddress string 192.168.1.120
#d-i netcfg/get_netmask string 255.255.255.0
#d-i netcfg/get_gateway string 192.168.1.1
#d-i netcfg/get_nameservers string 192.168.1.1
#d-i netcfg/confirm_static boolean true

# Set a hostname
#d-i netcfg/get_hostname string zhurong
#d-i netcfg/get_domain string planet.mars
# Force a hostname
#d-i netcfg/hostname string zhurong.planet.mars
# Disable that annoying WEP key dialog
d-i netcfg/wireless_wep string

#d-i netcfg/get_hostname=install
d-i netcfg/get_hostname unassigned-hostname 
d-i netcfg/get_domain unassigned-domain
d-i netcfg/get_hostname seen true
d-i netcfg/get_domain seen true

### Mirror settings
d-i mirror/country string manual
d-i mirror/http/hostname string httpredir.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string

### Account setup
# Skip creation of a normal user account
d-i passwd/make-user boolean false
# Set root password
# or encrypted using a crypt(3)  hash.
d-i passwd/root-password-crypted password $6$47Cx5oMpkh999YNI$XG76xupgkvZ3rHJCq1NgXKzp3bBfIuj0FmMiSvmUp1jqaIkTEz5F6eA.SRhBzyPReVQEnzZWwFWSdYGCBn.tE1

### Clock and time zone setup
# Set hardware clock to UTC
d-i clock-setup/utc boolean true
# Set timezone
d-i time/zone string Europe/Paris
# Use NTP clock during installation
d-i clock-setup/ntp boolean true

### Partitioning
# LVM LUKS method

# Inhibit partman to fill the disk with random data 
d-i partman-auto-crypto/erase_disks boolean false

#d-i partman/early_command \
#       string dd if=/dev/zero of=/dev/sda bs=512 count=1

# Force UEFI booting ('BIOS compatibility' will be lost). Default: false.
d-i partman-efi/non_efi_system boolean false
# Ensure the partition table is GPT - this is required for EFI
d-i partman-partitioning/choose_label string gpt
d-i partman-partitioning/default_label string gpt

d-i partman-auto/method string crypto
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string debian
d-i partman-auto/disk string /dev/sda
d-i partman-auto/choose_recipe select boot-crypto
d-i partman-crypto/passphrase       password  aabbcc
d-i partman-crypto/passphrase-again password  aabbcc
d-i partman-auto/expert_recipe string \
boot-crypto :: \
  512 50 512 fat32 \
          $primary{ } $bootable{ } \
          method{ efi } format{ } \
          mountpoint{ /boot/efi } \
  . \
  1024 1024 1024 ext4 \
          $primary{ } $bootable{ } \
          method{ format } format{ } \
          use_filesystem{ } filesystem{ ext4 } \
          mountpoint{ /boot } \
  . \
  8192 8192 8192 linux-swap \
          $lvmok{ } lv_name{ swap } \
          in_vg { debian } \
          method{ swap } format{ } \
  . \
  80896 80896 1000000 btrfs \
          $lvmok{ } lv_name{ root } \
          in_vg { debian } \
          method{ format } format{ } \
          use_filesystem{ } filesystem{ btrfs } \
          mountpoint{ / } \
  . \

#d-i partman-basicfilesystems/no_mount_point boolean false
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

### Apt setup
d-i apt-setup/cdrom/set-first boolean false
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false
d-i apt-setup/services-select multiselect security, updates
d-i apt-setup/security_host string security.debian.org
### Package selection
tasksel tasksel/first multiselect standard
# Individual additional packages to install
d-i pkgsel/include string openssh-server vim tmux tcpdump dropbear-initramfs cryptsetup-initramfs python3.9
d-i pkgsel/upgrade select full-upgrade
d-i pkgsel/update-policy select none
d-i pkgsel/updatedb boolean true
popularity-contest popularity-contest/participate boolean false


### GRUB STUFF
d-i grub-installer/only_debian boolean true
d-i grub-installer/bootdev  string default

# Note: options passed to the installer will be added automatically. 
#d-i debian-installer/add-kernel-opts string nousb

# Optional password for grub, either in clear text
# #d-i grub-installer/password password r00tme
# #d-i grub-installer/password-again password r00tme
# # or encrypted using an MD5 hash, see grub-md5-crypt(8).
# #d-i grub-installer/password-crypted password [MD5 hash]
#
# # Use the following option to add additional boot parameters for the
# # installed system (if supported by the bootloader installer).
# # Note: options passed to the installer will be added automatically.
# #d-i debian-installer/add-kernel-opts string nousb
#
# ### Finishing up the installation
# # Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note


d-i preseed/late_command string \
  mkdir -p -m 700 /target/root/.ssh; \
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEe3gF//znGIzq30frI6O9qDn5eM6uqEZZlx7mR5SiS" > /target/root/.ssh/authorized_keys; \
  in-target chown --recursive root:root /root/.ssh; \
  in-target chmod 0644 /root/.ssh/authorized_keys; \
  in-target update-alternatives --set editor /usr/bin/vim.basic; \
  

d-i preseed/late_command string \
  mkdir -p -m 700 /target/root/.ssh; \
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEe3gF//znGIzq30frI6O9qDn5eM6uqEZZlx7mR5SiS" > /target/root/.ssh/authorized_keys; \
  in-target chown --recursive root:root /root/.ssh; \
  in-target chmod 0644 /root/.ssh/authorized_keys; \
  in-target update-alternatives --set editor /usr/bin/vim.basic; \
  echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEe3gF//znGIzq30frI6O9qDn5eM6uqEZZlx7mR5SiS' > /target/etc/dropbear-initramfs/authorized_keys; \
  echo 'PasswordAuthentication no' >> /target/etc/ssh/sshd_config.d/setup; \
  echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config.d/setup; \
  echo 'auto eno1' >> /target/etc/network/interfaces; \
  sed -i 's/eth0/eno1/g' /target/etc/network/interfaces; \
  in-target systemctl enable --now sshd; \
  echo 'DROPBEAR_OPTIONS="-I 300 -j -k -p 22 -s -c /bin/cryptroot-unlock"' >> /target/etc/dropbear-initramfs/config; \
  echo 'IP="dhcp"' >> /target/etc/initramfs-tools/initramfs.conf; \
  in-target update-initramfs -u;

#  in-target passwd --expire root; \

解决 ！

在自动安装服务器时，我不明白如何解决先有鸡还是先有蛋的问题。

我有一系列可以通过 PXE 重建的服务器。当一台机器被重建时，它会从一个 Apache 服务器加载它需要的所有设置——包括它在以后使用不同服务时用来验证自己的私有证书。此 Apache 服务器通过其 IP 地址识别客户端，以便为它们提供用于给定服务器的配置或证书，或者拒绝提供它。

但是，客户端的 IP 地址可能会被欺骗。MAC地址也一样，如果在某个时候我也添加了这种验证。

为了安全地获取其配置和私有证书，通过 PXE 引导的机器应该已经有一个证书，它可以在与 Apache 服务器通信时使用它。但是，这看起来不太可能，因为从 PXE 引导的机器要么是全新的，要么会在安装过程中格式化其磁盘。

我错过了什么吗？如何在没有欺骗风险的情况下识别新机器？

我应该使用包含私钥的始终连接的 USB 密钥吗？或者还有其他选择吗？

我是否需要创建特殊配置才能通过网络 pxe 引导安装具有 uefi 的 ubuntu 服务器？我的引导服务器上有默认的 pxelinux.0 文件。安装新硬件后，我检查了文件系统/sys/firmware/efi/vars/，并且 uefi 文件夹中有文件。有了这个，我的系统应该在 uefi 下运行。

由于我在互联网上找到了一些关于如何设置 uefi pxe 引导服务器的说明，我现在不太清楚这是否真的需要，因为没有它似乎也可以工作。Ubuntu – 仅使用 pxelinux 文件设置 PXE 服务器 Bios & UEFI 支持