Keeping Students from meddling with the PXE Menu

Novell Cool Solutions: Tip
By Ryan Veety

Posted: 24 Feb 2006
 

ENVIRONMENT:
OES Linux SP2
ZENworks 7 Linux
Windows XP workstations

PROBLEM: ZENworks preboot services does not provide password protection for PXE menu options.

SOLUTION: In my K-12 school we use ZENworks 7 on an OES Linux server for workstation imaging. All workstations are set to PXE boot by default, making life easy for technicians to re-image or diagnose computers. Since upgrading to ZEN 7 the ability to edit the PXE menu has saved countless hours of technicians' time. I set up menu options to test the computer's memory and hard drive, so now common problems are diagnosed in the field and fixed sooner. The one problem I've had is the inability to keep students out of the PXE menu.

I solved this by using PXELINUX instead of the ZENworks preboot service.

WARNING: Using this method will disable automatic workstation imaging. This is fine for my environment but may not be for yours. If you need automatic imaging it should be possible by making the default option boot nvlnbp.sys instead of localboot, but I haven't tried this. Then disable the PXE menu option in ConsoleOne.

I used syslinux version 3.20-pre6 because it supports the new "MENU SHIFTKEY" option. Download the syslinux source on your SLES server, or get whatever is the latest version at the time. To compile it, do the following:

  tar xvfj syslinux-3.20-pre6.tar.bz2
  cd syslinux-3.20-pre6
  make

Now create the directory tree for your imaging environment (as root):

  mkdir -p /tftpboot/boot
  mkdir /tftpboot/pxelinux.cfg
  cp pxelinux.0 com32/modules/menu.c32 /tftpboot
  cp memdisk /tftpboot/boot

Copy the Linux imaging disk images from your existing ZENworks environment. I copied mine from ZENworks 7 for Linux which had the files in /srv/tftp.

cp /srv/tftp/boot/* /tftpboot/boot

Install a tftp server on your SLES box. I used atftp 0.7cvs which is installable from YaST. I also tried tftp 0.36 from YaST and that did not work - the imaging environment failed to boot properly. The novell-tftp server included with ZENworks also works fine. Just be sure to use the runlevel editor to ensure only one tftp server is set to run.

Now set up your PXELINUX config file. Use your favorite text editor to create /tftpboot/pxelinux.cfg/default. Mine looks like this (passwords and IPs changed to protect the innocent):

DEFAULT menu.c32
PROMPT 0
TIMEOUT 100
NOESCAPE 1

MENU SHIFTKEY 1
MENU TITLE MVCSD PXE Boot Menu
MENU MASTER PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

LABEL local
        MENU LABEL Local Boot
        MENU DEFAULT
        localboot 0

LABEL imaging
        MENU LABEL ZENWorks Imaging
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/linux
        append 5 initrd=boot/initrd mode=2 rootimage=/root install=tftp://xx.xx.xx.xx/boot vga=0 tftptimeout=50

LABEL maint
        MENU LABEL ZENWorks Maintenance
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/linux
        append 5 initrd=boot/initrd mode=5 rootimage=/root install=tftp://xx.xx.xx.xx/boot vga=0 tftptimeout=50

LABEL memtest
        MENU LABEL Memory Tester
        kernel boot/memtest

LABEL hdtest
        MENU LABEL Physical Drive Test
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/memdisk
        append initrd=boot/drivetest.img

LABEL ntfspro
        MENU LABEL NTFS Utilities
        MENU PASSWD $4$V/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        kernel boot/memdisk
        append initrd=boot/ntfs_pro.img

The important parts for me are:

PROMPT 0
TIMEOUT 100
NOESCAPE 1

MENU SHIFTKEY 1

By doing this I didn't have to re-train technicians. By default the computer boots from the hard drive, and it shows the PXE menu only if you hold down Ctrl-Alt (SYSLINUX treats any of Shift, Alt, Caps-Lock, or Scroll-Lock as the SHIFTKEY), just like Novell's nvlnbp.sys. The password hash is generated by sha1pass, which is part of syslinux. Go back to your compiled syslinux source directory, run ./sha1pass "your password", and copy the output to the MENU PASSWD lines.
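The check below is an added example, not part of the original tip or of syslinux: it audits a PXELINUX menu config for the lock-down directives listed above and reports any non-local-boot label that has no MENU PASSWD. The function names, the message wording and the embedded sample config are assumptions made for the example, and it assumes global directives come before the first LABEL, as in the config above.

```python
# Added example: audit a PXELINUX menu config for the lock-down settings above.
SAMPLE = """\
DEFAULT menu.c32
PROMPT 0
TIMEOUT 100
NOESCAPE 1
MENU SHIFTKEY 1
MENU MASTER PASSWD $4$CONSTRUCTED-PLACEHOLDER$
LABEL local
        MENU DEFAULT
        localboot 0
LABEL imaging
        MENU PASSWD $4$CONSTRUCTED-PLACEHOLDER$
        kernel boot/linux
LABEL memtest
        kernel boot/memtest
"""  # constructed sample modelled on the config above; hashes are placeholders

REQUIRED = {"PROMPT": "0", "NOESCAPE": "1", "MENU SHIFTKEY": "1"}

def directive(line):
    """Split a line into (upper-cased directive, value); MENU directives are multi-word."""
    words = line.split()
    n = 1
    if words[0].upper() == "MENU":
        n = 3 if words[1:2] and words[1].upper() == "MASTER" else 2
    return " ".join(w.upper() for w in words[:n]), " ".join(words[n:])

def audit(text):
    """Return findings; assumes global directives precede the first LABEL."""
    settings, labels, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = directive(line)
        if key == "LABEL":
            current = labels.setdefault(value, {})
        else:
            (settings if current is None else current)[key] = value
    findings = [f"global: {k} is {settings.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if settings.get(k) != v]
    if "MENU MASTER PASSWD" not in settings:
        findings.append("global: MENU MASTER PASSWD not set")
    for name, opts in labels.items():
        # The local-boot default must stay open; every other entry should ask for a password.
        if "LOCALBOOT" not in opts and "MENU PASSWD" not in opts:
            findings.append(f"label {name}: no MENU PASSWD")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run against the config shown above, this would report the memtest label, which has no MENU PASSWD line. Because pxelinux.cfg/default is served over unauthenticated TFTP, the MENU PASSWD hashes are readable by every client on the network, so use passwords that are not reused elsewhere.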

The menu options I set up are the two usual ZENworks imaging options along with some diagnostic tools. You can download them all for free:

The final step is to set up your DHCP server to provide the PXE options to the workstations. Disable your ZENworks preboot services and set up these options in your DHCP server. I use ISC DHCPD v3.02, so configuration for your particular DHCP server may differ. I added the following to my dhcpd.conf (again, IPs have been changed):

option space PXE;
option PXE.mtftp-ip               code 1 = ip-address;

option space pxelinux;
option pxelinux.magic      code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";

    site-option-space "pxelinux";
    option pxelinux.magic f1:00:74:7e;
    if exists dhcp-parameter-request-list {
        # Always send the PXELINUX options (specified in hexadecimal)
        option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list,d0,d1,d2,d3);
    }
    option pxelinux.configfile "pxelinux.cfg/default";
    option pxelinux.reboottime 30;

    option vendor-class-identifier "PXEClient";
    vendor-option-space PXE;

    option PXE.mtftp-ip 0.0.0.0;
    filename "pxelinux.0";
    next-server xx.xx.xx.xx;
}

Make sure the next-server option has the IP of your tftp server. Also edit /tftpboot/boot/settings.txt and set the PROXYADDR to the IP of your imaging server.

DISCLAIMER: This setup has worked for me, but it's complicated to set up and many parts are customized for my environment. Please don't attempt this unless you are very comfortable working with config files in Linux and are willing to troubleshoot problems.

