debian9自动化部署Fully Automatic Installation（FAI）

FAI是debian wiki推荐的自动化部署工具https://wiki.debian.org/FAI，FAI官网网址为http://fai-project.org

准备工作：已部署好的debian9，使用的版本为debian9.6.0。主机ip地址：192.168.1.99

配置FAI软件仓库

root@fai-server:~# vim /etc/apt/sources.list

联网的情况下使用国内软件仓库，这边使用国内中科大debian仓库:

以下为sources.list中的内容

deb https://mirrors.ustc.edu.cn/debian/ stretch main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ stretch-updates main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ stretch-backports main contrib non-free
deb https://mirrors.ustc.edu.cn/debian-security/ stretch/updates main contrib non-free
deb http://mirrors.ustc.edu.cn/docker-ce/linux/debian stretch stable

也可配置本地仓库（借助apt-mirror软件实现）:

root@fai-server:~# apt-get -y install apt-mirror

修改apt-mirror的配置文件，配置软件仓库同步的源

root@fai-server:~# cat /etc/apt/mirror.list
############# config ##################
#set base_path    /debian9_mirror
#set mirror_path  $base_path/mirrorset skel_path    $base_path/skelset var_path     $base_path/varset cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.shset run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
deb http://ftp.hk.debian.org/debian stretch main contrib non-free
deb http://ftp.hk.debian.org/debian stretch-updates main contrib non-free
deb http://ftp.hk.debian.org/debian stretch-backports main contrib non-free
deb https://download.docker.com/linux/debian stretch stable
clean http://ftp.hk.debian.org/debian
clean https://download.docker.com/linux/debian

deb源根据自己的实际情况设置，这边添加的debian9（debian官方香港地址）的stretch、stretch-updates和stretch-backports的源（下载速度比中科大的快，不知道为什么-_-||）以及docker的软件仓库。

配置完成后退出，执行apt-mirror即可自动下载，数据量较大。
大小约为debian9：74G左右；docker-ce：692M左右

root@fai-server:~# du -h --max-depth=1 /debian_mirror/mirror/
692M    /debian_mirror/mirror/download.docker.com
74G     /debian_mirror/mirror/ftp.hk.debian.org
74G     /debian_mirror/mirror/

软件仓库同步完成后，借助apache变成可访问的软件源

root@fai-server:~# apt-get -y install apache2

做软连接至apache的html目录下

root@fai-server:~# ln -s /debian9_mirror/mirror/ftp.hk.debian.org/debian /var/www/html/debian
root@fai-server:~# ln -s /debian9_mirror/mirror/download.docker.com/linux/debian /var/www/html/docker

修改source.list

root@fai-server:~# cat /etc/apt/sources.list
deb http://192.168.1.99/debian stretch main contrib non-free
deb http://192.168.1.99/debian stretch-updates main contrib non-free
deb http://192.168.1.99/debian stretch-backports main non-free contrib
deb http://192.168.1.99/docker stretch stable

更新软件仓库。由于docker软件仓库没有gpg秘钥，会报错，可从https://download.docker.com/linux/debian/gpg 安装gpg秘钥文件。

为后面本地部署方便，可将该文件放apache的html目录下供本地机器下载使用，在需求安装docker-ce的服务器上执行“curl -fsSL http://192.168.1.99/gpg | apt-key add -”，
再执行apt-get update就不会报错了

准备工作完成后开始部署faiserver

安装软件包

root@fai-server:~# wget -O - https://fai-project.org/download/074BCDE4.asc | apt-key add -
root@fai-server:~# echo "deb http://fai-project.org/download stretch koeln" > /etc/apt/sources.list.d/fai.list
root@fai-server:~# apt-get update
root@fai-server:~# apt-get install aptitude -y
root@fai-server:~# aptitude install fai-quickstart -y
root@fai-server:~# apt-get install qemu-user-static -y

配置DHCP服务(ipv4指定网卡，注释ipv6)

root@fai-server:~# cat /etc/default/isc-dhcp-server
...
...
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s3"
#INTERFACESv6=""

根据自身情况配置dhcp服务，next-server为tftp服务器的ip

root@fai-server:~# cat /etc/dhcp/dhcpd.conf
...
...
# This is a very basic subnet declaration.subnet 192.168.1.0 netmask 255.255.255.0 {range 192.168.1.20 192.168.1.90;next-server 192.168.1.99;filename "fai/pxelinux.0";option routers 192.168.1.1;option domain-name-servers 192.168.1.1;
}
...
...

DHCP配置错误日志路径为/var/log/daemon.log，有问题可自行通过这个日志排除.

配置TFTP服务

root@fai-server:~# sed -i 's/0.0.0.0:69/192.168.1.99:69/' /etc/default/tftpd-hpa

配置fai的source.list（fai-steup -v时，从本地软件仓库拉取数据）

root@fai-server:~# cat /etc/apt/sources.list > /etc/fai/apt/sources.list

配置fai-nfs服务

FAI_DEBOOTSTRAP：在创建nfsroot这个目录文件时，需要从指定的软件仓库下载debian的镜像和此版本debian所依赖的软件包，如果有本地的debian软件仓库，可指定为本地的软件仓库。

FAI_ROOTPW：为设定的新装机器开机密码，该密码对应明文为fai。如要修改，可通过命名mkpasswd生成新的MD5填入

root@fai-server:~# apt-get install whois -y
root@fai-server:~# echo "password" | mkpasswd -m md5 -s

生成的密文即为password的MD5码，填入即可替换默认的fai密码

NFSROOT_ETC_HOSTS值为faiserver的IP

root@fai-server:~# cat /etc/fai/nfsroot.conf
# For a detailed description see nfsroot.conf(5)# "<suite> <mirror>" for debootstrap
FAI_DEBOOTSTRAP="stretch http://192.168.1.99/debian"
FAI_ROOTPW='$1$ab9BtYz3$rmjVoBEilyld2TWF3fw9G.'NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai
NFSROOT_HOOKS=/etc/fai/nfsroot-hooks/
NFSROOT_ETC_HOSTS="192.168.1.99"
FAI_DEBOOTSTRAP_OPTS="--exclude=info"# Configuration space
FAI_CONFIGDIR=/srv/fai/debian9_config

创建FAI安装所需的文件（通过互联网的话，根据软件仓库传输的实际情况，需要花费一定时间，如果是本地软件仓库的话，很快就能结束，如果软件仓库中软件有问题，可能会报错，就需要自己去排查问题，就我遇到的问题而言，为软件下载残缺导致，将那个文件从官方仓库下载替换后即解决了。重新执行fai-setup -v时，要删除/srv/fai/下所有的文件才能执行）

确认hosts下本机ip的hostname存在，否则fai-setup -v时会不创建ssh秘钥，导致自动安装最后卡chboot and savelog阶段，虽然不影响安装，但需要手动干预，才能完成安装。

root@fai-server:~# cat /etc/hosts
192.168.1.99    fai-server
...

部署fai

root@fai-server:~# fai-setup -v
Adding system user `fai' (UID 110) ...
Adding new user `fai' (UID 110) with group `nogroup' ...
Creating home directory `/var/log/fai/remote-logs' ...
Generating public/private rsa key pair.
Your identification has been saved in /var/log/fai/remote-logs/.ssh/id_rsa.
Your public key has been saved in /var/log/fai/remote-logs/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:YzXCxhaSvntjGmI5PuX0Z9V7H1NGIX2xTiUodoH+Dig fai@fai-server
The key's randomart image is:
+---[RSA 2048]----+
|      ...  ..+ooo|
|      .+ .+ o .o=|
|     .  *ooo   oo|
|      .o o..  o. |
|       .S. . . .o|
|     .E.... o ...|
|    =+.+   +   + |
|   o.oo.= o . . +|
|    ...+ +     .o|
+----[SHA256]-----+
Generating public/private ed25519 key pair.
Your identification has been saved in /var/log/fai/remote-logs/.ssh/id_ed25519.
Your public key has been saved in /var/log/fai/remote-logs/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:WOhJEuh49et8WM8/5ahozXr+XOCUCxEwd0ZseHOYaBc fai@fai-server
The key's randomart image is:
+--[ED25519 256]--+
|   ..   o.o=E+   |
|  . .. . o++O .  |
| o ...o ...+ o   |
|. o  +.+   . .   |
| .    +.S . +    |
|      . .  + o.  |
|     o o =  o+.  |
|      + o.*.o..  |
|       oo+o++.   |
+----[SHA256]-----+
Adding 192.168.1.99,fai-server to known_hosts.
Adding 172.17.0.1 to known_hosts.
/var/log/fai/remote-logs/.ssh/known_hosts created.
/var/log/fai/remote-logs/.ssh/authorized_keys created.
...
...
...
FAI packages and related packages inside the nfsroot:
dracut             044+241-3
dracut-network     044+241-3
fai-client         5.3.6
fai-nfsroot        5.3.6
fai-setup-storage  5.3.6
Waiting for background jobs to finish
[1]+  Done                    nice xz -q $NFSROOT/var/tmp/base.tar  (wd: /srv/fai/nfsroot)
fai-make-nfsroot finished properly.
Log file written to /var/log/fai/fai-make-nfsroot.log
Your initial config space is now located in /srv/fai/debian9_config
Please don't forget to fill out the FAI questionnaire after you've finished your project with FAI.FAI setup finished.
Log file written to /var/log/fai/fai-setup.log

创建PXE启动配置文件

root@fai-server:~# fai-chboot -IBv -u nfs://192.168.1.99/srv/fai/debian9_config default
Booting kernel vmlinuz-4.9.0-8-amd64append initrd=initrd.img-4.9.0-8-amd64 ip=dhcpFAI_FLAGS=verbose,sshd,reboot FAI_CONFIG_SRC=nfs://192.168.1.99/srv/fai/debian9_configdefault has no IP in hex default
Writing file /srv/tftp/fai/pxelinux.cfg/default for default

编辑生成的启动配置文件

label XXXX就是关联下方kernel的启动内核，可一对一配置多个。安装启动时boot会提示，输入XXXX，就会从指定的内核启动。可设置时间参数（timeout 60）、默认启动内核参数（default XXXX）。

默认只有default、label两个参数，只有一个内核的话，不需要修改。

如果服务器第一启动项为网卡，那么会没有询问，直接自动安装系统，要小心。全新安装时可通过设置第一启动项为硬盘，第二启动项为网卡，这样硬盘没有启动引导的情况下会从网卡启动，安装结束后硬盘中有了系统引导，就不会从网卡启动了，避免了无限重装，同时也不需要人工干预。

root@fai-server:~# cat /srv/tftp/fai/pxelinux.cfg/default
# generated by fai-chboot for host default with IP no IP
default fai-generatedlabel fai-generated
kernel vmlinuz-4.9.0-8-amd64
append initrd=initrd.img-4.9.0-8-amd64 ip=dhcp LOGUSER=fai root=192.168.1.99:/srv/fai/nfsroot:vers=3 rootovl  FAI_FLAGS=verbose,sshd,reboot FAI_CONFIG_SRC=nfs://192.168.1.99/srv/fai/debian9_config FAI_ACTION=install

配置磁盘分区

root@fai-server:~# cat /srv/fai/debian9_config/disk_config/FAIBASE
# example of new config file for setup-storage
#
# <type> <mountpoint> <size>   <fs type> <mount options> <misc options>disk_config disk1 disklabel:msdos bootable:1 fstabkey:uuidlogical swap   8G  swap  sw
primary /      100-100%   ext4  rw,noatime,errors=remount-ro

根据自己的需求设置预安装软件

root@fai-server:~#  cat /srv/fai/debian9_config/package_config/DEBIAN
PACKAGES install-norec
apt-transport-https # is only needed for stretch
debconf-utils
file
less
linuxlogo
rsync
openssh-client openssh-server
time
procinfo
nullmailer
eject
locales
console-setup kbd
pciutils usbutils
unattended-upgrades
vim
wget
software-properties-common
ca-certificates
curl
docker-ce
qemu-kvm
libvirt-clients
libvirt-daemon-system
bridge-utils
libguestfs-tools
virtinst
libosinfo-bin
ssh
...
...

配置默认时区、root初始密码、普通账号等

root@fai-server:~# cat /srv/fai/debian9_config/class/FAIBASE.var
# default values for installation. You can override them in your *.var files# allow installation of packages from unsigned repositories
FAI_ALLOW_UNSIGNED=1# Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not.
UTC=yes
TIMEZONE=Asia/Shanghai# the hash of the root password for the new installed linux system
# pw is "fai"
ROOTPW='$1$ab9BtYz3$rmjVoBEilyld2TWF3fw9G.'# errors in tasks greater than this value will cause the installation to stop
STOP_ON_ERROR=700# set parameter for install_packges(8)
MAXPACKAGES=800# a user account will be created
username=service
USERPW='$1$ab9BtYz3$rmjVoBEilyld2TWF3fw9G.'

重启相关服务

root@fai-server:~# /etc/init.d/networking restart
root@fai-server:~# /etc/init.d/isc-dhcp-server restart
root@fai-server:~# /etc/init.d/tftpd-hpa restart
root@fai-server:~# /etc/init.d/rpcbind restart
root@fai-server:~# /etc/init.d/nfs-kernel-server restart

测试自动化系统安装

略

自定义自动化部署脚本

fai在自动部署系统时，是依赖fai服务端的各类脚本实现，脚本在/srv/fai/debian9_config/scripts下各个相应的目录中，LAST目录是系统部署最后需要执行的脚本，但由于此次用于安装的是debian，为管理方便，将自定义的部署脚本放在DEBIAN目录下

root@fai-server:~# ls /srv/fai/debian9_config/scripts/DEBIAN/
10-rootpw        20-capabilities  30-interface     40-misc          50-start

50-start即为自定义的脚本，在该脚本中，修改了ssh的禁用密码登陆和设置ssh秘钥登陆、加入部分软件源的key，以及创建的部分linux配置文件和启动脚本。

部署脚本的写法与寻常脚本区别不大，唯一的区别应该是路径问题，由于在部署过程中，磁盘是挂载状态使用的，所以路径有变化，参照系统自带脚本，在真实路径前加入$target即可，参考范例如下

sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' $target/etc/ssh/sshd_config
...
mkdir -p $target/root/.ssh
touch $target/root/.ssh/authorized_keys
chmod 600 $target/root/.ssh/authorized_keys

参考文档

https://blog.51cto.com/7938217/1701161
http://fai-project.org/fai-guide/
https://blog.51cto.com/7938217/1701161
https://blog.cavebeat.org/2017/07/local-apt-mirror-for-debian-stretch/

转载于:https://www.cnblogs.com/wendong1991/p/10797233.html