Do you use PXE/DHCP Booting at work?

Hi,

I've been tasked with coming up with a solution to implement PXE as a method of re-imaging devices.

Currently, we use bootable floppy/USB disks with Norton Ghost, but this is such an unreliable media type. I work for a retail company with 160 outlets, each of which has between 12 and 100 devices.

I'd like to know how other people do this? I understand the basics of how it works (Booting using DHCP) but would like to know what client you use on the server, how you configure it, etc.
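The "booting using DHCP" basics the post asks about come down to two fields in the DHCP reply: the boot server (the `siaddr`/next-server field, or option 66) and the boot file name (the `file` field, or option 67). The following is an added example, not code from this thread, that constructs a DHCPOFFER with those fields and parses out what a PXE ROM would act on. All addresses and file names in it are assumptions, and the packet bytes are constructed inline. The allow-list check at the end is not something the PXE ROM itself does; it is there to make the point that a client boots from whatever the first reply tells it to.

```python
"""Parse the PXE-relevant fields out of a DHCPOFFER (added example)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options marker
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID = 0, 53, 54
OPT_VENDOR_CLASS, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 60, 66, 67, 255


def build_offer(next_server, bootfile, yiaddr, server_id, tftp_name=None):
    """Construct a minimal DHCPOFFER answering a PXE client (constructed data)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                       # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,            # xid, secs, flags (broadcast bit)
        b"\0" * 4,                        # ciaddr
        socket.inet_aton(yiaddr),         # yiaddr: address offered to the client
        socket.inet_aton(next_server),    # siaddr: "next-server", the TFTP host
        b"\0" * 4,                        # giaddr
        bytes.fromhex("001122334455"),    # chaddr, struct pads to 16 bytes
        b"",                              # sname
        bootfile.encode(),                # file: boot file name, padded to 128
    )
    options = bytes([OPT_MSG_TYPE, 1, 2])                          # DHCPOFFER
    options += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    options += bytes([OPT_VENDOR_CLASS, 9]) + b"PXEClient"        # echoed class
    if tftp_name:
        options += bytes([OPT_TFTP_SERVER, len(tftp_name)]) + tftp_name.encode()
    options += bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode()
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(payload):
    """Walk the TLV option area and return {code: raw value bytes}."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_pxe_offer(packet):
    """Extract the fields a PXE ROM acts on from a DHCPOFFER/DHCPACK."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = parse_dhcp_options(packet[240:])
    file_field = packet[108:236].split(b"\0", 1)[0].decode()
    return {
        "message_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "is_pxe": opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"),
        "next_server": socket.inet_ntoa(packet[20:24]),
        "tftp_server_name": opts.get(OPT_TFTP_SERVER, b"").decode(),
        # option 67 wins when present, otherwise the fixed header field
        "bootfile": opts.get(OPT_BOOTFILE, b"").decode() or file_field,
        "server_id": socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else "",
    }


def boot_source_is_trusted(offer, allowed_servers):
    """Allow-list check: the ROM never does this, so a rogue DHCP or proxyDHCP
    server on the same segment can redirect the boot. This is what a second
    boot stage or a monitoring sensor could verify."""
    sources = {s for s in (offer["next_server"], offer["tftp_server_name"])
               if s and s != "0.0.0.0"}
    return (offer["is_pxe"] and offer["message_type"] in (2, 5)
            and bool(sources) and sources <= set(allowed_servers))


if __name__ == "__main__":
    pkt = build_offer("10.0.0.5", "pxelinux.0", "10.0.0.50", "10.0.0.1")
    print(parse_pxe_offer(pkt))
```

On a flat store LAN the control that actually enforces this allow-list is the switch (DHCP snooping with the imaging server's port marked trusted); the parser above is useful for checking captures when a device boots from the wrong place.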
 
Client on the server? Bit of a contradiction in terms there :p

We use WDS (Windows Deployment Services) now we are on Server 2008 R2, before which we used RIS (Remote Installation Services) on Server 2003 R2.
 
I'll look into those. I want it to work so that you boot a device up, choose the onboard NIC as the boot device, device then downloads the boot disk and prompts for username/password. Device then downloads and extracts image.

The server with the DHCP/PXE service is Windows 2008. The devices requiring the image are Windows XP POS Ready.

It seems with the above mentioned WDS that you can push an image out to a device. Do you need the machine booted and on the network to do this? Can it do it via MAC address?
 
Ah, it seems you need all of the servers hosting the image to be in an AD domain. We haven't and won't be able to do that. Shame, looked like a nice product.

Any other recommendations?
 
What version of Ghost do you currently use? I thought most versions of Ghost came with PXE boot options. I seem to recall that the version I used to have came with 3Com's PXE Server software.
 
Well, you can write what you want to be booted as a PXE environment. We have a system which works two ways: either you enter the server's MAC in a config file on the server with the OS, IP address, etc. you want to image it with next time it PXE boots, and it automatically does that; or you manually select which OS from a splash screen. Works nicely for builds combined with iLO/DRAC in the servers.

All built in house of course so not much help...but illustrates what can be done
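The per-MAC config file idea in the post above maps directly onto how PXELINUX (the syslinux PXE loader) picks its config: it asks the TFTP server for `pxelinux.cfg/<name>`, trying the client UUID (if DHCP option 97 supplied one), then `01-` plus the MAC in lowercase hyphenated form, then the client IP as uppercase hex shortened one digit at a time, then `default`. The following is an added example of that convention, not the in-house system the post describes. The TFTP root, label, `memdisk` kernel and floppy image path are assumptions.

```python
"""Per-machine PXE boot entries, PXELINUX style (added example)."""
import os
import re
import tempfile

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac):
    """Accept 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc or 001122AABBCC;
    return the lowercase hyphenated form PXELINUX uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def pxelinux_config_names(mac, ip, uuid=None):
    """Config names PXELINUX requests, in order, under pxelinux.cfg/."""
    names = []
    if uuid:
        names.append(uuid.lower())
    names.append("01-" + normalise_mac(mac))          # 01 = Ethernet htype
    hexip = "%02X%02X%02X%02X" % tuple(int(o) for o in ip.split("."))
    names.extend(hexip[:n] for n in range(8, 0, -1))  # C0A8025B, C0A8025, ... C
    names.append("default")
    return names


def render_config(label, kernel, append, prompt=0, timeout=0):
    """Minimal PXELINUX config that boots straight into `label`."""
    return (
        f"DEFAULT {label}\nPROMPT {prompt}\nTIMEOUT {timeout}\n\n"
        f"LABEL {label}\n  KERNEL {kernel}\n  APPEND {append}\n"
    )


def write_mac_config(tftp_root, mac, label, kernel, append):
    """Queue a build for one machine: next PXE boot picks up this file."""
    cfg_dir = os.path.join(tftp_root, "pxelinux.cfg")
    os.makedirs(cfg_dir, exist_ok=True)
    path = os.path.join(cfg_dir, "01-" + normalise_mac(mac))
    with open(path, "w") as fh:
        fh.write(render_config(label, kernel, append))
    return path


def retire_mac_config(tftp_root, mac):
    """After imaging, remove the one-shot entry so a later PXE boot falls
    through to 'default' (typically: boot the local disk). Returns whether
    there was anything to remove."""
    path = os.path.join(tftp_root, "pxelinux.cfg", "01-" + normalise_mac(mac))
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def demo_roundtrip(mac="00:11:22:AA:BB:CC"):
    """Write an entry into a temporary TFTP root, read it back, retire it."""
    root = tempfile.mkdtemp()
    # memdisk booting a DOS floppy image is an assumed way to carry the
    # existing Ghost boot disk over PXE; names are illustrative.
    path = write_mac_config(root, mac, "reimage", "memdisk",
                            "initrd=images/ghost-boot.img raw")
    with open(path) as fh:
        text = fh.read()
    return {
        "filename": os.path.basename(path),
        "has_label": "LABEL reimage" in text,
        "retired": retire_mac_config(root, mac),
        "retired_again": retire_mac_config(root, mac),
    }


if __name__ == "__main__":
    print(pxelinux_config_names("00:11:22:AA:BB:CC", "192.168.2.91"))
    print(demo_roundtrip())
```

Two things a practitioner should keep in mind with this layout: the MAC is the only "identity" involved and it is trivially spoofed, and every file under the TFTP root is readable by anyone on the segment, so the per-MAC file selects a boot path but must not carry secrets (domain join credentials on the `APPEND` line, for instance).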
 
We set up Clonezilla running on Ubuntu Server. Works well enough, but it's only for a very small non-critical operation, hence why it's freeware.

- Pea0n
 
When I was a sysadmin I used FOG which was ok but the interface was tedious and it never seemed to cope very well with being restarted for some reason.

WDS worked much better but we never got round to trying to use it outside the test environment.
 
Clonezilla/DRBL (Diskless Remote Boot in Linux).
Works very reliably, is free, and is dead easy to set up. Even does NAT so you can have PCs join domains etc. from within the factory network.
It also supports multicast imaging for mass deployments.

Last mass deployment I did with it had a full XP + software build on the domain within 7 minutes, and with multicast I could do as many machines as I wanted with no performance deficit. Though space constraints in the lab area limited it to about 10 at a time.
 
Yeah, we do PXE booting here.

We use a TFTP Linux program that downloads an image from the system (XP with unattended file + drivers already integrated into the OS).

LDAP MAC address based XP licence deployment.

Then we also use an open source application deployment system that takes care of the majority of the programs when the machine starts up for the first time.
 
While a WDS server needs to be on a domain, it doesn't need to be the DHCP server. We built one WDS server within a VM environment and it's also a dedicated domain controller / AD domain solely for deployment. This has been cloned out to use in several build areas. As it's only used for builds, concerns over duplicate SIDs etc. aren't there.

Hell, we've used WDS on laptops before to deploy servers on an ad hoc basis. The key is DHCP more so than anything and that the client supports PXE.
 
I'm tearing my hair out with this. I found a good solution using freeware and products we already have:

DualServer for the DHCP server service, which is nice and simple to configure using the ini file (http://sourceforge.net/projects/dhcp-dns-server/)

Then using either 3Com Symantec Ghost for the PXE TFTP (http://www.symantec.com/business/support/index?page=content&id=TECH107441&key=52020&actp=LIST) or part of our Computer Associates DSM suite which has imaging/PXE capabilities.

The kick in the face I've just received is PCI Compliance issues. Namely using TFTP and not SFTP, etc.

Does anyone else work in a PCI Compliant (Payment Card Industry) environment? It literally just deflates any ideas you have and says NO!
 
That shouldn't be a compliance issue in an isolated factory area anyway, however to please the compliance nazis... It's a non-secure protocol, but the stuff being transferred isn't controlled data. It's just chunks of the imaging software and OS kernel needed to boot the PC, which are freely available outside of your organisation anyway.
In terms of the actual hard drive image, which could contain controlled data, this can be encrypted when you create it and will only be decrypted on the client PC as it's imaging.
So you could argue that the stream is encrypted at the application level rather than the protocol level.
 
I don't use anything which is in a full always-active setup, but I have software on my laptop that I use to PXE boot machines for cloning. Basically:

1) Laptop into network at the site I'm at
2) Software set up to boot a bootable CD image I've created (which contains Ghost and my server mappings for the .gho images etc.)
3) Set device (i.e. tablet PC with no CD-ROM etc.) to boot from PXE; it finds the PXE server running on my laptop, boots to PXE and loads the bootable CD image. Then I just select the image I want from the drive mappings and away it goes.

Not a great system, but works well when faced with a bunch of tablet PCs with no CD.

Normally day to day, I just use a bootable CD with the drivers I need on it, running GhostCast Server on a Server 2008 box which hosts the images.
 
Our environment is in retail stores, and the devices being imaged are POS devices. The O/S is standard (XP POS Ready), but the application is company specific.
Is it possible to encrypt .gho images, and then use the ghost.exe to decrypt it once it's downloaded it to the device? I've had a quick google of this and not found much.

Yes, we use something similar for when our technicians are onsite. Unfortunately it is not them that re-image the devices; it is normally store staff who are not IT trained or savvy. Our current solution:

- Staff call to make bootable floppy disk
- Staff takes disk to device, and reboots it
- Disk loads DOS, network driver, net, etc. and maps a drive to a server hosting the image
- ghost.exe is then called to grab the image, pull it down, extract it and reboot the device
- Device is then configured (IP, device name, company-specific config, etc.) using a bespoke configuration tool

The problem is, floppy disks are a tiresome, unreliable medium which can be lost, changed, etc. I spend far too much time supporting that and I want to move on to using DHCP.

The problem is the challenges I've received regarding security and PCI regulations:

- TFTP is not secure (so I'd need another method of downloading the boot disk image; can you use SFTP for this?)
- DHCP is not a supported/secure protocol (I've got around this by saying it will only be running when a device is being imaged and then stopped)

I'm struggling to find an alternative to TFTP or PXE in general. Any suggestions?
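The two posts above (the "encrypted at the application level" argument and the PCI objection to TFTP) are both about the same gap: TFTP, and a plain SMB drive mapping from DOS, give the client no way to know that what it downloaded is what the imaging server put there. Whatever you do about confidentiality of the .gho image, the boot stage can at least carry a key and check a keyed digest of every artifact before it runs ghost.exe or writes the image. The following is an added example of that check, not code from this thread or from any of the products named in it. The manifest format, the key, the file names and the file contents are all constructed for the example; a real deployment would generate the manifest where the images are built and bake a per-site key into the boot image.

```python
"""Verify boot artifacts after an unauthenticated TFTP/SMB download (added example)."""
import hashlib
import hmac
import json

# Assumed secret baked into the boot image. Anyone who can read the boot
# image over TFTP can read this too, so it defends against an attacker who
# swaps files in transit or on a compromised share, not against one who
# already holds the boot image. Use per-site keys and rotate them.
BOOT_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, key=BOOT_KEY):
    """Server side: hash each artifact, then HMAC the whole manifest so an
    attacker cannot simply rewrite the hashes to match a swapped file."""
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def verify_manifest(manifest, key=BOOT_KEY):
    """Client side: check the HMAC before trusting any hash in the manifest.
    Returns the entries dict, or None if the manifest fails the check."""
    body, _, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode(errors="replace")):
        return None
    return json.loads(body)


def verify_artifact(entries, name, data):
    """Size check first (cheap), then the constant-time digest comparison."""
    entry = entries.get(name)
    if entry is None or len(data) != entry["size"]:
        return False
    return hmac.compare_digest(entry["sha256"], sha256_hex(data))


def download_and_check(manifest, fetch, names, key=BOOT_KEY):
    """Simulated boot stage: fetch(name) stands in for the TFTP or SMB read.
    Returns per-file verdicts; nothing is used unless its verdict is True."""
    entries = verify_manifest(manifest, key)
    if entries is None:
        return {"manifest": False}
    results = {"manifest": True}
    for name in names:
        results[name] = verify_artifact(entries, name, fetch(name))
    return results


# Constructed stand-ins for the real artifacts (not real files).
SERVER_FILES = {
    "ghost.exe": b"MZ" + b"\x90" * 510,
    "pos-xp.gho": b"GHOST-IMAGE" * 1000,
}


def demo(tamper=False):
    """Run the server and client halves; optionally flip one byte in the
    image on the way down, as an on-path attacker or a modified share would."""
    manifest = build_manifest(SERVER_FILES)
    served = dict(SERVER_FILES)
    if tamper:
        served["pos-xp.gho"] = b"X" + served["pos-xp.gho"][1:]
    return download_and_check(manifest, served.__getitem__, list(SERVER_FILES))


if __name__ == "__main__":
    print("clean:   ", demo())
    print("tampered:", demo(tamper=True))
```

This gives integrity, not secrecy: the image is still readable by anyone on the segment, which is the part the PCI assessor will ask about, so the .gho still needs to be encrypted before it is published (not shown here) and the imaging traffic still belongs on a separate VLAN with the DHCP/TFTP server only reachable there.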
 