diff --git a/_includes/smb.conf.txt b/_includes/smb.conf.txt new file mode 100644 index 00000000..757a7175 --- /dev/null +++ b/_includes/smb.conf.txt @@ -0,0 +1,13 @@ +[global] + server role = standalone + log level = 5 + load printers = no + security = USER + map to guest = Bad User + guest account = nobody +[DISTRO] + path = /var/www/cobbler + public = yes + browseable = yes + writeable = no + printable = no diff --git a/_posts/2025/2025-04-07-Cobbler-v3.3.7-Ubuntu-Deployment-Guide.md b/_posts/2025/2025-04-07-Cobbler-v3.3.7-Ubuntu-Deployment-Guide.md index 4e4457f2..c0bcd800 100644 --- a/_posts/2025/2025-04-07-Cobbler-v3.3.7-Ubuntu-Deployment-Guide.md +++ b/_posts/2025/2025-04-07-Cobbler-v3.3.7-Ubuntu-Deployment-Guide.md @@ -25,7 +25,7 @@ Starting where the [Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners- - Despite my efforts (and unlike the [Beginner's Guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html)) **Ubuntu 20.04 PXE clients will require an internet connection** at the time of installation, since the `fallback: offline-install` option is not available in that version's `cloud-init` implementation and was only introduced as of [Ubuntu 22.04 release](https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668).. - - Also unlike my [other](/blog/2024/12/02/Cobbler-v3.3.7-Debian-Deployment-Guide.html/) [guides](/blog/2025/02/05/Cobbler-v3.3.7-OpenSUSE-Deployment-Guide.html), this PXE deployment will use the installation media (ISO file) instead of a repo mirror when installing the target OS *(except for Ubuntu 20.04, however it still requires to use the ISO file in PXE process, so it's very similar and consistent)*, so even though the distribution will be imported as usual, it's important to make the ISO file available over HTTP as well. + - Also unlike my [other](/blog/2024/12/02/Cobbler-v3.3.7-Debian-Deployment-Guide.html) [guides](/blog/2025/02/05/Cobbler-v3.3.7-OpenSUSE-Deployment-Guide.html), this PXE deployment will use the installation media (ISO file) instead of a repo mirror when installing the target OS *(except for Ubuntu 20.04, however it still requires to use the ISO file in PXE process, so it's very similar and consistent)*, so even though the distribution will be imported as usual, it's important to make the ISO file available over HTTP as well. ## Cobbler Server Prep @@ -250,7 +250,7 @@ cobbler sync - Cobbler is normally a dynamic and responsive app that implements many options, parameters, and configurations on-demand through `edit|add|remove|etc...` actions, not requiring a `cobbler sync` to commit most changes. However, it is recommended to run `cobbler sync` after any changes to a Cobbler Distro/Profile/System when using Cobbler sync-triggers in this manner *(editing DHCP configs, boot options, etc...)*, unless you're absolutely certain otherwise. - - Cobbler recommends writing triggers as Python modules and has a lot of good info in their [docs](https://cobbler.readthedocs.io/en/latest/user-guide/extending-cobbler.html#about), but I have only written bash scripts that slowly but surely accomplish my needs. + - Cobbler recommends writing triggers as Python modules and has a lot of good info in their [docs](https://cobbler.readthedocs.io/en/latest/user-guide/extending-cobbler.html#about), but the "old-style" bash script triggers used in this guide will get the job done, *slowly.* 1. Troubleshooting the installation diff --git a/_posts/2025/2025-04-14-Cobbler-v3.3.7-Windows-Deployment-Guide.md b/_posts/2025/2025-04-14-Cobbler-v3.3.7-Windows-Deployment-Guide.md new file mode 100644 index 00000000..0314842e --- /dev/null +++ b/_posts/2025/2025-04-14-Cobbler-v3.3.7-Windows-Deployment-Guide.md @@ -0,0 +1,279 @@ +--- +layout: post +title: Cobbler (v3.3.7) Windows Deployment Guide +author: Sus-Admin +summary: Deploying Microsoft Windows 10 & 11 via PXE network boot. +--- + +This guide assumes that you have a Fedora 34 server or workstation system configured to run Cobbler v3.3.7 similarly to the [Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html). + +## Table of Contents +{:.no_toc} + +1. TOC +{:toc} + +## Objective + +Starting where the [Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html) left off, further configure the Cobbler v3.3.7 server to deploy both Windows 10 and Windows 11 via PXE network boot, using the same system and network environment. This guide assumes that you still have `selinux` and `firewalld` configured and enabled as described in the Beginner's guide. + +### Caveats + +1. **IMPORTANT:** Issues were encountered running the PXE client as a VirtualBox VM with UEFI firmware, so instead it is recommended to run the PXE client on physical *(bare metal)* hardware or as a [VMWare Workstation/Fusion](https://blogs.vmware.com/workstation/2024/05/vmware-workstation-pro-now-available-free-for-personal-use.html) VM for UEFI installations. + + - More info on the issues encountered in the **Tips & Troubleshooting** section below. + + - If running the PXE client as a VMWare VM it is recommended to also run the Cobbler Server under the same VMWare host or another bare metal machine, using the same specs/settings as described in the [Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html). + + - Your experience may differ depending on your hardware and Windows and VirtualBox software versions and settings. + +1. This guide assumes you have already acquired the Windows 10 and 11 64-bit ISO installation files by using the [Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and [Windows 11](https://www.microsoft.com/en-us/software-download/windows11) Media Creation Tool, which requires an existing Windows 10 or 11 system to create *(like the VirtualBox Host described in the [Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html))* + + - Also on the Windows 11 download page linked above is the minumum system requirements for installing Windows 11, which include UEFI Secure Boot and TPM support, making a *supported* installation to a VM an advanced topic beyond the scope of this guide. + + - This guide will provide a workaround for those requirements as a proof of concept, but additional information on deploying via PXE with Secure Boot enabled can be found in Cobbler's [official docs](https://cobbler.readthedocs.io/en/v3.3.7/user-guide/wingen.html). + +## Cobbler Server Prep + +Enable the Windows support features as well as iPXE configs in Cobbler. + +### Dependencies + +Install some additional [dependencies](https://cobbler.readthedocs.io/en/v3.3.7/user-guide/wingen.html#installation-quickstart-guide) required by Cobbler + +```shell +yum install -y samba python-hivex python-pefile wimlib-utils python3-ldap openldap-servers openldap-clients +systemctl enable smb +``` + +### Cobbler Server Settings + +Enable Windows support in Cobbler's settings, as well as ipxe, if not enabled already + +```shell +sed -i 's/windows_enabled: false/windows_enabled: true/' /etc/cobbler/settings.d/windows.settings +sed -i "s/enable_ipxe: false/enable_ipxe: true/" /etc/cobbler/settings.yaml +systemctl restart cobblerd +``` + +Download the `wimboot` image from iPXE's GitHub to the Cobbler `loaders` directory and sync cobbler + +- Also, be sure to link the approriate bootloader images to the Cobbler `loaders` directory if not done already *(since the PXE software included with VMWare Workstation/Fusion and VirtualBox VMs do not support downloads via HTTP)*. + +```shell +wget https://github.com/ipxe/wimboot/releases/latest/download/wimboot -P /var/lib/cobbler/loaders +ln -s /usr/share/ipxe/undionly.kpxe /var/lib/cobbler/loaders/. +ln -s /usr/share/ipxe/ipxe-x86_64.efi /var/lib/cobbler/loaders/. +ln -s /usr/share/ipxe/ipxe-snponly-x86_64.efi /var/lib/cobbler/loaders/. +cobbler sync +``` + +Edit the `/etc/samba/smb.conf` file to match the below text-block + +{% capture file %}{% include smb.conf.txt path="_includes/smb.conf.txt" %}{% endcapture %} +{% assign lines = file | newline_to_br | strip_newlines | split: "
" %} +{% for line in lines %}{{ line | prepend: " " }} +{% endfor %} + +> More info on this service and configuration in the **Tips & Troubleshooting** section below + +Enable and start the smb service + +```shell +systemctl enable --now smb +``` + +Now, fix the `dhcp.template` file to properly detect PXE client firmware type during DHCP and enable iPXE chainloading for a more reliable experience on PXE clients. + +```shell +sed -i 's,filename "http://\\\$cobbler_server/cblr/svc/op/ipxe/system/\\\$iface.owner";,filename "http://\$cobbler_server/cblr/svc/op/ipxe/system/\$iface.owner";\\n } else if exists system-arch and option system-arch = 00:07 {\\n filename "ipxe-x86_64.efi";\\n } else if exists system-arch and option system-arch = 00:08 {\\n filename "ipxe-x86_64.efi";\\n } else if exists system-arch and option system-arch = 00:09 {\\n filename "ipxe-x86_64.efi";,' /etc/cobbler/dhcp.template +``` + +- The above command should edit the below **original** text block to match the following **updated** block in the resulting `dhcp.template` file: + + - **original** + + #if $iface.enable_ipxe: + if exists user-class and option user-class = "iPXE" { + filename "http://$cobbler_server/cblr/svc/op/ipxe/system/$iface.owner"; + } else { + filename "undionly.kpxe"; + } + #end if + + - **updated** + + #if $iface.enable_ipxe: + if exists user-class and option user-class = "iPXE" { + filename "http://$cobbler_server/cblr/svc/op/ipxe/system/$iface.owner"; + } else if exists system-arch and option system-arch = 00:07 { + filename "ipxe-x86_64.efi"; + } else if exists system-arch and option system-arch = 00:08 { + filename "ipxe-x86_64.efi"; + } else if exists system-arch and option system-arch = 00:09 { + filename "ipxe-x86_64.efi"; + } else { + filename "undionly.kpxe"; + } + #end if + + +Finally, enable SELinux and Firewalld allowances for SMB server + +```shell +setsebool -P samba_export_all_ro 1 +setsebool -P cobbler_use_cifs 1 + +firewall-cmd --permanent --zone=cobbler --add-service=samba +firewall-cmd --reload +``` + +## Windows 10 PXE Deployment + +mount the Windows 10 installation media and import the distro into cobbler: + +```shell +mkdir /mnt/Windows10 +mount -o ro,loop ~/Downloads/Win10_22H2_English_x64.iso /mnt/Windows10 +cobbler import --name Win10 --path /mnt/Windows10 +``` + +**If the PXE client will use legacy-BIOS firmware** *(MBR partition scheme)* instead of UEFI, toggle `uefi` to `false` in the Cobbler Profile autoinstallation metadata: + +```shell +cobbler profile edit --name Win10-x86_64 --autoinstall-meta 'uefi'='false' --in-place +``` + +> More info in Cobbler's [official docs](https://cobbler.readthedocs.io/en/v3.3.7/user-guide/wingen.html). + +Finally, create a new Cobbler System to PXE boot and automatically install Windows 10 Pro, replacing the *"aa:bb:cc:dd:ee:ff"* with the MAC address of your PXE client, being sure not to use a duplicate MAC or IP addresse of any other Cobbler System, then sync up Cobbler. + +```shell +cobbler system add --name Win10 --profile Win10-x86_64 --mac-address "aa:bb:cc:dd:ee:ff" --netboot-enabled true --enable-ipxe true +cobbler sync +``` + +The **PXE Client** VM can now be powered on, and should automatically boot to PXE and install Windows 10 to the VM HDD using the "autounattended.xml" answerfile template. + +- See the **Tips & Troubleshooting** section below for a fix for an issue encountered on the PXE client during the `start-net.cmd` script on both VirualBox and VMWare VMs + +## Windows 11 PXE Deployment + +First use the following commands to edit the `startnet.template` file in order to bypass Windows 11 hardware requirements for the PXE client. + +- note that `unix2dos` will properly terminate the lines of text individually. + +```shell +CMD1=$(echo 'reg add HKLM\\SYSTEM\\Setup\\LabConfig /v BypassSecureBootCheck /t REG_DWORD /d 1 /f' | unix2dos) +CMD2=$(echo 'reg add HKLM\\SYSTEM\\Setup\\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1 /f' | unix2dos) +CMD3=$(echo 'reg add HKLM\\SYSTEM\\Setup\\LabConfig /v BypassRAMCheck /t REG_DWORD /d 1 /f' | unix2dos) +CMD4=$(echo 'reg add HKLM\\SYSTEM\\Setup\\LabConfig /v BypassCPUCheck /t REG_DWORD /d 1 /f' | unix2dos) +CMD5=$(echo 'reg add HKLM\\SYSTEM\\Setup\\LabConfig /v BypassStorageCheck /t REG_DWORD /d 1 /f' | unix2dos) +CMD6=$(echo '\$distro_share\\sources\\setup.exe \$unattended' | unix2dos) +sudo sed -i -E "s,^#else.?$,#else if \$os_version == \"11\"\n${CMD1}\n${CMD2}\n${CMD3}\n${CMD4}\n${CMD5}\n${CMD6}\n#else," /etc/cobbler/windows/startnet.template +``` + +Now, take similar steps as with Windows 10 to import and automatically deploy Windows 11 Pro over PXE. + +```shell +mkdir /mnt/Windows11 +mount -o ro,loop ~/Downloads/Win11_24H2_English_x64.iso /mnt/Windows11 +cobbler import --name Win11 --path /mnt/Windows11 +cobbler system add --name Win11 --profile Win11-x86_64 --mac-address "aa:bb:cc:dd:ee:ff" --netboot-enabled true --enable-ipxe true +cobbler sync +``` + +The **PXE Client** VM can now be powered on, and should automatically boot to PXE and install Windows 11 to the VM HDD using the "autounattended.xml" answerfile template. + +- See the **Tips & Troubleshooting** section below for a fix for an issue encountered on the PXE client during the `start-net.cmd` script on both VirualBox and VMWare VMs + +## Tips & Troubleshooting + +1. The [Cobbler 3.3.6 Beginner's guide](/blog/2024/11/12/Cobbler-v3.3.6-Beginners-Guide.html) **Tips & Troubleshooting** section contains some basic recommendations and limitations of Cobbler which will not be repeated here. + +1. **VirtualBox Issues** + + - Specifially, the `ipxe-x86_64.efi` bootloader would fail to "initialize devices" and even though using the `ipxe-snponly-x86_64.efi` bootloader instead would load properly, the PXE client VM would *usually* just hang when downloading on of the WinPE files (i.e. `wimboot`, `boot.sdi`, `bootmgr.exe`, `bcd`, `winpe.wim`) + + - Tried several troubleshooting steps and could not get a consisten fix: + + - Tried different virtual network adapters. + + - Using the "Paravirtualized Network (virtio-net)" adapter did resove this issue with the iPXE boot process and load into the WinPE/wimboot image successfully, but then did not detect any network adapters and failed to begin Window Setup, and further troubleshooting would be beyond the scope of this guide. + + - Tried installing the appropriate VirtualBox Extensions for my version of VB. + + - Disabled Memory Isolation in Windows Security on VirtualBox Host. + + - Tried with and without "Virtual Machine Platform" and "Windows Hypervisor Platform" Windows Features installed/enabled. + + - Found no relevant entries/errors in VirtualBox VM logs and nothing abnormal in Cobbler server logs (HTTP, TFTP, DHCP). + + - A live Windows OS installation can be converted from MBR (legacy-BIOS) to GPT (UEFI) via powershell commands, which can be used as a workaround for compatibility with VirtualBox VM UEFI firmware + + - source: [https://www.windowscentral.com/how-convert-mbr-disk-gpt-move-bios-uefi-windows-10](https://www.windowscentral.com/how-convert-mbr-disk-gpt-move-bios-uefi-windows-10). + +1. **start-net.cmd issue** + + - The `smb` linux service used to host the installation files for the PXE client on the Cobbler server would be unresponsive during some installations, primarily when running the `startnet.cmd` script on the PXE client to start Windows Setup, which caused the installation to stall and error-out occasionally. + + - After reading through the manpage (`man smb.conf`) and trying several different configurations the problem persisted; make the following edit to the `startnet.template` file to account for this occasional unresponsiveness/lag from the SMB server when booting into setup by first probing the SMB share until it responds. + + ```shell + CMD=$(echo 'dir \$distros_dir || GOTO wno20' | unix2dos) + sed -i "s,net use z:,${CMD}\nnet use z:," /etc/cobbler/windows/startnet.template + ``` + +1. References + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/automate-windows-setup?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/automate-windows-setup?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/answer-files-overview](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/answer-files-overview) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-sample-unattend-xml-file](https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-sample-unattend-xml-file) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobexml-in-windows-11](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobexml-in-windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe-in-windows-11](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe-in-windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-oobexml?view=windows-11&preserve-view=true](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-oobexml?view=windows-11&preserve-view=true) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/oobexml-settings?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/oobexml-settings?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/how-oobexml-works?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/how-oobexml-works?view=windows-11) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-useraccounts](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-useraccounts) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification-joindomain](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification-joindomain) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-vmmodeoptimizations-skipadministratorprofileremoval](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-vmmodeoptimizations-skipadministratorprofileremoval) + + - [https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hideonlineaccountscreens](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hideonlineaccountscreens) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs?view=windows-10](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs?view=windows-10) + + - [https://learn.microsoft.com/en-us/windows/deployment/configure-a-pxe-server-to-load-windows-pe](https://learn.microsoft.com/en-us/windows/deployment/configure-a-pxe-server-to-load-windows-pe) + + - [https://ipxe.org/howto/winpe](https://ipxe.org/howto/winpe) + + - [https://cobbler.readthedocs.io/en/latest/user-guide/wingen.html](https://cobbler.readthedocs.io/en/latest/user-guide/wingen.html) + + - [https://cobbler.readthedocs.io/en/latest/code-autodoc/cobbler.modules.html#module-cobbler.modules.sync_post_wingen](https://cobbler.readthedocs.io/en/latest/code-autodoc/cobbler.modules.html#module-cobbler.modules.sync_post_wingen) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro?view=windows-10](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro?view=windows-10) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/automate-windows-setup?view=windows-10](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/automate-windows-setup?view=windows-10) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview?view=windows-10#implicit-answer-file-search-order](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview?view=windows-10#implicit-answer-file-search-order) + + - [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options?view=windows-10](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options?view=windows-10)