
Re: [debian-knoppix] [projet annouce] :nroppix : nfs read only Knoppix



my previous reply was off list only, forgot to use reply all...

i'll try to give a very short summary, some new comments and a patch below.

he mounts an uncompressed filesystem read only over the network, almost like the terminalserver (although that one works like the CD, with /cdrom coming from the server, with the compressed KNOPPIX)

advantage, you can easily customize it and skip the recompressing for the cloop image. (although the compression has the advantage that it transfers faster over the net) loading it over the network also has the plus point that there is no size restriction to a CDROM.

in either way, it's a nice technique to boot diskless clients or test remasters.

Olivier Archer wrote:
> nroppix is an attempt to run knoppix with *no* cdrom but with network access. many nroppix clients can share the same nroppix server. it's a tiny project. it's a rewriting of /linuxrc et al. in the root image
> [...]
> nroppix is designed to allow many diskless clients to share the same linux chrooted distribution (like multi diskless knoppix client) or to

this is almost what the knoppix terminal server does.
the difference is that the terminalserver's linuxrc tries to mount the compressed KNOPPIX filesystem on the /cdrom (which is in turn mounted from NFS, not the real cdrom)

that means that with a small change to linuxrc, it's possible to mount an uncompressed KNOPPIX. the attached patch does that. it mounts the NFS share to /KNOPPIX directly and skips the loop mount part.

to apply the patch, either patch the linuxrc in the terminalserver templates, or loop mount the created miniroot.gz and patch it there (although it's not so easy to patch the etherboot image)

> provide a robust server configuration with there / mounted by
> read-only nfs (debian woody).

i don't think that this is "robust", well yes keeping as much as possible read only on a server (especially when it's exposed to the internet) is a good idea, even better if you can make all logs write only, so that they cannot be forged if an attack succeeds.

but running it from NFS is not a good idea. NFS is not known to be a secure protocol, it's good enough for a LAN, but not for the internet. somebody could interfere with the NFS protocol and inject bad packets or malicious data. in fact, any network filesystem is probably not secure enough for a server. even if it's encrypted, it opens the server to DoS attacks and can cause failures because data cannot be read.

chris

*** linuxrc.terminalserver	2002-11-08 01:30:12.000000000 +0100
--- linuxrc.nfsdisk	2003-04-04 04:34:02.000000000 +0200
***************
*** 244,250 ****
  	"${MAGENTA}$NFSDIR${BLUE}...${NORMAL}"
      /static/mount -t nfs -o \
  	ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!         "${NFSDIR}" /cdrom > /dev/null 2>&1  && MOUNTED="yes"
  
  	# unsuccessful? Blank out NFSDIR and see if pump does better
  	[ -z "$MOUNTED" ] && echo "${RED}Failed.${NORMAL}" && NFSDIR=
--- 244,250 ----
  	"${MAGENTA}$NFSDIR${BLUE}...${NORMAL}"
      /static/mount -t nfs -o \
  	ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!         "${NFSDIR}" /KNOPPIX > /dev/null 2>&1  && MOUNTED="yes"
  
  	# unsuccessful? Blank out NFSDIR and see if pump does better
  	[ -z "$MOUNTED" ] && echo "${RED}Failed.${NORMAL}" && NFSDIR=
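Review bot: The mount point is hard-coded as /KNOPPIX on the changed `"${NFSDIR}" /KNOPPIX` line, and the same literal is repeated in the three mounts in the later hunks. Setting the target once in a variable near the top of linuxrc would let one script serve both the compressed /cdrom layout and this uncompressed one, and would keep the four call sites from drifting apart.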
***************
*** 274,285 ****
   # try mounting it, first with "/knoppix"
   echo -n "${CRE}${BLUE}Trying to mount CD on ${MAGENTA}$NFSROOT${BLUE}...${NORMAL}"
   /static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!   "${NFSROOT}:/knoppix" /cdrom > /dev/null 2>&1  && NFSDIR="${NFSROOT}:/knoppix"
  
  # then with "/cdrom"
   [ -z "$NFSDIR" ] && /static/mount -t nfs -o \
    ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!   "${NFSROOT}:/cdrom" /cdrom > /dev/null 2>&1  && NFSDIR="${NFSROOT}:/cdrom"
  
   [ -n "$NFSDIR" ] && MOUNTED="yes"
  fi
--- 274,285 ----
   # try mounting it, first with "/knoppix"
   echo -n "${CRE}${BLUE}Trying to mount CD on ${MAGENTA}$NFSROOT${BLUE}...${NORMAL}"
   /static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!   "${NFSROOT}:/knoppix" /KNOPPIX > /dev/null 2>&1  && NFSDIR="${NFSROOT}:/knoppix"
  
  # then with "/cdrom"
   [ -z "$NFSDIR" ] && /static/mount -t nfs -o \
    ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
!   "${NFSROOT}:/cdrom" /KNOPPIX > /dev/null 2>&1  && NFSDIR="${NFSROOT}:/cdrom"
  
   [ -n "$NFSDIR" ] && MOUNTED="yes"
  fi
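Review bot: The fallback on the changed `"${NFSROOT}:/cdrom" /KNOPPIX` line will mount a terminalserver-style /cdrom export as the root tree if the server still offers one. The old `test -f /cdrom/KNOPPIX/KNOPPIX` check further down shows that layout holds the compressed image in a KNOPPIX subdirectory, so the mount would succeed and set MOUNTED even though /KNOPPIX is not a usable filesystem. Either drop this fallback or verify the tree after mounting. The unchanged echo also still says "Trying to mount CD", which no longer describes what happens.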
***************
*** 292,298 ****
  	    "(aka \"192.168.0.1:/cdrom\"): ${NORMAL}"
  	read NFSDIR
  	/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! 	    "$NFSDIR" /cdrom > /dev/null 2>&1  && MOUNTED="true"
  	[ -n "$MOUNTED" ] && break
      done
  }
--- 292,298 ----
  	    "(aka \"192.168.0.1:/cdrom\"): ${NORMAL}"
  	read NFSDIR
  	/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! 	    "$NFSDIR" /KNOPPIX > /dev/null 2>&1  && MOUNTED="true"
  	[ -n "$MOUNTED" ] && break
      done
  }
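Review bot: The prompt text kept as context above the changed mount still offers "192.168.0.1:/cdrom" as its example, which suggests the export name used for the compressed-image layout rather than an uncompressed tree. Update the example to match what /KNOPPIX now expects. MOUNTED is also set to "true" here but "yes" in the earlier hunks, which works only because it is tested for being non-empty.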
***************
*** 300,313 ****
  [ -n "$MOUNTED" ] && echo "${GREEN}OK.${NORMAL}"
  [ -z "$MOUNTED" ] && dropshell
  
! FOUND_KNOPPIX=""
! if test -f /cdrom/KNOPPIX/KNOPPIX
! then
! echo -n "${CRE} ${GREEN}Accessing KNOPPIX CDROM image at ${MAGENTA}$NFSDIR${GREEN}...${NORMAL}"
! FOUND_KNOPPIX="true"
! else
! dropshell
! fi
  
  # Harddisk-installed script part version has been removed
  # (KNOPPIX can be booted directly from HD now).
--- 300,315 ----
  [ -n "$MOUNTED" ] && echo "${GREEN}OK.${NORMAL}"
  [ -z "$MOUNTED" ] && dropshell
  
! FOUND_KNOPPIX="yes"
! 
! #FOUND_KNOPPIX=""
! #if test -f /cdrom/KNOPPIX/KNOPPIX
! #then
! #echo -n "${CRE} ${GREEN}Accessing KNOPPIX CDROM image at ${MAGENTA}$NFSDIR${GREEN}...${NORMAL}"
! #FOUND_KNOPPIX="true"
! #else
! #dropshell
! #fi
  
  # Harddisk-installed script part version has been removed
  # (KNOPPIX can be booted directly from HD now).
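Review bot: FOUND_KNOPPIX="yes" is now set unconditionally, so the only sanity check on what was mounted is gone and a wrong or empty export continues to boot instead of reaching dropshell. Replace the removed `test -f /cdrom/KNOPPIX/KNOPPIX` with an equivalent test for a file that must exist in the unpacked tree under /KNOPPIX and keep the dropshell branch. The commented-out block should be deleted rather than left in place.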
***************
*** 315,322 ****
  # DEBUG
  # echo "6" > /proc/sys/kernel/printk
  
! insmod /modules/cloop.o file=/cdrom/KNOPPIX/KNOPPIX
! mountit /dev/cloop /KNOPPIX "-o ro$SECUREOPTIONS" || FOUND_KNOPPIX=""
  
  # Final test if everything succeeded.
  if test -n "$FOUND_KNOPPIX"
--- 317,324 ----
  # DEBUG
  # echo "6" > /proc/sys/kernel/printk
  
! #insmod /modules/cloop.o file=/cdrom/KNOPPIX/KNOPPIX
! #mountit /dev/cloop /KNOPPIX "-o ro$SECUREOPTIONS" || FOUND_KNOPPIX=""
  
  # Final test if everything succeeded.
  if test -n "$FOUND_KNOPPIX"
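Review bot: With the `mountit ... || FOUND_KNOPPIX=""` line commented out, nothing in this patch can clear FOUND_KNOPPIX any more, so the `if test -n "$FOUND_KNOPPIX"` final test in the trailing context always passes. Either make that test check the NFS-mounted /KNOPPIX or remove it, and delete the two cloop lines instead of commenting them out.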
