Re: [debian-knoppix] [projet annouce] :nroppix : nfs read only Knoppix
my previous reply was off list only, forgot to use reply all...
i'll try to give a very short summary, some new comments and a patch below.
he mounts an uncompressed filesystem read only over the network, almost
like the terminalserver (although that one works like the CD, with /cdrom
coming from the server, with the compressed KNOPPIX)
advantage, you can easily customize it and skip the recompressing for the
cloop image. (although the compression has the advantage that it
transfers faster over the net)
loading it over the network also has the plus point that there is no size
restriction to a CDROM.
in either way, it's a nice technique to boot diskless clients or test
remasters.
Olivier Archer wrote:
> nroppix is an attempt to run knoppix with *no* cdrom but with a network
> access. many nroppix clients can share the same nroppix server. it's a tiny
> project. it's a rewriting of /linuxrc and al in the root image
[...]
> nroppix is designed to allow many diskless clients to share the same
> linux chrooted distribution (like multi diskless knoppix client) or to
this is almost what the knoppix terminal server does.
the difference is that the terminalserver's linuxrc tries to mount the
compressed KNOPPIX filesystem on the /cdrom (which is in turn mounted
from NFS, not the real cdrom)
that means that with a small change to linuxrc, it's possible to mount an
uncompressed KNOPPIX. the attached patch does that. it mounts the NFS
share to /KNOPPIX directly and skips the loop mount part.
to apply the patch, either patch the linuxrc in the terminalserver
templates, or loop mount the created miniroot.gz and patch it there
(although it's not so easy to patch the etherboot image)
> provide a robust server configuration with their / mounted by
> read-only nfs (debian woody).
i don't think that this is "robust", well yes keeping as much as possible
read only on a server (especially when it's exposed to the internet) is a
good idea, even better if you can make all logs write only, so that they
cannot be forged if an attack succeeds.
but running it from NFS is not a good idea. NFS is not known to be a
secure protocol, it's good enough for a LAN, but not for the internet.
somebody could interfere with the NFS protocol and inject bad packets or
malicious data. in fact, any network filesystem is probably not secure
enough for a server. even if it's encrypted, it opens the server for DOS
attacks and causes failure because data cannot be read.
chris
*** linuxrc.terminalserver 2002-11-08 01:30:12.000000000 +0100
--- linuxrc.nfsdisk 2003-04-04 04:34:02.000000000 +0200
***************
*** 244,250 ****
"${MAGENTA}$NFSDIR${BLUE}...${NORMAL}"
/static/mount -t nfs -o \
ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSDIR}" /cdrom > /dev/null 2>&1 && MOUNTED="yes"
# unsuccessful? Blank out NFSDIR and see if pump does better
[ -z "$MOUNTED" ] && echo "${RED}Failed.${NORMAL}" && NFSDIR=
--- 244,250 ----
"${MAGENTA}$NFSDIR${BLUE}...${NORMAL}"
/static/mount -t nfs -o \
ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSDIR}" /KNOPPIX > /dev/null 2>&1 && MOUNTED="yes"
# unsuccessful? Blank out NFSDIR and see if pump does better
[ -z "$MOUNTED" ] && echo "${RED}Failed.${NORMAL}" && NFSDIR=
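Review bot: the mount target in `"${NFSDIR}" /KNOPPIX` is hard-coded, here and in every other mount this patch touches, so a linuxrc patched this way can no longer boot from an export that carries the compressed image. Consider keeping a single linuxrc and selecting the target through a variable (set from a boot option, for instance), so that /cdrom plus cloop stays the default and the direct /KNOPPIX mount is opt-in. The mount output still goes to /dev/null, so a wrong export path shows up only as "Failed."; printing the mount error would make the new mode easier to debug.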
***************
*** 274,285 ****
# try mounting it, first with "/knoppix"
echo -n "${CRE}${BLUE}Trying to mount CD on ${MAGENTA}$NFSROOT${BLUE}...${NORMAL}"
/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSROOT}:/knoppix" /cdrom > /dev/null 2>&1 && NFSDIR="${NFSROOT}:/knoppix"
# then with "/cdrom"
[ -z "$NFSDIR" ] && /static/mount -t nfs -o \
ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSROOT}:/cdrom" /cdrom > /dev/null 2>&1 && NFSDIR="${NFSROOT}:/cdrom"
[ -n "$NFSDIR" ] && MOUNTED="yes"
fi
--- 274,285 ----
# try mounting it, first with "/knoppix"
echo -n "${CRE}${BLUE}Trying to mount CD on ${MAGENTA}$NFSROOT${BLUE}...${NORMAL}"
/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSROOT}:/knoppix" /KNOPPIX > /dev/null 2>&1 && NFSDIR="${NFSROOT}:/knoppix"
# then with "/cdrom"
[ -z "$NFSDIR" ] && /static/mount -t nfs -o \
ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "${NFSROOT}:/cdrom" /KNOPPIX > /dev/null 2>&1 && NFSDIR="${NFSROOT}:/cdrom"
[ -n "$NFSDIR" ] && MOUNTED="yes"
fi
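Review bot: the second fallback, `"${NFSROOT}:/cdrom" /KNOPPIX`, still probes an export named /cdrom, which the unpatched script expects to hold the CD layout (it tests for /cdrom/KNOPPIX/KNOPPIX after mounting). Mounting that export on /KNOPPIX sets NFSDIR and MOUNTED="yes" even though no uncompressed tree is there. Drop this fallback or point it at an export name reserved for the uncompressed tree, and update the "Trying to mount CD on" message in the context line above, which no longer describes what is being mounted.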
***************
*** 292,298 ****
"(aka \"192.168.0.1:/cdrom\"): ${NORMAL}"
read NFSDIR
/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "$NFSDIR" /cdrom > /dev/null 2>&1 && MOUNTED="true"
[ -n "$MOUNTED" ] && break
done
}
--- 292,298 ----
"(aka \"192.168.0.1:/cdrom\"): ${NORMAL}"
read NFSDIR
/static/mount -t nfs -o ro,rsize=8192,wsize=8192,hard,intr$SECUREOPTIONS \
! "$NFSDIR" /KNOPPIX > /dev/null 2>&1 && MOUNTED="true"
[ -n "$MOUNTED" ] && break
done
}
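Review bot: the prompt example `(aka \"192.168.0.1:/cdrom\")` is left unchanged although the path typed here is now mounted on /KNOPPIX and has to be the uncompressed tree; change the example so it does not steer users to the CD export. This branch also sets MOUNTED="true" while the other mounts set "yes"; that is harmless for the -n tests but worth making uniform while these lines are being touched.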
***************
*** 300,313 ****
[ -n "$MOUNTED" ] && echo "${GREEN}OK.${NORMAL}"
[ -z "$MOUNTED" ] && dropshell
! FOUND_KNOPPIX=""
! if test -f /cdrom/KNOPPIX/KNOPPIX
! then
! echo -n "${CRE} ${GREEN}Accessing KNOPPIX CDROM image at ${MAGENTA}$NFSDIR${GREEN}...${NORMAL}"
! FOUND_KNOPPIX="true"
! else
! dropshell
! fi
# Harddisk-installed script part version has been removed
# (KNOPPIX can be booted directly from HD now).
--- 300,315 ----
[ -n "$MOUNTED" ] && echo "${GREEN}OK.${NORMAL}"
[ -z "$MOUNTED" ] && dropshell
! FOUND_KNOPPIX="yes"
!
! #FOUND_KNOPPIX=""
! #if test -f /cdrom/KNOPPIX/KNOPPIX
! #then
! #echo -n "${CRE} ${GREEN}Accessing KNOPPIX CDROM image at ${MAGENTA}$NFSDIR${GREEN}...${NORMAL}"
! #FOUND_KNOPPIX="true"
! #else
! #dropshell
! #fi
# Harddisk-installed script part version has been removed
# (KNOPPIX can be booted directly from HD now).
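Review bot: `FOUND_KNOPPIX="yes"` is now set unconditionally, so the only sanity check on the mounted share is gone and any export that mounts is accepted as the root tree. Replace the old `test -f /cdrom/KNOPPIX/KNOPPIX` with an equivalent test for a file or directory that must exist under /KNOPPIX, and keep the dropshell branch for the failure case. The commented-out block should be deleted rather than carried along, and the value changes from "true" to "yes" without a stated reason.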
***************
*** 315,322 ****
# DEBUG
# echo "6" > /proc/sys/kernel/printk
! insmod /modules/cloop.o file=/cdrom/KNOPPIX/KNOPPIX
! mountit /dev/cloop /KNOPPIX "-o ro$SECUREOPTIONS" || FOUND_KNOPPIX=""
# Final test if everything succeeded.
if test -n "$FOUND_KNOPPIX"
--- 317,324 ----
# DEBUG
# echo "6" > /proc/sys/kernel/printk
! #insmod /modules/cloop.o file=/cdrom/KNOPPIX/KNOPPIX
! #mountit /dev/cloop /KNOPPIX "-o ro$SECUREOPTIONS" || FOUND_KNOPPIX=""
# Final test if everything succeeded.
if test -n "$FOUND_KNOPPIX"
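Review bot: with the `mountit /dev/cloop /KNOPPIX ... || FOUND_KNOPPIX=""` line commented out, nothing between the unconditional assignment in the previous hunk and `if test -n "$FOUND_KNOPPIX"` can clear the variable, so the "Final test if everything succeeded" is always true. Either remove the dead test or give it something real to check on the NFS-mounted tree. Delete the two cloop lines instead of commenting them out, so the patched script does not keep references to /cdrom/KNOPPIX/KNOPPIX that can never apply.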