Netboot Questions

ops
New Contributor III

Hey all,
I had thought my Netboot server was set up correctly. I can boot to it and access the JSS no problem. My issue is I can't unmount my Macintosh HD disk. I have diskless selected but no dice. When I boot off the network I'm still using local resources.

This means I can't image any computers through Netboot. Any suggestions? What might I be overlooking?

Thanks,
Jason


7 REPLIES

Grant_Klingbeil
New Contributor III

Hi Jason,

If you'd like to get diskless working, this article has been really helpful for that:
http://www.macos.utah.edu/documentation/administration/setup_netboot_service_on_mac_os_x_10.6.x_clie...

Another option is to use Casper NetInstall Creator that has just gone through a major overhaul:
https://jamfnation.jamfsoftware.com/viewProduct.html?id=13&view=info

With NetInstall, the image is diskless by nature, so we shouldn't have any unmounting issues.

ops
New Contributor III

I'll try the NetInstall Creator and post results. I've already followed all the steps in the utah.edu article, but for some reason it's still using resources on the local drive.

Thanks for the help, I'll post my results when I've made a new netinstall image.

ops
New Contributor III

After creating an image with the NetInstall Creator, my first attempt to NetBoot a brand new Mac resulted in a kernel panic. I solved this problem by changing the share from NFS to HTTP through the NetInstall preferences of OSX Server.

So now it boots into Casper NetInstall and has the nifty Casper background. Casper Imaging loads right up, but I'm still plagued with problems. When I attempt to mount my Distribution Point I get this error:

There was a problem connecting to the server "jss.ourservername.org"

I'm then told to contact my system administrator. Awesome. I am the system administrator so I'm a little flummoxed. Why is it having this issue?

Thanks,
Jason

Orleck
New Contributor

@ops We had to modify our rc.netboot file differently than the Utah article describes, but we also had to run the kernel cache script on the NetBoot set as well. That got us working; below is the rc.netboot we're using...

#!/bin/sh
##
# Copyright 2002-2009 Apple Inc.
#
# This script configures NetBoot
##

. /etc/rc.common

#
# This script has been modified to support diskless or RAM disk netboot
#
# Revised: July 14th, 2011
# Revised by: Richard Glaser
#
# For more information or give feedback or file bugs...
# See web site...
#
# http://www.macos.utah.edu/documentation/administration/setup_netboot_service_on_mac_os_x_10.6.x_client.html
#

#
# Define: NETBOOT_SHADOW
#
# Purpose:
#   To change the behavior of the system when choosing a netboot shadow
#   to use.
#
# Values:
#   -NETWORK-       Try to use the network for the shadow file, if
#                   that fails, use the local drive
#   -NETWORK_ONLY-  Only use the network, fail if not available
#   -LOCAL-         Use the local drive for the shadow file, if that
#                   fails, use the network
#   -LOCAL_ONLY-    Only use the local drive for the shadow, fail if
#                   not available

NETBOOT_MOUNT=/var/netboot

# Change to "-LOCAL_ONLY-" to use RAM Disk instead of network
NETBOOT_SHADOW=-LOCAL_ONLY-

# NETBOOT_SHADOW=${NETBOOT_SHADOW:-NETWORK-}
# There is a bug in the default variable assignment: it loses the beginning "-".
# So it never correctly assigns the variable or branches in the case statement in the
# do_start() sub-routine, and always gets assigned to the "* )" branch.

Failed()
{
    echo rc.netboot: $1
    echo rc.netboot: $1 > /dev/console
    sleep 5
    exit 1
}

common_start()
{
    netboot_dir=$1
    netboot_shadow=$2
    if [ "${netboot_dir}" = "" ] ; then
        Failed "netboot_dir is empty"
    fi
    if [ "${netboot_shadow}" = "" ] ; then
        Failed "netboot_shadow is empty"
    fi
    netboot_shadow="${netboot_dir}/${netboot_shadow}"
    if ! mkdir -p "${netboot_dir}" ; then
        Failed "create ${netboot_dir} failed"
    fi
    chmod 700 "${netboot_dir}"
    mount -u -o ro /
    root_device=$(mount | sed -n 's:/dev/\(.*\) on / .*:\1:p')
    case "${root_device}" in
        vn*)
            if ! touch "${netboot_shadow}" ; then
                Failed "create ${netboot_shadow} failed"
            fi
            chmod 600 "${netboot_shadow}"
            if ! /usr/libexec/vndevice shadow "/dev/r${root_device}" "${netboot_shadow}" ; then
                Failed "vndevice shadow failed"
            fi
            ;;
        "")
            Failed "root device unknown"
            ;;
        *)
            if ! touch "${netboot_shadow}" ; then
                Failed "failed to create shadow ${netboot_shadow}"
            fi
            chmod 600 "${netboot_shadow}"
            if ! /usr/bin/nbdst -recycle "${root_device}" "${netboot_shadow}" ; then
                Failed "nbdst failed"
            fi
            ;;
    esac
}

local_mount()
{
#    tries=0
#    limit=11
#    while [ $tries -lt $limit ]; do
#        tries=$(( tries + 1 ))
#        volinfo=`autodiskmount -F 2>/dev/null`
#        if [ $? -ne 0 ]; then
#            if [ $tries -lt $limit ]; then
#                echo "Waiting for local drives..."
#                echo "Waiting for local drives (retry ${tries}/$(( limit - 1 )))..." > /dev/console
#                sleep 5
#            else
#                echo "autodiskmount -F found no local drives"
#                return 1
#            fi
#        else
#            tries=$limit
#        fi
#    done
#    set ${volinfo}
#    devname=$1
#    fstype=$2
#
#    mount -t "${fstype}" -o nosuid,nodev "/dev/${devname}" "${NETBOOT_MOUNT}" 2>&1
#    if [ $? -ne 0 ]; then
#        echo "mount of ${devname} failed"
#        return 1
#    fi
    volinfo=`autodiskmount -F 2>/dev/null`
    RAMDisk "${NETBOOT_MOUNT}"
    common_start "${NETBOOT_MOUNT}/.com.apple.NetBootX" shadowfile
    return 0
}

#
# Create a RAM disk with same perms as mountpoint
#

RAMDisk()
{
    mntpt=$1
    rdsize=500000
    echo "Creating RAM Disk for $mntpt"
    dev=`hdik -drivekey system-image=yes -nomount ram://$rdsize`
    if [ $? -eq 0 ] ; then
        newfs_hfs $dev
        # save & restore fs permissions covered by the mount
        eval `/usr/bin/stat -s $mntpt`
        mount -t hfs -o union -o nobrowse $dev $mntpt
        chown $st_uid:$st_gid $mntpt
        chmod $st_mode $mntpt
    fi
}

network_mount()
{
    mount_from=$(ipconfig netbootoption shadow_mount_path 2>&1)
    if [ $? -ne 0 ]; then
        echo "no network shadow mount path available"
        return 1
    fi
    shadow_path=$(ipconfig netbootoption shadow_file_path 2>&1)
    if [ $? -ne 0 ]; then
        echo "no network shadow file path available"
        return 1
    fi
    case "${mount_from}" in
        afp:*)
            fstype=afp
            kextutil -v 0 /System/Library/Filesystems/AppleShare/asp_tcp.kext
            kextutil -v 0 /System/Library/Filesystems/AppleShare/afpfs.kext
            ;;
        nfs:*)
            fstype=nfs;;
        *)
            echo "unknown network filesystem mount from ${mount_from}"
            return 1
            ;;
    esac
    mount -t "${fstype}" -o nobrowse "${mount_from}" "${NETBOOT_MOUNT}"
    if [ $? -ne 0 ]; then
        echo "mount -t ${fstype} -o nobrowse ${mount_from} ${NETBOOT_MOUNT} failed"
        return 1
    fi
    common_start "${NETBOOT_MOUNT}" "${shadow_path}"
    return 0
}

do_start()
{
    case "${NETBOOT_SHADOW}" in
        -LOCAL_ONLY- )
            err=$(local_mount)
            if [ $? -ne 0 ]; then
                Failed "${err}"
            fi
            ;;
        -LOCAL- )
            err=$(local_mount)
            if [ $? -ne 0 ]; then
                err=$(network_mount)
                if [ $? -ne 0 ]; then
                    Failed "Could not find a local or network drive"
                fi
            fi
            ;;
        -NETWORK_ONLY-)
            err=$(network_mount)
            if [ $? -ne 0 ]; then
                Failed "${err}"
            fi
            ;;
        * )
            err=$(network_mount)
            if [ $? -ne 0 ]; then
                err=$(local_mount)
                if [ $? -ne 0 ]; then
                    Failed "Could not find a network or local drive"
                fi
            fi
            ;;
    esac
}

do_init()
{
    # attach the shadow file to the root disk image
    do_start

    # make sure the root filesystem is clean
    fsck -p || fsck -fy || Failed "Could not clean root filesystem"

    # make it writable
    mount -uw /

    # adjust /private/var/vm to point to the writable area (if not diskless)
    swapdir=/private/var/vm
    mounted_from=$(mount | sed -n 's:\(.*\) on .*/var/netboot.*:\1:p')
    case "${mounted_from}" in
        /dev/*)
            netboot_dir="${NETBOOT_MOUNT}/.com.apple.NetBootX"
            if [ -d "${netboot_dir}" ]; then
                rm -rf "${swapdir}"
                ln -s "${netboot_dir}" "${swapdir}"
            fi
            ;;
        *)
            ;;
    esac

    # set the ComputerName based on what the NetBoot server told us it was
    machine_name=$(ipconfig netbootoption machine_name 2>&1)
    if [ $? -ne 0 ]; then
        echo "no machine name option available"
    else
        echo "Setting ComputerName to ${machine_name}"
        scutil --set ComputerName "${machine_name}"
    fi
}

if [ $# -lt 1 ] ; then
    exit 0
fi

command=$1

shift

case "${command}" in
    init)
        do_init $@
        ;;
esac

##
# Exit
##
exit 0
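The comment in the script above about `${NETBOOT_SHADOW:-NETWORK-}` losing its leading dash describes a real sh parsing rule: in `${var:-word}` the first `-` after the colon is the operator, so the default word is `NETWORK-`, not `-NETWORK-`. Because the `* )` catch-all in do_start() happens to do network-then-local, the default still works, but the same catch-all also swallows any typo in NETBOOT_SHADOW and silently reintroduces the local fallback a diskless set is trying to avoid. The following is an added example, not part of Orleck's post; the function names are this example's own and the strict dispatch is a suggested hardening, not something in the Utah script:

```shell
#!/bin/sh
# Added example (not from the thread): why the stock default assignment in
# rc.netboot falls through to the "* )" branch, the one-character fix, and a
# strict dispatch that refuses unknown values. Function names are assumptions.

# As shipped: ${var:-word}. The first "-" is the operator, so word = "NETWORK-".
shadow_default_as_shipped() {
    NETBOOT_SHADOW="$1"
    echo "${NETBOOT_SHADOW:-NETWORK-}"
}

# Fixed: a second "-" makes the default literally "-NETWORK-".
shadow_default_fixed() {
    NETBOOT_SHADOW="$1"
    echo "${NETBOOT_SHADOW:--NETWORK-}"
}

# Same dispatch as do_start() in the script above, returning the branch name
# instead of mounting. Note there is no "-NETWORK-" branch: it and every
# typo land in "* )", which tries the network and then the local disk.
shadow_branch() {
    case "$1" in
        -LOCAL_ONLY-)   echo "local_only" ;;
        -LOCAL-)        echo "local_then_network" ;;
        -NETWORK_ONLY-) echo "network_only" ;;
        *)              echo "network_then_local" ;;
    esac
}

# Suggested hardening: only the four documented values are accepted, so a
# misspelled setting fails at boot instead of quietly using the local disk.
shadow_branch_strict() {
    case "$1" in
        -LOCAL_ONLY-|-LOCAL-|-NETWORK_ONLY-|-NETWORK-)
            shadow_branch "$1" ;;
        *)
            echo "rc.netboot: unknown NETBOOT_SHADOW value '$1'" >&2
            return 1 ;;
    esac
}
```

With the shipped default, `shadow_branch "$(shadow_default_as_shipped "")"` returns `network_then_local`; with the strict variant, a value such as `LOCAL_ONLY` (dashes forgotten) is rejected instead of being treated as the network mode.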

ops
New Contributor III

Thanks for the advice. Gave it a go, but no joy with the NetInstall image, still refusing my authentication.

Just to see what would happen, I pulled up my older image from before NetInstall. I punched your code into the rc.netboot file and I was able to unmount the disk. Awesome! So for anyone stumbling into this thread looking to unmount a netboot disk, use that code for your rc.netboot file. My troubles are not over though.

Booted into my original nbi (not created with NetInstall Creator), I attempted to run a config on the drive. I then got a request from the Mac asking me to authenticate to the JSS. It rejected my authentication and spit out the same message as before about being unable to reach the JSS. Now when I boot the Mac, it can't boot to the local drive or the recovery partition. So it's able to unmount the drive and wipe it, but can't reach my JDS for whatever reason. Any clues on where to start troubleshooting?

Thanks again,
Jason

clifhirtle
Contributor II

Assuming it's not an issue with the bug in auth to SMB shares (https://jamfnation.jamfsoftware.com/article.html?id=74)?

ops
New Contributor III

Finally got this working.

I spoke with JAMF Support, but it looks like NetBoot is not supported with my setup. Our company uses a Linux-based JDS, and this setup is not supported with JAMF's NetBooting solutions:

"Right now, it's an OS X only solution, and we'll hopefully see one for Linux JDSes soon (unfortunately, I don't have a time table on that, though)." https://jamfnation.jamfsoftware.com/discussion.html?id=10819

So here's how I've managed this.

I have a Mac mini running OSX Server that I'm using to serve my images. I created a NetRestore image using SIU.

My image is very simple and just includes an up-to-date OSX installation and an administrator account. I also created a QuickAdd package using Recon and put that in a directory within /Library/Preferences. Finally, I included a script and a launchd job that runs the QuickAdd in the background on first boot. The script also creates a text document (exatt.newmachine.plist) containing the string 'true' within this directory. After running the package it hits my JSS with a 'jamf recon' and then finally a 'jamf policy'.

#!/bin/sh
# First-boot enrollment script, run as root by the LaunchDaemon
# /Library/LaunchDaemons/com.jamfenroll.firstrun.plist (so sudo is not needed).

# Rebuild the dyld shared cache on the freshly restored system.
update_dyld_shared_cache -force
# Strip any existing jamf framework (harmless if none is installed) so the
# QuickAdd enrolls from a clean state.
jamf RemoveFramework
# Drop the push-notification keychain cloned from the source Mac so this
# machine does not share its APNs identity with every other clone.
rm -f /Library/Keychains/apsd.keychain
# Enroll with the JSS.
installer -pkg /Library/Preferences/fghost/QuickAdd.pkg -target /
# Flag file read by the "new machine" Extension Attribute.
echo true > /Library/Preferences/fghost/exatt.newmachine.plist
# Submit inventory so the EA and smart group update, then run scoped policies.
jamf recon
jamf policy
# Disable this daemon so it never runs again (this also ends the script).
launchctl unload -w /Library/LaunchDaemons/com.jamfenroll.firstrun.plist

The recon helps the JSS see the 'true' document, assign an Extension Attribute, and group the machine into a smart group (new machines). From there, the subsequent 'jamf policy' tells this machine to start doing whatever is scoped to this Smart Group (change admin password/icon, install printers/software, etc.).

A final policy is scoped in to change the value of the exatt.newmachine.plist to 'false' and call another 'jamf recon'. The machine leaves the group and is now imaged, includes whatever packages I decided on, and is ready for a new user. Success!

So glad to get this working. It's a bit of a crude workaround, but it's working solidly, and by scoping policies to the smart group it stays 'thin' enough to be scalable until Linux-based JDSs are supported.

Regards,
Jason

I should note that the rc.netboot config mentioned above is no longer necessary with this set up.

Resources:
SIU Primer
https://wiki.cmich.edu/groups/imaging/wiki/751d7/Creating_an_imaging_workflow.html

Article about creating LaunchD plists
http://powercycled.wordpress.com/2012/04/25/spoof-mac-address-from-boot-using-launchd/

JAMF nation resources used to create my install script
https://jamfnation.jamfsoftware.com/discussion.html?id=9576
https://jamfnation.jamfsoftware.com/discussion.html?id=8225

Many thanks to Amanda Wulff and Justin Wetzel who put up with me throughout this whole process.
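The post describes three pieces it does not show: the LaunchDaemon that fires the first-boot script, the Extension Attribute script that turns the flag file into a smart-group criterion, and what the final scoped policy does to take the Mac back out of the group. The following is an added example and not Jason's code. Paths and the daemon label are the ones named in the post; the first-boot script name `firstrun.sh`, the function names, and the cleanup of the QuickAdd package are this example's assumptions:

```shell
#!/bin/sh
# Added example (not Jason's code): the pieces the post describes but does not
# show. Paths and the daemon label are the ones named in the post; the script
# name firstrun.sh and all function names are this example's assumptions.

FLAG_FILE=/Library/Preferences/fghost/exatt.newmachine.plist
QUICKADD_PKG=/Library/Preferences/fghost/QuickAdd.pkg
DAEMON_LABEL=com.jamfenroll.firstrun
DAEMON_PLIST="/Library/LaunchDaemons/$DAEMON_LABEL.plist"
FIRSTRUN_SCRIPT=/Library/Preferences/fghost/firstrun.sh   # assumed name

# Extension Attribute script body (the JSS runs it on every 'jamf recon').
# Only the exact string "true" counts; a missing, empty or mangled flag file
# reports false, so a half-imaged Mac cannot linger in the "new machines"
# smart group and keep re-running its first-boot policies.
new_machine_ea() {
    flag="$1"
    if [ -f "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "true" ]; then
        echo "<result>true</result>"
    else
        echo "<result>false</result>"
    fi
}

# What the final scoped policy does before its own 'jamf recon': flip the flag
# so the next inventory drops the Mac out of the smart group.
finish_new_machine() {
    flag="$1"
    echo false > "$flag"
    chmod 644 "$flag"
}

# Suggested addition: remove the QuickAdd package once enrollment succeeded.
# A Recon-built QuickAdd carries an enrollment secret for the JSS account that
# created it; there is no reason to leave that on every imaged Mac.
cleanup_enrollment_artifacts() {
    pkg="$1"
    rm -f "$pkg"
    [ ! -e "$pkg" ]
}

# LaunchDaemon that runs the first-boot script as root once at boot. The
# script's own 'launchctl unload -w' then disables it for good.
write_firstrun_daemon() {
    plist="$1"; script="$2"; label="$3"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$script</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    # launchd refuses daemons that are not root-owned or are group/world
    # writable; chown needs root, so it is skipped (not failed) when
    # previewing this as a normal user.
    chown root:wheel "$plist" 2>/dev/null || :
    chmod 644 "$plist"
}

# Usage on the image being built (as root):
#   write_firstrun_daemon "$DAEMON_PLIST" "$FIRSTRUN_SCRIPT" "$DAEMON_LABEL"
# Usage in the JSS: an Extension Attribute script whose last line is
#   new_machine_ea "$FLAG_FILE"
# and a final policy, scoped to the "new machines" smart group, that runs
#   finish_new_machine "$FLAG_FILE"; cleanup_enrollment_artifacts "$QUICKADD_PKG"; jamf recon
```

The EA deliberately treats anything but a literal `true` as false: the first-boot script writes the flag only after the QuickAdd has installed, so a Mac that rebooted mid-enrollment never matches the smart group and never receives the password-change and software policies scoped to it.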