Posted on 07-02-2014 08:17 AM
Hey all,
I had thought my Netboot server was set up correctly. I can boot to it and access the JSS no problem. My issue is I can't unmount my Macintosh HD disk. I have diskless selected but no dice. When I boot off the network I'm still using local resources.
This means I can't image any computers through Netboot. Any suggestions? What might I be overlooking?
Thanks,
Jason
Posted on 07-02-2014 08:28 AM
Hi Jason,
If you'd like to get diskless working, this article has been really helpful for that:
http://www.macos.utah.edu/documentation/administration/setup_netboot_service_on_mac_os_x_10.6.x_clie...
Another option is to use Casper NetInstall Creator that has just gone through a major overhaul:
https://jamfnation.jamfsoftware.com/viewProduct.html?id=13&view=info
With NetInstall, the image is diskless by nature, so we shouldn't have any unmounting issues.
Posted on 07-02-2014 11:38 AM
I'll try the NetInstall Creator and post results. I've already followed all the steps on the utah.edu article, but for some reason it's still using resources on the local drive.
Thanks for the help, I'll post my results when I've made a new netinstall image.
Posted on 07-03-2014 09:45 AM
After creating an image with the NetInstall Creator, my first attempt to NetBoot a brand new Mac resulted in a Kernel Panic. I solved this problem by changing the share from NFS to HTTP through the NetInstall preferences of the OSX Server.
So now it boots into Casper Netinstall and has the nifty Casper background. Casper Imaging loads right up, but I'm still plagued with problems. When I attempt to mount my Distribution Point I get this error:
There was a problem connecting to the server "jss.ourservername.org"
I'm then told to contact my system administrator. Awesome. I am the system administrator so I'm a little flummoxed. Why is it having this issue?
Thanks,
Jason
Posted on 07-03-2014 09:53 AM
@ops We had to modify our rc.netboot file differently than the Utah article, but we also had to run the kernel cache script on the NetBoot set as well. That got us working; below is the rc.netboot we're using...
#!/bin/sh
##
# Copyright 2002-2009 Apple Inc.
#
# This script configures NetBoot
##
. /etc/rc.common
#
# This script has been modified to support diskless or RAM disk netboot
#
# Revised: July 14th, 2011
# Revised by: Richard Glaser
#
# For more information or give feedback or file bugs...
# See web site...
#
# http://www.macos.utah.edu/documentation/administration/setup_netboot_service_on_mac_os_x_10.6.x_client.html
#
#
# Define: NETBOOT_SHADOW
#
# Purpose:
# To change the behavior of the system when choosing a netboot shadow
# to use.
#
# Values:
# -NETWORK- Try to use the network for the shadow file, if
# that fails, use the local drive
# -NETWORK_ONLY- Only use the network, fail if not available
# -LOCAL- Use the local drive for the shadow file, if that
# fails, use the network
# -LOCAL_ONLY- Only use the local drive for the shadow, fail if
# not available
NETBOOT_MOUNT=/var/netboot
# Change to "-LOCAL_ONLY-" to use RAM Disk instead of network
NETBOOT_SHADOW=-LOCAL_ONLY-
# NETBOOT_SHADOW=${NETBOOT_SHADOW:-NETWORK-}
# There is a bug in the default variable assignment, it loses the beginning "-"
# So, it never correctly assigns the variable or branch in the case statement in the
# do_start() sub-routine and always gets assigned to the "* )" branch.
Failed()
{
echo rc.netboot: $1
echo rc.netboot: $1 > /dev/console
sleep 5
exit 1
}
common_start()
{
netboot_dir=$1
netboot_shadow=$2
if [ "${netboot_dir}" = "" ] ; then
Failed "netboot_dir is empty"
fi
if [ "${netboot_shadow}" = "" ] ; then
Failed "netboot_shadow is empty"
fi
netboot_shadow="${netboot_dir}/${netboot_shadow}"
if ! mkdir -p "${netboot_dir}" ; then
Failed "create ${netboot_dir} failed"
fi
chmod 700 "${netboot_dir}"
mount -u -o ro /
# Extract the device name of the root volume (e.g. "disk0s2" or "vn0") from mount(8) output
root_device=$(mount | sed -n 's:/dev/\(.*\) on / .*:\1:p')
case "${root_device}" in
vn*)
if ! touch "${netboot_shadow}" ; then
Failed "create ${netboot_shadow} failed"
fi
chmod 600 "${netboot_shadow}"
if ! /usr/libexec/vndevice shadow "/dev/r${root_device}" "${netboot_shadow}" ; then
Failed "vndevice shadow failed"
fi
;;
"")
Failed "root device unknown"
;;
*)
if ! touch "${netboot_shadow}" ; then
Failed "failed to create shadow ${netboot_shadow}"
fi
chmod 600 "${netboot_shadow}"
if ! /usr/bin/nbdst -recycle "${root_device}" "${netboot_shadow}" ; then
Failed "nbdst failed"
fi
;;
esac
}
local_mount()
{
# tries=0
# limit=11
# while [ $tries -lt $limit ]; do
# tries=$(( tries + 1 ))
# volinfo=$(autodiskmount -F 2>/dev/null)
# if [ $? -ne 0 ]; then
# if [ $tries -lt $limit ]; then
# echo "Waiting for local drives..."
# echo "Waiting for local drives (retry ${tries}/$(( limit - 1 )))..." > /dev/console
# sleep 5
# else
# echo "autodiskmount -F found no local drives"
# return 1
# fi
# else
# tries=$limit
# fi
# done
# set ${volinfo}
# devname=$1
# fstype=$2
#
# mount -t "${fstype}" -o nosuid,nodev "/dev/${devname}" "${NETBOOT_MOUNT}" 2>&1
# if [ $? -ne 0 ]; then
# echo "mount of ${devname} failed"
# return 1
# fi
# Probe local drives (result unused in RAM-disk mode; the old mount path above is commented out)
volinfo=$(autodiskmount -F 2>/dev/null)
RAMDisk "${NETBOOT_MOUNT}"
common_start "${NETBOOT_MOUNT}/.com.apple.NetBootX" shadowfile
return 0
}
#
# Create a RAM disk with same perms as mountpoint
#
RAMDisk()
{
mntpt=$1
rdsize=500000
echo "Creating RAM Disk for $mntpt"
# hdik prints the device node it attached (e.g. /dev/disk1); capture it for newfs/mount
dev=$(hdik -drivekey system-image=yes -nomount ram://$rdsize)
if [ $? -eq 0 ] ; then
newfs_hfs $dev
# save & restore fs permissions covered by the mount
eval `/usr/bin/stat -s $mntpt`
mount -t hfs -o union -o nobrowse $dev $mntpt
chown $st_uid:$st_gid $mntpt
chmod $st_mode $mntpt
fi
}
network_mount()
{
mount_from=$(ipconfig netbootoption shadow_mount_path 2>&1)
if [ $? -ne 0 ]; then
echo "no network shadow mount path available"
return 1
fi
shadow_path=$(ipconfig netbootoption shadow_file_path 2>&1)
if [ $? -ne 0 ]; then
echo "no network shadow file path available"
return 1
fi
case "${mount_from}" in
afp:)
fstype=afp
kextutil -v 0 /System/Library/Filesystems/AppleShare/asp_tcp.kext
kextutil -v 0 /System/Library/Filesystems/AppleShare/afpfs.kext
;;
nfs:) fstype=nfs;;
*) echo "unknown network filesystem mount from ${mount_from}"
return 1
;;
esac
mount -t "${fstype}" -o nobrowse "${mount_from}" "${NETBOOT_MOUNT}"
if [ $? -ne 0 ]; then
echo "mount -t ${fstype} -o nobrowse ${mount_from} ${NETBOOT_MOUNT} failed"
return 1
fi
common_start "${NETBOOT_MOUNT}" "${shadow_path}"
return 0
}
do_start()
{
case "${NETBOOT_SHADOW}" in
-LOCAL_ONLY- )
err=$(local_mount)
if [ $? -ne 0 ]; then
Failed "${err}"
fi
;;
-LOCAL- )
err=$(local_mount)
if [ $? -ne 0 ]; then
err=$(network_mount)
if [ $? -ne 0 ]; then
Failed "Could not find a local or network drive"
fi
fi
;;
-NETWORK_ONLY-)
err=$(network_mount)
if [ $? -ne 0 ]; then
Failed "${err}"
fi
;;
* )
err=$(network_mount)
if [ $? -ne 0 ]; then
err=$(local_mount)
if [ $? -ne 0 ]; then
Failed "Could not find a network or local drive"
fi
fi
;;
esac
}
do_init()
{
# attach the shadow file to the root disk image
do_start
# make sure the root filesystem is clean
fsck -p || fsck -fy || Failed "Could not clean root filesystem"
# make it writable
mount -uw /
# adjust /private/var/vm to point to the writable area (if not diskless)
swapdir=/private/var/vm
mounted_from=$(mount | sed -n 's:\(.*\) on .*/var/netboot.*:\1:p')
case "${mounted_from}" in
/dev/*)
netboot_dir="${NETBOOT_MOUNT}/.com.apple.NetBootX"
if [ -d "${netboot_dir}" ]; then
rm -rf "${swapdir}"
ln -s "${netboot_dir}" "${swapdir}"
fi
;;
*)
;;
esac
# set the ComputerName based on what the NetBoot server told us it was
machine_name=$(ipconfig netbootoption machine_name 2>&1)
if [ $? -ne 0 ]; then
echo "no machine name option available"
else
echo "Setting ComputerName to ${machine_name}"
scutil --set ComputerName "${machine_name}"
fi
}
if [ $# -lt 1 ] ; then
exit 0
fi
command=$1
shift
case "${command}" in
init)
do_init $@
;;
esac
##
# Exit
##
exit 0
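The default-assignment pitfall that the comments in the rc.netboot above describe, reproduced as an added example (not part of the posted script) so the behaviour can be checked without a NetBoot set:

```shell
#!/bin/sh
# Added example (not part of the posted rc.netboot): reproduces the default-value
# bug its comments describe and shows the corrected expansion.

# ${VAR:-WORD} uses ":-" as the operator, so in "${NETBOOT_SHADOW:-NETWORK-}"
# the default WORD is "NETWORK-": the leading dash of "-NETWORK-" is eaten.
buggy_default() {
    v=$1
    echo "${v:-NETWORK-}"
}

# Put the whole default word after the operator. ":--NETWORK-" parses as the
# operator ":-" followed by the word "-NETWORK-".
fixed_default() {
    v=$1
    echo "${v:--NETWORK-}"
}

# Mirrors the case statement in do_start(): the posted script has no explicit
# "-NETWORK-" branch, so both the intended default and the mangled "NETWORK-"
# fall through to "*)", which tries the network first and then the local disk.
# Any typo in NETBOOT_SHADOW silently gets that same behaviour.
select_branch() {
    case "$1" in
        -LOCAL_ONLY-)   echo local_only ;;
        -LOCAL-)        echo local_then_network ;;
        -NETWORK_ONLY-) echo network_only ;;
        *)              echo network_then_local ;;
    esac
}

# Stand-alone demo: prints the branch each variant selects.
for shadow in "$(buggy_default '')" "$(fixed_default '')" "$(fixed_default -LOCAL_ONLY-)"; do
    echo "$shadow -> $(select_branch "$shadow")"
done
```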
Posted on 07-03-2014 12:56 PM
Thanks for the advice. Gave it a go, but no joy with the NetInstall image, still refusing my authentication.
Just to see what would happen, I pulled up my older image from before NetInstall. I punched your code into the rc.netboot file and I was able to unmount the disk. Awesome! So for anyone stumbling into this thread looking to unmount a netboot disk, use that code for your rc.netboot file. My troubles are not over though.
Booted into my original nbi (not created with NetInstall Creator), I attempted to run a config on the drive. I then got a request from the Mac asking me to authenticate to the JSS. It rejected my authentication and spit out the same message as before about being unable to reach the JSS. Now when I boot the Mac, it can't boot to the local drive or the recovery partition. So it's able to unmount the drive and wipe it, but can't reach my JDS for whatever reason. Any clues on where to start troubleshooting?
Thanks again,
Jason
Posted on 07-09-2014 01:48 PM
Assuming it's not an issue with the bug in auth to SMB shares (https://jamfnation.jamfsoftware.com/article.html?id=74)?
Posted on 07-16-2014 03:34 PM
Finally got this working.
I spoke with JAMF Support, but it looks like NetBoot is not supported with my setup. Our company uses a Linux-based JDS and this setup is not supported with JAMF's NetBooting solutions:
"Right now, it's an OS X only solution, and we'll hopefully see one for Linux JDSes soon (unfortunately, I don't have a time table on that, though)." https://jamfnation.jamfsoftware.com/discussion.html?id=10819
So here's how I've managed this.
I have a Mac mini running OSX Server that I'm using to serve my images. I created a NetRestore image using SIU.
My image is very simple and just includes an up-to-date OSX installation and an administrator account. I also created a QuickAdd package using Recon and put that in a directory within /Library/Preferences. Finally, I included a script and a launchd job that runs the QuickAdd in the background on first boot. The script also creates a text document (exatt.newmachine.plist) containing the string 'true' within this directory. After running the package it hits my JSS with a 'jamf recon' and then finally a 'jamf policy'.
sudo update_dyld_shared_cache -force
sudo jamf RemoveFramework
sudo rm /Library/Keychains/apsd.keychain
installer -pkg /Library/Preferences/fghost/QuickAdd.pkg -target /
echo true > /Library/Preferences/fghost/exatt.newmachine.plist
sudo jamf recon
sudo jamf policy
sudo launchctl unload -w /Library/LaunchDaemons/com.jamfenroll.firstrun.plist
The recon helps the JSS see the 'true' document, assign an Extension Attribute, and group the machine into a smart group (new machines). From there, the subsequent 'jamf policy' tells this machine to start doing whatever is scoped to this Smart Group (change admin password/icon, install printers/software, etc.).
A final policy is scoped in to change the value of the exatt.newmachine.plist to 'false' and call another 'jamf recon'. The machine leaves the group and is now imaged, includes whatever packages I decided on, and is ready for a new user. Success!
So glad to get this working. It's a bit of a crude workaround, but it's working solidly, and by scoping policies to the smart group it stays 'thin' enough to be scalable until Linux-based JDSs are supported.
Regards,
Jason
I should note that the rc.netboot config mentioned above is no longer necessary with this set up.
Resources:
SIU Primer
https://wiki.cmich.edu/groups/imaging/wiki/751d7/Creating_an_imaging_workflow.html
Article about creating LaunchD plists
http://powercycled.wordpress.com/2012/04/25/spoof-mac-address-from-boot-using-launchd/
JAMF nation resources used to create my install script
https://jamfnation.jamfsoftware.com/discussion.html?id=9576
https://jamfnation.jamfsoftware.com/discussion.html?id=8225
Many thanks to Amanda Wulff and Justin Wetzel who put up with me throughout this whole process.
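The Extension Attribute side of the workflow above, as an added example that is not part of the original post: the EA script the JSS would run to read the exatt.newmachine.plist flag, and the helper the final policy would run to flip it. The fghost directory name comes from the post; letting the functions take an explicit path is an assumption added so they can be exercised against a temporary file.

```shell
#!/bin/sh
# Added example, not from the thread: a JSS Extension Attribute script that reads
# the flag file the first-boot script writes, plus the helper the final policy
# would run to flip it. The fghost directory name is from the post; passing an
# explicit path to the functions is an assumption added so they can be exercised
# against a temporary file.

DEFAULT_FLAG=/Library/Preferences/fghost/exatt.newmachine.plist

# Report the "new machine" state in the <result> form the JSS expects.
# A missing, unreadable or malformed file reports false, so an already-imaged
# Mac (or one whose first boot failed half way) never re-enters the smart group.
new_machine_ea() {
    flag=${1:-$DEFAULT_FLAG}
    value=false
    if [ -r "$flag" ]; then
        # Strip whitespace (the post writes the file with echo, so it ends in a
        # newline) and compare strictly: anything other than "true" is false.
        if [ "$(tr -d '[:space:]' < "$flag")" = "true" ]; then
            value=true
        fi
    fi
    echo "<result>${value}</result>"
}

# Body of the final policy: mark the machine as no longer new. On a managed Mac
# this would be followed by "jamf recon" so the smart group membership updates.
mark_imaged() {
    flag=${1:-$DEFAULT_FLAG}
    mkdir -p "$(dirname "$flag")" || return 1
    echo false > "$flag" || return 1
    return 0
}

# Stand-alone use: "--ea" prints the EA result, "--mark-imaged" flips the flag.
case "${1:-}" in
    --ea) new_machine_ea ;;
    --mark-imaged) mark_imaged ;;
esac
```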