Univention PXE Net install got stuck

Hello everyone,

we are trying to install a univention master completely preseeded.

So far so good, the debian installer runs through all steps.

But after successful grub installation, the whole process just stops.

Any ideas?

Kind regards,
René

Hallo erstmal,
Hast du mit einem USB-Stick probiert?
Wenn ich dich Richtig verstehe, versuchst du UCS mit einem PXE Server zu Installieren.
Wenn du es noch nicht getan hast, dann lade über die Univention Webseite das ISO-image runter und Installierst es mit einem USB-stick, damit habe ich mein System Installiert.
Gibt es irgendwelche Fehlermeldungen? wenn es im Installationsprozess fehler gibt (egal wo), such nach diesen Fehler oder nach den Fehlercode.

Hello,

ich habe schon ziemlich viele UCS Systeme installiert, also daran scheitert es nicht.

Es geht hier wirklich um eine komplett automatisierte (preseeded) Installation übers Netzwerk.

Fehlermeldung gibt es keine:

Ich habe die PXE und Preseed Config hier einmal angehängt.

ucs-pxelinux.txt (217 Bytes) ucs-master-preseed.txt (5.4 KB)

lg

Ich habe so eben mit bekommen, dass das Univention Setup sehr wohl weiter läuft.

Wenn ich auf dem Screen wie oben im Bild in die Konsole wechsle, sehe ich unter /target/var/log/univention wie das Setup weiter läuft, allerdings gibt es keinen grafischen Output.

Das sind scheinbar die letzten Zeilen:

Wieder ein Stück weiter.

Die Installation läuft problemlos durch.

Auch das Univention Setup läuft danach los, und konfiguriert das System entsprechend der uss settings im preseed file.

Allerdings gibt es Probleme beim bind9 service.

Zum einen existiert /etc/bind9/univention.conf nicht, wodurch named-checkconfig bereits einen Fehler wirft und der dns Service gar nicht richtig starten kann.

Die rndc controll settings unter /etc/bind9/named.conf sind meines erachtens falsch, als Controll-Port ist hier 55555 angegeben, laut join log, wird aber laufend versucht Port 953 zu verwenden.

Lege ich die univention.conf via touch an, und ändere den Controll Port auf 953 lässt sich bind9 problemlos starten, und ein aufruf über “rndc status” klappt auch.

Allerdings geht es im Join Log immer noch nicht wirklich weiter.

Note: Das alles natürlich in einer chroot Session aus dem noch laufenden Installers heraus.

Könnte es sich hier um eine Bug handeln?

Nach etwa 2 Stunden läuft der restliche Join durch und das System startet in ein fertig installiertes System, allerdins nicht komplett sauber gejoint.

lg

1. As you already noticed Univention System Setup (USS) starts in the background after GRUB has been setup. USS itself does not send it’s own message to the front-end and so the last message from GRUB remains. You can switch to (Text-)console 4 so see USS running.

2. Setting up an UCS Master is tricky (and officially not supported), as setting up the Master is quiet different from setting up all other UCS roles: The later roles assume already running DNS, LDAP, … services, but the Master cannot. Therefore univention-join is never executed on the Master and the equivalent code is sprinkled over different locations in the code, mainly in USS setup-join.sh.

But setting up a Master can be done and actually I’m doing this on a regular basis to setup our UCS training environments.

The main issue with setting up the Master is that many services must be started while the installer is still in its chroot environment, where Debian normally disables starting any service: The installation gets stuck as USS assumes several services to be running, but actually they are not because of the chroot environment. This happens because the package post-installation scripts are required by Debian policy to use invoke-rc.d to start/stop services, which in turn asks policy-rc.d if the action is allowed. In the chroot environment all actions are denied (by default).
This is further complicated by the fact, that UCS still has not transitioned fully from runit to systemd and you have to also start runit during the installation, as systemd is not used during the installation but legacy SysV-Init (with runit for process supervision). Otherwise Univention Directory Listener (UDL) and Univention Directory Notifier (UDN) are not started.

Try inserting the following line into your profile:

d-i partman/early_command string sed -i 's/invoke-rc.d univention-runit/service univention-runit/' /var/lib/dpkg/info/di-univention-net-installer.postinst

You can test your seed/preseed.cfg file more easily by running it in a virtual machine with Qemu with something like this:

# Use the text-install instead of the graphical gkt/ one
# Make sure the kernel matches the ucs444 version in you preseed.cfg!
wget http://updates.software-univention.de/pxe/4.4-4/amd64/debian-installer/amd64/linux
wget http://updates.software-univention.de/pxe/4.4-4/amd64/debian-installer/amd64/initrd.gz
# Create empty test image
qemu-img create -f qcow2 test.qcow2 10G
# Run Qemu
qemu-system-x86_64 \
  -machine q35,accel=kvm -m 2048 -cpu host \
  -vga virtio -display gtk \
  -net nic,model=virtio -net user,tftp=seed/ \
  -drive file=test.qcow2,if=virtio,media=dirk,cache=unsafe,format=qcow2 \
  -kernel linux -initrd initrd.gz \
  -append 'auto=true priority=critical url=tftp://10.0.2.2/preseed.cfg' \
  -no-reboot
# You can switch consoles with Alt-Left/Right
# Use `chroot /target bin/bash` for debugging the chroot

After the installation re-run the same command without the 3 last lines -kernel … -no-reboot to test your installation.

Oh god thank you

That did the trick, and thank you for the detailed explanation.

The setup is now finishied within a half hour and looks good afterwards.

The join scripts are executed, and the master seems to be setup correctly, exactly how we need it.

One further question.

Let me explain our use case first.

We are developing an automation, to deploy several customer platforms fully unattended at our datacenter, this includes standard linux distros and also univention servers.
The first one was the ucs master, which now works.

During the deployment, we use an separate network interface (vlan) which has access to the deployment servers (a debian vm with a dhcp and tftp server, and an ucs server without any ucs services nor a domain, for the ucs-net-installer and the ucs repository)

For univention we preseed the correct network configuration (for the main LAN) via uss variables in the preseed file, which works without any problems.

After the setup is finished, we place a rc.local script under /etc/ which connects to our deployment backend, and further tells the backend, that the installation is now finished.
The backend then removes the deployment network interface from the vm, and informs the customer, that the new vm is now set up.

Now my question is, how to deploy further ucs machines in the deployed customer network?
Is it also possible, to preseed the domain information’s and join user?

All the best,
René

Is it also possible, to preseed the domain information’s and join user?

In the past this was possible using some profile variables; see old Extended installation documentation
. But reading the current code of setup-join.sh shows that the code to pass the account and its credentials was removed some years ago.
I’d recommend to run the installation with auto_join disabled and then doing an univention-join -dcaccount Administrator -dcpwd <(printf '%s' 'very-secret-password') afterwards.

Hello,

okay, i will try this.

Just to be sure… if i want to setup and join a Slave Server, i run the installer with univention-system-setup-boot uss/server/role string domaincontroller_slave in the preseed file and uss/start/join set to false.

With an post script i then call univention-join -dcaccount Administrator -dcpwd <(printf '%s' 'very-secret-password' after the first reboot in the fresh installed system?

Yes, that should work: I remember doing it like this in the past, but have not tested it currently. Might me that you need to write the credentials to a file instead of using the <(printf…)-trick.
Another option would be to use our KVM images in Appliance-Mode: It’s a default setup where the Debian-Installer part has already been executed and the VM is suspended when next Univention System Setup (USS) starts. We use that image all the time for our nightly test runs as it saves some time. Basically you ssh in as user root with a default password, place the profile at /var/cache/univention-system-setup/profile and execute /usr/lib/univention-system-setup/scripts/setup-join.sh.
We also had cloud-init support, but that is currently broken,

Wonderful, works without any problems, thanks for the hint.

And here’s the next question:

How should we request core licenses?
We need that, that we can install complete setups from scratch including apps which require a license.
The customer has to buy a license afterwards from us (when everything is set up)

Where do we get an account at the licensing server? https://license.univention.de/shop/order/

Edit:
2nd question.

the trick with <(printf) seems to work for univention-app install to …
But even, it doesn’t work how it should.

For example it i try to install kopano core, the installer roles back after a while.
The breakpoint is the question for the password of root@dc.example.com for master packages installation.

is there a way, to predefine that password?

Contact vertrieb@univention.de

Have a look at utils.sh. Maybe you need to invoke univention-app install --noninteractive --only-master-packages "$app" on the master directly (I’m not an univention-app expert, maybe @dwiesent knows more details).

The answer to this can be found in the help text of univention-app itself:

$ univention-app install -h
usage: univention-app install [-h] [--noninteractive] [--username USERNAME]
                              [--pwdfile PWDFILE]
                              [--set KEY=VALUE [KEY=VALUE ...]] [--dry-run]
                              [--do-not-revert] [--only-master-packages]
                              [--do-not-install-master-packages-remotely]
                              [--do-not-pull-image]
                              app

Install an app

positional arguments:
  app                   The ID of the App

optional arguments:
  -h, --help            show this help message and exit
  --noninteractive      Do not prompt for anything, just agree or skip
  --username USERNAME   The username used for registering the app. Default:
                        Administrator
  --pwdfile PWDFILE     Filename containing the password for registering the
                        app. See --username
  --set KEY=VALUE [KEY=VALUE ...]
                        Sets the configuration variable. Example: --set
                        some/variable=value some/other/variable="value 2"
  --dry-run             Perform only a dry-run. App state is not touched
  --do-not-revert       Do not revert the installation when it fails. May
                        leave the system in an undesired state
  --only-master-packages
                        Install only master packages
  --do-not-install-master-packages-remotely
                        Do not install master packages on DC master and DC
                        backup systems
  --do-not-pull-image   Do not pull the image of a Docker App. Instead, the
                        image is assumed to be already in place

PS: giving https://github.com/univention/schulangebot a closer look could be beneficial in your situation as well. while it has a focus on school deployments it uses a lot of the building blocks you need for your automated deployment as well.