Last updated 2008/03/18
Return to the Suffield Academy Network Documentation Homepage
A printable version of this document is also available.
All recent models of Macintosh computer have the ability to be NetBooted, where the computer boots its operating system off of a special server on the network. This approach has several advantages in a managed setting, including the ability to manage software and OS settings in lab environments and not needing to clean public machines manually (as changes are lost after reboots).
Here at Suffield, we do not have many public labs (each student has their own laptop). We primarily use NetBoot as a "rescue disk" for computers. By booting off of the network, the internal hard drive can be examined, repaired, erased, or reimaged with fresh software. Our NetBoot image contains various file repair utilities, as well as installers and system imaging software.
This document describes how to set up a NetBoot server that will service clients. Additionally, we describe how to build a "rescue disk" to serve to clients for repairs and system imaging.
Note: we mainly use our NetBoot image for booting damaged machines and repairing or reimaging them. Reimaging is done using a program called NetRestore. While we discuss the installation of NetRestore in this document, it only covers the use of the client. For more information about setting up NetRestore on the server, and for information on building images to install on client machines, see our HOWTO on creating NetRestore images.
To provide NetBoot services to your network, you'll need a machine running Mac OS X Server. These instructions assume version 10.4, though they should work equally well for 10.3. (10.2 is significantly different, however, so these instructions will not work for that version.) You should use an unlimited client license version of OS X, or else you will only be able to boot a limited number of machines simultaneously.
Please refer to Apple's documentation regarding the specifications of the server hardware itself. Depending on the number of clients, image size, network speed, and other factors, you may need to scale up your hardware. As our server is lightly used (fewer than 15 clients booted simultaneously), we get by with a G4 500Mhz machine with mirrored IDE drives for storage and SCSI for client data.
Begin by installing and configuring a machine running Mac OS X Server. Disable any services you will not be using. At a minimum, however, you must be running AFP, DHCP, and NetBoot to run a NetBoot server.
(Note: on Mac OS X Server 10.3, the DHCP service must also be enabled, even if it serves no actual addresses. This bizzare requirement has been dropped as of 10.4.)
Apple automatically configures a few sharepoints via AFP when you enable NetBoot. You should not alter or remove these sharepoints at any time.
You do not need to make any special changes to AFP to use NetBoot by itself. However, if you plan to use NetRestore for system imaging, you will need to create a sharepoint for the saved disk image files. Create a folder (or volume) on the server, and share it via AFP. You may wish to create a new user account that has access to this share, and disable guests (this prevents people from getting access to the raw image files). You can use the Workgroup Manager tool for these tasks.
In Server Admin, click on the NFS item. Confirm that the NFS service is running. If you plan to have a heavily loaded server, you may wish to increase the number of server daemon processes.
In Server Admin, click on the NetBoot item. You should see an overview status of the other services that NetBoot depends on. Ensure that these services are shown as running (except DHCP, if your network already has a DHCP server).
Click on the Settings tab at the bottom of the window. Under the General tab, you'll have a few choices on how to store client data and images. Note that "images" here refers to images that the clients will boot off of, not system restore images.
Check the box(es) for the drives you wish to use for the different types of data. If possible, split up the data between drives (this helps with speed).
At this point, you don't have any images to serve via NetBoot, so there are no other settings to change. See the next section for information on creating a NetBoot image that clients can start up from.
If you're booting your clients on the same subnet as the server, you should be set to go. However, if you're going to be booting accross subnets, you'll need to do a little more work.
Because NetBoot discovery requests are sent from the client using
DHCP, packets from the client must be forwarded on to the server. If
you have Cisco equipment, you must use the ip helper-address
statement in your router configuration to forward the packets.
For example, if your server is on VLAN 10 with IP address 172.16.10.100 and your client is on VLAN 20, your configuration should look something like this:
interface Vlan10 description Server VLAN ip address 172.16.10.1 interface Vlan20 description Client VLAN ip address 172.16.20.1 ip helper-address 172.16.10.100
This tells the router to forward broadcast packets accross VLANs to the address you specify. By default, DHCP packets are forwarded, along with other common broadcast traffic. See your network equipment manuals for more information on the default forwarded ports.
Additionally, you must ensure that you are not blocking any traffic between the clients and the server. NetBoot images are served via TFTP, AFP, HTTP, or NFS, so these ports (and any "return" ports for protocols such as NFS) must be open. If your setup doesn't seem to be working, try opening all ports to confirm that the problem isn't networking-related.
Using NetBoot, we can create a "rescue disk" that can boot client computers that are damaged or that need system software installation. This is a simple way to keep all your system utilities in a single place, and makes repairing and restoring systems very easy.
To build your rescue image, you'll need a machine to install the software on. We'll call this machine the master machine.
Your master machine should be the best computer available to you. Macintosh computers will often run systems from computers that are more recent, but the reverse is not always true.
You may wish to use a firewire drive to build the system image. This prevents you from having to erase a production machine, and makes loading the image onto the NetBoot server very easy. Alternately, you may prepare the image on a machine's internal hard drive, and then boot it into Firewire Target Mode to transfer the image.
You will be installing a system from scratch onto this machine. Make sure you've backed everything up, in case something goes wrong.
Begin by booting the master machine with the latest installation media you have.
You should choose a full Erase and Install option from the installer to ensure that you do not have any leftover cruft from the previous system.
Additionally, you should choose to perform a Custom Install. On the customization screen, deselect any options that are not necessary. This includes Additional Fonts, Language Translations, and Additional Applications. These things all take up space, and are not needed for our repair image.
Let the installation complete, and register the computer as you normally would.
When the computer boots up, bring the machine up to date with the latest software using the Software Update utility. Reboot as necessary.
You should install any site-specific OS updates (printer settings, Stuffit Expander, menu bar widgets, remote desktop settings, etc) before proceeding to software installation.
Below we describe how to install the standard suite of repair software used by Suffield Academy. Before you begin, you may wish to create a "manuals" folder on your desktop as a central location for software documentation.
Download the latest version of NetRestore from the Bombich home page:
Copy the entire NetRestore distribution folder into the Applications folder on the master machine. You should not copy the items individually; they must all be in the same folder.
Launch NetRestore and confirm that the settings are correct. Since this is a NetBootable image (and therefore cannot be modified at boot time), we store our NetRestore preferences on a web server.
Go to the NetRestore menu and select Remote Settings. At the bottom of the window, type in the URL for the parameters and configurations files on the server. Respectively, these values are:
http://veronica.suffieldacademy.org/netrestore-parameters-{arch}.plist
http://veronica.suffieldacademy.org/netrestore-configurations-{arch}.plist
Replace {arch} with the type of machine (ppc or i386).
Quit and relaunch NetRestore, and confirm that the new settings have taken effect.
For more information on editing remote preference files, see our NetRestore setup instructions.
Owing to a bug in NetRestore (starting with 3.0.3), the "lock" icon may not function properly when run from a NetBooted system. We've filed a bug report:
http://forums.bombich.com/viewtopic.php?t=5624
But have not heard any response back. If the bug is still present on your system (we've confirmed it in the current version, 3.3), we have a workaround:
Download Sudo-NetRestore Package
Essentially, this little application starts up NetRestore using "sudo" so that the program has root privileges. This makes authentication uneccessary, and so works around the lock issue.
The application has a hard-coded path and password built into it (the
password must be specified to sudo). If you need to build your
own version, it is fairly simple to do:
#!/bin/sh echo "PASSWORD" | sudo -S /Applications/NetRestore/NetRestore.app/Contents/MacOS/NetRestore &
Hopefully, the NetRestore guys will fix this bug soon, so this workaround won't be needed.
CCC is useful for backing up users' hard drives before reimaging them. CCC is not universal, but should work with OS X 10.4.2 and above.
Copy DiskWarrior from the original media into the Applications folder on the master machine. Also, copy the manual for DiskWarrior into the "manuals" folder for future reference.
Launch the program once to ensure that it is correctly installed.
Copy FileSalvage from the original media into the Applications folder on the master machine. Also, copy the manual for FileSalvage into the "manuals" folder for future reference.
Launch the program. On the first time through, it will prompt you to activate the registration for the software. Enter in the correct information and quit the program when it has been registered.
Run the TechTool Pro installer from the original media and install it onto the master machine. Start the program and register it properly. If necessary, download any updated versions of the software from the company's web site and run the update installers.
Copy any manuals from the media into the "manuals" folder for future reference.
Drag SoftRAID from its installation media into the Applications folder on the master machine. Also, copy the manual for SoftRAID into the "manuals" folder for future reference.
Launch the program. If prompted, update any drivers on the system (restarting if necessary).
This program may be found on any Mac OS X installer disk. It is used to lock or unlock the firmware on the computer.
This program is included on Mac OS X server machines, and is used to create Netboot sets. We put it on our image to make it easier to create Netboot sets from any machine.
We keep a folder of double-clickable bookmarks on the server in the Tech Repair folder. Copy this folder onto the desktop of the master machine so users can quickly access them.
We keep the latest edition of Fix A Troubled Mac on the ser in the Tech Repair folder. Copy the document onto the desktop of the master machine so users can quickly access it.
To save space on the image, you should delete any applications and files you know you will not need. Good candidates include the iLife suite, any games, obscure utilities (ColorSync, ODBC, etc), screen savers, background pictures, sample media, and developer tool samples.
To easily identify a computer that has been NetBooted, it is helpful to have a special background image. Suffield has such an image, stored in the Tech Repair folder on the server.
To install an image on the master machine, copy it onto the computer
and name it Aqua Blue.jpg. Move the file into the folder
/Library/Desktop Pictures/, replacing any existing version.
If you do not see the new screen on reboot, you may need to open the Display preference pane and explicitly change the background to the new image.
By default, our DHCP server advertises an LDAP server to all booted clients. This LDAP server helps with network authentication, servers, printers, and other centralized services.
Because the rescue image is not really multi-user, we don't need many of these authentication-related services. Additionally, they just slow down the operation of the system when not needed. Therefore, we disable these services for the rescue image.
To disable LDAP authentication, open the Directory Access program
in /Applications/Utilities. Authenticate (if necessary) by
clicking on the lock icon. Click the LDAPv3 service and click the
configure button to access the settings. In the window that
appears, deselect the
Add DHCP-supplied LDAP servers to automatic search policies
checkbox. Click OK to save your changes.
For diskless-NetBooted machines, all virtual memory must be stored on the server, and sent over the network. Because the network is extremely slow, this can be a major performance hit.
At the same time, virtual memory is vital to the proper functioning of the system. If a system exhausts physical memory and has no virtual memory to fall back on, it will thrash, hang, and die.
We've chosen to turn off virtual memory on systems with 1GB of physical RAM (or more). For most repair operations, this is enough memory to "get the job done", without needing the costly overhead of swapping via the network.
To do this, edit the file /etc/rc and add the following just above
the line that says echo "Starting virtual memory":
physmem=$(sysctl -n hw.memsize)
if [ "${physmem}" -lt 1073741824 ]; then
Basically, that tells the computer to only execute the VM code if there's less than 1024MB or RAM (you may tweak the number to any value you like; just specify the number in bytes).
We also need to close the if statement that we started, so moved
down a few lines and insert the following just below the line that
says /sbin/dynamic_pager ${encryptswap} -F ${swapdir}/swapfile:
else echo "Machine has at least 1GB of RAM; disabling virtual memory" fi
That prints a message if VM is disabled, and closes the if statement.
Spotlight is a metadata-indexing program that runs all the time on OS X 10.4. Because this causes unneeded disk thrash, we disable it for all disks on startup.
To do this, edit /etc/hostconfig and find the line that starts
with SPOTLIGHT. Change the value to -NO-, as shown below:
SPOTLIGHT=-NO-
Save your changes to the file.
By default, Mac OS X comes with conservative networking settings that do not maximize performance over fast (100Mb/s and up) links. Since most of our NetBooted machines will be on a link that is at least this fast, we apply some tweaks to increase the performance of the networking stack.
To do this, edit (or create, if it does not exist) the file
/etc/sysctl.conf. Add the following lines:
net.inet.tcp.mssdflt=1460 net.inet.tcp.sendspace=1048576 net.inet.tcp.recvspace=1048576 net.inet.udp.recvspace=65535 net.inet.udp.maxdgram=57344 kern.ipc.maxsockbuf=10485760 net.inet.tcp.rfc1323=1 net.inet.tcp.newreno=1 net.inet.tcp.always_keepalive=1 net.inet.tcp.keepidle=3600 net.inet.tcp.keepintvl=150 net.inet.tcp.slowstart_flightsize=4
As always, you may wish to comment the lines to make future edits easier.
At this point, you should have a disk with a fully-functional NetBoot image on it. You must now connect this disk to a machine with Apple's System Image Utility installed on it (it is included with Mac OS X Server).
The simplest way to do this is to connect the master image directly to the NetBoot server via firewire. If your image is on a firewire drive, simply connect it. If your image is built directly on a master machine, boot the machine into firewire target disk mode and connect it. Then:
/var/vm/, cache files, etc).
If you used System Image Utility to create an image directly into your NetBoot server folder, then the image is installed and ready to be used.
If you saved the image elsewhere, you must copy it into the SPxxx
folder on your NetBoot server. The folder name varies depending on
how many volumes you have enabled to host NetBoot images. In most
cases, the folder is called SP0 and is located in
/Library/NetBoot/ on the main drive.
If you want this image to be the default NetBoot image, use Server Admin to set this image to be the default.
The moment of truth! NetBoot one of your client machines to your new image and test out the software.
If your client machines won't NetBoot correctly, confirm that there are no firewall or ACL problems between the client and server machines. Recall that a proper NetBoot requires DHCP, TFTP, NFS, and AFP to work properly. Here are the symptoms of one of these protocols not working:
If your clients boot, test the software and confirm that they are all properly running and registered. Once that's done, you're all set!
It is widely anticipated that version 10.5 of Mac OS X (aka "Leopard") will be universal. That is, a single installation of 10.5 will boot both the older PowerPC-based macs, and also the new Intel-based macs.
Until 10.5 comes out, however, it is still possible to build universal images of Mac OS X under 10.4. This section documents how to do this.
Before you build a universal image, keep the following in mind:
We use a universal build for one thing: netbooting machines so they can be repaired or imaged. The universal boot simplifies the process for our workers (they don't see different things on different platforms). At the same time, this isn't a "production" system (it's only used until the system is repaired), so we don't worry about support issues from Apple or needing to run Software Update.
We've read several listserver posts and articles online:
The pioneers of this technique used Radmind to create their images. We don't have a radmind infrastructure set up, so we opted for the technique refined in the final link shown above.
Basically, people noticed that the Intel builds of Mac OS X 10.4 were mostly universal; the only thing preventing them from working on PowerPC macs was the lack of drivers for the PowerPC platform.
So, they first created a PowerPC install, and then overwrote it with an equivalent Intel install. The idea was that the PowerPC-specific bits would remain (as they had no Intel counterparts that would overwrite them), and all the universal Intel parts would replace the PowerPC code that wasn't universal.
Turns out this works, and that's exactly what we do here.
You'll need two machines for this: one PowerPC and one Intel. Additionally, you'll need system installer disks for each so you can install the same base system on each machine.
You'll also find an external hard drive to be handy, so you can install the combined system on it and move it between machines.
On both of your machines, install the same system with the same install options (again, since this is a repair/restore image, you can leave out many of the drivers, languages, fonts, iLife programs, and other cruft that you don't need).
Run Software Update and bring both machines up to the same version of the system.
We don't recommend making any customizations yet; you can do that once you've combined the installs into a universal build.
Now it's time to combine your two installations.
Copy all of the files from the PowerPC installation onto your external drive. We use CarbonCopyCloner in file-copy (not disk-image) mode to do this. You could also probably use asr in file-copy mode as well.
Once that's done, connect the drive to your Intel machine and do the exact same thing. Note that order is important here; we want to overwrite the PowerPC stuff with the universal Intel stuff, not the other way around!
Once the files are copied, you should now have a universal build of Mac OS X on your external drive.
Boot your PowerPC machine off of your new universal build. Install any PowerPC-specific software that you have and customize it appropriately. See the previous section for details on software to install.
Shut down the machine and move the drive to your Intel mac. Boot it from the universal build, and add any universal or Intel-specific software to your image.
Finally, customize the image with any settings, backgrounds, or other tweaks that you'd like the image to have.
Now it's time to build the NetBoot set. Using System Image Utility, build the image just as you would with a regular disk.
Once the build is complete, go into the folder where you saved the
NetBoot image. There is a file called NBImageInfo.plist. Edit
this file and look for the following section:
<key>Architectures</key>
<array>
<string>i386</string>
</array>
Change it so that it has an entry for both architectures:
<key>Architectures</key>
<array>
<string>ppc</string>
<string>i386</string>
</array>
Additionally, delete the entire DisabledSystemIdentifiers and its
associated array of values. This will allow the image to boot any
machine.
Save your changes, and activate the NetBoot set in Server Admin. You should see in Server Admin that the image is listed as universal, and you should be able to boot any model of machine from it.
Test your image, and then deploy it for regular use.