Netboot Services

Last updated 2009/11/07


Introduction

All recent models of Macintosh computer have the ability to be NetBooted, where the computer boots its operating system off of a special server on the network. This approach has several advantages in a managed setting, including the ability to manage software and OS settings in lab environments and not needing to clean public machines manually (as changes are lost after reboots).

Here at Suffield, we do not have many public labs (each student has their own laptop). We primarily use NetBoot as a "rescue disk" for computers. By booting off of the network, the internal hard drive can be examined, repaired, erased, or reimaged with fresh software. Our NetBoot image contains various file repair utilities, as well as installers and system imaging software.

This document describes how to set up a NetBoot server that will service clients. Additionally, we describe how to build a "rescue disk" to serve to clients for repairs and system imaging.

Note: we mainly use our NetBoot image for booting damaged machines and repairing or reimaging them. Reimaging is done using a program called DeployStudio.

Configuring Netboot Services

To provide NetBoot services to your network, you'll need a machine running Mac OS X Server. These instructions assume version 10.5, though they should work equally well for later versions. You should use an unlimited client license version of OS X, or else you will only be able to boot a limited number of machines simultaneously.

Please refer to Apple's documentation regarding the specifications of the server hardware itself. Depending on the number of clients, image size, network speed, and other factors, you may need to scale up your hardware. As our server is lightly used (fewer than 15 clients booted simultaneously), we get by with a single G5 XServe.

Initial Setup

Begin by installing and configuring a machine running Mac OS X Server. Disable any services you will not be using. At a minimum, however, you must be running AFP and NetBoot to run a NetBoot server.

AFP Settings

Apple automatically configures a few sharepoints via AFP when you enable NetBoot. You should not alter or remove these sharepoints at any time.

You do not need to make any special changes to AFP to use NetBoot by itself. However, if you plan to use DeployStudio for system imaging, you will need to create a sharepoint for the saved disk image files, either on the netboot server or on another server running AFP. We have elected to share the DeployStudio repository on our primary file server (which has more space and bandwidth).

NFS Settings

In Server Admin, click on the NFS item. Confirm that the NFS service is running. If you plan to have a heavily loaded server, you may wish to increase the number of server daemon processes.

NetBoot Settings

In Server Admin, click on the NetBoot item. You should see an overview status of the other services that NetBoot depends on. Ensure that these services are shown as running (except DHCP, if your network already has a DHCP server).

Click on the Settings tab at the bottom of the window. Under the General tab, you'll have a few choices on how to store client data and images. Note that "images" here refers to images that the clients will boot off of, not system restore images.

Check the box(es) for the drives you wish to use for the different types of data. If possible, split up the data between drives (this helps with speed).

At this point, you don't have any images to serve via NetBoot, so there are no other settings to change. See the next section for information on creating a NetBoot image that clients can start up from.

Network Settings

If you're booting your clients on the same subnet as the server, you should be set to go. However, if you're going to be booting across subnets, you'll need to do a little more work.

Because NetBoot discovery requests are sent from the client using DHCP, packets from the client must be forwarded on to the server. If you have Cisco equipment, you must use the ip helper-address statement in your router configuration to forward the packets.

For example, if your server is on VLAN 10 with IP address 172.16.10.100 and your client is on VLAN 20, your configuration should look something like this (we use Juniper switches):

forwarding-options {
  helpers {
    bootp {
      server 172.16.10.100;
      interface vlan.20;
    }
  }
}

This tells the router to forward broadcast packets across VLANs to the address you specify. By default, DHCP packets are forwarded, along with other common broadcast traffic. See your network equipment manuals for more information on the default forwarded ports.

Additionally, you must ensure that you are not blocking any traffic between the clients and the server. NetBoot images are served via TFTP, AFP, HTTP, or NFS, so these ports (and any "return" ports for protocols such as NFS) must be open. If your setup doesn't seem to be working, try opening all ports to confirm that the problem isn't networking-related.
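When a cross-subnet boot fails, the first question is whether the client can reach the server on each of the services just listed. The following script is an added example (not part of the Suffield page): it lists the standard ports for those services and probes the TCP ones with nc from the client subnet. The server name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Suffield page: check that a NetBoot server is
# reachable from a client subnet on the services the page lists. The host name
# in the usage comment below is an assumption; substitute your own server.

# Services a NetBoot client needs to reach, one per line: service port protocol.
# Port numbers are the standard assignments for these protocols (111 is the
# portmapper that NFSv3 mount negotiation goes through).
netboot_required_ports() {
  cat <<'EOF'
bsdp/dhcp 67 udp
tftp 69 udp
http 80 tcp
portmap 111 tcp
afp 548 tcp
nfs 2049 tcp
EOF
}

# Probe one TCP port with nc (-z: no payload, -w: timeout in seconds). Returns 0
# when the port accepts a connection, 1 when it does not, 2 when nc is missing.
check_port() {
  host="$1"; port="$2"
  command -v nc >/dev/null 2>&1 || return 2
  nc -z -w 2 "$host" "$port" >/dev/null 2>&1
}

# Probe every TCP service from the list and report; returns the number that
# were unreachable. UDP services (DHCP/BSDP, TFTP) are listed but not probed:
# a closed UDP port gives no reply to a connect attempt, so a packet capture on
# the client is the reliable check for those.
check_netboot_server() {
  host="$1"; unreachable=0
  for entry in $(netboot_required_ports | awk '$3 == "tcp" { print $1 ":" $2 }'); do
    svc="${entry%%:*}"; port="${entry##*:}"
    if check_port "$host" "$port"; then
      echo "OK    $svc $port/tcp"
    else
      echo "FAIL  $svc $port/tcp"
      unreachable=$((unreachable + 1))
    fi
  done
  echo "$unreachable TCP service(s) unreachable on $host"
  return "$unreachable"
}

# Usage from a client on the other VLAN (server name is an example):
#   check_netboot_server netboot.example.org
```

Run it from a machine on the client VLAN, not from the server itself, so that the router's helper configuration and any ACLs between the two subnets are actually exercised.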

Building a Rescue Image

Using NetBoot, we can create a "rescue disk" that can boot client computers that are damaged or that need system software installation. This is a simple way to keep all your system utilities in a single place, and makes repairing and restoring systems very easy.

Selecting a Machine

To build your rescue image, you'll need a machine to install the software on. We'll call this machine the master machine.

Your master machine should be the best computer available to you. Macintosh computers will often run systems from computers that are more recent, but the reverse is not always true.

You may wish to use an external drive to build the system image. This prevents you from having to erase a production machine, and makes loading the image onto the NetBoot server very easy. Alternately, you may prepare the image on a machine's internal hard drive, and then boot it into Target Mode to transfer the image.

You will be installing a system from scratch onto this machine. Make sure you've backed everything up, in case something goes wrong.

Base Installation

OS X Installation

Begin by booting the master machine with the latest installation media you have.

You should choose a full Erase and Install option from the installer to ensure that you do not have any leftover cruft from the previous system.

Additionally, you should choose to perform a Custom Install. On the customization screen, deselect any options that are not necessary. This includes Additional Fonts, Language Translations, and Additional Applications. These things all take up space, and are not needed for our repair image.

When the installation completes, reboot. Register the computer as usual and create a generic admin account with an insecure password (you'll be sharing this password with anyone who uses the image, so it shouldn't be something you don't want to give out).

System Configuration

OS Updates

Run Software Update and install any pending updates. Reboot as necessary, and continue running until no further updates are pending.

Finder Preferences

Show Connected Servers.

New Finder windows should open Applications.

Sidebar should only show Hard Disks, External Disks, CDs, DVDs, and iPods, Connected Servers, Home, and Applications.

Show all file extensions.

Disable Spotlight

Spotlight is a resource hog, and not useful in a repair image. You can disable it by running the following commands:

For Mountain Lion (10.8):

launchctl unload -w /System/Library/LaunchAgents/com.apple.metadata.mdwrite.plist
launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.scan.plist
launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.spindump.plist
chmod 600 /System/Library/CoreServices/Search.bundle/Contents/MacOS/Search

Disable Bonjour

Additionally, we don't want to allow Bonjour requests to or from netbooted machines. Add the following firewall rule, which denies Bonjour (mDNS) traffic, at the bottom of /etc/pf.conf:

block quick proto udp from any to any port 5353

You'll need to enable the firewall service:

launchctl load -w /System/Library/LaunchDaemons/com.apple.pfctl.plist

After a reboot, the following should turn up empty (no received advertisements from other computers):

dns-sd -B

Disable Safe Sleep

Safe Sleep keeps a large file (the size of physical RAM) on the boot volume to allow for hibernation. This is a huge performance hit, so we disable it for our repair image.

Add the following to /etc/rc.local

pmset -a hibernatemode 0

Unique Computer Name

To prevent every netbooted computer from having the same name (and popping up an annoying warning to the user), add the following to /etc/rc.local

scutil --set LocalHostName "NetBoot-$(date -u +%s)"
scutil --set ComputerName "Repair and Restore $(date -u +%s)"

Background Image

To easily identify a computer that has been NetBooted, it is helpful to have a special background image. Suffield has such an image, stored in the Tech Repair folder on the server.

To install an image on the master machine, copy it onto the computer and name it DefaultDesktop.jpg. Move the file into the folder /System/Library/CoreServices/, replacing any existing version.

System Preferences

Open the System Preferences and make the following changes:

Appearance

Set appearance and colors to Graphite.

Desktop & Screen Saver

Set the desktop to the replaced DefaultDesktop you installed earlier.

Set the screen saver to Computer Name, and enable Show with clock. Have the screen saver start after 30 minutes.

Dock

Have the Dock appear on the left-hand side of the screen, with size small enough to fit all the icons.

Expose & Spaces

Set the hot corners as follows:

Security

Uncheck all items under the General tab.

Displays

Check Show displays in menu bar.

Energy Saver

Set the Computer Sleep time to Never. Set the Display sleep time to 1 hour.

Change the battery status menu to show estimated time.

Print & Fax

Add the Multimedia Lab printer.

Network

Disable the AirPort card (netbooted machines have a hardwired connection, so there's no need for AirPort).

Accounts

Set the computer to autologin to the root account, using the password you specified earlier.

Date & Time

Set the clock automatically to ntp.suffieldacademy.org.

Confirm that the time zone is set correctly.

Turn on showing the time with seconds.

Software Update

Disable checking for updates.

Time Machine

Turn off, and disable showing status in the menu bar.

Software Installation

Below we describe how to install the standard suite of repair software used by Suffield Academy.

DeployStudio

Download the latest stable version of DeployStudio:

http://www.deploystudio.com/

Launch the installer, and choose Customize.

Select only the mandatory greyed-out options.

Install the software.

Add DeployStudio Runtime from the Utilities folder into the dock.

Run DeployStudio Runtime and set the server and login credentials. Set the password to be saved for future use. The server address is:

http://jango.suffieldacademy.org:60080/

Go into Keychain Access and double-click the saved credentials for DeployStudio. Ensure that Allow all applications to access this item is selected under Access Control.

Start DeployStudio Runtime and confirm that the credentials have been saved correctly. Log in and confirm that everything is working as planned.

DiskWarrior

Copy DiskWarrior from the original media into the Applications folder on the master machine. Add it to the dock.

Launch the program once to ensure that it is correctly installed.

DataRescue

Copy DataRescue II from the original media into the Applications folder on the master machine. Add it to the dock.

Launch the program. On the first time through, it will prompt you to activate the registration for the software. Enter in the correct information and quit the program when it has been registered.

TechTool Pro

Run the TechTool Pro installer from the original media and install it onto the master machine. Start the program and register it properly. If any updates are available, install them as well.

Reboot the machine, and disable the active protection in the Tech Tools system preference.

Firmware Password Utility

This program may be found on any Mac OS X installer disk. It is used to lock or unlock the firmware on the computer.

System Image Utility

This program is located in /System/Library/CoreServices. Drag it from there to the dock to make it easier to create Netboot sets from any machine.

Safari

Show the status bar.

Show the tab bar.

In the preferences, set the default home page to:

http://web.suffieldacademy.org/ils/crc/

Save downloaded files to the Desktop.

For Bookmarks, only include Bonjour, and disable all collections.

Set RSS never to update.

Disable all forms AutoFill.

Clear the history, empty the cache, and quit.

Terminal

Set the Terminal to "Pro".

Set dimensions to 80x40.

Set the window to close when the shell exits cleanly.

Performance Tweaks

Deleting Unused Files

To save space on the image, you should delete any applications and files you know you will not need. Good candidates include the iLife suite, any games, obscure utilities (ColorSync, ODBC, etc), screen savers, background pictures, sample media, and developer tool samples.

Delete /private/var/vm/sleepimage

Download and run Monolingual (monolingual.sourceforge.net) to remove all but English localizations from the machine.
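Several of the changes made earlier are easy to miss when the image is rebuilt: the Spotlight launchd jobs, the Bonjour block rule in /etc/pf.conf, the two /etc/rc.local additions (hibernatemode 0 and the unique LocalHostName), and the deleted /private/var/vm/sleepimage. The following script is an added example, not part of the Suffield procedure; it audits a volume for those settings before the image is built. Every check takes the volume root as an argument, so it can be run against the master disk mounted on the server as well as on a booted client. The volume path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Suffield page: audit a rescue-image volume for
# the settings the procedure asks for. Each check takes the volume root, e.g. /
# on a booted client or /Volumes/NetBootMasterSource (an assumed name) for the
# master disk mounted on the server.

# Is the Bonjour block rule present in /etc/pf.conf?
pf_blocks_bonjour() {
  grep -Eq '^[[:space:]]*block[[:space:]]+quick[[:space:]]+proto[[:space:]]+udp[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]+port[[:space:]]+5353' \
    "$1/etc/pf.conf" 2>/dev/null
}

# Does /etc/rc.local turn off safe sleep (hibernatemode 0)?
rc_local_disables_hibernate() {
  grep -Eq '^[[:space:]]*pmset[[:space:]]+-a[[:space:]]+hibernatemode[[:space:]]+0' \
    "$1/etc/rc.local" 2>/dev/null
}

# Does /etc/rc.local give each booted client its own LocalHostName?
rc_local_sets_unique_name() {
  grep -q 'scutil --set LocalHostName' "$1/etc/rc.local" 2>/dev/null
}

# The safe-sleep image should be gone before the image is built.
sleepimage_absent() {
  [ ! -e "$1/private/var/vm/sleepimage" ]
}

# Given `launchctl list` output on stdin, print any Spotlight job
# (com.apple.metadata.*) that is still loaded; succeeds only when none is.
spotlight_jobs_unloaded() {
  awk '$NF ~ /^com\.apple\.metadata\./ { print $NF; found = 1 }
       END { if (found) exit 1; exit 0 }'
}

# Run every file-based check against one volume root; returns the number of
# failed checks so it can be used in a pipeline or before-build script.
audit_rescue_image() {
  root="$1"; failures=0
  pf_blocks_bonjour "$root" \
    || { echo "FAIL: no Bonjour block rule in /etc/pf.conf"; failures=$((failures + 1)); }
  rc_local_disables_hibernate "$root" \
    || { echo "FAIL: rc.local does not set hibernatemode 0"; failures=$((failures + 1)); }
  rc_local_sets_unique_name "$root" \
    || { echo "FAIL: rc.local does not set a unique LocalHostName"; failures=$((failures + 1)); }
  sleepimage_absent "$root" \
    || { echo "FAIL: /private/var/vm/sleepimage still present"; failures=$((failures + 1)); }
  echo "$failures check(s) failed for $root"
  return "$failures"
}

# Usage on the booted image (run as root so launchctl lists system jobs):
#   audit_rescue_image / && launchctl list | spotlight_jobs_unloaded
```

The Spotlight check reads launchctl output rather than the plists because `launchctl unload -w` records the disabled state outside the plist on newer systems; looking at what is actually loaded avoids depending on where that record lives.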

Building the Image

At this point, you should have a disk with a fully-functional NetBoot image on it. You must now connect this disk to a machine with Apple's System Image Utility installed on it (it is included with Mac OS X Server).

The simplest way to do this is to connect the master image directly to the NetBoot server via firewire. If your image is on a firewire drive, simply connect it. If your image is built directly on a master machine, boot the machine into firewire target disk mode and connect it. Then:

  1. Perform any last-minute housekeeping (deleting the files in /var/vm/, cache files, etc).

  2. Start System Image Utility on the server.

  3. Choose New Boot from the toolbar.

  4. Give your new image a name, ID, and description.

  5. Under the Contents tab, select your master image disk.

  6. Click the Create button. Save the image to your NetBoot images folder on the server (or elsewhere, if you wish to move it later).

The resulting NetBoot bundle will work, but its disk image is sized to hold only the contents of the master disk (no room for expansion). Fortunately, you can replace the NetBoot.dmg file inside the bundle with another disk image. This command-line version creates a compressed disk image with plenty of extra space on it:

hdiutil create -size 15g -srcfolder "/Volumes/NetBootMasterSource" \
-volname "Repair and Restore" -format UDZO -scrub \
"/Volumes/mumble/NetBoot-compressed-$(date +%Y%m%d).dmg"
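To make that replacement repeatable, the following script (an added example, not from the Suffield page) sizes the new image from the master volume's used space plus a headroom allowance, builds it with the same hdiutil options as above, and swaps it into the bundle while keeping the original NetBoot.dmg for rollback. It has to run on the server, where hdiutil is available; the bundle and volume paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the Suffield page: replace the squeezed NetBoot.dmg
# inside a NetBoot bundle (the .nbi folder System Image Utility wrote) with a
# compressed image that has room to grow. Paths in the usage comment are
# assumptions for illustration.

# Whole gigabytes needed for a source volume: its used space in 1K blocks (as
# `du -sk` reports it) rounded up to the next GiB, plus the requested headroom.
image_size_gb() {
  used_kb="$1"; headroom_gb="$2"
  echo $(( (used_kb + 1048575) / 1048576 + headroom_gb ))
}

# Build the compressed (UDZO) image from a mounted master volume, using
# image_size_gb to pick -size. Headroom defaults to 5 GiB.
build_compressed_image() {
  src="$1"; out="$2"; headroom_gb="${3:-5}"
  used_kb=$(du -sk "$src" | cut -f1)
  size=$(image_size_gb "$used_kb" "$headroom_gb")
  hdiutil create -size "${size}g" -srcfolder "$src" \
    -volname "Repair and Restore" -format UDZO -scrub "$out"
}

# Swap the new image into the bundle, keeping the original as NetBoot.dmg.orig
# so the change can be reverted if clients fail to boot from the new one.
replace_netboot_dmg() {
  bundle="$1"; newdmg="$2"
  [ -f "$bundle/NetBoot.dmg" ] || { echo "no NetBoot.dmg in $bundle" >&2; return 1; }
  [ -f "$newdmg" ] || { echo "missing image $newdmg" >&2; return 1; }
  mv "$bundle/NetBoot.dmg" "$bundle/NetBoot.dmg.orig" && cp "$newdmg" "$bundle/NetBoot.dmg"
}

# Typical run on the server (volume and bundle paths are examples; the bundle
# lives in the SPxxx folder described below):
#   build_compressed_image /Volumes/NetBootMasterSource /tmp/NetBoot-compressed.dmg 5 \
#     && replace_netboot_dmg "/Library/NetBoot/SP0/Repair.nbi" /tmp/NetBoot-compressed.dmg
```

Keep the .orig copy until a client has been booted from the new image; once it works, delete the backup to reclaim the space on the NetBoot volume.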

Installing the Image

If you used System Image Utility to create an image directly into your NetBoot server folder, then the image is installed and ready to be used.

If you saved the image elsewhere, you must copy it into the SPxxx folder on your NetBoot server. The folder name varies depending on how many volumes you have enabled to host NetBoot images. In most cases, the folder is called SP0 and is located in /Library/NetBoot/ on the main drive.

If you want this image to be the default NetBoot image, use Server Admin to set this image to be the default.

Testing the Image

The moment of truth! NetBoot one of your client machines to your new image and test out the software.

If your client machines won't NetBoot correctly, confirm that there are no firewall or ACL problems between the client and server machines. Recall that a proper NetBoot requires DHCP, TFTP, NFS, and AFP to work properly. Here are the symptoms of one of these protocols not working:

If your clients boot, test the software and confirm that they are all properly running and registered. Once that's done, you're all set!