Boot and Nuke

How to set up a DBAN PXE boot server


This mini-howto describes how to build a server that provides PXE boot to workstations on the network and wipes all their disks. It's an attempt to automate Darik's Boot and Nuke for when you need to wipe multiple PCs. It mimics EBAN (Enterprise Boot And Nuke, the commercial version of DBAN), but without its advanced features (reporting, compliance, ...).

This page combines DBAN with a PXE boot server to allow you to

This will allow you to :

Step 1 : a pxe boot server - dnsmasq for dhcp, and tftp

Refer to the PXE boot server HOWTO. Essentially, you're setting up dnsmasq with a dnsmasq.conf like this:

/etc/dnsmasq.conf
	enable-tftp
	tftp-root=/var/tftpboot
	# boot file name handed to PXE clients, relative to tftp-root
	dhcp-boot=pxelinux.0
	

You may want to add the debian netboot installer, because it can serve as a simple but effective test to see if everything is working, and its pxelinux config files provide scaffolding for the DBAN boot.

Step 2 : a DBAN boot server

Assuming you used debian's netboot installer to test the pxe boot setup, the next step is to replace it with an unpacked DBAN .iso image or DBAN CD, and configure syslinux / pxelinux to reflect this change.

	# remove debian installer but leave pxelinux.0 in place
	cd /var/tftpboot/
	rm pxelinux.0 pxelinux.cfg
	cp debian-installer/i386/pxelinux.0 pxelinux.0
	rm -r debian-installer

	# unpack a DBAN iso
	mount -o loop /srv/lvm/sharedfiles/diskimg/dban_1_0_7_i386.iso /media/cdrom

	# alternatively, mount a DBAN CD
	## mount /dev/cdrom /media/cdrom

	# mount the dban .ima image file
	mount -o loop /media/cdrom/dban_1_0_7_i386.ima /mnt

	# copy the boot files to the pxe boot folder and replace syslinux.cfg by pxelinux.cfg
	cp -r /mnt/* /var/tftpboot
	mkdir /var/tftpboot/pxelinux.cfg
	mv syslinux.cfg pxelinux.cfg/default

	# the tftp server only reads these files: readable by all, writable by the owner only
	chmod -R u=rwX,go=rX *
	chown -R nobody *

	umount /mnt /media/cdrom

That's it. You can now test that a client PC will load DBAN from the server. The default is an interactive session, so you will not automatically wipe the disks of your test machine (see the dban options in pxelinux.cfg/default).

usage

  1. connect dban server to a switch + start it
  2. connect computers to the network switch where DBAN server is at
  3. turn computer on, hit KEY to modify boot order or access BIOS setup as needed. Make the machine do a (PXE) network boot (eg "boot from NIC")
  4. watch dban load, select or confirm wipe methods and options as needed
  5. there is no 5

This setup does not do logging or progress monitoring. At best, you can follow syslog or daemon.log on the server to see what's happening, but that is limited to dhcp and tftp feedback.

 
	# use multiple TTYs as needed (Ctrl+Alt+F[1-6])
	tail -f /var/log/syslog

	

server customization and maintenance

One of the main advantages of a PXE boot server over a collection of DBAN CDs, is that you can easily modify the defaults with which DBAN will start, and that these will apply automatically to all clients that boot from it. So how is this done ?

This is done by editing the boot options in <tftp directory>/pxelinux.cfg/default. One of these options calls the program "dwipe", and that program also accepts options (-m method, -r rounds, ...).
What you do is any suitable combination of

pxelinux.cfg/default
	# 1 = always show the boot prompt; 0 = skip the prompt and boot the DEFAULT label
	PROMPT 1

	# This label will be started if you just push enter at the boot prompt, or if you set the PROMPT option above to zero.
	#DEFAULT dban
	DEFAULT custom

	LABEL custom
	KERNEL kernel.bzi
	APPEND initrd=initrd.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --verify off" silent

	# the original default is "dban" - runs an interactive dban session

You may also want to modify the DBAN boot prompt (in 'warning.txt') to reflect your customization, e.g. if you've changed the defaults to an unattended autonuke.

warning.txt (boot prompt)
  
  ****************************************************************************
  * Defaults to 'autonuke' - When you hit ENTER, ALL disks will be wiped     *
  * There will be NO FURTHER WARNINGS - Wipe starts as soon as you hit ENTER *
  *                                                                          *
  *       Turn computer off NOW  or all data will be deleted                 *
  ****************************************************************************
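
Since the DEFAULT label decides whether a booting client gets wiped, it helps to check the config before the server is connected to a switch. The following is an added example, not part of the original howto: a shell function that reads a pxelinux config and reports whether the default entry is interactive, wipes on ENTER, or wipes with no keypress (PROMPT 0, or a TIMEOUT that expires). The function name, the result strings and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original howto. Classifies what the DEFAULT
# label of a pxelinux config does to a client that network-boots from it.
# Usage: audit_pxe_default /var/tftpboot/pxelinux.cfg/default   (or via stdin)
# Result: interactive | autonuke-on-enter | autonuke-unattended | no-default-label
audit_pxe_default() {
	awk '
		BEGIN { prompt = 0; timeout = 0 }      # syslinux defaults when unset
		{ sub(/\r$/, "") }                     # tolerate CRLF line endings
		/^[ \t]*#/ { next }                    # skip comment lines
		{ key = toupper($1) }
		key == "PROMPT"  { prompt = $2 + 0 }
		key == "TIMEOUT" { timeout = $2 + 0 }  # tenths of a second, 0 = wait forever
		key == "DEFAULT" { def = $2 }
		key == "LABEL"   { label = $2; seen[label] = 1 }
		key == "APPEND"  { args[label] = $0 }
		END {
			if (!(def in seen)) { print "no-default-label"; exit }
			if (index(args[def], "--autonuke") == 0) { print "interactive"; exit }
			# No prompt, or a prompt that times out: nobody has to press a key.
			print ((prompt == 0 || timeout > 0) ? "autonuke-unattended" : "autonuke-on-enter")
		}
	' "${1:--}"
}

# Constructed sample input: the "custom" entry from this page next to an
# interactive "dban" entry; the PROMPT value is passed in as $1.
sample_cfg() {
	cat <<EOF
PROMPT $1
DEFAULT custom
# interactive label kept for comparison
LABEL dban
KERNEL kernel.bzi
APPEND initrd=initrd.gz root=/dev/ram0 init=/rc nuke="dwipe" silent
LABEL custom
KERNEL kernel.bzi
APPEND initrd=initrd.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --verify off" silent
EOF
}

sample_cfg 1 | audit_pxe_default
sample_cfg 0 | audit_pxe_default
```

If the result is autonuke-unattended, any machine that network-boots on that segment is wiped without a keypress, so the warning.txt prompt is never acted on.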

logging etc

It should be possible to collect logs at the server, e.g. in an NFS share or by tftp upload. That would require additional shell commands to run at boot, possibly by adding the relevant commands to scripts / config files inside the initrd.gz filesystem.


Koen Noens
October 2010