BootCD v3.x Technical Documentation
Table of Contents
This document describes in detail how the PlanetLab boot CD is built and operates when running on a node. Older boot CDs, including 2.x cds, are not the focus of this document, and are no longer being deployed on production systems.
Since the early days of PlanetLab, all production nodes are configured during setup to only start up off of the cdrom, with a PlanetLab boot cd always left in the drive. The intention is to allow a machine to be able to restart into a known environment, for debugging system problems, or as a way to still access the machine but not have any potentially compromised code to run if the system is believed to be compromised.
All 3.x boot cd source code is located in the repository 'bootcd_v3' on the PlanetLab CVS system. For information on how to access CVS, consult the PlanetLab website. Unless otherwise noted, all file references refer to this repository.
The operation of the boot cd, when a machine is started off of one, is fairly straightforward. Essentially, it loads a Linux kernel, configures the hardware and network, and fetches a signed script to execute. This generic operation allows for the boot cds to be used for any number of operations, whether they are installing machines or debug problems.
The full operation of a boot cd, from the moment it is booted, is described in the following diagram.
Ensuring that the boot cd provided a secure node boot mechanism was a primary concern during its development. The following requirements we used:
Accomplishing 1. is fairly easy: simply require the cds to be burned onto a write once media. Once that is accomplished, it is up to local site administrators to ensure physical security of the node so the cd is not switched out. Further work may be done by executed scripts to validate a boot cd, if necessary (though not currently implemented).
Number two is accomplished through the use of SSL certificates. The PlanetLab Central boot server, running Apache at the time of this writing, uses a self signed SSL certificate. The boot cd, for each server it is to contact (a primary server, and a backup server), contains the CA certificates for those servers. Using the URL downloading tool curl, the scripts on the cd can ensure they are contacting a PlanetLab boot server, and not someone attempting to spoof one.
Number is accomplished through the use of GPG public and private keys. There exists at PlanetLab Central a GPG private key that is used to sign the scripts downloaded and executed by the cd. The public key is located on the cd, and used to validate the signatures of the packages before execution.
After the Linux kernel is loaded, the first operation is to load the applicable hardware modules for devices on the system, including network drivers, disk drivers, and any others. This process is nearly identical to the process the BootManager uses. During the initial boot cd build process, the script sources/merge_hw_table.py from the bootmanager repository is invoked to create a lookup table to map PCI ids onto kernel modules. For more information about how this script operates, consult the BootManager technical documentation.
Previous PlanetLab boot cds were essentially boot cds from other projects, modified for use with PlanetLab. With the introduction of version 3.0 of the boot cd, they are now built from scratch. By doing this, we can ensure that the packages contain on the cd are fully up to date, only the packages we need for booting operations are installed (thus reducing the cd size), and the hardware detection mechanisms match that of the node installer (BootManager).
Though the cds are built from scratch, the process to build a cd is relatively simple, and are as follows:
The default configuration built above produces a boot cd that is configured to contact the primary PlanetLab boot servers. To build a custom boot cd that contacts a different server, with a different SSL certificate and GPG key, you will need to create a custom configuration:
The configuration file for builds (the default being located at configurations/default/configuration, contains the following values that can be modified to result in a custom build boot cd:
With regard to file paths: for the locations of the keys, certificates, and optionally node configuration files, it is easiest to place these files inside the directory with the bootcd configuration file, and simply use the name of the file for the value. See the default configuration file for an example.
The packages used during the build process, by default, are downloaded from the current PlanetLab Central boot server. To change this, the file yum.conf, in the checked out bootcd_v3 directory, will need to be modified. The yumgroups.xml file, also located in the same directory, is used by the build process to identify which packages should be placed on the resultant cd image. This file should be located in one of the yum rpm repositories specified in yum.conf.