End-to-end fixes for Blancco Drive Eraser PXE flow uncovered by chasing
"reports never reach SMB share" across two air-gapped sites:
playbook/blancco-init.sh:
* Drop silent || true on wget of preferences.xml + config.xml. Fail
loud with shell-drop if download or marker grep fails. Background:
airootfs /opt/scripts/validate_preferences.sh restores
/albus/preferences.save (factory defaults, empty network_share) if
xmllint fails. wget failure made every report silently land nowhere.
* Clobber /albus/preferences.save with the same served file so even if
the validator fallback fires, the SMB target survives.
* Bind-mount /dev/null over /sys/power/{state,disk,mem_sleep,autosleep}
before switch_root. Albus's license-retry path writes /sys/power/state
directly (bypassing systemd targets); this is the last-line block.
* /dev/null symlinks for sleep/suspend/hibernate systemd targets in the
airootfs overlay + logind drop-in with IdleAction/Handle*=ignore.
Three independent layers because cmdline systemd.mask alone is bypassed
by direct /sys/power/state writes.
* xinitrc.d/00-no-screen-blank.sh runs xset s off -dpms + setterm
-blank 0 -powerdown 0 so the Blancco GUI doesn't blank during long
erasures.
* Removed the 20-failsafeDriver.conf "modesetting" pin. modesetting
needs DRM/KMS which we disable on kernel cmdline; "vesa" also failed
on NVIDIA. With the pin gone Xorg auto-picks fbdev which uses the
kernel framebuffer from vga=normal - works across Intel, AMD, and
older NVIDIA without nouveau.
playbook/pxe_server_setup.yml:
* dnsmasq.conf: explicit empty-value dhcp-option=3 + dhcp-option=6.
Without them, dnsmasq defaults to sending its own IP as router AND
DNS. Commenting the configured-value lines did NOT disable the push
(root cause of "wired keeps picking up 10.9.100.1 as gateway").
* Split the Blancco config.img extraction and preferences.xml deploy
into separate tasks. The previous shell-with-creates: gate caused
playbook re-runs to skip the prefs deploy entirely after first run.
* Added a validation task that runs python3 xml parse + grep on the
deployed preferences.xml to fail the playbook at deploy time if the
SMB markers are missing.
* Added Environment=TZ=America/New_York to the pxe-webapp systemd
service so report mtimes and audit log render in Eastern time even
if the Python process is started before timedatectl converges.
webapp:
* services/blancco_report.py: parse Blancco's XML report format
(recursive <entries name="..."> walker) into a friendly dict.
* templates/report_view.html: Bootstrap "Drive Erasure Certificate"
layout - hero summary, customer + system cards, per-drive cards with
step-by-step erasure timeline, document signing footer with
integrity hash detail.
* /reports/view/<filename> route + View button on the reports list
(XML reports only; PDFs still download).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Companion to the previous commit (4550d43). Three files that should have
been in the same commit but got left out of `git add`:
- .gitignore: negate rule for boot-tools/blancco/grub-blancco.cfg so the
tracked cfg (source of truth for grubx64.efi rebuilds) survives
the blanket boot-tools/ ignore.
- playbook/blancco-init.sh: rewritten for modprobe-with-deps, full NIC
driver coverage, set -x trace to /dev/console, dmesg + PCI-device +
/proc/modules dump + interactive shell on "no NIC after 60s".
Replaces the narrow insmod-loop version that silently hung on
unsupported NICs.
- playbook/pxe_server_setup.yml "Build Blancco PXE initramfs" task now
sweeps the full drivers/net/ tree (ethernet + phy + mdio + usb + fddi
+ wan) plus overlay / squashfs / loop / ptp / libphy / mii deps, runs
depmod to regenerate modules.dep inside the initramfs (required for
modprobe dependency resolution), and symlinks the full applet list
blancco-init.sh needs (modprobe, insmod, dmesg, find, env, etc).
Result: ~20 MB initramfs vs the old 2 MB narrow build.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
User reports Blancco was working before our mirror/session activity
today - then my attempted fixes (grubx64.efi rebuild, kexec-initrd
driver sweep, verbose blancco-init.sh) made it worse:
- First attempt (narrow igc driver add) did not help because the
switch-root path was not the one actually loaded by grubx64.efi's
embedded config.
- Second attempt (swapped grub embedded config to Ubuntu-kernel path)
got further, but then kexec-initrd modules failed on insmod.
- Third attempt (full ethernet tree sweep) pulled in broken ancient
drivers (winbond-840, w5100-spi, xirc2ps_cs) that failed with
unknown-symbol errors and prevented good drivers from loading.
Full revert: .gitignore, blancco-init.sh, pxe_server_setup.yml back to
the pre-session commit 6dcf832 state. Removes boot-tools/blancco/grub-
blancco.cfg from git (it was only added this session).
Runtime on both PXE servers was also restored: grubx64.efi and
kexec-initrd.img reverted from the .bak files taken before each
modification this session.
Whatever was there before today is now restored byte-for-byte on both
servers. If there is still a Blancco boot issue on specific modern
hardware that the user needs to fix, we will diagnose that narrowly
against the actual failure mode on that specific machine, not by
making sweeping preemptive changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous approach listed ~6 specific drivers (e1000e, igb, tg3, bnx2,
bnxt_en, b44) and silenced insmod errors (2>/dev/null). On modern Dell
fleet (Latitude 5330/5440, Pro-series, newer OptiPlex) this missed
igc (Intel I225/I226) entirely, and for the drivers we did include,
dependency modules they need at insmod time (libeth, libie, dca,
i2c-algo-bit, macsec, mii, libphy, ptp, ...) were never bundled.
insmod does not resolve dependencies, so NIC drivers that need
helpers failed to load silently.
playbook/pxe_server_setup.yml (kexec-initrd build):
- Sweep the whole drivers/net/ethernet tree (~170 drivers, all
vendors, ~15 MB total). Drivers for hardware not present skip
without binding.
- Add common helper dirs: drivers/net/{phy,mdio}, drivers/i2c/algos,
drivers/dca, drivers/ptp, net/macsec, drivers/ssb.
- overlay.ko kept.
playbook/blancco-init.sh:
- Load helpers BEFORE main NIC drivers (libeth/libie, dca,
i2c-algo-bit, macsec, mii, ssb, libphy, mdio*, phy*, ptp*),
then iterate remaining modules.
- Remove 2>/dev/null on insmod so actual failures surface on the
boot console.
- Print kernel version + /sys/class/net before/after driver load,
plus dmesg grep for NIC driver activity.
- On "no interface found" failure, dump dmesg tail and drop to a
busybox shell for manual debug rather than just hanging.
Separate from this commit but related: kexec-initrd.img on both PXE
servers (.1 and .2) was rebuilt inline with these changes. Pre-rebuild
binary kept as kexec-initrd.img.bak-<timestamp>.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Switch to Blancco native kernel (vmlinuz-bde-linux) for hardware compat
- Config.img preferences with BMC connection (classic.eu-west-1.blancco.cloud)
- Disable wired LAN in preferences so WiFi takes default route to BMC
- WiFi SSID INTERNETACCESS configured in plaintext in config.img
- Slim GRUB EFI (1.3MB standalone with minimal modules)
- Fix Windows line endings in blancco-init.sh
- Add extra NIC drivers to switch_root initramfs
- SSH enabled in modified airootfs.sfs (root:blancco)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
