ce604adcda
Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.
Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.
Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.
After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
121 lines
3.4 KiB
Plaintext
121 lines
3.4 KiB
Plaintext
#cloud-config
|
|
autoinstall:
|
|
version: 1
|
|
|
|
# Locale, keyboard, timezone
|
|
locale: en_US.UTF-8
|
|
keyboard:
|
|
layout: us
|
|
variant: ""
|
|
timezone: America/New_York
|
|
|
|
# Network: static IP for isolated PXE LAN (no internet/DHCP needed)
|
|
network:
|
|
version: 2
|
|
ethernets:
|
|
any-eth:
|
|
match:
|
|
name: "en*"
|
|
addresses:
|
|
- 172.16.9.1/24
|
|
dhcp4: false
|
|
dhcp6: false
|
|
optional: true
|
|
|
|
# Storage configuration
|
|
storage:
|
|
layout:
|
|
name: lvm
|
|
match:
|
|
size: largest
|
|
swap:
|
|
size: 0
|
|
|
|
# User identity
|
|
identity:
|
|
hostname: pxeserver
|
|
username: pxe
|
|
password: '$6$MV3UwfSxKqxDYCwt$2IPUfSvqpzUdH6QVKHfPH8I9E0SPqNCh0lLvn.D9btxhZUYmceOGcB51Ryfg1Fojlroin.qguSKYFoIDGUIC20'
|
|
|
|
# Enable SSH
|
|
ssh:
|
|
install-server: true
|
|
allow-pw: true
|
|
|
|
# Installer-stage late commands
|
|
late-commands:
|
|
# Step 1: Install deb packages from CIDATA USB
|
|
- |
|
|
curtin in-target --target=/target -- bash -c '
|
|
mkdir -p /mnt/cidata
|
|
CIDATA_DEV=$(blkid -L CIDATA)
|
|
if [ -n "$CIDATA_DEV" ]; then
|
|
mount "$CIDATA_DEV" /mnt/cidata
|
|
if compgen -G "/mnt/cidata/packages/*.deb" > /dev/null; then
|
|
cp /mnt/cidata/packages/*.deb /tmp/
|
|
dpkg -i /tmp/*.deb 2>/dev/null || true
|
|
dpkg -i /tmp/*.deb 2>/dev/null || true
|
|
dpkg --configure -a 2>/dev/null || true
|
|
if command -v nmcli >/dev/null; then
|
|
systemctl enable NetworkManager
|
|
fi
|
|
fi
|
|
umount /mnt/cidata
|
|
fi
|
|
'
|
|
|
|
# Step 2: Disable networkd-wait-online (hangs on air-gapped network)
|
|
- ln -sf /dev/null /target/etc/systemd/system/systemd-networkd-wait-online.service
|
|
|
|
# Step 3: Create first-boot.sh
|
|
- |
|
|
curtin in-target --target=/target -- bash -c '
|
|
cat <<"EOF" > /opt/first-boot.sh
|
|
#!/bin/bash
|
|
# Expand root LV to full disk BEFORE playbook (playbook copies ~130GB of drivers+PPKGs)
|
|
ROOT_DEV=$(findmnt -n -o SOURCE /)
|
|
ROOT_DISK=$(lsblk -n -o PKNAME "$(readlink -f "$ROOT_DEV")" | tail -1)
|
|
PV_PART=$(pvs --noheadings -o pv_name 2>/dev/null | tr -d "[:space:]" | head -1)
|
|
if [ -n "$ROOT_DISK" ] && [ -n "$PV_PART" ]; then
|
|
PART_NUM=$(echo "$PV_PART" | grep -o "[0-9]*$")
|
|
growpart "/dev/${ROOT_DISK}" "${PART_NUM}" 2>&1 || true
|
|
pvresize "$PV_PART" 2>&1 || true
|
|
fi
|
|
lvextend -r -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv 2>&1 || true
|
|
CIDATA_DEV=$(blkid -L CIDATA)
|
|
if [ -n "$CIDATA_DEV" ]; then
|
|
mkdir -p /mnt/usb
|
|
mount "$CIDATA_DEV" /mnt/usb
|
|
if compgen -G "/mnt/usb/packages/*.deb" > /dev/null; then
|
|
dpkg -i /mnt/usb/packages/*.deb 2>/dev/null || true
|
|
dpkg -i /mnt/usb/packages/*.deb 2>/dev/null || true
|
|
dpkg --configure -a 2>/dev/null || true
|
|
fi
|
|
if [ -f /mnt/usb/playbook/pxe_server_setup.yml ]; then
|
|
cd /mnt/usb/playbook
|
|
ansible-playbook -i localhost, -c local pxe_server_setup.yml
|
|
fi
|
|
umount /mnt/usb
|
|
fi
|
|
sed -i "s|^/opt/first-boot.sh.*|# &|" /etc/rc.local
|
|
EOF
|
|
chmod +x /opt/first-boot.sh
|
|
'
|
|
|
|
# Step 4: Create rc.local
|
|
- |
|
|
curtin in-target --target=/target -- bash -c '
|
|
cat <<"EOF" > /etc/rc.local
|
|
#!/bin/bash
|
|
/opt/first-boot.sh > /var/log/first-boot.log 2>&1 &
|
|
exit 0
|
|
EOF
|
|
chmod +x /etc/rc.local
|
|
'
|
|
|
|
user-data:
|
|
disable_root: false
|
|
|
|
refresh-installer:
|
|
update: no
|