5.4 Interactive Secure Eraser through PXE Boot

On Exadata systems prior to Oracle Exadata X7-2, you can use Preboot Execution Environment (PXE) boot to run Secure Eraser.

Note:

Starting with Oracle Exadata System Software release 19.1.0, the Secure Eraser package (secureeraser_label.zip) contains ISO images instead of NFS images.

Before you begin:

  • Download and install the latest Secure Eraser package available for your system.

    To download the Secure Eraser package, examine the Supplemental Readme associated with your current Oracle Exadata System Software version. To find the Supplemental Readme associated with each Oracle Exadata System Software version, see Exadata Database Machine and Exadata Storage Server Supported Versions (My Oracle Support Doc ID 888828.1).

  • Make sure you have access to a PXE server from which the nodes to be erased can boot.

  • Make sure you have access to an NFS server that is accessible from all the nodes to be erased.

  • Make sure you have access to one of the nodes to be erased.

  1. Copy the cell PXE image files initrd (initrd-version) and kernel (vmlinux-version) from the Secure Eraser package to the /tftpboot directory on the PXE server. For Oracle Exadata Database Machine X7 and later systems, the directory is /tftpboot/efi for grub2 and Secure Boot.

  2. Create a file containing the names of the database servers and storage servers to be erased.

    To generate this file, you can run the following command from one of the nodes to be erased. Verify that the nodes listed in the file are the ones to be erased.

    # ibhosts | awk '/S [0-9\.\,]*/ || /C [0-9\.\,]*/ {print $6}' | sed "s/\"//g" > nodes_to_be_erased

    If you only want to erase one server, enter the name of the server into the nodes_to_be_erased file, for example Exa01celadm04.

  3. Copy the dcli utility from the Secure Eraser package along with the file generated in step 2 to the PXE server.

  4. Create a PXE configuration template called pxe_cfg.template to contain the following lines:

    • For all models prior to Oracle Exadata Database Machine X7-2 (grub):

      • For releases earlier than Oracle Exadata System Software release 19.1.0:

        default linux
        label linux
        kernel vmlinux-nfs-12.2.1.1.0-161015-cell
        append initrd=initrd-nfs-12.2.1.1.0-161015-cell.img dhcp pxe quiet loglevel=0 bootarea=diagnostics console=tty1 console=ttyS0,115200n8 logpath=10.133.42.221:/export/exadata_secure_eraser_certificate_dir

      • For Oracle Exadata System Software release 19.1.0 or later:

        default linux
        label linux
        kernel vmlinux-iso-19.1.2.0.0-190111-cell
        append initrd=initrd-iso-19.1.2.0.0-190111-cell.img dhcp pxe quiet loglevel=0 bootarea=diagnostics console=tty1 console=ttyS0,115200n8 logpath=10.133.42.221:/export/exadata_secure_eraser_certificate_dir

      For a description of each component of the above task, refer to the appropriate topic in Automatic Secure Eraser through PXE Boot for your system.

    • For Oracle Exadata Database Machine X7-2 and newer models (grub2 / Secure Boot):

      Note:

      In the following example, the following parameters must be updated to match your environment:

      • kernel (the vmlinux file)

      • initrd (the initrd*.img file)

      • logpath

      • For Oracle Exadata System Software 18c (18.1.0):

        set default=0
        set timeout=10
        menuentry 'ExadataLinux' {
          echo "Loading efi/vmlinuz"
          linuxefi efi/vmlinux-nfs-18.1.0.0.0-170915.1 stit dhcp pxe boot-from=uefi quiet loglevel=0 bootarea=diagnostics console=ttyS0,115200n8 logpath=10.133.42.221:/export/exadata_secure_eraser_certificate_dir
          echo "Loading efi/initrd.img"
          initrdefi efi/initrd-nfs-18.1.0.0.0-170915.1.img
          echo "Booting installation kernel"
        }

      • For Oracle Exadata System Software release 19.1.0 or later:

        set default=0
        set timeout=10
        menuentry 'ExadataLinux' {
          echo "Loading efi/vmlinuz"
          linuxefi efi/vmlinux-iso-19.1.2.0.0-190111 stit dhcp pxe boot-from=uefi quiet loglevel=0 bootarea=diagnostics console=ttyS0,115200n8 logpath=10.133.42.221:/export/exadata_secure_eraser_certificate_dir
          echo "Loading efi/initrd.img"
          initrdefi efi/initrd-iso-19.1.2.0.0-190111.img
          echo "Booting installation kernel"
        }

    For a description of each component of the task in this step, see Automatic Secure Eraser through PXE Boot.

    This configuration file differs from the one in Automatic Secure Eraser through PXE Boot in that the secureeraser option is left out to indicate that the Secure Eraser process should not be triggered automatically. The rest of the file is the same.

  5. On the PXE server, use the template file to generate a PXE configuration file. For all systems up to Oracle Exadata Database Machine X6-2, save the file in the /tftpboot/pxelinux.cfg/ directory for each of the nodes to be erased. For Oracle Exadata Database Machine X7-2 and newer systems, save the file in the /tftpboot/efi/pxelinux.cfg/ directory for each of the nodes to be erased.

    The PXE configuration file name is the dash-separated MAC address of the node with the prefix 01-.

    If the nodes to be erased are accessible, perform the following steps to automatically generate a PXE configuration file for each node based on the template:

    1. Set up SSH equivalence with the nodes to be erased from the PXE server. The command will prompt for the root password of each node.

      pxe_server# dcli -g nodes_to_be_erased -k -l root
      
    2. Create a list of PXE configuration files, one for each node to be erased based on the configuration template.

      pxe_server# dcli -g nodes_to_be_erased -l root "ip addr show eth0" | awk '/link\/ether/ {print "01:"$3}' | sed "s/:/-/g" | xargs -I {} cp pxe_cfg.template {}

    If the nodes are not accessible, perform the following steps to generate a PXE configuration file for each node.

    1. Manually collect the MAC address of the eth0 interface from each node and write them into a text file called mac_addresses. Write one MAC address per line. For example:

      00:10:e0:62:c4:fa
      00:10:e0:62:c2:8a
      00:10:e0:62:b8:7c
      00:10:e0:62:b8:3a
      00:10:e0:62:c6:bc
      
    2. Use the following command to create a list of PXE configuration files, one for each node to be erased, based on the configuration template.

      pxe_server# cat mac_addresses | sed "s/:/-/g;s/^/01-/g" | xargs -I {} cp pxe_cfg.template {}
      

    In both cases, you should have a list of PXE configuration files, one for each node to be erased. For example, if the MAC addresses of the nodes in a quarter rack are 00:10:e0:62:c4:fa, 00:10:e0:62:c2:8a, 00:10:e0:62:b8:7c, 00:10:e0:62:b8:3a, and 00:10:e0:62:c6:bc, then you should get the following files:

    01-00-10-e0-62-c4-fa
    01-00-10-e0-62-c2-8a
    01-00-10-e0-62-b8-7c
    01-00-10-e0-62-b8-3a
    01-00-10-e0-62-c6-bc
    

    The files have the same content as the configuration template.

    Check your specific PXE server requirements. Your PXE server may need slightly different names or settings.

  6. Configure the nodes to boot from PXE and reboot the nodes.

    If the nodes to be erased are accessible, run the following commands:

    pxe_server# dcli -g nodes_to_be_erased -l root "ipmitool chassis bootdev pxe"

    pxe_server# dcli -g nodes_to_be_erased -l root "reboot"

    If the nodes are not accessible, then perform the following steps:

    1. Create a file called iloms_to_be_reset containing the names of ILOMs. For example:

      db1-ilom
      db2-ilom
      cell1-ilom
      cell2-ilom
      cell3-ilom
      
    2. Configure the nodes to boot from PXE through ILOMs. The command will prompt for ILOM root password.

      pxe_server# cat iloms_to_be_reset | xargs -I {} ipmitool -I lanplus -H {} -U root chassis bootdev pxe

    3. Reboot the nodes from ILOMs. The command will prompt for ILOM root password.

      pxe_server# cat iloms_to_be_reset | xargs -I {} ipmitool -I lanplus -H {} -U root chassis power cycle
      
  7. If you get the following prompt on the remote or serial console, enter e at the prompt to enter the diagnostic shell:

    Choose from following by typing letter in '()':
    (e)nter interactive diagnostics shell. Must use credentials from Oracle
    support to login (reboot or power cycle to exit the shell),
    Select:e
    
  8. If prompted, log in to the system as the root user.

    If you require the password for the root user and do not have it, then contact Oracle Support Services.

    localhost login: root
    Password: *********
    -sh-3.1#

  9. Run the Secure Eraser utility to sanitize all devices or one type of device.

    -sh-3.1# /usr/sbin/secureeraser --erase --all --output=REMOTE_NFS_LOCATION
    

    REMOTE_NFS_LOCATION is the remote NFS location in the format of IP:FILE_PATH. The Secure Eraser utility will automatically mount the remote NFS location and save the certificate there.

    For example, to erase all installed devices, including hard drives, flash devices, persistent memory, internal USBs, and ILOM, and save the certificate at this NFS location: 10.133.42.221:/export/exadata_secure_eraser_certificate_dir:

    -sh-3.1# /usr/sbin/secureeraser --erase --all --output=10.133.42.221:/export/exadata_secure_eraser_certificate_dir

    To erase just the hard drives:

    -sh-3.1# /usr/sbin/secureeraser --erase --hdd --output=10.133.42.221:/export/exadata_secure_eraser_certificate_dir
    

    Note that it is important to point the output option to an NFS location so that the certificate can be saved properly.

    You will be prompted with a list of devices to be erased and to confirm that you want to proceed with Secure Eraser.

    A progress report, as shown in step 7 of Automatic Secure Eraser through PXE Boot for X7 and Later Systems, will be printed to the console every 10 seconds.

    In interactive mode, the server will be left on after the specified devices are securely erased. You can power off the node from the diagnostic shell.

    The web console will no longer be accessible if ILOM is reset. You can power off the server from the serial console or with the power button.
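
A pre-flight check for the files produced in steps 4 and 5, added here as an example and not part of Oracle's documentation or the Secure Eraser package: before the nodes are rebooted in step 6, it confirms that every MAC address has a configuration file, that no file carries the secureeraser option (which would start the erase automatically rather than interactively), and that logpath is in IP:FILE_PATH form. The function names and status strings are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight audit of the per-node PXE files from steps 4-5.
# Function names and status strings are illustrative, not Oracle tooling.

# mac_to_pxe_name MAC: print "01-" + dash-separated MAC; fail on a malformed MAC.
mac_to_pxe_name() {
    local mac
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '01-%s\n' "$(printf '%s' "$mac" | tr ':' '-')"
}

# check_pxe_cfg FILE: print "ok" or the first problem found.
check_pxe_cfg() {
    local f="$1" words
    [ -f "$f" ] || { echo "missing"; return 1; }
    # Kernel parameters sit on the 'append' (pxelinux) or 'linuxefi' (grub2)
    # line; parameters wrapped onto a following line are not counted.
    words=$(grep -E '^[[:space:]]*(append|linuxefi)[[:space:]]' "$f" \
            | tr -s '[:space:]' '\n' || true)
    [ -n "$words" ] || { echo "no-kernel-params"; return 1; }
    # A bare 'secureeraser' word selects automatic erase at boot.
    if printf '%s\n' "$words" | grep -qx 'secureeraser'; then
        echo "auto-erase-enabled"; return 1
    fi
    # logpath must be IP:/absolute/path.
    if ! printf '%s\n' "$words" \
         | grep -Eq '^logpath=([0-9]{1,3}\.){3}[0-9]{1,3}:/.+$'; then
        echo "bad-logpath"; return 1
    fi
    echo "ok"
}

# audit_pxe_dir DIR MAC_FILE: one "name status" line per MAC; non-zero on any failure.
audit_pxe_dir() {
    local dir="$1" macs="$2" mac name status rc=0
    while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        if ! name=$(mac_to_pxe_name "$mac"); then
            echo "$mac bad-mac"; rc=1; continue
        fi
        status=$(check_pxe_cfg "$dir/$name") || rc=1
        echo "$name $status"
    done < "$macs"
    return "$rc"
}
```

After sourcing the file on the PXE server, run `audit_pxe_dir /tftpboot/pxelinux.cfg mac_addresses` (or the /tftpboot/efi/pxelinux.cfg directory on X7-2 and newer) and continue to step 6 only when every line reports ok.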
