Install Fedora remotely using Live media

Say a friend or relative wants to install Fedora, but there are some wrinkles that make them less confident about running the installer themselves. For instance, they might want to save existing content without swapping out the hard drive, which involves shrinking filesystems, a task not suited to the inexperienced. This article walks you through a process that allows you to help them install remotely.

Naturally, they need to trust you a lot for this procedure (and you them), since they are giving you total access to the machine. I’ll call them “the client.”

Step 1. They need to download the Live Media from https://getfedora.org and write it to a USB stick.  I used the Cinnamon Spin, but nothing in this article should be specific to a Desktop Environment.   You’ll need to talk them through all this if needed.  There are also instructions on getfedora.org.

Step 2. The client inserts the USB drive into the machine to be installed and boots from USB.  The exact steps to enable USB boot are device specific, and beyond the scope of this article. You may want to make sure the client has access to their product documentation. Or you can ask them for the make and model number of their system, and look up the docs on the internet.

Step 3. Have them connect to the internet via local Wi-Fi or Ethernet, and have them run Firefox to check that it is working.  Send them to this very article, so they can copy and paste the relevant commands when you tell them to.

Step 4. Now have them start a terminal from the menu.

[liveuser@localhost-live ~]$ passwd
Changing password for user liveuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[liveuser@localhost-live ~]$ sudo systemctl start sshd
[liveuser@localhost-live ~]$ ifconfig

Sshd will not allow remote logins with an empty password, so this step assigns a password, which the client will need to share with you. I suggest a series of simple but random words.

The Live media includes pidgin (or a similar chat client for other DEs). It would be helpful to have the client start pidgin and login to a trusted server. I suggest installing jabberd on a Fedora server with a public IP, and allowing open registration. I’ll skip the details for this article. With the client on pidgin with SSL on an XMPP server you trust/control, you can share the password more securely than over the phone.  (Installing OTR would be yet another step to talk them through.)

Now the order of business is to let you connect securely to the client machine.  Have the client share the output of the ifconfig command with you.  If they have a public IPv4 or IPv6 address, and you can connect to it, you can skip to step 6.  You can also save steps if they are on a LAN that doesn’t block ethertype 0xfc00 and other Cjdns nodes are on the LAN, but that’s unlikely enough that we’ll skip the details.

Step 5. If you are here, your client is in “IPv4 NAT jail”, and you need to help them escape by setting up a VPN.  The simplest VPN to set up is Cjdns, but since you don’t want to talk the client through setting even that up, you’ll also need a trusted machine accessible via IPv4 on which you can give the client an unprivileged shell account for bootstrapping.  Have the client log in to your server with an SSH remote tunnel:

[liveuser@localhost-live ~]$ ssh -R8022:localhost:22 username@shared.example.net
The authenticity of host 'shared.example.net' can't be established.
ECDSA key fingerprint is SHA256:kRfekGaa456ga34tddrgg8kZ3VmBbqlx6vZZwhcRpuc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'shared.example.net' (ECDSA) to the list of known hosts.
username@shared's password:
Last login: Wed Jan 23 18:15:38 2019 from 2001:db8:1234::1019
[theirlogin@shared ~]$

Now you can login to their machine and install Cjdns.  Login to shared.example.net and then into the client machine:

[yourlogin@shared ~]$ ssh -p8022 liveuser@localhost
liveuser@localhost's password:
Last login: Wed Jan 23 18:16:36 2019 from ::1
[liveuser@localhost-live ~]$

Install and configure Cjdns on the client, using these instructions if you are not already familiar, and also on your own workstation if you haven’t already.  You could skip installing cjdns-tools and cjdns-selinux on the client since this is a temporary setup.  But you’ll need the tools to help debug any glitches.

Run ifconfig tun0 and copy the client’s Cjdns VPN IP to your local /etc/hosts file with a suitable nickname.  I’ll use the nickname h.client for this article. 

[you@yourworkstation ~] $ sudo su -
# echo fc3f:26b0:49ec:7bc7:a757:b6eb:1eae:714f h.client >>/etc/hosts

Verify that you can login to liveuser@h.client from your workstation, and then you can logout of your tunnel login.
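
The bootstrap account from Step 5 can be narrowed on shared.example.net so that it can do nothing except hold the one reverse tunnel open. This is an added example, not part of the original article: the account name theirlogin and port 8022 come from the transcripts above, while the choice of directives and the one-hour limit are assumptions.

```conf
# /etc/ssh/sshd_config on shared.example.net (the helper's server).
# Place this at the end of the file: a Match block runs until the next
# Match line or the end of the file.

# Weak: a plain shell account with sshd defaults. The account can run
# commands on the server, forward to any destination, and listen on any port.
#
#   (no Match block for theirlogin)

# Tighter: the account can only hold the article's reverse tunnel open.
Match User theirlogin
    # Allow -R (remote) forwards only; refuse -L and -D.
    AllowTcpForwarding remote
    # The only listener permitted is the one used in Step 5. ssh sends the
    # listen host "localhost" when -R names none, so match that name.
    PermitListen localhost:8022
    # Keep the listener on loopback so only logins on this server reach it.
    GatewayPorts no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
    # No interactive shell: every session runs this command instead, which
    # also bounds how long the tunnel stays up (one hour, an assumed value).
    PermitTTY no
    ForceCommand /usr/bin/sleep 3600
```

Check the file with sshd -t before reloading sshd. The client's ssh command from Step 5 stays the same, but they get no shell prompt, and your own login on the server still reaches the tunnel with ssh -p8022 liveuser@localhost.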

Step 6. Install x2goserver on the client.  Tigervnc would be lighter weight for a limited machine, but x2go easily connects to the liveuser desktop so they can see what you are doing for education and transparency.  Some spins include a built-in remote desktop feature as well, but I like x2go. 

Run x2goclient on your workstation, and create a new session:

  • Session name: h.client
  • Host: h.client
  • Login: liveuser
  • Session type: Connect to local desktop

Now you can do your expert stuff while the client watches. For shrinking existing partitions, I recommend installing gparted and running it before the live install.

Step 7. When the Live Install is finished, the newly installed root filesystem should still be mounted as /mnt/sysimage. Double check, then copy the cjdns config to the new system and enable sshd. Incoming port 22 should be open by default.

[liveuser@localhost-live ~]$ sudo cp /etc/cjdroute.conf /mnt/sysimage/etc 
[liveuser@localhost-live ~]$ sudo systemctl --root=/mnt/sysimage enable sshd

You should also install cjdns (or whatever VPN you used instead) on the new system so that the client doesn’t need to do the SSH rigamarole again after rebooting.

[liveuser@localhost-live ~]$ sudo dnf install cjdns --installroot=/mnt/sysimage 
[liveuser@localhost-live ~]$ sudo systemctl --root=/mnt/sysimage enable cjdns

Step 8. You should now be ready to reboot! If something goes wrong, your client can boot from the Live Media and do the SSH routine from step 5 again so you can diagnose what went wrong.



18 Comments

  1. Osqui

    ifconfig is deprecated

    • True. I often use “ip addr” to just list the addresses. But is there a modern way to get the nice little report that ifconfig spits out? I don’t use ifconfig to actually modify configuration anymore – but that report…

      • ip with several commands by the looks of it

      • Elliott S

        ip -statistics addr

        ? I’m not sure what exactly you want from the report.

        • That is close enough! Thanks. It’s cumbersome, but that is easily fixed with a shell alias. Now I’m trying to suss out the precise syntax to convince ip to print that for just one interface. No help please – I know it will be there in some form, it’s just that the obvious (e.g. append tun0 or dev tun0) never works with ip. It’s my morning read another programmer’s mind exercise…

        • This is what I came up with from your hint. Thanks again.

          $ cat ~/bin/ipconfig
          #!/bin/sh

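          # With no arguments, report on every interface
          if [ $# -eq 0 ]; then
            ip -s addr
          else
            # Otherwise report on each named interface in turn
            for i in "$@"; do
              ip -s addr show dev "$i"
            done
          fi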

  2. svsv sarma

    If the client is so tech savvy and understands terminal usage as to download, create and boot a live-cd, he can as well install himself as the installation is self explanatory! He may be advised to use the entire disk and load GRUB or MBR as the case may be.
    He should have a reliable and high speed internet access too.
    However, the article is a good attempt to encourage remote control.

    • In the many times I’ve used this or similar procedures, the “client” is in fact perfectly capable of doing a normal, largely defaults, install. As mentioned in the intro, the usual wrinkle that needs some hand holding is preserving an existing system on the hard disk. Sometimes it is Windows™, sometimes Ubuntu™. A nice touch is adding a read-only mount for their old system to /etc/fstab so they can easily copy documents/photos/etc over.

  3. Pawa

    +1. Appreciate Stuart’s input.
    However, I will have to keep searching for ‘the console way’ of Fedora installation either on a local or remote machine. Might be that it is there in the article, yet stayed unnoticed.

  4. John

    Great article, thanks for sharing! I was glad to be introduced to Cjdns and x2go. I would have appreciated a tiny bit more detail on installing x2go server bits. For example, does your article assume x2goserver-xsession is installed in addition to x2goserver?

    • Only x2goserver is needed (it pulls in a bunch of other stuff – you might need to add some swap to accommodate it while running from the live media). The x2goserver-xsession subpackage is for parsing Xsession when starting desktop sessions – i.e. not attaching to an existing session.

  5. Just noticed two more misspellings.
    “boost” should be “boots”
    “temporarily” should be “temporary”

  6. Thorough and nicely explained guide mate, congrats (incidentally, I’m a fan of X2Go 🙂

    I believe this functionality should be wrapped into an app and shipped with the live image — of any GNU+Linux flavor.

    I feel this could be a fun weekend project, will definitely look into it.

  7. Gav

    I think I’ll just go to their desktop and drink their beer while I install for them….

  8. I tried this with a person not able to install themselves. I explained over the phone the phonetic alphabet, how to use a mouse to highlight and copy/paste text, how to press F12 as the machine is booting to select boot device, and many other things we take for granted. But, after several hours of hard work, we were ready for me to connect over the SSH tunnel and finish the job – but, I had neglected to get the password they assigned to liveuser early, and they had forgotten it.

    I should move the step of assigning a password to liveuser closer to where I login via the SSH tunnel.

  9. I actually ran into skipping step 4. When installing 2 or more machines, after the first one, just have them install cjdns and start it. Then have them read you the cjdns ip. (or use pidgin or fpaste).
