Ghost4Linux (or more accurately, GhostInLinux) is a collection of scripts, programs and kernel modules for network booting Norton Ghost on a given target machine and backing up or restoring that machine. It is built from a net booting Linux, which runs DosEmu, the DOS emulator for Linux, which in turn runs Norton Ghost with the appropriate options. It then automatically chooses the first drive and writes out its contents to an image. The image directory is a separate NFS file system, including a different machine. The overall result is a backup/restore system for NTFS and FAT file systems that can backup to/restore from a NFS file server.

What is required

1. The client machines must be PXE boot capable, with modern on board NICs this is not normally a problem as the boot rom is a bios option.

2. The server side of the above, a dhcp server and tftp server. The backup trigger script must have access to (and the ability to restart) the dhcpd server.

3. Need to prepare a Linux system that can be remotely booted. In my case a copy of my firewall machine was a good starting point.

4. Need to prepare a working bootable Ghost floppy, as I can't supply you with one. Norton Ghost 2003 is known to work. Ghost V8 is known to die shortly after starting ghost. Linux is used for the networking, so this only needs to know about hard drives, not dos network stacks. This is modified to take advantage of it running under emulation.

5. Minor but very essential programs like ether-wake and ethtool.

General idea

The overall idea is to use Linux for its network stack and general scripting capabilities to run a complete diskless system. It is only really diskless from the point of view of Linux, any harddisk in the system is a data sink or source that Linux itself does not care about. Once booted, we can then have a script run DosEmu, which can then be setup to autorun Ghost and backup the drive to image files.

The devil here is in the details: changing the dhcpd config so the system normally boots its HD based OS, but then loads the remote Linux system when required; checking the machine has started, and then changing the dhcpd config back to allow the user to boot into the native OS.

1.1. PXE on the client side

The client needs to have PXE capable boot rom, which allows it to boot without local data on the HD, or even a HD at all. If the motherboard has an on-board NIC, chances are there is a 'Boot ROM' option next to the 'Enable LAN' option. The boot order also needs changing so LAN is first, and a local harddisk is second.

1.2. dhcpd

The dhcpd configuration is all in /etc/dhcpd.conf, using the standard RedHat distro DHCP server (Written by Ted Lemon for Vixie Labs, ISC). The layout follows the form:
default-lease-time 86400;
max-lease-time 86400;
option routers;
option domain-name-servers;
option domain-name "flint";
option subnet-mask;
option broadcast-address;

subnet netmask { range ; }
host john { fixed-address; hardware ethernet 00:01:80:5C:37:D4; filename "nobackup"; }
host joe { fixed-address; hardware ethernet 00:20:ED:6F:30:61; filename "nobackup"; }
host linuxbox { fixed-address; hardware ethernet 00:01:80:53:FA:A6; filename "nobackup"; }
host fakebox { fixed-address; hardware ethernet 01:80:53:FA:A6:00; filename "pxelinux.0"; }

The layout of the last four lines is important, the backup script changes the "nobackup" filename to "pxelinux.0" as the first step into booting Linux remotely. The host name, IP, MAC address and filename must be valid as the backup script uses all these details at some point. The other lines are free format as far as the backup is concerned, and obviously must be adapted to your scenario.

Under normal operation, the client machine will boot up, DHCP would reply with the "nobackup" name, and the PXE boot would fail and then boot the local HD. When the backup script is run, it changes the dhcpd.conf, restarts the dhcpd daemon and sends a wake up packet to the MAC. The machine will then power on, boot the pxelinux.0 image (the next step), and meanwhile the script changes the dhcpd server back to "nobackup". The script creates a lock file so there are no race conditions when changing the daemon configuration.

1.3. tftp

PXE uses the tftp protocol to fetch files from the server. The setup here used the HP tftp server (tftp-hpa), not the RedHat supplied server. The backup script assumes the base path is /tftpboot , which is normally the default.

1.4. SYSLinux

The PXE boot process needs a loader to boot the Linux kernel, which is also an opportunity to pass arguments to the kernel. We use the same options for all machines (/tftpboot/pxelinux.cfg/default):
APPEND root=/dev/nfs nfsroot=,wsize=8192,rsize=8192,hard,intr ip=dhcp

PXELinux (part of SYSLinux) passes these options to the kernel found at /tfptboot/vmlinuz, so just remember when building a new kernel to update this copy of the kernel too.

2. Setting up a bootable Linux system.

When each backup client boots, its root directory is a directory on the server. The root needs to contain all the usual startup software that will allow it to boot up, startup networking (which is somehow separate from the NFS root that will already be running) and mount the backup image NFS mount. For debugging, a working ssh daemon might also be useful.

For my base system I used my firewall machine, which is a RedHat 7.3 install with many small additions and a kernel. This was simply copied to a subdirectory of the same machine, /home/pxe, which is the NFS root. The bash was something like:
cd /
mkdir /home/pxe
find / | grep -v "^/home/pxe/" | cpio -padmu /home/pxe/

Some of the large and unnecessary installed software, such as the browser and Java were then deleted. How much time you want to spend removing software is up to you, storage costs being what they are, there is no real point in deleting anything.

At this point it might be worth changing the root (chroot /home/pxe ; passwd), and setting the run level to 3 (vi /etc/inittab). Note, 'chroot /home/pxe' is a handy way of working on the NFS root.

3 Preparing a bootable Linux


Look at the NFS ROOT HOWTO for the details. In short, configure the kernel for an i386 processor (or the lowest common denominator) with IP auto configuration and NFS ROOT enabled and built into the kernel. Also, build into the kernel the NFS client options and the network cards. Modules are a bad idea for anything but optional extras. Your new kernel should be copied to this directory in /home/pxe/boot and to the /tftpboot directory.


Setup /etc/fstab to use the NFS drives as root and as the /backup mount point, which will later be used by Ghost. In my case this looks like:
PXEADDR:PXEBASE    /                nfs     wsize=8192,rsize=8192,hard,intr     0 0
none               /dev/pts         devpts  gid=5,mode=620  0 0
proc               /proc            proc    defaults        0 0
tmpfs              /tmp             tmpfs   size=128m       0 0
tmpfs              /var/tmp         tmpfs   size=128m       0 0
GHSTNFS            /backup          nfs  rsize=8192,wsize=8192,hard,intr,tcp  0 0

Where PXEADDR:PXEBASE refers to the NFS server and where on that machine the root can be found. GHSTNFS refers to the NFS server for backup images, it can be different to the PXE server. In my case, PXEADDR is (my firewall and dhcp server) and PXEBASE is /home/pxe. As we need to modify the dhcpd configuration and restart dhcpd, the backup scripts need to be on that machine. GHSTNFS ( is the file server, so it has storage space but nothing else.

Note also the use of tmpfs for temporary storage. The key words PXEADDR, PXEBASE and GHSTNFS are edited by the server side scripts, the actual values from the configuration file.


When a backup operation is started, separate directories are created for /etc and /var, this is the minimum necessary change. But, as we need those directories at boot time, it is a little awkward to create extra mount points and have separate /etc and /var mounted after / has been mounted. The solution is to use the --bind option of mount. The separate directories created by the backup script are in a directory accessible via the NFS mount of /home/pxe and called <client ip>/etc and <client ip>/var.

Consequently, the moment /etc/rc.sysinit is read, it is reading the original /home/pxe/etc/rc.sysinit. But, we add the lines:
echo "Binding custom /var and /etc"
ADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | sed "s/.*inet addr: *\([0-9\.][0-9\.]*\) .*/\1/"`
mount --bind /${ADDR}etc /etc
mount --bind /${ADDR}var /var

just after / is remounted read/write.

So by the time rc.sysinit runs anything that will daemonise etc, it will be running from a now distinct /etc and /var.


The net effect of these steps should be a Linux system that operates entirely over NFS and uses around 50 megabytes for its individual /etc and /var. You should also have /backup available over NFS. You should check it all works as expected, Ghost needs all this to be setup.

4 Preparing Ghost

4.1 Setup DOSEmu

Download a copy of DOSEmu from, I used version 1.2.1 (stable) and then version 1.2.2 (stable), both without problems. It should be installed as root, for root, into /home/pxe (chroot into /home/pxe before building it).

4.2 Make a template boot disk

My boot disk uses MS-DOS as created by a Windows 98 machine. I've had reports of FreeDOS working. Format a bootable (with system files) floppy in Win98. Once you have a bootable disk (floppies being what they are, check that it works), create an image file of it with:
dd if=/dev/fd0 bs=512 of=/home/pxe/root/.dosemu/ghost.img

The correct path is important as all the scripts and DOSEmu asssume the image will be there.

4.3 Edit the boot disk

Mount the boot disk with:
mount -o loop /home/pxe/root/.dosemu/ghost.img /mnt/floppy
and edit AUTOEXEC.BAT to look like:
@echo off
SET TZ=GHO+00:00
echo Adding NFS dir as drive
lredir z: LINUX\FS\backup\BackUpName\
echo Loading...
echo > z:\BackUpName.sta
type a:ghosterr.txt >> z:\BackUpName.end
echo Ghost exited >> z:\BackUpName.end

The backup script creates individual boot disk images, and so BackUpCommand and BackUpName are replaced with the real command and name when needed.

You also need to copy some files to the boot disk, namely those used above (exitemu, lredir) to /mnt/floppy and GHOST.EXE (I used Norton Ghost 2003) to /mnt/floppy/ghost/.

When done, unmount the image with:
umount /mnt/floppy

4.4 Edit the DOSEmu config file

DOSEmu needs some configuration options to be set. These are:
$_cpu = "80586"
$_rdtsc = (on)
disk {wholedisk "/dev/hda"}

Although I've not tested it much, I suspect the $_cpu should match your kernel. With a 386 kernel, $_cpu = "80386" was stable, but then compiling a 586 kernel I had to also use $_cpu = "80586" to remain stable. The only symptom was hanging at one of a random few points during an image dump.

The _rdtsc line was added while testing for the processor issue. As we only use 586 or more processors, it seems like a good idea.

The wholedisk option lets Ghost see the real HD as a real HD. Contrary to the docs, this option is supported, they just consider it such a security risk that it is left undocumented. We want unrestricted access to the harddisk, so their security risk is our essential feature.

5.0 Other bits

5.1 Kernel module

When Ghost loads, it normally ask "Mark these drives as Ghost?". It does this even when run in batch mode, so is a small problem for our purposes as nobody will be there to select "Don't mark as Ghost". DOSEmu provides some options for sending key presses to the running program, but unfortunately they don't work with Ghost. This kernel module does the job instead, it sends key presses as if they were pressed on the keyboard, not far above the level of keyboard interrupt.

The source for the module is sendscancode.c. It can be compiled with:
chroot /home/pxe
cd /root
gcc -nostdinc -I/usr/src/linux/include -I/usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.3/include sendscancode.c -c -o sendscancode.o
cp sendscancode.o /lib/modules/2.4.27/kernel/drivers/input/
depmod -ra

# and ignore the symbols msg

insmod sendscancode thechar=0xf ; sends a tab

It will probably be obvious that I don't really know how to write kernel modules. This is good enough, as it works and doesn't do anything bad for your health. If somebody knows how to program a module and wants to give me a better solution, I'd be happy to accept it.

5.2 Screen dump

As the backup/restore process will be left unattended, I thought it would be a good idea to have some log. The best way forward here was a screen dump of the running Ghost. The program rdvga.c does just that and is used by the client side scripts to keep a short recent history of what the screen looked like. It is in black and white, but it gives the general idea. Compile with:
gcc -Wall rdvga.c -o /home/pxe/root/rdvga

It will also be obvious that this is a massive hack and only works because ancient backward compatibility is still supporting an MGA screen (I /think/ thats why it works). It has been tested with recent Nvidia graphics cards and old cards of various makers.

A better solution would be using a kernel module to save out the real video memory, as it exists outside of user mode address space. If you know how to do that and send me a solution, I'd be happy to accept it.

5.3 etherwake and miitools

You also need the etherwake program (for sending magic wake up packets) and the miitools package, which contains ethtool that is essential for setting up a NIC to remote wake up. etherwake is used on the server side, so needs to be accessible there. ethtool is used on the client side, so needs to be accessible to /home/pxe.

5.4 netmon

This program monitors the rate of traffic flow ever a network connection. The main client side script uses this to detect problems during the Ghosting process. Its source is available here. As this is run by the client, it needs to be in (say) /home/pxe/bin.

6 The controlling bash scripts

The last few sections have described the programs and configuration that need to be present. This section talks about the high level scripts that pull it together.

6.1 Client side

There are two additional scripts on the client side, a modified /home/pxe/etc/rc.local which has this appended to the end:
# enable WOL for next time
/usr/local/sbin/ethtool -s eth0 wol g

# identify the name of the machine, as found in /etc/dhcpd.conf
MAC=`ifconfig eth0 | grep HWaddr | head -n 1 | sed "s/.*HWaddr //"`
BACKUP=`grep -i $MAC /etc/dhcpd.conf | head -n 1 | sed "s/^host  *\([^ ]*\) .*$/\1/"`

# start the script that runs and then monitors Ghost
export BACKUP
sleep 10
export BACKUP
/etc/init.d/ghost start
) &

Also on the client side is the main script that runs and then monitors Ghost. Obviously it needs to go in /home/pxe/etc/init.d because the above script expects it to be there. This script does all the real work of supporting Ghost, so chances are, if you miss something out then it will break here. It is this script that:
1. Copies /root/.dosemu/ghost.img to /root/.dosemu/ghost-<client hostname>.img and modifies the copy for use on this client.
2. Runs DOSEmu and points it at the new boot disk image.
3. Runs the key press simulation to skip the "Mark drives as Ghost?" message.
4. Monitors the network and hard drive access statistics for signs of a trouble, which can be implied by there being very little data flow on the network card or hard drive.
5. Takes screen shots at 1 minute intervals.
And finally,
6. If Ghost quits, for whatever reason, or the statistics indicate trouble, the machine is shutdown.

6.2 Server side

The server side scripts are fairly simple, as their main goals are:

1. Modify /etc/dhcpd.conf to boot Linux remotely rather than whatever is on the local harddisk.
2. Create copies of /home/pxe/{etc,var} called /home/pxe/<client IP>{etc,var}
3. Create the directories for the backup images and screen dumps.
4. Wake up the machine.
5. Undo the changes made to /etc/dhcpd.conf, so the machine now boots locally.
6. Make sure the machine came up, and then wait for it to shut down.

The server side scripts go in /home/pxe/root, but that is just to keep the ghost4linux system together in one place. The scripts are,, and But for and, the meaning of each is obvious. uses all the same mechanisms to bring up the machine, but doesn't run Ghost. Instead the machine is left running for an hour, giving you the chance to ssh into it and do whatever you like. Killing the running 'sleep 3600' will then shut down the machine within 20 seconds. also brings up the machine using all the same mechanisms, but runs Ghost with no parameters. This gives you the chance to fiddle with the user interface (ie do a disk to disk copy) without using any boot media.

All the scripts and programs are available here: ghost4linux-1.1.tar.gz

The scripts use a config file /etc/ghostrc to find the right paths. The client also uses this file, so it is copied into /home/pxe/etc by the server side scripts. The config file looks like this:

# IP and path to NFS mounted Linux client

# These two must be the same place or bad things will happen
GHSTBASE=/net/backup/    # image path rel to server
GHSTNFS=   # image path when mounted over NFS

# paths

and obviously needs to be edited for your environment.

To use, you would run:
cd /home/pxe/root
./ john
./ john

which should do everything required to backup the machine called john to the file server and then shut down john. The final line would use john to verify the image on the file server and then shut down john.

7.0 Other issues

Note that some ditributions will use different paths, or slightly different names for executables. ether-wake is the standard name, but under Debian it is etherwake. Also, RedHat's dhcpd startup script is /etc/init.d/dhcpd, but under Debian it is /etc/init.d/dhcp. The config file /etc/ghostrc is there to account for these differences.

The End

That should be all you need. If you want more explanation or have ideas, email me on greg at csc liv ac uk.

Ideally all this messing about could be reduced to a patch set agaisnt a small linux distribution. As this is a reasonably large amount of extra work, I'll only do it if several people ask.


  Initial release of complete HOWTO.

  Fixed some small typos. Added history and license sections.

  DOS limitations meant using hostnames as filenames broke too easily. As far as DOS is concerned, have now avoided all use dynamic filenames.
  Fixed broken links.
  Added link to tar ball containing all the scripts, calling it V1.1

  Clayton Craft pointed out a typo, Ghost V8 does not work with DosEmu.


This documentation is released under GNU FDL Version 1.2 or later. The programs are released under the GNU GPL.

Last changed 17/11/2005.