PXELinux chainboot into iPXE

TFTP is a slow protocol on high-latency networks. If your hardware is supported by iPXE (http://ipxe.org/appnote/hardware_drivers), or if the NIC's UNDI driver is compatible with iPXE, you can configure PXELinux to chainboot iPXE and continue booting over HTTP, which is fast and reliable.

In this scenario, a system is PXE-booted into PXELinux, which chainloads iPXE, which continues booting via HTTP. The sequence is:

  • hardware is turned on
  • PXE driver gets network credentials from DHCP
  • PXE driver gets PXELinux firmware from TFTP (pxelinux.0)
  • PXELinux searches for configuration file on TFTP
  • PXELinux chainloads iPXE (undionly-ipxe.0 or ipxe.lkrn)
  • iPXE gets network credentials from DHCP again
  • iPXE gets HTTP address from DHCP
  • iPXE chainloads the iPXE template from Foreman
  • iPXE loads kernel and init RAM disk of the installer

Requirements:

  • a host entry is created in Foreman
  • MAC address of the provisioning interface matches
  • provisioning interface of the host has a valid DHCP reservation
  • the host has special PXELinux template (below) associated
  • the host has iPXE template associated
  • hardware is capable of PXE booting
  • hardware NIC is compatible with iPXE

The iPXE project offers two options: using the PXE interface (UNDI) or using a built-in Linux network card driver. Both options have pros and cons, and each gives different results with different network cards. Some NICs are slow with UNDI, some are actually faster. Not every network card works with both methods, and some work with neither.

A. Chainbooting iPXE directly

In this setup, iPXE uses its built-in driver for network communication, so it only works on supported cards (see above).

TFTP setup

Copy the iPXE firmware to the TFTP root directory:

cp /usr/share/ipxe/ipxe.lkrn /var/lib/tftpboot/

The source directory can differ between Linux distributions; this path is for Red Hat systems. The file is shipped in the ipxe-bootimgs package.

Not all hardware is supported by iPXE drivers. If you run into trouble, use the latest development build of iPXE:

wget -O /var/lib/tftpboot/ipxe.lkrn http://boot.ipxe.org/ipxe.lkrn

Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:

restorecon -RvF /var/lib/tftpboot/

Foreman setup - PXELinux template

Configuration involves associating PXELinux and iPXE templates.

In your Foreman instance, go to "Provisioning templates" and create a new template of the PXELinux kind with the following contents:


DEFAULT linux
LABEL linux
KERNEL ipxe.lkrn
APPEND dhcp && chain <%= foreman_url('iPXE') %>
IPAPPEND 2

Recent versions of Foreman already ship this template under the name "PXELinux chain iPXE".

Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE', which contains something like:

#!ipxe
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
boot

If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save.

B. Chainbooting iPXE via UNDI

In this setup, iPXE uses UNDI for network communication. The hardware must support that.

TFTP setup

Copy the iPXE firmware to the TFTP root directory and rename it:

cp /usr/share/ipxe/undionly.kpxe /var/lib/tftpboot/undionly-ipxe.0

The source directory can differ between Linux distributions; this path is for Red Hat systems. The file is shipped in the ipxe-bootimgs package.

Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:

restorecon -RvF /var/lib/tftpboot/

TFTP setup (gPXELinux alternative)

This is an alternative approach if none of the above configurations work or the packages are not available.

Copy the gPXE firmware to the TFTP root directory:

cp /usr/share/syslinux/gpxelinuxk.0 /var/lib/tftpboot/

The source directory can differ between Linux distributions; this path is for Red Hat systems. The file is shipped in the syslinux package.

Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:

restorecon -RvF /var/lib/tftpboot/
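The TFTP setup steps above, turned into a check you can run after copying firmware. This is an added example, not part of Foreman or iPXE; the function names are hypothetical, and the optional SHA-256 is assumed to be one you recorded from a copy of the firmware you trust.

```shell
#!/bin/sh
# Added example (not Foreman's code): sanity-check firmware copied into the TFTP root.

# check_tftp_file ROOT NAME [EXPECTED_SHA256]
# Prints one verdict: ok | symlink | missing | empty | checksum-mismatch
check_tftp_file() {
    path=$1/$2
    # -L first: a symlink can resolve here yet dangle inside the TFTP chroot
    if [ -L "$path" ]; then echo symlink; return 1; fi
    if [ ! -f "$path" ]; then echo missing; return 1; fi
    # a zero-byte file is what an interrupted copy or download leaves behind
    if [ ! -s "$path" ]; then echo empty; return 1; fi
    if [ -n "${3:-}" ]; then
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$3" ]; then echo checksum-mismatch; return 1; fi
    fi
    echo ok
}

# check_tftp_root ROOT NAME...
# Reports each named firmware file, then any symlink anywhere under ROOT.
# Returns non-zero if anything needs fixing.
check_tftp_root() {
    root=$1; shift; rc=0
    for name in "$@"; do
        verdict=$(check_tftp_file "$root" "$name") || rc=1
        echo "$name: $verdict"
    done
    links=$(find "$root" -type l)
    if [ -n "$links" ]; then
        echo "symlinks under $root:"; echo "$links"; rc=1
    fi
    return "$rc"
}

# Usage: sh check-tftp.sh /var/lib/tftpboot pxelinux.0 undionly-ipxe.0
if [ $# -gt 1 ]; then check_tftp_root "$@"; fi
```

Pass only the file names your workflow uses: ipxe.lkrn for workflow A, undionly-ipxe.0 for workflow B.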

Foreman setup - PXELinux template

In your Foreman instance, go to "Provisioning templates" and create a new template of the PXELinux kind with the following contents:


DEFAULT undionly-ipxe
LABEL undionly-ipxe
MENU LABEL iPXE UNDI
KERNEL undionly-ipxe.0
IPAPPEND 2

Recent versions of Foreman already ship this template under the name "PXELinux chain iPXE UNDI".

Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE', which contains something like:

#!ipxe
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
boot

If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save.

DHCP setup

The above configuration leads to an endless loop of chainbooting the iPXE firmware. To break this loop, configure the DHCP server to hand the correct URL to iPXE so it can continue booting. In the /etc/dhcp/dhcpd.conf file, change the "filename" global or subnet configuration as follows:


if exists user-class and option user-class = "iPXE" {
  filename "https://foreman:443/unattended/iPXE";
} else {
  filename "pxelinux.0";
}

On isolated networks, use the Smart Proxy URL instead of Foreman when the templates feature is enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service. This can also be forced with:


truncate -s 0 /var/lib/dhcpd/dhcpd.leases
service dhcpd restart

C. Chainbooting virtual machines

Since most virtualization hypervisors use iPXE as the primary firmware for PXE booting, the above configuration works directly, without TFTP or PXELinux involved. This is known to work with libvirt, oVirt and RHEV. If the hypervisor is capable of replacing the PXE firmware, it will work too (e.g. VMware is documented at http://ipxe.org/howto/vmware). The workflow is simplified in this case:

  • VM is turned on
  • iPXE gets network credentials from DHCP again
  • iPXE gets HTTP address from DHCP
  • iPXE chainloads the iPXE template from Foreman
  • iPXE loads kernel and init RAM disk of the installer

To configure this, make sure your hypervisor is using iPXE, configure the iPXE template for your host(s), and configure the DHCP server to return a valid URL:

Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE'. The contents are the same as in the workflows above. If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save.

DHCP setup

Similarly to the UNDI configuration, this leads to an endless loop of chainbooting the iPXE firmware. To break this loop, configure the DHCP server to hand the correct URL to iPXE so it can continue booting. In the /etc/dhcp/dhcpd.conf file, change the "filename" global or subnet configuration as follows:


if exists user-class and option user-class = "iPXE" {
  filename "https://foreman:443/unattended/iPXE";
} else {
  filename "pxelinux.0";
}

On isolated networks, use the Smart Proxy URL instead of Foreman when the templates feature is enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service (see above).
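Why the user-class conditional in the two DHCP setup sections breaks the loop, shown as a small model of the hand-offs. This is an added example, not Foreman, dhcpd or iPXE code; the function names and the "static"/"conditional" policy labels are hypothetical, and the URL is the one from the dhcpd.conf snippet above.

```shell
#!/bin/sh
# Added example: a model of the DHCP hand-offs, not Foreman or iPXE code.

# dhcp_filename POLICY USER_CLASS -> the "filename" the DHCP server returns
#   static      : dhcpd.conf with an unconditional filename "pxelinux.0"
#   conditional : the user-class conditional shown on this page
dhcp_filename() {
    if [ "$1" = conditional ] && [ "$2" = iPXE ]; then
        echo "https://foreman:443/unattended/iPXE"
    else
        echo "pxelinux.0"
    fi
}

# simulate_chain POLICY START [MAX_HOPS]
#   START rom  : NIC PXE ROM (workflow B)
#   START ipxe : hypervisor whose PXE firmware is already iPXE (workflow C)
# Prints each hand-off, then "done N" (template URL reached after N hand-offs)
# or "loop N" (gave up after N hand-offs without reaching it).
simulate_chain() {
    policy=$1 client=$2 max=${3:-6} hops=0
    while [ "$hops" -lt "$max" ]; do
        # iPXE identifies itself with DHCP user-class "iPXE"; a PXE ROM does not
        if [ "$client" = ipxe ]; then class=iPXE; else class=; fi
        file=$(dhcp_filename "$policy" "$class")
        hops=$((hops + 1))
        echo "hop $hops: $client asks DHCP, gets $file"
        case $file in
            http://*|https://*)
                echo "done $hops"; return 0 ;;
            *)
                # PXELinux reads its TFTP config and runs KERNEL undionly-ipxe.0
                hops=$((hops + 1))
                echo "hop $hops: pxelinux.0 chainloads undionly-ipxe.0"
                client=ipxe ;;
        esac
    done
    echo "loop $hops"; return 1
}

simulate_chain static rom || true   # never reaches the template
simulate_chain conditional rom      # ends with "done 3"
```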

ipxe.lkrn (389 KB) Alexander Chuzhoy, 12/16/2012 05:07 AM