Project

General

Profile

Fetch boot files via http instead of TFTP » History » Version 17

Lukas Zapletal, 05/30/2018 11:21 AM

1 10 Lukas Zapletal
h1. PXELinux chainboot into iPXE
2 1 Alexander Chuzhoy
3 14 Lukas Zapletal
{{toc}}
4
5 10 Lukas Zapletal
TFTP is a slow protocol on high-latency networks, but if your hardware is supported by iPXE (http://ipxe.org/appnote/hardware_drivers) or if UNDI driver of the NIC is compatible with iPXE, it is possible to configure PXELinux to chainboot iPXE and continue booting via HTTP protocol which is fast and reliable.
6 1 Alexander Chuzhoy
7 10 Lukas Zapletal
In this scenario, a system is PXE-booted into PXELinux which chainloads iPXE which continue booting via HTTP. The scenario is:
8
9
* hardware is turned on
10
* PXE driver gets network credentials from DHCP
11
* PXE driver gets PXELinux firmware from TFTP (pxelinux.0)
12
* PXELinux searches for configuration file on TFTP
13
* PXELinux chainloads iPXE (undionly-ipxe.0 or ipxe.lkrn)
14
* iPXE gets network credentials from DHCP again
15
* iPXE gets HTTP address from DHCP
16
* iPXE chainloads the iPXE template from Foreman
17
* iPXE loads kernel and init RAM disk of the installer
18
19
Requirements:
20
21
* a host entry is created in Foreman
22
* MAC address of the provisioning interface matches
23
* provisioning interface of the host has a valid DHCP reservation
24
* the host has special PXELinux template (below) associated
25
* the host has iPXE template associated
26
* hardware is capable of PXE booting
27
* hardware NIC is compatible with iPXE
28
29
The iPXE project offers two options: using PXE interface (UNDI) or using built-in linux network card driver. Both options have pros and cons and each gives different results with different hardware cards. Some NIC adapters can be slow with UNDI, some are actually faster. Not all network cards will work with either or both ways.
30
31 13 Lukas Zapletal
h2. A. Chainbooting iPXE directly
32 10 Lukas Zapletal
33 12 Lukas Zapletal
In this setup, iPXE uses build-in driver for network communication. Therefore this will only work on supported cards (see above)!
34 10 Lukas Zapletal
35 12 Lukas Zapletal
h3. TFTP setup
36 10 Lukas Zapletal
37 12 Lukas Zapletal
Copy the iPXE firmware to the TFTP root directory:
38 10 Lukas Zapletal
39 12 Lukas Zapletal
  cp /usr/share/ipxe/ipxe.lkrn /var/lib/tftpboot/
40 10 Lukas Zapletal
41 12 Lukas Zapletal
The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in ipxe-bootimgs package.
42 1 Alexander Chuzhoy
43 15 Lukas Zapletal
Not all hardware is supported by iPXE drivers. In case of troubles, use latest development version build of iPXE:
44
45
  wget -O /var/lib/tftpboot/ http://boot.ipxe.org/ipxe.lkrn
46
47 12 Lukas Zapletal
Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:
48 1 Alexander Chuzhoy
49 12 Lukas Zapletal
  restorecon -RvF /var/lib/tftpboot/
50 1 Alexander Chuzhoy
51 12 Lukas Zapletal
h3. Foreman setup - PXELinux template
52 1 Alexander Chuzhoy
53 12 Lukas Zapletal
Configuration involves associating PXELinux and iPXE templates.
54 1 Alexander Chuzhoy
55 12 Lukas Zapletal
In your Foreman instance, go to "Provisioning templates" and create new template of PXELinux kind with the following contents:
56 1 Alexander Chuzhoy
57 12 Lukas Zapletal
<pre><code>
58
DEFAULT linux
59
LABEL linux
60
KERNEL ipxe.lkrn
61
APPEND dhcp && chain <%= foreman_url('iPXE') %>
62
IPAPPEND 2
63
</code></pre>
64 1 Alexander Chuzhoy
65 12 Lukas Zapletal
Recent version of Foreman ships with this template already under name "PXELinux chain iPXE".
66 1 Alexander Chuzhoy
67 12 Lukas Zapletal
h3. Foreman setup - iPXE template
68 1 Alexander Chuzhoy
69 12 Lukas Zapletal
Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE' containing something like:
70 1 Alexander Chuzhoy
71 12 Lukas Zapletal
<pre><code>#!ipxe
72
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
73
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
74
boot
75
</code></pre>
76 10 Lukas Zapletal
77 12 Lukas Zapletal
If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save.
78
79 13 Lukas Zapletal
h2. B. Chainbooting iPXE via UNDI
80 12 Lukas Zapletal
81
In this setup, iPXE uses UNDI for network communication. The hardware must support that.
82
83
h3. TFTP setup
84
85
Copy the iPXE firmware to the TFTP root directory and rename it:
86
87
  cp /usr/share/ipxe/undionly.kpxe /var/lib/tftpboot/undionly-ipxe.0
88
89
The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in ipxe-bootimgs package.
90
91 1 Alexander Chuzhoy
Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:
92 10 Lukas Zapletal
93 9 Lukas Zapletal
  restorecon -RvF /var/lib/tftpboot/
94 1 Alexander Chuzhoy
95 12 Lukas Zapletal
h3. TFTP setup (gPXELinux alternative)
96 10 Lukas Zapletal
97 12 Lukas Zapletal
This is alternative approach if none of the above configurations work or packages are not available.
98 10 Lukas Zapletal
99 12 Lukas Zapletal
Copy the gPXE firmware to the TFTP root directory:
100 10 Lukas Zapletal
101 12 Lukas Zapletal
  cp /usr/share/syslinux/gpxelinuxk.0 /var/lib/tftpboot/
102
103
The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in syslinux package.
104
105
Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts:
106
107
  restorecon -RvF /var/lib/tftpboot/
108
109
h3. Foreman setup - PXELinux template
110
111 9 Lukas Zapletal
In your Foreman instance, go to "Provisioning templates" and create new template of PXELinux kind with the following contents:
112
113 1 Alexander Chuzhoy
<pre><code>
114
DEFAULT undionly-ipxe
115 9 Lukas Zapletal
LABEL undionly-ipxe
116 1 Alexander Chuzhoy
MENU LABEL iPXE UNDI
117
KERNEL undionly-ipxe.0
118 10 Lukas Zapletal
IPAPPEND 2
119 9 Lukas Zapletal
</code></pre>
120 1 Alexander Chuzhoy
121
Recent version of Foreman ships with this template already under name "PXELinux chain iPXE UNDI".
122
123 12 Lukas Zapletal
h3. Foreman setup - iPXE template
124 1 Alexander Chuzhoy
125 12 Lukas Zapletal
Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE' containing something like:
126 1 Alexander Chuzhoy
127
<pre><code>#!ipxe
128
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
129
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
130
boot
131
</code></pre>
132
133
If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save.
134
135 12 Lukas Zapletal
h3. DHCP setup
136 1 Alexander Chuzhoy
137
The above configuration will lead to an endless loop of chainbooting iPXE firmware. To break this loop, configure DHCP server to hand over correct URL to iPXE to continue booting. In the /etc/dhcp/dhcpd.conf file change the "filename" global or subnet configuration as follows:
138
139 10 Lukas Zapletal
<pre><code>
140 9 Lukas Zapletal
if exists user-class and option user-class = "iPXE" {
141 13 Lukas Zapletal
  filename "https://foreman:443/unattended/iPXE";
142 1 Alexander Chuzhoy
} else {
143
  filename "pxelinux.0";
144
}
145
</code></pre>
146
147 12 Lukas Zapletal
On isolated networks, use Smart Proxy URL instead of Foreman when templates feature is enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service. This can be also forced with
148 1 Alexander Chuzhoy
149 10 Lukas Zapletal
<pre><code>
150 1 Alexander Chuzhoy
truncate /var/lib/dhcpd/dhcpd.leases
151 10 Lukas Zapletal
service dhcpd restart
152
</code></pre>
153 11 Lukas Zapletal
154 13 Lukas Zapletal
h2. C. Chainbooting virtual machines
155 10 Lukas Zapletal
156 16 Lukas Zapletal
Since most virtualization hypervisors use iPXE as the primary firmware for PXE booting, the above configuration will directly work without TFTP and PXELinux involved. This is known to work with libvirt, oVirt and RHEV. If the hypervisor is capable of replacing PXE firmware, it will work too (e.g. VMWare is documented at http://ipxe.org/howto/vmware). There are two options.
157 1 Alexander Chuzhoy
158 16 Lukas Zapletal
h3. Foreman setup - iPXE template
159
160
Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE'. The contents is the same as in the workflows above.
161
162
h3. DHCP setup - managed server
163
164
In this case, Foreman manages DHCP and reservation (IP address) is known in advance, therefore iPXE script can be found in Foreman DB and returned to a client:
165
166 1 Alexander Chuzhoy
* VM is turned on
167 16 Lukas Zapletal
* iPXE gets network credentials from DHCP
168
* iPXE gets filename option from DHCP (URL)
169 1 Alexander Chuzhoy
* iPXE chainloads the iPXE template from Foreman
170 16 Lukas Zapletal
* Foreman renders iPXE template for given host found by remote IP
171
* iPXE executed the script, loads kernel and init RAM disk of the installer
172 1 Alexander Chuzhoy
173 16 Lukas Zapletal
In the /etc/dhcp/dhcpd.conf file change the "filename" global or subnet configuration as follows:
174 1 Alexander Chuzhoy
175 16 Lukas Zapletal
<pre><code>
176
if exists user-class and option user-class = "iPXE" {
177
  filename "https://foreman:443/unattended/iPXE";
178
} else {
179
  filename "pxelinux.0";
180
}
181
</code></pre>
182 1 Alexander Chuzhoy
183 16 Lukas Zapletal
Certain iPXE builds might not be able to access via SSL/TLS, in that case use HTTP URL. On isolated networks, use Smart Proxy URL instead of Foreman but keep in mind templates smart-proxy feature must be enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service (see above).
184 1 Alexander Chuzhoy
185 16 Lukas Zapletal
h3. DHCP setup - unmanaged server
186 1 Alexander Chuzhoy
187 16 Lukas Zapletal
In this case, Foreman cannot create DHCP reservation in advance. But an intermediate iPXE script can be deployed to report MAC address to find proper host:
188 1 Alexander Chuzhoy
189 16 Lukas Zapletal
* VM is turned on
190
* iPXE gets network credentials from DHCP
191
* iPXE gets filename option from DHCP (URL)
192
* iPXE loads the intermediate iPXE template from a HTTP server
193
* iPXE executes the intermediate script
194
* iPXE chainloads the iPXE template from Foreman with MAC address provided as a parameter
195
* Foreman renders iPXE template for given host found by remote IP
196
* iPXE executed the script, loads kernel and init RAM disk of the installer
197
198
Create the following script and put it somewhere on the network via HTTP so iPXE clients can access it.
199
200 1 Alexander Chuzhoy
<pre><code>
201 16 Lukas Zapletal
#!ipxe
202
# Intermediate iPXE script to report MAC address to Foreman
203
isset ${net0/mac} || goto no_nic
204
dhcp net0 || goto net1
205
chain https://foreman:443/unattended/iPXE?mac=${net0/mac} || goto net1
206
exit 0
207
208
:net1
209
isset ${net1/mac} || goto no_nic
210
dhcp net1 || goto net2
211
chain https://foreman:443/unattended/iPXE?mac=${net1/mac} || goto net2
212
exit 0
213
214
:net1
215
# Create as many copies as necessary (this will work up to 2 NICs)
216
217
:no_nic
218
echo Failed to chainload from any network interface
219
sleep 30
220
exit 1
221
</code></pre>
222
223
Let's use httpd on Foreman server for this purpose:
224
225 17 Lukas Zapletal
<pre><code>
226
# scp intermediate.ipxe root@foreman:/var/www/htdocs/pub/
227
</code></pre>
228 1 Alexander Chuzhoy
229 16 Lukas Zapletal
230 17 Lukas Zapletal
On an *unmanaged DHCP server* change filename option to be "https://foreman:443/pub/intermediate.ipxe". Instructions are different for various DHCP servers (like MS DHCP, Infoblox, Bluecoat) but if this was ISC DHCP, then simply change /etc/dhcp/dhcpd.conf file as follows:
231 16 Lukas Zapletal
232
<pre><code>
233 13 Lukas Zapletal
if exists user-class and option user-class = "iPXE" {
234 16 Lukas Zapletal
  filename "https://foreman:443/pub/intermediate.ipxe";
235 12 Lukas Zapletal
} else {
236
  filename "pxelinux.0";
237
}
238
</code></pre>
239
240 16 Lukas Zapletal
Certain iPXE builds might not be able to access via SSL/TLS, in that case use HTTP URL. On isolated networks, use Smart Proxy URL instead of Foreman but keep in mind templates smart-proxy feature must be enabled.