Fetch boot files via http instead of TFTP » History » Version 17
Lukas Zapletal, 05/30/2018 11:21 AM
1 | 10 | Lukas Zapletal | h1. PXELinux chainboot into iPXE |
---|---|---|---|
2 | 1 | Alexander Chuzhoy | |
3 | 14 | Lukas Zapletal | {{toc}} |
4 | |||
5 | 10 | Lukas Zapletal | TFTP is a slow protocol on high-latency networks, but if your hardware is supported by iPXE (http://ipxe.org/appnote/hardware_drivers) or if UNDI driver of the NIC is compatible with iPXE, it is possible to configure PXELinux to chainboot iPXE and continue booting via HTTP protocol which is fast and reliable. |
6 | 1 | Alexander Chuzhoy | |
7 | 10 | Lukas Zapletal | In this scenario, a system is PXE-booted into PXELinux which chainloads iPXE which continue booting via HTTP. The scenario is: |
8 | |||
9 | * hardware is turned on |
||
10 | * PXE driver gets network credentials from DHCP |
||
11 | * PXE driver gets PXELinux firmware from TFTP (pxelinux.0) |
||
12 | * PXELinux searches for configuration file on TFTP |
||
13 | * PXELinux chainloads iPXE (undionly-ipxe.0 or ipxe.lkrn) |
||
14 | * iPXE gets network credentials from DHCP again |
||
15 | * iPXE gets HTTP address from DHCP |
||
16 | * iPXE chainloads the iPXE template from Foreman |
||
17 | * iPXE loads kernel and init RAM disk of the installer |
||
18 | |||
19 | Requirements: |
||
20 | |||
21 | * a host entry is created in Foreman |
||
22 | * MAC address of the provisioning interface matches |
||
23 | * provisioning interface of the host has a valid DHCP reservation |
||
24 | * the host has special PXELinux template (below) associated |
||
25 | * the host has iPXE template associated |
||
26 | * hardware is capable of PXE booting |
||
27 | * hardware NIC is compatible with iPXE |
||
28 | |||
29 | The iPXE project offers two options: using PXE interface (UNDI) or using built-in linux network card driver. Both options have pros and cons and each gives different results with different hardware cards. Some NIC adapters can be slow with UNDI, some are actually faster. Not all network cards will work with either or both ways. |
||
30 | |||
31 | 13 | Lukas Zapletal | h2. A. Chainbooting iPXE directly |
32 | 10 | Lukas Zapletal | |
33 | 12 | Lukas Zapletal | In this setup, iPXE uses build-in driver for network communication. Therefore this will only work on supported cards (see above)! |
34 | 10 | Lukas Zapletal | |
35 | 12 | Lukas Zapletal | h3. TFTP setup |
36 | 10 | Lukas Zapletal | |
37 | 12 | Lukas Zapletal | Copy the iPXE firmware to the TFTP root directory: |
38 | 10 | Lukas Zapletal | |
39 | 12 | Lukas Zapletal | cp /usr/share/ipxe/ipxe.lkrn /var/lib/tftpboot/ |
40 | 10 | Lukas Zapletal | |
41 | 12 | Lukas Zapletal | The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in ipxe-bootimgs package. |
42 | 1 | Alexander Chuzhoy | |
43 | 15 | Lukas Zapletal | Not all hardware is supported by iPXE drivers. In case of troubles, use latest development version build of iPXE: |
44 | |||
45 | wget -O /var/lib/tftpboot/ http://boot.ipxe.org/ipxe.lkrn |
||
46 | |||
47 | 12 | Lukas Zapletal | Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts: |
48 | 1 | Alexander Chuzhoy | |
49 | 12 | Lukas Zapletal | restorecon -RvF /var/lib/tftpboot/ |
50 | 1 | Alexander Chuzhoy | |
51 | 12 | Lukas Zapletal | h3. Foreman setup - PXELinux template |
52 | 1 | Alexander Chuzhoy | |
53 | 12 | Lukas Zapletal | Configuration involves associating PXELinux and iPXE templates. |
54 | 1 | Alexander Chuzhoy | |
55 | 12 | Lukas Zapletal | In your Foreman instance, go to "Provisioning templates" and create new template of PXELinux kind with the following contents: |
56 | 1 | Alexander Chuzhoy | |
57 | 12 | Lukas Zapletal | <pre><code> |
58 | DEFAULT linux |
||
59 | LABEL linux |
||
60 | KERNEL ipxe.lkrn |
||
61 | APPEND dhcp && chain <%= foreman_url('iPXE') %> |
||
62 | IPAPPEND 2 |
||
63 | </code></pre> |
||
64 | 1 | Alexander Chuzhoy | |
65 | 12 | Lukas Zapletal | Recent version of Foreman ships with this template already under name "PXELinux chain iPXE". |
66 | 1 | Alexander Chuzhoy | |
67 | 12 | Lukas Zapletal | h3. Foreman setup - iPXE template |
68 | 1 | Alexander Chuzhoy | |
69 | 12 | Lukas Zapletal | Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE' containing something like: |
70 | 1 | Alexander Chuzhoy | |
71 | 12 | Lukas Zapletal | <pre><code>#!ipxe |
72 | kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%> |
||
73 | initrd <%= "#{@host.url_for_boot(:initrd)}" %> |
||
74 | boot |
||
75 | </code></pre> |
||
76 | 10 | Lukas Zapletal | |
77 | 12 | Lukas Zapletal | If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save. |
78 | |||
79 | 13 | Lukas Zapletal | h2. B. Chainbooting iPXE via UNDI |
80 | 12 | Lukas Zapletal | |
81 | In this setup, iPXE uses UNDI for network communication. The hardware must support that. |
||
82 | |||
83 | h3. TFTP setup |
||
84 | |||
85 | Copy the iPXE firmware to the TFTP root directory and rename it: |
||
86 | |||
87 | cp /usr/share/ipxe/undionly.kpxe /var/lib/tftpboot/undionly-ipxe.0 |
||
88 | |||
89 | The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in ipxe-bootimgs package. |
||
90 | |||
91 | 1 | Alexander Chuzhoy | Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts: |
92 | 10 | Lukas Zapletal | |
93 | 9 | Lukas Zapletal | restorecon -RvF /var/lib/tftpboot/ |
94 | 1 | Alexander Chuzhoy | |
95 | 12 | Lukas Zapletal | h3. TFTP setup (gPXELinux alternative) |
96 | 10 | Lukas Zapletal | |
97 | 12 | Lukas Zapletal | This is alternative approach if none of the above configurations work or packages are not available. |
98 | 10 | Lukas Zapletal | |
99 | 12 | Lukas Zapletal | Copy the gPXE firmware to the TFTP root directory: |
100 | 10 | Lukas Zapletal | |
101 | 12 | Lukas Zapletal | cp /usr/share/syslinux/gpxelinuxk.0 /var/lib/tftpboot/ |
102 | |||
103 | The source directory can be different on linux distributions, this is for Red Hats. The file is shipped in syslinux package. |
||
104 | |||
105 | Do not use symbolic links as TFTP runs in chroot. When using SELinux, remember to correct file contexts: |
||
106 | |||
107 | restorecon -RvF /var/lib/tftpboot/ |
||
108 | |||
109 | h3. Foreman setup - PXELinux template |
||
110 | |||
111 | 9 | Lukas Zapletal | In your Foreman instance, go to "Provisioning templates" and create new template of PXELinux kind with the following contents: |
112 | |||
113 | 1 | Alexander Chuzhoy | <pre><code> |
114 | DEFAULT undionly-ipxe |
||
115 | 9 | Lukas Zapletal | LABEL undionly-ipxe |
116 | 1 | Alexander Chuzhoy | MENU LABEL iPXE UNDI |
117 | KERNEL undionly-ipxe.0 |
||
118 | 10 | Lukas Zapletal | IPAPPEND 2 |
119 | 9 | Lukas Zapletal | </code></pre> |
120 | 1 | Alexander Chuzhoy | |
121 | Recent version of Foreman ships with this template already under name "PXELinux chain iPXE UNDI". |
||
122 | |||
123 | 12 | Lukas Zapletal | h3. Foreman setup - iPXE template |
124 | 1 | Alexander Chuzhoy | |
125 | 12 | Lukas Zapletal | Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE' containing something like: |
126 | 1 | Alexander Chuzhoy | |
127 | <pre><code>#!ipxe |
||
128 | kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%> |
||
129 | initrd <%= "#{@host.url_for_boot(:initrd)}" %> |
||
130 | boot |
||
131 | </code></pre> |
||
132 | |||
133 | If there was a host associated with PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman do this automatically on template save. |
||
134 | |||
135 | 12 | Lukas Zapletal | h3. DHCP setup |
136 | 1 | Alexander Chuzhoy | |
137 | The above configuration will lead to an endless loop of chainbooting iPXE firmware. To break this loop, configure DHCP server to hand over correct URL to iPXE to continue booting. In the /etc/dhcp/dhcpd.conf file change the "filename" global or subnet configuration as follows: |
||
138 | |||
139 | 10 | Lukas Zapletal | <pre><code> |
140 | 9 | Lukas Zapletal | if exists user-class and option user-class = "iPXE" { |
141 | 13 | Lukas Zapletal | filename "https://foreman:443/unattended/iPXE"; |
142 | 1 | Alexander Chuzhoy | } else { |
143 | filename "pxelinux.0"; |
||
144 | } |
||
145 | </code></pre> |
||
146 | |||
147 | 12 | Lukas Zapletal | On isolated networks, use Smart Proxy URL instead of Foreman when templates feature is enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service. This can be also forced with |
148 | 1 | Alexander Chuzhoy | |
149 | 10 | Lukas Zapletal | <pre><code> |
150 | 1 | Alexander Chuzhoy | truncate /var/lib/dhcpd/dhcpd.leases |
151 | 10 | Lukas Zapletal | service dhcpd restart |
152 | </code></pre> |
||
153 | 11 | Lukas Zapletal | |
154 | 13 | Lukas Zapletal | h2. C. Chainbooting virtual machines |
155 | 10 | Lukas Zapletal | |
156 | 16 | Lukas Zapletal | Since most virtualization hypervisors use iPXE as the primary firmware for PXE booting, the above configuration will directly work without TFTP and PXELinux involved. This is known to work with libvirt, oVirt and RHEV. If the hypervisor is capable of replacing PXE firmware, it will work too (e.g. VMWare is documented at http://ipxe.org/howto/vmware). There are two options. |
157 | 1 | Alexander Chuzhoy | |
158 | 16 | Lukas Zapletal | h3. Foreman setup - iPXE template |
159 | |||
160 | Associate iPXE template which ships with Foreman which is named 'Kickstart default iPXE' or 'Preseed default iPXE'. The contents is the same as in the workflows above. |
||
161 | |||
162 | h3. DHCP setup - managed server |
||
163 | |||
164 | In this case, Foreman manages DHCP and reservation (IP address) is known in advance, therefore iPXE script can be found in Foreman DB and returned to a client: |
||
165 | |||
166 | 1 | Alexander Chuzhoy | * VM is turned on |
167 | 16 | Lukas Zapletal | * iPXE gets network credentials from DHCP |
168 | * iPXE gets filename option from DHCP (URL) |
||
169 | 1 | Alexander Chuzhoy | * iPXE chainloads the iPXE template from Foreman |
170 | 16 | Lukas Zapletal | * Foreman renders iPXE template for given host found by remote IP |
171 | * iPXE executed the script, loads kernel and init RAM disk of the installer |
||
172 | 1 | Alexander Chuzhoy | |
173 | 16 | Lukas Zapletal | In the /etc/dhcp/dhcpd.conf file change the "filename" global or subnet configuration as follows: |
174 | 1 | Alexander Chuzhoy | |
175 | 16 | Lukas Zapletal | <pre><code> |
176 | if exists user-class and option user-class = "iPXE" { |
||
177 | filename "https://foreman:443/unattended/iPXE"; |
||
178 | } else { |
||
179 | filename "pxelinux.0"; |
||
180 | } |
||
181 | </code></pre> |
||
182 | 1 | Alexander Chuzhoy | |
183 | 16 | Lukas Zapletal | Certain iPXE builds might not be able to access via SSL/TLS, in that case use HTTP URL. On isolated networks, use Smart Proxy URL instead of Foreman but keep in mind templates smart-proxy feature must be enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service (see above). |
184 | 1 | Alexander Chuzhoy | |
185 | 16 | Lukas Zapletal | h3. DHCP setup - unmanaged server |
186 | 1 | Alexander Chuzhoy | |
187 | 16 | Lukas Zapletal | In this case, Foreman cannot create DHCP reservation in advance. But an intermediate iPXE script can be deployed to report MAC address to find proper host: |
188 | 1 | Alexander Chuzhoy | |
189 | 16 | Lukas Zapletal | * VM is turned on |
190 | * iPXE gets network credentials from DHCP |
||
191 | * iPXE gets filename option from DHCP (URL) |
||
192 | * iPXE loads the intermediate iPXE template from a HTTP server |
||
193 | * iPXE executes the intermediate script |
||
194 | * iPXE chainloads the iPXE template from Foreman with MAC address provided as a parameter |
||
195 | * Foreman renders iPXE template for given host found by remote IP |
||
196 | * iPXE executed the script, loads kernel and init RAM disk of the installer |
||
197 | |||
198 | Create the following script and put it somewhere on the network via HTTP so iPXE clients can access it. |
||
199 | |||
200 | 1 | Alexander Chuzhoy | <pre><code> |
201 | 16 | Lukas Zapletal | #!ipxe |
202 | # Intermediate iPXE script to report MAC address to Foreman |
||
203 | isset ${net0/mac} || goto no_nic |
||
204 | dhcp net0 || goto net1 |
||
205 | chain https://foreman:443/unattended/iPXE?mac=${net0/mac} || goto net1 |
||
206 | exit 0 |
||
207 | |||
208 | :net1 |
||
209 | isset ${net1/mac} || goto no_nic |
||
210 | dhcp net1 || goto net2 |
||
211 | chain https://foreman:443/unattended/iPXE?mac=${net1/mac} || goto net2 |
||
212 | exit 0 |
||
213 | |||
214 | :net1 |
||
215 | # Create as many copies as necessary (this will work up to 2 NICs) |
||
216 | |||
217 | :no_nic |
||
218 | echo Failed to chainload from any network interface |
||
219 | sleep 30 |
||
220 | exit 1 |
||
221 | </code></pre> |
||
222 | |||
223 | Let's use httpd on Foreman server for this purpose: |
||
224 | |||
225 | 17 | Lukas Zapletal | <pre><code> |
226 | # scp intermediate.ipxe root@foreman:/var/www/htdocs/pub/ |
||
227 | </code></pre> |
||
228 | 1 | Alexander Chuzhoy | |
229 | 16 | Lukas Zapletal | |
230 | 17 | Lukas Zapletal | On an *unmanaged DHCP server* change filename option to be "https://foreman:443/pub/intermediate.ipxe". Instructions are different for various DHCP servers (like MS DHCP, Infoblox, Bluecoat) but if this was ISC DHCP, then simply change /etc/dhcp/dhcpd.conf file as follows: |
231 | 16 | Lukas Zapletal | |
232 | <pre><code> |
||
233 | 13 | Lukas Zapletal | if exists user-class and option user-class = "iPXE" { |
234 | 16 | Lukas Zapletal | filename "https://foreman:443/pub/intermediate.ipxe"; |
235 | 12 | Lukas Zapletal | } else { |
236 | filename "pxelinux.0"; |
||
237 | } |
||
238 | </code></pre> |
||
239 | |||
240 | 16 | Lukas Zapletal | Certain iPXE builds might not be able to access via SSL/TLS, in that case use HTTP URL. On isolated networks, use Smart Proxy URL instead of Foreman but keep in mind templates smart-proxy feature must be enabled. |