Fetch boot files via http instead of TFTP » History » Version 19

Lukas Zapletal, 06/22/2018 07:28 AM
iPXE does not support HTTPS in RHEL - removed

h1. PXELinux chainboot into iPXE

{{toc}}

TFTP is a slow protocol on high-latency networks, but if your hardware is supported by iPXE (http://ipxe.org/appnote/hardware_drivers), or if the UNDI driver of the NIC is compatible with iPXE, it is possible to configure PXELinux to chainboot iPXE and continue booting over HTTP, which is fast and reliable.

In this scenario, a system is PXE-booted into PXELinux, which chainloads iPXE, which in turn continues booting via HTTP. The sequence is:

* hardware is turned on
* the PXE driver gets network credentials from DHCP
* the PXE driver gets the PXELinux firmware from TFTP (pxelinux.0)
* PXELinux searches for its configuration file on TFTP
* PXELinux chainloads iPXE (undionly-ipxe.0 or ipxe.lkrn)
* iPXE gets network credentials from DHCP again
* iPXE gets the HTTP address from DHCP
* iPXE chainloads the iPXE template from Foreman
* iPXE loads the kernel and init RAM disk of the installer

Requirements:

* a host entry is created in Foreman
* the MAC address of the provisioning interface matches
* the provisioning interface of the host has a valid DHCP reservation
* the host has the special PXELinux template (below) associated
* the host has an iPXE template associated
* the hardware is capable of PXE booting
* the hardware NIC is compatible with iPXE

The iPXE project offers two options: using the PXE interface (UNDI) or using iPXE's built-in Linux network card driver. Both options have pros and cons, and each gives different results with different hardware cards. Some NIC adapters can be slow with UNDI, some are actually faster. Not all network cards will work with either or both ways.

h2. A. Chainbooting iPXE directly

In this setup, iPXE uses its built-in driver for network communication, so this will only work on supported cards (see above)!

h3. TFTP setup

Copy the iPXE firmware to the TFTP root directory:

  cp /usr/share/ipxe/ipxe.lkrn /var/lib/tftpboot/

The source directory may differ between Linux distributions; this path is for Red Hat-based systems. The file is shipped in the ipxe-bootimgs package.

Not all hardware is supported by the iPXE drivers. In case of trouble, use the latest development build of iPXE:

  wget -O /var/lib/tftpboot/ipxe.lkrn http://boot.ipxe.org/ipxe.lkrn

Note that wget's -O needs the full target file name, not just the directory. This fetches boot firmware from an external site over plain HTTP, so check what you downloaded before serving it to clients.

Do not use symbolic links, as TFTP runs in a chroot. When using SELinux, remember to restore the file contexts:

  restorecon -RvF /var/lib/tftpboot/

h3. Foreman setup - PXELinux template

Configuration involves associating the PXELinux and iPXE templates.

In your Foreman instance, go to "Provisioning templates" and create a new template of the PXELinux kind with the following contents:

<pre><code>
DEFAULT linux
LABEL linux
KERNEL ipxe.lkrn
APPEND dhcp && chain <%= foreman_url('iPXE') %>
IPAPPEND 2
</code></pre>

Recent versions of Foreman (1.11) ship with this template already, under the name "PXELinux chain iPXE".

h3. Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE', which contains something like:

<pre><code>#!ipxe
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
boot
</code></pre>

If a host was already associated with the PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman (1.11) do this automatically on template save.

h2. B. Chainbooting iPXE via UNDI

In this setup, iPXE uses UNDI for network communication; the hardware must support that.

h3. TFTP setup

Copy the iPXE firmware to the TFTP root directory and rename it:

  cp /usr/share/ipxe/undionly.kpxe /var/lib/tftpboot/undionly-ipxe.0

The source directory may differ between Linux distributions; this path is for Red Hat-based systems. The file is shipped in the ipxe-bootimgs package.

Do not use symbolic links, as TFTP runs in a chroot. When using SELinux, remember to restore the file contexts:

  restorecon -RvF /var/lib/tftpboot/

h3. TFTP setup (gPXELinux alternative)

This is an alternative approach if none of the above configurations work or the packages are not available.

Copy the gPXE firmware to the TFTP root directory:

  cp /usr/share/syslinux/gpxelinuxk.0 /var/lib/tftpboot/

The source directory may differ between Linux distributions; this path is for Red Hat-based systems. The file is shipped in the syslinux package.

Do not use symbolic links, as TFTP runs in a chroot. When using SELinux, remember to restore the file contexts:

  restorecon -RvF /var/lib/tftpboot/

h3. Foreman setup - PXELinux template

In your Foreman instance, go to "Provisioning templates" and create a new template of the PXELinux kind with the following contents:

<pre><code>
DEFAULT undionly-ipxe
LABEL undionly-ipxe
MENU LABEL iPXE UNDI
KERNEL undionly-ipxe.0
IPAPPEND 2
</code></pre>

Recent versions of Foreman (1.11) ship with this template already, under the name "PXELinux chain iPXE UNDI".

h3. Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE', which contains something like:

<pre><code>#!ipxe
kernel <%= "#{@host.url_for_boot(:kernel)}" %> ks=<%= foreman_url("provision")%>
initrd <%= "#{@host.url_for_boot(:initrd)}" %>
boot
</code></pre>

If a host was already associated with the PXELinux templates, you may need to exit and re-enter Build state for the TFTP configuration to be redeployed. Recent versions of Foreman (1.11) do this automatically on template save.

h3. DHCP setup

The above configuration on its own leads to an endless loop of chainbooting the iPXE firmware. To break this loop, configure the DHCP server to hand the correct URL to iPXE so it can continue booting. In the /etc/dhcp/dhcpd.conf file, change the "filename" global or subnet configuration as follows:

<pre><code>
if exists user-class and option user-class = "iPXE" {
  filename "http://foreman:443/unattended/iPXE";
} else {
  filename "pxelinux.0";
}
</code></pre>

On isolated networks, use the Smart Proxy URL instead of Foreman when the templates feature is enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service. This can also be forced with:

<pre><code>
truncate -s 0 /var/lib/dhcpd/dhcpd.leases
service dhcpd restart
</code></pre>

h2. C. Chainbooting virtual machines

Since most virtualization hypervisors use iPXE as the primary firmware for PXE booting, the above configuration works directly, with no TFTP or PXELinux involved. This is known to work with libvirt, oVirt and RHEV. If the hypervisor is capable of replacing the PXE firmware, it will work too (e.g. VMware is documented at http://ipxe.org/howto/vmware).

This workflow only works if *tokens are disabled*; to do that, go to Administer - Settings and set "Token duration" to 0. There are two options.

h3. Foreman setup - iPXE template

Associate the iPXE template that ships with Foreman, named 'Kickstart default iPXE' or 'Preseed default iPXE'. The contents are the same as in the workflows above.

h3. DHCP setup - managed server

In this case, Foreman manages DHCP and the reservation (IP address) is known in advance, so the iPXE script can be found in the Foreman DB and returned to the client:

* VM is turned on
* iPXE gets network credentials from DHCP
* iPXE gets the filename option from DHCP (URL)
* iPXE chainloads the iPXE template from Foreman
* Foreman renders the iPXE template for the host found by remote IP
* iPXE executes the script and loads the kernel and init RAM disk of the installer

In the /etc/dhcp/dhcpd.conf file, change the "filename" global or subnet configuration as follows:

<pre><code>
if exists user-class and option user-class = "iPXE" {
  filename "http://foreman:443/unattended/iPXE";
} else {
  filename "pxelinux.0";
}
</code></pre>

Certain iPXE builds cannot fetch over SSL/TLS; in that case use a plain HTTP URL. On isolated networks, use the Smart Proxy URL instead of Foreman, but keep in mind that the templates smart-proxy feature must be enabled. If there are existing leases on the DHCP server, let them expire and restart the DHCP service (see above).

h3. DHCP setup - unmanaged server

In this case, Foreman cannot create the DHCP reservation in advance, but an intermediate iPXE script can be deployed that reports the MAC address so the proper host can be found:

* VM is turned on
* iPXE gets network credentials from DHCP
* iPXE gets the filename option from DHCP (URL)
* iPXE loads the intermediate iPXE template from an HTTP server
* iPXE executes the intermediate script
* iPXE chainloads the iPXE template from Foreman with the MAC address provided as a parameter
* Foreman renders the iPXE template for the host found by remote IP
* iPXE executes the script and loads the kernel and init RAM disk of the installer

Create the following script and put it somewhere on the network where iPXE clients can fetch it via HTTP.

202 1 Alexander Chuzhoy
<pre><code>
203 16 Lukas Zapletal
#!ipxe
204
# Intermediate iPXE script to report MAC address to Foreman
205
isset ${net0/mac} || goto no_nic
206
dhcp net0 || goto net1
207 19 Lukas Zapletal
chain http://foreman:443/unattended/iPXE?mac=${net0/mac} || goto net1
208 16 Lukas Zapletal
exit 0
209
210
:net1
211
isset ${net1/mac} || goto no_nic
212
dhcp net1 || goto net2
213 19 Lukas Zapletal
chain http://foreman:443/unattended/iPXE?mac=${net1/mac} || goto net2
214 16 Lukas Zapletal
exit 0
215
216
:net1
217
# Create as many copies as necessary (this will work up to 2 NICs)
218
219
:no_nic
220
echo Failed to chainload from any network interface
221
sleep 30
222
exit 1
223
</code></pre>

Let's use httpd on the Foreman server for this purpose:

<pre><code>
# scp intermediate.ipxe root@foreman:/var/www/htdocs/pub/
</code></pre>

On an *unmanaged DHCP server*, change the filename option to "http://foreman:443/pub/intermediate.ipxe". Instructions differ between DHCP servers (such as MS DHCP, Infoblox or Bluecoat), but for ISC DHCP simply change the /etc/dhcp/dhcpd.conf file as follows:

<pre><code>
if exists user-class and option user-class = "iPXE" {
  filename "http://foreman:443/pub/intermediate.ipxe";
} else {
  filename "pxelinux.0";
}
</code></pre>

Certain iPXE builds cannot fetch over SSL/TLS; in that case use a plain HTTP URL. On isolated networks, use the Smart Proxy URL instead of Foreman, but keep in mind that the templates smart-proxy feature must be enabled.

Warning: Foreman 1.17 and older will not accept the "mac" HTTP option unless the bootdisk plugin is installed, so make sure it is present. Foreman 1.18 already accepts the "mac" option even if the bootdisk plugin is not installed.
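As an added example (not from this page or from Foreman's code), the Python sketch below models how the Foreman-side iPXE endpoint resolves the requesting host in the two DHCP workflows above: by the ?mac= parameter sent by the intermediate script (unmanaged DHCP), otherwise by the remote IP of the request, which matches the reservation Foreman created (managed DHCP), and then renders the same kernel/initrd/boot script shape as 'Kickstart default iPXE'. The host table, URLs and function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample inventory standing in for the Foreman DB
# (hypothetical data, not Foreman's real schema).
HOSTS = {
    "52:54:00:ab:cd:ef": {
        "ip": "192.168.100.10",
        "kernel": "http://foreman/boot/rhel/vmlinuz",
        "initrd": "http://foreman/boot/rhel/initrd.img",
        "ks": "http://foreman/unattended/provision?hostname=node1.example.com",
    },
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Script returned to clients that match no host: fail loudly instead of hanging.
FALLBACK = "#!ipxe\necho No host found for this client\nsleep 10\nexit 1\n"

def find_host(remote_ip, mac=None):
    """Resolve the host the way the two DHCP workflows do: by the ?mac=
    parameter when the intermediate script supplied one (unmanaged DHCP),
    otherwise by the remote IP of the request (managed DHCP)."""
    if mac is not None:
        mac = mac.strip().lower()
        # Only a well-formed MAC may be used as a lookup key.
        if not MAC_RE.match(mac):
            return None
        return HOSTS.get(mac)
    try:
        ip = str(ipaddress.ip_address(remote_ip))
    except ValueError:
        return None
    for host in HOSTS.values():
        if host["ip"] == ip:
            return host
    return None

def render_ipxe(remote_ip, mac=None):
    """Render the 'Kickstart default iPXE' shape: kernel with ks=, initrd, boot."""
    host = find_host(remote_ip, mac)
    if host is None:
        return FALLBACK
    return (
        "#!ipxe\n"
        f"kernel {host['kernel']} ks={host['ks']}\n"
        f"initrd {host['initrd']}\n"
        "boot\n"
    )
```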