Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Documentation SUSE Linux Enterprise Desktop / Deployment Guide / Setting up an installation server / Setting up a UEFI HTTP Boot server
Applies to SUSE Linux Enterprise Desktop 15 SP6

15 Setting up a UEFI HTTP Boot server

This chapter describes how to set up and configure a UEFI HTTP Boot server.

15.1 Introduction

HTTP Boot combines DHCP, DNS and HTTP to make it possible to boot and deploy systems over the network. HTTP Boot can be used as a high-performance replacement for PXE. HTTP Boot allows to boot a server from a URI over HTTP, quickly transferring large files, such as the Linux kernel and root file system, from servers outside of your local network.

15.1.1 Configuring the client machine

Enabling HTTP Boot on a physical client machine depends on your specific hardware. Consult the documentation for further information on how to enable HTTP Boot on your particular machine.

15.1.2 Preparation

The setup described here uses 192.168.111.0/24 (IPv4) and 2001:db8:f00f:cafe::/64 (IPv6) IP subnets and the server IP addresses are 192.168.111.1(IPv4) and 2001:db8:f00f:cafe::1/64 (IPv6) as examples. Adjust these values to match your specific setup.

Install the following packages on the machine that you plan to use as an HTTP Boot server: dhcp-server, apache2 (or lighttpd), and dnsmasq.

15.2 Configuring the server

15.2.1 DNS server

While configuring the DNS server is optional, this does allow you to assign a user-friendly name to the HTTP Boot server. To set up the DNS server, add the following to the /etc/dnsmasq.conf file:

interface=eth0
addn-hosts=/etc/dnsmasq.d/hosts.conf

Assign a domain name to the IP addresses in the /etc/dnsmasq.d/hosts.conf file:

192.168.111.1 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local

Start the DNS server.

systemctl start dnsmasq
Note
Note: Use the shim boot loader

Because of a change in UEFI 2.7, we recommend using a shim boot loader from SLE 15 or newer to avoid potential errors caused by the additional DNS node.

15.2.1.1 Configuring the DHCPv4 server

Before setting up the DHCP servers, specify the network interface for them in /etc/sysconfig/dhcpd:

DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"

This way, the DHCP servers provide the service on the eth0 interface only.

To set up a DHCPv4 server for both PXE Boot and HTTP Boot, add the following configuration to the /etc/dhcpd.conf file:

option domain-name-servers 192.168.111.1;
option routers 192.168.111.1;
default-lease-time 14400;
ddns-update-style none;
class "pxeclients" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  option vendor-class-identifier "PXEClient";
  next-server 192.168.111.1;
  filename "/bootx64.efi";
}
class "httpclients" {
  match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
  option vendor-class-identifier "HTTPClient";
  filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
}
subnet 192.168.111.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.111.100 192.168.111.120;
  default-lease-time 14400;
  max-lease-time 172800;
}

Note that the DHCPv4 server must use the HTTPClient parameter for the vendor class ID, as the client uses it to identify an HTTP Boot offer.

Start the DHCP daemon:

systemctl start dhcpd

15.2.1.2 Configuring the DHCPv6 server

To set up the DHCPv6 server, add the following configuration to /etc/dhcpd6.conf:

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class 0 10 "HTTPClient";
}

This configuration defines the type of the boot URL, the vendor class, and other required options. Similar to the DHCPv4 settings, it is necessary to provide the boot URL, which must have an IPv6 address. It is also necessary to specify the vendor class option. In DHCPv6, it consists of the enterprise number and the vendor class data (length and the content). Since the HTTP Boot driver ignores the enterprise number, you can set it to 0. The content of the vendor class data needs to be HTTPClient; otherwise, the client ignores the offer.

The older HTTP Boot implementation, which does not follow RFC 3315, requires a different configuration:

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = string;
        subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi;
	option dhcp6.name-servers 2001:db8:f00f:cafe::1;
	option dhcp6.vendor-class "HTTPClient";
}

Start the dhcpv6 daemon.

systemctl start dhcpd6
15.2.1.2.1 Setting up the DHCPv6 server for both PXE and HTTP boot

Using the following configuration, it is possible to configure the DHCPv6 server for both PXE Boot and HTTP Boot:

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};

subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;

        class "PXEClient" {
	        match substring (option dhcp6.vendor-class, 6, 9);
	}

        subclass "PXEClient" "PXEClient" {
	        option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/bootloader.efi";
	}

	class "HTTPClient" {
	        match substring (option dhcp6.vendor-class, 6, 10);
	}

	subclass "HTTPClient" "HTTPClient" {
	        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
		option dhcp6.name-servers 2001:db8:f00f:cafe::1;
		option dhcp6.vendor-class 0 10 "HTTPClient";
	}
}

It is also possible to match the vendor class to a specific architecture, as follows:

class "HTTPClient" {
        match substring (option dhcp6.vendor-class, 6, 21);
	}

subclass "HTTPClient" "HTTPClient:Arch:00016" {
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
	option dhcp6.name-servers 2001:db8:f00f:cafe::1;
	option dhcp6.vendor-class 0 10 "HTTPClient";
}

In this example, HTTPClient:Arch:00016 refers to an AMD64/Intel 64 HTTP Boot client. This configuration allows the server to serve different architectures simultaneously.

15.2.1.2.2 Configuring firewall

If DHCPv6 packets are dropped by the RP filter in the firewall, check its log. In case it contains the rpfilter_DROP entry, disable the filter using the following configuration in /etc/firewalld/firewalld.conf:

IPv6_rpfilter=no

15.2.1.3 Deploying a TFTP server (optional)

To provide support for both PXE Boot and HTTP Boot, deploy a TFTP server. Install the tftp and start the service:

 systemctl start tftp.socket
systemctl start tftp.service

It is also necessary to install a specific tftpboot-installation package for use with PXE Boot. Run the zypper se tftpboot command, to list of the available tftp-installation packages, then install the package for the desired system version and architecture, for example tftpboot-installation-SLE-15-SP3-x86_64 For example, tftpboot-installation-SLE-VERSION-x86_64 (replace VERSION with the actual version). Copy the content of the SLE-VERSION-x86_64 directory to the root directory of the TFTP server:

cp -r /usr/share/tftpboot-installation/SLE-VERSION-x86_64 /srv/tftpboot

For more information, refer to /usr/share/tftpboot-installation/SLE-VERSION-x86_64/README

15.2.1.4 Setting up the HTTP server

Create the sle/ directory under the /srv/www/htdocs/ directory and copy the entire content of the first system ISO image to the /srv/www/htdocs/sle/ directory. Then edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file. Use the following example as a reference:

timeout=60
default=1

menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linux /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
    echo 'Loading initial ramdisk ...'
    initrd /sle/boot/x86_64/loader/initrd
}

menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linux /sle/boot/x86_64/loader/linux install=install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
    echo 'Loading initial ramdisk ...'
    initrd /sle/boot/x86_64/loader/initrd
}
15.2.1.4.1 Configuring lighttpd

To enable the support for both IPv4 and IPv6 in lighttpd, modify /etc/lighttpd/lighttpd.conf as follows:

##
## Use IPv6?
##
#server.use-ipv6 = "enable"
$SERVER["socket"] == "[::]:80" {  }

Start the lighttpd daemon:

systemctl start lighttpd
15.2.1.4.2 Configuring apache2

Apache requires no additional configuration. Start the apache2 daemon:

systemctl start apache2

15.2.1.5 Enabling SSL support for the HTTP server (optional)

To use the HTTPS Boot, you need to convert an existing server certificate into the DER format and enroll it into the client's firmware.

Assuming you already have a certificate installed on your server, convert it into the DER format for use with the client using the following command:

openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
15.2.1.5.1 Enroll the server certificate into the client firmware

The exact procedure of enrolling the converted certificate depends on the specific implementation of the client's firmware. For certain hardware, you need to enroll the certificate manually via the firmware UI using an external storage device with the certificate on it. Machines with Redfish support can enroll the certificate remotely. Consult the documentation for your specific hardware for more information on enrolling certificates.

15.2.1.5.2 Enabling SSL support in lighttpd

Since lighttpd needs the private key and the certificate in the same file, unify them using the following command:

cat CERTIFICATE.crt server.key > CERTIFICATE.pem

Copy CERTIFICATE.pem to the /etc/ssl/private/ directory.

cp server-almighty.pem /etc/ssl/private/
chown -R root:lighttpd /etc/ssl/private/server-almighty.pem
chmod 640 /etc/ssl/private/server-almighty.pem

Make sure that mod_openssl is listed in the server.modules section of the /etc/lighttpd/modules.conf file, for example:

server.modules = (
  "mod_access",
  "mod_openssl",
)

Add the following lines to SSL Support section in /etc/lighttpd/lighttpd.conf:

# IPv4
$SERVER["socket"] == ":443" {
    ssl.engine                 = "enable"
    ssl.pemfile                = "/etc/ssl/private/server-almighty.pem"
}
# IPv6
$SERVER["socket"] == "[::]:443" {
    ssl.engine                 = "enable"
    ssl.pemfile                = "/etc/ssl/private/server-almighty.pem"
}

Restart lighttpd to activate SSL support:

systemctl restart lighttpd
15.2.1.5.3 Enabling SSL support in Apache

Open the /etc/sysconfig/apache2 file and add the SSL flag as follows:

APACHE_SERVER_FLAGS="SSL"

Make sure that the ssl module is listed in APACHE_MODULES, for example:

Next, copy the private key and the certificate to the /etc/apache2/ directory.

cp server.key /etc/apache2/ssl.key/
chown wwwrun /etc/apache2/ssl.key/server.key
chmod 600 /etc/apache2/ssl.key/server.key
cp server.crt /etc/apache2/ssl.crt/

Create the ssl vhost configuration.

cd /etc/apache2/vhosts.d
cp vhost-ssl.template vhost-ssl.conf

Edit /etc/apache2/vhosts.d/vhost-ssl.conf to change the private key and the certificate:

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Restart Apache to activate the SSL support:

systemctl restart apache2
15.2.1.5.4 Modify the DHCP configuration

Replace the http:// prefix with https:// in dhcpd.conf/dhcpd6.conf and restart the DHCP server.

systemctl restart dhcpd
systemctl restart dhcpd6

15.3 Booting the client via HTTP boot

If the firmware already supports HTTP boot, plug in the cable and choose the correct boot option.