15 Setting up a UEFI HTTP Boot server #
This chapter describes how to set up and configure a UEFI HTTP Boot server.
15.1 Introduction #
HTTP Boot combines DHCP, DNS and HTTP to make it possible to boot and deploy systems over the network. HTTP Boot can be used as a high-performance replacement for PXE. HTTP Boot allows to boot a server from a URI over HTTP, quickly transferring large files, such as the Linux kernel and root file system, from servers outside of your local network.
15.1.1 Configuring the client machine #
Enabling HTTP Boot on a physical client machine depends on your specific hardware. Consult the documentation for further information on how to enable HTTP Boot on your particular machine.
15.1.2 Preparation #
The setup described here uses 192.168.111.0/24 (IPv4) and 2001:db8:f00f:cafe::/64 (IPv6) IP subnets and the server IP addresses are 192.168.111.1(IPv4) and 2001:db8:f00f:cafe::1/64 (IPv6) as examples. Adjust these values to match your specific setup.
Install the following packages on the machine that you plan to use as an HTTP Boot server: dhcp-server, apache2 (or lighttpd), and dnsmasq.
15.2 Configuring the server #
15.2.1 DNS server #
While configuring the DNS server is optional, this does allow you to
assign a user-friendly name to the HTTP Boot server. To set up the DNS
server, add the following to the /etc/dnsmasq.conf
file:
interface=eth0 addn-hosts=/etc/dnsmasq.d/hosts.conf
Assign a domain name to the IP addresses in the
/etc/dnsmasq.d/hosts.conf
file:
192.168.111.1 www.httpboot.local 2001:db8:f00f:cafe::1 www.httpboot.local
Start the DNS server.
systemctl start dnsmasq
Because of a change in UEFI 2.7, we recommend using a shim boot loader from SLE 15 or newer to avoid potential errors caused by the additional DNS node.
15.2.1.1 Configuring the DHCPv4 server #
Before setting up the DHCP servers, specify the network interface for
them in /etc/sysconfig/dhcpd
:
DHCPD_INTERFACE="eth0" DHCPD6_INTERFACE="eth0"
This way, the DHCP servers provide the service on the
eth0
interface only.
To set up a DHCPv4 server for both PXE Boot and HTTP Boot, add the
following configuration to the /etc/dhcpd.conf
file:
option domain-name-servers 192.168.111.1; option routers 192.168.111.1; default-lease-time 14400; ddns-update-style none; class "pxeclients" { match if substring (option vendor-class-identifier, 0, 9) = "PXEClient"; option vendor-class-identifier "PXEClient"; next-server 192.168.111.1; filename "/bootx64.efi"; } class "httpclients" { match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient"; option vendor-class-identifier "HTTPClient"; filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; } subnet 192.168.111.0 netmask 255.255.255.0 { range dynamic-bootp 192.168.111.100 192.168.111.120; default-lease-time 14400; max-lease-time 172800; }
Note that the DHCPv4 server must use the
HTTPClient
parameter for the vendor class ID, as
the client uses it to identify an HTTP Boot offer.
Start the DHCP daemon:
systemctl start dhcpd
15.2.1.2 Configuring the DHCPv6 server #
To set up the DHCPv6 server, add the following configuration to
/etc/dhcpd6.conf
:
option dhcp6.bootfile-url code 59 = string; option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; subnet6 2001:db8:f00f:cafe::/64 { range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99; option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; option dhcp6.name-servers 2001:db8:f00f:cafe::1; option dhcp6.vendor-class 0 10 "HTTPClient"; }
This configuration defines the type of the boot URL, the vendor
class, and other required options. Similar to the DHCPv4 settings, it
is necessary to provide the boot URL, which must have an IPv6
address. It is also necessary to specify the vendor class option. In
DHCPv6, it consists of the enterprise number and the vendor class
data (length and the content). Since the HTTP Boot driver ignores the
enterprise number, you can set it to 0
. The
content of the vendor class data needs to be
HTTPClient
; otherwise, the client ignores the
offer.
The older HTTP Boot implementation, which does not follow RFC 3315, requires a different configuration:
option dhcp6.bootfile-url code 59 = string; option dhcp6.vendor-class code 16 = string; subnet6 2001:db8:f00f:cafe::/64 { range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99; option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi; option dhcp6.name-servers 2001:db8:f00f:cafe::1; option dhcp6.vendor-class "HTTPClient"; }
Start the dhcpv6
daemon.
systemctl start dhcpd6
15.2.1.2.1 Setting up the DHCPv6 server for both PXE and HTTP boot #
Using the following configuration, it is possible to configure the DHCPv6 server for both PXE Boot and HTTP Boot:
option dhcp6.bootfile-url code 59 = string; option dhcp6.vendor-class code 16 = {integer 32, integer 16, string}; subnet6 2001:db8:f00f:cafe::/64 { range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99; class "PXEClient" { match substring (option dhcp6.vendor-class, 6, 9); } subclass "PXEClient" "PXEClient" { option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/bootloader.efi"; } class "HTTPClient" { match substring (option dhcp6.vendor-class, 6, 10); } subclass "HTTPClient" "HTTPClient" { option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; option dhcp6.name-servers 2001:db8:f00f:cafe::1; option dhcp6.vendor-class 0 10 "HTTPClient"; } }
It is also possible to match the vendor class to a specific architecture, as follows:
class "HTTPClient" { match substring (option dhcp6.vendor-class, 6, 21); } subclass "HTTPClient" "HTTPClient:Arch:00016" { option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; option dhcp6.name-servers 2001:db8:f00f:cafe::1; option dhcp6.vendor-class 0 10 "HTTPClient"; }
In this example, HTTPClient:Arch:00016
refers to
an AMD64/Intel 64 HTTP Boot client. This configuration allows the server
to serve different architectures simultaneously.
15.2.1.2.2 Configuring firewall #
If DHCPv6 packets are dropped by the RP filter in the firewall,
check its log. In case it contains the
rpfilter_DROP
entry, disable the filter using
the following configuration in
/etc/firewalld/firewalld.conf
:
IPv6_rpfilter=no
15.2.1.3 Deploying a TFTP server (optional) #
To provide support for both PXE Boot and HTTP Boot, deploy a TFTP server. Install the tftp and start the service:
systemctl start tftp.socket systemctl start tftp.service
It is also necessary to install a specific
tftpboot-installation package for use with PXE
Boot. Run the zypper se tftpboot
command, to list
of the available tftp-installation packages, then
install the package for the desired system version and architecture,
for example
tftpboot-installation-SLE-15-SP3-x86_64 For
example,
tftpboot-installation-SLE-VERSION-x86_64
(replace VERSION with the actual version).
Copy the content of the
SLE-VERSION-x86_64
directory to the root directory of the TFTP server:
cp -r /usr/share/tftpboot-installation/SLE-VERSION-x86_64 /srv/tftpboot
For more information, refer to
/usr/share/tftpboot-installation/SLE-VERSION-x86_64/README
15.2.1.4 Setting up the HTTP server #
Create the
sle/
directory under the /srv/www/htdocs/
directory
and copy the entire content of the first system ISO image to the
/srv/www/htdocs/sle/
directory. Then edit the
/srv/www/htdocs/sle/EFI/BOOT/grub.cfg
file. Use the following example as a reference:
timeout=60 default=1 menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os { set gfxpayload=keep echo 'Loading kernel ...' linux /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle echo 'Loading initial ramdisk ...' initrd /sle/boot/x86_64/loader/initrd } menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os { set gfxpayload=keep echo 'Loading kernel ...' linux /sle/boot/x86_64/loader/linux install=install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed echo 'Loading initial ramdisk ...' initrd /sle/boot/x86_64/loader/initrd }
15.2.1.4.1 Configuring lighttpd #
To enable the support for both IPv4 and IPv6 in lighttpd, modify
/etc/lighttpd/lighttpd.conf
as follows:
## ## Use IPv6? ## #server.use-ipv6 = "enable" $SERVER["socket"] == "[::]:80" { }
Start the lighttpd
daemon:
systemctl start lighttpd
15.2.1.4.2 Configuring apache2 #
Apache requires no additional configuration. Start the
apache2
daemon:
systemctl start apache2
15.2.1.5 Enabling SSL support for the HTTP server (optional) #
To use the HTTPS Boot, you need to convert an existing server
certificate into the DER
format and enroll it into
the client's firmware.
Assuming you already have a certificate installed on your server,
convert it into the DER
format for use with the
client using the following command:
openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
15.2.1.5.1 Enroll the server certificate into the client firmware #
The exact procedure of enrolling the converted certificate depends on the specific implementation of the client's firmware. For certain hardware, you need to enroll the certificate manually via the firmware UI using an external storage device with the certificate on it. Machines with Redfish support can enroll the certificate remotely. Consult the documentation for your specific hardware for more information on enrolling certificates.
15.2.1.5.2 Enabling SSL support in lighttpd #
Since lighttpd needs the private key and the certificate in the same file, unify them using the following command:
cat CERTIFICATE.crt server.key > CERTIFICATE.pem
Copy
CERTIFICATE.pem
to
the /etc/ssl/private/
directory.
cp server-almighty.pem /etc/ssl/private/ chown -R root:lighttpd /etc/ssl/private/server-almighty.pem chmod 640 /etc/ssl/private/server-almighty.pem
Make sure that mod_openssl
is listed in the
server.modules
section of the
/etc/lighttpd/modules.conf
file, for example:
server.modules = ( "mod_access", "mod_openssl", )
Add the following lines to SSL Support
section
in /etc/lighttpd/lighttpd.conf
:
# IPv4 $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/private/server-almighty.pem" } # IPv6 $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/private/server-almighty.pem" }
Restart lighttpd to activate SSL support:
systemctl restart lighttpd
15.2.1.5.3 Enabling SSL support in Apache #
Open the /etc/sysconfig/apache2
file and add
the SSL flag as follows:
APACHE_SERVER_FLAGS="SSL"
Make sure that the ssl
module is listed in
APACHE_MODULES
, for example:
Next, copy the private key and the certificate to the
/etc/apache2/
directory.
cp server.key /etc/apache2/ssl.key/ chown wwwrun /etc/apache2/ssl.key/server.key chmod 600 /etc/apache2/ssl.key/server.key cp server.crt /etc/apache2/ssl.crt/
Create the ssl vhost configuration.
cd /etc/apache2/vhosts.d cp vhost-ssl.template vhost-ssl.conf
Edit /etc/apache2/vhosts.d/vhost-ssl.conf
to
change the private key and the certificate:
SSLCertificateFile /etc/apache2/ssl.crt/server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
Restart Apache to activate the SSL support:
systemctl restart apache2
15.2.1.5.4 Modify the DHCP configuration #
Replace the http://
prefix with
https://
in
dhcpd.conf/dhcpd6.conf
and restart the DHCP
server.
systemctl restart dhcpd systemctl restart dhcpd6
15.3 Booting the client via HTTP boot #
If the firmware already supports HTTP boot, plug in the cable and choose the correct boot option.