Setting up an HTTP Boot server

Publication Date: 05 Dec 2024

WHAT?

This article shows you how to configure DNS, DHCP, and HTTP on a single machine to act as an HTTP Boot server.

WHY?

HTTP Boot can remotely install operating systems from an HTTP URL. While PXE can only deploy images to servers in a local subnet, HTTP Boot can deploy images to servers across different subnets in routed networks, and can quickly transfer larger files, such as the Linux kernel and root file system.

EFFORT

Approximately 30 minutes to set up an HTTP Boot server.

GOAL

Use this server to remotely install operating systems on clients that support HTTP Boot. Consult the relevant documentation for information on how to enable HTTP Boot on client machines.

REQUIREMENTS

SUSE Linux Enterprise Server is installed and up to date on your server.
Networking is configured on your server.
You have a SUSE Linux Enterprise Server ISO image available.
If you want to enable SSL support, you must have an SSL certificate installed on your server.

Revision History: Setting up an HTTP Boot server

1 Configuring the DNS server #

Configuring the DNS server allows you to assign a user-friendly name to the HTTP Boot server.

In this procedure, replace the example host names and IP addresses with the appropriate values for your server.

Install the dnsmasq package:
```
> sudo zypper install dnsmasq
```
Add the following lines to the /etc/dnsmasq.conf file:
```
interface=eth0
addn-hosts=/etc/hosts.conf
```

Assign a domain name to the IP addresses in the /etc/hosts.conf file:

192.168.111.1 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local

Enable and start the DNS server:
```
> sudo systemctl enable --now dnsmasq
```

Note: Use the shim boot loader

Because of a change in UEFI 2.7, we recommend using a shim boot loader from SUSE Linux Enterprise 15 or newer to avoid potential errors caused by the additional DNS node.

2 Configuring the HTTP server #

The HTTP server provides the installation sources to clients.

Install the apache2 package:
```
> sudo zypper install apache2
```
In the root directory of the HTTP Boot server (/srv/www/htdocs/), create a subdirectory for the installation content. For example, /srv/www/htdocs/sle/:
```
> sudo mkdir /srv/www/htdocs/sle
```
Copy or extract all of the files from the ISO to the new directory.

To configure the boot menu, edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file using the following example as a reference:

 menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
  echo 'Loading initial ramdisk ...'
  initrdefi /sle/boot/x86_64/loader/initrd
 }

 menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
  echo 'Loading initial ramdisk ...'
  initrdefi /sle/boot/x86_64/loader/initrd
 }

Enable and start apache2:
```
> sudo systemctl enable --now apache2
```

3 Configuring the DHCP server #

The DHCP server provides IP addresses and other networking information to clients.

In this procedure, replace the example IP addresses and subnets with the appropriate values for your system.

Install the dhcp-server package:
```
> sudo zypper install dhcp-server
```
Edit the /etc/sysconfig/dhcpd file to specify the network interface for the DHCPv4 and DHCPv6 servers:
```
DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"
```

To configure the DHCPv4 server, edit the /etc/dhcpd.conf file using the following example as a reference:

option domain-name-servers 192.168.111.1;
option routers 192.168.111.1;
default-lease-time 14400;
ddns-update-style none;
subnet 192.168.111.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.111.100 192.168.111.120;
  default-lease-time 14400;
  max-lease-time 172800;
  option vendor-class-identifier "HTTPClient"; 1
  filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; 2
}

1	The vendor class ID must be `HTTPClient`. The client uses this ID to identify an HTTP Boot offer.
2	The boot URL must point to the installation directory on the HTTP server.

To configure the DHCPv6 server, edit the /etc/dhcpd6.conf file using the following example as a reference:

option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; 1
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class 0 10 "HTTPClient"; 2
}

1	The boot URL must point to the installation directory on the HTTP server.
2	The vendor class option must consist of the enterprise number, the vendor class length, and the vendor class content. The HTTP Boot driver ignores the enterprise number, so you can set it to `0`. The vendor class length must `10`, and the content must be `HTTPClient`. The client uses this ID to identify an HTTP Boot offer.

Start the DHCP servers:

> sudo systemctl enable --now dhcpd
> sudo systemctl enable --now dhcpd6

4 Enabling SSL support for the HTTP server (optional) #

To use HTTPS Boot, you must convert an SSL certificate into the DER format and enroll it into the client's firmware.

This procedure assumes that you already have an SSL certificate installed on your server.

Convert the certificate into the DER format:

> sudo openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der

Enroll the server certificate into the client firmware. The procedure for enrolling the converted certificate depends on the client. For some hardware, you must enroll the certificate manually using an external storage device with the certificate on it. For machines with Redfish support, you can enroll the certificate remotely. Consult the documentation for your specific client for more information on enrolling certificates.
Edit the /etc/sysconfig/apache2 file to add the SSL flag:
```
APACHE_SERVER_FLAGS="SSL"
```

In the same file, ensure that the ssl module appears in the APACHE_MODULES list:

> sudo grep 'APACHE_MODULES.*ssl' /etc/sysconfig/apache2
APACHE_MODULES="actions alias auth_basic authn_core authn_file authz_host
authz_groupfile authz_core authz_user autoindex cgi dir env expires include
log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"

Copy the private key and the certificate to the /etc/apache2/ directory:

> sudo cp server.key /etc/apache2/ssl.key/
> sudo chown wwwrun /etc/apache2/ssl.key/server.key
> sudo chmod 600 /etc/apache2/ssl.key/server.key
> sudo cp server.crt /etc/apache2/ssl.crt/

Create the SSL vhost configuration:

> sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf

Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file to change the private key and the certificate to the following values:
```
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
```
Restart Apache to activate the SSL support:
```
> sudo systemctl restart apache2
```

Replace the http:// prefix with https:// in the /etc/dhcpd.conf and /etc/dhcpd6.conf files:

filename "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";

option dhcp6.bootfile-url "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";

Restart the DHCP servers:

> sudo systemctl restart dhcpd
> sudo systemctl restart dhcpd6

5 Troubleshooting HTTP Boot #

This section helps you troubleshoot issues with HTTP Boot.

RP filter dropping DHCPv6 packets

If DHCPv6 packets are dropped by the RP filter in the firewall, check the firewall log. If it contains the rpfilter_DROP entry, disable the filter using the following configuration in /etc/firewalld/firewalld.conf:

IPv6_rpfilter=no

6 Legal Notice #

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.