Setting up an HTTP Boot server
- WHAT?
This article shows you how to configure DNS, DHCP, and HTTP on a single machine to act as an HTTP Boot server.
- WHY?
HTTP Boot can remotely install operating systems from an HTTP URL. While PXE can only deploy images to servers in a local subnet, HTTP Boot can deploy images to servers across different subnets in routed networks, and can quickly transfer larger files, such as the Linux kernel and root file system.
- EFFORT
Approximately 30 minutes to set up an HTTP Boot server.
- GOAL
Use this server to remotely install operating systems on clients that support HTTP Boot. Consult the relevant documentation for information on how to enable HTTP Boot on client machines.
- REQUIREMENTS
SUSE Linux Enterprise Server is installed and up to date on your server.
Networking is configured on your server.
You have a SUSE Linux Enterprise Server ISO image available.
If you want to enable SSL support, you must have an SSL certificate installed on your server.
1 Configuring the DNS server
Configuring the DNS server allows you to assign a user-friendly name to the HTTP Boot server.
In this procedure, replace the example host names and IP addresses with the appropriate values for your server.
Install the dnsmasq package:
> sudo zypper install dnsmasq
Add the following lines to the /etc/dnsmasq.conf file:
interface=eth0
addn-hosts=/etc/hosts.conf
Assign a domain name to the IP addresses in the /etc/hosts.conf file:
192.168.111.1 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local
Enable and start the DNS server:
> sudo systemctl enable --now dnsmasq
Because of a change in UEFI 2.7, we recommend using a shim boot loader from SUSE Linux Enterprise 15 or newer to avoid potential errors caused by the additional DNS node.
2 Configuring the HTTP server
The HTTP server provides the installation sources to clients.
Install the apache2 package:
> sudo zypper install apache2
In the root directory of the HTTP Boot server (/srv/www/htdocs/), create a subdirectory for the installation content. For example, /srv/www/htdocs/sle/:
> sudo mkdir /srv/www/htdocs/sle
Copy or extract all of the files from the ISO to the new directory.
To configure the boot menu, edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file using the following example as a reference:
menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
  echo 'Loading initial ramdisk ...'
  initrdefi /sle/boot/x86_64/loader/initrd
}
menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
  set gfxpayload=keep
  echo 'Loading kernel ...'
  linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
  echo 'Loading initial ramdisk ...'
  initrdefi /sle/boot/x86_64/loader/initrd
}
Enable and start apache2:
> sudo systemctl enable --now apache2
3 Configuring the DHCP server
The DHCP server provides IP addresses and other networking information to clients.
In this procedure, replace the example IP addresses and subnets with the appropriate values for your system.
Install the dhcp-server package:
> sudo zypper install dhcp-server
Edit the /etc/sysconfig/dhcpd file to specify the network interface for the DHCPv4 and DHCPv6 servers:
DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"
To configure the DHCPv4 server, edit the /etc/dhcpd.conf file using the following example as a reference:
option domain-name-servers 192.168.111.1;
option routers 192.168.111.1;
default-lease-time 14400;
ddns-update-style none;
subnet 192.168.111.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.111.100 192.168.111.120;
  default-lease-time 14400;
  max-lease-time 172800;
  option vendor-class-identifier "HTTPClient";
  filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
}
To configure the DHCPv6 server, edit the /etc/dhcpd6.conf file using the following example as a reference:
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
  range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
  option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; # (1)
  option dhcp6.name-servers 2001:db8:f00f:cafe::1;
  option dhcp6.vendor-class 0 10 "HTTPClient"; # (2)
}
(1) The boot URL must point to the installation directory on the HTTP server.
(2) The vendor class option must consist of the enterprise number, the vendor class length, and the vendor class content. The HTTP Boot driver ignores the enterprise number, so you can set it to 0. The vendor class length must be 10, and the content must be HTTPClient. The client uses this ID to identify an HTTP Boot offer.
Start the DHCP servers:
> sudo systemctl enable --now dhcpd
> sudo systemctl enable --now dhcpd6
4 Enabling SSL support for the HTTP server (optional)
To use HTTPS Boot, you must convert an SSL certificate into the DER format and enroll it into the client's firmware.
This procedure assumes that you already have an SSL certificate installed on your server.
Convert the certificate into the DER format:
> sudo openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
Enroll the server certificate into the client firmware. The procedure for enrolling the converted certificate depends on the client. For some hardware, you must enroll the certificate manually using an external storage device with the certificate on it. For machines with Redfish support, you can enroll the certificate remotely. Consult the documentation for your specific client for more information on enrolling certificates.
Edit the /etc/sysconfig/apache2 file to add the SSL flag:
APACHE_SERVER_FLAGS="SSL"
In the same file, ensure that the ssl module appears in the APACHE_MODULES list:
> sudo grep 'APACHE_MODULES.*ssl' /etc/sysconfig/apache2
APACHE_MODULES="actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
Copy the private key and the certificate to the /etc/apache2/ directory:
> sudo cp server.key /etc/apache2/ssl.key/
> sudo chown wwwrun /etc/apache2/ssl.key/server.key
> sudo chmod 600 /etc/apache2/ssl.key/server.key
> sudo cp server.crt /etc/apache2/ssl.crt/
Create the SSL vhost configuration:
> sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file to change the private key and the certificate to the following values:
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
Restart Apache to activate the SSL support:
> sudo systemctl restart apache2
Replace the http:// prefix with https:// in the /etc/dhcpd.conf and /etc/dhcpd6.conf files:
filename "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
option dhcp6.bootfile-url "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
Restart the DHCP servers:
> sudo systemctl restart dhcpd
> sudo systemctl restart dhcpd6
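A lint for the prefix change above, as an added example that is not part of the SUSE documentation: it checks that every boot URL in both DHCP configuration files uses https:// and that the HTTPClient vendor class is set as section 3 describes. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh

# Print every boot URL set in the given dhcpd.conf / dhcpd6.conf files.
boot_urls() {
    sed -n -e 's/#.*$//' \
        -e 's/^[[:space:]]*filename[[:space:]]*"\([^"]*\)".*/\1/p' \
        -e 's/^[[:space:]]*option[[:space:]]*dhcp6\.bootfile-url[[:space:]]*"\([^"]*\)".*/\1/p' "$@"
}

# Succeed only for: option dhcp6.vendor-class <enterprise> 10 "HTTPClient";
# the length field must equal the length of the content string.
vendor_class6_ok() {
    line=$(sed -n 's/^[[:space:]]*option[[:space:]]*dhcp6\.vendor-class[[:space:]]*[0-9][0-9]*[[:space:]]*\([0-9][0-9]*\)[[:space:]]*"\([^"]*\)".*/\1 \2/p' "$1")
    len=${line%% *}; str=${line#* }
    [ "$str" = "HTTPClient" ] && [ "$len" = "${#str}" ]
}

# Return 0 only if both files carry https:// boot URLs and the HTTPClient ID.
lint_httpboot() {
    rc=0
    for f in "$1" "$2"; do
        urls=$(boot_urls "$f")
        [ -n "$urls" ] || { echo "$f: no boot URL found"; rc=1; }
        for u in $urls; do
            case $u in https://*) ;; *) echo "$f: not HTTPS: $u"; rc=1 ;; esac
        done
    done
    grep -Eq '^[[:space:]]*option[[:space:]]+vendor-class-identifier[[:space:]]+"HTTPClient"' "$1" ||
        { echo "$1: vendor-class-identifier is not HTTPClient"; rc=1; }
    vendor_class6_ok "$2" || { echo "$2: bad dhcp6.vendor-class"; rc=1; }
    return $rc
}

# Constructed sample: dhcpd.conf was switched to HTTPS, dhcpd6.conf was not.
demo=$(mktemp -d)
cat > "$demo/dhcpd.conf" <<'EOF'
option vendor-class-identifier "HTTPClient";
filename "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
EOF
cat > "$demo/dhcpd6.conf" <<'EOF'
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
option dhcp6.vendor-class 0 10 "HTTPClient";
EOF
lint_httpboot "$demo/dhcpd.conf" "$demo/dhcpd6.conf" || echo "fix the findings above"
```

On the server, call lint_httpboot with /etc/dhcpd.conf and /etc/dhcpd6.conf as its two arguments.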
5 Troubleshooting HTTP Boot
This section helps you troubleshoot issues with HTTP Boot.
- RP filter dropping DHCPv6 packets
If DHCPv6 packets are dropped by the RP filter in the firewall, check the firewall log. If it contains the rpfilter_DROP entry, disable the filter using the following configuration in /etc/firewalld/firewalld.conf:
IPv6_rpfilter=no
6 Legal Notice
Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.