
Setting up a UEFI HTTP Boot server

Publication Date: 11/25/2021

1 Environment

This document applies to the following product and product versions:

  • SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3

2 Introduction

HTTP Boot can remotely install operating systems from an HTTP URL. While PXE can only deploy images to servers in a local subnet, HTTP Boot can deploy images to servers across different subnets in routed networks, and can quickly transfer larger files, such as the Linux kernel and root file system.

This article shows you how to configure DNS, DHCP, and HTTP on a single machine to act as an HTTP Boot server.

3 Requirements

  • SUSE Linux Enterprise Server is installed and up to date on your server.

  • Networking is configured on your server.

  • You have a SUSE Linux Enterprise Server ISO image available.

  • If you want to enable SSL support, you must have an SSL certificate installed on your server.

4 Configuring the DNS server

In this procedure, replace the example host names and IP addresses with the appropriate values for your server.

  1. Install the dnsmasq package:

    tux > sudo zypper install dnsmasq
  2. Add the following lines to the /etc/dnsmasq.conf file:

    interface=eth0
    addn-hosts=/etc/hosts.conf
  3. Assign a domain name to the IP addresses in the /etc/hosts.conf file:

    192.168.111.1 www.httpboot.local
    2001:db8:f00f:cafe::1 www.httpboot.local
  4. Enable and start the DNS server:

    tux > sudo systemctl enable --now dnsmasq
Note: Use the shim boot loader

Because of a change in UEFI 2.7, we recommend using a shim boot loader from SUSE Linux Enterprise 15 or newer to avoid potential errors caused by the additional DNS node.

5 Configuring the HTTP server

  1. Install the apache2 package:

    tux > sudo zypper install apache2
  2. In the root directory of the HTTP Boot server (/srv/www/htdocs/), create a subdirectory for the installation content. For example, /srv/www/htdocs/sle/:

    tux > sudo mkdir /srv/www/htdocs/sle
  3. Copy or extract all of the files from the ISO to the new directory.

  4. To configure the boot menu, edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file using the following example as a reference:

     menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
      set gfxpayload=keep
      echo 'Loading kernel ...'
      linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
      echo 'Loading initial ramdisk ...'
      initrdefi /sle/boot/x86_64/loader/initrd
     }
    
     menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
      set gfxpayload=keep
      echo 'Loading kernel ...'
      linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
      echo 'Loading initial ramdisk ...'
      initrdefi /sle/boot/x86_64/loader/initrd
     }
  5. Enable and start apache2:

    tux > sudo systemctl enable --now apache2

6 Configuring the DHCP server

In this procedure, replace the example IP addresses and subnets with the appropriate values for your system.

  1. Install the dhcp-server package:

    tux > sudo zypper install dhcp-server
  2. Edit the /etc/sysconfig/dhcpd file to specify the network interface for the DHCPv4 and DHCPv6 servers:

    DHCPD_INTERFACE="eth0"
    DHCPD6_INTERFACE="eth0"
  3. To configure the DHCPv4 server, edit the /etc/dhcpd.conf file using the following example as a reference:

    option domain-name-servers 192.168.111.1;
    option routers 192.168.111.1;
    default-lease-time 14400;
    ddns-update-style none;
    subnet 192.168.111.0 netmask 255.255.255.0 {
      range dynamic-bootp 192.168.111.100 192.168.111.120;
      default-lease-time 14400;
      max-lease-time 172800;
      option vendor-class-identifier "HTTPClient"; # (1)
      filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; # (2)
    }

    (1) The vendor class ID must be HTTPClient. The client uses this ID to identify an HTTP Boot offer.

    (2) The boot URL must point to the directory you created in Section 5, “Configuring the HTTP server”.

  4. To configure the DHCPv6 server, edit the /etc/dhcpd6.conf file using the following example as a reference:

    option dhcp6.bootfile-url code 59 = string;
    option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
    subnet6 2001:db8:f00f:cafe::/64 {
            range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
            option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi"; # (1)
            option dhcp6.name-servers 2001:db8:f00f:cafe::1;
            option dhcp6.vendor-class 0 10 "HTTPClient"; # (2)
    }

    (1) The boot URL must point to the directory you created in Section 5, “Configuring the HTTP server”.

    (2) The vendor class option must consist of the enterprise number, the vendor class length, and the vendor class content. The HTTP Boot driver ignores the enterprise number, so you can set it to 0. The vendor class length must be 10, and the content must be HTTPClient. The client uses this ID to identify an HTTP Boot offer.

  5. Start the DHCP servers:

    tux > sudo systemctl enable --now dhcpd
    tux > sudo systemctl enable --now dhcpd6

7 Enabling SSL support for the HTTP server (optional)

HTTPS Boot is only supported on SUSE Linux Enterprise 15 and newer. To use HTTPS Boot, you must convert an SSL certificate into the DER format and enroll it into the client's firmware.

This procedure assumes that you already have an SSL certificate installed on your server.

  1. Convert the certificate into the DER format:

    tux > sudo openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
  2. Enroll the server certificate into the client firmware. The procedure for enrolling the converted certificate depends on the client. For some hardware, you must enroll the certificate manually using an external storage device with the certificate on it. For machines with Redfish support, you can enroll the certificate remotely. Consult the documentation for your specific client for more information on enrolling certificates.

  3. Edit the /etc/sysconfig/apache2 file to add the SSL flag:

    APACHE_SERVER_FLAGS="SSL"
  4. In the same file, ensure that the ssl module appears in the APACHE_MODULES list:

    tux > sudo grep 'APACHE_MODULES.*ssl' /etc/sysconfig/apache2
    APACHE_MODULES="actions alias auth_basic authn_core authn_file authz_host
    authz_groupfile authz_core authz_user autoindex cgi dir env expires include
    log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
  5. Copy the private key and the certificate to the /etc/apache2/ directory:

    tux > sudo cp server.key /etc/apache2/ssl.key/
    tux > sudo chown wwwrun /etc/apache2/ssl.key/server.key
    tux > sudo chmod 600 /etc/apache2/ssl.key/server.key
    tux > sudo cp server.crt /etc/apache2/ssl.crt/
  6. Create the SSL vhost configuration:

    tux > sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
  7. Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file to change the private key and the certificate to the following values:

    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
  8. Restart Apache to activate the SSL support:

    tux > sudo systemctl restart apache2
  9. Replace the http:// prefix with https:// in the /etc/dhcpd.conf and /etc/dhcpd6.conf files:

    filename "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
    option dhcp6.bootfile-url "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
  10. Restart the DHCP servers:

    tux > sudo systemctl restart dhcpd
    tux > sudo systemctl restart dhcpd6
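
A lint check for /etc/dhcpd.conf and /etc/dhcpd6.conf that covers the vendor class rules from Section 6 and the https:// replacement in step 9 above, so a boot URL left on plain HTTP or a wrong vendor class length is caught before the DHCP servers are restarted. This is an added example, not part of the SUSE documentation or tooling; the function names boot_url, vendor_class_ok and lint_httpboot and the sample file are assumptions made for illustration, and the check assumes one statement per line as in the examples in this article.

```shell
# Added example (not SUSE tooling): lint dhcpd.conf / dhcpd6.conf for HTTP Boot.

# Print the boot URL from "filename" (DHCPv4) or "dhcp6.bootfile-url" (DHCPv6).
boot_url() {
    sed -n -e 's/^[[:space:]]*filename[[:space:]]*"\([^"]*\)".*/\1/p' \
           -e 's/^[[:space:]]*option[[:space:]]*dhcp6\.bootfile-url[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if the file announces the HTTPClient vendor class correctly.
# For DHCPv6 the declared length must equal the length of the content string.
vendor_class_ok() {
    grep -Eq '^[[:space:]]*option[[:space:]]+vendor-class-identifier[[:space:]]+"HTTPClient";' "$1" && return 0
    awk '$1 == "option" && $2 == "dhcp6.vendor-class" && $3 != "code" {
             content = $5; gsub(/[";]/, "", content)
             if (content == "HTTPClient" && $4 == length(content)) ok = 1
         }
         END { exit !ok }' "$1"
}

# Lint one file. $2 is "https" to require HTTPS Boot; any other value allows http://.
# Prints one finding per line and returns the number of findings.
lint_httpboot() {
    conf=$1; require=$2; findings=0
    url=$(boot_url "$conf")
    case $url in
        https://*) ;;
        http://*)  if [ "$require" = https ]; then
                       echo "$conf: boot URL is still plain http://"; findings=$((findings + 1))
                   fi ;;
        *)         echo "$conf: no http(s) boot URL found"; findings=$((findings + 1)) ;;
    esac
    if ! vendor_class_ok "$conf"; then
        echo "$conf: no valid HTTPClient vendor class"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a dhcpd6.conf left on http:// with a wrong vendor class length.
demo=$(mktemp)
cat > "$demo" <<'EOF'
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
        option dhcp6.vendor-class 0 9 "HTTPClient";
}
EOF
lint_httpboot "$demo" https || echo "findings: $?"
rm -f "$demo"
```

On the server, run `lint_httpboot /etc/dhcpd.conf https` and `lint_httpboot /etc/dhcpd6.conf https` after step 9; a non-zero return status means at least one finding was printed.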

8 Summary

You can now use this server to remotely install operating systems on clients that support HTTP Boot. Consult the relevant documentation for information on how to enable HTTP Boot on client machines.

9 Troubleshooting

RP filter dropping DHCPv6 packets

If DHCPv6 packets are dropped by the RP filter in the firewall, check the firewall log. If it contains the rpfilter_DROP entry, disable the filter using the following configuration in /etc/firewalld/firewalld.conf:

IPv6_rpfilter=no

10 Next steps

  • Installing UEFI support (VMs)

  • Guest installation (VMs)

  • Remote installation

  • Booting the installation system
