Setting up a UEFI HTTP Boot server
1 Environment
This document applies to the following product and product versions:
SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
2 Introduction
HTTP Boot can remotely install operating systems from an HTTP URL. While PXE can only deploy images to servers in a local subnet, HTTP Boot can deploy images to servers across different subnets in routed networks, and can quickly transfer larger files, such as the Linux kernel and root file system.
This article shows you how to configure DNS, DHCP, and HTTP on a single machine to act as an HTTP Boot server.
3 Requirements
SUSE Linux Enterprise Server is installed and up to date on your server.
Networking is configured on your server.
You have a SUSE Linux Enterprise Server ISO image available.
If you want to enable SSL support, you must have an SSL certificate installed on your server.
4 Configuring the DNS server
In this procedure, replace the example host names and IP addresses with the appropriate values for your server.
Install the dnsmasq package:
> sudo zypper install dnsmasq
Add the following lines to the /etc/dnsmasq.conf file:
    interface=eth0
    addn-hosts=/etc/hosts.conf
Assign a domain name to the IP addresses in the /etc/hosts.conf file:
    192.168.111.1 www.httpboot.local
    2001:db8:f00f:cafe::1 www.httpboot.local
Enable and start the DNS server:
> sudo systemctl enable --now dnsmasq
Because of a change in UEFI 2.7, we recommend using a shim boot loader from SUSE Linux Enterprise 15 or newer to avoid potential errors caused by the additional DNS node.
5 Configuring the HTTP server
Install the apache2 package:
> sudo zypper install apache2
In the root directory of the HTTP Boot server (/srv/www/htdocs/), create a subdirectory for the installation content. For example, /srv/www/htdocs/sle/:
> sudo mkdir /srv/www/htdocs/sle
Copy or extract all of the files from the ISO to the new directory.
To configure the boot menu, edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file using the following example as a reference:
    menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
        set gfxpayload=keep
        echo 'Loading kernel ...'
        linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
        echo 'Loading initial ramdisk ...'
        initrdefi /sle/boot/x86_64/loader/initrd
    }
    menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
        set gfxpayload=keep
        echo 'Loading kernel ...'
        linuxefi /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
        echo 'Loading initial ramdisk ...'
        initrdefi /sle/boot/x86_64/loader/initrd
    }
Enable and start apache2:
> sudo systemctl enable --now apache2
6 Configuring the DHCP server
In this procedure, replace the example IP addresses and subnets with the appropriate values for your system.
Install the dhcp-server package:
> sudo zypper install dhcp-server
Edit the /etc/sysconfig/dhcpd file to specify the network interface for the DHCPv4 and DHCPv6 servers:
    DHCPD_INTERFACE="eth0"
    DHCPD6_INTERFACE="eth0"
To configure the DHCPv4 server, edit the /etc/dhcpd.conf file using the following example as a reference:
    option domain-name-servers 192.168.111.1;
    option routers 192.168.111.1;
    default-lease-time 14400;
    ddns-update-style none;
    subnet 192.168.111.0 netmask 255.255.255.0 {
      range dynamic-bootp 192.168.111.100 192.168.111.120;
      default-lease-time 14400;
      max-lease-time 172800;
      option vendor-class-identifier "HTTPClient";  # (1)
      filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";  # (2)
    }
(1) The vendor class ID must be HTTPClient. The client uses this ID to identify an HTTP Boot offer.
(2) The boot URL must point to the directory you created in Section 5, “Configuring the HTTP server”.
To configure the DHCPv6 server, edit the /etc/dhcpd6.conf file using the following example as a reference:
    option dhcp6.bootfile-url code 59 = string;
    option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
    subnet6 2001:db8:f00f:cafe::/64 {
      range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
      option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";  # (1)
      option dhcp6.name-servers 2001:db8:f00f:cafe::1;
      option dhcp6.vendor-class 0 10 "HTTPClient";  # (2)
    }
(1) The boot URL must point to the directory you created in Section 5, “Configuring the HTTP server”.
(2) The vendor class option must consist of the enterprise number, the vendor class length, and the vendor class content. The HTTP Boot driver ignores the enterprise number, so you can set it to 0. The vendor class length must be 10, and the content must be HTTPClient. The client uses this ID to identify an HTTP Boot offer.
Start the DHCP servers:
> sudo systemctl enable --now dhcpd
> sudo systemctl enable --now dhcpd6
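A preflight check for the two DHCP files configured in this section, as an added example that is not part of the original SUSE documentation: it confirms the HTTPClient vendor class, that the DHCPv6 length field matches the content, that both boot URLs use the same scheme, and that the URL path exists under the document root. The function names, the demo and its temporary paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint the DHCP side of an HTTP Boot setup. File paths are arguments.

# Print the first quoted string on the first line that starts with WORD1 [WORD2].
dhcp_quoted() {  # dhcp_quoted FILE WORD1 [WORD2]
    awk -v a="$2" -v b="$3" '$1 == a && (b == "" || $2 == b) && /"/ {
        split($0, q, "\""); print q[2]; exit }' "$1"
}

lint_httpboot() {  # lint_httpboot DHCPD_CONF DHCPD6_CONF DOCROOT -> returns problem count
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    url4=$(dhcp_quoted "$1" filename)
    url6=$(dhcp_quoted "$2" option dhcp6.bootfile-url)
    class4=$(dhcp_quoted "$1" option vendor-class-identifier)
    class6=$(dhcp_quoted "$2" option dhcp6.vendor-class)
    # Declared length is word 4 of: option dhcp6.vendor-class <ent> <len> "<content>";
    len6=$(awk '$1 == "option" && $2 == "dhcp6.vendor-class" && /"/ { print $4; exit }' "$2")
    [ "$class4" = HTTPClient ] || fail "$1: vendor class ID is '$class4', not HTTPClient"
    [ "$class6" = HTTPClient ] || fail "$2: vendor class content is '$class6', not HTTPClient"
    [ "$len6" = "${#class6}" ] || fail "$2: declared length $len6, content is ${#class6} bytes"
    [ "${url4%%://*}" = "${url6%%://*}" ] || fail "URL schemes differ: $url4 vs $url6"
    for url in "$url4" "$url6"; do
        case $url in
            http://*/* | https://*/*) ;;
            *) fail "not an HTTP(S) boot URL: '$url'"; continue ;;
        esac
        path=${url#*://}; path=/${path#*/}   # drop scheme and host, keep the URL path
        [ -f "$3$path" ] || fail "$url: no file at $3$path"
    done
    return "$problems"
}

# Constructed sample: DHCPv4 as on this page, DHCPv6 with https and a wrong length.
demo() {
    d=$(mktemp -d); mkdir -p "$d/htdocs/sle/EFI/BOOT"; : > "$d/htdocs/sle/EFI/BOOT/bootx64.efi"
    printf '%s\n' 'subnet 192.168.111.0 netmask 255.255.255.0 {' \
        '  option vendor-class-identifier "HTTPClient";' \
        '  filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";' '}' > "$d/dhcpd.conf"
    printf '%s\n' 'option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};' \
        'subnet6 2001:db8:f00f:cafe::/64 {' \
        '  option dhcp6.bootfile-url "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";' \
        '  option dhcp6.vendor-class 0 9 "HTTPClient";' '}' > "$d/dhcpd6.conf"
    rc=0; lint_httpboot "$d/dhcpd.conf" "$d/dhcpd6.conf" "$d/htdocs" || rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "constructed sample: $? problem(s)"
```

On the server itself, the call would be lint_httpboot /etc/dhcpd.conf /etc/dhcpd6.conf /srv/www/htdocs.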
7 Enabling SSL support for the HTTP server (optional)
HTTPS Boot is only supported on SUSE Linux Enterprise 15 and newer. To use HTTPS Boot, you must convert an SSL certificate into the DER format and enroll it into the client's firmware.
This procedure assumes that you already have an SSL certificate installed on your server.
Convert the certificate into the DER format:
> sudo openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
Enroll the server certificate into the client firmware. The procedure for enrolling the converted certificate depends on the client. For some hardware, you must enroll the certificate manually using an external storage device with the certificate on it. For machines with Redfish support, you can enroll the certificate remotely. Consult the documentation for your specific client for more information on enrolling certificates.
Edit the /etc/sysconfig/apache2 file to add the SSL flag:
    APACHE_SERVER_FLAGS="SSL"
In the same file, ensure that the ssl module appears in the APACHE_MODULES list:
> sudo grep 'APACHE_MODULES.*ssl' /etc/sysconfig/apache2
APACHE_MODULES="actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
Copy the private key and the certificate to the /etc/apache2/ directory:
> sudo cp server.key /etc/apache2/ssl.key/
> sudo chown wwwrun /etc/apache2/ssl.key/server.key
> sudo chmod 600 /etc/apache2/ssl.key/server.key
> sudo cp server.crt /etc/apache2/ssl.crt/
Create the SSL vhost configuration:
> sudo cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
Edit the /etc/apache2/vhosts.d/vhost-ssl.conf file to change the private key and the certificate to the following values:
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
Restart Apache to activate the SSL support:
> sudo systemctl restart apache2
Replace the http:// prefix with https:// in the /etc/dhcpd.conf and /etc/dhcpd6.conf files:
    filename "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
    option dhcp6.bootfile-url "https://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
Restart the DHCP servers:
> sudo systemctl restart dhcpd
> sudo systemctl restart dhcpd6
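The client validates the server against the certificate enrolled in its firmware, so a stale or wrongly encoded file breaks HTTPS Boot. This added example (not part of the original SUSE documentation) compares the DER file with the certificate Apache is configured to serve and flags an approaching expiry; the function names, the 30-day default and the throwaway certificate are assumptions made for this example.

```shell
#!/bin/sh
# Added example: is the DER file you are about to enroll the certificate Apache serves?

cert_fp() {  # cert_fp FORM FILE -> SHA-256 fingerprint (FORM is pem or der), empty on error
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

check_enrollment() {  # check_enrollment DER_FILE SERVER_PEM [MIN_DAYS] -> returns problem count
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    min_days=${3:-30}
    der_fp=
    # Test for PEM armor first: newer openssl releases may autodetect the input format.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        fail "$1 is PEM text, not DER; convert it with -outform der"
    else
        der_fp=$(cert_fp der "$1")
        [ -n "$der_fp" ] || fail "$1 is not a readable DER certificate"
    fi
    pem_fp=$(cert_fp pem "$2")
    [ -n "$pem_fp" ] || fail "$2 is not a readable PEM certificate"
    if [ -n "$der_fp" ] && [ -n "$pem_fp" ] && [ "$der_fp" != "$pem_fp" ]; then
        fail "fingerprint mismatch: $1 is $der_fp, $2 is $pem_fp"
    fi
    # -checkend exits non-zero if the certificate expires within the given seconds.
    if [ -n "$pem_fp" ] &&
       ! openssl x509 -in "$2" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        fail "$2 expires within $min_days days; plan to enroll its replacement"
    fi
    return "$problems"
}

# Constructed sample: a throwaway self-signed certificate, converted as in the step above.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=www.httpboot.local' \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl x509 -in "$d/server.crt" -outform der -out "$d/server.der"
    good=0; check_enrollment "$d/server.der" "$d/server.crt" || good=$?
    bad=0;  check_enrollment "$d/server.crt" "$d/server.crt" || bad=$?   # PEM where DER belongs
    rm -rf "$d"; echo "matching pair: $good problem(s); PEM in place of DER: $bad problem(s)"
    return "$((good + bad))"
}

demo || true
```

With the paths from this procedure, the call would be check_enrollment CERTIFICATE.der /etc/apache2/ssl.crt/server.crt.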
8 Summary
You can now use this server to remotely install operating systems on clients that support HTTP Boot. Consult the relevant documentation for information on how to enable HTTP Boot on client machines.
9 Troubleshooting
- RP filter dropping DHCPv6 packets
  If DHCPv6 packets are dropped by the RP filter in the firewall, check the firewall log. If it contains the rpfilter_DROP entry, disable the filter using the following configuration in /etc/firewalld/firewalld.conf:
      IPv6_rpfilter=no
10 Next steps
Installing UEFI support (VMs)
Guest installation (VMs)
Remote installation
Booting the installation system