UEFI Httpboot Server Setup
- 1. Introduction
- 2. Preparation
- 3. Server configuration
  - 3.1 DNS configuration (Optional)
  - 3.2 DHCPv4 service configuration
    - 3.2.1 Specify the DHCP service network interface
    - 3.2.2 Edit the DHCPv4 configuration file
    - 3.2.3 Start the DHCPv4 service
  - 3.3 DHCPv6 service configuration
    - 3.3.1 Edit the DHCPv6 configuration file
    - 3.3.2 Start the DHCPv6 service
    - 3.3.3 Supporting PXE boot and HTTP boot at the same time
  - 3.4 Firewall configuration
  - 3.5 TFTP service configuration (Optional)
    - 3.5.1 Install the tftp packages
    - 3.5.2 Edit the tftp configuration file
    - 3.5.3 Start the tftp service
    - 3.5.4 Verify the service
  - 3.6 HTTP service configuration
    - 3.6.1 Install httpd
    - 3.6.2 Start the HTTP service
  - 3.7 HTTPS service configuration (Optional)
    - 3.7.1 Install dependencies
    - 3.7.2 Create the certificate
    - 3.7.3 Edit ssl.conf
    - 3.7.4 Copy the certificate into the directories referenced by the configuration file
    - 3.7.5 Restart the Apache service
    - 3.7.6 Edit the dhcp configuration files
    - 3.7.7 Enroll the server certificate in the client firmware
  - 3.8 Copy the OS images
  - 3.8 Prepare the BootLoader files
  - 3.9 Boot menu grub.cfg configuration
- 4. KickStart automatic installation configuration
  - 4.1 Creating the kickstart file
  - 4.2 Updating the grub.cfg menu
- 5. Testing
  - 5.1 IPv4 httpboot test
  - 5.2 IPv6 httpboot test
1. Introduction
HTTPBoot was added in UEFI Spec 2.5, intended to replace PXE and provide more functionality. Conceptually, HTTPBoot is similar to PXE. HTTP Boot combines DHCP, DNS and HTTP: it starts from an HTTP URL handed out by the DHCP server and retrieves its data over the HTTP protocol. In addition, HTTPBoot supports DNS. With DNS, large files such as a Linux kernel and root filesystem can be transferred quickly from servers outside the local network, whereas tftp (PXE) only works on the local network. This chapter describes how to configure a UEFI HTTPBoot and HTTPSBoot server.
2. Preparation
Server
The HTTPBoot server must have at least the following packages installed: dhcp-server, httpd and dnsmasq.
Note: this article uses CentOS 7.6 as the server OS and the shim (bootx64.efi) from the SUSE 15 SP1 ISO for the httpboot loader. The IP subnets are 192.168.0.0/26 (v4) and 2001:db8:ffff:100::/64 (v6), and the server IP addresses are assumed to be 192.168.0.5 (v4) and 2001:db8:f00f:cafe::1/64 (v6). Adjust these settings if they conflict with your environment.
Client
Enable HTTPBoot in the client BIOS firmware. Refer to the manual of the motherboard or machine for how to enable httpboot.
3. Server configuration
3.1 DNS configuration (Optional)
DNS is optional, but it is best to give your server a well-known name. To set up the DNS server, add the following lines to /etc/dnsmasq.conf:
```
interface=eth0
addn-hosts=/etc/hosts.conf
```
Create the name-to-IP-address mappings in /etc/hosts.conf:
```
192.168.15.1 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local
```
Start the DNS server:
```sh
systemctl start dnsmasq
```
NOTE: because of changes in UEFI 2.7, we recommend using the shim boot loader from SUSE 15 or later to avoid potential errors caused by the extra DNS node.
3.2 DHCPv4 service configuration
3.2.1 Specify the DHCP service network interface
Specify the DHCP network interface in /etc/sysconfig/dhcpd by adding the following lines, so that the DHCP server only serves on the eth0 interface:
```
DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"
```
3.2.2 Edit the DHCPv4 configuration file
To set up the DHCPv4 server for both PXE boot and HTTP boot, add the following configuration to /etc/dhcp/dhcpd.conf:
```
option arch code 93 = unsigned integer 16;
option domain-name-servers 192.168.0.5;
default-lease-time 14400;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.192 {
    range 192.168.0.40 192.168.0.60;
    option routers 192.168.0.39;
    next-server 192.168.0.5;
    default-lease-time 14400;
    max-lease-time 172800;
    class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        option vendor-class-identifier "PXEClient";
        next-server 192.168.15.1;
        if option arch = 00:07 or option arch = 00:09 {
            filename "/uefi/shim.efi";
            #filename "BOOTX64.efi";
        } else {
            filename "pxelinux.0";
        }
    }
    class "httpclients" {
        match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
        option vendor-class-identifier "HTTPClient";
        filename "http://www.httpboot.local/httpboot/bootx64.efi";
        #if option arch = 00:10 {
        #    option vendor-class-identifier "HTTPClient";
        #    filename "http://192.168.0.5/httpboot/bootx64.efi";
        #}
    }
}
```
NOTE: the DHCPv4 server must use HTTPClient as the vendor class ID, because the client uses this value to identify the HTTP boot service.
3.2.3 Start the DHCPv4 service
```sh
systemctl start dhcpd
```
3.3 DHCPv6 service configuration
3.3.1 Edit the DHCPv6 configuration file
Add the following configuration to /etc/dhcp/dhcpd6.conf:
```
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
    range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
    option dhcp6.bootfile-url "http://www.httpboot.local/httpboot/bootx64.efi";
    option dhcp6.name-servers 2001:db8:f00f:cafe::1;
    option dhcp6.vendor-class 0 10 "HTTPClient";
}
```
This configuration defines the type of the boot URL, the vendor class and the other required options. As with the DHCPv4 setup, a boot URL must be supplied, and it must use an IPv6 address. The vendor class option must also be specified. In DHCPv6 it consists of an enterprise number and the vendor class data (length and content). Because the HTTP Boot driver ignores the enterprise number, it can be set to 0. The content of the vendor class data must be HTTPClient; otherwise the client ignores the offer.
Older HTTP Boot implementations do not follow RFC 3315 and need a different configuration:
```
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = string;
subnet6 2001:db8:f00f:cafe::/64 {
    range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
    option dhcp6.bootfile-url "http://www.httpboot.local/uefi/shim.efi";
    option dhcp6.name-servers 2001:db8:f00f:cafe::1;
    option dhcp6.vendor-class "HTTPClient";
}
```
3.3.2 Start the DHCPv6 service
```sh
systemctl start dhcpd6
```
3.3.3 Supporting PXE boot and HTTP boot at the same time
The DHCPv6 server can also be set up for both PXE boot and HTTP boot, like this:
```
allow booting;
allow bootp;
option dhcp6.bootfile-url code 59 = string;
option dhcp6.client-arch-type code 61 = array of unsigned integer 16;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
    range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
    option dhcp6.name-servers 2001:db8:f00f:cafe::1;
    option dhcp6.domain-search "httpboot.com";
    if option dhcp6.client-arch-type = 00:07 or option dhcp6.client-arch-type = 00:09 {
        option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/shim.efi";
        #option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/uefi/grubx64.efi";
    }
    else {
        option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/pxelinux.0";
    }
    if option dhcp6.client-arch-type = 00:10 {
        option dhcp6.bootfile-url "http://[2001:db8:f00f:cafe::1]/uefi/shim.efi";
        #option dhcp6.bootfile-url "http://[2001:db8:f00f:cafe::1]/uefi/grubx64.efi";
        #option dhcp6.name-servers 2001:db8:ffff:100::10;
        option dhcp6.vendor-class 0 10 "HTTPClient";
    }
}
```
The vendor class can be matched further per architecture. For example, "HTTPClient:Arch:00016" identifies an x86_64 HTTPBoot client, so the server can serve different architectures at the same time.
Reference: https://www.mail-archive.com/[email protected]/msg14683.html
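The class-matching and vendor-class rules from sections 3.2.2, 3.3.1 and 3.3.3, as an added Python illustration that is not part of the original article: it models the dhcpd decisions (option 60 prefix match, option 93 and option 61 architecture values) and encodes/decodes the DHCPv6 option 16 payload in both the RFC 3315 layout and the legacy bare-string layout. The bootfile values are copied from the page's configuration; the `HTTPClient:Arch:NNNNN` parsing follows the example string in 3.3.3.

```python
import struct

# Bootfile values copied from the dhcpd.conf / dhcpd6.conf shown on this page
V4_SHIM, V4_PXELINUX = "/uefi/shim.efi", "pxelinux.0"
V4_HTTP_URL = "http://www.httpboot.local/httpboot/bootx64.efi"
V6_TFTP_SHIM = "tftp://[2001:db8:f00f:cafe::1]/uefi/shim.efi"
V6_TFTP_PXELINUX = "tftp://[2001:db8:f00f:cafe::1]/pxelinux.0"
V6_HTTP_SHIM = "http://[2001:db8:f00f:cafe::1]/uefi/shim.efi"

def select_v4_bootfile(vendor_class, arch_opt93):
    """Mirror the dhcpd.conf classes: 9/10-byte prefix match on option 60, arch from option 93 (16-bit BE)."""
    arch = struct.unpack("!H", arch_opt93[:2])[0] if len(arch_opt93) >= 2 else None
    if vendor_class[:10] == b"HTTPClient":        # class "httpclients"
        return V4_HTTP_URL
    if vendor_class[:9] == b"PXEClient":          # class "pxeclients"
        return V4_SHIM if arch in (0x07, 0x09) else V4_PXELINUX
    return None                                   # neither class matched: no bootfile is offered

def select_v6_bootfile(arch_types):
    """Mirror section 3.3.3: option 61 arch list; the 0x10 block comes after the if/else, so its URL wins."""
    if 0x10 in arch_types:
        return V6_HTTP_SHIM
    return V6_TFTP_SHIM if any(a in (0x07, 0x09) for a in arch_types) else V6_TFTP_PXELINUX

def encode_v6_vendor_class(data, enterprise=0, rfc3315=True):
    """Option 16 payload: RFC 3315 = enterprise-number(32) + len(16) + data; legacy firmware = bare string."""
    return struct.pack("!IH", enterprise, len(data)) + data if rfc3315 else data

def decode_v6_vendor_class(payload):
    """(enterprise, data) for the RFC 3315 layout; (None, data) when the payload is a legacy bare string."""
    if len(payload) >= 6:
        ent, ln = struct.unpack("!IH", payload[:6])
        if ln == len(payload) - 6:
            return ent, payload[6:]
    return None, payload

def is_httpboot_client(payload):
    """Enterprise number ignored, data must start with 'HTTPClient' (3.3.1); returns (accepted, arch),
    with arch parsed from the 'HTTPClient:Arch:NNNNN' form of 3.3.3 when present."""
    _, data = decode_v6_vendor_class(payload)
    if not data.startswith(b"HTTPClient"):
        return False, None
    parts = data.decode("ascii", "replace").split(":")
    arch = int(parts[2]) if len(parts) >= 3 and parts[1] == "Arch" and parts[2].isdigit() else None
    return True, arch
```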
3.4 Firewall configuration
If DHCPv6 packets are dropped by the RP filter in the firewall, check its log. If it contains rpfilter_DROP entries, disable the filter with the following setting in /etc/firewalld/firewalld.conf:
```
IPv6_rpfilter=no
```
3.5 TFTP service configuration (Optional)
If PXE and HTTPBoot must be supported at the same time, a tftp server is needed. Copy the BootLoader required for booting, together with the pxeboot vmlinuz and initrd, into the tftp shared directory.
3.5.1 Install the tftp packages
```sh
yum install tftp-server xinetd
```
3.5.2 Edit the tftp configuration file
```sh
vim /etc/xinetd.d/tftp
```
```
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
    socket_type  = dgram
    protocol     = udp
    wait         = yes
    user         = root
    server       = /usr/sbin/in.tftpd
    # tftp directory
    server_args  = -s /var/lib/tftpboot
    # to enable tftp, only this line needs to be changed to no
    disable      = no
    per_source   = 11
    cps          = 100 2
    flags        = IPv4
}
```
TFTP is managed by the xinetd super daemon, so after configuring TFTP it is xinetd that has to be started.
3.5.3 Start the tftp service
```sh
systemctl restart tftp
systemctl enable tftp
systemctl restart xinetd
systemctl enable xinetd
```
3.5.4 Verify the service
```sh
netstat -untlp | grep :69
udp 0 0 0.0.0.0:69 0.0.0.0:* 6857/xinetd
```
3.6 HTTP service configuration
3.6.1 Install httpd
```sh
yum install httpd
```
3.6.2 Start the HTTP service
```sh
systemctl restart httpd
systemctl enable httpd
```
3.7 HTTPS service configuration (Optional)
The TLS protocol has been part of the UEFI Spec since 2.5. This section describes deploying an environment for UEFI HTTP over TLS (HTTPS) boot.
3.7.1 Install dependencies
3.7.2 Create the certificate
```sh
# openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt
Generating a 4096 bit RSA private key
........................................++
................................................++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:IEC
Organizational Unit Name (eg, section) []:FAE
Common Name (eg, your name or your server's hostname) []:*.httpboot.local
Email Address []:
```
Because we chose "*.httpboot.local" as the domain name, use "*.httpboot.local" as the "Common Name".
Convert the certificate to DER format for the client:
```sh
openssl x509 -in server.crt -outform der -out server.der
```
3.7.3 Edit ssl.conf
```sh
# vim -n /etc/httpd/conf.d/ssl.conf
```
```
# edit ServerName
ServerName www.httpboot.local:443
...
# point these at the certificate and the private key copied in 3.7.4
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
```
3.7.4 Copy the certificate into the directories referenced by the configuration file
```sh
# cp server.crt /etc/pki/tls/certs/
# cp server.key /etc/pki/tls/private/
```
3.7.5 Restart the Apache service
3.7.6 Edit the dhcp configuration files
Replace the "http://" prefix in dhcpd.conf and dhcpd6.conf with "https://", then restart the dhcp servers:
```sh
# sed -i 's#http://#https://#g' /etc/dhcp/dhcpd.conf
# sed -i 's#http://#https://#g' /etc/dhcp/dhcpd6.conf
# systemctl restart dhcpd
# systemctl restart dhcpd6
```
3.7.7 Enroll the server certificate in the client firmware
Before booting over HTTPS you must enroll the server certificate (server.der) on the client; otherwise the client cannot connect to the server.
To enroll the server certificate on a physical machine, plug in a USB stick containing the certificate file and enroll it manually from the BIOS Setup page. Some products support remote certificate enrollment through Redfish. See the documentation of your specific hardware for details of certificate enrollment; the steps below are for reference only.
1. Copy the server.crt certificate to a USB stick and plug the USB stick into the SUT.
2. Enter BIOS Setup, enable httpboot, save and reboot.
3. After the reboot, enter BIOS Setup again to import the certificate.
4. In BIOS Setup: Advanced -> Tls Auth Configuration -> Server CA Configuration, select Enroll Cert and then Enroll Cert Using File.
5. Enter the cert GUID and select "Commit Changes and Exit".
Note: https://www.guidgenerator.com/online-guid-generator.aspx can be used to generate a random GUID.
6. Go to the "Save & Exit" page and select "Save Changes and Reset".
7. After the reboot, press F12 and select network boot.
3.8 Copy the OS images
Copy the entire contents of the OS ISO images into the /var/www/html/pxeimg directory:
```sh
[[email protected] ~]# mkdir -p /var/www/html/pxeimg/centos/7.6/os/x86_64 /var/www/html/pxeimg/15sp1
[[email protected] ~]# mount -o loop CentOS-7.6-x86_64-DVD-1810.iso /mnt
mount: /dev/loop0 is write-protected, mounting read-only
[[email protected] ~]# cp -fr /mnt/* /var/www/html/pxeimg/centos/7.6/os/x86_64/
[[email protected] ~]# umount /mnt
[[email protected] ~]# mount -o loop SLE-15-SP1-Full-x86_64-GM-Media1.iso /mnt
mount: /dev/loop0 is write-protected, mounting read-only
[[email protected] ~]# cp -fr /mnt/* /var/www/html/pxeimg/15sp1/
[[email protected] ~]# umount /mnt
[[email protected] ~]# cd /var/www/html
[[email protected] html]# tree -L 2 pxeimg
pxeimg
├── 15sp1
│   ├── ARCHIVES.gz
│   ├── boot
│   ├── CD2
│   ├── ChangeLog
│   ├── CHECKSUMS
│   ├── CHECKSUMS.asc
│   ├── COPYRIGHT
│   ├── COPYRIGHT.de
│   ├── docu
│   ├── EFI
│   ├── gpg-pubkey-307e3d54-5aaa90a5.asc
│   ├── gpg-pubkey-39db7c82-5847eb1f.asc
│   ├── gpg-pubkey-50a3dd1c-50f35137.asc
│   ├── INDEX.gz
│   ├── ls-lR.gz
│   ├── media.1
│   ├── noarch
│   ├── README
│   ├── repodata
│   ├── suse_ptf_key.asc
│   └── x86_64
└── centos
    └── 7.6
```
3.8 Prepare the BootLoader files
The httpboot BootLoader used in this article is extracted from the SUSE 15 SP1 ISO. Mount the SUSE 15 SP1 ISO and copy EFI/BOOT/* into the /var/www/html/httpboot/ directory:
```sh
[[email protected] ~]# cd /var/www/html
[[email protected] html]# mkdir httpboot
[[email protected] html]# cp /var/www/html/pxeimg/15sp1/EFI/BOOT/* /var/www/html/httpboot/
[[email protected] html]# tree httpboot/
httpboot/
├── bootx64.efi
├── grub.cfg
├── grub.efi
├── locale
│   └── en.mo
└── MokManager.efi
```
3.9 Boot menu grub.cfg configuration
- grub.cfg file configuration
```sh
[[email protected] ~]# vim /var/www/html/httpboot/grub.cfg
```
```
timeout=60
default=1
################################### IPv4 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}
menuentry 'Installation centos7.6 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp dhcptimeout=300
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}
################################### IPv6 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://www.httpboot.local/pxeimg/15sp1 ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}
menuentry 'Installation centos7.6 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz repo=http://www.httpboot.local/pxeimg/centos/7.6/os/x86_64 ip=dhcp6
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}
```
4. KickStart automatic installation configuration
4.1 Creating the kickstart file
Omitted; see the Kickstart configuration section of the companion article "PXE Server Setup".
Copy the finished kickstart file into the http server directory /var/www/html/kickstart and name it "osname-ver-ks.cfg", e.g. centos-7.6-ks.cfg.
4.2 Updating the grub.cfg menu
```sh
[[email protected] ~]# vim /var/www/html/httpboot/grub.cfg
```
```
timeout=60
default=1
################################### IPv4 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://192.168.0.5/pxeimg/15sp1
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}
menuentry 'Installation centos7.6 httpboot[ipv4]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz ks=http://www.httpboot.local/kickstart/centos-7.6-ks.cfg ip=dhcp dhcptimeout=300
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}
################################### IPv6 ##################################################
menuentry 'Installation suse15p1 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://[2001:db8:ffff:100::10]/pxeimg/15sp1 ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd
}
menuentry 'Installation centos7.6 via httpboot[ipv6]' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz ks=http://www.httpboot.local/kickstart/centos-7.6-ks.cfg ip=dhcp6
    echo 'Loading initial ramdisk ...'
    initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}
```
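A consistency check for the grub.cfg menus of sections 3.9 and 4.2, added here as an illustration and not part of the original article: it parses each menuentry, pulls out the linuxefi/initrdefi paths and the install=/repo=/ks= URLs, and reports paths that are missing from the web root or URLs that point at a host other than the boot server. The sample grub.cfg, the file set and the host list are constructed for the example; on a real server the file set would come from os.path.exists under /var/www/html.

```python
import re
from urllib.parse import urlparse

# Constructed sample grub.cfg in this page's layout; the second entry has a mistyped initrd path
# and a kickstart URL on a host that is not the boot server.
SAMPLE_GRUB_CFG = """\
timeout=60
default=1
menuentry 'centos7.6 via httpboot[ipv4]' --class gnu-linux --class os {
  linuxefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz ks=http://www.httpboot.local/kickstart/centos-7.6-ks.cfg ip=dhcp
  initrdefi /pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img
}
menuentry 'suse15p1 via httpboot[ipv6]' --class gnu-linux --class os {
  linuxefi /pxeimg/15sp1/boot/x86_64/loader/linux install=http://[2001:db8:f00f:cafe::1]/pxeimg/15sp1 ks=http://10.9.9.9/ks.cfg ipv6only=1
  initrdefi /pxeimg/15sp1/boot/x86_64/loader/initrd.img
}
"""
# Constructed stand-in for the files under /var/www/html; a real run would use os.path.exists
DOCROOT_FILES = {
    "/pxeimg/centos/7.6/os/x86_64/images/pxeboot/vmlinuz",
    "/pxeimg/centos/7.6/os/x86_64/images/pxeboot/initrd.img",
    "/pxeimg/15sp1/boot/x86_64/loader/linux",
    "/pxeimg/15sp1/boot/x86_64/loader/initrd",
}
SERVER_HOSTS = {"www.httpboot.local", "192.168.0.5", "2001:db8:f00f:cafe::1"}

ENTRY_RE = re.compile(r"menuentry\s+'([^']*)'[^{]*\{(.*?)\}", re.S)
CMD_RE = re.compile(r"^\s*(linuxefi|initrdefi)\s+(\S+)(.*)$", re.M)
URL_RE = re.compile(r"(?:install|repo|ks)=(\S+)")

def parse_menuentries(cfg):
    """Return {title: {'kernel': path, 'initrd': path, 'urls': [...]}} for each menuentry."""
    entries = {}
    for title, body in ENTRY_RE.findall(cfg):
        e = {"kernel": None, "initrd": None, "urls": []}
        for cmd, path, rest in CMD_RE.findall(body):
            e["kernel" if cmd == "linuxefi" else "initrd"] = path
            e["urls"] += URL_RE.findall(rest)
        entries[title] = e
    return entries

def check_entries(cfg, files=DOCROOT_FILES, hosts=SERVER_HOSTS):
    """Map each title to its problems: paths missing from the docroot, URLs pointing off-server."""
    report = {}
    for title, e in parse_menuentries(cfg).items():
        issues = [f"missing {k}: {e[k]}" for k in ("kernel", "initrd") if e[k] not in files]
        # urlparse().hostname strips the [] around IPv6 literals, so it compares cleanly
        issues += [f"off-server url: {u}" for u in e["urls"] if urlparse(u).hostname not in hosts]
        report[title] = issues
    return report
```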
5. Testing
5.1 IPv4 httpboot test
- UEFI httpboot
5.2 IPv6 httpboot test
- UEFI httpboot