Fedora network install via PXE boot

How do I install Fedora over the network using PXE boot?

Motivation: The BIOS of target system is simply not able to boot from USB mass storage devices. An alternative motivation is that booting over the network is just more convenient.

Challenge: The LAN already has a DHCP server that can’t be changed, i.e. one that does not support configuring PXE related options (it is part of a Fritz Box router).

Asked By: maxschlepzig

||

It is also possible to setup a Proxy DHCP service for PXE. Thus, the existing DHCP server does not need to be changed. A normal Linux system (e.g. a workstation) can then be used to host the preboot execution environment (PXE).

Following steps are necessary to setup a PXE for net-booting a Fedora network install image (assuming also a Fedora host):

Verify the Image

$ gpg --verify Fedora-Server-21-x86_64-CHECKSUM
$ sha256sum --check Fedora-Server-21-x86_64-CHECKSUM
Fedora-Server-netinst-x86_64-21.iso: OK

Mount the Image

mkdir /mnt/iso
mount -o loop Fedora-Server-netinst-x86_64-21.iso /mnt/iso

DHCP Setup

yum install dnsmasq tftp-server syslinux-tftpboot

The tftp-server package is just for creating the directory /var/lib/tftpboot, dnsmasq already has a tftp server integrated.

The config:

cat > /etc/dnsmasq.conf
interface=enp0s25
# and don't bind to 0.0.0.0
bind-interfaces
# extra logging
log-dhcp
dhcp-range=192.168.178.0,proxy
# first IP address is the one of the host
dhcp-boot=pxelinux.0,192.168.178.34,192.168.178.0
pxe-service=x86PC,"Automatic Network Boot",pxelinux
# Specify the IP address of another tftp server
enable-tftp
# default location of tftp-server on Fedora
tftp-root=/var/lib/tftpboot
# disable DNS
port=0

Start it:

systemctl start dnsmasq.service

Setup TFTP directory

Copy all needed files:

cp /mnt/iso/images/pxeboot/initrd.img /var/lib/tftpboot
cp /mnt/iso/images/pxeboot/vmlinuz /var/lib/tftpboot
cp /tftpboot/pxelinux.0 /var/lib/tftpboot
cp /tftpboot/vesamenu.c32 /var/lib/tftpboot
cp /tftpboot/ldlinux.c32 /var/lib/tftpboot
cp /tftpboot/libcom32.c32 /var/lib/tftpboot
cp /tftpboot/libutil.c32 /var/lib/tftpboot

Add config:

mkdir /var/lib/tftpboot/pxelinux.cfg
cat > /var/lib/tftpboot/pxelinux.cfg/default
default vesamenu.c32
prompt 0
# disable timeout
timeout 0
#timeout 600

# if file is missing, this is ignored
display boot.msg

label linux
  menu label Install Fedora 21 Server x86-64
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=http://workstation.example.org/

Setup HTTP Server

yum install nginx

Configure instance:

cat > /etc/nginx/conf.d/iso.conf
  server {
      listen       80 default_server;
      server_name  localhost;
      root         /mnt/iso ;
      include /etc/nginx/default.d/*.conf;
  }

Disable the default instance/move it to a different port:

--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -43,7 +43,7 @@ http {
     include /etc/nginx/conf.d/*.conf;

     server {
-        listen       80 default_server;
+        listen       8080 default_server;
         server_name  localhost;
         root         /usr/share/nginx/html;

start the server:

systemctl start nginx.service

The Fedora installer (dracut) basically just needs to get one file from that
http server:

LiveOS/squashfs.img

Configure Firewalld

firewall-cmd --add-service=http
firewall-cmd --add-service=dhcp
firewall-cmd --add-service=tftp
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=dhcp --permanent
firewall-cmd --add-service=tftp --permanent

Boot Clients

That’s it. Clients are know able to network boot via PXE and get the Fedora netinstall image.

Variations could be: Adding a kickstart file (and setting a timeout) for a fully automatic network install, configuring different PXE settings for different clients (based on the MAC address), etc.

Cleanup

The daemons can be stopped and the loopback image can be unmounted:

systemctl stop nginx.service
systemctl stop dnsmasq.service
umount /mnt/iso

Security Note

This method should only be executed in a trustful intranet because the netboot client gets its config and several images absolutely unsecured over TFTP and HTTP.

Answered By: maxschlepzig
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.