Installing an F30 network install and recovery server

In these days of cloud images being launched at the push of a button, and customised via Heat templates or user configuration scripts, network installation via PXE boot seems to have dropped out of the news. It still has a place: most home users run KVM virtual machines rather than their own cloud infrastructure, and if you are creating a lot of new KVMs, or even installing a new physical machine, it is much easier to network install than to copy install ISO files about.

The documentation at https://docs.fedoraproject.org/en-US/fedora/f30/install-guide/advanced/Network_based_Installations/ provides a good starting guide, with the following main exceptions:

  • a major issue is that the section on creating a boot menu for UEFI clients is wrong, as the directory mentioned does not exist. I believe that file should be /var/lib/tftpboot/pxelinux.cfg/efidefault but am not 100% sure; I am sure that following the instructions on the fedoraproject documentation page will not work, at the time this post was written anyway
  • a minor issue is that the 'default' example used references a kickstart file on example.com, which of course is not a real install server, so the example provided should be treated as a non-working template rather than a working solution

This post is based upon the documentation linked above, and provides additional configuration and customisation tips that will make the network install server more useful.

After following the fedoraproject documentation and installing shim and grub2-efi-x64 into an alternate root, copy the required files out to the tftpboot directories and then simply remove the entire alternate root directory. That cleans up those packages without touching the RPM database of your real root.

The documentation correctly says that only one DHCP server should exist per network, so if your router is assigning DHCP addresses you should either reconfigure it not to do so before starting the dhcpd server, or put your DHCP server on an isolated network. A PXE client accepts the first DHCP offer it receives and fetches whatever boot file that offer names, so the install network should contain only hosts you trust. Obviously, if you reconfigure your router to no longer serve DHCP-assigned addresses, wireless devices such as your smart phone and smart TV will not be able to connect to it unless you have given them static IP addresses, so you may wish to do as I do and simply turn that feature off on your router only while your tftpboot server is running.

What the documentation does not explain in its example of the initial /etc/dhcp/dhcpd.conf is the significance of the "next-server" parameter: it is the address of the TFTP server the client downloads the network boot files from, and the companion "filename" parameter names the boot loader it fetches from there (pxelinux.0 for BIOS clients, shim.efi for UEFI clients). That server does not have to be the DHCP server; it makes sense for it to be the same machine, but the tftp packages could be installed on a completely different server.

If you have devices using DHCP that you want to keep persistent IP addresses, define them to the DHCP server with an entry like the one below in /etc/dhcp/dhcpd.conf for each host (using the correct MAC address, obviously). They will then be given the same address every time they request one.


host yourhostname1 {
   hardware ethernet 52:54:00:67:ea:35;
   fixed-address 192.168.1.189;
   option host-name "yourhostname1";
}

The documentation at fedoraproject.org linked above provides a non-working example for the default file in /var/lib/tftpboot/pxelinux.cfg. I would also recommend adding another entry to the menu list so that you can PXE boot a failed server into rescue mode when needed, rather than running around looking for a boot DVD. That entry is as below; note that the netboot initrd.img does not contain the installer image, so the rescue entry needs an inst.stage2 pointing at the same install tree as the install entry.


label rescue30
menu label ^Boot F30 in rescue mode
kernel f30/vmlinuz
# inst.stage2 is required: the netboot initrd carries no installer image ("rescue" is the deprecated spelling of inst.rescue)
append initrd=f30/initrd.img ramdisk_size=9216 noapic acpi=off ip=dhcp inst.stage2=http://192.168.1.175/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2/ inst.rescue

Also, when replacing the non-working "server" entry with a custom one as below, I found when testing it that during the install it defaulted to being able to install all versions of F30 (desktop, LXDE, server etc.) from the closest mirror, not just the server software from the install media I had put in place.
However that is not what I wanted, so during the install I changed the method from "closest mirror" to "url" and pasted the stage2 URL I wanted to use, which refreshed the available software list to just what is on the server install media (and allowed an install without going near the internet, which is what I wanted).


label server
menu label ^Install Fedora 30 ( Any Flavor )
menu default
kernel f30/vmlinuz
append initrd=f30/initrd.img inst.stage2=http://192.168.1.175/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2/ ip=dhcp

The anaconda-ks.cfg file generated by the test install I just copied out to use as a starting point for a ks=xxx file for further hands-off tftp installs of virtual machines. Minimal changes were needed: change "clearpart none" to "clearpart all", set the pv definition to "--size=0 --grow" instead of "--size=nnnn" so it handles different disk sizes, and add a custom %post section.

Obviously the ‘default’ file needs to be updated to use working install sources, you can create local install sources based on the normal install media as I used in the example above. That is discussed in a later section.

Creating customised configurations for each server

As well as the default configuration file you have created you will probably want to create custom configurations per host. This is done by creating a file in the same directory, /var/lib/tftpboot/pxelinux.cfg, named after the MAC address of each PXE-booting machine you want to customise. pxelinux searches that directory in a fixed order: first a file named after the client UUID (if the firmware supplies one), then 01- followed by the MAC address in lower-case hex separated by dashes, then the client's IPv4 address in upper-case hex shortened one character at a time (C0A801BD, C0A801B, ... C for 192.168.1.189), and finally default.

Using the MAC address from the dhcpd.conf example above, the file for that server would be 01-52-54-00-67-ea-35 (lower case; the name must match exactly) and contain something like the below.


# PXE boot for yourhostname1 (MAC 52:54:00:67:ea:35)
# show the boot: prompt
prompt 1
# label booted when the timeout expires
default linux
# timeout is in tenths of a second, so 10 seconds
timeout 100

label linux
kernel f30/vmlinuz
# inst.ks= fetches the kickstart; ks= is the deprecated spelling
append initrd=f30/initrd.img ramdisk_size=9216 noapic acpi=off inst.ks=http://192.168.1.175/tftpboot/configs/yourhostname1.cfg
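The lookup order described above, as an added example that is not from the original post: given a client's MAC and IP it lists every file name pxelinux.0 will try under pxelinux.cfg/ and reports which one an actual tftp root would satisfy. The MAC and IP are the ones from the dhcpd.conf entry above; the tftp root in the demonstration is a constructed temporary directory. The UUID lookup is omitted because it depends on what the client firmware sends.

```shell
#!/bin/bash
# Added example (not from the original post): list the pxelinux.cfg/ file
# names pxelinux.0 tries for one client, in order, and resolve them against
# a tftp root. Order (syslinux documentation): 01-<mac> in lower-case hex
# with dashes, then the IPv4 address in upper-case hex shortened one
# character at a time, then "default". (A client UUID, if supplied, is tried
# before all of these and is not modelled here.)

# 01-<mac>: lower case, ':' replaced by '-'.
pxe_mac_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

# Dotted IPv4 address to 8 upper-case hex digits (192.168.1.189 -> C0A801BD).
pxe_ip_hex() {
    ( IFS=.; set -- $1; printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4" )
}

# Every candidate file name, one per line, in lookup order.
pxe_config_candidates() {
    local hex
    pxe_mac_name "$1"
    hex=$(pxe_ip_hex "$2")
    while [ -n "$hex" ]; do
        printf '%s\n' "$hex"
        hex=${hex%?}              # drop the last hex digit
    done
    echo default
}

# pxe_config_resolve TFTPROOT MAC IP: print the name pxelinux would load.
pxe_config_resolve() {
    local root=$1 name
    for name in $(pxe_config_candidates "$2" "$3"); do
        if [ -f "$root/pxelinux.cfg/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Demonstration on a constructed tftp root.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/pxelinux.cfg"
: > "$demo_root/pxelinux.cfg/default"
# Upper-case file name: never matched (the lookup is case-sensitive), so the
# client falls all the way through to default.
: > "$demo_root/pxelinux.cfg/01-52-54-00-67-EA-35"
pxe_config_resolve "$demo_root" 52:54:00:67:ea:35 192.168.1.189   # default
# Lower-case file name: matched first.
: > "$demo_root/pxelinux.cfg/01-52-54-00-67-ea-35"
pxe_config_resolve "$demo_root" 52:54:00:67:ea:35 192.168.1.189   # 01-52-54-00-67-ea-35
rm -rf "$demo_root"
```

The hex-IP names are handy for a KVM host: a file named C0A801 applies to every client in 192.168.1.0/24 that has no MAC-specific file, without touching default.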

The obvious reason for creating a file per machine is that you can provide a customised kickstart file for each machine, as shown in the example above. The kickstart file does not have to reside on the tftpboot server, but it makes sense to keep everything controlled from one place. You can also place in a customised kickstart file something like "network --device eth0 --bootproto static --ip 192.168.1.101 --netmask 255.255.0.0 --gateway 192.168.1.1 --hostname=servername --activate" to ensure that if you are re-installing a server it keeps the same network configuration. Remember that the kickstart file is fetched over plain http by whatever PXE boots on that network: keep the root password as a hash (rootpw --iscrypted) and keep plaintext credentials out of the %post section.

Kickstart files should be used for servers with complex install requirements; the "%post" section of the kickstart file can do anything a shell script can do: customise configuration files, add additional repositories and packages, wget database backups or normal backups and recreate databases and filesystems, etc. At one point my entire webserver was re-built that way, with a simple reboot used to start formatting the disks and recreate the entire environment from backups, and it was the method I used to migrate new changes from test to production and simply overwrite anything a hacker may have introduced, so kickstart is very powerful.

In these days of software configuration management a Kickstart file can be as simple as the below, set the network config, set a root password, format the disks and install the boot loader, install minimal packages, then just start the puppet agent and let it install additional packages and do all the customisations… although if you do not have a handy puppet/chef/ansible server to do your configuration for you it can easily be done in scripting in the “%post” section, I have used kickstart files with well over 100 lines of scripting with no problems.

However you do need a kickstart config per server you intend to 'hands-off' install this way; depending on whether you are installing a physical machine or a KVM, and even on the hardware, disk names change (hda/sda/vda) and network interface names change (they will not always be eth0).


#version=DEVEL
ignoredisk --only-use=vda
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda
# Partition clearing information
clearpart --all --initlabel
# Use graphical install
graphical
# Use network installation
url --url="http://192.168.1.175/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2/"
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_NZ.UTF-8

# Network information
network  --bootproto=dhcp --device=link --gateway=192.168.1.1 --hostname=localhost.localdomain --nameserver=192.168.1.1 --activate
# Root password
rootpw --iscrypted $6$AdsjmM2lq//fLiLu$n.Fx7hdO.inVPNsfqCRVsLv9QCYL5I0dcJcxjyZu766qOaGTd/0FSXPRzS8O2VDJAj9OOovEINycMiwuEKHiK/
# Run the Setup Agent on first boot
firstboot --enable
# Do not configure the X Window System
skipx
# System services
services --enabled="chronyd"
# System timezone
timezone Pacific/Auckland --isUtc
user --groups=wheel --name=mark --password=$6$s0l.7uikser6VGT5$PPuBEBS7aOrctU6Pr1HyP8DwUCyemRHTegQ5G9rEjMMNKjv530DSJtOQ8CTT5.XQhNMKQ9iWKAvOX3roLSSiR1 --iscrypted --gecos="Mark Dickinson"
# Disk partitioning information
part pv.111 --fstype="lvmpv" --ondisk=vda --size=0 --grow
part /boot --fstype="ext4" --ondisk=vda --size=1024
volgroup fedora_server00 --pesize=4096 pv.111
logvol swap --fstype="swap" --size=1024 --name=swap --vgname=fedora_server00
logvol / --fstype="ext4" --size=1024 --grow --name=root --vgname=fedora_server00

%packages
@^server-product-environment
@editors
@guest-agents
@headless-management

%end

%addon com_redhat_kdump --disable --reserve-mb='128'

%end

%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

%post
# %post runs chrooted into the installed system: there is no running systemd,
# so "systemctl start" does nothing useful here; "enable" is what persists.
# The log redirect must come before 2>&1 or stderr is not captured.
(
dnf -y install rsyslog
systemctl enable rsyslog
) >> /root/custom_install.log 2>&1
%end

Obviously for interactive installs you need neither a kickstart file nor a unique MAC-named configuration file. If there is no MAC-named configuration file in /var/lib/tftpboot/pxelinux.cfg for a server, the PXE boot will use the 'default' entry you have created, which will perform a normal interactive install.
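The per-host files this section describes, generated from a handful of parameters, as an added example that is not from the original post: it writes the lower-case MAC-named pxelinux.cfg entry and the kickstart it loads, so the disk and interface names can differ per machine, and it refuses a plaintext root password because the kickstart is served over unauthenticated http. The tftp root, http alias, install tree URL, gateway, timezone and f30 directory are the ones used in this post; the hostnames, MAC addresses and the password hash in the demonstration are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the original post): generate the two per-host files
# for a hands-off PXE/kickstart install: the MAC-named pxelinux.cfg entry and
# the kickstart it points at. Paths and addresses follow the post; the host
# names, MACs and hash used in the demo are made up.
set -u

# pxelinux looks for 01-<mac> in lower-case hex with dashes; a file written
# with upper-case letters is never found (the lookup is case-sensitive).
mac_file_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

valid_mac()  { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# make_host_config TFTPROOT SERVER_IP HOST MAC IP DISK NIC ROOTPW_HASH
# ROOTPW_HASH must be a crypt hash (make one with: openssl passwd -6). The
# kickstart is fetched over unauthenticated http by anything that PXE boots
# on this network, so a plaintext rootpw is refused.
make_host_config() {
    local root=$1 server=$2 host=$3 mac=$4 ip=$5 disk=$6 nic=$7 hash=$8
    valid_mac "$mac"  || { echo "bad MAC address: $mac" >&2; return 1; }
    valid_ipv4 "$ip"  || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case $hash in
        '$6$'*|'$5$'*) ;;
        *) echo "rootpw must be a sha512/sha256 crypt hash, not plaintext" >&2; return 1 ;;
    esac
    local ks_url="http://$server/tftpboot/configs/$host.cfg"
    mkdir -p "$root/pxelinux.cfg" "$root/configs"

    cat > "$root/pxelinux.cfg/$(mac_file_name "$mac")" <<EOF
# PXE boot for $host ($mac)
prompt 1
default linux
timeout 100

label linux
kernel f30/vmlinuz
append initrd=f30/initrd.img ip=dhcp inst.ks=$ks_url
EOF

    cat > "$root/configs/$host.cfg" <<EOF
# kickstart for $host, generated $(date -u +%Y-%m-%dT%H:%M:%SZ)
text
reboot
url --url="http://$server/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2/"
lang en_NZ.UTF-8
keyboard --vckeymap=us --xlayouts='us'
timezone Pacific/Auckland --isUtc
network --device=$nic --bootproto=static --ip=$ip --netmask=255.255.255.0 --gateway=192.168.1.1 --nameserver=192.168.1.1 --hostname=$host --activate
rootpw --iscrypted $hash
ignoredisk --only-use=$disk
clearpart --all --initlabel
bootloader --location=mbr --boot-drive=$disk
part /boot --fstype=ext4 --ondisk=$disk --size=1024
part pv.01 --fstype=lvmpv --ondisk=$disk --size=0 --grow
volgroup vg_$host pv.01
logvol swap --fstype=swap --size=1024 --name=swap --vgname=vg_$host
logvol / --fstype=ext4 --size=1024 --grow --name=root --vgname=vg_$host
services --enabled=chronyd
%packages
@^server-product-environment
%end
EOF
    echo "$root/pxelinux.cfg/$(mac_file_name "$mac") -> $ks_url"
}

# Demonstration into a temporary tftp root. A real run would pass
# /var/lib/tftpboot and a hash from "openssl passwd -6"; this hash is a placeholder.
demo() {
    local root; root=$(mktemp -d)
    make_host_config "$root" 192.168.1.175 kvm01 52:54:00:67:EA:35 192.168.1.101 vda eth0 '$6$demo$placeholderhash'
    rm -rf "$root"
}
demo
```

For a physical box the same call with sda and its real interface name (enp3s0 or whatever "ip link" reports) produces a matching pair of files without editing anything by hand.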

Using local install media

And back to that 'default' configuration. You will have seen when you copied the example from the fedoraproject website that the install sources are at download.fedoraproject.org (and at least one is non-working). If you are planning to do a lot of installs (which you will be if you are testing kickstart files) you should create copies of the install media under your /var/lib/tftpboot directory, to be accessed by URL, so you can perform local installs.

You can in most cases just copy the contents of the install media into a local directory with a meaningful name. One thing to watch out for is that 'cp -rp /mnt/*' will not copy everything: the shell glob skips hidden files, and the server install DVD has a .treeinfo file that anaconda needs, so copy the directory itself ('cp -rp /mnt/. destdir/') or copy .treeinfo explicitly, and check that it arrived. Another issue to be aware of is that the live desktop media Fedora-WS-Live-30-1-2.iso is of no use here: its images directory holds only the UEFI boot image, with no pxeboot kernel and initrd for BIOS network booting, so it cannot be staged as a network install source, which is a pain.

To make your local copies accessible by URL, install httpd, create the file /etc/httpd/conf.d/tftpboot.conf containing the below, and start (and enable) the httpd service. "Require all granted" lets anyone who can reach port 80 read the whole tftpboot tree, kickstart files and their password hashes included; on a shared network tighten it to the install subnet, for example "Require ip 192.168.1.0/24".


   Alias /tftpboot /var/lib/tftpboot

<Directory /var/lib/tftpboot>
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
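The copy-and-check steps above put into a script, as an added example that is not from the original post: it stages the ISO contents with the dot-form copy so .treeinfo survives, verifies the files anaconda and pxelinux need, and copies the kernel and initrd into the f30 directory the pxelinux.cfg entries reference. The ISO file name, mount point and directory names are the ones used in this post; the demonstration at the bottom runs on a constructed fake tree so it can be tested without an ISO or root access.

```shell
#!/bin/bash
# Added example (not from the original post): stage an install ISO under
# /var/lib/tftpboot for http access and pull the pxeboot kernel/initrd into
# the tftp root. Paths follow the post; the demo tree is constructed.
set -u

# Copy SRC/. into DST. The "/." matters: "cp -rp src/*" expands the glob,
# which skips dot-files such as .treeinfo. Plain -rp (not -a) is used so the
# ISO's SELinux labels are not carried across; run restorecon afterwards.
stage_tree() {
    local src=$1 dst=$2
    mkdir -p "$dst"
    cp -rp "$src/." "$dst/"
}

# Return 0 if DST has everything a netboot install from it needs, else 1.
verify_tree() {
    local dst=$1 rc=0 f
    for f in .treeinfo images/pxeboot/vmlinuz images/pxeboot/initrd.img LiveOS/squashfs.img; do
        if [ ! -f "$dst/$f" ]; then
            echo "missing $dst/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Copy kernel and initrd from the staged tree into TFTPROOT/NAME, the
# directory the pxelinux.cfg entries use (kernel f30/vmlinuz ...).
install_pxeboot() {
    local tree=$1 tftproot=$2 name=$3
    mkdir -p "$tftproot/$name"
    cp -p "$tree/images/pxeboot/vmlinuz" "$tree/images/pxeboot/initrd.img" "$tftproot/$name/"
}

# Real use (as root; not executed here):
#   mount -o loop,ro Fedora-Server-dvd-x86_64-30-1.2.iso /mnt
#   stage_tree /mnt /var/lib/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2
#   verify_tree /var/lib/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2
#   install_pxeboot /var/lib/tftpboot/install_ISO/Fedora-Server-dvd-x86_64-30-1.2 /var/lib/tftpboot f30
#   restorecon -Rv /var/lib/tftpboot
#   umount /mnt

# Offline demonstration on a constructed fake ISO tree; returns 0 when the
# glob copy loses .treeinfo, the dot copy keeps it, and the tree verifies.
demo() {
    local work rc=0
    work=$(mktemp -d)
    mkdir -p "$work/iso/images/pxeboot" "$work/iso/LiveOS"
    printf '[general]\nname = Fedora-Server-30\n' > "$work/iso/.treeinfo"
    : > "$work/iso/images/pxeboot/vmlinuz"
    : > "$work/iso/images/pxeboot/initrd.img"
    : > "$work/iso/LiveOS/squashfs.img"

    mkdir -p "$work/glob"
    cp -rp "$work"/iso/* "$work/glob/"
    [ -f "$work/glob/.treeinfo" ] && rc=1            # the glob copy should have dropped it
    verify_tree "$work/glob" 2>/dev/null && rc=1     # ... so this tree must fail verification

    stage_tree "$work/iso" "$work/tree"
    verify_tree "$work/tree" || rc=1
    install_pxeboot "$work/tree" "$work/tftpboot" f30
    [ -f "$work/tftpboot/f30/initrd.img" ] || rc=1

    rm -rf "$work"
    return $rc
}

demo && echo "demo: glob copy lost .treeinfo, dot copy kept it, tree verified, pxeboot files installed"
```

verify_tree is also a cheap thing to run from cron against each staged tree: a tree that was partially copied or later trimmed fails loudly here rather than as a hung installer on the client.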

Additional information you need to know

By default a Fedora Server install blocks every port not explicitly opened, so open the services you are running on the install server: "firewall-cmd --add-service=dhcp", "firewall-cmd --add-service=tftp" and, if the same server also provides the install images and kickstart files, "firewall-cmd --add-service=http". Run each once with "--permanent" so it survives a reboot and once without it to take effect immediately (or run "firewall-cmd --reload" after making the permanent changes).

The stock SELinux policy does ship a tftp module (the tftpd_t domain, with /var/lib/tftpboot labelled tftpdir_t), but it cannot anticipate every layout, such as serving the same tree through httpd as well. Two things are worth checking before giving up on enforcing mode: files copied in from an ISO mount or another directory keep whatever label they had, so run "restorecon -Rv /var/lib/tftpboot" after populating it; and denials covered by the policy's dontaudit rules never reach the audit log, so "semodule -DB" (and "semodule -B" to restore) will show what a clean-looking log is hiding. Despite this I did make an effort to create rules for my use, to the point there were zero AVC denial entries being logged, but I could still only get it working after a "setenforce 0"; so if you cannot make enforcing mode work, put SELinux into permissive mode on the install server only, and leave the systems you install with it enforcing.

And finally, you will have created lots of nice menu entries in your /var/lib/tftpboot/pxelinux.cfg/default file, but do not expect to see a menu unless the file loads the menu module. With a plain pxelinux.0 all you will see is a "boot:" prompt, at which you type the label you want, such as "server"; so you need to remember what they are and should not have too many entries in your default file :-). To get the menu the "menu label" lines describe, add "UI menu.c32" at the top of the default file and copy menu.c32 (and libutil.c32, which it needs with syslinux 6) from /usr/share/syslinux into /var/lib/tftpboot alongside pxelinux.0 and ldlinux.c32.

And the biggest limitation of a network install is that Fedora 30 needs at least 2GB of memory assigned to the server being network booted; 1.5GB is not enough to unpack the initramfs to perform the install.

About mark

At work, been working on Tandems for around 30yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20yrs; also about 5yrs on MVS (mainly operations and automation but also smp/e work). At home I have been using linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C(Tandem); 370 assembler(MVS); C, perl and shell scripting in *nix; and Microsoft Macro Assembler(windows).
This entry was posted in Automation, Unix.