19 Setting up a UEFI HTTP Boot server
This chapter describes how to set up and configure a UEFI HTTP Boot server.
19.1 Introduction
HTTP Boot combines DHCP, DNS and HTTP to make it possible to boot and deploy systems over the network. HTTP Boot can be used as a high-performance replacement for PXE. HTTP Boot allows booting a server from a URI over HTTP, quickly transferring large files, such as the Linux kernel and root file system, from servers outside of your local network.
19.1.1 Configuring the client machine
Enabling HTTP Boot on a physical client machine depends on your specific hardware. Consult the documentation for further information on how to enable HTTP Boot on your particular machine.
19.1.2 Preparation
The setup described here uses the 192.168.111.0/24 (IPv4) and 2001:db8:f00f:cafe::/64 (IPv6) subnets as examples, with the server IP addresses 192.168.111.1 (IPv4) and 2001:db8:f00f:cafe::1/64 (IPv6). Adjust these values to match your specific setup.
Install the following packages on the machine that you plan to use as an HTTP Boot server: dhcp-server, apache2 (or lighttpd), and dnsmasq.
19.2 Configuring the server
19.2.1 DNS server
While configuring the DNS server is optional, it allows you to assign a user-friendly name to the HTTP Boot server. To set up the DNS server, add the following to the /etc/dnsmasq.conf file:
interface=eth0
addn-hosts=/etc/dnsmasq.d/hosts.conf
Assign a domain name to the IP addresses in the /etc/dnsmasq.d/hosts.conf file:
192.168.111.1 www.httpboot.local
2001:db8:f00f:cafe::1 www.httpboot.local
Start the DNS server.
systemctl start dnsmasq
Because of a change in UEFI 2.7, we recommend using a shim boot loader from SLE 15 or newer to avoid potential errors caused by the additional DNS node.
19.2.1.1 Configuring the DHCPv4 server
Before setting up the DHCP servers, specify the network interface for them in /etc/sysconfig/dhcpd:
DHCPD_INTERFACE="eth0"
DHCPD6_INTERFACE="eth0"
This way, the DHCP servers provide the service on the eth0 interface only.
To set up a DHCPv4 server for both PXE Boot and HTTP Boot, add the following configuration to the /etc/dhcpd.conf file:
option domain-name-servers 192.168.111.1;
option routers 192.168.111.1;
default-lease-time 14400;
ddns-update-style none;
class "pxeclients" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  option vendor-class-identifier "PXEClient";
  next-server 192.168.111.1;
  filename "/bootx64.efi";
}
class "httpclients" {
  match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
  option vendor-class-identifier "HTTPClient";
  filename "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
}
subnet 192.168.111.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.111.100 192.168.111.120;
  default-lease-time 14400;
  max-lease-time 172800;
}
Note that the DHCPv4 server must use the HTTPClient parameter for the vendor class ID, as the client uses it to identify an HTTP Boot offer.
Start the DHCP daemon:
systemctl start dhcpd
19.2.1.2 Configuring the DHCPv6 server
To set up the DHCPv6 server, add the following configuration to /etc/dhcpd6.conf:
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class 0 10 "HTTPClient";
}
This configuration defines the type of the boot URL, the vendor class, and other required options. Similar to the DHCPv4 settings, it is necessary to provide the boot URL, which must have an IPv6 address. It is also necessary to specify the vendor class option. In DHCPv6, it consists of the enterprise number and the vendor class data (length and the content). Since the HTTP Boot driver ignores the enterprise number, you can set it to 0. The content of the vendor class data needs to be HTTPClient; otherwise, the client ignores the offer.
The older HTTP Boot implementation, which does not follow RFC 3315, requires a different configuration:
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = string;
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class "HTTPClient";
}
Start the DHCPv6 daemon:
systemctl start dhcpd6
19.2.1.2.1 Setting up the DHCPv6 server for both PXE and HTTP Boot
Using the following configuration, it is possible to configure the DHCPv6 server for both PXE Boot and HTTP Boot:
option dhcp6.bootfile-url code 59 = string;
option dhcp6.vendor-class code 16 = {integer 32, integer 16, string};
subnet6 2001:db8:f00f:cafe::/64 {
        range6 2001:db8:f00f:cafe::42:10 2001:db8:f00f:cafe::42:99;
        class "PXEClient" {
                match substring (option dhcp6.vendor-class, 6, 9);
        }
        subclass "PXEClient" "PXEClient" {
                option dhcp6.bootfile-url "tftp://[2001:db8:f00f:cafe::1]/bootloader.efi";
        }
        class "HTTPClient" {
                match substring (option dhcp6.vendor-class, 6, 10);
        }
        subclass "HTTPClient" "HTTPClient" {
                option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
                option dhcp6.name-servers 2001:db8:f00f:cafe::1;
                option dhcp6.vendor-class 0 10 "HTTPClient";
        }
}
It is also possible to match the vendor class to a specific architecture, as follows:
class "HTTPClient" {
        match substring (option dhcp6.vendor-class, 6, 21);
}
subclass "HTTPClient" "HTTPClient:Arch:00016" {
        option dhcp6.bootfile-url "http://www.httpboot.local/sle/EFI/BOOT/bootx64.efi";
        option dhcp6.name-servers 2001:db8:f00f:cafe::1;
        option dhcp6.vendor-class 0 10 "HTTPClient";
}
In this example, HTTPClient:Arch:00016 refers to an AMD64/Intel 64 HTTP Boot client. This configuration allows the server to serve different architectures simultaneously.
          
19.2.1.2.2 Configuring the firewall
If DHCPv6 packets are dropped by the RP filter in the firewall, check its log. If it contains the rpfilter_DROP entry, disable the filter using the following setting in /etc/firewalld/firewalld.conf:
IPv6_rpfilter=no
19.2.1.3 Deploying a TFTP server (optional)
To provide support for both PXE Boot and HTTP Boot, deploy a TFTP server. Install the tftp package and start the service:
systemctl start tftp.socket
systemctl start tftp.service
It is also necessary to install a specific tftpboot-installation package for use with PXE Boot. Run the zypper se tftpboot command to list the available tftpboot-installation packages, then install the package for the desired system version and architecture, for example tftpboot-installation-SLE-VERSION-x86_64 (replace VERSION with the actual version, for example 15-SP3, giving tftpboot-installation-SLE-15-SP3-x86_64). Copy the content of the SLE-VERSION-x86_64 directory to the root directory of the TFTP server.
For more information, refer to /usr/share/tftpboot-installation/SLE-VERSION-x86_64/README
19.2.1.4 Setting up the HTTP server
Create the sle/ directory under the /srv/www/htdocs/ directory and copy the entire content of the first system ISO image to the /srv/www/htdocs/sle/ directory. Then edit the /srv/www/htdocs/sle/EFI/BOOT/grub.cfg file. Use the following example as a reference:
timeout=60
default=1
menuentry 'Installation IPv4' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linux /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle
    echo 'Loading initial ramdisk ...'
    initrd /sle/boot/x86_64/loader/initrd
}
menuentry 'Installation IPv6' --class opensuse --class gnu-linux --class gnu --class os {
    set gfxpayload=keep
    echo 'Loading kernel ...'
    linux /sle/boot/x86_64/loader/linux install=http://www.httpboot.local/sle ipv6only=1 ifcfg=*=dhcp6,DHCLIENT6_MODE=managed
    echo 'Loading initial ramdisk ...'
    initrd /sle/boot/x86_64/loader/initrd
}
19.2.1.4.1 Configuring lighttpd
To enable support for both IPv4 and IPv6 in lighttpd, modify /etc/lighttpd/lighttpd.conf as follows:
##
## Use IPv6?
##
#server.use-ipv6 = "enable"
$SERVER["socket"] == "[::]:80" {  }
Start the lighttpd daemon:
systemctl start lighttpd
19.2.1.4.2 Configuring apache2
Apache requires no additional configuration. Start the apache2 daemon:
systemctl start apache2
19.2.1.5 Enabling SSL support for the HTTP server (optional)
To use HTTPS Boot, you need to convert an existing server certificate into the DER format and enroll it into the client's firmware.
Assuming you already have a certificate installed on your server, convert it into the DER format for use with the client using the following command:
openssl x509 -in CERTIFICATE.crt -outform der -out CERTIFICATE.der
19.2.1.5.1 Enroll the server certificate into the client firmware
The exact procedure of enrolling the converted certificate depends on the specific implementation of the client's firmware. For certain hardware, you need to enroll the certificate manually via the firmware UI using an external storage device with the certificate on it. Machines with Redfish support can enroll the certificate remotely. Consult the documentation for your specific hardware for more information on enrolling certificates.
19.2.1.5.2 Enabling SSL support in lighttpd
Since lighttpd needs the private key and the certificate in the same file, unify them using the following command:
cat CERTIFICATE.crt server.key > CERTIFICATE.pem
Copy CERTIFICATE.pem to the /etc/ssl/private/ directory and restrict its ownership and permissions (the following commands use server-almighty.pem as the file name):
cp server-almighty.pem /etc/ssl/private/
chown -R root:lighttpd /etc/ssl/private/server-almighty.pem
chmod 640 /etc/ssl/private/server-almighty.pem
Make sure that mod_openssl is listed in the server.modules section of the /etc/lighttpd/modules.conf file, for example:
server.modules = (
    "mod_access",
    "mod_openssl",
)
Add the following lines to the SSL Support section in /etc/lighttpd/lighttpd.conf:
# IPv4
$SERVER["socket"] == ":443" {
    ssl.engine                 = "enable"
    ssl.pemfile                = "/etc/ssl/private/server-almighty.pem"
}
# IPv6
$SERVER["socket"] == "[::]:443" {
    ssl.engine                 = "enable"
    ssl.pemfile                = "/etc/ssl/private/server-almighty.pem"
}
Restart lighttpd to activate SSL support:
systemctl restart lighttpd
19.2.1.5.3 Enabling SSL support in Apache
Open the /etc/sysconfig/apache2 file and add the SSL flag as follows:
APACHE_SERVER_FLAGS="SSL"
Make sure that the ssl module is listed in APACHE_MODULES, for example:
Next, copy the private key and the certificate to the /etc/apache2/ directory:
cp server.key /etc/apache2/ssl.key/
chown wwwrun /etc/apache2/ssl.key/server.key
chmod 600 /etc/apache2/ssl.key/server.key
cp server.crt /etc/apache2/ssl.crt/
Create the SSL vhost configuration:
cd /etc/apache2/vhosts.d
cp vhost-ssl.template vhost-ssl.conf
Edit /etc/apache2/vhosts.d/vhost-ssl.conf to change the private key and the certificate:
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
Restart Apache to activate the SSL support:
systemctl restart apache2
19.2.1.5.4 Modify the DHCP configuration
Replace the http:// prefix with https:// in dhcpd.conf/dhcpd6.conf and restart the DHCP servers:
systemctl restart dhcpd
systemctl restart dhcpd6
19.3 Booting the client via HTTP Boot
If the firmware already supports HTTP Boot, plug in the cable and choose the correct boot option.