PXE-boot server – Summary – Part 5/5

Summary:

This is the last post of the PXE-boot series. What was built during "build your own PXE-boot server" is not secure, not optimized and does not run as fast as it could, but the goal was a working solution. In this post I collect the topics where you can fine-tune and improve the current setup.

OS choice:

I chose openmediavault 2.1 because my goal was a multi-function server. If you only want to implement the PXE part, I recommend Red Hat or a Red Hat-based OS (CentOS), or Debian or a Debian-based OS. Whatever the task, I always recommend the "netinstall" or "minimal" packages. These contain only the most important applications, which is the best choice in a server environment: you don't have to remove a lot of unnecessary applications (a normal installation brings many of them), which run with default settings and can cause security issues because you don't look after them (since you don't use them). A minimal image doesn't need an active internet connection, but the installed packages / applications are not the latest; a netinstall image needs an active internet connection, and the installer downloads the latest minimal packages. For servers I don't recommend installing any desktop manager / GUI, because you will manage the machine remotely (with a terminal application). A GUI also doesn't offer the same opportunities to automate tasks, doesn't show detailed error messages, and (the strongest argument, in my opinion) these packages are not well tested in a server environment.

I haven't talked about Windows so far. It is possible, but different from Linux. When I tried it under Windows (two years ago), the TFTP+DHCP server application had a lot of bugs: sometimes it stopped running, or lost the connection with the PXE-boot client. You can try it if you want, and I think it is under continuous development, but under Linux these applications are well tested.

Settings portability:

For the PXE part we used basically three applications: "isc-dhcp-server", "tftpd-hpa" and "samba". All of them are available on most Linux operating systems, but when you port the settings to another environment, watch out for the following traps:

 – Always verify which version of the application is in use and which version will be used after you port the settings! For example, samba 3.x.x and samba 4.x.x configurations are very different. In most cases the application's author provides a solution (migration script) for such incompatibilities.

 – The default behaviour of these applications can differ from one OS to another. Don't forget to verify with the OS's autostart manager that these processes were successfully added to autostart. It is common to forget this (I forget it sometimes too; I always remember it when the process is not running after a reboot 🙂 )

 – You must always know where the settings (configuration files) and log files are stored. This depends on the OS in use. To find out, I recommend reading the manual of the process, for example: man isc-dhcp-server

Security:

Yes, this point was skipped while we built the infrastructure 🙂 So to be clear: the PXE-boot system we created works, but it is fully insecure. You have a lot of options to make it secure. I recommend reading about and trying the possibilities offered by the processes in use (samba, tftpd-hpa, isc-dhcp, ...). OMV 2.1's web UI also provides basic security settings for shares, policies for users and so on. On the OS side you can also take care of sudoers, ownership, PAM, firewall rules and the like. The most important rule is to choose a complex root password and never give it to anyone else. Also change all default passwords and, if necessary, the default ports (SSH, TFTP, HTTP), but in that case stay careful and test afterwards: many other applications were not tested for this scenario, for example with a non-default SSH port.

As you can see, you have tons of possibilities to make it secure, but keep in mind that not every security step is necessary in every case. So first review your infrastructure and create a plan: what and which process / folder / file will be in use, and how you can control it with rules. I recommend building what you want first, testing it, and only then securing it. Security options can cause a lot of trouble (password mismatch, permission problems, lower/upper-case problems, ...) if you have never seen what you built working. I think you now understand why security was skipped.
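The post lists the places to harden (the daemons' own options, shares, interfaces) but leaves the checking to the reader. Below is an added example, not from the post or from any of the projects it mentions: a small POSIX shell audit that reads the three services' configuration files and flags the weak defaults. It assumes the Debian/openmediavault file layout (/etc/default/tftpd-hpa, /etc/default/isc-dhcp-server, /etc/samba/smb.conf) and a share named "pxe"; the sample file contents, the address 192.168.56.10 and the interface eth1 are constructed for the example so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post): audit the three PXE services' config
# files for the weak defaults the post talks about. File locations are the
# Debian/openmediavault defaults; the contents below are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- constructed samples: a weak and a hardened variant of each file -------
cat > "$WORK/tftpd-hpa.weak" <<'EOF'
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--create"
EOF
cat > "$WORK/tftpd-hpa.hard" <<'EOF'
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="192.168.56.10:69"
TFTP_OPTIONS="--secure"
EOF
cat > "$WORK/isc-dhcp-server.weak" <<'EOF'
INTERFACESv4=""
EOF
cat > "$WORK/isc-dhcp-server.hard" <<'EOF'
INTERFACESv4="eth1"
EOF
cat > "$WORK/smb.weak" <<'EOF'
[global]
   workgroup = WORKGROUP
[pxe]
   path = /srv/pxe
   guest ok = yes
   read only = no
EOF
cat > "$WORK/smb.hard" <<'EOF'
[global]
   workgroup = WORKGROUP
[pxe]
   path = /srv/pxe
   guest ok = no
   read only = yes
   hosts allow = 192.168.56.
EOF

# Value of KEY="value" (last definition wins) in an /etc/default-style file.
default_value() {  # file key
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# tftpd-hpa: --secure (-s) chroots the daemon into TFTP_DIRECTORY; --create (-c)
# lets any client upload files into it, which a boot server never needs.
tftpd_is_hardened() {  # defaults-file
    opts=" $(default_value "$1" TFTP_OPTIONS) "
    case "$opts" in *" --create "*|*" -c "*) return 1 ;; esac
    case "$opts" in *" --secure "*|*" -s "*) return 0 ;; esac
    return 1
}

# isc-dhcp-server: with an empty INTERFACESv4 dhcpd answers on every interface,
# so a second NIC could hand out leases on a network it should never serve.
dhcpd_binds_interface() {  # defaults-file
    ifs=$(default_value "$1" INTERFACESv4)
    [ -n "$ifs" ] || ifs=$(default_value "$1" INTERFACES)
    [ -n "$ifs" ]
}

# Print one parameter from one [section] of an smb.conf-style file.
smb_param() {  # smb.conf section param
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", cur); next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v }
        }' "$1"
}

# samba: a PXE image share should be read-only, closed to guests and limited
# to the boot network.
smb_share_is_hardened() {  # smb.conf share
    [ "$(smb_param "$1" "$2" "read only")" = yes ] &&
    [ "$(smb_param "$1" "$2" "guest ok")" = no ] &&
    [ -n "$(smb_param "$1" "$2" "hosts allow")" ]
}

# Run all three checks; prints findings and returns the number of failures.
audit() {  # tftpd-defaults dhcpd-defaults smb.conf share
    fails=0
    tftpd_is_hardened "$1" || { echo "FAIL tftpd-hpa: want --secure without --create in $1"; fails=$((fails + 1)); }
    dhcpd_binds_interface "$2" || { echo "FAIL isc-dhcp-server: INTERFACESv4 is empty in $2"; fails=$((fails + 1)); }
    smb_share_is_hardened "$3" "$4" || { echo "FAIL samba: [$4] in $3 is writable, guest-accessible or unrestricted"; fails=$((fails + 1)); }
    echo "$fails problem(s) found"
    return "$fails"
}

echo "== weak samples =="
audit "$WORK/tftpd-hpa.weak" "$WORK/isc-dhcp-server.weak" "$WORK/smb.weak" pxe || :
echo "== hardened samples =="
audit "$WORK/tftpd-hpa.hard" "$WORK/isc-dhcp-server.hard" "$WORK/smb.hard" pxe || :
```

On a real server, point `audit` at /etc/default/tftpd-hpa, /etc/default/isc-dhcp-server and /etc/samba/smb.conf instead of the samples; the checks are deliberately conservative (they only read the files), so they fit the post's advice to build and test first and then tighten, one finding at a time.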

If your network card's PXE implementation doesn't work as expected:

In a virtual environment this is not a problem, but on real hardware you will face problems when the network card's vendor didn't implement PXE correctly in the card's ROM. In this case you don't have many options, but here is one. For me the fastest and most stable solution was to create a bootable pendrive containing iPXE's bootable ROM ISO. It temporarily replaces the network card's ROM with a working iPXE ROM. If you look around the website, you will see that you can also build your own ROM image and burn it into the card's firmware. Which one you need is your choice.

Improve speed & decrease RAM reservation:

The speed is okay for testing in a virtual environment, but it can be much faster. TFTP, as I wrote, is an old but always-working method to boot a machine over the LAN. Its speed is like booting from a USB 2.0 pendrive (it also depends on your network speed, 100 Mbit/s vs 1 Gbit/s), and don't forget that TFTP-booted images are first copied into RAM, and then the host machine extracts this loaded file from RAM to RAM. So one image occupies RAM twice, which matters on low-memory machines. One method to solve this is well described for WinPE on this iPXE site: it uses an HTTP connection (and is also usable for other boot images, not just WinPE). This solution is chain-loaded from the TFTP boot; it is not a replacement for it!

 – TFTP-boot method:

 – TFTP-boot + HTTP connection method:

With this improvement you speed up the boot and free up memory, since the boot image no longer needs to be copied to RAM.
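To make the chain-loading concrete, here is an added example that is not part of the post and not taken from the iPXE site it links to: a POSIX shell script that generates the dhcpd.conf fragment and the boot.ipxe script for a TFTP -> iPXE -> HTTP chain, and lints the result. The post describes this for WinPE; the example generalizes it to a Linux kernel and initrd. The server address 192.168.56.10, the web root /pxe, the image names vmlinuz / initrd.img and the file names dhcpd-pxe.conf and boot.ipxe are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the post): generate the two pieces that turn the
# plain TFTP boot into a TFTP -> iPXE -> HTTP chain, plus a lint for the
# result. Server address, web root and image names are assumptions.

SERVER_IP="192.168.56.10"            # assumed address of the PXE/HTTP server
HTTP_BASE="http://$SERVER_IP/pxe"    # assumed web root that serves the images

# dhcpd.conf fragment. A card's own PXE ROM sends no user-class, so it gets the
# small iPXE binary (undionly.kpxe) over TFTP; once iPXE is running it asks
# again with user-class "iPXE" and is pointed at the script on the web server.
dhcpd_pxe_fragment() {
    cat <<EOF
next-server $SERVER_IP;
if exists user-class and option user-class = "iPXE" {
    filename "$HTTP_BASE/boot.ipxe";
} else {
    filename "undionly.kpxe";
}
EOF
}

# boot.ipxe: kernel and initrd are fetched over HTTP, so the only file that
# ever crosses TFTP is undionly.kpxe. Any failure drops to the iPXE shell
# instead of hanging silently.
ipxe_boot_script() {  # kernel initrd [kernel-args]
    cat <<EOF
#!ipxe
echo Booting $1 from $HTTP_BASE
kernel $HTTP_BASE/$1 ${3:-} || goto failed
initrd $HTTP_BASE/$2 || goto failed
boot || goto failed
:failed
echo Boot failed, dropping to the iPXE shell
shell
EOF
}

# Lint a generated script: magic line first, every fetch over HTTP (a tftp://
# URL would quietly bring back the slow path), and a ":label" for each goto.
check_ipxe_script() {  # file
    [ "$(head -n 1 "$1")" = "#!ipxe" ] || { echo "$1: missing #!ipxe magic"; return 1; }
    if grep -E '^(kernel|initrd|chain) ' "$1" | grep -v 'http://' | grep -q .; then
        echo "$1: a kernel/initrd/chain line does not fetch over HTTP"; return 1
    fi
    for lbl in $(sed -n 's/.*goto \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u); do
        grep -q "^:$lbl\$" "$1" || { echo "$1: goto $lbl has no :$lbl label"; return 1; }
    done
    return 0
}

# Write both files into a directory and print the path of the iPXE script.
write_boot_files() {  # outdir kernel initrd [kernel-args]
    dhcpd_pxe_fragment > "$1/dhcpd-pxe.conf"
    ipxe_boot_script "$2" "$3" "${4:-}" > "$1/boot.ipxe"
    echo "$1/boot.ipxe"
}

OUT=$(mktemp -d)
trap 'rm -rf "$OUT"' EXIT
SCRIPT=$(write_boot_files "$OUT" vmlinuz initrd.img "initrd=initrd.img ip=dhcp")
check_ipxe_script "$SCRIPT" && echo "generated $SCRIPT and $OUT/dhcpd-pxe.conf"
```

The dhcpd fragment goes inside the subnet block that already points `next-server` at the TFTP host, boot.ipxe and the images go under the web root, and undionly.kpxe stays in the TFTP directory. Because the lint refuses any kernel or initrd line that is not an http:// URL, a later edit that slips back to TFTP for one file is caught before a client boots with it.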

You can also fine-tune the TFTP server's configuration file to find the settings for the fastest stable connection (for example by adjusting the block size).

Improvement – Boot manager:

Grub4dos (which the TFTP server loads on the client) is a feature-rich application under continuous development and improvement. Here is a reference on how to set a password for the menu, create an animated or coloured background, load floppy / ISO images, or anything else you would like to do with it. You can play with it for weeks or months 🙂 . If you want to run grub4dos-related tests, I recommend creating a pendrive with grub4dos prepared and testing it with a simple, lightweight, fast application, MobaLiveCD. It supports testing USB drives and boot CDs/DVDs as well.

Download prepared VMs:

As promised, you can download the VMs that were prepared while writing this blog series. Please use them only for debugging purposes or to see that it really works :). Before you download, a few hints to make them work:

 – When you import the VMs, don't forget to re-initialize the MAC addresses. It is just one click and can save you a lot of unnecessary debugging.

 – On the first run you may get an error message regarding the network card. The reason is simple: the "Adapter 1" network card of the Media&PXE VM is a "Bridged Adapter", which was bound to my Atheros wireless network adapter when I exported the VM. Simply change it to your actual working network adapter (the one that will get a DHCP address).

 – You must have the latest Oracle VM VirtualBox Manager. The VMs were saved with version 5.1.12, but when I tried to run them in version 5.1.8, the TFTP part of the system didn't work (the PXE-test VM got an IP from the DHCP server, but TFTP couldn't boot). When I updated to version 5.1.14, everything worked as expected. Conclusion: use the latest Oracle VM 🙂

Here you can download the "Media&PXE" and "PXE-test" VMs.

Useful links:

Here I collect a few website links which can be useful if you are interested in USB / network boot.

 – RMPrep

 – reboot.pro

 – iPXE

 – Grub4dos (Chinese language, but latest packages)

As my last words I would like to thank the author of this (Hungarian-language) post. She / he helped me fill in my missing knowledge about PXE boot 🙂 Thank you for it.
