PXE Boot not working properly from Storage Node

Sebastian Roth

@Silv4n said in PXE Boot not working properly from Storage Node:

It also tries to connect there still with HTTP

Edit /tftpboot/default.ipxe on the storage node and adjust the URL in the last line.

Though there is another thing that you need to fix I’d guess. I haven’t done a HTTPS enabled storage node setup in a while. But I’d think your iPXE binaries on the storage node do not include the correct cert yet.

As there was an issue in the build script of FOG 1.5.7 I’d suggest you do the following on your storage node:

• Make sure you have the whole CA copied form your master node to your storage node. It’s in /opt/fog/snapins/ssl/CA/ and includes hidden files, so make sure you grab all of it. Put that in the same location on the storage node and make sure ownership and rights are set exactly as they were before (compare ls -al output).
• Grab the iPXE build script from the latest FOG project development code branch and rebuild the iPXE binaries to include your CA cert:

sudo su -
cd /path/to/your/fogproject-source-dir/
cd utils/FOGiPXE
wget -O buildipxe.sh https://raw.githubusercontent.com/FOGProject/fogproject/dev-branch/utils/FOGiPXE/buildipxe.sh
chmod +x buildipxe.sh
./buildipxe.sh

• Keep an eye on this to be sure it doesn’t end with an error. Then copy the new binaries over to the destination:

cd ../../packages/tftp/
mkdir /tftpboot/arm64-efi
mkdir /tftpboot/10secdelay/arm64-efi
mkdir /tftpboot/10secdelay/i386-efi
find -type f -exec cp -Rfv {} /tftpboot/{} \;

• Make sure you edit /opt/fog/.fogproject and set httpproto='https' for when you re-run the FOG installer in the future.

I know this might seem overly complicated but from my point of view those steps are best suited in your current situation of half HTTP/HTTPS.

Silv4n

@Sebastian-Roth Ok, in /tftpboot/default.ipxe there currently is chain https://10.144.1.22/fog/service/ipxe/boot.php##params, so there is already https. Im’m gonna try now the cert gen etc.

Silv4n

@Sebastian-Roth So I’ve generated the new certs etc. and now I have a new error message (Permission denied):
https://imgur.com/a/yK4TwNZ

Silv4n

@Sebastian-Roth Oh, and I can access the file from the browser

Sebastian Roth

@Silv4n iPXE errors out and gives you a command line. Please run command certstat and post a picture of the output here.

Silv4n

@Sebastian-Roth https://imgur.com/a/YpoaNPz

Sebastian Roth

@Silv4n Oh well, I should have read the whole topic more closely and think about it a bit more. Copying the certs for Apache from the master server over will cause trouble because it’s got the wrong IP/DNS name in it.

In this case I’d suggest you re-run the installer on the storage node and tell it to recreate the Apache cert and key.

• Make sure have set httpproto='https' in /opt/fog/.fogproject!
• Run the installer like this: ./installfog.sh --recreate-keys

Silv4n

@Sebastian-Roth No problem, you’re helping me. With reinstall apache/php files or not?

Sebastian Roth

@Silv4n No, no need to reinstall apache/php stuff in this case! That part of the installer a left over from earlier. Won’t be asking in the next version anymore.

Silv4n

@Sebastian-Roth Thanks to the both of you, it worked!

Proof: https://imgur.com/a/FiqaZNd

george1421

@Sebastian-Roth So the root cause of this:

1. The fog install script does not honor https for storage node installs?
2. The fog installer did not provide the necessary command line switches when installing the storage node to enable https?

Sebastian Roth

@george1421 said in PXE Boot not working properly from Storage Node:

So the root cause of this:

The fog install script does not honor https for storage node installs?
The fog installer did not provide the necessary command line switches when installing the storage node to enable https?

As far as I can tell right now the only issue was that the storage node was not installed with HTTPS enabled in the first place and the buildipxe script in 1.5.7 has a bug that would not compile the cert into the binaries correctly (fixed for 1.5.8 already).

Silv4n

This post is deleted!