PXE Boot On Certain Computers
-
I’m able to get PXE boot working with our FOG server but have noticed that random computers are booting to it even though their hard drive is fine to boot from and the boot priority is set so that network boot is not first in the list. I do have DHCP options 66 and 67 enabled on our DHCP server. I want to set it up so that our IT department is the only one that can have a computer boot to that server for imaging purposes. There may be a setting I’m missing on our server, or we need to reconfigure all of our computers in the BIOS.
-
@taylorcockrell This is interesting since I have not experienced this before. It has to be something related to the target computer to skip the hard drive that is defined first.
The only time I’ve seen an option to do this is when the firmware is configured for WoL and pxe boot is set there. So when the computer is woken up by WoL it pxe boots right away. This would be used for remote controlled imaging.
In your case, when the target computer gets into the iPXE menu it should time out after 5 seconds and boot into the OS. Does it do this correctly even if it does boot into the iPXE menu?
-
@george1421 They run into a secure boot error, which I’m needing to turn off on our machines if we are not currently using it. I did change the timeout for the main menu so that I could work on some testing for it. Do I need to change the main menu timeout back to 5 seconds so it will continue booting to the hard drive? This issue mostly happens when someone restarts their computer.
-
@taylorcockrell You don’t need to reset it back to 5 seconds. But the question was more around whether the target computer’s OS will boot when the timeout happens. It’s not clear to me why the computer is skipping hard drive boot to fail over to PXE booting. Is the hard drive not detected, so it PXE boots? Then if it PXE boots through this method, will it boot through the iPXE menu into the OS? Or is the disk lost somewhere? That is the question.
-
@george1421 I could maybe start with disabling the secure boot and see what happens after that.
-
@taylorcockrell said in PXE Boot On Certain Computers:
start with disabling the secure boot and see what happens after that.
FWIW: FOG iPXE will not boot when secure boot is enabled. Turning off secure boot is a prerequisite to image with FOG.
-
@george1421 should I use a different boot file then? I’m currently using ipxe.efi for the dhcp option.
-
@taylorcockrell said in PXE Boot On Certain Computers:
should I use a different boot file then? I’m currently using ipxe.efi for the dhcp option.
The iPXE binary is usually fine for most UEFI hardware. If you see issues you can try snp.efi or snponly.efi as well.
-
@taylorcockrell Well, let’s make sure we don’t get the issues mixed here.
Your OP says that at random your computers are booting into FOG even though the hard drive is configured first in the boot order. That is a workstation issue. That is unrelated to FOG at this time; FOG is only servicing the PXE boot request that is being issued by the target computer.
The second issue is the boot loader. For uefi there are 2 main choices and a few others for niche issues. The ipxe.efi is akin to the linux kernel where it has all of the popular network drivers built in. Then there is snp.efi that only has the snp driver built in. The snp driver is typically universal because it uses the snp driver built into the network adapter. If you have really leading edge hardware I would recommend using the snp.efi boot loader. But again this is not your issue.
My question is around if the computer skips the local hard drive boot (for some reason) and it happens to end up in the iPXE menu, then by default it should try to boot the local hard drive. I’m asking is that bit happening. Thinking: that if the computer bypassed the hard drive for some reason, can iPXE exit to the hard drive or is there something wrong with the hard drive requiring a power cycle to fix it??
-
@george1421 so I did some more research and I wonder if it’s not technically booting the fog server but only throwing an error because of secure boot being enabled. The issue I’m going to run into is disabling secure boot on 400 computers in our company because it can’t be done remotely. Would it be easier to set up fog to do secure boot instead?
-
@taylorcockrell Fog doesn’t support secure booting directly. You can create new keys and add them to your target computers so it will see the fog binaries as valid, but again you have to touch 400 computers to import the keys.
Just to be clear you plan on unattended upgrade/reimaging 400 computers without IT intervention?
What manufacturer’s hardware do you use, Dell business class?
-
@george1421 No, I want to be able to reimage a computer if we need to from any location, but make it so that we are the only ones that can connect to the FOG server. We have Lenovo ThinkCentre Tiny PCs for most of the computers.
-
@taylorcockrell Well, there is no easy answer here. If you need secure boot enabled in your environment then you can create a self-signed key and apply it to each workstation. Then you can sign both ipxe.efi and bzImage with the same key. Once that is done you can secure boot using FOG. I created a tutorial on the steps needed. For an open source project it’s a bit impractical to get Microsoft-signed kernels and EFI boot loaders to do it any other way. I wish there was a better solution.
In the case of the hardware, I know for Dell hardware you can use a Dell-offered utility to modify the firmware from within the host OS. Thinking that you can turn off secure boot (which will break BitLocker, but you will reimage the computer anyway) then reboot the computer into PXE booting with FOG.
If you require an IT tech to sit in front of the computer to image it, then they can simply turn off secure boot and then boot into pxe booting via the uefi boot manager. The imaging tech would have the access and capabilities to disable secure boot prior to imaging.
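
Added example, not part of the thread and not FOG code: a check of whether a PE-format UEFI boot file such as ipxe.efi carries an embedded signature at all, which is the first thing to confirm before and after signing it with your own key as described above. The function names are hypothetical and the sample images are constructed in `build_sample()`.

```python
import struct
import sys

SECURITY_DIR = 4  # index of the certificate table in the PE data directories

def signature_table(image: bytes):
    """Return (file_offset, size, cert_type) of the embedded signature, or None if unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:    # PE32+, used by 64-bit UEFI binaries
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", image, count_off)
    if ndirs <= SECURITY_DIR:
        return None
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", image, dirs_off + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None
    if size < 8 or offset + size > len(image):
        raise ValueError("certificate table points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", image, offset)
    return offset, size, cert_type  # cert_type 2 = PKCS#7 SignedData (Authenticode)

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    opt = bytearray(240)                  # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 12, 0x0200, 2) + b"\0" * 4 if signed else b""
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x40 + 24 + 240, len(cert))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    for name, data in [("unsigned sample", build_sample(False)), ("signed sample", build_sample(True))]:
        print(name, "->", signature_table(data))
    for path in sys.argv[1:]:  # e.g. the path to ipxe.efi on the imaging server
        with open(path, "rb") as fh:
            print(path, "->", signature_table(fh.read()))
```

A signature entry only shows that the file was signed; whether the firmware accepts it depends on the keys enrolled on each workstation.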