RE: Broken iPXE boot loader

@george1421 said in Broken iPXE boot loader:

@Mightmar I wonder if the devs for iPXE has changed something in the ipxe source code to cause this error message about autoexec.ipxe not found. This should be supplied by the fog project add on files. I’ll take a look at the compiler to see if something has changed. You should not see this error.

Reinstalling 1.5.10 will fix the error of the latest build of iPXE. Also you mentioned about a later version of FOG. Yes you can install that over 1.5.10 without issue. It should also have updated (but not the newest version of iPXE).

This is the first post I found searching autoexec.ipxe so replying here for future searchers.

This was an addition in a recent ipxe version, and is meant to be a way to add ipxe based functionality without needing to recompile ipxe in order to edit an embedded script (https://github.com/ipxe/ipxe/discussions/1237#discussioncomment-9847219), I can’t find the post/doc again but I remember reading in one place that ipxe added it as part of the hopes of getting a signed ipxe shim so users could use the signed shim and then use this script to add what they can’t embed. While technically we can create a blank file in /tftpboot/ i.e. just

#!ipxe

which will remove the error during boot, this can then cause kernel panics when loading into FOS. Why it does this is a bit of a mystery at the moment, maybe it’s adding to or replacing another part of our pxe menu scripts that causes something in loading the kernels to lose access to ramdisk drivers. But adding it can break everything, so for the time being, just ignore the error.

@gaptoothgonni Well darn, have you tried booting with snponly.efi instead of ipxe.efi? It wouldn’t make a ton of sense if that worked but something else to try.
If it’s booting to the wim though, it should just be getting the drivers from the wim unless ipxe somehow changes how they’re presented, which I don’t think it does but that’s also the only difference between where it’s working. Might be worth looking at https://github.com/ipxe/ipxe/discussions and seeing if anyone has had similar issues. Since you’re just using FOG to create the ipxe boot menu, it’s not likely anything within FOG that’s causing this. You could try ipxe’s pre-built boot files, though they won’t have the embedded fog stuff https://boot.ipxe.org/ but maybe will make a difference. There’s other ipxe efi files you can try too, or try an older one ( I think we still include some legacy ones in /tftpboot)

@pilipp_edv That should be enough I imagine, thanks for being thorough. I’ll take a look at the kernel config when I get a chance.

@pilipp_edv
Glad you got it figure out.
In case you aren’t aware, you can download that bzImage as a different name like bzImage-mmc and use that case sensitive name in the Host Kernel field on any host you have with the mmc and your other hosts can use the default latest.

Would you be willing to share more info on the make/model of these computers and or the make/model of the mmc controller and such? Although it could just be down to what driver versions are included by linux at the kernel level with different versions of the kernel, we can also check if there was a config change in what we include in the kernel between then and now that could have caused this.

@chunter2 Ah, yes that would do it.
That just becomes the default value when creating new hosts.
If you set it via a group, it will update those values on all hosts in a given group, but it doesn’t do that dynamically/perpetually.

@ramone As far as I am aware, no one ever volunteered to take up the docker image maintenance. It’s essentially dead.
I think it’s possible in theory, you would just need volumes for the fog directories that need to be static between updates like the database and images, though there would surely be other fun issues with ports to work out. I personally see the desire for it if you’re in an environment where you already have lots of containers as a standard in your infrastructure, but I like having it just on its own server.
Is it not an option to start with a docker image that doesn’t already have a database on the default port? Or are you saying the docker host already has a database on said port?
I’m also sure we could figure out using an external database as storagenodes already connect to an external database. I would think that using docker for adding storage nodes might make some sense as you could put them all on one server and use volumes to mount disks from different sources.
However, the more virtualization and containerization you add, the more complication arises. Already once just on a virtual server you may not be able to use multi-cast imaging unless you’re able to add igmp snooping in your virtual networking. I don’t know if containers have that same limitation or other limitations that could be introduced.

This isn’t really a great answer I realize, and I apologize for that, but there’s a lot to consider with changing infrastructure.

Anyway, something you might try is to create a /opt/fog/.fogsettings file before installing and put in these settings

snmysqlpass='password'
snmysqlhost='remoteHost'
snmysqluser='fogmaster'
mysqldbname='fog'

Then try the installer, no idea if it would work, but something to try as far as using an external database.

@gaptoothgonni So while this can be done, FOG is designed to capture an image from where windows is already installed and sysprep’d, not to boot to a wim. Of course it can be done, but I just wanted to make sure that’s clarified.

All that said, doing it that way may or may not get past your problem, because it may just be a client pc bios setting.
If you manually boot to that iso on a usb on that pc, does it see the disks?
That message generally means it’s missing the storage driver.
Does the host you’re trying to deploy to have VMD/RAID enabled in the bios settings?
It is possible, and not even that hard if you’re already customizing the iso, to add the storage driver to the wim. I’ve never used NTLite, but in powershell you can mount the wim of the image with Mount-WindowsImage and use Add-WindowsDriver to add the inf you need to that image. You probably need to mount the boot.wim and setup.wim images and add it there too as you’re booting to the boot.wim and using winpe. This page might also be helpful https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update#update-windows-installation-media

I would also say, if you’re going this route, to consider making a autounattend.xml if NTLite doesn’t do that, as it can automate the install of windows and then have it kick things off into provisioning. We customize an iso like this and use it to create and capture our base image in FOG.

I got a little off topic there, TL;DR
Make sure the disks are seen if you boot to the iso manually, if they are not, then adjust the bios/uefi settings to use AHCI mode for disks as it works universally. If the disks are seen when manually booting, then something else is causing it not to see the local hardware.

@chunter2 It does look like you’re on an older version of fog. Updating to the latest stable, dev-branch, or my favorite working-1.6 version may help.

But also, are you saying that you joined the domain, then unjoined and then captured an image of that? Generally you don’t want to join the domain where you’re capturing, it’s much cleaner if it’s never joined the domain.
Or are you saying you’re trying to re-join the domain on a normal host? This could be an issue on the host’s settings in fog, could that have been changed on accident? Maybe autofill from a password manager changed the domain and or domain join password?

Another Release(s)! 2506.9.22
https://github.com/darksidemilk/FogApi/releases/tag/2506.9.22

2506.9.19-22 are a slew of releases where I kept finding issues in broader tests right after I released each version. So apologies for the over-releasing there.

• Fixed send-fogimage to work with more use cases and utilize more parameters available to scheduled tasks like bypassbitlocker. Also simplified the parameter sets to avoid errors when using the command with different parameter sets.
• Also added links to PSGallery and chocolatey in each github release going forward.

Full Release Note History: https://fogapi.readthedocs.io/en/latest/ReleaseNotes/
Powershell Gallery Listing for this version: https://www.powershellgallery.com/packages/FogApi/2506.9.22
Chocolatey Package Listing for this version (may take 1-60 days from release to be approved by chocolatey moderators): https://community.chocolatey.org/packages/FogApi/2506.9.22

@Ced58 I use this model. It’s best to get either the official Lenovo usb c ethernet adapter or the proprietary Lenovo adapter for the special ethernet port on these. Also in the bios there’s a Mac pass through option that you want to set to internal or second Mac address. With the latest version of fog and kernel it should see that internal mac even if you share an adapter for imaging multiple of that device.

@joshua_mchugh George’s mention of using a post install script to do it is more advanced but very worth the effort. Having it domain joined via sysprep specialize simplifies things in the long run.
That being said, you’re probably misunderstooding groups, because they’re a little confusing. Groups in Fog do not dynamically update the OU of the host members, but it can be used to set the OU in bulk on members. There is a plugin to change the behavior of groups if you want, but I’d try it the normal way first.
But if you set the OU on the host, then when it joins the domain via the fog client, it will be in that OU. It will not move a host to a different OU, unless you do something like manually leave the domain and change the computer name and then the fog service will rename the computer back to what it is in fog and then join the domain in the set OU.

I personally use a post install script now that grabs the OU from to host and Injects that into my unattend file. I believe I’ve posted some examples in the past. If I remember tomorrow when I’m at a computer and not a phone, I’ll link them.

@John-L-Clark what version of fog are you running?
I would also suggest enabling the Mac address pass through.
You could also try an older ipxe file

@argylega have you restarted the Mariadb and apache services, or the whole server?
I also assume you mean you can’t login to the website. Is there anything in the apache error log?

@NoIPName Can you share your import csv perhaps? It seems to think it’s missing a value based on the error message. I will gladly test the same csv on my dev server and see if I get the same result so we can debug this more hands on.

@altitudehack The supported workaround would be to use 1 universal script that can just take the arguments of a command.
i.e. a simple powershell script like this

[CmdletBinding()]
param (
    [string]$exe,
    [string]$argz
)

start-process -filepath "$exe" -arguments "$argz"

There might be more needed there, but that’s the general idea.
Then you just use that same script each time you need it. Then lets say you call it runCmd.ps1

you would make a snapin with the powershell template and that runCmd.ps1 (once uploaded once you can create snapins with the existing file)
In the snapin arguments field you would put something like -exe "C:\program files\some program\uninstall.exe" -argz "/S"

@danieln
Check out the FogApi powershell module, links in my signature.
I even have functions for setting snapins already

https://fogapi.readthedocs.io/en/latest/commands/Set-FogSnapins
https://github.com/darksidemilk/FogApi/blob/master/FogApi/Public/Set-FogSnapins.ps1

and for starting snapins

https://github.com/darksidemilk/FogApi/blob/master/FogApi/Public/Start-FogSnapins.ps1
https://fogapi.readthedocs.io/en/latest/commands/Start-FogSnapins.ps1

https://github.com/darksidemilk/FogApi/blob/master/FogApi/Public/Start-FogSnapin.ps1
https://fogapi.readthedocs.io/en/latest/commands/Start-FogSnapin.ps1

@NoIPName Can you get to https://192.168.1.1/fog in a web browser without any cert is bad prompts?

Because pxe wants to use the ip address in the url you have to have the ip address san in the certificate that your fog web server is using.
That cert for the web server needs to be from the custom ca.
That public cert can also affect client communication if you change it in the default path from fog install.

@bwilli78 I would try ipxe.efi instead of snponly.efi for testing the pxe boot file route. .kpxe and .kkpxe boot files are for legacy systems that don’t support UEFI. However it sounds like you’re getting to the fog pxe boot menu so that’s an unlikely culprit.

Where in the process are you getting the kernel panic?
Are you queueing the imaging before hand or are you queuing it in the fog boot menu?

The general process is

1. Boot host to pxe
2. Host contacts pxe server defined in dhcp and requests pxe bootfile listed in dhcp
3. Host boots to the pxe file which takes it to the fog pxe boot menu
   a. If the host was queued for a task it downloads and boots the FOS kernel instead of the pxe boot menu
   b. Or, user selects a task and then host boots to FOS kernel to perform the action
4. Kernel loads into FOS and performs the task.

Where in this general overview are you seeing this error?

@lperoma What do you get running mariadb -V

@iljared98 I don’t suppose you’d be willing to share more on this config? What specific rights you gave the service account, did you have to do this whole thing https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 related to this whole thing https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 ?

I’ve previously attempted to create a standard user with such permissions, but I hadn’t tried a service account, that’s a grand idea. I would love to document the creation of a least privilege service account for fog domain operations.