    Best posts made by Zer0Cool

    • Single iPXE Menu Entry for Both BIOS/UEFI

      FOG version: 1.5.2

      As I have been learning and using FOG I realized some options can only be used when the host has been booted BIOS or UEFI. For example, the included Memtest86+ can only run when the host was BIOS booted. Trying the menu option when UEFI booted results in errors. Alternatively, as per this post here, ESXi would only be supported out of the box when UEFI booted. I am sure there are many other examples of this.

      It may also be that the parameters under BIOS and UEFI are just different. In other words the OS/Installer can run under either, but requires different parameters.

      What I have found is it’s possible to use a single iPXE menu entry to cover using different parameters depending on how the host was booted. This is all done via the web GUI under Settings | iPXE Menu Item Settings (or for new entries ‘iPXE New Menu Entry’).

      I altered the default fog.memtest entry, parameters field for example to the following:

      iseq ${platform} pcbios && goto mem_bios || goto no_mem
      :mem_bios
      kernel memdisk initrd=memtest.bin iso raw
      initrd memtest.bin
      boot || goto MENU
      :no_mem
      prompt --timeout 30000 Host must be BIOS (not UEFI) booted for this option. Press any key to return to the menu... && goto MENU || goto MENU
      

      The first line tests if the host was BIOS booted; if so it jumps to the ‘mem_bios’ label and executes the commands under that label, otherwise it goes to the ‘no_mem’ label and instead displays a prompt explaining why it’s not an option and then returns to the menu, thus avoiding the error.

      This results in 1 menu entry that changes behavior based on how the host was booted. I might even go as far as including in my entry descriptions some syntax/indicator of its compatibility, i.e. “Memtest86+ (BIOS only)”, so that it’s obvious to users without selecting it that it can only be used when BIOS booted.

      Another example is my ESXi entry:

      iseq ${platform} efi && goto esxi_efi || goto esxi_bios
      :esxi_efi
      kernel http://${fog-ip}/fog/os/esxi65/efi/boot/bootx64.efi -c http://${fog-ip}/fog/os/esxi65/efi/boot/boot.cfg
      boot || goto MENU
      :esxi_bios
      prompt --timeout 30000 Host must be UEFI booted for this option. Press any key to return to the menu... && goto MENU || goto MENU
      

      Similar to the above but the 1st line does the reverse test, is the host UEFI booted. The ‘:esxi_bios’ label and its commands could be altered as seen below if, for example, you compiled the ipxe kernel to include IMG_COMBOOT to support BIOS booting ESXi:

      iseq ${platform} efi && goto esxi_efi || goto esxi_bios
      :esxi_efi
      kernel http://${fog-ip}/fog/os/esxi65/efi/boot/bootx64.efi -c http://${fog-ip}/fog/os/esxi65/efi/boot/boot.cfg
      boot || goto MENU
      :esxi_bios
      kernel http://${fog-ip}/fog/os/esxi65/mboot.c32 -c http://${fog-ip}/fog/os/esxi65/boot.cfg
      boot || goto MENU
      

      In the above, we load ESXi one way if the host is UEFI booted and another if it was BIOS booted.
      [Moderator’s Note]: I want to restate again that the mboot.c32 syslinux script will not boot using FOG Project supplied iPXE boot loaders (i.e. undionly.kpxe) since they are not compiled by default with COM_BOOT enabled. YOU must compile the iPXE boot loader if you want syslinux support. -Geo


      I have so far only tried this with memtest and ESXi.

      I also would love to see an option for a menu to be displayed or not based on this variable, IE: show the memtest86+ entry only when BIOS booted but not when UEFI booted, but have not found a way this is possible yet. Maybe the devs have some ideas as to if this is feasible?

      I think that could really help make the menus a bit more flexible/dynamic. It could potentially be a set of check-boxes in the GUI for the menu entry: “BIOS”, “UEFI” or “Both” which would dictate if the menu entry is included for a host given how it was booted. Alternatively, maybe somehow tied into the ‘Menu Show With’ option.

      In any case hopefully others find this useful.

      posted in Tutorials
      Zer0Cool
    • RE: Permissions on /images NFS share

      From a security standpoint I don’t see using NFS for imaging as an issue. As mentioned you can set it to allow only from a specific IP range. That should be enough to prevent issues (if an adversary is already on that subnet you have bigger issues). Especially if you don’t have sensitive data in the share and if your FOG server is behind a firewall.

      Samba would have the ability to allow only connecting from approved users or groups, the problem with that is passing the credentials to connect.

      In Clonezilla I used to capture and deploy via SSH, which I really liked, but haven’t had any issues with how FOG handles it via NFS.

      Your first warning, as it seems you have figured out, is I think kind of a basic way NFS works. Client machines have to be able to see/query the server for the share to use it. The second warning is just an extension of that: what’s the point in knowing the share is on the server if you can’t mount and use it?

      posted in General
      Zer0Cool
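
An added example, not part of the original post or of FOG: a Python check for the point above about allowing the NFS share only from a specific IP range. It flags `/etc/exports` entries open to every client or to a network outside an allowed subnet; the sample exports text, the extra paths and the 10.0.0.0/24 subnet are constructed assumptions, and hostname or netgroup clients are skipped rather than resolved.

```python
import ipaddress

# Constructed sample in /etc/exports syntax (not taken from a real FOG server).
SAMPLE_EXPORTS = """\
# constructed sample
/images *(ro,sync,no_subtree_check)
/images/dev 10.0.0.0/24(rw,async,no_subtree_check)
/srv/scratch (rw)
/srv/iso 10.0.0.0/24(ro) *(ro)
"""


def open_exports(text, allowed_net):
    """Return [(path, client)] for exports reachable from outside allowed_net."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            findings.append((path, "<any>"))  # no client list: exported to all
        for client in clients:
            host = client.split("(", 1)[0]    # text before the option list
            if host in ("", "*"):
                findings.append((path, host or "<any>"))
                continue
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                continue  # hostname, wildcard name or netgroup: not evaluated
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append((path, host))
    return findings


if __name__ == "__main__":
    for path, client in open_exports(SAMPLE_EXPORTS, "10.0.0.0/24"):
        print(f"{path}: exported to {client}")
```
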
    • RE: iPXE Fedora 28 Workstation Boots Live, Not Installer

      @george1421 All good, got it!

      This is what worked for me:

      kernel http://${fog-ip}/fog/os/fedora/ws28/images/pxeboot/vmlinuz
      initrd http://${fog-ip}/fog/os/fedora/ws28/images/pxeboot/initrd.img
      imgargs vmlinuz initrd=initrd.img repo=http://${fog-ip}/fog/os/fedora/ws28
      boot || goto MENU
      

      My repo=http://${fog-ip}/fog/os/fedora/ws28 line is the path to where I have rsync’d the mirror path/releases/28/Workstation/x86_64/os/ to.

      Thanks again.

      posted in Linux Problems
      Zer0Cool
    • RE: ESXi PXE Boot PSOD/Crash

      @george1421 I can confirm ESXi 6.7 installs and boots without an issue.

      I am going to proceed with mounting the ISO on the server for 6.5, copy its contents over into the proper place again, and see if it resolves anything.

      If not, I am going to chalk it up to a compatibility issue between the R620, iPXE and ESXi 6.5 U1.

      posted in FOG Problems
      Zer0Cool
    • RE: Integrating clonezilla into fog

      Here is my entry, this just boots up as if you put the disc in the host, should work UEFI or BIOS. I just did a new iPXE entry from the web GUI and placed this in the parameters.

      kernel http://${fog-ip}/os/cz/live/vmlinuz
      initrd http://${fog-ip}/os/cz/live/initrd.img
      imgargs vmlinuz initrd=initrd.img vga=791 boot=live union=overlay components noprompt edd=on nomodeset nosplash config locales=en_US.UTF-8 keyboard-layouts=NONE fetch=http://${fog-ip}/os/cz/live/filesystem.squashfs ocs_prerun="" ocs_live_run="" ocs_live_batch="no"
      boot || goto MENU
      

      I have the Clonezilla CD contents at ${fog-ip}/os/cz/live which I have pointed httpd/apache to. You can replace http with tftp or whatever protocol you use for PXE booting.

      Clonezilla has a list of parameters someplace that I used to help me work out the menu.

      I am sure you have a good reason for using Clonezilla or wanting it, would you mind if I asked why?

      I have it for old images captured using Clonezilla while I transitioned to FOG, but honestly don’t need/use it anymore.

      posted in General Problems
      Zer0Cool
    • RE: Proper Way to Upgrade FOG?

      For those interested, this is the procedure I followed to update:

      FOG 1.5.2 to 1.5.3
      CentOS 7.5.1803

      Altered a bit from https://wiki.fogproject.org/wiki/index.php/Upgrade_to_trunk
      Initial install I followed this (just for reference, only needed for fresh install): https://wiki.fogproject.org/wiki/index.php?title=CentOS_7 (hence my cd line being to the directory the install directions mention)

      cd ~/Downloads/git/fogproject
      git pull
      cd bin
      sudo ./installfog.sh
      

      A couple observations about the installer:

      • It prompted to go to the url ‘ip/fog/management’ to update/create the database. Doing so just took me to the dashboard of my FOG server. I hit ‘enter’ back on the server to continue. Not sure if this prompt is just a remnant and can be ignored or if I skipped something important.
      • On the step of ‘Setting up TFTP and PXE server…’ (wording may be different) it took about 5 minutes to complete. I was concerned it hung but gave it time and it moved on.
      • At completion it incorrectly states my username and password as the default (fog/password). I logged out and into the web interface and checked the users section and my proper “old” username and password were there and no new user created so it appears the message is wrong.

      I rebooted after completion and once back up everything seems to be in order looking at the web GUI. If anything problematic crops up I’ll post back but it seems to have gone relatively smoothly.

      posted in General
      Zer0Cool
    • RE: HTTP Redirects After Upgrade 1.5.2 to 1.5.3

      @quazz Alright, that appears to work. Symlinks in /var/www/html are working. Thank you!

      @quazz said in HTTP Redirects After Upgrade 1.5.2 to 1.5.3:

      @zer0cool I think it will redirect anything with url/fog so try going one directory higher.

      Since I appear to be unable to mark moderators’ responses as the solution I have quoted your solution and will mark this solved. Thanks!

      posted in FOG Problems
      Zer0Cool
    • RE: Proper Way to Upgrade FOG?

      @tom-elliott I expected that may be the case. I did not mean to imply any issue, just observations in case someone is impatient (I almost tried a reboot while it was on #2).

      Now it’s back to trying to get the colors of the menu the way I’d like (https://forums.fogproject.org/topic/11972/ipxe-menu-colors-help).

      Thanks

      posted in General
      Zer0Cool
    • RE: New Fog Install, No Fog on Boot

      @scojo said in New Fog Install, No Fog on Boot:

      I am unable to get the FOG menu to show up.

      Can you clarify this in specific terms? What does happen is more helpful than what doesn’t happen.

      • Does DHCP assign an IP?
      • Does iPXE pull down the NBP file?
      • Do you get an error?
      • Does the computer do something after not presenting the menu? (beep, reboot, show something else, power off, etc)
      • Do you have SELinux set to permissive mode?

      What machines are you trying (make/model), what GPU are they using, how is the monitor connected (HDMI, DP, DVI, etc)?

      @george1421 said in New Fog Install, No Fog on Boot:

      Remember the prerequisites are to disable the OS’ firewall

      I don’t know about other OSes, but not CentOS 7. The instructions provide directions for opening the proper ports/services.

      posted in FOG Problems
      Zer0Cool
    • RE: FOG Client Unable to Decrypt AES Error

      I re-deployed my image to the host so that I could see the log from deployment to when it stops working.

      It appears as if the FOG client works just fine during hostname change, Windows activation, joins the domain/reboots and even runs my snapin assigned to the host which deletes the local user, does a gpupdate /force and reboots again. After that point I get the log posted above and it seems the FOG client cannot properly authenticate.

      It appears as if it is able to reach the server as it gets the CA cert, but on the line Middleware::Communication POST URL: http://10.0.0.2/fog/management/index.php?sub=requestClientInfo&authorize&newService it then seems to fail with a message regarding being unable to decrypt AES.

      I have tried multiple times doing the encryption reset option in the web gui for the host to no avail.

      Not sure what I am missing here, any help would be great. Thanks

      posted in FOG Problems
      Zer0Cool