14 - PXE Network-Booting (incl. TFTP)

Captions
Hello world, my name is Viktor Engelmann. Welcome back to the series on professional network design using Linux. Today I want to talk about PXE, the pre-execution environment, or "pixie" for short. That's a system that allows you to boot a machine like this laptop here without even having anything installed on the hard drive, so you don't need a local bootloader or operating system, you can just pull that over the network. It's also called network booting, and that's what I'm going to show you today. In theory you could actually use this to load your full operating system like that, so you could load something like a little Linux kernel with a boot script that mounts some network shares to /home and so on, so you could in theory put your entire operating system into the network like that and not even have a hard drive in your local machine; you could boot completely over the network. But that would be pretty slow, so that's not something you would do in reality. In reality what you do is you only boot an operating system installer like that, and then you don't have to put the installer on a USB stick or burn it on a disk or whatever. And if you have a large company you don't want to have something like 50 different USB sticks with maybe different versions of the installer, and people therefore using different installers for installing machines, right? So that's what you typically use PXE for. Let's dive right in: how can we use that?

It's relatively simple, honestly, but I actually wanted to make this video about a year ago already and I just couldn't get this running. The problem back then, I think, was that I had one big network. Right now I have multiple little VLANs, I've shown you how to do that, but back then everything was in one LAN and the DHCP server of my Fritz!Box was running and giving out IP addresses. PXE booting uses DHCP, and supposedly you can just run multiple DHCP servers and have this PXE on one of them and your normal IP assignment on a different one, and it supposedly works, but I absolutely couldn't get this to work. So if you are doing this, either turn off your DHCP server and use an ISC DHCP for example, or a dnsmasq DHCP, whatever, just don't use such a stock DHCP server that doesn't support it. Having multiple DHCP servers on the same network, they won't play well together usually. So again, now everything is in small VLANs, and the VLAN I'm doing this in now does not have a Fritz!Box DHCP, so that's not going to interfere.

So how does PXE work? When you boot your machine, the hardware has to support it, and if you boot the machine you can tell your BIOS to boot over the network using PXE. What your machine will then do is send a DHCP request outside of an operating system; you can do that on a blank machine, even without a hard drive, so nothing has to be installed for this. It's hard-coded into the BIOS, it can do a DHCP request without an operating system running under it. So it does a DHCP request, gets an IP address, and that DHCP request can also give you a TFTP server, that stands for Trivial File Transfer Protocol, and tell you to use a certain file name to boot from. So these are two pieces of information that can be sent with the DHCP answer, and the machine can then contact that TFTP server, pull that file and use that for booting.

So let's do this. I've prepared a Raspberry Pi as a TFTP server, given it the hostname "tftp server", very creative, and it has the IP address 10.1.90.55 because I'm doing this in VLAN 90. You know that's my IP addressing scheme: 10.1, then the VLAN number, and then something controlled with a DHCP server. Now my laptop is also in VLAN 90, 10.1.90.54, through a network cable, so connected through cable. I think that's important because I don't think that the BIOS would support this network stuff over Wi-Fi, so it needs to be wired. And I've prepared an SSH server on the Raspberry. Okay, now I'm logged on to the Raspberry Pi and we now have to put the file here for the machine to boot from. Where do we get that? I will use Debian for that. Here on debian.org/distrib/netinst you have this "Installing Debian via the Internet", and over here we have an entry for network boot. Over here you have images for CDs and USB sticks, but over here we have an image for network booting. This is an amd64 architecture so I will go there, and here is this netboot.tar.gz, that's the file we need. I will copy the link address and over here on the TFTP server I will now download the file.

I just had a little problem downloading this file before because the Raspberry wasn't configured to take the NTP server from the DHCP, and since I've blocked NTP in my firewall the Raspberry didn't have a correct time, and that threw off the SSL in the HTTPS, and that's why the download failed. Something to keep in mind: if you block NTP then you have to configure at least your Linux machines to take the NTP servers from the DHCP replies, otherwise your time configuration won't be correct, and that can throw off SSL.

Okay, it's finished downloading, and now we have to make this available over the network. For this I will install tftpd-hpa. Now we have to configure that; it's configured in /etc/default/tftpd-hpa. It doesn't have many options, but this TFTP_USERNAME, that's actually not something for authentication of the client to the TFTP server, this is a username of a Linux user on the Raspberry with whose credentials the server will be running. It's using tftp, I think that's probably a user that's created in the installation of the server. I'm guessing that this user has access to this directory and that this directory is also created in the installation. TFTP_ADDRESS: well, if the Raspberry had multiple IP addresses then we could set the listen address, for example if we set this to 127.0.0.1 then it would only accept local connections, but of course that wouldn't make sense for network booting. Just use :69 to set the port to 69. That's UDP packets by the way, UDP port 69. If you are doing something with a firewall in between then that's when you have to open UDP port 69 to the server.

And then further options, TFTP_OPTIONS. For this you can look into the tftpd man page, for example on debian.org; here you have several options that you can put there. One important setting maybe is down here, this port range, because the way TFTP works is you send a request to download a file, but unlike in HTTP for example, where you get the result on the same network connection that you have established, FTP and also TFTP establish a connection back to you. And this port range here specifies the source port, so you can give it a range and say hey, I'm only allowing source ports between, I don't know, 6900 and 699, just so that you can control on your firewall that you allow packets in this port range. But that's even a bit crazier than it sounds, because let me show you in the rules here. In my rules I have created this rule here that specifies the source port. I mean, limiting the source port is normally not something you do in a firewall, but when you do that, then when you create the rule you even have to go to this advanced mode here to then be able to set the source port range. So that's really unconventional in today's networks, but it's a relatively old protocol, so that's just the way it is.

Another important option here is the secure option. When you set the secure option then the client can send a request for a file and then the server will look for that file relative to this TFTP directory. So if you have a file directly in here, let's say fubar.txt, then the client can download that by requesting fubar.txt and doesn't have to say give me /srv/tftp/fubar.txt, and I mean the client shouldn't even know your directory structure here, so it makes total sense to use the secure option here.

Okay, let's go to this directory now, let's move the bootloader here. Since this directory belongs to the user tftp I will have to use sudo, and I will change the owner to tftp. Okay, so now tftp is the owner of the file. For testing purposes I will just create a file hello.txt, and I will change the owner of that file also. Now let's check the status of the TFTP server; okay, it's running. So let's try downloading this test file. I'm installing tftp-hpa on the laptop; notice that here I don't have the "d" for the daemon because I'm installing the client and not the server. Okay, now "name or service not known", let's see... okay, you don't have to put the colon there. And now let's request that file. Okay, Ctrl-D to leave, and we've downloaded this hello.txt, so the TFTP server is running, that's already good.

Now we have to unpack the bootloader. Okay, we've unpacked things, and notice this pxelinux.0 here, that's actually the file that we want to give to the client. So I'll delete hello.txt; I'm not owner of that, it's a bit stupid that I'm logged in as pi and working on files belonging to tftp, but whatever. Okay, now everything belongs to the user tftp, so tftp has access to all files, so that the TFTP server is then able to serve all these files in here. I think the TFTP server is complete now.

Now we have to configure the DHCP server to tell my machine to boot that. Here on wiki.debian.org/PXEBootInstall you'll find a lot of options that you can use. Here, next-server, that's an IP address of the TFTP server, and here filename pxelinux.0, that's the file that I just showed you to boot from. In ISC DHCP you can also distinguish cases, like you can give different file names for different architectures and stuff. But since I've had so much trouble in the past with this, although I'm not doing this in a network with multiple DHCP servers, I will still do it through the OPNsense configuration. Here under Services, DHCPv4, VLAN 90, I'm running a DHCP server that serves IP addresses 10.1.90.50 to 200, giving a DNS server, a gateway, domain name, domain search list. Okay, network booting here. So if you're looking at these options here, they very much correspond to the options that you have here, right? So for different architectures you can set different file names here. Next server IP, I really don't know why they named it that, I mean that's such a generic name, right? So that's the IP address of our TFTP server; I don't think it will do a DNS request, so we will have to set the IP address. Default BIOS file name, just like here, pxelinux.0, and I will put it also here in the 64-bit file name for x64. You also have options for ARM, so if you want to network boot a Raspberry or something. And maybe we should enable headquarting also. Okay, save, let's restart the service just to be sure, and now it should be able to boot over the network.

So let's try it out, pressing Escape, Escape to get into the BIOS menu. In here I can now select network PXE boot; that might be different on your machine. Okay, now you can see it's doing a DHCP request, and now it's downloaded the file, and here is a Debian installer that it's pulled over the network. That's just a regular Debian installer as you know it. So we have successfully booted the laptop over the network from a bootloader that's pulled over the network.

You really shouldn't do this over an untrusted network because TFTP is not secure, and this could be man-in-the-middled and all sorts of things. And also, at least on my machine, maybe that's just a hardware thing and your machine might behave differently, but when I network boot this machine then it does a DHCP request, gets an IP address, gets a TFTP server, but if the TFTP server was in a different network, so the communication would have to go through a gateway, right, I mean the DHCP server gives it a gateway, but it seems to ignore that. So it just does an ARP request for the IP address of the TFTP server, and when the TFTP server is in a different network then that ARP request will not be answered, right? So at least with this laptop here I couldn't boot it when the TFTP server wasn't in the same VLAN. That's what I want to point out. You might be able to get away with some trickery, because in the end, if the laptop sent an ARP request and the firewall could be configured to answer that ARP request with its own MAC address, I think this would then get the laptop to send the TFTP request to the firewall, and then the firewall would get it, see hey this is not for me, and forward it to the TFTP server. That might work, but I personally haven't figured out how I can configure my firewall to do that. So here under Interfaces, Virtual IPs, Settings, you can do something like a proxy ARP, which sounds like it does what I want to do, but I just couldn't get this to work. So keep that in mind; maybe with some network address translation or something you can get this running, but as I said, running it on the same VLAN was the only way I could get this running, and so when in doubt just put everything in the same VLAN. Okay, that's all I wanted to show you today. If you liked this video, like it, share it, subscribe, and see you next time.
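The two pieces of boot information the video describes, the TFTP server and the boot file name carried in the DHCP answer, live in fixed BOOTP header fields (siaddr, which is why ISC DHCP calls it next-server and OPNsense "next server IP", and the 128-byte file field) and can additionally be sent as DHCP options 66 and 67. The following is an added example, not code from the video or from any project it mentions: it builds such a DHCPACK and parses it back the way a PXE client would. The addresses 10.1.90.54/10.1.90.55 and pxelinux.0 come from the video; the xid and MAC are constructed sample values, and the precedence of options over header fields is an assumption of this example (real firmware differs).

```python
import socket
import struct

# Fixed BOOTP/DHCP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the option list


def build_dhcp_ack(yiaddr, next_server, bootfile, use_options=True,
                   xid=0x1234ABCD, mac=b"\x00\x11\x22\x33\x44\x55"):
    """DHCPACK as a PXE-aware server sends it: next_server in siaddr, bootfile
    in the file field, and (if use_options) also as options 66/67.
    xid and mac are constructed sample values, not taken from the video."""
    hdr = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0,
                      socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                      socket.inet_aton(next_server), socket.inet_aton("0.0.0.0"),
                      mac.ljust(16, b"\0"), b"\0" * 64,
                      bootfile.encode().ljust(128, b"\0"))
    opts = bytes([53, 1, 5])  # option 53, length 1, type 5 = DHCPACK
    if use_options:
        ns, bf = next_server.encode(), bootfile.encode()
        opts += bytes([66, len(ns)]) + ns + bytes([67, len(bf)]) + bf
    return hdr + MAGIC + opts + b"\xff"  # option 255 ends the option list


def parse_pxe_boot_info(pkt):
    """Return (tftp_server, boot_file) from a DHCP reply. Options 66/67 are
    preferred here; otherwise the siaddr and file header fields are used,
    which is all a server sets when it only configures next-server/filename."""
    fields = struct.unpack(HDR, pkt[:236])
    siaddr = socket.inet_ntoa(fields[9])                  # "next-server"
    file_field = fields[13].split(b"\0", 1)[0].decode()   # "filename"
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # walk TLV options until end (255)
        if pkt[i] == 0:                      # option 0 is a single pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    tftp_server = opts.get(66, b"").decode() or siaddr
    boot_file = opts.get(67, b"").decode() or file_field
    return tftp_server, boot_file
```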
Info
Channel: Write your own Operating System
Views: 6,818
Keywords: pxe, network-boot, tftp
Id: xEkb-GXz3sY
Length: 29min 35sec (1775 seconds)
Published: Sun May 07 2023