Recommended way to setup Foreman to build NAT'd servers with iPXE

provisioning

#1

Hi all,

What would be the best (easiest, least work, most resilient) way to set up foreman to be able to provision servers behind a NAT proxy using iPXE?
We have been doing this for years with regular pxelinux which provisions by MAC.
In setting up Foreman (1.15.6) for use with iPXE, I believe we set things up in the standard way: pxelinux loads undionly-ipxe.0 via TFTP, which then loads http://${next-server}/unattended/iPXE.
From looking around here, I’m guessing we need to install the foreman_bootdisk plugin and have ?mac=${net0/mac} appended to the above URL.

Is this correct? Any easier ways?

Thanks!
Howard


#2

Hey,

you don't necessarily need foreman_bootdisk; the iPXE template type is in core. Bootdisk does give you the ability to generate ISO images, but some users use iPXE in RHEV/oVirt/libvirt/qemu and boot into the installer directly. In that case you only need to make some changes on the DHCP server.

https://projects.theforeman.org/projects/foreman/wiki/Fetch_boot_files_via_http_instead_of_TFTP


#3

The real solution to this is "multi-homing support"; I have recently been trying to add this to Core [1], but the discussion seems to have stalled :frowning:

You can work around it for now by using a Host or Hostgroup parameter and modifying the templates to look for that parameter and, when it is specified, use it when generating the URL.

[1] https://github.com/theforeman/foreman/pull/4561
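The parameter-based workaround above, as an added example that is not Foreman's own code or the project's templates. It renders a PXELinux template with Ruby's standard ERB, using stand-ins for Foreman's @host object and host_param helper; the parameter name foreman_url_override, the template body and the addresses are assumptions for the example.

```ruby
require 'erb'

# Stand-ins for what a Foreman provisioning template sees. Real Foreman exposes
# @host plus helpers such as host_param and foreman_url; these are assumptions
# for the example, not Foreman's own classes.
Host = Struct.new(:name, :params)

class TemplateContext
  # default_base_url: the Foreman URL as seen from the LAN (assumed value below).
  def initialize(host, default_base_url)
    @host = host
    @default_base_url = default_base_url
  end

  # Assumed stand-in for Foreman's host_param helper: returns the value of a
  # host or hostgroup parameter, or nil when it is not set.
  def host_param(name)
    @host.params[name]
  end

  # The workaround from the post: if the host carries a parameter naming the
  # Foreman URL that is reachable from its side of the NAT, build the iPXE chain
  # URL from it; otherwise fall back to the global URL. The parameter name
  # 'foreman_url_override' is a hypothetical choice for this example.
  def ipxe_chain_url(template = 'iPXE')
    base = host_param('foreman_url_override') || @default_base_url
    # Parameters are admin-controlled, but a typo here would leave the host
    # chain-loading from nowhere, so insist on an absolute http(s) URL.
    unless base.start_with?('http://', 'https://')
      raise ArgumentError, "foreman_url_override must be an absolute http(s) URL, got #{base.inspect}"
    end
    "#{base.chomp('/')}/unattended/#{template}"
  end

  # Render an ERB template with this context's helpers in scope.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed PXELinux template body, modelled on the "PXELinux chain iPXE"
# template mentioned in the thread (not copied from Foreman).
PXELINUX_CHAIN_IPXE = <<~'ERB'
  DEFAULT ipxe
  LABEL ipxe
  KERNEL ipxe.lkrn
  APPEND dhcp && chain <%= ipxe_chain_url %>
ERB

def render_pxelinux(host, default_base_url = 'http://foreman.example.com')
  TemplateContext.new(host, default_base_url).render(PXELINUX_CHAIN_IPXE)
end

if __FILE__ == $PROGRAM_NAME
  nat_host = Host.new('nat01.example.com', { 'foreman_url_override' => 'http://10.0.1.1:8080' })
  lan_host = Host.new('lan01.example.com', {})
  puts render_pxelinux(nat_host)   # chains via the NAT-side URL
  puts render_pxelinux(lan_host)   # chains via the default Foreman URL
end
```

In a real Foreman template the same fallback would be written inline in ERB around foreman_url; the point is that the override is looked up per host (or inherited from the hostgroup), so only the NAT'd machines pick up the alternative address.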


#4

Or you can use an HTTP(S) proxy for your iPXE request. Foreman tries to match the REMOTE IP with the host/template, which obviously does not work behind NAT, but if there is an HTTP proxy setting the X-Forwarded-For HTTP header, Foreman will pick this up. I wrote a blog post recently on this topic (WIP link):

Disregard my first comment, I missed "NAT" in your text. Then the generic/subnet disk can help you out, as it sends the required MAC address along, yes. Or you can generate your own iPXE script and use it in a similar way. Just make sure the host is in build mode.
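The X-Forwarded-For approach from the post above, as an added example that is not Foreman's code and does not describe how Foreman itself validates the header. It shows the check a practitioner would want in front of any "match the request IP to a host" lookup: the header is written by whoever sends the request, so it is only believed when the TCP peer is a proxy you control, and the chain is read from the right so a value the client itself put in front is ignored. The proxy address, host table and helper names are assumptions for the example.

```ruby
require 'ipaddr'

# Addresses from which Foreman would see the NAT-side HTTP proxy. Assumed
# values for the example; this is not a Foreman setting. Keep this to the
# proxy itself, not the whole client network, or the right-to-left walk below
# would skip real clients.
TRUSTED_PROXIES = ['192.0.2.10'].map { |a| IPAddr.new(a) }.freeze

def trusted_proxy?(addr)
  ip = IPAddr.new(addr) rescue nil
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Decide which address to match against host records.
#   remote_addr: the TCP peer of the request (REMOTE_ADDR)
#   xff:         raw X-Forwarded-For header value, or nil
# The header is only honoured when the peer is one of our proxies; otherwise
# any client on the LAN could claim a NAT'd host's IP and be served that
# host's provisioning script. Each proxy appends the address it saw, so the
# first hop from the right that is not one of ours is the real client.
def effective_client_ip(remote_addr, xff)
  return remote_addr unless trusted_proxy?(remote_addr)
  return remote_addr if xff.nil? || xff.strip.empty?

  xff.split(',').map(&:strip).reverse_each do |hop|
    parsed = IPAddr.new(hop) rescue nil
    next if parsed.nil?                 # malformed entry, skip it
    return hop unless trusted_proxy?(hop)
  end
  remote_addr                            # only proxies or junk in the chain
end

# Constructed host table standing in for Foreman's IP -> host lookup.
HOSTS_BY_IP = {
  '10.0.1.23'    => 'nat01.example.com',   # behind the NAT, reached via the proxy
  '198.51.100.7' => 'lan01.example.com',   # directly reachable
}.freeze

def host_for_request(remote_addr, xff)
  HOSTS_BY_IP[effective_client_ip(remote_addr, xff)]
end

if __FILE__ == $PROGRAM_NAME
  # Proxy on the NAT'd segment forwards the request and reports the real client.
  puts host_for_request('192.0.2.10', '10.0.1.23')
  # Same header from a non-proxy peer: ignored, the peer itself is looked up.
  puts host_for_request('198.51.100.7', '10.0.1.23')
end
```

The same discipline applies whatever fronts Foreman: if a reverse proxy or load balancer already rewrites X-Forwarded-For, only that component's address belongs in the trusted set, and the NAT-side proxy must be configured to append rather than pass through whatever the client sent.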


#5

Thanks for the reply, everyone. lzap, that blog post is good.

After playing around, I settled on using a snippet derived from the supplied "PXELinux chain iPXE". This uses

# PXELinux label that chains into iPXE; foreman_url('iPXE') includes the host's token
LABEL ipxe
KERNEL ipxe.lkrn
APPEND dhcp && chain <%= foreman_url('iPXE') %>

so the token is included when retrieving the iPXE script from Foreman. We get the correct iPXE script for the host.

I think the token is better for us, not only because of NAT, but also because when we upgraded to 1.15 we had some duplicate IPs and this caused other issues even for hosts not behind NAT.

Thanks again.