In order to provision Linux on computers in remote locations with high network latency, I’m thinking of using the VPN router present at each site to act as a DHCP and TFTP server.
The host would then load pxelinux, a pxelinux configuration and iPXE from the local router. All further communication is then done via HTTP served from the datacenter. Higher latencies and a flaky network should not matter with an HTTP connection in comparison to TFTP.
The smart-proxy TFTP module would need to be made pluggable and a new plugin could support uploading the TFTP files to the router (running Cisco’s IOS).
The smart-proxy would need to connect to the router via ssh. My idea is to look into REX (via SSH or Ansible) to connect to the device and add a new cisco ios provider via a plugin.
One challenge will be the DHCP server: it’s very limited on an IOS device and does not support breaking the infinite loop when chainloading iPXE. And I believe it does not support a specific configuration for clients. But it should be possible to just always send the next server and filename options and just initiate a host deployment via a pxelinux configuration.
Any thoughts or comments? Anything is highly appreciated. Do we know similar setups anywhere in the community?
Where would the smart proxy live? At the Foreman’s side, or in the VPN’s location? Should the upload be initiated from the proxy or the Foreman server? If the proxy TFTP plugin would talk to the proxy’s REX plugin, we would need to count on this usage when maintaining the REX proxy plugin: currently the only user of that API is Foreman itself, so it’s good to have some thoughts about it.
I was thinking that it lives in the datacenter where Foreman lives (i.e. not in the remote location). My understanding would be that Foreman asks the SmartProxy to deploy the tftp files and the SmartProxy would then take care of this. Either write a file locally to disk or use ssh to deploy the file to the router. Unfortunately the smart-proxy cannot run on the router.
Well, as part of HTTP UEFI Boot we also implemented a new HTTP iPXE PXE loader, therefore you may not need to break the infinite loop because you would load iPXE directly instead of chainbooting it from PXELinux:
Those patches are backportable, very small.
In regard to TFTP, isn’t it easier to just use FUSE over SSH? Having the TFTP directory mounted remotely would allow using the regular TFTP module.
That sounds interesting. If I always boot iPXE with an embedded script that just asks Foreman for the actual script, I could decide what should be booted via Foreman templates.
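The boot chain sketched in the first post and the embedded-script idea just above, written out as an added example (this is not code from the thread, from Foreman or from the smart-proxy): a small POSIX shell script that stages the two files the router would serve over TFTP, a pxelinux.cfg/default that only loads iPXE, and the embed.ipxe script that iPXE carries so it asks Foreman for the real boot script over HTTP. The file names, the staging directory, the ipxe.lkrn image name and the Foreman URL (/unattended/iPXE with a mac parameter) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman: stages the two
# small files the router serves over TFTP for the chain
#   PXE ROM -> pxelinux.0 -> iPXE (ipxe.lkrn with embedded script) -> HTTP
# Staging directory, file names and the Foreman URL are assumptions.

# pxelinux.cfg/default: every client gets the same entry, because the IOS
# DHCP pool cannot vary "filename" per client, and that entry only loads
# iPXE. pxelinux reads its config from TFTP and never asks DHCP for a
# filename again, so there is no chainload loop to break.
write_pxelinux_default() {
    stage_dir="$1"; ipxe_image="$2"
    mkdir -p "$stage_dir/pxelinux.cfg"
    cat > "$stage_dir/pxelinux.cfg/default" <<EOF
DEFAULT ipxe
TIMEOUT 1
PROMPT 0

LABEL ipxe
  KERNEL $ipxe_image
EOF
}

# embed.ipxe: compiled into iPXE with "make bin/ipxe.lkrn EMBED=embed.ipxe"
# in the iPXE source tree. It chains a fixed Foreman URL over HTTP, so the
# DHCP "filename" is never consulted by iPXE; on a failed fetch it waits and
# retries instead of dropping to the iPXE shell, which suits a flaky WAN.
write_ipxe_embed() {
    stage_dir="$1"; foreman_url="$2"
    # \${net0/mac} is left for iPXE to expand; ${foreman_url} is expanded here.
    cat > "$stage_dir/embed.ipxe" <<EOF
#!ipxe
:retry
dhcp || goto wait
chain ${foreman_url}/unattended/iPXE?mac=\${net0/mac} || goto wait
exit
:wait
echo Foreman boot script not available yet, retrying in 10s
sleep 10
goto retry
EOF
}

# Stages both files and prints their relative names, which is the list a
# TFTP plugin would later have to get onto the router.
stage_boot_files() {
    stage_dir="$1"; foreman_url="$2"
    write_pxelinux_default "$stage_dir" ipxe.lkrn
    write_ipxe_embed "$stage_dir" "$foreman_url"
    printf '%s\n' pxelinux.cfg/default embed.ipxe
}
```

Usage: `stage_boot_files /srv/tftp-stage http://foreman.example` writes both files; pxelinux.0 and the ipxe.lkrn built with the embedded script are the only other files the router needs, and everything past the chain line is decided by Foreman templates over HTTP.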
That’s a good idea, but won’t work as the router does not support scp/sftp. The only thing you can do is issue a command like cp http://example.com/undionly.kpxe /path/to/undionly.kpxe to copy a file from http.
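The upload path this reply describes (no scp/sftp on the router, only an IOS copy from an HTTP URL), as an added example that is not code from the thread or from the smart-proxy: the proxy serves its staged boot files over HTTP and sends the router one copy command per file, with the file names validated first, since they come from host and template data and an unchecked name could change what the router fetches or where it writes. The router host, the HTTP base URL and the flash: destination are assumptions; the ssh transport is swapped for a stub in the test.

```shell
#!/bin/sh
# Added example, not from the thread or the smart-proxy: drive an IOS router
# that cannot accept scp/sftp by serving the staged boot files over HTTP and
# having the router pull them with "copy http://... flash:...".
# Router host, HTTP base URL and flash: destination are assumptions.

# Only plain file names are accepted: no path separators, no "..", no leading
# dash (could be read as an option) and a small safe character set.
valid_boot_filename() {
    case "$1" in
        ""|*/*|*..*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Prints one IOS copy command per file name, or fails on the first bad name
# so that nothing is sent to the router for a half-validated list.
ios_copy_commands() {
    http_base="$1"; shift
    for f in "$@"; do
        valid_boot_filename "$f" || { echo "rejected file name: $f" >&2; return 1; }
        printf 'copy %s/%s flash:%s\n' "$http_base" "$f" "$f"
    done
}

# Real transport: feeds the commands to the router over ssh (non-interactive,
# so the proxy's key must already be authorised on the router).
ssh_runner() {
    router="$1"
    ssh -o BatchMode=yes "$router"
}

# Builds the command list and hands it to the named runner function; the
# runner is a parameter so a stub can replace ssh in tests.
push_boot_files() {
    router="$1"; http_base="$2"; runner="$3"; shift 3
    cmds=$(ios_copy_commands "$http_base" "$@") || return 1
    printf '%s\n' "$cmds" | "$runner" "$router"
}
```

In real use the call is `push_boot_files router.site1.example http://proxy.example/boot ssh_runner pxelinux.0 ipxe.lkrn`, with the proxy's HTTP server exporting the staging directory; IOS normally prompts to confirm the destination file name on copy, so the router side needs `file prompt quiet` (or an equivalent) before this can run unattended.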