[SOLVED] Custom Arch netboot PXE local airgap network no internet

starfry · 2023-12-09 16:13:59

I would like to learn how I can create my own netboot to boot Arch from my local air-gapped (assume no internet connection) network. I want it to obtain everything necessary to boot essentially a custom build of the archiso from the local network.

I have DHCP, PXE and TFTP environment (using DNSMasq). I can netboot Arch over the internet (when connected).

I have a custom archiso and I can boot that from a USB stick.

I've looked at the README in the archiso repo, and the archiso, netboot and pxe pages in the wiki. I've searched in Gitlab, in this forum and the wider internet. However I am drawing a blank with respect to the steps I think I need: (a) to build a netboot image that points to my local servers and (b) to serve the required files from my local server.

As I understand it, I can't just netboot the iso image file, I need to break it out such that the booting system knows where (my server) to get the required files from.

I hope it's just a matter of using the same tools that are used to build the Arch netboot image and the current Arch install version.

I'm just stuck for a few pointers... I expect there is documentation for this but I've been unable to find it.

Pointers appreciated. Many thanks!

Last edited by starfry (2023-12-14 20:17:23)

ewaller · 2023-12-09 20:18:45

https://wiki.archlinux.org/title/Archiso

Also, in places where I require a system build air-gapped from the Internet, I create a separate partition containing all the packages I need for a full install. I do this by using pacman -Q to obtain a list of installed packages and (generally) copying them from a running system and building a custom local repo as described in that article.

starfry · 2023-12-09 20:45:20

Am I missing something on that page? I have already studied that but I don't think it describes booting the archiso over the local network?

I've already built an iso, and I already have a PXE/TFTP environment but I would like to PXE boot a machine and have it boot into my local (and customised) arch iso.
Once that boots, I already have a local package collection ready for it to install from.

ewaller · 2023-12-09 21:35:00

I think I missed that you want to do a PXE boot. You say boot over Internet, but I assume you meant Ethernet.

Maybe this article? https://wiki.archlinux.org/title/Netboot

nl6720 · 2023-12-10 08:48:18

You'll need a HTTP server too (or NFS or NBD, but let's stick to the simplest one).
You need to extract the ISO to a directory your webserver serves and then follow https://wiki.archlinux.org/title/Preboo … PXE_server to configure PXELINUX.

If you're building your own ISO for this, then you can avoid packing it in an ISO file by passing `-m netboot` to the mkarchiso command.

starfry · 2023-12-10 16:41:47

Thank you, that was the pointer I needed. I have it working now, but there were a few bumps along the way.

(1) I did mkarchiso --help to discover the arguments and took a look at the code (being a bash script). I note that -m can be given multiple times to specify multiple modes. So I thought I'd keep the ISO and get netboot as well. However -m iso -m netboot does not work. Looking at the code, I think this line is incorrect:

1855          m) read -r -a override_buildmodes <<< "${OPTARG}" ;;

because it overwrites rather than appending the override_buildmodes array. I changed it to make it work:

m) override_buildmodes+=("${OPTARG}");

If that's reasonable, and I am not missing something, I am happy to submit a merge request on Gitlab for it.

(2) My PXELINUX wasn't working, I had to upgrade it (to 6.03) and use lpxelinux.0 instead of pxelinux.0 (because the latter doesn't have http support)

(3) The archisobasedir=arch parameter cannot be omitted (because it defaults to arch anyway rather than just being undefined). The directory structure I opted for on the http server is like this

/archlinux/netboot/archlinux-2023.12.10-x86_64
/archlinux/netboot/latest -> archlinux-2023.12.10-x86_64

where the datestamped directory is a rename of the arch directory produced by mkarchiso. So I guess it's my fault that doesn't work because I renamed the directory: I had to use archisobasedir=. as a workaround however it would be nice if it could just be omitted.

(4) I had to pass cms_verify=n but I expect this is due to my iso build not signing; maybe I should work out how to do that.

(5) DNS didn't work. I found another thread that provided the solution to the DNS problem. Changing the SYSAPPEND value from 3 to 2 and adding ip=::: to the APPEND parameters gave me a successful boot.

My final PXELINUX menu config looks like this:

label archlocal 
  menu label Arch Linux x86_64 (NetBoot, local, with ZFS) 
  linux  http://repo/archlinux/netboot/latest/boot/x86_64/vmlinuz-linux 
  initrd http://repo/archlinux/netboot/latest/boot/intel-ucode.img,http://repo/archlinux/netboot/latest/boot/amd-ucode.img,http://repo/archlinux/netboot/latest/boot/x86_64/initramfs-linux.img 
  append ip=::: archisobasedir=. archiso_http_srv=http://repo/archlinux/netboot/latest/ cms_verify=n 
  sysappend 2

So I have it working

The other thing that I wanted to do was provide my own file like the netboot ipxe-arch.lkrn file, I can chain-load that file directly from my DNSMasq configuration, like this:

pxe-service=x86PC,ArchLinux NetBoot,ipxe-arch.5ee66f360339.pxe

I'd like to be able to do the same for my own netboot (instead of configuring PXELINUX on my boot server). Are there any instructions for that anywhere?

nl6720 · 2023-12-11 08:52:11

1) Specifying -m multiple times doesn't work, but you can pass a quoted string with all the modes to it:

$ mkarchiso -m 'iso netboot' ...

3) You could try

archisobasedir=latest archiso_http_srv=http://repo/archlinux/netboot/

4) If you're not using a code signing certificate then cms_verify=y will not work. Replace it with checksum=y so that it verifies the sha512 checksum.

5) I remember having to do that too.

starfry wrote:

The other thing that I wanted to do was provide my own file like the netboot ipxe-arch.lkrn file, I can chain-load that file directly from my DNSMasq configuration, like this:
pxe-service=x86PC,ArchLinux NetBoot,ipxe-arch.5ee66f360339.pxe
I'd like to be able to do the same for my own netboot (instead of configuring PXELINUX on my boot server). Are there any instructions for that anywhere?

The netboot images come from the ipxe package. You can look at the PKGBUILD to see how they're built. For the official ipxe-arch, it embeds the arch.ipxe script which chainloads https://ipxe.archlinux.org/releng/netbo … linux.ipxe (generated by archweb from https://github.com/archlinux/archweb/bl … inux.ipxe). The ipxe subdomain is used because ipxe needs weaker ciphers for HTTPS.

starfry · 2023-12-14 20:15:18

1, 3, 4 are all good thank you for the suggestions.

5. I have a custom ipxe-arch.pce file now, based on the ipxe PKGBUILD and archlinux.ipxe scripts. It needs refining for my local env but I have successfully built it and used it to boot

Thanks again for the pointers. Marking solved.

Arch Linux

#1 2023-12-09 16:13:59

[SOLVED] Custom Arch netboot PXE local airgap network no internet

#2 2023-12-09 20:18:45

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#3 2023-12-09 20:45:20

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#4 2023-12-09 21:35:00

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#5 2023-12-10 08:48:18

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#6 2023-12-10 16:41:47

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#7 2023-12-11 08:52:11

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

#8 2023-12-14 20:15:18

Re: [SOLVED] Custom Arch netboot PXE local airgap network no internet

Board footer