Score:0

LibVirt: PXE-boot over HTTPS?

aq flag

The title summarizes it all. I have a VM solution that involves LibVirt, QEmu, and KVM. PXE-boot over HTTP works, but doesn't work on HTTPS. There are no firewall problems, I've checked that already.

Everything is CentOS Linux.

Any ideas how to debug this? Googling doesn't lead me anywhere, just how to enable PXE-boot (which is done and works fine over HTTP).

Nikita Kipriyanov
za flag
It would be better if you show us relevant logs.
in flag
Which version of Qemu are you using? Are you booting in pcbios or efi mode? Do you see any messages on screen when it fails?
cn flag
If it works over HTTP but not HTTPS, then the issue sounds like it could be to do with firewalls (which you say you've checked - can another working server curl the HTTPS URL?), or with something like SSL. As @NiKiZe says, are there any error messages? My guess would be that the CA is self-signed and there are errors when retrieving the URL.
Score:0
aq flag

OK, this ended up being quite interesting. Let me share the solution.

We actually maintain our own iPXE package at my company. It's just a fork of https://github.com/ipxe/ipxe where we adjust some configurations (like enabling HTTPS in my case), add our own certificate authority, etc. But we didn't build all the targets in the iPXE Makefile, just a few.

According to the NIC driver Qemu-KVM uses, you can use one of the targets in the Makefile. In our case, the relevant part of our VM configuration file (what you get by running virsh edit) was:

<interface type='bridge'>
  <mac address='12:34:56:12:34:56'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

It's that "virtio" that got us to identify the proper target in the Makefile: bin/1af41000.rom. This was already used by Qemu-KVM, but of course it wasn't using our own. We updated the symlink after building that target to refer to our own, and that was it.

This article helped us figure out how to deal with the NIC drivers part.
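The procedure in this answer (read the NIC model from the domain XML, pick the matching iPXE ROM target, point the ROM QEMU loads at the custom build) as an added shell example; this is not code from the thread or from the iPXE project. The virtio mapping comes from the answer above; the e1000 and rtl8139 entries, the pxe-<model>.rom naming under /usr/share/qemu and the byte-comparison check are assumptions about the usual QEMU/CentOS layout. The demo runs entirely on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original thread or the iPXE project).
# Maps a libvirt NIC model to the iPXE ROM target QEMU loads, then verifies that
# the ROM QEMU actually resolves is the custom build (with HTTPS + private CA),
# not the distribution's stock ROM. Names marked "assumed" are not from the page.

# libvirt <model type='X'/>  ->  iPXE Makefile target bin/<vendorid><deviceid>.rom
ipxe_rom_for_model() {
    case "$1" in
        virtio)  echo "bin/1af41000.rom" ;;   # virtio-net 1af4:1000 (from the thread)
        e1000)   echo "bin/8086100e.rom" ;;   # Intel e1000 8086:100e (assumed)
        rtl8139) echo "bin/10ec8139.rom" ;;   # Realtek 10ec:8139 (assumed)
        *)       echo "unknown NIC model: $1" >&2; return 1 ;;
    esac
}

# First <model type='...'/> in domain XML read from stdin (what `virsh dumpxml` prints).
nic_model_from_xml() {
    sed -n "s/.*<model type='\([^']*\)'.*/\1/p" | head -n 1
}

# ROM file name QEMU loads for that model (assumed: /usr/share/qemu/pxe-<model>.rom).
qemu_rom_name_for_model() {
    echo "pxe-$1.rom"
}

# 0 when the ROM QEMU would load (symlink followed) is byte-identical to the built ROM.
rom_matches_build() {
    [ -e "$1" ] && [ -e "$2" ] && cmp -s "$1" "$2"
}

# Offline demo on constructed stand-in files: first a stock ROM behind the QEMU
# symlink, then the symlink updated the way the answer describes.
demo() {
    tmp=$(mktemp -d) || return 1
    xml="<interface type='bridge'>
  <mac address='12:34:56:12:34:56'/>
  <source bridge='br0'/>
  <model type='virtio'/>
</interface>"
    model=$(printf '%s\n' "$xml" | nic_model_from_xml) || return 1
    target=$(ipxe_rom_for_model "$model") || return 1
    qemu_rom="$tmp/qemu/$(qemu_rom_name_for_model "$model")"
    built_rom="$tmp/ipxe/$target"
    mkdir -p "$tmp/qemu" "$tmp/ipxe/bin" "$tmp/distro-ipxe"
    printf 'distro build\n' > "$tmp/distro-ipxe/$(basename "$target")"      # constructed
    printf 'custom build: HTTPS + our CA\n' > "$built_rom"                   # constructed
    ln -s "$tmp/distro-ipxe/$(basename "$target")" "$qemu_rom"

    if rom_matches_build "$qemu_rom" "$built_rom"; then
        echo "before: $qemu_rom already points at the custom build"
    else
        echo "before: $qemu_rom still resolves to the distro ROM"
    fi
    ln -sf "$built_rom" "$qemu_rom"          # the symlink update from the answer
    if rom_matches_build "$qemu_rom" "$built_rom"; then
        echo "after:  $qemu_rom -> $(readlink "$qemu_rom") (custom build)"
    else
        echo "after:  mismatch, QEMU is not loading the custom ROM" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

demo
```

Run against a real host by replacing the constructed paths with `virsh dumpxml <domain> | nic_model_from_xml`, the ROM under /usr/share/qemu and the freshly built bin/*.rom from the fork; the `cmp` check is what tells you whether the ROM QEMU loads is the one carrying the HTTPS build and the private CA, rather than assuming the symlink was updated.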

in flag
You should have provided the information about iPXE in your question, and when dealing with iPXE (and other things) always include the actual error message. In the case of iPXE, the error you got when trying to use the https: proto would have shown you an ipxe.org URL, which in turn more or less would have told you that the protocol was not enabled. http://ipxe.org/3c092003
aq flag
@NiKiZe: That was not the case. The error message had a generic error code that was not useful.
in flag
If you say that, then what was the actual error message?