Is PXE or iPXE or gPXE booting from a HVM possible?


Rob Townley

Mar 28, 2014, 7:38:17 PM
to qubes...@googlegroups.com

HVM with netboot.me.ISO and do CTRL-B to get the gPXE menu and run config to set a static network configuration, but still immediately fails. 

iPXE.iso gave much better errors and provides URLs to errors.  Their website says the best error information is from ifstat after doing ifconf like so:

     CTRL-B to get into iPXE menu:
     iPXE> ifconf -c dhcp net0
     iPXE> ifstat

             [RXE:  8 x "Operation not supported (http://ipxe.org/3c086003)"]

Which means 8 error packets/frames were received.
I did not find any bridges in the netvm nor firewallvm so I imagine I have to add a bridge from the netvm to the HVM or something so that PXE can talk ethernet directly to the PXE/TFTP/NFS servers.  Incidentally, iPXE says to set the delay to zero with brctl setfd br0 0 like http://ipxe.org/err/4c1060 indicates.  Alternatives?

Is there a howto anywhere on PXE booting a HVM from within Qubes-OS?
Google does not come up with much when searching for qubes and PXE. 
PXE is not mentioned on qubes-os.org at all.


Rob Townley

Mar 28, 2014, 7:59:44 PM
to qubes...@googlegroups.com
Is cloning the original netvm to a netvmPXEbridge and then using the new netvm only when needed the right way to go?

Marek Marczykowski-Górecki

Mar 29, 2014, 11:23:21 AM
to Rob.T...@gmail.com, qubes...@googlegroups.com
On 29.03.2014 00:38, Rob Townley wrote:
> HVM with netboot.me.ISO and do CTRL-B to get the gPXE menu and run config
> to set a static network configuration, but still immediately fails.
>
> iPXE.iso gave much better errors and provides URLs to errors. Their
> website says the best error information is from *ifstat* after doing
> *ifconf* like so:
>
> CTRL-B to get into iPXE menu:
>
> * iPXE> ifconf -c dhcp net0*
> * iPXE> ifstat *
>
> *[RXE: 8 x "Operation not supported (http://ipxe.org/3c086003)"]*
>
> Which means 8 error packets/frames were received.
> I did not find any bridges in the netvm nor firewallvm so I imagine I have
> to add a bridge from the netvm to the HVM or something so that PXE can talk
> ethernet directly to the PXE/TFTP/NFS servers. Incidentally, iPXE says to
> set the delay to zero with *brctl setfd br0 0* like
> http://ipxe.org/err/4c1060 indicates. Alternatives?

I'm afraid it isn't that simple... The DHCP server for the HVM is provided by the
device model stubdomain and it is very simple, featureless and not configurable.
In particular, it doesn't have any way to provide a TFTP server address and boot path.
But if you can set those parameters manually from the iPXE cmdline it should work.
The IP address and gateway can still be obtained via DHCP.

> Is there a howto anywhere on PXE booting a HVM from within Qubes-OS?
> Google does not come up with much when searching for qubes and PXE.
> PXE is not mentioned on qubes-os.org at all.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Rob Townley

Mar 29, 2014, 7:32:01 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
iPXE lets me boot up from http://boot.ipxe.org/boot/demo.php (which is an #!ipxe script) over the internet that boots a small version of Linux.  Still having no luck with traditional TFTP boot as I cannot get DHCP to work from within the HVM.  Have to set IP configuration manually, but it still does not work.  The iPXE website documents how to put network bootable images on a webserver and iPXE boot via HTTP instead of TFTP.  Turning off TFTP altogether is more secure anyway.
1.) Download http://boot.ipxe.org/ipxe.iso and copy it to an always running vm such as netvm.
2.) Create a HVM and add the ipxe.iso as a cdrom / harddrive.  No firmware flashing required.
3.) Get ready to press CTRL-B to get into the iPXE menu.
4.) Get a network address by _one_ of the following three ways:

        A.  iPXE> ifconf -c dhcp net0

        B.  iPXE> config

        C.  iPXE> ifopen net0
            iPXE> set net0/ip <ip assigned in Qubes Manager>
            iPXE> set net0/netmask 255.255.255.0
            iPXE> set net0/gateway <gateway mentioned in Qubes Manager>
            iPXE> set dns <enter dns from Qubes Manager>

6.) You should see it download a bootable image and log you in as root.  Not much can be done because it does not have an ethernet interface, but it does show iPXE booting is possible.  If anyone knows how to get this to see a usable network interface, I would love to know.

P.S. I am really happy with how iPXE has organized their website for easy documentation.  Error messages are ipxe.org/ERRORNUM.   Commands are under http://ipxe.org/cmd/ ...




Alex Dubois

Mar 30, 2014, 3:15:55 AM
to Rob.T...@gmail.com, Marek Marczykowski-Górecki, qubes...@googlegroups.com


Alex
I am not sure I understand the use case; could you clarify? How do you plan to securely boot the HVM (protect it from attacks originating from the network)?



Rob Townley

Apr 1, 2014, 12:32:54 PM
to Alex Dubois, Marek Marczykowski-Górecki, qubes...@googlegroups.com


Correct, booting would be subject to MITM injection of malicious code because it is not in SSL or another form of encryption and authentication.  I used boot.ipxe.org as a test and it worked.  Hopefully, there will be an SSL or SSH based iPXE boot option someday.  My use cases are mainly on a private LAN that I trust.  Booting over the internet is of course insecure.
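
The static configuration from option C in the earlier message and the integrity concern raised in the two messages above, combined in one iPXE script. This is an added example, not part of the thread: it assumes an iPXE build with HTTPS downloads and the image-trust commands (`imgtrust`, `imgverify`) compiled in and a trusted code-signing certificate embedded, and every address, host name and file name in it is a constructed placeholder.

```ipxe
#!ipxe
# Added example (not from the thread). All values below are constructed
# placeholders; substitute the IP, gateway and DNS shown in Qubes Manager.

# Static configuration, because the stubdomain DHCP server cannot hand out
# a TFTP server address or boot path.
ifopen net0
set net0/ip 192.0.2.10
set net0/netmask 255.255.255.0
set net0/gateway 192.0.2.1
set dns 192.0.2.53

# Hypothetical internal boot server, reached over HTTPS instead of TFTP.
set base https://boot.example.test/images

# From here until the next reboot, only images that have passed imgverify
# may be executed. --permanent prevents a later script from relaxing this.
imgtrust --permanent

# Fetch each image, then check its detached signature before use.
kernel ${base}/vmlinuz || goto fail
imgverify vmlinuz ${base}/vmlinuz.sig || goto fail
initrd ${base}/initrd.img || goto fail
imgverify initrd.img ${base}/initrd.img.sig || goto fail

boot || goto fail

:fail
# Any download or verification error ends up here instead of booting.
echo Download or signature verification failed, dropping to iPXE shell
shell
```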

 

Frank Schäckermann

Nov 21, 2019, 2:19:45 AM
to qubes-users
I know this is a very old post, but I have a couple of HVMs that I need to boot over the network to test an automated installation process.

Has anybody successfully done the above on Qubes OS 4.0?

I can get the HVM to boot the iPXE.iso and get into iPXE's command line and it sees the net0 interface that XEN provides, but I cannot get it to see any other computer on the network. Going through the configuration using possibility C from above I can get ifstat to report the interface being up but no DNS lookup or ping goes anywhere and neither does any chain command.

I can't see anything coming into the firewall vm the HVM is connected to.

Is there any way for me to debug what is happening in the stubdomain, since I suspect that something goes wrong there? Are there any logs I could check?

Thanks for any assistance!

Frank