
Netinstall over HTTPS with Custom Image



Hello,

There’s a net install setup that I’m having trouble with that someone here might be able to help with. This environment has some fairly specific requirements that the existing documentation hasn’t been able to adequately help with. Essentially here is the scenario: 

We have a custom Debian Stretch image created using the Live Build environment and we want to be able to remotely install this image using PXE. However, in order to meet certain security requirements, the remote systems have to PXE boot over HTTPS. The images are delivered over an untrusted connection so TFTP, NFS, or CIFS won’t cut it. Additionally, encapsulating traffic in a VPN is not something that can be done, for a variety of reasons, in this specific circumstance.

The first idea we tried was using the fetch kernel parameter to point at a hosted copy of the custom image’s squashfs. This works great for booting the live system, but the installer doesn’t (appear to) recognize this kernel parameter. Additionally, the fetch parameter doesn’t support hostnames nor SSL so it was eliminated for not supporting our HTTPS requirement.

Based on my research, the best method I can find to satisfy our requirements is to embed a copy of the custom ISO in the initial RAM filesystem of the Debian installer. By specifying the path to the ISO inside the initrd using the fromiso kernel parameter, the installer should mount the ISO instead of looking for a CD-ROM and install from that. However, that part doesn't seem to work as expected. I specify the fromiso kernel parameter and set it to the path of the ISO inside the initrd, but the installer doesn’t seem to find the ISO (I get an "installation failed because it could not detect a CD-ROM"-class error). I’ve checked the kernel boot messages and I can see the kernel parameter was set properly. Using the debug=1 parameter hasn't revealed anything particularly useful either.

My first thought is that some part of the installer has to be modified, but I'm not sure where to look for that or what modifications might be required.

Essentially, this is where I’m sort of stuck. I think I’m on the right track here, but if I’m going wildly in the wrong direction here I’m all ears for a better solution. If there’s anything you want me to clarify or try out, let me know and I’ll get back to you.

Thanks,

Nick Pleatsikas
Site Reliability Engineer, ByteDance
Email: nick.pleatsikas@bytedance.com
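The embedding step the post describes (putting a copy of the ISO inside the installer's initrd) is easy to get subtly wrong, and a missing directory entry or misaligned cpio header is indistinguishable from "the installer could not find the ISO" at boot time. The script below is an added example, not code from the post or from Debian; it writes a gzip-compressed cpio `newc` overlay containing the ISO, its parent directory entry and a SHA-256 sidecar, then parses the archive back so the embedded file can be verified on the build host before anything is served over HTTPS. The path `custom/image.iso` and the sample ISO bytes are constructed placeholders.

```python
"""Build a cpio 'newc' overlay embedding a custom ISO (plus its SHA-256) for appending
to a Debian installer initrd, and parse the archive back to confirm the file is there.

Added example, not from the original post or the Debian installer. The path
custom/image.iso and the sample ISO bytes are constructed for illustration.
"""
import gzip
import hashlib

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits each


def _pad4(n):
    """newc aligns both header+name and file data to 4-byte boundaries."""
    return (4 - n % 4) % 4


def cpio_entry(name, data, mode, ino):
    """Serialise one newc entry. Field order: ino, mode, uid, gid, nlink, mtime,
    filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check."""
    name_bytes = name.encode() + b"\0"
    nlink = 2 if (mode & 0o170000) == 0o040000 else 1  # directories link to '.'
    fields = (ino, mode, 0, 0, nlink, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0)
    out = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields) + name_bytes
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def build_iso_overlay(iso_bytes, iso_path="custom/image.iso"):
    """Return a gzipped cpio archive holding the ISO, a SHA-256 sidecar, and the
    parent directory entry the kernel's initramfs unpacker expects to see first."""
    digest = hashlib.sha256(iso_bytes).hexdigest()
    parent = iso_path.rsplit("/", 1)[0]
    entries = [
        (parent, b"", 0o040755),
        (iso_path, iso_bytes, 0o100644),
        (iso_path + ".sha256", (digest + "  " + iso_path + "\n").encode(), 0o100644),
    ]
    body = b"".join(cpio_entry(n, d, m, ino) for ino, (n, d, m) in enumerate(entries, 1))
    body += cpio_entry("TRAILER!!!", b"", 0, 0)  # mandatory end-of-archive marker
    return gzip.compress(body)


def read_cpio(blob):
    """Parse a gzipped newc archive into {name: (mode, data)}; stops at TRAILER!!!."""
    data = gzip.decompress(blob)
    pos, files = 0, {}
    while pos + HEADER_LEN <= len(data):
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = data[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        data_start = pos + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        if name == "TRAILER!!!":
            break
        files[name] = (mode, data[data_start:data_start + filesize])
        pos = data_start + filesize + _pad4(filesize)
    return files


def verify_embedded_iso(blob, iso_path="custom/image.iso"):
    """True iff the ISO is present and its bytes match the digest stored beside it."""
    files = read_cpio(blob)
    if iso_path not in files or iso_path + ".sha256" not in files:
        return False
    recorded = files[iso_path + ".sha256"][1].split()[0].decode()
    return hashlib.sha256(files[iso_path][1]).hexdigest() == recorded


if __name__ == "__main__":
    sample_iso = b"CD001-constructed-sample-not-a-real-iso\n" * 100  # constructed stand-in
    overlay = build_iso_overlay(sample_iso)
    with open("iso-overlay.cpio.gz", "wb") as f:
        f.write(overlay)
    print(sorted(read_cpio(overlay)), verify_embedded_iso(overlay))
```

The Linux initramfs unpacker accepts concatenated cpio archives, including separately compressed ones, so the overlay can be appended to the stock installer initrd with `cat initrd.gz iso-overlay.cpio.gz > initrd-with-iso.gz` without repacking it; `read_cpio` can then be pointed at the result to confirm the ISO survived the concatenation. Because the whole initrd is what the PXE client fetches over HTTPS, the sidecar digest also gives the installed system a way to check that the embedded ISO arrived intact.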
