Using PXE to provision hosts
You can provision bare-metal instances with orcharhino using one of the following methods:
- Unattended Provisioning
- 
New hosts are identified by a MAC address and orcharhino Server provisions the host using a PXE boot process. 
- Unattended Provisioning with Discovery
- 
New hosts use PXE boot to load the orcharhino Discovery service. This service identifies hardware information about the host and lists it as an available host to provision. For more information, see Configuring the Discovery Service. 
- PXE-less Provisioning
- 
New hosts are provisioned with a boot disk or PXE-less discovery image that orcharhino Server generates. 
- PXE-less Provisioning with Discovery
- 
New hosts use an ISO boot disk that loads the orcharhino Discovery service. This service identifies hardware information about the host and lists it as an available host to provision. For more information, see Implementing PXE less Discovery. 
| Discovery workflows are only available when the Discovery plugin is installed. For more information, see Configuring the Discovery Service. | 
With orcharhino, you can perform both BIOS and UEFI based PXE provisioning. Both BIOS and UEFI interfaces work as interpreters between the operating system and firmware of a computer, initializing hardware components and starting the operating system at boot time.
In orcharhino provisioning, the PXE loader option defines the DHCP filename option to use during provisioning.
- 
For BIOS systems, select the PXELinux BIOS option to enable a provisioned host to download the pxelinux.0file over TFTP.
- 
For UEFI systems, select the Grub2 UEFI option to enable a TFTP client to download grubx64.efifile, or select the Grub2 UEFI HTTP option to enable an UEFI HTTP client to downloadgrubx64.efiwith the HTTP Boot feature.
orcharhino supports UEFI Secure Boot.
SecureBoot PXE loaders enable a client to download the shim.efi bootstrap boot loader that then loads the signed grubx64.efi.
Use the Grub2 UEFI SecureBoot PXE loader for PXE-boot provisioning or Grub2 UEFI HTTPS SecureBoot for HTTP-boot provisioning.
By default, you can provision operating systems from the vendor of the operating system of your orcharhino Server on Secure Boot enabled hosts. To provision operating systems on Secure Boot enabled hosts from different vendors, you have to provide signed shim and GRUB2 binaries provided by the vendor of your operating system. For more information, see Configuring orcharhino Proxy to provision Red Hat Enterprise Linux on Secure Boot enabled hosts.
For BIOS provisioning, you must associate a PXELinux template with the operating system. For UEFI provisioning, you must associate a PXEGrub2 template with the operating system. If you associate both PXELinux and PXEGrub2 templates, orcharhino deploys configuration files for both on a TFTP server, so that you can switch between PXE loaders easily.
Prerequisites for bare-metal provisioning
The requirements for bare-metal provisioning include:
- 
A orcharhino Proxy Server managing the network for bare-metal hosts. For unattended provisioning and discovery-based provisioning, orcharhino Server requires PXE server settings. For more information about networking requirements, see Configuring Networking. For more information about the Discovery service, Configuring the Discovery Service. 
- 
A bare-metal host or a blank VM. 
- 
Provide the installation medium for the operating systems that you want to use to provision hosts. You can use synchronized content repositories for Red Hat Enterprise Linux. For more information, see Syncing Repositories in Managing Content. 
- 
Provide an activation key for host registration. For more information, see Creating An Activation Key in Managing Content. 
For information about the security token for unattended and PXE-less provisioning, see Configuring the Security Token Validity Duration.
Configuring the security token validity duration
When performing any kind of provisioning, as a security measure, orcharhino automatically generates a unique token and adds this token to the OS installer recipe URL in the PXE configuration file (PXELinux, Grub2). By default, the token is valid for 360 minutes. When you provision a host, ensure that you reboot the host within this time frame. If the token expires, it is no longer valid and you receive a 404 error and the operating system installer download fails.
- 
In the orcharhino management UI, navigate to Administer > Settings, and click the Provisioning tab. 
- 
Find the Token duration option and click the edit icon and edit the duration, or enter 0to disable token generation. If token generation is disabled, an attacker can spoof client IP address and download OS installer recipe from orcharhino Server, including the encrypted root password.
Creating hosts with unattended provisioning
Unattended provisioning is the simplest form of host provisioning. You enter the host details on orcharhino Server and boot your host. orcharhino Server automatically manages the PXE configuration, organizes networking services, and provides the operating system and configuration for the host.
This method of provisioning hosts uses minimal interaction during the process.
To use the CLI instead of the orcharhino management UI, see the CLI procedure.
- 
In the orcharhino management UI, navigate to Hosts > Create Host. 
- 
In the Name field, enter a name for the host. 
- 
Optional: Click the Organization tab and change the organization context to match your requirement. 
- 
Optional: Click the Location tab and change the location context to match your requirement. 
- 
From the Host Group list, select a host group that you want to assign your host to. That host group will populate the form. 
- 
Click the Interfaces tab, and on the interface of the host, click Edit. 
- 
Verify that the fields are populated with values. Note in particular: - 
orcharhino automatically assigns an IP address for the new host. 
- 
In the MAC address field, enter a MAC address of the provisioning interface of the host. This ensures the identification of the host during the PXE boot process. 
- 
The Name from the Host tab becomes the DNS name. 
- 
Ensure that orcharhino automatically selects the Managed, Primary, and Provision options for the first interface on the host. If not, select them. 
 
- 
- 
Click OK to save. To add another interface, click Add Interface. You can select only one interface for Provision and Primary. 
- 
Click the Operating System tab, and verify that all fields contain values. Confirm each aspect of the operating system. 
- 
Optional: Click Resolve in Provisioning template to check the new host can identify the right provisioning templates to use. For more information about associating provisioning templates, see Provisioning templates. 
- 
Click the Parameters tab, and ensure that a parameter exists that provides an activation key. If not, add an activation key. 
- 
Click Submit to save the host details. For more information about network interfaces, see Adding network interfaces in Managing Hosts. 
This creates the host entry and the relevant provisioning settings. This also includes creating the necessary directories and files for PXE booting the bare-metal host. If you start the physical host and set its boot mode to PXE, the host detects the DHCP service of orcharhino Server’s integrated orcharhino Proxy, receives HTTP endpoint of the Kickstart tree and installs the operating system.
When the installation completes, the host also registers to orcharhino Server using the activation key and installs the necessary configuration and management tools from the orcharhino Client for Red Hat Enterprise Linux repository.
- 
Create the host with the hammer host createcommand:$ hammer host create \ --build true \ --enabled true \ --hostgroup "My_Host_Group" \ --location "My_Location" \ --mac "My_MAC_Address" \ --managed true \ --name "My_Host_Name" \ --organization "My_Organization"
- 
Ensure the network interface options are set using the hammer host interface updatecommand:$ hammer host interface update \ --host "_My_Host_Name_" \ --managed true \ --primary true \ --provision true 
Creating hosts with PXE-less provisioning
Some hardware does not provide a PXE boot interface. In orcharhino, you can provision a host without PXE boot. This is also known as PXE-less provisioning and involves generating a boot ISO that hosts can use. Using this ISO, the host can connect to orcharhino Server, boot the installation media, and install the operating system.
orcharhino also provides a PXE-less discovery service that operates without PXE-based services, such as DHCP and TFTP. For more information, see Implementing PXE less Discovery.
There are the following types of boot ISOs:
- Host image
- 
A boot ISO for the specific host. This image contains only the boot files that are necessary to access the installation media on orcharhino Server. The user defines the subnet data in orcharhino and the image is created with static networking. The image is based on iPXE boot firmware, only a limited number of network cards is supported. 
- Full host image
- 
A boot ISO that contains the kernel and initial RAM disk image for the specific host. This image is useful if the host fails to chainload correctly. The provisioning template still downloads from orcharhino Server. 
- Generic image
- 
A boot ISO that is not associated with a specific host. The ISO sends the host’s MAC address to orcharhino Server, which matches it against the host entry. The image does not store IP address details and requires access to a DHCP server on the network to bootstrap. This image is also available from the /disks/genericURL on your orcharhino Server, for example,https://orcharhino.example.com/disks/generic.
- Subnet image
- 
A boot ISO that is not associated with a specific host. The ISO sends the host’s MAC address to orcharhino Proxy Server, which matches it against the host entry. The image does not store IP address details and requires access to a DHCP server on the network to bootstrap. This image is generic to all hosts with a provisioning NIC on the same subnet. The image is based on iPXE boot firmware, only a limited number of network cards is supported. 
| The Full host image is based on SYSLINUX and Grub and works with most network cards. When using a Host image, Generic image, or Subnet image, see supported hardware on ipxe.org for a list of network card drivers expected to work with an iPXE-based boot disk. | 
Host image and Full host image contain provisioning tokens, therefore the generated image has limited lifespan. For more information about configuring security tokens, read Configuring the Security Token Validity Duration.
To use the CLI instead of the orcharhino management UI, see the CLI procedure.
- 
In the orcharhino management UI, navigate to Hosts > Create Host. 
- 
In the Name field, enter a name for the host. 
- 
Optional: Click the Organization tab and change the organization context to match your requirement. 
- 
Optional: Click the Location tab and change the location context to match your requirement. 
- 
From the Host Group list, select a host group that you want to assign your host to. That host group will populate the form. 
- 
Click the Interfaces tab, and on the interface of the host, click Edit. 
- 
Verify that the fields are populated with values. Note in particular: - 
orcharhino automatically assigns an IP address for the new host. 
- 
In the MAC address field, enter a MAC address of the provisioning interface of the host. This ensures the identification of the host during the PXE boot process. 
- 
The Name from the Host tab becomes the DNS name. 
- 
Ensure that orcharhino automatically selects the Managed, Primary, and Provision options for the first interface on the host. If not, select them. 
 
- 
- 
Click OK to save. To add another interface, click Add Interface. You can select only one interface for Provision and Primary. 
- 
Click the Operating System tab, and verify that all fields contain values. Confirm each aspect of the operating system. 
- 
Click Resolve in Provisioning Templates to check the new host can identify the right provisioning templates to use. For more information about associating provisioning templates, see Provisioning templates. 
- 
Click the Parameters tab, and ensure that a parameter exists that provides an activation key. If not, add an activation key. 
- 
Click Submit to save the host details. This creates a host entry and the host details page appears. 
- 
Download the boot disk from orcharhino Server. - 
For Host image, on the host details page, click the vertical ellipsis and select Host 'My_Host_Name' image. 
- 
For Full host image, on the host details page, click the vertical ellipsis and select Full host 'My_Host_Name' image. 
- 
For Generic image, navigate to Infrastructure > Subnets, click Boot disk and select Generic image. 
- 
For Subnet image, navigate to Infrastructure > Subnets, click the dropdown menu in the Actions column of the required subnet and select Subnet generic image. 
 
- 
- 
Write the ISO to a USB storage device using the ddutility orlivecd-toolsif required.
- 
When you start the host and boot from the ISO or the USB storage device, the host connects to orcharhino Server and starts installing operating system from its Kickstart tree. When the installation completes, the host also registers to orcharhino Server using the activation key and installs the necessary configuration and management tools from the orcharhino Client for Red Hat Enterprise Linux repository. 
- 
Create the host using the hammer host createcommand.$ hammer host create \ --build true \ --enabled true \ --hostgroup "My_Host_Group" \ --location "My_Location" \ --mac "My_MAC_Address" \ --managed true \ --name "My_Host_Name" \ --organization "My_Organization"
- 
Ensure that your network interface options are set using the hammer host interface updatecommand.$ hammer host interface update \ --host "My_Host_Name" \ --managed true \ --primary true \ --provision true
- 
Download the boot disk from orcharhino Server using the hammer bootdiskcommand:- 
For Host image: $ hammer bootdisk host --host My_Host_Name
- 
For Full host image: $ hammer bootdisk host \ --full true \ --host My_Host_Name
- 
For Generic image: $ hammer bootdisk generic
- 
For Subnet image: $ hammer bootdisk subnet --subnet My_Subnet_Name
 This creates a boot ISO for your host to use. 
- 
- 
Write the ISO to a USB storage device using the ddutility orlivecd-toolsif required.
- 
When you start the physical host and boot from the ISO or the USB storage device, the host connects to orcharhino Server and starts installing operating system from its Kickstart tree. When the installation completes, the host also registers to orcharhino Server using the activation key and installs the necessary configuration and management tools from the orcharhino Client for Red Hat Enterprise Linux repository. 
Creating hosts with UEFI HTTP boot provisioning
You can provision hosts from orcharhino using the UEFI HTTP Boot. This is the only method with which you can provision hosts in IPv6 network.
To use the CLI instead of the orcharhino management UI, see the CLI procedure.
- 
Ensure that you meet the requirements for HTTP booting. 
- 
On orcharhino Proxy that you use for provisioning, update the grub2-efipackage to the latest version:$ dnf upgrade grub2-efi
- 
Enable foreman-proxy-http,foreman-proxy-httpboot, andforeman-proxy-tftpfeatures.$ orcharhino-installer \ --foreman-proxy-http true \ --foreman-proxy-httpboot true \ --foreman-proxy-tftp true
- 
Ensure that the orcharhino Proxy has TFTP and HTTPBoot features recognized. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies and click on orcharhino Proxy to see the list of recognized features. Click Refresh Features if any of the features are missing. 
- 
Ensure that orcharhino Proxy is associated with the provisioning subnet. In the orcharhino management UI, navigate to Infrastructure > Subnets > Edit Subnet > orcharhino Proxies and select the orcharhino Proxy for both TFTP and HTTPBoot options. 
- 
Click OK to save. 
- 
In the orcharhino management UI, navigate to Hosts > Create Host. 
- 
In the Name field, enter a name for the host. 
- 
Optional: Click the Organization tab and change the organization context to match your requirement. 
- 
Optional: Click the Location tab and change the location context to match your requirement. 
- 
From the Host Group list, select a host group that you want to assign your host to. That host group will populate the form. 
- 
Click the Interfaces tab, and on the interface of the host, click Edit. 
- 
Verify that the fields are populated with values. Note in particular: - 
orcharhino automatically assigns an IP address for the new host. 
- 
In the MAC address field, enter a MAC address of the provisioning interface of the host. This ensures the identification of the host during the PXE boot process. 
- 
The Name from the Host tab becomes the DNS name. 
- 
Ensure that orcharhino automatically selects the Managed, Primary, and Provision options for the first interface on the host. If not, select them. 
 
- 
- 
Click OK to save. To add another interface, click Add Interface. You can select only one interface for Provision and Primary. 
- 
Click the Operating System tab, and verify that all fields contain values. Confirm each aspect of the operating system. 
- 
From the PXE Loader list, select Grub2 UEFI HTTP. 
- 
Optional: Click Resolve in Provisioning template to check the new host can identify the right provisioning templates to use. For more information about associating provisioning templates, see Creating provisioning templates. 
- 
Click the Parameters tab, and ensure that a parameter exists that provides an activation key. If not, add an activation key. 
- 
Click Submit to save the host details. For more information about network interfaces, see Adding network interfaces in Managing Hosts. 
- 
Set the host to boot in UEFI mode from network. 
- 
Start the host. 
- 
From the boot menu, select Kickstart default PXEGrub2. 
This creates the host entry and the relevant provisioning settings. This also includes creating the necessary directories and files for UEFI booting the bare-metal host. When you start the physical host and set its boot mode to UEFI HTTP, the host detects the defined DHCP service, receives HTTP endpoint of orcharhino Proxy with the Kickstart tree and installs the operating system.
When the installation completes, the host also registers to orcharhino Server using the activation key and installs the necessary configuration and management tools from the orcharhino Client for Red Hat Enterprise Linux repository.
- 
On orcharhino Proxy that you use for provisioning, update the grub2-efipackage to the latest version:$ dnf upgrade grub2-efi
- 
Enable foreman-proxy-http,foreman-proxy-httpboot, andforeman-proxy-tftp truefeatures:$ orcharhino-installer \ --foreman-proxy-http true \ --foreman-proxy-httpboot true \ --foreman-proxy-tftp true
- 
Create the host with the hammer host createcommand.$ hammer host create \ --build true \ --enabled true \ --hostgroup "My_Host_Group" \ --location "My_Location" \ --mac "My_MAC_Address" \ --managed true \ --name "My_Host_Name" \ --organization "My_Organization" \ --pxe-loader "Grub2 UEFI HTTP"
- 
Ensure the network interface options are set using the hammer host interface updatecommand:$ hammer host interface update \ --host "My_Host_Name" \ --managed true \ --primary true \ --provision true
- 
Set the host to boot in UEFI mode from network. 
- 
Start the host. 
- 
From the boot menu, select Kickstart default PXEGrub2. 
This creates the host entry and the relevant provisioning settings. This also includes creating the necessary directories and files for UEFI booting the bare-metal host. When you start the physical host and set its boot mode to UEFI HTTP, the host detects the defined DHCP service, receives HTTP endpoint of orcharhino Proxy with the Kickstart tree and installs the operating system.
When the installation completes, the host also registers to orcharhino Server using the activation key and installs the necessary configuration and management tools from the orcharhino Client for Red Hat Enterprise Linux repository.
Configuring orcharhino Proxy to provision Red Hat Enterprise Linux on Secure Boot enabled hosts
Secure Boot follows a chain of trust from the start of the host to the loading of Linux kernel modules.
The first shim that is loaded determines which distribution can be booted or loaded by using a kexec system call until the next reboot.
To provision Red Hat Enterprise Linux on Secure Boot enabled hosts with the Grub2 UEFI SecureBoot and Grub2 UEFI HTTPS SecureBoot PXE loaders, you have to provide signed shim and GRUB2 binaries provided by the vendor of your operating system.
| You have to perform the following configuration steps on each TFTP proxy for a subnet to provision Secure Boot enabled hosts on that subnet. | 
The following example works for Red Hat Enterprise Linux on x86_64 architecture.
- 
Ensure that cpiois installed on your orcharhino Proxy.
- 
On your orcharhino Proxy, configure the directory to store the shim and GRUB2 binaries required for provisioning Secure Boot enabled hosts: $ orcharhino-installer --foreman-proxy-tftp-bootloader-universe My_Bootloader_DirectoryReplace My_Bootloader_Directory with the absolute path where you want to store the shim and GRUB2 binaries. 
- 
Set the path for the shim and GRUB2 binaries for the operating system of your host: $ BOOTLOADER_PATH="My_Bootloader_Directory/pxegrub2/redhat/default/x86_64"If you require specific versions of the shim and GRUB2 binaries for the version of the operating system of your host, replace defaultwith the Major and Minor version of the operating system separated by a dot. If no Minor version is set, replacedefaultwith the Major version.ATIX AG recommends to not use version-specific shim and GRUB2 binaries unless it is really necessary. 
- 
Create the directory to store the shim and GRUB2 binaries for the operating system of your host: $ install -o foreman-proxy -g foreman-proxy -d $BOOTLOADER_PATH
- 
Download the shim and GRUB2 packages for the operating system of your host: $ wget -O /tmp/grub2-efi-x64.rpm https://server.example.com/grub2-efi-x64.rpm $ wget -O /tmp/shim-x64.rpm https://server.example.com/shim-x64.rpmYou can download the grub2-efi-x64package from the Red Hat Enterprise Linux BaseOS repository published on your orcharhino Proxy. You can download theshim-x64package from the Red Hat Enterprise Linux BaseOS repository published on your orcharhino Proxy.
- 
Extract the shim and GRUB2 binaries: $ rpm2cpio /tmp/grub2-efi-x64.rpm | cpio -idv --directory /tmp $ rpm2cpio /tmp/shim-x64.rpm | cpio -idv --directory /tmp
- 
Make the shim and GRUB2 binaries available for host provisioning: $ cp /tmp/boot/efi/EFI/redhat/grubx64.efi $BOOTLOADER_PATH/grubx64.efi $ cp /tmp/boot/efi/EFI/redhat/shimx64.efi $BOOTLOADER_PATH/shimx64.efi $ ln -sr $BOOTLOADER_PATH/grubx64.efi $BOOTLOADER_PATH/boot.efi $ ln -sr $BOOTLOADER_PATH/shimx64.efi $BOOTLOADER_PATH/boot-sb.efi $ chmod 644 $BOOTLOADER_PATH/grubx64.efi $ chmod 644 $BOOTLOADER_PATH/shimx64.efi
- 
Verify the contents of your bootloader directory: $ tree My_Bootloader_Directory My_Bootloader_Directory └── pxegrub2 ├── redhat └── default └── x86_64 ├── boot.efi -> grubx64.efi ├── boot-sb.efi -> shimx64.efi ├── grubx64.efi └── shimx64.efi
- 
You can now provision Secure Boot enabled Red Hat Enterprise Linux hosts by using the Grub2 UEFI SecureBoot and Grub2 UEFI HTTPS SecureBoot PXE loaders. 
Deploying SSH keys during provisioning
Use this procedure to deploy SSH keys added to a user during provisioning. For information on adding SSH keys to a user, see Managing SSH Keys for a User in Administering orcharhino.
- 
In the orcharhino management UI, navigate to Hosts > Templates > Provisioning Templates. 
- 
Create a provisioning template, or clone and edit an existing template. For more information, see Creating provisioning templates. 
- 
In the template, click the Template tab. 
- 
In the Template editor field, add the create_userssnippet to the%postsection:<%= snippet('create_users') %>
- 
Select the Default checkbox. 
- 
Click the Association tab. 
- 
From the Application Operating Systems list, select an operating system. 
- 
Click Submit to save the provisioning template. 
- 
Create a host that is associated with the provisioning template or rebuild a host using the OS associated with the modified template. For more information, see Creating a Host in Managing Hosts. The SSH keys of the Owned by user are added automatically when the create_userssnippet is executed during the provisioning process. You can set Owned by to an individual user or a user group. If you set Owned by to a user group, the SSH keys of all users in the user group are added automatically.
| The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0"). |