ESXi: Silent installation by UEFI HTTP boot

Hi,

This post describes how to install an ESXi server silently via UEFI HTTP remote boot.

Install server: Debian 11 (10.10.220.10):

root@debdev ~ # apt install gnupg2 git
root@debdev ~ # wget https://nginx.org/keys/nginx_signing.key
root@debdev ~ # apt-key add nginx_signing.key
root@debdev ~ # vi /etc/apt/sources.list.d/nginx.list


deb https://nginx.org/packages/mainline/debian/ bullseye nginx
deb-src https://nginx.org/packages/mainline/debian/ bullseye nginx

root@debdev ~ # apt update 
root@debdev ~ # apt install nginx

Set the nginx document root to /var/www/html and restrict access: deny everything by default and allow /esxi and /esxi-ks only for the local subnet. Note that this ACL filters by source address only; every host in the subnet can read everything below these two directories, including boot.cfg and the kickstart file.

root@debdev ~ # vi /etc/nginx/conf.d/default.conf


...
location / {
# root /usr/share/nginx/html;
root /var/www/html;
deny all;
index index.html index.htm;
}
location ~ ^/esxi/ {
autoindex off;
root /var/www/html;
allow 10.10.220.0/24;
deny all;
}
location ~ ^/esxi-ks/ {
autoindex off;
root /var/www/html;
allow 10.10.220.0/24;
deny all;
}
...

Copy the ESXi ISO to the install server

pscp D:\Install\VMware-ESXi-7.0.3.update03-19193900-Fujitsu-v530-1.iso root@10.10.220.10:/root

Extract files

root@debdev ~ # mkdir /mnt/loop
root@debdev ~ # mount -o loop /root/VMware-ESXi-7.0.3.update03-19193900-Fujitsu-v530-1.iso /mnt/loop

Create a folder below the html root /esxi named after the version and build number, and the folder for the kickstart files

root@debdev ~ # mkdir -p /var/www/html/esxi/ESXi-7.0.3-19193900
root@debdev ~ # mkdir -p /var/www/html/esxi-ks/

Copy the files from the ISO

root@debdev ~ # cp -r /mnt/loop/* /var/www/html/esxi/ESXi-7.0.3-19193900

Copy the bootloader: take bootx64.efi from the newest ESXi installation files you have. The bootloader is backward compatible and can boot older ESXi versions.

root@debdev ~ # cp /var/www/html/esxi/ESXi-7.0.3-19193900/efi/boot/bootx64.efi /var/www/html/esxi/mboot.efi

Modify boot.cfg: edit the module paths and the kernel parameters and set the prefix URL to your web server. The file copied from the ISO is read-only, so make it writable first.

root@debdev ~ # chmod u+w /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg
root@debdev ~ # vi /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg

Remove all leading slashes from the file names in the kernel= and modules= parameters. Example:

kernel=/b.b00 to kernel=b.b00
modules=/jumpstrt.gz --- /useropts.gz --- /features.gz... to modules=jumpstrt.gz --- useropts.gz --- features.gz

Usually slashes occur only in these two options, so you can simply strip every slash in the file. Run this before you add the prefix= URL, which itself contains slashes:

root@debdev ~ # sed -i.bak 's#/##g' /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg

Then set prefix= to the URL of the installation source:

prefix=http://10.10.220.10/esxi/ESXi-7.0.3-19193900

Remove cdromBoot from the kernelopt= option:

kernelopt=runweasel

For a silent/scripted installation, add the ks= option to kernelopt= and create the referenced file (its content is shown later in this post):

kernelopt=runweasel ks=http://10.10.220.10/esxi-ks/ks.cfg

root@debdev ~ # touch /var/www/html/esxi-ks/ks.cfg
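The boot.cfg steps above can be scripted. The following POSIX shell script is an added example and is not part of the original post: it rewrites a boot.cfg for HTTP boot and then verifies the result. Unlike the global sed above, it strips leading slashes only on the kernel= and modules= lines, so it is safe to run again after prefix= already holds a URL. The server address and URL paths are the ones used in this post; the script assumes a GNU or BSD sed and URLs without '#' or '&', which would collide with the sed delimiter and replacement syntax.

```shell
#!/bin/sh
# Added example, not from the original post: prepare an ESXi boot.cfg for UEFI
# HTTP boot and verify it.  Usage: prepare-bootcfg.sh boot.cfg PREFIX_URL KS_URL
# Assumptions: GNU or BSD sed; URLs contain no '#' or '&' (sed delimiter and
# replacement metacharacters).

# Rewrite $1 in place (keeping the previous version as $1.bak): strip leading
# slashes from the file names in kernel= and modules= only, set prefix= to $2
# and replace the kernelopt= line (dropping cdromBoot) with runweasel plus ks=$3.
prepare_bootcfg() {
    cfg="$1"; prefix="$2"; ks="$3"
    cp "$cfg" "$cfg.bak" || return 1
    # Write to a temp file and rename, so a read-only boot.cfg copied from the ISO works too.
    sed -e '/^kernel=/s#/##g' \
        -e '/^modules=/s#/##g' \
        -e "s#^prefix=.*#prefix=$prefix#" \
        -e "s#^kernelopt=.*#kernelopt=runweasel ks=$ks#" \
        "$cfg.bak" > "$cfg.tmp" && mv -f "$cfg.tmp" "$cfg"
}

# Verify a rewritten boot.cfg; prints each problem and returns 1 if any is fatal.
check_bootcfg() {
    cfg="$1"; rc=0
    # a '/' directly after '=' or after a space means a module path is still absolute
    if grep -Eq '^(kernel|modules)=(.* )?/' "$cfg"; then
        echo "$cfg: kernel= or modules= still contains a leading slash" >&2; rc=1
    fi
    grep -Eq '^prefix=https?://' "$cfg" || { echo "$cfg: prefix= is not an http(s) URL" >&2; rc=1; }
    if grep -q 'cdromBoot' "$cfg"; then
        echo "$cfg: cdromBoot is still set in kernelopt=" >&2; rc=1
    fi
    # a missing ks= is not fatal, the installer just becomes interactive
    grep -Eq '^kernelopt=.*ks=https?://' "$cfg" || echo "$cfg: no ks= URL, install will be interactive" >&2
    return $rc
}

case $# in
    3) prepare_bootcfg "$1" "$2" "$3" && check_bootcfg "$1" ;;
    *) echo "usage: $0 boot.cfg PREFIX_URL KS_URL" >&2 ;;
esac
```

Run it as `sh prepare-bootcfg.sh /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg http://10.10.220.10/esxi/ESXi-7.0.3-19193900 http://10.10.220.10/esxi-ks/ks.cfg`; a non-zero exit means the file would not boot as intended and the messages on stderr say why.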

Set up UEFI HTTP boot with dnsmasq


UEFI HTTP boot works in two steps. First the firmware's HTTP boot client sends a DHCP request that carries the vendor class HTTPClient:Arch:00016 (x86-64 UEFI). dnsmasq, running as a proxy DHCP server next to the existing DHCP server, recognizes this class, tags the request with efihttp and answers with the URL of mboot.efi, which the firmware downloads over HTTP and executes. mboot.efi then fetches boot.cfg from its own directory (or from a per-host 01-MAC directory) and loads the kernel and the modules from the prefix= URL.

Install dnsmasq

root@debdev ~ # apt install dnsmasq

Create the dnsmasq config /etc/dnsmasq.conf:

# Disable DNS Server
port=0

# Enable DHCP logging
log-dhcp
log-debug
log-facility=/tmp/dns.log

# run as DHCP proxy
dhcp-range=10.10.220.10,proxy
dhcp-pxe-vendor=PXEClient,HTTPClient:Arch:00016
dhcp-vendorclass=set:efihttp,HTTPClient:Arch:00016
pxe-service=tag:efihttp,x86-64_EFI,"Network Boot",http://10.10.220.10/esxi/mboot.efi

dhcp-boot=tag:efihttp,http://10.10.220.10/esxi/mboot.efi
dhcp-option-force=tag:efihttp,60,HTTPClient

Note: according to the PXE standard the client sets the vendor class to PXEClient. dnsmasq does not answer clients that send no vendor class or a different one, and the UEFI HTTP boot client sends HTTPClient:Arch:00016 instead. Setting "dhcp-pxe-vendor=PXEClient,HTTPClient:Arch:00016" makes dnsmasq accept both. If your dnsmasq rejects this option it is too old; the option was added in a fairly recent release.

To boot all hosts from the same installer, copy boot.cfg into the directory that holds mboot.efi (mboot.efi looks for boot.cfg next to itself):

root@debdev ~ # cp /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg /var/www/html/esxi

Or, to create a boot directory for each host individually: create a directory named after the host's MAC address below the mboot.efi directory and copy boot.cfg into it. Note the leading 01- prefix right before the hyphen-separated MAC address in the directory name.

root@debdev ~ # mkdir /var/www/html/esxi/01-11-22-33-44-55-66
root@debdev ~ # cp /var/www/html/esxi/ESXi-7.0.3-19193900/boot.cfg /var/www/html/esxi/01-11-22-33-44-55-66

Then create a default ks script /var/www/html/esxi-ks/ks.cfg. Keep in mind that nginx serves this file, including the rootpw line, in cleartext to every host in the subnet; prefer rootpw --iscrypted with a password hash over a plain-text password, and change the root password after the first boot.


# Accept the VMware End User License Agreement
vmaccepteula

# Set the root password for the DCUI and Tech Support Mode
rootpw myp@ssw0rd

# Install on the first local disk available on machine
install --firstdisk=local --overwritevmfs

keyboard German

# Set the network to DHCP on the first network adapter
network --bootproto=dhcp --device=vmnic0


To run an individual ks script per host, create the script and change the ks= parameter in that host's boot.cfg. The dnsmasq log (/tmp/dns.log) shows the MAC address of the booting host and the nginx access log shows which boot.cfg it requested; the folder name is usually 01-<MAC address>:

...
kernelopt=runweasel ks=http://10.10.220.10/esxi-ks/01-11-22-33-44-55-66/ks.cfg
...

root@debdev ~ # mkdir /var/www/html/esxi-ks/01-11-22-33-44-55-66
root@debdev ~ # vi /var/www/html/esxi-ks/01-11-22-33-44-55-66/ks.cfg




# Accept the VMware End User License Agreement
vmaccepteula

# Static network configuration on vmnic0. Use either this line or the DHCP
# variant below, not both
network --bootproto=static --ip=10.10.220.20 --gateway=10.10.220.1 --nameserver=10.10.220.250 --netmask=255.255.255.0 --hostname=myESXiHost.myDomain.org --device=vmnic0 --addvmportgroup=0

# Alternative: DHCP on the adapter selected by its MAC address
# network --bootproto=dhcp --device=11:22:33:44:55:66

# Set the root password for the DCUI and Tech Support Mode
rootpw myp@ssw0rd

# Install on the first local disk available on machine
install --firstdisk=local --overwritevmfs

keyboard German

# Reboot after the scripted installation. This is a kickstart command, so it
# has to come before %firstboot; everything after %firstboot is the script body
reboot

%firstboot --interpreter=busybox

# NTP
esxcli system ntp set -s myNTP.myDomain.org
esxcli system ntp set -e 1
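Before a host is rebooted into the installer it is worth checking that every URL in the published boot.cfg files resolves to a file below the nginx root, because a wrong path only shows up once the host is already booting. The script below is an added example, not from the original post: host_dir builds the 01-MAC directory name, url_to_path maps a URL served by the install server back to a path below the html root, and check_tree walks all boot.cfg files and confirms that mboot.efi, the kernel named in kernel= below the prefix= directory, and the ks= file exist. The html root and the server URL are passed as arguments; the directory layout and addresses follow this post.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for the HTTP boot
# tree published by nginx.  Usage: check-boot-tree.sh /var/www/html http://10.10.220.10
# Assumptions: boot.cfg files live in HTML_ROOT/esxi/boot.cfg and HTML_ROOT/esxi/*/boot.cfg,
# and every URL in them points at this install server.

# Directory name mboot.efi looks for: "01-" plus the MAC address, hyphen-separated
# (lower-case hex, as in VMware's documented example).
host_dir() {
    printf '01-%s\n' "$1" | tr ':' '-' | tr 'A-Z' 'a-z'
}

# Map http://server/path to HTML_ROOT/path; fails if the URL is not below SERVER_URL.
url_to_path() {
    root="$1"; base="$2"; url="$3"
    case "$url" in
        "$base"/*) printf '%s/%s\n' "$root" "${url#"$base"/}" ;;
        *) return 1 ;;
    esac
}

# Walk all boot.cfg files and verify that mboot.efi, the kernel below prefix= and
# the ks= file exist on disk.  Prints each problem, returns 1 if any was found.
check_tree() {
    root="$1"; base="$2"; rc=0
    [ -f "$root/esxi/mboot.efi" ] || { echo "missing $root/esxi/mboot.efi" >&2; rc=1; }
    for cfg in "$root/esxi/boot.cfg" "$root"/esxi/*/boot.cfg; do
        [ -f "$cfg" ] || continue          # an unmatched glob stays literal, skip it
        prefix=$(sed -n 's/^prefix=//p' "$cfg")
        kernel=$(sed -n 's/^kernel=//p' "$cfg")
        ks=$(sed -n 's/^kernelopt=.*ks=\([^ ]*\).*/\1/p' "$cfg")
        if pdir=$(url_to_path "$root" "$base" "$prefix"); then
            [ -f "$pdir/$kernel" ] || { echo "$cfg: kernel '$kernel' not found under $pdir" >&2; rc=1; }
        else
            echo "$cfg: prefix '$prefix' is not served from $base" >&2; rc=1
        fi
        if [ -z "$ks" ]; then
            echo "$cfg: no ks= option, install will be interactive" >&2
        elif kpath=$(url_to_path "$root" "$base" "$ks"); then
            [ -f "$kpath" ] || { echo "$cfg: kickstart $kpath is missing" >&2; rc=1; }
        else
            echo "$cfg: ks '$ks' is not served from $base" >&2; rc=1
        fi
    done
    return $rc
}

case $# in
    2) check_tree "$1" "$2" ;;
    *) echo "usage: $0 HTML_ROOT SERVER_URL" >&2 ;;
esac
```

The check only covers the file layout; it does not test the nginx ACL. Fetching a boot.cfg with curl from a machine outside 10.10.220.0/24 should still return 403.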

Michael

