PXE Boot and TOEM problems
-
Hello! Been using CloneDeploy for years, finally trying to migrate to TOEM. It was, and will be, used for (1) PXE boot menu, and (2) unicast/multicast image deployment on demand. (Almost all of the text written below is typed manually and may include typos.)
Done so far:
- Fresh install Windows Server 2022 STD (2nd time before posting here)
- Partially followed installation instructions here: https://docs.theopenem.com/latest, including steps under GETTING STARTED > Installation (E-Mail & LDAP tests successful - http://ip:8888/Provision/VerifyDb returns "60"), and steps under GETTING STARTED > Imaging / Cloning > Select An Imaging Environment > Building / Configuring The WIE >> Option 1: Build From the Web UI
- Running Toem Proxy DHCP in debug mode
!!! Note concerning the "Warning" about merging wie_builder\Builds\tftpboot !! Everything was merged, except one folder (future images created will be available without additional intervention) created with this PowerShell command
New-Item -Path 'C:\Program Files\Theopenem\tftpboot\boot' -Target 'C:\Program Files\Theopenem\Toems-API\private\wie_builder\Builds\tftpboot\boot' -ItemType SymbolicLink
First problem involves configuring the PXE Menu + Toems Proxy DHCP. Same problem here? https://forum.theopenem.com/topic/422/setting-up-pxe-booting?_=1694719002263&lang=en-US. Also, a video for how to configure Toems Proxy DHCP: https://youtu.be/041BeOI6_cc.
In Theopenem web page, under Admin Settings > PXE / Boot Menu > PXE Settings, changing the option Using Proxy DHCP: to Yes, Update PXE Settings throws this message: Updated Settings Successfully, But Could Not Copy PXE Binaries On One Or More Com Servers. Check The Logs For More Info.
Under PXE / Boot Menu > Global Boot Menu, Actions, Create Boot Files returns "Complete".
Toems Proxy DHCP is being run with this config.txt file (renamed from config.ini, all IPs are replaced with the keyword ip), and with the PowerShell command .\toems_dhcp_proxy.exe --debug
So far so good, until I attempt booting from a computer in EFI mode (no Legacy testing so far, though I doubt it will even be used nowadays). Editing the files under \tftpboot\proxy\{bios,efi64}\pxelinux.cfg\default.ipxe doesn't change anything in the resulting PXE menu, but editing this file \tftpboot\pxelinux.cfg\default.ipxe does. Log files further below.
Second problem concerns LDAP... scratch that, just tested right now and this time it works. I've completed the LDAP install in the order specified in the installation guide, compared to my first install which was configured later, and wouldn't work no matter what. For others who read this, LDAP users must be manually created in the web UI, and the option Use LDAP Authentication must be checked. Also, under Admin Settings > LDAP, the field LDAP Sync OU remains empty and must not contain the same as LDAP Base DN (https://forum.theopenem.com/topic/322/ldap-sync-issues?_=1694721602957), though this wasn't the solution on the first failed install attempt.
Third problem concerns the FrontEnd.log (ignore anything before 2023-09-14 15:00:00 which was during the setup process). Application Logs doesn't include anything relevant after setup, and Com Server Logs is empty. Are those errors normal? As you can notice, the logs don't include anything about the copied PXE binaries and "Check The Logs For More Info". Where are the logs for those "Logs For More Info" located? Here are a few unique sample messages included in the FrontEnd.log:
2023-09-14 15:11:26,391 [54] ERROR Toems_ApiCalls.ApiRequest Response Data Was Null For Resource: WieBuild/GetLastBuild/
2023-09-14 16:17:04,307 [8] ERROR Toems_ApiCalls.ApiRequest Response Data Was Null For Resource: Authorization/IsAuthorized/
2023-09-14 16:37:59,168 [32] ERROR Toems_ApiCalls.ApiRequest Response Data Was Null For Resource: FileSystem/GetSMBFreeSpace/
TL;DR (1) Enabling Proxy DHCP in PXE Settings doesn't use separate config files for bios-efi32-efi64 and uses instead \tftpboot\pxelinux.cfg\default.ipxe. How can it be fixed? (2) Many ERRORs in FrontEnd.log. Safe to ignore? Where are the logs for the error thrown after enabling Proxy DHCP?
Any additional info required? Just ask!
Thanks for the help!!
-
@samwell9854 Boiling your post down, I am new to TOEM also. But, that message about not being able to copy the binaries was one I had. Give IIS_IUSRS modify access to C:\Program Files\Theopenem\tftpboot
Thanks to mod
HTH.
-
@jonsjsbs Right, I forgot about that fix as I did find it in the forums. My message wasn't long enough. This doesn't fix my issue as this permission is already set on the parent folder and inherited on all subdirectories. The following PowerShell command can confirm if this specific permission is missing (typed manually, sorry if there are typos):
Get-ChildItem -Path 'C:\Program Files\Theopenem\tftpboot' -Recurse | Get-Acl | Where-Object {'BUILTIN\IIS_IUSRS' -notin $_.Access.IdentityReference} | Select-Object -ExpandProperty Path
Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Theopenem\tftpboot\TestAcl.txt
As you can see, I've created an example file TestMissingAcl.txt and removed BUILTIN\IIS_IUSRS from its permissions. It sure did show up in the result as the only one missing that permission. Do note that this doesn't test if the permission is indeed set to Modify (as I'm not that good with PowerShell). I checked manually about 10 files/folders randomly, including under the SymbolicLink I've created.
-
@samwell9854 I would probably start with explicitly giving "Everyone" full permissions and be sure that the subfolders are inheriting the permissions properly. Then test. If it works, at least you verified that it's a permissions issue. Then you can switch back to IIS_IUSRS and making sure that the folder perms are correct. If it does not work with everyone having full permissions, I would be at a loss.
-
@jonsjsbs Added "Full Access" permission to "Everyone" to the folder C:\Program Files\Theopenem, then validated (with at least 10 files/folders) that the subdirectories were inheriting the permissions. Finally, trying to disable, then enable Proxy DHCP still shows the error where the PXE Binaries couldn't be copied. Consequently, I guess the file(s) to be copied (source) simply doesn't exist.
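A fuller version of the ACL check discussed in the posts above, as an added example that is not part of any post and is not Theopenem code: it walks the same tftpboot path and reports every item where IIS_IUSRS lacks Modify, where Everyone holds Full Control, or where inheritance is blocked. It assumes English account names and only evaluates ACEs that name the account directly.

```powershell
# Added example: read-only audit of the tree named in the thread; changes no ACLs.
$Root    = 'C:\Program Files\Theopenem\tftpboot'
$Account = 'BUILTIN\IIS_IUSRS'
$Modify  = [int][System.Security.AccessControl.FileSystemRights]::Modify
$Full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-GrantedRights {
    # Rights granted to $Identity by ACEs that name it directly, minus denied rights.
    # Assumption: access obtained through membership in other groups is not evaluated.
    param($Acl, [string]$Identity)
    $allow = 0; $deny = 0
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # Inherit-only ACEs apply to children, not to the object itself.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    return ($allow -band (-bnot $deny))
}

# Include the root folder itself as well as everything below it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = @(foreach ($item in $items) {
    $acl      = Get-Acl -LiteralPath $item.FullName
    $iis      = Get-GrantedRights $acl $Account
    $everyone = Get-GrantedRights $acl 'Everyone'
    $row = [pscustomobject]@{
        Path               = $item.FullName
        IisUsersHasModify  = (($iis -band $Modify) -eq $Modify)
        EveryoneHasFull    = (($everyone -band $Full) -eq $Full)
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
    # Keep only items that deviate from the intended state.
    if (-not $row.IisUsersHasModify -or $row.EveryoneHasFull -or $row.InheritanceBlocked) { $row }
})

$findings | Format-Table -AutoSize -Wrap
"{0} of {1} items need attention" -f $findings.Count, $items.Count
```

Running it again after a broad test grant has been reverted shows whether any Everyone entry was left behind on the tree.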
-
For anyone interested, here is a solution (more accurately a workaround) for using different menus with Proxy DHCP depending on BIOS or EFI boot.
I stumbled on the solution as I was trying to add the command console to ipxe by rebuilding my own. My first build would result in a boot loop where ipxe would ask again for DHCP and load itself back again. ipxe.org has a solution for breaking the infinite loop, and this was the solution to using different menus.
Here's a little help to get started with rebuilding your own ipxe.efi:
Go to https://ipxe.org/download, make sure you have the necessary packages listed (gcc, binutils...), clone the repository git clone https://..., and go in the folder ipxe/src.
WARNING: At first, try to compile it the way it is before making changes, and if you do, don't make too many changes before trying to build it again as your changes will break the build.
Begin by editing the file config/general.h to enable/disable various features. Note that there are commented lines, and they begin with a variety of #define and #undef. Thus, enabling HTTPS means changing the line #undef DOWNLOAD_PROTO_HTTPS to #define DOWNLOAD_PROTO_HTTPS. As such, uncommenting a line may not be enough to enable the feature, same goes for commenting in a line may not be enough to disable the feature.
For BIOS boot, you may want to edit config/console.h. See an example here.
Create a file init.ipxe and add the following content:
#!ipxe
dhcp
chain proxy/efi64/pxelinux.cfg/default.ipxe
In true TOEM fashion, this should run the proper file which contains the menu for EFI64 boot. You may technically do anything you want here.
Finally, compile the ipxe file with the command make -j4 bin-x86_64-efi/ipxe.efi EMBED=init.ipxe, and this is the resulting file bin-x86_64-efi/ipxe.efi.