Boot Management
Warewulf uses iPXE for network boot by default. As a tech preview, support for GRUB is also available, which adds support for secure boot.
Booting with iPXE
Booting with GRUB
Support for GRUB as a network bootloader (replacing iPXE) is available in Warewulf as a technology preview.
Instead of the iPXE starter, a combination of shim and GRUB can be used, which makes it possible to boot with secure boot enabled. With secure boot, only the signed kernel of a distribution can be booted. This can be a huge security benefit for some scenarios.
To use the GRUB boot method, enable it in warewulf.conf:
warewulf:
  grubboot: true
Nodes which are not known to Warewulf are booted with the shim/grub from the Warewulf server host.
Secure boot
If secure boot is enabled, a signature is checked at every step, and the boot process fails if any of these checks fails. The shim typically only includes the key for a single operating system, which means that each distribution needs separate shim and grub executables. Warewulf extracts these binaries from the containers. If the node is unknown to Warewulf or can’t be identified during the TFTP boot phase, the shim/grub binaries of the host on which Warewulf is running are used.
Install shim and efi
shim.efi and grub.efi must be installed in the container for it to be booted by GRUB.
# wwctl container shell leap15.5
[leap15.5] Warewulf> zypper install grub2 shim
# wwctl container shell rocky9
[rocky9] Warewulf> dnf install shim-x64.x86_64 grub2-efi-x64.x86_64
These packages must also be installed on the Warewulf server host to enable node discovery using GRUB.
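A pre-flight check for the requirement above, added here as an example and not part of Warewulf: it scans a container root filesystem (the path is supplied by you) for shim*.efi and grub*.efi files and reports whether each carries an embedded Authenticode signature table. The file-name patterns are an assumption, and a signature being present does not prove that the firmware or the shim will accept it.

```python
import struct
import sys
from pathlib import Path

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def cert_table_size(data: bytes) -> int:
    """Size in bytes of the PE certificate table; 0 means the image is unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    if count <= CERT_DIR_INDEX:
        return 0
    offset, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR_INDEX)
    if size and offset + size > len(data):
        raise ValueError("certificate table extends past end of file")
    return size


def scan_rootfs(rootfs) -> dict:
    """Map each shim*.efi / grub*.efi under rootfs (name patterns are an assumption)
    to its certificate-table size, or None when it is not a parseable PE image."""
    report = {}
    for path in sorted(Path(rootfs).rglob("*.efi")):
        # Skip symlinks: an absolute link inside a rootfs would resolve on the host.
        if path.is_symlink() or not path.name.lower().startswith(("shim", "grub")):
            continue
        key = str(path.relative_to(rootfs))
        try:
            report[key] = cert_table_size(path.read_bytes())
        except (ValueError, struct.error, OSError):
            report[key] = None
    return report


if __name__ == "__main__":
    results = scan_rootfs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, size in results.items():
        print(f"{'signed' if size else 'UNSIGNED or not a PE image':28} {name}")
    # Non-zero exit when nothing was found or any candidate lacks a signature.
    sys.exit(0 if results and all(results.values()) else 1)
```

Run it with the container's root filesystem path as the only argument; a non-zero exit means a shim or GRUB binary is missing or unsigned.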
http boot
Modern EFI systems can boot directly over HTTP. The flow diagram is the following:
Warewulf delivers the initial shim.efi and grub.efi via http as taken directly from the node’s assigned container.