PXE-based
Airlock Gateway can be installed fully automatically via PXE. This section outlines the required steps and prerequisites for such an installation. The instructions provided represent one possible example—in practice, PXE setups may vary depending on your environment and infrastructure. A key part of the configuration involves kernel parameters (see Kernel parameters and below).
The following instructions apply to Airlock Gateway 8.5 and later versions.
Prerequisites
- PXE server, consisting of:
  - DHCP server
  - TFTP server (referred to as 10.0.0.11 in the following)
  - HTTP server (referred to as 10.0.0.12 in the following)
- Airlock Gateway ISO image
- Target system configured for network boot via PXE (referred to as 10.0.0.51 in the following)
Overview of the PXE boot and installation process
- The system boots and contacts the DHCP server.
- The DHCP server assigns an IP address and provides a reference to the boot loader image located on the TFTP server.
- The system downloads the boot loader image and its boot configuration from the TFTP server, then executes it.
- The boot loader loads the kernel (vmlinuz) and initial RAM disk image (initrd), which contains the installer. It also passes the required kernel parameters from the boot configuration.
- The installer (Anaconda) starts and retrieves its kickstart configuration file from the HTTP server, then performs the installation accordingly.
- After installation, the system becomes accessible via SSH and is ready for further provisioning.
Setting up the DHCP server
The system can boot using either UEFI or legacy BIOS. The DHCP server setup differs depending on the boot method. Since there are various DHCP server implementations, the following example configurations use ISC DHCPD, a common choice on Linux systems. For both examples, this applies:
- next-server specifies the IP address of the TFTP server.
- filename refers to the boot loader file located on the TFTP server.
UEFI PXE boot configuration
- Example
    host myairlock {
      hardware ethernet 00:11:22:33:44:55;
      fixed-address 10.0.0.51;
      next-server 10.0.0.11;
      filename "pxe/myairlock/shimx64.efi";
    }
BIOS PXE boot configuration
- Example
    host myairlock {
      hardware ethernet 00:11:22:33:44:55;
      fixed-address 10.0.0.51;
      next-server 10.0.0.11;
      filename "pxe/myairlock/pxelinux.0";
      option configfile "pxelinux.cfg";
    }
Setting up the TFTP server
The setup here also differs slightly between UEFI and BIOS.
UEFI boot loader (GRUB2)
- The files shimx64.efi and grubx64.efi must be made available on the TFTP server in the directory specified in the DHCP configuration (in this example: pxe/myairlock/).
- These files can be copied from the Airlock Gateway ISO, located in /images/pxeboot/ and /EFI/BOOT/.
- In the same directory, a grub.cfg file must also be created, with contents similar to the following (to be adapted as needed):
- Example
    set timeout=0
    default=0
    menuentry 'airlock-install' {
      linuxefi pxe/myairlock/vmlinuz alinst.interactive=0 inst.ks=http://10.0.0.12/netinstall/myairlock/airlock_install.cfg inst.repo=http://10.0.0.12/netinstall/myairlock/iso/ ip=10.0.0.51::10.0.0.1:255.255.255.0:myairlock:eth0:none alinst.rootpw=xxx alinst.adminpw=xxx
      initrdefi pxe/myairlock/initrd.img
    }
This file contains the kernel parameters required to enable automated installation of Airlock Gateway.
The passwords set in the example above are stored in plain text. Since a TFTP server provides no protection, the passwords are inherently exposed during network boot.
- Instead of plain-text passwords, use the alinst.sshkey= parameter for authentication whenever possible.
- If you must use a plain-text password, generate it temporarily for the installation process only, and make sure to change it immediately after installation.
BIOS boot loader (PXELINUX)
- The files pxelinux.0 and ldlinux.c32 must be made available on the TFTP server in the directory specified in the DHCP configuration (in this example: pxe/myairlock/).
- These files can be copied from the Airlock Gateway ISO image, located in /images/pxeboot/ and /isolinux/.
- In the same directory, a pxelinux.cfg file must also be created, with contents similar to the following (to be adapted as needed):
- Example
    PROMPT 0
    TIMEOUT 0
    DEFAULT airlock-install
    LABEL airlock-install
      kernel vmlinuz
      append initrd=initrd.img -- alinst.interactive=0 inst.ks=http://10.0.0.12/netinstall/iso/airlock/kickstart/airlock_install.cfg inst.repo=http://10.0.0.12/netinstall/myairlock/iso/ ip=10.0.0.51::10.0.0.1:255.255.255.0:myairlock:eth0:none alinst.rootpw=xxx alinst.adminpw=xxx
This file contains the kernel parameters required to enable automated installation of Airlock Gateway. The relevant parameters are described below.
Note that the following files must be copied from the Airlock Gateway ISO image to the same directory as the boot loader (in this example: pxe/myairlock/):
- images/pxeboot/vmlinuz
- images/pxeboot/initrd.img
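The boot configurations above (grub.cfg for UEFI, pxelinux.cfg for BIOS) can be checked for the plain-text password parameters before they are published on the TFTP server. The following Python check is an added example, not part of the Airlock documentation; the function names and sample files are constructed for illustration, and PLACEHOLDER stands in for the alinst.sshkey= value, whose format is not shown on this page.

```python
from pathlib import Path

# Kernel parameters that the page shows carrying plain-text passwords.
PASSWORD_PARAMS = {"alinst.rootpw", "alinst.adminpw"}
# Directives that start a kernel command line: GRUB2 (linuxefi/linux), PXELINUX (append).
CMDLINE_DIRECTIVES = {"linuxefi", "linux", "append"}

def audit_boot_config(text):
    """Return [(line_no, parameter)] for each password parameter; values are never returned."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0].lower() not in CMDLINE_DIRECTIVES:
            continue
        keys = [w.split("=", 1)[0] for w in words[1:] if "=" in w]
        findings += [(line_no, k) for k in keys if k in PASSWORD_PARAMS]
    return findings

def audit_tftp_root(root):
    """Audit every grub.cfg and pxelinux.cfg below a TFTP root; return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name in ("grub.cfg", "pxelinux.cfg"):
            hits = audit_boot_config(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: the page's UEFI example, shortened.
SAMPLE_GRUB = """\
set timeout=0
default=0
menuentry 'airlock-install' {
  linuxefi pxe/myairlock/vmlinuz alinst.interactive=0 alinst.rootpw=xxx alinst.adminpw=xxx
  initrdefi pxe/myairlock/initrd.img
}
"""
# Constructed sample: key-based variant; PLACEHOLDER is not a real key value.
SAMPLE_PXELINUX = """\
LABEL airlock-install
  kernel vmlinuz
  append initrd=initrd.img -- alinst.interactive=0 alinst.sshkey=PLACEHOLDER
"""
if __name__ == "__main__":
    for name, text in (("grub.cfg", SAMPLE_GRUB), ("pxelinux.cfg", SAMPLE_PXELINUX)):
        for line_no, param in audit_boot_config(text):
            print(f"{name}:{line_no}: {param}= carries a plain-text password")
```

Running audit_tftp_root against the TFTP root directory after each change to a boot configuration lists every file that still exposes a password.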
Hosting the installation resources on an HTTP server
Since the kickstart configuration file is included within the ISO image at /airlock/kickstart/airlock_install.cfg, it will also be present on the HTTP server after extraction. Direct the installer to this file using the kernel parameter inst.ks=, and to the package source using inst.repo=.