efi

Simplified Nested ESXi installation in ESXi 7.0 Update 2 using HTTP Boot over VirtualEFI

03/22/2021 by William Lam 17 Comments

Deploying an ESXi scripted installation aka Kickstart running within a VM (Nested ESXi) has a number of benefits, especially for testing and development purposes. This was something I did regularly as a customer, especially with new releases of ESXi to ensure our existing automation scripts and processes continued to work before rolling out into production. ESXi kickstart itself is pretty straight forward, but the required supporting infrastructure (PXE Server, DHCP, TFTP, etc) that needs to be configured, especially for a greenfield deployment can often be challenging for new comers.

Even with an existing PXE infrastructure, it can often be difficult to configure or troubleshoot depending on your level of access which does not add any value in actually testing or automating the ESXi scripted installation process. In ESXi 7.0 Update 2, an enhancement was made to the Virtual Machine’s UEFI firmware called VirtualEFI that would enable ESXi to perform an HTTP Boot given the ESXi bootloader URL and without requiring any of the traditional PXE infrastructure.

To take advantage of this new capability, you just need to have a physical server running ESXi 7.0 Update 2 and a VM that is configured with the latest vHW19 compatibility. To configure HTTP boot, you will need to add the following two VM Advanced Settings:

networkBootProtocol – httpv4 or httpv6
networkBootUri – HTTP URL to the ESXi bootloader (bootx64.efi)

Disclaimer: Nested ESXi and Nested Virtualization is not officially supported by VMware

Quick Tip – How to create a Windows 2016 ISO supporting EFI boot w/o prompting to press a key

06/10/2016 by William Lam 4 Comments

We had a question this week from a customer that was looking automate the installation of the latest Windows 2016 Tech Preview running on vSphere. They were booting the ISO using the EFI firmware and found that they would always be prompted with the “Press any key to boot from CD or DVD ….” message as shown in the screenshot below.

This obviously was not ideal from an Automation standpoint and they were looking to see if there was a solution. Thanks to one of our EFI experts at VMware, Darius Davis, who noted that this has been a known Microsoft issue for some time now and there is even a TechNet article here describing the issue since Windows Server 2008. The only workaround to solve this problem was to re-master the Windows ISO to use the efisys_noprompt.bin instead of the default efisys.bin file.

Given this was not something I had done before and I was curious to see how difficult it really was. I did some digging around the Internet and to my surprise, it was actually pretty hard to find a straight forward article that walks you through on re-mastering a recent release of Windows yet alone on how to enable this EFI not prompt option. I was about to give up when I stumbled onto an article by Johan Arwidmark who outlines the steps to create a Windows 10 ISO from the Windows 10 ESD installer. Given the title of his article, I am guessing that others have also had a hard time finding the correct instructions and tools required to re-master an existing Windows ISO. Johan had a nice Powershell script that converts the Windows 10 ESD installer to an ISO and then using that image to re-master the final ISO.

Given that both Windows 2016 and even Windows 10 is available as an ISO download, we did not need the entire script. Only the last couple of lines of the script is what I was really interested in. Below is a modification of Johan’s script and you can see that instead of using the efisys.bin file, we will reference the efisys_noprompt.bin which will remove the prompting when booting the installer using the EFI firmware.

# Path to the Extracted or Mounted Windows ISO 
$ISOMediaFolder = 'E:\'

# Path to new re-mastered ISO
$ISOFile = 'C:\Users\lamw\Desktop\Windows2016.iso'

# Need to specify the root directory of the oscdimg.exe utility which you need to download
$PathToOscdimg = 'C:\Program Files\Windows AIK\Tools\PETools'

# Instead of pointing to normal efisys.bin, use the *_noprompt instead
$BootData='2#p0,e,b"{0}"#pEF,e,b"{1}"' -f "$ISOMediaFolder\boot\etfsboot.com","$ISOMediaFolder\efi\Microsoft\boot\efisys_noprompt.bin"

# re-master Windows ISO
Start-Process -FilePath "$PathToOscdimg\oscdimg.exe" -ArgumentList @("-bootdata:$BootData",'-u2','-udfver102',"$ISOMediaFolder","$ISOFile") -PassThru -Wait -NoNewWindow

# Path to the Extracted or Mounted Windows ISO

$ISOMediaFolder = 'E:\'

# Path to new re-mastered ISO

$ISOFile = 'C:\Users\lamw\Desktop\Windows2016.iso'

# Need to specify the root directory of the oscdimg.exe utility which you need to download

$PathToOscdimg = 'C:\Program Files\Windows AIK\Tools\PETools'

# Instead of pointing to normal efisys.bin, use the *_noprompt instead

$BootData='2#p0,e,b"{0}"#pEF,e,b"{1}"' -f "$ISOMediaFolder\boot\etfsboot.com","$ISOMediaFolder\efi\Microsoft\boot\efisys_noprompt.bin"

# re-master Windows ISO

Start-Process -FilePath "$PathToOscdimg\oscdimg.exe" -ArgumentList @("-bootdata:$BootData",'-u2','-udfver102',"$ISOMediaFolder","$ISOFile") -PassThru -Wait -NoNewWindow

To use the script, you will need to download and install the Windows Automation Installation Kit (AIK) which will provide you with the oscdimg.exe utility that will be used to re-master a new ISO. You will also need a copy of Windows 2016 or any other Windows ISO that you plan to re-master and disable the EFI prompting and lastly, there are three variables in the script that you will need to update.

ISOMediaFolder = This is the full path to either the extracted or mounted Windows ISO
ISOFile = This is the path to re-master ISO
PathToOscdimg = This is the path to the location of oscdimg.exe (you can use the default it if you install AIK under C:\)

The re-mastering process should not take too long. Once the re-mastered ISO has been created, you can now boot up your VM and you should see that you are no longer prompted with the message but rather booting straight into the installer as seen in the screenshot below. Hopefully this will help others who might have a need for this in the future as I know it as not as easy to find as I had hoped for initially.

UEFI PXE boot is possible in ESXi 6.0

10/09/2015 by William Lam 20 Comments

A couple of days ago I received an interesting question from fellow colleague Paudie O’Riordan, who works over in our Storage and Availability Business Unit at VMware. He was helping a customer who was interested in PXE booting/installing ESXi using UEFI which is short for Unified Extensible Firmware Interface. Historically, we only had support for PXE booting/installing ESXi using the BIOS firmware. You also could boot an ESXi ISO using UEFI, but we did not have support for UEFI when it came to booting/installing ESXi over the network using PXE and other variants such as iPXE/gPXE.

For those of you who may not know, UEFI is meant to eventually replace the legacy BIOS firmware. There are many benefits with using UEFI over BIOS, a recent article that does a good job of explaining the differences can be found here. In doing some research and pinging a few of our ESXi experts internally, I found that UEFI PXE boot support is actually possible with ESXi 6.0. Not only is it possible to PXE boot/install ESXi 6.x using UEFI, but the changes in the EFI boot image are also backwards compatible, which means you could potentially PXE boot/install an older release of ESXi.

Note: Auto Deploy still requires legacy BIOS firmware, UEFI is not currently supported today. This is something we will be addressing in the future, so stay tuned.

Not having worked with ESXi and UEFI before, I thought this would be a great opportunity for me to give this a try in my homelab which would also allow me to document the process in case others were interested. For my PXE server, I am using CentOS 6.7 Minimal (64-Bit) which runs both the DHCP and TFTP services but you can use any distro that you are comfortable with.

Step 1 – Download and install CentOS 6.7 Minimal (64-Bit)

Step 2 – Login to the CentOS system via terminal and perform the following commands which will update the system and install the DHCP and TFTP services:

yum -y update
yum -y install dhcp tftp-server

Step 3 – Download and upload an ESXi 6.x ISO to the CentOS system. In example here, I am using latest ESXi 6.0 Update 1 image (VMware-VMvisor-Installer-6.0.0.update01-3029758.x86_64.iso).

Step 4 – Extract the contents of the ESXi ISO to the TFTP directory by running the following commands:

mount -o loop VMware-VMvisor-Installer-6.0.0.update01-3029758.x86_64.iso /mnt/
cp -rf /mnt/ /var/lib/tftpboot/esxi60u1
umount /mnt/
rm VMware-VMvisor-Installer-6.0.0.update01-3029758.x86_64.iso

Step 5 – Copy the custom ESXi bootx64.efi bootloader image to the root of the extracted ESXi directory by running the following command:

cp /var/lib/tftpboot/esxi60u1/efi/boot/bootx64.efi /var/lib/tftpboot/esxi60u1/mboot.efi

Step 6 – Next, we need to edit our DHCP configuration file /etc/dhcp/dhcpd.conf to point our hosts to the mboot.efi image. Below is an example configuration and you will need to replace it with the network configuration of your environment. If you are running the TFTP server on another system, you will need to change the next-server property to the address of that system else you will just specify the same IP Address as the DHCP server.

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
log-facility local7;
allow booting;
allow bootp;
option client-system-arch code 93 = unsigned integer 16;

class "pxeclients" {
   match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
   # specifies the TFTP Server
   next-server 192.168.1.180;
   if option client-system-arch = 00:07 or option client-system-arch = 00:09 {
      # PXE over EFI firmware
      filename = "esxi60u1/mboot.efi";
   } else {
      # PXE over BIOS firmware
      filename = "esxi60u1/pxelinux.0";
   }
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name "primp-industries.com";
    option domain-name-servers 192.168.1.1;
    host vesxi60u1 {
        hardware ethernet 00:50:56:ad:f7:4b;
        fixed-address 192.168.1.199;
    }
}

default-lease-time 600;

max-lease-time 7200;

ddns-update-style none;

authoritative;

log-facility local7;

allow booting;

allow bootp;

option client-system-arch code 93 = unsigned integer 16;

class "pxeclients" {

match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";

# specifies the TFTP Server

next-server 192.168.1.180;

if option client-system-arch = 00:07 or option client-system-arch = 00:09 {

# PXE over EFI firmware

filename = "esxi60u1/mboot.efi";

} else {

# PXE over BIOS firmware

filename = "esxi60u1/pxelinux.0";

}

subnet 192.168.1.0 netmask 255.255.255.0 {

option domain-name "primp-industries.com";

option domain-name-servers 192.168.1.1;

host vesxi60u1 {

hardware ethernet 00:50:56:ad:f7:4b;

fixed-address 192.168.1.199;

}

Step 7 – Next, we will need to edit our TFTP configuration file /etc/xinetd.d/tftp to enable the TFTP service by modifying the following line from yes to no:

disable = no

Step 8 – By default, the ESXi’s boot.cfg configuration file refers to all packages under / path. We will need to remove that reference and can easily do so by running the following command:

sed -i ‘s/\///g’ /var/lib/tftpboot/esxi60u1/boot.cfg

Step 9 – Finally, we need to restart both the TFTP (under xinetd) and DHCP services. For testing purposes, I have also disabled firewall for ipv4/ipv6, of course in a real production environment you will probably want to only open the ports required for TFTP/DHCP.

/etc/init.d/xinetd restart
/etc/init.d/dhcpd restart
/etc/init.d/iptables stop
/etc/init.d/ip6tables stop

We can now boot up either a physical host that is configured to use UEFI firmware OR we can also easily test using Nested ESXi. The only change we need to make to our ESXi VM is by setting the firmware mode from BIOS to EFI which can be done using the vSphere Web/C# Client as shown in the two screenshots below:

If everything was successfully configured, we should now see our system PXE boot into ESXi installer using UEFI as seen in the screenshot below.

If you run into any issues, I would recommend checking system logs on your PXE server (/var/log/messages) to see if there are any errors. You can also troubleshoot by manually using tftp client and connecting to your TFTP Server to ensure you are able to pull down the files such as the boot.cfg by running the following command:

tftp [PXE-SERVER]
get esxi60u1/boot.cfg

For additional resources on scripted installation of ESXi also referred to as Kickstart, be sure to take a look here. I also would like to give a big shoutout and thanks to Tim Mann, one of the Engineers responsible for adding UEFI support into ESXi and for answering some of my questions while I was setting up my environment.