pxe: arch-aware NBP + undionly.kpxe for legacy BIOS clients

Legacy-BIOS PXE clients booting Blancco reported "NBP is too big to fit in free base memory". Cause: dnsmasq unconditionally served ipxe.efi (~675KB EFI binary) which legacy BIOS PXE ROMs cannot execute and which exceeds their NBP cap. Fix: - Add undionly.kpxe (~70KB BIOS-mode iPXE, from boot.ipxe.org). - dnsmasq: dhcp-match on option:client-arch,0 (BIOS) -> undionly.kpxe; default (everything else, including UEFI x86_64 arch 7 and 9) keeps getting ipxe.efi. Tag form is reversible: if the match fails to evaluate, fallback is the working EFI path, not the new binary. - Ansible TFTP-copy loop: mirror undionly.kpxe alongside ipxe.efi. - .gitignore exception: track the open-source kpxe binary so the air-gapped USB build stays self-contained. UEFI clients unchanged. Blancco/Clonezilla/WinPE chain after the iPXE menu is identical regardless of which iPXE variant delivered it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 15:13:44 -04:00
parent 3896667c90
commit adc8d50e66
3 changed files with 17 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,10 @@ boot-tools/

 # WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
 boot-files/
+# Exception: track undionly.kpxe (open-source iPXE BIOS-mode NBP for
+# legacy PXE clients, ~70KB, from boot.ipxe.org). Makes air-gapped USB
+# build self-contained without a separate fetch step.
+!boot-files/undionly.kpxe

 # Python wheels for offline install (built by download-packages.sh)
 pip-wheels/
--- a/boot-files/undionly.kpxe
+++ b/boot-files/undionly.kpxe
--- a/playbook/pxe_server_setup.yml
+++ b/playbook/pxe_server_setup.yml
@@ -163,7 +163,15 @@
          # dhcp-option=6,8.8.8.8
          enable-tftp
          tftp-root={{ tftp_dir }}
-          dhcp-boot=ipxe.efi
+          # Arch-aware NBP: legacy BIOS PXE ROMs (client-arch=0) cannot run
+          # the EFI iPXE binary and report "NBP is too big to fit in free
+          # base memory" because ipxe.efi (~675KB) exceeds the BIOS PXE
+          # NBP cap. Serve undionly.kpxe (~70KB, BIOS-mode iPXE) to them
+          # instead. Everything else (UEFI x86_64 = arch 7 or 9, plus any
+          # future arches) keeps getting ipxe.efi - default-safe.
+          dhcp-match=set:bios,option:client-arch,0
+          dhcp-boot=tag:bios,undionly.kpxe
+          dhcp-boot=tag:!bios,ipxe.efi
          log-dhcp
          # Per-lease state cleanup: flush conntrack + port-445 sockets for
          # the client IP on add/del. Prevents "System error 53" when a PXE
@@ -727,6 +735,7 @@
        mode: '0755'
      loop:
        - ipxe.efi
+        - undionly.kpxe
      ignore_errors: yes

    - name: "Copy boot tool files from USB (Clonezilla, Blancco, Memtest)"