Hands on: Configuring Apple's NetBoot service, Part 1

Apple's NetBoot technology has been a staple part of Mac OS X Server since the latter's original release. NetBoot allows Mac clients to start and run applications using a server-hosted disk image instead of a physically mounted drive.

This allows consistency across large numbers of machines without software or updates having to be physically deployed on those clients. It can also provide an alternative boot mechanism if a Mac's internal hard drive fails or for troubleshooting problems. Technicians can easily boot from a NetBoot image that includes various troubleshooting tools.

All files that are created or modified during a NetBoot session -- including those created or modified by users, applications or the operating system -- are written to a shadow file stored either on the client's internal hard drive or on the server hosting the image. The shadow file allows system processes and applications that need to modify files as part of their operation to do so. The shadow file is destroyed when the computer is shut down or rebooted, so that the NetBoot client always returns to the configuration of the disk image.

NetBoot delivers a consistent configuration that users can't permanently modify, and the ability for administrators to modify a NetBoot disk image that can be deployed to all NetBoot clients. These characteristics make NetBoot an excellent platform for computers used in classrooms, computer labs and kiosks.

In addition to NetBoot, Mac OS X Server also provides NetInstall, which functions very much like NetBoot. The difference is that after NetInstall clients process the Mac OS X boot and kernel files, they do not continue booting from a Mac OS X disk image. Instead, clients will boot into the Mac OS X installer utility. This utility will then install either the contents of an existing disk image onto the client's hard drive or it will access a network-based copy of the Mac OS X install CD/DVD. The client will then proceed with the standard process for installing Mac OS X.

NetInstall images can be made from the Mac OS X install media or from an existing hard drive. If install media is used as the source for the image, NetInstall will behave much as if a user had booted from the install CD/DVD and will go through the standard installation process. If a hard drive image was used, NetInstall will clone that image onto the client's internal hard drive.

This offers an excellent way to deploy Mac OS X configurations, complete with installed applications and preferences, directly onto the hard drives of Mac clients. This is an excellent solution when you don't want the network or server overhead of a continuous NetBoot but need a simple way to roll out custom machine configurations either en masse as part of a new deployment, or individually as a troubleshooting method for problem machines.

System requirements

As you might expect, booting computers over the network using NetBoot or NetInstall requires a reasonably fast network. For its part, 100BaseT Ethernet of any sort will be enough for up to 10 clients. Apple recommends fully switched 100BaseT for 10 to 50 clients and Gigabit Ethernet for anything more than 50 clients. Even at the basic level, a faster network will result in better performance.

NetBoot does not work over wireless networks.

Client requirements are essentially the same as they are for Mac OS X in general: 128MB of RAM minimum. Hardware support for NetBoot was introduced with the original iMac in 1998 and has been included with all Macs released since, including Apple's Xserve.

Because NetBoot is a network-intensive service, it is best to use dedicated servers rather than running NetBoot with other services. In particular, network home directories and Open Directory services should be provided by servers other than NetBoot servers because of the demands that these services place on a server. A network environment that employs network home directories and Open Directory user accounts (hosted by servers other than the NetBoot server), however, work very well with NetBoot. They provide a way for users to easily save files without the effort of copying them to a server. This provides a consistent user experience across multiple computers, because user desktop and configuration files are stored in clients' home directories.

NetBoot process

Apple's NetBoot process differs from other network boot technologies and is based around a protocol called Boot Server Discovery Protocol (BSDP) that was loosely developed from Dynamic Host Configuration Protocol (DHCP) and BootP. The process relies on BSDP, DHCP and Trivial File Transfer Protocol (TFTP) to load Mac OS X boot files onto a client. It also relies on network broadcasts to locate available servers, meaning that it functions best when servers are located on the same subnet as clients.

Note: It is possible, though not always easy, to use NetBoot across subnets. Mike Bombich has developed a tool that simplifies the process somewhat.

The NetBoot/NetInstall process involves the following steps:

  • The computer is instructed to boot using NetBoot. This can be specified in the Startup Disk pane in System Preferences on the computer, or by certain start-up key combinations. For example, N will instruct the computer to boot from the first available NetBoot server. The Option key will display the Mac boot picker, which will include any bootable drives connected to the computer, as well as disk images from any available NetBoot servers.
  • The computer uses DHCP to request an IP address and related information for the NetBoot process.
  • The computer broadcasts a BSDP request on the local subnet to locate a NetBoot server; if a specific NetBoot image was specified, that information will be in the request.
  • NetBoot servers respond to the BSDP request with the server's IP address, along with information about the location of the appropriate disk image; if no image was specified, clients are directed to the image identified as the default image.
  • The computer uses TFTP to download the boot ROM file and initiate the Mac boot process.
  • The computer mounts and loads the appropriate image using either HTTP or Network File System (NFS); in general NFS is preferred and performs faster.
  • If the image is a NetBoot image, it fully loads Mac OS X and requests an IP address for the session via DHCP. If it is a NetInstall image, it launches the installer utility.

During the NetBoot process, clients will display a globe icon, which identifies that they are starting from a NetBoot or NetInstall image rather than from a local drive. If a NetBoot image is selected as a start-up disk and the server or image is not available, the computer will hang at start-up but will eventually time out and boot from a local disk if one is available. Detailed information about BSDP is available here.

NetBoot share points

NetBoot uses special share points and folders to host images and server-based shadow files. These share points are created automatically by the NetBoot service. When setting up the service, you can specify which available volumes will host NetBoot share points, which are created in /Library/NetBoot. The share point for images is called NetBootSPn, and the share point for clients is called NetBootClientsn, where n is the volume number of the hard drive or partition. The NetBoot image share point is shared by both Apple File Protocol (AFP) and NFS, while the shadow file share point is only shared or accessed using AFP.

Note: Booting Macs using Mac OS 9 images, no longer a common practice, relies on AFP.

When NetBoot images are created, the actual image file and related configuration files are stored in a folder containing the name of the image with an .nbi extension. This identifies the folder as containing a NetBoot image set. Traditionally, these folders, which are created with System Image Utility, are stored on the server that is running the NetBoot service. System Image Utility is installed along with Mac OS X Server.

It is possible, however, to store the NetBoot and NetInstall images on other NFS or HTTP servers. The images must still be created using System Image Utility, however; this creates the configuration files and .nbi folder on the NetBoot server, where they must continue to reside. The configuration files will then include a path to the image's location on the remote server. Once created, images must then be copied to the remote server.

When multiple volumes are enabled to host NetBoot share points, the service can perform load balancing. For client shadow files, the files are dynamically distributed among the share points as each client connects to the server. For image files, you must manually store the same image on each share point. Once that is done, the service will distribute the load by directing each client to each share point in sequential order.

If you're using multiple volumes for load balancing, ensure that the volumes are separate physical drives connected with different buses. Using two separate partitions of the same drive, for example, provides no advantage in performance and may actually slow access.

Load balancing can also be performed among multiple NetBoot servers, with all servers hosting the same images. To implement load balancing on a single server or across multiple servers, the numeric image ID assigned to the image during creation must be the same. When using multiple servers, use an image ID in the range of 4096 to 65535, because this identifies the image as being hosted by multiple servers. Lower numbers identify the image as being available only from a single server.

When selecting the image as a start-up disk, only one instance of a load-balanced image will be displayed.

Note: Part 2 of this series will cover the creation and management of images in greater detail.

Setting up the NetBoot service

Both NetBoot and NetInstall are managed by the NetBoot service. Administration of the service itself is performed with the Server Admin utility. This utility comes preinstalled with Mac OS X Server, and it can be installed from the Admin Tools disk (also included with OS X Server) on another Mac for remote management. The System Image Utility is used to create and manage the actual images. Before configuring the NetBoot service, however, it is important to ensure that the file services on which it depends are themselves configured and running. These file services can include NFS, HTTP, AFP and, if needed, server-based shadow files.

To configure the NetBoot service, launch Server Admin and select NetBoot for the appropriate server in the Computers & Services list; then select the settings pane (see Figure 1). The NetBoot service has four settings tabs: General, Images, Filters and Logging. Most of the administration process is handled with the General and Images tabs.

The General tab (Figure 1) allows you to select which active network ports the server will listen on for BSDP requests. If you have a server with multiple network ports, you can select any or all of them. If your network uses multiple subnets or virtual LANs, you can connect each port to a different network segment; this will allow a single server to provide NetBoot services to clients in various portions of your network.

The General tab also lists all available volumes and allows you to choose which ones will host NetBoot share points. As mentioned earlier, you should make sure each share point is hosted on a separate physical drive. If you use a separate boot volume, you will probably not want to use it for hosting share points. Ideally, NetBoot share points should be hosted on a RAID array or on a storage-area network to provide optimal performance. You can also specify the maximum number of AFP connections that NetBoot will support.

The Images tab (see Figure 2) displays the list of available images. You can use this tab to view information about each image, as well as to enable or disable images and to select the default image for the server. The default image is the one that will be used by clients when no image is identified, such as when the computer is started by holding down the N key.

The Filters tab allows you to restrict which computers are allowed to start up from images hosted on your NetBoot server. You can either explicitly block or explicitly allow computers access to the NetBoot service based on their MAC address. This tab also includes a search tool for locating MAC addresses of computers based on their host name; the tool also provides an option for importing a list of MAC addresses from a file. When creating images, you can also limit the ability to boot from a specific image to specific Apple hardware models.

The Logging tab allows you to configure what types of events are included in the service's logs. You can select all events, errors and warnings, or errors only. Once you have configured the various settings tabs and ensured that the needed file services are running, click the "Start Service" button in the toolbar to start the NetBoot process.

In addition to the Settings pane, you can select the buttons at the bottom of the NetBoot service's display to see an overview of the NetBoot service, a list of current clients and the service's logs. The overview displays the types of images being hosted and lets you know whether they are active. It also displays the status of the various services on which NetBoot relies.

Part 2 of this series will cover the process of creating NetBoot and NetInstall image sets using System Image Utility, as well as the process of maintaining and updating existing images.

Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of O'Reilly's Essential Mac OS X Panther Server Administration. You can find more information about Ryan, his consulting services and his recently published work at www.ryanfaas.com and can e-mail him at ryan@ryanfaas.com.

Enterprise mobility 2018: UEM is the next step
Shop Tech Products at Amazon