With improvements to Parallels Desktop 19.3 I found myself ready to transition more of my Macintosh Rescue services to Apple Silicon so yesterday decided to virtualise my NetInstall service which was hosted on a Mac mini (2018) with an i7 processor. When macOS Sonoma was released I noticed that on the bootpd manpage the NAME section omitted NetBoot server and now only shows “bootpd – DHCP/BOOTP” ; this to me signalled that the deprecation of the NetBoot (NetInstall) service was imminent. To my surprise when I upgraded my NetBoot server to macOS Sonoma it still worked which lead me to believe that it would be fine at least until macOS 15, however I was wrong. With the macOS Sonoma 14.4 update I found that I could not get my test NetBoot clients to download their booter.
The Change
I verified that all the services were running using
sudo launchctl list | grep tftp
sudo launchctl list | grep boot
sudo launchctl list | grep nfs
sudo launchctl list | grep apache
After seeing that the services were running I started testing them individually:
- bootpd was working as the NetInstall images appear in a clients System Settings
- I was able to do mount_nfs on the NetBoot share
- I then tried to download a “test” file from /NetBoot/NetBootSP0 using tftp which appears to be the point of failure as I could not access that file.
What’s Changed in tftp
The NetBoot systems start by transferring a booter over tftp and that is via a symlink inside the /private/tftpboot folder on the server; so /private/tftpboot/NetBoot/NetBootSP0 > /Library/NetBoot/NetBootSP0
tftp is loaded by /System/Library/LaunchDaemons/tftp.plist which on a working setup will load /usr/libexec/tftp -i , on macOS 14.4 this is now /usr/libexec/tftp -s , and this is what causes the NetBoot to fail.
The -i means “Insecure” which means that tftp can use symlinks to share files outside of the tftpboot directory. -s means “Secure” and that restricts tftp strictly to serving the contents of the tftpboot folder and symlinks outside of that do not work which means that tftp cannot serve booter ‘s from /Library/NetBoot/NetBootSP0
Unfortunately due to macOS’s containerised filesystem which keeps system files read-only it is not possible to edit and save changes to /System/Library/LaunchDaemons/tftp.plist
At this point I made the decision to abandon NetBoot on macOS Sonoma and use macOS Ventura instead however there may be some workarounds (untested) for anyone determined to keep NetBoot services on macOS 14.4, until something else gets changed at least:
- You could could
cp /System/Library/LaunchDaemons/tftp.plist /Library/LaunchDaemons# then edit that changing the-ifor a-sthensudo launchctl load -w /Library/LaunchDaemons/tftp.plist# make sure you have stoped the previous tftp service first. - You could replace the NetBootSP0 symlink in
/private/tftboot/NetBootwith a real directory of the same name then copy the folder structure in the/Library/NetBoot/NetBootSP0folder and move the booter ‘s to where they correspond in the/Library/NetBoot/NetBootSP0folder; so effectively splitting your .nbi ‘s . I think this one would be very cumbersome.
My Solution
Since I’m using Parallels Desktop Pro to host my NetInstall service I have a choice of macOS releases and so I decided to use macOS Ventura which should see no new major updates, but will likely receive security updates into 2025. I shall write some documentation shortly describing how to transfer a NetBoot service to another Mac: NetInstall Service Transfer