End of NetInstall on macOS Sonoma 14.4

With the improvements in Parallels Desktop 19.3 I found myself ready to transition more of my Macintosh Rescue services to Apple Silicon, so yesterday I decided to virtualise my NetInstall service, which had been hosted on a Mac mini (2018) with an i7 processor. When macOS Sonoma was released I noticed that the NAME section of the bootpd manpage no longer mentioned the NetBoot server and now only shows “bootpd – DHCP/BOOTP”; to me this signalled that deprecation of the NetBoot (NetInstall) service was imminent. To my surprise, when I upgraded my NetBoot server to macOS Sonoma it still worked, which led me to believe it would be fine at least until macOS 15. I was wrong: after the macOS Sonoma 14.4 update I found that my test NetBoot clients could no longer download their booter.

The Change

I verified that all the services were running using

sudo launchctl list | grep tftp

sudo launchctl list | grep boot

sudo launchctl list | grep nfs

sudo launchctl list | grep apache

After seeing that the services were running I started testing them individually:

  • bootpd was working, as the NetInstall images appear in a client's System Settings
  • I was able to do mount_nfs on the NetBoot share
  • I then tried to download a “test” file from /NetBoot/NetBootSP0 using tftp which appears to be the point of failure as I could not access that file.

What’s Changed in tftp

NetBoot clients start by transferring a booter over tftp, and on the server that booter is reached via a symlink inside the /private/tftpboot folder: /private/tftpboot/NetBoot/NetBootSP0 -> /Library/NetBoot/NetBootSP0

tftp is loaded by /System/Library/LaunchDaemons/tftp.plist, which on a working setup runs /usr/libexec/tftp -i; on macOS 14.4 this is now /usr/libexec/tftp -s, and that is what causes NetBoot to fail.

The -i means “Insecure”, i.e. tftp may follow symlinks to share files outside the tftpboot directory. -s means “Secure” and restricts tftp strictly to serving the contents of the tftpboot folder; symlinks pointing outside it no longer resolve, so tftp cannot serve booters from /Library/NetBoot/NetBootSP0.

Unfortunately, because macOS keeps the system volume read-only, it is not possible to edit and save changes to /System/Library/LaunchDaemons/tftp.plist.

At this point I decided to abandon NetBoot on macOS Sonoma and use macOS Ventura instead. However, there may be some (untested) workarounds for anyone determined to keep NetBoot services on macOS 14.4, at least until something else gets changed:

  • You could cp /System/Library/LaunchDaemons/tftp.plist /Library/LaunchDaemons, then edit that copy changing the -s back to -i, then sudo launchctl load -w /Library/LaunchDaemons/tftp.plist # make sure you have stopped the previous tftp service first.
  • You could replace the NetBootSP0 symlink in /private/tftpboot/NetBoot with a real directory of the same name, copy the folder structure of /Library/NetBoot/NetBootSP0 into it, and move the booters to the corresponding places; this effectively splits each .nbi in two. I think this one would be very cumbersome.
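As an added diagnostic (not from the original post, and not Apple's tooling), the script below answers the two questions raised above before you touch a live server: which flag the tftp LaunchDaemon actually passes, and whether a booter path still resolves inside the tftp root under -s. The directory layout and the plist it builds are constructed replicas of the post's paths, created in a temp directory.

```shell
#!/bin/sh
# Report "secure" (-s), "insecure" (-i) or "unknown" from the ProgramArguments
# array of the plist given as $1.
tftp_mode() {
  args=$(sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$1" \
         | grep -o '<string>[^<]*</string>' | sed 's/<[^>]*>//g' | tr '\n' ' ')
  case " $args " in
    *" -s "*) echo secure ;;
    *" -i "*) echo insecure ;;
    *)        echo unknown ;;
  esac
}

# Physical path of $1 with every symlink resolved (portable; no readlink -f).
real_path() {
  if [ -d "$1" ]; then (cd -P "$1" && pwd -P)
  else (cd -P "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
  fi
}

# "served" if $2 resolves inside the tftp root $1 (what -s still allows),
# "outside" if the resolved path escapes the root (what -s now refuses).
secure_mode_reach() {
  [ -e "$2" ] || { echo missing; return 0; }
  root=$(real_path "$1"); target=$(real_path "$2")
  case "$target" in
    "$root"/*) echo served ;;
    *)         echo outside ;;
  esac
}

# Constructed replica of the post's layout plus a 14.4-style plist, under a
# temp dir; echoes that dir. Nothing here touches the real /private or /System.
build_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/Library/NetBoot/NetBootSP0" "$d/private/tftpboot/NetBoot"
  : > "$d/Library/NetBoot/NetBootSP0/booter"
  ln -s "$d/Library/NetBoot/NetBootSP0" "$d/private/tftpboot/NetBoot/NetBootSP0"
  cat > "$d/tftp.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ProgramArguments</key><array>
<string>/usr/libexec/tftp</string><string>-s</string><string>/private/tftpboot</string>
</array></dict></plist>
EOF
  echo "$d"
}
```

On a real server, point tftp_mode at /System/Library/LaunchDaemons/tftp.plist (or at the copy in /Library/LaunchDaemons after editing it) and secure_mode_reach at /private/tftpboot and the booter path a client requests.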

My Solution

Since I’m using Parallels Desktop Pro to host my NetInstall service I have a choice of macOS releases and so I decided to use macOS Ventura which should see no new major updates, but will likely receive security updates into 2025. I shall write some documentation shortly describing how to transfer a NetBoot service to another Mac: NetInstall Service Transfer
