aldengolab/pxe-grub-persistent-server-pattern
skills/pxe-grub-persistent-server-pattern/SKILL.md
Design pattern for running a persistent PXE/TFTP server that safely coexists with already-installed nodes. Use when: building PXE infrastructure that should stay always-on, designing automated bare-metal provisioning in GitOps/Kubernetes environments, or any PXE setup where UEFI boot order has network boot first. Eliminates boot loops without requiring UEFI firmware changes.
development
Updated Apr 10, 2026
$ install --global
skillsauthnpx skillsauth add aldengolab/lorist pxe-grub-persistent-server-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 10, 2026, 3:32 AM107.9s2 files scanned
SKILL.md
- name:
- pxe-grub-persistent-server-pattern
- description:
- |
- with already-installed nodes. Use when:
- building PXE infrastructure that should
- author:
- Claude Code
- version:
- 1.0.0
- date:
- 2026-04-08
PXE GRUB Persistent Server Pattern
Problem
PXE servers typically require manual lifecycle management -- scale up to provision, scale down after. If left running, installed nodes re-enter the installer on reboot because UEFI boot order has network boot first.
Context / Trigger Conditions
- Designing PXE infrastructure for a datacenter, homelab, or cloud bare-metal
- PXE server is managed by GitOps (ArgoCD, Flux) with selfHeal/reconciliation
- UEFI firmware on target nodes has PXE as first boot option
- Want zero-touch operation after initial setup
Solution
The Pattern: GRUB Default-to-Exit
Make the GRUB menu default to an exit entry that returns control to UEFI firmware,
which then boots from the next entry (local disk):
set timeout=5
set default=0
menuentry "Boot from local disk" {
exit
}
menuentry "Install Ubuntu" {
linux /vmlinuz ...
initrd /initrd
}
How It Works
Installed node reboots
-> UEFI: PXE boot (first in order)
-> dnsmasq: responds with BOOTx64.EFI
-> shim -> GRUB -> shows menu
-> 5s timeout -> "Boot from local disk" (default)
-> GRUB exit -> UEFI: next boot entry -> local disk
-> Ubuntu boots normally
For new nodes, an operator selects "Install Ubuntu" during the 5s window.
Why Not efibootmgr?
efibootmgr modifies UEFI NVRAM to change boot order. In practice:
- Behavior varies across firmware implementations
curtin in-targetchroot doesn't mount/sys/firmware/efi/efivars- Running outside chroot in autoinstall late-commands is fragile
- Some firmware ignores or resets programmatic boot order changes
The GRUB exit pattern works at the bootloader level, which is firmware-agnostic.
GitOps Integration
With this pattern, the PXE server can run permanently:
- Set
replicas: 1in Helm values (not 0) - ArgoCD selfHeal won't disrupt provisioning by scaling down
- No manual
kubectl scaleneeded before/after provisioning - First-boot scripts on new nodes can always reach the provisioning API
Verification
- Installed node: PXE boots -> GRUB menu -> 5s -> boots locally (no intervention)
- New node: PXE boots -> GRUB menu -> operator selects install -> installer starts
Troubleshooting
When things go wrong, read references/troubleshooting.md for symptom-based diagnostics:
- Installed nodes re-enter installer despite default-to-exit
- Node boots locally but adds 5s delay on every reboot
- GitOps (ArgoCD) keeps scaling PXE server to 0
- New node can't select "Install" in time
Notes
- Adjust timeout for your environment (5s is good for console access, increase for remote KVM/IPMI where there's more latency)
- This pattern works with any GRUB-based PXE chain, not just Ubuntu
- For fully automated (no-operator) provisioning, extend the GRUB config to query
a provisioning API via GRUB's
httpmodule and auto-select based on MAC status - Alternative: dnsmasq MAC-based filtering (only respond to known-new MACs), but requires maintaining an allowlist and doesn't solve the boot-order problem
Related Skills
aldengolab/ubuntu-secureboot-pxe-netboot
development
VerifiedTrustedCommunity
Build a UEFI Secure Boot PXE netboot server for Ubuntu autoinstall. Use when: designing or implementing network boot infrastructure for automated Ubuntu provisioning with Secure Boot enabled. Covers the complete chain: signed shim+GRUB selection, TFTP layout, kernel parameters, autoinstall config requirements, and post-install bootstrapping scripts. Also applicable when debugging an existing PXE setup that uses the wrong GRUB binary or config paths.
SKILL.mdUpdated Apr 10, 2026
aldengolab/orwell-clear-writing
development
VerifiedTrustedCommunity
This skill governs all prose output — Claude's own responses, documentation, PR descriptions, commit messages, README content, comments, and any text the user asks to draft or edit. It should also be used when the user asks to "review my writing", "edit this for clarity", "make this clearer", "simplify this text", "rewrite this", "check my prose", "tighten this up", or "make this more concise". Based on George Orwell's "Politics and the English Language" (1946).
SKILL.mdUpdated Apr 10, 2026
aldengolab/k8s-hostnetwork-port-conflict
development
VerifiedTrustedCommunity
Debug Kubernetes pods using hostNetwork: true that crash with "Address already in use" or "failed to create listening socket for port N". Use when: (1) a hostNetwork pod container is in CrashLoopBackOff and logs show a port bind failure, (2) the port works fine in non-hostNetwork pods but fails with hostNetwork, (3) you need to identify which host-level process holds a port from within Kubernetes (no SSH). Covers /proc/net/udp inspection and kubectl debug node with nsenter.
SKILL.mdUpdated Apr 10, 2026
aldengolab/plan-review
development
VerifiedTrustedCommunity
Adversarial 3-stage review of an implementation plan before execution — checks completeness, security/best-practices, and multi-agent implementability. Use this skill whenever the user wants to validate, review, stress-test, or check an existing implementation plan before building or executing it. Trigger on phrases like "review the plan", "stress-test the plan", "is this plan ready", "check the plan", "validate the plan", "go through the plan", "find what's wrong with the plan", "is this ready for agents", "can subagents execute this", or any request to find gaps, security issues, or underspecified tasks in a plan that has already been written. Also trigger when the user has just finished /plan-implementation and is about to run /autonomous-plan-execution — the plan should be reviewed first. This skill is specifically for reviewing EXISTING plans, not for writing new ones (use plan-implementation for that), not for code review or PR review (use code-review for that), and not for debugging or post-deployment issues. If the user mentions a plan file, says "before we build", or asks whether phases can be parallelized, this skill almost certainly applies.
SKILL.mdUpdated Apr 3, 2026