DOCTEAM-2151 core.efi embedded prefix limitation and guidance for multi-environment sub-directory PXE setups

articles/sles-pxe-server-setup.asm.xml

@@ -45,10 +45,17 @@
     <merge>
       <title>Setting Up a PXE Boot Server</title>
       <revhistory xml:id="rh-sles-pxe-server-setup">
+        <revision><date>2026-03-30</date>
+          <revdescription>
+            <para>
+              Added a note on <filename>core.efi</filename> prefix limitation and guidance for multi-environment subdirectory PXE setups
+            </para>
+          </revdescription>
+        </revision>
         <revision><date>2026-03-18</date>
           <revdescription>
             <para>
-              Added note clarifying that TFTP is mandatory for ppc64le architectures
+              Added a note clarifying that TFTP is mandatory for &ppc64le; architectures
             </para>
           </revdescription>
         </revision>

tasks/sles-pxe-server-configure-grub2.xml

@@ -79,8 +79,8 @@
   <section xml:id="sles-pxe-server-configure-grub2-main-config">
     <title>Creating the &grub; configuration</title>
     <para>
-      The &grub; configuration file handles three main tasks: detecting the client's architecture, 
-      managing network interfaces and loading other configuration files. This modular 
+      The &grub; configuration file handles three main tasks: detecting the client's architecture,
+      managing network interfaces and loading other configuration files. This modular
       approach provides flexibility for different deployment scenarios.
     </para>
     <procedure xml:id="proc-create-main-grub-config">
@@ -663,6 +663,70 @@ EOF
       </procedure>
     </section>
   </section>
+  <section xml:id="sles-pxe-server-grub2-troubleshoot-multi-env">
+   <title>Multi-environment subdirectory setups</title>
+   <para>
+    If you want to serve multiple independent PXE environments from subdirectories under one TFTP root (for example,
+    <filename>/srv/tftpboot/<replaceable>ENV1</replaceable>/boot/...</filename> and
+    <filename>/srv/tftpboot/<replaceable>ENV2</replaceable>/boot/...</filename>), the standard
+    <filename>/boot</filename> prefix used throughout this guide must be replaced with your custom
+    prefix consistently in all of the following places. Missing even one will cause boot failures.
+   </para>
+   <itemizedlist>
+    <listitem>
+     <para>
+       <emphasis role="bold">DHCP boot file name</emphasis>&mdash;the boot filename delivered to the
+       client must include the custom prefix. For example,
+       <filename>/<replaceable>ENV1</replaceable>/boot/grub2/x86_64-efi/bootx64.efi</filename>.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <emphasis role="bold">nginx location alias</emphasis>&mdash;the <literal>location /boot</literal>
+      block in <filename>/etc/nginx/nginx.conf</filename> must be updated to expose the custom
+      prefix path.
+     </para>
+     </listitem>
+     <listitem>
+      <para>
+       <emphasis role="bold"><filename>grub.cfg</filename> source paths</emphasis>&mdash;the hardcoded
+       absolute paths inside <filename>/srv/tftpboot/boot/grub2/grub.cfg</filename>:
+      </para>
+<screen>source "${config}/${net_default_mac}/grub.cfg"</screen>
+<screen>source "${prefix}/menu.cfg"</screen>
+      <para>
+       Both must be updated to use the custom prefix.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <emphasis role="bold"><filename>menu.cfg</filename> paths</emphasis>&mdash;all
+       <filename>/boot/images/...</filename> paths inside <filename>menu.cfg</filename> must be
+       updated to use the custom prefix.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <emphasis role="bold">Per-MAC host configurations</emphasis>&mdash;if you use machine-specific configurations, the
+       <literal>source "/boot/grub2/menu.cfg"</literal> line inside each per-MAC <filename>grub.cfg</filename> must also be updated to use the custom prefix.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <emphasis role="bold">&selnx; file context</emphasis>&mdash;run <command>restorecon</command> on your custom path:
+      </para>
+<screen>&prompt.sudo;<command>restorecon -Rv /srv/tftpboot/<replaceable>ENV1</replaceable></command></screen>
+     </listitem>
+     <listitem>
+      <para>
+       <emphasis role="bold">&selnx; policy</emphasis>&mdash; running <command>setsebool -P
+       httpd_serve_cobbler_files=1</command> only covers the standard <filename>/boot</filename>
+       path. A custom &selnx; policy is required for a non-standard prefix. Use <command>ausearch -m avc -ts recent</command>
+       to identify denials and create the appropriate policy module.
+      </para>
+     </listitem>
+   </itemizedlist>
+  </section>
   <section xml:id="sles-pxe-server-configure-grub2-next-steps">
     <title>Next steps</title>
     <para>

tasks/sles-pxe-server-netboot-directories-uefi-secure-boot.xml

@@ -127,8 +127,22 @@
           <filename>/srv/tftpboot/boot/grub2/<replaceable>ARCH</replaceable>-efi/core.efi</filename>
           file installed by the <command>grub2-mknetdir</command> command for &x86-64; or &aarch64;
           architectures for UEFI PXE as well. However, they are <emphasis>not signed</emphasis> and
-          do not support &uefisecboot;. To optionally enable &uefisecboot; for the supported
-          &x86-64; and &aarch64; architectures, perform any of the following steps:
+          do not support &uefisecboot;.
+        </para>
+        <note>
+         <title><filename>core.efi</filename> and subdirectory setups</title>
+         <para>
+           The <filename>core.efi</filename> file generated by <command>grub2-mknetdir</command>
+           has <filename>/boot/grub2</filename> hardcoded as an embedded prefix. &grub; always
+           fetches modules and configuration from this prefix relative to the TFTP root,
+           regardless of where <filename>core.efi</filename> itself was loaded from. If you need
+           to serve multiple environments from subdirectories under one TFTP root, use
+           <filename>shim</filename> and <filename>grub.efi</filename> from the installation
+           media ISO or the <package>shim</package> package instead, as described below.
+         </para>
+        </note>
+        <para>
+         To optionally enable &uefisecboot; for the supported &x86-64; and &aarch64; architectures, perform any of the following steps:
         </para>
         <stepalternatives>
           <step>