DHCP Proxy for FOG
-
Hey Devs,
lately I have spent some time figuring out dnsmasq’s proxy mode and its PXE capabilities. I guess you all knew this already but I needed to see this live and in the source code to fully comprehend:
- dnsmasq’s dhcp-match is very powerful - almost like ISC-DHCP’s class matching definitions
- MacOS booting (BSDP) and serving different iPXE binaries depending on the client platform (BIOS/UEFI) is possible BUT only in non proxy mode
- As soon as you turn on proxy mode you are left alone with dnsmasq’s pxe-service directive which does not handle MacOS and PC UEFI well
So what are we left with from my point of view:
- Use ISC/Windows/dnsmasq (non proxy mode) DHCP. They are all capable of serving BIOS/UEFI as well as MacOS (untested with Windows DHCP) but won’t work for people who cannot modify their DHCP server
- Use Crucible proxyDHCP (I am still testing this but it seems to do a pretty good job)
- Implement our own DHCP Proxy
There are interesting projects we could use as a starting point: https://github.com/psychomario/pypxe or https://github.com/gmoro/proxyDHCPd if we want to go with Python. Or Crucible proxyDHCP if we want to go with Mono/C#.
I am very interested to see what you all think of this. Where should we head?
-
I’m going to ask Simon Kelly about supporting EFI. If he doesn’t want to do it, I’ll take a look at the source and see how scary it looks.
Beyond that, I’d lean towards CrucibleWDS ProxyDHCP and port it to Mono, hit the build button and just see what happens.
-
It already builds with Mono…
-
Hi all, I’m the dev of CrucibleWDS proxy, let me know if you need any assistance with this. The latest version adds support for booting pc and apple devices together, it also supports Apple’s native NBI netboot process as well as iPXE. It is actually named CloneDeploy Proxy DHCP now. Here is the latest source.
https://github.com/cdadmin/clonedeploy/tree/master/clonedeploy_proxy_dhcp
and latest binary
http://sourceforge.net/projects/cruciblewds/files/testing/cd_proxy_1.0.0.zip/download
I have been using this reliably on CentOS and BSD for some time now. I can attach my init script if necessary.
-
-
Yes it works fine with Mono, you can just run the already compiled binary with Mono. I had a chat with Tom last night and he said someone in your group is going to try and improve it. Sounds good to me. I will attach my init script a little later so you can run it as a service.
-
@Uncle-Frank in the long run (for FOG 2.0) it’d be best to have a proxy dhcp written in Node.js in order to ensure universal compatibility. Judging by my initial impressions from CloneDeploy’s solution, it shouldn’t be overly difficult or unreasonable to achieve.
-
@Jbob Yeah, good point! You are absolutely right that if we are going to build a DHCP proxy we better have FOG 2.0 in mind and head that way.
A quick search revealed several projects which show that it shouldn’t be too hard to do: https://github.com/glaszig/node-dhcpd, https://github.com/apaprocki/node-dhcpjs, https://github.com/buschtoens/dhcp
And we could also use it in FOG 1.3.0 I reckon! What do you think?
-
@Uncle-Frank said:
And we could also use it in FOG 1.3.0 I reckon! What do you think?
That would be pretty amazing…
I’m just thinking right now of all the issues people here on the forums have with DHCP and ProxyDHCP - not having access to this or that, not having the correct configuration for this or that, and trying to get UEFI to work with dnsmasq… Having our own built in would be great.
However, I’d still say we should be able to turn it on or off - and pick if we want it or not via the install script. I would still rather use DHCP at work rather than ProxyDHCP for the moment. But in the same thought, I’d rather have ProxyDHCP at home simply because my little Cisco small business router uses a lot less power than a tower computer - and I have our critical internet access equipment (cable modem, router, access point) all on battery backup.
-
Message: 7
Date: Mon, 5 Oct 2015 22:53:50 +0100
From: Simon Kelley simon@thekelleys.org.uk
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems
Message-ID: 5612F16E.2040007@thekelleys.org.uk
Content-Type: text/plain; charset=windows-1252
The problem is known, but not the solution. I did start working on that
about six months ago, but got bogged down in creating a test system.
What would be really useful would be to find an implementation that
works with UEFI and proxy DHCP, and getting for packet captures to show
what should be sent.
Cheers,
Simon.
On 03/10/15 01:03, Wayne Workman wrote:
Hello,
I’ve been trying to get dnsmasq to work as ProxyDHCP with UEFI enabled
systems. So far I’ve not had much luck.
I originally thought it was a configuration issue, so I tried to include
every single architecture type and hand out an .efi file to it. I’ve
confirmed that DHCP Option 067 does get passed to the clients but they
simply will not network boot.
This is the configuration I was trying:
port=0
log-dhcp
tftp-root=/tftpboot
dhcp-boot=,10.0.0.3,10.0.0.3
dhcp-option=17,/images
dhcp-option=vendor:PXEClient,6,2b
dhcp-no-override
pxe-prompt=“Press F8 for boot menu”, 3
pxe-service=X86PC, ?Boot from network?, ipxe
pxe-service=PC98, ?Boot from network? ipxe
pxe-service=IA64_EFI, ?Boot from network?, ipxe
pxe-service=Alpha, ?Boot from network?, ipxe
pxe-service=Arc_x86, ?Boot from network?, ipxe
pxe-service=Intel_Lean_Client, ?Boot from network?, ipxe
pxe-service=IA32_EFI, ?Boot from network?, ipxe
pxe-service=BC_EFI, ?Boot from network?, ipxe
pxe-service=Xscale_EFI, ?Boot from network?, ipxe
pxe-service=X86-64_EFI, ?Boot from network?, ipxe
dhcp-range=10.0.0.3,proxy
I’m trying to get this going for fogproject.org
There is an ongoing conversation about it here:
https://forums.fogproject.org/topic/4628/undionly-kpxe-and-ipxe-efi
Thanks for any help, it would be greatly appreciated.
Wayne
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
-
I’m going to send him to CloneDeploy Proxy DHCP
-
Great to hear that he’s been onto this. But still I think it would be good to get our own proxy up as changes in dnsmasq will take months and years till they reach upstream in debian and all the other systems. What do you think?
Yeah, pointing him to CloneDeploy Proxy DHCP is definitely a good hint. I am pretty sure that it has to do with the PXE prompt which dnsmasq always sends (you cannot do PXE in proxy mode without it as far as I understand the source code) but most UEFI firmwares don’t seem to like it.
Edit: And dnsmasq does not allow dhcp-match in proxy mode which makes it impossible to use with Mac OS clients.
-
@Uncle-Frank I think we should still press forward with our own build of ProxyDHCP.
I just wanted to press the issue with dnsmasq and get the ball rolling - because I’d like to see a working ProxyDHCP included in Linux repos and OSs in the future.
More options are better than less options.
-
There is a little update on this topic. Although I didn’t have much time I’ve been playing with Node.js/Javascript code in the last two weeks and I have a pre-alpha version of a DHCP Proxy running. It’s able to attend my local isc-dhcpd as a proxy to boot normal BIOS PCs via PXE. The code is a big mess and there are still a lot of things to consider (EFI, MacOS and so forth) but we are on our way.
-
Next update on this: I ran into an annoying issue with the PXE ROM we have in most of our client PCs (Intel 82579LM GbE). Still working on this together with the iPXE devs. But BIOS and UEFI are both working!
-
This has FOG written all over it… just found this in my in-box from the dnsmasq newsletter (Simon sends them out about every day).
---------- Forwarded message ----------
From: <dnsmasq-discuss-request@lists.thekelleys.org.uk>
Date: Nov 18, 2015 1:28 PM
Subject: Dnsmasq-discuss Digest, Vol 126, Issue 14
To: <dnsmasq-discuss@lists.thekelleys.org.uk>
Message: 1
Date: Wed, 18 Nov 2015 15:54:30 +0100
From: Michael Kuron <michael-lists@physcip.uni-stuttgart.de>
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] dnsmasq proxy with uefi pxe not working
Message-ID: <4D80900C-DB61-4F15-8179-3ED0B4361308@physcip.uni-stuttgart.de>
Content-Type: text/plain; charset="utf-8"
In proxy mode, you can leave out the dhcp-boot lines. Also, note that some hardware incorrectly reports an architecture of 9 (BC_EFI) instead of 7 (X86-64_EFI), so in general you'll need to have lines for both in your config.
I assume you're using my patch from October 31st? The pxe-service line for EFI should not have a file extension, .efi is added automatically. Also, I've never needed dhcp-no-override or dhcp-option in proxy mode.
A Wireshark trace on UDP ports 67, 68, 69 and 4011 is generally the most useful thing to help you debug the issue. Check if the server address and file name are correctly sent to the client and make sure it requests the TFTP download correctly. The log output you sent looks fine.
Michael
> On 17.11.2015, at 20:48, Louis Garcia <louisgtwo@gmail.com> wrote:
>
> I have a dns proxy running on F23 and configured for older BIOS pxe and all is working. On newer uefi I get a ip assigned and get to the "Press F8 for the Menu." After that everything quits and returns to the bios. Here is some info. If there are more debugging options let me know? I am running dnsmasq-2.75 with a patch from Michael Kuron earlier on this list.
>
>
> /etc/dnsmasq.conf
>
> # Configuration file for dnsmasq:
>
> # Turn on the debugging
> log-dhcp
>
> # Don't function as a DNS server
> port=0
>
> # kill multicast
> dhcp-option=vendor:PXEClient,6,2b
>
> # Disable re-use of the DHCP servername and filename fields as extra
> # option space. That's to avoid confusing some old or broken DHCP clients.
> dhcp-no-override
>
> # This range(s) is for the public interface, where dnsmasq functions
> # as a proxy DHCP server providing boot information but no IP leases.
> # Any ip in the subnet will do, so you may just put your server NIC ip here.
> dhcp-range=192.168.0.5,proxy
>
> # Set the boot filename for netboot/PXE. You will only need this if you want to
> # boot machines over the network and you will need the built in TFTP server.
>
> # BIOS PXE clients
> dhcp-boot=pxelinux.0
>
> # UEFI PXE clients
> dhcp-match=set:efi-x86_64,option:client-arch,7
> dhcp-boot=tag:efi-x86_64,uefi/shim.efi
>
> #pxe-prompt="What system shall I netboot?", timeout before first available action is taken:
> pxe-prompt="Press F8 for the Menu.", 5
>
> #Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
> pxe-service=x86PC, "Install Fedora Workstation, (BIOS)", pxelinux
>
> #Loads <tftp-root>/uefi/shim.efi from dnsmasq TFTP server.
> pxe-service=X86-64_EFI, "Boot From Network, (UEFI)", uefi/shim.efi
>
> # Enable dnsmasq's built-in TFTP server
> enable-tftp
>
> # Set the root directory for files available via FTP.
> tftp-root=/srv/tftpboot
>
>
> logs:
>
> systemd[1]: Started DNS caching server..
> dnsmasq[1897]: started, version 2.75 DNS disabled
> systemd[1]: Starting DNS caching server....
> dnsmasq[1897]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq-dhcp[1897]: DHCP, proxy on subnet 192.168.0.5
> dnsmasq-tftp[1897]: TFTP root is /srv/tftpboot
> dnsmasq-dhcp[1897]: 1005692705 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 1005692705 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 1005692705 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 1005692705 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 1005692705 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 1005692705 broadcast response
> dnsmasq-dhcp[1897]: 1005692705 sent size: 1 option: 53 message-type 2
> dnsmasq-dhcp[1897]: 1005692705 sent size: 4 option: 54 server-identifier 192.168.0.5
> dnsmasq-dhcp[1897]: 1005692705 sent size: 9 option: 60 vendor-class 50:58:45:43:6c:69:65:6e:74
> dnsmasq-dhcp[1897]: 1005692705 sent size: 17 option: 97 client-machine-id 00:00:3f:65:c8:77:72:e3:11:93:4d:b8:ae:ed...
> dnsmasq-dhcp[1897]: 1005692705 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 1005692705 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 378552196 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 378552196 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 378552196 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 378552196 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 378552196 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 378552196 sent size: 1 option: 53 message-type 5
> dnsmasq-dhcp[1897]: 378552196 sent size: 4 option: 54 server-identifier 192.168.0.5
> dnsmasq-dhcp[1897]: 378552196 sent size: 9 option: 60 vendor-class 50:58:45:43:6c:69:65:6e:74
> dnsmasq-dhcp[1897]: 378552196 sent size: 17 option: 97 client-machine-id 00:00:3f:65:c8:77:72:e3:11:93:4d:b8:ae:ed...
> dnsmasq-dhcp[1897]: 378552196 sent size: 38 option: 43 vendor-encap 06:01:08:0a:1d:05:50:72:65:73:73:20:46:38...
> dnsmasq-dhcp[1897]: 1005692706 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 1005692706 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 1005692706 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 1005692706 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 1005692706 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 1005692706 broadcast response
> dnsmasq-dhcp[1897]: 1005692706 sent size: 1 option: 53 message-type 2
> dnsmasq-dhcp[1897]: 1005692706 sent size: 4 option: 54 server-identifier 192.168.0.5
> dnsmasq-dhcp[1897]: 1005692706 sent size: 9 option: 60 vendor-class 50:58:45:43:6c:69:65:6e:74
> dnsmasq-dhcp[1897]: 1005692706 sent size: 17 option: 97 client-machine-id 00:00:3f:65:c8:77:72:e3:11:93:4d:b8:ae:ed...
> dnsmasq-dhcp[1897]: 1005692706 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 1005692706 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 735833248 available DHCP subnet: 192.168.0.5/255.255.255.0
> dnsmasq-dhcp[1897]: 735833248 vendor class: PXEClient:Arch:00007:UNDI:003016
> dnsmasq-dhcp[1897]: 735833248 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 735833248 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 735833248 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 735833248 sent size: 1 option: 53 message-type 5
> dnsmasq-dhcp[1897]: 735833248 sent size: 4 option: 54 server-identifier 192.168.0.5
> dnsmasq-dhcp[1897]: 735833248 sent size: 9 option: 60 vendor-class 50:58:45:43:6c:69:65:6e:74
> dnsmasq-dhcp[1897]: 735833248 sent size: 17 option: 97 client-machine-id 00:00:3f:65:c8:77:72:e3:11:93:4d:b8:ae:ed...
> dnsmasq-dhcp[1897]: 735833248 sent size: 38 option: 43 vendor-encap 06:01:08:0a:1d:05:50:72:65:73:73:20:46:38...
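Added example, not part of the thread and not code from dnsmasq or node-dhcproxy: a Node.js sketch that decodes the PXE sub-options in the option 43 `vendor-encap` bytes from the log quoted above and reads the client architecture from the option 60 vendor class. All function names are illustrative; the sub-option numbers are those of the PXE 2.1 specification.

```javascript
'use strict';
// Added example (names are illustrative): decode the PXE sub-options carried in
// DHCP option 43, which dnsmasq's log-dhcp prints as "vendor-encap".
// Sub-option numbers are those of the PXE 2.1 specification.
const PXE_TAGS = { 6: 'DISCOVERY_CONTROL', 8: 'BOOT_SERVERS', 9: 'BOOT_MENU',
                   10: 'MENU_PROMPT', 71: 'BOOT_ITEM' };

// Turn "06:01:08:..." into bytes; the log cuts long values off with "...".
function parseLogHex(text) {
  const cut = text.endsWith('...');
  const hex = (cut ? text.slice(0, -3) : text).replace(/:/g, '');
  return { bytes: Buffer.from(hex, 'hex'), cut };
}

function decodePxeVendorOptions(buf) {
  const out = [];
  let i = 0;
  while (i < buf.length && buf[i] !== 255) {       // 255 = end marker
    const tag = buf[i];
    if (tag === 0) { i += 1; continue; }           // 0 = pad byte, no length
    const len = i + 1 < buf.length ? buf[i + 1] : 0;
    const value = buf.subarray(i + 2, i + 2 + len);
    const entry = { tag, name: PXE_TAGS[tag] || 'UNKNOWN', declaredLength: len,
                    truncated: i + 1 >= buf.length || value.length < len };
    if (tag === 6 && value.length >= 1) {
      // Bit 3: boot the file named in the offer without prompt or menu.
      entry.bootWithoutPrompt = (value[0] & 0x08) !== 0;
    }
    if (tag === 10 && value.length >= 1) {
      entry.timeoutSeconds = value[0];             // first byte is the timeout
      entry.prompt = value.subarray(1).toString('latin1');
    }
    out.push(entry);
    i += 2 + len;
  }
  return out;
}

// Option 60 has the form "PXEClient:Arch:00007:UNDI:003016".
function clientArch(vendorClass) {
  const m = /^PXEClient:Arch:(\d{5})/.exec(vendorClass);
  return m ? Number(m[1]) : null;
}

// The reply above notes that some firmware reports 9 (BC_EFI) instead of
// 7 (X86-64_EFI), so a proxy has to treat both as 64-bit UEFI.
const isX64Efi = (arch) => arch === 7 || arch === 9;

// Values copied from the log quoted above (the option 43 dump is cut off there).
const logged = parseLogHex('06:01:08:0a:1d:05:50:72:65:73:73:20:46:38...');
console.log(decodePxeVendorOptions(logged.bytes), 'cut:', logged.cut);
console.log(isX64Efi(clientArch('PXEClient:Arch:00007:UNDI:003016')));
```

Run against a full capture of option 43 (for example from the Wireshark trace suggested above), the same decoder shows whether a reply carries a menu prompt at all, which is the field suspected in this thread of upsetting UEFI firmware.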
-
Thanks for sharing this! Interesting that this guy actually sees the “Press F8 for the Menu.” coming up. Most EFI machines don’t like the menu option sent by dnsmasq. See here: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q1/009296.html
There is a little update on the dhcproxy I am working on. I got Mac OS X working as well. Status: BIOS-ok, UEFI-ok, Mac OS X-ok
Code is still a mess and this is just my setup/machines. Hope someone is willing to give this a try at some point. Send me a message if you’re keen.
-
@Sebastian-Roth Not sure if you’re still working on this but I’d really like to test. I’m building a server for my work and I have to use ProxyDHCP in our network.
-
@TheOverseer Thanks for asking! I didn’t have much time for the proxy DHCP stuff lately (as I’ll be moving and changing my job soon). I will try to give the code a bit of a cleanup in the next couple of days and will let you know. It’s written in javascript to run with node.js. Are you familiar with node.js? Installing modules with npm…?
-
@TheOverseer Sorry, took me a while to get things sorted. Here you can find the current version on github now (still alpha): https://github.com/FOGProject/node-dhcproxy
Should run on linux and windows after installing node.js. Extract the archive and take a look at README file for some more details. Run as root on linux (needed to listen on port 67).
Would be great if you can give some feedback on how this is working for you.