DaemonForums  

#1
25th December 2014
J65nko (Administrator)
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
OpenBSD PXE boot and tftpd server setup

The following pxe-boot-prepare.sh script automates the manual steps to set up an OpenBSD box as a tftpd(8) server for PXE network installs.

These steps are outlined in the OpenBSD FAQ entry 6.10 - How do I boot using PXE? (i386, amd64)

The FAQ does not mention (yet) that besides an optional /etc/boot.conf the latest incarnations of the OpenBSD installer also try to retrieve an /etc/random.seed. This script generates such a file so the installer can use it.

Features:
  • Checks whether it is run with root privileges
  • Makes sure that either the 'amd64' or the 'i386' architecture has been specified
  • Uses /pxe as directory instead of the dyslexic nightmare /tftpdboot
  • If no trace of tftpd in /etc/rc.conf.local is found, it creates an entry to enable it. You can then use # /etc/rc.d/tftpd start to start the Trivial File Transfer Protocol daemon.
  • It assumes the same box also has a running web server that serves the installation files from a local directory. This directory is used as the source to copy the pxeboot and bsd.rd files into the PXE/TFTP directory.

    Although not used by the installer, the INSTALL.amd64 or INSTALL.i386 file is also copied as a reminder of which architecture the files are meant for.
  • Creates an /etc/random.seed in the PXE directory.
  • Generates an /etc/boot.conf that enables a serial console.
  • Creates a symbolic link auto_install to pxeboot so you can use autoinstall(8) for automatic installs.
  • Shows how to check if tftpd is running
  • The comment section gives some ideas about what type of pf.conf(5) rules you need to pass tftpd traffic and how dhcpd can be configured.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 25th December 2014 at 05:13 AM.
#2
25th December 2014
J65nko (Administrator)
pxe-boot-prepare.sh script

The pxe-boot-prepare.sh script:
Code:
#!/bin/sh
# (c) J65nko daemonforums.org
# ISC license
#
# ---- prepare OpenBSD box as PXE boot server
# See http://www.openbsd.org/faq/faq6.html#PXE for the details
# If you use an 'install.conf' file for autoinstall(8) read that 
# man page for additional instructions on configuring the DHCP server

if [ "$(id -u)" -ne  0 ]; then 
    echo $0 error:  Requires root privilege, sorry, bailing out .... 
    exit 10 
fi

case "$1" in
amd64 | i386 )	ARCH="$1"
		 ;;
* )             echo "$0 : Please specify architecture ('amd64' or 'i386')" 
		exit 1
		 ;;
esac

# tftpboot is a dyslexic nightmare so we select another name here ....

PXE_DIR=/pxe
WEBDIR=/home/www/snapshots/${ARCH}
COM_SPEED=19200

echo Creating ${PXE_DIR}/etc ...
mkdir -p ${PXE_DIR}/etc

# --- enable tftpd daemon in /etc/rc.conf.local

FILE=/etc/rc.conf.local
#FILE=$(basename $FILE)

echo Checking for 'tftpd_flags' setting in "${FILE}" ...

if grep 'tftpd_flags=' ${FILE} ; then
   echo Trivial File Protocol Daemon  already mentioned in "${FILE}" 
   echo So please check it .... 
else 
   echo Updating ${FILE} to enable TFTP daemon..
   cat <<-END >>${FILE}
	# --- $(date) ---
	#tftpd_flags=NO          # for normal use: "[chroot dir]
	tftpd_flags=${PXE_DIR}
END
fi

echo "Creating ${PXE_DIR}/etc/random.seed for bootloader ..."
# -- code lifted from /etc/rc
#dd if=/dev/random of=${PXE_DIR}/etc/random.seed bs=512 count=1 status=none
dd if=/dev/random of=${PXE_DIR}/etc/random.seed bs=512 count=1 
chmod 644 ${PXE_DIR}/etc/random.seed

# See boot.conf(8) for the details 
 
FILE=${PXE_DIR}/etc/boot.conf
#FILE=$(basename ${FILE})

echo Creating ${FILE} ...
cat <<END >${FILE}
time
set image bsd.rd
stty com0 ${COM_SPEED}
set
set tty com0
set
END

echo Deleting  ${PXE_DIR}/INSTALL.\* ...
rm -f ${PXE_DIR}/INSTALL.*

echo Copying  'pxeboot', 'bsd.rd' and "INSTALL.${ARCH}" from ${WEBDIR} ....
# INSTALL.${ARCH} is not needed for PXE booting
# we use it only  as indicator for architecture

# Paths are spelled out instead of using {a,b} brace expansion,
# which a strict POSIX sh does not perform
cp -p "${WEBDIR}/pxeboot" "${WEBDIR}/bsd.rd" "${WEBDIR}/INSTALL.${ARCH}" "${PXE_DIR}"

# -- for autoinstall(8). See NOTE at end of script
# Not harmful  if you don't use autoinstall

echo "For autoinstall(8) creating symbolic link ${PXE_DIR}/auto_install \
pointing to ${PXE_DIR}/pxeboot ..."
ln -sf pxeboot ${PXE_DIR}/auto_install 


cat <<END
------- contents of ${PXE_DIR} -----------
$(ls -lR ${PXE_DIR})
--- contents of ${PXE_DIR}/etc/boot.conf --
$(cat ${PXE_DIR}/etc/boot.conf)
--------------------------------------
END

cat <<END
The tftpd program is located at $(which tftpd)

Start it with:

     $(which tftpd) ${PXE_DIR}
     or
     sudo /etc/rc.d/tftpd start

Then verify with "netstat" whether TFTP daemon is at port 69:

$ netstat -an -f inet -p udp

You should see something like this:

Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  *.69                   *.*                   
-----------------------------------------------------------------------------

==== Output of "ps -aux | grep tftpd | grep -v grep":
$(ps -aux | grep tftpd | grep -v grep)

==== Output of "netstat -an -f inet -p udp":
$( netstat -an -f inet -p udp)
-----------------------------------------------------------------------------
END

#
# NOTE FOR PF USERS
#
# --- pf firewall rules for tftpd server (here 192.168.222.20)
# Like FTP, TFTP uses two communication channels. The command channel uses 
# destination port 69. The TFTP daemon listens on this port.
# A separate data channel is used to transfer data via UDP. The TFTPD server
# and client negotiate the ports, and then the server initiates this channel.
# (just like active FTP ).
#
# A) You need to allow incoming udp traffic to port 69, on which the tftpd server
#    listens:
# 
# @39 pass in quick on egress inet proto udp from 192.168.222.0/24 to any port = 69
#   [ Evaluations: 1662      Packets: 28        Bytes: 1369        States: 0     ]
#   [ Inserted: uid 0 pid 7938 State Creations: 20    ]
# 
# B) For the data transfer outgoing UDP needs to be allowed
#    Here 192.168.222.230 is the TFTP client
#
# @32 pass out quick on egress inet proto udp from 192.168.222.20 to 192.168.222.230
#   [ Evaluations: 26        Packets: 310754    Bytes: 89595798    States: 0     ]
#
# If the TFTPD server is behind a firewall, you can use tftp-proxy(8)
# 
# From https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol : 
# TFTP uses UDP as its transport protocol. A transfer request is
# always initiated targeting port 69, but the data transfer ports are
# chosen independently by the sender and receiver during the transfer
# initialization. The ports are chosen at random according to the
# parameters of the networking stack, typically from the range of
# ephemeral ports.
# ENDQUOTE
#  
# On OpenBSD  the ephemeral port range is defined
# with the following sysctl settings: 
#
#  net.inet.ip.porthifirst=49152
#  net.inet.ip.porthilast=65535
#
# However with OpenBSD TFTPD this does not seem like the case. 
# At least from my experience with PXE booting OpenBSD virtual
# guests under Linux Kernel-based Virtual Machine (KVM) as host
# So I gave up specifying a port range and just use the IP address range.
#
#
# QUOTE FROM  autoinstall(8):
#
#   On architectures where the 'filename' statement is used to provide the name
#   of the file to netboot it is necessary to create symbolic links called
#   'auto_install' and 'auto_upgrade' that point to the expected boot program and
#   to change the value of the filename statement in the dhcpd.conf(5) file
#   to be 'auto_install' or 'auto_upgrade'.
#
#    Note that in these cases, the HTTP server and TFTP server must be on the
#    same machine.
# END QUOTE
#
# DHCPD configuration example:
#
#        host pxe-client {
#                hardware ethernet  52:54:00:aa:aa:01;
#                fixed-address 192.168.222.230;
#                #filename "pxeboot";
#                filename "auto_install";
#                next-server 192.168.222.20;
#        }
#

# --- end of script ---

Last edited by J65nko; 25th December 2014 at 05:56 AM.
#3
25th December 2014
J65nko (Administrator)
Example output and Download link

Output when run:
Code:
$ sudo pxe-boot-prepare.sh amd64                                                           
Creating /pxe/etc ...
Checking for tftpd_flags setting in /etc/rc.conf.local ...
   #tftpd_flags=NO          # for normal use: "[chroot dir]
   tftpd_flags=/pxe
Trivial File Protocol Daemon already mentioned in /etc/rc.conf.local
So please check it ....
Creating /pxe/etc/random.seed for bootloader ...
1+0 records in
1+0 records out
512 bytes transferred in 0.000 secs (7529412 bytes/sec)
Creating /pxe/etc/boot.conf ...
Deleting /pxe/INSTALL.* ...
Copying pxeboot, bsd.rd and INSTALL.amd64 from /home/www/snapshots/amd64 ....
For autoinstall(8) creating symbolic link /pxe/auto_install pointing to /pxe/pxeboot ...
------- contents of /pxe -----------
total 14272
-rw-r--r--  1 root  wheel    46518 Dec 23 20:18 INSTALL.amd64
lrwxr-xr-x  1 root  wheel        7 Dec 25 05:34 auto_install -> pxeboot
-rwxr-xr-x  1 root  wheel  7552369 Dec 23 20:18 bsd.rd
drwxr-xr-x  2 root  wheel      512 Dec 18 02:56 etc
-r-xr-xr-x  1 root  wheel    80972 Dec 23 20:02 pxeboot

/pxe/etc:
total 8
-rw-r--r--  1 root  wheel   59 Dec 25 05:34 boot.conf
-rw-------  1 root  wheel  512 Dec 25 05:34 random.seed
--- contents of /pxe/etc/boot.conf --
time
set image bsd.rd
stty com0 19200
set
set tty com0
set
--------------------------------------
The tftpd program is located at /usr/sbin/tftpd

Start it with:

     /usr/sbin/tftpd /pxe
     or
     sudo /etc/rc.d/tftpd start

Then verify with "netstat" whether TFTP daemon is at port 69:

$ netstat -an -f inet -p udp

You should see something like this:

Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  *.69                   *.*                   
-----------------------------------------------------------------------------

==== Output of "ps -aux | grep tftpd | grep -v grep":
_tftpd   17590  0.0  0.1   572   624 ??  Is     7:58PM    0:00.00 /usr/sbin/tftpd /pxe

==== Output of "netstat -an -f inet -p udp":
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.20.47717   37.139.24.95.123      
udp          0      0  *.69                   *.*                   
udp          0      0  192.168.222.20.39789   129.250.35.250.123    
udp          0      0  192.168.222.20.10462   185.10.50.162.123     
udp          0      0  192.168.222.20.34057   94.228.220.14.123     
udp          0      0  *.37947                *.*                   
udp          0      0  127.0.0.10.53          *.*                   
udp          0      0  192.168.222.20.53      *.*                   
udp          0      0  127.0.0.1.53           *.*                   
udp          0      0  *.514                  *.*                   
-----------------------------------------------------------------------------
Attached Files
File Type: sh pxe-boot-prepare.sh (6.0 KB, 191 views)

Last edited by J65nko; 25th December 2014 at 05:53 AM.
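
Added example, not part of the original posts or the attached script: a read-only audit of the TFTP root that pxe-boot-prepare.sh builds. It relies on tftpd(8) serving only publicly readable files and accepting writes only to existing publicly writable ones unless -c is given, so a mode 600 random.seed like the one in the listing above is never delivered and a world-writable bsd.rd could be replaced by any client. The function name audit_pxe_dir is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the thread): read-only audit of a TFTP/PXE root.
# audit_pxe_dir is a hypothetical name; it prints one line per finding and
# returns the number of findings (0 = clean).

audit_pxe_dir() {
    dir=$1
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Files the boot loader fetches must be regular and world-readable,
    # otherwise tftpd will not hand them out.
    for f in pxeboot bsd.rd etc/boot.conf etc/random.seed; do
        if [ ! -f "$dir/$f" ]; then
            note "$f is missing or not a regular file"
        elif [ -z "$(find "$dir/$f" -perm -0004)" ]; then
            note "$f is not world-readable, tftpd will not serve it"
        fi
    done

    # The script writes the seed with dd bs=512 count=1.
    if [ -f "$dir/etc/random.seed" ]; then
        size=$(wc -c < "$dir/etc/random.seed" | tr -d ' ')
        [ "$size" -eq 512 ] || note "etc/random.seed is $size bytes, expected 512"
    fi

    # auto_install must be the relative link created by 'ln -sf pxeboot'.
    if [ ! -L "$dir/auto_install" ]; then
        note "auto_install is not a symbolic link"
    elif [ "$(readlink "$dir/auto_install")" != "pxeboot" ]; then
        note "auto_install does not point to pxeboot"
    fi

    # World-writable entries can be overwritten by any TFTP client.
    ww=$(find "$dir" ! -type l -perm -0002)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/FINDING: world-writable: /'
        findings=$((findings + $(echo "$ww" | wc -l)))
    fi
    return "$findings"
}

# Run against the directory given on the command line, e.g. /pxe
if [ $# -gt 0 ]; then
    audit_pxe_dir "$1"
fi
```

Run it as `sh audit.sh /pxe` after the prepare script (audit.sh is a placeholder file name); the exit status is the number of findings.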
#4
25th December 2014
J65nko (Administrator)
Testing TFTPD with tcpdump

babab
Tags
dhcp.conf, dhcpd, network boot, pxe boot
