dnsmasq.conf: TFTP configuration improvement

[Stell0]

The dnsmasq.conf template creates for each interface a tftp configuration with IP specified from the interface. But it also creates a default global configuration if TFTP is enabled. This configuration takes the first green address, which is wrong because it should create a line for each interface. Since there is routing between greens, everything works fine anyway (unless the first green is disabled)

Steps to reproduce

• enable tftp in dnsmasq (config setprop dnsmasq tftp-status enabled)
• expand template and restart dnsmasq signal-event nethserver-dnsmasq-update
• check /etc/dnsmasq.conf

Expected behavior

I'd expect a tftp section to be like

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-option=tag:e0,option:tftp-server,"192.168.11.1"
dhcp-option=tag:e2,option:tftp-server,"192.168.5.1"

Actual behavior

This is the current:

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-option=66,"192.168.11.1"

Components

nethserver-dnsmasq-1.6.6-1.ns7.noarch

See also

https://github.com/nethesis/dev/issues/5502

[Stell0]

Test case 1:

• enable tftp in dnsmasq if it isn't config setprop dnsmasq tftp-status enabled
• expand template and restart dnsmasq signal-event nethserver-dnsmasq-update
• check that devices receive correct option 66

Test case 2:

• set a custom tftp server from NethServer interface
• check that devices receive correct option 66

[stephdl]

does it is ready for testing, I saw the QA but not the testing flag ?

[Stell0]

Not yet, PR isn't merged.

[nethbot]

in 7.5.1804/testing:

• nethserver-dnsmasq-1.6.6-1.4.g3801a2f.ns7.noarch.rpm

[stephdl]

Verification

• case 1 Failed state because the output is not what the QA expects : check that devices receive correct option 66

# rpm -qa | grep dnsmasq
nethserver-dnsmasq-1.6.6-1.ns7.noarch
dnsmasq-2.76-5.el7.x86_64

 config setprop dnsmasq tftp-status enabled
signal-event nethserver-dnsmasq-update

# cat /etc/dnsmasq.conf

#
# 30dhcp
#

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:eth0,192.168.56.1,192.168.56.254,255.255.255.0,86400
dhcp-option=tag:eth0,option:router,192.168.56.11
dhcp-lease-max=253

# Should be set when dnsmasq is definitely the only DHCP server on a
# network.
dhcp-authoritative

# Read dhcp reservations from dhcp-hostsfile. 
# See dhcp-hosts option for more informations.
dhcp-hostsfile=/etc/dnsmasq-dhcp-hosts

#
# 40bind
#
except-interface=enp0s3
except-interface=virbr0

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
# 
# server=//

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-option=66,"192.168.56.11"

upgrade to testing

# rpm -qa | grep dnsmasq
dnsmasq-2.76-5.el7.x86_64
nethserver-dnsmasq-1.6.6-1.4.g3801a2f.ns7.noarch

# cat /etc/dnsmasq.conf

#
# 30dhcp
#

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:eth0,192.168.56.1,192.168.56.254,255.255.255.0,86400
dhcp-option=tag:eth0,option:router,192.168.56.11
dhcp-option=tag:eth0,option:tftp-server,"192.168.56.11"
dhcp-lease-max=253

# Should be set when dnsmasq is definitely the only DHCP server on a
# network.
dhcp-authoritative

# Read dhcp reservations from dhcp-hostsfile. 
# See dhcp-hosts option for more informations.
dhcp-hostsfile=/etc/dnsmasq-dhcp-hosts

#
# 40bind
#
except-interface=enp0s3
except-interface=virbr0

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
# 
# server=//

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot

[stephdl]

VERIFICATION

• case2 Failed state because the QA states : check that devices receive correct option 66

# db dhcp show
eth0=range
    DhcpDNS=
    DhcpDomain=
    DhcpGatewayIP=
    DhcpLeaseTime=
    DhcpNTP=
    DhcpRangeEnd=192.168.56.254
    DhcpRangeStart=192.168.56.100
    DhcpTFTP=192.168.56.12
    DhcpWINS=
    status=enabled

# cat /etc/dnsmasq.conf

#
# 30dhcp
#

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:eth0,192.168.56.100,192.168.56.254,255.255.255.0,86400
dhcp-option=tag:eth0,option:router,192.168.56.11
dhcp-option=tag:eth0,option:tftp-server,"192.168.56.12"
dhcp-lease-max=154

# Should be set when dnsmasq is definitely the only DHCP server on a
# network.
dhcp-authoritative

# Read dhcp reservations from dhcp-hostsfile. 
# See dhcp-hosts option for more informations.
dhcp-hostsfile=/etc/dnsmasq-dhcp-hosts

#
# 40bind
#
except-interface=enp0s3
except-interface=virbr0

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
# 
# server=//

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot

[Stell0]

the row

dhcp-option=tag:eth0,option:tftp-server,"192.168.56.12"

should send option 66 to clients. Can you try to sniff a dhcp response using wireshark to see if option 66 is actually sent to clients?

[stephdl]

@Stell0 check the png, no 66 options

[gsanchietti]

Test case 2 verified. Test case 1 failed: if tftp-status is set to enabled, blue interfaces do not expose the option 66

How to test it:

• start tcpdump on the server machine:

  tcpdump -vvv -i <interface> -s 1500 -nn port 67 and port 68

  On DHCP request, the response packet must contain a string like this:

  sname "192.168.56.100"[|bootp]

• use nmap on the client machine:

  yum install nmap -y
  wget https://svn.nmap.org/nmap/scripts/dhcp-discover.nse
  nmap -sU -p 67 --script=dhcp-discover.nse <server_ip>

  See also: https://nmap.org/nsedoc/scripts/dhcp-discover.html

[stephdl]

Verification

• created a tftp server with a gateway (two nics)
• start a vm with PXE
• tcdump the conversation

you can see the 66 otpions in the discover and the offer transaction

[nethbot]

in 7.5.1804/testing:

• nethserver-dnsmasq-1.6.6-1.6.g6db7b64.ns7.noarch.rpm

[stephdl]

verification 2 of https://github.com/NethServer/nethserver-dnsmasq/pull/15

# db dhcp show enp0s9

enp0s9=range
    DhcpDNS=
    DhcpDomain=
    DhcpGatewayIP=
    DhcpLeaseTime=
    DhcpNTP=
    DhcpRangeEnd=192.168.57.254
    DhcpRangeStart=192.168.57.1
    DhcpTFTP=192.168.59.1
    DhcpWINS=
    status=enabled

# db networks show enp0s9

enp0s9=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    ipaddr=192.168.57.1
    netmask=255.255.255.0
    role=blue

# cat /etc/dnsmasq.conf

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:brdef,192.168.56.100,192.168.56.254,255.255.255.0,86400
dhcp-option=tag:brdef,option:router,192.168.56.11
dhcp-option=tag:brdef,option:tftp-server,192.168.56.11
dhcp-range=set:enp0s9,192.168.57.1,192.168.57.254,255.255.255.0,86400
dhcp-option=tag:enp0s9,option:router,192.168.57.1
dhcp-option=tag:enp0s9,option:tftp-server,"192.168.59.1"
dhcp-lease-max=407

# Should be set when dnsmasq is definitely the only DHCP server on a
# network.
dhcp-authoritative

# Read dhcp reservations from dhcp-hostsfile. 
# See dhcp-hosts option for more informations.
dhcp-hostsfile=/etc/dnsmasq-dhcp-hosts

#
# 40bind
#
except-interface=enp0s3
except-interface=virbr0

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
# 
# server=//

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot

set verified

[nethbot]

in 7.5.1804/updates:

• nethserver-dnsmasq-1.6.7-1.ns7.noarch.rpm