Installing a PXE server using dnsmasq

Written by Robert

This installation is based on Debian 9.

This manual requires two network cards: one for accessing the storage where the PXE files are kept, the other for serving DHCP, TFTP and FTP, which our PXE setup requires.

Debian installation

Install Debian as usual.

systemctl stop systemd-timesyncd
systemctl disable systemd-timesyncd

Network configuration

We need to set up a static IP for the network card that is used as the DHCP server.

vim /etc/network/interfaces

Add the following configuration:

allow-hotplug enp2s0
iface enp2s0 inet static
address 10.10.205.2
netmask 255.255.255.0
gateway 10.10.205.1

Change the network settings to whatever works in your environment.

TFTP

TFTP is handled by dnsmasq. The root directory of the TFTP part is specified in the configuration below. We do need to create the right directory:

mkdir /export
chmod 755 /export
echo user_allow_other >> /etc/fuse.conf
chown root:fuse /etc/fuse.conf
chmod 640 /etc/fuse.conf

Dnsmasq

Installation

apt-get install dnsmasq

Configuration

Back up the original files:

cd /etc/
cp dnsmasq.conf dnsmasq.conf.original
cp -r dnsmasq.d dnsmasq.d.original

Open the dnsmasq.conf file:

vim dnsmasq.conf

Add the following lines, adjusting them where needed:

except-interface=eno1 # this excludes that specific interface
listen-address=10.10.205.2 # your IP address
port=0 # disables the dns features
user=root # which user the service runs at
group=root # which group the service runs at
log-facility=/var/log/dnsmasq.log # I want logs
log-queries # for debugging
dhcp-range=enp2s0,10.10.205.120,10.10.205.200,255.255.255.0,1h # on interface, change accordingly, with range from - to, netmask and lease time
dhcp-option=3,10.10.205.1 # specifies the gateway
dhcp-boot=pxelinux.0 # filename for pxe boot
enable-tftp # we need tftp for pxe boot
tftp-root=/export/ # where the tftp files are
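
A pre-flight check for the values in this configuration, as an added example that is not part of the original guide: it confirms that the dhcp-range start and end lie in the same /24 as listen-address and are in ascending order, and that the dhcp-boot file exists under tftp-root. The function names conf_get and check_pxe_conf are hypothetical, and the /24 assumption follows the netmask used above.

```shell
#!/bin/sh
# Added example: sanity-check the PXE-related lines of a dnsmasq.conf.
# Assumes a /24 network as in the guide; function names are hypothetical.

# Print the value of "key=value", dropping any trailing "# comment".
conf_get() {
    sed -n "s/^$2=\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

check_pxe_conf() {
    conf=$1; rc=0
    listen=$(conf_get "$conf" listen-address)
    range=$(conf_get "$conf" dhcp-range)
    root=$(conf_get "$conf" tftp-root)
    boot=$(conf_get "$conf" dhcp-boot)
    # dhcp-range=<interface>,<start>,<end>,<netmask>,<lease>
    start=$(echo "$range" | cut -d, -f2)
    end=$(echo "$range" | cut -d, -f3)
    for ip in "$start" "$end"; do
        if ! echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "FAIL: '$ip' in dhcp-range is not a dotted-quad address"; rc=1
        elif [ "${ip%.*}" != "${listen%.*}" ]; then
            echo "FAIL: $ip is outside the /24 of listen-address $listen"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ] && [ "${start##*.}" -ge "${end##*.}" ]; then
        echo "FAIL: range start $start is not below range end $end"; rc=1
    fi
    if [ ! -f "${root%/}/$boot" ]; then
        echo "FAIL: boot file ${root%/}/$boot not found"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample: a throwaway TFTP root and a config with a reversed range.
demo=$(mktemp -d)
touch "$demo/pxelinux.0"
cat > "$demo/dnsmasq.conf" <<EOF
listen-address=10.10.205.2 # your IP address
dhcp-range=enp2s0,10.10.205.200,10.10.205.120,255.255.255.0,1h
dhcp-boot=pxelinux.0
tftp-root=$demo/
EOF
check_pxe_conf "$demo/dnsmasq.conf" || echo "fix the config before restarting dnsmasq"
```

dnsmasq --test checks the syntax of the file; this check looks at the values, so the two complement each other.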

FTP

The way our setup works is that PXE boots directly from TFTP, but configurations are pulled from an FTP server. Because of this, we need to set up an anonymous FTP server. This way, we don't need authentication to pull configuration files from the server.

Installation

apt-get install proftpd-basic

Configuration

First we make a backup of the standard configuration:

cd /etc
cp -r proftpd proftpd.original

Let's set up the anonymous settings:

vim /etc/proftpd/conf.d/anon.conf

Add the following lines:

<Anonymous ~ftpuser>
# default ftp user
User ftp
# default ftp user group
Group ftp
# alias anonymous as ftp user
UserAlias anonymous ftp
# all files belong to ftp
DirFakeUser on ftp
DirFakeGroup on ftp
# Don't require a shell, ftp user doesn't need one
RequireValidShell off
# Finetune clients yourself, you can add more
Maxclients 10
# No writing
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>

Set up global settings:

vim /etc/proftpd/conf.d/custom.conf

Add the following lines:

# Users don't require valid shell accounts
<Global>
RequireValidShell off
</Global>
# I don't require IPv6
UseIPv6 off
DefaultRoot ~ ftpuser
# limit login to the ftpuser group
<Limit LOGIN>
DenyGroup !ftpuser
</Limit>

Set up TLS settings to prevent authentication issues with the FTP client:

vim /etc/proftpd/conf.d/tls.conf

Add the following lines:

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
TLSRSACertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
TLSVerifyClient off
TLSRequired off
</IfModule>

Auto mounting sshfs

On the new PXE server:

useradd -m -s /bin/false autossh
su - autossh -s /bin/bash
ssh-keygen

Add the following line to the beginning of id_rsa.pub:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty

There should be a space between that line and ssh-rsa.

On the server that shares the SSH directory:

useradd -m sshfs

Log in as the sshfs user:

su - sshfs -s /bin/bash
cat .ssh/id_rsa.pub > .ssh/authorized_keys
chown sshfs:sshfs /home/sshfs -R
chmod o-rwx /home/sshfs -R
chmod go-w /home/sshfs
chmod 700 /home/sshfs/.ssh
chmod 644 /home/sshfs/.ssh/authorized_keys
chown sshfs:sshfs /home/sshfs/.ssh/authorized_keys
chown sshfs:sshfs /home/sshfs/.ssh
exit
service sshd restart
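
The key restriction from the steps above, as an added example that is not part of the original guide: restrict_key puts the option list in front of a public-key line, and audit_authorized_keys reports any key in an authorized_keys file that lacks one of the restrictions. Both function names are hypothetical, and the key blobs in the sample are placeholders.

```shell
#!/bin/sh
# Added example: build and audit restricted authorized_keys entries.
# Function names are hypothetical; the option list is the one from this guide.
OPTS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty"

# Emit a public-key line with $OPTS in front, separated by one space.
# A line that already starts with options is passed through unchanged.
restrict_key() {
    case $1 in
        ssh-*|ecdsa-*|sk-*) printf '%s %s\n' "$OPTS" "$1" ;;
        *)                  printf '%s\n' "$1" ;;
    esac
}

# Exit non-zero if any key in the file lacks one of the restrictions.
# "restrict" (OpenSSH 7.2+) is accepted because it implies all five.
audit_authorized_keys() {
    awk -v need="$OPTS" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        opts = ""
        # Everything before "<keytype> AAAA..." is the options field.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) break
            opts = opts $i
        }
        hay = "," opts ","
        missing = ""
        n = split(need, req, ",")
        if (index(hay, ",restrict,") == 0)
            for (j = 1; j <= n; j++)
                if (index(hay, "," req[j] ",") == 0) missing = missing " " req[j]
        if (missing != "") { printf "line %d: missing%s\n", NR, missing; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample: the key blobs are placeholders, not real keys.
sample=$(mktemp)
{
    restrict_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder autossh@pxe"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder unrestricted@example"
} > "$sample"
audit_authorized_keys "$sample" || echo "unrestricted key found in $sample"
```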

Mount the SSH directory:

sshfs -p 21112 sshfs@10.10.205.2:/usr/data/export /export -o allow_other

The folder should now be mounted. Now we need to mount this automatically.

Before we do this, we need to unmount it. Exit out of the user and unmount the folder:

umount /export

Because I want this mounted as a user, I'm going to use the crontab to mount it. Due to an issue with crontab under Debian, I'm going to let it wait a minute before mounting the folder.

As a root user, switch to the autossh user:

su - autossh -s /bin/bash

Add the following lines to mount.sh:

#!/bin/bash
sshfs -p 21112 sshfs@10.10.205.2:/usr/data/export /export -o allow_other

Now make the file executable:

chmod +x mount.sh

Let's add it to the crontab:

crontab -e

Add the following line:

@reboot sleep 60 && /home/autossh/mount.sh >> /home/autossh/mount.log 2>&1

After a reboot, the folder should be automatically mounted.

NFS

We need to install the software first:

apt-get install nfs-common
apt-get install nfs-kernel-server

Now we can set it up.

vim /etc/exports

Add the following line:

/export/ 10.10.199.0/24(ro,async,no_root_squash,no_subtree_check,fsid=1)

Let's restart the service:

systemctl restart nfs-server.service

From another machine, we can now check if the export directory is visible:

root@computer:/etc# showmount -e 10.10.205.131
Export list for 10.10.205.131:
/export 10.10.199.0/24
