[Dnsmasq-discuss] About UEFI PXE booting in proxy mode

Steven Shiau steven at nchc.org.tw
Sat Apr 1 08:07:03 BST 2017


Hi Doug,

Thanks. Simon mentioned to me: This is complicated and horrible (to
implement the mechanism). Therefore, for the moment, there is no solution
for using "pxe-service" for both uEFI network booting and PXE in proxy
mode, I believe.

Steven


On 2017/04/01 12:39, Doug Brown wrote:
> Hi Steven,
>
> No -- because of grub's current inability to detect a proxy boot with
> UEFI, I don't think it's possible to get a proxy configuration to boot
> UEFI computers with grub, unless you play around with grub-mkstandalone
> to embed grub.cfg into grub.efi. I haven't had the time to play around
> with trying to make that configuration work.
>
> Doug
>
>
> On 3/31/2017 12:45 AM, Steven Shiau wrote:
>> Hi Doug,
>>
>> Thanks. However, what you mentioned is not in the proxy mode. Have you
>> successfully enabled the proxy (relay) mode, and does it work for uEFI
>> network booting?
>>
>> Thanks.
>>
>> Steven
>>
>>
>> On 3/30/2017 PM 12:13, Doug Brown wrote:
>>> Hi Steven,
>>>
>>> If I find some free time, I might try tracing through the code to figure
>>> out why dnsmasq is throwing out the DHCP packets on port 4011 in the EFI
>>> + PXE configuration without a proxy. In the meantime, here is the
>>> configuration that works for me with dhcp-boot (assuming my dnsmasq
>>> server's IP address is 192.168.1.1):
>>>
>>> port=0
>>> log-dhcp
>>> enable-tftp
>>> tftp-root=/tftpboot
>>> dhcp-no-override
>>> dhcp-vendorclass=BIOS,PXEClient:Arch:00000
>>> dhcp-vendorclass=UEFI,PXEClient:Arch:00007
>>> dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
>>> dhcp-boot=pxelinux.0,,192.168.1.1
>>> dhcp-boot=net:UEFI,shim.efi,,192.168.1.1
>>> dhcp-boot=net:UEFI64,shim.efi,,192.168.1.1
>>> dhcp-range=ens33,192.168.1.50,192.168.1.99,10h
>>>
>>> In this example, I'm using shim-signed (named as shim.efi) and
>>> grubnetx64.efi.signed (named as grubx64.efi) from Ubuntu, and it should
>>> properly boot a UEFI computer even if it has Secure Boot enabled. Shim
>>> downloads grubx64.efi, which then downloads grub.cfg.
>>>
>>> Hope this helps!
>>> Doug
>>>
>>>
>>> On 3/28/2017 11:46 PM, Steven Shiau wrote:
>>>> Hi Doug,
>>>>
>>>> Thanks for your explanation. Simon also emailed me after my post and
>>>> let me know where the problem is. The conclusion is that this issue
>>>> seems not to be easily fixed.
>>>> So the patch for grub will be applied after grub 2.02. Before that,
>>>> could you please show me the configuration file that you confirmed
>>>> works using the dhcp-boot strategy?
>>>> Thank you very much.
>>>>
>>>> Steven
>>>>
>>>>
>>>> On 3/27/2017 AM 11:29, Doug Brown wrote:
>>>>> Hi Simon and Steven,
>>>>>
>>>>> I just found this recent thread while I was Googling for the exact
>>>>> same problem (UEFI clients won't boot in PXE mode, but BIOS clients
>>>>> will) and there was never any conclusion reached. I'm running into
>>>>> the exact same problem, and I can provide a pcap dump, which I have
>>>>> attached to this message. After the initial DHCP exchange, it shows
>>>>> four DHCP packets on port 4011 sent from the client which seem to be
>>>>> ignored by dnsmasq. Here is the configuration I am using with dnsmasq
>>>>> 2.76, based on Steven's original third example:
>>>>>
>>>>> port=0
>>>>> log-dhcp
>>>>> dhcp-no-override
>>>>> enable-tftp
>>>>> tftp-root=/tftpboot
>>>>> dhcp-range=ens33,192.168.7.100,192.168.7.200,10h
>>>>> pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
>>>>> pxe-service=BC_EFI, "Boot UEFI BC", grubx64.efi
>>>>> pxe-service=X86-64_EFI, "Boot UEFI X86-64", grubx64.efi
>>>>>
>>>>> If I switch to using the dhcp-boot strategy, everything works great
>>>>> on both BIOS and UEFI. But the above configuration using PXE doesn't
>>>>> seem to work properly with UEFI clients for some reason, and it seems
>>>>> to be a dnsmasq issue. It does work fine with BIOS clients though.
>>>>>
>>>>> I think I can answer Steven's earlier question as to why proxy PXE
>>>>> (example config #4) doesn't work with UEFI. The problem in that case
>>>>> is not due to dnsmasq at all -- it's correctly sending grub to the
>>>>> client. The problem is that grub doesn't know how to detect that it
>>>>> was loaded from a DHCP proxy, so it won't know where to download
>>>>> grub.cfg. Shim, which you can use as a first stage bootloader to load
>>>>> grub if you need to support Secure Boot, has the exact same problem.
>>>>> It only knows how to look at the original DHCP ack's boot info. The
>>>>> UEFI environment provides info about the proxy offer, but grub and
>>>>> shim don't look at it. See the following thread where a patch was
>>>>> submitted for grub:
>>>>>
>>>>> https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00051.html
>>>>>
>>>>> I think it's probably possible to work around the proxy problem by
>>>>> using grub-mkstandalone to create a version of grub.efi that has an
>>>>> embedded intermediate grub.cfg that is coded to download the real
>>>>> grub.cfg from your server, as long as you don't need Secure Boot
>>>>> support.
>>>>>
>>>>> Either way, I still think there's something wrong with dnsmasq's PXE
>>>>> support because the example config above (non-proxy) doesn't work
>>>>> with any UEFI clients that I have tested, as shown by the pcap dump
>>>>> attached. Any ideas?
>>>>>
>>>>> Thanks,
>>>>> Doug
>>>>>
>>>>> On 1/26/2017 11:16 AM, Simon Kelley wrote:
>>>>>> There's no DHCP traffic in that capture. It appears to all be ssh.
>>>>>>
>>>>>> Wrong interface?
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon.
>>>>>>
>>>>>>
>>>>>> On 24/01/17 08:50, Steven Shiau wrote:
>>>>>>> Hi Simon,
>>>>>>>
>>>>>>> Attached please find the dump file of the command "tcpdump -s 0 -w
>>>>>>> capturefile". Let me know if you need more info. Thank you very
>>>>>>> much.
>>>>>>>
>>>>>>> Steven
>>>>>>>
>>>>>>> On 1/24/2017 AM 05:25, Simon Kelley wrote:
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>> Please could you repeat the tcpdump using the command
>>>>>>>
>>>>>>> tcpdump -s 0 -w capturefile
>>>>>>>
>>>>>>> and send me the resulting file? That has far more information than
>>>>>>> tcpdump prints.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Simon.
>>>>>>>
>>>>>>> On 20/01/17 08:39, Steven Shiau wrote:
>>>>>>>>>> Hi Simon,
>>>>>>>>>>
>>>>>>>>>> Thanks for your reply. I am answering you in the following.
>>>>>>>>>>
>>>>>>>>>> On 2017/01/20 06:47, Simon Kelley wrote:
>>>>>>>>>>> Your example 3 - I'm confused why that shouldn't work - the
>>>>>>>>>>> PXE client seems to be making further requests which are
>>>>>>>>>>> being ignored. Would it be possible for you to get a packet
>>>>>>>>>>> dump of that exchange using tcpdump?
>>>>>>>>>> $ sudo tcpdump -ni ens38 'udp port 67 and udp port 68'
>>>>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>>>>>> listening on ens38, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>>>>>>> 16:18:33.208355 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 347
>>>>>>>>>> 16:18:36.205647 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
>>>>>>>>>> 16:18:36.385548 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 359
>>>>>>>>>> 16:18:36.386212 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
>>>>>>>>>> ^C
>>>>>>>>>> 4 packets captured
>>>>>>>>>> 4 packets received by filter
>>>>>>>>>> 0 packets dropped by kernel
>>>>>>>>>>
>>>>>>>>>>> Example 4 looks quite hopeful - the client is
>>>>>>>>>>> successfully downloading the bootx64.efi file (ignore the
>>>>>>>>>>> error before, that's just testing for the existence of the
>>>>>>>>>>> file).
>>>>>>>>>>>
>>>>>>>>>>> Can you see what's displayed on the client system at this
>>>>>>>>>>> point?
>>>>>>>>>> It's a blank screen because the background_image for grub is
>>>>>>>>>> not downloaded, and in the end grub shows the no grub.cfg
>>>>>>>>>> error, as attached. That format is from the grub prefix we
>>>>>>>>>> added by:
>>>>>>>>>> =======================================
>>>>>>>>>> set prefix=(tftp)/grub-efi.cfg
>>>>>>>>>> echo "Grub CPU and platform: \$grub_cpu, \$grub_platform"
>>>>>>>>>> echo 'Network status: '
>>>>>>>>>> net_ls_cards
>>>>>>>>>> net_ls_addr
>>>>>>>>>> net_ls_routes
>>>>>>>>>>
>>>>>>>>>> tr --set pretty_mac x: x- \$net_default_mac
>>>>>>>>>>
>>>>>>>>>> echo "Loading config file \$prefix/grub.cfg-01-\$pretty_mac..."
>>>>>>>>>> configfile \$prefix/grub.cfg-01-\$pretty_mac
>>>>>>>>>>
>>>>>>>>>> echo "Loading config file \$prefix/grub.cfg-\$net_default_ip..."
>>>>>>>>>> configfile \$prefix/grub.cfg-\$net_default_ip
>>>>>>>>>>
>>>>>>>>>> echo "Loading config file: \$prefix/grub.cfg"
>>>>>>>>>> configfile \$prefix/grub.cfg
>>>>>>>>>>
>>>>>>>>>> echo "Could not find config file \$prefix/grub.cfg-\$pretty_mac, \$prefix/grub.cfg-\$net_default_ip or \$prefix/grub.cfg!"
>>>>>>>>>> sleep 15
>>>>>>>>>> =======================================
>>>>>>>>>> This is exactly the same problem as mentioned here:
>>>>>>>>>>
>>>>>>>>>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010931.html
>>>>>>>>>>
>>>>>>>>>> i.e., only grub efi is downloaded, while the rest of the required
>>>>>>>>>> files are not downloaded. As I mentioned for comparison, for
>>>>>>>>>> non-proxy mode with the same configuration, it works well.
>>>>>>>>>>
>>>>>>>>>> Thanks again.
>>>>>>>>>>
>>>>>>>>>> Steven
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Dnsmasq-discuss mailing list
>>>>>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

-- 
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0  8796 11C1 12DA 47CF 935C
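
The tag matching that the dhcp-vendorclass and dhcp-boot lines in the quoted dhcp-boot configuration rely on, as an added Python example that is not part of the thread and is not dnsmasq code: it parses DHCP option 60 from a raw payload and picks the boot file. The substring match, the preference for a tagged dhcp-boot over the untagged one, and the vendor-class strings in the sample packets are assumptions made for illustration; the packets are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

# (tag, substring) pairs mirroring the dhcp-vendorclass lines in the thread.
VENDOR_TAGS = [("BIOS", "PXEClient:Arch:00000"),
               ("UEFI", "PXEClient:Arch:00007"),
               ("UEFI64", "PXEClient:Arch:00009")]
# Mirrors dhcp-boot: None is the untagged default, the rest are net:<tag> entries.
BOOT_FILES = {None: "pxelinux.0", "UEFI": "shim.efi", "UEFI64": "shim.efi"}

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def select_boot_file(payload: bytes):
    """Return (tags, boot_file) for a client, modelled on the quoted config."""
    vendor = parse_options(payload).get(60, b"").decode("ascii", "replace")
    # Assumption: a tag is set when its string occurs anywhere in option 60.
    tags = {tag for tag, needle in VENDOR_TAGS if needle in vendor}
    for tag in ("UEFI64", "UEFI"):  # a matching tagged entry wins over the default
        if tag in tags:
            return tags, BOOT_FILES[tag]
    return tags, BOOT_FILES[None]   # untagged dhcp-boot applies to everyone else

def make_discover(vendor_class: str) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER with options 53 and 60."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(232)
    vc = vendor_class.encode("ascii")
    return header + MAGIC + bytes([53, 1, 1, 60, len(vc)]) + vc + b"\xff"
```

Because the boot file is chosen from a string the client supplies, a client that sends no PXE vendor class still falls through to the untagged entry in this model.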



