[ipxe-devel] ipxe-devel Digest, Vol 41, Issue 10

Jim Antoniou jantoniou at gmail.com
Tue Oct 15 17:18:10 UTC 2013


> That said, let me explain the real situation ...
>
> The IT guys already have one DHCP server running per subnet. (for network
> booting)
>
> I want to deploy my own PXE booting network, parallel to theirs to try
> out iPXE.
> (which would point the PXE clients to *my* installation server, rather
> than theirs.)
>
> Having this feature allows me to test an alternate configuration even
> when the machine's MAC address is present in the IT network.
>
> Regards,
> Shantanu

You can sorta, kinda do this with proxyDHCP but it still requires the
cooperation of your network team unless you're just doing this on one
subnet that has a proxyDHCP server running.

I'm with others and would not at all suggest you try to usurp the existing
network boot process, but you can try this out, say, in a self-contained VM
network (VirtualBox, VMware, etc.).  You could run a conventional DHCP
server (ISC, dnsmasq, etc.) from one VM, try out a proxyDHCP server in
another VM, then try the network boot process from a third VM to get an idea
of how this works.

dnsmasq is the only proxyDHCP server I am aware of that works reliably.
Here's a dnsmasq configuration I've created for an iPXE-centric tool I'm
working on:

port=0
log-dhcp
# tag requests that carry DHCP option 175, which only iPXE sends
dhcp-match=set:ipxe,175
# iPXE vendor option 175 with encapsulated sub-option 8 set to 1
dhcp-option=175,8:1:1
# iPXE clients get the boot script over HTTP; plain PXE ROMs chain-load ipxe.0 first
dhcp-boot=tag:ipxe,http://yourbootserver.domain.com/boot/ipxeboot/${net0/mac}
dhcp-boot=tag:!ipxe,ipxe.0
enable-tftp
tftp-root=/tftpboot
# proxy ranges: hand out boot parameters only, never addresses
dhcp-range=192.168.0.0,proxy,255.255.0.0
dhcp-range=10.0.0.0,proxy,255.0.0.0
dhcp-range=172.16.0.0,proxy,255.255.0.0
pxe-service=tag:!ipxe,x86PC,"Network Boot Environment",ipxe-native

In a real-world production environment you'd have to have a DHCP relay
(i.e., ip helper) for every subnet pointing to this proxyDHCP server to
pass network boot parameters.  You can have multiple IP helpers per subnet
so you could have one that actually hands the DHCP config and the other
that just passes proxyDHCP network boot parameters; example:

interface Vlan50
 ip address 10.1.50.2 255.255.255.0
 ! your standard company DHCP server
 ip helper-address 10.1.1.5
 ! your proxyDHCP server running dnsmasq
 ip helper-address 10.1.20.15
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 standby 50 ip 10.1.50.1
 standby 50 priority 150
 standby 50 preempt
end

Again, to be perfectly clear, if you already have a network boot
environment I don't envision your network/server guys will be OK with
someone trying to usurp the network boot process.  They *might* go for it
if it's only for one subnet that maybe they give you as a sandbox.

You could also ask if you can put your iPXE bootstrap into whatever
existing network boot system they have in place.  If they've already got
pxelinux it's quite trivial to add it; e.g.,

LABEL ipxe
   MENU LABEL iPXE boot
   KERNEL ipxe.0

They may or may not be OK with this but it could potentially just be a
hidden option.

And, of course, the lowest hanging fruit of the bunch is just boot off your
own iPXE ISO where you can specify whatever boot options you'd like
regardless of the existing DHCP environment.  Naturally that negates all
the fun of true network bootstrapping but that said you do still get the
fun of using iPXE and all it can do.

Regards,
Jim Antoniou
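Added worked example (mine, not Jim's, dnsmasq's or iPXE's code): a small Python model of what the dnsmasq configuration above actually decides per request. It parses a DHCP DISCOVER, tags it "ipxe" when option 175 is present, answers with a proxyDHCP OFFER that carries no address (yiaddr 0.0.0.0) and only next-server plus boot file, refuses hosts outside an allow-list (the "deny unknown-clients" idea raised later in the thread), and decodes an OFFER so you can see which server answered, which is the ambiguity James points out. The server address 10.1.20.15 is taken from the interface example; the MACs, transaction ids and the option 175 payload of the iPXE DISCOVER are constructed, and the URL is the placeholder from the config. Nothing here touches a network.

```python
"""Model of the proxyDHCP decision made by the dnsmasq config in the post above.
Added illustration, not dnsmasq or iPXE code: packets are built in memory and
nothing is sent on a network. Server address, allow-list and client MACs are
hypothetical."""
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS, OPT_IPXE, OPT_END = 53, 54, 60, 175, 255
DISCOVER, OFFER = 1, 2
SERVER_IP = "10.1.20.15"                                            # hypothetical dnsmasq host
BOOT_URL = "http://yourbootserver.domain.com/boot/ipxeboot/{mac}"  # from the dnsmasq config
CHAINLOAD_FILE = "ipxe.0"
KNOWN_CLIENTS = {"52:54:00:12:34:56"}   # stand-in for "deny unknown-clients": test hosts only


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def encode_options(items):
    """Encode [(code, bytes)] as DHCP TLVs terminated by the END option."""
    return b"".join(bytes([code, len(v)]) + v for code, v in items) + bytes([OPT_END])


def parse_options(blob):
    """Decode DHCP TLVs into {code: bytes}; the sub-options inside option 175 use the same layout."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:                         # PAD byte
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option %d" % blob[i])
        opts[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return opts


def build_packet(op, xid, mac, yiaddr, siaddr, bootfile, options):
    """Assemble a BOOTP/DHCP packet: RFC 2131 fixed header, magic cookie, options."""
    file_field = bootfile.encode()
    if len(file_field) > 128:
        raise ValueError("boot file name exceeds the 128-byte file field")
    chaddr = bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), ip_bytes(yiaddr), ip_bytes(siaddr), bytes(4),
                      chaddr, b"", file_field)
    return hdr + MAGIC + encode_options(options)


def parse_packet(pkt):
    """Split a packet into header fields and options; raise on anything malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC or pkt[1:3] != b"\x01\x06":
        raise ValueError("not an Ethernet DHCP packet")
    return {"op": pkt[0], "xid": pkt[4:8],
            "mac": ":".join("%02x" % b for b in pkt[28:34]),
            "yiaddr": ".".join(str(b) for b in pkt[16:20]),
            "siaddr": ".".join(str(b) for b in pkt[20:24]),
            "file": pkt[108:236].split(b"\0", 1)[0].decode(),
            "options": parse_options(pkt[240:])}


def choose_bootfile(mac, opts):
    """dhcp-match=set:ipxe,175 plus the two dhcp-boot lines: a request carrying option 175
    came from iPXE and gets the script URL; a plain PXE ROM is chain-loaded into ipxe.0
    first. Without the option-175 check, ipxe.0 would be told to load ipxe.0 forever."""
    return BOOT_URL.format(mac=mac) if OPT_IPXE in opts else CHAINLOAD_FILE


def build_proxy_offer(discover):
    """Answer a DISCOVER as a proxyDHCP server does, or return None. A proxy OFFER assigns
    no address (yiaddr stays 0.0.0.0) and carries only next-server and boot file, so the
    site's real DHCP server keeps sole ownership of IP configuration."""
    req = parse_packet(discover)
    opts = req["options"]
    if req["op"] != 1 or opts.get(OPT_MSG_TYPE) != bytes([DISCOVER]):
        return None
    if req["mac"] not in KNOWN_CLIENTS:                # never answer hosts that are not ours
        return None
    if not opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return None                                    # not a network-boot request
    return build_packet(2, req["xid"], req["mac"], "0.0.0.0", SERVER_IP,
                        choose_bootfile(req["mac"], opts),
                        [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, ip_bytes(SERVER_IP)),
                         (OPT_VENDOR_CLASS, b"PXEClient"),
                         (OPT_IPXE, b"\x08\x01\x01")])   # dhcp-option=175,8:1:1


def describe_offer(offer):
    """What a client, or someone debugging two answering servers, can read from an OFFER:
    which server replied (option 54), whether it assigned an address, and the boot path."""
    rep = parse_packet(offer)
    o = rep["options"]
    return {"server": ".".join(str(b) for b in o.get(OPT_SERVER_ID, b"")),
            "assigns_address": rep["yiaddr"] != "0.0.0.0",
            "next_server": rep["siaddr"], "bootfile": rep["file"],
            "ipxe_suboptions": parse_options(o[OPT_IPXE]) if OPT_IPXE in o else {}}


# Constructed DISCOVERs from the test host: first from its PXE ROM, then from iPXE once it
# is running (option 175 present; real iPXE fills it with feature-indicator sub-options).
PXE_CLASS = b"PXEClient:Arch:00000:UNDI:002001"
PXE_DISCOVER = build_packet(1, b"\x11\x22\x33\x44", "52:54:00:12:34:56", "0.0.0.0", "0.0.0.0",
                            "", [(OPT_MSG_TYPE, b"\x01"), (OPT_VENDOR_CLASS, PXE_CLASS)])
IPXE_DISCOVER = build_packet(1, b"\x55\x66\x77\x88", "52:54:00:12:34:56", "0.0.0.0", "0.0.0.0",
                             "", [(OPT_MSG_TYPE, b"\x01"), (OPT_VENDOR_CLASS, PXE_CLASS),
                                  (OPT_IPXE, b"\x10\x01\x01")])
```

Feed PXE_DISCOVER and IPXE_DISCOVER to build_proxy_offer and run describe_offer on the results: the ROM is sent ipxe.0, iPXE is sent the HTTP URL with its MAC filled in, both offers come from 10.1.20.15 with no address assigned. A DISCOVER from a MAC outside KNOWN_CLIENTS gets None, which is the behaviour you want from anything you put on a shared subnet.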


On Tue, Oct 15, 2013 at 4:00 AM, <ipxe-devel-request at lists.ipxe.org> wrote:

> Send ipxe-devel mailing list submissions to
>         ipxe-devel at lists.ipxe.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
> or, via email, send a message with subject or body 'help' to
>         ipxe-devel-request at lists.ipxe.org
>
> You can reach the person managing the list at
>         ipxe-devel-owner at lists.ipxe.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ipxe-devel digest..."
>
>
> Today's Topics:
>
>    1. Re: iPXE with specific list of DHCP server(s) (Michael Brown)
>    2. Re: iPXE with specific list of DHCP server(s) (Shantanu Gadgil)
>    3. Re: iPXE with specific list of DHCP server(s) (James A. Peltier)
>    4. Re: iPXE with specific list of DHCP server(s) (James A. Peltier)
>    5. Re: iPXE with specific list of DHCP server(s) (Marin Hannache)
>    6. Re: iPXE with specific list of DHCP server(s) (Gene Cumm)
>    7. undionly boot port (Larry Brigman)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 14 Oct 2013 15:10:06 +0100
> From: Michael Brown <mbrown at fensystems.co.uk>
> To: Shantanu Gadgil <shantanugadgil at yahoo.com>
> Cc: ipxe-devel at lists.ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID: <525BFB3E.1050004 at fensystems.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 14/10/13 08:13, Shantanu Gadgil wrote:
> > I was wondering if I can *specify* the DHCP server(s) that I want
> > iPXE to accept OFFERs from (using IP address) and ignore others.
> > The situation is that there could be more than one DHCP server.
>
> There is no support for doing this in iPXE.  Such a requirement would
> normally indicate that the network is misconfigured; what is the
> motivation for wanting this functionality?
>
> Michael
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 14 Oct 2013 11:39:19 -0700 (PDT)
> From: Shantanu Gadgil <shantanugadgil at yahoo.com>
> To: ipxe-devel at lists.ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID:
>         <1381775959.64904.YahooMailBasic at web141001.mail.bf1.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
>
> --------------------------------------------
> On Mon, 10/14/13, Michael Brown <mbrown at fensystems.co.uk> wrote:
>
>  On 14/10/13 08:13, Shantanu Gadgil
>  wrote:
>  > I was wondering if I can *specify* the DHCP
>  server(s) that I want iPXE to accept OFFERs from (using IP
>  address) and ignore others.
>  > The situation is that there could be more than one DHCP
>  server.
>
>  There is no support for doing this in iPXE.  Such a
>  requirement would normally indicate that the network is
>  misconfigured; what is the motivation for wanting this
>  functionality?
>
> 'Misconfiguration' ... I don't think so! :)
> /If the dhclient protocol/config/whatever has a 'reject' setting, why
> can't it have a
> an 'accept_only' setting?/
>
> That said, let me explain the real situation ...
>
> The IT guys already have one DHCP server running per subnet. (for network
> booting)
>
> I want to deploy my own PXE booting network, parallel to theirs to try out
> iPXE.
> (which would point the PXE clients to *my* installation server, rather
> than theirs.
>
> Having this feature allows me to test an alternate configuration even when
> the machine's
> MAC address is present in the IT network.
>
> Regards,
> Shantanu
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 14 Oct 2013 14:51:01 -0700 (PDT)
> From: "James A. Peltier" <jpeltier at sfu.ca>
> To: Shantanu Gadgil <shantanugadgil at yahoo.com>
> Cc: ipxe-devel at ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID:
>         <104342734.434177757.1381787461211.JavaMail.root at jaguar10.sfu.ca>
> Content-Type: text/plain; charset=utf-8
>
> ----- Original Message -----
> |
> | --------------------------------------------
> | On Mon, 10/14/13, Michael Brown <mbrown at fensystems.co.uk> wrote:
> |
> |  On 14/10/13 08:13, Shantanu Gadgil
> |  wrote:
> |  > I was wondering if I can *specify* the DHCP
> |  server(s) that I want iPXE to accept OFFERs from (using IP
> |  address) and ignore others.
> |  > The situation is that there could be more than one DHCP
> |  server.
> |
> |  There is no support for doing this in iPXE.  Such a
> |  requirement would normally indicate that the network is
> |  misconfigured; what is the motivation for wanting this
> |  functionality?
> |
> | 'Misconfiguration' ... I don't think so! :)
> | /If the dhclient protocol/config/whatever has a 'reject' setting, why
> | can't it have a
> | an 'accept_only' setting?/
> |
> | That said, let me explain the real situation ...
> |
> | The IT guys already have one DHCP server running per subnet. (for
> | network booting)
> |
> | I want to deploy my own PXE booting network, parallel to theirs to
> | try out iPXE.
> | (which would point the PXE clients to *my* installation server,
> | rather than theirs.
> |
> | Having this feature allows me to test an alternate configuration even
> | when the machine's
> | MAC address is present in the IT network.
> |
> | Regards,
> | Shantanu
>
> Which is exactly a network misconfiguration.  You're attempting to
> circumvent your IT Services infrastructure in favour of your own.  If you
> want a test bed, set one up.  You don't need a "real" network to test iPXE.
>
> --
> James A. Peltier
> Manager, IT Services - Research Computing Group
> Simon Fraser University - Burnaby Campus
> Phone   : 778-782-6573
> Fax     : 778-782-3045
> E-Mail  : jpeltier at sfu.ca
> Website : http://www.sfu.ca/itservices
>
> "A successful person is one who can lay a solid foundation from the bricks
> others have thrown at them." -David Brinkley via Luke Shaw
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 14 Oct 2013 14:58:50 -0700 (PDT)
> From: "James A. Peltier" <jpeltier at sfu.ca>
> To: Shantanu Gadgil <shantanugadgil at yahoo.com>
> Cc: ipxe-devel at ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID:
>         <2058778954.434181918.1381787930625.JavaMail.root at jaguar10.sfu.ca>
> Content-Type: text/plain; charset=utf-8
>
> ----- Original Message -----
> | ----- Original Message -----
> | |
> | | --------------------------------------------
> | | On Mon, 10/14/13, Michael Brown <mbrown at fensystems.co.uk> wrote:
> | |
> | |  On 14/10/13 08:13, Shantanu Gadgil
> | |  wrote:
> | |  > I was wondering if I can *specify* the DHCP
> | |  server(s) that I want iPXE to accept OFFERs from (using IP
> | |  address) and ignore others.
> | |  > The situation is that there could be more than one DHCP
> | |  server.
> | |
> | |  There is no support for doing this in iPXE.  Such a
> | |  requirement would normally indicate that the network is
> | |  misconfigured; what is the motivation for wanting this
> | |  functionality?
> | |
> | | 'Misconfiguration' ... I don't think so! :)
> | | /If the dhclient protocol/config/whatever has a 'reject' setting,
> | | why
> | | can't it have a
> | | an 'accept_only' setting?/
> | |
> | | That said, let me explain the real situation ...
> | |
> | | The IT guys already have one DHCP server running per subnet. (for
> | | network booting)
> | |
> | | I want to deploy my own PXE booting network, parallel to theirs to
> | | try out iPXE.
> | | (which would point the PXE clients to *my* installation server,
> | | rather than theirs.
> | |
> | | Having this feature allows me to test an alternate configuration
> | | even
> | | when the machine's
> | | MAC address is present in the IT network.
> | |
> | | Regards,
> | | Shantanu
> |
> | Which is exactly a network misconfiguration.  You're attempting to
> | circumvent your IT Services infrastructure in favour of your own.
> |  If you want a test bed, set one up.  You don't need a "real" network
> | to test iPXE.
> |
> | --
> | James A. Peltier
> | Manager, IT Services - Research Computing Group
> | Simon Fraser University - Burnaby Campus
> | Phone   : 778-782-6573
> | Fax     : 778-782-3045
> | E-Mail  : jpeltier at sfu.ca
> | Website : http://www.sfu.ca/itservices
> |
> | "A successful person is one who can lay a solid foundation from the
> | bricks others have thrown at them." -David Brinkley via Luke Shaw
>
> I should mention the following.  If you have a DHCP server that is local
> to the network and it answers faster than the IT Services DHCP server your
> requests *MAY* be answered by it first.  However, you should only use such
> a configuration with the deny unknown-clients DHCP option so that your
> server doesn't answer requests for any other hosts other than your test
> hosts.
>
> Keep in mind that this is a big if your server answers first.  You may end
> up getting a request from yours then a request from theirs then a request
> from theirs then a request from yours, not having ANY clue other than the
> server IP that's answering the request to know if your "testing" is working.
>
> To me, fundamentally your testing methodology is broken.
>
> --
> James A. Peltier
> Manager, IT Services - Research Computing Group
> Simon Fraser University - Burnaby Campus
> Phone   : 778-782-6573
> Fax     : 778-782-3045
> E-Mail  : jpeltier at sfu.ca
> Website : http://www.sfu.ca/itservices
>
> "A successful person is one who can lay a solid foundation from the bricks
> others have thrown at them." -David Brinkley via Luke Shaw
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 15 Oct 2013 00:20:02 +0200
> From: Marin Hannache <mareo at mareo.fr>
> To: "James A. Peltier" <jpeltier at sfu.ca>
> Cc: ipxe-devel at ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID: <20131014222002.GA23635 at prometheus.mareo.fr>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Mon, Oct 14, 2013 at 02:58:50PM -0700, James A. Peltier wrote:
> > Keep in mind that this is a big if your server answers first.  You may
> > end up getting a request from yours then a request from theirs then a
> > request from theirs then a request from yours, not having ANY clue other
> > than the server IP that's answering the request to know if your "testing"
> > is working.
>
> Making the rogue DHCP server send the "priority" setting should do the
> trick even if it does not answer first.
>
> This might be used as a workaround, but as James stated, you should do the
> testing part on a network you are in full control of. However, if you
> choose not to follow this advice, make sure your server is configured as
> "not authoritative"; failing to do so will make your DHCP server deny
> leases offered by the regular DHCP server.
>
> Regards,
>
> --
> Marin Hannache
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 14 Oct 2013 23:21:56 -0400
> From: Gene Cumm <gene.cumm at gmail.com>
> To: Shantanu Gadgil <shantanugadgil at yahoo.com>
> Cc: ipxe-devel at lists.ipxe.org
> Subject: Re: [ipxe-devel] iPXE with specific list of DHCP server(s)
> Message-ID: <CAD0RxekvArERTXYHSEYH56S-1Cw6-iSZA=TOk1nqWP1iNU2RNw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Mon, Oct 14, 2013 at 2:39 PM, Shantanu Gadgil
> <shantanugadgil at yahoo.com> wrote:
>
> > The IT guys already have one DHCP server running per subnet. (for
> > network booting)
> >
> > I want to deploy my own PXE booting network, parallel to theirs to try
> > out iPXE.
> > (which would point the PXE clients to *my* installation server, rather
> > than theirs.)
>
> This actually is a clear misconfiguration UNLESS they're doing IP
> config and you're only doing PXE boot data (sname, file).  It's
> allowed per PXE.
>
> Few things to keep in mind:
>
> - Talk with your IT department on how to do this right.  It will save
> a lot of aggravation on both sides.
> - Be willing to accept that you may need to physically separate your
> PXE test system so it can't talk on the normal network.
> - Good switches have DHCP guard which will put the port that hears the
> DHCP reply into a non-forwarding state (linked but nothing works)
> - Some switches also have a MAC guard where they'll put a port that
> sees multiple MAC addresses into a non-forwarding state.
> - The passthrough port on a VoIP phone with passthrough can often be
> disabled with a checkbox.
> - They may have already set the DHCP priority
> - Why not set your clients to reject the known IT servers WHILE your
> server only sends replies to known clients?
> - Some Acceptable Use Policies include stipulations to the effect of
> disrupting network operations (which this is) and disciplinary
> measures including termination
> - If your network guy is extremely strict and saw one of your office
> ports in DHCP guard block, he'd probably issue a warning via the
> proper organization administrative channel, turn on all available
> guards and consider putting all of your ports into a special group
> that gets completely blocked (minus VoIP phone) if any port triggers a
> guard block, effectively turning off the network in your office
>
> > Having this feature allows me to test an alternate configuration even
> > when the machine's MAC address is present in the IT network.
>
> Use a separated network (physical, by VLAN or just a bunch of isolated
> VMs).
>
> --
> -Gene
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 14 Oct 2013 22:59:07 -0700
> From: Larry Brigman <larry.brigman at gmail.com>
> To: ipxe-devel at lists.ipxe.org
> Subject: [ipxe-devel] undionly boot port
> Message-ID: <CAJEEjpZpOk8N7KScab54mv5TOXYnMmjFA6Ly+b13Za7ewDeP_w at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I'm trying to find the equivalent function that pxelinux provided
> or maybe it's not what I think it is.
>
> In the pxelinux configuration files
> I get a way to pass the ksdevice to the kernel via
> ksdevice=bootif
> and this seems to be set with IPAPPEND 2
>
> Because the servers that I boot have as many as 18 interfaces,
> this process in pxelinux helps to remove some extra hand holding
> as the BIOS on these machines is configured to only pxeboot on
> a single interface.
>
> Watching ipxe load, I know that it knows which interface it loaded from.
> Is there any way to make use of that data without looping through all
> the interfaces?
>
> This would be easy if all the servers were the same but I have at least
> eight differently configured servers that we pxeboot on a regular basis.
> Lab install testing environment.
>
> ------------------------------
>
> _______________________________________________
> ipxe-devel mailing list
> ipxe-devel at lists.ipxe.org
> https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
>
>
> End of ipxe-devel Digest, Vol 41, Issue 10
> ******************************************
>