1.3.4 Configuring Dnsmasq to Support PXE Clients

Dnsmasq is designed to act as a DNS forwarder, DHCP server, and TFTP server for small networks. You can use dnsmasq as an alternative to configuring separate DHCP and TFTP services. For more information about dnsmasq, see the dnsmasq(8) manual page, /usr/share/doc/dnsmasq-version, and http://www.thekelleys.org.uk/dnsmasq/doc.html.

The dnsmasq server does not have to host the installation packages; you can use a separate network installation source.

To configure dnsmasq for PXE client installation requests:

  1. Install the dnsmasq package.

    # yum install dnsmasq
  2. Edit /etc/dnsmasq.conf and configure entries for PXE clients and other systems on the network, for example:

    interface=em1
    dhcp-range=10.0.0.101,10.0.0.200,6h
    dhcp-host=08:00:27:c6:a1:16,10.0.0.253,svr1,infinite
    dhcp-boot=pxelinux/pxelinux.0
    dhcp-match=set:efi-x86_64,option:client-arch,7
    dhcp-boot=tag:efi-x86_64,grubx64.efi
    enable-tftp
    tftp-root=/var/lib/tftpboot

    The lines in the sample configuration file do the following:

    interface=em1

    Listen for incoming client requests on interface em1 only.

    dhcp-range=10.0.0.101,10.0.0.200,6h

    Reserve a pool of generally available IP addresses in the range 10.0.0.101 through 10.0.0.200 on the 10.0.0/24 subnet with a six-hour lease.

    Note

    A dhcp-range setting is required to enable the DHCP service provided by dnsmasq. If you want to configure static addresses but not an address pool, specify a static network address and the keywords static and infinite, for example:

    dhcp-range=10.0.0.253,static,infinite
    dhcp-host=08:00:27:c6:a1:16,10.0.0.253,svr1,infinite

    Reserve the IP address 10.0.0.253 with infinite lease time for svr1, which is identified by the MAC address 08:00:27:c6:a1:16.

    dhcp-boot=pxelinux/pxelinux.0

    Specify the location of the boot loader file, in this case for BIOS-based PXE clients.

    If you want to use a separate TFTP server instead of dnsmasq, specify its IP address after the boot loader path, for example:

    dhcp-boot=pxelinux/pxelinux.0,10.0.0.11

    dhcp-boot=tag:efi-x86_64,grubx64.efi

    Specify the location of the boot loader file required by PXE clients identified with the tag efi-x86_64, in this case UEFI-based PXE clients. The efi-x86_64 tag is defined by the dhcp-match=set:efi-x86_64 line, which applies the tag to UEFI-based x86_64 clients (architecture code 7).

    This example specifies the grubx64.efi boot loader. If you need to support Secure Boot on UEFI clients, specify shim.efi as the boot loader.

    If you want to use a separate TFTP server instead of dnsmasq, specify its IP address after the boot loader path, for example:

    dhcp-boot=tag:efi-x86_64,grubx64.efi,10.0.0.11

    enable-tftp

    Enable the TFTP service provided by dnsmasq.

    tftp-root=/var/lib/tftpboot

    Specify the root directory for files served by TFTP. To prevent clients from accessing any file on the host, dnsmasq rejects requests that specify .. as a path element.

    For information on how to configure a separate TFTP server, see Section 1.3.3, “Configuring DHCP and TFTP Services to Support PXE Clients”.

  3. If you want dnsmasq to act as a caching-only name server, configure a name server entry for 127.0.0.1 that precedes other name server entries.

    Dnsmasq ignores the 127.0.0.1 entry and forwards DNS queries to the other listed name servers. If the NetworkManager service is enabled, you can configure name service entries by using the graphical applet, the nm-connection-editor utility, or the nm-tui utility. Otherwise, you can configure name server entries directly in /etc/resolv.conf, for example:

    nameserver 127.0.0.1
    nameserver 10.0.0.8
    nameserver 10.0.0.4

  4. Start the dnsmasq service, and configure it to start after a reboot.

    # systemctl start dnsmasq
    # systemctl enable dnsmasq

    If you make any changes to /etc/dnsmasq.conf, restart the dnsmasq service. You do not need to restart the service if you change the content of boot loader configuration files.

  5. Configure the firewall.

    • Configure the firewall to accept DHCP requests, for example:

      # firewall-cmd --zone=zone --add-port=67-68/udp
      # firewall-cmd --zone=zone --add-port=67-68/udp --permanent
    • If you enable the TFTP service in dnsmasq, configure the firewall to accept TFTP requests, for example:

      # firewall-cmd --zone=zone --add-service=tftp
      # firewall-cmd --zone=zone --add-service=tftp --permanent
    • If you want dnsmasq to act as a caching-only name server, configure the firewall to accept DNS requests:

      # firewall-cmd --zone=zone --add-service=dns
      # firewall-cmd --zone=zone --add-service=dns --permanent
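As an added example (not part of the Oracle documentation), the following shell script performs the check a practitioner would want before restarting dnsmasq after step 2: it parses a dnsmasq.conf, confirms that dhcp-range is set, and verifies that every boot loader named by a locally served dhcp-boot entry exists under tftp-root. The configuration file and directory tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: a sanity check to run
# before restarting dnsmasq. It reads a dnsmasq.conf, confirms that a
# dhcp-range is present (without one dnsmasq serves no DHCP) and that every
# boot loader named by a locally served dhcp-boot entry exists under
# tftp-root, so a typo fails here rather than as a TFTP timeout on the client.
# The config and directory tree are constructed for the demo.

# Print the file from each dhcp-boot line that dnsmasq serves itself: strip
# an optional leading tag:<name> and skip entries naming a separate server.
local_boot_files() {
    sed -n 's/^dhcp-boot=//p' "$1" | sed 's/^tag:[^,]*,//' | grep -v ','
}

# check_pxe_config <dnsmasq.conf>: print each problem found; return 1 if any.
check_pxe_config() {
    conf=$1; problems=0
    root=$(sed -n 's/^tftp-root=//p' "$conf" | tail -n 1)
    grep -q '^dhcp-range=' "$conf" || { echo "no dhcp-range: DHCP disabled"; problems=1; }
    files=$(local_boot_files "$conf")
    if [ -n "$files" ]; then
        grep -q '^enable-tftp' "$conf" || { echo "enable-tftp missing"; problems=1; }
        [ -n "$root" ] || { echo "tftp-root missing"; return 1; }
        for f in $files; do
            [ -r "$root/$f" ] || { echo "dhcp-boot target missing: $root/$f"; problems=1; }
        done
    fi
    return $problems
}

# make_sample <dir>: constructed config and TFTP tree (pxelinux.0 present,
# grubx64.efi deliberately absent); prints the path of the config file.
make_sample() {
    mkdir -p "$1/tftpboot/pxelinux/pxelinux.cfg"
    : > "$1/tftpboot/pxelinux/pxelinux.0"
    cat > "$1/dnsmasq.conf" <<EOF
interface=em1
dhcp-range=10.0.0.101,10.0.0.200,6h
dhcp-boot=pxelinux/pxelinux.0
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,grubx64.efi
enable-tftp
tftp-root=$1/tftpboot
EOF
    echo "$1/dnsmasq.conf"
}

demo=$(mktemp -d)
check_pxe_config "$(make_sample "$demo")" && echo "safe to restart dnsmasq" || echo "fix the problems above first"
rm -rf "$demo"
```

Run it against the real file with `check_pxe_config /etc/dnsmasq.conf` once the functions are sourced; the demo run reports the missing grubx64.efi.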

To configure the dnsmasq TFTP service for PXE client installation requests:

  1. Obtain the boot loader files.

    PXE clients require a boot loader to load the Linux installation kernel (vmlinuz).

    For BIOS-based PXE clients, you can use the pxelinux.0 boot loader available in the syslinux package. To install this package:

    # yum install syslinux

    For UEFI-based PXE clients, you can use the grubx64.efi boot loader available in the grub2-efi package. If you need to support Secure Boot on clients, you also need the first-stage boot loader shim.efi, available in the shim package, so that the boot loader and kernel can be verified. Either download these packages to a temporary location, or copy them from the full installation ISO image. Then extract the contents of the packages:

    # cd /tempdir
    # rpm2cpio grub2-efi-version.rpm | cpio -idmv
    # rpm2cpio shim-version.rpm | cpio -idmv

    Note

    If you need to support Secure Boot, make sure you specify shim.efi as the boot loader in your DHCP configuration in /etc/dnsmasq.conf.

  2. Create the directories used to contain the boot loaders and their configuration files as subdirectories of the TFTP server directory.

    For BIOS-based clients, create the pxelinux/pxelinux.cfg directories, for example:

    # mkdir -p /var/lib/tftpboot/pxelinux/pxelinux.cfg

    For UEFI-based clients, the dnsmasq TFTP server expects the boot loaders and configuration files to be in the root directory, for example /var/lib/tftpboot. You should ensure that this directory exists.

  3. Copy the boot loader files, the installation kernel (vmlinuz), and the ram-disk image file (initrd.img) to the TFTP server subdirectories.

    For BIOS-based clients, copy the BIOS boot loader file, the installation kernel, and the ram-disk image file to the pxelinux directory:

    # cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/pxelinux
    # wget http://10.0.0.11/OSimage/OL7/isolinux/vmlinuz -O /var/lib/tftpboot/pxelinux/vmlinuz
    # wget http://10.0.0.11/OSimage/OL7/isolinux/initrd.img -O /var/lib/tftpboot/pxelinux/initrd.img

    For UEFI-based clients, copy the UEFI boot loader files, the installation kernel, and the ram-disk image file to the root directory of the TFTP server:

    # cp /tempdir/boot/efi/EFI/redhat/grubx64.efi /var/lib/tftpboot
    # cp /tempdir/boot/efi/EFI/redhat/shim.efi /var/lib/tftpboot
    # cp /tempdir/boot/efi/EFI/redhat/MokManager.efi /var/lib/tftpboot
    # wget http://10.0.0.11/OSimage/OL7/isolinux/vmlinuz -O /var/lib/tftpboot/vmlinuz
    # wget http://10.0.0.11/OSimage/OL7/isolinux/initrd.img -O /var/lib/tftpboot/initrd.img

    Note

    You only need to copy the shim.efi and MokManager.efi files if you need to support Secure Boot on clients. MokManager.efi provides utilities for managing the keys used to sign EFI binaries. Depending on your GRUB 2 configuration, you could copy the installation kernel and the ram-disk image file to a subdirectory.

    The above examples use HTTP to obtain the installation kernel and ram-disk image files from a separate network installation server. You could use a local copy of the files if the dnsmasq server also hosts the installation packages.

    To be able to install different operating system versions on PXE clients, you can rename the kernel and ram-disk image files, for example to vmlinuz-ol7 and initrd-ol7.img. Alternatively, you could copy the kernel and ram-disk image files to subdirectories such as efi/ol7 and pxelinux/ol7.

  4. Create the boot loader configuration files.

    As a minimum, you should create the default boot loader configuration files:

    pxelinux/pxelinux.cfg/default

    Default boot loader configuration file for BIOS-based PXE clients.

    grub.cfg

    Default boot loader configuration file for UEFI-based PXE clients.

    You can create additional client-specific boot loader configuration files in either pxelinux/pxelinux.cfg or the root directory of the TFTP server, depending on whether the client is BIOS-based or UEFI-based. For more information, see:

  5. If SELinux is enabled in enforcing mode on your system and you configured a TFTP server directory other than /var/lib/tftpboot, use the semanage command to define the default file type of the TFTP server directory hierarchy as tftpdir_t and then use the restorecon command to apply the file type to the entire directory hierarchy, for example:

    # /usr/sbin/semanage fcontext -a -t tftpdir_t "/var/tftpboot(/.*)?"
    # /sbin/restorecon -R -v /var/tftpboot

    Note

    The semanage and restorecon commands are provided by the policycoreutils-python and policycoreutils packages.
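As an added example (not from the Oracle documentation), the following script writes the two default boot loader configuration files named in step 4 for the directory layout described in steps 2 and 3, then verifies that every kernel and ram-disk image they reference exists under the TFTP root. The installation source URL and the menu entry name are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: write the two default
# boot loader configuration files this step asks for, using the layout above
# (BIOS files under pxelinux/, the UEFI loaders and grub.cfg in the TFTP
# root), then verify that every kernel and ram-disk image they name exists.
# The installation source URL is an assumption; point it at your own server.
REPO=${REPO:-http://10.0.0.11/OSimage/OL7}
# write_boot_configs <tftp-root>: write pxelinux/pxelinux.cfg/default and grub.cfg.
write_boot_configs() {
    mkdir -p "$1/pxelinux/pxelinux.cfg"
    # PXELINUX resolves KERNEL and initrd= relative to the directory that
    # pxelinux.0 was loaded from, so bare names here mean pxelinux/vmlinuz etc.
    cat > "$1/pxelinux/pxelinux.cfg/default" <<EOF
DEFAULT ol7
LABEL ol7
  KERNEL vmlinuz
  APPEND initrd=initrd.img inst.repo=$REPO
EOF
    # grubx64.efi (or shim.efi) is loaded from the TFTP root, so these paths
    # are relative to tftp-root.
    cat > "$1/grub.cfg" <<EOF
menuentry 'Install Oracle Linux 7' {
  linuxefi vmlinuz inst.repo=$REPO
  initrdefi initrd.img
}
EOF
}
# referenced_files <tftp-root>: list the kernel and ram-disk files, relative
# to the TFTP root, that the two generated configs refer to.
referenced_files() {
    awk '/^ *KERNEL /{print "pxelinux/"$2}
         /^ *APPEND /{for(i=2;i<=NF;i++) if(sub(/^initrd=/,"",$i)) print "pxelinux/"$i}' \
        "$1/pxelinux/pxelinux.cfg/default"
    awk '/^ *(linuxefi|initrdefi) /{print $2}' "$1/grub.cfg"
}
# missing_files <tftp-root>: print each referenced file that is absent; return 1 if any.
missing_files() {
    rc=0
    for f in $(referenced_files "$1"); do
        [ -r "$1/$f" ] || { echo "missing: $1/$f"; rc=1; }
    done
    return $rc
}
demo=$(mktemp -d)                 # constructed tree: initrd.img for UEFI left out
write_boot_configs "$demo"
for f in pxelinux/vmlinuz pxelinux/initrd.img vmlinuz; do : > "$demo/$f"; done
missing_files "$demo" || echo "copy the files listed above before booting clients"
rm -rf "$demo"
```

Point `write_boot_configs` and `missing_files` at /var/lib/tftpboot (or your own tftp-root) to generate and check the real files.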