Discussion:
[Dnsmasq-discuss] About UEFI PXE booting in proxy mode
Jr-Huang Shiau
2017-01-18 14:36:09 UTC
Dear all,

I am having the same issue as Juan García-Pardo described here:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010931.html

On Ubuntu 16.04, I use dnsmasq which is backported from Ubuntu 16.10:

dpkg -l dnsmasq
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-======================-================-================-=================================================
ii dnsmasq 2.76-5 all Small caching DNS proxy and DHCP/TFTP server

I configured a PXE server, and disabled the isc-dhcp-server and tftpd-hpa so that I can test the
DHCP proxy function of dnsmasq.
1. When the attached config file "1-working-local.conf" is used as
/etc/dnsmasq.conf without DHCP proxy, both PXE and uEFI clients boot
successfully.

2. When the attached config file "2-not-working-proxy.conf" is used as
/etc/dnsmasq.conf with DHCP proxy, both PXE and uEFI clients can _NOT_
boot successfully. In the log file "2-not-working-proxy.log" you can see
either PXE or uEFI client fails to enter network booting.

3. When the attached config file "3-partial-working-local.conf" is used
as /etc/dnsmasq.conf without DHCP proxy, the PXE client can boot
successfully. However, the EFI client did not. The log file was attached as
"3-not-working-efi-local.log".

4. When the attached config file "4-partial-working-proxy.conf" is used
as /etc/dnsmasq.conf with DHCP proxy, the PXE client can successfully enter
network booting, as shown in "4a-working-pxe-client-proxy.log". However,
for the EFI network client, just "bootx64.efi" was downloaded, no other
files were downloaded, as shown in
"4b-not-working-efi-client-proxy.log". For comparison, you can see in
"1-working-efi-no-proxy.log", without DHCP proxy, the clients should
download grub config file "grub.cfg" and other files.

Therefore it seems there are some uEFI network booting issues, no
matter whether it's using proxy or not.

If you need me to do more tests or need more info, please let me know.
Thank you very much.

Steven
Simon Kelley
2017-01-19 22:47:36 UTC
Below is the reply I sent to your original mail to me. The reply
bounced, seemingly due to a misconfiguration of the MX record for your
domain. Hopefully this will get to you via the list.


Simon.


------------------------------------------------------------------------

I can shed some light on this, but not give you a complete answer.

Firstly, your 2-not-working example fails because it's not using PXE.
PXE clients do sensible things when the "bootfile name" is set in DHCP
replies, which is what dhcp-boot does, but this isn't the complete PXE
protocol. Hence example one works. That trick doesn't work for
PXE-proxy, since you need the PXE protocol to do proxy. Any
configuration without pxe-service enabled will never work for PXE
proxy. That explains config 2.

Your example 3 - I'm confused why that shouldn't work - the PXE client
seems to be making further requests which are being ignored. Would it
be possible for you to get a packet dump of that exchange using tcpdump?

Example 4 looks quite hopeful - the client is successfully
downloading the bootx64.efi file (ignore the error before, that's just
testing for the existence of the file).

Can you see what's displayed on the client system at this point?
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Steven Shiau
2017-01-20 08:39:59 UTC
Hi Simon,

Thanks for your reply. I am answering you in the following.
Post by Simon Kelley
Your example 3 - I'm confused why that shouldn't work - the PXE client
seems to be making further requests which are being ignored. Would it
be possible for you to get a packet dump of that exchange using tcpdump?
$ sudo tcpdump -ni ens38 'udp port 67 and udp port 68'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens38, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:33.208355 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 347
16:18:36.205647 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
16:18:36.385548 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 359
16:18:36.386212 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Post by Simon Kelley
Example 4 looks quite hopeful - the client is successfully
downloading the bootx64.efi file (ignore the error before, that's just
testing for the existence of the file).
Can you see what's displayed on the client system at this point?
It's a blank screen because the background_image for grub is not
downloaded, and in the end the grub shows no grub.cfg error, as
attached. That format is from the grub prefix we added by:
=======================================
set prefix=(tftp)/grub-efi.cfg
echo "Grub CPU and platform: \$grub_cpu, \$grub_platform"
echo 'Network status: '
net_ls_cards
net_ls_addr
net_ls_routes

tr --set pretty_mac x: x- \$net_default_mac

echo "Loading config file \$prefix/grub.cfg-01-\$pretty_mac..."
configfile \$prefix/grub.cfg-01-\$pretty_mac

echo "Loading config file \$prefix/grub.cfg-\$net_default_ip..."
configfile \$prefix/grub.cfg-\$net_default_ip

echo "Loading config file: \$prefix/grub.cfg"
configfile \$prefix/grub.cfg

echo "Could not find config file \$prefix/grub.cfg-\$pretty_mac,
\$prefix/grub.cfg-\$net_default_ip or \$prefix/grub.cfg!"
sleep 15
=======================================
This is exactly the same problem as mentioned here:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010931.html
i.e., only grub efi is downloaded, while the rest of required files are
not downloaded. As I mentioned for comparison, for non-proxy mode with
same configuration, it works well.

Thanks again.

Steven
--
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0 8796 11C1 12DA 47CF 935C
Simon Kelley
2017-01-23 21:25:55 UTC
Thanks for the reply. Please could you repeat the tcpdump using the
command

tcpdump -s 0 -w capturefile

and send me the resulting file? That has far more information than
tcpdump prints.


Cheers,

Simon.
Steven Shiau
2017-01-24 08:50:29 UTC
Hi Simon,

Attached please find the dump file of the command "tcpdump -s 0 -w
capturefile". Let me know if you need more info.
Thank you very much.

Steven
--
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0 8796 11C1 12DA 47CF 935C
Simon Kelley
2017-01-26 19:16:23 UTC
There's no DHCP traffic in that capture. It appears to all be ssh.

Wrong interface?


Cheers,

Simon.
Doug Brown
2017-03-27 03:29:23 UTC
Hi Simon and Steven,

I just found this recent thread while I was Googling for the exact same
problem (UEFI clients won't boot in PXE mode, but BIOS clients will) and
there was never any conclusion reached. I'm running into the exact same
problem, and I can provide a pcap dump, which I have attached to this
message. After the initial DHCP exchange, it shows four DHCP packets on
port 4011 sent from the client which seem to be ignored by dnsmasq. Here
is the configuration I am using with dnsmasq 2.76, based on Steven's
original third example:

port=0
log-dhcp
dhcp-no-override
enable-tftp
tftp-root=/tftpboot
dhcp-range=ens33,192.168.7.100,192.168.7.200,10h
pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
pxe-service=BC_EFI, "Boot UEFI BC", grubx64.efi
pxe-service=X86-64_EFI, "Boot UEFI X86-64", grubx64.efi

If I switch to using the dhcp-boot strategy, everything works great on
both BIOS and UEFI. But the above configuration using PXE doesn't seem
to work properly with UEFI clients for some reason, and it seems to be a
dnsmasq issue. It does work fine with BIOS clients though.

I think I can answer Steven's earlier question as to why proxy PXE
(example config #4) doesn't work with UEFI. The problem in that case is
not due to dnsmasq at all -- it's correctly sending grub to the client.
The problem is that grub doesn't know how to detect that it was loaded
from a DHCP proxy, so it won't know where to download grub.cfg. Shim,
which you can use as a first stage bootloader to load grub if you need
to support Secure Boot, has the exact same problem. It only knows how to
look at the original DHCP ack's boot info. The UEFI environment provides
info about the proxy offer, but grub and shim don't look at it. See the
following thread where a patch was submitted for grub:

https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00051.html

I think it's probably possible to work around the proxy problem by using
grub-mkstandalone to create a version of grub.efi that has an embedded
intermediate grub.cfg that is coded to download the real grub.cfg from
your server, as long as you don't need Secure Boot support.

Either way, I still think there's something wrong with dnsmasq's PXE
support because the example config above (non-proxy) doesn't work with
any UEFI clients that I have tested, as shown by the pcap dump attached.
Any ideas?

Thanks,
Doug
Steven Shiau
2017-03-29 06:46:49 UTC
Hi Doug,

Thanks for your explanation. Simon also emailed me after my post and let
me know where the problem is. The conclusion is that this issue seems not
to be easily fixed.
So the patch for grub will be applied after grub 2.02. Before that,
could you please show me the configuration file that you confirmed
works using the dhcp-boot strategy?
Thank you very much.

Steven
--
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0 8796 11C1 12DA 47CF 935C
Doug Brown
2017-03-30 04:13:31 UTC
Hi Steven,

If I find some free time, I might try tracing through the code to figure
out why dnsmasq is throwing out the DHCP packets on port 4011 in the EFI
+ PXE configuration without a proxy. In the meantime, here is the
configuration that works for me with dhcp-boot (assuming my dnsmasq
server's IP address is 192.168.1.1):

port=0
log-dhcp
enable-tftp
tftp-root=/tftpboot
dhcp-no-override
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
dhcp-boot=pxelinux.0,,192.168.1.1
dhcp-boot=net:UEFI,shim.efi,,192.168.1.1
dhcp-boot=net:UEFI64,shim.efi,,192.168.1.1
dhcp-range=ens33,192.168.1.50,192.168.1.99,10h

In this example, I'm using shim-signed (named as shim.efi) and
grubnetx64.efi.signed (named as grubx64.efi) from Ubuntu, and it should
properly boot a UEFI computer even if it has Secure Boot enabled. Shim
downloads grubx64.efi, which then downloads grub.cfg.

Hope this helps!
Doug
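
How the dhcp-vendorclass and dhcp-boot lines in the configuration above select a boot file, as an added example that is not part of the original post and not dnsmasq's own code: it parses DHCP options 60 and 93 from request packets and applies substring tag matching, with a tagged dhcp-boot entry preferred over the untagged one. The packet builder, MAC address, transaction id and the UNDI suffixes of the vendor-class strings are constructed sample data.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header

# Copied from the dhcp-vendorclass lines in the post: (tag, substring to match).
VENDOR_CLASSES = [
    ("BIOS", "PXEClient:Arch:00000"),
    ("UEFI", "PXEClient:Arch:00007"),
    ("UEFI64", "PXEClient:Arch:00009"),
]
# Copied from the dhcp-boot lines in the post: (required tag or None, boot file).
DHCP_BOOT = [
    (None, "pxelinux.0"),
    ("UEFI", "shim.efi"),
    ("UEFI64", "shim.efi"),
]


def parse_options(packet):
    """Return {option code: value bytes} from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("short packet or missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        options[code] = options.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return options


def select_boot_file(tags):
    """A dhcp-boot line whose tag is set wins; otherwise the untagged line applies."""
    for tag, filename in DHCP_BOOT:
        if tag is not None and tag in tags:
            return filename
    for tag, filename in DHCP_BOOT:
        if tag is None:
            return filename
    return None


def classify(packet):
    """Summarise one client request the way the configuration would treat it."""
    options = parse_options(packet)
    vendor = options.get(60, b"").decode("ascii", "replace")   # vendor class
    arch = options.get(93)                                     # client architecture
    tags = sorted(tag for tag, needle in VENDOR_CLASSES if needle in vendor)
    return {
        "mac": ":".join("%02x" % b for b in packet[28:28 + min(packet[2], 16)]),
        "vendor_class": vendor,
        "arch": struct.unpack("!H", arch[:2])[0] if arch and len(arch) >= 2 else None,
        "tags": tags,
        "boot_file": select_boot_file(tags),
    }


def build_request(mac, vendor, arch):
    """Constructed sample input: a minimal DHCPDISCOVER with options 53, 60 and 93."""
    header = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", b"")
    vendor_bytes = vendor.encode("ascii")
    options = (bytes([53, 1, 1]) + bytes([60, len(vendor_bytes)]) + vendor_bytes
               + bytes([93, 2]) + struct.pack("!H", arch) + b"\xff")
    return header + MAGIC_COOKIE + options


SAMPLE_MAC = bytes.fromhex("020000000001")  # constructed, locally administered
SAMPLES = [
    ("PXEClient:Arch:00000:UNDI:002001", 0),
    ("PXEClient:Arch:00007:UNDI:003016", 7),
    ("PXEClient:Arch:00009:UNDI:003016", 9),
    ("PXEClient:Arch:00006:UNDI:003016", 6),  # no tag matches: untagged fallback
]

if __name__ == "__main__":
    for vendor, arch in SAMPLES:
        info = classify(build_request(SAMPLE_MAC, vendor, arch))
        print(info["vendor_class"], info["arch"], info["tags"], "->", info["boot_file"])
```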
Post by Steven Shiau
Hi Doug,
Thanks for your explanation. Simon also emailed me after my post and
let me know where the problem is. The conclusion is this issue seems
not be easily fixed.
So the patch for grub will be applied after grub 2.02. Before that,
could you please show me the configuration file you confirmed it will
work by using dhcp-boot strategy?
Thank you very much.
Steven
Post by Doug Brown
Hi Simon and Steven,
I just found this recent thread while I was Googling for the exact
same problem (UEFI clients won't boot in PXE mode, but BIOS clients
will) and there was never any conclusion reached. I'm running into
the exact same problem, and I can provide a pcap dump, which I have
attached to this message. After the initial DHCP exchange, it shows
four DHCP packets on port 4011 sent from the client which seem to be
ignored by dnsmasq. Here is the configuration I am using with dnsmasq
port=0
log-dhcp
dhcp-no-override
enable-tftp
tftp-root=/tftpboot
dhcp-range=ens33,192.168.7.100,192.168.7.200,10h
pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
pxe-service=BC_EFI, "Boot UEFI BC", grubx64.efi
pxe-service=X86-64_EFI, "Boot UEFI X86-64", grubx64.efi
If I switch to using the dhcp-boot strategy, everything works great
on both BIOS and UEFI. But the above configuration using PXE doesn't
seem to work properly with UEFI clients for some reason, and it seems
to be a dnsmasq issue. It does work fine with BIOS clients though.
I think I can answer Steven's earlier question as to why proxy PXE
(example config #4) doesn't work with UEFI. The problem in that case
is not due to dnsmasq at all -- it's correctly sending grub to the
client. The problem is that grub doesn't know how to detect that it
was loaded from a DHCP proxy, so it won't know where to download
grub.cfg. Shim, which you can use as a first stage bootloader to load
grub if you need to support Secure Boot, has the exact same problem.
It only knows how to look at the original DHCP ack's boot info. The
UEFI environment provides info about the proxy offer, but grub and
shim don't look at it. See the following thread where a patch was
https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00051.html
I think it's probably possible to work around the proxy problem by
using grub-mkstandalone to create a version of grub.efi that has an
embedded intermediate grub.cfg that is coded to download the real
grub.cfg from your server, as long as you don't need Secure Boot support.
Either way, I still think there's something wrong with dnsmasq's PXE
support because the example config above (non-proxy) doesn't work
with any UEFI clients that I have tested, as shown by the pcap dump
attached. Any ideas?
Thanks,
Doug
Post by Simon Kelley
There's no DHCP traffic in that capture. It appears to all be ssh.
Wrong interface?
Cheers,
Simon.
Post by Steven Shiau
Hi Simon,
Attached please find the dump file of the command "tcpdump -s 0 -w
capturefile". Let me know if you need more info. Thank you very
much.
Steven
On 1/24/2017 AM 05:25, Simon Kelley wrote:
Thanks for the reply.
Please could you repeat the tcpdump using the command
tcpdump -s 0 -w capturefile
and send me the resulting file? That has far more information than
tcpdump prints.
Cheers,
Simon.
Post by Steven Shiau
Hi Simon,
Thanks for your reply. I am answering you in the following.
Post by Simon Kelley
Your example 3 - I'm confused why that shouldn't work - the
PXE client seems to be making further requests which are
being ignored. Would it be possible for you to get a packet
dump of that exchange using tcpdump?
$ sudo tcpdump -ni ens38 'udp port 67 and udp port 68'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens38, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:33.208355 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 347
16:18:36.205647 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
16:18:36.385548 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:1d:9a:d1, length 359
16:18:36.386212 IP 192.168.22.254.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 341
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Post by Simon Kelley
Example 4 looks quite hopeful - the client is
successfully downloading the bootx64.efi file (ignore the
error before, that's just testing for the existence of the
file).
Can you see what's displayed on the client system at this point?
It's blank screen due to the background_image for grub is
not downloaded, and in the end the grub shows no grub.cfg
error, as attached. That format is from the grub prefix we
added by:
=======================================
set \$grub_cpu, \$grub_platform"
echo 'Network status: '
net_ls_cards
net_ls_addr
net_ls_routes
tr --set pretty_mac x: x- \$net_default_mac
echo "Loading config file \$prefix/grub.cfg-01-\$pretty_mac..."
configfile \$prefix/grub.cfg-01-\$pretty_mac
echo "Loading config file \$prefix/grub.cfg-\$net_default_ip..."
configfile \$prefix/grub.cfg-\$net_default_ip
echo "Loading config file: \$prefix/grub.cfg"
configfile \$prefix/grub.cfg
echo "Could not find config file \$prefix/grub.cfg-\$pretty_mac, \$prefix/grub.cfg-\$net_default_ip or \$prefix/grub.cfg!"
sleep 15
=======================================
This is
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010931.html
Post by Steven Shiau
i.e., only grub efi is downloaded, while the rest of required files are
not downloaded. As I mentioned for comparison, for non-proxy
mode with same configuration, it works well.
Thanks again.
Steven
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
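An added example, not part of Doug's post or of dnsmasq's code: a small Python decoder for the DHCP payloads in a capture like the one requested in this thread, which applies the dhcp-vendorclass and dhcp-boot lines from the configuration in the message above to each client and marks requests sent to port 4011. The tagged-rule-first selection is a simplified model of dnsmasq's behaviour, and the MAC addresses, transaction id and vendor-class suffixes in the sample packets are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP option list (RFC 2131)
PXE_BOOT_SERVER_PORT = 4011          # port the unanswered requests in the thread use

# dhcp-vendorclass lines from the post: (tag, substring searched for in option 60).
VENDORCLASS_TAGS = [("BIOS", "PXEClient:Arch:00000"),
                    ("UEFI", "PXEClient:Arch:00007"),
                    ("UEFI64", "PXEClient:Arch:00009")]
# dhcp-boot lines from the post: (required tag or None, boot file, TFTP server).
BOOT_RULES = [(None, "pxelinux.0", "192.168.1.1"),
              ("UEFI", "shim.efi", "192.168.1.1"),
              ("UEFI64", "shim.efi", "192.168.1.1")]
# Option 93 values, named as in the pxe-service lines quoted in the thread.
ARCH_NAMES = {0: "X86PC", 7: "BC_EFI", 9: "X86-64_EFI"}


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP: too short or magic cookie missing")
    hlen = min(payload[2], 16)
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                     # pad option, no length byte
            i += 1
            continue
        if code == 255:                   # end option
            break
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        # RFC 3396: values of a repeated option code are concatenated.
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": struct.unpack("!I", payload[4:8])[0],
            "mac": ":".join("%02x" % b for b in payload[28:28 + hlen]),
            "options": options}


def client_tags(pkt):
    """Tags set by the dhcp-vendorclass lines (substring match on option 60)."""
    vendor = pkt["options"].get(60, b"").decode("ascii", "replace")
    return {tag for tag, needle in VENDORCLASS_TAGS if needle in vendor}


def select_boot(tags):
    """Simplified model: a rule whose tag is set beats the untagged default."""
    tagged = [r for r in BOOT_RULES if r[0] in tags]
    default = [r for r in BOOT_RULES if r[0] is None]
    rule = (tagged or default or [None])[0]
    return rule[1:] if rule else None


def summarize(dport, payload):
    """One report row per packet: who asked, on which port, what they would get."""
    pkt = parse_dhcp(payload)
    raw_arch = pkt["options"].get(93, b"")
    arch = struct.unpack("!H", raw_arch[:2])[0] if len(raw_arch) >= 2 else None
    boot = select_boot(client_tags(pkt))
    return {"mac": pkt["mac"],
            "msg_type": (pkt["options"].get(53) or b"\x00")[0],
            "arch": ARCH_NAMES.get(arch, "unknown"),
            "stage": ("boot-server (4011)" if dport == PXE_BOOT_SERVER_PORT
                      else "dhcp (67)"),
            "boot_file": boot[0] if boot else None}


def build_request(mac, msg_type, vendor_class, arch):
    """Construct a minimal client packet (sample input for this example only)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH", 1, 1, len(hw), 0, 0x1234ABCD, 0, 0x8000)
    header += bytes(16)                                # ciaddr, yiaddr, siaddr, giaddr
    header += hw.ljust(16, b"\0") + bytes(64 + 128)    # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    opts += bytes([60, len(vendor_class)]) + vendor_class.encode("ascii")
    opts += bytes([93, 2]) + struct.pack("!H", arch) + b"\xff"
    return header + MAGIC_COOKIE + opts


# Constructed sample traffic: (UDP destination port, payload). Not from the thread's pcap.
SAMPLES = [
    (67, build_request("02:00:00:00:00:01", 1, "PXEClient:Arch:00000:UNDI:002001", 0)),
    (67, build_request("02:00:00:00:00:02", 1, "PXEClient:Arch:00007:UNDI:003016", 7)),
    (4011, build_request("02:00:00:00:00:02", 3, "PXEClient:Arch:00007:UNDI:003016", 7)),
    (67, build_request("02:00:00:00:00:03", 1, "PXEClient:Arch:00009:UNDI:003016", 9)),
]

if __name__ == "__main__":
    for dport, payload in SAMPLES:
        print(summarize(dport, payload))
```

To use it on a real capture, pass each UDP payload and its destination port to `summarize`; a capture filter such as `udp port 67 or udp port 68 or udp port 4011` keeps the boot-server requests in the file.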
Steven Shiau
2017-03-31 07:45:33 UTC
Hi Doug,

Thanks. However, what you mentioned is not in the proxy mode. Have you
successfully enabled the proxy (relay) mode, and does it work for uEFI network
booting?

Thanks.

Steven
--
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0 8796 11C1 12DA 47CF 935C
Doug Brown
2017-04-01 04:39:11 UTC
Hi Steven,

No -- because of grub's current inability to detect a proxy boot with
UEFI, I don't think it's possible to get a proxy configuration to boot
UEFI computers with grub, unless you play around with grub-mkstandalone
to embed grub.cfg into grub.efi. I haven't had the time to play around
with trying to make that configuration work.

Doug
Steven Shiau
2017-04-01 07:07:03 UTC
Hi Doug,

Thanks. Simon mentioned to me: This is complicated and horrible (to
implement the mechanism). Therefore, for the moment, there is no solution for
using "pxe-service" for both uEFI network booting and PXE in proxy mode,
I believe.

Steven
--
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/47CF935C
Fingerprint: 0240 1FEB 695D 7112 62F0 8796 11C1 12DA 47CF 935C