CentOS 7 DHCP server does not respond to UEFI PXE DISCOVER

I'm trying to set up a CentOS 7 server as the DHCP server for PXE (UEFI). I've tried several changes to the dhcpd.conf file, but nothing seems to have any effect.

dhcpd.conf:

allow booting;
allow bootp;

max-lease-time 120;
default-lease-time 120;

option domain-name "domain.tld";
option domain-name-servers 192.168.1.9, 192.168.1.10;

option space pxe;
option pxe.magic code 208 = string;
option pxe.configfile code 209 = text;
option pxe.pathprefix code 210 = text;
option pxe.reboottime code 211 = unsigned integer 32;

option pxe.mtftp-ip code 1 = ip-address;
option pxe.mtftp-cport code 2 = unsigned integer 16;
option pxe.mtftp-sport code 3 = unsigned integer 16;
option pxe.mtftp-tmout code 4 = unsigned integer 8;
option pxe.mtftp-delay code 5 = unsigned integer 8;
option pxe.discovery-control code 6 = unsigned integer 8;
option pxe.discovery-mcast-addr code 7 = ip-address;


option architecture-type code 93 = unsigned integer 16;

class "pxe" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  option vendor-class-identifier "PXEClient";
  vendor-option-space pxe;
  option pxe.mtftp-ip 0.0.0.0;

  if option architecture-type = 00:07 {
    filename "shim.efi";
  } else {
    filename "pxelinux/pxelinux.0";
  }
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  not authoritative;
}

# PXE Network
########################################################################
subnet 172.16.10.0 netmask 255.255.255.0 {
  authoritative;
  allow unknown-clients;
  next-server 172.16.10.3;
  option routers 172.16.10.1;
  option broadcast-address 172.16.10.255;
  pool {
    range dynamic-bootp 172.16.10.10 172.16.10.49;
    allow members of "pxe";
  }
  pool {
    range 172.16.10.50 172.16.10.99;
    allow members of "pxe";
  }
  pool {
    range 172.16.10.100 172.16.10.149;
  }
}

host dev2 {
  hardware ethernet ec:f4:bb:d8:59:9f;
  option host-name "dev2.domain.tld";
}


host dev1 {
  hardware ethernet ec:f4:bb:bf:c8:e7;
  option host-name "dev1.domain.tld";
}

I tried running the server manually to make sure I'd see any logs, but this is all I get:

[root@kickstart dhcp]# /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid -4 -d eth1
Internet Systems Consortium DHCP Server 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Wrote 0 class decls to leases file.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
Listening on LPF/eth1/52:54:00:fa:4d:fc/172.16.10.0/24
Sending on   LPF/eth1/52:54:00:fa:4d:fc/172.16.10.0/24
Sending on   Socket/fallback/fallback-net

I also ran a packet trace on the server. I can see the DHCP DISCOVER packets coming in, but there is never a response.

$ tcpdump -vvvvvvvvvvvvvvvvvvvvv -ttttt -i eth1

 00:37:05.338983 IP (tos 0x0, ttl 64, id 43032, offset 0, flags [none], proto UDP (17), length 375)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ec:f4:bb:d8:59:9f (oui Unknown), length 347, xid 0x777a345e, secs 12, Flags [Broadcast] (0x8000)
      Client-Ethernet-Address ec:f4:bb:d8:59:9f (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Discover
        MSZ Option 57, length 2: 1464
        Parameter-Request Option 55, length 35: 
          Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
          IEN-Name-Server, Domain-Name-Server, Hostname, BS
          Domain-Name, RP, EP, RSZ
          TTL, BR, YD, YS
          NTP, Vendor-Option, Requested-IP, Lease-Time
          Server-ID, RN, RB, Vendor-Class
          TFTP, BF, GUID, Option 128
          Option 129, Option 130, Option 131, Option 132
          Option 133, Option 134, Option 135
        GUID Option 97, length 17: 0.68.69.76.76.84.0.16.57.128.75.180.192.79.67.52.50
        NDI Option 94, length 3: 1.3.16
        ARCH Option 93, length 2: 7
        Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
        END Option 255, length 0

Some other system information:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:59:e9:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.203/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:fa:4d:fc brd ff:ff:ff:ff:ff:ff
    inet 172.16.10.3/24 brd 172.16.10.255 scope global eth1
       valid_lft forever preferred_lft forever


$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

$ firewall-cmd --state
not running

$ netstat -nap | grep dhcp
udp        0      0 0.0.0.0:67              0.0.0.0:*                           21050/dhcpd         
udp        0      0 0.0.0.0:67              0.0.0.0:*                           17697/dhcpd         
udp        0      0 0.0.0.0:67              0.0.0.0:*                           15042/dhcpd         
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           21050/dhcpd         
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           17697/dhcpd         
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           15042/dhcpd         
unix  2      [ ]         DGRAM                    94586    15042/dhcpd          
unix  2      [ ]         DGRAM                    107361   17697/dhcpd          
unix  2      [ ]         DGRAM                    110207   21050/dhcpd     


$ iptables-save
$

I'm not sure whether or how this matters, but the PXE server is a KVM/QEMU VM running on a CentOS 7 hypervisor. On the host, em1 is attached to br1, em2 to br2, em3 to br3 and em4 to br4. Each NIC is connected to the switch on its own VLAN. The VM's eth0 is attached to br1 and eth1 to br4.

The PXE client is a physical server, and there are multiple switches between this PXE client and the DHCP server.

Update:

(The configuration above has been updated.)

I configured a standard Linux client on the network and it is able to get a lease. So this seems to be specific to the UEFI PXE client. Here is a pcap of a single request: https://pastebin.com/hp6n1ExR (base64 encoded)

Answer 1

I'll write this up as an answer in case someone else runs into a similar problem.

First, from your question, your network is configured as follows:

On the host, em1 is attached to br1, em2 to br2, em3 to br3 and em4 to br4. Each NIC is connected to the switch on its own VLAN. The VM's eth0 is attached to br1 and eth1 to br4.

It's worth noting that these are all "regular" interfaces (not VLAN interfaces). They do not expect incoming Ethernet frames to carry any VLAN tag. On the other hand, we can see from your packet capture that the incoming frames are tagged with VLAN 900:

$ tshark -n -r packets
.
.
.
Ethernet II, Src: Dell_d8:59:9f (ec:f4:bb:d8:59:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Dell_d8:59:9f (ec:f4:bb:d8:59:9f)
        Address: Dell_d8:59:9f (ec:f4:bb:d8:59:9f)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 900
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0011 1000 0100 = ID: 900
    Type: IPv4 (0x0800)
.
.
.

This suggests that your switch is misconfigured (or your host is misconfigured, depending on how you look at it): we want the port configured as an access port, that is, a port that delivers untagged packets from a specific VLAN to your host.

Unfortunately, it looks as though the port is configured as a trunk port, that is, a port that can deliver multiple VLANs to your host over a single physical connection.

If your host is configured expecting an access port, but the Ethernet frames are delivered with VLAN tags, those frames are effectively "lost" by your host.

You can configure a VLAN interface on your system:

ip link add link eth1 name eth1.900 type vlan id 900

Alternatively, you can configure the switch port as an access port; the specifics vary by switch.
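As an added illustration (written for this page, not code from the question or the answer), the Python below builds a constructed PXE Discover frame mirroring the capture in the question, shows where the 802.1Q tag (VLAN 900) sits in front of the IP payload that an untagged eth1 never hands to dhcpd, and applies the class "pxe" rule from the question's dhcpd.conf (PXEClient vendor class plus architecture-type 7 selects shim.efi). All packet bytes are constructed samples, not a real capture.

```python
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
CLIENT_MAC = bytes.fromhex("ecf4bbd8599f")   # MAC of dev2 from the question

def build_discover(vlan_id=None, arch=7):
    """Constructed sample frame (not a capture): PXEClient Discover, option 93 arch, optional 802.1Q tag."""
    opts = (bytes([53, 1, 1])                                    # DHCP Message Type: Discover
            + bytes([93, 2]) + struct.pack("!H", arch)           # Client System Architecture (7 = x86-64 UEFI)
            + bytes([60, 32]) + b"PXEClient:Arch:00007:UNDI:003016"
            + bytes([255]))                                      # End
    dhcp = struct.pack("!BBBBIHH16s", 1, 1, 6, 0, 0x777A345E, 12, 0x8000, b"\0" * 16)
    dhcp += CLIENT_MAC + b"\0" * 10 + b"\0" * 192               # chaddr, sname, file
    dhcp += b"\x63\x82\x53\x63" + opts                            # magic cookie + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp  # bootpc -> bootps
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp                # 0.0.0.0 -> 255.255.255.255
    eth = b"\xff" * 6 + CLIENT_MAC
    if vlan_id is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + ip

def parse_frame(frame):
    """Return (vlan_id or None, {option_code: value_bytes}) for a DHCP frame."""
    vlan_id, off = None, 14
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:                                  # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18                           # low 12 bits of TCI = VLAN ID
    if ethertype != ETH_P_IP:
        return vlan_id, {}
    dhcp = frame[off + (frame[off] & 0x0F) * 4 + 8:]             # skip IPv4 (IHL*4) + UDP headers
    opts, i = {}, 240                                             # 236-byte fixed header + 4-byte cookie
    while i < len(dhcp) and dhcp[i] != 255:                       # 255 = End option
        if dhcp[i] == 0:                                          # 0 = Pad option
            i += 1
            continue
        code, ln = dhcp[i], dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + ln]
        i += 2 + ln
    return vlan_id, opts

def boot_file(opts):
    """The dhcpd class rule from the question: PXEClient + arch 7 -> shim.efi."""
    if opts.get(60, b"")[:9] != b"PXEClient":                     # substring(vendor-class, 0, 9)
        return None                                               # not a member of class "pxe"
    arch = struct.unpack("!H", opts[93])[0] if 93 in opts else 0  # option architecture-type
    return "shim.efi" if arch == 7 else "pxelinux/pxelinux.0"
```

A tagged frame parses to VLAN 900 with the same options a dhcpd on eth1.900 would see; the plain eth1 interface in the question never delivers it to dhcpd at all, which is why the trace shows the Discover but no Offer.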
