# Jailed DHCP server and TFTP handoff



## Beeblebrox (Feb 19, 2012)

I am using sysutils/ezjail to build a jailed pxeboot environment. I would like to run net/isc-dhcp42-server in the jail, but I am finding conflicting info about this. I have already configured and started jailed ntp, inetd (tftp), but of course need dhcp to complete the hand.

Method 1: Install dhcp normally (unjailed) then modify /etc/rc.conf:

```
dhcpd_jail_enable="YES"
dhcpd_rootdir="/usr/jails/pxeboot/var/db/dhcpd"
```
Best instructions I could find for this method: http://www.debian.md/cmds/dhcp_freebsd.html. Supporting evidence from post-install:


> WARNING: never edit the chrooted or jailed dhcpd.conf file but /usr/local/etc/dhcpd.conf instead which is always copied where needed upon startup.


Method 2: Install dhcp in the jail and modify devfsrules. First in /usr/local/etc/ezjail/pxeboot, set

```
export jail_thttpd_devfs_ruleset="devfsrules_jail_dhcp"
```
Then create /etc/devfs.rules with:

```
[devfsrules_jail_dhcp=1]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
#add path 'bpf*' unhide
add path net unhide
add path 'net/*' unhide
```
I really have no idea what all that means, but I have no firewall running on my system because it is not exposed to the outside. My jail has IP 192.168.2.1/24 and if I chroot to the jail environment and try starting dhcp I get error:

```
# service isc-dhcpd onestart
Warning: subnet 192.168.2.0/24 overlaps subnet 192.168.2.0/24
```
Best instructions I could find for this method (in German, but followable): http://www.asconix.com/howtos/freebsd/dhcp-server-freebsd-howto

I have one more criteria for the setup 
The jails will not be runnig all the time, so neither should dhcp - they should all start-up together - so Method2 is preferable, but if all fails I'll use a separate start-up script.


----------



## Beeblebrox (Feb 19, 2012)

I think I figured out the concept - both methods are valid. If you want dhcp to listen and respond to  non-jail addresses and all jailed IP's then Method1. If you want to limit dhcp to one or several jails, then Method2.

I'd like to get Method2 to work, if possible.


----------



## ecazamir (Feb 20, 2012)

A DHCP server can assign any address to a client, not necessarily a directly-connected one. A DHCP + dhcp-relay setup is an example, using a master DHCP server and one or more remote DHCP relays. 
If your clients are directly connected, the first DHCP response may succeed even if the assigned address is not 'directly connected' with the DHCP server, but the periodic lease updates may fail.

The message below may indicate a double subnet definition and is not related to the way dhcpd is started (jailed or not):

```
Warning: subnet 192.168.2.0/24 overlaps subnet 192.168.2.0/24
```

I never tested DHCP jailed, but I remember DHCP needs access to /dev/bpf to capture packets sent to 255.255.255.255, so you may need to uncomment 

```
#add path 'bpf*' unhide
```
 in your devfs_ruleset.


----------



## Beeblebrox (Feb 20, 2012)

Well, this is certainly strange... The DHCP server I have installed into the pxeboot jail is now able to start and is servicing dhcp requests. Only start-up error shown is:

```
dhcpd: unable to create icmp socket: Operation not permitted
```
And below error went away

```
Warning: subnet 192.168.2.0/24 overlaps subnet 192.168.2.0/24
```
This setup is for testing/Lab purpose, so I have 2 ethernet cards on the main machine. re0 is used for outside communication, wile fxp0 is used for the Lab network. When I decide to put the machine in "diskless server" mode I start the pxeboot jail, which brings up isc-dhcpd, ntpd, inetd, nfs inside the jail. It's not important at the moment whether the diskless clients have internet access or not, so I don't want to spend time learning (bpf + nat) right now. I'll be happy for now if I can get the diskless clients to boot into their jailed environment. pf is not running on the host network stack at the moment.

*1.* However now I get this error message. In retrospect, the reason dhcp failed to start the first time around was that I had already started ntpd BEFORE starting dhcp inside the jail ,and the 2 seem in conflict!

```
ntpd[1373]: unable to create socket on fxp0 (1) for 192.168.2.1#123
ntpd[1373]: bind() fd 22, family AF_INET, port 123, addr 192.168.2.1,
 in_classd=0 flags=0x19 fails: Address already in use
```
*2.* Also, when I try to boot with pxe from diskless client, it just hangs and there's nothing in the error log that gives any clue.

```
pxe_open: server addr: 192.168.2.1
pxe_open: server path: /
pxe_open: gateway ip: 192.168.2.1
```
Aaaand we just wait! This probably has something to do with it.

```
inetd[1434]: madvise() failed: Operation not permitted
```
My jails/pxeboot/usr/local/etc/dhcp.conf:

```
subnet 192.168.2.0 netmask 255.255.255.0 {
option domain-name "test.org";
range 192.168.2.3 192.168.2.9; 
option broadcast-address 192.168.2.255;
option domain-name-servers 192.168.2.1;
option routers 192.168.2.1;
}
group { # diskless clients
use-host-decl-names on;
next-server 192.168.2.1;	# TFTP server address
option root-path "nfs.test.org:/boot";  # NFS root
filename  "pxeboot";	# PXE boot loader filename /usr/jails/pxeboot/boot
  host wulf-n1 {
    fixed-address 192.168.2.7;
    hardware ethernet 00:01:6c:c0:83:e3;
	} 	}
```
My jails/pxeboot/etc/inetd.conf; TFTP started working when I replaced the last word as "*/*" (instead of /boot, pxeboot or /boot/pxeboot)

```
tftp	dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -l -s /
```
Before I replaced it as /, I got "TFTP open timeout" error when booting.

I'm trying to boot from /boot/kernel placed inside the jail. So my questions are:
1. What are those errors (dhcpd & ntpd)? Do I have to place ntpd on a separate IP?
2. Why is TFTP timing out? The path seems correct?
3. I still have this sneaking suspicion that I did something wrong by placing the dhcp.conf file in /usr/jails/pxeboot/usr/local/etc.


----------



## ecazamir (Feb 20, 2012)

The DHCPD-related error "dhcpd: unable to create icmp socket: Operation not permitted" may be fixed setting 
	
	



```
security.jail.allow_raw_sockets=1
```
 in host's /etc/sysctl.conf.
The TFTP-related error may show that there's another TFTPD (or inetd) listening on the IP address assigned to the jail, on the jail host perhaps? Or, it is possible that NTPD too to require raw sockets.
dhcpd.conf should be placed on the host in the standard location (/usr/local/etc/dhcpd.conf is the default), relative to the root path of the jail where it is running. It's OK to place dhcpd.conf elsewhere, but in this case you should also set 
	
	



```
dhcpd_conf=/alternate/path/to/dhcpd.conf
```
 in /etc/rc.conf


----------



## Beeblebrox (Feb 20, 2012)

> dhcpd.conf should be placed on the host in the standard location ... relative to the root path of the jail where it is running


Well, that's the point - What's this message you get after installing the port about then?


> WARNING: never edit the chrooted or jailed dhcpd.conf file but /usr/local/etc/dhcpd.conf instead which is always copied where needed upon startup.



Got TFTP partially working & edited previous post accordingly. Latest log entries in /var/log/xferlog:

```
tftpd[2605]: Filename: '/boot/pxeboot'
tftpd[2605]: Mode: 'octet'
tftpd[2605]: Got ERROR packet: TFTP Aborted
tftpd[2607]: Filename: '/boot/pxeboot'
tftpd[2607]: Mode: 'octet'
tftpd[2607]: 192.168.2.7: read request for /boot/pxeboot: success
```


----------



## ecazamir (Feb 21, 2012)

Regardless of a jailed or non-jailed environment, the default location of dhcpd.conf is /usr/local/etc/dhcpd.conf. If it's running on the host, then it is /usr/local/etc/dhcpd.conf. If it's running on a jail, then the real location should be ${jail_root_dir}/usr/local/etc/dhcpd.conf, seen as /usr/local/etc/dhcpd.conf by the running jail.


```
****  WARNING: never edit the chrooted or jailed dhcpd.conf file but
      /usr/local/etc/dhcpd.conf instead which is always copied where
      needed upon startup.
```
The message is referring to a chrooted environment. isc-dhcpd startup script creates a copy of ${dhcpd_conf} in the chrooted environment, which is overwritten at the next dhcpd startup. Previous versions of isc-dhcpd-server used a startup method which allowed a chrooted *or jailed* startup, in a single-jailed-process manner, using the same 'copy (and overwrite) config' method, similar to a chrooted startup. The current version is no longer offering jailed startup support, but the message during install isn't modified since 3.1-ESV.

Perform some tests with the tftp server, check if the files can be downloaded by the client, so you can isolate where the problem is: on the PXE loader or on the tftp server. Use a tftp client to read some files. Also, you may need to compile the FreeBSD loader of the diskless clients with TFTP support, if your diskless clients are running FreeBSD.


----------



## Beeblebrox (Feb 21, 2012)

This section of the pxeboot process (dhcp + tftp) is solved and both are running nicely. Thanks again for your Input & help.


----------

