I am trying to set up a CentOS 7 server as a DHCP server for PXE (UEFI). I have tried several changes to the dhcpd.conf file, but nothing seems to make a difference.
dhcpd.conf:
allow booting;
allow bootp;
max-lease-time 120;
default-lease-time 120;
option domain-name "domain.tld";
option domain-name-servers 192.168.1.9, 192.168.1.10;
option space pxe;
option pxe.magic code 208 = string;
option pxe.configfile code 209 = text;
option pxe.pathprefix code 210 = text;
option pxe.reboottime code 211 = unsigned integer 32;
option pxe.mtftp-ip code 1 = ip-address;
option pxe.mtftp-cport code 2 = unsigned integer 16;
option pxe.mtftp-sport code 3 = unsigned integer 16;
option pxe.mtftp-tmout code 4 = unsigned integer 8;
option pxe.mtftp-delay code 5 = unsigned integer 8;
option pxe.discovery-control code 6 = unsigned integer 8;
option pxe.discovery-mcast-addr code 7 = ip-address;
option architecture-type code 93 = unsigned integer 16;
class "pxe" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
option vendor-class-identifier "PXEClient";
vendor-option-space pxe;
option pxe.mtftp-ip 0.0.0.0;
if option architecture-type = 00:07 {
filename "shim.efi";
} else {
filename "pxelinux/pxelinux.0";
}
}
subnet 192.168.1.0 netmask 255.255.255.0 {
not authoritative;
}
# PXE Network
########################################################################
subnet 172.16.10.0 netmask 255.255.255.0 {
authoritative;
allow unknown-clients;
next-server 172.16.10.3;
option routers 172.16.10.1;
option broadcast-address 172.16.10.255;
pool {
range dynamic-bootp 172.16.10.10 172.16.10.49;
allow members of "pxe";
}
pool {
range 172.16.10.50 172.16.10.99;
allow members of "pxe";
}
pool {
range 172.16.10.100 172.16.10.149;
}
}
host dev2 {
hardware ethernet ec:f4:bb:d8:59:9f;
option host-name "dev2.domain.tld";
}
host dev1 {
hardware ethernet ec:f4:bb:bf:c8:e7;
option host-name "dev1.domain.tld";
}
I tried running the server manually to make sure I would see any logs, but the result was just this:
[root@kickstart dhcp]# /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid -4 -d eth1
Internet Systems Consortium DHCP Server 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Wrote 0 class decls to leases file.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
Listening on LPF/eth1/52:54:00:fa:4d:fc/172.16.10.0/24
Sending on LPF/eth1/52:54:00:fa:4d:fc/172.16.10.0/24
Sending on Socket/fallback/fallback-net
I also ran a packet trace on the server. I see the DHCP Discover packets coming in, but there is never any reply.
$tcpdump -vvvvvvvvvvvvvvvvvvvvv -ttttt -i eth1
00:37:05.338983 IP (tos 0x0, ttl 64, id 43032, offset 0, flags [none], proto UDP (17), length 375)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ec:f4:bb:d8:59:9f (oui Unknown), length 347, xid 0x777a345e, secs 12, Flags [Broadcast] (0x8000)
Client-Ethernet-Address ec:f4:bb:d8:59:9f (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
MSZ Option 57, length 2: 1464
Parameter-Request Option 55, length 35:
Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
IEN-Name-Server, Domain-Name-Server, Hostname, BS
Domain-Name, RP, EP, RSZ
TTL, BR, YD, YS
NTP, Vendor-Option, Requested-IP, Lease-Time
Server-ID, RN, RB, Vendor-Class
TFTP, BF, GUID, Option 128
Option 129, Option 130, Option 131, Option 132
Option 133, Option 134, Option 135
GUID Option 97, length 17: 0.68.69.76.76.84.0.16.57.128.75.180.192.79.67.52.50
NDI Option 94, length 3: 1.3.16
ARCH Option 93, length 2: 7
Vendor-Class Option 60, length 32: "PXEClient:Arch:00007:UNDI:003016"
END Option 255, length 0
Some other system information:
$ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:59:e9:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.203/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:fa:4d:fc brd ff:ff:ff:ff:ff:ff
inet 172.16.10.3/24 brd 172.16.10.255 scope global eth1
valid_lft forever preferred_lft forever
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
$ firewall-cmd --state
not running
$ netstat -nap | grep dhcp
udp 0 0 0.0.0.0:67 0.0.0.0:* 21050/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 17697/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:* 15042/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 21050/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 17697/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 15042/dhcpd
unix 2 [ ] DGRAM 94586 15042/dhcpd
unix 2 [ ] DGRAM 107361 17697/dhcpd
unix 2 [ ] DGRAM 110207 21050/dhcpd
$ iptables-save
$
I am not sure whether this matters, but the PXE server is a KVM/QEMU guest running on a CentOS 7 hypervisor. On the host, em1 is connected to br1, em2 to br2, em3 to br3 and em4 to br4. Each NIC is connected to a switch port on its own VLAN. The VM has eth0 linked to br1 and eth1 linked to br4.
The PXE client is a physical server. There are multiple switches between this PXE client and the DHCP server.
Update:
(the configuration above has been updated):
I configured a standard Linux client on the network and it was able to get a lease. So it seems to be something about the UEFI client. Here is a pcap of a single request: https://pastebin.com/hp6n1ExR (base64 encoded)
Posted on 2023-02-04 21:10:42
I am writing this down in case anyone else runs into a similar problem.
First, the following network configuration can be seen from your question:
On the host, em1 is connected to br1, em2 to br2, em3 to br3 and em4 to br4. Each NIC is connected to a switch port on its own VLAN. The VM has eth0 linked to br1 and eth1 linked to br4.
It is worth noting that these are all "regular" interfaces, not VLAN interfaces. They do not expect incoming Ethernet frames to carry any VLAN tag. On the other hand, from your packet capture we can see that the incoming frames are tagged with VLAN 900:
$ tshark -n -r packets
.
.
.
Ethernet II, Src: Dell_d8:59:9f (ec:f4:bb:d8:59:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: Dell_d8:59:9f (ec:f4:bb:d8:59:9f)
Address: Dell_d8:59:9f (ec:f4:bb:d8:59:9f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 900
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0011 1000 0100 = ID: 900
Type: IPv4 (0x0800)
.
.
.
This means your switch is misconfigured (or the host is misconfigured, depending on how we look at it): we would expect the port to be configured as an access port, that is, one that delivers untagged packets from a specific VLAN to the host.
Unfortunately, the port appears to be configured as a trunk port, that is, a port that can deliver multiple VLANs to the host over a single physical connection.
If your host is configured to expect an access port but the Ethernet frames are delivered with a VLAN tag, those frames are effectively "lost" by the host.
You can configure a VLAN interface on the system:
ip link add link eth1 name eth1.900 type vlan id 900
Or you can configure your switch port as an access port; the instructions for that vary from switch to switch.
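An added example (not part of the answer or the original post) that shows why the tagged Discover never reaches dhcpd: it builds a frame tagged the way the tshark output shows, decodes the 802.1Q TCI (PRI/DEI/VID, where 0x0384 is VLAN 900) and models the receive rule the answer describes: a plain interface accepts untagged frames, while a tagged frame is only delivered if a VLAN subinterface such as eth1.900 exists for that VID. The sample frames and their payload are constructed placeholders, not the page's pcap.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst: str, src: str, payload: bytes,
                vid: Optional[int] = None, pri: int = 0) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag (TCI = PRI:3 | DEI:1 | VID:12)."""
    hdr = mac(dst) + mac(src)
    if vid is not None:
        tci = (pri << 13) | (vid & 0x0FFF)          # DEI bit left clear
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload

def parse_frame(frame: bytes) -> dict:
    """Return dst/src, the real EtherType and the 802.1Q fields (None if untagged)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = {"pri": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype,
            "vlan": vlan, "payload": frame[off:]}

def reaches_ip_stack(frame: bytes, vlan_subinterfaces: set) -> bool:
    """Receive rule from the answer: untagged frames (and priority tags with VID 0)
    are accepted on the base interface; a tagged frame is delivered only when a
    VLAN subinterface for its VID exists, otherwise the host drops it."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None or vlan["vid"] == 0:
        return True
    return vlan["vid"] in vlan_subinterfaces

# Constructed samples: the PXE client's broadcast Discover as seen on eth1, once
# tagged VLAN 900 like the tshark output and once untagged (payload is a placeholder).
DISCOVER_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "ec:f4:bb:d8:59:9f", b"\x45" + b"\x00" * 19, vid=900)
DISCOVER_UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "ec:f4:bb:d8:59:9f", b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(parse_frame(DISCOVER_TAGGED)["vlan"])       # {'pri': 0, 'dei': 0, 'vid': 900}
    print(reaches_ip_stack(DISCOVER_TAGGED, set()))   # False: plain eth1 drops it
    print(reaches_ip_stack(DISCOVER_TAGGED, {900}))   # True: after adding eth1.900
```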
https://serverfault.com/questions/1121389