From 7e914c73f3257f4ac9a8509f53b77cf16d8ba13b Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Tue, 8 Sep 2015 15:37:06 -0400
Subject: [PATCH] Revise TFTP settings and note configuration

Revising the tftp settings to utilize tftp-hpa's secure mode and to have explicit file paths. Added note to give additional context with regards to tftp-hpa's user privilege behavior.

Change-Id: I1f4c782de3851d1e86c22e972fb7c319b3ad07d0
---
 playbooks/roles/bifrost-ironic-install/files/xinetd.tftp | 4 +++-
 .../roles/bifrost-ironic-install/templates/dnsmasq.conf.j2 | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/playbooks/roles/bifrost-ironic-install/files/xinetd.tftp b/playbooks/roles/bifrost-ironic-install/files/xinetd.tftp
index e8568f273..bb983ede1 100644
--- a/playbooks/roles/bifrost-ironic-install/files/xinetd.tftp
+++ b/playbooks/roles/bifrost-ironic-install/files/xinetd.tftp
@@ -4,9 +4,11 @@ service tftp
 port = 69
 socket_type = dgram
 wait = yes
+ # Note(TheJulia): While the line below looks incorrect, tftp-hpa changes it it's
+ # effective user by default to the nobody user.
 user = root
 server = /usr/sbin/in.tftpd
- server_args = --map-file /tftpboot/map-file /tftpboot
+ server_args = -v -v -v -v -s --map-file /tftpboot/map-file /tftpboot
 disable = no
 flags = IPv4
 }
diff --git a/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
index 89794eb82..1cba55769 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
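Review bot: In the xinetd.tftp hunk, the added comment says the daemon ends up as nobody but not why `user = root` has to stay, and the privilege drop relies on tftp-hpa's built-in default rather than on anything written in this file. With `-s` now set, in.tftpd needs root at start-up to chroot into /tftpboot, so the comment could read `# Note(TheJulia): root is needed so in.tftpd can chroot (-s); tftp-hpa then changes its` / `# effective user to nobody.`, which also fixes the "it it's" typo. Adding `-u nobody` to `server_args` would make the drop explicit instead of implied. The map-file itself is not part of this diff; if its rewrite rules prepend /tftpboot, they would presumably now resolve inside the chroot and should be checked against the new `/ipxe.pxe`-style paths.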
@@ -434,10 +434,10 @@ dhcp-range={{dhcp_pool_start}},{{dhcp_pool_end}},12h # filenames, the first loads gPXE, and the second tells gPXE what to # load. The dhcp-match sets the gpxe tag for requests from gPXE. dhcp-userclass=set:gpxe,"gPXE" -dhcp-boot=tag:gpxe,ipxe.pxe +dhcp-boot=tag:gpxe,/ipxe.pxe dhcp-match=set:ipxe,175 # iPXE sends a 175 option. -dhcp-boot=tag:!ipxe,undionly.kpxe +dhcp-boot=tag:!ipxe,/undionly.kpxe {% if testing %} dhcp-boot=http://192.168.122.1:{{nginx_port}}/boot.ipxe {% else %}
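Review bot: The leading slash on `/ipxe.pxe` and `/undionly.kpxe` is only correct while the TFTP server is chrooted into /tftpboot (the `-s` added to xinetd.tftp in this same commit), and nothing in this template records that dependency. A TFTP server running without that chroot would resolve these names against the real filesystem root, so a comment above the two `dhcp-boot` lines would help, e.g. `# Boot file paths are absolute inside the in.tftpd chroot (/tftpboot, see xinetd.tftp -s).` The `{% if testing %}` block continues outside the hunk.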