Existing DHCP server (dnsmasq) and Foreman TFTP/PXE - can they coexist?


#1

Problem: I want to deploy The Foreman to install and reinstall baremetal machines on my local network. My local network already uses dnsmasq for DHCP.

Foreman and Proxy versions: (Whatever the latest is, I have not installed The Foreman yet)

I have an existing network which uses DHCP managed by a dnsmasq server which I don’t want to change. However dnsmasq isn’t serving PXE or TFTP.

The servers that I want The Foreman to manage will have entries in the DHCP server. I can also add DHCP options like dnsmasq dhcp-option and dhcp-boot as may be required to point to The Foreman. (But what settings to add exactly?)

Is this a thing that is going to work, or is there some fundamental reason that The Foreman cannot work like this?


#2

Hey Rich, glad to see you with us!

Foreman (and its component called smart-proxy) is able to manage multiple DHCP server implementations. Our (puppet-based) installer will set you up ISC DHCP by default (it will not enable it for obvious reasons - you need to tell it). But we have smart-proxy modules for various DHCP servers including Infoblox, MSDHCP and - wait for it - dnsmasq. We just don’t have installer bits yet.

For TFTP it does not matter which service serves the directory, the smart-proxy TFTP module just creates/deletes files in a directory it was told to, no tight integration with the TFTP service. By default we configure ISC TFTP via xinetd.

So the module you are looking for is fairly new, it was recently (last month) moved under the theforeman github org and we are in progress of preparing RPMs (not yet done - http://yum.theforeman.org/plugins/nightly/el7/x86_64/ is anyone working on this?). Installation of the proxy module is easy though, it is just a rubygem you need to install and edit one YAML file.

This is not the only way of managing dnsmasq, there is an embedded module called dhcp_virsh which is able to manage dnsmasq via the virsh command, but it has limited features and the “true” dnsmasq module is now preferred.

You can also manage DNS, there is a similar module for the dnsmasq DNS service. Both plugins simply modify configuration files and send SIGHUP to the dnsmasq process to reload them.

If you prefer not to use those dnsmasq modules, there are several other options. You can use the foreman_hooks plugin and create shell scripts to add DHCP entries or you can simply use unmanaged DHCP. It will work as long as you send the DHCP filename option (pxelinux or grub2 depending on which one you want to use) and next-server entry. But the Foreman PXE workflow requires an IP address to be reserved, you can simply enter a dummy one or set IPAM to DB and let Foreman generate a dummy IP for you. Once Puppet or Ansible checks in via report, there is a Setting you can opt in to update the IP address in the Foreman inventory as well as the Subnet.

Don’t hesitate to ping me (lzap) on freenode/rh networks if you need any assistance, I owe you a lot for your help with my many questions about booting, BIOS and EFI :slight_smile:


#3

One more thing, Foreman is able to identify incoming kickstart requests by UUID (we call them tokens), they are enabled by default so don’t disable them. Otherwise it will fall back to the Anaconda HTTP MAC address header if present. If you are installing a non-RH distro then Foreman falls back to REMOTE IP identification and this is the point of failure for an unmanaged DHCP server. Just for the record, as long as you keep tokens turned on, you are fine (Administer - Settings - Provisioning - Token duration).

For your POC I recommend you install plain Foreman with zero plugins and disable the DHCP/DNS/TFTP modules and also setup/foreman/discovery for now:

foreman-installer \
  --no-enable-foreman-plugin-bootdisk \
  --no-enable-foreman-plugin-discovery \
  --no-enable-foreman-plugin-setup \
  --no-enable-puppet \
  --enable-foreman-proxy \
  --foreman-proxy-puppet=false \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-dhcp=false \
  --foreman-proxy-dns=false

Then install the dnsmasq rubygems and create configuration files in /etc/foreman-proxy to enable them. Enable the TFTP module as well (shipped with smart-proxy itself); if you told the installer to do it, it would set up tftp-server and xinetd for you, which is not what you want to do.

Alternatively, you can install smart-proxy on your host with dnsmasq. You can use our installer or you can simply check out git and use system Ruby 2.0+ and plain rubygems/bundler. It has minimum dependencies - that is the idea, to be able to run it even on Windows or BSD. Then add the smart proxy into Foreman using the web UI.

Remember our installer is puppet-based, simply re-run it with changed options to post-install any module/plugin you want.


#4

I have another idea – It’s possible to tell dnsmasq to ignore certain machines (by MAC address). I could tell my main dnsmasq to ignore the machines that I want The Foreman to manage, so it wouldn’t send any DHCP replies to them. However I’d have to then configure The Foreman’s DHCP server (whichever it is) to only respond to a set of known MAC addresses. I don’t know how feasible that is.


#5

In ISC you can definitely ignore some MAC addresses:

# Put the class and the pool inside the matching "subnet" declaration in dhcpd.conf.
# "hardware" is 7 bytes: the hardware-type byte followed by the 6-byte MAC, so
# offset 1, length 2 compares the first two octets of the MAC against 00:02
# (a 4-byte substring would never equal a 2-byte literal).
class "ignored" {
        match if substring(hardware,1,2) = 00:02;
}
pool {
        deny members of "ignored";
        range 192.168.172.100 192.168.172.149;
}

As you say, in dnsmasq there is also an “ignore” flag. I haven’t tried this myself, but it should work. However I cannot recommend this, the moment you forget to add a MAC address to your dnsmasq/ISC your mileage will vary. Two DHCP servers on the same network usually means “random” problems (sometimes it boots, sometimes it does not), no matter if you set one into authoritative mode. We’ve seen lots of users struggling with this.

Foreman was built from scratch to be the inventory of your servers, it is much easier to buy the idea and install smart proxy on all your TFTP/DHCP/DNS servers as we keep the dependencies to an absolute minimum - it should work even on ARM as long as there’s Ruby available. In the worst case, you can export dnsmasq config files via NFS and modify the module to send the HUP signal over the wire.

What is your use case? Why do you want to keep running your dnsmasq unmanaged? Foreman-created entries and other system or manually-created entries can co-exist with each other just fine.
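Putting together the unmanaged-DHCP route from #2 (send next-server plus the boot filename) and the per-MAC ignore flag from #4/#5, here is an added dnsmasq configuration fragment; it is not from this thread or from the Foreman project, and the MAC addresses, the name foreman.example.com and the address 192.0.2.10 are placeholders for the host running the smart-proxy TFTP module.

```conf
# Added example, not from the thread. Assumed: the smart-proxy serving TFTP
# is reachable at 192.0.2.10 (foreman.example.com); MACs are placeholders.

# Option A: dnsmasq stays the only DHCP server on the segment and simply
# points the hosts Foreman should provision at Foreman's TFTP server.
# Reserve the address (Foreman's PXE workflow wants one) and tag the host.
dhcp-host=52:54:00:aa:bb:01,set:foreman,192.168.172.101
dhcp-host=52:54:00:aa:bb:02,set:foreman,192.168.172.102

# Client architecture (DHCP option 93) picks BIOS pxelinux vs x86_64 UEFI grub2.
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
tag-if=set:foreman-efi,tag:foreman,tag:efi-x86_64
tag-if=set:foreman-bios,tag:foreman,tag:!efi-x86_64

# dhcp-boot sets the DHCP "filename" and "next-server" (siaddr) in one line.
# Only hosts carrying the tag get a boot file; every other client is untouched,
# so a stray PXE client on the LAN cannot be steered at Foreman by accident.
dhcp-boot=tag:foreman-bios,pxelinux.0,foreman.example.com,192.0.2.10
dhcp-boot=tag:foreman-efi,grub2/grubx64.efi,foreman.example.com,192.0.2.10

# Option B (the idea from #4, discouraged in #5): make dnsmasq answer nothing
# for those MACs so a separate Foreman-managed DHCP server handles them.
# Any MAC you forget to list here will be answered by both servers.
# dhcp-host=52:54:00:aa:bb:01,ignore
# dhcp-host=52:54:00:aa:bb:02,ignore
```

Reload dnsmasq with SIGHUP after editing (the same mechanism the smart-proxy dnsmasq module uses), and verify with a packet capture on the segment that exactly one server answers each provisioned host's DHCPDISCOVER.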


#6

@lzap is right, but it’s worth also mentioning that Foreman doesn’t directly manage the contents of the ISC dhcpd.conf file - it only reads it for pool/range info (writes only go to the lease file to create reservations). So it’s totally possible to configure it to ignore the hosts handled by DNSMasq. The downside is that we’ve no automation for that, so you’d need to figure out if it’s painful enough to manage some other way (Puppet perhaps?), or if it’s just a set-and-forget one-time thing.