Tftpd: read: Connection refused

I have a new Foreman 1.21.0 server deployed on Ubuntu 18.04.

I’m attempting to provision my first vSphere VM from this new instance. I’ve successfully created a VM through Foreman, and hit the ‘Build’ button. A new file was successfully deposited in /var/lib/tftpboot/pxelinux.cfg. Here, it’s named 01-00-50-56-AA-AA-AA:

root@foreman:~# ll /var/lib/tftpboot/pxelinux.cfg
total 16
drwxr-xr-x 2 foreman-proxy root          4096 Mar  8 01:46 ./
drwxr-xr-x 8 root          nogroup       4096 Jan 11 01:08 ../
-rw-r--r-- 1 foreman-proxy foreman-proxy  765 Mar  8 01:46 01-00-50-56-AA-AA-AA
-rw-r--r-- 1 foreman-proxy foreman-proxy 1048 Mar  8 01:23 default
root@foreman:~# 

After booting, the VM gets an IP address from the DHCP server, but throws the error PXE-E32: TFTP open timeout. The server side complains with this error:

Mar  8 01:46:50 foreman dhcpd[1175]: DHCPACK on 192.168.100.201 to 00:50:56:AA:AA:AA via ens224
Mar  8 01:46:50 foreman in.tftpd[3786]: tftpd: read: Connection refused
Mar  8 01:46:52 foreman in.tftpd[3789]: tftpd: read: Connection refused
Mar  8 01:46:56 foreman in.tftpd[3793]: tftpd: read: Connection refused
Mar  8 01:47:02 foreman in.tftpd[3796]: tftpd: read: Connection refused
Mar  8 01:47:10 foreman in.tftpd[3810]: tftpd: read: Connection refused
Mar  8 01:47:20 foreman in.tftpd[3815]: tftpd: read: Connection refused
Mar  8 01:47:56 foreman in.tftpd[3834]: tftpd: read: Connection refused

Any idea what’s going on here? Is the server unable to read something?

I did upgrade the Foreman instance from 1.20.x to 1.21.x yesterday, but I don’t think that is relevant.

Ah, I think it’s referring to my TFTP server. My Foreman host is dual homed, with one NIC on the public network (with a hostname like foreman.example.org) and a second NIC on our provisioning network (192.168.x.x).

The DHCP client was, I think, telling the provisioned host to connect to the Public IP of our Foreman host. I believe I fixed this with the following command:

foreman-installer --foreman-proxy-tftp-servername 192.168.100.10

However, I still seem to have a problem. The foreman-installer didn’t configure the TFTP server to listen on the private interface, at 192.168.100.10.

What did I do wrong?

foreman-installer.yml has the correct IP for the tftp_servername:

root@foreman:~# grep tftp /etc/foreman-installer/scenarios.d/foreman-answers.yaml
  tftp: true
  tftp_listen_on: https
  tftp_managed: true
  tftp_manage_wget: true
  tftp_syslinux_filenames:
  tftp_root: "/var/lib/tftpboot"
  tftp_dirs:
  - "/var/lib/tftpboot/pxelinux.cfg"
  - "/var/lib/tftpboot/grub"
  - "/var/lib/tftpboot/grub2"
  - "/var/lib/tftpboot/boot"
  - "/var/lib/tftpboot/ztp.cfg"
  - "/var/lib/tftpboot/poap.cfg"
  tftp_servername: 192.168.100.10
  tftp_replace_grub2_cfg: false
root@foreman:~#

And I see the same hostname in tftp.yml:

root@foreman:~# cat /etc/foreman-proxy/settings.d/tftp.yml
---
# TFTP management
:enabled: https
:tftproot: /var/lib/tftpboot
# Defines the TFTP Servername to use, overrides the name in the subnet declaration
:tftp_servername: 192.168.100.10
root@foreman:~#

But that didn’t seem to alter the IP used by the tftp server configuration:

root@foreman:~# cat /etc/default/tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"
root@foreman:~#

Am I barking up the wrong tree?

Generally speaking, avoid multihomed Foreman at all costs. It creates quite a lot of problems to solve.

Now, that error simply means the client is unable to talk to your TFTP server. Is the IP address correct and reachable from the client? Try to spawn a VM from an image in that network and try to download a file using the “tftp” command-line client.

Is the daemon listening on the correct interface? Firewall in the way? If you use NAT along the way, you need to load a special TFTP handling module because TFTP is sessionless (UDP).

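The reachability check suggested in the reply above can also be scripted from a test VM on the provisioning network. This is an added example, not part of the original thread or of Foreman: it sends a single TFTP read request (RFC 1350) and reports whether data, a TFTP error, or nothing comes back, and from which address. The function names are hypothetical, and the lowercase per-host filename follows PXELINUX's documented naming convention.

```python
import socket
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def pxelinux_cfg_path(mac):
    """Per-host file PXELINUX requests: ARP type 01 + MAC, dashes, lowercase."""
    return "pxelinux.cfg/01-" + mac.lower().replace(":", "-")


def build_rrq(path, mode="octet"):
    """Read request: opcode 1, then NUL-terminated filename and mode."""
    return struct.pack("!H", OP_RRQ) + path.encode() + b"\0" + mode.encode() + b"\0"


def parse_reply(packet):
    """Classify the first packet that comes back."""
    if len(packet) < 4:
        return ("malformed", "")
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return ("data", f"block {value}, {len(packet) - 4} bytes")
    if opcode == OP_ERROR:
        text = packet[4:].rstrip(b"\0").decode(errors="replace")
        return ("error", f"code {value}: {text}")
    return ("unexpected", f"opcode {opcode}")


def probe(server, path, port=69, timeout=3.0, bind_ip=""):
    """Send one RRQ from bind_ip and report what answers, and from where."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_ip, 0))
        s.sendto(build_rrq(path), (server, port))
        try:
            # Unconnected socket on purpose: the server answers from a new
            # ephemeral port, and on a multihomed host possibly another IP.
            packet, peer = s.recvfrom(2048)
        except socket.timeout:
            return ("timeout", "no reply (wrong address, firewall, or not listening)")
        kind, detail = parse_reply(packet)
        return (kind, f"{detail} from {peer[0]}:{peer[1]}")


if __name__ == "__main__":
    # Address and MAC are the ones quoted in the thread.
    print(probe("192.168.100.10", pxelinux_cfg_path("00:50:56:AA:AA:AA")))
```

A "timeout" result corresponds to what the PXE client reports as PXE-E32; a reply whose source address differs from the one queried points at the multihoming problem discussed above.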

Unfortunately, that would be difficult in our environment, as our provisioning networks are usually separated from the production networks.

I’ll spin up another VM and attach it to this network and do some network troubleshooting that way.

So, just to close up here. This error happened because I had the wrong IP for the Foreman Proxy Gateway. Rerunning with foreman-installer --foreman-proxy-dhcp-gateway="x.y.z", where x.y.z is the IP of my Foreman host, fixed the issue.
