我正在尝试设置 DHCP 故障转移,并允许从其中一台 DHCP 服务器进行 PXE 引导。根据 DHCP 规范的要求,我为“常规”DHCP 和 PXE 启动设置了单独的池。我的故障转移配置工作正常,但应该响应 PXE 请求的 DHCP 配置不再工作。
背景:我最近升级到了 AlmaLinux 9(从 CentOS 7),它运行 ISC DHCP 4.4。在旧配置中,我没有 DHCP 故障转移,并且允许从整个池进行 PXE 引导。由于我们站点的硬件故障历史记录,我想设置 DHCP 故障转移。
出于此配置的目的,我们将应该响应 PXE 请求的系统称为“主”DHCP 服务器。/etc/dhcp/dhcpd/conf
这是该服务器的一个片段。请注意,我设置了一个单独的池来处理 PXE/BOOTP 查询。(请原谅这些评论的说教语气。它们是为我做系统管理员工作的。)
authoritative; # Send out acknowledgements to DHCP client queries.
failover peer "dhcp-failover" {
primary; # declare this to be the primary server
address 10.4.7.9;
port 647;
peer address 10.4.7.210;
peer port 647;
# How many seconds to wait before we assume that the other has failed.
max-response-delay 30;
# How many BNDUPD messages to send before receiving BNDACK.
max-unacked-updates 10;
# How many seconds to wait before disabling load balancing.
load balance max seconds 3;
# Maximum Client Lead Time = How long a lease may be renewed
# without contacting the other DHCP peer.
mclt 1800;
# The split between primary and secondary. 128 means a
# 50% split between peers; 255 means the primary handles
# everything until it fails.
split 128;
}
# This is the primary DHCP server. Respond to BOOTP requests.
allow booting;
allow bootp;
option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time
# Is this a DHCP query (as opposed to a BOOTP query)?
class "dhcp" {
match if exists dhcp-message-type;
}
class "pxe" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}
subnet 10.4.0.0 netmask 255.255.0.0 {
default-lease-time 86400; # one day (in seconds)
option subnet-mask 255.255.0.0;
option broadcast-address 10.4.255.255;
option routers 10.4.0.1;
option domain-name-servers 10.4.7.7, 10.4.7.29;
option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time
option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;
pool {
failover peer "dhcp-failover";
deny dynamic bootp clients;
deny members of "pxe";
range 10.4.45.1 10.4.45.250; # DHCP pool on private network
}
# A separate pool for BOOTP services.
pool {
range dynamic-bootp 10.4.45.251 10.4.45.255; # DHCP pool on private network
allow dynamic bootp clients;
deny members of "dhcp";
allow members of "pxe";
next-server 10.4.7.9; # On which system the bootp filename is located.
if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
if substring(option vendor-class-identifier,15,5) = "00007" {
log(info,"UEFI PXE Boot - private network");
filename "pxelinux/grubx64.efi"; # The file to load for EFI systems.
}
else {
log(info,"BIOS PXE Boot - private network");
filename "pxelinux.0"; # The file to load via bootp for BIOS systems.
}
}
}
}
这是来自/etc/dhcp/dhcpd.conf
故障转移/辅助/非 PXE 服务器:
authoritative; # Send out acknowledgements to DHCP client queries.
failover peer "dhcp-failover" {
secondary; # declare this to be the secondary server
address 10.4.7.210;
port 647;
peer address 10.4.7.9;
peer port 647;
# How many seconds to wait before we assume that the other has failed.
max-response-delay 30;
# How many BNDUPD messages to send before receiving BNDACK.
max-unacked-updates 10;
# How many seconds to wait before disabling load balancing.
load balance max seconds 3;
}
# Make sure that this failover DHCP server does _not_
# respond to bootp.
deny bootp;
option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time
# Is this a DHCP query (as opposed to a BOOTP query)?
class "dhcp" {
match if exists dhcp-message-type;
}
class "pxe" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}
subnet 10.4.0.0 netmask 255.255.0.0 {
default-lease-time 86400; # one day (in seconds)
option subnet-mask 255.255.0.0;
option broadcast-address 10.4.255.255;
option routers 10.4.0.1;
option domain-name-servers 10.4.7.7, 10.4.7.29;
option domain-name "company.example.com";
option time-offset -18000; # Eastern Standard Time
option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;
# Note that there are a few IP addresses in the range of the primary
# server that are not included here. This is for BOOTP, which is
# not handled by the secondary server.
pool {
failover peer "dhcp-failover";
deny dynamic bootp clients;
deny members of "pxe";
range 10.4.45.1 10.4.45.250; # DHCP pool on private network
}
}
我知道我对“dhcp”和“pxe”类做得太过了。我在尝试解决问题时添加了它们。除了引入下面的日志消息之外,它们没有任何作用peer holds all free leases
。
这是我在“主”服务器的日志中看到的内容。请注意,这52:54:00:31:f2:7f
是我设置为通过 PXE 启动的测试系统的 MAC 地址,然后它“放弃”并从磁盘启动。
Sep 8 14:20:46 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:20:49 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:20:57 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:21:13 dhcpd dhcpd[17922]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
这是来自“辅助”服务器上的日志。这与客户端首次启动时大约一分钟的延迟是一致的,因为它试图找到 PXE 服务器,直到它从操作系统启动切换到以通常的方式获取 DHCP 地址。
Sep 8 14:20:46 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:20:46 dhcpdsec dhcpd[67768]: bind update on 10.4.45.183 from dhcp-failover rejected: incoming update is less critical than outgoing update
Sep 8 14:20:49 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:20:57 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:21:13 dhcpdsec dhcpd[67768]: DHCPDISCOVER from 52:54:00:31:f2:7f via enp7s0: peer holds all free leases
Sep 8 14:22:03 dhcpdsec dhcpd[67768]: DHCPREQUEST for 10.4.45.183 from 52:54:00:31:f2:7f via enp7s0
Sep 8 14:22:04 dhcpdsec dhcpd[67768]: DHCPACK on 10.4.45.183 to 52:54:00:31:f2:7f via enp7s0
通过在早期测试中的反复尝试,我确认 的值substring (option vendor-class-identifier, 0, 9)
确实是PXEClient
。
我已经尝试停止两台机器上的 dhcpd 守护进程并手动编辑 in 的52:54:00:31:f2:7f
条目/var/lib/dhcpd/dhcpd.leases
。不用找了。
有任何想法吗?
编辑:我想到,发布我以前的 DHCP 配置(无需故障转移)可能会有所帮助。PXE 启动工作正常:
subnet 10.4.0.0 netmask 255.255.0.0 {
range dynamic-bootp 10.4.45.1 10.4.45.254; # DCHP pool on private network
default-lease-time 86400; # one day (in seconds)
option subnet-mask 255.255.0.0;
option broadcast-address 10.4.255.255;
option routers 10.4.0.1;
option domain-name-servers 10.4.7.7, 10.4.7.29;
option domain-name "nevis.columbia.edu";
option time-offset -18000; # Eastern Standard Time
option ntp-servers 10.4.7.105, 10.4.7.7, 10.4.7.29;
next-server 10.4.7.9; # On which system the bootp filename is located.
if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
if substring(option vendor-class-identifier,15,5) = "00007" {
log(info,"UEFI PXE Boot - private network");
filename "pxelinux/grubx64.efi"; # The file to load for EFI systems.
}
else {
log(info,"BIOS PXE Boot - private network");
filename "pxelinux.0"; # The file to load via bootp for BIOS systems.
}
}
}
经过多次实验,我找到了答案:事实证明,池中访问控制语句的顺序很重要。
这是我原来的帖子中的类定义的重复:
以下是
subnet
适用于我的主 DHCP 服务器的定义。这与我原来的帖子中的配置之间的主要区别在于,range
与任何allow
ordeny
语句相比,语句的顺序,以及我"pxe"
首先定义池。原来的故障转移线保持不变。以下是我的辅助 DHCP 服务器配置中的修订
subnet
行,尽管这些更改可能并不重要:我现在已经有了 DHCP 故障转移和 PXE 启动的设置,用于安装/修复操作系统,可容纳 BIOS 和 EFI 系统。我希望其他人发现以上几行很有用!