SCIENTIFIC-LINUX-USERS Archives

May 2019

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "Teh, Kenneth M." <[log in to unmask]>
Reply To: Teh, Kenneth M.
Date: Fri, 17 May 2019 15:46:23 +0000

I had tftp-secure when testing manually. And I was running dnsmasq in the
foreground as root in verbose mode so I could see what it was doing with respect
to pxe requests.

I probably forgot the admonition about tftp-secure and assumed it was like the
'-s' option of in.tftpd which does a chroot. Seems strange that dnsmasq would
admonish running as root when syslinux-tftpboot installs its files as owned by root.

I didn't do anything with dnsmasq.conf. Instead, I added a dhcp.conf and
pxe.conf to dnsmasq.d to do dhcp/dns and pxe. I solved it by using the
user=root directive.

On 5/17/19 10:33 AM, Tom H wrote:
> On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
> <[log in to unmask]> wrote:
>> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>>
>>>> Systemd continues to baffle me.
>>>>
>>>> I've set up a router machine that provides pxe boot and tftp
>>>> services on a private network with dnsmasq. Pxeboot works if I
>>>> run dnsmasq manually, but not when I turn on the service with
>>>> systemctl.
>>>>
>>>> I can't think through its layers of obtuseness and would
>>>> appreciate someone with a fresher brain to point me in the right
>>>> direction.
>>>
>>> You don't give us much to work with. When you start it manually,
>>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>>> Anything else that might be relevant?
>>
>> Sorry. You're right. A moment of exasperation and frustration with
>> systemd whose bits of config/info are strewn all over the place
>> instead of everything in init.d. I guess I resent learning new ways
>> of doing old things. Must be my age. :)
>>
>> Turned out the problem is dnsmasq's tftp module has no permission
>> to read pxelinux.0 even though the file is 0644. Checked audit.log
>> for possible selinux problem. Nothing.
>>
>> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
>> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
>> an semanage fcontext/restorecon to change it just to see if dnsmasq
>> would read it. Doesn't change. Nothing in journalctl. Used chcon.
>> Changes it. But dnsmasq still cannot read the file.
>>
>> Finally set dnsmasq to run as root in its config. Works. Only thing
>> I can think of is dnsmasq which apparently runs as nobody when
>> started from systemd cannot read files it does not own.
>
> 1) From the manpage
>
> --tftp-secure
> Enable TFTP secure mode: without this, any file which is readable by
> the dnsmasq process under normal unix access-control rules is
> available via TFTP. When the --tftp-secure flag is given, only files
> owned by the user running the dnsmasq process are accessible. If
> dnsmasq is being run as root, different rules apply: --tftp-secure
> has no effect, but only files which have the world-readable bit set
> are accessible. It is not recommended to run dnsmasq as root with
> TFTP enabled, and certainly not without specifying --tftp-root. Doing
> so can expose any world-readable file on the server to any host on
> the net.
>
> Are you using this option?
>
> 2) When you were testing and running it manually, were you setting
> command-line options or were you simply using the options in
> "/etc/dnsmasq.conf" like the systemd unit?
>
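The three access rules Tom quotes from the manpage, applied as an audit of what a TFTP root would expose under each way of running dnsmasq. This is an added example, not dnsmasq's own code; it models only the ownership and mode-bit rules stated in the quoted text (not dnsmasq's full path handling), and the nobody uid/gid are assumed values.

```python
import stat
from pathlib import Path

# Constructed: the thread does not state which uid systemd's dnsmasq dropped
# to; 99 is the EL7 'nobody' uid, adjust for the system being audited.
NOBODY_UID = 99
NOBODY_GID = 99


def servable(st_uid, st_gid, st_mode, run_uid, run_gid,
             run_groups=(), tftp_secure=False):
    """Return True if dnsmasq running as run_uid/run_gid (plus supplementary
    run_groups) would serve a file with this owner, group and mode.
    Models only the manpage rules quoted above, not dnsmasq's path checks."""
    if not stat.S_ISREG(st_mode):
        return False                          # only regular files are served
    if run_uid == 0:
        # root: --tftp-secure is ignored; only world-readable files are served
        return bool(st_mode & stat.S_IROTH)
    if tftp_secure and st_uid != run_uid:
        # secure mode: only files owned by the dnsmasq user are accessible,
        # which is why a root-owned 0644 pxelinux.0 is refused to 'nobody'
        return False
    # otherwise ordinary unix access control for the dnsmasq process
    if st_uid == run_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid == run_gid or st_gid in run_groups:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def audit_tftp_root(root, run_uid, run_gid, run_groups=(), tftp_secure=False):
    """Walk the TFTP root and map each file's relative path to served/refused."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            report[str(path.relative_to(root))] = servable(
                st.st_uid, st.st_gid, st.st_mode,
                run_uid, run_gid, run_groups, tftp_secure)
    return report


if __name__ == "__main__":
    root = "/var/lib/tftpboot"                # the TFTP root from the thread
    for secure in (False, True):
        refused = [f for f, ok in audit_tftp_root(
            root, NOBODY_UID, NOBODY_GID, tftp_secure=secure).items() if not ok]
        print(f"tftp-secure={secure}: {len(refused)} file(s) refused to nobody: {refused}")
```

Run as-is, the refused list under tftp-secure shows exactly which root-owned boot files would need chown to the dnsmasq user instead of running the daemon as root.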