Finnix is a great Linux live CD, based on Debian. It does not include an X server, and clocks in around 100MB in size (compressed).
Dnsmasq is a combination DNS, DHCP, TFTP service for small and medium size LANs.
Resources (RTFM):
How-to:
To start, get Finnix booted up. I used a virtual machine on Oracle VirtualBox with no virtual hard disk, 1GB ram, and 64bit OS setting. I used bridge mode networking as a preference; it won't matter here to make the boot image, but will be needed for testing later. You could use real hardware just as well,but you will need a way to copy files from the running OS (network, USB, etc). Why start Finnix? It has a tool to build the initrd you need, hassle-free. After you get Finnix started, run:
I chose to make the large initrd, thereby requiring no NFS exports for booting the distro - but requiring at least 512MB of RAM for machines that will boot it. The tool will output some details about ISC DHCP server configuration, but since we're using dnsmasq we'll just ignore that.
The files Finnix create are now in /srv/tftp/finnix
.
I used scp to bring them over to my machine running dnsmasq.
scp -r /srv/tftp/finnix user@your-dnsmasq-host:/srv/tftp/
The destination folder should now have this tree:
/srv/tftp/finnix
+-- [4.0K] /srv/tftp/finnix/boot
| +-- [4.0K] /srv/tftp/finnix/boot/grub
| | +-- [1.0K] /srv/tftp/finnix/boot/grub/loopback.cfg
| +-- [4.0K] /srv/tftp/finnix/boot/x86
| +-- [2.0K] /srv/tftp/finnix/boot/x86/boot.cat
| +-- [ 339] /srv/tftp/finnix/boot/x86/boot.msg
| +-- [ 20K] /srv/tftp/finnix/boot/x86/chain.c32
| +-- [1.1M] /srv/tftp/finnix/boot/x86/dos.imz
| +-- [1.0K] /srv/tftp/finnix/boot/x86/f1
| +-- [1.1K] /srv/tftp/finnix/boot/x86/f2
| +-- [333K] /srv/tftp/finnix/boot/x86/hdt.c32
| +-- [136M] /srv/tftp/finnix/boot/x86/initrd_net.xz
| +-- [2.4M] /srv/tftp/finnix/boot/x86/initrd.xz
| +-- [359K] /srv/tftp/finnix/boot/x86/ipxe
| +-- [2.4M] /srv/tftp/finnix/boot/x86/linux
| +-- [3.5M] /srv/tftp/finnix/boot/x86/linux64
| +-- [ 26K] /srv/tftp/finnix/boot/x86/memdisk
| +-- [158K] /srv/tftp/finnix/boot/x86/memtest
| +-- [ 54K] /srv/tftp/finnix/boot/x86/menu.c32
| +-- [210K] /srv/tftp/finnix/boot/x86/pci.ids
| +-- [4.0K] /srv/tftp/finnix/boot/x86/pxelinux
| | +-- [ 26K] /srv/tftp/finnix/boot/x86/pxelinux/pxelinux.0
| | +-- [3.5K] /srv/tftp/finnix/boot/x86/pxelinux/template.cfg
| +-- [ 16K] /srv/tftp/finnix/boot/x86/sbm.imz
| +-- [ 17K] /srv/tftp/finnix/boot/x86/splash.png
| +-- [149K] /srv/tftp/finnix/boot/x86/vesamenu.c32
+-- [ 26K] /srv/tftp/finnix/pxelinux.0
+-- [4.0K] /srv/tftp/finnix/pxelinux.cfg
+-- [3.5K] /srv/tftp/finnix/pxelinux.cfg/default
Configuring Dnsmasq:
Typically the configuration is located somewhere typically like /etc/dnsmasq.conf
.
Directives you'll be interested in:
# Set the boot filename for netboot/PXE. You will only need
# this is you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
dhcp-boot=pxelinux.0
# Enable dnsmasq's built-in TFTP server
enable-tftp
# Set the root directory for files available via FTP.
tftp-root=/srv/tftpd/finnix
The default pxelinux.0
boot file is fine, as the Finnix tool names it that for you. The path setting is up to you: I used /srv/tftp/finnix
for my install. The tftp-secure
option is also your choice. If you enable it, the user running dnsmasq will have to own the files in your tftp root. On Debian 7, the user running the daemon is dnsmasq
. Either way, make sure dnsmasq has permission to read the files.
Check your config:
root@charon:~# dnsmasq --test
dnsmasq: syntax check OK.
Firewall:
If you are running an iptables firewall (and I hope you are!), you need to allow incoming UDP port 69 traffic. The general syntax for this is (modify with your configuration):
iptables -A INPUT -i $lan -s $your_net -p udp --dport 69 -J ACCEPT
// you probably have something like this rule established already:
iptables -A INPUT -i $lan -s $your_net -m state --state RELATED,ESTABLISHED -j ACCEPT
I have another rule in my setup that allows state RELATED, ESTABLISHED state traffic in from my LAN, too. The RELATED rule works with dnsmasq's tftpd implementation. Otherwise you would have to manually select a port range in the dnsmasq.conf and allow a big incoming range in the INPUT table. Beyond using -m state
, there is also an ip_conntrack_tftp
module that I did not test. The conntrack module will offer more fine-grained control. If you wanted to go ahead with a specific range anyways:
tftp-port-range=<start>,<end>
A TFTP server listens on a well-known port (69) for connection initiation, but it also uses a dynamically-allocated port for each connection. Normally these are allocated by the OS, but this option specifies a range of ports for use by TFTP transfers. This can be useful when TFTP has to traverse a firewall. The start of the range cannot be lower than 1025 unless dnsmasq is running as root. The number of concurrent TFTP connections is limited by the size of the port range.
If you use this, you will have to allow the incoming connection on your selected port range. But, as previously mentioned, the RELATED state rule knows what to do without specifying ports.
Testing:
I like to tail -f /var/log/syslog
on the dnsmasq host to watch the log file when testing for the first time. It can help track down path errors and the like. A few errors are normal and seem to be inherent to the Finnix netboot. This is a log of a successful netboot from my machine:
Feb 7 09:35:26 charon dnsmasq[9697]: started, version 2.62 cachesize 150
Feb 7 09:35:26 charon dnsmasq[9697]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
Feb 7 09:35:26 charon dnsmasq-dhcp[9697]: DHCP, IP range 10.21.42.100 -- 10.21.42.200, lease time 12h
Feb 7 09:35:26 charon dnsmasq-tftp[9697]: TFTP root is /srv/tftp/finnix secure mode
Feb 7 09:35:26 charon dnsmasq[9697]: using local addresses only for domain frodo
Feb 7 09:35:26 charon dnsmasq[9697]: reading /etc/resolv.dnsmasq.conf
Feb 7 09:35:26 charon dnsmasq[9697]: using nameserver 8.8.4.4#53
Feb 7 09:35:26 charon dnsmasq[9697]: using nameserver 8.8.8.8#53
Feb 7 09:35:26 charon dnsmasq[9697]: using local addresses only for domain frodo
Feb 7 09:35:26 charon dnsmasq[9697]: read /etc/hosts - 6 addresses
Feb 7 09:35:51 charon dnsmasq-dhcp[9697]: DHCPDISCOVER(eth0) 08:00:27:4c:6b:18
Feb 7 09:35:51 charon dnsmasq-dhcp[9697]: DHCPOFFER(eth0) 10.21.42.117 08:00:27:4c:6b:18
Feb 7 09:35:53 charon dnsmasq-dhcp[9697]: DHCPREQUEST(eth0) 10.21.42.117 08:00:27:4c:6b:18
Feb 7 09:35:53 charon dnsmasq-dhcp[9697]: DHCPACK(eth0) 10.21.42.117 08:00:27:4c:6b:18
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: error 0 TFTP Aborted received from 10.21.42.117
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: failed sending /srv/tftp/finnix/pxelinux.0 to 10.21.42.117
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/pxelinux.0 to 10.21.42.117
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/cf7f3014-0bfc-4c09-a9c2-c889f78a3fee not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/01-08-00-27-4c-6b-18 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A152A75 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A152A7 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A152A not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A152 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A15 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A1 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0A not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: file /srv/tftp/finnix/pxelinux.cfg/0 not found
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/pxelinux.cfg/default to 10.21.42.117
Feb 7 09:35:53 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/boot/x86/boot.msg to 10.21.42.117
Feb 7 09:35:54 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/boot/x86/vesamenu.c32 to 10.21.42.117
Feb 7 09:35:54 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/pxelinux.cfg/default to 10.21.42.117
Feb 7 09:35:54 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/boot/x86/splash.png to 10.21.42.117
Feb 7 09:36:10 charon dnsmasq-tftp[9697]: sent /srv/tftp/finnix/boot/x86/linux64 to 10.21.42.117
We can test netboot on VirtualBox, too. In your virtual machine settings, under system, adjust the boot order to put network at the top - or hit F12 during VM startup and select network. You also need to use bridge mode networking: this way, the VM gets a DHCP lease from dnsmasq and not a NAT address from VirtualBox.
Unfortunately, there isn't an easy way to netboot over wifi - but almost every PC I've run into is netbootable via the onboard NIC (ethernet cable required).