I had tftp-secure when testing manually.  And I was running dnsmasq in the 
foreground as root in verbose mode so I could see what it was doing with 
respect to pxe requests.

I probably forgot the admonition about tftp-secure and assumed it was like the 
'-s' option on in.tftpd which does a chroot. Seems strange that dnsmasq would 
admonish running as root when syslinux-tftpboot installs its files as owned by 
root.

I didn't do anything with dnsmasq.conf. Instead, I added a dhcp.conf and 
pxe.conf to dnsmasq.d to do dhcp/dns and pxe.  I solved it by using the 
user=root directive.





On 5/17/19 10:33 AM, Tom H wrote:
> On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
> <00000864eace5c83-dmarc-requ...@listserv.fnal.gov> wrote:
>> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>>
>>>> Systemd continues to baffle me.
>>>>
>>>> I've set up a router machine that provides pxe boot and tftp
>>>> services on a private network with dnsmasq. Pxeboot works if I
>>>> run dnsmasq manually, but not when I turn on the service with
>>>> systemctl.
>>>>
>>>> I can't think through its layers of obtuseness and would
>>>> appreciate someone with a fresher brain to point me in the right
>>>> direction.
>>>
>>> You don't give us much to work with. When you start it manually,
>>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>>> Anything else that might be relevant?
>>
>> Sorry. You're right. A moment of exasperation and frustration with
>> systemd whose bits of config/info are strewn all over the place
>> instead of everything in init.d. I guess I resent learning new ways
>> of doing old things. Must be my age. :)
>>
>> Turned out the problem is dnsmasq's tftp module has no permission
>> to read pxelinux.0 even though the file is 0644. Checked audit.log
>> for possible selinux problem. Nothing.
>>
>> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
>> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
>> an semanage fcontext/restorecon to change it just to see if dnsmasq
>> would read it. Doesn't change. Nothing in journalctl. Used chcon.
>> Changes it. But dnsmasq still cannot read the file.
>>
>> Finally set dnsmasq to run as root in its config. Works. Only thing
>> I can think of is dnsmasq which apparently runs as nobody when
>> started from systemd cannot read files it does not own.
> 
> 1) From the manpage
> 
> --tftp-secure
> Enable TFTP secure mode: without this, any file which is readable by
> the dnsmasq process under normal unix access-control rules is
> available via TFTP. When the --tftp-secure flag is given, only files
> owned by the user running the dnsmasq process are accessible. If
> dnsmasq is being run as root, different rules apply: --tftp-secure
> has no effect, but only files which have the world-readable bit set
> are accessible. It is not recommended to run dnsmasq as root with
> TFTP enabled, and certainly not without specifying --tftp-root. Doing
> so can expose any world-readable file on the server to any host on
> the net.
> 
> Are you using this option?
> 
> 2) When you were testing and running it manually, were you setting
> command-line options or were you simply using the options in
> "/etc/dnsmasq.conf" like the systemd unit?
> 

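An added example, not from this thread or from dnsmasq's own code: a small Python model of the --tftp-secure rules quoted from the manpage above, so an admin can see why a root-owned 0644 pxelinux.0 is refused when dnsmasq runs unprivileged with tftp-secure, and why switching to user=root makes it served again (at the cost of exposing every world-readable file under the TFTP root). It assumes the unprivileged account is `nobody` and ignores supplementary group membership.

```python
"""Model of dnsmasq's documented --tftp-secure access rules (added example).

Constructed from the manpage text in the thread; not dnsmasq source.
"""
import os
import pwd
import stat
import sys


def tftp_would_serve(mode, file_uid, file_gid, proc_uid, proc_gid, tftp_secure):
    """Return (served, reason) for one file under the manpage rules.

    mode is the permission bits only (e.g. 0o644); uids/gids are integers.
    Supplementary groups are ignored (assumption, keeps the model small).
    """
    if proc_uid == 0:
        # Root: --tftp-secure has no effect; only world-readable files are served.
        if mode & stat.S_IROTH:
            return True, "root process, file is world-readable"
        return False, "root process, file lacks the world-readable bit"
    if tftp_secure and file_uid != proc_uid:
        return False, "tftp-secure: file not owned by uid %d" % proc_uid
    # Otherwise a plain Unix read check: owner, then group, then other.
    if file_uid == proc_uid:
        ok, cls = mode & stat.S_IRUSR, "owner"
    elif file_gid == proc_gid:
        ok, cls = mode & stat.S_IRGRP, "group"
    else:
        ok, cls = mode & stat.S_IROTH, "other"
    if ok:
        return True, "readable via %s bit" % cls
    return False, "not readable via %s bit" % cls


def check_path(path, user, tftp_secure):
    """Stat a real file and apply the rules as the named system user."""
    pw = pwd.getpwnam(user)
    st = os.stat(path)
    return tftp_would_serve(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            pw.pw_uid, pw.pw_gid, tftp_secure)


if __name__ == "__main__":
    # Usage: python tftp_check.py /var/lib/tftpboot/pxelinux.0 nobody [secure]
    path, user = sys.argv[1], sys.argv[2]
    secure = len(sys.argv) > 3 and sys.argv[3] == "secure"
    served, why = check_path(path, user, secure)
    print("%s as %s (tftp-secure=%s): %s (%s)"
          % (path, user, secure, "served" if served else "refused", why))
```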