PXE boot a virtual machine with NAT connection to the host

If you have a notebook and you want to quickly deploy new virtual machines for testing, PXE boot is your friend.

On notebooks people are usally not using a bridged network but NAT instead. The DHCP server on the host that is managed by Libvirt needs to configured with the TFTP server and the boot file.

On my “mobile lab”, I’ve installed a virtual machine with a Redhat Satellite 5 where the other VMs get its content from. PXE boot files are managed by the bundled Cobbler Server.

To do so, edit the XML file of the default network (or any other NAT network):

notebook-hv:~# virsh net-edit default

Add the red marked line to the file. Replace 192.168.122.122 with the actual IP address of your PXE/TFTP server.

<network>
  <name>default</name>
  <uuid>d54b7049-254b-46b0-b434-db2a1481cbd3</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:96:21:b5'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
      <bootp file='pxelinux.0' server='192.168.122.122'/>
    </dhcp>
  </ip>
</network>

And save it. The changes are with immediate effect, happy PXE-booting 🙂

Setting up a 6in4 tunnel with Fedora

Why using IPv6 Tunnels anyway?

Today, most Internet access providers are IPv6 enabled. However, unfortunately the majority of them do not provide a static /64 prefix, you will get it dynamically assigned. Some providers can assign you a static prefix for a surcharge.

That’s useless if you want to ensure end-to-end connectivity with your Gadgets at home.

Choosing a tunnel provider

Since 2004 I had my own IPv6 prefix from SixXS. Pretty sad that they are shutting down its services on 2017-06-06.

Time to look for an alternative. Wikipedia has a list of public tunnel brokers. Most brokers are providing only PoP’s in one country. For most users, the only option left is Hurricane Electric which offers tunnels to PoP’s on three continents in various cities.

Setup in Fedora

The whole setup is rather simple, there is just one thing you should keep in mind. The provided Client IPv6 Address is not in the same subnet as the Routed /64. You easily copy-paste the wrong address and you will end up in a nice routing loop. The difference is i.e. 2001:470:6c:something vs. 2001:470:6d:something, only the one character of difference. It was taking me more that an hour to figure out 😉

Tunnel configuration

Create a new interface for the tunnel.

cat >>/etc/sysconfig/network-scripts/ifcfg-he-ipv6 <<EOF
DEVICE=he-ipv6
TYPE=sit
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
# The IPv4 address depends on the PoP you choose
IPV6TUNNELIPV4=216.66.86.114
# That is the IPv6 address of the client, not from the routed prefix
IPV6ADDR=2001:db8:dead:beef::2/64
EOF

LAN interface configuration

In my case I use a bridge to be able to provide IPv6 connectivity not only for the LAN but for Wifi and VPN as well.

cat >>/etc/sysconfig/network-scripts/ifcfg-br0 <<EOF
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.100.1
NETMASK=255.255.255.0
IPV6_AUTOCONF=no
IPV6INIT=yes
IPV6TO4INIT=no
# That is a random IP from your routed /64 prefix. Usually just use the first one
IPV6ADDR=2001:db8:cafe:1::1/64
EOF

 

Enable IPv6 routing

echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf

Setting the default device for IPv6 routing

echo "IPV6_DEFAULTDEV=he-ipv6"  >> /etc/sysconfig/network

Setting up the Route Advertisement Daemon (RADVD

There are several ways of how to configure the clients with an IPv6 address. DHCP6, Static manual configuration and the most easy way is to use RADVD which tells the clients which prefix to use (prefix + fffe + MAC). The client itself adds the MAC address on top of the prefix.

Your clients will always get the same IPv6 address, this may be a privacy problem for you or not. In contrary to SixXS, Hurricane Electric does not provide your name and address to whois, only the city and the ZIP code is made public.

Install radvd if not yet done

router:~# dnf install radvd
router:~# systemctl enable radvd.service

Configuration for the example of the prefix 2001:db8:cafe:1/64

cat >> /etc/radvd.conf << EOF
 interface br0
 {
        AdvSendAdvert on;
        MinRtrAdvInterval 30;
        MaxRtrAdvInterval 100;
        AdvLinkMTU 1480;
        prefix 2001:db8:cafe:1::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
 
} ;
EOF

After restarting your network your done, have fun with IPv6 🙂

Setting up DNS

I’m not going into the details here. I’m using FreeIPA for DNS management, DNS entries are created automatically when you enroll your clients. The only thing you need to do is adding the prefix to be able to do reverse lookups.

[root@ipa1 ~]# ipa dnszone-add --name-from-ip=2001:db8:cafe::/64 --dynamic-update=true 
Zone name [0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.]: 
  Zone name: 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa1.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1490512663
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@ipa1 ~]# 

Reverse DNS delegation

Hurricane Electric allows you to delegate DNS lookups of your prefix to your DNS server(s). Make use of that is good practice.

Read further

Fancy stuff

If you finished setting up all your services such as DNS, HTTP, SMTP etc. with IPv6, get “certified” at https://ipv6.he.net/certification/cert-main.php and get a fancy batch like this: IPv6 Certification Badge for ldelouw

Have fun! 🙂

Using Unbound for recursive DNS lookup

Some organizations decide to use its internal authoritative DNS servers as recursive DNS because of easiness and reverse lookup of internal RFC 1918 networks works out of the box. That should be avoided for (at least) two reasons:

  • Cache poisoning can cause security nightmares
  • Authoritative answers are never cached and can cause a high load on the DNS servers.

Cache poisoning is a problem that can lead to severe problems, as more and more information is stored in DNS. Examples:

  • SSHFP entries for SSH fingerprint of servers
  • SRV entries for LDAP and Kerberos server autodetection

If an attacker can manipulate those kind of entries it can potentially be abused for redirecting users to fake authentication services.

There are some protective measures to avoid this kind of problems:

  • The usage of a separate recursive DNS infrastructure
  • Setting up DNSSEC and sign your DNS zones
  • The use of TLS for LDAP queries

This article is about how to set up recursive DNS servers, DNSSEC will be covered in a follow-up article.

Turning off recursion in authoritative DNS servers

In the option section of the bind DNS configuration make sure you have the following line in /etc/named.conf:

allow-recursion { none; };

If you are using a different DNS server software, check the vendor manual. After a restart, check if it is working as expected.

[luc@bond ~]$ dig www.example.com @ipa2.delouw.ch

; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> www.example.com @ipa2.delouw.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58272
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; Query time: 0 msec
;; SERVER: 192.168.100.106#53(192.168.100.106)
;; WHEN: Sat Apr 15 12:10:15 CEST 2017
;; MSG SIZE  rcvd: 44

[luc@bond ~]$ 

Using Unbound as recursive DNS

Unbound is very secure, lightweight and high performance DNS server for validating, recursion, and caching of queries. Its astonishing how easy it is to configure Unbound.

Installation on RHEL7, Fedora and probably other Linux and BSD distributions is easy:

recursor1:~# yum -y install unbound

For this example, all configuration is made in /etc/unbound/unbound.conf
First you must define on which IPs Unbound should listen. The default is localhost only.

interface: 0.0.0.0
interface: ::0

The next default that needs to be changed is the access control. Default to refuse all but localhost. In this example you will allow access from two of your RFC 1918 subnets and the RFC 3849 IPv6 range.

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow
access-control: 192.168.2.0/24 allow
access-control: ::1 allow
access-control: 2001:DB8::/32 allow

Forward PTR queries to your RFC 1918 zones

Unbound has a nice default setting: It ignores any queries to RFC 1918 PTR queries to avoid sending queries to the blackhole servers.

In this example, we need to change the behavior to allow queries for our internal networks 192.168.1.0 and 192.168.2.0.

local-zone: "1.168.192.in-addr.arpa." transparent
local-zone: "2.168.192.in-addr.arpa." transparent

Next up: Forward this queries to our internal DNS server infrastructure (i.e IPA or MS-DNS or simply bind)

forward-zone:
        name: "1.168.192.in-addr.arpa."
        forward-host: ipa1.example.com
        forward-host: ipa2.example.com
        forward-host: ipa3.example.com

forward-zone:
        name: "2.168.192.in-addr.arpa."
        forward-host: ipa1.example.com
        forward-host: ipa2.example.com
        forward-host: ipa3.example.com

This will forward queries at random to DNS servers ipa1,ipa2 and ipa3.example.com. Add more servers as needed.

The final step is to (re)configure your clients to use the newly set up recursive DNS servers.

Have fun 🙂

Disabling NetworkManager on Servers and Workstations

Why not using NetworkManager in some cases

NetworkManager is a great tool for managing connectivity on Notebooks and other mobile devices, On server or desktop machines with a complex network setup such as a combination of bonding, bridging and VLAN its probably not the best choice, at least I was not able to configure it that way. This was some time ago (approx 1y), meanwhile it may have changed.

Removing NetworkManager

Unfortunately on a desktop system its impossible to get rid of NetworkManager, there are too many really weird dependencies. On servers without a GUI it is very easy to uninstall it, IIRC no drawbacks so far.

To remove NetworkManager run

system:~# yum remove NetworkManager

Be careful, there can a a lot of dependencies getting uninstalled as well. Handle with care.

Solution w/o removing NetworkManager

Disabling the NetworkManager itself is easy,

system:~# systemctl stop NetworkManager
system:~# systemctl disable NetworkManager
system:~# systemctl mask NetworkManager

Unfortunately the NetworkManager-wait-online.service Systemd unit file can not be disabled, its enabled even when systemctl status says its disabled. At the end this means that the boot process will take 30 seconds longer than needed, that is the timeout defined for /usr/bin/nm-online.

You can check the boot process which step is to blame for the long boot time with systemd-analyze blame.

system:~# systemd-analyze blame|grep NetworkManager
          30.060s NetworkManager-wait-online.service
system:~# 

Changing the Systemd unit file

Never ever edit a systemd unit file in /usr/lib/systemd/system/ as they get overwritten with the next software update (in this case NetworkManager).

You can simply copy the unit file to the systemd local config directory /etc/systemd/system.

system:~# cp NetworkManager-wait-online.service /etc/systemd/system

You now replace the /usr/bin/nm-online with /usr/bin/true which always exits with 0.

system:~# sed -i "s|/usr/bin/nm-online -s -q --timeout=30|/usr/bin/true|g" /etc/systemd/system/NetworkManager-wait-online.service

Reload the Systemd daemon

system:~# systemctl daemon-reload 

Ensure the Symlink is correct

system:~# systemctl disable NetworkManager-wait-online.service
system:~# systemctl enable NetworkManager-wait-online.service

Further reading

Have fun 🙂