josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pxe: switch dnsmasq to proxy-DHCP mode on the LAN
CI / Lint + build + test (push) Successful in 1m48s
Details
Release / release (push) Successful in 2m22s
Details

Browse Source 
Previously the orchestrator ran a full DHCP server on a dedicated
br-vetting bridge (10.77.0.0/24), which required a hypervisor-level
bridge + physical cabling onto that bridge for every repaired host.
Real-world bite: the LXC's br-vetting had no L2 path to the target
host's PXE NIC, so DHCPDISCOVERs never reached eth1 and PXE silently
timed out.

dnsmasq's proxy-DHCP mode is the idiomatic answer: it coexists with
the LAN's existing DHCP server (UniFi, etc.), never assigns an IP
itself, and only supplements the PXE options. No dedicated bridge,
no VLAN, no cabling changes \u2014 dnsmasq binds to the LAN interface
and layers option 66/67 + the PXE BINL on top of the real DHCP
exchange. The MAC allowlist still gates replies, so random LAN
clients booting from network get nothing.

Template switches dhcp-range=<start,end,lease> to
dhcp-range=<cidr>,proxy and replaces dhcp-boot= for first-boot ROM
clients with pxe-service= directives (the correct proxy-mode
chainload form). Validation drops the dhcp_range regex for a
net.ParseCIDR check on pxe.subnet. Config, production/example yaml,
and pxe-setup.sh swap --dhcp-range for --subnet.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Josh Wright
2026-04-18 12:02:49 -04:00
parent b809bf5f3e
commit 506c856046
7 changed files with 63 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/pxe/dnsmasq_test.go
+13 -13
View File
@@ -39,8 +39,8 @@ func goodCfg(t *testing.T, tftpRoot string) SupervisorConfig {
return SupervisorConfig{
Enabled: true,
Interface: existingInterface(t),
DHCPRange: "10.77.0.100,10.77.0.200,12h",
OrchestratorURL: "http://10.77.0.1:8080",
Subnet: "192.168.1.0/24",
OrchestratorURL: "http://192.168.1.2:8080",
TFTPRoot: tftpRoot,
}
}
@@ -128,26 +128,26 @@ func TestValidate_LiveDirEmptySkipsLiveChecks(t *testing.T) {
}
}
func TestValidate_MalformedDHCPRange(t *testing.T) {
func TestValidate_MalformedSubnet(t *testing.T) {
tftp := t.TempDir()
seedTFTP(t, tftp, "ipxe.efi", "undionly.kpxe")
cases := []struct {
name string
dhcp string
name string
subnet string
}{
{"single field", "10.77.0.100"},
{"two fields", "10.77.0.100,10.77.0.200"},
{"non-ip start", "hello,10.77.0.200,12h"},
{"empty lease", "10.77.0.100,10.77.0.200,"},
{"no mask", "192.168.1.0"},
{"bad ip", "hello/24"},
{"bad mask", "192.168.1.0/99"},
{"leftover dhcp_range form", "192.168.1.100,192.168.1.200,12h"},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
cfg := goodCfg(t, tftp)
cfg.DHCPRange = tc.dhcp
cfg.Subnet = tc.subnet
s := NewSupervisor(cfg)
err := s.Validate()
if err == nil || !strings.Contains(err.Error(), "dhcp_range") {
t.Fatalf("expected dhcp_range error for %q, got: %v", tc.dhcp, err)
if err == nil || !strings.Contains(err.Error(), "pxe.subnet") {
t.Fatalf("expected pxe.subnet error for %q, got: %v", tc.subnet, err)
}
})
}
@@ -183,7 +183,7 @@ func TestValidate_AggregatesErrors(t *testing.T) {
if err == nil {
t.Fatalf("expected aggregated error")
}
for _, want := range []string{"pxe.interface", "pxe.tftp_root", "pxe.dhcp_range", "pxe.orchestrator_url"} {
for _, want := range []string{"pxe.interface", "pxe.tftp_root", "pxe.subnet", "pxe.orchestrator_url"} {
if !strings.Contains(err.Error(), want) {
t.Fatalf("expected %q in aggregated error, got: %v", want, err)
}