Practical Guide to AIX (and PowerVM, PowerHA, PowerVC, HMC, DevOps ...)
NIM - BOOTP, TFTP
BOOTPD:
This is the initial communication between the NIM master and the client during a network boot. When a NIM client is configured to boot from the NIM master, the bootpd daemon uses the /etc/bootptab configuration file to pass information to the client (server IP, gateway IP, boot file name, ...).
(to remove the entry from /etc/bootptab a NIM reset operation on the client machine is needed)
lssrc -ls inetd
bootps /usr/sbin/bootpd bootpd /etc/bootptab active
grep bootps /etc/services
bootps 67/tcp # Bootstrap Protocol Server
bootps 67/udp # Bootstrap Protocol Server
tail /etc/bootptab
aix21.domain.com:bf=/tftpboot/aix21.domain.com:ip=10.200.50.56:ht=ethernet:sa=50.20.100.48:gw=10.200.50.1:sm=255.255.255.0:
Fields are separated by colons (:), and within a field the attribute name and its value are separated by an equals sign (=):
first field - NIM client name
bf - boot file name
ip - NIM client IP address
ht - hardware type
sa - TFTP server address for the boot file
gw - gateway used by client to reach the server
sm - subnet mask for the nim client
For correct bootpd function:
1. bootpd must be running on the NIM master
2. NIM client and master must have correct IP information about each other
3. the /etc/bootptab must be populated correctly
4. If the master and client systems are on separate networks, the router must be set to forward bootp packets
------------------------------------
To trace a problem, bootpd has to be started in debug mode:
Enabling BOOTP debugging:
1. Comment out the bootps entry from the /etc/inetd.conf file on the server.
2. Stop all running bootpd processes (ps -ef | grep bootp --> kill -9 ..)
3. Restart inetd using the refresh -s inetd command.
4. Start bootpd from the command line, using the /usr/sbin/bootpd -s -d -d -d command (output will be on the screen)
(Some info may be logged in syslog.)
Disabling BOOTP debugging:
1. Stop all running bootpd processes (ps -ef | grep bootp --> kill -9 ..)
2. Uncomment the bootps entry in the /etc/inetd.conf file on the server.
3. Restart inetd using the refresh -s inetd command.
------------------------------------
TFTPD (Trivial File Transfer Protocol):
When the NIM client has been rebooted for a network boot and the bootp exchange has succeeded, the NIM master uses tftp for the transfer. When the inetd daemon receives a TFTP request, it starts the tftpd daemon to service it, which transfers the boot image file from the /tftpboot directory.
When a SPOT is created, network boot images are constructed in the /tftpboot directory using code from the newly created SPOT. When a client performs a network boot, it uses tftp to obtain a boot image from the server.
# ls -l /tftpboot
lrwxrwxrwx 1 root system 34 Dec 19 18:36 aix21.domain.com -> /tftpboot/spot_5200-08.chrp.mp.ent
-rw-r--r-- 1 root system 1276 Dec 19 18:36 aix21.domain.com.info
-rw-r--r-- 1 root system 9379964 Dec 8 15:31 spot_5200-08.chrp.64.ent
-rw-r--r-- 1 root system 9260943 Dec 8 15:31 spot_5200-08.chrp.mp.ent
...
# lssrc -ls inetd
tftp /usr/sbin/tftpd tftpd -n active
# grep tftp /etc/services
tftp 69/udp # Trivial File Transfer
tftp 69/tcp # Trivial File Transfer
The tftpd daemon uses the /etc/tftpaccess.ctl file to determine which directory hierarchies it is allowed to serve.
(As there is no authentication, in /etc/tftpaccess.ctl the tftpd daemon should be restricted to access only the /tftpboot directory.)
tftpd debug mode:
If the -v -s flags are set in /etc/inetd.conf (/usr/sbin/tftpd -v -s), tftpd will log some info in syslog.
These can be checked regarding TFTP on the NIM master:
# grep tftp /etc/inetd.conf <--it should be uncommented (inetd starts it as user nobody; refresh -s inetd if needed)
tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
# grep nobody /etc/passwd <--you can check if user nobody exists
nobody:!:4294967294:4294967294::/:/bin/false
# cat /etc/tftpaccess.ctl <--this contains which directory can be used by tftp
# NIM access for network boot
allow:/tftpboot <--for NIM functions only this is needed
# ls -l /etc/tftpaccess.ctl <--this should be readable by group and other
-rw-r--r-- 1 root system 46 Jan 09 2012 /etc/tftpaccess.ctl
# ls -ld /tftpboot <--this (and files in there) should be readable by group and other as well
drwxrwxr-x 2 root system 4096 Jun 25 10:09 /tftpboot
# lssrc -t tftp <--inetd is starting it, but manually you can start with "startsrc -t tftp"
Service Command Description Status
tftp /usr/sbin/tftpd tftpd -n active
# lssrc -s tftpd <--you can start manually with "startsrc -s tftpd"
Subsystem Group PID Status
tftpd tcpip 16187642 active
# ps -ef | grep tftp <--these processes should be there
nobody 3735694 16187394 0 10:46:09 - 0:00 /usr/sbin/tftpd
root 16187394 4522212 0 10:46:09 - 0:00 /usr/sbin/tftpd
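The checks above can be scripted. The following is an added example, not code from the original guide: it audits the access list, the boot directory and the daemon binary at whatever paths it is given, and its dry run constructs a temporary tree reproducing the hardened-binary (mode 000) and drwxrw-rw- /tftpboot situations described later on this page. The file and directory names in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: script the tftpd checks the
# guide lists (tftpaccess.ctl, /tftpboot modes, the daemon binary) against
# the paths it is given, so it can be dry-run on a constructed tree or
# pointed at the real files on a NIM master. Modes are parsed from
# "ls -ldL", which AIX and Linux share; stat output is not portable.
mode_of() { ls -ldL "$1" | cut -c1-10; }        # e.g. drwxrwxr-x

# other_can PATH BIT -> true if "other" (tftpd runs as nobody) has r, w or x
other_can() {
    case $2 in r) pos=8 ;; w) pos=9 ;; *) pos=10 ;; esac
    [ "$(mode_of "$1" | cut -c$pos)" = "$2" ]
}

# audit_tftp ACCESS_CTL BOOTDIR TFTPD_BIN -> one FAIL line per finding,
# exit 0 only when every prerequisite from the guide is met
audit_tftp() {
    ctl=$1; bootdir=$2; daemon=$3; rc=0
    other_can "$ctl" r || { echo "FAIL: $ctl not readable by other"; rc=1; }
    grep -q "^allow:$bootdir\$" "$ctl" 2>/dev/null \
        || { echo "FAIL: $ctl has no allow:$bootdir line"; rc=1; }
    other_can "$bootdir" r && other_can "$bootdir" x \
        || { echo "FAIL: $bootdir is not r-x for other"; rc=1; }
    for f in "$bootdir"/*; do                 # boot images and .info files
        [ -L "$f" ] && [ ! -e "$f" ] && { echo "FAIL: $f dangling"; rc=1; continue; }
        [ -e "$f" ] || continue               # empty directory, glob unexpanded
        other_can "$f" r || { echo "FAIL: $f not readable by other"; rc=1; }
    done
    # the hardening case from the post: tftpd left with mode 000, expect 555
    other_can "$daemon" x || { echo "FAIL: $daemon not executable"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: tftp prerequisites look fine"
    return $rc
}

# Dry run on a constructed tree: first the broken state (mode 000 daemon,
# drwxrw-rw- boot dir), then the chmod 555 / chmod 775 fixes from the post.
demo_tftp_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/tftpboot" "$tmp/usr/sbin"
    printf '# NIM access for network boot\nallow:%s\n' "$tmp/tftpboot" > "$tmp/tftpaccess.ctl"
    echo "constructed boot image" > "$tmp/tftpboot/spot_sample.chrp.mp.ent"
    ln -s "$tmp/tftpboot/spot_sample.chrp.mp.ent" "$tmp/tftpboot/aix21.domain.com"
    : > "$tmp/usr/sbin/tftpd"; chmod 644 "$tmp/tftpaccess.ctl" "$tmp/tftpboot/spot_sample.chrp.mp.ent"
    chmod 000 "$tmp/usr/sbin/tftpd"; chmod 766 "$tmp/tftpboot"
    audit_tftp "$tmp/tftpaccess.ctl" "$tmp/tftpboot" "$tmp/usr/sbin/tftpd" && return 3
    chmod 555 "$tmp/usr/sbin/tftpd"; chmod 775 "$tmp/tftpboot"
    audit_tftp "$tmp/tftpaccess.ctl" "$tmp/tftpboot" "$tmp/usr/sbin/tftpd"; rc=$?
    rm -rf "$tmp"; return $rc
}

demo_tftp_audit
```

On the master itself the call is audit_tftp /etc/tftpaccess.ctl /tftpboot /usr/sbin/tftpd; it reports file modes only and does not replace checking that inetd actually spawns tftpd.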
---------------------------------------
Local test connection on NIM master:
# echo "This is a testfile." > /tftpboot/test <--creating a test file in /tftpboot (add group and other read write if needed)
# tftp localhost <--local tftp connection from NIM master
tftp> status <--it will show connection status
Connected to loopback.
Mode: netascii Verbose: off Tracing: off
Max-timeout: 25 seconds
tftp> get /tftpboot/test test_local <--copying the /tftpboot/test file to the local directory as test_local
Received 21 bytes in 0.0 seconds <--it shows it was successful
---------------------------------------
Remote test connection from a client server:
# telnet <nimserver> 69 <--check if port 69 is available
# tftp <nimserver> <--tftp connection to NIM server
tftp> get /tftpboot/test test_local <--copying the /tftpboot/test file to the local directory as test_local
Received 21 bytes in 0.0 seconds <--it shows it was successful
---------------------------------------
I had an issue, when tftpd could not be started:
# startsrc -s tftpd
0513-015 The tftpd Subsystem could not be started.
Please check subsystem resources and try again later.
# ls -l /usr/sbin/tftpd <--check the access rights of tftpd (hardening probably made it look like this)
---------- 1 root system 172980 Sep 11 2012 /usr/sbin/tftpd
# chmod 555 /usr/sbin/tftpd <--I gave more permissions
# startsrc -s tftpd <--after that it was successful
0513-059 The tftpd Subsystem has been started. Subsystem PID is 16187394.
------------------------------------
15 comments:
Very Informative. Thanks a lottt.
thanks for the article.
I discovered this blog a few days ago and it is very complete and useful.
thanks a lot for your work.
Juan.
:-)
Very Good blog, really useful information for all AIX Beginners
Much useful.
Can you please explain about what is the shutdown process in aix?
need help ...... i am getting the following error
Response to the First BOOTP request was not received
BOOTP Parameters:
----------------
chosen-network-type = ethernet,auto,none,auto
server IP = 192.168.0.110
client IP = 192.168.0.61
gateway IP = 192.168.0.1
device = /vdevice/l-lan@3000001f
MAC address = 7e 20 87 51 77 1f
loc-code = U8204.E8A.061B9D5-V1-C31-T1
i am trying to send the lpp and spot to the client, i have checked all the IP addresses again and also got the PING success, also created lpp and spot again
Very Informative , Thank You very Much.
Very informative.
I need your guidance, I have a problem in my environment. I have multiple LPAR machines running on POWER8 and a NIM master. While updating the root password I lost it; I tried the current and older ones but no help. I want to restore the root password through the SMS utility of AIX boot from NIM. I need step by step help to recover the root password, and further which activities should I perform on the NIM master and client to restore the password.
Thanking you in Advance.
Great information! It really helped me to troubleshoot our NIM server after unwittingly applying AIX High Security! :-(
Thanks for your feedback.
Hi.. I am facing a bootp arp request fail error while installing aix on an lpar through NIM. Checked the /etc/bootptab file, it was correct. Kindly advise.
Thanks in advance.
need help ...... i am getting the following error
Response to the First BOOTP request was not received
BOOTP Parameters:
----------------
chosen-network-type = ethernet,auto,none,auto
server IP = 10.10.0.15
client IP = 10.10.0.58
gateway IP = 10.10.0.1
device = /vdevice/l-lan@3000001f
MAC address = 8e 32 8d 51 67 2d
loc-code = U8204.E8A.061B9D5-V1-C31-T1
i am trying to send the lpp and spot to the client, i have checked all the IP addresses again and also got the PING success, also created lpp and spot again
Recently tried to restore mksysb on a NIM client, failed with !BA017021 ! on TFTP BOOT.
For some reason on my NIM server,
#ls -ld /tftpboot
drwxrw-rw- 3 root system 8192 Apr 19 15:08 /tftpboot
changed file modes and all worked ok.
#chmod 775 /tftpboot
#ls -ld /tftpboot
drwxrwxr-x 3 root system 8192 Apr 19 15:08 /tftpboot
Thanks for these useful tips.