Datacenter provisioning - Installation of the DHCP isc-dhcp-server - [Raspberry PI/Rock64]

(**) Translated with www.DeepL.com/Translator

[END OF LIFE] See the article I’ve replaced the DNS/DHCP service (Bind9/isc-dhcp-server) with Technitium DNS

[ LEVEL ] Beginner
This procedure allows the installation of the isc-dhcp-server service, which is the implementation of a DHCP (Dynamic Host Configuration Protocol) service.

[ MYTINYDC-IM INTEGRATION ] in progress… ( see datacenter manager )

Prerequisite

To carry out this operation you must:

  • have followed the procedure Datacenter Provisioning - Installing DNS Bind9
  • know how to execute a command in a Linux console
  • know how to use the “vi” editor
  • be connected as “root” to the console (sudo users: type sudo bash).

What is the purpose of a DHCP service on a network?

The DHCP service is responsible for distributing IP addresses to servers connected to the same network. This simplifies administration by centralizing all network information in one place. IP addresses can be distributed randomly from a pool or assigned to specific hosts.
Once an address has been distributed to a server, the DHCP service registers that server's information together with the distributed IP address in the DNS service (see the previous chapter).

By default, the DHCP server assigns an IP address to the requester randomly within the address range specified in the configuration file.
So if a server changes its IP address, you will still be able to find it by its DNS host name.
Where it gets complicated is with firewalls.
It is possible to use qualified names in firewall rules, but the firewall resolves the name to an IP address using the DNS information available at the moment the rules are applied.
If one of the servers reboots and obtains a different IP address than before, the firewall rules will have to be reloaded throughout the entire Datacenter.

For this reason, and also for better traceability, it is preferable to assign fixed IP addresses to the servers. This is done through the MAC address, which is supposed to be unique for each network device (more information on MAC addresses).

This Wikipedia article clearly explains the general operation of a DHCP service.

The Mytinydc implementation

Mytinydc uses the “isc-dhcp-server” service provided by the Debian package of the same name. This service supports all DHCP-related operations.

Installation of necessary packages

Execute the command:

apt-get -y install isc-dhcp-server

DHCP server settings

The following configuration is closely related to the configuration of the DNS server. After assigning an IP address to the requesting computer, the DHCP server asks the DNS service to update its records with the requesting computer's information: its host name and its IP address.

Initially, we will limit access to this service to the network interface that supports this service.

Be careful: several authoritative DHCP servers on the same network can have unexpected effects. By default, isc-dhcp-server listens on all interfaces. You can restrict this by specifying the listening interfaces in the “/etc/default/isc-dhcp-server” file, which lets you set IPv4 and IPv6 separately. As I don't use IPv6, my file contains this:

INTERFACESv4="eth0"
INTERFACESv6=""

If you want to distribute multiple networks, you will need to list the interfaces separated by a space, as follows: INTERFACESvX="eth0 eth1 eth2". The server will be able to differentiate the network to be distributed according to the interface.

To be sure to limit the scope of this service, I also use the firewall, opening the service only on the interface connected to the Datacenter.

isc-dhcp-server configuration file

Below you will find the configuration for assigning a fixed IP address based on the requester's MAC address. In either case (dynamic or fixed assignment), the DNS records will be maintained by the DHCP server. The DNS service allows a DHCP service to update DNS information by means of an authentication key.

In this documentation, the domain to be managed is named “mondc”, the network used is 172.21.0.0/24 (255.255.255.0), the DNS server has the IP address 172.21.0.1, and the file containing the DNS authentication key is located at /etc/bind/rndc.key (see the previous chapter for the generation of this key).

Reminder: to implement this configuration, you must have followed and applied the procedures in the previous chapter concerning the DNS part.

Open the file /etc/dhcp/dhcpd.conf, and replace the content with the following:

#-----------------
#  globals block
#-----------------
authoritative;
default-lease-time 3600;
max-lease-time 7200;
log-facility local7;
ddns-update-style interim;
include "/etc/bind/rndc.key";
update-static-leases on;
ignore client-updates;
deny unknown-clients;
#-----------------
#  zones block
#-----------------
zone mondc. {
	primary 172.21.0.1;
	key rndc-key;
}
zone 0.21.172.in-addr.arpa. {
	primary 172.21.0.1;
	key rndc-key;
}
#-----------------
#  subnets block
#-----------------
subnet 172.21.0.0 netmask 255.255.255.0 {
	ddns-domainname "mondc.";
	ddns-rev-domainname "in-addr.arpa";
	option broadcast-address 172.21.0.255;
	option subnet-mask 255.255.255.0;
	option routers 172.21.0.1;
	option domain-name-servers 172.21.0.1,208.67.222.222;
	option domain-name "mondc";
	range 172.21.0.2 172.21.0.20;
}
#-----------------
#  hosts block
#-----------------
host matrix {
	hardware ethernet xx:xx:xx:xx:xx:xx;
	fixed-address 172.21.0.1;
	option host-name matrix;
}
host postgres {
	hardware ethernet xx:xx:xx:xx:xx:xx;
	fixed-address 172.21.0.4;
	option host-name postgres;
}
host nextcloud {
	hardware ethernet xx:xx:xx:xx:xx:xx;
	fixed-address 172.21.0.6;
	option host-name nextcloud;
}

WARNING: respect the syntax carefully, especially the “;” and “.” characters.

Explanation of the global block

  • This DHCP server is alone on the network: authoritative
  • Lease renewal period (seconds): default-lease-time 3600
  • Max lease validity (seconds): max-lease-time 7200
  • Events will be logged to syslog (see the syslogd configuration): log-facility local7
  • DNS update style (interim; the ad-hoc style is no longer used): ddns-update-style interim
  • Location of the DNS authentication key file: include “/etc/bind/rndc.key”
  • Disabled by default; this option enables DNS updates for hosts with a fixed address: update-static-leases on
  • The client is not allowed to register its own host name; the server does it: ignore client-updates
  • Refuses to assign an IP address to an unknown host (so the hosts blocks must be filled in): deny unknown-clients

Explanations of the subnets block

  • Network address: subnet 172.21.0.0 netmask 255.255.255.0
  • DNS forward domain to be updated: ddns-domainname “mondc.”
  • Reverse DNS domain to be updated: ddns-rev-domainname “in-addr.arpa”
  • Broadcast address used on this network (usually the last address of the segment): option broadcast-address 172.21.0.255
  • Subnet mask (/24): option subnet-mask 255.255.255.0
  • Main network router: option routers 172.21.0.1
  • DNS servers to be used (datacenter DNS and optionally OpenDNS): option domain-name-servers 172.21.0.1,208.67.222.222
  • DNS domain to which the servers belong: option domain-name “mondc”
  • Range of distributed addresses (here from .2 to .20): range 172.21.0.2 172.21.0.20

Explanations of the hosts block

  • Beginning of the configuration block of a client: host nextcloud
  • Its MAC address: hardware ethernet xx:xx:xx:xx:xx:xx
  • IP address that will be assigned to it : fixed-address 172.21.0.6
  • Server name for DNS registration : option host-name nextcloud

Opening communication ports (Firewall)

To offer this service, the server with DHCP service will have to listen and respond to the various requests from the client machines.

Protocol | Port | Direction | Network interfaces
UDP      | 67   | Input     | Interface(s) connected to the datacenter switches
UDP      | 67   | Output    | Interface(s) connected to the datacenter switches

At this stage, the DHCP service will know how to assign an IP address to a server located in the Datacenter, and register its name dynamically within the DNS service.

Interactions between the DHCP service and the DNS service

Once the IP address has been assigned to the client, the DHCP service automatically updates the DNS servers whose parameters are given in the configuration.

Service Start

The DHCP service is started with the command:

systemctl start isc-dhcp-server

Stopping the service

The DHCP service is stopped with the command:

systemctl stop isc-dhcp-server

Restarting the service

The DHCP service is restarted with the command:

systemctl restart isc-dhcp-server

Service status

The status of the DHCP service is displayed with the command:

systemctl status isc-dhcp-server

Start-up and operating traces

You can view the events in the /var/log/syslog file.

tail -f /var/log/syslog
# CTRL+C to stop

Add a host

To add a client you need to obtain its MAC address.
Because the DHCP service denies IP addresses to unknown hosts, the request from such a client will be logged in the /var/log/syslog file.
This log entry shows the MAC address of the server that was denied an IP address.
Start viewing the log:

tail -f /var/log/syslog
# CTRL+C to stop

Boot the unknown unit on the network. Wait a few moments and you will see this type of event appear:

Sep 10 15:43:59 xxxxx dhcpd[27651]: DHCPDISCOVER from xx:xx:xx:xx:xx:xx via eth0: unknown client

By directly retrieving this MAC address from the logs, you now have all the necessary information to add a host in the DHCP configuration file (MAC address, DNS host name to assign to this machine, IP address to broadcast).

Add a block to the DHCP service configuration file /etc/dhcp/dhcpd.conf:

host monnouveauserveur {
	hardware ethernet xx:xx:xx:xx:xx:xx;
	fixed-address 172.21.0.7;
	option host-name nouveauserveur;
}

Replace “xx:xx:xx:xx:xx:xx” with its MAC address, “172.21.0.7” with its final IP address, and “nouveauserveur” with its DNS host name.

Save the change and restart the DHCP service.
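The manual steps above (spot the refused MAC address in syslog, pick the next address, write the host block) can be checked with a small script. The following Python is an added example, not part of the article or of Mytinydc: the dhcpd.conf fragment, the MAC addresses and the syslog lines are constructed, and the host name it proposes is a placeholder to replace with the real DNS name before restarting the service.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed dhcpd.conf fragment following the article's layout (MAC addresses invented).
DHCPD_CONF = """\
host matrix { hardware ethernet b8:27:eb:00:00:01; fixed-address 172.21.0.1; option host-name matrix; }
host postgres { hardware ethernet b8:27:eb:00:00:04; fixed-address 172.21.0.4; option host-name postgres; }
host nextcloud { hardware ethernet b8:27:eb:00:00:06; fixed-address 172.21.0.6; option host-name nextcloud; }
"""
# Constructed syslog excerpt in the format the article shows for a refused client.
SYSLOG = """\
Sep 10 15:43:59 matrix dhcpd[27651]: DHCPDISCOVER from b8:27:eb:00:00:06 via eth0
Sep 10 15:44:12 matrix dhcpd[27651]: DHCPDISCOVER from b8:27:eb:12:34:56 via eth0: unknown client
Sep 10 15:44:15 matrix dhcpd[27651]: DHCPDISCOVER from b8:27:eb:12:34:56 via eth0: unknown client
"""
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17})", re.I)
ADDR_RE = re.compile(r"fixed-address\s+([\d.]+)")
UNKNOWN_RE = re.compile(r"DHCPDISCOVER from ([0-9a-f:]{17}) via (\S+): unknown client", re.I)

def declared_hosts(conf):
    """Map each MAC declared in a host block to (name, fixed-address)."""
    hosts = {}
    for name, body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), ADDR_RE.search(body)
        if mac and ip:
            hosts[mac.group(1).lower()] = (name, ip.group(1))
    return hosts

def unknown_clients(log):
    """MACs dhcpd refused because of 'deny unknown-clients', deduplicated in first-seen order."""
    return list(dict.fromkeys(m.group(1).lower() for m in UNKNOWN_RE.finditer(log)))

def next_free_address(conf, subnet="172.21.0.0/24"):
    """Address following the highest fixed-address already declared (the article's convention)."""
    net = ip_network(subnet)
    used = [ip_address(ip) for _, ip in declared_hosts(conf).values() if ip_address(ip) in net]
    cand = max(used) + 1 if used else next(net.hosts())
    if cand >= net.broadcast_address:
        raise ValueError("no free address left in %s" % subnet)
    return str(cand)

def propose_host_blocks(conf, log, name_prefix="newhost"):
    """One host block per refused MAC not yet declared; the name is a placeholder to replace."""
    proposals = []
    for i, mac in enumerate(unknown_clients(log), 1):
        if mac in declared_hosts(conf):
            continue  # already declared: dhcpd would not refuse it, look for a typo instead
        name, ip = f"{name_prefix}{i}", next_free_address(conf)
        block = f"host {name} {{\n\thardware ethernet {mac};\n\tfixed-address {ip};\n\toption host-name {name};\n}}"
        conf += "\n" + block  # so the next proposal takes the following address
        proposals.append((mac, ip, block))
    return proposals
```

Run it against the real /etc/dhcp/dhcpd.conf and /var/log/syslog, then paste the proposed block into the configuration with the correct host name.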

Functional test

Start the DHCP service, connect to a server console, and execute the log view command:

tail -f /var/log/syslog

  • Make sure the client is registered in the DHCP service configuration (host block with its MAC address).
  • Connect this server to the Datacenter network and power it on (this server must have a working operating system).
  • Wait a few moments and observe the events that appear in the log.
  • Once the IP address assignment and the dynamic DNS registration have completed, stop viewing the log: press CTRL+C.
  • Test the connection to this new server with the ping command: ping [IP address assigned to the client server].
  • Test the DNS record with the ping command: ping [server name]. Example for the server named “nouveauserveur” with IP address 172.21.0.7:

ping 172.21.0.7
ping nouveauserveur

Summary

Files used
/etc/default/isc-dhcp-server
/etc/dhcp/dhcpd.conf
Commands used
systemctl [ start | stop | restart ] isc-dhcp-server

Go further

  • The configuration of a DHCP service also allows servers to be booted over the network without the server having a hard disk (BOOTP, PXE). This will be the subject of a separate chapter.
