Category Archives: Ubuntu

Ubuntu stuff.

Configuring a TFTP server on Ubuntu for switch upgrades and maintenance

Note: Community TFTP documentation is on the Ubuntu Wiki but this short guide adds extra steps to help secure and safeguard your TFTP server.

Every Data Centre Engineer should have a TFTP server somewhere on their network whether it be running on a production host or running on their own notebook for disaster recovery. And since TFTP is lightweight without any user authentication care should be taken to prevent access to or overwriting of critical files.

The following example is similar to the configuration I run on my personal Ubuntu notebook and home Ubuntu servers. This allows me to do switch firmware upgrades and backup configuration files regardless of environment since my notebook is always with me.

Step 1: Install TFTP and TFTP server

$ sudo apt update; sudo apt install tftp-hpa tftpd-hpa

Step 2: Configure TFTP server

The default configuration below allows switches and other devices to download files but, if you have predictable filenames, then anyone can download those files if you configure TFTP Server on your notebook. This can lead to dissemination of copyrighted firmware images or config files that may contain passwords and other sensitive information.

# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"

Instead of keeping any files directly in the /var/lib/tftpboot base directory I’ll use mktemp to create incoming and outgoing directories with hard-to-guess names. This prevents guessing common filenames.

First create an outgoing directory owned by root mode 755. Files in this directory should be owned by root to prevent unauthorized or accidental overwriting. You wouldn’t want your expensive Cisco IOS firmware image accidentally or maliciously overwritten.

$ cd /var/lib/tftpboot
$ sudo chmod 755 $(sudo mktemp -d XXXXXXXXXX --suffix=-outgoing)

Next create incoming directory owned by tftp mode 700 . This allows tftpd-hpa to create files in this directory if configured to do so.

$ sudo chown tftp:tftp $(sudo mktemp -d XXXXXXXXXX --suffix=-incoming)
$ ls -1
ocSZiwPCkH-outgoing
UHiI443eTG-incoming

Configure tftpd-hpa to allow creation of new files. Simply add –create to TFTP_OPTIONS in /etc/default/tftpd-hpa.

# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"

And lastly restart tftpd-hpa.

$ sudo /etc/init.d/tftpd-hpa restart
[ ok ] Restarting tftpd-hpa (via systemctl): tftpd-hpa.service.

Step 3: Firewall rules

If you have a software firewall enabled you’ll need to allow access to port 69/udp. Either add this rule to your firewall scripts if you manually configure iptables or run the following UFW command:

$ sudo ufw allow tftp

Step 4: Transfer files

Before doing a firmware upgrade or other possibly destructive maintenance I always backup my switch config and firmware.

cisco-switch#copy running-config tftp://192.168.0.1/UHiI443eTG-incoming/config-cisco-switch
Address or name of remote host [192.168.0.1]? 
Destination filename [UHiI443eTG-incoming/config-cisco-switch]? 
 
 !!
3554 bytes copied in 0.388 secs (9160 bytes/sec)
cisco-switch#copy flash:?
flash:c1900-universalk9-mz.SPA.156-3.M2.bin flash:ccpexp flash:cpconfig-19xx.cfg flash:home.shtml
flash:vlan.dat

cisco-switch#copy flash:c1900-universalk9-mz.SPA.156-3.M2.bin tftp://192.168.0.1/UHiI443eTG-incoming/c1900-universalk9-mz.SPA.156-3.M2.bin 
Address or name of remote host [192.168.0.1]? 
Destination filename [UHiI443eTG-incoming/c1900-universalk9-mz.SPA.156-3.M2.bin]? 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
85258084 bytes copied in 172.692 secs (493700 bytes/sec)

Files in incoming will be owned by tftp mode 666 (world writable) by default. Remember to move those files to your outgoing directory and change ownership to root mode 644 for safe keeping.

Once you’re sure your switch config and firmware is safely backed up it’s safe to copy new firmware to flash or do any other required destructive maintenance.

Step 5: Prevent TFTP access

It’s good practice on a notebook to deny services when not actively in-use. Assuming you have a software firewall be sure to deny access to your TFTP server when on the road or when connected to hostile networks.

$ sudo ufw deny tftp
Rule updated
Rule updated (v6)
$ sudo ufw status
Status: active

To Action From
-- ------ ----
CUPS ALLOW Anywhere 
OpenSSH DENY Anywhere 
69/udp DENY Anywhere 
CUPS (v6) ALLOW Anywhere (v6) 
OpenSSH (v6) DENY Anywhere (v6) 
69/udp (v6) DENY Anywhere (v6)

Wi-Fi regulatory domains are a pain

Managing multiple facilities across multiple continents can be a pain especially when Wi-Fi is involved. Different regions use different frequencies depending on regulatory domain. And, depending on your hardware vendor, compliant hardware could be backordered.

In my case, the Cisco Aironet 1140 Series Access Point (AIR-AP1142N-T-K9 802.11a/g/n Standalone AP; Int Ant; Taiwan C) is backordered by 4-6 weeks. I guess our Taipei 101 office is out of luck for a while unless I can find a different piece of compliant hardware.

Here are some miscellaneous regulatory notes for when I need to revisit this in the future:

HP Mini 1000 and 110 batteries on sale

For you mobile geeks out there HP Home currently has 3-cell batteries for the HP Mini 1000 and 110 on sale for 60% off as well as a $15-off coupon you can use (ACY93421). No idea how long this is going to last.

The 6-cell batteries are regular price but the coupon should also work.

Photo credit: http://www.flickr.com/photos/minami/ / CC BY-NC-SA 2.0

Upgrading Polycom firmware

If you have a mixed bag of Polycom kit in your office, be sure to check out the VoIP SIP Software Release Matrix to check on compatible versions. In our case, I chose SIP version 3.1.3RevC since it’s compatible with both the IP 430 and the IP 4000. I’ll probably bump up to SIP version 3.2.0 for the IP 430; just not today.

Also pay special attention to the release notes. Just because a Firmware version is on the download page for a particular model doesn’t mean it will work. We had to mix and match with Firmware version 4.1.3 for the IP 4000 and 4.2.0 for the IP 430. This is difficult (but not impossible) since pre-4.0 Firmware versions look for bootrom.ld instead of modelnumber.bootrom.ld in 4.0 and higher versions.
Continue reading Upgrading Polycom firmware

Totally unsupported Ubuntu 8.04 (Hardy Heron) installer for ServerBeach RapidRescue

The aging Red Hat Enterprise ES4 server I have colocated at ServerBeach was starting to get a bit crufty and I felt kind of dirty running RHEL instead of Ubuntu now that I’m working for Canonical. It was finally time to bring up a shiny new Dell PowerEdge 440 running Ubuntu 8.04 LTS Hardy Heron however ServerBeach does not yet officially support Ubuntu and will not do custom OS loads.

No problem. ServerBeach provides a brilliant tool called RapidRescue that allows you to reboot your server into a Linux recovery session and gives remote console access to the disks and hardware. I whipped together an awful hack to take advantage of this tool and automate the process of formatting the hard drives and debootstrapping an Ubuntu install. Not exactly elegant, but it gets the job done. 😀

Creating DOS floppies and USB thumbdrives for BIOS flashing

MS-DOS or another DOS derivative is still required for flashing the BIOS on some desktops, servers, notebooks, and mobile devices. These tools automate the creation of boot floppies and USB thumbdrives instead of fighting with tools like MKBT (Make Bootable).

Required Tools

Continue reading Creating DOS floppies and USB thumbdrives for BIOS flashing