A Complete Guide For Installing TFTP Server In CentOS 7

Since CentOS 7(or RedHat 7) is quite different from CentOS 6.x, most notes online for installing TFTP server in CentOS are obsolete already. This post not only summarizes the procedure of installing & configuring TFTP server, but also introduces a general strategy of configuring network services in CentOS 7.

1. Install tftp-server

TFTP server can be installed using following command, where xinetd is necessary.

sudo yum install tftp tftp-server* xinetd*

Then edit /etc/xinetd.d/tftp - set disable to no and add -c option into server_args if you need to upload files to TFTP server from client.

    service tftp
    {
    	socket_type		= dgram
    	protocol		= udp
    	wait			= yes
    	user			= root
    	server			= /usr/sbin/in.tftpd
    	server_args		= -c -s /tftpboot
    	disable			= no
    	per_source		= 11
    	cps			    = 100 2
    	flags			= IPv4
    }

In the above config file, the default TFTP root directory is set to /tftpboot/. So you need to create it before starting TFTP server:

sudo mkdir /tftpboot
sudo chmod -R 777 /tftpboot

2. Enable TFTP Service

The CentOS 7 services(systemd) can be configured from files under /usr/lib/systemd/system/. Go to this dir, and edit tftp.service as follows:

[root@localhost system]# cat tftp.service
[Unit]
Description=Tftp Server

[Service]
ExecStart=/usr/sbin/in.tftpd -c -s /tftpboot
StandardInput=socket

[Install]
WantedBy=multi-user.target

If the default tftp.service doesn’t have the [Install] unit, add it as above, because it’s required by systemd. Besides, the tftpd options also need to be changed in the ExecStart entry.

Then start services xinetd and tftp:

[root@localhost system]# systemctl start xinetd
[root@localhost system]# systemctl start tftp
[root@localhost system]# systemctl enable xinetd
[root@localhost system]# systemctl enable tftp

Command systemctl enable xxxx creates permanent link to services. So that services can be automatically started after reboot.

Although service commands are deprecated in CentOS 7, they are still available but simply redirected to systemctl. So you still can use service xinetd start and service tftp start to start xinetd and TFTP.

3. Configure SELinux

In CentOS 7, the SELinux is not supposed to be disabled(the system will abort booting if you disable SELinux). So the TFTP read and write must be allowed in SELinux. By default, the SELinux uses enforcing policy, which does not accept any change. To make any change to SELinux, first modify /etc/selinux/config and change the policy to permissive:

[bo@ucs-c200 notes]$ cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

Then reboot the system. After system boot up, check SELinux status:

[root@localhost system]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Then check the tftp permissions in SELinux:

[root@localhost bobyan]# getsebool -a | grep tftp
tftp_anon_write --> off
tftp_home_dir --> off

If the TFTP write is off as shown above, enable it with setsebool command:

[root@localhost bobyan]# sudo setsebool -P tftp_anon_write 1
[root@localhost bobyan]# sudo setsebool -P tftp_home_dir 1

Above changes to SELinux are permanent, so no need to change any SELinux config files any more.

4. Configure firewalld

Unlike CentOS 6.x, the firewalld is used to replace iptables as default firewall in CentOS 7. Fortunately, iptable config file /etc/sysconfig/iptables is also used by firewalld. So to allow TFTP services, following line should be added to /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m udp -p udp -m udp --dport 69 -j ACCEPT

To allow TFTP port in firewalld, run command

sudo firewall-cmd --permanent --add-port=69/udp

To allow TFTP service:

sudo firewall-cmd --zone=public --add-service=tftp --permanent

Where the --permanent option is used to permanently enable the TFTP port.

Then restart firewalld using command firewall-cmd --reload. Actually this command is needed every time changing the firewall config.

To check the status or enable firewalld, following commands can be used:

systemctl status firewalld
systemctl enable firewalld
systemctl start firewalld