TFTP Server

The Trivial File Transfer Protocol (TFTP) is a particularly simple protocol for file transfer over a network.

In the opsi environment, the TFTP server provides the boot images for opsi clients. By default, opsi-tftpd-hpa is used for this purpose. This package is automatically installed as a dependency of opsi-server-full.

The opsi-tftpd-hpa service starts automatically at system startup. You can stop it with sudo systemctl stop opsi-tftpd-hpa.service and start it with sudo systemctl start opsi-tftpd-hpa.service.

TFTP does not provide authentication, encryption, or compression. Therefore, it should only be used in protected and trusted networks.

Configuration

Usually, the TFTP service starts with a verbose parameter, which provides basic logging in the systemd journal. For troubleshooting and analysis, you can adjust the log level individually:

sudo systemctl edit --full opsi-tftpd-hpa.service

In the editor, look for the line with ExecStart and replace -v with --verbosity <log-level>, e.g., --verbosity 7 for maximum details. Then restart the service:

sudo systemctl restart opsi-tftpd-hpa.service

Another important parameter is --blocksize <size>, which allows you to set the block size for file transfer. The block size can be between 512 and 65464 bytes. TFTP uses the UDP protocol, with each packet individually acknowledged. The protocol is susceptible to fragmentation, MTU issues, and packet loss. The choice of block size therefore affects both transfer speed and reliability:

  • Larger block sizes speed up the transfer but increase the risk of network issues.

  • Smaller block sizes are more robust but slower.

To change the block size, add --blocksize <size> to the ExecStart entry as described above, e.g., --blocksize 8192.
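The block size trade-off described above can be put into numbers. The following is an added example, not part of the opsi documentation or of opsi-tftpd-hpa; the function names are hypothetical, and it assumes IPv4 without IP options, a uniform path MTU, and independent frame loss.

```python
import math

IPV4_HEADER = 20       # bytes, assuming no IP options
UDP_HEADER = 8
TFTP_DATA_HEADER = 4   # 2-byte opcode + 2-byte block number (RFC 1350)

def max_unfragmented_blocksize(mtu):
    """Largest --blocksize whose DATA packets fit in one IPv4 packet."""
    return mtu - IPV4_HEADER - UDP_HEADER - TFTP_DATA_HEADER

def fragments_per_block(blocksize, mtu):
    """Number of IPv4 fragments needed for one full DATA packet."""
    udp_datagram = UDP_HEADER + TFTP_DATA_HEADER + blocksize
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return math.ceil(udp_datagram / per_fragment)

def blocks_for_file(file_size, blocksize):
    """DATA packets (and ACK round trips) needed for a file.

    The transfer ends with a block shorter than blocksize, so a file that
    is an exact multiple of blocksize needs one extra, empty block.
    """
    return file_size // blocksize + 1

def block_loss_probability(blocksize, mtu, frame_loss):
    """Chance that a full DATA packet is lost in transit: losing any one
    fragment loses the whole datagram (assumes independent frame loss)."""
    return 1 - (1 - frame_loss) ** fragments_per_block(blocksize, mtu)

def report(file_size, mtu, frame_loss, blocksizes):
    """One (blocksize, fragments, blocks, loss probability) row per size."""
    return [(bs, fragments_per_block(bs, mtu),
             blocks_for_file(file_size, bs),
             block_loss_probability(bs, mtu, frame_loss))
            for bs in blocksizes]

if __name__ == "__main__":
    # Constructed scenario: 64 MiB boot image, MTU 1500, 1 % frame loss.
    mtu = 1500
    sizes = [512, max_unfragmented_blocksize(mtu), 8192, 65464]
    print(f"{'blocksize':>9} {'fragments':>9} {'blocks':>8} {'P(block lost)':>14}")
    for bs, frags, blocks, p in report(64 * 2**20, mtu, 0.01, sizes):
        print(f"{bs:>9} {frags:>9} {blocks:>8} {p:>14.4f}")
```

Under these assumptions, any block size above the unfragmented maximum for the path MTU trades fewer round trips for a higher chance that a single lost frame forces the whole block to be resent.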

TFTP Ports and Firewall Configuration

The TFTP client first connects to port 69/udp on the server. For actual data transfer, dynamic transaction IDs (TIDs) are assigned, which serve as UDP ports in the range 1024 to 65535. Communication then takes place between the respective TID ports of client and server.

The server’s firewall must therefore be configured to allow incoming connections on port 69/udp for initial contact and to enable UDP communication between the TID ports. The easiest way to achieve this is with the kernel modules ip_conntrack_tftp or nf_conntrack_tftp, which monitor and manage the status of TFTP connections.

Troubleshooting TFTP

Check whether the TFTP server configuration is correct and whether the service is running. Test different block sizes to find the optimal setting for your network. The value 512 is particularly robust but slower.

With the following command, you can display the last 100 lines of the TFTP server log and continuously update the output:

journalctl -u opsi-tftpd-hpa -n 100 -f

In the log, you can see which clients are retrieving which files and whether any errors occur.