Hi, I’ve been searching around for being able to do kickstarts with self-signed ssl certs (like foreman uses) and haven’t come up with anything current on the topic.
It seems there’s a thread from 2015 regarding anaconda not supporting HTTPS for kickstarts. Yet, there’s a bug report indicating that it should if we disable ssl verification as a kernel param.
Enter this thread -
Where it was requested to build a list of params that could be put inside pxe_kernel_options for !RHEL systems…But I didn’t see anything more about it or a bug filed about it in my searching, so I’m not sure where it stands.
One kernel param useful here would be nosslverify, which would allow us to set the unattended url to https and use https on our local install media repos…all with self-signed certs.
Does that seem a reasonable use for this template param?
Yes to improving our clunky if-then template writing, just make sure all constructs you want to use work in safemode. When doing changes, please keep RHEL 4 compatibility if possible, it’s still a supported version of RHEL (https://access.redhat.com/support/policy/updates/errata).
As you can see the noverifyssl option (check your spelling!) is mentioned for RHEL7 but not for RHEL6. While you could check this in the Anaconda codebase or do a test, Red Hat docs are usually correct.
I recall older versions of RHEL didn’t support it because of Anaconda. IIRC RHEL 5 and older simply can’t handle it. That’s why we have the unattended_url setting that defaults to http://FQDN. I think you can change that to https and apply the mentioned options. I have never used this so it might not be the correct instructions.
I’ve had to clone the epel, puppetlabs_repo, and PXE templates and customize them to make sure everything runs over ssl and points to our local mirrors. My provision template is already highly customized.
I was just hoping to be able to avoid doing the PXE template and use param data b/c there’s nothing in it that needs to be changed other than disabling the ssl verification… like no site specific urls or anything as with the other templates.
@lzap commented on the details of that param here: Using the <%= options %> or <%= pxe_kernel_options %> array in templates? regarding RedHat systems kernel module blacklist. I’m not sure in that context if RedHat refers to osfamily or operatingsystem. If it’s osfamily, then I can proceed to use it, since I really only care about RHEL, CentOS, and Scientific with regard to provisioning.
I want to stress that the idea behind pxe_kernel_options is to introduce a generic OS-aware kernel command line renderer. If there is some “noverify” option in Debian, introduce a new host parameter like ignore_ssl_provision and modify the pxe_kernel_options method for Redhat and Debian OSes.
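
The OS-aware renderer idea from the last post, as an added example in plain Ruby (not part of the thread and not Foreman's own code): verification is only waived when the host opts in explicitly, and unsupported combinations raise instead of producing an install that silently misbehaves. `Host`, `kernel_options_for` and the version cutoff are assumptions for illustration; `ignore_ssl_provision` and `noverifyssl` are the names used in the thread.

```ruby
# Sketch only: a stand-alone model, not Foreman's pxe_kernel_options method.
# Host is a hypothetical stand-in: OS family, major release, host parameters.
Host = Struct.new(:osfamily, :major, :params)

# Assumption taken from the thread: noverifyssl is documented for RHEL 7,
# not for RHEL 6, and RHEL 5 and older cannot handle HTTPS kickstarts.
NOVERIFYSSL_MIN_MAJOR = 7

# True only when the host parameter is set to an explicit "on" value.
def ssl_verification_waived?(host)
  value = host.params['ignore_ssl_provision'].to_s.strip.downcase
  %w[true yes 1].include?(value)
end

# Returns the extra kernel command line options for this host.
# Nothing is added for plain http, or when the host has not opted in,
# so certificate verification stays on by default.
def kernel_options_for(host, unattended_url)
  return [] unless unattended_url.start_with?('https://')
  return [] unless ssl_verification_waived?(host)

  case host.osfamily
  when 'Redhat'
    if host.major.to_i < NOVERIFYSSL_MIN_MAJOR
      raise ArgumentError,
            "noverifyssl not documented for Redhat major #{host.major}"
    end
    ['noverifyssl']
  else
    # The thread does not name an equivalent option for other families.
    raise ArgumentError, "no known option for osfamily #{host.osfamily}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample host and URL.
  el7 = Host.new('Redhat', 7, { 'ignore_ssl_provision' => 'true' })
  puts kernel_options_for(el7, 'https://foreman.example.test/unattended').inspect
end
```

Because the waiver is a per-host parameter, an audit of which hosts install without certificate verification reduces to listing the hosts that carry it.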