Enable SSL during kickstart?

Hi, I’ve been searching around for being able to do kickstarts with self-signed ssl certs (like foreman uses) and haven’t come up with anything current on the topic.

It seems there’s a thread from 2015 regarding anaconda not supporting HTTPS for kickstarts. Yet, there’s a bug report indicating that it should if we disable ssl verification as a kernel param.

Enter this thread -

Where it was requested to build a list of params that could be put inside pxe_kernel_options for !RHEL systems…But I didn’t see anything more about it or a bug filed about it in my searching, so I’m not sure where it stands.

One kernel param useful here would be nosslverify, which would allow us to set the unattended url to https and use https on our local install media repos…all with self-signed certs.

Does that seem a reasonable use for this template param?

That does seem reasonable to me. @ekohl / @lzap would you agree?

Yes to improving our clunky if-then template writing, just make sure all constructs you want to use work in safemode. When doing changes, please keep RHEL 4 compatibility if possible, it’s still a supported version of RHEL (https://access.redhat.com/support/policy/updates/errata).

The best resources for Anaconda params IMHO are:

As you can see the noverifyssl option (check your spelling!) is mentioned for RHEL7 but not for RHEL6. While you could check this in Anaconda codebase or do a test, Red Hat docs are usually correct :blush:

I recall older versions of RHEL didn’t support it because of Anaconda. IIRC RHEL 5 and older simply can’t handle it. That’s why we have the unattended_url setting that defaults to http://FQDN. I think you can change that to https and apply the mentioned options. I have never used this so it might not be the correct instructions.

Yep, RHEL6 was the first version, it came in a y-release IIRC.

Yes, it’s working with unattended_url = https://…

I’ve had to clone the epel, puppetlabs_repo, and PXE templates and customize them to make sure everything runs over ssl and points to our local mirrors. My provision template is already highly customized.

I was just hoping to be able to avoid doing the PXE template and use param data b/c there’s nothing in it that needs to be changed other than disabling the ssl verification… like no site specific urls or anything as with the other templates.

Debian has also not got a great track record on this, so in general we’ve had to default to http for many OSs.

@Sean I think a host parameter that’s read by the default template makes sense. https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/PXELinux/kickstart_default_pxelinux.erb#L60 is roughly where it would go - would you be able to raise a bug or PR?

@Gwmngilfen Is there a serious problem with exposing the pxe_kernel_options to a broader range of uses? That options param is just added right next to pxe_kernel_options at https://github.com/theforeman/community-templates/blob/8fb3721dbdbbf4b1b982b077a77b80f6653d0c99/provisioning_templates/PXELinux/kickstart_default_pxelinux.erb#L68

@lzap commented on the details of that param here: Using the <%= options %> or <%= pxe_kernel_options %> array in templates? regarding RedHat systems kernel module blacklist. I’m not sure in that context if RedHat refers to osfamily or operatingsystem. If it’s osfamily, then I can proceed to use it, since I really only care about RHEL, CentOS, and Scientific with regard to provisioning.

That’s actually OS family, the Operatingsystem::Redhat class in our codebase.

I think it’s fine to open it up for general use. The quickest hack is to modify the final line to include arbitrary host parameters:

 APPEND initrd=<%= @initrd %> ks=<%= foreman_url('provision') %> <%= pxe_kernel_options %> <%= host_param('pxe_options') %> <%= ksoptions %>

But perhaps we need to be more nuanced? It could easily be merged into ksoptions further up the template, too.

I want to stress that the idea behind pxe_kernel_options is to introduce a generic OS-aware kernel command line renderer. If there is some “noverify” option in Debian, introduce a new host parameter like ignore_ssl_provision and modify the pxe_kernel_options method for Redhat and Debian OSes.
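As an added illustration (not from the thread or the community-templates repo), here is the template-side variant of the idea discussed above: an opt-in host parameter (assumed name ignore_ssl_provision) that appends noverifyssl only for the Redhat OS family and only from RHEL 6 on, since the docs quoted earlier say older Anaconda does not know the option. It assumes the host_param_true? macro and the @host.operatingsystem.family / .major attributes are available in safemode.

```erb
<%#
kind: PXELinux
name: Kickstart default PXELinux (hypothetical ssl-aware snippet, not the shipped template)
%>
<%
  # Assumed host parameter "ignore_ssl_provision" (true/false); unset means
  # certificate verification stays on, so no host is affected unless opted in.
  os          = @host.operatingsystem
  os_major    = os.major.to_i
  ssl_opts    = ''
  # noverifyssl is an Anaconda option: only Redhat family, and only RHEL 6+.
  if os.family == 'Redhat' && os_major >= 6 && host_param_true?('ignore_ssl_provision')
    ssl_opts = 'noverifyssl'
  end
%>
DEFAULT linux
LABEL linux
KERNEL <%= @kernel %>
APPEND initrd=<%= @initrd %> ks=<%= foreman_url('provision') %> <%= pxe_kernel_options %> <%= ssl_opts %> <%= ksoptions %>
```

With the parameter set to true on a RHEL 7 host the APPEND line gains noverifyssl; on RHEL 5 or a Debian host it renders unchanged, which is the OS-aware behaviour lzap describes for pxe_kernel_options.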