Provisioning template rendering when login is enabled

With login disabled I can get the PXE or provision template for any host by
spoofing the IP like so:

http://foreman/unattended/PXELinux?spoof=10.120.134.134

When login is enabled I have to use the token like so:

http://foreman/unattended/PXELinux?token=55bd79de-4baf-4d2f-9ca1-4a41f0ee6494

The question is how can I query the token for a host? Also, I thought the
token was the same as the host's certname, but it appears it is just generated
and stored in the database.

I am writing a script to re-provision or rebuild an existing system to
Foreman. The workflow would go like this:

  1. Log into Foreman and create a new host (eventually just use the api)
  2. ssh to the system and run a script that:
    a. download the PXE template
    b. determine the vmlinux, initrd and kickstart file location from the
    PXE template
    c. download the vmlinux and initrd files
    d. Then add an entry to grub

Thanks
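
Steps 2a-2b of the workflow above (pulling the kernel, initrd and kickstart locations out of a rendered PXELinux template), as an added example that is not part of the original post or Foreman's own code. The sample template, the all-zero token and the function names `sample_pxe`, `pxe_field` and `ks_host_ok` are constructed for illustration; `ks_host_ok` checks that the kickstart URL points at the expected Foreman host before anything is written to grub.

```shell
#!/bin/sh
# Constructed sample of a rendered PXELinux template (not real Foreman output).
sample_pxe() {
cat <<'EOF'
default linux
label linux
  KERNEL boot/CentOS-6.3-x86_64-vmlinuz
  APPEND initrd=boot/CentOS-6.3-x86_64-initrd.img ks=http://foreman/unattended/provision?token=00000000-0000-0000-0000-000000000000 ksdevice=bootif network kssendmac
EOF
}

# pxe_field FIELD: read a PXELinux config on stdin and print the first
# kernel | initrd | ks value found. Returns 1 if the field is absent.
pxe_field() {
  awk -v want="$1" '
    { k = tolower($1) }                      # PXELinux keywords are case-insensitive
    (k == "kernel" || k == "linux") && kernel == "" { kernel = $2 }
    k == "initrd" && initrd == ""            { initrd = $2 }
    k == "append" {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^initrd=/ && initrd == "") initrd = substr($i, 8)
        if ($i ~ /^ks=/ && ks == "")         ks = substr($i, 4)
      }
    }
    END {
      if (want == "kernel")      v = kernel
      else if (want == "initrd") v = initrd
      else if (want == "ks")     v = ks
      if (v == "") exit 1
      print v
    }'
}

# ks_host_ok URL HOST: succeed only if the kickstart URL is served by HOST,
# so a tampered template cannot redirect the install to another server.
ks_host_ok() {
  case "$1" in
    "http://$2/"*|"https://$2/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on the constructed sample.
for f in kernel initrd ks; do
  printf '%s=%s\n' "$f" "$(sample_pxe | pxe_field "$f")"
done
```

The `ks` value carries the host's token, so a script using it should keep that URL out of world-readable logs and shell history.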

Indeed, they are, for security - knowing the token means anyone can
get the provisioning data for the host in question.

If the hosts are on the same network as foreman, then
"http://foreman/unattended/<type>" should work fine - Foreman can
detect the IP of the incoming request and match it to a known host in
its database.

On 9 January 2013 17:31, Rodrique Heron wrote:
> With login disabled I can get the PXE or provision template for any host by
> spoofing the IP like so:
>
> http://foreman/unattended/PXELinux?spoof=10.120.134.134
>
> When login is enabled I have to use the token like so:
>
> http://foreman/unattended/PXELinux?token=55bd79de-4baf-4d2f-9ca1-4a41f0ee6494
>
> The question is how can I query the token for a host? Also, I thought the
> token was the same as the host's certname, but it appears it is just generated
> and stored in the database.

Thanks, much better than the hack I came up with.

On Wednesday, January 9, 2013 1:12:44 PM UTC-5, Greg Sutcliffe wrote:
> On 9 January 2013 17:31, Rodrique Heron <swy...@gmail.com> wrote:
> > With login disabled I can get the PXE or provision template for any host by
> > spoofing the IP like so:
> >
> > http://foreman/unattended/PXELinux?spoof=10.120.134.134
> >
> > When login is enabled I have to use the token like so:
> >
> > http://foreman/unattended/PXELinux?token=55bd79de-4baf-4d2f-9ca1-4a41f0ee6494
> >
> > The question is how can I query the token for a host? Also, I thought the
> > token was the same as the host's certname, but it appears it is just generated
> > and stored in the database.
>
> Indeed, they are, for security - knowing the token means anyone can
> get the provisioning data for the host in question.
>
> If the hosts are on the same network as foreman, then
> "http://foreman/unattended/" should work fine - Foreman can
> detect the IP of the incoming request and match it to a known host in
> its database.