Thoughts around /unattended/provision URL

I'm currently integrating Foreman into our current production
environment and I'm trying to use it to deploy ESXi 5.5 (the actual
hypervisors). I am only using Foreman to control TFTP currently, along
with the templates. I am not using it to control DHCP.

In the PXE config file, for the ks boot parameter, I'm trying to use the
<%= foreman_url("provision") %> function. The issue is that I need to
assign a static IP to the new host, and the DHCP system only gives out
temporary IPs for pxeboot/kickstarting. So using just the straight
function causes Foreman to show a 404 because it doesn't know the DHCP
address the kickstart template is being requested from.

The template shows up fine if I'm in the Foreman web interface, using
the template link under the host with the "?spoof=x.x.x.x" query string.
I attempted to use the same query string, but with the "@host.ip" macro
for the IP in the PXE template, however that must require authentication
according to Foreman, and it redirects me to https.

Is there a way to disable that redirect so I can use the query string
without authenticating against the web interface?

Or is there a way I can find the kickstart file (generated dynamically
on request?) on the file system so I can just point the ks parameter to
an NFS share?

Any other thoughts? I realize my use case is a weird one.

Thanks guys.

-- 
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

You want to enable provisioning tokens, which automatically add a UUID
to the URL so Foreman can identify the machine contacting it. Do this
under More>Settings>token_duration and set it to a non-zero value, e.g.
60 (minutes).

These are enabled by default now in nightlies and Foreman 1.4.

On 12/11/13 23:16, Phil Gardner wrote:
> [...]


Dominic Cleal
Red Hat Engineering

Phil,

I don't think it is a good idea to expose the spoofing feature to the whole
network. This way, you expose all your settings including the root password.
The way it is designed now limits this: an attacker must at least fit
into the provisioning window and also spoof the real IP address.

> Is there a way to disable that redirect so I can use the query
> string without authenticating against the web interface?

You could remove the authentication/authorization filter in the
unattended_controller, but I wonder how you are going to put the IP
address in there on the host?

-- 
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

FWIW, I don't put the password in plain text in the KS, I use the
--iscrypted option. All of the other stuff in the KS is just configuring
the network, enabling vmotion, setting NTP, DNS, etc.

I don't understand your question though about putting the IP address on
the host. I am using the @host.ip in the template (works in the PXE
template too), which seems to work fine when I render the template with
?spoof=.

On 11/13/2013 04:05 AM, Lukas Zapletal wrote:
> [...]


Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

Interesting. So is there a UUID function/macro that I can use in the
kickstart URL? Or maybe I'm not understanding how that is supposed to
work. How do I make the system present the UUID in a way that Foreman
can figure out which system it actually is?

On 11/13/2013 04:09 AM, Dominic Cleal wrote:
> [...]


Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

How does this work, do we have documentation about that?

Even when setting a UUID, Foreman must still determine the box somehow. I
am interested in how this is done.

On Wed, Nov 13, 2013 at 09:09:18AM +0000, Dominic Cleal wrote:
> [...]


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Well, never mind, found my answer with a quick google search:

http://projects.theforeman.org/projects/foreman/wiki/Unattended_installations#Installation-on-NATProxied-networks

Thanks for the tip, will give this a shot. If it works, I'll see about
adding that function to the wiki in the template section -
http://projects.theforeman.org/projects/foreman/wiki/TemplateWriting

On 11/13/2013 09:27 AM, Phil Gardner wrote:
> [...]


Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

foreman_url() when you call it from the PXELinux template will
automatically append the token to any URLs it generates. Enabling it
and then switching build mode on your host(s) to regenerate their PXE
menus should be enough to get it working.

On 13/11/13 14:27, Phil Gardner wrote:
> [...]


Dominic Cleal
Red Hat Engineering
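To make the token mechanism Dominic describes concrete, and to answer Lukas's question about how Foreman can still tell which box is calling when the request arrives from a temporary DHCP address, here is an added Ruby sketch. It is not Foreman's code: Host, SETTINGS, issue_token, find_host and this foreman_url are hypothetical stand-ins written for this thread. It shows the three ways an /unattended request could be matched to a host (token, ?spoof=, source IP), why an expired or unknown token yields nothing rather than falling back, why ?spoof= stays behind authentication as Lukas argues, and how a helper that appends the token keeps the PXE template free of a hardcoded URL.

```ruby
require 'erb'
require 'securerandom'

# Constructed stand-in for a Foreman host record; hypothetical, not Foreman's model.
Host = Struct.new(:name, :ip, :token, :token_expires_at)

# Constructed settings; token_duration is in minutes and 0 disables tokens,
# mirroring the More > Settings > token_duration knob named in the thread.
SETTINGS = { token_duration: 60, base_url: 'https://foreman-system' }

# Mint a UUID token for a host entering build mode and record when it expires.
def issue_token(host, now = Time.now)
  return host if SETTINGS[:token_duration].zero?
  host.token = SecureRandom.uuid
  host.token_expires_at = now + SETTINGS[:token_duration] * 60
  host
end

# Hypothetical analogue of foreman_url("provision"): the helper appends the
# token, so templates never hardcode the Foreman hostname or the token itself.
def foreman_url(host, action = 'provision')
  url = "#{SETTINGS[:base_url]}/unattended/#{action}"
  host.token ? "#{url}?token=#{host.token}" : url
end

# Hypothetical lookup order for a request to /unattended/<action>:
#   1. an unexpired token identifies the host whatever the source IP (temporary
#      DHCP lease included); an unknown or expired token is a 404, not a fallback
#   2. ?spoof= is honoured only for an authenticated session
#   3. otherwise the requesting IP must match a host's IP
def find_host(hosts, params, remote_ip, authenticated: false, now: Time.now)
  if params.key?('token')
    host = hosts.find { |h| h.token == params['token'] }
    return nil if host.nil? || host.token_expires_at < now
    return host
  end
  if params.key?('spoof')
    return nil unless authenticated
    return hosts.find { |h| h.ip == params['spoof'] }
  end
  hosts.find { |h| h.ip == remote_ip }
end

# Constructed PXELinux template for ESXi, modelled on the one posted in the
# thread but using the URL helper instead of a hardcoded ks= URL.
PXE_TEMPLATE = <<~'PXE'
  default esxi5
  label esxi5
  kernel /esxi_5.5/mboot.c32
  append -c /esxi_5.5/boot.cfg ks=<%= foreman_url(host) %>
PXE

# Render the PXE menu for a host, as happens when build mode is switched on.
def render_pxe(host)
  ERB.new(PXE_TEMPLATE).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  esx = Host.new('esx01.example.test', '10.0.0.50', nil, nil)   # constructed host
  t0 = Time.utc(2013, 11, 13, 9, 0)
  issue_token(esx, t0)
  puts render_pxe(esx)
  # The installer calls back from a temporary DHCP address; the token still resolves it.
  found = find_host([esx], { 'token' => esx.token }, '192.168.99.7', now: t0 + 600)
  puts "resolved via token: #{found.name}" if found
  # Past token_duration the same token resolves nothing, matching the provisioning window.
  p find_host([esx], { 'token' => esx.token }, '192.168.99.7', now: t0 + 3601)
end
```

The design point is that the token, not the source address, is the credential during the build window, which is exactly why a host on a short-lived kickstart lease can still fetch its own template and why the template should call the helper rather than pasting the token into a fixed URL.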

This works great btw. Completely accomplished what I was going for. I
appreciate the help. Here is my ESXi 5.5 PXE template for anyone that is
googling around with the ISO contents in the TFTP root in the /esxi_5.5
folder (using the modified boot.cfg file) -

default esxi5
label esxi5
kernel /esxi_5.5/mboot.c32
append -c /esxi_5.5/boot.cfg vlandid=3 ks=https://foreman-system/unattended/provision?token=<%= @host.token %>

On 11/13/2013 09:33 AM, Phil Gardner wrote:
> [...]


Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538

This should already work via ks=<%= foreman_url("provision") %> which will
automatically add the token when tokens are enabled. Hardcoding the URL is
fine to a point, but you'll have to go update all your templates if the URL
to Foreman ever changes :)

Greg

On 13 November 2013 15:17, Phil Gardner wrote:
> append -c /esxi_5.5/boot.cfg vlandid=3 ks=https://foreman-system/unattended/provision?token=<%= @host.token %>