Unattended install behind a firewall

Greetings,
I have been struggling with trying to get an unattended kickstart script
to work using a web proxy. Has anyone had experience and success doing
this?

I am unclear how to use the http_proxy snippet inside a kickstart or if
that's what its purpose is at all. I am able to adjust the url and repo
lines in the kickstart template (well, a copy of the default) adding some
logic like inside the http_proxy snippet to selectively add a
--proxy=<http_proxy> to the end of those lines. That seems to work to
allow the system to reach my install media server, but the installs
eventually fail.

--
Sean M. Alderman
Senior Engineer, UDit Systems Integration and Engineering
University of Dayton

I'm no Kickstart expert, but I did get a Fedora install running using a
caching proxy (so web access was available, but not preferred :P). I had to
do a few tricks:

  1. Set the proxy in the kickstart template (you seem to have got that one)
  2. Set the proxy in the PXElinux template
  3. I noticed that the Stage2.img download doesn't obey proxy directives, so
    I had to download the stage2 file myself, put it somewhere internal, and
    use the option to specify the stage2 URL in the PXElinux template.

I think that was everything - it was a while ago :wink:

Greg


Thanks Greg!

I've dumped my kickstart profile into pastebin [1], in case anyone would
like to see it. My Install Media is one of my own servers, but it's not
reachable through the firewall for build targets on the secure subnet
without using our squid proxy. I do have a dedicated smart-proxy running tftp
and dhcp locally on this secure subnet… The dhcp/tftp stuff works like a
charm with the default PXE template, perhaps I need to try a CentOS install
through this before doing the Oracle Linux. The install seems to fail with
Oracle when trying to get access to repomd.xml files for non-critical repos
that are distributed with Oracle Linux - like UEK2, HighAvailability, and
LoadBalancer. The xml files are accessible…I can even download them with
wget from the build target's shell if I export proxy info. Is there a way to get
the http_proxy snippet to load for the build target as a pre-script so that
the server has the proper environment as it's being built maybe?

Maybe I need to make my smart-proxy a repository server as well.

[1] http://pastebin.com/tuLwTjvR

--
Sean M. Alderman
Senior Engineer, UDit Systems Integration and Engineering
University of Dayton


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/groups/opt_out.

Ok, so I flipped the OS back to CentOS and built just fine. Install
Mediums for both OS's live on the same local server, so it's definitely
something hokey with Oracle Linux - Short answer seems to be to convince the
firewall guys to allow access to my repository and don't use the proxy.

An interesting caveat came about though. I noticed while building with
CentOS that when the host uses the proxy and notifies Foreman that he's
built, Foreman responds with a 404…

Because Foreman sees the client as the proxy not as the build server. :slight_smile:
Quickly fixed by adding a --no-proxy to the wget command.

Again, thanks for your help Greg!

--
Sean M. Alderman
Senior Engineer, UDit Systems Integration and Engineering
University of Dayton
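
Added example (not part of the original thread, and not Foreman's own code): a small shell check over a rendered kickstart that flags url/repo lines missing --proxy= and a "built" callback wget missing --no-proxy, the two kickstart-side points raised in this thread. The hostnames, URLs and the sample kickstart are constructed placeholders.

```shell
#!/bin/sh
# Added example: lint a rendered kickstart for the proxy pitfalls
# discussed in this thread. Function names are hypothetical.

# Constructed sample of a rendered kickstart (NOT the pastebin profile).
# All hosts and paths are placeholders.
sample_kickstart() {
cat <<'EOF'
install
url --url=http://media.example.internal/centos/6/os/x86_64 --proxy=http://squid.example.internal:3128
repo --name=updates --baseurl=http://media.example.internal/centos/6/updates/x86_64
%post
wget --quiet --output-document=/dev/null http://foreman.example.internal/unattended/built
%end
EOF
}

# Read a kickstart on stdin; print one finding per line, nothing if clean.
lint_kickstart() {
  awk '
    # url and repo commands are fetched by the installer, so behind the
    # firewall each of them needs its own --proxy= option
    /^(url|repo)[ \t]/ && !/--proxy=/ {
      print NR ": " $1 " line has no --proxy="
    }
    # the "built" notification has to reach Foreman directly; per the
    # thread, via the proxy Foreman sees the proxy as the client (404)
    /wget/ && /built/ && !/--no-proxy/ {
      print NR ": built callback wget lacks --no-proxy"
    }
  '
}

# Stand-alone run: show the findings for the constructed sample.
sample_kickstart | lint_kickstart
```

To check a real profile, feed the rendered template to lint_kickstart on stdin instead of the sample.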
