Windows provisioning

Hi All,

I'm using Foreman to provision Windows baremetal hosts.

I'm using Foreman to define the host and parameters, the TFTP request on
Foreman server passes it to WDS, WDS supplies the initial setup image and
also the install image.

I have edited the setup image to pull the unattend.xml from Foreman (as the
provision script).

I have also configured the setup image to grab a finish script from foreman
on first boot, to configure the public network and install puppet.

I run into an issue where, in order for Windows setup to progress, I have
to set the flag built to true during the first setup pass (i.e. before the
first reboot) otherwise it is stuck in a reimaging boot loop. This is ok
until I try and grab the finish script.

I'm unable to grab the finish script after the server is booted. I have
been using the X-RHN-PROVISIONING-MAC-0 header to set the MAC address as
foreman doesn't know the IP the server will end up with. That is ok for the
provision and built flag, however doesn't work for the finish script.
Getting the following error when attempting:

Started GET "/unattended/finish" for 10.250.0.133 at 2014-11-18 14:29:44 +1100
Processing by UnattendedController#finish as /
Found svr9.<<removed>>
Filter chain halted as :allowed_to_install? rendered or redirected
Completed 405 Method Not Allowed in 9ms (ActiveRecord: 2.0ms)

I then did some checking and the finish script is only exposed when the
build flag is set to true.

I then attempted using a curl request with basic auth.

curl -k -u admin:<removed> https://foreman.<removed>/unattended/finish?hostname=svr9.<removed>

This also is failing and trying to redirect to the login page.

<html><body>You are being <a
href="https://foreman.<removed>/users/login">redirected</a>.</body></html>

Any ideas or suggestions would be greatly appreciated?

Cheers

Chris

> I then did some checking and the finish script is only exposed when the
> build flag is set to true.

Actually, all the templates should only be exposed when build=true.
All requests should fail without that.

> I then attempted using using a curl request with basic auth.
>
> curl -k -u admin:<removed>
> https://foreman.<removed>/unattended/finish?hostname=svr9.<removed>

If you can get the provision template, then you should be able to add a
"foreman_url('finish')" call to the provision. This will be expanded
to a url specific to that host, including a one-time build token that
uniquely identifies the host (eg
https://foreman/unattended/finish?token=12345…).

That token can be supplied for any of the unattended actions, just
like the RHN-MAC header, such as /built. Therefore (and I'm not
familiar with Windows provisioning, so bear with me), I would expect a
workflow like:

Host is put in build mode by an admin
Host is rebooted and starts installation
Host gets provision script and notes the token in the url (even if it
doesn't use the url direct at this stage)
Host uses token to get finish script
Host uses token to hit /unattended/built (which removes the build flag
and permits a normal reboot)

An example of how we use foreman_url can be found here:

https://github.com/theforeman/community-templates/blob/master/preseed/PXELinux.erb#L20
which leads to
https://github.com/theforeman/community-templates/blob/master/preseed/provision.erb#L142
which leads to
https://github.com/theforeman/community-templates/blob/master/preseed/finish.erb#L42
which marks the build complete

Hope that helps! If it does, would you be prepared to write up some
Windows provisioning notes? We get a lot of people asking, and we have
no real idea of how to make it work :)

Greg

··· On 18 November 2014 04:58, Chris Gibbs wrote:

Hey Greg,

Thanks for the response.

Unfortunately there is a spanner in the works for the workflow and it
behaves more like this:

Host is put in build mode by an admin
Host is rebooted and starts installation
Host gets provision script and notes the token in the url (even if it
doesn't use the url direct at this stage)

*Host uses token to hit /unattended/built (which removes the build flag and permits a normal reboot)*
Host reboots to continue installation.
Host reboots again to finish installation.
Host uses token to get finish script

I'm still exploring ways of downloading the finish script and attempting to
write it to the disk before the first reboot, however Windows setup runs
scripts before the installation process occurs, so disks are not formatted
and partitioned yet.

I have got the ok from my employer to write up some Windows documentation.
Where would be the most appropriate place to write it?

Our current build process for Windows is:

  1. Server set up manually using the Foreman UI (currently testing pushing
     hosts in from our Portal system via API)
  2. Replaced the TFTP server included with Foreman with a more recent version
     that allows chaining to Windows Deployment Services (WDS)
  3. Server boots, gets punted from Foreman TFTP to WDS.
  4. WDS provides a boot.wim that has some Foreman hooks baked into it.
  5. boot.wim loads the Windows setup utility.
  6. Windows setup downloads the unattended.xml from Foreman and tells
     Foreman that it is built (assumes success, need to work on this)
  7. Server downloads the correct image from WDS. The Windows image also has
     some Foreman hooks baked into it.
  8. Windows is built according to the generated unattended.xml and
     reboots.
  9. Server reboots and downloads the finish script to run. The finish script
     installs the puppet agent and configures the public network.
  10. Server should now be marked as built, but this is not working due to
      steps 6 and 8.

I have currently tested building Windows 2008 R2 Standard, but the process
should also work with Windows 2012.

Cheers,

Chris

··· On Tuesday, November 18, 2014 8:22:49 PM UTC+11, Greg Sutcliffe wrote:

> Hey Greg,
>
> Thanks for the response.
>
> Unfortunately there is a spanner in the works for the workflow and it
> behaves more like this:
>
> Host is put in build mode by an admin
> Host is rebooted and starts installation
> Host gets provision script and notes the token in the url (even if it
> doesn't use the url direct at this stage)
> Host uses token to hit /unattended/built (which removes the build flag
> and permits a normal reboot)
> Host reboots to continue installation.
> Host reboots again to finish installation.
> Host uses token to get finish script
>
> I'm still exploring ways of downloading the finish script and attempting to
> write it to the disk before the first reboot, however Windows setup runs
> scripts before the installation process occurs, so disks are not formatted
> and partitioned yet.
>
> Our current build process for Windows is
>
> Server set up manually using the Foreman UI (currently testing pushing hosts
> in from our Portal system via API)
> Replaced the TFTP server included with Foreman with a more recent version that
> allows chaining to Windows Deployment Services (WDS)
> Server boots, gets punted from Foreman TFTP to WDS.
> WDS provides a boot.wim that has some Foreman hooks baked into it.
> boot.wim loads the Windows setup utility.
> Windows setup downloads the unattended.xml from Foreman and tells Foreman
> that it is built (assumes success, need to work on this)
> Server downloads the correct image from WDS. The Windows image also has some
> Foreman hooks baked into it.
> Windows is built according to the generated unattended.xml and reboots.
> Server reboots and downloads the finish script to run. The finish script installs
> the puppet agent and configures the public network.
> Server should now be marked as built, but this is not working due to steps 6 and 8.

Oh that's a bummer. So, if I grok you, the issue is that you need to
boot twice before telling Foreman the build is complete? If so, one
option might be to do something with iPXE. It's possible to do
something like:

  • Server placed in build mode
  • TFTP file is written containing instructions to boot iPXE
  • Server boots iPXE, which is configured to retrieve an iPXE script
    from Foreman (/unattended/iPXE)
  • iPXE script determines this is first build (TBD how it does this,
    maybe via a parameter in Foreman?)
  • iPXE punts to WDS and proceeds
  • WIM image has hook to perform some kind of update so that iPXE will
    know about the second boot
  • Server reboots
  • iPXE script determines it's now the second boot, punts to localboot
  • Finish script is applied
  • Finish script sends built notification, iPXE TFTP file is replaced
    with localboot

Would that work? The nice thing here is that iPXE is an arbitrary
script, so pretty much anything goes as to what it queries and how it
determines the boot state.

> I have got the ok from my employer to write up some Windows documentation.
> Where would be the most appropriate place to write it?

Awesome! I'd start with a page on the wiki[1], and then link to it
from the Tips & Tricks page. Once it's polished, we can consider
moving it to the manual.

Greg

··· On 18 November 2014 23:58, Chris Gibbs wrote:
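Added example, written for this thread and not Foreman's own code: a small Ruby model of the /unattended behaviour Greg describes in his two replies above. Templates are served only while the host's build flag is set (the :allowed_to_install? filter behind the 405 in the first post), the requesting host is identified either by the one-time token that foreman_url() puts into the URL or by the X-RHN-PROVISIONING-MAC-0 header, and /unattended/built clears both the flag and the token. On top of that it models the two-boot iPXE idea from the second reply: a 'boot_stage' host parameter and a 'stage' action (both assumed names, standing in for the "TBD" step) let /unattended/iPXE chain to WDS on the first boot and fall through to the local disk on the second. Host names, the WDS boot file path and the header format are assumptions.

```ruby
# Added example (not Foreman's code): model of the build-flag gate, the
# one-time build token and a two-stage iPXE boot, as discussed in the thread.
require 'securerandom'

Host = Struct.new(:name, :mac, :build, :token, :params)

FOREMAN_BASE = 'https://foreman.example.test' # constructed
WDS_HOST     = 'wds.example.test'             # constructed

# Constructed host table standing in for Foreman's database.
HOSTS = {
  'svr9.example.test' => Host.new('svr9.example.test', 'aa:bb:cc:dd:ee:01', false, nil, {})
}

# An admin puts the host in build mode: set the flag, mint a fresh token and
# reset the boot stage (the 'boot_stage' parameter is an assumed name).
def set_build(name)
  h = HOSTS.fetch(name)
  h.build = true
  h.token = SecureRandom.hex(16)
  h.params['boot_stage'] = 'first'
  h
end

# What foreman_url('finish') expands to inside a template: a per-host URL
# carrying the token, so the client needs neither a password nor the MAC header.
def foreman_url(host, action)
  "#{FOREMAN_BASE}/unattended/#{action}?token=#{host.token}"
end

# Identify the requester: token first, then the MAC header. Anaconda sends the
# header as "eth0 aa:bb:cc:dd:ee:ff", so the last field is taken (assumption
# about the header format). Returns nil when nothing matches.
def find_host(params, headers)
  if params['token']
    HOSTS.values.find { |h| h.token && h.token == params['token'] }
  elsif headers['X-RHN-PROVISIONING-MAC-0']
    mac = headers['X-RHN-PROVISIONING-MAC-0'].split.last.downcase
    HOSTS.values.find { |h| h.mac == mac }
  end
end

# Dispatch one request; returns [status, body] the way a Rails action would.
def unattended(action, params = {}, headers = {})
  host = find_host(params, headers)
  return [404, 'unknown host'] unless host
  # allowed_to_install?: nothing is served unless the host is in build mode.
  return [405, 'Method Not Allowed'] unless host.build

  case action
  when 'provision'
    [200, "# unattend.xml for #{host.name}\n# finish script: #{foreman_url(host, 'finish')}"]
  when 'finish'
    [200, "# finish script for #{host.name}"]
  when 'iPXE'
    if host.params['boot_stage'] == 'first'
      # First boot: hand the machine over to WDS (boot file path is constructed).
      [200, "#!ipxe\nchain tftp://#{WDS_HOST}/boot/x86/wdsnbp.com"]
    else
      # Second boot: leave iPXE so the firmware continues to the local disk.
      [200, "#!ipxe\nexit"]
    end
  when 'stage'
    # Hook baked into the WIM image (assumed action): the next boot is the second one.
    host.params['boot_stage'] = 'second'
    [200, 'ok']
  when 'built'
    # Build complete: clear the flag and the token so the URL cannot be reused.
    host.build = false
    host.token = nil
    [201, 'built']
  else
    [404, 'no such action']
  end
end

# Walk the whole workflow once when run directly.
if __FILE__ == $PROGRAM_NAME
  h = set_build('svr9.example.test')
  %w[provision iPXE stage iPXE finish built finish].each do |a|
    status, body = unattended(a, 'token' => h.token)
    puts "#{a}: #{status} #{body.lines.first.chomp}"
  end
end
```

Running it walks the sequence once: provision and the first iPXE request succeed and chain to WDS, the stage hook flips the next iPXE answer to `exit`, finish is served, built clears the flag, and the final finish request fails because the token no longer resolves to a host. The same model reproduces the failure in the first post: once /built has been called, a request identified only by the MAC header finds the host but is stopped by the build-flag gate with 405.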

Well I got the Windows build working a bit better now.

Solved my issue by writing a ruby web service that generates a finish
script by making calls into the Foreman API.

I chose to use this intermediate layer so I wouldn't need to pass a
username/password for Foreman down to clients.

The request from the client includes the hostname and mac addresses of the
primary and secondary interfaces and uses those to validate a client before
passing back the finish script.

Still running into issues though

Anyone got any idea how to get the unencrypted root password from the
foreman API? Trying to set a password for a Windows deployment. I don't
think the password is stored in a reversible format though.
Windows expects the password in the unattended.xml file in base64 format.

Still working on the doco, however I'm moving house this week and haven't been
able to devote as much time as I would have liked.

Cheers,

Chris

··· On Wednesday, November 19, 2014 10:14:49 PM UTC+11, Greg Sutcliffe wrote:
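Added example, not Chris's service and not Foreman code: a Ruby sketch of the intermediate layer described in the post above. The client sends its hostname and the MACs of its primary and secondary interfaces, the service checks them against what Foreman has registered for that host and only then returns a finish script; the Foreman credentials stay on the service side. The inventory, host names and puppetmaster are constructed stand-ins for the API answer, and the unattend password helper relies on an assumption from the Windows unattend documentation about the suffix appended before base64 encoding.

```ruby
# Added example (not Chris's code or Foreman's): host/MAC validation for a
# finish-script proxy, plus the base64/UTF-16LE encoding unattend.xml expects.
require 'base64'

# Constructed stand-in for the Foreman API answer (GET /api/hosts/:id and its
# interfaces). A real service would fetch this with Net::HTTP using its own
# Foreman credentials; the client never sees them.
FOREMAN_INVENTORY = {
  'svr9.example.test' => {
    'interfaces' => [
      { 'identifier' => 'eth0', 'mac' => 'AA:BB:CC:DD:EE:01', 'primary' => true },
      { 'identifier' => 'eth1', 'mac' => 'AA:BB:CC:DD:EE:02', 'primary' => false }
    ],
    'puppetmaster' => 'puppet.example.test' # constructed
  }
}.freeze

# Windows, Foreman and humans write MACs differently; compare one canonical
# form (lower-case, colon separated). Raises on anything that is not a MAC.
def normalize_mac(mac)
  hex = mac.to_s.downcase.delete('^0-9a-f')
  raise ArgumentError, "bad MAC: #{mac.inspect}" unless hex.length == 12
  hex.scan(/../).join(':')
end

# Stub for the API lookup (see FOREMAN_INVENTORY above).
def lookup_host(hostname)
  FOREMAN_INVENTORY[hostname.to_s.downcase]
end

# A client is accepted only if the host exists in Foreman and the set of MACs
# it presents is exactly the set Foreman has registered for it. MACs identify
# a host rather than prove it, so keep secrets out of what is returned.
def client_allowed?(hostname, presented_macs)
  host = lookup_host(hostname)
  return false unless host
  registered = host['interfaces'].map { |i| normalize_mac(i['mac']) }.sort
  presented  = presented_macs.map { |m| normalize_mac(m) }.sort
  registered == presented
rescue ArgumentError
  false
end

# Build the finish script (the part the post says installs the Puppet agent
# and configures the public network); returns [status, body].
def finish_script(hostname, presented_macs)
  return [403, 'host/MAC mismatch'] unless client_allowed?(hostname, presented_macs)
  host = lookup_host(hostname)
  primary = host['interfaces'].find { |i| i['primary'] }
  script = <<~SCRIPT
    # finish script for #{hostname} (constructed example)
    # configure the public network on #{primary['identifier']} (#{normalize_mac(primary['mac'])})
    # install the puppet agent and point it at #{host['puppetmaster']}
  SCRIPT
  [200, script]
end

# unattend.xml wants passwords as base64 over UTF-16LE. Assumption taken from
# the Windows unattend documentation: the plaintext has "AdministratorPassword"
# appended for that element and "Password" for the other password elements
# before encoding. Where the plaintext comes from is outside this example.
def unattend_password(plain, element: 'AdministratorPassword')
  suffix = element == 'AdministratorPassword' ? 'AdministratorPassword' : 'Password'
  Base64.strict_encode64((plain + suffix).encode('UTF-16LE'))
end
```

The check is deliberately strict: a request missing the secondary interface, or carrying an extra one, is refused as well as a request for an unknown host, and a malformed MAC falls into the same 403 path instead of raising into the web layer.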

any comments?

No. Maybe except that after 5 years things have changed a bit, you need to try it out. Welcome to the community :)
