Categories


    @Tom-Elliott
    I’ve been using FOG myself for well over 10 years now. With each new generation of PCs (this is now the third), I’ve completely rebuilt the FOG server and then simply used it throughout the PCs’ lifespan. Without any major updates… (never change a running system). The PCs and the FOG server are separated from the rest of the school network by an IPFire firewall. No unknown devices can connect to my network. All allowed MAC addresses are registered on the switch. Access from unknown MAC addresses is not possible.

    Yes, I’ve been having all these problems ever since switching to the new PCs. First, the NVMe issues (deleting my second hard drive in the system), …

    I need to figure something out: school lets out here in a week. At the start of the semester, I’ll have to deploy a new image to the PCs. Right now, nothing is working at all! As things stand, I’ll have to deploy the new image via Clonezilla again and manually install the “necessary snap-ins” on the PCs.

    Here’s the process so far:
    -) Initial installation on the newly set up Debian system:
    git clone https://github.com/fogproject/fogproject.git
    -) No snap-ins were directly transferred from the old system; instead, they were re-uploaded, all PCs were re-added, and all groups were reinstalled. In other words, nothing was directly transferred from the old FOG. After encountering problems with the first FOG server (hardware issues—the whole process was repeated with different hardware).
    -) After the NVMe issues, I updated the download and reinstalled it:
    cd fogproject
    git checkout dev-branch
    git pull

    So yeah, right now I’m trying everything—I’ve got nothing to lose.

    I work in a secure environment—FTP and TFTP are old, proven concepts. I’m not really a big fan of making things “even more secure,” and that’s not the point here… I find even the whole thing with the snap-ins’ hash values tedious. Why can’t I just log in to the Fog server via SSH, fix the snap-in, and be done with it? No, I have to upload it again via the web interface… The filename can’t be the same…

    The database is now backed up using phpMyAdmin.

    cd fogproject
    git checkout working-1.6
    git pull
    userdel fogproject
    fogproject/bin/installfog.sh


    Press [Enter] key when database is updated/installed.

    Update fogstorage database password…OK

    Granting access to fogstorage database user…Skipped

    Setting up storage…OK

    Setting up and starting DHCP Server…Skipped

    Configuring default iPXE file…OK

    Setting up and starting TFTP Server…OK

    Setting up and starting VSFTP Server…OK

    Setting up FOG Snapins…OK

    Setting up UDPCast…OK

    Configuring UDPCast…OK

    Building UDPCast…OK

    Installing UDPCast…OK

    Installing FOG System Scripts…OK

    Configuring FOG System Services

    Setting permissions on FOGMulticastManager.service script…OK

    Enabling FOGMulticastManager.service Service…OK

    Setting permissions on FOGImageReplicator.service script…OK

    Enabling FOGImageReplicator.service Service…OK

    Setting permissions on FOGSnapinReplicator.service script…OK

    Enabling FOGSnapinReplicator.service Service…OK

    Setting permissions on FOGScheduler.service script…OK

    Enabling FOGScheduler.service Service…OK

    Setting permissions on FOGPingHosts.service script…OK

    Enabling FOGPingHosts.service Service…OK

    Setting permissions on FOGSnapinHash.service script…OK

    Enabling FOGSnapinHash.service Service…OK

    Setting permissions on FOGImageSize.service script…OK

    Enabling FOGImageSize.service Service…OK

    Setting permissions on FOGFileDeleter.service script…OK

    Enabling FOGFileDeleter.service Service…OK

    Setting up FOG Services…OK

    Creating FOG cache directory…OK

    Starting FOGMulticastManager.service Service…OK

    Starting FOGImageReplicator.service Service…OK

    Starting FOGSnapinReplicator.service Service…OK

    Starting FOGScheduler.service Service…OK

    Starting FOGPingHosts.service Service…OK

    Starting FOGSnapinHash.service Service…OK

    Starting FOGImageSize.service Service…OK

    Starting FOGFileDeleter.service Service…OK

    Setting up NFS configuration file…OK

    Setting up exports file…OK

    Setting up and starting RPCBind…OK

    Setting up and starting NFS Server…OK

    Ensuring node username and passwords match…Done

    Setting up FOG External Reporting…Done

    Setup complete

    You can now login to the FOG Management Portal using
    the information listed below. The login information
    is only if this is the first install.

    This can be done by opening a web browser and going to:

    http://192.168.0.196/fog/management

    Default User Information
    Username: fog
    Password: password

    Changed configurations:

    The FOG installer changed configuration files and created the
    following backup files from your original files:

    /etc/exports <=> /etc/exports.1782208473
    /opt/fog/reporting/report.sh <=> /opt/fog/reporting/report.sh.1782208473
  • Get the latest news on what's happening.

    @Tom-Elliott I really appreciate that you are putting effort into providing more frequent releases, which makes it easier for everyone to deploy new security fixes in time. Keep up the good work!

  • View tutorials or talk about FOG in general.

    @Florent Hi Florent,

    I actually have been meaning to look into this some more, but the likely answer is no, or at least, not entirely. The way that support works is, you download a signed iPXE 2.0 binary from iPXE and a copy of their signed shim. That shim is signed with the Microsoft keys and trusts the iPXE signing keys. What this means in practical terms is, all the steps above would still need to occur, it’s just that the signing of the iPXE binary is managed by iPXE, and you don’t need to enroll a key to boot iPXE.

    That said, I would imagine this only covers you for booting iPXE, any chainloaded binaries would still need to be signed either with Microsoft’s key or a MOK key you’ve enrolled on the machine. In FOG’s case this means the FOS kernel has to be signed and trusted on the system, in addition to any other binaries (for example memtest, refind) you plan to boot via FOG.

    The other likely blocker is the build itself. Naturally, only iPXE can sign binaries that the iPXE Shim will support. Currently the FOG installer actually builds a slightly modified iPXE binary from source. While I’m unsure if these are all that different from the pre-built binaries from 2.0 in terms of support and functionality, it would at the very least need to be changed to instead pull the iPXE 2.0 binaries.

    I don’t think any of these are particularly hard to overcome or deal with though. The bottom line is, 2.0 makes it easier, but only to a point. To get real proper Secure Boot support in FOG, they’ll likely need to generate their own signing keys, and start signing at least the FOS kernels (if not iPXE itself) and update FOG to include shim support somehow.

    That said, for basic support, I doubt they would need to go the full mile and get a Microsoft approved signing key, I think distributing a certificate/key you can enroll via MokManager and using a pre-existing signed shim (like the iPXE provided one) would more than suffice for most use cases. I’m not sure how difficult it would actually be to implement any of this into FOG, that’s a question for someone who knows PHP and is more familiar with the FOG codebase than I.

    Sorry if that’s a bit long-winded, it’s not an easy topic to distill. Hope that helps though.

  • Report bugs, request features, or get the latest progress.

    @Valer Hi Valer,

    You can see my tutorial on using Secure boot with Shim, and my thoughts on what 2.0 means for Secure Boot with FOG here: http://forums.fogproject.org/post/158170
