@george1421 made it into all one script, even the mkkeys.sh

#!/bin/bash apt-get update apt-get upgrade -y apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev perl -e'use CPAN; install "File::Slurp"' mkdir -p /opt/fog/secureboot/efikeys cat << EOF > /opt/fog/secureboot/mkkeys.sh #!/bin/bash # Copyright (c) 2015 by Roderick W. Smith # Updated 26-Nov-2021 by George1421 for the FOG Project # Licensed under the terms of the GPL v3 NAME=FOGProjectSB openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \ -out efikeys/PK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \ -out efikeys/KEK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \ -out efikeys/DB.crt -days 3650 -nodes -sha256 openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'` echo $GUID > efikeys/myGUID.txt cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl rm -f efikeys/noPK.esl touch efikeys/noPK.esl sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth chmod 0600 efikeys/*.key echo "" echo "" echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB" echo "flash drive or to your EFI System Partition (ESP)." echo "For use with most UEFIs' built-in key managers, copy the *.cer files;" echo "but some UEFIs require the *.auth files." echo "" EOF chmod a+x /opt/fog/secureboot/mkkeys.sh cd /opt/fog/secureboot/ ./mkkeys.sh git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git cd /opt/fog/secureboot/efitools make mkdir -p /opt/fog/secureboot/hwkeys cd /opt/fog/secureboot/ efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl chmod 666 /opt/fog/secureboot/hwkeys/* cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/ cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/ cd /opt/fog/secureboot/efitools cat hw_db.esl > DB.esl cat hw_KEK.esl > KEK.esl cat hw_dbx.esl > dbx.esl rm LockDown*efi LockDown.so LockDown.o make cp LockDown-signed.efi EnrollKeys.efi mkdir -p /tftpboot cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot mv /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned mv /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned mv /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi mv /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi mv /tftpboot/snp.efi /tftpboot/snp-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snp.efi /tftpboot/snp-unsigned.efi

@jmvela2x Well this thread has been going on for 5 days now and I’m not sure I’ve done a good job explaining how FOG works.

With DHCP Profiles setup with the same computer.

BIOS Computer -> BIOS PXE Boot -> undionly.kpxe will be sent to target computer -> the global value of FOG Settings value contained in [BOOT EXIT TYPE] will be used -> SANBOOT for its Exit mode

UEFI Computer -> UEFI PXE Boot -> ipxe.efi will be sent to target computer -> the global value of FOG Settings value contained in [EFI BOOT EXIT TYPE] will be used -> REFIND_EFI for its Exit mode

This process works 99.9% of the time. The oneoffs that you might find would be UEFI based computers with quirky firmware or hardware.

turns out that the image had to be set to “Multiple partition image - single disk (not resizeable)”

@Sebastian-Roth for future reference, I will be sure to mention version numbers

Everything else worked including the .xml file.

Thank you for the assistance!! 🙂

@lgwapnitsky The advanced menu is something that you have to create by hand. Its creation is a bit more prehistoric than the rest of FOG. You create your Advanced menu via a text file and then paste the contents into a field in the FOG Settings page. I’d really like to see the Advanced menu integrated into the standard iPXE menu maker to make things easier for the FOG Admins. Maybe in time…

@duncan
removed the storage node and it seems to be working now.

Il try to rebuild the node and test again.

@sebastian-roth
Ping results showed it would drop completely once the PC froze. And by froze I mean it would completely freeze all of the sudden, not gradually. I ended up checked the RAM, and it turns out one of the sticks was bad so instead of a total of 16gb I had 12gb. I had my Fog server with 4gb of ram and the Windows VM 8gb, so no memory left for the actual PC running it all. Just lowered RAM on windows vm to 4gb and it’s all fine. I can now continue with my testing!!
Anyways, thanks for the reply, love seeing how helpful the FOG mods are!

@daansterckx There are a couple of things you want to check:

When the PC boots up, does it show the correct FOG server IP somewhere on the screen? On the FOG server run the following commands and post output here: ls -al /tftpboot/undionly* ps ax | grep -e xinet -e tftp netstat -antup | grep "LISTEN" | grep "69"

@jochenc98 What device is your dhcp server? Please state the manufacturer and version/model.

@george1421
changed to pm.max_spare_servers = 35
other paramaters had the correct value

The hardware :
PowerEdge R440
Intel® Xeon® Silver 4208 CPU @ 2.10GHz
memory size: 16GiB
network BCM57412 NetXtreme-E 10Gb

Just cross linking github issues here:
https://github.com/FOGProject/fogproject/issues/454
https://github.com/FOGProject/fogproject/issues/453

@lse said in Unable to capture image of w10 vm:

i do not know why it says at the end access is denied.

Not sure either…

Looking at the pictures they both show the very same size. While it’s not impossible I still find it suspicious. Maybe updating iPXE didn’t work as expected. Please run ls -al /tftpboot/ipxe.efi on your FOG server and post output here.

As for the rest, as long as it works in your organization there is no need to change because of what some dude on the internet says. From personal experience continuing to update a single golden image renders the image very messy and a bit bloated over time. But if it works for you, then there is no need to change.

Don’t get me wrong- I know that’s not an optimal way to work long term and we’re working on other solutions. I’m not disagreeing with that, I just don’t think there’s an actual problem with the MFT specifically. I’m not an expert on imaging or NTSF by any means though, so I could be wrong. I’m not trying to be hostile, I just want to understand since the MFT seems well below normal tolerance for Windows.

@sebastian-roth said in fog management console is blank:

You might want to take a look at @Wayne-Workman’s great install stats as well as the latest auto installer tests.

You can add AlmaLinux 8 and RockyLinux 8 to this list as I have tested those manually lately using dev-branch.

Very thanks for your advices.
I will to read Wayne-Workman’s postes and try with AlmaLinux 8 or RockyLinux 8.

Thanks

@george1421 said in Securing FOG Boot Options?:

@jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

Right right - ok I’m with you. Have the workaround though and for now even the non-splash menu is functional, in the sense that curious students here can’t amuse themselves doing goofy imaging.

I am appreciative of the help so thanks much there. 🙂

I know that this is an old thread but please can a moderator link this to?

https://forums.fogproject.org/topic/12838/change-the-default-images-location

I found the former by Google and this fixed my installation.

Please feel free to delete my comment. I wont be offended!

Thanks.

@fgutvar multicasting is very much dependent on your infrastructure. Multicast packets are normally blocked crossing your vlan routers this is by design. For multicasting across subnets there is typically a multicast router in place. This can be the same or different than your vlan router. The processing of unicast and multicast routing are different. Some standard IP routers have an igmp proxy service that will run. It functions much like a dhcp-relay or dhcp-helper service does, but the igmp proxy listens for multicast traffic and not dhcp traffic.

@george1421 : Thank you very much.

In fact i’m used to regular pxe server and we use fog mostly for the cloning feature for windows Workstations.

To deal with Ubuntu workstations i like to do iso booting + pxe , this way i can mix/test configurations (preseed.cfg) of installation process quickly/easily directly from our gitea.

By the way i use fog as the main pxe server even for servers with debian based installations.

After this part of deployment ansible is the king of the hill to do all basics/complex tasks.

Can i modify the topic’s title with SOLVED ? Can i edit my posts to remove the domain’s informations ?

Regards.

@noobfogger said in Backgroundchange dont work -> black:

can anyone send me an custom background .png that i can test it?

http://boot.ipxe.org/texture.png
https://ipxe.org/_media/logos/ipxe-large.png

Both are used for testing by the iPXE team and should work. Though I have to say I have not tested those myself lately.

In ubuntu server 21.10 i had to change something in ~/fogproject-master/lib/ubuntu/config.sh -> “php-gettext” to “php-php-gettext” -> is maybe that the reason?

No, definitely not.

@psicodelico FOG was not made to support setups with more than s single network interface. While you can manually fiddle with things to make some scenarios work I am not sure this is true in your case. You probably need to explain in more detail what your setup looks like. Especially why your FOG server had 10 interfaces. You seem to want to combine FOG server and router in one system from what we know so far. Not a great thing to do I reckon.

Thank you sir