    FOG 1.5.6 Officially Released

      Tom Elliott
      last edited by Sebastian Roth

      https://news.fogproject.org/fog-1-5-6-officially-released/

      Update hint:
      An issue was found in 1.5.6 that calls for an early next release to fix that. Find the details here if you run into problems with FTP connections on kernel updates or storage nodes in 1.5.6: https://github.com/FOGProject/fogproject/issues/311

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        astrugatch
        last edited by

        Add hostname for SSL certificate generation.

        For this feature does it just read the host file on the machine or can I set this with a flag during install? I don’t currently have the FQDN in my host file, I just access it via our DNS server.

          Wayne Workman
          last edited by

          This is really great, way to go FOG team!

          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

            Sebastian Roth Moderator
            last edited by

            @astrugatch said in FOG 1.5.6 Officially Released:

            > Add hostname for SSL certificate generation.
            > For this feature does it just read the host file on the machine or can I set this with a flag during install? I don’t currently have the FQDN in my host file, I just access it via our DNS server.

            The installer grabs the name from the system and then asks if you are happy with that or want to manually change it.

              fry_p Moderator
              last edited by

              Well done boys! I’ll be sure to give my server a good ol’ update soon!

              Like open source community computing? Why not do it for a good cause?
              Use your computer/server for humanitarian projects when it is idle!
              https://join.worldcommunitygrid.org?recruiterId=1026912

                astrugatch @Sebastian Roth
                last edited by

                @Sebastian-Roth

                Does this only happen on first install? I did an upgrade from 1.5.5 and didn’t see this question.

                  Sebastian Roth Moderator
                  last edited by Sebastian Roth

                  @astrugatch said in FOG 1.5.6 Officially Released:

                  > Does this only happen on first install? I did an upgrade from 1.5.5 and didn’t see this question.

                  You are absolutely right. Seems like I have missed this important case altogether, arggghhhh!

                  The easiest route for you is editing /opt/fog/.fogsettings now. After running the 1.5.6 installer once you should have an “empty” hostname setting in there: hostname='' -> Just change the hostname to whatever you want it to be and re-run the installer.

                  Pushed a fix to dev-branch. Hope this is appropriate for the next releases.

                  Edit: More fixes pushed after testing this.

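Added example, not part of the original thread and not FOG project code: a read-only check of the `hostname` setting that the post above says to edit in /opt/fog/.fogsettings before re-running the installer. The function names, the result labels and the simple hostname syntax test are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not FOG project code). Function names and result labels
# are made up for this illustration.

# Print the value of the last hostname= line with surrounding quotes removed.
# The settings file is shell syntax, but it is parsed here rather than
# sourced, so checking it never executes its contents.
fog_hostname() {
    sed -n 's/^hostname=//p' "$1" | tail -n 1 |
        sed "s/^['\"]//; s/['\"]\$//"
}

# Classify the hostname setting in the given settings file.
# Prints one label and returns 0 only when a usable name is set:
#   unreadable  file missing or not readable
#   unset       no hostname= line at all
#   empty       hostname='' (the state described in the post above)
#   invalid     characters or label layout not allowed in a host name
#   short       single-label name, no domain part
#   fqdn        dotted name
check_fog_hostname() {
    file=$1
    if [ ! -r "$file" ]; then echo "unreadable"; return 2; fi
    if ! grep -q '^hostname=' "$file"; then echo "unset"; return 1; fi
    name=$(fog_hostname "$file")
    case $name in
        '') echo "empty"; return 1 ;;
        *[!A-Za-z0-9.-]* | .* | *. | -* | *..*) echo "invalid"; return 1 ;;
        *.*) echo "fqdn"; return 0 ;;
        *) echo "short"; return 0 ;;
    esac
}

# Usage on a FOG server: check_fog_hostname /opt/fog/.fogsettings
```

A result of `empty` or `unset` means the setting still has to be filled in by hand before the installer is re-run.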
                    astrugatch @Sebastian Roth
                    last edited by

                    @Sebastian-Roth

                    That worked. Still needed to set the force ssl flag though. SSL should probably be the default given the AD credentials that get entered into the site for a lot of users.

                      Matthieu Jacquart
                      last edited by Matthieu Jacquart

                      Hi,

                      Each time I tried to reinstall Fog since 1.5.6, I’ve got this error message and I had to delete user “fogproject”, is this normal behavior?

                       * Setting up fogproject user................................../var/log/lastlog: Aucun fichier ou dossier de ce type
                      Already exists
                      
                      The account "fogproject" already exists and has been used to
                      logon and work on this machine. We highly recommend you NOT
                      use this account for your work as it is supposed to be a
                      system account!
                      
                      Please remove the account "fogproject" manually before running
                      the installer again. Run: userdel fogproject
                      

                      Fog 1.5.9.138
                      Debian 11
                      Vmware ESXi

                        Tom Elliott @Matthieu Jacquart
                        last edited by

                        @Matthieu-Jacquart Do you have an account named “fogproject”?

                        We moved to using fogproject as opposed to fog for the system account as too many times people use ‘fog’ as their account name when they create their fog server.

                          Matthieu Jacquart @Tom Elliott
                          last edited by

                          @Tom-Elliott No, I just have a “fog” user account.
                          If I tried to reinstall fog, I’ve got this message, I delete “fogproject” user and it works, and next install same message I have to delete fogproject user…

                            Sebastian Roth Moderator
                            last edited by

                            Open up the discussion. Should FOG install as SSL by default? What potential pitfalls could we face?

                              george1421 Moderator @Sebastian Roth
                              last edited by

                              @Sebastian-Roth said in FOG 1.5.6 Officially Released:

                              > Should FOG install as SSL by default?

                              SSL between FOG Client and fog server yes. SSL between fog webui and IT management station ~. One of the things we are seeing with modern web browsers is that they are not liking self signed certificates. So every site you go to that has a self signed certificate you get the warning and have to click through a few screens to get to the site that employs a self signed certificate. Now if fog could use one of those free root traceable ssl certificates (like from Let's Encrypt) and then created the FOG SSL certificate using that then the IT admins would not get the browser nag messages. If fog did implement http ssl, would there also be value in ftps for ftp communications?

                              Beyond SSL there are a few things that FOG developers could do to improve FOG’s security stance (i.e. mysql, secure password, firewall, etc).

                                Wayne Workman @george1421
                                last edited by Wayne Workman

                                @george1421 said in FOG 1.5.6 Officially Released:

                                > Now if fog could use one of those free root traceable ssl certificates (like from Let's Encrypt) and then created the FOG SSL certificate using that then the IT admins would not get the browser nag messages.

                                Using Let’s Encrypt for FOG installation wouldn’t work in >98% of cases because those fog servers are not open to inbound traffic from the internet. They couldn’t pass the DNS http challenge/response.

                                Mostly, FOG is used at universities and public school districts. While I can see a university maybe already having a self-signed cert installed in the OS’s trust store, it’s not my experience or observation that public schools do this. While I’m 100% fully on-board with end-to-end encryption all the time everywhere, I feel it’d only be an unwanted hurdle to jump for most FOG users that are just trying to get some computers imaged.

                                Perhaps it could be made easier to setup SSL, rather than forcing it? Perhaps make it optional, and defaulting to ‘no’.

                                At any rate, this is just my 2 cents.

                                  Sebastian Roth Moderator
                                  last edited by Sebastian Roth

                                  @george1421 @Wayne-Workman Thanks for your thoughts on this! Definitely helpful to get some more inspiration on this topic.

                                  I guess we need to distinguish between different communications when talking about SSL. As George mentioned there are two (or actually three) different things communicating, one fog-client to FOG server, the other one IT admin web browser to FOG web UI and as third communicator there is iPXE to load the boot menu. The fog-client is using its own encryption protocol (HTTP within an encrypted tunnel based on certificates similar to HTTPS but not exactly like it!) for years and switching that to the official HTTPS standard is doable but not planned at the moment. The encryption used is state of the art and as strong as HTTPS (SSL/TLS) is.

                                  We transfer login password, AD credentials (when configuring those) and other things like that on the web UI communication and I definitely see that securing this should be easy to accomplish for users who want/need it. But we still default to plain HTTP partly because we provide pre-compiled iPXE binaries that cannot include an SSL CA trust certificate as every FOG server in the world generates its own CA on the first install. So delivering pre-compiled iPXE binaries is not possible. I have added a script (utils/FOGiPXE/buildipxe.sh) some time ago that is called to compile a full set of HTTPS enabled iPXE binaries embedding the “personal” FOG server CA into them. This works in most cases but it’s quite a heavy challenge if something goes wrong and we need to guide people through debugging this.

                                  > Perhaps it could be made easier to setup SSL, rather than forcing it? Perhaps make it optional, and defaulting to ‘no’.

                                  Ok, that would be just renaming the option from force-ssl to use-ssl and ask for it as an installer question I reckon. Could do.

                                  > One of the things we are seeing with modern web browsers is that they are not liking self signed certificates. So every site you go to that has a self signed certificate you get the warning and have to click through a few screens to get to the site that employs a self signed certificate.

                                  True, but Let’s Encrypt is not an option here as Wayne already explained. Maybe we should make it easier (provide a tool) to import the CA certificate into the browser store to get rid of the self signed messages. Not sure if that might cause other issues for users?!

                                  > Beyond SSL there are a few things that FOG developers could do to improve FOG’s security stance (i.e. mysql, secure password, firewall, etc).

                                  Definitely a good point!!! Should fix that before we get into encrypting everything.

                                    astrugatch @Sebastian Roth
                                    last edited by astrugatch

                                    @Sebastian-Roth @george1421 @Wayne-Workman

                                    While I agree that the self signed warnings are annoying; from a security standpoint it is still better and common for many self hosted services. Web communication should be secure even if it is less convenient. The fact FOG has so much power over clients (forcing re-installs, running snapins) means that the login to the web ui HAS to be encrypted. Most management services default to self signed and provide the option to replace with a third-party / external cert. Adding a UI element to streamline this (eg upload third party cert and restart fog from the UI) would make it more user friendly. This is the default with JAMF (tomcat) and Solarwinds.

                                    I do agree that looking at requiring a mysql password and configuring the firewall should be addressed too.

                                      Wayne Workman
                                      last edited by

                                      It’s worth noting that FOG is open source and runs on Linux and Apache. There’s a thousand articles on the internet about applying SSL to Apache. Anyone can secure their FOG installation with a self signed cert, or an organization-trusted cert. One could even say that securing things with SSL is the admin’s job.

                                        astrugatch @Wayne Workman
                                        last edited by

                                        @Wayne-Workman

                                        I agree that applying a cert in Apache is simple but I also believe the best experience is to meet a minimum level of security out of the box so to speak. Honestly I would say that moving the require https out of the installer flags and making it one of the dialogues (like the questions about network config) would be good enough. At least then new users (even ones following random out of date guides online most of which don’t reference the installer script flags) would be able to choose.

                                          Sebastian Roth Moderator
                                          last edited by

                                          @astrugatch said in FOG 1.5.6 Officially Released:

                                          > Adding a UI element to streamline this (eg upload third party cert and restart fog from the UI) would make it more user friendly. This is the default with JAMF (tomcat) and Solarwinds.

                                          As discussed here it’s not as easy as it sounds: https://forums.fogproject.org/topic/12926/fog-behind-reverse-proxy

                                          But I am with you that we should encourage more people to make it more secure and one important step would be to ask within the installer. Just not sure yet if we make the default choice yes or no.

                                            astrugatch @Sebastian Roth
                                            last edited by

                                            @Sebastian-Roth

                                            To be clear I’m mostly speaking about the web UI right now. But the client would be important too. The way JAMF handles the migration is that it continues to use its internal CA and distributes the new cert to the machines on check in. It keeps track of those that have received the cert and compares that to its list of enrolled machines. When all machines have received the cert there is a UI element that goes from red to green letting you know that the server can now be switched to communicate via the external CA.
