First install - Secure boot and some pointers to info please
-
At the beginning of my fog journey, so hello all,
I’ve got various machines already booting to the fog menu but wanted to rule out potential problems with my setup please, as a couple of machines aren’t behaving.
I’m reading through a lot of information but conscious that I’m reading quite a lot of out of date info on my travels (and chasing my own tail a little) so thought I’d respectfully ask for some guidance.
Usage won’t be large scale - mixed windows/ *nix environment, maybe osx later. UEFI and BIOS.
It’s more that I have a lot of different machines to manage for myself/ friends/ family, rather than an office of hundreds. I’m constantly creating and tearing down virt machines for learning, so I’m seeing if fog can centralise some of the initial install here - ansible can take over a lot from there.
Plus, you know, learning.
Questions:
1 - Secure Boot
An HP 450 G3 laptop is being a slight pain. It works if I disable secure boot but as I’m looking to use this with bitlocker that isn’t ideal, especially as there will be other machines in a similar position, just haven’t tested them yet.
With secure boot enabled I can see it quickly flashes
Downloading NBP file Succeed to download NBP File.
And then boots to the hard drive, ignoring the fog menu
I can see here that George mentions there’s a way to shim this but am having trouble finding instructions on this.
2 - Hyper-V
Gen 2 machines seem to work ok.
Gen 1 (with legacy network adapter) - gets stuck at iPXE initialising devices… photo attached (hopefully)
Probably no loss (my proxmox works fine) but I wanted to check it wasn’t a problem in my setup and just interested in why.
I’ve read several historic posts on old versions not working but wanted to check if this is still a known problem please?
3 - Dual boot
Reading up on this next so just thought I’d check if there are any good guides as I suspect this will be full of gotchas, and mentioning it in case it’s relevant for the secure boot part.
4 - Wiki Edit
Forgive this please as I know the point of a wiki is to change it myself (and appears lazy to ask someone to do it) but I think the above makes clear I’m not at that level of confidence with this yet.
May I humbly suggest that on the dnsmasq proxy page the 3 links at the top are put down the bottom. As a newbie you feel you should check them but they just take you in a loop of isc/ legacy information.
The good content you need is on this page directly below these links. Perhaps also a quick reference to pi-hole just so it comes up in searches.
Appreciate there’s a lot here so shout if I should delete and do separate posts.
Huge thanks for taking the time to read and thank you for all the hard work making this.
---------- Some information on setup ----------------
Fog 1.5.8 on an Ubuntu 19.10 hyper-v VM using dnsmasq as proxy to a pihole server, config below.
No changes in dnsmasq to pi-hole server for fog - other than setting up reserved IP for machine.
```
root@fog:~# cat /etc/dnsmasq.d/
cat: /etc/dnsmasq.d/: Is a directory
root@fog:~# cat /etc/dnsmasq.d/ltsp.conf
# Don't function as a DNS server:
port=0
# Log lots of extra information about DHCP transactions.
log-dhcp
# Set the root directory for files available via FTP.
tftp-root=/tftpboot
# The boot filename, Server name, Server Ip Address
dhcp-boot=undionly.kpxe,,192.168.21.28
# Disable re-use of the DHCP servername and filename fields as extra
# option space. That's to avoid confusing some old or broken DHCP clients.
dhcp-no-override
# inspect the vendor class string and match the text to set the tag
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
# Set the boot file name based on the matching tag from the vendor class (above)
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.21.28
dhcp-boot=net:UEFI,ipxe.efi,,192.168.21.28
dhcp-boot=net:UEFI64,ipxe.efi,,192.168.21.28
# PXE menu. The first part is the text displayed to the user. The second is the timeout, in seconds.
pxe-prompt="Booting FOG Client", 3
# The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
# Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
# This option is first and will be the default if there is no input from the user.
pxe-service=X86PC, "Boot to FOG", undionly.kpxe
pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
dhcp-range=192.168.21.28,proxy
```
```
#!ipxe
set fog-ip 192.168.21.28
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://192.168.21.28/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.memtest Run Memtest86+
item fog.reginput Perform Full Host Registration and Inventory
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.multijoin Join Multicast Session
item fog.sysinfo Client System Information (Compatibility)
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.memtest
kernel memdisk initrd=memtest.bin iso raw
initrd memtest.bin
boot || goto MENU
:fog.reginput
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
imgfetch init_32.xz
boot || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param qihost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.sysinfo
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.21.28/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.21.28:/images/ storageip=192.168.21.28 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
imgfetch init_32.xz
boot || goto MENU
:bootme
chain -ar http://192.168.21.28/fog/service/ipxe/boot.php##params || goto MENU
autoboot
```
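A quick way to sanity-check a ProxyDHCP config like the ltsp.conf above is to replay dnsmasq's matching rules offline: which tag a client's option 60 string sets, which dhcp-boot filename that tag selects, and which pxe-service menu entry the client's architecture code gets. The script below is an added example, not FOG's or dnsmasq's own code; it embeds the tag and PXE lines from the config posted above as a constructed sample and models only those matching rules, not dnsmasq's full ProxyDHCP behaviour.

```python
# Constructed sample: the tag and PXE-menu lines from the ltsp.conf posted above.
SAMPLE_CONF = """
dhcp-boot=undionly.kpxe,,192.168.21.28
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.21.28
dhcp-boot=net:UEFI,ipxe.efi,,192.168.21.28
dhcp-boot=net:UEFI64,ipxe.efi,,192.168.21.28
pxe-service=X86PC, "Boot to FOG", undionly.kpxe
pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
"""
# Client System Architecture codes from RFC 4578, keyed by dnsmasq's names.
CSA = {"X86PC": 0, "PC98": 1, "IA64_EFI": 2, "ALPHA": 3, "ARC_X86": 4, "INTEL_LEAN_CLIENT": 5,
       "IA32_EFI": 6, "BC_EFI": 7, "XSCALE_EFI": 8, "X86-64_EFI": 9}

def parse_conf(text):
    """Collect (tag, match) pairs, (tag, file) boot entries and PXE menu entries."""
    tags, boots, services = [], [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",")]
        if key == "dhcp-vendorclass":      # tag,<substring of option 60>
            tags.append((fields[0], fields[1]))
        elif key == "dhcp-boot":           # [net:tag,]file,servername,server-ip
            tag = None
            if fields[0].startswith(("net:", "tag:")):
                tag = fields.pop(0).split(":", 1)[1]
            boots.append((tag, fields[0]))
        elif key == "pxe-service":         # csa,"menu text",file
            services.append((CSA[fields[0].upper()], fields[1].strip('"'), fields[2]))
    return tags, boots, services

def resolve(arch, conf=SAMPLE_CONF):
    """What a client announcing PXEClient:Arch:<arch> (RFC 4578 code) is offered."""
    tags, boots, services = parse_conf(conf)
    vendor_class = "PXEClient:Arch:%05d" % arch
    # dnsmasq sets a tag when its string is a substring of the client's option 60.
    active = {tag for tag, match in tags if match in vendor_class}
    # A matching tagged dhcp-boot line wins over the untagged default.
    tagged = [f for t, f in boots if t is not None and t in active]
    default = [f for t, f in boots if t is None]
    menu = [(text, f) for code, text, f in services if code == arch]
    return {"tags": sorted(active), "bootfile": (tagged or default or [None])[0],
            "pxe_menu": menu}
```

Calling `resolve(7)` shows the x64 UEFI (BC_EFI) path the HP laptop takes to ipxe.efi, while `resolve(6)` shows that a 32-bit UEFI client gets a dhcp-boot filename from the UEFI32 tag but has no pxe-service menu entry in this config.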
-
-
Secure boot. You have to disable secure boot to boot with a non-signed kernel. The shim no longer works because of increased security around secure boot. The FOS kernel as well as iPXE needs to be signed by Microsoft, or the shim signed by Microsoft and then the shim checked to see if the FOS kernel and iPXE are signed. For an open-source project, having the kernels signed by Microsoft every time gets to be a bit expensive. So you need to disable secure boot. I know that with the Dells you can use CCTK to enable secure boot after imaging. I assume HP has a similar firmware interface tool. Also remember that your golden image must not have bitlocker enabled before image capture. If it's turned on your deployed image will not function correctly.
-
Hyper-V… what more can I say. It's temperamental depending on the version of your host OS.
-
-
OK, thanks for coming back George. Reply is hugely appreciated and saved me a lot of second guessing. Cheers.
-
@beardedfool If you want to go secure boot there might be a way using your own custom Certificate Authority to roll out things. I haven’t done this myself and can’t give you any details. You’d need to talk to @Lee-Rowlett about this. First check out his posts here: https://forums.fogproject.org/topic/13832/secureboot-issues