Securing FOG Boot Options?

JRA · Jan 12, 2022, 3:54 AM

Morning all,

Have an issue in FOG 1.5.9 where, no matter what I change in the web GUI I can’t seem to “lock down” the options in the boot menu (eg restrict normal users getting access to perform full host registration or inventory.)

Any good places to fiddle around on that?

Ideally I’d like the whole menu options hidden until a key is pressed, can that be done also?

Thanks much any and everyone.

JRA · Jan 12, 2022, 11:21 AM

Ok getting a little further with it, but think on the other hand it’s getting ever more broken.

I can hide the PXE menu (although I really do want my nice little splash screen background image back to be honest) but setting a key (eg F9) to bring up the PXE options, logging in to the prompt which appears I get a chainloading error and it boots to first disk.

Is there any way to fix this and to hide all the menu options behind a single login option on the splash screen instead?

Thanks all.

JRA · Jan 12, 2022, 3:51 PM

Previously had FOG working on 18.04 on a former network so reinstalled the server from scratch.

That ran 1.5.7 so I installed that version of FOG also.

I am now proficient enough (sorta) to hide the menu options behind the Advanced login by setting the options in the iPXE Menu Customization page in the web gui.

What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

Has anyone got even the first idea where to start with this?

Thanks hugely if you can help me out. It’s not been an awesome day.

george1421 · Jan 12, 2022, 3:55 PM

@jra said in Securing FOG Boot Options?:

What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

You get this when the iPXE menu first comes up? When or what action causes the chain loading error?

JRA · Jan 12, 2022, 3:58 PM

@george1421 I’m hiding the option to image etc PCs behind the Advanced login options (this is a school so kids will delight themselves imaging or b0rking PCs all day if it’s not locked down a bit.)

Logging in to the advanced options from the PXE/background image splash screen menu options bring the chainloading message up. Across now two versions of FOG and Ubuntu server.

Never seen it before on any network.

undionly.kpxe is in DHCP as ipxe.pxe just sits at a prompt for a tftp server (?) - however entering the IP of the FOG server and continuing I get the same chainloading message. If that’s even a hint.

Thanks much for the reply there.

george1421 · Jan 12, 2022, 4:08 PM

@jra If you could post a screen shot of the error because the context of the error is almost as helpful as the error itself.

So the error is because of the rendering of the advanced menu? Since I have not worked with the advanced menu at all I don’t know exactly where to drive. BUT I can say if you point a browser at http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00 That will send the programming language behind the iPXE menu. Lets start by posting that results here for the next steps.

undionly.kpxe vs ipxe.efi. This file needs to be sent correctly based on the target computer that is pxe booting. SO, let me ask you what device is your dhcp server (mfg and model)?

JRA · Jan 12, 2022, 4:27 PM

@george1421 Thanks much there.

Not sure if it’s because of the rendering of it specifically, but confirming I do only see that using the advanced menu options. If there were some way to obfuscate all the options students here would find “interesting” I’d certainly take it.

Ok, so the message is as follows. I enter the username and password to access the advanced options and get this:

And the text from the URL is:

*#!ipxe
set fog-ip 10.134.60.60
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.multijoin Join Multicast Session
item fog.advancedlogin Advanced Menu fog.advancedlogin
choose --default fog.local --timeout 5000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.advancedlogin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param advLog 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:bootme
chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot*

Any clues in all that?

Cheers again for the help.

Also DHCP server is a HyperV VM on server 2012R2.

george1421 · Jan 12, 2022, 4:32 PM

@jra OK I’m going to send you back to the well with new info. Now instead of using boot.php lets use advanced.php

Edit: Wait don’t do this I need to fix the url: http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

Edit2: OK lets use this URL: http://10.134.60.60/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00&arch=x86_64&username=fog&password=password&advLog=1

You need to change the username and password values to match what is correct for your fog server. This above url should generate the advanced menu, where the chain is failing.

JRA · Jan 12, 2022, 4:41 PM

@george1421

@george1421 said in Securing FOG Boot Options?:

http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

Hehe, think we crossed edits there!

From the first edit url I only have:

#!ipxe

From the second edit url I have:

#!ipxe
set fog-ip 10.134.60.60
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap – -------------------------------------
item fog.local Boot from hard disk
item fog.multijoin Join Multicast Session
item fog.advancedlogin Advanced Menu fog.advancedlogin
choose --default fog.local --timeout 5000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.advancedlogin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param advLog 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:bootme
chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot

george1421 · Jan 12, 2022, 4:57 PM

@jra Well this is interesting and unexpected.

From the second URL, it looks like something injected the chain at the head of the menu and its calling advanced.php as in the first url I gave you.

#!ipxe
set fog-ip 10.134.60.60
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
>> chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console

Now the first URL I gave you only returned this:

#!ipxe

Which is an incomplete ipxe menu. So I’m wondering if you have something not configured correctly for the advanced menu. Again I don’t use the advanced menu so I can’t tell you what is wrong, but I can tell you from an iPXE standpoint that is not a complete ipxe script because there is nothing to do here.

JRA · Jan 12, 2022, 6:06 PM

@george1421

Ok very strange then. Especially as it has persisted across two versions of Ubuntu and two versions of FOG also. I’ve never seen it before either, FOG’s just always been kinda “ok” to set up.

How do I proceed though? I’m a bit stuck on what to do.

george1421 · Jan 12, 2022, 7:05 PM

@jra said in Securing FOG Boot Options?:

Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.

JRA · Jan 13, 2022, 2:49 AM

@george1421 said in Securing FOG Boot Options?:

@jra said in Securing FOG Boot Options?:

Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.

No not feeling you were snarky at all, didn’t read it as such either. However, limited in the mischief I can potentially cause when all I’m doing are basic installs and accessing menu options, plus having had FOG work perfectly before in two production environments, I can’t understand why it isn’t now, especially as I persisted across those also. Genuinely genuinely also not being snarky back, I am grateful for the help.

I can live with the pre-splash hidden options for now and we can suck it up. It’s at least functional there which is what matters.

If you get any insights do let me know as and when.

Thanks again George.

george1421 · Jan 13, 2022, 11:17 AM

@george1421 for reference: https://forums.fogproject.org/topic/12339/help-with-advanced-menu-with-login

I’ll fill in a bit more detail later this AM. But I got the same error as you did. I looked into the code and didn’t understand what the fog devs were doing. I found the above link and now understand. The advanced menu doesn’t work the way one might think.

lets use this example based page to create the advanced page.

#!ipxe
set fog-ip 192.168.112.116
set fog-webroot fog
set boot-url http://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture http://192.168.112.116/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.memtest Run Memtest86+
item fog.reginput Perform Full Host Registration and Inventory
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.multijoin Join Multicast Session
item fog.sysinfo Client System Information (Compatibility)
item fog.advanced Advanced Menu
item os.Debian.10.7L Debian 10.7 Live
item fog.keyenroll FOG Secure Boot Enrollment
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.memtest
kernel memdisk initrd=memtest.bin iso raw
initrd memtest.bin
boot || goto MENU
:fog.reginput
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
imgfetch init_32.xz
boot || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param qihost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.sysinfo
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
imgfetch init_32.xz
boot || goto MENU
:fog.advanced
chain -ar http://192.168.112.116/fog/service/ipxe/advanced.php || goto MENU
:os.Debian.10.7L
kernel tftp://${fog-ip}/debian/10.7L/vmlinuz
initrd tftp://${fog-ip}/debian/10.7L/initrd
imgargs vmlinuz dhcp boot=live components fetch=http://${fog-ip}/os/debian/10.7L/filesystem.squashfs
boot || goto MENU
param sysuuid ${uuid}
:fog.keyenroll
chain tftp:/${fog-ip}/EnrollKeys.efi
echo Rebooting the system in 8 seconds
sleep 5
reboot
param sysuuid ${uuid}
:bootme
chain -ar http://192.168.112.116/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot

The other option would be to not use the advanced menu, but just apply a login requirement on each standard ipxe menu item.

JRA · Jan 13, 2022, 12:31 PM

@george1421

Thanks much for all that George. Ok I’ll knock that into shape at some stage.

…just confirming paste that text you put up into /var/www/fog/service/ipxe/advanced.php, that right? Sorry I need a coffee!

george1421 · Jan 13, 2022, 3:20 PM

@jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

JRA · Jan 13, 2022, 3:20 PM

@george1421 said in Securing FOG Boot Options?:

@jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

Right right - ok I’m with you. Have the workaround though and for now even the non-splash menu is functional, in the sense that curious students here can’t amuse themselves doing goofy imaging.

I am appreciative of the help so thanks much there.

Securing FOG Boot Options?

153

12.0k

17.3k

155.2k