
Securing FOG Boot Options?

FOG Problems
    JRA
    last edited by JRA Jan 12, 2022, 3:54 AM Jan 12, 2022, 9:47 AM

    Morning all,

    Have an issue in FOG 1.5.9 where, no matter what I change in the web GUI I can’t seem to “lock down” the options in the boot menu (eg restrict normal users getting access to perform full host registration or inventory.)

    Any good places to fiddle around on that?

    Ideally I’d like the whole menu options hidden until a key is pressed, can that be done also?

    Thanks much any and everyone.

      JRA
      last edited by Jan 12, 2022, 11:21 AM

      Ok getting a little further with it, but think on the other hand it’s getting ever more broken.

      I can hide the PXE menu (although I really do want my nice little splash screen background image back to be honest) but setting a key (eg F9) to bring up the PXE options, logging in to the prompt which appears I get a chainloading error and it boots to first disk.

      Is there any way to fix this and to hide all the menu options behind a single login option on the splash screen instead?

      Thanks all.

        JRA
        last edited by Jan 12, 2022, 3:51 PM

        Previously had FOG working on 18.04 on a former network so reinstalled the server from scratch.

        That ran 1.5.7 so I installed that version of FOG also.

        I am now proficient enough (sorta) to hide the menu options behind the Advanced login by setting the options in the iPXE Menu Customization page in the web gui.

        What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

        Has anyone got even the first idea where to start with this?

        Thanks hugely if you can help me out. It’s not been an awesome day.

          george1421 Moderator @JRA
          last edited by Jan 12, 2022, 3:55 PM

          @jra said in Securing FOG Boot Options?:

          What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

          You get this when the iPXE menu first comes up? When or what action causes the chain loading error?

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            JRA @george1421
            last edited by Jan 12, 2022, 3:58 PM

            @george1421 I’m hiding the option to image etc PCs behind the Advanced login options (this is a school so kids will delight themselves imaging or b0rking PCs all day if it’s not locked down a bit.)

            Logging in to the advanced options from the PXE/background image splash screen menu options brings the chainloading message up. Across now two versions of FOG and Ubuntu server.

            Never seen it before on any network.

            undionly.kpxe is in DHCP as ipxe.pxe just sits at a prompt for a tftp server (?) - however entering the IP of the FOG server and continuing I get the same chainloading message. If that’s even a hint.

            Thanks much for the reply there.

              george1421 Moderator @JRA
              last edited by Jan 12, 2022, 4:08 PM

              @jra If you could post a screen shot of the error because the context of the error is almost as helpful as the error itself.

              So the error is because of the rendering of the advanced menu? Since I have not worked with the advanced menu at all I don’t know exactly where to drive. BUT I can say if you point a browser at http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00 That will send the programming language behind the iPXE menu. Let’s start by posting those results here for the next steps.

              undionly.kpxe vs ipxe.efi. This file needs to be sent correctly based on the target computer that is pxe booting. SO, let me ask you what device is your dhcp server (mfg and model)?

                JRA @george1421
                last edited by george1421 Jan 12, 2022, 10:33 AM Jan 12, 2022, 4:27 PM

                @george1421 Thanks much there.

                Not sure if it’s because of the rendering of it specifically, but confirming I do only see that using the advanced menu options. If there were some way to obfuscate all the options students here would find “interesting” I’d certainly take it.

                Ok, so the message is as follows. I enter the username and password to access the advanced options and get this:

                [Screenshot of the error; image not preserved]

                And the text from the URL is:

                #!ipxe
                set fog-ip 10.134.60.60
                set fog-webroot fog
                set boot-url http://${fog-ip}/${fog-webroot}
                cpuid --ext 29 && set arch x86_64 || set arch i386
                goto get_console
                :console_set
                colour --rgb 0x00567a 1 ||
                colour --rgb 0x00567a 2 ||
                colour --rgb 0x00567a 4 ||
                cpair --foreground 7 --background 2 2 ||
                goto MENU
                :alt_console
                cpair --background 0 1 ||
                cpair --background 1 2 ||
                goto MENU
                :get_console
                console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
                :MENU
                menu
                colour --rgb 0xff0000 0 ||
                cpair --foreground 1 1 ||
                cpair --foreground 0 3 ||
                cpair --foreground 4 4 ||
                item --gap Host is NOT registered!
                item --gap -- -------------------------------------
                item fog.local Boot from hard disk
                item fog.multijoin Join Multicast Session
                item fog.advancedlogin Advanced Menu fog.advancedlogin
                choose --default fog.local --timeout 5000 target && goto ${target}
                :fog.local
                sanboot --no-describe --drive 0x80 || goto MENU
                :fog.multijoin
                login
                params
                param mac0 ${net0/mac}
                param arch ${arch}
                param username ${username}
                param password ${password}
                param sessionJoin 1
                isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                param sysuuid ${uuid}
                :fog.advancedlogin
                login
                params
                param mac0 ${net0/mac}
                param arch ${arch}
                param username ${username}
                param password ${password}
                param advLog 1
                isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                param sysuuid ${uuid}
                :bootme
                chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
                goto MENU
                autoboot
                

                Any clues in all that?

                Cheers again for the help.

                Also DHCP server is a HyperV VM on server 2012R2.

                  george1421 Moderator @JRA
                  last edited by george1421 Jan 12, 2022, 10:39 AM Jan 12, 2022, 4:32 PM

                  @jra OK I’m going to send you back to the well with new info. Now instead of using boot.php let’s use advanced.php

                  Edit: Wait don’t do this I need to fix the url: http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

                  Edit2: OK let’s use this URL: http://10.134.60.60/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00&arch=x86_64&username=fog&password=password&advLog=1

                  You need to change the username and password values to match what is correct for your fog server. This above url should generate the advanced menu, where the chain is failing.

                    JRA @george1421
                    last edited by Jan 12, 2022, 4:41 PM

                    @george1421

                    @george1421 said in Securing FOG Boot Options?:

                    http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

                    Hehe, think we crossed edits there!

                    From the first edit url I only have:

                    #!ipxe

                    From the second edit url I have:

                    #!ipxe
                    set fog-ip 10.134.60.60
                    set fog-webroot fog
                    set boot-url http://${fog-ip}/${fog-webroot}
                    chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
                    cpuid --ext 29 && set arch x86_64 || set arch i386
                    goto get_console
                    :console_set
                    colour --rgb 0x00567a 1 ||
                    colour --rgb 0x00567a 2 ||
                    colour --rgb 0x00567a 4 ||
                    cpair --foreground 7 --background 2 2 ||
                    goto MENU
                    :alt_console
                    cpair --background 0 1 ||
                    cpair --background 1 2 ||
                    goto MENU
                    :get_console
                    console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
                    :MENU
                    menu
                    colour --rgb 0xff0000 0 ||
                    cpair --foreground 1 1 ||
                    cpair --foreground 0 3 ||
                    cpair --foreground 4 4 ||
                    item --gap Host is NOT registered!
                    item --gap -- -------------------------------------
                    item fog.local Boot from hard disk
                    item fog.multijoin Join Multicast Session
                    item fog.advancedlogin Advanced Menu fog.advancedlogin
                    choose --default fog.local --timeout 5000 target && goto ${target}
                    :fog.local
                    sanboot --no-describe --drive 0x80 || goto MENU
                    :fog.multijoin
                    login
                    params
                    param mac0 ${net0/mac}
                    param arch ${arch}
                    param username ${username}
                    param password ${password}
                    param sessionJoin 1
                    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                    param sysuuid ${uuid}
                    :fog.advancedlogin
                    login
                    params
                    param mac0 ${net0/mac}
                    param arch ${arch}
                    param username ${username}
                    param password ${password}
                    param advLog 1
                    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                    param sysuuid ${uuid}
                    :bootme
                    chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
                    goto MENU
                    autoboot

                      george1421 Moderator @JRA
                      last edited by george1421 Jan 12, 2022, 11:02 AM Jan 12, 2022, 4:57 PM

                      @jra Well this is interesting and unexpected.

                      From the second URL, it looks like something injected the chain at the head of the menu and it’s calling advanced.php as in the first url I gave you.

                      #!ipxe
                      set fog-ip 10.134.60.60
                      set fog-webroot fog
                      set boot-url http://${fog-ip}/${fog-webroot}
                      >> chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
                      cpuid --ext 29 && set arch x86_64 || set arch i386
                      goto get_console
                      

                      Now the first URL I gave you only returned this:

                      #!ipxe
                      

                      Which is an incomplete ipxe menu. So I’m wondering if you have something not configured correctly for the advanced menu. Again I don’t use the advanced menu so I can’t tell you what is wrong, but I can tell you from an iPXE standpoint that is not a complete ipxe script because there is nothing to do here.

                        JRA @george1421
                        last edited by Jan 12, 2022, 6:06 PM

                        @george1421

                        Ok very strange then. Especially as it has persisted across two versions of Ubuntu and two versions of FOG also. I’ve never seen it before either, FOG’s just always been kinda “ok” to set up.

                        How do I proceed though? I’m a bit stuck on what to do.

                          george1421 Moderator @JRA
                          last edited by Jan 12, 2022, 7:05 PM

                          @jra said in Securing FOG Boot Options?:

                          Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

                          My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.

                            JRA @george1421
                            last edited by JRA Jan 13, 2022, 2:49 AM Jan 13, 2022, 8:48 AM

                            @george1421 said in Securing FOG Boot Options?:

                            @jra said in Securing FOG Boot Options?:

                            Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

                            My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.

                            No not feeling you were snarky at all, didn’t read it as such either. However, limited in the mischief I can potentially cause when all I’m doing are basic installs and accessing menu options, plus having had FOG work perfectly before in two production environments, I can’t understand why it isn’t now, especially as I persisted across those also. Genuinely genuinely also not being snarky back, I am grateful for the help.

                            I can live with the pre-splash hidden options for now and we can suck it up. It’s at least functional there which is what matters.

                            If you get any insights do let me know as and when.

                            Thanks again George.

                              george1421 Moderator @george1421
                              last edited by Jan 13, 2022, 11:17 AM

                              @george1421 for reference: https://forums.fogproject.org/topic/12339/help-with-advanced-menu-with-login

                              I’ll fill in a bit more detail later this AM. But I got the same error as you did. I looked into the code and didn’t understand what the fog devs were doing. I found the above link and now understand. The advanced menu doesn’t work the way one might think.

                              Let’s use this example-based page to create the advanced page.

                              #!ipxe
                              set fog-ip 192.168.112.116
                              set fog-webroot fog
                              set boot-url http://${fog-ip}/${fog-webroot}
                              cpuid --ext 29 && set arch x86_64 || set arch i386
                              goto get_console
                              :console_set
                              colour --rgb 0x00567a 1 ||
                              colour --rgb 0x00567a 2 ||
                              colour --rgb 0x00567a 4 ||
                              cpair --foreground 7 --background 2 2 ||
                              goto MENU
                              :alt_console
                              cpair --background 0 1 ||
                              cpair --background 1 2 ||
                              goto MENU
                              :get_console
                              console --picture http://192.168.112.116/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
                              :MENU
                              menu
                              colour --rgb 0xff0000 0 ||
                              cpair --foreground 1 1 ||
                              cpair --foreground 0 3 ||
                              cpair --foreground 4 4 ||
                              item --gap Host is NOT registered!
                              item --gap -- -------------------------------------
                              item fog.local Boot from hard disk
                              item fog.memtest Run Memtest86+
                              item fog.reginput Perform Full Host Registration and Inventory
                              item fog.reg Quick Registration and Inventory
                              item fog.deployimage Deploy Image
                              item fog.multijoin Join Multicast Session
                              item fog.sysinfo Client System Information (Compatibility)
                              item fog.advanced Advanced Menu
                              item os.Debian.10.7L Debian 10.7 Live
                              item fog.keyenroll FOG Secure Boot Enrollment
                              choose --default fog.local --timeout 3000 target && goto ${target}
                              :fog.local
                              sanboot --no-describe --drive 0x80 || goto MENU
                              :fog.memtest
                              kernel memdisk initrd=memtest.bin iso raw
                              initrd memtest.bin
                              boot || goto MENU
                              :fog.reginput
                              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
                              imgfetch init_32.xz
                              boot || goto MENU
                              :fog.reg
                              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
                              imgfetch init_32.xz
                              boot || goto MENU
                              :fog.deployimage
                              login
                              params
                              param mac0 ${net0/mac}
                              param arch ${arch}
                              param username ${username}
                              param password ${password}
                              param qihost 1
                              isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                              isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                              param sysuuid ${uuid}
                              :fog.multijoin
                              login
                              params
                              param mac0 ${net0/mac}
                              param arch ${arch}
                              param username ${username}
                              param password ${password}
                              param sessionJoin 1
                              isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                              isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                              param sysuuid ${uuid}
                              :fog.sysinfo
                              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
                              imgfetch init_32.xz
                              boot || goto MENU
                              :fog.advanced
                              chain -ar http://192.168.112.116/fog/service/ipxe/advanced.php || goto MENU
                              :os.Debian.10.7L
                              kernel tftp://${fog-ip}/debian/10.7L/vmlinuz
                              initrd tftp://${fog-ip}/debian/10.7L/initrd
                              imgargs vmlinuz dhcp boot=live components fetch=http://${fog-ip}/os/debian/10.7L/filesystem.squashfs
                              boot || goto MENU
                              param sysuuid ${uuid}
                              :fog.keyenroll
                              chain tftp:/${fog-ip}/EnrollKeys.efi
                              echo Rebooting the system in 8 seconds
                              sleep 5
                              reboot
                              param sysuuid ${uuid}
                              :bootme
                              chain -ar http://192.168.112.116/fog/service/ipxe/boot.php##params ||
                              goto MENU
                              autoboot
                              

                              The other option would be to not use the advanced menu, but just apply a login requirement on each standard ipxe menu item.

                                JRA @george1421
                                last edited by Jan 13, 2022, 12:31 PM

                                @george1421

                                Thanks much for all that George. Ok I’ll knock that into shape at some stage.

                                …just confirming paste that text you put up into /var/www/fog/service/ipxe/advanced.php, that right? Sorry I need a coffee!

                                  george1421 Moderator @JRA
                                  last edited by Jan 13, 2022, 12:50 PM

                                  @jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

                                  What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

                                  I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

                                    JRA @george1421
                                    last edited by Jan 13, 2022, 3:20 PM

                                    @george1421 said in Securing FOG Boot Options?:

                                    @jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

                                    What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

                                    I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

                                    Right right - ok I’m with you. Have the workaround though and for now even the non-splash menu is functional, in the sense that curious students here can’t amuse themselves doing goofy imaging.

                                    I am appreciative of the help so thanks much there. 🙂

                                    1 Reply Last reply Reply Quote 0
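Added example, not part of the original thread and not FOG's own code: a small Python audit of the iPXE script that boot.php or advanced.php returns, listing selectable menu items whose block never runs `login` and flagging a script that contains only `#!ipxe`, as advanced.php did above. The function names, the shortened sample menu and the 192.0.2.10 address are assumptions made for illustration.

```python
"""Audit an iPXE menu script for entries that run without a `login` prompt."""

# Constructed sample modelled on the menus in this thread (placeholder address).
SAMPLE_MENU = """#!ipxe
set fog-ip 192.0.2.10
:MENU
menu
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.advanced Advanced Menu
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param username ${username}
param password ${password}
param qihost 1
:fog.advanced
chain -ar http://192.0.2.10/fog/service/ipxe/advanced.php || goto MENU
:bootme
chain -ar http://192.0.2.10/fog/service/ipxe/boot.php##params ||
goto MENU
"""

# What advanced.php returned in the thread: a shebang and nothing to execute.
EMPTY_MENU = "#!ipxe\n"

VALUE_OPTS = {"--menu", "-m", "--key", "-k"}  # `item` options that take a value


def commands(script):
    """Yield the non-empty, non-comment lines of an iPXE script."""
    for raw in script.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def menu_labels(script):
    """Return the labels of selectable `item` lines (gap rows are skipped)."""
    labels = []
    for line in commands(script):
        tok = line.split()
        if tok[0] != "item" or "--gap" in tok or "-g" in tok:
            continue
        i = 1
        while i < len(tok) and tok[i].startswith("-"):
            i += 2 if tok[i] in VALUE_OPTS else 1
        if i < len(tok):
            labels.append(tok[i])
    return labels


def blocks(script):
    """Map each `:label` to the commands that follow it up to the next label."""
    out, current = {}, None
    for line in commands(script):
        if line.startswith(":"):
            current = line[1:]
            out[current] = []
        elif current is not None:
            out[current].append(line)
    return out


def audit_menu(script, allowed=()):
    """Report an empty script, items without `login`, and items with no block."""
    body = blocks(script)
    report = {"empty": not any(commands(script)), "no_login": [], "undefined": []}
    for label in menu_labels(script):
        if label in allowed:
            continue  # entries the admin accepts as open, e.g. local boot
        if label not in body:
            report["undefined"].append(label)
        elif "login" not in (cmd.split()[0] for cmd in body[label]):
            report["no_login"].append(label)
    return report


if __name__ == "__main__":
    print(audit_menu(SAMPLE_MENU, allowed={"fog.local"}))
    print(audit_menu(EMPTY_MENU))
```

In iPXE, `login` only prompts for the username and password; the server checks them when the `params` are posted to boot.php, so this is a check of the menu layout, not of the credentials.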
                                    Copyright © 2012-2024 FOG Project