rocky linux 9.6 quirks & php 8
-
@ rodluz @Tom-Elliott
After some effort on the install script I got FOG working on my rocky 9.6 set up with a few caveats.
-
I had to install many of the packages manually, like php, mysql, tftp due to selinux and firewalls (including hardware firewalls) so ended up with PHP 8.0.30-3 on this system. This version of PHP does not have a seperate JSON package.
-
I installed 1.5.10.1698 from the stable branch. I plan on trying from the dev branch later to see if that will resolve my issues.
-
I had to do some work to get tftp and pxe to work correctly. I’ll lay this out here.
-
created a symlink from /var/lib/tftpboot > /tftpboot
-
enabled and started the tftp service manually - systemctl enable tftp & systemctl start tftp
-
then created a file in /etc/systemd/system/tftp.socket.d/override.conf (after making a directory “/tftp.socket.d” and giving that directory proper ownership & permissions) with the following code:
[Socket]
ListenDatagram=69[Service]
ExecStart=
ExecStart=/usr/sbn/in.tftpf --foreground --secure /tftpboot- reloading the systemd service daemon - “systemctl daemon-reload” & “systemctl restart tftp.socket”
The server would then pxeboot at least BIOS at this point.
Now what doesn’t work is that:
The Web UI currently seems to have php conflicts. I installed php-8.0.30-3 and the modules connected to this when installing the server. The web UI has a quirk on the FOG configuration page when you have a button for DefaultMember FOG Version: () it is not printing the version of FOG or the versions of bzimage or init.xz files and in checking using curl http://ip-address-of-server/fog/service/getversion.php - i ony see - 1.5.10.1698
here is a picture of the error
This isn’t a big deal for me at the moment a I can capture and deploy an image. but I think there should be a way to fix it. I wanted to check if the php version is the issue or if I should use a dev branch (I kind of don’t want to)
-
-
@mrowand This is strange to me, since I installed Rocky yesterday so I could do some testing.
I ran an install of Rocky 9 and Rocky 10 and didn’t have to make any single change to the installer for things to install perfectly fine.
I’m not sure why you’re having issues but in both rocky 10 and 9, php version is by default 8 so I’m unsure what you’re asking about.
I’m not able to replicate the issues that you’re describing. To be fair, I’m not behind all your same firewalls, but based on your information I’m unable to replicate any issues between Rocky 9 or 10 and with PHP 8.0
I didn’t need to manually install any packages. I installed dev-branch right away because of security and what not, but as far as package changes, there haven’t been any between stable and dev-branch.
Now, tftp starts using fog-tftp.socket (so it will only turn on as requested rather than constantly running in the background).
It looks like your firewall is preventing outgoing access to the internet or other devices on your network (likely firewall-cmd needs to have http/https services added:
sudo firewall-cmd --zone=public --add-service=http sudo firewall-cmd --zone=public --add-service=https(So you can see the version of your fog server.
Then again I don’t know your environment.
-
Thank you for getting back to me so fast.
Definitely an issue with external firewalls or selinux. I had the install script bug on things mainly with any of the “remi” repos so is why I installed manually. any of these packages were installed with “appstream” and not “remi”
in any event I am not using this server on the internet so have disabled the firewall service.
For example the PHP I installed was 8.0.30 on the “appstream” repo and the remi repo has a 8.4.13. I think the version of PHP was giving me this problem. In order to get the default member FOG version button to work I had to comment out the line FOGCore::checkAuthAndCSRF in /var/www/html/fog/status/kernelvers.php - If I put the uncomment it out, the button then does not show the versions. So I can recreate it with my set up. when it doesn’t work, I checked pressing F12 in my browser in developer mode and can see that the “/var/www/html/fog/status/kernelvers.php” has a 403 forbidden error.
I’ve attached a picture here:
Maybe a security setting (selinux and firewalld are both disabled) but since this is rocky possibly I need to do commands to permit these?
Before I did this temp fix with the commenting out, I tested a new “/var/www/html/fog/status/kernelvers.php” file (after making a backup of the original to see if this could be fixed) and that broke the FOG Version information script (I get a “Failed to get latest info” - which as the server is not on the internet is fine, other than I would get in bold red letters “This is not the latest version of FOG before” - which is the only bug I seemed to have. Since I did this it is not a “FOG” issue per se, but could the version of php have something to do with it?
I saved the file created for “/var/www/html/fog/status/kernelvers.php” (I saved it as a text file) which broke this function (i revered to the original as this was a test)
This is the original file (saved as a text file) with the comment out the line FOGCore::checkAuthAndCSRF:
As to my pxe problem. I removed the change in /etc/systemd/system/tftp.socket.d/override.conf and pxe is working fine now which is strange but I did do a lot of other steps in troubleshooting which I forget now which probably is what actually fixed it.
I can provide the logs but in a nutshell I think the issues I have is that I installed different versions of the software than the installer does or selinux is still somehow blocking this.
Matt
-
@mrowand The whole point of the checkAuthAndCSRF is to prevent unauthorized access. Based on the message I’m seeing, the 403 forbidden is happening because it’s crossing origin to get the data or the CSRF token isn’t passing correctly:
Here’s the code that validates:
// Optional defense-in-depth: Origin/Referer check for state-changing requests public static function checkOrigin(array $allowedOrigins): void { $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET'); if (!in_array($method, ['POST','PUT','PATCH','DELETE'], true)) { return; } $origin = $_SERVER['HTTP_ORIGIN'] ?? null; $referer = $_SERVER['HTTP_REFERER'] ?? null; if ($origin) { foreach ($allowedOrigins as $allowed) { if (stripos($origin, $allowed) === 0) { return; } } http_response_code(403); echo _('Forbidden (disallowed Origin)'); exit; } elseif ($referer) { foreach ($allowedOrigins as $allowed) { if (stripos($referer, $allowed) === 0) { return; } } http_response_code(403); echo _('Forbidden (disallowed Referer)'); exit; } // If neither header is present, you can decide to be strict or lenient. // Often lenient to avoid breaking weird client setups. }I suspect your console has more information leading to the specific error that was hit.
ultimately the code is working as expected and there’s something in your environment causing the issue. Now, to be fair, you said you installed Stable, and Dev-branch has a fix of which I admit I missed.
If you’re willing/able to install the dev-branch I suspect you’ll see this is working much better.
