Deployment task never finishes without error



  • fog 1.5.2 @ubuntu 16.04 LTS

    I deploy linux and windows images where my windows images contain NTFS primary and bitlocker encrypted secondary partitions.
    At first I cloned the windows images same like my linux images ("Multiple Partition Image - All Disks (not resizable) (3) ").
    Once i saw that fog has an issue with that (only some seconds before the cloned target reboots one can see an error) . So I changed for the windows part to “Raw Image, sector by sector DD”. The cloned images work with that, it only takes more time.

    BUT: In the end of that cloning the same error still exists. As an result I get EVERY deployment not noticed by the fog server. I have to kill all deployment tasks by hand after the clone target reboots.
    That means for every cloned target all attached snapins fall as long as the task still lives and the task is pending.

    What is the right solution for that?



  • Disable Bitlocker was no alternative. That’s the result of my tests today.

    At first I tried to only unlock the bitlocked drive, but this will not withstand a reboot. So my unlocked image gets locked again when I reboot.

    When I disable BL that means I have to remove the BL encryption, so that the dd in funcs.sh ( dd if=$part bs=512 count=1 2>&1 | grep -i ‘-FVE-FS-’ ) is not able to find the BL-signature.
    But that would mean I have to deploy truly clean images and encrypt EVERY deployed image afterwards. This is a no-go. It costs time in encryption and (even worse) it creates one dedicated key for every new deployed computer.
    We need to use one remotely stored key for all deployed computers. That makes best sense in our use-case an I cannot change that decission. TPM will not work for us and would no make sense either as we need to have that mentioned key. Windows update will not hesitate us here … its an embedded W7 for dedicated systems.

    Finally I patched funcs.sh (uncommented that bitlocker check) and made a new init.xz of it.

    So my remaining question here:

    How I have to use the setupcomplete.cmd correctly in terms of:

    1. receive the new hostname . Here my first attempt was to wait some time as I observed that snappins take about some minutes until they get delivered … Will that naming take same time?
    2. set a static IP which depends from hostname ( I already have prepared a batch file for that …)

    Will that all have to go into setupcomplete.cmd?
    How and when will that get executed?

    Regards


  • Moderator

    I’m pretty sure that check was implemented because of issues with BitLocker partitions. (primarily resizing, iirc). Are you trying to capture with the resizable image type? Won’t work with a BitLocker partition.

    I also question how secure a BitLocker partition is when you can unlock them on multiple PCs with one key?


  • Moderator

    @jla said in Deployment task never finishes without error:

    a) disable Bitlocker before capturing -> so I deliver always unencrypted images to clients. This is not what we intended.
    I would have to have a script in the Autostart which automatically encrypts the unencrypted drive when the cloned image starts. This makes more work for + leaves a security hole.

    This is where I would focus. I would store the image on the FOG server in an unencrypted state. There are advantages here since the image size will be smaller on the fog server, it will capture and deploy faster and could size to the size of the destination computer hard drive if you captured with single disk resizable option.

    Now the question is what to do? Of course disable bitlocker before you capture. Then capture and deploy you image, in the setupcomplete.cmd batch file turn bitlocker back on. No need for a first login step unless you already do that step for other tasks. The setupcomplete.cmd step is good enough.

    Since you use bitlocker I have a question for you. Do you expect a bitlocker protected file system captured on one computer to work when deployed to a second computer? While I don’t use bitlocker I would expect no since the destination computer TPM chip certificate would not match the source computer TPM chip. I have seen sometimes even a windows update will upset bitlocker and you have to go through a key recovery process. I would think even if you were able to clone this disk you would have no joy on the target system.



  • @george1421 :
    Now I deployed again and have caught the error:
    In the end the FOG console tells:
    Found bitlocker signature in /dev/sda2 header. Please disable BITLOCKER before capturing an image ( isBitlockedPartition)

    The program is right; its locked. But this is no problem for me.
    I see two chances
    a) disable Bitlocker before capturing -> so I deliver always unencrypted images to clients. This is not what we intended.
    I would have to have a script in the Autostart which automatically encrypts the unencrypted drive when the cloned image starts. This makes more work for + leaves a security hole.

    b) find a way to ignore that unneeded error. Is there some way to mask out this checking at FOG-side?

    What’s best?


  • Moderator

    @jla said in Deployment task never finishes without error:

    BUT: In the end of that cloning the same error still exists. As an result I get EVERY deployment not noticed by the fog server. I have to kill all deployment tasks by hand after the clone target reboots.

    Ok I read your original post to quickly. What is this error you speak of? Is the error displayed during the fog deployment step or is the error shown by windows? If error in fog, please post a clear picture of the error message taken with a mobile phone. That will give us a better idea of the error you see.



  • At which point do I change the image definition settings?
    Finally my cloned images work.

    The stuff is more complex then I have told at first; the primary partition I clone is NTFS and contains “win7-embedded” - from here windows boots virtual harddrives (vhd) which build my drive “C:” which is of type “MS Virtual Disk SCSI Device”. That drive I want to slightly adopt/tune with snapins.

    The Bitlocker partition is another harddrive which contains protected stuff which gets unlocked later. Unlocking works, content is accessible.

    Why my deployment-tasks never finish w/o errors?


  • Moderator

    Well you can not change the image definition settings once an image has been captured because the image is saved (compressed) using a specific format.

    BUT, you should have a bigger issue to manage. If you have a bitlocker protected disk, you can not move that to another computer and expect it to work. That is kind of the point of disk encryption. If you use the TPM chip, then bitlocker will contain that key and prevent the OS from booting on other hardware. Also if you are using bitlocker and these are domain joined machines (already when captured) you will have many more issues.


 

409
Online

41.6k
Users

12.1k
Topics

114.4k
Posts