• Morning all,

    Have an issue in FOG 1.5.9 where, no matter what I change in the web GUI I can’t seem to “lock down” the options in the boot menu (eg restrict normal users getting access to perform full host registration or inventory.)

    Any good places to fiddle around on that?

    Ideally I’d like the whole menu options hidden until a key is pressed, can that be done also?

    Thanks much any and everyone.


  • @george1421 said in Securing FOG Boot Options?:

    @jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

    What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

    I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.

    Right right - ok I’m with you. Have the workaround though and for now even the non-splash menu is functional, in the sense that curious students here can’t amuse themselves doing goofy imaging.

    I am appreciative of the help so thanks much there. 🙂

  • Moderator

    @jra Now that I’ve had my second cup of coffee this morning I can explain it a bit more.

    What the advanced menu and advanced.php does is insert a menu you create when advanced.php is called. You have to hand code the advanced menu and insert the text into a field in FOG Configuration->FOG Settings PXE Advanced Menu field. That field is then inserted after the #ipxe you saw when you called advanced.php directly (like I had you do).

    I don’t have the skills to do this, but it would be great if you could construct the advanced menu like you do the standard iPXE menus by just changing the Menu Show with field, to “Show on Advanced menu”. Then you could move standard menu item behind the advanced menu right from the gui. That sounds like a logical feature to have, but right now the FOG Project doesn’t have the developer time to add that feature.


  • @george1421

    Thanks much for all that George. Ok I’ll knock that into shape at some stage.

    …just confirming paste that text you put up into /var/www/fog/service/ipxe/advanced.php, that right? Sorry I need a coffee!

  • Moderator

    @george1421 for reference: https://forums.fogproject.org/topic/12339/help-with-advanced-menu-with-login

    I’ll fill in a bit more detail later this AM. But I got the same error as you did. I looked into the code and didn’t understand what the fog devs were doing. I found the above link and now understand. The advanced menu doesn’t work the way one might think.

    lets use this example based page to create the advanced page.

    #!ipxe
    set fog-ip 192.168.112.116
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://192.168.112.116/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    item --gap Host is NOT registered!
    item --gap -- -------------------------------------
    item fog.local Boot from hard disk
    item fog.memtest Run Memtest86+
    item fog.reginput Perform Full Host Registration and Inventory
    item fog.reg Quick Registration and Inventory
    item fog.deployimage Deploy Image
    item fog.multijoin Join Multicast Session
    item fog.sysinfo Client System Information (Compatibility)
    item fog.advanced Advanced Menu
    item os.Debian.10.7L Debian 10.7 Live
    item fog.keyenroll FOG Secure Boot Enrollment
    choose --default fog.local --timeout 3000 target && goto ${target}
    :fog.local
    sanboot --no-describe --drive 0x80 || goto MENU
    :fog.memtest
    kernel memdisk initrd=memtest.bin iso raw
    initrd memtest.bin
    boot || goto MENU
    :fog.reginput
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=manreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.reg
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=autoreg
    imgfetch init_32.xz
    boot || goto MENU
    :fog.deployimage
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param qihost 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.multijoin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param sessionJoin 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.sysinfo
    kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://192.168.112.116/fog/ consoleblank=0 rootfstype=ext4 NFSv4=1 NFSTLS=1 storage=192.168.112.116:/images/ storageip=192.168.112.116 nvme_core.default_ps_max_latency_us=0 loglevel=4 mode=sysinfo
    imgfetch init_32.xz
    boot || goto MENU
    :fog.advanced
    chain -ar http://192.168.112.116/fog/service/ipxe/advanced.php || goto MENU
    :os.Debian.10.7L
    kernel tftp://${fog-ip}/debian/10.7L/vmlinuz
    initrd tftp://${fog-ip}/debian/10.7L/initrd
    imgargs vmlinuz dhcp boot=live components fetch=http://${fog-ip}/os/debian/10.7L/filesystem.squashfs
    boot || goto MENU
    param sysuuid ${uuid}
    :fog.keyenroll
    chain tftp:/${fog-ip}/EnrollKeys.efi
    echo Rebooting the system in 8 seconds
    sleep 5
    reboot
    param sysuuid ${uuid}
    :bootme
    chain -ar http://192.168.112.116/fog/service/ipxe/boot.php##params ||
    goto MENU
    autoboot
    

    The other option would be to not use the advanced menu, but just apply a login requirement on each standard ipxe menu item.


  • @george1421 said in Securing FOG Boot Options?:

    @jra said in Securing FOG Boot Options?:

    Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

    My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.

    No not feeling you were snarky at all, didn’t read it as such either. However, limited in the mischief I can potentially cause when all I’m doing are basic installs and accessing menu options, plus having had FOG work perfectly before in two production environments, I can’t understand why it isn’t now, especially as I persisted across those also. Genuinely genuinely also not being snarky back, I am grateful for the help.

    I can live with the pre-splash hidden options for now and we can suck it up. It’s at least functional there which is what matters.

    If you get any insights do let me know as and when.

    Thanks again George.

  • Moderator

    @jra said in Securing FOG Boot Options?:

    Especially as it has persisted across two versions of Ubuntu and two versions of FOG also

    My intent isn’t to be snarky here but stating fact. You are also persistent between the installs and menu fails. I’ve had this issue with other things in the past too. We can’t rule out that the web ui is letting you do something that causes the advanced menu to fail. I’ll see if I can duplicate this on my dev box later tonight. I have not needed the advanced menu so I don’t have any experience with it.


  • @george1421

    Ok very strange then. Especially as it has persisted across two versions of Ubuntu and two versions of FOG also. I’ve never seen it before either, FOG’s just always been kinda “ok” to set up.

    How do I proceed though? I’m a bit stuck on what to do.

  • Moderator

    @jra Well this is interesting and unexpected.

    From the second URL, it looks like something injected the chain at the head of the menu and its calling advanced.php as in the first url I gave you.

    #!ipxe
    set fog-ip 10.134.60.60
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    >> chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    

    Now the first URL I gave you only returned this:

    #!ipxe
    

    Which is an incomplete ipxe menu. So I’m wondering if you have something not configured correctly for the advanced menu. Again I don’t use the advanced menu so I can’t tell you what is wrong, but I can tell you from an iPXE standpoint that is not a complete ipxe script because there is nothing to do here.


  • @george1421

    @george1421 said in Securing FOG Boot Options?:

    http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

    Hehe, think we crossed edits there!

    From the first edit url I only have:

    #!ipxe

    From the second edit url I have:

    #!ipxe
    set fog-ip 10.134.60.60
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    chain -ar http://10.134.60.60/fog/service/ipxe/advanced.php
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    item --gap Host is NOT registered!
    item --gap – -------------------------------------
    item fog.local Boot from hard disk
    item fog.multijoin Join Multicast Session
    item fog.advancedlogin Advanced Menu fog.advancedlogin
    choose --default fog.local --timeout 5000 target && goto ${target}
    :fog.local
    sanboot --no-describe --drive 0x80 || goto MENU
    :fog.multijoin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param sessionJoin 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.advancedlogin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param advLog 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :bootme
    chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
    goto MENU
    autoboot

  • Moderator

    @jra OK I’m going to send you back to the well with new info. Now instead of using boot.php lets use advanced.php

    Edit: Wait don’t do this I need to fix the url: http://<fog_server_ip>/fog/service/ipxe/advanced.php?mac=00:00:00:00:00:00

    Edit2: OK lets use this URL: http://10.134.60.60/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00&arch=x86_64&username=fog&password=password&advLog=1

    You need to change the username and password values to match what is correct for your fog server. This above url should generate the advanced menu, where the chain is failing.


  • @george1421 Thanks much there.

    Not sure if it’s because of the rendering of it specifically, but confirming I do only see that using the advanced menu options. If there were some way to obfuscate all the options students here would find “interesting” I’d certainly take it.

    Ok, so the message is as follows. I enter the username and password to access the advanced options and get this:

    alt text

    And the text from the URL is:

    *#!ipxe
    set fog-ip 10.134.60.60
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://10.134.60.60/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    item --gap Host is NOT registered!
    item --gap -- -------------------------------------
    item fog.local Boot from hard disk
    item fog.multijoin Join Multicast Session
    item fog.advancedlogin Advanced Menu fog.advancedlogin
    choose --default fog.local --timeout 5000 target && goto ${target}
    :fog.local
    sanboot --no-describe --drive 0x80 || goto MENU
    :fog.multijoin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param sessionJoin 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :fog.advancedlogin
    login
    params
    param mac0 ${net0/mac}
    param arch ${arch}
    param username ${username}
    param password ${password}
    param advLog 1
    isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
    isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
    param sysuuid ${uuid}
    :bootme
    chain -ar http://10.134.60.60/fog/service/ipxe/boot.php##params ||
    goto MENU
    autoboot*
    

    Any clues in all that?

    Cheers again for the help.

    Also DHCP server is a HyperV VM on server 2012R2.

  • Moderator

    @jra If you could post a screen shot of the error because the context of the error is almost as helpful as the error itself.

    So the error is because of the rendering of the advanced menu? Since I have not worked with the advanced menu at all I don’t know exactly where to drive. BUT I can say if you point a browser at http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=00:00:00:00:00:00 That will send the programming language behind the iPXE menu. Lets start by posting that results here for the next steps.

    undionly.kpxe vs ipxe.efi. This file needs to be sent correctly based on the target computer that is pxe booting. SO, let me ask you what device is your dhcp server (mfg and model)?


  • @george1421 I’m hiding the option to image etc PCs behind the Advanced login options (this is a school so kids will delight themselves imaging or b0rking PCs all day if it’s not locked down a bit.)

    Logging in to the advanced options from the PXE/background image splash screen menu options bring the chainloading message up. Across now two versions of FOG and Ubuntu server.

    Never seen it before on any network.

    undionly.kpxe is in DHCP as ipxe.pxe just sits at a prompt for a tftp server (?) - however entering the IP of the FOG server and continuing I get the same chainloading message. If that’s even a hint.

    Thanks much for the reply there.

  • Moderator

    @jra said in Securing FOG Boot Options?:

    What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

    You get this when the iPXE menu first comes up? When or what action causes the chain loading error?


  • Previously had FOG working on 18.04 on a former network so reinstalled the server from scratch.

    That ran 1.5.7 so I installed that version of FOG also.

    I am now proficient enough (sorta) to hide the menu options behind the Advanced login by setting the options in the iPXE Menu Customization page in the web gui.

    What is KILLING me though is I still get the same stupid thing; “Chainloading failed, hit ‘s’ for the iPXE shell”

    Has anyone got even the first idea where to start with this?

    Thanks hugely if you can help me out. It’s not been an awesome day.


  • Ok getting a little further with it, but think on the other hand it’s getting ever more broken.

    I can hide the PXE menu (although I really do want my nice little splash screen background image back to be honest) but setting a key (eg F9) to bring up the PXE options, logging in to the prompt which appears I get a chainloading error and it boots to first disk.

    Is there any way to fix this and to hide all the menu options behind a single login option on the splash screen instead?

    Thanks all.

335
Online

9.1k
Users

15.7k
Topics

145.8k
Posts