The tale of two client programs
-
It would be nice to have a server-agnostic heartbeat client that could be pre-installed to an image, instead of the full-blown server-tied client.
Then the FOG server on that subnet would pick up that ping and list those machines that don’t have the full client installed. This would then allow the technician to be able to push the client on to those machines via the web interface at their convenience.
-
Joe Schmitt Senior Developerlast edited by Joe Schmitt Jul 28, 2016, 10:54 AM Jul 28, 2016, 4:48 PM
Nope. If it was server agnostic then what we have created is a rootkit capable of being hijacked by anyone.
What would be better is if you setup your certificate heirachy. In an ideal world (I.e. fog 2.0) storage nodes would receive a key from the server that allows clients to connect directly to it. For 1.3.0 you would need to manually set it up so all storage nodes have the same root CA keg and then call the SSL regen command. You could also setup intermediate CA keys for the storage nodes if you wanted to do it properly and remove some of the security issues of the desribed method above.
-
@Joe-Schmitt a write up on that would be great. I want to do this at work, I’ll work on it.
-
So the server name is entirely irrelevant to the key data that is saved to the client ? The name is only used to direct the installer to where to fetch the key from?
-
@sudburr Yep. Name or IP.
-
@Joe-Schmitt What if the heartbeat responder was password protected ?
-
At that point it would be adding complexity for the sake of complexity. If you could mass deploy the heartbeat then you can mass deploy a script to install the client.
-
This post is deleted! -
@sudburr I can see that post you removed, It uses TCP.
Also, see here:
https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_ServerThat is oriented for migrating to a new server, but it’s the same thing to just move certs to another server for use there too.