fogman4

fogman4

Thank you for your response as always it’s fast and relevant.
As you notice english’s not my native language i’ll try to be clear.

There are 2 differents servers: old one (deb10) and new one (deb11) . I installed a fresh new Debian 11 OS on a VM to do some tests on another facility. I keep the older (debian 10) fog server on the main site.
Debian 11 is the OS of the FOG server 1.5.9 119. The target comptuter is booting a ubuntu 20.04.3 iso via NFS.
I’m automating installing Ubuntu 20.04.3 with (debian) preseed which works like a charm on the older server. I’m not confortable with doing image capture/deploy with ubuntu. I want to keep control over specific setting for several workstations whithout doing a capture/deploy cycle each time i do some tests.

You’re right it’s a redirection and you know what ? I’m a complete dumbass :

diff 001-fog.conf 001-fogm.conf

5,6c5,7
<     ServerName 192.168.1.200
<     ServerAlias fogdeb10.ad.atdqm.tech
---
>     KeepAlive Off
>     ServerName 10.17.1.220
>     ServerAlias fogm.ad.atdqm.tech
8,13c9,14
<     RewriteEngine Off
< #    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
< #    RewriteRule .* - [F]
< #    RewriteRule /management/other/ca.cert.der$ - [L]
< #    RewriteCond %{HTTPS} off
< #    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
---
>     RewriteEngine On
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>     RewriteRule /management/other/ca.cert.der$ - [L]
>     RewriteCond %{HTTPS} off
>     RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
20,21c21,22
<     ServerName 192.168.1.200
<     ServerAlias fogdeb10.ad.atdqm.tech
---
>     ServerName 10.17.1.220
>     ServerAlias fogm.ad.atdqm.tech
24c25
<     SSLProtocol all -SSLv3 +TLSv1.3
---
>     SSLProtocol all -SSLv3 -SSLv2

I got the exact same problem few times ago and you and @Sebastian-Roth already helped me out !

Right here :

https://forums.fogproject.org/topic/15760/uefi-boot-pxe-preseed-ubuntu20-04-via-nfs-with-https-preseed?_=1641557754413

I just adapt the the apache conf of new FOG and it works perfectly ! Now i just feel stupid.

Thank you very much and sorry for the convenience.

Best regards.

fogman4

@george1421 : Thank you very much.

In fact i’m used to regular pxe server and we use fog mostly for the cloning feature for windows Workstations.

To deal with Ubuntu workstations i like to do iso booting + pxe , this way i can mix/test configurations (preseed.cfg) of installation process quickly/easily directly from our gitea.

By the way i use fog as the main pxe server even for servers with debian based installations.

After this part of deployment ansible is the king of the hill to do all basics/complex tasks.

Can i modify the topic’s title with SOLVED ? Can i edit my posts to remove the domain’s informations ?

Regards.

fogman4

I tried to change my apache conf from :

<VirtualHost *:80>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    KeepAlive Off
    ServerName 192.168.1.200
    ServerAlias fog-pi.ad.atdqm.tech
    DocumentRoot /var/www/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 192.168.1.200
    ServerAlias fog-pi.ad.atdqm.tech
    DocumentRoot /var/www/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
#    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder On
    SSLCertificateFile /var/www/fog//management/other/ssl/srvpublic.crt
    SSLCertificateKeyFile /opt/fog/snapins/ssl//.srvprivate.key
    SSLCACertificateFile /var/www/fog//management/other/ca.cert.pem
    <Directory /var/www/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>

by allowing all cipher/algo with this

SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

didn’t work.

fogman4

thanks @Tom-Elliott for your answer.

I’m confused i think i did not explained my problem clearly.

Debian 12 is my fog server 192.168.1.200

It serves ubuntu iso’s files via nfs , kernels initramfs via tftp and preseed via http(s).

Ubuntu are workstations i need to deploy Ubuntu iso files are on nfs si i don’t really understand.

Should i copy the fog ca in the iso’s nfs directory ?

Looks weird because i never needed this.

My browser works flawlessly with the certificate.

The only problem is when the boot option tries to get the preseed file via https.

the folder /opt/fog/snapins/ssl contains :

drwxrwxrwx 3 fogproject www-data 4,0K  4 juin   2020 .
drwxrwxrwx 3 fogproject www-data 4,0K  4 juin   2020 ..
drwxrwxrwx 2 fogproject www-data 4,0K  4 juin   2020 CA
-rwxrwxrwx 1 fogproject www-data   98 22 avril 14:13 ca.cnf
-rwxrwxrwx 1 fogproject www-data 1,7K  4 juin   2020 fog.csr
-rwxrwxrwx 1 fogproject www-data  232  4 juin   2020 req.cnf
-rwxrwxrwx 1 fogproject www-data 3,2K  4 juin   2020 .srvprivate.key

If i need to regenerate cert i don’t want to mess somewhere.

i tried to copy the file : /opt/fog/snapins/ssl/CA/.fogCA.pem in /etc/ssl/certs/ and /usr/local/share/ca-certificates/ on the server and update-ca-certificates with no success.

i’m puzzled. Maybe it’s an algorith problem as openssl seems to warn

fogman4

@george1421

sorry for the years delay . i ended up by setting http:// instead of https:// and it worked.

fogman4

Re : UEFI boot pxe preseed Ubuntu20.04 via NFS with https preseed.

Hey folks hope you’re doing well

I got this problem with my fog server.

I upgraded debian 10 > 11 > 12 apache is not happy with the CA.

I reinstalled fog using the already existing .fogsettings and fog seems ok as i access the Webui via https without problem.

now i got this error when trying to deploy a custom ipxe menu

here is the menu :

kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOY1 domain=my.super.domain automatic-ubiquity url=https://${fog-ip}/autoinstall/ubuntu/ubiseed_20_all.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
boot || goto MENU

the preseed need to be fetched via https but fails :

ERROR : cannot verify 192.168.1.200's certificate, issued by 'CN=FOG Server CA'

on apache logs i have :

[Mon Apr 22 16:58:18.308677 2024] [ssl:info] [pid 17451] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
[Mon Apr 22 16:58:18.308736 2024] [ssl:info] [pid 17451] [client 192.168.1.133:50613] AH01998: Connection closed to child 2 with abortive shutdown (server 192.168.1.200:443)
[Mon Apr 22 16:58:18.322694 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH01964: Connection to child 3 established (server 192.168.1.200:443)
[Mon Apr 22 16:58:18.323173 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH02008: SSL library error 1 in handshake (server 192.168.1.200:443)

Do i need to regenerate certificates on fog ?

when i do a wget from any client :

wget --connect-timeout=5 -c http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/

i have :

--2024-04-22 17:21:32--  http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg [following]
--2024-04-22 17:21:32--  https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:443... connected.
ERROR: The certificate of ‘192.168.1.200’ is not trusted.
ERROR: The certificate of ‘192.168.1.200’ doesn't have a known issuer.

if i try with :

wget --no-check-certificate --connect-timeout=5 -c https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/

it works.

--2024-04-22 17:24:21--  https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:443... connected.
WARNING: The certificate of ‘192.168.1.200’ is not trusted.
WARNING: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 24414 (24K)
Saving to: ‘Downloads/ubiseed_20_all.cfg’

If some wizard passing by could give me some hints it would be terrific.

Thanks

fogman4

@george1421 : Thank you very much.

In fact i’m used to regular pxe server and we use fog mostly for the cloning feature for windows Workstations.

To deal with Ubuntu workstations i like to do iso booting + pxe , this way i can mix/test configurations (preseed.cfg) of installation process quickly/easily directly from our gitea.

By the way i use fog as the main pxe server even for servers with debian based installations.

After this part of deployment ansible is the king of the hill to do all basics/complex tasks.

Can i modify the topic’s title with SOLVED ? Can i edit my posts to remove the domain’s informations ?

Regards.

fogman4

@george1421 : Hi George

Thank you for your response as always it’s fast and relevant.
As you notice english’s not my native language i’ll try to be clear.

There are 2 differents servers: old one (deb10) and new one (deb11) . I installed a fresh new Debian 11 OS on a VM to do some tests on another facility. I keep the older (debian 10) fog server on the main site.
Debian 11 is the OS of the FOG server 1.5.9 119. The target comptuter is booting a ubuntu 20.04.3 iso via NFS.
I’m automating installing Ubuntu 20.04.3 with (debian) preseed which works like a charm on the older server. I’m not confortable with doing image capture/deploy with ubuntu. I want to keep control over specific setting for several workstations whithout doing a capture/deploy cycle each time i do some tests.

You’re right it’s a redirection and you know what ? I’m a complete dumbass :

diff 001-fog.conf 001-fogm.conf

5,6c5,7
<     ServerName 192.168.1.200
<     ServerAlias fogdeb10.ad.atdqm.tech
---
>     KeepAlive Off
>     ServerName 10.17.1.220
>     ServerAlias fogm.ad.atdqm.tech
8,13c9,14
<     RewriteEngine Off
< #    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
< #    RewriteRule .* - [F]
< #    RewriteRule /management/other/ca.cert.der$ - [L]
< #    RewriteCond %{HTTPS} off
< #    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
---
>     RewriteEngine On
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>     RewriteRule /management/other/ca.cert.der$ - [L]
>     RewriteCond %{HTTPS} off
>     RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
20,21c21,22
<     ServerName 192.168.1.200
<     ServerAlias fogdeb10.ad.atdqm.tech
---
>     ServerName 10.17.1.220
>     ServerAlias fogm.ad.atdqm.tech
24c25
<     SSLProtocol all -SSLv3 +TLSv1.3
---
>     SSLProtocol all -SSLv3 -SSLv2

I got the exact same problem few times ago and you and @Sebastian-Roth already helped me out !

Right here :

https://forums.fogproject.org/topic/15760/uefi-boot-pxe-preseed-ubuntu20-04-via-nfs-with-https-preseed?_=1641557754413

I just adapt the the apache conf of new FOG and it works perfectly ! Now i just feel stupid.

Thank you very much and sorry for the convenience.

Best regards.

fogman4

Hi there.

First i need to thanks all team,devs and enthousiats volounteers participating and helping this great project.

I managed to boot Ubuntu 20.04.3 via NFS/HTTPS with UEFI (BTRFS + apt-btrfs-snapshots) (LUKS OR NOT) with a fully automated preseed/postinstall.sh

Here are the files :

The menu :

kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOYX-ATD domain=ad.atdqm.tech automatic-ubiquity url=http://${fog-ip}/autoinstall/ubuntu/ubiseed_20_nvme.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
boot || goto MENU

The Preseed

# Scripté par votre serviteur Val durant un apres-midi de printemps.
# version 0.8
# TODO 
# REDUIR TEMPS GRUB
# AJOUTER COMMANDE PAM MKHOME

# Il s'agit d'automatiser une installation d' Uuntu 20.04.2 Desktop à destination des desktops et laptops du mouvement.
# Certaines informations manquent et des tests sont en cour.
# On pourrait utiliser Packer , Vagrant, Ansible , toussa mais pour le moment on fait un preseed assez simple sans jonction à l'AD mais avec les
# paquets qui vont bien.
# On pourrait aussi utiliser autoinstall du cloud-init en yaml mais c'est compatible uniquement avec la version server . Pourquoi ? je n'en ai absolument aucune idée.
# À terme nous prevoyons deux autres preseed apres des tests: 
# Un pour des laptop (chiffrement luks)  avec/sans jonction AD
# Un pour machines virtuelles avec jonction AD
# Enjoy ! 


# À partir du moment ou le preseed est lu on peut directement executer une commande
# This first command is run as early as possible, just after
# preseeding is read.
#d-i preseed/early_command string anna-install some-udeb


### Unattended Installation
d-i auto-install/enable boolean true
d-i debconf/priority select critical

# 1 - ### Localization

# Preseeding only locale sets language, country and locale.
# On setup la locale qui s'occupe de language, country and locale.
d-i debian-installer/locale string fr_FR.UTF-8
d-i localechooser/supported-locales multiselect fr_FR.UTF-8
# Keyboard selection.
# Disable automatic (interactive) keymap detection.
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select fr

# 2 -  ### Network configuration

# On active la conf reseau bah oui on est en pxe les copains. Il faut que la plage IP et les DNS soient good !

d-i netcfg/enable boolean true

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select eth1

# À tricker au cas ou la conf auto ne passe pas.

# To set a different link detection timeout (default is 3 seconds).
# Values are interpreted as seconds.
d-i netcfg/link_wait_timeout string 10

# En cas de DHCP molasson on definit un timeout (en secondes) 
 
#d-i netcfg/dhcp_timeout string 60
#d-i netcfg/dhcpv6_timeout string 60

# If you prefer to configure the network manually, uncomment this line and
# the static network configuration below.
#d-i netcfg/disable_autoconfig boolean true

# If you want the preconfiguration file to work on systems both with and
# without a dhcp server, uncomment these lines and the static network
# configuration below.
#d-i netcfg/dhcp_failed note
#d-i netcfg/dhcp_options select Configure network manually

# Static network configuration.
#
# IPv4 example
#d-i netcfg/get_ipaddress string 192.168.1.42
#d-i netcfg/get_netmask string 255.255.255.0
#d-i netcfg/get_gateway string 192.168.1.1
#d-i netcfg/get_nameservers string 192.168.1.1
#d-i netcfg/confirm_static boolean true
#
# IPv6 example
#d-i netcfg/get_ipaddress string fc00::2
#d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
#d-i netcfg/get_gateway string fc00::1
#d-i netcfg/get_nameservers string fc00::1
#d-i netcfg/confirm_static boolean true

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string DEPLOYX-ATD
#d-i netcfg/get_domain string unassigned-domain

d-i netcfg/get_domain string ad.atdqm.tech

# If you want to force a hostname, regardless of what either the DHCP
# server returns or what the reverse DNS entry for the IP is, uncomment
# and adjust the following line.
#d-i netcfg/hostname string somehost

# Disable that annoying WEP key dialog.
d-i netcfg/wireless_wep string
# The wacky dhcp hostname that some ISPs use as a password of sorts.
#d-i netcfg/dhcp_hostname string radish

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.

# Cette directive est à adapter selon les experiences rencontrées avec le hardware du parc.
d-i hw-detect/load_firmware boolean false

### Network console
# Use the following settings if you wish to make use of the network-console
# component for remote installation over SSH. This only makes sense if you
# intend to perform the remainder of the installation manually.
#d-i anna/choose_modules string network-console
#d-i network-console/authorized_keys_url string http://10.0.0.1/openssh-key
#d-i network-console/password password r00tme
#d-i network-console/password-again password r00tme

# Use this instead if you prefer to use key-based authentication
#d-i network-console/authorized_keys_url http://host/authorized_keys

# 3 -### Mirror settings

# If you select ftp, the mirror/country string does not need to be set.

#d-i mirror/protocol string ftp

#d-i mirror/country string france
#d-i mirror/http/hostname string fr.archive.ubuntu.com
#d-i mirror/http/directory string /ubuntu
#d-i mirror/http/proxy string



### Lorsque notre apt -cacher-ng sera installé precisez l'addresse ici.
#d-i mirror/http/proxy string https://apt-cacher-ng:3184/


# Alternatively: by default, the installer uses CC.archive.ubuntu.com where
# CC is the ISO-3166-2 code for the selected country. You can preseed this
# so that it does so without asking.

# On utilise le depot par defaut en FR
d-i mirror/http/mirror select fr.archive.ubuntu.com

# Suite to install.
# TODO Incomprehensible que les dev d'ubuntu n'aient pas updaté cette valeur stretch pour la 20.04 ?

#d-i mirror/suite string focal

# Suite to use for loading installer components (optional).
#d-i mirror/udeb/suite string focal

# Components to use for loading installer components (optional).

# On balance les depots universe et multiverse en plus pour que notre preseed sache ou aller taper.
d-i mirror/udeb/components multiselect main, restricted, universe, multiverse

# 5 - ### Account setup


### Account setup
# Skip creation of a root account (normal user account will be able to
# use sudo). The default is false; preseed this to true if you want to set
# a root password.


d-i passwd/root-login boolean false
# Alternatively, to skip creation of a normal user account.
d-i passwd/make-user boolean true

# Root password, either in clear text
#d-i passwd/root-password password r00tme
#d-i passwd/root-password-again password r00tme
# or encrypted using a crypt(3)  hash.
#d-i passwd/root-password-crypted password [crypt(3) hash]

# Nous specifions le local admin pour acces à l'interface graphique en cas de depannage sans A.D (SSSD)



# To create a normal user account.
d-i passwd/user-fullname string admin6
d-i passwd/username string admin6
d-i passwd/user-uid string 980

# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure

# or encrypted using a crypt(3) hash.
#d-i passwd/user-password-crypted password [crypt(3) hash]
d-i passwd/user-password-crypted password $6$1SJtgvACAbAK$RbIwXeRozK7OWXxYvFiHYJphPoRtbbouXjM2XtTf0UZZyZcFx4boNg2B0BGZl0b8LqecuhnaXPX8apyRuxxmG/

# Create the first user with the specified UID instead of the default.

# On cree un user sous le GID 1000 afin qu'il n'apparaisse pas dans gdm.
#d-i passwd/user-uid string 888

# The installer will warn about weak passwords. If you are sure you know
# what you're doing and want to override it, uncomment this.
d-i user-setup/allow-password-weak boolean true

# The user account will be added to some standard initial groups. To
# override that, use this.

# On ajoute l'user à netdev et sudo juste comme ça pour le fun.
d-i passwd/user-default-groups string audio cdrom video netdev sudo users lpadmin

# Set to true if you want to encrypt the first user's home directory.

# TODO on test mais on y croit pas . 
d-i user-setup/encrypt-home boolean false

### Clock and time zone setup
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true

# You may set this to any valid setting for $TZ; see the contents of
# /usr/share/zoneinfo/ for valid values.
d-i time/zone string Europe/Paris

# Controls whether to use NTP to set the clock during the install
d-i clock-setup/ntp boolean true

# NTP server to use. The default is almost always fine here.
# TODO trouver le ntp qui va bien.
d-i clock-setup/ntp-server string server 0.fr.pool.ntp.org

### i386 specific disk storage
# Activate DASD disks
#d-i s390-dasd/dasd string 0.0.0200,0.0.0300,0.0.0400

# DASD configuration; by default dasdfmt (low-level format) if needed
#d-i s390-dasd/auto-format boolean true
#d-i s390-dasd/force-format boolean true

# zFCP activation and configuration
# d-i s390-zfcp/zfcp string 0.0.1b34:0x400870075678a1b2:0x201480c800000000, \
#                           0.0.1b34:0x400870075679a1b2:0x201480c800000000


# 5 - Partitionnement

# This command is run immediately before the partitioner starts. It may be
# useful to apply dynamic partitioner preseeding that depends on the state
# of the disks (which may not be visible when preseed/early_command runs).
#d-i partman/early_command \
#       string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
#d-i partman/early_command \
#       string sgdisk -Z /dev/vda

## Partitioning example
# If the system has free space you can choose to only partition that space.
# This is only honoured if partman-auto/method (below) is not set.
# Alternatives: custom, some_device, some_device_crypto, some_device_lvm.
#d-i partman-auto/init_automatically_partition select biggest_free

# Alternatively, you may specify a disk to partition. If the system has only
# one disk the installer will default to using that, but otherwise the device
# name must be given in traditional, non-devfs format (so e.g. /dev/sda
# and not e.g. /dev/discs/disc0/disc).
# For example, to use the first SCSI/SATA hard disk:
#d-i partman-auto/disk string /dev/sda
# In addition, you'll need to specify the method to use.
# The presently available methods are:
# - regular: use the usual partition types for your architecture
# - lvm:     use LVM to partition the disk
# - crypto:  use LVM within an encrypted partition
d-i partman-auto/method string regular

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...

# Si il y a deja un lvm dans le cadre d'une reinstallation on vire les avertissements et on ecrase ! 

d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
#d-i partman-md/device_remove_md boolean true

# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true
#d-i partman-lvm/confirm_nooverwrite boolean true

# For LVM partitioning, you can select how much of the volume group to use
# for logical volumes.
#d-i partman-auto-lvm/guided_size string max
#d-i partman-auto-lvm/guided_size string 99%
#d-i partman-auto-lvm/guided_size string 50%

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home:   separate /home partition
# - multi:  separate /home, /var, and /tmp partitions

# Est-ce judicieux de separer le home ? Etant donné qu'on utilise le btrfs il gere lui-meme les subvolume donc pas besoin de multiplier les partitions btrfs.
# Nous ne separons pas le home


#d-i partman-auto/choose_recipe select atomic

# Or provide a recipe of your own...
# If you have a way to get a recipe file into the d-i environment, you can
# just point at it.
#d-i partman-auto/expert_recipe_file string /hd-media/recipe

# If not, you can put an entire recipe into the preconfiguration file in one
# (logical) line. This example creates a small /boot partition, suitable
# swap, and uses the rest of the space for the root partition:
d-i partman-auto/expert_recipe string                         \
      boot-root ::                                            \
              512 50 512 fat32                                  \
                      $primary{ } $bootable{ }                \
                      method{ efi } format{ }              \
                      mountpoint{ /boot/efi }                     \
              .                                               \
              500 10000 1000000000 btrfs                       \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ btrfs }    \
                      mountpoint{ / }                         \
              .                                               \
              8192 80 9000 linux-swap                          \
                      method{ swap } format{ }                \
              .

# If you just want to change the default filesystem from ext3 to something
# else, you can do that without providing a full recipe.

# On choisit le systeme de fichier par default. Le btrfs c'est bien.
#d-i partman/default_filesystem string btrfs


# The full recipe format is documented in the file partman-auto-recipe.txt
# included in the 'debian-installer' package or available from D-I source
# repository. This also documents how to specify settings such as file
# system labels, volume group names and which physical devices to include
# in a volume group.

# This makes partman automatically partition without confirmation, provided
# that you told it what to do using one of the methods above.

# Encore des confirmations sur le partitionnement
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
## Partitioning using RAID

# The method should be set to "raid".
#d-i partman-auto/method string raid
# Specify the disks to be partitioned. They will all get the same layout,
# so this will only work if the disks are the same size.
d-i partman-auto/disk string /dev/nvme0n1

# included in the 'debian-installer' package or available from D-I source
# repository.

# This makes partman automatically partition without confirmation.

## Controlling how partitions are mounted
# The default is to mount by UUID, but you can also choose "traditional" to
# use traditional device names, or "label" to try filesystem labels before
# falling back to UUIDs.
#d-i partman/mount_style select uuid

### Base system installation
# Configure a path to the preconfigured base filesystem. This can be used to
# specify a path for the installer to retrieve the filesystem image that will
# be deployed to disk and used as a base system for the installation.
d-i live-installer/net-image string /install/filesystem.squashfs
 
# Configure APT to not install recommended packages by default. Use of this
# option can result in an incomplete system and should only be used by very
# experienced users.
#d-i base-installer/install-recommends boolean false

# The kernel image (meta) package to be installed; "none" can be used if no
# kernel is to be installed.
#d-i base-installer/kernel/image string linux-generic

### Apt setup
# You can choose to install restricted and universe software, or to install
# software from the backports repository.
d-i apt-setup/restricted boolean true
d-i apt-setup/universe boolean true
d-i apt-setup/multiverse boolean true
d-i apt-setup/backports boolean true

# Uncomment this if you don't want to use a network mirror.
#d-i apt-setup/use_mirror boolean false

# Select which update services to use; define the mirrors to be used.
# Values shown below are the normal defaults.
d-i apt-setup/services-select multiselect security
d-i apt-setup/security_host string security.ubuntu.com
d-i apt-setup/security_path string /ubuntu

# Additional repositories, local[0-9] available
#On va preciser notre apt-cacher -ng qui a la meme addresse que notre FOG 0.200

#d-i apt-setup/local0/repository string \
#       http://local.server/ubuntu stretch main
#d-i apt-setup/local0/comment string local server
# Enable deb-src lines
#d-i apt-setup/local0/source boolean true
# URL to the public key of the local repository; you must provide a key or
# apt will complain about the unauthenticated repository and so the
# sources.list line will be left commented out
#d-i apt-setup/local0/key string http://local.server/key

# By default the installer requires that repositories be authenticated
# using a known gpg key. This setting can be used to disable that
# authentication. Warning: Insecure, not recommended.
#d-i debian-installer/allow_unauthenticated boolean true

# Uncomment this to add multiarch configuration for i386
#d-i apt-setup/multiarch string i386


### Package selection
#tasksel tasksel/first multiselect ubuntu-desktop
#tasksel tasksel/first multiselect lamp-server, print-server
#tasksel tasksel/first multiselect kubuntu-desktop


### On desactive totalement le module pkgsel/include car ces *** de dev d'ubiquity on viré ce module lorsqu'on installe en automatic ubiquity. Bien sur sans le documenter proprement.
# Shame on you bande de trous de balle !
# À la place on va utiliser ubiquity/success_command


# Individual additional packages to install

#d-i pkgsel/include string apt-btrfs-snapshot apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git gnome-shell-extensions gnome-terminal gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv netcat openssh-server pciutils python3.9 python3-distutils python3-distutils-extra realmd remmina samba scribus tmux ubuntu-desktop vim vlc wget x11-xserver-utils x2goclient



# Whether to upgrade packages after debootstrap.
# Allowed values: none, safe-upgrade, full-upgrade
#d-i pkgsel/upgrade select full-upgrade

# Language pack selection
#d-i pkgsel/language-packs multiselect de, en, zh

#d-i pkgsel/language-packs select fr

# Policy for applying updates. May be "none" (no automatic updates),
# "unattended-upgrades" (install security updates automatically), or
# "landscape" (manage system with Landscape).
#d-i pkgsel/update-policy select unattended-upgrades

# Some versions of the installer can report back on what software you have
# installed, and what software you use. The default is not to report back,
# but sending reports helps the project determine what software is most
# popular and include it on CDs.
#popularity-contest popularity-contest/participate boolean false

# By default, the system's locate database will be updated after the
# installer has finished installing most packages. This may take a while, so
# if you don't want it, you can set this to "false" to turn it off.
#d-i pkgsel/updatedb boolean true

### Boot loader installation
# Grub is the default boot loader (for x86). If you want lilo installed
# instead, uncomment this:
#d-i grub-installer/skip boolean true

# To also skip installing lilo, and install no bootloader, uncomment this
# too:
#d-i lilo-installer/skip boolean true

#ubiquity languagechooser/language-name string French
#ubiquity countrychooser/shortlist string FR
#ubiquity localechooser/supported-locales string fr_FR.UTF-8





# This is fairly safe to set, it makes grub install automatically to the MBR
# if no other operating system is detected on the machine.
d-i grub-installer/only_debian boolean true

# This one makes grub-installer install to the MBR if it also finds some other
# OS, which is less safe as it might not be able to boot that other OS.
#d-i grub-installer/with_other_os boolean true

# Due notably to potential USB sticks, the location of the MBR can not be
# determined safely in general, so this needs to be specified:
#d-i grub-installer/bootdev  string /dev/nvme0n1

# To install to the first device (assuming it is not a USB stick):
d-i grub-installer/bootdev string default



# Si l'installation ne fonctionne pas pour une raison ou pour une autre on lui demande de rebooter : 
#ubiquity/failure_command string
#systemctl reboot;


#ubiquity ubiquity/success_command string
#string ip link set up dev enp5s0;
#dhclient enp5s0;
#apt-get update -y;
#in-target apt-get install -y apt-btrfs-snapshot apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git gnome-shell-extensions gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv netcat openssh-server pciutils python python3-distutils python3-distutils-extra realmd remmina samba scribus tmux unattended-upgrades vim vlc wgetx12-xserver-utils x2goclient;


#ubiquity ubiquity/success_command string
#'sed '2 a dhcp=dhclient2' /target/etc/NetworkManager/NetworkManager.conf';
#echo 'yeah';



#
#
# Alternatively, if you want to install to a location other than the mbr,
# uncomment and edit these lines:
#d-i grub-installer/only_debian boolean false
#d-i grub-installer/with_other_os boolean false
#d-i grub-installer/bootdev  string (hd0,1)

# To install grub to multiple disks:
#d-i grub-installer/bootdev  string (hd0,1) (hd1,1) (hd2,1)

# Optional password for grub, either in clear text
#d-i grub-installer/password password r00tme
#d-i grub-installer/password-again password r00tme

# or encrypted using an MD5 hash, see grub-md5-crypt(8).
#d-i grub-installer/password-crypted password [MD5 hash]

# Use the following option to add additional boot parameters for the
# installed system (if supported by the bootloader installer).
# Note: options passed to the installer will be added automatically.
#d-i debian-installer/add-kernel-opts string nousb

### Finishing up the installation
# During installations from serial console, the regular virtual consoles
# (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
# line to prevent this.
d-i finish-install/keep-consoles boolean true

# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note

# Custom command si lancé avec automatic-ubiquity
ubiquity ubiquity/success_command string \
mkdir -p /target/home/admin6/.ssh; \
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1BV32184AAIGcgTW5wqCc0o8b4qtKjXwoIP/5Zmu/lSmuA0nNZ4uOS' >> /target/home/admin6/.ssh/authorized_keys; \
chmod -R 700 /target/home/admin6/.ssh; \
chmod -R 600 /target/home/admin6/.ssh/authorized_keys; \
chown -R 1000:1000 /target/home/admin6/.ssh; \
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config; \
sed -i 's/#PermitRootLogin prohibit-password/#PermitRootLogin no/' /etc/ssh/sshd_config; \
#echo 'admin6 ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/99_admin6; \
sed -i '3idhcp=dhclient' /target/etc/NetworkManager/NetworkManager.conf; \
sed -i 's/MaxAge=90/MaxAge=7/g' /target/etc/cron.weekly/apt-btrfs-snapshot; \
mkdir -p /target/root; \
wget --no-check-certificate -c 'https://192.168.1.200/fog/autoinstall/ubuntu/postinstall.sh' -P /target/root; \
chmod +x /target/root/postinstall.sh; \
echo '@reboot root bash /root/postinstall.sh >> /var/log/postinstall.log 2>&1' >> /target/etc/crontab;
#sed -i -e 's/dhcp=dhclient/#dhcp=dhclient/' /target/etc/NetworkManager/NetworkManager.conf \
#sed -i -e 's/dns=dnsmasq/#dns=dnsmasq/' /target/etc/NetworkManager/NetworkManager.conf ;\
#in-target apt install openssh-sftp-server;


# This will prevent the installer from ejecting the CD during the reboot,
# which is useful in some situations.
d-i cdrom-detect/eject boolean true
d-i debian-installer/splash boolean false

d-i debian-installer/exit/poweroff boolean true

# This is how to make the installer shutdown when finished, but not
# reboot into the installed system.
#d-i debian-installer/exit/halt boolean true
# This will power off the machine instead of just halting it.
#d-i debian-installer/exit/poweroff boolean true

### Preseeding other packages
# Depending on what software you choose to install, or if things go wrong
# during the installation process, it's possible that other questions may
# be asked. You can preseed those too, of course. To get a list of every
# possible question that could be asked during an install, do an
# installation, and then run these commands:
#   debconf-get-selections --installer > file
#   debconf-get-selections >> file


#### Advanced options
### Running custom commands during the installation
## i386 Preseed Example
# d-i preseeding is inherently not secure. Nothing in the installer checks
# for attempts at buffer overflows or other exploits of the values of a
# preconfiguration file like this one. Only use preconfiguration files from
# trusted locations! To drive that home, and because it's generally useful,
# here's a way to run any shell command you'd like inside the installer,
# automatically.


# This command is run immediately before the partitioner starts. It may be
# useful to apply dynamic partitioner preseeding that depends on the state
# of the disks (which may not be visible when preseed/early_command runs).
#d-i partman/early_command \
#       string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"

# This command is run just before the install finishes, but when there is
# still a usable /target directory. You can chroot to /target and use it
# directly, or use the apt-install and in-target commands to easily install
# packages and run commands in the target system.
#d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh

The quite simple postinstall.sh script :

#!/bin/bash
dhclient
echo "Waiting for Internet ..."
while ! timeout 0.2 ping -c 1 -n 9.9.9.9 &> /dev/null
do
	    printf "%c" "."
    done
    echo "OK"
# Instal The stuff
	notify-send --expire-time=25 "Votre systeme applique son script de postinstallation"
	apt update
	apt install -y apt-btrfs-snapshot python3-distutils
	apt install -y --allow-downgrades sssd-ad-common=2.2.3-3 sssd-ad=2.2.3-3 sssd-common=2.2.3-3 sssd-dbus=2.2.3-3 sssd-ipa=2.2.3-3 sssd-kcm=2.2.3-3 sssd-krb5-common=2.2.3-3 sssd-krb5=2.2.3-3 sssd-ldap=2.2.3-3 sssd-proxy=2.2.3-3 sssd-tools=2.2.3-3 sssd=2.2.3-3 libsss-idmap0=2.2.3-3 libipa-hbac0=2.2.3-3 libsss-idmap0=2.2.3-3 python3-sss=2.2.3-3
	apt-mark hold sssd-ad-common=2.2.3-3 sssd-ad=2.2.3-3 sssd-common=2.2.3-3 sssd-dbus=2.2.3-3 sssd-ipa=2.2.3-3 sssd-kcm=2.2.3-3 sssd-krb5-common=2.2.3-3 sssd-krb5=2.2.3-3 sssd-ldap=2.2.3-3 sssd-proxy=2.2.3-3 sssd-tools=2.2.3-3 sssd=2.2.3-3 libsss-idmap0=2.2.3-3 libipa-hbac0=2.2.3-3 libsss-idmap0=2.2.3-3 python3-sss=2.2.3-3
	apt install -y apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git glances gnome-shell-extensions gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv nautilus-nextcloud netcat nextcloud-desktop openssh-server pciutils python3.9 python3-distutils-extra realmd remmina samba scribus tmux vim vlc wget x11-xserver-utils x2goclient x2goserver
   	wget --no-check-certificate -c 'https://192.168.1.200/fog/autoinstall/ubuntu/99-wlan' -P /etc/NetworkManager/dispatcher.d
   	systemctl disable --now cups-browsed
	notify-send -u critical "Votre systeme va redemarrer et sera pret Enjoy !"
   	apt install -y krb5-user samba cifs-utils smbclient adcli
# Remove from crontab
    	sed -i '$d' /etc/crontab
    	reboot
    	exit 0

It worked like a charm on Debian 10.11 with FOG 1.5.9

I tried the exact same configuration on Debian 11.2 with FOG 1.5.9.114

I got this error on the client :

Error cannot verify [...] certificate issued by CN=FOG Server CA

and this in apache2 logs :

10.17.1.220:80 10.17.3.171 - - [07/Jan/2022:10:58:05 +0100] "GET /autoinstall/ubuntu/ubiseed_20_vm.cfg HTTP/1.1" 302 563 "-" "Wget/1.20.3 (linux-gnu)"

EDIT : Forgot to say i can DL the file from a client on the network with :

wget --no-check-certificate https://10.17.1.220:/autoinstall/ubuntu/ubiseed_20_vm.cfg

i got :

--2022-01-07 12:15:28--  https://10.17.1.220/autoinstall/ubuntu/ubiseed_20_vm.cfg                                                                                                             
Connexion vers 10.17.1.220:443... connecté.                                                                                                                                                   
AVERTISSEMENT : impossible de vérifier l'attribut 10.17.1.220 du certificat, émis par «CN=FOG Server CA» :
  Récupération d'un certificat auto-signé.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : 26567 (26K)
Enregistre : «ubiseed_20_vm.cfg»

Wich means it could’nt verify the self signed attribute but however result with a 200 OK .

I thought it can be some minor changes i need to do and looking for a clue or some good advice here.

Thanks fellows.

Have a nice day.

fogman4

Thanks it saved my day.

fogman4

Ok just changed my site-ebabled with

@george1421 said in UEFI boot pxe preseed Ubuntu20.04 via NFS with https preseed.:

/tftpboot/default.ipxe

Yes it does :

chain https://192.168.1.200/fog/service/ipxe/boot.php##params

I just managed to make it work :

I commented disabled rewrite in apache conf

/etc/apache2/sites-enabled/001-fog.conf

    RewriteEngine Off
#    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
#    RewriteRule .* - [F]
#    RewriteRule /management/other/ca.cert.der$ - [L]
#    RewriteCond %{HTTPS} off
#    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]

systemctl restart apache2

And now it can download the preseed via http !

Thank you very much @george1421 for the really good pointers as always.

fogman4

@george1421 said in UEFI boot pxe preseed Ubuntu20.04 via NFS with https preseed.:

http://<fog_server_ip>/autoinstall/ubuntu/ubiseed_20_w.cfg

Yes i think i enabled it during installation.

I really like accessing FOG webUI via https because we got not VLAN here (i know my bad)

Is there a way to properly disable it to do some test without breaking any fog confs or encounter side effects ? Or just disable the Rewrite ?

Thank you @george1421

fogman4

@fogman4

Best posts made by fogman4

Latest posts made by fogman4