RE: Status of NFSv4

@george1421 Thanks! I wonder if a chat bot could help with reading through what worked and make a tutorial.

@george1421 I’ve been reading through it but it all looks like a conversation/experimentation/testing more than a tutorial on how to get it working in FOG. I saw a link from that thread to getting NFSv4 set up on Linux but to get it to work in FOG is the key I need. Was there a specific post or posts that show how exactly you got it working?

I didn’t want to necro the “Feature Request NFSv4…” post. Has anyone successfully got NFSv4 to work properly with capturing and deployment?

@Tom-Elliott said in Hide/Secure FOG Client download page:

Private key is built to the client at install time. The Public server ca cert is pulled at install time

This is what I was unclear about. I thought the installer already had FOG’s private key. So each client gets its own private key?

I noticed the page/url where you can download the FOG client isn’t locked behind a login/auth so in case anyone is looking to lock it you can add these lines to /etc/apache2/apache2.conf:

# Restrict access to FOG Client
<Location "/fog/client/download.php">
    Require ip <*ip or subnet/mask*>
    Require all denied
</Location>

# Hide Server info
ServerTokens Prod
ServerSignature Off

Restart apache2 service after making changes to apache2.conf

What this will do is restrict access to the FOG Client downloads to specific IP or subnet. I have mine restricted to my lab/imaging network. I don’t think it is a good idea to have this download available to all production network users. I’m not 100% sure (devs please correct me) but I believe the FOG Client has the private key embedded in order to connect to the FOG server via HTTPS. I wouldn’t want that private key extracted from the client installer.

Using Access Controls I use the Technician group to restrict the FOG Web UI down to bare essentials for field techs to deploy and capture images. How can I hide a Host group from the Technician user group?

@george1421 I see. So a basic script like (I’m paraphrasing the commands here) “get mac get userID get IP > log.txt” but from there it would have to write to the FOG’s reporting system right?

Currently we can see which user deploys an image to registered hosts but not to unregistered hosts. Why is that? Shouldn’t there be a way to record that an image gets deployed to an unreg’d host? At the very least a MAC address would be helpful. I use LDAP in my environment for FOG auth so theoretically I would be able to see which user deployed an image to this MAC. If an IP address can be reported that would be even better.

Bumping this topic. I too see the issue. I only see imaging events for registered hosts. I have a lot of field techs imaging unregistered hosts and need to have these events logged.

I had to make a correction. I meant to say pre-1Gbit internet not 10Gbit internet. We have 10G backbones (intranet) but not to the internet.

@pauleb In our environment, pre-365 and pre-1G internet, we would use deployment tools to deploy Office from our local repositories using scripts and XMLs. For licensing we used KMS. Now with 365, all licensing is handled on the cloud, and we can install Office apps via internet. The OfficeSetup.exe file has no licensing embedded in it. It is simply a thin-installer that downloads the apps from the internet and installs them. Once complete, when the app starts for the first time it will ask for authentication to activate.

@pauleb When a 365 user logs into portal.office365.com and then goes to my account>install apps, they can download the Office installer, officesetup.exe. This is an online installer for Office.

I simply dropped the OfficeSetup.exe into the snapin and left everything else as is. It will install office or update Office if it is already installed.

I would like to know if it is possible to restrict this page of the FOG server web UI to certain subnets as I don’t want it available everywhere
https://<fogserverip>//fog/management/index.php?node=client

Also these pages
https://<fogserverip>/fog/client/*

@Tom-Elliott Thank you for that! I believe this is the setting “CLIENT HOSTREGISTER ENABLED” that should be disabled:

Not sure if what I’m seeing is due to the FOG client, but lately since I’ve been installing the FOG Client on my VMs, I’ve been seeing more and more pending reg hosts. I only register hosts that need be captured, in my case all of the VMs (since they are the golden image factories), and the field techs use physical PCs sometimes to capture. The one thing the pending hosts have in common is they all have the FOG client installed. Is there a way to completely disable auto reg or the pending reg function so that registration only happens via Full Reg and Inv via the FOG pxe menu?

By the way does the FOG Client use unique GUIDs? If a workstation with the FOG client installed gets captured and deployed to other workstations, does the FOG client recreate a new GUID or does it remain the same as it was on the original workstation?

Another thing to consider which I have observed in my environment is network congestion. If you are imaging on your production network, especially if the subnets aren’t segmented, you may experience slower than normal imaging speed. If your FOG server is connected to the network at 1Gbps, keep in mind that if you are trying to image 10 workstations connected at 1Gbps, the server will only be able to send/receive at 1Gbps. The more imaging that happens at once, the slower they will all be. That is why I have been looking into getting my FOG server connected at 10Gbps so that it can handle at least 10x1Gbps connections without slowing down.

@Sebastian-Roth I know nothing about API’s so I wouldn’t know where to start with that, like even how to form a proper question to ask the google lol. I’m using FOG 1.5.10. I have to keep testing and troubleshooting the image cron jobs.

@Fernando-Gietz I tried this fix, restarted php8 and was able to log in via LDAP auth but the domain user that I logged in as does not appear in the Users list. I remember this part did populate the user as I would then assign the user to Technician or Administrator via Access Control.

I think this may be a feature request unless there’s a way to do the following:

I have several VMs in a Group called Virtual Machines. Each VM is associated with its own image. I see that the Group only has an image deploy function and only one image can be associated with a Group. Can there be a different type of Group to say “The hosts in this Group are part of a task group” for instance. My goal is to be able to click one button to send a capture task to all hosts in a group to capture to their respective images. I tried using the cron style scheduler but it didn’t work at all. All of my VMs are running 24/7 to receive windows updates and stay current, and I’d like to update the images once a week.