Create a restricted user for the webui login

I’m looking for a way to create a standard, non-admin user for the fog webui. This user will be able to manage images, tasks, but nothing else. I basically want to prevent this user from changing storage settings and be completely locked out from the FOG Settings menu. Is this possible?

My fog server is on 1.5.9-RC2 (I will update to 1.5.9 soon) and according to the Web UI>FOG Config>FOG Settings>TFTP Settings, the user name was set to “fogproject” and a long hash password. When I tried to update a kernel, it threw the wrong credentials error. So after some internet digging, I found that I had to change or make sure the owner of /var/www/fog/service/ipxe/ was fogproject:www-data. After doing that using “chown -R fogproject:www-data /var/www/fog/service/ipxe/”, still got the same error. I then checked what password was in the TFTP settings menu and compared it to the Storage setting menu, and they were different. Set the Storage password to the one in TFTP settings, still failed, wrong credentials. So I changed “fogproject” to just “fog” and left the password the same. Changed the owner of that ipxe folder to “fog:www-data”, tried the kernel update and it succeeded. I never changed the credentials so I am wondering if it is possible they change during an update? I am not ruling out the possibility that one of my colleagues might have changed them accidentally. I will lock down the GUI just in case. I am up and running now. I think there was a power outage this weekend and noticed that the isc-dhcp-server service was not running. I had to use “sudo systemctl enable isc-dhcp-server.service” again as I did that a few weeks ago because of the same issue. I know that is more of an Ubuntu problem than a FOG problem but figured I’d mention it in case someone has some insight.

@sebastian-roth Is it possible that running apt upgrade might have broken something? On my home server (Ubuntu Server 20.04) upgrading packages broke the qbittorent-nox service and I had to recreate the .service file and re-enable it.

Of course I didn’t run that command ever! I thought I had run something like that but I guess I didn’t. Thanks!

I am using Ubuntu Server 18.04.5 LTS. The dhcp server doesnt seem to start whenever I reboot the server. I have to run “sudo /etc/init.d/isc-dhcp-server restart” manually to get it back. I know this isn’t a FOG specific problem, but hopefully someone can help me out.

I copied all the files with the folder structure to the partition I created. Set the part type to EFI System, filesystem to FAT32, told the BIOS/UEFI to boot from bootx64.efi in /BOOT/EFI and landed at a grub rescue prompt. After playing out the process in my head I realize that full automation won’t work because the way the menu is set up to autoboot into Windows after 5 seconds will prevent a deploy or capture task from ever starting. I’d have to be at the PC to select the Deploy/Capture option on the FOG Menu. The USB option still works though so all is not lost.

Got it working! This worked for me after making sure the drive was changed to GPT and I also labeled the efi parition as “EFI”:
menuentry “Windows” {
insmod chain
insmod ntfs
insmod part_gpt
set root=(hd1,gpt2)
chainloader (hd1,gpt2)/efi/microsoft/boot/bootmgfw.efi
}

Just realized that the set root part is redundant. I am partitoning the drive now to copy the files from the FOG USB key then tell the UEFI on the PC to boot from this new GRUB partition first. Looking good!

that didnt work for me. said ntldr and drivemap not a command.

I found the Windows partition it is actually (hd1,msdos1). I ran "ls (hd1,msdos1) and it showed filesystem ntfs label “Windows” and the UUID. But when I try to run the command “chainloader (hd1,msdos1)/EFI/Microsoft/Boot/bootmgfw.efi” or “chainloader (hd1,msdos1)/EFI/Microsoft/Boot/bootx64.efi”, says file not found.

Correction: This drive was MBR with only one partition. Sorry about that.

It probably is the USB drive. I don’t think this particular environment is seeing the hard drive in the PC. I know for a fact that the Windows drive is GPT and EFI because I converted it to GPT before I imaged it, also made sure the image itself was created as GPT. I am able to boot from the Windows EFI partition normally.

@Sebastian-Roth The windows partition I’m trying to boot from is a GPT-EFI bootable system. Is that “+1” always supposed to follow the chainloader entry?

Great thanks! I already found and tried this:
insmod part_gpt
insmod chain
set root=(hd0,gpt1)
chainloader /EFI/Microsoft/Boot/bootmgfw.efi
boot

No luck. Says the file could not be found.

The ls command shows hd0 hd0,msdos hd1 hd1,msdos, hd2 hd2, msdos. I tried all three hd entries and pointed to /EFI/Microsoft/Boot/bootmgfw.efi no go, but much further than I was thanks to you and @george1421.

UPDATE!!!
I added a storage node and specified the interface and ip of my prod network and successfully deployed an image using the USB FOG. Now I added an entry to the GRUB menu called “Boot from HDD” but I don’t know the command line to boot from it. I have used “sanboot --no-describe --drive 0x08” in an ipxe menu file with a different setup but GRUB isn’t recognizing sanboot.

Ok created a task and tried it again, and now it looks like the task is trying to mount the nfs share via the imaging (isolated network) interface 10.0.0.10

Is there a way to make FOG try to connect to two different nfs shares? Like if one fails try another?

@george1421 So I changed the IP in the grub.cfg file to my FOG server on the production side, and booted the USB, chose deploy/capture image (the first option on the boot menu), and got this error:

It is for convenience and also better workflow efficiency. Right now, I am the only one using Acronis pulling images from my NAS but the supervisors wanted me to build them a FOG server, so I did. Now we’ve all been using FOG here at our imaging lab but it would be nice to be able to image onsite at a clients office, instead of either pulling the drive/PC back to the lab to image. I can image a PC in about 7min across the network at a clients office with acronis. I want the rest of our team to be able to do that. I use an Acronis iso that is somewhat old now and that I paid for. Acronis doesn’t offer deployment unless we purchase Snap Deploy. FOG is free, so we are dedicated to that solution.

I just confirmed that the images on the NFS share /images are accessible on the management interface which is on our production network. Now we have to find a way to get the FOG menu without using pxe or ipxe.

@george1421

1. yes one for management, the other for imaging.
2. eno1 is for management, on my production network. eno2 is for imaging, isolated with DHCP and TFTP.
3. Yes refer to point #2/.
4. The PC that I am testing with is on my production network, and I am using a USB drive with the ipxe.efi renamed to bootx64.efi in /BOOT/EFI.

I was wrong you were right I misread the blotted IP. It is actually the IP address of our SCCM server that provides boot files. Not sure how that happened. Maybe the PC requested a PXE packet and the DHCP server relayed that request to the SCCM server. Just a note, SCCM PXE booting only works on our department’s subnet so we can image using SCCM if we want, but only on our IT dept’s network. So this won’t work. I want to be able to get to the FOG menu via USB and pull images from the FOG server. Once that works, then I can figure out how to create a bootable partition and somehow get the FOG management client to do this automatically/magically.