RE: Powershell API Module

Due to current global pandemic conditions I find myself with some extra time to work on this. I do also have an infant, so not a ton of time, but more than I usually have to work on these kinds of projects.

I am currently thinking I will focus on the following things in the module but would love input on any features people would like in an API module out of the box.

• Creating a readthedocs or github pages based webpage for help files integrated with powershell’s get-help {function-Name} -online functionality. i.e. https://github.com/darksidemilk/FogApi is a rough draft
• Moving the api to its own repo following best practices for powershell modules. https://github.com/darksidemilk/FogApi.
• Update the build script to utilize the new structure and documentation needs
• Make sure each existing function has documentation, especially including examples
• Make it compatible with Powershell 7 (ideally without losing powershell 5 compatibility)
• Once compatible with powershell 7, add more cross platform compatibility for linux and mac (though I don’t have a way to test mac functionality) on all existing functions
• Add Functions for more common fog tasks (Hoping to get some requests to know where focus is best spent)
• Make it so the return object will work with the small api changes in fog 1.6 by making it just return just the content as the count is automatically included in a powershell object or changing the return object in some way that isn’t a breaking change. i.e. it currently returns something like

count: 100
hosts: {hostJsonContent}

in 1.6 I understand it will change to

count: 100
data: {hostJsonContent}

So I may utilize some method to make it so everything returns an object with count and data or just data or something based on what fog version you have. May also add additional 1.6 options if time permits (I understand there are join functions, and options to return just a specific parameter/member of an object or objects, or at least those were the plans 2 years ago)

• Make it so there’s more pipeable commands. i.e. you put some host in a variable and then just pipe it to actions

Get-FogHost -hostname computername | Add-FogHostMac -macaddress "12:34:56:78:90"

This would probably take quite some time to add

We’ll see how much of this I’m able to do in the undetermined amount of time this pandemic has me at home all day.

@abulhol Any luck with the new Nuc?

@george1421 I also have a theory that it could be sysprep related, but that’s harder to troubleshoot so I figured why not try the other things first.

Answering some of these in reverse

I am pretty sure that the default group apply settings do overwrite fields with the empty fields but I’m not 100% on that which is by design. i.e. maybe you want to remove the ad settings on all computers in a group, you’d want it to overwrite with blank fields. I don’t use that plugin, so I’m not sure if that was one of the things it does different or not, it may be. It would probably be moderately difficult to change that in the plugin, but that’s just a guess.

The domain trust issues could be fog related or rather a mix of things. I would suggest double checking your user/password on the group2 domain settings. Sometimes if there is already a computer with the same name a problem occurs, not always as that is something that should be allowed. I would check the c:\fog.log on any of the machines that are getting the errors. See if there are any error messages when fog joins them to the domain.

The first thing I would suggest trying is disabling the plugin and trying normal groups or just individual hosts for a couple hosts to isolate if the problem is in FOG or in the plugin. I would also double check the quick registration settings in the fog server and double check the default ad settings in the fog server, maybe they are set to group1 and its overwriting things at some point.

What OS are you using to connect to the api?
Shameless plug here for the api powershell module. I have a function called Set-FogServerSettings that helps with just inputting the api keys and it will handle the authentication from there with any function call. See the links in my signature. I originally made it cross-platform but it’s currently more windows oriented. Due to COVID-19 I am not working, which means I might have some free time (I say might because I also have a new baby). If you’re not running on windows I can dedicate some time to adding more linux support to the module since powershell core 6 and 7 are both cross platform on linux, mac, and windows.
The module takes that simplified documentation and creates tab completable functions from the structure outlined in the documentation.

I realize I gave a lot of possibilities there, but do try to only attempt one thing at a time.

1. Start with bios updates/rollbacks
2. Adjust bios fastboot and other settings, one at a time,
3. Different boot option after fog imaging
   a. legacy pxe boot
   b. use wake on lan/manual network boot
   c. use a uefi shell to manually boot to windows after imaging
   d. create a local bootmanager

Once one of these things works we’ll see if we can help you come up with a full solution

When you say restored several times per day, do you mean you are re-imaging it several times a day? I’m curious about the use case on that.

I have seen this happen on some integrated systems like NUC’s computer sticks, and soc based tablets that we’ve tested at my work. I think sadly it may just be a hardware issue and they just freeze up sometimes, and a reboot fixes, but that’s more of an acceptable answer if it’s a $100-200 computer with a SoC cpu (I use acceptable loosely there).

I think that @george1421 is probably right that it’s going to be related to refind boot through fog, recently I’ve been finding it less reliable. I’m not sure if it’s something changed in the refind code, the iPxe code, or windows boot stuff. It would take quite a bit of digging to figure out which of those things have had changes that could have caused this. There are some ways to test if this is the problem.

1. Try using legacy pxe boot if it’s supported (you can still image and boot to uefi as I recall)
2. Try not having it boot to fog after the image is complete (i.e. set the boot options to harddrive/windows boot manager first, and use wake on lan to remote boot source or a manual boot option hotkey to get to the network boot)
3. You can set up a local version of a bootmanager such as grub2forwin or refind and put a local copy of the ipxe.efi file on the machine so that you have a way to boot to fog without the download and boot to the ipxe.efi file to get to fog and then boot to windows.
4. If supported, use the built in uefi shell (if you boot to a refind usb or locally installed refind it also has a uefi shell). Then use fs0: ls then fs1: ls incrementing the number till you find the microsoft EFI folder. Then you can launch the microsoft efi boot file from that shell at .\EFI\Microsoft\Boot\bootmgfw.efi (slashes might be the other way, I’m doing this from memory)

Point is, try a different boot method and see if that makes any difference.

Also check for any bios updates, or if supported maybe a bios rollback if it maybe worked better before?

Also check bios options and try enabling/disabling things like fastboot (enabling it may disable some drivers that refind searches for, but that’s just my theory) and any other setting that might relate.

Hope one of these suggestions help.

Also, here’s my ranting on unattend and sysprep that I can’t seem to stop myself from interjecting.

There are also multiple places you can put the unattend.xml file to get it to be used. I put it in 2 places C:\unattend.xml and C:\windows\system32\sysprep\unattend.xml I could have swore you had yours in a panther folder when I first read this, but it looks like I read that wrong or you edited while I was writing. I reference the one in the root of C in my call to sysprep and have it in the sysprep folder as a fail safe because it is a place that sysprep looks for the file. Is the unattend file doing what you expect? You have some winpe commands and partition creation commands in there. Are you using winPE in your process or is that just from the guide you found?

There are many ways that you can use sysprep and fog. The way I do it is

Install windows 10 onto vm
Hit Ctrl+shift+f3 at the oobe screen to enter audit mode
Run my base customization script (copies some custom files, copies some network drivers, installs some basic default programs)
Run my cleanup script (defrag, cleanmgr, sfc, dism, chkdsk, provision the metro/uwp apps to my liking…I’m thorough…)
Copy the unattend file and run sysprep with sysprep.exe /audit /reboot /unattend:C:\Unattend.xml

My unattend file is then set to run the Audit System pass, the Audit User pass, then the generalize pass and then shuts down. At that point I capture the image. I use the reseal property in unattend.xml to control which phase comes next.

Then when I deploy the image, it is a generalized image with no drivers but with lots of customization built in. Right after the image deploys the unattend file continues in specialize phase where, among many other things, the network drivers I copied earlier that apply to the hardware get added to ensure network connectivity. Then the oobe phase starts where all the oobe wizard stuff gets skipped because it is all already answered and then I use the firstlogoncommands section to start up a custom provisioning powershell module/script that sets everything up across a few reboots. I use the built-in admin user during those firstlogon setup pieces, I find that much easier and more reliable then setting up a separate user, the builtin admin usually has a better time with initial setup and having admin rights to do everything you want to, you can always disable the admin account once all is done.

That may all sound kinda complicated, but once you get it set up and scripted, it’s pretty simple.

My point in sharing all this, is you mentioned your new, and I want to let you know that there’s not just one way to handle all this. It’s good that you’re wanting to use sysprep at least. I was once a misguided soul and tried to find ways around it.

I see that you used a website to generate the answerfile. It looks like a decent starting point. I would reccomend making the whole thing yourself using the windows system image manager. It’s not quite as easy, but you’ll be able to see how much more you can do. https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference. Once you download the adk you can extract your windows 10 iso somewhere and load it up into the system image manager and start messing with it.

I could go on and on, but I don’t want to scare you away. Hopefully I haven’t already. It is completely possible to use somone elses or a web generated unattend file and image with fog without breaking any windows licensing or custom ids. I just felt, once I read through the documentation and gave it a try, that it was worth it to make it myself the official windows way. And I found that they have a lot of documentation on the topic. Here’s some more to look at, docs.microsoft.com is your friend in this adventure.

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview

So if the root problem you want to solve is fog joining the domain I think I see an issue, but could be missing something. So in your script that starts sysprep you have it copy a setupComplete.cmd. I also see that you have it disable the fog service. Does setupcomplete re-enable and start the fogservice back up? If it is starting backup are you getting any error messages in C:\fog.log on the imaged machine?

@Quazz

@Quazz said in Git commit fcf4695 Setting up MySQL user and database..........................Failed:

@JJ-Fullmer Thanks for the instructions; that worked!
Some notes on the situation for me:

Woo Hoo!

Root password was set BUT only for ‘localhost’, but the host localhost did not have any type set (whereas the others had mysql_native_password)

I think that this may have also been the case for me. I certainly remember having set a root password but after fixing everything my only conclusion was that I must have not. But I did also notice that my mysql.user table had 3 different root users for localhost, 127.0.0.1, and 1 other I can’t remember right now. Mine were all set to the mysql_native_password plugin as well. It looks like a solution is in the works here already, but just wanted to add that note that the root problem might be the authentication problem.

I had a similar problem with 1.5.8 and centos 7 and also mariadb 5.x

In my case it turned out that I was running mysql with an empty root password. Which I don’t recall doing but may have occurred via the auto-accept/-y install when I initiatilly installed fog on this server. Should really not use -y the first time you run the installer, which is probably what I did many moons ago from habit in auto-updating to stay on the latest dev version. For updates once all is configured, -y should be fine.

So can you login to mysql as root either with mysql -u root or does that fail and you can instead login with a password mysql -u root -p

Or do neither of those options work and maybe you’re locked out of mysql? I got locked out. If you are, don’t worry, we got you. Here’s how @Sebastian-Roth helped me reset the root password and afterwords everything worked again

#stop the mysql service
systemctl stop mariadb
# open mysql in safemode in a foreground task and use & to get back to your shell
mysqld_safe --skip-grant-tables &
# you may need to hit enter twice
#login to mysql in safemode as root
mysql -u root

#look at what your usertable says for funsies
select user,password,host,plugin from mysql.user;
# You should see your root user(s) if it exists and the fogstorage and fogmaster users
# Now update the password in the table to something else, note that for me this didn't actually 
# set a password but made it blank
update mysql.user set password=PASSWORD("newpassword") where User='root';
update mysql.user set plugin='mysql_native_password' where User='root';
# flush the privileges to save the changes
flush privileges;
# exit the mysqld_safe command line
\q;

#shutdown the safemode mysql
mysqladmin -u root shutdown

# start the native mysql service up again
systemctl start mariadb

#try to login normally again, add -p and use what you think your password was or what you might have changed it to just now if it doesn't work
mysql -u root

#update the root user password with the proper command
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourPassword');
# flush the privileges to save the changes
flush privileges;
#exit the mysql shell
\q;

#restart mysql one more time to be safe
service mariadb restart

#attempt to login with the now set root password
mysql -u root -p

If the last login works as expected, give the installer another try and see if it works now. Once I had that password reset and working I was able to run the latest dev-branch installer without issue.

I copy pasted the function into my console and tested it with a snapin that was assigned to just my computer and it did in fact queue it to deploy.

This could be altered to quickly deploy to a given list of hosts or groups as well. Giving you a quick command line method for deploying snapins to hosts in a variety of ways.

If this is something that would achieve what you’re going for let me know and maybe I can add in the functions to the api module so they just exist and then you have a deployment tool via command line, which is typically quicker in my humble opinion

@mousepl Are you thinking you would want to be able to do this on the fly, or would you want to deploy the snapin on all hosts that have it assigned to it?
By on the fly I mean, select specific hosts from the snapin then deploy, that would be a bit more difficult to implement, but maybe adding a button for deploying on all hosts with a snapin is possible.

If you’re familar with powershell or willing to learn. You could create a function/script that does this with the api module.

i.e.

# install the module
Install-Module FogApi;
# Follow the setup instructions found in the links in my signature. i.e. get the fogapi token and user api token from your web gui
Set-FogServerSettings -fogServer 'serverName' -fogapitoken 'insertServerAPItokenHere' -fogusertoken 'insertFogUserAPItokenHere'

Assuming those steps are done for the user running the function

function Start-SnapinDeploy {
[CmdletBinding()]
param(
    #define the snapin name you want to deploy
    $snapinName
)
#get all the snapins from the server
$allSnapins = Get-FogSnapins;
#get all the host/snapin associations from the server
$snapAssocs = Get-FogObject -type object -coreObject snapinassociation;
#get the snapin you want to deploye in a single object
$snapinToDeploy = $allSnapins | Where-Object name -match $snapinName;
#find all the hosts that have that snapin associated
$hostsWithSnapin = $snapAssocs.snapinassociations | Where-Object snapinID -match "$($snapinToDeploy.ID)"
#loop through the hosts that have that snapin assigned and start a task for that snapin for each of them
$hostsWithSnapin.hostID | ForEach-Object {
    $hostID = $_;
    $json = (@{
        "taskTypeID" = 13
        "deploySnapins"=$snapinToDeploy.ID
    } | ConvertTo-Json);
    New-FogObject -type objecttasktype -coreTaskObject host -jsonData $json -IDofObject $hostID;
    }
}
# call the function to deploy a snapin named office365
Start-SnapinDeploy -snapinName 'office365'

I may be off on the json creation as I haven’t tested a single snapin deploy, so the required body data might be different. I just kinda altered the way I use the start-fogsnapins function https://github.com/FOGProject/fog-community-scripts/blob/master/PowershellModules/FogApi/FogApi/Public/Start-FogSnapins.ps1 for this example. I typically only use fog snapins for the initial deployment at imaging.

But as you can see from the example, while things are linked together, the linkage is really meant to go from host to snapin. Snapins are really meant to be deployed at imaging time, which is why they are all queued when you a image a host. The idea being to include software provisioning with your OS images. The feature request you described would be useful I agree, but one might argue that that makes more sense for a software deployment tool, where fog is an imaging tool.

It can be used as a software deployment tool, but that’s just not how it’s designed.

That’s all really just a disclaimer to say it may be a bit for this to show up as a new feature. It’s possible and it would be useful. I’m all for anything linked in a database having linked buttons in each spot in a gui. But creating that button may just be easier said than done, but may eventually be done.

You could in theory create a gui using the powershell module and built in powershell command show-command and some dynamic paramters that grab all the available snapins, it would take a bit of work but you could make a gui prompt with drop downs/multi-selector for fog host(s), snapins, then a deploy button. Point being, just because it isn’t in the web gui, doesn’t mean the capability doesn’t already exist.

I hope that helps

@rmishra1004 is this happening on all hosts or just this one? Have you tried hitting the ‘reset host encryption keys’ on the host in the webgui?
If you copy past the url that fails, what happens? I believe you should see an error message like this

{"error":"im"}

when going to it in a browser

@george1421 While I agree and understand how it all works. I have found that we did get an increase in speed when we setup the aggregated adapter on the storage node. Even with just one client going. But perhaps that’s really just agreeing with your statements. As like on a highway if it was 1 lane, you often slowdown cause of the other slow drivers and perhaps I just opened up a metaphorical passing lane for fog images to go the full speed limit at. You do also have to consider all the switches it goes through and yada yada. And of course it’s all more complicated. Point being, I didn’t get a 2x boost when we aggregated the server link, but we did get a boost, so I wouldn’t deter anyone with the equipment capable of it from giving it a try.

@george1421 On the node that was showing that speed I have a bonded/aggregated link. So the node has a 2 Gbps link. Then the nvme storage has a theoretical write speed of 2.3 GB/s which is a theoretical speed of 138 GB/min (I don’t expect to see that kinda speed of course, just cool to think about, and shows that’s certainly not a bottleneck). I think that the 11 GiB/min I see now on 1.5.8 is probably closer to the actual speed I’ve been experiencing the whole time.

I just wanted to make a matching forum post for my github issue here

https://github.com/FOGProject/fogproject/issues/373

rEFInd, while a really cool tool, is not universally compatible.

Sometimes when a computer attempts to boot to hard drive from the pxe menu it gets stuck trying to load refind. Sometimes different configurations in the refind.conf file can help, but in a mixed hardware environment it’s not uncommon to not be able to find a universal answer.

Some of these hardware compatibility issues have been brought to the attention of the refind developer but he eventually figured that it sounded like a low number of computers, personally I find the opposite. We used to use rEFInd as a custom boot manager built into our images, but it had enough problems that we’ve moved to grub2win a grub 2 based windows efi compatible solution. I have attempted to add a chain load option to this copy pasting the boot files to the fog webserver to no avail. So while perhaps an efi version of grub2 might be an alternate option I haven’t found a way to get that working just yet.

In doing some testing with the ipxe shell and reading their documentation (https://ipxe.org/cmd/exit) the exit command can take parameters of 1 or 0 to send a error (1) or success (0) to the bios/firmware. Theoretically sending the 1 would tell the firmware to try the next boot option. I was able to exit the ipxe shell and boot to my local disk with exit 0 and exit 1 where just exit goes to black nothingness. I attempted to add this command to the bootmenu options of fog, but it didn’t work for me straight through the pxe menu.

I also messed with sanboot a bit, but couldn’t find a way to list what local drives the ipxe shell sees. The documented examples of 0x80 0x81 0x82 etc were not recognized.

Point is, there needs to be another option for booting to the hard drive on efi systems when refined doesn’t work. There are some possibilities out there.

@Chris-Whiteley 3-5 minutes is definitely a bigger deal than 0-30 seconds. I was hoping I was right, but I guess not. Have you tried the changes to the kernel suggested?

Just wanted to chime in with another report on a speed change between 1.5.7 and 1.5.8

1.5.7 ~22 GiB/min
1.5.8 ~11 GiB/min

This is on nvme drives, and we have a gigabit port aggregation on the main deploying node (in case you’re wondering how we got it going so fast).

However on 1.5.7 there was always a slow but steady drop in speed. It would start at 20-25 GiB/min and slowly drop GiB/min every couple seconds. But I never cared much since the ~20 GB image was done deploying in 2-3 minutes each time. In 1.5.8 it isn’t doing the speed drop and the overall time taken is about the same. It was just cycling between just below and just above 11 GiB/min (i.e. 10.58 - 11.03 or something along those lines) Looking at some of my recent imaging times just before and now after the upgrade to 1.5.8 they’re all at about 2 minutes 30 seconds. The only real variation appears to be the hardware being imaged, which is to be expected.

Point being, perhaps there isn’t actually a speed change but rather a more accurate overall average speed for the whole process instead of attempting a realtime speed? Or maybe just a generally more steady speed? Or just a better way of calculating the displayed imaging speed?

@Chris-Whiteley Maybe take a look in the web gui at the report viewer -> Imaging log and see if there’s actually a difference in time for your images deploying before and after the upgrade? I’m finding mine are all still within 0-30 seconds of the same time.

@64bitfury your comment about there being no gui leads me to believe you just haven’t had the chance to work with a command line only linux os before, at least in this context.
I could also be wrong but wanted to try and help when I saw this, as I use an internal CA.

To answer your questions on a basic level
you want an ftp client such as winscp, filezilla, or cyberduck to connect to the fog server and copy over your server cert, private key, and your ca cert.
Where you put them depends on your OS, you’ll want to google something like insert linux os here ssl cert directories

Then you configure apache to point to the cert and private key in a virtualhost on port 443.
i.e.

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/fog.crt
SSLCertificateKeyFile /etc/pki/tls/private/fog.key
#other virtual host stuff
</VirtualHost>

You can also usually set a default cert and key file in a ssl.conf file, but that file can be overwritten by yum/apt updates of apache.

But maybe that’s enough to point you in the right direction. There’s quite a few possibilities for how to configure it and more information is needed that @Sebastian-Roth has already requested to give you full on step by step directions. But it sounds like you might just need these couple little things to help you along the way. My apologies if I’m wrong, just wanting to help.