Working Tree

I know this is uncommon, but I need testing on the normalized elements of FOG under a new GUI I’ve been slowly working on. It was originally under ‘bootstrap’ for the branch label under git.

I need people or are daring/willing enough to checkout the working branch now and run this version of fog. It is still in active development, and I know it’s not 100% complete yet. The main components should all work as they had in the past.

The idea is I’ve been converting to bootstrap which essentially rids the need of “mobile only” users. Mobile Only users could still “do” everything other users could they were just restricted to using the mobile page. With the access control plugin by Fernando, I think more suitable restraints are more properly in place.

With the new GUI stuff, memory limits should be handled a lot better as we’re now using api elements to get the data within the GUI.

I ask for help in seeing if there’s any significant issues and where those issues are, so please if you’re willing update to the working branch and try using it.

it looks completely different, but oddly familiar if that makes any sense. I hope you enjoy the new layout, look, and operation. Please report any issues you do see from the GUI perspective so I can get them fixed much faster. For the better part of the last month it’s been basically me looking/editing/playing with one or two people that look at things and give simple guidance. While it’s gotten us this far, I need more hands/eyes on if/where possible.

Thank you

@sourcaffeine the “shutdown immediately” is a bit of a misnomer. The fog client works on cycles and the next checkin cycle will cause the action to be performed.

The GreenFOG service is the legacy client way of performing the shutdown task and even then it would only do this on the time you schedule. The new client uses power management which will do what we call on demand or scheduled items. On demand will happen the next cycle the client checks in.

I’m very sorry this free project doesn’t fit your requirements for documentation. The fog client doesn’t need much documentation because the main fog server tells the client what to do. The documentation we have is quite robust I find. And while I can’t document every thing we have been working hard to keep things as updated as we can.

The user guide should be fairly robust to give you enough information to use fog.

https://news.fogproject.org/fog-1-5-0-rc-1/

@Lenain simplest approach would be updating. http://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk

https://news.fogproject.org/fog-1-5-0-rc-4/

@dureal99d ISO’s can be created to run in only “BIOS” mode. This means, while UEFI is backwards compatible from a support perspective, the ISO’s have no idea how to use UEFI. BIOS expects certain things to run. You must remember BIOS booting has been around, essentially, since the beginning of personal computers. UEFI is relatively new so simply saying “UEFI is supposed to be backwards compatible” doesn’t mean much. EFI has been around for quite some time, but only recently has it been in “major” use.

@trialanderror what are you talking about?

:MENU
menu
item --gap -- ---------------- iPXE boot menu ----------------
item mac Macrium Reflect
item clonezilla Clonezilla 2015
item ubuntu6 Ubuntu 16:04.1 x64
item ubuntu6 Ubuntu 16:04.1 x32
item ubuntu Ubuntu 15:10 x64
item ubuntu Ubuntu 15:10 x32
item kubuntu6 Kubuntu 16:04.1 x64 
item kubuntu6 Kubuntu 16:04.1 x32
item kubuntu Kubuntu 15:10 x64 
item kubuntu Kubuntu 15:10 x32
item mint18 Linux Mint 18 "Sarah" - MATE (32-bit)
item Mint18 Linux Mint 18 "Sarah" - MATE (64-bit)
item mint Linux Mint 17.2 "Rafaela" - MATE (32-bit)
item Mint Linux Mint 17.2 "Rafaela" - MATE (64-bit)
item mint Linux Mint 17.2 "Rafaela" - Cinnamon (32-bit)
item Mint Linux Mint 17.2 "Rafaela" - Cinnamon (64-bit)
item BOOTCD Hirens 15.2 BOOTCD
item pgon Paragon Harddisk Manager 12
item ubd Ultimate Boot Disk
item ez  EZ Gig IV Cloning Software
item centos Centos
item fedora Fedora
item fedoral Fedora Live
item hostinfo details about this computer
item win windows10 32-bit
item win64 windows10 64-bit
item part Parted Magic x64
item shell ipxe shell
item return return to previous menu
choose --default return --timeout 5000 target && goto ${target}
:mac
initrd http://${fog-ip}/fog/service/ipxe/mac/mac.iso
chain memdisk iso raw ||
goto MENU

:clonezilla
kernel http://${fog-ip}/bootimgs/clonezilla/vmlinuz
initrd http://${fog-ip}/bootimgs/clonezilla/initrd.img
imgargs vmlinuz initrd=initrd.img boot=live username=user fetch=http://${fog-ip}/bootimgs/clonezilla/filesystem.squashfs locale=en_US.UTF-8 keyboard-layouts=NONE
boot || echo failed to boot
prompt
goto MENU

:ubuntu6
kernel http://${fog-ip}/bootimgs/16.04.1_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/16.04.1_64/casper/initrd.lz
imgargs vmlinuz.efi initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:ubuntu6
kernel http://${fog-ip}/bootimgs/16.04.1_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/16.04.1_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:ubuntu
kernel http://${fog-ip}/bootimgs/15.10_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/15.10_64/casper/initrd.lz
imgargs vmlinuz.efi initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:ubuntu
kernel http://${fog-ip}/bootimgs/15.10_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/15.10_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:kubuntu6
kernel http://${fog-ip}/bootimgs/kubuntu6_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu6_64/casper/initrd.lz
imgargs vmlinuz.efi initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:kubuntu6
kernel http://${fog-ip}/bootimgs/kubuntu6_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu6_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed

:kubuntu
kernel http://${fog-ip}/bootimgs/kubuntu5_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu5_64/casper/initrd.lz
imgargs vmlinuz.efi initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:kubuntu
kernel http://${fog-ip}/bootimgs/kubuntu5_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu5_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:mint18
kernel http://${fog-ip}/bootimgs/lm18_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm18_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:Mint18
kernel http://${fog-ip}/bootimgs/lm18_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm18_64/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:mint
kernel http://${fog-ip}/bootimgs/lm_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:Mint
kernel http://${fog-ip}/bootimgs/lm_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_64/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:mint
kernel http://${fog-ip}/bootimgs/lmc_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_32/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:Mint
kernel http://${fog-ip}/bootimgs/lmc_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_64/casper/initrd.lz
imgargs vmlinuz initrd=initrd.lz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto failed
goto start

:centos
initrd http://${fog-ip}/bootimgs/centos/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/centos/images/pxeboot/vmlinuz initrd=initrd.img root=live:http://${fog-ip}/bootimgs/centos/LiveOS/squashfs.img ip=dhcp repo=http://192.168.1.109/bootimgs/centosrepo/mirror.nodeshosting.com/centos/7.2.1511/os/x86_64 splash quiet – || read void
boot || goto MENU

:fedoral
initrd http://${fog-ip}/bootimgs/fedora/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/fedora/images/pxeboot/vmlinuz initrd=initrd.img root=live:http://${fog-ip}/bootimgs/fedora/LiveOS/squashfs.img devfs=nomount ip=dhcp
boot || goto MENU

:fedora
initrd http://${fog-ip}/bootimgs/fedora/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/fedora/images/pxeboot/vmlinuz initrd=initrd.img root=live:http://${fog-ip}/bootimgs/fedora/LiveOS/squashfs.img rootfstype=auto ro rd.live.image quiet rhgb rd.luks=0 rd.md=0 rd.dm=0
boot || goto MENU

:BOOTCD
initrd http://${fog-ip}/bootimgs/bootcd/hirensboot.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:pgon
initrd http://${fog-ip}/bootimgs/pgon/phdman12.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:ubd
initrd http://${fog-ip}/bootimgs/ubcd/ubcd535.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:ez
initrd http://${fog-ip}/bootimgs/ez/EZGIG438.iso ||
chain memdisk iso raw ||
boot ||
goto MENU

:hostinfo
echo This computer : ||
echo MAC address....${net0/mac} ||
echo IP address.....${ip} ||
echo Netmask........${netmask} ||
echo Serial.........${serial} ||
echo Asset number...${asset} ||
echo Manufacturer...${manufacturer} ||
echo Product........${product} ||
echo BIOS platform..${platform} ||
echo ||
echo press any key to return to Menu ||
prompt
goto MENU

:win
initrd http://${fog-ip}/bootimgs/winiso/winpe10.iso
chain memdisk iso raw

:win64
initrd http://${fog-ip}/bootimgs/winiso/winpe1064.iso
chain memdisk iso raw

:part
kernel http://${fog-ip}/bootimgs/pmagic/bzImage64
initrd http://${fog-ip}/bootimgs/pmagic/initrd.img
initrd http://${fog-ip}/bootimgs/pmagic/files.cgz
initrd http://${fog-ip}/bootimgs/pmagic/fu.img
initrd http://${fog-ip}/bootimgs/pmagic/m64.img
imgargs initrd=initrd.img bzImage64 boot=live ip=dhcp edd=on noapic load_ramdisk=1 prompt_ramdisk=0 rw vga=normal sleep=0 loglevel=0 keymap=us splash quiet - || read void
boot || read void

:shell
shell ||
goto MENU
:return
chain http://${fog-ip}/${fog-webroot}/bootimgs/boot.php?mac=${net0/mac} ||
prompt
goto MENU
autoboot

Just bringing it to the top of the list. I’ve edited your config, but realized it was ONLY editing, it wasn’t a quote as I originally intended. Here’s just to bring it forward.

https://news.fogproject.org/fog-1-5-0-rc-13/

@Wayne-Workman Nope. Validation wasn’t the issue. Something else was edited which broke it. I’m nearly certain of it.

https://news.fogproject.org/fog-1-5-5-officially-released/

Alright,

I’ve rebuilt the 4.9.0 kernels to have the patch in the first link.

Please goto FOG Configuration Page->Kernel Update

Download the 4.9.0 kernels as bzImage/bzImage32.

The one with Arch Type (x86_64) would be named bzImage
The one with Arch Type (x86) would be named bzImage32

Hello all,

There was a vulnerability brought to attention of a privelege escalation in how FOG has previously used NFS.

The specific vulnerability was using options “no_root_squash” and “insecure” as definitions of the exports file.

The insecure option effectively allowed any system on non-priveleged ports (anything > 1024 which we defaulted to for NFS) had root level access to the filesystem.

The no_root_squash allowed a client system to mount the NFS share and if a client UID matched the UID of the server the files would be created as that user (say client had user named bob with UID 1000, and server had user named admin with UID 1000, NFS on the server would show “admin” created the file). It also allowed root (UID 0) on a clients machine to create files - scripts and all - as root on the server.

If I understand the depth, once that client root level created a file that contained code to escalate privilege, anyone could mount the NFS share and use that bad acting file to elevate as root on the server system.

Luckily this had a relatively easy fix and this fix has been implemented to dev-branch and working-1.6 from an installer standpoint.

Since I don’t know when a “full” release will be made I am outlining the steps you should/will need to take to correct the issue in the meantime.

Here’s a diff of the master to include these changes in an automated fashion if you feel comfortable doing this:

diff --git a/lib/common/functions.sh b/lib/common/functions.sh
index b20b0e482..44f8657f5 100755
--- a/lib/common/functions.sh
+++ b/lib/common/functions.sh
@@ -1357,7 +1357,9 @@ configureNFS() {
         echo "Skipped"
     else
         mv -fv "${nfsconfig}" "${nfsconfig}.${timestamp}" >>$error_log 2>&1
-        echo -e "$storageLocation *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)\n$storageLocation/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)" > "$nfsconfig"
+        userId=$(id -u $username)
+        groupId=$(id -g $username)
+        echo -e "$storageLocation *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,all_squash,anonuid=${userId},anongid=${groupId},fsid=0)\n$storageLocation/dev *(rw,async,no_wdelay,no_subtree_check,all_squash,anonuid=${userId},anongid=${groupId},fsid=1)" > "$nfsconfig"
         diffconfig "${nfsconfig}"
         errorStat $?
         dots "Setting up and starting RPCBind"
@@ -1569,8 +1571,8 @@ configureStorage() {
     else
         (head -1 "$storageLocationCapture/postinitscripts/fog.postinit" | grep -q '^#!/bin/bash') || sed -i '1i#!/bin/bash' "$storageLocationCapture/postinitscripts/fog.postinit" >/dev/null 2>&1
     fi
-    chmod -R 777 $storageLocation $storageLocationCapture >>$error_log 2>&1
-    chown -R $username $storageLocation $storageLocationCapture >>$error_log 2>&1
+    chmod -R 775 $storageLocation $storageLocationCapture >>$error_log 2>&1
+    chown -R $username:$username $storageLocation $storageLocationCapture >>$error_log 2>&1
     errorStat $?
 }
 clearScreen() {

Steps:
(If you rerun the installer please re-perform these steps to ensure things are as secure as possible)

1. Get your fogproject user’s user and group ids:
   echo "UserID: "$(id -u fogproject); echo "GroupID: "$(id -g fogproject)
2. Note these down and edit your systems export file (usually located in /etc/exports)
   Remove the no_root_squash and replace with all_squash in both instances
   Remove the insecure, from both instances
3. Add: anonuid=<UserID>,anongid=<GroupID> to both instances
   Please replace <UserID> with the actual userID returned, and <GroupID> with the actual groupID returned.
   You should end up with an exports that looks like:

/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,all_squash,anonuid=1001,anongid=1001,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,all_squash,anonuid=1001,anongid=1001,fsid=1)

4. Change filesystem permissions of /images to at least chmod -R 775 /images (Not necessary, but useful for an extra bit of security)
5. Change owner ship of /images to fogproject/fogproject chown -R fogproject:fogproject /images
6. Restart nfsd: systemctl restart nfsd
7. Test.

This should address the vulnerabilty. While it won’t prevent a “bad actor” from placing a new file on your system the max level of that escalation could only be that of your fogproject user.

I know this isn’t a good way to start a Monday, but when is a good time when it comes to security issues?

Hopefully this will help and is simple enough to work in the mean time. Those who don’t mind, please use dev-branch for simplicity as it should address this in a more autonomous method.

Thank you all in advance!

Particularly, thank you Christophe Hugueny (Advens) @IronBlackBird

@sjensen I think, then, all you need is

vgextend FOGserver-vg /dev/FOGserver-vg/root

Edited as I copied from another site, and forgot to modify the vg_tecmint portion.

To fix removing vsftpd removed the /etc/rc2.d/20vsftpd link. Removed the original /etc/vsftpd.conf file and then was able to purge vsftpd from the server.

Added the fstab to make the filesystem boot to the same location everytime.

Checked all settings and file size is now reporting properly.

@The-Dealman Why would the RC not be stable? It’s testing to get hopefully functional elements, but the “processes” involved are the same as 1.3.5.

I understand hesitation, I really do, but asking you to do something is not an attempt to cause failure, if anything it’s to go towards the betterment of fog in general.

That said, if you got it working with 6420 and aren’t willing to move to get your 7240’s going, I can’t really do anything more to help you out.

The upside of going forward is the things that worked in the past will continue to work now. The things that failed in the past, hopefully, will also start working with any luck. At least that’s the goal.

Fog config page
Fog settings-
Fog view
It’s in there

@george1421 Or just a simple echo

@maximillian I think you’re thinking FAR too into this.

FOG doesn’t have this capability, but the utilities FOG uses do.

iPXE is more than capable of doing what you’re requesting, and you CAN configure your menu’s and whatnot through fog to do what it is you are wanting. The difference, here though, is FOG is meant to do (generally speaking) very specific things and actions. Due to this, it’s not something WE (the fog people) are going to “support”. Meaning, we can tell you it’s possible, we can even help lead you in the direction, but as far as a single “goto” resource for something like what you’re requesting is FAR out of scope of what FOG is.

I’m not trying to sound rude or anything, but It’d be like asking a Small Engine repair shop to install a turbo charger on your Truck. They have the utilities and tools to do the job, but it’s not something they would be “expected” to do or walk through with a person.

Did you follow the instructions exactly?

Typically there’s a couple items you must remove/disable/allow

SELinux should be set to permissive

Firewalls should be disabled (unless you really want to play around with getting the ports exactly correct).