RE: "Approve MAC Addresses"

It can also be used to filter out potential spoofs. For example, the Additional and primary mac fields (unless otherwise specified) is how the service is handled for now. Basically, it tests any/all macs against all hosts in the system. If there’s a match, it continues to pass information to the host about what’s being sent. This is important, for example, in the case of Active directory.

If we just assumed all MACs were safe for the host it’s registering from, you would potentially be opening yourself up for attack. Not necessarily in a traditional sense.

For example, the most secure piece of information we want to protect, the Active Directory Password. Yes, I know you shouldn’t have admin rights on the user (create a new one as necessary) to allow FOG to register the host to the domain. However, this isn’t always practical. Whether by inexperience/knowledge, or because the setup was just done quick and dirty. That said, if all mac’s where automatically “approved” the potential arises that somebody could inject their own macs to a host. Because their host is no registered, they can see all the data sent from the server including the AD Password. (of course the new client doesn’t have this issue as readily, but still).

It’s these types of things we’re trying to help prevent as much as possible that we require you to approve the macs. If you are always going in and approving all macs, then I say shame on you, but to each their own. The mac’s can be approved by the individual MAC from the relevant host or hosts. The “green checkbox” that appears is the link on how to approve a single mac address. You can also approve all macs from the host as well.

It’s actually these security concerns that allowed us to have the FOG Client (New again) register the host if it was not already registered to the main FOG system. In olden times the client did register the host to the server if it wasn’t already done, but it also registered them as “approved”.

Main flaw, I think, in that approach is FOG is dependent upon a system being compatible to image/task a system. This is why the full register drops you into the init and you get asked all those questions, followed by a reboot if you wanted the system to image. If we only registered hosts through iPXE, the potential arises that a host is registered, and FOG recognizes it, but the init’s do not have the proper drivers to actually support imaging that device, so your system is stuck in a boot loop. Under the new client, the registration still happens, and the potential is still there that the registered through the client system is not compatible, but you can’t task the system until it is in an “approved” state.

Basically, we’re moving fog into an admin centric style system. The Administrator of the network/systems should know about any and all items being input especially when dealing with a host. If you’re registering through one of the registration/quick reg systems on the PXE menu, you already have a head start because there had to be a form of action performed to enable that reception of the task. So these full/quick registration methods are assumed to be “trusted”. Systems that are registered by the fog client is not automatically assumed trusted, because anybody can download the FOG Client installer and communicate to your fog server. By placing the system in a “pending” state, we keep the service from receiving unwarranted data. It also gives you and your admins a chance to verify the host indeed is valid for your network. The same principle for the MAC addresses.

Hopefully all this makes sense.

@abulhol Should be back up and running.

Thanks for letting us know.

I feel I should add all Enabled nodes will send wol. Non enabled won’t cause they’re not enabled lol.

@sudburr I know it doesn’t seem like it, but I do try.

Added.

FOG Version 4692 now has the ability to set hosts individually with specific boot type exit parameters.

They can also be setup by groups. I don’t have any good way to verify that the individual items will actually work, as all of my systems are VMs, and only one of them is my “test” station for now.

Please test and let me know if things are good to go for you all.

@gabrielzeit https://forums.fogproject.org/topic/10160/virtualbox-pxe-boot-no-configuration-methods-succeeded

Can you please try maybe using the ipxe.pxe for the boot file for these VirtualBox machines?

There is a weird known that warm reboots will not always work with VirtualBox, this isn’t something I or our team can control, but in the past I was able to continually use ipxe.pxe as the medium and things appear to have worked.

Added the plugin to the plugins in the working branch.

I’m solving this thread as the issue has been addressed two fold. First, when the data is stored it adds then strips slashes and I do the same for how it gets output.

I’m sure there may be a nicer way and printers that stored improperly will still need to be fixed but the problem this is focusing on can, I think, safely be solved.

Removing the client installer sure, removing functionality no. Too many people are using the legacy client. Removing from dev means removing from the next release. I am not of the mind to tell everybody that they have to recreate their images because of the client. While I do recommend such things, I’m thinking it’s not a good idea to do enforce such extreme things.

@scgsg There are may things that impact the speed, regardless of the manager in use.

1. Network, the most obvious one here, would play a big factor.

2. System, as decompression is handled on the client.

3. Disk read/write speeds, this one is probably the largest factor on most modern systems.

4. Compression type, ZSTD compresses and decompresses much faster than gzip when in multithreading.

5. Compression Ratio, 19 is the maximum I’d recommend for any zstd as the memory required for any higher makes it nearly impossible to perform on most systems. 0 is the minimum, it still compresses but is nearly nothing. This impacts speeds because of the data that would need to transfer over the network. 1GB plain on a 1gbps will take anywhere between 5-10 seconds on a “perfect” network. 1GB compressed to 50% would take half the time to transfer because the data size would be only about 500MB. The speed it writes to disk would primarily be slowed down by the system decompressing the system. You must think of this when capturing too because while it will ultimately mean faster deploy’s, this setting can slow the capture process quite a lot.

6. Hops over network. The most direct route to a system will give you the fastest speed. If you have to jump through 10 switches to get to the host, your delays are somewhat related to the network as the data has to traverse the different points to reach the target.

These, obviously, aren’t everything that might impact speeds, but a basic list of what I can think of for right now.

As you’ve seen with the many other posts however, your case appears to be the exception. I understand there may be others with similar results to your own, but please understand we aren’t making these changes to make your day go longer. If anything we’ve made these changes so the vast majority of people will have a faster deploy/capture time. It also helps that partclone is in active development where partimage seems to have lost their develoment.

I’ve fixed this in the code so fresh installs should no longer have this issue. That said this would not have caused any issues.

@Wayne-Workman It happens much faster than that sometimes. (sub 15 second patch?)

Ignore the wifi mac from client operations?

This was fixed last night, sorry I didn’t update sooner and as always thanks for the report.

Understood, and completed.

Here’s a couple of quick and dirty txt files containing all the hook events, and their respective tie-ins for plugins or hooks for operationally using them.

I’m posting this because the AccessControl plugins uses these very emphatically to help with granularly controlling access. This, ultimately, means a full documentation of all the things that can be done natively.

One file is the “Core” events. These are the events that can be enacted upon and integrated directly with the “base” of FOG using no plugins. The other file is all the hooks that plugins also generate.

My hope is to get the access control plugin more on a dynamic nature than a guessing game. In the past I had tried documenting all the hook events into the database, and while this approach can work, it only inserts new entries when the event is to be processed in the first place.

What’s wrong with the above approach? Well, to limit constant read/write to the database, the hooks were only inserted into the database as they were spawned. So let’s just say, for example, you never visited the User page. Your hookEvent’s table would never contain any of the hooks that are available on the user page.

In these files, particularly the core file, is some commonalities between all pages I think. This will be evident just by looking at these files. A couple of places, however, use a generic approach to generate the event. These are using a % symbol to symbolize Host, Group, User, etc…

Some of these will also function for the Plugins too (just a note).

Hopefully this will help prepare people with some of our changes for when 1.6 is able to be published.

Hooks_And_Tie-ins.txt

Hooks_And_Tie-ins - Plugins.txt

@Arrowhead-IT The error with the percent problem you saw should now be fixed as well. I hope I finally do something right.

I’ve added the hostinfo.php script, though in a much different fashion. As I stated in chat and on the comments of the pull request, I have not added the setHostname due to security concerns. That all said, the information is now exposed as you requested.

@sebastian-roth et al.

Sorry, I’ve not been able much to work on anything in a while. I will try to correct that moving forward though I’m still fairly busy with work and all.

I’m keen, if everybody else is, to look over 1.6 vs 1.5.x and just simply moving over to it. The UI for 1.5 was itself quite an overhaul but shows too little progress now (that we’re at 1.5.9). Moving to 1.5.10 seems cursory at this point, in my opinion.

I can’t say I’ll have a lot of cycles free to keep this moving in a linear fashion though.

The biggest hurdles with 1.5.x and 1.6.x are getting the codebase ready with PHP 8 support it seems too me.

I’m of course able to try to help release a 1.5.10 release if that’s what’s really needed, but I think the 1.6 codebase has been around long enough and in parallel long enough it might be a good position to just check the bases, clean up where necessary, and release 1.6.0.

Let me know what you all think.

@Tom-Elliott https://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk