Re: boot locally after install via cobbler

Peter Wright wrote:
Michael DeHaan wrote:

Michael DeHaan wrote:
> Peter Wright wrote:
>> Harry Hoffman wrote:
>>>
>>> Hi Peter,
>>>
>>> No, I don't think that'll work... but if you wrote a quick cgi to
>>> accept
>>> the args of mac addr and netboot then you could exec the cobbler
>>> command...
>>>
>>> something like
>>>
>>> %post
>>>
>>> wget http://cobbler/cgi-bin/done_install?mac=00:11:22:33:44:55&netboot=n
>>>
>>> You'd of course want to do the normal sanitization of user data.
>>>
>>> I've got a script that I could modify to do this, let me know if you
>>> need/want it.
>>>
>>> Cheers,
>>> Harry
>>>
>>
>>
>>
>> ok - i think i'm getting this thing now.  nice - if you don't mind
>> posting that script i'd love to take a look at it.
>>
>> -p
>>
> Harry has the right idea -- still though, CGI scripts should be
> running as the apache user and not root.   This means they won't (by
> design) have access to modify the cobbler configuration.   What you
> would really want to do is write a simple script that can /only/
> disable the netboot field and then grant SSH access for only that one
> command.   There is some example of that technique posted here, which
> I personally haven't used, but I have it on good authority that it
> works well :)
>
> http://www.mythic-beasts.com/support/dyndns_howto.html
>
> This way (writing a script that calls "cobbler system edit --name=name
> --netboot-enabled=0") you make sure you've allowed remote access to
> changing only that one
> specific flag.   (This particular flag has the result of removing the
> per-system configuration file in /tftpboot that enables the system to
> boot to a specific PXE target)
>
> Incidentally, Matt Hyclak wrote a script to do this before you could
> do this in the cobbler command line.  That script is mentioned on this
> page:
>
> https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerApi
>
> The alternative to SSH is to make the cgi that does this setuid root,
> which has security implications.
>
> Another (perhaps simpler) option is to set network boot lower in the BIOS
> order (so hard drives first), and then when it comes time to reinstall
> them, you can use
> "koan --replace-self --server=bootserver.example.com --profile=name"
> to do the reinstall rather than needing to PXE.  If the Linux box is
> already running, you can invoke that koan call over SSH followed by a
> call to /sbin/reboot.    That will essentially do the same thing, and
> is what I do and generally recommend.
>
>

Talking on IRC,

We've decided we're going to implement the following:

When /var/lib/cobbler/settings parameter "pxe_just_once" is set to 1,
we're going to add a line to the bottom of the kickstart to call
a CGI script.   (You'll also have to add a sudoers entry that we can
define in the manpage)

There's going to be a wget to a CGI script that takes a cobbler system
name as a parameter.
This script invokes cobbler_set_netboot via sudo, which can do nothing
else but toggle the netboot-enabled parameter.
cobbler_set_netboot has permissions to only toggle the netboot flag.

So, in summary, all a user will need to do is:
-- flip the pxe_just_once switch in the settings file
-- add a sudoers entry (cobbler check can even show the user what this
entry must look like)

We can do this :)



OK, this sounds like a reasonable solution for me, thanks all!

-pete



I just committed this to git, if anyone wants to try it out...

All you have to do is change pxe_just_once to 1 in /var/lib/cobbler/settings and it works out of the box. The $kickstart_done symbol in the kickstart file is replaced automatically with the correct wget to make this happen.

To make a system PXE again after it trips off, just run:

cobbler system edit --name=foo --netboot-enabled=1

This behavior is off by default.

--Michael
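The design agreed on above (a CGI endpoint that takes a cobbler system name, validates it, and goes through sudo to a helper that can do nothing but flip the netboot flag) can be sketched as follows. This is an added illustration written for this archive page, not code from the cobbler project or from anyone in the thread. The helper path /usr/local/sbin/cobbler_set_netboot, the sudoers line in the docstring, the "system" query parameter name and the name-validation pattern are all assumptions; the point it demonstrates is that the web user never gets a shell or a free-form argument, only a fixed argv with one whitelisted token.

```python
#!/usr/bin/env python3
"""Minimal CGI endpoint for the pxe_just_once design discussed in this thread.

Assumed deployment (illustrative, not from the original mail):
  * Apache runs this script as its unprivileged web user (e.g. "apache").
  * /usr/local/sbin/cobbler_set_netboot <name> <0|1> is a small root-owned
    wrapper that runs 'cobbler system edit --name=<name> --netboot-enabled=<0|1>'
    and nothing else.
  * sudoers grants the web user exactly that one command, e.g.:
        apache ALL=(root) NOPASSWD: /usr/local/sbin/cobbler_set_netboot
"""
import os
import subprocess
import sys
import re
from urllib.parse import parse_qs

HELPER = "/usr/local/sbin/cobbler_set_netboot"  # assumed path of the wrapper

# Whitelist for cobbler system names: hostname-like tokens only, bounded length.
# Anything else (spaces, shell metacharacters, leading dashes) is rejected.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_system_name(name):
    """Return True only for a plain hostname-like system name."""
    return bool(name) and NAME_RE.match(name) is not None


def build_command(name):
    """Fixed argv for sudo: no shell, no user-controlled flags, always '0'.

    The web user can therefore only ever disable netboot for one named
    system; it cannot re-enable it or reach any other cobbler operation.
    """
    return ["sudo", "-n", HELPER, name, "0"]


def parse_query(query_string):
    """Extract the 'system' parameter; refuse missing or repeated values."""
    values = parse_qs(query_string, keep_blank_values=True).get("system", [])
    return values[0] if len(values) == 1 else None


def handle_request(query_string, runner=subprocess.run):
    """Return (status, body). 'runner' is injectable so the logic can be
    exercised offline without sudo or cobbler installed."""
    name = parse_query(query_string)
    if name is None or not validate_system_name(name):
        return "400 Bad Request", "invalid or missing system name\n"
    result = runner(build_command(name), capture_output=True, text=True)
    if result.returncode != 0:
        # Log the helper's stderr server-side; never echo it to the client.
        sys.stderr.write("cobbler_set_netboot failed for %r: %s\n"
                         % (name, result.stderr))
        return "500 Internal Server Error", "could not disable netboot\n"
    return "200 OK", "netboot disabled for %s\n" % name


if __name__ == "__main__":
    # CGI entry point: Apache passes the query string in the environment.
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s"
                     % (status, body))
```

The kickstart side is then just the wget the settings switch generates, pointing at this script with the system name as the query parameter. Because the sudoers entry names one command and the script hardcodes the trailing "0", a request can at worst take one system out of PXE rotation, which is exactly the effect the %post step is meant to have anyway.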

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
