[et-mgmt-tools] boot locally after install via cobbler

Michael DeHaan mdehaan at redhat.com
Fri Aug 3 14:57:17 UTC 2007


Michael DeHaan wrote:
> Peter Wright wrote:
>> Harry Hoffman wrote:
>>>
>>> Hi Peter,
>>>
>>> No, I don't think that'll work... but if you wrote a quick cgi to accept
>>> the args of mac addr and netboot then you could exec the cobbler
>>> command...
>>>
>>> something like
>>>
>>> %post
>>>
>>> wget "http://cobbler/cgi-bin/done_install?mac=00:11:22:33:44:55&netboot=n"
>>>
>>> You'd of course want to do the normal sanitization of user data.
>>>
>>> I've got a script that I could modify to do this, let me know if you
>>> need/want it.
>>>
>>> Cheers,
>>> Harry
>>>
>>
>>
>>
>> ok - i think i'm getting this thing now.  nice - if you don't mind 
>> posting that script i'd love to take a look at it.
>>
>> -p
>>
> Harry has the right idea -- still though, CGI scripts should be 
> running as the apache user and not root.   This means they won't (by 
> design) have access to modify the cobbler configuration.   What you 
> would really want to do is write a simple script that can /only/ 
> disable the netboot field and then grant SSH access for only that one 
> command.   There is some example of that technique posted here, which 
> I personally haven't used, but I have it on good authority that it 
> works well :)
>
> http://www.mythic-beasts.com/support/dyndns_howto.html
>
> This way (writing a script that calls "cobbler system edit --name=name 
> --netboot-enabled=0") you make sure you've allowed remote access to 
> changing only that one specific flag.   (This particular flag has the 
> result of removing the per-system configuration file in /tftpboot that 
> enables the system to boot to a specific PXE target)
>
> Incidentally, Matt Hyclak wrote a script to do this before you could 
> do this in the cobbler command line.  That script is mentioned on this 
> page:
>
> https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerApi
>
> The alternative to SSH is to make the CGI that does this setuid root, 
> which has security implications.
>
> Another (perhaps simpler) option is to set network boot lower in the BIOS 
> order (so hard drives first), and then when it comes time to reinstall 
> them, you can use
> "koan --replace-self --server=bootserver.example.com --profile=name" 
> to do the reinstall rather than needing to PXE.  If the Linux box is 
> already running, you can invoke that koan call over SSH followed by a 
> call to /sbin/reboot.    That will essentially do the same thing, and 
> is what I do and generally recommend.
>
>

Talking on IRC,

We've decided we're going to implement the following:

When /var/lib/cobbler/settings parameter "pxe_just_once" is set to 1, 
we're going to add a line to the bottom of the kickstart to call
a CGI script.   (You'll also have to add a sudoers entry that we can 
define in the manpage)

There's going to be a wget to a CGI script that takes a cobbler system 
name as a parameter.
This script invokes cobbler_set_netboot via sudo, which can do nothing 
else but toggle the netboot-enabled parameter.
cobbler_set_netboot has permissions to only toggle the netboot flag.

So, in summary, all a user will need to do is:
-- flip the pxe_just_once switch in the settings file
-- add a sudoers entry (cobbler check can even show the user what this 
entry must look like)

We can do this :)




>
>>
>>
>>
>>>
>>> > Harry Hoffman wrote:
>>> >>
>>> >> Hi Peter,
>>> >>
>>> >> I had this same problem... it should be said that with >= cobbler-0.5
>>> >> there is an option to edit the system:
>>> >> cobbler system add --name=string --profile=string [--mac=macaddress]
>>> >>        [--ip=ipaddress] [--hostname=hostname] [--kopts=string]
>>> >>        [--ipaddress=string] [--ksmeta=string] [--netboot-enabled=Y/N]
>>> >>
>>> >> The nice thing about cobbler via (git - yeah, it's a messed up name) is
>>> >> that a make in the d/l'd src directory will build you a rpm with proper
>>> >> version so that yum upgrades will overwrite it.
>>> >>
>>> >> It's a pretty trivial process, feel free to ask questions.
>>> >>
>>> >
>>> > Awesome, thanks Harry - I'll start diving into this tomorrow then.  Just
>>> > to make sure I understand clearly.  With the newer version I should be
>>> > able to run something like this during %post:
>>> >
>>> > cobbler system edit --name=$MAC --netboot-enabled=N
>>> >
>>> > -pete
>>> >
>>> >>
>>> >>
>>> >> > hi all,
>>> >> > i'm currently working on moving a cluster over from Xcat to cobbler. so
>>> >> > far things have gone quite smoothly, i have imported several distros -
>>> >> > created my own distros and gotten my custom kickstarts working quite
>>> >> > easily!
>>> >> >
>>> >> > my question is i have not figured out how one has an installation dial
>>> >> > back to the cobbler master node and tell it that it no longer needs
>>> >> > to re-install itself.  with Xcat during the %post phase your node would
>>> >> > set its status on the Xcat master node to boot locally after install -
>>> >> > is there something similar for cobbler?
>>> >> >
>>> >> > hopefully i'm missing something basic here, but have had no luck reading
>>> >> > through the man pages or mailing list archives.
>>> >> >
>>> >> > thanks!
>>> >> > -pete
>>> >> >
>>> >> > --
>>> >> > Peter Wright
>>> >> > Systems Administrator
>>> >> > Sony Pictures Imageworks
>>> >> > wright at imageworks.com
>>> >> > www.imageworks.com
>>> >> >
>>> >> >
>>> >> > _______________________________________________
>>> >> > et-mgmt-tools mailing list
>>> >> > et-mgmt-tools at redhat.com
>>> >> > https://www.redhat.com/mailman/listinfo/et-mgmt-tools
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> > --
>>> > Peter Wright
>>> > Systems Administrator
>>> > Sony Pictures Imageworks
>>> > wright at imageworks.com
>>> > www.imageworks.com
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>
>>
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
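
The design described in this message (a CGI running as the apache user that calls one sudo-permitted helper, which can only turn netboot off) sketched as an added example; it is not code from the thread or from cobbler. The helper path, the apache user in the sudoers comment, the `system` query parameter and the function names are assumptions; only the "cobbler system edit" command line comes from the message.

```python
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Hypothetical install path. The matching sudoers line would be roughly:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/cobbler_set_netboot
WRAPPER = "/usr/local/sbin/cobbler_set_netboot"

# Allowlist for system names (hostname or MAC style). The first character
# must be alphanumeric so the value can never be parsed as an option, and
# no shell metacharacters or whitespace are accepted.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,63}")


def valid_name(name):
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def wrapper_argv(name):
    """Root side: the only command the wrapper will ever build."""
    if not valid_name(name):
        raise ValueError("rejected system name")
    # The netboot value is hard-coded; the caller picks the system, nothing else.
    return ["cobbler", "system", "edit", "--name=" + name, "--netboot-enabled=0"]


def cgi_argv(query_string):
    """Apache side: map ?system=NAME to a sudo call, or None to refuse."""
    values = parse_qs(query_string).get("system", [])
    if len(values) != 1 or not valid_name(values[0]):
        return None
    return ["sudo", "-n", WRAPPER, values[0]]


def main(argv):
    if len(argv) != 2:
        return 2
    try:
        cmd = wrapper_argv(argv[1])
    except ValueError:
        return 2
    # Argument list, no shell: the name reaches cobbler as one argument.
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The name is validated on both sides of the sudo boundary, so the root-side helper does not depend on the CGI having checked it.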
