[et-mgmt-tools] boot locally after install via cobbler

Michael DeHaan mdehaan at redhat.com
Fri Aug 3 16:04:37 UTC 2007


Peter Wright wrote:
> Michael DeHaan wrote:
>>
>> Michael DeHaan wrote:
>> > Peter Wright wrote:
>> >> Harry Hoffman wrote:
>> >>>
>> >>> Hi Peter,
>> >>>
>> >>> No, I don't think that'll work... but if you wrote a quick cgi to accept
>> >>> the args of mac addr and netboot then you could exec the cobbler
>> >>> command...
>> >>>
>> >>> something like
>> >>>
>> >>> %post
>> >>>
>> >>> wget http://cobbler/cgi-bin/done_install?mac=00:11:22:33:44:55&netboot=n
>> >>>
>> >>> You'd of course want to do the normal sanitization of user data.
>> >>>
>> >>> I've got a script that I could modify to do this, let me know if you
>> >>> need/want it.
>> >>>
>> >>> Cheers,
>> >>> Harry
>> >>>
>> >>
>> >>
>> >>
>> >> ok - i think i'm getting this thing now.  nice - if you don't mind
>> >> posting that script i'd love to take a look at it.
>> >>
>> >> -p
>> >>
>> > Harry has the right idea -- still though, CGI scripts should be
>> > running as the apache user and not root.   This means they won't (by
>> > design) have access to modify the cobbler configuration.   What you
>> > would really want to do is write a simple script that can /only/
>> > disable the netboot field and then grant SSH access for only that one
>> > command.   There is some example of that technique posted here, which
>> > I personally haven't used, but I have it on good authority that it
>> > works well :)
>> >
>> > http://www.mythic-beasts.com/support/dyndns_howto.html
>> >
>> > This way (writing a script that calls "cobbler system edit --name=name
>> > --netboot-enabled=0") you make sure you've allowed remote access to
>> > changing only that one specific flag.   (This particular flag has the
>> > result of removing the per-system configuration file in /tftpboot that
>> > enables the system to boot to a specific PXE target)
>> >
>> > Incidentally, Matt Hyclak wrote a script to do this before you could
>> > do this in the cobbler command line.  That script is mentioned on this
>> > page:
>> >
>> > https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerApi
>> >
>> > The alternative to SSH is to make the cgi that does this setuid root,
>> > which has security implications.
>> >
>> > Another (perhaps simpler) option is set network boot lower in the BIOS
>> > order (so hard drives first), and then when it comes time to reinstall
>> > them, you can use
>> > "koan --replace-self --server=bootserver.example.com --profile=name"
>> > to do the reinstall rather than needing to PXE.  If the Linux box is
>> > already running, you can invoke that koan call over SSH followed by a
>> > call to /sbin/reboot.    That will essentially do the same thing, and
>> > is what I do and generally recommend.
>> >
>> >
>>
>> Talking on IRC,
>>
>> We've decided we're going to implement the following:
>>
>> When /var/lib/cobbler/settings parameter "pxe_just_once" is set to 1,
>> we're going to add a line to the bottom of the kickstart to call
>> a CGI script.   (You'll also have to add a sudoers entry that we can
>> define in the manpage)
>>
>> There's going to be a wget to a CGI script that takes a cobbler system
>> name as a parameter.
>> This script invokes cobbler_set_netboot via sudo, which can do nothing
>> else but toggle the netboot-enabled parameter.
>> cobbler_set_netboot has permissions to only toggle the netboot flag
>>
>> So, in summary, all a user will need to do is:
>> -- flip the pxe_just_once switch in the settings file
>> -- add a sudoers entry (cobbler check can even show the user what this
>> entry must look like)
>>
>> We can do this :)
>>
>
>
> OK, this sounds like a reasonable solution for me, thanks all!
>
> -pete
>
>

I just committed this to git, if anyone wants to try it out...

All you have to do is change pxe_just_once to 1 in 
/var/lib/cobbler/settings and it works out of the box.   The $kickstart_done
symbol in the kickstart file is replaced automatically with the correct 
wget to make this happen.

To make a system PXE again after it trips off, just run:

cobbler system edit --name=foo --netboot-enabled=1

This behavior is off by default.

--Michael
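
The single-purpose helper discussed in this thread, sketched as an added example (not part of the original post and not cobbler's actual cobbler_set_netboot script): it validates the system name against an allowlist and can only ever run the one "cobbler system edit ... --netboot-enabled=0" command. The script name, install paths, web server user and name pattern are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical helper: disable netboot for one cobbler system, nothing else.

Intended to be the only command the web server user may run via sudo, e.g.
(assumed user and path): apache ALL=(root) NOPASSWD: /usr/local/sbin/netboot_off
"""
import re
import subprocess
import sys

COBBLER = "/usr/bin/cobbler"  # assumed install path; absolute so PATH is not trusted

# Allowlist for system names (assumption: letters, digits, '.', '_', '-').
# The first character must be alphanumeric so a name can never look like an option.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def build_command(name):
    """Return the fixed argv for a validated system name, or raise ValueError."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("invalid system name")
    # The flag value is hard-coded: a caller can only turn netboot off.
    return [COBBLER, "system", "edit",
            "--name=" + name, "--netboot-enabled=0"]


def main(argv):
    if len(argv) != 2:
        print("usage: netboot_off SYSTEM_NAME", file=sys.stderr)
        return 2
    try:
        cmd = build_command(argv[1])
    except ValueError as exc:
        print("rejected: %s" % exc, file=sys.stderr)
        return 1
    # argv list, no shell: the name is passed as data and never parsed by a shell.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The CGI script would pass the requested system name to this helper as its single argument via sudo; re-enabling PXE stays a manual "cobbler system edit --name=foo --netboot-enabled=1" on the server.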



