[et-mgmt-tools] boot locally after install via cobbler

Peter Wright wright at imageworks.com
Fri Aug 3 17:10:50 UTC 2007


Michael DeHaan wrote:
>
> Peter Wright wrote:
> > Michael DeHaan wrote:
> >>
> >> Michael DeHaan wrote:
> >> > Peter Wright wrote:
> >> >> Harry Hoffman wrote:
> >> >>>
> >> >>> Hi Peter,
> >> >>>
> >> >>> No, I don't think that'll work... but if you wrote a quick cgi to
> >> >>> accept
> >> >>> the args of mac addr and netboot then you could exec the cobbler
> >> >>> command...
> >> >>>
> >> >>> something like
> >> >>>
> >> >>> %post
> >> >>>
> >> >>> wget
> >> >>>
> >> >>> http://cobbler/cgi-bin/done_install?mac=00:11:22:33:44:55&netboot=n
> >> >>>
> >> >>> You'd of course want to do the normal sanitization of user data.
> >> >>>
> >> >>> I've got a script that I could modify to do this, let me know if you
> >> >>> need/want it.
> >> >>>
> >> >>> Cheers,
> >> >>> Harry
> >> >>>
> >> >>
> >> >>
> >> >>
> >> >> OK - I think I'm getting this thing now.  Nice - if you don't mind
> >> >> posting that script I'd love to take a look at it.
> >> >>
> >> >> -p
> >> >>
> >> > Harry has the right idea -- still though, CGI scripts should be
> >> > running as the apache user and not root.   This means they won't (by
> >> > design) have access to modify the cobbler configuration.   What you
> >> > would really want to do is write a simple script that can /only/
> >> > disable the netboot field and then grant SSH access for only that one
> >> > command.   There is some example of that technique posted here, which
> >> > I personally haven't used, but I have it on good authority that it
> >> > works well :)
> >> >
> >> > http://www.mythic-beasts.com/support/dyndns_howto.html
> >> >
> >> > This way (writing a script that calls "cobbler system edit --name=name
> >> > --netboot-enabled=0") you make sure you've allowed remote access to
> >> > changing only that one
> >> > specific flag.   (This particular flag has the result of removing the
> >> > per-system configuration file in /tftpboot that enables the system to
> >> > boot to a specific PXE target)
> >> >
> >> > Incidentally, Matt Hyclak wrote a script to do this before you could
> >> > do this in the cobbler command line.  That script is mentioned on this
> >> > page:
> >> >
> >> > https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerApi
> >> >
> >> > The alternative to SSH is to make the cgi that does this setuid root,
> >> > which has security implications.
> >> >
> >> > Another (perhaps simpler) option is to set network boot lower in the BIOS
> >> > order (so hard drives first), and then when it comes time to reinstall
> >> > them, you can use
> >> > "koan --replace-self --server=bootserver.example.com --profile=name"
> >> > to do the reinstall rather than needing to PXE.  If the Linux box is
> >> > already running, you can invoke that koan call over SSH followed by a
> >> > call to /sbin/reboot.    That will essentially do the same thing, and
> >> > is what I do and generally recommend.
> >> >
> >> >
> >>
> >> Talking on IRC,
> >>
> >> We've decided we're going to implement the following:
> >>
> >> When /var/lib/cobbler/settings parameter "pxe_just_once" is set to 1,
> >> we're going to add a line to the bottom of the kickstart to call
> >> a CGI script.   (You'll also have to add a sudoers entry that we can
> >> define in the manpage)
> >>
> >> There's going to be a wget to a CGI script that takes a cobbler system
> >> name as a parameter.
> >> This script invokes cobbler_set_netboot via sudo, which can do nothing
> >> else but toggle the netboot-enabled parameter.
> >> cobbler_set_netboot has permissions to only toggle the netboot flag
> >>
> >> So, in summary, all a user will need to do is:
> >> -- flip the pxe_just_once switch in the settings file
> >> -- add a sudoers entry (cobbler check can even show the user what this
> >> entry must look like)
> >>
> >> We can do this :)
> >>
> >
> >
> > OK, this sounds like a reasonable solution for me, thanks all!
> >
> > -pete
> >
> >
>
> I just committed this to git, if anyone wants to try it out...
>
> All you have to do is change pxe_just_once to 1 in
> /var/lib/cobbler/settings and it works out of the box.   The $kickstart_done
> symbol in the kickstart file is replaced automatically with the correct
> wget to make this happen.
>
> To make a system PXE again after it trips off, just run:
>
> cobbler system edit --name=foo --netboot-enabled=1
>
> This behavior is off by default.
>

It works!  I had to set my SELinux policy to permissive as I have not
set up any custom rule-sets yet.  I'll get those set up shortly.  All I
had to do was add the $kickstart_done line to my custom kickstart %post
section and we are off to the races.

thanks all!

-pete



-- 
Peter Wright
Systems Administrator
Sony Pictures Imageworks
wright at imageworks.com
www.imageworks.com
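An added example of the CGI side of the scheme the thread settles on (written for this page; it is neither Cobbler's own implementation nor the script Harry offered). It assumes a root-only wrapper at /usr/local/sbin/cobbler_set_netboot that takes exactly one argument, the system name, and itself runs `cobbler system edit --name=<name> --netboot-enabled=0` with the flag hard-coded, together with a sudoers line `apache ALL=(root) NOPASSWD: /usr/local/sbin/cobbler_set_netboot`; both paths and the `system=` parameter name are assumptions. The CGI runs as the apache user, checks the name against an allowlist before it gets anywhere near sudo, and hands it over as a single argv element rather than through a shell:

```python
#!/usr/bin/env python3
"""done_install: CGI handler for the "pxe_just_once" idea from the thread.

Added example, not Cobbler's own code.  Assumed layout (none of it is from
the thread):
  * this file is /var/www/cgi-bin/done_install, run by Apache as "apache"
  * /usr/local/sbin/cobbler_set_netboot is a root-only wrapper that takes
    one argument (a system name) and runs
        cobbler system edit --name=<name> --netboot-enabled=0
    with the flag hard-coded, so it can do nothing else
  * /etc/sudoers contains
        apache ALL=(root) NOPASSWD: /usr/local/sbin/cobbler_set_netboot
"""
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

WRAPPER = "/usr/local/sbin/cobbler_set_netboot"  # assumed path

# Allowlist for the one piece of user data we forward: a system name.
# Letters, digits, dot, dash, underscore; 1-64 chars; starts alphanumeric.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_name(name):
    """Return name unchanged if it matches the allowlist, else raise ValueError."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected system name: %r" % name)
    return name


def build_command(name):
    """argv for the privileged call: a list, never a shell string, so the
    name stays one argument even if the allowlist were relaxed later."""
    return ["sudo", "-n", WRAPPER, validate_name(name)]


def handle_request(query_string, run=subprocess.call):
    """Parse QUERY_STRING and invoke the wrapper; return (http_status, body).

    `run` is injectable so the logic can be exercised without sudo/cobbler.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    names = params.get("system", [])
    if len(names) != 1:
        return 400, "exactly one system= parameter is required\n"
    try:
        argv = build_command(names[0])
    except ValueError as exc:
        return 400, "%s\n" % exc
    rc = run(argv)
    if rc != 0:
        return 500, "cobbler_set_netboot failed (exit %d)\n" % rc
    return 200, "netboot disabled for %s\n" % names[0]


def main():
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write("Status: %d\r\nContent-Type: text/plain\r\n\r\n%s"
                     % (status, body))


if __name__ == "__main__":
    main()
```

The kickstart %post would then call it with something like `wget -q -O /dev/null "http://cobbler/cgi-bin/done_install?system=web01"`. Two points follow from the design as described in the thread: the wrapper, not the CGI, decides which cobbler field changes, so even a bug in this handler cannot do more than disable netboot for a system; and the endpoint carries no authentication, so anything that can reach the web server can disable PXE for any system name it can guess, which is acceptable for a PXE-once flag but is the reason nothing else should be reachable this way.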




