[et-mgmt-tools] FreeLinuxPC.org and a neat Cobbler trick/idea (WIP)

Michael DeHaan mdehaan at redhat.com
Mon Mar 3 21:55:52 UTC 2008


Michael DeHaan wrote:
> The UCLUG guys at FreeLinuxPC.org have a warehouse of 600 computers
> they are setting up to give away to kids that need them.
>
> Before this happens, they need to be securely erased. Now, we have
> instructions for using Cobbler to PXE DBAN (a secure erasure tool),
> and they could set up one network for erasure and another network for
> installation, but, at least theoretically, is it possible for Cobbler
> to install one OS (DBAN) and then install another right afterwards,
> using the Cobbler API to switch between them at reboot, so you don't
> have to move machines between networks or issue any cobbler commands
> at all? The theory is yes, though we're figuring this out.
>
> This is a fun problem, a good cause, and a chance to abuse the Cobbler
> API some. Here goes...
>
> Scenario:
>    -- You have a bunch of new machines come in off trucks
>    -- You need Cobbler records for each of them (per MAC), but do not want to record them manually
>    -- Each new machine should be securely erased.
>    -- After the machine is erased, it should get a new OS.
>    -- once the final OS is installed, the system should not be PXE'd again
>
> Proposed Solution:
> -- First create two cobbler scripts using the Cobbler XMLRPC Read-Write API (to be provided later...stay tuned)
>    -- add_system.cgi, which detects the MAC from HTTP vars and adds it to cobbler
>    -- change_profile.cgi, which detects the MAC and takes a "profile" parameter, sets the system record for the MAC to the given profile
> -- Create a cobbler profile called "default"
>    -- the default profile has "kssendmac" in the kernel args so the scripts can find the MAC
>       -- wget http://cobbler.example.org/cgi-bin/add_system.cgi
>       -- second wget to http://cobbler.example.org/cgi-bin/change_profile.cgi?profile=erase
>       -- it does not call nopxe.cgi
> -- Create a second cobbler profile called "erase"
>    -- modified DBAN initrd
>    -- it first makes a wget to http://cobbler.example.org/cgi-bin/change_profile?profile=productionOS
>    -- then it erases the machine and rebo
>    -- it does not call nopxe.cgi
> -- "productionOS" is the final profile.
>    -- it calls nopxe.cgi in post (already available in Cobbler) to stop the boot loop chain
>
> So basically, with a couple of scripts written in Cobbler API, we can
> boot a system three times, chaining what gets installed each time.
>
> I think the scripts above are interesting enough to be used on a wider
> basis -- particularly the idea of making sure all MACs get a cobbler
> system record. The "change profile" scripts are a bit of a security
> problem, but not in this case as it's a limited use network. Either
> way, I plan on polishing these up a bit, explaining them further on
> the Wiki, and making them more generally useful.
>
> --Michael

I have register_mac.cgi and change_profile.cgi now pushed to the master
branch of git in the "scripts" directory. They are not installed by the
RPM by default for security reasons; it's up to you as to how wide open
your provisioning network should be.

The next plan is to make new settings in the settings file for
"allow_cgi_mac_registration" and "allow_cgi_profile_change" (default to
off) so we can in fact ship these scripts and they will no longer need
the XMLRPC_RW API.

Currently register_mac.cgi will create a system record named after the
MAC (ex: AA_BB_CC_DD_EE_FF -- just like old style Cobbler) if there is
no system anywhere in the Cobbler database with the given MAC. If there
is a record, it will not overwrite or change it.

Currently change_profile.cgi will change the profile matching the IP
and/or MAC of the requestor (if one exists) to the profile requested,
but will not make any changes if it is not found.

This work will be done on the devel branch for Cobbler 0.9.X. Wiki docs
TBD after more testing and cleanup there.

--Michael
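
The behaviour described above for register_mac.cgi and change_profile.cgi, gated by the two planned default-off settings, as an added Python sketch that is not part of the original post and is not Cobbler's code. The in-memory `systems` dict, the return strings, the check that the requested profile exists, and the `X-RHN-Provisioning-MAC-N` header form assumed for kssendmac are all assumptions.

```python
import re

# Hypothetical in-memory stand-ins for Cobbler's settings and system records.
DEFAULT_SETTINGS = {"allow_cgi_mac_registration": False,
                    "allow_cgi_profile_change": False}
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def mac_from_environ(environ):
    """Return the first valid MAC found in kssendmac-style headers, else None."""
    for key in sorted(environ):
        # Assumed header form: "X-RHN-Provisioning-MAC-0: eth0 AA:BB:CC:DD:EE:FF"
        if key.startswith("HTTP_X_RHN_PROVISIONING_MAC_"):
            parts = environ[key].split()
            if parts and MAC_RE.match(parts[-1].upper()):
                return parts[-1].upper()
    return None


def register_mac(systems, settings, environ, profile="default"):
    """Create a record named after the MAC only if no record has that MAC."""
    if not settings.get("allow_cgi_mac_registration", False):
        return "disabled"
    mac = mac_from_environ(environ)
    if mac is None:
        return "no-mac"            # malformed or missing header: create nothing
    if any(rec["mac"] == mac for rec in systems.values()):
        return "exists"            # never overwrite or change an existing record
    systems[mac.replace(":", "_")] = {"mac": mac, "ip": None, "profile": profile}
    return "created"


def change_profile(systems, settings, profiles, environ, requested):
    """Switch the requestor's own record to `requested`; no match, no change."""
    if not settings.get("allow_cgi_profile_change", False):
        return "disabled"
    if requested not in profiles:  # added check, not stated in the post
        return "unknown-profile"
    mac = mac_from_environ(environ)
    ip = environ.get("REMOTE_ADDR")
    for rec in systems.values():
        if (mac and rec["mac"] == mac) or (ip and rec["ip"] == ip):
            rec["profile"] = requested
            return "changed"
    return "not-found"
```

Both the header value and the source address are supplied by the client, so the default-off settings and the isolation of the provisioning network remain the real controls.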






