
Fixes #22756 - Allow provisioning based on MAC address #5290

Merged
merged 1 commit into from Mar 12, 2018

Conversation

@karras (Contributor) commented Mar 4, 2018

This PR allows provisioning based on MAC address also for non-EL systems like Ubuntu or openSUSE. There was already a PR, #1106, several years ago, but it was sadly never merged.

I don't think the security concerns mentioned in #1106 are really an issue, as templates can only be accessed when a host is in build mode, even when faking the MAC address. By choosing an appropriate build / token TTL this security risk can be minimized.

More details can be found here: https://projects.theforeman.org/issues/22756

@theforeman-bot (Member) commented

Do not merge! This patch has not been tested yet.

Can an existing organization member please verify this patch?


@theforeman-bot (Member) commented

Issues: #22756

@iNecas (Member) commented Mar 5, 2018

ok to test

@iNecas (Member) commented Mar 5, 2018

@dLobatog as you were involved in the original PR, mind having a look? Seems innocent enough

@lzap (Member) commented Mar 7, 2018

I am fine with this. @karras, can you show us the templates you use for this workflow? Perhaps making the changes in the https://github.com/theforeman/community-templates repo would be appropriate.

@karras (Contributor, Author) commented Mar 7, 2018

We use an iPXE image with a configuration which looks like this:

```
#!ipxe

dhcp
chain http://foreman.example.com/unattended/iPXE?mac=${netX/mac}
```

This way we can provision all clients using the same image as the chain script is downloaded from Foreman. All other templates (e.g. preseed) are then accessed via the token URLs.

iPXE template:

```
#!ipxe
<% kernel, initrd = @host.operatingsystem.boot_files_uri(@host.medium,@host.architecture) -%>
kernel <%= kernel %> auto locale=en_US.UTF-8 language=en country=US keymap=us hostname=<%= @host %> interface=auto url=<%= foreman_url('provision')%> -- quiet
initrd <%= initrd %>

console --picture http://webserver.example.com/company_logo.png

boot
```

The finish templates are basically embedded the same way via foreman_url() to use the build tokens.

I haven't checked it, but I guess it would be good to update the documentation as well. I'd suggest describing this case in the documentation and adding the iPXE configuration at the top to the community-templates repo.

What do you think?
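The gating that the thread relies on (a MAC-only request reaches a template only while the matching host is in build mode, and token URLs additionally expire with the token TTL) as an added, stand-alone Ruby model; this is constructed example code, not Foreman's or the PR's own implementation, and the `Host` struct, the `HOSTS` inventory and the function names are assumptions:

```ruby
# Constructed model of an unattended endpoint that resolves a host either by
# MAC (the initial iPXE chain request) or by build token (later template
# fetches), and refuses to render anything unless the host is in build mode.
Host = Struct.new(:name, :mac, :build, :token, :token_expires_at)

# Minimal in-memory inventory standing in for the database (constructed data).
HOSTS = [
  Host.new('web01.example.com', '52:54:00:aa:bb:cc', true,  'tok-web01',
           Time.utc(2018, 3, 12, 12, 0, 0)),
  Host.new('db01.example.com',  '52:54:00:dd:ee:ff', false, nil, nil),
].freeze

# Normalise MACs so "52-54-00-AA-BB-CC" and "52:54:00:aa:bb:cc" compare equal;
# returns nil for anything that is not exactly 12 hex digits.
def normalize_mac(mac)
  hex = mac.to_s.downcase.gsub(/[^0-9a-f]/, '')
  return nil unless hex.length == 12
  hex.scan(/../).join(':')
end

def find_host_by_mac(mac, hosts = HOSTS)
  wanted = normalize_mac(mac)
  return nil if wanted.nil?
  hosts.find { |h| normalize_mac(h.mac) == wanted }
end

# A token, when present, takes precedence over the MAC: token URLs are what
# the provision/finish templates use, the MAC is only for the first chain.
def lookup_host(mac: nil, token: nil, hosts: HOSTS)
  if token
    hosts.find { |h| h.token && h.token == token }
  elsif mac
    find_host_by_mac(mac, hosts)
  end
end

# Returns [:ok, hostname] or [status, reason]. Build mode is required for
# every request; token requests additionally fail once the token TTL passed.
def authorize_template(mac: nil, token: nil, now: Time.now.utc, hosts: HOSTS)
  host = lookup_host(mac: mac, token: token, hosts: hosts)
  return [:not_found, 'no host matches the request'] if host.nil?
  return [:forbidden, 'host is not in build mode'] unless host.build
  if token && host.token_expires_at && now > host.token_expires_at
    return [:forbidden, 'build token expired']
  end
  [:ok, host.name]
end
```

Shortening `token_expires_at` is the TTL knob the discussion refers to: a spoofed MAC buys nothing for a host that is not in build mode, and a leaked token stops working once the window closes.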

@lzap (Member) commented Mar 12, 2018

Well, I think this is okay. If you have foreman bootdisk installed, you actually already have this code. Can you go ahead and, once this is merged, please file a PR into bootdisk to remove its extension?

https://github.com/theforeman/foreman_bootdisk/blob/master/app/controllers/concerns/foreman_bootdisk/unattended_controller_ext.rb

The security concern is not valid IMHO: you can spoof by MAC today (when bootdisk is enabled); we just move this from the plugin to core. Also it is possible to spoof the MAC via HTTP headers, and via REMOTE_IP as well. It's a dangerous world outside; provisioning networks must be secured at all costs.

@lzap (Member) left a review comment

Please file a PR to the bootdisk plugin and remove the extension from there.

@karras (Contributor, Author) commented Mar 12, 2018

Done: theforeman/foreman_bootdisk#58

Should I also try to update the documentation or is this not necessary?

Thanks! :)

@lzap (Member) commented Mar 13, 2018

Thanks. If you want to, it's here: https://github.com/theforeman/theforeman.org, but I don't think we have much on this topic.
