Fixes #22756 - Allow provisioning based on MAC address #5290
Conversation
Do not merge! This patch has not been tested yet. Can an existing organization member please verify this patch?
Issues: #22756
ok to test
@dLobatog as you were involved in the original PR, mind having a look? Seems innocent enough
I am fine with this, @karras can you show us templates you use for this workflow? Perhaps making the changes in https://github.com/theforeman/community-templates repo would be appropriate.
We use an iPXE image with a configuration which looks like this:
This way we can provision all clients using the same image as the chain script is downloaded from Foreman. All other templates (e.g. preseed) are then accessed via the token URLs. iPXE Template:
The finish templates are basically embedded the same way via I haven't checked it but I guess it would be good to update the documentation as well. I'd suggest to describe this case in the documentation and add the iPXE at the top to the community-templates repo. What do you think?
Well I think this is okay. If you have foreman bootdisk installed, you actually already have this code. Can you go ahead and once this is merged, please file PR into bootdisk to remove its extension? Security concern is not valid IMHO, you can spoof by MAC today (when bootdisk is enabled), we just move this from the plugin to core. Also it is possible to spoof via MAC through HTTP headers and also via REMOTE_IP as well. It's dangerous world outside, provisioning networks must be secured at all costs.
Please file PR to bootdisk plugin and remove the extension from there.
Done: theforeman/foreman_bootdisk#58 Should I also try to update the documentation or is this not necessary? Thanks! :)
Thanks, if you want to its here: https://github.com/theforeman/theforeman.org but I don't think we have much on this topic.
This PR allows provisioning based on MAC address also for non-EL systems like Ubuntu or openSUSE. There was already a PR (#1106) several years ago, but it was sadly never merged.
I don't think the security concerns mentioned in #1106 are really an issue, as templates can only be accessed when a host is in build mode, even when faking the MAC address. By choosing an appropriate build / token TTL this security risk can be minimized.
More details can be found here: https://projects.theforeman.org/issues/22756
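The access rule the PR description relies on (a template fetched by MAC address is served only while the matching host is in build mode and its token is within TTL), as an added illustration written for this page rather than Foreman's own code; the `Host` class, the function names and the sample inventory are hypothetical:

```python
# Hypothetical model of the authorization decision discussed in this PR.
# Not Foreman's implementation: the data and names are constructed here.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Host:
    mac: str                             # primary interface MAC as stored
    build: bool                          # True while the host is in build mode
    token_issued_at: Optional[datetime]  # when the build token was minted, if any

def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated, exactly 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def template_allowed(hosts: List[Host], mac: str, now: datetime,
                     token_ttl: timedelta) -> Tuple[bool, str]:
    """Return (allowed, reason). The MAC is the only identity presented, so
    every gate that applies to token URLs (build flag, TTL) applies here too."""
    try:
        wanted = normalize_mac(mac)
    except ValueError:
        return False, "malformed mac"
    host = next((h for h in hosts if normalize_mac(h.mac) == wanted), None)
    if host is None:
        return False, "unknown mac"
    if not host.build:
        return False, "not in build mode"
    if host.token_issued_at is None or now - host.token_issued_at > token_ttl:
        return False, "token expired"
    return True, "ok"

# Constructed sample inventory covering the three outcomes the PR text describes.
NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)
TTL = timedelta(hours=1)
HOSTS = [
    Host("aa:bb:cc:dd:ee:01", True, NOW - timedelta(minutes=10)),   # building, fresh token
    Host("aa:bb:cc:dd:ee:02", False, NOW - timedelta(minutes=10)),  # already built: refuse
    Host("aa:bb:cc:dd:ee:03", True, NOW - timedelta(hours=3)),      # build flag set, token stale
]

if __name__ == "__main__":
    for mac in ("AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02",
                "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:99"):
        print(mac, template_allowed(HOSTS, mac, NOW, TTL))
```

A denied lookup for an unknown or stale MAC is worth logging, since on a provisioning network that is the visible trace of the spoofing the reviewers mention.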