Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove trusted proxies around auto.ipxe: #363

Merged
merged 8 commits into from
Nov 3, 2023
Merged

Remove trusted proxies around auto.ipxe: #363

merged 8 commits into from
Nov 3, 2023

Conversation

jacobweinstock
Copy link
Member

Description

This moves from using IP auth via the source IP address and the trusted proxies cli flag/env var to using the MAC address in the URL in order to determine the Hardware to lookup when serving the auto.ipxe. For example: http://192.168.2.3/40:15:ff:89:cc:0e/auto.ipxe

This opens up the auto.ipxe script to be able to be served across network address translation (NAT) layers and simplifies the deployment by not having to deal with the X-Forwarded-For (XFF) header.

Why is this needed

Fixes: #

How Has This Been Tested?

How are existing users impacted? What migration steps/scripts do we need?

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade

@jacobweinstock
Remove trusted proxies around auto.ipxe:
d60bd52 
Move from using IP auth via the source IP address
to using the MAC address in the URL in order to determine
the Hardware to lookup when serving the auto.ipxe.
This opens up the auto.ipxe script to be able to be served
across network address translation (NAT) layers and simplifies
the deployment.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Update the CLI help message:
05e6267 
Improved usage and description.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Fix docker compose:
0efd26d 
It wasn't working as the env vars weren't correct.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Update readme:
4221522 
Added the new CLI help usage and
updated the section on running Smee manually.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Clean up ipxe script code:
52bab95 
Unexport functions that don't need to be public.
Removed an unused interface and the GetByIP function.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
chrisdoherty4
chrisdoherty4 reviewed Nov 3, 2023
View reviewed changes
README.md Outdated
-http-addr [http] local IP:Port to listen on for iPXE HTTP script requests (default "172.17.0.2:80")
-http-ipxe-binary-enabled [http] enable iPXE HTTP binary server (default "true")
-http-ipxe-script-enabled [http] enable iPXE HTTP script server (default "true")
-osie-url [http] URL where OSIE(Hook) images are located
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
-osie-url [http] URL where OSIE(Hook) images are located
-osie-url [http] URL where OSIE (Hook) images are located

Is it Hook or HookOS?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

chrisdoherty4
chrisdoherty4 reviewed Nov 3, 2023
View reviewed changes
cmd/smee/flag.go Outdated
@@ -114,7 +113,8 @@ func dhcpFlags(c *config, fs *flag.FlagSet) {
fs.StringVar(&c.dhcp.syslogIP, "dhcp-syslog-ip", detectPublicIPv4(""), "[dhcp] syslog server IP address to use in DHCP packets (opt 7)")
fs.StringVar(&c.dhcp.tftpIP, "dhcp-tftp-ip", detectPublicIPv4(":69"), "[dhcp] tftp server IP address to use in DHCP packets (opt 66, etc)")
fs.StringVar(&c.dhcp.httpIpxeBinaryURL, "dhcp-http-ipxe-binary-url", "http://"+detectPublicIPv4(":8080/ipxe/"), "[dhcp] HTTP ipxe binaries URL to use in DHCP packets")
fs.StringVar(&c.dhcp.httpIpxeScriptURL, "dhcp-http-ipxe-script-url", "http://"+detectPublicIPv4("/auto.ipxe"), "[dhcp] HTTP ipxe script URL to use in DHCP packets")
fs.StringVar(&c.dhcp.httpIpxeScript.url, "dhcp-http-ipxe-script-url", "http://"+detectPublicIPv4("/auto.ipxe"), "[dhcp] HTTP ipxe script URL to use in DHCP packets")
fs.BoolVar(&c.dhcp.httpIpxeScript.injectMacAddress, "dhcp-http-ipxe-script-prepend-mac", true, "[dhcp] prepend the hardware mac address to ipxe script URL base, http://1.2.3.4/auto.ipxe -> http://1.2.3.4/40:15:ff:89:cc:0e/auto.ipxe")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we're removing the IP mechanism so what happens when this is set to false?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mac addreess will not be included in the http ipxe script url. Setting this to false is useful when you are not using the auto.ipxe script in Smee. I have a comment over the struct field in main for c.dhcp.httpIpxeScript.injectMacAddress

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification.

cmd/smee/flag.go Outdated
@@ -114,7 +113,8 @@ func dhcpFlags(c *config, fs *flag.FlagSet) {
fs.StringVar(&c.dhcp.syslogIP, "dhcp-syslog-ip", detectPublicIPv4(""), "[dhcp] syslog server IP address to use in DHCP packets (opt 7)")
fs.StringVar(&c.dhcp.tftpIP, "dhcp-tftp-ip", detectPublicIPv4(":69"), "[dhcp] tftp server IP address to use in DHCP packets (opt 66, etc)")
fs.StringVar(&c.dhcp.httpIpxeBinaryURL, "dhcp-http-ipxe-binary-url", "http://"+detectPublicIPv4(":8080/ipxe/"), "[dhcp] HTTP ipxe binaries URL to use in DHCP packets")
fs.StringVar(&c.dhcp.httpIpxeScriptURL, "dhcp-http-ipxe-script-url", "http://"+detectPublicIPv4("/auto.ipxe"), "[dhcp] HTTP ipxe script URL to use in DHCP packets")
fs.StringVar(&c.dhcp.httpIpxeScript.url, "dhcp-http-ipxe-script-url", "http://"+detectPublicIPv4("/auto.ipxe"), "[dhcp] HTTP ipxe script URL to use in DHCP packets")
fs.BoolVar(&c.dhcp.httpIpxeScript.injectMacAddress, "dhcp-http-ipxe-script-prepend-mac", true, "[dhcp] prepend the hardware mac address to ipxe script URL base, http://1.2.3.4/auto.ipxe -> http://1.2.3.4/40:15:ff:89:cc:0e/auto.ipxe")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fs.BoolVar(&c.dhcp.httpIpxeScript.injectMacAddress, "dhcp-http-ipxe-script-prepend-mac", true, "[dhcp] prepend the hardware mac address to ipxe script URL base, http://1.2.3.4/auto.ipxe -> http://1.2.3.4/40:15:ff:89:cc:0e/auto.ipxe")
fs.BoolVar(&c.dhcp.httpIpxeScript.injectMacAddress, "dhcp-http-ipxe-script-prepend-mac", true, "[dhcp] prepend the hardware MAC address to ipxe script URL base, http://1.2.3.4/auto.ipxe -> http://1.2.3.4/40:15:ff:89:cc:0e/auto.ipxe")

? I also noticed ipxe and tftp (probably more) are lower cased. That feels inconsistent against the various HTTPs, DHCPs etc.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, I've updated all these.

@jacobweinstock
More clean up of XFF code
60e5b70 
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Standardized capitalization of words in the flags
1a24b55 
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock
Update readme help example
65a95b5 
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
@jacobweinstock jacobweinstock added the ready-to-merge Signal to Mergify to merge the PR. label Nov 3, 2023
@mergify mergify bot merged commit 122cf12 into tinkerbell:main Nov 3, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisdoherty4 chrisdoherty4 chrisdoherty4 approved these changes

Assignees
No one assigned
Labels
ready-to-merge Signal to Mergify to merge the PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jacobweinstock @chrisdoherty4