Feature #1069

closed

Unattended install behind firewall and built status

Added by NoName NoSurname over 12 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Category: Unattended installations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Hello,

It would be nice if we could build machines behind a firewall. The problem is that, today, the Kickstart will send, at the end, a wget "built" notification to the Foreman server. But if the machine is behind a firewall, Foreman will not know who this request comes from, as it only sees the FW IPs.

Is that possible?

Thanks


Related issues: 2 (0 open, 2 closed)

Related to Smart Proxy - Feature #969: Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy) (Closed; dustin tsang; 06/09/2011)
Has duplicate Foreman - Bug #1059: Post CentOS install build information to foreman not working (Duplicate; 07/21/2011)
Actions #1

Updated by Corey Osman over 12 years ago

I don't know much about the provisioning aspect of Foreman, but it seems the following URL works great when Foreman is on the same network.

http://foreman:3000/unattended/built (IP is inspected to verify build was successful)

However, in situations where NAT is used, I think we should be relying on a URL scheme rather than inspected IP packets.
This method would allow any system in any network to send the built ack to Foreman without worrying about NAT.

http://foreman:3000/unattended/fqdn/built

Actions #2

Updated by Ohad Levy over 12 years ago

Corey Osman wrote:

However, in situations where NAT is used, I think we should be relying on a URL scheme rather than inspected IP packets.
This method would allow any system in any network to send the built ack to Foreman without worrying about NAT.

My main concern here is security, since this is a non-authenticated call.

I'm more than open to suggestions on how to identify the requesting machine...

Actions #3

Updated by Marcello de Sousa over 12 years ago

Following the same line as suggested in #969 - Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy)

We would have to figure out exactly how, but the client server should never really need to contact Foreman directly (I want to have my Foreman firewalled), and IMHO this "built acknowledgement" should also be moved to the proxy.

Actions #4

Updated by Corey Osman over 12 years ago

Well, I would do something like this: wget -q -O /dev/null --no-check-certificate https://foreman/unattended/built/$UUID
where $UUID is a random string shared with the client at the time the provision file is generated. So in the provision file, the wget -q -O /dev/null --no-check-certificate https://foreman/unattended/built/$UUID line would be unique each time.

This would help by not relying on a specific IP to be present, and instead on a hard-coded MAC address and UUID.

Actions #5

Updated by Ohad Levy over 11 years ago

We can simply use a unique secure UUID to identify the system, very similar to how Puppet certnames work.
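
The two identification schemes discussed in #1, #4 and #5 side by side, as an added Ruby example that is not Foreman's own code: `BuildRegistry`, its method names and the sample hosts are constructed for illustration; the token-in-URL shape follows Corey's wget line, minus `--no-check-certificate`, since a token sent over an unverified TLS connection can be read by whoever terminates it.

```ruby
require 'securerandom'

# Toy model of the unattended "built" callback.
#   ip_built!    - original behaviour: resolve the host from the request's source IP
#   token_built! - the proposal in this thread: resolve the host from a per-build random token
class BuildRegistry
  Host = Struct.new(:name, :ip, :token, :built)

  def initialize
    @hosts = {}
  end

  # Called when the provisioning template is rendered for a host: mints a fresh
  # 128-bit token that appears only in that host's wget line.
  def provision(name, ip)
    token = SecureRandom.hex(16)
    @hosts[name] = Host.new(name, ip, token, false)
    "wget -q -O /dev/null https://foreman/unattended/built/#{token}"
  end

  # Source-IP scheme. Every host behind one NAT gateway arrives with the same
  # address, so the lookup is ambiguous as soon as two of them are building.
  # Returns the host name, or nil when there is no unique unbuilt match.
  def ip_built!(src_ip)
    matches = @hosts.values.select { |h| h.ip == src_ip && !h.built }
    return nil unless matches.size == 1
    matches.first.built = true
    matches.first.name
  end

  # Token scheme. The source IP is irrelevant; the token is compared in constant
  # time and burned after first use so a replayed request cannot flip the flag.
  def token_built!(token)
    host = @hosts.values.find { |h| h.token && secure_equal?(h.token, token) }
    return nil unless host && !host.built
    host.built = true
    host.token = nil
    host.name
  end

  def built?(name)
    @hosts[name] ? @hosts[name].built : nil
  end

  private

  # Constant-time byte comparison: the loop runs over the full length regardless
  # of where the first mismatch is, so timing does not leak the token prefix.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```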

Actions #6

Updated by Ohad Levy over 11 years ago

  • Category set to Unattended installations
  • Assignee set to Greg Sutcliffe
  • Target version set to 1.1

Actions #7

Updated by Anonymous over 11 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100