
hrumph2

Member


  1. Fri Sep 7 19:00:03 2018

    Maybe this is a bit off topic but I've set things up so clonedeploy installs the salt management system (by copying the necessary files over to windows/setup/scripts). This results in a fluid transition from deployment (using CloneDeploy) to management (using salt). I'm not autojoining the machines at the moment however because our business process for naming and joining is a bit ad hoc.

    Edit: the salt IDs (names) we use remain static for the life of the computer. The windows names can change depending on deployment usage. In the CloneDeploy system the computers have the salt names. They are given those names on deployment and the salt installer picks up that name (and uses that salt id from thenceforth). Computers are also physically labeled with the salt IDs. The Windows computer names will change to something else before domain joining. It would seem logical that a similar approach could be taken depending on which management system you want to go with (be it salt, puppet, ansible, or various windows tools etc.)

  2. Fri Sep 7 16:27:26 2018
    hrumph2 posted in Win 10 Imaging.

    @NMGAdmin Ok, I have a sample file now. Does the unattend.xml file go on the PC that is being captured as the source image?

    Yes it does and unattend.xml can be put in C:\Windows\system32\sysprep (but I don't think it has to go there or anywhere in particular). It gets validated (and cached somewhere) when you call sysprep with the unattend switch
    (e.g. sysprep.exe /oobe /generalize /shutdown /unattend:C:\Windows\system32\sysprep\unattend.xml).
    It gets used when you start up a freshly imaged PC assuming the image has been sysprepped.

    First attempt to fully prepare your PC in audit mode (this may not always be possible due to update issues). To do this, rather than creating a user and logging in after the initial install, instead hit CTRL-SHIFT-F3. This will take you straight into audit mode as the admin user.

    When in audit mode attempt to get the PC fully updated and install software. You can then write an unattend file yourself which might work, but if it's your first go-round you should probably install Windows ADK, specifically the system image manager component. With the system image manager you can load in a file called install.wim (found in the sources directory of your installation disk [or USB]). Once you do that you can start creating an answer file using the GUI and then save it.

    When you are in audit mode, if you reboot your PC it will reboot again in audit mode.

  3. Mon Aug 20 17:48:32 2018

    Same problem on Fedora 27. I assume that this has something to do with the mono upgrade too.

  4. Wed May 9 18:59:01 2018
    hrumph2 started the conversation Questions about sysprep tags.

    Hi,
    I was just experimenting with the sysprep tags. My understanding is that if

       {OPENING_TAG} .... {CLOSING_TAG}

    is found in the answer file then

       {OPENING_TAG} .... {CLOSING_TAG}

    will be replaced by the tag contents (no matter what's in between the tags). So far so good (if my understanding is correct),
    but the *only* example I could find online used html/xml angle brackets as part of the tag names. e.g.

    Opening tag: <opening_tag>

    Closing tag: </closing_tag>

    When I try to enter in these tag names, I get the following error:

    Request validation detected a potentially dangerous input value from the client and aborted the request. This might be an attemp of using cross-site scripting to compromise the security of your site. You can disable request validation using the 'validateRequest=false' attribute in your page or setting it in your machine.config or web.config configuration files. If you disable it, you're encouraged to properly check the input values you get from the client.
    You can get more information on input validation here: http://www.cert.org/tech_tips/malicious_code_mitigation.html

    It looks like this would be easy to fix, so I have a few questions.

    1. Is this a bug or do I misunderstand tags?
    2. If this is not a bug, do we have to use the xml/html style tags with the angle brackets or is this just recommended practice?
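An added example (not CloneDeploy's code and not part of the post above): a small Python model of the two things the post describes. `replace_between_tags` implements the replacement semantics as the poster understands them (everything from the opening tag through the closing tag is replaced by the tag contents, whatever lies in between). `is_rejected_by_request_validation` approximates the rule behind the quoted ASP.NET/Mono error: System.Web's request validator flags a `<` followed by a letter, `!`, `/` or `?`, and `&` followed by `#`. The regex, the function names and the sample answer-file text are my own constructions; that Mono applies exactly the .NET rule is an assumption.

```python
import re

# Constructed sample answer-file fragment (not a real CloneDeploy or sysprep file).
SAMPLE_ANSWER_FILE = (
    "ComputerName={OPENING_TAG} anything, even\nnewlines {CLOSING_TAG}\n"
    "Owner={OPENING_TAG}x{CLOSING_TAG}\n"
)


def replace_between_tags(answer_file: str, opening: str, closing: str, contents: str) -> str:
    """Replace every opening..closing span, inclusive, with `contents`.

    Tag names are matched literally (re.escape), so braces or angle brackets in
    the tag name are not a problem for the replacement itself.  The match is
    non-greedy and spans newlines, so each tag pair is handled separately.
    The lambda keeps backslashes in `contents` (e.g. Windows paths) literal.
    """
    pattern = re.compile(re.escape(opening) + r".*?" + re.escape(closing), re.DOTALL)
    return pattern.sub(lambda _m: contents, answer_file)


# Approximation of System.Web's IsDangerousString (assumption: Mono matches .NET):
#   '<' followed by a letter, '!', '/' or '?'   -> rejected
#   '&' followed by '#'                         -> rejected
# Everything else, including a bare '<' before a space, is accepted.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def is_rejected_by_request_validation(value: str) -> bool:
    """True if ASP.NET request validation would abort a request carrying `value`."""
    return _DANGEROUS.search(value) is not None


def offending_fragment(value: str):
    """The first two-character sequence that trips the validator, or None."""
    m = _DANGEROUS.search(value)
    return m.group(0) if m else None


def check_tag_names(*names: str) -> dict:
    """Map each candidate tag name to the fragment that gets it rejected (None = accepted)."""
    return {name: offending_fragment(name) for name in names}


if __name__ == "__main__":
    print(replace_between_tags(SAMPLE_ANSWER_FILE, "{OPENING_TAG}", "{CLOSING_TAG}", "PC-0001"))
    # Brace-style names pass; the xml/html-style names from the post are rejected
    # because of "<o" and "</" respectively.
    for name, why in check_tag_names("{OPENING_TAG}", "{CLOSING_TAG}",
                                     "<opening_tag>", "</closing_tag>").items():
        print(f"{name!r}: {'rejected on ' + repr(why) if why else 'accepted'}")
```

Note that the validator looks at the raw submitted field, so it is the two-character prefix of the tag name, not the tag-replacement logic, that produces the error. The error text's own suggestion (`validateRequest=false`) switches the check off for the whole page; a per-field check like the one modelled here is the narrower alternative if markup-like tag names really have to be accepted.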

  5. Mon May 7 01:52:23 2018
    hrumph2 posted in Secure Boot Hurdles.

    Create the free and paid versions. I don't think it will hurt with the core mission at all. It may actually help in some way. If you tell people they have to pay (or work) for something it can bring respect.

  6. Fri May 4 18:02:11 2018
    hrumph2 posted in Security Question.

    I did eventually recompile ipxe.efi. When building it seemed that I also had to embed an efi script that looked something like this:

    #!ipxe
    dhcp
    tftp://[server ip]/proxy/efi64/pxelinux.cfg/default.ipxe

    The build command looked like this:

    make bin-x86_64-efi/ipxe.efi TRUST=[path to certificate] CERT=[path to certificate]  EMBED=[path to script]

    The good news is that things are working now (so far).

    Edit: I also had to edit a source file to enable HTTPS downloading before building.

  7. Fri May 4 17:54:28 2018
    hrumph2 posted in Got this working on Fedora 25.

    Ok I still haven't tried out CloneDeploy Proxy DHCP. I'm still using DNSmasq. This is the first time I've worked with efi boot and so far I've only been able to get ipxe.efi to work.

    The critical line seems to be
    pxe-service=X86-64_EFI, "PXELINUX (EFI)", "/proxy/efi64/ipxe.efi",
    and I know I can granularise by PC because you can tag by mac address in dnsmasq.

    For the computer I was testing on ipxe.efi worked but syslinux.efi did not. For syslinux.efi is there something more that the DHCP service must do other than send the file? Do you think this is my failure to configure Dnsmasq properly, or would it be the case that syslinux.efi doesn't work with this particular model?

  8. Thu May 3 14:54:01 2018
    hrumph2 posted in Security Question.

    I just realised that manually editing the files isn't really going to cut it because the specific menu files that get created when a task is started would also have to be edited and that's too much manual work. Anyway it's not a big deal. Thanks a lot for clonedeploy. I love it but I recognise that it's still not getting the deserved acclaim.

  9. Thu May 3 02:27:40 2018
    hrumph2 started the conversation Security Question.

    I have upgraded to clonedeploy 1.3.3 (from 1.2.x) in Fedora. I should note that https will not work without the mono complete package installed from the mono repo. (Without this I got some error about tokens, I forget what it is.) This isn't a complaint. I'm just saying this in case anyone else has the same problem.

    Furthermore I have some questions about security. I'm trying to use ipxe, but the ipxe devels have been very annoying with their TLS implementation. You can't just set a flag to say "please don't check certificates". If you want to use your own root certificate you have to build your own ipxe binaries (NO THANK YOU!). Anyway I'm trying to use https as much as possible. At some point during the process the SMB password has to be communicated to the client and I assume this is through http. If https is not used during that step is there any other encryption securing the passwords? Also if you don't have a task set up and choose clone deploy from the menu it will ask for the clone deploy user name and password? If https is not used at that point, once again is there any encryption of the passwords? Thanks in advance for answering. I think that the answer will be no and no in which case I'll have to allow for http for the kernel and image fetching (I forget the path) and manually edit the ipxe menu file, to change https to http in that file.

  10. Thu May 3 02:16:17 2018
    hrumph2 started the conversation issue with multicast.

    Hi,
    thanks for CloneDeploy. I wish to point out that the multicast didn't work for me when the IP/FQDN setting is a FQDN (as opposed to a numeric IP). Doesn't make a real difference because it's all working in any case.
