hrumph2

Member

Last active 2 months ago

  1. 2 months ago
    Wed May 9 18:59:01 2018
    hrumph2 started the conversation Questions about sysprep tags.

    Hi,
    I was just experimenting with the sysprep tags. My understanding is that if

       {OPENING_TAG} .... {CLOSING_TAG}

    is found in the answer file then

       {OPENING_TAG} .... {CLOSING_TAG}

    will be replaced by the tag contents (no matter what's in between the tags). So far so good (if my understanding is correct),
    but the *only* example I could find online used html/xml angle brackets as part of the tagnames. e.g.

    Opening tag: <opening_tag>

    Closing tag: </closing_tag>

    When I try to enter in these tag names, I get the following error:

    Request validation detected a potentially dangerous input value from the client and aborted the request. This might be an attemp of using cross-site scripting to compromise the security of your site. You can disable request validation using the 'validateRequest=false' attribute in your page or setting it in your machine.config or web.config configuration files. If you disable it, you're encouraged to properly check the input values you get from the client.<br>
    You can get more information on input validation <a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">here</a>.

    It looks like this would be easy to fix, so I have a few questions.

    1. Is this a bug or do I misunderstand tags?
    2. If this is not a bug, do we have to use the xml/html style tags with the angle brackets or is this just recommended practice?
  2. Mon May 7 01:52:23 2018
    hrumph2 posted in Secure Boot Hurdles.

    Create the free and paid versions. I don't think it will hurt with the core mission at all. It may actually help in some way. If you tell people they have to pay (or work) for something it can bring respect.

  3. Fri May 4 18:02:11 2018
    hrumph2 posted in Security Question.

    I did eventually recompile ipxe.efi. When building, it seemed that I also had to embed an efi script that looked something like this:

    #!ipxe
    dhcp
    chain tftp://[server ip]/proxy/efi64/pxelinux.cfg/default.ipxe

    The build command looked like this:

    make bin-x86_64-efi/ipxe.efi TRUST=[path to certificate] CERT=[path to certificate] EMBED=[path to script]

    The good news is that things are working now (so far).

    Edit: I also had to edit a source file to enable HTTPS downloading before building.

  4. Fri May 4 17:54:28 2018
    hrumph2 posted in Got this working on Fedora 25.

    Ok I still haven't tried out CloneDeploy Proxy DHCP. I'm still using DNSmasq. This is the first time I've worked with efi boot and so far I've only been able to get ipxe.efi to work.

    The critical line seems to be
    pxe-service=X86-64_EFI, "PXELINUX (EFI)", "/proxy/efi64/ipxe.efi",
    and I know I can granularise by PC because you can tag by mac address in dnsmasq.

    For the computer I was testing on, ipxe.efi worked but syslinux.efi did not. For syslinux.efi, is there something more that the DHCP service must do other than send the file? Do you think this is my failure to configure Dnsmasq properly, or would it be the case that syslinux.efi doesn't work with this particular model?

  5. Thu May 3 14:54:01 2018
    hrumph2 posted in Security Question.

    I just realised that manually editing the files isn't really going to cut it because the specific menu files that get created when a task is started would also have to be edited and that's too much manual work. Anyway it's not a big deal. Thanks a lot for clonedeploy. I love it but I recognise that it's still not getting the deserved acclaim.

  6. Thu May 3 02:27:40 2018
    hrumph2 started the conversation Security Question.

    I have upgraded to clonedeploy 1.3.3 (from 1.2.x) in Fedora. I should note that https will not work without the mono complete package installed from the mono repo. (Without this I got some error about tokens, I forget what it is.) This isn't a complaint. I'm just saying this in case anyone else has the same problem.

    Furthermore I have some questions about security. I'm trying to use ipxe, but the ipxe devels have been very annoying with their TLS implementation. You can't just set a flag to say "please don't check certificates". If you want to use your own root certificate you have to build your own ipxe binaries (NO THANK YOU!). Anyway I'm trying to use https as much as possible. At some point during the process the SMB password has to be communicated to the client and I assume this is through http. If https is not used during that step, is there any other encryption securing the passwords? Also if you don't have a task set up and choose clone deploy from the menu it will ask for the clone deploy user name and password? If https is not used at that point, once again is there any encryption of the passwords? Thanks in advance for answering. I think that the answer will be no and no, in which case I'll have to allow for http for the kernel and image fetching (I forget the path) and manually edit the ipxe menu file, to change https to http in that file.

  7. Thu May 3 02:16:17 2018
    hrumph2 started the conversation issue with multicast.

    Hi,
    thanks for CloneDeploy. I wish to point out that the multicast didn't work for me when the IP/FQDN setting is a FQDN (as opposed to a numeric IP). Doesn't make a real difference because it's all working in any case.

  8. last year
    Tue Dec 13 03:12:26 2016
    hrumph2 posted in Got this working on Fedora 25.

    OK, I need to look more deeply into this before commenting further.

  9. Tue Dec 13 00:02:18 2016
    hrumph2 posted in Got this working on Fedora 25.

    Setting up the dnsmasq.conf file was a bit of a hurdle for me, and if anyone wants to see the config for that, I would be happy to share.

    I may be completely wrong but I thought that CloneDeploy DHCP was for Windows only. Also dnsmasq does work with existing dhcp servers (that's how I'm using it now). BTW I think that clonedeploy is possibly the best deployment system there is right now, but it's hard for me to believe that the CloneDeploy proxy dhcp system has advantages over dnsmasq (given that dnsmasq has a high volume mailing list and very active development), but I'm keeping an open mind and I'm interested to hear about CloneDeploy Proxy DHCP.

  10. Mon Dec 12 05:32:15 2016
    hrumph2 started the conversation Got this working on Fedora 25.

    Hi everyone. I got this working on Fedora 25 with dnsmasq as the proxy dhcp server. I think it should be working with EFI boot but I haven't tested that yet (dnsmasq added efi proxy boot support a few months ago). Anyway the long and short of it is that it's pretty awesome. Thanks to the devel(s) and keep up the good work.