FOG Project - User contributions [en]

Images Directory Permissions

2012-02-13T16:40:07Z

Termiux: Undo revision 5659 by BarryBlackwellbdv (talk)

== * unable to move /images/dev/macaddress to /images/name-of-image ==

=== Problem ===
You receive the following error after an image has been created:

''* unable to move /images/dev/macaddress to /images/name-of-image''

The error will repeat indefinitely.

=== Cause ===

The FOG user does not have permission to write to the images directory on the FOG server (usually /images). This often occurs when the /images directory has been recreated or has had its permissions changed.

Another cause is the Image Type is not correct (i.e. You're trying to image multiple partitions as a single partition.)

There is a third cause, that involves your FTP passwords being incorrect making FOG unable to handle files via FTP

=== Resolution ===

==== Method 1 ====

# Turn off the computer being imaged.(you don't have to turn off the PC just run the command on your server)
# Ensure the FOG user has write permissions on the images directory.
# Run command as root ''chown -R fog:root /images''

Example: Use:

chown -R fog.root /images

Finally attempt to create the image again.

==== Method 2 ====

# Switch off the computer being imaged.
# On the FOG server go to your /images/dev directory and move the temporary image (macaddress.000) to /images
# Rename the temporary image (macaddress.000) to the name you have set up in the FOG WebUI

FOG security

2012-01-31T15:12:33Z

Termiux: /* Other issues */ Clear up text

== FOG Security ==

Currently FOG does not comes with tight permissions or a secure default set up. Although is possible to increase the level of security of our FOG server(s) it must be done carefully if is not to interfere with FOG functionality.

We will list some of the most basics steps you can take to increase the security of your FOG server(s)

''The following set up has been tested on FOG 0.29 and 0.30, things may change in latter versions.''

=== Secure MySQL ===

If you have not secure your MySQL Database since installation, whether it was installed by FOG or via other methods, you need to take a few steps to secure it.

MySQL comes with a little script that enables you to implement some basic security to your database, you only have to run the script but MAKE SURE to take note of the passwords you will set since you will need to provide them to FOG.

* Run the MySQL secure installation script, to run it do this

sudo mysql_secure_installation

''Read what the script states since it's important that you understand what you are doing.''

The script will allow you to set a root password for your database since it was '''blank!''' now set your password and make sure to take note of it. FOG will need it.

When you are done run

/etc/init.d/mysqld reload

[http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html More info:]

If your interested in further secure your MySQL you can go to the link below, however bear in mind that I have not tested those changes.
[http://www.symantec.com/connect/articles/securing-mysql-step-step Securing MySQL: step-by-step]

=== Securing your Images ===

When FOG makes a backup(upload and image), it creates one or more image files for that computer. Depending on how your using FOG you may wanna secure your images directory. Since it's not necessary for other users to access this files we will restrict the access to root and to FOG.

To fix Images folder ownership run (assuming /images/ is where you have your FOG images)

chown -R fog:root /images/

Then do to set up permissions

chmod -R 770 /images/

In theory you could(should?) go with a more restrictive set of permissions however, in reality FOG usually complains if we do.

=== Securing NFS ===

NFS Shares are harder to secure cause of its nature. They constantly change ports, and give how FOG access them is not so easy to secure them and at the same time keep FOG working.

''More to come on how to secure NFS soon!''

=== Other issues ===

Unfortunately FOG design doesn't leave much room for security. It's hard to tighten the server and keep FOG working, however this doesn't mean we should ignore this security holes, in contrary we must keep watching them to avoid intrusions.

Here's a list of some of FOG security problems still to be addressed.

* '''No SSL Support on Web UI:''' (Tested on FOG 0.29 and 0.30) Tests performed in Apache and the use of ''RequireSSL'' option with FOG, showed that it cannot deal with the use of SSL, when server enforce SSL connections FOG fails to connect properly.''(Seems like next FOG version 0.33 will support SSL on its Web UI)''
* '''NFS Shares'''. FOG design allows it to upload(write) images via nfs, this requires access to the nfs share from any computer you wanna upload images from. An attacker could fill your disk and/or erase all files in /images/dev since is mounted as read and write for any client.''(nfs share /images/ is read only)''
* '''Public availability of files:''' Since FOG files are served via TFTP and PXE, this means any computer on your network can access those files (as longs as they can network boot). This includes the Linux kernel that FOG uses. So any password you set up in the FOG menu is not really relevant for a technical user or an attacker.
* '''Installation advices:''' During installation FOG recommends to turn off SELinux because it can get in the way of the installation and the way FOG works. Although this certainly allows FOG to work, is not good practice to turn SELinux off. Is better to set SELinux in permissive mode, and then run a few test with FOG so we can allow only the things it needs, and then put it back on, this can take some time to configure properly but it's the safest way to work.

=== Informing FOG of Changes ===

''This assumes you ONLY performed the steps mentioned in this wiki, if you made any other changes this guide might be incomplete for you.''

FOG will start to complain it cannot access the MySQL Database case we set up a root password. Lets give FOG the password

* Go to
/opt/fog/service/etc/config.php
Make sure the fields '''MYSQL_USERNAME''' reads '''root''' (or whatever user you wanna use) and for '''MYSQL_PASSWORD''' write down the password. Example

define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );

''If your running FOG and MySQL in the same host, you need to check the line '''MYSQL_HOST''' so it reads '''localhost'''''
define( "MYSQL_HOST", "localhost" );

* Now go to
/var/www/html/fog/commons/config.php
and check the same 3 fields that we did before.

define( "MYSQL_HOST", "localhost" );
define( "MYSQL_DATABASE", "fog" );
define( "MYSQL_USERNAME", "root" );
define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );

Save everything and try to access FOG again and your done =)

Unable to connect to TFTP

2012-01-24T15:03:00Z

Termiux: /* For Versions .24 + */ Added a few steps to ensure password is correct

== Unable to connect to tftp server ==

=== For Versions Before 0.24 ===

This seems to be caused by a password issue,

1. From the fog management interface, go to users.
2. Reset the fog user password.
3. Click the "I" icon - "Other Information"
4. Click "Fog Settings" in the menu on the left
5. Replace the FOG_TFTP_FTP_PASSWORD and the FOG_NFS_FTP_PASSWORD fields under FOG settings with
your Linux fog user password. (Seems like FOG_NFS_FTP_PASSWORD is gone for ver .24).

=== For Versions .24 + ===

*Reset the local password for user fog with: [sudo] passwd fog
*In management front end, go to '''Storage Management''' -> '''All Storage Nodes'''
*Click on '''DefaultMember'''
*Change the '''Management Password''' to match the password you just changed.
*Then go to '''Other Information''' and change '''FOG_TFTP_FTP_PASSWORD''' also.

* Go to your fog web location, on Red Hat and CentOS is in:
/var/www/html/fog/

Then open the file:
/commons/config.php

and check the values of:
'''TFTP_FTP_PASSWORD''' and '''STORAGE_FTP_PASSWORD'''

These '''MUST''' match the password you set above, if not write them properly in here

Finally reload of the service

/etc/init.d/vsftpd reload

=== Verify Server Settings ===

If you have modified your server setup since first install, then the new changes must be updated and verified in the '''Fog Settings''' menu.
It might not be enough to just re-run the installer.
For instance, a new IP lease will cause the server to show the '''Unable to connect to tftp server''' error message.

* Go to the "I" icon, which is the '''About''' menu in 0.29
* Select '''Fog Settings''' and navigate down to '''TFTP Settings''' and verify that all options are correct for your setup.

=== Ensure nothing else on the network is conflicting with the DHCP server ===

I had this error the past two days and tried all of the standard suggestions. Finally Wireshark came to the rescue. I discovered a second, feral DHCP server on the network that wasn't issuing IP addresses but must have been running interference somehow. When I disconnected it from the network, PXE boot worked as expected.