Difference between revisions of "FOG Client"

From FOG Project
Jump to: navigation, search
m (FOG Client with Sysprep)
m (Installing - Windows)
Line 22: Line 22:
  
 
[https://www.microsoft.com/en-us/download/details.aspx?id=40779 Microsoft .NET Framework 4.5.1 (Offline Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows Server 2008 SP2 Windows Server 2008 R2 SP1 and Windows Server 2012]
 
[https://www.microsoft.com/en-us/download/details.aspx?id=40779 Microsoft .NET Framework 4.5.1 (Offline Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows Server 2008 SP2 Windows Server 2008 R2 SP1 and Windows Server 2012]
 +
 +
Windows 10 comes with a version of .Net that will work.
  
 
'''Installation'''
 
'''Installation'''

Revision as of 14:50, 16 May 2016

This article applies to the new FOG Client, version 0.10+

The Different Installers

The different installers are located in your FOG server's web interface. The link is always at the very bottom of every page and are even available to you if you're not logged into the fog server.

Fog client link.png

New FOGClient download link.png

FOGService.msi - Windows only, and is ideal for network deployment.

SmartInstaller.exe - This is the new default installer. It will work on all platforms.

Debugger.exe - This is not listed in the web interface but is available from github here. Only use this when the above two are not working. This build has more detailed logs that you can use for troubleshooting or a bug report.

Installing - Windows

Prerequisites

  • .NET Framework version 4.0+ (Note: .NET 4 client profile will NOT work)

You can download the framework from here:

Microsoft .NET Framework 4.5.1 (Offline Installer) for Windows Vista SP2, Windows 7 SP1, Windows 8, Windows Server 2008 SP2 Windows Server 2008 R2 SP1 and Windows Server 2012

Windows 10 comes with a version of .Net that will work.

Installation

  • May use SmartInstaller or msi. Simply download either one of them and run.
  • Reboot to complete installation.

Limitations

  • CUPS printers are not yet supported

Installing - Linux

Installation instructions derived from http://www.mono-project.com/docs/getting-started/install/linux/

Prerequisites

  • Mono (latest stable build)
  • xprintidle - This dependency is optional. If not installed AutoLogOut will not run. xprintidle basically just returns the idle time of an x window, therefore on a system without a GUI it is not needed and should not be installed. It should be available in standard package managers. E.G. apt-get, yum, or dnf

Installing Mono Many distributions come with an out of date version of mono in their package manager. Therefore, do not attempt to install via your package manager without the below modifications

Debian 8+, Ubuntu 13.10+, and derivatives

To install:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update
sudo apt-get install mono-complete
sudo apt-get install xprintidle
  • Download SmartInstaller.exe from your FOG server and run the installer with mono.
    • sudo mono SmartInstaller.exe
  • The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log


The service is automatically configured to run on startup. To manually start and stop the service:

sudo service FOGService start
sudo service FOGService stop

To uninstall:

sudo service FOGService stop
sudo mono SmartInstaller.exe uninstall

CentOS 7, Fedora 19 (and later), and derivatives

To install:

yum install yum-utils
rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
yum-config-manager --add-repo http://download.mono-project.com/repo/centos/
yum install mono-complete
yum install xprintidle
  • Download SmartInstaller.exe from your FOG server and run the installer with mono.
    • sudo mono SmartInstaller.exe
  • The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log

The service is automatically configured to run on startup. To manually start and stop the service:

sudo systemctl start FOGService
sudo systemctl stop FOGService

To uninstall:

sudo systemctl stop FOGService
sudo mono SmartInstaller.exe uninstall

openSUSE and SLES

You can install mono using SUSE One-Click files: http://download.mono-project.com/repo/mono-complete.ymp

Other

The FOG Client can be installed on any platform that can run the latest stable build of mono.

To install:

  • Check your package manager for mono-complete. After installing it run mono --version. Ensure the version is at least 4.2._ . If it not, remove the package.
  • If your package manager had an old version of mono, see here for how to compile mono
  • Download SmartInstaller.exe from your FOG server and run the installer with mono.
    • sudo mono SmartInstaller.exe
  • The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log

If your system either has systemd or initd the client will be automatically configured to run on startup. If your system does not have either, you will need to configure your system to run the manual start command below on startup.

To manually start and stop the service:

sudo /opt/fog-service/control.sh start
sudo /opt/fog-service/control.sh stop

Limitations

  • The FOG Tray is currently incompatible on all non-windows systems. Regardless of what you set during installation, it will not run.
  • The follow modules / features are not yet supported
    • Active Directory joining
    • PrinterManager
    • GreenFOG

Installing - OSX

Installation instructions derived from http://www.mono-project.com/docs/getting-started/install/linux/

Prerequisites

  • Mono (latest stable build)

Installing Mono

Installation

  • Download SmartInstaller.exe from your FOG server and run the installer with mono.
    • sudo mono SmartInstaller.exe
  • The client will install to /opt/fog-service , and fog.log will be located at /opt/fog-service/fog.log
  • Reboot the system to complete the installation.

The service is automatically configured to run on startup. To manually start and stop the service:

sudo launchctl load -w /Library/LaunchDaemons/org.freeghost.daemon.plist
sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist

To uninstall:

sudo launchctl unload -w /Library/LaunchDaemons/org.freeghost.daemon.plist
sudo mono SmartInstaller.exe uninstall

Limitations

  • When running snapins on Yosemite, it is not guaranteed that it will have PATH set.
  • The FOG Tray is currently incompatible on all non-windows systems. Regardless of what you set during installation, it will not run.
  • The follow modules / features are not yet supported
    • PrinterManager
    • GreenFOG

Logging

You can find the client log file in /opt/fog-service/fog.log

Additional Details

Security Design

Communications between the FOG Client (0.9.9+) and the FOG Server (1.3.0+) are secured using public key infrastructure.

A Certificate Authority and private key is generated on the FOG server during first installation in this location:

/opt/fog/snapins/ssl

The public certificate is generally located here:

/var/www/html/fog/management/other/ssl

The client installs your servers’ certificate and the FOG Project certificate.

The “FOG Project” CA (made by the FOG Project) serves two purposes:

  • SYSTEM level services need to be digitally signed otherwise windows will throw security errors. This can also be used to ensure no tampering was done with the client files
  • That certificate is used to “verify” upgrades. Lets say we release a patch for the client, the client will download the MSI from your server and check if it was signed by us. If the MSI was somehow tampered, the digital signature would no longer be valid.

Using HTTP over HTTPS has no security benefit to the client. Why? Because all traffic is already encrypted. Here’s a very basic overview of how the new client communicates

  • Each client has a security token. This is used to prove to the server that the client is the actual host and not an impersonator. This token gets cycled constantly. When the client first makes contact, it encrypts its token and a proposed AES 256 key using RSA 4096 using your server’s public key. This public key is verified against the pinned server CA certificate by checking the x509 chain and fingerprints.
  • If the server accepts the security token and the new AES key, all traffic from that point on is AES 256 encrypted using that securely transmitted key.

The whole point of our security model is to allow for secure communication over insecure medians. Even then, the client installation has an HTTPS option, but it serves no real security benefit.

References:

CA SSL security concerns

Certificate and Public Key Pinning

Transport_Layer_Protection_Cheat_Sheet

Maintain Control Of Hosts When Building New Server

Because of the security model of FOG 1.3.0 and the new client, without the proper CA and ssl certificates present on a new fog server, any currently deployed hosts with the new fog client installed will ignore the new server and not accept commands from it. This is by design.

In order to maintain control of existing hosts with existing new fog client deployments, you must copy this directory from the old server to the new server:

  • /opt/fog/snapins/ssl

Copy the directory to a temporary location first. I would suggest /root

cp -R /opt/fog/snapins/ssl /root

Then you can use scp to copy the directory (or some other method) to your new fog server. Run the below command from the old server, Where x.x.x.x is the new fog server's address:

scp -rp /opt/fog/snapins/ssl root@x.x.x.x:/root

Or, the reverse. Run the below command from the new server, where x.x.x.x is the old fog server's address.

scp -rp root@x.x.x.x:/opt/fog/snapins/ssl /root

Next, install fog. After the installation is complete, delete the ssl folder the installer made, and place your old ssl (from /root that you copied) in there. The ownership should be fog:apache on Red-Hat variants, should be fog:www-data on Debian variants. Then re-run the installer. Instructions for the folder manipulation are below, assuming you followed the above instructions. On the new server:

rm -rf /opt/fog/snapins/ssl
cp -R /root/ssl /opt/fog/snapins/ssl
chown -R fog:apache /opt/fog/snapins/ssl  #or fog:www-data for ubuntu and debian

If you do not care about maintaining control of existing hosts with existing new fog client deployments (because there is only 1 or 2), you can recreate your CA with the -C argument during installation:

./installfog.sh -C

Note: Recreating the CA (--recreate-CA) is very strongly advised against if you have many clients deployed already, because it resets the identity of the FOG Server. This causes all fog clients to distrust the server, and will require total reinstallation of all fog clients in an environment. However, you may recreate the keys (--recreate-keys) safely.

FOG Client 0.10.0+ Installation Options

msiexec /i FOGService.msi /quiet USETRAY="0" HTTPS="0" WEBADDRESS="192.168.1.X" WEBROOT="/fog" ROOTLOG="0"

Firstly, all options are optional. Here’s what they all do:

  • USETRAY: defaults to "1", if "0" the tray will be hidden
  • HTTPS: defaults to "0", if "1" the client will use HTTPS (not recommended)
  • WEBADDRESS: defaults to "fog-server", this is the ip/dns name of your server
  • WEBROOT: defaults to "/fog"
  • ROOTLOG defaults to "0", if "1" the fog.log will be at C:\fog.log, otherwise %PROGRAMFILES%\FOG\fog.log

Reference: MSI Silent Install without Tray Icon

Manually Reset Encryption On ALL Hosts

This applies to FOG 1.3.0 where the New Client is in use and for some reason you need to manually reset the encryption for all hosts.

mysql
use fog
UPDATE hosts SET hostPubKey="", hostSecToken="", hostSecTime="0000-00-00 00:00:00";


FOG Client with Sysprep

If you plan to use Sysprep before image capture and are also planning to use the FOG Client, You must disable the FOGService service from running at boot before you Sysprep to take your image, and then re-enable it within your SetupComplete.cmd so that it is re-enabled after the image deployment is complete. Failing to do so will break the Sysprep post-deployment process with an error message that says "Windows Setup could not configure Windows to run on this computer’s hardware.”

  • To disable the FOGService, navigate through Windows Control Pannel -> View by Small Icons -> Administrative Tools (This name sometimes changes from version to version) -> Services -> Locate the FOGService -> Right click -> Properties -> Startup Type -> Disabled.
  • To re-enable it post-deployment and post-sysprep operations, in your SetupComplete.cmd you must have these two lines at the end:
sc config FOGService start= auto
net start FOGService

setupcomlete.cmd has to be placed under C:\Windows\Setup\scripts in the master system. As the name indicates, the script is called by windows just after setup has finished.

After setting up these two things, sysprep can successfully complete post-deployment setup and start the FOGService. The FOGService can then rename/join/deploy/setup printers/setup snapins/etc for you as normal.