Open marino-mrc opened 1 year ago
Not really - the payload paths currently need to be interpreted in the context of the original configuration file. This means we resolve any non-absolute URIs under the base URI where we fetched the config.
Doing otherwise may introduce security issues, where unexpected payloads may be loaded against the intention of the original config.
Can you provide a little more detail on your use-case? You say you don't have access to the DCHP and TFTP servers (and hence the boot config?) but you do have access to the HTTP service - on the same machine?
Unfortunately, I don't have any control on the HTTP server.
I'm trying to improve the compatibility between Single Board Computers and MaaS (https://maas.io/). Actually I'm focusing on Odroid M1 (https://www.hardkernel.com/shop/odroid-m1-with-8gbyte-ram/) that uses Petitboot and I noticed the problem mentioned in this thread.
The only way I see, is having the possibility to customize the behavior of Petitboot, but your point (security) makes sense. Please, let me know if you have any other suggestion.
Thank you. Marco
By far the cleanest & easiest way here is to get MaaS to serve a config that refers to boot payloads on the HTTP server. Or, even better, serve the config itself over HTTP, by setting DHCP option 210 to a http://
url.
I'm not sure what you mean by "the problem in this thread" though; is there a problem with loading the payloads from the same source (and protocol) as the config?
In maas, I can create DHCP snippets (https://maas.io/docs/how-to-enable-dhcp#heading--dhcp-snippets). The point is: by default, MaaS does something like this:
... elsif option arch = 00:13 {
filename "http://172.16.7.2:5248/images/bootaa64.efi";
option vendor-class-identifier "HTTPClient";
} ...
and the efi file causes a problem on Petitboot (Couldn't load kernel image from http://172.16.7.2:5248/images/bootaa64.efi) But if I add the following snippet:
if option arch = 00:13 { option path-prefix "/"; }
I see a new line in the available Network boots when Petitboot starts called "execute". If I select the "execute" line, everything works fine (Kernel and Initrd loaded) because MaaS provides a good configuration if you do this:
root@server:~# curl tftp://172.16.7.2/ppc64el/pxelinux.cfg/01-00-1e-06-51-02-9a DEFAULT execute
LABEL execute
KERNEL ubuntu/arm64/hwe-20.04-edge/focal/candidate/boot-kernel.odroidm1 INITRD ubuntu/arm64/hwe-20.04-edge/focal/candidate/boot-initrd.odroidm1 APPEND nomodeset ro root=squash:http://172.16.7.2:5248/images/ubuntu/arm64/hwe-20.04-edge/focal/candidate/squashfs ip=::::OdroidM1-unit0:BOOTIF ip6=off overlayroot=tmpfs overlayroot_cfgdisk=disabled cc:{'datasource_list': ['MAAS']}end_cc cloud-config-url=http://172-16-7-0--24.maas-internal:5248/MAAS/metadata/latest/by-id/myf6yh/?op=get_preseed apparmor=0 log_host=172.16.7.2 log_port=5247 --- console=tty1 console=FIQ0 console=ttyS2,1500000 pci=nomsi debug BOOTIF=01-00-1e-06-51-02-9a IPAPPEND 2 root@server:~#
and also this:
root@server:~# curl http://172.16.7.2:5248/ppc64el/pxelinux.cfg/01-00-1e-06-51-02-9a DEFAULT execute
LABEL execute
KERNEL ubuntu/arm64/hwe-20.04-edge/focal/candidate/boot-kernel.odroidm1 INITRD ubuntu/arm64/hwe-20.04-edge/focal/candidate/boot-initrd.odroidm1 APPEND nomodeset ro root=squash:http://172.16.7.2:5248/images/ubuntu/arm64/hwe-20.04-edge/focal/candidate/squashfs ip=::::OdroidM1-unit0:BOOTIF ip6=off overlayroot=tmpfs overlayroot_cfgdisk=disabled cc:{'datasource_list': ['MAAS']}end_cc cloud-config-url=http://172-16-7-0--24.maas-internal:5248/MAAS/metadata/latest/by-id/myf6yh/?op=get_preseed apparmor=0 log_host=172.16.7.2 log_port=5247 --- console=tty1 console=FIQ0 console=ttyS2,1500000 pci=nomsi debug BOOTIF=01-00-1e-06-51-02-9a IPAPPEND 2 root@server:~#
But MaaS doesn't provide the protocol and Url in the KERNEL and INITRD lines and Petitboot automatically uses TFTP (which is much slower than HTTP). If I change the value of "path-prefix" with anything else, the "execute" string doesn't appear. I think this means that Petitboot doesn't request the data through tftp://172.16.7.2/ppc64el/pxelinux.cfg/01-00-1e-06-51-02-9a
At the moment, I do not understand what happens in Petitboot if a path-prefix is different than "/". Please, let me know if you have any suggestion.
Note:
These are defined by default in MaaS option arch code 93 = unsigned integer 16; # RFC4578 option path-prefix code 210 = text; #RFC5071
Thank you. Marco
If I change the value of "path-prefix" with anything else, the "execute" string doesn't appear. I think this means that Petitboot doesn't request the data through tftp://172.16.7.2/ppc64el/pxelinux.cfg/01-00-1e-06-51-02-9a
If the execute
option doesn't appear, that likely means that petitboot wasn't able to find/access your configuration.
At the moment, I do not understand what happens in Petitboot if a path-prefix is different than "/".
The path-prefix
specifies where petitboot starts the config discovery requests (ie, the list at the top of http://jk.ozlabs.org/blog/post/158/netbooting-petitboot/). You should be able to provide a http:// URL here, and petitboot will use HTTP for those config requests.
If you set path-prefix to http://example.org/some-path/
, the requests would end up being:
http://example.org/some-path/pxelinux.cfg/01-00-01-02-03-04-05
http://example.org/some-path/pxelinux.cfg/C0A8000A
http://example.org/some-path/pxelinux.cfg/C0A8000
http://example.org/some-path/pxelinux.cfg/C0
http://example.org/some-path/pxelinux.cfg/C
http://example.org/some-path/pxelinux.cfg/default
Of course, if you specify a path prefix that does not contain the correct file structure, petitboot won't be able to find the config files, and not show your execute
option. You can check the petitboot debug logs (under /var/log/ in the petitboot environment) if you need to investigate what's happening.
Alternatively, you can just set the conf-file directly (using DHCP option 209 instead), and that allows you to specify the config URL itself, without all of those separate discovery requests.
Hi, according to this, in a "syslinux configuration" file, " If a full URL is given, then petitboot will use that as-is. Supported protocols are currently http, ftp, tftp and nfs. If only a path is given, petitboot will assume the TFTP protocol". Is there any way to force Petitboot to use HTTP instead of TFTP?
I don't have any control over the dhcp/tftp server and I'd like to use HTTP.
Thank you. Regards, Marco