Re: [foreman-dev] cannot provision w/ foreman

2016-09-13 Thread Partha Aji
I've updated the host creation part to work with Katello.

Hostgroup creation is blocked by ->
http://projects.theforeman.org/issues/16532

On Tue, Sep 13, 2016 at 2:35 PM, Tom McKay wrote:

> The media selection is unusable on host and host group creation forms in
> nightly[1]. I assume foreman-1.13 w/ katello is similarly broken. @partha
> is trying to fix it but if a foreman dev familiar with the UI webpack
> changes that are the root can help out, that would be much appreciated. I
> don't know if bare foreman has issues but failing to provision out of
> katello is a blocker.
>
> [1] http://projects.theforeman.org/issues/16480
>
> --
> You received this message because you are subscribed to the Google Groups
> "foreman-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-dev+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



[foreman-dev] cannot provision w/ foreman

2016-09-13 Thread Tom McKay
The media selection is unusable on host and host group creation forms in
nightly[1]. I assume foreman-1.13 w/ katello is similarly broken. @partha
is trying to fix it but if a foreman dev familiar with the UI webpack
changes that are the root can help out, that would be much appreciated. I
don't know if bare foreman has issues but failing to provision out of
katello is a blocker.

[1] http://projects.theforeman.org/issues/16480



[foreman-dev] Freeze edits on a host?

2016-09-13 Thread Thomas Fee
In the "All hosts" screen, is it possible to freeze a host or something 
like that so that the "Edit" button under "Actions" is grayed out?



Re: [foreman-dev] Using certificates for SSH access

2016-09-13 Thread Sean O'Keeffe
Agreed, I think we should look for better integrations into other projects
like FreeIPA, so users can easily do this. An authentication
infrastructure project like FreeIPA will always do a better job than we
could do imo

Sean

On Tuesday, 13 September 2016, Stephen Benjamin wrote:

>
> - Original Message -
> > From: "Marek Hulán"
> > To: foreman-dev@googlegroups.com
> > Sent: Tuesday, September 13, 2016 10:13:45 AM
> > Subject: Re: [foreman-dev] Using certificates for SSH access
> >
> > Hello
> >
> > some comments below
> >
> > On Tuesday 13 of September 2016 08:51:12 Ohad Levy wrote:
> > > Hi,
> > >
> > > I was looking at [1] which talks about how to leverage a CA for managing
> > > SSH access, and I thought it could be interesting for REX and potentially
> > > for foreman to manage.
> > >
> > > In the post, they describe how they create different principals (groups -
> > > think hostgroups) for access, generating certificates with expiration
> > > etc.
> > >
> > > Since we already have some of the certificate handling code (puppet ca,
> > > pulp / katello certs) I wonder if it makes sense to generalize it and offer
> > > SSH certificates (and their management and possibly an auditing system for
> > > their usage) offering?
> >
> > I was thinking about this earlier, the major benefit I see is that in case we
> > change the key that Foreman uses we wouldn't have to update all hosts. Since
> > we currently only install it during provisioning it might be very helpful.
> > OTOH we should also provide a puppet module that would configure this key so
> > there's an easy way to update it also for unmanaged hosts. Then the CA might not
> > have that many benefits, we'd have to distribute the CA pub key instead of the
> > main pub key. Probably the biggest benefit would be the key expiration.
> >
> > If we decide to generalize the CA handling I'd first look if we could use
> > something existing, e.g. FreeIPA. Maybe we could provide our simple backend
> > too but I'd like to avoid building our own CA on top of ssh-keygen :-) I'd also
> > like to keep it in a separate plugin - probably rex.
>
>
> The CA use with ssh-keygen is a neat idea, but FreeIPA does some great things
> that I'd rather not have us have to deal with.  The Facebook article towards
> the end even offers warnings about the lack of any kind of revocation scheme.
>
> FreeIPA can do that, and handles it quite gracefully.  If a smart proxy key
> gets compromised, you can just remove it from authorized keys in FreeIPA
> and it propagates everywhere automatically.
>
> And we could even go further with FreeIPA and not have to deal with SSH keys
> at all and go the kerberos route, which handles access controls, key revocation,
> expiration, etc all very nicely.  We have an RFE for that[1].
>
>
> - Stephen
>
> [1] http://projects.theforeman.org/issues/11936
>
>
> > --
> > Marek
> >
> > >
> > > Ohad
> > >
> > > [1]
> > > https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
> >


Re: [foreman-dev] Using certificates for SSH access

2016-09-13 Thread Stephen Benjamin


- Original Message -
> From: "Marek Hulán" 
> To: foreman-dev@googlegroups.com
> Sent: Tuesday, September 13, 2016 10:13:45 AM
> Subject: Re: [foreman-dev] Using certificates for SSH access
> 
> Hello
> 
> some comments below
> 
> On Tuesday 13 of September 2016 08:51:12 Ohad Levy wrote:
> > Hi,
> > 
> > I was looking at [1] which talks about how to leverage a CA for managing
> > SSH access, and I thought it could be interesting for REX and potentially
> > for foreman to manage.
> > 
> > In the post, they describe how they create different principals (groups -
> > think hostgroups) for access, generating certificates with expiration
> > etc.
> > 
> > Since we already have some of the certificate handling code (puppet ca,
> > pulp / katello certs) I wonder if it makes sense to generalize it and offer
> > SSH certificates (and their management and possibly an auditing system for
> > their usage) offering?
> 
> I was thinking about this earlier, the major benefit I see is that in case we
> change the key that Foreman uses we wouldn't have to update all hosts. Since
> we currently only install it during provisioning it might be very helpful.
> OTOH we should also provide a puppet module that would configure this key so
> there's an easy way to update it also for unmanaged hosts. Then the CA might not
> have that many benefits, we'd have to distribute the CA pub key instead of the
> main pub key. Probably the biggest benefit would be the key expiration.
> 
> If we decide to generalize the CA handling I'd first look if we could use
> something existing, e.g. FreeIPA. Maybe we could provide our simple backend
> too but I'd like to avoid building our own CA on top of ssh-keygen :-) I'd also
> like to keep it in a separate plugin - probably rex.


The CA use with ssh-keygen is a neat idea, but FreeIPA does some great things
that I'd rather not have us have to deal with.  The Facebook article towards
the end even offers warnings about the lack of any kind of revocation scheme.

FreeIPA can do that, and handles it quite gracefully.  If a smart proxy key
gets compromised, you can just remove it from authorized keys in FreeIPA
and it propagates everywhere automatically.

And we could even go further with FreeIPA and not have to deal with SSH keys
at all and go the kerberos route, which handles access controls, key revocation,
expiration, etc all very nicely.  We have an RFE for that[1].


- Stephen

[1] http://projects.theforeman.org/issues/11936


> --
> Marek
> 
> > 
> > Ohad
> > 
> > [1]
> > https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
> 


Re: [foreman-dev] Using certificates for SSH access

2016-09-13 Thread Marek Hulán
Hello

some comments below

On Tuesday 13 of September 2016 08:51:12 Ohad Levy wrote:
> Hi,
> 
> I was looking at [1] which talks about how to leverage a CA for managing
> SSH access, and I thought it could be interesting for REX and potentially
> for foreman to manage.
> 
> In the post, they describe how they create different principals (groups -
> think hostgroups) for access, generating certificates with expiration etc.
> 
> Since we already have some of the certificate handling code (puppet ca,
> pulp / katello certs) I wonder if it makes sense to generalize it and offer
> SSH certificates (and their management and possibly an auditing system for
> their usage) offering?

I was thinking about this earlier, the major benefit I see is that in case we
change the key that Foreman uses we wouldn't have to update all hosts. Since
we currently only install it during provisioning it might be very helpful.
OTOH we should also provide a puppet module that would configure this key so
there's an easy way to update it also for unmanaged hosts. Then the CA might not
have that many benefits, we'd have to distribute the CA pub key instead of the
main pub key. Probably the biggest benefit would be the key expiration.

If we decide to generalize the CA handling I'd first look if we could use
something existing, e.g. FreeIPA. Maybe we could provide our simple backend
too but I'd like to avoid building our own CA on top of ssh-keygen :-) I'd also
like to keep it in a separate plugin - probably rex.

--
Marek

> 
> Ohad
> 
> [1]
> https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/

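The thread above weighs SSH certificates for their principals and expiration and mentions auditing their use. As an added example (not code from Foreman, REX or any participant in this thread), the sketch below parses the principals and validity window out of an OpenSSH ed25519 user certificate and flags certificates that carry no principals or no usable expiry. The key IDs, principal names and the 24-hour lifetime policy are assumptions, the sample certificates are constructed and unsigned, and the signature is not checked, so this only reads fields and makes no trust decision.

```python
import base64, struct

KTYPE = b"ssh-ed25519-cert-v01@openssh.com"
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "never expires"

def _s(b):  # SSH wire "string": uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed sample input: an UNSIGNED user cert with dummy key material."""
    names = b"".join(_s(p.encode()) for p in principals)
    blob = (_s(KTYPE) + _s(b"\0" * 32) + _s(b"\1" * 32)       # type, nonce, pubkey
            + struct.pack(">QI", serial, 1) + _s(key_id.encode())  # 1 = user cert
            + _s(names) + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)  # critical options, extensions, reserved, CA key, signature
    return KTYPE.decode() + " " + base64.b64encode(blob).decode()

def parse_cert(line):
    buf, pos = base64.b64decode(line.split()[1]), 0
    def take(fmt=None):  # fmt=None reads a string, otherwise one fixed-size integer
        nonlocal pos
        if fmt is None:
            (n,) = struct.unpack_from(">I", buf, pos)
            pos += 4 + n
            return buf[pos - n:pos]
        pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, buf, pos - struct.calcsize(fmt))[0]
    if take() != KTYPE:
        raise ValueError("only ed25519 certificates are handled in this sketch")
    take(), take()  # skip nonce and public key
    cert = {"serial": take(">Q"), "type": take(">I"), "key_id": take().decode()}
    raw, p, cert["principals"] = take(), 0, []
    while p < len(raw):  # principals are strings packed inside one string
        (n,) = struct.unpack_from(">I", raw, p)
        cert["principals"].append(raw[p + 4:p + 4 + n].decode())
        p += 4 + n
    cert["valid_after"], cert["valid_before"] = take(">Q"), take(">Q")
    return cert

def audit(cert, now, max_lifetime=24 * 3600):  # max_lifetime: assumed site policy
    findings = []
    if not cert["principals"]:
        findings.append("no principals listed")
    if cert["valid_before"] == FOREVER:
        findings.append("never expires")
    elif cert["valid_before"] <= now:
        findings.append("expired")
    elif cert["valid_before"] - cert["valid_after"] > max_lifetime:
        findings.append("lifetime exceeds policy")
    return findings
```

A certificate signed without a validity interval has `valid_after` 0 and `valid_before` set to the maximum value, which is why the "never expires" check compares against `FOREVER`.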


[foreman-dev] DHCP ISC Smart Proxy Plugin / Static reservations

2016-09-13 Thread 'Dmitry Nilsen' via foreman-dev
Hi there... I created a DHCP ISC Smart Proxy Plugin (an extension), which
handles special cases, like the ability to have static reservations in
dhcp.conf and not raise exceptions by creating/deleting records for such
reservations.
This is sometimes needed.. if you need to have a few hosts at the network
not to be under Foreman-Proxy control. Having really static reservations..
Especially if you remove a host from Foreman, it should stay in dhcp with
MAC-IP reserved.

Here is the project:
https://github.com/quadriq/smart_proxy_dhcp_isc_res

I am rather new to Foreman/Ruby.. so I did my best :)) It would be
great if somebody with experience could look at it.

