Comments (19)
This is fine for packages, but what happens with images? Currently we restore straight over http. Can we use basic auth then?
from imagr.
It looks like asr supports https, but doesn't offer any options for either basic auth or verifying the SSL cert on the server.
The only way I can think of doing this then is to create a RAM disk, but that brings its own challenges (and slows down the whole process).
There's no need for "options for ... verifying the SSL cert on the server" -- that's handled by Apple's underlying CFURLConnection functions and friends. If the OS can validate the cert, it's accepted.
I'd not worry too much about HTTP authentication at this point.
Nate: you should do some testing. Put an asr disk image on a web share protected by BasicAuth and try to restore from it via the command line. What happens?
@gregneagle This is in reference to the ASR restore as well. We can test package downloads via gurl using certs and I am confident that will work as it does in munki.
asr on the other hand does not seem to have any configurable options for SSL, so I'm not sure what asr over https even looks like (especially if it doesn't validate the server).
"We can test package downloads via gurl using certs"
If any of the certs are not from CAs already trusted by OS X, you'd have to add the appropriate CAs to the System keychain on the NBI. If you wanted also to do client certs, you'd need to have the appropriate identity/identities configured in the System keychain as well.
This configuration (if successful) should cover all HTTPS interactions: restoring images via https; mounting disk images via https; downloading pkgs via https, etc, etc.
But setting this up sounds complex and difficult to support. I think the work must be put on the shoulders of those who want/need this...
Are you assuming that if the correct bits are in the correct place in the keychain, that asr will use them and it will just work? The asr man page did not indicate that it supports client certs at all, so I wasn't sure if it was even possible.
asr and hdiutil use CFURLConnection and friends. I don't know if they are keychain-aware, but I believe they are.
gurl.py uses NSURLConnection and friends, which is a little higher-level, but those may well share code with the lower-level CFURL methods.
"The asr man page did not indicate that it supports client certs at all" that would not be asr's job. That would be the job of the lower-level CFURL* libraries.
Safari has no help pages telling how to use client certs, yet it's possible to do so.
Sure, Safari uses it. I can also find documentation on Safari + CFURLConnection, whereas I am coming up dry for asr + CFURLConnection.
I'll take your word for it that it will just work I guess. It seems like a reasonable assumption.
I don't know that it will just work. I suspect it will. I think you should test it.
I can test it. I'm not sure what the state of the security framework is like in the NBI, so I'll have to test it to know for sure.
Exactly!
security is available on the DS NetBoot set, and security list-keychains shows /Library/Keychains/System.keychain and /private/var/root/Library/Keychains/login.keychain.
You should check an AutoNBI NBI to compare.
I tried adding a certificate this morning to an AutoNBI image and was not able to.
There is no system keychain in /Library, only the login keychain in /private/var/root/Library/Keychains.
Even adding the certificate to the login keychain resulted in an error: SecTrustSettingsSetTrustSettings: errSecInternalComponent
I used security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer" when attempting to add a new certificate.
Would it be possible to alter /System/Library/Keychains/SystemRootCertificates.keychain when the NBI is being created?
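The two comments above (checking which keychains an NBI carries with security list-keychains, and the add-trusted-cert failure on an AutoNBI image that has no System keychain) describe a procedure that is easy to get wrong silently. The following shell script is an added example, not code from Imagr or AutoNBI: it checks that the mounted NBI root actually contains /Library/Keychains/System.keychain before calling security add-trusted-cert, refuses files that are not DER or PEM certificates, and then asks security verify-cert to confirm the certificate validates against that keychain. The function names, the NBI_ROOT argument and the SECURITY override variable (which lets the tool path be substituted) are this example's own assumptions; security itself is macOS-only.

```shell
#!/bin/sh
# Added example (not Imagr's or AutoNBI's code): install a private CA into the
# System keychain of a mounted NBI so that asr, hdiutil and gurl HTTPS fetches
# from the NetBoot environment can validate the server certificate.
#
# Assumptions: the NBI root volume is mounted read-write at the path passed as
# the first argument; /usr/bin/security is available (macOS only). SECURITY may
# be overridden to point at the tool (used by the self-checks below).

SECURITY="${SECURITY:-/usr/bin/security}"

# Path of the System keychain inside a mounted NBI root.
system_keychain_path() {
    printf '%s/Library/Keychains/System.keychain\n' "$1"
}

# Succeed only if the NBI really carries a System keychain. The AutoNBI image
# in the thread lacked one, which is why add-trusted-cert failed there.
nbi_has_system_keychain() {
    [ -f "$(system_keychain_path "$1")" ]
}

# Sanity check on the certificate file: must exist and look like PEM
# ("-----BEGIN CERTIFICATE-----" header) or DER (leading 0x30 SEQUENCE tag).
cert_looks_valid() {
    f="$1"
    [ -f "$f" ] || return 1
    if head -c 27 "$f" | grep -q 'BEGIN CERTIFICATE'; then
        return 0
    fi
    [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]
}

# Add the CA as a trusted root to the NBI's System keychain and confirm it.
# Exit codes: 2 = no System keychain, 3 = bad cert file, 4 = add failed,
# otherwise the result of security verify-cert.
add_ca_to_nbi() {
    nbi="$1"
    cert="$2"
    kc=$(system_keychain_path "$nbi")
    if ! nbi_has_system_keychain "$nbi"; then
        echo "no System keychain at $kc; build the NBI with one before adding certs" >&2
        return 2
    fi
    if ! cert_looks_valid "$cert"; then
        echo "not a DER or PEM certificate: $cert" >&2
        return 3
    fi
    "$SECURITY" add-trusted-cert -d -r trustRoot -k "$kc" "$cert" || return 4
    # Confirm the trust store now accepts the CA; a failure here means the
    # HTTPS fetches in the NBI will still reject the server.
    "$SECURITY" verify-cert -c "$cert" -k "$kc"
}

# Usage: sh add_ca_to_nbi.sh /Volumes/NBI-root /path/to/private-ca.cer
if [ "$#" -eq 2 ]; then
    add_ca_to_nbi "$1" "$2"
fi
```

The keychain-presence check is the part worth keeping even if the rest is adapted: security add-trusted-cert fails with errSecInternalComponent rather than a clear message when the target keychain is missing, so check for the file first and fix the NBI build rather than retrying against the login keychain.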
I'm sure it would, but that's a AutoNBI thing.
I'll comment on this AutoNBI request here: https://bitbucket.org/bruienne/autonbi/issue/2/unable-to-add-certificate
Is there any movement or update on this? If it's not possible, I'll close the issue.