Background: Kickstarting RHEL7 on PowerPC (IBM pSeries)

So I've kickstarted unattended for years, and had to use yaboot, NFS, etc. for kickstart in the past. Trying to modernize now. I have a working kickstart using HTTP (Apache) only (and TFTP). My problem comes in attempting to do it https only. Not sure if this is possible, but one would think it would be since you can specify https.

If I have the previously working web server answer for HTTP and HTTPS (same htdocs), and the following grub.conf, it works fine (IP and FQDN are masked obviously):

menuentry 'Install RHEL 7 via Kickstart...' {
    set root=http,WEBIP
    linux https://WEBFQDN/software/rhel/ppc/ppc64/vmlinuz ro ip=dhcp ks=https://WEBFQDN/kickstart/rhel7-power.ks
    echo 'Loading initial ramdisk ...'
    inst.repo=https://WEBFQDN/software/rhel/
    initrd https://WEBFQDN/software/rhel/ppc/ppc64/initrd.img
}

However a tcpdump reveals it still is using HTTP for a lot of traffic. And indeed, if I reconfigure the web server to RedirectMatch (.*) https://WEBFQDN/$1 (redirect all http to https, don't serve http), I get the following error:

error: invalid arch-independent ELF magic.

If I remove the RedirectMatch (and go back to allowing http instead of a redirect), it works fine again.

So, I could live with http, but ideally the web server is just https (because it houses lots of sensitive data other than kickstart). Is this possible? Am I missing a key flag? I tried root=https,... but then I got a "file not found" (unsupported network option I guess).

Thanks for any pointers!

  • Can you explain exactly what this system is and how it is booting? – Michael Hampton Sep 24 '16 at 03:25
  • @Michael - I'm not totally sure what details you're asking for but: Hardware is an IBM pSeries (p850). Server is RHEL 7.2, running TFTP (for initial bootstrap) and DHCP (for network) and HTTP/HTTPS serving vmlinuz, initrd.img, and eventually all the software for a kickstart installation (loopback mounted ISO). RHEL 7.2 client boots to network, using DHCP requested address, TFTP for initial bootstrapping to get to grub config file, and then loads the installation images per the grub entry above. All this works fine - it's just that even with everything listed as HTTPS it's still doing HTTP. – zenfridge Sep 24 '16 at 19:27
  • Hmm. It looks like `inst.repo=` is on the wrong line. It doesn't belong by itself; it's meant to be one of the arguments to `linux`. Of course, it should be specified in the kickstart rather than here, anyway. So, what _is_ in the kickstart? – Michael Hampton Sep 24 '16 at 19:31
  • So, I moved the inst.repo part to the end of the Linux/kernel load - thanks! Post move, I am still seeing http traffic. I should note that I see that traffic AS it is running (with echoes in grub): During the load of "linux", during the load of "initrd", and then it goes silent during the software installation, no http just https. In other words, the http occurs before the ks file is run. So rather than post the entire ks file, I will say that I use --url=https://.... and that part seems to work. It's the grub portion that isn't doing https. – zenfridge Sep 30 '16 at 17:45
  • (if you'd like something else from the ks file or really want the whole thing, I can accommodate, but I don't think it's relevant here) – zenfridge Sep 30 '16 at 17:46

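A way to repeat the check the question makes with tcpdump, as an added shell helper that is not part of the thread: it counts, per destination port, the packets a capture shows the installing client sending to the boot/web server, so a count of zero on port 80 after a change confirms that no plaintext HTTP remains. The capture lines below are constructed for the example (10.0.0.1 stands for the TFTP/web server, 10.0.0.50 for the pSeries client); none of it is a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): classify a "tcpdump -nn -tt" capture
# by destination port so the absence of plaintext HTTP can be checked.
# The lines below are constructed for this example; the addresses are made up
# (10.0.0.1 stands for the TFTP/web server, 10.0.0.50 for the pSeries client).
SAMPLE_CAPTURE='1474700001.000001 IP 10.0.0.50.2049 > 10.0.0.1.69: 28 RRQ "boot/grub2/grub.cfg" octet
1474700002.000001 IP 10.0.0.50.40001 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0
1474700002.100001 IP 10.0.0.50.40001 > 10.0.0.1.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
1474700003.000001 IP 10.0.0.50.40002 > 10.0.0.1.443: Flags [S], seq 1, win 64240, length 0
1474700003.100001 IP 10.0.0.50.40002 > 10.0.0.1.443: Flags [P.], seq 1:518, ack 1, win 502, length 517'

# count_to_port SERVER PORT: read tcpdump lines on stdin and print how many
# packets were sent to SERVER on PORT (TCP and UDP alike).
count_to_port() {
    awk -v srv="$1" -v port="$2" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)              # "10.0.0.1.80:" -> "10.0.0.1.80"
            n = split(dst, part, ".")                 # last component is the port
            host = substr(dst, 1, length(dst) - length(part[n]) - 1)
            if (host == srv && part[n] == port) c++
        }
        END { print c + 0 }'
}

# no_plaintext_http SERVER < capture: succeed only if nothing went to port 80.
no_plaintext_http() {
    [ "$(count_to_port "$1" 80)" -eq 0 ]
}

# Stand-alone run over the constructed sample; with a real capture, pipe
# "tcpdump -nn -tt -r install.pcap host CLIENT" in instead.
for p in 69 80 443; do
    printf 'port %s: %s packets\n' "$p" \
        "$(printf '%s\n' "$SAMPLE_CAPTURE" | count_to_port 10.0.0.1 "$p")"
done
if printf '%s\n' "$SAMPLE_CAPTURE" | no_plaintext_http 10.0.0.1; then
    echo "no plaintext HTTP seen"
else
    echo "plaintext HTTP still in use"
fi
```

Run it against a capture taken while the client boots (`tcpdump -nn -tt -w install.pcap host CLIENT` on the server, then read it back as the comment shows); the port 69 and 443 counts should be non-zero and the port 80 count zero once grub only talks TFTP and the kernel only talks HTTPS.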
1 Answer

So, I did get an answer eventually from Red Hat backline on this. They indicate that grub does not support HTTPS, even though some docs indicate you can use HTTPS. And in fact, you CAN use HTTPS in the config... but it will still roll back and use HTTP instead. Grub has no certs or SSL libraries loaded in, according to them. So, no HTTPS support at that time.

The answer then, to the question, and tested: The grub.conf is configured to use TFTP to get the vmlinuz and initrd.img files (locally), instead of HTTPS (HTTP). ks=https://... and inst.repo=https://... lines CAN be HTTPS because once the kernel is loaded, it DOES have SSL and can get the kickstart file and the repo files via HTTPS. In that way, no HTTP is used.

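The arrangement the answer describes, written out as an added example that is not the poster's own config: grub fetches vmlinuz and initrd over TFTP (grub has no TLS, so anything it downloads itself is unauthenticated), and only the kernel-side `ks=` and `inst.repo=` arguments use HTTPS. A small lint alongside it rejects entries where grub would fetch over HTTP(S) or where `inst.repo=` sits on its own line, which is the mistake pointed out in the comments. WEBIP and WEBFQDN are the question's placeholders; the TFTP paths are assumed to be relative to the tftpboot root.

```shell
#!/bin/sh
# Added example: a grub2 menuentry laid out the way the answer describes
# (grub itself only talks TFTP; the kernel arguments use HTTPS), plus a
# small lint that rejects entries where grub would fetch over HTTP(S).
# WEBIP / WEBFQDN are the question's placeholders; the TFTP paths are assumed
# to be relative to the tftpboot root.

GRUB_ENTRY=$(cat <<'EOF'
menuentry 'Install RHEL 7 via Kickstart (TFTP boot, HTTPS install)' {
    set root=tftp,WEBIP
    linux /rhel/ppc/ppc64/vmlinuz ro ip=dhcp ks=https://WEBFQDN/kickstart/rhel7-power.ks inst.repo=https://WEBFQDN/software/rhel/
    echo 'Loading initial ramdisk ...'
    initrd /rhel/ppc/ppc64/initrd.img
}
EOF
)

# The entry from the question, kept for contrast: grub (which has no TLS)
# fetches the kernel and initrd itself, and inst.repo= sits on its own line
# instead of being an argument to "linux".
BROKEN_ENTRY=$(cat <<'EOF'
menuentry 'Install RHEL 7 via Kickstart...' {
    set root=http,WEBIP
    linux https://WEBFQDN/software/rhel/ppc/ppc64/vmlinuz ro ip=dhcp ks=https://WEBFQDN/kickstart/rhel7-power.ks
    echo 'Loading initial ramdisk ...'
    inst.repo=https://WEBFQDN/software/rhel/
    initrd https://WEBFQDN/software/rhel/ppc/ppc64/initrd.img
}
EOF
)

# check_entry ENTRY: print each problem found; exit 0 only when the entry is clean.
check_entry() {
    printf '%s\n' "$1" | awk '
        # the root device must be tftp, not http/https
        /^[[:space:]]*set[[:space:]]+root=/ && $0 !~ /root=tftp,/ {
            bad++; print "root device is not tftp: " $0 }
        # the kernel/initrd path itself must not be a URL or an (http,...) device
        /^[[:space:]]*(linux|initrd)[[:space:]]/ && $2 ~ /^\(?https?[:,]/ {
            bad++; print "grub-side fetch over http(s), grub cannot do TLS: " $0 }
        # the kernel arguments are where HTTPS belongs
        /^[[:space:]]*linux[[:space:]]/ && $0 !~ /[[:space:]]ks=https:\/\// {
            bad++; print "ks= missing from the linux line or not https" }
        /^[[:space:]]*linux[[:space:]]/ && $0 !~ /[[:space:]]inst\.repo=https:\/\// {
            bad++; print "inst.repo= missing from the linux line or not https" }
        /^[[:space:]]*inst\.repo=/ {
            bad++; print "inst.repo= on its own line; append it to the linux line" }
        END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run: lint both entries.
if check_entry "$GRUB_ENTRY"; then echo "corrected entry: OK"; fi
check_entry "$BROKEN_ENTRY" || echo "question's entry: rejected"
```

The lint only looks at the grub side; the kickstart file's own `url --url=https://...` line is checked by Anaconda once the kernel is up, which is the point the answer makes about where TLS becomes available.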