FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora/Linux Management Tools

LinkBack Thread Tools
Old 04-15-2008, 09:55 PM
Michael DeHaan
Default Cobbler kerberos support testing (& other 1.0 notes/ramblings)

Hello Cobbler land,

I wanted to give a quick update on some things going on in Cobbler
development. So far the 0.9.X branch is coming along very nicely and
the changelog is already quite large. A lot of this can use testing
now and will help us get a much nicer release out earlier. Of
particular interest: Kerberos added yesterday. It's an optional
authentication mode, and if anyone wants to test it see the following:


This feature pretty much relies on Apache to get things done and should
be pretty easy to set up if you already have a Kerberos Apache config
for another application. As always, the default out-of-the-box
configuration is the simple config file (digest) based one, so Kerberos
will not be required for a Cobbler setup in any case. (Slightly
related -- We've also talked about doing LDAP authorization in addition
to authentication for a future release --f or those who want to control
ownership but don't want to use the config file).

I'm also working on updating the Cobbler "status" command (which has
been pretty weak for a while) for the 0.9/1.0 release. This feature
will now log the IP/MAC and profile/system names of any provisioning
requests, so you'll be able to see what a particular ip/mac is installed
to, even if it's not in your Cobbler "database", and when it was last
installed. For installing systems, you'll also be able to see how long
they have been installing. This will be much better than the existing
status implementation, which relies on Apache logs and isn't very
accurate when it tries to determine when things happened (when it
works). We'll continue to log syslog for distros that support it as well.

There have also been some good ideas on IRC over the last few days about
improving the WebUI to better deal with the ownership modes. A couple
of those ideas including offering a simpler webui view for "lowly users"
that only allow them to edit select fields of what they own -- for
instance, they can see they own profile X and Y, and systems A, B, and
C, and can choose to flip the netboot flags of system C and reinstall it
if they wish, etc. Another thing we'll likely want to add is search to
the WebUI, so if you have a very large number of systems, and just want
to find out what a particular hostname/ip/mac is running, it will be
quick to do that. The final thing that I want to address for the WebUI
for 0.9/1.0 is being able to create/copy kickstart templates as opposed
to just being able to edit them. That should round out the webapp a
good bit. Other ideas welcome. Surfacing cobbler status is probably
also a good idea, especially if we can find a nice way to show the "last
installed date" for systems and other neat stuff like that. I also
want to look at ACLs and running Cobbler as non-root (possibly) though
that may be a later release depending on how development goes, probably
a quick 1.1/1.2 release.

Anyhow, if you have a kerberos setup and don't mind playing with git
(see the first parts of
https://fedorahosted.org/cobbler/wiki/PatchProcess) -- testing is very
welcome. The latest version of the rest of the development changelog
is always available here:


And as always, other comments about what you'd like to see in Cobbler
are always welcome to. We have an RFE list in Trac for holding the
ideas. If you don't have a Trac account you can get one at
https://admin.fedoraproject.org/accounts and Trac is here:



et-mgmt-tools mailing list
Old 04-16-2008, 12:25 AM
Robin Bowes
Default Cobbler kerberos support testing (& other 1.0 notes/ramblings)

Michael DeHaan wrote:

We've also talked about doing LDAP authorization in addition to
authentication for a future release --f or those who want to control
ownership but don't want to use the config file).

I'd be very interested in this sort of thing.

One use-case I'm thinking about is for an ISP with several clients
allowing each client to use cobbler to do their own installs. Of course,
this would require a further degree of privacy, i.e. it would be
necessary to prevent client A seeing anything belonging to Client B, and
vice versa. Some things should be viewable (read-only) to all, e.g. a
standard RHEL5 profile. Clients could perhaps copy a read-only profile
to their own custom profile and modify it as required.

Of course, another option is to restrict cobbler access to ISP employees
thus eliminating the need for strict partitioning.

Anyway, the LDAP authorisation sounds like interesting stuff - I
certainly wouldn't want to have to maintain an LDAP directory for
authentication, then manually edit a file to control authorisation.



et-mgmt-tools mailing list

Thread Tools

All times are GMT. The time now is 04:05 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org