pfSense: Unattended installation with Foreman

September 4th, 2014 No comments

As you may know, Foreman is probably the lifecycle management tool for virtual and physical servers. And it already supports a rather large number of different operating systems. Lately it got support to provision FreeBSD servers and this brought up the idea to add support for pfSense firewalls as well.

First of all: This project was a success. It is now possible to automatically deploy pfSense with Foreman. I’ve created a small video to showcase the deployment of pfSense using Foreman:

The video may not be very entertaining, but it should give you an impression of how the unattended installation works (even if you don’t know Foreman yet).

You can download the required Foreman templates from Github. You may also want to have a look at the Foreman Documentation to find out how to add these templates to your instance of Foreman.

What are the benefits?
– do fully unattended installations of pfSense
– in conjunction with Puppet it allows you to automate basically every task (full lifecycle management)
– choose from different versions of pfSense according to your needs

How does it work?
– it assumes you want to use The Foreman to provision your servers
– it assumes that pfSense can be automatically provisioned similar to FreeBSD
– on top of that assumption it’s basically a set of patches for the pfSense Installer
– it assumes you want to use Puppet with pfSense

Feedback or contributions? Please use the Github issue tracker.

Automatically update pfSense firewalls (with puppet)

July 14th, 2014 No comments

Updating pfSense firewalls is easy and stable thanks to its proven upgrade mechanisms. So why should I use the WebGUI to update every pfSense firewall manually? If you have multiple pfSense firewalls and a working test environment, there is no reason to avoid automatic updates.

I’ve extracted a portion of the pfSense firmware upgrade code and put together a small PHP script. This makes it possible to automatically update pfSense. In combination with puppet you need just one line to enable automatic updates:

class { 'pfsense_autoupdate': }

Now your pfSense firewall will check hourly for new versions and install them (almost) instantly. If you want more control you can specify any of the optional parameters:

class { 'pfsense_autoupdate':
  major_updates    => false,
  update_hours     => ['22-23', '2-4', 6],
  update_weekdays  => ['6-7'],
  random_sleep     => false,
  firmware_url     => '',
  sig_verification => false,
  quiet            => true,
}

You may download the PHP script and puppet module from puppet forge. Additionally you may want to check out the project page on github. Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.
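To see what a given parameter set actually permits, here is an added example (not code from the pfsense_autoupdate module or its PHP script) that re-implements the hour/weekday window syntax used above and flags settings a reviewer would question. It assumes cron-style weekdays where 6 and 7 are Saturday and Sunday, and that signature verification is enabled unless set to false.

```python
"""Maintenance-window and policy check modelled on the pfsense_autoupdate parameters.

Added example: it mirrors the window syntax of the module (ranges such as '22-23',
single values such as 6) but is an independent re-implementation, not the module's code.
"""
from datetime import datetime


def expand(spec, lo, hi):
    """Expand ['22-23', '2-4', 6] into {22, 23, 2, 3, 4, 6}; reject values outside lo..hi."""
    allowed = set()
    for item in spec:
        text = str(item)
        if '-' in text:
            start, end = (int(p) for p in text.split('-', 1))
        else:
            start = end = int(text)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"bad window item {item!r}, expected {lo}..{hi}")
        allowed.update(range(start, end + 1))
    return allowed


def in_window(when, update_hours, update_weekdays):
    """True if `when` is inside the configured hours and weekdays (assumed 1=Mon .. 7=Sun)."""
    hours = expand(update_hours, 0, 23)
    days = expand(update_weekdays, 1, 7)
    return when.hour in hours and when.isoweekday() in days


def audit(params):
    """Return warnings for settings that weaken the update path (assumed default: verification on)."""
    warnings = []
    if params.get('sig_verification', True) is False:
        warnings.append('sig_verification disabled: downloaded firmware is not authenticated')
    url = params.get('firmware_url') or ''
    if url and not url.startswith('https://'):
        warnings.append('firmware_url is not HTTPS: download can be tampered with in transit')
    return warnings


# Constructed parameter hash mirroring the example in the post above.
PARAMS = {
    'update_hours': ['22-23', '2-4', 6],
    'update_weekdays': ['6-7'],
    'firmware_url': '',
    'sig_verification': False,
}

if __name__ == '__main__':
    saturday_night = datetime(2014, 7, 12, 22, 30)   # a Saturday
    print(in_window(saturday_night, PARAMS['update_hours'], PARAMS['update_weekdays']))
    for warning in audit(PARAMS):
        print('WARNING:', warning)
```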

Prepare pfSense for RANCID (with puppet)

July 14th, 2014 No comments

pfSense is a great firewall and RANCID is a good choice for regular configuration backups. Sounds like a good team? It is! And it has been for years. But configuring pfSense for RANCID can be a pain. I wrote a puppet module to make it easier. You may download it from puppet forge.

Now configuring pfSense for RANCID is quite simple:

class { 'pfsense_rancid':
  password => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
}

I’ve added some optional parameters to make it suitable for most environments:

class { 'pfsense_rancid':
  username       => 'backupuser',
  password       => '$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.',
  authorizedkeys => [
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj',
    'ssh-rsa AAAAksdjfkjsdhfkjhsdfkjhkjhkjhkj',
  ],
  diskusage      => false,
}

Note that you need the puppet agent for pfSense and my pfSense provider collection for this to work.


pfSense user/group management with puppet

July 14th, 2014 No comments



Installing puppet on pfSense firewalls

July 14th, 2014 2 comments


While pfSense offers a rather large collection of packages, there is currently no puppet package available. However, there is a pull request to add a puppet package, but it has not been accepted yet. Please join the discussion here.

Some people might tell you to just install a FreeBSD package in pfSense to get puppet. Don’t do it, it’s just wrong. pfSense isn’t plain FreeBSD, it is an appliance and thus a different kind of beast. There are good reasons to use specialized pfSense packages.

Besides the technical reasons, the puppet package on pfSense includes a small but nice GUI component, as you can see from the screenshot below.


Configure package repo

Since there’s no official puppet package for pfSense yet, we need to use an unofficial package. I’ve set up a pfSense package repo so everyone may check out puppet on pfSense. To use this unofficial repo you need to open a hidden settings page in your pfSense firewall:

This allows you to configure a non-official server for packages. Enter for Base URL and click Save. Now go to the Available Packages tab, find the puppet package and install it.

Configure puppet agent

Go to Services->Puppet to configure the puppet agent. You may want to change the Puppet Server and Environment settings. Once you click Save the puppet agent configuration will be created and pfSense will try to start the puppet agent daemon. Of course, this will fail, since no signed SSL certificate is available. Now you should see a certificate request on your puppet master.

Once the certificate has been signed by your puppet master, you need to restart the puppet agent. Go to Status->Services and restart the puppet service accordingly.

Debug puppet agent

Now verify that the puppet agent is running. Go to Services->Puppet and open the Status tab. The agent should be running and no errors should be reported for the last run. The Facts and Debug tabs provide additional debug information. Additionally you may want to check Status->System Logs to see the log messages from the last puppet run.

If your puppet agent is still not running you may want to open a pfSense shell and run puppet agent --test --verbose.

What’s next

Currently the number of ready-to-use puppet modules for pfSense is very limited, but most FreeBSD compatible modules/providers should work. You may also want to check out my collection of pfSense providers, pfsense_rancid module and pfsense_autoupdate module.


oVirt: reset/change admin password

April 22nd, 2014 No comments

Starting with oVirt 3.6 there is a new method to change the password for user ‘admin’:

ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='yyyy-MM-dd hh:mm:ssZ'

In oVirt it is possible to change the password for user ‘admin’ from the command line:

# engine-config -s AdminPassword=interactive
Please enter a password:
Please reenter password:

Side note: Reasons for a password reset

Changes to the oVirt CA may force you to reset the password. In this case your engine.log may contain messages like the following:

Failed to decrypt value for property LocalAdminPassword will be used encrypted value: javax.crypto.BadPaddingException: Decryption error

A similar error will be shown on the command line:

# engine-config -g AdminPassword
AdminPassword: Failed to decrypt the current value.
Failed to decrypt the current value.

The most simple fix is to reset the password in that case.


oVirt: Change default console to NoVNC

April 14th, 2014 No comments

If running with default configuration, oVirt uses a native VNC client:

# engine-config -g ClientModeVncDefault
ClientModeVncDefault: Native version: general

Change this setting to always use the NoVNC client:

# engine-config -s ClientModeVncDefault=NoVnc

You need to restart the ovirt-engine service for this change to take effect.


Install puppet on ARM devices (Raspberry Pi)

March 11th, 2014 No comments

If you try to install a recent puppet version on an ARM device like the Raspberry Pi you will see this error:

# apt-get install puppet
Reading package lists… Done
Building dependency tree
Reading state information… Done
You might want to run 'apt-get -f install' to correct these:
The following packages have unmet dependencies:
facter : Depends: dmidecode but it is not installable
puppet : Depends: puppet-common (= 3.4.3-1puppetlabs1) but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

A quick google search reveals that this is a known bug. In fact it could easily be solved by removing the dmidecode dependency from the facter package for the ARM architecture.

I didn’t want to rebuild the facter package to remove the dependency. Instead I’ve built a simple dmidecode dummy package to provide the required dependency. This makes it easy to install puppet on ARM devices running Debian Wheezy:

# setup puppetlabs repo
dpkg -i puppetlabs-release-wheezy.deb

# install dummy package
dpkg -i dmidecode_0.01_armhf.deb

# install puppet
apt-get update
apt-get install puppet

Of course, I’d prefer a new facter package. I’m pretty sure puppetlabs will provide a new package in the future, but until then, this workaround will just work and does no harm.

Firefox: address is restricted

January 29th, 2014 No comments

Sometimes web applications are configured to use non-standard TCP ports for communication. When trying to access such web applications, your Firefox browser may come up with this error message:

This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

It turns out Firefox restricts TCP ports to mostly well-known ports. To override this restriction you need to follow these simple steps:

  1. enter about:config in the address bar
  2. New -> String
  3. Enter the preference name:
  4. Enter string value: 1-65535

This will allow all TCP ports for communication. Of course, you’re free to enter a different port range or only a single port.


Fix delayed SSH login

January 29th, 2014 No comments

On an Ubuntu/Mint workstation you might notice delayed SSH logins. If you turn on debugging by using the -v option you will find this failure multiple times:

debug1: Unspecified GSS failure.  Minor code may provide more information

Depending on your configuration, these failures result in a significant login delay. To verify that these GSS failures are the reason for the delay, you should try to disable it:

ssh -o GSSAPIAuthentication=no

If it works, you can disable this feature permanently by adding or changing this parameter in the system-wide /etc/ssh/ssh_config or your own ~/.ssh/ssh_config configuration file:

GSSAPIAuthentication no

It is interesting to note that the default setting is still “no”, according to the ssh_config man page.
