-
Sub-task
-
Resolution: Done
-
Undefined
-
None
-
None
-
0
-
False
-
-
False
-
0
-
Rocket
-
-
+++ This bug was initially created as a clone of Bug #2269386 +++
Description of problem:
While following https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/provisioning_hosts/index#Using_an_Image_Builder_Image_for_Provisioning_provisioning , After submitting the host for build with kickstart_liveimg parameter, The process is unable to fetch kickstart or render\preview the Kickstart template shipped with Red Hat Satellite 6.
Version-Release number of selected component (if applicable):
Satellite 6.14 [ perhaps some older versions are affected as well ]
How reproducible:
Always
Steps to Reproduce:
1. Create a system with kickstart_liveimg parameter added
2. Try to render\preview the kickstart template against that host
3. Repeat Step 2 with both Safemode Rendering enabled and disabled
Actual results:
With Safemode enabled:
2024-03-13T20:38:49 [W|app|74498179] Error rendering the Kickstart default template
2024-03-13T20:38:49 [I|app|74498179] Backtrace for 'Error rendering the Kickstart default template' error (Safemode::SecurityError): Safemode doesn't allow to access 'repository_url' on #<Safemode::ScopeObject>
74498179 | /usr/share/gems/gems/safemode-1.3.8/lib/safemode/scope.rb:39:in `method_missing'
74498179 | Kickstart default:114:in `initialize'
74498179 | /usr/share/gems/gems/safemode-1.3.8/lib/safemode.rb:52:in `eval'
74498179 | /usr/share/gems/gems/safemode-1.3.8/lib/safemode.rb:52:in `eval'
74498179 | /usr/share/foreman/app/services/foreman/renderer/safe_mode_renderer.rb:7:in `render'
74498179 | /usr/share/foreman/app/services/foreman/renderer/base_renderer.rb:18:in `render'
74498179 | /usr/share/foreman/app/models/template.rb:172:in `render'
74498179 | /usr/share/foreman/app/controllers/templates_controller.rb:131:in `safe_render'
74498179 | /usr/share/foreman/app/controllers/templates_controller.rb:111:in `preview'
74498179 | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
74498179 | /usr/share/gems/gems/actionpack-6.1.7.4/lib/abstract_controller/base.rb:228:in `process_action'
74498179 | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/rendering.rb:30:in `process_action'
74498179 | /usr/share/gems/gems/actionpack-6.1.7.4/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:117:in `block in run_callbacks'
74498179 | /usr/share/foreman/app/controllers/concerns/foreman/controller/timezone.rb:10:in `set_timezone'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
74498179 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
74498179 | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
74498179 | /usr/share/gems/gems/audited-5.3.2/lib/audited/sweeper.rb:16:in `around'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
74498179 | /usr/share/gems/gems/audited-5.3.2/lib/audited/sweeper.rb:16:in `around'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
74498179 | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:137:in `run_callbacks'
With Safemode disabled:
2024-03-13T20:36:07 [W|app|0deac36e] Error rendering the Kickstart default template
2024-03-13T20:36:07 [I|app|0deac36e] Backtrace for 'Error rendering the Kickstart default template' error (NoMethodError): undefined method `repository_url' for #<Foreman::Renderer::Scope::Provisioning:0x0000557a6cde2a10>
0deac36e | Did you mean? register_url
0deac36e | Kickstart default:38:in `get_binding'
0deac36e | /usr/share/ruby/erb.rb:905:in `eval'
0deac36e | /usr/share/ruby/erb.rb:905:in `result'
0deac36e | /usr/share/foreman/app/services/foreman/renderer/unsafe_mode_renderer.rb:7:in `render'
0deac36e | /usr/share/foreman/app/services/foreman/renderer/base_renderer.rb:18:in `render'
0deac36e | /usr/share/foreman/app/services/foreman/renderer.rb:46:in `render'
0deac36e | /usr/share/foreman/app/models/template.rb:172:in `render'
0deac36e | /usr/share/foreman/app/controllers/templates_controller.rb:131:in `safe_render'
0deac36e | /usr/share/foreman/app/controllers/templates_controller.rb:111:in `preview'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/abstract_controller/base.rb:228:in `process_action'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/rendering.rb:30:in `process_action'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:117:in `block in run_callbacks'
0deac36e | /usr/share/foreman/app/controllers/concerns/foreman/controller/timezone.rb:10:in `set_timezone'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
0deac36e | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
0deac36e | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
0deac36e | /usr/share/gems/gems/audited-5.3.2/lib/audited/sweeper.rb:16:in `around'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
0deac36e | /usr/share/gems/gems/audited-5.3.2/lib/audited/sweeper.rb:16:in `around'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
0deac36e | /usr/share/gems/gems/activesupport-6.1.7.4/lib/active_support/callbacks.rb:137:in `run_callbacks'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/abstract_controller/callbacks.rb:41:in `process_action'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/rescue.rb:22:in `process_action'
0deac36e | /usr/share/gems/gems/actionpack-6.1.7.4/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
It seems foreman does not even know where the repository_url function exists or what to pick from.
Expected results:
No such error and end-users would be able to deploy systems using the RH Image builder images and the documented procedure in "Chapter 8. Using a Red Hat Image Builder Image for Provisioning"
Additional info:
— Additional comment from on 2024-03-13T16:06:21Z
=== In Red Hat Customer Portal Case 03762478 ===
— Comment by Francisco Peralta on 3/13/2024 5:06 PM —
Hola David,
good and bad news I would say.. 
The bad first, right? We could reproduce it also on our side and it seems a bug/regression.
The good news we already filed a BZ about it here: (2269386)https://bugzilla.redhat.com/show_bug.cgi?id=2269386
I think the workarounds you have, in the meantime we try o fix this is, are either:
- following the documented way i.e. by adding the image as a content of custom product and using it's path
- as you mentioned already, edit/change the template (I ges making a copy of it instead of altering it is the best) so to not use repository_url
In any case I will keep you posted and update you when I know more about the issue.
Kr,
Cisco.
— Additional comment from on 2024-03-14T08:58:50Z
Interestingly, the code that allows repository_url is still in place https://github.com/Katello/katello/blob/91d7db8ebed74fa9fb29d39820b7a97f366fc38c/lib/katello/plugin.rb#L203 so I'm not sure what has caused the regression. The other workaround to offer is to disable the safemode through settings, but beware that any user with ability to modify the template could actually run any code on the Satellite server under the foreman linux user (shellout from the template). So only use that if you ultimately trusts users of your Satellite.
— Additional comment from on 2024-03-14T09:02:11Z
As you can see the tracbacks pointed out, Disabling safemode does not work as well.
With Safemode enabled:
2024-03-13T20:38:49 [W|app|74498179] Error rendering the Kickstart default template
2024-03-13T20:38:49 [I|app|74498179] Backtrace for 'Error rendering the Kickstart default template' error (Safemode::SecurityError): Safemode doesn't allow to access 'repository_url' on #<Safemode::ScopeObject>
74498179 | /usr/share/gems/gems/safemode-1.3.8/lib/safemode/scope.rb:39:in `method_missing'
74498179 | Kickstart default:114:in `initialize'
With Safemode disabled:
2024-03-13T20:36:07 [W|app|0deac36e] Error rendering the Kickstart default template
2024-03-13T20:36:07 [I|app|0deac36e] Backtrace for 'Error rendering the Kickstart default template' error (NoMethodError): undefined method `repository_url' for #<Foreman::Renderer::Scope::Provisioning:0x0000557a6cde2a10>
0deac36e | Did you mean? register_url
0deac36e | Kickstart default:38:in `get_binding'
0deac36e | /usr/share/ruby/erb.rb:905:in `eval'
0deac36e | /usr/share/ruby/erb.rb:905:in `result'
0deac36e | /usr/share/foreman/app/services/foreman/renderer/unsafe_mode_renderer.rb:7:in `render'
0deac36e | /usr/share/foreman/app/services/foreman/renderer/base_renderer.rb:18:in `render'
0deac36e | /usr/share/foreman/app/services/foreman/renderer.rb:46:in `render'
0deac36e | /usr/share/foreman/app/models/template.rb:172:in `render'
0deac36e | /usr/share/foreman/app/controllers/templates_controller.rb:131:in `safe_render'
In short, Foreman can't even find the repository_url method from anywhere to use
— Additional comment from on 2024-03-14T09:29:20Z
Also,
allowed_template_helpers :subscription_manager_configuration_url, :repository_url
does not exists in the Katello shipped with Sat 6.14 or even in the master branch of katello itself
I can last see it in KATELLO-3.15 branch and not after that
— Additional comment from on 2024-03-14T09:40:25Z
It seems it was dropped by this change https://github.com/Katello/katello/commit/c33da7a3fa9473add44a154feba4e57f34b2b289#diff-ac11d53af30eba816142dd5574d5291a930807f91c255de46f2fe550f43070ccL46
— Additional comment from on 2024-03-14T09:46:06Z
Yeah.
And by reading the dropped code, I can see that, The host parameter kickstart_liveimg would expect to have the relative path of the image instead of any HTTP URL where the image is located which is exactly what is documented in the Product Doc as well i.e. https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/provisioning_hosts/index#Using_an_Image_Builder_Image_for_Provisioning_provisioning
But the customer Roche , was feeding a http:// location to the image which may not work [ even if the dropped code, existed today ]. So the way they were trying to use the feature ( which called for repository_url method ) would not have worked i guess.
Anyways, Let's hope someone knows how to fix the repository_url part. If it was removed, There must have been some alternative present or developed.
— Additional comment from on 2024-03-14T10:15:00Z
Ref: https://redhat-internal.slack.com/archives/C049F7NSXV3/p1710335556261969
Part of the affected code:
<%
if host_param('kickstart_liveimg')
img_name = host_param('kickstart_liveimg')
liveimg_url = if host_param('kt_activation_keys')
repository_url(img_name, 'isos')
else
if img_name.match(%r|^([\w\-\+]+)://|)
img_name
else
"#
end
end
%>
Roche says, if they hardocode the URL of the image i.e. full HTTP path , in the liveimg_url variable, then the template renders fine for them.
Which means,
if host_param('kickstart_liveimg')
img_name = host_param('kickstart_liveimg')
liveimg_url = if host_param('kt_activation_keys')
repository_url(img_name, 'isos')
else
if img_name.match(%r|^([\w\-\+]+)://|)
img_name
else
"#{medium_uri}
/#
{img_name}"
end
end
%>
liveimg --url=<%= liveimg_url %> <%= proxy_string %>
<% else %>
<%
if host_param('kickstart_liveimg')
liveimg_url = host_param('kickstart_liveimg')
%>
liveimg --url=<%= liveimg_url %> <%= proxy_string %>
<% else %>
or even simpler.
I wonder why repository_url function was written under the context of having the image accessed from a repository hosted in satellite.
Technically, if the image is available in the correct format on any HTTP server and we can pass the full HTTP path of the image, The deployment should work fine as long as the image is accessible by satellite and\or the host to use.
This would require a QE verification for sure i.e. the entire documented process needs to be simplified and verified
— Additional comment from on 2024-03-14T12:22:49Z
Seems we were a bit overzealous when rearranging things for multi-CV: https://github.com/Katello/katello/pull/10296#discussion_r997378741
— Additional comment from on 2024-03-14T19:15:13Z
Created redmine issue https://projects.theforeman.org/issues/37268 from this bug
— Additional comment from on 2024-03-15T16:03:42Z
Upstream bug assigned to iballou@redhat.com
— Additional comment from on 2024-03-15T16:03:45Z
Upstream bug assigned to iballou@redhat.com
— Additional comment from on 2024-03-26T16:03:47Z
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/37268 has been resolved.
— Additional comment from on 2024-03-26T16:09:56Z
Hi Jeremy and Ian
I feel like we are lacking some clarification about that deployment method in https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/provisioning_hosts/index#Using_an_Image_Builder_Image_for_Provisioning_provisioning
We do mention that
~~~
On Satellite, create a custom product, add a custom file repository to this product, and upload the image to the repository. For more information, see Importing Individual ISO Images and Files in Managing Content.
~~~
but then if i scroll up a bit, Just under the Chapter name we say:
~~
Using RHEL web console, you can access Red Hat Image Builder and build images that you can then upload to a HTTP server and use this image to provision hosts.
~~
So both contradict each other.
If The image needs to be part of a custom repo and that repo needs to be part of the same CV+LCE which is selected while creating the host profile, we need to make it abundantly clear in the doc section.
Can you confirm my assumption and also have someone from doc team to review this suggestion please ?
– Sayan
— Additional comment from on 2024-03-26T18:14:13Z
Sayan, I agree the docs there are confusing. What's interesting is that our code supports both scenarios, either a random web server that the user hosts or File repo content hosted by Satellite. I think the docs are very lacking because there are different rules based on if the URL has "://" in it or if the host is consuming from library or not.
I'd be in support of a docs BZ to better specify how to use this feature we have.
QE Tracker for https://issues.redhat.com/browse/SAT-24287
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2272114
