Description of problem:
By default, if we have a hostname set to something like SATELLITE.example.com, then the installer will immediately fail to execute due to the check in place, i.e. https:
~~
# satellite-installer
2023-04-05 22:12:46 [NOTICE] [root] Loading installer configuration. This will take some time.
2023-04-05 22:12:50 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2023-04-05 22:12:50 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
Output of 'facter fqdn' is different from 'hostname -f'
..
..
Your system does not meet configuration criteria
~~
When a host entry is created in Satellite, even that is also downcased via https:
But now, let's say that when I fix the OS hostname of said Satellite instance and pass some arguments to satellite-installer with values like SATELLITE.example.com, those are somehow accepted and are not downcased at all (resulting in weird issues).
If we look into [1] and [2], we will see that we directly use $facts['networking']['fqdn'], but then in one or two places we use $lower_fqdn, which is downcase($facts['networking']['fqdn']).
In my opinion, we should use $lower_fqdn almost everywhere we need to use the FQDN.
[1] https:
[2] https:
Version-Release number of selected component (if applicable):
Satellite 6.10/6.11/6.12/6.13
( Reproducer created on 6.11.5 )
How reproducible:
Always and easily
Steps to Reproduce and Results:
1. On a RHEL 8 box, enable the required repos and modules, and install the satellite rpm and its dependencies.
2. Ensure that the OS has a valid hostname set i.e. satellite.example.com
3. Run the satellite-installer in the following way
# satellite-installer --scenario satellite --verbose \
--foreman-initial-organization "RedHat" \
--foreman-initial-location "GSS" \
--foreman-initial-admin-username admin \
--foreman-initial-admin-password RedHat1! \
--enable-foreman-plugin-puppet \
--enable-foreman-cli-puppet \
--foreman-proxy-puppet true \
--foreman-proxy-puppetca true \
--foreman-proxy-content-puppet true \
--enable-puppet \
--puppet-server true \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key \
--foreman-proxy-puppet-url https: \
--foreman-proxy-template-url http: \
--foreman-proxy-registered-name SATELLITE.example.com \
--foreman-servername SATELLITE.example.com \
--certs-node-fqdn SATELLITE.example.com \
--certs-ca-common-name SATELLITE.example.com
4. It will fail with an error like this i.e.
2023-03-30 14:32:59 [ERROR ] [configure] Host SATELLITE.example.com does not exist in Foreman at https:
2023-03-30 14:32:59 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy_host[foreman-proxy-SATELLITE.example.com]/ensure: change from 'absent' to 'present' failed: Host SATELLITE.example.com does not exist in Foreman at https:
2023-03-30 14:36:32 [NOTICE] [configure] System configuration has finished.
Because the smart-proxy entry is created with a malformed FQDN, i.e.
# echo "select * from smart_proxies;" | su - postgres -c "psql -x foreman"
-[ RECORD 1 ]---+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
id | 1
name | SATELLITE.example.com
url | https:
created_at | 2023-03-30 09:02:57.929567
updated_at | 2023-03-30 09:02:58.308301
pubkey | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc9W0XFtXPduwc/DeUdRN+RXQZEqCn3ErmI3yVwSbzhyKAQ8i5VRo2SvDULQKrRErBd1vhsbQU+/nFmBuTtP41vabsMUyaKcn1BsvrES9tU80JBba4bIn/BbI7dbye1r4jgQKdSKF1j3TG2yg73huqICB8QbZHpfxrN2oUJ+sjoi/a2hkonnatkhYmP7RcvOgnG2/7jUaLqyCqyd4+cRiK1J1LQoEfti+8iTBxmnuaiAVnfG1gPZhY1ixx6F6u5Qwkg/Jp7nRNe7Ih6WOTBfwEBsAt6+8OZ83dkhe770Y6dXcgMRGYNqXv5oykp/2JjyAzFlquyPw0QXpREqx+jyWL foreman-proxy@satellite.example.com
expired_logs | 0
puppet_path |
download_policy | on_demand
But the entry for Satellite itself as a host has been created by Puppet facts with the expected FQDN:
# echo "select id,name,certname,type,lookup_value_matcher from hosts where name ilike '%SATELLITE%';" | su - postgres -c "psql -x foreman"
-[ RECORD 1 ]--------+----------------------------------------
id | 1
name | satellite.example.com
certname | satellite.example.com
type | Host::Managed
lookup_value_matcher | fqdn=satellite.example.com
5. Now, if we want to fix it, just update the name of the smart-proxy from SATELLITE.example.com to satellite.example.com and then run "satellite-installer", which will finish successfully and give us the assumption that everything is fine.
# hammer capsule list
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
ID | NAME | URL | FEATURES
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
1 | SATELLITE.example.com | https:
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
# hammer capsule update --name SATELLITE.example.com --new-name satellite.example.com --organization RedHat
Smart proxy updated.
# hammer capsule list
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
ID | NAME | URL | FEATURES
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
1 | satellite.example.com | https:
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
# satellite-installer --foreman-proxy-registered-name satellite.example.com
..
2023-03-30 14:59:17 [NOTICE] [configure] System configuration has finished.
Success!
* Satellite is running at https:
Initial credentials are admin / RedHat1!
* To install an additional Capsule on separate machine continue by running:
capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"
* Capsule is running at https:
The full log is at /var/log/foreman-installer/satellite.log
Package versions are being locked.
# hammer capsule list
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
ID | NAME | URL | FEATURES
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
1 | satellite.example.com | https:
---|------------------------------------|-------------------------------------------------|------------------------------------------------------------------------------
6. But pulp is messed up:
# cat /etc/pulp/settings.py | grep -i satellite
CONTENT_HOST = "SATELLITE.example.com"
CONTENT_ORIGIN = "https:
ANSIBLE_API_HOSTNAME = "SATELLITE.example.com"
ANSIBLE_CONTENT_HOSTNAME = "https:
And it cannot do anything right now due to how we got the installer completed and how pulp knows about the malformed FQDN:
# echo "Katello::Pulp3::Api::ContentGuard.new(SmartProxy.pulp_primary).refresh" | foreman-rake console
Loading production environment (Rails 6.0.6)
Switch to inspect mode.
Katello::Pulp3::Api::ContentGuard.new(SmartProxy.pulp_primary).refresh
Traceback (most recent call last):
4: from lib/tasks/console.rake:5:in `block in <top (required)>'
3: from (irb):1
2: from katello (4.3.0.52) app/services/katello/pulp3/api/content_guard.rb:32:in `refresh'
1: from katello (4.3.0.52) app/services/katello/pulp3/api/content_guard.rb:65:in `list'
PulpCertguardClient::ApiError (Error message: the server returns an error)
HTTP status code: 403
Response headers: {"Date"=>"Thu, 30 Mar 2023 09:25:14 GMT", "Server"=>"gunicorn", "Content-Type"=>"application/json", "Vary"=>"Accept,Cookie", "Allow"=>"GET, POST, HEAD, OPTIONS", "X-Frame-Options"=>"DENY", "Content-Length"=>"58", "X-Content-Type-Options"=>"nosniff", "Referrer-Policy"=>"same-origin", "Correlation-ID"=>"4a5ed40a53244af7879e08722cf703f3", "Access-Control-Expose-Headers"=>"Correlation-ID", "Via"=>"1.1 SATELLITE.example.com"}
Response body: {"detail":"Authentication credentials were not provided."}
And the same error will continue to affect any new pulp actions unless the issue is properly fixed.
Additional info:
The only way to fix this scenario is to re-use the exact same set of installer params with the correct FQDN, i.e. all in lowercase:
satellite-installer --scenario satellite --verbose \
--foreman-proxy-puppet-url https: \
--foreman-proxy-template-url http: \
--foreman-proxy-registered-name satellite.example.com \
--foreman-servername satellite.example.com \
--certs-node-fqdn satellite.example.com \
--certs-ca-common-name satellite.example.com
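
Added example, not part of the original report and not Satellite or Foreman code: a pre-flight check that flags any line (installer options or a settings file such as /etc/pulp/settings.py) spelling the host's FQDN with uppercase characters, which is the condition the report traces the failed registration and the 403 to. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: find non-lowercase spellings of an FQDN before they reach
# satellite-installer or end up in generated configuration.

# Lowercase a name, mirroring the downcase() the report refers to.
lower_fqdn() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# stdin = text, $1 = FQDN. Prints each distinct spelling of the FQDN found
# in the text that is not the all-lowercase one.
mixed_case_spellings() {
  want=$(lower_fqdn "$1")
  # -i: match any case, -o: print only the matched text, -F: literal string
  grep -ioF -- "$want" | grep -vxF -- "$want" | sort -u
}

# stdin = lines to audit, $1 = FQDN. Prints "lineno: line" for every line
# carrying a mixed-case spelling; returns 1 if any was found, 0 otherwise.
find_mixed_case_lines() {
  n=0
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if [ -n "$(printf '%s\n' "$line" | mixed_case_spellings "$1")" ]; then
      printf '%d: %s\n' "$n" "$line"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: two lines in the spelling shown in the report and
# one correctly lowercased option.
sample_input() {
  cat <<'EOF'
--foreman-proxy-registered-name SATELLITE.example.com
--certs-node-fqdn satellite.example.com
CONTENT_HOST = "SATELLITE.example.com"
EOF
}

sample_input | find_mixed_case_lines satellite.example.com \
  || echo "mixed-case FQDN spellings found; lowercase them before running the installer" >&2
```

On a real system the same function can be fed the saved installer command line or `/etc/pulp/settings.py` on stdin, with `hostname -f` as the FQDN argument.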