Bug #13915
Foreman-Proxy does not honour configuration for nsupdate_gss
Status: closed
Description
Centos 7 w/ and w/o SElinux:
Problem: Settings for nsupdate_gss are not being taken from the conf:
Steps to reproduce:
1.) Install the foreman-proxy
2.) enable http, dns, use dns_nsupdate_gss
3.) modify dns_nsupdate_gss.yml
4.) dns_nsupdate_gss is still being initialized with default params:
I, [2016-02-26T12:04:50.234231 #4322] INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :dns_server: localhost, :dns_tsig_keytab: /usr/share/foreman-proxy/dns.keytab, :dns_tsig_principal: DNS/host.example.com@EXAMPLE.COM, :enabled: false
# grep -v ^# /etc/foreman-proxy/settings.d/dns_nsupdate_gss.yml
---
:dns_server: foobar.com
:dns_tsig_keytab: /usr/FOOBAR/foreman-proxy/dns.keytab
:dns_tsig_principal: FOOBAR/host.example.com@EXAMPLE.COM
# grep -v ^# /etc/foreman-proxy/settings.d/dns.yml
---
:enabled: true
:use_provider: dns_nsupdate_gss
:dns_ttl: 86400
Updated by Dominic Cleal almost 9 years ago
Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.
Updated by Andreas Pfaffeneder almost 9 years ago
Dominic Cleal wrote:
Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.
# egrep -v '^#|^$' /etc/foreman-proxy/settings.yml
---
:settings_directory: /etc/foreman-proxy/settings.d
:daemon: true
:http_port: 8000
:virsh_network: default
:log_level: DEBUG
Log is attached.
Updated by Dominic Cleal almost 9 years ago
- Status changed from New to Feedback
The attached log shows that it's probably configured correctly. It shows:
I, [2016-02-26T12:32:26.276357 #6909] INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :enabled: false
The log's a bit odd, it only shows the settings that came from defaults, so this implies it's picked up dns_tsig etc correctly from your config. Could you check if it's working properly now please?
Updated by Andreas Pfaffeneder almost 9 years ago
OK, there seems to be a problem which has gone away/was due to misconfiguration.
Still the proxy picks up the wrong host:
D, [2016-02-26T12:43:41.778374 #8227] DEBUG -- : accept: 192.168.0.8:53141
D, [2016-02-26T12:43:41.779937 #8227] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2016-02-26T12:43:41.821550 #8227] DEBUG -- : verifying remote client 192.168.0.8 against trusted_hosts ["katello3.zuhause-local.de", "katello3.zuhause-local.de"]
I, [2016-02-26T12:43:41.822807 #8227] INFO -- : Requesting credentials for Kerberos principal DNS/katello3.zuhause-local.de@ZUHAUSE-LOCAL.DE using keytab /etc/foreman-proxy/dns.keytab
D, [2016-02-26T12:43:43.994525 #8227] DEBUG -- : Kerberos credential cache initialised with principal: DNS/katello3.zuhause-local.de@ZUHAUSE-LOCAL.DE
D, [2016-02-26T12:43:43.994841 #8227] DEBUG -- : running /usr/bin/nsupdate g : nsupdate: executed - server localhost
D, [2016-02-26T12:43:44.522560 #8227] DEBUG -
D, [2016-02-26T12:43:44.523937 #8227] DEBUG -- : nsupdate: executed - update add 139.178.168.192.in-addr.arpa. 86400 IN PTR awefrweqr.zuhause-local.de
I, [2016-02-26T12:44:08.425166 #8227] INFO -- : 192.168.0.8 - - [26/Feb/2016 12:44:08] "POST /dns/ HTTP/1.1" 200 - 26.6048
It tries to update localhost although another dns-server is being configured:
:dns_server: ipa.zuhause-local.de
Updated by Dominic Cleal almost 9 years ago
Can you try putting :dns_server into dns_update.yml too?
This might be fixed in Foreman 1.11.0-RC1 via #12209, which refactored the DNS providers and appears to correctly load the dns_server from the dns_nsupdate_gss settings when using that provider instead of dns_nsupdate (they share code).
Updated by Andreas Pfaffeneder almost 9 years ago
Adding the server to dns_nsupdate.yml did the trick!
Updated by Dominic Cleal almost 9 years ago
- Status changed from Feedback to Resolved
Good to hear. The other setting that will be affected is dns_ttl, if you rely on it.
I'll mark this as resolved for now as I believe the fix is in 1.11, reopen if somebody wants to try backporting it to 1.10-stable.
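A small consistency check for the 1.10 workaround discussed in this thread (added here as an example; it is not Foreman's or the proxy's own code). It assumes the settings.d layout shown above and that, with :use_provider: dns_nsupdate_gss, the shared nsupdate code reads :dns_server and :dns_ttl from dns_nsupdate.yml, so it reports when those keys are missing there or differ from the gss settings.

```ruby
# Added example, not Foreman code: verify that values intended for the
# dns_nsupdate_gss provider are mirrored in dns_nsupdate.yml (the 1.10 workaround).
require 'yaml'

# Keys the thread identifies as read by the shared nsupdate code (assumption).
SHARED_KEYS = [:dns_server, :dns_ttl].freeze

# Parse one settings.d file; the ":dns_server:" style keys are YAML symbols.
def load_proxy_yaml(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# files: Hash of basename => YAML text. Returns an Array of problem strings,
# empty when the workaround is complete or the gss provider is not selected.
def gss_workaround_problems(files)
  dns  = load_proxy_yaml(files.fetch('dns.yml', ''))
  return [] unless dns[:use_provider].to_s == 'dns_nsupdate_gss'
  gss  = load_proxy_yaml(files.fetch('dns_nsupdate_gss.yml', ''))
  base = load_proxy_yaml(files.fetch('dns_nsupdate.yml', ''))
  SHARED_KEYS.each_with_object([]) do |key, problems|
    wanted = gss[key] || dns[key]   # provider file wins, then dns.yml
    next if wanted.nil?
    if !base.key?(key)
      problems << "#{key} missing from dns_nsupdate.yml (proxy falls back to its default)"
    elsif base[key] != wanted
      problems << "#{key} is #{base[key].inspect} in dns_nsupdate.yml but #{wanted.inspect} for gss"
    end
  end
end

# Run against a real settings.d directory (path taken from this page).
def gss_workaround_problems_in(dir = '/etc/foreman-proxy/settings.d')
  files = %w[dns.yml dns_nsupdate.yml dns_nsupdate_gss.yml].each_with_object({}) do |name, h|
    path = File.join(dir, name)
    h[name] = File.read(path) if File.exist?(path)
  end
  gss_workaround_problems(files)
end

# Constructed sample mirroring the reporter's config before the workaround.
SAMPLE = {
  'dns.yml' => "---\n:enabled: true\n:use_provider: dns_nsupdate_gss\n:dns_ttl: 86400\n",
  'dns_nsupdate_gss.yml' => "---\n:dns_server: ipa.zuhause-local.de\n",
  'dns_nsupdate.yml' => "---\n",
}.freeze

puts gss_workaround_problems(SAMPLE) if __FILE__ == $PROGRAM_NAME
```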