Bug #13915

closed

Foreman-Proxy does not honour configuration for nsupdate_gss

Added by Andreas Pfaffeneder about 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: DNS
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

CentOS 7 w/ and w/o SELinux:

Problem: Settings for nsupdate_gss not being taken from conf:

Steps to reproduce:
1.) Install the foreman-proxy
2.) enable http, dns, use dns_nsupdate_gss
3.) modify dns_nsupdate_gss.yml
4.) dns_nsupdate_gss still being initialized with default params:

I, [2016-02-26T12:04:50.234231 #4322]  INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :dns_server: localhost, :dns_tsig_keytab: /usr/share/foreman-proxy/dns.keytab, :dns_tsig_principal: DNS/host.example.com@EXAMPLE.COM, :enabled: false
# grep -v ^# /etc/foreman-proxy/settings.d/dns_nsupdate_gss.yml
---

:dns_server: foobar.com
:dns_tsig_keytab: /usr/FOOBAR/foreman-proxy/dns.keytab
:dns_tsig_principal: FOOBAR/host.example.com@EXAMPLE.COM

# grep -v ^# /etc/foreman-proxy/settings.d/dns.yml
---
:enabled: true

:use_provider: dns_nsupdate_gss
:dns_ttl: 86400

Files

proxy.log (2.16 KB) Andreas Pfaffeneder, 02/26/2016 06:33 AM
Actions #1

Updated by Dominic Cleal about 8 years ago

  • Description updated (diff)
Actions #2

Updated by Dominic Cleal about 8 years ago

Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.

Actions #3

Updated by Andreas Pfaffeneder about 8 years ago

Dominic Cleal wrote:

Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.

egrep -v '^#|^$' /etc/foreman-proxy/settings.yml
---
:settings_directory: /etc/foreman-proxy/settings.d
:daemon: true
:http_port: 8000
:virsh_network: default
:log_level: DEBUG

Log is attached.

Actions #4

Updated by Dominic Cleal about 8 years ago

  • Status changed from New to Feedback

The attached log shows that it's probably configured correctly. It shows:

I, [2016-02-26T12:32:26.276357 #6909]  INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :enabled: false

The log's a bit odd, it only shows the settings that came from defaults, so this implies it's picked up dns_tsig etc correctly from your config. Could you check if it's working properly now please?
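The reading of the log described in this comment can be checked mechanically. The following is an added example, not part of the ticket or of Foreman's code: it parses the "initialized with default values" line and compares it with the keys in the plugin's settings file. The function names (`defaulted_settings`, `configured_keys`, `audit`) are hypothetical; the sample inputs are copied from the lines quoted in this ticket.

```ruby
require 'yaml'

# Sample inputs: the log line from comment #4 and the settings file from the description.
SAMPLE_LOG = "I, [2016-02-26T12:32:26.276357 #6909]  INFO -- : 'dns_nsupdate_gss' settings were " \
             "initialized with default values: :dns_key: , :enabled: false"
SAMPLE_YAML = <<~YML
  ---
  :dns_server: foobar.com
  :dns_tsig_keytab: /usr/FOOBAR/foreman-proxy/dns.keytab
  :dns_tsig_principal: FOOBAR/host.example.com@EXAMPLE.COM
YML

DEFAULTS_RE = /'(?<plugin>[^']+)' settings were initialized with default values: (?<pairs>.*)\z/

# Returns { plugin => { "key" => "value" } } for every setting the log reports as defaulted.
def defaulted_settings(log_text)
  log_text.each_line.with_object({}) do |line, out|
    m = DEFAULTS_RE.match(line.chomp) or next
    # Pairs look like ":key: value, :key2: value2"; a value may be empty (":dns_key: ,").
    out[m[:plugin]] = m[:pairs].scan(/:(\w+): ([^,]*)/).to_h { |k, v| [k, v.strip] }
  end
end

# Keys set in the settings file. The ":key:" entries parse as Ruby symbols,
# so Symbol must be permitted for safe_load.
def configured_keys(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  data.keys.map(&:to_s)
end

# :loaded   - keys in the file that the log does NOT list as defaulted (file was read)
# :ignored  - keys in the file that the log still lists as defaulted (file was not applied)
# :defaults - everything the log line reported, for reference
def audit(log_text, yaml_text, plugin)
  defaulted = defaulted_settings(log_text).fetch(plugin, {})
  keys = configured_keys(yaml_text)
  { loaded: keys - defaulted.keys, ignored: keys & defaulted.keys, defaults: defaulted }
end

p audit(SAMPLE_LOG, SAMPLE_YAML, 'dns_nsupdate_gss') if __FILE__ == $PROGRAM_NAME
```

A key appearing under `:loaded` only shows that the settings file was read; as the next comment in this ticket shows, the provider can still act on a different value, so the `nsupdate: executed - server ...` debug line remains the authoritative check.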

Actions #5

Updated by Andreas Pfaffeneder about 8 years ago

Ok, there seems to be a problem which has gone away/was due to misconfiguration.

Still the proxy picks up the wrong host:

D, [2016-02-26T12:43:41.778374 #8227] DEBUG -- : accept: 192.168.0.8:53141
D, [2016-02-26T12:43:41.779937 #8227] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2016-02-26T12:43:41.821550 #8227] DEBUG -- : verifying remote client 192.168.0.8 against trusted_hosts ["katello3.zuhause-local.de", "katello3.zuhause-local.de"]
I, [2016-02-26T12:43:41.822807 #8227] INFO -- : Requesting credentials for Kerberos principal using keytab /etc/foreman-proxy/dns.keytab
D, [2016-02-26T12:43:43.994525 #8227] DEBUG -- : Kerberos credential cache initialised with principal:
D, [2016-02-26T12:43:43.994841 #8227] DEBUG -- : running /usr/bin/nsupdate -g
D, [2016-02-26T12:43:44.522560 #8227] DEBUG -- : nsupdate: executed - server localhost
D, [2016-02-26T12:43:44.523937 #8227] DEBUG -- : nsupdate: executed - update add 139.178.168.192.in-addr.arpa. 86400 IN PTR awefrweqr.zuhause-local.de
I, [2016-02-26T12:44:08.425166 #8227] INFO -- : 192.168.0.8 - - [26/Feb/2016 12:44:08] "POST /dns/ HTTP/1.1" 200 - 26.6048

It tries to update localhost although another dns-server is being configured:

:dns_server: ipa.zuhause-local.de

Actions #6

Updated by Dominic Cleal about 8 years ago

Can you try putting :dns_server into dns_update.yml too?

This might be fixed in Foreman 1.11.0-RC1 via #12209, which refactored the DNS providers and appears to correctly load the dns_server from the dns_nsupdate_gss settings when using that provider instead of dns_nsupdate (they share code).

Actions #7

Updated by Andreas Pfaffeneder about 8 years ago

Adding the server to dns_nsupdate.yml did the trick!

Actions #8

Updated by Dominic Cleal about 8 years ago

  • Status changed from Feedback to Resolved

Good to hear. The other setting that will be affected is dns_ttl, if you rely on it.

I'll mark this as resolved for now as I believe the fix is in 1.11, reopen if somebody wants to try backporting it to 1.10-stable.
