Bug #13915
closed
Foreman-Proxy does not honour configuration for nsupdate_gss
Added by Andreas Pfaffeneder almost 9 years ago.
Updated almost 9 years ago.
Description
CentOS 7 w/ and w/o SELinux:
Problem: Settings for nsupdate_gss not being taken from conf:
Steps to reproduce:
1.) Install the foreman-proxy
2.) enable http, dns, use dns_nsupdate_gss
3.) modify dns_nsupdate_gss.yml
4.) dns_nsupdate_gss still being initialized with default params:
I, [2016-02-26T12:04:50.234231 #4322] INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :dns_server: localhost, :dns_tsig_keytab: /usr/share/foreman-proxy/dns.keytab, :dns_tsig_principal: DNS/host.example.com@EXAMPLE.COM, :enabled: false
# grep -v ^# /etc/foreman-proxy/settings.d/dns_nsupdate_gss.yml
---
:dns_server: foobar.com
:dns_tsig_keytab: /usr/FOOBAR/foreman-proxy/dns.keytab
:dns_tsig_principal: FOOBAR/host.example.com@EXAMPLE.COM
# grep -v ^# /etc/foreman-proxy/settings.d/dns.yml
---
:enabled: true
:use_provider: dns_nsupdate_gss
:dns_ttl: 86400
- Description updated (diff)
Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.
Dominic Cleal wrote:
Could you also provide the main settings.yml please? Any more of the logs you can provide for the full startup might contain useful context too.
egrep -v '^#|^$' /etc/foreman-proxy/settings.yml
---
:settings_directory: /etc/foreman-proxy/settings.d
:daemon: true
:http_port: 8000
:virsh_network: default
:log_level: DEBUG
Log is attached.
- Status changed from New to Feedback
The attached log shows that it's probably configured correctly. It shows:
I, [2016-02-26T12:32:26.276357 #6909] INFO -- : 'dns_nsupdate_gss' settings were initialized with default values: :dns_key: , :enabled: false
The log's a bit odd, it only shows the settings that came from defaults, so this implies it's picked up dns_tsig etc correctly from your config. Could you check if it's working properly now please?
Ok, there seems to be a problem which has gone away/was due to misconfiguration.
Still the proxy picks up the wrong host:
D, [2016-02-26T12:43:41.778374 #8227] DEBUG -- : accept: 192.168.0.8:53141
D, [2016-02-26T12:43:41.779937 #8227] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2016-02-26T12:43:41.821550 #8227] DEBUG -- : verifying remote client 192.168.0.8 against trusted_hosts ["katello3.zuhause-local.de", "katello3.zuhause-local.de"]
I, [2016-02-26T12:43:41.822807 #8227] INFO -- : Requesting credentials for Kerberos principal DNS/katello3.zuhause-local.de@ZUHAUSE-LOCAL.DE using keytab /etc/foreman-proxy/dns.keytab
D, [2016-02-26T12:43:43.994525 #8227] DEBUG -- : Kerberos credential cache initialised with principal: DNS/katello3.zuhause-local.de@ZUHAUSE-LOCAL.DE
D, [2016-02-26T12:43:43.994841 #8227] DEBUG -- : running /usr/bin/nsupdate g
D, [2016-02-26T12:43:44.522560 #8227] DEBUG - : nsupdate: executed - server localhost
D, [2016-02-26T12:43:44.523937 #8227] DEBUG -- : nsupdate: executed - update add 139.178.168.192.in-addr.arpa. 86400 IN PTR awefrweqr.zuhause-local.de
I, [2016-02-26T12:44:08.425166 #8227] INFO -- : 192.168.0.8 - - [26/Feb/2016 12:44:08] "POST /dns/ HTTP/1.1" 200 - 26.6048
It tries to update localhost although another dns-server is being configured:
:dns_server: ipa.zuhause-local.de
Can you try putting :dns_server into dns_update.yml too?
This might be fixed in Foreman 1.11.0-RC1 via #12209, which refactored the DNS providers and appears to correctly load the dns_server from the dns_nsupdate_gss settings when using that provider instead of dns_nsupdate (they share code).
Adding the server to dns_nsupdate.yml did the trick!
- Status changed from Feedback to Resolved
Good to hear. The other setting that will be affected is dns_ttl, if you rely on it.
I'll mark this as resolved for now as I believe the fix is in 1.11, reopen if somebody wants to try backporting it to 1.10-stable.
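The symptom in this thread (nsupdate sent to localhost while :dns_server names another host) can be caught by comparing the proxy's DEBUG log with the settings files. The following is an added example, not code from Foreman or from this ticket; the function names are hypothetical and the sample input is constructed from the settings and log lines quoted above. It also checks :dns_ttl, the other setting named as affected.

```ruby
require 'yaml'

# Constructed sample input, modelled on the settings and DEBUG log lines in this thread.
SAMPLE_PROVIDER_YAML = "---\n:dns_server: ipa.zuhause-local.de\n"
SAMPLE_DNS_YAML = "---\n:enabled: true\n:use_provider: dns_nsupdate_gss\n:dns_ttl: 86400\n"
SAMPLE_LOG = <<~LOG
  D, [2016-02-26T12:43:44.522560 #8227] DEBUG -- : nsupdate: executed - server localhost
  D, [2016-02-26T12:43:44.523937 #8227] DEBUG -- : nsupdate: executed - update add 139.178.168.192.in-addr.arpa. 86400 IN PTR awefrweqr.zuhause-local.de
LOG

# Parse a settings file body; the proxy's files use symbol keys (:dns_server).
# A file containing only comments parses to nil, so fall back to an empty hash.
def load_settings(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# Servers that nsupdate was actually pointed at, according to the log.
def nsupdate_servers(log)
  log.scan(/nsupdate: executed - server (\S+)/).flatten.uniq
end

# TTLs that were actually sent in "update add" commands.
def nsupdate_ttls(log)
  log.scan(/nsupdate: executed - update add \S+ (\d+) IN /).flatten.map(&:to_i).uniq
end

# Hypothetical helper: list every place where the log disagrees with the settings.
def audit_dns_updates(provider_yaml, dns_yaml, log)
  findings = []
  server = load_settings(provider_yaml)[:dns_server]
  ttl = load_settings(dns_yaml)[:dns_ttl]
  findings << ':dns_server is not set in the provider settings' if server.nil?
  nsupdate_servers(log).each do |used|
    next if server.nil? || used.casecmp?(server.to_s)
    findings << "nsupdate used server #{used}, settings say #{server}"
  end
  nsupdate_ttls(log).each do |used|
    next if ttl.nil? || used == ttl.to_i
    findings << "nsupdate used TTL #{used}, settings say #{ttl}"
  end
  findings
end

puts audit_dns_updates(SAMPLE_PROVIDER_YAML, SAMPLE_DNS_YAML, SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

The log lines it matches only appear when :log_level is DEBUG, as in the settings.yml shown in this ticket.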