http://foreman/unattended/provision should match http://foreman/unattended/provision?spoof=xxx.xxx.xxx.xxx
I just spent the last day and a half trying to figure out what was wrong with a kickstart file for provisioning. In the end the spoof url gave me a working kickstart file, the http://foreman/unattended/provision url gave me the output: "Failed to clean any old certificates or add the autosign entry.
Terminating the build!"
I think it would be better if the two matched, spoof should show the same error.
Also, if possible if any of the smart proxies tasks fail when selecting building a host... That task should fail, but I would settle for the above two messages to match.
#1 Updated by Roger K about 9 years ago
I am experiencing this issue on latest "develop".
Accessing http://manage.example.com:3000/unattended/provision/?spoof=IP_ADDR results in the correct output.
Attempting to boot with "ks=http://manage.example.com:3000/unattended/provision/" results in a failure.
Using `tcpdump`, the following was captured:
..r....)Failed to clean any old certificates or add the autosign entry. Terminating the build!
SELinux is in permissive mode and I have set my file permissions extremely lax to debug.
drwxr-xr-x. 5 root root 4096 Mar 24 14:13 /etc/puppet/
-rwxrwxrwx. 1 foreman-proxy foreman 21 Mar 27 09:28 /etc/puppet/autosign.conf
Here is the smart-proxy object in Foreman:
manage.example.com http://manage.example.com:8443 TFTP, DHCP, Puppet CA, and Puppet
There is an entry for "test1.example.com" both via Foreman and via /etc/puppet/autosign.conf.
#3 Updated by Ohad Levy about 9 years ago
I'm not sure what we can do about this one; the main issue is that there are some operations (such as cert signing) that should happen only when the host is actually getting the KS.
Maybe one option would be to have a test function that checks permissions on the proxy or something like that, not 100% sure if we can cover all cases, but it might be a start.
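One way the proxy-side permission check suggested in the comment above could look, as an added example that is not part of the original thread and not Foreman or smart-proxy code. It assumes the proxy updates the autosign file in place; `ids_for`, `allowed?` and `check_autosign` are hypothetical names, and only classic mode bits are evaluated (no ACLs or SELinux).

```ruby
require 'etc'

# Added example, not Foreman or smart-proxy code. Assumption: the proxy
# updates the autosign file in place, so its service user needs write access
# to the file and search (x) access to the containing directory.

# Resolve uid and all gids for a service account, e.g. "foreman-proxy".
def ids_for(user)
  pw = Etc.getpwnam(user) # raises ArgumentError if the account is unknown
  gids = [pw.gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(user) }
  [pw.uid, gids.uniq]
end

# Classic owner/group/other evaluation of one permission bit (1=x, 2=w, 4=r).
def allowed?(stat, uid, gids, bit)
  return true if uid.zero?
  shift = if stat.uid == uid then 6
          elsif gids.include?(stat.gid) then 3
          else 0
          end
  (stat.mode >> shift) & bit != 0
end

# Returns { errors: [...], warnings: [...] }. Errors mean the proxy could not
# add the autosign entry; warnings flag permissions that are too lax.
def check_autosign(path, uid:, gids:)
  result = { errors: [], warnings: [] }
  dir = File.stat(File.dirname(path))
  unless allowed?(dir, uid, gids, 1)
    result[:errors] << "uid #{uid} cannot traverse #{File.dirname(path)}"
  end
  file = File.stat(path)
  result[:errors] << "#{path} is not a regular file" unless file.file?
  unless allowed?(file, uid, gids, 2)
    result[:errors] << "uid #{uid} cannot write #{path}"
  end
  if file.mode & 0o002 != 0
    result[:warnings] << "#{path} is world-writable: any local user can add autosign entries"
  end
  result
rescue Errno::ENOENT, Errno::EACCES => e
  result[:errors] << "cannot stat: #{e.message}"
  result
end
```

On the proxy host this would be called as `uid, gids = ids_for("foreman-proxy")` followed by `check_autosign("/etc/puppet/autosign.conf", uid: uid, gids: gids)`, using the account and path from the listing in comment #1.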
#4 Updated by Roger K about 9 years ago
Yes, a good start would just be to increase the visibility into this problem. I was watching syslog, audit.log, production.log (Foreman) and the foreman-proxy log and saw no indications that there was a problem. My current workaround just comments out the "render" on line 142 in app/controllers/unattended_controller.rb and manages autosigning by hand.
render(:text => "Failed to clean any old certificates or add the autosign entry. Terminating the build!") unless @host.handle_ca
#5 Updated by Trey 85Stang about 9 years ago
I think more visibility on the booting host could be managed by changing the message to perhaps a rescue boot? If your host keeps booting into rescue mode then some part of the provisioning task failed. I'm not a whiz with kickstart but perhaps a custom message can be inserted into the rescue boot somewhere.