Project

General

Profile

Bug #21856

foreman-proxy unable to add autosign entry

Added by Joost Polley about 3 years ago. Updated almost 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

When going into the Foreman GUI and adding an autosign entry in the smart-proxy view, the request fails.

Log of the foreman-proxy:

ERROR -- : Failed to enable autosign for *: No such file or directory @ rb_sysopen - /etc/puppet/autosign.conf

This install is an AIO install through foreman-installer, where the file is located in /etc/puppetlabs/puppet/autosign.conf.


Related issues

Related to Katello - Bug #22249: Handle autosign file with puppet 4Closed2018-01-11

History

#1 Updated by Dmitri Dolguikh about 3 years ago

  • Tracker changed from Bug to Support

The path to autosign.conf file can be updated via "autosignfile" setting in puppetca's module config file.

#2 Updated by Joost Polley about 3 years ago

Dmitri Dolguikh wrote:

The path to autosign.conf file can be updated via "autosignfile" setting in puppetca's module config file.

Hello Dmitri, not sure if I understand. The puppet-puppet module configures this directory for future use (https://github.com/theforeman/puppet-puppet/blob/8.0.4/manifests/params.pp#L129). Then the location of the autosign file is set here: https://github.com/theforeman/puppet-puppet/blob/8.0.4/manifests/params.pp#L172.

Why should I reconfigure this if it's decided for me in the puppet module (which is as far as I understand used by foreman-installer)?

#3 Updated by Dmitri Dolguikh about 3 years ago

  • Category deleted (PuppetCA)
  • Project changed from Smart Proxy to Installer
  • Tracker changed from Support to Bug

The initial description of the problem did not make it apparent that the issue is related to the installer and used smart-proxy as the project. I updated the project field to "installer".

Which version of puppet are you using?

#4 Updated by Joost Polley about 3 years ago

Apologies for the confusion.
  • Puppet 5.3.3
  • Foreman-proxy 1.16.0-1
  • Foreman-installer 1.16.0-1

#5 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

Was this a fresh install and on which OS is this? The puppet code should autodetect this, but on an upgrade it will remember the answers.

https://projects.theforeman.org/projects/foreman/wiki/Upgrading_from_Puppet_3_to_4#2-Upgrading-with-foreman-installer has a long list of all answers that we autodetect and are a good starting point to check.

#6 Updated by Joost Polley about 3 years ago

This was a fresh installation.

#7 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

And on which OS + version?

#8 Updated by Joost Polley about 3 years ago

I am using Debian 9.2

More info about the installed packages:

~$ apt-cache policy puppetserver
puppetserver:
Installed: 5.1.4-1stretch
Candidate: 5.1.4-1stretch

~$ apt-cache policy foreman-proxy # apologies about this one, still using rc2 but I'm not sure if upgrading will change much
foreman-proxy:
Installed: 1.16.0~rc2-1
Candidate: 1.16.0-1

My foreman-installer command:

foreman-installer
--no-enable-foreman
--no-enable-foreman-cli
--no-enable-foreman-plugin-setup
--enable-foreman-proxy
--enable-puppet
--foreman-proxy-trusted-hosts=foreman.example.com
--foreman-proxy-tftp=false
--foreman-proxy-dhcp=false
--foreman-proxy-dhcp-range="false"
--foreman-proxy-dns=false
--foreman-proxy-puppet=false
--foreman-proxy-foreman-base-url=https://foreman.example.com
--foreman-proxy-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem
--foreman-proxy-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem
--foreman-proxy-foreman-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
--foreman-proxy-foreman-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
--foreman-proxy-puppet-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem
--foreman-proxy-puppet-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem
--foreman-proxy-oauth-consumer-key=keymasked
--foreman-proxy-oauth-consumer-secret=secretmasked
--puppet-server-ca=true
--puppet-server-http=true
--puppet-server-http-port=8139
--puppet-server-certname=puppetca.example.com
--puppet-server-foreman-url=https://foreman.example.com
--puppet-client-certname=puppetca.example.com
--foreman-proxy-registered-name=puppetca.example.com
--puppet-server-additional-settings=ca_ttl:20y

#9 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

RC2 and final are the same installer wise. Just a version bump, no actual change.

Can you also share what's in /etc/foreman-installer/scenarios.d/foreman-answers.yaml? I wonder if the AIO detection went wrong somehow. Possibly you ran with system puppet installed, the installed puppetlabs versions but it still has the old paths.

#10 Updated by Joost Polley about 3 years ago

Sure. Keep in mind that I masked passwords & ip addresses. Here's what's in my file:

---
foreman: false
foreman::cli: false
foreman::cli::openscap: false
foreman_proxy:
  repo: stable
  gpgcheck: true
  custom_repo: false
  version: present
  ensure_packages_version: present
  plugin_version: installed
  bind_host:
  - "*" 
  http_port: 8000
  ssl_port: 8443
  dir: "/usr/share/foreman-proxy" 
  user: foreman-proxy
  groups: []
  log: "/var/log/foreman-proxy/proxy.log" 
  log_level: INFO
  log_buffer: 2000
  log_buffer_errors: 1000
  http: false
  ssl: true
  ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem" 
  ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem" 
  ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem" 
  foreman_ssl_ca:
  foreman_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem" 
  foreman_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem" 
  trusted_hosts:
  - foreman.example.com
  ssl_disabled_ciphers: []
  manage_sudoersd: true
  use_sudoersd: true
  use_sudoers: true
  puppetca: true
  puppetca_listen_on: https
  ssldir: "/etc/puppetlabs/puppet/ssl" 
  puppetdir: "/etc/puppetlabs/puppet" 
  puppetca_cmd: "/opt/puppetlabs/bin/puppet cert" 
  puppet_group: puppet
  autosignfile: "/etc/puppetlabs/puppet/autosign.conf" 
  use_autosignfile: false
  manage_puppet_group: true
  puppet: false
  puppet_listen_on: https
  puppetrun_cmd: "/opt/puppetlabs/bin/puppet kick" 
  puppetrun_provider:
  customrun_cmd: "/bin/false" 
  customrun_args: "-ay -f -s" 
  mcollective_user: root
  puppetssh_sudo: false
  puppetssh_command: "/opt/puppetlabs/bin/puppet agent --onetime --no-usecacheonfailure" 
  puppetssh_user: root
  puppetssh_keyfile: "/etc/foreman-proxy/id_rsa" 
  puppetssh_wait: false
  salt_puppetrun_cmd: puppet.run
  puppet_user: root
  puppet_url: https://puppetca.example.com:8140
  puppet_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem" 
  puppet_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem" 
  puppet_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem" 
  puppet_use_environment_api:
  puppet_api_timeout: 30
  templates: false
  templates_listen_on: both
  template_url: http://puppetca.example.com:8000
  logs: true
  logs_listen_on: https
  tftp: false
  tftp_listen_on: https
  tftp_managed: true
  tftp_manage_wget: true
  tftp_syslinux_filenames:
  - "/usr/lib/PXELINUX/pxelinux.0" 
  - "/usr/lib/syslinux/memdisk" 
  - "/usr/lib/syslinux/modules/bios/chain.c32" 
  - "/usr/lib/syslinux/modules/bios/ldlinux.c32" 
  - "/usr/lib/syslinux/modules/bios/libcom32.c32" 
  - "/usr/lib/syslinux/modules/bios/libutil.c32" 
  - "/usr/lib/syslinux/modules/bios/mboot.c32" 
  - "/usr/lib/syslinux/modules/bios/menu.c32" 
  tftp_root: "/srv/tftp" 
  tftp_dirs:
  - "/srv/tftp/pxelinux.cfg" 
  - "/srv/tftp/grub" 
  - "/srv/tftp/grub2" 
  - "/srv/tftp/boot" 
  - "/srv/tftp/ztp.cfg" 
  - "/srv/tftp/poap.cfg" 
  tftp_servername:
  tftp_replace_grub2_cfg: false
  dhcp: false
  dhcp_listen_on: https
  dhcp_managed: true
  dhcp_provider: isc
  dhcp_subnets: []
  dhcp_option_domain:
  - example.com
  dhcp_search_domains:
  dhcp_interface: eth0
  dhcp_gateway: 192.168.100.1
  dhcp_range: false
  dhcp_pxeserver:
  dhcp_nameservers: default
  dhcp_server: 127.0.0.1
  dhcp_config: "/etc/dhcp/dhcpd.conf" 
  dhcp_leases: "/var/lib/dhcp/dhcpd.leases" 
  dhcp_key_name:
  dhcp_key_secret:
  dhcp_omapi_port: 7911
  dhcp_peer_address:
  dhcp_node_type: standalone
  dhcp_failover_address: x.x.x.x
  dhcp_failover_port: 519
  dhcp_max_response_delay: 30
  dhcp_max_unacked_updates: 10
  dhcp_mclt: 300
  dhcp_load_split: 255
  dhcp_load_balance: 3
  dhcp_manage_acls: false
  dns: false
  dns_listen_on: https
  dns_managed: true
  dns_provider: nsupdate
  dns_interface: eth0
  dns_zone: example.com
  dns_reverse:
  dns_server: 127.0.0.1
  dns_ttl: 86400
  dns_tsig_keytab: "/etc/foreman-proxy/dns.keytab" 
  dns_tsig_principal: foremanproxy/puppetca.example.com@example.com
  dns_forwarders: []
  libvirt_network: default
  libvirt_connection: qemu:///system
  bmc: false
  bmc_listen_on: https
  bmc_default_provider: ipmitool
  realm: false
  realm_split_config_files: false
  realm_listen_on: https
  realm_provider: freeipa
  realm_keytab: "/etc/foreman-proxy/freeipa.keytab" 
  realm_principal: realm-proxy@EXAMPLE.COM
  freeipa_config: "/etc/ipa/default.conf" 
  freeipa_remove_dns: true
  keyfile: "/etc/bind/rndc.key" 
  register_in_foreman: true
  foreman_base_url: https://foreman.example.com
  registered_name: puppetca.example.com
  registered_proxy_url:
  oauth_effective_user: admin
  oauth_consumer_key: keymasked
  oauth_consumer_secret: secretmasked
  puppet_use_cache:
puppet:
  version: present
  user: puppet
  group: puppet
  dir: "/etc/puppetlabs/puppet" 
  codedir: "/etc/puppetlabs/code" 
  vardir: "/opt/puppetlabs/puppet/cache" 
  logdir: "/var/log/puppetlabs/puppet" 
  rundir: "/var/run/puppetlabs" 
  ssldir: "/etc/puppetlabs/puppet/ssl" 
  sharedir: "/opt/puppetlabs/puppet" 
  manage_packages: true
  dir_owner: root
  dir_group:
  package_provider:
  package_source:
  port: 8140
  listen: false
  listen_to: []
  pluginsync: true
  splay: false
  splaylimit: '1800'
  autosign: "/etc/puppetlabs/puppet/autosign.conf" 
  autosign_entries: []
  autosign_mode: '0664'
  autosign_content:
  autosign_source:
  runinterval: 1800
  usecacheonfailure: true
  runmode: service
  unavailable_runmodes: []
  cron_cmd:
  systemd_cmd:
  agent_noop: false
  show_diff: false
  module_repository:
  configtimeout:
  ca_server:
  ca_port:
  ca_crl_filepath:
  prerun_command:
  postrun_command:
  dns_alt_names: []
  use_srv_records: false
  srv_domain: example.com
  pluginsource: puppet:///plugins
  pluginfactsource: puppet:///pluginfacts
  additional_settings: {}
  agent_additional_settings: {}
  agent_restart_command: "/usr/sbin/service puppet reload" 
  classfile: "$statedir/classes.txt" 
  hiera_config: "$confdir/hiera.yaml" 
  main_template: puppet/puppet.conf.erb
  agent_template: puppet/agent/puppet.conf.erb
  auth_template: puppet/auth.conf.erb
  allow_any_crl_auth: false
  auth_allowed:
  - "$1" 
  client_package:
  - puppet-agent
  agent: true
  remove_lock: true
  client_certname: puppetca.example.com
  puppetmaster:
  systemd_unit_name: puppet-run
  service_name: puppet
  syslogfacility:
  environment: production
  server: true
  server_admin_api_whitelist:
  - localhost
  - puppetca.example.com
  server_user: puppet
  server_group: puppet
  server_dir: "/etc/puppetlabs/puppet" 
  server_ip: 0.0.0.0
  server_port: 8140
  server_ca: true
  server_ca_crl_sync: false
  server_crl_enable:
  server_ca_auth_required: true
  server_ca_client_whitelist:
  - localhost
  - puppetca.example.com
  server_http: true
  server_http_port: 8139
  server_http_allow: []
  server_reports: foreman
  server_implementation: puppetserver
  server_passenger: false
  server_puppetserver_dir: "/etc/puppetlabs/puppetserver" 
  server_puppetserver_vardir: "/opt/puppetlabs/server/data/puppetserver" 
  server_puppetserver_rundir: "/var/run/puppetlabs/puppetserver" 
  server_puppetserver_logdir: "/var/log/puppetlabs/puppetserver" 
  server_puppetserver_version: 5.1.0
  server_service_fallback: true
  server_passenger_min_instances: 1
  server_passenger_pre_start: true
  server_passenger_ruby:
  server_httpd_service: httpd
  server_external_nodes: "/etc/puppetlabs/puppet/node.rb" 
  server_template: puppet/server/puppet.conf.erb
  server_main_template: puppet/server/puppet.conf.main.erb
  server_cipher_suites:
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA
  server_config_version:
  server_connect_timeout: 120000
  server_git_repo: false
  server_dynamic_environments: false
  server_directory_environments: true
  server_default_manifest: false
  server_default_manifest_path: "/etc/puppet/manifests/default_manifest.pp" 
  server_default_manifest_content: ''
  server_environments:
  - development
  - production
  server_environments_owner: puppet
  server_environments_group:
  server_environments_mode: '0755'
  server_envs_dir: "/etc/puppetlabs/code/environments" 
  server_envs_target:
  server_common_modules_path:
  - "/etc/puppetlabs/code/environments/common" 
  - "/etc/puppetlabs/code/modules" 
  - "/opt/puppetlabs/puppet/modules" 
  server_git_repo_mode: '0755'
  server_git_repo_path: "/opt/puppetlabs/puppet/cache/puppet.git" 
  server_git_repo_group: puppet
  server_git_repo_user: puppet
  server_git_branch_map: {}
  server_idle_timeout: 1200000
  server_post_hook_content: puppet/server/post-receive.erb
  server_post_hook_name: post-receive
  server_storeconfigs_backend:
  server_app_root: "/etc/puppetlabs/puppet/rack" 
  server_ruby_load_paths:
  - "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby" 
  server_ssl_dir: "/etc/puppetlabs/puppet/ssl" 
  server_ssl_dir_manage: true
  server_ssl_key_manage: true
  server_ssl_protocols:
  - TLSv1.2
  server_ssl_chain_filepath: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem" 
  server_package:
  server_version:
  server_certname: puppetca.example.com
  server_enc_api: v2
  server_report_api: v2
  server_request_timeout: 60
  server_ca_proxy:
  server_strict_variables: false
  server_additional_settings:
    ca_ttl: 20y
  server_rack_arguments: []
  server_foreman: true
  server_foreman_url: https://foreman.example.com
  server_foreman_ssl_ca:
  server_foreman_ssl_cert:
  server_foreman_ssl_key:
  server_foreman_facts: true
  server_puppet_basedir: "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet" 
  server_puppetdb_host:
  server_puppetdb_port: 8081
  server_puppetdb_swf: false
  server_parser: current
  server_environment_timeout:
  server_jvm_java_bin: "/usr/bin/java" 
  server_jvm_config: "/etc/default/puppetserver" 
  server_jvm_min_heap_size: 1G
  server_jvm_max_heap_size: 1G
  server_jvm_extra_args: "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger" 
  server_jruby_gem_home: "/opt/puppetlabs/server/data/puppetserver/jruby-gems" 
  server_max_active_instances: 1
  server_max_requests_per_instance: 0
  server_use_legacy_auth_conf: false
  server_check_for_updates: true
  server_environment_class_cache_enabled: false
  server_allow_header_cert_info: false
  server_web_idle_timeout: 30000
  server_puppetserver_jruby9k: false
  server_puppetserver_metrics: true
  server_puppetserver_experimental: true
foreman::plugin::ansible: false
foreman::plugin::azure: false
foreman::plugin::bootdisk: false
foreman::plugin::chef: false
foreman::plugin::cockpit: false
foreman::plugin::default_hostgroup: false
foreman::plugin::dhcp_browser: false
foreman::plugin::digitalocean: false
foreman::plugin::discovery: false
foreman::plugin::docker: false
foreman::plugin::expire_hosts: false
foreman::plugin::hooks: false
foreman::plugin::host_extra_validator: false
foreman::plugin::memcache: false
foreman::plugin::monitoring: false
foreman::plugin::omaha: false
foreman::plugin::openscap: false
foreman::plugin::ovirt_provision: false
foreman::plugin::puppetdb: false
foreman::plugin::remote_execution: false
foreman::plugin::salt: false
foreman::plugin::setup: false
foreman::plugin::tasks: false
foreman::plugin::templates: false
foreman::compute::ec2: false
foreman::compute::gce: false
foreman::compute::libvirt: false
foreman::compute::openstack: false
foreman::compute::ovirt: false
foreman::compute::rackspace: false
foreman::compute::vmware: false
foreman_proxy::plugin::abrt: false
foreman_proxy::plugin::ansible: false
foreman_proxy::plugin::chef: false
foreman_proxy::plugin::dhcp::infoblox: false
foreman_proxy::plugin::dhcp::remote_isc: false
foreman_proxy::plugin::discovery: false
foreman_proxy::plugin::dns::infoblox: false
foreman_proxy::plugin::dns::powerdns: false
foreman_proxy::plugin::dynflow: false
foreman_proxy::plugin::monitoring: false
foreman_proxy::plugin::omaha: false
foreman_proxy::plugin::openscap: false
foreman_proxy::plugin::pulp: false
foreman_proxy::plugin::remote_execution::ssh: false
foreman_proxy::plugin::salt: false

#11 Updated by Evgeni Golov about 3 years ago

So I can reproduce this on my 1.16 (with Katello 3.5, but that should not matter). Happens on both the master and the standalone proxy. This is with forklift and using the katello 3.5 pipeline playbook.

/etc/foreman-installer/scenarios.d/katello-answers.yaml (and /etc/foreman-installer/scenarios.d/foreman-proxy-content-answers.yaml) does contain
foreman_proxy:
  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: false

and this results in

# cat /etc/foreman-proxy/settings.d/puppetca.yml 
---
# PuppetCA management
:enabled: https
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet

and the smart proxy then uses /etc/puppet/autosign.conf: https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_plugin.rb#L6

#12 Updated by Evgeni Golov about 3 years ago

using forklift and centos7-foreman-1-16, I correctly get:

  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: true

#13 Updated by Evgeni Golov about 3 years ago

this should be fixed in https://github.com/theforeman/foreman-installer/commit/6f69a881b5296cf12627adfbd3e03933953a28fc, and that migration should have run on both of my installs...

#14 Updated by Evgeni Golov about 3 years ago

and vagrant up centos7-katello-3.5

produces

  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: false

and

[root@centos7-katello-3-5 ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml 
---
# PuppetCA management
:enabled: https
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet

#15 Updated by Evgeni Golov about 3 years ago

so it seems the foreman migrations are not executed in the katello scenario → boom

#16 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

@Joost: I can't explain why it would fail in your vanilla foreman install. In the vanilla foreman we should have a migration to enable it.

#17 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

  • Related to Bug #22249: Handle autosign file with puppet 4 added

#18 Updated by Joost Polley about 3 years ago

Ewoud Kohl van Wijngaarden wrote:

@Joost: I can't explain why it would fail in your vanilla foreman install. In the vanilla foreman we should have a migration to enable it.

Ewoud: what would be the best solution for me to make this work then?
I could use the '--puppet-autosign-entries' foreman-installer setting but that's not through the foreman-proxy.
Would setting '--puppet-autosign-source' be a better solution?

#19 Updated by Ewoud Kohl van Wijngaarden about 3 years ago

Now that I've looked further into it I can see where it's going wrong. You have --foreman-proxy-use-autosignfile set to false. That's why it's ignoring the (correct) autosignfile. Try rerunning it with --foreman-proxy-use-autosignfile true and see if it works then.

#20 Updated by Joost Polley about 3 years ago

Ewoud: I can confirm that suggestion fixes the problem. Thanks!

#21 Updated by Anonymous almost 3 years ago

what's the status here?

#22 Updated by Anonymous almost 3 years ago

is this a dupliate of #22249?

#23 Updated by Ewoud Kohl van Wijngaarden almost 2 years ago

  • Status changed from New to Rejected

In the current versions we have dropped the autosign parameter so this should no longer happen.

Also available in: Atom PDF