Bug #21856
Closed: foreman-proxy unable to add autosign entry
Added by Joost Polley about 7 years ago. Updated almost 6 years ago.
Description
When going into the Foreman GUI and adding an autosign entry in the smart-proxy view, the request fails.
Log of the foreman-proxy:
ERROR -- : Failed to enable autosign for *: No such file or directory @ rb_sysopen - /etc/puppet/autosign.conf
This install is an AIO install through foreman-installer, where the file is located in /etc/puppetlabs/puppet/autosign.conf.
Updated by Anonymous about 7 years ago
- Tracker changed from Bug to Support
The path to autosign.conf file can be updated via "autosignfile" setting in puppetca's module config file.
Updated by Joost Polley about 7 years ago
Dmitri Dolguikh wrote:
The path to autosign.conf file can be updated via "autosignfile" setting in puppetca's module config file.
Hello Dmitri, not sure if I understand. The puppet-puppet module configures this directory for future use (https://github.com/theforeman/puppet-puppet/blob/8.0.4/manifests/params.pp#L129). Then the location of the autosign file is set here: https://github.com/theforeman/puppet-puppet/blob/8.0.4/manifests/params.pp#L172.
Why should I reconfigure this if it's decided for me in the puppet module (which is as far as I understand used by foreman-installer)?
Updated by Anonymous about 7 years ago
- Tracker changed from Support to Bug
- Project changed from Smart Proxy to Installer
- Category deleted (PuppetCA)
The initial description of the problem did not make it apparent that the issue is related to the installer and used smart-proxy as the project. I updated the project field to "installer".
Which version of puppet are you using?
Updated by Joost Polley about 7 years ago
- Puppet 5.3.3
- Foreman-proxy 1.16.0-1
- Foreman-installer 1.16.0-1
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
Was this a fresh install and on which OS is this? The puppet code should autodetect this, but on an upgrade it will remember the answers.
https://projects.theforeman.org/projects/foreman/wiki/Upgrading_from_Puppet_3_to_4#2-Upgrading-with-foreman-installer has a long list of all answers that we autodetect and are a good starting point to check.
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
And on which OS + version?
Updated by Joost Polley about 7 years ago
I am using Debian 9.2
More info about the installed packages:
~$ apt-cache policy puppetserver
puppetserver:
Installed: 5.1.4-1stretch
Candidate: 5.1.4-1stretch
~$ apt-cache policy foreman-proxy # apologies about this one, still using rc2 but I'm not sure if upgrading will change much
foreman-proxy:
Installed: 1.16.0~rc2-1
Candidate: 1.16.0-1
My foreman-installer command:
foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --no-enable-foreman-plugin-setup \
  --enable-foreman-proxy \
  --enable-puppet \
  --foreman-proxy-trusted-hosts=foreman.example.com \
  --foreman-proxy-tftp=false \
  --foreman-proxy-dhcp=false \
  --foreman-proxy-dhcp-range="false" \
  --foreman-proxy-dns=false \
  --foreman-proxy-puppet=false \
  --foreman-proxy-foreman-base-url=https://foreman.example.com \
  --foreman-proxy-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem \
  --foreman-proxy-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem \
  --foreman-proxy-foreman-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem \
  --foreman-proxy-foreman-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem \
  --foreman-proxy-puppet-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem \
  --foreman-proxy-puppet-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem \
  --foreman-proxy-oauth-consumer-key=keymasked \
  --foreman-proxy-oauth-consumer-secret=secretmasked \
  --puppet-server-ca=true \
  --puppet-server-http=true \
  --puppet-server-http-port=8139 \
  --puppet-server-certname=puppetca.example.com \
  --puppet-server-foreman-url=https://foreman.example.com \
  --puppet-client-certname=puppetca.example.com \
  --foreman-proxy-registered-name=puppetca.example.com \
  --puppet-server-additional-settings=ca_ttl:20y
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
RC2 and final are the same installer wise. Just a version bump, no actual change.
Can you also share what's in /etc/foreman-installer/scenarios.d/foreman-answers.yaml? I wonder if the AIO detection went wrong somehow. Possibly you ran with system puppet installed, the installed puppetlabs versions but it still has the old paths.
Updated by Joost Polley about 7 years ago
Sure. Keep in mind that I masked passwords & ip addresses. Here's what's in my file:
---
foreman: false
foreman::cli: false
foreman::cli::openscap: false
foreman_proxy:
  repo: stable
  gpgcheck: true
  custom_repo: false
  version: present
  ensure_packages_version: present
  plugin_version: installed
  bind_host:
  - "*"
  http_port: 8000
  ssl_port: 8443
  dir: "/usr/share/foreman-proxy"
  user: foreman-proxy
  groups: []
  log: "/var/log/foreman-proxy/proxy.log"
  log_level: INFO
  log_buffer: 2000
  log_buffer_errors: 1000
  http: false
  ssl: true
  ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem"
  ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem"
  foreman_ssl_ca:
  foreman_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem"
  foreman_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem"
  trusted_hosts:
  - foreman.example.com
  ssl_disabled_ciphers: []
  manage_sudoersd: true
  use_sudoersd: true
  use_sudoers: true
  puppetca: true
  puppetca_listen_on: https
  ssldir: "/etc/puppetlabs/puppet/ssl"
  puppetdir: "/etc/puppetlabs/puppet"
  puppetca_cmd: "/opt/puppetlabs/bin/puppet cert"
  puppet_group: puppet
  autosignfile: "/etc/puppetlabs/puppet/autosign.conf"
  use_autosignfile: false
  manage_puppet_group: true
  puppet: false
  puppet_listen_on: https
  puppetrun_cmd: "/opt/puppetlabs/bin/puppet kick"
  puppetrun_provider:
  customrun_cmd: "/bin/false"
  customrun_args: "-ay -f -s"
  mcollective_user: root
  puppetssh_sudo: false
  puppetssh_command: "/opt/puppetlabs/bin/puppet agent --onetime --no-usecacheonfailure"
  puppetssh_user: root
  puppetssh_keyfile: "/etc/foreman-proxy/id_rsa"
  puppetssh_wait: false
  salt_puppetrun_cmd: puppet.run
  puppet_user: root
  puppet_url: https://puppetca.example.com:8140
  puppet_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  puppet_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppetca.example.com.pem"
  puppet_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/puppetca.example.com.pem"
  puppet_use_environment_api:
  puppet_api_timeout: 30
  templates: false
  templates_listen_on: both
  template_url: http://puppetca.example.com:8000
  logs: true
  logs_listen_on: https
  tftp: false
  tftp_listen_on: https
  tftp_managed: true
  tftp_manage_wget: true
  tftp_syslinux_filenames:
  - "/usr/lib/PXELINUX/pxelinux.0"
  - "/usr/lib/syslinux/memdisk"
  - "/usr/lib/syslinux/modules/bios/chain.c32"
  - "/usr/lib/syslinux/modules/bios/ldlinux.c32"
  - "/usr/lib/syslinux/modules/bios/libcom32.c32"
  - "/usr/lib/syslinux/modules/bios/libutil.c32"
  - "/usr/lib/syslinux/modules/bios/mboot.c32"
  - "/usr/lib/syslinux/modules/bios/menu.c32"
  tftp_root: "/srv/tftp"
  tftp_dirs:
  - "/srv/tftp/pxelinux.cfg"
  - "/srv/tftp/grub"
  - "/srv/tftp/grub2"
  - "/srv/tftp/boot"
  - "/srv/tftp/ztp.cfg"
  - "/srv/tftp/poap.cfg"
  tftp_servername:
  tftp_replace_grub2_cfg: false
  dhcp: false
  dhcp_listen_on: https
  dhcp_managed: true
  dhcp_provider: isc
  dhcp_subnets: []
  dhcp_option_domain:
  - example.com
  dhcp_search_domains:
  dhcp_interface: eth0
  dhcp_gateway: 192.168.100.1
  dhcp_range: false
  dhcp_pxeserver:
  dhcp_nameservers: default
  dhcp_server: 127.0.0.1
  dhcp_config: "/etc/dhcp/dhcpd.conf"
  dhcp_leases: "/var/lib/dhcp/dhcpd.leases"
  dhcp_key_name:
  dhcp_key_secret:
  dhcp_omapi_port: 7911
  dhcp_peer_address:
  dhcp_node_type: standalone
  dhcp_failover_address: x.x.x.x
  dhcp_failover_port: 519
  dhcp_max_response_delay: 30
  dhcp_max_unacked_updates: 10
  dhcp_mclt: 300
  dhcp_load_split: 255
  dhcp_load_balance: 3
  dhcp_manage_acls: false
  dns: false
  dns_listen_on: https
  dns_managed: true
  dns_provider: nsupdate
  dns_interface: eth0
  dns_zone: example.com
  dns_reverse:
  dns_server: 127.0.0.1
  dns_ttl: 86400
  dns_tsig_keytab: "/etc/foreman-proxy/dns.keytab"
  dns_tsig_principal: foremanproxy/puppetca.example.com@example.com
  dns_forwarders: []
  libvirt_network: default
  libvirt_connection: qemu:///system
  bmc: false
  bmc_listen_on: https
  bmc_default_provider: ipmitool
  realm: false
  realm_split_config_files: false
  realm_listen_on: https
  realm_provider: freeipa
  realm_keytab: "/etc/foreman-proxy/freeipa.keytab"
  realm_principal: realm-proxy@EXAMPLE.COM
  freeipa_config: "/etc/ipa/default.conf"
  freeipa_remove_dns: true
  keyfile: "/etc/bind/rndc.key"
  register_in_foreman: true
  foreman_base_url: https://foreman.example.com
  registered_name: puppetca.example.com
  registered_proxy_url:
  oauth_effective_user: admin
  oauth_consumer_key: keymasked
  oauth_consumer_secret: secretmasked
  puppet_use_cache:
puppet:
  version: present
  user: puppet
  group: puppet
  dir: "/etc/puppetlabs/puppet"
  codedir: "/etc/puppetlabs/code"
  vardir: "/opt/puppetlabs/puppet/cache"
  logdir: "/var/log/puppetlabs/puppet"
  rundir: "/var/run/puppetlabs"
  ssldir: "/etc/puppetlabs/puppet/ssl"
  sharedir: "/opt/puppetlabs/puppet"
  manage_packages: true
  dir_owner: root
  dir_group:
  package_provider:
  package_source:
  port: 8140
  listen: false
  listen_to: []
  pluginsync: true
  splay: false
  splaylimit: '1800'
  autosign: "/etc/puppetlabs/puppet/autosign.conf"
  autosign_entries: []
  autosign_mode: '0664'
  autosign_content:
  autosign_source:
  runinterval: 1800
  usecacheonfailure: true
  runmode: service
  unavailable_runmodes: []
  cron_cmd:
  systemd_cmd:
  agent_noop: false
  show_diff: false
  module_repository:
  configtimeout:
  ca_server:
  ca_port:
  ca_crl_filepath:
  prerun_command:
  postrun_command:
  dns_alt_names: []
  use_srv_records: false
  srv_domain: example.com
  pluginsource: puppet:///plugins
  pluginfactsource: puppet:///pluginfacts
  additional_settings: {}
  agent_additional_settings: {}
  agent_restart_command: "/usr/sbin/service puppet reload"
  classfile: "$statedir/classes.txt"
  hiera_config: "$confdir/hiera.yaml"
  main_template: puppet/puppet.conf.erb
  agent_template: puppet/agent/puppet.conf.erb
  auth_template: puppet/auth.conf.erb
  allow_any_crl_auth: false
  auth_allowed:
  - "$1"
  client_package:
  - puppet-agent
  agent: true
  remove_lock: true
  client_certname: puppetca.example.com
  puppetmaster:
  systemd_unit_name: puppet-run
  service_name: puppet
  syslogfacility:
  environment: production
  server: true
  server_admin_api_whitelist:
  - localhost
  - puppetca.example.com
  server_user: puppet
  server_group: puppet
  server_dir: "/etc/puppetlabs/puppet"
  server_ip: 0.0.0.0
  server_port: 8140
  server_ca: true
  server_ca_crl_sync: false
  server_crl_enable:
  server_ca_auth_required: true
  server_ca_client_whitelist:
  - localhost
  - puppetca.example.com
  server_http: true
  server_http_port: 8139
  server_http_allow: []
  server_reports: foreman
  server_implementation: puppetserver
  server_passenger: false
  server_puppetserver_dir: "/etc/puppetlabs/puppetserver"
  server_puppetserver_vardir: "/opt/puppetlabs/server/data/puppetserver"
  server_puppetserver_rundir: "/var/run/puppetlabs/puppetserver"
  server_puppetserver_logdir: "/var/log/puppetlabs/puppetserver"
  server_puppetserver_version: 5.1.0
  server_service_fallback: true
  server_passenger_min_instances: 1
  server_passenger_pre_start: true
  server_passenger_ruby:
  server_httpd_service: httpd
  server_external_nodes: "/etc/puppetlabs/puppet/node.rb"
  server_template: puppet/server/puppet.conf.erb
  server_main_template: puppet/server/puppet.conf.main.erb
  server_cipher_suites:
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA
  server_config_version:
  server_connect_timeout: 120000
  server_git_repo: false
  server_dynamic_environments: false
  server_directory_environments: true
  server_default_manifest: false
  server_default_manifest_path: "/etc/puppet/manifests/default_manifest.pp"
  server_default_manifest_content: ''
  server_environments:
  - development
  - production
  server_environments_owner: puppet
  server_environments_group:
  server_environments_mode: '0755'
  server_envs_dir: "/etc/puppetlabs/code/environments"
  server_envs_target:
  server_common_modules_path:
  - "/etc/puppetlabs/code/environments/common"
  - "/etc/puppetlabs/code/modules"
  - "/opt/puppetlabs/puppet/modules"
  server_git_repo_mode: '0755'
  server_git_repo_path: "/opt/puppetlabs/puppet/cache/puppet.git"
  server_git_repo_group: puppet
  server_git_repo_user: puppet
  server_git_branch_map: {}
  server_idle_timeout: 1200000
  server_post_hook_content: puppet/server/post-receive.erb
  server_post_hook_name: post-receive
  server_storeconfigs_backend:
  server_app_root: "/etc/puppetlabs/puppet/rack"
  server_ruby_load_paths:
  - "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby"
  server_ssl_dir: "/etc/puppetlabs/puppet/ssl"
  server_ssl_dir_manage: true
  server_ssl_key_manage: true
  server_ssl_protocols:
  - TLSv1.2
  server_ssl_chain_filepath: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
  server_package:
  server_version:
  server_certname: puppetca.example.com
  server_enc_api: v2
  server_report_api: v2
  server_request_timeout: 60
  server_ca_proxy:
  server_strict_variables: false
  server_additional_settings:
    ca_ttl: 20y
  server_rack_arguments: []
  server_foreman: true
  server_foreman_url: https://foreman.example.com
  server_foreman_ssl_ca:
  server_foreman_ssl_cert:
  server_foreman_ssl_key:
  server_foreman_facts: true
  server_puppet_basedir: "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet"
  server_puppetdb_host:
  server_puppetdb_port: 8081
  server_puppetdb_swf: false
  server_parser: current
  server_environment_timeout:
  server_jvm_java_bin: "/usr/bin/java"
  server_jvm_config: "/etc/default/puppetserver"
  server_jvm_min_heap_size: 1G
  server_jvm_max_heap_size: 1G
  server_jvm_extra_args: "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
  server_jruby_gem_home: "/opt/puppetlabs/server/data/puppetserver/jruby-gems"
  server_max_active_instances: 1
  server_max_requests_per_instance: 0
  server_use_legacy_auth_conf: false
  server_check_for_updates: true
  server_environment_class_cache_enabled: false
  server_allow_header_cert_info: false
  server_web_idle_timeout: 30000
  server_puppetserver_jruby9k: false
  server_puppetserver_metrics: true
  server_puppetserver_experimental: true
foreman::plugin::ansible: false
foreman::plugin::azure: false
foreman::plugin::bootdisk: false
foreman::plugin::chef: false
foreman::plugin::cockpit: false
foreman::plugin::default_hostgroup: false
foreman::plugin::dhcp_browser: false
foreman::plugin::digitalocean: false
foreman::plugin::discovery: false
foreman::plugin::docker: false
foreman::plugin::expire_hosts: false
foreman::plugin::hooks: false
foreman::plugin::host_extra_validator: false
foreman::plugin::memcache: false
foreman::plugin::monitoring: false
foreman::plugin::omaha: false
foreman::plugin::openscap: false
foreman::plugin::ovirt_provision: false
foreman::plugin::puppetdb: false
foreman::plugin::remote_execution: false
foreman::plugin::salt: false
foreman::plugin::setup: false
foreman::plugin::tasks: false
foreman::plugin::templates: false
foreman::compute::ec2: false
foreman::compute::gce: false
foreman::compute::libvirt: false
foreman::compute::openstack: false
foreman::compute::ovirt: false
foreman::compute::rackspace: false
foreman::compute::vmware: false
foreman_proxy::plugin::abrt: false
foreman_proxy::plugin::ansible: false
foreman_proxy::plugin::chef: false
foreman_proxy::plugin::dhcp::infoblox: false
foreman_proxy::plugin::dhcp::remote_isc: false
foreman_proxy::plugin::discovery: false
foreman_proxy::plugin::dns::infoblox: false
foreman_proxy::plugin::dns::powerdns: false
foreman_proxy::plugin::dynflow: false
foreman_proxy::plugin::monitoring: false
foreman_proxy::plugin::omaha: false
foreman_proxy::plugin::openscap: false
foreman_proxy::plugin::pulp: false
foreman_proxy::plugin::remote_execution::ssh: false
foreman_proxy::plugin::salt: false
Updated by Evgeni Golov about 7 years ago
So I can reproduce this on my 1.16 (with Katello 3.5, but that should not matter). Happens on both the master and the standalone proxy. This is with forklift and using the katello 3.5 pipeline playbook.
/etc/foreman-installer/scenarios.d/katello-answers.yaml (and /etc/foreman-installer/scenarios.d/foreman-proxy-content-answers.yaml) does contain
foreman_proxy:
  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: false
and this results in
# cat /etc/foreman-proxy/settings.d/puppetca.yml
---
# PuppetCA management
:enabled: https
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet
and the smart proxy then uses /etc/puppet/autosign.conf: https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_plugin.rb#L6
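The mechanism Evgeni describes, modelled as an added example (this is not smart-proxy's or foreman-installer's code): the puppetca module reads settings.d/puppetca.yml, and when the `:autosignfile:` key is absent it falls back to a hard-coded default from the Puppet 3 layout, which on an AIO install does not exist, so appending an entry fails with exactly the ENOENT seen in the proxy log. The two YAML documents are constructed copies of the broken file shown above and of what the installer writes once the autosignfile setting is emitted; the fallback constant, the result-hash shape and the `overly_broad?` check are assumptions made for this demonstration. The broad-entry check goes beyond the page: it flags a bare `*` (the entry in the reported log line), because an autosign pattern with no literal label signs every CSR that reaches the CA.

```ruby
#!/usr/bin/env ruby
# Added example, not smart-proxy's or the installer's own code. Models how the
# puppetca module picks its autosign file and why a missing :autosignfile: key
# produces the ENOENT in the bug report. The fallback path and the result-hash
# shape are assumptions made for this demonstration.
require 'yaml'
require 'tmpdir'

# Legacy (Puppet 3 layout) path assumed to be used when the setting is absent.
LEGACY_AUTOSIGN = '/etc/puppet/autosign.conf'.freeze

# Constructed: puppetca.yml as generated with use_autosignfile: false
BROKEN_PUPPETCA_YML = <<~YAML
  ---
  # PuppetCA management
  :enabled: https
  :ssldir: /etc/puppetlabs/puppet/ssl
  :puppetdir: /etc/puppetlabs/puppet
YAML

# Constructed: the same file once the installer also writes the autosignfile key
FIXED_PUPPETCA_YML = <<~YAML
  ---
  # PuppetCA management
  :enabled: https
  :ssldir: /etc/puppetlabs/puppet/ssl
  :puppetdir: /etc/puppetlabs/puppet
  :autosignfile: /etc/puppetlabs/puppet/autosign.conf
YAML

# Resolve the effective autosign path: configured value, else the legacy default.
# smart-proxy settings files use symbol keys, so Symbol must be permitted.
def effective_autosign_file(yaml_text)
  settings = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  settings[:autosignfile] || LEGACY_AUTOSIGN
end

# A bare "*" (the entry in the reported log line), or any pattern with no literal
# label at all, autosigns every CSR that reaches the CA. Flag such entries so an
# operator confirms that is really intended. (Assumed check, not in the project.)
def overly_broad?(entry)
  entry.to_s.strip.delete('*.').empty?
end

# Append an entry to the autosign file. Returns a hash instead of raising, so a
# caller can tell "parent directory does not exist" (this bug) from success.
def add_autosign_entry(autosign_path, entry)
  entry = entry.to_s.strip
  return { ok: false, reason: 'empty entry' } if entry.empty?

  File.open(autosign_path, 'a') { |f| f.puts(entry) }
  { ok: true, path: autosign_path, broad: overly_broad?(entry) }
rescue Errno::ENOENT => e
  # e.message reads "No such file or directory @ rb_sysopen - <path>", as in the proxy log
  { ok: false, reason: e.message }
end

if $PROGRAM_NAME == __FILE__
  puts "broken config resolves to: #{effective_autosign_file(BROKEN_PUPPETCA_YML)}"
  puts "fixed config resolves to:  #{effective_autosign_file(FIXED_PUPPETCA_YML)}"
  Dir.mktmpdir do |dir|
    missing = File.join(dir, 'puppet', 'autosign.conf') # parent dir absent, like /etc/puppet on AIO
    present = File.join(dir, 'autosign.conf')
    p add_autosign_entry(missing, 'node1.example.com')
    p add_autosign_entry(present, '*')
  end
end
```

Running the script prints the legacy path for the broken file and the /etc/puppetlabs path for the fixed one, then shows the ENOENT result for the missing directory followed by a successful append that is flagged as broad. The practical check on a real proxy is the same as the first function: confirm `:autosignfile:` is present in settings.d/puppetca.yml before trusting the GUI's autosign view.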
Updated by Evgeni Golov about 7 years ago
using forklift and centos7-foreman-1-16, I correctly get:
  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: true
Updated by Evgeni Golov about 7 years ago
this should be fixed in https://github.com/theforeman/foreman-installer/commit/6f69a881b5296cf12627adfbd3e03933953a28fc, and that migration should have run on both of my installs...
Updated by Evgeni Golov about 7 years ago
and vagrant up centos7-katello-3.5 produces
  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  use_autosignfile: false
and
[root@centos7-katello-3-5 ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml
---
# PuppetCA management
:enabled: https
:ssldir: /etc/puppetlabs/puppet/ssl
:puppetdir: /etc/puppetlabs/puppet
Updated by Evgeni Golov about 7 years ago
so it seems the foreman migrations are not executed in the katello scenario → boom
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
@Joost: I can't explain why it would fail in your vanilla foreman install. In the vanilla foreman we should have a migration to enable it.
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
- Related to Bug #22249: Handle autosign file with puppet 4 added
Updated by Joost Polley about 7 years ago
Ewoud Kohl van Wijngaarden wrote:
@Joost: I can't explain why it would fail in your vanilla foreman install. In the vanilla foreman we should have a migration to enable it.
Ewoud: what would be the best solution for me to make this work then?
I could use the '--puppet-autosign-entries' foreman-installer setting but that's not through the foreman-proxy.
Would setting '--puppet-autosign-source' be a better solution?
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
Now that I've looked further into it I can see where it's going wrong. You have --foreman-proxy-use-autosignfile set to false. That's why it's ignoring the (correct) autosignfile. Try rerunning it with --foreman-proxy-use-autosignfile true and see if it works then.
Updated by Joost Polley about 7 years ago
Ewoud: I can confirm that suggestion fixes the problem. Thanks!
Updated by Ewoud Kohl van Wijngaarden almost 6 years ago
- Status changed from New to Rejected
In the current versions we have dropped the autosign parameter so this should no longer happen.