Bug #29649

The system does not seem to be IPA-enrolled

Added by Han Boetes 5 months ago. Updated 29 days ago.

Status: New
Priority: Low
Category: Foreman modules
Target version:

Description

Running the installer after the upgrade like I always do:

env TMP= TMPDIR= foreman-installer \
    -v \
    --foreman-proxy-log-level=DEBUG \
    --enable-foreman-plugin-remote-execution \
    --enable-foreman-proxy-plugin-remote-execution-ssh \
    --enable-foreman-plugin-dhcp-browser \
    --enable-foreman-plugin-remote-execution \
    --enable-foreman-proxy-plugin-remote-execution-ssh \
    --foreman-ipa-authentication=true \
    --foreman-pam-service=foreman \
    --foreman-http-keytab=/etc/http.keytab \
    --no-enable-foreman-cli-ansible \
    --no-enable-foreman-plugin-ansible \
    --no-enable-foreman-proxy-plugin-ansible

After the upgrade to 2.0 I get

Evaluation Error: Error while evaluating a Function Call, theforeman: The system does not seem to be IPA-enrolled (file: /usr/share/foreman-installer/modules/foreman/manifests/config.pp, line: 101, column: 9) on node

Which reads:

unless 'ipa' in $facts and 'default_server' in $facts['ipa'] and 'default_realm' in $facts['ipa'] {

So it tests the output of facter ipa. If I do that manually I get no output. Digging a bit further, this is the code in question: /etc/puppetlabs/code/modules/ipaclient/lib/facter/ipa_facts.rb

The important part would be:

if File.exist?('/etc/sssd/sssd.conf') && sssd = File.readlines('/etc/sssd/sssd.conf')
  sssd.each do |line|
    case line
      when /^ipa_domain/
        Facter.add("ipa_domain") do
          has_weight 100
          setcode do
            line.split("=")[1].strip
          end
        end
      when /^ipa_server/
        Facter.add("ipa_server") do
          has_weight 100
          setcode do
            line.split("=")[1].strip
          end
        end
      when /^auth_provider/
        Facter.add("ipa_enrolled") do

Odd because:

root@theforeman ~ # ag '(ipa_domain|ipa_server|auth_provider)' /etc/sssd/sssd.conf |sed -e 's|mycompany.com|example.com|g'
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, gandalf.example.com, olorin.example.com, mithrandir.example.com
ipa_server_mode = false

Seems like I'm barking up the wrong tree, this must be a puppet problem. But please leave it for the moment because others may run into this problem as well.

Associated revisions

Revision 631f4a6a (diff)
Added by Ewoud Kohl van Wijngaarden 4 months ago

Fixes #29649 - Prefix ipa and sssd facts with foreman_

This prevents a collision with the ipa fact from the ipa module.

History

#1 Updated by Han Boetes 5 months ago

I reported the issue with puppet: https://tickets.puppetlabs.com/browse/FACT-2588

#2 Updated by Han Boetes 5 months ago

  • Description updated (diff)

#3 Updated by Han Boetes 5 months ago

The ipa_facts file comes from https://github.com/joshuabaird/puppet-ipaclient/blob/master/lib/facter/ipa_facts.rb and contrary to my previous assumption is not a part of puppet but a custom module I happen to have installed.

I tried moving the module out of the way but facter ipa keeps returning empty. Am I missing something here? Where is the right ipa facter that I don't have?

#4 Updated by Ewoud Kohl van Wijngaarden 5 months ago

I was playing with https://github.com/theforeman/puppet-foreman/pull/801 but don't have an IPA env myself so find it hard to verify. Could you check it out and see if it fixes it for you?

#5 Updated by Han Boetes 5 months ago

I run into this error after applying your patch.

[ INFO 2020-04-29T20:25:33 verbose]  Facter: loading custom facts from /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb.
[ERROR 2020-04-29T20:25:33 verbose]  Facter: error while resolving custom facts in /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb: expected chunk name to be a Symbol
[ERROR 2020-04-29T20:25:33 verbose] backtrace:
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:10:in `chunk'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:10:in `block (2 levels) in <top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:9:in `each'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:9:in `block in <top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `instance_eval'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `add'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `<top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/facter.rb:35:in `to_hash'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/facter.rb:35:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/node.rb:135:in `fact_merge'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/node/plain.rb:18:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:215:in `main'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:174:in `run_command'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `block in run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:690:in `exit_on_fail'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

#6 Updated by The Foreman Bot 4 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/839 added

#7 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Triaged changed from No to Yes
  • Target version set to 2.1.0
  • Category set to Foreman modules
  • Fixed in Releases deleted (1.24.3)

#8 Updated by The Foreman Bot 4 months ago

  • Fixed in Releases 2.2.0 added

#9 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Status changed from Ready For Testing to Closed

#10 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Fixed in Releases 2.1.0 added
  • Fixed in Releases deleted (2.2.0)

#11 Updated by Tomer Brisker 4 months ago

  • Target version changed from 2.1.0 to 2.0.1

#12 Updated by The Foreman Bot 4 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/848 added

#13 Updated by Tomer Brisker 3 months ago

  • Fixed in Releases 2.0.1 added

#14 Updated by Han Boetes 3 months ago

Nope, not fixed.

[ERROR 2020-06-18T22:10:51 verbose]  Evaluation Error: Error while evaluating a Function Call, theforeman: The system does not seem to be IPA-enrolled (file: /usr/share/foreman-installer/modules/foreman/manifests/config.pp, line: 101, column: 9) on node theforeman.example.com

#15 Updated by Ewoud Kohl van Wijngaarden 3 months ago

Which version of foreman-installer is installed?

#16 Updated by Han Boetes 3 months ago

Hello Ewoud,

Thanks for your time and effort.

I followed the instructions https://theforeman.org/manuals/2.0/index.html#3.6Upgrade
So the version provided by: yum upgrade https://yum.theforeman.org/releases/2.0/el7/x86_64/foreman-release.rpm
2.0.1 I assume. I can't be entirely sure, since I restored the previous version with a snapshot.

With kind regards,
Han

#17 Updated by Han Boetes 2 months ago

# rpm -q foreman-installer
foreman-installer-2.0.1-1.el7.noarch

#18 Updated by Han Boetes 2 months ago

After reading the code a bit and looking at what was actually requested, I hacked around a bit and came up with this:
Of course that's rather ugly. The domain is used instead of the realm. But it works. The realm can be found in /etc/ipa/default.conf, the domain can be found in /etc/sssd/sssd.conf

It's a bunch of arbitrary checks since there is quite some overlap between those two files and lots of values are not obligatory. I really can't tell how well this config would work elsewhere.

I never edited /etc/ipa/default.conf and I mildly edited /etc/sssd/sssd.conf; using freeipa without sssd is not possible. I would focus on getting info from sssd.conf

# cat sssd.rb
require_relative 'util/sssd'
if defined? Facter::Util::Sssd

  # == Fact: foreman_ipa
  # Both values are read from sssd.conf; the sssd "domains" value
  # stands in for the realm.
  Facter.add(:foreman_ipa, :type => :aggregate) do
    {
      :default_server => 'target[.=~regexp("domain/.*")][1]/ipa_server',
      :default_realm  => 'target[.="sssd"]/domains'
    }.each do |key, path|
      # One chunk per key; a chunk is left out when the value is missing.
      chunk(key) do
        val = Facter::Util::Sssd.sssd_value(path)
        {key => val} if val
      end
    end
  end

  # == Fact: foreman_sssd
  Facter.add(:foreman_sssd, :type => :aggregate) do
    {
      :services => 'target[.="sssd"]/services',
      :ldap_user_extra_attrs => 'target[.=~regexp("domain/.*")][1]/ldap_user_extra_attrs',
      :allowed_uids => 'target[.="ifp"]/allowed_uids',
      :user_attributes => 'target[.="ifp"]/user_attributes',
    }.each do |key, path|
      chunk(key) do
        val = Facter::Util::Sssd.sssd_value(path)
        {key => val} if val
      end
    end
  end
end
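
An added diagnostic sketch, not part of any comment in this thread and not code from puppet-foreman or puppet-ipaclient: it derives `default_server` and `default_realm` from the two files named in comment #18 and applies the same key test as the quoted `config.pp` condition under a chosen fact name. The file contents, the helper names `parse_ini`, `ipa_fact` and `enrolled?`, and the fallback to the first non-`_srv_` host are assumptions.

```ruby
# Added diagnostic sketch; the sample file contents below are constructed.
SSSD_CONF = <<~CONF
  [domain/example.com]
  auth_provider = ipa
  ipa_domain = example.com
  ipa_server = _srv_, gandalf.example.com, olorin.example.com
  [sssd]
  domains = example.com
CONF

IPA_DEFAULT_CONF = <<~CONF
  [global]
  realm = EXAMPLE.COM
  server = gandalf.example.com
CONF

# Minimal INI reader: {"section" => {"key" => "value"}}; skips comments and blanks.
def parse_ini(text)
  section = nil
  text.each_line.with_object({}) do |raw, out|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      out[section] ||= {}
    elsif section && line.include?('=')
      key, value = line.split('=', 2).map(&:strip)
      out[section][key] = value
    end
  end
end

# Build the two keys the manifest condition looks for. Realm comes from default.conf;
# server falls back to the first concrete sssd.conf host, skipping "_srv_" discovery.
def ipa_fact(sssd_text, ipa_text)
  ipa   = parse_ini(ipa_text).fetch('global', {})
  dom   = parse_ini(sssd_text).find { |name, _| name.start_with?('domain/') }&.last || {}
  hosts = dom.fetch('ipa_server', '').split(',').map(&:strip) - ['_srv_', '']
  { 'default_server' => ipa['server'] || hosts.first,
    'default_realm'  => ipa['realm'] }.compact
end

# Same shape as the check quoted from config.pp line 101, for a given fact name.
def enrolled?(facts, name)
  fact = facts[name]
  fact.is_a?(Hash) && fact.key?('default_server') && fact.key?('default_realm')
end
```

With only `sssd.conf` available the realm key is absent and the check fails, which matches the observation in comment #18 that the realm lives in `/etc/ipa/default.conf`.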

#19 Updated by Ewoud Kohl van Wijngaarden about 1 month ago

  • Target version changed from 2.0.1 to 2.1.2
  • Status changed from Closed to New

From reports, this hasn't been solved so reopening.

#20 Updated by Tomer Brisker 30 days ago

  • Target version changed from 2.1.2 to 2.1.3

#21 Updated by Han Boetes 30 days ago

The file I just proposed works, but it's not exactly pretty. I have no idea how to make it pretty or how you guys would like to see it. I'm available for testing or reworking the proposed code.

Please communicate with me! Or simply apply the code and see what happens.

#22 Updated by Ewoud Kohl van Wijngaarden 29 days ago

A patch to https://github.com/theforeman/puppet-foreman is easier for us. You also get proper credit.
