Bug #29649

The system does not seem to be IPA-enrolled

Added by Han Boetes over 1 year ago. Updated 3 months ago.


Description

Running the installer after the upgrade like I always do:

env TMP= TMPDIR= foreman-installer \
    -v \
    --foreman-proxy-log-level=DEBUG \
    --enable-foreman-plugin-remote-execution \
    --enable-foreman-proxy-plugin-remote-execution-ssh \
    --enable-foreman-plugin-dhcp-browser \
    --enable-foreman-plugin-remote-execution \
    --enable-foreman-proxy-plugin-remote-execution-ssh \
    --foreman-ipa-authentication=true \
    --foreman-pam-service=foreman \
    --foreman-http-keytab=/etc/http.keytab \
    --no-enable-foreman-cli-ansible \
    --no-enable-foreman-plugin-ansible \
    --no-enable-foreman-proxy-plugin-ansible

After the upgrade to 2.0 I get

Evaluation Error: Error while evaluating a Function Call, theforeman: The system does not seem to be IPA-enrolled (file: /usr/share/foreman-installer/modules/foreman/manifests/config.pp, line: 101, column: 9) on node

Which reads:

unless 'ipa' in $facts and 'default_server' in $facts['ipa'] and 'default_realm' in $facts['ipa'] {

So it tests the output of facter ipa. If I do that manually I get no output. Digging a bit further, this is the code in question: /etc/puppetlabs/code/modules/ipaclient/lib/facter/ipa_facts.rb

The important part would be:

if File.exist?('/etc/sssd/sssd.conf') && sssd = File.readlines('/etc/sssd/sssd.conf')
  sssd.each do |line|
    case line
      when /^ipa_domain/
        Facter.add("ipa_domain") do
          has_weight 100
          setcode do
            line.split("=")[1].strip
          end
        end
      when /^ipa_server/
        Facter.add("ipa_server") do
          has_weight 100
          setcode do
            line.split("=")[1].strip
          end
        end
      when /^auth_provider/
        Facter.add("ipa_enrolled") do

Odd because:

root@theforeman ~ # ag '(ipa_domain|ipa_server|auth_provider)' /etc/sssd/sssd.conf |sed -e 's|mycompany.com|example.com|g'
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, gandalf.example.com, olorin.example.com, mithrandir.example.com
ipa_server_mode = false

Seems like I'm barking up the wrong tree, this must be a puppet problem. But please leave it for the moment because others may run into this problem as well.

Associated revisions

Revision 631f4a6a (diff)
Added by Ewoud Kohl van Wijngaarden over 1 year ago

Fixes #29649 - Prefix ipa and sssd facts with foreman_

This prevents a collision with the ipa fact from the ipa module.

Revision eaefa6f0 (diff)
Added by Ewoud Kohl van Wijngaarden 3 months ago

Fixes #29649 - Drop default_server argument in IPA

ipa-getkeytab can figure out the default server on its own [1]. There is no
need to specify it and can even break things. For example, DNS can be
used to detect servers. Then the fact is empty and it fails while the
command would actually pass.

The foreman_ipa fact is removed since it's a major version bump anyway
and nothing else should use our foreman_ipa fact.

[1] https://github.com/theforeman/puppet-foreman/pull/880#issuecomment-683902223

History

#1 Updated by Han Boetes over 1 year ago

I reported the issue with puppet: https://tickets.puppetlabs.com/browse/FACT-2588

#2 Updated by Han Boetes over 1 year ago

  • Description updated (diff)

#3 Updated by Han Boetes over 1 year ago

The ipa_facts file comes from https://github.com/joshuabaird/puppet-ipaclient/blob/master/lib/facter/ipa_facts.rb and contrary to my previous assumption is not a part of puppet but a custom module I happen to have installed.

I tried moving the module out of the way but facter ipa keeps returning empty. Am I missing something here? Where is the right ipa facter that I don't have?

#4 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

I was playing with https://github.com/theforeman/puppet-foreman/pull/801 but don't have an IPA env myself so find it hard to verify. Could you check it out and see if it fixes it for you?

#5 Updated by Han Boetes over 1 year ago

I run into this error after applying your patch.

[ INFO 2020-04-29T20:25:33 verbose]  Facter: loading custom facts from /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb.
[ERROR 2020-04-29T20:25:33 verbose]  Facter: error while resolving custom facts in /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb: expected chunk name to be a Symbol
[ERROR 2020-04-29T20:25:33 verbose] backtrace:
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:10:in `chunk'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:10:in `block (2 levels) in <top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:9:in `each'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:9:in `block in <top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `instance_eval'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `add'
[ERROR 2020-04-29T20:25:33 verbose] /usr/share/foreman-installer/modules/foreman/lib/facter/sssd.rb:5:in `<top (required)>'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/facter.rb:35:in `to_hash'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/facter.rb:35:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/node.rb:135:in `fact_merge'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/node/plain.rb:18:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:215:in `main'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:174:in `run_command'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `block in run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:690:in `exit_on_fail'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
[ERROR 2020-04-29T20:25:33 verbose] /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

#6 Updated by The Foreman Bot over 1 year ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/839 added

#7 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Triaged changed from No to Yes
  • Target version set to 2.1.0
  • Category set to Foreman modules
  • Fixed in Releases deleted (1.24.3)

#8 Updated by The Foreman Bot over 1 year ago

  • Fixed in Releases 2.2.0 added

#9 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Status changed from Ready For Testing to Closed

#10 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Fixed in Releases 2.1.0 added
  • Fixed in Releases deleted (2.2.0)

#11 Updated by Tomer Brisker over 1 year ago

  • Target version changed from 2.1.0 to 2.0.1

#12 Updated by The Foreman Bot over 1 year ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/848 added

#13 Updated by Tomer Brisker over 1 year ago

  • Fixed in Releases 2.0.1 added

#14 Updated by Han Boetes over 1 year ago

Nope, not fixed.

[ERROR 2020-06-18T22:10:51 verbose]  Evaluation Error: Error while evaluating a Function Call, theforeman: The system does not seem to be IPA-enrolled (file: /usr/share/foreman-installer/modules/foreman/manifests/config.pp, line: 101, column: 9) on node theforeman.example.com

#15 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

Which version of foreman-installer is installed?

#16 Updated by Han Boetes over 1 year ago

Hello Ewoud,

thanks for your time and effort.

I followed the instructions https://theforeman.org/manuals/2.0/index.html#3.6Upgrade
So the version provided by: yum upgrade https://yum.theforeman.org/releases/2.0/el7/x86_64/foreman-release.rpm
2.0.1 I assume. I can't be entirely sure, since I restored the previous version with a snapshot.

With kind regards,
Han

#17 Updated by Han Boetes over 1 year ago

# rpm -q foreman-installer
foreman-installer-2.0.1-1.el7.noarch

#18 Updated by Han Boetes over 1 year ago

After reading the code a bit and looking at what was actually requested I hacked around a bit and came up with this:
Of course that's rather ugly. The domain is used instead of the realm. But it works. The realm can be found in /etc/ipa/default.conf, the domain can be found in /etc/sssd/sssd.conf

It's a bunch of arbitrary checks since there is quite some overlap between those two files and lots of values are not obligatory. I really can't tell how well this config would work elsewhere.

I never edited /etc/ipa/default.conf and I mildly edited /etc/sssd/sssd.conf. Using freeipa without sssd is not possible. I would focus on getting info from sssd.conf

# cat sssd.rb
require_relative 'util/sssd'
if defined? Facter::Util::Sssd

  # == Fact: foreman_ipa
  # Both values are read from sssd.conf; the SSSD domain list stands in for the realm.
  Facter.add(:foreman_ipa, :type => :aggregate) do
    {
      :default_server => 'target[.=~regexp("domain/.*")][1]/ipa_server',
      :default_realm  => 'target[.="sssd"]/domains'
    }.each do |key, path|
      # Chunk names must be Symbols; a chunk is only contributed when a value exists.
      chunk(key) do
        val = Facter::Util::Sssd.sssd_value(path)
        {key => val} if val
      end
    end
  end

  # == Fact: foreman_sssd
  Facter.add(:foreman_sssd, :type => :aggregate) do
    {
      :services => 'target[.="sssd"]/services',
      :ldap_user_extra_attrs => 'target[.=~regexp("domain/.*")][1]/ldap_user_extra_attrs',
      :allowed_uids => 'target[.="ifp"]/allowed_uids',
      :user_attributes => 'target[.="ifp"]/user_attributes',
    }.each do |key, path|
      chunk(key) do
        val = Facter::Util::Sssd.sssd_value(path)
        {key => val} if val
      end
    end
  end
end
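
The following is an added example, not part of the comment above and not code from puppet-foreman. It shows why the check quoted from config.pp line 101 rejects an enrolled host whose servers are found through DNS, and why flat facts from another module do not satisfy it. The file contents, the helper names and the relaxed realm-only variant are assumptions made for illustration.

```ruby
# Added example. Both file contents are constructed samples, not from a real host.
SSSD_CONF = <<~CONF
  [domain/example.com]
  auth_provider = ipa
  ipa_domain = example.com
  ipa_server = _srv_, gandalf.example.com
  [sssd]
  domains = example.com
CONF
# Assumed layout of /etc/ipa/default.conf on a host with no fixed server entry.
IPA_DEFAULT_CONF = <<~CONF
  [global]
  realm = EXAMPLE.COM
  domain = example.com
CONF

# Minimal INI reader returning {"section" => {"key" => "value"}}.
def parse_ini(text)
  section = nil
  text.each_line.with_object({}) do |raw, out|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = out[m[1]] = {}
    elsif section && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      section[m[1]] = m[2]
    end
  end
end

# Hypothetical stand-in for the structured fact: only non-empty values become keys.
def ipa_fact(ipa_conf)
  global = parse_ini(ipa_conf).fetch('global', {})
  fact = { 'default_realm' => global['realm'], 'default_server' => global['server'] }
  fact.reject { |_, value| value.to_s.empty? }
end

# Servers from sssd.conf; the "_srv_" entry means DNS SRV discovery.
def sssd_servers(sssd_conf)
  _, domain = parse_ini(sssd_conf).find { |name, _| name.start_with?('domain/') }
  list = (domain || {}).fetch('ipa_server', '').split(',').map(&:strip)
  { dns_discovery: list.include?('_srv_'), fixed: list - ['_srv_'] }
end

# require_server: true mirrors the check quoted from config.pp line 101.
def enrolled?(facts, require_server:)
  ipa = facts['ipa']
  return false unless ipa.is_a?(Hash) && ipa.key?('default_realm')
  !require_server || ipa.key?('default_server')
end
```

On a real host, comparing the structured fact the installer sees with the output of `sssd_servers` separates "not enrolled" from "enrolled, but the fact is empty".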

#19 Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Target version changed from 2.0.1 to 2.1.2
  • Status changed from Closed to New

From reports, this hasn't been solved so reopening.

#20 Updated by Tomer Brisker about 1 year ago

  • Target version changed from 2.1.2 to 2.1.3

#21 Updated by Han Boetes about 1 year ago

The file I just proposed works, but it's not exactly pretty. I have no idea how to make it pretty or how you guys would like to see it. I'm available for testing or reworking the proposed code.

Please communicate with me! Or simply apply the code and see what happens.

#22 Updated by Ewoud Kohl van Wijngaarden about 1 year ago

A patch to https://github.com/theforeman/puppet-foreman is easier for us. You also get proper credit.

#24 Updated by Tomer Brisker about 1 year ago

  • Target version changed from 2.1.3 to 2.2.0

Pushing off 2.1.3 since we are starting to make the release and this won't be merged in time.

#25 Updated by Han Boetes about 1 year ago

No worries, this is more complicated to do right than initially estimated.

"we thought that we had the answers, it was the questions we had wrong"

#26 Updated by Tomer Brisker about 1 year ago

  • Target version deleted (2.2.0)

Unsetting target version for now until we have a working solution.

#27 Updated by The Foreman Bot 7 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/935 added

#28 Updated by The Foreman Bot 4 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/888 added

#29 Updated by The Foreman Bot 3 months ago

  • Fixed in Releases 3.0.0 added

#30 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Status changed from Ready For Testing to Closed

#31 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/960 added

#32 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Pull request deleted (https://github.com/theforeman/puppet-foreman/pull/960)
