Bug #32299
Installation of Katello 4 RC3 fails when --foreman-proxy-ssl-port is not set to default 9090
Status: open
Description
Hi,
Katello 4 installation completes without any error when using the default foreman-proxy ssl port of 9090; however, when using a custom port with the argument --foreman-proxy-ssl-port "9093", the installation fails with the following:
.
.
.
2021-04-12 19:02:57 [NOTICE] [configure] 2200 out of 2289 done.
2021-04-12 19:03:05 [ERROR ] [configure] Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/features: change from ["Ansible", "BMC", "DHCP", "DNS", "Discovery", "Dynflow", "Logs", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP"] to ["Ansible", "BMC", "DHCP", "DNS", "Discovery", "Dynflow", "HTTPBoot", "Logs", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP"] failed: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [ERROR ] [configure] Error making PUT request to Foreman at https://katello.mnsmithuk/api/v2/smart_proxies/1: Response: 422 Unprocessable Entity
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/url: change from 'https://katello.mnsmithuk:9090' to 'https://katello.mnsmithuk:9093' failed: Error making PUT request to Foreman at https://katello.mnsmithuk/api/v2/smart_proxies/1: Response: 422 Unprocessable Entity
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Failed to call refresh: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:07 [NOTICE] [configure] System configuration has finished.
There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/katello.log
Below is the extract from katello.log
2021-04-12 19:03:02 [DEBUG ] [configure] /Stage[main]/Foreman_proxy::Register/Datacat_collector[foreman_proxy::enabled_features]: Evaluated in 0.01 seconds
2021-04-12 19:03:02 [DEBUG ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Starting to evaluate the resource (2265 of 2289)
2021-04-12 19:03:02 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Making get request to https://katello.mnsmithuk/api/v2/smart_proxies?search=name%3D%22katello.mnsmithuk%22
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Received response 200 from request to https://katello.mnsmithuk/api/v2/smart_proxies?search=name%3D%22katello.mnsmithuk%22
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Making put request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Received response 500 from request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
2021-04-12 19:03:05 [ERROR ] [configure] Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/features: change from ["Ansible", "BMC", "DHCP", "DNS", "Discovery", "Dynflow", "Logs", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP"] to ["Ansible", "BMC", "DHCP", "DNS", "Discovery", "Dynflow", "HTTPBoot", "Logs", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP"] failed: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Making put request to https://katello.mnsmithuk/api/v2/smart_proxies/1
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Received response 422 from request to https://katello.mnsmithuk/api/v2/smart_proxies/1
2021-04-12 19:03:05 [ERROR ] [configure] Error making PUT request to Foreman at https://katello.mnsmithuk/api/v2/smart_proxies/1: Response: 422 Unprocessable Entity
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/url: change from 'https://katello.mnsmithuk:9090' to 'https://katello.mnsmithuk:9093' failed: Error making PUT request to Foreman at https://katello.mnsmithuk/api/v2/smart_proxies/1: Response: 422 Unprocessable Entity
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Making put request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
2021-04-12 19:03:05 [DEBUG ] [configure] Foreman_smartproxy[katello.mnsmithuk](provider=rest_v3): Received response 500 from request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Failed to call refresh: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Error making PUT request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-04-12 19:03:05 [DEBUG ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]: Evaluated in 3.47 seconds
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy::Register]: Starting to evaluate the resource (2266 of 2289)
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy::Register]: Resource is being skipped, unscheduling all events
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy::Register]: Evaluated in 0.00 seconds
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy]: Starting to evaluate the resource (2267 of 2289)
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy]: Resource is being skipped, unscheduling all events
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy]: Unscheduling all events on Class[Foreman_proxy]
2021-04-12 19:03:05 [DEBUG ] [configure] Class[Foreman_proxy]: Evaluated in 0.00 seconds
Updated by Chris Roberts over 3 years ago
- Project changed from Katello to Installer
- Category set to Foreman modules
Moving to installer, since it is related to puppet-foreman-proxy
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
I wonder if this has something to do with the SELinux policy. Can you check for denials? I usually grep for AVC in /var/log/audit/audit.log but I think ausearch can also be used.
Updated by Matthew Smith over 3 years ago
Ewoud Kohl van Wijngaarden wrote:
I wonder if this has something to do with the SELinux policy. Can you check for denials? I usually grep for AVC in /var/log/audit/audit.log but I think ausearch can also be used.
Hi Ewoud,
I just reinstalled and grepped AVC as suggested. Here is the output below.
[root@katello ~]# grep AVC /var/log/audit/audit.log
type=USER_AVC msg=audit(1619257981.018:338): pid=1607 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258089.614:522): pid=1607 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258416.392:154): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258563.872:443): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258568.859:453): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=4) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258571.290:456): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=5) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258582.033:462): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=6) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258599.595:470): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=7) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258600.332:473): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=8) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258603.054:474): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=9) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258659.930:573): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=10) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258663.030:575): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=11) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258677.423:579): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=12) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258680.529:581): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=13) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258712.729:652): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=14) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258723.638:654): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=15) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258734.605:656): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=16) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258833.840:782): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=17) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258836.523:783): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=18) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258876.172:805): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=19) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258878.846:806): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=20) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258953.645:866): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=21) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1619258956.248:867): pid=845 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=22) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1619259801.263:967): avc: denied { create } for pid=1514 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1619259801.263:968): avc: denied { connect } for pid=1514 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1619259801.263:968): avc: denied { sendto } for pid=1514 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1619259802.374:970): avc: denied { sendto } for pid=1654 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1619259817.825:975): avc: denied { name_connect } for pid=31541 comm="diagnostic_con*" dest=9093 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Project changed from Installer to SELinux
- Category changed from Foreman modules to General Foreman
This line here is the denial:
type=AVC msg=audit(1619259817.825:975): avc: denied { name_connect } for pid=31541 comm="diagnostic_con*" dest=9093 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Foreman (in the foreman_rails_t domain) isn't allowed to talk to port 9093.
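Added example (not part of the thread and not Foreman project code): an awk filter for the same shell as the grep above. It drops the USER_AVC policy-load notices and reports, for each kernel AVC record, whether the access was actually blocked (permissive=0) or only logged (permissive=1). The function names are made up for illustration; the sample records are copied from the output posted in this thread.

```shell
#!/bin/sh
# Added example: triage SELinux AVC records instead of reading raw grep output.

# Sample records copied from the audit.log output posted in this thread.
sample_audit_log() {
    cat <<'EOF'
type=USER_AVC msg=audit(1619257981.018:338): pid=1607 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1619259801.263:968): avc: denied { sendto } for pid=1514 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1619259817.825:975): avc: denied { name_connect } for pid=31541 comm="diagnostic_con*" dest=9093 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# avc_triage [FILE...]: one summary line per kernel AVC denial.
# BLOCKED = permissive=0 (access refused); LOGGED = permissive=1 (allowed, audited).
avc_triage() {
    awk '
    # Value of key=value in the current record, quotes stripped ("" if absent).
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,    parts) { split(ctx, parts, ":"); return parts[3] }

    # USER_AVC policy-load notices never match: $1 differs and nothing is denied.
    $1 == "type=AVC" && /avc: +denied/ {
        perm = $0
        sub(/^.*denied +[{] */, "", perm)
        sub(/ *[}].*$/, "", perm)
        pm = field("permissive")
        state = (pm == "0") ? "BLOCKED" : ((pm == "1") ? "LOGGED" : "UNKNOWN")
        dest = field("dest")
        printf "%s %s %s->%s %s {%s}%s\n", state, field("comm"),
            setype(field("scontext")), setype(field("tcontext")),
            field("tclass"), perm, (dest != "" ? " dest=" dest : "")
    }' "$@"
}

sample_audit_log | avc_triage
```

On a live host the function can read the real log directly, for example `avc_triage /var/log/audit/audit.log`.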
Updated by Matthew Smith over 3 years ago
Ewoud Kohl van Wijngaarden wrote:
This line here is the denial:
type=AVC msg=audit(1619259817.825:975): avc: denied { name_connect } for pid=31541 comm="diagnostic_con*" dest=9093 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Foreman (in the foreman_rails_t domain) isn't allowed to talk to port 9093.
Ok. So is this a bug or is there a semanage command that can rectify it?
Updated by Matthew Smith over 3 years ago
Matthew Smith wrote:
Ewoud Kohl van Wijngaarden wrote:
This line here is the denial:
type=AVC msg=audit(1619259817.825:975): avc: denied { name_connect } for pid=31541 comm="diagnostic_con*" dest=9093 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Foreman (in the foreman_rails_t domain) isn't allowed to talk to port 9093.
Ok. So is this a bug or is there a semanage command that can rectify it?
I think when I initially read the line "For Red Hat family operating systems, SELinux must not be set to disabled mode." in the Katello 4 documentation, I assumed it meant it needs to be set to Enforcing, but I have now realised I could have set it to Permissive. I just set SELINUX to Permissive and that worked.
Thanks for the pointer.