Create OTP on system rebuild

Problem:
When we’re provisioning a new system, everything works great. But if we need to re-baseline a system, or re-install its OS, then the OTP never gets re-generated by FreeIPA as it does when the system is new.

Expected outcome:
Anytime we trigger the “Build” action, the IPA SmartProxy should create a new OTP among its other “get-ready” tasks.

Foreman and Proxy versions:
Foreman 3.0.0.rc1
Proxy 2.6.0

Foreman and Proxy plugin versions:

Distribution and version:
CentOS 7 (7.9)

Other relevant data:

Hey, in the production.log you should see the following log line:

logger.info "#{options[:update] ? 'Update' : 'Add'} realm entry for #{options[:rebuild] ? 'reprovisioned' : 'new'} host #{name}"

Then you should see an HTTP request coming to your Realm smart-proxy with /realm/hostname URL and arguments. The “rebuild” argument should be passed as “true”, which causes the host to call “host_disable” first and then “host_mod” FreeIPA API calls. In the proxy.log with debug on you should see “Making IPA call xyz”.

Investigate IPA logs if you see those two calls.

Can you confirm all of this?

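The checks described in the reply above, written as a log triage script. This is an added example, not part of the original posts and not Foreman or smart-proxy code. The host name, realm name, request line and the text after "Making IPA call" are constructed, and matching the proxy request on a "/realm/" substring is an assumption.

```python
import re

# Foreman production.log message, per the logger.info format string quoted above.
REALM_RE = re.compile(r"(Update|Add) realm entry for (reprovisioned|new) host (\S+)")
# Phrase the reply says the smart proxy logs at debug level.
IPA_CALL = "Making IPA call"
# Assumption: the request path contains "/realm/"; the reply names a /realm/hostname URL.
REALM_PATH = "/realm/"


def triage(host, production_lines, proxy_lines):
    """Name the first stage of the rebuild -> new OTP chain that left no log evidence."""
    kinds = set()
    for line in production_lines:
        m = REALM_RE.search(line)
        if m and m.group(3) == host:
            kinds.add(m.group(2))
    if not kinds:
        return "foreman: no realm entry logged for host"
    if "reprovisioned" not in kinds:
        return "foreman: realm entry logged as new host, not as rebuild"
    if not any(REALM_PATH in line for line in proxy_lines):
        return "proxy: no realm request received"
    if not any(IPA_CALL in line for line in proxy_lines):
        return "proxy: realm request seen, no IPA call logged (is debug on?)"
    return "ok: look for host_disable and host_mod in the IPA logs"


# Constructed sample lines (hypothetical host and realm names).
HOST = "host1.example.net"
PROD_REBUILD = ["Update realm entry for reprovisioned host host1.example.net"]
PROD_RECREATE = ["Delete realm entry for host1.example.net",
                 "Add realm entry for new host host1.example.net"]
PROXY_FEATURES_ONLY = ["aaaa0001 [I] Started GET /v2/features",
                       "aaaa0001 [I] Finished GET /v2/features with 200 (37.8 ms)"]
PROXY_REALM = ["aaaa0002 [I] Started POST /realm/EXAMPLE.NET",
               "aaaa0002 [D] Making IPA call: host_disable"]

if __name__ == "__main__":
    print(triage(HOST, [], PROXY_FEATURES_ONLY))
    print(triage(HOST, PROD_RECREATE, PROXY_FEATURES_ONLY))
    print(triage(HOST, PROD_REBUILD, PROXY_FEATURES_ONLY))
    print(triage(HOST, PROD_REBUILD, PROXY_REALM))
```

A result starting with "foreman:" means the request never left Foreman, so the smart proxy and FreeIPA logs will not show anything for that build.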

When I hit the “Build” button to re-build the system, I get no lines in production.log referencing “realm”, but when I delete and re-create the host, I do get this:

Delete realm entry for zsdiscoverytest.our.net
:
:
Add realm entry for new host zsdiscoverytest.our.net

I don’t see where any message is getting to the proxy through the HTTP call you mentioned in /var/log/foreman-proxy/proxy.log or /var/log/httpd/access_log or error_log.

You need to increase verbosity for the proxy; it is not INFO log level but DEBUG.

I increased the logging verbosity and requested a build for this host again.

accept: 192.168.1.159:42492
Rack::Handler::WEBrick is invoked.
c5c4d669 [I] Started GET /v2/features
c5c4d669 [D] verifying remote client 192.168.1.159 against trusted_hosts ["foreman.our.net", "zsinf08.our.net"]
c5c4d669 [I] Finished GET /v2/features with 200 (37.8 ms)
[D] close: 192.168.1.159:42492

That was all that I got in /var/log/foreman-proxy/proxy.log

@lzap is there something else I should be looking at?

Sorry for the delay, this means that Foreman does not orchestrate any Realm changes.

Looking into the codebase, Foreman only performs the update if hostgroup or realm id changes:

@Marek_Hulan I do not understand this code. Could you provide an insight?

If I read the core correctly, this means we update the realm entry in case Host’s realm has changed or its host group changed (which could also cause the actual realm change).

@wortmanb the log you’re looking at is the smart proxy one. The orchestration and logging (Delete and Add entries) are expected in Foreman’s production.log. If you don’t see them, can you upload the full log of a request from Foreman, when you actually modify the realm? That may reveal something more.
