Create OTP on system rebuild

When we’re provisioning a new system, everything works great. But if we need to re-baseline a system, or re-install its OS, then the OTP never gets re-generated by FreeIPA as it does when the system is new.

Expected outcome:
Anytime we trigger the “Build” action, the IPA SmartProxy should create a new OTP among its other “get-ready” tasks.

Foreman and Proxy versions:
Foreman 3.0.0.rc1
Proxy 2.6.0

Foreman and Proxy plugin versions:

Distribution and version:
CentOS 7 (7.9)

Other relevant data:

Hey, in the production.log you should see the following log line: "#{options[:update] ? 'Update' : 'Add'} realm entry for #{options[:rebuild] ? 'reprovisioned' : 'new'} host #{name}"

then you should see a HTTP request coming to your Realm smart-proxy with /realm/hostname URL and arguments. The “rebuild” argument should be passed as “true” which causes the host to call “host_disable” first and then “host_mod” FreeIPA API calls. In the proxy.log with debug on you should see “Making IPA call xyz”.

Investigate IPA logs if you see those two calls.

Can you confirm all of this?

1 Like

When I hit the “Build” button to re-build the system, I get no lines in production.log referencing “realm”, but when I delete and re-create the host, I do get this:

Delete realm entry for
Add realm entry for new host

I don’t see where any message is getting to the proxy through the HTTP call you mentioned in /var/log/foreman-proxy/proxy.log or /var/log/httpd/access_log or error_log.

You need to increase verbosity for proxy, it is not INFO log level but DEBUG.

I increased the logging verbosity and requested a build for this host again.

Rack::Handler::WEBrick is invoked.
c5c4d669 [I] Started GET /v2/features
c5c4d669 [D] verifying remote client against trusted_hosts ["", ""]
c5c4d669 [I] Finished GET /v2/features with 200 (37.8 ms)
[D] close:

That was all that I got in /var/log/foreman-proxy/proxy.log

@lzap is there something else I should be looking at?

Sorry for the delay, this means that Foreman does not orchestrate any Realm changes.

Looking into the codebase, Foreman only performs the update if hostgroup or realm id changes:

@Marek_Hulan I do not understand this code could you provide an insight?

If I read the core correctly, this means we update the realm entry in case Host’s realm has changed or its host group changed (which could also cause the actual realm change).

@wortmanb the log you’re looking at is the smart proxy one. The orchestration and logging (Delete and Add entries) are expected in the Foreman’s production.log. If you don’t see them, can you upload the full log of a request from Foreman, when you actually modify the realm? That may reveal something more.

1 Like