Error starting puppet when foreman installed via puppet module (selinux)

I'm working on some documentation and demos around bootstrapping a Foreman
environment from scratch. If I manually install Foreman, following the
directions on the web site everything is fine, with selinux in enforcing
mode. However, I want to build a Foreman installation via the puppet agent.
I've installed the latest puppetserver and puppet-agent AIO on CentOS 7,
and then installed the theforeman/foreman puppet module (and dependencies).
The puppet run errors out with a can't find SSL certificate error:

==> bootstrap-foreman: Error:
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to
running failed: Systemd start for httpd failed!
==> bootstrap-foreman: journalctl log for httpd:
==> bootstrap-foreman: -- Logs begin at Thu 2017-03-09 01:30:31 UTC, end at
Thu 2017-03-09 01:40:38 UTC. --
==> bootstrap-foreman: Mar 09 01:40:38 foreman.vagrant systemd[1]: Starting
The Apache HTTP Server...
==> bootstrap-foreman: Mar 09 01:40:38 foreman.vagrant httpd[18478]:
AH00526: Syntax error on line 30 of /etc/httpd/conf.d/05-foreman-ssl.conf:
==> bootstrap-foreman: Mar 09 01:40:38 foreman.vagrant httpd[18478]:
SSLCertificateFile: file
'/etc/puppetlabs/puppet/ssl/certs/foreman.vagrant.pem' does not exist or is
empty
==> bootstrap-foreman: Mar 09 01:40:38 foreman.vagrant systemd[1]:
httpd.service: main process exited, code=exited, status=1/FAILURE
==> bootstrap-foreman: Mar 09 01:40:38 foreman.vagrant kill[18480]: kill:
cannot find process ""

The cert is there, and is valid. Manually trying to start the apache server
gives the same error. Changing selinux to permissive mode allows apache to
start, and everything seems to be working in my simple vagrant tests. The
selinux labels seem to be the same from the working "hand installed"
version and the puppet installed version:

Working:
-rw-r--r--. puppet puppet system_u:object_r:puppet_etc_t:s0
/etc/puppetlabs/puppet/ssl/certs/foreman.working.pem
Not working:
-rw-r--r--. puppet puppet system_u:object_r:puppet_etc_t:s0
/etc/puppetlabs/puppet/ssl/certs/foreman.vagrant.pem

I've looked through the source of the foreman-installer, and I don't see
anything that is obviously making changes to selinux. I'd really like to
get this working in enforcing mode, and it seems like it should work. Does
anyone have any ideas about what might be causing the puppet module to
break when used without the installer?

james

> I'm working on some documentation and demos around bootstrapping a
> Foreman environment from scratch. If I manually install Foreman,
> following the directions on the web site everything is fine, with
> selinux in enforcing mode. However, I want to build a Foreman
> installation via the puppet agent. I've installed the latest
> puppetserver and puppet-agent AIO on CentOS 7, and then installed the
> theforeman/foreman puppet module (and dependencies). The puppet run
> errors out with a can't find SSL certificate error:
>
[…]
>
> The cert is there, and is valid. Manually trying to start the apache
> server gives the same error. Changing selinux to permissive mode allows
> apache to start, and everything seems to be working in my simple vagrant
> tests. The selinux labels seem to be the same from the working "hand
> installed" version and the puppet installed version:

The process labels may be different, but hard to say without the AVC log.

> I've looked through the source of the foreman-installer, and I don't see
> anything that is obviously making changes to selinux. I'd really like to
> get this working in enforcing mode, and it seems like it should work.
> Does anyone have any ideas about what might be causing the puppet module
> to break when used without the installer?

The installer also sets the parameter:

apache::mod::passenger::manage_repo: false

which on EL7 will install the version of Passenger from EPEL7 rather
than from Phusion. There isn't support in the OS policy for Phusion
Passenger, so it may be running in the wrong context (httpd_t, not
passenger_t), bug #17093.

On 11/03/17 00:28, James Evans wrote:

-- 
Dominic Cleal
dominic@cleal.org
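As an added example that is not part of the thread, two small shell filters that make the two diagnostic questions above concrete: which SELinux domain the httpd and Passenger processes actually run in, and what the AVC log says was denied. They read `ps -eZ` and `ausearch -m avc` output on stdin; the sample lines at the bottom are constructed to resemble this thread's failure, not captured from the poster's host.

```shell
# Added example (not from the thread). On a real EL7 host feed the functions
# live output:   ps -eZ | selinux_domains      ausearch -m avc -ts today | avc_denials

# selinux_domains: from `ps -eZ` lines, print "<domain> <command>" for each
# httpd or Passenger process (one line per distinct pair). With the OS policy
# httpd runs as httpd_t and Passenger helpers as passenger_t; as Dominic notes,
# the Phusion build has no OS policy, so it may end up in httpd_t instead.
selinux_domains() {
    awk '/httpd|Passenger/ {
            n = split($1, ctx, ":")        # LABEL column: user:role:type:level
            if (n >= 3) print ctx[3], $5   # $5 = first word of the CMD column
         }' | LC_ALL=C sort -u
}

# avc_denials: from audit.log / ausearch output, print one line per denied AVC:
# "<source domain> <permission> <target class> <target type> <target name>".
avc_denials() {
    awk '/avc: *denied/ {
            perm = ""; scon = ""; tcon = ""; tclass = ""; name = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if (index($i, "scontext=") == 1) { split($i, c, ":"); scon = c[3] }
                if (index($i, "tcontext=") == 1) { split($i, c, ":"); tcon = c[3] }
                if (index($i, "tclass=") == 1)   tclass = substr($i, 8)
                if (index($i, "name=") == 1)     { name = substr($i, 6); gsub(/"/, "", name) }
            }
            print scon, perm, tclass, tcon, name
         }'
}

# Constructed sample input (not captured from the poster's machine), shaped like
# the failure in the thread: httpd confined as httpd_t is refused the Puppet cert
# (puppet_etc_t), and the Passenger helper is also running as httpd_t.
SAMPLE_PS='system_u:system_r:httpd_t:s0    18478 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    18490 ?        00:00:01 PassengerAgent
system_u:system_r:unconfined_service_t:s0 1200 ?  00:00:10 puppetserver'
SAMPLE_AVC='type=AVC msg=audit(1489023638.101:311): avc:  denied  { read } for  pid=18478 comm="httpd" name="foreman.vagrant.pem" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=0'

# Run both filters over the constructed sample: two domain lines and one denial.
demo_report() {
    printf '%s\n' "$SAMPLE_PS"  | selinux_domains
    printf '%s\n' "$SAMPLE_AVC" | avc_denials
}
```

A report that shows the denial line next to the "same" file labels is what a bug like #17093 needs; permissive mode hides it because the denial is logged but not enforced.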

I've added "custom_repo => true," to a foreman class I'm using with "puppet
apply" and that allowed me to get further. I'm now
getting ERR_SSL_SERVER_CERT_BAD_FORMAT from Chrome when I try to talk to
the httpd.

Iain.
On Tuesday, 14 March 2017 10:36:24 UTC, Dominic Cleal wrote:
> […]

I've identified that SELinux was preventing Foreman from starting when
using the passenger upstream repo, and replacing mod_passenger with the
EPEL version fixed that.

I'm currently applying a Puppet manifest using the puppet-foreman module,
that simply says:

class { '::foreman':
admin_<settings> => …
}

Is there any way in this type of installation to also set the Apache
manage_repo to false so that the passenger repo never gets added?

Thanks,

Iain.


Set it via Hiera, or possibly use:

class { '::apache::mod::passenger':
manage_repo => false,
}

On 06/04/17 22:39, Iain Hallam wrote:
> […]

-- 
Dominic Cleal
dominic@cleal.org