Hello all,

I'd like to provision and manage Docker containers in my Foreman
installation. I found this
plugin https://github.com/theforeman/foreman-docker

I have CentOS release 6.6, foreman-1.7.3-1.el6.noarch and I instaled
plugin ruby193-rubygem-foreman_docker-1.2.3-1.fm1_7.el6.noarch

When I try to test it I get the following error:

pwd

/usr/share/foreman
[root@puppet foreman]# rake test:docker --trace
rake aborted!
no such file to load – apipie/middleware/checksum_in_headers
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
gem_original_require' /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:inrequire'
/usr/share/foreman/config/application.rb:2
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
gem_original_require' /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:inrequire'
/usr/share/foreman/Rakefile:1
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/rake_module.rb:25:in load' /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/rake_module.rb:25:inload_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:589:in
raw_load_rakefile' /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:89:in
load_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:in
standard_exception_handling' /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:88:inload_rakefile'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:72:in run' /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:instandard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:70:in run' /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/bin/rake:33 /usr/bin/rake:19:inload'
/usr/bin/rake:19

But the file exists:
locate apipie/middleware/checksum_in_headers
/opt/rh/ruby193/root/usr/share/gems/gems/apipie-rails-0.2.6/lib/apipie/
middleware/checksum_in_headers.rb

When I try to connect to Docker registry from Foreman web interface
Go to Infrastructure > Compute Resources and click on "New Compute
Resource".

Choose the Docker provider, and fill in all the fields:
Url: https://registry.hub.docker.com/ My username on the docker site and
my password.
I see the following error:
Unable to save
Expected([200, 201, 202, 203, 204, 304]) <=> Actual(503 Service Unavailable)

In the log /var/log/foreman/production.log file I can see:
Error has occurred while listing VMs on docker.com (Docker): Expected([200,
201, 202, 203, 204, 304]) <=> Actual(503 Service Unavailable)

Do I need to install or configure anything else? Is there any good solution
for provisioning and managing Docker containers in Foreman?

Thanks a lot.

I am still troubleshooting my problem.

I set up a local docker repository on another machine then my
Puppet/Foreman server following this article

I'm able to connect from my Puppet/Foreman server to my Docker registry
from the command line interface. To be able to do it I added foreman user
to the docker group https://bugzilla.redhat.com/show_bug.cgi?id=1190059

sudo -u foreman docker login https://docker_hostname:8080
Username: my_username
Password: my_password
Email: whatever
Login Succeeded

But I keep having problems connecting from Foreman web-interface:

Unable to save
Expected([200, 201, 202, 203, 204, 304]) <=> Actual(401 Unauthorized)

It's a different error now, but still no joy.

Has anyone had the same issue?

Thanks!

Not sure the docker plugin is ready fr prime time. I also had issues with
it. I am redoing my whole setup so I will keep you posted.

A bit more details. When I'm trying to create a new Docker compute
recourse, I see in the log file /var/log/foreman/production.log :

Started PUT "/compute_resources/test_connection" for xxx.xxx.xxx.xxx at 2015
-03-30 15:49:10 -0700
Processing by ComputeResourcesController#test_connection as /
Parameters: {"utf8"=>"✓", "authenticity_token"=>
"NBG0GHu2K8mT5lYMLas6Lv7TPsvHP/zUueqLi6JoUUI=", "compute_resource"=>{"name"
=>"Our docker", "provider"=>"Docker", "description"=>"", "url"=>
"https://docker.domain:8080", "user"=>"username", "password"=>"[FILTERED]",
"email"=>""}, "fakepassword"=>"[FILTERED]", "cr_id"=>"null"}
CR_ID IS null
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
Our docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
Our docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
Our docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
Our docker was not decrypted
Rendered /opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/app
/views/compute_resources/form/_docker.html.erb (4.9ms)
Rendered compute_resources/_form.html.erb (13.9ms)
Completed 200 OK in 344ms (Views: 14.9ms | ActiveRecord: 1.6ms)

I see people have the same problem with different types of Computing
Resources
(EC2 http://comments.gmane.org/gmane.linux.redhat.fedora.foreman.user/2102
and Xen Support #9374: Foreman-xen and XenServer Pool - Xen - Foreman)
But I cannot find a solution. I tried with disabled and enforcing selinux.

Anybody?

I was able to solve half of the problem. Now the command* foreman-rake
test:docker *can be executed without errors.

I installed ruby193-rubygem-sqlite3 and ruby193-rubygem-foreman-tasks
packages and run foreman-rake apipie:cache and* foreman-rake db:migrate*

foreman-rake test:docker --trace
** Invoke test:docker (first_time)
** Invoke db:test:prepare (first_time)
** Invoke db:abort_if_pending_migrations (first_time)
** Invoke environment (first_time)
** Execute environment
** Invoke db:load_config (first_time)
** Execute db:load_config
** Execute db:abort_if_pending_migrations
** Execute db:test:prepare
** Invoke db:test:load (first_time)
** Invoke db:test:purge (first_time)
** Invoke environment
** Invoke db:load_config
** Execute db:test:purge
** Execute db:test:load
** Invoke db:test:load_schema (first_time)
** Invoke db:test:purge
** Execute db:test:load_schema
** Invoke db:schema:load (first_time)
** Invoke environment
** Invoke db:load_config
** Execute db:schema:load
** Execute test:docker
** Invoke docker_test_task (first_time)
** Execute docker_test_task
/opt/rh/ruby193/root/usr/bin/ruby -I
"lib:test:/opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/test"
-I"/opt/rh/ruby193/root/usr/share/gems/gems/rake-0.9.2.2/lib"
"/opt/rh/ruby193/root/usr/share/gems/gems/rake-0.9.2.2/lib/rake/rake_test_loader.rb"
"/opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/test/**/*_test.rb"

But I still see the following error when I try aad a new Docker compute
recourse:

CR_ID IS null
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
docker.com was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
docker.com was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
docker.com was not decrypted

I'd appreciate any help.
Thanks

> I was able to solve half of the problem. Now the command* foreman-rake
> test:docker can be executed without errors.
>
> I installed ruby193-rubygem-sqlite3 and ruby193-rubygem-foreman-tasks
> packages and run foreman-rake apipie:cache and foreman-rake db:migrate*
>
> foreman-rake test:docker --trace
> ** Invoke test:docker (first_time)
> ** Invoke db:test:prepare (first_time)
> ** Invoke db:abort_if_pending_migrations (first_time)
> ** Invoke environment (first_time)
> ** Execute environment
> ** Invoke db:load_config (first_time)
> ** Execute db:load_config
> ** Execute db:abort_if_pending_migrations
> ** Execute db:test:prepare
> ** Invoke db:test:load (first_time)
> ** Invoke db:test:purge (first_time)
> ** Invoke environment
> ** Invoke db:load_config
> ** Execute db:test:purge
> ** Execute db:test:load
> ** Invoke db:test:load_schema (first_time)
> ** Invoke db:test:purge
> ** Execute db:test:load_schema
> ** Invoke db:schema:load (first_time)
> ** Invoke environment
> ** Invoke db:load_config
> ** Execute db:schema:load
> ** Execute test:docker
> ** Invoke docker_test_task (first_time)
> ** Execute docker_test_task
> /opt/rh/ruby193/root/usr/bin/ruby -I
> "lib:test:/opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/test"
> -I"/opt/rh/ruby193/root/usr/share/gems/gems/rake-0.9.2.2/lib"
> "/opt/rh/ruby193/root/usr/share/gems/gems/rake-0.9.2.2/lib/rake/rake_test_loader.rb"
> "/opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/test/**/*_test.rb"
>
>
> But I still see the following error when I try aad a new Docker compute
> recourse:
>
> CR_ID IS null
> String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
> docker.com was not decrypted
> String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
> docker.com was not decrypted
> String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
> docker.com was not decrypted

That last bit suggests your compute resource was created at a time when
you didn't have an encryption key (check the content of
/etc/foreman/encryption_key), or if you are running nightlies you might
have hit Bug #9775: CR encryption key not loaded before it's checked, encryption is disabled - Foreman which is now solved.

You can run foreman-rake db:compute_resources:encrypt to re-encrypt it,
it will NOT re-encrypt other compute resources that are already
encrypted.

We have recently documented this in the manual:
http://www.theforeman.org/manuals/1.8/#5.2.10PasswordEncryption

Let us know if that helped, you can also find us on #theforeman-dev and
#theforeman on IRC if you want live help.

Hi Daniel,

thanks a lot for your answer.

Some information about my encryption key file:
ls -la /etc/foreman/encryption_key.rb
-rw-r-----. 1 root foreman 483 Dec 6 14:28 /etc/foreman/encryption_key.rb

stat /etc/foreman/encryption_key.rb
File: `/etc/foreman/encryption_key.rb'
Size: 483 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 1454521 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 493/ foreman)
Access: 2015-04-06 18:00:10.403951462 -0700
Modify: 2014-12-06 14:28:07.706155998 -0800
Change: 2015-03-26 15:42:43.089681437 -0700

cat /etc/foreman/encryption_key.rb

Be sure to restart your server when you modify this file.

Your encryption key for encrypting and decrypting database fields.

If you change this key, all encrypted data will NOT be able to be

decrypted by Foreman!

Make sure the key is at least 32 bytes such as SecureRandom.hex(20)

You can use rake security:generate_encryption_key to regenerate this

file.

module EncryptionKey
ENCRYPTION_KEY = ENV['ENCRYPTION_KEY'] || '<my_key>'
end

I run:

foreman-rake db:compute_resources:encrypt–trace
** Invoke db:compute_resources:encrypt (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute db:compute_resources:encrypt
String starts with the prefix 'encrypted-', so Foreman::Model::Vmware COLO
was not encrypted again
String is empty', so ForemanDocker::Docker ext_docker was not encrypted
String starts with the prefix 'encrypted-', so Foreman::Model::Vmware
SafetyServices was not encrypted again

As far as i understand it is looking for particular string which is empty.
But my key in /etc/foreman/encryption_key.rb is not empty. I tried to
export my key in environment variable ENCRYPTION_KEY but it didn't help as
well.
What string is it looking for?
My other compute resources are fine (2 instance of Vmware recources).

I'm not running nightlies. I'm running stable version of Foreman 1.7.
Everything was installed through OS package manager.
Just in case if it can help:
rpm -qa |grep foreman
ruby193-rubygem-foreman_salt-1.1.1-1.el6.noarch
ruby193-rubygem-foreman-tasks-0.6.4-1.el6.noarch
foreman-selinux-1.7.4-1.el6.noarch
foreman-postgresql-1.7.4-1.el6.noarch
foreman-proxy-1.7.4-1.el6.noarch
rubygem-foreman_api-0.1.11-1.el6.noarch
ruby193-rubygem-foreman_docker-1.2.4-1.fm1_7.el6.noarch
foreman-compute-1.7.4-1.el6.noarch
foreman-vmware-1.7.4-1.el6.noarch
ruby193-rubygem-foreman_salt-doc-1.1.1-1.el6.noarch
ruby193-rubygem-foreman_templates-1.5.0-1.el6.noarch
foreman-1.7.4-1.el6.noarch
foreman-release-1.7.4-1.el6.noarch
foreman-installer-1.7.4-1.el6.noarch

Thanks again.
I really appreciate your help.

> Hi Daniel,
>
> thanks a lot for your answer.
>
> Some information about my encryption key file:
> ls -la /etc/foreman/encryption_key.rb
> -rw-r-----. 1 root foreman 483 Dec 6 14:28 /etc/foreman/encryption_key.rb
>
>
> stat /etc/foreman/encryption_key.rb
> File: /etc/foreman/encryption_key.rb' > Size: 483 Blocks: 8 IO Block: 4096 regular file > Device: 803h/2051d Inode: 1454521 Links: 1 > Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 493/ foreman) > Access: 2015-04-06 18:00:10.403951462 -0700 > Modify: 2014-12-06 14:28:07.706155998 -0800 > Change: 2015-03-26 15:42:43.089681437 -0700 > > cat /etc/foreman/encryption_key.rb > # Be sure to restart your server when you modify this file. > > > # Your encryption key for encrypting and decrypting database fields. > # If you change this key, all encrypted data will NOT be able to be > decrypted by Foreman! > # Make sure the key is at least 32 bytes such as SecureRandom.hex(20) > > > # You can userake security:generate_encryption_key` to regenerate this
> file.
>
>
> module EncryptionKey
> ENCRYPTION_KEY = ENV['ENCRYPTION_KEY'] || '<my_key>'
> end
>
> I run:
>
> foreman-rake db:compute_resources:encrypt–trace
> ** Invoke db:compute_resources:encrypt (first_time)
> ** Invoke environment (first_time)
> ** Execute environment
> ** Execute db:compute_resources:encrypt
> String starts with the prefix 'encrypted-', so Foreman::Model::Vmware COLO
> was not encrypted again
> String is empty', so ForemanDocker::Docker ext_docker was not encrypted
> String starts with the prefix 'encrypted-', so Foreman::Model::Vmware
> SafetyServices was not encrypted again
>
>
> As far as i understand it is looking for particular string which is empty.
> But my key in /etc/foreman/encryption_key.rb is not empty. I tried to
> export my key in environment variable ENCRYPTION_KEY but it didn't help as
> well.
> What string is it looking for?

Oh I see, that's just fine. It's skipping the encryption because you
didn't specify a Docker hub username, password and email.

I'd recommend you to do so as it allows you to search in the Hub. The password
will be automatically encrypted if you've setup your key as I saw before.

Hi Daniel,

I wish it was so simple. I might missing something simple but I don't see
this.

I specify my username, password and email, but I cannot connect.

I try to connect to the external one https://registry.hub.docker.com and
our local one https://docker.<mydomain>:8080

CLI:
External:
sudo -u foreman docker login https://registry.hub.docker.com
Username: <username>
Password:
Email: <email>
Login Succeeded

Local:
sudo -u foreman docker login https://docker.<mydomain>:8080
Username: <username>
Password:
Email: <email>
Login Succeeded

Foreman Web Dashboard:
For external one I press "Test Connection":
Unable to save
Expected([200, 201, 202, 203, 204, 304]) <=> Actual(503 Service Unavailable)

For local one I press "Test Connection":
Unable to save
Expected([200, 201, 202, 203, 204, 304]) <=> Actual(401 Unauthorized)

In log file I can see (for example, external one)
Processing by ComputeResourcesController#test_connection as /
Parameters: {"utf8"=>"✓", "authenticity_token"=>
"4v+dbIBqbG+QOCRcqYw5K0OWBIlXGZ+uzLur9wDWtNw=", "compute_resource"=>{"name"
=>"ext_docker", "description"=>"", "url"=>"https://registry.hub.docker.com",
"user"=>"<username>", "password"=>"[FILTERED]", "email"=>"<email>"},
"fakepassword"=>"[FILTERED]", "cr_id"=>"7"}
CR_ID IS 7
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
ext_docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
ext_docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
ext_docker was not decrypted
String does not start with the prefix 'encrypted-', so ForemanDocker::Docker
ext_docker was not decrypted
Rendered /opt/rh/ruby193/root/usr/share/gems/gems/foreman_docker-1.2.4/app
/views/compute_resources/form/_docker.html.erb (8.6ms)
Rendered compute_resources/_form.html.erb (36.4ms)
Completed 200 OK in 2961ms (Views: 41.9ms | ActiveRecord: 4.4ms)

Anyway I saved both Compute resources to run the encryption command:

foreman-rake db:compute_resources:encrypt --trace
** Invoke db:compute_resources:encrypt (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute db:compute_resources:encrypt
String starts with the prefix 'encrypted-', so Foreman::Model::Vmware COLO
was not encrypted again
String is empty', so ForemanDocker::Docker ext_docker was not encrypted
String starts with the prefix 'encrypted-', so ForemanDocker::Docker
int_docker was not encrypted again
String starts with the prefix 'encrypted-', so Foreman::Model::Vmware
SafetyServices was not encrypted again

What I'm missing or doing wrong?

Thanks a lot!