Foreman-installer failing on EC2 instance due to DNS

OS: CentOS 8
Foreman: foreman-installer 2.1.0

I’m trying to run the foreman-installer on a fresh CentOS 8 node in AWS. I get the following response:

Forward DNS points to 34.194.###.### which is not configured on this server
Your system does not meet configuration criteria

DNS records contain both internal and external records. The host itself will return the internal ip with dig. This in itself is confusing. Is foreman checking some external nameserver?

A quick Google search suggests I add the external IP to /etc/hosts with the FQDN. Same error.

I ran hostname -f to make sure the hostname was the FQDN; it is. More googling… this time it suggests adding " foreman" before the localhost entry. No luck there.

At this point the only thing I can think is that it’s looking for the external IP in the eth configs and not finding it. (This is on purpose as the firewall routes external IPs internally).

I’m not seeing anyone having this issue for the past few years. Anyone have a clue as to why this might be happening?

Hello, welcome back!

We check one of our prerequisites - the host you are installing on must have an FQDN, because once the installation finishes it also generates a bunch of X509 certificates with embedded common names. Changing these is extra work you don’t want to do.

To achieve that, you want to make sure that the upstream DNS server has A/PTR records for the host you are installing on. Because this will be exactly the name you will use to access the API and WebUI via your browser. You want a valid certificate. The same rule applies to all smart proxies.

So yes, we do perform a DNS query and compare this to your IP addresses. Why would you want to have an incorrect entry in the DNS? That does not make sense. However, you can skip these checks with a parameter if you know what you are doing.
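As an added illustration of the prerequisite described above (written for this thread, not the foreman-installer's own code), the Ruby below resolves the FQDN through the OS resolver and compares the answer with the addresses bound on the host, then does the PTR check the other way round. The resolver is injectable, so the two constructed scenarios (FakeResolver, the TEST-NET address 203.0.113.10 and the interface addresses 10.0.2.15/10.0.0.5 are all assumptions) reproduce this thread's EC2 and Vagrant symptoms offline.

```ruby
require 'resolv'
require 'socket'

# Added example mimicking the installer prerequisite: the FQDN's forward record
# must be an address bound on this host, and its PTR should name the FQDN back.

# Addresses actually configured on this host, loopback and link-local excluded.
def configured_addresses
  Socket.ip_address_list
        .reject { |a| a.ipv4_loopback? || a.ipv6_loopback? || a.ipv6_linklocal? }
        .map(&:ip_address)
end

# Forward check. Returns [passed, message]. The default resolver consults
# /etc/hosts first and then DNS, i.e. the OS resolver the installer relies on.
def check_forward(fqdn, local_addrs, resolver = Resolv.new)
  records = resolver.getaddresses(fqdn).map(&:to_s)
  return [false, "No address record for #{fqdn}"] if records.empty?
  foreign = records - local_addrs
  return [true, "Forward DNS for #{fqdn} matches a configured address"] if foreign.empty?
  # The thread's symptom: the record is right for clients (public EC2 IP behind
  # NAT, or 127.0.1.1 from Vagrant's /etc/hosts) but no interface carries it.
  [false, "Forward DNS points to #{foreign.first} which is not configured on this server"]
end

# Reverse check: every configured address should have a PTR naming fqdn.
def check_reverse(fqdn, local_addrs, resolver = Resolv.new)
  missing = local_addrs.reject do |ip|
    resolver.getnames(ip).map { |n| n.to_s.chomp('.') }.include?(fqdn)
  end
  return [true, "Reverse DNS names #{fqdn}"] if missing.empty?
  [false, "PTR for #{missing.join(', ')} does not name #{fqdn}"]
end

# Constructed stand-in for the OS resolver so the scenarios below run offline.
FakeResolver = Struct.new(:forward, :reverse) do
  def getaddresses(name); Array(forward[name]); end
  def getnames(addr); Array(reverse[addr]); end
end

# Vagrant case: /etc/hosts maps the FQDN to 127.0.1.1, but the box's only
# interface address (constructed) is 10.0.2.15.
VAGRANT = FakeResolver.new({ 'foobar.example.com' => ['127.0.1.1'] }, {})
# EC2 case: public DNS returns a NAT'd address (TEST-NET placeholder) while the
# instance only carries its private address 10.0.0.5.
EC2 = FakeResolver.new({ 'foreman.example.com' => ['203.0.113.10'] },
                       { '203.0.113.10' => ['foreman.example.com.'] })

if $PROGRAM_NAME == __FILE__
  p check_forward('foobar.example.com', ['10.0.2.15'], VAGRANT)
  p check_forward('foreman.example.com', ['10.0.0.5'], EC2)
end
```

Run against a real host with `check_forward(Socket.gethostname, configured_addresses)` to see which side of the comparison the installer's message comes from.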

Hey thanks for the response,

I’m confident we have the full FQDN in the upstream dns A/PTR records, and that those records are set up correctly. We have different IP resolution to ease internal communication.

At this point I’m tempted to use whatever parameter it is we need to skip this check. Setting this foreman server up is still just a proof of concept.

What is the parameter to skip this?

Thanks

Go ahead, I think it’s -s or --skip-checks-i-know-better (probably something a little bit different). Before you do so, just try to do nslookup locally. The check uses the OS resolver, that should work.

nslookup should be avoided. It’s an unreliable tool that gives unreliable answers. Quoting https://jdebp.eu/FGA/nslookup-flaws.html

nslookup doesn’t use the system-wide DNS client libraries that everything else uses for name and address lookups (usually the BIND DNS client library).

Using host or dig is recommended.


Another of my beloved tools down! :slight_smile:

I have a similar issue with a local Vagrant-based setup:

Vagrant.configure("2") do |config|
  config.vm.define "enc" do |enc|
    enc.vm.box = "generic/centos8"
    enc.vm.hostname = "foobar.example.com"
    enc.vm.network :forwarded_port, host: 8443, guest: 443, auto_correct: true
  end
end

Vagrant sets up an /etc/hosts that has 127.0.1.1 configured, but the foreman-installer still complains that 127.0.1.1 is not configured:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

127.0.0.1 centos8.localdomain

127.0.1.1 foobar.example.com foobar

Interestingly, when I run dig on the IP address my local host machine is resolved (an Ubuntu 18.04 box, which also has 127.0.1.1 configured in its /etc/hosts file).

$ host 127.0.1.1
1.1.0.127.in-addr.arpa domain name pointer bittner.

I didn’t have those problems with an older version of The Foreman and Vagrant 4 years ago (see GitHub repo). Any ideas on how to resolve the issue properly?