Foreman-installer (intermittent) bug?

Hi, folks!

I ran across a strange behavior of foreman-installer in 1.10.0 and just
finished testing of 1.10.1 and it is the same way.

Consider the following command.

foreman-installer \
--enable-foreman-cli \
--enable-foreman-plugin-default-hostgroup \
--enable-foreman-plugin-discovery \
--enable-foreman-plugin-docker \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-salt \
--enable-foreman-plugin-tasks \
--enable-foreman-plugin-templates \
--enable-foreman-plugin-dhcp-browser \
--foreman-proxy-puppetca=false \
--foreman-proxy-bmc=true \
--foreman-proxy-dhcp=true --foreman-proxy-dhcp-config=/dhcp/conf/dhcpd.conf \
--foreman-proxy-dhcp-leases=/dhcp/conf/dhcpd.leases \
--foreman-proxy-dhcp-key-name=omapi-key \
--foreman-proxy-dhcp-key-secret=$OMAPI_SECRET \
--foreman-proxy-dhcp-managed=false \
--foreman-proxy-tftp=true --foreman-proxy-tftp-servername=$VIP \
--foreman-proxy-tftp-root=/tftpboot \
--foreman-proxy-tftp-syslinux-filenames=/tftpboot \
--enable-foreman-compute-libvirt \
--enable-foreman-compute-openstack \
--enable-foreman-compute-vmware \
--foreman-configure-epel-repo=false \
--foreman-db-type=mysql \
--foreman-db-manage=false \
--foreman-db-password=$FOREMAN_DBPASSWORD \
--foreman-admin-password=$FOREMAN_PASSWORD \
--puppet-ca-server=puppet-ca.domain.com \
--puppet-server-ca=false \
--puppet-dns-alt-names=$VIP \
--verbose

As you can see, I'm disabling the local Puppet CA function. However, I end up
with SSL revocation lines in the Apache config, which are pointing to
non-existent files:

<snip>
[ INFO 2016-01-22 15:04:46 verbose] Executing hooks in group post
Something went wrong! Check the log for ERROR-level output

  * Foreman is running at https://spc02.domain.com
      Initial credentials are admin / $FOREMAN_PASSWORD
  * Foreman Proxy is running at https://spc02.domain.com:8443
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log
[ INFO 2016-01-22 15:04:46 verbose] All hooks in group post finished
[ERROR 2016-01-22 15:04:46 verbose] Repeating errors encountered during run:
[ERROR 2016-01-22 15:04:46 verbose] Could not start Service[httpd]:
Execution of '/usr/bin/systemctl start httpd' returned 1: Job for
httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
[ERROR 2016-01-22 15:04:46 verbose]
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to
running failed: Could not start Service[httpd]: Execution of
'/usr/bin/systemctl start httpd' returned 1: Job for httpd.service failed
because the control process exited with error code. See "systemctl status
httpd.service" and "journalctl -xe" for details.
[ERROR 2016-01-22 15:04:46 verbose]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[spc02.domain.com]:
Could not evaluate: Proxy spc02.domain.com cannot be registered (Could not
load data from https://spc02.domain.com

[root@spc02 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor
preset: disabled)
Active: failed (Result: exit-code) since Fri 2016-01-22 15:04:44 MST; 9s
ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 7905 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited,
status=1/FAILURE)
Process: 7903 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
(code=exited, status=1/FAILURE)
Main PID: 7903 (code=exited, status=1/FAILURE)

Jan 22 15:04:44 spc02.domain.com systemd[1]: Starting The Apache HTTP
Server…
Jan 22 15:04:44 spc02.domain.com httpd[7903]: AH00526: Syntax error on line
35 of /etc/httpd/conf.d/05-foreman-ssl.conf:
Jan 22 15:04:44 spc02.domain.com httpd[7903]: SSLCARevocationFile: file
'/var/lib/puppet/ssl/crl.pem' does not e…empty
Jan 22 15:04:44 spc02.domain.com systemd[1]: httpd.service: main process
exited, code=exited, status=1/FAILURE
Jan 22 15:04:44 spc02.domain.com kill[7905]: kill: cannot find process ""
Jan 22 15:04:44 spc02.domain.com systemd[1]: httpd.service: control process
exited, code=exited status=1
Jan 22 15:04:44 spc02.domain.com systemd[1]: Failed to start The Apache
HTTP Server.
Jan 22 15:04:44 spc02.domain.com systemd[1]: Unit httpd.service entered
failed state.
Jan 22 15:04:44 spc02.domain.com systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@spc02 ~]#

[root@spc02 ~]# grep Revocation /etc/httpd/conf.d/*
grep: /etc/httpd/conf.d/05-foreman.d: Is a directory
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCARevocationFile
"/var/lib/puppet/ssl/crl.pem"
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCARevocationCheck "chain"
grep: /etc/httpd/conf.d/05-foreman-ssl.d: Is a directory
[root@spc02 ~]#

Am I missing some option to completely disable puppet-CA and thus
prevent the Revocation lines from appearing in my Apache config?
What I don't understand though is why the actual files are generated (as
happens when puppet-ca functionality is enabled) but those lines are still
added to the Apache config?

As soon as I remove these 3 lines from the above foreman-installer command,
things start working perfectly fine.

--foreman-proxy-puppetca=false \
--puppet-ca-server=puppet-ca.domain.com \
--puppet-server-ca=false \

The worst thing is that the SSLRevocation issue is intermittent and I can't
figure out what triggers it; it just comes and goes… I take the same VM,
start it up, set my variable and run the installer. After that it is a 50/50
chance.

Any ideas/suggestions?
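
A pre-flight check for the failure shown in this post, added here as an example and not part of the original message or of foreman-installer: it lists mod_ssl file directives whose target is missing or empty, the condition httpd rejects with AH00526. The function names `check_ssl_paths` and `demo` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: list mod_ssl file directives whose target is missing or
# empty. Limitation: paths containing whitespace are not handled.

check_ssl_paths() {
    # $@: Apache config files. Prints one finding per line; returns 1 if
    # any directive points at a missing or empty file, 0 otherwise.
    awk '
        /^[ \t]*#/ { next }                 # skip comments
        {
            d = tolower($1)                 # directive names ignore case
            if (d == "sslcarevocationfile"  || d == "sslcacertificatefile" ||
                d == "sslcertificatefile"   || d == "sslcertificatekeyfile" ||
                d == "sslcertificatechainfile") {
                p = $2
                gsub(/"/, "", p)            # strip optional quotes
                print FILENAME ":" FNR, $1, p
            }
        }' "$@" |
    (
        rc=0
        while read -r where directive path; do
            if [ ! -e "$path" ]; then
                echo "MISSING $directive $path ($where)"; rc=1
            elif [ ! -s "$path" ]; then
                echo "EMPTY $directive $path ($where)"; rc=1
            fi
        done
        exit "$rc"
    )
}

demo() {
    # Constructed sample modelled on the two lines grep found in the post.
    tmp=$(mktemp -d) || return 2
    : > "$tmp/empty.pem"
    cat > "$tmp/05-foreman-ssl.conf" <<EOF
<VirtualHost *:443>
  SSLCARevocationFile "$tmp/crl.pem"
  SSLCARevocationCheck "chain"
  SSLCACertificateFile "$tmp/empty.pem"
</VirtualHost>
EOF
    rc=0; check_ssl_paths "$tmp/05-foreman-ssl.conf" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "httpd would refuse to start with this config"
```

Pointing `SSLCARevocationFile` at a CRL obtained from the remote CA keeps client-certificate revocation checking in place; deleting the two revocation lines lets httpd start but turns that check off.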