Foreman-installer username password does not work

I am able to run the foreman-installer successfully. At the end of the run the installer prints out the username/password combination, I supplied on via the command line argument. However, the combination does not work.


NOTE: I am using a complex password 24 characters long, including ] & , characters.

Expected outcome:
Able to login with the supplied username/password combination.

Foreman and Proxy versions:

Foreman and Proxy plugin versions:

Distribution and version:
foreman-installer-katello version 1.24.2-1
Puppet 6.13.1

Other relevant data:

Did you properly quote them or was the shell interpreting some of them?

I’d also like to emphasize that it’s the initial password. It’s never changed if a user already exists. That also means it can be better to trust the randomly generated default password, log in and then change it to a secure password. While the installer only writes to files readable by root, it’s no guarantee it’ll never leak out. Certainly never reuse a password that’s also used in another service.

I did surround them with a single quote. Our use case is slightly different and needs to have the password set as expected. Currently, we are resetting to the same password using the foreman-rake permissions:reset username=myadmin password='thepass,wo]rd&’.

The fact, that reset works but the installer doesn’t make me think the value is losing a char or part of the value in the process.

I am using the following as the installer arguments


I tried using escape similar to shell_escape, the installer installed but the password does not work. The escaped password --foreman-initial-admin-password='thepass.wo\]rd\&rest' To my surprise the hammer config file included the escaped version.

I’m not sure where in the installer it would break:

It’d be good so see when you manually seed an empty database with that password it still fails to see if it’s Foreman’s db:seed task or in the installer. If it does show up correct in the hammer config file, it’s at least correctly loaded in memory for the installer.

However, I don’t see how this would fail:

Thanks for looking into the code. I actually went through similar exercise yesterday and concluded that I need to implement my own escape function.

We use puppet to execute the foreman-installer command. The call is implemented through an exec resource.

Distribution CentOS 7.7
Puppet 6.15

# omitting other arguments for clarity
# does not work due to quotes
$foreman_cmd = "--foreman-initial-admin-password='${escaped_admin_password}'"
# works without the quote
$foreman_cmd = "--foreman-initial-admin-password=${escaped_admin_password}"
exec {'install foreman':
  command => $foreman_command,

The puppet shell_escape function wants to escape all chars but that’s not the case. Only few chars needs to be escaped by the shell. I implemented a function to properly escape only required chars.

    replacements = { 
        '&' => '\&',
        '!' => '\!',
        '(' => '\(',
        ')' => '\)',
        "'" => "\'",
        '"' => '\"',
        '<' => '\<',
        '>' => '\>',
        ';' => '\;',
        '|' => '\|',
        '\\' => '\\\\',

In the end here is what I have found working.

  • Do not quote the password
  • Properly escape the password
  • Potential bug in the Installer + ActiveRecords + Puppet ???

Hope the above helps others.

If you’re calling the installer, via Puppet, why don’t you actually directly use the Puppet modules?

That’s what we have been doing and now migrating away from it in favor of well tested installer method. Maintainance of the module hierarchy is not easy. We tend to get behind several versions while trying to update the Puppet code.
We want to stay as current as possible without. Once we migrate to the installer method, hopefully the upgrade will be a breeze. Upgrade is the main reason.

1 Like