Foreman-installer username password does not work

Problem:
I am able to run the foreman-installer successfully. At the end of the run the installer prints out the username/password combination I supplied via the command line arguments. However, the combination does not work.

--foreman-initial-admin-username=myadminuser
--foreman-initial-admin-password=xxxxx

NOTE: I am using a complex password 24 characters long, including ] & , characters.

Expected outcome:
Able to login with the supplied username/password combination.

Foreman and Proxy versions:

Foreman and Proxy plugin versions:

Distribution and version:
foreman-installer-katello version 1.24.2-1
Puppet 6.13.1

Other relevant data:

Did you properly quote them or was the shell interpreting some of them?

I’d also like to emphasize that it’s the initial password. It’s never changed if a user already exists. That also means it can be better to trust the randomly generated default password, log in and then change it to a secure password. While the installer only writes to files readable by root, it’s no guarantee it’ll never leak out. Certainly never reuse a password that’s also used in another service.

I did surround them with single quotes. Our use case is slightly different and needs to have the password set as expected. Currently, we are resetting to the same password using foreman-rake permissions:reset username=myadmin password='thepass,wo]rd&'.

The fact that reset works but the installer doesn’t makes me think the value is losing a char or part of the value in the process.

I am using the following as the installer arguments

--foreman-initial-admin-username=myadmin,
--foreman-initial-admin-password='thepass,wo]rd&rest'

I tried using escaping similar to shell_escape; the installer installed but the password does not work. The escaped password: --foreman-initial-admin-password='thepass.wo\]rd\&rest'. To my surprise, the hammer config file included the escaped version.

I’m not sure where in the installer it would break:


It’d be good to see if it still fails when you manually seed an empty database with that password, to tell whether it’s Foreman’s db:seed task or the installer. If it does show up correct in the hammer config file, it’s at least correctly loaded in memory for the installer.

However, I don’t see how this would fail:

Thanks for looking into the code. I actually went through a similar exercise yesterday and concluded that I need to implement my own escape function.

We use puppet to execute the foreman-installer command. The call is implemented through an exec resource.

Distribution CentOS 7.7
Puppet 6.15

    # omitting other arguments for clarity
    # does not work due to quotes
    # $foreman_cmd = "--foreman-initial-admin-password='${escaped_admin_password}'"
    # works without the quote
    $foreman_cmd = "--foreman-initial-admin-password=${escaped_admin_password}"
    exec {'install foreman':
      command => $foreman_cmd,
    }

The Puppet shell_escape function wants to escape all chars, but that’s not the case. Only a few chars need to be escaped by the shell. I implemented a function to properly escape only the required chars.

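    # Characters to backslash-escape, mapped to their escaped form
    replacements = {
      '&' => '\&',
      '!' => '\!',
      '(' => '\(',
      ')' => '\)',
      # "\'" in a double-quoted Ruby string is just ', so the backslash is doubled
      "'" => "\\'",
      '"' => '\"',
      '<' => '\<',
      '>' => '\>',
      ';' => '\;',
      '|' => '\|',
      '\\' => '\\\\',
    }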

In the end here is what I have found working.

  • Do not quote the password
  • Properly escape the password
  • Potential bug in the Installer + ActiveRecords + Puppet ???

Hope the above helps others.
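Added example, not part of the original posts and not Foreman or Puppet code: how the three quoting variants discussed in this thread are parsed, using Ruby's Shellwords to apply POSIX shell word-parsing rules. It assumes the command string is parsed by a POSIX shell; the password is a constructed sample and the helper names are hypothetical.

```ruby
require 'shellwords'

# Constructed sample password containing the characters from the thread.
PASSWORD = 'thepass,wo]rd&rest'
FLAG = '--foreman-initial-admin-password='

# Value the installer would receive for FLAG once the command line has been
# split into arguments by POSIX quoting rules (assumption: a POSIX shell).
def parsed_value(command_line)
  arg = Shellwords.split(command_line).find { |a| a.start_with?(FLAG) }
  arg && arg.delete_prefix(FLAG)
end

# The three ways of building the command line that appear in the thread.
def variants(password)
  escaped = Shellwords.escape(password) # backslash-escapes ] and &
  {
    single_quoted:      "foreman-installer #{FLAG}'#{password}'",
    escaped_only:       "foreman-installer #{FLAG}#{escaped}",
    # Inside single quotes a backslash is literal, so the escapes become
    # part of the password that reaches the installer.
    quoted_and_escaped: "foreman-installer #{FLAG}'#{escaped}'",
  }
end

# Map each variant to the password value that survives parsing.
def report(password)
  variants(password).transform_values { |cmd| parsed_value(cmd) }
end

if __FILE__ == $PROGRAM_NAME
  report(PASSWORD).each do |name, value|
    status = value == PASSWORD ? 'intact' : 'ALTERED'
    puts format('%-20s %-8s %s', name, status, value)
  end
end
```

Quoting and escaping are alternatives, not layers: applying both leaves the backslashes in the stored password, which matches the escaped value showing up in the hammer config file.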

If you’re calling the installer, via Puppet, why don’t you actually directly use the Puppet modules?

That’s what we have been doing, and we are now migrating away from it in favor of the well-tested installer method. Maintenance of the module hierarchy is not easy. We tend to get behind several versions while trying to update the Puppet code.
We want to stay as current as possible without. Once we migrate to the installer method, hopefully the upgrade will be a breeze. Upgrade is the main reason.
