Foreman provision template @host doesn't have correct puppetserver or puppetca

Problem:

<%= @host.puppetmaster %> does not output the value from the host’s puppetmaster profile; it outputs what appears to be the value from some other location. @host.puppetca also does not output anything.

Expected outcome:

The puppetmaster defined on the host record should be the output of @host.puppetmaster and @host.puppetca should be the value of its CA.

Foreman and Proxy versions:

1.24.3 and 1.24.3

Foreman and Proxy plugin versions:

1.24.3

Distribution and version:

N/A

Other relevant data:

N/A

Hello and welcome!

Check your taxonomy, this is how we call organization and location. You need to have both host and puppet master in the same organization. Otherwise you will see nothing.

The host and the smart proxy, and the puppetserver host record itself are all in the same Location and Organization. I would expect @host.puppetmaster to be blank if they weren’t, not return an incorrect value?

The puppetca host is not in the same location, but it’s in the same organization. The CA providing smart proxy is defined in the same location however - so again I’d expect that to show up, not be blank.

It reads the value of puppet_url from the Foreman Proxy. Check if that is correct. This is read when the proxy is registered. After it’s changed, the proxy must refresh its features. The installer should do this for you, but if you changed it outside of the installer then you should manually refresh its features.

@ekohl - So puppet_url on the relevant smart proxy in the puppetca_http_api.yml setting file is set to the correct value - if you’re referring to what I expect to show up in @host.puppetca again the @host.puppetca is blank even though the host also has it specifically set.

Have you tried to refresh the features? (Infrastructure -> Smart Proxies -> find the proxy and under actions).

I had - but I went ahead and did it again, (No changes detected)

For exact context here’s the line in the provision template

/bin/curl <% if proxy_uri -%> --proxy <%= host_param('http-proxy') %>:<%= host_param('http-proxy-port') %> <% end %> -s https://[Internal mirror]/bootstrap-puppet/bootstrap-puppet.sh | bash -s <%= @host.puppetmaster %> <%= @host.puppetca %>

The resulting line in the template when applied to a host has

/bin/curl --proxy 10.20.50.2:3128 -s https://[Internal mirror]/bootstrap-puppet/bootstrap-puppet.sh | bash -s puppet.[domain].ca

The puppet.[domain].ca is output of @host.puppetmaster variable - but is actually the puppetca as defined both in the smart proxy, and on the host record itself. The @host.puppetca value is empty

And the host has both a Puppet server and a Puppet CA assigned? Note that on the Proxy the CA is a separate feature and it’s assigned separate to the host. The field is not visible in the host form if there are no Smart Proxies with the feature available.

Correct, the host record has both Puppet Master and Puppet CA defined on its record. I’ve tried letting it “inherit” the value from the hostgroup, and specifically defining it on the individual host, and the behavior does not change.

It might be of note that it so happens the value of @host.puppetmaster that it’s outputting is the “First” Smart Proxy FQDN / Puppet Master listed in Foreman, so devoid of any other reasoning perhaps it’s just returning the first puppet server found and disregarding the host entry.

I had a look at the code and think it may actually be more simple and you need to use @host.puppet_ca_server. Please try that and see if it solves it.

Foreman 2.2 will have macro documentation which should list it. Perhaps that would have avoided it.

Great, that fixed @host.puppet_ca_server, it’s outputting the value of the Puppet CA on the host record, however @host.puppetmaster is still outputting the same thing… which is incorrect. I on a whim tried host.puppet_server and that just errored out.

I upgraded to Foreman 2.1.x this morning and I’m still seeing the same behavior, host.puppetmaster does not reflect the value of the host’s “puppetmaster” value. I checked in 2.0.x as well and that also was incorrect.

@host.puppetmaster returns the url defined in the puppet proxy configuration:

If the puppet_url setting is incorrectly configured on the proxy, you will get an unexpected result.
If you wish to force it to use the url of the proxy and not the proxy setting, you can use @host.puppet_proxy, though I think that is not available in safe mode.

Ahh ok that’s unexpected behavior, why is the Puppet Master field in the Host edit screen if it seems to effectively do nothing, or is there a way to get that value in a template - a cursory scan of the above linked file (thanks for that) doesn’t seem to indicate there’s a way to get it.

The field on the host edit screen defines which smart proxy it should use for connecting to the puppet server. The proxy itself can have various settings, such as the url that should be used for the puppet server, as it could be different from the proxy itself. For example, proxy1.example.com is the smart proxy fqdn but the puppet server actually expects hosts to connect to it via puppet.example.com.
Normally I believe that the installer should set this setting on the proxy to its fqdn by default (or it is nil and will fall back to the proxy’s fqdn), but it may have been modified in your case to something else.
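
Added example, not part of the thread and not Foreman's own code: a plain-Ruby ERB model of the lookup described above (the proxy's puppet_url wins, otherwise the proxy's FQDN) with a guard that aborts rendering when either value is blank or not a hostname, since both are interpolated into a command piped to bash. `Proxy`, `Host`, `Scope`, `render_bootstrap` and `mirror.example` are hypothetical names.

```ruby
require "erb"
require "uri"

# Hypothetical stand-ins for Foreman's objects: they model only the behaviour
# described in this thread and are not Foreman's real classes.
Proxy = Struct.new(:url, :puppet_url) do
  def hostname
    URI(url).host
  end
end

Host = Struct.new(:puppet_proxy, :puppet_ca_proxy) do
  # Per the thread: the proxy's puppet_url setting wins; fallback is the proxy FQDN.
  def puppetmaster
    return nil unless puppet_proxy
    puppet_proxy.puppet_url ? URI(puppet_proxy.puppet_url).host : puppet_proxy.hostname
  end

  def puppet_ca_server
    puppet_ca_proxy && puppet_ca_proxy.hostname
  end
end

# Conservative hostname check: both values end up on a shell command line.
HOSTNAME = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i

# mirror.example is a constructed placeholder for the internal mirror.
TEMPLATE = <<~'TPL'
  <% args = { "puppetmaster" => @host.puppetmaster, "puppet_ca_server" => @host.puppet_ca_server } -%>
  <% args.each do |name, value| -%>
  <%   raise ArgumentError, "@host.#{name} is blank or not a hostname" unless value.to_s.match?(HOSTNAME) -%>
  <% end -%>
  /bin/curl -s https://mirror.example/bootstrap-puppet/bootstrap-puppet.sh | bash -s <%= args["puppetmaster"] %> <%= args["puppet_ca_server"] %>
TPL

class Scope
  def initialize(host)
    @host = host
  end

  def render
    ERB.new(TEMPLATE, trim_mode: "-").result(binding).strip
  end
end

def render_bootstrap(host)
  Scope.new(host).render
end
```

With the guard in place, a host with no CA proxy assigned fails at render time instead of producing a bootstrap command with a missing argument.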

Ok - so the name, and the alt text on that field are both incorrect then as its label is

“Puppet Master” should be “Smart Proxy”

The alt text says “Use this puppet server as an initial puppet server to execute puppet runs” and maybe it should say “Smart Proxy host used to connect to puppet server” ?

This would be ambiguous because PuppetCA is also a Smart Proxy that has the PuppetCA feature. Correct would be Smart Proxy With Puppet Feature but that’s not a very catchy label.

That alt text is indeed very outdated. Perhaps this needs a longer help text.

Hmm good point, borrowing from the OpenSCAP setting which is “OpenSCAP Proxy” maybe

Puppet Master Proxy & Puppet CA Proxy

? that would give you a hint even without the alt text that the value there isn’t the puppet server, but rather the proxy for the puppet server?

Yes, but let’s update it to Puppetserver Proxy. Nowadays we no longer support Puppet Master (that was the Ruby with Passenger implementation). This would be a good PR, would you be willing to make the change?


Yeah definitely, I’ll get to it this afternoon - now that this is fixed I have a few systems to provision :smiley:
