Foreman upgrade 3.1.2 -> 3.2 Fails

Nash · May 6, 2022, 11:44am

Problem:
Upgrade 3.1.2 → 3.2 Fails
Following Upgrading and Updating Foreman
When issuing:

foreman-installer

It fails with:

2022-05-06 13:13:43 [DEBUG ] [configure] Original path: “%{facts.kafo.scenario.answer_file}”
2022-05-06 13:13:43 [DEBUG ] [configure] Found key: “foreman_proxy_content::enable_katello_agent” value: true
2022-05-06 13:13:43 [DEBUG ] [configure] Found key: “katello::globals::enable_katello_agent” value: true
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/katello/manifests/candlepin.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported katello::candlepin from katello/candlepin into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/certs/manifests/candlepin.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported certs::candlepin from certs/candlepin into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/certs/manifests/foreman.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported certs::foreman from certs/foreman into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/certs/manifests/keypair.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported certs::keypair from certs/keypair into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/candlepin/manifests/init.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported candlepin from candlepin into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/candlepin/manifests/params.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported candlepin::params from candlepin/params into production
2022-05-06 13:13:43 [DEBUG ] [configure] importing ‘/usr/share/foreman-installer/modules/candlepin/manifests/service.pp’ in environment production
2022-05-06 13:13:43 [DEBUG ] [configure] Automatically imported candlepin::service from candlepin/service into production
2022-05-06 13:13:43 [ERROR ] [configure] Evaluation Error: Error while evaluating a Method call, ‘unwrap’ parameter ‘arg’ expects a Sensitive value, got String (file: /usr/share/foreman-installer/modules/candlepin/manifests/init.pp, line: 230, column: 54) on node X

Expected outcome:
Functioning 3.2 version

Foreman and Proxy versions:
No proxies in the setup
Foreman 3.1.2

Foreman and Proxy plugin versions:
foreman-tasks 5.2.3
foreman_puppet 2.0.6
foreman_remote_execution 5.0.5
katello 4.3.1

Distribution and version:
CentOS Linux 7.9 x86_64

Other relevant data:

evgeni · May 6, 2022, 2:41pm

The unwrap was introduced in Accept Sensitive for Secrets · theforeman/puppet-candlepin@41fd041 · GitHub, but I would have expected it handles non-sensitive types transparently.

cc @ehelms for ideas

Nash · May 10, 2022, 2:08pm

Workaround.
in /usr/share/foreman-installer/modules/candlepin/manifests/init.pp, remove “.unwrap”

# TODO: use EPP instead of  ERB, as EPP handles Sensitive natively
  #$keystore_password_unsensitive = $keystore_password.unwrap
  $keystore_password_unsensitive = $keystore_password
  #$ca_key_password_unsensitive  = $ca_key_password.unwrap
  $ca_key_password_unsensitive  = $ca_key_password
  #$truststore_password_unsensitive = $truststore_password.unwrap
  $truststore_password_unsensitive = $truststore_password

In /usr/share/foreman-installer/modules/candlepin/manifests/database/postgresql.pp, remove “.unwrap”

  # TODO: use EPP instead of  ERB, as EPP handles Sensitive natively
  #$db_password             = $candlepin::db_password.unwrap,
  $db_password             = $candlepin::db_password,

Foreman-installer completes successfully.
System is updated to 3.2.0 and function as expected.

evgeni · May 10, 2022, 2:53pm

While this is a very valid workaround, I wonder why you had to do it

Which Puppet (Agent) version do you have?

In other modules, I’ve seen code like this (Use Puppet-Datatype Sensitive for Passwords · puppetlabs/puppetlabs-postgresql@d878d13 · GitHub):

  $postgres_password = if $postgresql::server::postgres_password =~ Sensitive {
    $postgresql::server::postgres_password.unwrap
  } else {
    $postgresql::server::postgres_password
  }

Just curious why this was never an issue for other users of Foreman.

Nash · May 11, 2022, 6:01am

rpm -qa|grep puppet
tfm-rubygem-foreman_puppet-2.0.6-1.fm3_1.el7.noarch
puppet6-release-6.0.0-14.el7.noarch
puppet-agent-oauth-0.5.5-1.el7.noarch
puppet-agent-6.23.0-1.el7.x86_64
puppetserver-6.16.0-1.el7.noarch
foreman.prod.nordnet.se-puppet-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman_puppet-0.0.4-1.fm3_1.el7.noarch

gvde · May 11, 2022, 6:20am

That is the rpm from the 3.1 repository. It seems you didn’t update all packages to 3.2 before running the foreman-installer.

What repositories are active at the moment? Run yum repolist -v

evgeni · May 11, 2022, 7:17am

While gvde’s observation is correct, I can reproduce the original error if I downgrade my Puppet Agent to 6.23.0, but it works once I upgrade to 6.27.1 again.

evgeni · May 11, 2022, 7:40am

Aha! .unwrap was made more flexible in 6.24 (and 7.9): https://tickets.puppetlabs.com/browse/PUP-11123

And as you don’t have that version, you’re facing the issue.

Nash · May 11, 2022, 8:57am

Ah yes, these are from the production system still running 3.1.
(The clone I tested removing unwrap on is gone.)
I of course issue commands in step 7,8,9 according to Upgrading and Updating Foreman