Problem:
Trying to install Foreman V3.0 on CentOS OS on a newly installed CentOS 7.9.
[root@foreman02 ~]# foreman-installer --scenario katello \
--foreman-initial-organization "Magi Design and Support" \
--foreman-initial-location "Dacula, GA" \
--foreman-initial-admin-username admin \
--foreman-initial-admin-password c0cYt4S
2021-09-18 20:15:06 [NOTICE] [root] Loading installer configuration. This will take some time.
2021-09-18 20:15:21 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2021-09-18 20:15:21 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2021-09-18 20:20:27 [NOTICE] [configure] Starting system configuration.
2021-09-18 20:22:37 [ERROR ] [configure] Execution of '/bin/yum -d 0 -e 0 -y install katello' returned 1: Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)
2021-09-18 20:22:37 [ERROR ] [configure] Requires: qpid-proton-c = 0.34.0
2021-09-18 20:22:37 [ERROR ] [configure] Available: qpid-proton-c-0.14.0-2.el7.x86_64 (extras)
2021-09-18 20:22:37 [ERROR ] [configure] qpid-proton-c = 0.14.0-2.el7
2021-09-18 20:22:37 [ERROR ] [configure] Available: qpid-proton-c-0.35.0-1.el7.x86_64 (epel)
2021-09-18 20:22:37 [ERROR ] [configure] qpid-proton-c = 0.35.0-1.el7
2021-09-18 20:22:37 [ERROR ] [configure] You could try using --skip-broken to work around the problem
2021-09-18 20:22:37 [ERROR ] [configure] You could try running: rpm -Va --nofiles --nodigest
2021-09-18 20:22:37 [ERROR ] [configure] /Stage[main]/Katello/Package[katello]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/yum -d 0 -e 0 -y install katello' returned 1: Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)
Expected outcome:
Well, for the install to work.
Foreman and Proxy versions:
foreman-service-3.0.0-1.el7.noarch
foreman02.magidesign.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-3.0.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.16-1.fm3_0.el7.noarch
foreman02.magidesign.com-apache-1.0-1.noarch
foreman-debug-3.0.0-1.el7.noarch
foreman-postgresql-3.0.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_puppet-0.0.3-1.fm3_0.el7.noarch
foreman-installer-katello-3.0.0-1.el7.noarch
foreman-selinux-3.0.0-1.el7.noarch
tfm-rubygem-foreman_remote_execution-4.7.0-1.fm3_0.el7.noarch
foreman-dynflow-sidekiq-3.0.0-1.el7.noarch
foreman-proxy-3.0.0-1.el7.noarch
foreman02.magidesign.com-foreman-client-1.0-1.noarch
foreman02.magidesign.com-foreman-proxy-1.0-1.noarch
tfm-rubygem-foreman-tasks-5.1.0-1.fm3_0.el7.noarch
tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.fm3_0.el7.noarch
foreman-installer-3.0.0-1.el7.noarch
foreman-release-3.0.0-1.el7.noarch
tfm-rubygem-foreman_puppet-1.0.1-1.fm3_0.el7.noarch
foreman-3.0.0-1.el7.noarch
foreman02.magidesign.com-puppet-client-1.0-1.noarch
foreman-cli-3.0.0-1.el7.noarch
Foreman and Proxy plugin versions:
Distribution and version:
CentOS 7.9
Other relevant data:
I tried to see if the package was missing
[root@foreman02 ~]# yum install tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: mirrors.cmich.edu
centos-sclo-rh: packages.oit.ncsu.edu
epel: d2lzkl7pfhq30w.cloudfront.net
extras: centos.mirror.constant.com
updates: mirror.grid.uchicago.edu
Resolving Dependencies
--> Running transaction check
---> Package tfm-rubygem-qpid_proton.x86_64 0:0.34.0-3.el7 will be installed
--> Processing Dependency: qpid-proton-c = 0.34.0 for package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64
--> Finished Dependency Resolution
Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)
Requires: qpid-proton-c = 0.34.0
Available: qpid-proton-c-0.14.0-2.el7.x86_64 (extras)
qpid-proton-c = 0.14.0-2.el7
Available: qpid-proton-c-0.35.0-1.el7.x86_64 (epel)
qpid-proton-c = 0.35.0-1.el7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
The final release of Katello 4.2 hasn’t come out yet. Still in RC as far as I can tell.
You’ll need to wait for the Katello 4.2 final to install against Foreman 3.0
That’s good to know. I will wait. I tried to install 2.5 on Rocky Linux and it failed. Wasted a day trying to get one form of Foreman working.
gvde
September 19, 2021, 5:14am
4
CentOS 8 is no longer; it is now a rolling release. Rocky Linux didn’t work. So which distro do you recommend then?
I got a weird message about couldn’t install system unknown. That’s why I downgraded to CentOS 7.
Mamba
September 19, 2021, 3:55pm
10
I’ve been doing test installs of Foreman/Katello on CentOS 8/Rocky 8 for the past 2 weeks with.
These versions specifically
foreman-3.0.0-1.el8.noarch
katello-4.2.0.rc1-1.el8.noarch
The only install issue I’ve encountered is if you enable EPEL on CentOS 8/Rocky 8 you will get pulp related errors during the installer. Which is not surprising because the Install document actually says EPEL is not supported on EL 8 installs.
If you are interested I can share with you the commands I’m using to perform the install in my lab, to help with your troubleshooting.
Note that I am doing the install with SELinux set to permissive mode for the install with the intention to go back later and do the audit2allow dance (because I often find that is necessary with foreman/katello)
ekohl
September 28, 2021, 3:08pm
11
This should not be needed: enforcing mode is supposed to work. If you encounter such a case, it’s a bug and it’d be best to file a new issue.
Mamba
September 28, 2021, 3:13pm
12
----
time->Tue Sep 28 08:53:40 2021
type=PROCTITLE msg=audit(1632833620.096:818): proctitle=2F7573722F6C69622F6A766D2F6A72652D31312F62696E2F6A617661002D586D73313032346D002D586D78343039366D002D446A6176612E73656375726974792E617574682E6C6F67696E2E636F6E6669673D2F7573722F73686172652F746F6D6361742F636F6E662F6C6F67696E2E636F6E666967002D636C617373706174
type=PATH msg=audit(1632833620.096:818): item=1 name=(null) inode=202935827 dev=fd:00 mode=040740 ouid=91 ogid=91 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1632833620.096:818): item=0 name=(null) inode=202185107 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1632833620.096:818): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1632833620.096:818): arch=c000003e syscall=83 success=yes exit=0 a0=7eff198ab360 a1=1f0 a2=0 a3=7eff21c35bc0 items=2 ppid=1 pid=15022 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1632833620.096:818): avc: denied { create } for pid=15022 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 08:58:02 2021
type=PROCTITLE msg=audit(1632833882.095:870): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632833882.095:870): arch=c000003e syscall=4 success=no exit=-2 a0=7fc53d03aa28 a1=7fff5a320240 a2=7fff5a320240 a3=1 items=0 ppid=1 pid=17355 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632833882.095:870): avc: denied { search } for pid=17355 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 08:58:04 2021
type=PROCTITLE msg=audit(1632833884.289:875): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632833884.289:875): arch=c000003e syscall=4 success=no exit=-2 a0=7f65176a3a98 a1=7ffe2111b720 a2=7ffe2111b720 a3=1 items=0 ppid=1 pid=17936 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632833884.289:875): avc: denied { search } for pid=17936 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 09:03:35 2021
type=PROCTITLE msg=audit(1632834215.832:907): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632834215.832:907): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=7ffea17a52a0 a2=10 a3=4 items=0 ppid=17519 pid=19159 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632834215.832:907): avc: denied { name_connect } for pid=19159 comm="pulpcore-worker" dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Sep 28 11:07:29 2021
type=PROCTITLE msg=audit(1632841649.865:1282): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632841649.865:1282): arch=c000003e syscall=4 success=no exit=-2 a0=7fe54abc1a98 a1=7ffc3c7d3f00 a2=7ffc3c7d3f00 a3=1 items=0 ppid=1 pid=30965 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632841649.865:1282): avc: denied { search } for pid=30965 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
This is what I have so far with the latest packages, I’m not finished testing though.
ekohl
September 28, 2021, 3:34pm
13
It must be Candlepin, but we don’t maintain the Candlepin policy ourselves so I can’t comment on it.
Can you check if /etc/mime.types is present on your system? Last time I was looking at it, I think this was mime type loading.
I think this is an oversight in the Pulpcore SELinux policy. Do you know what you have running on port 8080? Is it an HTTP proxy or do you sync content from a server on port 8080?
Mamba
September 28, 2021, 3:48pm
14
ekohl:
/etc/mime.types
Yes, mime types is present
[root@lab0l27 .ssh]# wc -l /etc/mime.types
1828 /etc/mime.types
According to “fuser -n tcp 8080” nothing is listening on port 8080. nc can’t connect to it.
I assume nothing is listening on 8080 unless it is opened dynamically.
This test host is a standalone foreman with these install options
foreman-installer --scenario katello --foreman-proxy-tftp true --foreman-proxy-dhcp true --foreman-proxy-dhcp-nameservers 192.168.122.1 --foreman-proxy-templates true
gvde
September 28, 2021, 4:06pm
15
Well, at least on my foreman server pulpcore_t is set to permissive anyway. So the only message where the permissive mode might have an effect would be the tomcat_t message.
# semanage permissive -l
Customized Permissive Types
Builtin Permissive Types
candlepin_t
pulpcore_t
pulpcore_server_t
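The triage discussed in the last posts, as an added example that is not part of the original thread: it reduces the posted AVC records to unique (source type, target type, class, permission) tuples and separates denials from domains the policy marks permissive from those that would block under enforcing mode. It assumes the `semanage permissive -l` list gvde posted from his own server also applies to the host that produced the audit log; the function names are illustrative.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# AVC lines copied from the audit records posted in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1632833620.096:818): avc: denied { create } for pid=15022 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632833882.095:870): avc: denied { search } for pid=17355 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632833884.289:875): avc: denied { search } for pid=17936 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632834215.832:907): avc: denied { name_connect } for pid=19159 comm="pulpcore-worker" dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""

# `semanage permissive -l` output as posted in the thread.
SAMPLE_PERMISSIVE = """\
Customized Permissive Types
Builtin Permissive Types
candlepin_t
pulpcore_t
pulpcore_server_t
"""

def parse_avc(audit_text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for perms, scon, tcon, tclass in AVC_RE.findall(audit_text):
        for perm in perms.split():
            # A context is user:role:type:level; policy rules match on the type.
            yield scon.split(":")[2], tcon.split(":")[2], tclass, perm

def permissive_types(semanage_output):
    """Return the domain types in the listing, skipping the heading lines."""
    return set(re.findall(r"^[ \t]*(\w+_t)[ \t]*$", semanage_output, re.MULTILINE))

def triage(audit_text, semanage_output):
    """Count unique denials, split by whether the source domain is permissive."""
    permissive = permissive_types(semanage_output)
    blocking, logged_only = Counter(), Counter()
    for rule in parse_avc(audit_text):
        (logged_only if rule[0] in permissive else blocking)[rule] += 1
    return dict(blocking), dict(logged_only)

if __name__ == "__main__":
    blocking, logged_only = triage(SAMPLE_AUDIT, SAMPLE_PERMISSIVE)
    for label, group in (("would block when enforcing", blocking), ("logged only", logged_only)):
        for (src, tgt, cls, perm), n in sorted(group.items()):
            print(f"{label}: {src} -> {tgt}:{cls} {{ {perm} }} x{n}")
```

Every record in the sample carries `permissive=1`, so none of these accesses was actually blocked when it was logged; the split shows what would change once the host is back in enforcing mode.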