Foreman with Katello V 3.0 failing install

Problem:

Trying to install Foreman V3.0 on CentOS, on a newly installed CentOS 7.9.

[root@foreman02 ~]# foreman-installer --scenario katello \
--foreman-initial-organization "Magi Design and Support" \
--foreman-initial-location "Dacula, GA" \
--foreman-initial-admin-username admin \
--foreman-initial-admin-password c0cYt4S
2021-09-18 20:15:06 [NOTICE] [root] Loading installer configuration. This will take some time.
2021-09-18 20:15:21 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2021-09-18 20:15:21 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2021-09-18 20:20:27 [NOTICE] [configure] Starting system configuration.
2021-09-18 20:22:37 [ERROR ] [configure] Execution of '/bin/yum -d 0 -e 0 -y install katello' returned 1: Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)
2021-09-18 20:22:37 [ERROR ] [configure] Requires: qpid-proton-c = 0.34.0
2021-09-18 20:22:37 [ERROR ] [configure] Available: qpid-proton-c-0.14.0-2.el7.x86_64 (extras)
2021-09-18 20:22:37 [ERROR ] [configure] qpid-proton-c = 0.14.0-2.el7
2021-09-18 20:22:37 [ERROR ] [configure] Available: qpid-proton-c-0.35.0-1.el7.x86_64 (epel)
2021-09-18 20:22:37 [ERROR ] [configure] qpid-proton-c = 0.35.0-1.el7
2021-09-18 20:22:37 [ERROR ] [configure] You could try using --skip-broken to work around the problem
2021-09-18 20:22:37 [ERROR ] [configure] You could try running: rpm -Va --nofiles --nodigest
2021-09-18 20:22:37 [ERROR ] [configure] /Stage[main]/Katello/Package[katello]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/yum -d 0 -e 0 -y install katello' returned 1: Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)

Expected outcome:

Well, for the install to work.

Foreman and Proxy versions:

foreman-service-3.0.0-1.el7.noarch
foreman02.magidesign.com-foreman-proxy-client-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-3.0.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.16-1.fm3_0.el7.noarch
foreman02.magidesign.com-apache-1.0-1.noarch
foreman-debug-3.0.0-1.el7.noarch
foreman-postgresql-3.0.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_puppet-0.0.3-1.fm3_0.el7.noarch
foreman-installer-katello-3.0.0-1.el7.noarch
foreman-selinux-3.0.0-1.el7.noarch
tfm-rubygem-foreman_remote_execution-4.7.0-1.fm3_0.el7.noarch
foreman-dynflow-sidekiq-3.0.0-1.el7.noarch
foreman-proxy-3.0.0-1.el7.noarch
foreman02.magidesign.com-foreman-client-1.0-1.noarch
foreman02.magidesign.com-foreman-proxy-1.0-1.noarch
tfm-rubygem-foreman-tasks-5.1.0-1.fm3_0.el7.noarch
tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.fm3_0.el7.noarch
foreman-installer-3.0.0-1.el7.noarch
foreman-release-3.0.0-1.el7.noarch
tfm-rubygem-foreman_puppet-1.0.1-1.fm3_0.el7.noarch
foreman-3.0.0-1.el7.noarch
foreman02.magidesign.com-puppet-client-1.0-1.noarch
foreman-cli-3.0.0-1.el7.noarch

Foreman and Proxy plugin versions:

Distribution and version:

CentOS 7.9

Other relevant data:

I tried to see if the package was missing

[root@foreman02 ~]# yum install tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

 * base: mirrors.cmich.edu
 * centos-sclo-rh: packages.oit.ncsu.edu
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: centos.mirror.constant.com
 * updates: mirror.grid.uchicago.edu
Resolving Dependencies
--> Running transaction check
---> Package tfm-rubygem-qpid_proton.x86_64 0:0.34.0-3.el7 will be installed
--> Processing Dependency: qpid-proton-c = 0.34.0 for package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64
--> Finished Dependency Resolution
Error: Package: tfm-rubygem-qpid_proton-0.34.0-3.el7.x86_64 (katello)
           Requires: qpid-proton-c = 0.34.0
           Available: qpid-proton-c-0.14.0-2.el7.x86_64 (extras)
               qpid-proton-c = 0.14.0-2.el7
           Available: qpid-proton-c-0.35.0-1.el7.x86_64 (epel)
               qpid-proton-c = 0.35.0-1.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

The final release of Katello 4.2 hasn’t come out yet. Still in RC as far as I can tell.

You’ll need to wait for the Katello 4.2 final to install against Foreman 3.0

That’s good to know. I will wait. I tried to install 2.5 on Rocky Linux, with it failing. Wasted a day trying to get one form of Foreman working.

See Katello installs for 4.0 and 4.1 are broken due to qpid-proton update in EPEL on EL7

I wouldn’t install on EL7 if it’s a fresh installation, either. Use EL8.

CentOS 8 is no longer; it is now a rolling release. Rocky Linux didn’t work. So which distro do you recommend then?

Rockylinux or almalinux both worked for me.

CentOS 8 is supported.

The reg. one? Rolling?

I got a weird message about couldn’t install system unknown. That’s why I downgraded to CentOS 7.

I’ve been doing test installs of Foreman/Katello on CentOS 8/Rocky 8 for the past 2 weeks with.

These versions specifically
foreman-3.0.0-1.el8.noarch
katello-4.2.0.rc1-1.el8.noarch

The only install issue I’ve encountered is if you enable EPEL on CentOS 8/Rocky 8 you will get pulp related errors during the installer. Which is not surprising because the Install document actually says EPEL is not supported on EL 8 installs.

If you are interested I can share with you the commands I’m using to perform the install in my lab, to help with your troubleshooting.

Note that I am doing the install with SELinux set to permissive mode for the install with the intention to go back later and do the audit2allow dance (because I often find that is necessary with foreman/katello)

This should not be needed: enforcing mode is supposed to work. If you encounter such a case, it’s a bug and it’d be best to file a new issue.

----
time->Tue Sep 28 08:53:40 2021
type=PROCTITLE msg=audit(1632833620.096:818): proctitle=2F7573722F6C69622F6A766D2F6A72652D31312F62696E2F6A617661002D586D73313032346D002D586D78343039366D002D446A6176612E73656375726974792E617574682E6C6F67696E2E636F6E6669673D2F7573722F73686172652F746F6D6361742F636F6E662F6C6F67696E2E636F6E666967002D636C617373706174
type=PATH msg=audit(1632833620.096:818): item=1 name=(null) inode=202935827 dev=fd:00 mode=040740 ouid=91 ogid=91 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1632833620.096:818): item=0 name=(null) inode=202185107 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1632833620.096:818): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1632833620.096:818): arch=c000003e syscall=83 success=yes exit=0 a0=7eff198ab360 a1=1f0 a2=0 a3=7eff21c35bc0 items=2 ppid=1 pid=15022 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1632833620.096:818): avc:  denied  { create } for  pid=15022 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 08:58:02 2021
type=PROCTITLE msg=audit(1632833882.095:870): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632833882.095:870): arch=c000003e syscall=4 success=no exit=-2 a0=7fc53d03aa28 a1=7fff5a320240 a2=7fff5a320240 a3=1 items=0 ppid=1 pid=17355 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632833882.095:870): avc:  denied  { search } for  pid=17355 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 08:58:04 2021
type=PROCTITLE msg=audit(1632833884.289:875): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632833884.289:875): arch=c000003e syscall=4 success=no exit=-2 a0=7f65176a3a98 a1=7ffe2111b720 a2=7ffe2111b720 a3=1 items=0 ppid=1 pid=17936 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632833884.289:875): avc:  denied  { search } for  pid=17936 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Tue Sep 28 09:03:35 2021
type=PROCTITLE msg=audit(1632834215.832:907): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632834215.832:907): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=7ffea17a52a0 a2=10 a3=4 items=0 ppid=17519 pid=19159 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632834215.832:907): avc:  denied  { name_connect } for  pid=19159 comm="pulpcore-worker" dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Sep 28 11:07:29 2021
type=PROCTITLE msg=audit(1632841649.865:1282): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1632841649.865:1282): arch=c000003e syscall=4 success=no exit=-2 a0=7fe54abc1a98 a1=7ffc3c7d3f00 a2=7ffc3c7d3f00 a3=1 items=0 ppid=1 pid=30965 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1632841649.865:1282): avc:  denied  { search } for  pid=30965 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1

This is what I have so far with the latest packages; I’m not finished testing though.

It must be Candlepin, but we don’t maintain the Candlepin policy ourselves so I can’t comment on it.

Can you check if /etc/mime.types is present on your system? Last time I was looking at it, I think this was mime type loading.

I think this is an oversight in the Pulpcore SELinux policy. Do you know what you have running on port 8080? Is it an HTTP Proxy or do you sync content from a server on port 8080?

Yes, mime types is present
[root@lab0l27 .ssh]# wc -l /etc/mime.types
1828 /etc/mime.types

According to “fuser -n tcp 8080” nothing is listening on port 8080. nc can’t connect to it.
I assume nothing is listening on 8080 unless it is opened dynamically.
This test host is a standalone foreman with these install options

foreman-installer --scenario katello --foreman-proxy-tftp true --foreman-proxy-dhcp true --foreman-proxy-dhcp-nameservers 192.168.122.1 --foreman-proxy-templates true

Well, at least on my foreman server pulpcore_t is set to permissive anyway. So the only message where the permissive mode might have an effect would be the tomcat_t message.

# semanage permissive -l

Customized Permissive Types


Builtin Permissive Types 

candlepin_t
pulpcore_t
pulpcore_server_t
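
The triage reasoning in the last post, as an added example that is not part of the thread or of Foreman's own tooling: it deduplicates the AVC records quoted above and separates denials whose source domain is a permissive type (logged only) from those that enforcing mode would actually block. The function names are illustrative; the sample lines and the permissive type list are copied from the thread.

```python
import re
from collections import Counter

# AVC records copied from the audit log quoted in the thread.
SAMPLE = """\
type=AVC msg=audit(1632833620.096:818): avc:  denied  { create } for  pid=15022 comm="java" name=".pki" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632833882.095:870): avc:  denied  { search } for  pid=17355 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632833884.289:875): avc:  denied  { search } for  pid=17936 comm="pulpcore-worker" name="httpd" dev="dm-0" ino=68034065 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1632834215.832:907): avc:  denied  { name_connect } for  pid=19159 comm="pulpcore-worker" dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""
# Builtin permissive types from the `semanage permissive -l` output in the thread.
PERMISSIVE_TYPES = {"candlepin_t", "pulpcore_t", "pulpcore_server_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                yield se_type(m["scontext"]), se_type(m["tcontext"]), m["tclass"], perm

def triage(text, permissive_types=PERMISSIVE_TYPES):
    """Count unique denials; split by whether the source domain is permissive."""
    blocked, logged = Counter(), Counter()
    for denial in parse_avc(text):
        (logged if denial[0] in permissive_types else blocked)[denial] += 1
    return blocked, logged

def decode_proctitle(hex_value):
    """Decode an audit PROCTITLE hex string; argv entries are NUL-separated."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")

if __name__ == "__main__":
    blocked, logged = triage(SAMPLE)
    for label, group in (("would block when enforcing", blocked), ("logged only", logged)):
        for (src, tgt, tclass, perm), n in group.items():
            print(f"{label}: {src} -> {tgt}:{tclass} {{ {perm} }} x{n}")
```

On a live host the same functions can be fed the text produced by `ausearch -m avc`, with the permissive set taken from that host's `semanage permissive -l`.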