Foreman without puppetserver

Hi,

Problem: It’s not possible for me to install Foreman without puppetserver.

foreman-installer --puppet-server=false --puppet-server-ca=false --no-enable-puppet --foreman-proxy-manage-puppet-group=false --scenario katello

Expected outcome: Foreman without puppetserver or at least without puppetserver ca.

Foreman and Proxy versions: Foreman 1.16 + 1.17. Katello 3.5 + 3.6.

What can I do to install Foreman without puppetserver?

I ran the command given on a nightly installation which means it should work on an upcoming Katello 3.7 release. Can you give more information on what issue you are running into when trying?

The command exits successfully.
My problem is that it installs puppetserver with puppetserver ca but it shouldn’t, should it?

You forgot --foreman-proxy-content-puppet false. That pulls in puppet::server as well. I’ve been thinking about how to improve this situation because it’s not ideal.

If I add these options to the command above, the installer fails:

‘cpdb --create --schema-only --dbhost=localhost --dbport=5432 --database=candlepin --user=candlepin --password=UUgExy5neRtaiVLr7iD58yKZWbEHvJv9 >> /var/log/candlepin/cpdb.log 2>&1 && touch /var/lib/candlepin/cpdb_done’ returned 1 instead of one of [0]

It seems that it’s necessary to install ‘java-1.8.0-openjdk-headless’ (CentOS 7.5) which would be a dependency for puppetserver package:
https://stackoverflow.com/questions/34816862/unable-to-get-jdbc-connection-with-postgresql/34816919

Katello installs ‘java-1.7.0-openjdk-headless’.

With the new Java package version this command succeeds (without Puppet as desired):

foreman-installer --puppet-server=false --puppet-server-ca=false --no-enable-puppet --foreman-proxy-manage-puppet-group=false --foreman-proxy-content-puppet=false --foreman-proxy-puppet=false --foreman-proxy-puppetca=false --scenario katello

I’m not allowed to attach files, but I think the relevant part of the cpdb.log is:

########## ERROR ############
Error running command: liquibase --driver=org.postgresql.Driver --classpath=/usr/share/java/postgresql-jdbc.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-create.xml --url=jdbc:postgresql://localhost:5432/candlepin --username=candlepin --password=oZc2cQ552bU3Hfm6CbDzmmf97gVjuuFC --logLevel=severe migrate -Dcommunity=False
Status code: 65280
Command output: Liquibase update Failed: org/postgresql/Driver : Unsupported major.minor version 52.0
SEVERE 06.06.18 12:09:liquibase: org/postgresql/Driver : Unsupported major.minor version 52.0
java.lang.UnsupportedClassVersionError: org/postgresql/Driver : Unsupported major.minor version 52.0
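
Added example, not part of the original thread: "major.minor version 52.0" is the class-file version of Java 8, so a Java 7 runtime refuses to load the driver. The sketch below reads that header from every class in a jar and lists the ones a given runtime cannot load; the sample jar and the `org/example/Legacy.class` entry are constructed for illustration.

```python
import io
import struct
import zipfile

def class_major(data):
    """Return the class-file major version from the 8-byte header."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major

def required_java(major):
    """Minimum Java release for a major version: 51 -> 7, 52 -> 8."""
    if major < 45:
        raise ValueError("invalid major version %d" % major)
    return major - 44

def incompatible_classes(jar, runtime_java):
    """List (name, needed_java) for classes that need more than runtime_java."""
    bad = []
    with zipfile.ZipFile(jar) as zf:
        for name in sorted(zf.namelist()):
            # Multi-release overlays and module descriptors are not loaded
            # by pre-Java 9 runtimes, so they are skipped here.
            if (not name.endswith(".class")
                    or name.startswith("META-INF/versions/")
                    or name.endswith("module-info.class")):
                continue
            need = required_java(class_major(zf.read(name)))
            if need > runtime_java:
                bad.append((name, need))
    return bad

def sample_jar():
    """Constructed stand-in for postgresql-jdbc.jar (headers only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/postgresql/Driver.class", struct.pack(">IHH", 0xCAFEBABE, 0, 52))
        zf.writestr("org/example/Legacy.class", struct.pack(">IHH", 0xCAFEBABE, 0, 51))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, need in incompatible_classes(sample_jar(), 7):
        print("%s needs Java %d or newer" % (name, need))
```

To check a real installation, pass the path of the jar from the liquibase `--classpath` instead of `sample_jar()`.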

Interesting. We had some discussion about that and we did indeed realize that the 1.7.0 dependency in candlepin didn’t make sense because puppetserver pulled in 1.8.0 which was then used. Didn’t realize it was actually a hard dependency. Looks like we need to update our packaging. Bonus is that we save some space by getting rid of a dependency.

I don’t really understand why this option (--foreman-proxy-content-puppet) is needed?

This is needed to choose whether to install the certificates for the puppet integration tools (node.rb, reporting). It is ugly and we need a better way to determine this but right now it is implemented in this way. I’m welcoming suggestions for a better place.

I have made an attempt to improve it a bit, please have a look:

FYI - Using the following command on a fresh CentOS 7 install…

sudo foreman-installer --puppet-server=false --puppet-server-ca=false --no-enable-puppet --foreman-proxy-manage-puppet-group=false --foreman-proxy-content-puppet=false --foreman-proxy-puppet=false --foreman-proxy-puppetca=false --scenario katello

Kept getting an error regarding ‘puppet’ group:

/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
/Stage[main]/Foreman_proxy::Config/User[foreman-proxy]/groups: change from  to puppet failed: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist

After creating an empty group, it sailed away.

sudo groupadd puppet

Cheers

What a coincidence; I was looking at this just last week:

There’s also a default assumption in puppet-foreman but at least that one’s a parameter. When 1.21 RC1 is out I’ll try to smooth it out a bit more and get this in.

This should be default since Katello 3.9.0 (Bug #18806: Duplicate declaration: /etc/foreman-proxy/ssl_key.pem - Katello - Foreman)