Getting Error while performing Patch for client server with Foreman katello without Internet in katello

Lakshminarasimha · October 27, 2023, 11:13am

Problem:

Hi ,

My Foreman katello is running with RHEL 8 Latest Version, When i’m trying to patch the one of RHEL 7 Server using Katello without internet access in Katello and Client, I’m able to fetch the repos and packages but unfortunately packages are not downloaded, Please help me to fix the issue.

Expected outcome:
Patching of client has to done without internet in Katello.
Foreman and Proxy versions:
rubygem-foreman_remote_execution-8.0.0-2.fm3_4.el8.noarch
foreman-installer-3.4.1-1.el8.noarch
foreman-cli-3.4.1-1.el8.noarch
foreman-proxy-3.4.1-1.el8.noarch
foreman-installer-katello-3.4.1-1.el8.noarch
foreman-release-3.4.1-1.el8.noarch
rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.fm3_0.el8.noarch
foreman-service-3.4.1-1.el8.noarch
rubygem-foreman_maintain-1.2.1-1.el8.noarch
foreman-3.4.1-1.el8.noarch
foreman-debug-3.4.1-1.el8.noarch
rubygem-hammer_cli_foreman-3.4.0-1.el8.noarch
foreman-dynflow-sidekiq-3.4.1-1.el8.noarch
rubygem-foreman-tasks-7.0.0-1.fm3_4.el8.noarch
rubygem-hammer_cli_foreman_tasks-0.0.17-1.fm3_2.el8.noarch
Foreman and Proxy plugin versions:
rubygem-hammer_cli_katello-1.7.0-0.1.pre.master.20220802114853git2f16bef.el8.noarch
katello-common-4.6.2.1-1.el8.noarch
foreman-installer-katello-3.4.1-1.el8.noarch
katello-repos-4.6.2.1-1.el8.noarch
katello-certs-tools-2.9.0-1.el8.noarch
rubygem-katello-4.6.2.1-1.el8.noarch
katello-client-bootstrap-1.7.9-1.el8.noarch
katello-4.6.2.1-1.el8.noarch
katello-debug-4.6.2.1-1.el8.noarch

Hammer Ping response:-

database:
Status: ok
Server Response: Duration: 0ms
candlepin:
Status: ok
Server Response: Duration: 27ms
candlepin_auth:
Status: ok
Server Response: Duration: 15ms
candlepin_events:
Status: ok
message: 2 Processed, 0 Failed
Server Response: Duration: 0ms
katello_events:
Status: ok
message: 19 Processed, 0 Failed
Server Response: Duration: 0ms
pulp3:
Status: ok
Server Response: Duration: 66ms
pulp3_content:
Status: ok
Server Response: Duration: 75ms
foreman_tasks:
Status: ok
Server Response: Duration: 4ms

Since katello installed in Redhat 8 latest version all the SSL options also by default it came.

VirtualHost configuration:
*:443 airlinuxkatello.ntbl.com (/etc/httpd/conf.d/05-foreman-ssl.conf:6)
*:80 airlinuxkatello.ntbl.com (/etc/httpd/conf.d/05-foreman.conf:6)
AH00513: WARNING: MaxRequestWorkers of 150 is not an integer multiple of ThreadsPerChild of 16, decreasing to nearest multiple 144, for a maximum of 9 servers.
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/etc/httpd/htdocs”
Main ErrorLog: “/var/log/httpd/error_log”
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir=“/etc/httpd/run/” mechanism=default
PidFile: “/etc/httpd/run/httpd.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

SSL directives

SSLEngine on
SSLCertificateFile “/etc/pki/katello/certs/katello-apache.crt”
SSLCertificateKeyFile “/etc/pki/katello/private/katello-apache.key”
SSLCertificateChainFile “/etc/pki/katello/certs/katello-server-ca.crt”
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCACertificateFile “/etc/pki/katello/certs/katello-default-ca.crt”
SSLOptions +StdEnvVars +ExportCertData

[root@rhel-7 ~]# yum clean all;yum repolist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Cleaning repos: rhel-7-server-rpms
Other repos take up 4.2 G of disk space (use --verbose for details)
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
rhel-7-server-rpms | 3.5 kB 00:00:00
(1/3): rhel-7-server-rpms/7Server/x86_64/group | 631 kB 00:00:00
(2/3): rhel-7-server-rpms/7Server/x86_64/updateinfo | 4.3 MB 00:00:00
(3/3): rhel-7-server-rpms/7Server/x86_64/primary_db | 96 MB 00:00:01
repo id repo name status
!rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 33,930
repolist: 33,930

Error While patching RHEL 7.9 Client server:-

ksh-20120801-144.el7_9.x86_64. FAILED
https://airlinuxkatello.ntbl.com/pulp/content/Nainital/Production/Production/content/dist/rhel/server/7/7Server/x86_64/os/Packages/k/ksh-20120801-144.el7_9.x86_64.rpm: [Errno 12] Timeout on https://airlinuxkatello.ntbl.com/pulp/content/Nainital/Production/Production/content/dist/rhel/server/7/7Server/x86_64/os/Packages/k/ksh-20120801-144.el7_9.x86_64.rpm: (28, ‘Operation too slow. Less than 1 bytes/sec transferred the last 30 seconds’)
Trying other mirror.

Thanks !!

areyus · October 30, 2023, 8:19am

Just so I understand correctly: Neither you clients nor your Foreman/Katello server do have internet access?
So how do you get the repositories into Katello in the first place? Are you doing a (offline) sync with another Katello server?
If so, my first guess would be that the original server you’re syncing from has download policy set to “on demand”, so it only downloads metadata but not the packages themself unless they are requested. So they would also not be in any exports.

Lakshminarasimha · October 31, 2023, 3:44am

Hi areyus,

Good Morning !!

i have configured the Katello server and sync the repositories when internet access is available. Once Sync got completed, Now i’m trying to patch the client server without internet access in both Katello and client as well.

Thank you in Advance.

areyus · October 31, 2023, 7:23am

With that scenario and your error description, I am 99% sure the repositories are set to “on demand” download policy.
You can go to Content → Products, select one/the affected products, select one/the effected repository from the list. On the repository detail page, look for the “Download Policy” setting. That is probably set to “On Demand” (which I believe is the default). Try changing that to “Immediate” for every repo you have and then sync your repos during the next “internet window”.

“On demand” policy only works if the Katello server has permanent access to the upstream repos, so permanent internet access. With this policy, only metadata are downloaded during syncs, and Katello tries to download the actual packages only when a client first asks for them.
“Immediate” is the opposite approach. All packages are downloaded during sync and are then also available while the Katello server has no internet access. This requires way more time for initial syncs of new repos and also potentially way more disk space.

Be aware that the next sync will probably take way longer and might eat a LOT of disk space when you change the policy of every repo, depending on how big the repos you sync are and how many you have configured. Depending on how long and often the “internet windows” are, you might want to stretch the process of switching over several windows or monitor your Katello server during that time so you can intervene (e.g. resize disks) if needed.