Inconsistent use of Proxy

Hi all,

I've just been setting up a brand new Foreman/Puppet server here at home,
and I've noticed something a bit odd. It seems that for some operations,
Foreman ignores the proxy that has been configured, and tries to do things
itself.

For the most part, that's fine - I get a deprecation warning in the
foreman production log, but otherwise it works and we move on. However, in
the case of the autosign.conf, I've got a problem. Three different entities
want to control the file:

  1. Puppet wants it 644
  2. Proxy wants it owned by the proxy user
  3. Foreman wants it owned by the foreman user

I can only ever satisfy two of these - currently I choose to keep it 644,
so I can either break 2) and have the certificate management break, or I
can break 3) and have the build management break. Here's an example log
using 1) & 2) and then clicking the "Cancel Build" link on a host I was
about to build…

Processing HostsController#cancelBuild (for 172.20.10.100 at 2011-11-06
20:49:05) [GET]
Parameters: {"action"=>"cancelBuild",
"id"=>"vm2.qemu.elysium.emeraldreverie.org", "controller"=>"hosts"}
User Load (5.2ms) SELECT * FROM `users` WHERE (`users`.`id` = 1)
Setting current user thread-local variable to admin
Host Load (0.2ms) SELECT * FROM `hosts` WHERE (`hosts`.`name` =
'vm2.qemu.elysium.emeraldreverie.org') LIMIT 1
Setting Load (0.1ms) SELECT * FROM `settings` WHERE (`settings`.`name`
= 'manage_puppetca') ORDER BY LOWER(settings.name) LIMIT 1
**DEPRECATION WARNING*** Managing Puppet CA without a smart-proxy will not
be supported in the next release
Failed to set Build on vm2.qemu.elysium.emeraldreverie.org: Permission
denied - //etc/puppet/autosign.conf
Failed to save:
undefined method `join' for #<String:0xb51a8b40>
/usr/share/foreman/app/controllers/application_controller.rb:217:in `process_error'
/usr/share/foreman/app/controllers/application_controller.rb:210:in `process_error'
/usr/share/foreman/app/controllers/hosts_controller.rb:182:in `cancelBuild'
Rendering template within layouts/application
Rendering common/500 (500)

Has anyone else encountered this? How do I stop Foreman doing things which
the proxy should be doing?

Cheers,
Greg

Are you running the Puppetmaster, proxy and foreman all on the same
server?



Select the puppet proxy to use in the host edit page.

Ohad


And now I feel stupid. Thanks Ohad :slight_smile:

Greg


OOI, is there an intended way of operating, or a deliberately unsupported
architecture when it comes to running a puppetmaster, foreman and smart
proxy?

I'm just running a test environment at present, with the puppetmaster,
foreman and smart-proxies all on the same server, and I'm seeing the same
provisioning failure caused by an unwritable /etc/puppet/autosign.conf
which is being changed to mode 0644 by something which I haven't
investigated fully yet, but it coincides with a node trying to do a preseed
install.

Since the puppet files are owned by puppet:puppet and the proxy runs as
foreman-proxy:foreman-proxy, the easiest way of making this coexist
reasonably is by additional group membership and suitable file modes (or by
not munging puppet's files directly, but that's another story).

I'm using the packaged (i.e. out of date :slight_smile: ) deb packages on Ubuntu.

Thanks,

Ant (antiphase)

AFAIR, the foreman-proxy user adds itself to the puppet group, allowing it
to access the file.

Ohad
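As an added example (not code from this thread or from Foreman), here is a small POSIX sh evaluator that applies the Unix owner/group/other write rule to the three accounts discussed above, so you can see which ownership and mode combinations let puppet, foreman-proxy and foreman all work on autosign.conf. The group memberships it uses (foreman-proxy and foreman both added to the puppet group) are assumptions taken from Ohad's and Ant's suggestions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman: evaluate the
# three-way ownership conflict on /etc/puppet/autosign.conf by applying the
# Unix owner/group/other rule to a candidate owner, group and mode.
# Group memberships below are assumptions (proxy and foreman in group puppet).

# in_list NEEDLE "SPACE SEPARATED LIST": returns 0 if NEEDLE is one of the items
in_list() {
    for item in $2; do [ "$item" = "$1" ] && return 0; done
    return 1
}

# can_write USER "USER'S GROUPS" OWNER GROUP MODE
# Prints yes/no and returns 0/1. MODE is octal, e.g. 644 or 0644.
can_write() {
    user=$1 groups=$2 owner=$3 group=$4 mode=$5
    [ "$user" = root ] && { echo yes; return 0; }   # root bypasses mode bits
    perm=${mode#"${mode%???}"}                       # keep the last three octal digits
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    if [ "$user" = "$owner" ]; then bit=$u           # owner class is checked first
    elif in_list "$group" "$groups"; then bit=$g     # then the file's group
    else bit=$o; fi                                  # otherwise "other"
    if [ $(( bit & 2 )) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# check_autosign OWNER GROUP MODE: one line per entity from the thread;
# returns 0 only when puppet, foreman-proxy and foreman can all write.
check_autosign() {
    rc=0
    for who in puppet foreman-proxy foreman; do
        case $who in                       # assumed supplementary groups
            puppet)        memb="puppet" ;;
            foreman-proxy) memb="foreman-proxy puppet" ;;
            foreman)       memb="foreman puppet" ;;
        esac
        printf '%-14s ' "$who"
        can_write "$who" "$memb" "$1" "$2" "$3" || rc=1
    done
    return $rc
}

# The thread's setting (puppet:puppet 0644) fails for both proxy and foreman;
# group write (0664) with both accounts in the puppet group satisfies all three.
check_autosign puppet puppet 0644 || echo "(not every entity can write)"
echo "--- with group write ---"
check_autosign puppet puppet 0664 || echo "(not every entity can write)"
```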


What would be the correct values for "ssl_certificate",
"ssl_ca_file", and "ssl_private_key" if all 3 services are on the
same host? In my setup the server's hostname differs from the
puppetmaster's CNAME and foreman's CNAME.

host = host.domain
puppetmaster = puppetmaster.domain
foreman = foreman.domain

I've tried the following (in /etc/foreman-proxy/settings.yml and
Foreman Settings)
:ssl_certificate: /var/lib/puppet/ssl/ca/signed/foreman.domain
:ssl_ca_file: /var/lib/puppet/ssl/certs/foreman.domain
:ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman.domain


Trying to add the local proxy gives me …

Failed to save: Url did not respond to a request for its feature
list.The reason given was: SSL Verification failed – Preverify:
false, Error: unable to get local issuer certificate (20)., Please
check the proxy is configured and running on the host before saving.

Tried this and got a different error:

:ssl_certificate: /var/lib/puppet/ssl/ca/signed/foreman.domain
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman.domain

Failed to save: Url did not respond to a request for its feature
list.The reason given was: SSL Verification failed – Preverify:
false, Error: self signed certificate in certificate chain (19).,
Please check the proxy is configured and running on the host before
saving.

I’ve added foreman and foreman-proxy users to puppet group, so it
shouldn’t be a permissions issue. Sounds like the certs I’m providing
don’t match up, but I’m not well versed in SSL troubleshooting.

Thanks

Trey