Installation of 3.1 without Puppet fails

Cheers, I am attempting to install 3.1 on CentOS 8 Stream without Puppet, but I am running into an issue where the group “puppet” does not exist. I will work around this by creating the group manually, but just to let you know:

[root@zzzap ~]# if [[ "$SCENARIO" == "satellite" ]]; then
> export INSTALLER_OPTS=<<EOF
> --foreman-proxy-content-pulpcore-worker-count 2
> EOF
> else
> export INSTALLER_OPTS=<<EOF
> --enable-foreman-compute-libvirt true
> --foreman-proxy-plugin-discovery-install-images true
> EOF
> fi

[root@zzzap ~]# $SCENARIO-installer --skip-checks-i-know-better --verbose --scenario $SCENARIO \
> --foreman-initial-organization "$ORG" \
> --foreman-initial-location "$LOC" \
> --foreman-initial-admin-password changeme \
> --foreman-initial-admin-locale en_US \
> --no-enable-puppet \
> --enable-foreman-plugin-bootdisk \
> --enable-foreman-plugin-webhooks \
> --enable-foreman-proxy-plugin-shellhooks \
> --foreman-proxy-dns true \
> --foreman-proxy-dns-forwarders ${SUBNET}.1 \
> --foreman-proxy-dns-zone $DOMAIN \
> --foreman-proxy-dns-reverse ${REVERSE}.in-addr.arpa \
> --foreman-proxy-dhcp true \
> --foreman-proxy-dhcp-gateway=${SUBNET}.1 \
> --foreman-proxy-dhcp-range="${SUBNET}.50 ${SUBNET}.150" \
> --foreman-proxy-dhcp-nameservers="${IP}" \
> --foreman-proxy-tftp true \
> --foreman-proxy-tftp-servername=${IP} \
> $INSTALLER_OPTS
2022-01-07 08:19:13 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-01-07 08:19:16 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-01-07 08:19:16 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-01-07 08:19:55 [NOTICE] [configure] Starting system configuration.
2022-01-07 08:21:10 [NOTICE] [configure] 250 configuration steps out of 1129 steps complete.
2022-01-07 08:21:10 [ERROR ] [configure] Could not set groups on user[foreman]: Execution of '/sbin/usermod -G puppet foreman' returned 6: usermod: group 'puppet' does not exist
2022-01-07 08:21:10 [ERROR ] [configure] /Stage[main]/Foreman::Config/User[foreman]/groups: change from  to 'puppet' failed: Could not set groups on user[foreman]: Execution of '/sbin/usermod -G puppet foreman' returned 6: usermod: group 'puppet' does not exist
2022-01-07 08:22:20 [ERROR ] [configure] Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G named,puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist
2022-01-07 08:22:20 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Config/User[foreman-proxy]/groups: change from  to 'named,puppet' failed: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G named,puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist
2022-01-07 08:22:31 [NOTICE] [configure] 500 configuration steps out of 1131 steps complete.
2022-01-07 08:22:57 [NOTICE] [configure] 750 configuration steps out of 1139 steps complete.
2022-01-07 08:23:06 [NOTICE] [configure] 1000 configuration steps out of 1161 steps complete.
2022-01-07 08:23:18 [NOTICE] [configure] System configuration has finished.

  There were errors detected during install.
  Please address the errors and re-run the installer to ensure the system is properly configured.
  Failing to do so is likely to result in broken functionality.

  The full log is at /var/log/foreman-installer/foreman.log

Oh damn there’s more, looks like something is really not right:

2022-01-07 08:33:12 [ERROR ] [configure] Systemd start for httpd failed!
2022-01-07 08:33:12 [ERROR ] [configure] journalctl log for httpd:
2022-01-07 08:33:12 [ERROR ] [configure] -- Logs begin at Tue 2022-01-04 13:34:45 CET, end at Fri 2022-01-07 08:33:12 CET. --
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com systemd[1]: Starting The Apache HTTP Server...
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com httpd[71018]: AH00526: Syntax error on line 67 of /etc/httpd/conf.d/05-foreman-ssl.conf:
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com httpd[71018]: SSLCertificateFile: file '/etc/puppetlabs/puppet/ssl/certs/zzzap.tpb.lab.eng.brq.redhat.com.pem' does not exist or is empty
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'.
2022-01-07 08:33:12 [ERROR ] [configure] Jan 07 08:33:12 zzzap.tpb.lab.eng.brq.redhat.com systemd[1]: Failed to start The Apache HTTP Server.
2022-01-07 08:33:12 [ERROR ] [configure] /Stage[main]/Apache::Service/Service[httpd]/ensure: change from 'stopped' to 'running' failed: Systemd start for httpd failed!

Any clues what is wrong?

Weird, there is some inconsistency between Ruby and Puppet:

[root@zzzap ~]# dnf install puppet
Last metadata expiration check: 1:13:16 ago on Fri 07 Jan 2022 07:28:28 AM CET.
Error:
 Problem: package puppet-6.25.1-1.el8.noarch requires ruby(selinux), but none of the providers can be installed
  - package libselinux-ruby-2.9-5.el8.x86_64 requires libruby.so.2.5()(64bit), but none of the providers can be installed
  - conflicting requests
  - package ruby-libs-2.5.5-105.module_el8.1.0+214+9be47fd7.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-107.module_el8.5.0+811+d98a1657.x86_64 is filtered out by modular filtering

I have followed our CentOS 8 Stream guide:

dnf -y module reset ruby
dnf -y module enable ruby:2.7
dnf -y install https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
dnf -y install https://yum.theforeman.org/releases/3.1/el8/x86_64/foreman-release.rpm
dnf -y install mlocate sysstat chrony foreman-installer foreman

Could be something in SELinux in CentOS 8 Stream perhaps?

That looks like you’re installing puppet from EPEL which we don’t support.

This is incomplete. You’re missing --foreman-proxy-puppet false --foreman-proxy-puppetca false.

It looks like you’re installing Foreman without Puppet but the default foreman scenario relies on Puppet as a CA to generate certificates. If you don’t want Puppet, you must provide Foreman and Foreman Proxy with other certificates.

I have been wanting to write a blog about this for about 2 years but it hasn’t gotten out of draft so I’ll share the relevant bits. Here I assume in /etc/ownca there are certificates.

OWNCA=/etc/ownca
foreman-installer \
    --no-enable-puppet \
    --foreman-proxy-puppet false \
    --foreman-proxy-puppetca false \
    --foreman-proxy-ssl-ca $OWNCA/cacert.crt \
    --foreman-proxy-ssl-cert $OWNCA/$HOSTNAME/$HOSTNAME.crt \
    --foreman-proxy-ssl-key $OWNCA/$HOSTNAME/$HOSTNAME.key \
    --foreman-server-ssl-ca $OWNCA/cacert.crt \
    --foreman-server-ssl-chain $OWNCA/cacert.crt \
    --foreman-server-ssl-cert $OWNCA/$HOSTNAME/$HOSTNAME.crt \
    --foreman-server-ssl-key $OWNCA/$HOSTNAME/$HOSTNAME.key \
    --foreman-server-ssl-crl "" \
    --foreman-client-ssl-ca $OWNCA/cacert.crt \
    --foreman-client-ssl-cert $OWNCA/$HOSTNAME/$HOSTNAME.crt \
    --foreman-client-ssl-key $OWNCA/$HOSTNAME/$HOSTNAME.key

Note that you must ensure these files are readable by both foreman and foreman-proxy.
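
Added example, not part of the thread or of the Foreman project: a pre-flight check for the certificate layout assumed in the command above. It catches the two failure modes the thread mentions: a certificate file that "does not exist or is empty", and files the foreman or foreman-proxy accounts cannot read. The function names are hypothetical, and the readability check assumes it is run as root with `runuser` available.

```shell
# Pre-flight check for the custom-CA layout from the installer command:
#   $OWNCA/cacert.crt, $OWNCA/$HOSTNAME/$HOSTNAME.crt, $OWNCA/$HOSTNAME/$HOSTNAME.key
# Function names are hypothetical; only the paths and the two service
# accounts (foreman, foreman-proxy) come from the thread.

# Print every given file that is missing or empty, the condition httpd
# rejects with "does not exist or is empty". Non-zero if any was found.
missing_or_empty() {
    rc=0
    for f in "$@"; do
        [ -s "$f" ] || { echo "$f"; rc=1; }
    done
    return "$rc"
}

# Print "user: file" for every file the service account cannot read.
# Running test(1) as that user also catches parent directories the
# account cannot traverse. Accounts that do not exist yet are skipped.
unreadable_by() {
    user=$1; shift; rc=0
    id "$user" >/dev/null 2>&1 || return 0
    for f in "$@"; do
        runuser -u "$user" -- test -r "$f" || { echo "$user: $f"; rc=1; }
    done
    return "$rc"
}

# Run both checks over the three files the installer options point at.
preflight_certs() {
    ownca=$1 host=$2 status=0
    set -- "$ownca/cacert.crt" "$ownca/$host/$host.crt" "$ownca/$host/$host.key"
    missing_or_empty "$@" || status=1
    unreadable_by foreman "$@" || status=1
    unreadable_by foreman-proxy "$@" || status=1
    return "$status"
}

# Usage (as root), before the installer run:
#   preflight_certs /etc/ownca "$HOSTNAME" && foreman-installer ...
```
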

Hmmm thanks, then I will keep Puppet to stay as close as possible to what users typically do.

Just a note, but this is only an issue in Foreman without Katello, as in Katello the certs used come from Candlepin, right? :)

Yes, in Katello I don’t think Candlepin certs are used, Katello has its own cert generation tool I think, but yes.

Indeed, it’s only an issue in Foreman without Katello and what @lzap said is correct. To expand on that: Katello has its own CA generated with katello-certs-tools. Technically it’s not Candlepin that generates the certificates used in the infrastructure but rather Candlepin gets the CA certificate from that tool. Candlepin only creates certificates for actual clients.

If you won’t get to the full blog, would it make sense to convert this to the Tutorials - TheForeman? I think it would be easier for users to find the magic installer command in there.