Installing foreman proxy plugin openscap fails on Katello 4.10

mnsmithuk · October 19, 2023, 2:13pm

When running the following command on Katello 4.10 (Foreman 3.8) Sever installed on a Rocky 8.8 VM

foreman-installer --scenario katello
-l INFO
–enable-foreman-cli-openscap
–enable-foreman-plugin-openscap
–enable-foreman-proxy-plugin-openscap
–foreman-proxy-plugin-openscap-ansible-module “true”
–foreman-proxy-plugin-openscap-puppet-module “true”

I get the error:

Error 1: Puppet Foreman_smartproxy resource ‘katello.mnsmithuk’ failed. Logs:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/before
before to Cron[puppet]
before to Service[puppet]
before to Service[puppet-run.timer]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]
Adding autorequire relationship with Anchor[foreman::service]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (2231 of 2259)
Evaluated in 0.80 seconds
Foreman_smartproxykatello.mnsmithuk
Making get request to https://katello.mnsmithuk/api/v2/smart_proxies?search=name%3D"katello.mnsmithuk"
Received response 200 from request to https://katello.mnsmithuk/api/v2/smart_proxies?search=name%3D"katello.mnsmithuk"
Making put request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
Received response 200 from request to https://katello.mnsmithuk/api/v2/smart_proxies/1/refresh
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.mnsmithuk]/features
change from [“Ansible”, “BMC”, “DHCP”, “DNS”, “Discovery”, “Dynflow”, “HTTPBoot”, “Logs”, “Pulpcore”, “Puppet”, “Puppet CA”, “Script”, “TFTP”] to [“Ansible”, “BMC”, “DHCP”, “DNS”, “Discovery”, “Dynflow”, “HTTPBoot”, “Logs”, “Openscap”, “Pulpcore”, “Puppet”, “Puppet CA”, “Script”, “TFTP”] failed: Proxy katello.mnsmithuk has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors

1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.

The full log is at /var/log/foreman-installer/katello.log

Just to add if I set --no-enable-foreman-proxy-plugin-openscap instead, it completes without error.

Expected outcome:
No errors with foreman-installer

Distribution and version:

Other relevant data:

firewall port 9090 is open

Also in /etc/foreman-proxy/settings.d/openscap.yml enable has value https instead of true.

I did some digging and the template in /usr/share/foreman-installer/modules/foreman_proxy/templates/plugin/openscap.yml.erb the value for enable is set to
<%= @module_enabled %>
but I think it should be set to
<%= scope.lookupvar(‘::foreman_proxy::plugin::openscap::enabled’) %>

I did manually edit the template to make this change and /etc/foreman-proxy/settings.d/openscap.yml then took the expected value of true, however I was still left with the same problem.

I’ve stopped foreman before running install,
ansible-core is installed but I installed centos-release-ansible-29.noarch as I read this fixed issues for others (but I dont think this is needed if ansible-core is already installed),

Looking at the ERROR it mentioned provider=rest_v3 but requests were https://katello.mnsmithuk/api/v2/smart_proxies?search=name%3D"katello.mnsmithuk". Could this be the issue. If so how do we fix it?

The only other thing is, I’m using puppet7. Could the openscap module only support puppet6 and this is causing the problem ? If so can we get a fix for this?

There was nothing extra in /var/log/foreman-installer/katello.log that could help and I’m lost at what else it could be.

Can anyone help please?

areyus · October 20, 2023, 7:29am

Not sure I can actually help, since this might be a bug, but it looks like your Foreman does not accept the Openscap smart-proxy feature. Can you take a look at /var/log/foreman/production.log for any errors at the time the smart-proxy refresh happens?

mnsmithuk · October 20, 2023, 12:09pm

Hi Areyus,

Thanks for reaching out. Please see attached log of install I tried earlier today.

production.log (11.7 KB)

areyus · October 23, 2023, 6:25am

That log looks very much like it should, and after reading your initial post again, I realized I mistook where the error happens.
This line:

says the error is on the Proxy side. Can you check/share /var/log/foreman-proxy/proxy.log for the relevant timeframe? Maybe there’ s some hints in there where it’s actually going wrong.

mnsmithuk · October 23, 2023, 11:31am

proxy.log (15.5 KB)

areyus · October 23, 2023, 12:46pm

Hm, proxy.log looks fine to me, too.

This might maybe be a problem (enabled https is quite often used across Foreman to distinguish between accepting both http and https and only accepting https requests), but from what I understand you had the problem before making that change, so it is probably not the cause of your issue.

mnsmithuk · October 23, 2023, 9:48pm

oh so enabled https is correct ?

Yes nothing changed between setting it https (<%= @module_enabled %>) and setting it true (<%= scope.lookupvar(‘::foreman_proxy::plugin::openscap::enabled’) %>).

Puzzled why it gives the error. It’s not very important right now but would like to know how to prevent the error eventually.

My guess is, its a bug and nt many people use openscap plugin within foreman, so it

I appreciate the extra eyes having a look at it. Thanks you @areyus

iballou · October 24, 2023, 1:31pm

The smart proxy plugin for openscap is still being maintained by core Foreman folks, so I wouldn’t expect this bug. @ofedoren or @aruzicka do you know what might be going wrong here?

tedevil · October 24, 2023, 3:53pm

I run openscap just fine (deploys with ansible). Only issued these additional settings with foreman-installer on my proxies:
–enable-foreman-proxy-plugin-ansible
–enable-foreman-proxy-plugin-openscap