Issue running theforeman.foreman_scap_client on RHEL 8

Problem:
Issue when we start the theforeman.foreman_scap_client Ansible Role on a new RHEL 8. This role runs without issue on our RHEL 7 servers.

    TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************

    fatal: [XXXXXXXX]: FAILED! => 
      msg: |-
        the field 'args' has an invalid value ({u'rh_consumer_private_key_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_private_key_path')  }}", u'rh_consumer_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_cert_path') }}", u'rh_ca_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_ca_cert_path') }}"}), and could not be converted to an dict.The error was: No JSON object could be decoded
        The error appears to be in '/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml': line 25, column 3, but may
        be elsewhere in the file depending on the exact syntax problem.

        The offending line appears to be:
        - name: 'Set facts for rh certs'
          ^ here

Expected outcome:

Foreman and Proxy versions:
foreman-proxy-1.22.0.3-1.el7sat.noarch

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:
After some troubleshooting regarding this role, I saw another error and perhaps they’re connected. When I run the script foreman_scap_client_facts.rb, the following error appears (see below):

            # ./foreman_scap_client_facts.rb
            Fatal Python error: Py_Initialize: Unable to get the locale encoding
            Traceback (most recent call last):
              File "/usr/lib64/python3.6/encodings/__init__.py", line 33, in <module>
              File "<frozen importlib._bootstrap>", line 971, in _find_and_load
              File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
              File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
              File "<frozen importlib._bootstrap_external>", line 674, in exec_module
              File "<frozen importlib._bootstrap_external>", line 780, in get_code
              File "<frozen importlib._bootstrap_external>", line 832, in get_data
            PermissionError: [Errno 1] Operation not permitted: '/usr/lib64/python3.6/encodings/aliases.py'{}
            #

Why is there a Puppet error in a Ruby script? Does someone have an idea what the problem is?

Best regards, H

Hi, thank you for reporting this. Does ‘subscription-manager config’ give you any errors?

Hi,
No, this command runs without errors on the client.

The errors are indeed connected. Because foreman_scap_client_facts script crashes, it makes the whole role fail. I just set up a clean RHEL8, but unfortunately I was not able to reproduce. The role executed as expected and there were no failures when running the script manually either:

I was counting on subscription-manager to be responsible, because it is the only place I can think of that could cause the python errors in the facts script.

The last error line suggests there is something wrong with file permissions, I looked at the encodings/aliases.py on my client: -rw-r--r--. 1 root root

The facts script is < 30 lines long, so it might not be too difficult to pinpoint the exact line that is causing the failure.

Thanks for your reply and your support.
You’re right, after checking this ruby script in detail, I’ve found that the issue is produced by the line where subscription-manager is called. It is strange because this command runs well on this client.
I start it as root, so normally the ruby script gets root rights too and the right paths, right? Should I look in this direction? With which version of python is it compatible? 2 or 3 or both?

    # python2 --version
    Python 2.7.16
    # python3 --version
    Python 3.6.8

It does not seem like a python version problem when subscription-manager works directly on the client. There should be no change in user or permissions when the script runs subscription-manager, but it looks like a problem with permissions to me.

We finally found the problem.
You’re right, the issue was a permissions problem.
The fapolicyd service is running to enforce security → ruby was blocked → theforeman.foreman_scap_client failed to start the ruby script foreman_scap_client_facts.rb.
Now we’ve whitelisted ruby in fapolicyd.rules and the foreman script is running again.

Out of curiosity: why was this script written in ruby and not in python? :wink:

I am glad you managed to figure it out.

We have essentially the same script in puppet-foreman_scap_client, so I just modified it rather than creating a python version from scratch.