Katello 3.16 content proxy

I upgraded my katello server to 3.16. Then I upgraded the smart proxy following the 3.16 docs. However, foreman-installer failed because it could not start httpd. Reason: httpd wants to listen to port 5000 and it’s blocked by selinux.

It finished successfully after I switched to permissive mode. httpd is listening to port 5000, though.

Is the smart proxy supposed to listen to port 5000 (i.e. selinux config is broken) or is that an error?

The cause is this package is needed – http://yum.theforeman.org/releases/2.1/el7/x86_64/crane-selinux-3.4.0-1.el7.noarch.rpm

The installer should be installing this for you and if it’s not on a content proxy then that is a bug I will look into.

Can you verify for me that you have foreman-installer-2.1.1 installed on the proxy?

crane-selinux has not been installed. foreman-installer is at 2.1.1.

Loaded plugins: enabled_repos_upload, fastestmirror, package_upload, product-id, search-disabled-repos, subscription-manager,
              : tracer_upload
Loading mirror speeds from cached hostfile
Available Packages
crane-selinux.noarch                                   3.4.0-1.el7                                   ORG_foreman_2_1_el7_x86_64
Uploading Enabled Repositories Report
Loaded plugins: fastestmirror, product-id, subscription-manager
[root@foreman-proxy ~]# yum list foreman-installer
Loaded plugins: enabled_repos_upload, fastestmirror, package_upload, product-id, search-disabled-repos, subscription-manager,
              : tracer_upload
Loading mirror speeds from cached hostfile
Installed Packages
foreman-installer.noarch                               1:2.1.1-2.el7                                @ORG_foreman_2_1_el7_x86_64
Uploading Enabled Repositories Report
Loaded plugins: fastestmirror, product-id, subscription-manager

It’s odd. According to the foreman-proxy-content log:

[ INFO 2020-08-12T14:53:51 main] Ensuring crane-selinux to package state installed

It is supposed to be installed. But there is no error following. And it’s not installed:

# yum list crane-selinux
Loaded plugins: enabled_repos_upload, fastestmirror, package_upload, product-id,
              : search-disabled-repos, subscription-manager, tracer_upload
Loading mirror speeds from cached hostfile
Available Packages
crane-selinux.noarch           3.4.0-1.el7           DKRZ_foreman_2_1_el7_x86_64

So I guess as a workaround to avoid continuous permissive mode, I can safely install this?

Do I need to relabel something afterwards?

A short term workaround would be yum install crane-selinux but obviously that’s not a real fix. Do you have more specific logs? I’m mostly interested in why it logs that it will install, but then doesn’t really.

There is an error message shortly before the ensuring message in the foreman-installer/foreman-proxy-content log.

[DEBUG 2020-08-12T14:53:48 main] Executing: foreman-maintain packages is-locked --assumeyes
[DEBUG 2020-08-12T14:53:50 main] Packages are not locked
[ERROR 2020-08-12T14:53:50 main] foreman-maintain packages is-locked --assumeyes failed! Check the output for error!
[DEBUG 2020-08-12T14:53:50 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/09-version_locking.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/13-hiera.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/14-cdn_setting.rb returned nil
[ INFO 2020-08-12T14:53:51 main] All hooks in group pre_commit finished
[ INFO 2020-08-12T14:53:51 main] Executing hooks in group pre
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/hooks/pre/10-reset_foreman_db.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/hooks/pre/20-check-hammer-credentials.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/hooks/pre/25-remove_apache_from_foreman_group.rb returned true
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/hooks/pre/30-el7_upgrade_postgresql.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/hooks/pre/31-puppet_agent_oauth.rb returned nil
[ INFO 2020-08-12T14:53:51 main] Ensuring crane-selinux to package state installed

I don’t see any other message regarding crane-selinux in any other log.

Hello,

What was the resolution on this one? We have another post with a similar error: "Upgrade from Foreman 2.0.2 / Katello 3.15 to Foreman 2.1.2 / Katello 3.16 fails"

[DEBUG 2020-08-12T14:53:48 main] Executing: foreman-maintain packages is-locked --assumeyes
[DEBUG 2020-08-12T14:53:50 main] Packages are not locked
[ERROR 2020-08-12T14:53:50 main] foreman-maintain packages is-locked --assumeyes failed! Check the output for error!
[DEBUG 2020-08-12T14:53:50 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/09-version_locking.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/13-hiera.rb returned nil
[DEBUG 2020-08-12T14:53:51 main] Hook /usr/share/foreman-installer/katello/hooks/pre_commit/14-cdn_setting.rb returned nil
[ INFO 2020-08-12T14:53:51 main] All hooks in group pre_commit finished

As mentioned above, I have installed the package crane-selinux. But this problem only happened on the content proxy, not on the main foreman/katello server.
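
An added example (not from the thread or the Foreman project): a shell check that reads the "Ensuring ... to package state installed" lines of the kind quoted above, confirms each named package is really installed, and prints ERROR lines that the run continued past. The log excerpt is copied from the thread as sample input; `PKG_QUERY` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Foreman project.

# Constructed sample: installer log lines as quoted in this thread.
SAMPLE_LOG='[DEBUG 2020-08-12T14:53:50 main] Packages are not locked
[ERROR 2020-08-12T14:53:50 main] foreman-maintain packages is-locked --assumeyes failed! Check the output for error!
[ INFO 2020-08-12T14:53:51 main] All hooks in group pre_commit finished
[ INFO 2020-08-12T14:53:51 main] Ensuring crane-selinux to package state installed'

# Assumption of this example: PKG_QUERY is a command that exits 0 when the
# package named in its last argument is installed.
PKG_QUERY="${PKG_QUERY:-rpm -q}"

# Read a log on stdin; print each package an "Ensuring ... installed" line names.
ensured_packages() {
    sed -n 's/^\[ *INFO [^]]*] Ensuring \([^ ]*\) to package state installed$/\1/p' | sort -u
}

# Read a log on stdin; print the ensured packages that are not installed.
missing_packages() {
    ensured_packages | while read -r pkg; do
        $PKG_QUERY "$pkg" >/dev/null 2>&1 </dev/null || printf '%s\n' "$pkg"
    done
}

# Read a log on stdin; print ERROR lines, which the installer may log without aborting.
error_lines() {
    grep '^\[ERROR ' || true
}

# Usage: sh check.sh /path/to/installer.log
if [ -n "${1:-}" ]; then
    error_lines < "$1"
    missing_packages < "$1" | sed 's/^/logged as ensured but not installed: /'
fi
```

Run it against the installer log while SELinux is still enforcing; an empty result from `missing_packages` means every package the log claims to have ensured is present.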