Managing existing hosts

Indeed you are, although it's well hidden, I grant you

http://theforeman.org/manuals/1.5/index.html#3.5.5FactsandtheENC

Scroll down to "Creating hosts in Foreman with facts" - essentially
the point is that to import an existing host into Foreman, you just
run the Puppet agent on it. When the facts and report are submitted to
Foreman, it will create a new host for you if it cannot match the data
to an existing host.

With regard to certificates, this method does require you already have
a certificate in place, of course. Foreman will manage signing of
certificates for machines it provisioned, but it can't do that for
pre-existing hosts, so yes, you'll need to sort out the certs.

Hope that helps,
Greg

Thanks for that, I'll admit that I glossed right over that section when
reading the docs because I didn't know what ENC was.

What's interesting is that in my setup this was already done for me, I've
added a host and when I review the YAML the url contains
"…externalNodes?name=test.domain.net", but when I test it at the command
line as the manual suggests I get the error:

No such file or directory - /var/lib/puppet/yaml/facts/test.domain.net.yaml

I've set this up on Fedora 19 using the repository and have almost no
special configuration except for adding some puppet classes and doing the
basic setup for provisioning.

Thanks again.

If the puppet agent hasn't run at least once, then this is expected -
the puppetmaster caches the facts sent by the local system when the
agent run begins, and we exploit that cache to have the ENC script
upload the facts to Foreman. As such, if puppet hasn't run yet, the
cache won't exist.

Greg

> With regard to certificates, this method does require you already have
> a certificate in place, of course. Foreman will manage signing of
> certificates for machines it provisioned, but it can't do that for
> pre-existing hosts, so yes, you'll need to sort out the certs.

You'll find the signing - requests also in Forman on the SmartProxy-Page,
as soon as you ran puppet once on the existing host. Simply click on the
certificates action at the right end of your SmartProxy listed. Then you
get a list of all known certs and certificate-requests. Simply click on the
sign button and run puppet again on your host.

KR Jens
>
> Hope that helps,
> Greg
>
> –
> You received this message because you are subscribed to the Google Groups
"Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.

@Greg if I attempt to run the agent on the external host I get this:

Error: Could not request certificate: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint:
BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean test.domain.net
On the agent:
rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem
puppet agent -t

And this is largely why I was asking about manually dealing with
certificates.

@Jens When I access the certificate page I get this:

Warning!undefined method `gsub' for #<ActiveRecord::RecordNotFound:
ActiveRecord::RecordNotFound>

As mentioned previously this is a very minimal setup on F19 from the
repositories. Perhaps things work better by default in another distro,
CentOS maybe?

Thanks both for the help.

Full trace is this:

NoMethodError
*undefined method gsub' for #<ActiveRecord::RecordNotFound: ActiveRecord::RecordNotFound>* app/controllers/application_controller.rb:172:inerror'
app/controllers/puppetca_controller.rb:17:in rescue in index' app/controllers/puppetca_controller.rb:7:inindex'
app/models/concerns/foreman/thread_session.rb:33:in clear_thread' lib/middleware/catch_json_parse_errors.rb:9:incall'

I came across this issue Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> - Foreman and
tried the suggested fix to the puppet auth.conf file, which for me didn't
work.

That would be expected if you're had a working master/agent setup and
then pointed the agent at a new master. Try performing the steps
listed

The gsub error is interesting, it implies some odd characters in one
of your cert names. The resukt of "puppet cert -la" on your master
would probably be relevant, if you can provide it.

Greg

When you suggest performing the steps listed are you referring to the
documentation? If so that's exactly what I've done, except that all of the
puppetmaster configuration for node.rb was already done exactly as it
should have been, presumably by the installer.

The listing of the certificates on the master is

[root@foreman ~]# puppet cert -la
"test.domain.net" (SHA256)
CD:EB:F8:58:B8:93:EA:D0:C6:9C:1F:22:1C:C4:AF:1A:BC:A5:74:E0:ED:A4:8D:0A:27:C0:9E:AE:96:B3:AE:36

• "foreman.domain.net" (SHA256)
  BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2
  (alt names: "DNS:foreman.domain.net", "DNS:puppet", "DNS:puppet.domain.net")

The only thing I find curious is the inclusion of the DNS alt names for
puppet, I never suggested those. I wonder if it would help if I added them
as entries to the hosts file.

Something else that I just realized, but I'm not sure if it matters, is
that the puppetmaster service shown by systemctl isn't running and the logs
have

[2014-07-26 17:27:18] INFO ruby 2.0.0 (2013-11-22) [x86_64-linux]
[2014-07-26 17:27:18] WARN TCPServer Error: Address already in use -
bind(2)

I did a quick search on it and there's some forum posts that say if it's
already running under passenger (which I think Foreman does) then
puppetmaster doesn't need to be running, but that seems dubious.

I just realized the date on the log output, clearly not related.

I was able to fix the gsub error and sign certificates as @Jens suggested
by making the appropriate sudo edits as suggested in the manual. So now the
how shows up with a signed certificate, but the agent still spits out the
same error as before about not being able to request the certificate. I
wonder if that's because the puppetmaster service has failed on foreman.
Unfortunately I can't seem to find any logs that suggest what the problem
is.

I'm referring to the output of the command, as you put in your
previous post - i.e cleaning the cert on both the agent (via rm -rf
/var/lib/puppet/ssl) and the master (via puppet cert -c), which should
then allow the agent to create a clean CSR on the next agent run,
which you can then sign.

Glad you got the proxy sorted, it's interesting that it would cause
that error. We should handle that better, please feel free to open an
issue with all the aapropriate info.

Puppet does indeed run under passenger by default in our setup, so the
service will say it's stopped (which is true, since it wasn't started
via the init script, nor is there a separate pid for the service to
check). The log you showed, however, is actually from the
foreman-proxy service, and the Address in use error is harmless.

Greg

Oh, no, I hadn't done that because I wasn't sure if that's something that I
should be doing manually or not. Will Foreman safely reflect any changes
that are made by puppet at the command line?

I thought I'd give the commands that were suggested a try, so I did

on foreman:

[root@foreman ~]# puppet cert clean foreman.domain.net
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
'/var/lib/puppet/ssl/ca/signed/foreman.domain.net.pem'
Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
'/var/lib/puppet/ssl/certs/foreman.domain.net.pem'
Notice: Removing file Puppet::SSL::Key foreman.domain.net at
'/var/lib/puppet/ssl/private_keys/foreman.domain.net.pem'

and on the test agent:

[root@crdc-02-0124 ~]# rm -f /var/lib/puppet/ssl/certs/foreman.domain.net
.pem
[root@crdc-02-0124 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for foreman.domain.net
Info: Certificate Request fingerprint (SHA256):
D0:37:5E:04:87:55:C7:4F:F2:24:09:2E:7A:58:35:F7:7A:46:AA:6A:57:46:30:85:D1:E3:03:D4:FE:94:97:DD
Exiting; no certificate found and waitforcert is disabled

and then I went to the foreman web interface under smart proxies and tried
to bring up the certificates section again and I get:

NoMethodError
*undefined method gsub' for #<ActiveRecord::RecordNotFound: ActiveRecord::RecordNotFound>* app/controllers/application_controller.rb:172:inerror'
app/controllers/puppetca_controller.rb:17:in rescue in index' app/controllers/puppetca_controller.rb:7:inindex'
app/models/concerns/foreman/thread_session.rb:33:in clear_thread' lib/middleware/catch_json_parse_errors.rb:9:incall'

I took a snapshot before this so I'll be reverting back now.

I couldn't really say how I did it but I managed to get it to work by using
a combination of puppet cert/sign/–generate and running the agent
repeatedly until all of the errors disappeared. In the end I think I did
the following

on master:

puppet cert clean --all

on agent:

rm -rf /var/lib/puppet/ssl/*

on master:

puppet cert --generate foreman.coanda.local
systemctl restart httpd
systemctl restart puppet
puppet cert sign foreman.coanda.local

on agent:

puppet agent --test

But I wasn't really using a methodical approach by this point so I can't be
certain. I was loosely trying to follow these:

Fortunately the majority of what I'll be using Foreman for is provisioning
and the hosts seem to register fine when they get added that way.

> I thought I'd give the commands that were suggested a try, so I did
>
> on foreman:
>
> [root@foreman ~]# puppet cert clean foreman.domain.net
> Notice: Revoked certificate with serial 2
> Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
> '/var/lib/puppet/ssl/ca/signed/foreman.domain.net.pem'
> Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
> '/var/lib/puppet/ssl/certs/foreman.domain.net.pem'
> Notice: Removing file Puppet::SSL::Key foreman.domain.net at
> '/var/lib/puppet/ssl/private_keys/foreman.domain.net.pem'
>
> and on the test agent:
>
> [root@crdc-02-0124 ~]# rm -f
> /var/lib/puppet/ssl/certs/foreman.domain.net.pem
> [root@crdc-02-0124 ~]# puppet agent -t
> Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
> Info: Creating a new SSL certificate request for foreman.domain.net
> Info: Certificate Request fingerprint (SHA256):
> D0:37:5E:04:87:55:C7:4F:F2:24:09:2E:7A:58:35:F7:7A:46:AA:6A:57:46:30:85:D1:E3:03:D4:FE:94:97:DD
> Exiting; no certificate found and waitforcert is disabled

That all looks fine up to here.

> and then I went to the foreman web interface under smart proxies and tried
> to bring up the certificates section again and I get:

Ah the gsub error again, i'm still uclear on why you're getting that.
Fortunatly it's entirely foreman-side, so if you just sign the cert as
normal (puppet cert -s …) then everything should work fine. As I
said earlier, you're expected to manage certs in whatever way you like
for hosts that Foreman didn't build, so Foreman won't care how it
get's signed.

For reference, the page you're failing to load will have no effect on
Foreman's general operation, it's just a handy extra to save you
having to log into the puppet master for the occasional cert signing
action. You can always use the commandline puppet tools for cert
management, as Foreman (re-)parses the puppet data as required, rather
than maintaining it's own copy of the certificate list.

Ah, missed your last reply. Yes, thats exactly the process I would
have used myself - you're bang on track. See my previous reply for why
that is the case, glad it's all working

Greg

Okay, it's good to have that confirmation. Thanks a lot for all of your
(and everyone else's) help.