Problem:
Today, I have enabled the ansible plugin and proxy plugin, i.e. I ran
# foreman-installer --enable-foreman-plugin-ansible \
--enable-foreman-proxy-plugin-ansible
on my main server foreman.example.com, which was successful. I can see the ansible menu items, tabs, etc.
However, I have noticed that no puppet reports arrived on the main server through my puppet smart proxy foreman-puppet.example.com anymore.
The access logs now show a 403 for the config report posts on the main server:
... "POST /api/config_reports HTTP/1.1" 403 166 "-" "Ruby"
production.log shows this:
2021-11-18T14:04:18 [I|app|f66a0bac] Started POST "/api/config_reports" for 10.10.25.2 at 2021-11-18 14:04:18 +0100
2021-11-18T14:04:18 [I|app|f66a0bac] Processing by Api::V2::ConfigReportsController#create as JSON
2021-11-18T14:04:18 [I|app|f66a0bac] Parameters: {"config_report"=>"[FILTERED]", "apiv"=>"v2"}
2021-11-18T14:04:18 [W|app|f66a0bac] No smart proxy server found on ["foreman-puppet.example.com"] and is not in trusted_hosts
2021-11-18T14:04:18 [I|app|f66a0bac] Rendering api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
2021-11-18T14:04:18 [I|app|f66a0bac] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (Duration: 6.5ms | Allocations: 5866)
2021-11-18T14:04:18 [I|app|f66a0bac] Filter chain halted as #<Proc:0x000000000fc730f8 /usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14> rendered or redirected
2021-11-18T14:04:18 [I|app|f66a0bac] Completed 403 Forbidden in 23ms (Views: 11.3ms | ActiveRecord: 2.7ms | Allocations: 15887)
This worked just fine before the installer run. All smart proxies show green “active” status. All features are shown as they should. As I did the installer run while everything was running, I have tried another run with services stopped:
# foreman-maintain service stop
# foreman-installer
And I did the same on the smart proxy foreman-puppet.example.com, too, in case it needed to re-register itself.
Eventually, I have found a hint in a topic to add the host name to TrustedHost, as the error suggests, i.e. Settings - Authentication - TrustedHost, setting it to the names of all my smart proxies in my network.
Now, reports are accepted again on the main server.
Of course, as I understand the description of the TrustedHost setting and as it was working fine before, I think by default foreman should automatically trust the names of all smart proxies registered to the main server.
If I clear our TrustedHosts, I see the 403s, so it’s reproducible. It seems I am not the first one with this kind of problem, but beyond the manual workaround with TrustedHosts I haven’t found a real solution/fix.
Expected outcome:
All smart proxies should be trusted, even with the ansible plugins installed…
Foreman and Proxy versions:
katello-4.1.4-1.el7.noarch
foreman-2.5.4-1.el7.noarch
foreman-proxy-2.5.4-1.el7.noarch
Distribution and version:
CentOS Linux release 7.9.2009 (Core)
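
Added example, not part of the original post and not Foreman code: a small Python script that correlates production.log lines by request id and lists every request that was refused with the "not in trusted_hosts" warning, together with the client hostname and source IP. It assumes the log line layout shown in the excerpt above; the function name and the second sample request are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first request is taken from the excerpt in the post,
# the second (id 0c1d2e3f) is constructed to show an accepted report.
SAMPLE_LOG = """\
2021-11-18T14:04:18 [I|app|f66a0bac] Started POST "/api/config_reports" for 10.10.25.2 at 2021-11-18 14:04:18 +0100
2021-11-18T14:04:18 [W|app|f66a0bac] No smart proxy server found on ["foreman-puppet.example.com"] and is not in trusted_hosts
2021-11-18T14:04:18 [I|app|f66a0bac] Completed 403 Forbidden in 23ms (Views: 11.3ms | ActiveRecord: 2.7ms | Allocations: 15887)
2021-11-18T14:04:19 [I|app|0c1d2e3f] Started POST "/api/config_reports" for 10.10.25.3 at 2021-11-18 14:04:19 +0100
2021-11-18T14:04:19 [I|app|0c1d2e3f] Completed 201 Created in 40ms (Views: 1.0ms | ActiveRecord: 5.0ms | Allocations: 9000)
"""

# "<timestamp> [<level>|<logger>|<request id>] <message>"
LINE = re.compile(r'^(\S+) \[(\w)\|(\w+)\|(\w+)\] (.*)$')
STARTED = re.compile(r'^Started (\w+) "([^"]+)" for (\S+) at ')
REJECTED = re.compile(
    r'^No smart proxy server found on \[(.*?)\] and is not in trusted_hosts')
COMPLETED = re.compile(r'^Completed (\d{3}) ')


def rejected_proxy_requests(log_text):
    """Return one dict per request that hit the trusted_hosts check and got a 403."""
    requests = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, stack traces, blank lines
        ts, _level, _logger, req_id, msg = m.groups()
        req = requests[req_id]  # all lines of one request share the id
        if (s := STARTED.match(msg)):
            req.update(time=ts, method=s.group(1), path=s.group(2),
                       source_ip=s.group(3))
        elif (r := REJECTED.match(msg)):
            # The bracketed list may hold several candidate hostnames.
            req["hosts"] = re.findall(r'"([^"]+)"', r.group(1))
        elif (c := COMPLETED.match(msg)):
            req["status"] = int(c.group(1))
    return [dict(request_id=rid, **req) for rid, req in requests.items()
            if req.get("status") == 403 and req.get("hosts")]


if __name__ == "__main__":
    for hit in rejected_proxy_requests(SAMPLE_LOG):
        print(hit["time"], hit["source_ip"], hit["method"], hit["path"],
              ",".join(hit["hosts"]))
```

Comparing the reported hostnames and source IPs against the list of registered smart proxies shows which entries are genuine proxies before any of them is added to the trusted hosts setting.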