Problem:
OpenScap ansible role executes with error
TASK [theforeman.foreman_scap_client : Ensure that the host has an OpenSCAP proxy assigned.] ***
206:
fatal: [foreman.domain.local]: FAILED! => {
207:
"assertion": "foreman_scap_client_server != ''",
208:
"changed": false,
209:
"evaluated_to": false,
210:
"msg": "The host does not have an OpenSCAP proxy assigned. Please assign an OpenSCAP proxy before continuing."
An OpenScap proxy has been assigned at the hostgroup level and verified in both the foreman interface and via hammer. The host also has an applied compliance policy. This issue applies to a handful of hosts in our environment, while others behave normally.
It seems the support for OpenScap related stuff is a bit lacking at the moment and I had a similar problem here → Empty/unset default value of "OpenSCAP Proxy"
I however do not want to use host groups to assign the OpenScap proxy so use a script as a workaround. Maybe something similar could work for you?
I appreciate the reply. I did see your post in my searching prior to posting. My problem isn’t just on hosts which inherit their proxy settings through the hostgroup. For whatever reason, manually assigning the proxy to individual hosts results in the same error. Its seems to me that on the hosts that work properly, foreman creates a match rule based on the FQDN of the machine which can be viewed under the ansible variable for the openscap role. These match rules never get created when assigning the openscap proxy for a bunch of my hosts. Also, note that I can confirm foreman has the correct proxy defined via the hammer output I originally posted. Its like foreman isn’t managing the ansible variable correctly. I am totally baffled as to why some of my hosts behave as expected and some don’t.
If you can confirm the openscap proxy is assigned, then I guess it comes down if the host actually has the ansible role or not and has an assigned compliance policy. When those are verified, run the ansible role and after that the scan should work.
I’m having the same issue. Random hosts present this issue despite forcing assignment (I even tried with the legacy UI command, just in case).
Nothing seems to work for them.
In my case, what I ended up doing as a workaround was manually creating the matchers for the FQDN of the affected hosts for the ansible variable foreman_scap_client_server. I’m not sure exactly why this was required as match rules had been automatically created for the hostgroups. This got me up and running though and I haven’t had any issues since.
Yeah, did that workaround too (since I found tens of other fqdn matchers already there).
I wonder if I should remove them all and leave the groups only.
Yeah. You can certainly experiment. Also I haven’t messed with my setup since several versions ago. I just upgraded to 3.16.1 yesterday. Wondering if the issue has since been fixed. What version are you on? I also have noticed that some of my hosts get duplicate network interfaces created. I believe it happens when the default ansible roles are run to collect inventory data. While seemingly un-related, when trying to assign ansible roles to hosts it will throw an error on the invalid interface until i manually go in and delete the duplicate. I wonder if this error also causes the variable to not be propagated correctly, but I haven’t done any testing since I manually created the matchers. Do you see anything like that in your installation?
