Problem installing a smart-proxy with puppet on Foreman 1.15/Katello 3.4

Hello,

I have a fresh new Foreman 1.15/Katello 3.4 installation.

I try to get a smart-proxy working with the puppet master feature, with the
puppet CA on the main Foreman server.

Problem 1 : when I try to install the smart proxy with the procedure
from Foreman :: Manual
section 'Standalone Puppet master', I can't get my smart proxy to
communicate with the main server. I get some SSL cert verification failures.

So I try the procedure
from Foreman :: Plugin Manuals,
as I have Katello installed.

The command I'm using is :

foreman-installer \
  --scenario foreman-proxy-content \
  --foreman-proxy-content-parent-fqdn "$MAINSRV" \
  --foreman-proxy-register-in-foreman "true" \
  --foreman-proxy-foreman-base-url "https://$MAINSRV" \
  --foreman-proxy-trusted-hosts "$MAINSRV" \
  --foreman-proxy-trusted-hosts "$CAPSULE" \
  --foreman-proxy-oauth-consumer-key "$OCK" \
  --foreman-proxy-oauth-consumer-secret "$OCS" \
  --foreman-proxy-content-pulp-oauth-secret "$POS" \
  --foreman-proxy-content-certs-tar "/root/${CAPSULE}-certs.tar" \
  --foreman-proxy-puppetca "false" \
  --foreman-proxy-puppet "true" \
  --foreman-proxy-tftp "false" \
  --foreman-proxy-logs "false" \
  --foreman-proxy-templates "false" \
  --puppet-server-foreman-url "https://$MAINSRV"

I also provided the keys for the puppet master, from the doc
"Foreman :: Manual", section
'SSL certificate authority setup'

Those keys are not in the certs.tar and if I don't provide them the
installer on the smart proxy recreates a puppet CA, I think.

Problem 2: during the installation of the packages, I get :

Installing : foreman-installer-katello-3.4.2-1.el7.noarch
48/48
warning: %posttrans(foreman-installer-katello-3.4.2-1.el7.noarch) scriptlet
failed, exit status 26
Non-fatal POSTTRANS scriptlet failure in rpm package
foreman-installer-katello-3.4.2-1.el7.noarch

Problem 3 : when I run the command 'foreman-installer', during the first
run I get :

'/usr/bin/pulp-gen-ca-certificate' returned 1 instead of one of [0]
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/errors.rb:106:in `fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type/exec.rb:164:in `sync'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:236:in `sync'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:134:in `sync_if_needed'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:88:in `block in perform_changes'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:87:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:87:in `perform_changes'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:21:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:230:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:246:in `eval_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:163:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:163:in `block (2 levels) in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:387:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.1.0/benchmark.rb:294:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:386:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:163:in `block in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:118:in `traverse'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:154:in `evaluate'
/usr/share/gems/gems/kafo-2.0.0/modules/kafo_configure/lib/puppet/parser/functions/add_progress.rb:30:in `evaluate_with_trigger'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:222:in `block in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log.rb:155:in `with_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/report.rb:142:in `as_logging_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:221:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:171:in `block in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:224:in `block in benchmark'
/opt/puppetlabs/puppet/lib/ruby/2.1.0/benchmark.rb:294:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:223:in `benchmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:170:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:343:in `run_internal'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:221:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:306:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:195:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:350:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:274:in `block in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:306:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:225:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:170:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:358:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:542:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:358:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:132:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:72:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
/Stage[main]/Pulp::Config/Exec[run pulp-gen-ca]/returns: change from notrun to 0 failed: '/usr/bin/pulp-gen-ca-certificate' returned 1 instead of one of [0]

The second run doesn't throw any errors anymore.

Problem 4 : I get ca = true in the section '[master]'
of /etc/puppetlabs/puppet/puppet.conf

though I used the option "--foreman-proxy-puppetca false"

Puppet runs against the smart-proxy are failing.

Problem 5 : on one of the smart proxies, I get a "Validation failed: Puppet
ca proxy does not have the Puppet CA feature" when I try

subscription-manager register --org "Default_Organization"

I suspect that there is a remnant conf. on the main server due to a
previous attempt at installing the smart proxy on which I forgot to disable
the Puppet CA feature.

But now I don't know how to get past it.

Problem 6 : by using the 'foreman-installer --scenario …
--foreman-proxy-content-certs-tar …' command, the one that allows me to
get a good communication between the main server and the smart proxies, I
don't know how to unselect the pulp content feature. It seems to be
mandatory with the scenario. So, how do you do it, or inactivate the pulp
feature afterwards ?

I'm very confused with the different doc sources :

https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html
https://theforeman.org/manuals/1.15/#3.2.3InstallationScenarios
https://theforeman.org/manuals/1.15/index.html#4.3.1SmartProxyInstallation

I can't find an example with a smart-proxy installation in a Katello
context with the puppet master feature and a shared puppet CA.

Please enlighten me. What am I doing wrong ?

Regards,

Louis Coilliot