Provisioning appears to skip over redhat_register in kickstart finish

birkirf · February 16, 2023, 5:28pm

Problem:
Provisioning a Rocky 9 host using default templates.
Everything appears correct, templates get generated as they always have but the redhat_register snippet appears to get skipped over in the finish steps and are never run.
They get generated, and i can see that they’re there in the template, they just aren’t run.

Only thing i can think of is that this happens due to some change with reading lines that are indented?

Expected outcome:
Host gets provisioned, gets repo’s properly added to host.

Foreman and Proxy versions:
Foreman 3.5.1
Katello 4.7.2

Foreman and Proxy plugin versions:
Foreman 3.5.1
Katello 4.7.2

Distribution and version:
Rocky 8

Other relevant data:

screenshot of the part where it should be running subscription manager
It’s “normal” to get those ssl errors as the external rockylinux basos is always tried as part of the default install, but after that it should install subscription-manager (if not installed) and then the katello_consumer package and register the client - this part never gets triggered even if present in the finish template generated:
The entire indented section for subscription-manager appears to not run at all

#  interface
real=`grep -l 00:50:56:89:2d:64 /sys/class/net/*/{bonding_slave/perm_hwaddr,address} 2>/dev/null | awk -F '/' '// {print $5}' | head -1`
sanitized_real=`echo $real | sed s/:/_/`

cat << EOF-b6b17c26 > /etc/sysconfig/network-scripts/ifcfg-$sanitized_real
BOOTPROTO="none"
IPADDR="10.10.10.34"
NETMASK="255.255.255.0"
GATEWAY="10.10.10.254"
DOMAIN="example.com"
DEVICE=$real
HWADDR="00:50:56:89:2d:64"
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
DEFROUTE=yes
DNS1="10.10.10.11"
DNS2="10.10.10.12"
MTU=1500
EOF-b6b17c26


systemctl restart NetworkManager


echo "Updating system time"
systemctl enable --now chronyd
/usr/bin/chronyc -a makestep
/usr/sbin/hwclock --systohc


  echo "##############################################################"
  echo "################# SUBSCRIPTION MANAGER #######################"
  echo "##############################################################"
  echo
  echo "Starting the subscription-manager registration process"

  
    # Avoid timeout accessing unreachable repo on air gapped infrastructure,
    #  assuming subscription-manager is installed in custom packages section.
    if ! rpm --query --quiet subscription-manager ; then
      if [ -f /usr/bin/dnf ]; then
        dnf -y install subscription-manager
      else
        yum -t -y install subscription-manager
      fi
    fi
  
    rpm -Uvh http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
  
    subscription-manager register --name="birkir-test.example.com" --org='org' --activationkey='Rocky 9'
  

    for subman_config_file in /etc/yum/pluginconf.d/subscription-manager.conf /etc/dnf/plugins/subscription-manager.conf; do
      if [ -f $subman_config_file ]; then
        egrep -q "^disable_system_repos=" $subman_config_file
        if [ "$?" -eq 0 ]; then
          sed s/^disable_system_repos=.*/disable_system_repos=1/ $subman_config_file >"${subman_config_file}.new"
          mv -f "${subman_config_file}.new" $subman_config_file
        else
          echo "disable_system_repos=1" >>$subman_config_file
        fi
      fi
    done
    

       if [ -f /usr/bin/dnf ]; then
         PACKAGE_MAN="dnf -y"
       else
         PACKAGE_MAN="yum -t -y"
       fi
    

    
      $PACKAGE_MAN install katello-host-tools


# update all the base packages from the updates repository
if [ -f /usr/bin/dnf ]; then
  dnf -y update
else
  yum -t -y update
fi


user_exists=false
getent passwd svc-ansible-mgmt >/dev/null 2>&1 && user_exists=true


if $user_exists; then
  mkdir -p ~svc-ansible-mgmt/.ssh

  cat << EOF >> ~svc-ansible-mgmt/.ssh/authorized_keys
ssh-rsa RSA_PUB_KEY_SHOULD_BE_HERE root@foreman.example.com
EOF

  chmod 0700 ~svc-ansible-mgmt/.ssh
  chmod 0600 ~svc-ansible-mgmt/.ssh/authorized_keys
  chown -R svc-ansible-mgmt: ~svc-ansible-mgmt/.ssh

  # Restore SELinux context with restorecon, if it's available:
  command -v restorecon && restorecon -RvF ~svc-ansible-mgmt/.ssh || true

echo "svc-ansible-mgmt ALL = (root) NOPASSWD : ALL
Defaults:svc-ansible-mgmt !requiretty" > /etc/sudoers.d/svc-ansible-mgmt
else
  echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true.  remote_execution_ssh_keys snippet will not install keys'
fi

if [ -f /usr/bin/dnf ]; then
  dnf -y install puppet-agent
else
  yum -t -y install puppet-agent
fi

cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]

[agent]
pluginsync      = true
report          = true
ca_server       = foreman.example.com
certname        = birkir-test.example.com
server          = foreman.example.com
environment     = production

EOF


puppet_unit=puppet
/usr/bin/systemctl list-unit-files | grep -q puppetagent && puppet_unit=puppetagent
/usr/bin/systemctl enable ${puppet_unit}

# export a custom fact called 'is_installer' to allow detection of the installer environment in Puppet modules
export FACTER_is_installer=true
# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
# You can select specific tag(s) with the "run-puppet-in-installer-tags" parameter
# or set a full puppet run by setting "run-puppet-in-installer" = true
echo "Performing initial puppet run for --tags no_such_tag"
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server foreman.example.com --no-daemonize


sync

exit 0

birkirf · February 20, 2023, 12:27pm

Found the issue!
At least in the latest update, RHEL9+ installations no longer use the redhat_snippet and instead use kickstart_rhsm snippet.
The kickstart_rhsm snipper is missing the part where the disable_system_repos option is set and breaks installation on networks that cant talk to the outside world.

Trying to find a good way to set it, hoping rhsm command has some fancy option for it, but having a hard time finding it.
Can’t just copy over the snippet from redhat_register as the kickstart_rhsm is run in provisioning so theres limited shell stuff, so for-loops do not exist

birkirf · February 20, 2023, 1:14pm

in order to not mess with default templates, I copied Kickstart default finish over to Kickstart default custom post and that worked for now.

If the plan is to move from using the redhat_register snippet over to using kickstart_rhsm instead, then there is clearly still some work to be done.
At least the disable_system_repos option needs to be settable for air-gapped installations such as ours, otherwise this is a massive regression in provisioning capability (by default)

gvde · March 7, 2023, 6:04am

I have just opened a topic on this EL9 kickstart using rhsm

It seems it is intended behavior of the anaconda installer to ignore the rhsm kickstart command expect for RHEL. Thus the whole rhsm command is ignored. Using it instead of the rhn_register snippet on EL9 other then RHEL 9 looks like a bug to me…