Problem:
The puppet agent is not being installed on created hosts because the package cannot be found. It looks like the epel repo that contains said puppet package is no longer being included in the kickstart. I am using the Katello Kickstart Default (Finish) templates unmodified. This worked previously and I don’t know exactly what caused it to stop. I have the EPEL repository synced but as I understand it that’s not where the puppet package comes from during kickstart. I am selecting the puppet master at creation.
Expected outcome:
Puppet agent installed during kickstart
Foreman and Proxy versions:
1.17
Foreman and Proxy plugin versions:
katello 3.6
Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]
Complete!
/sbin/restorecon
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.teklinks.com
* extras: mirror.wdc1.us.leaseweb.net
* updates: ftp.osuosl.org
No package puppet available.
Error: Nothing to do
/tmp/ks-script-FbQTiq: line 104: /etc/puppet/puppet.conf: No such file or directory
Operation failed: No such file or directory
/tmp/ks-script-FbQTiq: line 131: /usr/bin/puppet: No such file or directory
Informing Foreman that we are built
Previous installs where puppet agent was installed show the epel repo in addition to base,extras and updates.
Hi,
this it is usually caused by Puppet repos not being configured for client. The puppet_setup snippet relies on a specific host parameters to be present to configure a repo. Katello kickstart default finish already uses the snippet, so all you have to do is add the params to your host.
Thanks for your reply.
Can this be set as a global parameter or should I add it to the host groups? At one point recently i had ‘enable-puppetlabs-pc1-repo’ set as a global param and it still failed. it looks like I also need enable-puppet4? I don’t know how much clarity this brings but previously on the ‘successful’ installs the puppet version on the hosts was 3.5…
Interestingly, I don’t recall ever having set those parameters before and I was having successful puppet installs.
I have tried defining enable-puppetlabs-pc1-repo and enable-puppet4 as both global and host-level parms with the same result, package not found.
These parameters were not needed for Puppet 3 if I recall correctly, things changed a bit for Puppet 4.
I think I found the reason, could you try using a modified version of the Katello Kickstart Default (Finish) by changing :
<% if puppet_enabled %>
<%= snippet 'puppet_setup' %>
<% end -%>
into:
<% if puppet_enabled %>
<% if host_param_true?('enable-puppetlabs-pc1-repo') || host_param_true?('enable-puppetlabs-repo') || host_param_true?('enable-puppetlabs-puppet5-repo') -%>
<%= snippet 'puppetlabs_repo' %>
<% end -%>
<%= snippet 'puppet_setup' %>
<% end -%>
The puppetlabs_repo should configure the repository before the puppet_setup tries to install the puppet.
Same result, I’m afraid.
To confirm, i have set host group parameters:
enable-puppetlabs-pc1-repo | true
enable-puppet4 | true
and i am assigning the puppet master
I recently added ansible and remote execution plugins. Could this be affecting something? This install is only about a month old, few changes have been made. the remote execution snippet does execute correctly, fwiw. i havent messed with any of the puppet configuration since installing it so I am just at a loss for the cause since it was working maybe a week ago. I am able to apply configurations to hosts that were previously successful in installing puppet agent at creation, so puppet itself seems to be working fine.
Thanks for your help
Could you share the ‘compiled’ version of the template? You can go to Hosts > Provisioning Templates > Click on the template you use > Preview for the host you’re having the problem with
Maybe that will shed some light on what’s going on here
katello kickstart default
# interface
real=`grep -l 52:54:00:c1:cd:e4 /sys/class/net/*/{bonding_slave/perm_hwaddr,address} 2>/dev/null | awk -F '/' '// {print $5}' | head -1`
sanitized_real=`echo $real | sed s/:/_/`
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$sanitized_real
BOOTPROTO="dhcp"
DOMAIN="piggah.lan"
DEVICE=$real
HWADDR="52:54:00:c1:cd:e4"
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
DEFROUTE=yes
EOF
service network restart
# FreeIPA Registration Snippet
#
# Optional parameters:
#
# freeipa_server IPA server
#
# freeipa_sudo Enable sudoers
# Default: true
#
# freeipa_ssh Enable ssh integration
# Default: true
#
# freeipa_automount Enable automounter
# Default: false
#
# freeipa_automount_location Location for automounts
#
# freeipa_mkhomedir Enable automatically making home directories
# Default: true
#
# freeipa_opts Additional options to pass directly to installer
#
# freeipa_automount_server Override automount server if freeipa_automount is true and the server differs from freeipa_server
#
freeipa_client=ipa-client
/usr/sbin/sshd-keygen
yum install -y libsss_sudo $freeipa_client
##
## IPA Client Installation
##
freeipa_mkhomedir="--mkhomedir"
# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
/usr/sbin/ipa-client-install -w '2Bh@[b?C6nCz:cOJ11}zkW' --realm=PIGGAH.LAN -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_domain $freeipa_ssh
##
## Automounter
##
##
## Sudoers
##
freeipa_client_version=$(ipa-client-install --version)
freeipa_client_version_major=$(echo $freeipa_client_version | cut -f1 -d.)
freeipa_client_version_minor=$(echo $freeipa_client_version | cut -f2 -d.)
freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_domain=$(grep -A 2 domain_realm /etc/krb5.conf | tail -n1 | awk '{print $1}')
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)
sssd_version=$(sssd --version)
sssd_major=$(echo $sssd_version | cut -f1 -d.)
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
LDAP_CONFIG=$(mktemp)
# >=ipa-client-4.1.0 automatically configures sssd for sudo
# =<ipa-client-3 requires manual configuration which this snippet takes care of
if [ $freeipa_client_version_major -lt 4 ]
then
# Modify sssd.conf
sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf
# Modify sssd.conf for sssd <1.11 (RHEL <6.6)
if [ $sssd_minor -lt 11 ] || [ $sssd_major -lt 1 ]
then
krb5_server="_srv_"
cat <<EOF > $LDAP_CONFIG
sudo_provider = ldap
ldap_uri = _srv_ $ldap_uri
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$HOSTNAME
ldap_sasl_realm = $freeipa_realm
krb5_server = $krb5_server
EOF
sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
fi
# Modify nsswitch.conf
grep -q sudoers /etc/nsswitch.conf
if [[ $? -eq 0 ]];
then
sed -i -e "s/^sudoers.*/sudoers: files sss/" /etc/nsswitch.conf
else
echo "sudoers: files sss" >> /etc/nsswitch.conf
fi
# Configure nisdomain
authconfig --nisdomain ${freeipa_domain} --update
chkconfig sssd on
if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
then
domain_service=/usr/lib/systemd/system/*-domainname.service
# Workaround for BZ1071969 on RHEL 7.0
grep -q "DefaultDependencies=no" $domain_service
if [[ $? -ne 0 ]]
then
sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
fi
systemctl start $(basename $domain_service)
systemctl enable $(basename $domain_service)
fi
fi
# update local time
echo "updating system time"
/usr/sbin/ntpdate -sub 0.fedora.pool.ntp.org
/usr/sbin/hwclock --systohc
# update all the base packages from the updates repository
yum -t -y -e 0 update
# SSH keys setup snippet for Remote Execution plugin
#
# Parameters:
#
# remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
#
# remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
# authorized
#
# remote_execution_create_user: create user if it not already existing
#
# remote_execution_effective_user_method: method to switch from ssh user to
# effective user
#
# This template sets up SSH keys in any host so that as long as your public
# SSH key is in remote_execution_ssh_keys, you can SSH into a host. This only
# works in combination with Remote Execution plugin.
# The Remote Execution plugin queries smart proxies to build the
# remote_execution_ssh_keys array which is then made available to this template
# via the host's parameters. There is currently no way of supplying this
# parameter manually.
# See http://projects.theforeman.org/issues/16107 for details.
user_exists=false
getent passwd root >/dev/null 2>&1 && user_exists=true
if $user_exists; then
mkdir -p ~root/.ssh
cat << EOF >> ~root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8owbSpKYqdHz4u4YG8tn5DfkjDzFXQu7a0zYlsy+vjqEJ/JP0An+gdv593AmgWq3s7sXD3q2yHGL512ovzbxQCxZqQr7gdI0jP2RhehTSqN+kYBylk2ayPOg+fR+YfXuSlTmbGR1JA2dGwdRaL7EcuPJfgBaxnoFV3poQedhIDj8CI0ztzbkux1V/suf+KAc7qcyFJM9698h44P1Du1Abm0OWRSbogxEcb2pyMZeA/4sU8oVnhobiW7jq7QFwXyUwLJ/5d8HWUsw0BT2TWXmDtxiHzm4sVdB7gzQe2oL1PurJVc/O1jfykMIsoLhtol/pFHfwl9oPpP8Eig1SXHGx foreman-proxy@katello.piggah.lan
EOF
chmod 0700 ~root/.ssh
chmod 0600 ~root/.ssh/authorized_keys
chown -R root: ~root/.ssh
# Restore SELinux context with restorecon, if it's available:
command -v restorecon && restorecon -RvF ~root/.ssh || true
else
echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true. remote_execution_ssh_keys snippet will not install keys'
fi
if [ -f /usr/bin/dnf ]; then
dnf -y install puppet-agent
else
yum -t -y install puppet-agent
fi
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]
vardir = /opt/puppetlabs/puppet/cache
logdir = /var/log/puppetlabs/puppet
rundir = /var/run/puppetlabs
ssldir = /etc/puppetlabs/puppet/ssl
[agent]
pluginsync = true
report = true
ignoreschedules = true
ca_server = katello.piggah.lan
certname = faith-ingleton.piggah.lan
environment = production
server = katello.piggah.lan
EOF
puppet_unit=puppet
/usr/bin/systemctl list-unit-files | grep -q puppetagent && puppet_unit=puppetagent
/usr/bin/systemctl enable ${puppet_unit}
# export a custom fact called 'is_installer' to allow detection of the installer environment in Puppet modules
export FACTER_is_installer=true
# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server katello.piggah.lan --no-daemonize
exit 0
katello kickstart default modified as suggested above:
# interface
real=`grep -l 52:54:00:c1:cd:e4 /sys/class/net/*/{bonding_slave/perm_hwaddr,address} 2>/dev/null | awk -F '/' '// {print $5}' | head -1`
sanitized_real=`echo $real | sed s/:/_/`
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$sanitized_real
BOOTPROTO="dhcp"
DOMAIN="piggah.lan"
DEVICE=$real
HWADDR="52:54:00:c1:cd:e4"
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
DEFROUTE=yes
EOF
service network restart
# FreeIPA Registration Snippet
#
# Optional parameters:
#
# freeipa_server IPA server
#
# freeipa_sudo Enable sudoers
# Default: true
#
# freeipa_ssh Enable ssh integration
# Default: true
#
# freeipa_automount Enable automounter
# Default: false
#
# freeipa_automount_location Location for automounts
#
# freeipa_mkhomedir Enable automatically making home directories
# Default: true
#
# freeipa_opts Additional options to pass directly to installer
#
# freeipa_automount_server Override automount server if freeipa_automount is true and the server differs from freeipa_server
#
freeipa_client=ipa-client
/usr/sbin/sshd-keygen
yum install -y libsss_sudo $freeipa_client
##
## IPA Client Installation
##
freeipa_mkhomedir="--mkhomedir"
# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
/usr/sbin/ipa-client-install -w '2Bh@[b?C6nCz:cOJ11}zkW' --realm=PIGGAH.LAN -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_domain $freeipa_ssh
##
## Automounter
##
##
## Sudoers
##
freeipa_client_version=$(ipa-client-install --version)
freeipa_client_version_major=$(echo $freeipa_client_version | cut -f1 -d.)
freeipa_client_version_minor=$(echo $freeipa_client_version | cut -f2 -d.)
freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_domain=$(grep -A 2 domain_realm /etc/krb5.conf | tail -n1 | awk '{print $1}')
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)
sssd_version=$(sssd --version)
sssd_major=$(echo $sssd_version | cut -f1 -d.)
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
LDAP_CONFIG=$(mktemp)
# >=ipa-client-4.1.0 automatically configures sssd for sudo
# =<ipa-client-3 requires manual configuration which this snippet takes care of
if [ $freeipa_client_version_major -lt 4 ]
then
# Modify sssd.conf
sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf
# Modify sssd.conf for sssd <1.11 (RHEL <6.6)
if [ $sssd_minor -lt 11 ] || [ $sssd_major -lt 1 ]
then
krb5_server="_srv_"
cat <<EOF > $LDAP_CONFIG
sudo_provider = ldap
ldap_uri = _srv_ $ldap_uri
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$HOSTNAME
ldap_sasl_realm = $freeipa_realm
krb5_server = $krb5_server
EOF
sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
fi
# Modify nsswitch.conf
grep -q sudoers /etc/nsswitch.conf
if [[ $? -eq 0 ]];
then
sed -i -e "s/^sudoers.*/sudoers: files sss/" /etc/nsswitch.conf
else
echo "sudoers: files sss" >> /etc/nsswitch.conf
fi
# Configure nisdomain
authconfig --nisdomain ${freeipa_domain} --update
chkconfig sssd on
if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
then
domain_service=/usr/lib/systemd/system/*-domainname.service
# Workaround for BZ1071969 on RHEL 7.0
grep -q "DefaultDependencies=no" $domain_service
if [[ $? -ne 0 ]]
then
sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
fi
systemctl start $(basename $domain_service)
systemctl enable $(basename $domain_service)
fi
fi
# update local time
echo "updating system time"
/usr/sbin/ntpdate -sub 0.fedora.pool.ntp.org
/usr/sbin/hwclock --systohc
# update all the base packages from the updates repository
yum -t -y -e 0 update
# SSH keys setup snippet for Remote Execution plugin
#
# Parameters:
#
# remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
#
# remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
# authorized
#
# remote_execution_create_user: create user if it not already existing
#
# remote_execution_effective_user_method: method to switch from ssh user to
# effective user
#
# This template sets up SSH keys in any host so that as long as your public
# SSH key is in remote_execution_ssh_keys, you can SSH into a host. This only
# works in combination with Remote Execution plugin.
# The Remote Execution plugin queries smart proxies to build the
# remote_execution_ssh_keys array which is then made available to this template
# via the host's parameters. There is currently no way of supplying this
# parameter manually.
# See http://projects.theforeman.org/issues/16107 for details.
user_exists=false
getent passwd root >/dev/null 2>&1 && user_exists=true
if $user_exists; then
mkdir -p ~root/.ssh
cat << EOF >> ~root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8owbSpKYqdHz4u4YG8tn5DfkjDzFXQu7a0zYlsy+vjqEJ/JP0An+gdv593AmgWq3s7sXD3q2yHGL512ovzbxQCxZqQr7gdI0jP2RhehTSqN+kYBylk2ayPOg+fR+YfXuSlTmbGR1JA2dGwdRaL7EcuPJfgBaxnoFV3poQedhIDj8CI0ztzbkux1V/suf+KAc7qcyFJM9698h44P1Du1Abm0OWRSbogxEcb2pyMZeA/4sU8oVnhobiW7jq7QFwXyUwLJ/5d8HWUsw0BT2TWXmDtxiHzm4sVdB7gzQe2oL1PurJVc/O1jfykMIsoLhtol/pFHfwl9oPpP8Eig1SXHGx foreman-proxy@katello.piggah.lan
EOF
chmod 0700 ~root/.ssh
chmod 0600 ~root/.ssh/authorized_keys
chown -R root: ~root/.ssh
# Restore SELinux context with restorecon, if it's available:
command -v restorecon && restorecon -RvF ~root/.ssh || true
else
echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true. remote_execution_ssh_keys snippet will not install keys'
fi
rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
if [ -f /usr/bin/dnf ]; then
dnf -y install puppet-agent
else
yum -t -y install puppet-agent
fi
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]
vardir = /opt/puppetlabs/puppet/cache
logdir = /var/log/puppetlabs/puppet
rundir = /var/run/puppetlabs
ssldir = /etc/puppetlabs/puppet/ssl
[agent]
pluginsync = true
report = true
ignoreschedules = true
ca_server = katello.piggah.lan
certname = faith-ingleton.piggah.lan
environment = production
server = katello.piggah.lan
EOF
puppet_unit=puppet
/usr/bin/systemctl list-unit-files | grep -q puppetagent && puppet_unit=puppetagent
/usr/bin/systemctl enable ${puppet_unit}
# export a custom fact called 'is_installer' to allow detection of the installer environment in Puppet modules
export FACTER_is_installer=true
# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server katello.piggah.lan --no-daemonize
exit 0
subscription_manager_register is also not working yet, I’m assuming those depend on a successful puppet agent install?
The output of modified template looks ok to me, there is a command to configure the Puppet repo, then installing the agent. You do not need Puppet to use subscription manager, but those 2 issues might be related. Maybe your host lacks the access to the outside network? Did you try to ssh into your host and installing subscription-manager or configuring the puppet repo manually?
The hosts (ive been through several test runs at this point) have network access definitely. I can ssh to the host, install subscription-manager, the puppet repo or anything else manually. One thing I did find was the default kickstart template from the community templates github repository does successfully install the puppet agent. (without even needing to set the parameters. I am not sure why yet. For now I will modify that template with the parts of Katello Default that I need and continue troubleshooting the other issues. So I have at least regained the functionality for now by using the community template. Thanks for taking a look at it with me.
1 Like
