Hi, I’m working on creating a custom ISO image based on cockpit and foreman composer.
I have followed all the steps in the tutorial “Building Images & Deploying With Foreman”. I’m getting the error below while initiating the build in the foreman.
And also I need to know how to use the provisioning host to build a new VM instance based on the ISO image product repository?
Ad the question: I do not understand what you ask for. But there is currently no Image Builder integration, you need to build images yourself, publish them on an HTTP server and just tell Foreman where to download them. We plan to work on this someday, no promises tho:
Thanks, @lzap.
As I mentioned above I’m working on provisioning the host using the ISO image based on the tutorial link.
I have finished creating the ISO image using the cockpit composer as they mentioned in the tutorial and downloaded the image. By using that image I have created a product repository and uploaded the ISO file to the product repository.
What we want to know is, can we use the Image-based provisioning on the foreman?
As you (@lzap) suggested in the tutorial “if there was a way to specify the upstream URL for an image just like an upstream repository for packages, this would allow using Katello/Pulp sync feature” can’t we use the repository without the upstream URL right?
Once we added the product repository and the template on the host how do we initiate the booting process on the foreman?
Hey, @mcorr
We are still working on the above puppet CA config error. We have also tried removing the old ssl and generating the new ssl key, still getting the same error.
Have you followed the steps mentioned in the Error wiki:
See Foreman :: Manual, scroll down a little for the Puppet CA configuration and the sudoers rules are listed. These should be in /etc/sudoers.d/foreman-proxy and the file should have -r--r----- (0440) permissions.
How much work would you estimate it would be to help you connect these dots and make this functionality real?
HBAIT is working with me on this and while I am ok with workarounds, I’m also not opposed to helping the community if it’s not going to kill us. After all… you all have been very helpful to us!
Problem is, this is still pretty early in development in both Anaconda (RHEL/Fedora) and Image Builder. There are known issues and quirks, that’s why I kept this chapter pretty slim - we actually do not dive into this as this is all changing (just a week ago another bug was found and folks are working on it).
So for now, I think linking RHEL docs is the way to go. We can extend this later on.
If you mean the Puppet CA removal error, I am not sure about this one. I suppose this works out of the box if you used our installer? Any idea why CA removal request would fail with X509 error @ekohl?
To your question - it is really hard to give good advice without pretty much any context. This thread is lacking on the input front, the OP did not care to even follow our support post template where we ask very basic things like Foreman and OS version. And that is just a beginning, we need to know much more - how it was installed, if custom certificates were attempted to be used, etc.
Currently, we have completed building the ISO image using the cockpit and we are trying to provision the host using the foreman server.
On the foreman we have created the products and uploaded the file to the repositories. We have also created a new installation media based on the created products, configured it with the operating system, and created the new host.
While deploying the host we are getting the Puppet CA removal error (“Screenshot by Lightshot”) and we are not able to initiate the build process.
@ekohl do you have an idea why Puppet CA would fail to remove CA during provisioning? I mean, isn’t this an action that should happen during deletion of a host?
What exact Foreman and Foreman Proxy do you use? This is not Puppet CA response, but rather a Foreman (smart) proxy response. Was this instance installed with the foreman-installer? What is your Puppet CA version? Could you please enable Foreman proxy debug log level, restart it and then upload smart-proxy.log from when you observe the failure? I vaguely remember that e.g. a wrong version in /etc/foreman-proxy/settings.d/puppetca.yml could have caused that. Try investigating /etc/foreman-proxy/settings.d/puppetca*.yml if you see anything goofy. Thanks
What @Marek_Hulan said is correct. This error shows up when Foreman Proxy tries to connect to PuppetCA. It only does that if it’s Puppet 6 or newer so you should be looking at /etc/foreman-proxy/settings.d/puppetca_http_api.yml. There the puppet_ssl_ca file is pointing to a file that’s used to validate the connection (as specified in puppet_url). So the easiest way to replicate it is curl --cacert $puppet_ssl_ca $puppet_url. That must succeed.
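The check described in the reply above, as an added shell example that is not part of the original thread or of Foreman's own tooling: it reads `puppet_url` and `puppet_ssl_ca` from the settings file and repeats the curl validation. The `:key: value` file layout and the function names `proxy_setting` and `check_puppetca_tls` are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the smart proxy's TLS validation of the Puppet CA URL.
# Assumed settings layout (one ":key: value" pair per line), e.g.:
#   :puppet_url: https://puppet.example.com:8140
#   :puppet_ssl_ca: /path/to/ca.pem

# Print the value of a key from a smart-proxy settings file.
# $1 = settings file, $2 = key name without colons. Commented lines are skipped.
proxy_setting() {
    sed -n "s/^[[:space:]]*:\{0,1\}$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" |
        head -n 1
}

# Validate puppet_url against puppet_ssl_ca, as the proxy has to.
# Returns 2 if a setting is missing, 3 if the CA file is unreadable,
# otherwise the exit status of openssl/curl.
check_puppetca_tls() {
    conf=${1:-/etc/foreman-proxy/settings.d/puppetca_http_api.yml}
    url=$(proxy_setting "$conf" puppet_url)
    ca=$(proxy_setting "$conf" puppet_ssl_ca)

    [ -n "$url" ] && [ -n "$ca" ] || {
        echo "puppet_url or puppet_ssl_ca is not set in $conf" >&2
        return 2
    }
    [ -r "$ca" ] || {
        echo "CA file $ca is missing or not readable by $(id -un)" >&2
        return 3
    }

    # Show which CA certificate is configured and when it expires.
    openssl x509 -in "$ca" -noout -subject -enddate || return $?

    # No -k/--insecure: a certificate that does not chain to $ca, or a host
    # name that does not match the URL, must show up as a failure here.
    curl --silent --show-error --output /dev/null --cacert "$ca" "$url"
}

# Run the check only when a settings file is given on the command line.
if [ "$#" -gt 0 ]; then
    check_puppetca_tls "$1"
fi
```

Run it as the account the proxy service runs under, so that file permission problems on the CA file surface as well as certificate errors.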
We have mentioned all the versions and also added the puppet ca debug log, please have a look at the above screenshot.
We will also try to investigate the puppet ca YAML file and we will also start looking at the puppet_ssl_ca file which is pointing to a file that’s used to validate the connection.
As mentioned in the feedback, we checked the connection path /etc/foreman-proxy/settings.d/puppetca_http_api.yml, and we found this connection path in the YAML file.