Problem:
The remote execution plugin fails to execute.
This is how I installed the foreman-smart-proxy:
foreman-installer \
--no-enable-foreman \
--no-enable-foreman-cli \
--enable-foreman-proxy \
--enable-foreman-proxy-plugin-remote-execution-ssh \
--enable-foreman-proxy-plugin-discovery \
--foreman-proxy-puppet=true \
--foreman-proxy-plugin-discovery-install-images=true \
--foreman-proxy-templates=true \
--foreman-proxy-template-url=http://foreman-proxy.example.com:8000 \
--foreman-proxy-templates-listen-on=both \
--foreman-proxy-puppetca=true \
--foreman-proxy-tftp=true \
--foreman-proxy-http=true \
--foreman-proxy-foreman-ssl-ca=/etc/foreman-proxy/ca.pem \
--foreman-proxy-foreman-ssl-cert=/etc/foreman-proxy/cert.pem \
--foreman-proxy-foreman-ssl-key=/etc/foreman-proxy/key.pem \
--foreman-proxy-foreman-base-url=https://foreman.example.com \
--foreman-proxy-trusted-hosts=foreman.example.com \
--foreman-proxy-oauth-consumer-key=... \
--foreman-proxy-oauth-consumer-secret=...
If I am running a task on a host that is using the smart-proxy, it fails:
tailf /var/log/foreman-proxy/proxy.log
shows:
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `call'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2020-02-24T13:42:36 94d4b09f [I] Finished GET /dynflow/tasks/count with 500 (43.48 ms)
/var/log/foreman-proxy/smart_proxy_dynflow_core.log
shows:
/opt/rh/rh-ruby25/root/usr/share/ruby/webrick/server.rb:297:in `block in start_thread'SSL_accept returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)
/opt/rh/rh-ruby25/root/usr/share/ruby/webrick/server.rb:299:in `accept'
/opt/rh/rh-ruby25/root/usr/share/ruby/webrick/server.rb:299:in `block (2 levels) in start_thread'
/opt/rh/rh-ruby25/root/usr/share/ruby/webrick/utils.rb:263:in `timeout'
/opt/rh/rh-ruby25/root/usr/share/ruby/webrick/server.rb:297:in `block in start_thread'^C
The config seems fine to me:
vim /etc/smart_proxy_dynflow_core/settings.yml
---
# Path to dynflow database, leave blank for in-memory non-persistent database
:database:
:console_auth: true
# URL of the foreman, used for reporting back
:foreman_url: https://foreman.example.com
# SSL settings for client authentication against foreman.
:foreman_ssl_ca: /etc/foreman-proxy/ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/cert.pem
:foreman_ssl_key: /etc/foreman-proxy/key.pem
# Listen on address
:listen: 0.0.0.0
# Listen on port
:port: 8008
:use_https: true
:ssl_ca_file: /etc/foreman-proxy/ca.pem
:ssl_certificate: /etc/foreman-proxy/cert.pem
:ssl_private_key: /etc/foreman-proxy/key.pem
# :ssl_ca_file: ssl/ca.pem
# :ssl_private_key: ssl/localhost.pem
# :ssl_certificate: ssl/certs/localhost.pem
# Use this option only if you need to disable certain cipher suites.
# Note: we use the OpenSSL suite name, take a look at:
# https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
# for more information.
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
# Use this option only if you need to strictly specify TLS versions to be
# disabled. SSLv3 and TLS v1.0 are always disabled and cannot be configured.
# Specify versions like: '1.1', or '1.2'
#:tls_disabled_versions: []
# File to log to, leave empty for logging to STDOUT
# :log_file: /var/log/foreman-proxy/smart_proxy_dynflow_core.log
# Log level, one of UNKNOWN, FATAL, ERROR, WARN, INFO, DEBUG
# :log_level: ERROR
Expected outcome:
Working task execution
Foreman and Proxy versions:
Foreman (main)
Discovery
Version
1.0.5
Dynflow
Version
0.2.4
HTTPBoot
Version
1.24.2
SSH
Version
0.2.1
TFTP
Version
1.24.2
TFTP server
false
Foreman (Smart Proxy)
Discovery
Version
1.0.5
Dynflow
Version
0.2.4
HTTPBoot
Version
1.24.2
SSH
Version
0.2.1
TFTP
Version
1.24.2
TFTP server
false
Templates
Version
1.24.2