Setting puppet certs in cloud-init

Hello,

Can we add the required certificates in the user_data template via a
macro? We have to deploy some machines that will not have access to
the CA proxy, only to a puppet master. Is this possible?

Best regards,
Cristian Falcas

No, since Foreman doesn't ever get a copy of the certificate or private
key for the host. Theoretically it could be extended to generate a key
instead of manage autosign I suppose, but it'd need work on the proxy too.

On 04/02/14 06:33, Cristian Falcas wrote:


Dominic Cleal
Red Hat Engineering

Hi,

I have an OpenStack test environment; I have installed OpenStack, Puppet
master and Foreman. Now I want to integrate them in such a way that when I
create an OpenStack stack instance, it is automatically added to the
specific Foreman host group I specify with the command, and the Puppet agent
runs on it after boot. How can that be done? Some steps? Thanks.

On Tuesday, February 4, 2014 at 7:33:40 AM UTC+1, Cristian Falcas wrote:

Hi,

Thank you for the reply.

I have one more question if you don't mind.

When using user_data with cloud-init, is a puppet run only possible
with autosign? Or can we make the foreman/puppetmaster CA sign the
certificate after the machine is built?

I see on a template this code:

/usr/bin/wget --quiet --output-document=/dev/null
--no-check-certificate <%= foreman_url('built') %>

But when I try to use it it gets me this:
HTTP request sent, awaiting response... 405 Method Not Allowed
2014-02-06 12:28:58 ERROR 405: Method Not Allowed.

The same if I use https:
Self-signed certificate encountered.
HTTP request sent, awaiting response... 405 Method Not Allowed
2014-02-06 12:29:12 ERROR 405: Method Not Allowed.

Do I have to enable autosigning?

Best regards,
Cristian Falcas

On Thu, Feb 6, 2014 at 11:58 AM, Dominic Cleal wrote:

> Hi,
>
> Thank you for the reply.
>
> I have one more question if you don't mind.
>
> When using user_data with cloud-init, is a puppet run only possible
> with autosign? Or can we make the foreman/puppetmaster CA sign the
> certificate after the machine is built?

Yes, only using Foreman's autosign integration (gets added when creating
the VM, removed when "built" is called).

> I see on a template this code:
>
> /usr/bin/wget --quiet --output-document=/dev/null
> --no-check-certificate <%= foreman_url('built') %>
>
> But when I try to use it it gets me this:
> HTTP request sent, awaiting response... 405 Method Not Allowed
> 2014-02-06 12:28:58 ERROR 405: Method Not Allowed.
>
> The same if I use https:
> Self-signed certificate encountered.
> HTTP request sent, awaiting response... 405 Method Not Allowed
> 2014-02-06 12:29:12 ERROR 405: Method Not Allowed.

What do Foreman's logs say? (/var/log/foreman/production.log)

> Do I have to enable autosigning?

Not if Foreman's managing your Puppet CA.

On 06/02/14 17:41, Cristian Falcas wrote:


Dominic Cleal
Red Hat Engineering

Logs from foreman:

Started GET "/unattended/built?token=6f04e6bb-3f58-4f7c-888f-49a22e7a9d5f"
for 172.16.51.113 at 2014-02-06 12:52:18 -0500
Processing by UnattendedController#built as */*
Parameters: {"token"=>"6f04e6bb-3f58-4f7c-888f-49a22e7a9d5f"}
Found sdaf.va-aws.company.net
Filter chain halted as :allowed_to_install? rendered or redirected
Completed 405 Method Not Allowed in 8ms (ActiveRecord: 1.7ms)

When I start the first puppet run it says this:
puppet agent --config /etc/puppet/puppet.conf --onetime --tags
no_such_tag --server puppet.company.net --no-daemonize
Exiting; no certificate found and waitforcert is disabled

So I have to manually sign the certificate for puppet to run.

On Thu, Feb 6, 2014 at 7:46 PM, Dominic Cleal wrote:

Is the host in build state at that point? Seems like maybe it's already
been and gone.

On 06/02/14 17:54, Cristian Falcas wrote:


Dominic Cleal
Red Hat Engineering

You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/groups/opt_out.

Actually, I've read more about what foreman_url('built') does and it
works as expected: the machine goes from building to normal state.

But the certificates are still not signed for puppet.

After the build command is sent, I see this in the logs:

Started POST "/unattended/built?token=161d7e5d-69ca-4314-ae0a-152f6d578f97"
for 172.16.51.19 at 2014-02-06 13:09:05 -0500
Processing by UnattendedController#built as */*
Parameters: {"instance_id"=>"i-22701203",
"hostname"=>"ip-172-16-51-19", "pub_key_dsa"=>"ssh-dss
...
\n", "pub_key_ecdsa"=>"N/A", "pub_key_rsa"=>"ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAvb7xQhsVyQppndOLuOCoMe51z1Bhejim1C7sPV3K3KC48kh/ggrHpzsoNyrrq07dD6QhAOJH134Kjdu4r/2Z1xsHh8BHRn01gfMr/m4EFd1U1/pVB4ZY04SmVXAZJ+CFsaMojvU0wwlQxPhY3/wPhuiSmG+x04rIQm9e/Obof52rGlsuhTmTBa0JIXQDmNsxLcsIF3O65jmA6V/HUfyulR09MRbEqv2Dqp0osoYQGgH1u/xGIBCuh0pM8rf8LEtJYi5mK+RKuREVgejRA0ePLorsFLM+xG6MrD2Y3X+nbEl2TBvSavy9k3tgfkzNQfb5f8bKvZ0GeXj9LCdShnWDPw==
\n", "token"=>"161d7e5d-69ca-4314-ae0a-152f6d578f97"}
WARNING: Can't verify CSRF token authenticity
Found sdafasd.va-aws.company.net
unattended: sdafasd.va-aws.company.net is Built!
Delete the autosign entry for sdafasd.va-aws.company.net
Completed 201 Created in 305ms (ActiveRecord: 13.8ms)

Best regards,

On Thu, Feb 6, 2014 at 7:54 PM, Cristian Falcas wrote:

The access to foreman_url('built') is doing the proper thing after all:

  • host is in building state
  • I access the url
  • host goes to build state

I think I may have the order wrong for the commands.

Is puppet supposed to run before the host goes in build state? Because
now I first access the foreman url and after that try to do the puppet
run.

On Thu, Feb 6, 2014 at 8:00 PM, Dominic Cleal wrote:

Correct, run Puppet first as the autosign entry is removed when you set
the host to "built".

Look at any of the %post/finish sections from our default templates, or
this finish script for preseed for an example:

https://github.com/theforeman/community-templates/blob/master/preseed/finish.erb

On 06/02/14 19:51, Cristian Falcas wrote:


Dominic Cleal
Red Hat Engineering
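The ordering Dominic describes, spelled out as an added example (editor's code, not a Foreman template and not anything posted in this thread): a finish-style user_data script that runs the Puppet agent first, while the autosign entry Foreman created for the host still exists, and only then calls the built URL, which removes that entry. The Puppet server name and the agent command line are taken from this thread; the Foreman URL, the token and the CA bundle path are constructed placeholders standing in for what `<%= foreman_url('built') %>` and the host's settings would render. Where a CA bundle is present it verifies the Foreman certificate with wget's `--ca-certificate` rather than the template's `--no-check-certificate`, since the per-host token in that URL is what authenticates the call.

```shell
#!/bin/sh
# Added example (not from the Foreman project or this thread): a finish-style
# user_data script doing the two steps in the order the thread settles on.
# The values below are constructed stand-ins for what a Foreman template
# would render (the built URL comes from <%= foreman_url('built') %>).
set -u

PUPPET_SERVER="${PUPPET_SERVER:-puppet.company.net}"
BUILT_URL="${BUILT_URL:-https://foreman.example.com/unattended/built?token=00000000-0000-4000-8000-000000000000}"
# Assumed location of a CA bundle that trusts the Foreman server certificate.
FOREMAN_CA="${FOREMAN_CA:-/etc/pki/tls/certs/foreman-ca.pem}"
PUPPET_ATTEMPTS="${PUPPET_ATTEMPTS:-3}"
RETRY_DELAY="${RETRY_DELAY:-10}"

# Step 1: let the agent generate its key, submit the CSR and fetch the signed
# certificate while Foreman's autosign entry for this host still exists. The
# bogus tag (as on this page) means no classes are applied yet; only the
# certificate exchange and the facts upload happen. Retries cover a server
# that is not reachable yet. "Exiting; no certificate found and waitforcert
# is disabled" is what a failed attempt looks like, and we never go past it.
run_puppet_first() {
    i=1
    while [ "$i" -le "$PUPPET_ATTEMPTS" ]; do
        if puppet agent --onetime --no-daemonize \
                --server "$PUPPET_SERVER" --tags no_such_tag; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -le "$PUPPET_ATTEMPTS" ]; then
            sleep "$RETRY_DELAY"
        fi
    done
    return 1
}

# Step 2: only now tell Foreman the host is built. Foreman deletes the
# autosign entry at this point (and answers 405 once the host is no longer
# in build mode), so calling it before step 1 leaves a CSR nobody will sign.
# Verify TLS when a CA bundle is present instead of disabling the check; the
# token in the URL is what authenticates this request.
mark_built() {
    if [ -r "$FOREMAN_CA" ]; then
        wget --quiet --output-document=/dev/null \
            --ca-certificate="$FOREMAN_CA" "$BUILT_URL"
    else
        wget --quiet --output-document=/dev/null \
            --no-check-certificate "$BUILT_URL"
    fi
}

# Returns 0 when both steps succeeded in order, 1 when the host was left in
# build mode because the agent never obtained a certificate.
provision_host() {
    if ! run_puppet_first; then
        echo "puppet agent got no certificate; leaving host in build mode" >&2
        return 1
    fi
    mark_built
}

# cloud-init runs this file as a script; the guard lets it also be sourced
# (as a test harness would) without touching puppet or Foreman.
if [ "${FOREMAN_FINISH_RUN:-0}" = "1" ]; then
    provision_host
fi
```

Run as user_data with FOREMAN_FINISH_RUN=1 exported at the top (or the guard dropped). If the agent never gets a certificate the script exits non-zero without calling the built URL, so the host stays in build mode and the autosign entry is still there when you fix connectivity and rerun it, instead of ending up where this thread started, with a CSR that has to be signed by hand.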

Just to let others know that it's working as expected after running
puppet before contacting the build url.

On Fri, Feb 7, 2014 at 11:01 AM, Dominic Cleal wrote: