Several issues with httpboot - port 8000, tftp not http, and http on port 8443

Problem:

Ultimately, my problem is I’m unable to Grub2 UEFI HTTP boot. I think it starts with not having anything listening on port 8000 so I think it may be a good place to start. But, the other issues (that may be downstream from that) are: (1) my host that is configured to use Grub2 UEFI HTTP as its PXE Loader is using tftp (packet trace shows in.tftpd - I think it ought to be using http; and, (2) it’s attempting to contact the HTTPBoot host (my smartproxy) via HTTP over port 8443, which I thought would be a protocol mismatch (http://smartproxy:8443). Again, perhaps all of these issues would clear up if I can determine why foreman-proxy service isn’t listening on port 8000.

Expected outcome:

I’d like to HTTPBoot UEFI. I was expecting to be able to pull grubx64.efi down via http on port 8000 but nothing is running on port 8000.

Foreman and Proxy versions:

Foreman version 1.20
Smart Proxy version 1.24
(There is a mismatch but I am hoping that it doesn’t have anything to do with foreman-proxy starting on port 8000.)

Foreman and Proxy plugin versions:

I am unsure. Is listening on port 8000 built in?

Distribution and version:

Foreman: CentOS 7.6
Smart Proxy: CentOS 7.7

Other relevant data:

2019-11-13T13:44:12  [I] WEBrick::HTTPServer#start done.
2019-11-13T13:44:13  [I] Successfully initialized 'discovery'
2019-11-13T13:44:13  [I] Successfully initialized 'foreman_proxy'
2019-11-13T13:44:13  [I] Successfully initialized 'dns_infoblox'
2019-11-13T13:44:13  [I] Successfully initialized 'dns'
2019-11-13T13:44:13  [I] Successfully initialized 'tftp'
2019-11-13T13:44:13  [I] Starting allocated ip address maintenance (used by unused_ip call).
2019-11-13T13:44:13  [I] Successfully initialized 'dhcp_isc'
2019-11-13T13:44:13  [I] Successfully initialized 'dhcp'
2019-11-13T13:44:13  [I] Successfully initialized 'logs'
2019-11-13T13:44:13  [I] Successfully initialized 'httpboot'
2019-11-13T13:44:13  [I] WEBrick 1.3.1
2019-11-13T13:44:13  [I] ruby 2.0.0 (2015-12-16) [x86_64-linux]
2019-11-13T13:44:13  [I] 
Certificate:
<...cert info removed...>
2019-11-13T13:44:13  [I] WEBrick::HTTPServer#start: pid=1818 port=8443
2019-11-13T13:44:13  [I] Smart proxy has launched on 1 socket(s), waiting for requests
2019-11-13T15:38:26 72ae0dd5 [I] Started GET /version 
2019-11-13T15:38:26 72ae0dd5 [I] Finished GET /version with 200 (5.61 ms)

Looking at what is listening:

[root@smartproxy-hyperv ~]# ss -nap | grep -e 'ruby\|8443\|8000'
u_str  ESTAB      0      0         * 27912                 * 26969               users:(("ruby",pid=1818,fd=2),("ruby",pid=1818,fd=1))
tcp    LISTEN     0      128    [::]:8443               [::]:*                   users:(("ruby",pid=1818,fd=10))

I don’t see any indicators as to what may be preventing anything from listening on port 8000

[root@smartproxy-hyperv ~]# cat /etc/foreman-installer/scenarios.d/foreman-answers.yaml 
# Format:
# <classname>: false - don't include this class
# <classname>: true - include and use the defaults
# <classname>:
#   <param>: <value> - include and override the default(s)
#
# See params.pp in each class for what options are available

---
foreman: false
foreman::cli: false
foreman::cli::ansible: false
foreman::cli::discovery: false
foreman::cli::kubevirt: false
foreman::cli::openscap: false
foreman::cli::remote_execution: false
foreman::cli::tasks: false
foreman::cli::templates: false
foreman_proxy:
  repo: stable
  gpgcheck: true
  version: present
  ensure_packages_version: present
  plugin_version: installed
  bind_host:
  - '*'
  http_port: 8000
  ssl_port: 8443
  dir: /usr/share/foreman-proxy
  user: foreman-proxy
  groups: []
  log: /var/log/foreman-proxy/proxy.log
  log_level: DEBUG
  log_buffer: 2000
  log_buffer_errors: 1000
  http: true
  ssl: true
  ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
  ssl_cert: /etc/puppetlabs/puppet/ssl/certs/smartproxy-hyperv.example.com.pem
  ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/smartproxy-hyperv.example.com.pem
  foreman_ssl_ca: 
  foreman_ssl_cert: 
  foreman_ssl_key: 
  trusted_hosts:
  - foreman.example.com
  - 10.61.75.9
  - smartproxy-hyperv.example.com
  ssl_disabled_ciphers: []
  tls_disabled_versions: []
  manage_sudoersd: true
  use_sudoersd: true
  use_sudoers: true
  puppetca: false
  puppetca_split_configs: true
  puppetca_listen_on: https
  ssldir: /etc/puppetlabs/puppet/ssl
  puppetdir: /etc/puppetlabs/puppet
  puppetca_cmd: /opt/puppetlabs/bin/puppet cert
  puppet_group: puppet
  puppetca_provider: puppetca_hostname_whitelisting
  autosignfile: /etc/puppetlabs/puppet/autosign.conf
  puppetca_sign_all: false
  puppetca_tokens_file: /var/lib/foreman-proxy/tokens.yml
  puppetca_token_ttl: 360
  puppetca_certificate: 
  manage_puppet_group: false
  puppet: false
  puppet_listen_on: https
  puppetrun_provider: 
  customrun_cmd: /bin/false
  customrun_args: -ay -f -s
  mcollective_user: root
  puppetssh_sudo: false
  puppetssh_command: /opt/puppetlabs/bin/puppet agent --onetime --no-usecacheonfailure
  puppetssh_user: root
  puppetssh_keyfile: /etc/foreman-proxy/id_rsa
  puppetssh_wait: false
  salt_puppetrun_cmd: puppet.run
  puppet_user: root
  puppet_url: https://smartproxy-hyperv.example.com:8140
  puppet_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
  puppet_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/smartproxy-hyperv.example.com.pem
  puppet_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/smartproxy-hyperv.example.com.pem
  puppet_api_timeout: 30
  templates: false
  templates_listen_on: both
  template_url: http://smartproxy-hyperv.example.com:8000
  logs: true
  logs_listen_on: both
  httpboot: true
  httpboot_listen_on: http
  tftp: true
  tftp_listen_on: both
  tftp_managed: true
  tftp_manage_wget: true
  tftp_syslinux_filenames:
  - /usr/share/syslinux/chain.c32
  - /usr/share/syslinux/mboot.c32
  - /usr/share/syslinux/menu.c32
  - /usr/share/syslinux/memdisk
  - /usr/share/syslinux/pxelinux.0
  tftp_root: /var/lib/tftpboot
  tftp_dirs:
  - /var/lib/tftpboot/pxelinux.cfg
  - /var/lib/tftpboot/grub
  - /var/lib/tftpboot/grub2
  - /var/lib/tftpboot/boot
  - /var/lib/tftpboot/ztp.cfg
  - /var/lib/tftpboot/poap.cfg
  tftp_servername: 10.61.17.254
  tftp_replace_grub2_cfg: false
  dhcp: true
  dhcp_listen_on: https
  dhcp_managed: true
  dhcp_provider: isc
  dhcp_subnets:
  - 10.61.179.0/24
  dhcp_option_domain:
  - example.com
  dhcp_search_domains:
  - example.com
  dhcp_interface: eth0
  dhcp_additional_interfaces: []
  dhcp_gateway: 10.61.17.1
  dhcp_range: 10.61.17.20 10.61.17.240
  dhcp_pxeserver: 10.61.17.254
  dhcp_pxefilename: pxelinux.0
  dhcp_network: 10.61.17.0
  dhcp_netmask: 255.255.255.0
  dhcp_nameservers: 10.35.35.35
  dhcp_server: 127.0.0.1
  dhcp_config: /etc/dhcp/dhcpd.conf
  dhcp_leases: /var/lib/dhcpd/dhcpd.leases
  dhcp_key_name: 
  dhcp_key_secret: 
  dhcp_omapi_port: 7911
  dhcp_peer_address: 
  dhcp_node_type: standalone
  dhcp_failover_address: 10.61.17.254
  dhcp_failover_port: 519
  dhcp_max_response_delay: 30
  dhcp_max_unacked_updates: 10
  dhcp_mclt: 300
  dhcp_load_split: 255
  dhcp_load_balance: 3
  dhcp_manage_acls: true
  dns: true
  dns_listen_on: both
  dns_managed: true
  dns_provider: infoblox
  dns_interface: eth0
  dns_zone: example.com
  dns_reverse:
  - 17.61.10.in-addr.arpa
  dns_server: 10.35.35.35
  dns_ttl: 86400
  dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
  dns_tsig_principal: foremanproxy/smartproxy-hyperv.example.com@EXAMPLE.COM
  dns_forwarders:
  - 10.35.35.35
  - 10.36.36.36
  libvirt_network: default
  libvirt_connection: qemu:///system
  bmc: true
  bmc_listen_on: both
  bmc_default_provider: ipmitool
  bmc_ssh_user: root
  bmc_ssh_key: /usr/share/foreman/.ssh/id_rsa
  bmc_ssh_powerstatus: 'true'
  bmc_ssh_powercycle: shutdown -r +1
  bmc_ssh_poweroff: shutdown +1
  bmc_ssh_poweron: 'false'
  realm: false
  realm_listen_on: https
  realm_provider: freeipa
  realm_keytab: /etc/foreman-proxy/freeipa.keytab
  realm_principal: realm-proxy@EXAMPLE.COM
  freeipa_config: /etc/ipa/default.conf
  freeipa_remove_dns: true
  keyfile: /etc/rndc.key
  register_in_foreman: true
  foreman_base_url: https://foreman.example.com
  registered_name: smartproxy-hyperv.example.com
  registered_proxy_url: 
  oauth_effective_user: admin
  oauth_consumer_key: *****
  oauth_consumer_secret: ******
puppet:
  version: present
  user: puppet
  group: puppet
  dir: /etc/puppetlabs/puppet
  codedir: /etc/puppetlabs/code
  vardir: /opt/puppetlabs/puppet/cache
  logdir: /var/log/puppetlabs/puppet
  rundir: /var/run/puppetlabs
  ssldir: /etc/puppetlabs/puppet/ssl
  sharedir: /opt/puppetlabs/puppet
  manage_packages: true
  dir_owner: root
  dir_group: 
  package_provider: 
  package_source: 
  port: 8140
  listen: false
  listen_to: []
  pluginsync: true
  splay: false
  splaylimit: 1800
  autosign: /etc/puppetlabs/puppet/autosign.conf
  autosign_entries: []
  autosign_mode: '0664'
  autosign_content: 
  autosign_source: 
  runinterval: 1800
  usecacheonfailure: true
  runmode: service
  run_hour: 
  run_minute: 
  unavailable_runmodes: []
  cron_cmd: 
  systemd_cmd: 
  systemd_randomizeddelaysec: 0
  agent_noop: false
  show_diff: false
  module_repository: 
  http_connect_timeout: 
  http_read_timeout: 
  ca_server: 
  ca_port: 
  ca_crl_filepath: 
  prerun_command: 
  postrun_command: 
  dns_alt_names: []
  use_srv_records: false
  srv_domain: example.com
  pluginsource: puppet:///plugins
  pluginfactsource: puppet:///pluginfacts
  additional_settings: {}
  agent_additional_settings: {}
  agent_restart_command: /usr/bin/systemctl reload-or-restart puppet
  classfile: $statedir/classes.txt
  hiera_config: $confdir/hiera.yaml
  auth_template: puppet/auth.conf.erb
  allow_any_crl_auth: false
  auth_allowed:
  - $1
  client_package:
  - puppet-agent
  agent: true
  remove_lock: true
  report: true
  client_certname: smartproxy-hyperv.example.com
  puppetmaster: 
  systemd_unit_name: puppet-run
  service_name: puppet
  syslogfacility: 
  environment: production
  server: true
  server_admin_api_whitelist:
  - localhost
  - smartproxy-hyperv.example.com
  server_manage_user: true
  server_user: puppet
  server_group: puppet
  server_dir: /etc/puppetlabs/puppet
  server_ip: 0.0.0.0
  server_port: 8140
  server_ca: true
  server_ca_crl_sync: false
  server_crl_enable: 
  server_ca_auth_required: true
  server_ca_client_whitelist:
  - localhost
  - smartproxy-hyperv.example.com
  server_custom_trusted_oid_mapping: 
  server_http: false
  server_http_port: 8139
  server_reports: foreman
  server_puppetserver_dir: /etc/puppetlabs/puppetserver
  server_puppetserver_vardir: /opt/puppetlabs/server/data/puppetserver
  server_puppetserver_rundir: /var/run/puppetlabs/puppetserver
  server_puppetserver_logdir: /var/log/puppetlabs/puppetserver
  server_puppetserver_version: 
  server_external_nodes: /etc/puppetlabs/puppet/node.rb
  server_cipher_suites:
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA
  server_config_version: 
  server_connect_timeout: 120000
  server_git_repo: false
  server_default_manifest: false
  server_default_manifest_path: /etc/puppet/manifests/default_manifest.pp
  server_default_manifest_content: ''
  server_environments_owner: puppet
  server_environments_group: 
  server_environments_mode: '0755'
  server_envs_dir: /etc/puppetlabs/code/environments
  server_envs_target: 
  server_common_modules_path:
  - /etc/puppetlabs/code/environments/common
  - /etc/puppetlabs/code/modules
  - /opt/puppetlabs/puppet/modules
  - /usr/share/puppet/modules
  server_git_repo_mode: '0755'
  server_git_repo_path: /opt/puppetlabs/puppet/cache/puppet.git
  server_git_repo_group: puppet
  server_git_repo_user: puppet
  server_git_branch_map: {}
  server_idle_timeout: 1200000
  server_post_hook_content: puppet/server/post-receive.erb
  server_post_hook_name: post-receive
  server_storeconfigs_backend: 
  server_ruby_load_paths:
  - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby
  server_ssl_dir: /etc/puppetlabs/puppet/ssl
  server_ssl_dir_manage: true
  server_ssl_key_manage: true
  server_ssl_protocols:
  - TLSv1.2
  server_ssl_chain_filepath: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
  server_package: 
  server_version: 
  server_certname: smartproxy-hyperv.example.com
  server_enc_api: v2
  server_report_api: v2
  server_request_timeout: 60
  server_strict_variables: false
  server_additional_settings: {}
  server_foreman: true
  server_foreman_url: https://smartproxy-hyperv.example.com
  server_foreman_ssl_ca: 
  server_foreman_ssl_cert: 
  server_foreman_ssl_key: 
  server_foreman_facts: true
  server_puppet_basedir: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet
  server_puppetdb_host: 
  server_puppetdb_port: 8081
  server_puppetdb_swf: false
  server_parser: current
  server_environment_timeout: 
  server_jvm_java_bin: /usr/bin/java
  server_jvm_config: /etc/sysconfig/puppetserver
  server_jvm_min_heap_size: 2G
  server_jvm_max_heap_size: 2G
  server_jvm_extra_args: 
  server_jvm_cli_args: 
  server_jruby_gem_home: /opt/puppetlabs/server/data/puppetserver/jruby-gems
  server_max_active_instances: 2
  server_max_requests_per_instance: 0
  server_max_queued_requests: 0
  server_max_retry_delay: 1800
  server_use_legacy_auth_conf: false
  server_check_for_updates: true
  server_environment_class_cache_enabled: false
  server_allow_header_cert_info: false
  server_web_idle_timeout: 30000
  server_puppetserver_jruby9k: false
  server_puppetserver_metrics: 
  server_metrics_jmx_enable: true
  server_metrics_graphite_enable: false
  server_metrics_graphite_host: 127.0.0.1
  server_metrics_graphite_port: 2003
  server_metrics_server_id: smartproxy-hyperv.example.com
  server_metrics_graphite_interval: 5
  server_metrics_allowed: 
  server_puppetserver_experimental: true
  server_puppetserver_trusted_agents: []
  server_compile_mode: 
  server_acceptor_threads: 
  server_selector_threads: 
  server_ssl_acceptor_threads: 
  server_ssl_selector_threads: 
  server_max_threads: 
  server_ca_allow_sans: false
  server_ca_allow_auth_extensions: false
  server_ca_enable_infra_crl: false
  server_max_open_files: 
foreman::plugin::ansible: false
foreman::plugin::azure: false
foreman::plugin::bootdisk: false
foreman::plugin::chef: false
foreman::plugin::cockpit: false
foreman::plugin::default_hostgroup: false
foreman::plugin::dhcp_browser: false
foreman::plugin::digitalocean: false
foreman::plugin::discovery: {}
foreman::plugin::expire_hosts: false
foreman::plugin::hooks: false
foreman::plugin::host_extra_validator: false
foreman::plugin::kubevirt: false
foreman::plugin::memcache: false
foreman::plugin::monitoring: false
foreman::plugin::omaha: false
foreman::plugin::openscap: false
foreman::plugin::ovirt_provision: false
foreman::plugin::puppetdb: false
foreman::plugin::remote_execution: false
foreman::plugin::salt: false
foreman::plugin::setup: false
foreman::plugin::snapshot_management: false
foreman::plugin::tasks: false
foreman::plugin::templates: false
foreman::compute::ec2: false
foreman::compute::gce: false
foreman::compute::libvirt: false
foreman::compute::openstack: false
foreman::compute::ovirt: false
foreman::compute::rackspace: false
foreman::compute::vmware: false
foreman_proxy::plugin::ansible: false
foreman_proxy::plugin::chef: false
foreman_proxy::plugin::dhcp::infoblox: false
foreman_proxy::plugin::dhcp::remote_isc: false
foreman_proxy::plugin::discovery:
  install_images: true
  tftp_root: /var/lib/tftpboot
  source_url: http://downloads.theforeman.org/discovery/releases/3.4/
  image_name: fdi-image-latest.tar
foreman_proxy::plugin::dns::infoblox:
  dns_server: <infoblox_server>
  username: svc_foreman
  password: *******
  dns_view: default
foreman_proxy::plugin::dns::powerdns: false
foreman_proxy::plugin::dynflow: false
foreman_proxy::plugin::monitoring: false
foreman_proxy::plugin::omaha: false
foreman_proxy::plugin::openscap: false
foreman_proxy::plugin::pulp: false
foreman_proxy::plugin::remote_execution::ssh: false
foreman_proxy::plugin::salt: false

Originally, I feel like everything was working. I was using the nightly build. Then, my NetOps crew told me I’d have to change my network information so I re-configured everything to use the new network and I got into this state. After review all of my settings and troubleshooting the setup with a colleague, he took over my proxy and reinstalled Foreman using the stable release. Everything came up as expected.

By default it doesn’t listen on port 8000, but you can enable it with --foreman-proxy-http true

In my foreman-answers.yml file I already had:

foreman_proxy:
  http: true

Is there a different setting in foreman-answers.yml that I need to include other than that one?

Answer files should never be modified manually. (In hindsight, answers should have lived in /var/lib/foreman-installer rather than /etc/foreman-installer). You should always call the installer with arguments. It will perform validations, apply the change and store answers. To be clear, the answers file is only a configuration file for the installer. Without running the installer, the system will not change in anyway.

Thanks for the feedback. I’ll try to use the interactive installer and pass parameters to foreman-installer, etc., as suggested. I like editing yaml files better but if that’s not advised then so be it.

As for foreman living in /var/lib rather than /etc, I’m not sure I had any impact on that. Other than installing the software, I did not tell it to install to /etc This is on CentOS. Not sure if that makes a difference or not on where the software is installed or not.

The “solution” to the first part of the problem (not listening on port 8000) appears to have been to install stable foreman and not nightly. However, my other two problems still exist. So, I’ll open tickets for “using tftp and not http as expected” and “protocol mismatch with http and 8443?”

Hello, I think I’ve answered the port issue in the other thread today. Let me know if you still need something in this one, I haven’t read it to save my time.

Thanks for following up. Something about changing the network and downgrading to stable build shook something loose. I have what I need here. Thanks for responding on the other thread! I’ll follow up there.