Strange behavior connecting to proxy

Hi all,

I have a proof-of-concept foreman instance running in a VM with a proxy on
the machine connected to our IPMI network. For some reason, trying to add
the proxy to my foreman instance yields:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features ([Errno::EACCES]:
Permission denied - connect(2) for "10.0.5.33" port 8123) for proxy
http://10.0.5.33:8123/features
Please check the proxy is configured and running on the host.

But I don't understand what's happening. I can curl that URL manually from
the foreman machine:

[root@foreman ~]# curl http://10.0.5.33:8123/features
["bmc"]

Additionally, if I watch the logs on the proxy, I can see my manual
attempts, but I never see anything when I try to connect through the web
interface. It makes me think something on the foreman side is happening
that causes it to never try, but I can't think of what that would be.

Does anyone have an idea of what I'm doing wrong?

Thanks!
Andrew

Is SELinux or another security system enabled and enforcing on your
Foreman server? To receive a permission denied during an outbound
connection suggests a security system.

If SELinux, the standard policy does not include 8123 as a smart proxy
port. You can add ports with `semanage port -a -t foreman_proxy_port_t
-p tcp 8124`, but 8123 is usually defined as a web cache port so you'd
probably need to load new SELinux policy to allow foreman_proxy_t to
connect to http_cache_port_t (audit2allow may help).

On 24/01/17 16:57, Andrew Melo wrote:
> Hi all,
>
> I have a proof-of-concept foreman instance running in a VM with a proxy
> on the machine connected to our IPMI network. For some reason, trying to
> add the proxy to my foreman instance yields:
>
> Unable to communicate with the proxy: ERF12-2530
> [ProxyAPI::ProxyException]: Unable to detect features ([Errno::EACCES]:
> Permission denied - connect(2) for "10.0.5.33" port 8123) for proxy
> http://10.0.5.33:8123/features
> Please check the proxy is configured and running on the host.


Dominic Cleal
dominic@cleal.org
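One way to confirm the denial described in the reply above, as an added example that is not part of the original thread: a shell filter that pulls `name_connect` denials out of audit records and prints the allow rule each one would need. The audit records are constructed samples that reuse the type names from the reply and the port from the error message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). On a real host, feed it live records:
#   ausearch -m avc -ts recent | name_connect_denials

# Print "<source_type> <target_port_type> <dest_port>" once per unique
# denied outbound TCP connect found on stdin.
name_connect_denials() {
    awk '
    /avc:/ && /denied/ && /name_connect/ {
        src = tgt = port = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/)     { port = substr($i, 6) }
            # SELinux context is user:role:type:level, so field 3 is the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        }
        key = src " " tgt " " port
        if (src != "" && tgt != "" && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Turn each unique denial into the type-enforcement rule that would permit it,
# in the form audit2allow emits.
allow_rules() {
    name_connect_denials |
        awk '{ printf "allow %s %s:tcp_socket name_connect;\n", $1, $2 }'
}

# Constructed audit records: the same connect denial twice, an unrelated
# file denial, and a non-AVC record.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1485277020.123:456): avc:  denied  { name_connect } for  pid=1234 comm="ruby" dest=8123 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1485277020.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1485277025.456:460): avc:  denied  { read } for  pid=1300 comm="cat" name="example.conf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1485277030.789:470): avc:  denied  { name_connect } for  pid=1234 comm="ruby" dest=8123 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
EOF
}

sample_audit_log | name_connect_denials
sample_audit_log | allow_rules
```

A denial that shows up here for the service's domain but not for an interactive root shell explains why a manual `curl` can succeed while the application's own connection is refused.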

Hello,

Sorry for the delay responding. That was just it. I was confused
because telnet on the same machine worked.

Cheers,
Andrew

On Thu, Jan 26, 2017 at 2:22 AM, Dominic Cleal wrote:
> On 24/01/17 16:57, Andrew Melo wrote:
>> Hi all,
>>
>> I have a proof-of-concept foreman instance running in a VM with a proxy
>> on the machine connected to our IPMI network. For some reason, trying to
>> add the proxy to my foreman instance yields:
>>
>> Unable to communicate with the proxy: ERF12-2530
>> [ProxyAPI::ProxyException]: Unable to detect features ([Errno::EACCES]:
>> Permission denied - connect(2) for "10.0.5.33" port 8123) for proxy
>> http://10.0.5.33:8123/features
>> Please check the proxy is configured and running on the host.
>
> Is SELinux or another security system enabled and enforcing on your
> Foreman server? To receive a permission denied during an outbound
> connection suggests a security system.
>
> If SELinux, the standard policy does not include 8123 as a smart proxy
> port. You can add ports with `semanage port -a -t foreman_proxy_port_t
> -p tcp 8124`, but 8123 is usually defined as a web cache port so you'd
> probably need to load new SELinux policy to allow foreman_proxy_t to
> connect to http_cache_port_t (audit2allow may help).
>
> --
> Dominic Cleal
> dominic@cleal.org

Andrew Melo