Unable to expose redhat repos via http

Problem: Unable to expose redhat repos via http in foreman 3.7 with katello 4.9

Expected outcome: redhat repos should be exposed via http

Foreman and Proxy versions: Foreman3.7 and Katello4.9

Problem statement:

I am trying to expose redhat repos via http but it is not working in my foreman server.
On the other hand, it is working fine on another foreman server where the foreman version is foreman-release-1.22.0-1.el7.noarch. To do this I am using a file in /etc/httpd/conf.d, and the content of this file is below:

cat 99-katello.conf
<VirtualHost *:443>
    ServerName otc-iaas-repo.itn.example
    ServerAlias newiaas1-repo.iaas.example.com
    SSLEngine On
    Alias /pulp/repos/ /var/www/pub/yum/http/repos/
    Alias /pulp/isos/ /var/www/pub/http/isos/
</VirtualHost>

<VirtualHost *:80>
    ServerName otc-iaas-repo.itn.example
    ServerAlias newiaas1-repo.iaas.example.com
    Alias /pulp/repos/ /var/www/pub/yum/http/repos/
    Alias /pulp/isos/ /var/www/pub/http/isos/
</VirtualHost>

In foreman3.7 I am unable to find /var/www/pub directory, please suggest a way to do the same.

What you are trying to do is definitely an unsupported use-case.
I do not know where /var/www/pub comes from (my guess would be, you or one of your co-workers created this by hand), but this only worked because pulp2 basically only created a very elaborate filesystem structure that you could just expose via HTTP.
With modern Foreman (starting from Katello 4.0), we have pulp3 which to my knowledge works by tunneling the HTTP requests through Apache to pulp through a unix socket and the “repository as files” structure is gone, afaik. As far as I understand, authorization for repo access is now also handled inside pulp, so you probably won’t be able to circumvent this.
I’m also unsure why you would want to do that, but as long as it’s not to circumvent RedHat subscription conditions, there’s most likely a better solution to your problem.


Hello areyus,
Thanks for your response,

Actually we're not circumventing any redhat licensing, we are just using katello as a web GUI for pulp so we need the same functionality; that’s why we need a solution to the redhat http exposure.

And regarding /var/www/pub, yes you are right, it was a workaround that we applied to expose redhat repos on http; we did this on foreman Version 1.22.0.

I am trying to do the same in foreman Version 3.7. I created the /var/www/pub directory manually and created the path as per the 99-katello.conf file, but this workaround is not working in 3.7.

As already mentioned, this will not work in the same way on Foreman 3.7 (or anything from Katello 4.0 onwards) due to the switch to Pulp3 and how it handles things differently. Pulp2 (which you had in 1.22) basically just built a FS based repo structure through a lot of symlinking.
Pulp3 (which you have with Foreman 3.7) does not do this anymore. Instead it’s a service that creates the repos internally in logic, but never writes them out to the FS.
I would recommend just switching to the full license management stack Katello offers (using subscription-manager and potentially virt-who) and just running it as intended. Katello is way more than a simple Pulp UI, and I would assume what you are trying to accomplish is not possible with recent Katello versions anymore.


Agree with everything @areyus said above. It would be good to know why you want to use Katello as a web GUI for Pulp? What exactly are you trying to accomplish by doing that? What requirements do you have that are satisfied by that?

Hello jeremylenz,
Thanks for your reply,
I am having foreman version 3.7 along with katello plugin 4.9 installed in my ecosystem and I have installed it with “foreman-installer --scenario katello” for repo management, which brought pulp3 by default.

Earlier I was having foreman version 1.22 and katello-3.12.2-1.el7.noarch for content management.

To answer your question, I am using foreman+katello for content management and for provisioning of servers along with repo management.

so if anyone looks for a debug only :wink: solution - you need to add in the apache of foreman/katello (/etc/httpd/conf.d/99-debug.conf) the following:

<VirtualHost *:443>
    ServerName debug.domain
    SSLEngine On

#use the same one or create your own self signed
    SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt"
    SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"

    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyVerifyDepth 3
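    SSLProxyVerify require
    # ProxyPass below is a reverse proxy and does not need forward proxying;
    # ProxyRequests On would turn this vhost into an open forward proxy
    ProxyRequests Off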
    ProxyVia On
    SSLProxyCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
#here you need to generate the key/cert like described in 
# https://theforeman.org/plugins/katello/nightly/troubleshooting/index.html#debug-certificate
# but convert the key part as described in
# https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
# openssl rsa -in debug-certificate-key.pem -outform pem > /etc/pki/debug/debug-repo.pem
# also make sure you also have the cert in this debug-repo.pem file
    SSLProxyMachineCertificateFile "/etc/pki/debug/debug-repo.pem"
    ProxyPass /pulp "https://localhost/pulp"
    ProxyPassReverse /pulp "https://localhost/pulp"
</VirtualHost>
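
The key conversion described in the config comments above, as an added shell example that is not part of the original post: the hypothetical helper `build_proxy_pem` checks that the certificate belongs to the key, writes the key in the traditional format mod_ssl accepts for SSLProxyMachineCertificateFile, and appends the certificate. It assumes an unencrypted RSA key and the `openssl` CLI; the file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# Usage: build_proxy_pem <debug-key.pem> <debug-cert.pem> <out.pem>
build_proxy_pem() {
    local key=$1 cert=$2 out=$3 rsa_key key_pub cert_pub

    [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert not readable" >&2; return 1; }

    # The certificate must belong to the key; a mismatch otherwise only
    # shows up later as a failed TLS handshake towards the /pulp backend.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ] || { echo "certificate does not match key" >&2; return 1; }

    # mod_ssl needs a traditional "BEGIN RSA PRIVATE KEY" block here, not PKCS#8.
    # OpenSSL 1.x writes that by default; OpenSSL 3.x only with -traditional.
    rsa_key=$(openssl rsa -in "$key" -outform pem 2>/dev/null) || return 1
    case $rsa_key in
        "-----BEGIN RSA PRIVATE KEY-----"*) ;;
        *) rsa_key=$(openssl rsa -in "$key" -traditional -outform pem 2>/dev/null) || return 1 ;;
    esac

    # Private key material: recreate the file so it is mode 0600 from the start.
    rm -f "$out"
    ( umask 077 && { printf '%s\n' "$rsa_key"; openssl x509 -in "$cert"; } > "$out" )
}
```

Point SSLProxyMachineCertificateFile at the resulting file and keep it readable by root only, since it holds the client key that grants access to the repositories.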