Unable to create a host on GCE

Hi
I am working on GCE and I would like to use Foreman. I installed it with
foreman-installer.
I followed these instructions:
http://theforeman.org/manuals/1.4/index.html#5.2.4GoogleComputeEngineNotes
I put GCE in my compute resources and then I try to create a host in the GCE
compute resource, a Debian 7.4 from Google's image.

When I submit, the first step fails and I get this in production.log:

Rolling back due to a problem: [Preparation de l'instance <my-host-name>
2 failed [#<Host::Managed id: nil, name: "<my-host-name>", ip:
nil, last_compile: nil, last_freshcheck: nil, last_report: nil, updated_at:
nil, source_file_id: nil, created_at: nil, mac: nil, root_pass: nil,
serial: nil, puppet_status: 0, domain_id: 1, architecture_id: 1,
operatingsystem_id: 36, environment_id: 2, subnet_id: nil, ptable_id: 7,
medium_id: 2, build: true, comment: "", disk: "", installed_at: nil,
model_id: nil, hostgroup_id: 1, owner_id: nil, owner_type: nil, enabled:
true, puppet_ca_proxy_id: nil, managed: true, use_image: nil, image_file:
nil, uuid: nil, compute_resource_id: 1, puppet_proxy_id: nil, certname:
"850d1234-4568-4j0h-9eab-0a39v782b803", image_id: 2, organization_id: nil,
location_id: nil, type: "Host::Managed", compute_profile_id: nil>,
:setCompute]]
Failed to save:
Rendered hosts/_progress.html.erb (0.5ms)
Rendered puppetclasses/_selectedClasses.html.erb (0.0ms)
Rendered puppetclasses/_classes.html.erb (5.8ms)
Rendered puppetclasses/_class_selection.html.erb (516.0ms)

I have no idea where it comes from. Does someone know why?

Cheers

Hi Laurent,

I'd be happy to test out creating a Debian instance on GCE using Foreman if
you'd be willing to help me configure my Foreman with my GCE project. I've
installed the GCE plugin but when I try to add a new compute resource
Foreman doesn't like the .p12 file I downloaded from the GCE console to
authorise it to access my GCE project.

What did you do with the private key once you downloaded it, as Foreman
won't upload it for me?

The 1st instance I attempt to create will be a Debian VM to your spec if you
get me up and running.

Michael

On Thursday, February 20, 2014 6:23:21 PM UTC, Laurent Salut wrote: […]

I didn't have a problem with this part. What does Foreman say?
I put the e-mail address which you get on the Google developers console and the
p12 file.

I got the message "Unable to save" "Invalid keyfile or passphrase"

On 21 February 2014 14:05, Laurent Salut wrote: […]

You received this message because you are subscribed to a topic in the Google Groups "Foreman users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/foreman-users/scWe0wVx7fg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/groups/opt_out.

I created a new Client ID/Email in the GCE Console's Credentials screen and
selected the "service account" type. This prompts me to save a .p12 file
with a passphrase of "notasecret" to my computer.
I copy the *email* address associated with the new client ID that's already
been given "edit" permissions to my project.

I fill in the compute resource details on my Foreman and add in the path to
the .p12 file I downloaded just a second ago, but when I go to load the
Zones I get the error message shown in the attached file, and if I try to
save I get "Invalid keyfile or passphrase".

Is the passphrase set somewhere in Foreman?

On Friday, February 21, 2014 2:10:40 PM UTC, Michael O'Brien wrote: […]

The p12 file must be on your Foreman machine, not your local one. You have
to scp the file to your Foreman VM on GCE. Did you do that?

Is there a particular location I should save it to on Foreman, or a set of user permissions that should apply to it?

On 21 February 2014 14:42, Laurent Salut wrote: […]

No particular location. Foreman just has to be able to read it.

Thanks, I owe you 2 Debians for that :slight_smile:

On 21 February 2014 14:56, Laurent Salut wrote: […]

Do you have a Finish Template you want me to try?

On Friday, February 21, 2014 3:05:48 PM UTC, Michael O'Brien wrote: […]

I use the default preseed finish… Is it working for you? Can you create
and deploy a host on GCE without trouble?

I tried a Debian image and wasn't able to get it to deploy. The UI starts
but errors out and I get similar output in the production.log.
Is it just Debian images you have a problem with?

I can view in Foreman any new instances I add using the cloud console.

On Friday, February 21, 2014 3:33:56 PM UTC, Laurent Salut wrote: […]

I can't shut down GCE instances in Foreman that I created in the cloud console,
but I can delete them from Foreman.

On Friday, February 21, 2014 3:48:41 PM UTC, michael...@ul.ie wrote: […]

So we have the same problem…
In fact, my goal is to bring up a pfSense on GCE. But I would like to succeed with a
Debian first, which is supposed to be easier than an OS which is not in
Google's images.

I am going to try another OS, but I am not positive about the issue…

I tried it using a CentOS image from GCE but using the same finish template,
and had the same experience. The production log shows the "adding Compute
instance" step and then immediately rolling back due to an error.

Do you get any other problems when deleting or rebooting existing GCE
instances?
Are you creating them in Europe Zone like me?

On Friday, February 21, 2014 4:21:58 PM UTC, Laurent Salut wrote: […]

I tried CentOS too, and the problem is the same.

No, I am creating it in the US zone.
I didn't try to reboot or delete my instances via Foreman, but I am leaving
my office and we will see on Monday!

I also enabled "use_uuid_for_certificates" this morning on Foreman 1.4.0
("Enabling use_uuid_for_certificates in Administer > Settings
is recommended for consistent Puppet certificate IDs instead of
hostnames."), but I am still having the same problem.

On Friday, February 21, 2014 5:47:04 PM UTC, Laurent Salut wrote: […]

Laurent,

Are you getting similar messages to me when you try to create a new
instance of any type on GCE using Foreman?
I'm not sure of the importance or the solution.

/var/log/messages
Feb 25 10:23:24 MYSERVER kernel: type=1400 audit(1393323804.013:921): avc:
denied { read } for pid=1954 comm="ps" name="online" dev=sysfs ino=23
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Feb 25 10:23:24 MYSERVER talog kernel: type=1400 audit(1393323804.014:922):
avc: denied { open } for pid=1954 comm="ps" name="online" dev=sysfs
ino=23 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Feb 25 10:23:29 MYSERVER kernel: type=1400 audit(1393323809.000:923): avc:
denied { search } for pid=1964 comm="ps" name="/" dev=sysfs ino=1
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.684:924): avc:
denied { search } for pid=12966 comm="ruby" name="ForemanGCECert"
dev=dm-0 ino=398314 scontext=system_u:system_r:passenger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.692:925): avc:
denied { getattr } for pid=12966 comm="ruby" path="/PATH/MYGCEKey.p12"
dev=dm-0 ino=407490 scontext=system_u:system_r:passenger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.811:926): avc:
denied { read } for pid=12966 comm="ruby" name="MYGCEKey.p12" dev=dm-0
ino=407490 scontext=system_u:system_r:passenger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.811:927): avc:
denied { open } for pid=12966 comm="ruby" name="MYGCEKey.p12" dev=dm-0
ino=407490 scontext=system_u:system_r:passenger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.811:928): avc:
denied { ioctl } for pid=12966 comm="ruby" path="/PATH/MYGCEKey.p12"
dev=dm-0 ino=407490 scontext=system_u:system_r:passenger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

/var/log/httpd/error_log
[DEPRECATION] #connection is deprecated, use #service instead
(/opt/rh/ruby193/root/usr/share/gems/gems/fog-1.19.0/lib/fog/google/models/compute/flavors.rb:14:in all')
[ 2014-02-25 10:29:53.3700 24000/7f6a9084a700 Pool2/Spawner.h:739 ]: [App 2573 stdout]
[ 2014-02-25 10:30:16.5839 24000/7f6a9084a700 Pool2/SmartSpawner.h:301 ]: Preloader for /usr/share/foreman started on PID 2573, listening on unix:/tmp/passenger.1.0.1959/generation-1/backends/preloader.2600
[ 2014-02-25 10:30:27.9466 24000/7f6a9088b700 Pool2/Implementation.cpp:1174 ]: [App 12961 stdout] [fog][DEPRECATION] #connection is deprecated, use #service instead (/opt/rh/ruby193/root/usr/share/gems/gems/fog-1.19.0/lib/fog/google/models/compute/flavors.rb:14:in all')

On Monday, February 24, 2014 11:31:17 AM UTC, michael...@ul.ie wrote: […]

This is an SELinux denial accessing your certificate, so check if your
server has SELinux enforcing or permissive to understand whether it's
making an actual difference to the behaviour. (Run "getenforce".)

If you're using enforcing mode, you could move it to /usr/share/foreman
and relabel it (restorecon -vv /usr/share/foreman/MYGCEKey.p12) so
Foreman can read it.

On 25/02/14 10:52, michael.obrien@ul.ie wrote: […]


Dominic Cleal
Red Hat Engineering
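To make the triage in the reply above reproducible, here is an added shell example (not code from the thread or from the Foreman project) that summarises AVC denial lines of the kind shown in /var/log/messages, counts the ones that hit the key file while it carries the admin_home_t label, and prints the relocate-and-relabel commands the reply describes. The sample log lines are constructed from the excerpt in this thread; the key file path /PATH/MYGCEKey.p12 and the /usr/share/foreman destination are the ones named in the thread. The functions only print; nothing here changes the host.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials for a Foreman GCE key file.

# Constructed sample lines, modelled on the /var/log/messages excerpt posted above.
SAMPLE_AVC='Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.692:925): avc: denied { getattr } for pid=12966 comm="ruby" path="/PATH/MYGCEKey.p12" dev=dm-0 ino=407490 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Feb 25 10:29:30 MYSERVER kernel: type=1400 audit(1393324170.811:926): avc: denied { read } for pid=12966 comm="ruby" name="MYGCEKey.p12" dev=dm-0 ino=407490 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Feb 25 10:23:24 MYSERVER kernel: type=1400 audit(1393323804.013:921): avc: denied { read } for pid=1954 comm="ps" name="online" dev=sysfs ino=23 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file'

# One summary line per denial: "<source type> -> <target type> <operation> <name or path>".
# The third colon-separated field of scontext/tcontext is the SELinux type.
summarize_avc() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      op = ""; name = ""; st = ""; tt = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") op = $(i + 1)
        if ($i ~ /^(name|path)=/) { name = $i; sub(/^(name|path)=/, "", name); gsub(/"/, "", name) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
      }
      print st, "->", tt, op, name
    }'
}

# Denials where passenger (running Foreman) was refused the key file because it
# still carries the admin_home_t label of the directory it was copied into.
count_keyfile_denials() {
  summarize_avc "$1" | grep -c 'admin_home_t.*MYGCEKey.p12' || true
}

# The fix from the reply above: move the file under /usr/share/foreman and let
# restorecon give it the label policy expects there. Commands are printed, not run.
remediation_for() {
  keyfile="$1"
  printf 'mv %s /usr/share/foreman/\nrestorecon -vv /usr/share/foreman/%s\n' \
    "$keyfile" "$(basename "$keyfile")"
}

# On a real host: report the SELinux mode and the key file's current label.
live_check() {
  if command -v getenforce >/dev/null 2>&1; then
    echo "SELinux mode: $(getenforce)"
  fi
  if [ -e "$1" ]; then
    ls -Z "$1"
  fi
  return 0
}

echo "Denials in sample log:"
summarize_avc "$SAMPLE_AVC"
echo "Key file denials (admin_home_t): $(count_keyfile_denials "$SAMPLE_AVC")"
echo "Suggested remediation:"
remediation_for /PATH/MYGCEKey.p12
```

Run it against real log lines with summarize_avc "$(grep 'avc:.*denied' /var/log/messages)" to see whether the denials are still against admin_home_t after the move; the sysfs_t lines from the ps process are a separate, unrelated denial and are left in the summary so they are not mistaken for the key file problem.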

SELinux is set to enforcing. Should I change it to permissive, or is there a
way to make sure SELinux labels and permissions are correctly applied for
everything in /usr/share/foreman?

On Tuesday, February 25, 2014 11:22:29 AM UTC, Dominic Cleal wrote: […]