Unable to provision RHEL 8 using Discovery on Foreman 3.7 due to 403 error

joshwhit · October 10, 2023, 10:49am

Problem:
I am attempting to provision a RHEL 8 host using the Discovery image. The installation media is as follows:
https://hostname.ac.uk/pulp/content/organisation_name/Library/content/dist/rhel8/8/x86_64/baseos/os/

This fails when attempting to connect to the protected Red Hat repository, giving a 403 error. I can’t find any way to provide the certificates to allow access to the repository.

This method works when provisioning a Rocky 8 host.

Any information or workarounds would be greatly appreciated, thanks.

Expected outcome:
Provisions host

Foreman and Proxy versions:
Foreman 3.7.0
No proxy

Foreman and Proxy plugin versions:
foreman_discovery 22.0.4
katello 4.9.2
foreman_remote_execution 10.0.7
foreman-tasks 8.1.1

Discovery image version: 4.1.0

Distribution and version:
Rocky 8.8

Other relevant data:

<%#
kind: kexec
name: Discovery Red Hat kexec
oses:
- CentOS 4
- CentOS 5
- CentOS 6
- CentOS 7
- Fedora 21
- Fedora 22
- Fedora 23
- Fedora 24
- RedHat 4
- RedHat 5
- RedHat 6
- RedHat 7
- RedHat 8
-%>
<%#
This template is used to pass command line options to kexec when reloading
kernel on a discovered host instead of rebooting. This is useful in PXE-less
environments. The template must generate JSON format with the following items
"kernel", "initram", "append" and "extra". The kexec command is composed in
the following way:

kexec --force --reset-vga --append=$append --initrd=$initram $extra $kernel

Please read kexec(8) man page for more information about semantics.
-%>
<%
  mac = @host.facts['discovery_bootif']
  bootif = '00-' + mac.gsub(':', '-') if mac
  ip_cidr = @host.facts['discovery_ip_cidr']
  ip = @host.facts['discovery_ip']
  mask = @host.facts['discovery_netmask']
  gw = @host.facts['discovery_gateway']
  dns = @host.facts['discovery_dns']
  options = ["nomodeset"]
  options << @host.facts['append']
  options << "inst.stage2=#{@host.operatingsystem.medium_uri(@host)}" if @host.operatingsystem.name.match(/Atomic/i)
  options << "inst.noverifyssl"
-%>
{
  "kernel": "<%= @kernel_uri %>",
  "initram": "<%= @initrd_uri %>",
<% if (@host.operatingsystem.name == 'Fedora' and @host.operatingsystem.major.to_i > 16) or
    (@host.operatingsystem.name != 'Fedora' and @host.operatingsystem.major.to_i >= 7) -%>
  "append": "ks=<%= foreman_url('provision') + "&static=yes" %> inst.ks.sendmac <%= "noipv6 ip=#{ip}::#{gw}:#{mask}:::none nameserver=#{dns} ksdevice=bootif BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% else -%>
  "append": "ks=<%= foreman_url('provision') + "&static=yes" %> kssendmac nicdelay=5 <%= "noipv6 ip=#{ip} netmask=#{mask} gateway=#{gw} dns=#{dns} ksdevice=#{mac} BOOTIF=#{bootif} nomodeset nokaslr " + options.compact.join(' ') %>",
<% end -%>
  "extra": []
}

evgeni · October 10, 2023, 11:09am

you need to point it at a kickstart repo, those will be unprotected

(I am afraid I have no idea how)

joshwhit · October 10, 2023, 11:31am

Hi,

Thanks for the info.

That is how our Red Hat 7 provisioning is set up. I can’t see any kickstart repositories available from the listing of Red Hat repositories so I will get in touch with Red Hat support and report back if I can get an upstream URL or another solution

evgeni · October 10, 2023, 11:33am

did you select the right type?

by default it doesn’t show them.

joshwhit · October 10, 2023, 12:26pm

Hi evgeni,

Ah, I did not notice that. I will try with the kickstart repositories now.

Thanks so much