Unable to register Chef client in Foreman web UI

Problem:
I am unable to register chef client in Foreman web UI. Can you please help me to resolve this issue?

Expected outcome:
Should be able to see chef client server in Foreman web UI.

Foreman and Proxy versions:
ii foreman 1.16.2-1 amd64 Systems management web interface
ii foreman-cli 1.16.2-1 all metapackage providing hammer CLI for Foreman
ii foreman-debug 1.16.2-1 all provides support utility foreman-debug.
ii foreman-installer 1.16.1-1 all Automated puppet-based installer for The Foreman
ii foreman-postgresql 1.16.2-1 all metapackage providing PostgreSQL dependencies for Foreman
ii foreman-proxy 1.16.2-1 all RESTful proxies for DNS, DHCP, TFTP, and Puppet

Foreman and Proxy plugin versions:

Other relevant data:
Getting below error in foreman logs.

=======================================================================
2018-09-08T13:30:32 21b8699d [app] [I] Started GET "/api/enc/node1.hostname.com" for 192.168.56.102 at 2018-09-08 13:30:32 +0530
2018-09-08T13:30:32 21b8699d [app] [F]
| ActionController::RoutingError (No route matches [GET] "/api/enc/node1.hostname.com"):
| lib/middleware/tagged_logging.rb:18:in `call'
|
|
2018-09-08T13:30:32 ccdc55c9 [app] [I] Started GET "/api/enc/node1.hostname.com" for 192.168.56.102 at 2018-09-08 13:30:32 +0530
2018-09-08T13:30:32 ccdc55c9 [app] [F]
| ActionController::RoutingError (No route matches [GET] "/api/enc/node1.hostname.com"):
| lib/middleware/tagged_logging.rb:18:in `call'
|
|
2018-09-08T13:30:34 68a8254a [app] [I] Started POST "/api/hosts/facts" for 192.168.56.102 at 2018-09-08 13:30:34 +0530
2018-09-08T13:30:34 68a8254a [app] [I] Processing by Api::V2::HostsController#facts as JSON
2018-09-08T13:30:34 68a8254a [app] [I] Parameters: {"name"=>"node1.hostname.com", "facts"=>"[FILTERED]", "apiv"=>"v2", :host=>{"name"=>"node1.hostname.com"}}
2018-09-08T13:30:34 68a8254a [app] [W] SSL is required - request from 192.168.56.102
2018-09-08T13:30:34 68a8254a [app] [I] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.6ms)
2018-09-08T13:30:34 68a8254a [app] [I] Filter chain halted as #Proc:0x000000080b57e0@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14 rendered or redirected
2018-09-08T13:30:34 68a8254a [app] [I] Completed 403 Forbidden in 14ms (Views: 1.5ms | ActiveRecord: 1.3ms)
2018-09-08T13:30:34 456ab428 [app] [I] Started POST "/api/reports" for 192.168.56.102 at 2018-09-08 13:30:34 +0530
2018-09-08T13:30:34 456ab428 [app] [I] Processing by Api::V2::ReportsController#create as JSON
2018-09-08T13:30:34 456ab428 [app] [I] Parameters: {"report"=>"[FILTERED]", "apiv"=>"v2"}
2018-09-08T13:30:34 456ab428 [app] [W] SSL is required - request from 192.168.56.102
2018-09-08T13:30:34 456ab428 [app] [I] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.6ms)
2018-09-08T13:30:34 456ab428 [app] [I] Filter chain halted as #Proc:0x00000009a87358@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14 rendered or redirected
2018-09-08T13:30:34 456ab428 [app] [I] Completed 403 Forbidden in 13ms (Views: 3.2ms | ActiveRecord: 0.0ms)

=========================================================================
chef-client output.

resolving cookbooks for run list: ["apache"]
Synchronizing Cookbooks:
  - apache (0.1.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 1 resources
Recipe: apache::default
  * yum_package[apache2] action install (up to date)

Running handlers:
  - ChefHandlerForeman::ForemanFacts
Running handlers complete
Chef Client finished, 0/1 resources updated in 05 seconds
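
The Foreman log in the opening post interleaves several requests; grouping entries by the request ID in the second column shows which call was rejected and the reason logged for it. The Ruby script below is an added example, not part of the original thread or of Foreman: `triage` and `explain` are hypothetical helper names, and the sample lines are taken from the excerpt above with some lines omitted.

```ruby
# Added example: group Foreman log entries by request ID and report failures.
SAMPLE_LOG = <<~'LOG'
  2018-09-08T13:30:32 21b8699d [app] [I] Started GET "/api/enc/node1.hostname.com" for 192.168.56.102 at 2018-09-08 13:30:32 +0530
  2018-09-08T13:30:32 21b8699d [app] [F]
  | ActionController::RoutingError (No route matches [GET] "/api/enc/node1.hostname.com"):
  2018-09-08T13:30:34 68a8254a [app] [I] Started POST "/api/hosts/facts" for 192.168.56.102 at 2018-09-08 13:30:34 +0530
  2018-09-08T13:30:34 68a8254a [app] [W] SSL is required - request from 192.168.56.102
  2018-09-08T13:30:34 68a8254a [app] [I] Filter chain halted as #Proc:0x000000080b57e0@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14 rendered or redirected
  2018-09-08T13:30:34 68a8254a [app] [I] Completed 403 Forbidden in 14ms (Views: 1.5ms | ActiveRecord: 1.3ms)
LOG

# timestamp, 8-hex request ID, [logger], [level], optional message
LINE = /\A(\S+) (\h{8}) \[(\w+)\] \[([A-Z])\] ?(.*)\z/

def triage(log)
  requests = Hash.new { |h, id| h[id] = { id: id, warnings: [], errors: [] } }
  current = nil
  log.each_line(chomp: true) do |line|
    if (m = LINE.match(line))
      _ts, id, _logger, level, msg = m.captures
      current = requests[id]
      case msg
      when /\AStarted (\w+) "([^"]+)" for (\S+)/
        current.update(verb: $1, path: $2, client: $3)
      when /\AFilter chain halted as .*@(\S+?):(\d+)/
        current[:halted_by] = File.basename($1)
      when /\ACompleted (\d{3})/
        current[:status] = $1.to_i
      else
        current[:warnings] << msg if level == "W"
      end
    elsif current && line =~ /\A\|\s*(\S.*)\z/
      # "| ..." continuation lines belong to the preceding [F] entry.
      current[:errors] << $1
    end
  end
  requests.values.select { |r| r[:status].to_i >= 400 || r[:errors].any? }
end

def explain(r)
  reason = r[:warnings].first || r[:errors].first || "no reason logged"
  halted = r[:halted_by] ? ", halted in #{r[:halted_by]}" : ""
  "#{r[:id]} #{r[:verb]} #{r[:path]} from #{r[:client]}: " \
    "#{r[:status] || 'no status'} (#{reason}#{halted})"
end

triage(SAMPLE_LOG).each { |r| puts explain(r) } if __FILE__ == $PROGRAM_NAME
```

On the sample, the ENC request fails with a routing error while the facts upload is refused with 403 after the "SSL is required" warning in `smart_proxy_auth.rb`, so the two failures have different causes.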

Could you please better describe what you’re trying to achieve? Usually
chef client gets bootstrapped during host provisioning.

I just want to see my chef client servers status on Foreman web UI for monitoring purposes.

I’m confused by “chef client servers”. If you mean chef clients, then you
need to install Foreman and Smart proxy chef plugins, configure certificates
and add chef handler foreman to your chef clients. See the plugin manual for
more instructions.

If you’re provisioning your hosts from Foreman, provisioning can set up chef
client properly for you. Otherwise you have to install the handler and
reconfigure chef config file yourself.

Hope that helps

Thanks for your response. You are right Marek, I am trying to add chef clients in Foreman. I followed the same line given by you. But I am getting SSL errors. Can you please give me steps to configure certificates on chef client and on Foreman? Getting below error.

[root@node1 chef]# chef-client
Starting Chef Client, version 14.4.56
[2018-09-10T16:13:06+05:30] ERROR: Foreman ENC could not be fetched because of JSON::ParserError: 765: unexpected token at 'Failed to authenticate node: Permission denied @ rb_sysopen - /etc/opscode/pivotal.pem
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:163:in `read'
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:163:in `canonical_key'
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:230:in `encrypted_request'
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:242:in `signature_lines'
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:103:in `headers'
/usr/lib/ruby/vendor_ruby/chef-api/connection.rb:489:in `add_signing_headers'
/usr/lib/ruby/vendor_ruby/chef-api/connection.rb:246:in `request'
/usr/lib/ruby/vendor_ruby/chef-api/connection.rb:107:in `get'
/usr/lib/ruby/vendor_ruby/chef-api/resources/base.rb:252:in `fetch'
/usr/lib/ruby/vendor_ruby/smart_proxy_chef_plugin/authentication.rb:20:in `verify_signature_request'
/usr/lib/ruby/vendor_ruby/smart_proxy_chef_plugin/authentication.rb:52:in `authenticate_chef_signature'
/usr/lib/ruby/vendor_ruby/smart_proxy_chef_plugin/authentication.rb:12:in `block in authenticate_with_chef_signature'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `block in compile!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1015:in `block in process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:966:in `block in filter!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:966:in `each'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:966:in `filter!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1084:in `block in dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1082:in `dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `block in call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:895:in `call'
/usr/lib/ruby/vendor_ruby/rack/commonlogger.rb:33:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:219:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:109:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:9:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/xss_header.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/path_traversal.rb:16:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/json_csrf.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:49:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:49:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/frame_options.rb:31:in `call'
/usr/lib/ruby/vendor_ruby/rack/nulllogger.rb:9:in `call'
/usr/lib/ruby/vendor_ruby/rack/head.rb:13:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/show_exceptions.rb:25:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:182:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:2013:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1487:in `block in call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1787:in `synchronize'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1487:in `call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:66:in `block in call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `each'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:153:in `call'
/usr/lib/ruby/vendor_ruby/rack/handler/webrick.rb:88:in `service'
/usr/lib/ruby/2.3.0/webrick/httpserver.rb:140:in `service'
/usr/lib/ruby/2.3.0/webrick/httpserver.rb:96:in `run'
/usr/lib/ruby/2.3.0/webrick/server.rb:296:in `block in start_thread''
resolving cookbooks for run list: ["apache"]
Synchronizing Cookbooks:
  - apache (0.1.1)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 1 resources
Recipe: apache::default
  * yum_package[apache2] action install (up to date)

Running handlers:
  - ChefHandlerForeman::ForemanFacts
Running handlers complete
Chef Client finished, 0/1 resources updated in 03 seconds

Any suggestions? Can someone please guide me to resolve this error.

Just to be very specific. I am trying to manually set up chef-client on Foreman. Currently I am getting below error.

[root@node1 chef]# chef-client
Starting Chef Client, version 14.4.56
[2018-09-11T15:41:03+05:30] ERROR: Foreman ENC could not be fetched because of JSON::ParserError: 765: unexpected token at 'Failed to authenticate node: Permission denied @ rb_sysopen - /root/chef/avdhoot.pem
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:163:in `read'
/usr/lib/ruby/vendor_ruby/chef-api/authentication.rb:163:in `canonical_key'

It seems you configured chef handler already, which seems to fail on “ENC” call. Try setting this in your chef client.rb

foreman_enc false

Also it indicates the problem is rather in smart proxy configuration. It seems your Foreman instance can’t trust it. How did you install the proxy? Do you rely on default CA (puppet CA)?

I will share my client.rb file and chef.yml file to give you better picture.

[root@node1 chef]# cat /etc/chef/client.rb
chef_server_url  "https://chefserver/organizations/linuxacademy"
validation_client_name "linuxacademy-validator"
validation_key '/etc/chef/validator.pem'
client_key '/etc/chef/client.pem'
log_location   STDOUT
node_name "node1.hostname.com"
trusted_certs_dir "/etc/chef/trusted_certs"
#ssl_verify_mode    :verify_none

# this adds new functions to chef configuration
require 'chef_handler_foreman'
# here you can specify your connection options
#foreman_server_options  :url => 'http://your.server/foreman'
# Or another option to set URL if using chef-client cookbook config option
foreman_server_options :url => 'https://foreman.linuxtechi.com:8443'
# add following line if you want to upload node attributes (facts in Foreman language)
foreman_facts_upload    true
## Facts whitelist / blacklisting
# add following line if you want to upload only specific node attributes - only top-level attributes
foreman_facts_whitelist ['lsb','network','cpu']
# add following line if you want to avoid uploading specific node attributes - any part from the key will do
foreman_facts_blacklist ['kernel','counters','interfaces::sit0']
# enable caching of attributes - (full) upload will be performed only if attributes changed
foreman_facts_cache_file '/var/cache/chef_foreman_cache.md5'
# add following line if you want to upload reports
foreman_reports_upload  true
# add following line to manage reports verbosity. Allowed values are debug, notice and error
reports_log_level       "notice"

foreman_enc false
# add following line to load additional attributes from Foreman
#foreman_enc             true
# to configure the level of attributes coming from Foreman you can set a second argument like this
#foreman_enc             true, 'default'

================================================================

root@foreman:/var/log/foreman-proxy# cat /etc/foreman-proxy/settings.d/chef.yml                                                                                   
---
:enabled: true
:chef_authenticate_nodes: true
:chef_server_url: https://chefserver/organizations/linuxacademy
# smart-proxy client node needs to have some admin right on chef-server
# in order to retrive all nodes public keys
# e.g. 'host.example.net'
:chef_smartproxy_clientname: linuxacademy-validator
# e.g. /etc/chef/client.pem
:chef_smartproxy_privatekey: /etc/chef/linuxacademy-validator.pem

# turning of chef_ssl_verify is not recommended as it turn off authentication
# you can try set path to chef server certificate by chef_ssl_pem_file
# before setting chef_ssl_verify to false
# note that chef_ssl_pem_file must contain both private key and certificate
# because chef-api 0.5 requires it
:chef_ssl_verify: false
:chef_ssl_pem_file: /etc/chef/linuxacademy-validator.pem
root@foreman:/var/log/foreman-proxy#

================================================================

Now I am getting this error.

I used following command to configure foreman parameters.

foreman-installer \
  --enable-foreman-plugin-chef \
  --enable-foreman-plugin-tasks \
  --enable-foreman-proxy-plugin-chef \
  --foreman-proxy-plugin-chef-server-url="https://chefserver/organizations/linuxacademy" \
  --foreman-proxy-plugin-chef-client-name="linuxacademy-validator" \
  --foreman-proxy-plugin-chef-private-key="/etc/chef/linuxacademy-validator.pem" \
  --foreman-proxy-plugin-chef-ssl-verify="false" \
  --foreman-proxy-plugin-chef-ssl-pem-file \
  --no-enable-puppet \
  --foreman-server-ssl-crl=""

Please correct me if I am wrong anywhere in executing above commands. Struggling a lot to resolve this error. Your help will be appreciated!

Thanks,
Avdhoot