Upgrading Foreman/Katello 2.4/4.0 to 2.5/4.1

Hi

My Foreman/Katello server and one smart proxy are both registered hosts and I have a product/repos/view/lifecycle for them.
I’m going to switch the repos for the product from 2.4/4.0 to 2.5/4.1 and upgrade this way (VMs will be snapshotted of course!)

I assume this should work?

Also, once packages have been updated and I run the foreman-installer, do I need to re-specify all the options I used or will the installer use what’s already set?

I have some specific dhcpd.conf which I’ll restore post-upgrade

Just trying to check if I’m going at it the right way!

Thanks

Generally, the complete upgrade procedure is in the docs: Upgrading and Updating Foreman server

I would recommend installing and enabling the foreman and katello repositories as well as the required OS repositories from the repo files before the upgrade and installer run. The installer occasionally wants to install additional packages and that doesn’t always work if you are using only the server itself as the package source. (Of course, it’s not a disaster either, as the installer would print an error and you could manually fix the problem and then rerun the installer.)

The installer has all your options saved in the answer file in /etc/foreman-installer/scenarios.d/. You only have to give the options if you want to change something. Compare step 10 in the upgrade docs above.

ok
For Pulp Core I’m using 3.9 at the moment. Can we go to 3.13, or is it best to stay on 3.9?

pulp is installed as part of foreman/katello. Follow the upgrade instructions. The katello repo file contains the pulp repository to be used. Don’t use a different one.

2 issues after upgrading:

2021-06-24 14:20:12 [NOTICE] [configure] System configuration has finished.
Executing: foreman-rake upgrade:run
`/usr/share/foreman` is not writable.
Bundler will use `/tmp/bundler20210624-31137-1h81vc331137' as your home directory temporarily.
=============================================
Upgrade Step 1/4: katello:correct_repositories. This may take a long while.
Upgrade Step 2/4: katello:clean_backend_objects. This may take a long while.
4 orphaned consumer id(s) found in candlepin.
Candlepin orphaned consumers: ["2ceb5371-ad39-4718-b499-25cdb7c9eec5", "963ea2b1-e475-463b-b737-89a6ecfd5a89", "ae1b244f-f8df-457b-a639-bfbc31b4f67b", "ed052cc5-372d-4133-b71a-c38116cb15d4"]
=============================================

I have

drwxr-xr-x.  14 root root   4.0K Jun 24 13:56 foreman/

For the Candlepin orphaned consumers I’m not sure how to deal with those…

`/usr/share/foreman` is not writable.
Bundler will use `/tmp/bundler20210624-32184-6oqzow32184' as your home directory temporarily.
Loading production environment (Rails 6.0.3.7)
irb(main):001:0>

What you are seeing are warnings and not errors. We have been discussing how to prevent users from seeing this and thinking there is an issue. The bottom line for you is, these do not indicate anything bad happened with the upgrade.

Ok. Yep these messages can be confusing…
Overall the upgrade went ok for the main server. I reported Bug #32884: Host -> VM displays undefined method `include?' for nil:NilClass - Foreman

Upgrading a smart proxy yielded another error

2021-06-25 08:53:00 [NOTICE] [configure] 1750 configuration steps out of 1852 steps complete.
2021-06-25 08:53:04 [ERROR ] [configure] Error making PUT request to https://foremankatello.fishy.com/api/v2/smart_proxies/2/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-06-25 08:53:04 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]/features: change from ["Ansible", "Container_Gateway", "DHCP", "Dynflow", "HTTPBoot", "Logs", "Openscap", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP", "Templates"] to ["Ansible", "Container_Gateway", "DHCP", "Discovery", "Dynflow", "HTTPBoot", "Logs", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP", "Templates"] failed: Error making PUT request to https://foremankatello.fishy.com/api/v2/smart_proxies/2/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-06-25 08:53:04 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]: Failed to call refresh: Error making PUT request to https://foremankatello.fishy.com/api/v2/smart_proxies/2/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-06-25 08:53:04 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]: Error making PUT request to https://foremankatello.fishy.com/api/v2/smart_proxies/2/refresh: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on Foreman server for detailed information
2021-06-25 08:53:07 [NOTICE] [configure] System configuration has finished.

  There were errors detected during install.
  Please address the errors and re-run the installer to ensure the system is properly configured.
  Failing to do so is likely to result in broken functionality.

  The full log is at /var/log/foreman-installer/foreman-proxy-content.log

and in /var/log/foreman/production.log

2021-06-25T08:55:55 [I|app|548ffd82] Started GET "/api/v2/smart_proxies/2/refresh" for 10.77.41.46 at 2021-06-25 08:55:55 +0000
2021-06-25T08:55:56 [F|app|548ffd82]
 548ffd82 | ActionController::RoutingError (No route matches [GET] "/api/v2/smart_proxies/2/refresh"):
 548ffd82 |
 548ffd82 | lib/foreman/middleware/logging_context_request.rb:11:in `call'
 548ffd82 | katello (4.1.0) lib/katello/prevent_json_parsing.rb:12:in `call'
2021-06-25T08:56:01 [I|app|d3f87715] Started GET "/notification_recipients" for 10.50.154.234 at 2021-06-25 08:56:01 +0000

Ssl issues when upgrading from 2.4 to 2.5.1
Was working fine on 2.4

// On main Foreman/Katello VM
// For Smart Proxy certs

# rm -rf ssl-build/foremansmartpxy.fishy.com
# foreman-proxy-certs-generate --foreman-proxy-fqdn "foremansmartpxy.fishy.com" \
 --certs-tar  "/root/foremansmartpxy.fishy.com-certs-2_5.tar" \
 --server-cert "/root/downloads/certs-foremansmartpxy/foremansmartpxy.fishy.com.cer" \
 --server-key "/root/downloads/certs-foremansmartpxy/foremansmartpxy.fishy.com.key" \
 --server-ca-cert "/root/downloads/certs-foremansmartpxy/cacert.crt" \
 --certs-update-all

// On Smart Proxy

# foreman-installer \
 --scenario foreman-proxy-content \
 --enable-foreman-proxy-plugin-remote-execution-ssh \
 --enable-foreman-proxy-plugin-ansible \
 --enable-foreman-proxy-plugin-discovery \
 --enable-foreman-proxy-plugin-openscap \
 --certs-update-server \
 --certs-update-all \
 --certs-tar-file "/root/foremansmartpxy.fishy.com-certs-2_5.tar" \
 --foreman-proxy-dhcp true \
 --foreman-proxy-dhcp-managed true \
 --foreman-proxy-dhcp-ping-free-ip true \
 --foreman-proxy-http true \
 --foreman-proxy-httpboot true \
 --foreman-proxy-foreman-base-url "https://foremankatello.fishy.com" \
 --foreman-proxy-oauth-consumer-key "XXXXXXXXXXXXXXXXXXXXXXXXX" \
 --foreman-proxy-oauth-consumer-secret "YYYYYYYYYYYYYYYYYYYYYYYYY" \
 --foreman-proxy-templates true \
 --foreman-proxy-template-url "http://imforemansmartpxy01.fishy.com:8000" \
 --foreman-proxy-templates-listen-on "both" \
 --foreman-proxy-register-in-foreman true \
 --foreman-proxy-tftp true \
 --foreman-proxy-tftp-managed true \
 --foreman-proxy-trusted-hosts "foremankatello.fishy.com" \
 --foreman-proxy-trusted-hosts "foremansmartpxy.fishy.com"

Now the Foreman server can’t communicate with the Smart Proxy due to an SSL issue

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Unable to fetch logs ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://foremansmartpxy.fishy.com:9090/logs)

Same certs used for initial Smart Proxy installation back on 2.4

# katello-certs-check  -t foreman-proxy  -c foremansmarpxy.fishy.com.cer  -k foremansmarpxy.fishy.com.key  -b cacert.crt
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size: 2
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Validation succeeded

Our Smart Proxy is down because of this…

Do you see that smart-proxy present in the UI? If you do, and you try to refresh from there what happens?

Top right pop up

ERF12-9411 [ProxyAPI::ProxyException]: Unable to fetch public key ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://foremansmartpxy.fishy.com:9090/ssh

3 pink boxes under Refresh features with

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Unable to fetch logs ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://foremansmartpxy.fishy.com:9090/logs)

and under Pulp Storage another pink one with

Oops, we're sorry but something went wrong foremansmartpxy.fishy.com is unreachable. SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

Is there a way to get out of this mess updating certs manually?
I followed the upgrade guide for smart proxy (taking into account my smart proxy as well as my main foreman server certs are issued by internal CA) and a setup that was working perfectly with 2.4/4.0 got messed up by the upgrade… I have 150+ hosts registered via this Smart Proxy…
I don’t know the internals of Foreman/Katello so very reluctant to start changing stuff randomly.

Frankly I have no idea what’s wrong…

However I’ve done the following on the smart proxy:

- Moved away everything in /root/ssl-build/
- yum remove improdforemansmartpxy01.iom.local-qpid-router-server improdforemansmartpxy01.iom.local-apache improdforemansmartpxy01.iom.local-puppet-client improdforemansmartpxy01.iom.local-foreman-proxy improdforemansmartpxy01.iom.local-qpid-router-client improdforemansmartpxy01.iom.local-foreman-proxy-client
- Instead of using the generated certs tar as described in the upgrade guide I used the certs tar created when I initially set up the smart proxy (lucky I still had that around!)

# foreman-installer \
                    --scenario foreman-proxy-content \
                    --certs-tar-file                              "/root/foremansmartpxy.fishy.com-certs.tar"\
                    --foreman-proxy-register-in-foreman           "true"\
                    --foreman-proxy-foreman-base-url              "https://foremankatello.fishy.com"\
                    --foreman-proxy-trusted-hosts                 "foremankatello.fishy.com"\
                    --foreman-proxy-trusted-hosts                 "foremansmartpxy.fishy.com"\
                    --foreman-proxy-oauth-consumer-key            "XXXXXXXXXXXXXXXXXX"\
                    --foreman-proxy-oauth-consumer-secret         "YYYYYYYYYYYYYYYYYYYY"\
                    --puppet-server-foreman-url                   "https://foremankatello.fishy.com"

1st run of the installer complained about:

foremansmartpxy.fishy.com-foreman-proxy
foremansmartpxy.fishy.com-local-apache

not being found which is completely wrong as they are in the tar file…

2nd run of the installer (exact same command as above) did not complain yet produced errors:

2021-06-28 09:23:35 [NOTICE] [configure] 1750 configuration steps out of 1866 steps complete.
2021-06-28 09:23:40 [ERROR ] [configure] Proxy foremansmartpxy.fishy.com has failed to load one or more features (Discovery), check /var/log/foreman-proxy/proxy.log for configuration errors
2021-06-28 09:23:40 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]/features: change from ["Ansible", "Container_Gateway", "DHCP", "Dynflow", "HTTPBoot", "Logs", "Openscap", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP", "Templates"] to ["Ansible", "Container_Gateway", "DHCP", "Discovery", "Dynflow", "HTTPBoot", "Logs", "Openscap", "Pulpcore", "Puppet", "Puppet CA", "Registration", "SSH", "TFTP", "Templates"] failed: Proxy foremansmartpxy.fishy.com has failed to load one or more features (Discovery), check /var/log/foreman-proxy/proxy.log for configuration errors
2021-06-28 09:23:42 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]: Failed to call refresh: Proxy foremansmartpxy.fishy.com has failed to load one or more features (Discovery), check /var/log/foreman-proxy/proxy.log for configuration errors
2021-06-28 09:23:42 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremansmartpxy.fishy.com]: Proxy foremansmartpxy.fishy.com has failed to load one or more features (Discovery), check /var/log/foreman-proxy/proxy.log for configuration errors
2021-06-28 09:23:44 [NOTICE] [configure] System configuration has finished.

  There were errors detected during install.
  Please address the errors and re-run the installer to ensure the system is properly configured.
  Failing to do so is likely to result in broken functionality.

  The full log is at /var/log/foreman-installer/foreman-proxy-content.log

No useful information in /var/log/foreman-proxy/proxy.log or /var/log/foreman-installer/foreman-proxy-content.log

Yet (let’s call it a Monday morning miracle!) the Smart Proxy shows all green in the Foreman/Katello server UI and I synch’ed my views (completed). I went to a VM registered via the smart proxy and ran a yum clean all ; yum update and it picked up everything new happily including new GPG keys so from that point of view it seems alright.

I’m somewhat happy it works again but my confidence in the whole process is somewhat low…

  1. Always fails at “1750 configuration steps out of 1866 steps complete” so has something not been completed?
  2. Certs regeneration from main Foreman/Katello server on 2.5.1/4.1 seems to create something incorrect…

I’m happy to provide more info if I’m directed to get to the bottom at that problem.

I’m going to have to create a few more Smart Proxies in different Geo locations and if the cert generation creates something incorrect for a new smart proxy FQDN it’s not going to be pleasant.
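
The two failures quoted in this thread, "self signed certificate in certificate chain" and "unable to get local issuer certificate", are distinct OpenSSL verification results. The script below is an added example, not part of any post or of Foreman's own tooling: it builds throwaway CAs (all names are constructed) and reproduces each result with `openssl verify` so the two can be told apart.

```shell
#!/bin/sh
# Added example. Every name below (internal-ca, other-ca, proxy.example.test)
# is constructed; nothing here is taken from the thread's systems.

make_ca() {    # make_ca NAME -> NAME.key, NAME.pem (self-signed root)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() {  # make_leaf CA_NAME HOST -> HOST.pem issued by CA_NAME
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.pem" 2>/dev/null
}

# classify_verify TRUSTED_CA LEAF [CHAIN_SENT_BY_PEER]
# Maps the OpenSSL verify error number to the failure it describes.
classify_verify() {
    out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
    case $out in
        *"error 19 at"*) echo untrusted-root ;;  # self signed cert in chain
        *"error 20 at"*) echo missing-issuer ;;  # unable to get local issuer
        *": OK"*)        echo ok ;;
        *)               echo other ;;
    esac
}

demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_ca internal-ca && make_ca other-ca &&
        make_leaf internal-ca proxy.example.test || exit 1
    # 1. The client trusts the CA that issued the proxy certificate.
    classify_verify internal-ca.pem proxy.example.test.pem
    # 2. The client trusts a different CA; the peer sends only its leaf.
    classify_verify other-ca.pem proxy.example.test.pem
    # 3. Same trust store, but the peer also sends its own root. The chain
    #    is complete, yet it ends in a root the client was never told to trust.
    classify_verify other-ca.pem proxy.example.test.pem internal-ca.pem
    cd / && rm -rf "$dir"
)

demo
```

In both failing cases the certificate and key themselves are valid; what differs is which CA file the connecting side trusts, which a check of the certificate, key and bundle against each other does not cover.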