Bug 1103935

Summary: foreman-proxy run puppet over ssh doesn't work
Product: Red Hat Satellite
Component: Foreman Proxy
Version: 6.0.3
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Reporter: Bryan Kearney <bkearney>
Assignee: Katello Bug Bin <katello-bugs>
QA Contact: Tazim Kolhar <tkolhar>
CC: bbuckingham, cwelton, gsutclif, jmontleo, tkolhar
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/5561
Doc Type: Bug Fix
Last Closed: 2014-09-11 12:28:02 UTC

Description Bryan Kearney 2014-06-02 23:43:23 UTC
Running foreman(1.4.3) and foreman-proxy (1.5.0-0) on Rhel 6.2, I found that the only way to get puppet run over ssh to work is to remove the space between -l <user> and -i <keyfile> in puppet_ssh.rb. Otherwise, the remote system shows this in the logs (X's added). Note the extra whitespace appearing before foreman-proxy user.
<pre>
May  2 14:06:04 XXXXX sshd[2430]: Invalid user  foreman-proxy from X.X.X.X
May  2 14:06:04 XXXXX sshd[2431]: input_userauth_request: invalid user  foreman-proxy
May  2 14:06:04 XXXXX sshd[2430]: Failed none for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2430]: Failed password for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2430]: Failed password for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2431]: Connection closed by X.X.X.X
</pre>

Related settings look like:
<pre>
:puppet: true
:puppet_provider: puppetssh
:puppetssh_sudo: false
:puppetssh_command: /usr/local/bin/puppet_with_sudo.sh
:puppetssh_user: foreman-proxy
:puppetssh_keyfile: /etc/foreman-proxy/ssh/id_rsa
</pre>

If I change the code to the following, and restart, it runs just fine.
<pre><code class="ruby">
--- foreman-proxy/lib/proxy/puppet/puppet_ssh.rb.orig	2014-05-02 14:06:33.010472500 -0500
+++ foreman-proxy/lib/proxy/puppet/puppet_ssh.rb	2014-05-02 14:06:21.626366466 -0500
@@ -6,10 +6,10 @@
       cmd = []
       cmd.push(which('sudo')) if SETTINGS.puppetssh_sudo
       cmd.push(which('ssh'))
-      cmd.push("-l #{SETTINGS.puppetssh_user}") if SETTINGS.puppetssh_user
+      cmd.push("-l#{SETTINGS.puppetssh_user}") if SETTINGS.puppetssh_user
       if (file = SETTINGS.puppetssh_keyfile)
         if File.exists?(file)
-          cmd.push("-i #{file}")
+          cmd.push("-i#{file}")
         else
           logger.warn("Unable to access SSH private key:#{file}, ignoring...")
         end
</code></pre>
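Review bot: In both changed lines the flag and its value are still pushed as a single array element ("-l#{SETTINGS.puppetssh_user}" and "-i#{file}"), so the fix depends on ssh accepting the attached short-option form rather than removing the cause of the leading-space login name shown in the sshd log. Pushing them as separate elements, for example cmd.push("-l", SETTINGS.puppetssh_user) and cmd.push("-i", file), hands ssh the exact value and keeps the array at one argument per element, like the neighbouring cmd.push(which('ssh')). The context line also uses File.exists?, the deprecated alias of File.exist?.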
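Why the embedded space ends up in the login name, as an added Ruby example (not foreman-proxy code and not part of the original report). `parse_short_opts` is a simplified model of getopt-style short-option parsing, assumed here to match how ssh reads `-l` and `-i`; all method names are hypothetical, and the user and key path are the values from the settings above.

```ruby
# Added illustration; method names are hypothetical, not foreman-proxy code.
USER    = 'foreman-proxy'.freeze                  # :puppetssh_user from the report
KEYFILE = '/etc/foreman-proxy/ssh/id_rsa'.freeze  # :puppetssh_keyfile from the report

# Short options that take a value, limited to the two this bug involves.
VALUE_OPTS = %w[l i].freeze

# Build the option part of the argv array in three styles.
def ssh_opts(style, user, keyfile)
  case style
  when :original   then ["-l #{user}", "-i #{keyfile}"] # removed lines of the patch
  when :workaround then ["-l#{user}", "-i#{keyfile}"]   # added lines of the patch
  when :separate   then ['-l', user, '-i', keyfile]     # one argument per element
  end
end

# Simplified getopt model: "-lVALUE" takes the rest of the element as the
# value, a bare "-l" takes the next element. No shell is involved when a
# command is run from an array, so whitespace inside an element is kept.
def parse_short_opts(argv)
  opts = {}
  args = argv.dup
  while (arg = args.shift)
    break unless arg.start_with?('-') && arg.length > 1
    letter = arg[1]
    next unless VALUE_OPTS.include?(letter)
    opts[letter] = arg.length > 2 ? arg[2..-1] : args.shift
  end
  opts
end

# Review check: elements that glue an option letter to whitespace and a value.
def suspicious_elements(argv)
  argv.grep(/\A-[A-Za-z]\s/)
end

if __FILE__ == $PROGRAM_NAME
  %i[original workaround separate].each do |style|
    argv = ssh_opts(style, USER, KEYFILE)
    login = parse_short_opts(argv)['l']
    puts "#{style}: login=#{login.inspect} flagged=#{suspicious_elements(argv).inspect}"
  end
end
```

The `:original` style yields the login name `" foreman-proxy"`, which matches the double space in the `Invalid user  foreman-proxy` log lines.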

Comment 1 Bryan Kearney 2014-06-02 23:43:27 UTC
Created from redmine issue http://projects.theforeman.org/issues/5561

Comment 3 Bryan Kearney 2014-06-05 19:49:41 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/5561 has been closed

Comment 6 Tazim Kolhar 2014-07-01 07:49:12 UTC
Please provide verification steps.

Comment 7 Corey Welton 2014-07-11 23:22:16 UTC
6.0.4 for testing

Comment 8 Tazim Kolhar 2014-08-27 12:33:22 UTC
Please provide verification steps.

Comment 9 Greg Sutcliffe 2014-09-01 10:04:13 UTC
DEVELOPER VERIFIED: This bug passed my testing, and was tested on the following systems:

satellite: https://satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com/hosts/satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com
capsule: https://satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com/hosts/satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com:9090

but please note the following caveats or workarounds to get it tested:

Puppetssh obviously has to be configured, along with an ssh key for access. I used a custom puppetrun command which simply does "date >> /tmp/gsutclif.out" as a proof that a command was run. On clicking the Puppetrun button we see:


<pre>
==> /var/log/foreman-proxy/proxy.log <==
D, [2014-09-01T06:10:17.460241 #74730] DEBUG -- : about to execute: /usr/bin/ssh -l root -i /etc/foreman-proxy/id_rsa satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com /usr/local/bin/gsutcliftest.sh
10.8.105.1 - - [01/Sep/2014 06:10:17] "POST /puppet/run HTTP/1.1" 200 - 0.0109

==> /var/log/secure <==
Sep  1 06:10:17 satellite1 sshd[75618]: Accepted publickey for root from 10.8.105.1 port 38437 ssh2
Sep  1 06:10:17 satellite1 sshd[75618]: pam_unix(sshd:session): session opened for user root by (uid=0)

tail: /tmp/gsutclif.out: file truncated
Mon Sep  1 06:10:17 EDT 2014

==> /var/log/secure <==
Sep  1 06:10:17 satellite1 sshd[75618]: Received disconnect from 10.8.105.1: 11: disconnected by user
Sep  1 06:10:17 satellite1 sshd[75618]: pam_unix(sshd:session): session closed for user root
</pre>
So we can see the command was received by the proxy, ssh was invoked with the correct key, the file was populated with a datestamp, and then ssh disconnected. All good.

Comment 10 Tazim Kolhar 2014-09-01 10:28:51 UTC
VERIFIED:


<pre>
==> /var/log/foreman-proxy/proxy.log <==
# tail -f /var/log/foreman-proxy/proxy.log
/usr/lib/ruby/gems/1.8/gems/rack-1.4.1/lib/rack/handler/webrick.rb:13:in `run'
/usr/lib/ruby/gems/1.8/gems/rack-1.4.1/lib/rack/server.rb:265:in `start'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `launch'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `initialize'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `new'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `launch'
/usr/share/foreman-proxy/bin/smart-proxy:6
127.0.0.1 - - [01/Sep/2014 06:32:49] "POST /dns HTTP/1.1" 400 32 0.1470
D, [2014-09-01T06:33:33.008936 #78067] DEBUG -- : about to execute: /usr/bin/ssh -l root -i /etc/foreman-proxy/id_rsa mmccune-el72.internal-el6.satellite.lab.eng.rdu2.redhat.com /usr/local/bin/gsutcliftest.sh
10.8.105.1 - - [01/Sep/2014 06:33:33] "POST /puppet/run HTTP/1.1" 200 - 0.0164

==> /var/log/secure <==
# tail -f /var/log/secure
Sep  1 06:29:39 satellite1 sshd[77744]: Accepted password for root from 10.10.48.66 port 50290 ssh2
Sep  1 06:29:40 satellite1 sshd[77744]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep  1 06:30:01 satellite1 crond[77785]: pam_sss(crond:session): Request to sssd failed. Connection refused
Sep  1 06:30:42 satellite1 CROND[77785]: pam_sss(crond:session): Request to sssd failed. Connection refused
Sep  1 06:31:14 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:31:15 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy
Sep  1 06:32:45 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:32:47 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy
Sep  1 06:34:30 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:34:31 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy
</pre>

Comment 11 Bryan Kearney 2014-09-11 12:28:02 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.