Bug 1215659

Summary: Configuring katello-installer to use external DNS via GSS-TSIG does not provide a working configuration
Product: Red Hat Satellite
Reporter: Rich Jerrido <rjerrido>
Component: Installation
Assignee: Katello Bug Bin <katello-bugs>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: medium
Priority: medium
Version: 6.1.0
CC: bbuckingham, bkearney, chpeters, cwelton, daobrien, jpazdziora, kbidarka, mburgerh, mmccune, nshaik, pdwyer, sghai, tkolhar, wburrows
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/10436
Doc Type: Bug Fix
Doc Text: Configuring katello-installer to use external DNS via GSS-TSIG did not provide a working configuration. The templates were fixed to support this configuration.
Last Closed: 2016-01-21 07:41:47 UTC
Type: Bug
Bug Blocks: 1177570, 1281350

Description Rich Jerrido 2015-04-27 11:53:31 UTC
Description of problem:
When attempting to run katello-installer such that I can use GSS-TSIG to connect to an external DNS server, neither --capsule-dns nor --capsule-dns-managed provides a working configuration.


Version-Release number of selected component (if applicable):
katello-installer-2.3.5-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. In my lab, my external DNS server is 172.17.16.3, and I am running:


katello-installer -d -v --capsule-dns true \
--capsule-dns-provider nsupdate_gss \
--capsule-dns-server 172.17.16.3 \
--capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab \
--capsule-dns-tsig-principal dnsdude


Actual results:
1. The named package is installed and zones are created, which I don't need (because I am putting my entries in a DNS server not hosted on the Satellite). Also, the ':dns_key: /etc/rndc.key' directive is enabled in /etc/foreman-proxy/settings.d/dns.yml.

2. If I run the above (with --capsule-dns false), I do not get the 'DNS' feature enabled under 'Infrastructure->Capsules'; using '--capsule-dns-managed' does not provide it either.

Expected results:

An installer option (or options) that provide a dns.yml such as:

# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
#:dns_key: /etc/rndc.key
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: 172.17.16.3
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude



Additional info:

Comment 1 RHEL Program Management 2015-04-27 12:03:22 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Rich Jerrido 2015-10-23 23:26:58 UTC
This issue is fixed with the following upstream commit. [https://github.com/theforeman/puppet-foreman_proxy/commit/753b65c2dad35a5887c46094061703d0a76e3c3c] 

With the dns.yml.erb from this commit on a satellite 6.1.3 system, the above command works as designed. 

Can we get this backported to the sat 6.1.x codebase?

Comment 4 Bryan Kearney 2015-11-30 14:08:47 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10436 from this bug

Comment 6 Bryan Kearney 2015-11-30 15:03:00 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/10436 has been closed
-------------
Stefan Meyer
Pull request: https://github.com/theforeman/puppet-foreman_proxy/pull/171

Comment 9 Mike McCune 2016-01-11 06:19:12 UTC
This fails QA as it causes a regression outlined here:

https://bugzilla.redhat.com/show_bug.cgi?id=1296877

I'd vote we just close the above bug and resolve this one since it is the same code and use case.

Comment 10 Mike McCune 2016-01-12 00:19:09 UTC
*** Bug 1296877 has been marked as a duplicate of this bug. ***

Comment 13 Kedar Bidarkar 2016-01-18 14:25:33 UTC
Ran the below command,

~]#katello-installer -v --capsule-dns true --capsule-dns-provider nsupdate_gss --capsule-dns-server x.x.x.x --capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab --capsule-dns-tsig-principal dnsdude

---
# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key

Capsule features in 'Infrastructure->Capsules' shows "DNS" Feature.

-----------------------------------------------------------------------

With 'katello-installer --capsule-dns false', Capsule features in 'Infrastructure->Capsules' does not show the "DNS" feature. Is this required? As per the initial bug request "Actual Result" 2).

Please confirm.

# DNS management
:enabled: false
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key

Comment 14 Kedar Bidarkar 2016-01-18 14:48:11 UTC
If DNS feature is set to false, the Capsule feature "DNS" is not shown on the UI.

VERIFIED With Sat6.1.6 compose 5
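
The consistency check that the verification above performs by eye, written out as an added example (not code from Foreman, Katello or this bug report). The helper names gss_tsig_problems and keytab_problems are hypothetical, the sample settings are constructed from the files quoted in this report, and the keytab permission check is an added hardening assumption rather than something the report states.

```ruby
require 'yaml'

# Added example, not Foreman/Katello code. Returns the problems found in a
# smart-proxy dns.yml that is meant to send GSS-TSIG updates.
def gss_tsig_problems(yaml_text)
  cfg = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  problems = []
  # The DNS feature is only listed under Infrastructure->Capsules when enabled.
  problems << 'DNS feature disabled (:enabled: false)' if [false, nil].include?(cfg[:enabled])
  unless cfg[:dns_provider] == 'nsupdate_gss'
    problems << ":dns_provider is #{cfg[:dns_provider].inspect}, expected nsupdate_gss"
  end
  # Per the fixed template: dns_key must be disabled if nsupdate_gss is used.
  problems << ':dns_key is active; comment it out for nsupdate_gss' if cfg.key?(:dns_key)
  %i[dns_server dns_tsig_keytab dns_tsig_principal].each do |key|
    problems << ":#{key} is missing or empty" if cfg[key].to_s.strip.empty?
  end
  problems
end

# Assumption (hardening check, not from the bug report): a keytab holds
# long-term Kerberos keys, so "other" users should have no access to it.
def keytab_problems(path)
  return ["keytab #{path} does not exist"] unless File.file?(path)
  mode = File.stat(path).mode & 0o777
  (mode & 0o007).zero? ? [] : [format('keytab %s is mode %04o; remove access for others', path, mode)]
end

# Constructed sample modelled on the dns.yml verified in comment 13.
FIXED = <<~YML
  :enabled: https
  :dns_provider: nsupdate_gss
  #:dns_key: /etc/rndc.key
  :dns_server: 172.17.16.3
  :dns_ttl: 86400
  :dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
  :dns_tsig_principal: dnsdude
YML
# Constructed sample of the reported symptom: the rndc key directive left active.
BROKEN = FIXED.sub('#:dns_key', ':dns_key')

if __FILE__ == $PROGRAM_NAME
  puts "BROKEN: #{gss_tsig_problems(BROKEN).inspect}"
  puts "FIXED:  #{gss_tsig_problems(FIXED).inspect}"
end
```

On a real Capsule, pass the contents of /etc/foreman-proxy/settings.d/dns.yml to gss_tsig_problems and the configured keytab path to keytab_problems.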

Comment 15 David O'Brien 2016-01-19 04:48:48 UTC
If this bug requires doc text for errata release, please provide draft
text in the doc text field in the following format:
 Cause:
 Consequence:
 Fix:
 Result:
The documentation team will review, edit, and approve the text.
If this bug does not require doc text, please set the
'requires_doc_text' flag to -.

Comment 18 errata-xmlrpc 2016-01-21 07:41:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0052