Bug 1375697

Summary: Capsule Installer does not honor virtual fqdn in load-balance scenario
Product: Red Hat Satellite
Reporter: Dylan Gross <dgross>
Component: Installation
Assignee: Stephen Benjamin <stbenjam>
Status: CLOSED ERRATA
QA Contact: jcallaha
Severity: high
Docs Contact:
Priority: high
Version: 6.2.0
CC: andrew.schofield, bbuckingham, bkearney, bperkins, dcaplan, jcallaha, kabbott, oshtaier, rjerrido, stbenjam, zhunting
Target Milestone: Unspecified
Keywords: PrioBumpPM, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: katello-installer-base-3.0.0.66-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1405514
Environment:
Last Closed: 2017-01-26 10:42:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1405514

Description Dylan Gross 2016-09-13 18:12:33 UTC
Description of problem:

Using the Satellite6 HA LoadBalancing Reference architecture as a guide has the customer creating a multi-host certificate bundle, and then applying it to multiple capsules.   

However, when the subsequent "satellite-installer --scenario capsule" is used to apply those certs to the capsule, the resulting "katello-ca-consumer-latest" that is created on each capsule contains a /usr/bin/katello-rhsm-consumer script that references the name of each individual capsule (KATELLO_SERVER=) rather than that of the load-balanced name.
 

Version-Release number of selected component (if applicable):

    Red Hat Satellite 6.2.1

How reproducible:

Steps to Reproduce:
1. Following sections 5.2.1.7 and 5.2.1.8 of the reference architecture (https://access.redhat.com/sites/default/files/attachments/sat6ha-lb-refarch.pdf), create a tar bundle for multiple capsules and use that with the satellite-installer on the capsules to apply the certificate bundle.

Actual results:

   The resulting katello-ca-consumer rpm will contain a /usr/bin/katello-rhsm-consumer with a KATELLO_SERVER= set to the actual fqdn of each individual capsule.

Expected results:

   The resulting katello-ca-consumer rpm should contain a /usr/bin/katello-rhsm-consumer file with a KATELLO_SERVER set to the fqdn of $1 that was specified when using the "katello-multi-host-certs.sh" script in Appendix C.10 of the above Reference Architecture.  (In other words, the virtual fqdn representing all of the capsules)


Additional info:

   According to the customer, the class in /usr/share/katello-installer-base/modules/certs/manifests/katello.pp was not honoring the "node_fqdn" override and was instead always just using the capsule's fqdn.

Making the following changes allowed for the correct Virtual fqdn to be represented in the /usr/bin/katello-rhsm-consumer script.

However, it is unknown what other effects this may have.

-----------------------------------------

$ diff /usr/share/katello-installer-base/modules/certs/manifests/katello.pp.orig /usr/share/katello-installer-base/modules/certs/manifests/katello.pp
3c3
<   $hostname                      = $fqdn,
---
>   $hostname                      = $::certs::node_fqdn,
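Review bot: the new default `$hostname = $::certs::node_fqdn` on line 3 makes this class depend on the `certs` class having been evaluated before the parameter default is resolved; if `certs::katello` can be reached without `::certs` already declared, the default evaluates to undef and the previous behaviour (`$fqdn`) is silently lost, so add an explicit `include ::certs` (or an ordering constraint on `Class['certs']`) in the class body, or document the dependency. The parameter name `$hostname` also reads like the `hostname` fact; a one-line comment saying it carries the node_fqdn override (the virtual fqdn in the load-balanced case, the capsule's own fqdn otherwise) would make the intent clear to the next reader.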
19,20c19,20
<   $candlepin_consumer_name        = "katello-ca-consumer-${::fqdn}"
<   $candlepin_consumer_summary     = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
---
>   $candlepin_consumer_name        = "katello-ca-consumer-${hostname}"
>   $candlepin_consumer_summary     = "Subscription-manager consumer certificate for Katello instance ${hostname}"
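Review bot: switching `$candlepin_consumer_name` to `katello-ca-consumer-${hostname}` changes the generated RPM's package name whenever node_fqdn differs from the capsule's own fqdn, so a capsule first installed without the override and later re-run with the virtual fqdn ends up with two differently named katello-ca-consumer packages and nothing obsoletes the old one; this deserves a note in the parameter documentation or an Obsoletes entry in the RPM metadata. The rename is also what lets every capsule behind the load balancer publish a package of the same name, which is the intended effect, so this hunk must land together with the first one: applying only one of them would leave the package name and the script contents disagreeing about which host the consumer points at.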

Comment 3 David Caplan 2016-10-13 20:54:17 UTC
This must be fixed to correct issues found by the customer when following the prescription laid out in the RefArch for LB https://access.redhat.com/sites/default/files/attachments/sat6ha-lb-refarch.pdf
May need a switch that allows the admin to indicate if the Capsule will LB or not. If LB = Yes, then apply the patch.

Comment 4 Stephen Benjamin 2016-10-14 14:15:19 UTC
Created redmine issue http://projects.theforeman.org/issues/16945 from this bug

Comment 5 Stephen Benjamin 2016-10-14 14:19:32 UTC
Thanks for the patch. At a quick glance, it looks OK and should work regardless, on any setup. Will try it out. PR opened upstream.

Comment 6 Bryan Kearney 2016-10-14 20:00:41 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16945 has been resolved.

Comment 10 jcallaha 2017-01-25 21:09:37 UTC
Verified in Satellite 6.2.7 Snap 3

I followed the instructions outlined here (https://www.redhat.com/cms/managed-files/li-highly-available-satellite-server-environment-reference-architecture-us103789-201610-en.pdf) to create the script. Be careful to ensure you clean up the formatting!

I then ran that script with my capsule's hostname as well as some additional names thrown in.

-bash-4.2# bash katello-multi-host-certs.sh dell-pe-fc630-01.rhts.eng.bos.redhat.com test1.rhts.eng.bos.redhat.com test2.rhts.eng.bos.redhat.com test3.rhts.eng.bos.redhat.com

Generating the web server's SSL private key: ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/custom-cert.key
Rotated: custom-cert.key --> custom-cert.key.1

Generating web server's SSL certificate request: ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/custom-cert.crt.req
Using distinguished names:
    --set-country      = "US"
    --set-state        = "North Carolina"
    --set-city         = "Raleigh"
    --set-org          = "FOREMAN"
    --set-org-unit     = "FOREMAN_PROXY"
    --set-hostname     = "dell-pe-fc630-01.rhts.eng.bos.redhat.com"
    --set-email        = "admin"
Rotated: custom-cert.crt.req --> custom-cert.crt.req.1

Generating/signing web server's SSL certificate: custom-cert.crt
Rotated: custom-cert.crt --> custom-cert.crt.1

...working...

Generating web server's SSL key pair/set RPM:
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-key-pair-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-4.src.rpm
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-key-pair-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-4.noarch.rpm

The most current RHN Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-archive-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-10.tar

Deploy the server's SSL key pair/set RPM:
    (NOTE: the Katello installer may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or RHN Satellite, or RHN Proxy.
    Presumably 'dell-pe-fc630-01.rhts.eng.bos.redhat.com'.
Marking certificate /root/ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/dell-pe-fc630-01.rhts.eng.bos.redhat.com-apache for update
Marking certificate /root/ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/dell-pe-fc630-01.rhts.eng.bos.redhat.com-foreman-proxy for update
Installing             Done                                               [100%] [..........................................................................................................]
  Success!

  To finish the installation, follow these steps:

  If you do not have the capsule registered to the Satellite instance, then please do the following:

  1. yum -y localinstall http://ibm-x3550m3-08.lab.eng.brq.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization"

  Once this is completed run the steps below to start the capsule installation:

  1. Ensure that the satellite-capsule package is installed on the system.
  2. Copy /root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar to the system dell-pe-fc630-01.rhts.eng.bos.redhat.com
  3. Run the following commands on the capsule (possibly with the customized
     parameters, see satellite-installer --scenario capsule --help and
     documentation for more info on setting up additional services):

  satellite-installer --scenario capsule\
                    --capsule-parent-fqdn                         "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-register-in-foreman           "true"\
                    --foreman-proxy-foreman-base-url              "https://ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-trusted-hosts                 "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-trusted-hosts                 "dell-pe-fc630-01.rhts.eng.bos.redhat.com"\
                    --foreman-proxy-oauth-consumer-key            "RV37XVeL4sMdJiDqtaeCxjhyu2onAPBx"\
                    --foreman-proxy-oauth-consumer-secret         "3vjh5ygYZ2kPHWXH63dGJr2KwsrLSvE9"\
                    --capsule-pulp-oauth-secret                   "6K2KvS6kREZVMU6nRaPLBHbCVCzYnFpa"\
                    --capsule-certs-tar                           "/root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar"
  The full log is at /var/log/capsule-certs-generate.log

Next, I copied over the generated cert and ran the capsule installer on the target capsule.

-bash-4.2# satellite-installer --scenario capsule\
>                     --capsule-parent-fqdn                         "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-register-in-foreman           "true"\
>                     --foreman-proxy-foreman-base-url              "https://ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-trusted-hosts                 "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-trusted-hosts                 "dell-pe-fc630-01.rhts.eng.bos.redhat.com"\
>                     --foreman-proxy-oauth-consumer-key            "RV37XVeL4sMdJiDqtaeCxjhyu2onAPBx"\
>                     --foreman-proxy-oauth-consumer-secret         "3vjh5ygYZ2kPHWXH63dGJr2KwsrLSvE9"\
>                     --capsule-pulp-oauth-secret                   "6K2KvS6kREZVMU6nRaPLBHbCVCzYnFpa"\
>                     --capsule-certs-tar                           "/root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar"
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  The full log is at /var/log/foreman-installer/capsule.log

Finally, you can see that the contents of katello-ca-consumer-latest.noarch.rpm are indeed what we are expecting. 

-bash-4.2# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm
...
KATELLO_SERVER=dell-pe-fc630-01.rhts.eng.bos.redhat.com
KATELLO_SERVER_CA_CERT=katello-server-ca.pem
KATELLO_DEFAULT_CA_CERT=katello-default-ca.pem
KATELLO_CERT_DIR=/etc/rhsm/ca
PORT=8443
...
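
A check for the symptom reported in this bug, added here as an example (it is not part of the bug report, the reference architecture or the installer): it pulls /usr/bin/katello-rhsm-consumer out of a katello-ca-consumer-latest.noarch.rpm with rpm2cpio and cpio, reads the KATELLO_SERVER= assignment, and reports when that value names an individual capsule instead of the virtual fqdn that clients should register through. The sample script text, the example.com hostnames and the function names are constructed for this example.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample: the variable block of a katello-rhsm-consumer script in the
# shape shown in the verification comment above. Hostnames are placeholders.
SAMPLE_SCRIPT = """#!/bin/bash
KATELLO_SERVER=capsule1.example.com
KATELLO_SERVER_CA_CERT=katello-server-ca.pem
KATELLO_DEFAULT_CA_CERT=katello-default-ca.pem
KATELLO_CERT_DIR=/etc/rhsm/ca
PORT=8443
"""

# Simple shell assignment: NAME=value, value bare or in single/double quotes,
# optionally followed by a trailing comment.
ASSIGN_RE = re.compile(
    r'^([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]*))\s*(?:#.*)?$'
)


def parse_assignments(script: str) -> Dict[str, str]:
    """Collect top-level NAME=value assignments from a shell script."""
    values: Dict[str, str] = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m is None:
            continue
        name, dq, sq, bare = m.groups()
        values[name] = dq if dq is not None else sq if sq is not None else bare
    return values


def normalize_fqdn(name: str) -> str:
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.strip().rstrip(".").lower()


def check_consumer_script(script: str, virtual_fqdn: str, capsule_fqdns: List[str]) -> List[str]:
    """Return findings; an empty list means KATELLO_SERVER points at the virtual fqdn."""
    values = parse_assignments(script)
    if "KATELLO_SERVER" not in values:
        return ["KATELLO_SERVER is not set"]
    raw = values["KATELLO_SERVER"]
    if normalize_fqdn(raw) == normalize_fqdn(virtual_fqdn):
        return []
    if normalize_fqdn(raw) in {normalize_fqdn(c) for c in capsule_fqdns}:
        # The symptom of this bug: every client registered from this capsule
        # would pin itself to one backend and bypass the load balancer.
        return [f"KATELLO_SERVER={raw} names an individual capsule, expected {virtual_fqdn}"]
    return [f"KATELLO_SERVER={raw} does not match expected {virtual_fqdn}"]


def extract_rpm_member(rpm_path: str, member: str = "./usr/bin/katello-rhsm-consumer") -> str:
    """Stream one file out of an rpm with rpm2cpio | cpio (both tools must be on PATH)."""
    rpm2cpio = subprocess.Popen(["rpm2cpio", rpm_path], stdout=subprocess.PIPE)
    try:
        cpio = subprocess.run(
            ["cpio", "-i", "--quiet", "--to-stdout", member],
            stdin=rpm2cpio.stdout, capture_output=True, check=True,
        )
    finally:
        rpm2cpio.stdout.close()
        rpm2cpio.wait()
    return cpio.stdout.decode()


if __name__ == "__main__":
    # usage: check_consumer_rpm.py VIRTUAL_FQDN RPM_PATH [CAPSULE_FQDN ...]
    if len(sys.argv) < 3:
        sys.exit("usage: VIRTUAL_FQDN RPM_PATH [CAPSULE_FQDN ...]")
    findings = check_consumer_script(extract_rpm_member(sys.argv[2]), sys.argv[1], sys.argv[3:])
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("OK: KATELLO_SERVER is the virtual fqdn")
    sys.exit(1 if findings else 0)
```

Run it against the rpm in /var/www/html/pub on each capsule, passing the virtual fqdn and the real capsule names, and the exit status says whether that capsule would hand out a consumer package that pins clients to itself. In the verification above the multi-host script was invoked with the capsule's own hostname as its first argument, so there the expected value and the capsule fqdn coincide and the check passes by construction; in a customer deployment the first argument is the load-balanced name, and the check only passes once the fixed katello.pp is in place.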

Comment 13 errata-xmlrpc 2017-01-26 10:42:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0197