Bug 1402062

Summary: satellite-installer does not check for correct values in DNS/DHCP providers
Product: Red Hat Satellite Reporter: Peter Tselios <tselios.petros>
Component: InstallerAssignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED ERRATA QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.4CC: bkearney, dlobatog, jcallaha, lhellebr, tselios.petros
Target Milestone: 6.4.0Keywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
URL: http://projects.theforeman.org/issues/17595
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-16 19:09:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Peter Tselios 2016-12-06 17:10:29 UTC 
Description of problem:
You can run satellite-installer with any value you wish in the DNS/DHCP provider!

Version-Release number of selected component (if applicable):
6.2.4 and probably earlier versions as well. 

How reproducible:
Always.

Steps to Reproduce:
1. Run the following command:

satellite-installer -S satellite  \
  --foreman-proxy-dhcp-provider virsh \
  --foreman-proxy-dhcp-server 192.168.122.1 \
  --foreman-proxy-dns-server 192.168.122.1 \
  --foreman-proxy-dns-provider blabla \
  --foreman-proxy-dns true \
  --foreman-proxy-dhcp true \
  --foreman-proxy-dhcp-interface eth0

Installing             Done                                               [100%] [..........................................................]
  Success!
  * Satellite is running at https://rhss62.testenv
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

Actual results:
satellite-installer starts and complete the installation without any warning/error message!

Expected results:
It should accept only the foreman-proxy providers. 

Additional info:

cat ./dns.yml 
---
# DNS management
:enabled: https
# valid providers:
#   dns_dnscmd (Microsoft Windows native implementation)
#   dns_nsupdate
#   dns_nsupdate_gss (for GSS-TSIG support)
#   dns_virsh (simple implementation for libvirt)
:use_provider: dns_blabla
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
Comment 1 Daniel Lobato Garcia 2016-12-06 19:42:59 UTC 
This is a problem upstream too, the puppet module verifies only that the provided provider is a string. It should verify it's a String in a Enum that contains the valid providers.
Comment 2 Daniel Lobato Garcia 2016-12-06 19:44:26 UTC 
Created redmine issue http://projects.theforeman.org/issues/17595 from this bug
Comment 3 Peter Tselios 2016-12-06 21:13:51 UTC 
I hope that the comment is published upstream as well. 
If users have their own plugin, the probably they should flag it somehow and then disable the check. I believe that the vast majority of users will use the default plugins. 

For example like:
..
 --foreman-proxy-dhcp-provider my_custom_plugin
 --foreman-proxy-dhcp-custom-provider yes
..
Comment 4 Bryan Kearney 2016-12-09 09:14:01 UTC 
Upstream bug assigned to dlobatog
Comment 5 Bryan Kearney 2016-12-09 09:14:03 UTC 
Upstream bug assigned to dlobatog
Comment 7 Daniel Lobato Garcia 2016-12-12 10:04:46 UTC 
Peter - Looks like validating DHCP/DNS is a bit hairy as hard validations would make users who have their custom DHCP/DNS plugins unable to use their providers with the installer.

I've filed https://github.com/theforeman/puppet-foreman_proxy/pull/314 downstream which is supposed to fix the issue for puppetrun/realms/bmc providers though. If that's good enough for you - let me know and I'll move the ticket to POST.
Comment 8 Peter Tselios 2016-12-12 15:04:23 UTC 
If I understand correctly, the puppet module will try to validate somehow that the DNS/DHCP provider can actually provide DNS/DHCP answers. If that's the case, it more than sufficient.
Comment 9 Daniel Lobato Garcia 2016-12-12 23:10:54 UTC 
It's not exactly that - the changes I was allowed to put in just put the validations for other providers (puppetrun, realms, bmc). 

For DHCP/DNS, I will have to open a new pull request on the foreman installer that performs the checks you wanted. This means the puppet classes will still accept the 'unknown/wrong' providers, but the installer will not.
Comment 10 Peter Tselios 2016-12-13 09:22:07 UTC 
That's the whole point! The installer should not accept crazy things. But since anyone could write a "provider", I don't see any other way to inform the installer that you will use a non-standard provider by let it know. 

Thanks.
Comment 11 Bryan Kearney 2017-03-06 22:38:10 UTC 
Daniel.. next steps since upstream rejected?
Comment 12 Daniel Lobato Garcia 2017-03-07 09:46:27 UTC 
The fix I submitted upstream had to be modified enough that it no longer fixed this bug.. 

I think the next steps would be to check for correct DNS/DHCP providers in the installer directly (instead of the Puppet module) and ask twice if your choice is not one of the ones provided with Satellite.
Comment 14 Satellite Program 2017-10-06 16:27:15 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17595 has been resolved.
Comment 16 Lukáš Hellebrandt 2018-09-04 11:40:02 UTC 
Verified with Sat 6.4 snap 20.

Bad DNS:

# satellite-installer -S satellite    --foreman-proxy-dhcp-provider isc   --foreman-proxy-dhcp-server 10.16.66.80   --foreman-proxy-dns-server 10.16.66.80   --foreman-proxy-dns-provider blabla   --foreman-proxy-dns true   --foreman-proxy-dhcp true   --foreman-proxy-dhcp-interface em1
Resetting puppet server version param...
 Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!'
[...]
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]/features: change from ["Ansible", "Discovery", "Dynflow", "Logs", "Openscap", "Pulp", "Puppet", "Puppet CA", "SSH", "TFTP"] to ["Ansible", "DHCP", "DNS", "Discovery", "Dynflow", "Logs", "Openscap", "Puppet", "Puppet CA", "TFTP"] failed: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Failed to call refresh: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!'
[...]


# grep ERROR /var/log/foreman-proxy/proxy.log
Disabling all modules in the group ['dns']: following providers are not available ['dns_blabla']


Similar for bad DHCP. Similar for bad DNS and DHCP. Installation works for correct DNS and DHCP.
Comment 17 Bryan Kearney 2018-10-16 19:09:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927