Bug 1404582

Summary: Finish template without tokens does not work through Capsule
Product: Red Hat Satellite
Reporter: Lukas Zapletal <lzap>
Component: Provisioning Templates
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium
Priority: high
Version: 6.2.5
CC: bbuckingham, dlobatog, jcallaha, lhellebr, lzap
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/17636
Last Closed: 2018-02-21 16:54:37 UTC
Type: Bug

Description Lukas Zapletal 2016-12-14 07:43:05 UTC
Hello,

this is the second part of this patch that was released in 6.2.1:

https://bugzilla.redhat.com/show_bug.cgi?id=1292421

I fixed the rendered, but forgot to fix the preview code. Please ack this into the next z-stream, TWO LINES PATCH, LOW RISK.

Comment 3 Lukas Zapletal 2017-08-09 09:03:25 UTC
QA NOTES:

Turn token duration to zero, provision a system, make sure Anaconda downloaded kickstart via Capsule (port 8000).

Comment 4 Lukáš Hellebrandt 2018-01-12 15:05:22 UTC
Why does this BZ exist? What is the bug, what is supposed to be fixed? And why is it named the same as bug 1405502, is also for 6.3, but is a distinct BZ?

Comment 5 Lukas Zapletal 2018-01-15 08:23:49 UTC
Lukáš, this patch fixes provisioning via Capsule when token duration Setting is set to 0 (turned off). In this mode, Foreman looks up hosts via REMOTE IP instead of unique token (UUID). To verify, turn off tokens and do provisioning - make sure all communication is done via Capsule (including templating - kickstart).

Case 1: PXE installation of RHEL

Case 2: Image-based installation via finish script (cloud or virt)

Comment 6 Lukáš Hellebrandt 2018-01-17 16:17:44 UTC
FailedQA with Sat6.3 snap 32.

When running "curl http://<CAPSULE_FQDN>:8000/unattended/finish", 500 ISE is returned. That is probably due to Satellite thinking it should serve finish script for the Capsule based on its IP (and thus returning 405) while it should actually return a finish script for the client.

Tested on a Beaker machine (so, not behind a NAT - if I am incorrect, this whole FailsQA is erroneous). Note the "Found" part of the log.


# curl http://<CAPSULE_FQDN>:8000/unattended/finish -v
* About to connect() to <CAPSULE_FQDN> port 8000 (#0)
*   Trying <IP6_ADDR>...
* No route to host
*   Trying <IP_ADDR>...
* Connected to <CAPSULE_FQDN> (<IP_ADDR>) port 8000 (#0)
> GET /unattended/finish HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <CAPSULE_FQDN>:8000
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error 
< Content-Type: application/json
< Content-Length: 256
< X-Content-Type-Options: nosniff
< Server: 
< Date: Wed, 17 Jan 2018 15:59:55 GMT
< Connection: Keep-Alive
< 
* Connection #0 to host <CAPSULE_FQDN> left intact
Failed to retrieve finish template for {"splat"=>[], "captures"=>["finish"], "kind"=>"finish"}: Error retrieving finish for {:url=>"http://<CAPSULE_FQDN>:8000"} from <SATELLITE_FQDN>: Net::HTTPMethodNotAllowed





production.log:
2018-01-17 10:59:55 7845510a [app] [I] Started GET "/unattended/finish?url=http%3A%2F%2F<CAPSULE_FQDN>%3A8000" for <CAPSULE_FQDN> at 2018-01-17 10:59:55 -0500
2018-01-17 10:59:55 7845510a [app] [I] Processing by UnattendedController#host_template as TEXT
2018-01-17 10:59:55 7845510a [app] [I]   Parameters: {"url"=>"http://<CAPSULE_FQDN>:8000", "kind"=>"finish", "unattended"=>{}}
2018-01-17 10:59:55 7845510a [app] [I] Current user: foreman_api_admin (administrator)
2018-01-17 10:59:55 7845510a [app] [D] Setting current user thread-local variable to foreman_api_admin
2018-01-17 10:59:55 7845510a [app] [D] Found <CAPSULE_FQDN>
2018-01-17 10:59:55 7845510a [app] [I] Filter chain halted as :allowed_to_install? rendered or redirected
2018-01-17 10:59:55 7845510a [app] [I] Completed 405 Method Not Allowed in 15ms (ActiveRecord: 2.6ms)



On Capsule:
# service dnsmasq status
Redirecting to /bin/systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# iptables -S | grep -i nat
# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2018-01-17 11:11:41 EST; 2min 41s ago

Comment 8 Lukas Zapletal 2018-01-19 07:49:59 UTC
It works, we just forgot one last step. In Administer - Setting, you must set remote_addr (Remote address) to match the IP address of the proxy server (in this case Capsule):

(127.0.0.1|10.16.66.70)

Then it works, I just verified.
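
Added example, not part of the bug report and not Foreman or Satellite code: a Ruby model of the lookup behind Comment 6's "Found <CAPSULE_FQDN>" result and the remote_addr fix in Comment 8, plus a check of which peers a pattern trusts. It assumes the server uses the Capsule-forwarded client address only when the direct peer matches remote_addr, applied as an unanchored regular expression; the function names, the inventory, the "127.0.0.1" before-value and the addresses 192.0.2.25 and 110.16.66.70 are constructed.

```ruby
# Added illustration; all names here are hypothetical, not Foreman's own.
HOSTS = {                        # constructed inventory: IP => host name
  "10.16.66.70" => "capsule.example.com",
  "192.0.2.25"  => "client.example.com",
}.freeze

LOCAL_ONLY     = "127.0.0.1"                          # constructed "before" value
PAGE_PATTERN   = "(127.0.0.1|10.16.66.70)"            # value given in Comment 8
STRICT_PATTERN = '\A(127\.0\.0\.1|10\.16\.66\.70)\z'  # escaped and anchored form

# Address used for the host lookup: the forwarded one only when the direct
# peer matches the trusted-proxy pattern, otherwise the peer itself.
def lookup_ip(peer_ip, forwarded_ip, trusted_pattern)
  trusted = Regexp.new(trusted_pattern).match?(peer_ip)
  (trusted && forwarded_ip && !forwarded_ip.empty?) ? forwarded_ip : peer_ip
end

# Host record the request resolves to (nil when the address is unknown).
def resolve_host(peer_ip, forwarded_ip, trusted_pattern)
  HOSTS[lookup_ip(peer_ip, forwarded_ip, trusted_pattern)]
end

# Audit helper: which candidate peer addresses would a pattern trust?
def trusted_peers(pattern, candidates)
  re = Regexp.new(pattern)
  candidates.select { |ip| re.match?(ip) }
end

CANDIDATES = %w[127.0.0.1 10.16.66.70 110.16.66.70 192.0.2.25].freeze

if __FILE__ == $0
  # Capsule not listed: the lookup resolves the Capsule itself (Comment 6).
  puts resolve_host("10.16.66.70", "192.0.2.25", LOCAL_ONLY)
  # Capsule listed: the lookup resolves the provisioned client (Comment 8).
  puts resolve_host("10.16.66.70", "192.0.2.25", PAGE_PATTERN)
  # Peers each pattern accepts; the unanchored form also accepts 110.16.66.70.
  puts trusted_peers(PAGE_PATTERN, CANDIDATES).inspect
  puts trusted_peers(STRICT_PATTERN, CANDIDATES).inspect
end
```

Under the stated assumption, escaping the dots and anchoring the pattern limits the trusted set to exactly the listed proxy addresses.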

Comment 9 Lukas Zapletal 2018-01-19 08:36:49 UTC
See https://github.com/theforeman/theforeman.org/pull/1006

Comment 10 Satellite Program 2018-02-21 16:54:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336