Bug 1713103

Summary: Unable to do image based provisioning with Cloud Init and VMware
Product: Red Hat Satellite Reporter: Chris Roberts <chrobert>
Component: Compute Resources - VMWareAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Sanket Jagtap <sjagtap>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.6.0CC: bbuckingham, chrobert, dvoss, egolov, inecas, jyejare, lzap, mhulan, sghai, sjagtap, sshtein
Target Milestone: 6.6.0Keywords: Regression, Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: foreman-proxy-1.22.0.1-1,foreman-1.22.0.5-1 Doc Type: Release Note
Doc Text:
The schema (HTTP/HTTPS) of `unattended_url` setting now affects if the provisioning templates are available through HTTP. Please check if you are not specifying the url with HTTPS schema, but using HTTP to get provisioning/userdata templates, this is unsupported behaviour as of Satellite 6.6.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-22 12:47:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Roberts 2019-05-22 21:20:25 UTC
Description of problem:

Following this guide:

https://access.redhat.com/blogs/1169563/posts/3640721

We are unable to fetch the `<fqdn_foreman>/userdata/meta-data` because of HTTPS, if I turn off SSL on Foreman this works correctly. 

This worked fine on 6.3

Version-Release number of selected component (if applicable):

Katello 3.11
Foreman 1.21
vCenter 6.7

How reproducible:


Steps to Reproduce:

1. Install Katello 3.11
2. Setup Compute resource for VMware
3. Create a RHEL 7 template with cloud-init
4. Follow https://access.redhat.com/blogs/1169563/posts/3640721

Actual results:

Host builds and gets hostname correctly but does not do anything that it was instructed to with cloud-init, also in the Foreman UI it shows that the build is pending and since cloud-init can not pull down the metadata it never phones home to Foreman.

Expected results:

Build to finish correctly and UI to change from pending install to finished without having to turn off SSL.

Additional info:

It looks like here in the plugin we ignore HSTS:

https://github.com/theforeman/foreman_userdata/blob/master/app/controllers/userdata_controller.rb#L71-L73

I tried turning off HSTS both with the installer and in the /etc/foreman/settings.yml and that did not appear to fix the issue.

https://github.com/theforeman/puppet-foreman/blob/master/manifests/params.pp#L103

It looks like we force SSL here:

https://github.com/theforeman/foreman/blob/1.21-stable/app/controllers/application_controller.rb#L7

https://github.com/theforeman/foreman/blob/1.21-stable/app/controllers/application_controller.rb#L78-L80

https://github.com/theforeman/foreman/blob/1.21-stable/app/controllers/api/base_controller.rb#L8

https://github.com/theforeman/foreman/blob/1.21-stable/app/controllers/api/base_controller.rb#L109-L111

We can see from the cloud-init logs on a client we are getting redirected because of https:

https://gist.github.com/chris1984/00eb466f3730ab6b559b92d8897fe6f5

Since we don't have the SSL CA we get a verify fail

I turned off https on Foreman with

https://gist.github.com/chris1984/50528b4b5df1720067ea58624244a004

Now we can see from a new client that we can curl the meta-data and the logs look good

[root@tonya-dunkel ~]# curl http://foreman.toledo.satellite.lab.eng.rdu2.redhat.com/userdata/meta-data
instance-id: i-c1dfd96eea8cc2b627
hostname: tonya-dunkel.toledo.satellite.lab.eng.rdu2.redhat.com
mac: 00:50:56:9e:63:06
local-ipv4: 10.8.106.218

https://gist.github.com/chris1984/635dc97a8104858daaac54fcc1b5ddb7

Foreman Userdata Templates is now part of Foreman 1.23 so this might work with latest upstream since it is part of core

Comment 10 Lukas Zapletal 2019-07-04 11:17:23 UTC
QA: Please follow this older tutorial on settings things up: https://access.redhat.com/blogs/1169563/posts/3640721

Process will be very similar if not the same, except there is no need of installing any plugin - all code is now part of Foreman core. Templates are also available.

Comment 11 Sanket Jagtap 2019-07-17 08:43:07 UTC
Build : Satellite 6.6 snap 11


I was able to provision and install the Vm on VMware with cloud init successfully following the above blogpost

2019-07-17 08:40:00,099 - url_helper.py[DEBUG]: [0/11] open 'http://sat-host/unattended/built?token=5398f5ce-95ab-4ee9-ac04-881dc4d3e24d' with {'url': 'http://sat-host/unattended/built?token=5398f5ce-95ab-4ee9-ac04-881dc4d3e24d', 'headers': {'User-Agent': 'Cloud-Init/18.2'}, 'allow_redirects': True, 'method': 'GET', 'timeout': 5.0} configuration
2019-07-17 08:40:01,201 - url_helper.py[DEBUG]: Read from http://sat-host/unattended/built?token=5398f5ce-95ab-4ee9-ac04-881dc4d3e24d (201, 0b) after 1 attempts
2019-07-17 08:40:01,202 - handlers.py[DEBUG]: finish: modules-final/config-phone-home: SUCCESS: config-phone-home ran successfully
2019-07-17 08:40:01,202 - main.py[DEBUG]: Ran 5 modules with 0 failures

Comment 13 errata-xmlrpc 2019-10-22 12:47:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172