Bug 1992624

Summary: Remote Execution fails to honor remote_execution_connect_by_ip override on host
Product: Red Hat Satellite Reporter: Stefan Meyer <smeyer>
Component: Remote ExecutionAssignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: medium Docs Contact:
Priority: urgent    
Version: 6.8.0CC: ahumbe, aruzicka, lstejska, myarboro, pondrejk, wclark, zhunting
Target Milestone: 6.11.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tfm-rubygem-foreman_remote_execution-4.5.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2027365 2043698 (view as bug list) Environment:
Last Closed: 2022-07-05 14:29:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
HOTFIX RPM for Satellite 6.8.6
none
Optional tfm-rubygem-foreman_remote_execution-cockpit hotfix RPM
none
tfm-rubygem-foreman_ansible hotfix RPM for Satellite 6.8.6
none
HOTFIX tfm-rubygem-foreman_ansible RPM for Satellite 6.9.7
none
HOTFIX tfm-rubygem-foreman_remote_execution RPM for Satellite 6.9.7
none
HOTFIX tfm-rubygem-foreman_remote_execution-cockpit RPM for Satellite 6.9.7 none

Description Stefan Meyer 2021-08-11 12:48:03 UTC 
Description of problem:
When setting the global setting remote_execution_connect_by_ip to TRUE
and the host setting tor FALSE the remote execution still uses the IP
adress

Version-Release number of selected component (if applicable):
- Satellite 6.8.6
- Satellite 6.9.4

How reproducible:
- Tested via Ansible command because it gave back a proper debug log
- Set the default verbosity level to -vvv to get the same output

Steps to Reproduce:
1. Set global remote_execution_connect_by_ip setting to TRUE (yes)
2. Set parameter for host remote_execution_connect_by_ip = true (boolean)
3. Run remote command via Ansible

Actual results:
The remote execution (via Ansible) is using the IP adress:

<192.168.4.199> SSH: EXEC ssh -o ProxyCommand=none -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 192.168.4.199 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''


Expected results:
The remote command should use the dns name of the host like this:

<fluffy.example.com> SSH: EXEC ssh -o ProxyCommand=none -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 fluffy.example.com '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''

Additional info:

Tested settings

Scenario   | Global |  Host  | Status
------------------------------------------------
Scenario 1 | IP     |  DNS   | Still uses the IP
Scenario 2 | DNS    |  None  | Uses DNS
Scenario 3 | DNS    |  IP    | Uses IP
Comment 2 Adam Ruzicka 2021-08-11 14:48:11 UTC 
Created redmine issue https://projects.theforeman.org/issues/33242 from this bug
Comment 3 Bryan Kearney 2021-08-12 00:06:13 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33242 has been resolved.
Comment 5 wclark 2021-08-17 19:42:28 UTC 
Created attachment 1814947 [details]
HOTFIX RPM for Satellite 6.8.6

HOTFIX RPM for Satellite 6.8.6

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.8.6 server

2. Download the hotfix RPM attached to this BZ and copy it to Satellite server

3. # yum install tfm-rubygem-foreman_remote_execution-3.3.7.2-3.HOTFIXRHBZ1992624.el7sat.noarch.rpm --disableplugin=foreman-protector

4. # systemctl restart httpd
Comment 7 wclark 2021-08-18 12:47:30 UTC 
Created attachment 1815192 [details]
Optional tfm-rubygem-foreman_remote_execution-cockpit hotfix RPM

The previous hotfix can fail to install with a dependency conflict when tfm-rubygem-foreman_remote_execution-cockpit is installed

This dependency conflict is due solely to bumped release number in the hotfix RPM, so one workaround is to ignore the dependency conflict and install anyway since there is no corresponding change in the code that is actually required for the cockpit plugin

The other workaround is to also install tfm-rubygem-foreman_remote_execution-cockpit with a bumped release number to satisfy the dependency.

I've attached a 2nd "hotfix" RPM for the cockpit plugin, which is identical to the non-hotfix version in every way except that the release number is bumped.
Comment 9 Adam Ruzicka 2021-08-18 14:01:25 UTC 
The original fix should work for non-ansible REX. Ansible will need this PR[1]. Kudos to smeyer for pointing this out

[1] - https://github.com/theforeman/foreman_ansible/pull/449
Comment 10 Stefan Meyer 2021-08-18 14:09:34 UTC 
After adding Adams fix from #9 it works. So we need that one too.
Comment 11 wclark 2021-08-18 14:50:20 UTC 
Attached Redmine https://projects.theforeman.org/issues/33284 for the related foreman_ansible issue to this BZ for tracking.

When https://github.com/theforeman/foreman_ansible/pull/449 is reviewed and merged, I can build a hotfix RPM for tfm-rubygem-foreman_ansible
Comment 12 Adam Ruzicka 2021-08-19 08:51:57 UTC 
https://github.com/theforeman/foreman_ansible/pull/449 is now reviewed and merged
Comment 15 wclark 2021-08-30 15:14:27 UTC 
Created attachment 1819117 [details]
tfm-rubygem-foreman_ansible hotfix RPM for Satellite 6.8.6

HOTFIX RPM is available for foreman_ansible plugin

The installation steps are the same as before but with this additional RPM
Comment 25 Peter Ondrejka 2021-11-02 08:00:33 UTC 
Verified on Satellite 6.10 sn 23
Comment 28 James Jeffers 2021-11-15 18:24:39 UTC 
@wclark - looking over the previous 6.9.7 triage notes, the query used to determine hotfixes was checking only items that contained a 6.9.z flag. So perhaps that is the root of the issue?
Comment 30 wclark 2021-11-17 22:08:49 UTC 
Created attachment 1842428 [details]
HOTFIX tfm-rubygem-foreman_ansible RPM for Satellite 6.9.7
Comment 31 wclark 2021-11-17 22:09:44 UTC 
Created attachment 1842429 [details]
HOTFIX tfm-rubygem-foreman_remote_execution RPM for Satellite 6.9.7
Comment 32 wclark 2021-11-17 22:10:51 UTC 
Created attachment 1842430 [details]
HOTFIX tfm-rubygem-foreman_remote_execution-cockpit RPM for Satellite 6.9.7
Comment 33 wclark 2021-11-17 22:15:12 UTC 
HOTFIX RPMs are available for Satellite 6.9.7

To obtain the Hotfix RPMs, download the below Bugzilla attachments:
- HOTFIX tfm-rubygem-foreman_ansible RPM for Satellite 6.9.7
- HOTFIX tfm-rubygem-foreman_remote_execution RPM for Satellite 6.9.7
- HOTFIX tfm-rubygem-foreman_remote_execution-cockpit RPM for Satellite 6.9.7

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.9.7 server

2. Copy the downloaded Hotfix RPMs to Satellite server

3. # yum install tfm-rubygem-foreman_remote_execution-4.2.3.1-2.HOTFIXRHBZ1992624.el7sat.noarch.rpm \
     tfm-rubygem-foreman_remote_execution-cockpit-4.2.3.1-2.HOTFIXRHBZ1992624.el7sat.noarch.rpm \
     tfm-rubygem-foreman_ansible-6.1.1-2.HOTFIXRHBZ1992624.el7sat.noarch.rpm \
     --disableplugin=foreman-protector

4. # satellite-maintain service restart
Comment 38 errata-xmlrpc 2022-07-05 14:29:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498