Bug 2106475
Summary: | [RFE] Enhance puppet agent deployment for external puppetserver | ||
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Gary Scarborough <gscarbor> |
Component: | Puppet | Assignee: | Ewoud Kohl van Wijngaarden <ekohlvan> |
Status: | CLOSED ERRATA | QA Contact: | Gaurav Talreja <gtalreja> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.11.0 | CC: | ahumbe, ekohlvan, gtalreja, mhulan, pcreech, riehecky, rlavi, shwsingh |
Target Milestone: | 6.13.0 | Keywords: | FutureFeature |
Target Release: | Unused | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | foreman-3.5.1.10-1 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2023-05-03 13:21:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Gary Scarborough
2022-07-12 18:37:22 UTC
With https://github.com/theforeman/foreman/pull/9296 merged upstream, can this patch be a candidate for 6.11.z?

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35187 has been resolved.

I took a look at the original PR and even though I merged it, I now see that Leos actually wrote the correct fix later: https://github.com/theforeman/foreman/commit/eebd309f89c71567c2b7e6d4e4fc8f4b00d0edc6

I'm proposing to revert https://github.com/theforeman/foreman/pull/9296 in https://github.com/theforeman/foreman/pull/9630. If we do a cherry pick, it should be Leos' fix.

As the author of the PR getting reverted, this all sounds good to me. Extra love if this can get cherry-picked into Sat 6.12+

Thanks for posting that PR here. I think we can move it back to ASSIGNED until we get it into the snap, as we discussed, and please update the BZ later when the PR is merged.

Moving back to ON_QA per the comment above that mentions "Reverting isn't strictly needed, since at worst it's redundant."

Gaurav, is it really failedQA?

Adding steps to verify the non-integrated scenario. I'll use generic hostnames to indicate their roles and easily identify them, but the actual hostnames don't matter, as long as you're consistent.

There's a host satellite.example.com. It's installed as a regular Satellite, without Puppet integration. This "just" follows the regular manual, so I'm not including those steps here.

Then on puppet.example.com there's a standalone Puppetserver instance. It's installed as follows (assuming EL8):

    dnf install https://yum.puppet.com/puppet-release-el-8.noarch.rpm
    dnf install puppetserver
    . /etc/profile.d/puppet-agent.sh  # just needed now, normally part of the shell startup but it was created in the previous command
    puppetserver ca setup
    systemctl enable --now puppetserver

Depending on your setup you also need to open TCP port 8140 in your firewall.

In addition to that, you can simplify provisioning by creating /etc/puppetlabs/puppet/autosign.conf and adding hostnames to it. https://www.puppet.com/docs/puppet/7/config_file_autosign.html has the full documentation. It also accepts asterisks, so * or *.example.com is accepted. This is not recommended for production setups since it's insecure, but it makes testing a lot easier.

To really test it end to end, a trivial environment can be created:

    puppet module install theforeman/motd
    mkdir -p /etc/puppetlabs/code/environments/production/manifests
    echo "include motd" > /etc/puppetlabs/code/environments/production/manifests/site.pp

With all of that set up you should be able to provision a new host (let's name it client.example.com) with a parameter (either on the host, hostgroup, or globally):

    puppet_server (string): puppet.example.com

The host also needs access to the puppet-agent package. This can be done either through content views or by setting a host parameter. This BZ is not about those host parameters, so I'd suggest using content views now since that's the generally recommended solution for Satellite users.

Make sure the certificate is signed. Either via autosign as above, or manually:

    puppetserver ca sign --certname client.example.com

(note you can only sign after the host has requested a certificate)

The expected result is:

* On client.example.com `puppet config print server` prints puppet.example.com (which should be set via /etc/puppetlabs/puppet/puppet.conf)
* On client.example.com you can run Puppet (either manually using puppet agent -t or systemctl enable --now puppet) and it'll successfully retrieve its configuration and apply it. Afterwards /etc/motd is customized.
* On puppet.example.com you see the certificate is signed, as verified by: puppetserver ca list --certname client.example.com

Verified.

Tested on Satellite 6.13.0 Snap 13.0 with foreman-3.5.1.10-1.el8sat.noarch

Steps: Same as mentioned in comment 19

Observation:
1. Puppet config on the provisioned host points to the external puppetserver for server and ca_server under the agent section
2. /etc/motd contains the content of the template from the installed theforeman/motd module, which can be seen when logging in via SSH

Thanks for helping me resolve the setup, I really appreciate it. @ekohlvan ++

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097
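The verification steps above are run against live hosts (dnf, puppetserver ca, a provisioned client). The script below is an added example, not part of the bug report or of Foreman/Satellite: it performs the two checks a reviewer would want to automate offline, namely that the provisioned client's puppet.conf points both server and ca_server (which defaults to server when unset) at the external puppetserver, and that autosign.conf does not carry the wildcard policy the thread warns is insecure. The puppet.conf and autosign.conf contents are constructed here with the thread's placeholder hostnames; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): offline checks for the expected
# results of the external-puppetserver verification steps. The sample
# puppet.conf and autosign.conf files below are constructed to make the
# script self-contained; hostnames are the placeholders used in the report.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: what the provisioned client's puppet.conf should look
# like after the fix (server and ca_server set under [agent]).
cat > "$WORK/puppet.conf" <<'EOF'
[main]
vardir = /opt/puppetlabs/puppet/cache
logdir = /var/log/puppetlabs/puppet

[agent]
server = puppet.example.com
ca_server = puppet.example.com
report = true
EOF

# Constructed samples: the two autosign.conf policies discussed in the thread.
printf 'client.example.com\n' > "$WORK/autosign-explicit.conf"
printf '# test only\n*.example.com\n' > "$WORK/autosign-wildcard.conf"

# puppet_conf_get SECTION KEY FILE: print the value of KEY inside [SECTION]
# of an INI-style puppet.conf; prints nothing when the key is absent there.
puppet_conf_get() {
    awk -v want_section="$1" -v want_key="$2" '
        /^[[:space:]]*\[/ {                    # section header, e.g. [agent]
            sub(/^[[:space:]]*\[/, ""); sub(/].*$/, "")
            section = $0
            next
        }
        section == want_section && /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == want_key) {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                print
                exit
            }
        }
    ' "$3"
}

# check_agent CONF EXPECTED: succeed only if [agent] server and ca_server both
# resolve to EXPECTED. An unset ca_server falls back to server, which is
# Puppet's own default, so only an explicitly different value is a mismatch.
check_agent() {
    rc=0
    server=$(puppet_conf_get agent server "$1")
    ca_server=$(puppet_conf_get agent ca_server "$1")
    ca_server=${ca_server:-$server}
    [ "$server" = "$2" ] || { echo "agent.server is '${server:-unset}', expected '$2'" >&2; rc=1; }
    [ "$ca_server" = "$2" ] || { echo "agent.ca_server is '$ca_server', expected '$2'" >&2; rc=1; }
    return $rc
}

# autosign_policy FILE: classify an autosign.conf. "wildcard" means some entry
# is "*" or "*.domain", so any host that can reach port 8140 gets a signed
# certificate for a name in that domain (test-only, as the thread notes);
# "explicit" means only full hostnames are listed; "none" means the file is
# missing or has no entries, so CSRs wait for `puppetserver ca sign`.
autosign_policy() {
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true)
    if [ -z "$entries" ]; then
        echo none
    elif printf '%s\n' "$entries" | grep -q '^[[:space:]]*\*'; then
        echo wildcard
    else
        echo explicit
    fi
}

echo "agent config: $(check_agent "$WORK/puppet.conf" puppet.example.com && echo ok || echo MISMATCH)"
for f in explicit wildcard; do
    echo "autosign-$f.conf: $(autosign_policy "$WORK/autosign-$f.conf")"
done
```

On a real client, point check_agent at /etc/puppetlabs/puppet/puppet.conf (the file `puppet config print server` reads) and autosign_policy at /etc/puppetlabs/puppet/autosign.conf on the puppetserver; a "wildcard" result there should be treated as a finding outside a lab, and the certificate itself is still confirmed with puppetserver ca list --certname as in the steps above.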