1103935 – foreman-proxy run puppet over ssh doesn't work

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1103935 - foreman-proxy run puppet over ssh doesn't work

Summary: foreman-proxy run puppet over ssh doesn't work

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Foreman Proxy
Sub Component:
Version:	6.0.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Katello Bug Bin
QA Contact:	Tazim Kolhar
Docs Contact:
URL:	http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-02 23:43 UTC by Bryan Kearney
Modified:	2017-02-23 21:16 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-11 12:28:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	5561	0	Normal	Closed	foreman-proxy run puppet over ssh doesn't work	2020-09-09 08:34:24 UTC

Description Bryan Kearney 2014-06-02 23:43:23 UTC

Running foreman(1.4.3) and foreman-proxy (1.5.0-0) on Rhel 6.2, I found that the only way to get puppet run over ssh to work is to remove the space between -l <user> and -i <keyfile> in puppet_ssh.rb. Otherwise, the remote system shows this in the logs (X's added). Note the extra whitespace appearing before foreman-proxy user.
<pre>
May  2 14:06:04 XXXXX sshd[2430]: Invalid user  foreman-proxy from X.X.X.X
May  2 14:06:04 XXXXX sshd[2431]: input_userauth_request: invalid user  foreman-proxy
May  2 14:06:04 XXXXX sshd[2430]: Failed none for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2430]: Failed password for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2430]: Failed password for invalid user  foreman-proxy from X.X.X.X port 34970 ssh2
May  2 14:06:04 XXXXX sshd[2431]: Connection closed by X.X.X.X
</pre>

Related settings look like:
<pre>
:puppet: true
:puppet_provider: puppetssh
:puppetssh_sudo: false
:puppetssh_command: /usr/local/bin/puppet_with_sudo.sh
:puppetssh_user: foreman-proxy
:puppetssh_keyfile: /etc/foreman-proxy/ssh/id_rsa
</pre>

If I change the code to the following, and restart, it runs just fine.
<pre><code class="ruby">
--- foreman-proxy/lib/proxy/puppet/puppet_ssh.rb.orig	2014-05-02 14:06:33.010472500 -0500
+++ foreman-proxy/lib/proxy/puppet/puppet_ssh.rb	2014-05-02 14:06:21.626366466 -0500
@@ -6,10 +6,10 @@
       cmd = []
       cmd.push(which('sudo')) if SETTINGS.puppetssh_sudo
       cmd.push(which('ssh'))
-      cmd.push("-l #{SETTINGS.puppetssh_user}") if SETTINGS.puppetssh_user
+      cmd.push("-l#{SETTINGS.puppetssh_user}") if SETTINGS.puppetssh_user
       if (file = SETTINGS.puppetssh_keyfile)
         if File.exists?(file)
-          cmd.push("-i #{file}")
+          cmd.push("-i#{file}")
         else
           logger.warn("Unable to access SSH private key:#{file}, ignoring...")
         end
</code></pre>

Comment 1 Bryan Kearney 2014-06-02 23:43:27 UTC

Created from redmine issue http://projects.theforeman.org/issues/5561

Comment 3 Bryan Kearney 2014-06-05 19:49:41 UTC

Moving to POST since upstream bug http://projects.theforeman.org/issues/5561 has been closed

Comment 6 Tazim Kolhar 2014-07-01 07:49:12 UTC

please provide verification steps

Comment 7 Corey Welton 2014-07-11 23:22:16 UTC

6.0.4 for testing

Comment 8 Tazim Kolhar 2014-08-27 12:33:22 UTC

please provide verification steps

Comment 9 Greg Sutcliffe 2014-09-01 10:04:13 UTC

DEVELOPER VERIFIED: This bug passed my testing, and was tested on the following systems:

satellite: https://satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com/hosts/satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com
capsule: https://satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com/hosts/satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com:9090

but please note the following caveats or workarounds to get it tested:

Puppetssh obviously has to be configured, along with an ssh key for access. I used a custom puppetrun command which simply does "date >> /tmp/gsutclif.out" as a proof that a command was run. On clicking the Puppetrun button we see:


==> /var/log/foreman-proxy/proxy.log <==
D, [2014-09-01T06:10:17.460241 #74730] DEBUG -- : about to execute: /usr/bin/ssh -l root -i /etc/foreman-proxy/id_rsa satellite1.internal-el6.satellite.lab.eng.rdu2.redhat.com /usr/local/bin/gsutcliftest.sh
10.8.105.1 - - [01/Sep/2014 06:10:17] "POST /puppet/run HTTP/1.1" 200 - 0.0109

==> /var/log/secure <==
Sep  1 06:10:17 satellite1 sshd[75618]: Accepted publickey for root from 10.8.105.1 port 38437 ssh2
Sep  1 06:10:17 satellite1 sshd[75618]: pam_unix(sshd:session): session opened for user root by (uid=0)

tail: /tmp/gsutclif.out: file truncated
Mon Sep  1 06:10:17 EDT 2014

==> /var/log/secure <==
Sep  1 06:10:17 satellite1 sshd[75618]: Received disconnect from 10.8.105.1: 11: disconnected by user
Sep  1 06:10:17 satellite1 sshd[75618]: pam_unix(sshd:session): session closed for user root

So we can see the command was received by the proxy, ssh was invoked with the correct key, the file was populated with a datestamp, and then ssh disconnected. All good.

Comment 10 Tazim Kolhar 2014-09-01 10:28:51 UTC

VERIFIED:


==> /var/log/foreman-proxy/proxy.log <==
# tail -f /var/log/foreman-proxy/proxy.log/usr/lib/ruby/gems/1.8/gems/rack-1.4.1/lib/rack/handler/webrick.rb:13:in `run'
/usr/lib/ruby/gems/1.8/gems/rack-1.4.1/lib/rack/server.rb:265:in `start'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `launch'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `initialize'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `new'
/usr/share/foreman-proxy/lib/smart_proxy.rb:131:in `launch'
/usr/share/foreman-proxy/bin/smart-proxy:6
127.0.0.1 - - [01/Sep/2014 06:32:49] "POST /dns HTTP/1.1" 400 32 0.1470
D, [2014-09-01T06:33:33.008936 #78067] DEBUG -- : about to execute: /usr/bin/ssh -l root -i /etc/foreman-proxy/id_rsa mmccune-el72.internal-el6.satellite.lab.eng.rdu2.redhat.com /usr/local/bin/gsutcliftest.sh
10.8.105.1 - - [01/Sep/2014 06:33:33] "POST /puppet/run HTTP/1.1" 200 - 0.0164

==> /var/log/secure <==
# tail -f /var/log/secure
Sep  1 06:29:39 satellite1 sshd[77744]: Accepted password for root from 10.10.48.66 port 50290 ssh2
Sep  1 06:29:40 satellite1 sshd[77744]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep  1 06:30:01 satellite1 crond[77785]: pam_sss(crond:session): Request to sssd failed. Connection refused
Sep  1 06:30:42 satellite1 CROND[77785]: pam_sss(crond:session): Request to sssd failed. Connection refused
Sep  1 06:31:14 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:31:15 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy
Sep  1 06:32:45 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:32:47 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy
Sep  1 06:34:30 satellite1 runuser: pam_unix(runuser:session): session opened for user foreman-proxy by root(uid=0)
Sep  1 06:34:31 satellite1 runuser: pam_unix(runuser:session): session closed for user foreman-proxy

Comment 11 Bryan Kearney 2014-09-11 12:28:02 UTC

This was delivered with Satellite 6.0 which was released on 10 September 2014.

Note You need to log in before you can comment on or make changes to this bug.