Bug 1215659 - Configuring katello-installer to use external DNS via GSS-TSIG does not provide a working configuration
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
6.1.0
Unspecified Unspecified
medium Severity medium
: 6.1.6
: Unused
Assigned To: Katello Bug Bin
Kedar Bidarkar
http://projects.theforeman.org/issues...
: Triaged
: 1296877
Depends On:
Blocks: 1177570 1281350
Reported: 2015-04-27 07:53 EDT by Rich Jerrido
Modified: 2017-02-23 15:07 EST
Doc Type: Bug Fix
Doc Text:
Configuring katello-installer to use external DNS via GSS-TSIG did not provide a working configuration. The templates were fixed to support this configuration.
Last Closed: 2016-01-21 02:41:47 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0052 normal SHIPPED_LIVE Satellite 6.1.6 bug fix update 2016-01-21 07:40:53 EST

Description Rich Jerrido 2015-04-27 07:53:31 EDT
Description of problem:
When attempting to run katello-installer such that I can use GSS-TSIG to connect to an external DNS server, neither --capsule-dns nor --capsule-dns-managed provides a working configuration.


Version-Release number of selected component (if applicable):
katello-installer-2.3.5-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. In my lab, my external DNS server is 172.17.16.3,  and I am running:


katello-installer -d -v --capsule-dns true \
--capsule-dns-provider nsupdate_gss \
--capsule-dns-server 172.17.16.3 \
--capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab \
--capsule-dns-tsig-principal dnsdude@EXAMPLE.COM


Actual results:
1. The named package is installed and zones are created, which I don't need (because I am putting my entries in a DNS server not hosted on the Satellite). Also, the ':dns_key: /etc/rndc.key' directive is enabled in /etc/foreman-proxy/settings.d/dns.yml.

2. If I run the above (with --capsule-dns false), I do not get the 'DNS' feature enabled under 'Infrastructure->Capsules'; using '--capsule-dns-managed' does not provide it either.

Expected results:

An installer option (or options) that provide a dns.yml such as:

# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
#:dns_key: /etc/rndc.key
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: 172.17.16.3
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM



Additional info:
Comment 1 RHEL Product and Program Management 2015-04-27 08:03:22 EDT
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Rich Jerrido 2015-10-23 19:26:58 EDT
This issue is fixed with the following upstream commit. [https://github.com/theforeman/puppet-foreman_proxy/commit/753b65c2dad35a5887c46094061703d0a76e3c3c] 

With the dns.yml.erb from this commit on a satellite 6.1.3 system, the above command works as designed. 

Can we get this backported to the sat 6.1.x codebase?
Comment 4 Bryan Kearney 2015-11-30 09:08:47 EST
Connecting redmine issue http://projects.theforeman.org/issues/10436 from this bug
Comment 6 Bryan Kearney 2015-11-30 10:03:00 EST
Moving to POST since upstream bug http://projects.theforeman.org/issues/10436 has been closed
-------------
Stefan Meyer
Pull request: https://github.com/theforeman/puppet-foreman_proxy/pull/171
Comment 9 Mike McCune 2016-01-11 01:19:12 EST
This fails QA as it causes a regression outlined here:

https://bugzilla.redhat.com/show_bug.cgi?id=1296877

I'd vote we just close the above bug and resolve this one since it is the same code and use case.
Comment 10 Mike McCune 2016-01-11 19:19:09 EST
*** Bug 1296877 has been marked as a duplicate of this bug. ***
Comment 13 Kedar Bidarkar 2016-01-18 09:25:33 EST
Ran the below command,

~]#katello-installer -v --capsule-dns true --capsule-dns-provider nsupdate_gss --capsule-dns-server x.x.x.x --capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab --capsule-dns-tsig-principal dnsdude@EXAMPLE.COM

---
# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key

Capsule features in 'Infrastructure->Capsules' shows "DNS" Feature.

-----------------------------------------------------------------------

With 'katello-installer --capsule-dns false', Capsule features in 'Infrastructure->Capsules' does not show the "DNS" feature. Is this required? As per the initial bug request, "Actual results" 2).

Please confirm.

# DNS management
:enabled: false
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key
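
Added example, not part of the bug report and not code from the installer or Foreman proxy: a Ruby check that a generated dns.yml is consistent for GSS-TSIG, flagging the active ':dns_key:' line from the original report and missing keytab/principal settings. The helper name gss_tsig_problems and both sample files are constructed for illustration; the keys and values are the ones shown in this bug.

```ruby
require 'yaml'

# Constructed sample: nsupdate_gss selected but :dns_key: still active,
# as described under "Actual results" in the report.
BROKEN = <<~YML
  ---
  :enabled: https
  :dns_provider: nsupdate_gss
  :dns_key: /etc/rndc.key
  :dns_server: 172.17.16.3
  :dns_ttl: 86400
YML

# Constructed sample: the shape of the file shown in Comment 13 after the fix.
FIXED = <<~YML
  ---
  :enabled: https
  :dns_provider: nsupdate_gss
  :dns_server: 172.17.16.3
  :dns_ttl: 86400
  :dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
  :dns_tsig_principal: dnsdude@EXAMPLE.COM
  #:dns_key: /etc/rndc.key
YML

# Hypothetical helper: returns a list of problems found in dns.yml text.
# Only inspects files that select the nsupdate_gss provider.
def gss_tsig_problems(text)
  # dns.yml uses Ruby symbol keys (":enabled:"), so Symbol must be permitted.
  cfg = YAML.safe_load(text, permitted_classes: [Symbol])
  cfg = {} unless cfg.is_a?(Hash)
  return [] unless cfg[:dns_provider] == 'nsupdate_gss'

  problems = []
  problems << 'DNS feature is disabled (:enabled: false)' if cfg[:enabled] == false
  problems << ':dns_key must be commented out with nsupdate_gss' if cfg.key?(:dns_key)
  %i[dns_tsig_keytab dns_tsig_principal dns_server].each do |key|
    problems << ":#{key} is not set" if cfg[key].to_s.strip.empty?
  end
  principal = cfg[:dns_tsig_principal].to_s
  unless principal.empty? || principal.match?(/\A[^@\s]+@[^@\s]+\z/)
    problems << ':dns_tsig_principal is not of the form name@REALM'
  end
  problems
end

puts gss_tsig_problems(BROKEN)
```
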
Comment 14 Kedar Bidarkar 2016-01-18 09:48:11 EST
If DNS feature is set to false, the Capsule feature "DNS" is not shown on the UI.

VERIFIED With Sat6.1.6 compose 5
Comment 15 David O'Brien 2016-01-18 23:48:48 EST
If this bug requires doc text for errata release, please provide draft
text in the doc text field in the following format:
 Cause:
 Consequence:
 Fix:
 Result:
The documentation team will review, edit, and approve the text.
If this bug does not require doc text, please set the
'requires_doc_text' flag to -.
Comment 18 errata-xmlrpc 2016-01-21 02:41:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0052
