Bug 1215659 - Configuring katello-installer to use external DNS via GSS-TSIG does not provide a working configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Katello Bug Bin
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1296877
Depends On:
Blocks: 1177570 1281350
Reported: 2015-04-27 11:53 UTC by Rich Jerrido
Modified: 2019-10-10 09:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Configuring katello-installer to use external DNS via GSS-TSIG did not provide a working configuration. The templates were fixed to support this configuration.
Clone Of:
Environment:
Last Closed: 2016-01-21 07:41:47 UTC
Target Upstream Version:


Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2016:0052 | normal | SHIPPED_LIVE | Satellite 6.1.6 bug fix update | 2016-01-21 12:40:53 UTC

Description Rich Jerrido 2015-04-27 11:53:31 UTC
Description of problem:
When attempting to run katello-installer such that I can use GSS-TSIG to connect to an external DNS server, neither --capsule-dns nor --capsule-dns-managed provides a working configuration.


Version-Release number of selected component (if applicable):
katello-installer-2.3.5-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. In my lab, my external DNS server is 172.17.16.3, and I am running:


katello-installer -d -v --capsule-dns true \
--capsule-dns-provider nsupdate_gss \
--capsule-dns-server 172.17.16.3 \
--capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab \
--capsule-dns-tsig-principal dnsdude@EXAMPLE.COM


Actual results:
1. The named package is installed and zones are created, which I don't need (because I am putting my entries in a DNS server not hosted on the Satellite). Also, the ':dns_key: /etc/rndc.key' directive is enabled in /etc/foreman-proxy/settings.d/dns.yml.

2. If I run the above (with --capsule-dns false), I do not get the 'DNS' feature enabled under 'Infrastructure->Capsules'; using '--capsule-dns-managed' does not provide it either.

Expected results:

An installer option (or options) that provide a dns.yml such as:

# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
#:dns_key: /etc/rndc.key
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: 172.17.16.3
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM



Additional info:

Comment 1 RHEL Program Management 2015-04-27 12:03:22 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Rich Jerrido 2015-10-23 23:26:58 UTC
This issue is fixed with the following upstream commit. [https://github.com/theforeman/puppet-foreman_proxy/commit/753b65c2dad35a5887c46094061703d0a76e3c3c] 

With the dns.yml.erb from this commit on a Satellite 6.1.3 system, the above command works as designed.

Can we get this backported to the sat 6.1.x codebase?

Comment 4 Bryan Kearney 2015-11-30 14:08:47 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10436 from this bug

Comment 6 Bryan Kearney 2015-11-30 15:03:00 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/10436 has been closed
-------------
Stefan Meyer
Pull request: https://github.com/theforeman/puppet-foreman_proxy/pull/171

Comment 9 Mike McCune 2016-01-11 06:19:12 UTC
This fails QA as it causes a regression outlined here:

https://bugzilla.redhat.com/show_bug.cgi?id=1296877

I'd vote we just close the above bug and resolve this one since it is the same code and use case.

Comment 10 Mike McCune 2016-01-12 00:19:09 UTC
*** Bug 1296877 has been marked as a duplicate of this bug. ***

Comment 13 Kedar Bidarkar 2016-01-18 14:25:33 UTC
Ran the below command,

~]#katello-installer -v --capsule-dns true --capsule-dns-provider nsupdate_gss --capsule-dns-server x.x.x.x --capsule-dns-tsig-keytab /etc/foreman-proxy/dnsdude.keytab --capsule-dns-tsig-principal dnsdude@EXAMPLE.COM

---
# DNS management
:enabled: https
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key

Capsule features in 'Infrastructure->Capsules' shows "DNS" Feature.

-----------------------------------------------------------------------

With 'katello-installer --capsule-dns false', Capsule features in 'Infrastructure->Capsules' does not show the "DNS" feature. Is this required, as per the initial bug request, "Actual results" 2)?

Please confirm.

# DNS management
:enabled: false
# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)
:dns_provider: nsupdate_gss
# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: x.x.x.x
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
:dns_tsig_principal: dnsdude@EXAMPLE.COM
# dns_key must be disabled if nsupdate_gss is used
#:dns_key: /etc/rndc.key
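
Added example (not part of the bug report and not foreman-proxy code): a Ruby check of a dns.yml against the conditions this bug turns on, namely that with nsupdate_gss the :dns_key: line is commented out and the server, keytab and principal are set. The helper name audit_dns_yml, both sample files and the keytab permission check are assumptions introduced here.

```ruby
require 'yaml'

# Constructed sample modelled on the report: nsupdate_gss is selected but the
# rndc key line is still active.
BROKEN_DNS_YML = <<~YAML
  ---
  :enabled: https
  :dns_provider: nsupdate_gss
  :dns_key: /etc/rndc.key
  :dns_server: 172.17.16.3
  :dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
  :dns_tsig_principal: dnsdude@EXAMPLE.COM
YAML

# Constructed sample modelled on the verified output in comment 13.
FIXED_DNS_YML = <<~YAML
  ---
  :enabled: https
  :dns_provider: nsupdate_gss
  :dns_server: 172.17.16.3
  :dns_ttl: 86400
  :dns_tsig_keytab: /etc/foreman-proxy/dnsdude.keytab
  :dns_tsig_principal: dnsdude@EXAMPLE.COM
  # dns_key must be disabled if nsupdate_gss is used
  #:dns_key: /etc/rndc.key
YAML

# Hypothetical helper (not part of foreman-proxy): returns a list of findings.
def audit_dns_yml(text)
  cfg = YAML.safe_load(text, permitted_classes: [Symbol])
  cfg = {} unless cfg.is_a?(Hash)
  findings = []
  findings << ':enabled: is false, so the Capsule will not list the DNS feature' if cfg[:enabled] == false
  return findings unless cfg[:dns_provider] == 'nsupdate_gss'

  findings << ':dns_key: is active; it must be commented out for nsupdate_gss' if cfg.key?(:dns_key)
  %i[dns_server dns_tsig_keytab dns_tsig_principal].each do |key|
    findings << ":#{key}: is not set" if cfg[key].to_s.strip.empty?
  end
  # Added hardening check (not from the report): the keytab holds the
  # principal's long-term key, so group/other access is flagged.
  keytab = cfg[:dns_tsig_keytab].to_s
  if File.file?(keytab) && (File.stat(keytab).mode & 0o077) != 0
    findings << "keytab #{keytab} is accessible by group/other"
  end
  findings
end

puts audit_dns_yml(BROKEN_DNS_YML) if __FILE__ == $PROGRAM_NAME
```

To check a live system, pass File.read('/etc/foreman-proxy/settings.d/dns.yml') to the helper after each installer run.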

Comment 14 Kedar Bidarkar 2016-01-18 14:48:11 UTC
If DNS feature is set to false, the Capsule feature "DNS" is not shown on the UI.

VERIFIED With Sat6.1.6 compose 5

Comment 15 David O'Brien 2016-01-19 04:48:48 UTC
If this bug requires doc text for errata release, please provide draft
text in the doc text field in the following format:
 Cause:
 Consequence:
 Fix:
 Result:
The documentation team will review, edit, and approve the text.
If this bug does not require doc text, please set the
'requires_doc_text' flag to -.

Comment 18 errata-xmlrpc 2016-01-21 07:41:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0052

