Bug 1286830 - External Authentication configuration fails after setting hostname in appliance console
External Authentication configuration fails after setting hostname in applian...
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.5.0
x86_64 Linux
high Severity high
: GA
: 5.6.0
Assigned To: Nick Carboni
luke couzens
:
Depends On:
Blocks: 1287853
  Show dependency treegraph
 
Reported: 2015-11-30 15:37 EST by abellott
Modified: 2016-06-29 11:13 EDT (History)
7 users (show)

See Also:
Fixed In Version: 5.6.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1287853 (view as bug list)
Environment:
Last Closed: 2016-06-29 11:13:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description abellott 2015-11-30 15:37:33 EST
Description of problem:

After setting an appliance's hostname via the appliance console, configuring
external authentication with an IPA server fails with the following error:

Invalid hostname, 'localhost.localdomain' must not be used.


Version-Release number of selected component (if applicable):
5.5.0.12

How reproducible:
always

Steps to Reproduce:
1. Bring up a 5.5.0.12 appliance
2. Setup DB/Appliance
3. Set hostname  via appliance_console
4. Configure external authentication via appliance_console

Actual results:

Proceed? (Y/N): y
Checking connectivity to aab-ipaserver7.aabtest.redhat.com ... Succeeded.

Configuring IPA (may take a minute) ...
Configuring the IPA Client ...
Invalid hostname, 'localhost.localdomain' must not be used.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Failed to Configure External Authentication - /usr/sbin/ipa-client-install exit
code: 1

External Authentication configuration failed!

Press any key to continue.
Expected results:

Proceed? (Y/N): y
Checking connectivity to aab-ipaserver7.aabtest.redhat.com ... Succeeded.

Configuring IPA (may take a minute) ...
Configuring the IPA Client ...
Configuring pam ...
Configuring sssd ...
Configuring IPA HTTP Service and Keytab ...
Configuring httpd ...
Configuring SELinux ...

Restarting sssd and httpd ...
Configuring sssd to start upon reboots ...

External Authentication configured successfully.

Press any key to continue.


Additional info:

When the hostname is set via the appliance_console, the FQDN gets added
to the /etc/hosts file as follows:

127.0.0.1  localhost localhost.localdomain  FQDN
::1        localhost localhost.localdomain localhost6 localhost6.localdomain6


IPA sees FQDN as an alias and picks "localhost" so uses "localhost.localdomain"
as the FQDN.

One workaround is to update the /etc/hosts file as follows after setting the
hostname via the appliance_console as follows:

127.0.0.1  FQDN localhost localhost.localdomain
::1        localhost localhost.localdomain localhost6 localhost6.localdomain6

and then re-attempt the External Authentication setup.
Comment 3 CFME Bot 2015-12-04 10:45:07 EST
New commit detected on ManageIQ/linux_admin/master:
https://github.com/ManageIQ/linux_admin/commit/e7738efb10f245161acbb33ea770eb6f96164034

commit e7738efb10f245161acbb33ea770eb6f96164034
Author:     Nick Carboni <ncarboni@redhat.com>
AuthorDate: Tue Dec 1 09:23:08 2015 -0500
Commit:     Nick Carboni <ncarboni@redhat.com>
CommitDate: Wed Dec 2 15:39:31 2015 -0500

    Added a method to set the canonical hostname in `/etc/hosts`
    
    Fixes #143
    https://bugzilla.redhat.com/show_bug.cgi?id=1286830

 lib/linux_admin/hosts.rb | 41 ++++++++++++++++++++++++++++-------------
 spec/hosts_spec.rb       | 21 +++++++++++++++++++++
 2 files changed, 49 insertions(+), 13 deletions(-)
Comment 4 Nick Carboni 2015-12-04 13:41:16 EST
The PR on linux_admin added the required functionality to the Hosts class.

The PR here https://github.com/ManageIQ/manageiq/pull/5714 uses that new functionality to fix the bug.
Comment 5 CFME Bot 2015-12-07 10:25:56 EST
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/1e48b727d895a7e94bfbf50f20bd932243ada71d

commit 1e48b727d895a7e94bfbf50f20bd932243ada71d
Author:     Nick Carboni <ncarboni@redhat.com>
AuthorDate: Fri Dec 4 13:33:50 2015 -0500
Commit:     Nick Carboni <ncarboni@redhat.com>
CommitDate: Fri Dec 4 13:33:50 2015 -0500

    Altered the console to set the canonical hostname rather than an alias
    
    The /etc/hosts man page describes a difference between the "canonical_hostname"
    (fqdn) and the aliases for that hostname.
    
    This difference is reflected in the behaviour of some external tools such
    as cloud-init and freeipa.
    These tools will retrieve the hostname (typically via the hostname
    command or from /etc/hostname) then consult /etc/hosts to find the
    fqdn by taking the name in the "canonical_hostname" place in the line
    where the found hostname is an alias.
    
    This can cause problems when the application acts differently based on
    whether the fqdn is "localhost" or not.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1286830

 gems/pending/Gemfile              | 2 +-
 gems/pending/appliance_console.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 6 luke couzens 2016-04-19 06:22:28 EDT
Discussion on this here https://github.com/ManageIQ/manageiq/pull/5854
Comment 7 Nick Carboni 2016-04-25 09:50:25 EDT
Luke,

I don't think this issue is related to that conversation.

This was to fix appliance_console so that it would set the canonical hostname rather than an alias so IPA would see that the hostname was indeed set to something other than localhost.

I think the bug related to that PR is https://bugzilla.redhat.com/show_bug.cgi?id=1291879
Comment 8 luke couzens 2016-04-26 13:54:20 EDT
Verified in 5.6.0.4-beta2.3
Comment 10 errata-xmlrpc 2016-06-29 11:13:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348

Note You need to log in before you can comment on or make changes to this bug.