Bug 1307107 - [RFE] unattended_url needs to be a per-subnet setting
Summary: [RFE] unattended_url needs to be a per-subnet setting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning Templates
Version: 6.1.5
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact:
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1541321
Reported: 2016-02-12 17:38 UTC by Prakash Ghadge
Modified: 2022-04-07 14:59 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-05 15:18:51 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 1970 | 0 | Normal | New | Override the foreman_url hostname | 2020-11-18 19:22:36 UTC
Red Hat Issue Tracker | SAT-4958 | 0 | None | None | None | 2021-09-09 11:53:18 UTC
Red Hat Knowledge Base (Solution) | 3142591 | 0 | None | None | None | 2017-08-07 19:59:56 UTC

Comment 5 Bryan Kearney 2016-02-18 16:51:38 UTC
Connecting redmine issue http://projects.theforeman.org/issues/1970 from this bug

Comment 12 Lukas Zapletal 2018-06-18 06:41:58 UTC
Opening this BZ to public. A customer requests:

Current use-case is a system (Satellite 6) with central Satellite server and several Capsules. At least one Capsule is located behind a firewall for the DMZ clients. These clients have no sight of the Satellite or any other Capsules. The current unattended_url is a global setting, so we need to change it every time we prepare a deployment in a different network area.

To compound this, part of our DMZ has no DNS available, so we currently need to set the unattended_url with IP address rather than FQDN. This particular problem may be better solved by other means, but changing the unattended_url is our current method. But the IP address that we need to use is behind a firewall from most of our clients.

Comment 13 Lukas Zapletal 2018-06-18 07:15:34 UTC
There are two parts of the problem.

1) unattended_url for all templates

Satellite 6.3 introduced new per-subnet setting called "Templates Capsule". This can be turned on when there is a Capsule associated with Satellite server with installed smart-proxy plugin called Templates.

To enable templates plugin on a capsule run installer with:

foreman-installer ... --foreman-proxy-templates true

Then register new Capsule or refresh features on existing Capsule in Satellite Server. New feature must appear called Templates.

Then visit Subnet and go to Capsule tab where Templates Capsule can be associated with each Subnet.

When a host is created with provisioning interface in a Subnet which has a Template Capsule set, unattended_url is overridden by capsule hostname. Therefore all provisioning templates are downloaded via Capsule where http(s) proxy is installed. This allows provisioning in subnets where there is no direct connection to Satellite Server. This feature is also available in older Satellite versions, but setup instructions were a little bit different (TFTP Feature was used for the same purpose).

Now, environments which do have working DNS with entries for satellite server and capsules can use this feature to avoid direct connection between clients and satellite out of box. For environments without DNS, there is an extra step - Capsules are registered via their FQDN by default. Both Satellite Server and clients are using HTTPS to communicate with them and TLS/SSL certificate is generated for FQDN only.

Capsule can be registered into satellite under its IP address, therefore the IP address can be used as unattended_url by satellite, but the SSL certificate must be regenerated with IP address as CN (or alias) in order to allow communication. We have a tool and documentation about how to do this.

If Templates Capsule can't be used, there is an alternative way to do this using advanced ERB templating. The function which uses unattended_url is called "foreman_url" and it is used in many of our default templates. For example "PXELinux Kickstart Default" is a template used when host enters build mode and it must load Anaconda installer.

It is possible to replace this line:

APPEND initrd=<%= @initrd %> ks=<%= foreman_url('provision') %> <%= pxe_kernel_options %> <%= ksoptions %>

with this:

APPEND initrd=<%= @initrd %> ks=http://<%= host_param('capsule_url') %>/unattended/provision <%= pxe_kernel_options %> <%= ksoptions %>

Then set host/hostgroup/subnet parameter called "capsule_url" to arbitrary URL, IP address can be used as well. In order to have this working, Token duration MUST be disabled (in Administer - Setting - Provisioning set Token duration to zero). This turns off provisioning tokens, so incoming requests are identified by Anaconda HTTP header (MAC address) instead of UUIDs.

2) unattended_url for default template

There is set of PXELinux/PXEGrub/Grub2 Global Default templates which are used as default menu for all "unknown" hosts. By default, they are configured to boot from local hdd or boot into discovery.

The discovery menu entry uses function called foreman_server_url which uses the unattended_url setting. Several workarounds are possible - the easiest is to delete the foreman.url option completely and create DNS SRV record called "x-foreman" which discovered nodes use to connect to Capsule/Server. Keep proxy.type=proxy option however.

Alternatively, every time Build PXE Defaults button is pressed, URL can be replaced on all capsules manually or via ansible/puppet/ssh/rex - the filename to look for is /var/lib/tftproot/pxelinux.cfg/default (similar path for grub as well).
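
The two workarounds for the default menu described in comment 13 (replace the URL on each capsule, or delete the option and rely on the DNS SRV record), as an added example that is not code from this bug report or from Foreman/Satellite. The sample menu, the addresses and the `rewrite_pxe_default` helper are constructed for illustration; matching `proxy.url` in addition to `foreman.url` is an assumption.

```python
import re
from urllib.parse import urlsplit

# "foreman.url" is the option named in the comment above; also matching
# "proxy.url" is an assumption for menus that use the proxy.* naming.
URL_OPT = re.compile(r"(?<!\S)(foreman|proxy)\.url=\S+")
URL_OPT_WITH_GAP = re.compile(r"[ \t]+(?:foreman|proxy)\.url=\S+")

# Constructed sample of /var/lib/tftproot/pxelinux.cfg/default (not real output).
SAMPLE_DEFAULT = """\
DEFAULT menu
LABEL local
  MENU LABEL Boot from local drive
  LOCALBOOT 0
LABEL discovery
  MENU LABEL Foreman Discovery Image
  KERNEL boot/fdi-image/vmlinuz0
  APPEND initrd=boot/fdi-image/initrd0.img rootflags=loop root=live:/fdi.iso rootfstype=auto ro rd.live.image foreman.url=https://satellite.example.com proxy.type=proxy
  IPAPPEND 2
"""


def rewrite_pxe_default(text, capsule_url=None):
    """Return (new_text, changed_line_count) for a PXELinux default menu.

    capsule_url=None deletes the URL option (the DNS SRV workaround);
    otherwise its value is replaced. Only APPEND lines that carry
    proxy.type= (the discovery entry) are touched.
    """
    if capsule_url is not None:
        # Whitespace would smuggle extra kernel options onto the APPEND line.
        if re.search(r"\s", capsule_url):
            raise ValueError("URL must not contain whitespace")
        parts = urlsplit(capsule_url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) URL: {capsule_url!r}")
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if line.lstrip().upper().startswith("APPEND") and "proxy.type=" in line:
            if capsule_url is None:
                new = URL_OPT_WITH_GAP.sub("", line)
            else:
                new = URL_OPT.sub(lambda m: f"{m.group(1)}.url={capsule_url}", line)
            changed += new != line
            line = new
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print(rewrite_pxe_default(SAMPLE_DEFAULT, "https://192.0.2.10:9090")[0])
```

The function is idempotent, so it can be re-run on every capsule after each press of Build PXE Defaults without producing further changes.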

Comment 15 Bryan Kearney 2018-07-05 15:18:51 UTC
Per comment 13, closing current release.

