Bug 1339883 - Registering the Hypervisor in Satellite fails on candlepin-local.pem
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ovirt-3.6.10
Assignee: Douglas Schilling Landgraf
QA Contact: Wei Wang
Keywords: ZStream
Reported: 2016-05-26 05:18 UTC by Kamudini Gazdikova
Modified: 2017-01-23 14:25 UTC (History)
Previously, when a user used Red Hat Subscription Manager to register a system to the Red Hat Customer Portal the URL and CA URL could not be changed. Whereas, when a user used Subscription Asset Manager to register a system to the Red Hat Customer Portal the URL and CA URL could be changed. Some users were using the option to change the URL and CA URL when registering a Satellite system. However, the new version of Candlepin requires that the Organization and Environment be declared. This meant that users were unable to register their Red Hat Enterprise Virtualization Hypervisor (RHEV-H) with Satellite. Now, the URL is used to verify the version of Satellite that the user is intending to register to ensure that the system is registered correctly. Note that on Satellite version 6.2 or higher the Organization and Environment need to be declared if an activation key is not being used.
Last Closed: 2017-01-23 14:25:04 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0185 normal SHIPPED_LIVE ovirt-node bug fix and enhancement update for RHEV 3.6.10 2017-01-24 17:55:58 UTC
oVirt gerrit 68076 None None None 2016-12-09 21:58 UTC

Comment 5 Yaniv Lavi 2016-06-21 08:56:53 UTC
Did anything change in the CA location? How should a user obtain the pem for registration to Satellite?

Comment 6 Ohad Levy 2016-06-21 09:02:06 UTC
http://satellitepub/katello-ca-consumer-latest.noarch.rpm is the correct bootstrap path, I'm not sure where the candlepin one came from.

Comment 7 Yaniv Lavi 2016-07-03 11:19:17 UTC
Would node work with this? I think we expect pem, not a rpm.

Comment 8 Douglas Schilling Landgraf 2016-07-05 20:52:37 UTC
(In reply to Yaniv Dary from comment #7)
> Would node work with this? I think we expect pem, not a rpm.

At this moment, in rhev-h we expect the certificate, not the rpm.
The certificate that the doc mentions is probably extracted from the rpm.

I have found this KCS that mentions how to extract it from katello-ca-consumer-latest.noarch.rpm too:

How to register RHEV-H with Red Hat Satellite 6 server?
https://access.redhat.com/solutions/1479783

Comment 9 Ryan Barry 2016-07-05 21:01:20 UTC
I would expect that this changed in katello at some point.

Checking for the certificate is part of registration which I inherited, and I'm not sure of the need for that requirement, but it's been tested and verified on QE's sat6 environment.

It's possible to fetch the rpm and extract the cert on rhev-h directly, though I'd rather avoid making changes to the legacy code at this point unless there's a strict need, since there's a well-documented means to do this.

Can we update the docs to point to the kB article?

Comment 10 Yaniv Lavi 2016-07-18 09:43:10 UTC
(In reply to Ryan Barry from comment #9)
> I would expect that this changed in katello at some point.
> 
> Checking for the certificate is part of registration which I inherited, and
> I'm not sure of the need for that requirement, but it's been tested and
> verified on QE's sat6 environment.
> 
> It's possible to fetch the rpm and extract the cert on rhev-h directly,
> though I'd rather avoid making changes to the legacy code at this point
> unless there's a strict need, since there's a well-documented means to do
> this.
> 
> Can we update the docs to point to the kB article?

The kbase recommends dropping to shell which isn't supported.

Comment 11 Fabian Deutsch 2016-08-30 15:09:12 UTC
We will not support using the rpm on RHEV-H 3.6.

But the mechanism to use an RPM should work on RHVH 4.0.

Thus I suggest to add the kbase, because this will allow users to address the problem - even if dropping to shell is not supported.

Yaniv, please move to docs if you think it should be documented, otherwise please close this bug as currentrelease.

Comment 12 Yaniv Lavi 2016-09-13 11:42:06 UTC
But this means that all sat6 integration is dependent on weird unsupported flow and for a very long time (Sep 2017). We can do the unpacking of the rpm in RHEV-H to make it work.

Please discuss this with Moran on Sat support. If he decides to not fix this, please move to docs.

Comment 14 Ryan Barry 2016-09-26 17:28:23 UTC
(In reply to Yaniv Dary from comment #10)
> The kbase recommends dropping to shell which isn't supported.

Only the first step of the kbase is necessary.

Once the .pem is hosted somewhere, the TUI takes over the rest, and no manual changes to rhsm.conf are needed.

A workaround:

Extract the PEM on the satellite server (first part of the kbase)

Log into the RHEV-H TUI:

Put the path to the .pem in the "CA Cert" field.

Registration works.

No unsupported steps (on the shell) on the RHEV host are needed. Only one step on the satellite server.

Comment 15 Ryan Barry 2016-09-26 17:32:19 UTC
(In reply to Yaniv Dary from comment #12)
> But this means that all sat6 integration is dependent on weird unsupported
> flow and for a very long time (Sep 2017). We can do the unpacking of the rpm
> in RHEV-H to make it work.

Note that unpacking the RPM on the RHEV host means that the RHEV code must be aware of how the RPM is used in order to facilitate registration:

How is it packed? Is something happening on the %post scripts which we must also perform?

Where does the PEM go?

Do users still need to take additional steps in the TUI? Can all information (satellite server, etc) be inferred from the RPM?

Do we know exactly which files are being touched so they can be persisted?

And we must continue to support this. It would be better (in my opinion) to extract the PEM on the satellite host, and use that for registration. It's my understanding that this is the current flow used by QE, so it should be well tested.

Comment 17 Wei Wang 2016-09-30 02:39:24 UTC
I have registered RHVH 4.0 to Satellite6.1/6.2 successfully before. 
I think it is right to use the test steps the customer shared for RHEV-H <3.6. But for RHVH 4.0, we should install the CA to RHVH host since NGN does not have TUI at all. The detailed steps are listed below:

1. SSH the satellite server
   #ssh admin@<satellite IP>

2. Copy the rpm package e.g : "katello-ca-consumer-satellite61.redhat.com-1.0-1.noarch.rpm" to your host.
   #scp /var/www/html/pub/katello-ca-xxxx.noarch.rpm <host destination>

3. Install the CA rpm
   #rpm -ivh xxxx.rpm

4. Register RHVH via cockpit WebUI or subscription-manager CLI

Comment 18 Wei Wang 2016-09-30 03:41:48 UTC
Test Version:
rhevh-7.2-20160920.1.el7ev.iso 
satellite server is 6.1

Test Steps:
1 Extract the rpm file /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm in /tmp.
 
 [root@satellite /tmp]# rpm2cpio katello-ca-consumer-latest.noarch.rpm | cpio -idv

2 Move the CA pem to /var/www/html/pub/
 [root@satellite /tmp]# mv /tmp/etc/rhsm/ca/*.pem /var/www/html/pub/

3 Restore selinux context
 [root@satellite /tmp]# restorecon -Rv /var/www/html/pub/

4. Using http://<sat-fqdn>/pub/katello-default-ca.pem as CA URL

5. Fill other info for registering satellite

6. Save

Test Result:
RHEVH register to satellite successfully.

Comment 19 Douglas Schilling Landgraf 2016-09-30 03:53:50 UTC
Hi Weiwang,

(In reply to weiwang from comment #18)
> Test Version:
> rhevh-7.2-20160920.1.el7ev.iso 
> satellite server is 6.1
> 
> Test Steps:
> 1 Extract the rpm file
> /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm in /tmp.
>  
>  [root@satellite /tmp]# rpm2cpio katello-ca-consumer-latest.noarch.rpm |
> cpio -idv
> 
> 2 Move the CA pem to /var/www/html/pub/
>  [root@satellite /tmp]# mv /tmp/etc/rhsm/ca/*.pem /var/www/html/pub/
> 
> 3 Restore selinux context
>  [root@satellite /tmp]# restorecon -Rv /var/www/html/pub/
> 
> 4. Using http://<sat-fqdn>/pub/katello-default-ca.pem as CA URL
> 
> 5. Fill other info for registering satellite
> 
> 6. Save
> 
> Test Result:
> RHEVH register to satellite successfully.

Could you please share the steps you have used to register 3.6 into the sat 6.2 ?

Thanks!

Comment 20 Wei Wang 2016-09-30 06:12:19 UTC
Test Steps:
1. Clean install RHEV-H on machine

2. Configure NIC with dhcp/static

3. Go to RHSM Registration page

4. Fill in the username and password of satellite6

5. Select the "satellite" type

6. Fill in the satellite server URL and the CA URL obtained according to the customer steps

7. Fill in the Organization, then selecting "save"

8. The registering result will be displayed successfully.

Comment 25 Douglas Schilling Landgraf 2016-11-30 22:38:10 UTC
Hi, 

Update about this case:

I have talked with one of Sat/SpaceWalk contributors (Marcelo Mello) and he agrees that our Sat 6.2 support is not working properly from his tests. Discussing the situation with him, he offered help to create a patch and test against all his Sat servers from 5 to 6.2.

Comment 26 Marcelo Moreira de Mello 2016-12-09 22:32:27 UTC
On Satellite 6.2, subscription-manager enforces an organization and library to be specified when registering a system. This patch added the environment option when the customer decides to register a system via username+password. 

Furthermore, versions >= 6.1 include a katello-server-ca.crt under the /pub directory by default. To be able to register, instead of checking only for a PEM file extension (present only on Red Hat Satellite <= 6.0.8), it now checks for katello-server-ca.crt.
Also added some further tests to validate the entries provided by the user when combining activation_key or username/password/org/library. 
Tested patch on Red Hat Satellite 6.2 with 3rd party CA and self-signed CA and worked fine. Tested also with Satellite 6.1 and worked fine. Tested with Satellite 6.0.8 and worked with katello-server-ca.pem too.
 
To make it possible to register RHEV-H on Satellite <= 6.0.8, the sysadmin will need to export/extract the PEM file manually from the katello-ca-consumer-latest.noarch RPM. Any Satellite higher than 6.1 is not required to export the certificate, since it will be executed automatically by Satellite.

Testing instructions:

  Satellite 5.x:

     Inform username+password. Then pass URL i.e: https://mysat5.example.com and CA URL i.e. https://mysat5.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT. 

     If using activation key, don't need username+password.

 
  Satellite 6.0.8 or lower

    It is required to extract the PEM file from the  katello-ca-consumer-latest.noarch.rpm. 

    A good way to do it would be:

# cd /tmp
# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm | cpio -idmv
# cat etc/rhsm/ca/candlepin-local.pem etc/rhsm/ca/katello-server-ca.pem  >> /var/www/html/pub/katello-server-ca.crt
# restorecon -Rv /var/www/html/pub/katello-server-ca.crt
# chmod  644 /var/www/html/pub/katello-server-ca.crt

  note: if the certificate has a .pem extension, it will work too.

    Inform username+password. Then pass URL i.e: https://mysat6.example.com and CA URL i.e. https://mysat6.example.com/pub/katello-server-ca.crt

     If using activation key, don't need username+password. 


  Satellite 6.1 or higher

    Inform username+password. Then pass URL i.e: https://mysat6.example.com and CA URL i.e. https://mysat6.example.com/pub/katello-server-ca.crt

     If using activation key, don't need username+password.


Please let me know if you have any further questions. 
mmello
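
Added example, not part of the original comment or the ovirt-node patch: a structural check for the bundle written by the `cat ... >>` step above, to run before its URL is entered as the CA URL. Because `>>` appends, re-running the step leaves duplicate blocks, and a source file without a trailing newline fuses an END and a BEGIN marker; the check flags both. The function names and the placeholder blocks are assumptions made for the example.

```shell
#!/bin/sh
# check_ca_bundle FILE  (hypothetical helper, not from the patch)
# Prints "certs=N unique=M malformed=K". Returns non-zero when the bundle
# is empty, has a broken BEGIN/END pair, or holds the same block twice.
check_ca_bundle() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) malformed++          # previous block never closed
            inside = 1; body = ""; next
        }
        /^-----END CERTIFICATE-----/ {
            # END with no open block, e.g. after a fused
            # "-----END ...----------BEGIN ...-----" line
            if (!inside) { malformed++; next }
            inside = 0; certs++
            if (!(body in seen)) { seen[body] = 1; unique++ }
            next
        }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
        END {
            if (inside) malformed++          # file ended inside a block
            printf "certs=%d unique=%d malformed=%d\n", certs, unique, malformed
            exit (certs == 0 || malformed > 0 || unique != certs)
        }
    ' "$1"
}

# Constructed placeholder block; the body is not a real certificate.
sample_block() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Constructed bundle: block A appended a second time, as a repeated ">>" would.
demo_bundle() {
    { sample_block 'PLACEHOLDERA'; sample_block 'PLACEHOLDERB'
      sample_block 'PLACEHOLDERA'; } > "$1"
}

tmp=$(mktemp)
demo_bundle "$tmp"
check_ca_bundle "$tmp" || echo "bundle needs attention before publishing"
rm -f "$tmp"
```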

Comment 28 Douglas Schilling Landgraf 2017-01-06 22:04:18 UTC
Hello Wei Wang,

Tests to validate this report are listed in comment#26.

Thanks!

Comment 29 Wei Wang 2017-01-11 10:18:12 UTC
Test Version:
rhev-hypervisor7-7.3-20170110.1.iso
ovirt-node-3.6.1-40.0.el7ev.noarch

First, for satellite 5.7
Test Steps:
1. Clean install RHEVH
2. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example57.redhat.com
   CA URL: https://example57.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
3. Register to satellite

Results:
RHEVH register to satellite5.7 failed, and report a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1412118

Second, for satellite 6.0.8
Results:
Pending for test environment is setting up now. I will test with satellite 6.0.8 when it is ready.

Third, for satellite 6.2
Test Steps:
1. Clean install RHEVH
2. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example62.redhat.com
   CA URL: https://example62.redhat.com/pub/katello-server-ca.crt
   Organization: <organization name>
   environment: <library>
3. Register to satellite

Results:
RHEVH register to satellite6.2 successfully.

Comment 30 Douglas Schilling Landgraf 2017-01-12 15:01:42 UTC
(In reply to Wei Wang from comment #29)
> Test Version:
> rhev-hypervisor7-7.3-20170110.1.iso
> ovirt-node-3.6.1-40.0.el7ev.noarch
> 
> First, for satellite 5.7
> Test Steps:
> 1. Clean install RHEVH
> 2. Input below information:
>    username: admin
>    password: xxxxxx
>    type: satellite
>    URL: https://example57.redhat.com
>    CA URL: https://example57.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
> 3. Register to satellite
> 
> Results:
> RHEVH register to satellite5.7 failed, and report a new bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1412118

As discussed in the bug#1412118 it was an issue in the initial sat57 server.
In a second server, just worked out of box.

> 
> Second, for satellite 6.0.8
> Results:
> Pending for test environment is setting up now. I will test with satellite
> 6.0.8 when it is ready.

Sure, thanks!

> 
> Third, for satellite 6.2
> Test Steps:
> 1. Clean install RHEVH
> 2. Input below information:
>    username: admin
>    password: xxxxxx
>    type: satellite
>    URL: https://example62.redhat.com
>    CA URL: https://example62.redhat.com/pub/katello-server-ca.crt
>    Organization: <organization name>
>    environment: <library>
> 3. Register to satellite
> 
> Results:
> RHEVH register to satellite6.2 successfully.

Great, thanks!

Comment 32 Douglas Schilling Landgraf 2017-01-13 03:47:37 UTC
As we discussed Wei Wang,

In the sat 6.0.8 you might find an issue if any fact field is > 255 chars [1].
In my case, the proc_cpuinfo.common.flags had > 255 chars. 

In the log file rhsm.log you could find an error like:
 "['Problem creating unit Consumer [id = 8a8c53095994.....]" [2]

To double check, you might run the below command and see if any field is > 255:
   # Press F2 to go to shell
   # subscription-manager facts --list

To fix my case, I have updated proc_cpuinfo.common.flags field reducing the flags and re-executing the registration via TUI.

- Press F2 (go to console)
- Workaround for proc_cpuinfo.common.flags:

# echo '{"proc_cpuinfo.common.flags":"fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes"}' > /etc/rhsm/facts/cpuinfo_override.facts

# persist /etc/rhsm/facts/cpuinfo_override.facts
# exit (Get back to TUI and try again the registration)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1310827#c3

A similar KCS is available here:
https://access.redhat.com/solutions/1414243

Thanks!
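
Added example, not part of the original comment: the "see if any field is > 255" check done by script instead of by eye, plus a helper that prints a one-entry override in the same JSON shape as the workaround above. It assumes one `name: value` pair per line in the facts listing; the function names and the sample facts are constructed for the example.

```shell
#!/bin/sh
# long_facts [LIMIT]: read "name: value" lines on stdin, print "name length"
# for every value longer than LIMIT (default 255); returns 1 if any is found.
long_facts() {
    awk -v limit="${1:-255}" '
        {
            sep = index($0, ": ")
            if (sep == 0) next                   # not a "name: value" line
            value = substr($0, sep + 2)
            if (length(value) > limit) {
                print substr($0, 1, sep - 1), length(value); bad = 1
            }
        }
        END { exit (bad + 0) }
    '
}

# fact_override NAME [LIMIT]: print a one-entry JSON override for NAME with
# the value cut at the last word boundary within LIMIT. Assumes the value
# holds no quotes or backslashes (true of CPU flag lists).
fact_override() {
    awk -v want="$1" -v limit="${2:-255}" '
        index($0, want ": ") == 1 {
            value = substr($0, length(want) + 3)
            if (length(value) > limit) {
                value = substr(value, 1, limit)
                sub(/ +[^ ]*$/, "", value)       # drop the cut-off last word
            }
            printf "{\"%s\":\"%s\"}\n", want, value
        }
    '
}

# Constructed sample in the "name: value" layout; the flag names are made up.
sample_facts() {
    printf 'cpu.cpu_socket(s): 2\n'
    printf 'proc_cpuinfo.common.flags: '
    awk 'BEGIN { for (i = 0; i < 60; i++) printf "flag%02d ", i; print "" }'
    printf 'uname.machine: x86_64\n'
}

sample_facts | long_facts || echo "facts above exceed 255 characters"
sample_facts | fact_override proc_cpuinfo.common.flags
```

On the host, feed `long_facts` the output of `subscription-manager facts --list` in place of `sample_facts`.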

Comment 33 Wei Wang 2017-01-13 04:00:13 UTC
Test Version:
rhev-hypervisor7-7.3-20170110.1.iso
ovirt-node-3.6.1-40.0.el7ev.noarch
satellite 6.0.8

Test Steps:
1. # cd /tmp
# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm | cpio -idmv
# cat etc/rhsm/ca/candlepin-local.pem etc/rhsm/ca/katello-server-ca.pem  >> /var/www/html/pub/katello-server-ca.crt
# restorecon -Rv /var/www/html/pub/katello-server-ca.crt
# chmod  644 /var/www/html/pub/katello-server-ca.crt

2. Clean install RHEVH
3. Do according to comment32
4. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example608.redhat.com
   CA URL: https://example608.redhat.com/pub/katello-server-ca
5. Register to satellite

Results:
RHEVH register to satellite 6.0.8 successfully.

The bug cannot be reproduced, change status to VERIFIED

