Bug 1375697 - Capsule Installer does not honor virtual fqdn in load-balance scenario
Summary: Capsule Installer does not honor virtual fqdn in load-balance scenario
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: jcallaha
URL:
Whiteboard:
Depends On:
Blocks: 1405514
Reported: 2016-09-13 18:12 UTC by Dylan Gross
Modified: 2021-06-10 11:32 UTC (History)

Fixed In Version: katello-installer-base-3.0.0.66-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1405514
Environment:
Last Closed: 2017-01-26 10:42:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker 16945 | 0 | Normal | Closed | Capsule Installer does not honor virtual fqdn in load-balance scenario | 2020-12-01 08:25:11 UTC
Red Hat Product Errata RHBA-2017:0197 | 0 | normal | SHIPPED_LIVE | Satellite 6.2.7 Async Bug Release | 2017-01-26 15:38:38 UTC

Description Dylan Gross 2016-09-13 18:12:33 UTC
Description of problem:

Using the Satellite 6 HA Load Balancing Reference Architecture as a guide has the customer creating a multi-host certificate bundle, and then applying it to multiple capsules.

However, when the subsequent "satellite-installer --scenario capsule" is used to apply those certs to the capsule, the resulting "katello-ca-consumer-latest" that is created on each capsule contains a /usr/bin/katello-rhsm-consumer script that references the name of each individual capsule (KATELLO_SERVER=) rather than that of the load-balanced name.
 

Version-Release number of selected component (if applicable):

    Red Hat Satellite 6.2.1

How reproducible:

Steps to Reproduce:
1. Following sections 5.2.1.7 and 5.2.1.8 of the reference architecture (https://access.redhat.com/sites/default/files/attachments/sat6ha-lb-refarch.pdf), create a tar bundle for multiple capsules and use that with the satellite-installer on the capsules to apply the certificate bundle.

Actual results:

   The resulting katello-ca-consumer rpm will contain a /usr/bin/katello-rhsm-consumer with a KATELLO_SERVER= set to the actual fqdn of each individual capsule.

Expected results:

   The resulting katello-ca-consumer rpm should contain a /usr/bin/katello-rhsm-consumer file with a KATELLO_SERVER set to the fqdn of $1 that was specified when using the "katello-multi-host-certs.sh" script in Appendix C.10 of the above Reference Architecture.  (In other words, the virtual fqdn representing all of the capsules)


Additional info:

   According to the customer, the class in /usr/share/katello-installer-base/modules/certs/manifests/katello.pp was not honoring the "node_fqdn" override and was instead always just using the capsule's fqdn.

Making the following changes allowed for the correct Virtual fqdn to be represented in the /usr/bin/katello-rhsm-consumer script.

However, it is unknown what other effects this may have.

-----------------------------------------

$ diff /usr/share/katello-installer-base/modules/certs/manifests/katello.pp.orig /usr/share/katello-installer-base/modules/certs/manifests/katello.pp
3c3
<   $hostname                      = $fqdn,
---
>   $hostname                      = $::certs::node_fqdn,
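Review bot: the new default `$::certs::node_fqdn` on line 3 only takes effect when the caller of `certs::katello` leaves `hostname` unset; if the installer's declaration of this class still passes the capsule's `$fqdn` explicitly, the change is a no-op, so the call site needs checking as well. Reading another class's variable also requires `certs` to have been evaluated before `certs::katello`; otherwise the lookup yields undef (with a Puppet warning) and `$hostname` ends up empty instead of falling back to anything, which is worth a guard or at least a comment on the dependency.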
19,20c19,20
<   $candlepin_consumer_name        = "katello-ca-consumer-${::fqdn}"
<   $candlepin_consumer_summary     = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
---
>   $candlepin_consumer_name        = "katello-ca-consumer-${hostname}"
>   $candlepin_consumer_summary     = "Subscription-manager consumer certificate for Katello instance ${hostname}"
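Review bot: switching lines 19-20 from `${::fqdn}` to `${hostname}` is consistent with the new default, but `hostname` is also the name of a Facter fact (the short host name), and inside this class the parameter shadows it, so a reader can easily mistake `${hostname}` for the fact. A less ambiguous parameter name, or a comment stating that this is the virtual FQDN in the load-balanced case, would avoid that. Note also that the RPM name no longer varies per capsule, so every load-balanced capsule now builds an identically named katello-ca-consumer package under /var/www/html/pub, which is the intended outcome here but should be stated in the commit message.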

Comment 3 David Caplan 2016-10-13 20:54:17 UTC
This must be fixed to correct issues found by the customer when following the prescription laid out in the RefArch for LB: https://access.redhat.com/sites/default/files/attachments/sat6ha-lb-refarch.pdf
May need a switch that allows the admin to indicate if the Capsule will LB or not. If LB = Yes, then apply the patch.

Comment 4 Stephen Benjamin 2016-10-14 14:15:19 UTC
Created redmine issue http://projects.theforeman.org/issues/16945 from this bug

Comment 5 Stephen Benjamin 2016-10-14 14:19:32 UTC
Thanks for the patch. At a quick glance, it looks OK and should work regardless of setup. Will try it out. PR opened upstream.

Comment 6 Bryan Kearney 2016-10-14 20:00:41 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16945 has been resolved.

Comment 10 jcallaha 2017-01-25 21:09:37 UTC
Verified in Satellite 6.2.7 Snap 3

I followed the instructions outlined here (https://www.redhat.com/cms/managed-files/li-highly-available-satellite-server-environment-reference-architecture-us103789-201610-en.pdf) to create the script. Be careful to ensure you clean up the formatting!

I then ran that script with my capsule's hostname as well as some additional names thrown in.

-bash-4.2# bash katello-multi-host-certs.sh dell-pe-fc630-01.rhts.eng.bos.redhat.com test1.rhts.eng.bos.redhat.com test2.rhts.eng.bos.redhat.com test3.rhts.eng.bos.redhat.com

Generating the web server's SSL private key: ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/custom-cert.key
Rotated: custom-cert.key --> custom-cert.key.1

Generating web server's SSL certificate request: ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/custom-cert.crt.req
Using distinguished names:
    --set-country      = "US"
    --set-state        = "North Carolina"
    --set-city         = "Raleigh"
    --set-org          = "FOREMAN"
    --set-org-unit     = "FOREMAN_PROXY"
    --set-hostname     = "dell-pe-fc630-01.rhts.eng.bos.redhat.com"
    --set-email        = "admin"
Rotated: custom-cert.crt.req --> custom-cert.crt.req.1

Generating/signing web server's SSL certificate: custom-cert.crt
Rotated: custom-cert.crt --> custom-cert.crt.1

...working...

Generating web server's SSL key pair/set RPM:
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-key-pair-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-4.src.rpm
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-key-pair-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-4.noarch.rpm

The most current RHN Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
    ./ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/katello-httpd-ssl-archive-dell-pe-fc630-01.rhts.eng.bos.redhat.com-1.0-10.tar

Deploy the server's SSL key pair/set RPM:
    (NOTE: the Katello installer may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or RHN Satellite, or RHN Proxy.
    Presumably 'dell-pe-fc630-01.rhts.eng.bos.redhat.com'.
Marking certificate /root/ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/dell-pe-fc630-01.rhts.eng.bos.redhat.com-apache for update
Marking certificate /root/ssl-build/dell-pe-fc630-01.rhts.eng.bos.redhat.com/dell-pe-fc630-01.rhts.eng.bos.redhat.com-foreman-proxy for update
Installing             Done                                               [100%] [..........................................................................................................]
  Success!

  To finish the installation, follow these steps:

  If you do not have the capsule registered to the Satellite instance, then please do the following:

  1. yum -y localinstall http://ibm-x3550m3-08.lab.eng.brq.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization"

  Once this is completed run the steps below to start the capsule installation:

  1. Ensure that the satellite-capsule package is installed on the system.
  2. Copy /root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar to the system dell-pe-fc630-01.rhts.eng.bos.redhat.com
  3. Run the following commands on the capsule (possibly with the customized
     parameters, see satellite-installer --scenario capsule --help and
     documentation for more info on setting up additional services):

  satellite-installer --scenario capsule\
                    --capsule-parent-fqdn                         "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-register-in-foreman           "true"\
                    --foreman-proxy-foreman-base-url              "https://ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-trusted-hosts                 "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
                    --foreman-proxy-trusted-hosts                 "dell-pe-fc630-01.rhts.eng.bos.redhat.com"\
                    --foreman-proxy-oauth-consumer-key            "RV37XVeL4sMdJiDqtaeCxjhyu2onAPBx"\
                    --foreman-proxy-oauth-consumer-secret         "3vjh5ygYZ2kPHWXH63dGJr2KwsrLSvE9"\
                    --capsule-pulp-oauth-secret                   "6K2KvS6kREZVMU6nRaPLBHbCVCzYnFpa"\
                    --capsule-certs-tar                           "/root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar"
  The full log is at /var/log/capsule-certs-generate.log

Next, I copied over the generated cert and ran the capsule installer on the target capsule.

-bash-4.2# satellite-installer --scenario capsule\
>                     --capsule-parent-fqdn                         "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-register-in-foreman           "true"\
>                     --foreman-proxy-foreman-base-url              "https://ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-trusted-hosts                 "ibm-x3550m3-08.lab.eng.brq.redhat.com"\
>                     --foreman-proxy-trusted-hosts                 "dell-pe-fc630-01.rhts.eng.bos.redhat.com"\
>                     --foreman-proxy-oauth-consumer-key            "RV37XVeL4sMdJiDqtaeCxjhyu2onAPBx"\
>                     --foreman-proxy-oauth-consumer-secret         "3vjh5ygYZ2kPHWXH63dGJr2KwsrLSvE9"\
>                     --capsule-pulp-oauth-secret                   "6K2KvS6kREZVMU6nRaPLBHbCVCzYnFpa"\
>                     --capsule-certs-tar                           "/root/certs-dell-pe-fc630-01.rhts.eng.bos.redhat.com.tar"
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  The full log is at /var/log/foreman-installer/capsule.log

Finally, you can see that the contents of katello-ca-consumer-latest.noarch.rpm are indeed what we are expecting. 

-bash-4.2# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm
...
KATELLO_SERVER=dell-pe-fc630-01.rhts.eng.bos.redhat.com
KATELLO_SERVER_CA_CERT=katello-server-ca.pem
KATELLO_DEFAULT_CA_CERT=katello-default-ca.pem
KATELLO_CERT_DIR=/etc/rhsm/ca
PORT=8443
...
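The check a practitioner wants after applying this fix on a load-balanced capsule is the one Comment 10 performs by eye: that the katello-rhsm-consumer script shipped in katello-ca-consumer-latest points clients at the virtual FQDN rather than the capsule's own name. The script below is an added example, not code from the bug report or the installer; the function names, the FQDNs and the two sample consumer scripts are constructed, and the rpm2cpio/cpio extraction is shown only in a comment.

```shell
#!/bin/sh
# Added example, not from the bug report or the installer: confirm that the
# katello-rhsm-consumer script a capsule ships in katello-ca-consumer-latest
# points clients at the load-balanced (virtual) FQDN, not the capsule's own.
# On a real capsule the script is extracted as Comment 10 does:
#   rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm \
#     | cpio -i --to-stdout ./usr/bin/katello-rhsm-consumer > consumer.sh

# Print the KATELLO_SERVER value from a katello-rhsm-consumer script.
katello_server_of() {
    sed -n 's/^KATELLO_SERVER=//p' "$1" | head -n 1
}

# Exit status: 0 = targets the expected virtual FQDN,
#              1 = targets some other name (the per-capsule bug),
#              2 = KATELLO_SERVER is missing from the script.
check_virtual_fqdn() {
    script="$1"; expected="$2"
    actual=$(katello_server_of "$script")
    if [ -z "$actual" ]; then
        echo "FAIL: KATELLO_SERVER not set in $script" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $script -> $actual"
        return 0
    fi
    echo "MISMATCH: $script -> $actual (expected $expected)" >&2
    return 1
}

# Constructed sample scripts (names are placeholders) standing in for the
# file extracted from a fixed and an unfixed capsule respectively.
EX_DIR=$(mktemp -d)
cat > "$EX_DIR/fixed.sh" <<'EOF'
KATELLO_SERVER=capsule-lb.example.com
KATELLO_SERVER_CA_CERT=katello-server-ca.pem
PORT=8443
EOF
cat > "$EX_DIR/buggy.sh" <<'EOF'
KATELLO_SERVER=capsule01.example.com
KATELLO_SERVER_CA_CERT=katello-server-ca.pem
PORT=8443
EOF

check_virtual_fqdn "$EX_DIR/fixed.sh" capsule-lb.example.com
check_virtual_fqdn "$EX_DIR/buggy.sh" capsule-lb.example.com || true
```

Run it against the extracted script on each capsule behind the load balancer; any MISMATCH means that capsule still hands clients its own FQDN, which is exactly the behaviour this bug describes.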

Comment 13 errata-xmlrpc 2017-01-26 10:42:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0197

