Bug 1378448 - [RFE] fail asap in satellite installer if hostname is not set at all
Summary: [RFE] fail asap in satellite installer if hostname is not set at all
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Ales Dujicek
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-22 12:32 UTC by Anthony Green
Modified: 2019-09-25 20:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 17:11:13 UTC
Target Upstream Version:
Embargoed:


Attachments
foreman-debug output (832.66 KB, application/x-xz)
2016-09-22 12:32 UTC, Anthony Green


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 16946 0 None None None 2016-10-14 14:24:46 UTC

Description Anthony Green 2016-09-22 12:32:27 UTC
Created attachment 1203719
foreman-debug output

Description of problem:

# subscription-manager register --org="OSCP_PoC" --activationkey 'rhel-7-server-ak'
Task e8537148-cfe3-49d4-b8db-1211b0f3f097: RestClient::InternalServerError: 500 Internal Server Error


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Anthony Green 2016-09-22 12:36:15 UTC
I came across this while writing this: https://github.com/atgreen/idm-satellite-openshift-demo

Comment 2 Chris Duryee 2016-09-22 13:21:11 UTC
Can you provide the output of

ls -lZ /etc/pki/pulp
ls -lZ /root/.rnd

and also check for any selinux denials?


ERROR: Unhandled Exception
ERROR: (2070-79232) error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r') 
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'
ERROR: (2070-79232)
ERROR: (2070-79232) Traceback (most recent call last):
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
ERROR: (2070-79232)     response = wrapped_callback(request, *callback_args, **callback_kwargs) 
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
ERROR: (2070-79232)     return self.dispatch(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
ERROR: (2070-79232)     return handler(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
ERROR: (2070-79232)     return _verify_auth(self, operation, super_user_only, method, *args, **kwargs) 
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
ERROR: (2070-79232)     value = method(self, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/util.py", line 130, in wrapper
ERROR: (2070-79232)     return func(*args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/consumers.py", line 201, in post
ERROR: (2070-79232)     rsa_pub=rsa_pub)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/consumer/cud.py", line 84, in register
ERROR: (2070-79232)     key, certificate = cert_gen_manager.make_cert(consumer_id, expiration_date, uid=str(_id))
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
ERROR: (2070-79232)     raise Exception("error signing cert request: %%s" %% output)
ERROR: (2070-79232) Exception: error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r') 
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'

Comment 3 Anthony Green 2016-09-22 13:44:13 UTC
(In reply to Chris Duryee from comment #2)
> Can you provide the output of
> 
> ls -lZ /etc/pki/pulp
> ls -lZ /root/.rnd

[root@sat6 ~]# ls -lZ /etc/pki/pulp/
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa.key
-rw-r--r--. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa_pub.key

[root@sat6 ~]# ls -lZ /root/.rnd 
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/.rnd
 
> and also check for any selinux denials?

I'm running in Permissive mode.  That being said:

[root@sat6 ~]# ausearch -m avc
----
time->Mon Sep 19 23:07:58 2016
type=SYSCALL msg=audit(1474340878.566:140): arch=c000003e syscall=21 success=yes exit=0 a0=7fa82d7e3070 a1=4 a2=7fa82d7e307e a3=400 items=0 ppid=1 pid=14200 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340878.566:140): avc:  denied  { read } for  pid=14200 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:08:02 2016
type=SYSCALL msg=audit(1474340882.278:151): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd12135b90 a1=4 a2=7ffd12135b9e a3=400 items=0 ppid=1 pid=14228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340882.278:151): avc:  denied  { read } for  pid=14228 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:17:59 2016
type=SYSCALL msg=audit(1474341479.227:224): arch=c000003e syscall=21 success=yes exit=0 a0=7ffe5dbdade0 a1=4 a2=7ffe5dbdadee a3=400 items=0 ppid=14294 pid=14540 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474341479.227:224): avc:  denied  { read } for  pid=14540 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:45:16 2016
type=SYSCALL msg=audit(1474343116.471:246): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd121318b0 a1=4 a2=7ffd121318be a3=400 items=0 ppid=14228 pid=14538 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474343116.471:246): avc:  denied  { read } for  pid=14538 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 06:56:50 2016
type=SYSCALL msg=audit(1474455410.511:57): arch=c000003e syscall=21 success=yes exit=0 a0=7f2367f2c070 a1=4 a2=7f2367f2c07e a3=400 items=0 ppid=1 pid=2278 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474455410.511:57): avc:  denied  { read } for  pid=2278 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 07:07:02 2016
type=SYSCALL msg=audit(1474456022.923:119): arch=c000003e syscall=21 success=yes exit=0 a0=7fffd6ed10e0 a1=4 a2=7fffd6ed10ee a3=400 items=0 ppid=2040 pid=2427 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474456022.923:119): avc:  denied  { read } for  pid=2427 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 4 Chris Duryee 2016-09-22 13:52:44 UTC
I confirmed on another 6.2 machine that ca.crt and ca.key should be in the /etc/pki/pulp dir. I'm not sure why they are missing on your machine.

Can you run the following?

rpm -q pulp-server
rpm -V pulp-server

Comment 5 Anthony Green 2016-09-22 14:18:11 UTC
I'm closing this as a dupe of 1339904.

IMO, the satellite installer should check for this seemingly common error.

Comment 6 Chris Duryee 2016-09-22 14:28:32 UTC
RFE: if a system has no hostname, the installer should fail early. Otherwise, a script in the pulp-server rpm will fail to generate ca.crt and ca.key, causing registrations to fail.

See 1339904 and https://access.redhat.com/solutions/2355891 for additional detail.

Comment 7 Bryan Kearney 2016-09-26 20:30:21 UTC
Chris, wouldn't this catch that case:

https://github.com/theforeman/foreman-installer/blob/develop/checks/hostname.rb

Comment 8 Chris Duryee 2016-10-03 19:31:42 UTC
re #7, pulp's CA cert generation can happen before the installer runs, depending on if you yum install 'satellite' or just 'satellite-installer'. If you install via the former, it will install pulp-server before the installer runs, which will generate a CA cert as part of %post.

The following will repro on el6 for sat 6.2:

* "hostname foo.bar.baz", ensure "hostname -f" returns "Unknown host"
* yum install satellite (not satellite-installer)
* satellite-installer --scenario satellite
* fix hostname, re-run satellite-installer

At this point, the install will show success, but any system registrations via subscription-manager will result in a 500 error.

Ideally, satellite-installer would check that /etc/pki/pulp/ca.crt and /etc/pki/pulp/ca.key exist, and would re-run pulp-gen-ca-certificate if not.
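
A pre-flight check along the lines suggested in comment 8, as an added example that is not part of the original comment and is not foreman-installer or Satellite code. The function names (fqdn_ok, pulp_ca_missing, preflight) and the --run switch are hypothetical; the file paths and pulp-gen-ca-certificate are the ones named in this bug.

```shell
#!/bin/sh
# Added example (not Satellite/foreman-installer code): fail early when the
# host has no usable FQDN or when Pulp's CA material was never generated.
PULP_PKI_DIR="${PULP_PKI_DIR:-/etc/pki/pulp}"

# fqdn_ok NAME: succeed only if NAME looks like a usable FQDN.
# Pass the output of `hostname -f`, not `hostname`: in the repro above the
# short command reports a dotted name while `hostname -f` cannot resolve it.
fqdn_ok() {
    case "$1" in
        ""|localhost|localhost.*|*" "*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# pulp_ca_missing DIR: print the CA files that are absent or empty in DIR.
pulp_ca_missing() {
    dir="$1"; missing=""
    for f in ca.crt ca.key; do
        [ -s "$dir/$f" ] || missing="$missing $f"
    done
    echo "${missing# }"
}

# preflight DIR FQDN: report every problem found, return non-zero on any.
preflight() {
    dir="$1"; fqdn="$2"; rc=0
    if ! fqdn_ok "$fqdn"; then
        echo "FAIL: 'hostname -f' gave no usable FQDN: '$fqdn'" >&2
        rc=1
    fi
    missing=$(pulp_ca_missing "$dir")
    if [ -n "$missing" ]; then
        echo "FAIL: missing in $dir: $missing" >&2
        echo "      fix the hostname, then re-run pulp-gen-ca-certificate" >&2
        rc=1
    fi
    return $rc
}

# Run against the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight "$PULP_PKI_DIR" "$(hostname -f 2>/dev/null)"
    exit $?
fi
```

Both conditions are checked independently because, as the repro shows, correcting the hostname after pulp-server's %post has already run does not bring ca.crt and ca.key back.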

Comment 9 Stephen Benjamin 2016-10-14 14:24:43 UTC
Created redmine issue http://projects.theforeman.org/issues/16946 from this bug

Comment 12 Bryan Kearney 2018-02-21 17:11:13 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

