1378448 – [RFE] fail asap in satellite installer if hostname is not set at all

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1378448 - [RFE] fail asap in satellite installer if hostname is not set at all

Summary: [RFE] fail asap in satellite installer if hostname is not set at all

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Installation
Sub Component:
Version:	6.2.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Chris Roberts
QA Contact:	Ales Dujicek
Docs Contact:
URL:	http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-22 12:32 UTC by Anthony Green
Modified:	2019-09-25 20:32 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-21 17:11:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
foreman-debug output (832.66 KB, application/x-xz) 2016-09-22 12:32 UTC, Anthony Green	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	16946	0	None	None	None	2016-10-14 14:24:46 UTC

Description Anthony Green 2016-09-22 12:32:27 UTC

Created attachment 1203719 [details]
foreman-debug output

Description of problem:

# subscription-manager register --org="OSCP_PoC" --activationkey 'rhel-7-server-ak'
Task e8537148-cfe3-49d4-b8db-1211b0f3f097: RestClient::InternalServerError: 500 Internal Server Error


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Anthony Green 2016-09-22 12:36:15 UTC

I came across this while writing this: https://github.com/atgreen/idm-satellite-openshift-demo

Comment 2 Chris Duryee 2016-09-22 13:21:11 UTC

Can you provide the output of

ls -lZ /etc/pki/pulp
ls -lZ /root/.rnd

and also check for any selinux denials?


ERROR: Unhandled Exception
ERROR: (2070-79232) error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r') 
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'
ERROR: (2070-79232)
ERROR: (2070-79232) Traceback (most recent call last):
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
ERROR: (2070-79232)     response = wrapped_callback(request, *callback_args, **callback_kwargs) 
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
ERROR: (2070-79232)     return self.dispatch(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
ERROR: (2070-79232)     return handler(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
ERROR: (2070-79232)     return _verify_auth(self, operation, super_user_only, method, *args, **kwargs) 
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
ERROR: (2070-79232)     value = method(self, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/util.py", line 130, in wrapper
ERROR: (2070-79232)     return func(*args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/consumers.py", line 201, in post
ERROR: (2070-79232)     rsa_pub=rsa_pub)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/consumer/cud.py", line 84, in register
ERROR: (2070-79232)     key, certificate = cert_gen_manager.make_cert(consumer_id, expiration_date, uid=str(_id))
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
ERROR: (2070-79232)     raise Exception("error signing cert request: %%s" %% output)
ERROR: (2070-79232) Exception: error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r') 
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'

Comment 3 Anthony Green 2016-09-22 13:44:13 UTC

(In reply to Chris Duryee from comment #2)
> Can you provide the output of
> 
> ls -lZ /etc/pki/pulp
> ls -lZ /root/.rnd

[root@sat6 ~]# ls -lZ /etc/pki/pulp/
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa.key
-rw-r--r--. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa_pub.key

[root@sat6 ~]# ls -lZ /root/.rnd 
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/.rnd
 
> and also check for any selinux denials?

I'm running in Permissive mode.  That being said:

[root@sat6 ~]# ausearch -m avc
----
time->Mon Sep 19 23:07:58 2016
type=SYSCALL msg=audit(1474340878.566:140): arch=c000003e syscall=21 success=yes exit=0 a0=7fa82d7e3070 a1=4 a2=7fa82d7e307e a3=400 items=0 ppid=1 pid=14200 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340878.566:140): avc:  denied  { read } for  pid=14200 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:08:02 2016
type=SYSCALL msg=audit(1474340882.278:151): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd12135b90 a1=4 a2=7ffd12135b9e a3=400 items=0 ppid=1 pid=14228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340882.278:151): avc:  denied  { read } for  pid=14228 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:17:59 2016
type=SYSCALL msg=audit(1474341479.227:224): arch=c000003e syscall=21 success=yes exit=0 a0=7ffe5dbdade0 a1=4 a2=7ffe5dbdadee a3=400 items=0 ppid=14294 pid=14540 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474341479.227:224): avc:  denied  { read } for  pid=14540 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:45:16 2016
type=SYSCALL msg=audit(1474343116.471:246): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd121318b0 a1=4 a2=7ffd121318be a3=400 items=0 ppid=14228 pid=14538 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474343116.471:246): avc:  denied  { read } for  pid=14538 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 06:56:50 2016
type=SYSCALL msg=audit(1474455410.511:57): arch=c000003e syscall=21 success=yes exit=0 a0=7f2367f2c070 a1=4 a2=7f2367f2c07e a3=400 items=0 ppid=1 pid=2278 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474455410.511:57): avc:  denied  { read } for  pid=2278 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 07:07:02 2016
type=SYSCALL msg=audit(1474456022.923:119): arch=c000003e syscall=21 success=yes exit=0 a0=7fffd6ed10e0 a1=4 a2=7fffd6ed10ee a3=400 items=0 ppid=2040 pid=2427 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474456022.923:119): avc:  denied  { read } for  pid=2427 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 4 Chris Duryee 2016-09-22 13:52:44 UTC

I confirmed on another 6.2 machine that ca.crt and ca.key should be in the /etc/pki/pulp dir. I'm not sure why they are missing on your machine.

Can you run the following?

rpm -q pulp-server
rpm -V pulp-server

Comment 5 Anthony Green 2016-09-22 14:18:11 UTC

I'm closing this as a dupe of 1339904.

IMO, the satellite installer should check for this seemingly common error.

Comment 6 Chris Duryee 2016-09-22 14:28:32 UTC

RFE: if a system has no hostname, the installer should fail early. Otherwise, a script in the pulp-server rpm will fail to generate ca.crt and ca.key, causing registrations to fail.

See 1339904 and https://access.redhat.com/solutions/2355891 for additional detail.

Comment 7 Bryan Kearney 2016-09-26 20:30:21 UTC

Chris, wouldnt this catch that case:

https://github.com/theforeman/foreman-installer/blob/develop/checks/hostname.rb

Comment 8 Chris Duryee 2016-10-03 19:31:42 UTC

re #7, pulp's CA cert generation can happen before the installer runs, depending on if you yum install 'satellite' or just 'satellite-installer'. If you install via the former, it will install pulp-server before the installer runs, which will generate a CA cert as part of %post.

The following will repro on el6 for sat 6.2:

* "hostname foo.bar.baz", ensure "hostname -f" returns "Unknown host"
* yum install satellite (not satellite-installer)
* satellite-installer --scenario satellite
* fix hostname, re-run satellite-installer

At this point, the install will show success, but any system registrations via subscription-manager will result in a 500 error.

Ideally, satellite-installer would check that /etc/pki/pulp/ca.crt and /etc/pki/pulp/ca.key exist, and would re-run pulp-gen-ca-certificate if not.

Comment 9 Stephen Benjamin 2016-10-14 14:24:43 UTC

Created redmine issue http://projects.theforeman.org/issues/16946 from this bug

Comment 12 Bryan Kearney 2018-02-21 17:11:13 UTC

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Note You need to log in before you can comment on or make changes to this bug.