Bug 1388136
| Summary: | --upgrade-puppet does not update puppet SSL ca and cert locations by default | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Chris Duryee <cduryee> |
| Component: | Installation | Assignee: | Stephen Benjamin <stbenjam> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Priority: | high |
| Version: | 6.3.0 | CC: | bbuckingham, bkearney, ehelms, lpramuk, stbenjam |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | Hardware: | Unspecified |
| OS: | Unspecified | Type: | Bug |
| Fixed In Version: | rubygem-katello-3.4.5 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2018-02-21 16:51:07 UTC | | |
Description
Chris Duryee
2016-10-24 14:47:28 UTC
Workaround in comment#0 is inaccurate, to adjust certs location you have to run:

# satellite-installer \
    --foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
    --foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem

With this the modules [ puppet_proxy_puppet_api, puppet ] get enabled again.

Despite this certs adjustment, the Capsule 'Puppet CA' tab still complains about unavailable PuppetCA certificates:

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)

Is puppet ssldir hardcoded in puppetca module?

By comparing brand new and upgraded installation I see that more locations still need to be adjusted:

# satellite-installer \
    --foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
    --foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem \
    --foreman-proxy-puppetca-cmd '/opt/puppetlabs/bin/puppet cert' \
    --foreman-proxy-puppetdir /etc/puppetlabs/puppet \
    --foreman-proxy-puppetrun-cmd '/opt/puppetlabs/bin/puppet kick'

By this command even the puppetca error is mitigated.

I think you're still missing a bunch, you can see in 31-upgrade-puppet.rb hook what we're resetting. Like --foreman-puppet-home, and --foreman-puppet-ssldir. We don't really need a workaround, if you wait for us to merge the upstream PR you can test the actual fix... There was just a bug in how it was resetting them.

BTW, you can use --reset-XXX instead of giving a value, like --reset-foreman-puppet-ssldir. It will see puppet 4 is on the box, and use the default value for it instead of 3.

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17074 has been resolved.

FailedQA.
@satellite-6.3.0-16.0.beta.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch
katello-installer-base-3.4.4-1.el7sat.noarch
After upgrade the puppet options are reset now to the new locations.
However, options in the satellite answer files remain the same.
@upgraded p4 install:
# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/ca.pem")
--foreman-proxy-puppet-ssl-cert SSL certificate used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/sat3.example.com.pem")
--foreman-proxy-puppet-ssl-key SSL private key used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/private_keys/sat3.example.com.pem")
--foreman-proxy-ssldir Puppet CA SSL directory (current: "/var/lib/puppet/ssl")
--puppet-ssldir Override where SSL certificates are kept. (current: "/var/lib/puppet/ssl")
--puppet-vardir Override the puppet var directory. (current: "/var/lib/puppet")
>>> the defaults (in answer files) remain the very same as before upgrade /var/lib/puppet/*
While with clean p4 install the defaults are the new ones:
@clean p4 install:
# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
--foreman-proxy-puppet-ssl-cert SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/sat4.example.com.pem")
--foreman-proxy-puppet-ssl-key SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/sat4.example.com.pem")
--foreman-proxy-ssldir Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
--puppet-ssldir Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
--puppet-vardir Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")
>>> what's worse is that we are losing idempotency here, i.e. fresh p4 install differs from upgraded p4 install
Failing this BZ can be related to failing BZ 1466912
VERIFIED.
@satellite-6.3.0-17.0.beta.el7sat.noarch
katello-installer-base-3.4.5-1.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch
using manual reproducer:
1. Enable puppet4 repo (currently internal only repo)
2. Upgrade puppet version
# satellite-installer --upgrade-puppet
Upgrading puppet...
...
Upgrade Step: upgrade_puppet_package...
...
Upgrade Step: stop_services...
...
Upgrade Step: copy_data...
...
Upgrade Step: remove_puppet_port_httpd...
...
Upgrade Step: start_httpd...
...
Puppet 3 to 4 upgrade initialization complete, continuing with installation
Resetting puppet params...
Puppet 3 to 4 upgrade param reset, continuing with installation
Installing Done [100%] [.....................................]
Success!
* Katello is running at https://<SATFQDN>
* To install an additional Foreman proxy on separate machine continue by running:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"
The full log is at /var/log/foreman-installer/satellite.log
Upgrade Step: restart_services...
...
3. Check ssl certs locations
# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
--foreman-proxy-puppet-ssl-cert SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/<SATFQDN>.pem")
--foreman-proxy-puppet-ssl-key SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/<SATFQDN>.pem")
--foreman-proxy-ssldir Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
--puppet-ssldir Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
--puppet-vardir Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")
>>> all certs/keys locations are correctly updated (upgraded install now matches fresh p4 install)
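
The location check from step 3 above, turned into a pass/fail gate. This is an added example, not part of the original report or of the installer; the function names and the shortened sample input are assumptions, while the option names and paths are those quoted in the report.

```sh
#!/bin/sh
# Added example (not from the bug report): flag installer options whose
# "current" value still points into the Puppet 3 tree after --upgrade-puppet.

PUPPET3_PREFIX="/var/lib/puppet"   # Puppet 3 location shown in the report

# Reads `satellite-installer -h` output on stdin; prints "option<TAB>value"
# for each option whose current value is the prefix itself or a path below it.
# Sibling paths such as /var/lib/puppetserver are not matched.
stale_puppet_options() {
  awk -v p="$PUPPET3_PREFIX" '
    match($0, /\(current: "[^"]*"\)/) {
      val = substr($0, RSTART + 11, RLENGTH - 13)   # text between the quotes
      if ($1 ~ /^--/ && (val == p || index(val, p "/") == 1))
        print $1 "\t" val
    }'
}

# Exit status 0 when nothing is stale, 1 otherwise (usable as a post-upgrade gate).
check_upgrade() {
  stale=$(stale_puppet_options)
  [ -z "$stale" ] && return 0
  printf 'Options still on Puppet 3 paths:\n%s\n' "$stale" >&2
  return 1
}

# Sample input, shortened from the output quoted in the report.
sample_failed_qa() {
cat <<'EOF'
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/ca.pem")
--foreman-proxy-ssldir Puppet CA SSL directory (current: "/var/lib/puppet/ssl")
--puppet-vardir Override the puppet var directory. (current: "/var/lib/puppet")
EOF
}
sample_verified() {
cat <<'EOF'
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
--foreman-proxy-ssldir Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
--puppet-vardir Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")
EOF
}

# On a real system: satellite-installer -h | check_upgrade
sample_failed_qa | stale_puppet_options
sample_verified | check_upgrade && echo "verified sample: all options on Puppet 4 paths"
```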
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:0336