Hide Forgot
Description of problem: You can run satellite-installer with any value you wish in the DNS/DHCP provider! Version-Release number of selected component (if applicable): 6.2.4 and probably earlier versions as well. How reproducible: Always. Steps to Reproduce: 1. Run the following command: satellite-installer -S satellite \ --foreman-proxy-dhcp-provider virsh \ --foreman-proxy-dhcp-server 192.168.122.1 \ --foreman-proxy-dns-server 192.168.122.1 \ --foreman-proxy-dns-provider blabla \ --foreman-proxy-dns true \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-interface eth0 Installing Done [100%] [..........................................................] Success! * Satellite is running at https://rhss62.testenv * To install additional capsule on separate machine continue by running: capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar" The full log is at /var/log/foreman-installer/satellite.log Actual results: satellite-installer starts and complete the installation without any warning/error message! Expected results: It should accept only the foreman-proxy providers. Additional info: cat ./dns.yml --- # DNS management :enabled: https # valid providers: # dns_dnscmd (Microsoft Windows native implementation) # dns_nsupdate # dns_nsupdate_gss (for GSS-TSIG support) # dns_virsh (simple implementation for libvirt) :use_provider: dns_blabla # use this setting if you want to override default TTL setting (86400) :dns_ttl: 86400
This is a problem upstream too, the puppet module verifies only that the provided provider is a string. It should verify it's a String in a Enum that contains the valid providers.
Created redmine issue http://projects.theforeman.org/issues/17595 from this bug
I hope that the comment is published upstream as well. If users have their own plugin, the probably they should flag it somehow and then disable the check. I believe that the vast majority of users will use the default plugins. For example like: .. --foreman-proxy-dhcp-provider my_custom_plugin --foreman-proxy-dhcp-custom-provider yes ..
Upstream bug assigned to dlobatog
Peter - Looks like validating DHCP/DNS is a bit hairy as hard validations would make users who have their custom DHCP/DNS plugins unable to use their providers with the installer. I've filed https://github.com/theforeman/puppet-foreman_proxy/pull/314 downstream which is supposed to fix the issue for puppetrun/realms/bmc providers though. If that's good enough for you - let me know and I'll move the ticket to POST.
If I understand correctly, the puppet module will try to validate somehow that the DNS/DHCP provider can actually provide DNS/DHCP answers. If that's the case, it more than sufficient.
It's not exactly that - the changes I was allowed to put in just put the validations for other providers (puppetrun, realms, bmc). For DHCP/DNS, I will have to open a new pull request on the foreman installer that performs the checks you wanted. This means the puppet classes will still accept the 'unknown/wrong' providers, but the installer will not.
That's the whole point! The installer should not accept crazy things. But since anyone could write a "provider", I don't see any other way to inform the installer that you will use a non-standard provider by let it know. Thanks.
Daniel.. next steps since upstream rejected?
The fix I submitted upstream had to be modified enough that it no longer fixed this bug.. I think the next steps would be to check for correct DNS/DHCP providers in the installer directly (instead of the Puppet module) and ask twice if your choice is not one of the ones provided with Satellite.
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17595 has been resolved.
Verified with Sat 6.4 snap 20. Bad DNS: # satellite-installer -S satellite --foreman-proxy-dhcp-provider isc --foreman-proxy-dhcp-server 10.16.66.80 --foreman-proxy-dns-server 10.16.66.80 --foreman-proxy-dns-provider blabla --foreman-proxy-dns true --foreman-proxy-dhcp true --foreman-proxy-dhcp-interface em1 Resetting puppet server version param... Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!' [...] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]/features: change from ["Ansible", "Discovery", "Dynflow", "Logs", "Openscap", "Pulp", "Puppet", "Puppet CA", "SSH", "TFTP"] to ["Ansible", "DHCP", "DNS", "Discovery", "Dynflow", "Logs", "Openscap", "Puppet", "Puppet CA", "TFTP"] failed: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Failed to call refresh: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!' [...] # grep ERROR /var/log/foreman-proxy/proxy.log Disabling all modules in the group ['dns']: following providers are not available ['dns_blabla'] Similar for bad DHCP. Similar for bad DNS and DHCP. Installation works for correct DNS and DHCP.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927