1402062 – satellite-installer does not check for correct values in DNS/DHCP providers

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1402062 - satellite-installer does not check for correct values in DNS/DHCP providers

Summary: satellite-installer does not check for correct values in DNS/DHCP providers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Installation
Sub Component:
Version:	6.2.4
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	6.4.0
Assignee:	Daniel Lobato Garcia
QA Contact:	Lukáš Hellebrandt
Docs Contact:
URL:	http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-06 17:10 UTC by Peter Tselios
Modified:	2019-11-05 23:02 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-16 19:09:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	17595	0	Normal	Resolved	foreman-installer does not check for correct values in DNS/DHCP providers	2020-12-07 18:18:12 UTC

Description Peter Tselios 2016-12-06 17:10:29 UTC

Description of problem:
You can run satellite-installer with any value you wish in the DNS/DHCP provider!

Version-Release number of selected component (if applicable):
6.2.4 and probably earlier versions as well. 

How reproducible:
Always.

Steps to Reproduce:
1. Run the following command:

satellite-installer -S satellite  \
  --foreman-proxy-dhcp-provider virsh \
  --foreman-proxy-dhcp-server 192.168.122.1 \
  --foreman-proxy-dns-server 192.168.122.1 \
  --foreman-proxy-dns-provider blabla \
  --foreman-proxy-dns true \
  --foreman-proxy-dhcp true \
  --foreman-proxy-dhcp-interface eth0

Installing             Done                                               [100%] [..........................................................]
  Success!
  * Satellite is running at https://rhss62.testenv
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

Actual results:
satellite-installer starts and complete the installation without any warning/error message!

Expected results:
It should accept only the foreman-proxy providers. 

Additional info:

cat ./dns.yml 
---
# DNS management
:enabled: https
# valid providers:
#   dns_dnscmd (Microsoft Windows native implementation)
#   dns_nsupdate
#   dns_nsupdate_gss (for GSS-TSIG support)
#   dns_virsh (simple implementation for libvirt)
:use_provider: dns_blabla
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400

Comment 1 Daniel Lobato Garcia 2016-12-06 19:42:59 UTC

This is a problem upstream too, the puppet module verifies only that the provided provider is a string. It should verify it's a String in a Enum that contains the valid providers.

Comment 2 Daniel Lobato Garcia 2016-12-06 19:44:26 UTC

Created redmine issue http://projects.theforeman.org/issues/17595 from this bug

Comment 3 Peter Tselios 2016-12-06 21:13:51 UTC

I hope that the comment is published upstream as well. 
If users have their own plugin, the probably they should flag it somehow and then disable the check. I believe that the vast majority of users will use the default plugins. 

For example like:
..
 --foreman-proxy-dhcp-provider my_custom_plugin
 --foreman-proxy-dhcp-custom-provider yes
..

Comment 4 Bryan Kearney 2016-12-09 09:14:01 UTC

Upstream bug assigned to dlobatog

Comment 5 Bryan Kearney 2016-12-09 09:14:03 UTC

Upstream bug assigned to dlobatog

Comment 7 Daniel Lobato Garcia 2016-12-12 10:04:46 UTC

Peter - Looks like validating DHCP/DNS is a bit hairy as hard validations would make users who have their custom DHCP/DNS plugins unable to use their providers with the installer.

I've filed https://github.com/theforeman/puppet-foreman_proxy/pull/314 downstream which is supposed to fix the issue for puppetrun/realms/bmc providers though. If that's good enough for you - let me know and I'll move the ticket to POST.

Comment 8 Peter Tselios 2016-12-12 15:04:23 UTC

If I understand correctly, the puppet module will try to validate somehow that the DNS/DHCP provider can actually provide DNS/DHCP answers. If that's the case, it more than sufficient.

Comment 9 Daniel Lobato Garcia 2016-12-12 23:10:54 UTC

It's not exactly that - the changes I was allowed to put in just put the validations for other providers (puppetrun, realms, bmc). 

For DHCP/DNS, I will have to open a new pull request on the foreman installer that performs the checks you wanted. This means the puppet classes will still accept the 'unknown/wrong' providers, but the installer will not.

Comment 10 Peter Tselios 2016-12-13 09:22:07 UTC

That's the whole point! The installer should not accept crazy things. But since anyone could write a "provider", I don't see any other way to inform the installer that you will use a non-standard provider by let it know. 

Thanks.

Comment 11 Bryan Kearney 2017-03-06 22:38:10 UTC

Daniel.. next steps since upstream rejected?

Comment 12 Daniel Lobato Garcia 2017-03-07 09:46:27 UTC

The fix I submitted upstream had to be modified enough that it no longer fixed this bug.. 

I think the next steps would be to check for correct DNS/DHCP providers in the installer directly (instead of the Puppet module) and ask twice if your choice is not one of the ones provided with Satellite.

Comment 14 Satellite Program 2017-10-06 16:27:15 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17595 has been resolved.

Comment 16 Lukáš Hellebrandt 2018-09-04 11:40:02 UTC

Verified with Sat 6.4 snap 20.

Bad DNS:

# satellite-installer -S satellite    --foreman-proxy-dhcp-provider isc   --foreman-proxy-dhcp-server 10.16.66.80   --foreman-proxy-dns-server 10.16.66.80   --foreman-proxy-dns-provider blabla   --foreman-proxy-dns true   --foreman-proxy-dhcp true   --foreman-proxy-dhcp-interface em1
Resetting puppet server version param...
 Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!'
[...]
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]/features: change from ["Ansible", "Discovery", "Dynflow", "Logs", "Openscap", "Pulp", "Puppet", "Puppet CA", "SSH", "TFTP"] to ["Ansible", "DHCP", "DNS", "Discovery", "Dynflow", "Logs", "Openscap", "Puppet", "Puppet CA", "TFTP"] failed: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Failed to call refresh: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dell-pe-fm120-2c.rhts.eng.bos.redhat.com]: Proxy dell-pe-fm120-2c.rhts.eng.bos.redhat.com has failed to load one or more features (DNS), check /var/log/foreman-proxy/proxy.log for configuration errors
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:70:in `validate_features!'
[...]


# grep ERROR /var/log/foreman-proxy/proxy.log
Disabling all modules in the group ['dns']: following providers are not available ['dns_blabla']


Similar for bad DHCP. Similar for bad DNS and DHCP. Installation works for correct DNS and DHCP.

Comment 17 Bryan Kearney 2018-10-16 19:09:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927

Note You need to log in before you can comment on or make changes to this bug.