Bug 1404582 - Finish template without tokens does not work through Capsule
Summary: Finish template without tokens does not work through Capsule
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning Templates
Version: 6.2.5
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Lukáš Hellebrandt
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-14 07:43 UTC by Lukas Zapletal
Modified: 2019-09-26 14:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:37 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 17636 0 Normal Closed Template preview requires token to be present for template proxying 2020-10-30 09:29:33 UTC

Description Lukas Zapletal 2016-12-14 07:43:05 UTC
Hello,

this is the second part of this patch that was released in 6.2.1:

https://bugzilla.redhat.com/show_bug.cgi?id=1292421

I fixed the rendered, but forgot to fix the preview code. Please ack this into the next z-stream, TWO LINES PATCH, LOW RISK.

Comment 3 Lukas Zapletal 2017-08-09 09:03:25 UTC
QA NOTES:

Turn off token duration to zero, provision a system, make sure Anaconda downloaded kickstart via Capsule (port 8000).

Comment 4 Lukáš Hellebrandt 2018-01-12 15:05:22 UTC
Why does this BZ exist? What is the bug, what is supposed to be fixed? And why is it named the same as bug 1405502, is also for 6.3, but is a distinct BZ?

Comment 5 Lukas Zapletal 2018-01-15 08:23:49 UTC
Lukáš, this patch fixes provisioning via Capsule when token duration Setting is set to 0 (turned off). In this mode, Foreman looks up hosts via REMOTE IP instead of unique token (UUID). To verify, turn off tokens and do provisioning - make sure all communication is done via Capsule (including templating - kickstart).

Case 1: PXE installation of RHEL

Case 2: Image-based installation via finish script (cloud or virt)

Comment 6 Lukáš Hellebrandt 2018-01-17 16:17:44 UTC
FailedQA with Sat6.3 snap 32.

When running "curl http://<CAPSULE_FQDN>:8000/unattended/finish", 500 ISE is returned. That is probably due to Satellite thinking it should serve finish script for the Capsule based on its IP (and thus returning 405) while it should actually return a finish script for the client.

Tested on a Beaker machine (so, not behind a NAT - if I am incorrect, this whole FailsQA is erroneous). Note the "Found" part of the log.


# curl http://<CAPSULE_FQDN>:8000/unattended/finish -v
* About to connect() to <CAPSULE_FQDN> port 8000 (#0)
*   Trying <IP6_ADDR>...
* No route to host
*   Trying <IP_ADDR>...
* Connected to <CAPSULE_FQDN> (<IP_ADDR>) port 8000 (#0)
> GET /unattended/finish HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <CAPSULE_FQDN>:8000
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error 
< Content-Type: application/json
< Content-Length: 256
< X-Content-Type-Options: nosniff
< Server: 
< Date: Wed, 17 Jan 2018 15:59:55 GMT
< Connection: Keep-Alive
< 
* Connection #0 to host <CAPSULE_FQDN> left intact
Failed to retrieve finish template for {"splat"=>[], "captures"=>["finish"], "kind"=>"finish"}: Error retrieving finish for {:url=>"http://<CAPSULE_FQDN>:8000"} from <SATELLITE_FQDN>: Net::HTTPMethodNotAllowed





production.log:
2018-01-17 10:59:55 7845510a [app] [I] Started GET "/unattended/finish?url=http%3A%2F%2F<CAPSULE_FQDN>%3A8000" for <CAPSULE_FQDN> at 2018-01-17 10:59:55 -0500
2018-01-17 10:59:55 7845510a [app] [I] Processing by UnattendedController#host_template as TEXT
2018-01-17 10:59:55 7845510a [app] [I]   Parameters: {"url"=>"http://<CAPSULE_FQDN>:8000", "kind"=>"finish", "unattended"=>{}}
2018-01-17 10:59:55 7845510a [app] [I] Current user: foreman_api_admin (administrator)
2018-01-17 10:59:55 7845510a [app] [D] Setting current user thread-local variable to foreman_api_admin
2018-01-17 10:59:55 7845510a [app] [D] Found <CAPSULE_FQDN>
2018-01-17 10:59:55 7845510a [app] [I] Filter chain halted as :allowed_to_install? rendered or redirected
2018-01-17 10:59:55 7845510a [app] [I] Completed 405 Method Not Allowed in 15ms (ActiveRecord: 2.6ms)



On Capsule:
# service dnsmasq status
Redirecting to /bin/systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# iptables -S | grep -i nat
# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2018-01-17 11:11:41 EST; 2min 41s ago

Comment 8 Lukas Zapletal 2018-01-19 07:49:59 UTC
It works, we just forgot one last step. In Administer - Setting, you must set remote_addr (Remote address) to match IP address of proxy server (in this case Capsule):

(127.0.0.1|10.16.66.70)

Then it works, I just verified.
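
As an added illustration (not Foreman or Capsule source code), this Ruby sketch models the token-less lookup from comments 5 to 8: the server identifies the host by IP and accepts a relayed client address only when the connecting peer matches the remote_addr setting. It assumes the Capsule relays the client's address in an X-Forwarded-For header; the host inventory, the client address 10.16.66.99, the 404 status and the function names are constructed.

```ruby
# Added example: a model of host lookup when tokens are off (duration 0).

# Constructed inventory, IP => host record. 10.16.66.70 is the Capsule
# address quoted in comment 8; the client entry is made up.
HOSTS = {
  '10.16.66.70' => { name: 'capsule.example.com', build: false },
  '10.16.66.99' => { name: 'client.example.com',  build: true }
}.freeze

# Constructed request as relayed by the Capsule on behalf of the client.
RELAYED = {
  'REMOTE_ADDR' => '10.16.66.70',
  'HTTP_X_FORWARDED_FOR' => '10.16.66.99' # assumed header name
}.freeze

# Pick the IP that identifies the requesting host.
# trusted_proxies is the remote_addr setting value (regex source string).
def effective_ip(env, trusted_proxies)
  peer = env['REMOTE_ADDR']
  # Use the last entry: the address appended by the nearest proxy.
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').last.to_s.strip
  return peer if forwarded.empty?
  # Full-string match is a choice of this example, so that a peer such
  # as "110.16.66.70" is not accepted as "10.16.66.70".
  trusted = /\A(?:#{trusted_proxies})\z/.match?(peer)
  trusted ? forwarded : peer
end

# Resolve the host and decide whether a template may be served.
def serve_template(env, trusted_proxies)
  ip = effective_ip(env, trusted_proxies)
  host = HOSTS[ip]
  return { status: 404, ip: ip } unless host # assumed status
  # Host found but not awaiting installation: the 405 seen in comment 6.
  return { status: 405, ip: ip, host: host[:name] } unless host[:build]
  { status: 200, ip: ip, host: host[:name] }
end

if __FILE__ == $PROGRAM_NAME
  p serve_template(RELAYED, '127.0.0.1')               # Capsule not trusted
  p serve_template(RELAYED, '(127.0.0.1|10.16.66.70)') # value from comment 8
end
```

With only 127.0.0.1 trusted, the relayed request resolves to the Capsule itself and is refused; with the value from comment 8 it resolves to the client. A peer that does not match the setting keeps its own address regardless of the header it sends.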

Comment 9 Lukas Zapletal 2018-01-19 08:36:49 UTC
See https://github.com/theforeman/theforeman.org/pull/1006

Comment 10 Satellite Program 2018-02-21 16:54:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

