Bug 1468009 - [RFE] Make https redirect for unattended URLs optional
Status: NEW
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Provisioning Templates
Version: 6.2.10
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: satellite6-bugs
Keywords: FutureFeature, Triaged
Reported: 2017-07-05 14:52 EDT by Abhishek Sahni
Modified: 2018-01-02 01:52 EST

Description Abhishek Sahni 2017-07-05 14:52:03 EDT
Description of problem:

Customer would like to modify the provisioning template in such a way that when a system gets provisioned it will report its build status to the Satellite server over http instead of https.

In the provisioning template there is a command which calls the token on Satellite from the console,

#wget -q -O /dev/null --no-check-certificate <%= foreman_url %>

or 

#wget -q -O /dev/null --no-check-certificate http://satellite.lab.example.com/unattended/

Ideally satellite is redirecting every request over this url to https.
=========

It should allow reporting without "--no-check-certificate" parameter.
Comment 3 Steven Mercurio 2017-08-30 06:50:41 EDT
I either need to be able to NOT use https and just use http OR even better have Sat6 try a test rex job (like ls or something) and when the rex job succeeds the build is done.

Doing ACTIVE checks from Sat6 has MANY advantages like the ability to set the interval for retries, max number of tries, AND a task or action to take if it hits max retries like restart and retry rebuild or send alert email, etc

This also allows for a minimal monitoring feature for hosts in Sat6.  So say for a critical server if 2 REX failures occur on a physical server power cycle it and if it still fails attempt a rebuild or send email to some DL.
Comment 5 Lukas Zapletal 2017-10-09 08:16:35 EDT
So is the problem that Apache httpd redirects all http requests to https? It should be possible to avoid that for /unattended URLs via some configuration option in httpd.conf.

But after reading the case, it looks like the major problem is your IT security dept and the "--no-check-certificate". Can you check if deploying the Satellite server certificate via a kickstart snippet prior to the wget command would be feasible? Then we could change the template to something like:

cat > /tmp/built-server-cert.crt <<EOC
FLKJFLDSJKFDSLKJFDSLKJSDFLDFJDSLFJDSLKJFDSLKJFSD..DASKJDSALJDA=
EOC
wget -q -O /dev/null --ca-certificate /tmp/built-server-cert.crt https://satellite.lab.example.com/unattended/

Please let us know which of the two options you would prefer, either embedding the server certificate into kickstart or turning off https rewrite for unattended requests.

For ideas around Remote Execution, please feel free to file an additional RFE. These are two separate areas and separate BZ components.
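
The certificate-embedding option from the comment above, written out as an added example that is not part of the bug thread or of the Satellite templates: the callback refuses a plain-http URL and a missing or malformed CA file instead of falling back to `--no-check-certificate`. The helper names `install_ca` and `report_built` are hypothetical; the CA path and URL are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): certificate-verified build callback
# for a kickstart %post section. install_ca and report_built are hypothetical
# helper names; CA_FILE is the path used in the comment above.
CA_FILE="${CA_FILE:-/tmp/built-server-cert.crt}"

# Write the PEM certificate read from stdin to CA_FILE.
# Returns 1 and removes the file if the input is not PEM-shaped, so a
# truncated or empty template variable cannot leave a bogus trust anchor.
install_ca() {
    cat > "$CA_FILE" || return 1
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$CA_FILE" ||
       ! grep -q -e '-----END CERTIFICATE-----' "$CA_FILE"; then
        echo "install_ca: no PEM certificate in $CA_FILE" >&2
        rm -f "$CA_FILE"
        return 1
    fi
}

# Report build completion to URL ($1), verifying the server against CA_FILE.
# Returns 2 for a non-https URL, 3 if the CA file is missing or empty,
# otherwise wget's own exit status (non-zero when verification fails).
report_built() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "report_built: refusing non-https URL: $url" >&2
           return 2 ;;
    esac
    if [ ! -s "$CA_FILE" ]; then
        echo "report_built: CA file $CA_FILE missing or empty" >&2
        return 3
    fi
    wget -q -O /dev/null --ca-certificate="$CA_FILE" "$url"
}

# Usage in %post (certificate body supplied by the template):
#   install_ca <<'EOC'
#   -----BEGIN CERTIFICATE-----
#   ...
#   -----END CERTIFICATE-----
#   EOC
#   report_built "https://satellite.lab.example.com/unattended/" || echo "callback failed" >&2
```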
Comment 6 Steven Mercurio 2017-10-09 10:00:41 EDT
Yes, the issue is forcing http to https globally.  Simple "I'm done building" messages I see no reason to be https plus on some systems I am getting Sat6 to build tools like where come from BusyBox and an RPM.  I am looking at embedded systems based on RHEL like SAN appliances which I may once I get this working build on ARM devices now that RHEL is coming to ARM.  For embedded systems every byte of storage counts as the SD card or Compact Flash IS the only "HDD".

Also going to look at ARM (Raspberry Pi 3b or later) desktops using RHEL workstation/desktop being built via Sat6.

Also adding the active ssh can be a precursor to possible future Ansible support maybe.