Red Hat Bugzilla – Bug 1468009
[RFE] Make https redirect for unattended URLs optional
Last modified: 2018-01-22 02:46:24 EST
Description of problem:
Customer would like to modify the provisioning template in such a way that when a system gets provisioned it reports its build status to the Satellite server over http instead of https.
In the provisioning template there is a command which calls the token on Satellite from the console:
#wget -q -O /dev/null --no-check-certificate <%= foreman_url %>
#wget -q -O /dev/null --no-check-certificate http://satellite.lab.example.com/unattended/
Ideally, Satellite redirects every request to this URL to https.
It should allow reporting without the "--no-check-certificate" parameter.
I either need to be able to NOT use https and just use http OR even better have Sat6 try a test rex job (like ls or something) and when the rex job succeeds the build is done.
Doing ACTIVE checks from Sat6 has MANY advantages, like the ability to set the interval for retries, the max number of tries, AND a task or action to take if it hits max retries, like restart and retry the rebuild or send an alert email, etc.
This also allows for a minimal monitoring feature for hosts in Sat6. So, say, for a critical server: if 2 REX failures occur on a physical server, power cycle it, and if it still fails attempt a rebuild or send an email to some DL.
So is the problem that Apache httpd redirects all http requests to https? It should be possible to avoid that for /unattended URLs via some configuration option in httpd.conf.
But after reading the case, it looks like the major problem is your IT security dept and the "--no-check-certificate". Can you check if deploying the Satellite server certificate via a kickstart snippet prior to the wget command would be feasible? Then we could change the template to something like:
wget -q -O /dev/null --ca-certificate /tmp/built-server-cert.crt https://satellite.lab.example.com/unattended/
Please let us know which of the two options you would prefer: either embedding the server certificate into the kickstart or turning off the https rewrite for unattended requests.
For ideas around Remote Execution, please feel free to file an additional RFE. These are two separate areas and separate BZ components.
Yes, the issue is forcing http to https globally. For simple "I'm done building" messages I see no reason to use https; plus on some systems I am getting Sat6 to build, tools like wget come from BusyBox and an RPM. I am looking at embedded systems based on RHEL like SAN appliances, which I may, once I get this working, build on ARM devices now that RHEL is coming to ARM. For embedded systems every byte of storage counts, as the SD card or Compact Flash IS the only "HDD".
Also going to look at ARM (Raspberry Pi 3b or later) desktops using RHEL Workstation/Desktop being built via Sat6.
Also, adding the active ssh can be a precursor to possible future Ansible support, maybe.
I have just checked on Satellite 6.2.12 and it works, there is no redirect. We actually prevent HTTPS redirect for unattended URLs. I *think* this is a feature from day one.
I am going to close this bug; feel free to reopen, but provide me with all the reproduction steps.
[root@satellite1 ~]# curl -v http://$(hostname)/unattended/built
* About to connect() to satellite1.xxx.redhat.com port 80 (#0)
* Trying 10.8.108.1...
* Connected to satellite1.xxx.redhat.com (10.8.108.1) port 80 (#0)
> GET /unattended/built HTTP/1.1
> User-Agent: curl/7.29.0
> Host: satellite1.xxx.redhat.com
> Accept: */*
< HTTP/1.1 201 Created
< Date: Fri, 19 Jan 2018 15:08:59 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux)
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'self'; connect-src 'self' ws: wss: *.redhat.com; font-src 'self'; frame-src 'self' *.redhat.com *.force.com; img-src 'self' *.gravatar.com *.redhat.com data:; media-src 'self'; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' *.redhat.com; style-src 'unsafe-inline' 'self';
< X-Download-Options: noopen
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: b087deac-43d8-4189-8945-d2889ae06536
< X-Runtime: 0.741936
< X-Powered-By: Phusion Passenger 4.0.18
< ETag: "7215ee9c7d9dc229d2921a40e899ec5f"
< Status: 201 Created
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/plain; charset=UTF-8
* Closing connection 0
I will update my Sat6 to 6.2.12 today and see, but when I tried this last it did NOT work.
My issue was the reporting of "I'm done building" back to Sat6 at the end of the KS. I can say for a fact that unless the wget could support https, which was not the issue in my test case, as wget was part of BusyBox and NOT installed as an RPM.
To be clear, I am *NOT* having an issue with getting the KS or initial content via http; it is at the END, where the newly built system has to use wget to tell Satellite that it has finished the initial build and to clear the build flag from the system in Sat6.
All URLs which start with /unattended are allowed both for HTTP and HTTPS; this has been the case since the 6.0 days, I am pretty sure. One important thing to notice is that when you provide the spoof parameter, you are redirected to https, because spoofing is only allowed for authorized users:
[root@satellite1 conf.d]# curl -s http://$(hostname)/unattended/provision | head -n3
[root@satellite1 conf.d]# curl -s http://$(hostname)/unattended/provision?spoof=xxx | head -n3
<html><body>You are being <a href="https://satellite1.released-el7.satellite.lab.eng.rdu2.redhat.com/unattended/provision?spoof=xxx">redirected</a>.</body></html>
For googlers, here is more info on that:
This is the KS section in question:
<% if @provisioning_type == nil || @provisioning_type == 'host' -%>
# Inform the build system that we are done.
echo "Informing Foreman that we are built"
wget -q -O /dev/null --no-check-certificate <%= foreman_url %>
<% end -%>
I do not ever see the URL. Specifically, what I need is this:
wget -q -O /dev/null --no-check-certificate <%= foreman_url %>
to support http so that I can change that line to read:
wget -q -O /dev/null <%= foreman_url %>
as wget in BusyBox does *NOT* support the --no-check-certificate switch.
Do you have a manual entry I can put in place of <%= foreman_url %> ??
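As an added example (not from this thread or from Foreman's own templates), the following %post-style shell snippet picks the wget options at runtime from what the installed wget advertises in `wget --help`, so one template line works with GNU wget and with BusyBox wget, which lacks `--no-check-certificate`. It prefers a plain http /unattended URL, then a deployed CA file (the `--ca-certificate` approach suggested above), and only then unverified TLS; the hostname and CA file path reuse the examples from the thread, and the retry count is an assumption.

```shell
#!/bin/sh
# Added example, not Foreman's own template code. Builds the wget options for the
# "Informing Foreman that we are built" call so the same snippet works with GNU
# wget and with BusyBox wget (which has no --no-check-certificate switch).

# Print the wget options for a URL, given the output of `wget --help`.
# $1 = URL to report to, $2 = `wget --help` text, $3 = optional CA file path
# Exit status 1 means this wget cannot fetch the URL safely (https with a
# wget that has neither option, e.g. BusyBox): hand it an http:// URL instead.
built_wget_opts() {
    url=$1
    help_text=$2
    ca_file=${3:-}
    case $url in
        http://*)
            # Plain http /unattended URL: no certificate handling needed.
            echo "-q -O /dev/null"
            return 0
            ;;
    esac
    # Preferred for https: verify against the server certificate deployed
    # earlier in the kickstart (e.g. /tmp/built-server-cert.crt).
    if [ -n "$ca_file" ] && printf '%s\n' "$help_text" | grep -q -e '--ca-certificate'; then
        echo "-q -O /dev/null --ca-certificate $ca_file"
        return 0
    fi
    # Fallback: the original template's unverified TLS (GNU wget only).
    if printf '%s\n' "$help_text" | grep -q -e '--no-check-certificate'; then
        echo "-q -O /dev/null --no-check-certificate"
        return 0
    fi
    return 1
}

# Report the build to Foreman with a few client-side retries.
# $1 = URL, $2 = CA file path (may be empty), $3 = attempts (assumed default 5)
report_built() {
    url=$1
    opts=$(built_wget_opts "$url" "$(wget --help 2>&1)" "$2") || return 1
    n=0
    while [ "$n" -lt "${3:-5}" ]; do
        # $opts is intentionally word-split into separate arguments.
        wget $opts "$url" && return 0
        n=$((n + 1))
        sleep 5
    done
    return 1
}
```

In a template this would be called as `report_built "<%= foreman_url %>" /tmp/built-server-cert.crt`, with foreman_url pointing at a plain http /unattended URL when the target image ships BusyBox wget.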