Bug 1547912 - formain-maintain fails to use hammer if config has host: localhost
Summary: formain-maintain fails to use hammer if config has host: localhost
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Satellite Maintain
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Martin Bacovsky
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-02-22 09:33 UTC by Evgeni Golov
Modified: 2020-03-05 16:22 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-05 16:22:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 22739 0 Normal Closed formain-maintain fails to use hammer if config has host: localhost 2021-01-05 18:32:04 UTC

Description Evgeni Golov 2018-02-22 09:33:13 UTC 
Description of problem:
hammer in 6.2 and older did not validate SSL certificates and the installer generated the global config with `host: https://localhost`:

# cat /etc/hammer/cli.modules.d/foreman.yml 
:foreman:
  # Enable/disable foreman commands
  :enable_module: true

  # Your foreman server address
  :host: 'https://localhost/'

  # Credentials. You'll be asked for them interactively if you leave them blank here
  :username: 'admin'
  #:password: 'example'

  # Check API documentation cache status on each request
  #:refresh_cache: false

  # API request timeout. Set to -1 for no timeout
  #:request_timeout: 120 #seconds

  # Follow API redirects. One of :never, :default, :always
  # Value :default means RestClient default behaviour - follow only in GET and HEAD requests
  #:follow_redirects: :never

When the user took that file and used it as a template for their ~/.hammer/cli.modules.d/foreman.yml, they'd end up with:

# cat ~/.hammer/cli.modules.d/foreman.yml
:foreman:
  # Enable/disable foreman commands
  :enable_module: true

  # Your foreman server address
  :host: 'https://localhost/'

  # Credentials. You'll be asked for them interactively if you leave them blank here
  :username: 'admin'
  :password: 'changeme'

(or similar)

Now in 6.3, hammer started to verify the SSL certificate, and the global config is regenerated properly by the installer:

# cat /etc/hammer/cli.modules.d/foreman.yml 
:foreman:
  # Enable/disable foreman commands
  :enable_module: true

  # Your foreman server address
  :host: 'https://sat-6-2-qa-rhel7.kangae.example.com'

:ssl:
  :ssl_ca_file: '/etc/pki/katello/certs/katello-server-ca.crt'

However, due to the fact that the user has `:host: 'https://localhost/'` in their ~/.hammer, this takes precedence and every hammer call fails.

foreman-maintain also generates an own config, based on the one in ~/.hammer:

# cat /etc/foreman-maintain/foreman-maintain-hammer.yml
---
:foreman:
  :enable_module: true
  :host: https://localhost/
  :username: admin
  :password: changeme

So to make f-maintain work, both files need to drop the `:host:` entry.

As a user, I think I'd like f-maintain to:
1. check my ~/.hammer/cli.modules.d/foreman.yml and warn me if it has anything else than $(hostname -f) for host
2. only copy username and password to /etc/foreman-maintain/foreman-maintain-hammer.yml (like it is done in the case there is no config in ~/.hammer and the user is asked)


Version-Release number of selected component (if applicable):
rubygem-foreman_maintain-0.1.3-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. have ":host: 'https://localhost/'" in ~/.hammer/cli.modules.d/foreman.yml
2. foreman-maintain upgrade run --target-version 6.3

Actual results:
Running Checks after upgrading to Satellite 6.3
================================================================================
Check for paused tasks:                                               [OK]
--------------------------------------------------------------------------------
Check whether all services are running using hammer ping:             [FAIL]
SSL error: hostname "localhost" does not match the server certificate
--------------------------------------------------------------------------------


Expected results:
Upgrade continues because "hammer ping" worked fine.

Additional info:
Comment 2 Satellite Program 2018-04-12 22:06:07 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/22739 has been resolved.
Comment 3 Kavita 2018-08-02 14:39:45 UTC 
This change is already there in foreman_maintain-0.2.z
Comment 4 Jameer Pathan 2019-02-05 11:18:49 UTC 
verified

@satellite 6.5.0 snap 14
@rubygem-foreman_maintain-0.3.1-1.el7sat.noarch

steps:
1.- have ":host: 'https://localhost/'" in ~/.hammer/cli.modules.d/foreman.yml
  - run foreman-maintain health check --label hammer-ping
  - message in foreman-maintain.log saying "Matching hostname was not found in hammer configs. Using https://hostname.example.com/"
  - "foreman-maintain health check --label hammer-ping" run successfully.
2.- remove admin password from ~/.hammer/cli.modules.d/foreman.yml and /etc/foreman-maintain/foreman-maintain-hammer.yml
  - run foreman-maintain health check --label hammer-ping
  - message in foreman-maintain.log saying "Admin password was not found in hammer configs. Looking into installer answers"
  - "foreman-maintain health check --label hammer-ping" run successfully.
3.- have invalid Admin password in ~/.hammer/cli.modules.d/foreman.yml and /etc/foreman-maintain/foreman-maintain-hammer.yml
  - run foreman-maintain health check --label hammer-ping
  - message in foreman-maintain.log saying "Invalid admin password was found in hammer configs. Looking into installer answers"
  - "foreman-maintain health check --label hammer-ping" run successfully.
Comment 5 Bryan Kearney 2020-03-05 16:22:17 UTC 
The current version of foreman_maintain includes this fix.
Note You need to log in before you can comment on or make changes to this bug.