Description of problem:
Instead of symlink /usr/share/foreman-proxy/.ssh -> /var/lib/foreman-proxy/ssh there are two REX ssh keypairs in two distinct locations

Version-Release number of selected component (if applicable):
@satellite-6.4.0-10.beta.el7sat.noarch
foreman-installer-1.18.0-1.el7sat.noarch
rubygem-smart_proxy_remote_execution_ssh-0.2.0-3.el7sat.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. Install Satellite
2. Check whether ssh keypairs match (should match because of symlink)

# diff /var/lib/foreman-proxy/ssh/ /usr/share/foreman-proxy/.ssh
diff /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy
2,26c2,26
< MIIEpAIBAAKCAQEAw8mSOBiSS/qQkK6R0XJhNpvOiyZyUU8/NWfHB61J+qYzMX9p
...
---
> MIIEowIBAAKCAQEAsft972uC6bFzIl4hKlBoFaa7iIelEplmgLAhVlBbyk4vjlmX
...
diff /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy.pub /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub
1c1
< ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...
---
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...

Actual results:
no symlink, two distinct ssh keypairs in two distinct locations

Expected results:
symlink, only one ssh keypair symlinked to other location

The rpm rubygem-smart_proxy_remote_execution_ssh-0.2.0-3.el7sat.noarch contains /usr/share/foreman-proxy/.ssh as a symlink.
So the breakage has to be done by installer, and here we go:

----
[ INFO 2018-07-24T12:51:23 main] /Stage[main]/Foreman_proxy::Plugin::Remote_execution::Ssh/File[/usr/share/foreman-proxy/.ssh]: Starting to evaluate the resource
[DEBUG 2018-07-24T12:51:23 main] /Stage[main]/Foreman_proxy::Plugin::Remote_execution::Ssh/File[/usr/share/foreman-proxy/.ssh]: Removing existing link for replacement with directory
[ WARN 2018-07-24T12:51:23 main] /Stage[main]/Foreman_proxy::Plugin::Remote_execution::Ssh/File[/usr/share/foreman-proxy/.ssh]/ensure: ensure changed 'link' to 'directory'
[DEBUG 2018-07-24T12:51:23 main] /Stage[main]/Foreman_proxy::Plugin::Remote_execution::Ssh/File[/usr/share/foreman-proxy/.ssh]: The container Class[Foreman_proxy::Plugin::Remote_execution::Ssh] will propagate my refresh event
----

>>> Installer ensures back changed 'link' to 'directory', so removes symlink and generates new ssh keypair and you end up with two different keypairs

This should now be ready for testing in the linked MR.

The consequence is that after upgrade to 6.4, REX on all existing hosts stops working!!! Since the existing ssh keypair was moved out to /var/lib/foreman-proxy/ssh and instead of the symlink to it a new keypair is generated in /usr/share/foreman-proxy/.ssh

VERIFIED.

@satellite-6.4.0-10.beta.el7sat.noarch (Snap14)
tfm-rubygem-foreman_ansible-2.2.5-1.el7sat.noarch
tfm-rubygem-foreman_ansible_core-2.1.1-1.el7sat.noarch
rubygem-smart_proxy_ansible-2.0.2-3.el7sat.noarch
ansible-2.6.1-1.el7ae.noarch

by manual reproducer from comment #0:

2) Check whether keypairs match:

# diff /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy /usr/share/foreman-proxy/.ssh

# ll /usr/share/foreman-proxy/.ssh
lrwxrwxrwx. 1 root root 26 Jul 25 05:43 /usr/share/foreman-proxy/.ssh -> /var/lib/foreman-proxy/ssh

>>> ssh keypairs match since there is a symlinked directory

3) Check installer default for ssh identity dir:

# satellite-installer -h | grep identity-dir
--foreman-proxy-plugin-remote-execution-ssh-ssh-identity-dir Directory where SSH keys are stored (current: "/var/lib/foreman-proxy/ssh")

>>> ssh identity dir default is correctly migrated to the new default value

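The symlink and keypair check from the reproducer and verification steps above, as an added example that is not part of the original report or of Satellite's own tooling. The function names check_rex_keydir and demo_layout are hypothetical, and the key contents in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify the REX SSH identity layout described in this report.
# Only the .pub files are compared, so no private key material is read or printed.

# check_rex_keydir LEGACY_DIR IDENTITY_DIR [KEY_BASENAME]   (hypothetical helper)
#   0 = LEGACY_DIR is a symlink resolving to IDENTITY_DIR (expected state)
#   1 = LEGACY_DIR is a separate directory holding a different keypair
#   2 = anything else (missing key, symlink elsewhere, duplicate copy)
check_rex_keydir() {
    legacy=$1; identity=$2; key=${3:-id_rsa_foreman_proxy}
    if [ ! -f "$identity/$key.pub" ]; then
        echo "UNKNOWN: no $key.pub in $identity"; return 2
    fi
    if [ -L "$legacy" ]; then
        if [ "$(readlink -f "$legacy")" = "$(readlink -f "$identity")" ]; then
            echo "OK: $legacy -> $identity"; return 0
        fi
        echo "UNKNOWN: $legacy links to $(readlink -f "$legacy")"; return 2
    fi
    if [ -f "$legacy/$key.pub" ] && ! cmp -s "$legacy/$key.pub" "$identity/$key.pub"; then
        echo "DIVERGED: $legacy and $identity hold different public keys"; return 1
    fi
    echo "UNKNOWN: $legacy is not a symlink to $identity"; return 2
}

# Build a constructed layout in a temp dir and check both states:
# a symlinked legacy dir (expected) and a real dir with its own key (the bug).
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/identity" "$root/legacy_dir"
    echo "ssh-rsa CONSTRUCTED-KEY-A" > "$root/identity/id_rsa_foreman_proxy.pub"
    echo "ssh-rsa CONSTRUCTED-KEY-B" > "$root/legacy_dir/id_rsa_foreman_proxy.pub"
    ln -s "$root/identity" "$root/legacy_link"
    good=0; check_rex_keydir "$root/legacy_link" "$root/identity" || good=$?
    bad=0;  check_rex_keydir "$root/legacy_dir"  "$root/identity" || bad=$?
    rm -rf "$root"
    echo "$good $bad"
}

# On a Satellite host the call would be:
#   check_rex_keydir /usr/share/foreman-proxy/.ssh /var/lib/foreman-proxy/ssh
demo_layout
```
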
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927