Description of problem:
Assume a use case where a multi-homed Satellite or Capsule needs to be accessed from clients via _different_ alternative hostnames, like caps-altname1 and caps-altname2, and neither is the primary FQDN of the Capsule.
Then there is no way to permanently configure lazy sync.
(I expect the "multi-home clients" use case is just one of few similar ones here, like HA capsules + multihomed Caps is another use case)
The cause is that httpd responds with a redirect URL (to contact squid) with the hostname specified in /etc/pulp/server.conf, [lazy] section, redirect_host property. This property is basically required to have multiple values, or from the code, it must be empty (such that the hostname from the request is used directly).
BUT redirect_host has hardcoded default value:
So the workaround is to overwrite it to empty value in /etc/pulp/server.conf :
BUT that will be overwritten by satellite-installer. Making the change permanent via
in /etc/foreman-installer/custom-hiera.yaml is _not_ a solution, since it purges away the "redirect_host: " line completely, hence pulp falls back to the default primary hostname again.
So I don't see a way to make the config change permanent - either:
- pulp default value for redirect_host must be empty
- or lazy_redirect_host with empty value in custom hiera must set empty redirect_host in /etc/pulp/server.conf
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Try to configure the Capsule to be accessed from 2 clients, each accessing the Capsule via a different alternate hostname.
2. run satellite-installer (to verify the config is persistent)
3. Try to fetch a package from lazy sync repo
3. fails for either or both clients
3. works for both clients concurrently
kudos to egolotov and ewoud for some background info here
ewoud++ for the solution:
pulp::lazy_redirect_host: ' '
in /etc/foreman-installer/custom-hiera.yaml is the trick to have in /etc/pulp/server.conf :
that sets the required setting.
(In reply to Pavel Moravec from comment #1)
> ewoud++ for the solution:
> pulp::lazy_redirect_host: ' '
> in /etc/foreman-installer/custom-hiera.yaml is the trick to have in
> /etc/pulp/server.conf :
> redirect_host: <empty-spaces-here>
> that sets the required setting.
So it is just a configuration issue and not a bug. Described in KCS 3655581.
Upstream bug assigned to email@example.com
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25266 has been resolved.
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Failed QA in Satellite 6.5.0 Snap 11
Modified the config, performed an upgrade, then checked the config again. The value was stripped.
-bash-4.2# grep redirect_host /etc/pulp/server.conf
-bash-4.2# satellite-installer --upgrade
Resetting puppet server version param...
Upgrading, to monitor the progress on all related services, please do:
foreman-tail | tee upgrade-$(date +%Y-%m-%d-%H%M).log
Upgrade Step: stop_services...
Redirecting to 'foreman-maintain service'
Running Stop Services
Upgrade Step 7/7: katello:upgrades:3.11:update_puppet_repos. foreman-rake upgrade:run finished successfully!
-bash-4.2# grep redirect_host /etc/pulp/server.conf
Requesting needsinfo from upstream developer firstname.lastname@example.org, email@example.com, firstname.lastname@example.org because the 'FailedQA' flag is set.
I think this is a problem in the installer. Setting NEEDINFO to email@example.com.
I think the initial BZ description led you to a wrong verification path ;)
In Pulp < 2.18, we had to explicitly set "redirect_host" to an empty string to make it redirect using the HTTP Host header value (instead of the value of "redirect_host").
With Pulp 2.18, the redirect_host setting behaves "correctly" and does not need to be set to an empty string to trigger the desired behavior.
See Pulp changes
After these were in, we updated the installer in https://projects.theforeman.org/issues/25266.
So the correct verification steps would be:
1/ set up an on_demand repo
2/ try to access a (not yet downloaded) file in that repo with a hostname that points at the satellite, but is not the satellite's FQDN (using /etc/hosts or something; using HTTP instead of HTTPS would make things easier, as you don't have to care for proper certs in that case)
3/ see pulp redirect to the streamer at http://the-name-you-used.example.com/pulp/streamer/… and not http://satellite.example.com/pulp/streamer/…
Created attachment 1536645 [details]
script to create a test repository for this BZ
Created attachment 1536646 [details]
test output from Satellite 6.3 (so before this fix)
Created attachment 1536647 [details]
test output from Satellite 6.5 (with this fix)
To test this, you need a recent Katello and Pulp, e.g. as in the Satellite 6.5 snaps we ship.
This BZ has a script attached, that will create and sync a test-repository with on_demand policy:
# bash create-test-repo.sh
New packages: 32 (76.7 KB).
After the repository is synced, you can try to access its content using curl:
curl -I -X GET --location http://<SOME_NAME>/pulp/repos/Test_Organization/Library/custom/Test_Product/Zoo/Packages/b/bear-4.1-1.noarch.rpm
(We only want to see headers, so -I -X GET. We need curl to follow redirects, so --location.)
An example output for Satellite 6.3 (broken) and Satellite 6.5 (working) is attached.
On Satellite 6.5 you can substitute anything for <SOME_NAME> that will reach your apache. I've used localhost and $HOSTNAME. In both cases you see a "Location: http://<SOME_NAME>:80/streamer/…" header, followed by a successful RPM download.
On Satellite 6.3 (and 6.4, but I don't have one handy), you'd see that the Location header *always* includes the $HOSTNAME of the machine, not what you've supplied in the original request.
Note: if you want to test this with protected (Red Hat) repositories via HTTPS, you'll have to tell curl to use the entitlement certificates of your machine in the request, as otherwise Pulp will not allow you to access the repositories.
Note2: Pulp will move the streamed RPMs to their proper location at some point, so you might not see the redirect again if you retry the same RPM at a later point. Just pick another one in that case (a listing can be found at https://jlsherrill.fedorapeople.org/fake-repos/needed-errata/)
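The header check described in the comment above, as an added example that is not part of the original bug report or its attachments: it reads the output of the curl command and reports whether every Location header points back at the hostname used in the request. The sample headers, host names and streamer path are constructed placeholders, and the function names are hypothetical.

```python
"""Check that a lazy-sync redirect targets the hostname the client requested."""
import sys
from urllib.parse import urlsplit


def location_hosts(header_dump):
    """Hostnames of all Location headers in `curl -I --location` output."""
    hosts = []
    for line in header_dump.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            # urlsplit().hostname drops the port and lowercases the name;
            # a relative Location yields None and counts as a mismatch.
            hosts.append(urlsplit(value.strip()).hostname)
    return hosts


def classify(requested_host, header_dump):
    """Return 'ok', 'mismatch' or 'no-redirect' for one curl header dump."""
    hosts = location_hosts(header_dump)
    if not hosts:
        # Already-streamed RPMs are served directly (see Note2): inconclusive.
        return "no-redirect"
    wanted = requested_host.lower()
    return "ok" if all(h == wanted for h in hosts) else "mismatch"


# Constructed sample headers, not captured from a real Satellite.
FIXED = """HTTP/1.1 302 Found
Server: Apache
Location: http://caps-altname1.example.com:80/streamer/placeholder.rpm

HTTP/1.1 200 OK
Content-Type: application/x-rpm
"""
# Pre-fix behaviour: the redirect names the machine's own FQDN instead.
BROKEN = FIXED.replace("caps-altname1.example.com", "satellite.example.com")
NO_REDIRECT = "HTTP/1.1 200 OK\nContent-Type: application/x-rpm\n"

if __name__ == "__main__":
    # Usage: curl -sI -X GET --location http://NAME/pulp/repos/... \
    #            | python3 check_redirect.py NAME
    result = classify(sys.argv[1], sys.stdin.read())
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

A "no-redirect" result means the RPM was served without going through the streamer, so the test should be repeated with a package that has not been downloaded yet.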
Verified in Satellite 6.5.0 Snap 15
Followed the verification steps outlined in #17 and #22
First, setup the fake redirect host (note that you only want to have the domain name
-bash-4.2# grep "my.sat.host" /etc/pulp/server.conf
Second, I added an entry to my client's hosts file for the fake domain, linking back to my satellite's IP
After that, I downloaded a package.
[root@testhost2 ~]# curl -I -X GET --location http://<my actual satellite>/pulp/repos/Default_Organization/Library/custom/custom/fake/Packages/a/Antelope-10.6.9-1.elfake.noarch.rpm
HTTP/1.1 302 Found
Date: Wed, 20 Feb 2019 15:34:13 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Content-Type: text/html; charset=utf-8
HTTP/1.1 200 OK
Date: Wed, 20 Feb 2019 15:34:14 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Last-Modified: Sat, 08 Sep 2012 20:54:47 GMT
Expires: Wed, 20 Feb 2019 16:04:14 GMT
Cache-Control: public, s-maxage=86400, max-age=86400
X-Cache: MISS from <my actual satellite>
X-Cache-Lookup: MISS from <my actual satellite>:3128
Via: 1.1 <my actual satellite> (squid/3.5.20)
Via: 1.1 <my actual satellite>
The redirect completed successfully
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.