Created attachment 1594687
Satellite Openscap Policies page error

Description of problem:
Satellite-installer fails with the following error:

[ERROR 2019-07-30T10:15:21 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]/ensure: change from 'absent' to 'present' failed: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-30T10:15:21 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Failed to call refresh: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-30T10:15:21 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors

Version-Release number of selected component (if applicable):
6.5

How reproducible:

Steps to Reproduce:
1. In the '/etc/pam.d/su' file, comment the line:
auth sufficient pam_rootok.so
It should look like this:
#auth sufficient pam_rootok.so

2. Install satellite package
# yum install satellite -y

3. Run
satellite-installer --scenario satellite --foreman-initial-organization "ACME" --foreman-initial-location "RECIFE" --foreman-admin-username admin --foreman-admin-password redhat --verbose

satellite-installer will fail with the following error:
======================================================
[ERROR 2019-07-29T15:19:18 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]/ensure: change from 'absent' to 'present' failed: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-29T15:19:19 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Failed to call refresh: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-29T15:19:19 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
======================================================

Actual results:
Installation process (yum install satellite -y) finishes successfully
satellite-installer finishes with the error reported on step 3
https://sat65.example.lab/compliance/policies page shows (see attachment openscap-web-error.png):
======================================================
Oops, we're sorry but something went wrong

PG::UndefinedTable: ERROR: relation "foreman_openscap_policies" does not exist
LINE 8: WHERE a.attrelid = '"foreman_openscap_policie...
                           ^
: SELECT a.attname, format_type(a.atttypid, a.atttypmod), pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod, c.collname, col_description(a.attrelid, a.attnum) AS comment FROM pg_attribute a LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum LEFT JOIN pg_type t ON a.atttypid = t.oid LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation WHERE a.attrelid = '"foreman_openscap_policies"'::regclass AND a.attnum > 0 AND NOT a.attisdropped ORDER BY a.attnum
======================================================

Expected results:
satellite-installer fails with some message like: "User root can not become foreman user" or something more meaningful.
Perhaps, we could implement some sort of test to verify if root can become foreman without asking for password and if it fails, it would throw some message during the installer other than one related to Openscap plugin.

Additional info:
In /var/log/messages we will see the root user trying to become foreman user with a failure message
======================================================
Jul 29 16:58:33 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:36 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:39 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:42 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:45 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:48 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:51 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:55 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:58 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:01 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:04 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:08 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:10 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:13 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:16 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:19 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:23 sat65 su: FAILED SU (to foreman) root on none
======================================================

In /var/log/secure
======================================================
jul 29 17:07:11 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:11 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 17:07:14 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:14 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 17:07:18 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:18 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 23:00:01 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 23:00:01 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
======================================================

Here is the fix:

1. In the '/etc/pam.d/su' file, uncomment the line:
#auth sufficient pam_rootok.so
It should look like this:
auth sufficient pam_rootok.so

2. Remove the Satellite packages by running:
# katello-remove

3. Install the satellite package
# yum install satellite -y

3. In /var/log/messages we will see the root user trying to become foreman user and this time it will work
======================================================
Jul 30 11:18:30 sat65 su: (to foreman) root on none
Jul 30 11:18:33 sat65 su: (to foreman) root on none
Jul 30 11:18:37 sat65 su: (to foreman) root on none
Jul 30 11:18:41 sat65 su: (to foreman) root on none
Jul 30 11:18:45 sat65 su: (to foreman) root on none
Jul 30 11:18:49 sat65 su: (to foreman) root on none
Jul 30 11:18:53 sat65 su: (to foreman) root on none
Jul 30 11:18:57 sat65 su: (to foreman) root on none
Jul 30 11:19:01 sat65 su: (to foreman) root on none
Jul 30 11:19:06 sat65 su: (to foreman) root on none
Jul 30 11:19:10 sat65 su: (to foreman) root on none
Jul 30 11:19:13 sat65 su: (to foreman) root on none
Jul 30 11:19:17 sat65 su: (to foreman) root on none
Jul 30 11:19:22 sat65 su: (to foreman) root on none
Jul 30 11:19:26 sat65 su: (to foreman) root on none
======================================================

4. In /var/log/secure
======================================================
Jul 30 11:29:30 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:29:46 sat65 su: pam_unix(su:session): session closed for user foreman
Jul 30 11:29:46 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:30:12 sat65 su: pam_unix(su:session): session closed for user foreman
Jul 30 11:30:12 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:32:20 sat65 su: pam_unix(su:session): session closed for user foreman
======================================================

5. Run the satellite installer:
# satellite-installer --scenario satellite --foreman-initial-organization "ACME" --foreman-initial-location "RECIFE" --foreman-admin-username admin --foreman-admin-password redhat --verbose

This time it will finish successfully
======================================================
Success!
  * Satellite is running at https://sat65.example.lab
      Initial credentials are admin / redhat
  * To install an additional Capsule on separate machine continue by running:
      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"
  * To upgrade an existing 6.4 Capsule to 6.5:
      Please see official documentation for steps and parameters to use when upgrading a 6.4 Capsule to 6.5.
  The full log is at /var/log/foreman-installer/satellite.log
======================================================

6. The Satellite Openscap policy page will work as expected.
https://sat65.example.lab/compliance/policies
What would be the impact if we comment that option after running the satellite-installer? Thank you, Rafael
The "auth sufficient pam_rootok.so" configuration is required for the initial installation as well as critical parts of the on-going operation of Satellite 6. There is no supportable method for disabling pam_rootok as it is used for:

* The installation routine
* Backup utilities
* All the ongoing operational periodic jobs required to keep Satellite functioning via cron and foreman-rake
* Upgrades

This would make Satellite be unable to install, upgrade and operate. If this is a critical configuration in this environment, this BZ should be reworked into an RFE to support disabling pam_rootok but there is no current workaround we are aware of that would allow this to be disabled.
If this is still a persistent issue please reopen, but for now we are going to close this.
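
The report asks for a test that tells the administrator root cannot become foreman, and the reply confirms that "auth sufficient pam_rootok.so" is a hard requirement. The script below is an added example, not part of the bug report or of the Satellite installer: it checks a PAM file for an active pam_rootok rule and counts the "FAILED SU" symptom in a log. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the PAM prerequisite identified in this
# report, plus a scan for its log symptom. Function names are hypothetical.

# pam_rootok_active FILE: succeed only if FILE contains an uncommented
# "auth sufficient pam_rootok.so" rule.
pam_rootok_active() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        { type = $1; sub(/^-/, "", type) }         # PAM allows a leading "-" on the type
        type == "auth" && $2 == "sufficient" && $3 ~ /(^|\/)pam_rootok\.so$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# count_failed_su LOGFILE USER: print how many times root failed to su to USER.
count_failed_su() {
    awk -v needle="su: FAILED SU (to $2) root on " \
        'index($0, needle) { n++ } END { print n + 0 }' "$1"
}

# preflight FILE: one-line verdict an installer could print before it starts.
preflight() {
    if pam_rootok_active "$1"; then
        echo "OK: pam_rootok is active in $1"
    else
        echo "ERROR: $1 has no active 'auth sufficient pam_rootok.so' rule;" \
             "root cannot become the foreman user without a password"
        return 1
    fi
}

# Constructed sample inputs (not copied from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' '#auth sufficient pam_rootok.so' \
    'auth substack system-auth' > "$demo_dir/su.broken"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth substack system-auth' > "$demo_dir/su.fixed"
printf '%s\n' 'Jul 29 16:58:33 sat65 su: FAILED SU (to foreman) root on none' \
    'Jul 29 16:58:36 sat65 su: FAILED SU (to foreman) root on none' \
    'Jul 30 11:18:30 sat65 su: (to foreman) root on none' > "$demo_dir/messages"

preflight "$demo_dir/su.broken" || true
preflight "$demo_dir/su.fixed"
echo "failed su attempts to foreman: $(count_failed_su "$demo_dir/messages" foreman)"
```

On a real host the same functions would be pointed at /etc/pam.d/su and /var/log/messages; the check only covers rules written directly in that file, not ones pulled in through include or substack.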