Bug 1734473 - Satellite-installer fails with /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]/ensure: change from 'absent' to 'present' failed: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-
Status: NEW
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.5.0
Hardware: Unspecified
OS: Linux
Assignee: satellite6-bugs
QA Contact: Devendra Singh
Reported: 2019-07-30 16:01 UTC by Rafael Cavalcanti
Modified: 2019-11-19 14:04 UTC (History)

Attachments
Satellite Openscap Policies page error (52.42 KB, image/png)
2019-07-30 16:01 UTC, Rafael Cavalcanti

Description Rafael Cavalcanti 2019-07-30 16:01:31 UTC
Created attachment 1594687
Satellite Openscap Policies page error

Description of problem:

Satellite-installer fails with the following error:

[ERROR 2019-07-30T10:15:21 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]/ensure: change from 'absent' to 'present' failed: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-30T10:15:21 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Failed to call refresh: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-30T10:15:21 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors

Version-Release number of selected component (if applicable):
6.5

How reproducible:

Steps to Reproduce:
1. In the '/etc/pam.d/su' file, comment out the line:
   auth           sufficient      pam_rootok.so
It should look like this:
   #auth           sufficient      pam_rootok.so

2. Install satellite package
   #yum install satellite -y


3. Run satellite-installer --scenario satellite --foreman-initial-organization "ACME" --foreman-initial-location "RECIFE" --foreman-admin-username admin --foreman-admin-password redhat --verbose
   satellite-installer will fail with the following error:
======================================================
[ERROR 2019-07-29T15:19:18 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]/ensure: change from 'absent' to 'present' failed: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-29T15:19:19 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Failed to call refresh: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
[ERROR 2019-07-29T15:19:19 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sat65.example.lab]: Proxy sat65.example.lab has failed to load one or more features (Openscap), check /var/log/foreman-proxy/proxy.log for configuration errors
======================================================

Actual results:
Installation process (yum install satellite -y) finishes successfully
satellite-installer finishes with the error reported in step 3
https://sat65.example.lab/compliance/policies page shows (see attachment openscap-web-error.png):
======================================================
Oops, we're sorry but something went wrong PG::UndefinedTable: ERROR: relation "foreman_openscap_policies" does not exist LINE 8: WHERE a.attrelid = '"foreman_openscap_policie... ^ : SELECT a.attname, format_type(a.atttypid, a.atttypmod), pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod, c.collname, col_description(a.attrelid, a.attnum) AS comment FROM pg_attribute a LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum LEFT JOIN pg_type t ON a.atttypid = t.oid LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation WHERE a.attrelid = '"foreman_openscap_policies"'::regclass AND a.attnum > 0 AND NOT a.attisdropped ORDER BY a.attnum 
=====================================================

Expected results:
satellite-installer fails with some message like: "User root can not become foreman user" or something more meaningful.
Perhaps we could implement some sort of test to verify if root can become foreman without asking for password and, if it fails, it would throw some message during the installer other than one related to the Openscap plugin.
 
Additional info:
In /var/log/messages we will see the root user trying to become the foreman user, with a failure message
======================================================
Jul 29 16:58:33 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:36 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:39 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:42 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:45 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:48 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:51 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:55 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:58:58 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:01 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:04 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:08 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:10 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:13 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:16 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:19 sat65 su: FAILED SU (to foreman) root on none
Jul 29 16:59:23 sat65 su: FAILED SU (to foreman) root on none
=======================================================
In /var/log/secure
=======================================================
jul 29 17:07:11 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:11 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 17:07:14 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:14 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 17:07:18 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 17:07:18 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
Jul 29 23:00:01 sat65 su: pam_unix(su:auth): auth could not identify password for [foreman]
Jul 29 23:00:01 sat65 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "foreman"
=======================================================


Here is the fix:
1. In the '/etc/pam.d/su' file, uncomment the line:
#auth           sufficient      pam_rootok.so
it should look like this:
auth           sufficient      pam_rootok.so

2. Remove the Satellite packages by running:
# katello-remove

3. Install the satellite package
# yum install satellite -y

3. In /var/log/messages we will see the root user trying to become the foreman user, and this time it will work
=====================================================
Jul 30 11:18:30 sat65 su: (to foreman) root on none
Jul 30 11:18:33 sat65 su: (to foreman) root on none
Jul 30 11:18:37 sat65 su: (to foreman) root on none
Jul 30 11:18:41 sat65 su: (to foreman) root on none
Jul 30 11:18:45 sat65 su: (to foreman) root on none
Jul 30 11:18:49 sat65 su: (to foreman) root on none
Jul 30 11:18:53 sat65 su: (to foreman) root on none
Jul 30 11:18:57 sat65 su: (to foreman) root on none
Jul 30 11:19:01 sat65 su: (to foreman) root on none
Jul 30 11:19:06 sat65 su: (to foreman) root on none
Jul 30 11:19:10 sat65 su: (to foreman) root on none
Jul 30 11:19:13 sat65 su: (to foreman) root on none
Jul 30 11:19:17 sat65 su: (to foreman) root on none
Jul 30 11:19:22 sat65 su: (to foreman) root on none
Jul 30 11:19:26 sat65 su: (to foreman) root on none
=====================================================
4. In /var/log/secure
=====================================================
Jul 30 11:29:30 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:29:46 sat65 su: pam_unix(su:session): session closed for user foreman
Jul 30 11:29:46 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:30:12 sat65 su: pam_unix(su:session): session closed for user foreman
Jul 30 11:30:12 sat65 su: pam_unix(su:session): session opened for user foreman by (uid=0)
Jul 30 11:32:20 sat65 su: pam_unix(su:session): session closed for user foreman
=====================================================

5. Run the satellite installer:
# satellite-installer --scenario satellite --foreman-initial-organization "ACME" --foreman-initial-location "RECIFE" --foreman-admin-username admin --foreman-admin-password redhat --verbose
This time it will finish successfully
=====================================================
 Success!
  * Satellite is running at https://sat65.example.lab
      Initial credentials are admin / redhat

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.4 Capsule to 6.5:
      Please see official documentation for steps and parameters to use when upgrading a 6.4 Capsule to 6.5.

  The full log is at /var/log/foreman-installer/satellite.log
=====================================================

6. The Satellite Openscap policy page will work as expected.
https://sat65.example.lab/compliance/policies

Comment 4 Rafael Cavalcanti 2019-07-30 17:37:35 UTC
What would be the impact if we comment out that option after running the satellite-installer?

Thank you,

Rafael

Comment 5 Mike McCune 2019-08-12 20:53:45 UTC
The "auth sufficient  pam_rootok.so" configuration is required for the initial installation as well as critical parts of the on-going operation of Satellite 6.

There is no supportable method for disabling pam_rootok as it is used for:

 * The installation routine
 * Backup utilities
 * All the ongoing operational periodic jobs required to keep Satellite functioning via cron and foreman-rake
 * Upgrades

This would make Satellite unable to install, upgrade and operate.

If this is a critical configuration in this environment, this BZ should be reworked into an RFE to support disabling pam_rootok but there is no current workaround we are aware of that would allow this to be disabled.
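
The check the reporter asks for under "Expected results", and the prerequisite stated in comment 5, can be verified before running the installer. The script below is an added example, not part of the bug report or of satellite-installer; the function names and the sample PAM files are constructed for illustration, and the log lines are copied from the report.

```shell
#!/bin/sh
# Added example: preflight check for the PAM prerequisite discussed in this bug.
# Function names and sample files are constructed, not part of satellite-installer.

# Succeeds if PAM file $1 has an active "auth sufficient pam_rootok.so" line.
pam_rootok_active() {
    awk '
        /^[[:space:]]*#/ { next }    # commented-out lines do not count
        ($1 == "auth" || $1 == "-auth") && $2 == "sufficient" &&
            $3 ~ /(^|\/)pam_rootok\.so$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints how many "FAILED SU (to USER) root" entries syslog file $2 holds for user $1.
failed_su_count() {
    grep -cF "su: FAILED SU (to $1) root " "$2" || true
}

# Reports a message that names the real cause instead of a later Openscap error.
preflight() {
    if pam_rootok_active "$1"; then
        echo "OK: pam_rootok.so is active in $1"
    else
        echo "FAIL: root cannot become user '$2': no active pam_rootok.so in $1" >&2
        return 1
    fi
}

# Constructed sample inputs: a broken and a fixed /etc/pam.d/su, plus log lines.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#%PAM-1.0' \
    '#auth           sufficient      pam_rootok.so' \
    'auth            substack        system-auth' > "$demo_dir/su.broken"
printf '%s\n' '#%PAM-1.0' \
    'auth           sufficient      pam_rootok.so' \
    'auth            substack        system-auth' > "$demo_dir/su.fixed"
printf '%s\n' \
    'Jul 29 16:58:33 sat65 su: FAILED SU (to foreman) root on none' \
    'Jul 29 16:58:36 sat65 su: FAILED SU (to foreman) root on none' \
    'Jul 30 11:18:30 sat65 su: (to foreman) root on none' > "$demo_dir/messages"

preflight "$demo_dir/su.broken" foreman || true
preflight "$demo_dir/su.fixed" foreman
echo "failed su attempts to foreman: $(failed_su_count foreman "$demo_dir/messages")"
```

On a real host the same functions would be pointed at /etc/pam.d/su and /var/log/messages.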

