Description of problem: We need CLI proxy install. Because we should not be dependent on proxy.
OK, changes are in svn. Test plan to install proxy using CLI proxy installer:
    subscribe to rhn-tools channels
    install proxy-installer package
    run configure-proxy.sh
fails-qa proxy-installer failed to install on Rhel5 satellite (rlx-0-14)
    Error: Missing Dependency: rhns-proxy-management >= 5.2.0 is needed by package proxy-installer
proxy-installer package is missing from rhel4 satellite 5.2 channels in webqa.
dependency fixed (rev. 176535). Built package proxy-installer-5.2.0-13. proxy installer was not pushed to AS4 rhn-tools during push qa, should be done during next qa push.
mass move to ON_QA
fails-qa Needs a better test plan as well.
    [root@fjs-0-20 ~]# /usr/sbin/configure-proxy.sh
    Proxy version to activate [5.2]: 5.2
    RHN Parent [rlx-0-14.rhndev.redhat.com]: rlx-0-14.rhndev.redhat.com
    Traceback email []: pthomas
    Use SSL [0]:
    CA Chain [noReboot;sslCACert;useNoSSLForPackages;noSSLServerURL;serverURL;disallowConfChanges;]:
    HTTP Proxy []:
    Regardless of whether you enabled SSL for the connection to the RHN Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this RHN Proxy
    securely. Refer to the RHN Proxy Installation Guide for more information.
    Organization: Red Hat
    Organization Unit [fjs-0-20.rhndev.redhat.com]: RHEN
    Common Name:
    City: Raleigh
    State: NC
    Country code: US
    Email [pthomas]: pthomas
    Unable to load module rhn_proxy_activate
    No module named proxy.tools.rhn_proxy_activate
    /usr/sbin/configure-proxy.sh: line 83: _PASSWORD: command not found
    Proxy activation failed! Configuration interrupted.
Committed revision 177157.
Build failed. Committed revision 177166. Committed revision 177170. Built rhns-proxy-5.2.0-15 and proxy-installer-5.2.0-15.el5.
fails_qa
    [root@dell-pe2850-01 ~]# rpm -qa proxy-installer
    proxy-installer-5.2.0-15.el4
    [root@dell-pe2850-01 ~]# /usr/sbin/configure-proxy.sh
    Proxy version to activate [5.2]:
    RHN Parent [fjs-0-13.rhndev.redhat.com]:
    Traceback email []: pthomas
    Use SSL [1]: 1
    CA Chain [/usr/share/rhn/RHNS-CA-CERT]:
    HTTP Proxy []:
    Regardless of whether you enabled SSL for the connection to the RHN Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this RHN Proxy
    securely. Refer to the RHN Proxy Installation Guide for more information.
    Organization: Red hat
    Organization Unit [dell-pe2850-01.rhts.bos.redhat.com]: RHEN
    Common Name:
    City: Raleigh
    State: NC
    Country code: US
    Email [pthomas]:
    ERROR: unhandled exception occurred:
    Traceback (most recent call last):
      File "/usr/bin/rhn-proxy-activate", line 41, in ?
        sys.exit(mod.main() or 0)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 551, in main
        chmod_chown_systemid()
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 97, in chmod_chown_systemid
        apacheGID = pwd.getpwnam('apache')[3]
    KeyError: 'getpwnam(): name not found: apache'
    Proxy activation failed! Configuration interrupted.
Nice catch Preethi, package httpd needs to be installed (apache user has to exist) before configure-proxy.sh is run. I added Requires to spec. Committed revision 177305. Additional common name should be set to some value adding defaults: Committed revision 177307. Package proxy-installer-5.2.0-17 built and tagged.
Jan pushed packages to rhn-tools. Moving to ON_QA.
[root@rlx-0-14 ~]# /usr/sbin/configure-proxy.sh
    Proxy version to activate [5.2]:
    RHN Parent [fjs-0-13.rhndev.redhat.com]:
    Traceback email []: pthomas
    Use SSL [1]: 1
    CA Chain [/usr/share/rhn/RHNS-CA-CERT]:
    HTTP Proxy []:
    Regardless of whether you enabled SSL for the connection to the RHN Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this RHN Proxy
    securely. Refer to the RHN Proxy Installation Guide for more information.
    Organization: Red Hat
    Organization Unit [rlx-0-14.rhndev.redhat.com]: RHEN
    Common Name [rlx-0-14.rhndev.redhat.com]:
    City: Raleigh
    State: NC
    Country code: US
    Email [pthomas]:
    ERROR: failed SSL connection - bad or expired cert?
    Proxy activation failed! Configuration interrupted.
Miroslav, I am not sure if this is something to do with the values I entered. But if it is, please put in a detailed test plan. Thanks, Preethi
This problem happens when you have in /etc/sysconfig/rhn/up2date:
    serverURL=http://your.satellite/XMLRPC
and
    sslCACert=/usr/share/rhn/RHNS-CA-CERT
I.e. you registered as http to your parent, and you did not configure sslCACert properly (because most operations work without it). You have to properly set up sslCACert in the configuration file, or do not accept the default value in the installer and enter the path to the downloaded parent sat public key (which resides in http://your.satellite/pub/RHN-ORG-TRUSTED-SSL-CERT ). I do not think this specific case needs a mention in release notes or in some doc, because if properly configured, this case will not happen.
verified
this appears to fail in stage..
    [root@fjs-0-18 rhn]# rpm -qa | grep proxy
    rhns-proxy-docs-5.1.1-3.rhel4
    rhns-proxy-redirect-5.1.1-3.rhel4
    proxy-installer-5.2.0-18.el4
    [root@fjs-0-18 rhn]#

    [root@fjs-0-18 ~]# configure-proxy.sh
    Proxy version to activate [5.2]:
    RHN Parent [rlx-2-18.rhndev.redhat.com]:
    Traceback email []: whayutin
    Use SSL [1]:
    CA Chain [/root/RHN-ORG-TRUSTED-SSL-CERT;]:
    HTTP Proxy []:
    Regardless of whether you enabled SSL for the connection to the RHN Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this RHN Proxy
    securely. Refer to the RHN Proxy Installation Guide for more information.
    Organization: Red Hat
    Organization Unit [fjs-0-18.rhndev.redhat.com]: RHEN
    Common Name [fjs-0-18.rhndev.redhat.com]: Red Hat Test
    City: Raleigh
    State: NC
    Country code: US
    Email [whayutin]:

    ERROR: unhandled exception occurred:
    Traceback (most recent call last):
      File "/usr/bin/rhn-proxy-activate", line 41, in ?
        sys.exit(mod.main() or 0)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 525, in main
        apiVersion = getAPIVersion(options)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 295, in getAPIVersion
        s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 96, in getServer
        s.add_trusted_cert(options.ca_cert)
      File "/usr/lib/python2.3/site-packages/rhn/rpclib.py", line 466, in add_trusted_cert
        self._transport.add_trusted_cert(certfile)
      File "/usr/lib/python2.3/site-packages/rhn/transports.py", line 258, in add_trusted_cert
        raise ValueError, "Certificate file %s is not accessible" % certfile
    ValueError: Certificate file /root/RHN-ORG-TRUSTED-SSL-CERT; is not accessible
    Proxy activation failed! Configuration interrupted.

    [root@fjs-0-18 ~]# ls /root/RHN-ORG-TRUSTED-SSL-CERT

    [root@fjs-0-18 ~]# history |grep wget
       43  wget http://rlx-2-18.rhndev.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
       48  history |grep wget
    [root@fjs-0-18 ~]# ls /root/
    anaconda-ks.cfg  install.log.syslog  RHN-ORG-TRUSTED-SSL-CERT
    install.log      ks-post.log
    [root@fjs-0-18 ~]# cat /etc/sysconfig/rhn/up2date | grep RHN-ORG
    sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT;
    [root@fjs-0-18 ~]#

    [root@fjs-0-18 rhn]# configure-proxy.sh
    Proxy version to activate [5.2]:
    RHN Parent [rlx-2-18.rhndev.redhat.com]:
    Traceback email []: whayutin
    Use SSL [1]:
    CA Chain [/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT;]:
    HTTP Proxy []:
    Regardless of whether you enabled SSL for the connection to the RHN Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this RHN Proxy
    securely. Refer to the RHN Proxy Installation Guide for more information.
    Organization: Red Hat
    Organization Unit [fjs-0-18.rhndev.redhat.com]: RHEN
    Common Name [fjs-0-18.rhndev.redhat.com]: Red Hat Test
    City: Raleigh
    State: NC
    Country code: US
    Email [whayutin]:

    ERROR: unhandled exception occurred:
    Traceback (most recent call last):
      File "/usr/bin/rhn-proxy-activate", line 41, in ?
        sys.exit(mod.main() or 0)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 525, in main
        apiVersion = getAPIVersion(options)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 295, in getAPIVersion
        s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
      File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 96, in getServer
        s.add_trusted_cert(options.ca_cert)
      File "/usr/lib/python2.3/site-packages/rhn/rpclib.py", line 466, in add_trusted_cert
        self._transport.add_trusted_cert(certfile)
      File "/usr/lib/python2.3/site-packages/rhn/transports.py", line 258, in add_trusted_cert
        raise ValueError, "Certificate file %s is not accessible" % certfile
    ValueError: Certificate file /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT; is not accessible
    Proxy activation failed! Configuration interrupted.
Wes if you notice:
    cat /etc/sysconfig/rhn/up2date | grep RHN-ORG
    sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT;
notice the semicolon on the end of the line. I'm sure that if you remove the semicolon it will work :) Moving back to VERIFIED.
interesting.. but crappy for our customers. The semicolon was not added manually, it was added when registering the client with the following command.
    rhnreg_ks **** --sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT
The proxy does indeed work now w/o the semicolon. I will open a separate bug on the semicolon issue. Thanks for pointing that out Miroslav.
Created attachment 321215: debug info for rhel4 server. fjs-0-18 RHEL 4 proxy server
Created attachment 321216: RHEL 5 server. rhel 5 server w/ proxy 520 command line
Preethi validated the problem on her server as well in stage
Created attachment 321286: Traceback from satellite. The problem seems to be in satellite. This is the traceback when calling API proxy.deactivate proxy.activate
I even tried if it can be a problem with the new tomcat, but after downgrading the ISE still persists. Note to myself: smallest reproducer - call:
    /usr/bin/rhn-proxy-activate --server=rlx-2-18.rhndev.redhat.com --http-proxy= --http-proxy-username= --http-proxy-password= --ca-cert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --version=5.2 --non-interactive
[16:22] <msuchy> Caused by: org.hibernate.NonUniqueObjectException: a different object with the same identifier value was already associated with the session: [com.redhat.rhn.domain.server.Server#1000010668]
[16:22] <msuchy> ....
[16:23] <msuchy> at com.redhat.rhn.domain.channel.ChannelFamilyFactory.lookupByLabel(ChannelFamilyFactory.java:78)
[16:23] <msuchy> at com.redhat.rhn.manager.channel.ChannelManager.getProxyChannelByVersion(ChannelManager.java:507)
[16:23] <msuchy> at com.redhat.rhn.manager.system.SystemManager.activateProxy(SystemManager.java:1263)
[16:23] <msuchy> at com.redhat.rhn.frontend.xmlrpc.proxy.ProxyHandler.activateProxy(ProxyHandler.java:124)
[16:23] <msuchy> ... 41 more
[16:23] <msuchy> going to check if is possible that db have ChannelFamily duplicity
[16:24] <zeus> I doubt it's a db problem :)
[16:26] <msuchy> it is not. Just trying :)
[16:26] <zeus> usually that error means that an object in memory has an id of 1000010668
[16:26] <zeus> then we create/load another one of the same id but of a different type
[16:27] <zeus> this can happen with satellite and proxy activation
[16:27] <zeus> because when you come into activation with id 1000010668, when we load it from the database it is a Server object
[16:27] <zeus> the first time
[16:27] <zeus> after activation, we reload it
[16:27] <zeus> and it is now a ProxyServer object or a SatelliteServer object
[16:27] <zeus> both extend Server
[16:27] <zeus> but to Hibernate they are different objects with the same id
[16:28] <msuchy> aghhh :o
[16:28] <zeus> it's one of the pains with hibernate and our schema because we put proxy information into a separate table but that is core to what makes a server a Proxy
[16:29] <msuchy> strange thing is that it worked, and it stopped working on stage :(
[16:30] <zeus> interesting
[16:30] <msuchy> do you recall if something changed in java recently, what could have caused it?
[16:30] <zeus> nothing off the top of my head.
[16:30] <zeus> I'd have to look at the commit logs to see if something might have triggered this.
[16:30] <zeus> it is very odd that it occurs during the loading of a ChannelFamily object
[16:30] <zeus> because there's no server in that query
[16:41] <msuchy> one reloading of the server is on line com/redhat/rhn/manager/system/SystemManager.java +1262, but the TB is invoked by line below :(
[16:42] <zeus> yeah that's the odd part
[16:43] <zeus> I see we pass in the reloaded object to ChannelManager
[16:51] <zeus> I don't understand why the lookup would cause that error
[16:51] <zeus> if anything I would expect this to have caused it, more so than the lookupByLabel call
[16:51] <zeus> this = proxyChan.getParentChannel().equals(server.getBaseChannel()))
[16:52] <zeus> :
[16:53] <msuchy> where it is?
[16:53] <zeus> the traceback says it is happening when it calls ChannelFamilyFactory.java lookupByLabel
[16:54] <zeus> return (ChannelFamily) c.uniqueResult();
[16:55] <msuchy> yeah, that I see, but did not get the part: proxyChan.getParentChannel().equals(server.getBaseChannel()))
[16:56] <zeus> oh that part
[16:56] <zeus> I was saying that the above line would make much more sense to have caused the problem.
[16:56] <zeus> but it is NOT the cause
[16:58] * msuchy agree, I do not understand it :(
[16:59] <zeus> was there a hibernate change?
[16:59] <zeus> i.e. is hibernate pkg the same on both the busted installation and the working one?
[16:59] <zeus> especially if one was an upgrade
[16:59] <msuchy> we recently upgraded tomcat5
[17:00] <msuchy> but I tried to downgrade to old, but ISE was still there
[17:00] <zeus> yeah, that really should not affect this. This is hibernate not a tomcat issue.
[17:00] <msuchy> it is in different package?
[17:00] <zeus> hibernate? yes hibernate is in hibernate3 package
[17:01] <msuchy> checking with adelton
[17:03] <msuchy> no. it is unchanges is april
[17:03] <msuchy> unchanged
[17:03] <zeus> ok good
[17:03] <zeus> rules that out
[17:24] <zeus> I will investigate this hibernate error
Wes satellite was RHEL4, I just tried satellite on RHEL5 and there it happened too.
Because of the way we handle Server and ProxyServer objects during proxy activation. I think we can fix this by changing the flushmode to NEVER.
    // current code
    public static List lookupByLabelLike(String label, Org orgIn) {
        Session session = getSession();
        Criteria c = session.createCriteria(ChannelFamily.class);
        c.add(Restrictions.like("label", label + "%"));
        c.add(Restrictions.or(Restrictions.eq("org", orgIn),
                              Restrictions.isNull("org")));
        return c.list();
    }

    // proposed changes
    public static List lookupByLabelLike(String label, Org orgIn) {
        Session session = getSession();
        Criteria c = session.createCriteria(ChannelFamily.class);
        // change
        c.setFlushMode(FlushMode.NEVER);
        c.add(Restrictions.like("label", label + "%"));
        c.add(Restrictions.or(Restrictions.eq("org", orgIn),
                              Restrictions.isNull("org")));
        return c.list();
    }
We don't need to sync with the database during the querying of ChannelFamily object. We will flush when we finally store the ProxyServer at the end of the api call.
Possible fix committed to RELEASE-5.2 branch @ revision 178106.
Created attachment 321392: Traceback from satellite. I tried to apply this code to satellite (xen83.englab.brq) and I still got ISE. This time however with little bit different traceback.
Marking this Verified for a re-test against Stage. The test plan for validating this bug against stage and moving to release_pending is:
    1) Register a system to the RHN Hosted Stage environment.
    2) Add a Provisioning system entitlement to the system.
    3) Subscribe the system to the rhn-tools channel.
    4) Install the proxy-installer package.
    5) run configure-proxy.sh
This needs to be tested on both RHEL4 and RHEL5 and cover all architectures. That is, we don't need to test all seven combinations, just at least one of each architecture and at least one of each RHEL, so it should only be four tests. This functionality does not work against Satellite at this time. This bug will be cloned to 530 for the Satellite functionality.
The clone for 530 with Satellite support and Hosted support is bug 468874.
the cmd line proxy installer is actually working fine as long as your ssl cert is not in /root. when you install the proxy w/ the webui the ssl cert works fine w/ a ssl cert in /root. release pending this... and will open a bug for 530 to try and figure out a way to avoid customers from putting their ssl cert in a directory where apache does not have access.
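The two CA-certificate failures reported in this bug (the trailing ";" on sslCACert in /etc/sysconfig/rhn/up2date, and a certificate under /root that apache cannot reach) can be checked before configure-proxy.sh is run. The script below is an added example, not part of proxy-installer or of any comment in this bug; the function names are hypothetical, and using the "other" permission bits as a stand-in for apache's access is an assumption.

```shell
#!/bin/sh
# Added example (not part of proxy-installer). Pre-flight check for the CA
# certificate path that configure-proxy.sh offers as its "CA Chain" default.

# Print the sslCACert value from an up2date-style config file, with the
# trailing ";" list separator and surrounding whitespace removed.
ca_cert_from_config() {
    sed -n 's/^sslCACert[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 |
        sed 's/[[:space:];]*$//'
}

# Print the URL scheme (http or https) of serverURL from the same file.
server_scheme() {
    sed -n 's/^serverURL[[:space:]]*=[[:space:]]*\([a-z]*\):.*/\1/p' "$1" | tail -n 1
}

# Return 0 if "other" users can read file $1 and traverse each directory
# above it, up to but not including $2 (default /). Mode bits only: ACLs and
# SELinux are not considered, and apache is assumed (hypothetically) to be
# neither owner nor group of the path.
other_can_read() {
    file=$1 top=${2:-/}
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    case $(ls -ldL "$file") in
        ???????r*) ;;
        *) echo "not world-readable: $file" >&2; return 1 ;;
    esac
    dir=$(dirname "$file")
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        case $(ls -ldL "$dir") in
            ?????????[xt]*) ;;
            *) echo "not traversable by others: $dir" >&2; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
}

# Combine the checks for one config file; $2 is passed to other_can_read.
preflight() {
    cert=$(ca_cert_from_config "$1")
    [ -n "$cert" ] || { echo "sslCACert not set in $1" >&2; return 1; }
    other_can_read "$cert" "$2" || return 1
    [ "$(server_scheme "$1")" = "https" ] ||
        echo "warning: serverURL is http, so sslCACert may never have been used" >&2
    echo "$cert"
}
```

On a registered system, `preflight /etc/sysconfig/rhn/up2date` prints the cleaned path to enter at the "CA Chain" prompt, or names the file or directory that blocks access.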
5.2.0 Satellite is now GA, bugs Closed for Current Release.