Bug 447935 - We need CLI installer for RHN proxy
We need CLI installer for RHN proxy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite Proxy 5
Classification: Red Hat
Component: Installer (Show other bugs)
520
All Linux
low Severity low
: ---
: ---
Assigned To: Partha Aji
Preethi Thomas
:
Depends On:
Blocks: 446878
  Show dependency treegraph
 
Reported: 2008-05-22 10:47 EDT by Miroslav Suchý
Modified: 2008-11-05 13:40 EST (History)
4 users (show)

See Also:
Fixed In Version: sat520
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-05 13:40:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
debug info for rhel4 server fjs-0-18 (75.93 KB, application/x-bzip)
2008-10-22 17:58 EDT, wes hayutin
no flags Details
RHEL 5 server (79.89 KB, application/x-bzip)
2008-10-22 17:59 EDT, wes hayutin
no flags Details
Traceback from satellite (38.93 KB, application/octet-stream)
2008-10-23 09:49 EDT, Miroslav Suchý
no flags Details
Traceback from satellite (26.71 KB, application/octet-stream)
2008-10-24 05:42 EDT, Miroslav Suchý
no flags Details

  None (edit)
Description Miroslav Suchý 2008-05-22 10:47:30 EDT
Description of problem:
We need CLI proxy install. Becouse we should not be dependent on proxy.
Comment 1 Miroslav Suchý 2008-08-26 10:08:55 EDT
OK, changes are in svn
Test plan to install proxy using CLI proxy installer:
subscribe to rhn-tools channels
install proxy-installer package
run configure-proxy.sh
Comment 2 Preethi Thomas 2008-08-29 13:53:52 EDT
fails-qa

proxy-installer failed to install on Rhel5 satellite (rlx-0-14)
Error: Missing Dependency: rhns-proxy-management >= 5.2.0 is needed by package proxy-installer


proxy-installer package is missing from rhel4 satellite 5.2 channels in webqa.
Comment 3 Miroslav Suchý 2008-09-01 08:44:24 EDT
dependency fixed (rev. 176535)
Built package proxy-installer-5.2.0-13

proxy installer was not pushed to AS4 rhn-tools during push qa, should be done during next qa push.
Comment 4 Brad Buckingham 2008-09-15 08:51:32 EDT
mass move to ON_QA
Comment 5 Preethi Thomas 2008-09-17 14:15:29 EDT
fails-qa
Needs a better test plan as well.
root@fjs-0-20 ~]# /usr/sbin/configure-proxy.sh
Proxy version to activate [5.2]: 5.2
RHN Parent [rlx-0-14.rhndev.redhat.com]: rlx-0-14.rhndev.redhat.com
Traceback email []: pthomas@redhat.com
Use SSL [0]: 
CA Chain [noReboot;sslCACert;useNoSSLForPackages;noSSLServerURL;serverURL;disallowConfChanges;]: 
HTTP Proxy []: 
Regardless of whether you enabled SSL for the connection to the RHN Parent
Server, you will be prompted to generate an SSL certificate.
This SSL certificate will allow client systems to connect to this RHN Proxy
securely. Refer to the RHN Proxy Installation Guide for more information.
Organization: Red Hat
Organization Unit [fjs-0-20.rhndev.redhat.com]: RHEN
Common Name: 
City: Raleigh
State: NC
Country code: US
Email [pthomas@redhat.com]: pthomas@redhat.com
Unable to load module rhn_proxy_activate
No module named proxy.tools.rhn_proxy_activate
/usr/sbin/configure-proxy.sh: line 83: _PASSWORD: command not found
Proxy activation failed! Configuration interrupted.
Comment 6 Miroslav Suchý 2008-09-22 09:57:00 EDT
Committed revision 177157.
Comment 7 Miroslav Suchý 2008-09-22 11:54:24 EDT
Build failed.
Committed revision 177166.
Committed revision 177170.
Built rhns-proxy-5.2.0-15 and  proxy-installer-5.2.0-15.el5.
Comment 8 Brad Buckingham 2008-09-24 12:27:29 EDT
mass move to ON_QA
Comment 9 Preethi Thomas 2008-09-24 14:15:22 EDT
fails_qa

[root@dell-pe2850-01 ~]# rpm -qa proxy-installer
proxy-installer-5.2.0-15.el4


[root@dell-pe2850-01 ~]# /usr/sbin/configure-proxy.sh
Proxy version to activate [5.2]: 
RHN Parent [fjs-0-13.rhndev.redhat.com]: 
Traceback email []: pthomas@redhat.com
Use SSL [1]: 1
CA Chain [/usr/share/rhn/RHNS-CA-CERT]: 
HTTP Proxy []: 
Regardless of whether you enabled SSL for the connection to the RHN Parent
Server, you will be prompted to generate an SSL certificate.
This SSL certificate will allow client systems to connect to this RHN Proxy
securely. Refer to the RHN Proxy Installation Guide for more information.
Organization: Red hat
Organization Unit [dell-pe2850-01.rhts.bos.redhat.com]: RHEN
Common Name: 
City: Raleigh
State: NC
Country code: US
Email [pthomas@redhat.com]: 

ERROR: unhandled exception occurred:
Traceback (most recent call last):
  File "/usr/bin/rhn-proxy-activate", line 41, in ?
    sys.exit(mod.main() or 0)
  File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 551, in main
    chmod_chown_systemid()
  File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 97, in chmod_chown_systemid
    apacheGID = pwd.getpwnam('apache')[3]
KeyError: 'getpwnam(): name not found: apache'
Proxy activation failed! Configuration interrupted.
Comment 10 Miroslav Suchý 2008-09-25 03:29:32 EDT
Nice catch Preethi,
package httpd need to be installed (apache user have to exist) before configure-proxy.sh is run.
I added Requires to spec.
Committed revision 177305.
Additional common name should be set to some value adding defaults:
Committed revision 177307.
Package proxy-installer-5.2.0-17 built and tagged.
Comment 11 Miroslav Suchý 2008-09-25 04:20:16 EDT
Jan pushed packages to rhn-tools. Moving to ON_QA.
Comment 12 Preethi Thomas 2008-09-26 11:50:27 EDT
[root@rlx-0-14 ~]# /usr/sbin/configure-proxy.sh
Proxy version to activate [5.2]: 
RHN Parent [fjs-0-13.rhndev.redhat.com]: 
Traceback email []: pthomas@redhat.com
Use SSL [1]: 1
CA Chain [/usr/share/rhn/RHNS-CA-CERT]: 
HTTP Proxy []: 
Regardless of whether you enabled SSL for the connection to the RHN Parent
Server, you will be prompted to generate an SSL certificate.
This SSL certificate will allow client systems to connect to this RHN Proxy
securely. Refer to the RHN Proxy Installation Guide for more information.
Organization: Red Hat
Organization Unit [rlx-0-14.rhndev.redhat.com]: RHEN
Common Name [rlx-0-14.rhndev.redhat.com]: 
City: Raleigh
State: NC
Country code: US
Email [pthomas@redhat.com]: 
ERROR: failed SSL connection - bad or expired cert?
Proxy activation failed! Configuration interrupted.
Comment 13 Preethi Thomas 2008-09-26 11:53:45 EDT
Miroslav,

I am not sure if this is something to do with the values I entered. But if its please put in a detailed test plan.

Thanks
Preethi
Comment 14 Miroslav Suchý 2008-09-29 08:13:51 EDT
This problem happen when you have in /etc/sysconfig/rhn/up2date:
 serverURL=http://your.satellite/XMLRPC
and 
 sslCACert=/usr/share/rhn/RHNS-CA-CERT
I.e. you registred as http to your parent, and you did not configure sslCACert properly (because most operation without it works).

You have to properly set up sslCACert in configuration file or do not accept default value in installer and enter path to downloaded parent sat public key (which reside in http://your.satellite/pub/RHN-ORG-TRUSTED-SSL-CERT )

I do not think this specific case need mention in release notes or in some doc, because if properly configured, this case will not happen.
Comment 15 Preethi Thomas 2008-10-01 15:40:06 EDT
verified
Comment 16 wes hayutin 2008-10-21 12:06:43 EDT
this appears to fail in stage..

[root@fjs-0-18 rhn]# rpm -qa | grep proxy
rhns-proxy-docs-5.1.1-3.rhel4
rhns-proxy-redirect-5.1.1-3.rhel4
proxy-installer-5.2.0-18.el4
[root@fjs-0-18 rhn]# 


   1.
      [root@fjs-0-18 ~]#
   2.
      [root@fjs-0-18 ~]# configure-proxy.sh
   3.
      Proxy version to activate [5.2]:
   4.
      RHN Parent [rlx-2-18.rhndev.redhat.com]:
   5.
      Traceback email []: whayutin@redhat.com
   6.
      Use SSL [1]:
   7.
      CA Chain [/root/RHN-ORG-TRUSTED-SSL-CERT;]:
   8.
      HTTP Proxy []:
   9.
      Regardless of whether you enabled SSL for the connection to the RHN Parent
  10.
      Server, you will be prompted to generate an SSL certificate.
  11.
      This SSL certificate will allow client systems to connect to this RHN Proxy
  12.
      securely. Refer to the RHN Proxy Installation Guide for more information.
  13.
      Organization: Red Hat
  14.
      Organization Unit [fjs-0-18.rhndev.redhat.com]: RHEN
  15.
      Common Name [fjs-0-18.rhndev.redhat.com]: Red Hat Test
  16.
      City: Raleigh
  17.
      State: NC
  18.
      Country code: US
  19.
      Email [whayutin@redhat.com]:
  20.
       
  21.
       
  22.
      ERROR: unhandled exception occurred:
  23.
      Traceback (most recent call last):
  24.
        File "/usr/bin/rhn-proxy-activate", line 41, in ?
  25.
          sys.exit(mod.main() or 0)
  26.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 525, in main
  27.
          apiVersion = getAPIVersion(options)
  28.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 295, in getAPIVersion
  29.
          s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
  30.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 96, in getServer
  31.
          s.add_trusted_cert(options.ca_cert)
  32.
        File "/usr/lib/python2.3/site-packages/rhn/rpclib.py", line 466, in add_trusted_cert
  33.
          self._transport.add_trusted_cert(certfile)
  34.
        File "/usr/lib/python2.3/site-packages/rhn/transports.py", line 258, in add_trusted_cert
  35.
          raise ValueError, "Certificate file %s is not accessible" % certfile
  36.
      ValueError: Certificate file /root/RHN-ORG-TRUSTED-SSL-CERT; is not accessible
  37.
      Proxy activation failed! Configuration interrupted.
  38.
      [root@fjs-0-18 ~]# ls /root/RHN-ORG-TRUSTED-SSL-CERT
  39.
       
  40.
       
  41.
      [root@fjs-0-18 ~]# history |grep wget
  42.
         43  wget http://rlx-2-18.rhndev.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
  43.
         48  history |grep wget
  44.
      [root@fjs-0-18 ~]# ls /root/
  45.
      anaconda-ks.cfg  install.log.syslog  RHN-ORG-TRUSTED-SSL-CERT
  46.
      install.log      ks-post.log
  47.
      [root@fjs-0-18 ~]# cat /etc/sysconfig/rhn/up2date | grep RHN-ORG
  48.
      sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT;
  49.
      [root@fjs-0-18 ~]#
  50.
       
  51.
       
  52.
      [root@fjs-0-18 rhn]# configure-proxy.sh
  53.
      Proxy version to activate [5.2]:
  54.
      RHN Parent [rlx-2-18.rhndev.redhat.com]:
  55.
      Traceback email []: whayutin@redhat.com
  56.
      Use SSL [1]:
  57.
      CA Chain [/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT;]:
  58.
      HTTP Proxy []:
  59.
      Regardless of whether you enabled SSL for the connection to the RHN Parent
  60.
      Server, you will be prompted to generate an SSL certificate.
  61.
      This SSL certificate will allow client systems to connect to this RHN Proxy
  62.
      securely. Refer to the RHN Proxy Installation Guide for more information.
  63.
      Organization: Red Hat
  64.
      Organization Unit [fjs-0-18.rhndev.redhat.com]: RHEN
  65.
      Common Name [fjs-0-18.rhndev.redhat.com]: Red Hat Test
  66.
      City: Raleigh
  67.
      State: NC
  68.
      Country code: US
  69.
      Email [whayutin@redhat.com]:
  70.
       
  71.
      ERROR: unhandled exception occurred:
  72.
      Traceback (most recent call last):
  73.
        File "/usr/bin/rhn-proxy-activate", line 41, in ?
  74.
          sys.exit(mod.main() or 0)
  75.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 525, in main
  76.
          apiVersion = getAPIVersion(options)
  77.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 295, in getAPIVersion
  78.
          s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
  79.
        File "/usr/share/rhn/installer/rhn_proxy_activate.py", line 96, in getServer
  80.
          s.add_trusted_cert(options.ca_cert)
  81.
        File "/usr/lib/python2.3/site-packages/rhn/rpclib.py", line 466, in add_trusted_cert
  82.
          self._transport.add_trusted_cert(certfile)
  83.
        File "/usr/lib/python2.3/site-packages/rhn/transports.py", line 258, in add_trusted_cert
  84.
          raise ValueError, "Certificate file %s is not accessible" % certfile
  85.
      ValueError: Certificate file /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT; is not accessible
  86.
      Proxy activation failed! Configuration interrupted.
Comment 17 Miroslav Suchý 2008-10-22 04:57:02 EDT
Wes if you notice:
 cat /etc/sysconfig/rhn/up2date | grep RHN-ORG
 sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT;
notice the semicolon on the end of the line.
I'm sure that if you remove the semicolon it will work :)
Moving back to VERIFIED.
Comment 18 wes hayutin 2008-10-22 10:25:10 EDT
interesting.. but crappy for our customers.
The semicolon was not added manually, it was added when registering the client
with the following command.

rhnreg_ks ****  --sslCACert=/root/RHN-ORG-TRUSTED-SSL-CERT

The proxy does indeed work now w/o the semicolon.  I will open a separate bug on the semicolon issue

Thanks for pointing that out Miroslav.
Comment 20 wes hayutin 2008-10-22 17:58:23 EDT
Created attachment 321215 [details]
debug info for rhel4 server fjs-0-18

RHEL 4 proxy server
Comment 21 wes hayutin 2008-10-22 17:59:30 EDT
Created attachment 321216 [details]
RHEL 5 server

rhel 5 server w/ proxy 520 command line
Comment 22 wes hayutin 2008-10-22 18:05:21 EDT
Preethi validated the problem on her server as well in stage
Comment 23 Miroslav Suchý 2008-10-23 09:49:03 EDT
Created attachment 321286 [details]
Traceback from satellite

The problem seems to be in satellite. This is tracaback when calling API
proxy.deactivate
proxy.activate
Comment 24 Miroslav Suchý 2008-10-23 09:50:55 EDT
I even tried if can be problem with the new tomcat, but after downgrading the ISE still persist.

Note to myself:
smallest reproducer - call:
/usr/bin/rhn-proxy-activate --server=rlx-2-18.rhndev.redhat.com --http-proxy= --http-proxy-username= --http-proxy-password= --ca-cert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --version=5.2 --non-interactive
Comment 25 Miroslav Suchý 2008-10-23 11:42:32 EDT
[16:22] <msuchy> Caused by: org.hibernate.NonUniqueObjectException: a different object with the same identifier value was already associated with the session: [com.redhat.rhn.domain.server.Server#1000010668]
[16:22] <msuchy> ....
[16:23] <msuchy>         at com.redhat.rhn.domain.channel.ChannelFamilyFactory.lookupByLabel(ChannelFamilyFactory.java:78)
[16:23] <msuchy>         at com.redhat.rhn.manager.channel.ChannelManager.getProxyChannelByVersion(ChannelManager.java:507)
[16:23] <msuchy>         at com.redhat.rhn.manager.system.SystemManager.activateProxy(SystemManager.java:1263)
[16:23] <msuchy>         at com.redhat.rhn.frontend.xmlrpc.proxy.ProxyHandler.activateProxy(ProxyHandler.java:124)
[16:23] <msuchy>         ... 41 more
[16:23] <msuchy> going to check if is possible that db have ChannelFamily duplicity

[16:24] <zeus> I doubt it's a db problem :)
[16:26] <msuchy> it is not. Just trying :)

[16:26] <zeus> usually that error means that an object in memory has an id of 1000010668
[16:26] <zeus> then we create/load another one of the same id but of a different type
[16:27] <zeus> this can happen with satellite and proxy activation
[16:27] <zeus> because when you come into activation with id 1000010668, when we laod it from the database it is a Server object
[16:27] <zeus> the first time
[16:27] <zeus> after activation, we reload it
[16:27] <zeus> and it is now a ProxyServer objects or a SatelliteServer object
[16:27] <zeus> both extend Server
[16:27] <zeus> but to Hibernate they are different objects with the same id
[16:28] <msuchy> aghhh :o
[16:28] <zeus> it's one of the pains with hibernate and our schema becase we put proxy information into a seperate table but that is core to what makes a server a Proxy
[16:29] <msuchy> strange thing is that it worked, and we it stopped worked on stage :(
[16:30] <zeus> interesting
[16:30] <msuchy> do you recall if something changed in java recently, what can caused it?
[16:30] <zeus> nothing off the top of my head.
[16:30] <zeus> I'd have to look at the commit logs to see if something might have triggered this.
[16:30] <zeus> it is very odd that it occurs during the loading of a ChannelFamily objectws
[16:30] <zeus> because there's no server in that query
[16:41] <msuchy> one reloading of the server is on line com/redhat/rhn/manager/system/SystemManager.java +1262, but the TB is invoked by line bellow :(
[16:42] <zeus> yeah that's the odd part
[16:43] <zeus> I see we pass in the reloaded object to ChannelManager
[16:51] <zeus> I don't understand why the lookup would cause that error
[16:51] <zeus> if anything I would expect this to have caused it, more so than the lookupByLabel call
[16:51] <zeus> this =  proxyChan.getParentChannel().equals(server.getBaseChannel()))
[16:52] <zeus> :
[16:53] <msuchy> where it is?
[16:53] <zeus> the traceback says it is happening when it calls ChannelFamilyFactory.java lookupByLabel
[16:54] <zeus>         return (ChannelFamily) c.uniqueResult();
[16:55] <msuchy> yeah, thah I see, but did not get the part: proxyChan.getParentChannel().equals(server.getBaseChannel()))
[16:56] <zeus> oh that part
[16:56] <zeus> I was saying that the above line would make much more sense to have caused the problem.
[16:56] <zeus> but it is NOT the cause
[16:58] * msuchy agree, I do not uderstand it :(
[16:59] <zeus> was there a hibernate change?
[16:59] <zeus> i.e. is hibernate pkg the same on both the busted installation and the working one?
[16:59] <zeus> especially if one was an upgrade
[16:59] <msuchy> we recently upgraded tomcat5
[17:00] <msuchy> but I tried to downgrade to old, but ISE was still there
[17:00] <zeus> yeah, that really should not affect this. This is hibernate not a tomcat issue.
[17:00] <msuchy> it is in different package?
[17:00] <zeus> hibernate? yes hibernate is in hibernate3 package
[17:01] <msuchy> checking with adelton
[17:03] <msuchy> no. it is unchanges is april
[17:03] <msuchy> unchanged
[17:03] <zeus> ok good
[17:03] <zeus> rules that out
[17:24] <zeus> I will investigate this hibernate error
Comment 26 Miroslav Suchý 2008-10-23 12:17:07 EDT
Wes satellite was RHEL4,
I just tried satellite on RHEL5 and there it happend too.
Comment 27 Jesus M. Rodriguez 2008-10-23 13:46:55 EDT
Because of the way we handle Server and ProxyServer objects during proxy activation. I think we can fix this by changing the flushmode to NEVER.

// current code

    public static List lookupByLabelLike(String label, Org orgIn) {
        Session session = getSession();
        Criteria c = session.createCriteria(ChannelFamily.class);
        c.add(Restrictions.like("label", label + "%"));
        c.add(Restrictions.or(Restrictions.eq("org", orgIn),
              Restrictions.isNull("org")));
        return  c.list();
    }


// proposed changes
    public static List lookupByLabelLike(String label, Org orgIn) {
        Session session = getSession();
        Criteria c = session.createCriteria(ChannelFamily.class);
        // change
        c.setFlushMode(FlushMode.NEVER);
        c.add(Restrictions.like("label", label + "%"));
        c.add(Restrictions.or(Restrictions.eq("org", orgIn),
              Restrictions.isNull("org")));
        return  c.list();
    }

We don't need to sync with the database during the querying of ChannelFamily object.  We will flush when we finally store the ProxyServer at the end of the
api call.
Comment 28 Jesus M. Rodriguez 2008-10-23 13:59:57 EDT
Possible fix committed to RELEASE-5.2 branch @ revision 178106.
Comment 29 Miroslav Suchý 2008-10-24 05:42:33 EDT
Created attachment 321392 [details]
Traceback from satellite

I tried to apply this code to satellite (xen83.englab.brq) and I still got ISE.
This time however with little bit different traceback.
Comment 30 Brandon Perkins 2008-10-28 11:16:11 EDT
Marking this Verified for a re-test against Stage.  The test plan for validating this bug against stage and moving to release_pending is:

1) Register a system to the RHN Hosted Stage environment.
2) Add a Provisioning system entitlement to the system.
3) Subscribe the system to the rhn-tools channel.
4) Install the proxy-installer package.
5) run configure-proxy.sh

This needs to be tested on both RHEL4 and RHEL5 and cover all architectures.  That is, we don't need to test all seven combinations, just at least one of each architecture and at least one of each RHEL, so it should only be four tests.

This functionality does not work against Satellite at this time.  This bug will be cloned to 530 for the Satellite functionality.
Comment 31 Brandon Perkins 2008-10-28 11:23:14 EDT
The clone for 530 with Satellite support and Hosted support is bug 468874.
Comment 32 wes hayutin 2008-10-28 17:03:05 EDT
the cmd line proxy installer is actually working fine as long as your ssl cert is not in /root

when you install the proxy w/ the webui the ssl cert works fine w/ a ssl cert in /root

release pending this...

and will open a bug for 530 to try and figure out a way to avoid customers from putting their ssl cert in a directory where apache does not have access.
Comment 33 Brandon Perkins 2008-11-05 13:40:23 EST
5.2.0 Satellite is now GA, bugs Closed for Current Release.

Note You need to log in before you can comment on or make changes to this bug.