Description of problem: Trying to install packages to subscribed clients via the web ui fail and error shows up in pulp. Version-Release number of selected component (if applicable): * candlepin-0.6.5-1.el6_2.noarch * candlepin-tomcat6-0.6.5-1.el6_2.noarch * katello-0.1.317-1.el6_2.noarch * katello-all-0.1.317-1.el6_2.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.0.7-1.el6_3.noarch * katello-cli-0.1.111-1.el6_2.noarch * katello-cli-common-0.1.111-1.el6_2.noarch * katello-common-0.1.317-1.el6_2.noarch * katello-configure-0.1.110-1.el6_3.noarch * katello-glue-candlepin-0.1.317-1.el6_2.noarch * katello-glue-foreman-0.1.317-1.el6_2.noarch * katello-glue-pulp-0.1.317-1.el6_2.noarch * katello-qpid-broker-key-pair-1.0-1.noarch * katello-qpid-client-key-pair-1.0-1.noarch * katello-selinux-0.1.10-1.el6.noarch * pulp-1.0.4-1.el6.noarch * pulp-common-1.0.4-1.el6.noarch * pulp-selinux-server-1.0.4-1.el6.noarch How reproducible: Steps to Reproduce: 1. Create organization + environment 2. Upload valid manifest and enable RHEL 6Server RPMS + SAM + CF Tools x86_64 3. Sync and promote product to first environment 4. Subscribe a plain vanilla RHEL 6.2 server with --autosubscribe 5. Install katello-agent 6. Install httpd to the client using the web ui Actual results: 2012-06-21 17:19:44,727 6835:139794577344256: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer 41aa5b43-5efc-46d3-b2e2-be48ffd66e2e 2012-06-21 17:20:06,007 6835:139794577344256: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer ca65aafc-cfaf-4f2d-9a7d-e7ae3fd4d275 2012-06-21 17:24:47,920 6835:139794566854400: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer 570dbd91-d52f-4fb3-8541-f7e6845b3811 2012-06-21 17:26:47,606 6835:139795139610368: gofer.messaging.broker:INFO: broker:100 connecting: {localhost:5674}: transport=SSL host=localhost port=5674 cacert=/usr/share/katello/candlepin-cert.crt clientcert=/etc/pki/pulp/qpid_client_striped.crt 2012-06-21 17:26:48,210 6835:139795139610368: pulp.server.tasking.task:ERROR: task:468 Task failed: Task ce7cc70a-bbe7-11e1-b762-52540005c9e2: ConsumerApi.__installpackages(570dbd91-d52f-4fb3-8541-f7e6845b3811, ['httpd'], ) Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/pulp/server/tasking/task.py", line 414, in run result = self.callable(*self.args, **self.kwargs) File "/usr/lib/python2.6/site-packages/pulp/server/api/consumer.py", line 448, in __installpackages return packages.install(names, reboot) File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 72, in __call__ return self.stub._send(request, opts) File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 133, in _send return self.__send(request, options) File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 164, in __send any=opts.any) File "/usr/lib/python2.6/site-packages/gofer/rmi/policy.py", line 138, in send **any) File "/usr/lib/python2.6/site-packages/gofer/messaging/producer.py", line 51, in send sender = self.session().sender(address) File "/usr/lib/python2.6/site-packages/gofer/messaging/endpoint.py", line 187, in session self.__session = self.ssnpool.get(self.url) File "/usr/lib/python2.6/site-packages/gofer/messaging/endpoint.py", line 55, in get con = broker.connect() File "/usr/lib/python2.6/site-packages/gofer/messaging/broker.py", line 102, in connect con.attach() File "<string>", line 6, in attach File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 262, in attach self._ewait(lambda: self._transport_connected and not self._unlinked()) File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 197, in _ewait self.check_error() File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 190, in check_error raise self.error AuthenticationFailure: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_48' not found) Expected results: Package should be installed Additional info:
Martin Bacovsky sent me this comment: Just for tracking: addition of mech_list: ANONYMOUS in /etc/sasl2/qpidd.conf made the trick after pulp-server restart. If anyone has an idea why qpidd chose GSSAPI as a default auth method, please, let me know.
Please attach the qpidd.conf.
Created attachment 594232 [details] qpidd.conf fwiw, this file has been modified from its original state. Here's what a diff would look like: --- Downloads/qpidd.conf 2012-06-25 12:24:51.296495028 -0400 +++ Downloads/qpidd2.conf 2012-06-25 12:25:17.233414346 -0400 @@ -20,11 +20,10 @@ # (Note: no spaces on either side of '='). Using default settings: # "qpidd --help" or "man qpidd" for more details. cluster-mechanism=ANONYMOUS -log-enable=debug+ +log-enable=error+ require-encryption=yes ssl-require-client-authentication=yes -auth=yes ssl-port=5674 ssl-cert-db=/etc/pki/katello/nssdb ssl-cert-password-file=/etc/katello/nss_db_password-file
auth=no must be explicitly set because the default when not specified is (1). This seems to be a regression in the installer. See: https://bugzilla.redhat.com/show_bug.cgi?id=743327.
Reproduced after updating qpid-cpp-server-0.12-6.el6.x86_64 to qpid-cpp-server-0.14-16.el6.x86_64 - both SASL and Timeout error. I'm trying to find out what's going on there now
The problem was introduces probably by this [1] or this [2] change in qpid (or both of them). They either turn the authentication on by default, or changed the priority of different auth methods so that that one working before was not used by default now. Setting auth=no seems to be the right choice for use, since it worked for RHUI as well and we don't use the qpid auth features. [1] - https://issues.apache.org/jira/browse/QPID-3337 [2] - https://issues.apache.org/jira/browse/QPID-3246
The problem with time-out occurred when I've restarted qpid server, but haven't restartd goferd on the client machine and therefore the connection wasn't established.
commit 81a551dd62323b5494401b8add3e96646e1f7f87 Author: Ivan Necas <inecas> Date: Wed Jun 27 15:30:44 2012 +0200 834697 - explicitly disable qpid authentication
For the servers already installed, adding auth=no to /etc/qpidd.conf, restarting pulp-server service on server and goferd service on the client fixes the issue.
To be clear: CFSE: * Add auth=no to /etc/qpidd.conf * service qpidd restart * service pulp-server restart Client: * service goferd restart This works like a charm!
Verified using: * candlepin-0.7.8-1.el6cf.noarch * candlepin-selinux-0.7.8-1.el6cf.noarch * candlepin-tomcat6-0.7.8-1.el6cf.noarch * katello-1.1.12-9.el6cf.noarch * katello-all-1.1.12-9.el6cf.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.1.8-1.el6cf.noarch * katello-cli-1.1.8-5.el6cf.noarch * katello-cli-common-1.1.8-5.el6cf.noarch * katello-common-1.1.12-9.el6cf.noarch * katello-configure-1.1.9-4.el6cf.noarch * katello-glue-candlepin-1.1.12-9.el6cf.noarch * katello-glue-pulp-1.1.12-9.el6cf.noarch * katello-qpid-broker-key-pair-1.0-1.noarch * katello-qpid-client-key-pair-1.0-1.noarch * katello-selinux-1.1.1-1.el6cf.noarch * pulp-1.1.12-1.el6cf.noarch * pulp-common-1.1.12-1.el6cf.noarch * pulp-selinux-server-1.1.12-1.el6cf.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-1543.html
getting rid of 6.0.0 version since that doesn't exist