RedHatGov / redhatgov.workshops

This is a collection of Ansible-deployed workshop environments. Use it in combination with the student workbook content, from the repo at https://github.com/RedHatGov/redhatgov.github.io
http://redhatgov.io

RHEL_AWS: Certificate installation failing #186

Open benblasco opened 2 years ago

benblasco commented 2 years ago

Getting the following issue when trying to install certs during execution of playbook 2_load.yml

TASK [install real certificate to web console] *****************************************************************************************************************************************************************************************************
fatal: [node-1.rhel.sandbox506.opentlc.com]: FAILED! => {"changed": false, "checksum": "d42162d473c6cf6e91315e1b293349e2cd5442b6", "msg": "Destination directory /etc/cockpit/ws-certs.d does not exist"}
fatal: [node-0.rhel.sandbox506.opentlc.com]: FAILED! => {"changed": false, "checksum": "d42162d473c6cf6e91315e1b293349e2cd5442b6", "msg": "Destination directory /etc/cockpit/ws-certs.d does not exist"}

Further investigation pending due to other recent reported issues.

benblasco commented 2 years ago

RHEL version in use:

[ec2-user@ip-10-0-2-119 ~]$ more /etc/*release
::::::::::::::
/etc/os-release
::::::::::::::
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.5 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"
::::::::::::::
/etc/redhat-release
::::::::::::::
Red Hat Enterprise Linux release 8.5 (Ootpa)

benblasco commented 2 years ago

It appears as though the directory needs to be created by the playbook and have the correct permissions set.

[root@bblasco-rhel82 ws-certs.d]# ls -ld /etc/cockpit/ws-certs.d/
drwxr-xr-x. 2 root root 6 Mar 13  2020 /etc/cockpit/ws-certs.d/

Fix under test:


    - name: Create dir for real certificate to web console
      file:
        path: "/etc/cockpit/ws-certs.d"
        state: directory
        owner: "root"
        group: "root"
        mode: '0755'

benblasco commented 2 years ago

Looks like the above fix takes us to a problem in the next task:

TASK [install real certificate to web console] *****************************************************************************************************************************************************************************************************
fatal: [node-1.rhel.sandbox506.opentlc.com]: FAILED! => {"changed": false, "checksum": "d42162d473c6cf6e91315e1b293349e2cd5442b6", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group cockpit-ws", "owner": "root", "path": "/etc/cockpit/ws-certs.d/acme.cert", "secontext": "system_u:object_r:etc_t:s0", "size": 4003, "state": "file", "uid": 0}
fatal: [node-0.rhel.sandbox506.opentlc.com]: FAILED! => {"changed": false, "checksum": "d42162d473c6cf6e91315e1b293349e2cd5442b6", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group cockpit-ws", "owner": "root", "path": "/etc/cockpit/ws-certs.d/acme.cert", "secontext": "system_u:object_r:etc_t:s0", "size": 4003, "state": "file", "uid": 0}

This suggests that none of the cockpit-ws stuff is being set up properly. The user and group are not being created correctly, suggesting that something is missing from the cockpit install prior to this point.

https://access.redhat.com/solutions/6097191

benblasco commented 2 years ago

Root cause found: 2_load.yml has checks for rhel_ver to determine whether it's RHEL 7 or RHEL 8, and therefore determine how to install cockpit.

e.g.

- name: Configure web console (RHEL 8)
  become: yes
  remote_user: ec2-user
  hosts: rhel_nodes
  gather_facts: no
  tags:
    - webconsole
  roles:
    - role: cockpit
      when: rhel_ver == 'rhel8'

Again, this is caused by the breaking changes:

https://github.com/RedHatGov/redhatgov.workshops/pull/179
https://github.com/RedHatGov/redhatgov.workshops/issues/184

benblasco commented 2 years ago

Potential workaround/fix in 2_load.yml:

%s/when: rhel_ver == 'rhel8'/when: rhel_ver is search('RHEL-8')

However, the above is a somewhat hacky fix that again is a byproduct of the breaking change #179. We cannot have a string as simple as just "RHEL-8" due to the other related issues mentioned above.

Will test further.
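
The failure chain in this thread (a skipped cockpit role surfacing later as a missing directory and a missing `cockpit-ws` group) can be caught at the point of certificate installation with preflight checks. The play below is an added example, not part of the thread or the repository's playbooks; `cert_src` and `cert_dir` are hypothetical variables, and the `0640` mode is an assumption for a certificate file that also holds the private key.

```yaml
# Added example (not from the repository). `cert_src` is a hypothetical
# variable naming the certificate file on the control node.
- name: Install web console certificate with preflight checks
  hosts: rhel_nodes
  become: yes
  gather_facts: no
  vars:
    cert_dir: /etc/cockpit/ws-certs.d
  tasks:
    - name: Collect installed package list
      ansible.builtin.package_facts:
        manager: auto

    - name: Stop early if the cockpit role was skipped
      ansible.builtin.assert:
        that:
          - "'cockpit-ws' in ansible_facts.packages"
        fail_msg: >-
          cockpit-ws is not installed on {{ inventory_hostname }}; check the
          'when: rhel_ver ...' condition on the cockpit role (rhel_ver is
          '{{ rhel_ver | default('undefined') }}').

    - name: Confirm the cockpit-ws group exists (fails if the key is missing)
      ansible.builtin.getent:
        database: group
        key: cockpit-ws

    - name: Ensure the certificate directory exists
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Install real certificate to web console
      ansible.builtin.copy:
        src: "{{ cert_src }}"
        dest: "{{ cert_dir }}/acme.cert"
        owner: root
        group: cockpit-ws
        mode: '0640'   # assumption: the file bundles the private key
```

With these checks in place, a version-string mismatch in `rhel_ver` produces a single message naming the skipped role instead of a `chgrp` failure one task later.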