RedHatSatellite / satellite-clone

Utility to assist cloning an existing Satellite 6 server to a new host
GNU General Public License v3.0

Reset puppet server ssl chain on install #350

Closed johnpmitsch closed 5 years ago

johnpmitsch commented 5 years ago

Fixes #349

johnpmitsch commented 5 years ago

yee-haw

beav commented 5 years ago

How is the SSL chain filepath getting altered to begin with? The fix looks correct but I'm not sure what the root cause is.

ekohl commented 5 years ago

@beav this path is stored in the answers file and is correct for Puppet 3. When moving to Puppet 4 we have a hook that resets a bunch of answers (https://github.com/Katello/katello-installer/blob/KATELLO-3.4/hooks/pre_validations/31-upgrade-puppet.rb). It doesn't reset this one. The hook was based on https://projects.theforeman.org/projects/foreman/wiki/Upgrading_from_Puppet_3_to_4 but that doesn't mention it.

On upgrading systems this isn't really a problem because the hook copies the certs (https://github.com/Katello/katello-installer/blob/918d3780558b4769da0a32b965cbc5369c2c544a/hooks/init/31-upgrade-puppet.rb#L29) so the old location remains valid. Realistically: how often do you have a new SSL chain on your Puppet master? Probably once every 5 years when your CA expires (maybe this was extended in later versions).

When cloning, the old location isn't available. I assume the clone does ensure the certificates are present in the new (default) location. By resetting the answer the puppetserver knows where to find the file.

We should really fix it properly for all systems because when you do want to replace the CA, you can see the same breakage. That's why I consider this a workaround.
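
Added example, not part of the thread or of the project's code: a Ruby sketch that detects the condition described above, an answers file still holding a file path that does not exist on the cloned host. The key names, paths and helper names (`each_path`, `stale_paths`, `demo`) are hypothetical, and the sample answers are constructed.

```ruby
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Constructed sample answers (hypothetical keys and paths, not from a real system).
SAMPLE_ANSWERS = <<~YAML
  puppet:
    server: true
    example_ssl_chain_filepath: "%<root>s/old/ssl/ca/ca_crt.pem"
    example_ssl_dir: "%<root>s/new/ssl"
    example_port: 8140
  foreman:
    example_ssl_cert: "%<root>s/new/ssl/certs/host.pem"
    plugins: false
YAML

# Recursively yield [dotted_key, value] for every string value that is an absolute path.
def each_path(node, prefix = nil, &block)
  case node
  when Hash
    node.each { |k, v| each_path(v, [prefix, k].compact.join('.'), &block) }
  when Array
    node.each_with_index { |v, i| each_path(v, "#{prefix}[#{i}]", &block) }
  when String
    yield prefix, node if node.start_with?('/')
  end
end

# Return the answers whose path does not exist on this host, as {key => path}.
def stale_paths(answers)
  stale = {}
  each_path(answers) { |key, path| stale[key] = path unless File.exist?(path) }
  stale
end

# Build a throwaway tree resembling a clone where only the new location was restored,
# then report which stored paths point nowhere (temp root stripped for readability).
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'new/ssl/certs'))
    FileUtils.touch(File.join(root, 'new/ssl/certs/host.pem'))
    answers = YAML.safe_load(format(SAMPLE_ANSWERS, root: root))
    stale_paths(answers).transform_values { |p| p.sub(root, '') }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run against a real answers file after a restore, a non-empty result lists the answers that need resetting before the installer is run.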

johnpmitsch commented 5 years ago

@beav expanding on what @ekohl said, it does seem some further fixes are needed, but we haven't seen this issue (afaik) on upgraded puppet systems. The workflow to create this error was: clone 6.3 backup; upgrade puppet 3 to 4; upgrade to sat 6.4; run a backup; and clone that backup. In this case, you have two backups being restored, so I'm guessing that caused (or exposed) the mismatch in the puppet answers file.

After we hear if this fixed the automation issue, we can file a proper installer bug for the more permanent fix.

johnpmitsch commented 5 years ago

yee-haw

ntkathole commented 5 years ago

@johnpmitsch yup, I tested it with the above changes and it works :100: Thanks :+1:

johnpmitsch commented 5 years ago

Thanks for testing @ntkathole!

1/6 dolly clones failed, looks like it was a resources issue again, but it worked when I re-ran it. It was a 6.3 clone too, so unlikely affected by this PR. Merging!