Support #3657

closed

unable to download KS file during PXE

Added by TJ Walker over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Triaged:
Fixed in Releases:
Found in Releases:

Description

I have a new fresh install of Foreman 1.3.1 with puppet 3.3.2. I have attempted to build my first system but I cannot get the system to download the KS file.
The Foreman server is RHEL6.4 and I have tried deploying RHEL6.4, RHEL6. and Centos6.4 on the new system. I can ping the host from the Foreman server, http is listening, and I see the connection via tcpdump:
10:37:36.758434 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [S], seq 1504641957, win 14600, options [mss 1460,sackOK,TS val 2292813 ecr 0,nop,wscale 7], length 0
10:37:36.758459 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [S.], seq 2203977837, ack 1504641958, win 14480, options [mss 1460,sackOK,TS val 89485239 ecr 2292813,nop,wscale 7], length 0
10:37:36.758532 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 2292814 ecr 89485239], length 0
10:37:36.758594 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [P.], seq 1:391, ack 1, win 115, options [nop,nop,TS val 2292814 ecr 89485239], length 390
10:37:36.758617 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [.], ack 391, win 122, options [nop,nop,TS val 89485240 ecr 2292814], length 0
10:37:36.872174 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [P.], seq 1:587, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 586
10:37:36.872204 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [P.], seq 587:592, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 5
10:37:36.872279 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [F.], seq 592, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 0
10:37:36.872303 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 587, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872313 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 592, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872357 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [F.], seq 391, ack 593, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872365 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [.], ack 392, win 122, options [nop,nop,TS val 89485353 ecr 2292927], length 0

I did see this in the foreman production.log:
Started GET "/media" for 10.199.250.4 at 2013-11-14 10:06:13 -0500
Processing by MediaController#index as HTML
Rendered media/index.html.erb within layouts/application (13.5ms)
Rendered home/_user_dropdown.html.erb (3.7ms)
Read fragment views/tabs_and_title_records-1 (0.1ms)
Rendered home/_org_switcher.html.erb (0.0ms)
Rendered home/_settings.html.erb (3.8ms)
Write fragment views/tabs_and_title_records-1 (0.6ms)
Rendered home/_topbar.html.erb (9.4ms)
Rendered common/_searchbar.html.erb (1.7ms)
Completed 200 OK in 44ms (Views: 30.0ms | ActiveRecord: 3.3ms)

Started GET "/unattended/provision" for 10.199.206.4 at 2013-11-14 10:10:12 -0500
Processing by UnattendedController#provision as */*
Found kvm01.oadr
Remove puppet certificate for kvm01.oadr
Failed to remove kvm01.oadr's puppet certificate: 406 Not Acceptable
Rendered text template (0.0ms)
Filter chain halted as :handle_ca rendered or redirected
Completed 500 Internal Server Error in 139ms (Views: 0.8ms | ActiveRecord: 2.5ms)

There are no other certs on this server:
[root@puppet01 pxelinux.cfg]# puppet cert --list --all
+ "puppet01.oadr" (SHA1) intentionally removed (alt names: "DNS:puppet", "DNS:puppet.oadr", "DNS:puppet01.oadr")

Thanks,
-tj


Files

foreman_erro1.PNG (19 KB), link to KS file, TJ Walker, 11/14/2013 10:31 PM
foreman_erro2.PNG (101 KB), error message from alt+f4, TJ Walker, 11/14/2013 10:31 PM

Actions #1

Updated by Dominic Cleal over 10 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Feedback
  • Assignee deleted (Sam Kottler)

This is the clue:

Remove puppet certificate for kvm01.oadr
Failed to remove kvm01.oadr's puppet certificate: 406 Not Acceptable

This indicates a problem coming from the smart proxy on your Puppet CA server. Can you check on there in /var/log/foreman-proxy/proxy.log for any further messages? You may want to drop the log level to DEBUG in /etc/foreman-proxy/settings.yml too.

Actions #2

Updated by Dominic Cleal over 10 years ago

  • Tracker changed from Support to Bug
  • translation missing: en.field_release deleted (1)
Actions #3

Updated by Dominic Cleal over 10 years ago

  • Tracker changed from Bug to Support
Actions #4

Updated by TJ Walker over 10 years ago

Nothing was in the proxy.log, so I turned on debug and reran the build, and this is what's in the log:
[root@puppet01 config]# tail 50 /var/log/foreman-proxy/proxy.log
D, [2013-11-15T05:59:08.433418 #6595] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2013-11-15T05:59:08.433722 #6595] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2013-11-15T05:59:08.433770 #6595] DEBUG -- : Executing /usr/bin/sudo S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean kvm01.oadr
W, [2013-11-15T05:59:08.484268 #6595] WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:

E, [2013-11-15T05:59:08.484647 #6595] ERROR -- : Failed to remove certificate(s) for kvm01.oadr: Execution of puppetca failed, check log files
D, [2013-11-15T05:59:11.206715 #6595] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2013-11-15T05:59:11.206823 #6595] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2013-11-15T05:59:11.206866 #6595] DEBUG -- : Executing /usr/bin/sudo S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean kvm01.oadr
W, [2013-11-15T05:59:11.229099 #6595] WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:

E, [2013-11-15T05:59:11.229357 #6595] ERROR -- : Failed to remove certificate(s) for kvm01.oadr: Execution of puppetca failed, check log files
[root@puppet01 config]#

I've checked everything under /var/lib/puppet/ssl and there is nothing for kvm01.oadr

I'm going to have to try and format and reinstall the foreman server sometime today since I need this working, but if there is anything else you need me to try let me know soon.

thanks,
-tj

Actions #5

Updated by Dominic Cleal over 10 years ago

Looks like you're missing some sudoers configuration to let foreman-proxy run the puppet cert command as the logs are showing a sudo password prompt.

For Puppet 3, ensure you have this in /etc/sudoers.d/ or /etc/sudoers:

foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
Actions #6

Updated by TJ Walker over 10 years ago

Yep, that must have been it 'cause after adding that it works.

You are the greatest, thanks!

Actions #7

Updated by Dominic Cleal over 10 years ago

  • Status changed from Feedback to Resolved

Great, no problem.
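
Added example, not part of the original thread or of Foreman's code: a shell triage for the failure diagnosed in comments #4 and #5. It pulls the account that sudo prompted for out of a smart-proxy log and checks that a sudoers fragment carries both lines given in comment #5; the function names, temporary paths and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Print each account for which sudo asked for a password in a smart-proxy log.
# A prompt there means the proxy's sudo call was not covered by a NOPASSWD rule.
sudo_prompt_users() {
    sed -n 's/.*Failed to run puppetca: \[sudo] password for \([^: ]*\):.*/\1/p' "$1" | sort -u
}

# Return 0 only if sudoers fragment $1 has both settings from comment #5 for account $2.
# Return 1 if the NOPASSWD rule is missing, 2 if requiretty is still in force.
sudoers_allows_puppet_cert() {
    frag=$1 user=$2
    sp='[[:space:]]'
    rule="^${sp}*${user}${sp}+ALL${sp}*=${sp}*NOPASSWD:${sp}*/usr/bin/puppet cert \*${sp}*\$"
    notty="^${sp}*Defaults:${user}${sp}+!requiretty${sp}*\$"
    grep -Eq "$rule" "$frag" || return 1
    # The proxy daemon has no terminal, so requiretty must be off for it.
    grep -Eq "$notty" "$frag" || return 2
}

# Constructed sample input, modelled on the lines quoted in this ticket.
demo_dir=$(mktemp -d)
cat > "$demo_dir/proxy.log" <<'EOF'
D, [2013-11-15T05:59:08.433722 #6595] DEBUG -- : Found sudo at /usr/bin/sudo
W, [2013-11-15T05:59:08.484268 #6595]  WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:
E, [2013-11-15T05:59:08.484647 #6595] ERROR -- : Failed to remove certificate(s) for kvm01.oadr: Execution of puppetca failed, check log files
EOF
cat > "$demo_dir/foreman-proxy.sudoers" <<'EOF'
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
EOF

for u in $(sudo_prompt_users "$demo_dir/proxy.log"); do
    if sudoers_allows_puppet_cert "$demo_dir/foreman-proxy.sudoers" "$u"; then
        echo "$u: sudo prompted in the log; fragment has both settings"
    else
        echo "$u: sudo prompted in the log; fragment incomplete (code $?)"
    fi
done
```

On a real host, run `visudo -cf` on the fragment before installing it, so a syntax error in the drop-in is caught before sudo reads it.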
