Support #3657
closed
unable to download KS file during PXE
Description
I have a new fresh install of Foreman 1.3.1 with puppet 3.3.2. I have attempted to build my first system but I cannot get the system to download the KS file.
The Foreman server is RHEL6.4 and I have tried deploying RHEL6.4, RHEL6. and Centos6.4 on the new system. I can ping the host from the foreman server and http is listening and see the connection via tcpdump:
10:37:36.758434 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [S], seq 1504641957, win 14600, options [mss 1460,sackOK,TS val 2292813 ecr 0,nop,wscale 7], length 0
10:37:36.758459 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [S.], seq 2203977837, ack 1504641958, win 14480, options [mss 1460,sackOK,TS val 89485239 ecr 2292813,nop,wscale 7], length 0
10:37:36.758532 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 2292814 ecr 89485239], length 0
10:37:36.758594 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [P.], seq 1:391, ack 1, win 115, options [nop,nop,TS val 2292814 ecr 89485239], length 390
10:37:36.758617 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [.], ack 391, win 122, options [nop,nop,TS val 89485240 ecr 2292814], length 0
10:37:36.872174 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [P.], seq 1:587, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 586
10:37:36.872204 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [P.], seq 587:592, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 5
10:37:36.872279 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [F.], seq 592, ack 391, win 122, options [nop,nop,TS val 89485353 ecr 2292814], length 0
10:37:36.872303 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 587, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872313 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [.], ack 592, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872357 IP 10.199.206.4.55969 > 10.199.202.51.http: Flags [F.], seq 391, ack 593, win 124, options [nop,nop,TS val 2292927 ecr 89485353], length 0
10:37:36.872365 IP 10.199.202.51.http > 10.199.206.4.55969: Flags [.], ack 392, win 122, options [nop,nop,TS val 89485353 ecr 2292927], length 0
I did see this in the foreman production.log:
Started GET "/media" for 10.199.250.4 at 2013-11-14 10:06:13 -0500
Processing by MediaController#index as HTML
Rendered media/index.html.erb within layouts/application (13.5ms)
Rendered home/_user_dropdown.html.erb (3.7ms)
Read fragment views/tabs_and_title_records-1 (0.1ms)
Rendered home/_org_switcher.html.erb (0.0ms)
Rendered home/_settings.html.erb (3.8ms)
Write fragment views/tabs_and_title_records-1 (0.6ms)
Rendered home/_topbar.html.erb (9.4ms)
Rendered common/_searchbar.html.erb (1.7ms)
Completed 200 OK in 44ms (Views: 30.0ms | ActiveRecord: 3.3ms)
Started GET "/unattended/provision" for 10.199.206.4 at 2013-11-14 10:10:12 -0500
Processing by UnattendedController#provision as */*
Found kvm01.oadr
Remove puppet certificate for kvm01.oadr
Failed to remove kvm01.oadr's puppet certificate: 406 Not Acceptable
Rendered text template (0.0ms)
Filter chain halted as :handle_ca rendered or redirected
Completed 500 Internal Server Error in 139ms (Views: 0.8ms | ActiveRecord: 2.5ms)
There are no other certs on this server:
[root@puppet01 pxelinux.cfg]# puppet cert --list --all
+ "puppet01.oadr" (SHA1) intentionally removed (alt names: "DNS:puppet", "DNS:puppet.oadr", "DNS:puppet01.oadr")
Thanks,
-tj
Updated by Dominic Cleal over 10 years ago
- Tracker changed from Bug to Support
- Status changed from New to Feedback
- Assignee deleted (Sam Kottler)
This is the clue:
Remove puppet certificate for kvm01.oadr
Failed to remove kvm01.oadr's puppet certificate: 406 Not Acceptable
This indicates a problem coming from the smart proxy on your Puppet CA server. Can you check on there in /var/log/foreman-proxy/proxy.log for any further messages? You may want to drop the log level to DEBUG in /etc/foreman-proxy/settings.yml too.
Updated by Dominic Cleal over 10 years ago
- Tracker changed from Support to Bug
- translation missing: en.field_release deleted (1)
Updated by TJ Walker over 10 years ago
Nothing was in the proxy.log, so I turned on debug and reran the build, and this is what's in the log:
[root@puppet01 config]# tail -50 /var/log/foreman-proxy/proxy.log
D, [2013-11-15T05:59:08.433418 #6595] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2013-11-15T05:59:08.433722 #6595] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2013-11-15T05:59:08.433770 #6595] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean kvm01.oadr
W, [2013-11-15T05:59:08.484268 #6595] WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:
E, [2013-11-15T05:59:08.484647 #6595] ERROR -- : Failed to remove certificate(s) for kvm01.oadr: Execution of puppetca failed, check log files
D, [2013-11-15T05:59:11.206715 #6595] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2013-11-15T05:59:11.206823 #6595] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2013-11-15T05:59:11.206866 #6595] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean kvm01.oadr
W, [2013-11-15T05:59:11.229099 #6595] WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:
E, [2013-11-15T05:59:11.229357 #6595] ERROR -- : Failed to remove certificate(s) for kvm01.oadr: Execution of puppetca failed, check log files
[root@puppet01 config]#
I've checked everything under /var/lib/puppet/ssl and there is nothing for kvm01.oadr
I'm going to have to try and format and reinstall the foreman server sometime today since I need this working, but if there is anything else you need me to try let me know soon.
thanks,
-tj
Updated by Dominic Cleal over 10 years ago
Looks like you're missing some sudoers configuration to let foreman-proxy run the puppet cert command as the logs are showing a sudo password prompt.
For Puppet 3, ensure you have this in /etc/sudoers.d/ or /etc/sudoers:
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
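An added example, not part of the ticket or of Foreman's own tooling: a POSIX shell check that ties the symptom in proxy.log to the two sudoers lines quoted above. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed.

# 0 if proxy.log shows sudo prompting foreman-proxy for a password.
log_shows_sudo_prompt() {
    grep -q '\[sudo\] password for foreman-proxy' "$1"
}

# 0 if sudo would load a drop-in with this file name from /etc/sudoers.d:
# names ending in "~" or containing "." are skipped.
dropin_name_ok() {
    case "${1##*/}" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# Report which of the two lines from the ticket are absent (commented-out
# lines do not count). Returns 0 only when both are active.
check_proxy_sudoers() {
    missing=0
    grep -Eq '^[[:space:]]*foreman-proxy[[:space:]]+ALL[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?NOPASSWD:[[:space:]]*/usr/bin/puppet cert \*' "$1" ||
        { echo "missing: NOPASSWD rule for /usr/bin/puppet cert *"; missing=1; }
    grep -Eq '^[[:space:]]*Defaults:foreman-proxy[[:space:]]+!requiretty' "$1" ||
        { echo "missing: Defaults:foreman-proxy !requiretty"; missing=1; }
    return "$missing"
}

# Constructed sample data shaped like the ticket's log and sudoers lines.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/proxy.log" <<'EOF'
W, [2013-11-15T05:59:08.484268 #6595]  WARN -- : Failed to run puppetca: [sudo] password for foreman-proxy:
EOF
cat > "$demo_dir/foreman-proxy" <<'EOF'
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
EOF
printf '# foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *\n' > "$demo_dir/broken"

if log_shows_sudo_prompt "$demo_dir/proxy.log"; then
    echo "log: sudo asked foreman-proxy for a password"
    check_proxy_sudoers "$demo_dir/broken" || echo "broken: fix before retrying the build"
    check_proxy_sudoers "$demo_dir/foreman-proxy" && echo "foreman-proxy: both lines present"
fi
```

On a live host, `visudo -cf <file>` validates the fragment's syntax and `sudo -l -U foreman-proxy` lists the rules sudo will actually apply. The trailing `*` in the rule permits every `puppet cert` subcommand as root, so the fragment should stay root-owned and not writable by anyone else.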
Updated by TJ Walker over 10 years ago
Yep that must have been it cause after adding that it works.
You are the greatest thanks!
Updated by Dominic Cleal over 10 years ago
- Status changed from Feedback to Resolved
Great, no problem.