Fixes #10052 - Code to setup rhsm.conf for atomic hosts #67
Conversation
What is different about the atomic reconfigure from the existing reconfigure script? Thoughts on deploying a script that machines download and run that fetches the cert and reconfigure script and then runs them? I imagine this process will be scripted anyway so we could just handle that directly.
Some differences.
But I understand your concern that it will add 2 places to maintain this logic. Any suggestions on combining? Concat would be hard; it would be better if I could do includes or variable magic.
So I noticed that I would have to add a "--insecure" every time I did a wget. I felt it would be a better user experience to say, download this tar gz and have the script use the files in that extracted directory. In other words, the tar gz would be the equivalent of the rpm and the script inside it would be the equivalent of the post script.
On Mon, Sep 14, 2015 at 12:03 PM, Partha Aji [email protected]
Eric D. Helms
I am not sure I get this. Here is the proposed workflow
That tar gz has all the certs and other potential future rpm artifacts that may be needed so that I don't need the script to do -> wget --no-check-certificate http:///pub/katello-ca.crt (I am more concerned with adding a --no-check for every wget.)
On Mon, Sep 14, 2015 at 2:03 PM, Partha Aji [email protected]
What I am asking is, why wouldn't this workflow work: $ wget --no-check-certificate http:///pub/katello-ca-consumer-latest.sh You had mentioned RPM isn't available on an atomic host, are we guaranteed —
Eric D. Helms
It may work. I just feel it's more convenient and consistent with the way we do rpm + script to have it packaged as tar gz
I think we were hesitant to write a script that downloads the ca file insecurely. Leaving it up to the user to transfer the tar file means both the script and the ca make it to the box. Also there is really no need to gzip the file if that is a concern. Just tar'ing it is sufficient.
I'm in favor of anything that reduces the steps for the user to a 1-2 liner statement if possible. You could even reduce it to: curl http:///pub/katello-ca-consumer-latest.sh | sudo bash. Keep in mind, wget isn't always installed by default in RHEL/CentOS; curl/tar/gzip are, so rely on curl when you can.
Tar or not it's still generally insecure unless they go outside of http to
I tried very hard on this and almost had it working except for this stupid change in the subs manager command
vs RPM Version
Notice the extra % in --rhsm.repo_ca_cert (the extra % is necessary because it's an rpm post script)
Ahh, bummer, maybe two is the proper way due to these subtleties :/ Could you re-work the declarations in katello.pp so that the atomic chain of types is not intermixed throughout the RPM side of things?
Could you please expand on your comments here, I am trying to figure out what exactly you want me to change. I thought katello.pp was the place to put everything that goes on in pub.
8d63ecb to e8b7a40
@ehelms addressed
@@ -46,5 +54,35 @@ | |||
bootstrap_script => template('certs/rhsm-katello-reconfigure.erb'), | |||
alias => $candlepin_cert_rpm_alias, | |||
subscribe => $::certs::server_ca, | |||
} ~> |
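Review bot: the trailing `~>` on the resource aliased `$candlepin_cert_rpm_alias` turns whatever is declared next (the atomic-host artifacts added by this hunk) into a refresh dependent of the bootstrap RPM resource, so they cannot be applied or regenerated independently of the RPM and will be rebuilt on every RPM change. Close the block with a plain `}` and give the atomic resources their own `subscribe => $::certs::server_ca`, which is the input they actually depend on.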
This still ties the atomic workflow to the certs_bootstrap_rpm. I think it would be better to break this dependency and let the atomic stuff stand alone, i.e. change this line to } and insert a blank line.
8147629 to e9ab24d
@ehelms @stbenjam @jlsherrill @bbuckingham updating this as per our discussion. Main intent of this commit is to setup rhsm conf on an atomic host to Artifacts produced
4c5f21c to 5396f91
$candlepin_consumer_name = "katello-ca-consumer-${::fqdn}" | ||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}" | ||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.' | ||
|
||
$katello_default_ca_data = file("${certs::pki_dir}/certs/${certs::default_ca_name}.crt") |
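Review bot: `file(...)` here reads the CA certificate contents while the catalog is being compiled, so the file must already exist before the run starts; on a fresh installation where the CA is generated in the same run this lookup fails, which only goes unnoticed on a host where the certs were created by an earlier apply. Pass the path string instead and let the consuming resource read it at apply time, and use the name the module actually defines, `certs::katello::default_ca_name`, rather than `certs::default_ca_name`.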
You'd want to reference certs::katello::default_ca_name
2ce2a8f to 7d798b1
7d798b1 to 40cce3b
@ehelms, @bbuckingham green!
40cce3b to 990e26a
@parthaa, I tested this out on my katello-devel environment with an atomic host and it is behaving perfectly. The full flow that I did was:
Note: I haven't verified a RHEL7 host (non-atomic) yet, but plan to try that as well.
@parthaa, I ran a test with a RHEL 7 vagrant host. I was able to download/install the bootstrap rpm, register the host, subscribe to custom content and download RPMs from katello.
@parthaa, ACK from me; however, I'd recommend that you also get an ACK from an additional dev that is more familiar with the puppet-certs module.
I'll take a quick pass today
Testing this against a fresh installation, I immediately run into the following:
@ehelms, Good catch! My install was a dev install where I re-applied the puppet-certs update and re-ran the katello-installer-devel. (i.e. testing in a clean, but pre-existing environment)
990e26a to 1850a9c
@ehelms updated. If you can figure out a way to get custom types to work with my template let me know :)
@ehelms is the change I had to make to address your comment -> https://github.com/Katello/puppet-certs/pull/67/files#diff-aad4d37a11e8099dfec9d8ad8c38dec0R21
$candlepin_consumer_name = "katello-ca-consumer-${::fqdn}" | ||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}" | ||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.' | ||
|
||
$katello_default_ca_file = "${certs::pki_dir}/certs/${certs::katello::default_ca_name}.crt" | ||
$katello_server_ca_file = "${certs::pki_dir}/certs/${certs::katello::server_ca_name}.crt" |
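Review bot: `$katello_default_ca_file` and `$katello_server_ca_file` re-derive the CA paths from `certs::pki_dir` and the `certs::katello::*_ca_name` values, so there are now two places that must agree on where the certificates live; if the module already composes these paths (see the init.pp line referenced in the discussion), reference those variables here instead so a future change to the layout cannot leave the consumer script pointing at a stale path.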
This is essentially redefining https://github.com/Katello/puppet-certs/blob/master/manifests/init.pp#L130 which you could just use to DRY this up.
Functionally this worked for me through an install and a regenerate.
1850a9c to 1218a54
Main intent of this commit is to set up rhsm conf on an atomic host to set up consumer registration (a role similar to the one played by the consumer bootstrap rpm). Artifacts produced:
1) /var/www/html/pub/katello-rhsm-consumer on the satellite. This script contains the code needed to set up rhsm conf on both atomic as well as non atomic machines. The contents of this script came out of the template used for the post install script in the bootstrap consumer rpm. It has been tuned to work for both atomic/non-atomic machines.
2) Update to the bootstrap rpm to copy the new script to /usr/bin and run that as a part of post install.
1218a54 to 3028e1f
ACK - thanks @parthaa
Fixes #10052 - Code to setup rhsm.conf for atomic hosts
Atomic hosts don't deal with Rpms. This script provides an alternative way to set up the rhsm.conf by including the cert + rpm post script as a separate entity. It also generates a katello-rhsm-atomic-consumer.tar.gz, which has this. So the user is expected to download the tar gz, extract it, cd into atomic and then run the "katello-rhsm-atomic-consumer" script for it to set up rhsm.conf.
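The bootstrap flow the thread settles on (CA and script travel together in the extracted tarball, nothing fetched with --insecure), as an added shell example that is not the puppet-certs script itself: it writes the [server]/[rhsm] entries directly instead of calling subscription-manager, and the CA file name, /etc/rhsm layout, /rhsm prefix and pulp baseurl are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Katello's katello-rhsm-atomic-consumer script.
# Stand-in for the step run from the extracted tarball directory: it takes the
# CA shipped next to the script (never downloaded over plain http with
# --no-check-certificate) and writes the rhsm settings for a Katello server.
set -eu

# Arguments:
#   $1 directory the tarball was extracted into (must hold katello-server-ca.crt)
#   $2 FQDN of the Katello server
#   $3 rhsm config root (/etc/rhsm on a real host; a temp dir under test)
setup_rhsm_conf() {
    src_dir=$1; fqdn=$2; rhsm_root=$3
    ca_src="$src_dir/katello-server-ca.crt"   # assumed file name inside the tarball
    # Refuse to continue without the locally supplied CA rather than falling
    # back to an unverified fetch; trust must arrive out of band with the tarball.
    [ -f "$ca_src" ] || { echo "missing CA file: $ca_src" >&2; return 1; }
    mkdir -p "$rhsm_root/ca"
    cp "$ca_src" "$rhsm_root/ca/katello-server-ca.pem"
    chmod 0644 "$rhsm_root/ca/katello-server-ca.pem"
    # In plain shell a single % is the literal rhsm interpolation token.
    # The same repo_ca_cert line inside an rpm %post scriptlet needs %% instead,
    # which is the "extra %" difference discussed in the review thread.
    cat > "$rhsm_root/rhsm.conf" <<EOF
[server]
hostname = $fqdn
prefix = /rhsm
port = 443

[rhsm]
baseurl = https://$fqdn/pulp/repos
repo_ca_cert = %(ca_cert_dir)s/katello-server-ca.pem
EOF
}
```

Run it as `setup_rhsm_conf ./atomic katello.example.com /etc/rhsm` from the extracted directory; the function returns 1 and writes nothing if the CA is not present locally.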