Discussion:
[foreman-users] Smart Proxy and Provisioning
James Denton
2016-03-31 07:48:48 UTC
Hi all,

I wonder if someone could please answer this.

Currently we have a Foreman server within our internal network with a Smart
Proxy in an isolated network with the correct ports opened between them. In
order for us to build hosts within the isolated network they will need to
use the Smart Proxy for everything from TFTP to Puppet as new hosts will
not be able to communicate directly with the Foreman master. My question is
for initial Provisioning and installation - Does the Smart proxy need to
have installation media locally or does it proxy off requests for the
install media to the Master Foreman server? If not is there a plugin or
tool available to allow this?

Thanks!
--
You received this message because you are subscribed to the Google Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+***@googlegroups.com.
To post to this group, send email to foreman-***@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
Dominic Cleal
2016-03-31 08:02:05 UTC
Post by James Denton
> Hi all,
> I wonder if someone could please answer this.
> Currently we have a Foreman server within our internal network with a
> Smart Proxy in an isolated network with the correct ports opened between
> them. In order for us to build hosts within the isolated network they
> will need to use the Smart Proxy for everything from TFTP to Puppet as
> new hosts will not be able to communicate directly with the Foreman
> master. My question is for initial Provisioning and installation - Does
> the Smart proxy need to have installation media locally or does it proxy
> off requests for the install media to the Master Foreman server? If not
> is there a plugin or tool available to allow this?

The installation media URLs configured in Foreman must be accessible
directly to the hosts being provisioned and to the smart proxy itself.
The hosts use them for the whole installation, so create a new
installation medium for each location.

The smart proxy itself doesn't provide any access to the installation
media, it only uses it (to download the OS PXE boot files). You could
look at tools like aptly or mrepo to easily mirror media.
--
Dominic Cleal
***@cleal.org
James Denton
2016-03-31 08:15:46 UTC
Thanks for the reply Dominic
Lukas Zapletal
2016-03-31 13:34:46 UTC
Post by James Denton
> Thanks for the reply Dominic

Take a look at the Katello plugin.

http://www.katello.org/
--
Later,
Lukas #lzap Zapletal
James Denton
2016-04-01 07:15:25 UTC
Thanks, I have looked at Katello previously but will look again.

I also have another issue in regards to TFTP and Smart Proxy. As mentioned
in my original post, the Smart Proxy I am using resides on a different
subnet from the master. The TFTP feature is enabled on the Smart Proxy
(config is picked up by the master) and set correctly in the "subnet"
configuration. However when I press "build" for a new client the correct
pxelinux.0 and pxelinux.cfg/ files are not present or populated on the
Smart Proxy, either for that particular client or generically. I have seen
similar issues in other threads but no definitive answer. The log files on
both the master and proxy are not showing any errors. Can someone help?
Dominic Cleal
2016-04-01 07:18:37 UTC
Post by James Denton
> Thanks, I have looked at Katello previously but will look again.
> I also have another issue in regards to TFTP and Smart Proxy. As
> mentioned in my original post, the Smart Proxy I am using resides on a
> different subnet from the master. The TFTP feature is enabled on the
> Smart Proxy (config is picked up by the master) and set correctly in
> the "subnet" configuration. However when I press "build" for a new
> client the correct pxelinux.0 and pxelinux.cfg/ files are not present or
> populated on the Smart Proxy, either for that particular client or
> generically. I have seen similar issues in other threads but no
> definitive answer. The log files on both the master and proxy are not
> showing any errors. Can someone help?

There are quite a few conditions that must be true for these to be
created. Have a work through the list here:
http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#No-TFTP-menus-or-files-are-created-for-new-hosts

You're right that the TFTP Proxy must be set on the subnet - also ensure
the subnet is set on the provisioning interface when creating the host,
and that this interface has the Managed tickbox enabled.
--
Dominic Cleal
***@cleal.org
James Denton
2016-04-01 07:37:13 UTC
Thanks again Dominic - It's this bit that was missing:

*interface has the Managed tickbox enabled*

I will try an install now, thanks again! :)
James Denton
2016-04-06 07:55:43 UTC
Morning all,

I have one last (I hope) issue with provisioning a new server via the
smart-proxy. I have set the Templates feature up on the Smart Proxy and set
a new server to build. Once build on the new server has been set I see that
the pxelinux.cfg dir on the proxy is populated (as expected) with the
correct file for the new server:

    DEFAULT linux
    LABEL linux
    KERNEL boot/RHEL-6.7-x86_64-vmlinuz
    APPEND initrd=boot/RHEL-6.7-x86_64-initrd.img ks=http://smartproxy:80/unattended/provision?token=50410318-039c-4327-86cc-82f60c27d6b3 ksdevice=bootif network kssendmac
    IPAPPEND 2

So the client will boot, obtain a DHCP IP and grab the init/kernel files as
expected, however when it tries to download the ks file (as above) it fails
to download. Port 80 is definitely open on the smart proxy server and when I
try a curl or wget on the above file it also fails with "file not found".
So my question is, does the Foreman master transfer the ks file to the
smart-proxy when the client is set to build (i.e. should it exist somewhere
on the proxy) or does the smart-proxy obtain the file from the master
foreman when required by the install client?

Your help is appreciated :)
Greg Sutcliffe
2016-04-06 11:48:14 UTC
Post by James Denton
> So my question is, does the Foreman master transfer the ks file to the
> smart-proxy when the client is set to build (i.e. should it exist somewhere
> on the proxy) or does the smart-proxy obtain the file from the master
> foreman when required by the install client?

The proxy requests it from Foreman when the call is made to the proxy -
it's not stored on the proxy (otherwise it could get out of date if, for
example, your kickstart makes use of ERB variables which have changed in
the time between enabling build mode and booting the client)

Check the Foreman logs to see if the proxy is requesting the kickstart for
the host, and if there's any associated error.
James Denton
2016-04-06 12:11:32 UTC
Thanks Greg, that answers my question although I have tried 2 different
proxies (one on the same subnet as the master) and neither appear to
transfer the KS/Template file from the Foreman master server to the build
client, is there any settings outside of the template.yml file that need to
be set and which port would it connect to the master on?

Thanks
James Denton
2016-04-06 13:02:51 UTC
Also I have checked the logs on the proxy and noticed the following:

The Smart Proxy obtains the initrd and vmlinuz correctly.

I see this line each time I perform a build:

I, [2016-04-06T13:24:36.698098 #48681] INFO -- : *Foreman-master* - - [06/Apr/2016 13:24:36] "GET /templateServer HTTP/1.1" 200 45 0.0004

and from the httpd access log:

*Foreman-master* - - [06/Apr/2016:13:36:50 +0100] "GET /unattended/provision?token=c9cbb6cf-6889-4dc8-ab16-bfb52e05d40b HTTP/1.1" 404 218 "-" "anaconda/13.21.239"
*Foreman-master* - - [06/Apr/2016:13:50:54 +0100] "GET /unattended/provision?token=c9cbb6cf-6889-4dc8-ab16-bfb52e05d40b HTTP/1.0" 404 218 "-" "Wget/1.12 (linux-gnu)"
*Foreman-master* - - [06/Apr/2016:13:51:02 +0100] "GET /unattended/provision?token=c9cbb6cf-6889-4dc8-ab16-bfb52e05d40b HTTP/1.1" 404 218 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

On the Foreman master in /var/log/httpd/foreman_access.log I don't see much
other than when I tried to manually retrieve the provision template via
wget:

*smart-proxy* - - [06/Apr/2016:13:51:35 +0100] "GET /unattended/provision?token=c9cbb6cf-6889-4dc8-ab16-bfb52e05d40b HTTP/1.1" 200 4543 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
Greg Sutcliffe
2016-04-06 15:54:02 UTC
Seems like the request is being correctly proxied, but Foreman isn't
finding the host. You might need to enable debug logs on Foreman, but since
it's a 404 rather than an error, I'd guess the host either isn't in build
mode, or the token has expired. What's your token_duration setting and has
the host been in build mode longer than that?


Greg
James Denton
2016-04-06 17:43:05 UTC
Hi Greg,

I have/had debug enabled already on the logs but it's not providing much
further information I'm afraid.

The build mode set on the client is no more than a min before it's powered
on for the build and I have cancelled and set build multiple times. You
mention Foreman finding the host, how do you mean exactly? The client for
installation is in an isolated network and so the Foreman master will not
have any direct access to it and vice versa from the build client - hence
the need for the Smart Proxy which has access to both the Foreman master
and the build client to handle TFTP, Templates etc.

Thanks
Greg Sutcliffe
2016-04-06 18:45:49 UTC
Post by James Denton
> Hi Greg,
> I have/had debug enabled already on the logs but it's not providing much
> further information I'm afraid.
> The build mode set on the client is no more than a min before it's powered
> on for the build and I have cancelled and set build multiple times. You
> mention Foreman finding the host, how do you mean exactly? The client for
> installation is in an isolated network and so the Foreman master will not
> have any direct access to it and vice versa from the build client - hence
> the need for the Smart Proxy which has access to both the Foreman master
> and the build client to handle TFTP, Templates etc.

I just mean finding it in the DB, that's all. However what you posted
earlier looks like Apache logs - I was asking for the Foreman logs (usually
/var/log/foreman/production.log) - I'd be interested to see a tail of
that while a build is in progress, especially if debug is enabled.

Greg
James Denton
2016-04-07 06:55:49 UTC
Hi Greg,

I have re-run the kickstart and I see no output on the master
production.log at the time the request for the template is made :-/

Here is the current log level settings in /etc/foreman/settings.yml:

    # Log settings for the current environment can be adjusted by adding them
    # here. For example, if you want to increase the log level.
    :logging:
      :level: debug

    # Individual logging types can be toggled on/off here
    :loggers:

This has always been set to debug as have the smart proxies log level.

Thanks
Greg Sutcliffe
2016-04-07 09:26:25 UTC
Post by James Denton
> Hi Greg,
> I have re-run the kickstart and I see no output on the master
> production.log at the time the request for the template is made :-/

That sounds very odd, since the proxy claims it's making a request. I would
expect to see something like:

2016-04-07T10:23:36 [app] [I] Started GET "/unattended/provision" for 127.0.0.1 at 2016-04-07 10:23:36 +0100
2016-04-07T10:23:36 [app] [I] Processing by UnattendedController#host_template as */*
2016-04-07T10:23:36 [app] [I] Parameters: {"kind"=>"provision"}
2016-04-07T10:23:36 [app] [I] unattended: unable to find a host that matches the request from 127.0.0.1
2016-04-07T10:23:36 [app] [I] Filter chain halted as :get_host_details rendered or redirected
2016-04-07T10:23:36 [app] [I] Completed 404 Not Found in 5ms (ActiveRecord: 0.7ms)

Obviously 127.0.0.1 is due to me testing this on my dev setup, but that's
the log form I'd expect to see - and crucially, the message "unable to find
a host that matches the request from 127.0.0.1" which is what tells me the
problem.

Assuming other things are logging normally to production.log, that would
lead me to suspect the smart-proxy config - is the :foreman_url parameter
correct? Can you get the template from Foreman yourself from the proxy
(i.e. there's no firewall issues)?

Greg
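
Added example (not part of the original thread, and not Foreman's own code): the check discussed above, whether a template request that hit the proxy host ever reached Foreman, done by correlating the two httpd access logs by token and timestamp. All log lines, addresses and tokens below are constructed; it is an assumption that a forwarded request appears in the master's access log with the same /unattended/provision path and token.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log line, the format of the httpd logs in this thread.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample data (hypothetical hosts and tokens, not from the thread).
PROXY_LOG = [
    '192.0.2.50 - - [06/Apr/2016:13:36:50 +0100] "GET /unattended/provision'
    '?token=11111111-aaaa-4bbb-8ccc-000000000001 HTTP/1.1" 404 218 "-" "anaconda/13.21.239"',
    '192.0.2.51 - - [06/Apr/2016:13:40:10 +0100] "GET /unattended/provision'
    '?token=22222222-aaaa-4bbb-8ccc-000000000002 HTTP/1.1" 404 218 "-" "anaconda/13.21.239"',
    '192.0.2.52 - - [06/Apr/2016:13:45:00 +0100] "GET /unattended/provision'
    '?token=33333333-aaaa-4bbb-8ccc-000000000003 HTTP/1.1" 200 4543 "-" "anaconda/13.21.239"',
    '192.0.2.50 - - [06/Apr/2016:13:46:00 +0100] "GET /favicon.ico HTTP/1.1" 404 200 "-" "curl/7.19.7"',
]
MASTER_LOG = [
    '198.51.100.10 - - [06/Apr/2016:13:40:11 +0100] "GET /unattended/provision'
    '?token=22222222-aaaa-4bbb-8ccc-000000000002 HTTP/1.1" 404 218 "-" "Ruby"',
    '198.51.100.10 - - [06/Apr/2016:13:45:00 +0100] "GET /unattended/provision'
    '?token=33333333-aaaa-4bbb-8ccc-000000000003 HTTP/1.1" 200 4543 "-" "Ruby"',
    # A manual fetch made from the proxy host minutes later: same token, but far
    # outside the correlation window, so it must not count as a forwarded request.
    '198.51.100.10 - - [06/Apr/2016:13:51:35 +0100] "GET /unattended/provision'
    '?token=11111111-aaaa-4bbb-8ccc-000000000001 HTTP/1.1" 200 4543 "-" "curl/7.19.7"',
]


def parse_provision_requests(lines):
    """Return one dict per GET /unattended/provision?token=... line."""
    requests = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        token = parse_qs(url.query).get("token", [None])[0]
        if url.path != "/unattended/provision" or token is None:
            continue
        requests.append({
            "client": m["client"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
            "token": token,
        })
    return requests


def correlate(proxy_lines, master_lines, max_skew=timedelta(seconds=5)):
    """For each template request served on the proxy host, report whether a
    request with the same token reached the master within max_skew."""
    master = parse_provision_requests(master_lines)
    results = []
    for req in parse_provision_requests(proxy_lines):
        upstream = [m for m in master
                    if m["token"] == req["token"]
                    and abs(m["time"] - req["time"]) <= max_skew]
        results.append({
            # A build token is enough to fetch the host's kickstart,
            # so only a prefix is reported.
            "token": req["token"][:8],
            "proxy_status": req["status"],
            "seen_on_master": bool(upstream),
            "master_status": upstream[0]["status"] if upstream else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate(PROXY_LOG, MASTER_LOG):
        print(row)
```

A 404 on the proxy side with seen_on_master False means the response was produced before the request reached Foreman; a 404 with seen_on_master True means Foreman itself rejected the request, which is where build mode and token_duration come in.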
James Denton
2016-04-07 09:38:03 UTC
At the moment I am testing between the foreman master and a proxy that
resides within the same subnet so no FW's in between - I have actually
wondered about the proxy configuration and the Foreman URL, this is what it
is set to:

#:foreman_url: http://127.0.0.1:3000
:foreman_url: http://foreman.test.com

I did wonder why in the hashed example the port is specified as 3000.
Greg Sutcliffe
2016-04-07 13:26:19 UTC
Post by James Denton
> At the moment I am testing between the foreman master and a proxy that
> resides within the same subnet so no FW's in between - I have actually
> wondered about the proxy configuration and the Foreman URL, this is what it
> is set to:
> #:foreman_url: http://127.0.0.1:3000
> :foreman_url: http://foreman.test.com
> I did wonder why in the hashed example the port is specified as 3000.

3000 is the default port for the built-in Rails server, which is what you'd
be using in development mode. Our default installs replace that with
Apache, so 80/443 as usual.

I'm running out of ideas then. Is the production.log otherwise active (i.e.
you can see your own activity while browsing the UI etc)? If so, I'm stumped
as to where your proxy requests are actually going (assuming that
foreman_url is correct) - it might be a case of wireshark-ing the traffic
and verifying the server is receiving it.

Greg
James Denton
2016-04-07 13:35:40 UTC
The Production is otherwise active and I can see other processes being
logged e.g. when the TFTP files are created or when I need to remove or
cancel/start a build but as mentioned, when I expect to see something
logged when the attempt is made to get the template file, nothing.

The :foreman_url under admin -- settings is https://foreman.test.com

Here is my configuration for both the proxy server settings.yml and
templates.yml

    ---
    #replace default location of "settings.d"
    :settings_directory: /etc/foreman-proxy/settings.d

    # SSL Setup

    # If enabled, all communication would be verified via SSL
    # NOTE that both certificates need to be signed by the same CA in order for this to work
    # see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
    :ssl_certificate: /var/lib/puppet/ssl/certs/smartproxy.test.com.pem
    :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
    :ssl_private_key: /var/lib/puppet/ssl/private_keys/smartproxy.test.com.pem

    # Hosts which the proxy accepts connections from
    # commenting the following lines would mean every verified SSL connection allowed
    # HTTPS: test the certificate CN
    # HTTP: test the reverse DNS entry of the remote IP
    #:trusted_hosts:
    #- foreman.dev.domain
    #to deny access to all hosts use:
    #:trusted_hosts: []

    # verify a DNS reverse lookup against it's forward lookup
    # 1.1.1.1 -> foreman.mycompany.com -> 1.1.1.1
    # (default: true)
    #:forward_verify: true

    #:foreman_url: http://127.0.0.1:3000
    :foreman_url: https://foreman.test.com

    # SSL settings for client authentication against Foreman. If undefined, the values
    # from general SSL options are used instead. Mainly useful when Foreman uses
    # different certificates for its web UI and for smart-proxy requests.
    #:foreman_ssl_ca: ssl/certs/ca.pem
    #:foreman_ssl_cert: ssl/certs/fqdn.pem
    #:foreman_ssl_key: ssl/private_keys/fqdn.pem

    # by default smart_proxy runs in the foreground. To enable running as a daemon, uncomment 'daemon' setting
    :daemon: true
    # Only used when 'daemon' is set to true.
    # Uncomment and modify if you want to change the default pid file '/var/run/foreman-proxy/foreman-proxy.pid'
    :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid

    # host and ports configuration
    # host to bind ports to (possible values: *, localhost, 0.0.0.0)
    :bind_host: '*'
    # http is disabled by default. To enable, uncomment 'http_port' setting
    #:http_port: 8000
    # https is enabled if certificate, CA certificate, and private key are present in locations specifed by
    # ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
    # default values for https_port is 8443
    :https_port: 8443

    # Shared options for virsh DNS/DHCP provider
    :virsh_network: default

    # Log configuration
    # Uncomment and modify if you want to change the location of the log file or use STDOUT
    #:log_file: /var/log/foreman-proxy/proxy.log
    # Uncomment and modify if you want to change the log level
    # WARN, DEBUG, ERROR, FATAL, INFO, UNKNOWN
    :log_level: DEBUG
Post by Greg Sutcliffe
Post by James Denton
At the moment i am testing between the foreman master and a proxy that
resides within the same subnet so no FW's in between - I have actually
wondered about the proxy configuration and the Foreman URL, this is what it
#:foreman_url: http://127.0.0.1:3000
:foreman_url: http://foreman.test.com
I did wonder why in the hashed example the port is specified as 3000.
3000 is the default port for the built-in Rails server, which is what
you'd be using in development mode. Our default installs replace that with
Apache, so 80/443 as usual
I'm running out of ideas then. Is the production.log otherwise active (i.e.
you can see your own activity while browsing the UI etc)? If so, I'm stumped
as to where your proxy requests are actually going (assuming that
foreman_url is correct) - it might be a case of wireshark-ing the traffic
and verifying the server is receiving it.
Greg
James Denton
2016-04-07 13:38:43 UTC
Forgot the templates.yml output :)

---
# Enable this if the Proxy should handle template requests on behalf of Foreman
# Can be true, false, or http/https to enable just one of the protocols
:enabled: true
# This plugin also requires that :foreman_url: be set in the main settings.yml
# This lets the plugin know how to obtain the templates from foreman.
# This allows the proxy to define how hosts that are being provisioned where to
# obtain the templates from. Most installers don't support https, so it's recommended
# to enable an http port listener in the main config file too, and use it in
# the url below
#
# :template_url is the URL the host should use to contact the proxy for a template.
# The default protocol is http on port 80 unless otherwise specified in the url.
# Examples:
# https://1.2.3.4:8443 # default proxy https port
# http://1.2.3.4:8000 # default proxy http port
# https://smart-proxy.example.com # assumes port 443
#http://ldn1pup2.ebrd.com # assumes port 80
# smart-proxy.example.com:8080 # assumes http
:template_url: http://smartproxy.test.com
James Denton
2016-04-07 13:46:15 UTC
I set up a simple tcpdump running on both the foreman and proxy, and it
shows no calls are made between them at the time of the template request.
James Denton
2016-04-07 16:35:02 UTC
Forgot the templates.yml output :)

---
# Enable this if the Proxy should handle template requests on behalf of Foreman
# Can be true, false, or http/https to enable just one of the protocols
:enabled: true
# This plugin also requires that :foreman_url: be set in the main settings.yml
# This lets the plugin know how to obtain the templates from foreman.
# This allows the proxy to define how hosts that are being provisioned where to
# obtain the templates from. Most installers don't support https, so it's recommended
# to enable an http port listener in the main config file too, and use it in
# the url below
#
# :template_url is the URL the host should use to contact the proxy for a template.
# The default protocol is http on port 80 unless otherwise specified in the url.
# Examples:
# https://1.2.3.4:8443 # default proxy https port
# http://1.2.3.4:8000 # default proxy http port
# https://smart-proxy.example.com # assumes port 443
# smart-proxy.example.com:8080 # assumes http
:template_url: http://smartproxy.test.com
Greg Sutcliffe
2016-04-08 00:34:28 UTC
:template_url: http://smartproxy.test.com
Is that verbatim? The proxy is normally on 8000 or 8433 (your config above
says 8443) rather than 80/443 - is the port correctly assigned?
I setup a simple tcpdump running on both the foreman and proxy, and it
shows no calls are made between them at the time of the template request.
That would imply template_url is wrong, double-check it and potentially try
http.

Greg
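The port mismatch raised in this reply, as an added example that is not part of the original post or Foreman's own code: a Ruby check that compares :template_url from templates.yml with the listeners in settings.yml, using the defaults stated in the config comments (no scheme means http, http is port 80, https is port 443, https_port defaults to 8443). The function names, the sample file contents and the 192.0.2.10 address are constructed for illustration; certificate presence for the https listener is not checked.

```ruby
require 'yaml'
require 'uri'

# Load a smart-proxy style YAML file whose keys are Ruby symbols (":http_port:").
def load_proxy_yaml(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# Return [scheme, port] for a template_url, applying the defaults from the
# templates.yml comments: no scheme means http, http => 80, https => 443.
def scheme_and_port(template_url)
  url = template_url.include?('://') ? template_url : "http://#{template_url}"
  uri = URI.parse(url)
  [uri.scheme, uri.port]
end

# Compare :template_url with the listeners enabled in settings.yml and the
# protocols enabled for the templates module. Returns a list of problems.
def template_url_problems(settings_text, templates_text)
  settings  = load_proxy_yaml(settings_text)
  templates = load_proxy_yaml(templates_text)
  enabled   = templates[:enabled]
  return ['templates module is disabled'] unless enabled
  return [':template_url is not set'] unless templates[:template_url]

  scheme, port = scheme_and_port(templates[:template_url].to_s)
  # :http_port is off unless uncommented; :https_port falls back to 8443.
  listeners = { 'http' => settings[:http_port], 'https' => settings.fetch(:https_port, 8443) }
  problems = []
  if listeners[scheme].nil?
    problems << "no #{scheme} listener is enabled in settings.yml"
  elsif listeners[scheme] != port
    problems << "template_url uses #{scheme} port #{port}, proxy listens on #{listeners[scheme]}"
  end
  if %w[http https].include?(enabled.to_s) && enabled.to_s != scheme
    problems << "templates module is limited to #{enabled}, template_url uses #{scheme}"
  end
  problems
end

# Constructed sample input modelled on the files posted in the thread.
SETTINGS_BROKEN  = "---\n#:http_port: 8000\n:https_port: 8443\n"
SETTINGS_FIXED   = "---\n:http_port: 8000\n:https_port: 8443\n"
TEMPLATES_BROKEN = "---\n:enabled: true\n:template_url: http://smartproxy.test.com\n"
TEMPLATES_FIXED  = "---\n:enabled: true\n:template_url: http://192.0.2.10:8000\n"

if __FILE__ == $PROGRAM_NAME
  puts template_url_problems(SETTINGS_BROKEN, TEMPLATES_BROKEN)
  puts template_url_problems(SETTINGS_FIXED, TEMPLATES_FIXED).empty?
end
```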
James Denton
2016-04-08 10:10:54 UTC
Hi Greg

That appears to have resolved it for the internal Smart Proxy, setting the
template URL to be 8000 and IP based.

I appreciate the help! I will look now at trying the same on the server
within an isolated network.
James Denton
2016-04-12 14:16:48 UTC
Hi Greg/All

Today I tried again to build from the other smart proxy, which provisions
hosts in the isolated network, now that the correct FW rules are in place,
and I have the same issue with obtaining the provision token for the host.
However, I do now see actions being logged to the production.log on the
foreman master server:

Started GET "/unattended/provision?url=http%3A%2F%2F10.148.6.34%3A8000&token=4bee34fe-ba86-4866-a776-c9a282d435a9" for 10.148.6.34 at 2016-04-12 15:12:01 +0100
2016-04-12 15:12:01 [app] [I] Processing by UnattendedController#provision as HTML
2016-04-12 15:12:01 [app] [I] Parameters: {"url"=>"http://10.148.6.34:8000", "token"=>"4bee34fe-ba86-4866-a776-c9a282d435a9", "unattended"=>{}}
2016-04-12 15:12:01 [app] [I] Found extest1.ebrd.dmz
2016-04-12 15:12:02 [app] [I] Redirected to
2016-04-12 15:12:02 [app] [I] Completed 500 Internal Server Error in 885ms
2016-04-12 15:12:02 [app] [F]
ActionController::RedirectBackError (No HTTP_REFERER was set in the request to this action, so redirect_to :back could not be called successfully. If this is a test, make sure to specify request.env["HTTP_REFERER"].):
  app/controllers/application_controller.rb:275:in `process_error'
  app/controllers/application_controller.rb:107:in `smart_proxy_exception'
  lib/middleware/catch_json_parse_errors.rb:9:in `call'


Can someone explain from this what the error is?

Thanks
James Denton
2016-04-12 14:18:08 UTC
Hi Greg/All

Today I tried again to build from the other smart proxy, which provisions
hosts in the isolated network, now that the correct FW rules are in place,
and I have the same issue with obtaining the provision token for the host.
However, I do now see actions being logged to the production.log on the
foreman master server:

Started GET "/unattended/provision?url=http%3A%2F%2F10.148.6.34%3A8000&token=4bee34fe-ba86-4866-a776-c9a282d435a9" for 10.148.6.34 at 2016-04-12 15:12:01 +0100
2016-04-12 15:12:01 [app] [I] Processing by UnattendedController#provision as HTML
2016-04-12 15:12:01 [app] [I] Parameters: {"url"=>"http://10.148.6.34:8000", "token"=>"4bee34fe-ba86-4866-a776-c9a282d435a9", "unattended"=>{}}
2016-04-12 15:12:01 [app] [I] Found extest1.test.dmz
2016-04-12 15:12:02 [app] [I] Redirected to
2016-04-12 15:12:02 [app] [I] Completed 500 Internal Server Error in 885ms
2016-04-12 15:12:02 [app] [F]
ActionController::RedirectBackError (No HTTP_REFERER was set in the request to this action, so redirect_to :back could not be called successfully. If this is a test, make sure to specify request.env["HTTP_REFERER"].):
  app/controllers/application_controller.rb:275:in `process_error'
  app/controllers/application_controller.rb:107:in `smart_proxy_exception'
  lib/middleware/catch_json_parse_errors.rb:9:in `call'


Can someone explain from this what the error is?

Thanks