Direct the users to use the new CA refresh script instead of the rpm #11079
base: rpm/develop
@@ -143,8 +143,7 @@ def next_steps_message | |||
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager |
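Review bot: The first line of the message still tells users to "install the new bootstrap rpm", which no longer matches a change whose stated purpose is to direct them to the CA refresh script instead of the rpm. Reword it to name the script so that the prose and the commands listed under it agree.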
Please fix this comment.
Maybe something like:
You will have to apply the new katello-ca-consumer and reregister all clients and #{@plural_proxy} with subscription-manager
This seems entirely wrong. Just because the hostname changes does not require re-registration of a host.
If we change Foreman's host name, we will definitely need to reconfigure rhsm to point to the new server, and sometimes (depends if the cert is self-managed for example) we will need the CA to be updated. I think that simplifying the procedure takes precedence here, and having a single procedure will do us good.
None of that requires a host to be re-registered.
@@ -143,8 +143,7 @@ def next_steps_message | |||
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
(update organization and environment arguments appropriately): | |||
|
|||
yum remove -y katello-ca-consumer* | |||
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash |
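Review bot: On the new curl line, the script is fetched over plain http:// and piped straight into bash, and curl runs without --fail. Without --fail, curl exits 0 on an HTTP error response, so pipefail does not catch a 404 or 500 and the error body is what bash receives. The unauthenticated fetch also leaves the client unable to tell whether the script that refreshes its CA actually came from #{@new_hostname}. Consider `curl -sS --fail` and either an https URL or downloading to a file that can be checked before it is run.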
Is this what you want?
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |
curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash -o pipefail |
No. When curl fails, we want to stop bash from running, otherwise the return code of the action would be 0.
When the hostname changes on the server, we don't need to perform a CA refresh, we need to perform a sub-man configuration update (to point to the new hostname).
@ehelms I take your point about changing from re-registration to reconfiguration.
Now about hostname change: is there a chance that hostname change also requires change to a certificate? For example if the CA is self-signed?
Not the CA certificate since it is not tied to a hostname.
I guess, if it's only about changing the subscription-manager configuration, something like this is sufficient: https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/snippet/subscription_manager_setup.erb#L108 ?
Then we should also get rid of
subscription-manager register --org="Default_Organization" --environment="Library" --force |
Then reattach subscriptions to the client(s) and run: |
@@ -143,8 +143,7 @@ def next_steps_message | |||
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
(update organization and environment arguments appropriately): | |||
|
|||
yum remove -y katello-ca-consumer* | |||
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |||
subscription-manager register --org="Default_Organization" --environment="Library" --force | |||
|
|||
Then reattach subscriptions to the client(s) and run: |
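Review bot: With the `yum remove -y katello-ca-consumer*` and `rpm -Uvh` lines giving way to the curl line, the message no longer says what should happen to a katello-ca-consumer package that is already installed on a client. Either state that the refresh script covers that case or keep an explicit removal step, so that clients are not left with the old package alongside the refreshed CA.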
attach is no longer necessary with SCA?
@ianballou any thoughts on this one? I don't mind doing the change, but open to suggestions about what is needed here.
@@ -143,8 +143,7 @@ def next_steps_message | |||
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
(update organization and environment arguments appropriately): | |||
|
|||
yum remove -y katello-ca-consumer* | |||
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |||
subscription-manager register --org="Default_Organization" --environment="Library" --force |
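Review bot: The register line hard-codes --org="Default_Organization" and --environment="Library" next to --force, so it reads as a command to paste as is even though the text above it asks for the organization and environment arguments to be updated. Use obvious placeholders such as <organization> and <environment> so the sample values are not copied unchanged.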
Is this the default way to register? I think using an activation key is more common.
Or should it use the HostRegistration template for the whole process?
Host registration is actually a good idea, but we can't put here the command that initiates it, since each invocation generates a new token.
Maybe we should change this part to something that will say "Go to Foreman UI and generate a registration command" (with proper links of course)?
As I stated above, changing the hostname should not require clients to be re-registered, only re-configured.
Update the katello host rename script documentation to the new CA refresh script introduced in theforeman/foreman#10208