Direct the users to use the new CA refresh script instead of the rpm #11079

Open
wants to merge 1 commit into
base: rpm/develop

ShimShtein
Member

Update the katello host rename script documentation to the new CA refresh script introduced in theforeman/foreman#10208

@@ -143,8 +143,7 @@ def next_steps_message
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager

Please fix this comment.
Maybe something like:

You will have to apply the new katello-ca-consumer and reregister all clients and #{@plural_proxy} with subscription-manager

Member

This seems entirely wrong. Just because the hostname changes does not require re-registration of a host.

Member Author

If we change Foreman's host name, we will definitely need to reconfigure rhsm to point to the new server, and sometimes (depends if the cert is self-managed for example) we will need the CA to be updated. I think that simplifying the procedure takes precedence here, and having a single procedure will do us good.

Member

None of that requires a host to be re-registered.

@@ -143,8 +143,7 @@ def next_steps_message
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager
(update organization and environment arguments appropriately):

yum remove -y katello-ca-consumer*
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash
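Review bot: the `curl -sS ... | bash` line has no `--fail`, so an HTTP error response from `/unattended/public/foreman-ca-refresh` is handed to bash as if it were the script while curl still exits 0, and `set -o pipefail` cannot catch that. pipefail only changes the exit status of the pipeline: bash has already run whatever bytes arrived, and the option stays set in the user's shell afterwards. Suggest printing a two-step command instead, for example `curl -fsS -o foreman-ca-refresh.sh "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" && bash foreman-ca-refresh.sh`.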

Is this what you want?

Suggested change
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash
curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash -o pipefail

Member Author

No. When curl fails, we want to stop bash from running, otherwise the return code of the action would be 0.
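
How the pipeline forms discussed in this thread behave when the download fails partway, as an added example that is not part of the pull request or of Foreman's code. `fetch` is a constructed stand-in for `curl` that emits one line and then exits with status 18, and `staged_run` is an alternative assumed for this example, not something proposed in the thread.

```shell
#!/bin/sh
# Constructed stand-in for curl: prints the first line of a "script", then
# fails the way an interrupted transfer would (curl uses exit code 18).
WORK=$(mktemp -d)
cat > "$WORK/fetch" <<EOF
#!/bin/sh
echo "touch '$WORK/ran'"
exit 18
EOF
chmod +x "$WORK/fetch"

# Form in the hunk: pipefail in the calling shell, then fetch | bash.
# The pipeline status reflects the failed fetch, but bash has already
# executed the lines it received.
piped_run() {
    rm -f "$WORK/ran"
    bash -c "set -o pipefail && '$WORK/fetch' | bash"
}

# Suggested form: pipefail is set only inside the child bash, so the
# outer pipeline reports the child's status and the fetch failure is lost.
suggested_run() {
    rm -f "$WORK/ran"
    bash -c "'$WORK/fetch' | bash -o pipefail"
}

# Assumed alternative: save to a file and run it only if the fetch succeeded.
staged_run() {
    rm -f "$WORK/ran"
    "$WORK/fetch" > "$WORK/script" || return $?
    bash "$WORK/script"
}

# Reports whether the fetched line was executed.
side_effect() { [ -e "$WORK/ran" ] && echo yes || echo no; }
```

Only `staged_run` both reports the failure and leaves the partial script unexecuted.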

Member

When the hostname changes on the server, we don't need to perform a CA refresh, we need to perform a sub-man configuration update (to point to the new hostname).

Member Author

@ehelms I take your point about changing from re-registration to reconfiguration.
Now about hostname change: is there a chance that hostname change also requires change to a certificate? For example if the CA is self-signed?

Member

Not the CA certificate since it is not tied to a hostname.

I guess, if it's only about changing the subscription-manager configuration, something like this is sufficient: https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/snippet/subscription_manager_setup.erb#L108 ?

Then we should also get rid of

subscription-manager register --org="Default_Organization" --environment="Library" --force
and rewrite
Then reattach subscriptions to the client(s) and run:

@@ -143,8 +143,7 @@ def next_steps_message
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager
(update organization and environment arguments appropriately):

yum remove -y katello-ca-consumer*
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash
subscription-manager register --org="Default_Organization" --environment="Library" --force

Then reattach subscriptions to the client(s) and run:

attach is no longer necessary with SCA?

Member Author

@ianballou any thoughts on this one? I don't mind doing the change, but open to suggestions about what is needed here.

@@ -143,8 +143,7 @@ def next_steps_message
You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager
(update organization and environment arguments appropriately):

yum remove -y katello-ca-consumer*
rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm
set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash
subscription-manager register --org="Default_Organization" --environment="Library" --force
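Review bot: the `curl` line fetches the CA refresh script over plain `http://` and pipes it straight into bash, so nothing authenticates the script that decides which CA the client will trust; the `rpm -Uvh http://...` line above it uses the same scheme. The message could instead tell the admin to download the script to a file and compare a checksum or the CA fingerprint, obtained from the server itself, before running it.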

Is this the default way to register? I think using an activation key is more common.

Or should it use the HostRegistration template for the whole process?

Member Author

Host registration is actually a good idea, but we can't put here the command that initiates it, since each invocation generates a new token.
Maybe we should change this part to something that will say "Go to Foreman UI and generate a registration command" (with proper links of course)?

Member

As I stated above, changing the hostname should not require clients to be re-registered, only re-configured.
