Skip to content

Commit

Permalink
Fixes #32678 - katello_ca_consumer in registration template
Browse files Browse the repository at this point in the history
Move `rhsm_reconfigure` script from `katello_consumer.rpm` to
`global_registration` template so the `rpm` is not needed anymore

Migrated script is without support of RHEL5 and older
`subscription-manager` versions (0.96 and bellow)
  • Loading branch information
stejskalleos committed Sep 16, 2021
1 parent 80fb0c2 commit 696b9be
Show file tree
Hide file tree
Showing 4 changed files with 92 additions and 23 deletions.
7 changes: 5 additions & 2 deletions app/controllers/concerns/foreman/controller/registration.rb
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ def global_registration_vars
location: (location || User.current.default_location || User.current.my_locations.first),
hostgroup: host_group,
operatingsystem: operatingsystem,
url_host: registration_url.host,
registration_url: registration_url,
setup_insights: ActiveRecord::Type::Boolean.new.deserialize(params['setup_insights']),
setup_remote_execution: ActiveRecord::Type::Boolean.new.deserialize(params['setup_remote_execution']),
packages: params['packages'],
Expand All @@ -40,6 +38,7 @@ def global_registration_vars
.to_h
.symbolize_keys
.merge(context)
.merge(context_urls)
end

def safe_render(template)
Expand Down Expand Up @@ -96,6 +95,10 @@ def registration_url
fail Foreman::Exception.new(msg)
end

def context_urls
{ registration_url: registration_url }
end

def setup_host_params
clean_host_params

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,11 +37,36 @@ if [ -f /etc/os-release ] ; then
. /etc/os-release
fi

# Choose package manager
# apt-get for Debian & Ubuntu
# dnf for Fedora (version >= 22) & RHEL family (version > 7)
# yum for Fedora (version < 22) & RHEL family (version < 8)
if [ x$ID = xrhel ] || [ x$ID = xol ] || test "${ID_LIKE#*rhel*}" != "$ID_LIKE" ; then
if [ "${VERSION_ID%.*}" -gt 7 ]; then
PKG_MANAGER='dnf'
else
PKG_MANAGER='yum'
fi
elif [ x$ID = xfedora ]; then
if [ "${VERSION_ID%.*}" -gt 21 ]; then
PKG_MANAGER='dnf'
else
PKG_MANAGER='yum'
fi
elif [ x$ID = xdebian ] || [ x$ID = xubuntu ]; then
PKG_MANAGER='apt-get'
fi

SSL_CA_CERT=$(mktemp)
cat << EOF > $SSL_CA_CERT
<%= foreman_server_ca_cert %>
EOF

cleanup_and_exit() {
rm -f $SSL_CA_CERT
exit $1
}

<% unless @repo.blank? -%>
echo '#'
echo '# Adding repository'
Expand All @@ -58,7 +83,7 @@ gpgkey=<%= shell_escape @repo_gpg_key_url %>
EOF

echo "Building yum metadata cache, this may take a few minutes"
yum makecache
$PKG_MANAGER makecache
elif [ x$ID = xdebian ] || [ x$ID = xubuntu ]; then
cat << EOF > /etc/apt/sources.list.d/foreman_registration.list
<%= shell_escape @repo %>
Expand All @@ -71,7 +96,7 @@ EOF

else
echo "Unsupported operating system, can't add repository."
exit 1
cleanup_and_exit 1
fi
<% end -%>

Expand Down Expand Up @@ -102,7 +127,7 @@ echo "#"
if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then
register_katello_host(){
UUID=$(subscription-manager identity | head -1 | awk '{print $3}')
curl --silent --show-error --cacert $SSL_CA_CERT --request POST "<%= @registration_url %>" \
curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \
--data "uuid=$UUID" \
<%= headers.join(' ') %> \
<%= " --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
Expand All @@ -115,42 +140,73 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then
<%= " --data packages=#{shell_escape(@packages)} \\\n" if @packages.present? -%>
<%= " --data 'update_packages=#{@update_packages}' \\\n" unless @update_packages.nil? -%>

}
}

KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/katello-server-ca.pem
RHSM_CFG=/etc/rhsm/rhsm.conf

<% if @force -%>
yum remove -y katello-ca-consumer\*
<% end -%>
# Backup rhsm.conf
test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak

# rhn-client-tools conflicts with subscription-manager package
# since rhn tools replaces subscription-manager, we need to explicitly
# install subscription-manager after the rhn tools cleanup
if [ x$ID = xol ]; then
yum remove -y rhn-client-tools
yum install -y --setopt=obsoletes=0 subscription-manager
$PKG_MANAGER remove -y rhn-client-tools
$PKG_MANAGER install -y --setopt=obsoletes=0 subscription-manager
fi

CONSUMER_RPM=$(mktemp --suffix .rpm)
curl --silent --show-error --output $CONSUMER_RPM <%= subscription_manager_configuration_url(hostname: @url_host) %>
# Prepare SSL certificate
cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
chmod 644 $KATELLO_SERVER_CA_CERT

# Workaround for systems with enabled FIPS,
# where installation of RPM generated on RHEL7 cause 'no digest' error
# See https://projects.theforeman.org/issues/32068
if [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]; then
rpm -ivh --nodigest --nofiledigest $CONSUMER_RPM
# Prepare subscription-manager
$PKG_MANAGER remove -y katello-ca-consumer\*

if ! [ -x "$(command -v subscription-manager)" ] ; then
$PKG_MANAGER install -y subscription-manager
else
yum localinstall $CONSUMER_RPM -y
$PKG_MANAGER upgrade -y subscription-manager
fi

rm -f $CONSUMER_RPM
if ! [ -f $RHSM_CFG ] ; then
echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
cleanup_and_exit 1
fi

subscription-manager register <%= '--force' if @force %> \
--org='<%= @organization.label %>' \
--activationkey=<%= shell_escape(activation_keys) %> || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
# Configure subscription-manager
test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
subscription-manager config \
--server.hostname="<%= @rhsm_url.host %>" \
--server.port="<%= @rhsm_url.port %>" \
--server.prefix="<%= @rhsm_url.path %>" \
--rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
--rhsm.baseurl="<%= @pulp_content_url %>"

# Older versions of subscription manager may not recognize
# report_package_profile and package_profile_on_trans options.
# So set them separately and redirect out & error to /dev/null
# to fail silently.
subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true

# Configuration for EL6
if grep --quiet full_refresh_on_yum $RHSM_CFG; then
sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
else
full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
fi

subscription-manager register <%= '--force' if @force %> \
--org='<%= @organization.label %>' \
--activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'cleanup_and_exit 1' %>
register_katello_host | bash
else
register_host | bash
fi
<% else -%>
register_host | bash
<% end -%>

cleanup_and_exit
3 changes: 3 additions & 0 deletions config/initializers/uri_jail.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
class URI::Generic::Jail < Safemode::Jail
allow :host, :path, :port, :query, :scheme
end
7 changes: 7 additions & 0 deletions test/unit/foreman/renderer/scope/macros/base_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
end
end

test 'URI::Generic jail test' do
allowed = [:host, :path, :port, :query, :scheme]
allowed.each do |m|
assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
end
end

context 'subnet helpers' do
setup do
host = FactoryBot.build(:host)
Expand Down

0 comments on commit 696b9be

Please sign in to comment.