I tried a number of ways to get kick running reliably but couldn't and it's deprecated anyway so I moved on to puppetssh. That required configuring smart-proxy's SSH keys, the foreman-proxy user and its sudo rights. There isn't a lot of documentation on this puppet run method and the DEBUG logging in foreman-proxy doesn't include any command output so it was hard to tell where/how something was failing.
By default, the foreman-proxy user doesn't have a shell (on RHEL) and wouldn't be able to run /usr/bin/ssh. A simple usermod -s /bin/bash did the trick but that seems like a security risk to me. On top of that, different sudo rights are necessary to run it so I had to change foreman-proxy ALL = NOPASSWD: /usr/bin/puppet kick to foreman-proxy ALL = NOPASSWD: /usr/bin/ssh. After that it was just a matter of configuring the ssh command.
In my case, we deployed a user account and SSH keys for running Puppet commands with sudo on client machines. I copied the private key to some place foreman-proxy could use it (eg: /etc/foreman-proxy/puppetssh/id_rsa) and configured the puppetssh parameters in /etc/foreman-proxy/settings.yml like so:
:puppetssh_command: /usr/bin/sudo /usr/bin/puppet agent -t --no-usecacheonfailure
:puppetssh_user: puppetssh
:puppetssh_keyfile: /etc/foreman-proxy/puppetssh/id_rsa
If this is still a problem, I've found that following along with the Foreman installation guide is very confusing. Both your dns and dhcp keys need to be the same, whereas the installation guide shows two different ways to configure keys between dns and dhcp.
This is what finally worked for me:
run: ddns-confgen -k foreman -a hmac-md5
This produces output that looks like this:
key "foreman" {
    algorithm hmac-md5;
    secret "GGd1oNCxaKsh8HA84sP1Ug==";
};
Put this block of text into /etc/rndc.key.
Now you have to update your daemon configurations:
/etc/named.conf
/etc/zones.conf
/etc/dhcp/dhcpd.conf
/etc/named.conf:
Add:
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "foreman"; };
};
This tells BIND to read the key named "foreman" out of /etc/rndc.key and to allow the key named "foreman" to connect to the control port on port 953 to do ddns updates.
Now, in /etc/zones.conf (this is from my example; I am using ".local" as my domain and 172.16.1.0/24 as my network, so adjust accordingly):
zone "1.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.1.16.172.in-addr.arpa";
    update-policy {
        grant foreman zonesub ANY;
    };
};
zone "local" {
    type master;
    file "/var/named/dynamic/db.local";
    update-policy {
        grant foreman zonesub ANY;
    };
};
The important part is:
update-policy {
    grant foreman zonesub ANY;
};
This is telling BIND that the key foreman is allowed to update/add any of the records in these zones.
Finally, and this is what messed me up because the install guide uses a different syntax for the DHCP server:
/etc/dhcp/dhcpd.conf
Add:
omapi-port 7911;
key foreman {
    algorithm HMAC-MD5;
    secret "GGd1oNCxaKsh8HA84sP1Ug==";
};
omapi-key foreman;
Now move on to the foreman-proxy config files:
/etc/foreman-proxy/settings.d/dns.yml
/etc/foreman-proxy/settings.d/dhcp.yml
Contents of: /etc/foreman-proxy/settings.d/dns.yml
---
# DNS management
:enabled: true
# valid providers:
# dnscmd (Microsoft Windows native implementation)
# nsupdate
# nsupdate_gss (for GSS-TSIG support)
# virsh (simple implementation for libvirt)
:dns_provider: nsupdate
:dns_key: /etc/rndc.key
# use this setting if you are managing a dns server which is not localhost through this proxy
:dns_server: 127.0.0.1
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400
Contents of: /etc/foreman-proxy/settings.d/dhcp.yml
---
# Enable DHCP management
:enabled: true
# valid vendors:
# - isc
# - native_ms (Microsoft native implementation)
# - virsh (simple implementation for libvirt)
:dhcp_vendor: isc
:dhcp_config: /etc/dhcp/dhcpd.conf
:dhcp_leases: /var/lib/dhcpd/dhcpd.leases
:dhcp_key_name: foreman
:dhcp_key_secret: GGd1oNCxaKsh8HA84sP1Ug==
For whatever reason having both configured with different keys kept causing problems for me. This finally fixed it. Hope that helps.
Oh, and as an FYI, those files (/etc/rndc.key, /etc/dhcp/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases) need to be readable by foreman-proxy. I accomplished this by adding foreman-proxy to the dhcp and named groups:
usermod -a -G dhcpd foreman-proxy
usermod -a -G named foreman-proxy
ls -l /etc/named.conf /etc/zones.conf /etc/rndc.key /etc/dhcp/dhcpd.conf /var/lib/dhcpd/dhcpd.leases
-rw-r--r--. 1 root root 787 Apr 10 14:56 /etc/dhcp/dhcpd.conf
-rw-r-----. 1 root named 275 Apr 10 14:45 /etc/named.conf
-rw-r-----. 1 root named 77 Apr 10 14:41 /etc/rndc.key
-rw-r-----. 1 root named 316 Apr 10 12:40 /etc/zones.conf
-rw-r--r--. 1 dhcpd dhcpd 1262 Apr 10 15:00 /var/lib/dhcpd/dhcpd.leases
id foreman-proxy
uid=498(foreman-proxy) gid=497(foreman-proxy) groups=497(foreman-proxy),52(puppet),177(dhcpd),25(named)
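As an added example (not from this answer or from the Foreman project), here is a small Python check for the mismatch the answer above ran into: it parses the key statement out of /etc/rndc.key and /etc/dhcp/dhcpd.conf and the :dhcp_key_name / :dhcp_key_secret entries out of the proxy's dhcp.yml, and reports every place where the key name, algorithm or secret disagree. The file contents below are constructed strings shaped like the answer's snippets (the secret is a dummy), and the function names are my own.

```python
import re

# Constructed sample inputs shaped like the answer's snippets; the secret is a dummy value.
RNDC_KEY = 'key "foreman" {\n    algorithm hmac-md5;\n    secret "Q29uc3RydWN0ZWRTZWNyZXQ="; };\n'
DHCPD_CONF = ('omapi-port 7911;\nkey foreman {\n    algorithm HMAC-MD5;\n'
              '    secret "Q29uc3RydWN0ZWRTZWNyZXQ=";\n};\nomapi-key foreman;\n')
DHCP_YML = ('---\n:enabled: true\n:dhcp_vendor: isc\n:dhcp_key_name: foreman\n'
            ':dhcp_key_secret: Q29uc3RydWN0ZWRTZWNyZXQ=\n')

# Matches both BIND style (quoted name, lowercase algorithm) and dhcpd style (bare name, uppercase).
KEY_BLOCK = re.compile(r'(?<![\w-])key\s+"?([\w.-]+)"?\s*\{(.*?)\}', re.S)

def parse_key_block(text):
    """Return {name, algorithm, secret} from a BIND/dhcpd 'key' statement; algorithm is lower-cased."""
    m = KEY_BLOCK.search(text)
    if not m:
        raise ValueError("no key block found")
    name, body = m.groups()
    alg = re.search(r'algorithm\s+([\w-]+)\s*;', body)
    sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
    if not (alg and sec):
        raise ValueError("key block is missing algorithm or secret")
    return {"name": name, "algorithm": alg.group(1).lower(), "secret": sec.group(1)}

def parse_dhcp_yml(text):
    """Return {name, secret} from the smart proxy's dhcp.yml (flat ':key: value' lines only)."""
    name = re.search(r'^:dhcp_key_name:[ \t]*(\S+)', text, re.M)
    sec = re.search(r'^:dhcp_key_secret:[ \t]*(\S+)', text, re.M)
    return {"name": name.group(1) if name else None, "secret": sec.group(1) if sec else None}

def check_key_consistency(rndc_key, dhcpd_conf, dhcp_yml):
    """List every mismatch between the three places the TSIG key must agree; [] means consistent."""
    bind, dhcpd, proxy = parse_key_block(rndc_key), parse_key_block(dhcpd_conf), parse_dhcp_yml(dhcp_yml)
    problems = []
    if bind["name"] != dhcpd["name"]:
        problems.append(f"key name: rndc.key={bind['name']} dhcpd.conf={dhcpd['name']}")
    if bind["algorithm"] != dhcpd["algorithm"]:
        problems.append(f"algorithm: rndc.key={bind['algorithm']} dhcpd.conf={dhcpd['algorithm']}")
    if bind["secret"] != dhcpd["secret"]:
        problems.append("secret: rndc.key and dhcpd.conf differ")
    if proxy["name"] != dhcpd["name"]:
        problems.append(f"dhcp.yml :dhcp_key_name={proxy['name']} but dhcpd.conf declares {dhcpd['name']}")
    if proxy["secret"] != dhcpd["secret"]:
        problems.append("dhcp.yml :dhcp_key_secret does not match dhcpd.conf")
    omapi = re.search(r'^omapi-key\s+([\w.-]+)\s*;', dhcpd_conf, re.M)
    if not omapi or omapi.group(1) != dhcpd["name"]:
        problems.append("dhcpd.conf omapi-key does not name the declared key")
    return problems

if __name__ == "__main__":
    print(check_key_consistency(RNDC_KEY, DHCPD_CONF, DHCP_YML) or "keys consistent")
```

On a real host, read the three files instead of the constants (the proxy must be able to read them, as the group changes above show) and treat a non-empty list as the reason for a failed DHCP/DNS operation.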
Best Answer
Finally managed to get it running! It seems the error code (ERF12-4252) corresponds to different errors. I had different misconfigurations that returned different errors on the console, but Foreman always reported the same message. The way to solve the issue for me was to use the puppet kick <mynode> command from the command line. There I discovered that my client certificate had a typo in its name and thus did not match the hostname. On the Windows client I did the same (stopping the Puppet Windows service and starting the agent in the Puppet command line window with puppet agent --debug --no-daemonize) to verify if anything happens on the agent. This also helped in finding the correct directory for the auth.conf file. When installing the agent on Windows, the auth.conf file is placed in the install directory (usually C:\Program Files\PuppetLabs\Puppet\puppet\conf), but it is expected in C:\ProgramData\PuppetLabs\puppet\etc! So, copying the file to this location and adding the required lines did the trick.
After that, I only had to delete the old host in foreman, create a new certificate on the agent, sign it on the puppetmaster and add the new host in foreman.