Direct the users to use the new CA refresh script instead of the rpm #11079
Conversation
| @@ -143,8 +143,7 @@ def next_steps_message | |||
| You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
There was a problem hiding this comment.
Please fix this comment.
Maybe something like:
You will have to apply the new katello-ca-consumer and reregister all clients and #{@plural_proxy} with subscription-manager
Comment
There was a problem hiding this comment.
This seems entirely wrong. Just because the hostname changes does not require re-registration of a host.
There was a problem hiding this comment.
If we change Foreman's host name, we will definitely need to reconfigure rhsm to point to the new server, and sometimes (depends if the cert is self-managed for example) we will need the CA to be updated. I think that simplifying the procedure takes precedence here, and having a single procedure will do us good.
There was a problem hiding this comment.
None of that requires a host to be re-registered.
| @@ -143,8 +143,7 @@ def next_steps_message | |||
| You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
| (update organization and environment arguments appropriately): | |||
|
|
|||
| yum remove -y katello-ca-consumer* | |||
| rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
| set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |||
There was a problem hiding this comment.
Is this what you want?
| set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |
| curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash -o pipefail |
There was a problem hiding this comment.
No. When curl fails, we want to stop bash from running, otherwise the return code of the action would be 0.
There was a problem hiding this comment.
When the hostname changes on the server, we don't need to perform a CA refresh, we need to perform a sub-man configuration update (to point to the new hostname).
There was a problem hiding this comment.
@ehelms I take your point about changing from re-registration to reconfiguration.
Now about hostname change: is there a chance that hostname change also requires change to a certificate? For example if the CA is self-signed?
There was a problem hiding this comment.
Not the CA certificate since it is not tied to a hostname.
There was a problem hiding this comment.
I guess, if its only about changing the subscription-manager configuration, something like this is sufficient: https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/snippet/subscription_manager_setup.erb#L108 ?
Then we should also get rid of
and rewrite
| @@ -143,8 +143,7 @@ def next_steps_message | |||
| You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
| (update organization and environment arguments appropriately): | |||
|
|
|||
| yum remove -y katello-ca-consumer* | |||
| rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
| set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |||
| subscription-manager register --org="Default_Organization" --environment="Library" --force | |||
|
|
|||
| Then reattach subscriptions to the client(s) and run: | |||
There was a problem hiding this comment.
attach is no longer necessary with SCA?
There was a problem hiding this comment.
@ianballou any thoughts on this one? I don't mind doing the change, but open to suggestions about what is needed here.
| @@ -143,8 +143,7 @@ def next_steps_message | |||
| You will have to install the new bootstrap rpm and reregister all clients and #{@plural_proxy} with subscription-manager | |||
| (update organization and environment arguments appropriately): | |||
|
|
|||
| yum remove -y katello-ca-consumer* | |||
| rpm -Uvh http://#{@new_hostname}/pub/katello-ca-consumer-latest.noarch.rpm | |||
| set -o pipefail && curl -sS "http://#{@new_hostname}/unattended/public/foreman-ca-refresh" | bash | |||
| subscription-manager register --org="Default_Organization" --environment="Library" --force | |||
There was a problem hiding this comment.
Is this the default way to register? I think, using a activation key is more common.
Or should is use the HostRegistration template for the whole process?
There was a problem hiding this comment.
Host registration is actually a good idea, but we can't put here the command that initiates it, since each invocation generates a new token.
Maybe we should change this part to something that will say "Go to Foreman UI and generate a registration command" (with proper links of course)?
There was a problem hiding this comment.
As I stated above, changing the hostname should not require clients to be re-registered, only re-configured.
Update the katello host rename script documentation to the new CA refresh script introduced in theforeman/foreman#10208