Migration guide to convert Uyuni installation from RPM to container setup?

[mayrstefan]

With the release of 2024.05 we got two announcements that will affect existing Uyuni installations:

1. the container version of Uyuni is now ready for prime time
2. there will be only one more RPM release: 2024.06

So what are the supported migration or upgrade paths to switch an existing installation from RPM to the new container setup? Do we have a migration guide that we can follow?

[mayrstefan]

I'm aware of

• https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/server-intro-uyuni.html#container-deployment/suma/migrate-uyuni-to-a-container.adoc which does not contain any information at all.
• https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/container-deployment/uyuni/migrate-uyuni-to-a-container.html which does explain the difference between the kubernetes and podman variants and has no information regarding the verions that can be used for that migration.

[mayrstefan]

And some more confusion: https://youtu.be/0eiQIDTGY-U?t=88 uses Leap 15.5 and 15.6 while the docs in https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/container-deployment/uyuni/opensuse-leap-micro-deployment.html use only Leap Micro 5.5

[rjmateus]

For now we, are only supporting the migration or existing servers to a new machine. The reason is that we didn't had the time to test an in-place migration yet.
The tested scenario is deploy a new machine with opensuse leap micro 5.5, install the new tools, configure ssh connection between new machine and new one, and run the migrate command. All data should be migrated to the new containerized version.
After that you only need to change DNS to point to the new machine and al should be working with all the data.

The migration was tested for uyuni running on podman and kubernetes.

Thank you for point out the documentation, I also think it's not clear enough, and we will work on improving it.

[sbluhm]

@rjmateus , got one more question on this for testing.
Am I correct to assume that the migration is non-destructive/intrusive? I.e. Can I run the migration multiple times with the same result?
Otherwise it would require cloning the prod server first for testing.

[rjmateus]

Migration is non-destructive. With migration from 4.3 to 5.0, the old machine will stay untouch. If something going wrong in the migration, you can just revert the DNS and have the old suma working.
Then you can migrate again, how many times you want.

[mayrstefan]

So if I understand this correctly we can use the migration command to upgrade from a 2024.03 legacy to a 2024.05 container setup in one step. No need to upgrade the legacy setup first and migration in a second step. Although I think I would prefer doing the two-step approach so differ which issues come from the version upgrade and which come from the new container setup.

When the migration is done - can we change the Uyuni master name on the clients to get rid of the old DNS name or will it have to stick around forever? I would like to transfer all clients to a generic alias which is easier to move around between servers. Keeping the old server name would complicate things for us.

[rjmateus]

You can migrate from uyuni version 2024.03 to a containerized one, with no need for an intermediate step.
The current approach is to migrate to a new server and adjust the DNS to redirect the traffic from the old server to the new one. After this one should be able to change server DNS, as it was able in the past.
However, the script to change the DNS has not been migrated yet, so it will not work as is. Updating the script is in our plans, but I cannot say when it will be ready (we hope it will be soon).

[ppanon2022]

Does the migration script handle migrating imported/custom signed cert/key pairs for the server if they're in use? If not, do you have some guidance on how to modify settings in the container and deploying the associated CA chain certs? Other customizations of concern would be the salt pillars for copying GPG keys according to https://www.uyuni-project.org/uyuni-docs/en/uyuni/client-configuration/gpg-keys.html#_user_defined_gpg_keys (which currently doesn't seem to actually work for us even in an rpm installation), generating new management GPG keys for signing repo data in the containerized model https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/repo-metadata.html. How does that get done in the container environment? When can we expect updated documentation for doing that?

For anything that isn't supported by the migration script, I'm going to guess that we would use mgrctl term, similar to what you've indicated for the PAM setup in #8675 (which we also use), but are there any gotchas?

I'm also not clear on how updates are supposed to happen in the containerized environment. If we just update the container, but we've had to make these changes in the container overlay, won't they get lost with the container update? Having to redo all these changes manually with each new container release/update would be a big step backwards.

[mbussolotto]

I confirm also the reports are automatically migrated by mgradm migrate podman ...

[ppanon2022]

I confirm also the reports are automatically migrated by mgradm migrate podman ...

I'm finally trying to do a migration test with 2024.08. I've already set up the authorized-keys ssh settings on the legacy Uyuni server, tested that it works to ssh directly to root from the container server but, when trying to do a trial run, I now get

# mgradm migrate podman --prepare --logLevel debug <legacy_uyuni.fqdn>
8:07PM INF mgradm/cmd/cmd.go:67 > Welcome to mgradm
8:07PM INF mgradm/cmd/cmd.go:68 > Executing command: podman
8:07PM INF shared/utils/utils.go:200 > Computed image name is registry.opensuse.org/uyuni/server:latest
8:07PM DBG shared/utils/inspector.go:51 > Generating inspect script in /tmp/mgradm-1406773444/inspect.sh
8:07PM DBG shared/utils/exec.go:50 > Running: /tmp/mgradm-1406773444/inspect.sh
8:07PM DBG shared/utils/inspector.go:80 > Trying to read /tmp/mgradm-1406773444/data
8:07PM INF shared/podman/images.go:44 > Pull Policy is always. Presence of RPM image will be checked and if it's not present it will be pulled from registry
8:07PM DBG shared/podman/images.go:112 > Looking for installed RPM package containing registry.opensuse.org/uyuni/server:latest image
8:07PM DBG shared/podman/images.go:118 > Cannot read directory /usr/share/suse-docker-images/native/ error="open /usr/share/suse-docker-images/native/: no such file or directory"
8:07PM INF shared/podman/images.go:60 > Cannot find RPM image for registry.opensuse.org/uyuni/server:latest
8:07PM DBG shared/podman/images.go:64 > Pulling image registry.opensuse.org/uyuni/server:latest because it is missing and pull policy is not 'never'
8:07PM INF shared/podman/images.go:210 > Running podman pull registry.opensuse.org/uyuni/server:latest
8:07PM DBG shared/utils/exec.go:50 > Running: podman pull registry.opensuse.org/uyuni/server:latest
Trying to pull registry.opensuse.org/uyuni/server:latest...
Getting image source signatures
Copying blob 0a5f8240e04b skipped: already exists
Copying blob 3e004aa9a8af skipped: already exists
Copying blob 4dcdc701cb4a skipped: already exists
Copying config 1b794a1eb8 done |
Writing manifest to image destination
1b794a1eb81cf14fe337f9bf243e0cd56f81c4af9bc3e1bb259396f702a6f49e
8:07PM INF mgradm/shared/podman/podman.go:196 > Migrating server
8:07PM DBG shared/utils/exec.go:50 > Running: podman run --name uyuni-migration --rm --cap-add NET_RAW --tmpfs /run -v cgroup:/sys/fs/cgroup:rw --security-opt label=disable -e SSH_AUTH_SOCK -v /tmp/ssh-XXXXXXavM1nX:/tmp/ssh-XXXXXXavM1nX -v /tmp/mgradm-3425645276:/var/lib/uyuni-tools/ -v /root/.ssh/known_hosts:/etc/ssh/ssh_known_hosts -v var-cobbler:/var/lib/cobbler -v var-salt:/var/lib/salt -v var-cache:/var/cache -v var-spacewalk:/var/spacewalk -v var-log:/var/log -v srv-salt:/srv/salt -v srv-www:/srv/www/ -v srv-tftpboot:/srv/tftpboot -v srv-formulametadata:/srv/formula_metadata -v srv-pillar:/srv/pillar -v srv-susemanager:/srv/susemanager -v srv-spacewalk:/srv/spacewalk -v root:/root -v ca-cert:/etc/pki/trust/anchors -v etc-tls:/etc/pki/tls -v var-pgsql:/var/lib/pgsql -v etc-rhn:/etc/rhn -v tls-key:/etc/pki/spacewalk-tls -v etc-apache2:/etc/apache2 -v etc-systemd-multi:/etc/systemd/system/multi-user.target.wants -v etc-systemd-sockets:/etc/systemd/system/sockets.target.wants -v etc-salt:/etc/salt -v etc-rhn:/etc/rhn -v etc-tomcat:/etc/tomcat -v etc-cobbler:/etc/cobbler -v etc-sysconfig:/etc/sysconfig -v etc-postfix:/etc/postfix -v etc-sssd:/etc/sssd registry.opensuse.org/uyuni/server:latest /var/lib/uyuni-tools/migrate.sh
Preparing migration...
Permission denied, please try again.
Permission denied, please try again.
Received disconnect from 10.1.11.155 port 22:2: Too many authentication failures
Disconnected from 10.1.11.155 port 22
Error: cannot run migration script: cannot run uyuni migration container: failed to run uyuni-migration container: exit status 255

Why is it getting ssh connections denied when I've tested it successfully prior?
If I look at the legacy server's audit log, when I log in from root to root with ssh, I just see lines with res=success, including some
type=CRYPTO_KEY_USER lines.
When I run the mgradm command, I see a bunch of failing type=USER_AUTH line failures, then a couple of successful type=CRYPTO_KEY_USER lines, but with a failing type=USER_ERR between them and a failing type=USER_LOGIN afterwards.

So I'm guessing the mgradm command is failing because of the USER_AUTH (op=PAM:authentication and op=challenge-response ) failures are superceding the later ssh key successes, but I don't understand why mgradm is trying to do challenge-response when the ssh client doesn't. Or how to suppress it.

I am using openSUSE Leap Micro 6.0, because by the time I tried to get started, Leap Micro 5.5 was no longer available for download, but I wouldn't think it would affect something like ssh connections.

[admd]

Hi Paul-Andre,
If you have followed the these instruction https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/container-deployment/uyuni/migrate-uyuni-to-a-container.html#_prepare_the_ssh_connection and you still get this error, please create a Uyuni issue.

[admd]

BTW you can still download Leap Micro 5.5 http://download.opensuse.org/distribution/leap-micro/5.5/product/iso/

[ppanon2022]

I confirm also the reports are automatically migrated by mgradm migrate podman ...

Thanks. Thanks to your reply in the other bug report, I did find the issue was not re-running ssh-add after starting the ssh agent. I had done that before a transactional update reboot, but not afterwards. As you can see in my other reply lower, I ran into some other issues, some of which were my fault, but which the Uyuni container tools don't provide an easy way to recover from.

The #1 thing I'm currently finding a challenge that didn't get migrated is realm/sssd configuration for SSO authentication against AD or LDAP to allow use with Uyuni.

It looks like the 2024.08 release supports two ways of doing AD auth, SSO with SAML2.0 and SSO with PAM
https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/auth-methods.html
However, I don't see how the pam config should work. I do see a health check failure, so I perhaps shouldn't have tried to install sssd packages at the host level. That page is minimalistic in its example. I suppose you're trying to encourage SAML use more now?

I did get adcli to rejoin the container, but it's looks like it's not really all that useful since the kerberos config file isn't persistent, so it disappears with the next container restart. I guess we have to use LDAP?

The other thing is I'm seeing a healthcheck failure for the Uyuni pod. The web site seems up, but not everything seems to be working. Any tips on how to get more details on the healthcheck failure than "healthcheck failed"? Maybe that could be added to the troubleshooting section.

P.S. There's a mistake in https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/container-deployment/uyuni/migrate-uyuni-to-a-container.html

2. Copy the file into the container with:
   mgradm cp /local/ca.file server:/etc/pki/trust/anchors/

should be using mgrctl, not mgradm

[digdilem]

I think ppanon2022 makes some very valid points, all of which I share. The timescale seems very short for all of those reasons, plus the complexity of what may be quite evolved installations. Migration scripts in my experience rarely manage to resolve every single issue without fault, so it seems likely there will be a lot of testing and issues arising.

That might mean several migration attempts for each user, then if they do hit problems, having to restore from backups, report the issue and wait for the dev team to fix. It feels unrealistic for that to happen within one month at any time of the year, but especially during the northern hemisphere's summer break.

Admission: I hadn't actually realised until now that this container change would be mandatory and that Uyuni would only be available as a container option going forwards, so perhaps I hadn't given it my full attention. But this makes me uneasy and not every admin will have familiarity with the tools and methods going forwards. I would have expected some quite big notifications to make users aware of this, and at least a six month transition period.

[mbussolotto]

Will adcli be changed to move that setting into a separate file in krb5.conf.d

I think if you create a file in krb5.conf.d, you should be able to overwrite the default_realm, at least this is the expected behaviour.

there doesn't seem to be much possibility for adding 3rd party 2FA pam modules

Consider that the backend is managed by sssd, so it should be fine to handle lots of different modules...let us know if there's some scenario that is missing, you can discusss about how to add it.

[ppanon2022]

As far as I know, modularization and extension is done via pam, not sssd. I mean, there's some sssd variation available for joining via adcli vs. samba and using their respective callback handler libraries. But IIRC those options are hardcoded and sssd isn't anywhere near as standardized or designed for 3rd party integration the way PAM is, so I think the latter is what most 2FA solutions would use for maximum portability.

If you take a look at the Cisco Duo installation process, it uses a separate pam module and the pam configuration files are modified to make it a second necessary component for ssh (or uyuni login). hhttps://duo.com/docs/duounix.
Following the Build and Install from Source section, that pam module is installed by the make command under /lib and it also modifies some pam config files, such as for ssh, in /etc/pam.d. I can manually build the libraries on a full Leap install, then manually copy the linklib module to the container and modify the pam config files. However, if there are no persistent changes possible to /lib, and pam configuration files under /etc/pam.d are also immutable, then I don't see how it's possible to persist such a configuration. Those directories don't show up in the list of persistent volumes for the server container (which I presume will be updated when PR 9188 is incorporated into a release).
https://www.uyuni-project.org/uyuni-docs/en/uyuni/installation-and-upgrade/container-management/persistent-container-volumes.html

I think if you create a file in krb5.conf.d, you should be able to overwrite the default_realm, at least this is the expected behaviour.

True, but it would be helpful to expand the current documentation that just says "use mgrctl term, change sssd.conf, then restart the container" and Bob's your uncle. If you also manually need to move directives like the default_realm directive into a separate file in /etc/krb5.conf. because adcli isn't being modified to support those persistent volume configurations, then departures from common administration workflows should be documented a little more clearly. Maybe some people will come looking and hit this discussion thread, but you might also lose a few users.
https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/auth-methods-pam.html

I had this working for both ssh and the uyuni web app in the previous non-container installation. Now that I understand a little better how MicroOS transactional-update config works, I might be able to get it to work for ssh at the host level again (the older version of Duo depended on the 1.1 openssl library which doesn't have compat packages in MicroOS, but a newer version hopefully supports the openssl 3 libs included in MicroOS). Unfortunately, I don't see how I can get it to work for the Uyuni web app in the container currently.

P.S. Since I didn't say it already, thank you very much for your responses and the pointer to PR 9188. I'm looking forward to a release that contains it.

[ppanon2022]

I've managed to get Duo to work for the MicroOS host's ssh connection. Firstly, I got sssd ad authentication configured (which required using 'semanage boolean --modify --on kerberos_enabled'). Then I compiled from the source tarball on an openSUSE Leap 15.5 system, copied the tarball to the host, and manually installed the libraries (the make install command somehow requires gcc for the build dependencies, and it isn't available on MicroOS). I only actually need to install the pam components, since we don't use the duo_login (and the pam components are what we would want for web app auth in the container). The duo_unix_support directory/command isn't needed for normal operation, just for gathering info for a support case. Below are the commands I used to install it on the host, plus setting up the /etc/duo/pam_duo.conf (which I copied separately from the full Leap server because it isn't in the compiled tarball), to provide an example of the directories it uses. It's not a huge list, the really critical ones are the /etc/duo directory, the /lib64/security directory, maybe what goes in /usr/lib64/pkgconfig (not sure what it does), and whatever the container pam's equivalent of the /usr/lib/pam.d/postlogin-auth would be. However, I'm not sure what libtool does beyond copying the two pam_duo library files into /lib64/security and what other directories/files libtool might change. Those lib loader cache updates might be deal-breakers. I don't remember needing to do any SELinux chcon context changes as the context inherited from the parent directories seemed to generally be functional - although it might be better to change some user contexts from unconfined_u to system_u.

transactional-update shell
cd /root/duo_unix-2.0.3/lib
mkdir -p /usr/lib64/pkgconfig
/usr/bin/install -c -m 644 libduo.pc '/usr/lib64/pkgconfig'
cd ../login_duo
/bin/sh ../libtool --mode=install /usr/bin/install -c login_duo '/usr/sbin'
chmod 4755 /usr/sbin/login_duo
/usr/bin/mkdir -p /etc/duo
#cp ../../etcduoconf/login_duo.conf /etc/duo
#cat > /etc/duo/login_duo.conf
#chown sshd /etc/duo/login_duo.conf
#chmod 600 /etc/duo/login_duo.conf
cd ../duo_unix_support/
/usr/bin/install -c duo_unix_support.sh '/usr/sbin'
/usr/bin/mkdir -p '/usr/share/doc/duo_unix/duo_unix_support'
/usr/bin/install -c -m 644 README.md '/usr/share/doc/duo_unix/duo_unix_support'
#
cp ../../etcduoconf/pam_duo.conf /etc/duo
chmod 600 /etc/duo/pam_duo.conf
cd ../pam_duo/
/bin/sh ../libtool --mode=install /usr/bin/install -c pam_duo.la '/lib64/security'
/usr/bin/mkdir -p '/usr/share/doc/duo_unix'
cd ..
find . -name README.md
/usr/bin/install -c -m 644 README.md CONTRIBUTING.md AUTHORS CHANGES sbom.spdx '/usr/share/doc/duo_unix'
/usr/bin/mkdir -p '/usr/share/LICENSES'
/usr/bin/install -c -m 644 LICENSES/SSH-short.txt LICENSES/MIT.txt LICENSES/LicenseRef-URLEnc-MIT.txt LICENSES/GPL-2.0-with-classpath-exception.txt LICENSES/GPL-1.0-only.txt LICENSES/FSFULLR.txt LICENSES/FSFAP.txt LICENSES/BSD-4-Clause.txt LICENSES/BSD-3-Clause.txt LICENSES/BSD-2-Clause.txt LICENSES/Apache-2.0.txt '/usr/share/LICENSES'
semanage boolean --modify --on authlogin_yubikey
echo "auth required /lib64/security/pam_duo.so" >> /usr/lib/pam.d/postlogin-auth
exit

[ppanon2022]

One more question about the postgresql.conf configuration that is set up by the migration. I noticed that it sets wal logging level to archive (which is somewhat deprecated and synonymous with replication). Is there some type of automated backup set up in the container for the database? If it's not set to minimal and there is no backup, then I think it's going to grow those wal logs with every row data or schema change. If there is a pre-configured mechanism, what is it and what is the schedule?

One more request, we used to run spacewalk-report and send the results out with output piped through the mailx command, but there doesn't seem to be a mailx (or even a mail) command in the container. Could that be added or is there a different mail mechanism you would recommend within the container context?

[ppanon2022]

@ppanon2022 there's already a PR to fix this #9188 . Let us know if there's something else we can do to improve it

Ah, one more thing. Our AD domain controllers enforce SASL channel binding as described in
https://access.redhat.com/articles/4661861#:~:text=The%20channel%20binding%20type%20to%20use%20can%20be%20configured%20in
Could /etc/openldap/ldap.conf for the container include `SASL_CBINDING tls-endpoint', or can the file can be externalized and editable/persistent to add the option? /etc/openldap isn't on the list of persistent container volumes

As for the container host itself, there is no installable libldap-data package for that directory and config file. If I create the directory and file manually in a transactional-update shell, will the sssd ldap lookup functions use it, or does it try to find and parse that file from a different directory such as /etc/ldap, /usr/etc/openldap, /usr/etc/ldap, /lib/openldap, /lib/ldap, or something else?

[ppanon2022]

OK, this is actually pretty important to avoid filling the database disk. How are we supposed to be doing database backups to clear the wal logs with the container? With the legacy install, we were setting wal logging to minimal, and doing VM level snapshot backups that got deduped. If I try to do this with the container, postgresql won't startup with the error
Sep 20 10:51:59 uyuni-server.mgr.internal systemd[1]: Starting PostgreSQL database server...
Sep 20 10:51:59 uyuni-server.mgr.internal postgresql-script[395]: 2024-09-20 10:51:59.726 PDT [395]FATAL: WAL archival cannot be enabled when wal_level is "minimal"
Sep 20 10:51:59 uyuni-server.mgr.internal postgresql-script[393]: pg_ctl: could not start server
Sep 20 10:51:59 uyuni-server.mgr.internal postgresql-script[393]: Examine the log output.
Sep 20 10:51:59 uyuni-server.mgr.internal systemd[1]: postgresql.service: Control process exited, code=exited, status=1/FAILURE
Sep 20 10:51:59 uyuni-server.mgr.internal systemd[1]: postgresql.service: Failed with result 'exit-code'.
Sep 20 10:51:59 uyuni-server.mgr.internal systemd[1]: Failed to start PostgreSQL database server.

I mean I guess I'm supposed to use
https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/backup-restore.html
to set it up, but that's just going to unnecessarily use storage. And if you have a container and a migration script, why wouldn't you automatically set that up with the migration script so that people don't have a nasty surprise with their DB disk filling up?

[rjmateus]

@mbussolotto I think this is something we should look at. Could you have a look and give your opinion? Thank you

[ppanon2022]

Following the instructions above, it looks like the archive logs just build up in /var/spacewalk/db-backup. Currently up to 540+ files in the top level of that directory. Can I just have the cron job clear out everything in /var/spacewalk/db-backup before running the smdba backup-hot command?

[ppanon2022]

I'm also a little confused about how cobblerd and autoinstallable distributions are supposed to work. It seems like at one point it was recommended to run dhcpd on the Uyuni server so that Uyuni could update the dhcpd configuration dynamically. However, dhcpd doesn't seem to be included in the container so that's clearly no longer the case. Is there some guidance I've missed on how to configure dhcpd for BOOTP redirection to the TFTPD service? Are we supposed to just use an Uyuni proxy for dhcp/tftp PXE bootstrapping? The DHCPd salt formula still seems to be in the 2024.08 Specialized Guides but I thought I had read somewhere that that salt formula was deprecated. Is there something I've missed in Community Hours on the future direction in the container-based deployment for this functionality?

[rjmateus]

@aaannz could you advise in this regard? Thank you

[aaannz]

I do not remember when dhcpd was recommended to run on Uyuni. As far as I remember, cobbler managed dhcpd was not supported by Uyuni/SUSE Manager.
External DHCP service is supposed to be used and depending on what service is used there are different configuration options to set BOOTP to point the Uyuni server.

DHCPd formula still can be used, however you need Leap or SLES minion for it.

Lastly, you can use both Uyuni Server and Uyuni Proxy as PXE hosts. Uyuni Server has socket activated tftpd service, Uyuni Proxy has tftpd translation container running.

[ppanon2022]

I've got one more question. On one of our Uyuni systems, we are using an NFS volume for the /var/spacewalk package repos (and a separate virtual disk for /var/lib/pgsql). But mgr-storage-server takes two disk devices as arguments. How do we deal with the migration and that command if we still want that mapped storage to be an NFS drive. Is there something fundamental about podman that requires that to be a disk interface? Or is it safe to run that command using a small dummy disk, then move its contents into an NFS volume and replace the small disk mount with the NFS mount? We would still use a virtual local disk for the Postgresql database.

If it does require a local disk interface, why?

[rjmateus]

the tool is just preparing the disk, formating it and mount it in the right location. the trick in here is mount it in the expected location. You are not forced to use this script and can make it by hand, and mount whatever you want.
https://github.com/uyuni-project/uyuni/blob/master/uyuni/uyuni-storage-setup/scripts/mgr-storage-server#L67
https://github.com/uyuni-project/uyuni/blob/master/uyuni/uyuni-storage-setup/scripts/mgr-storage-server#L48

The folder name inside the podman volumes should be the podman volume name.

[ppanon2022]

That's what I was suspecting. I had tried manually changing the fstab but I ran into an issue. It looks as though the NFS volume has to support NFSv4.2 for security label extensions, because otherwise the SELinux context setting commands in the migration script fail and the migration script aborts. I tried setting the context on the nfs mount options in the hope that they would be consistent for the volume, but that didn't help.

[ppanon2022]

Um, our two openSUSE Leap Micro container hosts for Uyuni (in different sites) both appear to have spontaneously rebooted at 4:30AM PST today. Is this typical? What would be the trigger?

[mcalmer]

Sounds like rebootmgr is active.

[ppanon2022]

That does seem to be the case. Micro's transactional update configuration has a bit of a learning curve. It also looks like the configuration file to change its schedule is /usr/etc/rebootmgr.conf (not /etc/rebootmgr.conf indicated by https://microos.opensuse.org/blog/2018-04-04-transactionalupdates/#:~:text=Rather%20than%20a%20dumb%20cron%20job,%20we%20recommend%20using%20rebootmgr.)

[ppanon2022]

Hmm. I don't seem to be able to use spacecmd from within the container context with a config file.

uyuni-server:~ # spacecmd
Welcome to spacecmd, a command-line interface to Spacewalk.

Type: 'help' for a list of commands
      'help <cmd>' for command-specific help
      'quit' to quit


ERROR: Failed to connect to http://<server.fqdn>/rpc/api

I do see some SELinux errors but they are for SEL context re-labeling, which seems to try to happen as a result of the spacecmd. It's possible it's misreporting the error. With no tcpdump packet capture available, it's not possible to be sure whether it's actually sending a packet or if it's very coarse-grained exception handling. It does take a long time to return the error.

/var/log/audit # audit2allow -a


#============= container_init_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
#       Possible cause is the source level (s0:c303,c621) and target level (s0) are different.
allow container_init_t container_file_t:dir relabelfrom;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
#       Possible cause is the source level (s0:c303,c621) and target level (s0) are different.

Suggestions? I could add a policy to allow the relabeling, but that seems like it would significantly reduce the security of the container.

[cbosdo]

From within the container, spacecmd should connect to localhost (no SSL) rather than the FQDN: this is due to hairpins caused by the podman network. Do you have an /root/.spacecmd/config file that sets the server URL to something else than localhost ?

[rjmateus]

To use spacecmd from inside the container please use localhost and call it with the insecure flag, to use HTTP instead of https

[rjmateus]

you may be hitting this error: uyuni-project/uyuni-tools#474
@cbosdo @mbussolotto could one of you have a look?

[cbosdo]

I doubt it's the same issue, but I fail to understand the real problem. The generated inspect script looks like this (replace the dataPath with any path) and is executed inside a container with the var-pgsql and etc-* volumes. I would be interested in knowing what the generated file looks like as that's the one failed to be parsed.

[ppanon2022]

The solution to the "Error: cannot inspect podman values: cannot inspect data: cannot read config: While parsing config: line..." turned out to be deleting a duplicate java.hostname entry/line in /etc/rhn/rhn.conf, per Issue #9348, and deleting the duplicate line and re-running the mgradm upgrade podman (following digdilem-work's recommendation) allowed the rest of the container upgrade to proceed. Unfortunately, it did not fix my localhost/loopback issue. Spacecmd still fails as does calls to cobbler, preventing the registration/onboarding and deletion of systems from uyuni. So just running spacecmd on a different system doesn't solve those other serious issues.

[cbosdo]

That discussion starts to grow in all directions and I'm a bit lost in it... Couldn't we try to separate problems in different discussions?

[ppanon2022]

I can see your point, but also there's a certain advantage to having a one stop shop survey article for issues that can arise from migration. Finding issues like #9348 and realizing it's applicable based on the issue's subject isn't straightforward. I think I should probably open an issue for my loopback/localhost problem at this point, but I don't know how to make it reproducible, so that's a challenge.

[digdilem-work]

I also hit this. Two options: As Ricardo mentioned, using localhost and –nossl works. From the host: mgrctl exec -- spacecmd -s localhost --nossl -u ValidUser -p UserPass The second option is to download spacecmd onto a different machine on your network and run commands from there. (The binaries are in most EL distros – “yum install spacecmd.noarch” ) Then you can use spacecmd as you did on the RPM distro. Eg: spacecmd -u ValidUser -p UserPass -s fqdn-of-original-server In both cases you can create the old ~/.spacecmd/config file with the server, user and password values to save entering them each time. From: Paul-Andre Panon ***@***.***> Sent: 09 October 2024 22:42 To: uyuni-project/uyuni ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [uyuni-project/uyuni] Migration guide to convert Uyuni installation from RPM to container setup? (Discussion #8816) Hmm. I don't seem to be able to use spacecmd from within the container context with a config file. uyuni-server:~ # spacecmd Welcome to spacecmd, a command-line interface to Spacewalk. Type: 'help' for a list of commands 'help <cmd>' for command-specific help 'quit' to quit ERROR: Failed to connect to http://CARMD-NV-UYUNI1.sierrawireless.local/rpc/api I do see some SELinux errors but they are for SEL context re-labeling, which seems to try to happen as a result of the spacecmd. It's possible it's misreporting the error. With no tcpdump packet capture available, it's not possible to be sure. /var/log/audit # audit2allow -a #============= container_init_t ============== #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. #Constraint rule: # constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED # Possible cause is the source user (system_u) and target user (unconfined_u) are different. # Possible cause is the source level (s0:c303,c621) and target level (s0) are different. allow container_init_t container_file_t:dir relabelfrom; #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. #Constraint rule: # constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED # Possible cause is the source user (system_u) and target user (unconfined_u) are different. # Possible cause is the source level (s0:c303,c621) and target level (s0) are different. Suggestions? — Reply to this email directly, view it on GitHub<#8816 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7AIN5J7TUNM7D7QTMIDHLDZ2WPJFAVCNFSM6AAAAABIIWRW7SVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAOBZG42DGNA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>

[ppanon2022]

That doesn't work for me

myuyuniserver:/home/itadmin # mgrctl exec -- spacecmd -s localhost --nossl -d
DEBUG: stdout is not a TTY, setting TERM=dumb
DEBUG: command=, return_value=False
DEBUG: Read configuration from /root/.spacecmd/config
DEBUG: Loading configuration section [spacecmd]
DEBUG: Current Configuration: {'server': 'localhost', 'username': 'swi_admin', 'password': '************', 'nossl': True}
DEBUG: Configuration section [localhost] does not exist
DEBUG: Connecting to http://localhost/rpc/api
ERROR: <class 'xmlrpc.client.ProtocolError'>
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/spacecmd/misc.py", line 295, in do_login
    self.api_version = self.client.api.getVersion()
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python3.6/xmlrpc/client.py", line 1187, in single_request
    dict(resp.getheaders())
xmlrpc.client.ProtocolError: <ProtocolError for localhost/rpc/api: 404 Not Found>
ERROR: Failed to connect to http://localhost/rpc/api
DEBUG: Error while connecting to the server http://localhost/rpc/api: <ProtocolError for localhost/rpc/api: 404 Not Found>

I'm actually trying to run my own python command that does multiple LCM promotions, but it uses a lot of the same python libraries as spacecmd for parsing the config file and running API calls, so spacecmd is a good debugging tool because my issues with that should be reproducible and easier to support. If I can get spacecmd to work then I should be able to get my command to work But so far no joy. I really don't want to set up a completely different VM just to be able to run that one command. It shouldn't be necessary.

[digdilem-work]

Can you reach that endpoint with curl? mgrctl term Then when inside the container; curl http://localhost/rpc/api Should return with no error. From: Paul-Andre Panon ***@***.***> Sent: 10 October 2024 19:18 To: uyuni-project/uyuni ***@***.***> Cc: Simon Avery ***@***.***>; Comment ***@***.***> Subject: Re: [uyuni-project/uyuni] Migration guide to convert Uyuni installation from RPM to container setup? (Discussion #8816) That doesn't work for me myuyuniserver:/home/itadmin # mgrctl exec -- spacecmd -s localhost --nossl -d DEBUG: stdout is not a TTY, setting TERM=dumb DEBUG: command=, return_value=False DEBUG: Read configuration from /root/.spacecmd/config DEBUG: Loading configuration section [spacecmd] DEBUG: Current Configuration: {'server': 'localhost', 'username': 'swi_admin', 'password': '************', 'nossl': True} DEBUG: Configuration section [localhost] does not exist DEBUG: Connecting to http://localhost/rpc/api ERROR: <class 'xmlrpc.client.ProtocolError'> Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/spacecmd/misc.py", line 295, in do_login self.api_version = self.client.api.getVersion() File "/usr/lib64/python3.6/xmlrpc/client.py", line 1112, in call return self.__send(self.__name, args) File "/usr/lib64/python3.6/xmlrpc/client.py", line 1452, in __request verbose=self.__verbose File "/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request return self.single_request(host, handler, request_body, verbose) File "/usr/lib64/python3.6/xmlrpc/client.py", line 1187, in single_request dict(resp.getheaders()) xmlrpc.client.ProtocolError: <ProtocolError for localhost/rpc/api: 404 Not Found> ERROR: Failed to connect to http://localhost/rpc/api DEBUG: Error while connecting to the server http://localhost/rpc/api: <ProtocolError for localhost/rpc/api: 404 Not Found> — Reply to this email directly, view it on GitHub<#8816 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7AIN5JODWJJ4WFMQJ4GR7LZ23AFZAVCNFSM6AAAAABIIWRW7SVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAOJQG4ZTSNY>. You are receiving this because you commented.Message ID: ***@***.******@***.***>>

[ppanon2022]

Not on this server having the problem, no.

uyuni-server:/ # curl http://localhost/rpc/api
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

We do have a different server where this isn't an issue. The curl works, and the spacecmd works. However, I don't remember doing anything different between the two migrations. They were both created with the same
mgradm migrate podman --prepare --logLevel debug servername
mgradm migrate podman --logLevel debug servername
commands.

The broken server does have some additional changes for sssd configuration attempts (currently failing due to lack of krb5.keytab that is awaiting a PR included in the next release). But that shouldn't be resulting in a 404 error AFAIK, since the rpc/api call should be using a local admin account. If that was causing problems, I would expect a 403 error or a 50X error. I tried stopping the sssd service and the error is unchanged (I tested and found that discrepancy thanks to your suggestion, so I do appreciate it.)

I'll see if I can think of what else might be different between the two systems and causing the discrepancy, but I'd be grateful for further suggestions.

[ppanon2022]

I'm wondering if setting up and running sssd on the container host could have interfered with the network configuration during pod deployment. See #8816 (reply in thread) above. What do you think?

[ppanon2022]

OK , one more question. Post-migration, we're having some problems updating some Redhat 8 systems with perl packages in Appstream modules. The Appstreams are enabled on the Uyuni system entry and running dnf module list on the client shows the same modules enabled.

    perl                 5.26 [d][e]     common [d], minimal                      Practical Extraction and Report Language                                                     

    perl-DBD-SQLite      1.58 [d][e]     common [d]                               SQLite DBI driver                                                                           
    perl-DBI             1.641 [d][e]    common [d]                               A database access API for Perl                                                              
    perl-FCGI            0.78 [d][e]     common [d]                               FastCGI Perl bindings                                                                       
    perl-IO-Socket-SSL   2.066 [d][e]    common [d]                               Perl library for transparent TLS                                                            
    perl-YAML            1.24 [d]        common [d]                               Perl parser for YAML                                                                        
    perl-libwww-perl     6.34 [d][e]     common [d]                               A Perl interface to the World-Wide Web                                                      

24 packages show as having newer versions needing to update from Uyuni, but none from the client when running a dnf update.

Attempting to push the updates from Uyuni results in a code 02 result and

          ID: pkg_installed
    Function: pkg.installed
        Name: pkg_installed
      Result: false
     Comment: Error occurred installing package(s). Additional info follows:

errors:
    - Running scope as unit: run-r30d955a5723048ed994ad54f0a8cd1f7.scope
      Last metadata expiration check: 0:00:06 ago on Wed Oct 16 02:51:21 2024.
      All matches were filtered out by modular filtering for argument: perl-Encode-Locale-1.05-10.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-Try-Tiny-0.30-7.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-DBI-1.641-4.module+el8.6.0+13388+2264dcd4
      All matches were filtered out by modular filtering for argument: perl-HTTP-Message-6.18-1.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-Mozilla-CA-20160104-7.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-FCGI-0.78-11.module+el8.6.0+13378+8c0bf7dc
      All matches were filtered out by modular filtering for argument: perl-Net-HTTP-6.17-2.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-File-Listing-6.04-17.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-HTTP-Negotiate-6.01-19.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-HTTP-Date-6.02-19.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-IO-HTML-1.001-11.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-HTTP-Cookies-6.04-2.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+30f09725
      All matches were filtered out by modular filtering for argument: perl-DBD-SQLite-1.58-2.module+el8.6.0+13408+461b4ab5
      All matches were filtered out by modular filtering for argument: perl-HTML-Tagset-3.20-34.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-TimeDate-2.30-15.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-LWP-MediaTypes-6.02-15.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-HTML-Parser-3.72-15.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-WWW-RobotRules-6.02-18.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-Data-Dump-1.23-7.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-NTLM-1.09-17.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-IO-Socket-SSL-2.066-4.module+el8.6.0+13392+6b8485cb
      All matches were filtered out by modular filtering for argument: perl-Digest-HMAC-1.03-17.module+el8.6.0+13414+533ca04e
      All matches were filtered out by modular filtering for argument: perl-libwww-perl-6.34-1.module+el8.6.0+13414+533ca04e
      Error: Unable to find a match: perl-Encode-Locale-1.05-10.module+el8.6.0+13414+533ca04e perl-Try-Tiny-0.30-7.module+el8.6.0+13414+533ca04e perl-DBI-1.641-4.module+el8.6.0+13388+2264dcd4 perl-HTTP-Message-6.18-1.module+el8.6.0+13414+533ca04e perl-Mozilla-CA-20160104-7.module+el8.6.0+13414+533ca04e perl-FCGI-0.78-11.module+el8.6.0+13378+8c0bf7dc perl-Net-HTTP-6.17-2.module+el8.6.0+13414+533ca04e perl-File-Listing-6.04-17.module+el8.6.0+13414+533ca04e perl-HTTP-Negotiate-6.01-19.module+el8.6.0+13414+533ca04e perl-HTTP-Date-6.02-19.module+el8.6.0+13414+533ca04e perl-IO-HTML-1.001-11.module+el8.6.0+13414+533ca04e perl-HTTP-Cookies-6.04-2.module+el8.6.0+13414+533ca04e perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+30f09725 perl-DBD-SQLite-1.58-2.module+el8.6.0+13408+461b4ab5 perl-HTML-Tagset-3.20-34.module+el8.6.0+13414+533ca04e perl-TimeDate-2.30-15.module+el8.6.0+13414+533ca04e perl-LWP-MediaTypes-6.02-15.module+el8.6.0+13414+533ca04e perl-HTML-Parser-3.72-15.module+el8.6.0+13414+533ca04e perl-WWW-RobotRules-6.02-18.module+el8.6.0+13414+533ca04e perl-Data-Dump-1.23-7.module+el8.6.0+13414+533ca04e perl-NTLM-1.09-17.module+el8.6.0+13414+533ca04e perl-IO-Socket-SSL-2.066-4.module+el8.6.0+13392+6b8485cb perl-Digest-HMAC-1.03-17.module+el8.6.0+13414+533ca04e perl-libwww-perl-6.34-1.module+el8.6.0+13414+533ca04e
     Started: 02:51:19.807344
    Duration: 12643.138
         SLS: packages.pkginstall
     Changed: {}

The versions on the client seem older, i.e. el8.1.0 for DBD SQLlite, and el8.3.0 - although one outdated package is also el8.6.0 - whereas all the new packages it's trying to update to are el8.6.0. Dependencies seem OK otherwise.

There are no filters on the LCM project used to create the channels assigned to this system. Looking at the Appstream tab on the assigned LCM channel shows the expected option for those modules and nothing else. But the same is true with the sync channel used as a source

perl-DBD-SQLite | 1.58
-- | --
perl-DBI | 1.641
perl-FCGI | 0.78
perl-IO-Socket-SSL | 2.066
perl-libwww-perl | 6.34

Thus, it seems like the available package list being transmitted to the client does not include the packages in the Appstream modules that are enabled for the system, despite showing up in the proposed updates list. The minion package version installed on the client is venv-salt-minion-3006.0-33.1.uyuni.x86_64, which seems to be the right one. I believe this used to work before the container migration but is broken now.

[digdilem-work]

Your post was very useful, Cedric, in solving my own issue which I believe is related as it’s giving the same hostname error. As a test of an affected system, I’ve run those commands you mention in the container and this one

cat /etc/rhn/rhn.conf 2>/dev/null | grep 'java.hostname' | cut -d' ' -f3 || true

Produces a double output uyuni-server:/ # cat /etc/rhn/rhn.conf 2>/dev/null | grep 'java.hostname' | cut -d' ' -f3 || tru ata-oxy-uyuni01.domain.com ata-oxy-uyuni01.domain.com On inspection, this file contains TWO java.hostname lines uyuni-server:/ # grep java.hostname /etc/rhn/rhn.conf java.hostname = ata-oxy-uyuni01.domain.com java.hostname = ata-oxy-uyuni01.domain.com Removing one of these lines (Commenting out doesn’t fix it, obviously since it’s grepping) allowed me to run the update “mgradm update podman” So – it looks like the migration adds a valid java.hostname value to this file without checking whether one exists already. I suspect this could be fixed within mgradm by restricting the output of the value by one, ie, changing that command to:

cat /etc/rhn/rhn.conf 2>/dev/null | grep 'java.hostname' | cut -d' ' -f3 | head -n 1 || true

Hope this helps. — Reply to this email directly, view it on GitHub<#8816 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A7AIN5LXRKQYBMSZOEBELSLZ5JCDLAVCNFSM6AAAAABIIWRW7SVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCMBVGI4TCMA>. You are receiving this because you commented.Message ID: ***@***.******@***.***>>

[cbosdo]

Thanks a lot for the investigation! It seems that you nailed down the problem. Let me see if I can come with a quick PR fixing it.

[cbosdo]

Here is a PR fixing the migration: uyuni-project/uyuni-tools#479. Maybe I should fix the inspect too to be more robust... who knows what could land in a config file 😉

[cbosdo]

While at it I added a -m1 to the greps in /etc/rhn/rhn.conf just to make sure the inspect result won't be broken. It's all in the same PR.

[admd]

Please keep discussions focused on the original topic and start a new discussion for each new topic. Mixing multiple topics can make it hard to follow and may lead to confusion. While related discussions are common, organizing them separately ensures clarity and helps everyone stay on track.

So if the original issue has been resolved, please mark this discussion as "Close as resolved "