From cb979f545b85bed79659dd2278b01a7aa85b66d6 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 13 Mar 2025 18:48:18 +0100
Subject: [PATCH 1/4] Introduce foreman_url variable
This makes it easier to change where the service listens on.
---
 src/roles/foreman/defaults/main.yaml | 1 +
 src/roles/foreman/tasks/main.yaml | 6 +++---
 src/roles/foreman/templates/settings.yaml.j2 | 2 ++
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
index 8868b2a0..6827fc29 100644
--- a/src/roles/foreman/defaults/main.yaml
+++ b/src/roles/foreman/defaults/main.yaml
@@ -1,6 +1,7 @@
 ---
 foreman_container_image: "quay.io/evgeni/foreman-rpm"
 foreman_container_tag: "nightly"
+foreman_url: "http://localhost:3000"
 foreman_database_name: foreman
 foreman_database_user: foreman
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index c38c9a66..4f2a2969 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -119,7 +119,7 @@
 - name: Wait for Foreman service to be accessible
 ansible.builtin.uri:
- url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
+ url: '{{ foreman_url }}/api/v2/ping'
 until: foreman_status.status == 200
 retries: 60
 delay: 5
@@ -137,7 +137,7 @@
 - name: Wait for Foreman tasks to be ready
 ansible.builtin.uri:
- url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
+ url: '{{ foreman_url }}/api/v2/ping'
 until: foreman_tasks_status.json['results']['katello']['services']['foreman_tasks']['status'] == 'ok'
 retries: 60
 delay: 5
@@ -149,6 +149,6 @@
 theforeman.foreman.smart_proxy:
 name: "{{ ansible_fqdn }}"
 url: "https://{{ ansible_fqdn }}:9090"
- server_url: "http://{{ ansible_fqdn }}:3000"
+ server_url: "{{ foreman_url }}"
 username: admin
 password: changeme
diff --git a/src/roles/foreman/templates/settings.yaml.j2 b/src/roles/foreman/templates/settings.yaml.j2
index 17bad384..d39f7941 100644
--- a/src/roles/foreman/templates/settings.yaml.j2
+++ b/src/roles/foreman/templates/settings.yaml.j2
@@ -1,4 +1,6 @@
 ---
+:foreman_url: {{ foreman_url }}
+
 :ssl_certificate: /etc/foreman/client_cert.pem
 :ssl_ca_file: /etc/foreman/katello-default-ca.crt
 :ssl_priv_key: /etc/foreman/client_key.pem
From ca16d801f6e085ec43f782559e9c84a622035903 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 13 Mar 2025 18:51:29 +0100
Subject: [PATCH 2/4] Always serve Foreman via Apache
This means certificates are properly verified, both server side and client side.
---
 src/playbooks/deploy/deploy.yaml | 1 +
 src/roles/foreman/tasks/main.yaml | 5 +++++
 src/roles/foreman_proxy/templates/settings.yaml.j2 | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
index acf37dc7..994fc1fa 100644
--- a/src/playbooks/deploy/deploy.yaml
+++ b/src/playbooks/deploy/deploy.yaml
@@ -32,6 +32,7 @@
 foreman_client_certificate: "{{ client_certificate }}"
 foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
 foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+ foreman_url: "https://{{ ansible_fqdn }}"
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index 4f2a2969..e4d56fb1 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -120,6 +120,7 @@
 - name: Wait for Foreman service to be accessible
 ansible.builtin.uri:
 url: '{{ foreman_url }}/api/v2/ping'
+ ca_path: '{{ ca_certificate }}'
 until: foreman_status.status == 200
 retries: 60
 delay: 5
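Review bot: The added `:foreman_url: {{ foreman_url }}` renders the variable as an unquoted YAML scalar, so an empty or unexpected value of `foreman_url` is read as null (or truncated at ` #`) instead of as a string; quoting the templated value, `:foreman_url: "{{ foreman_url }}"`, keeps the rendered type stable. The same unquoted pattern is introduced for the proxy's settings.yaml.j2 in patch 2/4 (`:foreman_url: {{ foreman_url }}`), where the same quoting applies. The URL values these templates receive in this series contain only `:` and `/`, which are safe in a plain scalar, so this is a robustness point rather than a parse error today.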
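Review bot: `ca_path: '{{ ca_certificate }}'` references a bare `ca_certificate` variable that the foreman role's defaults do not define and that none of the visible deploy.yaml lines set (the playbook passes `server_ca_certificate` / `client_ca_certificate` into role-prefixed variables such as `foreman_client_certificate`), so the task fails on an undefined variable unless `ca_certificate` is supplied from outside this series. Following the role's existing convention, add a `foreman_ca_certificate` default and use `ca_path: '{{ foreman_ca_certificate }}'` here and in the 'Wait for Foreman tasks to be ready' hunk that follows, setting it from the playbook alongside the other certificate variables. The commented `#ca_path` line in the smart proxy hunk carries the same reference.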
@@ -138,6 +139,7 @@
 - name: Wait for Foreman tasks to be ready
 ansible.builtin.uri:
 url: '{{ foreman_url }}/api/v2/ping'
+ ca_path: '{{ ca_certificate }}'
 until: foreman_tasks_status.json['results']['katello']['services']['foreman_tasks']['status'] == 'ok'
 retries: 60
 delay: 5
@@ -150,5 +152,8 @@
 name: "{{ ansible_fqdn }}"
 url: "https://{{ ansible_fqdn }}:9090"
 server_url: "{{ foreman_url }}"
+ # TODO: requires https://github.com/theforeman/foreman-ansible-modules/commit/03298a74e6096c370a932de37aa62dbece3f452f
+ validate_certs: false
+ #ca_path: '{{ ca_certificate }}'
 username: admin
 password: changeme
diff --git a/src/roles/foreman_proxy/templates/settings.yaml.j2 b/src/roles/foreman_proxy/templates/settings.yaml.j2
index 5cdf0667..01d02ed3 100644
--- a/src/roles/foreman_proxy/templates/settings.yaml.j2
+++ b/src/roles/foreman_proxy/templates/settings.yaml.j2
@@ -7,7 +7,7 @@
 :trusted_hosts:
 - {{ ansible_fqdn }}
-:foreman_url: http://{{ ansible_fqdn }}:3000
+:foreman_url: {{ foreman_url }}
 :foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
 :foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
From 5eeb3b71c4ec15fcd6c54ab934020df8767ae99d Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 13 Mar 2025 18:53:57 +0100
Subject: [PATCH 3/4] Use systemd socket activation for Foreman
---
 src/roles/foreman/defaults/main.yaml | 3 ++-
 src/roles/foreman/tasks/main.yaml | 8 ++++++++
 src/roles/foreman/templates/foreman.socket.j2 | 8 ++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 src/roles/foreman/templates/foreman.socket.j2
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
index 6827fc29..b6582c5b 100644
--- a/src/roles/foreman/defaults/main.yaml
+++ b/src/roles/foreman/defaults/main.yaml
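Review bot: `validate_certs: false` on the smart proxy registration turns TLS verification off for precisely the request that carries the admin credentials (`username: admin` / `password: changeme` two lines below), which contradicts the commit message's claim that certificates are now properly verified. Until the module gains the `ca_path` support the TODO points at, verification can be kept on by making the deployment CA available to the module's HTTP client, for example through the host trust store or a `REQUESTS_CA_BUNDLE` entry in the task's `environment:` if the client honours it, and leaving `validate_certs` at its default. If the `false` has to remain for now, the comment should state the consequence so it is not forgotten, e.g. `# TODO: verification disabled until the module supports ca_path; admin credentials travel over this connection`.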
@@ -1,7 +1,8 @@
 ---
 foreman_container_image: "quay.io/evgeni/foreman-rpm"
 foreman_container_tag: "nightly"
-foreman_url: "http://localhost:3000"
+foreman_listen_stream: localhost:3000
+foreman_url: "http://{{ foreman_listen_stream }}"
 foreman_database_name: foreman
 foreman_database_user: foreman
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index e4d56fb1..675b9979 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -46,6 +46,12 @@
 name: foreman-client-key
 path: "{{ foreman_client_key }}"
+- name: Deploy Foreman socket
+ ansible.builtin.template:
+ src: foreman.socket.j2
+ dest: /etc/systemd/system/foreman.socket
+ mode: '0644'
+
 - name: Deploy Foreman Container
 containers.podman.podman_container:
 name: "foreman"
@@ -64,6 +70,8 @@
 SEED_ADMIN_PASSWORD: changeme
 quadlet_options:
 - |
+ [Unit]
+ Requires=foreman.socket
 [Install]
 WantedBy=default.target
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
new file mode 100644
index 00000000..b40cc96f
--- /dev/null
+++ b/src/roles/foreman/templates/foreman.socket.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Foreman socket
+
+[Socket]
+ListenStream={{ foreman_listen_stream }}
+
+[Install]
+WantedBy=sockets.target
From 0885411661642893af60978fc44bac7d60c2ec48 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 11 Mar 2025 20:50:58 +0100
Subject: [PATCH 4/4] Use unix socket for httpd -> Foreman communication
---
 src/playbooks/deploy/deploy.yaml | 2 ++
 src/roles/foreman/templates/foreman.socket.j2 | 6 ++++++
 src/roles/httpd/defaults/main.yml | 2 +-
 src/roles/httpd/tasks/main.yml | 7 +++++++
 src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 | 4 ++--
 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
index 994fc1fa..93800929 100644
--- a/src/playbooks/deploy/deploy.yaml
+++ b/src/playbooks/deploy/deploy.yaml
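Review bot: The derived default `foreman_url: "http://{{ foreman_listen_stream }}"` is only meaningful while `foreman_listen_stream` is a `host:port` pair; once it is a socket path (as patch 4/4 does with `/run/httpd.foreman.sock`) the default renders as `http:///run/httpd.foreman.sock`, so a playbook that overrides only `foreman_listen_stream` is left with an unusable URL. Document the coupling in the defaults file, e.g. `# foreman_url is derived from foreman_listen_stream; override it whenever the latter is a unix socket path.` The new `foreman_listen_stream: localhost:3000` also reads better quoted (`"localhost:3000"`), matching the quoting of the neighbouring defaults.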
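Review bot: The 'Deploy Foreman socket' task writes /etc/systemd/system/foreman.socket, but nothing in this hunk reloads systemd or enables and starts `foreman.socket`; the quadlet's `Requires=foreman.socket` in the following hunk pulls the socket in when the container service starts, yet the unit's `WantedBy=sockets.target` only applies once the unit is enabled, and a changed template on a re-run is not picked up without a daemon-reload. Unless this is handled outside the visible hunks, add a `notify` on the template task or a follow-up `ansible.builtin.systemd_service` task with `daemon_reload: true`, `name: foreman.socket`, `enabled: true` and `state: started`.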
@@ -32,7 +32,9 @@
 foreman_client_certificate: "{{ client_certificate }}"
 foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
 foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+ foreman_listen_stream: /run/httpd.foreman.sock
 foreman_url: "https://{{ ansible_fqdn }}"
+ httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
index b40cc96f..a2b1d2dd 100644
--- a/src/roles/foreman/templates/foreman.socket.j2
+++ b/src/roles/foreman/templates/foreman.socket.j2
@@ -3,6 +3,12 @@ Description=Foreman socket
 [Socket]
 ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
 [Install]
 WantedBy=sockets.target
diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml
index 93399472..8361c753 100644
--- a/src/roles/httpd/defaults/main.yml
+++ b/src/roles/httpd/defaults/main.yml
@@ -1,4 +1,4 @@
 httpd_ssl_dir: /etc/pki/httpd
 httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
-httpd_foreman_backend: http://localhost:3000
+httpd_foreman_backend: http://localhost:3000/
diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
index 727eff02..82d3bcb4 100644
--- a/src/roles/httpd/tasks/main.yml
+++ b/src/roles/httpd/tasks/main.yml
@@ -12,6 +12,13 @@
 state: true
 persistent: true
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+ ansible.posix.seboolean:
+ name: daemons_enable_cluster_mode
+ state: true
+ persistent: true
+
 - name: Disable welcome page
 ansible.builtin.file:
 path: /etc/httpd/conf.d/welcome.conf
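Review bot: `NoDelay=false` and `ReusePort=true` are TCP options and have no effect when `ListenStream=` is the unix socket path the deploy playbook now configures, while `SocketUser=apache` and `SocketMode=0600` only matter in that unix case; a reader of the template cannot tell which options apply to which form of `foreman_listen_stream`. A short comment above each group, e.g. `# only effective when foreman_listen_stream is a unix socket path` and `# only effective when foreman_listen_stream is host:port`, would make the intent explicit. Restricting the socket to the apache user with mode 0600 is the right least-privilege choice for an httpd-only backend.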
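Review bot: The new task persistently enables the `daemons_enable_cluster_mode` SELinux boolean while its own comment says it is probably not the right one; a boolean scoped to all daemons widens the policy well beyond the single httpd-to-Foreman socket connection this change needs. Before settling on it, capture the actual denial (`ausearch -m AVC -ts recent`) and record the permission it grants in the task comment; the socket is created at `/run/httpd.foreman.sock`, and placing it under the `/run/httpd/` directory that SELinux file contexts reserve for httpd runtime files may remove the need for a boolean at all (verify against the policy on the target). If a boolean is still required, replace the TODO with the denial it resolves, e.g. `# allows httpd_t to connect to the Foreman unix socket; resolves AVC <paste denial here>`.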
diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
index 6b972413..5df92d02 100644
--- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
+++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -70,8 +70,8 @@ ProxyPass /pulp !
 ProxyPass /icons !
 ProxyPass /server-status !
- ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
- ProxyPassReverse / {{ httpd_foreman_backend }}/
+ ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900
+ ProxyPassReverse / {{ httpd_foreman_backend }}
 AddDefaultCharset UTF-8