Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #36809 - Do not clobber answers provided on the command line wi… #891

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Fixes #36809 - Do not clobber answers provided on the command line wi… #891

wants to merge 2 commits into from

Conversation

ehelms
Copy link
Member

@ehelms ehelms commented Oct 6, 2023
edited
Loading

…th --certs-regenerate

Problem:

foreman-installer --certs-state Texas --certs-regenerate True

The installer will see and run as if the state value was changed to Texas, regenerating certificates. However, because kafo.config.app.answers returns the answers file and not the compiled params, what gets written back to the answers file is the original answers at runtime. Thus the answers file now have the previous value (e.g. North Carolina) and the next installer run will trigger a certificate update under the hood.

ehelms
ehelms commented Oct 6, 2023
View reviewed changes
hooks/pre_exit/20-certs_regenerate.rb

kafo.config.store(answers)
kafo.send(:store_params)
Copy link
Member Author

@ehelms ehelms Oct 6, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree this is a bit ugly, calling into a private method. My goal here is to patch the problem first with a fix that can be cherry picked cleanly backward. The alternative is to add methods to kafo and then release a patch release and also a patch to the installer for older releases.

@ehelms
Copy link
Member Author

ehelms commented Oct 6, 2023

This is intended to be a patch that fixes the issue, and I think what needs to follow is a real fix to the way we regenerate certificates which is now possible that we have gotten rid of the RPM part.

@ekohl
Copy link
Member

ekohl commented Oct 12, 2023

Some notes: it was introduced in e28a519 and we shouldn't store --certs-regenerate but it should be passed to Puppet.

I'm now debating options, but can't think of any right now. I'll get back to this.

@ehelms
Copy link
Member Author

ehelms commented Dec 15, 2023

[test foreman-installer]

@ehelms
Copy link
Member Author

ehelms commented Jan 16, 2024

@ekohl This is still a pretty ugly problem that it can cause, do you have any additional thoughts or review?

@ehelms ehelms closed this Jul 18, 2024
@ehelms ehelms reopened this Jul 18, 2024
@ehelms
Copy link
Member Author

ehelms commented Jul 18, 2024

@ekohl Do you have any additional ideas or can we move forward with this change to prevent this issue as-is for users?

@ekohl
Copy link
Member

ekohl commented Jul 30, 2024

My issue with the current implementation is that --noop or --dont-save-answers isn't respected: it always saves the answers.

I'm looking at https://github.com/theforeman/kafo/blob/master/doc/kafo_run.png and I'm wondering if we should take a different approach:

  • In pre_commit we ensure the value is false in the answers file
  • Kafo saves the answers
  • In pre we set the answer back to what it was supposed to be

I don't know what the best mechanism is to store data between hooks. Our store_custom_config is probably the best we have.

@ehelms
Copy link
Member Author

ehelms commented Jul 30, 2024

My issue with the current implementation is that --noop or --dont-save-answers isn't respected: it always saves the answers.

I'm looking at https://github.com/theforeman/kafo/blob/master/doc/kafo_run.png and I'm wondering if we should take a different approach:

  • In pre_commit we ensure the value is false in the answers file
  • Kafo saves the answers
  • In pre we set the answer back to what it was supposed to be

None of this worked. And you are correct -- the current implementation saves the answers and that is why it's not working entirely correctly. I tried a variety of ideas using the pre state and could not get things to land in the correct state.

The approach I have proposed here modifies this to only reset the single parameter back to false rather than resetting all the answers back.

Ideally we get rid of the regenerate parameter, I think that is a bigger change and my aim here is to fix the existing problem in a minimal way.

ekohl
ekohl requested changes Jul 30, 2024
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's at least respect the --noop and --dont-save-answers flags and avoid storing the answers then. Then I think this is OK to merge.

hooks/pre_exit/20-certs_regenerate.rb Outdated Show resolved Hide resolved
@ehelms @ekohl
Update hooks/pre_exit/20-certs_regenerate.rb
147f837 
Co-authored-by: Ewoud Kohl van Wijngaarden <[email protected]>
@ehelms
Copy link
Member Author

ehelms commented Jul 30, 2024

Let's at least respect the --noop and --dont-save-answers flags and avoid storing the answers then. Then I think this is OK to merge.

Accepted your update

@ehelms
Copy link
Member Author

ehelms commented Aug 5, 2024

@ekohl Are you good with this updated form?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl requested changes

Assignees
No one assigned
Labels
Needs re-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ehelms @ekohl