5:24 p.m.
Hi list!
I'm looking at overhauling an existing PXE-based provisioning system for
a blend of older Fedora servers and some
CentOS development machines. I installed cobbler from the 1.2.8 source
RPM a couple days ago and I'm having some
trouble getting the web UI to authenticate to cobblerd. I can
authenticate as far as Apache is concerned, but
as soon as I click on a link in the UI that requires an XMLRPC call, I
get an exception that turns out to be
"403: Forbidden."
I've tried restarting both daemons, switching authentication methods to
something besides digest (didn't help).
The user is listed as an admin group member in the authorization group
config file. cobblerd doesn't seem to
be logging output to /var/log/cobbler/cobblerd.log, even if I uncomment
all the debug log info at the top of
cobblerd.
I also poked around in my Apache httpd configs, but didn't see anything
immediately off - the cobbler.conf is from
the cobbler distribution, and authentication works as far as Apache and
mod_python are concerned.
Does anyone have any ideas on how/where I can fix this? Cobbler's main
functionality seems to be okay, but I'd
really like to get the web UI working before I go any further.
Any help would be appreciated. Thanks!
-steve
5:39 p.m.
Steven Wagner wrote:
Hi list!
I'm looking at overhauling an existing PXE-based provisioning system for
a blend of older Fedora servers and some
CentOS development machines. I installed cobbler from the 1.2.8 source
RPM a couple days ago and I'm having some
trouble getting the web UI to authenticate to cobblerd. I can
authenticate as far as Apache is concerned, but
as soon as I click on a link in the UI that requires an XMLRPC call, I
get an exception that turns out to be
"403: Forbidden."
(1) Where did you get the source RPM? Arch-specific src rpms out of the
build system have been known to cause problems. The one of my
fedorapeople page is not known to.
(2) For starters, Is "cobbler check" showing no signs of anything you
need to fix?
(3) How about sharing the relevant authn and authz sections of your
"/etc/cobbler/modules.conf" file?
(4) Is this install perhaps an upgrade from a much older version of
Cobbler? If so, that may cause problems and you should revisit
https://fedorahosted.org/cobbler/wiki/CobblerWebInterface
(5) selinux booleans can prevent connections. Cobbler check will report
on these.
(6) Try changing the any cobbler XMLRPC addresses in the Cobbler config
from localhost to 127.0.0.1, it may be that localhost does not resolve.
I've tried restarting both daemons, switching authentication
methods to
something besides digest (didn't help).
authn_testing allows "testing/testing" ? That does not work?
Is your Apache configuration in any way modified from a stock install?
This is rather important as depending on setup options this can cause
problems.
The user is listed as an admin group member in the authorization
group
config file. cobblerd doesn't seem to
be logging output to /var/log/cobbler/cobblerd.log, even if I uncomment
all the debug log info at the top of
cobblerd.
It's /var/log/cobbler/cobbler.log, the daemon does not have it's own log.
I also poked around in my Apache httpd configs, but didn't see
anything
immediately off - the cobbler.conf is from
the cobbler distribution, and authentication works as far as Apache and
mod_python are concerned.
Does anyone have any ideas on how/where I can fix this? Cobbler's main
functionality seems to be okay, but I'd
really like to get the web UI working before I go any further.
Sure... take a shot at the above and we can perhaps dive further
depending on answers...
It's probably something simple.
Any help would be appreciated. Thanks!
-steve
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
6:40 p.m.
Thanks for the reply. Here's the results:
1. I got the RPM from your fedorapeople page.
2. "cobbler check" notes that I'm not running DHCP (true, not yet...)
and that I have default passwords in my kickstarts, and that's it.
3. Sure thing:
---[start modules.conf]---
[...]
[authentication]
#module = authn_configfile
module = authn_testing
[...]
[authorization]
module = authz_configfile
---[end modules.conf]---
---[start users.conf]---
[...]
[admins]
admin = ""
cobbler = ""
swagner = ""
testing = ""
---[end users.conf]---
4. I tried uninstalling and reinstalling from the SRPM-based local RPM
at one point to try to address this issue, but got complacent and
"reinstalled" a pre-0.7.0 version through an old yum repository. I
eventually figured this out and erased the main cobbler directories
(/var/lib/cobbler and /etc/cobbler) to start over fresh.
5. This box is not running selinux.
6. I didn't find any "localhost" (or, for that matter, any
"any")
values to replace in the cobbler config trees. I did,
however, find and run demo_connect.py against localhost, u: testing p:
testing ... and it worked.
Based on that, I think the problem must be somewhere in the Apache
(2.2.6) reverse proxy config, which is straight from
the source RPM. For some reason, I am not seeing any useful logging
info out of Apache and/or mod_proxy...
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org
[mailto:cobbler-bounces@lists.fedorahosted.org] On Behalf Of Michael
DeHaan
Sent: Friday, October 17, 2008 3:40 PM
To: cobbler mailing list
Subject: Re: 1.2.8 cobbler webUI <-> cobblerd issue
Steven Wagner wrote:
Hi list!
I'm looking at overhauling an existing PXE-based provisioning system
for a blend of older Fedora servers and some CentOS development
machines. I installed cobbler from the 1.2.8 source RPM a couple days
ago and I'm having some trouble getting the web UI to
authenticate to
cobblerd. I can authenticate as far as Apache is concerned, but as
soon as I click on a link in the UI that requires an XMLRPC call, I
get an exception that turns out to be
"403: Forbidden."
(1) Where did you get the source RPM? Arch-specific src rpms out of the
build system have been known to cause problems. The one of my
fedorapeople page is not known to.
(2) For starters, Is "cobbler check" showing no signs of anything you
need to fix?
(3) How about sharing the relevant authn and authz sections of your
"/etc/cobbler/modules.conf" file?
(4) Is this install perhaps an upgrade from a much older version of
Cobbler? If so, that may cause problems and you should revisit
https://fedorahosted.org/cobbler/wiki/CobblerWebInterface
(5) selinux booleans can prevent connections. Cobbler check will report
on these.
(6) Try changing the any cobbler XMLRPC addresses in the Cobbler config
from localhost to 127.0.0.1, it may be that localhost does not resolve.
I've tried restarting both daemons, switching authentication
methods
to
something besides digest (didn't help).
authn_testing allows "testing/testing" ? That does not work?
Is your Apache configuration in any way modified from a stock install?
This is rather important as depending on setup options this can cause
problems.
The user is listed as an admin group member in the authorization
group
config file. cobblerd doesn't seem to
be logging output to /var/log/cobbler/cobblerd.log, even if I
uncomment
all the debug log info at the top of
cobblerd.
It's /var/log/cobbler/cobbler.log, the daemon does not have it's own
log.
I also poked around in my Apache httpd configs, but didn't see
anything
immediately off - the cobbler.conf is from
the cobbler distribution, and authentication works as far as Apache
and
mod_python are concerned.
Does anyone have any ideas on how/where I can fix this? Cobbler's
main
functionality seems to be okay, but I'd
really like to get the web UI working before I go any further.
Sure... take a shot at the above and we can perhaps dive further
depending on answers...
It's probably something simple.
Any help would be appreciated. Thanks!
-steve
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
9:09 a.m.
Steven Wagner wrote:
4. I tried uninstalling and reinstalling from the SRPM-based local RPM
at one point to try to address this issue, but got complacent and
"reinstalled" a pre-0.7.0 version through an old yum repository. I
eventually figured this out and erased the main cobbler directories
(/var/lib/cobbler and /etc/cobbler) to start over fresh.
FYI -- downgrades aren't "supported" as new config file elements are
added and/or changed. Restoring your config from a backup, etc, would
work but keep in mind there are different config files and changes in
config files. We do ensure that upgrades work, of course.
5. This box is not running selinux.
6. I didn't find any "localhost" (or, for that matter, any
"any")
values to replace in the cobbler config trees. I did,
however, find and run demo_connect.py against localhost, u: testing p:
testing ... and it worked.
This is a good sign.
Based on that, I think the problem must be somewhere in the Apache
(2.2.6) reverse proxy config, which is straight from
the source RPM. For some reason, I am not seeing any useful logging
info out of Apache and/or mod_proxy...
If you look in demo_connect.py you will see it connects to:
sp = ServerProxy("http://127.0.0.1:25152")
If you change this to:
sp = ServerProxy("http://127.0.0.1/cobbler_api_rw")
You are now going through Apache.
That may be easier than doing tests through the webapp as you
investigate your Apache config.
The Apache config files have:
ProxyPass /cobbler_api http://localhost:25151/
ProxyPassReverse /cobbler_api http://localhost:25151/
ProxyPass /cobbler_api_rw http://localhost:25152/
ProxyPassReverse /cobbler_api_rw http://localhost:25152/
Occasionally folks have problems with the "localhost" and need to change
this to 127.0.0.1
Also if you have done any major changes to your main Apache
configuration file, or have enabled vhosts, this may be a factor.
If Apache virtual hosts are turned on, everything must be a virtual
host, which will break cobbler's stock configuration (and you'll have to
modify it).
--Michael
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org
[mailto:cobbler-bounces@lists.fedorahosted.org] On Behalf Of Michael
DeHaan
Sent: Friday, October 17, 2008 3:40 PM
To: cobbler mailing list
Subject: Re: 1.2.8 cobbler webUI <-> cobblerd issue
Steven Wagner wrote:
> Hi list!
>
> I'm looking at overhauling an existing PXE-based provisioning system
> for a blend of older Fedora servers and some CentOS development
> machines. I installed cobbler from the 1.2.8 source RPM a couple days
>
> ago and I'm having some trouble getting the web UI to authenticate to
> cobblerd. I can authenticate as far as Apache is concerned, but as
> soon as I click on a link in the UI that requires an XMLRPC call, I
> get an exception that turns out to be
> "403: Forbidden."
>
>
(1) Where did you get the source RPM? Arch-specific src rpms out of the
build system have been known to cause problems. The one of my
fedorapeople page is not known to.
(2) For starters, Is "cobbler check" showing no signs of anything you
need to fix?
(3) How about sharing the relevant authn and authz sections of your
"/etc/cobbler/modules.conf" file?
(4) Is this install perhaps an upgrade from a much older version of
Cobbler? If so, that may cause problems and you should revisit
https://fedorahosted.org/cobbler/wiki/CobblerWebInterface
(5) selinux booleans can prevent connections. Cobbler check will report
on these.
(6) Try changing the any cobbler XMLRPC addresses in the Cobbler config
from localhost to 127.0.0.1, it may be that localhost does not resolve.
> I've tried restarting both daemons, switching authentication methods
>
to
> something besides digest (didn't help).
>
>
authn_testing allows "testing/testing" ? That does not work?
Is your Apache configuration in any way modified from a stock install?
This is rather important as depending on setup options this can cause
problems.
> The user is listed as an admin group member in the authorization group
> config file. cobblerd doesn't seem to
> be logging output to /var/log/cobbler/cobblerd.log, even if I
>
uncomment
> all the debug log info at the top of
> cobblerd.
>
>
>
It's /var/log/cobbler/cobbler.log, the daemon does not have it's own
log.
> I also poked around in my Apache httpd configs, but didn't see
>
anything
> immediately off - the cobbler.conf is from
> the cobbler distribution, and authentication works as far as Apache
>
and
> mod_python are concerned.
>
> Does anyone have any ideas on how/where I can fix this? Cobbler's
>
main
> functionality seems to be okay, but I'd
> really like to get the web UI working before I go any further.
>
>
>
Sure... take a shot at the above and we can perhaps dive further
depending on answers...
It's probably something simple.
> Any help would be appreciated. Thanks!
>
> -steve
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
>
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
11:36 a.m.
New subject: 1.2.8 cobbler webUI <-> cobblerd issue (SOLVED)
Okay. Wow, looks like I hit the jackpot, as I had just about every one
of these issues going on.
For future (searchable) reference...
I had a long-forgotten Proxy config block in the main httpd.conf. Not
only was this set to "Deny from all"
and allowing only from my domain (i.e., excluding localhost!), but I
also had a useless virtual host directive muddying
things up.
Once I took those things out, I was still getting 403 Forbidden, but the
error log message in httpd had changed to:
proxy: No protocol andler was valid for the URL /cobbler_api_rw.
I was using a shared object version of mod_proxy, so I loaded up
mod_proxy_http and mod_proxy_connect ... now the two
daemons are talking to one another. The web UI is now fully
operational.
Thanks for all your help, Michael!
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org
[mailto:cobbler-bounces@lists.fedorahosted.org] On Behalf Of Michael
DeHaan
Sent: Monday, October 20, 2008 7:09 AM
To: cobbler mailing list
Subject: Re: 1.2.8 cobbler webUI <-> cobblerd issue
Steven Wagner wrote:
4. I tried uninstalling and reinstalling from the SRPM-based local
RPM at one point to try to address this issue, but got complacent and
"reinstalled" a pre-0.7.0 version through an old yum repository. I
eventually figured this out and erased the main cobbler directories
(/var/lib/cobbler and /etc/cobbler) to start over fresh.
FYI -- downgrades aren't "supported" as new config file elements are
added and/or changed. Restoring your config from a backup, etc, would
work but keep in mind there are different config files and changes in
config files. We do ensure that upgrades work, of course.
5. This box is not running selinux.
6. I didn't find any "localhost" (or, for that matter, any
"any")
values to replace in the cobbler config trees. I did, however, find
and run demo_connect.py against localhost, u: testing p:
testing ... and it worked.
This is a good sign.
Based on that, I think the problem must be somewhere in the Apache
(2.2.6) reverse proxy config, which is straight from the source RPM.
For some reason, I am not seeing any useful logging info out of Apache
and/or mod_proxy...
If you look in demo_connect.py you will see it connects to:
sp = ServerProxy("http://127.0.0.1:25152")
If you change this to:
sp = ServerProxy("http://127.0.0.1/cobbler_api_rw")
You are now going through Apache.
That may be easier than doing tests through the webapp as you
investigate your Apache config.
The Apache config files have:
ProxyPass /cobbler_api http://localhost:25151/ ProxyPassReverse
/cobbler_api http://localhost:25151/
ProxyPass /cobbler_api_rw http://localhost:25152/ ProxyPassReverse
/cobbler_api_rw http://localhost:25152/
Occasionally folks have problems with the "localhost" and need to change
this to 127.0.0.1
Also if you have done any major changes to your main Apache
configuration file, or have enabled vhosts, this may be a factor.
If Apache virtual hosts are turned on, everything must be a virtual
host, which will break cobbler's stock configuration (and you'll have to
modify it).
--Michael
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org
[mailto:cobbler-bounces@lists.fedorahosted.org] On Behalf Of Michael
DeHaan
Sent: Friday, October 17, 2008 3:40 PM
To: cobbler mailing list
Subject: Re: 1.2.8 cobbler webUI <-> cobblerd issue
Steven Wagner wrote:
> Hi list!
>
> I'm looking at overhauling an existing PXE-based provisioning system
> for a blend of older Fedora servers and some CentOS development
> machines. I installed cobbler from the 1.2.8 source RPM a couple
> days
>
> ago and I'm having some trouble getting the web UI to authenticate to
> cobblerd. I can authenticate as far as Apache is concerned, but
as
> soon as I click on a link in the UI that requires an XMLRPC call, I
> get an exception that turns out to be
> "403: Forbidden."
>
>
(1) Where did you get the source RPM? Arch-specific src rpms out of
the build system have been known to cause problems. The one of my
fedorapeople page is not known to.
(2) For starters, Is "cobbler check" showing no signs of anything you
need to fix?
(3) How about sharing the relevant authn and authz sections of your
"/etc/cobbler/modules.conf" file?
(4) Is this install perhaps an upgrade from a much older version of
Cobbler? If so, that may cause problems and you should revisit
https://fedorahosted.org/cobbler/wiki/CobblerWebInterface
(5) selinux booleans can prevent connections. Cobbler check will
report on these.
(6) Try changing the any cobbler XMLRPC addresses in the Cobbler
config from localhost to 127.0.0.1, it may be that localhost does not
resolve.
> I've tried restarting both daemons, switching authentication methods
>
to
> something besides digest (didn't help).
>
>
authn_testing allows "testing/testing" ? That does not work?
Is your Apache configuration in any way modified from a stock install?
This is rather important as depending on setup options this can cause
problems.
> The user is listed as an admin group member in the authorization
> group config file. cobblerd doesn't seem to be logging output to
> /var/log/cobbler/cobblerd.log, even if I
>
uncomment
> all the debug log info at the top of
> cobblerd.
>
>
>
It's /var/log/cobbler/cobbler.log, the daemon does not have it's own
log.
> I also poked around in my Apache httpd configs, but didn't see
>
anything
> immediately off - the cobbler.conf is from the cobbler distribution,
> and authentication works as far as Apache
>
and
> mod_python are concerned.
>
> Does anyone have any ideas on how/where I can fix this? Cobbler's
>
main
> functionality seems to be okay, but I'd really like to get the web UI
> working before I go any further.
>
>
>
Sure... take a shot at the above and we can perhaps dive further
depending on answers...
It's probably something simple.
> Any help would be appreciated. Thanks!
>
> -steve
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
>
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
5:40 p.m.
Steven Wagner wrote:
Hi list!
I'm looking at overhauling an existing PXE-based provisioning system for
a blend of older Fedora servers and some
CentOS development machines. I installed cobbler from the 1.2.8 source
RPM a couple days ago and I'm having some
trouble getting the web UI to authenticate to cobblerd. I can
authenticate as far as Apache is concerned, but
as soon as I click on a link in the UI that requires an XMLRPC call, I
get an exception that turns out to be
"403: Forbidden."
I've tried restarting both daemons, switching authentication methods to
something besides digest (didn't help).
The user is listed as an admin group member in the authorization group
config file. cobblerd doesn't seem to
be logging output to /var/log/cobbler/cobblerd.log, even if I uncomment
all the debug log info at the top of
cobblerd.
I also poked around in my Apache httpd configs, but didn't see anything
immediately off - the cobbler.conf is from
the cobbler distribution, and authentication works as far as Apache and
mod_python are concerned.
Does anyone have any ideas on how/where I can fix this? Cobbler's main
functionality seems to be okay, but I'd
really like to get the web UI working before I go any further.
Any help would be appreciated. Thanks!
-steve
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
Another thing to check --
see if any functions in koan work, such as:
koan --server=cobbler.example.org --display --profile=name-of-profile
That will check for basic XMLRPC connectivity.
--Michael
6:45 p.m.
Almost forgot: The koan command worked, as well. I was able to create
a profile and display it from command-line...
-----Original Message-----
From: cobbler-bounces(a)lists.fedorahosted.org
[mailto:cobbler-bounces@lists.fedorahosted.org] On Behalf Of Michael
DeHaan
Sent: Friday, October 17, 2008 3:40 PM
To: cobbler mailing list
Subject: Re: 1.2.8 cobbler webUI <-> cobblerd issue
Steven Wagner wrote:
Hi list!
I'm looking at overhauling an existing PXE-based provisioning system
for a blend of older Fedora servers and some CentOS development
machines. I installed cobbler from the 1.2.8 source RPM a couple days
ago and I'm having some trouble getting the web UI to
authenticate to
cobblerd. I can authenticate as far as Apache is concerned, but as
soon as I click on a link in the UI that requires an XMLRPC call, I
get an exception that turns out to be
"403: Forbidden."
I've tried restarting both daemons, switching authentication methods
to something besides digest (didn't help).
The user is listed as an admin group member in the authorization group
config file. cobblerd doesn't seem to be logging output to
/var/log/cobbler/cobblerd.log, even if I uncomment all the debug log
info at the top of cobblerd.
I also poked around in my Apache httpd configs, but didn't see
anything immediately off - the cobbler.conf is from the cobbler
distribution, and authentication works as far as Apache and mod_python
are concerned.
Does anyone have any ideas on how/where I can fix this? Cobbler's
main functionality seems to be okay, but I'd really like to get the
web UI working before I go any further.
Any help would be appreciated. Thanks!
-steve
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
Another thing to check --
see if any functions in koan work, such as:
koan --server=cobbler.example.org --display --profile=name-of-profile
That will check for basic XMLRPC connectivity.
--Michael
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
5681
days inactive
5684
days old
cobbler@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Michael DeHaan -
Steven Wagner