On 11/03/17 00:28, James Evans wrote:
> I'm working on some documentation and demos around bootstrapping a
> Foreman environment from scratch. If I manually install Foreman,
> following the directions on the web site everything is fine, with
> selinux in enforcing mode. However, I want to build a Foreman
> installation via the puppet agent. I've installed the latest
> puppetserver and puppet-agent AIO on CentOS 7, and then installed the
> theforeman/foreman puppet module (and dependencies). The puppet run
> errors out with a can't find SSL certificate error:
> [..]
>
> The cert is there, and is valid. Manually trying to start the apache
> server gives the same error. Changing selinux to permissive mode allows
> apache to start, and everything seems to be working in my simple vagrant
> tests. The selinux labels seem to be the same from the working "hand
> installed" version and the puppet installed version:

The process labels may be different, but hard to say without the AVC log.

> I've looked through the source of the foreman-installer, and I don't see
> anything that is obviously making changes to selinux. I'd really like to
> get this working in enforcing mode, and it seems like it should work.
> Does anyone have any ideas about what might be causing the puppet module
> to break when used without the installer?

The installer also sets the parameter:

  apache::mod::passenger::manage_repo: false

which on EL7 will install the version of Passenger from EPEL7 rather than from Phusion. There isn't support in the OS policy for Phusion Passenger, so it may be running in the wrong context (httpd_t, not passenger_t), bug #17093.

-- 
Dominic Cleal
[email protected]
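
The reply above says the diagnosis depends on the AVC log and on which domain Passenger runs in. The following is an added example, not part of the original message or of the Foreman project: it summarizes AVC denials from audit.log text by process name and source/target type, and lists Passenger processes that were denied while labelled httpd_t. The log records are constructed samples, and matching Passenger helpers by a "Passenger" name prefix is an assumption.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not taken from the original thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1489192081.101:301): avc:  denied  { read } for  pid=2101 comm="httpd" name="host.example.test.pem" dev="dm-0" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1489192082.202:302): avc:  denied  { write } for  pid=2150 comm="PassengerHelper" name="tmp" dev="dm-0" ino=1302 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1489192083.303:303): avc:  denied  { write } for  pid=2150 comm="PassengerHelper" name="tmp" dev="dm-0" ino=1302 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1489192083.303:303): arch=c000003e syscall=2 success=no exit=-13
'''

# Fields of an AVC denial record that identify who was denied what.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m:
            key = (m["comm"], selinux_type(m["scontext"]),
                   selinux_type(m["tcontext"]), m["tclass"],
                   tuple(m["perms"].split()))
            counts[key] += 1
    return counts

def passenger_in_httpd_domain(counts):
    """Passenger processes denied while labelled httpd_t (the case in the reply).
    Assumption: Passenger helper process names start with "Passenger"."""
    return sorted({k[0] for k in counts
                   if k[0].startswith("Passenger") and k[1] == "httpd_t"})

if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG)
    for key, n in result.most_common():
        print(n, *key)
    print("Passenger in httpd_t:", passenger_in_httpd_domain(result))
```

On a real host the input would be the contents of /var/log/audit/audit.log, read while reproducing the failed Apache start.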
