For general support information, see here.
Katello uses a set of back-end services to perform the actual job. The status of these services can negatively influence the whole system and it’s one of the first things to check when some errors occur.
The status of back-end services can be found either from the Web UI on the /about
page:
Alternatively, the hammer ping
command can be used to get this information.
foreman-maintain
tool can be used to restart Katello related services. See foreman-maintain --help
for more details.
Katello uses Foreman Tasks for orchestration between the underlying services (local database, Pulp, Candlepin…). The tasks are modeled as Dynflow processes. When something goes wrong (and there might be many reasons for this happening), Dynflow gives us the tools to recover from these errors to get to the consistent state.
There are two properties used for identifying issues with a task:
foreman-tasks service
) to pick it upTo see all the tasks in the system, one can go to /foreman_tasks/tasks
page. To see all the tasks that failed, one can search on result = error
:
Failed tasks include those in the ‘stopped’ or ‘paused’ state. The stopped tasks are already considered as resolved, there is no risk of inconsistency. The tasks in the ‘stopped’ state and the ‘error’ result are usually those failed during the planning phase (usually locking error or bad input data).
To see all the tasks requiring further assistance, filter on state = paused
:
Once the paused task is identified, one can investigate the problem causing the errors:
The resolution of the problem is dependent on the error details. The task may be resolvable by resuming the task: make sure the sub-services are running (see Sub-services status for more details) and then click ‘Resume’ within the web interface.
If this still doesn’t help, one possible step is going to a Dynflow console (the button from task details takes you there):
Caution: Dynflow console is considered a low-level tool and should be used very carefully, ideally discussing other options before using its features
If the failed task was taken care of by other means (performing the failed steps manually) or it was identified as not critical to the whole task, one can skip
the failed step and resume
the task to continue. These tasks end up with warning
result at the end, to indicate there was some difficulty during the run.
In came cases, there might be an issue with sub-services that make it appear as if the task is running for too long without any obvious evidence that something is occurring withing the task.
The first place to look in this case is filtering the tasks on state = running
and looking at Running Steps
in the task details:
In this case, the "start_time" => nil
indicates that the task was not picked up by Pulp, which usually means some issues with running the Pulp workers. See (see Sub-services status for more details).
One can also go to the Dynflow console for even more details: the suspended
state means that the step is waiting for the external task to finish - the suspended
state itself doesn’t have to indicate any error:
If you’re sure the underlying services are running fine, depending on the type of task, there might be a possibility to cancel the running step and possibly following dealing with paused tasks instead.
Foreman tasks provides a locking mechanism which is important to prevent the possibility of operations colliding that are being performed concurrently on the same resource (such as synchronizing and deleting a repository at the same time).
When trying to run an operation on a resource that another task is already running, one can get Required lock is already taken by other running tasks.
:
A locked resource is one where another task that is related to the same resource is already running. Thus, the task being attempted will result in that task being tried in running or paused state. This means that the error is triggered also in cases, where there is a task with unresolved failure (see dealing with paused tasks for more details).
In rare cases, it might be hard to get into the stopped state. There is a possibility to unlock the resource in the running
/paused
task. This will switch the task into stopped
state, freeing the resources for other tasks. Caution: unlocking allows running other tasks to run on potentially inconsistent data, which might lead into further errors. It’s still possible to go to the Dynflow console and resume the tasks, even after using the unlock feature. There are two unlock-related buttons:
Unlock
and Force Unlock
. The only difference between these two is the second one is allowed even when the task is in running
state, and therefore is potentially even more dangerous than the Unlock
button. See dealing with tasks running too long before attempting to use the Force Unlock
option.
Debug certificates (also called Ueber Certificates) can be used to unlock all the content for a given Organization. These are meant to be used by sysadmins who are debugging issues with the Katello install.
To generate a debug certificate for a given Organization from the UI, navigate to the organizations page and click on the organization for which you want a debug certificate. Click on the button to generate and download the certificate as highlighted below:
To generate a debug certificate using the API see the API docs located on your server running at /apidoc
.
In either case, you will get the Private Key and Certificate returned to you in a format such as :
Key: -----BEGIN RSA PRIVATE KEY-----
<<<<DER ENCODED TEXT>>>>
-----END RSA PRIVATE KEY-----
Cert: -----BEGIN CERTIFICATE-----
<<<<DER ENCODED TEXT>>>>
-----END CERTIFICATE-----
If you wish to use the certificate to browse content via Firefox, do the following:
-----BEGIN RSA PRIVATE KEY-----
to -----END RSA PRIVATE KEY-----
inclusive to a file called key.pem-----BEGIN CERTIFICATE-----
to -----END CERTIFICATE-----
inclusive to a file called cert.pemopenssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -inkey key.pem -out [NAME].pfx -name [NAME]
To use curl to access the repository, you can provide –cert and –key options. Provided the cert is in ~/cert.pem
and key in ~/key.cert
, the following command will let you access any repository data in the organization. To check the access to a repository, checking the availability of repodata/repomd.xml is usually a good idea (make sure key.pem and cert.pem are ‘'’absolute paths’’’ otherwise it silently fails):
curl -k --cert ~/cert.pem --key ~/key.pem https://katello.example.com/pulp/repos/test/Dev/custom/zoo/base-two/repodata/repomd.xml
We do not encourage the use of pulp-admin because it has the potential to get data out of sync. However, pulp-admin can be useful when troubleshooting Katello.
Install needed packages
yum install -y pulp-admin-client pulp-rpm-admin-extensions
Uncomment the ‘host:’ line and add your server’s hostname:
host: katello-hostname.example.com
Run grep default_password /etc/pulp/server.conf
to lookup the admin password
sudo grep default_password /etc/pulp/server.conf
# default_password: default password for admin when it is first created; this
default_password: rGox3G9QhfCRD8fTsNR7FxqdgbvfJfSJ
Use pulp-admin by specifying the admin username and password:
pulp-admin -u admin -p rGox3G9QhfCRD8fTsNR7FxqdgbvfJfSJ repo list
Using the ‘pulp-admin login’ command does not function and is not supported with Katello in an attempt to limit access to the certificate authoriity generated at installation time.
Katello 3.0 generates a client cert at installation time which allows usage of pulp-admin without specifying the username and password. To use this:
Copy the public client cert and private key to a file together:
# sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
Run pulp-admin without username and password:
pulp-admin repo list
Sometimes you want to debug why a synchronization of a repository from Katello is failing and rather than dig through log files and error messages it can often be easier to try to sync the repo with the ‘‘grinder’’ tool which is what Katello uses to download repositories. The tool can be ran from a terminal on your Katello server:
$ grinder yum --label=sync-test --url=https://fedorapeople.org/groups/katello/releases/yum/1.0/RHEL/6Server/x86_64/
grinder.RepoFetch: INFO fetchYumRepo() repo_label = sync-test, repo_url =
https://fedorapeople.org/groups/katello/releases/yum/1.0/RHEL/6Server/x86_64/, basepath = ./, verify_options = {}
grinder.RepoFetch: INFO sync-test, https://fedorapeople.org/groups/katello/releases/yum/1.0/RHEL/6Server/x86_64/,
Calling RepoFetch with: cacert=<None>, clicert=<None>, clikey=<None>, proxy_url=<None>, proxy_port=<3128>, proxy_user=<None>,
proxy_pass=<NOT_LOGGED>, sslverify=<1>, max_speed=<None>, verify_options=<{}>, filter=<None>
....
grinder.ParallelFetch: INFO 5 threads are active. 8 items left to be fetched
grinder.ParallelFetch: INFO 4 threads are active. 4 items left to be fetched
grinder.ParallelFetch: INFO WorkerThread deleting ActiveObject
grinder.ParallelFetch: INFO Thread ending
grinder.ParallelFetch: INFO 3 threads are active. 3 items left to be fetched
grinder.ParallelFetch: INFO WorkerThread deleting ActiveObject
grinder.ParallelFetch: INFO Thread ending
You now have a directory called sync-test off of your current working directory:
$ ls sync-test/
converge-ui-devel-0.8.3-1.el6.noarch.rpm
elasticsearch-0.18.4-13.el6.noarch.rpm
katello-1.0.6-1.el6.noarch.rpm
katello-agent-1.0.6-1.el6.noarch.rpm
katello-all-1.0.6-1.el6.noarch.rpm
katello-certs-tools-1.1.7-1.el6.noarch.rpm
lucene3-contrib-3.4.0-2.el6.noarch.rpm
repodata
rubygem-actionmailer-3.0.10-3.el6.noarch.rpm
...
Foreman 3.12.1 has been released! Follow the quick start to install it.
Foreman 3.11.5 has been released! Follow the quick start to install it.