Agent Install - should be possible without access to external OS repos

I have a RHEL8 VM I am launching, and I am running a cloud-init bootcmd script to register the VM to Satellite. But, right now at least, the instance cannot consult Satellite repos because the keys and certs that are specified in the repo are not actually available on the VM. So, the Agent is not installing, because these repos cannot be reached.

In debugging the script that installs the agent, I see two lines in this script that stand out to me.

  1. yum Clean All
    Is the line “#yum clean all” truly necessary? If you are trying to install the Morpheus package only, locally, this line will prevent that if the other repos cannot be reached.

  2. yum wget curl
    This statement assumes wget is installed, in order to ensure that curl is installed. I think that the script should check to see if both of these are installed.

Would it not be cleaner to do the fetch (wget) on the rpm, and do a “yum localinstall morpheus-agent”? That way we can get the agent on the VM without worrying about the other distro-specific repos that may or may not be reachable?

Curl at the very least is a base requirement for RHEL/CentOS, so we shouldn’t need to install anything additional for that at least. I assume all of this is in the reconfigure script when the agent installs.

It would be a really good FR to see if the agent could install without any additional packages if possible.

Morpheus drops a runcmd script in /var/lib/cloud/instance/scripts. This runcmd script does a curl on the “install agent” script and pipes it to bash.

curl -k -s "https://100.125.194.77/api/server-script/agentInstall?apiKey=xxxxxxxxxxxx" | bash

If you remove the pipe to bash and save the script down to a file you will see, in the script, a few lines:

yum clean all
/usr/bin/morpheus-node-ctl graceful-kill morphd
yum -y install wget curl
if [ "$FIPS_ENABLED" == "1" ]; then
  yum -y --disablerepo=base,updates,extras,epel install morpheus-vm-node-fips
else
  yum -y --disablerepo=base,updates,extras,epel install morpheus-vm-node
fi
/usr/bin/morpheus-node-ctl reconfigure

One oversight is that there is no check to ensure morpheus-node-ctl is on the box before running that command (the script in general does a lot of defensive checking to ensure commands are there before running them but missed this one).

But, if we want the agent install to be completely independent of distribution repos, we would need to assume wget and curl are on the VM (and bark and exit if they’re not). I am not against trying to install them, necessarily, but maybe a better way might be to change the script and do a “rpm -qa | grep wget” and “rpm -qa | grep curl” command. And, if you don’t get a $? of 0 on them, you could either exit with a message “curl | wget not installed”, or you could attempt to reach out and install them ONLY if the rpm -qa command can’t find them.

This does not solve the yum clean all, but do you really NEED to be running a yum clean all in this script? I am thinking you probably don’t (maybe in your script testing you found otherwise).

I think this approach on the script would indeed allow someone to drop an instance on a locked isolated network segment that can ONLY reach Morpheus, and get the agent installed without all of these dependency issues related to reaching repos that need to be proxied or have internet access to reach?
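
The flow proposed in the post, as an added example that is not part of the original post and is not Morpheus's own installer: check prerequisites without touching any repo, guard the morpheus-node-ctl calls, fetch the RPM, and install it from the local file with all repos disabled. The function names, the RPM URL argument and the /tmp download path are assumptions. The check uses command -v because "rpm -qa | grep curl" also matches libcurl on a host that has no curl binary.

```sh
#!/bin/sh
# Added example, not the Morpheus-generated script.
# Usage (URL is a placeholder): install_agent_offline "https://<appliance>/<agent-rpm-path>"

REQUIRED_TOOLS="${REQUIRED_TOOLS:-curl}"

# Print the required tools that are not on PATH; return non-zero if any are missing.
missing_tools() {
  missing=""
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || missing="${missing:+$missing }$tool"
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Run a command only when its binary exists; skipping is not an error.
run_if_present() {
  if [ -x "$1" ]; then
    "$@"
  else
    echo "skip: $1 not installed" >&2
  fi
}

install_agent_offline() {
  rpm_url=$1                          # placeholder: agent RPM URL on the appliance
  pkg=${2:-/tmp/morpheus-agent.rpm}   # constructed download path
  # Fail fast instead of asking unreachable repos to install the tools.
  if ! missing=$(missing_tools $REQUIRED_TOOLS); then
    echo "required tools not installed: $missing" >&2
    return 1
  fi
  # A first-time install has no control binary yet, so this is skipped.
  run_if_present /usr/bin/morpheus-node-ctl graceful-kill morphd
  # No -k: assumes the appliance certificate chains to a CA the VM trusts.
  curl -fsS -o "$pkg" "$rpm_url" || return 1
  # Install from the local file with every repo disabled and no "yum clean all".
  yum -y --disablerepo='*' localinstall "$pkg" || return 1
  if [ ! -x /usr/bin/morpheus-node-ctl ]; then
    echo "morpheus-node-ctl missing after install" >&2
    return 1
  fi
  /usr/bin/morpheus-node-ctl reconfigure
}
```

If the agent RPM depends on packages that are not already on the VM, the localinstall step fails rather than reaching out to a repo.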