foreman
### WIP
About
Foreman is a complete lifecycle management tool for physical and virtual servers.
- Provision from anywhere: bare metal (MaaS), Amazon EC2, Google Compute Engine, OpenStack, Libvirt, oVirt, VMware, and many other providers allow you to manage a hybrid cloud through Foreman.
- Configuration: an external node classifier, hiera-like parameters, and reports monitoring for Puppet, Salt and Chef are included. Completely ready to tweak host groups in your data center.
- Monitor hosts: Foreman reports will tell you exactly what happened on your nodes, and alert you when things go awry. See in your dashboard which hosts are healthy, and which ones are outdated.
Links
Foreman.org - Quick Start <- Use this guide
Prerequisites
- Lots of patience and the ability to suffer and fail hard.
- Use a Red Hat derivative as base OS, because the variety of plugins available is much richer.
- You'll need quite some resources:
  - CPU: 4
  - RAM: at least 8 GiB
  - Storage: root filesystem / at least 20 GiB; variable data /var at least 64 GiB
  - NICs: there will be some traffic when you are managing the whole provisioning with Foreman. In a virtualized environment the 10 Gbit/s virtio NIC is quite okay, but think about attaching Foreman to the network in a performant way; at least 4 Gbit/s should be available on the machine. It's an important system, so use LACP bonds or other measures to get more than one interface for redundancy and performance.
- Plan the networking layout
- Zoning, IP addressing, DNS, Naming
- The foreman-installer needs Puppet. With CentOS 7/8 (Stream) you may install Puppet from https://yum.puppet.com/, with Debian 10/11 from https://apt.puppet.com/.
Installation
Prepare the installation
Firewalling
Configure the firewall for Foreman and its proxies.
| Source_IP | Source_Name | Dest_IP | Dest_Name | Dest_Port | Proto | Action | Description |
|---|---|---|---|---|---|---|---|
| 192.168.12.3 | foreman1 | 0.0.0.0/0 | INET | tcp/80,tcp/443 | http,https | allow | Allow access to repos from foreman |
| 192.168.33.9 | fproxy | 0.0.0.0/0 | INET | tcp/80,tcp/443 | http,https | allow | Allow access to repos from fproxy |
| 192.168.12.3 | foreman1 | 192.168.33.9 | fproxy | tcp/8443 | https | allow | Allow https from foreman to proxy |
| 192.168.12.3 | foreman1 | 192.168.33.9 | fproxy | tcp/22 | ssh | allow | Allow ssh from foreman to proxy |
| 192.168.33.9 | fproxy | 192.168.12.3 | foreman1 | tcp/443 | https | allow | Allow https from smart proxy to foreman |
| 192.168.33.0/24 | provisioning_network | 192.168.12.3 | foreman1 | tcp/443 | https | allow | Allow https from provisioning network to foreman |
Correct /etc/hosts
Bind the hostname to the correct interface in /etc/hosts. The installer derives the certificate names and the proxy URLs from the machine's FQDN, so a hostname that resolves to a loopback address (Debian's default 127.0.1.1 entry) leads to certificates and URLs nobody else can reach.
Repositories and dependencies on Debian 11
Stop right here and use CentOS 8 Stream.
Create a VM snapshot.
Make puppet available as described in the Quick Start.
Enable Puppet's 7.x repository
Enable the Foreman repositories
sudo wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
echo "deb http://deb.theforeman.org/ bullseye 3.2" | sudo tee /etc/apt/sources.list.d/foreman.list
echo "deb http://deb.theforeman.org/ plugins 3.2" | sudo tee -a /etc/apt/sources.list.d/foreman.list
sudo apt-get update
Install the foreman-installer
sudo apt-get install foreman-installer
Repositories and dependencies on CentOS 8 Stream
Create a VM snapshot.
Make puppet available as described in the Quick Start.
Enable Puppet's 7.x repository
dnf install https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
Enable module ruby 2.7
Enable the Foreman, Katello and Ansible repositories
Install the foreman-installer
Create and distribute ssh pubkeys
Generate a ssh-key for root and distribute it to the proxies
ssh-keygen -b 4096
Install Foreman
Install Foreman with the plugin Katello
Wait for a long time …
and don't forget to note the final instructions of the foreman-installer. The initial admin password is printed here in clear text and also recorded in the installer's answers file; change it after the first login (Administer > Users).
…
* Foreman is running at https://foreman1.server.dezentrale.space
Initial credentials are admin / __secret_initial_password
* To install an additional Foreman proxy on separate machine continue by running:

foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"
* Foreman Proxy is running at https://foreman1.server.dezentrale.space:9090

The full log is at /var/log/foreman-installer/katello.log
2022-06-06 16:54:58 [INFO ] [post] All hooks in group post finished
foreman-installer -l INFO -i -v --scenario katello 899,57s user 103,08s system 53% cpu 31:03,32 total
Configure the host firewall
Allow queries to the web interface. Note that --permanent only changes the saved configuration; the rule becomes active after a firewall-cmd --reload. Adding the http and https services opens ports 80 and 443 to every source in the default zone, which is broader than the table in the Firewalling section allows.
firewall-cmd --permanent --add-service=http{,s}
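The table in the Firewalling section only wants tcp/443 on foreman1 reachable from fproxy and the provisioning network, and tcp/22 and tcp/8443 on fproxy reachable from foreman1. The following is an added example (not from the Foreman project or the original page) that turns exactly those inbound rows into firewalld rich rules for one host, so that the broad http/https services above are not needed. The IPs and host names are the ones from the table; the table is constructed inline, and the outbound rows (destination 0.0.0.0/0) are omitted because firewalld filters ingress.

```shell
#!/usr/bin/env bash
# Added example: generate and apply firewalld rich rules from the page's
# firewall table for a given destination host (foreman1 or fproxy).
set -eu

# Inbound rows of the table: "<source> <destination name> <tcp port>".
# Constructed here from the table on this page; outbound rows are left out.
INBOUND_RULES='192.168.12.3 fproxy 8443
192.168.12.3 fproxy 22
192.168.33.9 foreman1 443
192.168.33.0/24 foreman1 443'

# Print one firewall-cmd invocation per table row whose destination is $1.
# Each rule allows a single tcp port from a single source address or prefix,
# which is the least-privilege form of the table.
rich_rules_for() {
  local host=$1 src dst port
  printf '%s\n' "$INBOUND_RULES" | while read -r src dst port; do
    [ "$dst" = "$host" ] || continue
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" \
      "$src" "$port"
  done
}

# Apply the rules for this machine's role and activate them. --permanent rules
# only take effect after --reload. If you want the table's restriction rather
# than the open http/https services, also run
#   firewall-cmd --permanent --remove-service=http --remove-service=https
apply_rules_for() {
  local host=$1 cmd
  rich_rules_for "$host" | while read -r cmd; do eval "$cmd"; done
  firewall-cmd --reload
}

# Usage on the Foreman server:  apply_rules_for foreman1
# Usage on the smart proxy:     apply_rules_for fproxy
# Dry run, just print the commands:  ./fw.sh --show foreman1
if [ "${1:-}" = "--show" ]; then
  rich_rules_for "${2:-foreman1}"
fi
```

Run it with --show first and compare the printed commands against the table before applying; a typo in a source prefix silently locks out the proxy.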
Install Foreman proxy
Foreman cannot handle multiple proxy URLs. For details see
Foreman - Provisioning Guide 7.4. Discovery Templates and Snippets Settings - Paragraph Rendering the Smart Proxy's Host Name
Therefore the smart proxy should have the same name in every subnet, something like foreman-proxy or fproxy.
Make sure your Foreman server can resolve your proxy's name! Note that the installer output above suggests foreman-proxy-certs-generate for an additional proxy in the Katello scenario; this page instead issues the proxy certificate from the Puppet CA.
Generate a certificate for the smart proxy
/opt/puppetlabs/bin/puppetserver ca generate --certname fproxy.hw4f.dezentrale.space
Successfully saved private key for fproxy.hw4f.dezentrale.space to /etc/puppetlabs/puppet/ssl/private_keys/fproxy.hw4f.dezentrale.space.pem
Successfully saved public key for fproxy.hw4f.dezentrale.space to /etc/puppetlabs/puppet/ssl/public_keys/fproxy.hw4f.dezentrale.space.pem
Successfully submitted certificate request for fproxy.hw4f.dezentrale.space
Error:
Signed certificate fproxy.hw4f.dezentrale.space could not be found on the CA
Successfully signed certificate request for fproxy.hw4f.dezentrale.space
Successfully saved certificate for fproxy.hw4f.dezentrale.space to /etc/puppetlabs/puppet/ssl/certs/fproxy.hw4f.dezentrale.space.pem
Copy the files to the smart proxy
Adjust the owner, group and permissions of the files on the proxy. Only the private key of the proxy needs to leave the CA host; the CA's own key stays where it is.
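The copy and permission step, as an added example that is not part of the original page or the Foreman project. It assumes the three files were created by puppetserver ca generate under Puppet's default SSL directory on the CA, that the certname equals the proxy's resolvable FQDN, and that the root ssh key distributed earlier allows root@fproxy logins. The chown is skipped with a warning when the puppet user does not exist yet, so the permission part can be exercised on a scratch directory.

```shell
#!/usr/bin/env bash
# Added example: ship exactly the three files `puppetserver ca generate` wrote
# on the CA to the smart proxy, then give them the ownership and modes the
# puppet agent expects (private key not world-readable).
set -eu

# Puppet's default SSL directory (assumption: unchanged on both hosts).
SSL_DIR=${SSL_DIR:-/etc/puppetlabs/puppet/ssl}

# The files `puppetserver ca generate --certname $1` produces, relative to SSL_DIR.
cert_files_for() {
  local certname=$1
  printf '%s\n' "certs/$certname.pem" "public_keys/$certname.pem" "private_keys/$certname.pem"
}

# Run on the CA (foreman1): stream just those files over ssh into the same
# directory layout on the proxy. Never copy the whole ssl directory, it holds
# the CA's private key.
ship_certs() {
  local certname=$1
  tar -C "$SSL_DIR" -cf - $(cert_files_for "$certname") |
    ssh "root@$certname" "mkdir -p '$SSL_DIR' && tar -C '$SSL_DIR' -xf -"
}

# Run on the proxy: certificate and public key are world-readable, the private
# key is readable by owner and group only, everything owned by puppet:puppet.
# $2 overrides the directory so the function can be tested on scratch files.
fix_cert_perms() {
  local certname=$1 dir=${2:-$SSL_DIR} f
  for f in $(cert_files_for "$certname"); do
    if [ "$(id -u)" -eq 0 ]; then
      if getent passwd puppet >/dev/null; then
        chown puppet:puppet "$dir/$f"
      else
        echo "warning: no puppet user yet, install the agent and rerun" >&2
      fi
    fi
    case $f in
      private_keys/*) chmod 0640 "$dir/$f" ;;
      *)              chmod 0644 "$dir/$f" ;;
    esac
  done
}

# Usage:
#   on the CA:     ship_certs fproxy.hw4f.dezentrale.space
#   on the proxy:  fix_cert_perms fproxy.hw4f.dezentrale.space
```

After copying, check on the proxy that the certificate's Subject CN matches the FQDN Foreman will use for the proxy (openssl x509 -in certs/<fqdn>.pem -noout -subject); a mismatch is the usual cause of TLS errors when Foreman talks to the proxy.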
Also select foreman_plugin_setup and foreman_plugin_discovery.
Get the OAuth consumer key and secret of your Foreman. The smart proxy authenticates to Foreman with them, so treat the secret like a password: it ends up in your shell history and in the proxy installer's answers file. The command prints two export lines to paste into the shell on the proxy host before running the installer there.
foreman-rake config | grep oauth_consumer | sed -r 's/(oauth_consumer_[a-z]+): (.+)$/export \1="\2"/'
Install a Foreman smart proxy in the desired network. Run the installer on the proxy host. --foreman-proxy-trusted-hosts limits which hosts may call the proxy's API to the Foreman server; keep it that tight. --puppet-server-ca=false and --foreman-proxy-puppetca=false keep the CA on foreman1, so the proxy only runs a compile master with the certificate generated above.
foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --no-enable-foreman-plugin-puppet \
  --no-enable-foreman-cli-puppet \
  --enable-puppet \
  --puppet-server-ca=false \
  --puppet-server-foreman-url="https://foreman1.server.dezentrale.space" \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-puppet-group="puppet" \
  --foreman-proxy-manage-puppet-group=true \
  --foreman-proxy-trusted-hosts="foreman1.server.dezentrale.space" \
  --enable-foreman-proxy \
  --foreman-proxy-tftp=true \
  --foreman-proxy-tftp-servername=192.168.33.3 \
  --foreman-proxy-dhcp=true \
  --foreman-proxy-dhcp-interface=ens18 \
  --foreman-proxy-dhcp-gateway=192.168.33.1 \
  --foreman-proxy-dhcp-nameservers="192.168.33.3" \
  --foreman-proxy-dhcp-range "192.168.33.100 192.168.33.199" \
  --foreman-proxy-dns=true \
  --foreman-proxy-dns-interface=ens18 \
  --foreman-proxy-dns-zone=hw4f.dezentrale.space \
  --foreman-proxy-dns-reverse=33.168.192.in-addr.arpa \
  --foreman-proxy-dns-forwarders=192.168.33.1 \
  --foreman-proxy-oauth-consumer-key="$oauth_consumer_key" \
  --foreman-proxy-oauth-consumer-secret="$oauth_consumer_secret"
Foreman discovery
Make sure the discovery image is in place
In Administer > Settings > Provisioning tab, change the entry "Default PXE global template entry" to "discovery". The global default is empty, in which case the template defaults to local boot and unknown hosts are never discovered.
Katello
Create, organize, and manage local yum, deb, and puppet repositories. Sync remote repositories or upload content directly to build a library of content that serves as the basis for building custom builds of your content.
theforeman.org - Katello nightly Documentation (slightly outdated)
Looks like Katello is only available for Red Hat derivatives.
You can find a subscription-manager for Debian and Ubuntu at
https://apt.atix.de/
File locations
- Provisioning templates
Standard (do not modify, as they may be overwritten on update)
/usr/share/foreman/app/views/unattended/provisioning_templates
Configure
Administer > Users
- Create your personal user
Administer > User Groups
- Create user group "admins"
- Under Roles, tick the "Administrator" checkbox
- Add your user to the group "admins"
Hosts > All hosts
- Check the foreman server
Infrastructure > Smart Proxies
- Make sure a proxy is available for the target network
- Check that the desired functions are available (DHCP, DNS, TFTP, Discovery)
Infrastructure > Organizations
- Create your beloved organization
Infrastructure > Locations
- Create your beloved location
Infrastructure > Domains
- Create the domain
- Assign the DNS proxy, so A records can be deployed on the subnet's DNS server (if available on the smart proxy for the domain)
- Assign to organization and location
Configure > (Puppet) Environments
- Puppets default is lowercase "production"
- Assign to organization and location
Infrastructure > Subnets
- Create Subnet
- Assign DHCP, TFTP, Reverse DNS(, Template) and Discovery Proxy
- Assign to organization and location
Hosts > Operating Systems
- Create the OS you want to provision
Configure > Host Group
- Create a host group to act as a set of defaults
- Create host
Troubleshooting
PXE menu entry does not respond
When selecting a PXE menu entry nothing happens.
Most likely the file the entry tries to fetch via TFTP does not exist. Check the TFTP root on the smart proxy responsible for the subnet and the proxy's log for the failed request.
Smart Proxy shows DHCP related errors on Debian Bullseye
Debian's isc-dhcp-server in version 4.4.1-2.3 has a bug:
Debian Bug #995242 - isc-dhcp-server: omshell returns inconsistent results or segfaults
As a workaround upgrade to a version >= 4.4.3-1, e.g. from SID.
Pin SID low in /etc/apt/preferences.d/zz_releases, check the priorities with apt-cache policy, and install isc-dhcp-server from SID using aptitude. You will have to upgrade glibc dependencies too, which leaves you with a mixed stable/unstable system, so take the VM snapshot first.
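The pinning described above written out, as an added example that is not part of the original page. The priority 100 for unstable is apt's "only if nothing else provides it" band, so adding the SID source does not upgrade anything by itself; only a package explicitly requested with -t sid comes from there. The mirror URL and the file name of the sources entry are assumptions; the pin file name is the one from the page.

```shell
#!/usr/bin/env bash
# Added example: add SID as a low-priority source on bullseye and pull only
# isc-dhcp-server from it. Paths default to the system locations; the first
# argument of the write_* functions overrides them for testing.
set -eu

# Pin everything from unstable to priority 100 (below the 500 of the installed
# release), so apt never upgrades to SID on its own. File name as on this page.
write_sid_pin() {
  local target=${1:-/etc/apt/preferences.d/zz_releases}
  cat >"$target" <<'EOF'
# Keep bullseye as the default; SID only when explicitly requested with -t sid.
Package: *
Pin: release a=unstable
Pin-Priority: 100
EOF
  printf '%s\n' "$target"
}

# Add the SID source next to it (assumption: deb.debian.org, main only).
write_sid_source() {
  local target=${1:-/etc/apt/sources.list.d/sid.list}
  printf 'deb https://deb.debian.org/debian sid main\n' >"$target"
  printf '%s\n' "$target"
}

# Check the priorities before installing anything: bullseye's 4.4.1-2.3 must
# still be the candidate and SID's >= 4.4.3-1 must be listed at priority 100.
check_priorities() {
  apt-get update
  apt-cache policy isc-dhcp-server
}

# Pull isc-dhcp-server (and the dependencies it strictly needs, which on
# bullseye includes a newer glibc) from SID. Snapshot the VM before this.
install_dhcp_from_sid() {
  apt-get install -t sid isc-dhcp-server
}

# Usage as root:
#   write_sid_pin && write_sid_source && check_priorities && install_dhcp_from_sid
```

After the install, apt-cache policy isc-dhcp-server should show the SID version as installed while every other package still has bullseye as its candidate; if other candidates moved to SID, the pin file is not being read.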