A Foreman installation will always contain a central foreman instance that is responsible for providing the Web based GUI, node configurations, initial host configuration files, etc. However, if the foreman installation supports unattended installations then other operations need to be performed to fully automate this process. The smart proxy manages remote services and is generally installed with all Foreman installations to allow for TFTP, DHCP, DNS, and Puppet, and the Puppet CA.
A Smart-Proxy is located on or near a machine that performs a specific function and helps foreman orchestrate the process of commissioning a new host. Placing the proxy on or near to the actual service will also help reduce latencies in large distributed organizations.
A new installer based on the kafo project is available. Refer to the installation section of the manual for more information.
In the default all-in-one setup, the smart-proxy is automatically registered
in the Foreman UI, using the API during installation.
You can change that behavior with
register_in_foreman
puppet class parameter (or installer option
--foreman-proxy-register-in-foreman
).
The install module that manages Puppet was refactored, the puppet::server class is now top level. Please review updated readme if you install Foreman directly via your Puppet infrastructure.
Brand new command-line interface for Foreman codenamed “Hammer” is introduced by this release. The first version, which is released with Foreman 1.3, is not yet feature-complete and should be treated as a “preview”.
To install the new Foreman command line client, install package
rubygem-hammer_cli_foreman
first and run:
hammer -h
Support for Amazon EC2’s Virtual Private Cloud (VPC) feature has been added, allowing selection of VPC security groups when creating new hosts.
Support for Google Compute Engine as a compute resource has been added. Packages are unavailable in RC1 due to the late addition, but should follow. This implementation is currently in beta state.
Since web-based VNC/SPICE console is popular, we have added possibility to set VNC password for libvirt and VMware resources which helps to integrate with VMs created outside Foreman too. SPICE support can now be enabled for libvirt VMs too.
Compute resource passwords can now be encrypted in the database.
VM and host records can be now matched via MAC address, either all at once by clicking on Associate VMs at the Compute Resource level, or the Associate button, if available on the compute resource VM. There is logic to determine if it is capable of matching a host.
It is now possible to to restrict LDAP authentication to a security group which was highly demanded feature. In the LDAP definition dialog, there is new field called “Custom LDAP search filter” which can be used for that purpose.
A nice and handy feature which is useful when you have no Puppet Master and using token-based templates. Before Foreman 1.3, there was no other way to get the IP updated, now foreman does that automatically when “update_ip_from_built_request” setting is set.
Various plugins have been packaged as RPMs for easy installation, including foreman_discovery, foreman_content, foreman_hooks, or foreman_simplify. For the whole list head over to plugin documentation.
The new “experimental” API version (v2) has been improved, providing new features while retaining API compatibility. API v1 still remains the default version. To use API v2, users must pass “version=2” in the header. For example:
curl -u admin:secret -H 'Accept:application/json,version=2' http://abc.com/api/locations
New features include REMOTE_USER support, data format consolidation, better logging, documentation, smart classes support, network interfaces, power management and boot device APIs.
Foreman 1.3 is now fully translated into (in alphabetical order):
Join the translation effort now at transifex.com site.
Puppet dependency was removed from Foreman core, so all Puppet usage is in the smart proxy only. This will make it optional for people who don’t use Puppet, plus avoid conflicts when loading Puppet as a library. In addition, if puppetmaster is not on the same server as Foreman, Puppet no longer needs to be installed there at all.
To accomplish this, the way facts and reports are uploaded was changed. Specifically, Foreman itself now uses a JSON format, and the ENC (node.rb) and Puppet report processor (foreman.rb) have been updated to handle changing Puppet-specific data into JSON. Existing ENC/Reports scripts will need a change to the latest version, which can be found in the installer git repository:
Configuration values defined via settings.yaml file are now presented in the Foreman Settings page as read-only settings. Every time value is changed in settings.yaml Foreman automatically updates the database. See #2764 for more info.
The new API v2 is still work in progress, there are some changes to the API, parameters and output format. We are working hard to stabilize this API in future releases.
Large changes to the API v2 include replacement of api/lookup_keys by api/smart_variables and api/smart_class_parameters (tickets #2810 and #2142) or removal of JSON roots (#2803).
A new foreman-rake
command replaces the various rake
commands for running administrative tasks.
It is a wrapper around rake
that changes to the correct user and
directory and on SCL-enabled systems also uses the scl
command.
The foreman-rake command is provided in packages for all OSes to make
administration of Foreman consistent.
More information about software collections is available in the Software Collections manual section.
Foreman 1.3.2 is a bug fix release for the 1.3 series. Only the core Foreman component has been updated - the installer remains at 1.3.1 and the smart proxy and SELinux packages remain at version 1.3.0.
A full list of changes in 1.3.2 is also available via Redmine
Foreman 1.3.1 is a bug fix release for the 1.3 series. Only the core Foreman component and the installer have been updated - the smart proxy and SELinux packages remain at version 1.3.0.
node.rb --push-facts
now tracks which fact files have already been uploaded (#3262)A full list of changes in 1.3.1 is also available via Redmine
A full list of changes in 1.3.0 is available via the Roadmap
We’d like to thank the following people who contributed to the Foreman 1.3 release:
Aaron Stone, Adam Price, Amos Benari, Andy Bohne, Antony Perigault, Arnoud de Jonge, Ash Caire, Bernard McKeever, Cédric Jeanneret, Daniel Baeurer, Daniel Lobato, Dmitri Dolguikh, Dominic Cleal, Ewoud Kohl van Wijngaarden, Florentin Raud, Florian Ernst, Gavin McCance, Gaël Chamoulaud, Greg Sutcliffe, Grégoire Morpain, Ian Mordey, Ivan Nečas, James Bailey, Jason Montleon, Jeremy Kitchen, Jimmi Dyson, Joseph Mitchell Magen, Justin Foreman, Kamil Winczek, Libor Zoubek, Luke Alford, Lukáš Zapletal, Marek Hulán, Mark O’Shea, Martin Bačovský, Martin Matuska, Michael Moll, Mickaël Canévet, Mikael Fridh, Nacho Barrientos, Nils Domrose, Ohad Levy, Povilas Daukintis, Rick Sherman, Romain Vrignaud, Ryan Davies, Sam Kottler, Stef Telford, Stephen Hoekstra, Tomas Strachota, bmx0r, kleind, snobear.
As well as all users who helped test releases, report bugs and provide feedback on the project.
The Foreman installer is a collection of Puppet modules that installs everything required for a full working Foreman setup. It uses native OS packaging (e.g. RPM and .deb packages) and adds necessary configuration for the complete installation.
Components include the Foreman web UI, Smart Proxy, Passenger (for the puppet master and Foreman itself), and optionally TFTP, DNS and DHCP servers. It is configurable and the Puppet modules can be read or run in “no-op” mode to see what changes it will make.
Other operating systems will need to use alternative installation methods (see the manual).
The Foreman installer uses Puppet to install Foreman. This guide assumes that you have a newly installed operating system, on which the installer will setup Foreman, a puppet master with Passenger and the Smart Proxy by default.
For Red Hat variants, run this (replace ‘el6’ with ‘f18’ or ‘f19’ as appropriate):
For Debian variants, run this (replace ‘wheezy’ with ‘precise’ if on Ubuntu 12.04, or ‘squeeze’ for Debian 6):
The installation run is non-interactive, but the configuration can be customized by supplying any of the options listed in foreman-installer --help
, or by running foreman-installer -i
for interactive mode. More examples are given in the Installation Options section. Adding -v
will disable the progress bar and display all changes. To run the installer, execute:
After it completes, Foreman will be accessible at https://fqdn/
with a default username/password of “admin” and “changeme”.
After installation, the Foreman installer will have set up a puppet master on the host, fully integrated with Foreman. First run the Puppet agent on the Foreman host which will send the first Puppet report to Foreman, automatically creating the host in Foreman’s database.
In Foreman, click on the Hosts tab and your Foreman host should be visible in the list with an “O” status. This indicates its status is OK, with no changes made on the last Puppet run.
Next, we’ll install a Puppet module for managing the NTP service. If you have Puppet 2.7.14 or higher, install the module automatically from Puppet Forge to our “production” environment (the default):
On older versions, download the tar.gz and unpack to /etc/puppet/environments/production/modules/
. Rename the directory to “ntp”, removing the author and version number.
In Foreman, go to More > Configuration > Puppet Classes and click Import from hostname (top right) to read the available Puppet classes from the puppet master and populate Foreman’s database. The “ntp” class will appear in the Puppet class list if installed correctly.
Click on the “ntp” class in the list, change to the Smart Class Parameters tab and select the server_list parameter on the left hand side. Tick the Override checkbox so Foreman manages the “server_list” parameter of the class and change the default value if desired, before submitting the page.
Change back to the Hosts tab and click Edit on the Foreman host. On the Puppet Classes tab, expand the ntp module and click the + icon to add the ntp class to the host, then save the host.
Clicking the YAML button when back on the host page will show the ntp class and the server_list parameter, as passed to Puppet via the ENC (external node classifier) interface. Re-run puppet agent --test
on the Foreman host to see the NTP service automatically reconfigured by Puppet and the NTP module.
Other hosts with Puppet agents installed can use this puppet master by setting server = foreman.example.com
in puppet.conf. Sign their certificates in Foreman by going to More > Configuration > Smart Proxies > Certificates or using puppet cert list
and puppet cert sign
on the puppet master.
Puppet classes can be added to host groups in Foreman instead of individual hosts, enabling a standard configuration of many hosts simultaneously. Host groups are typically used to represent server roles.
There are several different methods of installing Foreman. The recommended way is with the puppet based Foreman Installer but you may also use your distribution’s package manager or install directly from source.
This sections outlines the system requirements for an installation of Foreman. This will cover the hardware requirements, OS requirements and firewall requirements. This includes variations for all supported database types.
The following operating systems are supported by the installer, have packages and are tested for deploying Foreman:
yum-config-manager --enable rhel-6-server-optional-rpms
)All platforms will require Puppet 2.6.5 or higher. Puppet 3.x is supported and may be installed from the Puppet Labs repositories.
Other operating systems will need to use alternative installation methods, such as from source.
The following operating systems are known to install successfully from Foreman:
Protect your Foreman environment by blocking all unnecessary and unused ports.
Port | Protocol | Required For |
---|---|---|
80, 443 | TCP | * HTTP & HTTPS access to Foreman web UI - using Apache + Passenger |
3000 | TCP | HTTP access to Foreman web UI - using standalone WEBrick service |
8443 | TCP | Smart Proxy, open only to Foreman |
8140 | TCP | * Puppet Master |
67, 68 | UDP | DHCP Smart Proxies |
69 | UDP | * TFTP Smart Proxies |
53 | TCP & UDP | DNS Smart Proxies |
5432 | TCP | Separate PostgreSQL database |
3306 | TCP | Separate MySQL database |
Ports indicated with * are running by default on a Foreman all-in-one installation and should be open.
The Foreman installer is a collection of Puppet modules that installs everything required for a full working Foreman setup. It uses native OS packaging (e.g. RPM and .deb packages) and adds necessary configuration for the complete installation.
Components include the Foreman web UI, Smart Proxy, Passenger (for the puppet master and Foreman itself), and optionally TFTP, DNS and DHCP servers. It is configurable and the Puppet modules can be read or run in “no-op” mode to see what changes it will make.
It’s strongly recommended to use the installer instead of only installing packages, as the installer uses OS packages and it saves a lot of time otherwise spent replicating configuration by hand.
By default it will configure:
Other modules can be enabled, which will also configure:
The Foreman installer uses Puppet to install Foreman. This guide assumes that you have a newly installed operating system, on which the installer will setup Foreman, a puppet master with Passenger and the Smart Proxy by default.
For Red Hat variants, run this (replace ‘el6’ with ‘f18’ or ‘f19’ as appropriate):
For Debian variants, run this (replace ‘wheezy’ with ‘precise’ if on Ubuntu 12.04, or ‘squeeze’ for Debian 6):
The installation run is non-interactive, but the configuration can be customized by supplying any of the options listed in foreman-installer --help
, or by running foreman-installer -i
for interactive mode. More examples are given in the Installation Options section. Adding -v
will disable the progress bar and display all changes, while --noop
will run without making any changes. To run the installer, execute:
After it completes, Foreman will be accessible at https://fqdn/
with a default username/password of “admin” and “changeme”. Logs of the installation are stored under /var/log/foreman-installer
.
The installer is a collection of Puppet modules, which have a large number of parameters available to customize the configuration. Parameters can be set by running foreman-installer
with arguments, e.g. --foreman-db-type
, changing settings in interactive mode or by setting up an answers file.
The precedence for settings is for those set by arguments to foreman-installer or interactive mode, then the answers file, then the Puppet manifest defaults.
Every parameter available in the installer can be set using command line arguments to foreman-installer
. Run foreman-installer --help
for a list of every available option.
When running the installer, all arguments passed on the command line will be persisted by default to /etc/foreman/foreman-installer.yaml and used automatically on subsequent runs, without needing to specify those arguments again. This persistence can be disabled with the -b
option.
The installer also provides a text driven interface to customize configuration parameters, and can be run by executing:
Option | Description |
---|---|
--foreman-apache-conf-dir | Directory that holds Apache configuration files (e.g. /etc/httpd/conf.d) |
--foreman-app-root | Name of foreman root directory |
--foreman-authentication | Enable users authentication (default user:admin pw:changeme) |
--foreman-custom-repo | No need to change anything here by default if set to true, no repo will be added by this module, letting you to set it to some custom location. |
--foreman-db-adapter | Database 'production' adapter |
--foreman-db-database | Database 'production' database (e.g. foreman) |
--foreman-db-host | Database 'production' host |
--foreman-db-manage | if enabled, will install and configure the database server on this host |
--foreman-db-password | Database 'production' password (default is random) |
--foreman-db-port | Database 'production' port |
--foreman-db-sslmode | Database 'production' ssl mode |
--foreman-db-type | Database 'production' type (valid types: mysql/postgresql/sqlite) |
--foreman-db-username | Database 'production' user (e.g. foreman) |
--foreman-environment | Rails environment of foreman |
--foreman-foreman-url | URL on which foreman is going to run |
--foreman-gpgcheck | turn on/off gpg check in repo files (effective only on RedHat family systems) |
--foreman-group | Primary group for the Foreman user |
--foreman-locations-enabled | Enable locations? |
--foreman-oauth-active | Enable OAuth authentication for REST API |
--foreman-oauth-consumer-key | OAuth consumer key |
--foreman-oauth-consumer-secret | OAuth consumer secret |
--foreman-oauth-map-users | Should foreman use the foreman_user header to identify API user? |
--foreman-organizations-enabled | Enable organizations? |
--foreman-passenger | Configure foreman via apache and passenger |
--foreman-passenger-interface | Defines which network interface passenger should listen on, undef means all interfaces |
--foreman-passenger-scl | Software collection name (on RHEL currently 'ruby193', undef on others) |
--foreman-puppet-basedir | Where are puppet modules located |
--foreman-puppet-home | Puppet home directory |
--foreman-repo | This can be stable, rc, or nightly |
--foreman-selinux | when undef, foreman-selinux will be installed if SELinux is enabled setting to false/true will override this check (e.g. set to false on 1.1) |
--foreman-ssl | Enable and set require_ssl in Foreman settings (note: requires passenger, SSL does not apply to kickstarts) |
--foreman-unattended | Should foreman manage host provisioning as well |
--foreman-use-vhost | Enclose apache configuration in |
--foreman-user | User under which foreman will run |
--foreman-user-groups | Additional groups for the Foreman user |
--foreman-version | foreman package version, it's passed to ensure parameter of package resource can be set to specific version number, 'latest', 'present' etc. |
--foreman-proxy-autosign-location | Path to autosign configuration file |
--foreman-proxy-bmc | Use BMC |
--foreman-proxy-bmc-default-provider | BMC default provider. |
--foreman-proxy-custom-repo | No need to change anything here by default if set to true, no repo will be added by this module, letting you to set it to some custom location. |
--foreman-proxy-dhcp | Use DHCP |
--foreman-proxy-dhcp-config | DHCP config file path |
--foreman-proxy-dhcp-gateway | DHCP pool gateway |
--foreman-proxy-dhcp-interface | DHCP listen interface |
--foreman-proxy-dhcp-key-name | DHCP key name |
--foreman-proxy-dhcp-key-secret | DHCP password |
--foreman-proxy-dhcp-leases | DHCP leases file |
--foreman-proxy-dhcp-managed | DHCP is managed by Foreman proxy |
--foreman-proxy-dhcp-nameservers | DHCP nameservers |
--foreman-proxy-dhcp-range | Space-separated DHCP pool range |
--foreman-proxy-dhcp-vendor | DHCP vendor |
--foreman-proxy-dir | Foreman proxy install directory |
--foreman-proxy-dns | Use DNS |
--foreman-proxy-dns-forwarders | DNS forwarders |
--foreman-proxy-dns-interface | DNS interface |
--foreman-proxy-dns-managed | DNS is managed by Foreman proxy |
--foreman-proxy-dns-reverse | DNS reverse zone name |
--foreman-proxy-dns-server | Address of DNS server to manage |
--foreman-proxy-dns-zone | DNS zone name |
--foreman-proxy-foreman-base-url | Base Foreman URL used for REST interaction |
--foreman-proxy-gpgcheck | Turn on/off gpg check in repo files (effective only on RedHat family systems) |
--foreman-proxy-keyfile | DNS server keyfile path |
--foreman-proxy-log | Foreman proxy log file |
--foreman-proxy-manage-sudoersd | Whether to manage File['/etc/sudoers.d'] or not. When reusing this module, this may be disabled to let a dedicated sudo module manage it instead. |
--foreman-proxy-oauth-consumer-key | OAuth key to be used for REST interaction |
--foreman-proxy-oauth-consumer-secret | OAuth secret to be used for REST interaction |
--foreman-proxy-oauth-effective-user | User to be used for REST interaction |
--foreman-proxy-port | Port on which will foreman proxy listen |
--foreman-proxy-puppet-group | Groups of Foreman proxy user |
--foreman-proxy-puppetca | Use Puppet CA |
--foreman-proxy-puppetca-cmd | Puppet CA command to be allowed in sudoers |
--foreman-proxy-puppetdir | Puppet var directory |
--foreman-proxy-puppetrun | Enable puppet run/kick management |
--foreman-proxy-puppetrun-cmd | Puppet run/kick command to be allowed in sudoers |
--foreman-proxy-register-in-foreman | Register proxy back in Foreman |
--foreman-proxy-registered-name | Proxy name which is registered in Foreman |
--foreman-proxy-registered-proxy-url | Proxy URL which is registered in Foreman |
--foreman-proxy-repo | This can be stable, rc, or nightly |
--foreman-proxy-ssl | Enable SSL, ensure proxy is added with "https://" protocol if true |
--foreman-proxy-ssl-ca | If CA is specified, remote Foreman host will be verified |
--foreman-proxy-ssl-cert | Used to communicate to Foreman |
--foreman-proxy-ssl-key | Corresponding key to a certificate |
--foreman-proxy-ssldir | Puppet CA ssl directory |
--foreman-proxy-tftp | Use TFTP |
--foreman-proxy-tftp-dirs | Directories to be create in $tftp_root |
--foreman-proxy-tftp-root | TFTP root directory |
--foreman-proxy-tftp-servername | Defines the TFTP Servername to use, overrides the name in the subnet declaration |
--foreman-proxy-tftp-syslinux-files | Syslinux files to install on TFTP (copied from $tftp_syslinux_root) |
--foreman-proxy-tftp-syslinux-root | Directory that hold syslinux files |
--foreman-proxy-trusted-hosts | Only hosts listed will be permitted, empty array to disable authorization |
--foreman-proxy-use-sudoersd | Add a file to /etc/sudoers.d (true) or uses augeas (false) |
--foreman-proxy-user | User under which foreman proxy will run |
--puppet-agent-noop | Run the agent in noop mode. |
--puppet-agent-template | Use a custom template for the agent puppet configuration. |
--puppet-auth-template | Use a custom template for the auth configuration. |
--puppet-ca-server | Use a different ca server. Should be either a string with the location of the ca_server or 'false'. |
--puppet-client-package | Install a custom package to provide the puppet client |
--puppet-dir | Override the puppet directory. |
--puppet-group | Override the name of the puppet group. |
--puppet-listen | Should the puppet agent listen for connections. |
--puppet-nsauth-template | Use a custom template for the nsauth configuration. |
--puppet-pluginsync | Enable pluginsync. |
--puppet-port | Override the port of the master we connect to. |
--puppet-runinterval | Set up the interval (in seconds) to run the puppet agent. |
--puppet-runmode | Select the mode to setup the puppet agent. Can be either 'cron' or 'service'. |
--puppet-server | Should a puppet master be installed as well as the client |
--puppet-server-app-root | Directory where the application lives |
--puppet-server-ca | Provide puppet CA |
--puppet-server-common-modules-path | Common modules paths (only when $server_git_repo_path and $server_dynamic_environments are false) |
--puppet-server-config-version | How to determine the configuration version. When using git_repo, by default a git describe approach will be installed. |
--puppet-server-dir | Puppet configuration directory |
--puppet-server-dynamic-environments | Use $environment in the modulepath |
--puppet-server-enc-api | What version of enc script to deploy. Valid values are 'v2' for latest, and 'v1' for Foreman =< 1.2 |
--puppet-server-environments | Environments to setup (creates directories). Applies only when $server_dynamic_environments is false |
--puppet-server-environments-owner | The owner of the environments directory |
--puppet-server-envs-dir | Directory that holds puppet environments |
--puppet-server-external-nodes | External nodes classifier executable |
--puppet-server-facts | Should foreman receive facts from puppet |
--puppet-server-foreman-ssl-ca | SSL CA of the Foreman server |
--puppet-server-foreman-ssl-cert | Client certificate for authenticating against Foreman server |
--puppet-server-foreman-ssl-key | Key for authenticating against Foreman server |
--puppet-server-foreman-url | Foreman URL |
--puppet-server-git-repo | Use git repository as a source of modules |
--puppet-server-git-repo-path | Git repository path |
--puppet-server-group | Name of the puppetmaster group. |
--puppet-server-httpd-service | Apache/httpd service name to notify on configuration changes. Defaults to 'httpd' based on the default apache module included with foreman-installer. |
--puppet-server-manifest-path | Path to puppet site.pp manifest (only when $server_git_repo_path and $server_dynamic_environments are false) |
--puppet-server-package | Custom package name for puppet master |
--puppet-server-passenger | If set to true, we will configure apache with passenger. If set to false, we will enable the default puppetmaster service unless service_fallback is set to false. See 'Advanced server parameters' for more information. |
--puppet-server-passenger-max-pool | The PassengerMaxPoolSize parameter. If your host is low on memory, it may be a good thing to lower this. Defaults to 12. |
--puppet-server-port | Puppet master port |
--puppet-server-post-hook-content | Which template to use for git post hook |
--puppet-server-post-hook-name | Name of a git hook |
--puppet-server-puppet-basedir | Where is the puppet code base located |
--puppet-server-puppet-home | Puppet var directory |
--puppet-server-report-api | What version of report processor to deploy. Valid values are 'v2' for latest, and 'v1' for Foreman =< 1.2 |
--puppet-server-reports | List of report types to include on the puppetmaster |
--puppet-server-service-fallback | If passenger is not used, do we want to fallback to using the puppetmaster service? Set to false if you disabled passenger and you do NOT want to use the puppetmaster service. Defaults to true. |
--puppet-server-ssl-dir | SSL directory |
--puppet-server-storeconfigs-backend | Do you use storeconfigs? (note: not required) false if you don't, "active_record" for 2.X style db, "puppetdb" for puppetdb |
--puppet-server-template | Which template should be used for master configuration |
--puppet-server-user | Name of the puppetmaster user. |
--puppet-server-vardir | Puppet data directory. |
--puppet-show-diff | Show and report changed files with diff output |
--puppet-splay | Switch to enable a random amount of time to sleep before each run. |
--puppet-user | Override the name of the puppet user. |
--puppet-version | Specify a specific version of a package to install. The version should be the exact match for your distro. You can also use certain values like 'latest'. |
The answers file describes the classes that will be applied to the host to
install Foreman, along with their parameters. The foreman-installer package stores it at /etc/foreman/foreman-installer.yaml
. By default, the all-in-one setup will include Foreman, a puppetmaster, Puppet agent, and the Smart Proxy:
Other examples are given in the next section, or /usr/share/foreman-installer/README.md
.
The Foreman installer can accommodate more complex, multi-host setups when supplied with appropriate parameters.
Using the scenarios outlined below, a simple scale-out setup can be created as follows:
For each Puppet master:
Each Puppet master will register with Foreman as a smart proxy, while the instance running on the Foreman host itself will act as a central Puppet CA. These can be selected while adding new hosts or host groups.
The scenarios below assume a single Puppet CA (certificate authority) for all hosts, which is also used for Foreman and smart proxy communications, though more complex deployments are possible. This might be the central Foreman host, or a particular Puppet master.
Other systems require certificates to be generated on the central Puppet CA host, then distributed to them before running foreman-installer (else it may generate a second CA). To prepare these, on the host acting as Puppet CA, run:
Transfer the following files to the same paths on the new host:
This provides the new host a certificate in the same authority, but doesn’t make it a CA itself. Certificates will continue to be generated on the central Puppet CA host.
A standalone Puppet master can be configured along with a smart proxy installation, enabling the Puppet infrastructure to be scaled out. A certificate should be generated and copied to the host first to make it part of the same CA, else a new Puppet CA will be generated.
Command line arguments:
Fill in the OAuth consumer key and secret values from your Foreman instance, retrieve them from More > Settings > Auth, and set the Foreman URLs appropriately. These allow the smart proxy to register automatically with the Foreman instance, or disable with --foreman-proxy-register-in-foreman=false
.
The default “all-in-one” Foreman installation includes a Puppet master, but this can be disabled. Foreman by default uses Puppet’s SSL certificates however, so a certificate must be generated and copied to the host first, or all SSL communications need to be disabled.
Command line arguments:
This will still configure the Puppet agent, but this too can be disabled with --no-enable-puppet
to disable the whole Puppet module.
The smart proxy allows management of various network services, such as DNS, DHCP and TFTP. The installer can set up a basic smart proxy service ready to be configured, or it can install and configure BIND or ISC DHCP ready to go. A certificate should be generated and copied to the host first so Foreman can contact the proxy server.
Command line arguments for a basic smart proxy installation:
Fill in the OAuth consumer key and secret values from your Foreman instance, retrieve them from More > Settings > Auth, and set the Foreman URL appropriately. These allow the smart proxy to register automatically with the Foreman instance, or disable with --foreman-proxy-register-in-foreman=false
.
Command line arguments for a smart proxy configured with just BIND, setting DNS forwarders and overriding the default forward and reverse DNS zones:
Ensure the dns-interface argument is updated with the correct network interface name for the DNS server to listen on.
Command line arguments for a smart proxy configured with just ISC DHCP and a single DHCP subnet:
Also ensure here that the dhcp-interface argument is updated for the interface to run DHCP on.
Packages are available for Red Hat and Debian-based distributions. This will install a standalone Foreman service running under WEBrick, which has limited scalability.
The Puppet-based Foreman installer is recommended for most environments, instead of installing only the packages as it will perform full configuration too.
Foreman is packaged for the following RPM based distributions:
For most users, it’s highly recommended to use the installer as the packages only provide the software and a standalone Foreman service. The installer installs these packages, then additionally configures Foreman to run under Apache and Passenger with PostgreSQL, plus can configure a complete Puppet setup integrated with Foreman.
All RHEL and derivatives must be subscribed to EPEL to provide additional dependencies. Install epel-release from here to automatically configure it.
RHEL 6 hosts must also be subscribed to the “Optional” channel in RHN.
Optionally, the Puppet Labs repository can be configured to obtain the latest version of Puppet available, instead of the version on EPEL. See the Puppet Labs Package Repositories documentation on how to configure these.
Three main repos are provided at http://yum.theforeman.org:
/releases/latest
or /releases/VERSION
(e.g. /releases/1.3
) carries the stable releases and updates of Foreman and its dependencies./rc
carries release candidates only in the few weeks prior to a release. Ensure after a release is made that you use the main releases repo instead./nightly
carries the latest development builds and as such, may be unstable or occasionally broken.Under each repo are directories for each distribution, then each architecture.
To set up the repository, foreman-release packages are provided which add a repo definition to /etc/yum.repos.d
. Install the appropriate release RPM from these lists:
yum localinstall http://yum.theforeman.org/releases/1.3/el6/x86_64/foreman-release.rpm
yum localinstall http://yum.theforeman.org/releases/1.3/f18/x86_64/foreman-release.rpm
yum localinstall http://yum.theforeman.org/releases/1.3/f19/x86_64/foreman-release.rpm
For release candidate or nightly RPMs, change the URL as appropriate based on the above list of available repositories.
Release and release candidate packages are signed by the “Foreman Archive Signing Key packages@theforeman.org” (0xE775FF07). Nightly packages are not signed.
A copy of the key is available from public keyservers or here.
Install foreman and other foreman-* packages to add functionality:
foreman Foreman server
foreman-proxy Foreman Smart Proxy
foreman-compute EC2, OpenStack and Rackspace provisioning support
foreman-libvirt libvirt provisioning support
foreman-ovirt oVirt/RHEV provisioning support
foreman-vmware VMware provisioning support
foreman-cli Foreman CLI utility
foreman-console Console additions
foreman-selinux SELinux targeted policy
foreman-mysql MySQL database support
foreman-mysql2 MySQL database support
foreman-postgresql PostgreSQL database support
foreman-sqlite SQLite database support
/etc/foreman/settings.yaml
and /etc/foreman/database.yml
sudo -u foreman /usr/share/foreman/extras/dbmigrate
service foreman start
The RPMs use a packaging technique called Software Collections, or SCL. This provides Ruby and all dependencies required to run Foreman separately from the version of Ruby provided by the distribution.
The current stack is “ruby193”, which provides Ruby 1.9.3 and Ruby on Rails 3.2. All packages will have a “ruby193-“ prefix, allowing them to be easily identified, and will install entirely underneath /opt/rh/ruby193
.
The system Ruby version is left alone and will still be used for packages provided both by the distribution, and other third parties who target the system Ruby (e.g. Puppet packages).
Foreman currently uses SCL only on RHEL and EL clones where a newer version of Ruby is desired. Fedora only uses the distro version of Ruby.
In order to run rake commands for Foreman, or scripts that run in the same environment, ruby193-rake
and ruby193-ruby
wrappers are provided as alternatives for the usual rake
or ruby
. In order to run a series of commands or a script directly within the software collection, scl enable ruby193 'other command'
can be used. It is also possible to run scl enable ruby193 bash
to get a shell within the context of the SCL. Foreman rake tasks should be run with “foreman-rake”, which automates this process.
More general information about software collections is available from these links:
When running Foreman under Passenger (the default installer setup), a specific configuration is needed for SCL (on EL), since Foreman operates under the SCL Ruby and other apps such as the puppetmaster will use the system Ruby. Passenger 4 is shipped in the Foreman repos as it can be configured with separate Ruby binaries per VirtualHost. The full configuration is described below.
The following packages must be installed:
Ensure all version numbers match and are at least 4.0. mod_passenger provides the Apache module, while there are two copies of the Ruby components, one for the SCL Ruby (ruby193-rubygem-*
) and one for the system Ruby (rubygem-*
).
The /etc/httpd/conf.d/passenger.conf
file is supplied by mod_passenger and should contain:
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5
PassengerRuby /usr/bin/ruby
</IfModule>
Check for .rpmsave or .rpmnew config backup files if this isn’t correct. Note that this refers to the system Ruby paths by default, allowing everything except Foreman (i.e. the puppetmaster) to run under the system Ruby.
Next, the Foreman config file at /etc/httpd/conf.d/foreman.conf
must contain this entry in both HTTP and HTTPS VirtualHost sections:
PassengerRuby /usr/bin/ruby193-ruby
The full foreman.conf template from the installer is available here for comparison.
Ensure both RailsAutoDetect
and RakeAutoDetect
config entries are removed from foreman.conf and puppet.conf when using Passenger 4, since they have been deprecated.
When successfully configured, two Passenger RackApp processes will be visible and by inspecting the open files, the Ruby version being loaded can be confirmed:
# ps auxww | grep RackApp
foreman 16627 0.1 15.4 466980 157196 ? Sl 07:35 0:09 Passenger RackApp: /usr/share/foreman
puppet 16697 0.8 11.3 253080 115720 ? Sl 07:35 1:13 Passenger RackApp: /etc/puppet/rack
# lsof -p 16697 | grep libruby
ruby 16697 puppet mem REG 253,0 951224 272286 /usr/lib64/libruby.so.1.8.7
# lsof -p 16627 | grep libruby
ruby 16627 foreman mem REG 253,0 2041096 171190 /opt/rh/ruby193/root/usr/lib64/libruby.so.1.9.1
The Foreman packages should work on the following Debian-based Linux distributions:
Foreman might still work on these distros, but it has not been tested (let us know if it works for you):
If you encounter any errors during the installation, please file a bug report!
Add one of the following lines to your /etc/apt/sources.list (alternatively in a separate file in /etc/apt/sources.list.d/foreman.list):
You may also want some plugins from the plugin repo:
The public key for secure APT can be downloaded here
You can add this key with
apt-key add pubkey.gpg
or combine downloading and registering:
wget -q http://deb.theforeman.org/pubkey.gpg -O- | apt-key add -
The key fingerprint is
7059 542D 5AEA 367F 7873 2D02 B348 4CB7 1AA0 43B8 Foreman Automatic Signing Key (2014) <packages@theforeman.org>
Remember to update your package lists!
apt-get update
The packages are now split by gem dependencies - there are 11 packages to choose from. These are:
Main package:
Database gems - you need at least one of these:
Optional functionality:
Command line interface:
Installation instructions are:
The packages should auto-run db:migrate if /etc/foreman/database.yml exists. So the initial db:migrate is only needed during first install, upgrades should just work.
Installing the latest development code: Foreman has now moved to using Rails 3 and Bundler to get up and running. This is the preferred way to get Foreman if you want to benefit from the latest improvements. By using the git repository you can also upgrade more easily. You will need to have Bundler installed manually for now (check your distribution repositories, or install it via rubygems).
Foreman will run with the following requirements (aside from rubygem dependencies):
The installation has been successfully tested on RHEL[5,6], Fedora[13,14,15,16,17], Debian Linux 6.0 (Squeeze) and Ubuntu Linux 12.04 (the community has reported varying success with other Debian/Ubuntu versions - 12.10 seems fine for example). For older operating systems you might need additional packages (e.g. sqlite). It is also known to work on Solaris and Mac.
to get latest “development” version do:
You will want to make sure that you have one of the mysql-devel, postgresql-devel, and sqlite-devel libraries installed so the database gems can install properly. Also, you would also need gcc, ruby-devel, libxml-devel, libxslt-devel, and libvirt-devel packages
For RHEL6 or clones, you can issue the following commands to install all required packages:
yum groupinstall "Development Tools" "Development Libraries"
yum -y install gcc-c++ git ruby ruby-devel rubygems \
libvirt-devel mysql-devel postgresql-devel openssl-devel \
libxml2-devel sqlite-devel libxslt-devel zlib-devel \
readline-devel
Additionally, it is important that config/database.yml
is set to use
the correct database in the “production” block. Rails (and subsequently
Foreman) will use these connection settings under “production” to manage
the database it uses and setup the necessary schema.
You can run Foreman with the command ”./script/rails s -e production”
foreman-rake <task>
to run rake tasks, however when installed from source, replace this with bundle exec rake <task> RAILS_ENV=production
to get latest “stable” version do:
To install hammer from git checkouts, you will just need rake
installed on your system.
Clone and install CLI core
and clone plugin with foreman commands
You can install other hammer plugins via any of the methods mentioned above.
The following sections detail the configuration steps required to get Foreman working in your environment. Lets get started!
Foreman configuration is managed from two places; a configuration file config/settings.yaml and from the SETTINGS/Foreman Settings page. A full description of the configuration options is given at foreman_configuration
Foreman requires a database of its own to operate - database sharing is unsupported. By default, the installer uses PostgreSQL, while a package or source installation will use SQLite. If you want to use other database (e.g. MySQL) please modify the configuration file under config/database.yml.
In all cases, please use the production settings.
to initialize the database schema type:
foreman-rake db:migrate
For more information please see the database configuration page here
At this point, you might want to go through the [[FAQ]] to see how can you import your data into Foreman.
if you installed via rpm, just start the foreman service, or start the builtin web server by typing:
RAILS_ENV=production rails server
and point your browser to http://foreman:3000
If you would like to keep the server running, its recommend to setup passenger or use the RPM. Example usage with passenger can be found on GitHub.
Read Puppet_Reports to learn how to get your nodes to report to Foreman.
Configuration is broken into two parts. The config/settings.yaml file and the SETTINGS/Foreman Settings page. The configuration file contains a few low-level options that need to be set before Foreman starts but the majority of Foreman customization is managed from within the program on the Foreman Settings page.
The first non-comment line of this file must be three dashes.
---
This boolean option configures whether Foreman requires users to to login. If it is set then each user will be expected to authenticate themselves and all operations will occur, and be audited, under their identity. When this option is false then all activity will be executed under the admin account.
:login: true
This boolean option configures whether Foreman insists on using only https/ssl encrypted communication channels in the web interface. This does not configure the channels used to contact the smart-proxies. Note that certain operations will still accept a http connection even if this is set, for example, the downloading of a finish script.
:require_ssl: true
This boolean option configures whether Foreman will act as a simple node classifier for puppet, or support the full spectrum of operations required for managing a host’s lifecycle. When set to true then foreman will provide full host building facilities for various operating systems.
:unattended: true
When Foreman needs to mail the administrator then this is the email address that it will contact.
Default: root@
When Foreman receives a fact upload from a machine that it has not previously come across it will create a host in its database. If the facts from that host did not contain information about the puppet environment then it will assign the default_puppet_environment environment to this host. Default: production
A Smart-variable’s match criteria are evaluated in a specific order and if this search order is not provided then Default_variables_Lookup_Path is used. Default: [“fqdn”, “hostgroup”, “os”, “domain”]
The return address applied to outgoing emails. Default: Foreman-noreply@<your domain>
Whether Smart-variables should be included in the yaml node information provided to puppet. Default: true
The number of entries that will be shown in the web interface for list operations. Default: 20
If this option is set to true then an email will be sent to the host’s owner whenever a report is received that contains errors. If the host is not owned or Foreman is not configured to use logins then send the email to the administrator. Default: false
Emails may contain embedded references to Foreman’s web interface. This option allows the hostname component of the URL to be configured.
Default: foreman.
If this option is set to true then Foreman will not update a host’s IP and MAC with the values that it receives in a host’s facts and it will also include Foreman’s values for IP and MAC to puppet in its node information. Default: false
If this option is set to true then Foreman will manage a host’s Puppet certificate signing. If it is set to false then some external mechanism is required to ensure that the host’s certificate request is signed. Default: true
When enabled, Foreman will generate UUIDs for each host instead of using the hostname as the Puppet certname, which is more reliable with changing hostnames. Note that when disabling this setting, existing stored certnames won’t be changed or discarded until new certificates are requested from a host (i.e. on a rebuild), in order that the existing certificate remains known to Foreman and can be revoked.
This it the modulepath that foreman uses when processing puppet modules. It is usually able to determine this itself at runtime but if it is not able to find a value then modulepath is used. Default: /etc/puppet/modules
This is the number of minutes between each run of puppet. Default: 30
The default puppet server hostname. For larger organizations this is often a non fqdn so that a name like puppet can be a different host within each DNS domain. Default: puppet
Path to directory containing puppet.conf. Default: /etc/puppet
If this option is set to true then Foreman will be able to trigger a puppet run on any host that it manages. Default: false
If a root password is not provided whilst configuring a host then this encrypted password is used when building the machine. The plain text password “123123” has been encrypted to produce the default value. Default: xybxa6JUkz63w (To generate a new one you should use: openssl passwd -1 “your_password” )
The default templating system used within Foreman allows unlimited interpolated variables and expressions. This could obviously be abused so a evaluation environment is provided that restricts the template variables and expressions to a whitelist. When this option is true then only known helper methods and instance variables will be available in template expansion. Default: true
The SSL Certificate Authority file that Foreman will use when connecting to its smart-proxies. Default: The CA file used by puppet
The SSL certificate that Foreman will use when connecting to its smart-proxies. Default: The host certificate used by puppet
The SSL private key file that Foreman will use when connecting to its smart-proxies. Default: The private key file used by puppet
If Foreman receives an environment fact from one of its hosts and if this option is true, it will update the host’s environment with the new value. By default this is not the case as Foreman should manage the host’s environment. Default: false
Must be false, a shared storeconfigs database (which this setting refers to) is now unsupported.
Foreman is a rails application. Therefore, anything that is supported under RAILS (sqlite, mysql, postgresql, …) can be used. See 3.3 Install From Packages for a list of packages for connecting foreman to the databse of your choice. At this time, Oracle DB is known to not work. Patches are welcome!
The database configuration file can be found at:
/etc/foreman/database.yml
By default, the database will be created in the db subdirectory.
Edit your config/database.yml and modify:
If you use foreman 1.0 with foreman-mysql2 use ‘adapter: mysql2’ instead
Afterwards you would need to re-populate your database, simply execute extras/dbmigrate script.
Edit your config/database.yml and modify:
We have a rake task for this. First setup your database.yml to have the sqlite db as production and the mysql/psql db as dev:
Now migrate both dbs so they’re consistent:
Now move the data to the new db
(On RPM distros, remove “bundle exec” from the start of these commands.)
Once you’ve migrated to your new database using prod2dev, you should update your database.yml file to point your ‘production’ environment at the new database. You should also update the ‘development’ environment to point to an alternative location (for example, at SQLite) to ensure you don’t accidentally overwrite your production database.
Firstly, the default installer setup doesn’t give superuser privileges to the ‘foreman’ user, which then prevents the prod2dev script from temporarily disabling foreign keys. You’ll need to do
before the prod2dev call, and
after it.
Secondly, the psql sequence numbers will be wrong after the prod2dev execution. You can fix them like this:
(big thanks to Fixing Sequences for the fix)
Foreman uses a custom puppet reports address (similar to tagmail or store) which Puppet will use to upload it’s report into Foreman. This enables you to see the reports through the web interface as soon as the client finishes its run.
Ensure that the puppet clients has the following option in their puppet.conf:
report = true
Without it, no reports will be sent.
reports=log, foreman
and restart your puppetmaster
You should start seeing reports coming in under the reports link.
You will probably want to delete your reports after some time to limit database growth. To do so, you can set a cronjob:
Available conditions:
Example:
foreman-rake reports:expire days=7
foreman-rake reports:expire days=1 status=0
Foreman can act as a classifier to Puppet through the External Nodes interface. This is a mechanism provided by Puppet to ask for configuration data from an external service, via a script on the puppetmaster.
The external nodes script we supply also deals with uploading facts from hosts to Foreman, so we will discuss the two things together.
Restart the puppetmaster. When the next agent checks in, the puppetmaster will upload fact data for this host to Foreman, and download the ENC data.
No agent configuration is necessary to use this functionality.
Make sure that the puppet user can execute the ENC script and it works:
sudo -u puppet /etc/puppet/node.rb [the name of a node, eg agent.local]
should output something like:
parameters:
puppetmaster: puppet
foreman_env: &id001 production
classes:
helloworld:
environment: *id001
This output should match the information displayed when you click on the YAML button on the Host page in Foreman.
For further information see the Puppet Labs docs on external nodes
Foreman passes all assoicated parameters, classes,and class parameters, to the Host, including those inherited from host groups, domains, or global settings. See section Managing Puppet for more information on assigning configuration to hosts.
There are several options for pushing fact data to Foreman if you are using Foreman for reporting/inventory only.
The ENC script (node.rb) accepts an option to run in ‘batch-mode’. In this mode, the script iterates over the cached fact data stored on the puppet master, and uploads all of it to Foreman.
Download and configure the node.rb script as above, and then call it like this:
sudo -u puppet /etc/puppet/node.rb --push-facts
As of Foreman 1.3, the fact-upload API endpoint accepts data in pure JSON. You can push data to Foreman as a hash containing:
{
"name": "fqdn-of-host.domain.com",
"certname": "optional-certname-of-host.domain.com",
"facts": {
"fact1": "string",
"fact2": "true",
"fact3": "1.2.3.4",
...
}
}
The ‘certname’ is optional but will be used to location the Host in Foreman if supplied. The ‘facts’ hash must be a flat hash, not nested with other arrays or hashes. See link-to-API-when-its-updated-here for more details.
This body can be POSTed to ‘/api/hosts/facts’ using Foreman API v2. See the node.rb template for an example of constructing and sending data in Ruby.
The Command Line Interface is based on the hammer framework. The foreman-related commands are defined in plugin hammer_cli_foreman
Configuration is set based on the following files, loaded in this order:
/etc/foreman/cli_config.yml
.~/.foreman/cli_config.yml
./config/cli_config.yml
(config dir in CWD)-c CONF_FILE_PATH
Later files have precedence if they redefines the same option.
Hammer uses yaml formatting for its configuration. The config file template is contained in the hammer_cli gem
gem contents hammer_cli|grep cli_config.template.yml
and can be copied to one of the locations above and changed as needed. The packaged version of hammer copies the template to /etc for you.
Plugins are disabled by default. You have to edit the config file and enable them manually under modules
option, as can be seen in the sample config below.
Plugin specific configuration should be nested under plugin’s name.
:log_dir: <path>
- directory where the logs are stored. The default is /var/log/foreman/
and the log file is named hammer.log
:log_level: <level>
- logging level. One of debug
, info
, warning
, error
, fatal
:log_owner: <owner>
- logfile owner:log_group: <group>
- logfile group:log_size: 1048576
- size in bytes, when exceeded the log rotates. Default is 1MB:watch_plain: false
- turn on/off syntax highlighting of data being logged in debug modeBefore updating to 1.3, make sure you have successfully upgraded to 1.2 first.
Upgrading across more than one version is not supported, so it’s required to upgrade to each intermediate version and follow all upgrade instructions for the previous versions.
Please check the upgrade notes for this release, as there may be things to be aware of or additional steps:
It is recommended that you backup your database and modifications to Foreman files(config/settings.yaml, unattended installations etc). Most upgrades are safe but it never hurts to have a backup just in case.
For more information about how to backup your instance head over to Backup
Before proceeding, it is necessary to shutdown the Foreman instance.
Now it’s time to perform the actual upgrade. This process if different depending on how you downloaded Foreman. You only need to perform one of the following options.
Important note: Foreign keys on the SQL database level were introduced in the Foreman 1.3. During migration, all orphaned records are deleted automatically. It is strongly recommended to backup database prior proceeding with upgrade.
To upgrade an existing Foreman 1.2 installation, first update with the appropriate foreman-release package from the above list of release packages, e.g. for RHEL6
yum upgrade http://yum.theforeman.org/releases/1.3/el6/x86_64/foreman-release.rpm
cat /etc/yum.repos.d/foreman.repo.rpmnew > /etc/yum.repos.d/foreman.repo
Next upgrade all Foreman packages:
yum upgrade ruby\* foreman\*
If you wish to install the SELinux policy, also install the foreman-selinux package.
If Foreman doesn’t load due to a Passenger error (particularly referencing bundler_ext), verify the configuration against the description in the Software Collections section below.
You can skip to Step 3.
Upgrading from 1.2 to 1.3 has been tested on both Debian and Ubuntu. Updating the packages will upgrade the application and automatically migrate the database.
apt-get update apt-get dist-upgrade
You can skip to Step 3.
config/database.yml
into the new config
directory.VERY IMPORTANT: do NOT overwrite config/settings.yml
with the old one.
Please note now that the development branch has moved to Rails 3, you MUST take care to select a branch and make sure you get the correct one.
For staying on the stable branch:
The following step is the one that could change the contents of your database. Go to your new Foreman directory (or the git dir), then migrate your database:
foreman-rake db:migrate
You should compile i18n strings and precompile assets now:
foreman-rake locale:pack
foreman-rake assets:precompile
Database should be migrated already, but you can make sure by executing the migration script again, it should produce no errors or output:
foreman-rake db:migrate
You should clear the cache and the existing sessions:
foreman-rake tmp:cache:clear
foreman-rake tmp:sessions:clear
Restart the application server (e.g. mongrel, thin, passenger)
See Troubleshooting
This section covers general information on using Foreman to manage your infrastructure. It covers the features of the web interface, managing puppet, provisioning systems and the installation and configuration of Foreman Smart Proxies.
Foreman natively supports LDAP authentication using one or multiple LDAP directories.
Enable LDAP and User/Group settings menus
Edit your config/setting.yml
:login: true
and restart Foreman
Go to More > Users > LDAP Authentication
Click on New LDAP Source and enter the following
By checking On-the-fly user creation, any LDAP user will have his Foreman account automatically created the first time he logs into Foreman. For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their Foreman accounts.
Name = My Directory Host = host.domain.org Port = 636 TLS = yes Onthefly register = yes Account = MyDomain\$login Password = (leave blank) Base DN = CN=users,DC=host,DC=domain,DC=org attr login = sAMAccountName attr firstname = givenName attr lastname = sN mail = mail
Name = My Directory Host = host.domain.org Port = 389 TLS = no Onthefly register = yes Account = (leave blank if anonymous access is enabled) Password = (leave blank) Base DN = ou=Users,dc=domain,dc=co,dc=il attr login = uid attr firstname = givenName attr lastname = sn mail = mail
Note that LDAP attribute names are case sensitive.
If you want to use on-the-fly user creation, make sure that Foreman can fetch from your LDAP all the required information to create a valid user. For example, on-the-fly user creation won’t work if you don’t have valid email addresses in your directory (you will get an ‘Invalid username/password’ error message when trying to log in).
A user’s access to the features of Foreman are constrained by the roles and permissions that they are granted. These permissions are also used to restrict the set of hosts, host groups and domains that a user is able to access and modify.
Note: a user with global admin enabled is not restricted by the authorization system. This is the default for installations that do not have :login:true in config/settings.yml.
A logged in user will be granted the Anonymous role plus one or more additional roles. The permissions associated with these roles are aggregated and determine the final permission set.
Roles may be administered only by a user with global admin privileges.
These may be created, deleted and edited on the Roles page. Each role will be associates with one or more base privileges.
There are two builtin system roles
These determine the operations that are allowed to be performed upon the items to which they refer. For simple items, like an architecture, this operates as expected but for more complex items, such as, the hosts a user is able to operate on, there is an additional layer of security called filtering.
When editing a user account there is a section at the bottom that narrows the scope of the permissions granted to a subset of the hosts, domains and host groups. See filtering below.
Permission | Description |
---|---|
Permissions for Architectures, Authentication providers, environments, External variables, Common parameters, Medias, Models, Operating systems, Partition tables, Puppet classes and User groups | |
view | The user is allowed to see this type of object when listing them on the index page |
create | The user is allowed to create this type of object |
edit | The user is allowed to edit this type of object |
destroy | The user is allowed to destroy this type of object |
Permissions for Domains | |
view | The user is allowed to see a list of domains when viewing the index page |
create | The user is allowed to create a new domain and will also be able to create domain parameters |
edit | The user is allowed to edit a domain and will also be able to edit a domain's parameters. If they have domain filtering active in their profile then only these domains will be editable |
destroy | The user is allowed to destroy a domain and will also be able to destroy domain parameters. If they have domain filtering active in their profile then only these domains will be deletable |
Permissions for Host groups | |
view | The user is allowed to see a list of host groups when viewing the index page |
create | The user is allowed to create a new host group and will also be able to create host group parameters |
edit | The user is allowed to edit a host group and will also be able to edit a host group's parameters. If they have host group filtering active in their profile then only these host groups will be editable |
destroy | The user is allowed to destroy a host group and will also be able to destroy host group parameters. If they have host group filtering active in their profile then only these host groups will be deletable |
Permissions for Hosts | |
view | The user is allowed to see a list of hosts when viewing the index page. This list may be constrained by the user's host filters |
create | The user is allowed to create a new host. This operation may be constrained by the user's host filters |
edit | The user is allowed to edit a host. This operation may be constrained by the user's host filters |
destroy | The user is allowed to destroy a host. This operation may be constrained by the user's host filters |
Permissions for Users | |
view | The user is allowed to see a list of users when viewing the index page. A user will always be able to see their own account even if they do not have this permission |
create | The user is allowed to create a new user |
edit | The user is allowed to edit existing users. A user will always be able to edit their own basic account settings and password |
destroy | The user is allowed to delete users from the system |
If the filtering section at the bottom of the user’s profile page has no content then the permissions that the user has been granted will apply to all hosts within the system.
However, if the filtering section is in use then the permissions will apply only to those items selected in the filters and the user will have no access to anything not selected by the filters.
This is primarily a mechanism for restricting access to hosts. However if one or more domains or host groups are selected then this also restricts where parameters can be created, edited and deleted.
Filtering operates by generating a list of hosts on which actions can be performed. The list may be built out of four components
Ownership: The hosts that a user owns directly or hosts that are owned by a user group of which the user is a member.
Domain membership: The hosts that exist within one or more indicated domains.
Compute resource membership: The hosts that are deployed on one or more compute resources.
Host group membership: The hosts that are defined as being of one or more host group types.
Fact filtering: These restrict the hosts to those machines that have this fact associated with them. As a fact is only generated during a puppet run, this filter will only refer to machines that have been built and therefore cannot be used to restrict the creation of machines.
These four pools of hosts can be combined by adding them together or the filters can be used to restrict the selected hosts to a smaller and smaller subset of the total. Think of it as set operations.
Note: If the “Administrator” check box is checked for a user, filtering will not take effect.
A user’s filter section has the select checkbox unticked, indicating that the user’s owned hosts are not included in the final set of hosts, (unless they are selected some other way.)
The domain selection is prefixed with plus all and the two domains a.com and b.com are ticked. This implies that the hosts selected are the user’s hosts, (of which there are none,) plus all the hosts in a.com and b.com.
The host group section is prefixed by must be and the hostgroup web server is selected. This implies that the hosts selected are the user’s hosts, (of which there are none,) plus all the hosts in a.com and b.com but they must be of type web server.
The fact filter section is prefixed by must match and there are two filters virtual = vmware and architecture = i386. This implies that the hosts selected are the user’s hosts, (of which there are none,) plus all the hosts in a.com and b.com but they must be of type web server and must match an i386 vmware host.
In any of these sections above, if the prefix had been plus all then every host in the system that matched the selections would have been added to the final host list, (though possibly removed by a later filter.)
Trends in Foreman allow you to track changes in your infrastructure over time. It allows you to track both Foreman related information and any puppet facts. The Trend pages give a graph of how the number of hosts with that value have changed over time, and the current hosts list.
There are two pieces to the Trends area, the Trends to track and their corresponding counters. To define trend counters, use the “Add Trend Counter” button on the ‘/trends’ page. Optionally set the “Name” field to over-ride odd puppet fact names to be more readable. Once created you can optionally ‘Edit’ the Trend to change the display names of the underlying values.
Next, to start collecting trend data, set a cron job to execute ‘foreman-rake trends:counter’. Each time the rake task executes it will create 1 tick on the graphs, so you can fine tune the granularity with your cron job. We recommend using the same as your puppet run interval (30 minutes). Here’s an example to run once per hour:
Finally note that these trends are the same for all users. So if you delete a Trend category you will loose all history for that trend and the trackers will start all over again. So please be careful when deleting.
Foreman supports auditing of almost all changes that happen within Foreman, from both the UI and from the API. Auditing is done at a user level, and is thus ineffective if :login: is set to false, as all audits will be done as the ‘admin’ user.
Got to the Audit tab to see a view of what has changed. This view can be filtered by the type of change or by the object that was altered (e.g. search for a hostname to see all changes relating to that host). You also get the parent object - so if a parameter was modified, you can see what host/group that parameter belongs to. The timestamp of the change and the user who performed it will be listed.
Template changes also store a diff of the changes, and the ability to roll back to a previous version of the template.
In this section we’ll look at the various ways we can control and interact with Puppet.
Puppet environments are mapped directly into Foreman. They can be used at various levels throughout the Foreman interface. Puppet environments are generally used to separate classes from different types of Host, typically allowing changes to a module to tested in one environment (e.g. development) before being pushed to another (e.g production).
There are several ways to create Puppet environments within Foreman.
To create an environment by hand, simply go to More > Configuration > Environments and click New Environment. Give the new environment a name and save.
Foreman can detect all the environments and classes contained on a PuppetMaster, and import them automatically. To do this, go to More > Configuration > Environments and click on *Import from
This is done from the Host Edit page, on the Host tab. Selecting an environment will filter the classes visible on the Puppet Classes tab to just the classes in the selected environment.
You can also also mass-assign an environment to a group of hosts - tick the checkboxes of the required Hosts in the Hosts index, and then select Change Environment from the buttons at top of the page.
You can assign an environment to a hostgroup as well. This functions as a form of default - a user creating a new host and selecting the hostgroup will automatically have the environment pre-selected. The user is not prevented from changing the environment of the new host, it simply saves a few clicks if they are happy with it.
Puppet classes are generally imported from the Puppet Master(s) via the Import button on the Puppet Classes page. They can also be created by hand, and manually associated with a set of environments (for filtering purposes).
Go to More > Configuration > Puppet Classes and click the Import button. This will not be visible unless you have at least one Puppet Master with a puppet-enabled Smart Proxy
Under More > Configuration > Puppet Classes you will also see a column called “Hosts”. This column represents the number of hosts the given module/class has been assigned to. Clicking this figure will list the hosts.
This column currently suffers from a known bug. This bug means this count excludes host groups from final figure.
It’s often to have a module structure like this:
In this situation, Foreman would offer to create:
However, if we know that the subclasses are not intended for direct consumption, but are only really part of the internal structure of the module, then we would want to exclude those from the import mechanism, so that Foreman only offers to import git. We can achieve this via the file config/ignored_environments.yml. This file takes a set of regular expressions - any class which matches one of them will not be imported. So, for this example, we might configure:
To cause Puppet to apply your classes, you will need to assign them to your Hosts. This can be done at either an individual host level, or at a group level. The process is the same; edit the Host(group), select an Environment, and then go to the Puppet Classes tab and select what classes you want in this Host(Group).
To see how Foreman is passing the classes to Puppet, go to a Host and click the YAML button. You will be shown the exact YAML data sent to the PuppetMaster - the classes will be in the “classes” hash.
Foreman’s concept of parameters maps onto Puppet’s idea of default-scope parameters. Foreman allows us to define a hierarchy of parameter inheritance.
These are defined in More > Configuration > Global Parameters and will apply to every host in Foreman.
These are defined for all Hosts in a given domain. Edit the domain from More > Provisioning > Domains and switch to the Parameters tab and specify a parameter. If it has the same name as a Global Parameter, it will override the Global one.
These are defined for all Hosts in the Group. Edit the Hostgroup from More > Configuration > Host Groups and switch to the Parameters tab and specify a parameter. If it has the same name as a Global or Domain Parameter, it will override it.
The final (most-specific) level of Parameters applies only to a single Host. Edit a Host and switch to Parameters, and you will see all it’s inherited parameters from the other three layers (note: they will all be marked as “Scope: Global” as this refers to the Puppet scope, not the Foreman scope). You can override higher-level parameters or define new ones here.
To see how Foreman is passing the parameters to Puppet, go to a Host and click the YAML button. You will be shown the exact YAML data sent to the PuppetMaster -the parameters will be in the “parameters” hash.
Smart variables are a tool to provide data (Key / Value), normally to your puppet ENC, depending on a set of rules. They are intended to be a stepping stone to full parameterized classes.
Smart variable is usually associated with a puppet class, and may have multiple values, all depending on hierarchical context or various conditions a user can wish to apply.
for example:
Start by going to Foreman > More > Puppetclasses and then click one of your classes to edit it.
Click on the Smart Variables tab. If you have any existing Smart Variables, they will be listed at the left side of the tab.
Click New Variable, and you will be presented with a set of input fields:
Name | What the parameter will be called in the ENC data |
Description | A free form text box for your own information |
Default Value | What the ENC will use if no other criteria is matched |
Type Validator | A combo-box of data types. The type applies to the next field, the validator |
Validator Constraint | Used to enforce certain values for the Smart Variable. See below for examples |
Order | A list of variables which Foreman will search (in order) for the validator |
Once you’ve created the defaults for your Smart variable, you then need to add at least one criterion to match against - click the “plus” under your variable, and two more input fields will appear:
Match | Should state a name = value relationship that Foreman use to match against the entries in searchlist |
Value | What the parameter should be in the ENC, if this rule is matched |
The fourth and fifth fields in the Smart Variable combine to produce a validation criteria for the final value of the Smart Variable.
At present, the string type cannot be validated - leave the validator field blank, and all strings in the variable will be considered acceptable
By entering a list (comma-separated, no spaces) or a regex (no delimiter required), the value to be assigned to the Smart Variable will be checked against this list. If the value does not match the validator, and error will be raised.
All the ordering information is stored in the sixth field of the Smart Variable (order). The order matters and is used to find the first match.
All our hosts use server.foo for something, except bob.domain.com which uses server2.bar:
Name | target |
Description | The target server to talk to |
Default Value | server.foo |
Type Validator | string |
Validator Constraint | |
Order | fqdn hostgroup os domain |
Match | fqdn = bob.domain.com |
Value | server2.bar |
Most hosts need to use a port of 80 but all machines with a fact region and value europe need to use 8080. To do this, you have to add the factname (in this example region) to the searchlist:
Name | port |
Description | The port to use |
Default Value | 80 |
Type Validator | list |
Validator Constraint | 80,443,8080 |
Order | fqdn region hostgroup os domain |
Match | region = europe |
Value | 8080 |
Match | fqdn = foo.domain |
Value | 67 |
Note that all machines will get either 80 or 8080 as required, except foo.domain which will generate an error, since 67 is not in the list validator. Note also that foo.domain will match before region, since it is higher in the searchlist. The rule ordering does not matter.
It is also possible to mix conditions, e.g.
Name | port |
Description | The port to use |
Default Value | 80 |
Type Validator | list |
Validator Constraint | 80,443,8080 |
Order | fqdn region, hostgroup, environment hostgroup environment domain |
Match | fqdn = foo.domain |
Value | 67 |
Match | region = europe, hostgroup = "web servers", environment = production |
Value | 8080 |
It’s also possible to retrieve these values if you’re not using a ENC, via a custom Puppet function or a http request.. You’ll need to retrieve the value from
https://foreman/hosts/<fqdn>/lookup_keys/<key>
You can find a ready-made function for your puppet module here
Parameterized Class Support (PCS) permits detecting, importing, and supplying parameters direct to classes which support it, via the ENC.
Firstly, you’ll need to enable the PCS support. Go to More > Settings, select the Puppet tab, and ensure Parameterized_Classes_in_ENC is set to true.
Now you’ll need to import some parameterized classes from your puppet master. If you don’t have any parameterized classes in your modules dir, the foreman-installer has several, you can download a few modules from the Puppet Forge. Once you have some parameterized modules, import your classes (see 4.2.2 Classes)
This example will work with the foreman class from the installer. Click on the class, and you should get a page with 3 tabs, like so:
The middle tab, “Smart Class Parameter”, is the important one. Click onto that, and you should see something like this:
On the left, we have a list of possible parameters that the class supports. On the right, we have the configuration options for the parameter selected.
Lets configure the foreman class to change the user the foreman processes run as. Select the user parameter, at the end of the list. Now lets go through the options:
Ok, so let’s configure our user parameter. We want to tick Override, set type to “String” and set the default value to “foreman”, like so:
We’ve configured the default, but that’s not very useful. We need to be able to override the default for hosts or groups of hosts. To do that we need the “Override Value For Specific Hosts” section at the bottom of the page.
Let’s say that any machine in the “development” puppet environment should use a value of “foremandev” instead of “foreman” for the “user” parameter. Add “environment” to the end of the matchers list, then click the “New Matcher-Value” button, and fill it out like this:
This is a basic configuration - for more complex examples of using matchers, see the 4.2.4 Smart Variables page.
Here’s an example of adding an array parameter. Note the use of YAML in the editbox:
This will be converted to the normal [“a”,”b”] syntax when you save. You can also use Hashes, YAML or JSON as data types too.
Because Foreman offers templating capabilities, you can utilise pre-existing variables, macros and or functions within your parameterized classes. This is especially useful if you need to send a string to Puppet/Chef, but have a need to embed host specific information within the string, such as the host’s FQDN.
Let’s look a quick example situation: we need to configure RabbitMQ and have it use our existing Puppet SSL certs. Using what we’ve learnt above, we jump into the RabbitMQ class and configure the “ssl cert” parameter as such:
As you can see we’re utilising a template variable within the parameter’s string just like we would in a normal template file. The important part of this string, as we’re sure you’ve gathered, is the “@host.name” element. This pulls the FQDN from Foreman’s facts and inserts it into the string.
More information regarding templates can be found on the wiki. This page also contains the pre-existing functions and macros you can use in your templates and parameter classes.
If Foreman manages the value of a class parameter (“override = true”), it’s also possible to update a host-specific override from the host itself. That way you don’t have to grant access to the Puppet Classes page to everyone. From a Host, click Edit, go to the Parameters tab, and you’ll see the variable, the class-scope, and the current value. You can then override the value for that host:
If you go back and look at the Puppet class, you’ll see Foreman has added a matcher for that host:
Currently this only works for Hosts, not Hostgroups. For more complex logic, like matching on facts, use the Puppet Class page
The “Optional Input Validator” section can be used to restrict the allowed values for the parameter. This functions in the same way as for Smart Variables, but it is important to note that the validation applies to changes made from the Host edit page as well as the Puppet Classes edit page.
For example, to restrict the “user” field to either “foreman” or “foremandev”, tick the Required checkbox, and then set:
The Smart Proxy is a project which provides a restful API to various sub-systems.
Its goal is to provide an API for a higher level orchestration tools (such as Foreman). The Smart proxy provides an easy way to add or extended existing subsystems and API’s.
Currently supported (Click on the links below for more details).
If you require another sub system type or implementation, Please add a new feature request.
After you got it running, You would need to configure each one of the sub systems via the settings.yml file in the config directory.
A smart proxy is an autonomous web-based foreman component that is placed on a host performing a specific function in the host commissioning phase. It receives requests from Foreman to perform operations that are required during the commissioning process and executes them on its behalf. More details can be found on the Foreman Architecture page.
To fully manage the commissioning process then a smart proxy will have to manipulate these services, DHCP, DNS, Puppet CA, Puppet and TFTP. These services may exist on separate machines or several of them may be hosted on the same machine. As each smart proxy instance is capable of managing all the of these services, there is only need for one proxy per host. In the special case of a smart proxy managing a windows DHCP server, the host machine must be running Windows and support the netsh dhcp utility, it does not need to be the Microsoft DHCP server itself.
RPM and Debian packages are available, see the Install from Packages section for configuration and install the foreman-proxy
package.
You can get the latest stable code from GitHub (via git).
git clone git://github.com/theforeman/smart-proxy.git
Usually can be found at /etc/foreman-proxy/settings.yml or on the config/settings.yml subdirectory. You can use the settings.yml.example file inside the config directory as a template for your own settings.yml.
If you don’t plan to use one of the subsystems, please disable them in this configuration file. For more information see Smartproxy Configuration
bin/smart-proxy.rb
Or if you installed it via a package simply start the foreman-proxy service.
For example:
Name: Puppet-Proxy URL: http://puppet.your-domain.com:8443
The configuration for Smart-Proxy is held in the /etc/foreman-proxy/settings.yml or config/settings.yml file.
The first non-comment line of this file must be three dashes.
---
The existence of all the three ssl key entries below enables the use of an SSL connections.
NOTE that both client certificates need to be signed by the same CA, which must be in the ssl_ca_file, in order for this to work see SSL for more information
:ssl_certificate: ssl/certs/fqdn.pem :ssl_ca_file: ssl/certs/ca.pem :ssl_private_key: ssl/private_keys/fqdn.key
This is the list of hosts from which the smart proxy will accept connections. If this list is empty then every verified SSL connection is allowed to access the API.
:trusted_hosts: - foreman.prod.domain - foreman.dev.domain
If this entry is present and not false then Smart-Proxy will attempt to disconnect itself from the controlling terminal and daemonize itself.
:daemon: true
The port listened to by the proxy. If this is not present then the default Sinatra port of 4567 is used.
:port: 8443
Activate the TFTP management module within the Smart-Proxy instance.
The tftproot value is directory into which tftp files are copied and then served from. The tftp daemon will also be expected to chroot to this location. This component is only supported in the Unix environment
:tftp: true :tftproot: /var/lib/tftpboot :tftp_servername: name of your tftp server (used for next server value in your dhcp reservation) - defaults to the host name of your proxy.
NOTE: the foreman proxy user must have read/write access to the tftpboot/pxelinux.cfg and tftpboot/boot directories.
Activate the DNS management module within the Smart-Proxy instance.
The DNS module can manipulate any DNS server that complies with the ISC Dynamic DNS Update standard and can therefore be used to manage both Microsoft and Bind servers. Updates can also be done using GSS-TSIG, see the documentation.
The dns_key specifies a file containing a shared secret used to generate a signature for the update request (TSIG record). This option should not be used if you plan to use Kerberos/GSS-TSIG (for example for DNS servers shipped with FreeIPA or Microsoft AD).
If neither the dns_key or GSS-TSIG is used then the update request is sent without any signature. Unsigned update requests are considered insecure. Some DNS servers can be configured to accept only signed signatures.
The dns_server option is used if the Smart-Proxy is not located on the same physical host as the DNS server. If it is not specified then localhost is presumed.
:dns: true :dns_key: /home/proxy/keys/Kapi.+157+47848.private :dns_server: dnsserver.site.domain.com
NOTE: if you use a key, make sure that the foreman proxy account can read that file.
Activate the DHCP management module within the Smart-Proxy instance.
:dhcp: true
If the DHCP server is ISC compliant then set dhcp_vendor to isc. In this case Smart-Proxy must run on the same host as the DHCP server. If the proxy is managing a Microsoft DHCP server then set dhcp_vendor to native_ms. Smart-Proxy must then be run on an NT server so as to access the Microsoft native tools, though it does not have to be the same machine as the DHCP server. More details can be found at [[Foreman:Foreman Architecture]].
:dhcp_vendor: isc
The DHCP component needs access to the DHCP configuration file as well as the currently allocated leases. The section below shows these values for a RedHat client. In the case of a Smart-Proxy hosted on an Ubuntu machine then these values would be more appropriate: /etc/dhcp3/dhcpd.conf and /var/lib/dhcp3/dhcpd.leases
:dhcp_config: etc/dhcpd.conf :dhcp_leases: etc/dhcpd.leases
NOTE: Make sure that the foreman proxy account can read both ISC configuration files.
If your native_ms implementation is slow then you can request that the smart proxy only operate on a subset of the subnets managed by the dhcp server.
:dhcp_subnets: [192.168.1.0/255.255.255.0, 192.168.11.0/255.255.255.0]
If you secured your DHCP with an “omapi_key”, add the entries:
:dhcp_key_name: omapi_key :dhcp_key_secret: XXXXXXXX
Activate the Puppet CA management module within the Smart-Proxy instance.
This should only be enabled in the Smart-Proxy that is hosted on the machine responsible for providing certificates to your puppet clients. You would expect to see a directory /var/lib/puppet/ssl/ca on such a host.
:puppetca: true
If your puppet SSL directory is located elsewhere, you’ll need to set ‘ssldir’ as well.
:ssldir: /etc/puppet/ssl
:puppetdir: /etc/puppet
The proxy requires write access to the puppet autosign.conf file, which is usually owner and group puppet, and has mode 0644 according to the puppet defaults.
Ensure the foreman-proxy user is added to the puppet group ( e.g. gpasswd -a foreman-proxy puppet
or usermod -aG puppet foreman-proxy
)
puppet.conf:
[master] autosign = $confdir/autosign.conf {owner = service, group = service, mode = 664 }
Sudo access to the proxy is required - in your sudoers file ensure you have the following lines:
For older puppet (pre-3.0) with separate sub-commands available:
foreman-proxy ALL = NOPASSWD: /usr/sbin/puppetca * Defaults:foreman-proxy !requiretty
For newer monolithic puppet without separate commands (3.0-onwards)
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert * Defaults:foreman-proxy !requiretty
Activate the puppet management module within the Smart-Proxy instance.
This should only be enabled in the Smart-Proxy that is hosted on the machine capable of executing puppetrun. This will be a puppetmaster. This can also be set to true if you need to import puppet classes from the puppetmaster. Without this the import will not be possible
:puppet: true
:puppet_conf: /etc/puppet/puppet.conf # Defaults to %INSTALL_DIR%/.puppet/puppet.conf
Sudo access for the proxy is required - in your sudoers file ensure you have the following lines (use /opt/puppet/bin/puppet for Puppet Enterprise):
Defaults:foreman-proxy !requiretty foreman-proxy ALL = NOPASSWD: /usr/sbin/puppetrun
If you are using Puppet 3.0 or higher, the puppetrun binary has been removed and so the Smart Proxy will use puppet kick
. The sudoers entry should be:
Defaults:foreman-proxy !requiretty foreman-proxy ALL = NOPASSWD: /usr/bin/puppet kick *
The proxy can trigger Puppet runs using the MCollective “puppet” agent. To enable this, add this line to settings.yml:
:puppet_provider: mcollective
And then add a sudoers rule:
Defaults:foreman-proxy !requiretty
foreman-proxy ALL = NOPASSWD: /usr/bin/mco puppet runonce *
The proxy’s output is captured to the log_file and may be filtered via the usual unix syslog levels:
See Ruby’s Logger class for details.
:log_file: /tmp/proxy.log :log_level: DEBUG
ISC implementation is based on the omapi interface, which means:
omapi-port 7911;
The dhcpd api server will listen to any host. You might need to add a omapi_key to provide basic security.
Example generating a key (on CentOS):
yum install bind97 dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2-
Edit your “/etc/dhcpd.conf”:
omapi-port 7911; key omapi_key { algorithm HMAC-MD5; secret "XXXXXXXXX"; #<-The output from the generated key above. }; omapi-key omapi_key;
Make sure you also add the omapi_key to your proxy’s [[Smart-Proxy:Settingsyml#DHCP-section | settings.yml]] |
If everything works, you could browse your dhcp server data if you goto http://proxy:8443/dhcp
The next step is to set up appropriate Subnets in Foreman from the settings menu.
ddns-update-style interim; ignore client-updates; authoritative; allow booting; allow bootp; omapi-port 7911; #Optional key: key omapi_key { algorithm HMAC-MD5; secret "2wgoV3yukKdKMkmOzOn/hIsM97QgLTT4CLVzg9Zv0sWOSe1yxPxArmr7a/xb5DOJTm5e/9zGgtzL9FKna0NWis=="; } omapi-key omapi_key; subnet 10.1.1.0 netmask 255.255.255.0 { # --- default gateway option routers 10.1.1.254; option subnet-mask 255.255.255.0; option domain-name "domain.com"; option domain-name-servers 10.1.1.1, 8.8.8.8; option log-servers syslog; option ntp-servers ntp; range dynamic-bootp 10.1.1.10 10.1.1.250; default-lease-time 21600; max-lease-time 43200; }
The Microsoft smart-proxy installation procedure is very basic compared to the RPM or APT based solution.
It is required that this procedure is executed as an administrator.
It is not required that the smart-proxy be on the same host as the MS dhcp server. The smart-proxy just needs to be on a windows host that has netsh commands available.
columnize (0.3.2) highline (1.6.1) json (1.4.6 x86-mswin32) linecache (0.43 mswin32) mime-types (1.16) mocha (0.9.11) net-ping (1.3.7) rack (1.2.0) rake (0.8.7) rest-client (1.6.1) sinatra (1.1.0) tilt (1.1) win32-api (1.4.6 x86-mswin32-60) win32-open3 (0.3.2 x86-mswin32-60) win32-service (0.7.1 x86-mswin32-60) windows-api (0.4.0) windows-pr (1.1.2)
Command to download them all:
wget http://rubygems.org/downloads/columnize-0.3.2.gem \ http://rubygems.org/downloads/haml-3.0.24.gem \ http://rubygems.org/downloads/highline-1.6.1.gem \ http://rubygems.org/downloads/json-1.4.6-x86-mswin32.gem \ http://rubygems.org/downloads/linecache-0.43-mswin32.gem \ http://rubygems.org/downloads/mime-types-1.16.gem \ http://rubygems.org/downloads/mocha-0.9.11.gem \ http://rubygems.org/downloads/net-ping-1.3.7.gem \ http://rubygems.org/downloads/rack-1.2.0.gem \ http://rubygems.org/downloads/rake-0.8.7.gem \ http://rubygems.org/downloads/rest-client-1.6.1.gem \ http://rubygems.org/downloads/sinatra-1.1.0.gem \ http://rubygems.org/downloads/tilt-1.1.gem \ http://rubygems.org/downloads/win32-api-1.4.6-x86-mswin32-60.gem \ http://rubygems.org/downloads/win32-open3-0.3.2-x86-mswin32-60.gem \ http://rubygems.org/downloads/win32-service-0.7.1-x86-mswin32-60.gem \ http://rubygems.org/downloads/windows-api-0.4.0.gem \ http://rubygems.org/downloads/windows-pr-1.1.2.gem
To get it to work on Windows 2008 R2 some of the packages has to change
columnize (0.3.2) highline (1.6.1) json (1.4.6 x86-mingw32) linecache (0.43 mswin32) mime-types (1.16) mocha (0.9.11) net-ping (1.3.7) rack (1.2.0) rake (0.8.7) rest-client (1.6.1) sinatra (1.1.0) tilt (1.1) win32-api (1.4.6 x86-mingw32) win32-open3 (0.3.2 x86-mingw32) win32-service (0.7.1 x86-mswin32-60) windows-api (0.4.0) windows-pr (1.1.2)
Easy copy and paste method (platform may be different for you. Please check gem environment to find out.
gem install --version 0.3.2 --platform x86-mingw32 columnize gem install --version 1.6.1 --platform x86-mingw32 highline gem install --version 1.4.6 --platform x86-mingw32 json gem install --version 0.43 --platform x86-mingw32 linecache gem install --version 1.16 --platform x86-mingw32 mime-types gem install --version 0.9.11 --platform x86-mingw32 mocha gem install --version 1.3.7 --platform x86-mingw32 net-ping gem install --version 1.2.0 --platform x86-mingw32 rack gem install --version 0.8.7 --platform x86-mingw32 rake gem install --version 1.6.1 --platform x86-mingw32 rest-client gem install --version 1.1.0 --platform x86-mingw32 sinatra gem install --version 1.1 --platform x86-mingw32 tilt gem install --version 1.4.6 --platform x86-mingw32 win32-api gem install --version 0.3.2 --platform x86-mingw32 win32-open3 gem install --version 0.7.1 --platform x86-mingw32-60 win32-service gem install --version 0.4.0 --platform x86-mingw32 windows-api gem install --version 1.1.2 --platform x86-mingw32 windows-pr
Command to download them all:
wget http://rubygems.org/downloads/columnize-0.3.2.gem \ http://rubygems.org/downloads/haml-3.0.24.gem \ http://rubygems.org/downloads/highline-1.6.1.gem \ http://rubygems.org/downloads/json-1.4.6-x86-mingw32.gem \ http://rubygems.org/downloads/linecache-0.43-mswin32.gem \ http://rubygems.org/downloads/mime-types-1.16.gem \ http://rubygems.org/downloads/mocha-0.9.11.gem \ http://rubygems.org/downloads/net-ping-1.3.7.gem \ http://rubygems.org/downloads/rack-1.2.0.gem \ http://rubygems.org/downloads/rake-0.8.7.gem \ http://rubygems.org/downloads/rest-client-1.6.1.gem \ http://rubygems.org/downloads/sinatra-1.1.0.gem \ http://rubygems.org/downloads/tilt-1.1.gem \ http://rubygems.org/downloads/win32-api-1.4.6-x86-mingw32.gem \ http://rubygems.org/downloads/win32-open3-0.3.2-x86-mingw32.gem \ http://rubygems.org/downloads/win32-service-0.7.1-x86-mswin32-60.gem \ http://rubygems.org/downloads/windows-api-0.4.0.gem \ http://rubygems.org/downloads/windows-pr-1.1.2.gem
8) CD to the root of the smart-proxy install directory
9) Edit config/settings.yml so that it looks a bit like this
Sample config/settings.yml file
--- # HTTPS settings :ssl_certificate: c:\documents\smart-proxy\config\signed.pem :ssl_private_key: c:\documents\smart-proxy\config\private.pem :ssl_ca_file: c:\documents\smart-proxy\config\ca.pem :trusted_hosts: [ foreman.someware.com] :daemon: false # Enable DHCP management :dhcp: true # The vendor can be either isc or native_ms :dhcp_vendor: native_ms # The dhcp_server is only used by the native_ms implementation :dhcp_server: 172.29.90.240 # Where our proxy log files are stored # filename or STDOUT # Unix setting #:log_file: log/proxy.log # Windows setting :log_file: c:\tmp\proxy.log # valid options are # Logger::WARN, Logger::DEBUG, Logger::Error, Logger::Fatal, Logger:INFO, LOGGER::UNKNOWN #:log_level: Logger::DEBUG
10) Create the SSL key
10.1) Login to your puppetmaster
10.2) puppetca –generate Smart-proxy FQDN. (Do not use an alias here.)
10.3) Copy the private key, the public certificate and the ca.pem from /var/lib/puppet/ssl over to the locations that you specified in the setting file.
11) Test the installation by running ruby bin\smart-proxy.rb
12) Install the program as a service
12.1) ruby extra\register-service.rb
12.2) This may install the service but not run it. If so then try to start the service from the Ordinary Microsoft services snapin utility.
13) You may test connectivity by running the extra\query.rb utility from your foreman host. (Note that this file comes from the extra directory in the smart-proxy release.)
Bind configuration manipulation is based on nsupdate, which means that in theory could also be used to manipulate other dns servers which support nsupdate (such as Microsoft DNS server).
In order to communicate securely with your dns server, you would need a key which will be used by nsupdate and your named daemon using ddns-confgen or dnssec-keygen
execute ‘ddns-confgen -k foreman -a hmac-md5’ - this should output something like the following:
# To activate this key, place the following in named.conf, and # in a separate keyfile on the system or systems from which nsupdate # will be run: key "foreman" { algorithm hmac-md5; secret "GGd1oNCxaKsh8HA84sP1Ug=="; }; # Then, in the "zone" statement for each zone you wish to dynamically # update, place an "update-policy" statement granting update permission # to this key. For example, the following statement grants this key # permission to update any name within the zone: update-policy { grant foreman zonesub ANY; }; # After the keyfile has been placed, the following command will # execute nsupdate using this key: nsupdate -k /path/to/keyfile
You should create a new file (such as /etc/rndc.key or other) and store the key “foreman {…} in it. in the proxy Settings file you should point to this file location - make sure that the proxy have read permissions to this file.
In your named file, you could add the update-policy statement or something like this named example file if you need more fine grained permissions.
Both BIND as configured in FreeIPA and Microsoft AD DNS servers can accept DNS updates using GSS-TSIG authentication. This uses Kerberos principals to authenticate to the DNS server. Under Microsoft AD, this is known as “Secure Dynamic Update”.
A user has to be created in Active Directory that will be used by the Smart Proxy, e.g. foremanproxy
. This will automatically create a service principal, e.g. foremanproxy@EXAMPLE.COM
.
Test the Kerberos login with that user on the Smart Proxy using kinit:
kinit foremanproxy@EXAMPLE.COM
This requires that the /etc/krb5.conf file is setup correctly. By default many systems use DNS to locate the Kerberos DC. A KDC can also be statically set in this file. There are dozens of documents on how to do this on the net.
If login works, the keytab file can be created using ktutil
. First clear the Kerberos ticket cache:
kdestroy
Now create the keytab file with ktutil
:
ktutil: addent -password -p foreman@EXAMPLE.COM -k 1 -e RC4-HMAC
ktutil: wkt dns.keytab
ktutil: q
Once the keytab file has been created, test it using kinit:
kinit foreman@EXAMPLE.COM -k -t dns.keytab
If this works, clear the Kerberos ticket cache once again using kdestroy
.
Store the keytab at /etc/foreman-proxy/dns.keytab
, ensure permissions are 0600 and the owner is foreman-proxy
.
The DNS zone Dynamic Updates
option on the DNS zones can now be set to Secure Only
. Now follow the steps below under Proxy Configuration
.
A service principal is required for the Smart Proxy, e.g. foremanproxy/proxy.example.com@EXAMPLE.COM
.
First of all, create a new principal (FreeIPA service) for Foreman, e.g. ipa service-add foremanproxy/proxy.example.com@EXAMPLE.COM
.
Then fetch the keytab, e.g. ipa-getkeytab -p foremanproxy/proxy.example.com@EXAMPLE.COM -s ipa-server.example.com -k /etc/foreman-proxy/dns.keytab
.
Store the keytab at /etc/foreman-proxy/dns.keytab
, ensure permissions are 0600 and the owner is foreman-proxy
.
The ACL on updates to the DNS zone then needs to permit the service principal. In the FreeIPA web UI, under the DNS zone, go to the Settings tab and add to the BIND update policy a new grant:
grant foremanproxy\047ipa.example.com@EXAMPLE.COM wildcard * ANY;
Note the \047
is written verbatim, and don’t forget the semicolon.
Next, update the proxy configuration file (/etc/foreman-proxy/settings.yml
) with the following settings:
:dns_provider: nsupdate_gss
:dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
:dns_tsig_principal: foremanproxy/ipa.example.com@EXAMPLE.COM
The smart proxy can work in SSL mode, where both sides verify and trust each other. Requests from Foreman will only be accepted if the SSL certificate can be verified. Since proxies abstract a high level of control over your infrastructure, the configuration and security of keys and certificates is important.
Since Foreman integrates with Puppet heavily, it is recommended to use the Puppet Certificate Authority (CA) to secure proxy access. See the Security Communciations with SSL section for more advanced installations (multiple or internal CAs).
If the smart proxy host is not managed by Puppet, you will need to generate a certificate - skip forward to the generate section.
When using Puppet’s certificates, the following lines will be required in puppet.conf to relax permissions to the puppet
group. The foreman
and/or foreman-proxy
users should then be added to the puppet
group.
[main] privatekeydir = $ssldir/private_keys { group = service } hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
Configure the locations to the SSL files in /etc/foreman-proxy/settings.yml
, plus the list of trusted Foreman hosts:
:ssl_certificate: /var/lib/puppet/ssl/certs/FQDN.pem :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem :ssl_private_key: /var/lib/puppet/ssl/private_keys/FQDN.pem :trusted_hosts: - foreman.corp.com #- foreman.dev.domain
To generate a certificate for a proxy host that isn’t managed by Puppet, do the following:
puppet cert --generate <proxy-FQDN>
/etc/foreman-proxy
:<ol></ol>
Follow the configuration section above, however use the /etc/foreman-proxy
paths instead of the Puppet defaults.
For Foreman to connect to an SSL-enabled smart proxy, it needs configuring with SSL certificates in the same way. If the Foreman system is managed by Puppet, it will already have these, else certificates can be generated following the above instructions.
The locations of the certificates are managed in the Settings page, under Provisioning with the ssl_ca_file, ssl_certificate and ssl_priv_key settings. By default these will point to the Puppet locations - for manually generated certificates, or non-standard locations, they may have to be changed.
Lastly, when adding the smart proxy in Foreman, ensure the URL begins with https://
rather than http://
.
An essential first step in netbooting a system is preparing the TFTP server with the PXE configuration file and boot images. This document assumes that you have already configured your DHCP infrastructure, either via manual configuration or through the DHCP smart proxy.
Once enabled, there is currently only one valid setting to change, the default TFTP root. This is set with the :tftproot: parameter, which defaults to /var/lib/tftpboot.
Foreman tries to guess the right server name that should put into the dhcp record, if this is not what you want, you can override it - see tftp_servername under Settings.yml.
Regardless of the filesystem setup is performed, you must also make sure you have the wget utility installed and in the default path. wget is used to download OS specific installation when a given host is enabled for the build process.
Foreman includes a TFTP server module that will perform all of the basic setup. It defaults to TFTP root of /var/lib/tftpboot, which may change if necessary. You will still need to provide the basic TFTP load images in your TFTP root directory. For vanilla PXE booting, this includes pxelinux.0, menu.c32, and chain.c32.
The setup is very simple, and may be performed manually if desired.
In most cases, the default templates should work fine. You do, however, need to make sure that a PXELinux or gPXE template is associated with your hosts. See [[Foreman:Unattended_installations | Unattended Installations]] for details. The template will be used to define the PXE configuration file when a host is enabled for build. |
This is a rough outline of the steps triggered on the TFTP smart proxy host when you click on the “Build” link for a host.
wget --no-check-certificate -nv -c <src> -O "<destination>"
At the moment, the proxy is not able to fetch boot files using NFS. As a workaround, expose your installation medium (or use a public mirror) over http/ftp to configure one machine with the require boot files. this would be resolved as part of #992.
This chapter details the configuration of the required UI components necessary to provision an OS onto a host.
The Operating Systems page (More -> Provisioning -> Operating Systems) details the OSs known to Foreman, and is the central point that the other required components tie into.
Simply click New Operatingsystem on the main page. You will be taken to a screen where you can create the bare essentials of a new OS. Not everything required for a successful provision is on this page (yet) - the remaining components will appear for selection as we create them.
You will need to fill in the first few parts of the form (Name, Major, Minor, Family, and possibly some family-dependent information). In the case of OSs like Fedora, it is fine to leave Minor blank.
If the default Partition Tables & Installation media are suitable, then you can assign them now. If not, return here after each step in this chapter to assign the newly created objects to your Operating System
Foreman does not come with any Operating Systems by default. However, Foreman will detect the Operating System of any host which reports in via Puppet - if the OS of that Host is supported, it will be created (with very basic settings) and assigned to the Host. Thus you may find some OSs already created for you.
The Installation Media represents the web URL from where the installation packages can be retrieved (i.e. the OS mirror). Some OS Media is pre-created for you when Foreman is first installed. However, it is best to edit the media you are going to use and ensure the Family is set.
If your OS of choice does not have a mirror pre-created for you, click the New Medium button to create one. There are a few variables which can be used to pad out the URL. For example:
http://mirror.averse.net/centos/$major.$minor/os/$arch
Be sure to set the Family for the Media
If you have not already done so, return to the Operating System page for your OS and assign the Media to it now.
The Provision Templates is the core of Foreman’s flexibility to deploy the right OS with the right options. There are several types of template, along with a flexible matching system to deliver different templates to different Hosts.
Foreman comes with pre-created templates for the more common OSs, but you will need to review these.
There are 5 template kinds:
In practice, most environments only make use of the first 3. The Create Host action deploys the PXELinux template to the TFTP server. The PXELinux template directs the host to retrieve the Provision template. The Provision template will direct the installer to retrieve and run the Finish template at the end of the install, and the Finish template will notify Foreman the build is complete just before reboot.
Clicking a template will take you to the edit page. All templates are ERB-enabled, and you can access many variables about the to-be-installed-host within the template. See Template Writing for ideas.
As noted in 4.1.4 Auditing, changes to the templates are logged as diffs - you can browse the history of changes to the templates from the History tab within the Edit Template page. You can also revert changes here.
When editing a Template, you must assign a list of Operating Systems which this Template can be used with. Optionally, you can restrict a template to a list of Hostgroups and/or Environments
When a Host requests a template (e.g. during provisioning), Foreman will select the best match from the available templates of that type, in the following order:
The final entry, Operating System default, can be set by editing the Operating System page.
You will need to associate at least one PXELinux, Provision, and Finish template to your Operating System, and this must be done in two steps. First edit each of the templates, switch to the Association tab, and ensure the appropriate OSs are checked. Then edit the Operating System, switch to the Templates tab, and choose a default template for each template kind.
Partition templates are a subset of normal Provisioning Templates. They are handled separately because it is frequently the case that an admin wants to deploy the same host template (packages, services, etc) with just a different harddisk layout to account for different servers’ capabilities.
Foreman comes with pre-created templates for common Operating Systems, but it is good to edit the template, check it’s content and it’s Family setting. If the Family is wrong, be sure to go back to Operating Systems and associate it with your Operating System.
When creating a new Host, you will be given the option to create a Dynamic Partition table. This is essentially a ‘one-off’ partition table that is stored with the host and used only for that host. It replaces the choice of Partition Table from the normal list of those associated with the selected OS.
Architectures are simple objects, usually created by Foreman automatically when Hosts check in via Puppet. However, none are created by default, so you may need to create them if you’re not using Foreman for reporting.
Simply click New Architecture to create a new one. This should match the Facter fact :architecture e.g. “x86_64”. If you’ve already created some Operating Systems, you can associate the Architecture with the OS now; if not, the list of Architectures will be present when you create an OS.
The framework used for implementation of command line client for foreman provides many features common for modern CLI applications. The task of managing Foreman from command line is quite complex so the commands have to be organized in more levels of subcommands. There is help available for each level to make it easy to use. Some other features for greater comfort are option validation, logging and customizable output formatting.
Basic help and list of supported commands:
First level command help:
Second level command help:
There was a set of common commands identified as necessary for basic Foreman management, we called it “success story” and track the progress of its implementation. The commands could also serve as a basic hammer cookbook.
The goal is to provision bare metal host on a clean install of Foreman. The following steps are necessary:
hammer proxy create --name myproxy --url https://proxy.my.net:8443
hammer architecture create --name x86_64
hammer subnet create --name "My Net" --network "192.168.122.0" --mask "255.255.255.0" --gateway "192.168.122.1" --dns-primary "192.168.122.1"
import existing subnet from a proxy
missing, see #3355
create new domain
hammer domain create --name "my.net" --fullname "My network"
hammer domain update --id 1 --dns-id 1
hammer subnet update --id 1 --domain-ids 1
hammer subnet update --id 1 --dhcp-id 1 --tftp-id 1 --dns-id 1
hammer partition_table create --name "Redhat test" --file /tmp/rh_test.txt
hammer os create --name RHEL --major 6 --minor 4
hammer template create --name "kickstart mynet" --type provision --file /tmp/ks.txt
hammer template dump --id 4 > /tmp/ks.txt vim /tmp/ks.txt hammer template update --id 4 --file /tmp/ks.txt
hammer template update --id 1 --operatingsystem-ids 1
Listing associated OS’s is still missing - see #3360
hammer os update --id 1 --architecture-ids 1
hammer os update --id 1 --ptable-ids 1
hammer os update --id 1 --medium-ids 1
associate OS with install provision and pxelinux templates
Missing, needs investigation, may be related to #3360
create libvirt compute resource
hammer compute_resource create --name libvirt --url "qemu:///system" --provider Libvirt
import puppet classes
missing - see #3035
and finally create a bare metal host entry
works with some options, needs improvements - see #3063
API v1 is the default version for Foreman 1.3.x.
This section documents the JSON API conventions for the Foreman API v2 and Katello API v2, both of which are not released. To test out new features in API v2, see Section 5.1.6, to specify version.
The following examples show the basic CRUD operations (Create, Read, Update, Delete) using the JSON API.
Get of a collection of domains: GET /api/domains
Send a HTTP GET request. No JSON data hash is required.
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" https://foreman.example.com/api/domains
This returns a collection JSON response. The format for a collection response is described in Section 5.1.2.
Get a single domain: GET /api/domains/:id
or GET /api/domains/:name
Send a HTTP GET request with the object’s unique identifier, either :id
or :name
. No JSON data hash is required.
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains/42
# or
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains/foo
This returns a single object in JSON format. The format for a single object response is described in Section 5.1.3.
Create a new domain: POST /api/domains
Send a HTTP POST request with a JSON data hash containing the required fields to create the object. In this example, a domain is being created.
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" -X POST \
-d { "name":"foo.bar.com","fullname":"foo.bar.com description" } https://foreman.example.com/api/domains
This returns the newly created object in JSON format. The format for a single object response is described in Section 5.1.3.
Update a domain: PUT /api/domains/:id
or PUT /api/domains/:name
Send a HTTP PUT request with the object’s unique identifier, either :id
or :name
, plus a JSON data hash containing only the data to be updated. In this example, only the domain name is being updated.
$ curl -k -u admin:changeme -H “Accept: version=2,application/json” -X PUT
-d { “name”: “a new name” } https://foreman.example.com/api/domains/12
# or
$ curl -k -u admin:changeme -H “Accept: version=2,application/json” -X PUT
-d { “name”: “a new name” } https://foreman.example.com/api/domains/foo
This returns the newly updated object in JSON format. The format for a single object response is described in Section 5.1.3.
Delete a domain: DELETE /api/domains/:id
or DELETE /api/domains/:name
Send a HTTP DELETE request with the object’s unique identifier, either :id
or :name
. No JSON data hash is required.
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" -X DELETE \
https://foreman.example.com/api/domains/17
# or
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" -X DELETE \
https://foreman.example.com/api/domains/foo
This returns the deleted object in JSON format. The format for a single object response is described in Section 5.1.3.
Collections are a list of objects (i.e. hosts, domains, etc). The format for a collection JSON response consists of a results
root node and metadata fields total, subtotal, page, per_page
. Note: for Katello objects, the metadata includes limit, offset
instead of page, per_page
.
Below is an example of the format for a collection JSON response for a list of domains: GET /api/domains
{
"total": 3,
"subtotal": 3,
"page": 1,
"per_page": 20,
"search": null,
"sort": {
"by": null,
"order": null
},
"results": [
{
"id": 23,
"name": "qa.lab.example.com",
"fullname": "QA",
"dns_id": 10,
"created_at": "2013-08-13T09:02:31Z",
"updated_at": "2013-08-13T09:02:31Z"
},
{
"id": 25,
"name": "sat.lab.example.com",
"fullname": "SATLAB",
"dns_id": 8,
"created_at": "2013-08-13T08:32:48Z",
"updated_at": "2013-08-14T07:04:03Z"
},
{
"id": 32,
"name": "hr.lab.example.com",
"fullname": "HR",
"dns_id": 8,
"created_at": "2013-08-16T08:32:48Z",
"updated_at": "2013-08-16T07:04:03Z"
}
]
}
The response metadata fields are described below:
total
- total number of objects without any search parameterssubtotal
- number of objects returned with given search parameters (if there is no search, then subtotal
equals total
)page
(Foreman only) - page numberper_page
(Foreman only) - maximum number of objects returned per pagelimit
- (Katello only) specified number of objects to return in collection responseoffset
- (Katello only) number of objects skipped before beginning to return collection.search
- search string (based on scoped_scoped syntax)sort
by
- the field that the collection is sorted byorder
- sort order, either ASC for ascending or DESC for descendingresults
- collection of objects. See Section 5.1.4 for how to change the root name from ‘results’ to something else.Single object JSON responses are used to show a single object. The object’s unique identifier :id
or :name
is required in the GET request. Note that :name
may not always be used as a unique identifier, but :id
can always be used. The format for a single object JSON response consists of only the object’s attributes. There is no root node and no metadata by default. See Section 5.1.4 for how to add a root name.
Below is an example of the format for a single object JSON response: GET /api/domains/23
or GET /api/domains/qa.lab.example.com
{
"id": 23,
"name": "qa.lab.example.com",
"fullname": "QA",
"dns_id": 10,
"created_at": "2013-08-13T09:02:31Z",
"updated_at": "2013-08-13T09:02:31Z"
}
The default root node name for collections is results
but can be changed.
To change the root node name per API request, pass root_name=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains?root_name=data
There is no root node as the default for single object JSON responses, but it can be added.
To change the object’s root node name per API request, pass object_name=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains/23?object_name=record
Currently, there is no option to change or customize which attributes are returned for collections or single objects. In the future, customized partial responses such as fields=field1,field2,field3
or fields=all
may be implemented (#3019). Similarly, there is currently no option to specify child nodes in an API call or to remove child nodes if they are returned by default.
Foreman paginates all collections in the JSON response. The number of objects returned per request is defined in More > Settings > General > entries_per_page. The default is 20. Thus, if there are 27 objects in a collection, only 20 will be returned for the default page=1.
To view the next page, pass page=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains?page=2
The example above will show the remaining 7 objects in our example of 27 objects in the collection.
To increase or decrease the number of objects per response, pass per_page=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains?per_page=1000
This will return all the objects in one request since 27 is less than the per_page
parameter set to 1000.
Foreman uses the gem scoped_search for searching and filtering which allows all query search parameters to be specified in one string. To filter results of a collection, pass search=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains?search=name%3Dexample.com
The number of objects returned will be shown in the subtotal
metadata field, and the query string will be shown in the search
metadata field.
Custom sort order per collection can be specified by passing order=
as a URL parameter. See example below:
$ curl -k -u admin:changeme -H "Accept: version=2,application/json" \
https://foreman.example.com/api/domains?order=name+DESC
The default sort order is ascending (ASC) if only a field name is passed. The sort parameters will be shown in sort
by
and order
metadata fields.
The goal is to implement nested routes for all objects as an alternative to filtering collections.
For example, rather then filtering subnets by a specified domain using a search string
$ GET /api/subnets?search=name%3Dqa.lab.example.com
the alternative nested route below returns the same result as the above.
$ GET /api/domains/qa.lab.example.com/subnets
All actions will be accessible in the nested route as in the main route.
The default API version is v1 for Foreman 1.3.
There are two methods of selecting API v2:
In the header, pass Accept: application/json,version=2
In the URL, pass /v2/ such as GET /api/v2/hosts
Similarly, when API version v2 becomes the default, v1 can still be used by passing Accept: application/json,version=1
in the header or api/v1/
in the URL.
Foreman supports creating and managing hosts on a number of virtualization and cloud services - referred to as “compute resources” - as well as bare metal hosts.
The capabilities vary between implementations, depending on how the compute resource provider deploys new hosts and what features are available to manage currently running hosts. Some providers are able to support unattended installation using PXE, while others are image-based. Some providers have graphical consoles that Foreman interfaces to, and most have power management features. A summary of all providers and their support features is given below, and more detailed sections follow with specific notes.
Provider | Package | Unattended installation | Image-based | Console | Power management |
---|---|---|---|---|---|
EC2 | foreman-compute | no | yes | read-only | yes |
Google Compute Engine | foreman-gce | no | yes | no | yes |
Libvirt | foreman-libvirt | yes | no | VNC or SPICE | yes |
OpenStack Nova | foreman-compute | no | yes | no | yes |
oVirt / RHEV | foreman-ovirt | yes | yes | VNC or SPICE | yes |
Rackspace | foreman-compute | no | yes | no | yes |
VMware | foreman-vmware | yes | no | VNC | yes |
Support for these features is aimed at being as transparent as possible, allowing the same configuration to be applied to hosts irrespective of the provider in use (compute resource or not). The selection of compute resource is made when creating a new host and the host in Foreman’s database remains associated to the VM that’s created, allowing it to be managed throughout the lifetime of the host.
The following steps describe how to configure a compute resource and provision new hosts on it.
Ensure the necessary package for the provider (from the above table) is installed, e.g. yum -y install foreman-ovirt
. Restart the Foreman application to complete installation.
Add a compute resource under More > Provisioning > Compute Resources > New Compute Resource. Select the provider type from the menu and appropriate configuration options will be displayed. Check the notes sections below for any provider-specific setup instructions.
Click the Test Connection button after entering the configuration. If no error is displayed, the test was successful.
After saving the compute resource, existing virtual machines can be browsed by clicking on the compute resource and the Virtual Machines tab.
For providers that use images, click on the compute resource, then the Images tab, where known images are listed. To register images that Foreman can use, click New Image and enter the details.
To provision a new host on this compute resource, from Hosts, click New Host and select the compute resource from the Deploy to menu.
Also note the following features:
When viewing a host, power management controls and the console access button are in the top right hand corner of the page.
If a host provisioned on a compute resource is deleted, the VM and associated storage on the compute resource will also be deleted.
Users in Foreman can have access restricted to hosts present on certain compute resources. For more information, see Filtering in 4.1.2 Roles and Permissions.
A full example for configuring EC2 provisioning is given on the Foreman blog: EC2 provisioning using Foreman.
To connect to the hypervisor using SSH:
qemu+ssh://root@hypervisor.example.com/system
to use the remote ‘root’ accountqemu+ssh://hypervisor.example.com/system
to use the remote ‘foreman’ accountTo connect to the hypervisor over TCP without authentication or encryption (not recommended):
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
LIBVIRTD_ARGS="--listen"
in /etc/sysconfig/libvirtdqemu+tcp://hypervisor.example.com:16509/system
If you have difficulty connecting, test access using the virsh command under the ‘foreman’ account on the Foreman host first, e.g. virsh -c qemu+ssh://hypervisor.example.com/system list
.
A full example for configuring image-based provisioning is given on the Foreman blog, also applicable to OpenStack: EC2 provisioning using Foreman.
https://identity.api.rackspacecloud.com/v2.0
A full example for configuring image-based provisioning is given on the Foreman blog, also applicable to Rackspace: EC2 provisioning using Foreman.
Consoles are provided using VNC connections from Foreman to the ESX server, which requires a firewall change to open the respective ports (TCP 5910 to 5930)
Add the following file content:
Apply and check the firewall rule:
Lastly, make the rule persistent:
Missing content. Consider contributing, you kind soul!
The Foreman web application needs to communicate securely with associated smart proxies and puppet masters, plus users and applications connecting to the web interface. This section details recommended SSL configurations.
In a typical ENC-based setup with reporting, puppet masters require access to Foreman for three tasks:
All traffic here is initiated by the puppet master itself. Other traffic from Foreman to the puppet master for certificate signing etc. is handled via smart proxies (SSL configuration covered in the next section).
The Foreman interface authorizes access to puppet master interfaces based on its list of registered smart proxies with the Puppet feature, and identifies hosts using client SSL certificates.
Five main settings control the authentication, the first are in Foreman under Settings, Auth:
And two in config/settings.yaml
:
Using Apache HTTP with mod_ssl and mod_passenger is recommended. For simple setups, the Puppet certificate authority (CA) can be used, with Foreman and other hosts using certificates generated by puppet cert
.
/etc/puppet/node.rb
) should have these settings:/usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
) should have these settings:Warning messages will be printed to Foreman’s log file (typically /var/log/foreman/production.log
) when SSL-based authentication fails.
A typical small setup will use a single Puppet CA and certificates it provides for the Foreman host and puppet master hosts. In larger setups with multiple CAs or an internal CA, this will require more careful configuration to ensure all hosts can trust each other.
In non-SSL setups, host-based authentication can be performed, so any connection from a host running a puppet smart proxy is able to access the interfaces.
Entirely disabling authentication isn’t recommended, since it can lead to security exploits through YAML import interfaces and expose sensitive host information, however it may be useful for troubleshooting.
Foreman makes HTTP requests to smart proxies for a variety of orchestration tasks. In a production setup, these should use SSL certificates so the smart proxy can verify the identity of the Foreman host.
In a simple setup, a single Puppet Certificate Authority (CA) can be used for authentication between Foreman and proxies. In more advanced setups with multiple CAs or an internal CA, the services can be configured as follows.
/etc/foreman-proxy/settings.yml
contains the locations to the SSL certificates and keys:
--- # SSL Setup # if enabled, all communication would be verified via SSL # NOTE that both certificates need to be signed by the same CA in order for this to work # see https://projects.theforeman.org/projects/smart-proxy/wiki/SSL for more information :ssl_certificate: /var/lib/puppet/ssl/certs/FQDN.pem :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem :ssl_private_key: /var/lib/puppet/ssl/private_keys/FQDN.pem
In this example, the proxy is sharing Puppet’s certificates, but it could equally use its own.
In addition it contains a list of hosts that connections will be accepted from, which should be the host(s) running Foreman:
# the hosts which the proxy accepts connections from # commenting the following lines would mean every verified SSL connection allowed :trusted_hosts: - foreman.corp.com #- foreman.dev.domain
For Foreman to connect to an SSL-enabled smart proxy, it needs configuring with SSL certificates in the same way.
The locations of the certificates are managed in the Settings page, under Provisioning - the ssl_ca_file, ssl_certificate and ssl_priv_key settings. By default these will point to the Puppet locations - for manually generated certificates, or non-standard locations, they may have to be changed.
Lastly, when adding the smart proxy in Foreman, ensure the URL begins with https://
rather than http://
.
If using Puppet’s certificates, the following lines will be required in puppet.conf to relax permissions to the puppet
group. The foreman
and/or foreman-proxy
users should then be added to the puppet
group.
[main] privatekeydir = $ssldir/private_keys { group = service } hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
Note that the “service” keyword will be interpreted by Puppet as the “puppet” service group.
This chapter will provide you with information how to backup and recover your instance. All commands presented here are just examples and should be considered as a template command for your own backup script which differs from one environment to other.
It is possible to perform a migration by doing backup one one host and recovery on a different host, but in this case pay attention to different configuration between the two hosts.
This can be applied to the Foreman application itself, but pay attention when migrating smart-proxy and services because things like different IP addresses or hostnames will need manual intervention.
This chapter will provide you with information how to backup a Foreman instance.
The pg_dump
command can be used to backup the contents of a PostgreSQL
database to a text file. The most reliable way of backing up PostgreSQL
database is:
su postgres -c "pg_dump -Fc foreman > foreman.dump"
The mysqldump
command can be used to backup the contents of your MySQL
database to a text file.
mysqldump --opt foreman > foreman.sql
Please follow MySQL documentation about other options for doing backups.
To backup SQLite database perform this simple step:
sqlite3 /path/to/foreman/db/production.db .dump > foreman.dump
SQLite databases are all contained in a single file, so you can back them up by copying the file to another location, but it is recommended to shut down the instance first, or at lest verify the integrity of the created archive using sqlite3 command. The dump command above is preferred.
On Red Hat compatible systems issue the following command to backup whole /etc directory structure:
tar --selinux -czvf etc_foreman_dir.tar.gz /etc/foreman
For all other distribution do similar command:
tar -czvf etc_foreman_dir.tar.gz /etc/foreman
On the puppet master node, issue the following command to backup Puppet certificates on Red Hat compatible systems
tar --selinux -czvf var_lib_puppet_dir.tar.gz /var/lib/puppet/ssl
For all other distribution do similar command:
tar -czvf var_lib_puppet_dir.tar.gz /var/lib/puppet/ssl
Depending on used software packages, perform backup of important data and configuration files according to the documentation. For ISC DHCP and DNS software, these are located within /etc and /var directories depending on your distribution as well as TFTP service.
Recovery process is supposed to be performed on the same host the backup was created on on the same distribution and version.
If you planning to migrate Foreman instance, please read remarks in the beginning of this chapter.
Note: Foreman instance must be stopped before proceeding.
The pg_restore
command can be used to recover contents of your PostgreSQL
database from the database dump. The most reliable way PostgreSQL
database is:
su postgres -c "pg_restore -C -d postgres foreman.dump"
The mysql
command can be used to recover contents of your MySQL database
from the database dump in SQL format.
mysql < dump.sql
Please follow MySQL documentation about other options for data recovery.
To recover from SQLite dump perform this simple step:
sqlite3 /path/to/foreman/db/production.db < foreman.dump
It is possible just to copy db file, but Foreman instance must be stopped.
On Red Hat compatible systems issue the following command to restore whole /etc directory structure:
tar --selinux -xzvf etc_foreman_dir.tar.gz -C /
For all other distribution do similar command:
tar -xzvf etc_foreman_dir.tar.gz -C /
It is recommended to extract files to an empty directory first and inspect the content before overwriting current files (change -C option to an empty directory).
On the puppet master node, issue the following command to restore Puppet certificates on Red Hat compatible systems
tar --selinux -xzvf var_lib_puppet_dir.tar.gz -C /
For all other distribution do similar command:
tar -xzvf var_lib_puppet_dir.tar.gz -C /
It is recommended to inspect the content of the restore first (see above).
Depending on used software packages, perform recovery of important data and configuration files according to the documentation. This depends on the software and distribution that is in use.
Foreman is a Ruby on Rails application, which provides an interactive console for advanced debugging and troubleshooting tasks. Using this allows easy bypass of authorization and security mechanisms, and can easily lead to loss of data or corruption unless care is taken.
To access the Rails console, choose the method below appropriate to the installation method.
As root, execute:
As root, execute:
To assume full admin permissions in order to modify objects, enter in the console:
There are two primary methods of getting support for the Foreman: IRC and mailing lists.
We work on the libera.chat servers. You can get general support in #theforeman, while development chat takes place in #theforeman-dev.
Mailing lists are available via Google Groups. Much like IRC, we have a general users (support, Q/A, etc) lists and a development list:
Foreman 3.13.0 has been released! Follow the quick start to install it.
Foreman 3.12.1 has been released! Follow the quick start to install it.