Building hosts with no internet

Problem:

I am trying to deploy on VMware to a network with no internet access. The machines have no DNS, and can only talk to the smart-proxy in that network. I set pre- and post-scripts to define the smart-proxy in /etc/hosts, which should allow the machine to resolve the smart-proxy. These are all Rocky Linux (RHEL derived) but I’ve run into a couple of problems:

  1. Subscription manager is not installed by default, so before the configuration for it can be applied (which would then point it to our local-repos) it has to install it - which obviously it tries to do from the default Rocky Mirrors, which fail.

  2. The “puppetlabs_repo” snippet appears to have “yum.puppet.com” hard coded, rather than using the local repository for it, or waiting until subscription-manager has been configured and using the package manager to install it from our local repo.

Has anyone else managed to configure a smart-proxy in an isolated network and get builds working? It appears perfectly happy to pull the Kickstart and installation media from the smart-proxy by using the IP, but the latter part of the Kickstart fails likely due to no internet.

If you use Katello then you can sync content. Managing content is a long guide because it’s a large area, but it’s precisely designed for use cases like yours here: disconnected hosts.

Note we don’t support adding Katello to an existing Foreman deployment. It has been done by some, but there are no instructions because there may be dragons.

We have Katello installed and use it for the systems, the issues I have are that it appears to require “subscription-manager” in order to register the host and get pointed to our local repositories - which is not included in the installation media, and so we end up in a chicken-and-egg situation of we can’t install it from our repository as it doesn’t have them listed yet because that requires subscription-manager…

Since you’re already doing kickstart based deployments, it should tell the host to pull content from the content source (which is your Smart Proxy). Can you share how you’re creating the host?

I noticed it was configured to use “All Media” rather than “Synced content”, however having just changed that to Synced Content - where before it seemed to use the IP address to download the kickstart etc. it now seems to be trying to use the DNS name again - which fails due to not having DNS servers in that network. I suspect this is also too early for the pre-script we added to add the smart-proxy to the local Hosts file to have kicked in…

The “installation media” for that proxy is set to “http://IP/pulp/content…” I can see the “inst.ks” line in the PXE install is set to the IP address of the server exactly as it was before.

Regarding the question of how these are being created - via the Foreman web interface, to a local VMware server. (I suspect I am not understanding what you’re actually asking for, sorry!)

I suspect the latest issue about the installation media is down to the KickStart Default now having this at the top:
Lifecycle environment: Production
Content View: Rocky 9
Content Source: smart-proxy-url

url --url http://smart-proxy-url/pulp/content/CRUK/Production/Rocky_9/custom/Rocky_9/Rocky_9_BaseOS/
repo --name Rocky_9_BaseOS --baseurl http://smart-proxy-url/pulp/content/CRUK/Production/Rocky_9/custom/Rocky_9/Rocky_9_BaseOS/
repo --name Rocky_9_AppStream --baseurl http://smart-proxy-url/pulp/content/CRUK/Production/Rocky_9/custom/Rocky_9/Rocky_9_AppStream/

I thought I could try changing the “URL” in the smart-proxy page, however the certificate obviously isn’t valid for the IP address just for the FQDN. Is it possible to regenerate the SSL certificate to have the IP address as a SAN for just this smart-proxy?

My workplace does provisioning for hosts that are firewalled off and get everything, including Puppet, from Katello. The parameters

  • enable-epel false,
  • enable-puppet6 (the 6 doesn’t seem to matter) true,
  • only_subscription_manager_repos true, and
  • package_upgrade false

are set at the Location level. I think the hardcoding in the puppetlabs_repo snippet doesn’t matter because we’re not turning on any of the enable-*puppet*-repo params. So puppetlabs_repo evaluates to nothing and puppet_setup runs dnf -y install puppet-agent because an enable-*puppet* param is set.

In Kickstart default, snippet redhat_register happens prior, which I believe is activated by our setting kt_activation_keys at the hostgroup level.

For anyone with the same issue, I managed to resolve this by:

  1. Enabling the smart-proxy to be a local DNS server (it will only really resolve itself, and possibly machines it built, but we only need it to resolve itself).
  2. Making sure the smart-proxy is also a Katello/Pulp content host.
  3. Setting the smart-proxy as the DNS server for machines built in that network.
  4. Ensuring the Installation Media is set to “Synced Content”.
  5. Adding the parameter “additional_packages” with the string “subscription-manager” (this way it installs it during the initial build and pulls it from the smart-proxy).

I think the last is possibly a bug - or at least odd behavior. If you don’t add it as an “additional_package” then it doesn’t try to pull it from the smart-proxy repositories, but instead tries to use the distro-default repositories. Once subscription-manager is installed (and configured I suppose), then all future packages correctly pull from the smart-proxy.

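As an added example (not code from the thread, Foreman or Katello), the Python linter below checks a rendered Kickstart for the two conditions the thread settles on: every url/repo line points at the content source, and subscription-manager is in the initial %packages set. The sample Kickstart, the ORG path segment and the host name smart-proxy-url are constructed for the example.

```python
"""Lint a rendered Kickstart for a network with no internet and no DNS:
every url/repo line must point at the smart-proxy (the only reachable host)
and subscription-manager must be in the initial %packages set."""
import re
from urllib.parse import urlparse

# Constructed sample shaped like the thread's "Kickstart default", plus a
# hard-coded upstream repo of the kind the puppetlabs_repo snippet emits.
SAMPLE_KS = """\
url --url http://smart-proxy-url/pulp/content/ORG/Production/Rocky_9/custom/Rocky_9/Rocky_9_BaseOS/
repo --name Rocky_9_BaseOS --baseurl http://smart-proxy-url/pulp/content/ORG/Production/Rocky_9/custom/Rocky_9/Rocky_9_BaseOS/
repo --name puppet --baseurl https://yum.puppet.com/puppet/el/9/x86_64
%packages
@core
%end
"""

URL_OPT = re.compile(r"--(?:url|baseurl|mirrorlist)[= ](\S+)")

def repo_hosts(ks: str) -> list[tuple[int, str]]:
    """Return (line number, host) for every url/repo line that names a URL."""
    found = []
    for n, line in enumerate(ks.splitlines(), 1):
        m = URL_OPT.search(line) if line.startswith(("url ", "repo ")) else None
        if m:
            found.append((n, urlparse(m.group(1)).hostname or ""))
    return found

def packages(ks: str) -> set[str]:
    """Return package and group names selected in the %packages section."""
    pkgs, inside = set(), False
    for line in (raw.strip() for raw in ks.splitlines()):
        if line.startswith("%packages"):
            inside = True
        elif line == "%end":
            inside = False
        elif inside and line and not line.startswith(("#", "-")):  # "-" excludes
            pkgs.add(line.split()[0])
    return pkgs

def lint(ks: str, content_source: str) -> list[str]:
    """Return findings; an empty list means the Kickstart suits the isolated network."""
    findings = [f"line {n}: repo host {h!r} is not the content source"
                for n, h in repo_hosts(ks) if h != content_source]
    if "subscription-manager" not in packages(ks):
        findings.append("subscription-manager missing from %packages "
                        "(set the additional_packages parameter)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_KS, "smart-proxy-url")) or "OK")
```

Run it against the Kickstart rendered for a host (Foreman shows it under the host's Templates tab) before the first build in the isolated network.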