Different subnet for provisioning and puppet/general usage

I would like to set up foreman as follows:

  • provisioning through discovered hosts
  • 2 NICs
  • dedicated subnet for provisioning (dhcp/tftp first then static IP assignment)
  • dedicated subnet for puppet/content/webui

Is it possible to achieve such a configuration by playing with foreman-installer arguments and/or settings/templates?
Currently, the PXE/discovery template uses proxy.url=<%= foreman_server_url %>, which resolves to the main URL, so when the host boots, it tries to reach the smart proxy through its main IP, not through its provisioning-network NIC.
If I could use a URL which resolves to an IP in this dedicated network, I could at least reach this step (but I'm not sure how to then split puppet registration to the other URL).
unattended_url does not seem to have this goal.

I would like to be able to do the same for the remote smart proxies: one subnet for dhcp/tftp/provisioning, another for the other uses.

So, any suggestions?
Thanks in advance

Do not use two NICs for Foreman. Use a separate smart proxy running on the second subnet to do the integration - that is how we designed Foreman in the first place. You can run the second smart proxy on the same host as Foreman, so you only need one extra host/VM.

It is not technically impossible, but multihoming setups are challenging and I’d recommend avoiding it if you are new to Foreman. If you are not, then keep in mind that the two NICs have different IPs and hostnames. Our installer might not be able to set everything up for you.

1 Like

I’ll second that for the installer - it’s designed for simple(ish) use cases and a multihomed Foreman server is definitely not one of them. You may well be able to achieve everything you want with some tweaking, but I doubt the installer could cope with it.

You will absolutely need a proxy for each of the networks, so that you can set appropriate hostnames/IPs. Configuring a proxy alone should be relatively easy once the main server is up, as you can use the puppet-foreman_proxy Puppet module to configure it from Foreman (the same module is used in the installer).

I'm not sure I understand: you mention running a second smart proxy on the same host but also mention an extra host.

You advise me to run foreman (and its built-in smart proxy) on a single-NIC host, and an additional smart proxy on a second host?

Since I'm using katello, I thought at first to use the proxy scenario from the foreman-installer. Nothing wrong with that?

All we’re saying is that the installer (which your original post asks about) isn’t designed for a multi-home setup. You can almost certainly achieve what you describe manually, but the installer can’t automate it for you - it’s intended to speed up deployment in the common use cases.

Typically a multi-network setup has one proxy for each network, residing within that network (usually on the DHCP/DNS/gateway for that network). As such, you get something like:

Foreman (management network, 10.X)
  |                            \
192.X                        172.X
  |                              \
Proxy 1 (provision net)           Proxy 2 (production net)

The scenario @lzap describes is where Foreman and Proxy 2 are on the same host/net, but that’s not required. This way you have unique IPs/URLs for each proxy, and all the hosts can resolve correctly.

The issue is that you can’t easily use the installer for this, as it doesn’t orchestrate multiple hosts. You can use the installer to build Foreman, and then use the installer Puppet modules to build Proxy 1 & 2 from Foreman, as I mentioned, but that’s not the same thing :slight_smile: - or of course, you can build Proxy 1 & 2 manually and connect them to Foreman.

1 Like

Indeed my first idea was an “easy” multi-home. After reading your answers, I will try to follow the common use case then: 1 single-NIC host with foreman + its bundled proxy installed, and provisioning will be done in this single subnet.
I will set up standalone smart proxies (single NIC) for other locations.
Please correct me if I'm wrong, but the bundled smart proxy on the same host as foreman core is the common use case?

You are correct - that’s the default for the installer. Note that the defaults don’t set up DHCP/DNS on the Foreman box, as we don’t want to mess with any existing servers on your network. Those features should be easy to add via the appropriate installer switches; see the manual for examples.
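An added example, not from the thread or the Foreman project, that puts the two replies above together: Greg's "one proxy per network" layout (Proxy 1 on the provisioning net, built from Foreman with the installer modules) and the note that DHCP/TFTP are only enabled through installer switches. The script prints, without running, a foreman-installer command line for a standalone Proxy 1 that serves DHCP/TFTP on the provisioning NIC only, keeps Puppet/PuppetCA off that proxy, and restricts which Foreman host may drive it via trusted-hosts. The flag names are the foreman-installer / puppet-foreman_proxy parameters as I remember them, so confirm them against `foreman-installer --help` on your version; every hostname, interface name, IP range and OAuth value is a constructed placeholder. The second function is the sanity check the original question was missing: it verifies that the address a proxy URL resolves to actually lies inside the provisioning subnet, so a booting host will reach the proxy on the right NIC.

```shell
#!/usr/bin/env bash
# Added example: installer command for a standalone provisioning smart proxy
# (Proxy 1 in the diagram above). Not the project's own script.
# All values below are constructed placeholders; adjust to your networks.

FOREMAN_URL="https://foreman.example.com"      # Foreman core on the management net (assumed)
PROXY_FQDN="proxy1.provision.example.com"      # must resolve to the proxy's provisioning-net IP (assumed)
PROXY_IP="192.168.100.7"                       # constructed: the address PROXY_FQDN resolves to
PROV_SUBNET="192.168.100.0/24"                 # constructed provisioning subnet
PROV_IFACE="eth0"                               # NIC on the provisioning subnet (assumed)
PROV_GATEWAY="192.168.100.1"                    # constructed
PROV_DNS="192.168.100.1"                        # constructed
PROV_RANGE="192.168.100.50 192.168.100.200"     # constructed DHCP pool for discovery boots

# Print (do not execute) the installer command for the provisioning proxy.
# Foreman core, the CLI and Puppet are not installed on this host; DHCP and TFTP
# are enabled and bound to the provisioning NIC; Puppet/PuppetCA stay disabled
# because those services live on the Foreman host or the production-net proxy.
# trusted-hosts limits which Foreman hostname may call this proxy's API.
build_provisioning_proxy_cmd() {
  cat <<EOF
foreman-installer \\
  --no-enable-foreman \\
  --no-enable-foreman-cli \\
  --no-enable-puppet \\
  --enable-foreman-proxy \\
  --foreman-proxy-puppet=false \\
  --foreman-proxy-puppetca=false \\
  --foreman-proxy-foreman-base-url=${FOREMAN_URL} \\
  --foreman-proxy-trusted-hosts=${FOREMAN_URL#https://} \\
  --foreman-proxy-oauth-consumer-key=REPLACE_WITH_KEY_FROM_FOREMAN_SETTINGS \\
  --foreman-proxy-oauth-consumer-secret=REPLACE_WITH_SECRET_FROM_FOREMAN_SETTINGS \\
  --foreman-proxy-tftp=true \\
  --foreman-proxy-tftp-servername=${PROXY_FQDN} \\
  --foreman-proxy-dhcp=true \\
  --foreman-proxy-dhcp-interface=${PROV_IFACE} \\
  --foreman-proxy-dhcp-gateway=${PROV_GATEWAY} \\
  --foreman-proxy-dhcp-nameservers=${PROV_DNS} \\
  --foreman-proxy-dhcp-range="${PROV_RANGE}"
EOF
}

# Convert a dotted-quad IPv4 address to an integer (pure shell, no external tools).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_prefix ADDR NET/BITS -> returns 0 when ADDR lies inside NET/BITS.
# Use it to confirm that the proxy URL handed to PXE/discovery clients resolves
# to an address on the provisioning subnet, not the management-net IP.
ip_in_prefix() {
  local addr=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Stand-alone usage: show the command, then check the proxy address placement.
build_provisioning_proxy_cmd
if ip_in_prefix "$PROXY_IP" "$PROV_SUBNET"; then
  echo "ok: $PROXY_FQDN ($PROXY_IP) is inside $PROV_SUBNET"
else
  echo "warning: $PROXY_FQDN ($PROXY_IP) is NOT inside $PROV_SUBNET; PXE clients will use the wrong NIC"
fi
```

Proxy 2 on the production net would be built the same way with `--foreman-proxy-dhcp=false --foreman-proxy-tftp=false` and Puppet/PuppetCA enabled instead, so that each proxy only advertises the services its own subnet needs. The OAuth key and secret come from Foreman's Settings > Authentication page (or the installer output on the Foreman host) and should be treated as credentials, not committed alongside this script.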

Yes, I already have dhcp/pxe working. I plan to set up registration in FreeIPA.
Thanks for all your answers and for the work on foreman, it's amazing software.

1 Like

Greg is right, it is technically possible to run two proxies on the same host. If you are going to install Foreman in a VM (which is recommended - Foreman is a “pet server”) then an extra VM for the smart proxy can be quite small - you can do just fine with a 2 GB VM and 1 vCPU if you only plan to have DHCP/TFTP there. Note that Puppet will be demanding; in the case of a remote smart proxy, be sure to plan VM/hardware accordingly.