I am having a devil of a time setting up foreman with a separated
smartproxy on a separate subnet. The problem is NOT installing the
smartproxy, but getting it to 'work' without 85+ pages of documentation. I
did try installing the 'foreman-installer' and just enabling the
foreman-smartproxy w/o the gui, but still am in a bit of hot water. Is
there any guide/docs on how to do this w/o the usual "RTFM" (I did and it's
nearly 50 pages of how to configure dhcp etc), when the foreman-installer
trick seems to do most of it automagically.
So I guess the real question is how to do a smartproxy install in a separate
network, attached to foreman using the foreman-installer, NOT doing it the
'old fashioned way'?
I did try doing a 'just install foreman' without putting the smartproxy on
the same server. Disaster. Couldn't get foreman to pass the puppet test. I
also tried installing 'just the smartproxy' on a separate machine (just for
fun). Again, puppet problems etc.
What I can't find is a nice document on how to separate smartproxy from
foreman core, or even run smartproxy separately. I did find lots of info on
how to do it 'manually' but this seems to completely violate the whole
point of foreman, and the 'foreman-installer' seems to mostly be able to do
the 'right thing' if you only happen to know the right incantation.
So what I would like to do is:
Foreman (main web server) in a management network -----smartproxy in
separate network------smartproxy in second network-------smartproxy in
third network etc. Each being in separate vlans (layer 2 domains)
Short of spending all night reading the docs and doing it manually is there
any way to do this using foreman-installer with the proper spell?
On Sunday, January 24, 2016 at 1:05:48 AM UTC-5, Thomas Munn wrote:
> I am having a devil of a time setting up foreman with a separated
> smartproxy on a separate subnet. The problem is NOT installing the
> smartproxy, but getting it to 'work' without 85+ pages of documentation. I
> did try installing the 'foreman-installer' and just enabling the
> foreman-smartproxy w/o the gui, but still am in a bit of hot water. Is
> there any guide/docs on how to do this w/o the usual "RTFM" (I did and it's
> nearly 50 pages of how to configure dhcp etc), when the foreman-installer
> trick seems to do most of it automagically.
> So I guess the real question is how to do a smartproxy install in a separate
> network, attached to foreman using the foreman-installer, NOT doing it the
> 'old fashioned way'?
The reason it's awkward is SSL. The default install has Foreman, Proxy, and
Puppet all on one box, meaning that (a) the puppetmaster has created a CA,
and (b) Foreman can use that CA and the descending certificates for itself,
to wrap all its proxy comms in SSL. Separately, without a proxy, a
puppetmaster can't report to Foreman (unless you lower its default
security) which is why that test is failing - Foreman only accepts reports
from hosts it knows about.
From an installer perspective, it's hard to automate generating and copying
those certs around across multiple machines, which is why it's something
we're still playing around with. It's much easier when you know where the
CA will be, so I would do this:
1) Do an all-in-one install, with a temporary proxy - that definitely works
2) Either provision your real proxy through Foreman, or at least generate a
cert for it on the cmdline with "puppet cert" on the Foreman box
2a) Copy the cert to the proxy box if Foreman didn't provision it
3) Install and configure the proxy on the new host, using the provided cert
4) I believe the installer has a set of proxy SSL options to pass the paths
in (they'll default to /var/lib/puppet/, since it's expecting puppet
certs - this may be fine)
5) Add the proxy in the Foreman UI - this requires Foreman to be able to
reach the proxy on the other subnet, it will hit /features on the proxy's
configured port to confirm access/ssl setup.
6) Once it's all working, delete the temporary proxy from the Foreman UI,
and uninstall the packages for it from the OS
This is all assuming you don't have an existing puppetmaster or other CA to
get certs from - if so, you can use that too. So long as Foreman and the
proxy are using the certs from the same CA, it should work.
Once set up, you should be able to configure the puppet modules to
maintain it - here, no-op mode is your friend while you sort out what
options you need to pass to the modules. As a different, but related
example, I have an all-in-one setup handling puppet, but my dns/dhcp/tftp
is handled on a separate box, so there are two proxies on my network, and
the modules handle that just fine.
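As an added example (editor's addition, not code from either poster or from the Foreman project), the reply's steps 2 through 5 written out as shell functions, plus the one check worth running before you add the proxy in the UI: that Foreman's own cert and the proxy's cert both verify against the same CA, since that is the condition the reply says everything hinges on. Everything specific here is an assumption: the Puppet 3 layout under /var/lib/puppet/ssl (the default the reply mentions), the hostnames foreman.example.com and proxy1.example.com, port 8443, and the foreman-installer flag names, which you should confirm against `foreman-installer --full-help` for your version. The demo PKI at the bottom is constructed with openssl so the check can be exercised offline; it stands in for the puppetmaster CA.

```shell
#!/bin/sh
# Added example, not from the thread or the Foreman project. Assumptions: Puppet 3 paths
# under /var/lib/puppet/ssl, placeholder hostnames, port 8443, and installer flag names
# as listed (verify with `foreman-installer --full-help`).
set -eu

SSLDIR=/var/lib/puppet/ssl

# Step 2, on the Foreman/puppetmaster box: mint a cert for the proxy from the puppet CA.
# Leaves $SSLDIR/certs/<proxy>.pem, $SSLDIR/private_keys/<proxy>.pem; CA is certs/ca.pem.
issue_proxy_cert() {
  puppet cert generate "$1"
}

# Step 2a, on the Foreman box: copy CA, cert and key to the proxy box in the same layout.
copy_proxy_cert() {
  proxy=$1
  scp "$SSLDIR/certs/ca.pem"            "root@$proxy:$SSLDIR/certs/ca.pem"
  scp "$SSLDIR/certs/$proxy.pem"        "root@$proxy:$SSLDIR/certs/$proxy.pem"
  scp "$SSLDIR/private_keys/$proxy.pem" "root@$proxy:$SSLDIR/private_keys/$proxy.pem"
}

# Steps 3 and 4, on the proxy box: proxy only (no Foreman, no puppet/puppetca feature,
# since puppet stays on the Foreman box), using the cert that was just copied over.
install_proxy() {
  proxy=$1 foreman=$2
  foreman-installer \
    --no-enable-foreman --enable-foreman-proxy \
    --foreman-proxy-puppet=false --foreman-proxy-puppetca=false \
    --foreman-proxy-foreman-base-url="https://$foreman" \
    --foreman-proxy-trusted-hosts="$foreman" \
    --foreman-proxy-ssl-ca="$SSLDIR/certs/ca.pem" \
    --foreman-proxy-ssl-cert="$SSLDIR/certs/$proxy.pem" \
    --foreman-proxy-ssl-key="$SSLDIR/private_keys/$proxy.pem" \
    --foreman-proxy-foreman-ssl-ca="$SSLDIR/certs/ca.pem" \
    --foreman-proxy-foreman-ssl-cert="$SSLDIR/certs/$proxy.pem" \
    --foreman-proxy-foreman-ssl-key="$SSLDIR/private_keys/$proxy.pem"
}

# The check before step 5: Foreman's cert and the proxy's cert must both chain to the
# one CA Foreman trusts. Returns 0 if so, 1 if either fails to verify.
same_ca_check() {
  ca=$1 foreman_cert=$2 proxy_cert=$3
  openssl verify -CAfile "$ca" "$foreman_cert" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" "$proxy_cert"   >/dev/null 2>&1 || return 1
}

# Step 5 by hand: the same request Foreman makes when you add the proxy in the UI,
# presenting Foreman's cert as the client cert. Run this from the Foreman box.
probe_features() {
  foreman=$1 proxy=$2
  curl -sS --cacert "$SSLDIR/certs/ca.pem" \
       --cert "$SSLDIR/certs/$foreman.pem" --key "$SSLDIR/private_keys/$foreman.pem" \
       "https://$proxy:8443/features"
}

# Constructed demo PKI (stands in for the puppetmaster CA): one CA plus one leaf cert
# per hostname given, written as <dir>/ca.pem and <dir>/<host>.pem.
make_demo_pki() {
  dir=$1 caname=$2
  shift 2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$caname" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  for host in "$@"; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/$host.pem" >/dev/null 2>&1
  done
}

# Offline walk-through: proxy1 shares Foreman's CA, proxy2 was issued by a different CA.
demo() {
  tmp=$(mktemp -d)
  make_demo_pki "$tmp/good"  "Demo Puppet CA" foreman.example.com proxy1.example.com
  make_demo_pki "$tmp/other" "Some Other CA"  proxy2.example.com
  if same_ca_check "$tmp/good/ca.pem" "$tmp/good/foreman.example.com.pem" "$tmp/good/proxy1.example.com.pem"; then
    echo "proxy1.example.com: same CA as Foreman, safe to add in the UI"
  fi
  if ! same_ca_check "$tmp/good/ca.pem" "$tmp/good/foreman.example.com.pem" "$tmp/other/proxy2.example.com.pem"; then
    echo "proxy2.example.com: issued by a different CA, Foreman will not trust it"
  fi
  rm -rf "$tmp"
}

demo
```

If `same_ca_check` fails on the real boxes, compare the CA files first (`openssl x509 -noout -fingerprint -in /var/lib/puppet/ssl/certs/ca.pem` on both hosts); a proxy that was installed all-in-one before being repointed will usually still be carrying its own locally generated CA rather than the one from the Foreman box.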