Foreman 1.22 test week

Foreman 1.22 RC has been announced!

It is the time again where we put our effort into making sure that all most important scenarios work. It’s easy to get your hands dirty and help us with testing:

  1. Install Foreman RC version (the most up to date one)
  2. Pick a scenario from this post or add your own scenario
  3. If you find an issue, file it in the RedMine and make a comment in this thread linking the issue
  4. Mark the scenario as checked in this OP (this is an editable wiki post), here is syntax of checked and unchecked lines (you can click on checkboxes directly with mouse):
    • Unchecked
    • [*] Checked
    • Checked (alternative syntax with no special semantics - both are equal)

You can start right away, the ideal timing is from Monday May 6th until Monday May 13th but feel free to put your effort anytime before the final release comes out.


  • Install Foreman using existing script/forklift/beaker
    • RHEL / CentOS latest stable version
    • Debian stable
    • Ubuntu stable LTS
  • Install Foreman manually by following our installation guide
    • RHEL / CentOS latest stable version
    • Debian stable
    • Ubuntu stable LTS
  • Upgrade existing Foreman deployment (advertise in RedMine it was an upgraded instance if you encounter bug)
    • [*] RHEL / CentOS latest stable version
    • Debian stable
    • Ubuntu stable LTS
  • Sanity checks
    • Installation on Red Hat distro with SELinux turned on
    • Packages passenger and tfm-rubygem-passenger are from the same repo (foreman) and in the same version
    • Logging in with a user that has limited permissions works properly


  • Bare-metal or virtualized PXE provisioning (host exits build mode and reboots)
    • [*] BIOS host with CentOS
    • [*] UEFI host with CentOS
    • [*] BIOS host with Debian or Ubuntu
    • UEFI host with Debian or Ubuntu
    • BIOS host with Atomic OS
  • Compute Resources (VM is successfully created, finish or cloud-init is executed)
    • [*] Create VMware host (Image Based/Network Based)
    • Create OpenStack host (Image Based)
    • Create Ovirt host (Image Based/Network Based)
    • [*] Create Libvirt host (Image Based/Network Based)
    • Creare AWS host (Image Based)
    • Create GCE host
  • Puppet manifest import (classes are imported, parameters recognized)
  • Puppet configuration (class is assigned to a host, agent performs changes, reports and facts appears correctly)
  • [*] Log in using user from LDAP (user account is created from LDAP)
  • Log in using user from FreeIPA (user account is created from FreeIPA)

Foreman Discovery

  • Bare-metal or virtualized provisioning via Provision - Customize Host (host exits build mode and reboots)
    • [*] BIOS with discovery from PXE
    • [*] UEFI with discovery from PXE
    • BIOS with discovery PXE-less
    • UEFI with discovery PXE-less
  • [*] Provision a host via discovery rule
  • [*] Provision a host via Customize UI button
  • Provision a host without hostgroup via Customize UI button
  • Provision a host via hammer via hostgroup
  • Provision a host via hammer via auto provisioning rule

Foreman Bootdisk

  • Bootdisk basic provisioning (host exits build mode and reboots)
    • [*] Full host image
    • [*] Host image
    • [*] Generic image
    • [*] Subnet image

Foreman Ansible

  • Import Roles
    • [*] With/From Smart-Proxy
  • Assign Roles
    • [*] Hostgroup
    • [*] Hosts
  • Play Roles
    • [*] Hostgroup
    • [*] Hosts
  • [*] Run shipped Ansible playbook (job), e.g. to install ansible role from galaxy

Foreman Remote Execution

  • [*] Run some job, e.g. ‘ls /etc’ on a system that was provisioned from Foreman, it should work out of the box
  • [*] Run some job against the Foreman host itself, only key configuration should be needed

Foreman Puppet run

  • [*] Trigger Puppet run on host through SSH

Foreman Openscap

  • [*] Create new content file, define a policy, assign it to a host and deploy the foreman_scap_client using puppet
  • [*] Verify ARF report gets uploaded upon foreman_scap_client run and full version of it can be rendered
  • [*] Create tailoring file, assign it to the policy and rerun client with the tailoring file

Foreman Virt Who Configure

  • [*] Create a configuration definition and run it e.g. through REX on some provisioned host. It should succeed as long as it has access to sat tools repo on RHEL, epel (I think) on centos.
    note: plugin works, the configuration requires new virt-who that is currently in fedora 30, not in epel

Foreman Templates

  • [*] hammer import-templates --lock true # sync newest templates from community-templates repo, see audits
  • [*] mkdir /repo; chown foreman /repo; hammer export-templates --repo /repo # may need setenforce 0

This page is a wiki, feel free to update it and add new scenarios as you test them.

I’ve installed 1.22 the same way as 1.21:

foreman-installer -v --scenario $SCENARIO \
  --foreman-organizations-enabled true \
  --foreman-locations-enabled true \
# ... couple of irrelevant options
  --foreman-proxy-puppet true \
  --foreman-proxy-puppetca true \
  --puppet-runmode none

However I am running into this issue when creating a new host:

2019-05-07T12:37:57 03379393 [E] Failed to remove certificate(s) for mac525400606001.nat.lan: uninitialized constant Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl::NotPresent

This is how /etc/foreman-proxy/settings.d/puppet.yml looks like:

# Puppet management
:enabled: https
# valid providers:
#   puppet_proxy_puppetrun   (for puppetrun/kick, deprecated in Puppet 3)
#   puppet_proxy_mcollective (uses mco puppet)
#   puppet_proxy_ssh         (run puppet over ssh)
#   puppet_proxy_salt        (uses salt
#   puppet_proxy_customrun   (calls a custom command with args)
#:use_provider: puppet_proxy_puppetrun

:puppet_version: 5.5.14


How does the configuration for puppetca look like? During my upgrade I recognized multiple changes for this feature, but have not started to dig deeper.


# PuppetCA management
# Can be true, false, or http/https to enable just one of the protocols
:enabled: https

# valid providers:
#   - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist)
#   - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
:use_provider: puppetca_hostname_whitelisting

# Puppet version used
:puppet_version: 5.5.14

In my case it also has the configuration for this provider and requires also the ssldir option for puppet_cert.


# Configuration of the PuppetCA hostname_whitelisting provider

:autosignfile: /etc/puppet/autosign.conf


:ssldir: /etc/puppetlabs/puppet/ssl
#:puppetca_use_sudo: true
#:sudo_command: /usr/bin/sudo

Perhaps one of these options is missing?

I have the very same.

Found a workaround - set environment, puppet master and ca to blank. However here is a patch that should show a little bit more about the error. Need to wait until @ekohl takes a look:

Setting the puppet master and ca to blank disables the entire integration so it’s no surprise that you don’t hit the error then.

I’ll see if I can replicate the error. To be clear, this happens when provisioning a host with Puppet, correct?

Yes, I’ve used installer parameters which were previously working on 1.21.

foreman-installer -v --scenario $SCENARIO \
  --foreman-organizations-enabled true \
  --foreman-locations-enabled true \
  --foreman-initial-organization=$ORG \
  --foreman-initial-location=$LOC \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh \
  --enable-foreman-plugin-openscap --enable-foreman-proxy-plugin-openscap \
  --foreman-proxy-http=true \
  --foreman-proxy-dns true \
  --foreman-proxy-dns-interface $NICDEV \
  --foreman-proxy-dns-forwarders 192.168.${NATLAN}.1 \
  --foreman-proxy-dns-zone nat.lan \
  --foreman-proxy-dns-reverse ${NATLAN} \
  --foreman-proxy-dhcp true \
  --foreman-proxy-dhcp-interface $NICDEV \
  --foreman-proxy-dhcp-gateway=192.168.${NATLAN}.1 \
  --foreman-proxy-dhcp-range="192.168.${NATLAN}.10 192.168.${NATLAN}.109" \
  --foreman-proxy-dhcp-nameservers="192.168.${NATLAN}.${IP}" \
  --foreman-proxy-tftp true \
  --foreman-proxy-tftp-servername=192.168.${NATLAN}.${IP} \
  --foreman-proxy-puppet true \
  --foreman-proxy-puppetca true \
  --puppet-runmode none \
  --foreman-proxy-templates true \
  --foreman-proxy-logs true \
  --foreman-proxy-register-in-foreman true

Discovery and Bootdisk sanity checks done, Iooks good. I’d appreciate any kind of end-to-end testing including PXE-less.

Upgrade from 1.21.1 to 1.22 returned some errors.

I’ve created Bug #26823: PuppetCA command line implementation fails with uninitialized constant Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl::NotPresent - Smart Proxy - Foreman with a PR to fix it:

1 Like