Foreman and Smart-proxy-only install issues


after a time doing other stuff, I’m back playing with different kind of foreman architecture layout/setup.

Reminder :

My ultimate goal is to provision an CentOS-6 HPC cluster with foreman (1.18 at the moment) and its discovery plugin, then, as soon as possible, go on with configuration with ansible (driven by Foreman or not).
So basically, I want Foreman to manage pxe, discovery, dhcp, dns and initial OS install/setup.

The main diffculty in my case is that the cluster compute nodes are on a private and non-routed and not NATed subnet, which makes a lot of normally trivial install tasks quite a burden. Only admin nodes (submit, scheduler and accounting) have dual nics, one of which in a public routed subnet.

I haven’t played yet with discovery plugin yet.

I did succeed in setting up a foreman and its Smart Proxies on the same dual nic (one public/one private) host and I “owe” you some kind of digest/documentation/blog post :wink: about that and what I digged on the way.

However, since I’ve been told right here that, though feasible, it was not fully supported, I was interested to see what the opposite setup would do. It turns out that, in my specific case, it is much harder to achieve. I’m still not here yet.

I’m talking about trying to setup :

  • one dual nic (private/public subnets) host running a foreman only server
  • one single nic (private subnet) host running Smart proxies only

Here’s what I did and what I’m still wrapping my head around :

What went right

The foreman only part went smooth : usual system config and ``foreman-installer --no-enable-foreman-proxy`

What caused some burden but could be worked around

for the smart proxy only I had to :

  • tweak sssd a little (a certificate issue which has nothing to do with foreman but is part of the burden of not being “able” to make a multi-host install)

  • clone locally some public repos (because the host in the private non-routable network has no access to them) :

puppet5.repo, foreman.repo, foreman-plugins.repo, foreman-rails.repo, CentOS-SCLo-scl-rh.repo (actually only rh-ruby24 for foreman-cli I think)

with the issue that some meta-packages re-install the public repo :

for instance

yum -y install puppet5-release.noarch left my local repo and created a puppet5.repo.rpmnew but

yum -y install foreman-release will override my local repo renaming it to foreman.repo.rpmorig, which I have to revert manually

I don’t know if it should be considered a bug or not

After that I’ve been able to do

yum -y install foreman-release
yum -y install foreman-installer

Things that didn’t work

I did

foreman-installer \
--no-enable-foreman \
--enable-foreman-cli \
--no-enable-foreman-plugin-bootdisk \
--no-enable-foreman-plugin-setup \
--enable-puppet \
--enable-foreman-proxy \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-managed=true \
--foreman-proxy-dhcp-interface=eth0 \
--foreman-proxy-dhcp-subnets="" \
--foreman-proxy-dhcp-gateway="" \
--foreman-proxy-dhcp-range="" \
--foreman-proxy-tftp=true \
--foreman-proxy-tftp-managed=true \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-interface=eth0 \ \
--foreman-proxy-bmc=true \
--foreman-proxy-foreman-base-url= \ \
--foreman-proxy-oauth-consumer-key="XXX" \

but it failed because it tried to add foreman-proxy user to the named and (non existent) puppet group.

change from to 'named,puppet' failed: Could not set groups on user[foreman-proxy]

as a “workaround” (not sure of its effect) I added --foreman-proxy-puppet-group="named"

Then it “worked” until another issue :

Sep 13 16:27:18 smart-proxy[16092]: Errors detected on startup, see log for details. Exiting: Permission denied - /etc/puppetlabs/puppet/ssl/private_keys/

as a matter of fact this directory is not owned by the puppet user. In fact no puppet user has been created and I’m not really sure why.

Obviously my understanding of the Puppet module is limited. So this raises the following questions :

  • what exactly is the purpose of the puppet module (turn the host in a puppet ENC ?)
  • does it make sens on a Smart Proxy only ?
  • is the puppet group not found a bug or is it because my setup is bogus ?


obviously the foreman server and the smartproxy need to communicate through https thus the need of a certifcate but I’m not sure

  • if the smartproxy needs one (and if yes which one) or just the CA to check the foreman server certificate
  • or if it is the other way around
  • and/or if the certificates involved are the same as the one used by puppet (which I’m not sure where they are : /etc/puppetlabs/puppet/ssl/certs ?)

Can you help me understand all those things ?



As a quick note :

on the foreman-only server :

  • puppet5-release-5.0.0-1.el7.noarch
  • puppet-agent-5.5.6-1.el7.x86_64
  • puppetserver-5.3.5-1.el7.noarch

on the smart-proxy-only server :

  • puppet-agent-5.5.4-1.el7.x86_64
  • puppet-agent-oauth-0.5.1-3.el7.noarch
  • puppet5-release-5.0.0-1.el7.noarch