Foreman Community Demo #110

Every few weeks we host a Community Demo to showcase new & interesting developments from the Foreman community. We encourage participation from any member of the community (although you do need a Google account), so if you’ve been working on something cool, please do come show it off.

This post is a wiki, so if you have something to show, add yourself to this table!

Expected In

We’ve added a new column to indicate the release in which community members might expect the feature that is being demoed to appear. This column should be taken as a guide rather than gospel. Unforeseen circumstances might drag a feature out a release or two. The best way to know for sure what is in a release is to check out the release announcement!

If you have any feedback about the change to the format, feel free to comment here.

Depending on where it would be a better fit, please add yourself to one of the following tables:

Foreman user-focused demos

Foreman developer-focused demos

Speaker | Time | Topic | Redmine issue | Expected in version
@lstejskal | 3 mins | Rails 6.1 | #34526, community post | 3.4

Tomorrow we will host another live community demo!
Please sign up!

Link to the livestream for later today!

It’s not too late to sign up!


Performance Tuning Guide: feel free to open issues or create PRs on


Community Demo 110 summary

Here is a transcript of Foreman Community Demo 110!
This is a wiki. Please correct my notes if you see I’ve drifted into fiction at any point.

Upgrade your Foreman to EL8! @evgeni

If you’re on Foreman 3.2 or 3.3, you can upgrade your Foreman from EL7 to EL8 in-place.
You can only do it during these two releases; after that you’ll have to redeploy everything.

Evgeni walked us through each step of the upgrade, including the prerequisites.

Documentation on this process is in progress and if you have any issues, please post to the community so that we can understand the issue and look for a solution.

Ansible Tab bug fixes @Ron_Lavi

If you go to the new host details page, there was an issue when you tried to assign new roles. Any new roles added with the menu were reset after a few minutes.
When you only had one role, you couldn’t edit or add new roles.

Ron would like further feedback about the Ansible workflows in the new host page, so please let us know what you think of the experience so far.

Reports tab @Ron_Lavi

There is a new Puppet tab with additional subtabs.
The reports tab that has been previously demoed has been reused and will also be used for Ansible reports.
Take a look at Puppet reports and let us know whether it meets your expectations.

Update to the Foreman readme file on github @nofaralfasi

Nofar has added updated Foreman screenshots to update the readme so as to provide updated examples.

Remote Execution Pull Provider overview and Quickstart @aruzicka

At the previous community demo, Adam introduced the Remote Execution Pull Provider. At this demo, he showed us more progress and explained the workflow.

Historically, Foreman used SSH for Remote Execution.
Foreman would delegate a job to a Smart Proxy and would run a job on the host over an SSH connection.

With the addition of the Remote Execution Pull Provider, jobs can now be run via a different mode.

In Pull MQTT mode, all connections are initiated by the remote client. There are no outgoing connections made from the Smart Proxy to the client.
Foreman still delegates the job to the Smart Proxy.
The Smart Proxy notifies the target host via MQTT.

Once the target host is notified, it pulls the job and runs it.

From the user perspective, everything should just work as before.
The pull mode is only applicable to script-provider jobs.
Ansible will always use SSH.
The only thing that does not work the same way or may not work at all is setting a connection user.
In the pull-mqtt mode, we are not opening any connection as a user.
On the Proxy side, when the Proxy is configured in the Pull MQTT mode, the proxy runs an MQTT broker.
When the proxy receives a job from Foreman, it stores it, notifies the host over MQTT, and waits for the host to run the job.

On the client side, there are a few new things.
The clients now run yggdrasil - an upstream project for Red Hat’s RHC. It runs a Foreman worker that knows how to do the Foreman operations.
yggdrasil connects to MQTT and waits for a message.

yggdrasil passes the message to a Foreman worker.
The Foreman worker downloads the job to run over HTTPS from the Smart Proxy, runs the script and sends updates to the Smart Proxy.

Issues to look out for:

Since the mode is configured on a per-Smart Proxy basis, if you have two proxies, one configured for SSH and one using the new mode, and the hosts are able to connect to both Proxies, you might use both SSH and the new Pull Provider to run the job, and from Foreman you cannot tell.

Sometimes it might use one method one time and another method another time.

Effective user:

Everything that the Foreman worker uses runs as root.
If you ever need to run the script as a different user, you have to use su or sudo in the job template itself. Currently you have to do it on your own.
We might add additional support for it at a later stage but for now you have to manually set that up.

This is all available on Foreman nightly and will hopefully be on Foreman 3.3 soon.

User set up to use the Foreman REX Pull Provider:

On the Foreman side, Foreman doesn’t know, so nothing changes here.

Smart Proxy - user actions:

Use the foreman-installer to set up everything for the Smart Proxy by passing the following argument with foreman-installer:

foreman-installer --foreman-proxy-plugin-remote-execution-script-mode=pull-mqtt

Client side setup:

We rely on certificates to ensure that hosts are only able to pick up jobs that belong to them in a secure manner.
There’s no way to use the REX Pull Provider without certificates.
You need to install certificates and configure them with yggdrasil.

If you use Katello:
You can use the Katello entitlement certificates
You can even use Katello’s katello-pull-transport-migrate certificate
This takes info from subscription management and configures with yggdrasil.
Adam demoed how to set everything up on a Rocky Linux 8.6 host.

Foreman with Puppet:

You can use Puppet certificates but there is no quick script to set it all up.

Foreman without Katello or Puppet:

You need to obtain certificates from somewhere.
You need to configure yggdrasil to use the certificates.

For non-Red Hat flavoured Linux clients, there are no official builds yet.

You might want to pull the workers from the static binaries and run them.

Non-Intel and non-Linux platforms:

Installation from source is probably your only option.

Areas for improvement:

  • setup to be part of global host registration.
  • make it so that it is automatically configured as part of host provisioning.
  • make Ansible/SSH deploy the pull provider to hosts

Changing Content Source for a host @lstejskal

Leos demoed how it is now possible to change a content source for a host from the new hosts page.
From the host’s page, you are redirected to a page where you can specify the new lifecycle environment, content view and content source.

Alternative Content Sources @iballou

Ian introduced alternative content sources a few demos ago and came back to show them in Katello.

If you’ve a repo in Katello, it’ll take the repodata from the repository and will download RPMs from the repository. If you want the data to come from somewhere else, you can tell Katello to download the RPMs from somewhere else.

For example, you can have an alternative content source closer to your Smart Proxy to download content more quickly.

Ian demoed how the alternative content source actually downloads from an alternative location.

Ian demoed creating an alternative content source with hammer and also via the Foreman web UI.
He also demoed updating the Smart Proxy with the alternative content source for syncing.

Registration details card @cintrix84

Chris demoed a new card that has been added to the host details page.
If you select a host and then click the details tab, you can find a new card called Registration details.
Unfortunately there were environmental issues so we didn’t get to see that the registration card pulls in information about the activation key that was used to register it.

Performance Tuning Guide on @maximilian

Maximilian from ATIX came along to tell us about the results of his efforts with the Satellite Performance Tuning Guide.

You can now find an open-sourced version of the Satellite Performance Tuning Guide in the foreman-documentation repo.
You can help us with this by contributing your deployment’s configuration and sharing your feedback on tuning with us. Please share with us how you tune your deployment so that others can benefit and improve their Foreman experience also.

Developer updates: Rails 6.1 @lstejskal

Leos gave an update about his efforts around the Rails 6.1 upgrade. He posted an open appeal to plugin maintainers in the community as the update to Rails 6.1 will certainly break things for some of the plugins. This PR was merged yesterday. Any issues, let us know.

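The summary above lists two Remote Execution Pull Provider caveats: hosts that can reach both an SSH-mode and a pull-mqtt-mode Smart Proxy, and jobs that run as root in pull mode. The following is an added example, not code from the demo or from the Foreman project, that audits a constructed inventory for both. All host and proxy names, the inventory layout and the `requested_user` field are assumptions made for illustration.

```python
# Constructed inventory: the remote-execution mode of each Smart Proxy and
# the proxies each host can reach. All names are hypothetical.
PROXY_MODES = {
    "proxy-a.example.test": "ssh",
    "proxy-b.example.test": "pull-mqtt",
    "proxy-c.example.test": "pull-mqtt",
}
HOST_PROXIES = {
    "web01.example.test": ["proxy-a.example.test", "proxy-b.example.test"],
    "db01.example.test": ["proxy-b.example.test", "proxy-c.example.test"],
    "app01.example.test": ["proxy-a.example.test"],
}
# Constructed job list; "requested_user" is a hypothetical field holding the
# user the operator expects the job to run as.
JOBS = [
    {"name": "restart-nginx", "provider": "script", "requested_user": "deploy",
     "hosts": ["web01.example.test", "app01.example.test"]},
    {"name": "patch-db", "provider": "script", "requested_user": "root",
     "hosts": ["db01.example.test"]},
    {"name": "site-play", "provider": "ansible", "requested_user": "deploy",
     "hosts": ["db01.example.test"]},
]


def host_modes(host):
    """Set of remote-execution modes offered by the proxies a host can reach."""
    return {PROXY_MODES[p] for p in HOST_PROXIES.get(host, []) if p in PROXY_MODES}


def ambiguous_hosts():
    """Hosts whose jobs could travel over either SSH or pull-mqtt."""
    return sorted(h for h in HOST_PROXIES if len(host_modes(h)) > 1)


def root_surprises():
    """(job, host) pairs where a script job expects a non-root user but may be
    delivered through pull-mqtt, where the worker runs everything as root."""
    findings = []
    for job in JOBS:
        # Ansible always uses SSH, and root jobs behave the same in both modes.
        if job["provider"] != "script" or job["requested_user"] == "root":
            continue
        for host in job["hosts"]:
            if "pull-mqtt" in host_modes(host):
                findings.append((job["name"], host))
    return findings


if __name__ == "__main__":
    print("mixed-mode hosts:", ambiguous_hosts())
    print("may run as root unexpectedly:", root_surprises())
```

Jobs flagged by `root_surprises()` are the ones whose templates need an explicit su or sudo, as the notes describe.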