Community Demo 110 summary
Here is a transcript of Foreman Community Demo 110!
This is a wiki. Please correct my notes if you see I’ve drifted into fiction at any point.
If you’re on Foreman 3.2 or 3.3, you can upgrade your Foreman from EL7 to EL8 in-place.
You can only do it during these two releases, after that you’ll have to redeploy everything.
Evgeni walked us through each step of the upgrade, including the prerequisites.
Documentation on this process is in progress and if you have any issues, please post to the community so that we can understand the issue and look for a solution.
If you go to the new host details page
There was an issue when you tried to assign new roles. Any new roles added with the menu were reset after a few minutes.
When you only have one role, you couldn’t edit or add new roles.
Ron would like further feedback about the Ansible workflows in the new host page, so please let us know what you think of the experience so far.
There is a new Puppet tab with additional subtabs.
The reports tab that has been previously demoed has been reused and will be used also for Ansible reports.
Take a look at Puppet reports and let us know does it meet your expectations.
Nofar has added updated Foreman screenshots to update the readme so as to provide updated examples.
At the previous community demo, Adam introduced the Remote Execution Pull Provider. At this demo, he showed us more progress and explained the workflow.
Historically, Foreman used SSH for Remote Execution.
Foreman would delegate a job to a Smart Proxy and would run a job on the host over an SSH connection.
With the addition of the Remote Execution Pull Provider, jobs can now be run via a different mode.
Pull MQTT mode all connections are initiated by the remote client. There are no outgoing connections made from the Smart Proxy to the client.
Foreman still delegates the job to the Smart Proxy.
The Smart Proxy notifies the target host via MQTT.
Once the target host is notified, it pulls the job and runs it.
From the user perspective, everything should just work as before.
The pull mode is only applicable to script-provider jobs.
Ansible will always use SSH.
The only thing that does not work the same way or may not work at all is setting a connection user.
In the pull-mqtt mode, we are not opening any connection as a user.
On the Proxy side, when the Proxy is configured in the Pull MQTT mode, the proxy runs an MQTT broker.
When proxy receives a job from Foreman, it stores it and notifies the host over MQTT, waits for the host to run the job.
On the client side, there are a few new things.
The clients now run yggdrasil - an upstream project for Red Hat’s RHC. It runs a Foreman worker that knows how to do the Foreman operations.
yggdrasil connects to MQTT and waits for a message.
yggdrasil passes the message to a Foreman worker.
The Foreman worker downloads the job to run over HTTPS from the Smart Proxy, runs the script and sends updates to the Smart Proxy.
Issues to look out for:
mode is configured on a per-Smart Proxy basis, if you have two proxies, one configured for SSH and one using the new mode, and the hosts are able to connect to both Proxies, you might use both SSH and the new Pull Provider to run the job and from Foreman you cannot tell.
Sometimes it might use one method one time and another method another time.
Everything that the Foreman worker uses runs as root.
If you ever need to run the script as a different user, you have to use su or sudo in the job template itself. Currently you have to do it on your own.
We might add additional support for it at a later state but for now you have to manually set that up.
This is all available on Foreman nightly and will hopefully be on Foreman 3.3 soon.
User set up to use the Foreman REX Pull Provider:
On the Foreman side, Foreman doesn’t know so there is nothing changes here.
Smart Proxy - user actions:
Use the foreman-installer to set up everything for the Smart Proxy by passing the following argument with foreman-installer:
Client side setup:
We rely on certificates to ensure that hosts are only able to pick up jobs that belong to them in a secure manner.
There’s no way to use the REX Pull Provider without certificates.
You need to install certificates and configure them with yggdrasil.
If you use Katello:
You can use the Katello entitlement certificates
You can even use Katello’s katello-pull-transport-migrate certificate
This takes info from subscription management and configures with yggdrasil.
Adam demoes how to set everything up on a Rocky Linux 8.6 host.
Foreman with Puppet:
You can use Puppet certificates but there is no quick script to set it all up.
Foreman without Katello or Puppet:
You need to obtain certificates from somewhere.
You need to configure yggdrasil to use the certificates.
For non-Red Hat flavoured Linux clients, there are no official builds yet.
You might want to pull the workers from the static binaries and run them.
Non-Intel and non-Linux platforms:
Installation from source is probably your only option.
Areas for improvement:
- setup to be part of global host registration.
- make it so that it is automatically configured as part of host provisioning.
- make Ansible/SSH deploy the pull provider to hosts
Leos demoed how it is now possible to change a content source for a host from the new hosts page.
From the host’s page, you are redirected to a page where you can specify the new lifecycle environment, content view and content source.
Ian introduced alternative content sources a few demos ago and came back to show them in Katello.
If you’ve a repo in Katello, it’ll take the repodata from the repository and will download RPMs from the repository. If you want the data to come from somewhere else, you can tell Katello to download the RPMs from somewhere else.
For example, you can have an alternative content source closer to your Smart Proxy to download content more quickly.
Ian demoed how the alternative content source actually downloads from an alternative location.
Ian demoed creating an alternative content source with hammer and also via the Foreman web UI.
He also demoed updating the Smart Proxy with the alternative content source for synching.
Chris demoed a new card that has been added to the host details page.
If you select a host and then click the details tab, you can find a new card called Registration details.
Unfortunately there were environmental issues so we didn’t get to see that the registration card pulls in information about the activation key that was used to register it.
Maximilian from ATIX came along to tell us about the results of his efforts with the Satellite Performance Tuning Guide.
You can now find an open-sourced version of the Satellite Performance Tuning Guide in the foreman-documentation repo.
You can help us with this by contributing your deployment’s configuration and share with us feedback on tuning. Please share with us how you tune your deployment so that others can benefit and improve their Foreman experience also.
Leos gave an update about his efforts around the Rails 6.1 upgrade. He posted an open appeal to plugin maintainers in the community as the update to Rails 6.1 will certainly break things for some of the plugins. This PR was merged yesterday. Any issues, let us know.