Foreman/Katello deployment

Hi everyone, could you share with me which version of Foreman/Katello you are using in your production environment? Right now I am using F2.3/K3.18 on CentOS 7 and testing F3.0/K4.2 on the same OS version. Another thing I want to test is using PostgreSQL 12 + Zalando/Patroni HA cluster as a Foreman/Katello backend. What do you think about that?


One thought does come to mind: I think the downstream products will move from K3.18 to K4.1, so you could consider mirroring that step since it will naturally receive a lot of testing and attention. Instead of going straight to K4.2 that is.

Thanks for the reply, that makes perfect sense, but what about the database backend? Is it worth trying with Zalando/Patroni, or are there some limitations? Is it a good idea to move the pulpcore DB to an external host, or would it be better to leave it on the Foreman/Katello server and only move the candlepin and foreman DBs to an external node? The install docs talk only about those two, but I am curious about the reasons.

Since I have little experience about Foreman with HA and separate DB, I will just ping @Justin_Sherrill who may be able to help (or at least ping the right person).

I see that the current installation docs have been updated and now all point to installing all three databases (foreman/candlepin/pulpcore) on an external node. Unfortunately, I did not have time to test the PostgreSQL 12 + Zalando/Patroni HA cluster.

Another question is whether I can safely disable proxy content:
--foreman-proxy-content-enable-docker=false
--foreman-proxy-content-enable-ansible=false
--foreman-proxy-content-enable-deb=false
--foreman-proxy-content-enable-file=false
new in F3.1/K4.3:
--foreman-proxy-content-enable-python=false
--foreman-proxy-content-enable-ostree=false

if I do not plan to use them? The same applies to:
--no-enable-puppet
--foreman-proxy-puppet false
--foreman-proxy-puppetca false

but I am considering setting up a load balancer proxy, and I am not sure if that is required on the master server?

Thanks.

Hello Foreman/Katello community

Smart proxy installation error. I will follow that doc: Configuring Smart Proxies with a Load Balancer

I was able to install F3.1/K4.3:
foreman-installer --scenario katello \
  -l DEBUG \
  --foreman-initial-organization="$ORGANIZATION" \
  --foreman-initial-location="$LOCATION" \
  --foreman-initial-admin-username="$ADMIN_USER" \
  --foreman-initial-admin-password="$ADMIN_PASSWORD" \
  --foreman-initial-admin-email="$ADMIN_EMAIL" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-templates \
  --foreman-plugin-tasks-automatic-cleanup="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-ansible="false" \
  --foreman-proxy-content-enable-deb="false"

I generated certs on Katello:
foreman-proxy-certs-generate \
  --foreman-proxy-fqdn $SMART_PROXY \
  --certs-tar $SMART_PROXY_CERTS_TAR \
  --foreman-proxy-cname $SMART_PROXY_CNAME

But when I try to install foreman-proxy-content with default SSL without Puppet:
foreman-installer --scenario foreman-proxy-content \
  -l DEBUG \
  --certs-tar-file="/root/$SMART_PROXY_CERTS_TAR" \
  --certs-cname="$SMART_PROXY_CNAME" \
  --foreman-proxy-puppetca="true" \
  --puppet-server-ca="true" \
  --puppet-ca-server="$SMART_PROXY" \
  --puppet-dns-alt-names="$SMART_PROXY_CNAME" \
  --puppet-server-foreman-url="https://$KATELLO" \
  --foreman-proxy-register-in-foreman="true" \
  --foreman-proxy-foreman-base-url="https://$KATELLO" \
  --foreman-proxy-trusted-hosts="$KATELLO" \
  --foreman-proxy-trusted-hosts="$SMART_PROXY" \
  --foreman-proxy-oauth-consumer-key="$KATELLO_KEY" \
  --foreman-proxy-oauth-consumer-secret="$KATELLO_SECRET" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-ansible="false" \
  --foreman-proxy-content-enable-deb="false"

I ran into an issue:
[configure] Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist

So I added that group and hit another issue:

[configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sp1.lan]/features: change from ["Logs", "Pulpcore", "Registration", "TFTP", "Templates"] to ["Dynflow", "Logs", "Pulpcore", "Puppet CA", "Registration", "TFTP", "Templates"] failed: Proxy sp1.lan has failed to load one or more features (Puppet CA), check /var/log/foreman-proxy/proxy.log for configuration errors

Am I missing something to get that working?

I am referring to the docs.theforeman.org LB configuration with default certs without Puppet.

OK, another day. I am just curious: if Puppet is disabled by default in the katello scenario and we use the command:
foreman-proxy-certs-generate \
  --foreman-proxy-fqdn $SMART_PROXY \
  --certs-tar $SMART_PROXY_CERTS_TAR \
  --foreman-proxy-cname $SMART_PROXY_CNAME
to generate certificates for smart proxy:
apache.crt
foreman-client.crt
foreman-proxy-client.crt
foreman-proxy.crt
puppet-client.crt
qpid-broker.crt
qpid-router-client.crt
qpid-router-server.crt

Do we need PuppetCA on smart proxy?
I was able to install two smart proxies without any issue.
For the LB I am using HAProxy, with the config from the forklift repo.

Those are the magic options which I used (same for sp1 and sp2):
foreman-installer --scenario foreman-proxy-content \
  -l DEBUG \
  --certs-tar-file="/root/$SMART_PROXY_CERTS_TAR" \
  --foreman-proxy-register-in-foreman="true" \
  --foreman-proxy-foreman-base-url="https://$KATELLO" \
  --foreman-proxy-trusted-hosts="$KATELLO" \
  --foreman-proxy-trusted-hosts="$SMART_PROXY" \
  --foreman-proxy-oauth-consumer-key="$KATELLO_KEY" \
  --foreman-proxy-oauth-consumer-secret="$KATELLO_SECRET" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-deb="false" \
  --certs-cname "$SMART_PROXY_CNAME" \
  --enable-foreman-proxy-plugin-remote-execution-ssh

I was able to sync CentOS7/Stream8/Rocky8.
I made the dummy smart proxy pointing to the LB server.
I set the subnets and assigned that proxy.

For now I have just tested CentOS7, and using the bootdisk generated from the UI I was able to provision that VM.

With one of the two smart proxies disabled, I was able to sync repos without any issue to a VM which is registered to the dummy proxy like this:

yum -y localinstall http://$SMART_PROXY_CNAME/pub/katello-ca-consumer-latest.noarch.rpm

subscription-manager register --org=$ORG --serverurl=https://$SMART_PROXY_CNAME:8443/rhsm --baseurl=https://$SMART_PROXY_CNAME/pulp/content --activationkey centos-7

I do not see any error logs (debug option enabled on both) in
/var/log/foreman/production.log
/var/log/foreman-proxy/proxy.log

The strangest thing is that when I first synced the proxies some dirs were missing and I had to sync one more time, but I used Complete sync and everything showed up on the smart proxies.

Any comments are appreciated.
Thanks
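
Added example, not part of the original posts or the Foreman project's tooling: the installs above pass the load balancer name via --foreman-proxy-cname / --certs-cname, and clients register against https://$SMART_PROXY_CNAME, so each proxy's server certificate has to be valid for both its own FQDN and the CNAME. The check below assumes you have that certificate as a PEM file; the function names and the name lb.lan are hypothetical, and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: verify a smart proxy certificate is valid for every name
# clients will use (the proxy FQDN and the load balancer CNAME).

# cert_covers_names CERT NAME...
# Prints one line per name; returns 0 only if the cert matches every name.
cert_covers_names() {
    cert=$1; shift
    rc=0
    for name in "$@"; do
        # -checkhost applies normal TLS hostname matching (SAN, wildcards).
        if openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match certificate'; then
            echo "OK      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# make_sample_cert OUT NAME...
# Constructed test input: throwaway self-signed cert with the given DNS SANs
# (needs OpenSSL 1.1.1 or newer for -addext).
make_sample_cert() {
    out=$1; shift
    san=
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out" \
        -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null &&
        rm -f "$out.key"
}

# Usage: sh check-cert.sh CERT.pem "$SMART_PROXY" "$SMART_PROXY_CNAME"
if [ "$#" -ge 2 ]; then
    cert_covers_names "$@"
fi
```

A MISSING line for the CNAME means clients going through the load balancer would fail hostname verification against that proxy, assuming the load balancer passes TLS through to the proxies (the thread does not show the HAProxy config).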