Foreman/Katello deployment

Hi everyone, could you share with me which version of Foreman/Katello you are using in a production environment? Right now I am using F2.3/K3.18 on CentOS 7 and testing F3.0/K4.2 on the same OS version. Another thing I want to test is using a PostgreSQL 12 + Zalando/Patroni HA cluster as the Foreman/Katello backend; what do you think about that?


One thought does come to mind: I think the downstream products will move from K3.18 to K4.1, so you could consider mirroring that step since it will naturally receive a lot of testing and attention. Instead of going straight to K4.2 that is.

Thanks for the reply, that makes perfect sense, but what about the database backend? Is it worth trying with Zalando/Patroni, or are there some limitations? Is it a good idea to move the pulpcore DB to an external host, or would it be better to leave that on the Foreman/Katello server and only move the candlepin and foreman DBs to an external node? The install docs only talk about those two, but I am curious about the reasons.

Since I have little experience about Foreman with HA and separate DB, I will just ping @Justin_Sherrill who may be able to help (or at least ping the right person).

I see that the current installation docs have been updated and now all point to installing all three databases (foreman/candlepin/pulpcore) on an external node; unfortunately I did not have time to test a PostgreSQL 12 + Zalando/Patroni HA cluster.

Another question is whether I can safely disable proxy content:
--foreman-proxy-content-enable-docker=false
--foreman-proxy-content-enable-ansible=false
--foreman-proxy-content-enable-deb=false
--foreman-proxy-content-enable-file=false
new in F3.1/K4.3
--foreman-proxy-content-enable-python=false
--foreman-proxy-content-enable-ostree=false

if I do not plan to use that? The same applies to:
--no-enable-puppet
--foreman-proxy-puppet false
--foreman-proxy-puppetca false

but I am considering setting up a load balancer proxy and I am not sure if that is required on the master server?

Thanks.

Hello Foreman/Katello community

Smart proxy installation error. I am following this doc: Configuring Smart Proxies with a Load Balancer

I was able to install F3.1/K4.3 with:
foreman-installer --scenario katello \
  -l DEBUG \
  --foreman-initial-organization="$ORGANIZATION" \
  --foreman-initial-location="$LOCATION" \
  --foreman-initial-admin-username="$ADMIN_USER" \
  --foreman-initial-admin-password="$ADMIN_PASSWORD" \
  --foreman-initial-admin-email="$ADMIN_EMAIL" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-templates \
  --foreman-plugin-tasks-automatic-cleanup="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-ansible="false" \
  --foreman-proxy-content-enable-deb="false"

I generated the certs on the Katello server:
foreman-proxy-certs-generate \
  --foreman-proxy-fqdn "$SMART_PROXY" \
  --certs-tar "$SMART_PROXY_CERTS_TAR" \
  --foreman-proxy-cname "$SMART_PROXY_CNAME"

But when I try to install foreman-proxy-content with default SSL and without puppet:
foreman-installer --scenario foreman-proxy-content \
  -l DEBUG \
  --certs-tar-file="/root/$SMART_PROXY_CERTS_TAR" \
  --certs-cname="$SMART_PROXY_CNAME" \
  --foreman-proxy-puppetca="true" \
  --puppet-server-ca="true" \
  --puppet-ca-server="$SMART_PROXY" \
  --puppet-dns-alt-names="$SMART_PROXY_CNAME" \
  --puppet-server-foreman-url="https://$KATELLO" \
  --foreman-proxy-register-in-foreman="true" \
  --foreman-proxy-foreman-base-url="https://$KATELLO" \
  --foreman-proxy-trusted-hosts="$KATELLO" \
  --foreman-proxy-trusted-hosts="$SMART_PROXY" \
  --foreman-proxy-oauth-consumer-key="$KATELLO_KEY" \
  --foreman-proxy-oauth-consumer-secret="$KATELLO_SECRET" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-ansible="false" \
  --foreman-proxy-content-enable-deb="false"

I run into this issue:
[configure] Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist

so I added that group and got another issue:

[configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sp1.lan]/features: change from ["Logs", "Pulpcore", "Registration", "TFTP", "Templates"] to ["Dynflow", "Logs", "Pulpcore", "Puppet CA", "Registration", "TFTP", "Templates"] failed: Proxy sp1.lan has failed to load one or more features (Puppet CA), check /var/log/foreman-proxy/proxy.log for configuration errors

Am I missing something to get that working?

I am referring to the docs.theforeman.org LB configuration with default certs and without puppet.
OK, another day. I am just curious: if puppet is disabled by default in the katello scenario and we use the command:
foreman-proxy-certs-generate \
  --foreman-proxy-fqdn "$SMART_PROXY" \
  --certs-tar "$SMART_PROXY_CERTS_TAR" \
  --foreman-proxy-cname "$SMART_PROXY_CNAME"
to generate the certificates for the smart proxy:
apache.crt
foreman-client.crt
foreman-proxy-client.crt
foreman-proxy.crt
puppet-client.crt
qpid-broker.crt
qpid-router-client.crt
qpid-router-server.crt

Do we need PuppetCA on smart proxy?
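An added example, not from this thread or from the Foreman project, to check the one property that a load-balanced smart proxy's certificate must have before clients can register through https://$SMART_PROXY_CNAME: the certificate must list the load balancer CNAME as a DNS subject alternative name and must chain to the Katello CA. The script builds a throwaway CA and two proxy certificates with constructed names (sp1.lan, lb.lan), one with the CNAME in the SAN and one without, so it runs offline; openssl is assumed to be installed. On a real install you would run cert_has_san and cert_chain_ok against the foreman-proxy.crt and the CA extracted from the certs tar instead of the demo files.

```shell
#!/bin/sh
# Added example, not from the thread or the Foreman project.
# Verifies that a smart proxy certificate covers the load balancer CNAME
# (as a DNS SAN) and chains to the CA. Assumes openssl is installed.
# The hostnames and certificates below are constructed for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PROXY_FQDN="sp1.lan"   # constructed smart proxy FQDN
LB_CNAME="lb.lan"      # constructed load balancer CNAME

# Throwaway CA standing in for the Katello server CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Proxy certificate whose SAN lists both the FQDN and the CNAME, which is
# the shape a certificate generated with --foreman-proxy-cname should have.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$PROXY_FQDN" \
  -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s,DNS:%s\n' "$PROXY_FQDN" "$LB_CNAME" > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/proxy.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/proxy.crt" 2>/dev/null

# A second certificate without any SAN, to show what a certificate generated
# without the CNAME looks like to a client that connects via the LB name.
openssl x509 -req -days 1 -in "$WORK/proxy.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/proxy-nocname.crt" 2>/dev/null

# cert_has_san CERT NAME: succeed if NAME appears as a DNS SAN in CERT.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}

# cert_chain_ok CERT CAFILE: succeed if CERT verifies against CAFILE.
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_lb_cert CERT CAFILE FQDN CNAME: everything a client behind the LB relies on.
check_lb_cert() {
  cert_has_san "$1" "$3" && cert_has_san "$1" "$4" && cert_chain_ok "$1" "$2"
}

# Stand-alone run: report both demo certificates.
for c in proxy.crt proxy-nocname.crt; do
  if check_lb_cert "$WORK/$c" "$WORK/ca.crt" "$PROXY_FQDN" "$LB_CNAME"; then
    echo "$c: OK, covers $PROXY_FQDN and $LB_CNAME and chains to the CA"
  else
    echo "$c: FAIL, missing SAN or bad chain"
  fi
done
```

The chain check alone passes for both demo certificates; only the SAN check tells the two apart, which is why a proxy that installs cleanly can still be rejected by clients that connect through the CNAME.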
I was able to install two smart proxies without any issue.
For the LB I am using HAProxy with the config from the forklift repo.

These are the magic options which I used (the same for sp1 and sp2):
foreman-installer --scenario foreman-proxy-content \
  -l DEBUG \
  --certs-tar-file="/root/$SMART_PROXY_CERTS_TAR" \
  --foreman-proxy-register-in-foreman="true" \
  --foreman-proxy-foreman-base-url="https://$KATELLO" \
  --foreman-proxy-trusted-hosts="$KATELLO" \
  --foreman-proxy-trusted-hosts="$SMART_PROXY" \
  --foreman-proxy-oauth-consumer-key="$KATELLO_KEY" \
  --foreman-proxy-oauth-consumer-secret="$KATELLO_SECRET" \
  --foreman-proxy-dhcp="false" \
  --foreman-proxy-dns="false" \
  --foreman-proxy-tftp="true" \
  --foreman-proxy-content-enable-docker="false" \
  --foreman-proxy-content-enable-deb="false" \
  --certs-cname "$SMART_PROXY_CNAME" \
  --enable-foreman-proxy-plugin-remote-execution-ssh

I was able to sync CentOS7/Stream8/Rocky8.
I made a dummy smart proxy pointing to the LB server, set the subnets and assigned that proxy.

For now I have only tested CentOS7, and using the bootdisk generated from the UI I was able to provision that VM.

After disabling one of the two smart proxies, I was able to sync repos without any issue to a VM which is registered to the dummy proxy like this:

yum -y localinstall http://$SMART_PROXY_CNAME/pub/katello-ca-consumer-latest.noarch.rpm

subscription-manager register --org=$ORG --serverurl=https://$SMART_PROXY_CNAME:8443/rhsm --baseurl=https://$SMART_PROXY_CNAME/pulp/content --activationkey centos-7

I do not see any error logs (debug option enabled on both) in
/var/log/foreman/production.log
/var/log/foreman-proxy/proxy.log

The strangest thing is that when I first synced the proxies some dirs were missing and I had to sync one more time, but I used Complete sync and everything showed up on the smart proxies.

Any comments are appreciated.
Thanks