Foreman Org/Loc's and Host Defaults?

Hi all,

I've been experimenting in a lab with enabling orgs and locations
combined with additional puppet masters for the various locations. I have
a couple of questions and an initial difficulty in configuration of the
smart-proxies.

Background:

  • We have a basic setup with everything on the Foreman system -
    smart-proxy for PuppetMaster, PuppetCA, DHCP, and TFTP. I have an
    additional smart-proxy with TFTP/DHCP high security build vlan as well.
  • My team (Org 1) is the only one using puppet. We have another team
    (Org 2) beginning to use it for provisioning only, but soon they will be
    digging into puppet.
  • We have several datacenter locations, 3 local and 1 remote.

Questions:

  1. I'd like to set up new PuppetMasters for each Org 1 and Org 2, another
    for our remote datacenter, while leaving the PuppetMaster on the Foreman
    system to master the new puppets only and continue to be the PuppetCA.
    Does that seem to be a reasonable configuration?
  2. Is there a good Puppet Module that could manage the configuration of
    the puppet masters listed above…e.g. something equivalent to running
    foreman-installer with an answer file for each server.
  3. Can (or how do) I force Org 2 to only be able to select their
    PuppetMaster from their smart-proxy, while remaining able to use the
    "master" smart proxy on Foreman for PuppetCA, provisioning, etc.?
  4. Is there a better way to give Org 2's system admins the ability to
    manage their own puppet modules without making dedicated puppet masters?

Thanks for reading and considering my questions!

Regarding #4- It sounds like you need to look into Puppet environments.

> On Dec 18, 2014, at 5:58 PM, Sean Alderman wrote:

I considered that, we already use environments, but I'm not up for giving
the filesystem on my main puppet server away so Org 2 can populate their
modules. Either way, I'm not sure how to manage Foreman's discovery of new
Puppet Classes across multiple Masters. Is there a permission in Foreman
to allow a group to run the import only for the masters their org/loc can
see?

> On Thursday, December 18, 2014 6:13:31 PM UTC-5, Josh wrote:

You use git with a product like Stash and control who can push code to branches/environments. You don't give them filesystem access to your puppet masters.

> On Dec 18, 2014, at 6:19 PM, Sean Alderman wrote:
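The branch-level push control suggested in the reply above, sketched as a plain-git server-side check. This is an added example, not code from the thread and not how Stash implements branch permissions. The user names, the `org1_*`/`org2_*` branch-per-environment naming and the `GIT_PUSH_USER` variable are assumptions.

```shell
#!/bin/sh
# Constructed policy: "<user> <branch glob>" per line. Each branch is assumed
# to map to one Puppet environment, so this decides who may change which one.
POLICY='
alice org1_*
alice production
bob   org2_*
'

# push_allowed USER REF -> 0 if USER may update REF, 1 otherwise.
# Default deny: unknown users, tags and any other non-branch ref are rejected.
push_allowed() {
    user=$1
    ref=$2
    case $ref in
        refs/heads/*) branch=${ref#refs/heads/} ;;
        *) return 1 ;;
    esac
    while read -r p_user p_glob; do
        [ -z "$p_user" ] && continue
        [ "$p_user" = "$user" ] || continue
        case $branch in
            $p_glob) return 0 ;;   # unquoted on purpose: used as a glob
        esac
    done <<EOF
$POLICY
EOF
    return 1
}

# check_push USER: reads pre-receive input ("<old> <new> <ref>" per line)
# on stdin and fails the whole push if any single ref is not permitted.
check_push() {
    user=$1
    rc=0
    while read -r _old _new ref; do
        push_allowed "$user" "$ref" || {
            echo "denied: $user may not update $ref" >&2
            rc=1
        }
    done
    return $rc
}

# Wiring as hooks/pre-receive (assumes the SSH or HTTP front end sets the
# hypothetical GIT_PUSH_USER to the authenticated account):
#   check_push "$GIT_PUSH_USER" || exit 1
```

With this in place the masters only ever pull from the repository, so Org 2 never needs a login on them.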

Yes - Foreman can import from multiple puppet masters - you just need the proxy set up properly - the only issue I can see is name collisions, i.e. a manifest called NTP on more than one puppet master and setting parameters on that.

HTH

> On Dec 19, 2014, at 8:19 AM, Sean Alderman wrote: