Getting Started

Infoblox is a third-party commercial product, you would choose these options if you were in an existing environment that currently used an Infoblox appliance for managing DHCP and DNS. I get the impression that you’re trying to setup an environment from scratch and you want to use ISC DHCP and BIND (this is what I’m doing too).

Yes, that was my experience as well. The installer’s interactive flag only seems to allow you to select plugins, it doesn’t help you setup DHCP, DNS, etc.

No, to have foreman-installer setup DHCP and DNS, you need to pass options to the installer. As mentioned before, the interactive installer doesn’t ask you any questions relating to configuring DNS, DHCP, etc. Note that in the command below, I am specifying that the installer be run in interactive mode (so that you can choose the plugins you want), but I’m explicitly telling it to setup TFTP, DHCP and DNS.

foreman-installer --interactive --scenario katello \
--enable-foreman-proxy \
--foreman-proxy-tftp=true \
--foreman-proxy-tftp-servername=2001:db8::51f0 \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-interface=ens160 \
--foreman-proxy-dhcp-gateway=2001:db8::1 \
--foreman-proxy-dhcp-nameservers=2001:db8::51f0 \
--foreman-proxy-dns=true \
--foreman-proxy-dns-interface=ens160 \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-reverse=0.0.0.0.0.0.0.0.0.8.b.d.1.0.0.2.ip6.arpa. \
--foreman-proxy-dns-forwarders=2001:4860:4860::8888 \
--foreman-proxy-foreman-base-url=https://foreman.example.com

Thanks a million. That’s another landmine cleared up.

… though the installer isn’t happy (IPv6 addresses specified with or without […], using FQDNs or even IPv4) result in:

Welcome to the Katello installer!

This wizard will gather all required information. You can change any parameter
to your needs.

Ready to start? (y/n)
You must enter a valid
#<Proc:0x000000038fd880@/usr/share/gems/gems/highline-1.7.8/lib/highline.rb:227
(lambda)>.

Ready to start? (y/n)
You must enter a valid
#<Proc:0x000000038fd880@/usr/share/gems/gems/highline-1.7.8/lib/highline.rb:227
(lambda)>.

Ready to start? (y/n)
You must enter a valid
#<Proc:0x000000038fd880@/usr/share/gems/gems/highline-1.7.8/lib/highline.rb:227
(lambda)>.

Ready to start? (y/n)
e
Please enter “yes” or “no”.

Ready to start? (y/n)
n

How stupid am I? ’Cause I’ve been at it for an afternoon and simply can’t get it to run :confounded:

Sorry @Peek I didn’t actually carefully look over my last post. I had copied and pasted from an earlier post of yours, just because you had specified all the IPs that were specific to your environment. I just tried running that command on my own test machine and it didn’t work due to a number of formatting issues. Here is a command that I know works, because I just ran it:

foreman-installer --interactive --scenario katello \
--enable-foreman-proxy \
--foreman-proxy-tftp=true \
--foreman-proxy-tftp-servername=192.168.50.20 \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-interface=eth0 \
--foreman-proxy-dhcp-gateway=192.168.50.1 \
--foreman-proxy-dhcp-nameservers="192.168.50.20" \
--foreman-proxy-dns=true \
--foreman-proxy-dns-interface=eth0 \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-reverse=50.168.192.in-addr.arpa \
--foreman-proxy-dns-forwarders=9.9.9.9 \
--foreman-proxy-foreman-base-url=https://foreman.example.com

My 2c’s here:

I think the biggest issue is that our users need to figure out those long installer commands themselves. We do have a (currently broken) foreman setup which somehow guides users, and an Installation Scenarios section, but it’s probably not enough.

I vote for expanding the Installation Scenarios here - please describe your setup, maybe draw a diagram of your infrastructure and then provide the working installer command:

https://theforeman.org/manuals/1.20/index.html#3.2.3InstallationScenarios

If this is missing in the Katello docs we should probably link from there to the Foreman manual. This is fuzzy…


@mason, I second your query to @ekohl. The confusion is not only around syntax errors. For example:

8 hours ago, I started “anew” on the installer.

“foreman-installer -i --scenario katello --foreman-proxy-dhcp=true --foreman-proxy-dns=true” completed successfully and reflected the DHCP & DNS features as being active on the proxy (visible via web interface -> Infrastructure > Smart Proxies -> localhost)!

Naturally I did do a quick dance around my chair. :star_struck: But this was only the start. :thinking:

I then started applying config changes one-by-one, adding only a single option after every successful foreman-installer run, validating the config change with “foreman-installer --help | less”.

IPv6 addresses (with or without […]) are definitely not accepted by the foreman-installer, which I believe only caters for IPv4 in the DHCP proxy. With FQDNs being accepted, I’m hoping for a manual DHCP6 configuration workaround a bit later…

… with the DNS proxy though, the foreman-installer happily accepts IPv6 addresses i.e.

--foreman-proxy-dns-forwarders=2001:4860:4860::8888

though being reflected as [“2001:4860:4860::8888”] when being validated. Yet now I ponder the reasoning for the quotes (") within the brackets ([…]) rather than on the outside, as one would’ve expected with IPv6? :face_with_raised_eyebrow:

Marching on, the “installer initialization string” at this point thus being:

foreman-installer -i --scenario katello \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-interface=ens160 \
--foreman-proxy-dhcp-gateway=gateway.domain.com \
--foreman-proxy-dhcp-nameservers=foreman.domain.com \
--foreman-proxy-dns=true \
--foreman-proxy-dns-interface=ens160 \
--foreman-proxy-dns-zone=domain.com \
--foreman-proxy-dns-forwarders=2001:4860:4860::8888 \
--foreman-proxy-foreman-base-url=https://foreman.domain.com

Yet … the moment I started to add TFTP options, the DHCP proxy started to fail with

Couldn’t enable ‘dhcp_isc’: Invalid IP Address gateway.domain.com

and within

/var/log/foreman-proxy/proxy.log

“Disabling all modules in the group [‘dhcp_isc’, ‘dhcp’] due to a failure in one of them: Invalid IP Address gateway.domain.com”

The host is still dual stacked (IPv4 & IPv6) and gateway.domain.com resolves correctly to the host’s IPv4 address… changing the FQDN to the IPv4 address doesn’t resolve the issue …

and /etc/hosts has all references to 127.0.0.1 and ::1 removed.

For clarity, once “foreman-installer -i --scenario katello --foreman-proxy-dhcp=true --foreman-proxy-dns=true” completed successfully, a single option was tacked on per installer run, until the noted error was experienced.

The DHCP config being:

--foreman-proxy-dhcp          Enable DHCP feature (current: true)
--foreman-proxy-dhcp-additional-interfaces  Additional DHCP listen interfaces (in addition to dhcp_interface). Note: as opposed to dhcp_interface
                              additional subnets using `dhcp::pool` and related resource types (provided by the theforeman/puppet-dhcp
--foreman-proxy-dhcp-config   DHCP config file path (current: "/etc/dhcp/dhcpd.conf")
--foreman-proxy-dhcp-gateway  DHCP pool gateway (current: "10.10.0.1")
--foreman-proxy-dhcp-interface  DHCP listen interface (current: "ens160")
--foreman-proxy-dhcp-key-name  DHCP key name (current: UNDEF)
--foreman-proxy-dhcp-key-secret  DHCP password (current: UNDEF)
--foreman-proxy-dhcp-leases   DHCP leases file (current: "/var/lib/dhcpd/dhcpd.leases")
--foreman-proxy-dhcp-listen-on  DHCP proxy to listen on https, http, or both (current: "https")
--foreman-proxy-dhcp-managed  DHCP is managed by Foreman proxy (current: true)
--foreman-proxy-dhcp-nameservers  DHCP nameservers, comma-separated (current: "10.10.0.121")
--foreman-proxy-dhcp-netmask  DHCP server netmask value, defaults otherwise to value based on IP of dhcp_interface (current: UNDEF)
--foreman-proxy-dhcp-network  DHCP server network value, defaults otherwise to value based on IP of dhcp_interface (current: UNDEF)
--foreman-proxy-dhcp-node-type  DHCP node type (current: "standalone")
--foreman-proxy-dhcp-omapi-port  DHCP server OMAPI port (current: 7911)
--foreman-proxy-dhcp-option-domain  DHCP use the dhcpd config option domain-name (current: ["pxecloud.com"])
--foreman-proxy-dhcp-peer-address  The other DHCP servers address (current: UNDEF)
--foreman-proxy-dhcp-provider  DHCP provider (current: "isc")
--foreman-proxy-dhcp-pxefilename  DHCP "filename" value, defaults otherwise to pxelinux.0 (current: "pxelinux.0")
--foreman-proxy-dhcp-pxeserver  DHCP "next-server" value, defaults otherwise to IP of dhcp_interface (current: UNDEF)
--foreman-proxy-dhcp-range    Space-separated DHCP pool range (current: UNDEF)
--foreman-proxy-dhcp-search-domains  DHCP search domains option (current: UNDEF)
--foreman-proxy-dhcp-server   Address of DHCP server to manage (current: "127.0.0.1")
--foreman-proxy-dhcp-subnets  Subnets list to restrict DHCP management to (current: [])

Then I tacked on “--foreman-proxy-dhcp-server=10.10.0.121” and life is all funky again :partying_face:

The “installer initialization string” now mutating to:

foreman-installer -i --scenario katello \
--enable-foreman-proxy \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-server=10.10.0.121 \
--foreman-proxy-dhcp-interface=ens160 \
--foreman-proxy-dhcp-gateway=10.10.0.1 \
--foreman-proxy-dhcp-nameservers=10.10.0.121 \
--foreman-proxy-dns=true \
--foreman-proxy-dns-interface=ens160 \
--foreman-proxy-dns-zone=domain.com \
--foreman-proxy-dns-forwarders=2001:4860:4860::8888 \
--foreman-proxy-foreman-base-url=https://foreman.domain.com

… and so the journey continues, still eluding the once off single installer line … and acquiring clarity.

@lzap, I believe @mason and @jmrice6640 would agree that we’re after a very simple, yet fully functional commissioning environment, from scratch. The most basic initial components being:

  1. puppet
  2. dhcp (isc)
  3. dns (bind)
  4. tftp (I’d LOVE to have this scratched in favor of HTTP Boot)

all on a bed of succulent IPv6. :drooling_face:

Topped off with a quick auto deploying of a CentOS & Debian image.
Config change, i.e. NTP
Remote execution example
and the destruction of the images to conclude the life-cycle thereof.

We just never expected it to be this … frustratingly interesting …

Originally we only hoped to HTTP Boot diskless stations. Only, Intel has other ideas …

https://forums.intel.com/s/question/0D50P00004AvfzOSAR/what-is-the-correct-syntax-structure-when-creating-an-uefi-http-boot-option-within-the-uefi-boot-manager-

Foreman 1.20 can do both TFTP and UEFI HTTP Boot now. Another alternative is iPXE but you need to have luck to have hardware supported by iPXE.

Just for grins, I ran foreman-installer --full-help … Over 1,600 lines of options.
That’s a lot of trial and error, and wiping it clean and starting over a few times isn’t practical.

I’ve reviewed my notes, and don’t think that I could boil it down into a simple set of instructions
on how I got to where I am now. Lost. But I do believe that starting over with what has been shared here
will end up saving me some time in the long run.

Yes, @lzap, I agree. Installation Scenarios should be expanded. But with so many combinations,
there won’t be a one size fits all approach. Perhaps include an example of some of the more common ones.
The most important one I’ve found so far is to start with Katello. That little caveat needs to be more prominent. I didn’t realize that I wanted/needed it until after installing and configuring 5 nodes, DHCP, DNS, NTP, SSH, and was looking into adding additional modules …

I read the book, Mastering Puppet, Second Edition. The problem with books is that by the time they get printed and released, they are obsolete. This one was on Puppet version 4.2, and only had 5 pages about Foreman, and then, only as a Puppet reporting tool.

I am still searching for anything more in depth about Foreman, other than a $3,100 4-day training course.

@Peek I have created a Github repo that contains my automated install script. At the moment, it does the following:

  • Disables the firewall
  • Installs all the yum repo definitions necessary to install Foreman, Katello, Puppet, EPEL
  • Creates an answer file which has several plugins enabled
  • Installs Foreman, Katello, ISC DHCP, Bind and TFTP
  • Changes /etc/resolv.conf to use the newly created local DNS server
  • Performs a full backup (using foreman-maintain) of the install to this point
  • Sets the default Org and Location in Foreman
  • Creates 5 products and their associated GPG keys and yum repos
    • CentOS 7
    • EPEL 7
    • Puppet 5
    • Katello Agent
    • Lynis
  • Synchronizes the repos
  • Creates a content view
  • Performs an incremental backup, using foreman-maintain

Note that I haven’t fully broken out all my local names into the local.conf file, so if you were to run the script, without modification, you would see some personalized names in Foreman.

I’m still learning as I go, so any feedback that you or anyone else has, about my script or how it sets up Foreman/Katello, would be very helpful.


Mutual.


UEFI iPXE doesn’t function like ye olde “ROMs”… May I enlighten you on a topic that has already taken too much time hostage, yet is simpler than one would expect, yet very few are aware of?

i.e.

  1. Download & drop the iPXE “UEFI version” onto a FAT32 formatted USB drive.
  2. Boot into the “UEFI Built-in Shell” of a physical machine.
  3. At the shell prompt, type:
    Shell> map
    — Which will list all the mapped drives
    — Lets assume the USB drive is FS3
    — Type fs3: at the prompt
    Shell> fs3:
    — Do a listing of the files on the partition
    Shell> ls
    — Execute iPXE by simply typing its name
    Shell> iPXE.efi

Lo and behold :partying_face: Were you aware of this before?

The only burning question being: How to “flash” the iPXE.efi file to NVRAM of a physical machine?

With the Foreman/Katello host’s Smart Proxy now featuring:

  • DHCP
  • DNS
  • Dynflow
  • Logs
  • Pulp
  • Puppet
  • Puppet CA
  • Templates and
  • TFTP

What would be the advisable “area” a noob should be focusing on?

Setting up for the first unattended auto deployment …

When this error starts popping up, simply disable the DHCP proxy:

foreman-installer --scenario katello -i --foreman-proxy-dhcp=false

Immediately follow it up with a rerun of the foreman-installer specifying the FQDNs as opposed to the IPs, and it’s all happy again.

foreman-installer --scenario katello -i \
--enable-foreman-proxy \
--foreman-proxy-tftp=true \
--foreman-proxy-tftp-servername=foreman.domain.com \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-server=foreman.domain.com \
--foreman-proxy-dhcp-interface=ens160 \
--foreman-proxy-dhcp-gateway=gateway.domain.com \
--foreman-proxy-dhcp-nameservers=foreman.domain.com \
--foreman-proxy-dns=true \
--foreman-proxy-dns-interface=ens160 \
--foreman-proxy-dns-zone=domain.com \
--foreman-proxy-dns-forwarders=2001:4860:4860::8888 \
--foreman-proxy-foreman-base-url=https://foreman.domain.com

Well, Foreman supports this workflow as well via the Bootdisk plugin. You generate a bootable ISO which you can dd to a USB stick as well, and it’s fully automatic. However, we only support BIOS out of the box and UEFI hasn’t yet landed. There were several attempts to implement this, the latest being:

AFAIK NVRAM cannot be used to flash bootloaders; it’s only used for variables, settings essentially. Bootloaders are required to reside on the ESP; you can however set the path to the EFI loader on the ESP partition.


Yet with “HTTP Boot” the EFI bootloader resides on a web server as opposed to the ESP partition.

Yet one cannot set an HTTP URL, unless the particular device’s UEFI implementation has the “HTTP driver” compiled in. UEFI being modular in design.

“HTTP Boot” (aka “Boot from URL”) is supported since UEFI specification 2.5, with specification 2.7 having been available since May 2017. Why are Intel devices then running UEFI specification 2.6, which is crippled so as not to allow “HTTP Boot”?..

A very informative UEFI course:

Lesson 0: Introduction and Defining Specifications Role in Firmware - Overview
Lesson 1: Pre-EFI (PEI) and Security (SEC) Phases
Lesson 2: Driver Execution Environment (DXE)
Lesson 3: UEFI Drivers
Lesson 4: Firmware and Data Storage
Lesson 5: Boot Device Selection (BDS) and Human Interface Infrastructure (HII)

So question, when you make changes to Foreman using the foreman-installer, how do you keep track of the changes over time? Are you storing the answers file in Git? Would scenarios play into this?

I was looking at making changes to Foreman directly from Puppet manifests, as we would do for MySQL, Apache and most other software. Unfortunately, I couldn’t get very far; I can’t figure out what many of the parameters should be.

Finally came up with a list of plugins to include, and after installing katello with the proper repos,
I ran the installer interactively with the following:

# foreman-installer --interactive --scenario katello \
> --enable-foreman-proxy \
> --foreman-proxy-tftp=true \
> --foreman-proxy-tftp-servername=10.0.0.234 \
> --foreman-proxy-dhcp=true \
> --foreman-proxy-dhcp-interface=ens192 \
> --foreman-proxy-dhcp-gateway=10.0.0.234 \
> --foreman-proxy-dhcp-nameservers="10.0.0.234" \
> --foreman-proxy-dns=true \
> --foreman-proxy-dns-interface=ens192 \
> --foreman-proxy-dns-zone=domain.com \
> --foreman-proxy-dns-reverse=0.0.10.in-addr.arpa \
> --foreman-proxy-dns-forwarders=9.9.9.9 \
> --enable-foreman-plugin-discovery \
> --enable-foreman-proxy-plugin-discovery \
> --enable-foreman-cli-discovery \
> --enable-foreman-plugin-docker \
> --enable-foreman-proxy-plugin-dynflow \
> --enable-foreman-plugin-memcache \
> --enable-foreman-proxy-plugin-monitoring \
> --enable-foreman-plugin-openscap \
> --enable-foreman-proxy-plugin-openscap \
> --enable-foreman-cli-openscap \
> --enable-foreman-proxy-plugin-pulp \
> --enable-foreman-plugin-puppetdb \
> --enable-foreman-plugin-remote-execution \
> --enable-foreman-proxy-plugin-remote-execution-ssh \
> --enable-foreman-cli-remote-execution \
> --enable-foreman-plugin-tasks \
> --enable-foreman-cli-tasks \
> --enable-foreman-plugin-templates \
> --enable-foreman-cli-templates \
> --enable-foreman-plugin-digitalocean \
> --foreman-proxy-foreman-base-url=https://foreman.domain.com
ERROR: Unrecognised option '--enable-foreman-plugin-docker'

See: ‘foreman-installer --help’
[root@foreman ~]#

Did I miss something about including extra options to the installer command line? I'm pretty sure that --enable-foreman-plugin-docker is in the list.
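The two ways installer runs went wrong in this thread were flag formatting (en-dashes and options the selected scenario does not recognise) and address values the DHCP proxy rejects (an FQDN or an IPv6 literal where it wants IPv4, while the DNS forwarder option accepted IPv6). A small pre-flight lint for a command line, written as an added example that is not part of the thread or of Foreman: SAMPLE_HELP is a constructed excerpt in the layout of `foreman-installer --help` output, and the IPv4-only set reflects only what the posts above observed.

```python
import ipaddress
import re
import shlex

# The DHCP proxy validates these values as IP addresses: an FQDN or an
# IPv6 literal here failed in the thread with "Invalid IP Address ...".
DHCP_IPV4_ONLY = {"--foreman-proxy-dhcp-gateway", "--foreman-proxy-dhcp-server",
                  "--foreman-proxy-dhcp-nameservers"}
# The DNS proxy accepted an IPv6 forwarder, so v4 or v6 passes here.
DNS_ANY_IP = {"--foreman-proxy-dns-forwarders"}

# Constructed excerpt in the layout of 'foreman-installer --help' output.
SAMPLE_HELP = """\
--scenario                    Use installation scenario
--enable-foreman-proxy        Enable 'foreman_proxy' puppet module (current: true)
--foreman-proxy-dhcp          Enable DHCP feature (current: true)
--foreman-proxy-dhcp-gateway  DHCP pool gateway (current: "10.10.0.1")
--foreman-proxy-dhcp-nameservers  DHCP nameservers, comma-separated (current: "10.10.0.121")
--foreman-proxy-dhcp-server   Address of DHCP server to manage (current: "127.0.0.1")
--foreman-proxy-dns           Enable DNS feature (current: true)
--foreman-proxy-dns-forwarders  DNS forwarders (current: [])
"""
OPTION_RE = re.compile(r"^\s*(--[a-z0-9-]+)")

def known_options(help_text):
    """Collect the option names that appear in --help style output."""
    return {m.group(1) for line in help_text.splitlines()
            if (m := OPTION_RE.match(line))}

def bad_addresses(value, ipv4_only):
    """Return the comma-separated entries of value that are not IP literals."""
    parse = ipaddress.IPv4Address if ipv4_only else ipaddress.ip_address
    bad = []
    for v in value.split(","):
        try:
            parse(v.strip())
        except ValueError:
            bad.append(v.strip())
    return bad

def lint_command(cmdline, help_text=SAMPLE_HELP):
    """Return a list of problems found in a foreman-installer command line."""
    problems = []
    # Commands copied from rendered forum posts often carry an en-dash (U+2013)
    # where '--' belongs; the shell passes that through as a positional argument.
    if "\u2013" in cmdline:
        problems.append("en-dash found; every option must start with '--'")
        cmdline = cmdline.replace("\u2013", "--")
    known = known_options(help_text)
    for token in shlex.split(cmdline.replace("\\\n", " ")):
        if not token.startswith("--"):
            continue
        name, _, value = token.partition("=")
        if name not in known:
            problems.append(f"unrecognised option {name}")
        elif name in DHCP_IPV4_ONLY or name in DNS_ANY_IP:
            for v in bad_addresses(value, name in DHCP_IPV4_ONLY):
                problems.append(f"{name}: '{v}' is not an accepted IP literal")
    return problems
```

Feed it the real output of `foreman-installer --scenario katello --help` as help_text so the option set matches the scenario you are actually installing.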

As a followup …


[root@foreman ~]# foreman-installer --help
ERROR: No installation scenario was selected, the installer cannot continue.
       Even --help content is dependent on selected scenario.
       Select scenario with --scenario SCENARIO or list available scenarios with --list-scenarios.
[root@foreman ~]# foreman-installer --list-scenarios
Available scenarios
  Foreman (use: --scenario foreman)
        Default installation of Foreman
  Foreman Proxy (use: --scenario foreman-proxy-content)
        Install a stand-alone Foreman Proxy.
  Katello (use: --scenario katello)
        Install Foreman with Katello
[root@foreman ~]#