New Foreman user, basic questions!

Hi All,

TL;DR: when choosing a Foreman install method, is it a Foreman OR Katello install choice at install time, and what are the gotchas with each choice? Are there any gotchas around regular system patching on the Foreman server when pulling down so many dependency packages? Finally, what are people's experiences with scaling a Katello/deployment/Puppet solution? Security/network issues aside, is it best to scale up a single server or scale out and use many smart proxies on independent servers?

Longer version:

I'm a new user of Foreman and have some basic questions, if I may.

I'm looking at implementing a Foreman infrastructure at a Higher Education establishment in the UK, with a view to displacing our current HPE server provisioning, patching and auditing solutions.

Without looking at other commercial solutions, Foreman looks like the ideal orchestrator to front up a lot of functionality from open-source components.

Looking at the manuals, it looks like if you ever require the Katello functionality, and want to keep your sanity, you MUST install the Katello scenario at the time of the Foreman installation. Does this then limit or change any of the vanilla Foreman behaviour (other than adding Katello, of course), or affect how you must treat the solution in general?

When it comes to updating Katello/Foreman, I can see great instructions on how to do it in the manuals. But when it comes to regular automated OS patching, what is the scope/history of this breaking functionality? This is of concern because of the immense number of dependencies and packages installed, and we have to install patches within 30 days of them being released.

Finally, when it comes to architecting a Foreman/Katello deployment, I need to size an initial solution to potentially scale to 500-1000 deployed and managed objects. If we assume that the environment is on a flat network (I wish!!), is the best approach an all-in-one deployment, or can I install multiple Foreman solutions with different scenarios/plugins installed and somehow link them all together using smart proxies? E.g., have a server specifically for Katello repos and patching, another for deployment, another for the Puppet master.

Thanks for your time in advance. I'd really like to understand how the whole stack hangs together and give it its best chance of implementation.


Hello, welcome!

Yes, the Katello plugin is essentially "all or nothing" and also "no way back". Technically you could uninstall it, but I am not aware of anyone who has done it, as there are multiple components installed. So pick one of the two and architect on top of that.

What you can do is start with Foreman core, adding only the required plugins, and try provisioning and config management without content management, deciding later. Or simply install with Katello and don't use the Katello features until you are ready.

Note that with Katello you basically can't avoid the Sync/Publish/Promote workflow, and if you need super-fast patching, this can be limiting. Katello does implement "fast track" publishing, but still every operation on yum repos usually involves recalculation of yum metadata and errata applicability, and this is a very CPU/IO intensive operation. There were some improvements in the past, but it's definitely not instant.

This is tough; it depends on what you are going to use, as we support many things. By design, Foreman is usually one instance with multiple proxies. Foreman itself is best as a VM where you can easily add more CPU/memory as you grow, and proxies can easily be added to individual sites/subnets/datacenters; installing them is easy and the registration process is smooth.

I'd say that 1k hosts is nothing (there are users with 100k+) and you can easily go with a single Foreman and one smart proxy, but this highly depends on how often you are going to check in, the Puppet master version, and additional plugins. Anyway, be prepared to closely monitor everything, troubleshoot, and do regular maintenance.
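The Sync/Publish/Promote workflow mentioned in the reply above, written out as one scripted patch cycle with the hammer CLI. This is an added example, not code from the thread or from the Foreman/Katello project. The hammer subcommands (repository synchronize, content-view publish, content-view version list/promote) are the real ones; the organization, product, repository, content view and lifecycle environment names are hypothetical placeholders, the script assumes hammer is already configured against your Foreman/Katello server, and the version-column position it parses from hammer's --csv output is an assumption to check once on your own install.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): one Katello patch cycle driven
# through the hammer CLI, in the order the reply describes: sync the
# repository, publish a new content-view version, then promote that version
# through the lifecycle environments. Assumptions (not in the thread): hammer
# is already configured against the Foreman/Katello server, and the
# organization, product, repository, content view and environments named
# below exist.
set -eu

ORG="${ORG:-ACME}"                # hypothetical organization
PRODUCT="${PRODUCT:-CentOS}"      # hypothetical product
REPO="${REPO:-base-x86_64}"       # hypothetical repository in that product
CV="${CV:-cv-centos}"             # hypothetical content view
ENVS="${ENVS:-Dev Test Prod}"     # hypothetical lifecycle path, in order
HAMMER="${HAMMER:-hammer}"        # override with a wrapper (e.g. echo) to dry-run

run() { "$HAMMER" "$@"; }

# Step 1: pull new packages/errata into the repository. This is the stage
# that triggers the metadata/applicability recalculation the reply warns about.
sync_repo() {
    run repository synchronize --organization "$ORG" --product "$PRODUCT" --name "$REPO"
}

# Step 2: publish a new content-view version; $1 is a free-text description
# (e.g. the change ticket for this patch window).
publish_cv() {
    run content-view publish --organization "$ORG" --name "$CV" --description "$1"
}

# Highest published version number of the content view. Assumes hammer's
# --csv output carries the version in the third column (Id,Name,Version,...).
latest_version() {
    run --csv content-view version list --organization "$ORG" --content-view "$CV" \
        | awk -F, 'NR > 1 && ($3 + 0) > max { max = $3 + 0 } END { print max + 0 }'
}

# Step 3: promote version $1 into lifecycle environment $2.
promote_cv() {
    run content-view version promote --organization "$ORG" --content-view "$CV" \
        --version "$1" --to-lifecycle-environment "$2"
}

# Walk a version through every environment in ENVS, in order, so nothing
# reaches the last environment without passing through the earlier ones.
promote_through_envs() {
    version="$1"
    for env in $ENVS; do
        promote_cv "$version" "$env"
    done
}

main() {
    description="$1"
    sync_repo
    publish_cv "$description"
    version="$(latest_version)"
    [ "$version" -gt 0 ] || { echo "no published version found for $CV" >&2; return 1; }
    promote_through_envs "$version"
}

if [ "$#" -gt 0 ]; then
    main "$*"
else
    echo "usage: $0 <description of this patch cycle>" >&2
fi
```

Run it as ./patch-cycle.sh "CHG-1234 monthly patching" once the placeholders are replaced; HAMMER=echo ./patch-cycle.sh "dry run" shows the exact hammer commands without touching the server. Each stage blocks until Katello finishes the corresponding task, which is where the CPU/IO cost the reply describes shows up, so schedule it inside a maintenance window rather than expecting it to be instant.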