Next Foreman Community Demo 2015-10-08

We will be holding another installment of the Foreman Community Demo this
coming Thursday, Oct 8th. Please see the event page for more detailed
information [1].
The agenda is being compiled and can be viewed on the wiki [2].

As ever, we encourage live participation via the Hangouts Q&A app, or in IRC
(#theforeman on Freenode). For those that can't attend, the video will be
posted afterwards.

[1] https://plus.google.com/events/c0rmd19urkgnhojlmtm53sh5ius
[2] Current Sprint Information - Foreman

The YouTube recording for this is now available [1]. As an experiment,
I've added timestamps to each of the agenda items to make it easy to
jump to the sections you are interested in. Let me know if you find it
useful :)

Greg

[1] https://www.youtube.com/watch?v=afOWk6V8neU

Thanks, Greg, it was VERY useful!

I'm curious: does the new PXE-less discovery image require an outgoing
connection from Foreman/proxy back to the provisioned host?
I.e. what will happen when I press the "provision" button in the discovery UI?
Does Foreman/proxy attempt to connect to the provisioned host, or does the
host receive kexec data using long-poll or something like that?

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Kind regards,
Vladimir.

> Thanks, Greg, it was VERY useful!
>
> I'm curious: does the new PXE-less discovery image require an outgoing
> connection from Foreman/proxy back to the provisioned host?
> I.e. what will happen when I press the "provision" button in the discovery UI?
> Does Foreman/proxy attempt to connect to the provisioned host, or does the
> host receive kexec data using long-poll or something like that?
>

The current implementation assumes there is a connection from the proxy (or
foreman) to the discovered host.

What is the usage case for long poll? (the assumption we had was that the
proxy can be located at reachable network from the discovered node, and
that normally you don't want your nodes accessing foreman directly).

Ohad

> What is the usage case for long poll? (the assumption we had was that the
> proxy can be located at reachable network from the discovered node, and
> that normally you don't want your nodes accessing foreman directly).

Two words: security policies :(
Currently it was possible to use Foreman/Proxies with nearly no limitations
without any outgoing connections. Discovery is a very nice feature but
currently it's not compatible with that security model because it requires
outgoing connections to start host provisioning.

Kind regards,
Vladimir.

> > What is the usage case for long poll? (the assumption we had was that the
> > proxy can be located at reachable network from the discovered node, and
> > that normally you don't want your nodes accessing foreman directly).
>
> Two words: security policies :(
> Currently it was possible to use Foreman/Proxies with nearly no
> limitations without any outgoing connections. Discovery is a very nice
> feature but currently it's not compatible with that security model because
> it requires outgoing connections to start host provisioning.
>

Can't you put your proxy in the same security zone as the discovered host?

Ohad

No, all our proxies are used for load balancing only and they were placed in
dedicated security zone with filtered ingoing access on specific ports.

I'm thinking about some polling timer/long poll that could replace outgoing
connection from Foreman/proxy for starting provisioning/reboot.

Kind regards,
Vladimir.

> No, all our proxies are used for load balancing only and they were placed
> in dedicated security zone with filtered ingoing access on specific ports.
>

Are we mixing up regular proxies and foreman smart proxies?

Ohad

I understand that this setup was relatively specific and no, I'm talking
about only foreman smart proxies (calling them proxies).

Load-balancing is probably a badly chosen term, I should call it load
distribution because we did have multiple smart proxies with puppet master
on each one and they were placed in dedicated security zone along with
Foreman.

Kind regards,
Vladimir.

> I understand that this setup was relatively specific and no, I'm talking
> about only foreman smart proxies (calling them proxies).
>
> Load-balancing is probably a badly chosen term, I should call it load
> distribution because we did have multiple smart proxies with puppet master
> on each one and they were placed in dedicated security zone along with
> Foreman.
>

So I'm still a bit confused in terms of why would you mind adding another
proxy just for discovery purpose, which allows foreman to talk to, and the
discovered hosts to reach out to? (purely port 8443).

Ohad

It's no problem to add another proxy; the problem is to allow outgoing
connections for proxies because, as I said before, currently they are only
accepting incoming connections and are prohibited from initiating any outgoing
connections (except for connections to Foreman).

2015-10-19 13:14 GMT+03:00 Ohad Levy:

On Mon, Oct 19, 2015 at 1:03 PM, Vladimir Stackov <amigo.elite@gmail.com> wrote:

I understand that this setup was relatively specific and no, I’m talking
about only foreman smart proxies (calling them proxies).

Load-balancing is probably a badly chosen term, I should call it load
distribution because we did have multiple smart proxies with puppet master
on each one and they were placed in dedicated security zone along with
Foreman.

So I’m still a bit confused in terms of why would you mind adding another
proxy just for discovery purposes, which allows foreman to talk to, and the
discovered hosts to reach out to? (purely port 8443).

Ohad

2015-10-19 12:49 GMT+03:00 Ohad Levy <ohadlevy@gmail.com>:

On Mon, Oct 19, 2015 at 12:29 PM, Vladimir Stackov <amigo.elite@gmail.com> wrote:

No, all our proxies are used for load balancing only and they were
placed in dedicated security zone with filtered ingoing access on specific
ports.

Are we mixing up regular proxies and foreman smart proxies?

Ohad

I’m thinking about some polling timer/long poll that could replace
outgoing connection from Foreman/proxy for starting provisioning/reboot.

2015-10-19 11:02 GMT+03:00 Ohad Levy <ohadlevy@gmail.com>:

On Mon, Oct 19, 2015 at 11:00 AM, Vladimir Stackov <amigo.elite@gmail.com> wrote:

What is the usage case for long poll? (the assumption we had was
that the proxy can be located at reachable network from the discovered
node, and that normally you don’t want your nodes accessing foreman
directly).

Two words: security policies :frowning:
Currently it was possible to use Foreman/Proxies with nearly no
limitations without any outgoing connections. Discovery is a very nice
feature but currently it’s not compatible with that security model because
it requires outgoing connections to start host provisioning.

Can't you put your proxy in the same security zone as the discovered
host?

Ohad

2015-10-19 10:41 GMT+03:00 Ohad Levy <ohadlevy@gmail.com>:

On Fri, Oct 9, 2015 at 5:00 PM, Vladimir Stackov <amigo.elite@gmail.com> wrote:

Thanks, Greg, it was VERY useful!

I’m curious: does new PXE-less discovery image require outgoing
connect from Foreman/proxy back to provisioned host?
I.e. what will happen when I press “provision” button in discovery
UI? Foreman/proxy attempts to connect to provisioned host or host is
receiving kexec data using long-poll or something like that?

The current implementation assumes there is a connection from the
proxy (or foreman) to the discovered host.

What is the usage case for long poll? (the assumption we had was
that the proxy can be located at reachable network from the discovered
node, and that normally you don’t want your nodes accessing foreman
directly).

Ohad

2015-10-08 17:51 GMT+03:00 Greg Sutcliffe <greg.sutcliffe@gmail.com>:

The Youtube recording for this is now available [1]. As an experiment,
I’ve added timestamps to each of the agenda items to make it easy to
jump to the sections you are interested in. Let me know if you find it
useful :slight_smile:

Greg

[1] https://www.youtube.com/watch?v=afOWk6V8neU



Kind regards,
Vladimir.