Provisioning without DHCP

Hello,

Is there a way to provision systems using Foreman without using DHCP? I have
that requirement now. Previously I used Cobbler's buildiso command for hosts
with static network interfaces but can't find a similar feature in Foreman.

Regards Jim

Sure, but you would have to be more specific.

If you want a full alternative to PXE booting, I would suggest trying
gPXE. This way you could use a CD/USB etc. to boot the machine, which
in turn will ask Foreman for instructions (e.g. which kernel to
download, which OS to boot, etc.).

The documentation is a bit lacking on that feature, but you might be
able to get more info out of Feature #470: Add kickstart via gpxe support - Foreman

Note that once you get that running, it's easy to create a simple gPXE
image which hardcodes the Foreman values, so you don't have to type
anything during the gPXE boot.

Ohad

··· On Fri, Jul 1, 2011 at 10:12 AM, James Bailey wrote: (quoted in full above)
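An added example of the "simple gPXE image which hardcodes the Foreman values" suggested above; it is not from this thread or from the Foreman project. Because the DMZ has no DHCP, the embedded script configures the NIC statically before it chains to Foreman. The host address, gateway, resolver, the Foreman hostname and the /unattended/gPXE?mac= URL are assumptions (the endpoint name follows Foreman's unattended API as it was at the time of Feature #470); the script uses only gPXE 1.0-era commands (set, ifopen, chain, echo, shell), no iPXE-only goto/|| flow control.

```ipxe
#!gpxe
# Added example: an embedded gPXE script for provisioning a host from Foreman
# when no DHCP service is available. Not from the thread or the Foreman project.
# Assumed values (replace per host): address 192.0.2.10/24, gateway 192.0.2.1,
# resolver 192.0.2.2, Foreman at foreman.example.com. The /unattended/gPXE
# endpoint and its mac= parameter are assumed from Foreman's unattended API.

# No "dhcp net0" here: configure the first NIC statically instead.
set net0/ip 192.0.2.10
set net0/netmask 255.255.255.0
set net0/gateway 192.0.2.1
set dns 192.0.2.2
ifopen net0

echo Asking Foreman for boot instructions for ${net0/mac} ...

# Foreman renders its gPXE template for the host that owns this MAC
# (kernel, initrd and kickstart URL); chain downloads and runs it.
chain http://foreman.example.com/unattended/gPXE?mac=${net0/mac}

# Only reached if the chain failed (host unknown to Foreman, network
# unreachable, or nothing bootable returned): stop rather than retry blindly.
echo No boot script from Foreman for ${net0/mac}; dropping to the gPXE shell
shell
```

Save it as, for example, foreman.gpxe and build it into the boot media from the gPXE source tree with `make bin/gpxe.iso EMBEDDED_IMAGE=foreman.gpxe` (iPXE uses `EMBED=` instead). Because the address is baked in, this yields one image per host, which is the property the DMZ owners care about: a stray copy booted on another VLAN cannot obtain a lease and can only talk to the Foreman host written into it, and Foreman only hands a boot script to a host it recognises, so an unknown host falls through to the shell instead of reinstalling itself.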

Thanks Ohad,

It is an excellent start, I should be able to get most of what I need
from the link.

Not sure what more information you need, but this is the situation here now.

The current set up here is a heterogeneous mix of Windows corporate
infrastructure including the DHCP, DNS and AD. They are in the process
of moving to include Tivoli directory services and use Domino
groupware heavily. I am contracted to look after the *nix infrastructure
here and improve it. It includes: several public facing websites, a
couple of FTP/SFTP servers, Jira and Confluence which the current
intranet runs on, and the nascent beginning of an Alfresco cluster the
new intranet runs on.

Their current processes involve VMware V2P and P2V and cloning to try
and keep consistency in their builds, with a lot of manual hacking and
configuration.

I have got them to agree in principle to replacing this on the *nix side
with Puppet and Foreman, but for reasons I have not yet got fully to
the bottom of they don't want or have DHCP in the DMZ.

It seems a personal curse that I end up in companies scared of DHCP. In
a previous role we had no DHCP for the first half of the project and
had to use Cobbler's buildiso feature to get systems built and keep the
project on track. When a colleague and myself finally got the
corporate infrastructure team around a table to discuss their refusal,
it turned out that they were afraid of our DHCP server breaking out of
its subnet and VLAN and installing Linux on their Cisco VoIP phones
and rebooting Windows servers. When we explained this was impossible,
and anyhow, since we were tying leases to MAC, it couldn't happen even if
it did end up on the same VLAN, they agreed.

I might one day be able to do the same thing here, but in the
meantime I just need to push on with the project.

Jim

··· On 1 July 2011 08:31, Ohad Levy wrote: (quoted in full above; the Feature #470 link is http://theforeman.org/issues/470)

Hello,

I am trying to find out information about the Foreman proxy for
Windows but I am getting a 404. Is the Windows functionality still
available?

http://theforeman.org/projects/smart-proxy/wiki/MS_DHCP

Jim

··· On 1 July 2011 19:54, James Bailey wrote:

> I have got them to agree in principle to replacing this on *nix side
> with Puppet and Foreman but for reasons I have not yet got fully to
> the bottom of they don't want or have DHCP in the DMZ.

That's probably not unreasonable. If your DMZ DHCP server was compromised,
it would compromise all DHCP clients.

A compromise I've had in many organisations is to
jumpstart (bootp!)/kickstart (dhcp) in a build VLAN, and then move the server
to the DMZ.

John

Yes it does, afaik tested on Windows 2003, 2008.

Paul, would you mind pointing us to the installation instructions? I remember
reading them in the past, but I can't find them either :slight_smile:

Thanks,
Ohad

··· On Fri, Jul 1, 2011 at 1:21 PM, James Bailey wrote: (quoted in full above)

>
>>
>> I have got them to agree in principal to replacing this on *nix side
>> with Puppet and Foreman but for reasons I have not yet got to fully to
>> the bottom of yet they don't want or have DHCP in the DMZ.
>>
> That's probably not unreasonable. If your DMZ DHCP server was compromised,
> it would compromise all DHCP clients.

Agreed, but although there is a DHCP server in the DMZ it isn't used
and all the systems have static IPs, as they should.
>
> A compromise I've had in many organisations is to
> jumpstart(bootp!)/kickstart(dhcp) in a build VLAN, and then move the server
> to the DMZ

It is a method I have used too and considered it here, but using VLANs
effectively is further down the road to the safe, secure, stable and
reproducible infrastructure.

I managed to get to the bottom of the no DHCP when I brought up gPXE
in a team meeting yesterday: they thought I wanted to put the servers
onto DHCP, which sounded crazy bad to me. Once I explained more
effectively exactly what I wanted they were cool about the idea.

Jim :slight_smile:

··· On 2 July 2011 06:14, John Warburton wrote: > On 1 July 2011 19:54, James Bailey wrote:

>
>
>> I have got them to agree in principal to replacing this on *nix side
>> with Puppet and Foreman but for reasons I have not yet got to fully to
>> the bottom of yet they don't want or have DHCP in the DMZ.
>>
>> That's probably not unreasonable. If your DMZ DHCP server was compromised,
> it would compromise all DHCP clients
>
> A compromise I've had in many organisations is to
> jumpstart(bootp!)/kickstart(dhcp) in a build VLAN, and then move the server
> to the DMZ
>

Foreman actually has some basic support for that feature, but it would be
nice if we could extend that a bit further.

Ideally, Foreman (or the smart proxy) should manage the switch configuration too
:slight_smile:

But I agree that if you have a DHCP service which provides IP addresses only
to predefined reservations, I would use that option instead (unless security
is a big issue --> DMZ hosts can reach Foreman).

Ohad

··· On Sat, Jul 2, 2011 at 8:14 AM, John Warburton wrote: > On 1 July 2011 19:54, James Bailey wrote:


I have updated the MS DHCP installation page on the wiki. This procedure
was written down from memory, so I hope that it is complete. James can always
contact me on #theforeman IRC if this has errors or omissions.

··· On 1 July 2011 11:55, Ohad Levy wrote: (quoted in full above)

It should be perfectly safe, so long as you're using reasonably current
enterprise switching gear. Most of them will have various abilities to filter
DHCP server traffic, such that only servers connected to whitelisted ports
will be able to send responses to clients.

··· On 7/3/2011 3:00 AM, James Bailey wrote:
> On 3 July 2011 07:21, Ohad Levy wrote:
>> but I agree, that if you have a dhcp service which provides ip addresses only
>> to predefined reservations, I would use that option instead (unless security
>> is a big issue --> dmz hosts can reach foreman).
>
> DHCP is allowed in a PCI DSS environment and it is not expressly
> forbidden in the NSA build guide. I see no reason, if people are completely
> paranoid about a DHCP service, that it cannot be shut down between builds
> using the smart proxy.
>
> Jim :slight_smile:


Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken

>
>
>>
>>>
>>> I have got them to agree in principal to replacing this on *nix side
>>> with Puppet and Foreman but for reasons I have not yet got to fully to
>>> the bottom of yet they don't want or have DHCP in the DMZ.
>>>
>> That's probably not unreasonable. If your DMZ DHCP server was compromised,
>> it would compromise all DHCP clients
>>
>> A compromise I've had in many organisations is to
>> jumpstart(bootp!)/kickstart(dhcp) in a build VLAN, and then move the server
>> to the DMZ
>
> Foreman actually have some basic support for that feature, but it would be
> nice if we could extend that a bit further.
> ideally, foreman (or smart proxy) should manage the switch configuration too
> :slight_smile:
Ideally yes, but any switching and networking configuration is going
to be a long Conradian journey into the heart of darkness. That said,
Cisco have announced they are jumping on the cloud OpenStack band
wagon, so maybe we will find more APIs we can plug the smart proxy and
Puppet into, and there is limited support in Puppet now.

> but I agree, that if you have a dhcp service which provide ip addresses only
> to predefined reservations, I would use that option instead (unless security
> it a big issue --> dmz hosts can reach foreman).

DHCP is allowed in a PCI DSS environment and it is not expressly
forbidden in the NSA build guide. I see no reason, if people are completely
paranoid about a DHCP service, that it cannot be shut down between builds
using the smart proxy.

Jim :slight_smile:

··· On 3 July 2011 07:21, Ohad Levy wrote: > On Sat, Jul 2, 2011 at 8:14 AM, John Warburton wrote: >> On 1 July 2011 19:54, James Bailey wrote: