Question about a potential large (or rather: more complicated setup)

Hi,

I’m trying to come up with a way to use Foreman Katello for our setup (have been for a long time, actually, but never got around doing it seriously).
Both for provisioning and for content-management (“updates”).

Background: we have a couple of hundred hosts, with a mixture of (a few) RHEL, (some more) CentOS 7, 8 (future unknown for to obvious reasons, some I’ll probably convert/reinstall to RHEL), Ubuntu 18+20 (and FreeBSD, but they’re out of scope for this question anyway). These hosts are either bare metal, VMWare VMs, or OpenStack VMs.
We also have our own OpenStack installation, but this is controlled almost 100% by OpenStack tools (ironic etc.pp.) and it’s unlikely that the group who runs this would want to change their workflow.

(Side note: a different group already went and bought Satellite Server, which they are using mostly for patching last time I asked - we could probably use that to manage our RHELs, but AFAIK Satellite Server does not really support anything but RHEL) and we’d still need a solution for non-RHEL.

Anyway - all these servers sit compartmentalized in multiple dozens of different VLANs behind (physical) firewalls (typical “old-school” MSP setup, if you want), sometimes in different switching-domains. There’s not really a management-LAN for them that they all share - the office-network is the management-network in effect.
There’s sometimes only a one or two servers in a VLAN (reverse-proxy or WAF).

Until I think Ubuntu 18, the Ubuntu servers were setup with a simple homegrown pxe-boot setup through a single, enterprise-wide PXE-boot VLAN, that was mapped to the host either via VMWare or via switch-setup (bare metal).
With Ubuntu 20, this did not work any longer and thus these servers are setup manually (except on Openstack where we use ansible or create them from images via openstack cli commands).

CentOS servers are still setup via Cobbler (no effort has been made to install Ubuntu via Cobbler), but the server is CentOS 7 and it shows its age (and I really want to move to something more “modern”, like Foreman.

Now, we (our group) do not control the switches, nor the Vcenter(s - yes, we have 20-ish of those, too, all slightly different…) - thus we cannot create VMs directly but only via opening a ticket.

For updating, we have our own mirror(s) of Ubuntu + CentOS repos, which we create weekly (and quarterly) “branches” off those we apply updates via ansible (or manually).

I would like to minimize the amount of SmartProxies to use - but last time I looked Foreman wasn’t really geared towards doing installation via a temporary PXE-boot VLAN such as what we currently have.

For content-management, it should not be a problem as I just have to give the Smart-Proxy a public IP and allow traffic to it from the clients. But how do you do DHCP/PXE?

Any advice?

While I cannot comment on your specific setup regarding the VLANs, you might want to have a look at the Foreman Professional Services page.

Disclaimer: I work for ATIX and I’d be happy to send you contact details via PM.

We are not into that, no. The point is, if you want to do VM moving, then use image-based workflow. Foreman currently does not support much in that area, but there are plans improving image-based provisioning (even for bare metal), at least for RHEL and compatible systems due to new projects in Anaconda and Image Builder (Lorax).

While you do not have control of your VMWare, what stops you from asking for a VM, configuring smart proxy there and then creating tickets with “boot from network”. Those systems can be discovered via our plugin and then provisioned from scratch.

I am not sure what is the question here.

Anyway, if you want more flexible provisioning workflow not dependant on Foreman, DHCP is not required at all. Many users use Foreman with what we call “unmanaged DHCP”, the same for DNS. All you need to have a working PXE, iPXE or HTTP UEFI setup is to have access to a TFTP smart-proxy that will manage PXELinux, iPXE or Grub2 configuration files and a DHCP server that is configured to hand over clients to those TFTP/HTTP services.

Then in your subnet, you can just associate a TFTP proxy leaving DHCP and DNS blank, Foreman will not perform any DHCP/DNS orchestration. Foreman generates a UUID token and stores that on the PXE server config files so hosts are matched correctly. I am not sure if Foreman lets you create a host without any IP address tho, I think it does not, in that case just configure a subnet with DB IPAM so a “fake” IP address is assigned and once a host is provisioned and configuration management tool checks in, it will overwrite the IP address in the Foreman inventory.

1 Like

Hi,

thanks everybody for your feedback.

We do have access to Vcenter to adjust VLANs (for which we have rights to “see”) for VMs (and Remote Console to boot, install). We just can’t create new VMs (with 50-ish engineers, that would create the mother of all sprawls…).

We don’t do VM templates, so every VM is delivered blank. I was under the assumption that to boot such a VM (and install it via PXE), I need a DHCP-server in that subnet (and thus a smart-proxy)?

I am now leaning towards installing a smart-proxy in one of our “more central” vlans/subnets and assigning the interface with the DHCP-server to the machine to be installed as-needed.
The idea is to NAT the primary interface of the SmartProxy into the network where the client is installed, while being able to have only one single pxe-boot network.

This is what I draw from this thread:

This is more of a proof-of-concept install. We might later actually settle for ATIX’s “fork” of foreman.

All-in-all, foreman is a massive amount of software that will take a while to wrap one’s mind around.

I take it there is no integration, yet, with any kind of IPAM for the subnets that can be configured?

I know there is an abstraction for IPAM itself, but you still need to create the subnets (AFAIK) - and we have plenty of those, too. We plan to move to a “professional” (commercial) DDI solution soon-ish.

Yes, I believe in PXE/HTTP UEFI boot as the most flexible way of provisioning and this is our main goal. We do have many other workflows but booting from network will always be well tested and with most features.

You need at least a TFTP proxy there, you can even deploy it somewhere else, all you need is a working NFS mount to a TFTP server (of any kind), if deploying smart proxy “somewhere” is a big deal for you.

Indeed, it’s a little monster of ours :slight_smile:

You might find this handy:

https://docs.theforeman.org/nightly/Provisioning_Guide/index-foreman-el.html

https://docs.theforeman.org/

Foreman currently supports manual IP, DB IPAM (Foreman owns the pool of IP addresses, just a single heap per subnet), DHCP mode (meaning DHCP proxy will find the next available IP from a range sequentially) and External IPAM which is an experimental feature - there is a plugin that integrates with MyIPAM and one more provider. This is fairly fresh code:

1 Like