RFC: Bare Metal Provisioning with M2 in Foreman

Our current ComputeResources usually implement start, stop, list images, list projects/tenants/flavors/zones/networks. I suggest taking a look at OpenStack or a similar cloud provider:

As you can see, our CRs are tightly coupled with Foreman core and also with the Fog Ruby library, which provides the connection. I don’t like this coupling very much and it looks like you would prefer creating a smart proxy module with an HTTP API to access M2. I like this; we have several RFEs to support connecting via smart-proxy because a direct connection is not always available.

I think it is worth exploring the idea of creating a generic Compute Resource that would only connect to a well-designed smart-proxy API. The same Compute Resource code could be reused in the future for other/new smart proxy “connectors” implemented remotely via HTTP API. We already have a decent module/plugin/provider system in smart proxy which enables us to write loosely coupled components and we could build on top of that. One advantage of this approach is that smart proxies have an “auto-discovery” feature: once they are registered in Foreman they pass a list of “available modules” (we really call them “features”), so new Compute Resources would automatically appear.

I’d recommend specifying a minimum set of integration calls required for successful provisioning, but including multi-tenancy from the very beginning. This is an important aspect downstream and for the enterprise. The Foreman-Smart Proxy connection does not carry credentials and has global authorization AFAIR (client HTTPS certificate), so the API would need to define this. A simple mapping between Foreman Organization and User/Group would do the job.

On another thought, you can have M2-managed VMs as well, maybe just M2 would do the job. I agree that it makes most sense with bare-metal.

We can do a community call where I can provide more details and answer questions if you want.

Foreman today does not manage networks at a lower level (ports, VLANs) or even in cloud/virt providers, but we have plans to redesign the network model in our DB in a more flexible way so we can start building towards something like that. There is a demand for this in our community and an RFC is currently being discussed.

We have really deep multi-tenancy in Foreman; it’s possible to have multiple Foremans, but rather than that I’d like to work towards a fully multi-tenant instance. If M2 can manage isolated networks, then it’s just a matter of provisioning a smart-proxy on each DHCP subnet and connecting it to Foreman under the correct Organization.