Setup Primary Foreman, distributed puppet masters

So, after looking at Foreman it seems to do a lot of what our system
intends to do, but I'm having trouble grasping how I should configure
hosts/proxies to make it work the way we'd like.

What we have now is a puppet master for each esxi host. So that any VM on
that esxi host uses the puppet master on that esxi.

vh01:

  • va01 (puppet master)
    • vm1
    • vm2
    • vm3

vh02:

  • va02 (puppet master)
    • vm1
    • vm2
    • vm3

Something like that. The puppet modules and configurations are sourced from
the primary va01 and synced to va02/va03/etc (via lsync/svn).

What I'd like to do is setup a primary Foreman server that manages
puppet/provisions hosts and then the "local" master manages the host once
it's up.

I've been looking over these documents
"Foreman :: Manual"
trying to understand what they are saying but I am unsure. Does foreman
have a method of making a "local" master mirror the primary foreman setup?
Am I not understanding how Foreman should be configured?

The cert section is quite confusing: it mentions /var/lib/puppet/ssl but 4
doesn't seem to store there, so I'm wondering if that's just old documentation?

I'm open to actually restyling our design (the current one was not my choice
and seems quite overkill) to a more "local cluster" where all the vms on
all the local vhosts (vhXX) in say dllstx09 are served from a puppet
master in the dllstx09 cluster (we currently have some 20+ vhosts in the dllstx09
pop) and pop mlpsca01 has its own master, etc.

I guess my problem is understanding just how foreman links to other foreman
smartproxies/puppet masters.

Again I'm happy to read/watch any videos that you might find helpful on
this topic for the current version of Foreman.

Guess I just can't get a good idea what the smart proxies exactly do. Are
they just for API calls? Do they actually let other proxies sync up
modules/node data?

If I set up a remote smart-proxy puppet master and tell it to use the
primary foreman puppet master as proxy… will it also keep the modules,
nodes, and other data that is manipulated in Foreman (it's the primary
puppet master also) current?

Do I need to manually sync the puppet server files in
/etc/puppetlabs/code/* (we do something like that currently with our
multi-puppet server setup)? It's unclear if this is required for the foreman and
smart-proxy setup.

This document "http://lofic.github.io/tips/foreman-install.html" seemed
quite promising but I'm not getting what I want out of it. Going to wipe it all
and start cleanly, following each step again, and see if I missed something.

> Guess I just can't get a good idea what the smart proxies exactly do. Are
> they just for API calls? Do they actually let other proxies sync up
> modules/node data?
>

It's for API, yes. They don't talk to each other, they only talk to Foreman
(in general - of course, plugins can do what they like). Since the
intention is to only have a single Foreman, but to manage multiple
networks/datacentres/offices etc, the intended use of smart proxies is for
Foreman to have something consistent to talk to that can manage local
services in a given location. That might mean Puppetmasters, DNS servers,
TFTP, etc. You can get a diagram of that in the manual -
https://theforeman.org/manuals/1.12/#Smart-Proxy

For the sake of clarity, I'll also add a note about the overloading of the
word "proxy" - it means many things to many people these days. The
smart-proxy is a proxy in the sense of "a person authorized to act on
behalf of another" (see https://www.google.co.uk/search?q=definiton+proxy).
In other words, it acts on the behalf of Foreman on a local network. It is
not a caching proxy, reverse proxy, or other form of synchronisation agent.

> If I set up a remote smart-proxy puppet master and tell it to use the
> primary foreman puppet master as proxy… will it also keep the modules,
> nodes, and other data that is manipulated in Foreman (it's the primary
> puppet master also) current?
>

The short answer is "no". To explain a little, understand that no state or
data is stored in the proxy at all - if, for example, you ask the proxy for
a free IP on its subnet, then it gets this by parsing the DHCP leases file
right now, not by storing a set of IP states itself.

> Do I need to manually sync the puppet server files in
> /etc/puppetlabs/code/* (we do something like that that currently with our
> multi-puppet server setup) but unclear if this is required for foreman and
> smart-proxy setup.
>

You do, yes. Foreman makes no statement about how Puppet code should arrive
on disk - all it does is (when you click Import in the UI) ask the puppet
stuff what classes are on disk right now - that could be by asking the
puppetmaster over the Puppet API or parsing the *.pp files themselves (for
older puppetmasters with no class API).

Hope it helps!
Greg
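As an added illustration of the "parse the *.pp files on disk" import path Greg describes (this is example code, not Foreman's or the smart-proxy's own importer): a read-only scanner that walks a code directory laid out like /etc/puppetlabs/code/environments/<env>/modules and lists the class names per environment. The environment tree and module files are constructed in a temp dir.

```python
"""Scan a Puppet code tree for class declarations, as an older Foreman import
would when no class API is available. Added example; not Foreman's own code."""
import os
import re
import tempfile

# A class declaration starts a line: `class foo::bar (` or `class foo::bar {`.
# Resource-style `class { 'foo': }` uses is deliberately not matched.
CLASS_RE = re.compile(
    r"^\s*class\s+([a-z][a-z0-9_]*(?:::[a-z][a-z0-9_]*)*)\s*[\({]", re.MULTILINE)

def scan_classes(code_dir):
    """Return {environment: sorted class names} for code_dir/<env>/modules/**/*.pp."""
    found = {}
    for env in sorted(os.listdir(code_dir)):
        modules = os.path.join(code_dir, env, "modules")
        if not os.path.isdir(modules):
            continue  # not an environment directory, skip it
        names = set()
        for root, _dirs, files in os.walk(modules):
            for fname in files:
                if fname.endswith(".pp"):
                    with open(os.path.join(root, fname), encoding="utf-8") as fh:
                        names.update(CLASS_RE.findall(fh.read()))
        found[env] = sorted(names)
    return found

def build_sample_tree(base):
    """Constructed sample tree mimicking /etc/puppetlabs/code/environments."""
    files = {
        "production/modules/ntp/manifests/init.pp": "class ntp (\n  $servers = [],\n) {\n}\n",
        "production/modules/ntp/manifests/config.pp": "class ntp::config {\n  class { 'ntp::service': }\n}\n",
        "production/modules/ntp/manifests/service.pp": "class ntp::service {}\n",
        "staging/modules/sshd/manifests/init.pp": "# comment\nclass sshd { }\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

def demo():
    """Build the constructed tree and scan it; returns the per-environment class map."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_classes(build_sample_tree(tmp))

if __name__ == "__main__":
    print(demo())
```

Because the scan reads the files as they are right now, whatever you use to get code onto each master (lsync, svn, r10k) decides what an import will see; the proxy itself keeps no copy.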

On 25 August 2016 at 17:04, Mike Wilson wrote:

Thanks for the information Greg. It's been a great help.