Using cloud-init-templates with foreman-proxy (foreman-proxy-content)

Using userdata/cloud-init installation with a foreman-proxy-content-proxy as template server

**Expected outcome: **
Same results as if the host would connect to the main foreman-server to get the user-data-/cloud-init-template

Foreman and Proxy versions:
Both on 1.24.3

Distribution and version:
CentOS 7

Other relevant data:

I am currently trying to provision new VMware machines using image-based deployments. For this I want to use cloud-init & userdata and static IP-adresses.
This works fine with an foreman 1.24.3 if my hosts are connected directly to the foreman-server itself to get their userdata-template.

However, I have separated network with no access to other subnets. For this I use a foreman-content-proxy, which is also configured to be template-server. This proxy works fine for other deployment-methods but in case of the userdata-templates the URL http:///userdata/user-data throws an 404.

curl -D - -H 'X-Forwarded-For:' https://<proxy-content-url>/userdata/user-data
HTTP/1.1 404 Not Found
Date: Fri, 28 Aug 2020 08:33:54 GMT
Server: Apache
Content-Length: 216
Content-Type: text/html; charset=iso-8859-1

<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL /userdata/user-data was not found on this server.</p>

Other than that I have not found any helpful entries in the logs.

I also tried to access it on different ports. Port 8000 gives an Internal Server Error, which also appears in the production.log.
If I try to use port 8443 I get a userdata-template but this is rendered for my proxy-content-host and not for the given IP or host I want to provision. Same effect if I use a squid-proxy to connect to the main foreman.

I found that this should be somehow implemented in the pullrequest:

But it seems only to work for the main-foreman-server.

Am I missing some extra configuration to enable this or is this feature just not available?


Hello, support was added in 1.24 according to git (1.23 according to redmine probably incorrectly set flag): Feature #24885: templates proxy should proxy cloud-init nocloud templates - Smart Proxy - Foreman

This was added as part of “templates” feature, the moment you have it turned on on HTTP endpoint, you should be able to reach it on the HTTP port (8000 in your case) under the /userdata path. Doublecheck the smart proxy config in settings.d/templates.yml and that the module was not turned off during boot because of some error.


thank you for the answer. But my templates.yml looks ok:

# Enable this if the Proxy should handle template requests on behalf of Foreman
# Can be true, false, or http/https to enable just one of the protocols
:enabled: true

# This plugin also requires that :foreman_url: be set in the main settings.yml
# This lets the plugin know how to obtain the templates from foreman.

# This allows the proxy to define how hosts that are being provisioned where to
# obtain the templates from. Most installers don't support https, so it's recommended
# to enable an http port listener in the main config file too, and use it in
# the url below
# :template_url is the URL the host should use to contact the proxy for a template.
# The default protocol is http on port 80 unless otherwise specified in the url.
# Examples:
#            # default proxy https port
#             # default proxy http port
# # assumes port 443
#  # assumes port 80
#    # assumes http
:template_url: http://<proxyurl>:8000

Or do I need some extra configuration for the userdata?

But I can try it again with the port 8000 in the URL - maybe I missed something during the tests until it worked without the proxy.

Hi again,

I retried it - with port 8000 I get a user-data-template, BUT it is not the correct one.
I expect the template to render with the details of the host I provisioned but I get the template rendered for the smart-proxy I am using to register to.
It seems that the template-API is forwarded to the foreman but then it renders the template for the smart proxy and not for the host I want to register.

This follows to a new cloned host (with the correct provisioned static IP by the vSphere Customization) but then it runs cloud-init and has the same hostname as my smart-proxy (which then leads to errors within the subscription-manager and the puppet registration).

That sounds like a nasty bug indeed. Let me take a look.

So it’s a forgotten configuration step in our guide:

Perform this step to fix the issue.

Hello lzap,

I have the same problem as described above.

If I now add the remote addr setting I don’t get any template with curl anymore.
curl gives me this output:

Could not find host for request

What is missing here so that it can be determined where the request is coming from?

If i try it with port 8000 instead of 8443 i get
Failed to retrieve user-data userdata template for {“kind”=>“user-data”}: Error retrieving userdata/user-data for {“url”=>“http://< smart-proxy-fqdn >:8443”} from < foreman-fqdn >.

Got it, remote_addr was wrong.