Using smart-proxy site to build system question

I've been learning Foreman and have had good luck with building "locally"
(same network as foreman master host). So my next learning experience was
to set up an ESXi host in a remote pop and build across the wire. I set up a
dhcp/tftp smart proxy site and was able to get the remote vm created and
the kickstart process "started" (boot file from tftp) but when it gets to
the unattended URL it fails.

This is a sample of the URL:

http://10.0.10.10/unattended/provision?token=90aafb73-fd6b-4d8d-a35d-c0d54f6bcfc2

The ip address is the smart-proxy locally at that site. I must be missing
some part of the process… do I need to set up apache proxy to bounce the
local request BACK to the foreman primary server?

Thanks for any tips.

To add more to the story… here is a clip from the log of the local
smart-proxy host for this kickstart. You can see the 404 (not found) error
for the unattended url request.

10.0.10.15 - - [29/Sep/2016:19:07:28 +0000] "GET /unattended/provision?token=90aafb73-fd6b-4d8d-a35d-c0d54f6bcfc2 HTTP/1.1" 404 218 "-" "curl/7.29.0"

Just to be clear, you're attempting to build a host without any direct
connections to Foreman? Have you done this via changing the :unattended_url
setting in Foreman (not the right way to go) or via the Templates feature
in the smart-proxy (definitely the right way to go)?

Cheers
Greg

I am trying to have the primary foreman host do the fiddly bits of building
(configuration hostname/ips/disk/etc) like it does for its "local" host
builds and the smart-proxy do the actual building (tftp/centos media). The
host initially will have a non-routable ip address (provisioning interface
10.0.10.X) and at a remote location from the foreman primary so I need to
figure out how to get past the initial kickstart. As an FYI, the host I'm
building will use a "local" puppet master that is an agent of the foreman
primary once it's built.

Is there a better way to go about this?

Not sure if this will make it any more clear but here is what I'm looking
at right now.

  • pop01
    -foreman primary (puppet master "alpha" also)

  • pop02
    -builder01, smart-proxy (tftp,dhcp) (puppet master agent of foreman alpha)
    -host-to-be-built <------

On Tuesday, October 4, 2016 at 7:24:21 AM UTC-5, Greg Sutcliffe wrote:
> Just to be clear, you're attempting to build a host without any direct
> connections to Foreman? Have you done this via changing the :unattended_url
> setting in Foreman (not the right way to go) or via the Templates feature
> in the smart-proxy (definitely the right way to go)?
>
> Cheers
> Greg

Firstly, by default the media comes from an upstream mirror - the default
Centos mirror we ship is http://mirror.centos.org/centos/$version/os/$arch
- no installation media is going to be retrieved from Foreman under either
scenario. Of course, you're welcome to spin up an http mirror of your own
on a given network add it in the Foreman UI (or take a look at our Katello
plugin for content management). Your "Local" scenario is presumably using
an appropriate solution for you, so we're good here (assuming pop2 can see
this mirror).

Secondly, the TFTP is always handled at the proxy level, so that doesn't
change from your "Local" scenario.

The only "non-local" thing you need to worry about is the templates - as
you see in your original post, you're trying to retrieve them from the
proxy, which (out of the box) won't work - the proxy doesn't understand
those URLs. That's what leads to my question about how the proxy's IP
appears in your PXE template, because if you hard-coded it (or changed
:unattended_url) then not only will it not work, it'll actually break your
"Local" setup, because :unattended_url is a global setting.

Assuming then that the host in pop2 has no route to Foreman in pop1 (if it
does, then you need nothing more than a TFTP proxy in pop2, the rest should
work as before), then what you want to do is configure the "Templates"
plugin for the proxy - this is exactly the use case it was written for.
You can find docs for it here:
https://theforeman.org/manuals/1.12/index.html#4.3.12Templates

HTH
Greg

>
> Firstly, by default the media comes from an upstream mirror - the default
> Centos mirror we ship is http://mirror.centos.org/centos/$version/os/$arch
> - no installation media is going to be retrieved from Foreman under either
> scenario. Of course, you're welcome to spin up an http mirror of your own
> on a given network add it in the Foreman UI (or take a look at our Katello
> plugin for content management). Your "Local" scenario is presumably using
> an appropriate solution for you, so we're good here (assuming pop2 can see
> this mirror).
>

Indeed I built a local media for this purpose.

>
> Secondly, the TFTP is always handled at the proxy level, so that doesn't
> change from your "Local" scenario.
>
> The only "non-local" thing you need to worry about is the templates - as
> you see in your original post, you're trying to retrieve them from the
> proxy, which (out of the box) won't work - the proxy doesn't understand
> those URLs. That's what leads to my question about how the proxy's IP
> appears in your PXE template, because if you hard-coded it (or changed
> :unattended_url) then not only will it not work, it'll actually break your
> "Local" setup, because :unattended_url is a global setting.
>

The unattended_url configured on the foreman primary is "10.10.0.10" and
the ip I plan to configure "local" builderXX hosts with.

> Assuming then that the host in pop2 has no route to Foreman in pop1 (if it
> does, then you need nothing more than a TFTP proxy in pop2, the rest should
> work as before), then what you want to do is configure the "Templates"
> plugin for the proxy - this is exactly the use case it was written for.
> You can find docs for it here:
> Foreman :: Manual
>

So this appears to be what I needed (template proxy) and I did set it up
and it now shows up in the smart proxy's (builder01) list of "features"
after a refresh on the foreman primary… however I still get 404 on the
unattended URL.

Here is the configuration I have for
"/etc/foreman-proxy/settings.d/templates.yml":

:enabled: true
:template_url: http://10.10.0.10:8000

(10.10.0.10 is one of builder01's IPs). I also pointed it at the foreman
primary at one point thinking it needed to be using that instead (based on
notes in the example templates.yml file) but didn't seem to help.

And I did ensure that ":http_port: 8000" was uncommented in
/etc/foreman-proxy/settings.yml. (restarted foreman-proxy and httpd to be
sure).

I tried "cancel build" then "build" thinking maybe it needed to copy
something and that didn't seem to make a difference so I also deleted the
host and re-added to build and same error.

I'll keep trying to trace what I am missing here.

Thanks for the suggestions, they certainly seem to be what I need to get
working!

On Tuesday, October 4, 2016 at 10:20:40 AM UTC-5, Greg Sutcliffe wrote:

So, still trying to debug this and wanted to update a few things I tried.

First off the template_url above should have been "10.0.10.10".

I also disabled iptables/firewalld on both the smart proxy and the foreman
server to make sure there wasn't something there blocking.

I've monitored the logs of the smart proxy and the foreman prime server
during the kickstart process and the only thing I see is the http error on
the smart proxy builder host.

==> httpd/access_log <==
10.0.10.19 - - [05/Oct/2016:15:19:05 +0000] "GET /unattended/provision?token=290e1cce-21d6-43a2-97c9-47a2d114d9b2 HTTP/1.1" 404 218 "-" "curl/7.29.0"

I've tried to use a web browser to get the URL as well and get the same
error.

As I mentioned previously, on the foreman prime server it shows "Templates"
in the smart proxy's "Features".

Is the "template_url" supposed to be the foreman prime server or the smart
proxy builder? I've actually tried both and had no luck for what it's
worth. I must be missing something in how it's supposed to be configured.