Based on pchalupa's setup. If you find a bug or problem, ping me in the #theforeman-dev IRC channel.

Bare-metal machine with: smart-proxy, puppet master, foreman, kvm (virsh with dhcp and dns support on the proxy). VMs are provisioned in a virtual network. The Foreman web server process is replaced: Apache redirects to thin running from a checkout with Staypuft.
- fresh Fedora 19 on bare-metal
- `yum -y install http://yum.theforeman.org/releases/1.5/f19/x86_64/foreman-release.rpm`
- `yum -y install foreman-installer`
- `yum -y install foreman-libvirt`
- disable selinux:
  - `setenforce Permissive`
  - edit `/etc/sysconfig/selinux` and set `SELINUX=disabled`
- allow ports in the firewall; I've used the F19 firewall config tool `firewall-config`:
  - enable in zone public:
    - services: http, https, libvirt
    - ports: 8140 (puppetmaster), 8443 (proxy), 5900-5930 (vnc)
- install virtualization: `yum install @virtualization`
- create/update the subnet with `sudo virsh net-edit default`:

  ```xml
  <network>
    <name>default</name>
    <uuid>7c58ee26-2c78-4b4c-be8d-2d7f1ce9b4f8</uuid>
    <forward mode='nat'>
      <nat>
        <port start='1024' end='65535'/>
      </nat>
    </forward>
    <bridge name='virbr0' stp='on' delay='0' />
    <mac address='52:54:00:e4:89:49'/>
    <domain name='example.com'/>
    <ip address='192.168.100.1' netmask='255.255.255.0'>
      <tftp root='/var/lib/tftpboot/' />
      <dhcp>
        <range start='192.168.100.10' end='192.168.100.254' />
        <bootp file='pxelinux.0' />
      </dhcp>
    </ip>
  </network>
  ```
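A check for the network definition above, added here and not part of the Staypuft or Foreman projects: it parses the libvirt XML and verifies the properties the PXE/discovery flow depends on (NAT forwarding, a DHCP range inside the bridge subnet that does not include the bridge address, a bootp file plus a tftp root to serve it, and a domain for dnsmasq). The embedded XML is the page's network trimmed to those elements.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The page's `default` network, trimmed to the elements checked below.
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'><nat><port start='1024' end='65535'/></nat></forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <domain name='example.com'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot/'/>
    <dhcp>
      <range start='192.168.100.10' end='192.168.100.254'/>
      <bootp file='pxelinux.0'/>
    </dhcp>
  </ip>
</network>"""


def check_network(xml_text):
    """Return the problems found; an empty list means the network supports PXE discovery."""
    root = ET.fromstring(xml_text)
    problems = []
    fwd = root.find("forward")
    if fwd is None or fwd.get("mode") != "nat":
        problems.append("forward mode is not 'nat': VMs cannot reach outside repositories")
    if root.find("domain") is None:
        problems.append("no <domain>: libvirt's dnsmasq will not resolve VM hostnames")
    ip = root.find("ip")
    if ip is None:
        return problems + ["no <ip>: libvirt will not run dnsmasq (DHCP/DNS) on the bridge"]
    gateway = ipaddress.ip_address(ip.get("address"))
    subnet = ipaddress.ip_network(f"{gateway}/{ip.get('netmask')}", strict=False)
    rng = ip.find("dhcp/range")
    if rng is None:
        problems.append("no DHCP range: unknown hosts cannot PXE boot and be discovered")
    else:
        start, end = (ipaddress.ip_address(rng.get(k)) for k in ("start", "end"))
        if start not in subnet or end not in subnet or start > end:
            problems.append(f"DHCP range {start}-{end} is not inside {subnet}")
        elif start <= gateway <= end:
            problems.append(f"DHCP range includes the bridge address {gateway}")
    bootp = ip.find("dhcp/bootp")
    if bootp is None or not bootp.get("file"):
        problems.append("no <bootp file>: DHCP offers carry no PXE boot filename")
    elif ip.find("tftp") is None or not ip.find("tftp").get("root"):
        problems.append("<bootp> set but no <tftp root>: nothing serves the boot file")
    return problems
```

Run `check_network(NETWORK_XML)` on the XML you are about to feed to `virsh net-edit`; an empty result means all checks passed.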
- set the fqdn of the bare-metal machine to foreman.example.com:
  - `hostname foreman.example.com`
  - update `/etc/hostname`
  - add the line `192.168.100.1 foreman.example.com foreman` to `/etc/hosts`
- fix non-ASCII chars in `/etc/fedora-release` and, if it exists, `/etc/fedoraversion`: replace ö with o and also remove the ' char.
- run `foreman-installer` (to install foreman with default options); use the system ruby, rvm and rbenv can mess things up
  - if you get locale errors or errors related to the operatingsystem version check: `export LANG=en_GB.utf8`
  - if you get the error:

    ```
    /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[martyn-work-laptop.example.com]: Could not evaluate: 404 Resource Not Found: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    ```

    try:
    - `setenforce 0`
    - `service httpd restart`
    - `foreman-installer`
    - see: https://groups.google.com/forum/#!msg/foreman-users/KLLYmqS0aD4/OkoTfdDe8DsJ
- enable access to libvirt: http://theforeman.org/manuals/1.5/index.html#5.2.5LibvirtNotes
  - test the connection from the foreman UI: https://foreman.example.com/compute_resources/1-libvirt/edit, "Test Connection" button
- configure the smart proxy with tftp, dhcp, dns: http://theforeman.org/manuals/1.5/index.html#4.3.9Libvirt
  - refresh Features on the smart proxy record
- see http://www.youtube.com/watch?v=eHjpZr3GB6s about how to set up provisioning in the foreman UI, basically linking it all together
- DNS setup
  - VMs see foreman.example.com and each other because of the dnsmasq run by libvirt and managed by foreman-proxy
  - to set up local dnsmasq to see the VMs from the foreman.example.com machine:
    - add `dns=dnsmasq` to `/etc/NetworkManager/NetworkManager.conf` to enable global dnsmasq
    - add the file `/etc/NetworkManager/dnsmasq.d/global.conf` containing:

      ```
      # only listen on the local address, so as not to collide with the libvirt dnsmasqs
      listen-address=127.0.0.1
      server=/example.com/192.168.100.1
      ```

    - restart NetworkManager: `systemctl restart NetworkManager.service`
- update the httpd foreman config files, both `/etc/httpd/conf.d/05-foreman.conf` and `05-foreman-ssl.conf` (httpd only treats `#` at the start of a line as a comment, so the comments sit on their own lines):

  ```apache
  # replace the following line
  PassengerAppRoot /usr/share/foreman
  # with the following:
  # PassengerAppRoot /usr/share/foreman
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
  LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
  <Proxy balancer://thinserversforeman>
    # use the fqdn, not localhost
    BalancerMember http://your.machine:3000/
  </Proxy>
  RewriteEngine On
  # needed when installed with Katello:
  # RewriteCond %{REQUEST_URI} !^/pulp.*$
  RewriteRule ^/(.*)$ balancer://thinserversforeman%{REQUEST_URI} [P,QSA,L]
  ProxyPassReverse / http://your.machine:3000/
  ProxyPass / balancer://thinserversforeman
  ProxyPreserveHost on
  ```

- use the same DB or copy it to the other machine
- check the settings of your new foreman process: modulepath, foreman_url, ssl_ca_file, ssl_certificate, ssl_priv_key, unattended_url
- configure `/etc/puppet/puppet.conf` to point to the openstack-puppet-modules and astapor modules:
  - check out astapor and openstack-puppet-modules
    - from `git@github.com:redhat-openstack/astapor.git` and
    - from `git@github.com:redhat-openstack/openstack-puppet-modules.git` (use `git clone --recursive ...` to initialize the submodules)
  - modify the `[production]/modulepath` section of `/etc/puppet/puppet.conf`:

    ```ini
    [production]
    modulepath = /etc/puppet/environments/production/modules:/etc/puppet/environments/common:/usr/share/puppet/modules:/{git-root}/openstack-puppet-modules:{git-root}/astapor/puppet/modules
    ```

  - `rake puppet:import:puppet_classes[batch]`
    - if using the rpm version, then substitute `foreman-rake` for `rake`
    - if an error results stating that the sqlite3 gem is required, then: `yum -y install ruby-devel gcc libsqlite3x-devel` and `gem install sqlite3`
- install the discovery plugin (it is a dependency of Staypuft once #39 is merged):
  - create `/etc/yum.repos.d/foreman_plugins.repo` containing the following:

    ```ini
    [foreman-plugins]
    name=Foreman plugins
    baseurl=http://yum.theforeman.org/plugins/1.6/el6/x86_64/
    enabled=1
    gpgcheck=0
    ```

  - `yum -y install rubygem-foreman_discovery.noarch`
  - reboot the system (`systemctl restart foreman` is not sufficient by itself)
- install the tftp images; on the machine with the proxy execute:

  ```sh
  cd /var/lib/tftpboot/boot
  wget http://downloads.theforeman.org/discovery/nightly/foreman-discovery-image-latest.el6.iso-img
  wget http://downloads.theforeman.org/discovery/nightly/foreman-discovery-image-latest.el6.iso-vmlinuz
  ```

- in the foreman GUI, navigate to Administer -> Settings -> Provisioning. Set `safemode_render` to false and click Save. This is required for `<%= Setting['foreman_url'] %>` to work in the PXELinux global default template below.
- navigate to Hosts -> Provisioning templates. Edit the `PXELinux global default` template. Change the template code to the following and click Submit:

  ```
  <%#
  kind: PXELinux
  name: Community PXE Default
  %>
  <%#
  This template has a special name (do not change it) and it is used for booting unknown hosts.
  %>
  DEFAULT menu
  PROMPT 0
  MENU TITLE PXE Menu
  TIMEOUT 200
  TOTALTIMEOUT 6000
  ONTIMEOUT discovery

  LABEL discovery
    MENU LABEL Foreman Discovery
    KERNEL boot/foreman-discovery-image-latest.el6.iso-vmlinuz
    APPEND rootflags=loop initrd=boot/foreman-discovery-image-latest.el6.iso-img root=live:/foreman.iso rootfstype=auto ro rd.live.image rd.live.check rd.lvm=0 rootflags=ro crashkernel=128M elevator=deadline max_loop=256 rd.luks=0 rd.md=0 rd.dm=0 foreman.url=<%= Setting['foreman_url'] %> nomodeset selinux=0 stateless
    IPAPPEND 2
  ```

- click the Build PXE Default button in the upper right corner
- the foreman web process has to have access to the discovered hosts by IP address; if the foreman web process is running on the same machine as the virtual network then all is good, otherwise:
  - set static routes from the machine with the foreman web process to the virtual network: `sudo route -n add 192.168.100.0/24 foreman.example.com`
  - update iptables on the machine hosting the virtual network:
    - enable logging of the TRACE target: `modprobe ipt_LOG`
    - add `kern.debug /var/log/iptables` to `/etc/rsyslog.conf`
    - restart rsyslog: `systemctl restart rsyslog.service`
    - add a rule to trace the incoming packet: `iptables -A PREROUTING -t raw --source 10.34.131.187 --destination 192.168.100.53 -j TRACE`
    - try to access a machine on the private network
    - look into `/var/log/iptables` for which rule REJECTed the packet
    - add a rule ACCEPTing the packets above the rejecting rule; in my case `iptables -t filter -I FORWARD 15 -o virbr0 -s 10.34.131.187 -j ACCEPT` before the rejecting one in the FORWARD chain, `REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable`
    - TODO: make the static routes and iptables changes permanent
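To make the "look into /var/log/iptables" step mechanical, here is an added script (not from the page or the Foreman project) that parses the kernel TRACE lines for the flow traced above, reports the rule that issued the final verdict, and builds the `iptables -I` command that puts an ACCEPT in front of it. The log lines are constructed samples in the kernel's TRACE format; the host name, the interface `em1`, the MAC and the port numbers in them are assumptions, the addresses are the page's.

```python
import re

# Constructed sample of what the -j TRACE rule writes (via rsyslog kern.debug).
# Host name, interface em1, MAC and ports are assumed; addresses are the page's.
SAMPLE_LOG = """\
Jun  3 10:12:01 foreman kernel: TRACE: raw:PREROUTING:rule:1 IN=em1 OUT= MAC=52:54:00:e4:89:49:00:11:22:33:44:55:08:00 SRC=10.34.131.187 DST=192.168.100.53 LEN=60 PROTO=TCP SPT=51234 DPT=22
Jun  3 10:12:01 foreman kernel: TRACE: raw:PREROUTING:policy:2 IN=em1 OUT= SRC=10.34.131.187 DST=192.168.100.53 LEN=60 PROTO=TCP SPT=51234 DPT=22
Jun  3 10:12:01 foreman kernel: TRACE: nat:PREROUTING:policy:1 IN=em1 OUT= SRC=10.34.131.187 DST=192.168.100.53 LEN=60 PROTO=TCP SPT=51234 DPT=22
Jun  3 10:12:01 foreman kernel: TRACE: filter:FORWARD:rule:15 IN=em1 OUT=virbr0 SRC=10.34.131.187 DST=192.168.100.53 LEN=60 PROTO=TCP SPT=51234 DPT=22
Jun  3 10:12:02 foreman kernel: TRACE: filter:INPUT:rule:3 IN=virbr0 OUT= SRC=192.168.100.53 DST=192.168.100.1 LEN=52 PROTO=UDP SPT=68 DPT=67
"""

# TRACE lines carry "table:chain:kind:rulenum"; kind is rule, return or policy.
HOP_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):(?P<num>\d+)"
    r"\b.*?\bOUT=(?P<out>\S*).*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def parse_hops(log_text):
    """One dict per TRACE line, in the order the packet traversed the chains."""
    return [m.groupdict() for m in map(HOP_RE.search, log_text.splitlines()) if m]


def last_hop(log_text, src, dst):
    """The final hop for the flow src->dst: the rule (or policy) that gave the verdict.
    The walk stops at the first terminating target, so a REJECT is the last line logged."""
    flow = [h for h in parse_hops(log_text) if h["src"] == src and h["dst"] == dst]
    return flow[-1] if flow else None


def accept_before(hop, src):
    """Build the iptables command that lets src through ahead of the terminating rule.
    A numbered rule gets an insert at its position (the page's `-I FORWARD 15`);
    a chain policy has no position, so the ACCEPT is appended to that chain instead."""
    if hop is None:
        return None
    where = f"-t {hop['table']} "
    where += f"-I {hop['chain']} {hop['num']}" if hop["kind"] == "rule" else f"-A {hop['chain']}"
    out = f" -o {hop['out']}" if hop["out"] else ""
    return f"iptables {where}{out} -s {src} -j ACCEPT"


if __name__ == "__main__":
    hop = last_hop(SAMPLE_LOG, "10.34.131.187", "192.168.100.53")
    print(f"verdict at {hop['table']}:{hop['chain']} rule {hop['num']} (out {hop['out'] or '-'})")
    print(accept_before(hop, "10.34.131.187"))
```

Feed it the real `/var/log/iptables` and the source/destination you used in the TRACE rule; confirm the reported rule really is the REJECT with `iptables -t <table> -L <chain> -n --line-numbers` before inserting anything.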
- create a machine in libvirt and let it be discovered
- Host -> Provisioning Templates -> New Template; add the following:
  - Name: Kickstart OpenStack
  - Content: https://gist.githubusercontent.com/mtaylor/9669224/raw/090f2af39939c7fff03d04da4abff6ea7d35510e/gistfile1.rb
  - Type: provisioning
  - Association:
- Host -> Operating Systems -> -> Templates
  - provisioning: Kickstart OpenStack
  - override the parameters with the controller IP: `controller_admin_host`, `controller_priv_host`, `controller_pub_host`, `mysql_host`, `qpid_host`
The following is required for invoking puppet runs on remote machines. This will be needed in future versions of Staypuft for orchestration tasks.

- Enable Puppet Run
  - go to the foreman web UI: Administer -> Settings -> Puppet
  - set Puppet Run to 'true'
- Configure Foreman Proxy: add the following lines to the foreman proxy settings.yml:

  ```yaml
  :puppet_provider: puppetssh
  :puppetssh_sudo: false
  :puppetssh_user: root
  :puppetssh_keyfile: /etc/foreman-proxy/id_rsa
  :puppetssh_command: /usr/bin/puppet agent --onetime --no-usecacheonfailure
  ```

- Create SSH Key for foreman-proxy

  ```sh
  # create an SSH key using ssh-keygen
  # cp the private key to /etc/foreman-proxy/
  chown foreman-proxy /etc/foreman-proxy/id_rsa
  chmod 600 /etc/foreman-proxy/id_rsa
  ```

- Turn off StrictHostKeyChecking for the foreman-proxy user: create the following file, `<foreman HOME directory>/.ssh/config`:

  ```
  Host *
    StrictHostKeyChecking no
  ```

  This is a temporary solution. We are tracking this issue here: http://projects.theforeman.org/issues/4543
- Distribute Foreman Public Key to Hosts
  - add the id_rsa.pub public key to the .ssh/authorized_keys file for user root on all Hosts
  - This is a temporary solution. We are tracking this issue here: http://projects.theforeman.org/issues/4542
- Restart foreman-proxy: `sudo service foreman-proxy restart`