lost and found ( for me ? )


Foreman : add new hosts to foreman

Here are logs when adding new hosts on foreman.

Reference
https://docs.puppetlabs.com/guides/install_puppet/install_fedora.html
https://www.digitalocean.com/community/tutorials/how-to-install-puppet-to-manage-your-server-infrastructure#sign-request-on-master

Assume that foreman and the puppet agents can reach each other by hostname rather than by IP address.

foreman : CentOS7, hostname : foreman.localdomain
new host : fedora 21, hostname : puppet-agent01.localdomain
new host : ubuntu14.04, hostname : ubuntu1404-puppet-agent01.localdomain

foreman can communicate with the puppet agent.
[root@foreman ~]# ping -c 1 puppet-agent01.localdomain
PING puppet-agent01.localdomain (192.168.122.233) 56(84) bytes of data.
64 bytes from puppet-agent01.localdomain (192.168.122.233): icmp_seq=1 ttl=64 time=0.455 ms

--- puppet-agent01.localdomain ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.455/0.455/0.455/0.000 ms

puppet agent can communicate with the foreman
[root@puppet-agent01 ~]# ping -c 1 foreman.localdomain
PING foreman.localdomain (192.168.122.70) 56(84) bytes of data.
64 bytes from foreman.localdomain (192.168.122.70): icmp_seq=1 ttl=64 time=0.353 ms

--- foreman.localdomain ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms

[ install puppet agent on Fedora21 ]

[root@puppet-agent01 ~]# yum search puppet

[root@puppet-agent01 ~]# systemctl status puppet.service
* puppet.service - Puppet agent
  Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled)
  Active: inactive (dead)

edit /etc/puppet/puppet.conf
[root@puppet-agent01 puppet]# grep -v '#' puppet.conf
[main]
   logdir = /var/log/puppet

   rundir = /var/run/puppet

   ssldir = $vardir/ssl

[agent]
   classfile = $vardir/classes.txt

   localconfig = $vardir/localconfig

   server = foreman.localdomain

start puppet agent.
When you run puppet agent for the first time, it sends a certificate signing request to the puppet master (foreman).
[root@puppet-agent01 puppet]# systemctl start puppet.service

[root@puppet-agent01 puppet]# systemctl status puppet.service
* puppet.service - Puppet agent
  Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled)
  Active: active (running) since Tue 2014-12-30 02:34:20 JST; 4s ago
Main PID: 1293 (start-puppet-ag)
  CGroup: /system.slice/puppet.service
          |-1293 /bin/sh /usr/bin/start-puppet-agent agent --no-daemonize
          `-1294 /usr/bin/ruby-mri /usr/bin/puppet agent --no-daemonize

on the foreman host, sign the client cert
[root@foreman ~]# puppet cert list
 "puppet-agent01.localdomain" (SHA256) FA:7A:C3:0F:69:F6:D2:DC:B3:6E:50:69:08:96:99:D3:B1:7A:8F:80:B7:97:1B:7F:A9:24:24:A9:2B:06:CC:1E


[root@foreman ~]# puppet cert sign puppet-agent01.localdomain
Notice: Signed certificate request for puppet-agent01.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent01.localdomain at '/var/lib/puppet/ssl/ca/requests/puppet-agent01.localdomain.pem'

view all signed requests.
[root@foreman ~]# puppet cert list --all
+ "foreman.localdomain"        (SHA256) 46:E4:30:5E:70:1A:2D:3A:CC:F4:13:03:C4:2C:78:DE:36:A2:23:74:89:D4:B0:51:C8:94:B8:3F:63:39:A0:5B (alt names: "DNS:foreman.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet-agent01.localdomain" (SHA256) CA:DB:E1:82:10:B8:41:D5:06:BE:51:55:E5:9D:A3:81:CE:7F:AC:0A:DA:5B:C2:C5:6F:82:17:8F:1A:91:3B:90
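Signing on the hostname alone trusts whichever machine reached the master first with that name. As an added check (example code, not from the post or from Puppet itself), the script below parses `puppet cert list --all` output in the format shown above and approves signing only when the pending request's fingerprint matches the value read on the agent with `puppet agent --fingerprint`; the sample output is constructed from the post's fingerprints plus a made-up revoked entry.

```python
import hmac
import re

# Constructed sample in the `puppet cert list --all` format shown above: a pending
# request (no marker), a signed cert (+) and a revoked one (-, made-up fingerprint).
SAMPLE_CERT_LIST = '''\
  "puppet-agent01.localdomain" (SHA256) FA:7A:C3:0F:69:F6:D2:DC:B3:6E:50:69:08:96:99:D3:B1:7A:8F:80:B7:97:1B:7F:A9:24:24:A9:2B:06:CC:1E
+ "foreman.localdomain"        (SHA256) 46:E4:30:5E:70:1A:2D:3A:CC:F4:13:03:C4:2C:78:DE:36:A2:23:74:89:D4:B0:51:C8:94:B8:3F:63:39:A0:5B (alt names: "DNS:foreman.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
- "retired-agent.localdomain"  (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
'''

# One entry per line: optional +/- marker, quoted name, digest, fingerprint, optional alt names.
LINE_RE = re.compile(
    r'^(?P<mark>[+-]?)\s*"(?P<name>[^"]+)"\s+\((?P<algo>\w+)\)\s+'
    r'(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)'
    r'(?:\s+\(alt names:\s*(?P<alt>[^)]*)\))?\s*$')
STATUS = {"": "pending", "+": "signed", "-": "revoked"}


def parse_cert_list(text):
    """Turn `puppet cert list --all` output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # blank line or something we don't understand
            continue
        entries.append({
            "name": m["name"],
            "status": STATUS[m["mark"]],
            "algo": m["algo"].upper(),
            "fingerprint": m["fp"].upper(),
            "alt_names": re.findall(r'"([^"]+)"', m["alt"] or ""),
        })
    return entries


def normalize_fp(fp):
    # Drop colons/spaces and upper-case so a pasted fingerprint compares cleanly.
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def check_before_sign(entries, hostname, expected_fp):
    """Return (ok, reason): ok only when exactly one pending SHA256 request for
    hostname exists and its fingerprint equals the one shown by `puppet agent --fingerprint`."""
    pending = [e for e in entries if e["name"] == hostname and e["status"] == "pending"]
    if len(pending) != 1:
        return False, f"{len(pending)} pending request(s) for {hostname}"
    req = pending[0]
    if req["algo"] != "SHA256":
        return False, f"unexpected digest {req['algo']}"
    if not hmac.compare_digest(normalize_fp(req["fingerprint"]), normalize_fp(expected_fp)):
        return False, "fingerprint mismatch: do not sign"
    return True, f"ok to run: puppet cert sign {hostname}"
```

On a real master, feed `subprocess.check_output(["puppet", "cert", "list", "--all"], text=True)` to `parse_cert_list` instead of the sample.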

Go to the foreman GUI ( https:// <foreman IP> )
You will find the client via HOSTS -> All hosts




You can sign the client cert via the GUI:
Infrastructure -> “foreman.localdomain”, click Certificates


[ install puppet agent on Ubuntu 14.04 ]

install puppet agent via apt-get.

root@ubuntu1404-puppet-agent01:~# apt-get install puppet

edit /etc/puppet/puppet.conf
root@ubuntu1404-puppet-agent01:~# grep -v '#' /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server = foreman.localdomain

run puppet agent
root@ubuntu1404-puppet-agent01:~# service puppet restart
* Restarting puppet agent                                               [ OK ]

on the foreman GUI, go to Infrastructure -> Smart proxies
and sign the cert request.



list signed certificates via the CLI on the foreman host.
[root@foreman ~]# puppet cert list --all
+ "foreman.localdomain"                   (SHA256) 46:E4:30:5E:70:1A:2D:3A:CC:F4:13:03:C4:2C:78:DE:36:A2:23:74:89:D4:B0:51:C8:94:B8:3F:63:39:A0:5B (alt names: "DNS:foreman.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet-agent01.localdomain"            (SHA256) CA:DB:E1:82:10:B8:41:D5:06:BE:51:55:E5:9D:A3:81:CE:7F:AC:0A:DA:5B:C2:C5:6F:82:17:8F:1A:91:3B:90
+ "ubuntu1404-puppet-agent01.localdomain" (SHA256) 8D:0B:BA:60:12:68:F8:87:A7:1E:77:6D:2F:71:E3:60:AC:CC:AE:D5:61:61:70:A1:18:BF:C5:01:03:D6:59:C9

Install Foreman all-in-one node on CentOS7

Here are trial and error logs when installing foreman on CentOS7.

Reference

I am a newbie to foreman and puppet, and just followed the instructions.

[root@foreman ~]# cat /etc/centos-release
CentOS Linux release 7.0.1406 (Core)

install foreman
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y install epel-release http://yum.theforeman.org/releases/1.7/el7/x86_64/foreman-release.rpm
yum -y install foreman-installer

configure foreman
[root@foreman ~]# foreman-installer
Output of 'facter fqdn' is different from 'hostname -f'
Make sure above command gives the same output. If needed, change the hostname permanently via 'hostname' command and editing
appropriate configuration file.
(e.g. on Red Hat systems /etc/sysconfig/network).

If 'hostname -f' still returns unexpected result, check /etc/hosts and put
hostname entry in the correct order, for example:
 1.2.3.4 full.hostname.com full
Fully qualified hostname must be the first entry on the line
Your system does not meet configuration criteria

The hostname needs to be a fully qualified domain name, so edit /etc/hosts and /etc/hostname.
[root@foreman ~]# cat /etc/hosts
127.0.0.1   foreman.localdomain foreman localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         foreman.localdomain foreman localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@foreman ~]# cat /etc/hostname
foreman.localdomain

[root@foreman ~]# hostname -f
foreman.localdomain
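The installer's hostname check can be reproduced before running it. This is an added example (not part of the post) that applies the same rules to `facter fqdn`, `hostname -f` and /etc/hosts, using the /etc/hosts above plus a constructed bad variant as inputs; `live_preflight` is a hypothetical helper that runs the real commands on the local machine.

```python
import subprocess

# Constructed inputs: the /etc/hosts from the post, and a variant of the kind the
# installer rejects (the FQDN is present but not first on its line).
GOOD_HOSTS = """\
127.0.0.1   foreman.localdomain foreman localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         foreman.localdomain foreman localhost localhost.localdomain localhost6 localhost6.localdomain6
"""
BAD_HOSTS = """\
# the installer complains about this ordering
127.0.0.1   localhost foreman.localdomain foreman
"""


def hosts_entries(text):
    """Yield (address, [names]) for each non-comment line of an /etc/hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line:
            addr, *names = line.split()
            yield addr, names


def preflight(fqdn, facter_fqdn, hostname_f, hosts_text):
    """Reproduce the installer's hostname checks; return a list of problems
    (empty when the host would pass)."""
    problems = []
    if "." not in fqdn:
        problems.append(f"{fqdn!r} is not fully qualified")
    if facter_fqdn != hostname_f:
        problems.append(f"'facter fqdn' ({facter_fqdn}) differs from 'hostname -f' ({hostname_f})")
    if hostname_f != fqdn:
        problems.append(f"'hostname -f' ({hostname_f}) is not the intended FQDN {fqdn}")
    lines = [(a, n) for a, n in hosts_entries(hosts_text) if fqdn in n]
    if not lines:
        problems.append(f"{fqdn} does not appear in /etc/hosts")
    # glibc returns the first name on the matching /etc/hosts line as the canonical
    # name, so `hostname -f` only yields the FQDN when the FQDN comes first.
    for addr, names in lines:
        if names[0] != fqdn:
            problems.append(f"{addr}: {fqdn} must be first on the line, found {names[0]!r}")
    return problems


def live_preflight(fqdn):
    """Hypothetical helper: run the checks on this machine (needs facter installed)."""
    def run(*cmd):
        return subprocess.check_output(cmd, text=True).strip()
    with open("/etc/hosts") as f:
        return preflight(fqdn, run("facter", "fqdn"), run("hostname", "-f"), f.read())
```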

[root@foreman ~]# foreman-installer

Installing             Done                                               [100%]Installing             Done                                               [100%] []
 Success!
 * Foreman is running at https://foreman.localdomain
     Initial credentials are admin / 7J3PpPpjTnqGQXnx
 * Foreman Proxy is running at https://foreman.localdomain:8443
 * Puppetmaster is running at port 8140
 The full log is at /var/log/foreman-installer/foreman-installer.log

I have installed three components on one node: foreman, smart proxy and puppet master.

flush the iptables rules so that I can access foreman over HTTPS (port 443). Note that iptables -F drops every rule in the filter table, not just the one blocking 443.
[root@foreman ~]# iptables -F


run puppet agent on the foreman box.
[root@foreman ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find foreman.localdomain via exec: Execution of '/etc/puppet/node.rb foreman.localdomain' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for foreman.localdomain
Info: Applying configuration version '1419360152'
Notice: Finished catalog run in 0.13 seconds

puppet agent sent its run report to foreman.
foreman automatically imports the reports into its database.

GUI -> HOSTS
You will find the host.

download puppet module.
[root@foreman ~]# puppet module install -i /etc/puppet/environments/production/modules saz/ntp
Notice: Preparing to install into /etc/puppet/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
/etc/puppet/environments/production/modules
└── saz-ntp (v2.3.0)


[root@foreman ~]# ls /etc/puppet/environments/production/modules/ntp/
Gemfile  README.md  checksums.json  metadata.json  templates
LICENSE  Rakefile   manifests       spec           tests

GUI -> Puppet classes -> Import from ..

The ntp class will appear.
select ntp and click “Update”



configure ntp server.
Puppet classes -> ntp -> smart class parameter -> server_list
change ntp server and click “Submit”



apply this class to puppet agent.
HOSTS  -> hostname(in my case, foreman.localdomain) -> Edit -> Puppet class -> ntp
add this and click Submit.


run puppet agent.
[root@foreman ~]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for foreman.localdomain
Warning: The package type's allow_virtual parameter will be changing its default value from false to true in a future release. If you do not want to allow virtual packages, please explicitly set allow_virtual to false.
  (at /usr/share/ruby/vendor_ruby/puppet/type/package.rb:430:in `block (3 levels) in <module:Puppet>')
Info: Applying configuration version '1419362024'
Notice: /Stage[main]/Ntp/Package[ntp]/ensure: created
Notice: /Stage[main]/Ntp/File[/etc/ntp.conf]/content:
--- /etc/ntp.conf 2014-12-20 11:33:10.000000000 +0900
+++ /tmp/puppet-file20141224-7838-16ei0z1 2014-12-24 04:14:08.345000000 +0900
@@ -1,58 +1,16 @@
-# For more information about this file, see the man pages
-# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+# file is managed by puppet
driftfile /var/lib/ntp/drift
-# Permit time synchronization with our time source, but do not
-# permit the source to query or modify the service on this system.
-restrict default nomodify notrap nopeer noquery
-
-# Permit all access over the loopback interface.  This could
-# be tightened as well, but to do so would effect some of
-# the administrative functions.
-restrict 127.0.0.1
-restrict ::1
-# Hosts on local network are less restricted.
-#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-server 0.centos.pool.ntp.org iburst
-server 1.centos.pool.ntp.org iburst
-server 2.centos.pool.ntp.org iburst
-server 3.centos.pool.ntp.org iburst
-
-#broadcast 192.168.1.255 autokey # broadcast server
-#broadcastclient # broadcast client
-#broadcast 224.0.1.1 autokey # multicast server
-#multicastclient 224.0.1.1 # multicast client
-#manycastserver 239.255.254.254 # manycast server
-#manycastclient 239.255.254.254 autokey # manycast client
-
-# Enable public key cryptography.
-#crypto
-
-includefile /etc/ntp/crypto/pw
-
-# Key file containing the keys and key identifiers used when operating
-# with symmetric key cryptography.
-keys /etc/ntp/keys
-
-# Specify the key identifiers which are trusted.
-#trustedkey 4 8 42
-
-# Specify the key identifier to use with the ntpdc utility.
-#requestkey 8
-
-# Specify the key identifier to use with the ntpq utility.
-#controlkey 8
-
-# Enable writing of statistics records.
-#statistics clockstats cryptostats loopstats peerstats
-
-# Disable the monitoring facility to prevent amplification attacks using ntpdc
-# monlist command when default restrict does not include the noquery flag. See
-# CVE-2013-5211 for more details.
-# Note: Monitoring will not be disabled with the limited restriction flag.
-disable monitor
+server clock.redhat.com
+
+# by default act only as a basic NTP client
+restrict -4 default nomodify nopeer noquery notrap
+restrict -6 default nomodify nopeer noquery notrap
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
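Review bot: the new ntp.conf replaces the four `server N.centos.pool.ntp.org iburst` entries with a single `server clock.redhat.com` and drops `iburst`, so time sync now depends on one unauthenticated upstream and initial synchronisation is slower; put several servers in the saz/ntp `server_list` parameter (the one edited in the GUI above) rather than a single host. Dropping `disable monitor` is acceptable only because both new `restrict -4/-6 default` lines keep `noquery`, which the removed comment about CVE-2013-5211 names as the condition for leaving monitoring enabled; keep that flag if those restrict lines are ever loosened.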

Info: Computing checksum on file /etc/ntp.conf
Info: /Stage[main]/Ntp/File[/etc/ntp.conf]: Filebucketed /etc/ntp.conf to puppet with sum dc9e5754ad2bb6f6c32b954c04431d0a
Notice: /Stage[main]/Ntp/File[/etc/ntp.conf]/content: content changed '{md5}dc9e5754ad2bb6f6c32b954c04431d0a' to '{md5}49f0cd4ccf5b44ab3799ad12e5c22bfd'
Info: /Stage[main]/Ntp/File[/etc/ntp.conf]: Scheduling refresh of Service[ntpd]
Notice: /Stage[main]/Ntp/File[/etc/sysconfig/ntpd]/content:
--- /etc/sysconfig/ntpd 2014-12-20 11:33:10.000000000 +0900
+++ /tmp/puppet-file20141224-7838-bbl7hv 2014-12-24 04:14:08.442000000 +0900
@@ -1,2 +1,4 @@
-# Command line options for ntpd
-OPTIONS="-g"
+# file is managed by puppet
+
+# Drop root to id 'ntp:ntp' by default.
+OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"

Info: Computing checksum on file /etc/sysconfig/ntpd
Info: /Stage[main]/Ntp/File[/etc/sysconfig/ntpd]: Filebucketed /etc/sysconfig/ntpd to puppet with sum 48eae7fef92ce98217b36195e7f6b3e0
Notice: /Stage[main]/Ntp/File[/etc/sysconfig/ntpd]/content: content changed '{md5}48eae7fef92ce98217b36195e7f6b3e0' to '{md5}3489d89153bb9734a4e9555eae755c7c'
Notice: /Stage[main]/Ntp/Service[ntpd]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Ntp/Service[ntpd]: Unscheduling refresh on Service[ntpd]
Notice: Finished catalog run in 21.79 seconds
[root@foreman ~]#


confirm ntp server has been configured via puppet.
[root@foreman ~]# grep clock.redhat.com /etc/ntp.conf
server clock.redhat.com