Foreman via Salt - LinuxUserGroupUWSP/RackMesa GitHub Wiki

# Salt Setup

## Prepare CentOS 7

# Bring the base system up to date, then pull in the tools the rest of the
# guide relies on (EPEL for extra packages, firewalld for the port rules).
yum --assumeyes update
yum --assumeyes install wget epel-release firewalld

## Prepare SaltStack

### Add SaltStack repo

# Install the SaltStack repo definition package (it should also carry the
# repo's signing key - check `yum repolist` afterwards), then expire the
# metadata cache and update so packages from the new repo become visible.
yum --assumeyes install https://repo.saltstack.com/yum/redhat/salt-repo-latest-1.el7.noarch.rpm
yum clean expire-cache
yum --assumeyes update

### Set Hostname

# Replace <name> with the hostname this master should use; the minions will
# later point at it (see the `master:` setting further down).
hostnamectl set-hostname <name>

### Install Salt-Master and Salt-Minion

# The master also runs a minion so it can manage itself.
yum --assumeyes install salt-master salt-minion

### Enable Services

# Enable the firewall and both Salt daemons at boot. Only the firewall is
# started now; the Salt daemons are started later, once they are configured.
systemctl enable firewalld
systemctl enable salt-master salt-minion
systemctl start firewalld

### Configure Firewalld

# Open the Salt master's publisher (4505) and request-server (4506) ports in
# the public zone, persist the rule and reload so it takes effect.
# The public zone carries no source restriction, so anything that can reach
# the host can talk to these ports; a dedicated zone limited to the minion
# networks would be tighter.
firewall-cmd --permanent --zone=public --add-port=4505/tcp --add-port=4506/tcp
firewall-cmd --reload
systemctl -l status firewalld

## Configure Salt-Master - /etc/salt/master

### To set up a single 'base' environment

Find `#file_roots` and uncomment it:

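# Single environment: every state file is served from /srv/salt.
# The space after `-` matters - `-/srv/salt` is parsed as the string
# "-/srv/salt", not as a list item, and Salt expects a list here.
file_roots:
  base:
    - /srv/salt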

Find "pillar_roots" and uncomment:

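# Single environment: pillar data is served from /srv/pillar.
# `- /srv/pillar` (with the space) is a list item; `-/srv/pillar` is a string.
pillar_roots:
  base:
    - /srv/pillar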

### Create directories for the single 'base' environment

# State tree and pillar tree for the single 'base' environment.
mkdir /srv/salt /srv/pillar

## To set up a multiple-environment Salt ecosystem

Find `#file_roots` and uncomment it:

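# Each environment lists its own tree first and the shared base tree second;
# directories are searched in the order given, so an environment-specific
# file shadows the base copy of the same path.
# The space after `-` is required - `-/srv/dev/salt` would be a plain string.
file_roots:
  dev:
    - /srv/dev/salt
    - /srv/base/salt
  prod:
    - /srv/prod/salt
    - /srv/base/salt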

Find "pillar_roots" and uncomment:

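  # These keys belong under the uncommented `pillar_roots:` key; same order
  # rule as file_roots (environment tree first, shared base tree second).
  # The space after `-` is required - `-/srv/dev/pillar` would be a plain string.
  dev:
    - /srv/dev/pillar
    - /srv/base/pillar
  prod:
    - /srv/prod/pillar
    - /srv/base/pillar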

In theory, the dev and prod environments should inherit from the base environment: the roots of an environment are searched in the order listed, so a file found under /srv/dev/salt takes precedence over the same path under /srv/base/salt.

### Create directories for the multi-environment Salt ecosystem

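# -p also creates the missing /srv/base, /srv/dev and /srv/prod parents;
# without it each mkdir fails when its parent does not exist yet.
mkdir -p /srv/base/pillar /srv/base/salt
mkdir -p /srv/dev/pillar /srv/dev/salt
mkdir -p /srv/prod/pillar /srv/prod/salt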

### Configure Salt-Minion - /etc/salt/minion

Find `#master: salt`, uncomment it and replace `salt` with the fully qualified domain name or IP address of the master:

master: <fqdn|ipv4>

Find `#id:` and give the minion running on the master server a name, or skip this and it will default to the reverse DNS lookup of the minion.

id: master

## Start Salt-Master and Salt-Minion

# Start both daemons now that /etc/salt/master and /etc/salt/minion are set,
# then show their status with full (unwrapped) log lines.
systemctl start salt-master
systemctl start salt-minion
systemctl -l status salt-master salt-minion

## Accept the minion key on the master

List keys:

# Show accepted, pending (unaccepted), rejected and denied keys.
salt-key --list-all

Accept the key (compare the fingerprint shown by `salt-key -f <minion-name>` with `salt-call --local key.finger` on the minion first; `-y` skips the confirmation prompt):

# --yes skips the confirmation prompt, so check the key's fingerprint
# (`salt-key -f <minion-name>` vs `salt-call --local key.finger` on the
# minion) before running this.
salt-key --yes --accept=<minion-name>

Test Minion

# Ping one minion by ID; the quotes keep the shell from interpreting the target.
salt '<minion-name>' test.ping

Test all Minions

# '*' targets every accepted minion; the quotes stop the shell expanding the glob.
salt '*' test.ping

# Build Foreman

### Create a foreman directory in the salt directory

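# -p creates the intermediate /srv/salt/foreman directory as well; without it
# both mkdir calls fail because that parent does not exist yet.
mkdir -p /srv/salt/foreman/master /srv/salt/foreman/minion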

### Create an init.sls, build.sls, and manage.sls file inside the foreman directory (only build.sls is created below)

# Only the build.sls files are created here; init.sls and manage.sls from the
# heading are not part of this step.
touch /srv/salt/foreman/master/build.sls /srv/salt/foreman/minion/build.sls

### Edit: /srv/salt/foreman/master/build.sls

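# Get the PATH of the minion so the puppet binaries can be appended to it.
# Need to find a way to set it permanently. It is not working like it should using:
#   cmd.run --> export PATH=$PATH:/opt/puppetlabs/bin
# maybe just symlink it and call it a day :)
{% set current_path = salt['environ.get']('PATH', '/bin:/usr/bin') %}
{# PATH handed to the puppet commands below; computed once so both states agree. #}
{% set puppet_path = [current_path, '/opt/puppetlabs/bin']|join(':') %}

# Install the release RPMs from their URLs. `sources` tells pkg.installed which
# package name each RPM provides, so the state is idempotent and does not come
# back as failed on every run the way a bare URL under `pkgs` does.
add repos:
  pkg.installed:
    - sources:
      - puppetlabs-release-pc1: https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
      - foreman-release: https://yum.theforeman.org/releases/1.14/el7/x86_64/foreman-release.rpm
    - order: 1

# With no `pkgs`/`name` argument the state ID is the package name, so this
# installs the foreman-installer package only.
foreman-installer:
  pkg.installed:
#    - pkgs:
#      - foreman-installer
#      - tfm-rubygem-foreman_cockpit
    - order: 2

# cmd.run has no `unless`/`creates` guard, so the installer is re-run on every
# highstate; foreman-installer is meant to be re-runnable, but it is slow.
# Requisites name the state module explicitly (`cmd: ...`) so they resolve
# regardless of Salt version.
build foreman:
  cmd.run:
    - name: foreman-installer
    - require:
      - pkg: foreman-installer
    - require_in:
      - cmd: install puppet ntp module
      - cmd: apply master config
      - cmd: populate databases

#apply master config:
#  module.run:
#    - name: puppet.run

# First agent run against the new master; PATH must include /opt/puppetlabs/bin.
apply master config:
  cmd.run:
    - name: puppet agent --test
    - env:
      - PATH: '{{ puppet_path }}'

# Open the ports Foreman, Puppet and Salt listen on in the public zone.
# 4505/4506 were already opened by hand during the Salt setup; listing them
# here keeps the zone configuration under Salt's control.
foreman firewalld:
  firewalld.present:
    - name: public
    - ports:
#      - 80/tcp        # Foreman UI (Apache, plain HTTP - left closed)
      - 443/tcp        # Foreman UI (Apache)
      - 8443/tcp       # Smart Proxy
      - 8140/tcp       # Puppet Master
      - 69/udp         # TFTP Server
      - 4505/tcp       # Salt Master (publisher)
      - 4506/tcp       # Salt Master (request server)

# This might not be necessary. The commands are chained with && (not |) so
# they run one after another and the state fails if any of them fails.
populate databases:
  cmd.run:
    - name: foreman-rake db:migrate && foreman-rake db:seed && foreman-rake apipie:cache:index

#install puppet ntp module:
#  module.run:
#    - name: puppet.run
#    - args: module install puppetlabs/ntp

install puppet ntp module:
  cmd.run:
    - name: puppet module install puppetlabs/ntp
    - env:
      - PATH: '{{ puppet_path }}'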

For now, the generated admin password is displayed at the end of the state's run (cmd.run output is returned to the master, so it will also show up in the job results and logs). I can give it a default password from pillar data once I get to that stage.

### Edit: /srv/salt/foreman/minion/build.sls

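# Release RPM installed by package name so the state is idempotent
# (a bare URL under `pkgs` is reported as failed on every run).
install repos:
  pkg.installed:
    - sources:
      - puppetlabs-release-pc1: https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm

# `pkg.installed` is a mapping key, not a list item - the leading `- ` turned
# the state body into a list and made the state unusable.
install puppet:
  pkg.installed:
    - pkgs:
      - puppet
    - require:
      - pkg: install repos

# Agent config for the puppetlabs (PC1 / AIO) layout. The original ID had a
# duplicated `puppet/` segment; makedirs covers the case where the package
# has not created the directory yet.
/etc/puppetlabs/puppet/puppet.conf:
  file.managed:
    - source: salt://foreman/minion/puppetlabs.conf
    - makedirs: True
    - require:
      - pkg: install puppet

# Agent config for the legacy /etc/puppet layout (the original ID was
# `/etc/puppet/puppet/conf`, which looks like a typo for puppet.conf).
/etc/puppet/puppet.conf:
  file.managed:
    - source: salt://foreman/minion/puppet.conf
    - makedirs: True
    - require:
      - pkg: install puppet

# The original state had an empty list item under service.running, which is
# not a valid argument. `puppet` is the agent service name in both layouts -
# confirm on the target. The watch restarts the agent when a config changes.
start-enable services:
  service.running:
    - name: puppet
    - enable: True
    - watch:
      - file: /etc/puppetlabs/puppet/puppet.conf
      - file: /etc/puppet/puppet.conf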

### TODO

  • state to build puppet node and add to foreman master
  • install plugins
    • salt-proxy
    • cockpit
    • openscap
    • skip all configurations from /srv and pull from a git repo instead