ForemanQuickNotes - henk52/knowledgesharing GitHub Wiki
- Satellite
- Opensource path
- foreman log files
- installing open foreman
- SpaceWalk
- Puppet related
- Foreman
- Troubleshooting registration of existing machines
  - Exiting; no certificate found and waitforcert is disabled
  - Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: FOREMAN]
  - CRL is not yet valid for /CN=Puppet
  - No PXELinux templates were found for this host, make sure you define at least one in your RedHat 7.5 settings or change PXE loader

# Satellite

- https://www.youtube.com/watch?v=XwD2eEreCoQ - Reduce operational risk with analytics from Red Hat Access Insights - 2015 Red Hat Summit
- https://www.youtube.com/watch?v=t1tlntxyJyc - Proactively manage your infrastructure with Red Hat® Insights
- https://www.youtube.com/watch?v=SwMSSNuL8Fo - Foreman/Katello/Satellite Server
- https://www.redhat.com/en/services/training/rh403-red-hat-satellite-6-administration
- https://www.redhat.com/en/technologies/management/satellite/faq
- https://www.redhat.com/en/services/training/all-courses-exams
- https://www.redhat.com/en/services/training/learning-subscription

# Opensource path

- foreman: https://theforeman.org/
- katello: https://github.com/Katello/katello
- pulp: https://pulpproject.org/
- puppet
- candlepin: http://www.candlepinproject.org/

# foreman log files

- /var/log/foreman/production.log

# installing open foreman

- sudo lxc-create -t centos -n base_centos7 -- --release 7
- sudo lxc-copy --name base_centos7 --newname foreman
- sudo lxc-start -n foreman
- sudo lxc-attach -n foreman
- create VM
- Install from CentOS minimal
- login
- cd /etc/yum.repos.d
- mkdir Disabled
- mv *.repo Disabled
- scp root@dm:/var/ks/mirrors/centOS.repo .
- scp root@dm:/var/ks/mirrors/epel.repo .
- scp root@dm:/var/ks/mirrors/foreman.repo .
- scp dm:/var/ks/extrarepos/foreman_puppet5/foreman_puppet.repo .
- yum -y install foreman-installer
- hostnamectl --static set-hostname foreman.mylab
- vi /etc/hosts (add foreman.mylab)
- Ensure the repos are properly set: centOS.repo epel.repo foreman_puppet.repo foreman.repo
- Edit /etc/bashrc and add: PATH=${PATH}:/opt/puppetlabs/puppet/bin
- bash
- Install foreman: https://theforeman.org/manuals/1.16/index.html#2.Quickstart
- foreman-installer --enable-foreman --enable-foreman-cli --enable-foreman-cli-openscap --enable-foreman-compute-vmware --enable-foreman-plugin-bootdisk --enable-foreman-plugin-cockpit --enable-foreman-plugin-default-hostgroup --enable-foreman-plugin-dhcp-browser --enable-foreman-plugin-discovery --enable-foreman-plugin-docker --enable-foreman-plugin-hooks --enable-foreman-plugin-openscap --enable-foreman-plugin-remote-execution --enable-foreman-plugin-tasks --enable-puppet --foreman-configure-epel-repo=false
- foreman-installer --foreman-configure-epel-repo=false --foreman-proxy-tftp=true --foreman-proxy-tftp-managed=true --foreman-proxy-tftp-servername=10.1.2.3
- foreman-installer --foreman-proxy-dhcp=true --foreman-proxy-dhcp-interface=eth1
- foreman-installer --foreman-proxy-dns=true --foreman-proxy-dns-interface=ens160 --foreman-proxy-dns-zone=home --foreman-proxy-dns-reverse=1.168.192.in-addr.arpa --foreman-proxy-dns-forwarders=8.8.8.8 --foreman-proxy-dns-managed=true
  - --foreman-proxy-dns-forwarders: I think this adds nameservers (you can add this option multiple times)
  - --foreman-proxy-dns-managed=true: I think, when this is true, something is managed through puppet?
- foreman-installer --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh --foreman-configure-epel-repo=false
  - https://www.theforeman.org/plugins/foreman_remote_execution/1.3/index.html
- open firewall: https://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/install-foreman-on-centos-7-rhel-7-ubuntu-14-04-3.html
  - firewall-cmd --permanent --add-port=53/tcp
  - firewall-cmd --permanent --add-port=53/udp
  - firewall-cmd --permanent --add-port=67-69/udp
  - firewall-cmd --permanent --add-port=80/tcp
  - firewall-cmd --permanent --add-port=443/tcp
  - firewall-cmd --permanent --add-port=3000/tcp
  - firewall-cmd --permanent --add-port=3306/tcp
  - firewall-cmd --permanent --add-port=5910-5930/tcp
  - firewall-cmd --permanent --add-port=5432/tcp
  - firewall-cmd --permanent --add-port=8140/tcp
  - firewall-cmd --permanent --add-port=8443/tcp
  - firewall-cmd --reload
- Port 53: DNS

- Metal-as-a-Service functionality for Foreman
- Displays vulnerability and compliance reports from OpenSCAP
- Sync templates from the Foreman Community Templates repo (or your own git repo, optionally) to Foreman’s provisioning templates
- Create windows server images for Foreman with Wimaging
- Adds a configurable, custom banner to the Foreman UI
- Allows Foreman to cooperate with Jenkins CI
- Foreman plugin for displaying reports from Automatic Bug Reporting Tool
- Show cockpit components (terminal, system, journald..) on Foreman host view.
- Docker container management and provisioning
- Creates iPXE-based ISO and USB boot disks to provision hosts without the need for PXE infrastructure
- It helps set up provisioning in two parts using a wizard: a) helps you enter network info and then tells you how to run Foreman installer to set up DHCP and DNS management, b) sets up an OS with templates, installation media and everything you need
- A plugin to manage vmware vSphere snapshots from foreman UI
- Adds or removes a given interface to a VMware guest when build and removes it afterwards
- Add newly-created hosts to a default host group when they check in through Puppet

Retrying:

- sudo lxc-stop -n foreman
- sudo lxc-destroy -n foreman
- https://theforeman.org/plugins/foreman_openscap/0.8/index.html
- foreman-installer --enable-foreman-plugin-openscap --enable-foreman-proxy-plugin-openscap
- puppet module install theforeman-foreman_scap_client
- foreman-rake foreman_openscap:bulk_upload:default
- foreman-installer --enable-foreman-plugin-remote-execution
Issues:

- missing foreman_scap_client
  - yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  - yum -y install https://yum.theforeman.org/releases/1.16/el7/x86_64/foreman-release.rpm
- unable to install rubygem-foreman_scap_client
  - You need the foreman-plugins/x86_64 repo.
  - /etc/yum.repos.d/foreman-plugins.repo
- Failed to initialize: Dynflow::ExecutionPlan::Steps::Error - Could not use any proxy. Consider configuring remote_execution_global_proxy, remote_execution_fallback_proxy or remote_execution_no_proxy in settings
  - Use https://www.theforeman.org/plugins/foreman_remote_execution/1.3/index.html
- WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
  - On each client: vi /usr/share/gems/gems/foreman_scap_client-0.3.0/lib/foreman_scap_client/client.rb

```
DEBUG: running: oscap xccdf eval --results-arf /tmp/d20180111-12393-1nmncgw/results.xml /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20180111-12393-1nmncgw/results.xml
Uploading results to https://foreman.ea.mot-solutions.com:8443/compliance/arf/2
Exit status: 0
```
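Added example, not from the wiki or from the OpenSCAP project: a Python check that lists every check-content-ref in XCCDF content whose href is an http(s) URL, which is what triggers the "points out to the remote resources" warning, so the files can be fetched on a connected host and carried to the isolated network. The benchmark XML is constructed and the rule ids are invented.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed minimal XCCDF benchmark, not real SCAP content; the second rule references a remote OVAL file.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_local_check" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml" name="oval:ssg-demo:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_rhsa_patches" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2"/>
    </check>
  </Rule>
</Benchmark>
"""


def local_name(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 content (and SCAP data streams) are handled alike."""
    return tag.rsplit("}", 1)[-1]


def remote_check_refs(xml_text):
    """Return (rule_id, href) for each check-content-ref whose href is an http(s) URL."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for el in root.iter():
        href = el.get("href", "")
        if local_name(el.tag) != "check-content-ref" or not href.lower().startswith(("http://", "https://")):
            continue
        node, rule_id = el, None  # walk up to the enclosing Rule so the report names the rule
        while node is not None and rule_id is None:
            if local_name(node.tag) == "Rule":
                rule_id = node.get("id")
            node = parents.get(node)
        found.append((rule_id, href))
    return found


if __name__ == "__main__":
    # Usage: pass the XCCDF file oscap is evaluating; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XCCDF
    for rule_id, href in remote_check_refs(text):
        print(f"{rule_id}: {href}")
```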
- pxe boot
- register existing machine
- openscap usage
- doing openscap on isolated network
Register the install media:

- Hosts → Installation Media
- Click Create Medium
- click Submit

Create operating System:

- Click 'Create Operating System'
- Fill out 'Operating System' tab
- Fill out 'Partition Table' tab: 'Kickstart default'
- Fill out 'Installation Media' tab
- Fill out 'Templates' tab
  - PXE: 'Kickstart default PXELinux'
  - Finish: 'Kickstart default finish'
  - Provisioning: 'Kickstart default'

Assign templates:

- Hosts → provisioning templates
- click on each template you need.
- Click the 'Association' tab
- Click the applicable Operating System.
- Click submit

- Create operating System
- assign the templates

Provisioning templates:

- Kickstart default
  - Association tab
  - Centos
  - Submit

Provisioning Templates:

- PXELinux default local boot

Operating system:

- Template
  - Kickstart default
  - PXELinux template
- Submit
Infrastructure → Subnets:

- click 'Create Subnet'
- Subnet tab
  - Network Address: The IP addr of the machine on the NIC.
- Remote Execution
  - move the 'foreman' proxy to selected.
- Domains
  - Move the domain to selected.
- Proxies tab
  - TFTP Proxy: the foreman.

Requires the Operating system to be configured:

- Click on the Operating system you want to configure
- Partition table: Kickstart default
- Installation Media: CentOS mirror
- Submit

Requires a HostGroup to exist:

- Configure → Host Groups

Hosts → Create host:

- Host
  - Name:
  - Host Group
  - 'Operating system'
  - Root Pass:
- Click 'Resolve' to ensure all three templates are there.

```
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: {"message":"Server Error: Failed to find ghostrider via exec: Execution of '/etc/puppetlabs/puppet/node.rb ghostrider' returned 1: ","issue_kind":"RUNTIME_ERROR"}
```
- cp Fedora-Workstation-Live-x86_64-27-1.6.iso to / of foreman
- mkdir -p /var/ks/images
- vi 25-localmedia.conf
- systemctl restart httpd
- mount -o loop /Fedora-Workstation-Live-x86_64-27-1.6.iso /mnt
- mkdir /var/ks/images/fedora27
- time cp -apv /mnt/* /var/ks/images/fedora27
- umount /mnt

On foreman:

- hosts → Installation Media
  - Create media
  - Name: Fedora27
  - OS Family: Red Hat
- hosts → Provisioning Templates
  - Find 'Kickstart default PXELinux' and edit it
  - Associate: Kickstart default PXELinux
- hosts → Operating Systems
  - Create Operating system
- /var/lib/tftpboot/boot

Issues:

- No PXELinux templates were found for this host, make sure you define at least one in your Fedora 27.0 settings or change PXE loader
  - Seems like the Kickstart default PXELinux has to be associated with the OS and the OS config then has to select it.
- Files in /var/lib/tftpboot/boot are empty
  - cp /var/ks/images/fedora27/images/pxeboot/vmlinuz /var/lib/tftpboot/boot/Fedora-27-x86_64-vmlinuz
  - cp /var/ks/images/fedora27/images/pxeboot/initrd.img /var/lib/tftpboot/boot/Fedora-27-x86_64-initrd.img
- Failed to start Switch Root
  - Specified switch root path '/sysroot' does not seem to be an OS tree. os-release file is missing.

It seems like it can't even install on Fedora22.

Anyway dnsmasq: host-addr=MACADDR,NAME,IP ensures that the proper name is assigned to the machine, along with the IP address.

# SpaceWalk

- rpm -Uvh http://yum.spacewalkproject.org/2.4/Fedora/22/x86_64/spacewalk-repo-2.4-3.fc22.noarch.rpm
- vi /etc/yum.repos.d/spacewalk.repo
  - Change the '$releaseversion' to '22' for F23.
- yum clean all
- yum install spacewalk-postgresql
  - Maybe the above includes this: # yum install spacewalk-setup-postgresql
- spacewalk-setup --disconnected --answer-file=<FILENAME>
  - spacewalk-setup --disconnected
    - Should the spacewalk-setup fail, check the error it gives you and also investigate the logs in /var/log/rhn, as well as the logs from your database server, Apache server and tomcat.
- /usr/sbin/spacewalk-service [stop|start|restart].

Answer file (<FILENAME>):

```
admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y
```

# Puppet related

- Configure → Classes
- Select the Puppet class you want to configure the parameters for
- Click the 'Smart Class Parameter' tab
- Click the Parameter you want to affect
- Make sure to check-mark the 'Override' box. Otherwise Foreman will not pass anything to Puppet via the ENC.

# Troubleshooting

No PXELinux templates were found for this host, make sure you define at least one in your Fedora 27 settings or change PXE loader

- In the Edit Operating System, under the 'Templates' tab you need to select a PXELinux template.

Create DHCP Settings for XXX task failed with the following error: ERF12-6899 [ProxyAPI::ProxyException]: Unable to set DHCP entry ([RestClient::Conflict]: 409 Conflict) for proxy https://foreman.mynet:8443/dhcp

- Remove the offending entry from /var/lib/dhcpd/dhcpd.leases
- DO NOT delete the file, you will be sorry…
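Added example, not part of the wiki or of Foreman's smart proxy: a Python helper that finds the lease blocks in dhcpd.leases clashing with the IP or MAC Foreman is trying to reserve and strips only those blocks, leaving the header and every other lease untouched. The leases file contents, MACs and hostnames are constructed.

```python
import re

# Constructed sample of /var/lib/dhcpd/dhcpd.leases; MACs and hostnames are made up, not a real capture.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases manual page.
lease 192.168.1.50 {
  binding state active;
  next binding state free;
  hardware ethernet 52:54:00:aa:bb:cc;
  client-hostname "ghostrider";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 52:54:00:dd:ee:ff;
}
lease 192.168.1.50 {
  binding state free;
  hardware ethernet 52:54:00:aa:bb:cc;
}
"""

# One "lease <ip> { ... }" block; dhcpd appends, so later blocks for an IP supersede earlier ones.
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{\n(.*?)^\}\n?", re.M | re.S)


def parse_leases(text):
    """Return one dict per lease block, in file order, with the block's character span."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)  # not "next binding state"
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases.append({"ip": m.group(1), "span": m.span(),
                       "mac": mac.group(1).lower() if mac else None,
                       "state": state.group(1) if state else None,
                       "hostname": host.group(1) if host else None})
    return leases


def conflicting_leases(text, ip=None, mac=None):
    """Blocks that clash with the IP or MAC the smart proxy is trying to reserve."""
    mac = mac.lower() if mac else None
    return [l for l in parse_leases(text)
            if (ip and l["ip"] == ip) or (mac and l["mac"] == mac)]


def remove_leases(text, ip=None, mac=None):
    """The file with only the clashing blocks cut out; comments and other leases are kept."""
    drop = {l["span"] for l in conflicting_leases(text, ip, mac)}
    return LEASE_RE.sub(lambda m: "" if m.span() in drop else m.group(0), text)
```

Stop dhcpd before writing the returned text back, since the running daemon rewrites the file.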
```
Info: Creating a new SSL key for `hostname`
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for `hostname`
Info: Certificate Request fingerprint (SHA256): LONG_KEY
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: FOREMAN]
```

- on the master/ca server you need to run: puppet cert clean MY_NODE
- on the client: rm -rf /etc/puppetlabs/puppet/ssl/*
- then on the client: puppet agent --server servername --waitforcert 60
- if you don't have autosign enabled then on the server run: puppet cert sign certname
```
/opt/puppetlabs/puppet/bin/puppet agent --test
Info: Caching certificate for MY_NODE
Info: Caching certificate_revocation_list for ca
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: FOREMAN]
Exiting; failed to retrieve certificate and waitforcert is disabled
```

Get the timestamp in sync

```
/opt/puppetlabs/puppet/bin/puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman]
```
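Added example, not from the wiki or from Puppet: a Python check that applies the same validity-window test the TLS verifier applies to the CRL, using the lastUpdate/nextUpdate lines from openssl, so you can confirm the agent's clock is behind the CA's before cleaning any certificates. The openssl output shown is constructed, and at_utc is a helper introduced here.

```python
from datetime import datetime, timezone

# Constructed output of: openssl crl -in /etc/puppetlabs/puppet/ssl/crl.pem -noout -lastupdate -nextupdate
SAMPLE_CRL_DATES = """lastUpdate=Jan 11 10:00:00 2018 GMT
nextUpdate=Jan  9 10:00:00 2023 GMT
"""


def at_utc(iso_timestamp):
    """Helper: turn '2018-01-11T09:58:30' into an aware UTC datetime (the agent's clock)."""
    return datetime.fromisoformat(iso_timestamp).replace(tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Turn the lastUpdate=/nextUpdate= lines openssl prints into aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("lastUpdate", "nextUpdate"):
            value = " ".join(value.split())  # openssl pads single-digit days with two spaces
            dates[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return dates


def crl_status(crl_dates_text, now=None):
    """Apply the validity-window check the TLS verifier does; return (verdict, offset seconds).

    A positive offset means the CRL's lastUpdate, stamped by the CA's clock, is ahead of
    this host's clock: that is the 'CRL is not yet valid' condition from the agent log.
    """
    now = now or datetime.now(timezone.utc)
    d = parse_openssl_dates(crl_dates_text)
    offset = (d["lastUpdate"] - now).total_seconds()
    if now < d["lastUpdate"]:
        return "CRL is not yet valid", offset
    if now > d["nextUpdate"]:
        return "CRL has expired", offset
    return "CRL valid", offset
```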