Creation of the Katello Client Product (or another Product)
Configuration of Ansible, Puppet and Remote Execution
In the third part I'll explain:
Configuration of VMWare and virt-who
Configuration of Provisioning
Provisioning of new server and KickStart configuration
Configuration of OpenSCAP
Final Setup
Creation of Katello Product
As written in the first article, I added the Katello repository to my servers registered to Foreman, so I'm using an external repository; now I want to use an internal one, as I did with EPEL. With this procedure I can add as many different repositories as I want (e.g. Docker, some software, internal repos...), I just have to change the upstream yum repository URL and the name. The following steps are for CentOS 7 and 8; I'll do the same for RHEL, just changing name and label.
First of all I’ll create a new credential key for Katello Client:
I want to configure Ansible, Puppet and Remote Execution because I need something that is able to talk to my servers: the Katello agent will be deprecated soon. I'll configure all three solutions and then choose the one (if any) that fits my environment best.
First of all I'll install and enable Ansible and Remote Execution on Foreman; the new version of Foreman needs them.
Now I have to create an SSH key for the foreman-proxy user, the user that runs the Ansible jobs and the remote execution. I'll save the key in its home directory:
mkdir ~foreman-proxy/.ssh
chown foreman-proxy ~foreman-proxy/.ssh
### no passphrase: the proxy has to use the key unattended
sudo -u foreman-proxy ssh-keygen -f ~foreman-proxy/.ssh/id_rsa_foreman_proxy -N ''
### I also need this for SSH Remote Execution
ln -s /usr/share/foreman-proxy/.ssh /usr/share/foreman-proxy/ssh
### the private key must stay 0600 and owned by foreman-proxy
ls -ltr /usr/share/foreman-proxy/.ssh/
total 12
-rw-r--r-- 1 foreman-proxy foreman-proxy 193 May 5 15:22 known_hosts
-rw-r--r-- 1 foreman-proxy foreman-proxy 738 May 5 16:42 id_rsa_foreman_proxy.pub
-rw------- 1 foreman-proxy foreman-proxy 3243 May 5 16:42 id_rsa_foreman_proxy
and then I'll copy the key to all the servers. Just for testing I copy it to my Foreman server itself: it will connect to itself and send/collect all the facts:
Yes, I'm copying the key to the root account. I know it's wrong, but it's just for testing; I'll explain later how to set up a proper user.
Now I'll set up Remote Execution, or better, I'll check whether the setup is the default one (running as root); the fastest way is the web GUI/console:
Administer -> Settings -> Remote execution
and I have:
and it's the default one: SSH user and effective user are root! I'll move to a test host, again the client foreman.kraba.lan, and run an Ansible playbook:
Hosts -> All Hosts -> Tick my server -> Select Action -> Schedule Remote Job
Select "Ansible Playbook" as Job Category -> Ansible Roles - Ansible Default as Job Template -> Submit
and wait:
If I now move to:
Hosts -> All Hosts -> Click my server
Facts, order by Reported At
I'll see the facts reported by Ansible:
Good, the VM/client can send all its facts to my Foreman; it's useful and it's a good check that my whole server estate is working. Now I'll create a Recurring Job to get an Ansible callback (collecting all the facts) every 30 minutes. To create a new Recurring Job I'll use the web GUI:
Monitor -> Jobs -> Run Job
Select "Ansible Playbook" as Job Category -> Ansible Roles - Ansible Default as Job Template
Write organization = kraba.lan into Search Query
Type of Query: dynamic
Schedule -> Set Up Recurring Logic
Repeats -> Cronline and add */30 * * * * as cronline
Save
If I move to:
Monitor -> Recurring Logics
I can see the new job and all the information about it. We can check it also via the hammer CLI:
hammer recurring-logic list
---|--------------|----------|-----------|-------
ID | CRON LINE | END TIME | ITERATION | STATE
---|--------------|----------|-----------|-------
1 | 0 2 * * 6 | | 2 | active
2 | */30 * * * * | | 1 | active
---|--------------|----------|-----------|-------
ID 1 is my weekly sync, ID 2 is the Ansible callback job.
Now I'm ready to run Ansible jobs/playbooks from my Foreman on every server registered to it. But... I'm using the root account on the servers. What I need and prefer is to create a service account (e.g. svcforeman) with sudo privileges on every server and copy the foreman-proxy SSH key to it. After that I have to change some settings on Foreman:
Administer -> Settings -> Remote execution
SSH User -> the new user eg. svcforeman
Effective User -> root
Effective User Method -> sudo
If the SSH key exchange is working I don't need the password or the other settings.
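Changing SSH User and Effective User in Foreman is only half of the job: every target host needs the account, the public key and a sudo rule that works without a password and without a tty (Foreman runs sudo non-interactively, and RHEL's default sudoers has requiretty). The following script is an added example, not part of the original post, of what can be pushed to each host (for instance through a Run Command job) before flipping the settings. It assumes the account is called svcforeman, the proxy host is foreman.kraba.lan and the foreman-proxy public key has already been copied to /tmp/id_rsa_foreman_proxy.pub; STAGE is a hypothetical variable that prefixes every path so the result can be inspected in a scratch directory instead of writing to /etc.

```shell
#!/bin/bash
# Added example (not from the original post): prepare a Remote Execution
# service account on a target host. Assumed values: account svcforeman, proxy
# host foreman.kraba.lan, foreman-proxy public key at /tmp/id_rsa_foreman_proxy.pub.
# STAGE (hypothetical) prefixes every path so the result can be reviewed in a
# scratch directory; leave it empty on a real host.
set -eu

REX_USER="${REX_USER:-svcforeman}"
PROXY_HOST="${PROXY_HOST:-foreman.kraba.lan}"
PUBKEY_FILE="${PUBKEY_FILE:-/tmp/id_rsa_foreman_proxy.pub}"
STAGE="${STAGE:-}"

# authorized_keys line: the key is only accepted from the proxy host and cannot
# open port/agent/X11 forwarding, which limits what a stolen key buys.
rex_authorized_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$PROXY_HOST" "$1"
}

# sudoers drop-in: Foreman runs sudo non-interactively as the SSH user, so it
# must work without a password and without a tty or every job hangs at the prompt.
rex_sudoers() {
    printf 'Defaults:%s !requiretty\n%s ALL=(root) NOPASSWD: ALL\n' "$1" "$1"
}

install_rex_account() {
    home="$STAGE/home/$REX_USER"
    if [ -z "$STAGE" ] && ! id "$REX_USER" >/dev/null 2>&1; then
        useradd --create-home --shell /bin/bash "$REX_USER"
    fi

    install -d -m 0700 "$home/.ssh"
    rex_authorized_key "$(cat "$PUBKEY_FILE")" > "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
    [ -n "$STAGE" ] || chown -R "$REX_USER:" "$home/.ssh"

    mkdir -p "$STAGE/etc/sudoers.d"
    rex_sudoers "$REX_USER" > "$STAGE/etc/sudoers.d/$REX_USER"
    chmod 0440 "$STAGE/etc/sudoers.d/$REX_USER"
    # on a real host, never leave a syntactically broken sudoers fragment behind
    if [ -z "$STAGE" ]; then
        visudo -c -f "/etc/sudoers.d/$REX_USER" || { rm -f "/etc/sudoers.d/$REX_USER"; return 1; }
    fi
}

# On the target, as root with STAGE empty:  install_rex_account
```

Run it on a test host first with STAGE set to a scratch directory, inspect the generated authorized_keys and sudoers fragment, then run it for real and only afterwards change SSH User to svcforeman in Administer -> Settings -> Remote execution; if the order is reversed the jobs fail until the account exists.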
Configuration of Puppet
Puppet is part of Foreman. I'll configure it on my Foreman clients/VMs for a few things, and later for the OpenSCAP plugin. I can use it instead of Ansible for collecting the facts every 30 minutes or for running some jobs.
By default I have only one Puppet environment, Production, but if I want to associate my servers with a different environment (e.g. dev, test...) I can create a new one:
hammer puppet-environment list
---|-----------
ID | NAME
---|-----------
2 | Production
---|-----------
hammer puppet-environment create --name test --locations krabaDC --organizations 'kraba.lan'
hammer puppet-environment list
---|-----------
ID | NAME
---|-----------
2 | Production
8 | test
---|-----------
hammer puppet-environment info --id 8
Id: 8
Name: test
Puppetclasses:
Locations:
krabaDC
Organisations:
kraba.lan
Created at: 2020/05/07 08:23:57
Updated at: 2020/05/07 08:23:57
Or use the web GUI:
Configure -> Puppet -> Environments
Create Puppet Environment
To configure Puppet properly I have to install the repo on every server or, following the previous chapter, add it to Foreman as a local repo. For now I'll run it via Remote Execution and check if it works; I may add it to Foreman later. What I run on all servers is:
Tip
I don't have to install the puppet repo and puppet-agent on my Foreman server, just on the other servers.
Change the value in /opt/puppetlabs/puppet/bin/puppet config set --section agent environment to your new environment (or leave Production) if you want to change the Puppet environment.
### CentOS7/RHEL7
yum -y localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
yum install -y puppet-agent
### short hostname plus domain (hostname -a prints aliases and can be empty)
content=$(hostname -s)
/opt/puppetlabs/puppet/bin/puppet config set --section agent server foreman.kraba.lan
/opt/puppetlabs/puppet/bin/puppet config set --section agent certname ${content}.kraba.lan
### check in every 30 minutes, same cadence as the Ansible recurring job
/opt/puppetlabs/puppet/bin/puppet config set --section agent runinterval 1800
/opt/puppetlabs/puppet/bin/puppet config set --section agent environment Production
### listen is a legacy agent setting in Puppet 6 (the agent no longer listens)
/opt/puppetlabs/puppet/bin/puppet config set --section agent listen false
/opt/puppetlabs/puppet/bin/puppet config set --section agent report true
/opt/puppetlabs/puppet/bin/puppet config set --section agent usecacheonfailure true
### pluginsync is a legacy setting too; plugin sync is always on in Puppet 6
/opt/puppetlabs/puppet/bin/puppet config set --section agent pluginsync true
systemctl enable puppet
### the first run sends a certificate request to foreman.kraba.lan; it must be signed (or autosigned) there
systemctl restart puppet
or
### CentOS8/RHEL8
yum -y localinstall https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
yum install -y puppet-agent
### short hostname plus domain (hostname -a prints aliases and can be empty)
content=$(hostname -s)
/opt/puppetlabs/puppet/bin/puppet config set --section agent server foreman.kraba.lan
/opt/puppetlabs/puppet/bin/puppet config set --section agent certname ${content}.kraba.lan
### check in every 30 minutes, same cadence as the Ansible recurring job
/opt/puppetlabs/puppet/bin/puppet config set --section agent runinterval 1800
/opt/puppetlabs/puppet/bin/puppet config set --section agent environment Production
### listen is a legacy agent setting in Puppet 6 (the agent no longer listens)
/opt/puppetlabs/puppet/bin/puppet config set --section agent listen false
/opt/puppetlabs/puppet/bin/puppet config set --section agent report true
/opt/puppetlabs/puppet/bin/puppet config set --section agent usecacheonfailure true
### pluginsync is a legacy setting too; plugin sync is always on in Puppet 6
/opt/puppetlabs/puppet/bin/puppet config set --section agent pluginsync true
systemctl enable puppet
### the first run sends a certificate request to foreman.kraba.lan; it must be signed (or autosigned) there
systemctl restart puppet
I chose to run it via Remote Execution, just to test it via the web GUI:
Hosts -> All Hosts -> Tick my server -> Select Action -> Schedule Remote Job
Commands as Job Category -> Run Command - SSH Default as Job Template
Cut and paste all the commands into the command field
Submit
When the job is finished I can check, just to be sure, that my puppet agent is configured properly:
cat /etc/puppetlabs/puppet/puppet.conf
...
[agent]
classfile = $statedir/classes.txt
default_schedules = false
environment = Production
localconfig = $vardir/localconfig
masterport = 8140
noop = false
report = true
runinterval = 1800
splay = false
splaylimit = 1800
usecacheonfailure = true
### I'm running it on foreman, so certname is foreman.kraba.lan; on another server (e.g. server1) it would be different
certname = foreman.kraba.lan
listen = false
pluginsync = true
server = foreman.kraba.lan
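Eyeballing puppet.conf is fine for one host, but across the estate it is better to assert the values. The following shell functions are an added example, not from the original post: conf_get pulls a single key out of one INI section (later assignments win, comments and other sections are ignored) and check_agent_conf compares the settings that decide whether the agent talks to the right master with the right identity and schedule (server, certname, runinterval, report, usecacheonfailure) against the values used above. The file path and the kraba.lan names are the ones from this post; the expected values are taken from the puppet config set commands.

```shell
#!/bin/bash
# Added example (not from the original post): assert that the [agent] section
# of puppet.conf carries the values the Remote Execution job was meant to set.
# Path and kraba.lan names match the post; expected values are assumptions
# taken from the puppet config set commands above.
set -eu

PUPPET_CONF="${PUPPET_CONF:-/etc/puppetlabs/puppet/puppet.conf}"

# Print one key from one INI section: conf_get FILE SECTION KEY.
# Later assignments override earlier ones, comments and other sections are
# skipped, and a missing key prints nothing.
conf_get() {
    awk -v want_section="[$2]" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_section = ($1 == want_section); next }
        in_section {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == want_key) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# check_agent_conf FILE EXPECTED_SERVER EXPECTED_CERTNAME
# Prints every mismatch on stderr and returns 1 if there was at least one.
check_agent_conf() {
    file="$1"; expected_server="$2"; expected_certname="$3"
    rc=0
    for pair in "server=$expected_server" "certname=$expected_certname" \
                "runinterval=1800" "report=true" "usecacheonfailure=true"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_get "$file" agent "$key")"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '${got:-<unset>}' want '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# On a host:
# check_agent_conf "$PUPPET_CONF" foreman.kraba.lan "$(hostname -s).kraba.lan" && echo "agent config OK"
```

Because the check exits non-zero on a mismatch, it can be pushed as a Run Command job and the failing hosts show up directly in the job results, instead of reading puppet.conf on each of them.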
and I can check whether I'm receiving some puppet facts: