Foreman VM provisioning without SSH and DHCP/DNS

foreman

I am trying to implement Foreman to allow us to manage and provision servers for the customers that we manage. I have installed Foreman in a central location and then installed a Foreman Smart Proxy inside one of the customer networks. Everything is working fine (remote Puppet agents can connect to my smart proxy and my central Foreman server can see the data); however, I now want to provision new VMs (via vCenter). I have installed foreman-vmware and configured my compute resource profile, and created an entry for my VM template, but when I create a new host via Foreman and tell it to clone from my template, it hangs waiting for the node to be available, I assume so it can SSH onto it to finish the configuration. My problem is that the Foreman server will not have a connection to the new VM. I was hoping that the new VM (which has the Puppet agent installed) would be configured to connect to my smart proxy and finish configuring itself that way?

Have I got my design wrong? Can someone help me design the solution that is right for me?

I am unable to create a new DHCP, DNS and TFTP server on the customer network as it may interfere with existing DHCP and DNS services.

Thank you, Ben

Best Answer

tl;dr: Won't work currently, SSH provisioning comes from the foreman server.

We have a similar configuration, where we have a public/centralized Foreman/Puppet instance that we connect several "small" customers to. In our case, I did not even install a "smart proxy" into the customer's network. The customer's IT staff actually provided me with SSH credentials into a minimal CentOS 6.x install (effectively like deploying an image?). In Foreman, I just created the new VM as "Bare Metal" and then copied the finish script from the "Templates" tab of the Host details screen, and pasted it into the VM (I had to use VPN to SSH to the client machine). In your case, you could probably do something similar, but any "manual" steps are usually frowned upon.

Here are some random ideas I had while thinking about this:

  • Maybe you could figure out how to use "cloud-init"; then you would be able to "provision" (run a script on) the VM without the foreman server being able to SSH to it. I am not sure how that would work with ESXi, and it would likely require some "custom code" :)

  • Perhaps set up an OpenVPN server on the foreman server, and set up your images to automatically VPN connect to the foreman server. That has some advantages in that you don't need to expose puppet/foreman to the Internet, but again there would probably be some custom code involved in trying to figure out the host's VPN IP to SSH into. It could also be considered a vulnerability by some customers, especially if they are trying to be PCI compliant.

  • Create a new module that would allow an "SSH via" configuration, such that the foreman server would SSH to a specific host, then to the desired client IP ("ssh -t viaHost ssh $HOST_ADDRESS") during the provisioning process. Of course, if you go down that road, you could probably make it a smart proxy operation too, where instead of trying to SSH from the foreman server, it would ask a smart proxy to do it.

These are all potential solutions, but I don't think any of them will work currently. It might be a good idea to file some feature requests at http://projects.theforeman.org/projects/foreman/issues

~tommy
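As an added illustration of the cloud-init idea from the answer above (this is not code from the post or from the Foreman project), here is first-boot user-data that makes the cloned VM pull its configuration from the customer-side smart proxy instead of waiting for the Foreman server to SSH in. Assumed: cloud-init actually runs in the guest (the answer notes this is unverified on ESXi), "proxy.customer.example" is the smart proxy fronting the Puppet master/CA, the host entry already exists in Foreman, and the VM can reach the "built" callback URL that a finish template would normally embed.

```yaml
#cloud-config
# Added example, not from the original post. Hostnames and the callback URL
# below are assumptions/placeholders for the customer network in question.
hostname: web01
fqdn: web01.customer.example
manage_etc_hosts: true

# Puppet agent from the OS repositories (or pre-baked into the template).
packages:
  - puppet

write_files:
  # Point the agent at the smart proxy, never at the central Foreman server,
  # so only the proxy needs to be reachable from inside the customer network.
  - path: /etc/puppet/puppet.conf
    permissions: '0644'
    content: |
      [main]
      server = proxy.customer.example
      ca_server = proxy.customer.example
      certname = web01.customer.example
      [agent]
      runinterval = 30m

runcmd:
  # First run: submit the CSR, wait up to 60 s for the proxy's CA to sign it,
  # then apply the catalog. Auto-signing should be limited to the host's
  # certname (Foreman manages this in the proxy's autosign.conf).
  - puppet agent --onetime --no-daemonize --waitforcert 60 --verbose
  # CentOS 6 style service enablement, matching the answer's environment.
  - chkconfig puppet on
  - service puppet start
  # Replace the SSH finish step: tell Foreman the host is built.
  # <FOREMAN_BUILT_URL> is a placeholder for the per-host built callback
  # (the value a finish template inserts via the foreman_url macro).
  - curl -fsS -o /dev/null '<FOREMAN_BUILT_URL>'
```

The built callback carries a per-host token, so treat the user-data as sensitive and keep the VM's cloud-init datasource (e.g. an attached ISO or VMware guestinfo) out of reach of other tenants.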
