Bring order to the system jungle with Foreman
Team Leader
Orchestration tools such as Chef, Puppet, and SaltStack provide uniform management of a system landscape, but they can't do everything. Foreman fills in the gaps and installs a uniform interface that makes the admin's life a lot easier.
Administrators are faced with managing an infrastructure jungle. Although orchestration tools can solve many problems, they do not handle everything in the overall structure – from bare metal without an operating system to the server. Things like an install server for bare metal and a solution for managing IP addresses can, in principle, be accomplished, but at the cost of individual configuration. That prompted Israeli Ohad Levy to program the missing links himself; thus was Foreman born.
A Self-Programmed Deployment Tool
Starting with Puppet, Foreman provides a parameterized install server that also allows the installation of FreeBSD, Solaris, or even Juniper Zero Touch Provisioning for some switch series (as is the case for most Linux derivatives and their installation mechanisms, such as Kickstart or Preseed).
If the managed system is installed and the Puppet client is also installed using the template parameters, Foreman implements the preconfigured Puppet classes. Searching for the next available IP address also usually proves to be a troublesome operation in practice, but Foreman can freely assign IP addresses when creating a new host or simply take the next available IP from the network pool, including entries from DNS – both forward and backward.
Foreman also integrates with various cloud and virtualization platforms such as OpenStack, oVirt, VMware, Rackspace, and Amazon's AWS so that the described functions work in a virtualized environment. Finally, Foreman picks up the results from the installations and Puppet runs, thus giving you a good overview of whether all systems are up to date or something went wrong. You can therefore boot a system that afterward requires no further configuration steps to be productive with a few mouse clicks or by calling up a command line.
Architecture
Foreman is written in Ruby and consists of a server process that controls the other components, smart proxies that communicate with other services (Puppet, DHCP, DNS, TFTP, etc.), and a web UI and a command-line tool for setting up the desired configuration. Foreman can use a PostgreSQL (default) or MySQL database for the data. Figure 1 shows the architecture schematically.
The smart proxy for DNS and DHCP (both in the ISC version) communicate with the relevant services via the update logs of both services (dynamic DNS updates or OMAPI) to make entries after creating a new host in Foreman. The services can also run on hosts other than the Foreman server. Only the correct files end up in the correct directory for Puppet and the TFTP server.
If you change anything about the interface, the Foreman process pushes the matching information to the respective smart proxies, and they change the configuration. If anything goes wrong, you can look at the smart proxy logfiles, where you will usually find the error and the commands to be changed. This modular architecture makes Foreman easy to expand with other orchestration tools such as Chef or SaltStack.
Installation
On the Foreman website [1], you can find packages for CentOS/RHEL 6 and 7, Debian 7, Ubuntu 12.04 and 14.04, and Fedora 19. The instructions under Getting started deliver quick success, provided name resolution works: The fully qualified domain name must be set consistently across the system. The hostname
and hostname -f
commands must return names that lead to the correct results in the forward or reverse direction via DNS or /etc/hosts
.
At first, I was a bit sloppy in my test environment and only found the cause of my problem after testing on three different Linux distributions: Foreman has a CA for certificates that secures communication between the Foreman process and the smart proxy. The two refuse to cooperate for trust reasons if access problems are present.
Once the foreman-installer package is downloaded and installed, you can either select the component to be installed using the command-line options or use an interactive installer, with which you can select the components in an ASCII interface.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs