Installing Foreman on an existing Puppet Master

Puppet is an extremely useful, powerful and hyped tool for configuration management. Foreman provides a web frontend for Puppet (among other things) and is also capable of interfacing with virtualization tools to create new hosts. Both Puppet and Foreman are extremely useful in modern System Administration, but both of their documentation is kind of wide-spread and not as comprehensive as one might hope. That's why I'll do a writeup on how to install Foreman on top of an existing (and working) Puppet Master.

Before

In the beginning, Puppet was running on a host called puppet.shack and was the Master to about 25 machines in the same network. It had been in use for about a week or two and mostly used to fix vulnerabilities, deploy ssh keys and reasonable configs for both shell and vim.

Since I would be using and extending Foreman for my bachelor thesis a few months later, I decided to set up Foreman to interface with the existing Puppet Master, so that I'd get used to Foreman's front end and way of doing things. (Of course, there were backups of puppet.shack standing by).

The system in question was a Debian running Puppet 3.7.4. The Foreman version to be installed was 1.7.

Pre-Installation

The recommended way to install Foreman is to install the Foreman Installer (yeah.). You do so by calling

echo "deb http://deb.theforeman.org/ wheezy 1.7" > /etc/apt/sources.list.d/foreman.list
echo "deb http://deb.theforeman.org/ plugins 1.7" >> /etc/apt/sources.list.d/foreman.list
wget -q http://deb.theforeman.org/pubkey.gpg -O- | apt-key add -
apt-get update && apt-get install foreman-installer

Installation

There are three ways to configure the Foreman Installer: pass command line arguments, edit a config file or run the Installer in interactive mode. While the config file is best for reproducing your results, I recommend choosing the interactive mode for your first try though, because it gives you a good overview over options and features. So, you either call the interactive mode with

foreman-installer --no-puppet -i

OR you just trust the presets and call

foreman-installer --no-puppet

After the installation is complete, the Installer will provide you with a login credentials for the admin account. If you're lucky and the Apache installation went right, you can now just browse to your server's URL and log in.

Configuration

Now, you're far from finished, because you need to set up a lot of things in order to see all interesting and current Puppet data in your Foreman web interface.

Puppet Reports

To recieve Puppet Reports in Foreman, first ensure that all Puppet clients have the line

report = true

in their puppet.conf. Next up:

wget https://raw.githubusercontent.com/theforeman/puppet-foreman/master/files/foreman-report_v2.rb
mv foreman-report_v2.rb /usr/lib/ruby/vendor_ruby/puppet/reports/foreman.rb

Please check here that this link is correct and that the folder you move the file to contains the tagmail.rb. Create /etc/puppet/foreman.yaml by copying and adjusting the following:

---
# Update for your Foreman and Puppet master hostname(s)
:url: "https://foreman.example.com"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/puppet.example.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppet.example.com.pem"

# Advanced settings
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null

Lastly, add the following to the [main] section of your Puppet Master puppet.conf and then restart your Puppet service:

reports=log, foreman

Now you should see Reports under Monitor -> Reports as soon as your Puppet agents do anything. You can trigger this by calling 

puppet agent --test

on a Puppet client.

Puppet Facts via ENC

wget https://raw.githubusercontent.com/theforeman/puppet-foreman/2.2.3/files/external_node_v2.rb
mv external_node_v2.rb /etc/puppet/node.rb
chmod +x /etc/puppet/node.rb

Put the following with the appropriate domain names and paths into the /etc/puppet/foreman.yaml:

---
# Update for your Foreman and Puppet master hostname(s)
:url: "https://foreman.example.com"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/puppet.example.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppet.example.com.pem"

# Advanced settings
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null

Add the following to the [master] section of the puppet.conf:

external_nodes = /etc/puppet/node.rb
node_terminus  = exec

Now restart your Puppet Master and you should be fine. You can test the ENC script:

sudo -u puppet /etc/puppet/node.rb [the name of a node, eg agent.local]

This should give some kind of meaningful output. Sometimes Foreman doesn't seem to incorporate some Facts despite recieving them. You can see them in the YAML field of a host, but not in the general host list. Force Foreman to get those Facts by running

sudo -u puppet /etc/puppet/node.rb --push-facts

Now you should be good to go. I'll add a further guide on how to actually use Foreman for more than just monitoring and reporting at some point in the future.