Feature #3476

open

As a User, I would like to install foreman in a HA mode

Added by Ohad Levy over 10 years ago. Updated over 10 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Related issues 1 (1 open, 0 closed)

Related to Smart Proxy - Feature #9807: Add support to Smart-Proxy for 'HA' services (New, 03/18/2015)
Actions #1

Updated by Benjamin Papillon over 10 years ago

Hello,

Firstly, what is in the scope of HA?
Do you want to implement smart proxy redundancy? dns/dhcp/tftp/whatever redundancy?
I think we will have to think about it for every component. For example, you can use 2 LDAP servers for authentication. libldap can take 2 servers as arguments and manages the failover itself.
Do we want this level of details/implementation?

We have mainly 2 options for HA:
  • Active / Passive
  • Active / Active

Active / Passive:
It is the simpler one and it can handle smart proxy (dunno about dhcp/dns).
The main technical components are certainly corosync + drbd for files.

Active / Active:
Main idea is shared database with postgresql + http load balancer in front (haproxy + keepalived)
How do we manage certificates this way? Only one smartproxy puppetca? How about CRL?

I can discuss that today on IRC this afternoon if you wish :)

Actions #2

Updated by Ohad Levy over 10 years ago

Thanks for starting the discussion, this was exactly my intent.

I would assume the easy first path could be:
  • add LB service, via apache, SSL termination is done here
    • add multiple foreman servers that are used by the LB
    • add multiple puppetmasters that are used by the LB
  • add DB clustering
    • either active/active or master/slave (depends on the db type)?
Actions #3

Updated by Duncan Innes over 10 years ago

I'd echo the situation with LDAP servers. We have a pair of IPA servers in each discrete network location (normally behind firewalls). We do something similar with puppetmasters, but it's just a single instance in each location. Configuring puppet clients with multiple puppetmasters would be an impressive move.

Back at the foreman end, failover capability for us would normally require a prod foreman and database pair and a failover foreman and database pair. Clustering of the DB would be a nicer option, however.

What's the main goal of HA though? To provide HA access to the front-end? To provide HA database? To provide HA access from clients to puppetmasters? Which one is the 'big win' - or is the target to steadily increase the HA across all areas?

Actions #4

Updated by Ewoud Kohl van Wijngaarden over 10 years ago

I think that one part of having foreman HA would be to just have the foreman HA. That excludes all proxy related items and the proxy itself. That means it becomes a pure webserver or application server and makes it IMHO a lot easier.

To achieve that, I'd think the first step is to modify the installer to install foreman as a pure webserver. That means parameterizing the related services. Since you can already specify the database parameters, you only need to worry about the sessions. For that we install the foreman_memcache plugin. For simplicity we can assume memcache is on another machine as well and we only need to specify the host and port.

Another thing is certificates. Since you most likely won't serve using the FQDN, you need to override that as well. https://github.com/theforeman/puppet-foreman/pull/135 could help with that.

Possibly you also need to tell the webserver if it's behind a reverse proxy. That depends on the load balancer used since a TCP load balancer such as LVS doesn't need that, but in turn needs a Virtual IP set up if using direct routing.

Am I forgetting anything? Would this be the best path to take?

Actions #5

Updated by Gavin Williams about 9 years ago

  • Related to Feature #9807: Add support to Smart-Proxy for 'HA' services added