However, these repositories have one problem: only a few packages are truly built every day (or night), the majority still requires people to prepare a release of the code. This is done quite intentionally, as it keeps the repositories in a state where preparing a full Foreman release is rather quick, as only few packages need immediate human attention. The downside is that you don’t get the absolute latest changes to try out.

For a while now, we had Packit available for GitHub Pull Requests, which meant you could get an RPM with the changes from a PR and install that on a regular nightly setup. Those builds are only kept for 60 days and easily get out-of-date once the PR is merged, which means they are great to test that explicit change, but not suitable for full integration testing of all components.

Enter the @theforeman/develop COPR! This is a new COPR repository we offer, built by Packit, that contains builds of every single commit made to the main branches of our git repositories.

There is no testing or verification of the contents in this COPR. If the RPM could be built, it will be published, even if the code is broken or dependencies can’t be satisfied.

If you’re still eager to try this out after all these warnings:

• Prepare an Enterprise Linux 9 system, like you would for a normal nightly deployment
• Enable the COPR repository: dnf copr enable @theforeman/develop rhel-9-x86_64
• Perform the rest of the deployment as usual

This will use the “nightly” repository on https://yum.theforeman.org for Rails, Puma, etc. and the @theforeman/develop COPR for Foreman and plugins.

You can also enable the COPR on an existing system and either use dnf upgrade to update all available packages, or selectively install certain packages you want to try out, like you would upgrade a normal nightly deployment.

What You Can Do with 1.0

With this first release, you can already:

• Set up a basic Foreman + Katello environment using containers.
• Use an external database configuration.
• Manage services with systemd and Quadlet, making it easier to start, stop, and maintain the setup.

Under the hood, foremanctl generates Podman Quadlet units that integrate directly with systemd, providing a consistent and declarative way to run Foreman services as containers — without relying on traditional installer RPMs.

If you’d like to try it out, follow the updated Quickstart Guide for 3.16, which now includes step-by-step instructions for installing and running foremanctl. For detailed changes and improvements, see the 1.0.0 release notes.

What’s Still in Progress

This release is an important first step, but it’s not yet a full replacement for the traditional installer setup. We’re continuing to work on:

• Containerizing Smart Proxy
• Adding support for managing plugins (currently static list)
• Improving SELinux and networking integration
• Extending system requirement checks and configuration flexibility

Note: Smart Proxy services (like REX, Ansible, and DNS/DHCP) are not yet available in the release.

You can follow progress and upcoming work items in the foremanctl milestone 2.0 roadmap.

Upcoming releases are expected to build on this foundation: 3.16 serving as an alpha milestone, 3.17 as beta, and 3.18 aimed to be a GA-ready containerized deployment flow. (Please note that these plans reflect our current goals and may evolve as development continues.)

Try It Out and Share Feedback

We’d love for you to experiment with foremanctl, try out the containerized setup, and tell us what works (and what doesn’t). Your feedback helps us smooth the rough edges and shape the next iterations.

Please share your experiences, questions, and feedback in the dedicated foremanctl 1.0 feedback thread on the Foreman Community Forum.

You can also open issues directly in the foremanctl repository if you encounter specific bugs or setup problems.

foremanctl 1.0 is our first tangible step toward running Foreman in a modern, containerized way. By building on systemd and Podman Quadlet, we’re making deployments more flexible, maintainable, and easier to evolve — while keeping the same Foreman you know and rely on.

Big thanks to everyone testing, contributing, and providing feedback. This is just the start — and we’re excited to see where it goes from here! \o/

Well, not really right now. We already do this since years! betadots is a German consulting company with a focus on automation with open source tooling. We have a long history in the Puppet ecosystem. We assist companies with their planning and upgrading of their Puppet and Foreman infrastructure. Besides that we also offer public and inhouse trainings for Puppet and Foreman/Katello (with or without Puppet). The training material is also public at: github.com/betadots/foreman-training.

betadots maintains an open source tool to visualize Hiera data, HDM (Hiera Data Manager). We also maintain a foreman plugin to display the information within the Foreman UI.

Foreman has multiple Puppet modules to bootstrap Foreman and Katello, we provide regular patches to the modules to improve the code quality, update dependencies or implement new features.

Today we run an rsyncd on our webserver to offer a set of shares:

• yum - our RPM packages (same content as yum.theforeman.org)
• deb - our Debian packages (same content as deb.theforeman.org)
• archivedeb - our old Debian packages (same content as archivedeb.theforeman.org)
• downloads - misc downloads, especially release tarballs (same content as downloads.theforeman.org)
• debug-incoming - write-only share for foreman-debug uploads

Our CDN provider (Fastly) doesn’t support rsync, so whenever someone tries to download things via rsync, it hits our webserver directly, instead of being served from a CDN (which is both quicker and cheaper).

Additionally, we’re currently planing the move (and split) of our webserver, which would make offering rsync more complicated.

With all that, we decided to discontinue the service altogether on 2024-06-03.

If you need to mirror our repositories, Katello and Pulp can do that for you via HTTP(S), and so can debmirror and dnf reposync.

TL;DR

Provisioning Ubuntu 20.04.3+ uses the new Ubuntu Autoinstall mechanism which is based on cloud-init to perform image-based deployments. In your Foreman+Katello instance, you need the ISO image, boot files, and a user data template. Associate the Autoinstall provisioning templates to your operating system entry.

For Ubuntu 20.04.z deployments, Foreman decides based on the minor OS version whether to use the Preseed or Autoinstall mechanism:

• Minor OS version 0, 1, 2: Preseed
• Minor OS version 3 or above: Autoinstall

Ensure that the mechanism matches the associated templates and that your managed host has at least 3 GiB of memory. Ubuntu 22.04 “Jammy Jellyfish” deployment is Autoinstall-only and not affected by the minor OS version.

Previous approach: using “debian-installer”

Provisioning hosts with Debian and Ubuntu up to Ubuntu 20.04.2 supports debian-installer with Preseed templates. With Ubuntu 20.04.3+ and Ubuntu 22.04, you have to use Autoinstall, a cloud-init-based mechanism, to perform network-based deployments.

Introducing “Subiquity” aka. Ubuntu Autoinstall

Ubuntu 20.04 comes with a new Subiquity installer, but .0, .1, and .2 still supported debian-installer and therefore Preseed templates. With Ubuntu 20.04.2 and below, Ubuntu relied on the same deployment mechanism as Debian to install the operating system in an unattended way. Foreman still contains different well tested and maintained Preseed templates to provision hosts running all Debian and Ubuntu 20.04.2 and older.

For the Foreman community, this meant additional development time to provide Autoinstall templates and the option to use the minor OS version for Ubuntu 20.04 to optionally select debian-installer on Ubuntu 20.04.0, 20.04.1, and 20.04.2.

Comparing “Preseed” Templates and “Autoinstall” Templates

Autoinstall templates are much shorter and simpler:

Preseed Default template

# This preseed file was rendered from the Foreman provisioning template "Preseed default".
# for debian12.example.com running Debian 12
# Organization: Example
# Location: Munich

# Locale
d-i debian-installer/locale string en_US
# country and keyboard settings are automatic. Keep them ...
# ... for wheezy and newer:
d-i keyboard-configuration/xkb-keymap seen true

# Network configuration
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string debian12.example.com
d-i netcfg/get_domain string example.com
d-i netcfg/wireless_wep string

d-i hw-detect/load_firmware boolean true

# Mirror settings
d-i mirror/country string manual
d-i mirror/http/hostname string ftp.debian.org:80
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string
d-i mirror/codename string bookworm
d-i mirror/suite string bookworm
d-i mirror/udeb/suite string bookworm

# Time settings
d-i clock-setup/utc boolean true
d-i time/zone string UTC

# NTP
d-i clock-setup/ntp boolean true
d-i clock-setup/ntp-server string 0.debian.pool.ntp.org

# Set alignment for automatic partitioning
# Choices: cylinder, minimal, optimal
#d-i partman/alignment select cylinder

# Use the first detected hard disk
d-i partman/early_command string \
  INSTALL_DISK="$(list-devices disk | head -n1)"; \
  debconf-set partman-auto/disk "$INSTALL_DISK"; \
  debconf-set grub-installer/bootdev "$INSTALL_DISK"

### Partitioning
# The presently available methods are: "regular", "lvm" and "crypto"
d-i partman-auto/method string regular

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions.
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home:   separate /home partition
# - multi:  separate /home, /var, and /tmp partitions (/usr was removed in jessie)
d-i partman-auto/choose_recipe select atomic

# If you just want to change the default filesystem to something
# else, you can do that without providing a full recipe.

# This makes partman automatically partition without confirmation, provided
# that you told it what to do using one of the methods above.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# User settings
d-i passwd/root-password-crypted password _My_Password_
user-setup-udeb passwd/root-login boolean true
d-i passwd/make-user boolean false
user-setup-udeb passwd/make-user boolean false

# If we are using Katello for content management, then we do not want to use
# upstream mirrors prior to Katello registration.
d-i apt-setup/use_mirror boolean false
d-i apt-setup/service-select multiselect
d-i apt-setup/services-select multiselect

# Install minimal task set (see tasksel --task-packages minimal)
tasksel tasksel/first multiselect minimal, ssh-server, openssh-server

# Install some base packages
d-i pkgsel/include string lsb-release wget python3
d-i pkgsel/update-policy select unattended-upgrades
d-i pkgsel/upgrade select none

popularity-contest popularity-contest/participate boolean false

# Boot loader settings
#grub-pc grub-pc/hidden_timeout boolean false
#grub-pc grub-pc/timeout string 10
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i finish-install/reboot_in_progress note

d-i preseed/late_command string wget -Y off http://foreman.example.com/unattended/finish -O /target/tmp/finish.sh && in-target chmod +x /tmp/finish.sh && in-target /tmp/finish.sh

Preseed Autoinstall Cloud-init user data template

#cloud-config
autoinstall:
  version: 1
  apt:
    geoip: false
    preserve_sources_list: false
    primary:
      - arches: [amd64, i386]
        uri: http://foreman.example.com:80/pub/installation_media/ubuntu/22.04-x86_64/
    disable_components: [multiverse]
    disable_suites: [backports,security,updates]
  user-data:
    disable_root: false
    fqdn: ubuntu2204.example.com
    users:
    - name: root
      gecos: root
      lock-passwd: false
      hashed_passwd: _My_Password_
      ssh_authorized_keys: ["ssh-rsa _My_Foreman_Proxy_SSH_Key_ foreman-proxy@foreman.example.com"]
  keyboard:
    layout: us
    toggle: null
    variant: ''
  locale: en_US.UTF-8
  network:
    version: 2
    ethernets:
      ens160:
        dhcp4: true
        dhcp6: false
  ssh:
    allow-pw: true
    install-server: true
  updates: security

  storage:
    layout:
      name: lvm
  late-commands:
  - wget -Y off http://foreman.example.com/unattended/finish -O /target/tmp/finish.sh
  - curtin in-target -- chmod +x /tmp/finish.sh
  - curtin in-target -- /tmp/finish.sh

Behind the Scenes

Behind the scenes, there are changes in Ubuntu, Foreman, and the provisioning workflow.

New Installer

With Ubuntu 20.04.3+, the server installer changed from debian-installer to Subiquity installer. This installer brings various changes:

• UEFI/BIOS boot templates require different Kernel parameters
• Installation media file layout changed, for example the file structure in the ISO image
• Unattended installations require a different config file format

This means that Foreman has to search for the boot files in different paths depending on the Ubuntu version and provisioning method to provide the boot files during the host deployment. This is technically independent of the used installation mechanism, but the provisioning templates associated with the OS and the installation mechanism of the OS have to match.

Overall, provisioning hosts running Ubuntu 20.04.3+ requires different provisioning templates, a way to handle the ISO image and boot files on Foreman Server and Smart Proxy Servers, and a user data template for Autoinstall.

Changes in Foreman

• With Autoinstall, you need a new type of template called “user data template” similar to cloud deployments. (before: Preseed templates)
• Provide the ISO image and extracted ISO image. (before: installation with debian-installer was based on a repository)

With these two changes, the location of the ISO image and the Autoinstall template must be passed to the Kernel. Therefore, the new PXELinux Autoinstall and PXEGrub2 Autoinstall templates contain the URLs where to find the user data template and ISO image.

Boot Files: Linux Kernel and initrd

• For Ubuntu with major OS version 18.04 or 20.04.z with minor OS version 0, 1, or 2: Foreman searches for initrd.gz and linux in dists/bionic/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/ for 18.04 and dists/focal/main/installer-amd64/current/legacy-images/netboot/ubuntu-installer/amd64/ for 20.04. This means that you have to use Preseed templates suitable for the debian-installer mechanism.
• For Ubuntu with major OS version 20.04 with minor OS version 3 or above, or 22.04.z: Foreman searches for initrd and vmlinuz in casper/. This means that you have to use Autoinstall templates suitable for the Subiquity installer.

When you create a host, Foreman retrieves the boot files from the URL of the installation media. For Debian and Ubuntu prior to 20.04.3, you could use http://archive.ubuntu.com and Foreman would find the required files based on the code name configured for the OS entry. For Ubuntu 20.04.3+, those files are no longer present in the official upstream repositories. Therefore, you have to extract the ISO image and make it accessible for Foreman Server or Smart Proxy Server during provisioning. For example, you can place it in FQDN/pub/installation_media/ubuntu/20.04/.

Provisioning Debian/Ubuntu Compared to Enterprise Linux

In contrast to Enterprise Linux such as Red Hat Enterprise Linux or AlmaLinux, you cannot provision Ubuntu based on synchronized content. This is due to the missing Linux Kernel and initrd files in the synchronized Pulp repositories. The alternative for both Debian and Ubuntu has mostly been to either use the upstream repositories (downside: you need access to the internet), or by extracting the installation files from the ISO image and providing them under pub/ on your Foreman Server (downside: depends on the z-release).

Provisioning process

• Foreman provides the rendered user data template on FQDN/userdata/. This interface is already in use for all image-based deployments that use cloud-init templates.
• Because the ISO image is also required for the deployment but Foreman does not provide any dedicated interface for this, we have documented a way to place the ISO image into the FQDN/pub/installation_media directory on Foreman Server. This means Foreman serves the ISO image over http. If you want to deploy a host from a Smart Proxy Server, you have to copy the ISO image to your Smart Proxy Server.
• Ubuntu Autoinstall deployments also require the extracted ISO image. You have to place the extracted ISO image in FQDN/pub/installation_media/ on your Foreman Server and name the directory identical to the ISO image without the .iso file ending. If you want to deploy a host from a Smart Proxy Server, you have to copy the extracted ISO image to your Smart Proxy Server.

Ensure that you provide the ISO and extracted ISO under the same name, for example 22_04.iso and 22_04/, to use the URL for the installation media as path for both. For more information, see Creating an Installation Medium for Ubuntu 22.04 in Provisioning Hosts.

preseed_kernel_options_autoinstall.erb

The preseed_kernel_options_autoinstall.erb template sets the path to the ISO image based on the URL of the installation media and configure the Kernel parameters.

<%#
kind: snippet
name: preseed_kernel_options_autoinstall
model: ProvisioningTemplate
snippet: true
description: options for the kernel / preseed startup initialization
oses:
- ubuntu
test_on:
- ubuntu_autoinst4dhcp
-%>
<%
  ...
  image_path = @preseed_path.sub(/\/?$/, '.iso')
  userdata_option = "ds=nocloud-net;s=http://#{foreman_request_addr}/userdata/"
  options = []

  ...

  options << "BOOTIF=#{mac}" if mac
  options << 'ramdisk_size=1500000'
  options << 'fsck.mode=skip'
  options << 'autoinstall'
  options << "url=http://#{@preseed_server}#{image_path}"
  options << 'cloud-config-url=/dev/null'
  if @add_userdata_quotes
    options << "\"#{userdata_option}\""
  else
    options << userdata_option
  end
  options << 'console-setup/ask_detect=false'
  options << "locale=#{host_param('lang') || 'en_US'}"
  options << 'localechooser/translation/warn-light=true'
  options << 'localechooser/translation/warn-severe=true'
  options << "hostname=#{hostname}"
  options << "domain=#{domain}"
%>
<%= options.join(' ') -%>

For more information, see app/views/unattended/provisioning_templates/snippet/preseed_kernel_options_autoinstall.erb in the foreman repository.

To complete the provisioning process, the user data template configures a user, sets up remote access using authorized SSH keys, configures networking and the disk layout, and fetches the rendered finish data template from Foreman. The Preseed default finish template installs subscription-manager and registers the host to Foreman.

Provisioning Templates

• Debian 10 “Buster”, Debian 11 “Bullseye”, Debian 12 “Bookworm”, Ubuntu 18.04 “Bionic”, and Ubuntu 20.04, 20.04.1, 20.04.2 “Focal”: Preseed default provisioning templates
• Ubuntu 20.04 “Focal” and Ubuntu 22.04 “Jammy”: Autoinstall provisioning templates

Provisioning Templates for “Preseed” and “Autoinstall”

Example Workflow: Provisioning Ubuntu 22.04 through a Smart Proxy Server

This example guides you through the extensive Foreman documentation and its Provisioning Hosts guide. It assumes you have a running Foreman 3.9 with Katello 4.11 instance.

1. Create an operating system entry on your Foreman+Katello. For more information, see Creating an Operating System for Ubuntu.
   • Set the OS major version to 22.04 for Ubuntu 22.04 “Jammy Jellyfish”.
   • The OS minor version does not impact your OS deployment.
   • Set the Release Name to jammy.
   • Select the Preseed default Autoinstall templates and Preseed Autoinstall cloud-init user data as user data template.
   • Ensure to use the PXELinux Autoinstall template as PXELinux template.
2. If you have made any changes to Preseed default templates, replicate those, if required, in the Autoinstall templates. Be aware that customized templates in Foreman do not receive any updates. For more information, see Associating Templates with Operating Systems.
3. Provide the Ubuntu 22.04 ISO image and extracted ISO image on your Foreman Server: Creating an Installation Medium for Ubuntu 22.04. Ensure that the name of the ISO image and the directory of the extracted ISO image match as described above.
4. Copy the ISO image and extracted ISO image to your Smart Proxy Server: Provisioning Ubuntu Autoinstall Through Smart Proxies.
5. Create two installation media entries and associate them with your operating system entry: Adding Installation Media to Foreman.
   • Create an installation media entry for the extracted ISO image on your Foreman Server.
   • Create an installation media entry for the extracted ISO image on your Smart Proxy Server.
6. Synchronize the Foreman Client for Ubuntu 22.04 from oss.atix.de: Adding DEB Repository Example for Ubuntu 22.04. For more information, see oss.atix.de. Ensure to add the Foreman Client repository to your content view.
7. Tie everything together in a host group: Creating a Host Group. Ensure that your host group uses the proper installation media entry to provision Ubuntu 22.04 through Smart Proxy Servers.
8. Deploy a host. 🎉

If you have any questions, please open a thread in the Foreman Community Forum.

I knew that the potential fix is to set PrivateTmp=true in the systemd unit, so the patch was quickly written, but how would one verify it end to end?

In Foreman, our releases (and nightlies!) are tested using forklift, a combination of Vagrant for managing VMs and Ansible for deploying Foreman in them and running bats.

We can run the installation pipeline for Foreman nightly on CentOS Stream 8 like this:

% ansible-playbook pipelines/install_pipeline.yml -e pipeline_os=centos8-stream -e pipeline_version=nightly -e pipeline_type=foreman
…
TASK [bats : Run bats] *************************************************************************************************************
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-verify-packages.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-foreman.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-puppet.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-backup.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-verify-selinux.bats)
…
PLAY RECAP *************************************************************************************************************************
localhost                  : ok=5    changed=2    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0
pipe-foreman-server-nightly-centos8-stream : ok=62   changed=19   unreachable=0    failed=0    skipped=37   rescued=0    ignored=1
pipe-foreman-smoker-nightly-centos8-stream : ok=17   changed=12   unreachable=0    failed=0    skipped=3    rescued=0    ignored=0

As we see, the tests pass and everyone is happy.

We can destroy the setup again, and continue with our tasks:

% ansible-playbook pipelines/install_pipeline.yml -e pipeline_os=centos8-stream -e pipeline_version=nightly -e pipeline_type=foreman -e forklift_state=destroy

The tests passed because we do not deploy fapolicyd by default as the integration is not yet fully ready.

To test the integration, there is a feature flag: foreman_fapolicyd and if we enable it, the overall installation fails as expected:

% ansible-playbook pipelines/install_pipeline.yml -e pipeline_os=centos8-stream -e pipeline_version=nightly -e pipeline_type=foreman -e foreman_fapolicyd=true
…
TASK [foreman_installer : Run installer] *******************************************************************************************
fatal: [pipe-foreman-server-nightly-centos8-stream]: FAILED! => changed=true
…
    Error 1: Puppet Service resource 'puppetserver' failed. Logs:
      /Service[puppetserver]
        Starting to evaluate the resource (993 of 1266)
        Skipping restart; service is not running
        Triggered 'refresh' from 2 events
        The container Class[Puppet::Server::Service] will propagate my refresh event
        Evaluated in 9.75 seconds
      /Stage[main]/Puppet::Server::Service/Service[puppetserver]/ensure
        change from 'stopped' to 'running' failed: Systemd start for puppetserver failed!
    journalctl log for puppetserver:
    -- Logs begin at Fri 2023-11-03 08:53:57 UTC, end at Fri 2023-11-03 09:01:28 UTC. --
    Nov 03 09:01:19 pipe-foreman-server-nightly-centos8-stream.tanso.example.com systemd[1]: Starting puppetserver Service...
    Nov 03 09:01:22 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48125]: WARNING: abs already refers to: #'clojure.core/abs in namespace: medley.core, being replaced by: #'medley.core/abs
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48125]: Execution error (ClassNotFoundException) at java.net.URLClassLoader/findClass (URLClassLoader.java:387).
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48125]: org.jruby.ext.psych.PsychLibrary
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48125]: Full report at:
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48125]: /tmp/clojure-5697285534509071746.edn
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com puppetserver[48098]: Background process 48125 exited before start had completed
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com systemd[1]: puppetserver.service: Control process exited, code=exited status=1
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com systemd[1]: puppetserver.service: Failed with result 'exit-code'.
    Nov 03 09:01:28 pipe-foreman-server-nightly-centos8-stream.tanso.example.com systemd[1]: Failed to start puppetserver Service.

    1 error was detected during installation.
    Please address the errors and re-run the installer to ensure the system is properly configured.
    Failing to do so is likely to result in broken functionality.

    The full log is at /var/log/foreman-installer/foreman.log
  stdout_lines: <omitted>

PLAY RECAP *************************************************************************************************************************
localhost                  : ok=5    changed=2    unreachable=0    failed=0    skipped=5    rescued=0    ignored=0
pipe-foreman-server-nightly-centos8-stream : ok=47   changed=12   unreachable=0    failed=1    skipped=28   rescued=0    ignored=1

Now that we know that we can reproduce the reported issue, let’s try to deploy the fix and see if it actually fixes things.

The patch is against our Puppet module that is responsible for deploying the Puppetserver, but our installation procedure doesn’t call Puppet directly, it uses foreman-installer which under the hood uses Puppet. So to test the fix we need to build foreman-installer with the patched module and deploy the result during the installation pipeline, before Ansible calls the installer.

This sounds tedious and error prone, but luckily we have Packit integration in our foreman-installer repository and in forklift. That means that we need to create a PR against the installer repository, temporarily pointing at the patched Puppet module and once Packit has built the package can instruct forklift to use that Packit repository during deployment, validating the fix:

% ansible-playbook pipelines/install_pipeline.yml -e pipeline_os=centos8-stream -e pipeline_version=nightly -e pipeline_type=foreman -e foreman_fapolicyd=true -e '{"packit_prs":["theforeman/foreman-installer/897"]}'
…
TASK [packit : setup packit copr] **************************************************************************************************
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=theforeman/foreman-installer/897)
…
TASK [bats : Run bats] *************************************************************************************************************
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-verify-packages.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-foreman.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-puppet.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-test-backup.bats)
changed: [pipe-foreman-server-nightly-centos8-stream] => (item=fb-verify-selinux.bats)
…

And this is the story of how I could validate the fix while drinking a coffee instead of thinking how to inject the manually built package at the right time into the automated installation test.

As workflows and events one might want to react to will vary across different setups, we’ll show one example integration and let everyone adopt it to their needs. The workflow in this example is to have machines in a group update once their content has been updated in Katello. You can find a full list of available Webhook Events in the documentation.

First of all, we need a Katello installation with the Foreman Webhooks plugin enabled. This can be achieved by calling foreman-installer --enable-foreman-plugin-webhooks on an existing setup or passing --enable-foreman-plugin-webhooks during the initial installation.

Second, we need a place to run Ansible and Ansible-Rulebook. An empty CentOS Stream 8 machine where we follow the ansible-rulebook installation and the ansible.eda collection installation guides will do:

[root@eda] # dnf install java-17-openjdk python39-pip
[user@eda ~]$ export JAVA_HOME=/usr/lib/jvm/jre-17-openjdk
[user@eda ~]$ python3.9 -m venv ./eda-venv
[user@eda ~]$ . ./eda-venv/bin/activate
(eda-venv) [user@eda ~]$ pip install ansible-rulebook ansible ansible-runner
(eda-venv) [user@eda ~]$ ansible-galaxy collection install ansible.eda
(eda-venv) [user@eda ~]$ pip install -r ~/.ansible/collections/ansible_collections/ansible/eda/requirements.txt

The only difference to the official guides is that we explicitly used Python 3.9, as the default Python in CentOS Stream 8 is Python 3.6 and that is too old for ansible-rulebook and ansible-runner.

Quickly check that the ansible-rulebook CLI is working:

(eda-venv) [user@eda ~]$ ansible-rulebook --help
usage: ansible-rulebook [-h] [-r RULEBOOK] [-e VARS] [-E ENV_VARS] [-v] [--version] [-S SOURCE_DIR] [-i INVENTORY] [-W WEBSOCKET_ADDRESS] [--id ID] [-w] [-T PROJECT_TARBALL] [--controller-url CONTROLLER_URL]
                        [--controller-token CONTROLLER_TOKEN] [--controller-ssl-verify CONTROLLER_SSL_VERIFY] [--print-events] [--shutdown-delay SHUTDOWN_DELAY] [--gc-after GC_AFTER]

optional arguments:
  -h, --help            show this help message and exit
  -r RULEBOOK, --rulebook RULEBOOK
                        The rulebook file or rulebook from a collection
  -e VARS, --vars VARS  Variables file
  -E ENV_VARS, --env-vars ENV_VARS
                        Comma separated list of variables to import from the environment
  -v, --verbose         Causes ansible-rulebook to print more debug messages. Adding multiple -v will increase the verbosity, the default value is 0. The maximum value is 2. Events debugging might require -vv.
  --version             Show the version and exit
  -S SOURCE_DIR, --source-dir SOURCE_DIR
                        Source dir
  -i INVENTORY, --inventory INVENTORY
                        Inventory
  -W WEBSOCKET_ADDRESS, --websocket-address WEBSOCKET_ADDRESS
                        Connect the event log to a websocket
  --id ID               Identifier
  -w, --worker          Enable worker mode
  -T PROJECT_TARBALL, --project-tarball PROJECT_TARBALL
                        A tarball of the project
  --controller-url CONTROLLER_URL
                        Controller API base url, e.g. https://host1:8080 can also be passed via the env var EDA_CONTROLLER_URL
  --controller-token CONTROLLER_TOKEN
                        Controller API authentication token, can also be passed via env var EDA_CONTROLLER_TOKEN
  --controller-ssl-verify CONTROLLER_SSL_VERIFY
                        How to verify SSL when connecting to the controller, yes|no|<path to a CA bundle>, default to yes for https connection.can also be passed via env var EDA_CONTROLLER_SSL_VERIFY
  --print-events        Print events to stdout, redundant and disabled with -vv
  --shutdown-delay SHUTDOWN_DELAY
                        Maximum number of seconds to wait after issuing a graceful shutdown, default: 60. The process will shutdown if all actions complete before this time period
  --gc-after GC_AFTER   Run the garbage collector after this number of events. It can be configured with the environment variable EDA_GC_AFTER

Now that we have Foreman/Katello and ansible-rulebook working, we need to integrate the two together.

The ansible.eda collection comes with an ansible.eda.webhook event source plugin, which we can use as the receiver of the webhooks that Foreman Webhooks will send. For that we create a new rulebook (rulebook.yml) that configures the webhook and how to proceed with the received events:

---
- name: Listen for events on a webhook
  hosts: all

  ## Define our source for events

  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000

  ## Define the conditions we are looking for

  rules:
    - name: check which content view was updated
      condition: event.payload.content_view_name == "dev"

  ## Define the action we should take should the condition be met

      action:
        run_playbook:
          name: update.yml

This rulebook means we start the ansible.eda.webhook plugin on 0.0.0.0:5000 and every time an event happens that has the content_view_name field in the payload set to dev we execute the update.yml playbook.

The update.yml playbook is rather short, just calling the ansible.builtin.dnf module on the foreman_dev group to update packages:

---
- hosts: foreman_dev
  tasks:
    - name: Upgrade all packages
      ansible.builtin.dnf:
        name: "*"
        state: latest

Ideally, the foreman_dev group would come from the theforeman.foreman.foreman inventory plugin we provide, but ansible-rulebook does not yet support inventory plugins. Instead, we create a static YAML inventory (inventory.yml):

---
foreman_dev:
  hosts:
    dev01.example.com

We can now start ansible-rulebook:

(eda-venv) [user@eda ~]$ ansible-rulebook --inventory inventory.yml --rulebook rulebook.yml --verbose
2023-04-13 07:55:11,974 - ansible_rulebook.app - INFO - Starting sources
2023-04-13 07:55:11,974 - ansible_rulebook.app - INFO - Starting rules
2023-04-13 07:55:11,974 - ansible_rulebook.engine - INFO - run_ruleset
2023-04-13 07:55:11,974 - drools.ruleset - INFO - Using jar: /home/user/eda-venv/lib/python3.9/site-packages/drools/jars/drools-ansible-rulebook-integration-runtime-1.0.0-SNAPSHOT.jar
2023-04-13 07:55:12,308 - ansible_rulebook.engine - INFO - ruleset define: {"name": "Listen for events on a webhook", "hosts": ["all"], "sources": [{"EventSource": {"name": "ansible.eda.webhook", "source_name": "ansible.eda.webhook", "source_args": {"host": "0.0.0.0", "port": 5000}, "source_filters": []}}], "rules": [{"Rule": {"name": "check which content view was updated", "condition": {"AllCondition": [{"EqualsExpression": {"lhs": {"Event": "payload.content_view_name"}, "rhs": {"String": "dev"}}}]}, "actions": [{"Action": {"action": "run_playbook", "action_args": {"name": "update.yml"}}}], "enabled": true}}]}
2023-04-13 07:55:12,317 - ansible_rulebook.engine - INFO - load source
2023-04-13 07:55:12,621 - ansible_rulebook.engine - INFO - load source filters
2023-04-13 07:55:12,621 - ansible_rulebook.engine - INFO - loading eda.builtin.insert_meta_info
2023-04-13 07:55:12,909 - ansible_rulebook.engine - INFO - Calling main in ansible.eda.webhook
2023-04-13 07:55:12,911 - ansible_rulebook.engine - INFO - Waiting for all ruleset tasks to end
2023-04-13 07:55:12,911 - ansible_rulebook.rule_set_runner - INFO - Waiting for actions on events from Listen for events on a webhook
2023-04-13 07:55:12,911 - ansible_rulebook.rule_set_runner - INFO - Waiting for events, ruleset: Listen for events on a webhook
2023-04-13 07:55:12 912 [drools-async-evaluator-thread] INFO org.drools.ansible.rulebook.integration.api.io.RuleExecutorChannel - Async channel connected

A quick curl call shows us that things are responding – don’t worry about the “Method Not Allowed”, curl does a GET here, but the endpoint only accepts POST:

% curl http://eda.example.com:5000/endpoint
405: Method Not Allowed

With the Ansible side done, we can move on to Foreman.

While Foreman Webhooks comes with a few example webhook templates, none of these generate a JSON representation of a Content View Promotion event, so we need to create one ourselves under “Administer > Webhook Templates”:

<%#
name: Katello Promote JSON
description: JSON payload for actions.katello.content_view.promote_suceeded
snippet: false
model: WebhookTemplate
-%>
<%=
  payload({
    "content_view_id": @object.content_view_id,
    "content_view_name": @object.content_view_name,
    "content_view_label": @object.content_view_label,
  })
-%>

Once the template is created, we can create we webhook under “Administer > Webhooks”, using it:

• Subscribe to: Actions Katello Content View Promote Succeeded
• Name: ansible inform cv promote
• Target URL: http://eda.example.com:5000/endpoint
• Template: Katello Promote JSON
• HTTP Method: POST
• Enabled: true

Now, every time any content view is promoted, a webhook is sent to eda.example.com, which then filters based on the name of the content view and executes the update.yml playbook if the name was dev:

2023-04-13 08:11:00,856 - aiohttp.access - INFO - 192.168.122.149 [13/Apr/2023:08:11:00 +0000] "POST /endpoint HTTP/1.1" 200 177 "-" "Ruby"
2023-04-13 08:11:00 937 [main] INFO org.drools.ansible.rulebook.integration.api.rulesengine.RegisterOnlyAgendaFilter - Activation of effective rule "check which content view was updated" with facts: {m={payload={content_view_id=2, content_view_name=dev, webhook_id=1, context={request=e86e61df-548b-4572-9c20-d534d2addad6, user_admin=true, org_id=1, org_label=Default_Organization, user_login=admin, loc_name=Default Location, org_name=Default Organization, loc_id=2}, content_view_label=dev, event_name=actions.katello.content_view.promote_succeeded.event.foreman}, meta={headers={Accept=*/*, X-Session-Id=c38e182d-b6bc-4ceb-9cc4-c8ad36dbbda2, X-Request-Id=e86e61df-548b-4572-9c20-d534d2addad6, User-Agent=Ruby, Connection=close, Host=centos8-stream-eda.tanso.example.com:5000, Accept-Encoding=gzip;q=1.0,deflate;q=0.6,identity;q=0.3, Content-Length=386, Content-Type=application/json}, endpoint=endpoint, received_at=2023-04-13T08:11:00.856103Z, source={name=ansible.eda.webhook, type=ansible.eda.webhook}, uuid=0bef4d63-df1c-4be1-b1f1-4956d2e6529b}}}
2023-04-13 08:11:00,962 - ansible_rulebook.rule_generator - INFO - calling check which content view was updated
2023-04-13 08:11:00,964 - ansible_rulebook.rule_set_runner - INFO - call_action run_playbook
2023-04-13 08:11:00,964 - ansible_rulebook.rule_set_runner - INFO - substitute_variables [{'name': 'update.yml'}] [{'event': {'payload': {'content_view_id': 2, 'content_view_name': 'dev', 'webhook_id': 1, 'context': {'request': 'e86e61df-548b-4572-9c20-d534d2addad6', 'user_admin': True, 'org_id': 1, 'org_label': 'Default_Organization', 'user_login': 'admin', 'loc_name': 'Default Location', 'org_name': 'Default Organization', 'loc_id': 2}, 'content_view_label': 'dev', 'event_name': 'actions.katello.content_view.promote_succeeded.event.foreman'}, 'meta': {'headers': {'Accept': '*/*', 'X-Session-Id': 'c38e182d-b6bc-4ceb-9cc4-c8ad36dbbda2', 'X-Request-Id': 'e86e61df-548b-4572-9c20-d534d2addad6', 'User-Agent': 'Ruby', 'Connection': 'close', 'Host': 'centos8-stream-eda.tanso.example.com:5000', 'Accept-Encoding': 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Length': '386', 'Content-Type': 'application/json'}, 'endpoint': 'endpoint', 'received_at': '2023-04-13T08:11:00.856103Z', 'source': {'name': 'ansible.eda.webhook', 'type': 'ansible.eda.webhook'}, 'uuid': '0bef4d63-df1c-4be1-b1f1-4956d2e6529b'}}}]
2023-04-13 08:11:00,964 - ansible_rulebook.rule_set_runner - INFO - action args: {'name': 'update.yml'}
2023-04-13 08:11:00,964 - ansible_rulebook.builtin - INFO - running Ansible playbook: update.yml
2023-04-13 08:11:00,977 - ansible_rulebook.builtin - INFO - ruleset: Listen for events on a webhook, rule: check which content view was updated
2023-04-13 08:11:00,977 - ansible_rulebook.builtin - INFO - Calling Ansible runner

PLAY [foreman_dev] *************************************************************

TASK [Gathering Facts] *********************************************************
ok: [dev01.example.com]

TASK [Upgrade all packages] ****************************************************
changed: [dev01.example.com]

PLAY RECAP *********************************************************************
dev01.example.com          : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
2023-04-13 08:13:57,332 - ansible_rulebook.builtin - INFO - Ansible Runner Queue task cancelled
2023-04-13 08:13:57,333 - ansible_rulebook.builtin - INFO - Playbook rc: 0, status: successful
2023-04-13 08:13:57,333 - ansible_rulebook.rule_set_runner - INFO - Task action::run_playbook::Listen for events on a webhook::check which content view was updated finished, active actions 0

In the case of LDAP we still can provide the LDAP password to Ansible, and things will work. However, providing the LDAP password to Ansible also means that Ansible is now in the possession of a credential that can be used in other contexts than Foreman, which is something nobody really wants to do. Some LDAP servers even require a kind of 2FA authentication, by requiring the password to be transferred as <password><token> and thus the transferred password changes on each request.

Enter “Personal Access Tokens” (PAT)! Foreman supports Personal Access Tokens since 1.17 and allows the use of PATs instead of the password when performing API requests. As Personal Access Tokens are stored and validated by Foreman, they can be used regardless of the requirements and constraints the “real” authentication method enforces.

To create a Personal Access Token, we go to the user’s profile

Select the “Personal Access Tokens” tab

Click “Add Personal Access Token”

Fill out the form, the name is something that the token can be later be identified by, say “ansible” and the expiration date is optional

Once the form is submitted, the newly created token is shown and can be used

Now the token can be used as the password in any Ansible playbook:

---
- hosts: localhost
  tasks:
    - name: set instance title
      theforeman.foreman.setting:
        server_url: https://foreman.example.com/
        username: admin
        password: hjYrjFXmRqi12uumRQPsbg
        name: instance_title
        value: the awesome and secure instance

Release updates

Foreman 3.3 GA

This month, Foreman 3.3 became generally available. Upgrade to enjoy the latest features and bugfixes. For more information see Foreman 3.3.0 has been released!

Foreman 3.4 release update

We are halfway through the development phase for Foreman 3.4.

@upadhyeammit gave us the latest update on this in the community demo. You can listen back here:

Katello 4.5

The Katello 4.5 release is imminent, expected to become GA during early next week (week starting July 3rd). You can keep up to date with the latest updates by keeping an eye on our release announcements on our community forum.

Debian installations and foreman-maintain

The foreman-maintain utility has been around for quite some time but only available to Foreman installations on Enterprise Linux. However, we have some good news. @upadhyeammit has been working away behind the scenes to put together the different pieces to allow Debian and Ubuntu users to use foreman-maintain.

You can watch @upadhyeammit talk through his work and the benefits that foreman-maintain will bring for Foreman Debian and Ubuntu users in our latest demo:

Foreman on El7 Deprecation updates

@ehelms posted an update regarding the EL7

At this time we have dropped EL7 from our nightly testing pipelines. We are no longer generating EL7 nightly repositories nor testing installations or upgrade against EL7. We are continuing to work in this area to remove the nightly release repositories on EL7, as well as cleanup packaging to stop building all but client packages on EL7. Forklift has also been updated to drop EL7 as a nightly and development environment option. Developers – this means that if you are using an EL7 based development environment, it is now out of date and will not be update-able - Please find time and move to an EL8 based setup. There is no in-place upgrade for development environments.

For more information, see the Deprecation plans for Foreman on EL7, Debian 10 and Ubuntu 18.04 thread.

Do you append domain names to host settings?

@Marek_Hulan has put out a call to understand if there are use cases where appending domain names to host settings has been useful for Foreman users. Removing this might help simplify things, especially around Ansible workflows.

If you are using this setting (Append domain names to the host from Settings > General), please let us know how and why this helps you.

Making email optional for Foreman user accounts?

This month @nofaralfasi opened a discussion regarding user accounts and different requirements for email depending on whether you’re updating or creating a user in Foreman. She has proposed that we make adding a user email address optional in all scenarios.

For more information see Update users email to be optional and add your thoughts to the discussion, even if just to add a +1 to the suggestion.

New Foreman developer guide

@nofaralfasi also created a new guide to help fellow Foreman developers install and get started with Foreman. She has an open PR with her work. Please test, and let us know what you think.

Community Demos

We had two demos this month!

Demo #111

Demo #112

Thank you!

Thank you to everyone who asked and answered questions, opened issues, and made the Foreman community a vibrant place to be over the last month!

Foreman 3.3 RC 2

The second release candidate for Foreman 3.3 has been released and is available for testing. If you use Foreman and would like to contribute to the project, installing and testing the release candidates is a great way to help out. Evaluating the release candidates is also a great way to familiarize yourself with changes in the upcoming release.

For more information about evaluating the 3.3 release candidate, see Foreman 3.3.0 RC2 is ready for testing!

Ruby 2.5 deprecation in Foreman 3.3

Ruby 2.5 will be deprecated as part of the release of Foreman 3.3 and removed with the release of Foreman 3.4.

evgeni has outlined the reasons behind the Ruby 2.5 deprecation and set out the timeline for this. For more information, check out Deprecation of Ruby 2.5.

Foreman 3.2.1

The first update to Foreman 3.2 was also released. This release contains a number of bug fixes.

Update your Foreman 3.2 instance to enjoy all the latest fixes.

For more information, check out the release announcement.

3.1.3 - final update to the 3.1 series

With the release of Foreman 3.3 in the offing, the 3.1.3 update will be the final update to 3.1. After 3.3 is released, the 3.1 version will no longer be supported. Consider updating to 3.2 today to ensure that you remain on an up-to-date Foreman version.

For more information, see Foreman 3.1.3 has been released!.

Katello 4.5 update

As part of our community demo, cintrix84 updated us on the timeline and what we can expect as part of Katello 4.5:

Upgrade Foreman to EL 8

evgeni has been doing everything he can to highlight the importance of upgrading your Foreman instance from EL 7 to EL 8 as soon as possible.

On Foreman 3.2 and the upcoming release Foreman 3.3, you can perform this in-place. However, if you don’t upgrade to EL8 while using these versions of Foreman, you’ll have a much bigger job to do redeploying everything yourself.

evgeni came and demoed the upgrade process as part of the most recent community demo.

Documentation on this process is in progress and if you have any issues, please post to the community so that we can understand the issue and look for a solution.

Remote Execution Pull Provider now available on nightly!

From a user perspective, little will change with the remote execution workflow. However, behind the scenes, there have been some major changes that are now available on nightly and will hopefully make it in on time for the Foreman 3.3 release also.

In an effort to improve the way remote execution is handled, remote execution will take place via Pull MQTT rather than SSH.

For a comprehensive overview of what you can look forward to, let aruzicka walk you through the changes:

Katello Alternative Content Sources

iballou has mentioned progress on Alternative Content Sources for Katello a few times over the past few months. You can watch him discussing this and providing a walkthrough of creating an alternative content source in the Foreman web UI and also with the Hammer CLI:

Save the date for OSAD 2022

maximilian added Open Source Automation Days (OSAD) dates to the Foreman calendar. Throughout the years, many Foreman community members have presented their work at OSAD. While the call for papers ends on May 31, save the date to enjoy the main conference either online or in Munich on October, 4th and 5th plus Workshops on October 6th 2022

For more information, see Open Source Automation Days Foreman calendar entry.

Foreman/Katello Performance Tuning Guide

Getting the most out of very large Foreman deployments might require some tuning. maximilian has open sourced the Red Hat Satellite Performance Tuning source to create a guide that is useful for Foreman and Katello users. We need your contributions to make this guide useful and helpful to other community members so they can get the most out of their larger Foreman deployments. For more information, watch maximilian’s presentation at the latest community demo:

Thank you!

Thank you to everyone who asked and answered questions, opened issues, and made the Foreman community a vibrant place to be over the last month!