Linux Foreman Automation Deployment and Operations Guide

1. Foreman Automation Deployment Steps

Environment Preparation

  1. System Requirements
  • Server: CentOS 8/RHEL 8 (recommended), 4 cores CPU, 8GB RAM, 100GB disk
  • Network: Static IP, DNS resolution, firewall open ports (80/443/8443/69)

bash

sudo firewall-cmd –permanent –add-port={80/tcp,443/tcp,8443/tcp,69/udp}

sudo firewall-cmd –reload

  1. Install Foreman

bash

# Add repository

sudo dnf install -y https://yum.theforeman.org/releases/3.5/el8/x86_64/foreman-release.rpm

# Install Foreman + Puppet (default configuration)

sudo dnf install -y foreman-installer

sudo foreman-installer –scenario foreman \

–enable-foreman-proxy \

–enable-foreman-plugin-remote-execution \

–enable-foreman-plugin-templates

  • After installation, record the console URL and admin password (view in /etc/foreman-installer/scenarios.d/foreman-answers.yaml ).

2. Operating System Deployment Process

  1. Configure DHCP/TFTP/PXE
  • In Foreman Web console (https://<foreman-ip>): configure:InfrastructureSubnetsSelect subnetEdit
    • Fill in DHCP range, gateway, DNS
    • Enable TFTP and PXE
  • Add Operating System ImageHostsOperating SystemsNew
    • Example: CentOS 8
      • Name:CentOS 8.5
      • Family:Red Hat
      • Root password:Use encrypted (recommended)

    bash

    # Generate encrypted password (copy output to Foreman)

    echo “mypassword” | openssl passwd -1 -stdin

    1. Create Provisioning TemplateHostsTemplatesNew
    • Type:Provisioning Template
    • Associated Operating System: select CentOS 8.5
    • Content example (Kickstart minimal version):

    kickstart

    lang en_US.UTF-8

    keyboard us

    timezone UTC

    rootpw –iscrypted <%= root_pass %>

    reboot

    install

    url –url <%= medium_uri %>

    bootloader –location=mbr

    zerombr

    clearpart –all –initlabel

    autopart

    network –bootproto=dhcp –hostname=<%= host.name %>

    auth –passalgo=sha512 –useshadow

    selinux –enforcing

    firewall –enabled

    %post

    /usr/sbin/subscription-manager register … # If subscribed

    %end

    1. Define Host GroupConfigureHost GroupsNew
    • Name:web-servers
    • Operating System:CentOS 8.5
    • Environment:production
    • Puppet Classes: add basic security classes (e.g., ntp, selinux)
  • Start PXE Deployment
    • Set the target server to boot from network (PXE)
    • Foreman automatically detects and lists hostsClick Provision

    3. Daily Operations and Maintenance

    1. Host Lifecycle Management
    • Batch Operations:

    bash

    # Reboot all web-servers group hosts via Hammer CLI

    hammer host reboot –search ‘hostgroup = “web-servers”‘

    • Status Monitoring: View in console MonitoringReports (Puppet run status, audit logs)
  • Software Updates
  • bash

    # Remote execution for batch updates (requires remote-execution plugin)

    hammer job-invocation create –job-template “Run Command – SSH Default” \

    –search-query “hostgroup = web-servers” \

    –inputs “command=yum update -y –security”

    1. Log Management
    • Integrate ELK or Loki: Modify Puppet Manifest to add filebeat class to forward logs to central server.

    4. Security Compliance Hardening

    1. Baseline Configuration (Enforced via Puppet)

    puppet

    # Example: Hardening SSH (manifests/secure_ssh.pp)

    class secure_ssh {

    file { ‘/etc/ssh/sshd_config’:

    content => template(‘secure/sshd_config.erb’),

    notify => Service[‘sshd’],

    }

    service { ‘sshd’: ensure => running, enable => true }

    }

    • Template sshd_config.erb Content:

    conf

    PermitRootLogin no

    PasswordAuthentication no

    Protocol 2

    1. Compliance Scanning (OpenSCAP Integration)
    • In Foreman:HostsPoliciesNew OSCAP Policy
      • Select profile:CIS CentOS 8 Benchmark
      • Regularly scan and generate reports (ComplianceReports)
  • Vulnerability Management
    • Synchronize security repositories:

    bash

    hammer repository synchronize –name=”CentOS 8 Security Updates” –product=”CentOS”

    • Automated patching (create scheduled job template):

    bash

    hammer job-template create –name “Monthly Security Patch” \

    –template “yum update -y –security” \

    –cron-line “0 3 * * 6” # Every Saturday 3AM execution

    5. Data Backup Strategy

    1. Foreman Metadata Backup

    bash

    # Daily full backup (including database, configuration, Puppet code)

    sudo foreman-maintain backup offline –preserve-directory /backup/foreman-$(date +%F)

    1. Application Data Backup
    • Use Rclone to sync to S3:

    bash

    rclone sync /var/lib/pulp s3:mybucket/foreman-pulp –copy-links

    1. Disaster Recovery Testing

    bash

    # Recovery drill (quarterly)

    sudo foreman-maintain restore /backup/foreman-2025-01-01

    6. Key Considerations

    1. Network Isolation
    • PXE/DHCP services must run in a dedicated VLAN to avoid interference with the production network.
  • Key Management
    • Use Vault plugin to store encrypted passwords:

    puppet

    $db_password = vault_lookup(‘secret/db’, ‘password’)

    1. Audit and Compliance
    • Enable Foreman audit logs (/var/log/foreman/audit.log), archive regularly.
  • Performance Optimization
    • Configure Pulp (software repository) with SSD storage
    • Adjust Passenger thread count:

    bash

    echo “PassengerMaxPoolSize 12” >> /etc/foreman/apache2.conf

    1. Self-Healing
    • Deploy monitoring alert integration (Prometheus + Alertmanager):
      • Rule example: TFTP service down or PXE boot failure rate > 5%.

    Ultimate Recommendations

    • Test First: All Puppet code/ templates should be validated in a non-production environment
    • Documentation as Code: Use Git to manage Kickstart templates and Puppet Manifest
    • Principle of Least Privilege: Foreman user roles should be assigned as needed (e.g., Viewer/Operator)
    • Regular Drills: Conduct a complete disaster recovery process every six months

    By following the above steps, a highly reliable automated operations and maintenance system can be built, achieving full lifecycle management from deployment to compliance.

    #Foreman#linux#automation deployment system

    Leave a Comment