1. Foreman Automation Deployment Steps
Environment Preparation
- System Requirements
- Server: CentOS 8/RHEL 8 (recommended), 4 cores CPU, 8GB RAM, 100GB disk
- Network: Static IP, DNS resolution, firewall open ports (80/443/8443/69)
bash
sudo firewall-cmd –permanent –add-port={80/tcp,443/tcp,8443/tcp,69/udp}
sudo firewall-cmd –reload
- Install Foreman
bash
# Add repository
sudo dnf install -y https://yum.theforeman.org/releases/3.5/el8/x86_64/foreman-release.rpm
# Install Foreman + Puppet (default configuration)
sudo dnf install -y foreman-installer
sudo foreman-installer –scenario foreman \
–enable-foreman-proxy \
–enable-foreman-plugin-remote-execution \
–enable-foreman-plugin-templates
- After installation, record the console URL and admin password (view in /etc/foreman-installer/scenarios.d/foreman-answers.yaml ).
2. Operating System Deployment Process
- Configure DHCP/TFTP/PXE
- In Foreman Web console (https://<foreman-ip>): configure:Infrastructure → Subnets → Select subnet → Edit
- Fill in DHCP range, gateway, DNS
- Enable TFTP and PXE
- Example: CentOS 8
- Name:CentOS 8.5
- Family:Red Hat
- Root password:Use encrypted (recommended)
bash
# Generate encrypted password (copy output to Foreman)
echo “mypassword” | openssl passwd -1 -stdin
- Create Provisioning TemplateHosts → Templates → New
- Type:Provisioning Template
- Associated Operating System: select CentOS 8.5
- Content example (Kickstart minimal version):
kickstart
lang en_US.UTF-8
keyboard us
timezone UTC
rootpw –iscrypted <%= root_pass %>
reboot
install
url –url <%= medium_uri %>
bootloader –location=mbr
zerombr
clearpart –all –initlabel
autopart
network –bootproto=dhcp –hostname=<%= host.name %>
auth –passalgo=sha512 –useshadow
selinux –enforcing
firewall –enabled
%post
/usr/sbin/subscription-manager register … # If subscribed
%end
- Define Host GroupConfigure → Host Groups → New
- Name:web-servers
- Operating System:CentOS 8.5
- Environment:production
- Puppet Classes: add basic security classes (e.g., ntp, selinux)
- Set the target server to boot from network (PXE)
- Foreman automatically detects and lists hosts → Click Provision
3. Daily Operations and Maintenance
- Host Lifecycle Management
- Batch Operations:
bash
# Reboot all web-servers group hosts via Hammer CLI
hammer host reboot –search ‘hostgroup = “web-servers”‘
- Status Monitoring: View in console Monitoring → Reports (Puppet run status, audit logs)
bash
# Remote execution for batch updates (requires remote-execution plugin)
hammer job-invocation create –job-template “Run Command – SSH Default” \
–search-query “hostgroup = web-servers” \
–inputs “command=yum update -y –security”
- Log Management
- Integrate ELK or Loki: Modify Puppet Manifest to add filebeat class to forward logs to central server.
4. Security Compliance Hardening
- Baseline Configuration (Enforced via Puppet)
puppet
# Example: Hardening SSH (manifests/secure_ssh.pp)
class secure_ssh {
file { ‘/etc/ssh/sshd_config’:
content => template(‘secure/sshd_config.erb’),
notify => Service[‘sshd’],
}
service { ‘sshd’: ensure => running, enable => true }
}
- Template sshd_config.erb Content:
conf
PermitRootLogin no
PasswordAuthentication no
Protocol 2
- Compliance Scanning (OpenSCAP Integration)
- In Foreman:Hosts → Policies → New OSCAP Policy
- Select profile:CIS CentOS 8 Benchmark
- Regularly scan and generate reports (Compliance → Reports)
- Synchronize security repositories:
bash
hammer repository synchronize –name=”CentOS 8 Security Updates” –product=”CentOS”
- Automated patching (create scheduled job template):
bash
hammer job-template create –name “Monthly Security Patch” \
–template “yum update -y –security” \
–cron-line “0 3 * * 6” # Every Saturday 3AM execution
5. Data Backup Strategy
- Foreman Metadata Backup
bash
# Daily full backup (including database, configuration, Puppet code)
sudo foreman-maintain backup offline –preserve-directory /backup/foreman-$(date +%F)
- Application Data Backup
- Use Rclone to sync to S3:
bash
rclone sync /var/lib/pulp s3:mybucket/foreman-pulp –copy-links
- Disaster Recovery Testing
bash
# Recovery drill (quarterly)
sudo foreman-maintain restore /backup/foreman-2025-01-01
6. Key Considerations
- Network Isolation
- PXE/DHCP services must run in a dedicated VLAN to avoid interference with the production network.
- Use Vault plugin to store encrypted passwords:
puppet
$db_password = vault_lookup(‘secret/db’, ‘password’)
- Audit and Compliance
- Enable Foreman audit logs (/var/log/foreman/audit.log), archive regularly.
- Configure Pulp (software repository) with SSD storage
- Adjust Passenger thread count:
bash
echo “PassengerMaxPoolSize 12” >> /etc/foreman/apache2.conf
- Self-Healing
- Deploy monitoring alert integration (Prometheus + Alertmanager):
- Rule example: TFTP service down or PXE boot failure rate > 5%.
Ultimate Recommendations
- Test First: All Puppet code/ templates should be validated in a non-production environment
- Documentation as Code: Use Git to manage Kickstart templates and Puppet Manifest
- Principle of Least Privilege: Foreman user roles should be assigned as needed (e.g., Viewer/Operator)
- Regular Drills: Conduct a complete disaster recovery process every six months
By following the above steps, a highly reliable automated operations and maintenance system can be built, achieving full lifecycle management from deployment to compliance.
#Foreman#linux#automation deployment system