Re: [foreman-users] limit host provisioning

2017-11-26 Thread Marek Hulán
Hello,

if by limit you mean something like there can exist only 5 hosts in this 
hostgroup, there's nothing like that in core AFAIK. If you use some compute 
resource, chance is limits/quotas can be set there. If you don't need hard 
limits and you simply want to prevent users from misusing resources, there's a 
plugin foreman expire hosts [1] that could help.

[1] https://github.com/theforeman/foreman_expire_hosts

--
Marek


On Monday, 27 November 2017 8:05:27 CET, Alejandro Cortina wrote:
> Hi mailing list,
> 
> I wonder if there is a way to limit host provisioning, for example
> assigning this limit to a hostgroup
> 
> Cheers,


-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Re: [foreman-users] Feedback wanted - migrate mailing lists to a forum?

2017-11-22 Thread Marek Hulán
On Wednesday, 22 November 2017 11:59:16 CET, Greg Sutcliffe wrote:
> Heya!
> 
> Answers in-line, but I wanted to put a quick summary here for folks in a
> hurry. Most, if not all, of these questions are *technical* in nature -
> they are things we can alter, either by existing settings, or by
> altering the Discourse code. I see this as similar to our Redmine
> instance - we've taken a FOSS tool and customized it to our needs, both
> via code changes and plugins.
> 
> More generally, though, your post reads as a direct comparison to a
> mailing list, and as I said in my opening post, I don't think a mailing
> list is right for us anymore.
> 
> I'm not trying to mislead on this point. The mailing list mode that
> Discourse offers *is* different, yes, so a direct comparison is likely
> to find flaws. The real question is whether the *other* things it does
> are worth the cost. I know (from our chat on the dev list) that you
> don't agree with my conclusions about our needs as a community, so we're
> going to end up differing on whether it's worthwhile.
> 
> If we migrate, then some "getting used to" is going to be needed, for
> sure. A balance of tweaks vs change-acceptance will no doubt be found,
> some of which I expect to be altered *after* we migrate. We don't have
> to set *everything* in stone on day 1 (and that flexibility is one of
> the things I like). Some things may be possible to do per-user, which is
> even better (again, flexibility to interact with the community as each
> user wants to).
> 
> OK, specific answers:
> 
> On 21/11/17 15:09, Lukas Zapletal wrote:
> > 1) Edits are not propagated to e-mail only users, I edited a post
> > and never got an e-mail about this.
> > 
> > 5) Email response is slow, I know there is some polling, but this is
> > simply limiting and web users are in advantage as they see the
> > content earlier.
> 
> There is no polling now, that was temporary. Inbound email is instantly
> visible in the UI.
> 
> Outbound email is delayed 5 min so that people have a chance to spot
> typos, missed links etc in their posts (in the UI ofc) before the emails
> are sent. I really don't think 5 minutes is a big deal, a quick scan of
> our lists suggests average response time is Order(hours) - to claim it's
> a disadvantage seems a bit of a jump. It seems an acceptable tradeoff to
> allow posts to be correct when sent in the first place, cutting down
> on "oops, forgot the link" style followups.
> 
> As for editing, there is a limit on the length of time you can edit your
> posts, currently that seems to default to 60 days (seems too high to me,
> for sure). I guess we could set it to the same 5 mins as above, so that
> no editing can be done after mails are sent, if this is a significant
> concern for people.

Yes please, editing feature feels odd to me. When you read the thread later, 
it can be very confusing. Especially if we don't get email notifications about 
the edit.

> 
> > 2) It seems you can't reply to yourself via email, this often
> > happens if you need to correct yourself.
> 
> This needs some context for those following along, and it's actually a
> security thing.
> 
> This only happens when you reply to yourself by hitting "Reply" to the
> mail in your Sent folder. In this case you'll be sending a second mail
> to "someth...@community.theforeman.org" instead of
> "reply+{token}@community.theforeman.org", which by default will create a
> new thread.
> 
> I say "by default" because there *is* a setting to allow this, but the
> consequence is that it then allows sender-spoofing to occur. Discourse
> sends a different reply token to every user, so your reply-to address is
> different to mine even for the same post, and Discourse requires the
> "From" header to match the token. Unless you have my token, you can't
> spoof-post things pretending to be me. We can disable this, but that
> means sender spoofing is then possible. Details at [1].
> 
> So, we could enable this setting, but there are also other workarounds -
> enabling "Send me my own posts" in mailing list mode will mean you have
> something to reply to with a token (albeit after 5 minutes), and
> moderators can also merge split threads back together in the UI. As
> such, I'm inclined to leave it as it is, but we can flip that setting if
> it becomes a problem.
> 
> > 3) All emails contain huge button to visit the thread
> 
> I see you're already asking about this upstream :)
> 
> Templates are editable, yes. That said, they seem fine in my client [2],
> pretty much the same 3 lines Google Groups adds. Would love to see what
> other plaintext readers get.
> 
> > 4) Does not support text/plain emails,
> 
> Again [2], plaintext in Thunderbird seems OK here.
> 
> The plaintext version is the raw markdown from the post, which has
> some quirks, admittedly - I've opened [3] to discuss options there - but
> largely I've been getting nice emails from it. Could be MUA specific (I
> am reminded of the 
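
Added example (not part of the original messages and not Discourse's own code): a minimal Ruby model of the per-recipient reply token described in the quoted answer to point 2, showing why a reply sent without a token starts a new thread by default and what changes when tokenless mail is threaded anyway. The class, method and option names are hypothetical, the addresses are constructed, and matching tokenless mail by In-Reply-To is an assumption made for illustration.

```ruby
require "securerandom"

# Added sketch, not Discourse's implementation. InboundReplyRouter,
# notify, route and thread_without_token are hypothetical names.
class InboundReplyRouter
  Result = Struct.new(:action, :post_id, :author)

  def initialize(domain:, thread_without_token: false)
    @domain = domain
    @thread_without_token = thread_without_token
    @tokens = {}      # token => { user:, post_id: }
    @message_ids = {} # outbound Message-ID => post_id
  end

  # Called when a notification goes out. Every recipient of the same post
  # gets a different random token in their Reply-To address.
  def notify(user, post_id)
    token = SecureRandom.hex(16)
    @tokens[token] = { user: user.downcase, post_id: post_id }
    message_id = "<post-#{post_id}-#{SecureRandom.hex(4)}@#{@domain}>"
    @message_ids[message_id] = post_id
    { reply_to: "reply+#{token}@#{@domain}", message_id: message_id }
  end

  # Decide what to do with an inbound mail.
  def route(from:, to:, in_reply_to: nil)
    sender = from.downcase
    local, domain = to.downcase.split("@", 2)
    return Result.new(:reject) unless domain == @domain

    if (token = local[/\Areply\+(\h{32})\z/, 1])
      entry = @tokens[token]
      # The From header must belong to the user the token was issued to.
      return Result.new(:reject) unless entry && entry[:user] == sender
      return Result.new(:reply, entry[:post_id], sender)
    end

    # No token: the mail went to the plain list address.
    post_id = @message_ids[in_reply_to]
    if @thread_without_token && post_id
      # Assumed relaxed mode: nothing but the From header identifies the
      # author here, and that header is chosen by whoever sent the mail.
      return Result.new(:reply, post_id, sender)
    end
    Result.new(:new_topic) # default: tokenless mail never joins a thread
  end
end

# Runs the same constructed mails through a strict and a relaxed router.
def demo
  out = {}
  { strict: false, relaxed: true }.each do |name, relaxed|
    r = InboundReplyRouter.new(domain: "forum.example",
                               thread_without_token: relaxed)
    alice = r.notify("alice@example.org", 42)
    bob   = r.notify("bob@example.org", 42)
    out[name] = {
      distinct_tokens: alice[:reply_to] != bob[:reply_to],
      own_token: r.route(from: "alice@example.org",
                         to: alice[:reply_to]).action,
      wrong_sender: r.route(from: "bob@example.org",
                            to: alice[:reply_to]).action,
      # Alice hits "Reply" on the copy in her Sent folder: no token.
      sent_folder: r.route(from: "alice@example.org",
                           to: "users@forum.example",
                           in_reply_to: alice[:message_id]),
      # Same From header, but threaded on the copy Bob received: the
      # router cannot tell this apart from the Sent-folder case above.
      claimed_from: r.route(from: "alice@example.org",
                            to: "users@forum.example",
                            in_reply_to: bob[:message_id])
    }
  end
  out
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In the strict router the Sent-folder reply becomes a new topic that a moderator can merge back; in the relaxed router it threads correctly, and so does any mail carrying the same From header.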

Re: [foreman-users] Foreman n00b having startup issues

2017-11-14 Thread Marek Hulán
Hello,

I have no idea how the foreman was installed but chances are you are using rpm 
based installation. In that case, if you install foreman_memcache, make sure 
you install it into SCL.

scl enable tfm bash
gem list
# if you don't see foreman_memcache there try following
gem install foreman_memcache
exit

also based on your Foreman version, the SCL might not be tfm, in that case 
(Foreman 1.9 and older) try ruby193 so the first command would be
scl enable ruby193 bash

Hope that helps

--
Marek

On Tuesday, 14 November 2017 2:09:44 CET Spencer Da Monkey wrote:
> Hi folks!
> 
> I'm a relative new foreman user (from an administrative standpoint, at
> least), and I've inherited a bit of an issue.
> 
> I've got an instance of foreman running on a rhel 6 ec2 instance, and,
> after some upgrades were done to the instance (specifically, mysql was
> upgraded from 5.6.37 to 5.6.38), my instance has stopped starting.
> 
> One of my co-workers spent a few days on this before handing it over to
> me, and I've spent a few days beating on this as well, to no avail.
> 
> When I attempt to start it up, I get the following error:
> 
> Starting foreman:
> /opt/theforeman/tfm/root/usr/share/gems/gems/bundler_ext-0.3.0/lib/bundler_e
> xt/bundler_ext.rb:30:in `strict_error': Gem loading error: cannot load such
> file --
> foreman_memcache (RuntimeError)
> from
> /opt/theforeman/tfm/root/usr/share/gems/gems/bundler_ext-0.3.0/lib/bundler_e
> xt/bundler_ext.rb:56:in `rescue in block in system_require'
> from
> /opt/theforeman/tfm/root/usr/share/gems/gems/bundler_ext-0.3.0/lib/bundler_e
> xt/bundler_ext.rb:37:in `block in system_require'
> from
> /opt/theforeman/tfm/root/usr/share/gems/gems/bundler_ext-0.3.0/lib/bundler_e
> xt/bundler_ext.rb:35:in `each'
> from
> /opt/theforeman/tfm/root/usr/share/gems/gems/bundler_ext-0.3.0/lib/bundler_e
> xt/bundler_ext.rb:35:in `system_require'
> from /usr/share/foreman/config/application.rb:16:in ` (required)>'
> from
> /opt/rh/rh-ruby22/root/usr/share/rubygems/rubygems/core_ext/kernel_require.r
> b:54:in `require'
> from
> /opt/rh/rh-ruby22/root/usr/share/rubygems/rubygems/core_ext/kernel_require.r
> b:54:in `require'
> from
> /opt/rh/sclo-ror42/root/usr/share/gems/gems/railties-4.2.5.1/lib/rails/comma
> nds/commands_tasks.rb:78:in `block in server'
> from
> /opt/rh/sclo-ror42/root/usr/share/gems/gems/railties-4.2.5.1/lib/rails/comma
> nds/commands_tasks.rb:75:in `tap'
> from
> /opt/rh/sclo-ror42/root/usr/share/gems/gems/railties-4.2.5.1/lib/rails/comma
> nds/commands_tasks.rb:75:in `server'
> from
> /opt/rh/sclo-ror42/root/usr/share/gems/gems/railties-4.2.5.1/lib/rails/comma
> nds/commands_tasks.rb:39:in `run_command!'
> from
> /opt/rh/sclo-ror42/root/usr/share/gems/gems/railties-4.2.5.1/lib/rails/comma
> nds.rb:17:in `'
> from
> /opt/rh/rh-ruby22/root/usr/share/rubygems/rubygems/core_ext/kernel_require.r
> b:128:in `require'
> from
> /opt/rh/rh-ruby22/root/usr/share/rubygems/rubygems/core_ext/kernel_require.r
> b:128:in `rescue in require'
> from
> /opt/rh/rh-ruby22/root/usr/share/rubygems/rubygems/core_ext/kernel_require.r
> b:39:in `require'
> from /usr/share/foreman/bin/rails:4:in `'
>[FAILED]
> 
> 
> I've verified that foreman_memcache is installed and accessible, though I
> fear that it may be showing as accessible to me, but not the foreman
> application itself.
> 
> The specific instance details are as follows:
> 
>        OS: redhat
>   RELEASE: Red Hat Enterprise Linux Server release 6.9 (Santiago)
>   FOREMAN: 1.12.4
>      RUBY: ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
>    PUPPET: 3.8.7
>   DENIALS: 0
> 
> 
> I'm painfully aware that the ruby, foreman, and puppet versions are horribly
> out of date, but, due to circumstances beyond my control, I'm unable to
> change them currently.
> 
> Anyone have any ideas what could be done to potentially fix this beast?
> Wouldn't be as much of an issue if it weren't blocking deployment of a
> newer version/instance of it as well...
> 
> Thanks in advance!




Re: [foreman-users] Re: 1.16RC2 and AD LDAP

2017-11-07 Thread Marek Hulán
On Tuesday, 7 November 2017 17:16:19 CET mevans@gmail.com wrote:
> Thanks for doing the legwork on this. I was pulling my hair out all morning
> because I decided to tackle AD LDAP auth with our 1.16-RC2 deployment.
> 
> Is there any way to fix this manually until RC3 is released? I tried adding
> 'true' in auth_source_ldap.rb
>  1d2be7093a1a9e30> but the behavior seems to be the same.
> 
> On Wednesday, November 1, 2017 at 11:03:58 AM UTC-4, Roger Martensson wrote:
> > Hi!
> > 
> > I seem not to be able to add an AD-Auth in 1.16RC2.
> > I found this pull: https://github.com/theforeman/foreman/pull/4885
> > 
> > That may solve my problem but it doesn't seem to be part of RC2(?). Could
> > this be included in RC3?

This was not cherry-picked to 1.16 yet, you can follow [1] to see what version 
it lands in.

[1] http://projects.theforeman.org/issues/21300

Hope it helps

--
Marek



Re: [foreman-users] AD/LDAP group authentication?

2017-10-27 Thread Marek Hulán
On Friday, 6 October 2017 22:27:46 CEST Charlie Baum wrote:
> Pretty new to Foreman and standing up our first POC of the product.
> 
> Can someone verify/shoot down a question I have?  Does Foreman not support
> AD group authentication?  In other words, can you authenticate to the
> Foreman UI without being setup as a local Foreman user first?  I am playing
> around with AD stuff in there and got my AD account setup for access just
> fine.  I created a user group linked to an external AD account but unless I
> setup the user locally in Foreman, a member of that AD group could not
> login to Foreman.  Is this by design or am I overlooking something?  Thanks
> folks!
> 
> CB

Hello, yes, this is entirely possible. Just setup LDAP auth source. Double 
check you have "Automatically create accounts in Foreman" checkbox enabled for 
this auth source (it's under Account tab)

Hope this helps

--
Marek



Re: [foreman-users] rake aborted! foreman-rake db:seed

2017-10-20 Thread Marek Hulán
> > https://theforeman.org/manuals/1.15/index.html#Upgradewarnings
> 
> This has to do with my issue?

Yes, that's "the cause" but it's an issue of foreman_salt plugin that needs to 
be fixed.

--
Marek

On Friday, 20 October 2017 16:34:24 CEST Sam Amara wrote:
> Hi,
> 
> I have just found this:
> 
> 
> Upgrade warnings
> 
> >- CVE-2016-8634 is fixed on this version. This means
> >users not in any organization or location will not be able to see
> >anything unless they are administrators.
> >- Roles ‘Manager’ and ‘Viewer’ used to only have permissions related to
> >Foreman itself but no permissions related to Foreman plugins. This
> >decision was taken because users found confusing that “Viewer” or
> >“Manager” roles would not contain all permissions.
> > 
> > https://theforeman.org/manuals/1.15/index.html#Upgradewarnings
> 
> This has to do with my issue?
> 
> On Friday, 20 October 2017 14:31:38 UTC+2, Sam Amara wrote:
> > Hi,
> > 
> > I am bad in RubyonRails :(
> > How can I add permissions to an existing role? I'm blocked to continue
> > foreman installation.
> > 
> > Thank you.
> > 
> > On Wednesday, 18 October 2017 08:44:25 UTC+2, Ondrej Prazak wrote:
> >> Hi,
> >> the seeds from foreman_salt in:
> >> 
> >> /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_salt-8.0.2/db/seeds.d/75-salt_seeds.rb
> >> 
> >> try to add permissions from foreman_salt to an existing role [1] which is
> >> locked. A small patch for foreman_salt will be needed to fix this, I
> >> already created a ticket [2]. Without foreman_salt, the seeds should
> >> pass.
> >> 
> >> Hope this helps,
> >> Ondrej Prazak
> >> 
> >> [1] https://github.com/theforeman/foreman_salt/blob/8.0.2/db/seeds.d/75-salt_seeds.rb#L5-L10
> >> [2] http://projects.theforeman.org/issues/21372
> >> 
> >> On Wed, Oct 18, 2017 at 1:11 AM, Michael Hurn wrote:
> >>> Two things that may help until an expert can give some input
> >>> 
> >>> I recommend always using FQDNs for the host and server names. It’s ok
> >>> if you do not have DNS just add the entries to the local hosts file
> >>> 
> >>> Also did you set up the foreman account in Postgres? When you use an
> >>> external db the user account and access permissions need to be in place.
> >>> 
> >>> Regards, Mike.
> >>> 




Re: [foreman-users] Deleted host via api, how to re-add?

2017-10-20 Thread Marek Hulán
On Thursday, 19 October 2017 20:12:43 CEST gav...@nvidia.com wrote:
> Normally when I provision a server, when puppet runs the host is
> automatically added to Foreman.  I recently worked on a de-provision
> process and tested uses the api to delete a host.  Afterwards on a
> re-provision of the host I deleted, it is not being added to Foreman.  Can
> someone point me in the right direction?  There is a step I am missing so
> that will get that re-provisioned host back into Foreman.

Hello,

double check the puppet ca, if it still has the old certificate for the new host, 
the puppet bootstrap will fail since it tries to create a new one with the same 
FQDN. Normally it should work fine but it depends on how exactly you did the 
de-provisioning. The cert should be revoked supposing the host was assigned to the 
puppet ca while being deleted.

If that's not the case, it would be good to check provisioning logs or try 
running manually on the newly provisioned host that does not appear to see why 
the initial puppet run fails.

Hope this helps

--
Marek



Re: [foreman-users] Foreman 1.15.1 error rendering the Kickstart default template (subnet6 issue)

2017-10-10 Thread Marek Hulán
Hello

Based on the error message, it seems that @interface is nil for some reason. 
OTOH I don't understand why it wouldn't fail on @interface.ip few lines above.

Sorry, no more ideas

--
Marek

On Monday, 9 October 2017 17:16:23 CEST Mike Wilson wrote:
> On Monday, October 9, 2017 at 4:01:16 AM UTC-5, Marek Hulán wrote:
> > Hello,
> > 
> > it looks like http://projects.theforeman.org/issues/14664 which was fixed
> > in
> > 1.13, subnet6 is among allowed attributes. The error message might be
> > misleading, double check the host interfaces. You can debug the snippet
> > using
> > the preview button when editing the template.
> 
> So I did run a preview on various hosts and it failed on all of them. The
> output wasn't helpful other than to say it failed. Not why it failed. The
> errors in the log look the similar as well.
> 
> 2017-10-09 15:12:44 6d0e1450 [templates] [I] Rendering template
> 'kickstart_ifcfg_generic_interface'
> 2017-10-09 15:12:44 6d0e1450 [app] [W] Error rendering the
> kickstart_ifcfg_generic_interface template
> 
>  | Safemode::NoMethodError: undefined method '#ip6' for NilClass::Jail
> 
> (NilClass)
> 
> /opt/theforeman/tfm/root/usr/share/gems/gems/safemode-1.3.1/lib/safemode/jai
> l.rb:22:in `method_missing'
> 
>  | kickstart_ifcfg_generic_interface:71:in `bind'
> 
>  Also, you mentioned 1.13, we're running 1.15.1.
> 
> Here is the snippet we have currently.
> 
> <%#
> name: kickstart_ifcfg_generic_interface
> snippet: true
> model: ProvisioningTemplate
> kind: snippet
> -%>
> BOOTPROTO="<%= @dhcp ? 'dhcp' : 'none' -%>"
> <%- unless @dhcp || @subnet.nil? -%>
> <%-   if @interface.ip.present? -%>
> <%= "IPADDR=\"#{@interface.ip}\"" %>
> <%= "NETMASK=\"#{@subnet.mask}\"" %>
> <%- if @subnet.gateway.present? -%>
> <%=   "GATEWAY=\"#{@subnet.gateway}\"" %>
> <%- end -%>
> <%-   end -%>
> <%- end -%>
> <%- if @interface.ip6.present? -%>
> <%=   "IPV6INIT=yes" %>
> <%=   "IPV6_AUTOCONF=no" %>
> <%=   "IPV6ADDR=#{@interface.ip6}" %>
> <%-   if !@subnet6.nil? && @subnet6.gateway.present? -%>
> <%= "IPV6_DEFAULTGW=#{@subnet6.gateway}" %><%= '%$real' if
> subnet6.gateway.match(/^fe80:/) %>
> <%-   end -%>
> <%=   "IPV6_PEERDNS=no" %>
> <%- end -%>
> DEVICE=$real
> <%- unless @interface.virtual? -%>
> <%=   "HWADDR=\"#{@interface.mac}\"" %>
> <%- end -%>
> ONBOOT=yes
> <%- primary = @interface.primary ? 'yes' : 'no' -%>
> PEERDNS=<%= primary %>
> PEERROUTES=<%= primary %>
> DEFROUTE=<%= primary %>
> <%- if @interface.primary -%>
> <%-   if !@dhcp && @subnet && @subnet.dns_primary.present? -%>
> <%= "DNS1=\"#{@subnet.dns_primary}\"" %>
> <%- if @subnet.dns_secondary.present? -%>
> <%=   "DNS2=\"#{@subnet.dns_secondary}\"" %>
> <%- end -%>
> <%-   end -%>
> <%- end -%>
> <%- if @interface.virtual? && ((!@subnet.nil? && @subnet.has_vlanid?) ||
> @interface.vlanid.present?) -%>
> <%=   "VLAN=yes" %>
> <%- elsif @interface.virtual? && !@subnet.nil? && !@subnet.has_vlanid? &&
> @interface.identifier.include?(':') -%>
> <%=   "TYPE=Alias" %>
> <%- end -%>




Re: [foreman-users] Assign user groups to organizations?

2017-10-09 Thread Marek Hulán
On Saturday, 7 October 2017 3:08:45 CEST Charlie Baum wrote:
> Trying to see if Foreman can handle a multi-tenancy model and I believe it
> can or its close except I can't see/find where to associate a user group
> with an organization.  Under the organization menu, there is only Users,
> not User Groups.  Am I missing somewhere to do that?

You're right. While it makes sense to introduce Orgs and Locs to user groups, 
it's not that trivial. Since user group can have roles, what would happen if 
user is assigned in org A but he belongs to user group which is assigned to 
org A and B? Let's say the user group role contains permissions to view 
domains.

Should user be able to see domains only from org A or also from org B? Should 
users from org B with view users permission see this user? Should they see him 
when they edit this user group? Should nested user groups inherit orgs/locs?

The simplest way to implement it that I see is just inheriting roles from all 
user groups, not inheriting any org/loc. Org assigned to user group would only 
be used to hide them from other orgs. No org/loc inheritance in user groups 
nesting. We'd need to add validations so all user groups of user are at least 
in one shared organization and location. The same validation should be there 
when setting parent user group.

I think it's definitely worth raising an RFE issue in our redmine

--
Marek



Re: [foreman-users] Re: Templates

2017-09-26 Thread Marek Hulán
Hello Ido,

no it's not what locked means. When a template is locked, it can't be edited by 
users. Users need to unlock it first, which gives them a warning that the 
template content can be overridden.

Hope that helps

--
Marek

On Tuesday, 26 September 2017 16:08:03 CEST Ido Kaplan wrote:
> Hi Marek,
> 
> Thank you for the follow up.
> Let me please try to make sure that I understand.
> If a template is locked, does it mean that no updates will happen to the
> template on any trigger (upgrade, foreman-installer, etc.) that will occur?
> 
> Thanks!
> Ido
> 
> On Tuesday, September 26, 2017 at 9:35:32 AM UTC+3, Ido Kaplan wrote:
> > Hi,
> > 
> > It looks like that sometimes provisioning templates are restored to
> > default.
> > 
> > I think that it happens when I click "Build PXE Default".
> > Is it by design?
> > 
> > Thanks!
> > Ido




Re: [foreman-users] Templates

2017-09-26 Thread Marek Hulán
In fact anything that triggers foreman-rake db:seed changes the default 
template content (Foreman 1.14+). That can be a run of foreman-installer, 
installing a plugin or manual trigger. These changes are not audited IIRC. If 
you need to adjust template that is shipped by default, it is a good idea to 
clone it first. Note that you'd miss all future updates and it's up to you to 
keep it up to date. Default templates should be locked since 1.15.

--
Marek

On Tuesday, 26 September 2017 13:24:21 CEST Greg Sutcliffe wrote:
> On Tue, 2017-09-26 at 13:51 +0300, Ido Kaplan wrote:
> > Hi Greg,
> > 
> > I mean about contents of the templates in Foreman, for example -
> > "Kickstart default.rb"?
> 
> Those should not be altered by that button, no. The only time the
> default templates would be updated would be during a version upgrade of
> Foreman.
> 
> Changes to templates are audited, so you should be able to see the
> history of changes, so that's worth looking at to see what might have
> made the changes. Also, if you can reproduce it reliably, we can try
> and see if we see the same behaviour
> 
> Greg




Re: [foreman-users] Help with Foreman's external authentication with FreeIPA. (Kerberos)

2017-09-11 Thread Marek Hulán
Hello,

I think all you need to do is documented at 
https://theforeman.org/manuals/1.15/#5.7.1ConfigurationviaForemaninstaller, as 
long as the host is FreeIPA enrolled, you just create a service for it and run 
installer with --foreman-ipa-authentication=true

You seem to be using an old version of the manual, if you're running Foreman 1.6, I'd 
recommend updating first.

Hope this helps

--
Marek

On Wednesday, 23 August 2017 15:08:57 CEST VladF wrote:
> Hi,
> I am trying  to make external authentication via kerberos SSO on foreman
> server.  I use this tutorial
> - https://theforeman.org/manuals/1.6/#5.7ExternalAuthentication
> Foreman server is freeipa enrolled. I've made a service
> HTTP/foreman.test.com on freeipa and do that on foreman server:
> 
> kinit admin
> ipa-getkeytab -s MY IPA SERVER fqdn -k /etc/http.keytab -p HTTP/foreman.test.com
> chown apache /etc/http.keytab
> chmod 600 /etc/http.keytab
> 
> 
> 
> but when I try to access foreman.test.com I see the error Kerberos
> authentication did not pass.
> 
> klist on my foreman server:
> 
> [root@foreman ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_Sab2PVh
> Default principal: HTTPS/foreman.test@centos-25.test.com
> 
> 
> Valid starting   Expires  Service principal
> 08/23/2017 08:50:29  08/24/2017 08:50:29  krbtgt/CENTOS-25.TEST.COM@CENTOS-
> 25.TEST.COM
> 
> I've installed modules mod_auth_kerb mod_authnz_pam and edited my
> /etc/httpd/conf.d/auth_kerb.conf.
> 
> # add to /etc/httpd/conf.d/auth_kerb.conf
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate On
> KrbMethodK5Passwd Off
> KrbAuthRealms EXAMPLE.COM
> Krb5KeyTab /etc/http.keytab
> KrbLocalUserMapping On
> # require valid-user
> require pam-account foreman-prod
> ErrorDocument 401 'Kerberos authentication did not pass.'
> # The following is needed as a workaround for
> # https://bugzilla.redhat.com/show_bug.cgi?id=1020087
> ErrorDocument 500 'Kerberos authentication did not pass.'
> 
> What am I doing wrong? How can I debug this problem?




Re: [foreman-users] [event] UX proposals, provisioning wizards - 30th Aug (tomorrow) 2pm UK

2017-08-31 Thread Marek Hulán
On Wednesday, 30 August 2017 18:53:38 CEST Tom McKay wrote:
> Provisioning flow looks great!
> 
> I understand the idea of "wizard that then lands on existing host page" but
> I'd not want to see that in production. If the wizard were using the API
> instead of the host form, would the existing host page ever be needed
> (except as an emergency backup for when things go sideways)?

Thanks for the feedback. As mentioned during the demo, the wizard might not 
contain all of the fields that current host form has, e.g. configuration 
management. Also the wizard helps to set up all things required for the 
provisioning but after the first or more run-throughs, all should be set and ready. 
In such case, it might be easier for skilled users to just use host group and 
compute profile to prefill everything.

A midstep is adding "Provision now" and "Further customize" buttons at the end 
of wizard. Later, if we get positive feedback from users and 100% of them will 
use provisioning wizard and the existing host form will be extra unnecessary 
step, I can imagine removing it completely. 

--
Marek

> 
> On Tue, Aug 29, 2017 at 9:51 AM, Greg Sutcliffe wrote:
> > Hi all,
> > 
> > Apologies for not sending this out sooner, I really thought I had...
> > 
> > Tomorrow we're having the first in what we hope will be quite a few UX
> > demos - the plan is to quickly review an area of the UI that needs help
> > and what its problems are, and then detail a potential way to improve
> > it. This mirrors what we did recently for the vertical navigation
> > proposals.
> > 
> > Since this is user-facing, we'd like the community to feedback on the
> > proposals, so we're doing this as a live stream (same as the demos) and
> > you're welcome to watch live (or watch the recording after) and put
> > your thoughts on this thread. I'll be sure to post a summary of the
> > discussion as well.
> > 
> > We're looking forward to your feedback! Here's the URL for the stream
> > tomorrow:
> > 
> > https://www.youtube.com/watch?v=ZvcAbIuwXsQ
> > 
> > Greg
> > 


-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Re: [foreman-users] Re: Foreman OpenSCAP problems

2017-08-28 Thread Marek Hulán
Hello,

parameters should be automatically set when you assign the policy to the
hostgroup in the last step of the wizard. It should override puppet parameters on
it. If you didn't assign any hostgroup to the policy, you'd need to do it
manually.

Hope this helps

--
Marek

On čtvrtek 24. srpna 2017 15:51:25 CEST Diggy wrote:
> Hi, Marek.
> 
> Thanks for your reply.  After doing the basic OpenSCAP setup, I created a
> group (e.g. CentOS 6 Servers), and add a host to it.  Then, I created an
> OpenSCAP policy to use Scap Content=Red Hat centos6 default content (which
> does appear on the SCAP Content page in Foreman), and XCCDF
> profile=Upstream STIG for Red Hat Enterprise 6 Linux Server.  So far, so
> good, I think.  And, you're probably right, I don't have the parameters set
> for the host.  But, I'm not sure how to do that.  If you, or anyone else on
> the list would be kind enough to tell me how, I'd appreciate it.
> 
> Diggy
> 
> On Wednesday, August 23, 2017 at 3:31:48 PM UTC-4, Diggy wrote:
> > Hello, all.
> > 
> > I'm running the latest version of Foreman, and would like to extend its
> > capabilities by enabling OpenSCAP.  As per the Foreman OpenSCAP Manual,
> > I've installed foreman_openscap, smart_proxy_openscap, and
> > puppet-foreman_openscap_client, and can see OpenSCAP-related controls in
> > my
> > Foreman instance.  However, when the foreman_scap_client class is added
> > to a host that I've added to an OpenScap policy, not only doesn't Foreman
> > OpenSCap not work on that host, but Puppet on that host stops working
> > altogether.  Here's the relevant output from running "puppet agent --test"
> > on the host:
> > 
> > Error: Could not retrieve catalog from remote server: Error 500 on SERVER:
> > {"message":"Server Error: Evaluation Error: Error while evaluating a
> > Resource Statement, Evaluation Error: Error while evaluating a Function
> > Call, Failed to parse inline template: undefined local variable or method
> > `policies_array' for # at
> > /etc/puppetlabs/code/environments/production/modules/foreman_scap_client/m
> > anifests/init.pp:42:20 on node
> > agrega2.netatlantic.com","issue_kind":"RUNTIME_ERROR","stacktrace":["Warn
> > ing: The 'stacktrace' property is deprecated and will be removed in a
> > future version of Puppet. For security reasons, stacktraces are not
> > returned with Puppet HTTP Error responses."]}
> > Warning: Not using cache on failed catalog
> > Error: Could not retrieve catalog; skipping run
> > 
> > Firstly, can anyone tell me why this error is occurring?  Secondly, can
> > anyone help me with (explicit) steps needed to make Foreman OpenSCAP work?
> > 
> > Your help would be greatly appreciated.
> > 
> > Diggy




Re: [foreman-users] foreman + ansible integration not working properly + no facts+ not able to execute role in dashboard

2017-08-04 Thread Marek Hulán
Hello,

for the facts upload I think I found the fix. You will need to modify the 
callback script, try applying this patch [1]. It seems that in some cases, 
there's no setup module, so we also check ansible_facts being present.

[1] https://github.com/theforeman/foreman_ansible/pull/96/files

Hope this helps

--
Marek

On čtvrtek 3. srpna 2017 11:19:40 CEST shyam sundar Keshari wrote:
> Hi friends:
> 
> I am trying to integrate Foreman with Ansible but not able to make it
> working :
> 
> Version details :
> 
> Ansible :  -->>  ansible 2.3.1.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>   python version = 2.7.5 (default, Nov  6 2016, 00:28:07) [GCC 4.8.5
> 20150623 (Red Hat 4.8.5-11)]
> 
> foreman dashboard version : 1.15.2
> 
> I have followed the official URL to integrate Foreman with Ansible.
> 
> But I am not able to make it work.
> 
> Issue:
> 
> 1. NO facts coming
> 2. When I set password in Foreman for root user in Ansible tab, and then
> able to execute playbook in role.
> 
> 
> Kindly update what are more changes I need to make at ansible and foreman
> end to make it work.
> 
> If anyone done this, it will be great you like to share it.
> 
> Thanks in Advance:




Re: [foreman-users] Location Permissions issues

2017-07-31 Thread Marek Hulán
I think you're hitting [1], the fix is in review [2].

[1] http://projects.theforeman.org/issues/6150/
[2] https://github.com/theforeman/foreman/pull/4111

Hope this helps

--
Marek

On pondělí 24. července 2017 20:18:53 CEST Tim Rosine wrote:
> I am having issues dealing with locations/organizations and permissions.
> 
> I am currently using foreman 1.13.4.
> 
> My test user is not an administrator.
> My test user belongs to a single role with "view_locations" as its only
> filter.
> The role has all locations and organizations associated to it.
> When I create a new location, under "Users", I check the "All Users"
> checkbox. (All of our locations have this as well.)
> My test user cannot see this new location (tested via curl
> /api/v2/locations).
> 
> It seems the only way I can get this user to view the location is by
> manually adding the user to the location within the user administration
> page. Is this expected? What is the purpose of the "All Users" checkbox,
> then?
> 
> Note, this is just a simplified version of my problem - what I'm really
> trying to do is to grant users the ability to create discovery rules (but
> not restrict them by location), but the lack of visibility into locations
> is causing problems.




Re: [foreman-users] Re: Multi organizations setups and conflicting puppet modules

2017-03-05 Thread Marek Hulán
Thanks for the answer, definitely worth investigating. I suppose in this case 
where you put shared modules into ignored common env, you can't have two 
different versions of the same module for each org. Or did I miss something? 
Anyway it's a good start.

--
Marek

On středa 1. března 2017 13:59:56 CET Sean A wrote:
> Hi,
> 
> We have a similar problem.  There was a post by me a while back which
> discussed this.  Basically, Foreman assumes an environment has a set of
> classes, regardless of what puppet master that environment exists in.  So
> to solve this for us, we are deploying environments specific to puppet
> masters by organization.
> 
> In your example, with ORGA and ORGB, we would have environments named
> orgaprod, orgadev, orgbprod, orgbdev, and the "common" module directory
> that foreman deploys as an environment set to be ignored by foreman but
> still in the modulepath.  We deploy enterprise level modules to the common
> module dir, then let the org's admins manage their org specific
> environments.
> 
> I can't say it works great just yet, because we are trying to fit this into
> an existing environment.  It has worked very well in clean test labs where
> nothing pre-existing was setup.
> 
> On Wednesday, March 1, 2017 at 9:56:23 AM UTC-5, Marek Hulán wrote:
> > Hello Foreman users,
> > 
> > I wonder how people using multiple organizations in Foreman manage their
> > puppet modules. Let's assume I have two organizations A and B and I want
> > them to be isolated as much as possible. Since puppet environments can be
> > scoped to organization, we can have separate environments for each
> > organization. Well, as long as they have unique name, since the validation
> > prevents to have two environments with the same name even if they are in
> > different organizations.
> > 
> > But the bigger issue seems to be how puppet classes should work, since
> > they are not scoped to organizations. When user in organization B tries to
> > import the class with the same name that users from organization A already
> > imported, it fails saying the name has already been taken. In theory the
> > organization should be clear from environment but what if I have two
> > separate environments for organizations and they want to use same puppet
> > module? And what if their puppet modules have different versions so the
> > smart class parameters differs?
> > 
> > And does using katello content views with puppet modules helps in this
> > case? It creates different puppet environment for each content view
> > version but is there the same problem for puppet class name collision?
> > 
> > Is there some workflow I'm missing? If you have such use case but you
> > (same as me) can't solve it with Foreman, how would you change Foreman so
> > it fulfills your needs?
> > 
> > Thanks for any suggestions




[foreman-users] Multi organizations setups and conflicting puppet modules

2017-03-01 Thread Marek Hulán
Hello Foreman users,

I wonder how people using multiple organizations in Foreman manage their 
puppet modules. Let's assume I have two organizations A and B and I want them 
to be isolated as much as possible. Since puppet environments can be scoped to 
organization, we can have separate environments for each organization. Well, 
as long as they have unique name, since the validation prevents to have two 
environments with the same name even if they are in different organizations.

But the bigger issue seems to be how puppet classes should work, since they
are not scoped to organizations. When user in organization B tries to import 
the class with the same name that users from organization A already imported, 
it fails saying the name has already been taken. In theory the organization 
should be clear from environment but what if I have two separate environments 
for organizations and they want to use same puppet module? And what if their 
puppet modules have different versions so the smart class parameters differs?

And does using katello content views with puppet modules helps in this case? 
It creates different puppet environment for each content view version but is 
there the same problem for puppet class name collision?

Is there some workflow I'm missing? If you have such use case but you (same
as me) can't solve it with Foreman, how would you change Foreman so it 
fulfills your needs?

Thanks for any suggestions

--
Marek



Re: [foreman-users] Can you use Host Collection as a Smart Matcher

2016-11-04 Thread Marek Hulán
On úterý 1. listopadu 2016 20:21:01 CET Greg Payne wrote:
> Hi All,
> 
> I'd like to use host collection as an attribute in a smart matcher that's
> applied to a specific smart class parameter override in puppet.
> 
> Looking in a hosts YAML file i don't see host collection listed as one of
> the parameters so I'm not sure if this is possible at the moment?
> 
> Thanks
> Greg

Hello,

it seems you're not the only one asking for the same [1]. Right now it's not 
possible as far as I know.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391824

--
Marek




Re: [foreman-users] Re: unable to create bond or bridge with foreman 1.13

2016-11-01 Thread Marek Hulán
Hello,

what you describe sounds like a UI issue, the JS should redraw the form so one
could specify attached devices etc. It seems easily reproducible and is
probably caused by strong params change. Please send the issue number here. A
workaround might be to use API for now.

--
Marek

On pondělí 31. října 2016 13:49:30 CET Bill Sirinek wrote:
> I am having the same (or at least very similar) issue as well. After
> upgrading to 1.13.0 I can't create an interface that is seen as bonded to
> my snippets. 1.13.1 didn't fix it either.
> 
> When adding a bonded interface to a host in foreman, the only way I see the
> options to enter attached interfaces or bonding options is to select "Bond"
> and add the interface (without being able to specify attached interfaces or
> bonding options because those are missing), then when I edit the bonded
> interface again, those options are available to me. The interface saves
> after I make my edits, but the attached interfaces information does not
> persist.
> 
> Also, @host.bond_interfaces remains empty because the Bond interface
> apparently isn't seen as a bond?
> 
> On the host I am working with, I have the provisioning interface, eth0 with
> an IP address and MAC assigned to it and marked managed and provisioning.
> I have a bonded interface, bond0, which uses eth4/eth7. The bond0 interface
> is marked primary and given an IP, but not marked as managed.
> eth4 and eth7 are not marked managed, primary or provisioning.
> 
> Here's the @host.interfaces array:
> 
> @host.interfaces.to_a = [# ip: "1.2.3.31", type: "Nic::Managed", name: "testbox.admin.domain.com",
> host_id: 18415, subnet_id: 533, domain_id: 10, attrs: {}, created_at:
> "2016-10-31 19:22:44", updated_at: "2016-10-31 19:22:44", provider: nil,
> username: nil, password: nil, virtual: false, link: true, identifier: "",
> tag: "", attached_to: "", managed: true, mode: "balance-rr",
> attached_devices: "", bond_options: "", primary: false, provision: true,
> compute_attributes: {}, ip6: "", subnet6_id: nil>, # mac: nil, ip: "1.2.4.31", type: "Nic::Bond", name: "testbox.domain.com",
> host_id: 18415, subnet_id: 534, domain_id: 1, attrs: {}, created_at:
> "2016-10-31 19:22:44", updated_at: "2016-10-31 19:36:40", provider: nil,
> username: nil, password: nil, virtual: true, link: true, identifier:
> "bond0", tag: "", attached_to: "", managed: false, mode: "balance-rr",
> attached_devices: "", bond_options: "mode=1 miimon=100 downdelay=200
> updelay=200 use_ca...", primary: true, provision: false,
> compute_attributes: {}, ip6: "", subnet6_id: nil>, # 12227, mac: nil, ip: "", type: "Nic::Managed", name: "", host_id: 18415,
> subnet_id: nil, domain_id: nil, attrs: {}, created_at: "2016-10-31
> 19:22:44", updated_at: "2016-10-31 19:22:44", provider: nil, username: nil,
> password: nil, virtual: false, link: true, identifier: "eth4", tag: "",
> attached_to: "", managed: false, mode: "balance-rr", attached_devices: "",
> bond_options: "", primary: false, provision: false, compute_attributes: {},
> ip6: "", subnet6_id: nil>, # type: "Nic::Managed", name: "", host_id: 18415, subnet_id: nil, domain_id:
> nil, attrs: {}, created_at: "2016-10-31 19:22:44", updated_at: "2016-10-31
> 19:22:44", provider: nil, username: nil, password: nil, virtual: false,
> link: true, identifier: "eth7", tag: "", attached_to: "", managed: false,
> mode: "balance-rr", attached_devices: "", bond_options: "", primary: false,
> provision: false, compute_attributes: {}, ip6: "", subnet6_id: nil>]
> 
> 
> 
> Is there at least a workaround here?
> 
> Bill
> 
> 
> Later,
> 
> >  Lukas #lzap Zapletal




Re: [foreman-users] Foreman ENC and Facts

2016-09-30 Thread Marek Hulán
Hello Luke

based on output you sent you can tell which one is primary. I think you'd have 
to write some puppet function for finding it in that array. Also this [1] 
puppet module could be used for inspiration for how to parse ENC data.

[1] https://github.com/treydock/puppet-foreman_networking

Hope this helps

--
Marek

On Sunday 11 of September 2016 22:21:55 Luke Tinker wrote:
>  foreman_interfaces:
>   - mac: 6a:ab:a5:a4:1a:99
>     ip: 10.1.1.1
>     type: Interface
>     name: myhost.mydomain.tld
>     attrs:
>       netmask: 255.255.255.0
>       mtu: '1500'
>       network: 10.1.1.0
>     virtual: false
>     link: true
>     identifier: en0
>     managed: true
>     primary: true

this is primary interface

>     provision: true
>     subnet: 
>   - mac: a8:a0:ab:5a:ea:1f
>     ip: 
>     type: Interface
>     name: ''
>     attrs:
>       mtu: '1500'
>     virtual: false
>     link: true
>     identifier: en1
>     managed: false
>     primary: false

this is not :-)

>     provision: false
>     subnet: 
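
The lookup described in this message, as an added example that is not part of the original thread and not code from Foreman or the linked module: plain Ruby (not a packaged Puppet function) that selects the primary entry from `foreman_interfaces` and returns the name to enforce. The sample ENC is constructed from the output quoted above; its top-level `parameters` key and the function names are assumptions.

```ruby
require 'yaml'

# Constructed sample modelled on the ENC output quoted in this thread.
# Assumption: foreman_interfaces sits under a top-level "parameters" key.
SAMPLE_ENC = <<~YAML
  parameters:
    foreman_interfaces:
      - mac: 6a:ab:a5:a4:1a:99
        ip: 10.1.1.1
        type: Interface
        name: myhost.mydomain.tld
        attrs:
          netmask: 255.255.255.0
          mtu: '1500'
          network: 10.1.1.0
        virtual: false
        link: true
        identifier: en0
        managed: true
        primary: true
        provision: true
        subnet:
      - mac: a8:a0:ab:5a:ea:1f
        ip:
        type: Interface
        name: ''
        attrs:
          mtu: '1500'
        virtual: false
        link: true
        identifier: en1
        managed: false
        primary: false
        provision: false
        subnet:
YAML

# Accepts a full ENC document (Hash) or the bare foreman_interfaces array.
def foreman_interfaces(enc)
  list = if enc.is_a?(Hash)
           enc.dig('parameters', 'foreman_interfaces') || enc['foreman_interfaces']
         else
           enc
         end
  raise ArgumentError, 'foreman_interfaces is missing or not an array' unless list.is_a?(Array)
  list
end

# Returns the single interface flagged primary: true.
# Zero or several primaries is treated as an error instead of guessing,
# so a malformed ENC never silently renames a host.
def primary_interface(enc)
  primaries = foreman_interfaces(enc).select do |nic|
    nic.is_a?(Hash) && nic['primary'] == true
  end
  unless primaries.size == 1
    raise ArgumentError, "expected exactly one primary interface, found #{primaries.size}"
  end
  primaries.first
end

# The name of the primary interface is the value to enforce as hostname.
def enforced_fqdn(enc)
  name = primary_interface(enc)['name'].to_s.strip
  raise ArgumentError, 'primary interface has no name' if name.empty?
  name.downcase
end

# safe_load refuses arbitrary object tags, which matters when the YAML
# comes from another system.
puts enforced_fqdn(YAML.safe_load(SAMPLE_ENC))
```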



Re: [foreman-users] Re: Cannot provision vnic correctly

2016-09-23 Thread Marek Hulán
Hello

According to what I see, the --nameserver [1] is used from subnet of primary 
interface. I think the provisioning interface was meant only for PXE boot but 
the rest of the installation goes through primary interface including 
downloading the content.

I'm still a bit confused about your setup. You have one physical nic, you try 
to build two virtual vlan nics eth0.1 and eth0.101 and use first of them for 
provisioning and second as primary? I don't think this would work.

[1] https://github.com/theforeman/community-templates/blob/develop/kickstart/provision.erb#L52

--
Marek

On Thursday 22 of September 2016 06:57:36 Cale Bouscal wrote:
> Hmm, not sure that's what we're looking for.
> 
> eth0 is capable of booting natively and provisioning. If we ignored the
> eth0.1 completely we'd be set. However, during ks, we don't resolve the
> repo name, because "dnsservers is " even though there is a dns
> server configured in the prov subnet. It's as if I select the second nic as
> 'primary', it tries to provision using its subnet details instead of the
> one that's checked as prov.
> 
> Does this make sense?
> 
> On Thursday, 22 September 2016 07:20:35 UTC-6, Cale Bouscal wrote:
> > I have a UCS instance with a nic trunked to a pair of vlans, one for
> > provisioning  (vlan1) and one for primary service (vlan 101)
> > 
> > My expectation:
> > - all pxe/provision activity happens over nic1/vlan1, while a nic1.101
> > sysconfig file is created to define the primary interface.
> > 
> > My result:
> > - no matter how I configure this, I end up with a system trying to use
> > nic1.101 dns servers during provisioning, and fails. Further inspection
> > shows "only one interface found" during boot - it's like the virtual nic
> > isn't being recognized, even though I've configured it with the
> > appropriate
> > vlan tag and listed the parent eth0.
> > 
> > I understand that nic1.101 has to be flagged as "managed" in order for
> > foreman to configure it - but that seems to lead to all sorts of other
> > issues, including registration of DNS (which I don't want) being attempted
> > and failing.
> > 
> > How do I achieve the result I'm looking for?



Re: [foreman-users] Cannot provision vnic correctly

2016-09-22 Thread Marek Hulán
Hello,

the problem in this case is probably that we configure these interfaces during 
last step of provisioning (%post in case of kickstart, finish script in case of 
debian). If you need to use VLAN for the actual installation you should be 
able to achieve it by changing provisioning template, there's no built-in 
support for it atm. OTOH the data that you'd need should be accessible in that 
template, you can take a look at [1] for good example.

[1] https://github.com/theforeman/community-templates/blob/develop/snippets/kickstart_networking_setup.erb

Hope this helps

--
Marek

On Thursday 22 of September 2016 06:20:03 Cale Bouscal wrote:
> I have a UCS instance with a nic trunked to a pair of vlans, one for
> provisioning  (vlan1) and one for primary service (vlan 101)
> 
> My expectation:
> - all pxe/provision activity happens over nic1/vlan1, while a nic1.101
> sysconfig file is created to define the primary interface.
> 
> My result:
> - no matter how I configure this, I end up with a system trying to use
> nic1.101 dns servers during provisioning, and fails. Further inspection
> shows "only one interface found" during boot - it's like the virtual nic
> isn't being recognized, even though I've configured it with the appropriate
> vlan tag and listed the parent eth0.
> 
> I understand that nic1.101 has to be flagged as "managed" in order for
> foreman to configure it - but that seems to lead to all sorts of other
> issues, including registration of DNS (which I don't want) being attempted
> and failing.
> 
> How do I achieve the result I'm looking for?



Re: [foreman-users] Foreman ENC and Facts

2016-09-07 Thread Marek Hulán
On Tuesday 06 of September 2016 20:41:13 Luke Tinker wrote:
> Hi everyone,
> 
> hopefully someone can point me in the right direction here
> I started using foreman earlier this year,
> 
> The short of what i want to achieve is have Foreman Host Name field
> provided as a fact so puppet can use it to ensure the hostname is enforced,
> this is so when a machine is pre-created in foreman, puppet can ensure its
> hostname is always correct,
> also making renaming the machine possible via foreman.
> 
> The most obvious place to find this information is via the YAML output
> values provided per host, specifically the primary interface's name value.
> however is this the best source, is it possible to get the host name from
> the Name* field when you go to edit a host, thus allowing for the direct
> change if its name is changed?
> 
> any assistance would be greatly appreciated, even if its a simple push in a
> certain direction.
> 
> Cheers,
> Luke

Hello

I'd say it's a good source. A host name + primary interface domain name is
what gives us the host FQDN. Host name is always synced to primary interface name.

Hope this helps

--
Marek



Re: [foreman-users] Adding subnet details to Interface hash sent via orchestration 'create' event

2016-08-26 Thread Marek Hulán
Hello

Sorry I'm not aware of that change. Since this sounds like something useful 
for everybody and you already got a patch, could you please create a redmine 
issue and send a pull request so we incorporate it? You can find information 
about the process at [1]. One potential benefit for you - you wouldn't lose the 
custom patch after next Foreman upgrade :-)

[1] https://theforeman.org/contribute.html#SubmitPatches

--
Marek

On Tuesday 16 of August 2016 17:20:09 Francois Herbert wrote:
> OK, Just in case anyone else needs to know, I figured this out, in the same
> file (app/views/api-v2/hosts/show.json.rabl) I needed to apply the
> following patch:
> 
> 14c14
> 
> <   extends "api/v2/interfaces/main"
> 
> ---
> 
> >   extends "api/v2/interfaces/base"
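
Review bot: the direction of this hunk at line 14 is inverted relative to the description around it. In normal diff output the `<` line is the first (old) file and the `>` line the second, so as posted it replaces `extends "api/v2/interfaces/main"` with `extends "api/v2/interfaces/base"`, while the text that follows shows the resulting block extending `main`. Regenerate it with the unmodified file as the first argument, preferably as a unified diff so the path of show.json.rabl and a few context lines travel with the patch.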
> 
> This makes the following change:
> 
> 
> child :interfaces => :interfaces do
> 
>   extends "api/v2/interfaces/main"
> 
> end
> 
> On Thursday, August 11, 2016 at 11:27:52 AM UTC+12, Francois Herbert wrote:
> > Has this behaviour changed in version 1.11.4?
> > 
> > 
> > in app/views/api/v2/hosts.show.json.rabl I have:
> > 
> > 
> > extends "api/v2/interfaces/main"
> > 
> > 
> > but I don’t get the subnet_name or subnet_id passed to the hook on the
> > create event. I've checked main.json.rabl and it is adding the subnet_id
> > and subnet_name attributes.
> > 
> > 
> > What I do get is:
> > 
> > 
> > "interfaces":[{"id":null,"name":"test52.domain.com
> > ","ip":null,"mac":"00:50:56:9a:43:f7","identifier":"","primary":true,"prov
> > ision":true,"type":"interface"}]
> > 
> > 
> > Thanks
> > 
> > Francois
> > 
> > On Tuesday, March 22, 2016 at 9:15:28 PM UTC+13, Dominic Cleal wrote:
> >> On 21/03/16 20:57, Francois Herbert wrote:
> >> > I'm using foreman hooks to update an external IPAM system. The
> >> 
> >> interface
> >> 
> >> > hash that is sent does not include the subnet name or id that the
> >> > interface has been designated in foreman.
> >> > There is subnet information sent through in the host hash but only one
> >> > subnet per host is sent - not useful if there are multiple network
> >> > interfaces on different subnets.
> >> > 
> >> > I've tried making an API call in the create hook but the data isn't
> >> > committed to the database at this stage so can't retrieve the subnet
> >> > information for each network interface.
> >> > 
> >> > This is what currently gets sent through with the create hook for the
> >> 
> >> > interface hash:
> >> interfaces":[{"id":null,"name":"interface1name","ip":null,"mac":"00:11:22
> >> :33:44:55","identifier":"","primary":true,"provision":true,"type":"interf
> >> ace"},{"id":null,"name":"interface2name","ip":null,"mac":"00:11:22:33:44:
> >> 56","identifier":"","primary":false,"provision":false,"type":"interface"}
> >> ]>> 
> >> > The ideal data that I need would look like:
> >> interfaces":[{"id":null,"name":"interface1name","ip":null,"mac":"00:11:22
> >> :33:44:55","identifier":"","primary":true,"provision":true,"type":"interf
> >> ace","subnet_id":2,"subnet_name":"Frontend","sp_subnet_id":null},{"id":nu
> >> ll,"name":"interface2name","ip":null,"mac":"00:11:22:33:44:56","identifie
> >> r":"","primary":false,"provision":false,"type":"interface","subnet_id":3,
> >> "subnet_name":"Backend","sp_subnet_id":null}]>> 
> >> > Has anyone got any idea what code I need to modify (or if it's
> >> 
> >> possible)
> >> 
> >> > to add the subnet name and subnet id through with the create hook event
> >> > data in the interfaces hash?
> >> 
> >> It's from the API responses defined in
> >> app/views/api/v2/hosts/show.json.rabl, which uses the "base" interface
> >> view rather than the "main" one which usually includes the subnet ID.
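
A check an IPAM hook could run on the payload discussed in this thread, as an added example that is not part of the original messages and not code from Foreman or foreman_hooks: it maps each interface MAC to its subnet and refuses to continue when `subnet_id` or `subnet_name` is absent, which is the case with the "base" interface view. The payloads are constructed from the two JSON fragments quoted above; the enclosing `host` object, the host name and all function names are assumptions.

```ruby
require 'json'

class MissingSubnet < StandardError; end

# Builds a constructed payload from the interface fields quoted in this
# thread. Assumption: the hook receives them inside a "host" object.
def sample_payload(with_subnets)
  nics = [
    { 'id' => nil, 'name' => 'interface1name', 'ip' => nil,
      'mac' => '00:11:22:33:44:55', 'identifier' => '',
      'primary' => true, 'provision' => true, 'type' => 'interface' },
    { 'id' => nil, 'name' => 'interface2name', 'ip' => nil,
      'mac' => '00:11:22:33:44:56', 'identifier' => '',
      'primary' => false, 'provision' => false, 'type' => 'interface' }
  ]
  if with_subnets
    nics[0].merge!('subnet_id' => 2, 'subnet_name' => 'Frontend', 'sp_subnet_id' => nil)
    nics[1].merge!('subnet_id' => 3, 'subnet_name' => 'Backend', 'sp_subnet_id' => nil)
  end
  JSON.generate({ 'host' => { 'name' => 'constructed.example.test', 'interfaces' => nics } })
end

# Returns the interfaces array, with or without the "host" wrapper.
def hook_interfaces(raw)
  doc = JSON.parse(raw)
  host = doc.is_a?(Hash) && doc['host'].is_a?(Hash) ? doc['host'] : doc
  list = host.is_a?(Hash) ? host['interfaces'] : nil
  raise ArgumentError, 'no interfaces array in hook payload' unless list.is_a?(Array)
  list
end

# Maps MAC => subnet. Raises MissingSubnet naming every interface that
# carries no subnet data, so the caller never registers an address in
# the IPAM against a guessed or default subnet.
def subnets_by_mac(raw)
  missing = []
  map = {}
  hook_interfaces(raw).each do |nic|
    unless nic.is_a?(Hash)
      missing << nic.inspect
      next
    end
    mac = nic['mac'].to_s.downcase
    if nic['subnet_id'].is_a?(Integer) && !nic['subnet_name'].to_s.empty?
      map[mac] = { id: nic['subnet_id'], name: nic['subnet_name'] }
    else
      missing << (mac.empty? ? nic['name'].to_s : mac)
    end
  end
  raise MissingSubnet, "no subnet data for: #{missing.join(', ')}" unless missing.empty?
  map
end

# Demo on the constructed payloads: the second call fails closed.
puts subnets_by_mac(sample_payload(true)).inspect
begin
  subnets_by_mac(sample_payload(false))
rescue MissingSubnet => e
  warn "refusing to update IPAM: #{e.message}"
end
```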



Re: [foreman-users] Re: Setting up chef client to use smart proxy of Foreman

2016-08-04 Thread Marek Hulán
On Wednesday 03 of August 2016 02:22:29 Abir wrote:
> I don't think the Chef plugin can act as a proxy for the Chef server. I
> don't believe that would be possible ( or very secure ).
> 
> This diagram in the official manual will give you an
> idea: https://theforeman.org/plugins/foreman_chef/0.3/chef.svg
> 
> Foreman simply receives the results of a Chef run through the handler and
> verifies this information with the chef server. The communication between
> the chef client and server remains unchanged.

You are correct. The Foreman chef plugin originally worked as endpoint for the 
client handler but it ignores authentication completely so you should always 
configure it to communicate through smart proxy (with smart proxy chef plugin).

Rajnesh, what exactly does not work for you? You don't mention any error 
message.

--
Marek
