3 changes: 3 additions & 0 deletions src/playbooks/deploy/deploy.yaml
Expand Up @@ -32,6 +32,9 @@
foreman_client_certificate: "{{ client_certificate }}"
foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
foreman_listen_stream: /run/httpd.foreman.sock
foreman_url: "https://{{ ansible_fqdn }}"
httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
I'm surprised all three of these are not the role defaults.

Because they're connected: my thought was that the roles should be dependent, and only at the playbook level can you relate them.

httpd_server_ca_certificate: "{{ server_ca_certificate }}"
httpd_client_ca_certificate: "{{ client_ca_certificate }}"
httpd_server_certificate: "{{ server_certificate }}"
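Review bot: The new `httpd_foreman_backend` value ends in `|http://%{HTTP_HOST}/`, and for a `unix:` backend mod_proxy uses the URL after `|` as the request URL it presents to the socket, so the Host header Foreman sees comes from that expansion rather than from the socket path. Whether `%{HTTP_HOST}` is expanded in a ProxyPass target depends on the Apache version and vhost configuration, which this hunk cannot show; if it is, Foreman sees the client-requested host, and if it is not, it sees the literal string. Either way the intent deserves a comment beside the line, e.g. `# the URL after "|" sets the Host header Foreman sees; %{HTTP_HOST} passes the client-requested host through`, or the value should be pinned to `http://{{ ansible_fqdn }}/` outright. The vars mapping these keys belong to starts above the hunk.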
2 changes: 2 additions & 0 deletions src/roles/foreman/defaults/main.yaml
@@ -1,6 +1,8 @@
---
foreman_container_image: "quay.io/evgeni/foreman-rpm"
foreman_container_tag: "nightly"
foreman_listen_stream: localhost:3000
I think what I don't know enough about is why we wouldn't default this to /run/httpd.foreman.sock if our intent is to use systemd sock activation.

foreman_url: "http://{{ foreman_listen_stream }}"

foreman_database_name: foreman
foreman_database_user: foreman
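Review bot: The new default `foreman_url: "http://{{ foreman_listen_stream }}"` is only a valid URL while `foreman_listen_stream` is a host:port, yet the same PR points that variable at a unix socket path in the deploy playbook, so any caller that overrides the listen stream without also overriding `foreman_url` renders `http:///run/httpd.foreman.sock` and the `uri` waits in the tasks file fail. The coupling should be stated where the default lives, e.g. `# derived from the TCP default; override foreman_url together with foreman_listen_stream when using a unix socket`. I am inferring from the 2-addition count that `foreman_listen_stream` and `foreman_url` are the added lines.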
19 changes: 16 additions & 3 deletions src/roles/foreman/tasks/main.yaml
Expand Up @@ -46,6 +46,12 @@
name: foreman-client-key
path: "{{ foreman_client_key }}"

- name: Deploy Foreman socket
ansible.builtin.template:
src: foreman.socket.j2
dest: /etc/systemd/system/foreman.socket
mode: '0644'

- name: Deploy Foreman Container
containers.podman.podman_container:
name: "foreman"
Expand All @@ -64,6 +70,8 @@
SEED_ADMIN_PASSWORD: changeme
quadlet_options:
- |
[Unit]
Requires=foreman.socket
[Install]
WantedBy=default.target

Expand Down Expand Up @@ -119,7 +127,8 @@

- name: Wait for Foreman service to be accessible
ansible.builtin.uri:
url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
url: '{{ foreman_url }}/api/v2/ping'
ca_path: '{{ ca_certificate }}'
until: foreman_status.status == 200
retries: 60
delay: 5
Expand All @@ -137,7 +146,8 @@

- name: Wait for Foreman tasks to be ready
ansible.builtin.uri:
url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
url: '{{ foreman_url }}/api/v2/ping'
ca_path: '{{ ca_certificate }}'
until: foreman_tasks_status.json['results']['katello']['services']['foreman_tasks']['status'] == 'ok'
retries: 60
delay: 5
Expand All @@ -149,6 +159,9 @@
theforeman.foreman.smart_proxy:
name: "{{ ansible_fqdn }}"
url: "https://{{ ansible_fqdn }}:9090"
server_url: "http://{{ ansible_fqdn }}:3000"
server_url: "{{ foreman_url }}"
# TODO: requires https://github.com/theforeman/foreman-ansible-modules/commit/03298a74e6096c370a932de37aa62dbece3f452f
validate_certs: false
#ca_path: '{{ ca_certificate }}'
username: admin
password: changeme
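Review bot: `validate_certs: false` on the smart_proxy registration task disables TLS verification for the request that carries the admin credentials to `{{ foreman_url }}`, which the deploy playbook now sets to an https URL, so the change swaps the previous plaintext-http call for an https call that accepts any certificate. The TODO names the upstream module commit that adds `ca_path` but does not record the interim state; the comment should say so explicitly, e.g. `# verification is off only until the installed module supports ca_path; the commented ca_path line is the intended replacement`, and the version requirement should be tracked so the flag is removed rather than forgotten. Separately, the new `Deploy Foreman socket` task writes `/etc/systemd/system/foreman.socket` but nothing in the visible hunks reloads systemd or enables the socket that the container's `Requires=foreman.socket` depends on; if a handler or later task covers this outside the hunks, a `notify:` on the template task would make that visible. The task list continues outside these hunks.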
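--- /dev/null
+++ b/src/roles/foreman/templates/foreman.socket.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Foreman socket
+
+[Socket]
+ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
+
+[Install]
+WantedBy=sockets.target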
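Review bot: `SocketUser=apache` and `SocketMode=0600` only take effect when `ListenStream` is a file-system socket path, and the role default for `foreman_listen_stream` is `localhost:3000`, so with defaults this unit creates a TCP listener any local process can connect to while reading as if access were restricted to the apache user. A comment on those two lines would prevent that misreading, e.g. `# SocketUser/SocketMode apply only when ListenStream is a unix socket path`. `ReusePort=true` is likewise TCP-only and `NoDelay=false` is systemd's default, so if the template is meant to serve both forms, wrapping the unix-only and TCP-only keys in Jinja conditionals on the value would make the intent explicit.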
2 changes: 2 additions & 0 deletions src/roles/foreman/templates/settings.yaml.j2
@@ -1,4 +1,6 @@
---
:foreman_url: {{ foreman_url }}

:ssl_certificate: /etc/foreman/client_cert.pem
:ssl_ca_file: /etc/foreman/katello-default-ca.crt
:ssl_priv_key: /etc/foreman/client_key.pem
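Review bot: `:foreman_url: {{ foreman_url }}` leaves the templated value unquoted in a YAML document, so an empty or undefined `foreman_url` renders as a null value and a URL containing ` #` or `: ` would be mis-parsed, whereas the neighbouring settings are fixed literals; `:foreman_url: "{{ foreman_url }}"` keeps the rendered value a string in every case. The same unquoted substitution is introduced in `src/roles/foreman_proxy/templates/settings.yaml.j2`. Which lines of this hunk are the additions is inferred from the 2-addition count.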
2 changes: 1 addition & 1 deletion src/roles/foreman_proxy/templates/settings.yaml.j2
Expand Up @@ -7,7 +7,7 @@
:trusted_hosts:
- {{ ansible_fqdn }}

:foreman_url: http://{{ ansible_fqdn }}:3000
:foreman_url: {{ foreman_url }}

:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
2 changes: 1 addition & 1 deletion src/roles/httpd/defaults/main.yml
@@ -1,4 +1,4 @@
httpd_ssl_dir: /etc/pki/httpd
httpd_pulp_api_backend: http://localhost:24817
httpd_pulp_content_backend: http://localhost:24816
httpd_foreman_backend: http://localhost:3000
httpd_foreman_backend: http://localhost:3000/
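Review bot: The trailing slash added to `httpd_foreman_backend` is now load-bearing, because `src/roles/httpd/templates/foreman-ssl-vhost.conf.j2` drops its own `/` and emits the variable verbatim into `ProxyPass /` and `ProxyPassReverse /`, where the presence of a trailing slash changes how Apache joins the request path onto the backend URL; an override such as `http://localhost:3000` would silently produce a different mapping. Record the contract next to the default, e.g. `# must end with "/" (for a unix socket: "unix://<path>|http://<host>/"); the vhost template appends nothing`.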
7 changes: 7 additions & 0 deletions src/roles/httpd/tasks/main.yml
Expand Up @@ -12,6 +12,13 @@
state: true
persistent: true

# TODO: probably not the right boolean
- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
ansible.posix.seboolean:
name: daemons_enable_cluster_mode
state: true
persistent: true

- name: Disable welcome page
ansible.builtin.file:
path: /etc/httpd/conf.d/welcome.conf
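Review bot: `daemons_enable_cluster_mode` is a broad SELinux boolean that relaxes policy for every confined daemon rather than just httpd, and the `# TODO: probably not the right boolean` comment above it says the task was not derived from an observed denial. Before this lands, capture the actual AVC for httpd connecting to `/run/httpd.foreman.sock` and either switch to the boolean or file-context change that addresses that specific denial, or replace the TODO with a comment naming the denial this boolean was confirmed to fix, e.g. `# allows httpd_t to connect to the foreman socket; AVC: <paste from audit.log>`. With `persistent: true` the relaxation survives reboots on every host the role touches, so the justification belongs in the file rather than only in the PR thread. The task list continues outside the hunk.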
4 changes: 2 additions & 2 deletions src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
Expand Up @@ -70,8 +70,8 @@
ProxyPass /pulp !
ProxyPass /icons !
ProxyPass /server-status !
ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
ProxyPassReverse / {{ httpd_foreman_backend }}/
ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900
ProxyPassReverse / {{ httpd_foreman_backend }}

AddDefaultCharset UTF-8
</VirtualHost>