So I'll stop copying them now; I'm waiting for this one to finish. Oh, what has gone on with my monitor? Is that right? Okay, that's duplicated, so outputs... What's the resolution on this? Can we make this bigger, or is that as good as it's gonna get? I guess that's as good as it's gonna get. Okay. Now I can see what I'm doing, good. Make that smaller; that is not gonna finish, is it? Okay, I'll make it bigger again, how about that? Okay, we're not gonna spend too much time on the console. It should be okay. I guess I can make it a bit bigger; I just want to see that progress bar.

Swarming here. So we need always auto-lock; we're not about to touch it. It should be... call the AV. As long as this is working. I think it just controls the microphones. Ah. So are we ready to go? You want me to get started? Okay, that is actually running, that is actually progressing, 21%. I need to wait for that one to finish. Okay, in the meantime we'll do some slides and we'll talk for like 10 minutes or something; we'll see how we go. I've got one in here, but I guess until that finishes I can't... I guess we can run it later. And this is a VM, so it's based on copying qcow images for people's libvirt networks, so they're big files. They're technically 11 gig each, but they're not really, because they're sparse. So yeah, it's gonna take a while. So this is gonna be really, really risky. Oh, thank you.

Right, so let's get a random thing. I'm a long-time presenter but it's my first time doing a workshop here, so I'm quite... okay, that's fine. My aim is... I've got 45 minutes of content because I know this is gonna go wrong, so that will take us two hours to get through, right? That's cool. Wonderful, thank you, that's perfect. Wrap it up, that's fine, yep, that's cool. I would imagine we're gonna get to it before then; I hope we're gonna get to it before then. All right, so thank you all for coming.
I actually had no idea how full this room was gonna be, so I didn't know if I was getting five people or whatever. So thank you all for coming; it's great to see such a great turnout. We're gonna do a bit of an experiment. I'm gonna do just a really quick aside. So who already knows Foreman, for my interest? Yeah, okay. Who's already using Foreman? Good, you're supposed to put your hand up at that one. Okay, good. So these are a bunch of people interested in learning Foreman; you've come to the right place.

So what we're gonna do... who followed the notes? Who's got libvirt set up? Got a clean VM ready to go? Nobody? Superb. You're never... you're not gonna get anything out of this, so... Foreman. So you've got some idea of what Foreman is. Very, very quickly I'm gonna do a couple of slides just to set the groundwork, and then we're gonna dive in and do some stuff. If you don't have libvirt set up and you want to get it set up while I'm talking, please go ahead. I have qcow images, which I am trying to copy onto USB sticks as we speak. It would have been nice if I'd got hold of those earlier this morning, but I hoped we could do some kind of Wi-Fi thing. That seems to be firewalled, sadly, so that didn't work out. So I'm just finishing off some qcow images for you all to have if that's what you need; otherwise I can provide package caches and all sorts of things.

So what we're gonna do is try and build you a Foreman sandbox that you can take away with you and play with when we're done. That's the aim of this workshop. I suspect we're gonna struggle given the networking and the problems with file sharing and so on, but we'll see how we go.

So, very quickly, firstly some thanks to one of our contributors, because he wrote this slide deck and I just kind of hacked it. So he really should get fair credit for this; he's a fantastic guy.

So what is Foreman? Foreman's a lifecycle management system.
That's the key phrase. If you think about trying to build hosts, be they physical hosts, virtual hosts (virtual hosts that are a bit like physical hosts, like libvirt or Xen or something like this), or really, really virtual stuff, cloud stuff, Amazon EC2, DigitalOcean, image-based stuff: it doesn't matter what you're building. You need to get it up and running. You need to put something on disk or on the cloud. You need to spin it up; it needs some CPU time and it needs to come up. It needs to have some initial configuration. Maybe you need to hook it up to Puppet or Ansible or something like this. You want to run some one-time setup stuff and hand it off to your configuration management, most likely. Once you've got it to that point you want to monitor it, maintain it, drive it, and when you're done with all that you probably want to do some deprovisioning tasks as well at some point: delete the image, recycle the host, whatever it is.

That's Foreman's job. It's sitting slightly above your configuration management and dealing with all those other tasks that need to happen in order to give you a nice, easy way of handling your infrastructure. So that's probably more... so yes: provision, operate, demolish is what we're really talking about here. Get it up and running, maintain it, get rid of it when you're finished.

How do we do that? Foreman's a...
...client-server system, but it's got a thing called the smart proxy. We only want one Foreman server, one point of truth, one place to go to manage your infrastructure. It doesn't matter if you've got one data center or five data centers, if you're just running it in your house or if you've got 40,000 hosts: you don't want to be going to multiple different places to get this information. So there is one Foreman server. But if you have lots of things to manage you need a way to do that. So we have a thing called the Foreman proxy, the smart proxy, and we put these wherever there are services to manage, and you will see that as we get into the workshop itself.

The idea here is that it's a tiny little thing, a little Ruby thing that provides a nice API we can talk to in order to get a consistent way of executing certain actions. A good example here is something like DHCP. DHCP has the OMAPI protocol, but it's a pain to work with. But we've got proxies sitting on the same server as the DHCP server, so it's much easier to work locally. Same with DNS: we can execute things like nsupdate commands using the rndc keys locally, so we can actually add DNS records into your DNS system for you. This is what you want: when I build a new VM I don't want to have to care what IP address it's on; I want to SSH to its name when it's finished building, and Foreman can do that for us. It does that by these smart proxies. Same with Puppet or other configuration management systems: we can put smart proxies down onto those servers so that we can control them a little bit more easily and scan things and get information back.

So that's the core architecture. We have one Foreman, many, many smart proxies. By the end of the day we're really just gonna have one smart proxy, but it's gonna be doing quite a lot of jobs for us. It's gonna be looking at Puppet, it's gonna be looking at TFTP, DNS, DHCP, that kind of stuff.

So what can we provision?
Well, pretty much anything, really. So the list there is everything we can do today. Some of those are plugins that don't come out of the box, but they're very easy to set up, so Xen and Azure, for example, are plugins; things like oVirt, things like libvirt, things like AWS come straight out of the box. And of course bare metal. So the key thing here is it's very extensible. If there's something you'd like that's not on that list, it probably can be added; writing plugins for Foreman is not hard. So if you need to provision something, we can probably help.

What do we mean by provisioning? This is what we're gonna be doing today, this one here, because it's the hardest one. So I thought that'd be a good choice for a workshop, right? I'm brave. Imaging is in some ways easier, but you still have a lot of work to do; you still need to get into that image and configure it somehow. And then if you have some interesting use cases we have a variety of ISO and PXE-less things that we can do, but we're probably not gonna get into that today. If that's of interest to you, come see us down at the table; we'll talk about it. Yeah, if you don't know, we have a table over there. So anything that isn't clear by the end of this, or if we run out of time, come talk to us. We've got whole demos set up over there; you can come and play with them. So this is all we're gonna focus on.

So what do we mean by this? Pre-execution environment, that's what PXE stands for, and it's a network protocol, right? The idea is that when your host boots up for the first time it's gonna ask the DHCP server, and the DHCP server is going to respond and say hey, you need to network boot.
Here's the IP address to network boot from. That's going to go and get some configuration and then it's going to come up. In this case what happens is Foreman drives that process. It writes files into the TFTP server and says this is how machines should boot, and we will see that happen. What happens is there's a default file which basically says if I don't know you, just boot off your disk. Which means it's safe to set all of your machines on your network to boot from the network first, because Foreman won't touch them. However, once Foreman knows about a host, once it's got that MAC address, it can start controlling it. It can write specific files for specific hosts, and Foreman can check: is it okay? This host is in build mode, so don't boot from your local disk; here's the kernel and the initrd, here's the kickstart for Anaconda, off you go, get started. And we can provide the templates and so on. So we'll try and get that working.

We do orchestration, so I mentioned DNS, DHCP, configuration management; we'll see that happen. These are the tools that we have plugins for. Puppet comes out of the box, but we support these ones as well. We get data back, so once the hosts are up and running you want to be able to see what's happening. So if you do an Ansible run, you know, execute a role, you want to get the reports back from that: what packages were installed, what files were changed. Puppet the same; inventory data, nice graphs, all that kind of good stuff. We have some enterprise stuff, which is not so relevant today. I guess this one is quite useful to a lot of people: if you're doing any kind of multi-tenant, multiple groups within your organization, that's very useful. And we have a ton of interfaces. So we have a command line tool called Hammer, we have an API.

So, right. Boring, right? You didn't come here to hear me talk, you came here to actually do some work. So let me see if we can get something rolling. So okay, who needs the libvirt files?
Who's actually got libvirt up and running right now? Anyone? It was in the notes. It was in the notes; I did say please bring a libvirt-enabled machine or at least access to one. I don't know, you can SSH out if you want. So let me show you my setup. Let's just have a quick look. Where is my Virtual Machine Manager? So here is my libvirt system, and I'll walk you through what we've got here. This is local to my laptop. So if you've got libvirt running, what we've got is a network called workshop, and in this case I've got DHCP disabled. You don't need that right now. Basically I'm going to give Foreman control of DHCP, and I don't want it conflicting with the dnsmasq that comes by default with libvirt. But if you're just building your first VM, you are obviously going to need something to get it up and running.

Now I'm currently in the process of building some images. It seems to have mostly failed. It's fine, because the image itself works. What I'm trying to do is... this is kind of about 30, 40 percent of the way through the workshop, which we'll get to, and I'm running it now so that we've got it all done and cached, but it's being a bit slow on this Wi-Fi. Have we actually still got Wi-Fi? I'm still connected to the internet, yes, apparently I am, so it should work. Well, we'll see if it gets there.

So back to the more important thing. Where did that go? There we go. So what we've got here, just to give you a basic idea of the architecture: it's a single network, a single /24 subnet, and we've got absolutely nothing else on it apart from one host, which is going to be our Foreman host. Now we'll create a few more hosts as we go, but for now we don't have very much on it. I'm going to boot this one up, which I'm pretty sure is also on the same network. So this is a machine I created a few days ago, which I can give out to people. This one doesn't have the Foreman installer run yet.
So this is where you start with Foreman. When you're first getting into Foreman, and this is what I was hoping more people would bring clean VMs for so we could do it together, the very first starting point is our Foreman installer. Foreman is a complex system. If I come back over to this one... I know that's tiny, I'll try and make it bigger. Is that big enough for people, do I need to make that bigger? Is it okay at the back? Cool.

So this is going to be huge output, right? But just to give you an idea of all the processes that are running on a Foreman system: we've got Puppet running, Apache running, xinetd, which is for TFTP. That's the foreman-installer process you saw me start a couple of minutes ago. A Java process here, that's the Puppet server. We've got Postgres, Postfix stuff, tons of stuff, right? So that's a lot to configure by yourself. It's a big ask to get people to get that up and running. That's why I wanted to do a workshop where I tried to show people how to get started with Foreman, because it's a lot to work with, but you don't have to do it yourself. We have an installer called the foreman-installer, go figure, and it's written in Puppet.

So this is not like your classic grab a bash script from the internet, curl it and pipe it to bash, right? We don't like that; I don't think that's a good model. What we have is a published set of Puppet modules for configuring each component of Foreman, and the foreman-installer wraps those up together into one executable, and all it's doing is calling Puppet in the background. So it's all introspectable.

Okay, so I have the Debian one ready. I guess there's not many people who really want to do Debian in here, but the CentOS one needs to be finished before I give it to people. So the Debian one has been copied, I think. Yep. How much space is that taking up?
So there's still 12 gig available on there. I might just give up on running this for a minute and copy the image as is. So let's get that copied and start passing it around for the people who want it. Make sure that's shut down, then people can start copying it and it'll be ready. The CentOS image won't have the DNS stuff running yet; it's got the basic web UI ready for people to play with, but no more than that until I get that command to finish. All right, let's copy that across. Which tab was that on here? Yeah, so I want to copy...

So the foreman-installer then, let's talk about that. So the very first thing you will do with Foreman when you get started... and you won't, if you're using the images from this, need to do this, it's already been done, but I'm going to show it because it's important to know. So we have this big Get Started button and right away you get to pick your OS. So quick show of hands, I'm pretty sure I know the answer: who prefers CentOS? Okay, and who prefers Debian? Yeah, you're just trolling me. Okay, so as I figured, more of a CentOS crowd at DevConf; that's not really surprising.

So we have instructions for both. Foreman packages are built for a variety of OSes, but this is your getting started guide, basically. Puppet 4 out of the box, or if you want Puppet 3 you can use this one. So that's your release RPM for that, then there's EPEL and our release RPM. So just a bunch of release RPMs and then literally yum install foreman-installer, and that's it, right? So this is straight... this is linked to from the front page of the website. You run those three or four commands and you've got the foreman-installer, which is a binary.

And that's copying, so let's see if my other virtual... where's my other virtual machine gone? I'll just find out what IP address it's come up on. Ah, can't type. By the way, I should say this is meant to be fairly interactive. Do stop me, jump in, ask if anything's unclear. We have lots of time.
I did this as a YouTube video. It took 45 minutes because I knew what I was doing; it was all prepared, it was all snapshotted, and nobody could interrupt me, right? So it was great. So we have two hours; jump in, tell me where I'm not explaining things well enough. It's absolutely fine.

So that's on... it hasn't got an IP address, lovely. So you can see on this one it's similar. I know that's not the easiest of things to read, but what's marginally different is you don't see things like... oh, xinetd is on there. Did I run it already? I think it comes out of the box. But yeah, we don't have named, we don't have bind, we don't have any of that kind of provisioning side of things done. But at least we do have the UI. So why is this not... oh, I know what it is, I know what it is. The workshop network doesn't do DHCP. So that'll be what it is. I'll just quickly reboot this.

All right, let's stop talking nonsense. So the foreman-installer, as I said, is a set of Puppet modules to get you up and running really quickly. You can literally run it with no arguments. So there you go, just like that, and that will get you a default Foreman install. What you get out of the box, and I hope to show you that in a minute, is Foreman running under Apache. So, if you don't know, it's a Rails app, so you can technically run it standalone, but it doesn't scale very well. You can run it in WEBrick or Thin or whatever; it does not scale. So we give you Apache out of the box. You get that nicely tuned with Passenger, you get a Postgres database, and so that scales reasonably well, and you get a Puppet server as well, so you can do something useful with it. Because most of the pieces of Foreman are opt-in: if you don't want to do provisioning, that's fine; if you don't want to do configuration management, that's fine. But you want something useful when you finish with the foreman-installer, so we choose to give you Puppet.
It's the easiest thing and the least intrusive thing. And what you get is output like this at the end. I'll make that a bit bigger. So you get your URL, you get admin credentials, it tells you where the smart proxy is, it tells you where Puppet is, and it gives you a place to go and look in the log if you really want the entire output of this massive Puppet run. That's you up and running. Literally, if you have a clean VM and good network access, which is what we don't have, then you can do this in 10 minutes, right? It's literally install some release RPMs, run one command, and Foreman is up and running.

So let's boot this back up. No, not that one. Where is it? All my desktops have got messed up by working on such a small screen. So this is now on 100.247, okay. So let's do https. You also get a self-signed certificate. So, I don't know how many of you know Puppet? Okay, a few hands. So, you know, Puppet builds its own SSL infrastructure when you start it up, right? So we hook into that; we just use that. So you get this self-signed setup right from the beginning. So this will really... well, I mistyped that. 247, it was 247, wasn't it? Yes. And it's definitely running Apache. This is why we like doing things live, right? 247. Thank you, Mark. I'm harsh, right? There we go. So self-signed certificate, as I said, so we have to go through all the usual fun hoops now.

Quickly, I'll show you this. So as I said... well, that's not what I wanted. So that output that I showed you, those four lines of output, has a random password in it, right? It's some long string, and it's really, really easy to lose that and not be able to get it back. So there is a command to help you with that, and I'm going to show it to you right now because I need to. There we go. So I don't need to worry about where my libvirt window is about now. Is that still big enough, right? Do I bring it up here?
So you have a command called foreman-rake and we can do permissions:reset. So I'll just check: is that finished copying? No. Don't you just love copying massive files? Password... and here we are. So if you ever need to reset it, you can just run foreman-rake permissions:reset and you're back in.

So this is the Foreman UI. This is what you get out of the box, day one, day zero with Foreman. All we have done so far is those four commands off the website and run foreman-installer; that's all. This is where this VM got to; as far as that is all we have done. And hopefully this is what I'm going to distribute in a few minutes when these... I'll start copying it again as soon as I've given you the first one, and we can start trying to fork this. Is it done? Looks like it might be done. No, it's still kind of... I have no idea what that even means. We'll get there.

So this is the Foreman UI, let me show you around. The main tab, probably the main place to go, is the hosts page, and by default you won't see this. I'm going to delete this, actually. When you first come into Foreman this is what you will actually see: no hosts, because you haven't built anything yet. Fortunately, it's really, really easy to get your hosts into Foreman, and we provide the capability to create them automatically based on configuration management reports coming in. And as we said a minute ago (I've got to stop hitting that key), Puppet's already running, right? You get Puppet out of the box. In fact, I'll tell you what, I'll run foreman-installer just to show you that it does actually work, I'm not lying. It gives me two seconds to drink some water as well. This should not do anything, because we already did it.
I ran it for you, as it were. So if you're familiar with Puppet output this looks familiar; you can see Stage[main] and things like that in there, but we hide it because it's not massively interesting. And there we go, and as you saw on the website we get some nice output. We know what our credentials are and so on and so forth.

But now if I run this... so let's just have a quick look here: cat /etc/puppetlabs/puppet/puppet.conf. So you can see the server is set to itself, right? So it's all been preconfigured, it's all up and running, it's all happy, and we can just do puppet agent -tv. Just check that it's not finished yet. No, okay. No. It's bombed, lovely. I'll come back and check that in a minute. But if we have a look here now, we have our host back in, and we see whereas that was orange before, we have now a nice green tick. This has checked in in the last half an hour, which is the standard Puppet run interval. It was automatically created. It knows it's CentOS, it knows that it's a nice host. We've got the IP address here, the MAC address. That's a bit small, I guess, but you get the basic idea. So we can see straight away...

So I was hoping to have more people up and running by this point, but that's life. We have plenty of time. So the basic idea is really simple. You run the installer, you run Puppet, now you've got a web UI with the Foreman host itself in there, and literally that is stage one of Foreman. That is all you have to do. And then you've got some hosts you can do Puppet with, and... oh, come on. Sparse files, right? Sparse qcow files, technically 12 gig in size, not actually 12 gig in size, but it still has to copy all the zeros. Okay, so you'll get a chance to try this once this image is ready and we can start distributing it. But does that make sense to people? Is that fairly straightforward, right? Okay, so I can go two ways at this point. I can start showing off the provisioning side or the Puppet side. What are people more interested in?
Let's go for hands up for provisioning. Okay, that's like... oh no, hang on, late rush. Okay, that's quite a lot of people. What about Puppet? Like one hand for Puppet. Okay, fine, I can take a hint. So let's talk about that.

So this is a nice clean Foreman install, and we try and make this easy for people. So out of the box one of Foreman's goals is to fit into what we call brownfield deployments, right? Foreman can interact with a lot of things: it can talk to your DHCP servers, it can talk to your DNS servers, it can handle all your network booting. But it's kind of intrusive if you already have stuff on your network, and we don't want to break that, right? The last thing we want is to say hey, you want to try our project? Great, redeploy your entire network just to try it out. Bad idea. So we don't deploy that out of the box. We don't force you to say I'm going to have to turn off my DHCP server just to try out Foreman. But if you're going to manage this stuff, you do actually need something that Foreman can control. So we try and make this easy for you, and we have this provisioning setup wizard here.

What's the best way to explain this? The way this works is... it's probably easier to answer that question after we've done this step, just because I can show it rather than just talk about it, and it's probably more interesting. But thank you, and remind me if I don't cover it for you, because it's actually a very good question and very worth showing.

So I mentioned the foreman-installer is a Puppet thing and it has lots of options. It has a lot of options. I ran it with absolutely no arguments here, but actually if I do... I'm going to take a risk here; this might go on for a while. So basically, there we go. So just to give you an idea of how long this is... oh, there we go, I think I hit End by accident. Oh no, I've just changed tab, that's why. Yeah, and this is just the Puppet modules, right? There we go. Oh, there we go, there's the basic ones. Advanced stuff.
So yeah, the reason these are so long is basically anything you can pass to the underlying Puppet modules is a valid command line switch. So it's huge. But the key point is you can use this to configure your DNS, DHCP, TFTP stuff, but you have to know the right options to pass to it, and there's a lot of choice, right? So asking users to get this right: not a great idea. However, Foreman can tell us what we need to do. It doesn't want to mess with your network out of the box, but if you're ready to take that step it can help you, and that's what this wizard is for.

So basically what it's doing is saying, okay, I found that we've got a host and a smart proxy, because we need a smart proxy to manage our services, and we've got a network interface that we can work with. So that's what we can bind DNS and DHCP to, and let's submit on that. So that's really easy. So what we have to do here is define a subnet. Foreman does more than just hosts, right? We've got this tab here for things like subnets, domains and so on, and we need at least one subnet because we're going to have to put the host that we want to be provisioned into this subnet. But literally we don't have to do very much. We'll just call this one devconf. Just check these things are sane. So it's 100, it's a /24 network, we'll put in a sensible gateway, the DNS server is going to be there as well, and we'll use Google. And so this one is... I'll explain more about that when we've got a chance, but basically this is what we spit back out. Here is the exact thing we need to run, the switches we need to add to foreman-installer, and this is why we don't make users come up with this themselves, right? Because there's a lot of them. So you can grab this, take the whole thing and paste it straight in. And that's what I was doing on the CentOS one. Oh, it's finished. Yeah, it's finished. I'll get it out. Okay, let's... and now it can safely be removed. You surprised me.
I bet it would take longer to sync. Right, you have that one and start copying them off, and I'll do another one. So those images: the Debian image has had that command run, the big one that I just pasted in; the CentOS one has not yet. Oh, that could be good. Yeah. The quicker we can get this out to people, the more fun we can have. But I guess it makes sense to go through the material and then we can all kind of walk around; I can go around the room helping people who get stuck, whatever, because as you can imagine there's a lot of ways in which this can go badly wrong, which is why I wanted to do it kind of interactive. And we've got this one as well. So let's open that one up, and let's open that one up. cp... which is... maybe in... no, not that one, images/CentOS, to /run/media/greg/... that one, and then grab that, so that was the 35, so that one. Okay, so they're copying.

In the meantime you can see this is... okay, so it finished, actually. We've got a lot of freedesktop nonsense in my log, but let's just scroll back up a little bit. So here's the command I ran. Let's just have a quick look at this. So what am I saying? I'm saying, okay, I want a Foreman proxy. Well, we have one anyway, but it doesn't hurt; this is Puppet, right, it's idempotent, so we can specify options that were already done and they just won't do anything. TFTP true with a server name; actually that server name is probably wrong. TFTP... we want a DHCP server on the eth0 interface. Why has my mouse stopped working? This is not good. Okay, my laptop is frozen. So that's really bad. Well, I'll carry on talking you through it even then; hopefully it'll recover in a minute. Yep, keyboard's frozen. Okay, that's not good at all. We might need to reboot this in a minute. So DHCP interface is eth0. So again, we need to know where to bind it to. What's the gateway?
This is so that you can hand out correct leases. DNS server, again with an interface to bind to, a zone to create so that I can create hostnames in this zone, and so on and so forth, and some other secrets that allow us to actually talk to Foreman properly. Oh, let's come back. Don't do that to me, that is not good. Anyway, so what did we see? So apart from these freedesktop things getting in the way, you can see that it was basically running through the whole installer again. So it's not like we're just doing optional extra stuff here; we're running through everything, checking it's consistent. That's Puppet at its best.

Let's go back to the UI. So we have run this command, and we come to the bottom of this page and we say, okay, I did that. I think it's the file copy to both of these things; it's really stressing it out. It keeps kind of freezing and coming back again, so hopefully we can be done with this in a minute. Yeah, it's really not happy. Okay, we'll come... I just want to click on that button, seriously. I need a better spec laptop. It's my boss. Yeah, right now, I need it right now. Yeah, it's completely frozen again. Great. Anyway, so we've run some commands, we've got... is it going to come back? Oh, yep. Oh, yes, yes, yes. Click it, click it fast. So what's that done? That's given us a lot of new functionality within the underside of Foreman. You don't really see much new in the UI for this. We need one last thing.
We're going to create a CentOS OS, and we're going to use the baked-in CentOS mirror that comes with Foreman. Now, if you have your own mirrors on site or whatever, you can specify them here, but for this workshop it makes sense just to use the standard upstream CentOS mirrors. I did not, sadly, have time to create a complete mirror of CentOS on my laptop, and looking at these two things, that's probably a good choice. It does not seem to handle lots of load very well.

So what this page here is doing is dealing with one of the more annoying parts of the Foreman UI, which is creating a valid operating system for provisioning with. It's not that bad, and if we get time I'll show you what it looks like doing it again with, say, Fedora or something like that. It's just that there's a couple of places where you have to kind of go back and forth between two pages of the UI. It's really annoying. You kind of have to create one thing, but then you can only half configure it, and you have to create something else, then go back and finish configuring the first one. It's really irritating. So this is taking care of that for us.

How's that copy going? Is it almost done? Fantastic. Soon we'll get people running on this, that's good, before we lose the entire audience, hopefully. So this is finished. Let's go back and have a quick look here, and let's just have a look at what's new. So you were asking about how we interact with DHCP; now we can start to talk about that. So if I have a look now, we've got some new processes here. You can see we've got dhcpd running, named is running, I think we already had xinetd. Yep, that's xinetd for TFTP. So we have all of the services necessary to do provisioning, right? If we have a look in... remind me where it is on CentOS, is it /var/lib/tftpboot?
I think so. That might be... I switch OSes quite a lot, so I get confused. Can we just agree where files should live? That would be great. Let's see if it's in here. Cool, we should have two more copies in a couple of minutes and then we'll have... as far as again. Yeah. Thank you very much. Yes. So as far as again, I'll talk it through. So the way it works is like this. You can see that we have this process here, the smart proxy process. So we put one of those wherever we have services we need to manage, and it's really small, really light. I run one on an original Raspberry Pi, the 256 meg one, along with BIND and ISC DHCP and OpenVPN and Puppet. So, you know, it's lightweight, and the idea here is that we can... yeah, that's not finished yet. Oh, that one has, though. Which one was that one? I don't know which one's which. I'm gonna have to wait for them both to finish before I can eject them. Yeah, one of them's... that one's still writing, isn't it? So I guess it's this one that's finished. To be safe, I'm gonna let them both finish and eject them at the same time, because I don't know. So, uh, TFTP. Right. Let's have a look at it. So who's familiar with PXE? Okay, it's good, most of the room. You guys are here. So let's have a look. In that case, I don't need to spend too much time on this. If anything doesn't make sense for the rest, please do jump in and let me know. But as you know, we have the pxelinux.0 file. So we have configured dhcpd.conf, and that has got pxelinux.0 and an appropriate next-server to come and talk to this machine. So when we give out leases at boot time, we're going to say come and boot from here. And then if we look in pxelinux.cfg, there's currently only a default file, which obviously is the one that goes to all hosts unless there's something better, a better match. And don't worry about the discovery thing.
The main thing is: default menu, on timeout local; local is just local boot zero. So we're not changing the network at this point. Any host that boots off the network right now is going to spend 30 seconds going "I want to PXE boot" and the PXE boot server saying "I don't know you, boot off your disk". We've not broken anything. But we want to create some hosts, right? Want to do some provisioning. So what's going to happen is, when we create a host, Foreman is going to write a specific file for that host into this that says boot the CentOS installer. So let's actually see that happen. New host. Now, that's cheating. Let's do it from here. New host. It's the same link, but, my point being, you don't have to go through the provisioning setup just to get to the new host link. It's a bit of a bad example. So we have a random name generator. That's terrible. Holly. Okay, that's better. And we have a host group. So a host group just exists as a collection of defaults, and you can define as many host groups as you want for different OSes or different roles within your infrastructure: web server host group, database host group, whatever you want. In this case, it just means that, as you'll have seen, a lot of the fields here we've got filled out, and that's true for some of the other tabs as well. So it sets up the operating system and where to get your network from and all this kind of thing. So we're sticking with bare metal. We'll come back to virtualization in a little while. Don't need to worry about environments because we don't have... this is probably going to break, isn't it, because... oh, there we go, production. Um, Puppet CA. So we might... we talked about Puppet.
We'll come back to... I will, I will. I know only one person put their hand up. I will very briefly do Puppet in a little while, but we'll come back to that. So we have interfaces. So you'll see that already it knows that this IP address is free. So what's happened there is it's gone off to the smart proxy that's responsible for DHCP and said, hey, give me an IP address. And so the DHCP proxy does a few jobs, like looking in the leases file to see what's already taken, and then maybe trying to ping a few IP addresses till it finds one that doesn't respond. It is, but it's the proxy that's doing the OMAPI bit. So what's nice is it means you can keep OMAPI for localhost. You don't need to expose that to your network. So yeah, we do use OMAPI, which is a whole world of fun. It's not the most easy-to-understand protocol. Anyway, so we've gone off to the proxy. We've said give me an IP address. It's come back with the IP address. So we're good. Um, but we do need to give it a MAC address now. I said I'd talk about virtualization. Obviously when you're talking about spinning up VMs that step can be automated, and we can see that later on in the workshop. But for now we're going to need a MAC address to finish this. So I'm going to fake the bare metal process, because libvirt is as close to bare metal as you get, right? So I'm going to come find one of my other VMs. Let's go with this one, and I'm going to grab its MAC address. Well, there we go, eight zero. So this is all great. We've got a DNS name. We have a DNS domain. We've got an IP address. We can provision this, right? Um, we can okay that, and this, you'll note, is a table. You can have as many interfaces as you need, if you have, you know, physical servers with four NICs on them and you want to do things with that.
That's totally fine. Common use cases, you can see we've got provisioning and primary. So provisioning is used for the TFTP, PXE fun. Primary is used for things like the Puppet certificate name, things like that. So if you want to do something where you have a dedicated provisioning network in your infrastructure and then the production network, you can totally manage that. You can have as many interfaces as you like and handle which ones deal with the booting and the install and so on. Keep it simple for today, though. We're going to go with one network. You can see CentOS has already been enabled. We already have our CentOS mirror, kickstart, pxelinux. We'll give it a root password. You can automate that. I think that's nearly finished copying as well. And if I hit resolve... so I haven't mentioned templates at all yet, so let me very briefly touch on templates. If you think about how network installs work, you need to provide some information. In the case of CentOS it's a kickstart file. All right, you need to actually give it the packages to install, you need to give it the network configuration, services to be running, all that kind of stuff. Foreman helps with that, and the way it helps with that is with our templating engine. And so we have here a default template that comes with Foreman, and it looks like a mess, but that's because it's written in what's called embedded Ruby, ERB. So Foreman allows you to put variables into these templates. That's why it's called a template, right? So as an example, let's see where the network is. So you can see we've got host.ip here, for example, or subnet.mask. So we're pulling information out of the host. This is applicable to many of my hosts, but it will be rendered specifically for a host when it's requested, and I can preview that. Oh, I said that. I can't preview that, because we haven't created any hosts yet. We'll come back for that. I said, oh, and then it will work. So we have templates. We have PXE templates.
We have kickstart templates. It's all going to be magical. Let's go ahead and submit that. So where are we at? Pending installation. This is a keyword here. It's ready to go. It's in what we call build mode. And if I go back and have a look here now, you can see now that's the MAC address of my VM, right? So we've gone ahead... so what's happened is Foreman's reached out to the proxy and said, write me some PXE configuration. And if we have a look in that, you can see it's going to boot vmlinuz CentOS and the CentOS initrd, and the kickstart URL calls back to Foreman, so http, foreman, unattended, provision, token. There's a build token. Those are there for a certain measure of security. We can go into that if people are interested. What's worth seeing, and if we just have a quick look, this file wasn't here before, but now I have these files as well. So the proxy is responsible for downloading those. It only does it once; if the file is already there, it won't do it again. So if there's a newer version of the same file, it's kind of a job to go and get it, or at least delete it and let the proxy redownload it, but just to keep things light it just downloads it the once. What's interesting on this network is, um, it may still be running. Oh, no, I think it's actually finished. I think it's all right. Let's have a look. Yeah, so 42 meg. Well done, DevConf network. We actually downloaded it, and theoretically this will work. But before we do that, is this... no, it's still copying. Okay, well, I'll leave that bit. So let's boot it. Let's see if it works. All right. This is exciting stuff. So here's my VM. It's on... let's just check we're on the same network. That's not the same thing. This is on my NAT network. So this might not go well, because there'll be two conflicting DHCP servers, which is what I was trying to avoid, but let's try it and see if it works. No, it didn't work. Uh, what have I done wrong? What have I done wrong?
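The two pxelinux files the talk walks through (the "timeout local" default menu, and the per-host entry Foreman's TFTP proxy writes once a host is in build mode), as an added example that is not part of the workshop: a small POSIX shell script that writes both. The TFTP root, MAC address, kernel and initrd file names and the kickstart URL with its token are constructed placeholders, not values from a real Foreman install.

```shell
#!/bin/sh
# Added example (not from the workshop): mimic what the TFTP smart proxy
# does with pxelinux.cfg. All paths, names and the token are constructed.

# The default menu every unknown host gets: wait, then boot from local disk.
# TIMEOUT is in tenths of a second, so 300 is the 30-second wait mentioned
# in the talk. Hosts Foreman does not know about are left exactly as they were.
write_default_config() {
    tftp_root="$1"
    mkdir -p "$tftp_root/pxelinux.cfg"
    cat > "$tftp_root/pxelinux.cfg/default" <<'EOF'
DEFAULT menu
PROMPT 0
MENU TITLE PXE Menu
TIMEOUT 300
ONTIMEOUT local

LABEL local
     MENU LABEL (local)
     MENU DEFAULT
     LOCALBOOT 0
EOF
}

# pxelinux tries pxelinux.cfg/01-<mac, lower case, dashes> before falling
# back to "default"; that file name is how one host gets its own boot entry.
mac_to_pxe_name() {
    printf '01-%s' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

# The per-host entry: installer kernel and initrd, plus the kickstart URL
# (with its one-time build token) on the kernel command line. Kernel and
# initrd names are placeholders for what the proxy downloads from the mirror.
# Prints the path of the file it wrote.
write_host_config() {
    tftp_root="$1"; mac="$2"; ks_url="$3"
    name="$(mac_to_pxe_name "$mac")"
    mkdir -p "$tftp_root/pxelinux.cfg"
    cat > "$tftp_root/pxelinux.cfg/$name" <<EOF
DEFAULT linux
LABEL linux
KERNEL boot/CentOS-7-x86_64-vmlinuz
APPEND initrd=boot/CentOS-7-x86_64-initrd.img ks=$ks_url ksdevice=bootif network kssendmac
IPAPPEND 2
EOF
    printf '%s\n' "$tftp_root/pxelinux.cfg/$name"
}
```

Deleting the per-host file (which Foreman does when the build finishes) puts that host back onto the default entry, so a reinstall cannot be triggered just by netbooting it again.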
Ah, I don't know what it is. Force off. So I mentioned how it's about booting from the network, right? Helps if you actually boot from the network. Let's try that again. So it's gonna do PXE. It's gonna work. There it goes, and we're booting into the CentOS installer. So I haven't had to manually handle any of the network configuration to make that happen, right? That's foreman-installer. Run through the provisioning setup, rerun foreman-installer with the extra options, go and create a host, give it a MAC address, and now I've got CentOS installing. And now I'm going to kill that, for a number of reasons. One, I want that VM to stay put, and two, I don't really want to run an entire CentOS install over the DevConf network. I think it might take a while. Does that make sense to people? That okay? So what's also interesting is that, if I'm... hopefully, if we go back up here and grab the name... is this going to work? Uh, hang on. What's my resolv.conf? Yeah, okay, so it's .247. Yeah, why not. That should work. It should have been added to DNS. And if we have a look in the, is it /var/named? Yes, dynamic. So we've got zone files here. Okay, so we're in there. Why is... interesting, which are we in? That one. Oh, I need to flush it on... Okay, I'm slightly annoyed, because that should work. So one of the... all right, before I say it should work, I should check my facts and figures. Parameters. Ah, right. Okay. That makes more sense. Right. Let's go through a little bit more closely. I mentioned the smart proxy. The smart proxy has a certain number of features. You can see we've got DNS, DHCP, TFTP. That's how we're getting these files written.
That's how we're talking to OMAPI. That's how we're talking to PXE. Just because a smart proxy has a feature doesn't mean you have to use it for every single interaction. Consider a situation where a smart proxy is responsible for a couple of networks and only one of them you want to do DNS on, and the other ones, for whatever reason, you don't. So you can turn it off. And in this case, it seems like the domain has not got a DNS proxy set, which is why I don't get a DNS record. It's simple, but an easy thing to miss, and I'm going to check this one. This one probably has. Yes, so this one's fine. So now I'm going to go and tell it to rewrite. Take this host. I'm going really quickly here because I don't think this is actually that interesting, but there we go. So let's just see. IP address, there we go. I mean, okay, it doesn't ping because I turned it off, but the DNS is there for it. So again, it's all about automating those jobs that are just a pain, really, when you're doing sysadmin work and you just want to get on and build a host and then SSH to it. I don't want to remember the IP address. I want it in DNS and it just works. That's great. This is nearly done. Oh, I don't know. We can keep trying. Good catch. This one looks like... I want to know which one of these is finished, but I don't know which one it is. So B37 is done. This one. Okay. This one is done, apparently. I'm gonna risk it. Media. Yep, that one's still there. Yeah, okay. So this one is finished if anyone else needs it. You want it? I guess it's yours. So, fair enough. So my aim is to quickly... I've basically completely reorganized this workshop on the fly. I'm doing the demo and then I'm going to help everyone else do the same thing, right?
Because that seems to be the only way we're going to get this to work. Okay, so that's basic provisioning, really done really, really fast. I appreciate that's not the easiest thing to follow when you can't follow along. I'll come and help you guys get it up and running in a short while, once we've got more copies of these images. What else can we say about provisioning? What's worth mentioning? So there's a lot of options you can mess with up here. Um, you can have as many subnets as you want. You know, you can come in here and edit these things, change various stuff. If you want to add ranges now, be careful with ranges. They don't correspond to what's in dhcpd.conf. It's what Foreman will choose to use, and you can put a range here that's outside of your DHCP range and Foreman will happily try and use it. It's a bit of a mismatch, but such is life. One thing to be aware of, anyway. I said I'd come back to this field. IPAM stands for IP allocation mode. It's how does Foreman decide where to get IPs from when you create that new host, and you saw how it loaded: it went and got an IP address and pre-populated the form. This setting is how we determine what to do with that for this subnet, and there's three ways you can do it. DHCP is exactly what we talked about: go to the proxy, ask the proxy for an IP address, and then the code on the proxy side is responsible for figuring out how to get you an IP address, and that can depend on which DHCP servers you're using or what's available and so on. But eventually the proxy will return an answer, or not. DB only, internal DB, just says only look at Foreman itself. So if I go back and I look at my host page, and you can't see it here, but, you know, we know these IP addresses, right?
I know this is .2 and I know that this is .247. So I can look and do an inverse of that. I can say what IPs have I not used on this subnet yet according to the database, and that's obviously quicker, but it's prone to missing things that might be on the network that Foreman doesn't know about. But if for some reason you can't ask the proxy for an IP address, you can use this. And then the third option is not on at all, right? And you manually have to give it an IP address. It cannot pre-populate that for you. But that's the fallback. So that's a thing worth mentioning. I don't think I can show much more about provisioning in terms of bare metal. We can talk about virtualization in a minute. Does that make sense to people? I mean, I'll come and help people get it set up once we've got enough copies of the images going around, but does that make sense to people? Is that reasonably easy to follow? I don't think... no? If you think no, I'm not going to call you out. I'm just curious. Nobody. Apparently I'm awesome. So, right. How are we doing with images? Who's still waiting for images? Really? The Debian ones, that's all right, but the CentOS one doesn't? Okay, uh, let's see if we can prove to... I'll test it on my end. Let's have a look. I mean, ultimately, in terms of this workshop it makes no difference, because Foreman has packages for both and foreman-installer knows how to handle both OSes, so you get something that works either way. So if that's where we end up then I'm not going to be massively heartbroken. It just means everyone has to use Debian. Such is life. Let's just boot this one up and see if it will actually run, because maybe the disk image has been corrupted. It's possible. The thing is, they're 15 gig USB sticks, and whilst they're sparse images, so they only take up a couple of gig, they are technically 11 gig files. So maybe it didn't write it correctly, because it seems to boot here.
So, yeah, I don't know what's happened there. Just... well, I mean, yours is huge anyway. Yours is like 120 gig, right? So if yours boots then, yeah, could work. Yeah, I should probably... I should have thought of that. It's a good point. Anyway, it does seem like it's okay at this end, but something's obviously gone wrong with the USB stick. Um, I guess, is this finished copying? Yeah, I guess that's what these error messages are, right? Some problem with that. Well, at least we've got one bootable image that's going around, and we've got hopefully the ones on that SSD as well. So, um, who else is still waiting for a bootable image? You guys. I don't know what's got... is anyone finished with the disk that we can pass on? Okay, we'll get to you, we will. All right, any questions on just basic bare metal provisioning? Um, apart from the fact, obviously, you haven't had a chance to try it yet. Yes? So... sure, so this is not my strong suit anymore. I used to be good at this and I've gone and done other things for a couple of years, and I've mostly forgotten how to do it. We definitely have support for UEFI, which helps. Like, we have support for multiple different types of bootloaders for the installation. So if I... um, wrong host. I should mention what this button does at some point. Someone remind me. But to answer your question, let's go ahead and edit this host. So I can't remember if we've done anything with TPM itself. Um, but certainly, you know, we've got a number of options here. Oh, it's a cube here. So yes, you can do secure boot. Um, exactly how that works I cannot answer.
I haven't played with it at all, because I don't have any hardware with TPM on it, but definitely there are people in the community who are looking into this, and if that's something that's of interest to you, come by the booth tomorrow, because the guy that did the implementation of this menu and all the UEFI stuff will be here tomorrow. So he's definitely the guy to speak to, but in theory, yes, is the short answer. Anyone else for bare metal provisioning, at least as far as not being able to try yourself goes? Okay. So these are kind of just written to disk with dd, type of thing? So there is an interesting approach to this. So we have a plug-in, which we might get to have a look at in a little while, called Foreman Discovery. Now discovery itself... I will come back to your question, but bear with me. Discovery itself is aimed at making it easier to manage bare metal. Now, when I edited this host, right, I had to go and get a MAC address and put it in here, which is not fun, right? If you've got three racks of hosts to build, that is not a fun thing to have to do. It is error prone. You're going to get it wrong. So the way discovery works is, and I can show you, so in that initial file that we deployed there is this block here, which is not enabled, right? The default is timeout local. But this boots a RAM disk image which can then report to Foreman, right? And then it sits there, still up. I'd love to put wake-on-LAN on this, but we don't have it yet. It sits there waiting for a reply from Foreman, and at some point, you know, this host then appears in the Foreman UI and you can go and choose what to do with it, right?
Now, at the moment what that means is provisioning it in the same way as what I just showed you: getting it to reboot into kickstart or into Debian preseed or whichever OS you're building. But we are looking at adding the ability to dd an image directly from the discovery image. So that is definitely something that's being worked on. I don't have an ETA. Again, I'm not working on it directly, but there's a lot of people who want this for a lot of different things. So it's particularly good if you have any kind of OS image like the thorough ones, or if you want to do, like, Windows provisioning, it's quite good, or macOS, you know. If you've got a dd image you can write it. It's particularly good if you're looking at platform stuff. So for example oVirt or RHEV comes as an ISO, right? So if you want to deploy a hypervisor for that, being able to burn that straight to disk is of value. So it's definitely something we're looking at, because there's a lot of use cases for it. How the image gets to the RAM disk image has not necessarily been decided yet. So it might be a good fit. Yeah. Um, I don't know what transport method they're planning to use to make that section happen. But I know the basic idea of writing an image from the Foreman server down onto disk is definitely something we want to do, because let's face it, you can do image provisioning everywhere else. You can do image provisioning in libvirt or EC2 or DigitalOcean or whatever, right? So why not on bare metal as well? So, yeah. Okay, allegedly that is finished. So someone can give it a go and see which of the images work. Um, where is it? Here. And in the meantime, I will gzip them. All right, who needs a USB stick? So evidence so far, the CentOS one might... right. So we can go two ways again. I can carry on with the provisioning stuff but talk about virtualization, or we can maybe take a short break from that and talk about config management. Which way shall I go?
Who wants to see more virtualization stuff? One hand there. Who wants... a few hands. Okay, let's do that. So as I just said, supplying MAC addresses: nobody wants to do that. Let's give Foreman control over the libvirt host itself, and Foreman can then spin up VMs directly. That's much more interesting, right? Much more useful. Now then, preface. We need to give Foreman access to the libvirt server, which in this case is my laptop, right? So I'm going to use SSH for this. But basically, if you can make virsh connect, you can do it any way you like. If you want to use TLS certificates for it, you can do that. If you want to use sockets for that, you can do that. I'm going to use SSH because it's dead easy, but any option will work. Now, I will probably need to come around and help people a bit with this one, because it's a little bit messy. So the first... someone else needed it. Yep. Cool. As soon as everyone's got it and they're all booted off stock I'll come around helping people and check it's working, and we can just run through it again, but just to get through the content. So SSH, right? I need to create a key. So let's start with that. Now, it needs to be done as the foreman user, so I'm going to do that, but the foreman user is disabled by default, so I'm going to specify a shell. So I'm here and I can do ssh-keygen, and that's fine, and no passphrase, obviously; there is actually no way for Foreman to specify it. There we go. Now, cat. So this is standard ssh-keygen stuff, right? There's nothing complicated here. It's just a normal SSH key. Um, and I want the public key. I'll copy that, and I'm going to... so, sudo -i. Yes, I'm going to be very naughty. I'm going to put this in root's .ssh. It's a demo, right? It's a demo. There we go. So that should mean I can do virsh -c qemu+ssh://192.168.100.1/system. So there's a package you need first. Um, this is my Debian host, isn't it? Oh, it's the CentOS one.
Yeah, yum install foreman-... So, to keep dependencies down, because there are a lot of them, we split the packages out for each of the compute providers. What? I've probably just spelt it wrong. Okay, that's not what I was... oh, yeah, it's the cached ones. Where's the... let me go and get them. So obviously I didn't want to go out to the network, right? But this is a smaller number of packages, so it won't be so bad. Yeah, we just need these two, I think. Let's try that again. All right. That's a bit more like it. Uh, foreman... that's tfm stuff. Here we go. It is foreman-libvirt. Good, I wasn't imagining it. So yeah, we split these up into separate packages. 90 megabytes. Hopefully we can handle that. Maybe I should have just told everyone to use the network. It does actually appear to be working fairly quickly, but that's life, right? Oh, that one's a bit slow. Oh, no, no, no, no, no. That's an upgraded version of Foreman. If we do that, that could all go very badly wrong. Let's do yum.repos.d/foreman*. All right, let's change that. So we do repos per version, so it's really easy to go and get the right version, and I'm doing so... 1.14 was released like a week and a half ago and I haven't had a chance to update all my demo stuff. Let's try that again. It should be even less now. Yeah, talk, mate. There we go. There's a new version. It's still got a new version of Foreman. Thanks, Dominic. Our release manager put out a new point release of 1.13, what, two days ago. Don't do that to me when I'm doing a demo. Anyway, this will take a few minutes. So, in the meantime, what can we do? We can at least test SSH, right? So let's ssh 192.168.1 -l root; sudo -u foreman -s /bin/bash; ssh root@192.168.100.1. Yes. Oops. Yeah, there we go. So SSH is working, right? I can SSH as the foreman user from the Foreman host to the hypervisor.
That's important if I'm going to make libvirt communication work. Um, now, as I say, you can do this some other way. You secure it properly, use certificates, restrict the user to the kvm user rather than the root user, all the sensible things you would do if you're doing this in production. This is not production. This is a demo. So I'm just doing it hackily. But you don't... still need to copy the images. Good, this is actually going quite well, because we're basically about halfway through the time and I can then start by helping people and getting it working and so on. So, should have worked. Uh, what's the right command for a tpg check? That's the one I wanted to get rid of. Good. So that's going to take a couple of minutes, because it's a whole new version of Foreman to install. Thanks for that, guys. What was I going to say? Yeah, I need to think. I need to let that finish, because the next thing we need to do is in the UI. So we'll just give that a couple of seconds. Um, really, that's probably already done. Let's go and have a look. So you can tell what you've got. So a page worth knowing about, actually, for Foreman in general is the About page. This tells you a lot about what's installed in your Foreman setup. So the first tab is smart proxies and what features they've got. If you've got more than one, this is useful. You can see libvirt hasn't come up as installed yet. That will be okay in a minute. We don't know what plugins are installed. So there's lots of useful information here if you start customizing or extending. Worth mentioning, there are something like 80 plugins for Foreman. So if you find a use case that you want to do, it might well already be covered, right? So be aware of that one. Is this actually finished yet? No. All right, see, it's just hung because it's restarting. Let's come... that's interesting. It appears to have broken entirely. I can't actually use any of the menus either. There we go. That's better. What is going on?
I think I just need to restart this. systemctl re... So you'll note a whole ton of, you know... I also need the images, or are we getting the... fantastic, okay. So as soon as you've got your VMs up, guys, let me know and I'll come and start, and I guess Marek might be able to help us as well, because he's still here. That's just completely hung. Do this the hardest, Windows, right? So, yeah, we've... that's finished with... where did the virtual machine go? It's not happy. Give that a sec. I can see a scroll bar, but I don't know. That's not happy. Is it fine? Uh, so hopefully when this comes back I can show you the last piece of the puzzle when it comes to libvirt management. It's not particularly complicated, actually. We just add it in the Foreman UI. It's really what you'd expect. Um, let's just check this is still the same. Okay, so everything's still there. We will SSH back in. We will reload the page. No, yeah, not that one. That's another demo for something entirely different. Really? Oh, iptables. Lesson to learn, guys: iptables. It's a real pain sometimes. And we're back. There we go. Right. Thank goodness for that. We were starting to get worried. So let's go and have a look at our About page. So libvirt is now installed. It's really tiny font, I know, but you can see it's green, which is the main thing. So we're going to add libvirt to Foreman, so let's do that. So that happens under this thing called compute resources. So this is where you would configure any kind of virtualization provider, so whether that's Amazon or DigitalOcean or OpenStack or whatever, right? So your compute resource name, on we go, libvirt URL qemu+ssh://192.168.100.1/system. Copy that just in case I need it. Uh, VNC is fine. Don't want console passwords for this. I've already done wrong there. That is right, isn't it? It can SSH, so it should work. If I go ssh 192.168... oh, I know what it is. I know what it is. I know what it is. It's the user. I've not put the user in. My... so, root.
Yeah, so it should be root@... Green, there we go. So I can hit submit and I've got a compute resource. I can look at my virtual machines. So the same thing that you can see here: five VMs, one of them running. Five VMs, one of them on. So we've got access to the hypervisor. We can see the state of the hypervisor. We can manage the VMs directly if we want to, but that's not particularly interesting. More interesting is to actually build a new host, right? So let's go back and do another new host. So before, let's just revisit: before, we had to create a VM, get its MAC address and then go and use that MAC address in the Foreman UI, right? Kind of dull, kind of annoying. Let's do it this way. Set the host group. Select... now you see we've got this Deploy On button, which now has extra options in it. So I can now choose libvirt. One two three four five six seven eight. Yeah, I should... we don't really have a white... oh, we have a white word. So, um, yeah, but I've already told you. So what's happened? What's new? Let's have a look around. We recognize this. We have a new... so you notice it's detected that we need a new IP address, .4. This is fine. But if I scroll down a little bit, I have this now, which is nice, and I can say I want the default network or the workshop network. It does not matter, you know, whichever one's appropriate for the VM you're building. You notice I can leave the MAC address blank now. I had to specify that before, but in this case we're going to get that from the hypervisor, so I can just ignore it. So this is all the same as before. I'm not even going to touch it. Well, I'm going to do this, otherwise it will complain at me. You can set that in the default settings. I just never got around to it. But now we have this new Virtual Machine tab. Um, so we can specify some more hypervisor stuff here. So I can say I want a two gig host with 10 gig of disk space. That seems fine, but here I think probably I'm a bit low on disk space.
So we'll go for five. And you can have more volumes or you can have more network interfaces, or everything you would expect, right? And we hit submit, and if I go and look over here, there it is, and it's booting up to CentOS. So I don't have to go anywhere near the libvirt config itself. It's all just working for me, out of the box. Foreman knows about it. Foreman can control it. I can come over here and I can say, do you know what? Just turn it off for now. Actually, let's see if this works. This is always the most impressive, but I don't know if this will work. Yeah. Certificate issues. This is a bit fiddly to make work, which is why I don't often do it in demos, but with a little bit of effort you can make it display. Um, wherever that's gone. This bit you can get in the web browser. So you don't have to give virt-manager permissions to anyone. You can just say do it all in the UI, which is really lovely. And then, as you would expect, um, we can go back to the host. We can power it off if you really want to, and I'm sure any second now, uh, that'll be a shutdown command rather than a force off. So it won't work while it's in the installer, but you get the idea. And then we can delete it, right? Because I don't really want to do this. And it's gone, and it really is gone. That's it. That's really all you have to do once you've got basic provisioning working. Adding libvirt or some other hypervisor into the mix: really, really easy to do. And you can do image-based provisioning. So let me quickly show you that as well, and then I'm gonna catch up with everybody around the room and see how you're all doing. So, last piece of this puzzle. libvirt is great, but doing a PXE install every time you want a VM is not great, because it's 25 minutes to do a build, right? And that's... I'm sorry, that's too slow for me. I'm lazy. So how do we get around this? We do it like this. We create what's called an image. And this would be the same if you're doing EC2 or DigitalOcean as well.
You create this in the same UI. You tell it: what am I booting from? So I'm going to use the image that I've just given you guys... oh, no, I'm not. OK, I'm going to use the CentOS image that I would have given you guys. Username is root, password is 12345678. You have the option to use user data or not, depending on whether your hypervisor supports it; obviously for libvirt, not such a good idea. And I need to get the actual path: /home/greg/images/centos7. Ready to go. Now, let's use the base image, actually. So this obviously is relative to the hypervisor, right? It's not on the Foreman host.

So let's try it again: New Host. So we're going to do the same thing as before. I'm going to select this, and I'm going to select this, and I'm going to give it that, and I'm going to edit this. Now, you can automate a lot of this. We have a thing called compute profiles, which will set all these up for you, so it's one click and it's done. Maybe I'll demo that in just a second. But here is the different bit. I'm going to go to image-based, image CentOS 7, two, three, four, five, six, seven. And if I hit... if you remember, when I hit this button before, we got four templates back: the PXE information, the kickstart file, the configuration script. It's a lot shorter when you use an image, right? Because you don't need to do any of that. And I'm going to give it a gig. As I say, I don't have a lot of space, so that's fine. I hit submit. No, something it didn't like. Oh, yeah, what's it complaining about? "This function not supported." Oh, backing storage for raw volume. Yeah, OK. It's this one here; it should be qcow2. All right, off it goes. So you'll notice this time it's not asynchronous.
So before, we did a provisioning operation and it immediately returned to the host page, and then the VM starts booting up. Now, in the case of this, we have to be synchronous, because we want to log into it and run some configuration script on it when it comes up, and the only way we have to know that is to poll SSH until it comes up. So it takes a little bit longer. That's not true if you're using user data on that kind of image, but it's just the way it has to be. So if I come over here, you can see this is booting up. It's booting my CentOS image. So again, we've skipped the PXE step entirely, booted straight into a working CentOS image, and once that finishes booting, this step will continue: it will run SSH, set up our SSH keys or whatever we need to get into the image. So that's a lot quicker than waiting for PXE to complete, particularly if you have some custom image. You know, if you're working on a particular application and you bake that in, you bake the basics or the dependencies or whatever into your image, you can boot a copy of that image in under a minute and have it available in your DNS, with your SSH key, that you can go straight into. So it's really, really nice when you get that up and running.

OK, so while I wait for that to finish, where are people up to? What do people need help with? Have you got the images up and running? You're into the UI? OK, they just didn't work. Dammit. This is what I was afraid of. I mean, I actually have a complete... it worked for you? OK. I have a complete yum and apt cache on here, but no one can use it because we can't do host-to-host networking. But I have all the debs and all the RPMs cached on here, and it doesn't work. So, OK, so you're up, you've got the UI. Getting there. Where are people up to? Are the images working for people? Are they booting? They're OK? Yeah, what's up? Really?
OK, that's... so everyone's getting different results. Maybe, but yours wouldn't be the CentOS one, yours would be the Debian one, and it's working for you. I hate live demos. I really hate live demos. Who else is trying the images? How's it going for other people? Because I can work around, I can work around and come see how we're doing. OK, so I have... I'll do another one with... so yeah, they're a bit smaller. See if I can do one more for people to try, because we've still got plenty of time, and I do want people to leave with a working Foreman install, for people who want it, because that's really the purpose of why I pitched this talk. So I'd rather kind of break down and start trying to figure out how we can do that. I'll do another copy of the files and see how we're doing. Anyone else got them to work?

Yeah, I'm afraid I can't. Yeah, I've only prepped this for libvirt, because otherwise there's just so much, you know, I can't support every possible hypervisor in a demo. So yeah, but hopefully it'll work for you, you know. If you've got a clean VirtualBox CentOS image or something, you can just run straight from the website and it should just work, but it'll just be slow, right? So that's cool. Yeah, it seemed to work OK for me, actually, the first... I mean, even on a good day with a reasonably fast internet connection, I would expect the foreman-installer to take about 10 minutes to run the first time, because it's got to download and configure a lot of things, like the Puppet server, Postgres, Apache.

The presentation? Nobody can... I can put it up somewhere. Let me do that now, actually. I'll put that... where will I put it? The brown bag. Oh, so this is... I did this for another group, for the brown bag back in November, as I say, as a YouTube thing. It's just the same slides. So, don't look too closely: vhosts, downloads, htdocs. I guess this will do for now. I'll just... devconf 2017. That's going to fail, really?
Oh, one-character typos. Yeah, I thought as much. Get my password. No guessing, please. Where is it? For me? Yep. So the slides aren't massively interesting, I guess, right, but they should now be on downloads.theforeman.org. Yep, there it is, the DevConf 2017 PDF. That's just the slides. It's not that interesting. However, if you want to basically see a YouTube video of what I've been doing for the last hour, I'll get you the link for that. SELinux... is it? It's restorecon. Yep, cool. Good. So the other link that's worth having, I'm going to have to Google for it, but it's the brown bag. That's the one. So I'm not going to actually play this, but basically I'll just click a few obvious places. Yeah, I'll be quiet. So this is exactly the same as we've been going through, the same content. So if you get this working later, this is the thing to search for: the brown bag. Follow up with me, and I'll put that link in a text file there as well. Yeah, I know I could probably do a redirect or something, but just for speed I'm just going to... All right, so that's there as well.
So basically, hopefully we can get the people who've got the images working and up and running. For the people who want to follow this later, hit up downloads.theforeman.org, grab that link, this YouTube video. You can see it's an hour and seven, and the first 15 minutes of that is the slide deck, so that's about 45, 50 minutes of me doing exactly all of this, but obviously very quickly, with a pre-prepared set of images. But it's the same stuff, so you can just pause it and follow along, and so on.

So, would people like to see a bit of Puppet while we have time? Or, if people got stuck anywhere, feel free to shout out questions. I can try and help get you moving forward. But it's not bad. So we have a plugin called foreman_ansible. Let's see... So there was a new release of Foreman Ansible about a week ago, and I'm just going to go and look at all the features that are in it, because it's been... I'm not an Ansible user myself, so I'm not the best person to answer that question, but it's not bad. You can certainly do... so if you want to see it, actually come to the booth afterwards, because we've got it set up in our demo there, so you can come and have a play with it. But you can assign roles to hosts, you can run those roles on hosts, you can assign roles to host groups as well. So again, you can build that idea of a web server host. That's right, you can do that. Yeah. So we've got that; you can get the inventory data back into Foreman. And I haven't actually talked about inventory data at all. Let me show you that. Why don't I show you the Puppet stuff, because the Ansible stuff actually isn't that different, as Foreman obviously tries to abstract away a little bit, so it's not a hundred miles away. So let's talk a little bit about how Puppet, or configuration management in general, works with Foreman. And hopefully... oh, no, that's the wrong host. That's .3. That was the other one.
Here we are, 247, right. So let's do some... oh, did that actually finish building in the end? Fabulous. We were talking about it and we never went back to check on it. So here it is. I think it's still booting. I think it's kind of broken, but no, right.

Puppet, configuration management in general, starts from having some Puppet code on disk. Now, Foreman makes no assumptions about how you get your configuration management stuff on disk. You can do that however you like: you can write it by hand, which is what I'm about to do; you can use git or r10k or puppet-librarian. I'm going to talk exclusively about Puppet here, but if you don't use Puppet, replace it with whatever you do use in your head, because it's broadly the same in each case. So I'm going to log out of that, because I shouldn't stay logged into things I have root permissions on, right? So let's log out of this.

Puppet has a tool called puppet module. So I'm going to do puppet module -i... let's say ntp, it's always a classic. So this is a bit like ansible-galaxy and things like that. So, you know, you can get some modules, you can install. Once you have some code on disk, then you can tell Foreman to import it. So we go to Puppet Classes. Again, similar for other tools. And it goes off again, and we're seeing the smart proxy in action here: Foreman reached out to the Puppet smart proxy and says, hey, I need you to go and look for Puppet classes, tell me what you find. In this case, obviously, it's found ntp, which has a couple of classes in it. I can say yes, I want to import that. OK, I have some ntp. Fantastic.
Let's actually assign that to a host. So let's do it on this one. I'm going to edit the host, and I'm going to say I want ntp. Pure and simple, dead easy. I want to manage ntp on this host. And I could assign this to a host group, right, and I could put... so it's quite common to have a base host group that all your hosts go into, and then you nest host groups from there. So base would have things like your SSH configuration, your ntp configuration, stuff that you want on every single host, right?

So what does this mean? Well, we act as what's called an ENC in Puppet terms, and that means Puppet will ask for this file. The important thing is we've got this up here now, right? That wasn't there two minutes ago. We're now going to tell Puppet to run that particular class on this host, and again, the Ansible one will be kind of similar. So if I now do puppet agent -tv... oh, it's broken. Oh, I've seen this before. This is a bug in the saz-ntp module. Maybe I shouldn't have used that one. Do you know a good ntp module? Because it seems like they've broken it. Maybe I'll just fix it. I've seen this bug before. saz-ntp has always been my go-to module. What is it, line 28, character 14? I forget how to fix that. What is it expecting? Expected a string, got an integer. OK. I can't fix that. Oh, yes I can, I can quote that. That's what it needs. Lovely, bugs in live demos, right? There it goes. Give it a few seconds.

Running Puppet is not interesting, I would imagine, to most people in the room. What is interesting is two things. First of all, it has actually done it: ntp is running. But what's more useful is the fact that we get to know about it. So here is Puppet.
Here's the error that we just saw on the command line. Here's the one that worked. I can view a diff and see that ntp.conf was written. I can see that sysconfig got modified. So all of the data is available to me to manage my infrastructure if something's broken, and that's stored, by default, for what we call interesting reports, reports where something changed. They're stored for 30 days by default. So if your system breaks and you want to know why, you can go back and look. Now, this is quite important, because, and I can't speak for other configuration management systems, but certainly in Puppet these reports are not usually visible. They're very hard to find. They can be stored on disk as YAML objects, but they're not easy to read and they're not easy to work with.

If we go back and look at the dashboard, so you could actually put this chart up on your ops wall or something, I can see straight away one third of my hosts are active, because one of them just made some changes, and that's really useful information, right? You want that to be mostly green, saying no changes. If I run Puppet again, obviously this time there'll be no changes, because we haven't done anything. There we go. Come back now, it's green. So this is really useful. This is a really good... this is kind of... we call it monitoring. I'm not actually a big fan of that. I wish that we'd called it reporting. Monitoring gives people images of things like Nagios and Icinga and OpenNMS, right?

So, inventory. We have this. So I have all of this data, so I can search for something like IP address... no, it's all one word in Puppet. There we go. I know the IP addresses from the host search, and I can actually use this to drive the data that goes back into Puppet as well. So you can make decisions based on things. You can decide whether or not to change variables that go into the configuration management system. We can use a light form of templating.
So let me give you an example. Probably easier to see it in action than anything. So let's suppose I want to change the list of servers. All right, so here's my server list. Now, the default server list is an array. So I want to override this, but for most hosts I'm going to keep the default; I don't really care. That's an array. But for one specific host, and let's go with FQDN, and I'll use this host right here, there it is, one specific host, I want it to be a single value of 0.pool.ntp... is it .org? Yes, pretty sure it's .org. Yeah. So I'm going to do that, submit that, and now I can come back here, have a look here. If I look at this data, I can now see that this has overridden the server list. And I can go further than that: I can use the inventory data. So I can say, for my one specific host, I want you to use yourself, for example. So you could do something like... you know, you can get really clever with this, you can do lots of interesting things. But I could say something like, for everything in the workshop domain, then I would like you to use yourself. So let me make that a bit bigger so you can see that. So the percent signs: this is embedded Ruby, if you're familiar with ERB. That's the syntax we're using, and @host is an object you get to interrogate and call methods on and find things out. So I'm going to submit that, and if we go back and refresh this... ah, it's bombed. I've clearly done something wrong there. But you get the idea. So it's possible both to use that inventory data within Foreman itself, and to call back to it, but also... not sure about Ansible. There's definitely been some stuff to do with the sort of syncing of inventory between Ansible and Foreman that's been merged into the Ansible code base.
I'm not sure if we have anything like what we have in Puppet, which is an actual function that can call the Foreman API and pull data directly into the Puppet code as well, which is quite useful if you want to say something like, I'm building an app server, so go to Foreman and get the IP address of all the firewall nodes or all of the load balancers, so I can configure my firewall and things like that. It's totally possible to write Puppet code that does that, and I can probably even show a bit of examples if people are interested. I'm guessing something I did... there, it doesn't work, but take that away again, submit it and it goes back to just being an array.

So that's a really whistle-stop overview of the sort of configuration management side of things, but we can do lots of interesting stuff with this. You know, we have a thing called trends. I don't have any trends, but this allows you to pick something out of your inventory data and map it over time. So a really good example is if you're doing a big migration from, say, CentOS 6 to CentOS 7, you could use a trend of the value of the OS, right, and then you would hope to see that shifting over time as you do your migration. So that's quite a useful trend. We have a variety of statistics, which don't look great when you've only got three hosts, right, but that's fine.

Yes and no. You can't do it on this page, but what you can do is, let's suppose I want to do something like... I'm going to pick something that does a nice job, so puppetversion. You can actually get pie charts out of any fact, which is quite useful as well. That's not quite the statistics page; that, I think, is still hard-coded. Yeah, I thought so. So I think that's something we'd like to do at some point, but you can at least pull out a graph for any of your inventory data. So, yeah, absolutely. The trends are completely arbitrary. You can define those on any inventory data.
Yeah, absolutely. The specific statistics page is hard-coded, but this one and this one, yeah, they work off any inventory data. And you can also do quite a bit with this widgets page. You can, like, write... so Foreman is very extensible; it has quite a big plugin ecosystem now. I think there's something like 80-odd plugins, and writing new ones that, say, just add an extra widget or two to this page is really very, very easy. And per user you can manage this and say, I'm not interested in this widget anymore, so you can create a custom view for your ops team or whatever you need.

All right, how are people getting on with those images? Are you getting somewhere? I really want some people to walk away with a working Foreman install. So, yeah, of course, iptables. How are we doing? We've got what, 20 minutes left? So is that on a VM of your own, or the one that I gave you? Oh, OK. OK, that I can come and have a look at in a minute. Oh, maybe Mark... I don't know. There are a number of prerequisites for running the foreman-installer, which I didn't go over, one of which is that you have to have a fully qualified domain name. So it works OK for you? Yeah, yeah, exactly. Yeah, OK, cool. So let me come and show you. So for the foreman-installer... So that's it, really, whistle-stop. There's the URL on downloads.theforeman.org; I'll put that back up. So the one... so the stuff we wanted done, some stuff's gone, I guess, but... so downloads.theforeman.org, you'll see these two files here. That'll allow you, if you want to play with this in your own time and play with it at home, you totally can do that. You can do a lot with this. You can build it in a sandbox, you know, turn off dnsmasq and let it run its own DHCP, its own DNS. What else is worth having? Let's... I'll very quickly show you this as well.
So we have a wiki... Foreman. There are two places to find out about plugins. Firstly, the manual itself. So we have a huge manual, right? If I go back to theforeman.org and you click Learn More, or even if you don't, actually, if you just come up here to Documentation. So if you want to play the full training course, there's a two-day training course there, kindly contributed by our community, which is a different way of learning, if you prefer that kind of way of learning; you can work through the exercises in that. If you just prefer looking at the manual, then we have exactly that, and believe me, it's massive. You can see how slowly that scroll bar is going, right? It's huge, but there's lots and lots of good information in there.

And there's also the plugins here. So this is kind of the popular plugins. I'll just pick out a couple that are worth mentioning. So I mentioned Ansible; Chef and Salt, so those are our plugins for the other configuration management systems. Remote execution: it's not a security issue. It's a plugin for literally SSHing to hosts and running one-off commands, or regular commands on a schedule, a bit like, I guess, cron from Foreman, if you like. foreman_hooks is very useful. That's a lowest common denominator: if you can write a bash script or a Python script that can deal with a bit of JSON, you can basically hook in at various points in the orchestration and run extra stuff. So if you have third-party systems to integrate with, if you have systems where you want to go and put things in, you know, a rack management system or whatever, then foreman_hooks is very useful for that. Docker is fairly obvious, I guess. Katello is worth a big mention. If you are aware of Spacewalk, Satellite 5, Satellite 6: Katello goes with Foreman to make Satellite 6.
That's how it works together. We're the upstream. So Katello is the content part that I haven't really shown at all, but if you're managing RPMs, or you're managing Docker repositories, managing Puppet modules, you care about how those are handled, this is the plugin for you. What else? I mentioned discovery. That's the bare-metal system that would... It's awesome, but then I would say that, because I wrote it. And then, if that's not enough for you, you click this More link and you can have the complete list of all of our plugins, of which there are many, many, many. So some notable examples there, things like foreman_expire_hosts, which is really good if you operate a self-service thing for other users, because with foreman_expire_hosts you set an expiry date and it deletes the VM. Well, it gives a warning first, to be fair, but yes, it will eventually delete the VM, so that you keep your resources clean, and so on. So I like that one.

We have 20 minutes left. You need help? I did... On the hypervisor? On the hypervisor, yeah. So basically you're passing all the information to libvirt necessary to boot the host, so it will need access to that file. Yeah. So yeah, it's local to the hypervisor.

I have a question about, for example, you have the Puppet modules and the Puppet classes in the git repository, and you give...

So it's important to understand what Foreman cares about. Foreman doesn't care about the code. So if all you've changed is the code, you have no need to take action, because all Foreman needs to know is what the class parameters are, in case it needs to supply those class parameters over the ENC. If you have changed those, then you need to come and trigger an import. Now, you can either do that from the UI, in the way that I showed, or you could use it through a git hook. There's a rake task for it, in the same way that I showed a permissions reset is a rake task. We have a lot of rake tasks, right?
So you can trigger a new import from a git hook or something like that, if you want to go that way. That's totally fine. I keep it as a manual task, because doing it as a batch operation can lead to bad results sometimes, particularly if you've made a mistake and it ends up deleting the whole environment or something, because it doesn't think there are any valid classes there anymore. So I consider it to be a little bit risky to automate that completely, and because it's not something you have to do very often, it's not such a big issue for me.

I might as well show you, because we have a few minutes. So let's go to etc, code, environments, production, modules, ntp, manifests. So I'll do two changes. I'll add a parameter here. Well, actually, yeah, OK, I'll add a parameter here. So let's suppose we just add in... so I've got a new parameter in this class. And I'll delete something else. ntpdate can go away. No, let's not delete it, let's move it: ntpdate to ntpdate2, vi... and obviously this has to match; Puppet likes its automagic configuration. So that's a bunch of changes made to the Puppet module. If I go back here and I say Import, I can see there have been some changes. You know, I can see that the ntp class has changes, the ntpdate class has been removed, ntpdate2 has been added, and I can individually accept these, right? I can just have the new stuff, or just the updated stuff, or just the deleted stuff, whatever, right? So I have control over that, and that summary is really useful if you make a mistake. So Foreman will ignore anything that doesn't parse, right? So if you make a mess... suppose I do... let's go back and have a look at this one. Suppose I do something that does not work, right? If I miss even a comma off here, this is no longer valid, right?
It's a bit weird. Or if I make a syntax error somewhere down here. I won't actually quit that, so I can undo it. But if I go back and I do an import now, if I'm not mistaken, it should offer to delete the ntp class, right? Because it's not valid anymore. So as far as Foreman is concerned, it's no longer in the repository, so obviously delete it. The problem is, if you accept that, it's going to go and remove the ntp class from your hosts, and you don't necessarily want that. So I consider fully automating that through a git hook to be a little bit risky, unless you're really sure of your other tools to test for that. So yeah, be a little careful with it, but yes, in theory you can also. Right. No, that's fine. You're the only one asking.

Let's think about them. You have the flow like that. You have the network, and in this network you have the next two parameters of the ntp by Foreman, for example, and you put the ten new machines. So you want to automatically add the ten new machines to Foreman, that will be, for example, the... That also means Foreman, and everything is breakable through Foreman. So for example, that machine is a possibility to add to these newly connected machines, brand new connected machines, from Foreman automatically, and for example we can define other questions.

Yes. So let me break you down. Let me repeat the question, just to be clear. So I think, if I've understood you correctly, what you're saying is, I've got a rack of hardware. Are you saying you've already created the hosts in Foreman, or that you want that to happen? You want to... so basically you want to take a shipment of hardware and turn it on, right?
That's what the discovery plugin is for. So basically what would happen is you would configure discovery. When you boot that hardware, it's going to boot into that RAM disk. That's going to report into Foreman. Now, I mentioned how discovery works briefly earlier, but one option discovery has that I didn't mention: it has a queuing system. So you can set up rules that say, as new hosts come in, if they match these parameters, immediately reboot them into the installer for this OS, with this data, with this host group, with these Puppet classes, and so on and so forth. So basically that all gets driven through the discovery plugin. So you can totally write rules that say that all the 32 gig hosts that come in become database servers, and if they're less than that, then, you know, if they're 16 gig, make them into app servers, and if they're less than that, just leave them in a queue and I'll decide what to do with them later.

Can you do some filter for this? For example, you know, Puppet is the centre of authority, so you have something like that also, signing of new instances, and my question is if you can set some of them to sign the certificate, for example based on some hardware and so on?

So, really... did I spell that wrong? See what I did wrong there? I just want to get it installed so I can actually show it to you. Here it is, here it is. So, specifically talking about autosign and how you handle certificates. The way we normally do that is at the time when you do the install of the OS. So at the time when you booted them up and they come up into the discovery mode, there's no handling of autosign at that point, because they don't have an OS on yet. They're not connected to the rest of the infrastructure. Once you choose to provision them, they'll get a Puppet certificate as part of that process. The way we do it is when the host...
I'm specifically talking about PXE installs here. When the host requests its kickstart file, that's when we go to the Puppet master and say, add a specific autosign line exactly for that host. And then, when it sends... there's a URL called right at the end, in the very last line of the %post, to go back to Foreman and say, hey, I'm finished building and I'm rebooting right now. And that's when we take away the PXE configuration, so that it boots off local disk, and it's also when we take away the autosign. So that window of opportunity for someone to spoof and grab a certificate is extremely small. But other than that, it's all automated. So yeah, in terms of, can I make extra judgments on that? It's not brilliantly easy. I mean, you can definitely add extra lines to the autosign if you want, but when you put a host into build mode, it's going to get a certificate. So our method predates the autosign executable, back from when it was just an autosign file, and it's worked well enough that no one has really needed us to change it. I don't think we're against the idea of using the autosign executable and using that to query Foreman for additional information or anything like that, but no one's written it, because, you know, 99 percent of the time you want a host you're building to get a certificate, and so our model works pretty well. But yeah, it would be nice to have that option. It would be great, I agree.

So I'm just getting discovery installed, just so you can have a little bit of a look at the UI of it, more than anything. Really? My clock must be running slow. OK, guys who are doing image-based stuff, have you got any problems or questions? Those testing the images, it's working OK for you? You can have a play with that? Fantastic. Some people got something out of it. That was the aim. All right.
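The autosign handling described in the answer above, as an added illustration that is not part of the talk and is not Foreman's or Puppet's code: a small Python model of the per-host entry that is added to the classic autosign.conf when the host fetches its kickstart and removed again at the built callback at the end of %post. The hostnames, the impostor CN and the in-memory file are constructed for the example; the matching mimics what the classic autosign.conf does (an exact certname or a shell-style glob such as *.domain per line). The second function shows the contrast the speaker is hinting at: a permanent broad glob gives an impostor what the narrow per-host window does not.

```python
"""Model of Foreman's narrow per-host autosign window (added example).

Two orchestration events from the talk are modelled:
  - kickstart fetched  -> open the window for exactly this FQDN
  - built callback     -> close the window again
The file contents and host names are constructed for this illustration.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


class AutosignWindow:
    """In-memory stand-in for the classic autosign.conf (one pattern per line)."""

    def __init__(self, static_entries: Optional[List[str]] = None) -> None:
        # Permanent operator-maintained entries (empty in the Foreman model).
        self.entries: List[str] = list(static_entries or [])
        self.audit: List[str] = []

    def on_kickstart_fetched(self, fqdn: str) -> None:
        """Host requested its kickstart: add an exact-match line for it."""
        if fqdn not in self.entries:
            self.entries.append(fqdn)
        self.audit.append(f"open {fqdn}")

    def on_built_callback(self, fqdn: str) -> None:
        """Host hit the 'built' URL from %post: remove its line again."""
        self.entries = [e for e in self.entries if e != fqdn]
        self.audit.append(f"close {fqdn}")

    def would_autosign(self, csr_cn: str) -> bool:
        """Classic autosign.conf semantics: exact certname or glob match."""
        return any(fnmatchcase(csr_cn, pattern) for pattern in self.entries)

    def render(self) -> str:
        """What the file on the Puppet master would contain right now."""
        return "".join(f"{e}\n" for e in self.entries)


def provisioning_timeline(fqdn: str, impostor_cn: str) -> Dict[str, bool]:
    """Walk one PXE build and record who could get a cert at each step."""
    window = AutosignWindow()
    results: Dict[str, bool] = {}
    results["before_kickstart"] = window.would_autosign(fqdn)
    window.on_kickstart_fetched(fqdn)
    # Only a CSR whose CN is exactly the host being built is accepted.
    results["during_build_real_host"] = window.would_autosign(fqdn)
    results["during_build_impostor"] = window.would_autosign(impostor_cn)
    window.on_built_callback(fqdn)
    # After the built callback even the real host would need a manual sign.
    results["after_built"] = window.would_autosign(fqdn)
    return results


def broad_glob_accepts_impostor(glob_entry: str, impostor_cn: str) -> bool:
    """A permanent domain glob autosigns anything that claims the domain."""
    return AutosignWindow(static_entries=[glob_entry]).would_autosign(impostor_cn)


if __name__ == "__main__":
    # Constructed sample names for the workshop domain used in the talk.
    for step, allowed in provisioning_timeline(
        "db01.workshop.example", "evil.workshop.example"
    ).items():
        print(f"{step:26s} autosign={'yes' if allowed else 'no'}")
    print(
        "broad glob *.workshop.example accepts impostor:",
        broad_glob_accepts_impostor("*.workshop.example", "evil.workshop.example"),
    )
```

The point of the model is the shape of the window, not the file format: the entry exists only between the kickstart request and the built callback, and it matches one exact certname, so a CSR from another machine on the same network is not autosigned even while a build is in flight. A static `*.domain` line, by contrast, is open to anything that can present a CN in that domain.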
I literally have a couple of minutes. Let's see if we can make this work, right: vi /var/lib/tftpboot/pxelinux.cfg/default, and we change this... Oh, I don't have the image. I've only installed the plugin. All right, never mind. I'll just quickly show you the UI. I'd need to download a fairly large RAM disk image that would then boot over the network, and so on, but you'll get the basic idea. So if I now go to my plugins, check it's actually installed. I might have to restart it, I guess. Plugins. Yeah, OK. Theoretically, this is Passenger and you can just touch restart.txt, but I always find that to be a little bit dicey. So we'll just give that a sec. Just to really quickly show you how easy it is to get started with some of the plugins. This is one of our more complex plugins, I would say; Katello is probably the most complex. But, you know, discovery requires a certain amount of work. You've got to get the image, you've got to set up PXE properly, yada yada yada. But I just want to give you a bit of a flavour of how this works. Of course it's now taking all of my remaining time to restart HTTP. Typical, right? Come on. There you go, right. And now Passenger has to start up. Joy. Here we go.

So you can see we've got Foreman Discovery. We have a new entry here, Discovered Hosts. There are currently no discovered hosts, because we haven't discovered any yet. But you can also do... where is that? Discovery Rules. And so you can say something like, OK, this is my DB server rule, and the search is something like memory greater than 32 gig. This is pseudocode; that wouldn't actually work, but you get the idea. Then I pick a host group, so this is where my Puppet classes are going to come from. I give it some kind of ERB. So you need to give it some way of generating a unique name, right?
So something like rand. So I can do something like @host.facts macaddress plus RAM, and then... All right, and then I can say I only want 10 hosts, and then disable the rule. And if I've got more rules, I can set priority. And so as hosts come in, as they check in on this RAM disk image, they'll match these rules and immediately reboot straight back into an installer based on that host group. So that host group could say that it's a CentOS or a Debian or whatever. So you get the idea. So that's exactly how you'd handle that.

Cool. Well, I think we're really very close to out of time. Does anyone have any last questions, or are people happy to go away and play with this stuff? Fabulous. We will be at the stand over there in D-wing for today and tomorrow, so do come and talk to us. We have a much more fully set-up demo that you can come and have a play with and have a look around. It's got discovery on it, it's got Katello on it, it's got Ansible on it. So come and have a play, and thank you all for listening.

It's hard, it's hard doing that. Yeah, it's great stuff. That's probably because I'm thinking... I did a huge research about Foreman back in 2012, and maybe there's something like that, and Foreman doesn't pose some security reasons that it has to, for example, this kind of stuff...