We've now added the ability to provision systems in EC2, alongside the existing virtualization providers such as RHEVM, libvirt, VMware, etc.
In this post I'll describe, step by step, what is required to provision a new instance in EC2.
Requirements
- You should be using a recent version of Foreman, either directly from git (see the git instructions) or from the nightly Debian, Red Hat or Fedora packages.
- Have a working Foreman server; this should include operating system definitions and unattended mode enabled. In addition, storeconfigs data must not be stored in the Foreman database.
- Valid Amazon EC2 access and secret keys.
- A security group that allows Foreman to SSH (port 22) to the instance; restrict the source to the Foreman server's address rather than opening it to everyone.
Configuring AWS
Click on the More tab and select Compute Resources.
Compute resources are services that can generate a host, e.g. VMware, libvirt, OpenStack, etc.
Click on New Compute Resource and fill in the information about your new compute resource. Normally the name should represent something meaningful to you, such as a combination of the EC2 region and the account used.
If everything is entered correctly, you should get back a list of regions; select the region you would like to deploy to.
Foreman will then automatically create a new SSH keypair, which is used to configure the instance (you may remove it later).
The next step is to define which images may be used and map them to Foreman operating systems and architectures.
Click on the Images tab and select New Image.
Since Foreman SSHes to the instance (at least for now; we decided to use SSH first and cloud-init later), it is very important that you define the correct user configured on the AMI (normally the ubuntu user, or ec2-user) and, of course, the AMI ID.
Foreman is now ready to create your instance; however, to fully automate loading Puppet at instance launch we need a small post-install script, and this is where provisioning templates come into play.
Configuring Provisioning Templates
Add or edit a provisioning template: More => Provisioning Templates => New.
Select the Finish type and paste the following content in,
and then add the snippets too:
etc-hosts
puppet.conf
An important note about UUIDs for certnames: if you want to use this feature, make sure you enable use_uuid_for_certificates under More => Settings; otherwise, you can simply use <%= @host.name %> for the certname.
Additionally, it is not compatible with storeconfigs at this time.
master_bootstrap
If you want to provision a whole Puppet master in EC2, you can use the following snippet to get it up and running. If you ask yourself how variables like ntp-server get resolved: they are simply Foreman smart variables.
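To make the certname note and the smart-variable note above concrete, here is an added example (not the page's own template nor Foreman's code) that renders small puppet.conf, etc-hosts and ntp fragments with ERB the way a Foreman snippet expands @host attributes and host parameters. The Host struct, the TemplateRenderer class, the param helper and every value in it are constructed for this example so it runs offline; a missing smart variable without a default raises instead of silently rendering an empty value.

```ruby
# Added example (not Foreman's own template code): shows how an ERB
# provisioning snippet expands @host attributes and Foreman smart variables
# (host parameters). The Host struct and all values below are constructed
# so the script runs offline.
require 'erb'

# Minimal stand-in for Foreman's host object: name, certname, puppetmaster
# and params (the smart-variable lookup) are the attributes a template uses.
Host = Struct.new(:name, :certname, :puppetmaster, :params)

# puppet.conf snippet: the certname is a UUID only when
# use_uuid_for_certificates is enabled, otherwise the host name is used.
PUPPET_CONF = <<~'ERB'
  [main]
  server   = <%= @host.puppetmaster %>
  certname = <%= @use_uuid ? @host.certname : @host.name %>
  [agent]
  runinterval = <%= param('runinterval', '1800') %>
ERB

# etc-hosts snippet: pins the instance's own name to the address it was given.
ETC_HOSTS = <<~'ERB'
  127.0.0.1 localhost
  <%= @ip %> <%= @host.name %>
ERB

# ntp fragment of a master_bootstrap-style snippet: the ntp-server value
# comes from a smart variable and has no sensible default.
NTP_CONF = <<~'ERB'
  server <%= param('ntp-server') %> iburst
ERB

class TemplateRenderer
  def initialize(host, use_uuid: false, ip: nil)
    @host, @use_uuid, @ip = host, use_uuid, ip
  end

  # Look up a smart variable; a missing value without a default is an error,
  # so a half-rendered template never reaches the instance.
  def param(name, default = nil)
    value = @host.params[name] || default
    raise ArgumentError, "smart variable '#{name}' not set for #{@host.name}" if value.nil?
    value
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

if __FILE__ == $PROGRAM_NAME
  host = Host.new('web1.example.com', 'a1b2c3d4-0000-4000-8000-000000000001',
                  'puppet.example.com', { 'ntp-server' => 'ntp.example.com' })
  puts TemplateRenderer.new(host, use_uuid: true, ip: '10.0.0.12').render(PUPPET_CONF)
  puts TemplateRenderer.new(host, ip: '10.0.0.12').render(ETC_HOSTS)
  puts TemplateRenderer.new(host).render(NTP_CONF)
end
```

In a real Foreman template the renderer is Foreman itself and `@host` is the host being built; the point here is that anything a template substitutes (host names, parameter values) ends up in files on the instance, so a template should fail loudly on missing values rather than ship a blank one.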
Actual instance launch
Go to the Hosts tab, click on New Host, and among other settings make sure you select your compute resource, image and hardware profile.
[Screenshot: Primary tab]
[Screenshot: Operating System tab]
[Screenshot: (uncaptioned)]
[Screenshot: Progress bar]
Great post, interested in using foreman for all our VMware and EC2 provisioning. Question: Does Foreman support deploying EC2 nodes into a VPC?
No, but it would be trivial to add another dropdown to select the VPC, I'll look into it :)
Got a patch ready for you, since I don't use VPC that heavily, I would like some feedback before merging it in, see http://pastie.org/4002125
Hey there Ohad - sorry I never got back to you on this - didn't get notified of a response :)
These look good but hit me up on IRC again, we spoke the other day about VMware augmentation.
What IAM Permissions are needed for the AWS user ?
Is it possible to make deletion a two step process with EC2 Termination Protection and proper IAM permissions?
Played with the EC2 Provisioning code - looks good.
Problem with VPC (without the patch):
- The Security Group drop down list lists "VPC" and "Public" Security Groups. If you select a VPC SG, the provisioning fails immediately. However a user can not differentiate between VPC SG's and Public SG's as names may be used multiple times (e.g. default)
Problem with Timeout:
- We provision on the base image via kickstart in the cloud. This takes quite a while (10 min). However the Foreman provisioning workflow aborts with "Operation FAILED: execution expired". How can the timeout be increased?
- In this case no Rollback takes place and the instance keeps running.
Robert - thanks, I didn't know about the SC and VPC issue, I'll look into it.
About the timeout, it's currently hard-coded to 5 minutes, you can probably extend it in the code[1], I guess this should be configurable in the settings.
thanks!
[1] - https://github.com/theforeman/foreman/blob/develop/lib/foreman/provision/ssh.rb#L73
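The two problems raised in this thread (a fixed 5-minute SSH wait, and no rollback when it expires so the instance keeps running) can be handled together. The following is an added example, not Foreman's code from the linked file: a wait loop whose deadline is a parameter rather than a constant, and a wrapper that terminates the instance when the deadline passes. The probe and terminate callables, the ProvisionTimeout class and the tcp_probe helper are constructed stand-ins for the real SSH check and EC2 API call.

```ruby
# Added example, not Foreman's code: waits for SSH with a deadline that is
# passed in rather than hard-coded, and terminates the instance when the
# deadline expires so a failed build does not leave it running. The probe
# and terminate callables are constructed stand-ins for the real SSH check
# and the EC2 terminate call.
require 'socket'
require 'timeout'

class ProvisionTimeout < StandardError; end

def now
  Process.clock_gettime(Process::CLOCK_MONOTONIC)
end

# Polls probe until it returns true or deadline_seconds elapse.
def wait_for_ssh(probe, deadline_seconds:, interval: 0.05)
  deadline = now + deadline_seconds
  loop do
    return true if probe.call
    raise ProvisionTimeout, "no SSH after #{deadline_seconds}s" if now >= deadline
    sleep interval
  end
end

# Runs the wait and rolls back on expiry; returns what happened so the
# caller can log and report it instead of leaving an orphaned instance.
def provision_with_rollback(probe:, terminate:, deadline_seconds:)
  wait_for_ssh(probe, deadline_seconds: deadline_seconds)
  :configured
rescue ProvisionTimeout
  terminate.call
  :rolled_back
end

# A real probe for port 22; each connect attempt is bounded by connect_timeout
# so one hung attempt cannot consume the whole deadline.
def tcp_probe(host, port = 22, connect_timeout: 2)
  lambda do
    Timeout.timeout(connect_timeout) { TCPSocket.new(host, port).close }
    true
  rescue StandardError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed run: a probe that never succeeds and a 1-second deadline.
  result = provision_with_rollback(probe: -> { false },
                                   terminate: -> { puts 'terminating instance' },
                                   deadline_seconds: 1)
  puts result
end
```

The deadline would come from a setting (the thread suggests exactly that) and the terminate callable would be the compute resource's destroy call; the essential property is that every exit path from the wait either configures the host or tears it down.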
I'm testing the EC2 provisioning - I like it, so far.
I'm having an issue with creating a new host, the pull-down for "Puppet Master" is empty, so, when I try to submit a new host, the form fails and asks for a puppet master value.
I've searched all the settings and they are populated with "puppet.myhostname.com"
Any pointers on how to get the field to populate?
Thanks,
.dave.
Sure, you would need to add a smart proxy, with the puppet feature turned on.
Ohad
Thanks!
I tried starting a new host, and I got this error:
"Unable to save
Preparing Post installation script for dh-api-test.myhostname.com task failed with the following error: undefined method `template' for nil:NilClass"
Could you point me in the right direction on how to fix this?
Thanks,
.dave.
I double checked all the steps, and it appears that I missed the "Associate" step for the provision template. I added that, then I was able to create a new host.
Thanks for all the great work on the EC2 provisioning!
Suggestion:
* Add settings for default values to populate Flavor, Sec Group, and Region under "Virtual Machine"
Hello,
I was unable to get the host to show up in the Hosts tab. Basically, I add a new host, then the page sits there in waiting mode until the connection times out. Can you give me pointers on where to look to debug?
And, where do the pem keys get stored? I would like to login to the instance, but I need the pem key.
Thanks,
.dave.
Here's the specific error:
Missing partial compute_resources_vms/show/ec2 with {:locale=>[:en, :en], :formats=>[:html], :handlers=>[:rhtml, :rxml, :builder, :erb, :rjs]} in view paths "/usr/share/foreman/app/views"
If you use webrick, the progress bar can't work (webrick can handle one connection at a time).
Secondly, the keys are stored in the db, but you could easily use your own key in the template you end up deploying to the system (see the example above with ssh_debug_key param).
my guess is that your templates are not assigned correctly.
Interesting, thank you. This has gotten me further along than anything else so far.
One issue I see is the inability to associate a new instance with more than one security group. This is a feature I use heavily -- one new group per server + one admin group, at a minimum. Since you can't change which groups the instance belongs to after instance start, but you can change the contents of the group itself, it's very helpful to have more than one group.
yeah, that makes a lot of sense, and I don't think it would be too hard to implement, mind adding a new feature request on http://theforeman.org so we could track it?
Oh nevermind, it was too easy, now it's supported :) http://git.io/8zA9FQ
Wow, thanks! I'm trying a new deploy today on a server separate from my puppetmaster.
If / when I find anything else I'll make sure and submit a feature request.
Will try this tool this week, I need to get foreman up and running first though... Thanks for working on this tool :)
Anyone get EC2 provisioning to work with DDNS updating using the internal IP of the instance? I'm looking at the code to see if I can tweak foreman proxy anywhere that would allow me to update my dns with the internal IP of the instance
Not sure I follow, why would you like your internal dns to point on the internal ip? Currently it adds a dns record with the external ip address, it would be a oneliner to change, but I'm not sure if we could accept it upstream without some discussions :)
We have just been using internal_ip DNS for a while now. Could you point me to the file needing a oneliner in the debian distro??
Hi Ohad Levy and many thanks for that great software you made!
Is it possible to create an EC2 host on Amazon without using Puppet? I followed those steps except puppet.conf and without Puppet (CA). I got this error:
-------------------
Adding Compute instance for new_using_foreman.amazon
Rolling back due to a problem: Settings up compute instance new_using_foreman.amazon 1 failed new_using_foreman.amazonsetCompute
Failed to save:
Rendered hosts/_progress.erb (0.1ms)
Rendered puppetclasses/_selectedClasses.html.erb (0.0ms)
Rendered puppetclasses/_classes.html.erb (181.9ms)
Rendered puppetclasses/_class_selection.html.erb (185.7ms)
Rendered common/_hypervisor.html.erb (3.0ms)
Rendered compute_resources_vms/form/_ec2.html.erb (697.0ms)
Rendered hosts/_compute.html.erb (698.5ms)
Rendered common/os_selection/_architecture.html.erb (5.4ms)
Rendered common/os_selection/_operatingsystem.html.erb (9.0ms)
Rendered hosts/_operating_system.erb (179.0ms)
Rendered hosts/_unattended.html.erb (887.3ms)
Rendered common_parameters/_inherited_parameters.erb (0.1ms)
Rendered common_parameters/_parameter.erb (1.9ms)
Rendered common_parameters/_parameters.erb (3.6ms)
Rendered hosts/_form.html.erb (1123.8ms)
Rendered bookmarks/_list.html.erb (2.5ms)
Rendered bookmarks/_list.html.erb (0.5ms)
Rendered home/_settings.html.erb (10.3ms)
Rendered home/_user_dropdown.rhtml (1.3ms)
Rendered home/_topbar.rhtml (23.6ms)
Rendered hosts/new.html.erb within layouts/application (1154.8ms)
Completed 200 OK in 1617ms (Views: 1147.6ms | ActiveRecord: 16.2ms)
------------------
Can you help me out?
Ohad, did you get any feedback regarding the VPC patch?
I've been testing foreman public EC2 provisioning. We are considering adopting foreman for that purpose, although some of our clients/projects are using VPC.
I'm interested in an "official" support of the VPC. Any thoughts on this?
I am having the exact same problem, any luck?
Vincent, the VPC stuff is probably going to make its way to the 1.1 release.
Ohad
I am having an issue with setting the Security Group, by default, it is set to "default" twice. The default under VPC Security Groups and the default under EC2 Security groups. I try to set it to a custom VPC security groups and it always builds as default. Same thing with editing the host afterwards.
FYI: I am using the patch found here:
http://pastie.org/5078094
I changed :multiple => false in _ec2.html.erb, so now only 1 security group is selected, but no matter what I select it always configures it as default. This is the last thing I need to get working for full provisioning in EC2. It would be nice if I could manually select the IP too, not just the subnet in the VPC.
Any update on the issue I reported with it not setting my VPC or Security group? I will quote myself here:
"I am having an issue with setting the Security Group, by default, it is set to "default" twice. The default under VPC Security Groups and the default under EC2 Security groups. I try to set it to a custom VPC security groups and it always builds as default. Same thing with editing the host afterwards.
FYI: I am using the patch found here:
http://pastie.org/5078094
I changed :multiple => false in _ec2.html.erb, so now only 1 security group is selected, but no matter what I select it always configures it as default. This is the last thing I need to get working for full provisioning in EC2. It would be nice if I could manually select the IP too, not just the subnet in the VPC."
Also, is there a way I can manually put in the IP address I want to set the EC2 instance to? Right now I can only tell it the environment and the subnet, then it grabs the IP automatically.
Thanks!