Foreman can execute puppetrun on selected hosts.
Currently Foreman executes puppetrun locally (i.e. from the machine which runs Foreman); however, it is planned to be able to select which host puppetrun is executed from.
Note: from Puppet 3 this command is now "puppet kick", but for consistency with old versions, this document refers to it as "puppetrun".
On your clients
In your puppet.conf, make sure you have:

    listen = true

and in your namespaceauth.conf (NOTE: Puppet > 2.7 no longer reads this file but still requires it to be present (http://projects.puppetlabs.com/issues/4388), so it can be left empty):

    [puppetrunner]
        allow <yourforemanfqdn>

NOTE: in Puppet 2.6 and greater, you will also need the following in your /etc/puppet/auth.conf (above the deny all at the end of the file):

    path /run
    auth any
    method save
    allow <yourforemanfqdn>

Additionally, if you are behind a firewall, you need to open TCP port 8139 to the client.
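
The client-side settings above can be audited with a short script. This is an added example, not part of the Foreman documentation: the function names, the sample files and foreman.example.com are constructed placeholders, and it assumes the deny-all at the end of auth.conf is a `path /` stanza.

```shell
#!/bin/sh
# Added example: audit a Puppet client's settings for Foreman-triggered runs.

# check_listen FILE: succeed if puppet.conf contains "listen = true".
check_listen() {
    grep -Eq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# check_run_acl FILE FQDN: succeed if the first "path /run" stanza in auth.conf
# has "method save", allows FQDN, and sits above the catch-all "path /" stanza
# (assumed here to be the deny-all at the end of the file).
check_run_acl() {
    awk -v fqdn="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "path" {
            if ($2 == "/") catchall = 1              # stanzas below this are shadowed
            in_run = ($2 == "/run" && !catchall && !seen_run)
            if (in_run) seen_run = 1
            next
        }
        in_run && ($1 == "method" || $1 == "allow") {
            for (i = 2; i <= NF; i++) {
                v = $i; gsub(/,/, "", v)             # values may be comma-separated
                if ($1 == "method" && v == "save") save = 1
                if ($1 == "allow"  && v == fqdn)   allowed = 1
            }
        }
        END { exit !(seen_run && save && allowed) }
    ' "$1"
}

# Constructed sample files (not from a real host); foreman.example.com is a placeholder.
demo=$(mktemp -d)
printf '[agent]\nlisten = true\n' > "$demo/puppet.conf"
printf 'path /run\nauth any\nmethod save\nallow foreman.example.com\n\npath /\nauth any\n' > "$demo/auth.good"
printf 'path /\nauth any\n\npath /run\nauth any\nmethod save\nallow foreman.example.com\n' > "$demo/auth.bad"

check_listen "$demo/puppet.conf" && echo "puppet.conf: listen enabled"
check_run_acl "$demo/auth.good" foreman.example.com && echo "auth.good: /run rule is above the deny-all"
check_run_acl "$demo/auth.bad" foreman.example.com || echo "auth.bad: /run rule is below the deny-all"
rm -rf "$demo"
```

On a real client, pass the host's own puppet.conf and /etc/puppet/auth.conf together with your Foreman FQDN.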
On your Foreman server
In Foreman settings (More --> Settings), make sure you have puppetrun enabled.
Enable sudo for the foreman-proxy user, since puppetrun is executed by the foreman-proxy user (puppetrun needs to be able to access your Puppet certificates), e.g.:

    Defaults:foreman-proxy !requiretty
    foreman-proxy ALL = NOPASSWD: /usr/sbin/puppetrun

If you are using Puppet 3.0 or higher, the puppetrun binary has been removed and so the Smart Proxy will use puppet kick. The sudoers entry should be:

    Defaults:foreman-proxy !requiretty
    foreman-proxy ALL = NOPASSWD: /usr/bin/puppet kick *

In your host list, you will see a new option, "Run"; just click on it :)