PfSense: Unattended installation with Foreman



  • Hi,

    as a perfect addition to the new Puppet Agent for pfSense [1], it is now possible to automatically deploy pfSense with Foreman [2]. I've created a small video to showcase the deployment of pfSense using Foreman: https://www.youtube.com/watch?v=iqIR0pjkdRc. It's not very entertaining, but it should give you an impression on how it works (even if you don't know Foreman).  :)

    You may download the required Foreman templates from Github:
    https://github.com/fraenki/foreman-pfsense
    You may also want to have a look at the Foreman Documentation [3] to find out how to add these templates to your instance of Foreman.

    What are the benefits?

    • do fully unattended installations of pfSense
    • in conjunction with Puppet it allows you to automate basically every task (full lifecycle management)
    • choose from different versions of pfSense according to your needs

    How does it work?

    • it assumes you want to use The Foreman to provision your servers
    • it assumes that pfSense can be automatically provisioned similar to FreeBSD [4]
    • on top of that assumption it's basically a set of patches for the pfSense Installer [5]
    • it assumes you want to use Puppet with pfSense

    [1] https://forum.pfsense.org/index.php?topic=79397.0
    [2] http://theforeman.org/
    [3] http://theforeman.org/manuals/1.6/index.html#4.4.3ProvisioningTemplates
    [4] http://projects.theforeman.org/projects/foreman/wiki/FreeBSD
    [5] https://github.com/fraenki/foreman-pfsense/blob/master/freebsd/provision_pfSense_mfsBSD.erb#L58

    Feedback & contributions are very welcome!

    Regards
    Frank



  • Since the project is open, you can do as Franki details, but you can't distribute the result, and you're actively taking a different trail than where the project is headed.

    We're not putting Ruby on the box.  Franki's work is, while interesting, a dead end where the project is concerned.



  • @gonzopancho:

    We're not putting Ruby on the box.

    What are the reasons for that decision?

    Regards
    Frank



  • Thanks Frank,

    The subject just came up yesterday for "how to manage the pfsense box with puppet" and part of the thought was how to automate the deployment.

    Looks like I got the start to the thanks to you.

    Part of the cloud mentality, everything is controlled by Foreman/Puppet and that needs to include the firewall :)



  • @cmlara:

    The subject just came up yesterday for "how to manage the pfsense box with puppet" and part of the thought was how to automate the deployment.

    You may already be aware that I've started developing some puppet modules for pfSense:
    https://forge.puppetlabs.com/modules?sort=rank&q=pfsense

    Regards

    • Frank


  • As before, you can't distribute an adulterated pfSense and still call it 'pfSense'.

    We're putting an API in pfSense for exactly this reason.  All of this "foreman"/"puppet" work will be useless, other than the value of having done it.



  • @gonzopancho:

    As before, you can't distribute an adulterated pfSense and still call it 'pfSense'.

    I've never indicated that I want to distribute an adulterated pfSense. Neither I nor my employer have such plans. And this is not going to change as it would be pointless.

    @gonzopancho:

    We're putting an API in pfSense for exactly this reason.  All of this "foreman"/"puppet" work will be useless, other than the value of having done it.

    That's not exactly a reason to reject a puppet agent on pfSense. It's a very different approach. You cannot compare an API to configuration management with puppet/chef.

    Regards

    • Frank


  • When pfSense has an API, puppet/chef/anoble/salt stack/cfengine/…. Can all use it.



  • @gonzopancho:

    When pfSense has an API, puppet/chef/anoble/salt stack/cfengine/…. Can all use it.

    That's not how most configuration management systems work.

    Regards

    • Frank


  • Im not sure you know what you're talking about.

    How do you manage IPMI ports, switches, routers, load balances, vpn gateways, etc?



  • @gonzopancho:

    Im not sure you know what you're talking about.

    This was rude and inappropriate.

    I am talking about configuration management tools, while you are talking about a pfSense API. Two completely different things in my opinion. You seem to disagree on my point of view:

    @gonzopancho:

    When pfSense has an API, puppet/chef/anoble/salt stack/cfengine/…. Can all use it.

    The point is that these tools require client software to be installed on pfSense. And you seem to ignore this fact when pointing to the pfSense API.

    This requirement applies to basically every configuration management tool you have mentioned:

    Puppet
    "The puppet agent […] fetches configurations from a master server."
    https://docs.puppetlabs.com/learning/agent_master_basic.html

    Chef
    "The Chef client is installed on each node in your network."
    http://www.getchef.com/chef/#how-chef-works

    SaltStack
    "Salt functions on a master/minion topology. […] The minions connect back to the master."
    http://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html

    CFEngine
    "The CFEngine agent runs on each host […]"
    http://cfengine.com/product/what-is-cfengine/

    If you decide to boycott all client software, you isolate pfSense from all of the above configuration management tools.

    @gonzopancho:

    How do you manage IPMI ports, switches, routers, load balances, vpn gateways, etc?

    The approach of using puppet/chef/salt stack/cfengine to manage network devices is rather new. As I said earlier [1], there is already a Puppet agent available for Juniper switches and routers. You need to install the Puppet agent on your Juniper switch or router. To get an idea how Puppet is used to configure such devices have a look at this example from Juniper:
    https://github.com/Juniper/puppet-netdev-stdlib-junos#example-usage

    [1] https://forum.pfsense.org/index.php?topic=79397.msg433296#msg433296

    Regards

    • Frank


  • Frank, you're now making my argument for me.

    The code you pointed to works via an API, and does NOT run on. Juniper device.



  • @gonzopancho:

    The code you pointed to works via an API, and does NOT run on. Juniper device.

    You're wrong. Apparently this code connects locally to the netdev API, but it still requires a Puppet agent on the Juniper device to run.

    Regards

    • Frank

  • Netgate Administrator

    Does this really have to be an either-or situation?
    I'm personally unlikely to have a need for either solution (at least in the near term) but I fail to see how having the choice can be bad thing. Perhaps I'm missing something.  :-\

    Steve



  • @fraenki:

    @gonzopancho:

    The code you pointed to works via an API, and does NOT run on. Juniper device.

    You're wrong. Apparently this code connects locally to the netdev API, but it still requires a Puppet agent on the Juniper device to run.

    Regards

    • Frank

    Frank,

    In this case, I am 100% right.  You're not going to run that code on a Juniper switch (or router, or wireless LAN device, etc.)

    For highly similar reasons, it is inadvisable to run your Puppet stuff (including Ruby) on a pfSense installation.



  • @stephenw10:

    Does this really have to be an either-or situation?
    I'm personally unlikely to have a need for either solution (at least in the near term) but I fail to see how having the choice can be bad thing. Perhaps I'm missing something.  :-\

    Steve

    Imagine this scenario:

    Frank (or whomever) creates a "solution", and it manages to get popular with, say, 5% of the installed base of pfSense.  Then pfSense changes (for whatever reason), and the solution doesn't work anymore.

    The developers of pfsense suddenly have a horrible choice to make:  a) support the formerly unsupported module, or b) support "the community".

    This is why I've gone to lengths to make sure that Frank knows that what he's doing isn't supportable, and that my strong preference is that he work via the (still not fully-developed) API.


  • Netgate Administrator

    It would certainly be bad if such a package became sufficiently well used that it was assumed to be part of pfSense. I guess you could argue similar things about other packages though.
    Could be another argument for dividing packages into community and official.

    Steve



  • @gonzopancho:

    In this case, I am 100% right.  You're not going to run that code on a Juniper switch (or router, or wireless LAN device, etc.)

    Have a look at the Juniper documentation or just this picture:
    http://www.juniper.net/techpubs/images/g041409.gif
    http://www.juniper.net/techpubs/en_US/junos-puppet1.0/topics/concept/automation-junos-puppet-overview.html

    It's very clear, that the code runs on the Juniper switch. Along with the Puppet agent a Ruby interpreter is installed on the Junos device to actually run code.

    You may still claim that the code does not run on the device, although the official documentation clearly states that this is the case. You  may need to read the puppet documentation if you insist to not accept my arguments. And yes, the same goes for every other configuration management system we've been talking about.

    Regards

    • Frank


  • @stephenw10:

    Could be another argument for dividing packages into community and official.

    Yes, this would be a good solution. It would shift the responsibility for unsupported packages to the community. And the developers would be able to say "look, it's unsupported, you've been warned". I'm OK with this. It gives people choice.

    Regards

    • Frank


  • @gonzopancho:

    This is why I've gone to lengths to make sure that Frank knows that what he's doing isn't supportable, and that my strong preference is that he work via the (still not fully-developed) API.

    It is possible to develop Puppet modules and providers that make use of the API locally (similar to the netdev approach on JunOS devices). This would make it much harder to break things. But it would still require a Puppet/Chef/… agent installed on pfSense.

    I'm not against the API, but I would prefer to be able to choose how I make use of it.

    Regards

    • Frank


  • @fraenki:

    @stephenw10:

    Could be another argument for dividing packages into community and official.

    Yes, this would be a good solution. It would shift the responsibility for unsupported packages to the community. And the developers would be able to say "look, it's unsupported, you've been warned". I'm OK with this. It gives people choice.

    Regards

    • Frank

    I think it would be a great idea to separate the packages.. Or at least mark them somehow/ maybe another column that they are community packages…



  • it goes way beyond "community" .vs "official".



  • @gonzopancho:

    it goes way beyond "community" .vs "official".

    Sounds like important information is still unspoken. Could you please elaborate more on this?

    Regards

    • Frank


  • Hello,

    I'm just a recent user of pfSense, and I like it. It's currently installed as a front VM on 4 or 5 of our servers, to protect some VMs behind - using Snort and Pound reverse firewall to add some extra security.

    In next months we'll probably have 10s or even 100s VMs to deploy, and many VMServers.

    So of course we're looking for solutions to automate installations, system upgrades, application deployments… As pfSense is an important part of the architecture, we'd prefer not installing manually, going through our checklist.

    I've seen that Puppet (seemed to) provide some solution, so it is a nice candidate for our automation tool.

    • After reading this thread, it seems that Puppet won't be an "official" package - is this right ?

    • Is there any rough estimate about the availability of an API ?

    • I guess that each module (OpenVPN, Snort...) should have to provide its API, too... Right ?

    The API way seems to be a reasonable one - if I read well, it's the way used to configure and manage VMs on VMWare, isn't it ?

    • If API comes in a far or unknown future, and no solution can be found for inserting Puppet on pfSense, what other solution you experienced admins would suggest ?

    Thanks in advance,

    Fred



  • The strategy to enable Puppet (Chef, Saltstack, etc) is to fit an API.  The webGUI will also be re-written to access this API.
    That means a lot of pfSense (a lot of the PHP) will need to be re-written.

    The Puppet packages published by fraenki will not become official in any sense of the word.  They are too promiscuous with the system.

    Jim



  • Hooray, I am responding to another dead thread….

    It is not uncommon in puppet module development to have to re-work the module with each "major" (and sometimes even minor) release version of an application. That is the responsibility of the module maintainer. Anytime you are managing the configuration of something, whether it is clamav, ntpd, apache, mysql, or whatever, you always have to be careful of "updates" and how they affect the configuration files. This is not a puppet specific problem. I have had the same problem with Spacewalk and even "old fashioned" scripts that try to make changes to configuration files in the old days. Using an API, once it is available, is ideal because you can only do what the API supports, and, the API would have release notes accompanying any changes, including, most likely, a major version (/apiv1 or /apiv2) when it makes significant or non-backawards-compatible changes. With an API, testing becomes a lot more simple and finite. That is good!

    However, I have run into this same problem with "services" like "Rackspace CloudDB", "Amazon RDS", etc as well. They all provide an API as well, but it is not possible to install a puppet client (for example) on those machines. I do not have a "solution" for this yet. Maybe we need to have some sort of centralized "administrative workstation" that integrates with the configuration management, such as Puppet, Chef, Ansible, etc, and then applies configuration changes via the API to the "managed device" or "service" in question. The API is the interface by which the "client" affects the operations of the appliance. The overall solution still needs to include the client side that talks to the API as well. In this case, the "client" that talks to the API would be a puppet provider.

    The "normal" configuration management architecture is to run a "client" (agent) on the device being managed. The client gathers up some details about the device itself, such as memory, cpu, disk, network interfaces, etc, (facts). This "client" sends those details to a centralized configuration management system (puppet master), which is able to reference configurations of other systems (exported resources), and its own datastore (hiera) to determine what the correct configuration state of the client should be. It then returns this "state" to the client (catalog), which the client applies as necessary to make sure its configuration matches the "correct" configuration. The "applies" step should be idempotent, such that it can be applied over and over without being any different than the first time it was applied. (i.e. it doesn't reinstall a package every time, if it is already there). This "applies changes" step is where the API comes in. The API may also be involved in the "facts" gathering. In lieu of an API, there may be a "command line interface" that can apply changes through a series of administrative commands, such as https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell which should follow similar "release notes" type of changes to an API. However, any changes made to the system "directly" (via modifying a file, for example) would be "extra risky" and would require extensive testing by the person maintaining the configuration management module before certifying compatibility with the "next" version of pfSense. None of this would be the responsibility of the pfSense maintainers directly. This really wouldn't be that much different from any other package installed on the system. It should be tested by the maintainer of the package before it is "released" to that version of pfSense.

    The long and short of it is that Puppet and the API are not competing solutions. The puppet client is an "implementation" that should (when available) use the API to make changes to the system. In the case where the "managed device" is running an OS that has a puppet client available, it makes sense to run the client locally on the hardware that is being managed. It is just less overhead. It would be great if it ran natively or using an "existing" interpreter, such as PHP, but that is another project for another day. :)

    Sorry for my long winded response :D

    ~tommy




Log in to reply