Tag Archives: Debian

Fully automated deployment of a webserver using Foreman

The aim of this post is to show the level of automation for application server deployment on a virtualization layer that is now possible with Foreman at Yakaz.

This video shows how easy it is for us to create a new virtual machine and how Puppet manages it to fully configure the server to run our application. The video shows the Compute Resource system that was introduced with Foreman 1.0.

Compared to the deprecated virtualization support in Foreman before 1.0, Compute Resources allow us to:

  • Deploy new VMs with multiple NICs and disks
  • Access the VNC console directly from Foreman’s interface
  • Apply ACLs on Compute Resource use. This is useful for us: we can have an ‘open’ virtualization cluster for every developer who needs a VM, and an isolated production cluster
  • Manage VM power cycles directly from Foreman
  • When a Compute Resource is deleted in Foreman, the VM is also deleted on the virtualization cluster
For now, supported compute resources are: 
  • oVirt / RHEV-M
  • libvirt
  • Amazon EC2
  • VMware
  • Rackspace OpenCloud
As a reminder, with the ‘Unattended Installation’ feature, Foreman manages:
  • A and PTR DNS records for multiple domains
  • The DHCP lease for the host
  • Puppet configuration through the ENC
  • PuppetCA management: no need to sign and revoke certificates by hand anymore
Once the VM is built, Puppet configures it so that it complies with the selected configuration (in this case, our webserver for the Yakaz website).

This video shows that the ‘operator time’ required for a new server deployment is really, really short. On top of that, our Foreman integration gives us great flexibility and elasticity in managing our production cluster.


How to check Puppet run with Foreman and Nagios

I needed to make sure that Puppet was running smoothly on all production servers. For that purpose I needed to check two things:

– First, that Puppet was running every 30 minutes (I use cron and not the Puppet daemon). For that I simply use the Nagios ‘check_file_age’ plugin and check the age of the “state.yaml” file. Here is my configuration of the command on a Debian server:

/usr/lib/nagios/plugins/check_file_age -w 3780 -c 43200 -f /var/lib/puppet/state/state.yaml

– The first check makes sure that Puppet is running on a regular basis. However, I am not sure that it runs without problems. That’s the reason why I decided to use the Foreman report status.

You can find my script on GitHub. To use it on a Debian server, you should install the dependencies:

# apt-get install libhttp-server-simple-perl libjson-perl
# wget http://search.cpan.org/CPAN/authors/id/M/MC/MCRAWFOR/REST-Client-243.tar.gz
# tar xvf REST-Client-243.tar.gz
# cd REST-Client-243
# perl Makefile.PL
# make
# make install

To use it, it’s very simple:

$ /usr/lib/nagios/plugins/check_foreman_puppet_failure.pl -H webserver.example.com -F http://foreman.example.com -w 3 -c 5 -u username -p password

This command checks the last reports of the host’s Puppet runs. If the number of runs in error state is greater than the warning or critical threshold, the Nagios check returns the corresponding state.
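The two checks described above (state-file age and failed runs in the Foreman reports), written as Nagios-style functions in Python. This is an added example and not the author’s Perl script; the Foreman API path (/api/hosts/NAME/reports) and the report JSON shape (a status block with a failed counter) are assumptions, and the sample reports are constructed.

```python
# Added example, not the post's Perl script; Foreman API path and JSON shape are assumed.
import base64
import json
import os
import time
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios exit codes
LABELS = ("OK", "WARNING", "CRITICAL")


def check_state_age(path, warn=3780, crit=43200, now=None):
    """Same idea as check_file_age: age of state.yaml in seconds vs thresholds."""
    if not os.path.exists(path):
        return UNKNOWN, "UNKNOWN: %s does not exist" % path
    age = int((time.time() if now is None else now) - os.stat(path).st_mtime)
    level = CRITICAL if age > crit else WARNING if age > warn else OK
    return level, "%s: %s is %ds old" % (LABELS[level], path, age)


def count_failed_runs(reports):
    """Count reports whose status block has failed > 0.
    Assumed shape (Foreman 1.x API): [{"report": {"status": {"failed": N}}}, ...]"""
    failed = 0
    for entry in reports:
        status = entry.get("report", entry).get("status", {})
        if int(status.get("failed", 0)) > 0:
            failed += 1
    return failed


def check_reports(reports, warn=3, crit=5):
    """Like the post's -w/-c: more failed runs than crit (warn) -> CRITICAL (WARNING)."""
    failed = count_failed_runs(reports)
    level = CRITICAL if failed > crit else WARNING if failed > warn else OK
    return level, "%s: %d of %d recent Puppet runs failed" % (LABELS[level], failed, len(reports))


def fetch_reports(foreman_url, host, user, password, limit=10):
    """Fetch the last reports for a host with HTTP basic auth (assumed API path)."""
    url = "%s/api/hosts/%s/reports?per_page=%d" % (foreman_url.rstrip("/"), host, limit)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: six recent reports, four of them with failed resources.
SAMPLE_REPORTS = [{"report": {"status": {"failed": n}}} for n in (0, 2, 1, 0, 3, 1)]
```

In a real plugin the exit code of check_reports(fetch_reports(...)) becomes the process exit status, which is all Nagios reads.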

Now you can monitor your Puppet runs thanks to Nagios and Foreman!


Protect your Google Apps with LemonLDAP::NG and SAML2

If you use Google Apps for your company’s email, there is a way to integrate these applications into your LemonLDAP::NG SSO. This is done with the SAML2 protocol; in this setup, Google Apps acts as a SAML service provider.

Since communication takes place between Google’s servers and your LemonLDAP server, your SSO must be reachable from the Internet (and should be served over HTTPS, since SAML responses and user credentials transit through it).
This post does not describe the setup of Google Apps itself; please read Google’s documentation if needed.

Note that this setup is possible even with a free Google Apps account!

Dependency installation

In order to use the SAML protocol, LL::NG relies on the Perl bindings of the lasso library, which are not packaged by default in Debian. To install them (the repository is compatible with Squeeze):

# vim /etc/apt/sources.list.d/entrouvert.list
deb http://deb.entrouvert.org/ lenny main
deb-src http://deb.entrouvert.org/ lenny main

# wget -O - -q http://deb.entrouvert.org/entrouvert.gpg | apt-key add -
# apt-get update
# apt-get install liblasso3-perl
# service apache2 restart

In LL::NG manager:

  • General Parameters => Issuer Module => SAML => Activation: On
  • SAML2 Service => NameID Format => Email: mail
  • SAML2 Service => Security parameters => Signature => Private key => Generate
  • SAML2 Service => Security parameters => Encryption => Private key => Generate
  • SAML2 Service => Organization => Display Name / Name / URL (for information)
You should then add a SAML service provider:
  • SAML service provider => New service provider
  • SAML service provider => your_service_name => Metadata


Be sure to replace the CHANGE_ME placeholder in the metadata!

  • SAML service provider => your_service_name => Options => Authentication response => Default NameID format: Email
  • SAML service provider => your_service_name => Options => Signature: everything deactivated except “Sign SSO message”
You should then create a certificate so that Google is able to verify the signed SAML exchange:
  • SAML2 Service => Security parameters => Signature => Private key => Download this file (lemonldap.key)
$ openssl req -new -key lemonldap.key  -out lemonldap.csr
$ openssl x509 -req -days 3650 -in lemonldap.csr -signkey lemonldap.key -out lemonldap.pem

Google Apps configuration for SSO

You should connect to the administration dashboard with a Super-Admin account (address: http://www.google.com/a/CHANGE_ME).

In Advanced settings => SSO:

  • Check Enable SSO
  • Sign-in page URL: http://auth.changeme.com/saml/singleSignOn
  • Sign-out page URL: http://auth.changeme.com/?logout=1
  • Change password URL: http://auth.changeme.com
  • Verification certificate: upload the previously generated certificate (lemonldap.pem)

Connecting to Google Apps

The SAML integration between Google Apps and LemonLDAP::NG should now be complete. If you try to connect to your Google Apps account, you should be automatically redirected to LL::NG if you don’t have an active session. If you do have a session, you are automatically logged in to your Google Apps.

If you have any trouble, you can always authenticate directly at this URL: http://www.google.com/changeme.com


The mail attribute of your LDAP directory must be declared in your Google Apps. We will see in a later post how to sync your LDAP directory with Google Apps using Google Apps Directory Sync.