How to get started with the Foreman sysadmin tool

Foreman offers a powerful set of system management tools, from process automation to security compliance and more. Here's how to get started.
767 readers like this.
Construction worker building a cinderblock wall

Is your system management tool robust enough?

As your organization grows, so does your workload—and the IT resources required to manage it. There is no "one-size-fits-all" system management solution, but a centralized, open source tool such as Foreman can help you manage your company's IT assets by provisioning, maintaining, and updating hosts throughout the complete lifecycle.

Foreman becomes even more powerful when integrated with other open source projects and plugins, and I will discuss these in more detail below. To get started, however, let's consider key functions of an effective system management tool.

Foreman and essential system management areas

An effective systems management tool should address all of these key areas.

Host provisioning is for deploying instances or virtual machines on bare-metal, on-premises, or a cloud provider's data center.

Content management refers to publishing, promoting, and managing various versions of repositories and packages in the CDN and systems across the life cycle (i.e., development, testing, QA, and production).

Patch/errata management includes bug fixes and advisory or enhancement packages. An effective systems management tool should identify applicable errata regularly and patch registered systems promptly.

Subscription or license management enables the purchase, renewal, and extension of subscriptions through a systems management portal. This information should be updated frequently in the user account for each system.

Health monitoring and reporting enables real-time system checkups. This should include updates, errata, compliance, workload, and system performance metrics for registered hosts and running services.

Remote execution is for running arbitrary commands on hosts or groups of hosts to perform similar activities remotely. These commands can be customized; for example, to provision templates or partition tables.

Identity and policy lets you create different users and roles and manage various permission policies. This function should also support Kerberos and LDAP integration and authentication.

Alerts and notification audits administrator and user activities. This tool should instantly detect what changes are made in each node, when they are made, and where potential risk may exist.

Automation applies to repetitive tasks. A top systems management tool should help identify and automate these processes.

Foreman and open source plugins

Foreman's basic functions include host provisioning, discovery of unknown nodes, and upgrading instances on bare-metal, hyper-visor, and cloud data centers. Plugins can greatly enhance these capabilities.

Smart Proxy, also known as Foreman Proxy, is an extended subsystem that performs operations through instructions from Foreman. It can be hosted on a physical, on-premises, or third-party cloud or on a hypervisor. In a large distributed organization, placing a Smart Proxy near instances reduces network latency.

Foreman in distributed system

Foreman with plugins at work in a distributed system.

Here are some open source projects that integrate with Foreman:

Katello is a repository and subscription-management plugin. It downloads content from upstream repositories and manages local yum, puppet repos, and content versions in different life-cycle environments. Katello comprises two important services:

  • Candlepin runs within Katello, managing subscriptions and licenses for all registered systems.
  • Pulp handles repositories and packages. It supports RPMs, errata, kickstart trees, metadata, etc. You can sync remote content such as EPEL locally, and upload custom content into a pulp repository.

OpenScap manages security compliance and vulnerability on managed hosts. It uses the Security Content Automation Protocol (SCAP) to assess, measure, and enforce security policies. Foreman then lets you create, upload, and assign them to hosts or host groups. A client running the SCAP scan script can upload the report to Foreman Proxy, and administrators can use it for assessment.

Remote Execution enables Foreman to simultaneously execute random commands on multiple hosts. Variables in these commands can take hosts' facts, class parameters, or host parameters specified by users while triggering the execution.

The Ansible plugin allows you to import hosts along with facts every time you run the playbook or an Ansible module. In short, it automates processes and defines a list of roles that can be enforced on managed hosts.

Docker automates the deployment of applications within Linux containers. In Foreman, containers are deployed only on compute resources of the Docker provider type, enabling rapid application deployment and simplifying testing and maintenance.

Part of the Foreman installer, Puppet helps to configure puppet environments on hosts. The Puppet master, running on the Foreman server, is configured under Apache and Passenger by default. Puppet integration is optional with the 3.0 release.

Hammer is a CLI tool that provides command-line options equivalent to most web UI functions.

Foreman installation

You are only four steps away from your first Foreman installation. Let's perform a quick installation, log into GUI, and start playing with Foreman.

For the initial setup, you must first open four mandatory ports and enable the Puppet, EPEL, and Foreman repositories. The following installation steps were performed on CentOS 7; however, other platforms that support Foreman installation include Fedora, Red Hat Enterprise Linux, Ubuntu, Oracle Linux, etc.

Step 1: Open the necessary ports in the firewall.

Port Protocol Required for
69 UDP TFTP Server
80 TCP HTTP access to Foreman web UI, provisioning templates using Apache + Passenger
443 TCP HTTPS access to Foreman web UI, provisioning templates using Apache + Passenger
8140 TCP Puppet Master
# firewall-cmd --permanent --add-port="69/udp"
# firewall-cmd --permanent --add-port="80/tcp"
# firewall-cmd --permanent --add-port="443/tcp"
# firewall-cmd --permanent --add-port="8140/tcp"
# firewall-cmd --reload

Step 2: Download Puppet, EPEL, and Foreman RPMs.

# yum -y install
# yum -y install
# yum -y install

Step 3: Install and execute the Foreman installer RPM.

To list all the options available during installation, use Foreman installer Help. Use -v to enable verbose installation and -i for user interactive mode. In this example, I will proceed with non-interactive default options.

# yum -y install foreman-installer
# foreman-installer --help
# foreman-installer

foreman installer code

Successful installation of the Foreman tool using installer.

Step 4: After installation, the installer with give you Foreman URL details, a default login user admin, and an auto-generated random password. Launch the Foreman https: URL on your browser and log in.

Foreman login screen

Login screen to Foreman GUI. Sign in here after installation to change your password.

Once you successfully log into Foreman GUI, you can change your password through the My Account settings in Dashboard. For more details, visit the Foreman website and GitHub.

Foreman is a powerful sysadmin tool that can be both fun and challenging to work with. Let us know what you think of it. Also, please share your thoughts on any other open source projects you find useful.

Amit works in Red Hat, and is passionate about linux, cloud computing, devops etc. He is a strong believer that new innovation and technology, in a open way, can positively impact the society and change many lives.


I believe there is a slight mistake within the article. Katello isn't a repository and subscription-management plugin, as this would indirectly imply that if you don't use Katello, you cannot do repository and subscription management. This it's the case.

Katello (which once was a standalone application) prodives unified workflow and web interface (webUI) for content and subscriptions, where said content and subscription are handled by Pulp and Candlepin.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.