Installing Foreman 2.5 server on Enterprise Linux

1. Preparing your Environment for Installation

Before you install Foreman, ensure that your environment meets the following requirements.

1.1. System Requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
A minimum of 4 GB RAM is required for Foreman server to function. Foreman running with less RAM than the minimum value might not operate correctly.
Administrative user (root) access
A system umask of 0022
Full forward and reverse DNS resolution using a fully-qualified domain name

Foreman only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring System Locale guide. Before you install Foreman server, ensure that your environment meets the requirements for installation.

Foreman server must be installed on a freshly provisioned system that serves no other function except to run Foreman server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Foreman server creates:

apache
foreman
foreman-proxy
postgres
puppet
puppetserver
redis

SELinux Mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

FIPS Mode

You can install Foreman on a Red Hat Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Foreman. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

1.2.1. CentOS 7

Table 1. Storage Requirements for a Foreman server Installation
Directory	Installation Size	Runtime Size
/var/log/	10 MB	10 GB
/var/opt/rh/rh-postgresql12/lib/pgsql	100 MB	20 GB
/usr	3 GB	Not Applicable
/opt	3 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable

1.2.2. CentOS 8

Table 2. Storage Requirements for a Foreman server Installation
Directory	Installation Size	Runtime Size
/var/log/	10 MB	10 GB
/var/lib/pgsql	100 MB	20 GB
/usr	3 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable

1.2.3. Red Hat Enterprise Linux 7

Table 3. Storage Requirements for a Foreman server Installation
Directory	Installation Size	Runtime Size
/var/log/	10 MB	10 GB
/var/opt/rh/rh-postgresql12/lib/pgsql	100 MB	20 GB
/usr	3 GB	Not Applicable
/opt	3 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable

1.3. Supported Operating Systems

You can install the operating system from a disc, local ISO image, or kickstart.

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 4. Operating Systems supported by foreman-installer
Operating System	Architecture	Notes
CentOS 7	x86_64 only	EPEL is required.
CentOS 8	x86_64 only	EPEL is not supported.
Red Hat Enterprise Linux 7	x86_64 only	EPEL is required.

Before you install Foreman, apply all operating system updates if possible.

Install Foreman server on a freshly provisioned system.

1.4. Supported Browsers

The recommended requirements are as follows for major browsers:

Google Chrome 54 or higher
Microsoft Edge
Microsoft Internet Explorer 10 or higher
Mozilla Firefox 49 or higher

Other browsers may work unpredictably.

The Foreman web UI and command-line interface support English, Portuguese, Simplified Chinese Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.5. Ports and Firewalls Requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 5. Foreman server incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
443	TCP	HTTPS	Smart Proxy	Foreman API	Communication from Smart Proxy
5910 - 5930	TCP	HTTPS	Browsers	Compute Resource’s virtual console
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTPS	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
8443	TCP	HTTPS	Client	OpenSCAP	Configure Client
8443	TCP	HTTPS	Foreman	Smart Proxy API	Smart Proxy functionality

Any managed host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

A DHCP Smart Proxy performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Table 6. Foreman server outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
22, 16514	TCP	SSH SSH/TLS	Compute Resource	Foreman originated communications, for compute resources in libvirt
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	Smart Proxy DNS	Validation of DNS conflicts (optional)
53	TCP and UDP	DNS	DNS Server	Orchestration	Validation of DNS conflicts
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
80	TCP	HTTP	Remote repository	Content Sync	Remote yum repository
389, 636	TCP	LDAP, LDAPS	External LDAP Server	LDAP	LDAP authenticatiion, necessary only if external authentication is enabled. The port can be customized when `LDAPAuthSource` is defined
443	TCP	HTTPS	Foreman	Smart Proxy	Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Amazon EC2, Azure, Google GCE	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
5000	TCP	HTTPS	OpenStack Compute Resource	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
5900 - 5930	TCP	SSL/TLS	Hypervisor	noVNC console	Launch noVNC console
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	Smart Proxy sends reboot command to the discovered host (optional)
8443	TCP	HTTPS	Smart Proxy	Smart Proxy API	Management of Smart Proxies

1.6. Enabling Connections from a Client to Foreman server

Smart Proxies and Content Hosts that are clients of a Foreman server’s internal Smart Proxy require access through Foreman’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the Red Hat Enterprise Linux 7 system that Foreman is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Ports and Firewalls Requirements.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

To open the ports for client to Foreman communication, enter the following command on the base operating system that you want to install Foreman on:

# firewall-cmd \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5647/tcp" --add-port="8000/tcp" \
--add-port="8140/tcp" --add-port="9090/tcp" \
--add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp"

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

1.7. Verifying Firewall Settings

Use this procedure to verify your changes to the firewall settings.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

Enter the following command:
```
# firewall-cmd --list-all
```

For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.

1.8. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Foreman.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

For more information, see the Configuring Host Names Using hostnamectl in the Red Hat Enterprise Linux 7 Networking Guide.

Warning

Name resolution is critical to the operation of Foreman. If Foreman cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.

2. Preparing your Environment for Foreman Installation in an IPv6 Network

You can install and use Foreman in an IPv6 network. Before installing Foreman in an IPv6 network, view the limitations and ensure that you meet the requirements.

To provision hosts in an IPv6 network, after installing Foreman, you must also configure Foreman for the UEFI HTTP boot provisioning. For more information, see Configuring Foreman for UEFI HTTP Boot Provisioning in an IPv6 Network.

2.1. Limitations of Foreman Installation in an IPv6 Network

Foreman installation in an IPv6 network has the following limitations:

You can install Foreman and Smart Proxies in IPv6-only systems, dual-stack installation is not supported.
Although Foreman provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use Foreman to provision hosts.

2.2. Requirements for Foreman Installation in an IPv6 Network

Before installing Foreman in an IPv6 network, ensure that you meet the following requirements:

If you plan to provision hosts from Foreman or Smart Proxy, you must install Foreman and Smart Proxies on a system with grub2 version 2.05 or higher or system with fixes for HTTP Boot, for example CentOS version 7.9 or 8.3 or higher. For other operating systems, copy the newest GRUB build to /var/lib/tftpboot/grub2/grubx64.efi.
You must deploy an external DHCP IPv6 server as a separate unmanaged service to bootstrap clients into GRUB2, which then configures IPv6 networking either using DHCPv6 or or assigning static IPv6 address. This is required because the DHCP server in Red Hat Enterprise Linux (ISC DHCP) does not provide an integration API for managing IPv6 records, therefore the Smart Proxy DHCP plug-in that provides DHCP management is limited to IPv4 subnets.
You must deploy an external IPv4 HTTP proxy server. This is required because Foreman distributes content only over IPv4 networks, therefore you must use an IPv4 proxy to redirect that content to hosts in your IPv6 network.

Note that this requirement is for Katello users only.
You must configure Foreman to use this IPv4 HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to Satellite.

3. Installing Foreman server

Use the following procedures to install Foreman server and perform the initial configuration.

On CentOS, you can install Foreman with or without the Katello plug-in. If you are a new user, consider installing Foreman with the Katello plug-in.

Note that the Foreman installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/foreman-installer/foreman.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1. Configuring Repositories

Use this procedure to enable the repositories that are required to install Foreman server. Choose from the available list which operating system and version you are installing on:

CentOS 7
CentOS 8
Red Hat Enterprise Linux 7

3.1.1. CentOS 7

Clear any metadata:
```
# yum clean all
```

Install the foreman-release.rpm package:

# yum localinstall https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm

Install the puppet6-release-el-7.noarch.rpm package:

# yum localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Install the epel-release package:
```
# yum install epel-release
```
Install the centos-release-scl-rh package:
```
# yum install centos-release-scl-rh
```

3.1.2. CentOS 8

Clear any metadata:
```
# dnf clean all
```

Install the foreman-release.rpm package:

# dnf localinstall https://yum.theforeman.org/releases/2.5/el8/x86_64/foreman-release.rpm

Install the puppet6-release-el-8.noarch.rpm package:

# dnf localinstall https://yum.puppet.com/puppet6-release-el-8.noarch.rpm

Enable Ruby 2.7 module:

# dnf module reset ruby
# dnf module enable ruby:2.7

Enable the PostgreSQL 12 module:
```
# dnf module enable postgresql:12
```
If the PostgreSQL 10 module has already been enabled, a module reset will need to be performed.
```
# dnf module reset postgresql
# dnf module enable postgresql:12
```

3.1.3. Red Hat Enterprise Linux 7

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos --enable=rhel-7-server-rpms \
--enable rhel-7-server-optional-rpms \
--enable rhel-server-rhscl-7-rpms

Install the epel-release-latest-7.noarch.rpm package:

# yum localinstall https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Clear any metadata:
```
# yum clean all
```

Install the foreman-release.rpm package:

# yum localinstall https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm

Install the puppet6-release-el-7.noarch.rpm package:

# yum localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Note

If you are installing Foreman server as a virtual machine hosted on oVirt, you must also enable the Red Hat Common repository, and install oVirt guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide for more information.

3.2. Installing Foreman server Packages

CentOS 7
CentOS 8
Red Hat Enterprise Linux 7

3.2.1. CentOS 7

Procedure

Update all packages:
```
# yum update
```
Install foreman-installer
```
# yum install foreman-installer
```

3.2.2. CentOS 8

Update all packages:
```
# dnf update
```
Install foreman-installer
```
# dnf install foreman-installer
```

3.2.3. Red Hat Enterprise Linux 7

Update all packages:
```
# yum update
```
Install foreman-installer
```
# yum install foreman-installer
```

3.3. Synchronizing the System Clock With chronyd

To minimize the effects of time drift, you must synchronize the system clock on the base operating system on which you want to install Foreman server with Network Time Protocol (NTP) servers. If the base operating system clock is configured incorrectly, certificate verification might fail.

For more information about the chrony suite, see Configuring NTP Using the chrony Suite in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Procedure

Install the chrony package:
```
# yum install chrony
```

Start and enable the chronyd service:

# systemctl start chronyd
# systemctl enable chronyd

3.4. Configuring Foreman server

Install Foreman server using the foreman-installer installation script.

This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Foreman answer file. You can run the script as often as needed to configure any necessary options.

Note	Depending on the options that you use when running the Foreman installer, the configuration can take several minutes to complete.

3.4.1. Configuring Foreman

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. For example, on Red Hat-based operating systems, use a utility such as tmux or screen. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/foreman.log to determine if the process completed successfully.

Considerations

Use the foreman-installer --scenario foreman --help command to display the available options and any default values. If you do not specify any values, the default values are used.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
By default, all configuration files configured by the installer are managed by Puppet. When foreman-installer runs, it overwrites any manual changes to the Puppet managed files with the initial values. By default, Foreman server is installed with the Puppet agent running as a service. If required, you can disable Puppet agent on Foreman server using the --puppet-runmode=none option.
If you want to manage DNS files and DHCP files manually, use the --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false options so that Puppet does not manage the files related to the respective services. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Foreman.

Procedure

Enter the following command with any additional options that you want to use:

# foreman-installer --scenario foreman \
--foreman-initial-organization "initial_organization_name" \
--foreman-initial-location "initial_location_name" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

The script displays its progress and writes logs to /var/log/foreman-installer/foreman-installer --scenario foreman.log.

4. Performing Additional Configuration on Foreman server

4.1. Configuring Foreman for UEFI HTTP Boot Provisioning in an IPv6 Network

Use this procedure to configure Foreman to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

Ensure that your clients can access DHCP and HTTP servers.
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Foreman and Smart Proxies.
Ensure that the host provisioning interface subnet has an HTTP Boot Smart Proxy, and Templates Smart Proxy set. For more information, see Adding a Subnet to Foreman server in the Provisioning Guide.
Navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Foreman cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

You must disable DHCP management in the installer or not use it.
For all IPv6 subnets created in Foreman, set the DHCP Smart Proxy to blank.
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.
On Foreman or Smart Proxy from which you provision, update the grub2-efi package to the latest version:
```
# yum install grub2-efi
```
Synchronize the Red Hat Enterprise Linux 8 kickstart repository.

Note that this step is for Katello users only.

4.2. Configuring Foreman server with an HTTP Proxy

Use the following procedures to configure Foreman with an HTTP proxy.

4.2.1. Adding a Default HTTP Proxy to Foreman

If your network uses an HTTP Proxy, you can configure Foreman server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for Foreman. To use the CLI instead of the web UI, see the CLI procedure.

Procedure

In the Foreman web UI, navigate to Infrastructure > HTTP Proxies.
Click New HTTP Proxy.
In the Name field, enter the name for the HTTP proxy.
In the Url field, enter the URL of the HTTP proxy in the following format: \https://proxy.example.com:8080.
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
To test connection to the proxy, click the Test Connection button.
Click Submit.
Navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to the created HTTP proxy.

CLI procedure

Verify that the http_proxy, https_proxy, and no_proxy variables are not set.
```
# unset http_proxy
# unset https_proxy
# unset no_proxy
```

Add an HTTP proxy entry to Foreman:

# hammer http-proxy create --name=myproxy \
--url http://myproxy.example.com:8080  \
--username=proxy_username \
--password=proxy_password

Configure Foreman to use this HTTP proxy by default:

# hammer settings set --name=content_default_http_proxy --value=myproxy

4.2.2. Configuring SELinux to Ensure Access to Foreman on Custom Ports

SELinux ensures access of Foreman only to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 - 10010. If you use a port that does not have SELinux type http_cache_port_t, complete the following steps.

Procedure

On Foreman, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:

# semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:
```
# semanage port -a -t http_cache_port_t -p tcp 8088
```

4.2.3. Using an HTTP Proxy for all Foreman HTTP Requests

If your Foreman server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Foreman communication takes precedence over the proxies that you set for compute resources.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy --value=Proxy_URL

4.2.4. Excluding Hosts from Receiving Proxied Requests

If you use an HTTP Proxy for all Foreman HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

4.2.5. Configuring a proxy for PXE files downloads

For Red Hat content served through the Content Delivery Network, Smart Proxy downloads PXE files from synchronized repositories. However, when configuring and installing an operating system using Installation Media, Smart Proxy connects directly using the wget utility.

Procedure

On Smart Proxy with the TFTP feature, to verify the ports that are permitted by SELinux for the HTTP cache, enter the following command:
```
# systemctl edit foreman-proxy
```

Insert the following test into the editor:

[Service]
Environment="http_proxy=http://proxy.example.com:8888"
Environment="https_proxy=https://proxy.example.com:8888"

Save the file. Verify that the file appears as /etc/systemd/system/foreman-proxy.service.d/overrides.conf.
Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP Smart Proxy.

4.2.6. Resetting the HTTP Proxy

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

Navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to no global default.

CLI procedure

Set the content_default_http_proxy setting to an empty string:

# hammer settings set --name=content_default_http_proxy --value=""

4.3. Enabling Power Management on Managed Hosts

To perform power management tasks on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Foreman server.

Prerequisites

All managed hosts must have a network interface of BMC type. Foreman server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing Hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer --foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

4.4. Configuring DNS, DHCP, and TFTP on Foreman server

To configure the DNS, DHCP, and TFTP services on Foreman server, use the foreman-installer command with the options appropriate for your environment. To view a complete list of configurable options, enter the foreman-installer --scenario foreman --help command.

Any changes to the settings require entering the foreman-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

To use external DNS, DHCP, and TFTP services instead, see Configuring Foreman server with External Services.

Adding Multihomed DHCP details

If you want to use Multihomed DHCP, you must inform the installer.

Prerequisites

Ensure that the following information is available to you:
- DHCP IP address ranges
- DHCP gateway IP address
- DHCP nameserver IP address
- DNS information
- TFTP server name
Use the FQDN instead of the IP address where possible in case of network changes.
Contact your network administrator to ensure that you have the correct settings.

Procedure

Enter the foreman-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

# foreman-installer --scenario foreman \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-additional-interfaces eth1 \
--foreman-proxy-dhcp-additional-interfaces eth2 \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername 192.0.2.3

You can monitor the progress of the foreman-installer command displayed in your prompt. You can view the logs in /var/log/foreman-installer/foreman.log. You can view the settings used, including the initial_admin_password parameter, in the /etc/foreman-installer/scenarios.d/foreman-answers.yaml file.

For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

4.5. Disabling DNS, DHCP, and TFTP for Unmanaged Networks

If you want to manage TFTP, DHCP, and DNS services manually, you must prevent Foreman from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors. However, Foreman does not remove the back-end services on the operating system.

Procedure

On Foreman server, enter the following command:

# foreman-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false

In the Foreman web UI, navigate to Infrastructure > Subnets and select a subnet.
Click the Smart Proxies tab and clear the DHCP Smart Proxy, TFTP Smart Proxy, and Reverse DNS Smart Proxy fields.
Navigate to Infrastructure > Domains and select a domain.
Clear the DNS Smart Proxy field.
Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
```
Option 66: IP address of Foreman or Smart Proxy
Option 67: /pxelinux.0
```
For more information about DHCP options, see RFC 2132.

Note

Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet and domain. When enabling or disabling Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Smart Proxy to turn orchestration on, make sure the required DHCP and DNS records as well as the TFTP files are in place for the existing Foreman hosts in order to prevent host deletion failures in the future.

4.6. Configuring Foreman server for Outgoing Emails

To send email messages from Foreman server, you can use either an SMTP server, or the sendmail command.

Prerequisites

Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Foreman server for relay or use the sendmail command instead.

Procedure

In the Foreman web UI, navigate to Administer → Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 7. Using an SMTP server as a delivery method
Name	Example value
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password
SMTP port	25
SMTP username	user@example.com

The SMTP username and SMTP password specify the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 8. Using gmail.com as an SMTP server
Name	Example value
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	password
SMTP port	587
SMTP username	user@gmail.com

The following example uses the sendmail command as a delivery method:

Table 9. Using sendmail as a delivery method

Name Example value

Delivery method

Sendmail

Sendmail arguments

-i -t -G

The Sendmail arguments specify the options passed to the sendmail command. The default value is -i -t. For more information see the sendmail 1 man page.

If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Foreman server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the web UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Table 9. Using sendmail as a delivery method
Name	Example value
Delivery method	Sendmail
Sendmail arguments	-i -t -G

Note	For information on configuring email notifications for individual users or user groups, see Configuring Email Notifications in Administering Foreman.

4.7. Configuring an Alternate CNAME for Foreman

You can configure an alternate CNAME for Foreman. This might be useful if you want to deploy the Foreman web interface on a different domain name than the one that is used by client systems to connect to Foreman. You must plan the alternate CNAME configuration in advance prior to installing Smart Proxies and registering hosts to Foreman to avoid redeploying new certificates to hosts.

This procedure is only for Katello plug-in users.

4.7.1. Configuring Foreman with an Alternate CNAME

Use this procedure to configure Foreman with an alternate CNAME. Note that the procedures for users of a default Foreman certificate and custom certificate differ.

For Default Foreman Certificate Users

If you have installed Foreman with a default Foreman certificate and want to configure Foreman with an alternate CNAME, enter the following command on Foreman to generate a new default Foreman SSL certificate with an additional CNAME.
```
# foreman-installer --certs-cname alternate_fqdn --certs-update-server
```
If you have not installed Foreman, you can add the --certs-cname alternate_fqdn option to the foreman-installer command to install Foreman with an alternate CNAME.

For Custom Certificate Users

If you use Foreman with a custom certificate, when creating a custom certificate, include the alternate CNAME records to the custom certificate. For more information, see Creating a Custom SSL Certificate for Foreman Server.

4.7.2. Configuring Hosts to Use an Alternate Foreman CNAME for Content Management

If Foreman is configured with an alternate CNAME, you can configure hosts to use the alternate Foreman CNAME for content management. To do this, you must point hosts to the alternate Foreman CNAME prior to registering the hosts to Foreman. You can do this using the bootstrap script or manually.

Configuring Hosts with the bootstrap Script

On the host, run the bootstrap script with the --server alternate_fqdn.example.com option to register the host to the alternate Foreman CNAME:

# ./bootstrap.py --server alternate_fqdn.example.com

Configuring Hosts Manually

On the host, edit the /etc/rhsm/rhsm.conf file to update hostname and baseurl settings to point to the alternate host name, for example:

[server]
# Server hostname:
hostname = alternate_fqdn.example.com

content omitted

[rhsm]
# Content base URL:
baseurl=https://alternate_fqdn.example.com/pulp/content/

Now you can register the host with the subscription-manager.

4.8. Configuring Foreman server with a Custom SSL Certificate

This procedure is only for Katello plug-in users.

By default, Foreman uses a self-signed SSL certificate to enable encrypted communications between Foreman server, external Smart Proxy servers, and all hosts. If you cannot use a Foreman self-signed certificate, you can configure Foreman server to use an SSL certificate signed by an external Certificate Authority.

To configure your Foreman server with a custom certificate, complete the following procedures:

Creating a Custom SSL Certificate for Foreman server
Deploying a Custom SSL Certificate to Foreman server
Deploying a Custom SSL Certificate to Hosts
If you have external Smart Proxy servers registered to Foreman server, you must configure them with custom SSL certificates. The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server. For more information, see Configuring Smart Proxy server with a Custom SSL Certificate in Installing Smart Proxy server.

4.8.1. Creating a Custom SSL Certificate for Foreman server

Use this procedure to create a custom SSL certificate for Foreman server. If you already have a custom SSL certificate for Foreman server, skip this procedure.

When you configure Foreman server with custom certificates, note the following considerations:

You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
You cannot use the same certificate for both Foreman server and Smart Proxy server.
The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.

Procedure

To store all the source certificate files, create a directory that is accessible only to the root user.
```
# mkdir /root/foreman_cert
```
Create a private key with which to sign the Certificate Signing Request (CSR).

Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

If you already have a private key for this Foreman server, skip this step.
```
# openssl genrsa -out /root/foreman_cert/foreman_cert_key.pem 4096
```

Create the /root/foreman_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ] (1)
C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
OU = The division of your organization handling the certificate
CN = foreman.example.com (2)

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = foreman.example.com (3)

In the [ req_distinguished_name ] section, enter information about your organization.
Set the certificate’s Common Name CN to match the fully qualified domain name (FQDN) of your Foreman server. To confirm a FQDN, on that Foreman server, enter the hostname -f command. This is required to ensure that the katello-certs-check command validates the certificate correctly.
Set the Subject Alternative Name (SAN) DNS.1 to match the fully qualified domain name (FQDN) of your server.

Generate the Certificate Signing Request (CSR):

# openssl req -new \
-key /root/foreman_cert/foreman_cert_key.pem \ (1)
-config /root/foreman_cert/openssl.cnf \ (2)
-out /root/foreman_cert/foreman_cert_csr.pem (3)

Path to the private key.
Path to the configuration file.
Path to the CSR to generate.

Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.

When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

4.8.2. Deploying a Custom SSL Certificate to Foreman server

Use this procedure to configure your Foreman server to use a custom SSL certificate signed by a Certificate Authority. The katello-certs-check command validates the input certificate files and returns the commands necessary to deploy a custom SSL certificate to Foreman server.

Procedure

Validate the custom SSL certificate input files. Note that for the katello-certs-check command to work correctly, Common Name (CN) in the certificate must match the FQDN of Foreman server.
```
# katello-certs-check \
-c /root/satellite_cert/satellite_cert.pem \      (1)
-k /root/satellite_cert/satellite_cert_key.pem \  (2)
-b /root/satellite_cert/ca_cert_bundle.pem        (3)
```
1. Path to Foreman server certificate file that is signed by a Certificate Authority.
2. Path to the private key that was used to sign Foreman server certificate.
3. Path to the Certificate Authority bundle.
If the command is successful, it returns two foreman-installer commands, one of which you must use to deploy a certificate to Foreman server.
To install the Katello main server with the custom certificates, run:
```
  foreman-installer --scenario katello \\
    --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
    --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
    --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem"
```

To update the certificates on a currently running Katello installation, run:

  foreman-installer --scenario katello \\
    --certs-server-cert "_/root/satellite_cert/satellite_cert.pem_" \
    --certs-server-key "_/root/satellite_cert/satellite_cert_key.pem_" \
    --certs-server-ca-cert "_/root/satellite_cert/ca_cert_bundle.pem_" \
    --certs-update-server --certs-update-server-ca

Depending on your requirements, enter the foreman-installer command that installs a new Foreman server with custom SSL certificates or updates certificates on a currently running Foreman server. The output of the katello-certs-check command may not be accurate in some cases. Therefore, you must follow the steps mentioned above instead of the command outputs.

If you are unsure which command to run, you can verify that Foreman is installed by checking if the file /etc/foreman-installer/scenarios.d/.installed exists. If the file exists, run the second foreman-installer command that updates certificates.

Important
Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Foreman server.
On a computer with network access to Foreman server, navigate to the following URL: \https://foreman.example.com.
In your browser, view the certificate details to verify the deployed certificate.

4.8.3. Deploying a Custom SSL Certificate to Hosts

After you configure Foreman server to use a custom SSL certificate, you must also install the katello-ca-consumer package on every host that is registered to this Foreman server.

Procedure

On each host, install the katello-ca-consumer package:

# yum localinstall \
http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm

4.9. Using External Databases with Foreman

For Red Hat systems only.

As part of the installation process for Foreman, the foreman-installer command installs PostgreSQL databases on the same server as Foreman. In certain Foreman deployments, using external databases instead of the default local databases can help with the server load.

To create and use external databases for Foreman, you must complete the following procedures:

Preparing a Host for External Databases. Prepare a Red Hat Enterprise Linux 7 server to host the external databases.
Installing PostgreSQL. Prepare PostgreSQL with databases for Foreman, Candlepin and Pulp with dedicated users owning them.
Configuring Satellite to use External Databases. Edit the parameters of foreman-installer to point to the new databases, and run foreman-installer.

4.9.1. PostgreSQL as an External Database Considerations

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your Foreman configuration. Foreman supports PostgreSQL version 12.1.

Advantages of External PostgreSQL:

Increase in free memory and free CPU on Foreman
Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on Foreman
Flexibility to tune the PostgreSQL server’s system without adversely affecting Foreman operations

Disadvantages of External PostgreSQL

Increase in deployment complexity that can make troubleshooting more difficult
The external PostgreSQL server is an additional system to patch and maintain
If either Foreman or the PostgreSQL database server suffers a hardware or storage failure, Foreman is not operational
If there is latency between the Foreman server and database server, performance can suffer

4.9.2. Preparing a Host for External Databases

Install a freshly provisioned system with the latest Red Hat Enterprise Linux 7 server to host the external databases.

Subscriptions for Red Hat Software Collections and Red Hat Enterprise Linux do not provide the correct service level agreement for using Foreman with external databases. You must also attach a Foreman subscription to the base operating system that you want to use for the external databases.

Prerequisites

The Red Hat Enterprise Linux 7 server must meet Foreman’s Storage Requirements.

Procedure

Use the instructions in Attaching the Foreman Infrastructure Subscription to attach a Foreman subscription to your server.

Disable all repositories and enable only the following repositories:

# subscription-manager repos --disable '*'
# subscription-manager repos --enable=rhel-server-rhscl-7-rpms \
--enable=rhel-7-server-rpms --enable=rhel-7-server-satellite-6.10-rpms

4.9.3. Installing PostgreSQL

You can install only the same version of PostgreSQL that is installed with the foreman-installer tool during an internal database installation. You can install PostgreSQL using Red Hat Enterprise Linux Server 7 repositories or from an external source, as long as the version is supported. Foreman supports PostgreSQL version 12.1.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

To install PostgreSQL, enter the following command:

# yum install rh-postgresql12-postgresql-server \
rh-postgresql12-syspaths \
rh-postgresql12-postgresql-evr

To initialize PostgreSQL, enter the following command:
```
# postgresql-setup initdb
```
Edit the /var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf file:
```
# vi /var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf
```
Remove the # and edit to listen to inbound connections:
```
listen_addresses = '*'
```
Edit the /var/opt/rh/rh-postgresql12/lib/pgsql/data/pg_hba.conf file:
```
# vi /var/opt/rh/rh-postgresql12/lib/pgsql/data/pg_hba.conf
```
Add the following line to the file:
```
  host  all   all   Foreman_ip/24   md5
```
To start, and enable PostgreSQL service, enter the following commands:
```
# systemctl start postgresql
# systemctl enable postgresql
```

Open the postgresql port on the external PostgreSQL server:

# firewall-cmd --add-service=postgresql
# firewall-cmd --runtime-to-permanent

Switch to the postgres user and start the PostgreSQL client:
```
$ su - postgres -c psql
```

Create three databases and dedicated roles: one for Foreman, one for Candlepin, and one for Pulp:

CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
CREATE DATABASE pulpcore OWNER pulp;

Exit the postgres user:
```
# \q
```

From Foreman server, test that you can access the database. If the connection succeeds, the commands return 1.

# PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
# PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"

4.9.4. Configuring Satellite to use External Databases

Use the foreman-installer command to configure Foreman to connect to an external PostgreSQL database.

Prerequisites

You have installed and configured a PostgreSQL database on a Red Hat Enterprise Linux server.

Procedure

To configure the external databases for Foreman, enter the following command:

foreman-installer --scenario foreman \
  --foreman-db-host postgres.example.com \
  --foreman-db-password Foreman_Password \
  --foreman-db-database foreman \
  --foreman-db-manage false \
  --katello-candlepin-db-host postgres.example.com \
  --katello-candlepin-db-name candlepin \
  --katello-candlepin-db-password Candlepin_Password \
  --katello-candlepin-manage-db false \
  --foreman-proxy-content-pulpcore-manage-postgresql false \
  --foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
  --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
  --foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password
  --foreman-proxy-content-pulpcore-postgresql-user pulp

To enable the Secure Sockets Layer (SSL) protocol for these external databases, add the following options:

--foreman-db-sslmode verify-full
--foreman-db-root-cert <path_to_CA>
--katello-candlepin-db-ssl true
--katello-candlepin-db-ssl-verify true
--foreman-proxy-content-pulpcore-postgresql-ssl true
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA>

4.10. Tuning Foreman server with Predefined Profiles

If your Foreman deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Foreman.

Note that you cannot use tuning profiles on Smart Proxies.

You can choose one of the profiles depending on the number of hosts your Foreman manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the foreman-installer command with the --tuning option, deployment configuration settings are applied to Foreman in the following order:

The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Foreman applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default: Number of managed hosts: 0-5000

RAM: 20G

Number of CPU cores: 4
medium: Number of managed hosts: 5001-10000

RAM: 32G

Number of CPU cores: 8
large: Number of managed hosts: 10001-20000

RAM: 64G

Number of CPU cores: 16
extra-large: Number of managed hosts: 20001-60000

RAM: 128G

Number of CPU cores: 32
extra-extra-large: Number of managed hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

Optional: If you have configured the custom-hiera.yaml file on Foreman server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
```
# cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
```
Optional: If you have configured the custom-hiera.yaml file on Foreman server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
Enter the foreman-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:
```
# foreman-installer --tuning medium
```

5. Configuring Foreman server with External Services

If you do not want to configure the DNS, DHCP, and TFTP services on Foreman server, use this section to configure your Foreman server to work with external DNS, DHCP and TFTP services.

5.1. Configuring Foreman server with External DNS

You can configure Foreman server with external DNS. Foreman server uses the nsupdate utility to update DNS records on the remote server.

To make any changes persistent, you must enter the foreman-installer command with the options appropriate for your environment.

Prerequisites

You must have a configured external DNS server.

Procedure

Unlock packages to enable installation of new packages:
```
# foreman-maintain packages unlock
```
Install BIND and the utility packages:
```
# yum install bind bind-utils
```
Lock the packages:
```
# foreman-maintain packages lock
```
Copy the /etc/rndc.key file from the external DNS server to Foreman server:
```
# scp root@dns.example.com:/etc/rndc.key /etc/rndc.key
```

Configure the ownership, permissions, and SELinux context:

# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key

To test the nsupdate utility, add a host remotely:

# echo -e "server DNS_IP_Address\n \
update add aaa.virtual.lan 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan DNS_IP_Address
# echo -e "server DNS_IP_Address\n \
update delete aaa.virtual.lan 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/rndc.key

Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:

# foreman-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="DNS_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
Associate the DNS service with the appropriate subnets and domain.

5.2. Configuring Foreman server with External DHCP

To configure Foreman server with external DHCP, you must complete the following procedures:

Configuring an External DHCP Server to Use with Foreman server
Configuring Foreman server with an External DHCP Server

5.2.1. Configuring an External DHCP Server to Use with Foreman server

To configure an external DHCP server to use with Foreman server, on a Red Hat Enterprise Linux server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages. You must also share the DHCP configuration and lease files with Foreman server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Note

If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because Foreman creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, clients fetch the bootloader and its configuration from the root directory, which might cause an error.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

On a Red Hat Enterprise Linux Server server, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:
```
# yum install dhcp bind
```
Generate a security token:
```
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
```
As a result, a key pair that consists of two files is created in the current directory.

Copy the secret hash from the key:

# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;

Note that the option routers value is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Delete the two key files from the directory that they were created in.
On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.

To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Foreman web UI define the reservation range as 192.168.38.101 to 192.168.38.250.

Configure the firewall for external access to the DHCP server:

# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent

On Foreman server, determine the UID and GID of the foreman user:
```
# id -u foreman
993
# id -g foreman
990
```
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
```
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
```

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Start the DHCP service:
```
# systemctl start dhcpd
```

Export the DHCP configuration and lease files using NFS:

# yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd

Create directories for the DHCP configuration and lease files that you want to export using NFS:
```
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
```

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Note that the IP address that you enter is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Reload the NFS server:
```
# exportfs -rva
```

Configure the firewall for the DHCP omapi port 7911:

# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent

5.2.2. Configuring Foreman server with an External DHCP Server

You can configure Foreman server with an external DHCP server.

Prerequisite

Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Foreman server. For more information, see Configuring an External DHCP Server to Use with Foreman server.

Procedure

Install the nfs-utils utility:
```
# yum install nfs-utils
```

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:
```
# chown -R foreman-proxy /mnt/nfs
```
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
```
# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN
```

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:
```
# mount -a
```

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=DHCP_Server_FQDN

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
Associate the DHCP service with the appropriate subnets and domain.

5.3. Configuring Foreman server with External TFTP

You can configure Foreman server with external TFTP services.

Procedure

Create the TFTP directory for NFS:
```
# mkdir -p /mnt/nfs/var/lib/tftpboot
```

In the /etc/fstab file, add the following line:

TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```
Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
```
# foreman-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
```
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
```
# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
Associate the TFTP service with the appropriate subnets and domain.

5.4. Configuring Foreman server with External IdM DNS

When Foreman server adds a DNS record for a host, it first determines which Smart Proxy is providing DNS for that domain. It then communicates with the Smart Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Foreman or Smart Proxy that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

Foreman server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

To configure Foreman server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

Configuring Dynamic DNS Update with GSS-TSIG Authentication
Configuring Dynamic DNS Update with TSIG Authentication

To revert to internal DNS service, use the following procedure:

Reverting to Internal DNS Service

Note

You are not required to use Foreman server to manage DNS. When you are using the realm enrollment feature of Foreman, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring Foreman server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see External Authentication for Provisioned Hosts in Administering Foreman.

5.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Foreman server base operating system.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos Principal on the IdM Server

Obtain a Kerberos ticket for the account obtained from the IdM administrator:
```
# kinit idm_user
```
Create a new Kerberos principal for Foreman server to use to authenticate on the IdM server.
```
# ipa service-add foreman.example.com
```

Installing and Configuring the IdM Client

On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the ipa-client package:
```
# yum install ipa-client
```
Configure the IdM client by running the installation script and following the on-screen prompts:
```
# ipa-client-install
```
Obtain a Kerberos ticket:
```
# kinit admin
```
Remove any preexisting keytab:
```
# rm /etc/foreman-proxy/dns.keytab
```

Obtain the keytab for this system:

# ipa-getkeytab -p smart-proxy/foreman.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

Note	When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
smart-proxy/foreman.example.com@EXAMPLE.COM

Configuring DNS Zones in the IdM web UI

Create and configure the zone that you want to manage:
1. Navigate to Network Services > DNS > DNS Zones.
2. Select Add and enter the zone name. For example, example.com.
3. Click Add and Edit.
4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smart-proxy/047foreman.example.com@EXAMPLE.COM wildcard * ANY;
5. Set Dynamic update to True.
6. Enable Allow PTR sync.
7. Click Save to save the changes.
Create and configure the reverse zone:
1. Navigate to Network Services > DNS > DNS Zones.
2. Click Add.
3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
4. Click Add and Edit.
5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smart-proxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
6. Set Dynamic update to True.
7. Click Save to save the changes.

Configuring the Foreman or Smart Proxy server that Manages the DNS Service for the Domain

Use the foreman-installer command to configure the Foreman or Smart Proxy that manages the DNS Service for the domain:

On Foreman, enter the following command:

foreman-installer --scenario foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smart-proxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

On Smart Proxy, enter the following command:

foreman-installer --no-enable-foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smart-proxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

Restart the Foreman or Smart Proxy’s Proxy Service.
```
# systemctl restart foreman-proxy
```

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

Navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
Configure the domain:
1. Navigate to Infrastructure > Domains and select the domain name.
2. In the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. Navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to None.
3. In the Domains tab, select the domain that you want to manage using the IdM server.
4. In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

5.4.2. Configuring Dynamic DNS Update with TSIG Authentication

You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
You must obtain root user access on the IdM server.
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with TSIG authentication, complete the following steps:

Enabling External Updates to the DNS Zone in the IdM Server

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:
```
# systemctl reload named
```
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
1. Add the following in the BIND update policy box:
  grant "rndc-key" zonesub ANY;
2. Set Dynamic update to True.
3. Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your Foreman server. Enter the following command:
```
# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
```
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:
```
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
```
Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

On Foreman server, enter the following foreman-installer command to configure Foreman to use the external DNS server:

# foreman-installer --scenario foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Testing External Updates to the DNS Zone in the IdM Server

Ensure that the key in the /etc/rndc.key file on Foreman server is the same key file that is used on the IdM server:
```
key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
```
On Foreman server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
```
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
```

On Foreman server, test the DNS entry:

# nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:
```
# nslookup test.example.com 192.168.25.1
```
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.

5.4.3. Reverting to Internal DNS Service

You can revert to using Foreman server and Smart Proxy server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Foreman server.

Procedure

On the Foreman or Smart Proxy server that you want to configure to manage DNS service for the domain, complete the following steps:

Configuring Foreman or Smart Proxy as a DNS Server

If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the foreman-installer command:
```
# foreman-installer
```
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Foreman or Smart Proxy as DNS server without using an answer file, enter the following foreman-installer command on Foreman and each affected Smart Proxy:
```
# foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1"  \
--foreman-proxy-dns-tsig-principal="foremanproxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab
```
For more information,see Configuring DNS, DHCP, and TFTP on Smart Proxy server.

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

Navigate to Infrastructure > Smart Proxies.
For each Smart Proxy that you want to update, from the Actions list, select Refresh.
Configure the domain:
1. Navigate to Infrastructure > Domains and click the domain name that you want to configure.
2. In the Domain tab, set DNS Smart Proxy to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. Navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to DHCP or Internal DB.
3. In the Domains tab, select the domain that you want to manage using Foreman or Smart Proxy.
4. In the Smart Proxies tab, set Reverse DNS Smart Proxy to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

Appendix A: Applying Custom Configuration to Foreman

When you install and configure Foreman for the first time using foreman-installer, you can specify that the DNS and DHCP configuration files are not to be managed by Puppet using the installer flags --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false. If these flags are not specified during the initial installer run, rerunning of the installer overwrites all manual changes, for example, rerun for upgrade purposes. If changes are overwritten, you must run the restore procedure to restore the manual changes. For more information, see Restoring Manual Changes Overwritten by a Puppet Run.

To view all installer flags available for custom configuration, run foreman-installer --scenario foreman --full-help. Some Puppet classes are not exposed to the Foreman installer. To manage them manually and prevent the installer from overwriting their values, specify the configuration values by adding entries to configuration file /etc/foreman-installer/custom-hiera.yaml. This configuration file is in YAML format, consisting of one entry per line in the format of <puppet class>::<parameter name>: <value>. Configuration values specified in this file persist across installer reruns.

Common examples include:

For Apache, to set the ServerTokens directive to only return the Product name:
```
apache::server_tokens: Prod
```
To turn off the Apache server signature entirely:
```
apache::server_signature: Off
```

The Puppet modules for the Foreman installer are stored under /usr/share/foreman-installer/modules. Check the .pp files (for example: moduleName/manifests/example.pp) to look up the classes, parameters, and values. Alternatively, use the grep command to do keyword searches.

Setting some values may have unintended consequences that affect the performance or functionality of Foreman. Consider the impact of the changes before you apply them, and test the changes in a non-production environment first. If you do not have a non-production Foreman environment, run the Foreman installer with the --noop and --verbose options. If your changes cause problems, remove the offending lines from custom-hiera.yaml and rerun the Foreman installer. If you have any specific questions about whether a particular value is safe to alter, contact Red Hat support.

Appendix B: Restoring Manual Changes Overwritten by a Puppet Run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.