1. Preparing your environment for installation
1.1. System requirements
The following requirements apply to the networked base operating system:
-
x86_64 architecture
-
4-core 2.0 GHz CPU at a minimum
-
A minimum of 12 GB RAM is required for Smart Proxy server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Smart Proxy running with less RAM than the minimum value might not operate correctly.
-
A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
-
Administrative user (root) access
-
Full forward and reverse DNS resolution using a fully-qualified domain name
Foreman only supports UTF-8
encoding.
If your territory is USA and your language is English, set en_US.utf-8
as the system-wide locale settings.
For more information about configuring system locale in Enterprise Linux, see Configuring the system locale.
Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.
Before you install Smart Proxy server, ensure that your environment meets the requirements for installation.
Warning
|
The version of Smart Proxy must match with the version of Foreman installed. It should not be different. For example, the Smart Proxy version 3.10 cannot be registered with the Foreman version 3.9. |
Smart Proxy server must be installed on a freshly provisioned system that serves no other function except to run Smart Proxy server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Smart Proxy server creates:
-
apache
-
foreman-proxy
-
postgres
-
pulp
-
puppet
-
redis
SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.
You can install Smart Proxy on a Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Smart Proxy. Red Hat Enterprise Linux clones are not being actively tested in FIPS mode. If you require FIPS, consider using Red Hat Enterprise Linux. For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening or Switching RHEL to FIPS mode in Red Hat Enterprise Linux 8 Security hardening.
Note
|
Foreman supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Foreman and Smart Proxy installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in the Red Hat Enterprise Linux guide. |
1.2. Storage requirements
The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.
The runtime size was measured with Red Hat Enterprise Linux 7, 8, and 9 repositories synchronized.
Directory | Installation Size | Runtime Size |
---|---|---|
/var/lib/pulp |
1 MB |
300 GB |
/var/lib/pgsql |
100 MB |
20 GB |
/usr |
3 GB |
Not Applicable |
/opt/puppetlabs |
500 MB |
Not Applicable |
The size of the PostgreSQL database on your Smart Proxy server can grow significantly with an increasing number of lifecycle environments, content views, or repositories that are synchronized from your Foreman server.
In the largest Foreman environments, the size of /var/lib/pgsql
on Smart Proxy server can grow to double or triple the size of /var/lib/pgsql
on your Foreman server.
1.3. Storage guidelines
Consider the following guidelines when installing Smart Proxy server to increase efficiency.
-
If you mount the
/tmp
directory as a separate file system, you must use theexec
mount option in the/etc/fstab
file. If/tmp
is already mounted with thenoexec
option, you must change the option toexec
and re-mount the file system. This is a requirement for thepuppetserver
service to work. -
Because most Smart Proxy server data is stored in the
/var
directory, mounting/var
on LVM storage can help the system to scale. -
Use high-bandwidth, low-latency storage for the
/var/lib/pulp/
directories. As Foreman has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 – 80 Megabytes per second.
-
Do not use the GFS2 file system as the input-output latency is too high.
Log files are written to /var/log/messages/,
/var/log/httpd/
, and /var/lib/foreman-proxy/openscap/content/
.
You can manage the size of these files using logrotate.
The exact amount of storage you require for log messages depends on your installation and setup.
When the /var/lib/pulp
directory is mounted using an NFS share, SELinux blocks the synchronization process.
To avoid this, specify the SELinux context of the /var/lib/pulp
directory in the file system table by adding the following lines to /etc/fstab
:
nfs.example.com:/nfsshare /var/lib/pulp nfs context="system_u:object_r:var_lib_t:s0" 1 2
If NFS share is already mounted, remount it using the above configuration and enter the following command:
# restorecon -R /var/lib/pulp
Packages that are duplicated in different repositories are only stored once on the disk.
Additional repositories containing duplicate packages require less additional storage.
The bulk of storage resides in the /var/lib/pulp/
directory.
These end points are not manually configurable.
Ensure that storage is available on the /var
file system to prevent storage problems.
You cannot use symbolic links for /var/lib/pulp/
.
If you plan to synchronize RHEL content ISOs to Foreman, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Foreman to manage this.
1.4. Supported operating systems
The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:
Operating System |
Architecture |
Notes |
x86_64 only |
EPEL is not supported. |
|
x86_64 only |
EPEL is not supported. |
Foreman community advises against using an existing system because the Foreman installer will affect the configuration of several components.
1.5. Port and firewall requirements
For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.
The installation of a Smart Proxy server fails if the ports between Foreman server and Smart Proxy server are not open before installation starts.
Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.
Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server. For more information on Foreman Topology, see Smart Proxy Networking in Planning for Foreman.
Required ports can change based on your configuration.
The following tables indicate the destination port and the direction of network traffic:
Destination Port | Protocol | Service | Source | Required For | Description |
---|---|---|---|---|---|
53 |
TCP and UDP |
DNS |
DNS Servers and clients |
Name resolution |
DNS (optional) |
67 |
UDP |
DHCP |
Client |
Dynamic IP |
DHCP (optional) |
69 |
UDP |
TFTP |
Client |
TFTP Server (optional) |
|
443, 80 |
TCP |
HTTPS, HTTP |
Client |
Content Retrieval |
Content |
443, 80 |
TCP |
HTTPS, HTTP |
Client |
Content Host Registration |
Smart Proxy CA RPM installation |
443 |
TCP |
HTTPS |
Foreman |
Content Mirroring |
Management |
443 |
TCP |
HTTPS |
Foreman |
Smart Proxy API |
Smart Proxy functionality |
443 |
TCP |
HTTPS |
Client |
Content Host registration |
Initiation Uploading facts Sending installed packages and traces |
1883 |
TCP |
MQTT |
Client |
Pull based REX (optional) |
Content hosts for REX job notification (optional) |
8000 |
TCP |
HTTP |
Client |
Provisioning templates |
Template retrieval for client installers, iPXE or UEFI HTTP Boot |
8000 |
TCP |
HTTP |
Client |
PXE Boot |
Installation |
8140 |
TCP |
HTTPS |
Client |
Puppet agent |
Client updates (optional) |
8443 |
TCP |
HTTPS |
Client |
Content Host registration |
Deprecated and only needed for Client hosts deployed before upgrades |
9090 |
TCP |
HTTPS |
Foreman |
Smart Proxy API |
Smart Proxy functionality |
9090 |
TCP |
HTTPS |
Client |
Register Endpoint |
Client registration with an external Smart Proxy server |
9090 |
TCP |
HTTPS |
Client |
OpenSCAP |
Configure Client (if the OpenSCAP plugin is installed) |
9090 |
TCP |
HTTPS |
Discovered Node |
Discovery |
Host discovery and provisioning (if the discovery plugin is installed) |
Any host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.
A DHCP Smart Proxy performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false
.
Destination Port | Protocol | Service | Destination | Required For | Description |
---|---|---|---|---|---|
ICMP |
ping |
Client |
DHCP |
Free IP checking (optional) |
|
7 |
TCP |
echo |
Client |
DHCP |
Free IP checking (optional) |
22 |
TCP |
SSH |
Target host |
Remote execution |
Run jobs |
53 |
TCP and UDP |
DNS |
DNS Servers on the Internet |
DNS Server |
Resolve DNS records (optional) |
53 |
TCP and UDP |
DNS |
DNS Server |
Smart Proxy DNS |
Validation of DNS conflicts (optional) |
68 |
UDP |
DHCP |
Client |
Dynamic IP |
DHCP (optional) |
443 |
TCP |
HTTPS |
Foreman |
Smart Proxy |
Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload |
443 |
TCP |
HTTPS |
Foreman |
Content |
Sync |
443 |
TCP |
HTTPS |
Foreman |
Client communication |
Forward requests from Client to Foreman |
443 |
TCP |
HTTPS |
Infoblox DHCP Server |
DHCP management |
When using Infoblox for DHCP, management of the DHCP leases (optional) |
623 |
Client |
Power management |
BMC On/Off/Cycle/Status |
||
7911 |
TCP |
DHCP, OMAPI |
DHCP Server |
DHCP |
The DHCP target is configured using ISC and |
8443 |
TCP |
HTTPS |
Client |
Discovery |
Smart Proxy sends reboot command to the discovered host (optional) |
Note
|
ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. The DHCP Smart Proxy sends an ECHO REQUEST to the Client network to verify that an IP address is free. A response prevents IP addresses from being allocated. |
1.6. Enabling connections from Foreman server and clients to a Smart Proxy server
On the base operating system on which you want to install Smart Proxy, you must enable incoming connections from Foreman server and clients to Smart Proxy server and make these rules persistent across reboots.
If you do not use firewall-cmd
to configure the Linux firewall, implement using the command of your choice.
-
Open the ports for clients on Smart Proxy server:
# firewall-cmd \ --add-port="8000/tcp" \ --add-port="9090/tcp"
-
Allow access to services on Smart Proxy server:
# firewall-cmd \ --add-service=dns \ --add-service=dhcp \ --add-service=tftp \ --add-service=http \ --add-service=https \ --add-service=puppetmaster
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
Enter the following command:
# firewall-cmd --list-all
For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 guide or Using and configuring firewalld in Red Hat Enterprise Linux 8 guide.
2. Installing Smart Proxy server
Before you install Smart Proxy server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.
2.1. Registering to Foreman server
Use this procedure to register the base operating system on which you want to install Smart Proxy server to Foreman server.
Registering your Smart Proxy server as a content host is optional unless you wish to download the installation packages from your synced repositories.
-
On Foreman server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Smart Proxy to belong to.
-
The manifest must contain repositories for the base operating system on which you want to install Smart Proxy, as well as any clients that you want to connect to Smart Proxy.
-
The repositories must be synchronized.
For more information on manifests and repositories, see Managing Red Hat Subscriptions in Managing content.
-
The Foreman server base operating system must be able to resolve the host name of the Smart Proxy base operating system and vice versa.
-
Ensure HTTPS connection using client certificate authentication is possible between Smart Proxy server and Foreman server. HTTP proxies between Smart Proxy server and Foreman server are not supported.
-
You must configure the host and network-based firewalls accordingly. For more information, see Port and firewall requirements in Installing a Smart Proxy Server 3.10 on Enterprise Linux. You can register hosts with Foreman using the host registration feature in the Foreman web UI, Hammer CLI, or the Foreman API. For more information, see Registering Hosts in Managing hosts.
-
In the Foreman web UI, navigate to Hosts > Register Host.
-
From the Activation Keys list, select the activation keys to assign to your host.
-
Click Generate to create the registration command.
-
Click on the files icon to copy the command to your clipboard.
-
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
-
On Enterprise Linux: Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled. -
On Debian: Check the
/etc/apt/sources.list
file and ensure that the appropriate repositories have been enabled.
-
-
Generate the host registration command using the Hammer CLI:
# hammer host-registration generate-command \ --activation-keys "My_Activation_Key"
If your hosts do not trust the SSL certificate of Foreman server, you can disable SSL validation by adding the
--insecure
flag to the registration command.# hammer host-registration generate-command \ --activation-keys "My_Activation_Key" \ --insecure true
-
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
-
On Enterprise Linux: Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled. -
On Debian: Check the
/etc/apt/sources.list
file and ensure that the appropriate repositories have been enabled.
-
-
Generate the host registration command using the Foreman API:
# curl -X POST https://foreman.example.com/api/registration_commands \ --user "My_User_Name" \ -H 'Content-Type: application/json' \ -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'
If your hosts do not trust the SSL certificate of Foreman server, you can disable SSL validation by adding the
--insecure
flag to the registration command.# curl -X POST https://foreman.example.com/api/registration_commands \ --user "My_User_Name" \ -H 'Content-Type: application/json' \ -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'
Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.
To enter a password as a command line argument, use
username:password
syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Foreman web UI, navigate to My Account > Personal Access Tokens. -
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
-
On Enterprise Linux: Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled. -
On Debian: Check the
/etc/apt/sources.list
file and ensure that the appropriate repositories have been enabled.
-
2.2. Optional: Using fapolicyd on Smart Proxy server
By enabling fapolicyd
on your Foreman server, you can provide an additional layer of security by monitoring and controlling access to files and directories.
The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.
You can turn on or off the fapolicyd on your Foreman server or Smart Proxy server at any point.
2.2.1. Installing fapolicyd on Smart Proxy server
You can install fapolicyd
along with Smart Proxy server or can be installed on an existing Smart Proxy server.
If you are installing fapolicyd
along with the new Smart Proxy server, the installation process will detect the fapolicyd in your Enterprise Linux host and deploy the Smart Proxy server rules automatically.
-
Ensure your host has access to the BaseOS repositories of Enterprise Linux.
-
For a new installation, install fapolicyd:
# dnf install fapolicyd
-
For an existing installation, install fapolicyd using dnf install:
# dnf install fapolicyd
-
Start the
fapolicyd
service:# systemctl enable --now fapolicyd
-
Verify that the
fapolicyd
service is running correctly:# systemctl status fapolicyd
In case of new Foreman server or Smart Proxy server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Enterprise Linux host.
For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 guide or Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 guide.
2.3. Installing Smart Proxy server packages
Before installing Smart Proxy server packages, you must update all packages that are installed on the base operating system.
To install Smart Proxy server, complete the following steps:
-
Update all packages:
# dnf upgrade
-
Install
foreman-proxy-content
:# dnf install foreman-proxy-content
2.4. Installing Smart Proxy server
-
To install Smart Proxy server with content, refer to Configuring Smart Proxy server with SSL certificates. Running
foreman-proxy-certs-generate
is a required prerequisite to installing Smart Proxy server with content.
2.5. Synchronizing the system clock with chronyd
To minimize the effects of time drift, you must synchronize the system clock on the base operating system on which you want to install Smart Proxy server with Network Time Protocol (NTP) servers. If the base operating system clock is configured incorrectly, certificate verification might fail.
For more information about the chrony
suite, see Using the Chrony suite to configure NTP in Red Hat Enterprise Linux 9 guide or Using the Chrony suite to configure NTP in Red Hat Enterprise Linux 8 guide.
-
Install the
chrony
package:# dnf install chrony
-
Start and enable the
chronyd
service:# systemctl enable --now chronyd
2.6. Configuring Smart Proxy server with SSL certificates
Foreman uses SSL certificates to enable encrypted communications between Foreman server, external Smart Proxy servers, and all hosts. Depending on the requirements of your organization, you must configure your Smart Proxy server with a default or custom certificate.
-
If you use a default SSL certificate, you must also configure each external Smart Proxy server with a distinct default SSL certificate. For more information, see Configuring Smart Proxy server with a default SSL certificate.
-
If you use a custom SSL certificate, you must also configure each external Smart Proxy server with a distinct custom SSL certificate. For more information, see Configuring Smart Proxy server with a custom SSL certificate.
2.6.1. Configuring Smart Proxy server with a default SSL certificate
Use this section to configure Smart Proxy server with an SSL certificate that is signed by Foreman server default Certificate Authority (CA).
-
Smart Proxy server is registered to Foreman server. For more information, see Registering to Foreman server.
-
Smart Proxy server packages are installed. For more information, see Installing Smart Proxy server Packages.
-
On Foreman server, to store all the source certificate files for your Smart Proxy server, create a directory that is accessible only to the
root
user, for example/root/smart-proxy_cert
:# mkdir /root/smart-proxy_cert
-
On Foreman server, generate the
/root/smart-proxy_cert/smartproxy.example.com-certs.tar
certificate archive for your Smart Proxy server:# foreman-proxy-certs-generate \ --foreman-proxy-fqdn smartproxy.example.com \ --certs-tar /root/smart-proxy_cert/smartproxy.example.com-certs.tar
Retain a copy of the
foreman-installer
command that theforeman-proxy-certs-generate
command returns for deploying the certificate to your Smart Proxy server.Example output offoreman-proxy-certs-generate
output omitted foreman-installer --scenario foreman-proxy-content \ --certs-tar-file "/root/smart-proxy_cert/smartproxy.example.com-certs.tar" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://foreman.example.com" \ --foreman-proxy-trusted-hosts "foreman.example.com" \ --foreman-proxy-trusted-hosts "smartproxy.example.com" \ --foreman-proxy-oauth-consumer-key "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f" \ --foreman-proxy-oauth-consumer-secret "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"
-
On Foreman server, copy the certificate archive file to your Smart Proxy server:
# scp /root/smart-proxy_cert/smartproxy.example.com-certs.tar \ root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar
-
On Smart Proxy server, to deploy the certificate, enter the
foreman-installer
command that theforeman-proxy-certs-generate
command returns.When network connections or ports to Foreman are not yet open, you can set the
--foreman-proxy-register-in-foreman
option tofalse
to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set totrue
when the network and firewalls are correctly configured.ImportantDo not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.
2.6.2. Configuring Smart Proxy server with a custom SSL certificate
If you configure Foreman server to use a custom SSL certificate, you must also configure each of your external Smart Proxy servers with a distinct custom SSL certificate.
To configure your Smart Proxy server with a custom certificate, complete the following procedures on each Smart Proxy server:
Creating a custom SSL certificate for Smart Proxy server
On Foreman server, create a custom certificate for your Smart Proxy server. If you already have a custom SSL certificate for Smart Proxy server, skip this procedure.
-
To store all the source certificate files, create a directory that is accessible only to the
root
user:# mkdir /root/smart-proxy_cert
-
Create a private key with which to sign the certificate signing request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Smart Proxy server, skip this step.
# openssl genrsa -out
/root/smart-proxy_cert/smart-proxy_cert_key.pem
4096 -
Create the
/root/smart-proxy_cert/openssl.cnf
configuration file for the CSR and include the following content:[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] commonName = smartproxy.example.com [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection subjectAltName = @alt_names [ alt_names ] DNS.1 = smartproxy.example.com
-
Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the
[ req_distinguished_name ]
section:[req_distinguished_name] CN = smartproxy.example.com countryName =My_Country_Name (1) stateOrProvinceName = My_State_Or_Province_Name (2) localityName = My_Locality_Name (3) organizationName = My_Organization_Or_Company_Name organizationalUnitName = My_Organizational_Unit_Name (4)
-
Two letter code
-
Full name
-
Full name (example: New York)
-
Division responsible for the certificate (example: IT department)
-
-
Generate CSR:
# openssl req -new \ -key /root/smart-proxy_cert/smart-proxy_cert_key.pem \ (1) -config /root/smart-proxy_cert/openssl.cnf \ (2) -out /root/smart-proxy_cert/smart-proxy_cert_csr.pem (3)
-
Path to the private key
-
Path to the configuration file
-
Path to the CSR to generate
-
-
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Foreman server and Smart Proxy server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
Deploying a custom SSL certificate to Smart Proxy server
Use this procedure to configure your Smart Proxy server with a custom SSL certificate signed by a Certificate Authority.
The foreman-installer
command, which the foreman-proxy-certs-generate
command returns, is unique to each Smart Proxy server.
Do not use the same command on more than one Smart Proxy server.
-
Foreman server is configured with a custom certificate. For more information, see Configuring Foreman server with a Custom SSL Certificate in Installing Foreman Server with Katello 4.12 plugin on Enterprise Linux.
-
Smart Proxy server is registered to Foreman server. For more information, see Registering to Foreman server.
-
Smart Proxy server packages are installed. For more information, see Installing Smart Proxy server Packages.
-
On your Foreman server, generate a certificate bundle:
# foreman-proxy-certs-generate \ --foreman-proxy-fqdn smartproxy.example.com \ --certs-tar ~/smartproxy.example.com-certs.tar \ --server-cert /root/smart-proxy_cert/smart-proxy_cert.pem \ (1) --server-key /root/smart-proxy_cert/smart-proxy_cert_key.pem \ (2) --server-ca-cert /root/smart-proxy_cert/ca_cert_bundle.pem (3)
-
Path to Smart Proxy server certificate file that is signed by a Certificate Authority.
-
Path to the private key that was used to sign Smart Proxy server certificate.
-
Path to the Certificate Authority bundle.
-
-
Retain a copy of the
foreman-installer
command that theforeman-proxy-certs-generate
command returns for deploying the certificate to your Smart Proxy server.Example output offoreman-proxy-certs-generate
output omitted foreman-installer --scenario foreman-proxy-content \ --certs-tar-file "/root/smartproxy.example.com-certs.tar" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://foreman.example.com" \ --foreman-proxy-trusted-hosts "foreman.example.com" \ --foreman-proxy-trusted-hosts "smartproxy.example.com" \ --foreman-proxy-oauth-consumer-key "My_OAuth_Consumer_Key" \ --foreman-proxy-oauth-consumer-secret "My_OAuth_Consumer_Secret"
-
On your Foreman server, copy the certificate archive file to your Smart Proxy server:
# scp ~/smartproxy.example.com-certs.tar \ root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar
-
On your Smart Proxy server, to deploy the certificate, enter the
foreman-installer
command that theforeman-proxy-certs-generate
command returns.If network connections or ports to Foreman are not yet open, you can set the
--foreman-proxy-register-in-foreman
option tofalse
to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set totrue
when the network and firewalls are correctly configured.ImportantDo not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.
Deploying a SSL certificate to hosts
After you configure Foreman to use a SSL certificate, you must deploy the certificate to hosts registered to Foreman.
-
Update the SSL certificate on each host:
-
On Debian and Ubuntu:
# wget http://smartproxy.example.com/pub/katello-rhsm-consumer # chmod +x katello-rhsm-consumer # ./katello-rhsm-consumer
-
On Enterprise Linux 8+:
# dnf install http://smartproxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm
-
On Enterprise Linux 7:
# yum install http://smartproxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm
-
On OpenSUSE and SUSE Linux Enterprise Server:
# zypper install http://smartproxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm
-
2.7. Resetting SSL certificate to default self-signed certificate on Smart Proxy server
To reset the SSL certificate to default self-signed certificate on your Smart Proxy server, you must re-register your Smart Proxy server through Global Registration. For more information, see Registering hosts by using global registration in Managing hosts.
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies and select any Smart Proxy server.
-
On the Overview tab, click Refresh features.
-
Reset SSL certificate to default self-signed certificate on Foreman server in Installing Foreman Server with Katello 4.12 plugin on Enterprise Linux.
-
Reset SSL certificate to default self-signed certificate on hosts in Managing hosts.
2.8. Assigning the correct organization and location to Smart Proxy server in the Foreman web UI
After installing Smart Proxy server packages, if there is more than one organization or location, you must assign the correct organization and location to Smart Proxy to make Smart Proxy visible in the Foreman web UI.
-
Log into the Foreman web UI.
-
From the Organization list in the upper-left of the screen, select Any Organization.
-
From the Location list in the upper-left of the screen, select Any Location.
-
In the Foreman web UI, navigate to Hosts > All Hosts and select Smart Proxy server.
-
From the Select Actions list, select Assign Organization.
-
From the Organization list, select the organization where you want to assign this Smart Proxy.
-
Click Fix Organization on Mismatch.
-
Click Submit.
-
Select Smart Proxy server. From the Select Actions list, select Assign Location.
-
From the Location list, select the location where you want to assign this Smart Proxy.
-
Click Fix Location on Mismatch.
-
Click Submit.
-
In the Foreman web UI, navigate to Administer > Organizations and click the organization to which you have assigned Smart Proxy.
-
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.
-
In the Foreman web UI, navigate to Administer > Locations and click the location to which you have assigned Smart Proxy.
-
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.
Optionally, you can verify if Smart Proxy server is correctly listed in the Foreman web UI.
-
Select the organization from the Organization list.
-
Select the location from the Location list.
-
In the Foreman web UI, navigate to Hosts > All Hosts.
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
3. Performing additional configuration on Smart Proxy server
After installation, you can configure additional settings on your Smart Proxy server.
3.1. Configuring Smart Proxy for host registration and provisioning
Use this procedure to configure Smart Proxy so that you can register and provision hosts using your Smart Proxy server instead of your Foreman server.
-
On Foreman server, add the Smart Proxy to the list of trusted proxies.
This is required for Foreman to recognize hosts' IP addresses forwarded over the
X-Forwarded-For
HTTP header set by Smart Proxy. For security reasons, Foreman recognizes this HTTP header only from localhost by default. You can enter trusted proxies as valid IPv4 or IPv6 addresses of Smart Proxies, or network ranges.WarningDo not use a network range that is too wide, because that poses a potential security risk. Enter the following command. Note that the command overwrites the list that is currently stored in Foreman. Therefore, if you have set any trusted proxies previously, you must include them in the command as well:
# foreman-installer \ --foreman-trusted-proxies "127.0.0.1/8" \ --foreman-trusted-proxies "::1" \ --foreman-trusted-proxies "My_IP_address" \ --foreman-trusted-proxies "My_IP_range"
The localhost entries are required, do not omit them.
-
List the current trusted proxies using the full help of Foreman installer:
# foreman-installer --full-help | grep -A 2 "trusted-proxies"
-
The current listing contains all trusted proxies you require.
3.2. Enabling remote execution
Use this procedure to enable remote execution on your Smart Proxy server. To learn more about remote execution, see Configuring and Setting Up Remote Jobs in Managing hosts.
-
Enable remote execution with
foreman-installer
:# foreman-installer --enable-foreman-proxy-plugin-remote-execution-script
3.3. Configuring pull-based transport for remote execution
By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Smart Proxy server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Smart Proxy server. The use of pull-based transport is not limited to those infrastructures.
The pull-based transport comprises pull-mqtt
mode on Smart Proxies in combination with a pull client running on hosts.
Note
|
The |
The mode is configured per Smart Proxy server.
Some Smart Proxy servers can be configured to use pull-mqtt
mode while others use SSH.
If this is the case, it is possible that one remote job on a given host will use the pull client and the next job on the same host will use SSH.
If you wish to avoid this scenario, configure all Smart Proxy servers to use the same mode.
-
Enable the pull-based transport on your Smart Proxy server:
# foreman-installer --foreman-proxy-plugin-remote-execution-script-mode=pull-mqtt
-
Configure the firewall to allow the MQTT service on port 1883:
# firewall-cmd --add-service=mqtt
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
In
pull-mqtt
mode, hosts subscribe for job notifications to either your Foreman server or any Smart Proxy server through which they are registered. Ensure that Foreman server sends remote execution jobs to that same Foreman server or Smart Proxy server:-
In the Foreman web UI, navigate to Administer > Settings.
-
On the Content tab, set the value of Prefer registered through Smart Proxy for remote execution to Yes.
-
-
Configure your hosts for the pull-based transport. For more information, see Transport modes for remote execution in Managing hosts.
3.4. Enabling OpenSCAP on Smart Proxy servers
On Foreman server and the integrated Smart Proxy of your Foreman server, OpenSCAP is enabled by default. To use the OpenSCAP plugin and content on external Smart Proxies, you must enable OpenSCAP on each Smart Proxy.
-
To enable OpenSCAP, enter the following command:
# foreman-installer \ --enable-foreman-proxy-plugin-openscap \ --foreman-proxy-plugin-openscap-ansible-module true \ --foreman-proxy-plugin-openscap-puppet-module true
If you want to use Puppet to deploy compliance policies, you must enable it first. For more information, see Configuring hosts using Puppet.
3.5. Adding lifecycle environments to Smart Proxy servers
If your Smart Proxy server has the content functionality enabled, you must add an environment so that Smart Proxy can synchronize content from Foreman server and provide content to host systems.
Do not assign the Library lifecycle environment to your Smart Proxy server because it triggers an automated Smart Proxy sync every time the CDN updates a repository. This might consume multiple system resources on Smart Proxies, network bandwidth between Foreman and Smart Proxies, and available disk space on Smart Proxies.
You can use Hammer CLI on Foreman server or the Foreman web UI.
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies, and select the Smart Proxy that you want to add a lifecycle to.
-
Click Edit and click the Lifecycle Environments tab.
-
From the left menu, select the lifecycle environments that you want to add to Smart Proxy and click Submit.
-
To synchronize the content on the Smart Proxy, click the Overview tab and click Synchronize.
-
Select either Optimized Sync or Complete Sync.
For definitions of each synchronization type, see Recovering a Repository.
-
To display a list of all Smart Proxy servers, on Foreman server, enter the following command:
# hammer proxy list
Note the Smart Proxy ID of the Smart Proxy to which you want to add a lifecycle.
-
Using the ID, verify the details of your Smart Proxy:
# hammer proxy info \ --id Mysmart-proxy_ID_
-
To view the lifecycle environments available for your Smart Proxy server, enter the following command and note the ID and the organization name:
# hammer proxy content available-lifecycle-environments \ --id Mysmart-proxy_ID_
-
Add the lifecycle environment to your Smart Proxy server:
# hammer proxy content add-lifecycle-environment \ --id Mysmart-proxy_ID_ \ --lifecycle-environment-id My_Lifecycle_Environment_ID --organization "My_Organization"
Repeat for each lifecycle environment you want to add to Smart Proxy server.
-
Synchronize the content from Foreman to Smart Proxy.
-
To synchronize all content from your Foreman server environment to Smart Proxy server, enter the following command:
# hammer proxy content synchronize \ --id Mysmart-proxy_ID_
-
To synchronize a specific lifecycle environment from your Foreman server to Smart Proxy server, enter the following command:
# hammer proxy content synchronize \ --id Mysmart-proxy_ID_ --lifecycle-environment-id My_Lifecycle_Environment_ID
-
To synchronize all content from your Foreman server to your Smart Proxy server without checking metadata:
# hammer proxy content synchronize \ --id Mysmart-proxy_ID_ \ --skip-metadata-check true
This equals selecting Complete Sync in the Foreman web UI.
-
3.6. Enabling power management on hosts
To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Smart Proxy server.
-
All hosts must have a network interface of BMC type. Smart Proxy server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing hosts.
-
To enable BMC, enter the following command:
# foreman-installer \ --foreman-proxy-bmc "true" \ --foreman-proxy-bmc-default-provider "freeipmi"
3.7. Configuring DNS, DHCP, and TFTP on Smart Proxy server
To configure the DNS, DHCP, and TFTP services on Smart Proxy server, use the foreman-installer
command with the options appropriate for your environment.
Any changes to the settings require entering the foreman-installer
command again.
You can enter the command multiple times and each time it updates all configuration files with the changed values.
-
You must have the correct network name (
dns-interface
) for the DNS server. -
You must have the correct interface name (
dhcp-interface
) for the DHCP server. -
Contact your network administrator to ensure that you have the correct settings.
-
Enter the
foreman-installer
command with the options appropriate for your environment. The following example shows configuring full provisioning services:# foreman-installer \ --foreman-proxy-dns true \ --foreman-proxy-dns-managed true \ --foreman-proxy-dns-zone example.com \ --foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-managed true \ --foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \ --foreman-proxy-dhcp-gateway 192.0.2.1 \ --foreman-proxy-dhcp-nameservers 192.0.2.2 \ --foreman-proxy-tftp true \ --foreman-proxy-tftp-managed true \ --foreman-proxy-tftp-servername 192.0.2.3
You can monitor the progress of the foreman-installer
command displayed in your prompt.
You can view the logs in /var/log/foreman-installer/katello.log
.
-
For more information about the
foreman-installer
command, enterforeman-installer --help
. -
For more information about configuring DNS, DHCP, and TFTP externally, see Configuring Smart Proxy server with external services.
-
For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning hosts.
4. Configuring Smart Proxy server with external services
If you do not want to configure the DNS, DHCP, and TFTP services on Smart Proxy server, use this section to configure your Smart Proxy server to work with external DNS, DHCP, and TFTP services.
4.1. Configuring Smart Proxy server with external DNS
You can configure Smart Proxy server with external DNS.
Smart Proxy server uses the nsupdate
utility to update DNS records on the remote server.
To make any changes persistent, you must enter the foreman-installer
command with the options appropriate for your environment.
-
You must have a configured external DNS server.
-
This guide assumes you have an existing installation.
-
Copy the
/etc/rndc.key
file from the external DNS server to Smart Proxy server:# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
-
Configure the ownership, permissions, and SELinux context:
# restorecon -v /etc/foreman-proxy/rndc.key # chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key # chmod -v 640 /etc/foreman-proxy/rndc.key
-
To test the
nsupdate
utility, add a host remotely:# echo -e "server DNS_IP_Address\n \ update add aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key # nslookup aaa.example.com DNS_IP_Address # echo -e "server DNS_IP_Address\n \ update delete aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dns.yml
file:# foreman-installer --foreman-proxy-dns=true \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="DNS_IP_Address" \ --foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
Locate the Smart Proxy server and select Refresh from the list in the Actions column.
-
Associate the DNS service with the appropriate subnets and domain.
4.2. Configuring Smart Proxy server with external DHCP
To configure Smart Proxy server with external DHCP, you must complete the following procedures:
4.2.1. Configuring an external DHCP server to use with Smart Proxy server
To configure an external DHCP server running Enterprise Linux to use with Smart Proxy server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with Smart Proxy server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
Note
|
If you use dnsmasq as an external DHCP server, enable the |
If you do not use firewall-cmd
to configure the Linux firewall, implement using the command of your choice.
-
On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
# dnf install dhcp-server bind-utils
-
Generate a security token:
# tsig-keygen -a hmac-md5 omapi_key
-
Edit the
dhcpd
configuration file for all subnets and add the key generated bytsig-keygen
. The following is an example:# cat /etc/dhcp/dhcpd.conf default-lease-time 604800; max-lease-time 2592000; log-facility local7; subnet 192.168.38.0 netmask 255.255.255.0 { range 192.168.38.10 192.168.38.100; option routers 192.168.38.1; option subnet-mask 255.255.255.0; option domain-search "virtual.lan"; option domain-name "virtual.lan"; option domain-name-servers 8.8.8.8; } omapi-port 7911; key omapi_key { algorithm hmac-md5; secret "My_Secret"; }; omapi-key omapi_key;
Note that the
option routers
value is the IP address of your Foreman server or Smart Proxy server that you want to use with an external DHCP service. -
On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.
To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Foreman web UI define the reservation range as 192.168.38.101 to 192.168.38.250.
-
Configure the firewall for external access to the DHCP server:
# firewall-cmd --add-service dhcp
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
On Foreman server, determine the UID and GID of the
foreman
user:# id -u foreman 993 # id -g foreman 990
-
On the DHCP server, create the
foreman
user and group with the same IDs as determined in a previous step:# groupadd -g 990 foreman # useradd -u 993 -g 990 -s /sbin/nologin foreman
-
To ensure that the configuration files are accessible, restore the read and execute flags:
# chmod o+rx /etc/dhcp/ # chmod o+r /etc/dhcp/dhcpd.conf # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
-
Enable and start the DHCP service:
# systemctl enable --now dhcpd
-
Export the DHCP configuration and lease files using NFS:
# dnf install nfs-utils # systemctl enable --now nfs-server
-
Create directories for the DHCP configuration and lease files that you want to export using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
-
To create mount points for the created directories, add the following line to the
/etc/fstab
file:/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
-
Mount the file systems in
/etc/fstab
:# mount -a
-
Ensure the following lines are present in
/etc/exports
:/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Note that the IP address that you enter is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.
-
Reload the NFS server:
# exportfs -rva
-
Configure the firewall for DHCP omapi port 7911:
# firewall-cmd --add-port=7911/tcp
-
Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.
# firewall-cmd \ --add-service mountd \ --add-service nfs \ --add-service rpc-bind \ --zone public
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
4.2.2. Configuring Foreman server with an external DHCP server
You can configure Smart Proxy server with an external DHCP server.
-
Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Smart Proxy server. For more information, see Configuring an external DHCP server to use with Smart Proxy server.
-
Install the
nfs-utils
package:# dnf install nfs-utils
-
Create the DHCP directories for NFS:
# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
-
Change the file owner:
# chown -R foreman-proxy /mnt/nfs
-
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
# showmount -e DHCP_Server_FQDN # rpcinfo -p DHCP_Server_FQDN
-
Add the following lines to the
/etc/fstab
file:DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0 DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
-
Mount the file systems on
/etc/fstab
:# mount -a
-
To verify that the
foreman-proxy
user can access the files that are shared over the network, display the DHCP configuration and lease files:# su foreman-proxy -s /bin/bash $ cat /mnt/nfs/etc/dhcp/dhcpd.conf $ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases $ exit
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dhcp.yml
file:# foreman-installer \ --enable-foreman-proxy-plugin-dhcp-remote-isc \ --foreman-proxy-dhcp-provider=remote_isc \ --foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \ --foreman-proxy-dhcp=true \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \ --foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \ --foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \ --foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911
-
Associate the DHCP service with the appropriate subnets and domain.
4.3. Configuring Smart Proxy server with external TFTP
You can configure Smart Proxy server with external TFTP services.
-
Create the TFTP directory for NFS:
# mkdir -p /mnt/nfs/var/lib/tftpboot
-
In the
/etc/fstab
file, add the following line:TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
-
Mount the file systems in
/etc/fstab
:# mount -a
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/tftp.yml
file:# foreman-installer \ --foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \ --foreman-proxy-tftp=true
-
If the TFTP service is running on a different server than the DHCP service, update the
tftp_servername
setting with the FQDN or IP address of the server that the TFTP service is running on:# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
Locate the Smart Proxy server and select Refresh from the list in the Actions column.
-
Associate the TFTP service with the appropriate subnets and domain.
4.4. Configuring Smart Proxy server with external IdM DNS
When Foreman server adds a DNS record for a host, it first determines which Smart Proxy is providing DNS for that domain. It then communicates with the Smart Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Foreman or Smart Proxy that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.
Smart Proxy server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service.
To configure Smart Proxy server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:
To revert to internal DNS service, use the following procedure:
Note
|
You are not required to use Smart Proxy server to manage DNS.
When you are using the realm enrollment feature of Foreman, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client.
Configuring Smart Proxy server with external IdM DNS and realm enrollment are mutually exclusive.
For more information about configuring realm enrollment, see
External Authentication for Provisioned Hosts in Installing Foreman Server with Katello 4.12 plugin on Enterprise Linux.
|
4.4.1. Configuring dynamic DNS update with GSS-TSIG authentication
You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Smart Proxy server base operating system.
-
You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
-
You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.
To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:
-
Obtain a Kerberos ticket for the account obtained from the IdM administrator:
# kinit idm_user
-
Create a new Kerberos principal for Smart Proxy server to use to authenticate on the IdM server:
# ipa service-add smartproxy.example.com
-
On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the
ipa-client
package:# dnf install ipa-client
-
Configure the IdM client by running the installation script and following the on-screen prompts:
# ipa-client-install
-
Obtain a Kerberos ticket:
# kinit admin
-
Remove any preexisting
keytab
:# rm /etc/foreman-proxy/dns.keytab
-
Obtain the
keytab
for this system:# ipa-getkeytab -p smartproxy/foreman.example.com@EXAMPLE.COM \ -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
NoteWhen adding a keytab to a standby system with the same host name as the original system in service, add the
r
option to prevent generating new credentials and rendering the credentials on the original system invalid. -
For the
dns.keytab
file, set the group and owner toforeman-proxy
:# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
-
Optional: To verify that the
keytab
file is valid, enter the following command:# kinit -kt /etc/foreman-proxy/dns.keytab \ smartproxy/foreman.example.com@EXAMPLE.COM
-
Create and configure the zone that you want to manage:
-
Navigate to Network Services > DNS > DNS Zones.
-
Select Add and enter the zone name. For example,
example.com
. -
Click Add and Edit.
-
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
-
Set Dynamic update to True.
-
Enable Allow PTR sync.
-
Click Save to save the changes.
-
-
Create and configure the reverse zone:
-
Navigate to Network Services > DNS > DNS Zones.
-
Click Add.
-
Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
-
Click Add and Edit.
-
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
-
Set Dynamic update to True.
-
Click Save to save the changes.
-
-
Configure your Foreman server or Smart Proxy server to connect to your DNS service:
# foreman-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate_gss \ --foreman-proxy-dns-server="idm1.example.com" \ --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \ --foreman-proxy-dns-tsig-principal="smartproxy/foreman.example.com@EXAMPLE.COM" \ --foreman-proxy-dns=true
-
For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI:
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies, locate the Smart Proxy server, and from the list in the Actions column, select Refresh.
-
Configure the domain:
-
In the Foreman web UI, navigate to Infrastructure > Domains and select the domain name.
-
In the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
-
-
Configure the subnet:
-
In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
-
In the Subnet tab, set IPAM to None.
-
In the Domains tab, select the domain that you want to manage using the IdM server.
-
In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
-
Click Submit to save the changes.
-
-
4.4.2. Configuring dynamic DNS update with TSIG authentication
You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key
key file for authentication.
The TSIG protocol is defined in RFC2845.
-
You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-
You must obtain
root
user access on the IdM server. -
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
-
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
-
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.
To configure dynamic DNS update with TSIG authentication, complete the following steps:
-
On the IdM Server, add the following to the top of the
/etc/named.conf
file:######################################################################## include "/etc/rndc.key"; controls { inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; }; }; ########################################################################
-
Reload the
named
service to make the changes take effect:# systemctl reload named
-
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
-
Add the following in the
BIND update policy
box:grant "rndc-key" zonesub ANY;
-
Set Dynamic update to True.
-
Click Update to save the changes.
-
-
Copy the
/etc/rndc.key
file from the IdM server to the base operating system of your Foreman server. Enter the following command:# scp /etc/rndc.key root@foreman.example.com:/etc/rndc.key
-
To set the correct ownership, permissions, and SELinux context for the
rndc.key
file, enter the following command:# restorecon -v /etc/rndc.key # chown -v root:named /etc/rndc.key # chmod -v 640 /etc/rndc.key
-
Assign the
foreman-proxy
user to thenamed
group manually. Normally, foreman-installer ensures that theforeman-proxy
user belongs to thenamed
UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign theforeman-proxy
user to thenamed
group manually.# usermod -a -G named foreman-proxy
-
On Foreman server, enter the following
foreman-installer
command to configure Foreman to use the external DNS server:# foreman-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="IdM_Server_IP_Address" \ --foreman-proxy-dns-ttl=86400 \ --foreman-proxy-dns=true \ --foreman-proxy-keyfile=/etc/rndc.key
-
Ensure that the key in the
/etc/rndc.key
file on Foreman server is the same key file that is used on the IdM server:key "rndc-key" { algorithm hmac-md5; secret "secret-key=="; };
-
On Foreman server, create a test DNS entry for a host. For example, host
test.example.com
with an A record of192.168.25.20
on the IdM server at192.168.25.1
.# echo -e "server 192.168.25.1\n \ update add test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
-
On Foreman server, test the DNS entry:
# nslookup test.example.com 192.168.25.1 Server: 192.168.25.1 Address: 192.168.25.1#53 Name: test.example.com Address: 192.168.25.20
-
To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.
-
If resolved successfully, remove the test DNS entry:
# echo -e "server 192.168.25.1\n \ update delete test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
-
Confirm that the DNS entry was removed:
# nslookup test.example.com 192.168.25.1
The above
nslookup
command fails and returns theSERVFAIL
error message if the record was successfully deleted.
4.4.3. Reverting to internal DNS service
You can revert to using Foreman server and Smart Proxy server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Foreman server.
On the Foreman or Smart Proxy server that you want to configure to manage DNS service for the domain, complete the following steps:
-
If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the
foreman-installer
command:# foreman-installer
-
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Foreman or Smart Proxy as DNS server without using an answer file, enter the following
foreman-installer
command on Foreman or Smart Proxy:# foreman-installer \ --foreman-proxy-dns-managed=true \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="127.0.0.1" \ --foreman-proxy-dns=true
For more information, see Configuring DNS, DHCP, and TFTP on Smart Proxy server.
After you run the foreman-installer
command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
For each Smart Proxy that you want to update, from the Actions list, select Refresh.
-
Configure the domain:
-
In the Foreman web UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
-
In the Domain tab, set DNS Smart Proxy to the Smart Proxy where the subnet is connected.
-
-
Configure the subnet:
-
In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
-
In the Subnet tab, set IPAM to DHCP or Internal DB.
-
In the Domains tab, select the domain that you want to manage using Foreman or Smart Proxy.
-
In the Smart Proxies tab, set Reverse DNS Smart Proxy to the Smart Proxy where the subnet is connected.
-
Click Submit to save the changes.
-
5. Managing DHCP using Smart Proxy
Foreman can integrate with a DHCP service using your Smart Proxy. A Smart Proxy has multiple DHCP providers that you can use to integrate Foreman with your existing DHCP infrastructure or deploy a new one. You can use the DHCP module of Smart Proxy to query for available IP addresses, add new, and delete existing reservations. Note that your Smart Proxy cannot manage subnet declarations.
-
dhcp_infoblox
– For more information, see Using Infoblox as DHCP and DNS Providers in Provisioning hosts. -
dhcp_isc
– ISC DHCP server over OMAPI. For more information, see Configuring DNS, DHCP, and TFTP on Smart Proxy server in Installing a Smart Proxy Server 3.10 on Enterprise Linux. -
dhcp_remote_isc
– ISC DHCP server over OMAPI with leases mounted through networking. For more information, see Configuring an External DHCP Server to Use with Smart Proxy server in Installing a Smart Proxy Server 3.10 on Enterprise Linux. -
dhcp_libvirt
– dnsmasq DHCP via libvirt API
5.1. Configuring dhcp_libvirt
The dhcp_libvirt plugin manages IP reservations and leases using dnsmasq
through the libvirt API.
It uses ruby-libvirt
to connect to the local or remote instance of libvirt daemon.
-
You can use
foreman-installer
to configuredhcp_libvirt
:foreman-installer \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-provider libvirt \ --foreman-proxy-libvirt-network default \ --foreman-proxy-libvirt-network qemu:///system
5.2. Securing the dhcpd API
Smart Proxy interacts with DHCP daemon using the dhcpd API to manage DHCP.
By default, the dhcpd API listens to any host without access control.
You can add an omapi_key
to provide basic security.
-
On your Smart Proxy, install the required packages:
# dnf install bind-utils
-
Generate a key:
# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key # cat Komapi_key.+*.private | grep ^Key|cut -d ' ' -f2-
-
Use
foreman-installer
to secure the dhcpd API:# foreman-installer \ --foreman-proxy-dhcp-key-name "My_Name" \ --foreman-proxy-dhcp-key-secret "My_Secret"
6. Managing DNS using Smart Proxy
Foreman can manage DNS records using your Smart Proxy. DNS management contains updating and removing DNS records from existing DNS zones. A Smart Proxy has multiple DNS providers that you can use to integrate Foreman with your existing DNS infrastructure or deploy a new one.
After you have enabled DNS, your Smart Proxy can manipulate any DNS server that complies with RFC 2136 using the dns_nsupdate
provider.
Other providers provide more direct integration, such as dns_infoblox
for Infoblox.
-
dns_infoblox
– For more information, see Using Infoblox as DHCP and DNS Providers in Provisioning hosts. -
dns_libvirt
– Dnsmasq DNS via libvirt API. For more information, see Configuring dns_libvirt. -
dns_nsupdate
– Dynamic DNS update using nsupdate. For more information, see Using Infoblox as DHCP and DNS Providers in Provisioning hosts. -
dns_nsupdate_gss
– Dynamic DNS update with GSS-TSIG. For more information, see Configuring dynamic DNS update with GSS-TSIG authentication. -
dns_powerdns
– PowerDNS. For more information, see Configuring dns_powerdns.
For more information, see List of DNS plugins
6.1. Configuring dns_libvirt
The dns_libvirt DNS provider manages DNS records using dnsmasq through the libvirt API.
It uses ruby-libvirt
gem to connect to the local or a remote instance of libvirt daemon.
-
You can use
foreman-installer
to configuredns_libvirt
:# foreman-installer \ --foreman-proxy-dns true \ --foreman-proxy-dns-provider libvirt \ --foreman-proxy-libvirt-network default \ --foreman-proxy-libvirt-url qemu:///system
Note that you can only use one network and URL for both dns_libvirt and dhcp_libvirt.
6.2. Configuring dns_powerdns
The dns_powerdns DNS provider manages DNS records using the PowerDNS REST API.
-
You can use
foreman-installer
to configuredns_powerdns
:# foreman-installer \ --foreman-proxy-dns true \ --foreman-proxy-dns-provider powerdns \ --enable-foreman-proxy-plugin-dns-powerdns \ --foreman-proxy-plugin-dns-powerdns-rest-api-key api_key \ --foreman-proxy-plugin-dns-powerdns-rest-url http://localhost:8081/api/v1/servers/localhost
6.3. Configuring dns_route53
Route 53 is a DNS provider by Amazon. For more information, see aws.amazon.com/route53.
-
Enable Route 53 DNS on your Smart Proxy:
# foreman-installer \ --enable-foreman-proxy-plugin-dns-route53 \ --foreman-proxy-dns true \ --foreman-proxy-dns-provider route53 \ --foreman-proxy-plugin-dns-route53-aws-access-key My_AWS_Access_Key \ --foreman-proxy-plugin-dns-route53-aws-secret-key My_AWS_Secret_Key
Appendix A: Smart Proxy server scalability considerations
The maximum number of Smart Proxy servers that Foreman server can support has no fixed limit. It was tested that a Foreman server can support 17 Smart Proxy servers with 2 vCPUs. However, scalability is highly variable, especially when managing Puppet clients.
Smart Proxy server scalability when managing Puppet clients depends on the number of CPUs, the run-interval distribution, and the number of Puppet managed resources. Smart Proxy server has a limitation of 100 concurrent Puppet agents running at any single point in time. Running more than 100 concurrent Puppet agents results in a 503 HTTP error.
For example, assuming that Puppet agent runs are evenly distributed with less than 100 concurrent Puppet agents running at any single point during a run-interval, a Smart Proxy server with 4 CPUs has a maximum of 1250 – 1600 Puppet clients with a moderate workload of 10 Puppet classes assigned to each Puppet client. Depending on the number of Puppet clients required, the Foreman installation can scale out the number of Smart Proxy servers to support them.
If you want to scale your Smart Proxy server when managing Puppet clients, the following assumptions are made:
-
There are no external Puppet clients reporting directly to the Foreman integrated Smart Proxy.
-
All other Puppet clients report directly to an external Smart Proxy.
-
There is an evenly distributed run-interval of all Puppet agents.
Note
|
Deviating from the even distribution increases the risk of overloading Foreman server. The limit of 100 concurrent requests applies. |
The following table describes the scalability limits using the recommended 4 CPUs.
Puppet Managed Resources per Host | Run-Interval Distribution |
---|---|
1 |
3000 – 2500 |
10 |
2400 – 2000 |
20 |
1700 – 1400 |
The following table describes the scalability limits using the minimum 2 CPUs.
Puppet Managed Resources per Host | Run-Interval Distribution |
---|---|
1 |
1700 – 1450 |
10 |
1500 – 1250 |
20 |
850 – 700 |
Appendix B: Troubleshooting DNF modules
If DNF modules fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows. List the enabled modules:
# dnf module list --enabled
Ruby
If Ruby module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:
List the enabled modules:
# dnf module list --enabled
If the Ruby 2.5 module has already been enabled, perform a module reset:
# dnf module reset ruby
PostgreSQL
If PostgreSQL module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:
List the enabled modules:
# dnf module list --enabled
If the PostgreSQL 10 module has already been enabled, perform a module reset:
# dnf module reset postgresql
If a database was previously created using PostgreSQL 10, perform an upgrade:
-
Enable the DNF modules:
# dnf module enable katello:el8
-
Install the PostgreSQL upgrade package:
# dnf install postgresql-upgrade
-
Perform the upgrade:
# postgresql-setup --upgrade
Appendix C: dhcp_isc settings
The dhcp_isc provider uses a combination of the ISC DHCP server OMAPI management interface and parsing of configuration and lease files.
This requires it to be run on the same host as the DHCP server.
The following settings are defined in dhcp_isc.yml
:
:config: /etc/dhcp/dhcpd.conf :leases: /var/lib/dhcpd/dhcpd.leases
:key_name: My_OMAPI_Key :key_secret: My_Key_Secret
:omapi_port: My_DHCP_Server_Port # default: 7911
The server is defined in dhcp.yml
:
:server: My_DHCP_Server_FQDN
Appendix D: DHCP options for network configuration
- --foreman-proxy-dhcp
-
Enables the DHCP service. You can set this option to
true
orfalse
. - --foreman-proxy-dhcp-managed
-
Enables Foreman to manage the DHCP service. You can set this option to
true
orfalse
. - --foreman-proxy-dhcp-gateway
-
The DHCP pool gateway. Set this to the address of the external gateway for hosts on your private network.
- --foreman-proxy-dhcp-interface
-
Sets the interface for the DHCP service to listen for requests. Set this to
eth1
. - --foreman-proxy-dhcp-nameservers
-
Sets the addresses of the nameservers provided to clients through DHCP. Set this to the address for Foreman server on
eth1
. - --foreman-proxy-dhcp-range
-
A space-separated DHCP pool range for Discovered and Unmanaged services.
- --foreman-proxy-dhcp-server
-
Sets the address of the DHCP server to manage.
Run foreman-installer --help
to view more options related to DHCP and other Smart Proxy services.