1. Configuring DNS integration

Foreman can manage DNS records by using Smart Proxy. This DNS management contains updating and removing DNS records from existing DNS zones.

1.1. DNS service providers

Smart Proxy supports the following DNS providers that you can use to integrate Foreman with your existing DNS infrastructure or deploy a new one:

dns_nsupdate

Dynamic DNS updates on an RFC 2136-compatible DNS server by using the nsupdate utility. See:

dns_nsupdate_gss

Dynamic DNS updates on an RFC 2136-compatible DNS server by using the nsupdate utility with Generic Security Service algorithm for Transaction Signature (GSS-TSIG) authentication. See Integrating FreeIPA DNS with GSS-TSIG authentication.

dns_infoblox

Dynamic DNS updates on an Infoblox DNS server. See Integrating Infoblox DNS.

dns_libvirt

Dynamic DNS updates on a dnsmasq DNS server by using the libvirt API. See Integrating dnsmasq DNS by using the libvirt API.

dns_powerdns

Dynamic DNS updates on a PowerDNS server. See Integrating PowerDNS.

dns_route53

Dynamic DNS updates on an Amazon Route 53 DNS server. See Integrating Route 53 DNS.

1.2. Enabling the installer-managed DNS service

If you do not have a DNS server available in your network, you can use the installer-managed DNS service. This feature enables you to provide a DNS service with low maintenance overhead.

Perform the steps on the Foreman or Smart Proxy server that you want to configure to manage the DNS service for the domain.

Procedure

  1. Configure Foreman or Smart Proxy as DNS server:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider nsupdate \
--foreman-proxy-dns-managed true \
--reset-foreman-proxy-dns-server

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.3. Integrating a local self-managed DNS service

The installer exposes a limited feature set for the Foreman installer-managed DNS service. For example, you can configure only a single forward DNS zone. As an alternative to the installer-managed DNS service, you can run a DNS server locally on the Foreman or Smart Proxy server to bypass these limitations.

Perform the steps on the Foreman server or Smart Proxy server that runs the self-managed DNS service.

Prerequisites

  • You installed and configured a DNS service on the Foreman server or Smart Proxy server host.

  • The DNS service supports RFC 2136-compatible updates

Procedure

  1. Set the local, self-managed DNS service on your Foreman server or Smart Proxy server:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider nsupdate \
--foreman-proxy-dns-managed false \
--foreman-proxy-dns-server "127.0.0.1"

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.4. Integrating a generic RFC 2136-compatible remote DNS server

You can configure Foreman server to integrate a remote DNS server that supports dynamic updates as defined in RFC 2136. In this case, Foreman server uses the nsupdate utility to update DNS records on the remote server.

Prerequisites

  • The remote DNS service is configured and can be queried.

  • The remote DNS service supports RFC 2136-compatible dynamic updates

  • The Remote Name Daemon Control (RNDC) key file to connect to the remote DNS server is placed in /etc/foreman-proxy/rndc.key on your Foreman server or Smart Proxy server.

Procedure

  1. Update the permissions on /etc/foreman-proxy/rndc.key to enable members of the foreman-proxy group to read this file:

    # chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
# chmod -v 640 /etc/foreman-proxy/rndc.key

  2. Restore the SELinux context on /etc/foreman-proxy/rndc.key::

    # restorecon -v /etc/foreman-proxy/rndc.key

  3. Optional: Verify if you can use the key file to manually manage DNS entries:

    1. Create a test DNS entry. For example, host test.example.com with an A record of 192.168.25.20 on the DNS server at 192.168.25.1.

      # echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

    2. Verify that you can query the new DNS entry:

      # host test.example.com 192.168.25.1

      Example output:

      Using domain server:
Name: 192.168.25.1
Address: 192.168.25.1#53
Aliases:

test.example.com has address 192.168.25.20

    3. If resolved successfully, remove the test DNS entry:

      # echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

    4. Confirm that the DNS entry was removed:

      # host test.example.com 192.168.25.1

      If the command returns Host test.example.com not found: 3(NXDOMAIN), the record was successfully deleted.

  4. Configure Foreman server or Smart Proxy server to use the DNS server:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider nsupdate \
--foreman-proxy-dns-managed false \
--foreman-proxy-dns-server "dns_server_ip_address" \
--foreman-proxy-keyfile /etc/foreman-proxy/rndc.key

  5. For the affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.5. Integrating FreeIPA DNS with TSIG authentication

You can configure FreeIPA to use the secret key transaction authentication for DNS (TSIG) technology that uses a key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

  • The FreeIPA server is deployed and functional.

  • The firewall on the FreeIPA server allows access to the required ports. See Port requirements for FreeIPA in the Red Hat Enterprise Linux 9 Installing Identity Management guide.

  • You have root access on the FreeIPA server.

Procedure

  1. Perform the following steps on the FreeIPA Server:

    1. Insert the following settings at the top of the /etc/named.conf file:

      include "/etc/rndc.key";
controls {
    inet FreeIPA_server_ip_address port 953 allow { Foreman_ip_address; } keys { "rndc-key"; };
};

    2. Reload the named service:

      # systemctl reload named

  2. In the FreeIPA web UI:

    1. Navigate to Network Services > DNS > DNS Zones

    2. Click the name of the zone.

    3. Open the Settings tab.

    4. Enter in the BIND update policy field:

      grant "rndc-key" zonesub ANY;

    5. Set Dynamic update to True.

    6. Click Update to save the changes.

  3. Configure dynamic DNS updates in Foreman server or Smart Proxy server. For more information, see Integrating a generic RFC 2136-compatible remote DNS server.

1.6. Integrating FreeIPA DNS with GSS-TSIG authentication

You can configure the FreeIPA server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the FreeIPA server to use the GSS-TSIG technology, you must install the FreeIPA client on the Foreman server base operating system.

Prerequisites

  • The FreeIPA server is deployed and functional.

  • The firewall on the FreeIPA server allows access to the required ports. For more information, see Port requirements for IdM in Red Hat Enterprise Linux 9 Installing Identity Management.

  • The FreeIPA account has permissions to create zones on the FreeIPA server.

Procedure

  1. Create a Kerberos principal on the FreeIPA server:

    1. Obtain a Kerberos ticket:

      # kinit MyFreeIPA_User_

    2. Create a new Kerberos principal Foreman server to use to authenticate on the FreeIPA server:

      • For a Foreman server, enter:

        # ipa service-add smartproxy/foreman.example.com

      • For a Smart Proxy server, enter:

        # ipa service-add smartproxy.example.com

  2. Install and configure the FreeIPA client on either the Foreman or Smart Proxy that is managing the DNS service for your deployment:

    1. Install the ipa-client package:

      # dnf install ipa-client

    2. Install the FreeIPA client:

      # ipa-client-install

      Follow the on-screen prompts.

    3. Obtain a Kerberos ticket:

      # kinit admin

    4. Remove any preexisting keytab:

      # rm --force /etc/foreman-proxy/dns.keytab

    5. Obtain a keytab file for this system:

      # ipa-getkeytab -p smartproxy/foreman.example.com@EXAMPLE.COM \
-s freeipa-server.example.com -k /etc/foreman-proxy/dns.keytab
      Note

      When adding a keytab to a standby system with the same host name as the original system in service, add the r option to prevent generating new credentials and rendering the credentials on the original system invalid.

    6. Set the owner and group of the /etc/foreman-proxy/dns.keytab to foreman-proxy:

      # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

    7. Optional: Verify that the keytab file is valid:

      # kinit -kt /etc/foreman-proxy/dns.keytab \
smartproxy/foreman.example.com@EXAMPLE.COM

  3. Add a forward DNS zone in the FreeIPA web UI:

    1. Navigate to Network Services > DNS > DNS Zones.

    2. Select Add, and enter the zone name. For example, example.com.

    3. Click Add and Edit.

    4. On the Settings tab, append the following to the semicolon-separated list in the BIND update policy field:

      grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;

    5. Set Dynamic update to True.

    6. Enable Allow PTR sync.

    7. Click Save to save the changes.

  4. Add a reverse DNS zone in the FreeIPA web UI:

    1. Navigate to Network Services > DNS > DNS Zones.

    2. Click Add.

    3. Select Reverse zone IP network, and add the network address in CIDR format to enable reverse lookups.

    4. Click Add and Edit.

    5. On the Settings tab, append the following to the semicolon-separated list in the BIND update policy field:

      grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;

    6. Set Dynamic update to True.

    7. Click Save to save the changes.

  5. Configure Foreman server or Smart Proxy server to connect to the FreeIPA DNS service:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider nsupdate_gss \
--foreman-proxy-dns-managed false \
--foreman-proxy-dns-server "freeipa-server.example.com" \
--foreman-proxy-dns-tsig-keytab /etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-tsig-principal "smartproxy/foreman.example.com@EXAMPLE.COM"

  6. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.7. Integrating Infoblox DNS

Install the DNS Infoblox provider on Foreman server.

Limitations

  • You can manage DNS entries only in a single view, and you cannot edit the view after you create it.

  • Foreman server uses the standard HTTPS web API to communicate with Infoblox. By default, it communicates only with a single node. If you require high availability, configure this feature in Infoblox.

  • You cannot integrate the Foreman IP address management (IPAM) feature into Infoblox.

Prerequisites

  • You have an Infoblox account with the roles DHCP Admin and DNS Admin.

  • The Infoblox roles have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API.

Procedure

  1. Download the certificate from the Infoblox server, and store it in the /etc/pki/ca-trust/source/anchors/infoblox.crt file:

    # openssl s_client -showcerts -connect infoblox.example.com:443 </dev/null | \
openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt

    The hostname must match the one for the Infoblox application in the X.509 certificate.

  2. Add the Infoblox certificate to the system truststore:

    # update-ca-trust extract

  3. Test the CA certificate by using it in a query to the Infoblox API:

    # curl -u admin:password https://infoblox.example.com/wapi/v2.0/network

    Example of a positive response:

    [
    {
        "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:infoblox.example.com/24/default",
        "network": "192.168.202.0/24",
        "network_view": "default"
    }
]

  4. Configure Foreman server or Smart Proxy server to connect to the Infoblox DNS service:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider infoblox \
--enable-foreman-proxy-plugin-dns-infoblox \
--foreman-proxy-plugin-dns-infoblox-dns-server infoblox.example.com \
--foreman-proxy-plugin-dns-infoblox-username admin \
--foreman-proxy-plugin-dns-infoblox-password password \
--foreman-proxy-plugin-dns-infoblox-dns-view view_name

    Omit the --foreman-proxy-plugin-dns-infoblox-dns-view option if you use the default view in Infoblox DNS.

  5. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.8. Integrating dnsmasq DNS by using the libvirt API

The dns_libvirt DNS provider manages DNS records using dnsmasq through the libvirt API. It uses ruby-libvirt gem to connect to the local or a remote instance of the libvirt service.

Procedure

  1. Configure Foreman server or Smart Proxy server to connect to the libvirt API:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider libvirt \
--foreman-proxy-libvirt-network default \
--foreman-proxy-libvirt-url qemu:///system

    Note that you can only use one network and URL for both the dns_libvirt and dhcp_libvirt providers.

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.9. Integrating PowerDNS

The dns_powerdns DNS provider manages DNS records using the PowerDNS REST API.

Procedure

  1. Configure Foreman server or Smart Proxy server to connect to the PowerDNS service:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider powerdns \
--enable-foreman-proxy-plugin-dns-powerdns \
--foreman-proxy-plugin-dns-powerdns-rest-api-key My_API_Key \
--foreman-proxy-plugin-dns-powerdns-rest-url http://powerdns.example.com:8081/api/v1/servers/localhost

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.10. Integrating Route 53 DNS

Route 53 is a DNS provider by Amazon. For more information, see aws.amazon.com/route53.

Procedure

  1. Configure Foreman server or Smart Proxy server to connect to the Amazon Route 53 DNS service:

    # foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider route53 \
--enable-foreman-proxy-plugin-dns-route53 \
--foreman-proxy-plugin-dns-route53-aws-access-key My_AWS_Access_Key \
--foreman-proxy-plugin-dns-route53-aws-secret-key My_AWS_Secret_Key

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DNS service with a domain and subnet.

1.11. Associating the DNS service with a domain and subnet

After you configured or changed the DNS provider, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Prerequisites

  • You configured a DNS provider.

Procedure

  1. Configure the domain:

    1. In the Foreman web UI, navigate to Infrastructure > Domains.

    2. Select the domain name.

    3. On the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.

  2. Configure the subnet:

    1. Navigate to Infrastructure > Subnets.

    2. Select the subnet name.

    3. On the Domains tab, select the domains that are valid on the subnet.

    4. In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.

    5. Click Submit.

1.12. Disabling DNS for integration

If you want to manually manage a DNS service, you must prevent Foreman from maintaining this service on the operating system and disable orchestration to avoid errors.

Note

Disabling DNS in Foreman does not remove the related backend service on the operating system.
Procedure

  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. For each subnet that is associated with the DNS Smart Proxy:

    1. Select the subnet.

    2. On the Smart Proxies tab, clear the Reverse DNS Smart Proxy field.

    3. Click Submit.

  3. Navigate to Infrastructure > Domains.

  4. For each domain that is associated with the DNS Smart Proxy:

    1. Select the domain.

    2. Clear the DNS Smart Proxy field.

    3. Click Submit.

  5. On Foreman server, enter:

    # foreman-installer --foreman-proxy-dns false
    Note

    Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet and domain. When you disable Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.

2. Configuring DHCP integration

Foreman can manage IP leases on a DHCP server through a Smart Proxy. This includes querying for available IP addresses, adding new reservations, and deleting existing reservations from the lease database.

2.1. DHCP service providers

Smart Proxy supports the following DHCP providers that you can use to integrate Foreman with your existing DHCP infrastructure or deploy a new one:

dhcp_isc

Managing IP leases on an ISC DHCP server by using the Object Management Application Programming Interface (OMAPI). See Enabling the installer-managed DHCP service.

dhcp_remote_isc

Managing IP leases on a remote ISC dhcpd server by using OMAPI. This provider requires that you share the leases over the network, for example, with NFS. See Integrating a remote ISC DHCP server.

dhcp_infoblox

Managing IP leases on an Infoblox DHCP server. See Integrating Infoblox DHCP.

dhcp_libvirt

Managing IP leases on a dnsmasq DHCP server by using the libvirt API. See Integrating dnsmasq DHCP by using the libvirt API.

2.2. Enabling the installer-managed DHCP service

If you do not have a DHCP server available in your network, you can use the installer-managed DHCP service. This feature enables you to provide a DHCP service with low maintenance overhead.

Perform the steps on the Foreman or Smart Proxy server that you want to configure to manage the DHCP service for the subnet.

Prerequisites

  • You know the following network information:

    • The range of IP addresses the DHCP should manage

    • The IP address of the default gateway in the subnet

    • The IP addresses of the name servers for the subnet

Procedure

  1. Configure Foreman server or Smart Proxy server as DHCP server:

    # foreman-installer \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-provider isc \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2,192.0.2.3

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. See Associating the DHCP service with a subnet.

  3. Optional: Secure the dhcpd API on the Smart Proxy by using an Object Management Application Programming Interface (OMAPI) key:

    1. Install the required package:

      # dnf install bind-utils

    2. Generate an OMAPI key:

      # tsig-keygen -a hmac-md5 omapi_key
key "omapi_key" {
	algorithm hmac-md5;
	secret "hJBge7QC5AaUkRVsZmFUlg==";
};

  4. Add the dhcpd API key to the Smart Proxy configuration:

    # foreman-installer \
--foreman-proxy-dhcp-key-name "omapi_key" \
--foreman-proxy-dhcp-key-secret "key_secret"

2.3. Integrating a remote ISC DHCP server

If you already have an ISC DHCP server in your network, you can configure Foreman server and Smart Proxy server to integrate this server to manage IP leases.

2.3.1. Configuring ISC DHCP to use with Foreman server

To configure an external DHCP server running Enterprise Linux to use with Foreman server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with Foreman server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Procedure

  1. Perform the following steps on the DHCP server:

    1. Install the required packages:

      # dnf install dhcp-server bind-utils

    2. Generate a security token:

      # tsig-keygen -a hmac-md5 omapi_key
key "omapi_key" {
	algorithm hmac-md5;
	secret "4z1jwYO0RGUTJbWDepFBdg==";
};

    3. Edit the /etc/dhcp/dhcpd.conf file for all subnets, and add the key generated by tsig-keygen. The following is an example:

      # cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm hmac-md5;
	secret "key_secret";
};
omapi-key omapi_key;

      Note that the option routers value is the IP address of your Foreman server or Smart Proxy server that you want to use with an external DHCP service.

    4. Open the DHCP port in the firewalld service:

      # firewall-cmd --add-service dhcp

    5. Make the changes persistent:

      # firewall-cmd --runtime-to-permanent

  2. On Foreman server, determine both the UID and the primary GID of the foreman-proxy user:

    # id -u foreman-proxy
993

# id -g foreman-proxy
990

  3. Perform the following steps on the DHCP server:

    1. Create the foreman-proxy group with the same group ID as determined in a previous step:

      # groupadd -g 990 foreman-proxy

    2. Create the foreman-proxy user with the same user ID and primary group ID as determined in a previous step:

      # useradd -u 993 -g 990 -s /sbin/nologin foreman-proxy

    3. Ensure that the configuration files are accessible:

      # chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

    4. Enable and start the dhcpd service:

      # systemctl enable --now dhcpd

    5. Install the nfs-server package:

      # dnf install nfs-utils

    6. Enable and start the NFS server service:

      # systemctl enable --now nfs-server

    7. Create directories for the DHCP configuration and lease files that you want to export by using NFS:

      # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

    8. Edit the /etc/fstab file and add bind mount entries for the exported directories:

      /var/lib/dhcpd  /exports/var/lib/dhcpd  none  bind,auto  0 0
/etc/dhcp       /exports/etc/dhcp       none  bind,auto  0 0

      These entries use bind mounts which mount the original directories to the ones you use for the export in NFS.

    9. Activate the bind mounts from the /etc/fstab file:

      # mount -a

    10. Edit the /etc/exports file, and export the required directories in NFS:

      /exports               192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/etc/dhcp      192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

      Use the IP address of the Foreman or Smart Proxy in the export options to ensure that only these hosts have access.

    11. Reload the NFS server:

      # exportfs -rva

    12. Enable the dhcpd OMAPI port in firewalld:

      # firewall-cmd --add-port=7911/tcp

    13. Enable the services required for NFSv3 in firewalld:

      # firewall-cmd \
--add-service mountd \
--add-service nfs \
--add-service rpc-bind \
--zone public

    14. Make the changes persistent:

      # firewall-cmd --runtime-to-permanent

2.3.2. Configuring Foreman server or Smart Proxy server for use with ISC DHCP

You can configure Foreman server with a non-installer-managed DHCP server. Perform the steps on the Foreman server or Smart Proxy server.

Prerequisites
Procedure

  1. Install the required package:

    # dnf install nfs-utils

  2. Create the directories into which you later mount the NFS shares:

    # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

  3. Set the owner of the /mnt/nfs and sub-directories to foreman-proxy:

    # chown -R foreman-proxy /mnt/nfs

  4. Verify that the NFS server exports the required directories:

    # showmount -e DHCP_Server_FQDN

  5. Edit the /etc/fstab file, and add entries for the NFS shares to mount them automatically when the system boots:

    dhcp_server_fqdn:/exports/etc/dhcp       /mnt/nfs/etc/dhcp       nfs  ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0"     0 0

dhcp_server_fqdn:/exports/var/lib/dhcpd  /mnt/nfs/var/lib/dhcpd  nfs  ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0"  0 0

  6. Mount the NFS shares:

    # mount /mnt/nfs/etc/dhcp/
# mount /mnt/nfs/var/lib/dhcpd/

  7. Optional: Verify that the foreman-proxy user can access the files on the NFS server:

    1. Switch to the foreman-proxy user:

      # su foreman-proxy -s /bin/bash

    2. Display the /mnt/nfs/etc/dhcp/dhcpd.conf file:

      $ cat /mnt/nfs/etc/dhcp/dhcpd.conf

    3. Display the /mnt/nfs/var/lib/dhcpd/dhcpd.leases file:

      $ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases

    4. Log out the foreman-proxy user to switch back to the root user:

      $ exit

  8. Configure Foreman server or Smart Proxy server to use the DHCP server:

    # foreman-installer \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-provider remote_isc \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server dhcp_server_fqdn \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret key_secret \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port 7911

  9. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DHCP service with a subnet.

2.4. Integrating Infoblox DHCP

Install the DHCP Infoblox provider on Foreman server.

Limitations

  • You can manage DHCP entries only in a single network and view, and you cannot edit the view after you create it.

  • Foreman server uses the standard HTTPS web API to communicate with Infoblox. By default, it communicates only with a single node. If you require high availability, configure this feature in Infoblox.

Prerequisites

  • You have an Infoblox account with the roles DHCP Admin and DNS Admin.

  • The Infoblox roles have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API.

Procedure

  1. Download the certificate from the Infoblox server, and store it in the /etc/pki/ca-trust/source/anchors/infoblox.crt file:

    # openssl s_client -showcerts -connect infoblox.example.com:443 </dev/null | \
openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt

    The hostname must match the one for the Infoblox application in the X.509 certificate.

  2. Add the Infoblox certificate to the system truststore:

    # update-ca-trust extract

  3. Test the CA certificate by using it in a query to the Infoblox API:

    # curl -u admin:password https://infoblox.example.com/wapi/v2.0/network

    Example of a positive response:

    [
    {
        "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:infoblox.example.com/24/default",
        "network": "192.168.202.0/24",
        "network_view": "default"
    }
]

  4. Configure Foreman server or Smart Proxy server to connect to the Infoblox DHCP service:

    # foreman-installer \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-provider infoblox \
--enable-foreman-proxy-plugin-dhcp-infoblox \
--foreman-proxy-dhcp-server infoblox.example.com \
--foreman-proxy-plugin-dhcp-infoblox-username admin \
--foreman-proxy-plugin-dhcp-infoblox-password password \
--foreman-proxy-plugin-dhcp-infoblox-record-type fixedaddress \
--foreman-proxy-plugin-dhcp-infoblox-dns-view default \
--foreman-proxy-plugin-dhcp-infoblox-network-view default
    Note

    If you want to use the DHCP and DNS Infoblox modules together, configure the DHCP Infoblox module with the fixedaddress record type only. The host record type is not supported in this scenario because it causes conflicts and you cannot rename hosts in Foreman.

  5. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DHCP service with a subnet.

2.5. Integrating dnsmasq DHCP by using the libvirt API

The dhcp_libvirt plugin manages IP reservations and leases using dnsmasq through the libvirt API. It uses ruby-libvirt to connect to the local or remote instance of the libvirt service.

Procedure

  1. Configure Foreman server or Smart Proxy server to connect to the libvirt API:

    # foreman-installer \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-provider libvirt \
--foreman-proxy-libvirt-network default \
--foreman-proxy-libvirt-url qemu:///system

    Note that you can only use one network and URL for both the dns_libvirt and dhcp_libvirt providers.

  2. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the DHCP service with a subnet.

2.6. Associating the DHCP service with a subnet

After you configured or changed the DHCP provider, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Procedure

  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. Select the subnet name.

  3. On the Subnet tab, set IPAM to DHCP.

  4. On the Smart Proxy tab, set DHCP Proxy to your Smart Proxy.

  5. Click Submit.

2.7. Disabling DHCP for integration

If you want to manually manage a DHCP service, you must prevent Foreman from maintaining this service on the operating system and disable orchestration to avoid errors.

Note

Disabling DHCP in Foreman does not remove the related backend service on the operating system.
Procedure

  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. For each subnet that is associated with the DHCP Smart Proxy:

    1. Select the subnet.

    2. On the Smart Proxies tab, clear the DHCP Smart Proxy field.

    3. Click Submit.

  3. On Foreman server and Smart Proxy server, enter:

    # foreman-installer --foreman-proxy-dhcp false
    Note

    Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet. When you disable Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.

2.8. Troubleshooting DHCP problems

Foreman can manage an ISC DHCP server on internal or external DHCP Smart Proxy. Foreman can list, create, and delete DHCP reservations and leases. However, there are a number of problems that you might encounter on occasions.

Out of sync DHCP records

When an error occurs during DHCP orchestration, DHCP records in the Foreman database and the DHCP server might not match. To fix this, you must add missing DHCP records from the Foreman database to the DHCP server and then remove unwanted records from the DHCP server as per the following steps:

Procedure

  1. To preview the DHCP records that are going to be added to the DHCP server, enter the following command:

    # foreman-rake orchestration:dhcp:add_missing subnet_name=NAME

  2. If you are satisfied by the preview changes in the previous step, apply them by entering the above command with the perform=1 argument:

    # foreman-rake orchestration:dhcp:add_missing subnet_name=NAME perform=1

  3. To keep DHCP records in Foreman and in the DHCP server synchronized, you can remove unwanted DHCP records from the DHCP server. Note that Foreman assumes that all managed DHCP servers do not contain third-party records, therefore, this step might delete those unexpected records. To preview what records are going to be removed from the DHCP server, enter the following command:

    # foreman-rake orchestration:dhcp:remove_offending subnet_name=NAME

  4. If you are satisfied by the preview changes in the previous step, apply them by entering the above command with the perform=1 argument:

    # foreman-rake orchestration:dhcp:remove_offending subnet_name=NAME perform=1
PXE loader option change

When the PXE loader option is changed for an existing host, this causes a DHCP conflict. The only workaround is to overwrite the DHCP entry.

This is a known issue. Until Issue 27877 is fixed, the only workaround is to overwrite the DHCP entry.

Incorrect permissions on DHCP files

An operating system update can update the dhcpd package. This causes the permissions of important directories and files to reset so that the DHCP Smart Proxy cannot read the required information.

For more information, see ERF12-6899 - Unable to set DHCP entry.

Changing the DHCP Smart Proxy entry

Foreman manages DHCP records only for hosts that are assigned to subnets with a DHCP Smart Proxy set. If you create a host and then clear or change the DHCP Smart Proxy, when you attempt to delete the host, the action fails.

If you create a host without setting the DHCP Smart Proxy and then try to set the DHCP Smart Proxy, this causes DHCP conflicts.

Deleted hosts entries in the dhcpd.leases file

Any changes to a DHCP lease are appended to the end of the dhcpd.leases file. Because entries are appended to the file, it is possible that two or more entries of the same lease can exist in the dhcpd.leases file at the same time. When there are two or more entries of the same lease, the last entry in the file takes precedence. Group, subgroup and host declarations in the lease file are processed in the same manner. If a lease is deleted, { deleted; } is appended to the declaration.

3. Configuring TFTP integration

By integrating a TFTP server, you can perform unattended installations.

3.1. Enabling the installer-managed TFTP service

If you do not have a TFTP server available in your network, you can use the installer-managed TFTP service to perform unattended installations. With the installer-managed TFTP service, you can run a TFTP server with a low maintenance effort because Foreman fully manages the TFTP service, including the files on that service.

Procedure

  • Configure Foreman or Smart Proxy as the TFTP server:

    # foreman-installer \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true

3.2. Integrating a generic TFTP server

If you have an existing TFTP server in your network, you can integrate it into Foreman to perform unattended installations. If the installer does not manages the TFTP service, you must share the root directory of the TFTP service over the network to enable Foreman to access the files. However, in this case, Foreman does not manage the files on the TFTP server.

Note

If you prefer a low maintenance solution that also manages files on the TFTP server, use the installer-managed TFTP service.

3.2.1. Configuring Foreman server for use with tftp

After you prepared the TFTP server and shared the root directory of the TFTP service over the network, integrate the service into Foreman.

Prerequisites

  • You shared the /exports/var/lib/tftpboot on the TFTP server with NFS.

Procedure

  1. Create the directory into which you later mount the NFS share:

    # mkdir -p /mnt/nfs/var/lib/tftpboot

  2. Edit the /etc/fstab file, and add entry for the NFS share to mount them automatically when the system boots:

    tftp_server_fqdn:/exports/var/lib/tftpboot  /mnt/nfs/var/lib/tftpboot  nfs  rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0"  0 0

  3. Mount the NFS share:

    # mount /mnt/nfs/var/lib/tftpboot/

  4. Configure Foreman server or Smart Proxy server to use the TFTP server:

    # foreman-installer \
--foreman-proxy-tftp true \
--foreman-proxy-managed false \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \
--foreman-proxy-tftp-servername tftp_server_fqdn

  5. For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI. For more information, see Associating the TFTP service with a subnet.

3.3. Associating the TFTP service with a subnet

After you configured or changed the TFTP provider, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Prerequisites

  • You configured a TFTP server.

Procedure

  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. Select the subnet name.

  3. On the Smart Proxies tab, select the Smart Proxy for TFTP.

  4. Click Submit.

3.4. Disabling TFTP for integration

If you want to manually manage a TFTP service, you must prevent Foreman from maintaining this service on the operating system and disable orchestration to avoid errors.

Note

Disabling TFTP in Foreman does not remove the related backend service on the operating system.
Procedure

  1. In the Foreman web UI, navigate to Infrastructure > Subnets.

  2. For each subnet that is associated with the TFTP Smart Proxy:

    1. Select the subnet.

    2. On the Smart Proxies tab, clear the TFTP Smart Proxy field.

    3. Click Submit.

  3. On Foreman server, enter:

    # foreman-installer --foreman-proxy-tftp false
    Note

    Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet. When you disable Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.