1. Overview of load balancing in orcharhino
You can configure your orcharhino environment to use a load balancer to distribute host requests and network load across multiple orcharhino Proxies. This improves performance on orcharhino Proxies and improves the performance and stability of host connections to orcharhino. In a load-balanced setup, the orcharhino Proxy functionality supported for load balancing continues to work as expected when one orcharhino Proxy is down for planned or unplanned maintenance.
1.1. Components of a load-balanced setup
A load-balanced setup in an orcharhino environment consists of the following components:
- orcharhino Server
- Two or more orcharhino Proxies
- A load balancer
- Multiple hosts
A host sends a request to the TCP load balancer. The load balancer receives the request and determines which orcharhino Proxy will handle the request to ensure optimal performance and availability.
1.2. Services and features supported in a load-balanced setup
A load balancer in orcharhino distributes load only for the following services and features:
- Registering hosts
- Providing content to hosts
- Configuring hosts by using Puppet
Other orcharhino services, such as provisioning, virt-who, or remote execution, go directly through the individual orcharhino Proxies on which these services are running.
1.3. Additional maintenance required for load balancing
Configuring orcharhino Proxies to use a load balancer results in a more complex environment and requires additional maintenance.
The following additional steps are required for load balancing:
- You must ensure that all orcharhino Proxies have the same content. If you publish a content view version on orcharhino, synchronize it to all orcharhino Proxies.
- You must upgrade each orcharhino Proxy in sequence.
2. Preparing orcharhino Proxies for load balancing
orcharhino does not support configuring existing orcharhino Proxies for load balancing. You must create a new orcharhino Proxy for this purpose.
3. Configuring orcharhino Proxies with default SSL certificates for load balancing
You can configure one or more orcharhino Proxies that use default SSL certificates for load balancing.
If you use Puppet in your orcharhino deployment, the configuration steps are different. See Configuring orcharhino Proxies with default SSL certificates for load balancing (with Puppet).
3.1. Prerequisites
- Prepare a new orcharhino Proxy to use for load balancing. See Preparing orcharhino Proxies for load balancing.
- Review Services and features supported in a load-balanced setup.
3.2. Configuring orcharhino Proxy with default SSL certificates for load balancing without Puppet
On each orcharhino Proxy that you want to configure for load balancing, install Katello certificates.
- On orcharhino Server, generate Katello certificates for orcharhino Proxy:
  # foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.example.com
  Retain a copy of the example foreman-installer command that the foreman-proxy-certs-generate command outputs; you use it to install the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy:
  # scp /root/orcharhino-proxy.example.com-certs.tar root@orcharhino-proxy.example.com:/root/orcharhino-proxy.example.com-certs.tar
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.example.com"
4. Configuring orcharhino Proxies with custom SSL certificates for load balancing
You can configure one or more orcharhino Proxies that use custom SSL certificates for load balancing. To do this, configure and install certificates on each orcharhino Proxy you want to use for load balancing.
If you use Puppet in your orcharhino deployment, the configuration steps are different. See Configuring orcharhino Proxies with custom SSL certificates for load balancing (with Puppet).
4.1. Prerequisites
- Prepare a new orcharhino Proxy to use for load balancing. See Preparing orcharhino Proxies for load balancing.
- Review Services and features supported in a load-balanced setup.
4.2. Creating a custom SSL certificate for orcharhino Proxy
On each orcharhino Proxy you want to configure for load balancing, create a configuration file for the Certificate Signing Request and include the load balancer and orcharhino Proxy as Subject Alternative Names (SAN).
- To store all the source certificate files, create a directory that is accessible only to the root user:
  # mkdir /root/orcharhino-proxy_cert
- Create a private key with which to sign the certificate signing request (CSR).
  Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
  If you already have a private key for this orcharhino Proxy, skip this step.
  # openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
- Create the /root/orcharhino-proxy_cert/openssl.cnf configuration file for the CSR and include the following content:
  [ req ]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  x509_extensions = usr_cert
  prompt = no

  [ req_distinguished_name ]
  commonName = orcharhino-proxy.example.com (1)

  [ v3_req ]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  subjectAltName = @alt_names

  [alt_names] (2)
  DNS.1 = loadbalancer.example.com
  DNS.2 = orcharhino-proxy.example.com
  (1) The certificate's common name must match the FQDN of orcharhino Proxy. Change this value when you run the command on each orcharhino Proxy that you configure for load balancing. You can also set the wildcard value *. If you set a wildcard value, you must add the -t orcharhino-proxy option when you use the katello-certs-check command.
  (2) Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of orcharhino Proxy as DNS.2.
- Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
  [req_distinguished_name]
  CN = orcharhino-proxy.example.com
  countryName = My_Country_Name (1)
  stateOrProvinceName = My_State_Or_Province_Name (2)
  localityName = My_Locality_Name (3)
  organizationName = My_Organization_Or_Company_Name
  organizationalUnitName = My_Organizational_Unit_Name (4)
  (1) Two letter code
  (2) Full name
  (3) Full name (example: New York)
  (4) Division responsible for the certificate (example: IT department)
- Generate the CSR:
  # openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (1)
    -config /root/orcharhino-proxy_cert/openssl.cnf \ (2)
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem (3)
  (1) Path to the private key
  (2) Path to the configuration file
  (3) Path to the CSR to generate
- Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy.
  When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
- Copy the Certificate Authority bundle and the orcharhino Proxy certificate file that you receive from the Certificate Authority, together with the orcharhino Proxy private key, to your orcharhino Server.
- On orcharhino Server, validate the orcharhino Proxy certificate input files:
  # katello-certs-check \
    -c /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \ (1)
    -k /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (2)
    -b /root/orcharhino-proxy_cert/ca_cert_bundle.pem (3)
  (1) orcharhino Proxy certificate file, provided by your Certificate Authority
  (2) orcharhino Proxy private key that you used to sign the certificate
  (3) Certificate Authority bundle, provided by your Certificate Authority
  If you set commonName= to the wildcard value *, you must add the -t orcharhino-proxy option to the katello-certs-check command.
  Retain a copy of the example foreman-proxy-certs-generate command that the katello-certs-check command outputs; you use it to create the certificate archive file for this orcharhino Proxy.
4.3. Configuring orcharhino Proxy with custom SSL certificates for load balancing without Puppet
On each orcharhino Proxy you want to configure for load balancing, install Katello certificates.
- Append the following option to the foreman-proxy-certs-generate command that you obtained from the output of the katello-certs-check command:
    --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  # foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy.example.com-certs.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  The --server-cert, --server-key, and --server-ca-cert values are the same files that you validated with katello-certs-check.
  Retain a copy of the example foreman-installer command from the output for installing the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy:
  # scp /root/orcharhino-proxy.example.com-certs.tar root@orcharhino-proxy.example.com:orcharhino-proxy.example.com-certs.tar
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.example.com"
5. Configuring orcharhino Proxies with default SSL certificates for load balancing (with Puppet)
If you use Puppet in your orcharhino setup, you can configure one or more orcharhino Proxies that use default SSL certificates for load balancing.
To do this, you configure Puppet certificate signing on one of your orcharhino Proxies. Then, you configure each remaining Puppet orcharhino Proxy used for load balancing to use the certificates. The first orcharhino Proxy will generate and sign Puppet certificates for the remaining orcharhino Proxies configured for load balancing.
5.1. Prerequisites
- Prepare a new orcharhino Proxy to use for load balancing. See Preparing orcharhino Proxies for load balancing.
- Review Services and features supported in a load-balanced setup.
5.2. Configuring orcharhino Proxy with default SSL certificates to generate and sign Puppet certificates
On the orcharhino Proxy that will generate Puppet certificates for all other load-balancing orcharhino Proxies, configure Puppet certificate generation and signing.
- On orcharhino Server, generate Katello certificates for the system where you configure orcharhino Proxy to generate and sign Puppet certificates:
  # foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy-ca.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com
  Retain a copy of the example foreman-installer command that the foreman-proxy-certs-generate command outputs; you use it to install the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy:
  # scp /root/orcharhino-proxy-ca.example.com-certs.tar root@orcharhino-proxy-ca.example.com:orcharhino-proxy-ca.example.com-certs.tar
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "true" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "true"
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy-ca.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true"
- On the orcharhino Proxy that is the Puppetserver Certificate Authority, stop the Puppet server:
  # systemctl stop puppetserver
- Generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing, except the system where you first configured Puppet certificate signing:
  # puppetserver ca generate \
    --ca-client \
    --certname orcharhino-proxy.example.com \
    --subject-alt-names loadbalancer.example.com
  This command creates the following files:
  - /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppetserver/ca/signed/orcharhino-proxy.example.com.pem
- Start the Puppet server:
  # systemctl start puppetserver
5.3. Configuring remaining orcharhino Proxies with default SSL certificates for load balancing
On each load-balancing orcharhino Proxy, excluding the orcharhino Proxy configured to sign Puppet certificates, configure the system to use Puppet certificates.
- On orcharhino Server, generate Katello certificates for orcharhino Proxy:
  # foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.example.com
  Retain a copy of the example foreman-installer command that the foreman-proxy-certs-generate command outputs; you use it to install the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy:
  # scp /root/orcharhino-proxy.example.com-certs.tar root@orcharhino-proxy.example.com:/root/orcharhino-proxy.example.com-certs.tar
- On orcharhino Proxy, install the puppetserver package:
  # dnf install puppetserver
- On orcharhino Proxy, create directories for the Puppet certificates:
  # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
- On orcharhino Proxy, copy the Puppet certificates for this orcharhino Proxy from the system where you configured orcharhino Proxy to sign Puppet certificates:
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem
- On orcharhino Proxy, change the ownership of the /etc/puppetlabs/puppet/ssl/ directory to user puppet and group puppet:
  # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
- On orcharhino Proxy, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:
  # restorecon -Rv /etc/puppetlabs/puppet/ssl/
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "false" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
5.4. Managing Puppet limitations with load balancing in orcharhino
If you use Puppet, Puppet certificate signing is assigned to the first orcharhino Proxy that you configure. If the first orcharhino Proxy is down, hosts cannot obtain Puppet content.
Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.
To manage this Puppet limitation, complete the following steps:
- Configure Puppet certificate signing on one orcharhino Proxy, typically the first system where you configure orcharhino Proxy for load balancing.
- Configure the clients to send CA requests to port 8141 on a load balancer.
- Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure orcharhino Proxy to sign Puppet certificates.
To troubleshoot issues, reproduce the issue on each orcharhino Proxy, bypassing the load balancer. This solution does not use Pacemaker or other similar HA tools to maintain one state across all orcharhino Proxies.
6. Configuring orcharhino Proxies with custom SSL certificates for load balancing (with Puppet)
You can configure one or more orcharhino Proxies that use custom SSL certificates for load balancing.
6.1. Prerequisites
- Prepare a new orcharhino Proxy to use for load balancing. See Preparing orcharhino Proxies for load balancing.
- Review Services and features supported in a load-balanced setup.
6.2. Creating a custom SSL certificate for orcharhino Proxy
On each orcharhino Proxy you want to configure for load balancing, create a configuration file for the Certificate Signing Request and include the load balancer and orcharhino Proxy as Subject Alternative Names (SAN).
- To store all the source certificate files, create a directory that is accessible only to the root user:
  # mkdir /root/orcharhino-proxy_cert
- Create a private key with which to sign the certificate signing request (CSR).
  Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
  If you already have a private key for this orcharhino Proxy, skip this step.
  # openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
- Create the /root/orcharhino-proxy_cert/openssl.cnf configuration file for the CSR and include the following content:
  [ req ]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  x509_extensions = usr_cert
  prompt = no

  [ req_distinguished_name ]
  commonName = orcharhino-proxy.example.com (1)

  [ v3_req ]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  subjectAltName = @alt_names

  [alt_names] (2)
  DNS.1 = loadbalancer.example.com
  DNS.2 = orcharhino-proxy.example.com
  (1) The certificate's common name must match the FQDN of orcharhino Proxy. Change this value when you run the command on each orcharhino Proxy that you configure for load balancing. You can also set the wildcard value *. If you set a wildcard value, you must add the -t orcharhino-proxy option when you use the katello-certs-check command.
  (2) Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of orcharhino Proxy as DNS.2.
- Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
  [req_distinguished_name]
  CN = orcharhino-proxy.example.com
  countryName = My_Country_Name (1)
  stateOrProvinceName = My_State_Or_Province_Name (2)
  localityName = My_Locality_Name (3)
  organizationName = My_Organization_Or_Company_Name
  organizationalUnitName = My_Organizational_Unit_Name (4)
  (1) Two letter code
  (2) Full name
  (3) Full name (example: New York)
  (4) Division responsible for the certificate (example: IT department)
- Generate the CSR:
  # openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (1)
    -config /root/orcharhino-proxy_cert/openssl.cnf \ (2)
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem (3)
  (1) Path to the private key
  (2) Path to the configuration file
  (3) Path to the CSR to generate
- Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy.
  When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
- Copy the Certificate Authority bundle and the orcharhino Proxy certificate file that you receive from the Certificate Authority, together with the orcharhino Proxy private key, to your orcharhino Server.
- On orcharhino Server, validate the orcharhino Proxy certificate input files:
  # katello-certs-check \
    -c /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \ (1)
    -k /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (2)
    -b /root/orcharhino-proxy_cert/ca_cert_bundle.pem (3)
  (1) orcharhino Proxy certificate file, provided by your Certificate Authority
  (2) orcharhino Proxy private key that you used to sign the certificate
  (3) Certificate Authority bundle, provided by your Certificate Authority
  If you set commonName= to the wildcard value *, you must add the -t orcharhino-proxy option to the katello-certs-check command.
  Retain a copy of the example foreman-proxy-certs-generate command that the katello-certs-check command outputs; you use it to create the certificate archive file for this orcharhino Proxy.
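The CSR procedure above (sections 4.2 and 6.2 describe the same steps), as an added POSIX shell example that is not part of the orcharhino documentation: it writes the same openssl.cnf for a given proxy FQDN and load balancer FQDN, generates the unencrypted key and the CSR, and then checks that the CSR really carries both Subject Alternative Names and the expected common name before the request leaves for the CA. The function names, the working-directory argument and the optional key-size argument are this example's own; the page's x509_extensions line is left out because it only applies to self-signed -x509 output, which this flow never produces.

```shell
#!/bin/sh
# Added example (not part of the orcharhino documentation): build the CSR
# configuration for one load-balanced orcharhino Proxy, generate the key and
# CSR, and confirm the CSR lists both Subject Alternative Names.
# Function names and argument order are this example's own.

# make_csr_config PROXY_FQDN LB_FQDN
#   Prints the openssl.cnf from the procedure with both names filled in.
#   x509_extensions is omitted: it is only consulted for -x509 output.
make_csr_config() {
    proxy_fqdn="$1"
    lb_fqdn="$2"
    cat <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = ${proxy_fqdn}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${lb_fqdn}
DNS.2 = ${proxy_fqdn}
EOF
}

# csr_has_san CSR_FILE NAME
#   Succeeds when NAME appears as a DNS entry in the CSR's subjectAltName.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qE "DNS:$2(,| |$)"
}

# csr_common_name CSR_FILE
#   Prints the CN from the CSR subject so it can be compared with the FQDN.
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# generate_proxy_csr WORKDIR PROXY_FQDN LB_FQDN [KEY_BITS]
#   Creates WORKDIR (readable only by its owner), writes openssl.cnf, an
#   unencrypted key and the CSR, then verifies the CSR. Prints the CSR path.
generate_proxy_csr() {
    workdir="$1"; proxy_fqdn="$2"; lb_fqdn="$3"; key_bits="${4:-4096}"
    mkdir -p "$workdir" && chmod 700 "$workdir"
    make_csr_config "$proxy_fqdn" "$lb_fqdn" > "$workdir/openssl.cnf"
    # The key must carry no passphrase: the installer cannot prompt for one.
    if [ ! -f "$workdir/orcharhino-proxy_cert_key.pem" ]; then
        openssl genrsa -out "$workdir/orcharhino-proxy_cert_key.pem" "$key_bits" 2>/dev/null || return 1
    fi
    csr="$workdir/orcharhino-proxy_cert_csr.pem"
    openssl req -new \
        -key "$workdir/orcharhino-proxy_cert_key.pem" \
        -config "$workdir/openssl.cnf" \
        -out "$csr" || return 1
    # Refuse to hand a CSR to the CA that would yield a certificate the load
    # balancer name does not match; that is the failure mode seen as TLS
    # hostname errors on every host after the proxy is put behind the balancer.
    [ "$(csr_common_name "$csr")" = "$proxy_fqdn" ] || { echo "CN does not match $proxy_fqdn" >&2; return 1; }
    csr_has_san "$csr" "$lb_fqdn" || { echo "CSR lacks load balancer SAN $lb_fqdn" >&2; return 1; }
    csr_has_san "$csr" "$proxy_fqdn" || { echo "CSR lacks proxy SAN $proxy_fqdn" >&2; return 1; }
    echo "$csr"
}
```

Run it once per proxy, for example generate_proxy_csr /root/orcharhino-proxy_cert orcharhino-proxy.example.com loadbalancer.example.com, and send only the printed CSR file to the CA; a CSR whose CN or SAN list is wrong is reported and never written out as accepted.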
6.3. Configuring orcharhino Proxy with custom SSL certificates to generate and sign Puppet certificates
On the orcharhino Proxy that will generate Puppet certificates for all other load-balancing orcharhino Proxies, configure Puppet certificate generation and signing.
- Append the following option to the foreman-proxy-certs-generate command that you obtained from the output of the katello-certs-check command:
    --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  # foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy-ca.example.com-certs.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  The --server-cert, --server-key, and --server-ca-cert values are the same files that you validated with katello-certs-check for this orcharhino Proxy.
  Retain a copy of the example foreman-installer command from the output for installing the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy.
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "true" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "true"
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy-ca.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true"
- On the orcharhino Proxy that is the Puppetserver Certificate Authority, stop the Puppet server:
  # systemctl stop puppetserver
- Generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing, except the system where you first configured Puppet certificate signing:
  # puppetserver ca generate \
    --ca-client \
    --certname orcharhino-proxy.example.com \
    --subject-alt-names loadbalancer.example.com
  This command creates the following files:
  - /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem
  - /etc/puppetlabs/puppetserver/ca/signed/orcharhino-proxy.example.com.pem
- Start the Puppet server:
  # systemctl start puppetserver
6.4. Configuring remaining orcharhino Proxies with custom SSL certificates for load balancing
On each load-balancing orcharhino Proxy, excluding the orcharhino Proxy configured to sign Puppet certificates, configure the system to use Puppet certificates.
- Append the following option to the foreman-proxy-certs-generate command that you obtained from the output of the katello-certs-check command:
    --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  # foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy.example.com-certs.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  The --server-cert, --server-key, and --server-ca-cert values are the same files that you validated with katello-certs-check for this orcharhino Proxy.
  Retain a copy of the example foreman-installer command from the output for installing the orcharhino Proxy certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy:
  # scp /root/orcharhino-proxy.example.com-certs.tar root@orcharhino-proxy.example.com:orcharhino-proxy.example.com-certs.tar
- On orcharhino Proxy, install the puppetserver package:
  # dnf install puppetserver
- On orcharhino Proxy, create directories for the Puppet certificates:
  # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
- On orcharhino Proxy, copy the Puppet certificates for this orcharhino Proxy from the system where you configured orcharhino Proxy to sign Puppet certificates:
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.example.com.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.example.com.pem
  # scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.example.com.pem
- On orcharhino Proxy, change the ownership of the /etc/puppetlabs/puppet/ssl/ directory to user puppet and group puppet:
  # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
- On orcharhino Proxy, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:
  # restorecon -Rv /etc/puppetlabs/puppet/ssl/
- Append the following options to the foreman-installer command that you obtained from the output of the foreman-proxy-certs-generate command:
    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "false" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
- On orcharhino Proxy, enter the foreman-installer command:
  # foreman-installer --scenario foreman-proxy-content \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
6.5. Managing Puppet limitations with load balancing in orcharhino
If you use Puppet, Puppet certificate signing is assigned to the first orcharhino Proxy that you configure. If the first orcharhino Proxy is down, hosts cannot obtain Puppet content.
Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.
To manage this Puppet limitation, complete the following steps:
- Configure Puppet certificate signing on one orcharhino Proxy, typically the first system where you configure orcharhino Proxy for load balancing.
- Configure the clients to send CA requests to port 8141 on a load balancer.
- Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure orcharhino Proxy to sign Puppet certificates.
To troubleshoot issues, reproduce the issue on each orcharhino Proxy, bypassing the load balancer. This solution does not use Pacemaker or other similar HA tools to maintain one state across all orcharhino Proxies.
7. Upgrading orcharhino Proxies in a load-balancing setup
There are no additional steps required for orcharhino Proxies in a load-balancing configuration.
8. Setting the load balancer for host registration
You can configure orcharhino to register clients through a load balancer when using the host registration feature.
You will be able to register hosts to the load balancer instead of orcharhino Proxy. The load balancer will decide through which orcharhino Proxy to register the host at the time of request. Upon registration, the subscription manager on the host will be configured to manage content through the load balancer.
- You configured SSL certificates on all orcharhino Proxies. For more information, see the following sections:
  - Configuring orcharhino Proxies with default SSL certificates for load balancing.
  - Configuring orcharhino Proxies with custom SSL certificates for load balancing.
  - Configuring orcharhino Proxies with default SSL certificates for load balancing (with Puppet).
  - Configuring orcharhino Proxies with custom SSL certificates for load balancing (with Puppet).
- You enabled Registration and Templates plugins on all orcharhino Proxies:
# foreman-installer \
--foreman-proxy-registration true \
--foreman-proxy-templates true
- On all orcharhino Proxies, set the registration and template URLs using foreman-installer:
# foreman-installer \
--foreman-proxy-registration-url "https://loadbalancer.example.com:9090" \
--foreman-proxy-template-url "http://loadbalancer.example.com:8000"
- In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
- For each orcharhino Proxy, click the dropdown menu in the Actions column and select Refresh.
9. Installing the load balancer
The following example provides general guidance for configuring an HAProxy load balancer using Enterprise Linux 9 or Enterprise Linux 8. However, you can install any suitable load balancing software solution that supports TCP forwarding.
- Install HAProxy:
# dnf install haproxy
- Install the following package that includes the semanage tool:
# dnf install policycoreutils-python-utils
- Configure SELinux to allow HAProxy to bind any port:
# semanage boolean --modify --on haproxy_connect_any
- Configure the load balancer to balance the network load for the ports as described in Ports configuration for the load balancer. For example, to configure ports for HAProxy, edit the /etc/haproxy/haproxy.cfg file to correspond with the table.

Table 1. Ports configuration for the load balancer

| Service | Port | Mode | Balance Mode | Destination |
| --- | --- | --- | --- | --- |
| HTTP | 80 | TCP | roundrobin | port 80 on all orcharhino Proxies |
| HTTPS and RHSM | 443 | TCP | source | port 443 on all orcharhino Proxies |
| Anaconda for template retrieval | 8000 | TCP | roundrobin | port 8000 on all orcharhino Proxies |
| Puppet (Optional) | 8140 | TCP | roundrobin | port 8140 on all orcharhino Proxies |
| PuppetCA (Optional) | 8141 | TCP | roundrobin | port 8140 only on the system where you configure orcharhino Proxy to sign Puppet certificates |
| orcharhino Proxy HTTPS for Host Registration and optionally OpenSCAP | 9090 | TCP | roundrobin | port 9090 on all orcharhino Proxies |

- Configure the load balancer to disable SSL offloading and allow client-side SSL certificates to pass through to back end servers. This is required because communication from clients to orcharhino Proxies depends on client-side SSL certificates.
- Start and enable the HAProxy service:
# systemctl enable --now haproxy
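As an added example that is not part of the orcharhino documentation, the following script writes an HAProxy configuration that follows Table 1, sends port 8141 to port 8140 on the single certificate-signing Proxy described in section 6.5, and then checks the two properties that matter for client certificates: no frontend terminates TLS (every section is in TCP mode with a plain bind line), and the PuppetCA section has exactly one backend server. The Proxy host names, the choice of which Proxy signs certificates and the output path are placeholders for this example.

```shell
# Added example, not from the orcharhino documentation: generate an
# haproxy.cfg for Table 1 and verify the pass-through and PuppetCA rules.
# Placeholder host names; replace them with your own orcharhino Proxies.
LB_PROXIES="orcharhino-proxy1.example.com orcharhino-proxy2.example.com"
PUPPET_CA_PROXY="orcharhino-proxy1.example.com"   # the one Proxy that signs Puppet certificates

# Emit one "listen" section. "mode tcp" with no "ssl" keyword on the bind
# line makes HAProxy forward the TLS stream untouched, so the client-side
# certificate reaches the orcharhino Proxy (no SSL offloading).
emit_listen() {
    name=$1; port=$2; balance=$3; dest_port=$4; servers=$5
    printf 'listen %s\n' "$name"
    printf '    bind *:%s\n' "$port"
    printf '    mode tcp\n'
    printf '    balance %s\n' "$balance"
    for s in $servers; do
        printf '    server %s %s:%s check\n' "${s%%.*}" "$s" "$dest_port"
    done
    printf '\n'
}

# Write the complete configuration to the file given as $1.
write_haproxy_cfg() {
    {
        cat <<'EOF'
global
    log /dev/log local0
    daemon

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

EOF
        emit_listen http        80   roundrobin 80   "$LB_PROXIES"
        emit_listen https       443  source     443  "$LB_PROXIES"
        emit_listen anaconda    8000 roundrobin 8000 "$LB_PROXIES"
        # The two Puppet sections are only needed if you use Puppet.
        emit_listen puppet      8140 roundrobin 8140 "$LB_PROXIES"
        # Port 8141 goes to port 8140 on the signing Proxy only (section 6.5).
        emit_listen puppetca    8141 roundrobin 8140 "$PUPPET_CA_PROXY"
        emit_listen proxy_https 9090 roundrobin 9090 "$LB_PROXIES"
    } > "$1"
}

# Return 0 if no bind line terminates TLS (no "ssl" keyword) and the
# puppetca section lists exactly one backend server; non-zero otherwise.
check_haproxy_cfg() {
    ! grep -E '^[[:space:]]*bind .* ssl( |$)' "$1" >/dev/null || return 1
    n=$(sed -n '/^listen puppetca/,/^$/p' "$1" | grep -c '^[[:space:]]*server ')
    [ "$n" -eq 1 ]
}
```

Run write_haproxy_cfg /etc/haproxy/haproxy.cfg on the load balancer and then check_haproxy_cfg on the same file before starting the service; "balance source" on port 443 keeps a client on the same Proxy for its subscription traffic, as the table specifies.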
10. Verifying the load balancing configuration
Use this procedure to verify the load balancing configuration for each orcharhino Proxy.
- Shut down the base operating system for your orcharhino Proxy.
- Verify that content or subscription management features are available on clients registered to this orcharhino Proxy. For example, enter the subscription-manager refresh command on a client.
- Restart the base operating system for your orcharhino Proxy.
11. Registering clients to the load balancer
To balance the load of network traffic from clients, you must register the clients to the load balancer.
To register clients, proceed with one of the following procedures:
11.1. Registering clients using host registration
You can register hosts with orcharhino using the host registration feature in the orcharhino management UI, Hammer CLI, or the orcharhino API. For more information, see Registering hosts and setting up host integration in Managing hosts.
- You have set the load balancer for host registration. For more information, see Setting the load balancer for host registration.
- In the orcharhino management UI, navigate to Hosts > Register Host.
- From the orcharhino Proxy dropdown list, select the load balancer.
- Select Force to register a host that has been previously registered to an orcharhino Proxy.
- From the Activation Keys list, select the activation keys to assign to your host.
- Click Generate to create the registration command.
- Click on the files icon to copy the command to your clipboard.
- Connect to your host using SSH and run the registration command.
- Ensure that the appropriate repositories have been enabled:
  - On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
  - On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.
  - On SUSE Linux Enterprise Server: Check the /etc/zypp/repos.d/ directory and ensure that the appropriate repositories have been enabled.
- Generate the host registration command using the Hammer CLI:
$ hammer host-registration generate-command \
--activation-keys "My_Activation_Key"
If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the --insecure flag to the registration command.
$ hammer host-registration generate-command \
--activation-keys "My_Activation_Key" \
--insecure true
Include the --smart-proxy-id My_orcharhino_Proxy_ID option. You can use the ID of any orcharhino Proxy that you configured for host registration load balancing. orcharhino will apply the load balancer to the registration command automatically.
Include the --force option to register a host that has been previously registered to an orcharhino Proxy.
- Connect to your host using SSH and run the registration command.
- Ensure that the appropriate repositories have been enabled:
  - On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
  - On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.
  - On SUSE Linux Enterprise Server: Check the /etc/zypp/repos.d/ directory and ensure that the appropriate repositories have been enabled.
- Generate the host registration command using the orcharhino API:
# curl -X POST https://orcharhino.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1", "My_Activation_Key_2"] }}'
If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the insecure flag to the registration command.
# curl -X POST https://orcharhino.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1", "My_Activation_Key_2"], "insecure": true }}'
Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.
Include { "smart_proxy_id": My_orcharhino_Proxy_ID }. You can use the ID of any orcharhino Proxy that you configured for host registration load balancing. orcharhino will apply the load balancer to the registration command automatically.
Include { "force": true } to register a host that has been previously registered to an orcharhino Proxy.
To enter a password as a command line argument, use username:password syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the orcharhino management UI, navigate to My Account > Personal Access Tokens.
- Connect to your host using SSH and run the registration command.
- Ensure that the appropriate repositories have been enabled:
  - On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
  - On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.
  - On SUSE Linux Enterprise Server: Check the /etc/zypp/repos.d/ directory and ensure that the appropriate repositories have been enabled.
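An added example, not code from the orcharhino documentation, showing how to build the registration_commands request body from shell arguments so that each activation key is its own JSON array element (with smart_proxy_id, force and insecure set as the API procedure above describes), and how to supply the user name and personal access token from a netrc file instead of a username:password argument that would end up in the shell history and in the process list. The server name, the netrc path and the helper names are assumptions for this example.

```shell
# Added example, not from the orcharhino documentation. Placeholder server
# name and netrc path; the token in the netrc file is a personal access
# token created under My Account > Personal Access Tokens.
ORCHARHINO="https://orcharhino.example.com"
NETRC="$HOME/.netrc-orcharhino"   # mode 0600; one line:
                                  # machine orcharhino.example.com login NAME password TOKEN

# Usage: registration_payload SMART_PROXY_ID FORCE INSECURE KEY [KEY...]
# FORCE and INSECURE are the literal words true or false. Each activation
# key becomes its own array element (keys must not contain double quotes).
registration_payload() {
    proxy_id=$1; force=$2; insecure=$3; shift 3
    keys=""
    for k in "$@"; do
        keys="${keys:+$keys,}\"$k\""
    done
    printf '{"registration_command":{"activation_keys":[%s],"smart_proxy_id":%s,"force":%s,"insecure":%s}}' \
        "$keys" "$proxy_id" "$force" "$insecure"
}

# Ask orcharhino for the registration command. curl reads the user name and
# token from the netrc file, so neither appears on the command line. The
# smart_proxy_id may be any Proxy configured for registration load balancing;
# orcharhino substitutes the load balancer in the generated command.
fetch_registration_command() {
    curl --silent --fail --netrc-file "$NETRC" \
        -X POST "$ORCHARHINO/api/registration_commands" \
        -H 'Content-Type: application/json' \
        -d "$(registration_payload "$@")"
}
```

A typical call is fetch_registration_command 3 true false My_Activation_Key_1 My_Activation_Key_2, where 3 is the ID of one of the load-balanced orcharhino Proxies; pipe the output to the host over SSH or paste it there as the procedure describes.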
11.2. (Deprecated) Registering clients using the bootstrap script
To register clients, enter the following command on the client. You must complete the registration procedure for each client.
- Ensure that you install the bootstrap script on the client and change file permissions of the script to executable. For more information, see Registering Hosts to orcharhino Using The Bootstrap Script in Managing hosts.
- On Enterprise Linux 8, enter the following command:
# /usr/libexec/platform-python bootstrap.py \
--activationkey="My_Activation_Key" \
--enablerepos=https://yum.theforeman.org/client/nightly/el8/x86_64/foreman-client-release.rpm \ (1)
--force \ (2)
--hostgroup="My_Host_Group" \
--location="My_Location" \
--login=admin \
--organization="My_Organization" \
--puppet-ca-port 8141 \ (3)
--server loadbalancer.example.com
  (1) Replace <arch> with the client architecture, for example x86.
  (2) Include the --force option to register the client that has been previously registered to a standalone orcharhino Proxy.
  (3) Include the --puppet-ca-port 8141 option if you use Puppet.
- On Enterprise Linux 7 or 6, enter the following command:
# python bootstrap.py --login=admin \
--activationkey="My_Activation_Key" \
--enablerepos=https://yum.theforeman.org/client/nightly/el7/x86_64/foreman-client-release.rpm \
--force \ (1)
--hostgroup="My_Host_Group" \
--location="My_Location" \
--organization="My_Organization" \
--puppet-ca-port 8141 \ (2)
--server loadbalancer.example.com
  (1) Include the --force option to register the client that has been previously registered to a standalone orcharhino Proxy.
  (2) Include the --puppet-ca-port 8141 option if you use Puppet.
The script prompts for the password corresponding to the orcharhino user name you entered with the --login option.
12. Propagating SCAP content through the load balancer
If you use OpenSCAP to manage security compliance on your clients, you must configure the SCAP client to send ARF reports to the load balancer instead of orcharhino Proxy. The configuration procedure depends on the method you have selected to deploy compliance policies.
12.1. Propagating SCAP content using Ansible deployment
Using this procedure, you can promote Security Content Automation Protocol (SCAP) content through the load balancer in the scope of the Ansible deployment method.
- Ensure that you have configured orcharhino for Ansible deployment of compliance policies. For more information, see Configuring Compliance Policy Deployment Methods in Managing security compliance.
- In the orcharhino management UI, navigate to Configure > Ansible > Variables.
- Search for the foreman_scap_client_port variable and click its name.
- In the Default Behavior area, ensure that the Override checkbox is selected.
- In the Parameter Type list, ensure that integer is selected.
- In the Default Value field, enter 9090.
- In the Specify Matchers area, remove all matchers that override the default value.
- Click Submit.
- Search for the foreman_scap_client_server variable and click its name.
- In the Default Behavior area, ensure that the Override checkbox is selected.
- In the Parameter Type list, ensure that string is selected.
- In the Default Value field, enter the FQDN of your load balancer, such as loadbalancer.example.com.
- In the Specify Matchers area, remove all matchers that override the default value.
- Click Submit.
- Continue with deploying a compliance policy using Ansible. For more information, see:
  - Deploying a Policy in a Host Group Using Ansible in Managing security compliance
  - Deploying a Policy on a Host Using Ansible in Managing security compliance
- On the client, verify that the /etc/foreman_scap_client/config.yaml file contains the following lines:
# Foreman proxy to which reports should be uploaded
:server: 'loadbalancer.example.com'
:port: 9090
12.2. Propagating SCAP content using Puppet deployment
Using this procedure, you can promote Security Content Automation Protocol (SCAP) content through the load balancer in the scope of the Puppet deployment method.
- Ensure that you have configured orcharhino for Puppet deployment of compliance policies. For more information, see Configuring Compliance Policy Deployment Methods in Managing security compliance.
- In the orcharhino management UI, navigate to Configure > Puppet ENC > Classes.
- Click foreman_scap_client.
- Click the Smart Class Parameter tab.
- In the pane to the left of the Smart Class Parameter window, click port.
- In the Default Behavior area, select the Override checkbox.
- From the Key Type list, select integer.
- In the Default Value field, enter 9090.
- In the pane to the left of the Smart Class Parameter window, click server.
- In the Default Behavior area, select the Override checkbox.
- From the Key Type list, select string.
- In the Default Value field, enter the FQDN of your load balancer, such as loadbalancer.example.com.
- In the lower left of the Smart Class Parameter window, click Submit.
- Continue with deploying a compliance policy using Puppet. For more information, see:
  - Deploying a Policy in a Host Group Using Puppet in Managing security compliance
  - Deploying a Policy on a Host Using Puppet in Managing security compliance
- On the client, verify that the /etc/foreman_scap_client/config.yaml file contains the following lines:
# Foreman proxy to which reports should be uploaded
:server: 'loadbalancer.example.com'
:port: 9090
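As an added example that is not part of the orcharhino documentation, the following shell functions check from a registered client that both subscription management (sections 8 and 10) and the SCAP client (sections 12.1 and 12.2) point at the load balancer rather than at an individual orcharhino Proxy. The rhsm.conf keys read here ([server] hostname and port, [rhsm] baseurl) are the standard subscription-manager settings; the load balancer name, the sample file contents and the write_samples helper are constructed for this example.

```shell
# Added example, not from the orcharhino documentation: verify that a client
# reaches content and uploads ARF reports via the load balancer.
LB_FQDN="loadbalancer.example.com"   # placeholder for your load balancer

# Print the value of key $2 in section [$1] of an INI file $3
# (for example /etc/rhsm/rhsm.conf).
ini_get() {
    awk -v sec="[$1]" -v key="$2" '
        $0 == sec { in_sec = 1; next }
        /^\[/ { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$3"
}

# Print a top-level ":key:" value from the foreman_scap_client YAML file $2,
# with surrounding quotes stripped.
yaml_get() {
    sed -n "s/^:$1:[[:space:]]*//p" "$2" | tr -d "'\""
}

# Return 0 only if rhsm.conf ($1) registers and pulls content through the
# load balancer on port 443 and the SCAP client config ($2) uploads reports
# to the load balancer on port 9090, as Table 1 expects.
check_client_uses_lb() {
    rhsm=$1; scap=$2
    [ "$(ini_get server hostname "$rhsm")" = "$LB_FQDN" ] || return 1
    [ "$(ini_get server port "$rhsm")" = "443" ] || return 1
    case "$(ini_get rhsm baseurl "$rhsm")" in
        "https://$LB_FQDN/pulp/content"*) ;;
        *) return 1 ;;
    esac
    [ "$(yaml_get server "$scap")" = "$LB_FQDN" ] || return 1
    [ "$(yaml_get port "$scap")" = "9090" ]
}

# Constructed sample files standing in for /etc/rhsm/rhsm.conf ($1) and
# /etc/foreman_scap_client/config.yaml ($2) on a correctly registered host.
write_samples() {
    cat > "$1" <<'EOF'
[server]
hostname = loadbalancer.example.com
prefix = /rhsm
port = 443

[rhsm]
baseurl = https://loadbalancer.example.com/pulp/content
EOF
    cat > "$2" <<'EOF'
# Foreman proxy to which reports should be uploaded
:server: 'loadbalancer.example.com'
:port: 9090
EOF
}
```

On a real client, call check_client_uses_lb /etc/rhsm/rhsm.conf /etc/foreman_scap_client/config.yaml; a non-zero exit means the host was registered against a single orcharhino Proxy and will lose content or report uploads when that Proxy is down, which is exactly the situation the verification procedure in section 10 is meant to expose.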