Installing a Smart Proxy Server nightly on Enterprise Linux

1. Preparing your environment for installation

Review the following prerequisites before you install Smart Proxy server.

1.1. System requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
A minimum of 12 GB RAM is required for Smart Proxy server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Smart Proxy running with less RAM than the minimum value might not operate correctly.
Administrative user (root) access
Full forward and reverse DNS resolution using a fully-qualified domain name

Foreman only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.

Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.

Before you install Smart Proxy server, ensure that your environment meets the requirements for installation.

Warning

The version of Smart Proxy must match with the version of Foreman installed. It should not be different. For example, the Smart Proxy version nightly cannot be registered with the Foreman version 3.15.

Smart Proxy server must be installed on a freshly provisioned system that serves no other function except to run Smart Proxy server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Smart Proxy server creates:

apache
foreman-proxy
postgres
puppet
redis

SELinux mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

Synchronized system clock

The system clock on the base operating system where you are installing your Smart Proxy server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.

FIPS mode

You can install Smart Proxy on a Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Smart Proxy. Red Hat Enterprise Linux clones are not being actively tested in FIPS mode. If you require FIPS, consider using Red Hat Enterprise Linux. For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening.

Note

Foreman supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Foreman and Smart Proxy installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening.

1.2. Supported operating systems

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 1. Operating systems supported by foreman-installer
Operating System	Architecture	Notes
Enterprise Linux 9	x86_64 only	EPEL is not supported.

Foreman community advises against using an existing system because the Foreman installer will affect the configuration of several components.

1.3. Port and firewall requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

The installation of a Smart Proxy server fails if the ports between Foreman server and Smart Proxy server are not open before installation starts.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server. For more information on Foreman Topology, see Smart Proxy networking in Planning for Foreman.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 2. Smart Proxy incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTP	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
8443	TCP	HTTPS	Foreman	Smart Proxy API	Smart Proxy functionality
8443	TCP	HTTPS	Client	Register Endpoint	Client registration with Smart Proxy servers
8443	TCP	HTTPS	Client	OpenSCAP	Configure Client (if the OpenSCAP plugin is installed)
8443	TCP	HTTPS	Discovered Node	Discovery	Host discovery and provisioning (if the discovery plugin is installed)

Any host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

A DHCP Smart Proxy performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Table 3. Smart Proxy outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	Smart Proxy DNS	Validation of DNS conflicts (optional)
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
443	TCP	HTTPS	Foreman	Smart Proxy	Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	Smart Proxy sends reboot command to the discovered host (optional)

Note	ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. The DHCP Smart Proxy sends an ECHO REQUEST to the Client network to verify that an IP address is free. A response prevents IP addresses from being allocated.

1.4. Enabling connections from Foreman server and clients to a Smart Proxy server

On the base operating system on which you want to install Smart Proxy, you must enable incoming connections from Foreman server and clients to Smart Proxy server and make these rules persistent across reboots.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

Allow access to services on Smart Proxy server:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=foreman-proxy \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

Enter the following command:
```
# firewall-cmd --list-all
```

For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 Configuring firewalls and packet filters.

2. Installing Smart Proxy server

Before you install Smart Proxy server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.

2.1. Configuring repositories

Procedure

Clear any metadata:
```
# dnf clean all
```

Install the foreman-release.rpm package:

# dnf install https://yum.theforeman.org/releases/nightly/el9/x86_64/foreman-release.rpm

Install the puppet-release package.

For Puppet 8:

# dnf install https://yum.puppet.com/puppet8-release-el-9.noarch.rpm

For Puppet 7:

# dnf install https://yum.puppet.com/puppet7-release-el-9.noarch.rpm

Verification

Verify that the required repositories are enabled:
```
# dnf repolist enabled
```

2.2. Optional: Using fapolicyd on Smart Proxy server

By enabling fapolicyd on your Foreman server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your Foreman server or Smart Proxy server at any point.

2.2.1. Installing fapolicyd on Smart Proxy server

You can install fapolicyd along with Smart Proxy server or can be installed on an existing Smart Proxy server. If you are installing fapolicyd along with the new Smart Proxy server, the installation process will detect the fapolicyd in your Enterprise Linux host and deploy the Smart Proxy server rules automatically.

Prerequisites

Ensure your host has access to the BaseOS repositories of Enterprise Linux.

Procedure

For a new installation, install fapolicyd:
```
# dnf install fapolicyd
```
For an existing installation, install fapolicyd using dnf install:
```
# dnf install fapolicyd
```
Start the fapolicyd service:
```
# systemctl enable --now fapolicyd
```

Verification

Verify that the fapolicyd service is running correctly:
```
# systemctl status fapolicyd
```

New Foreman server or Smart Proxy server installations

In case of new Foreman server or Smart Proxy server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening.

2.3. Installing Smart Proxy server packages

Before installing Smart Proxy server packages, you must update all packages that are installed on the base operating system.

Procedure

To install Smart Proxy server, complete the following steps:

Update all packages:
```
# dnf upgrade
```
Install foreman-installer:
```
# dnf install foreman-installer
```

2.4. Installing Smart Proxy server

Procedure

To install Smart Proxy server, enter the following command:

# foreman-installer \
--enable-foreman-proxy \
--enable-puppet \
--foreman-proxy-foreman-base-url=https://foreman.example.com \
--foreman-proxy-oauth-consumer-key=My_oAuth_Consumer_Key \
--foreman-proxy-oauth-consumer-secret=My_oAuth_Consumer_Secret \
--foreman-proxy-puppetca=false \
--foreman-proxy-tftp=false \
--foreman-proxy-trusted-hosts=foreman.example.com \
--no-enable-foreman \
--no-enable-foreman-cli \
--puppet-server-ca=false

2.5. Assigning the correct organization and location to Smart Proxy server in the Foreman web UI

After installing Smart Proxy server packages, if there is more than one organization or location, you must assign the correct organization and location to Smart Proxy to make Smart Proxy visible in the Foreman web UI.

Procedure

Log into the Foreman web UI.
From the Organization list in the upper-left of the screen, select Any Organization.
From the Location list in the upper-left of the screen, select Any Location.
In the Foreman web UI, navigate to Hosts > All Hosts and select Smart Proxy server.
From the Select Actions list, select Assign Organization.
From the Organization list, select the organization where you want to assign this Smart Proxy.
Click Fix Organization on Mismatch.
Click Submit.
Select Smart Proxy server. From the Select Actions list, select Assign Location.
From the Location list, select the location where you want to assign this Smart Proxy.
Click Fix Location on Mismatch.
Click Submit.
In the Foreman web UI, navigate to Administer > Organizations and click the organization to which you have assigned Smart Proxy.
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.
In the Foreman web UI, navigate to Administer > Locations and click the location to which you have assigned Smart Proxy.
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.

Verification

Optionally, you can verify if Smart Proxy server is correctly listed in the Foreman web UI.

Select the organization from the Organization list.
Select the location from the Location list.
In the Foreman web UI, navigate to Hosts > All Hosts.
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.

3. Performing additional configuration on Smart Proxy server

After installation, you can configure additional settings on your Smart Proxy server.

3.1. Configuring Smart Proxy for host registration and provisioning

Use this procedure to configure Smart Proxy so that you can register and provision hosts using your Smart Proxy server instead of your Foreman server.

Procedure

Enable the Registration and Templates features on your Smart Proxy server and set the template URL:

# foreman-installer \
--foreman-proxy-registration true \
--foreman-proxy-templates true \
--foreman-proxy-template-url "http://smartproxy.example.com:8000"

On your Smart Proxy server, open the corresponding ports:

# firewall-cmd --permanent --zone=public --add-port=8000/tcp

On your Smart Proxy server, reload the firewall configuration:
```
# firewall-cmd --reload
```
On Foreman server, add the Smart Proxy to the list of trusted proxies.

This is required for Foreman to recognize hosts' IP addresses forwarded over the X-Forwarded-For HTTP header set by Smart Proxy. For security reasons, Foreman recognizes this HTTP header only from localhost by default. You can enter trusted proxies as valid IPv4 or IPv6 addresses of Smart Proxies, or network ranges.

Warning

Do not use a network range that is too broad because that might cause a security risk.

Enter the following command. Note that the command overwrites the list that is currently stored in Foreman. Therefore, if you have set any trusted proxies previously, you must include them in the command as well:
```
# foreman-installer \
--foreman-trusted-proxies "127.0.0.1/8" \
--foreman-trusted-proxies "::1" \
--foreman-trusted-proxies "My_IP_address" \
--foreman-trusted-proxies "My_IP_range"
```
The localhost entries are required, do not omit them.

Verification

List the current trusted proxies using the full help of Foreman installer:
```
# foreman-installer --full-help | grep -A 2 "trusted-proxies"
```
The current listing contains all trusted proxies you require.

3.2. Enabling remote execution

Use this procedure to enable remote execution on your Smart Proxy server. To learn more about remote execution, see Configuring and Setting Up Remote Jobs in Managing hosts.

Prerequisites

You have enabled the remote execution plugin on your Foreman server. To do this, run the following command:
```
# foreman-installer --enable-foreman-plugin-remote-execution
```

Procedure

Enable remote execution with foreman-installer:

# foreman-installer --enable-foreman-proxy-plugin-remote-execution-script

3.3. Enabling OpenSCAP on Smart Proxy servers

On Foreman server and the integrated Smart Proxy of your Foreman server, OpenSCAP is enabled by default. To use the OpenSCAP plugin and content on external Smart Proxies, you must enable OpenSCAP on each Smart Proxy.

Procedure

To enable OpenSCAP, enter the following command:

# foreman-installer \
--enable-foreman-proxy-plugin-openscap \
--foreman-proxy-plugin-openscap-ansible-module true \
--foreman-proxy-plugin-openscap-puppet-module true

3.4. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Smart Proxy server.

Prerequisites

All hosts must have a network interface of BMC type. Smart Proxy server uses this NIC to pass the appropriate credentials to the host. For more information, see Configuring a Baseboard Management Controller (BMC) Interface in Managing hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

Appendix A: Smart Proxy server scalability considerations when managing Puppet clients

Smart Proxy server scalability when managing Puppet clients depends on the number of CPUs, the run-interval distribution, and the number of Puppet managed resources. Smart Proxy server has a limitation of 100 concurrent Puppet agents running at any single point in time. Running more than 100 concurrent Puppet agents results in a 503 HTTP error.

For example, assuming that Puppet agent runs are evenly distributed with less than 100 concurrent Puppet agents running at any single point during a run-interval, a Smart Proxy server with 4 CPUs has a maximum of 1250 – 1600 Puppet clients with a moderate workload of 10 Puppet classes assigned to each Puppet client. Depending on the number of Puppet clients required, the Foreman installation can scale out the number of Smart Proxy servers to support them.

If you want to scale your Smart Proxy server when managing Puppet clients, the following assumptions are made:

There are no external Puppet clients reporting directly to your Foreman server.
All other Puppet clients report directly to Smart Proxy servers.
There is an evenly distributed run-interval of all Puppet agents.

Note	Deviating from the even distribution increases the risk of overloading Foreman server. The limit of 100 concurrent requests applies.

The following table describes the scalability limits using the recommended 4 CPUs.

Table 4. Puppet scalability using 4 CPUs
Puppet Managed Resources per Host	Run-Interval Distribution
1	3000 – 2500
10	2400 – 2000
20	1700 – 1400

The following table describes the scalability limits using the minimum 2 CPUs.

Table 5. Puppet scalability using 2 CPUs
Puppet Managed Resources per Host	Run-Interval Distribution
1	1700 – 1450
10	1500 – 1250
20	850 – 700