1. Preparing your environment for installation

Review the following prerequisites before you install Smart Proxy server.

1.1. System requirements

The following requirements apply to the networked base operating system:

  • x86_64 architecture

  • 4-core 2.0 GHz CPU at a minimum

  • A minimum of 12 GB RAM is required for Smart Proxy server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Smart Proxy running with less RAM than the minimum value might not operate correctly.

  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)

  • Administrative user (root) access

  • Full forward and reverse DNS resolution using a fully-qualified domain name

Foreman only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.

Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.

Before you install Smart Proxy server, ensure that your environment meets the requirements for installation.

Warning

The version of Smart Proxy must match with the version of Foreman installed. It should not be different. For example, the Smart Proxy version nightly cannot be registered with the Foreman version 3.14.

Smart Proxy server must be installed on a freshly provisioned system that serves no other function except to run Smart Proxy server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Smart Proxy server creates:

  • apache

  • foreman-proxy

  • postgres

  • pulp

  • puppet

  • redis

SELinux mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

Synchronized system clock

The system clock on the base operating system where you are installing your Smart Proxy server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.

FIPS mode

You can install Smart Proxy on a Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Smart Proxy. Red Hat Enterprise Linux clones are not being actively tested in FIPS mode. If you require FIPS, consider using Red Hat Enterprise Linux. For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening.

Note

Foreman supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Foreman and Smart Proxy installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening.

1.2. Storage requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 7, 8, and 9 repositories synchronized.

Table 1. Storage requirements for Smart Proxy server installation
Directory Installation Size Runtime Size

/var/lib/pulp

1 MB

300 GB

/var/lib/pgsql

100 MB

20 GB

/usr

3 GB

Not Applicable

/opt/puppetlabs

500 MB

Not Applicable

The size of the PostgreSQL database on your Smart Proxy server can grow significantly with an increasing number of lifecycle environments, content views, or repositories that are synchronized from your Foreman server. In the largest Foreman environments, the size of /var/lib/pgsql on Smart Proxy server can grow to double or triple the size of /var/lib/pgsql on your Foreman server.

1.3. Storage guidelines

Consider the following guidelines when installing Smart Proxy server to increase efficiency.

  • If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.

  • Because most Smart Proxy server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.

  • Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and PostgreSQL /var/lib/pgsql directories. As Foreman has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation.

File system guidelines
  • Do not use the GFS2 file system as the input-output latency is too high.

Log file storage

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate.

The exact amount of storage you require for log messages depends on your installation and setup.

SELinux considerations for NFS mount

When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:

nfs.example.com:/nfsshare  /var/lib/pulp  nfs  context="system_u:object_r:var_lib_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command:

# restorecon -R /var/lib/pulp
Duplicated packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/pulp/ directory. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/.

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Foreman, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Foreman to manage this.

1.4. Supported operating systems

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 2. Operating systems supported by foreman-installer

Operating System

Architecture

Notes

Enterprise Linux 9

x86_64 only

EPEL is not supported.

Foreman community advises against using an existing system because the Foreman installer will affect the configuration of several components.

1.5. Port and firewall requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

The installation of a Smart Proxy server fails if the ports between Foreman server and Smart Proxy server are not open before installation starts.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server. For more information on Foreman Topology, see Smart Proxy networking in Planning for Foreman.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 3. Smart Proxy incoming traffic
Destination Port Protocol Service Source Required For Description

53

TCP and UDP

DNS

DNS Servers and clients

Name resolution

DNS (optional)

67

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

69

UDP

TFTP

Client

TFTP Server (optional)

443, 80

TCP

HTTPS, HTTP

Client

Content Retrieval

Content

443, 80

TCP

HTTPS, HTTP

Client

Content Host Registration

Smart Proxy CA RPM installation

443

TCP

HTTPS

Foreman

Content Mirroring

Management

443

TCP

HTTPS

Foreman

Smart Proxy API

Smart Proxy functionality

443

TCP

HTTPS

Client

Content Host registration

Initiation

Uploading facts

Sending installed packages and traces

1883

TCP

MQTT

Client

Pull based REX (optional)

Content hosts for REX job notification (optional)

8000

TCP

HTTP

Client

Provisioning templates

Template retrieval for client installers, iPXE or UEFI HTTP Boot

8000

TCP

HTTP

Client

PXE Boot

Installation

8140

TCP

HTTPS

Client

Puppet agent

Client updates (optional)

8443

TCP

HTTPS

Client

Content Host registration

Deprecated and only needed for Client hosts deployed before upgrades

9090

TCP

HTTPS

Foreman

Smart Proxy API

Smart Proxy functionality

9090

TCP

HTTPS

Client

Register Endpoint

Client registration with an external Smart Proxy server

9090

TCP

HTTPS

Client

OpenSCAP

Configure Client (if the OpenSCAP plugin is installed)

9090

TCP

HTTPS

Discovered Node

Discovery

Host discovery and provisioning (if the discovery plugin is installed)

9090

TCP

HTTPS

Client

Pull based REX (optional)

Content hosts for REX job notification (optional)

Any host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

A DHCP Smart Proxy performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Table 4. Smart Proxy outgoing traffic
Destination Port Protocol Service Destination Required For Description

ICMP

ping

Client

DHCP

Free IP checking (optional)

7

TCP

echo

Client

DHCP

Free IP checking (optional)

22

TCP

SSH

Target host

Remote execution

Run jobs

53

TCP and UDP

DNS

DNS Servers on the Internet

DNS Server

Resolve DNS records (optional)

53

TCP and UDP

DNS

DNS Server

Smart Proxy DNS

Validation of DNS conflicts (optional)

68

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

443

TCP

HTTPS

Foreman

Smart Proxy

Smart Proxy

Configuration management

Template retrieval

OpenSCAP

Remote Execution result upload

443

TCP

HTTPS

Foreman

Content

Sync

443

TCP

HTTPS

Foreman

Client communication

Forward requests from Client to Foreman

443

TCP

HTTPS

Infoblox DHCP Server

DHCP management

When using Infoblox for DHCP, management of the DHCP leases (optional)

623

Client

Power management

BMC On/Off/Cycle/Status

7911

TCP

DHCP, OMAPI

DHCP Server

DHCP

The DHCP target is configured using --foreman-proxy-dhcp-server and defaults to localhost

ISC and remote_isc use a configurable port that defaults to 7911 and uses OMAPI

8443

TCP

HTTPS

Client

Discovery

Smart Proxy sends reboot command to the discovered host (optional)

Note

ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. The DHCP Smart Proxy sends an ECHO REQUEST to the Client network to verify that an IP address is free. A response prevents IP addresses from being allocated.

1.6. Enabling connections from Foreman server and clients to a Smart Proxy server

On the base operating system on which you want to install Smart Proxy, you must enable incoming connections from Foreman server and clients to Smart Proxy server and make these rules persistent across reboots.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure
  1. Open the ports for clients on Smart Proxy server:

    # firewall-cmd \
    --add-port="8000/tcp" \
    --add-port="9090/tcp"
  2. Allow access to services on Smart Proxy server:

    # firewall-cmd \
    --add-service=dns \
    --add-service=dhcp \
    --add-service=tftp \
    --add-service=http \
    --add-service=https \
    --add-service=puppetmaster
  3. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent
Verification
  • Enter the following command:

    # firewall-cmd --list-all

For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 Configuring firewalls and packet filters.

2. Installing Smart Proxy server

Before you install Smart Proxy server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.

2.1. Registering to Foreman server

Use this procedure to register the base operating system on which you want to install Smart Proxy server to Foreman server.

Registering your Smart Proxy server as a content host is optional unless you wish to download the installation packages from your synced repositories.

Red Hat subscription manifest prerequisites
  • On Foreman server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Smart Proxy to belong to.

  • The manifest must contain repositories for the base operating system on which you want to install Smart Proxy, as well as any clients that you want to connect to Smart Proxy.

  • The repositories must be synchronized.

For more information on manifests and repositories, see Managing Red Hat Subscriptions in Managing content.

Proxy and network prerequisites
  • The Foreman server base operating system must be able to resolve the host name of the Smart Proxy base operating system and vice versa.

  • Ensure HTTPS connection using client certificate authentication is possible between Smart Proxy server and Foreman server. HTTP proxies between Smart Proxy server and Foreman server are not supported.

  • You must configure the host and network-based firewalls accordingly. For more information, see Port and firewall requirements in Installing a Smart Proxy Server nightly on Enterprise Linux. You can register hosts with Foreman using the host registration feature in the Foreman web UI, Hammer CLI, or the Foreman API. For more information, see Registering hosts and setting up host integration in Managing hosts.

Procedure
  1. In the Foreman web UI, navigate to Hosts > Register Host.

  2. From the Activation Keys list, select the activation keys to assign to your host.

  3. Click Generate to create the registration command.

  4. Click on the files icon to copy the command to your clipboard.

  5. Connect to your host using SSH and run the registration command.

  6. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

CLI procedure
  1. Generate the host registration command using the Hammer CLI:

    $ hammer host-registration generate-command \
    --activation-keys "My_Activation_Key"

    If your hosts do not trust the SSL certificate of Foreman server, you can disable SSL validation by adding the --insecure flag to the registration command.

    $ hammer host-registration generate-command \
    --activation-keys "My_Activation_Key" \
    --insecure true
  2. Connect to your host using SSH and run the registration command.

  3. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

API procedure
  1. Generate the host registration command using the Foreman API:

    # curl -X POST https://foreman.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'

    If your hosts do not trust the SSL certificate of Foreman server, you can disable SSL validation by adding the --insecure flag to the registration command.

    # curl -X POST https://foreman.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'

    Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.

    To enter a password as a command line argument, use username:password syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Foreman web UI, navigate to My Account > Personal Access Tokens.

  2. Connect to your host using SSH and run the registration command.

  3. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

2.2. Configuring repositories

Procedure
  1. Clear any metadata:

    # dnf clean all
  2. Install the foreman-release.rpm package:

    # dnf install https://yum.theforeman.org/releases/nightly/el9/x86_64/foreman-release.rpm
  3. Install the katello-repos-latest.rpm package:

    # dnf install https://yum.theforeman.org/katello/nightly/katello/el9/x86_64/katello-repos-latest.rpm
  4. Install the puppet-release package.

    • For Puppet 8:

      # dnf install https://yum.puppet.com/puppet8-release-el-9.noarch.rpm
    • For Puppet 7:

      # dnf install https://yum.puppet.com/puppet7-release-el-9.noarch.rpm
Verification
  • Verify that the required repositories are enabled:

    # dnf repolist enabled

2.3. Optional: Using fapolicyd on Smart Proxy server

By enabling fapolicyd on your Foreman server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your Foreman server or Smart Proxy server at any point.

2.3.1. Installing fapolicyd on Smart Proxy server

You can install fapolicyd along with Smart Proxy server or can be installed on an existing Smart Proxy server. If you are installing fapolicyd along with the new Smart Proxy server, the installation process will detect the fapolicyd in your Enterprise Linux host and deploy the Smart Proxy server rules automatically.

Prerequisites
  • Ensure your host has access to the BaseOS repositories of Enterprise Linux.

Procedure
  1. For a new installation, install fapolicyd:

    # dnf install fapolicyd
  2. For an existing installation, install fapolicyd using dnf install:

    # dnf install fapolicyd
  3. Start the fapolicyd service:

    # systemctl enable --now fapolicyd
Verification
  • Verify that the fapolicyd service is running correctly:

    # systemctl status fapolicyd
New Foreman server or Smart Proxy server installations

In case of new Foreman server or Smart Proxy server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening.

2.4. Installing Smart Proxy server packages

Before installing Smart Proxy server packages, you must update all packages that are installed on the base operating system.

Procedure

To install Smart Proxy server, complete the following steps:

  1. Update all packages:

    # dnf upgrade
  2. Install foreman-proxy-content:

    # dnf install foreman-proxy-content

2.5. Installing Smart Proxy server

Procedure

2.6. Configuring Smart Proxy server with SSL certificates

Foreman uses SSL certificates to enable encrypted communications between Foreman server, external Smart Proxy servers, and all hosts. Depending on the requirements of your organization, you must configure your Smart Proxy server with a default or custom certificate.

2.6.1. Configuring Smart Proxy server with a default SSL certificate

Use this section to configure Smart Proxy server with an SSL certificate that is signed by Foreman server default Certificate Authority (CA).

Prerequisites
Procedure
  1. On Foreman server, to store all the source certificate files for your Smart Proxy server, create a directory that is accessible only to the root user, for example /root/smart-proxy_cert:

    # mkdir /root/smart-proxy_cert
  2. On Foreman server, generate the /root/smart-proxy_cert/smartproxy.example.com-certs.tar certificate archive for your Smart Proxy server:

    # foreman-proxy-certs-generate \
    --foreman-proxy-fqdn smartproxy.example.com \
    --certs-tar /root/smart-proxy_cert/smartproxy.example.com-certs.tar

    Retain a copy of the foreman-installer command that the foreman-proxy-certs-generate command returns for deploying the certificate to your Smart Proxy server.

    Example output of foreman-proxy-certs-generate
    output omitted
    foreman-installer --scenario foreman-proxy-content \
    --certs-tar-file "/root/smart-proxy_cert/smartproxy.example.com-certs.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://foreman.example.com" \
    --foreman-proxy-trusted-hosts "foreman.example.com" \
    --foreman-proxy-trusted-hosts "smartproxy.example.com" \
    --foreman-proxy-oauth-consumer-key "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f" \
    --foreman-proxy-oauth-consumer-secret "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"
  3. On Foreman server, copy the certificate archive file to your Smart Proxy server:

    # scp /root/smart-proxy_cert/smartproxy.example.com-certs.tar \
    root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar
  4. On Smart Proxy server, to deploy the certificate, enter the foreman-installer command that the foreman-proxy-certs-generate command returns.

    When network connections or ports to Foreman are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.

2.6.2. Configuring Smart Proxy server with a custom SSL certificate

If you configure Foreman server to use a custom SSL certificate, you must also configure each of your external Smart Proxy servers with a distinct custom SSL certificate.

To configure your Smart Proxy server with a custom certificate, complete the following procedures on each Smart Proxy server:

Creating a custom SSL certificate for Smart Proxy server

On Foreman server, create a custom certificate for your Smart Proxy server. If you already have a custom SSL certificate for Smart Proxy server, skip this procedure.

Procedure
  1. To store all the source certificate files, create a directory that is accessible only to the root user:

    # mkdir /root/smart-proxy_cert
  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Smart Proxy server, skip this step.

    # openssl genrsa -out /root/smart-proxy_cert/smart-proxy_cert_key.pem 4096
  3. Create the /root/smart-proxy_cert/openssl.cnf configuration file for the CSR and include the following content:

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    commonName = smartproxy.example.com
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = smartproxy.example.com

    For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

    [req_distinguished_name]
    CN = smartproxy.example.com
    countryName = My_Country_Name (1)
    stateOrProvinceName = My_State_Or_Province_Name (2)
    localityName = My_Locality_Name (3)
    organizationName = My_Organization_Or_Company_Name
    organizationalUnitName = My_Organizational_Unit_Name (4)
    1. Two letter code

    2. Full name

    3. Full name (example: New York)

    4. Division responsible for the certificate (example: IT department)

  5. Generate CSR:

    # openssl req -new \
    -key /root/smart-proxy_cert/smart-proxy_cert_key.pem \ (1)
    -config /root/smart-proxy_cert/openssl.cnf \ (2)
    -out /root/smart-proxy_cert/smart-proxy_cert_csr.pem (3)
    1. Path to the private key

    2. Path to the configuration file

    3. Path to the CSR to generate

  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Foreman server and Smart Proxy server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

Deploying a custom SSL certificate to Smart Proxy server

Use this procedure to configure your Smart Proxy server with a custom SSL certificate signed by a Certificate Authority. The foreman-installer command, which the foreman-proxy-certs-generate command returns, is unique to each Smart Proxy server. Do not use the same command on more than one Smart Proxy server.

Prerequisites
Procedure
  1. On your Foreman server, generate a certificate bundle:

    # foreman-proxy-certs-generate \
    --foreman-proxy-fqdn smartproxy.example.com \
    --certs-tar ~/smartproxy.example.com-certs.tar \
    --server-cert /root/smart-proxy_cert/smart-proxy_cert.pem \ (1)
    --server-key /root/smart-proxy_cert/smart-proxy_cert_key.pem \ (2)
    --server-ca-cert /root/smart-proxy_cert/ca_cert_bundle.pem (3)
    1. Path to Smart Proxy server certificate file that is signed by a Certificate Authority.

    2. Path to the private key that was used to sign Smart Proxy server certificate.

    3. Path to the Certificate Authority bundle.

  2. Retain a copy of the foreman-installer command that the foreman-proxy-certs-generate command returns for deploying the certificate to your Smart Proxy server.

    Example output of foreman-proxy-certs-generate
    output omitted
    foreman-installer --scenario foreman-proxy-content \
    --certs-tar-file "/root/smartproxy.example.com-certs.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://foreman.example.com" \
    --foreman-proxy-trusted-hosts "foreman.example.com" \
    --foreman-proxy-trusted-hosts "smartproxy.example.com" \
    --foreman-proxy-oauth-consumer-key "My_OAuth_Consumer_Key" \
    --foreman-proxy-oauth-consumer-secret "My_OAuth_Consumer_Secret"
  3. On your Foreman server, copy the certificate archive file to your Smart Proxy server:

    # scp ~/smartproxy.example.com-certs.tar \
    root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar
  4. On your Smart Proxy server, to deploy the certificate, enter the foreman-installer command that the foreman-proxy-certs-generate command returns.

    If network connections or ports to Foreman are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.

Deploying a SSL certificate to hosts

After you configure Foreman to use a SSL certificate, you must deploy the certificate to hosts registered to Foreman.

Procedure
  • Update the SSL certificate on each host:

    • On Debian and Ubuntu:

      # wget http://smartproxy.example.com/pub/katello-rhsm-consumer
      # chmod +x katello-rhsm-consumer
      # ./katello-rhsm-consumer
    • On Enterprise Linux 8+:

      # dnf install http://smartproxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    • On OpenSUSE and SUSE Linux Enterprise Server:

      # zypper install http://smartproxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm

2.7. Resetting SSL certificate to default self-signed certificate on Smart Proxy server

To reset the SSL certificate to default self-signed certificate on your Smart Proxy server, you must re-register your Smart Proxy server through Global Registration. For more information, see Registering hosts by using global registration in Managing hosts.

Verification
  1. In the Foreman web UI, navigate to Infrastructure > Smart Proxies and select any Smart Proxy server.

  2. On the Overview tab, click Refresh features.

Additional Resources

2.8. Assigning the correct organization and location to Smart Proxy server in the Foreman web UI

After installing Smart Proxy server packages, if there is more than one organization or location, you must assign the correct organization and location to Smart Proxy to make Smart Proxy visible in the Foreman web UI.

Procedure
  1. Log into the Foreman web UI.

  2. From the Organization list in the upper-left of the screen, select Any Organization.

  3. From the Location list in the upper-left of the screen, select Any Location.

  4. In the Foreman web UI, navigate to Hosts > All Hosts and select Smart Proxy server.

  5. From the Select Actions list, select Assign Organization.

  6. From the Organization list, select the organization where you want to assign this Smart Proxy.

  7. Click Fix Organization on Mismatch.

  8. Click Submit.

  9. Select Smart Proxy server. From the Select Actions list, select Assign Location.

  10. From the Location list, select the location where you want to assign this Smart Proxy.

  11. Click Fix Location on Mismatch.

  12. Click Submit.

  13. In the Foreman web UI, navigate to Administer > Organizations and click the organization to which you have assigned Smart Proxy.

  14. Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.

  15. In the Foreman web UI, navigate to Administer > Locations and click the location to which you have assigned Smart Proxy.

  16. Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.

Verification

Optionally, you can verify if Smart Proxy server is correctly listed in the Foreman web UI.

  1. Select the organization from the Organization list.

  2. Select the location from the Location list.

  3. In the Foreman web UI, navigate to Hosts > All Hosts.

  4. In the Foreman web UI, navigate to Infrastructure > Smart Proxies.

3. Performing additional configuration on Smart Proxy server

After installation, you can configure additional settings on your Smart Proxy server.

3.1. Configuring Smart Proxy for host registration and provisioning

Use this procedure to configure Smart Proxy so that you can register and provision hosts using your Smart Proxy server instead of your Foreman server.

Procedure
  • On Foreman server, add the Smart Proxy to the list of trusted proxies.

    This is required for Foreman to recognize hosts' IP addresses forwarded over the X-Forwarded-For HTTP header set by Smart Proxy. For security reasons, Foreman recognizes this HTTP header only from localhost by default. You can enter trusted proxies as valid IPv4 or IPv6 addresses of Smart Proxies, or network ranges.

    Warning

    Do not use a network range that is too broad because that might cause a security risk.

    Enter the following command. Note that the command overwrites the list that is currently stored in Foreman. Therefore, if you have set any trusted proxies previously, you must include them in the command as well:

    # foreman-installer \
    --foreman-trusted-proxies "127.0.0.1/8" \
    --foreman-trusted-proxies "::1" \
    --foreman-trusted-proxies "My_IP_address" \
    --foreman-trusted-proxies "My_IP_range"

    The localhost entries are required, do not omit them.

Verification
  1. List the current trusted proxies using the full help of Foreman installer:

    # foreman-installer --full-help | grep -A 2 "trusted-proxies"
  2. The current listing contains all trusted proxies you require.

3.2. Enabling remote execution

Use this procedure to enable remote execution on your Smart Proxy server. To learn more about remote execution, see Configuring and Setting Up Remote Jobs in Managing hosts.

Procedure
  • Enable remote execution with foreman-installer:

    # foreman-installer --enable-foreman-proxy-plugin-remote-execution-script

3.3. Configuring pull-based transport for remote execution

By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Smart Proxy server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Smart Proxy server. The use of pull-based transport is not limited to those infrastructures.

The pull-based transport comprises pull-mqtt mode on Smart Proxies in combination with a pull client running on hosts.

Note

The pull-mqtt mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.

The mode is configured per Smart Proxy server. Some Smart Proxy servers can be configured to use pull-mqtt mode while others use SSH. If this is the case, it is possible that one remote job on a given host will use the pull client and the next job on the same host will use SSH. If you wish to avoid this scenario, configure all Smart Proxy servers to use the same mode.

Procedure
  1. Enable the pull-based transport on your Smart Proxy server:

    # foreman-installer --foreman-proxy-plugin-remote-execution-script-mode=pull-mqtt
  2. Configure the firewall to allow the MQTT service on port 1883:

    # firewall-cmd --add-service=mqtt
  3. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent
  4. In pull-mqtt mode, hosts subscribe for job notifications to either your Foreman server or any Smart Proxy server through which they are registered. Ensure that Foreman server sends remote execution jobs to that same Foreman server or Smart Proxy server:

    1. In the Foreman web UI, navigate to Administer > Settings.

    2. On the Content tab, set the value of Prefer registered through Smart Proxy for remote execution to Yes.

Next steps

3.4. Enabling OpenSCAP on Smart Proxy servers

On Foreman server and the integrated Smart Proxy of your Foreman server, OpenSCAP is enabled by default. To use the OpenSCAP plugin and content on external Smart Proxies, you must enable OpenSCAP on each Smart Proxy.

Procedure
  • To enable OpenSCAP, enter the following command:

    # foreman-installer \
    --enable-foreman-proxy-plugin-openscap \
    --foreman-proxy-plugin-openscap-ansible-module true \
    --foreman-proxy-plugin-openscap-puppet-module true

    If you want to use Puppet to deploy compliance policies, you must enable it first. For more information, see Configuring hosts by using Puppet.

3.5. Adding lifecycle environments to Smart Proxy servers

If your Smart Proxy server has the content functionality enabled, you must add an environment so that Smart Proxy can synchronize content from Foreman server and provide content to host systems.

Do not assign the Library lifecycle environment to your Smart Proxy server because it triggers an automated Smart Proxy sync every time the CDN updates a repository. This might consume multiple system resources on Smart Proxies, network bandwidth between Foreman and Smart Proxies, and available disk space on Smart Proxies.

You can use Hammer CLI on Foreman server or the Foreman web UI.

Procedure
  1. In the Foreman web UI, navigate to Infrastructure > Smart Proxies, and select the Smart Proxy that you want to add a lifecycle to.

  2. Click Edit and click the Lifecycle Environments tab.

  3. From the left menu, select the lifecycle environments that you want to add to Smart Proxy and click Submit.

  4. To synchronize the content on the Smart Proxy, click the Overview tab and click Synchronize.

  5. Select either Optimized Sync or Complete Sync.

    For definitions of each synchronization type, see Recovering a Repository.

CLI procedure
  1. To display a list of all Smart Proxy servers, on Foreman server, enter the following command:

    # hammer proxy list

    Note the Smart Proxy ID of the Smart Proxy to which you want to add a lifecycle.

  2. Using the ID, verify the details of your Smart Proxy:

    # hammer proxy info \
    --id My_Smart_Proxy_ID
  3. To view the lifecycle environments available for your Smart Proxy server, enter the following command and note the ID and the organization name:

    # hammer proxy content available-lifecycle-environments \
    --id My_Smart_Proxy_ID
  4. Add the lifecycle environment to your Smart Proxy server:

    # hammer proxy content add-lifecycle-environment \
    --id My_Smart_Proxy_ID \
    --lifecycle-environment-id My_Lifecycle_Environment_ID
    --organization "My_Organization"

    Repeat for each lifecycle environment you want to add to Smart Proxy server.

  5. Synchronize the content from Foreman to Smart Proxy.

    • To synchronize all content from your Foreman server environment to Smart Proxy server, enter the following command:

      # hammer proxy content synchronize \
      --id My_Smart_Proxy_ID
    • To synchronize a specific lifecycle environment from your Foreman server to Smart Proxy server, enter the following command:

      # hammer proxy content synchronize \
      --id My_Smart_Proxy_ID \
      --lifecycle-environment-id My_Lifecycle_Environment_ID
    • To synchronize all content from your Foreman server to your Smart Proxy server without checking metadata:

      # hammer proxy content synchronize \
      --id My_Smart_Proxy_ID \
      --skip-metadata-check true

      This equals selecting Complete Sync in the Foreman web UI.

3.6. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Smart Proxy server.

Prerequisites
Procedure
  • To enable BMC, enter the following command:

    # foreman-installer \
    --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"

Appendix A: Smart Proxy server scalability considerations when managing Puppet clients

Smart Proxy server scalability when managing Puppet clients depends on the number of CPUs, the run-interval distribution, and the number of Puppet managed resources. Smart Proxy server has a limitation of 100 concurrent Puppet agents running at any single point in time. Running more than 100 concurrent Puppet agents results in a 503 HTTP error.

For example, assuming that Puppet agent runs are evenly distributed with less than 100 concurrent Puppet agents running at any single point during a run-interval, a Smart Proxy server with 4 CPUs has a maximum of 1250 – 1600 Puppet clients with a moderate workload of 10 Puppet classes assigned to each Puppet client. Depending on the number of Puppet clients required, the Foreman installation can scale out the number of Smart Proxy servers to support them.

If you want to scale your Smart Proxy server when managing Puppet clients, the following assumptions are made:

  • There are no external Puppet clients reporting directly to the Foreman integrated Smart Proxy.

  • All other Puppet clients report directly to an external Smart Proxy.

  • There is an evenly distributed run-interval of all Puppet agents.

Note

Deviating from the even distribution increases the risk of overloading Foreman server. The limit of 100 concurrent requests applies.

The following table describes the scalability limits using the recommended 4 CPUs.

Table 5. Puppet scalability using 4 CPUs
Puppet Managed Resources per Host Run-Interval Distribution

1

3000 – 2500

10

2400 – 2000

20

1700 – 1400

The following table describes the scalability limits using the minimum 2 CPUs.

Table 6. Puppet scalability using 2 CPUs
Puppet Managed Resources per Host Run-Interval Distribution

1

1700 – 1450

10

1500 – 1250

20

850 – 700