Installing Foreman Server nightly on Debian/Ubuntu

1. Preparing your environment for installation

Review the following prerequisites before you install Foreman server.

1.1. System requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
A minimum of 4 GB RAM is required for Foreman server to function. Foreman running with less RAM than the minimum value might not operate correctly.
Administrative user (root) access
Full forward and reverse DNS resolution using a fully-qualified domain name

Foreman only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.

Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.

Before you install Foreman server, ensure that your environment meets the requirements for installation.

Foreman server must be installed on a freshly provisioned system that serves no other function except to run Foreman server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Foreman server creates:

www-data
foreman
foreman-proxy
postgres
puppet
redis

Synchronized system clock

The system clock on the base operating system where you are installing your Foreman server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.

1.2. Storage requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

Table 1. Storage requirements for a Foreman server installation
Directory	Installation Size	Runtime Size
/var/log	10 MB	10 GB
/var/lib/postgresql	100 MB	20 GB
/usr	10 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable

1.3. Supported operating systems

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 2. Operating systems supported by foreman-installer
Operating System	Architecture	Notes
Debian 12 (Bookworm)	amd64
Ubuntu 22.04 (Jammy)	amd64

Foreman community advises against using an existing system because the Foreman installer will affect the configuration of several components.

1.4. Supported browsers

Using the most recent version of a major browser is highly recommended, as Foreman and the frameworks it uses offer limited support for older versions.

The recommended requirements are as follows for major browsers:

Google Chrome – latest version
Microsoft Edge – latest version
Apple Safari – latest version
Mozilla Firefox – latest version
Mozilla Firefox Extended Support Release (ESR) – latest version

Other browsers may work unpredictably.

The Foreman web UI and command-line interface is translated into various languages.

1.5. Port and firewall requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 3. Foreman server incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
443	TCP	HTTPS	Smart Proxy	Foreman API	Communication from Smart Proxy
443, 80	TCP	HTTPS, HTTP	Client	Global Registration	Registering hosts to Foreman Port 443 is required for registration initiation, uploading facts, and sending installed packages and traces Port 80 notifies Foreman on the `/unattended/built` endpoint that registration has finished
5910 – 5930	TCP	HTTPS	Browsers	Compute Resource’s virtual console
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTPS	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
8443	TCP	HTTPS	Foreman	Smart Proxy API	Smart Proxy functionality
8443	TCP	HTTPS	Client	OpenSCAP	Configure Client (if the OpenSCAP plugin is installed)
8443	TCP	HTTPS	Discovered Node	Discovery	Host discovery and provisioning (if the discovery plugin is installed)

Any host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

A DHCP Smart Proxy performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Note	Some outgoing traffic returns to Foreman to enable internal communication and security operations.

Table 4. Foreman server outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
22, 16514	TCP	SSH SSH/TLS	Compute Resource	Foreman originated communications, for compute resources in libvirt
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	Smart Proxy DNS	Validation of DNS conflicts (optional)
53	TCP and UDP	DNS	DNS Server	Orchestration	Validation of DNS conflicts
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
80	TCP	HTTP	Remote repository	Content Sync	Remote repositories
389, 636	TCP	LDAP, LDAPS	External LDAP Server	LDAP	LDAP authentication, necessary only if external authentication is enabled. The port can be customized when `LDAPAuthSource` is defined
443	TCP	HTTPS	Foreman	Smart Proxy	Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Amazon EC2, Azure, Google GCE	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
5000	TCP	HTTPS	OpenStack Compute Resource	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
5900 – 5930	TCP	SSL/TLS	Hypervisor	noVNC console	Launch noVNC console
5985	TCP	HTTP	Client	WinRM	Configure Client running Windows
5986	TCP	HTTPS	Client	WinRM	Configure Client running Windows
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	Smart Proxy sends reboot command to the discovered host (optional)
8443	TCP	HTTPS	Smart Proxy	Smart Proxy API	Management of Smart Proxies

1.6. AWS Requirements

Installing and running Foreman server and Smart Proxy servers on Amazon Web Services (AWS) has additional requirements to your environment.

Amazon Web Service requirements

If you want Foreman server and Smart Proxy server to communicate using external DNS hostnames, open the required ports for communication in the AWS Security Group that is associated with the instance.

AWS permission requirements

Create and access Debian/Ubuntu images in AWS
Edit network access in AWS Security
Create EC2 instances and EBS volumes
Launch EC2 instances
Import and export of virtual machines in AWS
Usage of AWS Direct Connect

Foreman requirements

Ensure that your Amazon EC2 instance meets or exceeds requirements for Foreman:

For Foreman server, see Preparing your environment for installation in Installing Foreman Server nightly on Debian/Ubuntu.
For Smart Proxy servers, see Preparing your environment for installation in Installing a Smart Proxy Server nightly on Debian/Ubuntu.

Additional resources

For more information about Amazon Web Services and terminology, see Amazon Elastic Compute Cloud Documentation.
For more information about Amazon Web Services Direct Connect, see What is AWS Direct Connect?.

1.7. Enabling connections from a client to Foreman server

Smart Proxies and Content Hosts that are clients of a Foreman server’s internal Smart Proxy require access through Foreman’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the system that Foreman is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Port and firewall requirements in Installing Foreman Server nightly on Debian/Ubuntu.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

Allow access to services on Foreman server:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
--add-service=foreman-proxy \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

Enter the following command:
```
# firewall-cmd --list-all
```

1.8. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Foreman.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

Warning

Name resolution is critical to the operation of Foreman. If Foreman cannot properly resolve its fully qualified domain name, many options fail, such as provisioning.

1.9. Requirements for installation in an IPv4 network

The following requirements apply to installations in an IPv4 network:

An IPv6 loopback must be configured on the base system. The loopback is typically configured by default. Do not disable it.
Do not disable IPv6 in kernel by adding the ipv6.disable=1 kernel parameter.

2. Preparing your environment for Foreman installation in an IPv6 network

You can install and use Foreman in an IPv6 network. Before installing Foreman in an IPv6 network, view the limitations and ensure that you meet the requirements.

To provision hosts in an IPv6 network, after installing Foreman, you must also configure Foreman for the UEFI HTTP boot provisioning. For more information, see Configuring Foreman for UEFI HTTP boot provisioning in an IPv6 network.

2.1. Limitations of Foreman installation in an IPv6 network

Foreman installation in an IPv6 network has the following limitations:

You can install Foreman and Smart Proxies in IPv6-only systems, dual-stack installation is not supported.
Although Foreman provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use Foreman to provision hosts.
Foreman does not support configuring an HTTP proxy using a direct IPv6 address. Instead, configure the HTTP proxy with a FQDN that resolves to the IPv6 address. Using an IPv6 address as the HTTP proxy URL causes it to fail.

2.2. Requirements for Foreman installation in an IPv6 network

Before installing Foreman in an IPv6 network, ensure that you meet the following requirements:

You must deploy an external DHCPv6 server and configure it manually to communicate with the network boot process and to manage IP address assignment because Foreman cannot integrate with a DHCPv6 server and manage its configuration. For more information about DHCPv6 server configuration, see Options in unmanaged DHCPv6 in Provisioning hosts.
Optional: If you rely on content from IPv4 networks, you must deploy an external IPv4 HTTP proxy server. This is required to access Content Delivery Networks that distribute content only over IPv4 networks, therefore you must use this proxy to pull content into Foreman on your IPv6 network.
You must configure Foreman to use this dual stack (supporting both IPv4 and IPv6) HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to Foreman.

3. Installing Foreman server

Use the following procedures to install Foreman server and perform the initial configuration.

Note that the Foreman installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/foreman-installer/foreman.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1. Configuring repositories

Procedure

Debian 12 (Bookworm)
Ubuntu 22.04 (Jammy)

Install the wget and ca-certificates packages:
```
# apt install wget ca-certificates
```

Change directory to /tmp and retrieve the puppet-release package.

For Puppet 8:

# cd /tmp && wget https://apt.puppet.com/puppet8-release-bookworm.deb

For Puppet 7:

# cd /tmp && wget https://apt.puppet.com/puppet7-release-bookworm.deb

Install the puppet-release package.

For Puppet 8:

# apt install /tmp/puppet8-release-bookworm.deb

For Puppet 7:

# apt install /tmp/puppet7-release-bookworm.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ bookworm nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

Install the wget and ca-certificates packages:
```
# apt install wget ca-certificates
```

Change directory to /tmp and retrieve the puppet-release package.

For Puppet 8:

# cd /tmp && wget https://apt.puppet.com/puppet8-release-jammy.deb

For Puppet 7:

# cd /tmp && wget https://apt.puppet.com/puppet7-release-jammy.deb

Install the puppet-release package.

For Puppet 8:

# apt install /tmp/puppet8-release-jammy.deb

For Puppet 7:

# apt install /tmp/puppet7-release-jammy.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ jammy nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

3.2. Installing Foreman server packages

Procedure

Update package lists:
```
# apt update
```
Update all packages:
```
# apt upgrade
```
Install foreman-installer:
```
# apt install foreman-installer
```

3.3. Configuring Foreman server

Install Foreman server by using the foreman-installer installation script.

This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Foreman answer file. You can run the script as often as needed to configure any necessary options.

3.3.1. Configuring Foreman installation

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/foreman.log to determine if the process completed successfully.

Considerations

Use the foreman-installer --help command to display the most commonly used options and any default values.
Use the foreman-installer --full-help command to display advanced options.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. If you do not specify a value, an organization called Default Organization is created. You can change the organization name later.
By default, all configuration files configured by the installer are managed. When foreman-installer runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Foreman.
By default, Foreman server is installed with the Puppet agent running as a service. If required, you can disable Puppet agent on Foreman server using the --puppet-runmode=none option.

Procedure

Enter the following command with any additional options that you want to use:

# foreman-installer \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

The script displays its progress and writes logs to /var/log/foreman-installer/foreman.log.

4. Performing additional configuration on Foreman server

4.1. Configuring Foreman for UEFI HTTP boot provisioning in an IPv6 network

Use this procedure to configure Foreman to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

Ensure that your clients can access DHCP and HTTP servers.
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Foreman and Smart Proxies.
Ensure that the host provisioning interface subnet has an HTTP Boot Smart Proxy, and Templates Smart Proxy set. For more information, see Adding a Subnet to Foreman server in Provisioning hosts.
In the Foreman web UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Foreman cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

You must disable DHCP management in the installer or not use it.
For all IPv6 subnets created in Foreman, set the DHCP Smart Proxy to blank.
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.

4.2. Configuring Foreman server with an HTTP proxy

Use the following procedures to configure Foreman with an HTTP proxy.

4.2.1. Adding a default HTTP proxy to Foreman

If your network uses an HTTP Proxy, you can configure Foreman server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for Foreman. To use the CLI instead of the Foreman web UI, see the CLI procedure.

Procedure

In the Foreman web UI, navigate to Infrastructure > HTTP Proxies.
Click New HTTP Proxy.
In the Name field, enter the name for the HTTP proxy.
In the Url field, enter the URL of the HTTP proxy in the following format: https://http-proxy.example.com:8080.
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
To test connection to the proxy, click Test Connection.
Click Submit.

CLI procedure

Verify that the http_proxy, https_proxy, and no_proxy variables are not set:
```
# unset http_proxy https_proxy no_proxy
```

Add an HTTP proxy entry to Foreman:

$ hammer http-proxy create \
--name=My_HTTP_Proxy \
--username=My_HTTP_Proxy_User_Name \
--password=My_HTTP_Proxy_Password \
--url http://http-proxy.example.com:8080

4.2.2. Using an HTTP proxy for all Foreman HTTP requests

If your Foreman server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Foreman communication takes precedence over the proxies that you set for compute resources.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

$ hammer settings set --name=http_proxy --value=Proxy_URL

4.2.3. Excluding hosts from receiving proxied requests

If you use an HTTP Proxy for all Foreman HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

$ hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

4.2.4. Configuring a proxy for PXE file downloads

For Red Hat content served through the Content Delivery Network, Smart Proxy downloads PXE files from synchronized repositories. However, when configuring and installing an operating system using Installation Media, Smart Proxy connects directly using the wget utility.

Procedure

On your TFTP Smart Proxy, verify the ports that are permitted by SELinux for the HTTP cache by entering the following command:
```
# systemctl edit foreman-proxy
```

Configure the HTTP proxy in /etc/systemd/system/foreman-proxy.service.d/overrides.conf:

[Service]
Environment="http_proxy=http://http-proxy.example.com:8080"
Environment="https_proxy=https://http-proxy.example.com:8443"

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP Smart Proxy.

4.2.5. Resetting the HTTP proxy

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to no global default.

CLI procedure

Set the content_default_http_proxy setting to an empty string:

$ hammer settings set --name=content_default_http_proxy --value=""

4.3. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Foreman server.

Prerequisites

All hosts must have a network interface of BMC type. Foreman server uses this NIC to pass the appropriate credentials to the host. For more information, see Configuring a Baseboard Management Controller (BMC) Interface in Managing hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

4.4. Configuring Foreman server for outgoing emails

To send email messages from Foreman server, you can use either an SMTP server, or the sendmail command.

Prerequisites

Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Foreman server for relay or use the sendmail command instead.

Procedure

In the Foreman web UI, navigate to Administer > Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 5. Using an SMTP server as a delivery method
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password	Use the login credentials for the SMTP server.
SMTP port	25
SMTP username	user@example.com	Use the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 6. Using gmail.com as an SMTP server
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	app password	Use the Google app password. For more information, see Sign in with app passwords in Google Help Center.
SMTP port	587
SMTP username	user@gmail.com	Use the Google account name.

The following example uses the sendmail command as a delivery method:

Table 7. Using sendmail as a delivery method
Name	Example value	Additional information
Delivery method	Sendmail
Sendmail location	/usr/sbin/sendmail	For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in `/etc/foreman/settings.yaml`. Both settings currently cannot be set via `foreman-installer`. This is being tracked in issue #33543. For more information see the sendmail 1 man page.
Sendmail arguments	-i

If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Foreman server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the Foreman web UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Foreman web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Additional resources

For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering Foreman.

4.5. Configuring Foreman to manage the lifecycle of a host registered to a FreeIPA realm

As well as providing access to Foreman server, hosts provisioned with Foreman can also be integrated with FreeIPA realms. Foreman has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure Foreman server or Smart Proxy server for FreeIPA realm support, then add hosts to the FreeIPA realm group.

Prerequisites

Foreman server that is registered to the Content Delivery Network or an external Smart Proxy server that is registered to Foreman server.
A deployed realm or domain provider such as FreeIPA.

To install and configure FreeIPA packages on Foreman server or Smart Proxy server:

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on Foreman server or Smart Proxy server:

Install the ipa-client package on Foreman server or Smart Proxy server:
```
# apt install ipa-client
```
Configure the server as a FreeIPA client:
```
# ipa-client-install
```
Create a realm proxy user, realm-smart-proxy, and the relevant roles in FreeIPA:
```
# foreman-prepare-realm admin realm-smart-proxy
```
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.

To configure Foreman server or Smart Proxy server for FreeIPA realm support:

Complete the following procedure on Foreman and every Smart Proxy that you want to use:

Copy the /root/freeipa.keytab file to any Smart Proxy server that you want to include in the same principal and realm:
```
# scp /root/freeipa.keytab root@smartproxy.example.com:/etc/foreman-proxy/freeipa.keytab
```
On your Foreman server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:
```
# mv /root/freeipa.keytab /etc/foreman-proxy
```
On your Foreman server and Smart Proxy servers, set ownership to the foreman-proxy user and group:
```
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all Smart Proxies that you want to include in the realm. If you use the integrated Smart Proxy on Foreman, enter this command on Foreman server:
```
# foreman-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-smart-proxy@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the Foreman server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
```
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
```
Optional: If you configure FreeIPA on an existing Foreman server or Smart Proxy server, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
2. In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
3. Locate the Smart Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.

To create a realm for the FreeIPA-enabled Smart Proxy

After you configure your integrated or external Smart Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured Smart Proxy to the realm.

Procedure

In the Foreman web UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm Smart Proxy list, select Smart Proxy server where you have configured FreeIPA.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

In the Foreman web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a FreeIPA host group

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. Foreman’s realm feature provides administrators with the ability to map the Foreman host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the Foreman User Interface. For example, "Parent/Child/Child".

Foreman server or Smart Proxy server sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

To add hosts to a FreeIPA host group:

On the FreeIPA server, create a host group:

# ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to Foreman server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

Appendix A: Restoring manual changes overwritten by a Puppet run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state.

For example, when you install and configure Foreman for the first time by using foreman-installer, you can use the --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false options to specify that the DNS and DHCP configuration files are not to be managed by Puppet. If you do not use these options during the initial foreman-installer run, rerunning foreman-installer overwrites all manual changes. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.