1. Preparing your environment for installation
Before you install Foreman, ensure that your environment meets the following requirements.
1.1. System requirements
The following requirements apply to the networked base operating system:
-
x86_64 architecture
-
4-core 2.0 GHz CPU at a minimum
-
A minimum of 20 GB RAM is required for Foreman server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Foreman running with less RAM than the minimum value might not operate correctly.
-
A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
-
Administrative user (root) access
-
Full forward and reverse DNS resolution using a fully-qualified domain name
Foreman only supports UTF-8
encoding.
If your territory is USA and your language is English, set en_US.utf-8
as the system-wide locale settings.
For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.
Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.
Before you install Foreman server, ensure that your environment meets the requirements for installation.
Foreman server must be installed on a freshly provisioned system that serves no other function except to run Foreman server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Foreman server creates:
-
apache
-
foreman
-
foreman-proxy
-
postgres
-
pulp
-
puppet
-
redis
-
tomcat
SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.
The system clock on the base operating system where you are installing your Foreman server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.
You can install Foreman on a Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Foreman. Red Hat Enterprise Linux clones are not being actively tested in FIPS mode. If you require FIPS, consider using Red Hat Enterprise Linux. For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening or Switching RHEL to FIPS mode in Red Hat Enterprise Linux 8 Security hardening.
Note
|
Foreman supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Foreman and Smart Proxy installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening. |
1.2. Storage requirements
The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.
The runtime size was measured with Red Hat Enterprise Linux 7, 8, and 9 repositories synchronized.
Directory | Installation Size | Runtime Size |
---|---|---|
/var/log |
10 MB |
10 GB |
/var/lib/pgsql |
100 MB |
20 GB |
/usr |
10 GB |
Not Applicable |
/opt/puppetlabs |
500 MB |
Not Applicable |
/var/lib/pulp |
1 MB |
300 GB |
For external database servers: /var/lib/pgsql
with installation size of 100 MB and runtime size of 20 GB.
For detailed information on partitioning and size, see Partitioning reference in Performing a standard RHEL 9 installation.
1.3. Storage guidelines
Consider the following guidelines when installing Foreman server to increase efficiency.
-
If you mount the
/tmp
directory as a separate file system, you must use theexec
mount option in the/etc/fstab
file. If/tmp
is already mounted with thenoexec
option, you must change the option toexec
and re-mount the file system. This is a requirement for thepuppetserver
service to work. -
Because most Foreman server data is stored in the
/var
directory, mounting/var
on LVM storage can help the system to scale. -
Use high-bandwidth, low-latency storage for the
/var/lib/pulp/
and PostgreSQL/var/lib/pgsql
directories. As Foreman has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation.
-
Do not use the GFS2 file system as the input-output latency is too high.
Log files are written to /var/log/messages/,
/var/log/httpd/
, and /var/lib/foreman-proxy/openscap/content/
.
You can manage the size of these files using logrotate.
The exact amount of storage you require for log messages depends on your installation and setup.
When the /var/lib/pulp
directory is mounted using an NFS share, SELinux blocks the synchronization process.
To avoid this, specify the SELinux context of the /var/lib/pulp
directory in the file system table by adding the following lines to /etc/fstab
:
nfs.example.com:/nfsshare /var/lib/pulp nfs context="system_u:object_r:var_lib_t:s0" 1 2
If NFS share is already mounted, remount it using the above configuration and enter the following command:
# restorecon -R /var/lib/pulp
Packages that are duplicated in different repositories are only stored once on the disk.
Additional repositories containing duplicate packages require less additional storage.
The bulk of storage resides in the /var/lib/pulp/
directory.
These end points are not manually configurable.
Ensure that storage is available on the /var
file system to prevent storage problems.
You cannot use symbolic links for /var/lib/pulp/
.
If you plan to synchronize RHEL content ISOs to Foreman, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Foreman to manage this.
1.4. Supported operating systems
The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:
Operating System |
Architecture |
Notes |
x86_64 only |
EPEL is not supported. |
|
x86_64 only |
EPEL is not supported. |
Foreman community advises against using an existing system because the Foreman installer will affect the configuration of several components.
1.5. Supported browsers
Using the most recent version of a major browser is highly recommended, as Foreman and the frameworks it uses offer limited support for older versions.
The recommended requirements are as follows for major browsers:
-
Google Chrome – latest version
-
Microsoft Edge – latest version
-
Apple Safari – latest version
-
Mozilla Firefox – latest version
-
Mozilla Firefox Extended Support Release (ESR) – latest version
Other browsers may work unpredictably.
The Foreman web UI and command-line interface is translated into various languages.
1.6. Port and firewall requirements
For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.
Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.
Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server.
Required ports can change based on your configuration.
The following tables indicate the destination port and the direction of network traffic:
Destination Port |
Protocol |
Service |
Source |
Required For |
Description |
53 |
TCP and UDP |
DNS |
DNS Servers and clients |
Name resolution |
DNS (optional) |
67 |
UDP |
DHCP |
Client |
Dynamic IP |
DHCP (optional) |
69 |
UDP |
TFTP |
Client |
TFTP Server (optional) |
|
443 |
TCP |
HTTPS |
Smart Proxy |
Foreman API |
Communication from Smart Proxy |
443, 80 |
TCP |
HTTPS, HTTP |
Client |
Global Registration |
Registering hosts to Foreman Port 443 is required for registration initiation, uploading facts, and sending installed packages and traces Port 80 notifies Foreman on the |
443 |
TCP |
HTTPS |
Foreman |
Content Mirroring |
Management |
443 |
TCP |
HTTPS |
Foreman |
Smart Proxy API |
Smart Proxy functionality |
443, 80 |
TCP |
HTTPS, HTTP |
Smart Proxy |
Content Retrieval |
Content |
443, 80 |
TCP |
HTTPS, HTTP |
Client |
Content Retrieval |
Content |
1883 |
TCP |
MQTT |
Client |
Pull based REX (optional) |
Content hosts for REX job notification (optional) |
5910 – 5930 |
TCP |
HTTPS |
Browsers |
Compute Resource’s virtual console |
|
8000 |
TCP |
HTTP |
Client |
Provisioning templates |
Template retrieval for client installers, iPXE or UEFI HTTP Boot |
8000 |
TCP |
HTTPS |
Client |
PXE Boot |
Installation |
8140 |
TCP |
HTTPS |
Client |
Puppet agent |
Client updates (optional) |
9090 |
TCP |
HTTPS |
Foreman |
Smart Proxy API |
Smart Proxy functionality |
9090 |
TCP |
HTTPS |
Client |
OpenSCAP |
Configure Client (if the OpenSCAP plugin is installed) |
9090 |
TCP |
HTTPS |
Discovered Node |
Discovery |
Host discovery and provisioning (if the discovery plugin is installed) |
Any host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.
A DHCP Smart Proxy performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false
.
Note
|
Some outgoing traffic returns to Foreman to enable internal communication and security operations. |
Destination Port | Protocol | Service | Destination | Required For | Description |
---|---|---|---|---|---|
ICMP |
ping |
Client |
DHCP |
Free IP checking (optional) |
|
7 |
TCP |
echo |
Client |
DHCP |
Free IP checking (optional) |
22 |
TCP |
SSH |
Target host |
Remote execution |
Run jobs |
22, 16514 |
TCP |
SSH SSH/TLS |
Compute Resource |
Foreman originated communications, for compute resources in libvirt |
|
53 |
TCP and UDP |
DNS |
DNS Servers on the Internet |
DNS Server |
Resolve DNS records (optional) |
53 |
TCP and UDP |
DNS |
DNS Server |
Smart Proxy DNS |
Validation of DNS conflicts (optional) |
53 |
TCP and UDP |
DNS |
DNS Server |
Orchestration |
Validation of DNS conflicts |
68 |
UDP |
DHCP |
Client |
Dynamic IP |
DHCP (optional) |
80 |
TCP |
HTTP |
Remote repository |
Content Sync |
Remote repositories |
389, 636 |
TCP |
LDAP, LDAPS |
External LDAP Server |
LDAP |
LDAP authentication, necessary only if external authentication is enabled.
The port can be customized when |
443 |
TCP |
HTTPS |
Foreman |
Smart Proxy |
Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload |
443 |
TCP |
HTTPS |
Amazon EC2, Azure, Google GCE |
Compute resources |
Virtual machine interactions (query/create/destroy) (optional) |
443 |
TCP |
HTTPS |
Smart Proxy |
Content mirroring |
Initiation |
443 |
TCP |
HTTPS |
Infoblox DHCP Server |
DHCP management |
When using Infoblox for DHCP, management of the DHCP leases (optional) |
623 |
Client |
Power management |
BMC On/Off/Cycle/Status |
||
5000 |
TCP |
HTTPS |
OpenStack Compute Resource |
Compute resources |
Virtual machine interactions (query/create/destroy) (optional) |
5900 – 5930 |
TCP |
SSL/TLS |
Hypervisor |
noVNC console |
Launch noVNC console |
5985 |
TCP |
HTTP |
Client |
WinRM |
Configure Client running Windows |
5986 |
TCP |
HTTPS |
Client |
WinRM |
Configure Client running Windows |
7911 |
TCP |
DHCP, OMAPI |
DHCP Server |
DHCP |
The DHCP target is configured using ISC and |
8443 |
TCP |
HTTPS |
Client |
Discovery |
Smart Proxy sends reboot command to the discovered host (optional) |
9090 |
TCP |
HTTPS |
Smart Proxy |
Smart Proxy API |
Management of Smart Proxies |
1.7. Enabling connections from a client to Foreman server
Smart Proxies and Content Hosts that are clients of a Foreman server’s internal Smart Proxy require access through Foreman’s host-based firewall and any network-based firewalls.
Use this procedure to configure the host-based firewall on the system that Foreman is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Port and firewall requirements in Installing Foreman Server with Katello nightly plugin on Enterprise Linux.
If you do not use firewall-cmd
to configure the Linux firewall, implement using the command of your choice.
-
Open the ports for clients on Foreman server:
# firewall-cmd \ --add-port="8000/tcp" \ --add-port="9090/tcp"
-
Allow access to services on Foreman server:
# firewall-cmd \ --add-service=dns \ --add-service=dhcp \ --add-service=tftp \ --add-service=http \ --add-service=https \ --add-service=puppetmaster
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
Enter the following command:
# firewall-cmd --list-all
For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 Configuring firewalls and packet filters or Using and configuring firewalld in Red Hat Enterprise Linux 8 Configuring and managing networking.
1.8. Verifying DNS resolution
Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Foreman.
-
Ensure that the host name and local host resolve correctly:
# ping -c1 localhost # ping -c1 `hostname -f` # my_system.domain.com
Successful name resolution results in output similar to the following:
# ping -c1 localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms --- localhost ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms # ping -c1 `hostname -f` PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data. 64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms --- localhost.gateway ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
-
To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
# hostnamectl set-hostname name
Warning
|
Name resolution is critical to the operation of Foreman. If Foreman cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail. |
1.9. Tuning Foreman server with predefined profiles
If your Foreman deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Foreman.
Note that you cannot use tuning profiles on Smart Proxies.
You can choose one of the profiles depending on the number of hosts your Foreman manages and available hardware resources.
The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes
directory.
When you run the foreman-installer
command with the --tuning
option, deployment configuration settings are applied to Foreman in the following order:
-
The default tuning profile defined in the
/usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml
file -
The tuning profile that you want to apply to your deployment and is defined in the
/usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/
directory -
Optional: If you have configured a
/etc/foreman-installer/custom-hiera.yaml
file, Foreman applies these configuration settings.
Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml
file override the configuration settings that are defined in the tuning profiles.
Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml
, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml
file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml
file.
- default
-
Number of hosts: 0 – 5000
RAM: 20G
Number of CPU cores: 4
- medium
-
Number of hosts: 5001 – 10000
RAM: 32G
Number of CPU cores: 8
- large
-
Number of hosts: 10001 – 20000
RAM: 64G
Number of CPU cores: 16
- extra-large
-
Number of hosts: 20001 – 60000
RAM: 128G
Number of CPU cores: 32
- extra-extra-large
-
Number of hosts: 60000+
RAM: 256G
Number of CPU cores: 48+
-
Optional: If you have configured the
custom-hiera.yaml
file on Foreman server, back up the/etc/foreman-installer/custom-hiera.yaml
file tocustom-hiera.original
. You can use the backup file to restore the/etc/foreman-installer/custom-hiera.yaml
file to its original state if it becomes corrupted:# cp /etc/foreman-installer/custom-hiera.yaml \ /etc/foreman-installer/custom-hiera.original
-
Optional: If you have configured the
custom-hiera.yaml
file on Foreman server, review the definitions of the default tuning profile in/usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml
and the tuning profile that you want to apply in/usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/
. Compare the configuration entries against the entries in your/etc/foreman-installer/custom-hiera.yaml
file and remove any duplicated configuration settings in your/etc/foreman-installer/custom-hiera.yaml
file. -
Enter the
foreman-installer
command with the--tuning
option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:# foreman-installer --tuning medium
2. Preparing your environment for Foreman installation in an IPv6 network
You can install and use Foreman in an IPv6 network. Before installing Foreman in an IPv6 network, view the limitations and ensure that you meet the requirements.
To provision hosts in an IPv6 network, after installing Foreman, you must also configure Foreman for the UEFI HTTP boot provisioning. For more information, see Configuring Foreman for UEFI HTTP boot provisioning in an IPv6 network.
2.1. Limitations of Foreman installation in an IPv6 network
Foreman installation in an IPv6 network has the following limitations:
-
You can install Foreman and Smart Proxies in IPv6-only systems, dual-stack installation is not supported.
-
Although Foreman provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use Foreman to provision hosts.
2.2. Requirements for Foreman installation in an IPv6 network
Before installing Foreman in an IPv6 network, ensure that you meet the following requirements:
-
You must deploy an external DHCP IPv6 server as a separate, unmanaged service to bootstrap clients into GRUB2. GRUB2 configures IPv6 networking by using DHCPv6 or by assigning a static IPv6 address. This is required because the DHCP server in Red Hat Enterprise Linux (ISC DHCP) does not provide an integration API for managing IPv6 records, therefore the Smart Proxy DHCP plugin that provides DHCP management is limited to IPv4 subnets.
-
Optional: If you rely on content from IPv4 networks, you must deploy an external IPv4 HTTP proxy server. This is required to access Content Delivery Networks that distribute content only over IPv4 networks, therefore you must use this proxy to pull content into Foreman on your IPv6 network.
-
You must configure Foreman to use this dual stack (supporting both IPv4 and IPv6) HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to Foreman.
3. Installing Foreman server
Use the following procedures to install Foreman server and perform the initial configuration.
Note that the Foreman installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes.
To avoid this and determine which future changes apply, use the --noop
argument when you run the installation script.
This argument ensures that no actual changes are made.
Potential changes are written to /var/log/foreman-installer/katello.log
.
Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
You can restore the previous file as follows:
# puppet filebucket -l \ restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1
3.1. Configuring the HTTP proxy to connect to Red Hat CDN
Your network gateway and the HTTP proxy must allow access to the following hosts:
Host name | Port | Protocol |
---|---|---|
subscription.rhsm.redhat.com |
443 |
HTTPS |
cdn.redhat.com |
443 |
HTTPS |
*.akamaiedge.net |
443 |
HTTPS |
Foreman server uses SSL to communicate with the Red Hat CDN securely. An SSL interception proxy interferes with this communication. These hosts must be allowlisted on your HTTP proxy.
For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.
To configure the Subscription Manager with the HTTP proxy, follow the procedure below.
-
On Foreman server, complete the following details in the
/etc/rhsm/rhsm.conf
file:# an http proxy server to use (enter server FQDN) proxy_hostname = http-proxy.example.com # port for http proxy server proxy_port = 8080 # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password =
3.2. Configuring repositories
-
Enterprise Linux 9
-
Enterprise Linux 8
-
Clear any metadata:
# dnf clean all
-
Install the
foreman-release.rpm
package:# dnf install https://yum.theforeman.org/releases/nightly/el9/x86_64/foreman-release.rpm
-
Install the
katello-repos-latest.rpm
package:# dnf install https://yum.theforeman.org/katello/nightly/katello/el9/x86_64/katello-repos-latest.rpm
-
Install the
puppet-release
package.-
For Puppet 8:
# dnf install https://yum.puppet.com/puppet8-release-el-9.noarch.rpm
-
For Puppet 7:
# dnf install https://yum.puppet.com/puppet7-release-el-9.noarch.rpm
-
-
Clear any metadata:
# dnf clean all
-
Install the
foreman-release.rpm
package:# dnf install https://yum.theforeman.org/releases/nightly/el8/x86_64/foreman-release.rpm
-
Install the
katello-repos-latest.rpm
package:# dnf install https://yum.theforeman.org/katello/nightly/katello/el8/x86_64/katello-repos-latest.rpm
-
Install the
puppet-release
package.-
For Puppet 8:
# dnf install https://yum.puppet.com/puppet8-release-el-8.noarch.rpm
-
For Puppet 7:
# dnf install https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
-
-
Enable the DNF modules:
# dnf module enable katello:el8
NoteIf there is any warning about conflicts with Ruby or PostgreSQL while enabling
katello:el8
module, see Troubleshooting DNF modules. For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux Application Streams Lifecycle.
-
Verify that the required repositories are enabled:
# dnf repolist enabled
3.3. Optional: Using fapolicyd on Foreman server
By enabling fapolicyd
on your Foreman server, you can provide an additional layer of security by monitoring and controlling access to files and directories.
The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.
You can turn on or off the fapolicyd on your Foreman server or Smart Proxy server at any point.
3.3.1. Installing fapolicyd on Foreman server
You can install fapolicyd
along with Foreman server or can be installed on an existing Foreman server.
If you are installing fapolicyd
along with the new Foreman server, the installation process will detect the fapolicyd in your Enterprise Linux host and deploy the Foreman server rules automatically.
-
Ensure your host has access to the BaseOS repositories of Enterprise Linux.
-
For a new installation, install fapolicyd:
# dnf install fapolicyd
-
For an existing installation, install fapolicyd using dnf install:
# dnf install fapolicyd
-
Start the
fapolicyd
service:# systemctl enable --now fapolicyd
-
Verify that the
fapolicyd
service is running correctly:# systemctl status fapolicyd
In case of new Foreman server or Smart Proxy server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Enterprise Linux host.
For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening or Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 Security hardening.
3.4. Installing Foreman server packages
-
Update all packages:
# dnf upgrade
-
Install
foreman-installer-katello
:# dnf install foreman-installer-katello
3.5. Configuring Foreman server
Install Foreman server by using the foreman-installer
installation script.
This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Foreman answer file. You can run the script as often as needed to configure any necessary options.
3.5.1. Configuring Foreman installation
This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.
The installation process can take tens of minutes to complete.
If you are connecting remotely to the system, use a utility such as tmux
that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system.
If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/katello.log
to determine if the process completed successfully.
-
Use the
foreman-installer --scenario katello --help
command to display the most commonly used options and any default values. -
Use the
foreman-installer --scenario katello --full-help
command to display advanced options. -
Specify a meaningful value for the option:
--foreman-initial-organization
. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label. -
By default, all configuration files configured by the installer are managed. When
foreman-installer
runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Foreman.
-
Enter the following command with any additional options that you want to use:
# foreman-installer --scenario katello \ --foreman-initial-organization "My_Organization" \ --foreman-initial-location "My_Location" \ --foreman-initial-admin-username admin_user_name \ --foreman-initial-admin-password admin_password
The script displays its progress and writes logs to
/var/log/foreman-installer/katello.log
.
4. Performing additional configuration on Foreman server
4.1. Configuring Foreman Server to consume content from a custom CDN
If you have an internal Content Delivery Network (CDN) or serve content on an accessible web server, you can configure your Foreman server to consume Red Hat repositories from this CDN server instead of the Red Hat CDN. A CDN server can be any web server that mirrors repositories in the same directory structure as the Red Hat CDN.
You can configure the source of content for each organization. Foreman recognizes automatically which Red Hat repositories from the subscription manifest in your organization are available on your CDN server.
-
You have a CDN server that provides Red Hat content and is accessible by Foreman server.
-
If your CDN server uses HTTPS, ensure you have uploaded the SSL certificate into Foreman. For more information, see Importing Custom SSL Certificates in Managing content.
-
You have uploaded a manifest to your organization.
-
In the Foreman web UI, navigate to Content > Subscriptions.
-
Click Manage Manifest.
-
Select the CDN Configuration tab.
-
Select the Custom CDN tab.
-
In the URL field, enter the URL of your CDN server from which you want Foreman server to consume Red Hat repositories.
-
Optional: In the SSL CA Content Credential, select the SSL certificate of the CDN server.
-
Click Update.
-
You can now enable Red Hat repositories consumed from your internal CDN server.
-
Connect to your Foreman server using SSH.
-
Set CDN configuration to your custom CDN server:
# hammer organization configure-cdn --name="My_Organization" \ --type=custom_cdn \ --url https://my-cdn.example.com \ --ssl-ca-credential-id "My_CDN_CA_Cert_ID"
-
Content Delivery Network Structure in Planning for Foreman
4.2. Configuring Foreman for UEFI HTTP boot provisioning in an IPv6 network
Use this procedure to configure Foreman to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.
-
Ensure that your clients can access DHCP and HTTP servers.
-
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
-
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Foreman and Smart Proxies.
-
Ensure that the host provisioning interface subnet has an HTTP Boot Smart Proxy, and Templates Smart Proxy set. For more information, see Adding a Subnet to Foreman server in Provisioning hosts.
-
In the Foreman web UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Foreman cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.
-
You must disable DHCP management in the installer or not use it.
-
For all IPv6 subnets created in Foreman, set the DHCP Smart Proxy to blank.
-
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.
-
On Foreman or Smart Proxy from which you provision, update the
grub2-efi
package to the latest version:# dnf upgrade grub2-efi
4.3. Configuring Foreman server with an HTTP proxy
Use the following procedures to configure Foreman with an HTTP proxy.
4.3.1. Adding a default HTTP proxy to Foreman
If your network uses an HTTP Proxy, you can configure Foreman server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.
The following procedure configures a proxy only for downloading content for Foreman. To use the CLI instead of the Foreman web UI, see the CLI procedure.
-
In the Foreman web UI, navigate to Infrastructure > HTTP Proxies.
-
Click New HTTP Proxy.
-
In the Name field, enter the name for the HTTP proxy.
-
In the Url field, enter the URL of the HTTP proxy in the following format:
https://http-proxy.example.com:8080
. -
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
-
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
-
To test connection to the proxy, click Test Connection.
-
Click Submit.
-
In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.
-
Set the Default HTTP Proxy setting to the created HTTP proxy.
-
Verify that the
http_proxy
,https_proxy
, andno_proxy
variables are not set:# unset http_proxy https_proxy no_proxy
-
Add an HTTP proxy entry to Foreman:
# hammer http-proxy create \ --name=My_HTTP_Proxy \ --username=My_HTTP_Proxy_User_Name \ --password=My_HTTP_Proxy_Password \ --url http://http-proxy.example.com:8080
-
Configure Foreman to use this HTTP proxy by default:
# hammer settings set \ --name=content_default_http_proxy \ --value=My_HTTP_Proxy
4.3.2. Configuring SELinux to ensure access to Foreman on custom ports
SELinux ensures access of Foreman only to specific ports.
In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 – 10010.
If you use a port that does not have SELinux type http_cache_port_t
, complete the following steps.
-
On Foreman, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:
# semanage port -l | grep http_cache http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 [output truncated]
-
To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:
# semanage port -a -t http_cache_port_t -p tcp 8088
4.3.3. Using an HTTP proxy for all Foreman HTTP requests
If your Foreman server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.
Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Foreman communication takes precedence over the proxies that you set for compute resources.
-
In the Foreman web UI, navigate to Administer > Settings.
-
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
-
Click the tick icon to save your changes.
-
Enter the following command:
# hammer settings set --name=http_proxy --value=Proxy_URL
4.3.4. Excluding hosts from receiving proxied requests
If you use an HTTP Proxy for all Foreman HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.
-
In the Foreman web UI, navigate to Administer > Settings.
-
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
-
Click the tick icon to save your changes.
-
Enter the following command:
# hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]
4.3.5. Configuring a proxy for PXE file downloads
For Red Hat content served through the Content Delivery Network, Smart Proxy downloads PXE files from synchronized repositories.
However, when configuring and installing an operating system using Installation Media, Smart Proxy connects directly using the wget
utility.
-
On your TFTP Smart Proxy, verify the ports that are permitted by SELinux for the HTTP cache by entering the following command:
# systemctl edit foreman-proxy
-
Configure the HTTP proxy in
/etc/systemd/system/foreman-proxy.service.d/overrides.conf
:[Service] Environment="http_proxy=http://http-proxy.example.com:8080" Environment="https_proxy=https://http-proxy.example.com:8443"
-
Restart the
foreman-proxy
service:# systemctl restart foreman-proxy
-
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP Smart Proxy.
4.3.6. Resetting the HTTP proxy
If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.
-
In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.
-
Set the Default HTTP Proxy setting to no global default.
-
Set the
content_default_http_proxy
setting to an empty string:# hammer settings set --name=content_default_http_proxy --value=""
4.4. Enabling power management on hosts
To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Foreman server.
-
All hosts must have a network interface of BMC type. Foreman server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing hosts.
-
To enable BMC, enter the following command:
# foreman-installer \ --foreman-proxy-bmc "true" \ --foreman-proxy-bmc-default-provider "freeipmi"
4.5. Configuring DNS, DHCP, and TFTP
You can manage DNS, DHCP, and TFTP centrally within the Foreman environment, or you can manage them independently after disabling their maintenance on Foreman. You can also run DNS, DHCP, and TFTP externally, outside of the Foreman environment.
4.5.1. Configuring DNS, DHCP, and TFTP on Foreman server
To configure the DNS, DHCP, and TFTP services on Foreman server, use the foreman-installer
command with the options appropriate for your environment.
Any changes to the settings require entering the foreman-installer
command again.
You can enter the command multiple times and each time it updates all configuration files with the changed values.
-
Ensure that the following information is available to you:
-
DHCP IP address ranges
-
DHCP gateway IP address
-
DHCP nameserver IP address
-
DNS information
-
TFTP server name
-
-
Use the FQDN instead of the IP address where possible in case of network changes.
-
Contact your network administrator to ensure that you have the correct settings.
-
Enter the
foreman-installer
command with the options appropriate for your environment. The following example shows configuring full provisioning services:# foreman-installer \ --foreman-proxy-dns true \ --foreman-proxy-dns-managed true \ --foreman-proxy-dns-zone example.com \ --foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-managed true \ --foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \ --foreman-proxy-dhcp-gateway 192.0.2.1 \ --foreman-proxy-dhcp-nameservers 192.0.2.2 \ --foreman-proxy-tftp true \ --foreman-proxy-tftp-managed true \ --foreman-proxy-tftp-servername 192.0.2.3
You can monitor the progress of the foreman-installer
command displayed in your prompt.
You can view the logs in /var/log/foreman-installer/katello.log
.
-
For more information about the
foreman-installer
command, enterforeman-installer --help
.
4.5.2. Disabling DNS, DHCP, and TFTP for unmanaged networks
If you want to manage TFTP, DHCP, and DNS services manually, you must prevent Foreman from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors. However, Foreman does not remove the back-end services on the operating system.
-
On Foreman server, enter the following command:
# foreman-installer --foreman-proxy-dhcp false \ --foreman-proxy-dns false \ --foreman-proxy-tftp false
-
In the Foreman web UI, navigate to Infrastructure > Subnets and select a subnet.
-
Click the Smart Proxies tab and clear the DHCP Smart Proxy, TFTP Smart Proxy, and Reverse DNS Smart Proxy fields.
-
In the Foreman web UI, navigate to Infrastructure > Domains and select a domain.
-
Clear the DNS Smart Proxy field.
-
Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
Option 66: IP address of Foreman or Smart Proxy Option 67: /pxelinux.0
For more information about DHCP options, see RFC 2132.
Note
|
Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet and domain. When enabling or disabling Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Smart Proxy to turn orchestration on, ensure the required DHCP and DNS records as well as the TFTP files are in place for the existing Foreman hosts in order to prevent host deletion failures in the future. |
4.5.3. Additional resources
-
For more information about configuring DNS, DHCP, and TFTP externally, see Configuring Foreman server with external services.
-
For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning hosts.
4.6. Configuring Foreman server for outgoing emails
To send email messages from Foreman server, you can use either an SMTP server, or the sendmail
command.
-
Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Foreman server for relay or use the
sendmail
command instead.
-
In the Foreman web UI, navigate to Administer > Settings.
-
Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.
-
The following example shows the configuration options for using an SMTP server:
Table 5. Using an SMTP server as a delivery method Name Example value Delivery method
SMTP
SMTP address
smtp.example.com
SMTP authentication
login
SMTP HELO/EHLO domain
example.com
SMTP password
password
SMTP port
25
SMTP username
user@example.com
The
SMTP username
andSMTP password
specify the login credentials for the SMTP server. -
The following example uses gmail.com as an SMTP server:
Table 6. Using gmail.com as an SMTP server Name Example value Delivery method
SMTP
SMTP address
smtp.gmail.com
SMTP authentication
plain
SMTP HELO/EHLO domain
smtp.gmail.com
SMTP enable StartTLS auto
Yes
SMTP password
password
SMTP port
587
SMTP username
user@gmail.com
-
The following example uses the
sendmail
command as a delivery method:Table 7. Using sendmail as a delivery method Name Example value Delivery method
Sendmail
Sendmail location
/usr/sbin/sendmail
Sendmail arguments
-i
For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in
/etc/foreman/settings.yaml
. Both settings currently cannot be set viaforeman-installer
. This is being tracked in issue #33543. For more information see the sendmail 1 man page.
-
-
If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
-
Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Foreman server:
# cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
Where
mailca.crt
is the CA certificate of the SMTP server. -
Alternatively, in the Foreman web UI, set the
SMTP enable StartTLS auto
option toNo
.
-
-
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Foreman web UI displays an error. See the log at
/var/log/foreman/production.log
for further details.
-
For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering Foreman.
4.7. Configuring an alternate CNAME for Foreman
You can configure an alternate CNAME for Foreman. This might be useful if you want to deploy the Foreman web interface on a different domain name than the one that is used by client systems to connect to Foreman. You must plan the alternate CNAME configuration in advance prior to installing Smart Proxies and registering hosts to Foreman to avoid redeploying new certificates to hosts.
4.7.1. Configuring Foreman with an alternate CNAME
Use this procedure to configure Foreman with an alternate CNAME. Note that the procedures for users of a default Foreman certificate and custom certificate differ.
-
If you have installed Foreman with a default Foreman certificate and want to configure Foreman with an alternate CNAME, enter the following command on Foreman to generate a new default Foreman SSL certificate with an additional CNAME.
# foreman-installer --certs-cname alternate_fqdn --certs-update-server
-
If you have not installed Foreman, you can add the
--certs-cname alternate_fqdn
option to theforeman-installer
command to install Foreman with an alternate CNAME.
If you use Foreman with a custom certificate, when creating a custom certificate, include the alternate CNAME records to the custom certificate. For more information, see Creating a Custom SSL Certificate for Foreman server.
4.7.2. Configuring hosts to use an alternate Foreman CNAME for content management
If Foreman is configured with an alternate CNAME, you can configure hosts to use the alternate Foreman CNAME for content management. To do this, you must point hosts to the alternate Foreman CNAME prior to registering the hosts to Foreman. You can do this using the bootstrap script or manually.
On the host, run the bootstrap script with the --server alternate_fqdn.example.com
option to register the host to the alternate Foreman CNAME:
# ./bootstrap.py --server alternate_fqdn.example.com
On the host, edit the /etc/rhsm/rhsm.conf
file to update hostname
and baseurl
settings to point to the alternate host name, for example:
[server]
# Server hostname:
hostname = alternate_fqdn.example.com
content omitted
[rhsm]
# Content base URL:
baseurl=https://alternate_fqdn.example.com/pulp/content/
Now you can register the host with the subscription-manager
.
4.8. Configuring Foreman server with a custom SSL certificate
By default, Foreman uses a self-signed SSL certificate to enable encrypted communications between Foreman server, external Smart Proxy servers, and all hosts. If you cannot use a Foreman self-signed certificate, you can configure Foreman server to use an SSL certificate signed by an external certificate authority (CA).
When you configure Foreman with custom SSL certificates, you must fulfill the following requirements:
-
You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
-
You must not use the same SSL certificate for both Foreman server and Smart Proxy server.
-
The same CA must sign certificates for Foreman server and Smart Proxy server.
-
An SSL certificate must not also be a CA certificate.
-
An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
-
An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
-
An SSL certificate must not have a shortname as the CN.
-
You must not set a passphrase for the private key.
To configure your Foreman server with a custom certificate, complete the following procedures:
-
If you have external Smart Proxy servers registered to Foreman server, configure them with custom SSL certificates. For more information, see Configuring Smart Proxy server with a Custom SSL Certificate in Installing a Smart Proxy Server nightly on Enterprise Linux.
4.8.1. Creating a custom SSL certificate for Foreman server
Use this procedure to create a custom SSL certificate for Foreman server. If you already have a custom SSL certificate for Foreman server, skip this procedure.
-
To store all the source certificate files, create a directory that is accessible only to the
root
user:# mkdir /root/foreman_cert
-
Create a private key with which to sign the certificate signing request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Foreman server, skip this step.
# openssl genrsa -out
/root/foreman_cert/foreman_cert_key.pem
4096 -
Create the
/root/foreman_cert/openssl.cnf
configuration file for the CSR and include the following content:[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] commonName = foreman.example.com [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection subjectAltName = @alt_names [ alt_names ] DNS.1 = foreman.example.com
-
Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the
[ req_distinguished_name ]
section:[req_distinguished_name] CN = foreman.example.com countryName =My_Country_Name (1) stateOrProvinceName = My_State_Or_Province_Name (2) localityName = My_Locality_Name (3) organizationName = My_Organization_Or_Company_Name organizationalUnitName = My_Organizational_Unit_Name (4)
-
Two letter code
-
Full name
-
Full name (example: New York)
-
Division responsible for the certificate (example: IT department)
-
-
Generate CSR:
# openssl req -new \ -key /root/foreman_cert/foreman_cert_key.pem \ (1) -config /root/foreman_cert/openssl.cnf \ (2) -out /root/foreman_cert/foreman_cert_csr.pem (3)
-
Path to the private key
-
Path to the configuration file
-
Path to the CSR to generate
-
-
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Foreman server and Smart Proxy server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
4.8.2. Deploying a custom SSL certificate to Foreman server
Use this procedure to configure your Foreman server to use a custom SSL certificate signed by a Certificate Authority.
The katello-certs-check
command validates the input certificate files and returns the commands necessary to deploy a custom SSL certificate to Foreman server.
Important
|
Do not store the SSL certificates or .tar bundles in |
-
Validate the custom SSL certificate input files. Note that for the
katello-certs-check
command to work correctly, Common Name (CN) in the certificate must match the FQDN of Foreman server.# katello-certs-check \ -c /root/foreman_cert/foreman_cert.pem \ (1) -k /root/foreman_cert/foreman_cert_key.pem \ (2) -b /root/foreman_cert/ca_cert_bundle.pem (3)
-
Path to Foreman server certificate file that is signed by a Certificate Authority.
-
Path to the private key that was used to sign Foreman server certificate.
-
Path to the Certificate Authority bundle.
If the command is successful, it returns two
foreman-installer
commands, one of which you must use to deploy a certificate to Foreman server.Example output ofkatello-certs-check
Validation succeeded. To install the Katello main server with the custom certificates, run: foreman-installer --scenario katello \ --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \ --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \ --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" To update the certificates on a currently running Katello installation, run: foreman-installer --scenario katello \ --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \ --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \ --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \ --certs-update-server --certs-update-server-ca
Note that you must not access or modify
/root/ssl-build
.
-
-
From the output of the
katello-certs-check
command, depending on your requirements, enter theforeman-installer
command that installs a new Foreman with custom SSL certificates or updates certificates on a currently running Foreman.If you are unsure which command to run, you can verify that Foreman is installed by checking if the file
/etc/foreman-installer/scenarios.d/.installed
exists. If the file exists, run the secondforeman-installer
command that updates certificates.Importantforeman-installer
needs the certificate archive file after you deploy the certificate. Do not modify or delete it. It is required, for example, when upgrading Foreman server. -
On a computer with network access to Foreman server, navigate to the following URL:
https://foreman.example.com
. -
In your browser, view the certificate details to verify the deployed certificate.
4.8.3. Deploying a SSL certificate to hosts
After you configure Foreman to use a SSL certificate, you must deploy the certificate to hosts registered to Foreman.
-
Update the SSL certificate on each host:
-
On Debian and Ubuntu:
# wget http://foreman.example.com/pub/katello-rhsm-consumer # chmod +x katello-rhsm-consumer # ./katello-rhsm-consumer
-
On Enterprise Linux 8+:
# dnf install http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
-
On OpenSUSE and SUSE Linux Enterprise Server:
# zypper install http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
-
4.9. Resetting SSL certificate to default self-signed certificate on Foreman server
-
Reset the SSL certificate to default self-signed certificate:
# foreman-installer --certs-reset
Ensure the following parameters in /etc/foreman-installer/scenarios.d/foreman-answers.yaml
have no values:
-
server_cert:
-
server_key:
-
server_cert_req:
-
server_ca_cert:
-
Resetting SSL certificate to default self-signed certificate on Smart Proxy server in Installing a Smart Proxy Server nightly on Enterprise Linux.
-
Resetting SSL certificate to default self-signed certificate on hosts in Managing hosts.
4.10. Using external databases with Foreman
As part of the installation process for Foreman, the foreman-installer command installs PostgreSQL databases on the same server as Foreman. In certain Foreman deployments, using external databases instead of the default local databases can help with the server load.
To create and use external databases for Foreman, you must complete the following procedures:
-
Preparing a host for external databases. Prepare a host for the external databases.
-
Installing PostgreSQL. Prepare PostgreSQL with databases for Foreman, Candlepin and Pulp with dedicated users owning them.
-
Configuring Foreman server to use external databases. Edit the parameters of
foreman-installer
to point to the new databases, and runforeman-installer
.
4.10.1. PostgreSQL as an external database considerations
Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your Foreman configuration. Foreman supports PostgreSQL version 13.
-
Increase in free memory and free CPU on Foreman
-
Flexibility to set
shared_buffers
on the PostgreSQL database to a high number without the risk of interfering with other services on Foreman -
Flexibility to tune the PostgreSQL server’s system without adversely affecting Foreman operations
-
Increase in deployment complexity that can make troubleshooting more difficult
-
The external PostgreSQL server is an additional system to patch and maintain
-
If either Foreman or the PostgreSQL database server suffers a hardware or storage failure, Foreman is not operational
-
If there is latency between the Foreman server and database server, performance can suffer
4.10.2. Preparing a host for external databases
Install a freshly provisioned system with the latest Enterprise Linux 9 or Enterprise Linux 8 to host the external databases.
-
The prepared host must meet Foreman’s Storage Requirements.
Select the operating system and version you are installing external database on:
Enterprise Linux 9
-
Install the
katello-repos-latest.rpm
package# dnf install https://yum.theforeman.org/releases/nightly/el9/x86_64/foreman-release.rpm \ https://yum.theforeman.org/katello/nightly/katello/el9/x86_64/katello-repos-latest.rpm
-
Verify that the required repositories are enabled:
# dnf repolist enabled
Enterprise Linux 8
-
Install the
katello-repos-latest.rpm
package# dnf install https://yum.theforeman.org/releases/nightly/el8/x86_64/foreman-release.rpm \ https://yum.theforeman.org/katello/nightly/katello/el8/x86_64/katello-repos-latest.rpm
-
Enable the following module:
# dnf module enable katello:el8
NoteEnablement of the module
katello:el8
warns about a conflict withpostgresql:10
andruby:2.5
as these modules are set to the default module versions on Enterprise Linux 8. The modulekatello:el8
has a dependency for the modulespostgresql:12
andruby:2.7
that will be enabled with thekatello:el8
module. These warnings do not cause installation process failure, hence can be ignored safely.
-
Verify that the required repositories are enabled:
# dnf repolist enabled
4.10.3. Installing PostgreSQL
You can install only the same version of PostgreSQL that is installed with the foreman-installer
tool during an internal database installation.
Foreman supports PostgreSQL version 12.
If you do not use firewall-cmd
to configure the Linux firewall, implement using the command of your choice.
-
To install PostgreSQL, enter the following command:
# dnf install postgresql-server postgresql-evr postgresql-contrib
-
To initialize PostgreSQL, enter the following command:
# postgresql-setup initdb
-
Edit the
/var/lib/pgsql/data/postgresql.conf
file:# vi /var/lib/pgsql/data/postgresql.conf
Note that the default configuration of external PostgreSQL needs to be adjusted to work with Foreman. The base recommended external database configuration adjustments are as follows:
-
checkpoint_completion_target: 0.9
-
max_connections: 500
-
shared_buffers: 512MB
-
work_mem: 4MB
-
-
Remove the
#
and edit to listen to inbound connections:listen_addresses = '*'
-
Add the following line to the end of the file to use SCRAM for authentication:
password_encryption=scram-sha-256
-
Edit the
/var/lib/pgsql/data/pg_hba.conf
file:# vi /var/lib/pgsql/data/pg_hba.conf
-
Add the following line to the file:
host all all Foreman_ip/32 scram-sha-256
-
To start, and enable PostgreSQL service, enter the following commands:
# systemctl enable --now postgresql
-
Open the postgresql port on the external PostgreSQL server:
# firewall-cmd --add-service=postgresql
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
Switch to the
postgres
user and start the PostgreSQL client:$ su - postgres -c psql
-
Create three databases and dedicated roles: one for Foreman, one for Candlepin, and one for Pulp:
CREATE USER "foreman" WITH PASSWORD 'Foreman_Password'; CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password'; CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password'; CREATE DATABASE foreman OWNER foreman; CREATE DATABASE candlepin OWNER candlepin; CREATE DATABASE pulpcore OWNER pulp;
-
Connect to the Pulp database:
postgres=# \c pulpcore You are now connected to database "pulpcore" as user "postgres".
-
Create the
hstore
extension:pulpcore=# CREATE EXTENSION IF NOT EXISTS "hstore"; CREATE EXTENSION
-
Exit the
postgres
user:# \q
-
From Foreman server, test that you can access the database. If the connection succeeds, the commands return
1
.# PGPASSWORD='Foreman_Password' psql -h postgres.example.com -p 5432 -U foreman -d foreman -c "SELECT 1 as ping" # PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping" # PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"
4.10.4. Configuring Foreman server to use external databases
Use the foreman-installer
command to configure Foreman to connect to an external PostgreSQL database.
-
You have installed and configured a PostgreSQL database on a Enterprise Linux server.
-
To configure the external databases for Foreman, enter the following command:
# foreman-installer \ --katello-candlepin-manage-db false \ --katello-candlepin-db-host postgres.example.com \ --katello-candlepin-db-name candlepin \ --katello-candlepin-db-user candlepin \ --katello-candlepin-db-password Candlepin_Password \ --foreman-proxy-content-pulpcore-manage-postgresql false \ --foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \ --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \ --foreman-proxy-content-pulpcore-postgresql-user pulp \ --foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \ --foreman-db-manage false \ --foreman-db-host postgres.example.com \ --foreman-db-database foreman \ --foreman-db-username foreman \ --foreman-db-password Foreman_Password
To enable the Secure Sockets Layer (SSL) protocol for these external databases, add the following options:
--foreman-db-root-cert <path_to_CA> --foreman-db-sslmode verify-full --foreman-proxy-content-pulpcore-postgresql-ssl true --foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA> --katello-candlepin-db-ssl true --katello-candlepin-db-ssl-ca <path_to_CA> --katello-candlepin-db-ssl-verify true
5. Configuring Foreman server with external services
If you do not want to configure the DNS, DHCP, and TFTP services on Foreman server, use this section to configure your Foreman server to work with external DNS, DHCP, and TFTP services.
5.1. Configuring Foreman server with external DNS
You can configure Foreman server with external DNS.
Foreman server uses the nsupdate
utility to update DNS records on the remote server.
To make any changes persistent, you must enter the foreman-installer
command with the options appropriate for your environment.
-
You must have a configured external DNS server.
-
This guide assumes you have an existing installation.
-
Copy the
/etc/rndc.key
file from the external DNS server to Foreman server:# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
-
Configure the ownership, permissions, and SELinux context:
# restorecon -v /etc/foreman-proxy/rndc.key # chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key # chmod -v 640 /etc/foreman-proxy/rndc.key
-
To test the
nsupdate
utility, add a host remotely:# echo -e "server DNS_IP_Address\n \ update add aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key # nslookup aaa.example.com DNS_IP_Address # echo -e "server DNS_IP_Address\n \ update delete aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dns.yml
file:# foreman-installer --foreman-proxy-dns=true \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="DNS_IP_Address" \ --foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
Locate the Foreman server and select Refresh from the list in the Actions column.
-
Associate the DNS service with the appropriate subnets and domain.
5.2. Configuring Foreman server with external DHCP
To configure Foreman server with external DHCP, you must complete the following procedures:
5.2.1. Configuring an external DHCP server to use with Foreman server
To configure an external DHCP server running Enterprise Linux to use with Foreman server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with Foreman server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
Note
|
If you use dnsmasq as an external DHCP server, enable the |
If you do not use firewall-cmd
to configure the Linux firewall, implement using the command of your choice.
-
On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
# dnf install dhcp-server bind-utils
-
Generate a security token:
# tsig-keygen -a hmac-md5 omapi_key
-
Edit the
dhcpd
configuration file for all subnets and add the key generated bytsig-keygen
. The following is an example:# cat /etc/dhcp/dhcpd.conf default-lease-time 604800; max-lease-time 2592000; log-facility local7; subnet 192.168.38.0 netmask 255.255.255.0 { range 192.168.38.10 192.168.38.100; option routers 192.168.38.1; option subnet-mask 255.255.255.0; option domain-search "virtual.lan"; option domain-name "virtual.lan"; option domain-name-servers 8.8.8.8; } omapi-port 7911; key omapi_key { algorithm hmac-md5; secret "My_Secret"; }; omapi-key omapi_key;
Note that the
option routers
value is the IP address of your Foreman server or Smart Proxy server that you want to use with an external DHCP service. -
On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.
To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Foreman web UI define the reservation range as 192.168.38.101 to 192.168.38.250.
-
Configure the firewall for external access to the DHCP server:
# firewall-cmd --add-service dhcp
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
-
On Foreman server, determine the UID and GID of the
foreman
user:# id -u foreman 993 # id -g foreman 990
-
On the DHCP server, create the
foreman
user and group with the same IDs as determined in a previous step:# groupadd -g 990 foreman # useradd -u 993 -g 990 -s /sbin/nologin foreman
-
To ensure that the configuration files are accessible, restore the read and execute flags:
# chmod o+rx /etc/dhcp/ # chmod o+r /etc/dhcp/dhcpd.conf # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
-
Enable and start the DHCP service:
# systemctl enable --now dhcpd
-
Export the DHCP configuration and lease files using NFS:
# dnf install nfs-utils # systemctl enable --now nfs-server
-
Create directories for the DHCP configuration and lease files that you want to export using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
-
To create mount points for the created directories, add the following line to the
/etc/fstab
file:/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
-
Mount the file systems in
/etc/fstab
:# mount -a
-
Ensure the following lines are present in
/etc/exports
:/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Note that the IP address that you enter is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.
-
Reload the NFS server:
# exportfs -rva
-
Configure the firewall for DHCP omapi port 7911:
# firewall-cmd --add-port=7911/tcp
-
Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.
# firewall-cmd \ --add-service mountd \ --add-service nfs \ --add-service rpc-bind \ --zone public
-
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
5.2.2. Configuring Foreman server with an external DHCP server
You can configure Foreman server with an external DHCP server.
-
Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Foreman server. For more information, see Configuring an external DHCP server to use with Foreman server.
-
Install the
nfs-utils
package:# dnf install nfs-utils
-
Create the DHCP directories for NFS:
# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
-
Change the file owner:
# chown -R foreman-proxy /mnt/nfs
-
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
# showmount -e DHCP_Server_FQDN # rpcinfo -p DHCP_Server_FQDN
-
Add the following lines to the
/etc/fstab
file:DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0 DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
-
Mount the file systems on
/etc/fstab
:# mount -a
-
To verify that the
foreman-proxy
user can access the files that are shared over the network, display the DHCP configuration and lease files:# su foreman-proxy -s /bin/bash $ cat /mnt/nfs/etc/dhcp/dhcpd.conf $ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases $ exit
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dhcp.yml
file:# foreman-installer \ --enable-foreman-proxy-plugin-dhcp-remote-isc \ --foreman-proxy-dhcp-provider=remote_isc \ --foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \ --foreman-proxy-dhcp=true \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \ --foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \ --foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \ --foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911
-
Associate the DHCP service with the appropriate subnets and domain.
5.3. Using Infoblox as DHCP and DNS providers
You can use Foreman server to connect to your Infoblox application to create and manage DHCP and DNS records, and to reserve IP addresses.
The supported Infoblox version is NIOS 8.0 or higher.
5.3.1. Infoblox limitations
All DHCP and DNS records can be managed only in a single Network or DNS view.
After you install the Infoblox modules on Foreman server and set up the view using the foreman-installer
command, you cannot edit the view.
Foreman server communicates with a single Infoblox node by using the standard HTTPS web API. If you want to configure clustering and High Availability, make the configurations in Infoblox.
Hosting PXE-related files by using the TFTP functionality of Infoblox is not supported. You must use Foreman server as a TFTP server for PXE provisioning. For more information, see Configuring networking in Provisioning hosts.
Foreman IPAM feature cannot be integrated with Infoblox.
5.3.2. Infoblox prerequisites
-
You must have Infoblox account credentials to manage DHCP and DNS entries in Foreman.
-
Ensure that you have Infoblox administration roles with the names:
DHCP Admin
andDNS Admin
. -
The administration roles must have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API.
5.3.3. Installing the Infoblox CA certificate
You must install Infoblox HTTPS CA certificate on the base system of Foreman server.
-
Download the certificate from the Infoblox web UI or you use the following OpenSSL commands to download the certificate:
# update-ca-trust enable # openssl s_client -showcerts -connect infoblox.example.com:443 </dev/null | \ openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt # update-ca-trust extract
The
infoblox.example.com
entry must match the host name for the Infoblox application in the X509 certificate.
-
Test the CA certificate by using a
curl
query:# curl -u admin:password https://infoblox.example.com/wapi/v2.0/network
Example positive response:
[ { "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:infoblox.example.com/24/default", "network": "192.168.202.0/24", "network_view": "default" } ]
5.3.4. Installing the DHCP Infoblox module
Install the DHCP Infoblox module on Foreman server. Note that you cannot manage records in separate views.
You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and Installing the DNS Infoblox module.
If you want to use the DHCP and DNS Infoblox modules together, configure the DHCP Infoblox module with the fixedaddress
record type only.
The host
record type causes DNS conflicts and is not supported.
If you configure the DHCP Infoblox module with the host
record type, you have to unset both DNS Smart Proxy and Reverse DNS Smart Proxy options on your Infoblox-managed subnets, because Infoblox does DNS management by itself.
Using the host
record type leads to creating conflicts and being unable to rename hosts in Foreman.
-
On Foreman server, enter the following command:
# foreman-installer --enable-foreman-proxy-plugin-dhcp-infoblox \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-provider infoblox \ --foreman-proxy-dhcp-server infoblox.example.com \ --foreman-proxy-plugin-dhcp-infoblox-username admin \ --foreman-proxy-plugin-dhcp-infoblox-password infoblox \ --foreman-proxy-plugin-dhcp-infoblox-record-type fixedaddress \ --foreman-proxy-plugin-dhcp-infoblox-dns-view default \ --foreman-proxy-plugin-dhcp-infoblox-network-view default
-
Optional: In the Foreman web UI, navigate to Infrastructure > Smart Proxies, select the Smart Proxy with the DHCP Infoblox module, and ensure that the dhcp feature is listed.
-
In the Foreman web UI, navigate to Infrastructure > Subnets.
-
For all subnets managed through Infoblox, ensure that the IP address management (IPAM) method of the subnet is set to
DHCP
.
5.3.5. Installing the DNS Infoblox module
Install the DNS Infoblox module on Foreman server. You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and Installing the DHCP Infoblox module.
-
On Foreman server, enter the following command to configure the Infoblox module:
# foreman-installer --enable-foreman-proxy-plugin-dns-infoblox \ --foreman-proxy-dns true \ --foreman-proxy-dns-provider infoblox \ --foreman-proxy-plugin-dns-infoblox-dns-server infoblox.example.com \ --foreman-proxy-plugin-dns-infoblox-username admin \ --foreman-proxy-plugin-dns-infoblox-password infoblox \ --foreman-proxy-plugin-dns-infoblox-dns-view default
Optionally, you can change the value of the
--foreman-proxy-plugin-dns-infoblox-dns-view
option to specify an Infoblox DNS view other than the default view. -
Optional: In the Foreman web UI, navigate to Infrastructure > Smart Proxies, select the Smart Proxy with the Infoblox DNS module, and ensure that the dns feature is listed.
-
In the Foreman web UI, navigate to Infrastructure > Domains.
-
For all domains managed through Infoblox, ensure that the DNS Proxy is set for those domains.
-
In the Foreman web UI, navigate to Infrastructure > Subnets.
-
For all subnets managed through Infoblox, ensure that the DNS Smart Proxy and Reverse DNS Smart Proxy are set for those subnets.
5.4. Configuring Foreman server with external TFTP
You can configure Foreman server with external TFTP services.
-
Create the TFTP directory for NFS:
# mkdir -p /mnt/nfs/var/lib/tftpboot
-
In the
/etc/fstab
file, add the following line:TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
-
Mount the file systems in
/etc/fstab
:# mount -a
-
Enter the
foreman-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/tftp.yml
file:# foreman-installer \ --foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \ --foreman-proxy-tftp=true
-
If the TFTP service is running on a different server than the DHCP service, update the
tftp_servername
setting with the FQDN or IP address of the server that the TFTP service is running on:# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
Locate the Foreman server and select Refresh from the list in the Actions column.
-
Associate the TFTP service with the appropriate subnets and domain.
5.5. Configuring Foreman server with external IdM DNS
When Foreman server adds a DNS record for a host, it first determines which Smart Proxy is providing DNS for that domain. It then communicates with the Smart Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Foreman or Smart Proxy that is currently configured to provide a DNS service for the domain you want to manage by using the IdM server.
Foreman server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service.
To configure Foreman server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:
To revert to internal DNS service, use the following procedure:
Note
|
You are not required to use Foreman server to manage DNS.
When you are using the realm enrollment feature of Foreman, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client.
Configuring Foreman server with external IdM DNS and realm enrollment are mutually exclusive.
For more information about configuring realm enrollment, see
Configuring Foreman to manage the lifecycle of a host registered to a FreeIPA realm.
|
5.5.1. Configuring dynamic DNS update with GSS-TSIG authentication
You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Foreman server base operating system.
-
You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
-
You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.
To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:
-
Obtain a Kerberos ticket for the account obtained from the IdM administrator:
# kinit idm_user
-
Create a new Kerberos principal for Foreman server to use to authenticate on the IdM server:
# ipa service-add smartproxy/foreman.example.com
-
On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the
ipa-client
package:# dnf install ipa-client
-
Configure the IdM client by running the installation script and following the on-screen prompts:
# ipa-client-install
-
Obtain a Kerberos ticket:
# kinit admin
-
Remove any preexisting
keytab
:# rm /etc/foreman-proxy/dns.keytab
-
Obtain the
keytab
for this system:# ipa-getkeytab -p smartproxy/foreman.example.com@EXAMPLE.COM \ -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
NoteWhen adding a keytab to a standby system with the same host name as the original system in service, add the
r
option to prevent generating new credentials and rendering the credentials on the original system invalid. -
For the
dns.keytab
file, set the group and owner toforeman-proxy
:# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
-
Optional: To verify that the
keytab
file is valid, enter the following command:# kinit -kt /etc/foreman-proxy/dns.keytab \ smartproxy/foreman.example.com@EXAMPLE.COM
-
Create and configure the zone that you want to manage:
-
Navigate to Network Services > DNS > DNS Zones.
-
Select Add and enter the zone name. For example,
example.com
. -
Click Add and Edit.
-
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
-
Set Dynamic update to True.
-
Enable Allow PTR sync.
-
Click Save to save the changes.
-
-
Create and configure the reverse zone:
-
Navigate to Network Services > DNS > DNS Zones.
-
Click Add.
-
Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
-
Click Add and Edit.
-
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
-
Set Dynamic update to True.
-
Click Save to save the changes.
-
-
Configure your Foreman server or Smart Proxy server to connect to your DNS service:
# foreman-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate_gss \ --foreman-proxy-dns-server="idm1.example.com" \ --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \ --foreman-proxy-dns-tsig-principal="smartproxy/foreman.example.com@EXAMPLE.COM" \ --foreman-proxy-dns=true
-
For each affected Smart Proxy, update the configuration of that Smart Proxy in the Foreman web UI:
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
-
Configure the domain:
-
In the Foreman web UI, navigate to Infrastructure > Domains and select the domain name.
-
In the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
-
-
Configure the subnet:
-
In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
-
In the Subnet tab, set IPAM to None.
-
In the Domains tab, select the domain that you want to manage using the IdM server.
-
In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
-
Click Submit to save the changes.
-
-
5.5.2. Configuring dynamic DNS update with TSIG authentication
You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key
key file for authentication.
The TSIG protocol is defined in RFC2845.
-
You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-
You must obtain
root
user access on the IdM server. -
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
-
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
-
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.
To configure dynamic DNS update with TSIG authentication, complete the following steps:
-
On the IdM Server, add the following to the top of the
/etc/named.conf
file:######################################################################## include "/etc/rndc.key"; controls { inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; }; }; ########################################################################
-
Reload the
named
service to make the changes take effect:# systemctl reload named
-
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
-
Add the following in the
BIND update policy
box:grant "rndc-key" zonesub ANY;
-
Set Dynamic update to True.
-
Click Update to save the changes.
-
-
Copy the
/etc/rndc.key
file from the IdM server to the base operating system of your Foreman server. Enter the following command:# scp /etc/rndc.key root@foreman.example.com:/etc/rndc.key
-
To set the correct ownership, permissions, and SELinux context for the
rndc.key
file, enter the following command:# restorecon -v /etc/rndc.key # chown -v root:named /etc/rndc.key # chmod -v 640 /etc/rndc.key
-
Assign the
foreman-proxy
user to thenamed
group manually. Normally, foreman-installer ensures that theforeman-proxy
user belongs to thenamed
UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign theforeman-proxy
user to thenamed
group manually.# usermod -a -G named foreman-proxy
-
On Foreman server, enter the following
foreman-installer
command to configure Foreman to use the external DNS server:# foreman-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="IdM_Server_IP_Address" \ --foreman-proxy-dns-ttl=86400 \ --foreman-proxy-dns=true \ --foreman-proxy-keyfile=/etc/rndc.key
-
Ensure that the key in the
/etc/rndc.key
file on Foreman server is the same key file that is used on the IdM server:key "rndc-key" { algorithm hmac-md5; secret "secret-key=="; };
-
On Foreman server, create a test DNS entry for a host. For example, host
test.example.com
with an A record of192.168.25.20
on the IdM server at192.168.25.1
.# echo -e "server 192.168.25.1\n \ update add test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
-
On Foreman server, test the DNS entry:
# nslookup test.example.com 192.168.25.1
Example output:
Server: 192.168.25.1 Address: 192.168.25.1#53 Name: test.example.com Address: 192.168.25.20
-
To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.
-
If resolved successfully, remove the test DNS entry:
# echo -e "server 192.168.25.1\n \ update delete test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
-
Confirm that the DNS entry was removed:
# nslookup test.example.com 192.168.25.1
The above
nslookup
command fails and returns theSERVFAIL
error message if the record was successfully deleted.
5.5.3. Reverting to internal DNS service
You can revert to using Foreman server and Smart Proxy server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Foreman server.
On the Foreman or Smart Proxy server that you want to configure to manage DNS service for the domain, complete the following steps:
-
If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the
foreman-installer
command:# foreman-installer
-
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Foreman or Smart Proxy as DNS server without using an answer file, enter the following
foreman-installer
command on Foreman or Smart Proxy:# foreman-installer \ --foreman-proxy-dns-managed=true \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="127.0.0.1" \ --foreman-proxy-dns=true
For more information, see Configuring DNS, DHCP, and TFTP on Smart Proxy server.
After you run the foreman-installer
command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
For each Smart Proxy that you want to update, from the Actions list, select Refresh.
-
Configure the domain:
-
In the Foreman web UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
-
In the Domain tab, set DNS Smart Proxy to the Smart Proxy where the subnet is connected.
-
-
Configure the subnet:
-
In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
-
In the Subnet tab, set IPAM to DHCP or Internal DB.
-
In the Domains tab, select the domain that you want to manage using Foreman or Smart Proxy.
-
In the Smart Proxies tab, set Reverse DNS Smart Proxy to the Smart Proxy where the subnet is connected.
-
Click Submit to save the changes.
-
5.6. Configuring Foreman to manage the lifecycle of a host registered to a FreeIPA realm
As well as providing access to Foreman server, hosts provisioned with Foreman can also be integrated with FreeIPA realms. Foreman has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.
Use this section to configure Foreman server or Smart Proxy server for FreeIPA realm support, then add hosts to the FreeIPA realm group.
-
Foreman server that is registered to the Content Delivery Network or an external Smart Proxy server that is registered to Foreman server.
-
A deployed realm or domain provider such as FreeIPA.
To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on Foreman server or Smart Proxy server:
-
Install the
ipa-client
package on Foreman server or Smart Proxy server:# dnf install ipa-client
-
Configure the server as a FreeIPA client:
# ipa-client-install
-
Create a realm proxy user,
realm-smart-proxy
, and the relevant roles in FreeIPA:# foreman-prepare-realm admin realm-smart-proxy
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.
Complete the following procedure on Foreman and every Smart Proxy that you want to use:
-
Copy the
/root/freeipa.keytab
file to any Smart Proxy server that you want to include in the same principal and realm:# scp /root/freeipa.keytab root@smartproxy.example.com:/etc/foreman-proxy/freeipa.keytab
-
Move the
/root/freeipa.keytab
file to the/etc/foreman-proxy
directory and set the ownership settings to theforeman-proxy
user:# mv /root/freeipa.keytab /etc/foreman-proxy # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
-
Enter the following command on all Smart Proxies that you want to include in the realm. If you use the integrated Smart Proxy on Foreman, enter this command on Foreman server:
# foreman-installer --foreman-proxy-realm true \ --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \ --foreman-proxy-realm-principal realm-smart-proxy@EXAMPLE.COM \ --foreman-proxy-realm-provider freeipa
You can also use these options when you first configure the Foreman server.
-
Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt # update-ca-trust enable # update-ca-trust
-
Optional: If you configure FreeIPA on an existing Foreman server or Smart Proxy server, complete the following steps to ensure that the configuration changes take effect:
-
Restart the foreman-proxy service:
# systemctl restart foreman-proxy
-
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
-
Locate the Smart Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.
-
After you configure your integrated or external Smart Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured Smart Proxy to the realm.
-
In the Foreman web UI, navigate to Infrastructure > Realms and click Create Realm.
-
In the Name field, enter a name for the realm.
-
From the Realm Type list, select the type of realm.
-
From the Realm Smart Proxy list, select Smart Proxy server where you have configured FreeIPA.
-
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
-
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
-
Click Submit.
You must update any host groups that you want to use with the new realm information.
-
In the Foreman web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
-
From the Realm list, select the realm you create as part of this procedure, and then click Submit.
FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes.
Foreman’s realm feature provides administrators with the ability to map the Foreman host groups to the FreeIPA parameter userclass
which allow administrators to configure automembership.
When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the Foreman User Interface. For example, "Parent/Child/Child".
Foreman server or Smart Proxy server sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.
-
On the FreeIPA server, create a host group:
# ipa hostgroup-add hostgroup_name --desc=hostgroup_description
-
Create an
automembership
rule:# ipa automember-add --type=hostgroup hostgroup_name automember_rule
Where you can use the following options:
-
automember-add
flags the group as an automember group. -
--type=hostgroup
identifies that the target group is a host group, not a user group. -
automember_rule
adds the name you want to identify the automember rule by.
-
-
Define an automembership condition based on the
userclass
attribute:# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name ---------------------------------- Added condition(s) to "hostgroup_name" ---------------------------------- Automember Rule: automember_rule Inclusive Regex: userclass=^webserver ---------------------------- Number of conditions added 1 ----------------------------
Where you can use the following options:
-
automember-add-condition
adds regular expression conditions to identify group members. -
--key=userclass
specifies the key attribute asuserclass
. -
--type=hostgroup
identifies that the target group is a host group, not a user group. -
--inclusive-regex=
^webserver identifies matching values with a regular expression pattern. -
hostgroup_name – identifies the target host group’s name.
-
When a system is added to Foreman server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.
Appendix A: Troubleshooting DNF modules
If DNF modules fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows. List the enabled modules:
# dnf module list --enabled
Ruby
If Ruby module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:
List the enabled modules:
# dnf module list --enabled
If the Ruby 2.5 module has already been enabled, perform a module reset:
# dnf module reset ruby
PostgreSQL
If PostgreSQL module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:
List the enabled modules:
# dnf module list --enabled
If the PostgreSQL 10 module has already been enabled, perform a module reset:
# dnf module reset postgresql
If you created a PostgreSQL 10 database, perform an upgrade:
-
Enable the DNF modules:
# dnf module enable katello:el8
-
Install the PostgreSQL upgrade package:
# dnf install postgresql-upgrade
-
Perform the upgrade:
# postgresql-setup --upgrade
Appendix B: Troubleshooting sync errors
- "[Errno 1] Operation not permitted: …" during repository syncing
# chown --recursive pulp.pulp /var/lib/pulp/media/
- "{"policy":[""" is not a valid choice."]}" during Debian repository syncing
# foreman-rake katello:migrate_deb_content_attributes_to_pulp3
- 500 API error during syncing with "cryptography.fernet.InvalidToken" in /var/log/messages traceback
-
Run this on the Katello server and every smart proxy.
# sudo -u pulp PULP_SETTINGS='/etc/pulp/settings.py' pulpcore-manager datarepair-2327 --dry-run
If you see values greater than 0 returned from the dry-run:
# sudo -u pulp PULP_SETTINGS='/etc/pulp/settings.py' pulpcore-manager datarepair-2327
Appendix C: Applying custom configuration to Foreman
When you install and configure Foreman for the first time by using foreman-installer
, you can specify that the DNS and DHCP configuration files are not to be managed by Puppet by using the installer flags --foreman-proxy-dns-managed=false
and --foreman-proxy-dhcp-managed=false
.
If these flags are not specified during the initial installer run, rerunning of the installer overwrites all manual changes, for example, rerun for upgrade purposes.
If changes are overwritten, you must run the restore procedure to restore the manual changes.
For more information, see Restoring Manual Changes Overwritten by a Puppet Run.
To view all installer flags available for custom configuration, run foreman-installer --scenario katello --full-help
.
Some Puppet classes are not exposed to the Foreman installer.
To manage them manually and prevent the installer from overwriting their values, specify the configuration values by adding entries to configuration file /etc/foreman-installer/custom-hiera.yaml
.
This configuration file is in YAML format, consisting of one entry per line in the format of <puppet class>::<parameter name>: <value>
.
Configuration values specified in this file persist across installer reruns.
Common examples include:
-
For Apache, to set the ServerTokens directive to return only the product name:
apache::server_tokens: Prod
-
To turn off the Apache server signature entirely:
apache::server_signature: Off
The Puppet modules for the Foreman installer are stored under /usr/share/foreman-installer/modules
.
Check the .pp
files (for example: moduleName/manifests/example.pp) to look up the classes, parameters, and values.
Alternatively, use the grep
command to do keyword searches.
Setting some values may have unintended consequences that affect the performance or functionality of Foreman.
Consider the impact of the changes before you apply them, and test the changes in a non-production environment first.
If you do not have a non-production Foreman environment, run the Foreman installer with the --noop
and --verbose
options.
If your changes cause problems, remove the offending lines from custom-hiera.yaml
and rerun the Foreman installer.
If you have any specific questions about whether a particular value is safe to alter, contact Red Hat support.
Appendix D: Restoring manual changes overwritten by a Puppet run
If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.
-
Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
-
Check the log files to note down the md5sum of the overwritten file. For example:
# journalctl -xe ... /Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1 ...
-
Restore the overwritten file:
# puppet filebucket restore --local --bucket \ /var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1
-
Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.