Installing orcharhino Server

1. Preparing your environment for installation

Before you install orcharhino, ensure that your environment meets the following requirements.

1.1. System requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
A minimum of 20 GB RAM is required for orcharhino Server to function. orcharhino running with less RAM than the minimum value might not operate correctly.
Administrative user (root) access
Full forward and reverse DNS resolution using a fully-qualified domain name

orcharhino only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.

orcharhino Server and orcharhino Proxy do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a orcharhino.

Before you install orcharhino Server, ensure that your environment meets the requirements for installation.

orcharhino Server must be installed on a freshly provisioned system that serves no other function except to run orcharhino Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that orcharhino Server creates:

apache
foreman
foreman-proxy
postgres
pulp
puppet
redis
tomcat

Synchronized system clock

The system clock on the base operating system where you are installing your orcharhino Server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.

1.2. Storage requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

Table 1. Storage requirements for a orcharhino Server installation
Directory	Installation Size	Runtime Size
/var/log	10 MB	10 GB
/var/lib/pgsql	100 MB	20 GB
/usr	10 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable
/var/lib/pulp	1 MB	300 GB

1.3. Supported operating systems

The following operating systems are supported by the installer, have packages, and are tested for deploying orcharhino:

Table 2. Operating systems supported by foreman-installer
Operating System	Architecture	Notes
Enterprise Linux 9	x86_64 only	EPEL is not supported.

ATIX AG advises against using an existing system because the orcharhino installer will affect the configuration of several components.

1.4. Supported browsers

The orcharhino management UI and command-line interface is translated into various languages.

1.5. Port and firewall requirements

For the components of orcharhino architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated orcharhino Proxy

orcharhino Server has an integrated orcharhino Proxy and any host that is directly connected to orcharhino Server is a Client of orcharhino in the context of this section. This includes the base operating system on which orcharhino Proxy is running.

Clients of orcharhino Proxy

Hosts which are clients of orcharhino Proxies, other than orcharhino’s integrated orcharhino Proxy, do not need access to orcharhino Server.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 3. orcharhino Server incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
443	TCP	HTTPS	orcharhino Proxy	orcharhino API	Communication from orcharhino Proxy
443, 80	TCP	HTTPS, HTTP	Client	Global Registration	Registering hosts to orcharhino Port 443 is required for registration initiation, uploading facts, and sending installed packages and traces Port 80 notifies orcharhino on the `/unattended/built` endpoint that registration has finished
443	TCP	HTTPS	orcharhino	Content Mirroring	Management
443	TCP	HTTPS	orcharhino	orcharhino Proxy API	Smart Proxy functionality
443, 80	TCP	HTTPS, HTTP	orcharhino Proxy	Content Retrieval	Content
443, 80	TCP	HTTPS, HTTP	Client	Content Retrieval	Content
1883	TCP	MQTT	Client	Pull based REX (optional)	Content hosts for REX job notification (optional)
5910 – 5930	TCP	HTTPS	Browsers	Compute Resource’s virtual console
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTPS	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
9090	TCP	HTTPS	orcharhino	orcharhino Proxy API	Smart Proxy functionality
9090	TCP	HTTPS	Client	OpenSCAP	Configure Client (if the OpenSCAP plugin is installed)
9090	TCP	HTTPS	Discovered Node	Discovery	Host discovery and provisioning (if the discovery plugin is installed)

Any host that is directly connected to orcharhino Server is a client in this context because it is a client of the integrated orcharhino Proxy. This includes the base operating system on which a orcharhino Proxy is running.

A DHCP orcharhino Proxy performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Note	Some outgoing traffic returns to orcharhino to enable internal communication and security operations.

Table 4. orcharhino Server outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
22, 16514	TCP	SSH SSH/TLS	Compute Resource	orcharhino originated communications, for compute resources in libvirt
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	orcharhino Proxy DNS	Validation of DNS conflicts (optional)
53	TCP and UDP	DNS	DNS Server	Orchestration	Validation of DNS conflicts
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
80	TCP	HTTP	Remote repository	Content Sync	Remote repositories
389, 636	TCP	LDAP, LDAPS	External LDAP Server	LDAP	LDAP authentication, necessary only if external authentication is enabled. The port can be customized when `LDAPAuthSource` is defined
443	TCP	HTTPS	orcharhino	orcharhino Proxy	orcharhino Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Amazon EC2, Azure, Google GCE	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
443	TCP	HTTPS	orcharhino Proxy	Content mirroring	Initiation
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
5000	TCP	HTTPS	OpenStack Compute Resource	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
5900 – 5930	TCP	SSL/TLS	Hypervisor	noVNC console	Launch noVNC console
5985	TCP	HTTP	Client	WinRM	Configure Client running Windows
5986	TCP	HTTPS	Client	WinRM	Configure Client running Windows
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	orcharhino Proxy sends reboot command to the discovered host (optional)
9090	TCP	HTTPS	orcharhino Proxy	orcharhino Proxy API	Management of orcharhino Proxies

1.6. Enabling connections from a client to orcharhino Server

orcharhino Proxies and Content Hosts that are clients of a orcharhino Server’s internal orcharhino Proxy require access through orcharhino’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the system that orcharhino is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Port and firewall requirements in Installing orcharhino Server.

Procedure

Open the ports for clients on orcharhino Server:

# firewall-cmd \
--add-port="8000/tcp" \
--add-port="9090/tcp"

Allow access to services on orcharhino Server:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

Enter the following command:
```
# firewall-cmd --list-all
```

For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 Configuring firewalls and packet filters.

1.7. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing orcharhino.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

Warning

Name resolution is critical to the operation of orcharhino. If orcharhino cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.

1.8. Tuning orcharhino Server with predefined profiles

If your orcharhino deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of orcharhino.

Note that you cannot use tuning profiles on orcharhino Proxies.

You can choose one of the profiles depending on the number of hosts your orcharhino manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the foreman-installer command with the --tuning option, deployment configuration settings are applied to orcharhino in the following order:

The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, orcharhino applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default: Number of hosts: 0 – 5000

RAM: 20G

Number of CPU cores: 4
medium: Number of hosts: 5001 – 10000

RAM: 32G

Number of CPU cores: 8
large: Number of hosts: 10001 – 20000

RAM: 64G

Number of CPU cores: 16
extra-large: Number of hosts: 20001 – 60000

RAM: 128G

Number of CPU cores: 32
extra-extra-large: Number of hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

Optional: If you have configured the custom-hiera.yaml file on orcharhino Server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
```
# cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
```
Optional: If you have configured the custom-hiera.yaml file on orcharhino Server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
Enter the foreman-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:
```
# foreman-installer --tuning medium
```

1.9. Requirements for installation in an IPv4 network

The following requirements apply to installations in an IPv4 network:

An IPv6 loopback must be configured on the base system. The loopback is typically configured by default. Do not disable it.
Do not disable IPv6 in kernel by adding the ipv6.disable=1 kernel parameter.

2. Preparing your environment for orcharhino installation in an IPv6 network

You can install and use orcharhino in an IPv6 network. Before installing orcharhino in an IPv6 network, view the limitations and ensure that you meet the requirements.

To provision hosts in an IPv6 network, after installing orcharhino, you must also configure orcharhino for the UEFI HTTP boot provisioning. For more information, see Configuring orcharhino for UEFI HTTP boot provisioning in an IPv6 network.

2.1. Limitations of orcharhino installation in an IPv6 network

orcharhino installation in an IPv6 network has the following limitations:

You can install orcharhino and orcharhino Proxies in IPv6-only systems, dual-stack installation is not supported.
Although orcharhino provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use orcharhino to provision hosts.

2.2. Requirements for orcharhino installation in an IPv6 network

Before installing orcharhino in an IPv6 network, ensure that you meet the following requirements:

You must deploy an external DHCPv6 server and configure it manually to communicate with the network boot process and to manage IP address assignment because orcharhino cannot integrate with a DHCPv6 server and manage its configuration. For more information about DHCPv6 server configuration, see Options in unmanaged DHCPv6 in Provisioning hosts.
Optional: If you rely on content from IPv4 networks, you must deploy an external IPv4 HTTP proxy server. This is required to access Content Delivery Networks that distribute content only over IPv4 networks, therefore you must use this proxy to pull content into orcharhino on your IPv6 network.
You must configure orcharhino to use this dual stack (supporting both IPv4 and IPv6) HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to orcharhino.

3. Installing orcharhino Server

Use the following procedures to install orcharhino Server and perform the initial configuration.

Note that the orcharhino installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/foreman-installer/katello.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1. Configuring the HTTP proxy to connect to Red Hat CDN

Prerequisites

Your network gateway and the HTTP proxy must allow access to the following hosts:

Host name	Port	Protocol
subscription.rhsm.redhat.com	443	HTTPS
cdn.redhat.com	443	HTTPS

Host name

Port

Protocol

subscription.rhsm.redhat.com

443

HTTPS

cdn.redhat.com

443

HTTPS

For more information, see Registering orcharhino Server to OCC in the ATIX Service Portal.

orcharhino Server uses SSL to communicate with the Red Hat CDN securely. An SSL interception proxy interferes with this communication. These hosts must be allowlisted on your HTTP proxy.

For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

To configure the Subscription Manager with the HTTP proxy, follow the procedure below.

Procedure

On orcharhino Server, complete the following details in the /etc/rhsm/rhsm.conf file:

# an http proxy server to use (enter server FQDN)
proxy_hostname = http-proxy.example.com

# port for http proxy server
proxy_port = 8080

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

3.2. Configuring repositories

Ensure the repositories required to install orcharhino Server are enabled on your Enterprise Linux host.

3.3. Optional: Using fapolicyd on orcharhino Server

By enabling fapolicyd on your orcharhino Server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your orcharhino Server or orcharhino Proxy at any point.

3.3.1. Installing fapolicyd on orcharhino Server

You can install fapolicyd along with orcharhino Server or can be installed on an existing orcharhino Server. If you are installing fapolicyd along with the new orcharhino Server, the installation process will detect the fapolicyd in your Enterprise Linux host and deploy the orcharhino Server rules automatically.

Prerequisites

Ensure your host has access to the BaseOS repositories of Enterprise Linux.

Procedure

For a new installation, install fapolicyd:
```
# dnf install fapolicyd
```
For an existing installation, install fapolicyd using dnf install:
```
# dnf install fapolicyd
```
Start the fapolicyd service:
```
# systemctl enable --now fapolicyd
```

Verification

Verify that the fapolicyd service is running correctly:
```
# systemctl status fapolicyd
```

New orcharhino Server or orcharhino Proxy installations

In case of new orcharhino Server or orcharhino Proxy installation, follow the standard installation procedures after installing and enabling fapolicyd on your Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening.

3.4. Installing orcharhino Server packages

3.5. Configuring orcharhino Server

Procedure

Install orcharhino Server by using the foreman-installer installation script.

This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the orcharhino answer file. You can run the script as often as needed to configure any necessary options.

3.5.1. Configuring orcharhino installation

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/katello.log to determine if the process completed successfully.

Considerations

Use the foreman-installer --scenario katello --help command to display the most commonly used options and any default values.
Use the foreman-installer --scenario katello --full-help command to display advanced options.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
By default, all configuration files configured by the installer are managed. When foreman-installer runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to orcharhino.

Procedure

Enter the following command with any additional options that you want to use:

# foreman-installer --scenario katello \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

The script displays its progress and writes logs to /var/log/foreman-installer/katello.log.

4. Performing additional configuration on orcharhino Server

4.1. Configuring orcharhino Server to consume content from a custom CDN

If you have an internal Content Delivery Network (CDN) or serve content on an accessible web server, you can configure your orcharhino Server to consume Red Hat repositories from this CDN server instead of the Red Hat CDN. A CDN server can be any web server that mirrors repositories in the same directory structure as the Red Hat CDN.

You can configure the source of content for each organization. orcharhino recognizes automatically which Red Hat repositories from the subscription manifest in your organization are available on your CDN server.

Prerequisites

You have a CDN server that provides Red Hat content and is accessible by orcharhino Server.
If your CDN server uses HTTPS, ensure you have uploaded the SSL certificate into orcharhino. For more information, see Importing Custom SSL Certificates in Managing content.
You have uploaded a manifest to your organization.

Procedure

In the orcharhino management UI, navigate to Content > Subscriptions.
Click Manage Manifest.
Select the CDN Configuration tab.
Select the Custom CDN tab.
In the URL field, enter the URL of your CDN server from which you want orcharhino Server to consume Red Hat repositories.
Optional: In the SSL CA Content Credential, select the SSL certificate of the CDN server.
Click Update.
You can now enable Red Hat repositories consumed from your internal CDN server.

CLI procedure

Connect to your orcharhino Server using SSH.

Set CDN configuration to your custom CDN server:

$ hammer organization configure-cdn --name="My_Organization" \
--type=custom_cdn \
--url https://my-cdn.example.com \
--ssl-ca-credential-id "My_CDN_CA_Cert_ID"

Additional resources

Content Delivery Network Structure in Planning for orcharhino

4.2. Configuring orcharhino for UEFI HTTP boot provisioning in an IPv6 network

Use this procedure to configure orcharhino to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

Ensure that your clients can access DHCP and HTTP servers.
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from orcharhino and orcharhino Proxies.
Ensure that the host provisioning interface subnet has an HTTP Boot orcharhino Proxy, and Templates orcharhino Proxy set. For more information, see Adding a Subnet to orcharhino Server in Provisioning hosts.
In the orcharhino management UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. orcharhino cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

You must disable DHCP management in the installer or not use it.
For all IPv6 subnets created in orcharhino, set the DHCP orcharhino Proxy to blank.
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.
On orcharhino or orcharhino Proxy from which you provision, update the grub2-efi package to the latest version:
```
# dnf upgrade grub2-efi
```

4.3. Configuring orcharhino Server with an HTTP proxy

Use the following procedures to configure orcharhino with an HTTP proxy.

4.3.1. Adding a default HTTP proxy to orcharhino

If your network uses an HTTP Proxy, you can configure orcharhino Server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for orcharhino. To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure

In the orcharhino management UI, navigate to Infrastructure > HTTP Proxies.
Click New HTTP Proxy.
In the Name field, enter the name for the HTTP proxy.
In the Url field, enter the URL of the HTTP proxy in the following format: https://http-proxy.example.com:8080.
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
To test connection to the proxy, click Test Connection.
Click Submit.
In the orcharhino management UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to the created HTTP proxy.

CLI procedure

Verify that the http_proxy, https_proxy, and no_proxy variables are not set:
```
# unset http_proxy https_proxy no_proxy
```

Add an HTTP proxy entry to orcharhino:

$ hammer http-proxy create \
--name=My_HTTP_Proxy \
--username=My_HTTP_Proxy_User_Name \
--password=My_HTTP_Proxy_Password \
--url http://http-proxy.example.com:8080

Configure orcharhino to use this HTTP proxy by default:

$ hammer settings set \
--name=content_default_http_proxy \
--value=My_HTTP_Proxy

4.3.2. Configuring SELinux to ensure access to orcharhino on custom ports

Procedure

On orcharhino, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:

# semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:
```
# semanage port -a -t http_cache_port_t -p tcp 8088
```

4.3.3. Using an HTTP proxy for all orcharhino HTTP requests

If your orcharhino Server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all orcharhino communication takes precedence over the proxies that you set for compute resources.

Procedure

In the orcharhino management UI, navigate to Administer > Settings.
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

$ hammer settings set --name=http_proxy --value=Proxy_URL

4.3.4. Excluding hosts from receiving proxied requests

If you use an HTTP Proxy for all orcharhino HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

In the orcharhino management UI, navigate to Administer > Settings.
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

$ hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

4.3.5. Configuring a proxy for PXE file downloads

For Red Hat content served through the Content Delivery Network, orcharhino Proxy downloads PXE files from synchronized repositories. However, when configuring and installing an operating system using Installation Media, orcharhino Proxy connects directly using the wget utility.

Procedure

On your TFTP orcharhino Proxy, verify the ports that are permitted by SELinux for the HTTP cache by entering the following command:
```
# systemctl edit foreman-proxy
```

Configure the HTTP proxy in /etc/systemd/system/foreman-proxy.service.d/overrides.conf:

[Service]
Environment="http_proxy=http://http-proxy.example.com:8080"
Environment="https_proxy=https://http-proxy.example.com:8443"

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP orcharhino Proxy.

4.3.6. Resetting the HTTP proxy

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

In the orcharhino management UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to no global default.

CLI procedure

Set the content_default_http_proxy setting to an empty string:

$ hammer settings set --name=content_default_http_proxy --value=""

4.4. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on orcharhino Server.

Prerequisites

All hosts must have a network interface of BMC type. orcharhino Server uses this NIC to pass the appropriate credentials to the host. For more information, see Configuring a Baseboard Management Controller (BMC) Interface in Managing hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

4.5. Configuring DNS, DHCP, and TFTP

You can manage DNS, DHCP, and TFTP centrally within the orcharhino environment, or you can manage them independently after disabling their maintenance on orcharhino.

4.5.1. Configuring DNS, DHCP, and TFTP on orcharhino Server

To configure the DNS, DHCP, and TFTP services on orcharhino Server, use the foreman-installer command with the options appropriate for your environment.

Any changes to the settings require entering the foreman-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

Prerequisites

Ensure that the following information is available to you:
- DHCP IP address ranges
- DHCP gateway IP address
- DHCP nameserver IP address
- DNS information
- TFTP server name
Use the FQDN instead of the IP address where possible in case of network changes.
Contact your network administrator to ensure that you have the correct settings.

Procedure

Enter the foreman-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

# foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername 192.0.2.3

You can monitor the progress of the foreman-installer command displayed in your prompt. You can view the logs in /var/log/foreman-installer/katello.log.

Additional resources

For more information about the foreman-installer command, enter foreman-installer --help.

4.5.2. Disabling DNS, DHCP, and TFTP for unmanaged networks

If you want to manage TFTP, DHCP, and DNS services manually, you must prevent orcharhino from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors. However, orcharhino does not remove the back-end services on the operating system.

Procedure

On orcharhino Server, enter the following command:

# foreman-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false

In the orcharhino management UI, navigate to Infrastructure > Subnets and select a subnet.
Click the orcharhino Proxies tab and clear the DHCP orcharhino Proxy, TFTP orcharhino Proxy, and Reverse DNS orcharhino Proxy fields.
In the orcharhino management UI, navigate to Infrastructure > Domains and select a domain.
Clear the DNS orcharhino Proxy field.
Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
```
Option 66: IP address of orcharhino or orcharhino Proxy
Option 67: /pxelinux.0
```
For more information about DHCP options, see RFC 2132.

Note

orcharhino does not perform orchestration when a orcharhino Proxy is not set for a given subnet and domain. When enabling or disabling orcharhino Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a orcharhino Proxy to turn orchestration on, ensure the required DHCP and DNS records as well as the TFTP files are in place for the existing orcharhino hosts in order to prevent host deletion failures in the future.

4.5.3. Additional resources

For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning hosts.

4.6. Configuring orcharhino Server for outgoing emails

To send email messages from orcharhino Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on orcharhino Server for relay or use the sendmail command instead.

Procedure

In the orcharhino management UI, navigate to Administer > Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 5. Using an SMTP server as a delivery method
Name	Example value
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password
SMTP port	25
SMTP username	user@example.com

The SMTP username and SMTP password specify the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 6. Using gmail.com as an SMTP server
Name	Example value
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	password
SMTP port	587
SMTP username	user@gmail.com

The following example uses the sendmail command as a delivery method:

Table 7. Using sendmail as a delivery method

Name Example value

Delivery method

Sendmail

Sendmail location

/usr/sbin/sendmail

Sendmail arguments

-i

For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in /etc/foreman/settings.yaml. Both settings currently cannot be set via foreman-installer. For more information see the sendmail 1 man page.

If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on orcharhino Server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the orcharhino management UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the orcharhino management UI displays an error. See the log at /var/log/foreman/production.log for further details.

Table 7. Using sendmail as a delivery method
Name	Example value
Delivery method	Sendmail
Sendmail location	/usr/sbin/sendmail
Sendmail arguments	-i

Additional resources

For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering orcharhino.

4.7. Configuring an alternate CNAME for orcharhino

You can configure an alternate CNAME for orcharhino. This might be useful if you want to deploy the orcharhino web interface on a different domain name than the one that is used by client systems to connect to orcharhino. You must plan the alternate CNAME configuration in advance prior to installing orcharhino Proxies and registering hosts to orcharhino to avoid redeploying new certificates to hosts.

4.7.1. Configuring orcharhino with an alternate CNAME

Use this procedure to configure orcharhino with an alternate CNAME. Note that the procedures for users of a default orcharhino certificate and custom certificate differ.

For default orcharhino certificate users

If you have installed orcharhino with a default orcharhino certificate and want to configure orcharhino with an alternate CNAME, enter the following command on orcharhino to generate a new default orcharhino SSL certificate with an additional CNAME.
```
# foreman-installer --certs-cname alternate_fqdn --certs-update-server
```
If you have not installed orcharhino, you can add the --certs-cname alternate_fqdn option to the foreman-installer command to install orcharhino with an alternate CNAME.

For custom certificate users

If you use orcharhino with a custom certificate, when creating a custom certificate, include the alternate CNAME records to the custom certificate. For more information, see Creating a Custom SSL Certificate for orcharhino Server.

4.7.2. Configuring hosts to use an alternate orcharhino CNAME for content management

If orcharhino is configured with an alternate CNAME, you can configure hosts to use the alternate orcharhino CNAME for content management. To do this, you must point hosts to the alternate orcharhino CNAME prior to registering the hosts to orcharhino. You can do this using the bootstrap script or manually.

Configuring hosts with the bootstrap script

On the host, run the bootstrap script with the --server alternate_fqdn.example.com option to register the host to the alternate orcharhino CNAME:

# ./bootstrap.py --server alternate_fqdn.example.com

Configuring hosts manually

On the host, edit the /etc/rhsm/rhsm.conf file to update hostname and baseurl settings to point to the alternate host name, for example:

[server]
# Server hostname:
hostname = alternate_fqdn.example.com

content omitted

[rhsm]
# Content base URL:
baseurl=https://alternate_fqdn.example.com/pulp/content/

Now you can register the host with the subscription-manager.

4.8. Configuring orcharhino Server with a custom SSL certificate

By default, orcharhino uses a self-signed SSL certificate to enable encrypted communications between orcharhino Server, external orcharhino Proxies, and all hosts. If you cannot use a orcharhino self-signed certificate, you can configure orcharhino Server to use an SSL certificate signed by an external certificate authority (CA).

When you configure orcharhino with custom SSL certificates, you must fulfill the following requirements:

You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
You must not use the same SSL certificate for both orcharhino Server and orcharhino Proxy.
The same CA must sign certificates for orcharhino Server and orcharhino Proxy.
An SSL certificate must not also be a CA certificate.
An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
An SSL certificate must not have a shortname as the CN.
You must not set a passphrase for the private key.

To configure your orcharhino Server with a custom certificate, complete the following procedures:

Creating a custom SSL certificate for orcharhino Server
Deploying a custom SSL certificate to orcharhino Server
Deploying a custom SSL certificate to hosts
If you have external orcharhino Proxies registered to orcharhino Server, configure them with custom SSL certificates. For more information, see Configuring orcharhino Proxy with a Custom SSL Certificate in Installing orcharhino Proxy.

4.8.1. Creating a custom SSL certificate for orcharhino Server

Use this procedure to create a custom SSL certificate for orcharhino Server. If you already have a custom SSL certificate for orcharhino Server, skip this procedure.

Procedure

To store all the source certificate files, create a directory that is accessible only to the root user:
```
# mkdir /root/orcharhino_cert
```
Create a private key with which to sign the certificate signing request (CSR).

Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

If you already have a private key for this orcharhino Server, skip this step.
```
# openssl genrsa -out /root/orcharhino_cert/orcharhino_cert_key.pem 4096
```

Create the /root/orcharhino_cert/openssl.cnf configuration file for the CSR and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = orcharhino.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = orcharhino.example.com

Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

[req_distinguished_name]
CN = orcharhino.example.com
countryName =My_Country_Name (1)
stateOrProvinceName = My_State_Or_Province_Name (2)
localityName = My_Locality_Name (3)
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name (4)

Two letter code
Full name
Full name (example: New York)
Division responsible for the certificate (example: IT department)

Generate CSR:

# openssl req -new \
-key /root/orcharhino_cert/orcharhino_cert_key.pem \ (1)
-config /root/orcharhino_cert/openssl.cnf \ (2)
-out /root/orcharhino_cert/orcharhino_cert_csr.pem (3)

Path to the private key
Path to the configuration file
Path to the CSR to generate

Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy.

When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

4.8.2. Deploying a custom SSL certificate to orcharhino Server

Use this procedure to configure your orcharhino Server to use a custom SSL certificate signed by a Certificate Authority.

Important

Do not store the SSL certificates or .tar bundles in /tmp or /var/tmp directory. The operating system removes files from these directories periodically. As a result, foreman-installer fails to execute while enabling features or upgrading orcharhino Server.

Procedure

Update certificates on your orcharhino Server:

# foreman-installer \
--certs-server-cert "/root/orcharhino_cert/orcharhino_cert.pem" \ (1)
--certs-server-key "/root/orcharhino_cert/orcharhino_cert_key.pem" \ (2)
--certs-server-ca-cert "/root/orcharhino_cert/ca_cert_bundle.pem" \ (3)
--certs-update-server --certs-update-server-ca

Path to orcharhino Server certificate file that is signed by a Certificate Authority.
Path to the private key that was used to sign orcharhino Server certificate.
Path to the Certificate Authority bundle.

Verification

On a computer with network access to orcharhino Server, navigate to the following URL: https://orcharhino.example.com.
In your browser, view the certificate details to verify the deployed certificate.

4.8.3. Deploying a custom SSL certificate to hosts

After you configure orcharhino to use a custom SSL certificate, you must deploy the certificate to hosts registered to orcharhino.

Procedure

Update the SSL certificate on each host:

# dnf install http://orcharhino.example.com/pub/katello-ca-consumer-latest.noarch.rpm

4.9. Resetting custom SSL certificate to default self-signed certificate on orcharhino Server

Procedure

Reset the custom SSL certificate to default self-signed certificate:
```
# foreman-installer --certs-reset
```

Verification

Verify that the following parameters in /etc/foreman-installer/scenarios.d/katello-answers.yaml have no values:

server_cert:
server_key:
server_cert_req:
server_ca_cert:

Additional resources

Resetting custom SSL certificate to default self-signed certificate on orcharhino Proxy in Installing orcharhino Proxy.
Resetting custom SSL certificate to default self-signed certificate on hosts in Managing hosts.

4.10. Using external databases with orcharhino

The orcharhino installation process includes installing a PostgreSQL database on the same host as orcharhino Server. In certain orcharhino deployments, using external databases instead of the default local databases can help with the server load.

4.10.1. Configuring orcharhino Server with external database

Running the foreman-installer command, used to install a orcharhino Server, also installs PostgreSQL databases on the server. However, you can configure your orcharhino Server to use external databases instead. Moving to external databases distributes the workload and can reduce overall orcharhino memory usage.

Consider using external databases if you plan to use your orcharhino deployment for the following scenarios:

Frequent remote execution tasks. This requires a high volume of records in PostgreSQL and generates heavy database workloads.
High disk I/O workloads from frequent repository synchronization or content view publishing. This requires orcharhino to create a record in PostgreSQL for each job.
High volume of hosts.
High volume of synchronized content.

4.10.2. PostgreSQL as an external database considerations

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your orcharhino configuration. orcharhino supports PostgreSQL version 13.

Advantages of external PostgreSQL

Increase in free memory and free CPU on orcharhino
Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on orcharhino
Flexibility to tune the PostgreSQL server’s system without adversely affecting orcharhino operations

Disadvantages of external PostgreSQL

Increase in deployment complexity that can make troubleshooting more difficult
The external PostgreSQL server is an additional system to patch and maintain
If either orcharhino or the PostgreSQL database server suffers a hardware or storage failure, orcharhino is not operational
If there is latency between the orcharhino server and database server, performance can suffer

4.10.3. Installing PostgreSQL

You can install only the same version of PostgreSQL that is installed with the foreman-installer tool during an internal database installation. orcharhino supports PostgreSQL version 13.

Prerequisites

The prepared host must meet orcharhino Storage requirements.
The prepared host has base operating system repositories enabled.

Procedure

To install PostgreSQL, enter the following command:
```
# dnf install postgresql-server postgresql-contrib
```
To initialize PostgreSQL, enter the following command:
```
# postgresql-setup initdb
```
Edit the /var/lib/pgsql/data/postgresql.conf file:
```
# vi /var/lib/pgsql/data/postgresql.conf
```
Note that the default configuration of external PostgreSQL needs to be adjusted to work with orcharhino. The base recommended external database configuration adjustments are as follows:
- checkpoint_completion_target: 0.9
- max_connections: 500
- shared_buffers: 512MB
- work_mem: 4MB
Remove the # and edit to listen to inbound connections:
```
listen_addresses = '*'
```
Add the following line to the end of the file to use SCRAM for authentication:
```
password_encryption=scram-sha-256
```
Edit the /var/lib/pgsql/data/pg_hba.conf file:
```
# vi /var/lib/pgsql/data/pg_hba.conf
```

Add the following line to the file:

  host  all   all   orcharhino_ip/32   scram-sha-256

To start, and enable PostgreSQL service, enter the following commands:
```
# systemctl enable --now postgresql
```
Open the postgresql port on the external PostgreSQL server:
```
# firewall-cmd --add-service=postgresql
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
Switch to the postgres user and start the PostgreSQL client:
```
$ su - postgres -c psql
```

Create three databases and dedicated roles: one for orcharhino, one for Candlepin, and one for Pulp:

CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
CREATE DATABASE pulpcore OWNER pulp;

Connect to the Pulp database:

postgres=# \c pulpcore
You are now connected to database "pulpcore" as user "postgres".

Create the hstore extension:

pulpcore=# CREATE EXTENSION IF NOT EXISTS "hstore";
CREATE EXTENSION

Exit the postgres user:
```
# \q
```

From orcharhino Server, test that you can access the database. If the connection succeeds, the commands return 1.

# PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
# PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"

4.10.4. Configuring orcharhino Server to use external databases

Use the foreman-installer command to configure orcharhino to connect to an external PostgreSQL database.

Prerequisites

You have installed and configured a PostgreSQL database on a Enterprise Linux server.

Procedure

To configure the external databases for orcharhino, enter the following command:

# foreman-installer \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password

To enable the Secure Sockets Layer (SSL) protocol for these external databases, add the following options:

--foreman-db-root-cert <path_to_CA>
--foreman-db-sslmode verify-full
--foreman-proxy-content-pulpcore-postgresql-ssl true
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA>
--katello-candlepin-db-ssl true
--katello-candlepin-db-ssl-ca <path_to_CA>
--katello-candlepin-db-ssl-verify true

5. Configuring orcharhino Server with external services

If you do not want to configure the DNS, DHCP, and TFTP services on orcharhino Server, use this section to configure your orcharhino Server to work with external DNS, DHCP, and TFTP services.

5.1. Configuring orcharhino Server with external DNS

You can configure orcharhino Server with external DNS. orcharhino Server uses the nsupdate utility to update DNS records on the remote server.

To make any changes persistent, you must enter the foreman-installer command with the options appropriate for your environment.

Prerequisites

You must have a configured external DNS server.
This guide assumes you have an existing installation.

Procedure

Copy the /etc/rndc.key file from the external DNS server to orcharhino Server:
```
# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
```

Configure the ownership, permissions, and SELinux context:

# restorecon -v /etc/foreman-proxy/rndc.key
# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
# chmod -v 640 /etc/foreman-proxy/rndc.key

To test the nsupdate utility, add a host remotely:

# echo -e "server DNS_IP_Address\n \
update add aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
# nslookup aaa.example.com DNS_IP_Address
# echo -e "server DNS_IP_Address\n \
update delete aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:

# foreman-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="DNS_IP_Address" \
--foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key

In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
Locate the orcharhino Server and select Refresh from the list in the Actions column.
Associate the DNS service with the appropriate subnets and domain.

5.2. Configuring orcharhino Server with external DHCP

To configure orcharhino Server with external DHCP, you must complete the following procedures:

Configuring an external DHCP server to use with orcharhino Server
Configuring orcharhino Server with an external DHCP server

5.2.1. Configuring an external DHCP server to use with orcharhino Server

To configure an external DHCP server running Enterprise Linux to use with orcharhino Server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with orcharhino Server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Note

If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because orcharhino creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, hosts fetch the boot loader and its configuration from the root directory, which might cause an error.

Procedure

On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
```
# dnf install dhcp-server bind-utils
```
Generate a security token:
```
# tsig-keygen -a hmac-md5 omapi_key
```

Edit the dhcpd configuration file for all subnets and add the key generated by tsig-keygen. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm hmac-md5;
	secret "My_Secret";
};
omapi-key omapi_key;

Note that the option routers value is the IP address of your orcharhino Server or orcharhino Proxy that you want to use with an external DHCP service.

On orcharhino Server, define each subnet. Do not set DHCP orcharhino Proxy for the defined Subnet yet.

To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the orcharhino management UI define the reservation range as 192.168.38.101 to 192.168.38.250.
Configure the firewall for external access to the DHCP server:
```
# firewall-cmd --add-service dhcp
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
On orcharhino Server, determine the UID and GID of the foreman user:
```
# id -u foreman
993
# id -g foreman
990
```
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
```
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
```

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Enable and start the DHCP service:
```
# systemctl enable --now dhcpd
```

Export the DHCP configuration and lease files using NFS:

# dnf install nfs-utils
# systemctl enable --now nfs-server

Create directories for the DHCP configuration and lease files that you want to export using NFS:
```
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
```

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Note that the IP address that you enter is the orcharhino or orcharhino Proxy IP address that you want to use with an external DHCP service.

Reload the NFS server:
```
# exportfs -rva
```
Configure the firewall for DHCP omapi port 7911:
```
# firewall-cmd --add-port=7911/tcp
```

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd \
--add-service mountd \
--add-service nfs \
--add-service rpc-bind \
--zone public

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

5.2.2. Configuring orcharhino Server with an external DHCP server

You can configure orcharhino Server with an external DHCP server.

Prerequisites

Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with orcharhino Server. For more information, see Configuring an external DHCP server to use with orcharhino Server.

Procedure

Install the nfs-utils package:
```
# dnf install nfs-utils
```

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:
```
# chown -R foreman-proxy /mnt/nfs
```
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
```
# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN
```

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:
```
# mount -a
```
To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:
```
# su foreman-proxy -s /bin/bash
$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
$ exit
```

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \
--foreman-proxy-dhcp=true \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911

Associate the DHCP service with the appropriate subnets and domain.

5.3. Using Infoblox as DHCP and DNS providers

You can use orcharhino Server to connect to your Infoblox application to create and manage DHCP and DNS records, and to reserve IP addresses.

The supported Infoblox version is NIOS 8.0 or higher.

5.3.1. Infoblox limitations

All DHCP and DNS records can be managed only in a single Network or DNS view. After you install the Infoblox modules on orcharhino Server and set up the view using the foreman-installer command, you cannot edit the view.

orcharhino Server communicates with a single Infoblox node by using the standard HTTPS web API. If you want to configure clustering and High Availability, make the configurations in Infoblox.

Hosting PXE-related files by using the TFTP functionality of Infoblox is not supported. You must use orcharhino Server as a TFTP server for PXE provisioning. For more information, see Preparing networking in Provisioning hosts.

orcharhino IPAM feature cannot be integrated with Infoblox.

5.3.2. Infoblox prerequisites

You must have Infoblox account credentials to manage DHCP and DNS entries in orcharhino.
Ensure that you have Infoblox administration roles with the names: DHCP Admin and DNS Admin.
The administration roles must have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API.

5.3.3. Installing the Infoblox CA certificate

You must install Infoblox HTTPS CA certificate on the base system of orcharhino Server.

Procedure

Download the certificate from the Infoblox web UI or you use the following OpenSSL commands to download the certificate:
```
# update-ca-trust enable
# openssl s_client -showcerts -connect infoblox.example.com:443 </dev/null | \
openssl x509 -text >/etc/pki/ca-trust/source/anchors/infoblox.crt
# update-ca-trust extract
```
The infoblox.example.com entry must match the host name for the Infoblox application in the X509 certificate.

Verification

Test the CA certificate by using a curl query:

# curl -u admin:password https://infoblox.example.com/wapi/v2.0/network

Example positive response:

[
    {
        "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:infoblox.example.com/24/default",
        "network": "192.168.202.0/24",
        "network_view": "default"
    }
]

5.3.4. Installing the DHCP Infoblox module

Install the DHCP Infoblox module on orcharhino Server. Note that you cannot manage records in separate views.

You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and Installing the DNS Infoblox module.

DHCP Infoblox record type considerations

If you want to use the DHCP and DNS Infoblox modules together, configure the DHCP Infoblox module with the fixedaddress record type only. The host record type causes DNS conflicts and is not supported.

If you configure the DHCP Infoblox module with the host record type, you have to unset both DNS orcharhino Proxy and Reverse DNS orcharhino Proxy options on your Infoblox-managed subnets, because Infoblox does DNS management by itself. Using the host record type leads to creating conflicts and being unable to rename hosts in orcharhino.

Procedure

On orcharhino Server, enter the following command:

# foreman-installer --enable-foreman-proxy-plugin-dhcp-infoblox \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-provider infoblox \
--foreman-proxy-dhcp-server infoblox.example.com \
--foreman-proxy-plugin-dhcp-infoblox-username admin \
--foreman-proxy-plugin-dhcp-infoblox-password infoblox \
--foreman-proxy-plugin-dhcp-infoblox-record-type fixedaddress \
--foreman-proxy-plugin-dhcp-infoblox-dns-view default \
--foreman-proxy-plugin-dhcp-infoblox-network-view default

Optional: In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies, select the orcharhino Proxy with the DHCP Infoblox module, and ensure that the dhcp feature is listed.
In the orcharhino management UI, navigate to Infrastructure > Subnets.
For all subnets managed through Infoblox, ensure that the IP address management (IPAM) method of the subnet is set to DHCP.

5.3.5. Installing the DNS Infoblox module

Install the DNS Infoblox module on orcharhino Server. You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and Installing the DHCP Infoblox module.

Procedure

On orcharhino Server, enter the following command to configure the Infoblox module:

# foreman-installer --enable-foreman-proxy-plugin-dns-infoblox \
--foreman-proxy-dns true \
--foreman-proxy-dns-provider infoblox \
--foreman-proxy-plugin-dns-infoblox-dns-server infoblox.example.com \
--foreman-proxy-plugin-dns-infoblox-username admin \
--foreman-proxy-plugin-dns-infoblox-password infoblox \
--foreman-proxy-plugin-dns-infoblox-dns-view default

Optionally, you can change the value of the --foreman-proxy-plugin-dns-infoblox-dns-view option to specify an Infoblox DNS view other than the default view.

Optional: In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies, select the orcharhino Proxy with the Infoblox DNS module, and ensure that the dns feature is listed.
In the orcharhino management UI, navigate to Infrastructure > Domains.
For all domains managed through Infoblox, ensure that the DNS Proxy is set for those domains.
In the orcharhino management UI, navigate to Infrastructure > Subnets.
For all subnets managed through Infoblox, ensure that the DNS orcharhino Proxy and Reverse DNS orcharhino Proxy are set for those subnets.

5.4. Configuring orcharhino Server with external TFTP

You can configure orcharhino Server with external TFTP services.

Procedure

Create the TFTP directory for NFS:
```
# mkdir -p /mnt/nfs/var/lib/tftpboot
```

In the /etc/fstab file, add the following line:

TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```
Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
```
# foreman-installer \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \
--foreman-proxy-tftp=true
```
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
```
# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
```
In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
Locate the orcharhino Server and select Refresh from the list in the Actions column.
Associate the TFTP service with the appropriate subnets and domain.

5.5. Configuring orcharhino Server with external IdM DNS

When orcharhino Server adds a DNS record for a host, it first determines which orcharhino Proxy is providing DNS for that domain. It then communicates with the orcharhino Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the orcharhino or orcharhino Proxy that is currently configured to provide a DNS service for the domain you want to manage by using the IdM server.

orcharhino Server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service.

To configure orcharhino Server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

Configuring dynamic DNS update with GSS-TSIG authentication
Configuring dynamic DNS update with TSIG authentication

To revert to internal DNS service, use the following procedure:

Reverting to internal DNS service

Note

You are not required to use orcharhino Server to manage DNS. When you are using the realm enrollment feature of orcharhino, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring orcharhino Server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see Configuring orcharhino to manage the lifecycle of a host registered to a FreeIPA realm.

5.5.1. Configuring dynamic DNS update with GSS-TSIG authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the orcharhino Server base operating system.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos principal on the IdM server

Obtain a Kerberos ticket for the account obtained from the IdM administrator:
```
# kinit idm_user
```
Create a new Kerberos principal for orcharhino Server to use to authenticate on the IdM server:
```
# ipa service-add orcharhinoproxy/orcharhino.example.com
```

Installing and configuring the idM client

On the base operating system of either the orcharhino or orcharhino Proxy that is managing the DNS service for your deployment, install the ipa-client package:
```
# dnf install ipa-client
```
Configure the IdM client by running the installation script and following the on-screen prompts:
```
# ipa-client-install
```
Obtain a Kerberos ticket:
```
# kinit admin
```
Remove any preexisting keytab:
```
# rm /etc/foreman-proxy/dns.keytab
```

Obtain the keytab for this system:

# ipa-getkeytab -p orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

Note	When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM

Configuring DNS zones in the IdM web UI

Create and configure the zone that you want to manage:
1. Navigate to Network Services > DNS > DNS Zones.
2. Select Add and enter the zone name. For example, example.com.
3. Click Add and Edit.
4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant orcharhinoproxy\047orcharhino.example.com@EXAMPLE.COM wildcard * ANY;
5. Set Dynamic update to True.
6. Enable Allow PTR sync.
7. Click Save to save the changes.
Create and configure the reverse zone:
1. Navigate to Network Services > DNS > DNS Zones.
2. Click Add.
3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
4. Click Add and Edit.
5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant orcharhinoproxy\047orcharhino.example.com@EXAMPLE.COM wildcard * ANY;
6. Set Dynamic update to True.
7. Click Save to save the changes.

Configuring the orcharhino or orcharhino Proxy that manages the DNS service for the domain

Configure your orcharhino Server or orcharhino Proxy to connect to your DNS service:

# foreman-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-tsig-principal="orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM" \
--foreman-proxy-dns=true

For each affected orcharhino Proxy, update the configuration of that orcharhino Proxy in the orcharhino management UI:
1. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies, locate the orcharhino Server, and from the list in the Actions column, select Refresh.
2. Configure the domain:
  1. In the orcharhino management UI, navigate to Infrastructure > Domains and select the domain name.
  2. In the Domain tab, ensure DNS orcharhino Proxy is set to the orcharhino Proxy where the subnet is connected.
3. Configure the subnet:
  1. In the orcharhino management UI, navigate to Infrastructure > Subnets and select the subnet name.
  2. In the Subnet tab, set IPAM to None.
  3. In the Domains tab, select the domain that you want to manage using the IdM server.
  4. In the orcharhino Proxies tab, ensure Reverse DNS orcharhino Proxy is set to the orcharhino Proxy where the subnet is connected.
  5. Click Submit to save the changes.

5.5.2. Configuring dynamic DNS update with TSIG authentication

You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
You must obtain root user access on the IdM server.
You must confirm whether orcharhino Server or orcharhino Proxy is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the orcharhino or orcharhino Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted.

Procedure

To configure dynamic DNS update with TSIG authentication, complete the following steps:

Enabling external updates to the DNS zone in the IdM server

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _orcharhino_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:
```
# systemctl reload named
```
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
1. Add the following in the BIND update policy box:
  grant "rndc-key" zonesub ANY;
2. Set Dynamic update to True.
3. Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your orcharhino Server. Enter the following command:
```
# scp /etc/rndc.key root@orcharhino.example.com:/etc/rndc.key
```
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:
```
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
```
Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario orcharhino does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

On orcharhino Server, enter the following foreman-installer command to configure orcharhino to use the external DNS server:

# foreman-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-dns-ttl=86400 \
--foreman-proxy-dns=true \
--foreman-proxy-keyfile=/etc/rndc.key

Testing external updates to the DNS zone in the IdM server

Ensure that the key in the /etc/rndc.key file on orcharhino Server is the same key file that is used on the IdM server:
```
key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
```
On orcharhino Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
```
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
```

On orcharhino Server, test the DNS entry:

# nslookup test.example.com 192.168.25.1

Example output:

Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:
```
# nslookup test.example.com 192.168.25.1
```
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.

5.5.3. Reverting to internal DNS service

You can revert to using orcharhino Server and orcharhino Proxy as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file.

Procedure

On the orcharhino or orcharhino Proxy that you want to configure to manage DNS service for the domain, complete the following steps:

Configuring orcharhino or orcharhino Proxy as a DNS server

If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the foreman-installer command:
```
# foreman-installer
```
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure orcharhino or orcharhino Proxy as DNS server without using an answer file, enter the following foreman-installer command on orcharhino or orcharhino Proxy:
```
# foreman-installer \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1" \
--foreman-proxy-dns=true
```
For more information, see Configuring DNS, DHCP, and TFTP on orcharhino Proxy.

After you run the foreman-installer command to make any changes to your orcharhino Proxy configuration, you must update the configuration of each affected orcharhino Proxy in the orcharhino management UI.

Updating the configuration in the orcharhino management UI

In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
For each orcharhino Proxy that you want to update, from the Actions list, select Refresh.
Configure the domain:
1. In the orcharhino management UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
2. In the Domain tab, set DNS orcharhino Proxy to the orcharhino Proxy where the subnet is connected.
Configure the subnet:
1. In the orcharhino management UI, navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to DHCP or Internal DB.
3. In the Domains tab, select the domain that you want to manage using orcharhino or orcharhino Proxy.
4. In the orcharhino Proxies tab, set Reverse DNS orcharhino Proxy to the orcharhino Proxy where the subnet is connected.
5. Click Submit to save the changes.

5.6. Configuring orcharhino to manage the lifecycle of a host registered to a FreeIPA realm

As well as providing access to orcharhino Server, hosts provisioned with orcharhino can also be integrated with FreeIPA realms. orcharhino has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure orcharhino Server or orcharhino Proxy for FreeIPA realm support, then add hosts to the FreeIPA realm group.

Prerequisites

orcharhino Server that is registered to the Content Delivery Network or an external orcharhino Proxy that is registered to orcharhino Server.
A deployed realm or domain provider such as FreeIPA.

To install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy:

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy:

Install the ipa-client package on orcharhino Server or orcharhino Proxy:
```
# dnf install ipa-client
```
Configure the server as a FreeIPA client:
```
# ipa-client-install
```
Create a realm proxy user, realm-orcharhino-proxy, and the relevant roles in FreeIPA:
```
# foreman-prepare-realm admin realm-orcharhino-proxy
```
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.

To configure orcharhino Server or orcharhino Proxy for FreeIPA realm support:

Complete the following procedure on orcharhino and every orcharhino Proxy that you want to use:

Copy the /root/freeipa.keytab file to any orcharhino Proxy that you want to include in the same principal and realm:
```
# scp /root/freeipa.keytab root@orcharhino-proxy.example.com:/etc/foreman-proxy/freeipa.keytab
```
Move the /root/freeipa.keytab file to the /etc/foreman-proxy directory and set the ownership settings to the foreman-proxy user:
```
# mv /root/freeipa.keytab /etc/foreman-proxy
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all orcharhino Proxies that you want to include in the realm. If you use the integrated orcharhino Proxy on orcharhino, enter this command on orcharhino Server:
```
# foreman-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-orcharhino-proxy@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the orcharhino Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
```
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
```
Optional: If you configure FreeIPA on an existing orcharhino Server or orcharhino Proxy, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
2. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
3. Locate the orcharhino Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.

To create a realm for the FreeIPA-enabled orcharhino Proxy

After you configure your integrated or external orcharhino Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured orcharhino Proxy to the realm.

Procedure

In the orcharhino management UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm orcharhino Proxy list, select orcharhino Proxy where you have configured FreeIPA.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

In the orcharhino management UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a FreeIPA host group

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. orcharhino’s realm feature provides administrators with the ability to map the orcharhino host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the orcharhino User Interface. For example, "Parent/Child/Child".

orcharhino Server or orcharhino Proxy sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

To add hosts to a FreeIPA host group:

On the FreeIPA server, create a host group:

# ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to orcharhino Server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

Appendix A: Applying custom configuration to orcharhino

When you install and configure orcharhino for the first time by using foreman-installer, you can specify that the DNS and DHCP configuration files are not to be managed by Puppet by using the installer flags --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false. If these flags are not specified during the initial installer run, rerunning of the installer overwrites all manual changes, for example, rerun for upgrade purposes. If changes are overwritten, you must run the restore procedure to restore the manual changes. For more information, see Restoring Manual Changes Overwritten by a Puppet Run.

To view all installer flags available for custom configuration, run foreman-installer --scenario katello --full-help. Some Puppet classes are not exposed to the orcharhino installer. To manage them manually and prevent the installer from overwriting their values, specify the configuration values by adding entries to configuration file /etc/foreman-installer/custom-hiera.yaml. This configuration file is in YAML format, consisting of one entry per line in the format of <puppet class>::<parameter name>: <value>. Configuration values specified in this file persist across installer reruns.

Common examples include:

For Apache, to set the ServerTokens directive to return only the product name:
```
apache::server_tokens: Prod
```
To turn off the Apache server signature entirely:
```
apache::server_signature: Off
```

The Puppet modules for the orcharhino installer are stored under /usr/share/foreman-installer/modules. Check the .pp files (for example: moduleName/manifests/example.pp) to look up the classes, parameters, and values. Alternatively, use the grep command to do keyword searches.

Setting some values may have unintended consequences that affect the performance or functionality of orcharhino. Consider the impact of the changes before you apply them, and test the changes in a non-production environment first. If you do not have a non-production orcharhino environment, run the orcharhino installer with the --noop and --verbose options. If your changes cause problems, remove the offending lines from custom-hiera.yaml and rerun the orcharhino installer. If you have any specific questions about whether a particular value is safe to alter, contact Red Hat support.

Appendix B: Restoring manual changes overwritten by a Puppet run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.