1. Planning orcharhino Server installation
Review the following guidelines, requirements, and considerations before proceeding with the installation.
1.1. Operating system requirements
The following operating system is supported for deploying orcharhino:
- Enterprise Linux 9 (x86_64)
Installing orcharhino on a system with Extra Packages for Enterprise Linux (EPEL) is not supported.
1.2. System requirements
Follow these system requirements when installing orcharhino Server:
- Install orcharhino Server on a freshly provisioned system that serves no other function except to run orcharhino Server. Do not use an existing system because the orcharhino installer will affect the configuration of several components.
- Ensure you have administrative user (root) access to the system.
- Ensure the system meets the following requirements:
  - 4 CPU cores
  - 20 GB RAM or higher
  - A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
- If you use custom certificates, ensure that the Common Name (CN) of the custom certificate is a fully qualified domain name (FQDN). orcharhino Server and orcharhino Proxy Server do not support shortnames in the hostnames.
- Ensure the system clock on the system is synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail.
- Ensure the system uses the UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.
- If you use an external identity provider in your deployment, ensure the provider did not create the following user accounts on the system. These user accounts can cause conflicts with the local users that orcharhino Server creates:
  - apache
  - foreman
  - foreman-proxy
  - postgres
  - pulp
  - puppet
  - redis
  - tomcat
1.3. Storage requirements
Follow these storage requirements when installing orcharhino Server:
- Ensure that the directories used by orcharhino Server have sufficient disk space available:

Table 1. Storage requirements for an orcharhino Server installation

| Directory | Installation Size | Runtime Size |
| --- | --- | --- |
| /var/log | 10 MB | 10 GB |
| /var/lib/pgsql | 1 GB | 20 GB |
| /usr | 10 GB | Not Applicable |
| /opt/puppetlabs | 500 MB | Not Applicable |
| /var/lib/pulp | 1 MB | 300 GB |
| /var/lib/containers (if using Insights in orcharhino) | 20 GB | 30 GB |

These values are based on expected use case scenarios and can vary according to individual environments.
- If you mount the /tmp directory as a separate file system, use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, change the option to exec and remount the file system. This is a requirement for the puppetserver service to work.
- If you mount the /var/lib/pulp directory as an NFS share, specify the SELinux context of the /var/lib/pulp directory in the file system table. Add the following line to /etc/fstab:
  nfs.example.com:/nfsshare /var/lib/pulp nfs context="system_u:object_r:pulpcore_var_lib_t:s0" 1 2
  If the NFS share is already mounted, remount it using the above configuration and restore the SELinux context:
  # restorecon -R /var/lib/pulp
- Do not use symbolic links for /var/lib/pulp/.
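The following pre-flight script is an added example, not part of the orcharhino documentation: it checks the runtime sizes from Table 1, the noexec state of /tmp, and the pulpcore SELinux context on an NFS-mounted /var/lib/pulp. It takes its input as text, so it runs against a live host or against the constructed samples embedded at the bottom.

```shell
#!/usr/bin/env bash
# Added example (not from the orcharhino documentation): storage pre-flight checks.
# Every function takes its input as text so it can be fed either live system data
# or the constructed samples below.
set -u

# Runtime size from Table 1, in GB, for the directories that grow after installation.
runtime_required_gb() {
  case "$1" in
    /var/log)            echo 10 ;;
    /var/lib/pgsql)      echo 20 ;;
    /var/lib/pulp)       echo 300 ;;
    /var/lib/containers) echo 30 ;;   # only relevant if Insights in orcharhino is used
    *)                   echo 0 ;;
  esac
}

# Input: output of `df -BG --output=target,avail` (one "mountpoint NNNG" per line).
# Prints "dir required_gb available_gb" for each tracked directory whose own mount
# has less space than Table 1 requires. Directories that are not separate mounts
# are skipped here; check the parent mount for those by hand.
storage_shortfalls() {
  local dfout="$1" dir need avail
  for dir in /var/log /var/lib/pgsql /var/lib/pulp /var/lib/containers; do
    need=$(runtime_required_gb "$dir")
    avail=$(printf '%s\n' "$dfout" | awk -v d="$dir" '$1 == d { sub(/G$/, "", $2); print $2 }')
    [ -n "$avail" ] || continue
    [ "$avail" -lt "$need" ] && echo "$dir $need $avail"
  done
  return 0
}

# Input: /proc/mounts content. Exit 0 if /tmp is mounted with noexec, which breaks
# puppetserver; the fix is the exec option in /etc/fstab followed by a remount.
tmp_is_noexec() {
  printf '%s\n' "$1" | awk '
    $2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Input: /etc/fstab content. Exit 0 if /var/lib/pulp is an NFS mount whose options
# carry the pulpcore SELinux context shown above, or if it is not an NFS mount at
# all (then no context option is needed).
pulp_nfs_context_ok() {
  printf '%s\n' "$1" | awk '
    $2 == "/var/lib/pulp" && $3 ~ /^nfs/ {
      nfs = 1
      if (index($4, "context=\"system_u:object_r:pulpcore_var_lib_t:s0\"")) ok = 1
    }
    END { if (!nfs || ok) exit 0; exit 1 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DF='Mounted on Avail
/ 40G
/var/log 15G
/var/lib/pgsql 25G
/var/lib/pulp 120G'
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-pulp /var/lib/pulp xfs rw,relatime 0 0'
SAMPLE_FSTAB='nfs.example.com:/nfsshare /var/lib/pulp nfs defaults 1 2'

# Live usage: storage_shortfalls "$(df -BG --output=target,avail)"
#             tmp_is_noexec "$(cat /proc/mounts)"
#             pulp_nfs_context_ok "$(cat /etc/fstab)"
if [ "${1:-}" = "--demo" ]; then
  storage_shortfalls "$SAMPLE_DF"          # prints: /var/lib/pulp 300 120
  tmp_is_noexec "$SAMPLE_MOUNTS" && echo "/tmp is noexec: change it to exec and remount"
  pulp_nfs_context_ok "$SAMPLE_FSTAB" || echo "/var/lib/pulp NFS entry lacks the pulpcore SELinux context"
fi
```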
1.4. Best practices for optimizing storage
Consider the following storage guidelines for increased storage efficiency:
- The exact amount of storage you require for log messages depends on your installation and setup. You can manage the size of the log files by using logrotate.
- Consider mounting /var on LVM storage. This can help the system to scale because most orcharhino Server data is stored in the /var directory.
- Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/pgsql directories. Using high latency, low-bandwidth storage causes performance degradation because orcharhino has many operations that are I/O intensive.
- Use a file system with low input-output latency. Do not use the GFS2 file system because the input-output latency is too high.
1.5. IPv6 and IPv4 requirements
You can install orcharhino in an IPv4 network or in an IPv6 network.
The following requirements apply to installations in an IPv4 network:
- Ensure an IPv6 loopback is configured on the base system. The loopback is typically configured by default. Do not disable it. Using the ipv6.disable=1 kernel parameter or the net.ipv6.conf.lo.disable_ipv6 = 1 sysctl option will break the installation.
The following requirements apply to installations in an IPv6 network:
- If you rely on content from IPv4-only networks, use an external dual-stack HTTP proxy. Configure orcharhino to use this dual-stack (supporting both IPv4 and IPv6) HTTP proxy as the default HTTP proxy.
- orcharhino does not support configuring an HTTP proxy using a direct IPv6 address. Instead, configure the HTTP proxy with a FQDN that resolves to the IPv6 address.
If you intend to provision hosts in an IPv6 network, the following requirements also apply:
- Deploy an external DHCPv6 server and configure it manually to communicate with the network boot process and to manage IP address assignment because orcharhino cannot integrate with a DHCPv6 server and manage its configuration. For more information about DHCPv6 server configuration, see Options in unmanaged DHCPv6 in Provisioning hosts.
- Configure orcharhino for UEFI HTTP boot provisioning. Although orcharhino provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the UEFI HTTP Boot provisioning is the only tested and certified provisioning workflow. For more information, see Configuring orcharhino for UEFI HTTP boot provisioning in an IPv6 network.
1.6. AWS Requirements
Installing and running orcharhino Server and orcharhino Proxy Servers on Amazon Web Services (AWS) has additional requirements to your environment.
- Use Storage requirements in Installing orcharhino Server to understand and assign the correct storage to your AWS EBS volumes. See also an AWS storage optimized instance for further guidance.
- Create EBS volumes for directories expected to contain larger amounts of data like /var/lib/pulp and ensure they are correctly mounted on start-up and before continuing the installation.
- Optional: Store other data on a separate EBS volume.
- If you want orcharhino Server and orcharhino Proxy Server to communicate using external DNS hostnames, open the required ports for communication in the AWS Security Group that is associated with the instance.
- Create and access Enterprise Linux images in AWS
- Edit network access in AWS Security
- Create EC2 instances and EBS volumes
- Launch EC2 instances
- Import and export of virtual machines in AWS
- Usage of AWS Direct Connect
Ensure that your Amazon EC2 instance meets or exceeds requirements for orcharhino:
- For orcharhino Server, see Preparing environment for orcharhino Server installation in Installing orcharhino Server.
- For orcharhino Proxy Servers, see Preparing your environment for installation in Installing orcharhino Proxy Server.
- For more information about Amazon Web Services and terminology, see Amazon Elastic Compute Cloud Documentation.
- For more information about Amazon Web Services Direct Connect, see What is AWS Direct Connect?.
2. Preparing environment for orcharhino Server installation
Ensure that your network environment is ready for the orcharhino Server installation.
2.1. Opening required ports
By opening the required ports, you ensure that the components of orcharhino architecture can communicate. You must also ensure that the required network ports are open on any network-based firewalls.
Note: Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
- If you need to prevent the DHCP orcharhino Proxy from pinging hosts to check for available IP addresses, disable DHCP IP address pinging:
  # orcharhino-installer --foreman-proxy-dhcp-ping-free-ip false
  By default, a DHCP orcharhino Proxy performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
- Open the ports for clients on orcharhino Server:
  # firewall-cmd \
      --add-port="8000/tcp" \
      --add-port="9090/tcp"
- Allow access to services on orcharhino Server:
  # firewall-cmd \
      --add-service=dns \
      --add-service=dhcp \
      --add-service=tftp \
      --add-service=http \
      --add-service=https \
      --add-service=puppetmaster
- Make the changes persistent:
  # firewall-cmd --runtime-to-permanent
- View all firewall zones and allowed services:
  # firewall-cmd --list-all
2.2. Verifying DNS resolution
Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing orcharhino.
- Ensure that the host name and local host resolve correctly:
  # ping -c1 localhost
  # ping -c1 `hostname -f` # my_system.domain.com
  Successful name resolution results in output similar to the following:
  # ping -c1 localhost
  PING localhost (127.0.0.1) 56(84) bytes of data.
  64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms
  --- localhost ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms
  # ping -c1 `hostname -f`
  PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
  64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms
  --- localhost.gateway ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
- To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
  # hostnamectl set-hostname name
Warning: Name resolution is critical to the operation of orcharhino. If orcharhino cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.
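The ping test above only shows that the name resolves forward. The script below is an added example, not part of the orcharhino documentation: it validates the host name against the rules from the planning section (lower-case letters, digits, dots and hyphens; an FQDN, not a shortname) and then checks that the reverse lookup of every address returns the same name. The dns_roundtrip function needs a resolver and so is only meaningful on the target host.

```shell
#!/usr/bin/env bash
# Added example (not from the orcharhino documentation): host name and DNS
# round-trip checks for an orcharhino Server candidate.
set -u

# Exit 0 if NAME satisfies the planning-section rules; otherwise print the first
# violated rule and exit 1.
validate_hostname() {
  local name="$1"
  if ! printf '%s' "$name" | LC_ALL=C grep -Eq '^[a-z0-9.-]+$'; then
    echo "invalid character: only lower-case letters, digits, dots and hyphens are allowed"
    return 1
  fi
  case "$name" in
    *.*) ;;
    *) echo "shortname: a fully qualified domain name is required"; return 1 ;;
  esac
  case "$name" in
    .*|*.|*..*) echo "empty label in name"; return 1 ;;
    -*|*.-*|*-.*|*-) echo "a label starts or ends with a hyphen"; return 1 ;;
  esac
  [ "${#name}" -le 253 ] || { echo "name is longer than 253 characters"; return 1; }
  return 0
}

# Forward-resolve FQDN, then reverse-resolve each address and require that the
# same name comes back. getent consults /etc/hosts and DNS in the configured
# order, as the installer's own resolver calls do. Prints one line per address.
dns_roundtrip() {
  local fqdn="$1" ips ip rev status=0
  ips=$(getent ahosts "$fqdn" | awk '{ print $1 }' | sort -u)
  [ -n "$ips" ] || { echo "forward lookup of $fqdn failed"; return 1; }
  for ip in $ips; do
    rev=$(getent hosts "$ip" | awk '{ print $2 }')
    if [ "$rev" = "$fqdn" ]; then
      echo "$ip ok"
    else
      echo "$ip MISMATCH: reverse lookup returned '${rev:-nothing}'"
      status=1
    fi
  done
  return $status
}

# Live usage on the candidate host: ./preflight-dns.sh --check
if [ "${1:-}" = "--check" ]; then
  name=$(hostname -f)
  validate_hostname "$name" && dns_roundtrip "$name"
fi
```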
2.3. Preparing orcharhino for using external databases
By default, the orcharhino installation process includes installing a PostgreSQL database on the same host as orcharhino Server. However, in certain orcharhino deployments, using external databases instead of the default local databases can help with the server load or have other benefits.
- You have considered whether using an external database is beneficial for your use case. For more information, see PostgreSQL as an external database considerations in Administering orcharhino.
- Install PostgreSQL on an external database host you prepared. For more information, see Installing PostgreSQL in Administering orcharhino.
- To set up an external database when installing orcharhino, see Configuring orcharhino installation.
- Migrating an existing orcharhino deployment to an external database in Administering orcharhino.
3. Installing orcharhino Server
Use the following procedures to install orcharhino Server and perform the initial configuration.
Note that the orcharhino installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes.
To avoid this and determine which future changes apply, use the --noop argument when you run the installation script.
This argument ensures that no actual changes are made.
Potential changes are written to /var/log/foreman-installer/katello.log.
Files are always backed up and so you can revert any unwanted changes.
For example, in the logs of foreman-installer, you can see an entry similar to the following about Filebucket:
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
You can restore the previous file as follows:
# puppet filebucket -l \
    restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1
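To find the sum needed for such a restore without reading the log by hand, the following added example (not part of the orcharhino documentation) parses the Filebucketed entries out of the installer log and prints the restore command for a given path. The log excerpt it ships with is constructed; only the first sum is the one shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the orcharhino documentation): list files the installer
# backed up to the Puppet filebucket and print the command that restores one.
set -u

LOG=/var/log/foreman-installer/katello.log

# Print "path sum" for every "Filebucketed <path> to puppet with sum <md5>" entry.
filebucketed_files() {
  printf '%s\n' "$1" |
    sed -n 's/.*Filebucketed \([^ ]*\) to puppet with sum \([0-9a-f]\{32\}\).*/\1 \2/p'
}

# Print the restore command for PATH using the newest sum recorded for it; the log
# can hold several installer runs, each of which backs the file up again. Returns 1
# if the path was never filebucketed.
restore_command() {
  local log="$1" path="$2" sum
  sum=$(filebucketed_files "$log" | awk -v p="$path" '$1 == p { s = $2 } END { print s }')
  [ -n "$sum" ] || return 1
  printf 'puppet filebucket -l restore %s %s\n' "$path" "$sum"
}

# Constructed log excerpt (not captured from a real run).
SAMPLE_LOG='/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
/Stage[main]/Foreman/File[/etc/foreman/settings.yaml]: Filebucketed /etc/foreman/settings.yaml to puppet with sum 0123456789abcdef0123456789abcdef
/Stage[main]/Dhcp/Service[dhcpd]: Triggered refresh from 1 event
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 3c6e0b8a9c15224a8228b9a98ca1531d'

# Live usage: restore_command "$(cat "$LOG")" /etc/dhcp/dhcpd.conf
if [ "${1:-}" = "--demo" ]; then
  filebucketed_files "$SAMPLE_LOG"
  restore_command "$SAMPLE_LOG" /etc/dhcp/dhcpd.conf   # uses the newest (third) sum
fi
```

The printed command only shows what would be restored; run it yourself once you have confirmed that the sum belongs to the version you want back.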
3.1. Configuring the HTTP proxy to connect to Red Hat CDN
- Your network gateway and the HTTP proxy must allow access to the following hosts:

| Host name | Port | Protocol |
| --- | --- | --- |
| subscription.rhsm.redhat.com | 443 | HTTPS |
| cdn.redhat.com | 443 | HTTPS |

For more information, see Registering orcharhino Server to OCC in the ATIX Service Portal.
orcharhino Server uses SSL to communicate with the Red Hat CDN securely. An SSL interception proxy interferes with this communication. These hosts must be allowlisted on your HTTP proxy.
For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.
To configure the Subscription Manager with the HTTP proxy, follow the procedure below.
- On orcharhino Server, complete the following details in the /etc/rhsm/rhsm.conf file:
  # an http proxy server to use (enter server FQDN)
  proxy_hostname = http-proxy.example.com
  # port for http proxy server
  proxy_port = 8080
  # user name for authenticating to an http proxy, if needed
  proxy_user =
  # password for basic http proxy auth, if needed
  proxy_password =
3.2. Configuring repositories
Configure the required repositories.
Ensure the repositories required to install orcharhino Server are enabled on your Enterprise Linux host.
3.3. Installing orcharhino Server packages
- Upgrade all packages:
  # dnf upgrade
- Install the packages:
  # dnf install foreman-installer
3.4. Configuring orcharhino Server
Install orcharhino Server by using the orcharhino-installer installation script.
This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the orcharhino answer file. You can run the script as often as needed to configure any necessary options.
3.4.1. Configuring orcharhino installation
This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.
The installation process can take tens of minutes to complete.
If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system.
If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/katello.log to determine if the process completed successfully.
- Use the orcharhino-installer --scenario katello --help command to display the most commonly used options and any default values.
- Use the orcharhino-installer --scenario katello --full-help command to display advanced options.
- Specify a meaningful value for the --foreman-initial-organization option. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
- By default, all configuration files configured by the installer are managed. When orcharhino-installer runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to orcharhino.
- If you want to use an external PostgreSQL database for your orcharhino Server, you must have a corresponding PostgreSQL access available, for example on a dedicated host. For more information, see Preparing orcharhino for using external databases.
- Depending on what type of database you want to use on your orcharhino deployment, do one of the following:
  - To install orcharhino Server with the default local database, enter the following command with any additional options that you want to use:
    # orcharhino-installer --scenario katello \
        --foreman-initial-organization "My_Organization" \
        --foreman-initial-location "My_Location" \
        --foreman-initial-admin-username admin_user_name \
        --foreman-initial-admin-password admin_password
  - To install orcharhino Server with an external PostgreSQL server, enter the following command:
    # orcharhino-installer --scenario katello \
        --foreman-initial-organization "My_Organization" \
        --foreman-initial-location "My_Location" \
        --foreman-initial-admin-username admin_user_name \
        --foreman-initial-admin-password admin_password \
        --katello-candlepin-manage-db false \
        --katello-candlepin-db-host postgres.example.com \
        --katello-candlepin-db-name candlepin \
        --katello-candlepin-db-user candlepin \
        --katello-candlepin-db-password Candlepin_Password \
        --foreman-proxy-content-pulpcore-manage-postgresql false \
        --foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
        --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
        --foreman-proxy-content-pulpcore-postgresql-user pulp \
        --foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
        --foreman-db-manage false \
        --foreman-db-host postgres.example.com \
        --foreman-db-database foreman \
        --foreman-db-username foreman \
        --foreman-db-password Foreman_Password
    To also enable encrypted connections for these external databases, use the following command instead:
    # orcharhino-installer --scenario katello \
        --foreman-initial-organization "My_Organization" \
        --foreman-initial-location "My_Location" \
        --foreman-initial-admin-username admin_user_name \
        --foreman-initial-admin-password admin_password \
        --katello-candlepin-manage-db false \
        --katello-candlepin-db-host postgres.example.com \
        --katello-candlepin-db-name candlepin \
        --katello-candlepin-db-user candlepin \
        --katello-candlepin-db-password Candlepin_Password \
        --katello-candlepin-db-ssl true \
        --katello-candlepin-db-ssl-ca My_CA_Certificate \
        --katello-candlepin-db-ssl-verify true \
        --foreman-proxy-content-pulpcore-manage-postgresql false \
        --foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
        --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
        --foreman-proxy-content-pulpcore-postgresql-user pulp \
        --foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
        --foreman-proxy-content-pulpcore-postgresql-ssl true \
        --foreman-proxy-content-pulpcore-postgresql-ssl-root-ca My_CA_Certificate \
        --foreman-db-manage false \
        --foreman-db-host postgres.example.com \
        --foreman-db-database foreman \
        --foreman-db-username foreman \
        --foreman-db-password Foreman_Password \
        --foreman-db-root-cert My_CA_Certificate \
        --foreman-db-sslmode verify-full
- The script displays its progress and writes logs to /var/log/foreman-installer/katello.log.
3.5. Importing a Red Hat subscription manifest into orcharhino Server
Import a Red Hat subscription manifest into orcharhino Server so that you can enable and synchronize Red Hat repositories.
Note: Simple Content Access (SCA) is set on the organization, not the manifest. Importing a manifest does not change your organization’s Simple Content Access status.
Simple Content Access simplifies the subscription experience for administrators. For more information, see the Subscription Management Administration Guide for Red Hat Enterprise Linux on the Red Hat Customer Portal.
- Ensure you have a Red Hat subscription manifest exported from the Red Hat Hybrid Cloud Console.
3.5.1. Importing Red Hat subscription manifest by using orcharhino management UI
You can import a Red Hat subscription manifest into orcharhino Server by using orcharhino management UI.
- You must have a Red Hat subscription manifest file. For more information, see Importing a Red Hat subscription manifest into orcharhino Server.
- In the orcharhino management UI, ensure the context is set to the organization you want to use.
- In the orcharhino management UI, navigate to Content > Subscriptions.
- Click Manage Manifest.
- In the Manage Manifest window, click Choose File.
- Navigate to the location that contains the Red Hat subscription manifest file, then click Open.
- You can now enable and synchronize Red Hat repositories. For more information, see Importing content in Managing content.
3.5.2. Importing Red Hat subscription manifest by using Hammer CLI
You can import a Red Hat subscription manifest into orcharhino Server by using Hammer CLI.
- You must have a Red Hat subscription manifest file. For more information, see Importing a Red Hat subscription manifest into orcharhino Server.
- Copy the Red Hat subscription manifest file from your local machine to orcharhino Server:
  $ scp ~/manifest_file.zip root@orcharhino.example.com:~/.
- Log in to orcharhino Server over SSH as the root user.
- Import the Red Hat subscription manifest file:
  $ hammer subscription upload \
      --file ~/manifest_file.zip \
      --organization "My_Organization"
- You can now enable and synchronize Red Hat repositories. For more information, see Importing content in Managing content.
4. Tuning orcharhino Server with predefined profiles
If your orcharhino deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of orcharhino.
Note that you cannot use tuning profiles on orcharhino Proxies.
You can choose one of the profiles depending on the number of hosts your orcharhino manages and available hardware resources.
The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.
When you run the orcharhino-installer command with the --tuning option, deployment configuration settings are applied to orcharhino in the following order:
- The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
- The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
- Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, orcharhino applies these configuration settings.
Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.
Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.
- default
  - Number of hosts: 0 – 5000
  - RAM: 20G
  - Number of CPU cores: 4
- medium
  - Number of hosts: 5001 – 10000
  - RAM: 32G
  - Number of CPU cores: 8
- large
  - Number of hosts: 10001 – 20000
  - RAM: 64G
  - Number of CPU cores: 16
- extra-large
  - Number of hosts: 20001 – 60000
  - RAM: 128G
  - Number of CPU cores: 32
- extra-extra-large
  - Number of hosts: 60000+
  - RAM: 256G
  - Number of CPU cores: 48+
- Optional: If you have configured the custom-hiera.yaml file on orcharhino Server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
  # cp /etc/foreman-installer/custom-hiera.yaml \
      /etc/foreman-installer/custom-hiera.original
- Optional: If you have configured the custom-hiera.yaml file on orcharhino Server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
- Enter the orcharhino-installer command with the --tuning option for the profile that you want to apply. For example, you can apply the medium tuning profile settings:
  # orcharhino-installer --tuning medium
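The comparison step above is easy to get wrong by eye once custom-hiera.yaml has grown. The following added example, not part of the orcharhino documentation, lists the top-level keys that both the effective tuning profile (common.yaml plus the chosen size) and custom-hiera.yaml define, which are exactly the settings where the custom file silently wins. It assumes the profile files are flat YAML with one top-level key per setting and that the size profile for the medium profile lives at sizes/medium.yaml; the sample contents it ships with are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the orcharhino documentation): report tuning-profile
# settings that /etc/foreman-installer/custom-hiera.yaml overrides.
set -u

TUNING_DIR=/usr/share/foreman-installer/config/foreman.hiera/tuning
CUSTOM=/etc/foreman-installer/custom-hiera.yaml

# Print the top-level keys of a YAML document given as text, one per line.
# Comments, blank lines, document markers and indented (nested) entries are skipped.
top_level_keys() {
  printf '%s\n' "$1" | sed -n 's/^\([A-Za-z0-9_:]*[A-Za-z0-9_]\):.*/\1/p'
}

# Arguments: contents of common.yaml, of the chosen size profile, and of
# custom-hiera.yaml. Prints each custom key that the profile also defines,
# in the order the custom file lists them.
overlapping_keys() {
  {
    top_level_keys "$1"
    top_level_keys "$2"
    printf '%s\n' '--custom--'
    top_level_keys "$3"
  } | awk '
    $0 == "--custom--" { incustom = 1; next }
    !incustom           { profile[$0] = 1; next }
    profile[$0] && !seen[$0]++ { print }'
}

# Constructed samples in the shape of the tuning files (not the real contents).
SAMPLE_COMMON='---
# constructed stand-in for common.yaml
example::web::workers: 4
example::db::max_connections: 100
example::tasks::concurrency: 2'
SAMPLE_MEDIUM='---
example::web::workers: 8
example::db::max_connections: 300'
SAMPLE_CUSTOM='---
# constructed stand-in for custom-hiera.yaml
example::db::max_connections: 500
example::cache::ttl: 60
example::tasks::concurrency: 3'

# Live usage, assuming the medium profile is sizes/medium.yaml:
#   overlapping_keys "$(cat "$TUNING_DIR/common.yaml")" \
#                    "$(cat "$TUNING_DIR/sizes/medium.yaml")" "$(cat "$CUSTOM")"
if [ "${1:-}" = "--demo" ]; then
  overlapping_keys "$SAMPLE_COMMON" "$SAMPLE_MEDIUM" "$SAMPLE_CUSTOM"
  # prints: example::db::max_connections
  #         example::tasks::concurrency
fi
```

Each key printed should either be removed from custom-hiera.yaml (so the profile applies) or kept deliberately as a documented override.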
5. Performing additional configuration on orcharhino Server
5.1. Installing and configuring Insights in orcharhino
Insights in orcharhino analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Insights in orcharhino locally, you can generate Insights recommendations without sending system data to Red Hat services.
5.1.1. Configuring Podman to use an HTTP proxy
If your orcharhino Server connects to the internet through an HTTP proxy, configure Podman for connections through the same HTTP proxy.
- Podman is installed. For more information, see Installing Podman on Linux.
- Edit the /etc/containers/containers.conf file to include the following directive:
  [engine]
  env = ["http_proxy=http://http-proxy.example.com:port", "https_proxy=https://http-proxy.example.com:port"]
5.1.2. Installing Insights in orcharhino on a connected orcharhino Server
You can pull the Insights in orcharhino from the Quay container registry.
- Ensure that the orcharhino Server has access to the Quay container registry.
- Ensure that Podman is installed. For more information, see Installing Podman on Linux.
- Enable the plugin:
  # orcharhino-installer --enable-iop
- If you want to use the Insights Vulnerability and your orcharhino Server connects to https://security.access.redhat.com through an HTTP proxy, configure the iop-cvemap-download service to use the same HTTP proxy:
  - Edit the iop-cvemap-download service:
    # systemctl edit iop-cvemap-download.service
  - Input the following content:
    [Service]
    Environment = HTTPS_PROXY=http://http-proxy.example.com:port
    Environment = NO_PROXY=localhost
Important: The Insights Vulnerability is a Technology Preview feature only. Technology Preview features are not supported by ATIX AG. ATIX AG does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of ATIX AG Technology Preview features, see Technical Previews in the ATIX Service Portal.
5.2. Configuring orcharhino Server to consume content from a custom CDN
If you have an internal Content Delivery Network (CDN) or serve content on an accessible web server, you can configure your orcharhino Server to consume Red Hat repositories from this CDN server instead of the Red Hat CDN. A CDN server can be any web server that mirrors repositories in the same directory structure as the Red Hat CDN.
You can configure the source of content for each organization. orcharhino recognizes automatically which Red Hat repositories from the subscription manifest in your organization are available on your CDN server.
- You have a CDN server that provides Red Hat content and is accessible by orcharhino Server.
- If your CDN server uses HTTPS, ensure you have uploaded the SSL certificate into orcharhino. For more information, see Importing Custom SSL Certificates in Managing content.
- You have uploaded a manifest to your organization.
- In the orcharhino management UI, navigate to Content > Subscriptions.
- Click Manage Manifest.
- Select the CDN Configuration tab.
- Select the Custom CDN tab.
- In the URL field, enter the URL of your CDN server from which you want orcharhino Server to consume Red Hat repositories.
- Optional: In the SSL CA Content Credential, select the SSL certificate of the CDN server.
- Click Update.
- You can now enable Red Hat repositories consumed from your internal CDN server.
- Connect to your orcharhino Server using SSH.
- Set CDN configuration to your custom CDN server:
  $ hammer organization configure-cdn --name="My_Organization" \
      --type=custom_cdn \
      --url https://my-cdn.example.com \
      --ssl-ca-credential-id "My_CDN_CA_Cert_ID"
- Content Delivery Network Structure in Planning for orcharhino
5.3. Configuring orcharhino for UEFI HTTP boot provisioning in an IPv6 network
Use this procedure to configure orcharhino to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.
- Ensure that your clients can access DHCP and HTTP servers.
- Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
- Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from orcharhino and orcharhino Proxies.
- Ensure that the host provisioning interface subnet has an HTTP Boot orcharhino Proxy and a Templates orcharhino Proxy set. For more information, see Adding a Subnet to orcharhino Server in Provisioning hosts.
- In the orcharhino management UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Because the DHCPv6 service is unmanaged, orcharhino cannot identify clients that are booting from the network by their remote IPv6 address; therefore provisioning tokens must be enabled.
- You must disable DHCP management in the installer or not use it.
- For all IPv6 subnets created in orcharhino, set the DHCP orcharhino Proxy to blank.
- Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.
5.4. Configuring orcharhino Server with an HTTP proxy
Use the following procedures to configure orcharhino with an HTTP proxy.
5.4.1. Adding a default HTTP proxy to orcharhino
If your network uses an HTTP Proxy, you can configure orcharhino Server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.
The following procedure configures a proxy only for downloading content for orcharhino. To use the CLI instead of the orcharhino management UI, see the CLI procedure.
- In the orcharhino management UI, navigate to Infrastructure > HTTP Proxies.
- Click New HTTP Proxy.
- In the Name field, enter the name for the HTTP proxy.
- In the Url field, enter the URL of the HTTP proxy in the following format: https://http-proxy.example.com:8080.
- Optional: If authentication is required, in the Username field, enter the username to authenticate with.
- Optional: If authentication is required, in the Password field, enter the password to authenticate with.
- To test connection to the proxy, click Test Connection.
- Select the Default content HTTP proxy option to set the new HTTP proxy as default for content synchronization.
- Click Submit.
- Verify that the http_proxy, https_proxy, and no_proxy variables are not set:
  # unset http_proxy https_proxy no_proxy
- Add an HTTP proxy entry to orcharhino and set the HTTP proxy as default for content synchronization:
  $ hammer http-proxy create \
      --name=My_HTTP_Proxy \
      --username=My_HTTP_Proxy_User_Name \
      --password=My_HTTP_Proxy_Password \
      --url http://http-proxy.example.com:8080 \
      --content-default-http-proxy true
5.4.2. Configuring SELinux to ensure access to orcharhino on custom ports
-
On orcharhino, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:
# semanage port -l | grep http_cache http_cache_port_t tcp 8080, 8118, 8123, 10001-10010 [output truncated]
-
To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:
# semanage port -a -t http_cache_port_t -p tcp 8088
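The following shell functions are an added example and are not part of the orcharhino documentation. They check whether a port is already covered by the http_cache_port_t label before calling semanage port -a, which refuses to add a port that is already defined, and they handle the low-high ranges (10001-10010) that semanage prints. The semanage listing embedded below is a constructed sample that mirrors the output shown above; ensure_http_cache_port reads the live listing on a real host.

```shell
#!/bin/sh
# Added example, not from the orcharhino documentation.
# Constructed sample of "semanage port -l" output (only the lines of interest).
SAMPLE_SEMANAGE_OUTPUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# http_cache_port_allowed LISTING PORT
# Return 0 if PORT is covered by the tcp entry of http_cache_port_t in
# LISTING (the text of "semanage port -l"), 1 otherwise.
http_cache_port_allowed() {
    listing=$1; port=$2
    # keep only the tcp line for the type, drop the two leading columns,
    # and turn "8080, 8118, 10001-10010" into whitespace separated entries
    entries=$(printf '%s\n' "$listing" |
        awk '$1 == "http_cache_port_t" && $2 == "tcp" { $1 = ""; $2 = ""; print }' |
        tr ',' ' ')
    for entry in $entries; do
        case "$entry" in
            *-*) low=${entry%-*}; high=${entry#*-} ;;   # range low-high
            *)   low=$entry;       high=$entry ;;       # single port
        esac
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# ensure_http_cache_port PORT
# Label PORT with http_cache_port_t only when it is not already permitted,
# so the step is safe to rerun from a provisioning script.
ensure_http_cache_port() {
    if http_cache_port_allowed "$(semanage port -l)" "$1"; then
        echo "tcp/$1 is already labelled http_cache_port_t"
    else
        semanage port -a -t http_cache_port_t -p tcp "$1"
    fi
}
```

If the port is already bound to a different SELinux type, semanage port -a fails as well; in that case the port must be re-labelled with semanage port -m rather than added.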
5.4.3. Using an HTTP proxy for all orcharhino HTTP requests
If your orcharhino Server must remain behind a firewall that blocks direct outbound HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.
Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all orcharhino communication takes precedence over the proxies that you set for compute resources.
-
In the orcharhino management UI, navigate to Administer > Settings.
-
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
-
Click the tick icon to save your changes.
-
Enter the following command:
$ hammer settings set --name=http_proxy --value=Proxy_URL
5.4.4. Excluding hosts from receiving proxied requests
If you use an HTTP Proxy for all orcharhino HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.
-
In the orcharhino management UI, navigate to Administer > Settings.
-
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
-
Click the tick icon to save your changes.
-
Enter the following command:
$ hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]
5.4.5. Configuring HTTP proxy for PXE file downloads on orcharhino Proxies
For Red Hat content served through the Content Delivery Network, orcharhino Proxy downloads PXE files from synchronized repositories.
However, when configuring and installing an operating system using Installation Media, orcharhino Proxy connects directly using the wget utility.
-
On your TFTP orcharhino Proxy, edit the foreman-proxy service:
# systemctl edit foreman-proxy
-
Provide details of your HTTP proxy:
[Service]
Environment="http_proxy=http://http-proxy.example.com:8080"
Environment="https_proxy=https://http-proxy.example.com:8443"
-
Restart the foreman-proxy service:
# systemctl restart foreman-proxy
-
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP orcharhino Proxy.
5.4.6. Resetting the HTTP proxy
If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.
-
In the orcharhino management UI, navigate to Administer > Settings, and click the Content tab.
-
Set the Default HTTP Proxy setting to no global default.
-
Set the content_default_http_proxy setting to an empty string:
$ hammer settings set --name=content_default_http_proxy --value=""
5.5. Enabling power management on hosts
To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on orcharhino Server.
orcharhino supports the following BMC providers:
-
freeipmi
-
ipmitool
-
redfish
-
Your host has a network interface of the BMC type. orcharhino Server uses this NIC to pass credentials to the host.
-
Enable the BMC module and select the default provider:
# orcharhino-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"
-
In the orcharhino management UI, navigate to Infrastructure > Subnets.
-
Select the subnet of your host.
-
On the Proxies tab, select your orcharhino Server as BMC Proxy.
-
Click Submit.
-
Configure a BMC interface on your host. For more information, see Configuring a baseboard management controller (BMC) interface in Managing hosts.
5.6. Configuring orcharhino Server for outgoing emails
To send email messages from orcharhino Server, you can use an SMTP server or the sendmail command.
Important
The Use the SMTP service on orcharhino Server instead. For the most recent list of major functionality that has been deprecated or removed within orcharhino, refer to the Deprecated features section of the orcharhino release notes.
-
Some SMTP servers with anti-spam protection or greylisting features are known to cause problems. To set up outgoing email with such a service, install and configure an SMTP service on orcharhino Server for relay or use the sendmail command.
-
In the orcharhino management UI, navigate to Administer > Settings.
-
Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.
-
The following example shows the configuration options for using an SMTP server:
Table 2. Using an SMTP server as a delivery method
Name                     Example value        Additional information
Delivery method          SMTP
SMTP address             smtp.example.com
SMTP authentication      login
SMTP HELO/EHLO domain    example.com
SMTP password            password             Use the login credentials for the SMTP server.
SMTP port                25
SMTP username            user@example.com     Use the login credentials for the SMTP server.
Note that on port 25 without StartTLS, the login credentials and the messages cross the network in clear text. Whenever the server supports it, prefer a submission port with SMTP enable StartTLS auto set to Yes, as in the gmail.com example.
-
The following example uses gmail.com as an SMTP server:
Table 3. Using gmail.com as an SMTP server
Name                        Example value     Additional information
Delivery method             SMTP
SMTP address                smtp.gmail.com
SMTP authentication         plain
SMTP HELO/EHLO domain       smtp.gmail.com
SMTP enable StartTLS auto   Yes
SMTP password               app password      Use the Google app password. For more information, see Sign in with app passwords in Google Help Center.
SMTP port                   587
SMTP username               user@gmail.com    Use the Google account name.
-
The following example uses the sendmail command as a delivery method:
Table 4. Using sendmail as a delivery method
Name                 Example value         Additional information
Delivery method      Sendmail
Sendmail location    /usr/sbin/sendmail    For security reasons, both the Sendmail location and Sendmail arguments settings are read-only in the UI and can only be set in /etc/foreman/settings.yaml. Neither setting can currently be set via orcharhino-installer. For more information, see the sendmail(1) man page.
Sendmail arguments   -i
-
-
To send email by using an SMTP server that uses TLS authentication, also perform one of the following steps:
-
Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on orcharhino Server:
# cp mailca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
Where mailca.crt is the CA certificate of the SMTP server.
-
Alternatively, in the orcharhino management UI, set the SMTP enable StartTLS auto option to No. Note that this disables STARTTLS entirely, so the SMTP credentials and the messages are sent unencrypted; trusting the CA certificate is the preferable fix.
-
-
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the orcharhino management UI displays an error. See the log at /var/log/foreman/production.log for further details.
-
For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering orcharhino.
5.7. Configuring orcharhino to manage the lifecycle of a host registered to a FreeIPA realm
As well as providing access to orcharhino Server, hosts provisioned with orcharhino can also be integrated with FreeIPA realms. orcharhino has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.
Use this section to configure orcharhino Server or orcharhino Proxy Server for FreeIPA realm support, then add hosts to the FreeIPA realm group.
-
A deployed realm or domain provider such as FreeIPA.
To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy Server:
-
Install the ipa-client package on orcharhino Server or orcharhino Proxy Server:
# dnf install ipa-client
-
Configure the server as a FreeIPA client:
# ipa-client-install
-
Create a realm proxy user, realm-orcharhino-proxy, and the relevant roles in FreeIPA:
# foreman-prepare-realm admin realm-orcharhino-proxy
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.
Complete the following procedure on orcharhino and every orcharhino Proxy that you want to use:
-
Copy the /root/freeipa.keytab file to any orcharhino Proxy Server that you want to include in the same principal and realm:
# scp /root/freeipa.keytab root@orcharhino-proxy.example.com:/etc/foreman-proxy/freeipa.keytab
-
On your orcharhino Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:
# mv /root/freeipa.keytab /etc/foreman-proxy
-
On your orcharhino Server and orcharhino Proxy Servers, set ownership to the foreman-proxy user and group:
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
The keytab is a long-lived credential for the realm proxy principal; make sure that it is readable by the foreman-proxy user only.
-
Enter the following command on all orcharhino Proxies that you want to include in the realm. If you use the integrated orcharhino Proxy on orcharhino, enter this command on orcharhino Server:
# orcharhino-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-orcharhino-proxy@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
You can also use these options when you first configure the orcharhino Server.
-
Ensure that the most recent version of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust extract
-
Optional: If you configure FreeIPA on an existing orcharhino Server or orcharhino Proxy Server, complete the following steps to ensure that the configuration changes take effect:
-
Restart the foreman-proxy service:
# systemctl restart foreman-proxy
-
In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
-
Locate the orcharhino Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.
-
After you configure your orcharhino Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured orcharhino Proxy to the realm.
-
In the orcharhino management UI, navigate to Infrastructure > Realms and click Create Realm.
-
In the Name field, enter a name for the realm.
-
From the Realm Type list, select the type of realm.
-
From the Realm orcharhino Proxy list, select orcharhino Proxy Server where you have configured FreeIPA.
-
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
-
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
-
Click Submit.
You must update any host groups that you want to use with the new realm information.
-
In the orcharhino management UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
-
From the Realm list, select the realm you create as part of this procedure, and then click Submit.
FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes.
orcharhino’s realm feature provides administrators with the ability to map the orcharhino host groups to the FreeIPA parameter userclass, which allows administrators to configure automembership.
When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the orcharhino User Interface. For example, "Parent/Child/Child".
orcharhino Server or orcharhino Proxy Server sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.
-
On the FreeIPA server, create a host group:
# ipa hostgroup-add hostgroup_name --desc=hostgroup_description
-
Create an automembership rule:
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
Where you can use the following options:
-
automember-add flags the group as an automember group.
-
--type=hostgroup identifies that the target group is a host group, not a user group.
-
automember_rule adds the name you want to identify the automember rule by.
-
-
Define an automembership condition based on the userclass attribute:
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
Where you can use the following options:
-
automember-add-condition adds regular expression conditions to identify group members.
-
--key=userclass specifies the key attribute as userclass.
-
--type=hostgroup identifies that the target group is a host group, not a user group.
-
--inclusive-regex=^webserver identifies matching values with a regular expression pattern.
-
hostgroup_name identifies the target host group’s name.
-
When a system is added to orcharhino Server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.
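The following shell functions are an added example and are not part of the orcharhino or FreeIPA documentation. They rehearse an automember inclusive regex against the userclass values orcharhino sends (host group titles exactly as displayed in the UI, nested ones as Parent/Child), so that a rule can be checked before it is created with ipa automember-add-condition. grep -E stands in for the regex engine FreeIPA applies, and the host group titles are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the orcharhino or FreeIPA documentation.
# Constructed sample of host group titles as orcharhino would send them in
# the userclass attribute (nested host groups keep their "Parent/Child" path).
SAMPLE_HOSTGROUPS='webserver
webserver/frontend
Infrastructure/webserver
dbserver'

# hostgroup_included REGEX TITLE
# Return 0 when a host in the orcharhino host group TITLE would be added to
# the FreeIPA host group by an inclusive regex rule REGEX, 1 otherwise.
hostgroup_included() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# automember_dry_run REGEX
# Print, one per line, the sample host groups that REGEX would include.
automember_dry_run() {
    printf '%s\n' "$SAMPLE_HOSTGROUPS" | grep -E -- "$1" || true
}
```

The anchored pattern ^webserver from the procedure matches the top-level webserver host group and its children (webserver/frontend), but not a webserver host group nested below another group (Infrastructure/webserver). When the host group lives deeper in the hierarchy, anchor on a path separator instead, for example (^|/)webserver(/|$).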
5.8. Configuring an alternate CNAME for orcharhino
You can configure an alternate CNAME for orcharhino. This might be useful if you want to deploy the orcharhino web interface on a different domain name than the one that is used by client systems to connect to orcharhino. You must plan the alternate CNAME configuration in advance prior to installing orcharhino Proxies and registering hosts to orcharhino to avoid redeploying new certificates to hosts.
5.8.1. Configuring orcharhino with an alternate CNAME
Use this procedure to configure orcharhino with an alternate CNAME. Note that the procedures for users of a default orcharhino certificate and custom certificate differ.
-
If you have installed orcharhino with a default orcharhino certificate and want to configure orcharhino with an alternate CNAME, generate a new default orcharhino SSL certificate with an additional CNAME on orcharhino Server:
# orcharhino-installer --certs-cname alternate_fqdn --certs-update-server
-
If you have not installed orcharhino, you can add the --certs-cname alternate_fqdn option to the orcharhino-installer command to install orcharhino with an alternate CNAME.
If you use orcharhino with a custom certificate, include the alternate CNAME as an additional DNS subject alternative name (SAN) entry when creating the custom certificate. For more information, see Creating a Custom SSL Certificate for orcharhino Server.
5.8.2. Configuring hosts to use an alternate orcharhino CNAME for content management
If orcharhino is configured with an alternate CNAME, you can configure hosts to use the alternate orcharhino CNAME for content management. To do this, you must point hosts to the alternate orcharhino CNAME prior to registering the hosts to orcharhino. You can do this using the bootstrap script or manually.
To use the bootstrap script, run it on the host with the --server My-Alternate-FQDN.example.com option to register the host to the alternate orcharhino CNAME:
# ./bootstrap.py --server My-Alternate-FQDN.example.com
To do it manually, edit the /etc/rhsm/rhsm.conf file on the host and update the hostname and baseurl settings to point to the alternate host name, for example:
[server]
# Server hostname:
hostname = My-Alternate-FQDN.example.com
content omitted
[rhsm]
# Content base URL:
baseurl=https://My-Alternate-FQDN.example.com/pulp/content/
Now you can register the host with the subscription-manager.
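The following shell functions are an added example and are not part of the orcharhino documentation. They make the manual rhsm.conf edit above repeatable: only the hostname key in the [server] section and the baseurl key in the [rhsm] section are rewritten, every other line is left as it is, and the file is written through its existing inode so that its mode and SELinux label survive. The rhsm.conf used in the test is a constructed sample; on a host the real path is /etc/rhsm/rhsm.conf.

```shell
#!/bin/sh
# Added example, not from the orcharhino documentation.

# rhsm_point_to CONF FQDN
# Point the subscription-manager configuration CONF at the alternate
# orcharhino CNAME FQDN: [server] hostname and [rhsm] baseurl only.
rhsm_point_to() {
    conf=$1; fqdn=$2
    awk -v fqdn="$fqdn" '
        /^\[/                                       { section = $0 }
        section == "[server]" && /^hostname[ \t]*=/ { $0 = "hostname = " fqdn }
        section == "[rhsm]"   && /^baseurl[ \t]*=/  { $0 = "baseurl = https://" fqdn "/pulp/content/" }
        { print }
    ' "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" &&   # keeps mode, owner and SELinux context
        rm -f "$conf.tmp"
}

# rhsm_get CONF SECTION KEY
# Print the value of KEY inside [SECTION] of CONF (used to verify the edit).
rhsm_get() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { cur = $0 }
        cur == section && $0 ~ ("^" key "[ \t]*=") {
            sub("^" key "[ \t]*=[ \t]*", ""); print; exit
        }
    ' "$1"
}
```

Run rhsm_point_to /etc/rhsm/rhsm.conf My-Alternate-FQDN.example.com before subscription-manager register; rhsm_get lets you confirm both values without opening the file.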
5.9. Configuring orcharhino Server with a custom SSL certificate
By default, orcharhino uses a self-signed SSL certificate to enable encrypted communications between orcharhino Server, orcharhino Proxy Servers, and all hosts. If you cannot use an orcharhino self-signed certificate, you can configure orcharhino Server to use an SSL certificate signed by an external certificate authority (CA).
When you configure orcharhino with custom SSL certificates, you must fulfill the following requirements:
-
You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
-
You must not use the same SSL certificate for both orcharhino Server and orcharhino Proxy Server.
-
The same CA must sign certificates for orcharhino Server and orcharhino Proxy Server.
-
An SSL certificate must not also be a CA certificate.
-
An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
-
An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
-
An SSL certificate must not have a shortname as the CN.
-
You must not set a passphrase for the private key.
To configure your orcharhino Server with a custom certificate, complete the following procedures:
-
If you have orcharhino Proxy Servers registered to orcharhino Server, configure them with custom SSL certificates. For more information, see Configuring orcharhino Proxy Server with a Custom SSL Certificate in Installing orcharhino Proxy Server.
5.9.1. Creating a custom SSL certificate for orcharhino Server
Use this procedure to create a custom SSL certificate for orcharhino Server. If you already have a custom SSL certificate for orcharhino Server, skip this procedure.
-
To store all the source certificate files, create a directory that is accessible only to the root user:
# mkdir /root/orcharhino_cert
-
Create a private key with which to sign the certificate signing request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this orcharhino Server, skip this step.
# openssl genrsa -out /root/orcharhino_cert/orcharhino_cert_key.pem 4096
-
Create the /root/orcharhino_cert/openssl.cnf configuration file for the CSR and include the following content:
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = orcharhino.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = orcharhino.example.com
For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
-
Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
[ req_distinguished_name ]
CN = orcharhino.example.com
countryName = My_Country_Name
stateOrProvinceName = My_State_Or_Province_Name
localityName = My_Locality_Name
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name
The options used in the configuration file include the following:
countryName: The country represented by a two-letter code
stateOrProvinceName: Full name of the state or province
localityName: Full name of the locality (example: New York)
organizationalUnitName: Division responsible for the certificate (example: IT department)
-
Generate CSR:
# openssl req -new \
-key /root/orcharhino_cert/orcharhino_cert_key.pem \
-config /root/orcharhino_cert/openssl.cnf \
-out /root/orcharhino_cert/orcharhino_cert_csr.pem
The options used in the command include the following:
-key: Path to the private key
-config: Path to the configuration file
-out: Path to the CSR to generate
-
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
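The following shell script is an added example and is not part of the orcharhino documentation. It scripts the key, openssl.cnf and CSR steps of this procedure, and adds a pre-deployment check of the signed certificate the CA returns against the requirements listed at the start of this chapter (PEM encoding, unencrypted key, FQDN as CN, SAN matching the CN, Key Encipherment in the Key Usage extension, not a CA certificate) plus a check that the certificate actually belongs to the key. It assumes openssl, awk and sed are installed; the directory and host names are placeholders, and the certificates the test generates are self-signed stand-ins for what a CA would return.

```shell
#!/bin/sh
# Added example, not from the orcharhino documentation.

# make_csr DIR FQDN [BITS]
# Create an unencrypted RSA key, the openssl.cnf from this procedure and the
# CSR inside DIR, which is created root-only (mode 0700). BITS defaults to 4096.
make_csr() {
    dir=$1; fqdn=$2; bits=${3:-4096}
    mkdir -p "$dir" && chmod 0700 "$dir"
    openssl genrsa -out "$dir/orcharhino_cert_key.pem" "$bits" 2>/dev/null
    chmod 0600 "$dir/orcharhino_cert_key.pem"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = $fqdn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn
EOF
    openssl req -new -key "$dir/orcharhino_cert_key.pem" \
        -config "$dir/openssl.cnf" -out "$dir/orcharhino_cert_csr.pem"
}

# ext_value CERT NAME: print the value line of the X509v3 extension NAME.
ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v name="$2" '$0 ~ ("X509v3 " name ":") { getline; sub(/^ +/, ""); print; exit }'
}

cert_fail() { echo "FAIL: $*" >&2; rc=1; }

# check_server_cert CERT KEY
# Return 0 only if CERT and KEY satisfy the custom certificate requirements.
check_server_cert() {
    cert=$1; key=$2; rc=0

    # PEM encoding: openssl reads PEM by default, so a DER file is rejected here
    openssl x509 -in "$cert" -noout 2>/dev/null || cert_fail "$cert is not a PEM certificate"
    # the installer cannot unlock a passphrase-protected key
    grep -q ENCRYPTED "$key" 2>/dev/null && cert_fail "private key is passphrase protected"

    # CN must be an FQDN, not a shortname
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        *.*) ;;
        *)   cert_fail "CN '$cn' is a shortname, not an FQDN" ;;
    esac

    # a SAN entry must repeat the CN
    ext_value "$cert" "Subject Alternative Name" | tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "DNS:$cn" || cert_fail "no SAN entry DNS:$cn matching the CN"

    # Key Usage must allow Key Encipherment
    case "$(ext_value "$cert" "Key Usage")" in
        *"Key Encipherment"*) ;;
        *) cert_fail "keyUsage does not allow Key Encipherment" ;;
    esac

    # the server certificate must not itself be a CA certificate
    case "$(ext_value "$cert" "Basic Constraints")" in
        *CA:TRUE*) cert_fail "certificate is a CA certificate" ;;
    esac

    # the certificate must carry the public half of KEY
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        cert_fail "certificate public key does not match $key"

    return "$rc"
}
```

Run check_server_cert /root/orcharhino_cert/orcharhino_cert.pem /root/orcharhino_cert/orcharhino_cert_key.pem on the file the CA returns before the orcharhino-installer step; every violated requirement is reported on stderr rather than surfacing later as a failed installer run or a TLS handshake error on hosts.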
5.9.2. Deploying a custom SSL certificate to orcharhino Server
Use this procedure to configure your orcharhino Server to use a custom SSL certificate signed by a Certificate Authority.
Important
Do not store the SSL certificates or .tar bundles in
-
Update certificates on your orcharhino Server:
# orcharhino-installer \
--certs-server-cert "/root/orcharhino_cert/orcharhino_cert.pem" \ (1)
--certs-server-key "/root/orcharhino_cert/orcharhino_cert_key.pem" \ (2)
--certs-server-ca-cert "/root/orcharhino_cert/ca_cert_bundle.pem" \ (3)
--certs-update-server --certs-update-server-ca
-
(1) Path to the orcharhino Server certificate file that is signed by a Certificate Authority.
-
(2) Path to the private key that belongs to the orcharhino Server certificate, that is, the key used to generate the CSR.
-
(3) Path to the Certificate Authority bundle.
-
-
On a computer with network access to orcharhino Server, navigate to the following URL: https://orcharhino.example.com.
-
In your browser, view the certificate details to verify the deployed certificate.
5.9.3. Deploying a custom SSL certificate to hosts
After you configure orcharhino to use a custom SSL certificate, you must deploy the certificate to hosts registered to orcharhino.
-
Update the SSL certificate on each host:
# dnf install http://orcharhino.example.com/pub/katello-ca-consumer-latest.noarch.rpm
5.10. Resetting custom SSL certificate to default self-signed certificate on orcharhino Server
-
Reset the custom SSL certificate to default self-signed certificate:
# orcharhino-installer --certs-reset
Verify that the following parameters in /etc/foreman-installer/scenarios.d/katello-answers.yaml have no values:
-
server_cert:
-
server_key:
-
server_cert_req:
-
server_ca_cert:
For the corresponding procedures on orcharhino Proxy Servers and on hosts, see:
-
Resetting custom SSL certificate to default self-signed certificate on orcharhino Proxy Server in Installing orcharhino Proxy Server.
-
Resetting custom SSL certificate to default self-signed certificate on hosts in Managing hosts.
Appendix A: Restoring manual changes overwritten by a Puppet run
If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state.
For example, when you install and configure orcharhino for the first time by using orcharhino-installer, you can use the --foreman-proxy-dns-managed false and --foreman-proxy-dhcp-managed false options to specify that the DNS and DHCP configuration files are not to be managed by Puppet.
If you do not use these options during the initial orcharhino-installer run, rerunning orcharhino-installer overwrites all manual changes.
The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.
-
Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
-
Check the log files to note down the md5sum of the overwritten file. For example:
# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...
-
Restore the overwritten file:
# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \
622d9820b8e764ab124367c68f5fa3a1
-
Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.
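The following shell functions are an added example and are not part of the orcharhino documentation. They take the checksum out of the journal message Puppet logs when it buckets a file, so the restore step does not depend on copying a hash out of journalctl -xe by hand, and they check the restored file against that checksum. The journal excerpt used in the test is constructed to match the message format shown above; the bucket path and file name are the ones from this appendix.

```shell
#!/bin/sh
# Added example, not from the orcharhino documentation.

# filebucket_sum FILE
# Read journal text on stdin and print the checksum from the most recent
# "Filebucketed FILE to puppet with sum ..." message; exit 1 if there is none.
filebucket_sum() {
    awk -v needle="Filebucketed $1 to puppet with sum " '
        index($0, needle) { sum = $NF }      # last field is the md5 sum
        END { if (sum == "") exit 1; print sum }
    '
}

# md5_matches FILE SUM: return 0 when FILE hashes to SUM.
md5_matches() {
    [ "$(md5sum "$1" | cut -d" " -f1)" = "$2" ]
}

# restore_from_bucket FILE SUM
# Restore FILE from the local client bucket as in this appendix, then verify
# that the restored content really carries the checksum Puppet recorded.
restore_from_bucket() {
    puppet filebucket restore --local --bucket /var/lib/puppet/clientbucket "$1" "$2" &&
        md5_matches "$1" "$2"
}
```

Typical use on the affected orcharhino Server: sum=$(journalctl -u puppet --no-pager | filebucket_sum /etc/dhcp/dhcpd.conf) followed by restore_from_bucket /etc/dhcp/dhcpd.conf "$sum"; a non-zero exit from the second call means the bucket did not contain what the log claimed, and the backup copy taken in the first step should be used instead.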