diff --git a/guides/common/assembly_configuring-dhcp-integration.adoc b/guides/common/assembly_configuring-dhcp-integration.adoc
new file mode 100644
index 00000000000..249e24b6534
--- /dev/null
+++ b/guides/common/assembly_configuring-dhcp-integration.adoc
@@ -0,0 +1,23 @@
+include::modules/con_configuring-dhcp-integration.adoc[]
+
+include::modules/con_dhcp-service-providers.adoc[leveloffset=+1]
+
+include::modules/proc_enabling-the-installer-managed-dhcp-service.adoc[leveloffset=+1]
+
+include::modules/con_integrating-a-remote-isc-dhcp-server.adoc[leveloffset=+1]
+
+include::modules/proc_configuring-isc-dhcp-to-use-with-server.adoc[leveloffset=+2]
+
+include::modules/proc_configuring-server-or-proxy-for-use-with-isc-dhcp.adoc[leveloffset=+2]
+
+include::modules/proc_integrating-infoblox-dhcp.adoc[leveloffset=+1]
+
+ifndef::satellite[]
+include::modules/proc_integrating-dnsmasq-dhcp-by-using-the-libvirt-api.adoc[leveloffset=+1]
+endif::[]
+
+include::modules/proc_associating-the-dhcp-service-with-a-subnet.adoc[leveloffset=+1]
+
+include::modules/proc_disabling-dhcp-for-integration.adoc[leveloffset=+1]
+
+include::modules/proc_troubleshooting-dhcp-problems.adoc[leveloffset=+1]
diff --git a/guides/common/assembly_configuring-dns-dhcp-and-tftp.adoc b/guides/common/assembly_configuring-dns-dhcp-and-tftp.adoc
deleted file mode 100644
index 95a96311f00..00000000000
--- a/guides/common/assembly_configuring-dns-dhcp-and-tftp.adoc
+++ /dev/null
@@ -1,7 +0,0 @@
-include::modules/con_configuring-dns-dhcp-and-tftp.adoc[]
-
-include::modules/proc_configuring-dns-dhcp-and-tftp.adoc[leveloffset=+1]
-
-include::modules/proc_disabling-dns-dhcp-tftp-for-unmanaged-networks.adoc[leveloffset=+1]
-
-include::modules/ref_configuring-dns-dhcp-and-tftp-additional-resources.adoc[leveloffset=+1]
diff --git a/guides/common/assembly_configuring-dns-integration.adoc b/guides/common/assembly_configuring-dns-integration.adoc
new file mode 100644
index 00000000000..8ace5bf09f8
--- /dev/null
+++ b/guides/common/assembly_configuring-dns-integration.adoc
@@ -0,0 +1,27 @@
+include::modules/con_configuring-dns-integration.adoc[]
+
+include::modules/con_dns-service-providers.adoc[leveloffset=+1]
+
+include::modules/proc_enabling-the-installer-managed-dns-service.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-a-local-self-managed-dns-service.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-a-generic-rfc-2136-compatible-remote-dns-server.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-idm-dns-with-tsig-authentication.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-idm-dns-with-gss-tsig-authentication.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-infoblox-dns.adoc[leveloffset=+1]
+
+ifndef::satellite[]
+include::modules/proc_integrating-dnsmasq-dns-by-using-the-libvirt-api.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-powerdns.adoc[leveloffset=+1]
+
+include::modules/proc_integrating-route-53-dns.adoc[leveloffset=+1]
+endif::[]
+
+include::modules/proc_associating-the-dns-service-with-a-domain-and-subnet.adoc[leveloffset=+1]
+
+include::modules/proc_disabling-dns-for-integration.adoc[leveloffset=+1]
diff --git a/guides/common/assembly_configuring-external-dhcp.adoc b/guides/common/assembly_configuring-external-dhcp.adoc
deleted file mode 100644
index a1d47b7764d..00000000000
--- a/guides/common/assembly_configuring-external-dhcp.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-ifdef::context[:parent-context: {context}]
-
-include::modules/con_configuring-project-with-external-dhcp.adoc[]
-
-//Configuring an External DHCP Server to Use with {ProductName}
-include::modules/proc_configuring-an-external-dhcp-server.adoc[leveloffset=+1]
-
-//Configuring {ProductName} with an External DHCP Server
-include::modules/proc_configuring-satellite-deployment-with-an-external-dhcp-server.adoc[leveloffset=+1]
-
-ifdef::parent-context[:context: {parent-context}]
-ifndef::parent-context[:!context:]
diff --git a/guides/common/assembly_configuring-external-idm-dns.adoc b/guides/common/assembly_configuring-external-idm-dns.adoc
deleted file mode 100644
index 1f55a9a89c1..00000000000
--- a/guides/common/assembly_configuring-external-idm-dns.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-ifdef::context[:parent-context: {context}]
-
-include::modules/con_configuring-project-with-external-idm-dns.adoc[]
-
-//Configuring Dynamic DNS Update with GSS-TSIG Authentication
-include::modules/proc_configuring-dynamic-dns-update-with-gss-tsig-authentication.adoc[leveloffset=+1]
-
-//Configuring Dynamic DNS Update with TSIG Authentication
-include::modules/proc_configuring-dynamic-dns-update-with-tsig-authentication.adoc[leveloffset=+1]
-
-//Reverting to Internal DNS Service
-include::modules/proc_reverting-to-internal-dns-service.adoc[leveloffset=+1]
-
-ifdef::parent-context[:context: {parent-context}]
-ifndef::parent-context[:!context:]
diff --git a/guides/common/assembly_configuring-external-services.adoc b/guides/common/assembly_configuring-external-services.adoc
deleted file mode 100644
index 71dc52e915f..00000000000
--- a/guides/common/assembly_configuring-external-services.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-:parent-context: {context}
-
-include::modules/con_configuring-project-with-external-services.adoc[]
-
-include::modules/proc_configuring-external-dns.adoc[leveloffset=+1]
-
-include::assembly_configuring-external-dhcp.adoc[leveloffset=+1]
-
-ifeval::[ "{context}" == "{project-context}" ]
-include::assembly_using-infoblox-as-dhcp-and-dns-providers.adoc[leveloffset=+1]
-endif::[]
-
-include::modules/proc_configuring-external-tftp.adoc[leveloffset=+1]
-
-include::assembly_configuring-external-idm-dns.adoc[leveloffset=+1]
-
-include::assembly_configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm.adoc[leveloffset=+1]
-
-:context: {parent-context}
-:!parent-context:
diff --git a/guides/common/assembly_configuring-tftp-integration.adoc b/guides/common/assembly_configuring-tftp-integration.adoc new file mode 100644 index 00000000000..768103b0358 --- /dev/null +++ b/guides/common/assembly_configuring-tftp-integration.adoc @@ -0,0 +1,13 @@ +include::modules/con_configuring-tftp-integration.adoc[] + +include::modules/proc_enabling-the-installer-managed-tftp-service.adoc[leveloffset=+1] + +include::modules/con_integrating-a-generic-tftp-server.adoc[leveloffset=+1] + +//== Configuring TFTP to use with {ProductName} + +include::modules/proc_configuring-server-for-use-with-tftp.adoc[leveloffset=+2] + +include::modules/proc_associating-the-tftp-service-with-a-subnet.adoc[leveloffset=+1] + +include::modules/proc_disabling-tftp-for-integration.adoc[leveloffset=+1] diff --git a/guides/common/assembly_deployment-path.adoc b/guides/common/assembly_deployment-path.adoc index b1db6776f12..e1870316c7b 100644 --- a/guides/common/assembly_deployment-path.adoc +++ b/guides/common/assembly_deployment-path.adoc @@ -4,8 +4,6 @@ include::modules/con_installing-a-project-server.adoc[leveloffset=+1] include::modules/con_configuring-project-server-with-external-database.adoc[leveloffset=+2] -include::modules/con_configuring-dns-dhcp-and-tftp.adoc[leveloffset=+2] - include::modules/con_deploying-project-on-aws.adoc[leveloffset=+1] include::modules/ref_configuring-external-authentication-in-foreman.adoc[leveloffset=+1] diff --git a/guides/common/assembly_managing-dhcp-on-smart-proxies.adoc b/guides/common/assembly_managing-dhcp-on-smart-proxies.adoc deleted file mode 100644 index d49d583aa6b..00000000000 --- a/guides/common/assembly_managing-dhcp-on-smart-proxies.adoc +++ /dev/null @@ -1,7 +0,0 @@ -include::modules/con_managing-dhcp-by-using-smartproxy.adoc[] - -ifndef::satellite[] -include::modules/proc_configuring-dhcp-libvirt.adoc[leveloffset=+1] -endif::[] - -include::modules/proc_securing-the-dhcp-api.adoc[leveloffset=+1] 
diff --git a/guides/common/assembly_managing-dns-on-smart-proxies.adoc b/guides/common/assembly_managing-dns-on-smart-proxies.adoc deleted file mode 100644 index 6c67e212d59..00000000000 --- a/guides/common/assembly_managing-dns-on-smart-proxies.adoc +++ /dev/null @@ -1,11 +0,0 @@ -include::modules/con_managing-dns-by-using-smartproxy.adoc[] - -include::modules/proc_configuring-dns-nsupdate.adoc[leveloffset=+1] - -ifndef::satellite[] -include::modules/proc_configuring-dns-libvirt.adoc[leveloffset=+1] - -include::modules/proc_configuring-dns-powerdns.adoc[leveloffset=+1] - -include::modules/proc_configuring-dns-route53.adoc[leveloffset=+1] -endif::[] diff --git a/guides/common/assembly_performing-additional-configuration-on-smart-proxy-server.adoc b/guides/common/assembly_performing-additional-configuration-on-smart-proxy-server.adoc index 4092a7339aa..a32895dcade 100644 --- a/guides/common/assembly_performing-additional-configuration-on-smart-proxy-server.adoc +++ b/guides/common/assembly_performing-additional-configuration-on-smart-proxy-server.adoc @@ -23,6 +23,3 @@ endif::[] // Enabling Power Management on Hosts include::modules/proc_enabling-power-management-on-hosts.adoc[leveloffset=+1] - -// Configuring DNS, DHCP, and TFTP on {SmartProxyServer} -include::modules/proc_configuring-dns-dhcp-and-tftp.adoc[leveloffset=+1] diff --git a/guides/common/assembly_preparing-networking.adoc b/guides/common/assembly_preparing-networking.adoc index 7689664fb7b..b31f53338c0 100644 --- a/guides/common/assembly_preparing-networking.adoc +++ b/guides/common/assembly_preparing-networking.adoc 
@@ -6,24 +6,16 @@ include::modules/proc_optimizing-performance-by-removing-nics-from-database.adoc include::modules/con_network-resources.adoc[leveloffset=+1] -include::modules/con_foreman-and-dhcp-configuration.adoc[leveloffset=+1] - include::modules/ref_options-in-managed-dhcpv4.adoc[leveloffset=+2] include::modules/ref_options-in-unmanaged-dhcpv6.adoc[leveloffset=+2] -include::modules/proc_troubleshooting-dhcp-problems.adoc[leveloffset=+1] - ifdef::provisioning,provisioning-cloud,provisioning-virtual[] include::modules/con_prerequisites-for-image-based-provisioning.adoc[leveloffset=+1] endif::[] -include::modules/proc_configuring-network-services.adoc[leveloffset=+1] - include::modules/ref_multiple-subnets-or-domains-using-installer.adoc[leveloffset=+2] -include::modules/ref_dhcp-options-for-network-configuration.adoc[leveloffset=+2] - include::modules/ref_dns-options-for-network-configuration.adoc[leveloffset=+2] include::modules/ref_tftp-options-for-network-configuration.adoc[leveloffset=+2] diff --git a/guides/common/assembly_using-infoblox-as-dhcp-and-dns-providers.adoc b/guides/common/assembly_using-infoblox-as-dhcp-and-dns-providers.adoc deleted file mode 100644 index 15f1cc19f8e..00000000000 --- a/guides/common/assembly_using-infoblox-as-dhcp-and-dns-providers.adoc +++ /dev/null @@ -1,11 +0,0 @@ -include::modules/con_using-infoblox-as-dhcp-and-dns-providers.adoc[] - -include::modules/con_infoblox-limitations.adoc[leveloffset=+1] - -include::modules/con_infoblox-prerequisites.adoc[leveloffset=+1] - -include::modules/proc_installing-the-infoblox-ca-certificate.adoc[leveloffset=+1] - -include::modules/proc_installing-the-dhcp-infoblox-module.adoc[leveloffset=+1] - -include::modules/proc_installing-the-dns-infoblox-module.adoc[leveloffset=+1] diff --git a/guides/common/attributes-base.adoc b/guides/common/attributes-base.adoc index 55760561a1d..76fa09405d6 100644 --- a/guides/common/attributes-base.adoc +++ b/guides/common/attributes-base.adoc 
@@ -2,6 +2,7 @@
 :BaseFilenameURL: index-{build}.html
 :AdministeringDocURL: {BaseURL}Administering_Project/{BaseFilenameURL}#
 :APIDocURL: {BaseURL}Project_API/{BaseFilenameURL}#
+:ConfiguringDNSDHCPTFTPDocURL: {BaseURL}Configuring_DNS_DHCP_TFTP/{BaseFilenameURL}#
 :ConfiguringLoadBalancerDocURL: {BaseURL}Configuring_Load_Balancer/{BaseFilenameURL}#
 :ConfiguringUserAuthenticationDocURL: {BaseURL}Configuring_User_Authentication/{BaseFilenameURL}#
 :ContentManagementDocURL: {BaseURL}Managing_Content/{BaseFilenameURL}#
@@ -79,6 +80,7 @@
 :foreman-maintain: foreman-maintain
 :FreeIPA: FreeIPA
 :FreeIPA-context: {FreeIPA}
+:freeipaserver-example-com: freeipa-server.example.com
 :hammer-smart-proxy: hammer proxy
 :install-on-os: {EL}
 :installer-log-file: /var/log/foreman-installer/foreman.log
diff --git a/guides/common/attributes-satellite.adoc b/guides/common/attributes-satellite.adoc
index 89f486a41f2..3c97501fb46 100644
--- a/guides/common/attributes-satellite.adoc
+++ b/guides/common/attributes-satellite.adoc
@@ -15,7 +15,7 @@
 // - downstream_filename_to_link.json in downstream
 :AdministeringDocURL: {BaseURL}administering_red_hat_satellite/index#
 :APIDocURL: {BaseURL}using_the_satellite_rest_api/index#
-:ConfiguringDNSDHCPTFTPDocURL: {BaseURL}/configuring_dns_dhcp_and_tftp_integration/index#
+:ConfiguringDNSDHCPTFTPDocURL: {BaseURL}configuring_dns_dhcp_and_tftp_integration/index#
 :ConfiguringLoadBalancerDocURL: {BaseURL}configuring_capsules_with_a_load_balancer/index#
 :ConfiguringUserAuthenticationDocURL: {BaseURL}configuring_authentication_for_red_hat_satellite_users/index#
 :ConfiguringVMSubscriptionsDocURL: {BaseURL}configuring_virt_who_for_virtual_machine_subscriptions/index#
@@ -77,6 +77,7 @@
 :foreman-maintain: satellite-maintain
 :FreeIPA: Identity{nbsp}Management
 :FreeIPA-context: Identity_Management
+:freeipaserver-example-com: idm-server.example.com
 :hammer-smart-proxy: hammer capsule
 :installer-log-file: /var/log/foreman-installer/satellite.log
 :installer-scenario-smartproxy: satellite-installer --scenario capsule
diff --git a/guides/common/modules/con_configuring-dhcp-integration.adoc b/guides/common/modules/con_configuring-dhcp-integration.adoc
new file mode 100644
index 00000000000..df3ac7d8f26
--- /dev/null
+++ b/guides/common/modules/con_configuring-dhcp-integration.adoc
@@ -0,0 +1,5 @@
+[id="configuring-dhcp-integration"]
+= Configuring DHCP integration
+
+{Project} can manage IP leases on a DHCP server through a {SmartProxy}.
+This includes querying for available IP addresses, adding new reservations, and deleting existing reservations from the lease database.
diff --git a/guides/common/modules/con_configuring-dns-dhcp-and-tftp.adoc b/guides/common/modules/con_configuring-dns-dhcp-and-tftp.adoc
deleted file mode 100644
index 3843543a539..00000000000
--- a/guides/common/modules/con_configuring-dns-dhcp-and-tftp.adoc
+++ /dev/null
@@ -1,29 +0,0 @@
-[id="configuring-dns-dhcp-and-tftp_{context}"]
-= Configuring DNS, DHCP, and TFTP
-
-You can manage DNS, DHCP, and TFTP centrally within the {Project} environment, or you can manage them independently after disabling their maintenance on {Project}.
-ifndef::foreman-deb,orcharhino[]
-You can also run DNS, DHCP, and TFTP externally, outside of the {Project} environment.
-endif::[]
-
-ifndef::orcharhino[]
-ifeval::["{context}" == "planning"]
-.Additional resources
-ifndef::satellite[]
-* For more information about configuring DNS, DHCP, and TFTP on {ProjectServer}, see {InstallingServerDocURL}configuring-dns-dhcp-and-tftp_{project-context}[Configuring DNS, DHCP, and TFTP] in _{InstallingServerDocTitle}_.
-endif::[]
-ifdef::satellite[]
-* For more information about configuring DNS, DHCP, and TFTP on {ProjectServer}, see the following documents:
-** {InstallingServerDocURL}configuring-dns-dhcp-and-tftp_{project-context}[Configuring DNS, DHCP, and TFTP] in _{InstallingServerDocTitle}_
-** {InstallingServerDisconnectedDocURL}configuring-dns-dhcp-and-tftp_{project-context}[Configuring DNS, DHCP, and TFTP] in _{InstallingServerDisconnectedDocTitle}_
-endif::[]
-ifndef::foreman-deb,orcharhino,satellite[]
-* For more information about configuring DNS, DHCP, and TFTP externally, see {InstallingServerDocURL}configuring-external-services_{project-context}[Configuring external services] in _{InstallingServerDocTitle}_.
-endif::[]
-ifdef::satellite[]
-* For more information about configuring DNS, DHCP, and TFTP externally, see the following documents:
-** {InstallingServerDocURL}configuring-external-services_{project-context}[Configuring external services] in _{InstallingServerDocTitle}_.
-** {InstallingServerDisconnectedDocURL}configuring-external-services_{project-context}[Configuring external services] in _{InstallingServerDisconnectedDocTitle}_
-endif::[]
-endif::[]
-endif::[]
diff --git a/guides/common/modules/con_configuring-dns-integration.adoc b/guides/common/modules/con_configuring-dns-integration.adoc
new file mode 100644
index 00000000000..db359179729
--- /dev/null
+++ b/guides/common/modules/con_configuring-dns-integration.adoc
@@ -0,0 +1,5 @@
+[id="configuring-dns-integration"]
+= Configuring DNS integration
+
+{Project} can manage DNS records by using {SmartProxy}.
+This DNS management contains updating and removing DNS records from existing DNS zones.
diff --git a/guides/common/modules/con_configuring-project-with-external-dhcp.adoc b/guides/common/modules/con_configuring-project-with-external-dhcp.adoc
deleted file mode 100644
index d51012be13f..00000000000
--- a/guides/common/modules/con_configuring-project-with-external-dhcp.adoc
+++ /dev/null
@@ -1,7 +0,0 @@
-[id="configuring-external-dhcp_{context}"]
-= Configuring {ProductName} with external DHCP
-
-To configure {ProductName} with external DHCP, you must complete the following procedures:
-
-. xref:configuring-an-external-dhcp-server_{context}[]
-. xref:Configuring_Server_with_an_External_DHCP_Server_{context}[]
diff --git a/guides/common/modules/con_configuring-project-with-external-idm-dns.adoc b/guides/common/modules/con_configuring-project-with-external-idm-dns.adoc
deleted file mode 100644
index 344a0452fe9..00000000000
--- a/guides/common/modules/con_configuring-project-with-external-idm-dns.adoc
+++ /dev/null
@@ -1,39 +0,0 @@
-[id="configuring-external-idm-dns_{context}"]
-= Configuring {ProductName} with external IdM DNS
-
-When {ProjectServer} adds a DNS record for a host, it first determines which {SmartProxy} is providing DNS for that domain.
-It then communicates with the {SmartProxy} that is configured to provide DNS service for your deployment and adds the record.
-The hosts are not involved in this process.
-Therefore, you must install and configure the IdM client on the {Project} or {SmartProxy} that is currently configured to provide a DNS service for the domain you want to manage by using the IdM server.
-
-{ProductName} can be configured to use a Red{nbsp}Hat Identity Management (IdM) server to provide DNS service.
-ifdef::satellite[]
-For more information about Red{nbsp}Hat Identity Management, see the {RHELDocsBaseURL}7/html-single/linux_domain_identity_authentication_and_policy_guide/index[_{RHEL}{nbsp}7 Linux Domain Identity, Authentication, and Policy Guide_].
-endif::[]
-
-To configure {ProductName} to use a Red{nbsp}Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:
-
-* xref:configuring-dynamic-dns-update-with-gss-tsig-authentication_{context}[]
-
-* xref:configuring-dynamic-dns-update-with-tsig-authentication_{context}[]
-
-To revert to internal DNS service, use the following procedure:
-
-* xref:reverting-to-internal-dns-service_{context}[]
-
-[NOTE]
-You are not required to use {ProductName} to manage DNS.
-When you are using the realm enrollment feature of {Project}, where provisioned hosts are enrolled automatically to IdM, the `ipa-client-install` script creates DNS records for the client.
-Configuring {ProductName} with external IdM DNS and realm enrollment are mutually exclusive.
-For more information about configuring realm enrollment, see
-ifeval::["{context}" == "{project-context}"]
-ifeval::["{mode}" == "connected"]
-xref:configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm_{context}[].
-endif::[]
-ifeval::["{mode}" == "disconnected"]
-{InstallingServerDocURL}configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm_{project-context}[Configuring {Project} to manage the lifecycle of a host registered to a {FreeIPA} realm] in _{InstallingServerDocTitle}_.
-endif::[]
-endif::[]
-ifeval::["{context}" == "{smart-proxy-context}"]
-{InstallingServerDocURL}configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm_{project-context}[Configuring {Project} to manage the lifecycle of a host registered to a {FreeIPA} realm] in _{InstallingServerDocTitle}_.
-endif::[]
diff --git a/guides/common/modules/con_configuring-project-with-external-services.adoc b/guides/common/modules/con_configuring-project-with-external-services.adoc
deleted file mode 100644
index 22979d07a79..00000000000
--- a/guides/common/modules/con_configuring-project-with-external-services.adoc
+++ /dev/null
@@ -1,4 +0,0 @@
-[id="configuring-external-services"]
-= Configuring {ProductName} with external services
-
-If you do not want to configure the DNS, DHCP, and TFTP services on {ProductName}, use this section to configure your {ProductName} to work with external DNS, DHCP, and TFTP services.
diff --git a/guides/common/modules/con_configuring-tftp-integration.adoc b/guides/common/modules/con_configuring-tftp-integration.adoc
new file mode 100644
index 00000000000..c860987cee6
--- /dev/null
+++ b/guides/common/modules/con_configuring-tftp-integration.adoc
@@ -0,0 +1,4 @@
+[id="configuring-tftp-integration"]
+= Configuring TFTP integration
+
+By integrating a TFTP server, you can perform unattended installations.
diff --git a/guides/common/modules/con_dhcp-service-providers.adoc b/guides/common/modules/con_dhcp-service-providers.adoc
new file mode 100644
index 00000000000..2f5122a0847
--- /dev/null
+++ b/guides/common/modules/con_dhcp-service-providers.adoc
@@ -0,0 +1,23 @@
+[id="dhcp-serivce-proviers"]
+= DHCP service providers
+
+{SmartProxy} supports the following DHCP providers that you can use to integrate {Project} with your existing DHCP infrastructure or deploy a new one:
+
+`dhcp_isc`:: Managing IP leases on an ISC DHCP server by using the Object Management Application Programming Interface (OMAPI).
+See xref:enabling-the-installer-managed-dhcp-service[].
+
+`dhcp_remote_isc`:: Managing IP leases on a remote ISC dhcpd server by using OMAPI.
+This provider requires that you share the leases over the network, for example, with NFS.
+See xref:integrating-a-remote-isc-dhcp-server[].
+
+`dhcp_infoblox`:: Managing IP leases on an Infoblox DHCP server.
+See xref:integrating-infoblox-dhcp[].
+
+ifndef::satellite[]
+`dhcp_libvirt`:: Managing IP leases on a dnsmasq DHCP server by using the `libvirt` API.
+See xref:integrating-dnsmasq-dhcp-by-using-the-libvirt-api[].
+endif::[]
+
+ifdef::orcharhino[]
+`dhcp_native_ms`:: Managing IP leases in Microsoft Active Directory.
+endif::[]
diff --git a/guides/common/modules/con_dns-service-providers.adoc b/guides/common/modules/con_dns-service-providers.adoc
new file mode 100644
index 00000000000..16ee03eaa23
--- /dev/null
+++ b/guides/common/modules/con_dns-service-providers.adoc
@@ -0,0 +1,27 @@
+[id="dns-service-providers"]
+= DNS service providers
+
+{SmartProxy} supports the following DNS providers that you can use to integrate {Project} with your existing DNS infrastructure or deploy a new one:
+
+`dns_nsupdate`:: Dynamic DNS updates on an link:https://datatracker.ietf.org/doc/html/rfc2136[RFC 2136]-compatible DNS server by using the `nsupdate` utility.
+See:
++
+** xref:enabling-the-installer-managed-dns-service[]
+** xref:integrating-a-local-self-managed-dns-service[]
+** xref:integrating-a-generic-rfc-2136-compatible-remote-dns-server[]
+** xref:integrating-idm-dns-with-tsig-authentication[].
+`dns_nsupdate_gss`:: Dynamic DNS updates on an link:https://datatracker.ietf.org/doc/html/rfc2136[RFC 2136]-compatible DNS server by using the `nsupdate` utility with Generic Security Service algorithm for Transaction Signature (GSS-TSIG) authentication.
+See xref:integrating-idm-dns-update-with-gss-tsig-authentication[].
+`dns_infoblox`:: Dynamic DNS updates on an Infoblox DNS server.
+See xref:integrating-infoblox-dns[].
+ifndef::satellite[]
+`dns_libvirt`:: Dynamic DNS updates on a dnsmasq DNS server by using the `libvirt` API.
+See xref:integrating-dnsmasq-dns-by-using-the-libvirt-api[].
+`dns_powerdns`:: Dynamic DNS updates on a PowerDNS server.
+See xref:integrating-powerdns[].
+`dns_route53`:: Dynamic DNS updates on an Amazon Route 53 DNS server.
+See xref:integratinig-route-53[].
+endif::[]
+ifdef::orcharhino[]
+`dns_dnscmd`:: Static DNS records in Microsoft Active Directory.
+endif::[]
diff --git a/guides/common/modules/con_foreman-and-dhcp-configuration.adoc b/guides/common/modules/con_foreman-and-dhcp-configuration.adoc
deleted file mode 100644
index 7864a833770..00000000000
--- a/guides/common/modules/con_foreman-and-dhcp-configuration.adoc
+++ /dev/null
@@ -1,4 +0,0 @@
-[id="{project-context}-and-dhcp-configuration"]
-= {Project} and DHCP configuration
-
-{Project} manages DHCP reservations through a DHCP {SmartProxy}.
diff --git a/guides/common/modules/con_infoblox-limitations.adoc b/guides/common/modules/con_infoblox-limitations.adoc
deleted file mode 100644
index d609b91de85..00000000000
--- a/guides/common/modules/con_infoblox-limitations.adoc
+++ /dev/null
@@ -1,14 +0,0 @@
-[id="Infoblox_Limitations_{context}"]
-= Infoblox limitations
-
-All DHCP and DNS records can be managed only in a single Network or DNS view.
-After you install the Infoblox modules on {ProductName} and set up the view using the `{foreman-installer}` command, you cannot edit the view.
-
-{ProductName} communicates with a single Infoblox node by using the standard HTTPS web API.
-If you want to configure clustering and High Availability, make the configurations in Infoblox.
-
-Hosting PXE-related files by using the TFTP functionality of Infoblox is not supported.
-You must use {ProductName} as a TFTP server for PXE provisioning.
-For more information, see {ProvisioningDocURL}preparing-networking[Preparing networking] in _{ProvisioningDocTitle}_.
-
-{Project} IPAM feature cannot be integrated with Infoblox.
diff --git a/guides/common/modules/con_infoblox-prerequisites.adoc b/guides/common/modules/con_infoblox-prerequisites.adoc
deleted file mode 100644
index 04f08226cd4..00000000000
--- a/guides/common/modules/con_infoblox-prerequisites.adoc
+++ /dev/null
@@ -1,6 +0,0 @@
-[id="Infoblox_Prerequisites_{context}"]
-= Infoblox prerequisites
-
-* You must have Infoblox account credentials to manage DHCP and DNS entries in {Project}.
-* Ensure that you have Infoblox administration roles with the names: `DHCP Admin` and `DNS Admin`.
-* The administration roles must have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API.
diff --git a/guides/common/modules/con_integrating-a-generic-tftp-server.adoc b/guides/common/modules/con_integrating-a-generic-tftp-server.adoc
new file mode 100644
index 00000000000..af2a2bcb91c
--- /dev/null
+++ b/guides/common/modules/con_integrating-a-generic-tftp-server.adoc
@@ -0,0 +1,11 @@
+[id="integrating-a-generic-tftp-server"]
+= Integrating a generic TFTP server
+
+If you have an existing TFTP server in your network, you can integrate it into {Project} to perform unattended installations.
+If the installer does not manages the TFTP service, you must share the root directory of the TFTP service over the network to enable {Project} to access the files.
+However, in this case, {Project} does not manage the files on the TFTP server.
+
+[NOTE]
+====
+If you prefer a low maintenance solution that also manages files on the TFTP server, use the installer-managed TFTP service.
+====
diff --git a/guides/common/modules/con_integrating-a-remote-isc-dhcp-server.adoc b/guides/common/modules/con_integrating-a-remote-isc-dhcp-server.adoc
new file mode 100644
index 00000000000..ff7e17e86ca
--- /dev/null
+++ b/guides/common/modules/con_integrating-a-remote-isc-dhcp-server.adoc
@@ -0,0 +1,4 @@
+[id="integrating-a-remote-isc-dhcp-server"]
+= Integrating a remote ISC DHCP server
+
+If you already have an ISC DHCP server in your network, you can configure {ProjectServer} and {SmartProxyServer} to integrate this server to manage IP leases.
diff --git a/guides/common/modules/con_managing-dhcp-by-using-smartproxy.adoc b/guides/common/modules/con_managing-dhcp-by-using-smartproxy.adoc
deleted file mode 100644
index 965a5944922..00000000000
--- a/guides/common/modules/con_managing-dhcp-by-using-smartproxy.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-[id="managing-dhcp-by-using-{smart-proxy-context}"]
-= Managing DHCP by using {SmartProxy}
-
-{Project} can integrate with a DHCP service by using your {SmartProxy}.
-A {SmartProxy} has multiple DHCP providers that you can use to integrate {Project} with your existing DHCP infrastructure or deploy a new one.
-You can use the DHCP module of {SmartProxy} to query for available IP addresses, add new, and delete existing reservations.
-Note that your {SmartProxy} cannot manage subnet declarations.
-
-.Available DHCP providers
-* `dhcp_infoblox` {endash} For more information, see xref:Using_Infoblox_as_DHCP_and_DNS_Providers_{smart-proxy-context}[].
-* `dhcp_isc` {endash} ISC DHCP server over OMAPI.
-For more information, see xref:configuring-dns-dhcp-and-tftp-on-productname_{smart-proxy-context}[].
-* `dhcp_remote_isc` {endash} ISC DHCP server over OMAPI with leases mounted through networking.
-For more information, see xref:configuring-external-dhcp_{smart-proxy-context}[].
-ifndef::satellite[]
-* `dhcp_libvirt` {endash} dnsmasq DHCP via libvirt API
-endif::[]
-ifdef::orcharhino[]
-* `dhcp_native_ms` {endash} Microsoft Active Directory by using API
-endif::[]
diff --git a/guides/common/modules/con_managing-dns-by-using-smartproxy.adoc b/guides/common/modules/con_managing-dns-by-using-smartproxy.adoc
deleted file mode 100644
index dbf5d3035c0..00000000000
--- a/guides/common/modules/con_managing-dns-by-using-smartproxy.adoc
+++ /dev/null
@@ -1,31 +0,0 @@
-[id="managing-dns-by-using-{smart-proxy-context}"]
-= Managing DNS by using {SmartProxy}
-
-{Project} can manage DNS records by using your {SmartProxy}.
-DNS management contains updating and removing DNS records from existing DNS zones.
-A {SmartProxy} has multiple DNS providers that you can use to integrate {Project} with your existing DNS infrastructure or deploy a new one.
-
-After you have enabled DNS, your {SmartProxy} can manipulate any DNS server that complies with RFC 2136 by using the `dns_nsupdate` provider.
-Other providers provide more direct integration, such as `dns_infoblox` for https://www.infoblox.com/[Infoblox].
-
-.Available DNS providers
-ifdef::orcharhino[]
-* `dns_dnscmd` {endash} Static DNS records in Microsoft Active Directory.
-endif::[]
-* `dhcp_infoblox` {endash} For more information, see xref:Using_Infoblox_as_DHCP_and_DNS_Providers_{smart-proxy-context}[].
-ifndef::satellite[]
-* `dns_libvirt` {endash} Dnsmasq DNS via libvirt API.
-For more information, see xref:configuring_dns_libvirt_{context}[].
-endif::[]
-* `dns_nsupdate` {endash} Dynamic DNS update using nsupdate.
-For more information, see xref:configuring_dns_nsupdate_{context}[].
-* `dns_nsupdate_gss` {endash} Dynamic DNS update with GSS-TSIG.
-For more information, see xref:configuring-dynamic-dns-update-with-gss-tsig-authentication_{context}[].
-ifndef::satellite[]
-* `dns_powerdns` {endash} https://www.powerdns.com/[PowerDNS].
-For more information, see xref:configuring_dns_powerdns_{context}[].
-endif::[]
-
-ifdef::foreman-el,foreman-deb,katello[]
-For more information, see https://projects.theforeman.org/projects/foreman/wiki/List_of_Smart-Proxy_Plugins#DNS-plugins[List of DNS plugins]
-endif::[]
diff --git a/guides/common/modules/con_using-infoblox-as-dhcp-and-dns-providers.adoc b/guides/common/modules/con_using-infoblox-as-dhcp-and-dns-providers.adoc
deleted file mode 100644
index 3f8cc7c239f..00000000000
--- a/guides/common/modules/con_using-infoblox-as-dhcp-and-dns-providers.adoc
+++ /dev/null
@@ -1,6 +0,0 @@
-[id="Using_Infoblox_as_DHCP_and_DNS_Providers_{context}"]
-= Using Infoblox as DHCP and DNS providers
-
-You can use {ProductName} to connect to your Infoblox application to create and manage DHCP and DNS records, and to reserve IP addresses.
-
-The supported Infoblox version is NIOS 8.0 or higher.
diff --git a/guides/common/modules/proc_associating-the-dhcp-service-with-a-subnet.adoc b/guides/common/modules/proc_associating-the-dhcp-service-with-a-subnet.adoc
new file mode 100644
index 00000000000..c82a5d43d2e
--- /dev/null
+++ b/guides/common/modules/proc_associating-the-dhcp-service-with-a-subnet.adoc
@@ -0,0 +1,11 @@
+[id="associating-the-dhcp-service-with-a-subnet"]
+= Associating the DHCP service with a subnet
+
+After you configured or changed the DHCP provider, you must update the configuration of each affected {SmartProxy} in the {ProjectWebUI}.
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
+. Select the subnet name.
+. On the *Subnet* tab, set *IPAM* to *DHCP*.
+. On the *{SmartProxy}* tab, set *DHCP Proxy* to your {SmartProxy}.
+. Click *Submit*.
diff --git a/guides/common/modules/proc_associating-the-dns-service-with-a-domain-and-subnet.adoc b/guides/common/modules/proc_associating-the-dns-service-with-a-domain-and-subnet.adoc
new file mode 100644
index 00000000000..7f970504939
--- /dev/null
+++ b/guides/common/modules/proc_associating-the-dns-service-with-a-domain-and-subnet.adoc
@@ -0,0 +1,19 @@
+[id="associating-the-dns-service-with-a-domain-and-subnet"]
+= Associating the DNS service with a domain and subnet
+
+After you configured or changed the DNS provider, you must update the configuration of each affected {SmartProxy} in the {ProjectWebUI}.
+
+.Prerequisites
+* You configured a DNS provider.
+
+.Procedure
+. Configure the domain:
+.. In the {ProjectWebUI}, navigate to *Infrastructure* > *Domains*.
+.. Select the domain name.
+.. On the *Domain* tab, ensure *DNS {SmartProxy}* is set to the {SmartProxy} where the subnet is connected.
+. Configure the subnet:
+.. Navigate to *Infrastructure* > *Subnets*.
+.. Select the subnet name.
+.. On the *Domains* tab, select the domains that are valid on the subnet.
+.. In the *{SmartProxies}* tab, ensure *Reverse DNS {SmartProxy}* is set to the {SmartProxy} where the subnet is connected.
+.. Click *Submit*.
diff --git a/guides/common/modules/proc_associating-the-tftp-service-with-a-subnet.adoc b/guides/common/modules/proc_associating-the-tftp-service-with-a-subnet.adoc
new file mode 100644
index 00000000000..e5979e9e723
--- /dev/null
+++ b/guides/common/modules/proc_associating-the-tftp-service-with-a-subnet.adoc
@@ -0,0 +1,13 @@
+[id="associating-the-tftp-service-with-a-subnet"]
+= Associating the TFTP service with a subnet
+
+After you configured or changed the TFTP provider, you must update the configuration of each affected {SmartProxy} in the {ProjectWebUI}.
+
+.Prerequisites
+* You configured a TFTP server.
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
+. Select the subnet name.
+. On the *{SmartProxies}* tab, select the {SmartProxy} for TFTP.
+. Click *Submit*.
diff --git a/guides/common/modules/proc_configuring-an-external-dhcp-server.adoc b/guides/common/modules/proc_configuring-an-external-dhcp-server.adoc
deleted file mode 100644
index 9419ca731f7..00000000000
--- a/guides/common/modules/proc_configuring-an-external-dhcp-server.adoc
+++ /dev/null
@@ -1,168 +0,0 @@
-[id="configuring-an-external-dhcp-server_{context}"]
-= Configuring an external DHCP server to use with {ProductName}
-
-ifdef::foreman-deb[]
-[NOTE]
-====
-Note that this procedure describes how to run an external DHCP server on {EL} 8.
-====
-endif::[]
-
-To configure an external DHCP server running {EL} to use with {ProductName}, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages.
-You must also share the DHCP configuration and lease files with {ProductName}.
-The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
-
-[NOTE]
-====
-If you use dnsmasq as an external DHCP server, enable the `dhcp-no-override` setting.
-This is required because {Project} creates configuration files on the TFTP server under the `grub2/` subdirectory.
-If the `dhcp-no-override` setting is disabled, hosts fetch the boot loader and its configuration from the root directory, which might cause an error.
-====
-
-include::snip_firewalld.adoc[]
-
-.Procedure
-. On your {EL} host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {client-package-install-el8} dhcp-server bind-utils
-----
-. Generate a security token:
-+
-[options="nowrap"]
-----
-# tsig-keygen -a hmac-md5 omapi_key
-----
-. Edit the `dhcpd` configuration file for all subnets and add the key generated by `tsig-keygen`.
-The following is an example:
-+
-[options="nowrap" subs="+quotes"]
-----
-# cat /etc/dhcp/dhcpd.conf
-default-lease-time 604800;
-max-lease-time 2592000;
-log-facility local7;
-
-subnet _192.168.38.0_ netmask _255.255.255.0_ {
- range _192.168.38.10 192.168.38.100_;
- option routers _192.168.38.1_;
- option subnet-mask _255.255.255.0_;
- option domain-search "_virtual.lan_";
- option domain-name "_virtual.lan_";
- option domain-name-servers _8.8.8.8_;
-}
-
-omapi-port 7911;
-key omapi_key {
- algorithm hmac-md5;
- secret "_My_Secret_";
-};
-omapi-key omapi_key;
-----
-+
-Note that the `option routers` value is the IP address of your {ProjectServer} or {SmartProxyServer} that you want to use with an external DHCP service.
-. On {ProjectServer}, define each subnet.
-Do not set DHCP {SmartProxy} for the defined Subnet yet.
-+
-To prevent conflicts, set up the lease and reservation ranges separately.
-For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the {ProjectWebUI} define the reservation range as 192.168.38.101 to 192.168.38.250.
-. Configure the firewall for external access to the DHCP server:
-+
-[options="nowrap"]
-----
-# firewall-cmd --add-service dhcp
-----
-include::snip_make-firewall-settings-persistent.adoc[]
-. On {ProjectServer}, determine the UID and GID of the `foreman` user:
-+
-[options="nowrap" subs="+quotes"]
-----
-# id -u foreman
-__993__
-# id -g foreman
-_990_
-----
-. On the DHCP server, create the `foreman` user and group with the same IDs as determined in a previous step:
-+
-[options="nowrap" subs="+quotes"]
-----
-# groupadd -g _990_ foreman
-# useradd -u _993_ -g _990_ -s /sbin/nologin foreman
-----
-. To ensure that the configuration files are accessible, restore the read and execute flags:
-+
-[options="nowrap"]
-----
-# chmod o+rx /etc/dhcp/
-# chmod o+r /etc/dhcp/dhcpd.conf
-# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
-----
-. Enable and start the DHCP service:
-+
-[options="nowrap"]
-----
-# systemctl enable --now dhcpd
-----
-. Export the DHCP configuration and lease files using NFS:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {client-package-install-el8} {nfs-server-package}
-# systemctl enable --now nfs-server
-----
-. Create directories for the DHCP configuration and lease files that you want to export using NFS:
-+
-[options="nowrap"]
-----
-# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
-----
-. To create mount points for the created directories, add the following line to the `/etc/fstab` file:
-+
-[options="nowrap"]
-----
-/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
-/etc/dhcp /exports/etc/dhcp none bind,auto 0 0
-----
-. Mount the file systems in `/etc/fstab`:
-+
-[options="nowrap"]
-----
-# mount -a
-----
-. Ensure the following lines are present in `/etc/exports`:
-+
-[options="nowrap" subs="+quotes"]
-----
-/exports _192.168.38.1_(rw,async,no_root_squash,fsid=0,no_subtree_check)
-
-/exports/etc/dhcp _192.168.38.1_(ro,async,no_root_squash,no_subtree_check,nohide)
-
-/exports/var/lib/dhcpd _192.168.38.1_(ro,async,no_root_squash,no_subtree_check,nohide)
-----
-+
-Note that the IP address that you enter is the {Project} or {SmartProxy} IP address that you want to use with an external DHCP service.
-. Reload the NFS server:
-+
-[options="nowrap"]
-----
-# exportfs -rva
-----
-. Configure the firewall for DHCP omapi port 7911:
-+
-[options="nowrap"]
-----
-# firewall-cmd --add-port=7911/tcp
-----
-. Optional: Configure the firewall for external access to NFS.
-Clients are configured using NFSv3.
-+
-[options="nowrap"]
-----
-# firewall-cmd \
---add-service mountd \
---add-service nfs \
---add-service rpc-bind \
---zone public
-----
-include::snip_make-firewall-settings-persistent.adoc[]
diff --git a/guides/common/modules/proc_configuring-dhcp-libvirt.adoc b/guides/common/modules/proc_configuring-dhcp-libvirt.adoc
deleted file mode 100644
index 61d0dff50e2..00000000000
--- a/guides/common/modules/proc_configuring-dhcp-libvirt.adoc
+++ /dev/null
@@ -1,17 +0,0 @@
-[id="Configuring_dhcp_libvirt_{context}"]
-= Configuring dhcp_libvirt
-
-The _dhcp_libvirt_ plugin manages IP reservations and leases using `dnsmasq` through the libvirt API.
-It uses `ruby-libvirt` to connect to the local or remote instance of libvirt daemon.
-
-.Procedure
-* You can use `{foreman-installer}` to configure `dhcp_libvirt`:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-foreman-installer \
---foreman-proxy-dhcp true \
---foreman-proxy-dhcp-provider libvirt \
---foreman-proxy-libvirt-network default \
---foreman-proxy-libvirt-network qemu:///system
-----
diff --git a/guides/common/modules/proc_configuring-dns-dhcp-and-tftp.adoc b/guides/common/modules/proc_configuring-dns-dhcp-and-tftp.adoc
deleted file mode 100644
index cbcecb883f2..00000000000
--- a/guides/common/modules/proc_configuring-dns-dhcp-and-tftp.adoc
+++ /dev/null
@@ -1,62 +0,0 @@
-[id="configuring-dns-dhcp-and-tftp-on-productname_{context}"]
-= Configuring DNS, DHCP, and TFTP on {ProductName}
-
-To configure the DNS, DHCP, and TFTP services on {ProductName}, use the `{foreman-installer}` command with the options appropriate for your environment.
-
-Any changes to the settings require entering the `{foreman-installer}` command again.
-You can enter the command multiple times and each time it updates all configuration files with the changed values.
-
-.Prerequisites
-
-ifeval::["{context}" == "{project-context}"]
-* Ensure that the following information is available to you:
-** DHCP IP address ranges
-** DHCP gateway IP address
-** DHCP nameserver IP address
-** DNS information
-** TFTP server name
-
-* Use the FQDN instead of the IP address where possible in case of network changes.
-endif::[]
-
-ifeval::["{context}" == "{smart-proxy-context}"]
-* You must have the correct network name (`dns-interface`) for the DNS server.
-* You must have the correct interface name (`dhcp-interface`) for the DHCP server.
-endif::[]
-
-* Contact your network administrator to ensure that you have the correct settings.
-
-.Procedure
-
-* Enter the `{foreman-installer}` command with the options appropriate for your environment.
-The following example shows configuring full provisioning services:
-
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns true \
---foreman-proxy-dns-managed true \
---foreman-proxy-dns-zone _example.com_ \
---foreman-proxy-dns-reverse _2.0.192.in-addr.arpa_ \
---foreman-proxy-dhcp true \
---foreman-proxy-dhcp-managed true \
---foreman-proxy-dhcp-range "_192.0.2.100_ _192.0.2.150_" \
---foreman-proxy-dhcp-gateway _192.0.2.1_ \
---foreman-proxy-dhcp-nameservers _192.0.2.2_ \
---foreman-proxy-tftp true \
---foreman-proxy-tftp-managed true \
---foreman-proxy-tftp-servername _192.0.2.3_
-----
-
-You can monitor the progress of the `{foreman-installer}` command displayed in your prompt.
-You can view the logs in `{installer-log-file}`.
-
-.Additional resources
-* For more information about the `{foreman-installer}` command, enter `{foreman-installer} --help`.
-ifeval::["{context}" == "{smart-proxy-context}"]
-ifndef::foreman-deb,orcharhino[]
-* For more information about configuring DNS, DHCP, and TFTP externally, see xref:configuring-external-services[].
-endif::[]
-* For more information about configuring DHCP, DNS, and TFTP services, see {ProvisioningDocURL}Configuring_Network_Services_provisioning[Configuring Network Services] in _{ProvisioningDocTitle}_.
-endif::[]
diff --git a/guides/common/modules/proc_configuring-dns-libvirt.adoc b/guides/common/modules/proc_configuring-dns-libvirt.adoc
deleted file mode 100644
index fe878871842..00000000000
--- a/guides/common/modules/proc_configuring-dns-libvirt.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-[id="configuring_dns_libvirt_{context}"]
-= Configuring dns_libvirt
-
-The _dns_libvirt_ DNS provider manages DNS records using dnsmasq through the libvirt API.
-It uses `ruby-libvirt` gem to connect to the local or a remote instance of libvirt daemon.
-
-.Procedure
-* You can use `{foreman-installer}` to configure `dns_libvirt`:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns true \
---foreman-proxy-dns-provider libvirt \
---foreman-proxy-libvirt-network default \
---foreman-proxy-libvirt-url qemu:///system
-----
-+
-Note that you can only use one network and URL for both _dns_libvirt_ and _dhcp_libvirt_.
diff --git a/guides/common/modules/proc_configuring-dns-nsupdate.adoc b/guides/common/modules/proc_configuring-dns-nsupdate.adoc
deleted file mode 100644
index d968bb84a21..00000000000
--- a/guides/common/modules/proc_configuring-dns-nsupdate.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-[id="configuring_dns_nsupdate_{context}"]
-= Configuring dns_nsupdate
-
-The _dns_nsupdate_ DNS provider manages DNS records using the `nsupdate` utility.
-You can use _dns_nsupdate_ with any DNS server compatible with https://www.rfc-editor.org/rfc/rfc2136[RFC2136].
-By default, _dns_nsupdate_ installs the ISC BIND server.
-For installation without ISC BIND, see xref:configuring-external-dns_{context}[].
-
-.Procedure
-* Configure `dns_nsupdate`:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns true \
---foreman-proxy-dns-provider nsupdate \
---foreman-proxy-dns-managed true \
---foreman-proxy-dns-zone _example.com_ \
---foreman-proxy-dns-reverse _2.0.192.in-addr.arpa_
-----
diff --git a/guides/common/modules/proc_configuring-dns-powerdns.adoc b/guides/common/modules/proc_configuring-dns-powerdns.adoc
deleted file mode 100644
index 0d870a7b5cf..00000000000
--- a/guides/common/modules/proc_configuring-dns-powerdns.adoc
+++ /dev/null
@@ -1,17 +0,0 @@
-[id="configuring_dns_powerdns_{context}"]
-= Configuring dns_powerdns
-
-The _dns_powerdns_ DNS provider manages DNS records using the https://www.powerdns.com/[PowerDNS] REST API.
-
-.Procedure
-* You can use `{foreman-installer}` to configure `dns_powerdns`:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns true \
---foreman-proxy-dns-provider powerdns \
---enable-foreman-proxy-plugin-dns-powerdns \
---foreman-proxy-plugin-dns-powerdns-rest-api-key _api_key_ \
---foreman-proxy-plugin-dns-powerdns-rest-url _http://localhost:8081/api/v1/servers/localhost_
-----
diff --git a/guides/common/modules/proc_configuring-dynamic-dns-update-with-gss-tsig-authentication.adoc b/guides/common/modules/proc_configuring-dynamic-dns-update-with-gss-tsig-authentication.adoc
deleted file mode 100644
index 480646786c2..00000000000
--- a/guides/common/modules/proc_configuring-dynamic-dns-update-with-gss-tsig-authentication.adoc
+++ /dev/null
@@ -1,164 +0,0 @@
-[id="configuring-dynamic-dns-update-with-gss-tsig-authentication_{context}"]
-= Configuring dynamic DNS update with GSS-TSIG authentication
-
-You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in https://tools.ietf.org/html/rfc3645[RFC3645].
-To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the {ProductName} base operating system.
-
-.Prerequisites
-
-* You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-ifdef::satellite[]
-For more information, see {RHELDocsBaseURL}9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation[Port requirements for IdM] in _{RHEL}{nbsp}9 Installing Identity Management_.
-endif::[]
-* You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
-* You should create a backup of the answer file.
-You can use the backup to restore the answer file to its original state if it becomes corrupted.
-ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-server_{project-context}[Configuring {ProjectServer}].
-endif::[]
-
-.Procedure
-To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:
-
-.Creating a Kerberos principal on the IdM server
-
-. Obtain a Kerberos ticket for the account obtained from the IdM administrator:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# kinit _idm_user_
-----
-
-. Create a new Kerberos principal for {ProductName} to use to authenticate on the IdM server:
-+
-ifeval::["{context}" == "{smart-proxy-context}"]
-[options="nowrap" subs="+quotes,attributes"]
-----
-# ipa service-add _{smartproxy-example-com}_
-----
-endif::[]
-ifeval::["{context}" == "{project-context}"]
-[options="nowrap" subs="+quotes,attributes"]
-----
-# ipa service-add _{smart-proxy-principal}/{foreman-example-com}_
-----
-endif::[]
-
-.Installing and configuring the idM client
-
-. On the base operating system of either the {Project} or {SmartProxy} that is managing the DNS service for your deployment, install the `ipa-client` package:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {project-package-install} ipa-client
-----
-
-. Configure the IdM client by running the installation script and following the on-screen prompts:
-+
-[options="nowrap"]
-----
-# ipa-client-install
-----
-
-. Obtain a Kerberos ticket:
-+
-[options="nowrap"]
-----
-# kinit admin
-----
-
-. Remove any preexisting `keytab`:
-+
-[options="nowrap"]
-----
-# rm /etc/foreman-proxy/dns.keytab
-----
-
-. Obtain the `keytab` for this system:
-+
-
-[options="nowrap" subs="+quotes,attributes"]
-----
-# ipa-getkeytab -p {smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_ \
--s _idm1.example.com_ -k /etc/foreman-proxy/dns.keytab
-----
-+
-[NOTE]
-====
-When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.
-====
-+
-. For the `dns.keytab` file, set the group and owner to `foreman-proxy`:
-+
-[options="nowrap"]
-----
-# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
-----
-
-. Optional: To verify that the `keytab` file is valid, enter the following command:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# kinit -kt /etc/foreman-proxy/dns.keytab \
-{smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_
-----
-
-.Configuring DNS zones in the IdM web UI
-
-. Create and configure the zone that you want to manage:
-.. Navigate to *Network Services* > *DNS* > *DNS Zones*.
-.. Select *Add* and enter the zone name.
-For example, `example.com`.
-.. Click *Add and Edit*.
-.. Click the Settings tab and in the *BIND update policy* box, add the following to the semi-colon separated list:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-grant {smart-proxy-principal}\047__{foreman-example-com}@EXAMPLE.COM__ wildcard * ANY;
-----
-
-.. Set *Dynamic update* to *True*.
-.. Enable *Allow PTR sync*.
-.. Click *Save* to save the changes.
-
-. Create and configure the reverse zone:
-.. Navigate to *Network Services* > *DNS* > *DNS Zones*.
-.. Click *Add*.
-.. Select *Reverse zone IP network* and add the network address in CIDR format to enable reverse lookups.
-.. Click *Add and Edit*.
-.. Click the *Settings* tab and in the *BIND update policy* box, add the following to the semi-colon separated list:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-grant {smart-proxy-principal}\047__{foreman-example-com}@EXAMPLE.COM__ wildcard * ANY;
-----
-
-.. Set *Dynamic update* to *True*.
-.. Click *Save* to save the changes.
-
-
-.Configuring the {Project} or {SmartProxyServer} that manages the DNS service for the domain
-
-. Configure your {ProjectServer} or {SmartProxyServer} to connect to your DNS service:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns-managed=false \
---foreman-proxy-dns-provider=nsupdate_gss \
---foreman-proxy-dns-server="_idm1.example.com_" \
---foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
---foreman-proxy-dns-tsig-principal="{smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_" \
---foreman-proxy-dns=true
-----
-. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}:
-.. In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*, locate the {ProductName}, and from the list in the *Actions* column, select *Refresh*.
-.. Configure the domain:
-... In the {ProjectWebUI}, navigate to *Infrastructure* > *Domains* and select the domain name.
-... In the *Domain* tab, ensure *DNS {SmartProxy}* is set to the {SmartProxy} where the subnet is connected.
-.. Configure the subnet:
-... In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets* and select the subnet name.
-... In the *Subnet* tab, set *IPAM* to *None*.
-... In the *Domains* tab, select the domain that you want to manage using the IdM server.
-... In the *{SmartProxies}* tab, ensure *Reverse DNS {SmartProxy}* is set to the {SmartProxy} where the subnet is connected.
-... Click *Submit* to save the changes.
diff --git a/guides/common/modules/proc_configuring-dynamic-dns-update-with-tsig-authentication.adoc b/guides/common/modules/proc_configuring-dynamic-dns-update-with-tsig-authentication.adoc
deleted file mode 100644
index 9e88f14bd64..00000000000
--- a/guides/common/modules/proc_configuring-dynamic-dns-update-with-tsig-authentication.adoc
+++ /dev/null
@@ -1,159 +0,0 @@
-[id="configuring-dynamic-dns-update-with-tsig-authentication_{context}"]
-= Configuring dynamic DNS update with TSIG authentication
-
-You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the `rndc.key` key file for authentication.
-The TSIG protocol is defined in https://tools.ietf.org/html/rfc2845[RFC2845].
-
-
-.Prerequisites
-
-* You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
-ifdef::satellite[]
-For more information, see {RHELDocsBaseURL}7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#prereq-ports[Port Requirements] in the _{RHEL}{nbsp}7 Linux Domain Identity, Authentication, and Policy Guide_.
-endif::[]
-* You must obtain `root` user access on the IdM server.
-* You must confirm whether {ProjectServer} or {SmartProxyServer} is configured to provide DNS service for your deployment.
-* You must configure DNS, DHCP and TFTP services on the base operating system of either the {Project} or {SmartProxy} that is managing the DNS service for your deployment.
-* You must create a backup of the answer file.
-You can use the backup to restore the answer file to its original state if it becomes corrupted.
-ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-server_{project-context}[Configuring {ProjectServer}].
-endif::[]
-
-.Procedure
-To configure dynamic DNS update with TSIG authentication, complete the following steps:
-
-.Enabling external updates to the DNS zone in the IdM server
-
-. On the IdM Server, add the following to the top of the `/etc/named.conf` file:
-+
-[source, none, options="nowrap" subs="+attributes"]
-----
-########################################################################
-
-include "/etc/rndc.key";
-controls {
-inet _IdM_Server_IP_Address_ port 953 allow { _{Project}_IP_Address_; } keys { "rndc-key"; };
-};
-########################################################################
-----
-
-. Reload the `named` service to make the changes take effect:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# systemctl reload named
-----
-
-. In the IdM web UI, navigate to *Network Services* > *DNS* > *DNS Zones* and click the name of the zone.
-In the *Settings* tab, apply the following changes:
-
-.. Add the following in the `BIND update policy` box:
-+
-[source, none, options="nowrap" subs="+quotes,attributes"]
-----
-grant "rndc-key" zonesub ANY;
-----
-
-.. Set *Dynamic update* to *True*.
-
-.. Click *Update* to save the changes.
-
-
-. Copy the `/etc/rndc.key` file from the IdM server to the base operating system of your {ProjectServer}.
-Enter the following command:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# scp /etc/rndc.key root@_{foreman-example-com}_:/etc/rndc.key
-----
-
-. To set the correct ownership, permissions, and SELinux context for the `rndc.key` file, enter the following command:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# restorecon -v /etc/rndc.key
-# chown -v root:named /etc/rndc.key
-# chmod -v 640 /etc/rndc.key
-----
-
-. Assign the `foreman-proxy` user to the `named` group manually.
-Normally, {foreman-installer} ensures that the `foreman-proxy` user belongs to the `named` UNIX group, however, in this scenario {Project} does not manage users and groups, therefore you need to assign the `foreman-proxy` user to the `named` group manually.
-+
-[options="nowrap"]
-----
-# usermod -a -G named foreman-proxy
-----
-
-. On {ProjectServer}, enter the following `{foreman-installer}` command to configure {Project} to use the external DNS server:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-dns-managed=false \
---foreman-proxy-dns-provider=nsupdate \
---foreman-proxy-dns-server="_IdM_Server_IP_Address_" \
---foreman-proxy-dns-ttl=86400 \
---foreman-proxy-dns=true \
---foreman-proxy-keyfile=/etc/rndc.key
-----
-
-.Testing external updates to the DNS zone in the IdM server
-
-. Ensure that the key in the `/etc/rndc.key` file on {ProjectServer} is the same key file that is used on the IdM server:
-+
-[source,none, options="nowrap" subs="+quotes,attributes"]
-----
-key "rndc-key" {
- algorithm hmac-md5;
- secret "_secret-key_==";
-};
-----
-
-. On {ProjectServer}, create a test DNS entry for a host.
-For example, host `_test.example.com_` with an A record of `192.168.25.20` on the IdM server at `192.168.25.1`.
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# echo -e "server 192.168.25.1\n \
-update add _test.example.com_ 3600 IN A 192.168.25.20\n \
-send\n" | nsupdate -k /etc/rndc.key
-----
-
-. On {ProjectServer}, test the DNS entry:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# nslookup _test.example.com_ 192.168.25.1
-----
-+
-Example output:
-+
-[source, none, options="nowrap", subs="+quotes,attributes"]
-----
-Server: 192.168.25.1
-Address: 192.168.25.1#53
-
-Name: test.example.com
-Address: 192.168.25.20
-----
-
-. To view the entry in the IdM web UI, navigate to *Network Services* > *DNS* > *DNS Zones*.
-Click the name of the zone and search for the host by name.
-
-. If resolved successfully, remove the test DNS entry:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# echo -e "server 192.168.25.1\n \
-update delete _test.example.com_ 3600 IN A 192.168.25.20\n \
-send\n" | nsupdate -k /etc/rndc.key
-----
-
-. Confirm that the DNS entry was removed:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# nslookup _test.example.com_ 192.168.25.1
-----
-The above `nslookup` command fails and returns the `SERVFAIL` error message if the record was successfully deleted.
diff --git a/guides/common/modules/proc_configuring-external-dns.adoc b/guides/common/modules/proc_configuring-external-dns.adoc
deleted file mode 100644
index f745a283513..00000000000
--- a/guides/common/modules/proc_configuring-external-dns.adoc
+++ /dev/null
@@ -1,54 +0,0 @@
-[id="configuring-external-dns_{context}"]
-= Configuring {ProductName} with external DNS
-
-You can configure {ProductName} with external DNS.
-{ProductName} uses the `nsupdate` utility to update DNS records on the remote server.
-
-To make any changes persistent, you must enter the `{foreman-installer}` command with the options appropriate for your environment.
-
-.Prerequisites
-* You must have a configured external DNS server.
-* This guide assumes you have an existing installation.
-
-.Procedure
-. Copy the `/etc/rndc.key` file from the external DNS server to {ProductName}:
-+
-[options="nowrap" subs="+quotes"]
-----
-# scp root@_dns.example.com_:/etc/rndc.key /etc/foreman-proxy/rndc.key
-----
-. Configure the ownership, permissions, and SELinux context:
-+
-[options="nowrap"]
-----
-ifndef::foreman-deb[]
-# restorecon -v /etc/foreman-proxy/rndc.key
-endif::[]
-# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
-# chmod -v 640 /etc/foreman-proxy/rndc.key
-----
-. To test the `nsupdate` utility, add a host remotely:
-+
-[options="nowrap", subs="+quotes"]
-----
-# echo -e "server _DNS_IP_Address_\n \
-update add aaa.example.com 3600 IN A _Host_IP_Address_\n \
-send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
-# nslookup aaa.example.com _DNS_IP_Address_
-# echo -e "server _DNS_IP_Address_\n \
-update delete aaa.example.com 3600 IN A _Host_IP_Address_\n \
-send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
-----
-. Enter the `{foreman-installer}` command to make the following persistent changes to the `/etc/foreman-proxy/settings.d/dns.yml` file:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# {foreman-installer} --foreman-proxy-dns=true \
---foreman-proxy-dns-managed=false \
---foreman-proxy-dns-provider=nsupdate \
---foreman-proxy-dns-server="_DNS_IP_Address_" \
---foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key
-----
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*.
-. Locate the {ProductName} and select *Refresh* from the list in the *Actions* column.
-. Associate the DNS service with the appropriate subnets and domain.
diff --git a/guides/common/modules/proc_configuring-external-tftp.adoc b/guides/common/modules/proc_configuring-external-tftp.adoc
deleted file mode 100644
index 614355eaba1..00000000000
--- a/guides/common/modules/proc_configuring-external-tftp.adoc
+++ /dev/null
@@ -1,41 +0,0 @@
-[id="configuring-external-tftp_{context}"]
-= Configuring {ProductName} with external TFTP
-
-You can configure {ProductName} with external TFTP services.
-
-.Procedure
-. Create the TFTP directory for NFS:
-+
-[options="nowrap"]
-----
-# mkdir -p /mnt/nfs/var/lib/tftpboot
-----
-. In the `/etc/fstab` file, add the following line:
-+
-[options="nowrap" subs="+quotes"]
-----
-_TFTP_Server_IP_Address_:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
-----
-. Mount the file systems in `/etc/fstab`:
-+
-[options="nowrap"]
-----
-# mount -a
-----
-. Enter the `{foreman-installer}` command to make the following persistent changes to the `/etc/foreman-proxy/settings.d/tftp.yml` file:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} \
---foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \
---foreman-proxy-tftp=true
-----
-. If the TFTP service is running on a different server than the DHCP service, update the `tftp_servername` setting with the FQDN or IP address of the server that the TFTP service is running on:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} --foreman-proxy-tftp-servername=_TFTP_Server_FQDN_
-----
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*.
-. Locate the {ProductName} and select *Refresh* from the list in the *Actions* column.
-. Associate the TFTP service with the appropriate subnets and domain.
diff --git a/guides/common/modules/proc_configuring-isc-dhcp-to-use-with-server.adoc b/guides/common/modules/proc_configuring-isc-dhcp-to-use-with-server.adoc
new file mode 100644
index 00000000000..3fa986e31a6
--- /dev/null
+++ b/guides/common/modules/proc_configuring-isc-dhcp-to-use-with-server.adoc
@@ -0,0 +1,180 @@ +[id="configuring-isc-dhcp-to-use-with-server"] += Configuring ISC DHCP to use with {ProjectServer} + +To configure an external DHCP server running {EL} to use with {ProductName}, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. +You must also share the DHCP configuration and lease files with {ProductName}. +The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files. + +ifdef::foreman-deb[] +[NOTE] +==== +This procedure describes how to run a remote ISC DHCP server on {EL} 9. +==== +endif::[] + +.Procedure +. Perform the following steps on the DHCP server: +.. Install the required packages: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {client-package-install-el8} dhcp-server bind-utils +---- +.. Generate a security token: ++ +[options="nowrap" subs="+quotes"] +---- +# tsig-keygen -a hmac-md5 _omapi_key_ +key "omapi_key" { + algorithm hmac-md5; + secret "4z1jwYO0RGUTJbWDepFBdg=="; +}; +---- +.. Edit the `/etc/dhcp/dhcpd.conf` file for all subnets, and add the key generated by `tsig-keygen`. +The following is an example: ++ +[options="nowrap" subs="+quotes"] +---- +# cat /etc/dhcp/dhcpd.conf +default-lease-time 604800; +max-lease-time 2592000; +log-facility local7; + +subnet _192.168.38.0_ netmask _255.255.255.0_ { + range _192.168.38.10 192.168.38.100_; + option routers _192.168.38.1_; + option subnet-mask _255.255.255.0_; + option domain-search "_virtual.lan_"; + option domain-name "_virtual.lan_"; + option domain-name-servers _8.8.8.8_; +} + +omapi-port 7911; +key _omapi_key_ { + algorithm hmac-md5; + secret "_key_secret_"; +}; +omapi-key _omapi_key_; +---- ++ +Note that the `option routers` value is the IP address of your {ProjectServer} or {SmartProxyServer} that you want to use with an external DHCP service. +.. 
Open the DHCP port in the `firewalld` service: ++ +[options="nowrap"] +---- +# firewall-cmd --add-service dhcp +---- +.. Make the changes persistent: ++ +[options="nowrap"] +---- +# firewall-cmd --runtime-to-permanent +---- +. On {ProjectServer}, determine both the UID and the primary GID of the `foreman-proxy` user: ++ +[options="nowrap" subs="+quotes"] +---- +# id -u foreman-proxy +_993_ + +# id -g foreman-proxy +_990_ +---- +. Perform the following steps on the DHCP server: +.. Create the `foreman-proxy` group with the same group ID as determined in a previous step: ++ +[options="nowrap" subs="+quotes"] +---- +# groupadd -g _990_ foreman-proxy +---- +.. Create the `foreman-proxy` user with the same user ID and primary group ID as determined in a previous step: ++ +[options="nowrap" subs="+quotes"] +---- +# useradd -u _993_ -g _990_ -s /sbin/nologin foreman-proxy +---- +.. Ensure that the configuration files are accessible: ++ +[options="nowrap"] +---- +# chmod o+rx /etc/dhcp/ +# chmod o+r /etc/dhcp/dhcpd.conf +# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf +---- +.. Enable and start the `dhcpd` service: ++ +[options="nowrap"] +---- +# systemctl enable --now dhcpd +---- +.. Install the `nfs-server` package: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {client-package-install-el8} {nfs-server-package} +---- +.. Enable and start the NFS server service: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# systemctl enable --now nfs-server +---- +.. Create directories for the DHCP configuration and lease files that you want to export by using NFS: ++ +[options="nowrap"] +---- +# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp +---- +.. 
Edit the `/etc/fstab` file and add bind mount entries for the exported directories: ++ +[options="nowrap"] +---- +/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 +/etc/dhcp /exports/etc/dhcp none bind,auto 0 0 +---- ++ +These entries use bind mounts which mount the original directories to the ones you use for the export in NFS. +.. Activate the bind mounts from the `/etc/fstab` file: ++ +[options="nowrap"] +---- +# mount -a +---- +.. Edit the `/etc/exports` file, and export the required directories in NFS: ++ +[options="nowrap" subs="+quotes"] +---- +/exports _192.168.38.1_(rw,async,no_root_squash,fsid=0,no_subtree_check) +/exports/etc/dhcp _192.168.38.1_(ro,async,no_root_squash,no_subtree_check,nohide) +/exports/var/lib/dhcpd _192.168.38.1_(ro,async,no_root_squash,no_subtree_check,nohide) +---- ++ +Use the IP address of the {Project} or {SmartProxy} in the export options to ensure that only these hosts have access. +.. Reload the NFS server: ++ +[options="nowrap"] +---- +# exportfs -rva +---- +.. Enable the `dhcpd` OMAPI port in `firewalld`: ++ +[options="nowrap"] +---- +# firewall-cmd --add-port=7911/tcp +---- +.. Enable the services required for NFSv3 in `firewalld`: ++ +[options="nowrap"] +---- +# firewall-cmd \ +--add-service mountd \ +--add-service nfs \ +--add-service rpc-bind \ +--zone public +---- +.. Make the changes persistent: ++ +[options="nowrap"] +---- +# firewall-cmd --runtime-to-permanent +---- diff --git a/guides/common/modules/proc_configuring-network-services.adoc b/guides/common/modules/proc_configuring-network-services.adoc deleted file mode 100644 index 0e6cd9ecc71..00000000000 --- a/guides/common/modules/proc_configuring-network-services.adoc +++ /dev/null 
@@ -1,56 +0,0 @@
-[id="Configuring_Network_Services_{context}"]
-= Configuring network services
-
-Some provisioning methods use {SmartProxyServer} services.
-For example, a network might require {SmartProxyServer} to act as a DHCP server.
-A network can also use PXE boot services to install the operating system on new hosts.
-This requires configuring {SmartProxyServer} to use the main PXE boot services: DHCP, DNS, and TFTP.
-
-Use the `{foreman-installer}` command with the options to configure these services on {ProjectServer}.
-
-ifdef::satellite,orcharhino[]
-To configure these services on an external {SmartProxyServer}, run `{foreman-installer}`.
-endif::[]
-ifdef::orcharhino[]
-For more information, see xref:sources/installation_and_maintenance/installing_orcharhino_proxy_server.adoc[{InstallingSmartProxyDocTitle}].
-endif::[]
-
-.Procedure
-. Enter the `{foreman-installer}` command to configure the required network services:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} --foreman-proxy-dhcp true \
---foreman-proxy-dhcp-gateway "_192.168.140.1_" \
---foreman-proxy-dhcp-managed true \
---foreman-proxy-dhcp-nameservers "_192.168.140.2_" \
---foreman-proxy-dhcp-range "_192.168.140.10_ _192.168.140.110_" \
---foreman-proxy-dhcp-server "_192.168.140.2_" \
---foreman-proxy-dns true \
---foreman-proxy-dns-forwarders "_8.8.8.8_" \
---foreman-proxy-dns-forwarders "_8.8.4.4_" \
---foreman-proxy-dns-managed true \
---foreman-proxy-dns-reverse "_140.168.192.in-addr.arpa_" \
---foreman-proxy-dns-server "_127.0.0.1_" \
---foreman-proxy-dns-zone "_example.com_" \
---foreman-proxy-tftp true \
---foreman-proxy-tftp-managed true
-----
-. Find {SmartProxyServer} that you configure:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {hammer-smart-proxy} list
-----
-. Refresh features of {SmartProxyServer} to view the changes:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {hammer-smart-proxy} refresh-features --name "_{foreman-example-com}_"
-----
-. Verify the services configured on {SmartProxyServer}:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {hammer-smart-proxy} info --name "_{foreman-example-com}_"
-----
diff --git a/guides/common/modules/proc_configuring-satellite-deployment-with-an-external-dhcp-server.adoc b/guides/common/modules/proc_configuring-satellite-deployment-with-an-external-dhcp-server.adoc
deleted file mode 100644
index 8bda9b2d398..00000000000
--- a/guides/common/modules/proc_configuring-satellite-deployment-with-an-external-dhcp-server.adoc
+++ /dev/null
@@ -1,76 +0,0 @@
-[id="Configuring_Server_with_an_External_DHCP_Server_{context}"]
-= Configuring {ProjectServer} with an external DHCP server
-
-You can configure {ProductName} with an external DHCP server.
-
-.Prerequisites
-* Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with {ProductName}.
-For more information, see xref:configuring-an-external-dhcp-server_{context}[].
-
-.Procedure
-. Install the `{nfs-client-package}` package:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {project-package-install} {nfs-client-package}
-----
-. Create the DHCP directories for NFS:
-+
-[options="nowrap"]
-----
-# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
-----
-. Change the file owner:
-+
-[options="nowrap"]
-----
-# chown -R foreman-proxy /mnt/nfs
-----
-. Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
-+
-[options="nowrap" subs="+quotes"]
-----
-# showmount -e _DHCP_Server_FQDN_
-# rpcinfo -p _DHCP_Server_FQDN_
-----
-. Add the following lines to the `/etc/fstab` file:
-+
-[options="nowrap" subs="+quotes"]
-----
-_DHCP_Server_FQDN_:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
-ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
-
-_DHCP_Server_FQDN_:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
-ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
-----
-. Mount the file systems on `/etc/fstab`:
-+
-[options="nowrap"]
-----
-# mount -a
-----
-. To verify that the `foreman-proxy` user can access the files that are shared over the network, display the DHCP configuration and lease files:
-+
-[options="nowrap"]
-----
-# su foreman-proxy -s /bin/bash
-$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
-$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
-$ exit
-----
-. Enter the `{foreman-installer}` command to make the following persistent changes to the `/etc/foreman-proxy/settings.d/dhcp.yml` file:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} \
---enable-foreman-proxy-plugin-dhcp-remote-isc \
---foreman-proxy-dhcp-provider=remote_isc \
---foreman-proxy-dhcp-server=_My_DHCP_Server_FQDN_ \
---foreman-proxy-dhcp=true \
---foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
---foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
---foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
---foreman-proxy-plugin-dhcp-remote-isc-key-secret=_My_Secret_ \
---foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911
-----
-. Associate the DHCP service with the appropriate subnets and domain.
diff --git a/guides/common/modules/proc_configuring-server-for-use-with-tftp.adoc b/guides/common/modules/proc_configuring-server-for-use-with-tftp.adoc
new file mode 100644
index 00000000000..98a66e47057
--- /dev/null
+++ b/guides/common/modules/proc_configuring-server-for-use-with-tftp.adoc
@@ -0,0 +1,39 @@
+[id="configuring-server-for-use-with-tftp"]
+= Configuring {ProductName} for use with tftp
+
+After you prepared the TFTP server and shared the root directory of the TFTP service over the network, integrate the service into {Project}.
+
+.Prerequisites
+* You shared the `/exports/var/lib/tftpboot` on the TFTP server with NFS.
+
+.Procedure
+. Create the directory into which you later mount the NFS share:
++
+[options="nowrap"]
+----
+# mkdir -p /mnt/nfs/var/lib/tftpboot
+----
+. Edit the `/etc/fstab` file, and add entry for the NFS share to mount them automatically when the system boots:
++
+[options="nowrap" subs="+quotes"]
+----
+_tftp_server_fqdn_:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
+----
+. Mount the NFS share:
++
+[options="nowrap"]
+----
+# mount /mnt/nfs/var/lib/tftpboot/
+----
+. Configure {ProjectServer} or {SmartProxyServer} to use the TFTP server:
++
+[options="nowrap" subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-tftp true \
+--foreman-proxy-managed false \
+--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \
+--foreman-proxy-tftp-servername _tftp_server_fqdn_
+----
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-tftp-service-with-a-subnet[].
diff --git a/guides/common/modules/proc_configuring-server-or-proxy-for-use-with-isc-dhcp.adoc b/guides/common/modules/proc_configuring-server-or-proxy-for-use-with-isc-dhcp.adoc
new file mode 100644
index 00000000000..5a007ab9882
--- /dev/null
+++ b/guides/common/modules/proc_configuring-server-or-proxy-for-use-with-isc-dhcp.adoc
@@ -0,0 +1,91 @@
+[id="configuring-server-or-proxy-for-use-with-isc-dhcp"]
+= Configuring {ProjectServer} or {SmartProxyServer} for use with ISC DHCP
+
+You can configure {ProductName} with a non-installer-managed DHCP server. Perform the steps on the {ProjectServer} or {SmartProxyServer}.
+
+.Prerequisites
+* You configured the DHCP service and shared the configuration and lease files over the network.
+For more information, see xref:configuring-isc-dhcp-to-use-with-server[].
+
+.Procedure
+. Install the required package:
++
+[options="nowrap" subs="+quotes,attributes"]
+----
+# {project-package-install} {nfs-client-package}
+----
+. Create the directories into which you later mount the NFS shares:
++
+[options="nowrap"]
+----
+# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
+----
+. Set the owner of the `/mnt/nfs` and sub-directories to `foreman-proxy`:
++
+[options="nowrap"]
+----
+# chown -R foreman-proxy /mnt/nfs
+----
+. Verify that the NFS server exports the required directories:
++
+[options="nowrap" subs="+quotes"]
+----
+# showmount -e _DHCP_Server_FQDN_
+----
+. Edit the `/etc/fstab` file, and add entries for the NFS shares to mount them automatically when the system boots:
++
+[options="nowrap" subs="+quotes"]
+----
+_dhcp_server_fqdn_:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
+
+_dhcp_server_fqdn_:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
+----
+. Mount the NFS shares:
++
+[options="nowrap"]
+----
+# mount /mnt/nfs/etc/dhcp/
+# mount /mnt/nfs/var/lib/dhcpd/
+----
+. Optional: Verify that the `foreman-proxy` user can access the files on the NFS server:
+.. Switch to the `foreman-proxy` user:
++
+[options="nowrap"]
+----
+# su foreman-proxy -s /bin/bash
+----
+.. Display the `/mnt/nfs/etc/dhcp/dhcpd.conf` file:
++
+[options="nowrap"]
+----
+$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
+----
+.. Display the `/mnt/nfs/var/lib/dhcpd/dhcpd.leases` file:
++
+[options="nowrap"]
+----
+$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
+----
+.. Log out the `foreman-proxy` user to switch back to the `root` user:
++
+[options="nowrap"]
+----
+$ exit
+----
+. Configure {ProjectServer} or {SmartProxyServer} to use the DHCP server:
++
+[options="nowrap" subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dhcp true \
+--foreman-proxy-dhcp-provider remote_isc \
+--enable-foreman-proxy-plugin-dhcp-remote-isc \
+--foreman-proxy-dhcp-server _dhcp_server_fqdn_ \
+--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
+--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
+--foreman-proxy-plugin-dhcp-remote-isc-key-name omapi_key \
+--foreman-proxy-plugin-dhcp-remote-isc-key-secret _key_secret_ \
+--foreman-proxy-plugin-dhcp-remote-isc-omapi-port 7911
+----
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-dhcp-service-with-a-subnet[].
diff --git a/guides/common/modules/proc_disabling-dhcp-for-integration.adoc b/guides/common/modules/proc_disabling-dhcp-for-integration.adoc
new file mode 100644
index 00000000000..18d264a52f3
--- /dev/null
+++ b/guides/common/modules/proc_disabling-dhcp-for-integration.adoc
@@ -0,0 +1,28 @@
+[id="disabling-dhcp-for-integration"]
+= Disabling DHCP for integration
+
+If you want to manually manage a DHCP service, you must prevent {Project} from maintaining this service on the operating system and disable orchestration to avoid errors.
+
+[NOTE]
+====
+Disabling DHCP in {Project} does not remove the related backend service on the operating system.
+====
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
+. For each subnet that is associated with the DHCP {SmartProxy}:
+.. Select the subnet.
+.. On the *{SmartProxies}* tab, clear the *DHCP {SmartProxy}* field.
+.. Click *Submit*.
+. On {ProjectServer} and {SmartProxyServer}, enter:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+# {foreman-installer} --foreman-proxy-dhcp false
+----
++
+[NOTE]
+====
+{Project} does not perform orchestration when a {SmartProxy} is not set for a given subnet.
+When you disable {SmartProxy} associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.
+====
diff --git a/guides/common/modules/proc_disabling-dns-dhcp-tftp-for-unmanaged-networks.adoc b/guides/common/modules/proc_disabling-dns-dhcp-tftp-for-unmanaged-networks.adoc
deleted file mode 100644
index 31f83ed4bb7..00000000000
--- a/guides/common/modules/proc_disabling-dns-dhcp-tftp-for-unmanaged-networks.adoc
+++ /dev/null
@@ -1,45 +0,0 @@
-[id="disabling-dns-dhcp-tftp-for-unmanaged-networks_{context}"]
-= Disabling DNS, DHCP, and TFTP for unmanaged networks
-
-If you want to manage TFTP, DHCP, and DNS services manually, you must prevent {Project} from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors.
-
-[IMPORTANT]
-====
-Disabling these {SmartProxy} features means {Project} will no longer orchestrate DNS, DHCP, and TFTP, but it does not stop or remove the corresponding services.
-====
-
-.Procedure
-
-. Disable DHCP, DNS, and TFTP integration on your {ProjectServer}:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# {foreman-installer} --foreman-proxy-dhcp false \
---foreman-proxy-dns false \
---foreman-proxy-tftp false
-----
-
-. Disable the {SmartProxy} integration for every subnet:
-
-.. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
-.. Select a subnet.
-.. On the *{SmartProxies}* tab, clear the *DHCP {SmartProxy}*, *TFTP {SmartProxy}*, and *Reverse DNS {SmartProxy}* fields.
-
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *Domains* and select a domain.
-
-. Clear the *DNS {SmartProxy}* field.
-
-. Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-Option 66: __IP address of {Project} or {SmartProxy}__
-Option 67: /pxelinux.0
-----
-+
-For more information about DHCP options, see https://tools.ietf.org/html/rfc2132[RFC 2132].
-
-[NOTE]
-{Project} does not perform orchestration when a {SmartProxy} is not set for a given subnet and domain.
-When enabling or disabling {SmartProxy} associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.
-When associating a {SmartProxy} to turn orchestration on, ensure the required DHCP and DNS records as well as the TFTP files are in place for the existing {Project} hosts in order to prevent host deletion failures in the future.
diff --git a/guides/common/modules/proc_disabling-dns-for-integration.adoc b/guides/common/modules/proc_disabling-dns-for-integration.adoc
new file mode 100644
index 00000000000..981cd01e2df
--- /dev/null
+++ b/guides/common/modules/proc_disabling-dns-for-integration.adoc
@@ -0,0 +1,33 @@
+[id="disabling-dns-for-integration"]
+= Disabling DNS for integration
+
+If you want to manually manage a DNS service, you must prevent {Project} from maintaining this service on the operating system and disable orchestration to avoid errors.
+
+[NOTE]
+====
+Disabling DNS in {Project} does not remove the related backend service on the operating system.
+====
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
+. For each subnet that is associated with the DNS {SmartProxy}:
+.. Select the subnet.
+.. On the *{SmartProxies}* tab, clear the *Reverse DNS {SmartProxy}* field.
+.. Click *Submit*.
+. Navigate to *Infrastructure* > *Domains*.
+. For each domain that is associated with the DNS {SmartProxy}:
+.. Select the domain.
+.. Clear the *DNS {SmartProxy}* field.
+.. Click *Submit*.
+. On {ProjectServer}, enter:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+# {foreman-installer} --foreman-proxy-dns false
+----
++
+[NOTE]
+====
+{Project} does not perform orchestration when a {SmartProxy} is not set for a given subnet and domain.
+When you disable {SmartProxy} associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.
+====
diff --git a/guides/common/modules/proc_disabling-tftp-for-integration.adoc b/guides/common/modules/proc_disabling-tftp-for-integration.adoc
new file mode 100644
index 00000000000..3a5314bdb01
--- /dev/null
+++ b/guides/common/modules/proc_disabling-tftp-for-integration.adoc
@@ -0,0 +1,28 @@
+[id="disabling-tftp-for-integration"]
+= Disabling TFTP for integration
+
+If you want to manually manage a TFTP service, you must prevent {Project} from maintaining this service on the operating system and disable orchestration to avoid errors.
+
+[NOTE]
+====
+Disabling TFTP in {Project} does not remove the related backend service on the operating system.
+====
+
+.Procedure
+. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
+. For each subnet that is associated with the TFTP {SmartProxy}:
+.. Select the subnet.
+.. On the *{SmartProxies}* tab, clear the *TFTP {SmartProxy}* field.
+.. Click *Submit*.
+. On {ProjectServer}, enter:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+# {foreman-installer} --foreman-proxy-tftp false
+----
++
+[NOTE]
+====
+{Project} does not perform orchestration when a {SmartProxy} is not set for a given subnet.
+When you disable {SmartProxy} associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present.
+====
diff --git a/guides/common/modules/proc_enabling-the-installer-managed-dhcp-service.adoc b/guides/common/modules/proc_enabling-the-installer-managed-dhcp-service.adoc
new file mode 100644
index 00000000000..65e582a66a1
--- /dev/null
+++ b/guides/common/modules/proc_enabling-the-installer-managed-dhcp-service.adoc
@@ -0,0 +1,53 @@
+[id="enabling-the-installer-managed-dhcp-service"]
+= Enabling the installer-managed DHCP service
+
+If you do not have a DHCP server available in your network, you can use the installer-managed DHCP service.
+This feature enables you to provide a DHCP service with low maintenance overhead.
+
+Perform the steps on the {Project} or {SmartProxyServer} that you want to configure to manage the DHCP service for the subnet.
+
+.Prerequisites
+* You know the following network information:
+** The range of IP addresses the DHCP should manage
+** The IP address of the default gateway in the subnet
+** The IP addresses of the name servers for the subnet
+
+.Procedure
+. Configure {ProjectServer} or {SmartProxyServer} as DHCP server:
++
+[options="nowrap" subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dhcp true \
+--foreman-proxy-dhcp-provider isc \
+--foreman-proxy-dhcp-managed true \
+--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
+--foreman-proxy-dhcp-gateway 192.0.2.1 \
+--foreman-proxy-dhcp-nameservers 192.0.2.2,192.0.2.3
+----
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. See xref:associating-the-dhcp-service-with-a-subnet[].
+. Optional: Secure the `dhcpd` API on the {SmartProxy} by using an Object Management Application Programming Interface (OMAPI) key:
+.. Install the required package:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {project-package-install} {bind-package}
+----
+.. Generate an OMAPI key:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# tsig-keygen -a hmac-md5 _omapi_key_
+key "omapi_key" {
+ algorithm hmac-md5;
+ secret "hJBge7QC5AaUkRVsZmFUlg==";
+};
+----
+. Add the `dhcpd` API key to the {SmartProxy} configuration:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dhcp-key-name "_omapi_key_" \
+--foreman-proxy-dhcp-key-secret "_key_secret_"
+----
diff --git a/guides/common/modules/proc_enabling-the-installer-managed-dns-service.adoc b/guides/common/modules/proc_enabling-the-installer-managed-dns-service.adoc
new file mode 100644
index 00000000000..79758df6de8
--- /dev/null
+++ b/guides/common/modules/proc_enabling-the-installer-managed-dns-service.adoc
@@ -0,0 +1,21 @@
+[id="enabling-the-installer-managed-dns-service"]
+= Enabling the installer-managed DNS service
+
+If you do not have a DNS server available in your network, you can use the installer-managed DNS service.
+This feature enables you to provide a DNS service with low maintenance overhead.
+
+Perform the steps on the {Project} or {SmartProxyServer} that you want to configure to manage the DNS service for the domain.
+
+.Procedure
+. Configure {Project} or {SmartProxy} as DNS server:
++
+[options="nowrap",subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dns true \
+--foreman-proxy-dns-provider nsupdate \
+--foreman-proxy-dns-managed true \
+--reset-foreman-proxy-dns-server
+----
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[].
diff --git a/guides/common/modules/proc_enabling-the-installer-managed-tftp-service.adoc b/guides/common/modules/proc_enabling-the-installer-managed-tftp-service.adoc
new file mode 100644
index 00000000000..90fd14a5a94
--- /dev/null
+++ b/guides/common/modules/proc_enabling-the-installer-managed-tftp-service.adoc
@@ -0,0 +1,15 @@
+[id="enabling-the-installer-managed-tftp-service"]
+= Enabling the installer-managed TFTP service
+
+If you do not have a TFTP server available in your network, you can use the installer-managed TFTP service to perform unattended installations.
+With the installer-managed TFTP service, you can run a TFTP server with a low maintenance effort because {Project} fully manages the TFTP service, including the files on that service.
+
+.Procedure
+* Configure {Project} or {SmartProxy} as the TFTP server:
++
+[options="nowrap",subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-tftp true \
+--foreman-proxy-tftp-managed true
+----
diff --git a/guides/common/modules/proc_installing-the-dhcp-infoblox-module.adoc b/guides/common/modules/proc_installing-the-dhcp-infoblox-module.adoc
deleted file mode 100644
index 574751e624d..00000000000
--- a/guides/common/modules/proc_installing-the-dhcp-infoblox-module.adoc
+++ /dev/null
@@ -1,33 +0,0 @@
-[id="Installing_the_DHCP_Infoblox_Module_{context}"]
-= Installing the DHCP Infoblox module
-
-Install the DHCP Infoblox module on {ProductName}.
-Note that you cannot manage records in separate views.
-
-You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and xref:Installing_the_DNS_Infoblox_Module_{context}[].
-
-.DHCP Infoblox record type considerations
-If you want to use the DHCP and DNS Infoblox modules together, configure the DHCP Infoblox module with the `fixedaddress` record type only.
-The `host` record type causes DNS conflicts and is not supported.
-
-If you configure the DHCP Infoblox module with the `host` record type, you have to unset both DNS {SmartProxy} and Reverse DNS {SmartProxy} options on your Infoblox-managed subnets, because Infoblox does DNS management by itself.
-Using the `host` record type leads to creating conflicts and being unable to rename hosts in {Project}.
-
-.Procedure
-. On {ProductName}, enter the following command:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} --enable-foreman-proxy-plugin-dhcp-infoblox \
---foreman-proxy-dhcp true \
---foreman-proxy-dhcp-provider infoblox \
---foreman-proxy-dhcp-server _infoblox.example.com_ \
---foreman-proxy-plugin-dhcp-infoblox-username _admin_ \
---foreman-proxy-plugin-dhcp-infoblox-password _infoblox_ \
---foreman-proxy-plugin-dhcp-infoblox-record-type fixedaddress \
---foreman-proxy-plugin-dhcp-infoblox-dns-view default \
---foreman-proxy-plugin-dhcp-infoblox-network-view default
-----
-. Optional: In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*, select the {SmartProxy} with the DHCP Infoblox module, and ensure that the *dhcp* feature is listed.
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
-. For all subnets managed through Infoblox, ensure that the IP address management (*IPAM*) method of the subnet is set to `DHCP`.
diff --git a/guides/common/modules/proc_installing-the-dns-infoblox-module.adoc b/guides/common/modules/proc_installing-the-dns-infoblox-module.adoc
deleted file mode 100644
index 6b6fdba1161..00000000000
--- a/guides/common/modules/proc_installing-the-dns-infoblox-module.adoc
+++ /dev/null
@@ -1,26 +0,0 @@
-[id="Installing_the_DNS_Infoblox_Module_{context}"]
-= Installing the DNS Infoblox module
-
-Install the DNS Infoblox module on {ProductName}.
-You can also install DHCP and DNS Infoblox modules simultaneously by combining this procedure and xref:Installing_the_DHCP_Infoblox_Module_{context}[].
-
-.Procedure
-. On {ProductName}, enter the following command to configure the Infoblox module:
-+
-[options="nowrap" subs="+quotes,attributes"]
-----
-# {foreman-installer} --enable-foreman-proxy-plugin-dns-infoblox \
---foreman-proxy-dns true \
---foreman-proxy-dns-provider infoblox \
---foreman-proxy-plugin-dns-infoblox-dns-server _infoblox.example.com_ \
---foreman-proxy-plugin-dns-infoblox-username _admin_ \
---foreman-proxy-plugin-dns-infoblox-password _infoblox_ \
---foreman-proxy-plugin-dns-infoblox-dns-view _default_
-----
-+
-Optionally, you can change the value of the `--foreman-proxy-plugin-dns-infoblox-dns-view` option to specify an Infoblox DNS view other than the default view.
-. Optional: In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*, select the {SmartProxy} with the Infoblox DNS module, and ensure that the *dns* feature is listed.
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *Domains*.
-. For all domains managed through Infoblox, ensure that the *DNS Proxy* is set for those domains.
-. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets*.
-. For all subnets managed through Infoblox, ensure that the *DNS {SmartProxy}* and *Reverse DNS {SmartProxy}* are set for those subnets.
diff --git a/guides/common/modules/proc_installing-the-infoblox-ca-certificate.adoc b/guides/common/modules/proc_installing-the-infoblox-ca-certificate.adoc deleted file mode 100644 index 6574830189e..00000000000 --- a/guides/common/modules/proc_installing-the-infoblox-ca-certificate.adoc +++ /dev/null @@ -1,40 +0,0 @@ -[id="Installing_the_Infoblox_CA_Certificate_{context}"] -= Installing the Infoblox CA certificate - -You must install Infoblox HTTPS CA certificate on the base system of {ProductName}. - -.Procedure -* Download the certificate from the Infoblox web UI or you use the following OpenSSL commands to download the certificate: -+ -[options="nowrap" subs="+quotes"] ----- -# update-ca-trust enable -# openssl s_client -showcerts -connect _infoblox.example.com_:443 /etc/pki/ca-trust/source/anchors/infoblox.crt -# update-ca-trust extract ----- -+ -The `_infoblox.example.com_` entry must match the host name for the Infoblox application in the X509 certificate. - -.Verification -* Test the CA certificate by using a `curl` query: -+ -[options="nowrap" subs="+quotes"] ----- -$ curl \ ---user _My_User_Name_:__My_Password__ \ -https://_infoblox.example.com_/wapi/v2.0/network ----- -+ -Example positive response: -+ -[options="nowrap" subs="+quotes"] ----- -[ - { - "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:__infoblox.example.com__/24/default", - "network": "192.168.202.0/24", - "network_view": "default" - } -] ----- diff --git a/guides/common/modules/proc_integrating-a-generic-rfc-2136-compatible-remote-dns-server.adoc b/guides/common/modules/proc_integrating-a-generic-rfc-2136-compatible-remote-dns-server.adoc new file mode 100644 index 00000000000..ffc96dfaee1 --- /dev/null +++ b/guides/common/modules/proc_integrating-a-generic-rfc-2136-compatible-remote-dns-server.adoc 
@@ -0,0 +1,84 @@ +[id="integrating-a-generic-rfc-2136-compatible-remote-dns-server"] += Integrating a generic RFC 2136-compatible remote DNS server + +You can configure {ProductName} to integrate a remote DNS server that supports dynamic updates as defined in link:https://datatracker.ietf.org/doc/html/rfc2136[RFC 2136]. +In this case, {ProductName} uses the `nsupdate` utility to update DNS records on the remote server. + +.Prerequisites +* The remote DNS service is configured and can be queried. +* The remote DNS service supports RFC 2136-compatible dynamic updates +* The Remote Name Daemon Control (RNDC) key file to connect to the remote DNS server is placed in `/etc/foreman-proxy/rndc.key` on your {ProjectServer} or {SmartProxyServer}. + +.Procedure +. Update the permissions on `/etc/foreman-proxy/rndc.key` to enable members of the `foreman-proxy` group to read this file: ++ +[options="nowrap"] +---- +# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key +# chmod -v 640 /etc/foreman-proxy/rndc.key +---- +ifndef::foreman-deb[] +. Restore the SELinux context on `/etc/foreman-proxy/rndc.key`:: ++ +[options="nowrap"] +---- +# restorecon -v /etc/foreman-proxy/rndc.key +---- +endif::[] +. Optional: Verify if you can use the key file to manually manage DNS entries: +.. Create a test DNS entry. +For example, host `_test.example.com_` with an `A` record of `192.168.25.20` on the DNS server at `192.168.25.1`. ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# echo -e "server 192.168.25.1\n \ +update add _test.example.com_ 3600 IN A 192.168.25.20\n \ +send\n" | nsupdate -k /etc/foreman-proxy/rndc.key +---- +.. 
Verify that you can query the new DNS entry: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# host _test.example.com_ 192.168.25.1 +---- ++ +Example output: ++ +[source, none, options="nowrap", subs="+quotes,attributes"] +---- +Using domain server: +Name: 192.168.25.1 +Address: 192.168.25.1#53 +Aliases: + +test.example.com has address 192.168.25.20 +---- +.. If resolved successfully, remove the test DNS entry: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# echo -e "server 192.168.25.1\n \ +update delete _test.example.com_ 3600 IN A 192.168.25.20\n \ +send\n" | nsupdate -k /etc/foreman-proxy/rndc.key +---- +.. Confirm that the DNS entry was removed: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# host _test.example.com_ 192.168.25.1 +---- ++ +If the command returns `Host _test.example.com_ not found: 3(NXDOMAIN)`, the record was successfully deleted. +. Configure {ProjectServer} or {SmartProxyServer} to use the DNS server: ++ +[options="nowrap", subs="+quotes,attributes"] +---- +# {foreman-installer} \ +--foreman-proxy-dns true \ +--foreman-proxy-dns-provider nsupdate \ +--foreman-proxy-dns-managed false \ +--foreman-proxy-dns-server "_dns_server_ip_address_" \ +--foreman-proxy-keyfile /etc/foreman-proxy/rndc.key +---- +. For the affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[]. diff --git a/guides/common/modules/proc_integrating-a-local-self-managed-dns-service.adoc b/guides/common/modules/proc_integrating-a-local-self-managed-dns-service.adoc new file mode 100644 index 00000000000..13d3a4057e3 --- /dev/null +++ b/guides/common/modules/proc_integrating-a-local-self-managed-dns-service.adoc 
@@ -0,0 +1,26 @@
+[id="integrating-a-local-self-managed-dns-service"]
+= Integrating a local self-managed DNS service
+
+The installer exposes a limited feature set for the {Project} installer-managed DNS service.
+For example, you can configure only a single forward DNS zone.
+As an alternative to the installer-managed DNS service, you can run a DNS server locally on the {Project} or {SmartProxyServer} to bypass these limitations.
+
+Perform the steps on the {ProjectServer} or {SmartProxyServer} that runs the self-managed DNS service.
+
+.Prerequisites
+* You installed and configured a DNS service on the {ProjectServer} or {SmartProxyServer} host.
+* The DNS service supports link:https://datatracker.ietf.org/doc/html/rfc2136[RFC 2136]-compatible updates
+
+.Procedure
+. Set the local, self-managed DNS service on your {ProjectServer} or {SmartProxyServer}:
++
+[options="nowrap",subs="+quotes,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dns true \
+--foreman-proxy-dns-provider nsupdate \
+--foreman-proxy-dns-managed false \
+--foreman-proxy-dns-server "127.0.0.1"
+----
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[].
diff --git a/guides/common/modules/proc_integrating-dnsmasq-dhcp-by-using-the-libvirt-api.adoc b/guides/common/modules/proc_integrating-dnsmasq-dhcp-by-using-the-libvirt-api.adoc
new file mode 100644
index 00000000000..417c7b1de8a
--- /dev/null
+++ b/guides/common/modules/proc_integrating-dnsmasq-dhcp-by-using-the-libvirt-api.adoc
@@ -0,0 +1,21 @@
+[id="integrating-dnsmasq-dhcp-by-using-the-libvirt-api"]
+= Integrating dnsmasq DHCP by using the libvirt API
+
+The `dhcp_libvirt` plugin manages IP reservations and leases using `dnsmasq` through the `libvirt` API.
+It uses `ruby-libvirt` to connect to the local or remote instance of the `libvirt` service.
+
+.Procedure
+. Configure {ProjectServer} or {SmartProxyServer} to connect to the `libvirt` API:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dhcp true \
+--foreman-proxy-dhcp-provider libvirt \
+--foreman-proxy-libvirt-network default \
+--foreman-proxy-libvirt-url qemu:///system
+----
++
+Note that you can only use one network and URL for both the `dns_libvirt` and `dhcp_libvirt` providers.
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-dhcp-service-with-a-subnet[].
diff --git a/guides/common/modules/proc_integrating-dnsmasq-dns-by-using-the-libvirt-api.adoc b/guides/common/modules/proc_integrating-dnsmasq-dns-by-using-the-libvirt-api.adoc
new file mode 100644
index 00000000000..876ccd02b86
--- /dev/null
+++ b/guides/common/modules/proc_integrating-dnsmasq-dns-by-using-the-libvirt-api.adoc
@@ -0,0 +1,21 @@
+[id="integrating-dnsmasq-dns-by-using-the-libvirt-api"]
+= Integrating dnsmasq DNS by using the libvirt API
+
+The `dns_libvirt` DNS provider manages DNS records using `dnsmasq` through the `libvirt` API.
+It uses `ruby-libvirt` gem to connect to the local or a remote instance of the `libvirt` service.
+
+.Procedure
+. Configure {ProjectServer} or {SmartProxyServer} to connect to the `libvirt` API:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} \
+--foreman-proxy-dns true \
+--foreman-proxy-dns-provider libvirt \
+--foreman-proxy-libvirt-network default \
+--foreman-proxy-libvirt-url qemu:///system
+----
++
+Note that you can only use one network and URL for both the `dns_libvirt` and `dhcp_libvirt` providers.
+. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}.
+For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[].
diff --git a/guides/common/modules/proc_integrating-idm-dns-with-gss-tsig-authentication.adoc b/guides/common/modules/proc_integrating-idm-dns-with-gss-tsig-authentication.adoc
new file mode 100644
index 00000000000..066a5e14728
--- /dev/null
+++ b/guides/common/modules/proc_integrating-idm-dns-with-gss-tsig-authentication.adoc
@@ -0,0 +1,128 @@ +[id="integrating-idm-dns-update-with-gss-tsig-authentication"] += Integrating {FreeIPA} DNS with GSS-TSIG authentication + +You can configure the {FreeIPA} server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in https://tools.ietf.org/html/rfc3645[RFC3645]. +To configure the {FreeIPA} server to use the GSS-TSIG technology, you must install the {FreeIPA} client on the {ProductName} base operating system. + +.Prerequisites +* The {FreeIPA} server is deployed and functional. +* The firewall on the {FreeIPA} server allows access to the required ports. +ifndef::orcharhino[] +For more information, see {RHELDocsBaseURL}/9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation[Port requirements for IdM] in _{RHEL}{nbsp}9 Installing Identity Management_. +endif::[] +* The {FreeIPA} account has permissions to create zones on the {FreeIPA} server. + +.Procedure +. Create a Kerberos principal on the {FreeIPA} server: +.. Obtain a Kerberos ticket: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# kinit _My_{FreeIPA}_User_ +---- +.. Create a new Kerberos principal {ProductName} to use to authenticate on the {FreeIPA} server: +*** For a {ProjectServer}, enter: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# ipa service-add _{smart-proxy-principal}/{foreman-example-com}_ +---- +*** For a {SmartProxyServer}, enter: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# ipa service-add _{smartproxy-example-com}_ +---- +. Install and configure the {FreeIPA} client on either the {Project} or {SmartProxy} that is managing the DNS service for your deployment: +.. Install the `ipa-client` package: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {project-package-install} ipa-client +---- +.. 
Install the {FreeIPA} client: ++ +[options="nowrap"] +---- +# ipa-client-install +---- ++ +Follow the on-screen prompts. +.. Obtain a Kerberos ticket: ++ +[options="nowrap"] +---- +# kinit admin +---- +.. Remove any preexisting `keytab`: ++ +[options="nowrap"] +---- +# rm --force /etc/foreman-proxy/dns.keytab +---- +.. Obtain a `keytab` file for this system: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# ipa-getkeytab -p {smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_ \ +-s _{freeipaserver-example-com}_ -k /etc/foreman-proxy/dns.keytab +---- ++ +[NOTE] +==== +When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid. +==== +.. Set the owner and group of the `/etc/foreman-proxy/dns.keytab` to `foreman-proxy`: ++ +[options="nowrap"] +---- +# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab +---- +.. Optional: Verify that the `keytab` file is valid: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# kinit -kt /etc/foreman-proxy/dns.keytab \ +{smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_ +---- +. Add a forward DNS zone in the {FreeIPA} web UI: +.. Navigate to *Network Services* > *DNS* > *DNS Zones*. +.. Select *Add*, and enter the zone name. +For example, `example.com`. +.. Click *Add and Edit*. +.. On the *Settings* tab, append the following to the semicolon-separated list in the *BIND update policy* field: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +grant {smart-proxy-principal}\047__{foreman-example-com}@EXAMPLE.COM__ wildcard * ANY; +---- +.. Set *Dynamic update* to *True*. +.. Enable *Allow PTR sync*. +.. Click *Save* to save the changes. +. Add a reverse DNS zone in the {FreeIPA} web UI: +.. Navigate to *Network Services* > *DNS* > *DNS Zones*. +.. Click *Add*. +.. 
Select *Reverse zone IP network*, and add the network address in CIDR format to enable reverse lookups. +.. Click *Add and Edit*. +.. On the *Settings* tab, append the following to the semicolon-separated list in the *BIND update policy* field: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +grant {smart-proxy-principal}\047__{foreman-example-com}@EXAMPLE.COM__ wildcard * ANY; +---- +.. Set *Dynamic update* to *True*. +.. Click *Save* to save the changes. +. Configure {ProjectServer} or {SmartProxyServer} to connect to the {FreeIPA} DNS service: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {foreman-installer} \ +--foreman-proxy-dns true \ +--foreman-proxy-dns-provider nsupdate_gss \ +--foreman-proxy-dns-managed false \ +--foreman-proxy-dns-server "_{freeipaserver-example-com}_" \ +--foreman-proxy-dns-tsig-keytab /etc/foreman-proxy/dns.keytab \ +--foreman-proxy-dns-tsig-principal "{smart-proxy-principal}/_{foreman-example-com}@EXAMPLE.COM_" +---- +. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[]. diff --git a/guides/common/modules/proc_integrating-idm-dns-with-tsig-authentication.adoc b/guides/common/modules/proc_integrating-idm-dns-with-tsig-authentication.adoc new file mode 100644 index 00000000000..5c5b37dba0c --- /dev/null +++ b/guides/common/modules/proc_integrating-idm-dns-with-tsig-authentication.adoc 
@@ -0,0 +1,45 @@
+[id="integrating-idm-dns-with-tsig-authentication"]
+= Integrating {FreeIPA} DNS with TSIG authentication
+
+You can configure {FreeIPA} to use the secret key transaction authentication for DNS (TSIG) technology that uses a key file for authentication.
+The TSIG protocol is defined in https://tools.ietf.org/html/rfc2845[RFC2845].
+
+.Prerequisites
+* The {FreeIPA} server is deployed and functional.
+* The firewall on the {FreeIPA} server allows access to the required ports.
+ifndef::orcharhino[]
+See {RHELDocsBaseURL}9/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation[Port requirements for {FreeIPA}] in the _{RHEL}{nbsp}9 Installing Identity Management guide_.
+endif::[]
+* You have `root` access on the {FreeIPA} server.
+
+.Procedure
+. Perform the following steps on the {FreeIPA} Server:
+.. Insert the following settings at the top of the `/etc/named.conf` file:
++
+[source, none, options="nowrap" subs="+quotes,attributes"]
+----
+include "/etc/rndc.key";
+controls {
+ inet _{FreeIPA}_server_ip_address_ port 953 allow { _{Project}_ip_address_; } keys { "rndc-key"; };
+};
+----
+.. Reload the `named` service:
++
+[options="nowrap" subs="+quotes,attributes"]
+----
+# systemctl reload named
+----
+. In the {FreeIPA} web UI:
+.. Navigate to *Network Services* > *DNS* > *DNS Zones*
+.. Click the name of the zone.
+.. Open the *Settings* tab.
+.. Enter in the *BIND update policy* field:
++
+[source, none, options="nowrap"]
+----
+grant "rndc-key" zonesub ANY;
+----
+.. Set *Dynamic update* to *True*.
+.. Click *Update* to save the changes.
+. Configure dynamic DNS updates in {ProjectServer} or {SmartProxyServer}.
+For more information, see xref:integrating-a-generic-rfc-2136-compatible-remote-dns-server[].
diff --git a/guides/common/modules/proc_integrating-infoblox-dhcp.adoc b/guides/common/modules/proc_integrating-infoblox-dhcp.adoc
new file mode 100644
index 00000000000..eeba6fedbd7
--- /dev/null
+++ b/guides/common/modules/proc_integrating-infoblox-dhcp.adoc
@@ -0,0 +1,73 @@ +[id="integrating-infoblox-dhcp"] += Integrating Infoblox DHCP + +Install the DHCP Infoblox provider on {ProductName}. + +.Limitations +* You can manage DHCP entries only in a single network and view, and you cannot edit the view after you create it. +* {ProductName} uses the standard HTTPS web API to communicate with Infoblox. +By default, it communicates only with a single node. +If you require high availability, configure this feature in Infoblox. + +.Prerequisites +* You have an Infoblox account with the roles `DHCP Admin` and `DNS Admin`. +* The Infoblox roles have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API. + +.Procedure +. Download the certificate from the Infoblox server, and store it in the `/etc/pki/ca-trust/source/anchors/infoblox.crt` file: ++ +[options="nowrap" subs="+quotes"] +---- +# openssl s_client -showcerts -connect _infoblox.example.com_:443 /etc/pki/ca-trust/source/anchors/infoblox.crt +---- ++ +The hostname must match the one for the Infoblox application in the X.509 certificate. +. Add the Infoblox certificate to the system truststore: ++ +[options="nowrap" subs="+quotes"] +---- +# update-ca-trust extract +---- +. Test the CA certificate by using it in a query to the Infoblox API: ++ +[options="nowrap" subs="+quotes"] +---- +# curl -u admin:__password__ https://_infoblox.example.com_/wapi/v2.0/network +---- ++ +Example of a positive response: ++ +[options="nowrap" subs="+quotes"] +---- +[ + { + "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:__infoblox.example.com__/24/default", + "network": "192.168.202.0/24", + "network_view": "default" + } +] +---- +. 
Configure {ProjectServer} or {SmartProxyServer} to connect to the Infoblox DHCP service: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {foreman-installer} \ +--foreman-proxy-dhcp true \ +--foreman-proxy-dhcp-provider infoblox \ +--enable-foreman-proxy-plugin-dhcp-infoblox \ +--foreman-proxy-dhcp-server _infoblox.example.com_ \ +--foreman-proxy-plugin-dhcp-infoblox-username _admin_ \ +--foreman-proxy-plugin-dhcp-infoblox-password _password_ \ +--foreman-proxy-plugin-dhcp-infoblox-record-type fixedaddress \ +--foreman-proxy-plugin-dhcp-infoblox-dns-view default \ +--foreman-proxy-plugin-dhcp-infoblox-network-view default +---- ++ +[NOTE] +==== +If you want to use the DHCP and DNS Infoblox modules together, configure the DHCP Infoblox module with the `fixedaddress` record type only. +The `host` record type is not supported in this scenario because it causes conflicts and you cannot rename hosts in {Project}. +==== +. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dhcp-service-with-a-subnet[]. diff --git a/guides/common/modules/proc_integrating-infoblox-dns.adoc b/guides/common/modules/proc_integrating-infoblox-dns.adoc new file mode 100644 index 00000000000..3666c135ee4 --- /dev/null +++ b/guides/common/modules/proc_integrating-infoblox-dns.adoc 
@@ -0,0 +1,68 @@ +[id="integrating-infoblox-dns"] += Integrating Infoblox DNS + +Install the DNS Infoblox provider on {ProductName}. + +.Limitations +* You can manage DNS entries only in a single view, and you cannot edit the view after you create it. +* {ProductName} uses the standard HTTPS web API to communicate with Infoblox. +By default, it communicates only with a single node. +If you require high availability, configure this feature in Infoblox. +* You cannot integrate the {Project} IP address management (IPAM) feature into Infoblox. + +.Prerequisites +* You have an Infoblox account with the roles `DHCP Admin` and `DNS Admin`. +* The Infoblox roles have permissions or belong to an admin group that permits the accounts to perform tasks through the Infoblox API. + +.Procedure +. Download the certificate from the Infoblox server, and store it in the `/etc/pki/ca-trust/source/anchors/infoblox.crt` file: ++ +[options="nowrap" subs="+quotes"] +---- +# openssl s_client -showcerts -connect _infoblox.example.com_:443 /etc/pki/ca-trust/source/anchors/infoblox.crt +---- ++ +The hostname must match the one for the Infoblox application in the X.509 certificate. +. Add the Infoblox certificate to the system truststore: ++ +[options="nowrap" subs="+quotes"] +---- +# update-ca-trust extract +---- +. Test the CA certificate by using it in a query to the Infoblox API: ++ +[options="nowrap" subs="+quotes"] +---- +# curl -u admin:__password__ https://_infoblox.example.com_/wapi/v2.0/network +---- ++ +Example of a positive response: ++ +[options="nowrap" subs="+quotes"] +---- +[ + { + "_ref": "network/ZG5zLm5ldHdvcmskMTkyLjE2OC4yMDIuMC8yNC8w:__infoblox.example.com__/24/default", + "network": "192.168.202.0/24", + "network_view": "default" + } +] +---- +. 
Configure {ProjectServer} or {SmartProxyServer} to connect to the Infoblox DNS service: ++ +[options="nowrap" subs="+quotes,attributes"] +---- +# {foreman-installer} \ +--foreman-proxy-dns true \ +--foreman-proxy-dns-provider infoblox \ +--enable-foreman-proxy-plugin-dns-infoblox \ +--foreman-proxy-plugin-dns-infoblox-dns-server _infoblox.example.com_ \ +--foreman-proxy-plugin-dns-infoblox-username _admin_ \ +--foreman-proxy-plugin-dns-infoblox-password _password_ \ +--foreman-proxy-plugin-dns-infoblox-dns-view _view_name_ +---- ++ +Omit the `--foreman-proxy-plugin-dns-infoblox-dns-view` option if you use the `default` view in Infoblox DNS. +. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[]. diff --git a/guides/common/modules/proc_integrating-powerdns.adoc b/guides/common/modules/proc_integrating-powerdns.adoc new file mode 100644 index 00000000000..ea4b9e96290 --- /dev/null +++ b/guides/common/modules/proc_integrating-powerdns.adoc @@ -0,0 +1,19 @@ +[id="integrating-powerdns"] += Integrating PowerDNS + +The _dns_powerdns_ DNS provider manages DNS records using the https://www.powerdns.com/[PowerDNS] REST API. + +.Procedure +. Configure {ProjectServer} or {SmartProxyServer} to connect to the PowerDNS service: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} \ +--foreman-proxy-dns true \ +--foreman-proxy-dns-provider powerdns \ +--enable-foreman-proxy-plugin-dns-powerdns \ +--foreman-proxy-plugin-dns-powerdns-rest-api-key _My_API_Key_ \ +--foreman-proxy-plugin-dns-powerdns-rest-url http://_powerdns.example.com_:8081/api/v1/servers/localhost +---- +. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[]. 
diff --git a/guides/common/modules/proc_configuring-dns-route53.adoc b/guides/common/modules/proc_integrating-route-53-dns.adoc similarity index 58% rename from guides/common/modules/proc_configuring-dns-route53.adoc rename to guides/common/modules/proc_integrating-route-53-dns.adoc index 77de03e74a9..69c4a4609f9 100644 --- a/guides/common/modules/proc_configuring-dns-route53.adoc +++ b/guides/common/modules/proc_integrating-route-53-dns.adoc @@ -1,18 +1,20 @@ -[id="configuring_dns_route53_{context}"] -= Configuring dns_route53 +[id="integratinig-route-53"] += Integrating Route 53 DNS _Route 53_ is a DNS provider by Amazon. For more information, see https://aws.amazon.com/route53/[aws.amazon.com/route53]. .Procedure -* Enable _Route 53_ DNS on your {SmartProxy}: +. Configure {ProjectServer} or {SmartProxyServer} to connect to the Amazon Route 53 DNS service: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- # {foreman-installer} \ ---enable-foreman-proxy-plugin-dns-route53 \ --foreman-proxy-dns true \ --foreman-proxy-dns-provider route53 \ +--enable-foreman-proxy-plugin-dns-route53 \ --foreman-proxy-plugin-dns-route53-aws-access-key _My_AWS_Access_Key_ \ --foreman-proxy-plugin-dns-route53-aws-secret-key _My_AWS_Secret_Key_ ---- +. For each affected {SmartProxy}, update the configuration of that {SmartProxy} in the {ProjectWebUI}. +For more information, see xref:associating-the-dns-service-with-a-domain-and-subnet[]. diff --git a/guides/common/modules/proc_reverting-to-internal-dns-service.adoc b/guides/common/modules/proc_reverting-to-internal-dns-service.adoc deleted file mode 100644 index 1ab231aa91e..00000000000 --- a/guides/common/modules/proc_reverting-to-internal-dns-service.adoc +++ /dev/null 
@@ -1,60 +0,0 @@ -[id="reverting-to-internal-dns-service_{context}"] -= Reverting to internal DNS service - -You can revert to using {ProjectServer} and {SmartProxyServer} as your DNS providers. -You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. -ifndef::orcharhino[] -For more information about answer files, see {InstallingServerDocURL}configuring-server_{project-context}[Configuring {ProjectServer}]. -endif::[] - - -.Procedure -On the {Project} or {SmartProxyServer} that you want to configure to manage DNS service for the domain, complete the following steps: - -.Configuring {Project} or {SmartProxy} as a DNS server -* If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the `{foreman-installer}` command: -+ -[options="nowrap", subs="+quotes,attributes"] ------ -# {foreman-installer} ------ -+ -* If you do not have a suitable backup of the answer file, create a backup of the answer file now. -To configure {Project} or {SmartProxy} as DNS server without using an answer file, enter the following `{foreman-installer}` command on {Project} or {SmartProxy}: -+ -[options="nowrap" subs="+quotes,attributes"] ----- -# {foreman-installer} \ ---foreman-proxy-dns-managed=true \ ---foreman-proxy-dns-provider=nsupdate \ ---foreman-proxy-dns-server="127.0.0.1" \ ---foreman-proxy-dns=true ----- -+ -ifeval::["{context}" == "{smart-proxy-context}"] -For more information, see xref:configuring-dns-dhcp-and-tftp-on-productname_{smart-proxy-context}[]. -endif::[] -ifeval::["{context}" == "{project-context}"] -For more information, see {InstallingSmartProxyDocURL}configuring-dns-dhcp-and-tftp-on-productname_{smart-proxy-context}[Configuring DNS, DHCP, and TFTP on {SmartProxyServer}]. 
-endif::[] - -After you run the `{foreman-installer}` command to make any changes to your {SmartProxy} configuration, you must update the configuration of each affected {SmartProxy} in the {ProjectWebUI}. - - -.Updating the configuration in the {ProjectWebUI} - -. In the {ProjectWebUI}, navigate to *Infrastructure* > *{SmartProxies}*. -. For each {SmartProxy} that you want to update, from the *Actions* list, select *Refresh*. - -. Configure the domain: - -.. In the {ProjectWebUI}, navigate to *Infrastructure* > *Domains* and click the domain name that you want to configure. -.. In the *Domain* tab, set *DNS {SmartProxy}* to the {SmartProxy} where the subnet is connected. - -. Configure the subnet: - -.. In the {ProjectWebUI}, navigate to *Infrastructure* > *Subnets* and select the subnet name. -.. In the *Subnet* tab, set *IPAM* to *DHCP* or *Internal DB*. -.. In the *Domains* tab, select the domain that you want to manage using {Project} or {SmartProxy}. -.. In the *{SmartProxies}* tab, set *Reverse DNS {SmartProxy}* to the {SmartProxy} where the subnet is connected. -.. Click *Submit* to save the changes. diff --git a/guides/common/modules/proc_securing-the-dhcp-api.adoc b/guides/common/modules/proc_securing-the-dhcp-api.adoc deleted file mode 100644 index bdf0a6a443f..00000000000 --- a/guides/common/modules/proc_securing-the-dhcp-api.adoc +++ /dev/null 
@@ -1,29 +0,0 @@ -[id="Securing_the_dhcpd_API_{context}"] -= Securing the dhcpd API - -{SmartProxy} interacts with DHCP daemon using the dhcpd API to manage DHCP. -By default, the dhcpd API listens to any host without access control. -You can add an `omapi_key` to provide basic security. - -.Procedure -. On your {SmartProxy}, install the required packages: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {project-package-install} {bind-package} ----- -. Generate a key: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key -# cat Komapi_key.+*.private | grep ^Key|cut -d ' ' -f2- ----- -. Use `{foreman-installer}` to secure the dhcpd API: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {foreman-installer} \ ---foreman-proxy-dhcp-key-name "_My_Name_" \ ---foreman-proxy-dhcp-key-secret "_My_Secret_" ----- diff --git a/guides/common/modules/proc_troubleshooting-dhcp-problems.adoc b/guides/common/modules/proc_troubleshooting-dhcp-problems.adoc index 5efc5a21b81..436973be06c 100644 --- a/guides/common/modules/proc_troubleshooting-dhcp-problems.adoc +++ b/guides/common/modules/proc_troubleshooting-dhcp-problems.adoc @@ -1,5 +1,5 @@ -[id="Troubleshooting_DHCP_Problems_{context}"] -= Troubleshooting DHCP problems in {Project} +[id="troubleshooting-dhcp-problems"] += Troubleshooting DHCP problems {Project} can manage an ISC DHCP server on internal or external DHCP {SmartProxy}. {Project} can list, create, and delete DHCP reservations and leases. diff --git a/guides/common/modules/ref_configuring-dns-dhcp-and-tftp-additional-resources.adoc b/guides/common/modules/ref_configuring-dns-dhcp-and-tftp-additional-resources.adoc deleted file mode 100644 index 6828ac0cf32..00000000000 --- a/guides/common/modules/ref_configuring-dns-dhcp-and-tftp-additional-resources.adoc +++ /dev/null 
@@ -1,7 +0,0 @@ -[id="configuring-dns-dhcp-and-tftp-additional-resources_{context}"] -= Additional resources - -ifndef::foreman-deb,orcharhino[] -* For more information about configuring DNS, DHCP, and TFTP externally, see xref:configuring-external-services[]. -endif::[] -* For more information about configuring DHCP, DNS, and TFTP services, see {ProvisioningDocURL}Configuring_Network_Services_provisioning[Configuring Network Services] in _{ProvisioningDocTitle}_. diff --git a/guides/common/modules/ref_dhcp-isc-settings.adoc b/guides/common/modules/ref_dhcp-isc-settings.adoc deleted file mode 100644 index 34ff54b9383..00000000000 --- a/guides/common/modules/ref_dhcp-isc-settings.adoc +++ /dev/null @@ -1,43 +0,0 @@ -[id="DHCP_ISC_Settings_{context}"] -= dhcp_isc settings - -The _dhcp_isc_ provider uses a combination of the ISC DHCP server OMAPI management interface and parsing of configuration and lease files. -This requires it to be run on the same host as the DHCP server. -The following settings are defined in `dhcp_isc.yml`: - -.Configuring the path to the _config_ and _leases_ files: -ifndef::foreman-deb[] -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:config: /etc/dhcp/dhcpd.conf -:leases: /var/lib/dhcpd/dhcpd.leases ----- -endif::[] -ifdef::foreman-deb[] -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:dhcp_config: /etc/dhcp3/dhcpd.conf -:dhcp_leases: /var/lib/dhcp3/dhcpd.leases ----- -endif::[] - -.Securing the DHCP server with an _omapi_key_ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:key_name: _My_OMAPI_Key_ -:key_secret: _My_Key_Secret_ ----- - -.Setting a port on which the DHCP server listens -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:omapi_port: _My_DHCP_Server_Port_ # default: 7911 ----- - -The server is defined in `dhcp.yml`: - -.Setting the host on which the DHCP server runs on -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:server: _My_DHCP_Server_FQDN_ ----- 
diff --git a/guides/common/modules/ref_dhcp-options-for-network-configuration.adoc b/guides/common/modules/ref_dhcp-options-for-network-configuration.adoc deleted file mode 100644 index cbd1c6bf5a3..00000000000 --- a/guides/common/modules/ref_dhcp-options-for-network-configuration.adoc +++ /dev/null @@ -1,36 +0,0 @@ -[id="DHCP_Options_For_Network_Configuration_{context}"] -= DHCP options for network configuration - ---foreman-proxy-dhcp:: - Enables the DHCP service. -You can set this option to `true` or `false`. - ---foreman-proxy-dhcp-managed:: - Enables Foreman to manage the DHCP service. -You can set this option to `true` or `false`. - ---foreman-proxy-dhcp-gateway:: - The DHCP pool gateway. -Set this to the address of the external gateway for hosts on your private network. - ---foreman-proxy-dhcp-interface:: - Sets the interface for the DHCP service to listen for requests. -Set this to `eth1`. - ---foreman-proxy-dhcp-nameservers:: - Sets the addresses of the nameservers provided to clients through DHCP. -Set this to the address for {ProjectServer} on `eth1`. - ---foreman-proxy-dhcp-range:: - A space-separated DHCP pool range for Discovered and Unmanaged services. - ---foreman-proxy-dhcp-server:: - Sets the address of the DHCP server to manage. - -ifdef::orcharhino[] ---foreman-proxy-dhcp-subnets:: - Sets the subnets of the DHCP server to manage. -Example: `--foreman-proxy-dhcp-subnets 192.168.205.0/255.255.255.128` or `--foreman-proxy-dhcp-subnets 192.168.205.128/255.255.255.128` -endif::[] - -Run `{foreman-installer} --help` to view more options related to DHCP and other {SmartProxy} services. diff --git a/guides/doc-Configuring_DNS_DHCP_TFTP/master.adoc b/guides/doc-Configuring_DNS_DHCP_TFTP/master.adoc index f35fabe6026..2308619a44c 100644 --- a/guides/doc-Configuring_DNS_DHCP_TFTP/master.adoc +++ b/guides/doc-Configuring_DNS_DHCP_TFTP/master.adoc 
@@ -10,4 +10,9 @@ ifdef::satellite[] include::common/modules/proc_providing-feedback-on-red-hat-documentation.adoc[leveloffset=+1] endif::[] +include::common/assembly_configuring-dns-integration.adoc[leveloffset=+1] + +include::common/assembly_configuring-dhcp-integration.adoc[leveloffset=+1] + +include::common/assembly_configuring-tftp-integration.adoc[leveloffset=+1] diff --git a/guides/doc-Installing_Proxy/master.adoc b/guides/doc-Installing_Proxy/master.adoc index 4e344942fcf..e7a9c1c544d 100644 --- a/guides/doc-Installing_Proxy/master.adoc +++ b/guides/doc-Installing_Proxy/master.adoc @@ -26,26 +26,9 @@ include::common/assembly_installing-capsule-server.adoc[leveloffset=+1] include::common/assembly_performing-additional-configuration-on-smart-proxy-server.adoc[leveloffset=+1] -// Configuring {SmartProxyServer} with External Services -include::common/assembly_configuring-external-services.adoc[leveloffset=+1] - -include::common/assembly_managing-dhcp-on-smart-proxies.adoc[leveloffset=+1] - -include::common/assembly_managing-dns-on-smart-proxies.adoc[leveloffset=+1] - -include::common/assembly_using-infoblox-as-dhcp-and-dns-providers.adoc[leveloffset=+1] - :numbered!: // {SmartProxyServer} Scalability Considerations [appendix] include::common/modules/ref_smart-proxy-server-scalability-considerations-when-managing-puppet-clients.adoc[leveloffset=+1] - -ifndef::satellite[] -[appendix] -include::common/modules/ref_dhcp-isc-settings.adoc[leveloffset=+1] - -[appendix] -include::common/modules/ref_dhcp-options-for-network-configuration.adoc[leveloffset=+1] -endif::[] endif::[] diff --git a/guides/doc-Installing_Server/master.adoc b/guides/doc-Installing_Server/master.adoc index 213a1551f9a..9a93c35be70 100644 --- a/guides/doc-Installing_Server/master.adoc +++ b/guides/doc-Installing_Server/master.adoc 
@@ -45,10 +45,10 @@ include::common/assembly_configuring-satellite-with-an-http-proxy.adoc[leveloffs include::common/modules/proc_enabling-power-management-on-hosts.adoc[leveloffset=+2] -include::common/assembly_configuring-dns-dhcp-and-tftp.adoc[leveloffset=+2] - include::common/modules/proc_configuring-satellite-for-outgoing-emails.adoc[leveloffset=+2] +include::common/assembly_configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm.adoc[leveloffset=+2] + ifdef::katello,orcharhino,satellite[] include::common/assembly_configuring-an-alternate-cname.adoc[leveloffset=+2] @@ -59,8 +59,6 @@ include::common/modules/proc_resetting-custom-ssl-certificate-to-default-self-si include::common/assembly_using-external-databases.adoc[leveloffset=+2] endif::[] -include::common/assembly_configuring-external-services.adoc[leveloffset=+1] - :numbered!: ifdef::katello[] diff --git a/guides/doc-Installing_Server_Disconnected/master.adoc b/guides/doc-Installing_Server_Disconnected/master.adoc index e20bdd70aa7..bcceeefa031 100644 --- a/guides/doc-Installing_Server_Disconnected/master.adoc +++ b/guides/doc-Installing_Server_Disconnected/master.adoc @@ -30,19 +30,16 @@ include::common/modules/proc_configuring-pull-based-transport-for-remote-executi include::common/modules/proc_enabling-power-management-on-hosts.adoc[leveloffset=+2] -include::common/assembly_configuring-dns-dhcp-and-tftp.adoc[leveloffset=+2] - include::common/modules/proc_configuring-satellite-for-outgoing-emails.adoc[leveloffset=+2] +include::common/assembly_configuring-project-to-manage-the-lifecycle-of-a-host-registered-to-a-freeipa-realm.adoc[leveloffset=+2] + ifdef::katello,orcharhino,satellite[] include::common/assembly_configuring-satellite-custom-server-certificate.adoc[leveloffset=+2] include::common/assembly_using-external-databases.adoc[leveloffset=+2] endif::[] - -include::common/assembly_configuring-external-services.adoc[leveloffset=+1] - :numbered!: [appendix]