Foreman 3.10 + Puppet + Katello + Discovery Plugin-Installation- & PXE Beginners Guide for RHEL_9 (using local-DHCP&TFTP)
In this guide I will show you how to install Foreman with Puppet, Katello and the Discovery Plugin. You will also learn how to install and set up a DHCP and a TFTP server. I will also show you how to set up Foreman and how to boot the Foreman Discovery Image via PXE. After following this guide you will be ready to discover and provision your physical servers and workstations.
Before we start:
- Foreman does not ship its own DHCP/TFTP server, unlike MAAS, Tinkerbell, etc.
- you either need an external DHCP server, or you install the servers locally
- we install and use Foreman on a single node without external DHCP
- we won't use the Smart Proxy DNS feature, since it is not required when using a local DHCP server
- we install the Discovery Plugin before setting up TFTP because it saves work: the plugin drops the boot image into the TFTP root for us
- Foreman with Katello must be installed on a freshly provisioned machine: the Katello plugin cannot be added to a Foreman that was installed without it
- make sure you have a backup before running the installer, especially if you have set up Foreman successfully before; you can make one with:
  - an image (dd, gparted)
  - rsync (standalone, or better: rsnapshot)
- we use Rocky Linux 9.4 in this example
```mermaid
sequenceDiagram
    participant PC as Client (PXE NIC)
    participant Relay as VLAN / DHCP relay
    participant DHCP as DHCP server
    participant TFTP as TFTP server
    participant DNS as DNS server
    Note over PC: Boot process begins, the NIC has no IP yet
    PC->>Relay: DHCPDISCOVER (broadcast, with PXE client options)
    Relay->>DHCP: forwards DHCPDISCOVER
    DHCP->>PC: DHCPOFFER with IP, subnet mask, gateway, DNS server, next-server and boot filename
    PC->>DHCP: DHCPREQUEST for the offered address
    DHCP->>PC: DHCPACK, lease confirmed
    Note over PC: PC configures the interface (IP, gateway, DNS)
    PC->>TFTP: TFTP read request for the boot filename (pxelinux.0)
    TFTP->>PC: boot loader, then pxelinux.cfg/default, kernel and initrd
    PC->>DNS: DNS queries for host names found in the boot config
    DNS->>PC: answers with IP addresses
    Note over PC: PC is configured and boots the Foreman Discovery Image
```
This diagram shows the network side of a PXE boot: the DHCP exchange is always discover, offer, request, acknowledge (the client only requests an address after it has been offered one), and the offer is where the client learns the TFTP server (next-server) and boot file. A VLAN only takes part as a relay that forwards the broadcast to the DHCP server. Everything else (TFTP download, DNS lookups) happens after the lease is acknowledged.
- make sure you have a static hostname (we will use my_hostname); the Foreman installer needs the fully qualified name, so set it with hostnamectl before you continue
Switch to root because it's easier:

```
$ su -
```

Get your NIC's name and IP (ifconfig needs the net-tools package; `ip -4 addr show` prints the same information and is always installed):

```
# ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.100  netmask 255.255.255.0  broadcast 192.168.2.255
```

- my NIC is enp2s0 and my IP is 192.168.2.100
Find your NIC's DNS server IP and domain:
- we need this for the hosts mapping
- the domain of your router is usually printed on it, or it was handed out by your switch / VLAN routing, etc.
- we can also find it out on the console: we read the DNS server IP NetworkManager got from DHCP and ask that server for its own name with nslookup (dig works just as well):

```
# nmcli device show enp2s0 | grep IP4.DNS
IP4.DNS[1]:                             192.168.2.1
# nslookup 192.168.2.1
1.2.168.192.in-addr.arpa        name = speedport.ip.
```

- so the DNS server is 192.168.2.1 and the domain is speedport.ip
- you can also check /etc/resolv.conf; it is written by NetworkManager from what the router's DHCP/DNS handed out:

```
# cat /etc/resolv.conf
# Generated by NetworkManager
search speedport.ip
nameserver 192.168.2.1
nameserver fe80::1%enp2s0
```
Edit the hosts file:
- edit /etc/hosts
- the name for the host mapping is <hostname>.<router's domain>, so my_hostname.speedport.ip; add the short name as an alias and keep it off the loopback lines, because Foreman resolves its own name to find the address it advertises to clients
- afterwards `hostname -f` must print my_hostname.speedport.ip

```
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.100 my_hostname.speedport.ip my_hostname
```
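Because a wrong hosts mapping only shows up halfway through a long installer run, here is a pre-flight check for it. This is an added example, not part of the original guide: it takes a hosts file, the FQDN and the NIC address, and fails if the name has no dot, is not mapped to that address, or is also listed on a loopback line. The FQDN, IP and the sample hosts files in the demo are constructed from the values used above.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: pre-flight check for the
# /etc/hosts mapping the Foreman installer relies on. The FQDN, IP and the
# sample hosts files in demo_hosts are constructed.

# check_hosts_mapping HOSTS_FILE FQDN IP
# Succeeds when FQDN contains a dot, HOSTS_FILE maps IP to FQDN, and FQDN is
# not also listed on a loopback line (127.0.0.1 / ::1).
check_hosts_mapping() {
  local file=$1 fqdn=$2 ip=$3 match
  case $fqdn in
    *.*) ;;
    *) echo "not an FQDN: $fqdn"; return 1 ;;
  esac
  # first field is the address, the remaining fields are names and aliases
  match=$(sed 's/#.*//' "$file" | awk -v ip="$ip" -v fqdn="$fqdn" '
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) { print $1; exit } }')
  if [ "$match" != "$ip" ]; then
    echo "no line maps $ip to $fqdn"; return 1
  fi
  # Foreman resolves its own name to pick the address it advertises; a loopback
  # mapping makes Smart Proxy and Puppet URLs point at 127.0.0.1.
  if sed 's/#.*//' "$file" | awk -v fqdn="$fqdn" '
      ($1 == "127.0.0.1" || $1 == "::1") {
        for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
      }
      END { exit !found }'; then
    echo "$fqdn is also mapped to loopback"; return 1
  fi
  return 0
}

# Demo on constructed files. On the real machine run:
#   check_hosts_mapping /etc/hosts "$(hostname -f)" 192.168.2.100
demo_hosts() {
  local good bad
  good=$(mktemp); bad=$(mktemp)
  cat >"$good" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.100 my_hostname.speedport.ip my_hostname
EOF
  cat >"$bad" <<'EOF'
127.0.0.1   localhost my_hostname.speedport.ip
192.168.2.100 my_hostname.speedport.ip
EOF
  check_hosts_mapping "$good" my_hostname.speedport.ip 192.168.2.100 && echo "good file: ok"
  check_hosts_mapping "$bad" my_hostname.speedport.ip 192.168.2.100 || echo "bad file: rejected"
  rm -f "$good" "$bad"
}
demo_hosts
```

Comments are stripped before matching, so a commented-out old mapping does not fool the check; the same function works for any host you later turn into an additional Smart Proxy.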
Firewall settings:
- 8000/tcp serves provisioning templates over plain HTTP to booting hosts, 9090/tcp is the Smart Proxy, 5646 and 5647 are the extra Katello ports; dns, dhcp and tftp are the provisioning services we run locally
- note that this opens unauthenticated DHCP and TFTP to everything on enp2s0, so keep the provisioning network away from anything untrusted

```
# firewall-cmd --add-port="5646/tcp"
# firewall-cmd \
    --add-port="5647/tcp" \
    --add-port="8000/tcp" \
    --add-port="9090/tcp"
# firewall-cmd \
    --add-service=dns \
    --add-service=dhcp \
    --add-service=tftp \
    --add-service=http \
    --add-service=https \
    --add-service=puppetmaster
# firewall-cmd --runtime-to-permanent
```

>> check if it works <<

```
# firewall-cmd --list-all
...
  interfaces: enp2s0
  sources:
  services: cockpit dhcp dhcpv6-client dns http https mdns puppetmaster ssh tftp
  ports: 5646/tcp 5647/tcp 8000/tcp 9090/tcp
...
```

- cockpit, dhcpv6-client, mdns and ssh were already open in Rocky's default zone; remove what you do not need with --remove-service
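Reading the listing by eye is how stray services like cockpit and mdns slip through, so here is a small check that compares the zone against the set this guide intends to open. This is an added example, not part of the original guide; it parses the output of firewall-cmd --list-all from a file (pipe the live command into a file on the server) and prints every service or port that is open but not expected. The sample listing is constructed from the output shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: compare what firewalld exposes
# with what this guide intends to open. Reads "firewall-cmd --list-all" output
# from a file; the sample below is constructed from the listing in the guide.

# check_exposed_surface "EXPECTED_SERVICES" "EXPECTED_PORTS" LISTALL_FILE
# Prints the unexpected items (space separated) and returns 1 if there are any.
check_exposed_surface() {
  local want_services=$1 want_ports=$2 file=$3 unexpected='' item
  # "services:" and "ports:" each appear once in --list-all; drop the key
  for item in $(awk '$1 == "services:" { $1 = ""; print }' "$file"); do
    case " $want_services " in
      *" $item "*) ;;
      *) unexpected="$unexpected $item" ;;
    esac
  done
  for item in $(awk '$1 == "ports:" { $1 = ""; print }' "$file"); do
    case " $want_ports " in
      *" $item "*) ;;
      *) unexpected="$unexpected $item" ;;
    esac
  done
  unexpected=${unexpected# }
  [ -z "$unexpected" ] && return 0
  echo "$unexpected"
  return 1
}

# What this guide deliberately opens, plus ssh so we keep a way in.
FOREMAN_SERVICES="ssh dhcp dns tftp http https puppetmaster"
FOREMAN_PORTS="5646/tcp 5647/tcp 8000/tcp 9090/tcp"

# Constructed sample of "firewall-cmd --list-all" for the public zone.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
public (active)
  target: default
  interfaces: enp2s0
  sources:
  services: cockpit dhcp dhcpv6-client dns http https mdns puppetmaster ssh tftp
  ports: 5646/tcp 5647/tcp 8000/tcp 9090/tcp
  protocols:
EOF

check_exposed_surface "$FOREMAN_SERVICES" "$FOREMAN_PORTS" "$SAMPLE" \
  || echo "^ not on the intended list; close with firewall-cmd --remove-service / --remove-port"
rm -f "$SAMPLE"
```

On the server itself: firewall-cmd --list-all > /tmp/fw.txt, then call the function on that file. Running it again after --runtime-to-permanent (and after every foreman-installer run, which may add its own rules) tells you whether the exposed surface changed.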
Get the repos:

```
# dnf install https://yum.theforeman.org/releases/3.10/el9/x86_64/foreman-release.rpm
# dnf install https://yum.theforeman.org/katello/4.12/katello/el9/x86_64/katello-repos-latest.rpm
# dnf install https://yum.puppet.com/puppet7-release-el-9.noarch.rpm
```
Install Foreman 3.10 with the Katello plugin:

```
# dnf update
# dnf install foreman-installer-katello
# foreman-installer --scenario katello
...
  Success!
  * Foreman is running at https://my_hostname.speedport.ip
      Initial credentials are admin / <pass>
  * To install an additional Foreman proxy on separate machine continue by running:
      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar.gz"
  * Foreman Proxy is running at https://my_hostname.speedport.ip:9090
  The full log is at /var/log/foreman-installer/katello.log
```

We connect to the Foreman dashboard using:

URL: https://my_hostname.speedport.ip
user: admin
pass: <pass>

The generated admin password is also stored in the installer's answers file under /etc/foreman-installer/, so change it after the first login and keep that directory readable by root only.
Install the Discovery Plugin:

```
# foreman-installer --enable-foreman-plugin-discovery
...
  Success!
  * Foreman is running at https://my_hostname.speedport.ip
  * To install an additional Foreman proxy on separate machine continue by running:
      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar.gz"
  * Foreman Proxy is running at https://my_hostname.speedport.ip:9090
  The full log is at /var/log/foreman-installer/katello.log
```

>> check if it worked <<

```
# dnf repolist enabled
...
foreman            Foreman 3.10
foreman-plugins    Foreman plugins 3.10
katello            Katello 4.12
pulpcore           pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
puppet7            Puppet 7 Repository el 9 - x86_64
```

(optional) delete old/wrong repos:
- if repolist shows entries for another Foreman version (left over from an earlier attempt), edit foreman.repo, remove the flawed entries and rebuild the cache:

```
# dnf clean all
# dnf install nano
# nano /etc/yum.repos.d/foreman.repo
# dnf clean all
# dnf makecache
```
Install the DHCP server:

```
# dnf install dhcp-server -y
```

Config:
- we add a subnet for 192.168.2.0; our subnet mask is 255.255.255.0, hence the CIDR is /24
- we choose a range of 100 addresses (192.168.2.101 to 192.168.2.200); a pool much larger than the number of machines you provision is an unnecessary risk, because every unknown device that plugs in gets a lease and a PXE boot offer
- the static addresses (router 192.168.2.1, Foreman host 192.168.2.100) stay outside the pool
- `option routers` is the default gateway handed to the clients; the example points it at the Foreman host, use your real router (192.168.2.1 here) unless the Foreman host routes for them
- the router's own DHCP server is still active in this setup; two DHCP servers on one broadcast domain race each other, so disable DHCP on the router or put the machines to be provisioned on their own VLAN, otherwise they may take the router's offer, which carries no PXE options
- the foreman-installer run at the end of this guide (--foreman-proxy-dhcp-managed true) rewrites /etc/dhcp/dhcpd.conf from its own template, so this hand-written file is only there to see dhcpd start

```
# nano /etc/dhcp/dhcpd.conf
```
```
# speedport.ip
subnet 192.168.2.0 netmask 255.255.255.0 {
  pool {
    range 192.168.2.101 192.168.2.200;
  }
  option subnet-mask 255.255.255.0;
  option routers 192.168.2.100;
}
```

- now we can enable the dhcp service
- if this fails you most likely have a wrong subnet (dhcpd refuses to start when no configured subnet matches an interface address) or wrong firewall settings

```
# systemctl enable --now dhcpd
```

(optional) check whether a DHCP server is already installed and running:

```
# nmap -sU 127.0.0.1 -p 67
```
```
# not installed or not running:
PORT   STATE  SERVICE
67/udp closed dhcps

# up and running:
PORT   STATE         SERVICE
67/udp open|filtered dhcps
```

Of course you can check with systemctl as well (the unit is dhcpd); the port check is useful when you do not know which package provides the service. DHCP uses UDP 67 on the server and UDP 68 on the client; TFTP is UDP 69. ss, lsof, etc. show the listening sockets too.
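A pool that overlaps the Foreman host, the router or the broadcast address is a classic way to break provisioning (and, worse, to hand your server's address to a stranger's laptop). The following is an added example, not part of the original guide: it checks a planned range against the subnet and a list of reserved addresses before you commit it to dhcpd.conf or to the installer flags. The demo uses this guide's addresses; the check is generic for IPv4 subnets.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: sanity-check a dhcpd pool before
# starting the server. Demo values are the ones from this guide.

# ip2int DOTTED -> integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_dhcp_range SUBNET NETMASK START END [RESERVED_IP ...]
# Verifies the pool lies inside the subnet, excludes the network and broadcast
# addresses and none of the RESERVED_IPs (router, Foreman host, ...) fall into
# it. Prints the pool size on success.
check_dhcp_range() {
  local net mask start end bcast addr fixed
  net=$(ip2int "$1"); mask=$(ip2int "$2")
  start=$(ip2int "$3"); end=$(ip2int "$4")
  shift 4
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  if [ $(( net & mask )) -ne "$net" ]; then
    echo "subnet address is not aligned to the netmask"; return 1
  fi
  if [ "$start" -gt "$end" ]; then
    echo "range start is after range end"; return 1
  fi
  # every leasable address must share the network prefix
  if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
    echo "range leaves the subnet"; return 1
  fi
  # network and broadcast addresses are not usable host addresses
  if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
    echo "range includes the network or broadcast address"; return 1
  fi
  for addr in "$@"; do
    fixed=$(ip2int "$addr")
    if [ "$fixed" -ge "$start" ] && [ "$fixed" -le "$end" ]; then
      echo "static address $addr lies inside the pool"; return 1
    fi
  done
  echo $(( end - start + 1 ))
}

# Demo with this guide's values: router .1 and Foreman host .100 must stay
# outside the pool .101-.200. Prints the pool size (100) when all is well.
check_dhcp_range 192.168.2.0 255.255.255.0 192.168.2.101 192.168.2.200 \
  192.168.2.1 192.168.2.100
```

Run it once more with the exact values you pass to --foreman-proxy-dhcp-range later; the installer does not validate the range against your static hosts.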
Install the TFTP server:

```
# dnf install tftp-server -y
```

Check that the Discovery Plugin created the boot image files:
- there should be a /var/lib/tftpboot/boot/fdi-image directory that holds the kernel and the initrd of the Discovery Image (vmlinuz0 and initrd0.img); use the names you actually find there
- you also need a PXE config file; in.tftpd runs as the system user nobody, so the tree must be readable by it, but it does not need to be writable by everyone: a world-writable TFTP root lets any local account replace the boot image every discovered machine runs
- Foreman's Smart Proxy later writes per-host files into pxelinux.cfg/ as the foreman-proxy user; the installer run at the end (--foreman-proxy-tftp-managed true) sets the ownership it needs
- the original snippet here pointed at an NFS root; the Discovery Image is a live image that runs from its initrd, no NFS server is involved, and `proxy.url` tells the booted image which Smart Proxy to report to (port 9090, see the installer output above); paths are relative to the TFTP root

```
# nano /var/lib/tftpboot/pxelinux.cfg/default
```
```
DEFAULT menu.c32
TIMEOUT 300
LABEL ForemanBootImage
  MENU LABEL ^Foreman Boot Image
  KERNEL boot/fdi-image/vmlinuz0
  APPEND initrd=boot/fdi-image/initrd0.img rootflags=loop root=live:/fdi.iso rootfstype=auto ro rd.live.image acpi=force rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0 rd.neednet=0 nomodeset proxy.url=https://my_hostname.speedport.ip:9090 proxy.type=proxy
IPAPPEND 2
```

- menu.c32 comes from the syslinux-tftpboot package; the installer copies the syslinux files into the TFTP root for you
- once Foreman is up you can let it generate this file instead: Hosts > Provisioning Templates > Build PXE Default

```
# chmod -R u=rwX,go=rX /var/lib/tftpboot
# chown -R nobody: /var/lib/tftpboot
```

- change the tftpboot directory only if required; the EL9 unit already serves /var/lib/tftpboot, and if you do change it, use `systemctl edit tftp` (a drop-in under /etc/systemd/system) instead of editing the unit under /usr/lib, which the next package update overwrites:

```
$ systemctl cat tftp
```
```
[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
StandardInput=socket

[Install]
Also=tftp.socket
```

- an /etc/xinetd.d/tftp file, as found in older guides, is not needed: Rocky 9 does not use xinetd, tftp is socket-activated by systemd
- the tftp service is activated with systemctl (the unit's Also= line enables tftp.socket along with it):

```
# systemctl enable --now tftp
```
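Whatever the installer does later, nothing under the TFTP root should be world-writable. This added example (not part of the original guide) audits a directory tree for entries with the other-write bit set and tightens modes to 755 for directories and 644 for files, which is all in.tftpd needs to serve them. The demo builds a constructed copy of the tftpboot layout in a temp dir; ownership (chown) needs root and is left to the commands above.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit the TFTP root for
# world-writable entries (the chmod -R 777 from older guides) and tighten them.
# The tree used in demo_tftp is constructed under a temp dir.

# audit_tftp_root DIR -> prints world-writable files/dirs, returns 1 if any
audit_tftp_root() {
  local dir=$1 bad
  # -perm -0002: the "other write" bit is set; symlinks are skipped because
  # their own mode is meaningless
  bad=$(find "$dir" ! -type l -perm -0002 2>/dev/null)
  if [ -n "$bad" ]; then
    printf 'world-writable under %s:\n%s\n' "$dir" "$bad"
    return 1
  fi
  return 0
}

# fix_tftp_perms DIR: directories 755, files 644. Done with find rather than
# chmod -R with X, because X keeps the execute bit on files that got it from
# an earlier chmod 777.
fix_tftp_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Demo on a constructed tree that mimics /var/lib/tftpboot after chmod -R 777
demo_tftp() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/pxelinux.cfg" "$root/boot/fdi-image"
  : >"$root/pxelinux.cfg/default"
  : >"$root/boot/fdi-image/vmlinuz0"
  chmod -R 777 "$root"
  audit_tftp_root "$root" || echo "-> fixing"
  fix_tftp_perms "$root"
  audit_tftp_root "$root" && echo "clean"
  rm -rf "$root"
}
demo_tftp
```

On the server: audit_tftp_root /var/lib/tftpboot, and if it complains, fix_tftp_perms /var/lib/tftpboot followed by the chown from above. Run the audit again after the installer has taken over the directory; it must stay clean.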
Now we let the installer wire DHCP and TFTP into the Smart Proxy:
- DNS stays off, as decided at the start: with a local DHCP the clients simply get the router as name server
- DHCP and TFTP are "managed", meaning the installer now owns /etc/dhcp/dhcpd.conf and the TFTP root (it replaces the hand-written files from above)
- the installer's default DHCP interface is eth0, so we name ours
- the name server handed to clients must be a host that actually answers DNS; that is the router 192.168.2.1, not the Foreman host, since we installed no DNS server on it
- the gateway is handed out as the clients' default route; as with dhcpd.conf above, use your router here unless the Foreman host routes for them

```
# foreman-installer \
    --foreman-proxy-dns false \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-managed true \
    --foreman-proxy-dhcp-interface enp2s0 \
    --foreman-proxy-dhcp-range "192.168.2.101 192.168.2.200" \
    --foreman-proxy-dhcp-gateway 192.168.2.100 \
    --foreman-proxy-dhcp-nameservers 192.168.2.1 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-managed true \
    --foreman-proxy-tftp-servername 192.168.2.100
```

The installer is idempotent: running it again with different flags updates the answers file and the configuration, so a wrong range or gateway is corrected by simply re-running it.