Chapter 4. Configuring External Services
Use this section to configure your Red Hat Satellite Capsule Server to work with external DNS, DHCP and TFTP services.
4.1. Configuring Capsule Server with External DNS
On the Red Hat Enterprise Linux Server, install the ISC DNS Service.
# yum install bind bind-utils
Ensure that the nsupdate utility was installed. The Capsule uses the nsupdate utility to update DNS records on the remote server.
Copy the /etc/rndc.key file from the services server to the Capsule Server.
# scp localfile username@hostname:remotefile
Ensure that the ownership, permissions, and SELinux context are correct.
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
Test the nsupdate utility by adding a host remotely.
# echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan 192.168.38.2
# echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file.
# satellite-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.38.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400
Restart the foreman-proxy service.
# systemctl restart foreman-proxy
- Log in to the Satellite Server web UI.
- Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DNS feature should appear.
- Associate the DNS service with the appropriate subnets and domain.
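As an added example (not part of this guide, and not Satellite or BIND code), the following bash functions check the copied key file before foreman-proxy is pointed at it: that /etc/rndc.key carries the root:named ownership and 640 mode set above, and that its secret is the same as the copy on the DNS server. The paths in the usage line, including the comparison copy /tmp/rndc.key.from-dns, are assumptions; restorecon remains the authority for the SELinux label.

```shell
#!/bin/bash
# Added example, not from the Red Hat Satellite documentation. Checks a copied
# BIND key file for the ownership and mode the procedure sets (root:named, 640)
# and confirms two copies carry the same secret. Paths in the usage line are
# assumptions; the key-file layout is the standard BIND 'key "name" { ... };'.

# check_key_file PATH OWNER GROUP MODE -> 0 when owner, group and octal mode match.
check_key_file() {
    local path="$1" owner="$2" group="$3" mode="$4" actual
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    actual=$(stat -c '%U %G %a' "$path") || return 1
    if [ "$actual" != "$owner $group $mode" ]; then
        echo "$path: expected $owner $group $mode, got $actual" >&2
        return 1
    fi
}

# key_secret PATH -> prints the secret string from a BIND key file.
key_secret() {
    sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# keys_match FILE_A FILE_B -> 0 when both files carry the same non-empty secret.
keys_match() {
    local a b
    a=$(key_secret "$1")
    b=$(key_secret "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on the Capsule, after scp and restorecon/chown/chmod (assumed paths):
#   check_key_file /etc/rndc.key root named 640 \
#       && keys_match /etc/rndc.key /tmp/rndc.key.from-dns \
#       && echo "rndc.key ready for foreman-proxy"
```

A mode looser than 640 exposes the TSIG secret to every local user, and a secret that differs from the server's copy produces nsupdate failures that look like network problems, so both checks are worth running before the nsupdate test above.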
4.2. Configuring Capsule Server with External DHCP
To configure Capsule Server with external DHCP, you must have previously configured a DHCP server, and shared the DHCP configuration and lease files via NFS.
To configure the DHCP server and share the DHCP configuration and lease files
Deploy a Red Hat Enterprise Linux Server and install the ISC DHCP Service and Berkeley Internet Name Domain (BIND).
# yum install dhcp bind
Generate a security token in an empty directory.
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
The above command can take a long time because it reads from /dev/random, which blocks until enough entropy has been gathered. For less secure proof-of-concept deployments, you can use the non-blocking random number generator instead.
# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
This creates the key pair in two files in the current directory.
Copy the secret hash from the key.
# cat Komapi_key.+*.private | grep ^Key | cut -d ' ' -f2
Edit the dhcpd configuration file for all of the subnets and add the key as in the example:
# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
  range 192.168.38.10 192.168.38.100;
  option routers 192.168.38.1;
  option subnet-mask 255.255.255.0;
  option domain-search "virtual.lan";
  option domain-name "virtual.lan";
  option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
  algorithm HMAC-MD5;
  secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
Delete the two key files from the directory where you created them.
Define each subnet on the Satellite Server.
It is recommended to set up a lease range and reservation range separately to prevent conflicts. For example, the lease range is 192.168.38.10 to 192.168.38.100 so the reservation range (defined in the Satellite web UI) is 192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined Subnet yet.
Configure the firewall for external access to the DHCP server.
# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent
Determine the UID and GID numbers of the foreman user on the Satellite Server.
# id -u foreman
993
# id -g foreman
990
Create the same user and group with the same IDs on the DHCP server.
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
To make the configuration files readable, restore the read and execute flags.
# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
Start the DHCP service.
# systemctl start dhcpd
Export the DHCP configuration and leases files using NFS.
# yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
Create the DHCP configuration and leases files to be exported using NFS.
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
Add the following lines to the /etc/fstab file to create mount points for the newly created directories.
/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0
Mount the file systems in /etc/fstab.
# mount -a
Ensure the following lines are present in /etc/exports:
/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Reload the NFS server.
# exportfs -rva
Configure the firewall for the DHCP omapi port 7911 for the Satellite Server.
# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent
If required, configure the firewall for external access to NFS.
Clients are configured using NFSv3.
Use the firewalld daemon's NFS service to configure the firewall.
# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent
To Configure Capsule Server with External DHCP
Install the NFS client.
# yum install nfs-utils
Create the DHCP directories for NFS.
# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
Change the file owner.
# chown -R foreman-proxy /mnt/nfs
Verify communication with the NFS server and RPC communication paths.
# showmount -e your_DHCP_server_FQDN
# rpcinfo -p your_DHCP_server_FQDN
Add the following lines to the /etc/fstab file:
your_DHCP_server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
your_DHCP_server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
Mount the file systems in /etc/fstab.
# mount -a
Read the relevant files.
# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit
Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file.
# satellite-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=your_DHCP_server_FQDN
Restart the foreman-proxy service.
# systemctl restart foreman-proxy
- Log in to the Satellite Server web UI.
- Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DHCP feature should appear.
- Associate the DHCP service with the appropriate subnets and domain.
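The OMAPI secret has to appear twice, once in dhcpd.conf on the DHCP server and once in the satellite-installer options on the Capsule, and a mismatch between the two copies only shows up later as OMAPI authentication failures. The following bash functions are an added example, not from this guide, Satellite or the remote_isc plug-in: they read the secret once from the dnssec-keygen private file, render both the dhcpd.conf stanza and the installer options from that value, and verify that a dhcpd.conf and a key file agree. The key name omapi_key, port 7911 and HMAC-MD5 come from the procedure above; the private-file content used in the usage section is constructed.

```shell
#!/bin/bash
# Added example, not from the Red Hat Satellite documentation or the
# foreman-proxy remote_isc plug-in. The OMAPI secret is read once from the
# dnssec-keygen private file and used to render both dhcpd.conf and the
# installer options, so the two copies cannot drift apart.

# omapi_secret PRIVATE_FILE -> prints the base64 secret from the "Key:" line
# (the same value the grep/cut pipeline in the procedure extracts).
omapi_secret() {
    awk '$1 == "Key:" { print $2; exit }' "$1"
}

# dhcpd_omapi_stanza KEY_NAME SECRET PORT -> prints the omapi block for dhcpd.conf.
dhcpd_omapi_stanza() {
    printf 'omapi-port %s;\nkey %s {\n  algorithm HMAC-MD5;\n  secret "%s";\n};\nomapi-key %s;\n' \
        "$3" "$1" "$2" "$1"
}

# installer_omapi_args KEY_NAME SECRET PORT -> prints the satellite-installer
# options that must carry the same key name, secret and port as dhcpd.conf.
installer_omapi_args() {
    printf -- '--foreman-proxy-plugin-dhcp-remote-isc-key-name=%s ' "$1"
    printf -- '--foreman-proxy-plugin-dhcp-remote-isc-key-secret=%s ' "$2"
    printf -- '--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=%s\n' "$3"
}

# secrets_agree DHCPD_CONF PRIVATE_FILE -> 0 when the secret in dhcpd.conf is
# the one in the key file, 1 when they differ or either is missing.
secrets_agree() {
    local conf_secret
    conf_secret=$(sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$conf_secret" ] && [ "$conf_secret" = "$(omapi_secret "$2")" ]
}

# Usage on the DHCP server (file name constructed; /etc/dhcp/dhcpd.conf assumed):
#   secret=$(omapi_secret Komapi_key.+157+12345.private)
#   dhcpd_omapi_stanza omapi_key "$secret" 7911 >> /etc/dhcp/dhcpd.conf
#   installer_omapi_args omapi_key "$secret" 7911   # carry to the Capsule's installer run
#   secrets_agree /etc/dhcp/dhcpd.conf Komapi_key.+157+12345.private \
#       && rm -f Komapi_key.+157+12345.private Komapi_key.+157+12345.key
```

The secret ends up in the installer answer file on the Capsule as well as in dhcpd.conf, which is why the procedure deletes the generated key files once both copies are in place.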
4.3. Configuring Capsule Server with External TFTP
Create the TFTP directory to prepare for NFS.
# mkdir -p /mnt/nfs/var/lib/tftpboot
Add the following line to the /etc/fstab file:
192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
Mount the file systems in /etc/fstab.
# mount -a
Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file.
# satellite-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of that server.
# satellite-installer --foreman-proxy-tftp-servername=new_FQDN
This updates all configuration files with the new value.
- Log in to the Satellite Server web UI.
- Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The TFTP feature should appear.
- Associate the TFTP service with the appropriate subnets and domain.
4.4. Configuring Satellite or Capsule with External IdM DNS
Red Hat Satellite can be configured to use a Red Hat Identity Management (IdM) server to provide the DNS service. Two methods are described here to achieve this, both using a transaction key. For more information on Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.
The first method is to install the IdM client which automates the process with the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. This method requires installing the IdM client on the Satellite Server or Capsule’s base system and having an account created by the IdM server administrator for use by the Satellite administrator. See Section 4.4.1, “Configuring Dynamic DNS Update with GSS-TSIG Authentication” to use this method.
The second method, secret key transaction authentication for DNS (TSIG), uses an rndc.key for authentication. It requires root access to the IdM server to edit the BIND configuration file, installing the BIND utility on the Satellite Server's base system, and copying the rndc.key between the systems. This technology is defined in RFC2845. See Section 4.4.2, "Configuring Dynamic DNS Update with TSIG Authentication" to use this method.
You are not required to use Satellite to manage DNS. If you are using the Realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, then the ipa-client-install script creates DNS records for the client. The following procedure and Realm enrollment are therefore mutually exclusive. For more information on configuring Realm enrollment, see External Authentication for Provisioned Hosts in Administering Red Hat Satellite.
Determining where to install the IdM Client
When Satellite Server wants to add a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule and adds the record. The hosts themselves are not involved in this process. This means you should install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.
4.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication
In this example, Satellite Server has the following settings.
Host name | satellite.example.com
Network | 192.168.55.0/24
The IdM server has the following settings.
Host name | idm1.example.com
Domain name | example.com
Before you Begin.
- Confirm the IdM server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- Obtain an account on the IdM server with permissions to create zones on the IdM server.
- Confirm if the Satellite or an external Capsule is managing DNS for a domain.
- Confirm that the Satellite or external Capsule are currently working as expected.
- In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
- Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.
Create a Kerberos Principal on the IdM Server.
Ensure you have a Kerberos ticket.
# kinit idm_user
Where idm_user is the account created for you by the IdM administrator.
Create a new Kerberos principal for the Satellite or Capsule to use to authenticate to the IdM server.
# ipa service-add capsule/satellite.example.com
Install and Configure the IdM Client.
Do this on the Satellite or Capsule Server that is managing the DNS service for a domain.
Install the IdM client package.
# yum install ipa-client
Configure the IdM client by running the installation script and following the on-screen prompts.
# ipa-client-install
Ensure you have a Kerberos ticket.
# kinit admin
Remove any preexisting keytab.
# rm /etc/foreman-proxy/dns.keytab
Get the keytab created for this system.
# ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab
Note: When adding a keytab to a standby system with the same host name as the original system in service, add the -r option to prevent generating new credentials and rendering the credentials on the original system invalid.
Set the group and owner for the keytab file to foreman-proxy as follows.
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
If required, check the keytab is valid.
# kinit -kt /etc/foreman-proxy/dns.keytab \
capsule/satellite.example.com@EXAMPLE.COM
Configure DNS Zones in the IdM web UI.
Create and configure the zone to be managed:
- Navigate to Network Services > DNS > DNS Zones.
- Select Add and enter the zone name. In this example, example.com.
- Click Add and Edit.
On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list.
grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Ensure Dynamic update is set to True.
- Enable Allow PTR sync.
- Select Save to save the changes.
Create and Configure the reverse zone.
- Navigate to Network Services > DNS > DNS Zones.
- Select Add.
- Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
- Click Add and Edit.
On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list:
grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Ensure Dynamic update is set to True.
- Select Save to save the changes.
Configure the Satellite or Capsule Server Managing the DNS Service for the Domain.
On a Satellite Server’s Base System.
satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400
On a Capsule Server’s Base System.
satellite-installer --scenario capsule \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400
Restart the Satellite or Capsule’s Proxy Service.
# systemctl restart foreman-proxy
Update the Configuration in Satellite web UI.
After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:
- Navigate to Infrastructure > Capsules.
- For each Capsule to be updated, from the Actions drop-down menu, select Refresh.
Configure the domain:
- Go to Infrastructure > Domains and select the domain name.
- On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
Configure the subnet:
- Go to Infrastructure > Subnets and select the subnet name.
- On the Subnet tab, set IPAM to None.
- On the Domains tab, ensure the domain to be managed by the IdM server is selected.
- On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.
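Three values in the GSS-TSIG procedure are easy to get subtly wrong: the update-policy grant line (the slash in the principal must be written as \047), the reverse zone name passed to --foreman-proxy-dns-reverse, and the principal that the keytab actually contains. The following bash functions are an added example, not from this guide, IdM or Satellite: they derive the first two from the principal and the network, and check the third against klist output. The principal, network and keytab path in the usage lines are the ones used above; the klist output in the check is constructed.

```shell
#!/bin/bash
# Added example, not from the Red Hat Satellite documentation or IdM. Helpers
# for the GSS-TSIG values used above: the BIND update-policy grant line with
# the "/" in the principal written as \047, the in-addr.arpa zone name for
# --foreman-proxy-dns-reverse, and a check that a keytab holds the principal.

# update_policy_grant PRINCIPAL -> prints the grant entry for the zone's
# BIND update policy, escaping "/" as \047 exactly as the procedure shows.
update_policy_grant() {
    printf 'grant %s wildcard * ANY;\n' "$(printf '%s' "$1" | sed 's#/#\\047#g')"
}

# reverse_zone CIDR -> prints the in-addr.arpa zone for a /8, /16 or /24
# network, e.g. 192.168.55.0/24 -> 55.168.192.in-addr.arpa.
reverse_zone() {
    local ip="${1%/*}" prefix="${1#*/}" old_ifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$old_ifs"
    case $prefix in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "reverse_zone: only /8, /16 and /24 are handled (got /$prefix)" >&2; return 1 ;;
    esac
}

# klist_has_principal PRINCIPAL < klist-k-output -> 0 when the principal is listed.
# Reads 'klist -k KEYTAB' output: three header lines, then "KVNO Principal" rows.
klist_has_principal() {
    awk -v p="$1" 'NR > 3 && $2 == p { found = 1 } END { exit !found }'
}

# keytab_has_principal KEYTAB PRINCIPAL -> runs klist -k on the keytab
# (needs krb5-workstation) and checks for PRINCIPAL.
keytab_has_principal() {
    klist -k "$1" | klist_has_principal "$2"
}

# Usage (values from the procedure above; the keytab path is an assumption):
#   update_policy_grant capsule/satellite.example.com@EXAMPLE.COM
#   reverse_zone 192.168.55.0/24
#   keytab_has_principal /etc/foreman-proxy/dns.keytab capsule/satellite.example.com@EXAMPLE.COM
```

Checking the keytab with klist before running the installer separates "wrong principal in the keytab" from "zone policy does not grant this principal", which otherwise both surface as the same refused update in the proxy log.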
4.4.2. Configuring Dynamic DNS Update with TSIG Authentication
In this example, Satellite Server has the following settings.
IP address | 192.168.25.1
Host name | satellite.example.com
The IdM server has the following settings.
Host name | idm1.example.com
IP address | 192.168.25.2
Domain name | example.com
Before you Begin
- Confirm the IdM Server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- Obtain root user privileges on the IdM server.
- Confirm if the Satellite or an external Capsule is managing DNS for a domain.
- Confirm that the Satellite or external Capsule are currently working as expected.
- In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
- Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.
Enabling External Updates to the DNS Zone in the IdM Server
On the IdM Server, add the following to the top of the /etc/named.conf file.
// This was added to allow Satellite Server at 192.168.25.1 to make DNS updates.
########################################################################
include "/etc/rndc.key";
controls {
  inet 192.168.25.2 port 953 allow { 192.168.25.1; } keys { "rndc-key"; };
};
########################################################################
Reload named to make the changes take effect.
# systemctl reload named
In the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone. On the Settings tab:
Add the following in the BIND update policy box.
grant "rndc-key" zonesub ANY;
- Ensure Dynamic update is set to True.
- Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to Satellite's base system as follows.
# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
Ensure that the ownership, permissions, and SELinux context are correct.
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
On Satellite Server, run the installation script as follows to use the external DNS server.
# satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.25.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400
Testing External Updates to the DNS Zone in the IdM Server
Install bind-utils for testing with nsupdate.
# yum install bind-utils
Ensure the key in the
/etc/rndc.key
file on Satellite Server is the same one as used on the IdM server.key "rndc-key" { algorithm hmac-md5; secret "secret-key=="; };
On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
On Satellite Server, test the DNS entry.
# nslookup test.example.com 192.168.25.1
Server:         192.168.25.1
Address:        192.168.25.1#53

Name:   test.example.com
Address: 192.168.25.20
- To view the entry in the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone and search for the host by name.
If resolved successfully, remove the test DNS entry.
# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
Confirm that the DNS entry was removed.
# nslookup test.example.com 192.168.25.1
The above nslookup command fails and outputs the SERVFAIL error message if the record was successfully deleted.
4.4.3. Reverting to Internal DNS Service
To revert to using Satellite Server and Capsule Server as DNS providers, follow this procedure.
On the Satellite or Capsule Server that is to manage DNS for the domain.
If you backed up the answer file before the change to external DNS, restore the answer file and then run the installation script:
# satellite-installer
If you do not have a suitable backup of the answer file, back up the answer file now, and then run the installation script on Satellite and Capsules as described below.
See Specifying Installation Options for more information on the answer file.
To configure Satellite or Capsule as DNS server without using an answer file.
# satellite-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1" \
--foreman-proxy-dns-tsig-principal="foremanproxy/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab
See Configuring DNS, DHCP, and TFTP on Capsule Server for more information.
Update the Configuration in Satellite web UI.
After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:
- Navigate to Infrastructure > Capsules.
- For each Capsule to be updated, from the Actions drop-down menu, select Refresh.
Configure the domain:
- Go to Infrastructure > Domains and select the domain name.
- On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
Configure the subnet:
- Go to Infrastructure > Subnets and select the subnet name.
- On the Subnet tab, set IPAM to DHCP or Internal DB.
- On the Domains tab, ensure the domain to be managed by the Satellite or Capsule is selected.
- On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.