4.2. Configuring Capsule Server with External DHCP
To configure Capsule Server with external DHCP, you must complete the following procedures:
4.2.1. Configuring an External DHCP Server to Use with Capsule Server
To configure an external DHCP server to use with Capsule Server, on a Red Hat Enterprise Linux server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages. You must also share the DHCP configuration and lease files with Capsule Server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because Satellite creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, clients fetch the bootloader and its configuration from the root directory, which might cause an error.
Procedure
On a Red Hat Enterprise Linux server, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:
# yum install dhcp bind
Generate a security token:
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
As a result, a key pair that consists of two files is created in the current directory.
Copy the secret hash from the key:
# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2
Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:
# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
    range 192.168.38.10 192.168.38.100;
    option routers 192.168.38.1;
    option subnet-mask 255.255.255.0;
    option domain-search "virtual.lan";
    option domain-name "virtual.lan";
    option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
    algorithm HMAC-MD5;
    secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
Note that the option routers value is the Satellite or Capsule IP address that you want to use with an external DHCP service.
Delete the two key files from the directory that they were created in.
On Satellite Server, define each subnet. Do not set DHCP Capsule for the defined Subnet yet.
To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Satellite web UI define the reservation range as 192.168.38.101 to 192.168.38.250.
Configure the firewall for external access to the DHCP server:
# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent
On Satellite Server, determine the UID and GID of the foreman user:
# id -u foreman
993
# id -g foreman
990
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
To ensure that the configuration files are accessible, restore the read and execute flags:
# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
Start the DHCP service:
# systemctl start dhcpd
Export the DHCP configuration and lease files using NFS:
# yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
Create directories for the DHCP configuration and lease files that you want to export using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
To create mount points for the created directories, add the following lines to the /etc/fstab file:
/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0
Mount the file systems in /etc/fstab:
# mount -a
Ensure the following lines are present in /etc/exports:
/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Note that the IP address that you enter is the Satellite or Capsule IP address that you want to use with an external DHCP service.
Reload the NFS server:
# exportfs -rva
Configure the firewall for the DHCP omapi port 7911:
# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent
Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.
# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent
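The /etc/exports step in this procedure limits every export to the single Satellite or Capsule IP address and shares the DHCP configuration and lease directories read-only. The following script is an added example, not part of the original procedure, that checks an exports file for entries that drift from that layout; the function names and the loosened sample file are constructed for illustration.

```bash
#!/bin/bash
# audit_exports FILE CLIENT_IP  (hypothetical helper, not a Satellite tool)
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_exports() {
    awk -v ip="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF < 2 { print $1 ": no client restriction"; bad = 1; next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {                    # split host(options)
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client != ip) {
                    print $1 ": exported to " (client == "" ? "any host" : client) ", expected only " ip
                    bad = 1
                }
                # The procedure exports the DHCP config and lease directories read-only.
                if ($1 ~ /^\/exports\/(etc\/dhcp|var\/lib\/dhcpd)$/ && ("," opts ",") ~ /,rw,/) {
                    print $1 ": writable export of DHCP data"
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the layout from the procedure with two entries loosened.
sample_loose_exports() {
    cat <<'EOF'
/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/etc/dhcp *(ro,async,no_root_squash,no_subtree_check,nohide)
/exports/var/lib/dhcpd 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)
EOF
}

tmp=$(mktemp)
sample_loose_exports > "$tmp"
audit_exports "$tmp" 192.168.38.1 || echo "review the exports listed above"
rm -f "$tmp"
```

On the DHCP server, run the function against /etc/exports with the Satellite or Capsule IP address as the second argument.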