Version 19 - History - Settingsyml - Smart Proxy - Foreman

Settingsyml » History » Version 19

Sander Hoentjen, 04/13/2012 08:17 AM
fix foreman-proxy username in sudoers

-Paul Kelly
+h1. Settings
-Ohad Levy
+The configuration for Smart-Proxy is held in the @/etc/foreman-proxy/settings.yml@ or @config/settings.yml@ file.
 Paul Kelly
-Paul Kelly
+h2. YAML start
-Paul Kelly
+The first non-comment line of this file must be three dashes.
-Paul Kelly
+<pre>
 ---
-Paul Kelly
+</pre>
 Paul Kelly
-Paul Kelly
+h2. SSL configuration
 Paul Kelly
-Paul Kelly
+The existence of all the three ssl key entries below enables the use of an SSL connections.
 NOTE that both client certificates need to be signed by the same CA, which must be in the *ssl_ca_file*, in order for this to work
-Jochen Schalanda
+see [[SSL]] for more information
 Paul Kelly
-Paul Kelly
+<pre>
 :ssl_certificate: ssl/certs/fqdn.pem
 :ssl_ca_file: ssl/certs/ca.pem
 :ssl_private_key: ssl/private_keys/fqdn.key
 </pre>
 Paul Kelly
 This is the list of hosts from which the smart proxy will accept connections. If this list is empty then every verified SSL connection is allowed to access the API.
 <pre>
-Paul Kelly
+:trusted_hosts:
 - foreman.prod.domain
 - foreman.dev.domain
 </pre>
-Paul Kelly
+h2. Instance attributes
-Jochen Schalanda
+If this entry is present and not false then Smart-Proxy will attempt to disconnect itself from the controlling terminal and daemonize itself.
-Paul Kelly
+<pre>
-Paul Kelly
+:daemon: true
 </pre>
 Paul Kelly
 The port listened to by the proxy. If this is not present then the default Sinatra port of 4567 is used.
 <pre>
-Paul Kelly
+:port: 8443
 </pre>
-Paul Kelly
+h2. TFTP section
-Jochen Schalanda
+Activate the TFTP management module within the Smart-Proxy instance.
 Paul Kelly
-Paul Kelly
+The *tftproot* value is directory into which tftp files are copied and then served from. The tftp daemon will also be expected to chroot to this location. This component is only supported in the Unix environment
-Paul Kelly
+<pre>
-Paul Kelly
+:tftp: true
-Ohad Levy
+:tftproot: /var/lib/tftpboot
-Ohad Levy
+:tftp_servername: name of your tftp server (used for next server value in your dhcp reservation) - defaults to the host name of your proxy.
-Paul Kelly
+</pre>
 Paul Kelly
-Ohad Levy
+*NOTE*: the foreman proxy user must have read/write access to the _tftpboot/pxelinux.cfg_ and _tftpboot/boot_ directories.
-Paul Kelly
+h2. DNS section
 Paul Kelly
-Jochen Schalanda
+Activate the DNS management module within the Smart-Proxy instance.
 Paul Kelly
 The DNS module can manipulate any DNS server that complies with the ISC Dynamic DNS Update standard and can therefore be used to manage both Microsoft and Bind servers.
 The *dns_key* is used to validate the client request. If it is not present then the update operation is performed without peer verification, (not recommended.)
-Jochen Schalanda
+The *dns_server* option is used if the Smart-Proxy is not located on the same physical host as the DNS server. If it is not specified then localhost is presumed.
-Paul Kelly
+<pre>
-Paul Kelly
+:dns: true
 :dns_key: /home/proxy/keys/Kapi.+157+47848.private
-Paul Kelly
+:dns_server: dnsserver.site.domain.com
 </pre>
 Paul Kelly
-Ohad Levy
+*NOTE*: if you use a key, make sure that the foreman proxy account can read that file.
-Paul Kelly
+h2. DHCP section
-Jochen Schalanda
+Activate the DHCP management module within the Smart-Proxy instance.
 Paul Kelly
-Paul Kelly
+<pre>
-Paul Kelly
+:dhcp: true
-Paul Kelly
+</pre>
-Jochen Schalanda
+If the DHCP server is ISC compliant then set *dhcp_vendor* to *isc*. In this case Smart-Proxy must run on the same host as the DHCP server.
 If the proxy is managing a Microsoft DHCP server then set *dhcp_vendor* to *native_ms*. Smart-Proxy must then be run on an NT server so as to access the Microsoft native tools, though it does not have to be the same machine as the DHCP server. More details can be found at [[Foreman:Foreman Architecture]].
-Paul Kelly
+<pre>
-Paul Kelly
+:dhcp_vendor: isc
-Paul Kelly
+</pre>
-Jochen Schalanda
+The DHCP component needs access to the DHCP configuration file as well as the currently allocated leases. The section below shows these values for a RedHat client. In the case of a Smart-Proxy hosted on an Ubuntu machine then these values would be more appropriate: */etc/dhcp3/dhcpd.conf* and */var/lib/dhcp3/dhcpd.leases*
-Paul Kelly
+<pre>
-Paul Kelly
+:dhcp_config: etc/dhcpd.conf
 :dhcp_leases: etc/dhcpd.leases
-Paul Kelly
+</pre>
 Paul Kelly
-Ohad Levy
+*NOTE*: Make sure that the foreman proxy account can read both ISC configuration files.
-Paul Kelly
+If your *native_ms* implementation is slow then you can request that the smart proxy only operate on a subset of the subnets managed by the dhcp server.
 <pre>
 :dhcp_subnets: [192.168.1.0/255.255.255.0, 192.168.11.0/255.255.255.0]
 </pre>
-Marcello de Sousa
+If you secured your DHCP with an "omapi_key", add the entries:
 <pre>
 :dhcp_key_name: omapi_key
 :dhcp_key_secret: XXXXXXXX
 </pre>
-Paul Kelly
+h2. Puppet Certificate Authority section
-Jochen Schalanda
+Activate the Puppet CA management module within the Smart-Proxy instance.
 Paul Kelly
-Jochen Schalanda
+This should only be enabled in the Smart-Proxy that is hosted on the machine responsible for providing certificates to your puppet clients. You would expect to see a directory */var/lib/puppet/ssl/ca* on such a host.
-Paul Kelly
+<pre>
 :puppetca: true
-Paul Kelly
+</pre>
-Mark Bainter
+If your puppet SSL directory is located elsewhere, you'll need to set 'ssldir' as well.
 <pre>
-Ohad Levy
+:ssldir: /etc/puppet/ssl
-Mark Bainter
+</pre>
-Anthony Newman
+The proxy requires write access to the puppet autosign.conf file, which is usually owner and group puppet, and has mode 0644 according to the puppet defaults.
 Ensure the foreman-proxy user is added to the puppet group ( e.g. `gpasswd -a foreman-proxy puppet` or `usermod -aG puppet foreman-proxy`)
 puppet.conf:
 <pre>
 [master]
 autosign = $confdir/autosign.conf { mode = 664 }
 </pre>
-Ohad Levy
+Sudo access to the proxy is required - in your sudoers file ensure you have the following lines:
-Anthony Newman
+For older puppet (pre-2.6.0) with separate sub-commands:
-Paul Kelly
+<pre>
-Anthony Newman
+foreman-proxy ALL = NOPASSWD: /usr/sbin/puppetca *
-Ohad Levy
+Defaults:foreman-proxy !requiretty
-Paul Kelly
+</pre>
 Anthony Newman
 For newer monolithic puppet (2.6.0-on)
 <pre>
 foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
 Defaults:foreman-proxy !requiretty
 </pre>
 Ohad Levy
-Paul Kelly
+h2. Puppet section
-Jochen Schalanda
+Activate the puppet management module within the Smart-Proxy instance.
 Paul Kelly
-Jochen Schalanda
+This should only be enabled in the Smart-Proxy that is hosted on the machine capable of executing *puppetrun*. This will be a puppetmaster.
 Paul Kelly
 <pre>
 :puppet: true
-Ohad Levy
+</pre>
 Sudo access to the proxy is required - in your sudoers file ensure you have the following lines:
 <pre>
-Sander Hoentjen
+foreman-proxy ALL = NOPASSWD: /usr/bin/puppetrun
-Paul Kelly
+</pre>
-Corey Osman
+If running puppet version 2.6+ you will need to use the following  (use /opt/puppet/bin/puppet for Puppet Enterprise)
 <pre>
-Sander Hoentjen
+foreman-proxy ALL = NOPASSWD: /usr/bin/puppet
 Paul Kelly
-Corey Osman
+</pre>
 Ohad Levy
-Paul Kelly
+h2. Logging
-Jochen Schalanda
+The proxy's output is captured to the the *log_file* and may be filtered via the usual unix syslog levels:
-Mark Bainter
+* @WARN@
 * @DEBUG@
 * @ERROR@
 * @FATAL@
 * @INFO@
 * @UNKNOWN@
 Jochen Schalanda
 See Ruby's "Logger class":http://www.ruby-doc.org/stdlib/libdoc/logger/rdoc/classes/Logger.html for details.
 Paul Kelly
 <pre>
-Paul Kelly
+:log_file: /tmp/proxy.log
-Mark Bainter
+:log_level: DEBUG
-Paul Kelly
+</pre>

Project

General

Profile

Foreman » Smart Proxy

Settingsyml » History » Version 19