Giter VIP home page Giter VIP logo

part-2-satellite-612-external-services's Introduction

Part 2: Red Hat Satellite 6.12 - DNS and DHCP Integration

Tutorial Menu

Introduction

In this tutorial we will follow step-by-step instructions to integrate external DNS and DHCP services to a Satellite server.

Steps for in installing and configuring the base DNS and DHCP services on a separate server for use with this tutorial are covered in the appendix section of this article.

Satellite DNS Integration

First we will want to test DNS updates from the server hosting Satellite. To test DNS updates with nsupdate, you will need the bind utility installed on the Satellite server. Check to see if the bind-utils are installed. If bind-utils is is not installed, then we will Install bind-utils on the Satellite Server.

# dnf list installed | grep bind-utils
# yum dnf install bind-utils

From the server running named, copy the rndc.key to the Satellite Server and set it up for use with Satellite.

# scp [email protected]:/etc/rndc.key /etc/foreman-proxy/rndc.key
# restorecon -v /etc/foreman-proxy/rndc.key
# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
# chmod -v 640 /etc/foreman-proxy/rndc.key

From the Satellite server test an update to the forward zone (add -d to nsupdate command for debug: nsupdate -d -k ...)

# echo -e "zone example.com.\n server 10.1.10.253\n update add atest.example.com 3600 IN A 10.1.10.10\n send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
# nslookup atest.example.com
# echo -e "zone example.com.\n server 10.1.10.253\n update delete atest.example.com 3600 IN A 10.1.10.10\n send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

From the Satellite server test an update to the reverse zone (add -d to nsupdate command for debug: nsupdate -d -k ...)

# echo -e "zone 10.1.10.in-addr.arpa.\n server 10.1.10.253\n update add 10.10.1.10.in-addr.arpa. 300 PTR atest.example.com\n send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
# nslookup 10.1.10.10
# dig +short -x 10.1.10.10
# echo -e "zone 10.1.10.in-addr.arpa.\n server 10.1.10.253\n update delete 10.10.1.10.in-addr.arpa. 300 PTR atest.example.com\n send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

Note - Typically the forward and reverse zone files are "permanently" updated around 15 minutes after the DNS update is issued from the client machine.

Finally you run the following satellite-installer command to make the changes persistent to the /etc/foreman-proxy/settings.d/dns.yml file.

# satellite-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="10.1.10.253" \
--foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key \
--foreman-proxy-dns-ttl=86400

Restart the foreman-proxy service:

# systemctl restart foreman-proxy

Satellite DHCP Integration

For Satellite to interact with an external DHCP service you will need to share the DHCP configuration and lease files with the Satellite Server. In this example we are using NFS to share the configuration and lease files, and I have provided step-by-step instructions on enabling NFS services on both the server hosting DHCP and the Satellite server.

First we need to generate a security token on the server hosting DHCP.

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
Komapi_key.+157+56839

Copy the secret from the key.

# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2
jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==

Add the following information to the /etc/dhcp/dhcpd.conf file.

omapi-port 7911;
key omapi_key {
        algorithm HMAC-MD5;
        secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;

On the Satellite server gather foreman user UID and GID.

# id -u foreman
975
# id -g foreman
974

On the server hosting DNS and DHCP services create the foreman userid and group.

# groupadd -g 974 foreman
# useradd -u 975 -g 974 -s /sbin/nologin foreman

Restore the read and execute flags.

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

On the server hosting the DHCP service, export the DHCP configuration and lease files using NFS.

# dnf install nfs-utils
...
complete!
# systemctl enable rpcbind nfs-server
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-idmapd

Create directories for the DHCP configuration and lease files that you want to export using NFS:

# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:

# mount -a

Add these lines to the /etc/exports file. The ip address is from your Satellite server.

/exports 10.1.10.254(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 10.1.10.254(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 10.1.10.254(ro,async,no_root_squash,no_subtree_check,nohide)

Reload the NFS server:

# exportfs -rva

Configure the firewall for DHCP:

# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent
success
success

Configure the firewall for the DHCP omapi port 7911:

# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent
success
success

Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent
success
success
success
success

Preparing the Satellite Server

Install the nfs-utils utility:

# foreman-maintain packages install nfs-utils

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:

# chown -R foreman-proxy /mnt/nfs

Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths

# showmount -e ns02.example.com
Export list for ns02.example.com:
/exports/var/lib/dhcpd 10.1.10.254
/exports/etc/dhcp      10.1.10.254
/exports               10.1.10.254
rpcinfo -p 10.1.10.254
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper

Add the following lines to the /etc/fstab file:

ns02.example.com:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

ns02.example.com:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:

# mount -a

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# satellite-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=ns02.example.com

Restart the foreman-proxy service:

# systemctl restart foreman-proxy

Satellite will now use external DNS and DHCP services when provisioning and managing the RHEL lifecycle.

Conclusion

Satellite provides you all the components you need to easily and efficiently provision, patch and manage the lifecycle of your RHEL environment. While everything you need is provided with Satellite for managing your RHEL lifecycle, Satellite also easily integrates with other services. In this tutorial we provided you the steps to integrate your Satellite RHEL lifecycle management with existing DNS and DHCP services that you may have already deployed in your organization.

Appendix

Note: For this example tutorial, the DNS and DHCP services are running on a RHEL 8.7 server VM. For this example the subnet is 10.1.10.0/24 and domain is example.com.

Install named and dhcpd

We will install named, the bind utilities, the dns caching server and dhcpd.

# sudo dnf -y install bind* caching* dhcp*
...
Complete!

Update firewall settings

# firewall-cmd \
--add-service dns \
--add-service dhcp

Make the firewall changes permanent

# sudo firewall-cmd --runtime-to-permanent

Verify the firewall changes

# sudo firewall-cmd --list-all

Setup system Clock with chrony. I have a local time server that my systems use for synching time. Type the following command to check the time sync status.

# chronyc sources -v

Configuring named

In my example setup I externalize the options and zones information for easier maintenance and readability.

File Name Location Info
named.conf /etc named configuration file
options.conf /etc/named named.conf options information
zones.conf /etc/named named.conf zone information
db.10.1.10.in-addr.arpa /var/named/dynamic reverse zone file
db.example.com /var/named/dynamic forward zone file
named.rfc1912.zones /etc Generated by the installation
rndc.key /etc Generated first time named is started

named.conf example

// named.conf

include "/etc/rndc.key";

controls  {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options  {
        include "/etc/named/options.conf";
};

include "/etc/named.rfc1912.zones";


// Public view read by Server Admin
include "/etc/named/zones.conf";

options.conf example

directory "/var/named";
forwarders { 10.1.1.254; };

recursion yes;
allow-query { any; };
dnssec-enable yes;
dnssec-validation yes;

empty-zones-enable yes;

listen-on-v6 { any; };

allow-recursion { localnets; localhost; };

zones.conf example

zone "10.1.10.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.10.1.10.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};
zone "example.com" {
    type master;
    file "/var/named/dynamic/db.example.com";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

Forward zone file - db.example.com

$ORIGIN .
$TTL 10800	; 3 hours
example.com		IN SOA	ns02.example.com. root.example.com. (
				12         ; serial
				86400      ; refresh (1 day)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				3600       ; minimum (1 hour)
				)
			NS	ns02.example.com.
$ORIGIN example.com.
ns02			A	10.1.10.253
sat01			A	10.1.10.254

Reverse zone file - db.10.1.10.in-addr.arpa

$ORIGIN .
$TTL 10800	; 3 hours
10.1.10.in-addr.arpa	IN SOA	ns02.example.com. root.10.1.10.in-addr.arpa. (
				12         ; serial
				86400      ; refresh (1 day)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				3600       ; minimum (1 hour)
				)
			NS	ns02.example.com.
$ORIGIN 10.1.10.in-addr.arpa.
254			PTR	sat01.example.com.
253			PTR	ns02.example.com.
ns02			A	10.1.10.253
sat01			A	10.1.10.254

Setup named as a service

# systemctl start named.service
# systemctl enable named.service
Created symlink /etc/systemd/system/multi-user.target.wants/named.service โ†’ /usr/lib/systemd/system/named.service.

Configuring dhcpd

dhcpd.conf

I made additions to the dhcpd.conf file below the section title "# example.com"

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp-server/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "BWb...EAA==";
};
omapi-key omapi_key;

default-lease-time 43200;
max-lease-time 86400;
log-facility local7;

# example.com
subnet 10.1.10.0 netmask 255.255.255.0 {
  pool
  {
    range 10.1.10.101 10.1.10.199;
  }

  option subnet-mask 255.255.255.0;
  option routers 10.1.10.1;
  option domain-name "example.com";
  option domain-name-servers 10.1.10.253;
  option domain-search "example.com";
  option domain-name "example.com";
}

References

part-2-satellite-612-external-services's People

Contributors

pslucas0212 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.