Can I switch from --scenario foreman-proxy-content to --scenario katello

Problem:
I seem to have installed the above content-only smart-proxy, but I actually need a “full” smart proxy with dhcp+tftpd.

I did

foreman-installer \
                --scenario foreman-proxy-content \
                --certs-node-fqdn                             "proxy.dom.tld" \
                --certs-tar-file                              "/root/proxy.dom.tld-certs.tar" \
                --foreman-proxy-register-in-foreman           "true" \
                --foreman-proxy-registered-name               "proxy.dom.tld" \
                --foreman-proxy-registered-proxy-url          "https://proxy.dom.tld:9090" \
                --foreman-proxy-foreman-base-url              "https://foreman.dom.tld" \
                --foreman-proxy-trusted-hosts                 "foreman.dom.tld" \
                --foreman-proxy-trusted-hosts                 "proxy.dom.tld" \
                --foreman-proxy-trusted-hosts                 "proxy.i.dom.tld" \
                --foreman-proxy-trusted-hosts                 "proxy.nat.dom.tld" \
                --foreman-proxy-trusted-hosts                 "proxy.pxe.dom.tld" \
                --foreman-proxy-oauth-consumer-key            "KEY" \
                --foreman-proxy-oauth-consumer-secret         "SECRET" \
                --puppet-server-foreman-url                   "https://foreman.dom.tld" \
                --foreman-proxy-dhcp true \
                --foreman-proxy-dhcp-managed true \
                --foreman-proxy-dhcp-range "10.38.180.0 10.38.255.255" \
                --foreman-proxy-dhcp-interface "ens224" \
                --foreman-proxy-tftp true \
                --foreman-proxy-tftp-managed true \
                --foreman-proxy-tftp-servername               "proxy.pxe.dom.tld" \
                --enable-foreman-proxy-plugin-ansible \
                --enable-foreman-proxy-plugin-openscap \
                --foreman-proxy-plugin-openscap-proxy-name    "proxy.dom.tld" \
                --enable-foreman-proxy-plugin-remote-execution-ssh

Expected outcome:
I ask this because it seems dhcpd and tftpd configs aren’t updated.
I’ve created a host for provisioning and I assume there should be some configuration in dhcpd.conf and for tftpd.

Foreman and Proxy versions:
foreman-proxy-2.4.1-1.el8.noarch

Foreman and Proxy plugin versions:

Distribution and version:
CentOS 8

Other relevant data:

That’s not really the right way to do it. Katello is not a “full” smart proxy, it’s a full-blown Foreman + Katello.

That’s odd, because it should be. Is there anything particular in the logs? Note that a host entry is only created in the leases file when you actually provision a host.

Also, you printed your oauth consumer key and secret. These give full and unlimited API control over your Foreman instance. If those are the real values, I urge you to rotate them ASAP.

Off the top of my head, this is done on the main Foreman server:

# Clear the cache entries
rm /opt/puppetlabs/puppet/cache/foreman_cache_data/oauth_consumer_{key,secret}
foreman-installer --reset-foreman-oauth-consumer-key --reset-foreman-oauth-consumer-secret
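The leak above is the usual way installer secrets end up in a forum post: the whole command line gets pasted, oauth key and secret included. As an added example (not part of this thread and not a Foreman tool), here is a small POSIX shell helper to run a pasted installer command through before posting it. It redacts the value of any option whose name ends in -key, -secret, -password or -token, and a second function lists the secret-bearing options that are still unredacted. The suffix list is a heuristic of my own, and the sample command line is constructed, not the poster's real values.

```shell
#!/bin/sh
# Secret-bearing installer options: name ends in a sensitive suffix, then a
# value that is double-quoted, single-quoted or bare, joined by whitespace
# or '='. Assumption: the suffix list is a heuristic; extend it as needed.
q="'"
SECRET_OPT_RE="(--[[:alnum:]-]*-(key|secret|password|token))([[:space:]]+|=)(\"[^\"]*\"|${q}[^${q}]*${q}|[^[:space:]]+)"

# redact_installer_args: read a command line on stdin, print it with every
# secret-bearing option value replaced by "REDACTED". Non-secret options
# (trusted hosts, URLs, file paths) are left untouched.
redact_installer_args() {
    sed -E "s/${SECRET_OPT_RE}/\1\3\"REDACTED\"/g"
}

# unredacted_secret_options: read a command line on stdin and print the
# names of secret-bearing options whose value is not REDACTED. Empty output
# means the text is safe to paste as far as this heuristic can tell.
unredacted_secret_options() {
    grep -Eo -- "$SECRET_OPT_RE" \
        | grep -v REDACTED \
        | sed -E 's/([[:space:]]+|=).*$//'
}

# Demo on a constructed command line (placeholder values, not real secrets).
sample='foreman-installer --scenario foreman-proxy-content \
    --foreman-proxy-trusted-hosts "foreman.dom.tld" \
    --foreman-proxy-oauth-consumer-key "KEY123" \
    --foreman-proxy-oauth-consumer-secret=SECRET456'
printf 'Still unredacted:\n'
printf '%s\n' "$sample" | unredacted_secret_options
printf 'Safe to paste:\n'
printf '%s\n' "$sample" | redact_installer_args
```

Run it as `redact_installer_args < command.txt` before pasting, and treat any name printed by `unredacted_secret_options` as a secret to rotate if it has already left your machine, as the reply above recommends.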

Ah, great, I forgot to purge them before pasting.

:grimacing:

Do I then run the installer on the proxy with the new values again or how do I change them?
Or are they written in a config-file somewhere?

Currently, the instance is for test and IP-restricted to our office and my address at home, we’ll do a re-install once I feel I’m ready for production.

OK, so what I did should be correct?
It did install those services, but it seems nothing is configured.

The (supposed) pxe-interface is set to “managed” and “provision”.
I don’t see anything in the logs of the smart-proxy (I assume it should show up there?).

I did notice I hadn’t even set an IP for the pxe-interface of the smartproxy - but even after I correct that, nothing changed.

Can you explain what you mean by “nothing is configured”?

First of all, if you check the Smart Proxy in the UI (Infrastructure → Smart Proxies), does it report the DHCP and TFTP features? Are the services running on the Smart Proxy (systemctl status dhcpd.service tftp.socket)?

OK, the services were not running (somehow, they used to…).

I assume there should at least be some file with the MAC address in /var/lib/tftpboot/pxelinux.cfg/?
At least, that’s what I have on cobbler.

Also, there’s no host-specific dhcp config generated (which I assume should also happen)?

When pxe-booted, the host obviously complains that it can’t locate a configuration file (for tftpd).

Also, the pxe-net is a /16. I’ve created various /24 subnets (with ranges) inside it that I intend to assign to the pxe-boot interfaces of the hosts.
These ranges should also show up in the dhcpd-config, right?

What you should do from the Foreman (sadly this hasn’t been automated) is to build the default pxelinux config. To do so, in the UI you go to Hosts → Provisioning Templates. Then in the top right you have a button Build PXE Default. That should create the default entry. If you create a new host to provision, it should also create specific entries for the specific mac address.

By default the DHCP config that’s laid out by the installer doesn’t look at what’s in Foreman’s subnet config. From Foreman you can import what’s on the actual server, but out of the box you can’t sync the other way around.

OK, technically I don’t think I need to configure much by DHCP, as long as I get an IP and there’s a pxelinux config for tftp.

After generating the default configuration per your advice, it boots into the “unknown host” menu.

There’s still no pxelinux cfg for that mac address.

IIRC that only happens when a host enters or exits build mode or is freshly created. So if you create a new host, it should create one. Also if you rebuild an existing host or if you click “cancel build mode”.

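The two replies above describe what should exist under the TFTP root once things work: a `default` menu written by Build PXE Default, and a per-host file for each host in build mode. As an added example (not from this thread or from Foreman), here is a POSIX shell checker to run on the smart proxy. It maps a MAC address to the file name pxelinux looks up (`01-` followed by the lower-case, hyphen-separated MAC, the standard pxelinux rule), reports which of the two files is missing with the fix suggested in the thread, and lists which MACs currently have entries. The TFTP root is a parameter so it can be run against a copy; `/var/lib/tftpboot` from the thread is the default.

```shell
#!/bin/sh
# pxelinux_cfg_name MAC: print the host-specific file name pxelinux requests
# from pxelinux.cfg/: "01-" (ARP type 1, Ethernet) plus the MAC in lower
# case with hyphens. Accepts ':' or '-' separated input, any case.
pxelinux_cfg_name() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$' \
        || { echo "not a MAC address: $1" >&2; return 2; }
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F:' 'a-f-')"
}

# check_pxe_cfg TFTPROOT MAC: verify the two files a PXE client needs exist
# under TFTPROOT/pxelinux.cfg: 'default' (Build PXE Default) and the per-host
# entry (written when the host enters build mode). Returns 0 only if both
# are present; otherwise prints what is missing and where it comes from.
check_pxe_cfg() {
    cfgdir="$1/pxelinux.cfg"
    name=$(pxelinux_cfg_name "$2") || return 2
    missing=0
    [ -d "$cfgdir" ] || {
        echo "missing: $cfgdir (TFTP module not enabled, or nothing generated yet)"
        return 1
    }
    if [ -f "$cfgdir/default" ]; then
        echo "ok: $cfgdir/default"
    else
        echo "missing: $cfgdir/default (Hosts > Provisioning Templates > Build PXE Default)"
        missing=1
    fi
    if [ -f "$cfgdir/$name" ]; then
        echo "ok: $cfgdir/$name"
    else
        echo "missing: $cfgdir/$name (host not in build mode? create, rebuild, or cancel/re-enter build)"
        missing=1
    fi
    return $missing
}

# pxe_hosts_in_build TFTPROOT: list MAC addresses that currently have a
# host-specific entry, i.e. the hosts Foreman has put into build mode.
pxe_hosts_in_build() {
    for f in "$1"/pxelinux.cfg/01-*; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/01-}" | tr 'a-f-' 'A-F:'
    done
}

# pxe_services_status: the services named in the thread for CentOS 8; run
# this on the proxy itself (not exercised by the offline checks above).
pxe_services_status() {
    systemctl is-active dhcpd.service tftp.socket
}

# Usage on the proxy: check_pxe_cfg /var/lib/tftpboot AA:BB:CC:DD:EE:FF
```

If `check_pxe_cfg` reports only the per-host file missing after a new host was created, that points at the host-to-proxy association (the subnet's TFTP proxy, or the interface not being the provisioning one) rather than at the TFTP service itself.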

Ah, now we’re talking.

I’m not running DNS on the proxy, so it can’t really fetch the kickstart file.

I will try just running unbound with minimal local-data and forward the rest to our resolvers.

Thank you very much and have a nice weekend!

You can configure different DNS servers on your DHCP server. It doesn’t need to run on the same host. Try --foreman-proxy-dhcp-nameservers ip1,ip2.

Yes, but I can’t reach these resolvers from the PXE-boot network.

I can reach the proxy now (it’s no big deal setting up unbound for this), it starts to download but stops due to a problem with fetching sg3_utils (see my other posting, if you’re interested).

Unfortunately, there are a perceived million ways to do things wrong in foreman and little indication if it’s an actual bug or some dumb decision on setting things up.
