Trouble setting up DHCP via Foreman

Problem: Cannot get DHCP connectivity to work between Foreman server and DHCP server, even after following the Google Docs document found here: Configuring Foreman with existing services - Google Docs

Expected outcome: Connection established between Foreman and DHCP for PXE booting

Foreman and Proxy versions: 3.7

Distribution and version: Ubuntu 20.04 LTS

Other relevant data:
The error I continue to receive is:
“[Foreman:WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: Unable to detection version ([Errno:ECONNREFUSED]: Failed to open TCP connection to dhcpServerName.dev:67 (Connection refused - connect(2) for “dhcpServerName.dev” port 67]) for proxy https://dhcpServerName.dev:67/version)”

Firewall is fine as far as I can tell and netstat -tulnp shows port 67 as listening on the dhcp server.

This seems like you have configured dhcpserver:67 as your Foreman Proxy, but it needs to be a Foreman Proxy running on dhcpserver (and then probably exposed in port 8443 or 9090 or something).

The current docs on how to manage an external DHCP without having a dedicated Proxy running there can be found at Installing Foreman Server 3.7 on Debian/Ubuntu

But having an external Proxy might be easier.

evgeni, thanks for the speedy reply.

We are running the webGUI through NGINX, so would that be something I could leverage here as well? I’m going to review the documentation you linked over.

After a quick click of that link, it states that guide is not ready yet. Is there another link you meant to use?

No, that is the one I wanted. It’s not ready, but it’s better than the 2016 copy you found on Gdocs :wink:

I found this Installing Foreman Server nightly on Debian/Ubuntu - so I’m going to review it… I think that may be similar to what your link would have.

When you stated external proxy previously, were you stating to install a Foreman Proxy on the dhcpserver and utilize it that way?

Yeah. So you end up with a Foreman machine foreman.example.com and a DHCP machine dhcp.example.com that runs Foreman Proxy, and then Foreman talks to the Foreman Proxy via its API (that’s the one throwing the exception you posted above), and then the Proxy talks to the (to it) local DHCPd.

Well, I guess this leads to another question, what is the “easier” route?

Setting up DHCP on the Foreman server following Installing Foreman Server nightly on Debian/Ubuntu, using the external server following Installing Foreman Server nightly on Debian/Ubuntu (which doesn’t like the HMAC-MD5 call out nor the -n HOST option), or setting up the external Foreman Proxy that you mentioned? I have done some quick searching and not been able to find if it’s something beyond installing Foreman but only configuring the “foreman-proxy” bit on the DHCP server to establish as a proxy, or what… I’m new to all of this, so apologies in advance if this is something simpler that I’m overcomplicating

(Disclaimer: while I am familiar with the overall Foreman architecture, external DHCP/DNS is not something I used in the past)

Well, I guess it depends on the rest of your setup.

I am a huge non-fan of NFS, and given that is used for the “external DHCP” setup, that would be (in my book) a point against it.
On the other hand, if you only have a single external DHCP to manage (and know NFS), it might be easier than setting up an external Foreman Proxy.
If you have multiple DHCP servers to manage, you won’t get around setting up external FPs anyway, so can then also use that kind of setup for all subnets…

I am fairly familiar with NFS and its workings, plus setting it up via the guides was simple enough (though we do have a separate NFS server, it makes us set up NFS on the server to connect into the dhcpd.conf and dhcpd.leases files, which is fine).

We only have one DHCP server.

Caveat to all of this, this is only going to be used to manage/spin up a handful (50 or less) VMs. Apparently it was functioning some time ago, but the developer who left the company let it go to the wayside (according to the bossman) and it’s been failing since.

Unfortunately, the current guide’s instructions have failures in the commands that are negating progressing to the next steps… basically stuck at needing the omapi_key and I think once I have that, it could work, or at least lead to the next steps.

Is there anyone in particular in the “Developer” category that would know what to poke in regards to utilizing the external DHCP server (in the same subnet) OR is it as easy to set up the foreman-installer on the foreman server to manage DHCP?

Sorry for chiming in, especially in the area that I am also not too familiar with. But looking at the error in your initial post I’d say you might have provided a wrong omapi port to your installer. It looks like you specified 67. Am I right?

You configure it using the --foreman-proxy-dhcp-omapi-port installer parameter.

Assuming you are running ISC dhcp server, you want to enable the OMAPI by specifying a port in the dhcpd.conf.
Here is some guide to configure dhcpd server side of things (step #7)

Obviously, you have to configure the key on foreman-proxy too, here’s how to do that - 4.3.4.2 ISC DHCP.

Sorry if I am completely off.

Please never apologize (at least to me) for bringing an idea to the table :slight_smile:

I do not have Port 67 specified anywhere. DHCP uses UDP/67 on the server side by default.

The issue I’m having is generating the omapi_key to see if these processes will work. Whenever I try to use the -a HMAC-MD5 call out, it doesn’t recognize that algorithm (which aligns with the man dnssec-keygen page)… additionally, if I change the algorithm for the hash and use the -n HOST flag, it craps out with invalid DNSKEY nametype HOST

I’ve also changed the Smart Proxy URL in the webGUI to point to 7911 vs 67… still no dice on connecting.

Now I am seeing:

ERF50-5345 [Foreman::Wrapped Exception]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-1764 [ProxyAPI::ProxyException]: Unable to detect version ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=error: wrong version number) for proxy https://dnsServer.dev:7911/version)

Additionally, I’m seeing more and more that the omapi_key is optional. Is that anyone’s proven use-case?
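
Added example (not part of any post in this thread, and not Foreman code): the two errors quoted above are what an HTTPS client sees from a port with no TCP listener and from a TCP port that answers without TLS. The `probe` function, its verdict names and the `MEANING` wording are hypothetical; that OMAPI on 7911 is a plain TCP protocol rather than HTTPS is an assumption taken from ISC DHCP, not from the thread.

```python
import socket
import ssl

# Verdict -> how to read it for a Smart Proxy URL (wording added here, not Foreman output).
MEANING = {
    "refused": "no TCP listener; a UDP-only service such as DHCP on 67 does not count",
    "not_tls": "a TCP service answered without TLS, e.g. a raw protocol such as OMAPI",
    "tls": "TLS handshake completed; an HTTPS service such as a Foreman Proxy may be here",
    "timeout": "no answer; check firewalls and routing",
    "unreachable": "name resolution or routing failed",
}

def probe(host, port, timeout=3.0):
    """Classify host:port the way an HTTPS client such as Foreman experiences it."""
    ctx = ssl.create_default_context()
    # Diagnostic only: this checks whether the port speaks TLS at all. No data is
    # exchanged or trusted, so certificate validation is skipped for the handshake.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # matches the Errno::ECONNREFUSED case
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
        except socket.timeout:
            return "timeout"
        except (ssl.SSLError, ConnectionResetError):
            return "not_tls"    # matches the "wrong version number" case

if __name__ == "__main__":
    # Constructed targets: the DHCP port, the OMAPI port and one Proxy port
    # mentioned in the thread, probed on the local machine.
    for port in (67, 7911, 8443):
        verdict = probe("127.0.0.1", port)
        print(port, verdict, "-", MEANING[verdict])
```

A `tls` verdict only shows that the port is a candidate; requesting `/version` with the proper CA and client certificates is what confirms a Foreman Proxy.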

This may be way off, but the error reminded me of something I’d seen recently for something else.
Have you updated crypto-policies recently?
I found that foreman isn’t ready yet for FUTURE crypto-policy.
You can check with update-crypto-policies --show

I just tried and it spit out that I don’t have the command, but can install it.

I’m running on Ubuntu 20.04 LTS

Well, to update anyone invested in this…

I had set up a “Smart Proxy” via the webGUI to point to the external DNS/DHCP server. I followed every guide, doing what I could along the way to get it to work. I kept getting random errors as mentioned in this post.

Ultimately, I decided to just establish DHCP management via Foreman, and have it point to that server IP address vs trying to do the smart proxy route, and it accepted it… so, now I just need to test it and make changes as appropriate to ensure functionality.
