Trouble setting up DHCP via Foreman

Problem: Cannot get DHCP connectivity to work between Foreman server and DHCP server, even followed the Google Docs document found here Configuring Foreman with existing services - Google Docs

Expected outcome: Connection established between Foreman and DHCP for PXE booting

Foreman and Proxy versions: 3.7

Distribution and version: Ubuntu 20.04 LTS

Other relevant data:
The error I continue to receive is:
“[Foreman:WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: Unable to detection version ([Errno:ECONNREFUSED]: Failed to open TCP connection to (Connection refused - connect(2) for “” port 67]) for proxy”

Firewall is fine as far as I can tell and netstat -tulnp shows port 67 as listening on the dhcp server.

This seems like you have configured dhcpserver:67 as your Foreman Proxy, but it needs to be a Foreman Proxy running on dhcpserver (and then probably exposed in port 8443 or 9090 or something).

The current docs how to manage an external DHCP without having a dedicated Proxy running there can be found on Installing Foreman Server 3.7 on Debian/Ubuntu

But having an external Proxy might be easier.

evgeni, thanks for the speedy reply.

We are running the webGUI through NGINX, so would that be something I could leverage here as well? I’m going to review the documentation you linked over.

After a quick click of that link, it states that guide is not ready yet. Is there another link you meant to use?

No, that is the one I wanted. It’s not ready, but it’s better than the 2016 copy you found on Gdocs :wink:

I found this Installing Foreman Server nightly on Debian/Ubuntu - so I’m going to review it… I think that may be similar to what your link would have.

When you stated external proxy previously, were you stating to install a Foreman Proxy on the dhcpserver and utilize it that way?

Yeah. So you end up with a Foreman machine and a DHCP machine that runs Foreman Proxy, and then Foreman talks to the Foreman Proxy via its API (that’s the one throwing the exception you posted above), and then the Proxy talks to the (to it) local DHCPd.

Well, I guess this leads to another question, what is the “easier” route?

Setting up DHCP on the Foreman server following Installing Foreman Server nightly on Debian/Ubuntu, using the external server following Installing Foreman Server nightly on Debian/Ubuntu (which doesn’t like the HMAC-MD5 call out nor the -n HOST option), or setting up the external Foreman Proxy that you mentioned? I have done some quick searching and not been able to find if it’s something beyond installing Foreman but only configuring the “foreman-proxy” bit on the DHCP server to establish as a proxy, or what… I’m new to all of this, so apologies in advanced if this is something simpler that I’m over complicating

(Disclaimer: while I am familiar with the overall Foreman architecture, external DHCP/DNS is not something I used in the past)

Well, I guess it depends on the rest of your setup.

I am a huge non-fan of NFS, and given that is used for the “external DHCP” setup, that would be (in my book) a point against it.
On the other hand, if you only have a single external DHCP to manage (and know NFS), it might be easier than setting up an external Foreman Proxy.
If you have multiple DHCP servers to manage, you won’t get around setting up external FPs anyway, so can then also use that kind of setup for all subnets…

I am fairly familiar with NFS and its workings, plus setting it up via the guides was simple enough (though we do have a separate NFS server, it makes us set up NFS on the server to connect into the dhcpd.conf and dhcpd.leases files, which is fine).

We only have one DHCP server.

Caveat to all of this, this is only going to be used to manage/spin up a handful (50 or less) VMs. Apparently it was functioning some time ago, but the developer who left the company let it go to the wayside (according to the bossman) and its been failing since.

Unfortunately, the current guide’s instructions have failures in the commands that are negating progressing to the next steps… basically stuck at needing the omapi_key and I think once I have that, it could work, or at least lead to the next steps.

Is there anyone in particular in the “Developer” category that would know what to poke in regards to utilizing the external DHCP server (in the same subnet) OR is it as easy to set up the foreman-installer on the foreman server to manage DHCP?

Sorry for chiming in, especially in the area that I am also not to familiar with. But looking at the error in your initial post I’d say you might have provided a wrong omapi port to your installer. It looks like you specified 67. Am I right?

You configure it using ther --foreman-proxy-dhcp-omapi-port installer parameter

Assuming you are running ISC dhcp server, you want to enable the OMAPI by specifying a port in the dhcpd.conf.
Here is some guide to configure dhcpd server side of things (step #7)

Obviously, you have to configure the key on foran-proxy too, here’s how to do that - ISC DHCP.

Sorry if i am completely off.

Please never apologize (at least to me) for bringing an idea to the table :slight_smile:

I do not have Port 67 specified anywhere. DHCP uses UDP/67 on the server side by default.

The issue I’m having is generating the omapi_key to see if these processes will work. Whenever I try to use the -a HMAC-MD5 call out, it doesn’t recognize that algorithm (which aligns with the man dnssec-keygen) page… additionally, if I change the algorithm for the hash and use the -n HOST flag, it craps out with invalid DNSKEY nametype HOST

I’ve also changed the Smart Proxy URL in the webGUI to point to 7911 vs 67… still no dice on connecting.

Now I am seeing:

ERF50-5345 [Foreman::Wrapped Exception]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-1764 [ProxyAPI::ProxyException]: Unable to detect version ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=error: wrong version number) for proxy

Additionally, I’m seeing more and more that the omapi_key is optional. Is that anyone’s proven use-case?

This may be way off, but the error reminded me of something I’d seen recently for something else.
Have you updated crypto-policies recently?
I found that foreman isn’t ready yet for FUTURE crypto-policy.
You can check with update-crypto-policies --show

I just tried and it spit out that I don’t have the command, but can install

I’m running on Ubuntu 20.04 LTS

Well, to update anyone invested in this…

I had set up a “Smart Proxy” via the webGUI to point to the external DNS/DHCP server. I followed every guide, doing what I could along the way to get it to work. I kept getting random errors as mentioned in this post.

Ultimately, I decided to just establish DHCP management via Foreman, and have it point to that server IP address vs trying to do the smart proxy route, and it accepted it… so, now I just need to test it and make changes as appropriate to ensure functionality.

1 Like