To configure an external DHCP server running {EL} to use with {ProductName}, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with {ProductName}. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
|
Note
|
If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting.
This is required because {Project} creates configuration files on the TFTP server under the grub2/ subdirectory.
If the dhcp-no-override setting is disabled, clients fetch the bootloader and its configuration from the root directory, which might cause an error.
|
-
On your {EL} host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
# {client-package-install-el8} dhcp-server bind-utils -
Generate a security token:
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
As a result, a key pair that consists of two files is created in the current directory.
-
Copy the secret hash from the key:
# grep ^Key Komapi_key.+*.private | cut -d ' ' -f2
-
Edit the
dhcpdconfiguration file for all subnets and add the key. The following is an example:# cat /etc/dhcp/dhcpd.conf default-lease-time 604800; max-lease-time 2592000; log-facility local7; subnet 192.168.38.0 netmask 255.255.255.0 { range 192.168.38.10 192.168.38.100; option routers 192.168.38.1; option subnet-mask 255.255.255.0; option domain-search "virtual.lan"; option domain-name "virtual.lan"; option domain-name-servers 8.8.8.8; } omapi-port 7911; key omapi_key { algorithm HMAC-MD5; secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw=="; }; omapi-key omapi_key;Note that the
option routersvalue is the {Project} or {SmartProxy} IP address that you want to use with an external DHCP service. -
Delete the two key files from the directory that they were created in.
-
On {ProjectServer}, define each subnet. Do not set DHCP {SmartProxy} for the defined Subnet yet.
To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the {ProjectWebUI} define the reservation range as 192.168.38.101 to 192.168.38.250.
-
Configure the firewall for external access to the DHCP server:
# firewall-cmd --add-service dhcp \ && firewall-cmd --runtime-to-permanent
-
On {ProjectServer}, determine the UID and GID of the
foremanuser:# id -u foreman 993 # id -g foreman 990
-
On the DHCP server, create the
foremanuser and group with the same IDs as determined in a previous step:# groupadd -g 990 foreman # useradd -u 993 -g 990 -s /sbin/nologin foreman
-
To ensure that the configuration files are accessible, restore the read and execute flags:
# chmod o+rx /etc/dhcp/ # chmod o+r /etc/dhcp/dhcpd.conf # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
-
Enable and start the DHCP service:
# systemctl enable --now dhcpd
-
Export the DHCP configuration and lease files using NFS:
# {client-package-install-el8} {nfs-server-package} # systemctl enable --now nfs-server -
Create directories for the DHCP configuration and lease files that you want to export using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
-
To create mount points for the created directories, add the following line to the
/etc/fstabfile:/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
-
Mount the file systems in
/etc/fstab:# mount -a
-
Ensure the following lines are present in
/etc/exports:/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Note that the IP address that you enter is the {Project} or {SmartProxy} IP address that you want to use with an external DHCP service.
-
Reload the NFS server:
# exportfs -rva
-
Configure the firewall for DHCP omapi port 7911:
# firewall-cmd --add-port=7911/tcp # firewall-cmd --runtime-to-permanent
-
Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.
# firewall-cmd --zone public --add-service mountd \ && firewall-cmd --zone public --add-service rpc-bind \ && firewall-cmd --zone public --add-service nfs \ && firewall-cmd --runtime-to-permanent