Configuring orcharhino Proxies with a Load Balancer
Load balancing solution architecture
You can configure orcharhino Server to use a load balancer to distribute client requests and network load across multiple orcharhino Proxy Servers. This results in an overall performance improvement on orcharhino Proxy Servers.
This guide outlines how to prepare orcharhino Server and orcharhino Proxy Server for load balancing, and provides guidelines on how to configure a load balancer and register clients in a load-balanced setup.
A load-balanced setup consists of the following components:
- orcharhino Server
- Two or more orcharhino Proxy Servers
- A load balancer
- Multiple clients
In a load-balanced setup, nearly all orcharhino Proxy functionality continues to work as expected when one orcharhino Proxy Server is down, for planned or unplanned maintenance. A load balancer works with the following services and features:
- Registration using subscription-manager
- Content management with Yum repositories
- Optional: Puppet
In the load-balanced setup, a load balancer distributes load only for the services and features mentioned above. If other services, such as provisioning or virt-who, are running on the individual orcharhino Proxies, you must access them directly through orcharhino Proxies and not through the load balancer.
Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.
To manage this Puppet limitation, complete the following steps:
- Configure Puppet certificate signing on one orcharhino Proxy Server, typically the first system where you configure orcharhino Proxy Server for load balancing.
- Configure the clients to send CA requests to port 8141 on a load balancer.
- Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure orcharhino Proxy Server to sign Puppet certificates.
Load balancing considerations
Distributing load between several orcharhino Proxy Servers prevents any one orcharhino Proxy from becoming a single point of failure. Configuring orcharhino Proxies to use a load balancer can provide resilience against planned and unplanned outages. This improves availability and responsiveness.
Consider the following guidelines when configuring load balancing:
- If you use Puppet, Puppet certificate signing is assigned to the first orcharhino Proxy that you configure. If the first orcharhino Proxy is down, clients cannot obtain Puppet content.
- This solution does not use Pacemaker or other similar HA tools to maintain one state across all orcharhino Proxies. To troubleshoot issues, reproduce the issue on each orcharhino Proxy, bypassing the load balancer.
Configuring orcharhino Proxies to use a load balancer results in a more complex environment and requires additional maintenance.
The following additional steps are required for load balancing:
- You must ensure that all orcharhino Proxies have the same content views and synchronize all orcharhino Proxies to the same content view versions.
- You must upgrade each orcharhino Proxy in sequence.
- You must back up each orcharhino Proxy that you configure regularly.
There are no additional steps required for orcharhino Proxy Servers in a load balancing configuration.
Prerequisites for configuring orcharhino Proxy Servers for load balancing
You can find a list of requirements for orcharhino Proxy Server in Installing orcharhino Proxy Server.
Configuring orcharhino Proxy Servers for load balancing
This chapter outlines how to configure orcharhino Proxy Servers for load balancing. Proceed to one of the following sections depending on your orcharhino Server configuration:
- Configuring orcharhino Proxy Server with default SSL certificates for load balancing without Puppet
- Configuring orcharhino Proxy Server with default SSL certificates for load balancing with Puppet
- Configuring orcharhino Proxy Server with custom SSL certificates for load balancing without Puppet
- Configuring orcharhino Proxy Server with custom SSL certificates for load balancing with Puppet
Use different file names for the Katello certificates you create for each orcharhino Proxy Server. For example, name the certificate archive file with the orcharhino Proxy Server FQDN.
Configuring orcharhino Proxy Server with default SSL certificates for load balancing without Puppet
The following section describes how to configure orcharhino Proxy Servers that use default SSL certificates for load balancing without Puppet. Complete this procedure on each orcharhino Proxy Server that you want to configure for load balancing.
- On orcharhino Server, generate Katello certificates for orcharhino Proxy Server:
  $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.network2.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com
  Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing the orcharhino Proxy Server certificate.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server:
  $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:/root/orcharhino-proxy.network2.example.com-certs.tar
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --certs-cname "loadbalancer.example.com" \
  --enable-foreman-proxy-plugin-remote-execution-script
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com"
Configuring orcharhino Proxy Server with default SSL certificates for load balancing with Puppet
The following section describes how to configure orcharhino Proxy Servers that use default SSL certificates for load balancing with Puppet.
If you use Puppet in your orcharhino configuration, you must complete the following procedures:
Configuring orcharhino Proxy Server with default SSL certificates to generate and sign Puppet certificates
Complete this procedure only for the system where you want to configure orcharhino Proxy Server to generate and sign Puppet certificates for all other orcharhino Proxy Servers that you configure for load balancing.
- On orcharhino Server, generate Katello certificates for the system where you configure orcharhino Proxy Server to generate and sign Puppet certificates:
  $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy-ca.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com
  Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing the orcharhino Proxy Server certificate.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server:
  $ scp /root/orcharhino-proxy-ca.example.com-certs.tar root@orcharhino-proxy-ca.example.com:orcharhino-proxy-ca.example.com-certs.tar
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --certs-cname "loadbalancer.example.com" \
  --enable-foreman-proxy-plugin-remote-execution-script \
  --foreman-proxy-puppetca "true" \
  --puppet-ca-server "orcharhino-proxy-ca.example.com" \
  --puppet-dns-alt-names "loadbalancer.example.com" \
  --puppet-server-ca "true"
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy-ca.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true"
- On orcharhino Proxy Server, stop the Puppet server:
  $ puppet resource service puppetserver ensure=stopped
- Generate Puppet certificates for all other orcharhino Proxy Servers that you configure for load balancing, except the first system where you configure Puppet certificate signing:
  $ puppetserver ca generate \
    --ca-client \
    --certname orcharhino-proxy.network2.example.com \
    --subject-alt-names loadbalancer.example.com
  This command creates the following files on the system where you configure orcharhino Proxy Server to sign Puppet certificates:
  - /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
  - /etc/puppetlabs/puppet/ssl/certs/ca.pem
  - /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
  - /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
- Resume the Puppet server:
  $ puppet resource service puppetserver ensure=running
Configuring remaining orcharhino Proxy Servers with default SSL certificates for load balancing
Complete this procedure on each orcharhino Proxy Server excluding the system where you configure orcharhino Proxy Server to sign Puppet certificates.
- On orcharhino Server, generate Katello certificates for orcharhino Proxy Server:
  $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.network2.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com
  Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing the orcharhino Proxy Server certificate.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server:
  $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:/root/orcharhino-proxy.network2.example.com-certs.tar
- On orcharhino Proxy Server, install the puppetserver package:
  $ dnf install puppetserver
- On orcharhino Proxy Server, create directories for the Puppet certificates:
  $ mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
- On orcharhino Proxy Server, copy the Puppet certificates for this orcharhino Proxy Server from the system where you configure orcharhino Proxy Server to sign Puppet certificates:
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
- On orcharhino Proxy Server, change the ownership of the /etc/puppetlabs/puppet/ssl/ directory to user puppet and group puppet:
  $ chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
- On orcharhino Proxy Server, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:
  $ restorecon -Rv /etc/puppetlabs/puppet/ssl/
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --certs-cname "loadbalancer.example.com" \
  --enable-foreman-proxy-plugin-remote-execution-script \
  --foreman-proxy-puppetca "false" \
  --puppet-ca-server "orcharhino-proxy-ca.example.com" \
  --puppet-dns-alt-names "loadbalancer.example.com" \
  --puppet-server-ca "false"
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
Configuring orcharhino Proxy Server with custom SSL certificates for load balancing without Puppet
The following section describes how to configure orcharhino Proxy Servers that use custom SSL certificates for load balancing without Puppet.
Creating a custom SSL certificate for orcharhino
- To store all the source certificate files, create a directory that is accessible only to the root user:
  $ mkdir /root/orcharhino-proxy_cert
- Create a private key with which to sign the certificate signing request (CSR).
  Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
  If you already have a private key for this orcharhino, skip this step.
  $ openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
- Create the /root/orcharhino-proxy_cert/openssl.cnf configuration file for the CSR and include the following content:
  [ req ]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  prompt = no

  [ req_distinguished_name ]
  commonName = orcharhino-proxy.network2.example.com

  [ v3_req ]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  subjectAltName = @alt_names

  [ alt_names ]
  DNS.1 = orcharhino-proxy.network2.example.com
- Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
  [req_distinguished_name]
  CN = orcharhino-proxy.network2.example.com
  countryName = My_Country_Name
  stateOrProvinceName = My_State_Or_Province_Name
  localityName = My_Locality_Name
  organizationName = My_Organization_Or_Company_Name
  organizationalUnitName = My_Organizational_Unit_Name
  countryName: two letter code. stateOrProvinceName: full name. localityName: full name (example: New York). organizationalUnitName: division responsible for the certificate (example: IT department).
- Generate the CSR:
  $ openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \
    -config /root/orcharhino-proxy_cert/openssl.cnf \
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem
  -key is the path to the private key, -config is the path to the configuration file, and -out is the path to the CSR to generate.
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
Configuring orcharhino Proxy Server with custom SSL certificates for load balancing without Puppet
The following section describes how to configure orcharhino Proxy Servers that use custom SSL certificates for load balancing without Puppet. Complete this procedure on each orcharhino Proxy Server that you want to configure for load balancing.
- Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:
  --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy Server certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server:
  $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:orcharhino-proxy.network2.example.com-certs.tar
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --certs-cname "loadbalancer.example.com" \
  --enable-foreman-proxy-plugin-remote-execution-script
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com"
Configuring orcharhino Proxy Server with custom SSL certificates for load balancing with Puppet
If you use Puppet in your orcharhino configuration, then you must complete the following procedures:
Creating a custom SSL certificate for orcharhino
- To store all the source certificate files, create a directory that is accessible only to the root user:
  $ mkdir /root/orcharhino-proxy_cert
- Create a private key with which to sign the certificate signing request (CSR).
  Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
  If you already have a private key for this orcharhino, skip this step.
  $ openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
- Create the /root/orcharhino-proxy_cert/openssl.cnf configuration file for the CSR and include the following content:
  [ req ]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  prompt = no

  [ req_distinguished_name ]
  commonName = orcharhino-proxy.network2.example.com

  [ v3_req ]
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  subjectAltName = @alt_names

  [ alt_names ]
  DNS.1 = orcharhino-proxy.network2.example.com
- Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
  [req_distinguished_name]
  CN = orcharhino-proxy.network2.example.com
  countryName = My_Country_Name
  stateOrProvinceName = My_State_Or_Province_Name
  localityName = My_Locality_Name
  organizationName = My_Organization_Or_Company_Name
  organizationalUnitName = My_Organizational_Unit_Name
  countryName: two letter code. stateOrProvinceName: full name. localityName: full name (example: New York). organizationalUnitName: division responsible for the certificate (example: IT department).
- Generate the CSR:
  $ openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \
    -config /root/orcharhino-proxy_cert/openssl.cnf \
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem
  -key is the path to the private key, -config is the path to the configuration file, and -out is the path to the CSR to generate.
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
Configuring orcharhino Proxy Server with custom SSL certificates to generate and sign Puppet certificates
Complete this procedure only for the system where you want to configure orcharhino Proxy Server to generate Puppet certificates for all other orcharhino Proxy Servers that you configure for load balancing.
- Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:
  --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy-ca.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy-ca.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy Server certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server.
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --enable-foreman-proxy-plugin-remote-execution-script \
  --foreman-proxy-puppetca "true" \
  --puppet-ca-server "orcharhino-proxy-ca.example.com" \
  --puppet-dns-alt-names "loadbalancer.example.com" \
  --puppet-server-ca "true"
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "certs.tgz" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true"
- On orcharhino Proxy Server, generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing, except this first system where you configure Puppet certificate signing:
  $ puppet cert generate orcharhino-proxy.network2.example.com \
    --dns_alt_names=loadbalancer.example.com
  This command creates the following files on the orcharhino Proxy Server instance that signs Puppet certificates:
  - /etc/puppetlabs/puppet/ssl/certs/ca.pem
  - /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
  - /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
  - /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
Configuring remaining orcharhino Proxy Servers with custom SSL certificates for load balancing
Complete this procedure for each orcharhino Proxy Server excluding the system where you configure orcharhino Proxy Server to sign Puppet certificates.
- Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:
  --foreman-proxy-cname loadbalancer.example.com
- On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:
  $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem
  Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy Server certificates.
- Copy the certificate archive file from orcharhino Server to orcharhino Proxy Server:
  $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:orcharhino-proxy.network2.example.com-certs.tar
- On orcharhino Proxy Server, install the puppetserver package:
  $ dnf install puppetserver
- On orcharhino Proxy Server, create directories for the Puppet certificates:
  $ mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
- On orcharhino Proxy Server, copy the Puppet certificates for this orcharhino Proxy Server from the system where you configure orcharhino Proxy Server to sign Puppet certificates:
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
  $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
- On orcharhino Proxy Server, change the ownership of the /etc/puppetlabs/puppet/ssl/ directory to user puppet and group puppet:
  $ chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
- On orcharhino Proxy Server, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:
  $ restorecon -Rv /etc/puppetlabs/puppet/ssl/
- Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:
  --certs-cname "loadbalancer.example.com" \
  --enable-foreman-proxy-plugin-remote-execution-script \
  --foreman-proxy-puppetca "false" \
  --puppet-ca-server "orcharhino-proxy-ca.example.com" \
  --puppet-dns-alt-names "loadbalancer.example.com" \
  --puppet-server-ca "false"
- On orcharhino Proxy Server, enter the orcharhino-installer command:
  $ orcharhino-installer \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
Setting the load balancer for host registration
You can configure orcharhino to register clients through a load balancer when using the host registration feature.
You will be able to register hosts to the load balancer instead of orcharhino Proxy. The load balancer will decide through which orcharhino Proxy to register the host at the time of request. Upon registration, the subscription manager on the host will be configured to manage content through the load balancer.
- You configured SSL certificates on all orcharhino Proxy Servers. For more information, see Configuring orcharhino Proxy Servers for load balancing.
- You enabled the Registration and Templates plugins on all orcharhino Proxy Servers:
  $ orcharhino-installer \
    --foreman-proxy-registration true \
    --foreman-proxy-templates true
- On all orcharhino Proxy Servers, set the registration and template URLs using orcharhino-installer:
  $ orcharhino-installer \
    --foreman-proxy-registration-url "https://loadbalancer.example.com:9090" \
    --foreman-proxy-template-url "http://loadbalancer.example.com:8000"
- In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
- For each orcharhino Proxy, click the dropdown menu in the Actions column and select Refresh.
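A post-registration check for the behaviour described above, added here as an example and not part of the orcharhino documentation: it parses a host's /etc/rhsm/rhsm.conf and confirms that the server hostname, port and content baseurl all route through the load balancer rather than through an individual orcharhino Proxy Server. The embedded rhsm.conf sample is constructed for the test, and the load balancer FQDN is an assumption.

```shell
#!/bin/sh
# Added example (not from the orcharhino documentation): after a host registers
# through the load balancer, confirm that subscription-manager was pointed at
# the load balancer and not at an individual orcharhino Proxy Server.
set -eu

# Constructed sample of the relevant /etc/rhsm/rhsm.conf sections on a host
# registered through the load balancer (loadbalancer.example.com is assumed).
SAMPLE_RHSM_CONF='[server]
hostname = loadbalancer.example.com
port = 443
prefix = /rhsm

[rhsm]
baseurl = https://loadbalancer.example.com/pulp/content
repo_ca_cert = /etc/rhsm/ca/katello-server-ca.pem
'

# rhsm_value FILE SECTION KEY -> value of KEY inside [SECTION], empty if absent
rhsm_value() {
  awk -v section="[$2]" -v key="$3" '
    $0 == section { insec = 1; next }
    /^\[/         { insec = 0 }
    insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# lb_check FILE LB_FQDN -> returns 0 only if every setting routes via LB_FQDN
lb_check() {
  file=$1; lb=$2; rc=0
  host=$(rhsm_value "$file" server hostname)
  port=$(rhsm_value "$file" server port)
  baseurl=$(rhsm_value "$file" rhsm baseurl)
  if [ "$host" = "$lb" ]; then echo "ok: server.hostname = $host"
  else echo "FAIL: server.hostname = '$host', expected $lb"; rc=1; fi
  # 443 is the "HTTPS and RHSM" listener of the load balancer port table.
  if [ "$port" = "443" ]; then echo "ok: server.port = 443"
  else echo "FAIL: server.port = '$port', expected 443"; rc=1; fi
  case "$baseurl" in
    "https://$lb/"*) echo "ok: rhsm.baseurl = $baseurl" ;;
    *) echo "FAIL: rhsm.baseurl = '$baseurl', expected https://$lb/..."; rc=1 ;;
  esac
  return "$rc"
}

# Usage: sh check-rhsm-lb.sh /etc/rhsm/rhsm.conf loadbalancer.example.com
if [ $# -ge 2 ]; then
  lb_check "$1" "$2"
fi
```

A non-zero exit with a FAIL line means the host was registered against a single orcharhino Proxy and will lose content access when that proxy is down for maintenance.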
Installing the load balancer
The following example provides general guidance for configuring an HAProxy load balancer using Enterprise Linux 8 server. However, you can install any suitable load balancing software solution that supports TCP forwarding.
- Install HAProxy:
  $ dnf install haproxy
- Install the following package that includes the semanage tool:
  $ dnf install policycoreutils-python-utils
- Configure SELinux to allow HAProxy to bind any port:
  $ semanage boolean --modify --on haproxy_connect_any
- Configure the load balancer to balance the network load for the ports as described in Ports configuration for the load balancer. For example, to configure ports for HAProxy, edit the /etc/haproxy/haproxy.cfg file to correspond with the table.
  Table 1. Ports configuration for the load balancer
  Service | Port | Mode | Balance Mode | Destination
  HTTP | 80 | TCP | roundrobin | port 80 on all orcharhino Proxy Servers
  HTTPS and RHSM | 443 | TCP | source | port 443 on all orcharhino Proxy Servers
  Anaconda for template retrieval | 8000 | TCP | roundrobin | port 8000 on all orcharhino Proxy Servers
  Puppet (Optional) | 8140 | TCP | roundrobin | port 8140 on all orcharhino Proxy Servers
  PuppetCA (Optional) | 8141 | TCP | roundrobin | port 8140 only on the system where you configure orcharhino Proxy Server to sign Puppet certificates
  orcharhino Proxy HTTPS for Host Registration and optionally OpenSCAP | 9090 | TCP | roundrobin | port 9090 on all orcharhino Proxy Servers
- Configure the load balancer to disable SSL offloading and allow client-side SSL certificates to pass through to back end servers. This is required because communication from clients to orcharhino Proxy Servers depends on client-side SSL certificates.
- Start and enable the HAProxy service:
  $ systemctl enable --now haproxy
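The HAProxy configuration that Table 1 describes, as an added example and not a file from the orcharhino documentation or the HAProxy project: a POSIX shell script that renders haproxy.cfg for an assumed inventory of two orcharhino Proxy Servers, orcharhino-proxy-ca.example.com (which signs Puppet certificates) and orcharhino-proxy.network2.example.com. Every listener runs in TCP mode, so TLS is not offloaded and client certificates pass through untouched, and port 8141 is forwarded to 8140 on the signing proxy only.

```shell
#!/bin/sh
# Added example, not part of the orcharhino documentation or the HAProxy project:
# render an /etc/haproxy/haproxy.cfg that implements Table 1 of this guide.
# Every service runs in "mode tcp", so HAProxy never terminates TLS and the
# client certificates that subscription-manager and Puppet present reach the
# orcharhino Proxy Servers untouched. Hostnames below are assumptions.
set -eu

# Assumed inventory: all proxies behind the load balancer, and the one proxy
# that signs Puppet certificates (the only valid target for port 8141).
PROXIES="orcharhino-proxy-ca.example.com orcharhino-proxy.network2.example.com"
PUPPET_CA_PROXY="orcharhino-proxy-ca.example.com"

# tcp_service NAME BIND_PORT BALANCE DEST_PORT HOST...
# Prints one frontend/backend pair. BIND_PORT is what clients connect to on the
# load balancer, DEST_PORT is the port forwarded to on each HOST.
tcp_service() {
  name=$1; bind_port=$2; balance=$3; dest_port=$4; shift 4
  printf 'frontend %s\n' "$name"
  printf '    bind *:%s\n    mode tcp\n    default_backend %s-backend\n\n' "$bind_port" "$name"
  printf 'backend %s-backend\n    mode tcp\n    balance %s\n' "$name" "$balance"
  i=1
  for host in "$@"; do
    printf '    server %s%s %s:%s check\n' "$name" "$i" "$host" "$dest_port"
    i=$((i + 1))
  done
  printf '\n'
}

# render_haproxy_cfg -> full configuration on stdout
render_haproxy_cfg() {
  cat <<'EOF'
global
    log /dev/log local0
    maxconn 4096

defaults
    log global
    mode tcp
    option tcplog
    timeout connect 10s
    timeout client 1m
    timeout server 1m

EOF
  # Word splitting of $PROXIES is intended: one "server" line per proxy.
  # shellcheck disable=SC2086
  {
    tcp_service http        80   roundrobin 80   $PROXIES
    # "balance source" keeps one client on one proxy, as Table 1 requires
    # for the HTTPS and RHSM listener.
    tcp_service https_rhsm  443  source     443  $PROXIES
    tcp_service anaconda    8000 roundrobin 8000 $PROXIES
    tcp_service puppet      8140 roundrobin 8140 $PROXIES
    # Port 8141 goes to 8140 on the signing proxy only: the Puppet CA state
    # on disk must have a single writer (see the Puppet CA limitation above).
    tcp_service puppetca    8141 roundrobin 8140 "$PUPPET_CA_PROXY"
    tcp_service proxy_https 9090 roundrobin 9090 $PROXIES
  }
}

# Usage: sh render-haproxy.sh --print > /etc/haproxy/haproxy.cfg
if [ "${1:-}" = "--print" ]; then
  render_haproxy_cfg
fi
```

Validate the rendered file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before starting the service.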
Registering clients to the load balancer
To balance the load of network traffic from clients, you must register the clients to the load balancer.
To register clients, proceed with one of the following procedures:
Registering clients using host registration
You can register hosts with orcharhino using the host registration feature in the orcharhino management UI, Hammer CLI, or the orcharhino API. For more information, see Registering Hosts in Managing Hosts.
-
You have set the load balancer for host registration. For more information, see Setting the Load Balancer for Host Registration.
-
In the orcharhino management UI, navigate to Hosts > Register Host.
-
From the Activation Keys list, select the activation keys to assign to your host.
-
Click Generate to create the registration command.
-
Click on the files icon to copy the command to your clipboard.
-
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
-
Generate the host registration command using the Hammer CLI:
$ hammer host-registration generate-command \
  --activation-keys "My_Activation_Key"
If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the --insecure flag to the registration command.
$ hammer host-registration generate-command \
  --activation-keys "My_Activation_Key" \
  --insecure true
-
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
-
Generate the host registration command using the orcharhino API:
$ curl -X POST https://orcharhino.example.com/api/registration_commands \
  --user "My_User_Name" \
  -H 'Content-Type: application/json' \
  -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1", "My_Activation_Key_2"] }}'
If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the "insecure" attribute to the registration command.
$ curl -X POST https://orcharhino.example.com/api/registration_commands \
  --user "My_User_Name" \
  -H 'Content-Type: application/json' \
  -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1", "My_Activation_Key_2"], "insecure": true }}'
Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing Content.
To enter a password as a command line argument, use the username:password syntax. Keep in mind that this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the orcharhino management UI, navigate to My Account > Personal Access Tokens.
-
Connect to your host using SSH and run the registration command.
-
Ensure that the appropriate repositories have been enabled:
(Deprecated) Registering clients using the bootstrap script
To register clients, enter the following command on the client. You must complete the registration procedure for each client.
-
Ensure that you install the bootstrap script on the client and change file permissions of the script to executable. For more information, see Registering Hosts to orcharhino Using The Bootstrap Script in Managing Hosts.
-
On Enterprise Linux 8, enter the following command:
$ /usr/libexec/platform-python bootstrap.py \
  --activationkey="My_Activation_Key" \
  --enablerepos="orcharhino Client" \
  --force \
  --hostgroup="My_Host_Group" \
  --location="My_Location" \
  --login=admin \
  --organization="My_Organization" \
  --puppet-ca-port 8141 \
  --server loadbalancer.example.com
In the --enablerepos value, replace <arch> with the client architecture, for example x86.
Include the --force option to register a client that has been previously registered to a standalone orcharhino Proxy.
Include the --puppet-ca-port 8141 option if you use Puppet.
-
On Enterprise Linux 7 or 6, enter the following command:
$ python bootstrap.py --login=admin \
  --activationkey="My_Activation_Key" \
  --enablerepos="orcharhino Client" \
  --force \
  --hostgroup="My_Host_Group" \
  --location="My_Location" \
  --organization="My_Organization" \
  --puppet-ca-port 8141 \
  --server loadbalancer.example.com
Include the --force option to register a client that has been previously registered to a standalone orcharhino Proxy.
Include the --puppet-ca-port 8141 option if you use Puppet.
The script prompts for the password corresponding to the orcharhino user name you entered with the --login option.
Verifying the load balancing configuration
Use this procedure to verify the load balancing configuration for each orcharhino Proxy Server.
-
Shut down the base operating system for your orcharhino Proxy Server.
-
Verify that content or subscription management features are available on clients registered to this orcharhino Proxy. For example, enter the subscription-manager refresh command on a client.
-
Restart the base operating system for your orcharhino Proxy Server.
The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").