Administering orcharhino

The first time you log on to orcharhino, you might see a warning informing you that you are using the default self-signed certificate and you might not be able to connect this browser to orcharhino until the root CA certificate is installed in the browser. Use the following procedure to locate the root CA certificate on orcharhino and to install it in your browser.

Use the web user interface to log on to orcharhino for further configuration.

Use the navigation tabs to browse the orcharhino management UI.

These steps show how to change your password.

Use the following procedures to reset the administrative password to randomly generated characters or to set a new administrative password.

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your orcharhino configuration. orcharhino supports PostgreSQL version 12.

Install a freshly provisioned system with the latest CentOS 7, Oracle Linux 7, or Enterprise Linux 7 to host the external databases.

You can install only the same version of PostgreSQL that is installed with the foreman-installer tool during an internal database installation. You can install PostgreSQL using Enterprise Linux 8 or Red Hat Enterprise Linux Server 7 repositories. orcharhino supports PostgreSQL version 12.

Back up and transfer existing data, then use the foreman-installer command to configure orcharhino to connect to an external PostgreSQL database server.

Use this procedure to install the orcharhino Ansible modules.

You can view the installed orcharhino Ansible modules by listing the content of the following directory:

As an administrator, you can create, modify and remove orcharhino users. You can also configure access permissions for a user or a group of users by assigning them different roles.

Adding SSH keys to a user allows deployment of SSH keys during provisioning. For information on deploying SSH keys during provisioning, see Deploying SSH Keys during Provisioning in the Provisioning guide.

orcharhino provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Predefined Roles. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain orcharhino plug-ins create roles automatically.

You can configure orcharhino to send email messages to individual users registered to orcharhino. orcharhino sends the email to the email address that has been added to the account, if present. Users can edit the email address by clicking on their name in the top-right of the orcharhino management UI and selecting My account.

Configure email notifications for a user from the orcharhino management UI.

To verify the delivery of emails, send a test email to a user. If the email gets delivered, the settings are correct.

If the email is delivered, the verification is complete. Otherwise, you must perform the following diagnostic steps:

To verify that users are correctly subscribed to notifications, trigger the notifications manually.

This triggers all notifications scheduled for the specified frequency for all the subscribed users. If every subscribed user receives the notifications, the verification succeeds.

The following are the notifications created by orcharhino:

orcharhino can send event notifications for a host to the host’s registered owner. You can configure orcharhino to send email notifications either to an individual user or a user group. When set to a user group, all group members who are subscribed to the email type receive a message.

To view the notification status for a host, navigate to Hosts > All Hosts and click the host you want to view. In the host details page, click the Additional Information tab, you can view the email notification status.

Receiving email notifications for a host can be useful, but also overwhelming if you are expecting to receive frequent errors, for example, because of a known issue or error you are working around. To change the email notification settings for a host, complete the following steps.

orcharhino uses the Security Content Automation Protocol (SCAP) to define security configuration policies. For example, a security policy might specify that for hosts running RHEL, login via SSH is not permitted for the root account. With orcharhino, you can schedule compliance auditing and reporting on all managed hosts.

You can install and enable the OpenSCAP plug-in to generate OpenSCAP compliance reports. The OpenSCAP plug-in consists of the main OpenSCAP plug-in itself, the OpenSCAP smart proxy plug-in, and the OpenSCAP Hammer CLI plug-in.

Tailoring Files allow existing OpenSCAP policies to be customized without forking or rewriting the policy. You can assign a Tailoring File to a policy when creating or updating a policy.

You can create a Tailoring File using the SCAP Workbench. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use-case.

Use this procedure to configure all the OpenSCAP requirements for a host group.

For information about creating and administering hosts, see the Managing Hosts guide.

The full backup creates uncompressed archives of PostgreSQL and Pulp database files, and orcharhino configuration files. Compression occurs after the archives are created to decrease the time when orcharhino services are unavailable.

A full backup requires space to store the following data:

orcharhino uses the foreman-maintain backup command to make backups.

There are three main methods of backing up orcharhino Server:

The foreman-maintain backup command creates a time-stamped subdirectory in the backup directory that you specify. The foreman-maintain backup command does not overwrite backups, therefore you must select the correct directory or subdirectory when restoring from a backup or an incremental backup. The foreman-maintain backup command stops and restarts services as required.

When you run the foreman-maintain backup offline command, the following default backup directories are created:

If you want to set a custom directory name, add the --preserve-directory option and add a directory name. The backup is then stored in the directory you provide in the command line. If you use the --preserve-directory option, no data is removed if the backup fails.

Note that if you use a local PostgreSQL database, the postgres user requires write access to the backup directory.

You can use the foreman-maintain backup command to back up remote databases.

You can use both online and offline methods to back up remote databases, but if you use offline methods, such as snapshot, the foreman-maintain backup command performs a database dump.

You can perform an offline backup that excludes the contents of the Pulp directory. The backup without Pulp content is useful for debugging purposes and is only intended to provide access to configuration files without backing up the Pulp database. You cannot restore from a directory that does not contain Pulp content.

Use this procedure to perform an offline backup of any changes since a previous backup.

To perform incremental backups, you must perform a full backup as a reference to create the first incremental backup of a sequence. Keep the most recent full backup and a complete sequence of incremental backups to restore from.

The following script performs a full backup on a Sunday followed by incremental backups for each of the following days. A new subdirectory is created for each day that an incremental backup is performed. The script requires a daily cron job.

Note that the foreman-maintain backup command requires /sbin and /usr/sbin directories to be in PATH and the --assumeyes option is used to skip the confirmation prompt.

Perform an online backup only for debugging purposes.

When performing an online backup, if there are procedures affecting the Pulp database, the Pulp part of the backup procedure repeats until it is no longer being altered. Because the backup of the Pulp database is the most time consuming part of backing up orcharhino, if you make a change that alters the Pulp database during this time, the backup procedure keeps restarting.

For production environments, use the snapshot method. For more information, see Performing a Snapshot Backup. If you want to use the online backup method in production, proceed with caution and ensure that no modifications occur during the backup.

You can perform a snapshot backup that uses Logical Volume Manager (LVM) snapshots of the Pulp, and PostgreSQL directories. Creating a backup from LVM snapshots mitigates the risk of an inconsistent backup.

The snapshot backup method is faster than a full offline backup and therefore reduces orcharhino downtime.

To view the usage statement, enter the following command:

The foreman-maintain backup snapshot command creates snapshots when the services are active, and stops all services which can impact the backup. This makes the maintenance window shorter. After the successful snapshot, all services are restarted and LVM snapshots are removed.

A backup using the foreman-maintain backup command proceeds in a sequence of steps. To skip part of the backup add the --whitelist option to the command and add the step label that you want to omit.

Use this procedure to restore orcharhino or orcharhino Proxy from a full backup. When the restore process completes, all processes are online, and all databases and system configuration revert to the state at the time of the backup.

Use this procedure to restore orcharhino or orcharhino Proxy from incremental backups. If you have multiple branches of incremental backups, select your full backup and each incremental backup for the branch you want to restore, in chronological order.

When the restore process completes, all processes are online, and all databases and system configuration revert to the state at the time of the backup.

If your orcharhino Proxy is a virtual machine, you can restore it from a snapshot. Creating weekly snapshots to restore from is recommended. In the event of failure, you can install, or configure a new orcharhino Proxy, and then synchronize the database content from orcharhino Server.

If required, deploy a new orcharhino Proxy, ensuring the host name is the same as before, and then install the orcharhino Proxy certificates. You may still have them on orcharhino Server, the package name ends in -certs.tar, alternately create new ones. Follow the procedures in Installing orcharhino Proxy until you can confirm, in the orcharhino management UI, that orcharhino Proxy is connected to orcharhino Server. Then use the procedure Synchronizing an External Smart Proxy to synchronize from orcharhino.

Use this procedure to configure all the OpenSCAP requirements for a host.

For information about creating and administering hosts, see the Managing Hosts guide.

orcharhino enables centralized compliance monitoring and management. A compliance dashboard provides an overview of compliance of hosts and the ability to view details for each host within the scope of that policy. Compliance reports provide a detailed analysis of compliance of each host with the applicable policy. With this information, you can evaluate the risks presented by each host and manage the resources required to bring hosts into compliance.

Common objectives when monitoring compliance using SCAP include the following:

The following specifications are supported by OpenSCAP:

The host name of orcharhino Server is used by orcharhino Server components, all orcharhino Proxys, and hosts registered to it for communication. This procedure ensures that you update all references to the new host name.

If you use external authentication, you must reconfigure orcharhino Server for external authentication after you run the katello-change-hostname script. The katello-change-hostname script breaks external authentication for orcharhino Server. For more information about configuring external authentication, see Configuring External Authentication.

If you use virt-who, you must update the virt-who configuration files with the new host name after you run the katello-change-hostname script.

The host name of orcharhino Proxy is referenced by orcharhino Server components, and all hosts registered to it. This procedure ensures that you update all references to the new host name.

Audit records are created automatically in orcharhino. You can use the foreman-rake audits:expire command to remove audits at any time. You can also use a cron job to schedule audit record deletions at the set interval that you want.

By default, using the foreman-rake audits:expire command removes audit records that are older than 90 days. You can specify the number of days to keep the audit records by adding the days option and add the number of days.

For example, if you want to delete audit records that are older than seven days, enter the following command:

You can use the foreman-rake audits:anonymize command to remove any user account or IP information while maintaining the audit records in the database. You can also use a cron job to schedule anonymizing the audit records at the set interval that you want.

By default, using the foreman-rake audits:anonymize command anonymizes audit records that are older than 90 days. You can specify the number of days to keep the audit records by adding the days option and add the number of days.

For example, if you want to anonymize audit records that are older than seven days, enter the following command:

Report records are created automatically in orcharhino. You can use the foreman-rake reports:expire command to remove reports at any time. You can also use a cron job to schedule report record deletions at the set interval that you want.

By default, using the foreman-rake reports:expire command removes report records that are older than 90 days. You can specify the number of days to keep the report records by adding the days option and add the number of days.

For example, if you want to delete report records that are older than seven days, enter the following command:

orcharhino performs regular cleaning to reduce disc space in the database and limit the rate of disk growth. As a result, orcharhino backup completes faster and overall performance is higher.

By default, orcharhino executes a cron job that cleans tasks every day at 19:45. orcharhino removes the following tasks during the cleaning:

You can configure the cleaning unused tasks feature using these options:

Task records are created automatically in orcharhino. You can use the foreman-rake foreman_tasks:cleanup command to remove tasks at any time. You can also use a cron job to schedule Task record deletions at the set interval that you want.

For example, if you want to delete task records from successful repository synchronizations, enter the following command:

You can delete tasks by ID, for example if you have submitted confidential data by mistake.

The following procedure describes how to resolve the situation when a logical volume (LV) with the Pulp database on it has no free space.

The PostgreSQL database can use a large amount of disk space especially in heavily loaded deployments. Use this procedure to reclaim some of this disk space on orcharhino.

Debug logging provides the most detailed log information and can help with troubleshooting issues that can arise with orcharhino and its components. In the orcharhino CLI, enable debug logging to log detailed debugging information for orcharhino.

By default, orcharhino comes with :INFO level logging enabled. You can increase or decrease the log levels on your orcharhino.

orcharhino uses a set of back-end services to perform tasks. You you experience an issue with your orcharhino, check the status of orcharhino services.

You can enable individual loggers for selective logging. orcharhino uses the following loggers:

You can configure orcharhino to manage logging with Journal. Journal then forwards log messages to rsyslog and rsyslog writes the log messages to /var/log/messages. Note that after this change the log messages do not appear in /var/log/foreman/production.log or /var/log/foreman-proxy.log any more.

orcharhino provides system information in the form of notifications and log files.

You can also use the foreman-tail command to follow many of the log files related to orcharhino. You can run foreman-tail -l to list the processes and services that it follows.

You can collect information from log files to troubleshoot orcharhino.

Additionally, the foreman-debug command exports tasks run during the last 60 days. By default, the output tar file is located at /tmp/task-export-xxx.tar.xz. If the file is missing, see the file /tmp/task-export.log to learn why task export was unsuccessful. There is no timeout when running this command.

For more information, run orcharhino-debug -h.

orcharhino supports LDAP authentication using one or multiple LDAP directories.

If you require orcharhino to use TLS to establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your orcharhino Server as described below. If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained. If you do not require secure LDAP at this time, proceed to Configuring Project to Use LDAP.

Though direct LDAP integration is covered in this section, Red Hat recommends that you use SSSD and configure it against FreeIPA, AD, or an LDAP server. SSSD improves the consistency of the authentication process. For more information about the preferred configurations, see Using Active Directory. You can also cache the SSSD credentials and use them for LDAP authentication.

This section shows how to integrate orcharhino Server with a FreeIPA server and how to enable host-based access control.

The examples in this chapter assume separation between FreeIPA and orcharhino configuration.

This section shows how to use direct Active Directory (AD) as an external authentication source for orcharhino Server.

Direct AD integration means that orcharhino Server is joined directly to the AD domain where the identity is stored. The recommended setup consists of two steps:

orcharhino does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on orcharhino. Members of the external user group then automatically become members of the orcharhino user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

External user groups based on FreeIPA or AD are refreshed only when a group member logs in to orcharhino. It is not possible to alter user membership of external user groups in the orcharhino management UI, such changes are overwritten on the next group refresh.

Use this section to configure orcharhino Server or orcharhino Proxy for FreeIPA realm support, then add hosts to the FreeIPA realm group.

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy:

Complete the following procedure on orcharhino and every orcharhino Proxy that you want to use:

After you configure your integrated or external orcharhino Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured orcharhino Proxy to the realm.

You must update any host groups that you want to use with the new realm information.

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. orcharhino’s realm feature provides administrators with the ability to map the orcharhino host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the orcharhino User Interface. For example, "Parent/Child/Child".

orcharhino Server or orcharhino Proxy sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

When a system is added to orcharhino Server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

Use this section to configure orcharhino to use Keycloak as an OpenID provider for external authentication.

Use this section to configure orcharhino to use Keycloak as an OpenID provider for external authentication with TOTP cards.

If you want to disable Keycloak authentication in orcharhino, complete this procedure.

The orcharhino content dashboard contains various widgets which provide an overview of the host configuration, Content Views, compliance reports, subscriptions and hosts currently registered, promotions and synchronization, and a list of the latest notifications.

In the orcharhino management UI, navigate to Monitor > Dashboard to access the content dashboard. The dashboard can be rearranged by clicking on a widget and dragging it to a different position. The following widgets are available:

To view orcharhino event notification alerts, click the Notifications icon in the upper right of the screen.

By default, the Notifications area displays RSS feed events published in the orcharhino news.

The feed is refreshed every 12 hours and the Notifications area is updated whenever new events become available.

You can configure the RSS feed notifications by changing the URL feed. The supported feed format is RSS 2.0 and Atom.

From the About page in orcharhino management UI, you can find an overview of the following:

To navigate to the About page:

The following section shows how to use the orcharhino management UI to find orcharhino Proxy information valuable for maintenance and troubleshooting.

The legacy foreman_hooks plugin provided full access to model objects that the webhooks plugin does not intentionally provide.

The scope of what is available is limited by the safemode and all objects and macros are both subject to an API stability promise and are fully documented.

The number of events triggered by webhooks is substantially fewer than with foreman_hooks.

Webhooks are processed asynchronously so there is minimal risk of tampering with internals of the system. It is not possible to migrate from foreman_hooks without creating payloads for each individual webhook script. However, the webhooks plugin comes with several example payload templates. You can also use the example payloads with shellhooks to simplify migration.

Both script and payload templates must be customized to achieve similar results.

Use the following procedure to install webhooks. After installing webhooks, you can configure orcharhino Server to send webhook requests.

Use the following procedure to create a webhook template in the orcharhino management UI.

You can customize events, payloads, HTTP authentication, content type, and headers through the orcharhino management UI.

Use the following procedure to create a webhook in the orcharhino management UI.

When configuring webhooks with endpoints with non-standard HTTP or HTTPS ports, an SELinux port must be assigned, see Configuring SELinux to Ensure Access to orcharhino on Custom Ports in Installing orcharhino Server.

The following table contains a list of webhook events that are available from the orcharhino management UI. Action events trigger webhooks only on success, so if an action fails, a webhook is not triggered.

For more information about payload, go to Administer > About > Support > Templates DSL. A list of available types is provided in the following table. Some events are marked as custom, in that case, the payload is an object object but a Ruby hash (key-value data structure) so syntax is different.

With webhooks, one orcharhino event can only be mapped to one API call. For advanced integrations, where a single shell script can contain multiple commands, you can install a orcharhino Proxy shellhooks plugin that exposes executables using a REST HTTP API.

A webhook can then be configured to reach out to a orcharhino Proxy API to run a predefined shellhook, which, for example, can contain commands or edit files.

Scripts must be placed in /var/lib/foreman-proxy/shellhooks as executables with only alphanumeric characters and underscores in the name.

The HTTPS payload is passed using standard input, optional command line arguments can be provided using X-Shellhook-Arg-1 to N.

The HTTP method must be POST. An example URL would be: https://orcharhino-proxy.network2.example.com:8443/shellhook/my_script.

You must enable Proxy Authorization for each webhook that is connected to a shellhook, to enable it to authorize a call.

Standard output and error are redirected to the orcharhino Proxy log as messages with debug or warning levels respectively.

There is no return value from shellhook HTTPS calls.

Optionally, you can install and enable the shellhooks plugin on each orcharhino Proxy used for shellhooks, using the following command:

To pass arguments into a shellhook script, create the following HTTP headers:

Ensure the content renders to a valid JSON. Also, only pass safe fields like database ID, name, or labels which do not include new lines or quote characters.

As you start typing a search query, a list of valid options to complete the current part of the query appears. You can either select an option from the list and keep building the query using the prediction, or continue typing. To learn how free text is interpreted by the search engine, see Using Free Text Search.

When you enter free text, it will be searched for across multiple fields. For example, if you type "64", the search will return all hosts that have that number in their name, IP address, MAC address, and architecture.

Because of searching across all fields, free text search results are not very accurate and searching can be slow, especially on a large number of hosts. For this reason, we recommend that you avoid free text and use more specific, syntax-based queries whenever possible.

You can save search queries as bookmarks for reuse. You can also delete or modify a bookmark.

Bookmarks appear only on the page on which they were created. On some pages, there are default bookmarks available for the common searches, for example, all active or disabled hosts.