Registering Hosts

You can register existing hosts with orcharhino. There are three methods to register an existing host with orcharhino: running the bootstrap script, manually installing the subscription manager, or by using the register host page.

For a better understanding of provisioning hosts using orcharhino, see our glossary for terminology and key terms. Key terms include deployment, compute resource, provisioning template, and virtualization.

We recommend using the bootstrap.py script to register existing hosts to orcharhino.

The Register Host feature is considered a technical preview and only works for managed hosts running Alma Linux, CentOS, Red Hat Enterprise Linux, and Rocky Linux.

Registering Hosts

Hosts can be registered to orcharhino by generating a curl command on orcharhino and running this command on hosts. This method uses two templates: global registration template and host initial configuration template. That gives you complete control over the host registration process. You can set default templates by navigating to Administer > Settings, and clicking the Provisioning tab.

Prerequisites
  • The orcharhino user that generates the curl command must have the create_hosts permission.

  • You must have root privileges on the host that you want to register.

  • orcharhino Server, any orcharhino Proxies, and all hosts must be synchronized with the same NTP server, and have a time synchronization tool enabled and running.

  • The daemon rhsmcertd must be running on the hosts.

  • An activation key must be available for the host. For more information, see Managing Activation Keys in Managing Content.

  • If you want to use orcharhino Proxies instead of your orcharhino Server, ensure that you have configured your orcharhino Proxies accordingly. For more information, see [configuring-orcharhino-proxy-for-host-registration-and-provisioning_managing-hosts].

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Register Host.

  2. Optional: Select a different Organization.

  3. Optional: Select a different Location.

  4. Optional: From the Host Group list, select the host group to associate the hosts with. Fields that inherit value from Host group: Operating system, Activation Keys and Lifecycle environment.

  5. Optional: From the Operating system list, select the operating system of hosts that you want to register.

  6. Optional: From the orcharhino Proxy list, select the orcharhino Proxy to register hosts through.

  7. Optional: Select the Insecure option, if you want to make the first call insecure. During this first call, hosts download the CA file from orcharhino. Hosts will use this CA file to connect to orcharhino with all future calls making them secure.

    ATIX AG recommends that you avoid insecure calls.

    If an attacker, located in the network between orcharhino and a host, fetches the CA file from the first insecure call, the attacker will be able to access the content of the API calls to and from the registered host and the JSON Web Tokens (JWT). Therefore, if you have chosen to deploy SSH keys during registration, the attacker will be able to access the host using the SSH key.

    Instead, you can manually copy and install the CA file on each host before registering the host.

    To do this, find where orcharhino stores the CA file by navigating to Administer > Settings > Authentication and locating the value of the SSL CA file setting.

    Copy the CA file to the /etc/pki/ca-trust/source/anchors/ directory on hosts and enter the following commands:

    $ update-ca-trust enable
    $ update-ca-trust

    Then register the hosts with a secure curl command, such as:

    $ curl -sS https://orcharhino.example.com/register ...

    The following is an example of the curl command with the --insecure option:

    $ curl -sS --insecure https://orcharhino.example.com/register ...
  8. Select the Advanced tab.

  9. From the Setup REX list, select whether you want to deploy orcharhino SSH keys to hosts or not.

    If set to Yes, public SSH keys will be installed on the registered host. The inherited value is based on the host_registration_remote_execution parameter. It can be inherited, for example from a host group, an operating system, or an organization. When overridden, the selected value will be stored on host parameter level.

  10. From the Setup Insights list, select whether you want to install insights-client and register the hosts to Insights.

    The Insights tool is available for Rocky Linux only. It has no effect on other operating systems.

    You must enable the following repositories on a registered machine:

    • Rocky Linux 6: rhel-6-server-rpms

    • Rocky Linux 7: rhel-7-server-rpms

    • Rocky Linux 8: rhel-8-for-x86_64-appstream-rpms

      The insights-client package is installed by default on Rocky Linux 8 except in environments whereby Rocky Linux 8 was deployed with "Minimal Install" option.

  11. Optional: In the Install packages field, list the packages (separated with spaces) that you want to install on the host upon registration. This can be set by the host_packages parameter.

  12. Optional: Select the Update packages option to update all packages on the host upon registration. This can be set by the host_update_packages parameter.

  13. Optional: In the Repository field, enter a repository to be added before the registration is performed. For example, it can be useful to make the subscription-manager package available for the purpose of the registration. For Rocky Linux, enter the path to the orcharhino Client for Rocky Linux repository, for example http://orcharhino.example.com/pulp/content/Example/Library/custom/rocky_linux_client/rocky_linux_client/.

  14. Optional: In the Repository GPG key URL field, specify the public key to verify the signatures of GPG-signed packages. It needs to be specified in the ASCII form with the GPG public key header.

  15. Optional: In the Token lifetime (hours) field, change the validity duration of the JSON Web Token (JWT) that orcharhino uses for authentication. The duration of this token defines how long the generated curl command works. You can set the duration to 0 – 999 999 hours or unlimited.

    Note that orcharhino applies the permissions of the user who generates the curl command to authorization of hosts. If the user loses or gains additional permissions, the permissions of the JWT change too. Therefore, do not delete, block, or change permissions of the user during the token duration.

    The scope of the JWTs is limited to the registration endpoints only and cannot be used anywhere else.

  16. Optional: In the Remote Execution Interface field, enter the identifier of a network interface that hosts must use for the SSH connection. If you keep this field blank, orcharhino uses the default network interface.

  17. From the REX pull mode list, select whether you want to deploy orcharhino remote execution pull client.

    If set to Yes, the remote execution pull client is installed on the registered host. The inherited value is based on the host_registration_remote_execution_pull parameter. It can be inherited, for example from a host group, an operating system, or an organization. When overridden, the selected value is stored on the host parameter level.

    The registered host must have access to the ATIX AG orcharhino Client for Rocky Linux repository.

    For more information about the pull mode, see Transport Modes for Remote Execution in Managing Hosts.

  18. In the Activation Keys field, enter one or more activation keys to assign to hosts.

  19. Optional: Select the Lifecycle environment.

  20. Optional: Select the Ignore errors option if you want to ignore subscription manager errors.

  21. Optional: Select the Force option if you want to remove any katello-ca-consumer rpms before registration and run subscription-manager with the --force argument.

  22. Click the Generate button.

  23. Copy the generated curl command.

  24. On the hosts that you want to register, run the curl command as root.

If running remote execution jobs fail on your registered host due to Could not resolve hostname: Name or service not known, disable Ignore interfaces facts for provisioning.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > All hosts.

  2. Locate your registered host and click Edit.

  3. On the Interfaces tab, check if the host has an IP address. If the host has no IP address, continue with this procedure.

  4. In the orcharhino management UI, navigate to Administer > Settings.

  5. On the Facts tab, set Ignore interfaces facts for provisioning to No. This ensures that an IP address is assigned to the host during registration.

Customizing the Registration Templates

Use information in this section if you want to customize the registration process.

Note that all default templates in orcharhino are locked. If you want to customize the registration process, you need to clone the default templates and edit the clones. Then, in Administer > Settings > Provisioning change the Default Global registration template and Default 'Host initial configuration' template settings to point to your custom templates.

Templates

The registration process uses the following registration templates:

  • The Global Registration template contains steps for registering hosts to orcharhino. This template renders when hosts access the /register endpoint.

  • The Linux host_init_config default template contains steps for initial configuration of hosts after they are registered.

Global Parameters

You can configure the following global parameters by navigating to Configure > Global Parameters:

  • The host_registration_remote_execution parameter is used in the remote_execution_ssh_keys snippet, the default value is true.

  • The host_registration_insights parameter is used in the insights snippet, the default value is false. Set the parameter type to boolean to override the parameter value. If the parameter is set to false, it prevents orcharhino and the Insights client from uploading Inventory reports to your Red Hat Hybrid Cloud Console.

  • The host_packages parameter is for installing packages on the host.

  • The remote_execution_ssh_keys, remote_execution_ssh_user, remote_execution_create_user and remote_execution_effective_user_method parameters are used in the remote_execution_ssh_keys. For more details se the details of the snippet.

  • The encrypt_grub parameter is to enable setting of an encrypted bootloader password for the host, the default value is false.

    To actually set the password, use the grub_pass macro in your template.

Snippets

Snippet is used in the Linux host_init_config default template:

  • The remote_execution_ssh_keys snippet deploys SSH keys to the host only when the host_registration_remote_execution parameter is true.

  • The insights snippet downloads and installs the Red Hat Insights client when global parameter host_registration_insights is set to true.

  • The puppetlabs_repo and puppet_setup snippets download and install Puppet agent on the host (only when a Puppet server is assigned)

  • The host_init_config_post is empty snippet for user’s custom actions on during host initial configuration.

Variables

This table describes what variables are used in the Global Registration template.

Table 1. The Global Registration Template Variables
Variable Command argument Description

@user

none

Current authenticated user object.

@organization

organization_id

If organization_id is not set, then user’s default organization is set, or the first organization from user’s organizations list.

@location

location_id

If location_id is not set, user’s default location is set, or the first location from user’s locations list.

@hostgroup

hostgroup_id

Host group of the host.

@operatingsystem

operatingsystem_id

Host operating system.

@setup_insights

setup_insights

Override the value of the host_registration_insights global parameter for the registered host and install insights client.

@setup_remote_execution

setup_remote_execution

Override the value of host_registration_remote_execution global parameter for the registered host and deploy SSH keys for remote execution.

@setup_remote_execution

setup_remote_execution

Set default interface of host for the remote execution.

@packages

packages

Packages to install

@repo

repo

Add repository on the host

@repo_gpg_key_url

repo_gpg_key_url

Set repository GPG key form URL

@activation_keys

activation_keys

Host activation keys.

@force

force

Remove any katello-ca-consumer* rpms and run subscription-manager register command with --force argument.

@ignore_subman_errors

ignore_subman_errors

Ignore subscription-manager errors

@lifecycle_environment_id

lifecycle_environment_id

Life cycle environment id

@registration_url

none

URL for the /register endpoint.

Registering Hosts Using the Bootstrap Script

orcharhino comes with a bootstrap.py script to register existing hosts to orcharhino. It is available on your orcharhino Server at https://orcharhino.example.com/pub/bootstrap.py.

We recommend creating a backup or snapshot of your host before running the bootstrap script.

Prerequisites
  • You need root access on any hosts you want to register to orcharhino.

  • Hosts need to be able to communicate with orcharhino or any orcharhino Proxy through HTTP(S).

  • If you use a self-signed certificate on your orcharhino, ensure hosts trust the SSL certificate before running the bootstrap.py script.

  • You have created an activation key for the host that contains the necessary software content. For more information, see Creating an Activation Key.

  • You have configured a host group to manage the hosts through orcharhino. For more information, see Creating a Host Group.

    Ensure to select a host group without any predefined deploy on compute resource. Otherwise, registering an existing host starts deploying a new host to the compute resource selected in the deploy on drop down menu.

  • You have synchronized the orcharhino Client for Rocky Linux. Navigate to Content > Products, select the orcharhino Clients product, select the orcharhino Client repository on the Repositories tab, and select the appropriate orcharhino Client repository. Pass the Published At URL using --deps-repository-url, for example --deps-repository-url https://orcharhino.example.com/pulp/deb/Example/Library/custom/rocky_linux_Client/rocky_linux_9_Client/. For more information, see Adding orcharhino Clients.

  • Your host has access to the BaseOS repository that provides subscription-manager and its dependencies.

  • You have provided the required content credentials from your orcharhino instance to your host:

    $ curl --insecure https://My_User_Name:My_Password@orcharhino.example.com/katello/api/content_credentials/My_ID/content > /etc/pki/rpm-gpg/RPM-GPG-KEY-kt-bootstrap
Procedure
  1. Download the bootstrap.py script using wget:

    $ wget https://orcharhino.example.com/pub/bootstrap.py
  2. Use the --help option to display a list of mandatory options:

    $ python bootstrap.py --help
  3. Register an existing host to orcharhino:

    $ ./bootstrap.py \
    --fqdn "my-host.example.com" \
    --skip "puppet" \
    -L "Munich" \
    -a "rocky_linux" \
    -g "Rocky Linux" \
    -l "admin" \
    -o "Example" \
    -p "password" \
    --deps-repository-url https://orcharhino.example.com/pulp/deb/Example/Library/custom/rocky_linux_Client/rocky_linux_9/ \
    --deps-repository-gpg-key file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kt-bootstrap \
    -s "orcharhino.example.com"
    • Use --deps-repository-gpg-key file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kt-bootstrap to provide the required GPG public key for the dependency repository.

    • Use --fqdn to specify the FQDN of the new host, for example --fqdn my-host.example.com.

    • Use -L to specify the location, for example -L Munich.

    • Use -a to specify the activation key, for example -a rocky_linux or -a rocky_linux_puppet.

    • Use -g to add the host to a host group, for example -g "Rocky Linux with Puppet".

    • Use -l to specify the orcharhino user, for example -l admin.

    • Use -o to specify the organization, for example -o Example.

    • Use -p to specify the corresponding password, for example -p password.

    • Use -s to specify the orcharhino FQDN, for example -s orcharhino.example.com.

    • Optional: Use --skip "puppet" to skip the installation of Puppet.

      You can use additional options to have orcharhino manage DHCP, provisioning, and configuration management for your existing host.

Using a Custom User for Remote Execution for bootstrap.py

If you set the remote execution user, you must create that user prior to running the bootstrap.py script on the host.

Procedure
  1. Install sudo on your managed host:

    $ dnf install -y sudo
  2. Add your custom user:

    $ useradd -m My_Custom_User
  3. Set up SSH for your custom user:

    $ mkdir -p ~My_Custom_User/.ssh
    $ chmod 0700 ~My_Custom_User/.ssh
    $ chown -R My_Custom_User: ~My_Custom_User/.ssh
  4. Add your custom user to the sudoers file:

    $ echo "My_Custom_User ALL = (root) NOPASSWD : ALL" >> /etc/sudoers
    $ echo "Defaults:_My_Custom_User_ My_Custom_User_Password" >> /etc/sudoers
  5. Run the bootstrap.py script:

    $ ./bootstrap.py --force

    Add required flags and options as described in Registering Hosts Using the Bootstrap Script.

Associating Registered Hosts with a Compute Resource

If you register hosts to orcharhino using the bootstrap.py script, the hosts are not automatically associated with their compute resource. You have to manually disassociate the host and then reassociate it again.

Procedure
  1. Navigate to Hosts > All Hosts and select your host.

  2. In the Select Action menu, click Disassociate Hosts.

  3. Navigate to Infrastructure > Compute Resources and select your compute resource.

  4. Click Associate VMs.

  5. In case your orcharhino Server or orcharhino Proxies run on the same compute resource, disassociate the VMs on the All Hosts page again.

Registering Hosts Running Rocky Linux Manually

Procedure
  1. Install the subscription-manager.

    • On Rocky Linux 8 and 9:

      $ dnf install subscription-manager
    • On Rocky Linux 7:

      $ yum install subscription-manager
  2. Install the necessary certificates to connect to your orcharhino:

    $ rpm -Uvh http://orcharhino.example.com/pub/katello-ca-consumer-latest.noarch.rpm
  3. Register your host with an activation key:

    $ subscription-manager register --name="rocky_linux.example.com" --org="Example" --activationkey="Myrocky_linux_Activation_Key_"
  4. Install the katello-host-tools.

    • On Rocky Linux 8 and 9:

      $ dnf install katello-host-tools katello-host-tools-tracer
    • On Rocky Linux 7:

      $ yum install katello-host-tools katello-host-tools-tracer
  5. To use remote execution, add the SSH public key from orcharhino Server. For more information, see Adding SSH Keys for Remote Execution.

Adding SSH Keys for Remote Execution

Add the SSH public key from orcharhino to your managed hosts to use remote execution and to patch your hosts.

Procedure
  1. Create the required directory:

    $ mkdir -p ~root/.ssh
  2. Add the SSH public key from your orcharhino:

    $ cat << EOF >> ~root/.ssh/authorized_keys
    ssh-rsa My_SSH_Public_Key foreman-proxy@orcharhino.example.com
    EOF

    Ensure that you use a user with root privileges. This can either be root or any user being part of the sudo group.

Associating Registered Hosts with a Compute Resource

If you register hosts to orcharhino manually, the hosts are not automatically associated with their compute resource. You have to manually enter networking information before you can associate the VMs.

Procedure
  1. On your managed hosts, view the MAC address, IP address, and device identifier of the network interface providing a connection to your orcharhino:

    $ ip a
  2. Navigate to Hosts > All Hosts, select your host, and click Edit.

  3. On the Interfaces tab, click Edit and enter the MAC address, IPv4 address, and the device identifier.

  4. Click Submit to save your changes.

  5. Navigate to Hosts > All hosts and tick the checkbox of your host.

  6. In the Select Action drop down menu, click Disassociate Hosts.

  7. Navigate to Infrastructure > Compute Resources and select the compute resource your host runs on.

  8. On the Compute Resources tab, click Associate VMs.

  9. Optional: Navigate to Hosts > All Hosts, select your host, and verify your change by changing the power status of the host.

Migrating From Katello Agent to Remote Execution

Remote Execution is the preferred way to manage package content on hosts. The Katello Agent is deprecated and will be removed in a future orcharhino version. Follow these steps to switch to Remote Execution.

Prerequisites
  • You have previously installed the katello-agent package on content hosts.

Procedure
  1. If you have Remote Execution configured to use ssh mode, distribute the remote execution SSH keys to the hosts. For more information, see Distributing SSH Keys for Remote Execution.

  2. If you have Remote Execution configured to use pull-mqtt mode, deploy the remote execution pull client to the hosts. For more information, see Configuring a Host to Use the Pull Client.

  3. Stop the goferd service on content hosts:

    $ systemctl stop goferd
  4. Disable the goferd service on content hosts:

    $ systemctl disable goferd
  5. Remove the Katello agent on content hosts:

    If your host is installed on oVirt version 4.4 or lower, do not remove the katello-agent package because the removed dependencies corrupt the host.
    $ dnf remove katello-agent
  6. In the orcharhino management UI, navigate to Administer > Settings.

  7. Select the Content tab.

  8. Set the Use remote execution by default parameter to Yes.

The orcharhino server now uses host management by remote execution instead of Katello Agent.

The following table shows the remote execution equivalent commands to perform specific package actions. See hammer job-invocation create --help to learn how to specify search queries to determine the target hosts or host collections.

Table 2. Hammer Commands
Action Katello Agent Remote Execution

Install a package

hammer host package install

hammer job-invocation create --feature katello_package_install

Install a package (host collection)

hammer host-collection package install

hammer job-invocation create --feature katello_package_install

Remove a package

hammer host package remove

hammer job-invocation create --feature katello_package_remove

Remove a package (host collection)

hammer host-collection package remove

hammer job-invocation create --feature katello_package_remove

Update a package

hammer host package upgrade

hammer job-invocation create --feature katello_package_update

Update a package (host collection)

hammer host-collection package update

hammer job-invocation create --feature katello_package_update

Update all packages

hammer host package update

hammer job-invocation create --feature katello_package_update

Install errata

hammer host errata apply

hammer job-invocation create --feature katello_errata_install

Install errata (host collection)

hammer host-collection errata install

hammer job-invocation create --feature katello_errata_install

Install a package group

hammer host package-group install

hammer job-invocation create --feature katello_group_install

Install a package group (host collection)

hammer host-collection package-group install

hammer job-invocation create --feature katello_group_install

Remove a package group

hammer host package-group remove

hammer job-invocation create --feature katello_group_remove

Remove a package group (host collection)

hammer host-collection package-group remove

hammer job-invocation create --feature katello_group_remove

Update a package group

hammer host package-group update

hammer job-invocation create --feature katello_group_update

Update a package group (host collection)

hammer host-collection package-group update

hammer job-invocation create --feature katello_group_update

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution–Share Alike 3.0 Unported ("CC-BY-SA") license. This page also contains text from the official Foreman documentation which uses the same license ("CC-BY-SA").