Registering hosts and setting up host integration

You must register hosts that have not been provisioned through orcharhino to be able to manage them with orcharhino. You can register hosts through orcharhino Server or orcharhino Proxy.

Note that the entitlement-based subscription model is deprecated and will be removed in a future release. ATIX AG recommends that you use the access-based subscription model of Simple Content Access instead.

You must also install and configure tools on your hosts, depending on which integration features you want to use. Use the following procedures to install and configure host tools:

Registering a host to orcharhino temporarily adds repository files on your host to install subscription-manager and its dependencies. Those temporary repositories are removed before registering your host to orcharhino. After your host is registered to orcharhino, it has access to the content depending on its activation key.

Registration methods

You can use the following methods to register hosts to orcharhino:

Global registration

You generate a curl command from orcharhino and run this command from an unlimited number of hosts to register them using provisioning templates over the orcharhino API. For more information, see Registering Hosts by Using Global Registration.

By using this method, you can also deploy orcharhino SSH keys to hosts during registration to orcharhino to enable hosts for remote execution jobs. For more information, see Configuring and Setting Up Remote Jobs.

By using this method, you can also configure hosts with Red Hat Insights during registration to orcharhino. For more information, see Monitoring Hosts Using Red Hat Insights.

Katello RHSM Consumer script

You download and install the consumer script from orcharhino.example.com/pub/katello-rhsm-consumer on the host and then run the script. This method is suitable for hosts that run Debian/Ubuntu.

(Deprecated) Katello CA Consumer

You download and install the consumer RPM from orcharhino.example.com/pub/katello-ca-consumer-latest.noarch.rpm on the host and then run subscription-manager.

(Deprecated) Bootstrap script

You download the bootstrap script from orcharhino.example.com/pub/bootstrap.py on the host and then run the script. For more information, see Registering Hosts by Using the Bootstrap Script.

ATIX AG recommends using the bootstrap.py script to register existing hosts to orcharhino.

The Register Host feature is considered a technical preview and only works for managed hosts running AlmaLinux, CentOS, Red Hat Enterprise Linux, and Rocky Linux.

Registering hosts by using global registration

You can register a host to orcharhino by generating a curl command on orcharhino and running this command on hosts. This method uses two provisioning templates: Global Registration template and Linux host_init_config default template. That gives you complete control over the host registration process.

You can also customize the default templates if you need greater flexibility. For more information, see Customizing the Registration Templates.

Global parameters for registration

You can configure the following global parameters by navigating to Configure > Global Parameters:

  • The host_registration_insights parameter is used in the insights snippet. If the parameter is set to true, the registration installs and enables the Red Hat Insights client on the host. If the parameter is set to false, it prevents orcharhino and the Red Hat Insights client from uploading Inventory reports to your Red Hat Hybrid Cloud Console. The default value is false. When overriding the parameter value, set the parameter type to boolean.

  • The host_packages parameter is for installing packages on the host.

  • The host_registration_remote_execution parameter is used in the remote_execution_ssh_keys snippet. If it is set to true, the registration enables remote execution on the host. The default value is true.

  • The remote_execution_ssh_keys, remote_execution_ssh_user, remote_execution_create_user, and remote_execution_effective_user_method parameters are used in the remote_execution_ssh_keys snippet. For more details, see the snippet.

You can navigate to snippets in the orcharhino management UI through Hosts > Templates > Provisioning Templates.

Registering a host

You can register a host by using registration templates and set up various integration features and host tools during the registration process.

Prerequisites
  • Your user account has a role assigned that has the create_hosts permission.

  • You must have root privileges on the host that you want to register.

  • orcharhino Server, any orcharhino Proxies, and all hosts must be synchronized with the same NTP server, and have a time synchronization tool enabled and running.

  • An activation key must be available for the host. For more information, see Managing Activation Keys in Managing Content.

  • If you want to use orcharhino Proxies instead of your orcharhino Server, ensure that you have configured your orcharhino Proxies accordingly. For more information, see Configuring orcharhino Proxy for Host Registration and Provisioning in Installing orcharhino Proxy.

  • If your orcharhino Server or orcharhino Proxy is behind an HTTP proxy, configure the Subscription Manager on your host to use the HTTP proxy for connection.

  • You have setup the operating system entry on orcharhino for Ubuntu.

    You can use a script to add operating system entries to your orcharhino Server.

    On your orcharhino Server, uncomment the operating systems and orcharhino Client for Ubuntu that you want to add in /etc/orcharhino-ansible/or_operating_systems_vars.yaml, replace the default organization and location names, and run /opt/orcharhino/automation/play_operating_systems.sh. For more information, see /usr/share/orcharhino-ansible/README.md on your orcharhino Server.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Register Host.

  2. Optional: Select a different Organization.

  3. Optional: Select a different Location.

  4. Optional: From the Host Group list, select the host group to associate the hosts with. Fields that inherit value from Host group: Operating system, Activation Keys and Lifecycle environment.

  5. Optional: From the Operating system list, select the operating system of hosts that you want to register.

  6. Optional: From the orcharhino Proxy list, select the orcharhino Proxy to register hosts through.

    A orcharhino Proxy behind a load balancer takes precedence over a orcharhino Proxy selected in the orcharhino management UI as the host’s content source.

  7. In the Activation Keys field, enter one or more activation keys to assign to hosts.

  8. Optional: Select the Insecure option, if you want to make the first call insecure. During this first call, hosts download the CA file from orcharhino. Hosts will use this CA file to connect to orcharhino with all future calls making them secure.

    ATIX AG recommends that you avoid insecure calls.

    If an attacker, located in the network between orcharhino and a host, fetches the CA file from the first insecure call, the attacker will be able to access the content of the API calls to and from the registered host and the JSON Web Tokens (JWT). Therefore, if you have chosen to deploy SSH keys during registration, the attacker will be able to access the host using the SSH key.

    Instead, you can manually copy and install the CA file on each host before registering the host.

    To do this, find where orcharhino stores the CA file by navigating to Administer > Settings > Authentication and locating the value of the SSL CA file setting.

    Copy the CA file to the /etc/pki/ca-trust/source/anchors/ directory on hosts and enter the following commands:

    $ update-ca-trust enable
    $ update-ca-trust

    Then register the hosts with a secure curl command, such as:

    $ curl -sS https://orcharhino.example.com/register ...

    The following is an example of the curl command with the --insecure option:

    $ curl -sS --insecure https://orcharhino.example.com/register ...
  9. Select the Advanced tab.

  10. Optional: From the Setup REX list, select whether you want to deploy orcharhino SSH keys to hosts or not.

    If set to Yes, public SSH keys will be installed on the registered host. The inherited value is based on the host_registration_remote_execution parameter. It can be inherited, for example from a host group, an operating system, or an organization. When overridden, the selected value will be stored on host parameter level.

  11. Optional: In the Install packages field, list the packages (separated with spaces) that you want to install on the host upon registration. This can be set by the host_packages parameter.

  12. Optional: Select the Update packages option to update all packages on the host upon registration. This can be set by the host_update_packages parameter.

  13. In the Repositories field, click the + symbol.

    On the Repository list window, add content that is required before performing the registration. For example, it can be useful to make the subscription-manager package available for the purpose of the registration. For more information, see Prerequisites for Ubuntu.

    • In the Repository field, enter a repository to be added before the registration is performed. For Ubuntu, enter the orcharhino Client for Ubuntu repository, for example deb http://orcharhino.example.com/pulp/content/Example/Library/custom/ubuntu_client/ubuntu_client/ stable main.

    • Optional: In the Repository GPG key URL field, specify the public key to verify the signatures of GPG-signed packages. It needs to be specified in the ASCII form with the GPG public key header. If you use self-signed certificates, ensure to use http instead of https for the URL.

  14. Optional: In the Token lifetime (hours) field, change the validity duration of the JSON Web Token (JWT) that orcharhino uses for authentication. The duration of this token defines how long the generated curl command works. You can set the duration to 0 – 999 999 hours or unlimited.

    Note that orcharhino applies the permissions of the user who generates the curl command to authorization of hosts. If the user loses or gains additional permissions, the permissions of the JWT change too. Therefore, do not delete, block, or change permissions of the user during the token duration.

    The scope of the JWTs is limited to the registration endpoints only and cannot be used anywhere else.

  15. Optional: In the Remote Execution Interface field, enter the identifier of a network interface that hosts must use for the SSH connection. If you keep this field blank, orcharhino uses the default network interface.

  16. Optional: From the REX pull mode list, select whether you want to deploy orcharhino remote execution pull client.

    If set to Yes, the remote execution pull client is installed on the registered host. The inherited value is based on the host_registration_remote_execution_pull parameter. It can be inherited, for example from a host group, an operating system, or an organization. When overridden, the selected value is stored on the host parameter level.

    The registered host must have access to the ATIX AG orcharhino Client for Ubuntu repository.

    For more information about the pull mode, see Transport Modes for Remote Execution in Managing Hosts.

  17. Optional: Select the Ignore errors option if you want to ignore subscription manager errors.

  18. Optional: Select the Force option if you want to remove any katello-ca-consumer packages before registration and run subscription-manager with the --force argument.

  19. Click Generate.

  20. Copy the generated curl command.

  21. On the host that you want to register, run the curl command as root.

If running remote execution jobs fail on your registered host due to Could not resolve hostname: Name or service not known, disable Ignore interfaces facts for provisioning.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > All hosts.

  2. Locate your registered host and click Edit.

  3. On the Interfaces tab, check if the host has an IP address. If the host has no IP address, continue with this procedure.

  4. In the orcharhino management UI, navigate to Administer > Settings.

  5. On the Facts tab, set Ignore interfaces facts for provisioning to No. This ensures that an IP address is assigned to the host during registration.

Customizing host registration by using snippets

You can customize the registration process by creating snippets with pre-defined names. The Global Registration template includes these snippets automatically. Therefore, you do not have to edit the template.

To add custom steps to registration, create one or both of the following snippets:

before_registration

This snippet is loaded and executed by the Global Registration template before registering your host to orcharhino.

after_registration

This snippet is loaded and executed by the Global Registration template after registering your host to orcharhino.

Ensure you name the snippets precisely. Otherwise, the Global Registration template cannot load them.

Prerequisites
  • Your orcharhino account has a role that grants the permissions view_provisioning_templates, create_provisioning_templates, assign_organizations, and assign_locations.

  • You have selected a particular organization and location context.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Templates > Provisioning Templates.

  2. Click Create Template.

  3. In the Name field, enter the name of the required snippet: before_registration or after_registration.

  4. In the template editor, create your snippet.

  5. On the Type tab, select Snippet.

  6. On the Locations tab, assign the snippet to required locations.

  7. On the Organizations tab, assign the snippet to required organizations.

  8. Click Submit.

Additional resources

Customizing the registration templates

You can customize the registration process by editing the provisioning templates. Note that all default templates in orcharhino are locked. If you want to customize the registration templates, you must clone the default templates and edit the clones.

ATIX AG only provides support for the original unedited templates. Customized templates do not receive updates released by ATIX AG.

The registration process uses the following provisioning templates:

  • The Global Registration template contains steps for registering hosts to orcharhino. This template renders when hosts access the /register orcharhino API endpoint.

  • The Linux host_init_config default template contains steps for initial configuration of hosts after they are registered.

Procedure
  1. Navigate to Hosts > Templates > Provisioning Templates.

  2. Search for the template you want to edit.

  3. In the row of the required template, click Clone.

  4. Edit the template as needed. For more information, see Template Writing Reference.

  5. Click Submit.

  6. Navigate to Administer > Settings > Provisioning.

  7. Change the following settings as needed:

    • Point the Default Global registration template setting to your custom global registration template,

    • Point the Default 'Host initial configuration' template setting to your custom initial configuration template.

Registering Hosts Using the Bootstrap Script

orcharhino comes with a bootstrap.py script to register existing hosts to orcharhino. It is available on your orcharhino Server at https://orcharhino.example.com/pub/bootstrap.py.

ATIX AG recommends creating a backup or snapshot of your host before running the bootstrap script.

Prerequisites
  • You need root access on any hosts you want to register to orcharhino.

  • Hosts need to be able to communicate with orcharhino Server or orcharhino Proxies through HTTP(S).

  • If you use a self-signed certificate on your orcharhino, ensure that hosts trust the SSL certificate before running the bootstrap.py script.

  • You have created an activation key for the host that contains the necessary software content. For more information, see Creating an Activation Key.

  • You have configured a host group to manage the hosts through orcharhino. For more information, see Creating a Host Group.

    Ensure to select a host group without any predefined deploy on compute resource. Otherwise, registering an existing host starts deploying a new host to the compute resource selected in the deploy on drop down menu.

  • You have synchronized the orcharhino Client for Ubuntu. Navigate to Content > Products, select the orcharhino Clients product, select the orcharhino Client repository on the Repositories tab, and select the appropriate orcharhino Client repository. Pass the Published At URL using --deps-repository-url, for example --deps-repository-url https://orcharhino.example.com/pulp/content/Example/Library/custom/ubuntu_Client/ubuntu_22.04_Client/. For more information, see Adding orcharhino Clients.

  • If your host runs Ubuntu 16.04 or Ubuntu 18.04, explicitly use python2 to run the bootstrap.py script.

  • If the repositories on your host do not contain the security component, provide a repository containing openssl and python. These packages are upgraded when running the bootstrap.py script.

Procedure
  1. Download the bootstrap.py script using wget:

    $ wget https://orcharhino.example.com/pub/bootstrap.py
  2. Use the --help option to display a list of mandatory options:

    $ python bootstrap.py --help
  3. Register an existing host to orcharhino:

    $ ./bootstrap.py \
    --fqdn "my-host.example.com" \
    --skip "puppet" \
    -L "Munich" \
    -a "ubuntu" \
    -g "Ubuntu" \
    -l "admin" \
    -o "Example" \
    -p "password" \
    --deps-repository-url https://orcharhino.example.com/pulp/content/Example/Library/custom/ubuntu_Client/ubuntu_22.04/ \
    --deps-repository-gpg-key https://orcharhino.example.com/pub/pulp_deb_signing.key \
    -s "orcharhino.example.com"

    You can provide multiple dependency repositories and GPG public keys for dependency repositories. Ensure that the number and order of the GPG public keys matches the number and order of the repository URLs.

    • Use --deps-repository-url with the Published At URL of the orcharhino Client repository.

    • Use --deps-repository-gpg-key with the required GPG public key of the orcharhino Client repository.

    • Optional: Add further instances of --deps-repository-url and --deps-repository-gpg-key if you require additional dependency repositories.

    • Use --fqdn to specify the FQDN of the new host, for example --fqdn my-host.example.com.

    • Use -L to specify the location, for example -L Munich.

    • Use -a to specify the activation key, for example -a ubuntu or -a ubuntu_puppet.

    • Use -g to add the host to a host group, for example -g "Ubuntu with Puppet".

    • Use -l to specify your orcharhino user, for example -l admin.

    • Use -o to specify your organization, for example -o Example.

    • Use -p to specify your corresponding password, for example -p password.

    • Use -s to specify your orcharhino FQDN, for example -s orcharhino.example.com.

    • Optional: Use --skip "puppet" to skip the installation of Puppet.

      You can use additional options to have orcharhino manage DHCP, provisioning, and configuration management for your existing host.

Using a Custom User for Remote Execution for bootstrap.py

If you set the remote execution user, you must create that user prior to running the bootstrap.py script on the host.

Procedure
  1. Install sudo on your managed host:

    $ apt install -y sudo
  2. Add your custom user:

    $ useradd -m My_Custom_User
  3. Set up SSH for your custom user:

    $ mkdir -p ~My_Custom_User/.ssh
    $ chmod 0700 ~My_Custom_User/.ssh
    $ chown -R My_Custom_User: ~My_Custom_User/.ssh
  4. Add your custom user to the sudoers file:

    $ echo "My_Custom_User ALL = (root) NOPASSWD : ALL" >> /etc/sudoers
    $ echo "Defaults:_My_Custom_User_ My_Custom_User_Password" >> /etc/sudoers
  5. Run the bootstrap.py script:

    $ ./bootstrap.py --force

    Add required flags and options as described in Registering Hosts Using the Bootstrap Script.

Associating Registered Hosts with a Compute Resource

If you register hosts to orcharhino using the bootstrap.py script, the hosts are not automatically associated with their compute resource. You have to manually disassociate the host and then reassociate it again.

Procedure
  1. Navigate to Hosts > All Hosts and select your host.

  2. In the Select Action menu, click Disassociate Hosts.

  3. Navigate to Infrastructure > Compute Resources and select your compute resource.

  4. Click Associate VMs.

  5. In case your orcharhino Server or orcharhino Proxies run on the same compute resource, disassociate the VMs on the All Hosts page again.

Registering Hosts Running Ubuntu Manually

Procedure
  1. Add the GPG public key used to sign deb packages from your orcharhino Server to download the orcharhino Client for Ubuntu:

    $ apt-get install gnupg
    $ mkdir -p /etc/apt/trusted.gpg.d
    $ wget "https://orcharhino.example.com/pub/pulp_deb_signing.key" -O - | apt-key add -
  2. Create a repository file which contains the orcharhino Client for Ubuntu:

    $ mkdir -p /etc/apt/sources.list.d
    $ cat > /etc/apt/sources.list.d/orcharhino.list <<'EOF'
    deb http://orcharhino.example.com/pulp/content/Example/Library/custom/ubuntu_orcharhino_Client/ubuntu_orcharhino_Client/ default all
    EOF
  3. Install apt-transport-katello and katello-upload-profile. This depends on and automatically installs subscription-manager for Ubuntu, which replaces the katello-host-tools:

    $ apt-get update
    $ apt-get install apt-transport-katello katello-upload-profile
  4. Download and execute a script from your orcharhino Server to install all necessary certificates:

    $ wget --no-check-certificate -O - https://orcharhino.example.com/pub/katello-rhsm-consumer | /bin/bash -x 2> /root/katello-rhsm-consumer.log
  5. Register your host with an activation key:

    $ subscription-manager register \
    --activationkey="Myubuntu_Activation_Key_" \
    --name="ubuntu.example.com" \
    --org="My_Organization"
  6. To use remote execution, add the SSH public key from orcharhino Server. For more information, see Adding SSH Keys for Remote Execution.

Adding SSH Keys for Remote Execution

Add the SSH public key from orcharhino to your managed hosts to use remote execution and to patch your hosts.

Procedure
  1. Create the required directory:

    $ mkdir -p ~root/.ssh
  2. Add the SSH public key from your orcharhino:

    $ cat << EOF >> ~root/.ssh/authorized_keys
    ssh-rsa My_SSH_Public_Key foreman-proxy@orcharhino.example.com
    EOF

    Ensure that you use a user with root privileges. This can either be root or any user being part of the sudo group.

Associating Registered Hosts with a Compute Resource

If you register hosts to orcharhino manually, the hosts are not automatically associated with their compute resource. You have to manually enter networking information before you can associate the VMs.

Procedure
  1. On your managed hosts, view the MAC address, IP address, and device identifier of the network interface providing a connection to your orcharhino:

    $ ip a
  2. Navigate to Hosts > All Hosts, select your host, and click Edit.

  3. On the Interfaces tab, click Edit and enter the MAC address, IPv4 address, and the device identifier.

  4. Click Submit to save your changes.

  5. Navigate to Hosts > All hosts and tick the checkbox of your host.

  6. In the Select Action drop down menu, click Disassociate Hosts.

  7. Navigate to Infrastructure > Compute Resources and select the compute resource your host runs on.

  8. On the Compute Resources tab, click Associate VMs.

  9. Optional: Navigate to Hosts > All Hosts, select your host, and verify your change by changing the power status of the host.

Installing and configuring Puppet agent during host registration

You can install and configure the Puppet agent on the host during registration. A configured Puppet agent is required on the host for Puppet integration with your orcharhino. For more information about Puppet, see Configuring Hosts Using Puppet.

Prerequisites
  • Puppet must be enabled in your orcharhino. For more information, see Enabling Puppet integration with orcharhino in Configuring Hosts Using Puppet.

  • You created a product and repository containing the Puppet agent and synchronized the repository to orcharhino. For more information, see Importing content in Managing Content.

  • You created an activation key that enables the Puppet agent repository for hosts. For more information, see Managing activation keys in Managing Content.

Procedure
  1. In the orcharhino management UI, navigate to Configure > Global Parameters to add host parameters globally. Alternatively, you can navigate to Configure > Host Groups and edit or create a host group to add host parameters only to a host group.

  2. Enable the Puppet agent using a host parameter in global parameters or a host group. Add a host parameter named enable-puppet7, select the boolean type, and set the value to true.

  3. Specify configuration for the Puppet agent using the following host parameters in global parameters or a host group:

    • Add a host parameter named puppet_server, select the string type, and set the value to the hostname of your Puppet server, such as puppet.example.com.

    • Optional: Add a host parameter named puppet_ca_server, select the string type, and set the value to the hostname of your Puppet CA server, such as puppet-ca.example.com. If puppet_ca_server is not set, the Puppet agent will use the same server as puppet_server.

    • Optional: Add a host parameter named puppet_environment, select the string type, and set the value to the Puppet environment you want the host to use.

  4. Navigate to Hosts > Register Host and register your host using an appropriate activation key. For more information, see Registering Hosts in Managing Hosts.

  5. Navigate to Infrastructure > orcharhino Proxies.

  6. From the list in the Actions column for the required orcharhino Proxy, select Certificates.

  7. Click Sign to the right of the required host to sign the SSL certificate for the Puppet agent.

Installing and configuring Puppet agent manually

You can install and configure the Puppet agent on a host manually. A configured Puppet agent is required on the host for Puppet integration with your orcharhino. For more information about Puppet, see Configuring Hosts Using Puppet.

Prerequisites
Procedure
  1. Log in to the host as the root user.

  2. Install the Puppet agent package:

    $ apt install puppet-agent
  3. Add the Puppet agent to PATH in your current shell using the following script:

    . /etc/profile.d/puppet-agent.sh
  4. Configure the Puppet agent. Set the environment parameter to the name of the Puppet environment to which the host belongs:

    $ puppet config set server orcharhino.example.com --section agent
    $ puppet config set environment My_Puppet_Environment --section agent
  5. Start the Puppet agent service:

    $ puppet resource service puppet ensure=running enable=true
  6. Create a certificate for the host:

    $ puppet ssl bootstrap
  7. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.

  8. From the list in the Actions column for the required orcharhino Proxy, select Certificates.

  9. Click Sign to the right of the required host to sign the SSL certificate for the Puppet agent.

  10. On the host, run the Puppet agent again:

    $ puppet ssl bootstrap

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").