This section of the introduction provides a quick overview of topline orcharhino features. At the lower levels orcharhino supports a large set of core and optional features, which may be dependent on the installation and configuration of additional plugins.
Automatic System Deployment
By utilising orcharhino’s provisioning setup it is possible to deploy preconfigured servers (both virtual and physical) at the click of a button via a network based installation. A wide range of common virtualization solutions are supported, and any necessary changes to your TFTP, DHCP, and DNS services can be performed automatically. New servers can automatically register with orcharhino’s content management to receive any additional software needed to provide their intended services. Once deployed, orcharhino provides reports on system health, as well as lifecycle management, accompanying your servers from creation to retirement.
Patch and Release Management
Patch and Release Management describes the process of acquiring, managing and installing patches and software updates to your infrastructure. Successful patch management allows you to identify vulnerable systems in the blink of an eye and take measures to fix these vulnerabilities. orcharhino provides you with valuable errata information and the ability to apply these errata for the following operating systems:
Configuration management describes the task of configuring and maintaining your servers. In other words, making your servers behave as they should.
A configuration management solution will keep your configuration in one centrally managed place, and allow you to scale your services rapidly. orcharhino enables you to set up a configuration management environment comprised of a wide range of different operating systems and services, while still maintaining everything in one place.
orcharhino uses Puppet as its default configuration management solution. However, it is also possible to setup or connect to an existing Salt infrastructure or to use Ansible.
Most modern IT infrastructures make extensive use of virtualization. In addition to bare metal deploys, orcharhino supports a wide range of virtualization solutions and providers. orcharhino supports Amazon EC2, Google GCE, KVM, Microsoft Azure, Oracle Linux Virtualization Manager, oVirt, Proxmox, Red Hat Virtualization, and VMware as compute resource providers. The exact list of supported features may vary for different providers.
Application Centric Deployment
Application Centric Deployment (short: ACD) describes a fundamentally different approach to provisioning and configuring hosts. Traditionally, orcharhino has pursued a host centric approach. With an application centric approach, you can deploy and configure hosts to run an application that requires a predefined set of services using the ACD plugin.
Generally, an application consists of multiple services and therefore requires different kinds of hosts connected to each other. These hosts have dependencies on each other, for example, an application server might require a database server. ACD simplifies this process by using an Ansible playbook to describe the deployed application.
For more information, see the Application Centric Deployment Guide.
Patching Hosts Using OpenSCAP
The OpenSCAP plugin allows orcharhino to collect automated vulnerability and security compliance audits from managed hosts using SCAP.
Run OpenSCAP scans to ensure your managed hosts are compliant.
Use a Puppet module to install and configure the OpenSCAP client on your managed hosts. The OpenSCAP plugin uses Puppet to install and configure software on managed hosts and manage OpenSCAP content on orcharhino itself.
Distribute SCAP content to content hosts with orcharhino.
Import SCAP content into orcharhino, for example from the
scap-security-guidepackage. For more information on how to obtain additional SCAP content or modify existing SCAP content, see the official OpenSCAP documentation.
For more information, see Managing Security Compliance in the Administering orcharhino Guide.
You can use the host discovery plugin to provision already existing hosts. This is useful when orcharhino is not able to create the hosts itself.
The host discovery plugin provides an additional option to the default network boot menu, which orcharhino provides for the networks it manages. When network booting a host, select Foreman Discovery Image. This will boot a Linux system, which automatically sends facts about the system to orcharhino. These facts can be used to initiate an automatic provisioning of the host.
orcharhino supports advanced user management options including user groups, roles and permissions, filters, LDAP authentication, and context based restrictions.
Finally, the context menu in the management UI is also relevant to orcharhino’s user management. User access in orcharhino is restricted based on context which represents real world organizational structures. An organization might be a business unit and a location might be a data centre.
Restricting access to different parts is convenient in order to avoid accidental changes by unauthorised personnel if your orcharhino is administered by more than one person. orcharhino provides the possibility to assign specific roles with fine-grained access filtering configurations to every user.
A role is a set of permissions that can be allocated to users or user groups. Every user has one or more roles and obtains all permissions that are defined within.
Note that you can create any number of roles fitting your needs but you have to save them first before providing them with filters.
Depending on the number of users with access to your system, it might be more efficient to create groups to bundle permissions instead of targeting users individually.
Filters are part of the roles and describe a set of allowed actions on a specific element, that is a resource type. You have to create a filter for every resource type you want to be accessible by users with a specific role. For example, you can create a filter of the resource type host which allows the role to only edit a specified list of hosts instead of all hosts.
By default, every user bears at least the permissions of the anonymous role which can be edited but not deleted. The permission set of the anonymous role will be automatically granted to every user account within orcharhino. You can edit this role and even deprive it of all of its filters, but you cannot delete the role itself.
A resource type describes entities of the orcharhino that require permissions to interact with. They are similar to the types of resources that are managed by orcharhino, like hosts, products, or content views. The number of actions available varies for each resource type. The default actions to which permissions can be granted to for almost every resource type are view, create, edit, and destroy.
Note that some filters depend on each other in order to take effect. For example, the permissions of the reports resource type are only valid if the user also has access to the orcharhino dashboard and the permission to view hosts.
The most convenient way to manage orcharhino user accounts is to connect orcharhino to an LDAP server. This allows you to delegate the task of authentication and authorization of orcharhino users to a trusted source in your environment.