Uyuni Proxy Setup

Uyuni Proxy requires additional configuration.

1. Install the uyuni_proxy pattern

Check that the Proxy pattern is installed correctly. This step is part of Install Uyuni Proxy with openSUSE Leap. To verify a successful installation, on the server select the pattern_uyuni_proxy package for installation.

The salt-broker service will be automatically started after installation is complete. This service forwards Salt interactions to the Uyuni Server.

Proxy Chains

It is possible to arrange proxies in a chain. In such a case, the upstream proxy is named parent.

Make sure the TCP ports 4505 and 4506 are open on the proxy. The proxy must be able to reach the Uyuni Server or a parent proxy on these ports.

2. Copy Server Certificate and Key

The proxy will share some SSL information with the Uyuni Server. Copy the certificate and its key from the Uyuni Server or the parent proxy.

As root, enter the following commands on the proxy using your Uyuni Server or parent Proxy (named PARENT):

mkdir -m 700 /root/ssl-build
cd /root/ssl-build
scp root@PARENT:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY .
scp root@PARENT:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT .
scp root@PARENT:/root/ssl-build/rhn-ca-openssl.cnf .

To keep the security chain intact, the Uyuni Proxy functionality requires the SSL certificate to be signed by the same CA as the Uyuni Server certificate. Using certificates signed by different CAs for proxies and server is not supported.

3. Run configure-proxy.sh

The configure-proxy.sh script finalizes the setup of your Uyuni Proxy.

Execute the interactive configure-proxy.sh script. Pressing Enter without further input will make the script use the default values provided between brackets []. Here is some information about the requested settings:

Uyuni Parent

The Uyuni parent can be either another proxy or the Uyuni Server.

HTTP Proxy

A HTTP proxy enables your Uyuni proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.

Traceback Email

An email address where to report problems.

Use SSL

For safety reasons, press Y.

Do You Want to Import Existing Certificates?

Answer N. This ensures using the new certificates that were copied previously from the Uyuni server.

Organization

The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless of course your proxy is not in the same organization as your main server.

Organization Unit

The default value here is the proxy’s hostname.

City

Further information attached to the proxy’s certificate.

State

Further information attached to the proxy’s certificate.

Country Code

In the country code field, enter the country code set during the Uyuni installation. For example, if your proxy is in the US and your Uyuni is in DE, enter DE for the proxy.

The country code must be two upper case letters. For a complete list of country codes, see https://www.iso.org/obp/ui/#search.

Cname Aliases (Separated by Space)

Use this if your proxy can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.

CA Password

Enter the password that was used for the certificate of your Uyuni Server.

Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?

Use this option if you want to reuse a SSH key that was used for SSH-Push Salt clients on the server.

If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files. When the mandatory files are copied, run configure-proxy.sh again. If you receive an HTTP error during script execution, run the script again.

configure-proxy.sh activates services required by Uyuni Proxy, such as squid, apache2, salt-broker, and jabberd.

To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI (Systems  Proxy, then the system name). Connection and Proxy subtabs display various status information.

4. Enable PXE Boot

4.1. Synchronize Profiles and System Information

To enable PXE boot through a proxy, additional software must be installed and configured on both the Uyuni Proxy and the Uyuni Server.

  1. On the Uyuni Proxy, install the susemanager-tftpsync-recv package:

    zypper in susemanager-tftpsync-recv
  2. On the Uyuni Proxy, run the configure-tftpsync.sh setup script and enter the requested information:

    configure-tftpsync.sh

    You need to provide the hostname and IP address of the Uyuni Server and the proxy. You also need to enter the path to the tftpboot directory on the proxy.

  3. On the Uyuni Server, install susemanager-tftpsync:

    zypper in susemanager-tftpsync
  4. On the Uyuni Server, run configure-tftpsync.sh. This creates the configuration, and uploads it to the Uyuni Proxy:

    configure-tftpsync.sh FQDN_of_Proxy
  5. Start an initial synchronization on the Uyuni Server:

    cobbler sync

    It can also be done after a change within Cobbler that needs to be synchronized immediately. Otherwise Cobbler synchronization will run automatically when needed. For more information about PXE booting, see Install via the Network.

4.2. Configure DHCP for PXE through Proxy

Uyuni uses Cobbler for client provisioning. PXE (tftp) is installed and activated by default. Clients must be able to find the PXE boot on the Uyuni Proxy using DHCP. Use this DHCP configuration for the zone which contains the clients to be provisioned:

next-server: <IP_Address_of_Proxy>
filename: "pxelinux.0"

5. Replace the Uyuni Proxy

A proxy does not contain any information about the clients that are connected to it. Therefore, a proxy can be replaced by a new one at any time. The replacement proxy must have the same name and IP address as its predecessor.

Shut down the old proxy, and leave it installed while you prepare the replacement. Create a reactivation key for this system and then register the new proxy using the reactivation key. If you do not use the reactivation key, you will need to re-register all the clients against the new proxy.

The reactivation key is only needed if you do not want to lose the history of the machine. If you do not use a reactivation key, the replacement proxy will become a "new" one with a new ID.

Procedure: Replacing a Proxy and Keeping the Clients Registered
  1. Before starting the actual migration procedure, save the data from the old proxy, if needed. Consider copying important or manually created data to a central place that can also be accessed by the new proxy.

  2. Shut down the proxy.

  3. Install a new Uyuni Proxy. For installation instructions, see Proxy Installation.

  4. In the Uyuni Web UI, select the newly installed Uyuni Proxy, and delete it from the systems list.

  5. In the Web UI, create a reactivation key for the old proxy system: On the System Details tab of the old proxy click Reactivation. Click Generate New Key, and make a note of the new key, as you will need it later. For more information about reactivation keys, see Reactivation Keys.

  6. OPTIONAL: After the installation of the new proxy, you might also need to:

    • Copy the centrally saved data to the new proxy system

    • Install any other needed software

    • Set up TFTP synchronization if the proxy is used for autoinstallation

During the installation of the proxy, clients will not be able to reach the Uyuni Server. After you have deleted a proxy, the systems list can be temporarily incorrect. All clients that were previously connected to the proxy will show as being directly connected to the server instead. After the first successful operation on a client, such as execution of a remote command or installation of a package or patch, this information will automatically be corrected. This may take some hours.