Add missing steps for disabling TFTP and DNS #3509
base: master
Conversation
The PR preview for cf5c517 is available at theforeman-foreman-documentation-preview-pr-3509.surge.sh

The following output files are affected by this PR:
# systemctl mask --now xinetd && yum remove xinetd | ||
---- | ||
|
||
. For every subnet where the Capsule is set as a TFTP proxy, disable the proxies: |
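Review bot: `systemctl mask --now xinetd && yum remove xinetd` masks the unit and then removes the package, which leaves the mask symlink under /etc/systemd/system after the unit file is gone, so a later reinstall of `xinetd` comes back masked with no hint why; either drop the mask and only remove the package, or say in the step that the mask persists. `yum remove` without `-y` will also prompt, and `yum` ties the step to EL7, which the step text itself already restricts to RHEL7. The TFTP-proxy step that follows hardcodes "Capsule" where the rest of this file uses attributes such as `{Project}`, which is the branding point raised in the comment below.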
branding :)
# systemctl mask --now tftp.service tftp.socket systemd-resolved.service | ||
---- | ||
|
||
. Optional: On RHEL7 hosts, disable the eXtended Internet Services Daemon (xinetd) and delete the `xinetd` package: |
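Review bot: `systemd-resolved.service` in `systemctl mask --now tftp.service tftp.socket systemd-resolved.service` is the host's own stub resolver, not the DNS server the proxy orchestrates, so masking it breaks name resolution on the host itself while leaving the actual DNS daemon (BIND, `named`) running; if the intent is to stop the DNS server, that is the unit to name. Masking the TFTP units also goes past what this page's first sentence describes (the administrator keeps managing the services manually), which only needs the proxy features and orchestration disabled; a "remove the service" procedure would be a separate set of steps rather than an addition here.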
This procedure is about the Foreman/Katello platform which does not run on EL7/8 anymore. If you absolutely need these lines, then please create a follow-up PR that only targets the relevant X.Y branches.
I don't think this change is correct, but the whole file is confusing in its purpose.
If we analyze the title and the first sentence, that's:
Disabling DNS, DHCP, and TFTP for unmanaged networks
If you want to manage TFTP, DHCP, and DNS services manually, you must prevent {Project} from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors.
So the purpose is to have services installed, but managed manually by sysadmin. Then an instruction is given to disable the Foreman Proxy features (DHCP, DNS, TFTP). This effectively means the services may still run, but at least Foreman no longer orchestrates them.
If the intent was to let the sysadmin manage these services themselves, then that should be sufficient. Masking them would be part of a procedure to really remove the services, but I don't think we document that at all today.
Line 5 in this file is technically still true since it doesn't remove them, but by masking tftp you do stop it from functioning like it used to so it doesn't feel quite correct anymore.
Additionally, there's also the old line 26:
. Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
That procedure step is invalidated if you mask the TFTP service.
+ | ||
[options="nowrap", subs="+quotes,attributes"] | ||
---- | ||
# systemctl mask --now tftp.service tftp.socket systemd-resolved.service |
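Review bot: this added mask line conflicts with the later optional step ("If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options"), which assumes TFTP is still serving boot files; one of the two must change. DHCP is not covered at all in this hunk (no `dhcpd` unit, no proxy DHCP feature), even though the section title lists DNS, DHCP, and TFTP together, so either add the DHCP counterpart or narrow the PR title to what the step actually does.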
Why mask `systemd-resolved`? That looks really invasive because it's a service we never mention in our documentation or code.
Perhaps you're confusing it with the DNS service `named`?
There is also the `dhcpd` service for DHCP that you don't mention.
What changes are you introducing?
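The distinction drawn in the review comments above (stop the proxy from orchestrating and managing the services, versus actually taking the services away) and the unit-name point in the last comment, as an added shell example that is not part of this PR or of the Foreman project. It assumes EL-family unit names (`named.service`, `dhcpd.service`, `tftp.socket`/`tftp.service`; Debian-based hosts use different names) and the `foreman-installer` options `--foreman-proxy-<feature>` and `--foreman-proxy-<feature>-managed`; check `foreman-installer --full-help` on your version before relying on them. The functions only print the commands they would run, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from this PR or from the Foreman project.
# Assumptions: EL-family unit names (named, dhcpd, tftp) and the
# foreman-installer options --foreman-proxy-<feature> and
# --foreman-proxy-<feature>-managed (verify with `foreman-installer --full-help`).
# Nothing is executed; the functions print the commands for review.
set -eu

# units_for FEATURE
# Prints the systemd units the feature's daemon actually runs as on EL.
# systemd-resolved is deliberately absent: it is the host's stub resolver,
# not a daemon the proxy manages, and masking it breaks local name resolution.
units_for() {
  case "$1" in
    tftp) echo "tftp.socket tftp.service" ;;
    dns)  echo "named.service" ;;
    dhcp) echo "dhcpd.service" ;;
    *)    echo "unknown proxy feature: $1" >&2; return 1 ;;
  esac
}

# plan MODE FEATURE...
# handover: stop the proxy feature and stop the installer from managing the
#           daemon's configuration, but leave the daemon installed and running
#           for the administrator (what the page's title and intro describe).
# remove:   additionally mask the units so nothing can start them again.
plan() {
  mode=$1
  shift
  case "$mode" in
    handover|remove) ;;
    *) echo "mode must be handover or remove" >&2; return 1 ;;
  esac
  flags=""
  for f in "$@"; do
    units_for "$f" >/dev/null || return 1   # fail early on an unknown feature
    flags="$flags --foreman-proxy-$f false --foreman-proxy-$f-managed false"
  done
  echo "foreman-installer$flags"
  if [ "$mode" = remove ]; then
    for f in "$@"; do
      echo "systemctl mask --now $(units_for "$f")"
    done
  fi
}

# Usage: print the plan for handing TFTP and DNS over to manual administration.
# plan handover tftp dns
```

`plan handover tftp dns` prints a single `foreman-installer` line and touches no unit, which is all the page's intro asks for; `plan remove tftp` adds the `systemctl mask --now tftp.socket tftp.service` line, and asking for a feature such as `resolved` is rejected instead of being turned into a mask command.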
Adding missing steps for disabling TFTP and DNS for unmanaged networks.
Why are you introducing these changes? (Explanation, links to references, issues, etc.)
https://issues.redhat.com/browse/SAT-18574
Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)
Checklists
Please cherry-pick my commits into: