COBBLER.CONF(5) Cobbler COBBLER.CONF(5)

cobbler.conf - Cobbler Configuration File Documentation

There are two main settings files: settings and modules.conf. Both
files can be found under /etc/cobbler/ and both are written in YAML.

allow_duplicate_hostnames
If 1, cobbler will allow insertions of system records that duplicate
the --dns-name information of other system records. In general, this
is undesirable and should be left 0.

default: 0

allow_duplicate_ips
If 1, cobbler will allow insertions of system records that duplicate
the ip address information of other system records. In general, this
is undesirable and should be left 0.

default: 0

allow_duplicate_macs
If 1, cobbler will allow insertions of system records that duplicate
the mac address information of other system records. In general, this
is undesirable.

default: 0

allow_dynamic_settings
If 1, cobbler will allow settings to be changed dynamically without a
restart of the cobblerd daemon. You can only change this variable by
manually editing the settings file, and you MUST restart cobblerd after
changing it.

default: 0

anamon_enabled
By default, installs are not set to send installation logs to the cobbler
server. With anamon_enabled, automatic installation templates may
use the pre_anamon snippet to allow remote live monitoring of their
installations from the cobbler server. Installation logs will be stored
under /var/log/cobbler/anamon/.

Note: This does allow an xmlrpc call to send logs to this directory,
without authentication, so enable only if you are ok with this limitation.

default: 0

authn_pam_service
If using authn_pam in the modules.conf, this can be configured to
change the PAM service that authentication will be tested against.

default: "login"

auth_token_expiration
How long the authentication token is valid for, in seconds.

default: 3600

autoinstall_snippets_dir
This is a directory of files that cobbler uses to make templating easier.
See the Wiki for more information. Changing this directory should
not be required.

default: /var/lib/cobbler/snippets

autoinstall_templates_dir
This is a directory of files that cobbler uses to make templating easier.
See the Wiki for more information. Changing this directory should
not be required.

default: /var/lib/cobbler/templates

boot_loader_conf_template_dir
Location of templates used for boot loader config generation.

default: "/etc/cobbler/boot_loader_conf"

build_reporting_*
Email out a report when cobbler finishes installing a system.

· enabled: set to 1 to turn this feature on

· sender: optional

· email: which addresses to email

· smtp_server: used to specify another server for an MTA

· subject: use the default subject unless overridden

defaults:

build_reporting_enabled: 0
build_reporting_sender: ""
build_reporting_email: [ 'root@localhost' ]
build_reporting_smtp_server: "localhost"
build_reporting_subject: ""
build_reporting_ignorelist: [ "" ]

cheetah_import_whitelist
Cheetah-language autoinstall templates can import Python modules. While
this is a useful feature, it is not safe to allow them to import anything
they want. This whitelists which modules can be imported through
Cheetah. Users can expand this as needed but should never allow modules
such as subprocess or those that allow access to the filesystem, as
Cheetah templates are evaluated by cobblerd as code.

default:

· "random"

· "re"

· "time"

· "netaddr"

createrepo_flags
Default createrepo_flags to use for new repositories. If you have
createrepo >= 0.4.10, consider -c cache --update -C, which can dramatically
improve your cobbler reposync time. -s sha enables working with
Fedora repos from F11/F12 from EL-4 or EL-5 without python-hashlib
installed (which is not available on EL-4).

default: "-c cache -s sha"

default_autoinstall
If no autoinstall template is specified to profile add, use this template.

default: /var/lib/cobbler/autoinstall_templates/default.ks

default_name_*
Configure all installed systems to use these nameservers by default
unless defined differently in the profile. For DHCP configurations you
probably do /not/ want to supply this.

defaults:

default_name_servers: []
default_name_servers_search: []

default_ownership
If using the authz_ownership module (see the Wiki), objects created
without specifying an owner are assigned to this owner and/or group.
Can be a comma-separated list.

default:

· "admin"

default_password_crypted
Cobbler has various sample automatic installation templates stored in
/var/lib/cobbler/autoinstall_templates/. This controls what install
(root) password is set up for those systems that reference this variable.
The factory default is "cobbler" and cobbler check will warn if
this is not changed. The simplest way to change the password is to run
openssl passwd -1 and put the output between the "".

default: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."

default_template_type
The default template type to use in the absence of any other detected
template. If you do not specify the template with #template=<template_type>
on the first line of your templates/snippets, cobbler will
try to use the following template engine to parse the templates.

Current valid values are: cheetah, jinja2

default: "cheetah"

default_virt_bridge
For libvirt based installs in koan, if no virt-bridge is specified,
which bridge do we try? For EL 4/5 hosts this should be xenbr0, for all
versions of Fedora, try virbr0. This can be overridden on a per-profile
basis or at the koan command line, though it saves typing to just set
it here to the most common option.

default: xenbr0

default_virt_file_size
Use this as the default disk size for virt guests (GB).

default: 5

default_virt_ram
Use this as the default memory size for virt guests (MB).

default: 512

default_virt_type
If koan is invoked without --virt-type and no virt-type is set on the
profile/system, what virtualization type should be assumed?

Current valid values are: xenpv, xenfv, qemu, vmware

NOTE: this does not change what virt_type is chosen by import.

default: xenpv

enable_gpxe
Enable gPXE booting? Enabling this option will cause cobbler to copy
the undionly.kpxe file to the tftp root directory, and if a profile/system
is configured to boot via gpxe it will chain load off
pxelinux.0.

default: 0

enable_menu
Controls whether cobbler will add each new profile entry to the default
PXE boot menu. This can be overridden on a per-profile basis when
adding/editing profiles with --enable-menu=0/1. Users should ordinarily
leave this setting enabled unless they are concerned with accidental
reinstalls from users who select an entry at the PXE boot menu. Adding
a password to the boot menu templates may also be a good solution to
prevent unwanted reinstallations.

default: 1

http_port
Change this port if Apache is not running plaintext on port 80. Most
people can leave this alone.

default: 80

kernel_options
Kernel options that should be present in every cobbler installation.
Kernel options can also be applied at the distro/profile/system level.

default: {}

ldap_*
Configuration options if using the authn_ldap module. See the Wiki
for details. This can be ignored if you are not using LDAP for
WebUI/XMLRPC authentication.

defaults:

ldap_server: "ldap.example.com"
ldap_base_dn: "DC=example,DC=com"
ldap_port: 389
ldap_tls: 1
ldap_anonymous_bind: 1
ldap_search_bind_dn: ''
ldap_search_passwd: ''
ldap_search_prefix: 'uid='
ldap_tls_cacertfile: ''
ldap_tls_keyfile: ''
ldap_tls_certfile: ''

mgmt_*
Cobbler has a feature that allows for integration with config management
systems such as Puppet. The following parameters work in conjunction
with --mgmt-classes and are described in further detail at:
https://github.com/cobbler/cobbler/wiki/Using-cobbler-with-a-configuration-management-system

mgmt_classes: []
mgmt_parameters:
    from_cobbler: 1

puppet_auto_setup
If enabled, this setting ensures that puppet is installed during
machine provision, a client certificate is generated and a certificate
signing request is made with the puppet master server.

default: 0

sign_puppet_certs_automatically
When puppet starts on a system after installation it needs to have its
certificate signed by the puppet master server. Enabling the following
feature will ensure that the puppet server signs the certificate after
installation if the puppet master server is running on the same machine
as cobbler. This requires puppet_auto_setup above to be enabled.

default: 0

puppetca_path
Location of the puppet executable, used for revoking certificates.

default: "/usr/bin/puppet"

remove_old_puppet_certs_automatically
When a puppet managed machine is reinstalled it is necessary to remove
the puppet certificate from the puppet master server before a new
certificate is signed (see above). Enabling the following feature will
ensure that the certificate for the machine to be installed is removed
from the puppet master server if the puppet master server is running on
the same machine as cobbler. This requires puppet_auto_setup above to
be enabled.

default: 0

puppet_server
Choose a --server argument when running puppetd/puppet agent during
autoinstall. This one is commented out by default.

default: 'puppet'

puppet_version
Let cobbler know that you're using a newer version of puppet. Choose
version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'.
This one is commented out by default.

default: 2

puppet_parameterized_classes
Choose whether to enable puppet parameterized classes or not. Puppet
versions prior to 2.6.5 do not support parameters. This one is
commented out by default.

default: 1

manage_dhcp
Set to 1 to enable Cobbler's DHCP management features. The choice of
DHCP management engine is in /etc/cobbler/modules.conf

default: 0

manage_dns
Set to 1 to enable Cobbler's DNS management features. The choice of DNS
management engine is in /etc/cobbler/modules.conf

default: 0

bind_chroot_path
Set to path of bind chroot to create bind-chroot compatible bind
configuration files. This should be automatically detected.

default: ""

bind_master
Set to the ip address of the master bind DNS server for creating
secondary bind configuration files.

default: 127.0.0.1

manage_tftpd
Set to 1 to enable Cobbler's TFTP management features. The choice of
TFTP management engine is in /etc/cobbler/modules.conf

default: 1

tftpboot_location
This variable contains the location of the tftpboot directory. If this
directory is not present cobbler does not start.

default: /srv/tftpboot

manage_rsync
Set to 1 to enable Cobbler's RSYNC management features.

default: 0

manage_*
If using BIND (named) for DNS management in /etc/cobbler/modules.conf
and manage_dns is enabled (above), this lists which zones are managed.
See the Wiki (https://github.com/cobbler/cobbler/wiki/Dns-management)
for more info.

defaults:

manage_forward_zones: []
manage_reverse_zones: []

next_server
If using cobbler with manage_dhcp, put the IP address of the cobbler
server here so that PXE booting guests can find it. If you do not set
this correctly, this will be manifested in TFTP open timeouts.

default: 127.0.0.1

power_management_default_type
Settings for power management features. These settings are optional.
See https://github.com/cobbler/cobbler/wiki/Power-management to learn
more.

Choices (refer to codes.py):

· apc_snmp

· bladecenter

· bullpap

· drac

· ether_wake

· ilo

· integrity

· ipmilan

· ipmitool

· lpar

· rsa

· virsh

· wti

default: ipmitool

power_template_dir
The commands used by the power management module are sourced from what
directory?

default: "/etc/cobbler/power"

pxe_just_once
If this setting is set to 1, cobbler systems that pxe boot will request
at the end of their installation to toggle the --netboot-enabled record
in the cobbler system record. This eliminates the potential for a PXE
boot loop if the system is set to PXE first in its BIOS order. Enable
this if PXE is first in your BIOS boot order, otherwise leave this
disabled. See the manpage for --netboot-enabled.

default: 1

nopxe_with_triggers
If this setting is set to one, triggers will be executed when systems
request to toggle the --netboot-enabled record at the end of their
installation.

default: 1

redhat_management_server
This setting is only used by the code that supports using
Spacewalk/Satellite authentication within Cobbler Web and Cobbler XMLRPC.

default: "xmlrpc.rhn.redhat.com"

redhat_management_permissive
If using authn_spacewalk in modules.conf to let cobbler authenticate
against Satellite/Spacewalk's auth system, by default it will not allow
per user access into Cobbler Web and Cobbler XMLRPC. In order to permit
this, the following setting must be enabled HOWEVER doing so will permit
all Spacewalk/Satellite users of certain types to edit all of cobbler's
configuration. These roles are: config_admin and org_admin.
Users should turn this on only if they want this behavior and do not
have a cross-multi-org separation concern. If you have a single org in
your satellite, it's probably safe to turn this on and then you can use
CobblerWeb alongside a Satellite install.

default: 0

redhat_management_key
Specify the default Red Hat authorization key to use to register
system. If left blank, no registration will be attempted. Similarly you
can set the --redhat-management-key to blank on any system to keep it
from trying to register.

default: ""

register_new_installs
If set to 1, allows /usr/bin/cobbler-register (part of the koan package)
to be used to remotely add new cobbler system records to cobbler.
This effectively allows for registration of new hardware from system
records.

default: 0

reposync_flags
Flags to use for yum's reposync. If your version of yum reposync does
not support -l, you may need to remove that option.

default: "-l -n -d"

restart_*
When DHCP and DNS management are enabled, cobbler sync can automatically
restart those services to apply changes. The exception for this
is if using ISC for DHCP, then omapi eliminates the need for a restart.
omapi, however, is experimental and not recommended for most configurations.
If DHCP and DNS are going to be managed, but hosted on a box
that is not on this server, disable restarts here and write some other
script to ensure that the config files get copied/rsynced to the destination
box. This can be done by modifying the restart services trigger.
Note that if manage_dhcp and manage_dns are disabled, the respective
parameter will have no effect. Most users should not need to change
this.

defaults:

restart_dns: 1
restart_dhcp: 1

run_install_triggers
Install triggers are scripts in /var/lib/cobbler/triggers/install that
are triggered in autoinstall pre and post sections. Any executable
script in those directories is run. They can be used to send email or
perform other actions. They are currently run as root so if you do not
need this functionality you can disable it, though this will also disable
cobbler status which uses a logging trigger to audit install
progress.

default: 1

scm_track_*
Enables a trigger which version controls all changes to /var/lib/cobbler
when add, edit, or sync events are performed. This can be used to
revert to previous database versions, generate RSS feeds, or for other
auditing or backup purposes. Git and Mercurial are currently supported,
but Git is the recommended SCM for use with this feature.

default:

scm_track_enabled: 0
scm_track_mode: "git"
scm_track_author: "cobbler <cobbler@localhost>"
scm_push_script: "/bin/true"

server
This is the address of the cobbler server -- as it is used by systems
during the install process, it must be the address or hostname of the
system as those systems can see the server. If you have a server that
appears differently to different subnets (dual homed, etc), you need to
read the --server-override section of the manpage for how that works.

default: 127.0.0.1

client_use_localhost
If set to 1, all commands will be forced to use the localhost address
instead of the above value, which can force commands like cobbler
sync to open a connection to a remote address if one is in the
configuration and would traceback.

default: 0

client_use_https
If set to 1, all commands to the API (not directly to the XMLRPC
server) will go over HTTPS instead of plaintext. Be sure to change the
http_port setting to the correct value for the web server.

default: 0

virt_auto_boot
Should new profiles for virtual machines default to auto booting with
the physical host when the physical host reboots? This can be overridden
on each profile or system object.

default: 1

webdir
Cobbler's web directory. Don't change this setting -- see the Wiki on
"relocating your cobbler install" if your /var partition is not large
enough.

default: @@webroot@@/cobbler

webdir_whitelist
Directories that will not get wiped and recreated on a cobbler sync.

default:

webdir_whitelist:
- misc
- web
- webui
- localmirror
- repo_mirror
- distro_mirror
- images
- links
- pub
- repo_profile
- repo_system
- svc
- rendered
- .link_cache

xmlrpc_port
Cobbler's public XMLRPC listens on this port. Change this only if
absolutely needed, as you'll have to start supplying a new port option to
koan if it is not the default.

default: 25151

yum_post_install_mirror
cobbler repo add commands set cobbler up with repository information
that can be used during autoinstall and is automatically set up in the
cobbler autoinstall templates. By default, these are only available at
install time. To make these repositories usable on installed systems
(since cobbler makes a very convenient mirror) set this to 1. Most
users can safely set this to 1. Users who have a dual homed cobbler
server, or are installing laptops that will not always have access to
the cobbler server may wish to leave this as 0. In that case, the cobbler
mirrored yum repos are still accessible at
http://cobbler.example.org/cblr/repo_mirror and yum configuration can
still be done manually. This is just a shortcut.

default: 1

yum_distro_priority
The default yum priority for all the distros. This is only used if
yum-priorities plugin is used. 1 is the maximum value. Tweak with caution.

default: 1

yumdownloader_flags
Flags to use for yumdownloader. Not all versions may support --resolve.

default: "--resolve"

serializer_pretty_json
Sort and indent JSON output to make it more human-readable.

default: 0

replicate_rsync_options
Replication rsync options for distros, autoinstalls, snippets set to
override default value of -avzH

default: "-avzH"

replicate_repo_rsync_options
Replication rsync options for repos set to override default value of
-avzH

default: "-avzH"

always_write_dhcp_entries
Always write DHCP entries, regardless if netboot is enabled.

default: 0

proxy_url_ext
External proxy - used by: get-loaders, reposync, signature update.
Commented out by default.

defaults:

http: http://192.168.1.1:8080
https: https://192.168.1.1:8443

proxy_url_int
Internal proxy - used by systems to reach cobbler for kickstarts.

E.g.: proxy_url_int: http://10.0.0.1:8080

default: ""

jinja2_includedir
This is a directory of files that cobbler uses to include files into
Jinja2 templates. By default this setting is commented out.

default: /var/lib/cobbler/jinja2

include
Include other configuration snippets with this regular expression.

default: [ "/etc/cobbler/settings.d/*.settings" ]

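Added example (not part of the original man page and not Cobbler's own code): a small audit over the contents of /etc/cobbler/settings that flags the values this page itself warns about. The parser handles only the flat YAML subset shown on this page; the function names and the sample input are constructed for illustration.

```python
import re

# Factory-default hash documented on this page (password "cobbler").
FACTORY_HASH = "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."
# Default cheetah_import_whitelist from this page; anything else needs review.
DEFAULT_IMPORTS = {"random", "re", "time", "netaddr"}

def scalar(token):
    """Strip quotes and convert integer-looking values to int."""
    token = token.strip().strip("'\"")
    return int(token) if re.fullmatch(r"-?\d+", token) else token

def parse_settings(text):
    """Read the flat subset of YAML used here: scalars, inline lists and
    block lists. Assumption: this is not a general YAML parser."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"\s*-\s+(.*)$", line)
        if item and current is not None:
            data[current].append(scalar(item.group(1)))
            continue
        pair = re.match(r"([A-Za-z0-9_]+):\s*(.*)$", line)
        if not pair:
            continue  # nested mappings and anything else are ignored
        key, value = pair.groups()
        if value == "":
            data[key], current = [], key
        elif value.startswith("["):
            items = value.strip("[] ").split(",")
            data[key], current = [scalar(v) for v in items if v.strip()], None
        else:
            data[key], current = scalar(value), None
    return data

def audit(settings):
    """Return one finding per setting whose value this page warns about."""
    findings = []
    if settings.get("default_password_crypted") == FACTORY_HASH:
        findings.append("default_password_crypted: factory default (password 'cobbler')")
    if settings.get("anamon_enabled", 0) == 1:
        findings.append("anamon_enabled: XMLRPC log upload without authentication")
    whitelist = settings.get("cheetah_import_whitelist", [])
    if not isinstance(whitelist, list):
        whitelist = [whitelist]
    extra = sorted({str(m) for m in whitelist} - DEFAULT_IMPORTS)
    if extra:
        findings.append("cheetah_import_whitelist: non-default modules: " + ", ".join(extra))
    if settings.get("redhat_management_permissive", 0) == 1:
        findings.append("redhat_management_permissive: config_admin and org_admin can edit everything")
    if settings.get("register_new_installs", 0) == 1:
        findings.append("register_new_installs: remote creation of system records enabled")
    return findings

# Constructed sample settings, not taken from a real deployment.
SAMPLE = """\
anamon_enabled: 1
default_password_crypted: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."
cheetah_import_whitelist:
  - "random"
  - "re"
  - "subprocess"
redhat_management_permissive: 0
register_new_installs: 0
"""

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print("WARN", finding)
```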
If you have your own custom modules which are not shipped with Cobbler
directly, you may have additional sections here.

authentication
What users can log into the WebUI and Read-Write XMLRPC?

Choices:

· authn_denyall -- no one (default)

· authn_configfile -- use /etc/cobbler/users.digest (for basic setups)

· authn_passthru -- ask Apache to handle it (used for kerberos)

· authn_ldap -- authenticate against LDAP

· authn_spacewalk -- ask Spacewalk/Satellite (experimental)

· authn_pam -- use PAM facilities

· authn_testing -- username/password is always testing/testing
(debug)

· (user supplied) -- you may write your own module

WARNING: this is a security setting, do not choose an option blindly.

For more information:

· https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface

· https://github.com/cobbler/cobbler/wiki/Security-overview

· https://github.com/cobbler/cobbler/wiki/Kerberos

· https://github.com/cobbler/cobbler/wiki/Ldap

default: authn_configfile

authorization
Once a user has been cleared by the WebUI/XMLRPC, what can they do?

Choices:

· authz_allowall -- full access for all authenticated users (default)

· authz_ownership -- use users.conf, but add object ownership semantics

· (user supplied) -- you may write your own module

WARNING: this is a security setting, do not choose an option blindly.
If you want to further restrict cobbler with ACLs for various groups,
pick authz_ownership. authz_allowall does not support ACLs. configfile
does but does not support object ownership which is useful as an
additional layer of control.

For more information:

· https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface

· https://github.com/cobbler/cobbler/wiki/Security-overview

· https://github.com/cobbler/cobbler/wiki/Web-authorization

default: authz_allowall

dns
Chooses the DNS management engine if manage_dns is enabled in
/etc/cobbler/settings, which is off by default.

Choices:

· manage_bind -- default, uses BIND/named

· manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dhcp
below

· manage_ndjbdns -- uses ndjbdns

NOTE: More configuration is still required in /etc/cobbler

For more information:
https://github.com/cobbler/cobbler/wiki/Dns-management

default: manage_bind

dhcp
Chooses the DHCP management engine if manage_dhcp is enabled in
/etc/cobbler/settings, which is off by default.

Choices:

· manage_isc -- default, uses ISC dhcpd

· manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dns
above

NOTE: More configuration is still required in /etc/cobbler

For more information:
https://github.com/cobbler/cobbler/wiki/Dhcp-management

default: manage_isc

tftpd
Chooses the TFTP management engine if manage_tftp is enabled in
/etc/cobbler/settings, which is ON by default.

Choices:

· manage_in_tftpd -- default, uses the system's tftp server

· manage_tftpd_py -- uses cobbler's tftp server

default: manage_in_tftpd

Enno Gotthold

2020, Jörgen Maas

3.0 Feb 21, 2020 COBBLER.CONF(5)