COBBLER.CONF(5)                    Cobbler                    COBBLER.CONF(5)

cobbler.conf - Cobbler Configuration File Documentation

There are two main settings files: settings and modules.conf. Both
files can be found under /etc/cobbler/ and both are written in YAML.

allow_duplicate_hostnames
If 1, Cobbler will allow insertions of system records that duplicate
the --dns-name information of other system records. In general, this
is undesirable and should be left 0.

default: 0

allow_duplicate_ips
If 1, Cobbler will allow insertions of system records that duplicate
the IP address information of other system records. In general, this
is undesirable and should be left 0.

default: 0

allow_duplicate_macs
If 1, Cobbler will allow insertions of system records that duplicate
the MAC address information of other system records. In general, this
is undesirable.

default: 0

allow_dynamic_settings
If 1, Cobbler will allow settings to be changed dynamically without a
restart of the cobblerd daemon. You can only change this variable by
manually editing the settings file, and you MUST restart cobblerd after
changing it.

default: 0

anamon_enabled
By default, installs are not set to send installation logs to the
Cobbler server. With anamon_enabled, automatic installation templates
may use the pre_anamon snippet to allow remote live monitoring of their
installations from the Cobbler server. Installation logs will be stored
under /var/log/cobbler/anamon/.

Note: This does allow an XML-RPC call to send logs to this directory,
without authentication, so enable only if you are ok with this
limitation.

default: 0

authn_pam_service
If using authn_pam in the modules.conf, this can be configured to
change the PAM service that authentication will be tested against.

default: "login"

auth_token_expiration
How long the authentication token is valid for, in seconds.

default: 3600

autoinstall_snippets_dir
This is a directory of files that Cobbler uses to make templating
easier. See the Wiki for more information. Changing this directory
should not be required.

default: /var/lib/cobbler/snippets

autoinstall_templates_dir
This is a directory of files that Cobbler uses to make templating
easier. See the Wiki for more information. Changing this directory
should not be required.

default: /var/lib/cobbler/templates

boot_loader_conf_template_dir
Location of templates used for boot loader config generation.

default: "/etc/cobbler/boot_loader_conf"

build_reporting_*
Email out a report when Cobbler finishes installing a system.

· enabled: set to 1 to turn this feature on

· sender: optional

· email: which addresses to email

· smtp_server: used to specify another server for an MTA

· subject: use the default subject unless overridden

defaults:

build_reporting_enabled: 0
build_reporting_sender: ""
build_reporting_email: [ 'root@localhost' ]
build_reporting_smtp_server: "localhost"
build_reporting_subject: ""
build_reporting_ignorelist: [ "" ]

cache_enabled
If cache_enabled is 1, a cache will keep converted records in memory to
make checking them faster. This helps with use cases like writing out
large numbers of records. There is a known issue with cache and remote
XML-RPC API calls. If you will use Cobbler with config management or
infrastructure-as-code tools such as Terraform, it is recommended to
disable the cache by setting this to 0.

default: 1

cheetah_import_whitelist
Cheetah-language autoinstall templates can import Python modules. While
this is a useful feature, it is not safe to allow them to import
anything they want. This whitelists which modules can be imported
through Cheetah. Users can expand this as needed but should never allow
modules such as subprocess or those that allow access to the
filesystem, as Cheetah templates are evaluated by cobblerd as code.

default:

· "random"

· "re"

· "time"

· "netaddr"

createrepo_flags
Default createrepo_flags to use for new repositories. If you have
createrepo >= 0.4.10, consider -c cache --update -C, which can
dramatically improve your cobbler reposync time. -s sha enables working
with Fedora repos from F11/F12 from EL-4 or EL-5 without python-hashlib
installed (which is not available on EL-4).

default: "-c cache -s sha"

default_autoinstall
If no autoinstall template is specified to profile add, use this
template.

default: /var/lib/cobbler/autoinstall_templates/default.ks

default_name_*
Configure all installed systems to use these name servers by default
unless defined differently in the profile. For DHCP configurations you
probably do /not/ want to supply this.

defaults:

default_name_servers: []
default_name_servers_search: []

default_ownership
If using the authz_ownership module (see the Wiki), objects created
without specifying an owner are assigned to this owner and/or group.
Can be a comma separated list.

default:

· "admin"

default_password_crypted
Cobbler has various sample automatic installation templates stored in
/var/lib/cobbler/autoinstall_templates/. This controls what install
(root) password is set up for those systems that reference this
variable. The factory default is "cobbler" and cobbler check will warn
if this is not changed. The simplest way to change the password is to
run openssl passwd -1 and put the output between the "".

default: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."

default_template_type
The default template type to use in the absence of any other detected
template. If you do not specify the template with
#template=<template_type> on the first line of your templates/snippets,
Cobbler will try to use the following template engine to parse the
templates.

Current valid values are: cheetah, jinja2

default: "cheetah"

default_virt_bridge
For libvirt based installs in Koan, if no virt-bridge is specified,
which bridge do we try? For EL 4/5 hosts this should be xenbr0, for all
versions of Fedora, try virbr0. This can be overridden on a per-profile
basis or at the Koan command line, though it saves typing to just set
it here to the most common option.

default: xenbr0

default_virt_file_size
Use this as the default disk size for virt guests (GB).

default: 5

default_virt_ram
Use this as the default memory size for virt guests (MB).

default: 512

default_virt_type
If Koan is invoked without --virt-type and no virt-type is set on the
profile/system, what virtualization type should be assumed?

Current valid values are: xenpv, xenfv, qemu, vmware

NOTE: this does not change what virt_type is chosen by import.

default: xenpv

enable_gpxe
Enable gPXE booting? Enabling this option will cause Cobbler to copy
the undionly.kpxe file to the TFTP root directory, and if a
profile/system is configured to boot via gPXE it will chain load off
pxelinux.0.

default: 0

enable_menu
Controls whether Cobbler will add each new profile entry to the default
PXE boot menu. This can be overridden on a per-profile basis when
adding/editing profiles with --enable-menu=0/1. Users should ordinarily
leave this setting enabled unless they are concerned with accidental
reinstalls from users who select an entry at the PXE boot menu. Adding
a password to the boot menu templates may also be a good solution to
prevent unwanted reinstallations.

default: 1

http_port
Change this port if Apache is not running plain text on port 80. Most
people can leave this alone.

default: 80

kernel_options
Kernel options that should be present in every Cobbler installation.
Kernel options can also be applied at the distro/profile/system level.

default: {}

ldap_*
Configuration options if using the authn_ldap module. See the Wiki for
details. This can be ignored if you are not using LDAP for
WebUI/XML-RPC authentication.

defaults:

ldap_server: "ldap.example.com"
ldap_base_dn: "DC=example,DC=com"
ldap_port: 389
ldap_tls: 1
ldap_anonymous_bind: 1
ldap_search_bind_dn: ''
ldap_search_passwd: ''
ldap_search_prefix: 'uid='
ldap_tls_cacertfile: ''
ldap_tls_keyfile: ''
ldap_tls_certfile: ''

mgmt_*
Cobbler has a feature that allows for integration with config
management systems such as Puppet. The following parameters work in
conjunction with --mgmt-classes and are described in further detail at
configuration-management.

mgmt_classes: []
mgmt_parameters:
    from_cobbler: 1

puppet_auto_setup
If enabled, this setting ensures that puppet is installed during
machine provision, a client certificate is generated and a certificate
signing request is made with the puppet master server.

default: 0

sign_puppet_certs_automatically
When puppet starts on a system after installation it needs to have its
certificate signed by the puppet master server. Enabling the following
feature will ensure that the puppet server signs the certificate after
installation if the puppet master server is running on the same machine
as Cobbler. This requires puppet_auto_setup above to be enabled.

default: 0

puppetca_path
Location of the puppet executable, used for revoking certificates.

default: "/usr/bin/puppet"

remove_old_puppet_certs_automatically
When a puppet managed machine is reinstalled it is necessary to remove
the puppet certificate from the puppet master server before a new
certificate is signed (see above). Enabling the following feature will
ensure that the certificate for the machine to be installed is removed
from the puppet master server if the puppet master server is running on
the same machine as Cobbler. This requires puppet_auto_setup above to
be enabled.

default: 0

puppet_server
Choose a --server argument when running puppetd/puppet agent during
autoinstall. This one is commented out by default.

default: 'puppet'

puppet_version
Let Cobbler know that you're using a newer version of puppet. Choose
version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'.
This one is commented out by default.

default: 2

puppet_parameterized_classes
Choose whether to enable puppet parameterized classes or not. Puppet
versions prior to 2.6.5 do not support parameters. This one is
commented out by default.

default: 1

manage_dhcp
Set to 1 to enable Cobbler's DHCP management features. The choice of
DHCP management engine is in /etc/cobbler/modules.conf.

default: 0

manage_dns
Set to 1 to enable Cobbler's DNS management features. The choice of DNS
management engine is in /etc/cobbler/modules.conf.

default: 0

bind_chroot_path
Set to path of bind chroot to create bind-chroot compatible bind
configuration files. This should be automatically detected.

default: ""

bind_master
Set to the IP address of the master bind DNS server for creating
secondary bind configuration files.

default: 127.0.0.1

manage_tftpd
Set to 1 to enable Cobbler's TFTP management features. The choice of
TFTP management engine is in /etc/cobbler/modules.conf.

default: 1

tftpboot_location
This variable contains the location of the tftpboot directory. If this
directory is not present Cobbler does not start.

default: /srv/tftpboot

manage_rsync
Set to 1 to enable Cobbler's RSYNC management features.

default: 0

manage_*
If using BIND (named) for DNS management in /etc/cobbler/modules.conf
and manage_dns is enabled (above), this lists which zones are managed.
See dns-management for more information.

defaults:

manage_forward_zones: []
manage_reverse_zones: []

next_server
If using Cobbler with manage_dhcp, put the IP address of the Cobbler
server here so that PXE booting guests can find it. If you do not set
this correctly, this will be manifested in TFTP open timeouts.

default: 127.0.0.1

power_management_default_type
Settings for power management features. These settings are optional.
See power-management to learn more.

Choices (refer to codes.py):

· apc_snmp

· bladecenter

· bullpap

· drac

· ether_wake

· ilo

· integrity

· ipmilan

· ipmitool

· lpar

· rsa

· virsh

· wti

default: ipmitool

pxe_just_once
If this setting is set to 1, Cobbler systems that PXE boot will request
at the end of their installation to toggle the --netboot-enabled record
in the Cobbler system record. This eliminates the potential for a PXE
boot loop if the system is set to PXE first in its BIOS order. Enable
this if PXE is first in your BIOS boot order, otherwise leave this
disabled. See the manpage for --netboot-enabled.

default: 1

nopxe_with_triggers
If this setting is set to one, triggers will be executed when systems
request to toggle the --netboot-enabled record at the end of their
installation.

default: 1

redhat_management_server
This setting is only used by the code that supports using
Spacewalk/Satellite authentication within Cobbler Web and Cobbler
XML-RPC.

default: "xmlrpc.rhn.redhat.com"

redhat_management_permissive
If using authn_spacewalk in modules.conf to let Cobbler authenticate
against Satellite/Spacewalk's auth system, by default it will not allow
per user access into Cobbler Web and Cobbler XML-RPC. In order to
permit this, the following setting must be enabled. HOWEVER, doing so
will permit all Spacewalk/Satellite users of certain types to edit all
of Cobbler's configuration. These roles are: config_admin and
org_admin. Users should turn this on only if they want this behavior
and do not have a cross-multi-org separation concern. If you have a
single org in your satellite, it's probably safe to turn this on and
then you can use CobblerWeb alongside a Satellite install.

default: 0

redhat_management_key
Specify the default Red Hat authorization key to use to register the
system. If left blank, no registration will be attempted. Similarly you
can set the --redhat-management-key to blank on any system to keep it
from trying to register.

default: ""

register_new_installs
If set to 1, allows /usr/bin/cobbler-register (part of the Koan
package) to be used to remotely add new Cobbler system records to
Cobbler. This effectively allows for registration of new hardware from
system records.

default: 0

reposync_flags
Flags to use for yum's reposync. If your version of yum reposync does
not support -l, you may need to remove that option.

default: "-l -n -d"

reposync_rsync_flags
Flags to use for rsync's reposync. If archive mode (-a,--archive) is
used then createrepo is not run after the rsync as it pulls down the
repodata as well. This allows older OSes to mirror modular repos using
rsync.

default: "-rltDv --copy-unsafe-links"

restart_*
When DHCP and DNS management are enabled, cobbler sync can
automatically restart those services to apply changes. The exception
for this is if using ISC for DHCP, then OMAPI eliminates the need for a
restart. OMAPI, however, is experimental and not recommended for most
configurations. If DHCP and DNS are going to be managed, but hosted on
a box that is not on this server, disable restarts here and write some
other script to ensure that the config files get copied/rsynced to the
destination box. This can be done by modifying the restart services
trigger. Note that if manage_dhcp and manage_dns are disabled, the
respective parameter will have no effect. Most users should not need to
change this.

defaults:

restart_dns: 1
restart_dhcp: 1

run_install_triggers
Install triggers are scripts in /var/lib/cobbler/triggers/install that
are triggered in autoinstall pre and post sections. Any executable
script in those directories is run. They can be used to send email or
perform other actions. They are currently run as root, so if you do not
need this functionality you can disable it, though this will also
disable cobbler status, which uses a logging trigger to audit install
progress.

default: 1

scm_track_*
Enables a trigger which version controls all changes to
/var/lib/cobbler when add, edit, or sync events are performed. This can
be used to revert to previous database versions, generate RSS feeds, or
for other auditing or backup purposes. Git and Mercurial are currently
supported, but Git is the recommended SCM for use with this feature.

default:

scm_track_enabled: 0
scm_track_mode: "git"
scm_track_author: "cobbler <cobbler@localhost>"
scm_push_script: "/bin/true"

server
This is the address of the Cobbler server -- as it is used by systems
during the install process, it must be the address or hostname of the
system as those systems can see the server. If you have a server that
appears differently to different subnets (dual homed, etc), you need to
read the --server-override section of the manpage for how that works.

default: 127.0.0.1

client_use_localhost
If set to 1, all commands will be forced to use the localhost address
instead of the above value, which can force commands like cobbler sync
to open a connection to a remote address if one is in the
configuration, and would then traceback.

default: 0

client_use_https
If set to 1, all commands to the API (not directly to the XML-RPC
server) will go over HTTPS instead of plain text. Be sure to change the
http_port setting to the correct value for the web server.

default: 0

virt_auto_boot
Should new profiles for virtual machines default to auto booting with
the physical host when the physical host reboots? This can be
overridden on each profile or system object.

default: 1

webdir
Cobbler's web directory. Don't change this setting -- see the Wiki on
"relocating your Cobbler install" if your /var partition is not large
enough.

default: @@webroot@@/cobbler

webdir_whitelist
Directories that will not get wiped and recreated on a cobbler sync.

default:

webdir_whitelist:
  - misc
  - web
  - webui
  - localmirror
  - repo_mirror
  - distro_mirror
  - images
  - links
  - pub
  - repo_profile
  - repo_system
  - svc
  - rendered
  - .link_cache

xmlrpc_port
Cobbler's public XML-RPC listens on this port. Change this only if
absolutely needed, as you'll have to start supplying a new port option
to Koan if it is not the default.

default: 25151

yum_post_install_mirror
cobbler repo add commands set Cobbler up with repository information
that can be used during autoinstall and is automatically set up in the
Cobbler autoinstall templates. By default, these are only available at
install time. To make these repositories usable on installed systems
(since Cobbler makes a very convenient mirror) set this to 1. Most
users can safely set this to 1. Users who have a dual homed Cobbler
server, or are installing laptops that will not always have access to
the Cobbler server may wish to leave this as 0. In that case, the
Cobbler mirrored yum repos are still accessible at
http://cobbler.example.org/cblr/repo_mirror and yum configuration can
still be done manually. This is just a shortcut.

default: 1

yum_distro_priority
The default yum priority for all the distros. This is only used if
yum-priorities plugin is used. 1 is the maximum value. Tweak with
caution.

default: 1

yumdownloader_flags
Flags to use for yumdownloader. Not all versions may support --resolve.

default: "--resolve"

serializer_pretty_json
Sort and indent JSON output to make it more human-readable.

default: 0

replicate_rsync_options
Replication rsync options for distros, autoinstalls, and snippets, set
to override the default value of -avzH.

default: "-avzH"

replicate_repo_rsync_options
Replication rsync options for repos, set to override the default value
of -avzH.

default: "-avzH"

always_write_dhcp_entries
Always write DHCP entries, regardless of whether netboot is enabled.

default: 0

proxy_url_ext
External proxy - used by: get-loaders, reposync, signature update.
Commented out by default.

defaults:

http: http://192.168.1.1:8080
https: https://192.168.1.1:8443

proxy_url_int
Internal proxy - used by systems to reach Cobbler for kickstarts.

E.g.: proxy_url_int: http://10.0.0.1:8080

default: ""

jinja2_includedir
This is a directory of files that Cobbler uses to include files into
Jinja2 templates. This setting is commented out by default.

default: /var/lib/cobbler/jinja2

include
Include other configuration snippets with this regular expression.

default: [ "/etc/cobbler/settings.d/*.settings" ]

If you have your own custom modules, which are not shipped with Cobbler
directly, you may have additional sections here.

authentication
What users can log into the WebUI and Read-Write XML-RPC?

Choices:

· authn_denyall -- no one (default)

· authn_configfile -- use /etc/cobbler/users.digest (for basic setups)

· authn_passthru -- ask Apache to handle it (used for kerberos)

· authn_ldap -- authenticate against LDAP

· authn_spacewalk -- ask Spacewalk/Satellite (experimental)

· authn_pam -- use PAM facilities

· authn_testing -- username/password is always testing/testing (debug)

· (user supplied) -- you may write your own module

WARNING: this is a security setting, do not choose an option blindly.

For more information:

· web-interface

· https://cobbler.readthedocs.io/en/release28/5_web-interface/security_overview.html

· https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html#defer-to-apache-kerberos

· https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html#ldap

default: authn_configfile

authorization
Once a user has been cleared by the WebUI/XML-RPC, what can they do?

Choices:

· authz_allowall -- full access for all authenticated users (default)

· authz_ownership -- use users.conf, but add object ownership semantics

· (user supplied) -- you may write your own module

WARNING: this is a security setting, do not choose an option blindly.
If you want to further restrict Cobbler with ACLs for various groups,
pick authz_ownership. authz_allowall does not support ACLs. The
configuration file does, but it does not support object ownership,
which is useful as an additional layer of control.

For more information:

· web-interface

· https://cobbler.readthedocs.io/en/release28/5_web-interface/security_overview.html

· https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html

default: authz_allowall
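
An added example, not part of the man page or of Cobbler's own code: a small audit that checks already-parsed settings and modules.conf values against the cautions this page gives for the settings above and for the authentication and authorization modules. The dict inputs, the severity labels, the entries of UNSAFE_IMPORTS other than subprocess, and the MD5-crypt note are assumptions of this example.

```python
FACTORY_PASSWORD_HASH = "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."  # from the man page

# Documented defaults for the keys checked below (values from the man page).
DEFAULTS = {
    "anamon_enabled": 0,
    "cheetah_import_whitelist": ["random", "re", "time", "netaddr"],
    "default_password_crypted": FACTORY_PASSWORD_HASH,
    "ldap_tls": 1,
    "redhat_management_permissive": 0,
    "register_new_installs": 0,
}
MODULE_DEFAULTS = {"authentication": "authn_configfile",
                   "authorization": "authz_allowall"}

# "subprocess" is named by the man page; the other entries are this example's
# assumption about which standard-library modules reach the filesystem.
UNSAFE_IMPORTS = {"subprocess", "os", "shutil", "pathlib", "glob", "tempfile"}


def enabled(value):
    """Cobbler writes flags as 0/1; also accept YAML booleans and strings."""
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def audit(settings, modules):
    """Return (severity, key, reason) tuples for risky effective values.

    `settings` is the parsed settings file as a dict; `modules` maps a
    modules.conf section name to the module chosen there. Keys that are
    absent fall back to the documented defaults.
    """
    cfg = {**DEFAULTS, **settings}
    mods = {**MODULE_DEFAULTS, **modules}
    found = []

    password = str(cfg["default_password_crypted"])
    if password == FACTORY_PASSWORD_HASH:
        found.append(("high", "default_password_crypted",
                      'factory default hash (password "cobbler") still set'))
    elif password.startswith("$1$"):
        found.append(("review", "default_password_crypted",
                      "MD5-crypt ($1$) hash: dated scheme, cheap to brute-force"))

    for name in cfg["cheetah_import_whitelist"] or []:
        if str(name).split(".")[0] in UNSAFE_IMPORTS:
            found.append(("high", "cheetah_import_whitelist",
                          f"templates may import {name}"))

    if enabled(cfg["anamon_enabled"]):
        found.append(("review", "anamon_enabled",
                      "unauthenticated XML-RPC log upload is open"))
    if enabled(cfg["register_new_installs"]):
        found.append(("review", "register_new_installs",
                      "cobbler-register may add system records remotely"))
    if enabled(cfg["redhat_management_permissive"]):
        found.append(("review", "redhat_management_permissive",
                      "config_admin/org_admin users can edit all of Cobbler"))

    authn = mods["authentication"]
    if authn == "authn_testing":
        found.append(("high", "authentication",
                      "debug module, credentials are always testing/testing"))
    if authn == "authn_ldap" and not enabled(cfg["ldap_tls"]):
        found.append(("high", "ldap_tls", "authn_ldap in use with ldap_tls off"))
    if authn != "authn_denyall" and mods["authorization"] == "authz_allowall":
        found.append(("review", "authorization",
                      "every authenticated user has full access"))
    return found


# Constructed sample input, not taken from a real server.
SAMPLE_SETTINGS = {"anamon_enabled": 1, "ldap_tls": 0,
                   "cheetah_import_whitelist": ["random", "re", "os.path"]}
SAMPLE_MODULES = {"authentication": "authn_ldap"}

if __name__ == "__main__":
    for severity, key, reason in audit(SAMPLE_SETTINGS, SAMPLE_MODULES):
        print(f"{severity:6} {key}: {reason}")
```

Feed it the dict returned by a YAML loader for /etc/cobbler/settings and the section-to-module mapping read from modules.conf; an empty result means none of the conditions checked here apply.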

dns
Chooses the DNS management engine if manage_dns is enabled in
/etc/cobbler/settings, which is off by default.

Choices:

· manage_bind -- default, uses BIND/named

· manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for DHCP below

· manage_ndjbdns -- uses ndjbdns

NOTE: More configuration is still required in /etc/cobbler

For more information see dns-management.

default: manage_bind

dhcp
Chooses the DHCP management engine if manage_dhcp is enabled in
/etc/cobbler/settings, which is off by default.

Choices:

· manage_isc -- default, uses ISC dhcpd

· manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for DNS above

NOTE: More configuration is still required in /etc/cobbler

For more information see dhcp-management.

default: manage_isc

tftpd
Chooses the TFTP management engine if manage_tftpd is enabled in
/etc/cobbler/settings, which is ON by default.

Choices:

· manage_in_tftpd -- default, uses the system's TFTP server

· manage_tftpd_py -- uses Cobbler's TFTP server

default: manage_in_tftpd

Enno Gotthold

2020, Enno Gotthold

3.2                    Oct 25, 2020                    COBBLER.CONF(5)