1COBBLER.CONF(5) Cobbler COBBLER.CONF(5)
2
6 cobbler.conf - Cobbler Configuration File Documentation
7 There are two main settings files: settings and modules.conf. Both
9 files can be found under /etc/cobbler/ and both are written in YAML.
10
12 allow_duplicate_hostnames
13 if 1, Cobbler will allow insertions of system records that duplicate
14 the --dns-name information of other system records. In general, this
15 is undesirable and should be left 0.
16 default: 0
18 allow_duplicate_ips
20 if 1, Cobbler will allow insertions of system records that duplicate
21 the IP address information of other system records. In general, this
22 is undesirable and should be left 0.
23 default: 0
25 allow_duplicate_macs
27 If 1, Cobbler will allow insertions of system records that duplicate
28 the mac address information of other system records. In general, this
29 is undesirable.
30 default: 0
32 allow_dynamic_settings
34 If 1, Cobbler will allow settings to be changed dynamically without a
35 restart of the cobblerd daemon. You can only change this variable by
36 manually editing the settings file, and you MUST restart cobblerd after
37 changing it.
38 default: 0
40 anamon_enabled
42 By default, installs are not set to send installation logs to the Cob‐
43 bler server. With anamon_enabled, automatic installation templates may
44 use the pre_anamon snippet to allow remote live monitoring of their
45 installations from the Cobbler server. Installation logs will be stored
46 under /var/log/cobbler/anamon/.
47 Note: This does allow an XML-RPC call to send logs to this directory,
49 without authentication, so enable only if you are ok with this limita‐
50 tion.
51 default: 0
53 authn_pam_service
55 If using authn_pam in the modules.conf, this can be configured to
56 change the PAM service authentication will be tested against.
57 default: "login"
59 auth_token_expiration
61 How long the authentication token is valid for, in seconds.
62 default: 3600
64 autoinstall_snippets_dir
66 This is a directory of files that Cobbler uses to make templating eas‐
67 ier. See the Wiki for more information. Changing this directory should
68 not be required.
69 default: /var/lib/cobbler/snippets
71 autoinstall_templates_dir
73 This is a directory of files that Cobbler uses to make templating eas‐
74 ier. See the Wiki for more information. Changing this directory should
75 not be required.
76 default: /var/lib/cobbler/templates
78 boot_loader_conf_template_dir
80 Location of templates used for boot loader config generation.
81 default: "/etc/cobbler/boot_loader_conf"
83 build_reporting_*
85 Email out a report when Cobbler finishes installing a system.
86 · enabled: set to 1 to turn this feature on
88 · sender: optional
90 · email: which addresses to email
92 · smtp_server: used to specify another server for an MTA
94 · subject: use the default subject unless overridden
96 defaults:
98 build_reporting_enabled: 0
100 build_reporting_sender: ""
101 build_reporting_email: [ 'root@localhost' ]
102 build_reporting_smtp_server: "localhost"
103 build_reporting_subject: ""
104 build_reporting_ignorelist: [ "" ]
105 cache_enabled
107 If cache_enabled is 1, a cache will keep converted records in memory to
108 make checking them faster. This helps with use cases like writing out
109 large numbers of records. There is a known issue with cache and remote
110 XML-RPC API calls. If you will use Cobbler with config management or
111 infrastructure-as-code tools such as Terraform, it is recommended to
112 disable by setting to 0.
113 default: 1
115 cheetah_import_whitelist
117 Cheetah-language autoinstall templates can import Python modules. while
118 this is a useful feature, it is not safe to allow them to import any‐
119 thing they want. This whitelists which modules can be imported through
120 Cheetah. Users can expand this as needed but should never allow modules
121 such as subprocess or those that allow access to the filesystem as
122 Cheetah templates are evaluated by cobblerd as code.
123 default:
125 · "random"
127 · "re"
129 · "time"
131 · "netaddr"
133 createrepo_flags
135 Default createrepo_flags to use for new repositories. If you have cre‐
136 aterepo >= 0.4.10, consider -c cache --update -C, which can dramati‐
137 cally improve your cobbler reposync time. -s sha enables working with
138 Fedora repos from F11/F12 from EL-4 or EL-5 without python-hashlib
139 installed (which is not available on EL-4)
140 default: "-c cache -s sha"
142 default_autoinstall
144 If no autoinstall template is specified to profile add, use this tem‐
145 plate.
146 default: /var/lib/cobbler/autoinstall_templates/default.ks
148 default_name_*
150 Configure all installed systems to use these name servers by default
151 unless defined differently in the profile. For DHCP configurations you
152 probably do /not/ want to supply this.
153 defaults:
155 default_name_servers: []
157 default_name_servers_search: []
158 default_ownership
160 if using the authz_ownership module (see the Wiki), objects created
161 without specifying an owner are assigned to this owner and/or group.
162 Can be a comma separated list.
163 default:
165 · "admin"
167 default_password_crypted
169 Cobbler has various sample automatic installation templates stored in
170 /var/lib/cobbler/autoinstall_templates/. This controls what install
171 (root) password is set up for those systems that reference this vari‐
172 able. The factory default is "cobbler" and Cobbler check will warn if
173 this is not changed. The simplest way to change the password is to run
174 openssl passwd -1 and put the output between the "".
175 default: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."
177 default_template_type
179 The default template type to use in the absence of any other detected
180 template. If you do not specify the template with #template=<tem‐
181 plate_type> on the first line of your templates/snippets, Cobbler will
182 assume try to use the following template engine to parse the templates.
183 Current valid values are: cheetah, jinja2
185 default: "cheetah"
187 default_virt_bridge
189 For libvirt based installs in Koan, if no virt-bridge is specified,
190 which bridge do we try? For EL 4/5 hosts this should be xenbr0, for all
191 versions of Fedora, try virbr0. This can be overridden on a per-profile
192 basis or at the Koan command line though this saves typing to just set
193 it here to the most common option.
194 default: xenbr0
196 default_virt_file_size
198 Use this as the default disk size for virt guests (GB).
199 default: 5
201 default_virt_ram
203 Use this as the default memory size for virt guests (MB).
204 default: 512
206 default_virt_type
208 If Koan is invoked without --virt-type and no virt-type is set on the
209 profile/system, what virtualization type should be assumed?
210 Current valid values are: xenpv, xenfv, qemu, vmware
212 NOTE: this does not change what virt_type is chosen by import.
214 default: xenpv
216 enable_gpxe
218 Enable gPXE booting? Enabling this option will cause Cobbler to copy
219 the undionly.kpxe file to the TFTP root directory, and if a pro‐
220 file/system is configured to boot via gPXE it will chain load off
221 pxelinux.0.
222 default: 0
224 enable_menu
226 Controls whether Cobbler will add each new profile entry to the default
227 PXE boot menu. This can be over-ridden on a per-profile basis when
228 adding/editing profiles with --enable-menu=0/1. Users should ordinarily
229 leave this setting enabled unless they are concerned with accidental
230 reinstalls from users who select an entry at the PXE boot menu. Adding
231 a password to the boot menus templates may also be a good solution to
232 prevent unwanted reinstallations.
233 default: 1
235 http_port
237 Change this port if Apache is not running plain text on port 80. Most
238 people can leave this alone.
239 default: 80
241 kernel_options
243 Kernel options that should be present in every Cobbler installation.
244 Kernel options can also be applied at the distro/profile/system level.
245 default: {}
247 ldap_*
249 Configuration options if using the authn_ldap module. See the Wiki for
250 details. This can be ignored if you are not using LDAP for
251 WebUI/XML-RPC authentication.
252 defaults:
254 ldap_server: "ldap.example.com"
256 ldap_base_dn: "DC=example,DC=com"
257 ldap_port: 389
258 ldap_tls: 1
259 ldap_anonymous_bind: 1
260 ldap_search_bind_dn: ''
261 ldap_search_passwd: ''
262 ldap_search_prefix: 'uid='
263 ldap_tls_cacertfile: ''
264 ldap_tls_keyfile: ''
265 ldap_tls_certfile: ''
266 mgmt_*
268 Cobbler has a feature that allows for integration with config manage‐
269 ment systems such as Puppet. The following parameters work in conjunc‐
270 tion with --mgmt-classes and are described in further detail at config‐
271 uration-management.
272 mgmt_classes: []
274 mgmt_parameters:
275 from_cobbler: 1
276 puppet_auto_setup
278 If enabled, this setting ensures that puppet is installed during
279 machine provision, a client certificate is generated and a certificate
280 signing request is made with the puppet master server.
281 default: 0
283 sign_puppet_certs_automatically
285 When puppet starts on a system after installation it needs to have its
286 certificate signed by the puppet master server. Enabling the following
287 feature will ensure that the puppet server signs the certificate after
288 installation if the puppet master server is running on the same machine
289 as Cobbler. This requires puppet_auto_setup above to be enabled.
290 default: 0
292 puppetca_path
294 Location of the puppet executable, used for revoking certificates.
295 default: "/usr/bin/puppet"
297 remove_old_puppet_certs_automatically
299 When a puppet managed machine is reinstalled it is necessary to remove
300 the puppet certificate from the puppet master server before a new cer‐
301 tificate is signed (see above). Enabling the following feature will
302 ensure that the certificate for the machine to be installed is removed
303 from the puppet master server if the puppet master server is running on
304 the same machine as Cobbler. This requires puppet_auto_setup above to
305 be enabled
306 default: 0
308 puppet_server
310 Choose a --server argument when running puppetd/puppet agent during
311 autoinstall. This one is commented out by default.
312 default: 'puppet'
314 puppet_version
316 Let Cobbler know that you're using a newer version of puppet. Choose
317 version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'.
318 This one is commented out by default.
319 default: 2
321 puppet_parameterized_classes
323 Choose whether to enable puppet parameterized classes or not. Puppet
324 versions prior to 2.6.5 do not support parameters. This one is com‐
325 mented out by default.
326 default: 1
328 manage_dhcp
330 Set to 1 to enable Cobbler's DHCP management features. The choice of
331 DHCP management engine is in /etc/cobbler/modules.conf.
332 default: 0
334 manage_dns
336 Set to 1 to enable Cobbler's DNS management features. The choice of DNS
337 management engine is in /etc/cobbler/modules.conf.
338 default: 0
340 bind_chroot_path
342 Set to path of bind chroot to create bind-chroot compatible bind con‐
343 figuration files. This should be automatically detected.
344 default: ""
346 bind_master
348 Set to the ip address of the master bind DNS server for creating sec‐
349 ondary bind configuration files.
350 default: 127.0.0.1
352 manage_tftpd
354 Set to 1 to enable Cobbler's TFTP management features. the choice of
355 TFTP management engine is in /etc/cobbler/modules.conf.
356 default: 1
358 tftpboot_location
360 This variable contains the location of the tftpboot directory. If this
361 directory is not present Cobbler does not start.
362 Default: /srv/tftpboot
364 manage_rsync
366 Set to 1 to enable Cobbler's RSYNC management features.
367 default: 0
369 manage_*
371 If using BIND (named) for DNS management in /etc/cobbler/modules.conf
372 and manage_dns is enabled (above), this lists which zones are managed.
373 See dns-management for more information.
374 defaults:
376 manage_forward_zones: []
378 manage_reverse_zones: []
379 next_server
381 If using Cobbler with manage_dhcp, put the IP address of the Cobbler
382 server here so that PXE booting guests can find it. If you do not set
383 this correctly, this will be manifested in TFTP open timeouts.
384 default: 127.0.0.1
386 power_management_default_type
388 Settings for power management features. These settings are optional.
389 See power-management to learn more.
390 Choices (refer to codes.py):
392 · apc_snmp
394 · bladecenter
396 · bullpap
398 · drac
400 · ether_wake
402 · ilo
404 · integrity
406 · ipmilan
408 · ipmitool
410 · lpar
412 · rsa
414 · virsh
416 · wti
418 default: ipmitool
420 pxe_just_once
422 If this setting is set to 1, Cobbler systems that pxe boot will request
423 at the end of their installation to toggle the --netboot-enabled record
424 in the Cobbler system record. This eliminates the potential for a PXE
425 boot loop if the system is set to PXE first in it's BIOS order. Enable
426 this if PXE is first in your BIOS boot order, otherwise leave this dis‐
427 abled. See the manpage for --netboot-enabled.
428 default: 1
430 nopxe_with_triggers
432 If this setting is set to one, triggers will be executed when systems
433 will request to toggle the --netboot-enabled record at the end of their
434 installation.
435 default: 1
437 redhat_management_server
439 This setting is only used by the code that supports using Space‐
440 walk/Satellite authentication within Cobbler Web and Cobbler XML-RPC.
441 default: "xmlrpc.rhn.redhat.com"
443 redhat_management_permissive
445 If using authn_spacewalk in modules.conf to let Cobbler authenticate
446 against Satellite/Spacewalk's auth system, by default it will not allow
447 per user access into Cobbler Web and Cobbler XML-RPC. In order to per‐
448 mit this, the following setting must be enabled HOWEVER doing so will
449 permit all Spacewalk/Satellite users of certain types to edit all of
450 Cobbler's configuration. these roles are: config_admin and org_admin.
451 Users should turn this on only if they want this behavior and do not
452 have a cross-multi-org separation concern. If you have a single org in
453 your satellite, it's probably safe to turn this on and then you can use
454 CobblerWeb alongside a Satellite install.
455 default: 0
457 redhat_management_key
459 Specify the default Red Hat authorization key to use to register sys‐
460 tem. If left blank, no registration will be attempted. Similarly you
461 can set the --redhat-management-key to blank on any system to keep it
462 from trying to register.
463 default: ""
465 register_new_installs
467 If set to 1, allows /usr/bin/cobbler-register (part of the Koan pack‐
468 age) to be used to remotely add new Cobbler system records to Cobbler.
469 This effectively allows for registration of new hardware from system
470 records.
471 default: 0
473 reposync_flags
475 Flags to use for yum's reposync. If your version of yum reposync does
476 not support -l, you may need to remove that option.
477 default: "-l -n -d"
479 reposync_rsync_flags
481 Flags to use for rysync's reposync. If archive mode (-a,--archive) is
482 used then createrepo is not ran after the rsync as it pulls down the
483 repodata as well. This allows older OS's to mirror modular repos using
484 rsync.
485 default: "-rltDv --copy-unsafe-links"
487 restart_*
489 When DHCP and DNS management are enabled, cobbler sync can automati‐
490 cally restart those services to apply changes. The exception for this
491 is if using ISC for DHCP, then OMAPI eliminates the need for a restart.
492 omapi, however, is experimental and not recommended for most configura‐
493 tions. If DHCP and DNS are going to be managed, but hosted on a box
494 that is not on this server, disable restarts here and write some other
495 script to ensure that the config files get copied/rsynced to the desti‐
496 nation box. This can be done by modifying the restart services trigger.
497 Note that if manage_dhcp and manage_dns are disabled, the respective
498 parameter will have no effect. Most users should not need to change
499 this.
500 defaults:
502 restart_dns: 1
504 restart_dhcp: 1
505 run_install_triggers
507 Install triggers are scripts in /var/lib/cobbler/triggers/install that
508 are triggered in autoinstall pre and post sections. Any executable
509 script in those directories is run. They can be used to send email or
510 perform other actions. They are currently run as root so if you do not
511 need this functionality you can disable it, though this will also dis‐
512 able cobbler status which uses a logging trigger to audit install
513 progress.
514 default: 1
516 scm_track_*
518 enables a trigger which version controls all changes to /var/lib/cob‐
519 bler when add, edit, or sync events are performed. This can be used to
520 revert to previous database versions, generate RSS feeds, or for other
521 auditing or backup purposes. Git and Mercurial are currently supported,
522 but Git is the recommend SCM for use with this feature.
523 default:
525 scm_track_enabled: 0
527 scm_track_mode: "git"
528 scm_track_author: "cobbler <cobbler@localhost>"
529 scm_push_script: "/bin/true"
530 server
532 This is the address of the Cobbler server -- as it is used by systems
533 during the install process, it must be the address or hostname of the
534 system as those systems can see the server. if you have a server that
535 appears differently to different subnets (dual homed, etc), you need to
536 read the --server-override section of the manpage for how that works.
537 default: 127.0.0.1
539 client_use_localhost
541 If set to 1, all commands will be forced to use the localhost address
542 instead of using the above value which can force commands like Cobbler
543 sync to open a connection to a remote address if one is in the configu‐
544 ration and would traceback.
545 default: 0
547 client_use_https
549 If set to 1, all commands to the API (not directly to the XML-RPC
550 server) will go over HTTPS instead of plain text. Be sure to change the
551 http_port setting to the correct value for the web server.
552 default: 0
554 virt_auto_boot
556 Should new profiles for virtual machines default to auto booting with
557 the physical host when the physical host reboots? This can be overrid‐
558 den on each profile or system object.
559 default: 1
561 webdir
563 Cobbler's web directory. Don't change this setting -- see the Wiki on
564 "relocating your Cobbler install" if your /var partition is not large
565 enough.
566 default: @@webroot@@/cobbler
568 webdir_whitelist
570 Directories that will not get wiped and recreated on a cobbler sync.
571 default:
573 webdir_whitelist:
575 - misc
576 - web
577 - webui
578 - localmirror
579 - repo_mirror
580 - distro_mirror
581 - images
582 - links
583 - pub
584 - repo_profile
585 - repo_system
586 - svc
587 - rendered
588 - .link_cache
589 xmlrpc_port
591 Cobbler's public XML-RPC listens on this port. Change this only if
592 absolutely needed, as you'll have to start supplying a new port option
593 to Koan if it is not the default.
594 default: 25151
596 yum_post_install_mirror
598 cobbler repo add commands set Cobbler up with repository information
599 that can be used during autoinstall and is automatically set up in the
600 Cobbler autoinstall templates. By default, these are only available at
601 install time. To make these repositories usable on installed systems
602 (since Cobbler makes a very convenient mirror) set this to 1. Most
603 users can safely set this to 1. Users who have a dual homed Cobbler
604 server, or are installing laptops that will not always have access to
605 the Cobbler server may wish to leave this as 0. In that case, the Cob‐
606 bler mirrored yum repos are still accessible at http://cobbler.exam‐
607 ple.org/cblr/repo_mirror and yum configuration can still be done manu‐
608 ally. This is just a shortcut.
609 default: 1
611 yum_distro_priority
613 The default yum priority for all the distros. This is only used if
614 yum-priorities plugin is used. 1 is the maximum value. Tweak with cau‐
615 tion.
616 default: 1
618 yumdownloader_flags
620 Flags to use for yumdownloader. Not all versions may support --resolve.
621 default: "--resolve"
623 serializer_pretty_json
625 Sort and indent JSON output to make it more human-readable.
626 default: 0
628 replicate_rsync_options
630 replication rsync options for distros, autoinstalls, snippets set to
631 override default value of -avzH.
632 default: "-avzH"
634 replicate_repo_rsync_options
636 Replication rsync options for repos set to override default value of
637 -avzH.
638 default: "-avzH"
640 always_write_dhcp_entries
642 Always write DHCP entries, regardless if netboot is enabled.
643 default: 0
645 proxy_url_ext:
647 External proxy - used by: get-loaders, reposync, signature update. Per
648 default commented out.
649 defaults:
651 http: http://192.168.1.1:8080
653 https: https://192.168.1.1:8443
654 proxy_url_int
656 Internal proxy - used by systems to reach Cobbler for kickstarts.
657 E.g.: proxy_url_int: http://10.0.0.1:8080
659 default: ""
661 jinja2_includedir
663 This is a directory of files that Cobbler uses to include files into
664 Jinja2 templates. Per default this settings is commented out.
665 default: /var/lib/cobbler/jinja2
667 include
669 Include other configuration snippets with this regular expression.
670 default: [ "/etc/cobbler/settings.d/*.settings" ]
672
674 If you have own custom modules which are not shipped with Cobbler
675 directly you may have additional sections here.
676 authentication
678 What users can log into the WebUI and Read-Write XML-RPC?
679 Choices:
681 · authn_denyall -- no one (default)
683 · authn_configfile -- use /etc/cobbler/users.digest (for basic setups)
685 · authn_passthru -- ask Apache to handle it (used for kerberos)
687 · authn_ldap -- authenticate against LDAP
689 · authn_spacewalk -- ask Spacewalk/Satellite (experimental)
691 · authn_pam -- use PAM facilities
693 · authn_testing -- username/password is always testing/testing
695 (debug)
696 · (user supplied) -- you may write your own module
698 WARNING: this is a security setting, do not choose an option blindly.
700 For more information:
702 · web-interface
704 · https://cobbler.readthedocs.io/en/release28/5_web-interface/security_overview.html
706 · https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html#defer-to-apache-kerberos
708 · https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html#ldap
710 default: authn_configfile
712 authorization
714 Once a user has been cleared by the WebUI/XML-RPC, what can they do?
715 Choices:
717 · authz_allowall -- full access for all authenticated users (default)
719 · authz_ownership -- use users.conf, but add object ownership seman‐
721 tics
722 · (user supplied) -- you may write your own module
724 WARNING: this is a security setting, do not choose an option blindly.
726 If you want to further restrict Cobbler with ACLs for various groups,
727 pick authz_ownership. authz_allowall does not support ACLs. Configura‐
728 tion file does but does not support object ownership which is useful as
729 an additional layer of control.
730 For more information:
732 · web-interface
734 · https://cobbler.readthedocs.io/en/release28/5_web-interface/security_overview.html
736 · https://cobbler.readthedocs.io/en/release28/5_web-interface/web_authentication.html
738 default: authz_allowall
740 dns
742 Chooses the DNS management engine if manage_dns is enabled in /etc/cob‐
743 bler/settings, which is off by default.
744 Choices:
746 · manage_bind -- default, uses BIND/named
748 · manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for DHCP
750 below
751 · manage_ndjbdns -- uses ndjbdns
753 NOTE: More configuration is still required in /etc/cobbler
755 For more information see dns-management.
757 default: manage_bind
759 dhcp
761 Chooses the DHCP management engine if manage_dhcp is enabled in
762 /etc/cobbler/settings, which is off by default.
763 Choices:
765 · manage_isc -- default, uses ISC dhcpd
767 · manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for DNS
769 above
770 NOTE: More configuration is still required in /etc/cobbler
772 For more information see dhcp-management.
774 default: manage_isc
776 tftpd
778 Chooses the TFTP management engine if manage_tftp is enabled in
779 /etc/cobbler/settings, which is ON by default.
780 Choices:
782 · manage_in_tftpd -- default, uses the system's TFTP server
784 · manage_tftpd_py -- uses Cobbler's TFTP server
786 default: manage_in_tftpd
788
790 Enno Gotthold
791
793 2020, Enno Gotthold
7943.2 Oct 25, 2020 COBBLER.CONF(5)