Installation Guide - Red Hat Customer Portal

Red Hat Satellite 6.1
Installation Guide
Installing and Configuring Satellite
Edition 4
Red Hat Satellite Documentation Team
Legal Notice
Copyright © 2015 Red Hat.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version
of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If
the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees
not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable
law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora,
the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other
countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European
Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not
formally related to or endorsed by the official Joyent Node.js open source or
commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack
Foundation, in the United States and other countries and are used with the
OpenStack Foundation's permission. We are not affiliated with, endorsed or
sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
This document describes how to install Red Hat Satellite. It also steps through the
basic configuration requirements to get Satellite running in your environment.
Table of Contents
Chapter 1. Introduction to Red Hat Satellite
1.1. Red Hat Satellite 6 System Architecture
1.2. Red Hat Satellite 6 System Components
1.3. Red Hat Satellite 6 Supported Usage
1.4. Prerequisites
Chapter 2. Installing Red Hat Satellite Server
2.1. Obtaining the Required Packages
2.2. Running the Installation and Configuration Program
2.3. Optional Configuration Options
Chapter 3. Logging in to Red Hat Satellite
3.1. Organizations
3.2. Changing Your Account Preferences
3.3. Additional Resources
Chapter 4. Populating Red Hat Satellite with Content
4.1. Connected Satellite
4.2. Disconnected Satellite
Chapter 5. Configuring a Self-Registered Satellite
5.1. Registering a Satellite to Itself
5.2. Updating a Self-Registered Satellite
Chapter 6. Managing Hypervisors and Virtual Guest Subscriptions
6.1. Introduction to virt-who
6.2. Before You Begin
6.3. Supported Hypervisors
6.4. Setting up a Red Hat Enterprise Virtualization Manager Server or Libvirt (KVM) Hypervisor
6.5. Using virt-who with Hyper-V
6.6. Setting up a VMware Hypervisor
6.7. Configure virt-who with an Encrypted Password
6.8. vCenter Configuration Example for Reporting Data to Multiple Organizations
6.9. Registering Guest Instances
6.10. Removing a Guest Entry
6.11. Removing a Hypervisor Entry
6.12. Troubleshooting virt-who
Chapter 7. Installing Red Hat Satellite Capsule Server
7.1. Red Hat Satellite Capsule Server Scalability
7.2. Red Hat Satellite Capsule Server Prerequisites
7.3. Obtaining the Required Packages for the Capsule Server
7.4. Running the Installation and Configuration Program for Capsule Server
7.5. Optional Configuration Options
7.6. Adding Life Cycle Environments to a Red Hat Satellite Capsule Server
7.7. Removing Life Cycle Environments from the Red Hat Satellite Capsule Server
7.8. Registering Host Systems to a Red Hat Satellite Capsule Server
7.9. Configuring Satellite 6 with External Services
Chapter 8. Upgrading Red Hat Satellite Server and Capsule Server
8.1. Upgrading Red Hat Satellite
8.2. Upgrading Red Hat Satellite Capsule
8.3. Upgrading the Discovery Feature
8.4. Upgrading Red Hat Satellite Clients
8.5. Upgrading Between Minor Versions of Satellite
Chapter 9. Next Steps
Chapter 10. Uninstalling Red Hat Satellite Server and Capsule Server
Removing Satellite Server
Removing Capsule Server
Appendix A. Glossary of Terms
Appendix B. Revision History
Chapter 1. Introduction to Red Hat Satellite
Red Hat Satellite 6 is the evolution of Red Hat's life cycle management platform. It
provides the capabilities that administrators have come to expect in a tool focused on
managing systems and content for a global enterprise. Satellite 6 covers the use cases
requested by Satellite 5 customers, but also includes functionality that enables larger
scale, federation of content, better control of systems during the provisioning process,
and a much more simplified approach to life cycle management. Satellite 6 also further
evolves the inherent approach to certificate-based entitlements and integrated
subscription management. Satellite 6 is based on years of customer feedback and is an
evolution of previous versions.
1.1. Red Hat Satellite 6 System Architecture
The following diagram represents the high-level architecture of Red Hat Satellite 6.
Figure 1.1. Red Hat Satellite 6 System Architecture
There are four stages through which content flows in this architecture:
External Content Sources
The Red Hat Satellite Server can consume diverse types of content from various
sources. The required connection is the one with Red Hat Customer Portal, which
is the primary source of software packages, errata, Puppet modules, and
container images. In addition, you can use other supported content sources (Git
repositories, Docker Hub, Puppet Forge, SCAP repositories) as well as your
organization's internal data store.
Red Hat Satellite Server
The Red Hat Satellite Server enables you to plan and manage the content life
cycle and the configuration of Capsule Servers and hosts through GUI, CLI, or API.
The Satellite Server organizes the life cycle management by using organizations
as principal division units. Organizations isolate content for groups of hosts with
specific requirements and administration tasks. For example, the OS build team
can use a different organization than the web development team.
The Satellite Server also contains a fine-grained authentication system to provide
Satellite operators with permissions to access precisely the parts of the
infrastructure that lie in their area of responsibility.
Capsule Servers
Capsule Servers mirror content from the Satellite Server to establish content
sources in various geographical locations. This allows host systems to pull
content and configuration from the Satellite Capsule Servers in their location and
not from the central Satellite Server. The recommended minimal number of
Capsule Servers is therefore given by the number of geographic regions where
the organization that uses Satellite operates.
Using Content Views, you can specify the exact subset of content that the
Capsule Server makes available to hosts. See Figure 1.2, “Content Life Cycle in
Red Hat Satellite 6” for a closer look at life cycle management with the use of
Content Views.
The communication between managed hosts and the Satellite Server is routed
through the Capsule Server that can also manage multiple services on behalf of
hosts. Many of these services use dedicated network ports, but the Capsule
Server ensures that a single source IP address is used for all communications
from the host to the Satellite Server, which simplifies firewall administration.
Managed Hosts
Hosts are the recipients of content from Capsule Servers. Hosts can be either
physical or virtual (deployed on KVM, VMware vSphere, OpenStack, Amazon EC2,
Rackspace Cloud Services, Google Compute Engine, or in a Docker container). The
Satellite Server can have directly managed hosts. The base system running a
Capsule Server is also a managed host of the Satellite Server.
The following diagram provides a closer look at the distribution of content from the
Satellite Server to Capsules.
Figure 1.2. Content Life Cycle in Red Hat Satellite 6
By default, each organization has a Library of content from external sources. Content
Views are subsets of content from the Library created by intelligent filtering. You can
publish and promote Content Views into life cycle environments (typically Dev, QA, and
Production). When creating a Capsule Server, you can choose which life cycle
environments will be copied to that Capsule and made available to managed hosts.
Content Views can be combined to create Composite Content Views. For example, it is
beneficial to have a separate Content View for packages required by an operating system
and a separate one for packages required by an application. Which Content Views should
be promoted to which Capsule Server depends on the Capsule's intended functionality.
Any Capsule Server can run DNS, DHCP, and TFTP as infrastructure services that can be
supplemented, for example, with content or configuration services.
You can update the Capsule Server by creating a new version of a Content View using
synchronized content from the Library. The new Content View version is then promoted
through life cycle environments. You can also create in-situ updates of Content Views,
which means that a minor version of the Content View is created in its current life cycle
environment without promoting it from the Library.
1.2. Red Hat Satellite 6 System Components
Red Hat Satellite 6 consists of several open source projects which are integrated,
verified, delivered and supported as Satellite 6. It is often important to understand which
upstream versions of these projects are delivered. This information is maintained and
regularly updated on the Red Hat Customer Portal [1].
Red Hat Satellite 6 consists of the following open source projects:
Foreman
Foreman is an open source application used for provisioning and life cycle
management of physical and virtual systems. Foreman automatically configures
these systems using various methods, including kickstart and Puppet modules.
Foreman also provides historical data for reporting, auditing, and troubleshooting.
Katello
Katello is a Foreman plug-in for subscription and repository management. It
provides a means to subscribe to Red Hat repositories and download content. You
can create and manage different versions of this content and apply them to
specific systems within user-defined stages of the application life cycle.
Candlepin
Candlepin is a service within Katello that handles subscription management.
Pulp
Pulp is a service within Katello that handles repository and content management.
Hammer
Hammer is a CLI tool that provides command line and shell equivalents of most
Web UI functions.
REST API
Red Hat Satellite 6 includes a RESTful API service that allows system
administrators and developers to write custom scripts and third-party applications
that interface with Red Hat Satellite.
1.3. Red Hat Satellite 6 Supported Usage
Each Red Hat Satellite subscription includes one supported instance of Red Hat
Enterprise Linux Server. This instance should be reserved solely for the purpose of
running Red Hat Satellite. Using the operating system included with Satellite to run other
daemons, applications, or services within your environment is not supported.
Note
All Red Hat Satellite components and their usage are supported within the context of
Red Hat Satellite only. Third-party usage of any components falls beyond supported
usage.
Support for Red Hat Satellite components is described below.
Puppet
Red Hat Satellite 6 includes supported puppet packages. The installation program allows
users to install and configure Puppet Masters as a part of Red Hat Satellite Capsule
Servers. The server installs the Hiera key-value database, which can be used to refine
how Puppet modules are applied. A Puppet module, running on a Puppet Master on the
Red Hat Satellite Server or Satellite Capsule Server, using Hiera, is supported by Red Hat.
Red Hat supports many different scripting and other frameworks, including puppet
modules. Support for these frameworks is based on the article "How does Red Hat support
scripting frameworks?" [2]
Pulp
Pulp is the content management subsystem within Red Hat Satellite 6. Pulp usage is only
supported via the Satellite Server web UI, CLI, and API. Direct modification or interaction
with Pulp's local API or database is not supported.
Red Hat does not support direct modification with Pulp as this can cause irreparable
damage to the Red Hat Satellite 6 databases.
Foreman
Foreman makes up a large amount of Red Hat Satellite's core functionality including the
web UI container, users, organizations, security and other significant functions. Foreman
can be extended using plug-ins. However, only Red Hat Satellite packaged plug-ins are
supported. Red Hat does not support plug-ins in the Red Hat Satellite Optional repository.
Red Hat Satellite also includes components, configuration and functionality to provision and
configure operating systems other than Red Hat Enterprise Linux. While these features
are included and can be employed, Red Hat supports their usage for Red Hat
Enterprise Linux.
Candlepin
Candlepin is the subscription management subsystem within Red Hat Satellite 6. The only
supported methods of using Candlepin are through the Red Hat Satellite 6 web UI, CLI, and
API.
Red Hat does not support direct modification and interactions with Candlepin, its local API
or database, as this can cause irreparable damage to the Red Hat Satellite 6 databases.
Embedded Tomcat Application Server
The only supported methods of using the embedded Tomcat application server are
through the Red Hat Satellite 6 web UI, API, and database. Red Hat does not support direct
interactions and modifications of the embedded Tomcat application server's local API or
database.
1.4. Prerequisites
The following conditions must be met before installing Red Hat Satellite 6:
Important
The Red Hat Satellite server and Capsule server versions must match. For
example, a Satellite 6.0 server cannot run a 6.1 Capsule server and a Satellite 6.1
server cannot run a 6.0 Capsule server. Mismatching Satellite server and Capsule
server versions will result in the Capsule server failing silently.
1.4.1. Base Operating System
Important
Red Hat Satellite is only supported on the latest version of Red Hat Enterprise Linux
6 Server or 7 Server. Previous versions of Red Hat Enterprise Linux including EUS
or z-stream are not supported.
Install the operating system from disc, local ISO image, kickstart, or any other method that
Red Hat supports. Register and attach a subscription to the system as follows:
# subscription-manager register
# subscription-manager list --available --all
# subscription-manager subscribe --pool=Red_Hat_Enterprise_Linux_Pool_Id
Important
Red Hat Satellite Server requires Red Hat Enterprise Linux installations with the
@Base package group with no other package-set modifications, and without third-party
configurations or software that is not directly necessary for the direct
operation of the server. This restriction includes hardening or other non-Red Hat
security software. If such software is required in your infrastructure, install and
verify a complete working Satellite Server first, then create a backup of the
system before adding any non-Red Hat software.
Your subscription-manager 'Release' field must be set to 6Server or 7Server in
order to receive the latest version of Red Hat Enterprise Linux and Red Hat
Satellite during the installation. Set the field by using the command:
# subscription-manager release --set=Release
Only release versions 6Server and 7Server are supported by Red Hat Satellite.
Update the system to the latest set of packages in Red Hat Enterprise Linux after
setting the release:
# yum update
Red Hat recommends that the Satellite Server be a freshly provisioned system
that serves no other function except as a Satellite Server.
Red Hat Satellite requires a networked base system with the following minimum
specifications:
64-bit architecture
The latest version of Red Hat Enterprise Linux 6 Server or 7 Server
A minimum of two CPU cores, but four CPU cores are recommended.
A minimum of 12 GB memory but ideally 16 GB of memory for each instance of
Satellite. A minimum of 4 GB of swap space is recommended.
A unique hostname. The hostname can contain lower-case letters, numbers, dots (.)
and hyphens (-).
No Java virtual machine installed on the system, remove any if they exist.
No Puppet RPM files installed on the system.
No third-party unsupported yum repositories enabled. Third-party repositories may
offer conflicting or unsupported package versions that may cause installation or
configuration errors.
A current Red Hat Network subscription.
Administrative user (root) access.
Full forward and reverse DNS resolution using a fully qualified domain name. Ensure
that hostname and localhost resolve correctly, using the following commands:
# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com
Important
Ensure that the host system is fully updated before installing Red Hat Satellite.
Attempts to install on host systems that are not fully updated may lead to difficulty
in troubleshooting, as well as unpredictable results.
1.4.2. Supported Browsers
Browser support is divided into 4 levels:
1. Level 1: Fully supported preferred browsers for ideal experience.
2. Level 2: Mostly supported. The interface functions but some design elements may
not align correctly, UI controls and layout may be misaligned and there may be
degraded performance experienced.
3. Level 3: Design elements may not align correctly.
4. Level 4: Unsupported
The table below outlines the supported browsers and their level of support:
Table 1.1. Supported Browser Matrix
Browser | Version | Support Level
Firefox | 3.6 | L3
Firefox | 17, 18, 19, 20 | L4
Firefox | 21 | L2
Firefox | 22, 23, 24 | L1
Firefox | Latest | L1
Chrome | 19, 20 | L4
Chrome | 21, 27 | L2
Chrome | Latest | L1
Internet Explorer | 7, 8 | L4
Internet Explorer | 9, 10, 11 | L2
Safari | ALL | L4
Note
The web UI and command-line interface for Satellite Server supports English,
Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian,
Spanish, Russian, French, and German.
1.4.3. Storage
Satellite Server storage specifications are as follows:
A minimum of 6 GB storage for base operating system installation of Red Hat
Enterprise Linux.
A minimum of 400 MB storage for the Red Hat Satellite 6 software installation.
A minimum of 20 GB storage for each unique software repository. Packages that are
duplicated in different repositories are only stored once on the disk. Additional
repositories containing duplicate packages will require less additional storage. The bulk
of storage resides on the /var/lib/mongodb and /var/lib/pulp directories. These
end points are not manually configurable. Make sure that storage is available on the
/var file system to prevent storage issues.
A minimum of 2 GB of available storage in /var/lib/pgsql with the ability to grow the
partition containing this directory as data storage requirements grow.
If you are using a disconnected installation, a copy of the repositories used in the
installation are stored in the /opt/ directory. Ensure you have a minimum of 2GB of
space for this file system and directory.
Note
Most Satellite Server data is stored within the /var directory. It is strongly
recommended to mount /var on LVM storage that the system can scale to meet data
storage requirements.
Note
The XFS file system is recommended for Red Hat Satellite 6. XFS is the default file
system in Red Hat Enterprise Linux 7, which makes it the preferable base operating
system. If you intend to use Red Hat Enterprise Linux 6 instead, contact your
account team to learn about enabling XFS on this system. Alternatively, make sure
that you have an ext4 file system with sufficient amount of inodes for your intended
Satellite deployment.
The following table details recommended storage requirements for specific directories.
These values are based on expected use case scenarios and may vary according to
individual environments.
Table 1.2. Recommended Storage Considerations
Directory | Installation Size Requirement | Runtime Requirement with Red Hat Enterprise Linux 5/6/7 synchronized
/var/lib/pulp | 1 MB | 200 GB
/var/lib/mongodb | 3.5 GB | 15 GB
/var/log | 10 MB | 100 MB
/var/lib/pgsql | 100 MB | 250 MB
Important
Several components of Red Hat Satellite are sensitive to network latency. Red Hat
recommends local or SAN-based storage. Avoid NFS storage whenever possible.
1.4.4. Application Specifications
Satellite Server application installation specifications are as follows:
Red Hat recommends that a time synchronizer such as ntp is installed and enabled on
the host operating system before installing Satellite to minimize the effects of any time
drift.
For Red Hat Enterprise Linux 6, run the following commands to start the ntpd service and
have it persist across restarts:
# service ntpd start
# chkconfig ntpd on
In Red Hat Enterprise Linux 7, chrony is the default time synchronizer. Run the following
commands to start the chronyd service and have it persist across restarts:
# systemctl start chronyd
# systemctl enable chronyd
1.4.5. Network Ports Required for Satellite Communications
The following network ports need to be open and free on the base operating system
before continuing with the installation:
Table 1.3. Ports for Browser-based User Interface Access to Satellite
Port | Protocol | Service | Required for
443 | TCP | HTTPS | For Browser-based UI Access to Satellite
Optional 80 | TCP | HTTP | To enable redirection to HTTPS for web UI Access to Satellite
Table 1.4. Ports for Satellite to Red Hat CDN Communication
Port | Protocol | Service | Required for
443 | TCP | HTTPS | Subscription Management Services, connecting to the Red Hat CDN
Table 1.5. Ports for Client to Satellite Communication
Port | Protocol | Service | Required for
53 | TCP and UDP | DNS | Queries to the Satellite's integrated DNS service
67 | UDP | DHCP | For Client provisioning from the integrated Capsule
69 | UDP | TFTP | Downloading PXE boot image files from the integrated Capsule
80 | TCP | HTTP | Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware
443 | TCP | HTTPS | Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent
5647 | TCP | amqp | The Katello agent to communicate with the Satellite's Qpid dispatch router
8140 | TCP | HTTPS | Puppet agent to Puppet master connections
Any managed host that is directly connected to the Satellite Server is a Client in this
context. This includes the base system on which a Capsule Server is running.
Table 1.6. Optional Network Ports
Port | Protocol | Service | Required for
7911 | TCP | DHCP | Capsule originated, for orchestration of DHCP records (local or external) [a]
5000 | TCP | HTTP | Satellite originated, for compute resources in OpenStack or for running Docker containers
22, 16514 | TCP | SSH/TLS | Satellite originated, for compute resources in libvirt
389, 636 | TCP | SSH/TLS | Satellite originated, for LDAP and secured LDAP authentication sources
from 5910 to 5930 | TCP | SSH/TLS | Satellite originated, for NoVNC console in Web UI to hypervisors
[a] If the DHCP service is provided by an external service, opening this port is required on the
external server.
Note
Port 8080 needs to be free, but not open, in order for subscription management
services to access the Satellite Server.
Note
To configure the firewall on a Capsule to enable incoming connections from the
Satellite, see Section 7.2.3, “Connections from Satellite to Capsule”.
Connections from Client to Satellite
To configure the firewall on a Satellite to enable incoming connections from a Client,
and to make these rules persistent during reboots, enter the commands below
appropriate to the Red Hat release.
The ports in these commands are taken from the table Table 1.5, “Ports for Client to
Satellite Communication”. Note that port 80 and 443 are also listed in the Table 1.3, “Ports
for Browser-based User Interface Access to Satellite”. Review the commands to avoid
duplicating entries.
On a Red Hat Enterprise Linux 6 Satellite, execute as root:
# iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
On a Red Hat Enterprise Linux 7 Satellite, execute as root:
# firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" \
--add-port="69/udp" --add-port="80/tcp" \
--add-port="443/tcp" --add-port="5647/tcp" \
--add-port="8140/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" \
--add-port="69/udp" --add-port="80/tcp" \
--add-port="443/tcp" --add-port="5647/tcp" \
--add-port="8140/tcp"
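The firewall-cmd command above has to be applied twice, once to the runtime configuration and once with --permanent, so the two sets can drift apart. The following added example (not part of the Red Hat guide) audits the port lists printed by `firewall-cmd --list-ports` and `firewall-cmd --permanent --list-ports` against Table 1.5; the function names and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit firewalld port lists against Table 1.5.

# Ports the page opens for Client-to-Satellite traffic (Table 1.5).
REQUIRED_PORTS="53/tcp 53/udp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8140/tcp"

# entry_covers ENTRY PORT/PROTO
# Succeeds when a firewalld entry ("443/tcp", or a range such as
# "8000-8100/tcp") includes the given port on the same protocol.
entry_covers() {
    ec_proto=${1#*/}; ec_ports=${1%/*}
    ec_lo=${ec_ports%-*}; ec_hi=${ec_ports#*-}
    ec_want=${2%/*}
    [ "$ec_proto" = "${2#*/}" ] || return 1
    [ "$ec_want" -ge "$ec_lo" ] && [ "$ec_want" -le "$ec_hi" ]
}

# missing_ports "LIST": required ports that no entry in LIST covers.
missing_ports() {
    mp_out=""
    for mp_want in $REQUIRED_PORTS; do
        mp_hit=0
        for mp_entry in $1; do
            if entry_covers "$mp_entry" "$mp_want"; then mp_hit=1; fi
        done
        if [ "$mp_hit" -eq 0 ]; then mp_out="$mp_out $mp_want"; fi
    done
    echo "${mp_out# }"
}

# list_diff "A" "B": entries of A that do not appear literally in B.
list_diff() {
    ld_out=""
    for ld_a in $1; do
        ld_hit=0
        for ld_b in $2; do
            if [ "$ld_a" = "$ld_b" ]; then ld_hit=1; fi
        done
        if [ "$ld_hit" -eq 0 ]; then ld_out="$ld_out $ld_a"; fi
    done
    echo "${ld_out# }"
}

# extra_entries "LIST": open entries that are not in Table 1.5 (review these).
extra_entries() { list_diff "$1" "$REQUIRED_PORTS"; }

# runtime_only "RUNTIME" "PERMANENT": entries that a reload or reboot drops.
runtime_only() { list_diff "$1" "$2"; }

# Constructed sample data standing in for real command output:
#   SAMPLE_RUNTIME   <- firewall-cmd --list-ports
#   SAMPLE_PERMANENT <- firewall-cmd --permanent --list-ports
SAMPLE_RUNTIME="53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8140/tcp 8000-8100/tcp"
SAMPLE_PERMANENT="53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp"

echo "missing (runtime):   $(missing_ports "$SAMPLE_RUNTIME")"
echo "missing (permanent): $(missing_ports "$SAMPLE_PERMANENT")"
echo "not in Table 1.5:    $(extra_entries "$SAMPLE_RUNTIME")"
echo "runtime only:        $(runtime_only "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
```

Ports opened through a firewalld service definition rather than --add-port do not appear in --list-ports, so an entry reported as missing may still be reachable that way.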
1.4.6. SELinux Policy on Sat ellit e 6
Re d Hat Sate llite 6 us e s a s e t of pre de fine d ports , as de s cribe d in the pre ce ding s e ction
and in Se ction 7.2.3, “Ne twork Ports Re quire d for Caps ule Communications ”. Be caus e
Re d Hat re comme nds that SELinux on Sate llite 6 s ys te ms be s e t to e nforcing, if you ne e d
to change the port for any s e rvice , you als o ne e d to change the as s ociate d SELinux port
type to allow acce s s to the re s ource s . For e xample , if you change the we b UI ports
(HTTP/HTTPS) to 8018/8019, you ne e d to add the s e port numbe rs to the httpd_port_t
SELinux port type .
15
Ins t allat io n Guide
Table 1.7, “SELinux Commands to Change De fault Port As s ignme nts ” lis ts the re quire d
commands to change the Sate llite 6 de fault ports to a us e r-s pe cifie d port. The s e
e xample s us e port 99999 for de mons tration purpos e s ; e ns ure you change this value to
s uit your de ployme nt.
No te
This change is als o re quire d for targe t ports ; for e xample , whe n Sate llite 6 conne cts
to an e xte rnal s ource , s uch as Re d Hat Ente rpris e Virtualiz ation Manage r or
Ope nStack.
You only ne e d to make change s to de fault port as s ignme nts once . Updating or
upgrading Sate llite has no e ffe ct on the s e as s ignme nts . Any update s only add
de fault SELinux ports if no as s ignme nts e xis t.
Table 1.7. SELinux Commands to Change Default Port Assignments
Default Port                          SELinux Command
80, 443, 8443                         semanage port -a -t http_port_t -p tcp 99999
8080                                  semanage port -a -t http_cache_port_t -p tcp 99999
8140                                  semanage port -a -t puppet_port_t -p tcp 99999
9090                                  semanage port -a -t websm_port_t -p tcp 99999
69                                    semanage port -a -t tftp_port_t -p udp 99999
53 (TCP)                              semanage port -a -t dns_port_t -p tcp 99999
53 (UDP)                              semanage port -a -t dns_port_t -p udp 99999
67, 68                                semanage port -a -t dhcpd_port_t -p udp 99999
5671                                  semanage port -a -t amqp_port_t -p tcp 99999
8000                                  semanage port -a -t soundd_port_t -p tcp 99999
7911                                  semanage port -a -t dhcpd_port_t -p tcp 99999
5000 on Red Hat Enterprise Linux 6    semanage port -a -t commplex_port_t -p tcp 99999
5000 on Red Hat Enterprise Linux 7    semanage port -a -t commplex_main_port_t -p tcp 99999
22                                    semanage port -a -t ssh_port_t -p tcp 99999
16514 (libvirt)                       semanage port -a -t virt_port_t -p tcp 99999
389, 636                              semanage port -a -t ldap_port_t -p tcp 99999
5910 to 5930                          semanage port -a -t vnc_port_t -p tcp 99999
To allow Satellite 6 to connect to a service that is on a different port, for example, EC2 or
an external repository served by an Apache httpd server, you need to add this port to
the virt_port_t SELinux type, as follows:
# semanage port -a -t virt_port_t -p tcp 99999
Important
If SELinux was disabled (as compared to enabled and running in permissive mode),
when you installed Satellite, then you need to enable SELinux and run the following
commands in permissive mode after you have completed the installation:
# foreman-selinux-enable
# foreman-selinux-relabel
Failure to run these commands can result in mislabeled files, AVC denials when
attempting to access the web UI, and difficult troubleshooting.
Use the semanage command if you need to disassociate the previously used port number
and port type. For example:
# semanage port -d -t virt_port_t -p tcp 99999
For more information about configuring SELinux, and ensuring that it is enabled on startup,
see the following resources:
Enabling SELinux on Red Hat Enterprise Linux 6 [3]
Enabling SELinux on Red Hat Enterprise Linux 7 [4]
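The following is an added example, not part of the Red Hat guide: it reads `semanage port -l` output and reports whether a custom port (such as the 8018 web UI port mentioned above) is already labelled, needs `semanage port -a`, or needs `semanage port -m` because the port already has its own entry under another type. The function names and the sample listing are constructed for illustration, and the `-m` case is semanage behaviour that the guide itself does not cover.

```shell
#!/bin/sh
# Added example: plan the SELinux port label for a custom Satellite port.

# match_kind PORT "80, 81, 5900-5983" -> prints "exact", "range" or nothing
match_kind() (
    port=$1
    IFS=', '
    kind=""
    for item in $2; do
        case $item in
            *-*) if [ "$port" -ge "${item%-*}" ] && [ "$port" -le "${item#*-}" ]; then
                     if [ -z "$kind" ]; then kind=range; fi
                 fi ;;
            *)   if [ "$port" -eq "$item" ]; then kind=exact; fi ;;
        esac
    done
    printf '%s\n' "$kind"
)

# plan_port_label TYPE PROTO PORT < `semanage port -l` output
# Prints the command to run, or a note that nothing is needed.
# Simplification: only single-port entries of other types are treated as
# conflicts; overlapping ranges of other types are ignored.
plan_port_label() (
    want=$1 proto=$2 port=$3
    case $port in ''|*[!0-9]*) echo "invalid port $port"; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port $port"; return 2
    fi
    want_kind=""
    other_exact=""
    while read -r type p ports; do
        [ "$p" = "$proto" ] || continue          # skips header and blank lines
        kind=$(match_kind "$port" "$ports")
        if [ "$type" = "$want" ]; then
            if [ "$kind" = exact ]; then want_kind=exact; fi
            if [ "$kind" = range ] && [ -z "$want_kind" ]; then want_kind=range; fi
        elif [ "$kind" = exact ]; then
            other_exact=$type
        fi
    done
    if [ "$want_kind" = exact ]; then
        echo "already labelled $want"
    elif [ -n "$other_exact" ]; then
        # The port has its own entry under another type: -a would be rejected.
        echo "semanage port -m -t $want -p $proto $port"
    elif [ "$want_kind" = range ]; then
        echo "already labelled $want"
    else
        echo "semanage port -a -t $want -p $proto $port"
    fi
)

# Constructed sample of `semanage port -l` output (not from a real system).
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53
dns_port_t                     udp      53
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
vnc_port_t                     tcp      5900-5983, 5985-5999
EOF
}

# Demo on the sample; on a Satellite host use: semanage port -l | plan_port_label ...
sample_listing | plan_port_label http_port_t tcp 8018
sample_listing | plan_port_label http_port_t tcp 8080
```

The demonstration value 99999 used in Table 1.7 is rejected by this check because it lies outside the 1 to 65535 port range, which is why it has to be replaced before any of the commands is run.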
1.4.7. Considerations for Large Deployments
With more than 225 content hosts, the qpidd message broker can reach several system-level
limits, resulting in Satellite's failure to operate. To avoid this, one or more of these
limits must be increased before deploying a large number of content hosts.
Refer to the following table to confirm which values must be changed depending on the
number of content hosts you plan to deploy. Then refer to the following sections for
instructions on how to set these limits.
Table 1.8. Limits to be Increased for Large Deployments
Number of          Client        File          Parallel Asynchronous   Concurrent   Memory
Content Hosts      Connections   Descriptors   I/O Operations          Locks        Map Areas
More than 225      ✔
More than 500      ✔             ✔
More than 1900     ✔             ✔             ✔
More than 30,000   ✔             ✔             ✔                       ✔
More than 32,900   ✔             ✔             ✔                       ✔            ✔
Increasing the Maximum Number of Client Connections
With more than 225 content hosts, qpidd reaches the maximum number of client
connections. To increase it, first establish the new value of the limit that is calculated as:
(number_of_content_hosts x 2) + 100
For example, a deployment with 300 content hosts requires at least 700 connections. Use
the calculated value in /etc/qpid/qpidd.conf:
max-connections=value
Increasing the Maximum Number of File Descriptors
With more than 500 content hosts, qpidd reaches the maximum number of file
descriptors. To increase it, first establish the new value of the limit that is calculated as:
(number_of_content_hosts x 4) + 500
For example, a deployment with 600 content hosts requires 2900 file descriptors. Use the
calculated value in appropriate configuration files:
On Red Hat Enterprise Linux 6, add the following line to /etc/security/limits.conf:
qpidd - nofile value
On Red Hat Enterprise Linux 7, add the following line to
/usr/lib/systemd/system/qpidd.service at the end of the [Service] section:
LimitNOFILE=value
Increasing the Maximum Number of Parallel Asynchronous I/O Operations
With more than 1900 content hosts, qpidd reaches the kernel limit of maximum parallel
asynchronous I/O operations. To increase it, first establish the new value of the limit that
is calculated as:
33 x number_of_content_hosts
Use the calculated value in /etc/sysctl.conf:
fs.aio-max-nr=value
Reload the setting by executing:
# sysctl -p
Increasing the Maximum Number of Concurrent Locks
With more than 30,000 content hosts, the back-end database of qpidd might reach the
maximum number of concurrent locks. To increase this limit, create a configuration file in
the directory where the exchanges.db file is stored. The directory location can vary.
Confirm its location by searching the /var/lib/qpidd/ directory:
# find /var/lib/qpidd -name exchanges.db
/var/lib/qpidd/qls/dat/exchanges.db
In the above example, exchanges.db is stored in the /var/lib/qpidd/qls/dat/
directory. In this directory, create a DB_CONFIG file that must be owned and readable by
the qpidd user. Add the following content to DB_CONFIG:
set_lk_max_locks 10000
set_lk_max_objects 10000
Increasing the Maximum Number of Memory Map Areas
With more than 32,900 content hosts, qpidd reaches the kernel limit of maximum number
of memory map areas per process. This problem occurs only on Red Hat Enterprise Linux
7.
Increase the limit by adding the following line to /etc/sysctl.conf:
vm.max_map_count = 655300
Reload the setting by executing:
# sysctl -p
Important
It is required to restart qpidd to apply any changes to the aforementioned limits:
On Red Hat Enterprise Linux 6:
# service qpidd restart
On Red Hat Enterprise Linux 7:
# systemctl restart qpidd
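The following added example (not part of the Red Hat guide) combines Table 1.8 with the formulas in this section: for a planned number of content hosts it lists every limit that applies and compares it with the values currently in effect. The function names and the sample "current" values are constructed for illustration.

```shell
#!/bin/sh
# Added example: which qpidd-related limits must be raised for N content hosts?

# required_limits HOSTS -> "name value" for each limit Table 1.8 marks.
required_limits() (
    n=$1
    [ "$n" -gt 225 ]  && echo "max-connections $(( n * 2 + 100 ))"   # qpidd.conf
    [ "$n" -gt 500 ]  && echo "nofile $(( n * 4 + 500 ))"            # limits.conf / LimitNOFILE
    [ "$n" -gt 1900 ] && echo "fs.aio-max-nr $(( 33 * n ))"          # sysctl.conf
    if [ "$n" -gt 30000 ]; then                                      # DB_CONFIG
        echo "set_lk_max_locks 10000"
        echo "set_lk_max_objects 10000"
    fi
    [ "$n" -gt 32900 ] && echo "vm.max_map_count 655300"             # RHEL 7 only
    return 0
)

# limits_to_raise HOSTS < "name current_value" lines
# Prints one line per limit whose current value is below the required one.
# A limit missing from the input is treated as 0, so it is always reported.
limits_to_raise() (
    hosts=$1
    current=$(cat)
    required_limits "$hosts" | while read -r name need; do
        have=$(printf '%s\n' "$current" |
               awk -v k="$name" '$1 == k { print $2; exit }')
        have=${have:-0}
        if [ "$have" -lt "$need" ]; then
            echo "$name: have $have, need $need"
        fi
    done
)

# Constructed sample of current values. On a real host they could be collected with:
#   grep '^max-connections' /etc/qpid/qpidd.conf
#   awk '/Max open files/ { print $4 }' /proc/"$(pidof qpidd)"/limits
#   sysctl -n fs.aio-max-nr
current_values() {
    cat <<'EOF'
max-connections 500
nofile 4096
fs.aio-max-nr 65536
EOF
}

# Demo: a deployment planned for 2000 content hosts.
current_values | limits_to_raise 2000
```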
1.4.8. Troubleshooting
Red Hat recommends installing the sos package on the host operating system before
installing Satellite. The sos package provides the sosreport command that collects
configuration and diagnostic information from a Red Hat Enterprise Linux system and is
used to provide the initial analysis of a system required when opening a service request
with Red Hat Technical Support. For more information on using sosreport, refer to the
What is a sosreport and how to create one in Red Hat Enterprise Linux 4.6 and later?
article on Red Hat Customer Portal [5].
To install the sos package run the following command:
# yum install sos
[1] https://access.redhat.com/articles/1343683
[2] https://access.redhat.com/articles/369183
[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux
[4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux
[5] https://access.redhat.com/solutions/3592
Chapter 2. Installing Red Hat Satellite Server
This chapter describes how to obtain the required packages to install Red Hat Satellite Server,
whether you are connected to the network or not. You can then use the installation
program, katello-installer, to install and configure the Satellite Server. Several
configuration options are available; these are described in Section 2.3, “Optional
Configuration Options”.
2.1. Obtaining the Required Packages
There are two ways to obtain the packages required to install a Satellite Server:
Download the packages directly from the Red Hat Content Delivery Network (CDN).
Download an ISO image of the packages required from an external computer.
Both methods are described in this section. However, for hosts that have network
connectivity, Red Hat recommends downloading the packages directly from the CDN. Using
ISO images is only recommended for hosts in a disconnected environment because ISO
images may not contain the latest updates.
2.1.1. Downloading from a Connected Network
This section describes how to use Subscription Manager to download the required
packages for Red Hat Satellite Server from the repository.
Procedure 2.1. To Download Satellite Server on a Certificate-managed System:
1. List all the available subscriptions to find the correct Red Hat Satellite and Red Hat
Enterprise Linux product to allocate to your system:
# subscription-manager list --available --all
This command displays output similar to the following:
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Satellite Subscription
Provides:          Red Hat
                   Red Hat Satellite Capsule 6
                   Red Hat Enterprise Linux 7
                   Red Hat Satellite 6
SKU:               SKU123456
Pool ID:           e1730d1f4eaa448397bfd30c8c7f3d334bd8b
Available:         6
Suggested:         1
Service Level:     Self-Support
Service Type:      L1-L3
Multi-Entitlement: No
Ends:              01/01/2022
System Type:       Physical
Note
The SKU and Pool ID depend on the Red Hat Satellite product type that
corresponds to your system version and product type. Take note of the pool
IDs for Red Hat Satellite 6.1, Red Hat Enterprise Linux and Red Hat Software
Collections that correspond to your system version and product type.
2. Attach a subscription to the registered system:
# subscription-manager subscribe --pool=Red_Hat_Satellite_Pool_Id \
&& subscription-manager subscribe --pool=Red_Hat_Enterprise_Linux_Pool_Id \
&& subscription-manager subscribe \
--pool=Red_Hat_Enterprise_Linux_Software_Collections_Pool_Id
3. Disable all existing repositories:
# subscription-manager repos --disable "*"
4. Enable the Red Hat Satellite and Red Hat Enterprise Linux and Red Hat Software
Collections repositories. Ensure the Red Hat Enterprise Linux repository matches
the specific version you are using.
For Red Hat Enterprise Linux 6:
# subscription-manager repos --enable rhel-6-server-rpms \
--enable rhel-server-rhscl-6-rpms \
--enable rhel-6-server-satellite-6.1-rpms
For Red Hat Enterprise Linux 7:
# subscription-manager repos --enable rhel-7-server-rpms \
--enable rhel-server-rhscl-7-rpms \
--enable rhel-7-server-satellite-6.1-rpms
Note
The commands above are based on Red Hat Enterprise Linux 6 and 7. If you
are using a different version of Red Hat Enterprise Linux, change the
repository based on your specific version.
5. If required, to verify what repositories have been enabled, use the yum repolist
enabled command. For example, on Red Hat Enterprise Linux 7:
# yum repolist enabled
Loaded plugins: product-id, subscription-manager
repo id                                   repo name                                                                status
!rhel-7-server-rpms/x86_64                Red Hat Enterprise Linux 7 Server (RPMs)                                 9,889
!rhel-7-server-satellite-6.1-rpms/x86_64  Red Hat Satellite 6.1 (for RHEL 7 Server) (RPMs)                         545
!rhel-server-rhscl-7-rpms/x86_64          Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server  4,279
repolist: 14,713
6. Install the katello package:
# yum install katello
Important
The required packages are now installed. Proceed to Section 2.2, “Running the
Installation and Configuration Program” to run the installation and configuration
program.
2.1.2. Downloading from a Disconnected Network
Note
When the intended host for the Red Hat Satellite server is in a disconnected
environment, it is possible to install the Satellite Server by using an ISO image. This
method is not recommended for any other situation as ISO images may not contain
the latest updates to Satellite; therefore, by installing Red Hat Satellite with an ISO
image you may be installing older versions of Satellite. Older versions may be
missing bug fixes and functionality.
Prerequisites
Before installing, you must have a repository configured with Red Hat Enterprise Linux 6.6
and later or Red Hat Enterprise Linux 7.0 and later. For more information on how to update
a disconnected system, in Red Hat Enterprise Linux 6 see Upgrading the System Off-line
with ISO and Yum in Deployment guide, and for Red Hat Enterprise Linux 7 see Upgrading
the System Off-line with ISO and Yum in System Administrator's Guide.
A copy of the repositories used in the installation is stored in the /opt/ directory.
Ensure you have a minimum of 2GB of space for this file system and directory.
ISO installations require imported Red Hat GPG keys before installation. Run the following
command as root before running the installation script:
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
The following procedure details how to install Satellite Server on a host through ISO.
1. Download the ISO image from the Red Hat Customer Portal.
2. As the root user, mount the ISO image to a directory:
# mkdir /media/iso
# mount -o loop iso_filename /media/iso
3. Change to the /media/iso directory.
4. Run the installer script in the mounted directory:
# ./install_packages
Important
The required packages are now installed. Proceed to Section 2.2, “Running the
Installation and Configuration Program”.
2.2. Running the Installation and Configuration Program
Now that the required packages have been downloaded, the installation and configuration
program, katello-installer, must be run to install the Satellite Server. There are two
main methods to do so:
Manual Configuration - manually run the command and configuration options on the
command-line interface (CLI).
Automatic Configuration - most of the installation and configuration process can be
automated by using an answer file.
Both methods are supported and available in this chapter. Choosing one or the other
would depend on your organization's requirements.
Other configuration options are also documented in this chapter to assist in installing the
Satellite Server. For example, if there is an HTTP Proxy in the host system's network, or if
the organization uses customized server certificates.
2.2.1. Configuring Red Hat Satellite Manually
Satellite Server has an automatic initial configuration that prepares the server for use.
The katello-installer script supports the ability to override various default settings
within the different components of Satellite Server. For example, for organizations that
have an existing HTTP proxy, additional configuration options need to be passed to the
Satellite Server installer. See Section 2.3, “Optional Configuration Options” for other
configuration options that can be used based on your environment's requirements.
Procedure 2.2. To Run the Installer Script:
1. Run the following command as the root user to manually configure Red Hat Satellite:
# katello-installer --foreman-initial-organization "initial_organization_name" \
--foreman-initial-location "initial_location_name" \
--foreman-admin-username admin-username \
--foreman-admin-password admin-password
This script can be run multiple times without any issues.
Important
If you do not specify any of these values, the default values are used. Use
the katello-installer --help command to display the available options
and any default values.
When the configuration script has completed successfully, it displays output similar
to the following:
# katello-installer
Installing             Done                 [100%] [........................................]
Success!
* Katello is running at https://satellite.example.com
Default credentials are 'admin:changeme'
* Capsule is running at https://satellite.example.com:9090
* To install additional capsule on separate machine continue by
running:
capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
The full log is at /var/log/katello-installer/katello-installer.log
2. After configuration, run the following commands to configure the firewall to limit
elasticsearch to the foreman and root users and make these rules persistent
during reboots:
A. On Red Hat Enterprise Linux 6, execute as root:
# iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner \
--uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner \
--uid-owner root -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
B. On Red Hat Enterprise Linux 7, execute as root:
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp \
-m tcp --dport 9200 -j DROP \
&& firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp \
-m tcp --dport 9200 -j DROP \
&& firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp \
-m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp \
-m tcp --dport 9200 -j DROP \
&& firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp \
-m tcp --dport 9200 -j DROP
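The owner-match rules above only protect Elasticsearch if both ACCEPT rules come before the DROP and no unrestricted ACCEPT for port 9200 precedes it. The following added example (not part of the Red Hat guide) checks that ordering in `iptables -S` output. The function name and the sample rule listings are constructed, and the numeric UID 994 for the foreman user is an assumption made for the sample data.

```shell
#!/bin/sh
# Added example: audit the loopback rules that restrict Elasticsearch (tcp/9200).
# Usage on a Satellite host:
#   iptables  -S | check_es_lockdown "$(id -u foreman)"
#   ip6tables -S | check_es_lockdown "$(id -u foreman)"
# Assumption: the listing prints owner matches as numeric UIDs; the names
# "foreman" and "root" are accepted as well.
check_es_lockdown() {
    awk -v fuid="$1" '
    # Rules in OUTPUT (or a chain whose name starts with OUTPUT, such as the
    # one firewalld may use for direct rules) for loopback traffic to 9200.
    /^-A OUTPUT/ && / -o lo / && /--dport 9200 / {
        owner = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--uid-owner") owner  = $(i + 1)
            if ($i == "-j")          target = $(i + 1)
        }
        if (target == "ACCEPT") {
            if (owner == "")                              open = 1
            else if (owner == fuid || owner == "foreman") foreman = 1
            else if (owner == "0" || owner == "root")     root = 1
            else                                          extra = extra " " owner
        }
        # Rules after the first unconditional DROP can never match this traffic.
        if (target == "DROP" && owner == "") { drop = 1; exit }
    }
    END {
        if (!drop)       { print "FAIL: no DROP rule for tcp/9200 on lo"; exit 1 }
        if (open)        { print "FAIL: unrestricted ACCEPT before the DROP"; exit 1 }
        if (!foreman)    { print "FAIL: no foreman ACCEPT before the DROP"; exit 1 }
        if (!root)       { print "FAIL: no root ACCEPT before the DROP"; exit 1 }
        if (extra != "") { print "WARN: additional UIDs allowed:" extra; exit 0 }
        print "OK"
    }'
}

# Constructed sample listings (not captured from a real system).
good_rules() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 994 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
EOF
}
misordered_rules() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 994 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 0 -j ACCEPT
EOF
}

good_rules | check_es_lockdown 994
misordered_rules | check_es_lockdown 994
```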
The Red Hat Satellite Server creates an initial organization and location called "Default
Organization" and "Default Location", respectively. After the initial configuration, you can
create additional organizations and locations. You can rename the default organization or
location and you can delete the default organization, but you cannot delete the default
location.
2.2.2. Configuring Red Hat Satellite with an Answer File
You can use answer files to automate installations with customized options. The initial
answer file is sparsely populated. After you run katello-installer for the first time, the
answer file is populated with the standard parameter values for installation.
The following procedure describes how to configure Red Hat Satellite Server with an
answer file.
Procedure 2.3. To Configure and Use an Answer File for Installation:
1. Copy the default answer file located at
/etc/katello-installer/answers.katello-installer.yaml to a location on your local file
system:
# cp /etc/katello-installer/answers.katello-installer.yaml \
/etc/katello-installer/my-answer-file.yaml
2. Open your copy of the answer file, edit the values to suit your environment, and
save the file.
Note
The parameters for each module are specified in the module's params.pp
file. Run the following command to view available modules with parameter
files:
# rpm -ql katello-installer-base | grep params.pp
3. Open the /etc/katello-installer/katello-installer.yaml file and edit the
answer file entry to point to your custom answer file:
:answer_file: /etc/katello-installer/my-answer-file.yaml
4. Run the katello-installer command.
# katello-installer
2.3. Optional Configuration Options
2.3.1. Configuring Red Hat Satellite with an HTTP Proxy
This section shows how to configure Red Hat Satellite for networks that go through an
HTTP Proxy. As a prerequisite, make sure that the http_proxy, https_proxy, and
no_proxy environment variables are not set:
# export http_proxy=""
# export https_proxy=$http_proxy
# export no_proxy=$http_proxy
Run katello-installer with the following options:
# katello-installer --katello-proxy-url=http://myproxy.example.com \
--katello-proxy-port=8080 \
--katello-proxy-username=proxy_username \
--katello-proxy-password=proxy_password
Where:
--katello-proxy-url is the URL of the HTTP proxy server.
--katello-proxy-port is the port the HTTP proxy server is listening on.
--katello-proxy-username (optional) is the HTTP proxy username for authentication.
If your HTTP proxy server does not require a username, you are not required to
specify the username.
--katello-proxy-password (optional) is the HTTP proxy password for authentication. If
your HTTP proxy server does not require a password, you are not required to specify
the password. The following list of special characters used in a password, as well as
any white space, must be escaped using the backslash \ character: ] [ ? \ < ~ # `
! @ $ % ^ & * ( ) + = } | : " ; ' , > { . Alternatively, use quotation marks
around the password.
After configuring the Satellite Server to go through the HTTP Proxy, make sure that yum
or subscription-manager can connect to the Red Hat Content Delivery Network (CDN)
and that the Satellite Server can synchronize its repositories to the CDN by following
these steps:
Procedure 2.4. To Configure Satellite Server to Allow Red Hat Subscription
Manager Access to the CDN:
1. On the network gateway and the HTTP Proxy, open the following hostnames, ports
and protocols:
Table 2.1. Required Hostnames, Ports and Protocols
Hostname                      Port   Protocol
subscription.rhn.redhat.com   443    https
cdn.redhat.com                443    https
*.akamaiedge.net              443    https
2. In the Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf
file. For example:
# an http proxy server to use (enter server FQDN)
proxy_hostname = http_proxy.example.com
# port for http proxy server
proxy_port = 3128
# user name for authenticating to an http proxy, if needed
proxy_user =
# password for basic http proxy auth, if needed
proxy_password =
2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate
Red Hat Satellite comes with a default certificate authority (CA) used by both the server
and client SSL certificates for authentication of subservices. The server and client
certificates can be replaced with custom ones. For more information on creating custom
certificates, see the Red Hat Enterprise Linux 7 Security Guide. [6]
Custom server and client certificates may be implemented either before or after running
the Katello installer. Implementing custom certificates after installation requires additional
effort, so doing so before is recommended.
Note
The certificate's Common Name (CN) must match the fully qualified domain name of
the server on which it is used.
Prerequisites
You must have the following files:
Certificate file for the Satellite Server, signed by your certificate
authority (or self-signed)
    Katello installer parameter --certs-server-cert. In this example,
    satellite.crt.
Certificate signing request file that was used to create the certificate
for the Satellite Server
    Katello installer parameter --certs-server-cert-req. In this example,
    satellite.crt.req.
Satellite Server's private key used to sign the certificate
    Katello installer parameter --certs-server-key. In this example,
    satellite.crt.key.
CA certificate
    Katello installer parameter --certs-server-ca-cert. In this example,
    ca_cert.crt.
If you have already run the Katello installer, see Procedure 2.6, “To Set a Custom Server
Certificate After Running the Katello Installer:”, otherwise see Procedure 2.5, “To Set a
Custom Server Certificate Before Running the Katello Installer:”.
Procedure 2.5. To Set a Custom Server Certificate Before Running the Katello
Installer:
Note
In this example the files are stored in the directory /root/sat_cert. Using an
absolute path in the root user's directory provides a fixed location that is available
to all users who log in to the server with root permissions. Before running this
command, ensure the directory already exists.
Run the following command on the Red Hat Satellite Server to use the custom
certificate.
# katello-installer \
--certs-server-cert /root/sat_cert/satellite.crt \
--certs-server-cert-req /root/sat_cert/satellite.crt.req \
--certs-server-key /root/sat_cert/satellite.crt.key \
--certs-server-ca-cert /root/sat_cert/ca_cert.crt
Important
If you configure a Satellite Server to use custom certificates, you must do the same
for all Capsule Servers. For instructions see Section 7.5.1, “Configuring Red Hat
Satellite Capsule Server with a Custom Server Certificate”.
Procedure 2.6. To Set a Custom Server Certificate After Running the Katello
Installer:
When the Katello installer is run for the first time without certificate parameters, it uses
the default CA to sign both server and client certificates. To enforce custom certificates
deployment after the Katello installer is first run, the certificates installed must be
updated.
Note
In this example the files are stored in the directory /root/sat_cert. Using an
absolute path in the root user's directory provides a fixed location that is available
to all users who log in to the server with root permissions. Before running this
command, ensure the directory already exists.
1. Run the following command on the Red Hat Satellite Server to regenerate the
katello-ca-consumer package and the Satellite Server's certificate.
# katello-installer \
--certs-server-cert /root/sat_cert/satellite.crt \
--certs-server-cert-req /root/sat_cert/satellite.crt.req \
--certs-server-key /root/sat_cert/private.crt.key \
--certs-server-ca-cert /root/sat_cert/ca_cert.crt \
--certs-update-server \
--certs-update-server-ca
2. Run the following command on the client systems to install the new client and
server certificates.
# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Important
If you configure a Satellite Server to use custom certificates, you must do the same
for all Capsule Servers. For instructions see Section 7.5.1, “Configuring Red Hat
Satellite Capsule Server with a Custom Server Certificate”.
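The following added example (not part of the Red Hat guide) is a pre-flight check for the four prerequisite files before they are passed to katello-installer: it confirms that the certificate's CN equals the server's FQDN, that the private key and the signing request belong to the certificate, and that the certificate verifies against the CA certificate. It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate custom certificate files before running katello-installer.
# Usage:
#   preflight_certs /root/sat_cert/satellite.crt /root/sat_cert/satellite.crt.req \
#       /root/sat_cert/satellite.crt.key /root/sat_cert/ca_cert.crt "$(hostname -f)"

# cert_cn CERT -> prints the subject Common Name.
cert_cn() {
    # RFC2253 output looks like "subject=CN=satellite.example.com,O=Example".
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n -e 's/^subject= *//' -e 's/.*CN=\([^,]*\).*/\1/p'
}

# preflight_certs SERVER_CERT CERT_REQ SERVER_KEY CA_CERT FQDN
# Prints "OK", or one FAIL line per problem, and returns non-zero on failure.
preflight_certs() (
    crt=$1 req=$2 key=$3 ca=$4 fqdn=$5
    rc=0

    cn=$(cert_cn "$crt")
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: certificate CN '$cn' does not match '$fqdn'"; rc=1
    fi

    # Compare the public key carried by each file (PEM text comparison).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    req_pub=$(openssl req -in "$req" -noout -pubkey 2>/dev/null) || req_pub=""
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to the certificate"; rc=1
    fi
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$req_pub" ]; then
        echo "FAIL: signing request does not belong to the certificate"; rc=1
    fi

    # Match on the "OK" text rather than relying on the exit status alone.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: certificate does not verify against the CA certificate"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
)
```

For a self-signed server certificate, pass the certificate itself as the CA certificate argument.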
2.3.3. Configuring DNS, DHCP, and TFTP
This section describes how to configure Satellite to run BIND (named) to provide
authoritative DNS services for the example.com domain and the 172.17.13.x subnet. This
requires setting up a DNS zone for forward lookups, which will be contained in the
example.com zone file. Additionally, a DNS zone for reverse lookups will be created for
the 172.17.13.x subnet, which will be contained in the 13.17.172.in-addr.arpa reverse
zone file. This ensures that hosts provisioned from Satellite use the correct name
resolution parameters. This section also describes how to configure the TFTP proxy so
that hosts can boot using PXE.
Clients on this network will have the following characteristics:
Have access to IP addresses in the range 172.17.13.100 to 172.17.13.150 for DHCP.
Use the Satellite (satellite.example.com at 172.17.13.2) for DNS.
Receive a pxelinux.0 file from Satellite (satellite.example.com at 172.17.13.2) to
enable PXE-booting.
Have host names of hostname.example.com, where hostname is configured when the
host is provisioned.
Important
This example enables DHCP services on the Satellite server. Consult your network
administrator before proceeding.
Run the following katello-installer command as root, using the specified options to
configure the required services on the Satellite server. Remember to substitute your
desired administrator user name and password.
Important
If you have created an admin user and password by running katello-installer
previously, do not include the --foreman-admin-username and
--foreman-admin-password options in the following command.
If you do not specify the administrator user name and password, the default user
admin is created, and the password is automatically generated. The credentials
are displayed at the end of the installation process. Make a note of this
password. You can also retrieve the password from the admin_password parameter
in the /etc/katello-installer/answers.katello-installer.yaml file.
# katello-installer --foreman-admin-username admin-username \
--foreman-admin-password admin-password \
--capsule-dns true \
--capsule-dns-interface eth0 \
--capsule-dns-zone example.com \
--capsule-dns-forwarders 172.17.13.1 \
--capsule-dns-reverse 13.17.172.in-addr.arpa \
--capsule-dhcp true \
--capsule-dhcp-interface eth0 \
--capsule-dhcp-range "172.17.13.100 172.17.13.150" \
--capsule-dhcp-gateway 172.17.13.1 \
--capsule-dhcp-nameservers 172.17.13.2 \
--capsule-tftp true \
--capsule-tftp-servername $(hostname) \
--capsule-puppet true \
--capsule-puppetca true
At the end of the installation process, katello-installer outputs the status of the
installation.
Success!
* Katello is running at https://satellite.example.com
Default credentials are 'admin:*******'
* Capsule is running at https://satellite.example.com:9090
* To install additional capsule on separate machine continue by
running:"
capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
The full log is at /var/log/katello-installer/katello-installer.log
Use a web browser to navigate to https://satellite.example.com to display the Satellite
home page. This example uses the default organization (Default_Organization) and the
default location.
Alternatively, you can configure Satellite to use external DNS and DHCP services as
described in Section 7.9, “Configuring Satellite 6 with External Services”. If required to
allocate specific IP addresses to host names or MAC addresses, see the DHCP chapter in
the Red Hat Enterprise Linux 7 Networking Guide [7].
2.3.3.1. Additional DNS, DHCP and TFTP Options
The following table describes the various options and the values required to correctly
configure the Satellite server. The katello-installer command uses Puppet;
consequently, it will install additional packages (bind, dhcp, xinetd, and so on) and configure
them to add the requested functionality.
For a complete list of available options, run katello-installer --help.
Table 2.2. Satellite Configuration Options

Option | Description | Value
--foreman-admin-username | The user name for the initial administrator. | User specified.
--foreman-admin-password | The password for the initial administrator. | User specified.
--capsule-dns | Enable DNS proxy capability | yes
--capsule-dns-interface | Which interface named should listen on | eth0
--capsule-dns-zone | The Forward DNS zone that the Satellite will host | example.com
--capsule-dns-forwarders | The DNS server that unknown queries are forwarded to | 172.17.13.1
--capsule-dns-reverse | The Reverse DNS zone the Satellite hosts. This is usually the first three octets of the IP address (172.17.13) reversed, and appended with ".in-addr.arpa". | 13.17.172.in-addr.arpa
--capsule-dhcp | Enable DHCP proxy capability | yes
--capsule-dhcp-interface | The interface that DHCP listens on | eth0
--capsule-dhcp-range | The range of IP addresses to issue to clients. | 172.17.13.100 172.172.13.150
--capsule-dhcp-gateway | The default gateway IP to issue to clients. | 172.17.13.1
--capsule-dhcp-nameservers | The host that the clients should use for name resolution. This should be configured with the Satellite's IP in this deployment model. | 172.17.13.2
--capsule-tftp | Enable TFTP proxy capability. This is needed to PXE boot the clients. | yes
--capsule-tftp-servername | Sets the TFTP host name. Set this to match the server's host name (satellite.example.com). | $(hostname)
--capsule-puppet | Enable the Puppet Master. | yes
--capsule-puppetca | Enable the Puppet CA. | yes
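The relationship between the reverse zone and the DHCP values described in the table can be checked before katello-installer is run. The script below is an added example, not part of the original guide; the function names reverse_zone, check_subnet, ip_to_int and check_pool are hypothetical, it assumes a /24 network as in the example values, and the check that the gateway and name server sit outside the dynamic range is an added precaution.

```shell
#!/bin/sh
# Added example (not from the guide): consistency checks for the DNS and DHCP
# values passed to katello-installer. Assumes a /24 network.

# reverse_zone IP -> prints the /24 reverse zone of an IPv4 address
reverse_zone() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.
    set -- $1                                              # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*|0?*) return 1 ;; esac      # 1-3 digits, no leading zero
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# check_subnet ZONE IP... -> prints each address outside ZONE, returns their count
check_subnet() {
    zone=$1; shift
    bad=0
    for ip in "$@"; do
        z=$(reverse_zone "$ip") || z=invalid
        if [ "$z" != "$zone" ]; then
            echo "$ip is not in $zone"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# ip_to_int IP -> prints the address as an integer so that addresses can be compared
ip_to_int() {
    reverse_zone "$1" >/dev/null || return 1               # reuse the validation
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# check_pool START END STATIC_IP...
# Reports a reversed range and static addresses that fall inside the dynamic
# range; returns the number of problems found.
check_pool() {
    start=$(ip_to_int "$1") || { echo "invalid range start $1"; return 1; }
    end=$(ip_to_int "$2") || { echo "invalid range end $2"; return 1; }
    shift 2
    bad=0
    if [ "$start" -gt "$end" ]; then
        echo "DHCP range start is above its end"
        bad=$((bad + 1))
    fi
    for ip in "$@"; do
        n=$(ip_to_int "$ip") || { echo "$ip is not a valid IPv4 address"; bad=$((bad + 1)); continue; }
        if [ "$n" -ge "$start" ] && [ "$n" -le "$end" ]; then
            echo "$ip lies inside the DHCP range"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Values from the katello-installer command shown earlier in this section.
dns_reverse=13.17.172.in-addr.arpa
dhcp_range="172.17.13.100 172.17.13.150"
statics="172.17.13.1 172.17.13.2"          # gateway and name server
check_subnet "$dns_reverse" $dhcp_range $statics &&
    check_pool $dhcp_range $statics &&
    echo "DNS and DHCP values are consistent"
```

A mistyped octet in any of the addresses is reported as being outside the reverse zone.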
[6] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html
[7] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/
Chapter 3. Logging in to Red Hat Satellite
After Red Hat Satellite has been installed and configured, use the web user interface to
log in to Satellite for further configuration.
These steps show how to log in to Red Hat Satellite.

1. Access the Satellite server web UI from a web browser, using the host name or
FQDN:

https://host_name/

To identify the Satellite server's host name, use the hostname command on the
Satellite server. Add the -f option to display the FQDN:

# hostname -f

Important
An untrusted connection warning appears on your web browser when
accessing Satellite for the first time. Accept the self-signed certificate and
add the Satellite URL as a security exception to override the settings. This
procedure might differ depending on the browser being used.
Only do this if you are sure that the Satellite URL is a trusted source.

2. Enter the user name and password created during the configuration process. If a
user was not created during the configuration process, the default user name is
admin.

Note
If you have forgotten the administrative password, use the Satellite command-line
interface to reset the administration user and password:

# foreman-rake permissions:reset
Reset to user: admin, password: qwJxBptxb7Gfcjj5

This will reset the password of the default user to the one printed on the command
line. Change this password upon logging in to prevent any security issues from
occurring.
3.1. Organizations
Organizations divide hosts into logical groups based on ownership, purpose, content,
security level, or other divisions.
Multiple organizations can be viewed, created, and managed within the web interface.
Software and host entitlements can be allocated across many organizations, and access
to those organizations controlled.
Each organization must be created and used by a single Red Hat customer account;
however, each account can manage multiple organizations. Subscription manifests can only
be imported into a single organization and Satellite will not upload a certificate that has
already been uploaded into a different organization.
By default, Red Hat Satellite will have one organization already created, called "Default
Organization", which can be modified to suit your own installation, or deleted. The
organization name has a corresponding label Default_Organization for use on the
command line.

Important
If a new user is not assigned a default organization, their access will be limited. To
grant the user systems rights, assign them a default organization and have them
log out and log back in again.
3.1.1. Creating an Organization
These steps show how to create a new organization.

Procedure 3.1. Creating an Organization
1. Click Administer → Organizations.
2. Click New Organization.
3. Specify the name of the new organization in the Name field. Take care not to add an
extra space at the end of the name as this will affect the corresponding label
created.
4. In the Label field, optionally enter a text string similar to the name but without
spaces. If omitted, a label to match the name of the new organization, but with
underscores in place of spaces, is created automatically. The label is for use on
the command line and cannot be changed once this procedure has been completed.
Having a consistent name to label correspondence will reduce errors on the
command line. Consider creating names without spaces.
5. Enter a description of the new organization in the Description field.
6. Click Submit.
7. Select the hosts to assign to the new organization.
   - Click Assign All to assign all hosts with no organization to the new organization.
   - Click Manually Assign to manually select and assign the hosts with no
     organization.
   - Click Proceed to Edit to skip assigning hosts.
3.1.2. Editing an Organization
You can update your organization information as required. You cannot change the
organization label.

Procedure 3.2. Editing an Organization
1. Click Administer → Organizations.
2. Click the name of the organization you want to edit.
3. Select the resource to edit.
4. Click the name of the desired items to add them to the Selected Items list.
5. Click Submit.

3.1.3. Removing an Organization
Procedure 3.3. Removing an Organization
1. Click the Administer → Organizations menu on the top right hand corner.
2. Select Delete from the drop down menu to the right of the name of the
organization you want to remove.
3. An alert box appears:

Delete Organization Name?

4. Click the OK button.

Result
The organization is removed from Red Hat Satellite.
3.2. Changing Your Account Preferences
Setting up default account preferences ensures that subsequent logins will enable the
correct context within the Red Hat Satellite Server for a specific user. It also allows
changes in user preferences.
The following preferences can be changed:
1. User - Change personal data about your login name, as well as your password and
default location/organization.
   a. First Name
   b. Surname
   c. Email Address
   d. Default Location
   e. Default Organization
   f. Password
2. Locations - Add or remove locations on your account based on the locations
created within the Red Hat Satellite Server.
3. Organizations - Add or remove organizations on your user account based on the
organizations created within the Red Hat Satellite Server.
4. Roles - Add or remove roles on your user account based on a set of roles created
within the Red Hat Satellite Server.

Procedure 3.4. Changing your Account Preferences
To change these preferences:
1. At the upper right corner, hover your mouse over the admin user and on the drop-down menu that appears, click on My Account.
2. Choose the subtab of the preference you wish to change and click on the subtab.
3. Change the preferences you wish to change and click on Submit.

Note
Set your default location/organization in the User subtab after your initial login. This
will make sure that subsequent logins will set you in the correct context for your
user.
3.3. Additional Resources
For more information on configuring users in Red Hat Satellite, see the resources listed
below.
- The Users and Roles chapter in the Red Hat Satellite 6.1 User Guide describes creating
  users and their roles.
- The Configuring External Authentication chapter in the Red Hat Satellite 6.1 User Guide
  describes using external authentication sources, such as LDAP or Red Hat Enterprise
  Linux Identity Management (IdM), to derive user and user group permissions.
Chapter 4. Populating Red Hat Satellite with Content
Red Hat Satellite provides multiple types of content to subscribed client hosts including
software packages, errata, Puppet modules, and container images.
The primary source of this content is the Red Hat Customer Portal. To access it,
you need to upload a subscription manifest file to the Satellite server. A subscription
manifest provides subscriptions to client hosts through the Red Hat Satellite rather than
through Red Hat Network. Obtain the subscription manifest file from the Red Hat Customer
Portal as described in Section 4.1.1.1, “Creating a Subscription Manifest”, or by contacting
Red Hat Support.
This chapter outlines the process of populating your Red Hat Satellite server with content.
Some of the following procedures are not needed frequently and are usually performed
only once after installation. Others, like Section 4.1.3, “Synchronizing Content”, must be
repeated regularly to keep the content up to date.
The steps required to get the content from Red Hat Customer Portal to the Satellite
Server depend on the type of deployment:
- If your Satellite server can access the Internet directly, see Section 4.1, “Connected
  Satellite”.
- If your Satellite server is isolated from the Internet, see Section 4.2, “Disconnected
  Satellite”.
4.1. Connected Satellite
A connected Satellite server has access to the Internet and therefore can download
software packages, errata, Puppet modules, and container images directly from the
Red Hat Customer Portal.

4.1.1. Accessing Red Hat Content Providers
This section outlines the steps required to receive content from Red Hat Customer Portal.
First create a manifest on the Red Hat Customer Portal, then upload it to the Satellite
server, and enable Red Hat repositories.

4.1.1.1. Creating a Subscription Manifest
A subscription manifest can be obtained through the method below or by contacting
Red Hat Support. The manifest is used to set up Red Hat content providers and contains
repository information and subscriptions. It is used as a basis of dispensing subscriptions
and Red Hat Network (RHN) content to client systems from Red Hat Satellite.

Important
Manifests are organization-specific, which means you have to create and upload a
separate manifest for every organization on your Satellite.
Prerequisites
You must meet the following conditions before continuing with this task:
- A Customer Portal user name and password.
- Sufficient subscriptions to add to the manifest.

Procedure 4.1. To Create a Manifest for Satellite 6:
1. Navigate to https://access.redhat.com and click SUBSCRIPTIONS on the main menu
at the top of the page.
2. Scroll down to the Red Hat Subscription Management section, and click
Satellite under Subscription Management Applications.
3. To create a manifest for a new system, click Register a Satellite. Select the
Satellite version and Name; the name must match the name of the organization on
your Satellite. Click Register.
To add or modify subscriptions of an existing manifest, click the name of the
system this manifest is associated with, and click Attach a subscription.
4. For each subscription that you want to attach, select the check box for that
subscription, and specify the quantity of subscriptions to attach.
5. Click Attach Selected.

Note
It can take several minutes for all the subscriptions to attach. Refresh the
screen every few minutes until you receive confirmation that the
subscriptions are attached.

6. After the subscriptions have been attached, click Download Manifest to generate
an archive in .zip format containing the manifest for Red Hat Satellite.
4.1.1.2. Uploading a Subscription Manifest to Satellite
This section describes how to upload a subscription manifest to an organization. Because
subscription manifests are organization-specific, ensure you select the correct
organization before you try to upload a subscription manifest. Failing to do so will cause a
permission denied error (Error 403).

Procedure 4.2. To Upload a Subscription Manifest:
1. Log in to the Satellite server and select the desired organization from the menu
in the top left hand corner.
2. Click Content → Red Hat Subscriptions and then click Manage Manifest at the
upper right of the page.
3. In the Subscription Manifest section, click Actions and under the Upload New
Manifest subsection, click Browse.
4. Select the manifest file to upload, and then click Upload.
4.1.1.3. Enabling Red Hat Repositories
The Red Hat Satellite manifest file provides access to Red Hat products and repositories.
Because most products have several architectures and product versions, Red Hat
Satellite Server allows the Satellite administrators to choose which repositories are
required by their organizations. You need to enable the repositories in Red Hat Satellite
Server to prepare them for synchronization.

Procedure 4.3. To Enable Red Hat Repositories:
1. On the main menu, click Content → Red Hat Repositories and then click the tab
for the type of content that you want to enable.
2. Click the product name for which you want to add repositories. This expands the list
of available repository sets.
3. Click each repository set from which you want to select repositories, and select the
check box for each required repository. The repository is automatically enabled.
The content from this repository will be downloaded during the next
synchronization, see Section 4.1.3, “Synchronizing Content”. After enabling a
Red Hat repository, a product for this repository is automatically created.

Important
Ensure you enable the Satellite Tools repository. This repository provides
the katello-agent and puppet-agent packages for clients registered to the
Satellite Server.

The following is an example set of subscriptions that contain repositories with the latest
packages for Red Hat Enterprise Linux 6:
- Red Hat Enterprise Linux 6 Server Kickstart x86_64 6Server Repository
- Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server Repository
- Red Hat Enterprise Linux 6 Server - Satellite Tools RPMs x86_64 Repository
4.1.2. Using Products
A product is a group of related repositories that acts as the smallest unit of the
synchronization process. Products ensure that repositories that depend on each other are
synchronized together. For Red Hat repositories, products are created automatically after
enabling the repository. Therefore, you only need to create products manually for
repositories with custom or third-party content.

4.1.2.1. Creating a Product
These steps show how to create a new product.

Procedure 4.4. To Create a Product:
1. Click Content → Products.
2. Click New Product.
3. Specify the name of the new product in the Name field.
4. Specify the label for the new product in the Label field.
5. Select a GPG key from the GPG Key drop-down menu.
6. Select a synchronization plan from the Sync Plan drop-down menu. You can also
select the New Sync Plan link to create a new synchronization plan.
7. Enter a description of the new product in the Description field.
8. Click Save.
4.1.2.2. Adding Repositories to a Product
These steps show how to add repositories to a product in Red Hat Satellite.

Procedure 4.5. To Add Repositories to a Product:
1. Click Content → Products.
2. Click the product to add a repository.
3. Click Repositories.
4. Click Create Repository.
5. Specify the name of the new repository in the Name field.
6. Specify a label for the new repository in the Label field.
7. Select the type of the repository from the Type drop-down menu.
8. Specify the URL of the repository in the URL field.
9. Choose whether to publish the repository via HTTP by selecting Publish via HTTP.
10. Select a GPG key for the repository from the GPG Key drop-down menu.
11. Click Create.
4.1.2.3. Using Bulk Actions for Products
This section describes how to use bulk actions to synchronize or remove products in
Red Hat Satellite. The procedure described here requires that at least one product be
available.

Procedure 4.6. To Synchronize Multiple Products:
1. Navigate to Content → Products.
2. Select the check box for the products you want to work with.
3. Click Bulk Actions.
4. Click the Product Sync tab and then click Sync Now.

Procedure 4.7. To Remove Multiple Products:
1. Navigate to Content → Products.
2. Select the check box for the products you want to work with.
3. Click Bulk Actions.
4. Click Remove Products and then click Remove.

Procedure 4.8. To Update Synchronization Plans for Multiple Products:
1. Navigate to Content → Products.
2. Select the check box for the products you want to work with.
3. Click Bulk Actions.
4. Click the Alter Sync Plans tab. Depending on the type of action you want to
perform, select from the following alternatives.
   A. To create a new synchronization plan, click Create Sync Plan. Specify the
      required details and click Save.
   B. To remove the synchronization plans from the selected products, click
      Unattach Sync Plan.
   C. To update the synchronization plans for the selected products, click Update
      Sync Plan.
4.1.2.4. Using Repository Discovery
Repository discovery enables you to search using a URL to discover repositories available
to include in a product.

Procedure 4.9. To Use Repository Discovery:
1. Navigate to Content → Products.
2. Click Repo Discovery.
3. Insert the URL where the repositories are located in the Yum Repo Discovery field.
4. Click Discover.
A list of the repositories at the URL is displayed under Results.
5. Click Discovered URLs to add the repositories to the product.
6. Click Create selected.
7. Choose whether to add the repositories to an existing product or create a new
product.
   a. To add the repositories to an existing product:
      i. Select Existing Product.
      ii. Select the required product from the drop-down menu.
   b. To create a new product to add the repositories to:
      i. Select New Product.
      ii. Enter the Name and Label for the new product and select a GPG Key
          from the drop-down menu.
8. Select Serve via HTTP to serve the repository via HTTP.
9. Edit the Name and Label for the Selected URLs.
10. Click Create.
4.1.2.5. Removing a Product
This section describes how to remove products from Red Hat Satellite.

Procedure 4.10. To Remove a Product from Satellite:
1. Navigate to Content → Products.
2. Select the check box next to the products you want to remove.
3. Click Bulk Actions and then click Remove Products.
4. Click Remove to confirm that you want to remove the products.
4.1.3. Synchronizing Content
Synchronization is the act of coordinating updates between the Red Hat Satellite
repositories and the source repositories being used. It is a required step after enabling
repositories, in order to populate the Red Hat Satellite with content from the source
repositories.
Constant, scheduled synchronization will result in:
- Data integrity between packages
- Updated packages, security fixes, and errata
Red Hat Satellite's synchronization management capabilities allow an organization's
administrators to create synchronization plans to configure how often a host should look
for and install updates. Synchronization plans are then paired with the product repositories
to specify a synchronization schedule that will allow products to be updated at specific
intervals that are convenient for the organization's network.
4.1.3.1. Synchronization Status

Important
The manual synchronization of repositories is required after enabling them. It is at
this point that the local repository in the Satellite is populated by the required
packages.

These steps show how to synchronize products in Red Hat Satellite.

Procedure 4.11. Synchronize Products
1. Navigate to Content → Sync Status. Based on the subscriptions and repositories
enabled, the list of product repositories available for synchronization is displayed.
2. Click the arrow next to the product name to see available content.
3. Select the content you want to synchronize.
4. Click Synchronize Now to start synchronizing. The status of the synchronization
process will appear in the Result column. If synchronization is successful, Sync
complete will appear in the Result column. If synchronization failed, Error
syncing will appear.

Note
Content synchronization can take a long time. The length of time required depends
on the speed of disk drives, network connection speed, and the amount of content
selected for synchronization.
4.1.3.2. Creating a Synchronization Plan
Regular, frequent synchronization is required to maintain data integrity between packages
as well as making sure that packages are updated to the latest security fixes. Red Hat
Satellite provides the ability to create scheduled synchronization plans that allow package
updates at intervals convenient to the organization.

Procedure 4.12. To Create a Synchronization Plan:
1. Navigate to Content → Sync Plans.
2. Click New Sync Plan to create a new synchronization plan.
3. Specify the Name, Description, Interval and Start Date for the plan.
4. Click Save.

After creating a synchronization plan, select products that will be synchronized according
to this plan as described in Section 4.1.3.3, “Applying a Synchronization Schedule”.

Note
Synchronization plans are applied per product, therefore all repositories associated
with the product are synchronized with the same frequency. It is not possible to set
different synchronization intervals for repositories in the same product.
4.1.3.3. Applying a Synchronization Schedule
After you have created a synchronization plan, you need to associate products with that
plan to create a synchronization schedule. The following procedure describes how to
create a synchronization schedule in Red Hat Satellite 6.

Procedure 4.13. To Create a Synchronization Schedule:
1. Click Content → Sync Plans and select the synchronization plan you want to
implement.
2. Click Products → Add in the synchronization plan main page.
3. Select the check box of the product to associate with the synchronization plan.
4. Click Add Selected.
4.1.4. Using a Content ISO for Initial Synchronization
Even if the Satellite Server can connect directly to the Red Hat Customer Portal, you can
perform the initial synchronization from a locally mounted content ISO. Such
synchronization is not limited by network bandwidth and therefore is usually faster,
especially when synchronizing large repositories for the first time. Once the initial
synchronization is completed from the content ISO, you can switch back to downloading
content through the network connection.
A connection to the Red Hat Customer Portal is required for downloading repository
metadata. The following example uses the Red Hat Satellite content ISO, but you can also
use the exported content from katello-disconnected (see Section 4.2.2, “Using the
Synchronization Host”).
Example 4.1. Synchronizing a Repository from a Local Source
This example shows how to perform the first synchronization of the Red Hat
Enterprise Linux 6 repository from a content ISO.

1. Download the content ISO for Red Hat Enterprise Linux 6 from the Red Hat
Customer Portal (see Section 4.2.1, “Using Content ISO” for detailed instructions).
Copy the content ISO to your Satellite server, for example to the /root/isos/
directory.

2. On the Satellite server, create a mount point, mount the ISO and copy its content
to a writable directory that Satellite can access, in this example /mnt/rhel6/:

# mkdir /mnt/iso
# mount -o loop /root/isos/sat-6-isos--rhel-6-server-x86_64.iso /mnt/iso
# cp -ruv /mnt/iso/ /mnt/rhel6/

Then unmount the ISO and remove the mount point:

# umount /mnt/iso
# rmdir /mnt/iso

3. Set the correct SELinux context and ownership for the content directory:

# chcon -R --type=httpd_sys_rw_content_t /mnt/rhel6/
# chown -R apache:apache /mnt/rhel6/

4. Create or edit the /etc/pulp/content/sources/conf.d/local.conf file. Insert
the following text into the file:

[rhel-6-server]
enabled: 1
priority: 0
expires: 3d
name: Red Hat Enterprise Linux 6 Server
type: yum
base_url: file:///mnt/rhel6/content/dist/rhel/server/6/6Server/x86_64/os/

The base_url path may differ in your content ISO. The directory specified in
base_url must contain the repodata directory, otherwise the synchronization
will fail. To synchronize multiple repositories, create a separate entry for each of
them in the configuration file /etc/pulp/content/sources/conf.d/local.conf.

5. In the Satellite web UI, navigate to Content → Red Hat Repositories and
select the repository to be enabled, in this example Red Hat Enterprise Linux 6
Server RPMs x86_64 6Server.
Under Content → Sync Status select the repository to be synchronized and
click Synchronize Now.
Note that there is no indication in the Satellite web UI of which source is being
used. In case of problems with a local source, Satellite pulls content through the
network. To monitor the process, run the following command in the console on
Satellite (limited to Red Hat Enterprise Linux 7 base systems):

# journalctl -f -l SYSLOG_IDENTIFIER=pulp | grep -v 'worker[,.]heartbeat'

The above command displays interactive logs. First, the Satellite server
connects to the Red Hat Customer Portal to download and process repository
metadata. Then, the local repository is loaded. In case of any errors, cancel the
synchronization in the Satellite web UI and verify your configuration.

6. After successful synchronization you can detach the local source by removing its
entry from /etc/pulp/content/sources/conf.d/local.conf.
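Because the web UI does not show which source is used, the base_url requirement from step 4 is worth checking before the synchronization is started. The script below is an added example, not part of the original guide; the function names list_sources, check_sources and demo are hypothetical, and it assumes the "key: value" layout shown in step 4 and local file:// URLs.

```shell
#!/bin/sh
# Added example (not from the guide): lint a Pulp content-source file such as
# /etc/pulp/content/sources/conf.d/local.conf before starting a synchronization.
# Assumes the "key: value" layout shown in step 4 and local file:// URLs.

# list_sources FILE
# Prints one line per section in the form: section|base_url
list_sources() {
    awk '
        function emit() { if (sec != "") print sec "|" url }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }        # blank lines and comments
        /^\[[^]]*\][ \t]*$/ {                        # [section] header
            emit()
            sec = $0
            sub(/^\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            url = ""
            next
        }
        {
            i = index($0, ":")                       # split at the first colon only
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "base_url") url = val
        }
        END { emit() }
    ' "$1"
}

# check_sources FILE
# Prints one line per problem and returns the number of problems found.
check_sources() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    problems=0
    sources=$(list_sources "$1")
    while IFS='|' read -r sec url; do
        [ -n "$sec" ] || continue
        case $url in
            '')
                echo "[$sec] has no base_url"
                problems=$((problems + 1)) ;;
            file://*)
                dir=${url#file://}
                if [ ! -d "$dir" ]; then
                    echo "[$sec] base_url directory $dir does not exist"
                    problems=$((problems + 1))
                elif [ ! -d "$dir/repodata" ]; then
                    echo "[$sec] $dir has no repodata directory"
                    problems=$((problems + 1))
                fi ;;
            *)
                echo "[$sec] $url is not a file:// URL, not checked" ;;
        esac
    done <<EOF
$sources
EOF
    return "$problems"
}

# demo: constructed sample with one valid entry and two broken ones
demo() {
    d=$(mktemp -d) || return 99
    mkdir -p "$d/rhel6/os/repodata" "$d/empty"
    cat > "$d/local.conf" <<EOF
# constructed sample, same layout as step 4
[rhel-6-server]
enabled: 1
priority: 0
expires: 3d
name: Red Hat Enterprise Linux 6 Server
type: yum
base_url: file://$d/rhel6/os/

[missing-repodata]
enabled: 1
type: yum
base_url: file://$d/empty/

[missing-url]
enabled: 1
type: yum
EOF
    check_sources "$d/local.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script FILE checks a real file, script --demo runs the constructed sample.
case "${1:-}" in
    '') ;;
    --demo) demo ;;
    *) check_sources "$1" ;;
esac
```

The exit status is the number of problems found, so a status of 0 means every file:// entry points at a directory that contains repodata.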
4.2. Disconnected Satellite
In high security environments where hosts are required to function in a closed network
disconnected from the Internet, the Red Hat Satellite can provision systems with the latest
security updates, errata, and packages. The recommended way to populate a
disconnected Satellite with content is by using an ISO file downloaded from the Red Hat
Customer Portal. Alternatively, you can configure a synchronization host.
4.2.1. Using Content ISO
The following procedure shows how to use the content ISO to add content to Red Hat
Satellite.

1. Download the product ISO from the Red Hat Customer Portal, as follows:
   a. Go to Downloads (at the very top of the window) and select Red Hat Satellite.
   b. Open the Content ISOs tab. All products to which the account is subscribed
      are listed there.
   c. Click the link for the product name, such as Red Hat Enterprise Linux 6
      Server (x86_64)(2015-03-12) to download the ISO.
   d. Save to media.

2. Copy all of the Satellite content ISOs to a directory that Satellite can access. This
example uses /root/isos.

3. Create a local directory that will be shared via httpd on the Satellite. This example
uses /var/www/html/pub/sat-import/.

# mkdir -p /var/www/html/pub/sat-import/

4. Recursively copy the contents of the first ISO to the local directory:

# mkdir /mnt/iso
# mount -o loop /root/isos/first_iso /mnt/iso
# cp -ruv /mnt/iso/* /var/www/html/pub/sat-import/
# umount /mnt/iso
# rmdir /mnt/iso

5. Repeat the above step for each ISO until you have copied all the data from the
series of ISOs into the local directory /var/www/html/pub/sat-import/.

6. Ensure that the SELinux contexts are correct:

# restorecon -rv /var/www/html/pub/sat-import/

7. Modify the default provider URL in the Satellite web interface:
   a. Log in to the Satellite web interface.
   b. Select the required organization from the Organization menu.
   c. Click Content → Red Hat Subscriptions and then click Manage Manifest.
   d. On the Subscription Manifest information screen select the Actions tab.
      Under Red Hat Provider Details click the edit icon on the Red Hat CDN
      URL entry and change it to the Satellite host name with the newly created
      directory, for example:

      http://server.example.com/pub/sat-import/

      Click Save.
   e. Click Browse to choose the manifest file.
   f. Click Upload to import your manifest.

Note
The Satellite is now acting as its own CDN with the files located in
http://localhost. This is not a requirement. The CDN can be hosted on a
different machine inside the same disconnected network as long as it is
accessible to the Satellite server via HTTP.

8. To enable the repositories from the local CDN, click Content → Red Hat
Repositories.
9. Click Content → Sync Status.
10. Select the repositories you want to synchronize and click Synchronize Now.

Once the synchronization finishes, the disconnected Satellite is ready to serve the
content to hosts.
4.2.2. Using the Synchronization Host
Important
The synchronization host feature is planned to be deprecated in future releases of
Red Hat Satellite. Therefore, it is recommended to use the procedure described in
Section 4.2.1, “Using Content ISO”.
The diagram below illustrates how a disconnected Satellite is able to keep its content
updated even without an Internet connection. An intermediary system with an Internet
connection is needed to act as a synchronization host. This synchronization host is in a
separate network from the Satellite server.
The synchronization host imports content from the Red Hat Content Delivery Network
(CDN) through pulp. The content is then exported onto media, such as DVDs, CDs, or
external hard drives, and transferred to the disconnected Satellite server. The following
sections in this chapter will guide you through the whole process.
Figure 4.1. Disconnected Satellite
4.2.2.1. Configuring the Synchronization Host
The following section shows how to configure the synchronization host.
Prerequisites
To import content from the Red Hat Content Distribution Network (CDN), the
synchronization host requires:
An Internet connection
Valid Red Hat Network subscriptions
A valid manifest (See Section 4.1.1.1, “Creating a Subscription Manifest” for instructions on how to obtain one.)
Procedure 4.14. To Configure a Host to Synchronize and Export Content from the Red Hat CDN:
1. Use Red Hat Subscription Manager to register the synchronization host to RHN.
2. List all the available subscriptions to find the correct Red Hat Satellite product to
allocate to your system:
# subscription-manager list --available --all
This command displays output similar to the following:
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
ProductName:        Red Hat Satellite
ProductId:          SKU123456
PoolId:             e1730d1f4eaa448397bfd30c8c7f3d334bd8b
Quantity:           10
Multi-Entitlement:  No
Expires:            08/20/2013
MachineType:        physical
Note
The Product ID and Pool ID depend on the Red Hat Satellite product type that
corresponds to your system version and product type.
3. Subscribe to the required pool IDs:
# subscription-manager subscribe \
--pool=Red_Hat_Satellite_Pool_ID \
--pool=Red_Hat_Enterprise_Linux_Pool_ID \
--pool=Red_Hat_Enterprise_Linux_Software_Collections_Pool_ID
4. Disable all existing repositories:
# subscription-manager repos --disable "*"
5. Enable the Red Hat Satellite, Red Hat Enterprise Linux, and Red Hat Software
Collections repositories. Ensure the Red Hat Enterprise Linux repository matches
the specific version you are using.
# subscription-manager repos --enable rhel-6-server-rpms \
--enable rhel-server-rhscl-6-rpms \
--enable rhel-6-server-satellite-6.1-rpms
Note
The commands above are based on Red Hat Enterprise Linux 6. If you are
using a different version of Red Hat Enterprise Linux, change the repository
based on your specific version.
6. Install katello-utils:
# yum install katello-utils
katello-utils includes the katello-disconnected utility that is required to set up
repositories for import while qpid-related packages are necessary for pulp
configuration.
7. Generate a 32-character alphanumeric string for the oauth_secret entry in the
/etc/pulp/server.conf file:
$ tr -dc "[:alnum:]" < /dev/urandom | head -c 32
8. In /etc/pulp/server.conf, uncomment the [oauth] entry and add the
randomly-generated value from the previous step as the oauth_secret value:
[oauth]
enabled: true
oauth_key: katello
oauth_secret: v8SeYqvS5QUfmg0dIrJOBG58lAHDRZnN
9. Disable authentication in /etc/qpid/qpidd.conf:
# Configuration file for qpidd. Entries are of the form:
#   name=value
#
# (Note: no spaces on either side of '=').
# Run "qpidd --help" or see "man qpidd" for more details.
auth=no
All incoming connections authenticate using the Satellite's default realm.
10. Configure the connection from katello-disconnected to Pulp with the previously
generated value as your --oauth-secret option:
# katello-disconnected setup --oauth-key=katello --oauth-secret=v8SeYqvS5QUfmg0dIrJOBG58lAHDRZnN
This places a configuration value in ~/.katello-disconnected.
11. Configure Pulp on the synchronization server:
sudo service qpidd start
sudo chkconfig qpidd on
sudo service mongod start
sleep 10
sudo chkconfig mongod on
sudo -u apache pulp-manage-db
sudo service httpd restart
sudo chkconfig httpd on
sudo chkconfig pulp_workers on
sudo service pulp_workers start
sudo chkconfig pulp_celerybeat on
sudo service pulp_celerybeat start
sudo chkconfig pulp_resource_manager on
sudo service pulp_resource_manager start
12. Import the manifest to set up the list of available repositories to synchronize based
on the selected subscriptions:
# katello-disconnected import -m ./manifest.zip
The synchronization host is now ready to synchronize content from the Red Hat CDN.
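Steps 7 and 8 of the procedure above depend on a secret that is random and private to this host. The following is an added example, not part of the Red Hat guide: it generates the secret as in step 7 and audits a server.conf-style file, flagging a missing, short or non-alphanumeric oauth_secret, reuse of the sample value printed in this guide, and a file that other users can access. The function names and the set of checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate and audit the Pulp oauth_secret from steps 7-8.
# Function names are hypothetical; only the file layout comes from the guide.

# Sample value printed in the guide; it must never be used on a real host.
DOC_SAMPLE_SECRET='v8SeYqvS5QUfmg0dIrJOBG58lAHDRZnN'

# Step 7: 32 alphanumeric characters from the kernel CSPRNG.
# LC_ALL=C keeps tr byte-oriented regardless of the caller's locale.
gen_oauth_secret() {
    LC_ALL=C tr -dc '[:alnum:]' < /dev/urandom | head -c 32
}

# Print the value of KEY inside [oauth], ignoring commented-out lines.
# Accepts both "key: value" (as in the guide) and "key = value".
oauth_value() {  # usage: oauth_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_oauth = ($0 ~ /^[ \t]*\[oauth\]/); next }
        in_oauth && /^[ \t]*[#;]/ { next }
        in_oauth {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t]*[:=]/) {
                    sub(/^[ \t]*[:=][ \t]*/, "", rest)
                    sub(/[ \t]*$/, "", rest)
                    print rest
                    exit
                }
            }
        }' "$1"
}

# Return 0 if the file passes every check, 1 otherwise; findings go to stdout.
audit_oauth_conf() {  # usage: audit_oauth_conf FILE
    conf=$1
    rc=0
    enabled=$(oauth_value "$conf" enabled)
    secret=$(oauth_value "$conf" oauth_secret)

    [ "$enabled" = "true" ] || { echo "FAIL: [oauth] enabled is not true"; rc=1; }

    case $secret in
        '')
            echo "FAIL: oauth_secret missing or commented out"; rc=1 ;;
        "$DOC_SAMPLE_SECRET")
            echo "FAIL: oauth_secret is the guide's sample value"; rc=1 ;;
        *[!A-Za-z0-9]*)
            echo "FAIL: oauth_secret has non-alphanumeric characters"; rc=1 ;;
        *)
            [ "${#secret}" -ge 32 ] ||
                { echo "FAIL: oauth_secret shorter than 32 characters"; rc=1; } ;;
    esac

    # The secret is a bearer credential: no permission bits for "other".
    perms=$(ls -ld "$conf" | cut -c8-10)
    [ "$perms" = "---" ] ||
        { echo "FAIL: $conf is accessible to other users ($perms)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```

The same value is passed to katello-disconnected setup in step 10 and stored in ~/.katello-disconnected, so that file deserves the same permission check.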
4.2.2.2. Synchronizing Content
By default, katello-disconnected enables all repositories that are included in the
manifest for synchronization. Synchronization time is directly related to the number of
repositories to be synchronized. If the manifest has a large number of repositories, the
synchronization will take time and network resources.
katello-disconnected allows for the synchronization of specific repositories. This
section will set up Pulp for synchronizing content.
1. Disable all repositories:
# katello-disconnected disable --all
katello-disconnected enables all repositories by default.
2. Choose which repositories you wish to sync by listing all available repositories from
the manifest:
# katello-disconnected list --disabled
rhel-6-server-rhn-tools-rpms-6_6-x86_64
rhel-6-server-rhn-tools-rpms-6Server-x86_64
rhel-6-server-kickstart-6Server-x86_64
rhel-6-server-kickstart-6_6-x86_64
rhel-6-server-rh-common-rpms-6_6-x86_64
rhel-6-server-rpms-6_6-x86_64
3. Enable the chosen repositories for synchronization:
# katello-disconnected enable -r rhel-6-server-rh-common-rpms-6_6-x86_64
4. Create the repositories and push them to Pulp to allow synchronization:
# katello-disconnected configure
Note
The configure option for katello-disconnected reads the manifest, creates
pulp repositories, and generates scripts before synchronization. It needs to
be run each time a repository is enabled or disabled.
5. Synchronize the repositories:
# katello-disconnected sync
You can use the watch option to monitor the synchronization process.
# katello-disconnected watch
Watching sync... (this may be safely interrupted with Ctrl+C)
running:
rhel-6-server-rh-common-rpms-6_6-x86_64
running:
rhel-6-server-rh-common-rpms-6_6-x86_64
...
finished:
rhel-6-server-rh-common-rpms-6_6-x86_64
Watching finished
4.2.2.3. Exporting Content
The synchronized content needs to be exported to enable importing into the disconnected
Red Hat Satellite. An external export media such as a CD, DVD, or external hard drive is
required for this procedure. Perform the following steps:
1. Export the synchronized repositories:
# katello-disconnected export -t /var/tmp/export
You can use the watch option to monitor the synchronization process. The output
will look similar to:
# katello-disconnected watch
Watching sync... (this may be safely interrupted with Ctrl+C)
running:
rhel-6-server-rh-common-rpms-6_6-x86_64
finished:
rhel-6-server-rh-common-rpms-6_6-x86_64
Watching finished
Done watching ...
Copying content to /var/tmp/export
Archiving contents of /var/tmp/export into 4600M tar archives.
NOTE: This may take a while.
tar: Removing leading `/' from member names
Done exporting content, please copy /var/tmp/export/* to your
disconnected host
This operation will create the following files in /var/tmp/export:
# ls /var/tmp/export/
content-export-00 content-export-01 content-export-02
expand_export.sh
2. Copy the files from /var/tmp/export to the external media.
Note
If the files are too big for your external media, the files can be copied
sequentially in a series of DVDs.
The synchronized content has now been exported and is ready for importing to the
disconnected Satellite server.
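The export archives leave the synchronization host on removable media and are later unpacked as root on the Satellite, so it is worth confirming that what arrives is what was exported. The following is an added example, not part of the Red Hat guide or of katello-disconnected: it records SHA-256 digests in the export directory and verifies them on the receiving side, rejecting altered, missing and unlisted files. The function names and the SHA256SUMS file name are this example's own assumptions.

```shell
#!/bin/sh
# Added example: integrity manifest for a katello-disconnected export directory.
# Assumes GNU sha256sum and file names without newlines or backslashes
# (true for content-export-NN and expand_export.sh).

MANIFEST=SHA256SUMS   # file name chosen for this example

# Run on the synchronization host after "katello-disconnected export".
make_export_manifest() {  # usage: make_export_manifest DIR
    (
        cd "$1" || exit 1
        # Digest every regular file except the manifest itself, sorted by name.
        find . -type f ! -name "$MANIFEST" -exec sha256sum {} + |
            LC_ALL=C sort -k2 > "$MANIFEST"
        [ -s "$MANIFEST" ]       # an empty export is an error
    )
}

# Run on the disconnected side before unpacking anything.
verify_export() {  # usage: verify_export DIR
    (
        cd "$1" || exit 1
        [ -s "$MANIFEST" ] || { echo "FAIL: no $MANIFEST in $1"; exit 1; }

        # 1. Every listed file exists and matches its recorded digest.
        sha256sum -c "$MANIFEST" >/dev/null 2>&1 ||
            { echo "FAIL: digest mismatch or missing file"; exit 1; }

        # 2. The set of files present equals the set of files listed, so an
        #    extra archive or script cannot ride along unnoticed.
        listed=$(sed 's/^[0-9a-f]*  //' "$MANIFEST" | LC_ALL=C sort)
        present=$(find . -type f ! -name "$MANIFEST" | LC_ALL=C sort)
        [ "$listed" = "$present" ] ||
            { echo "FAIL: files on media differ from the manifest listing"; exit 1; }

        echo "OK: $1 matches $MANIFEST"
    )
}
```

A manifest carried on the same media detects corruption and incomplete copies only; to detect tampering, bring the manifest (or its digest) to the Satellite by a separate path or sign it.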
4.2.2.4. Importing Content to a Disconnected Satellite Server
Before importing content, ensure that the directory and file system containing the exports
has enough space to contain the extracted archives. For example, if your export is 40 GB,
the disconnected Satellite Server directory and file system where you are importing the
content will need an extra 40 GB of space to expand it on the same file system.
1. Copy all of the Satellite Content ISOs to a directory that the Satellite can access.
This example uses /root/isos.
2. Create a local directory that will be shared via httpd on the Satellite. This example
uses /var/www/html/pub/sat-import/.
# mkdir -p /var/www/html/pub/sat-import/
3. Recursively copy the contents of the first ISO to the local directory:
# mkdir /mnt/iso
# mount -o loop /root/isos/first_iso /mnt/iso
# cp -ruv /mnt/iso/* /var/www/html/pub/sat-import/
# umount /mnt/iso
# rmdir /mnt/iso
4. Repeat the above step for each ISO until you have copied all the data from the
series of ISOs into the local directory /var/www/html/pub/sat-import/.
5. Ensure that the SELinux contexts are correct:
# restorecon -rv /var/www/html/pub/sat-import/
6. Change the default provider URL in the Satellite web interface:
a. Log in to the Satellite web interface and select the required organization.
b. Click Content → Red Hat Subscriptions and then click Manage Manifest.
c. On the Subscription Manifest information screen select the Actions tab.
Under Red Hat Provider Details, click the edit icon next to the Red Hat
CDN URL entry and change the URL to reference the location that the ISOs
were copied to. This example uses the Satellite fully qualified domain name
(FQDN) server.example.com, so the URL is:
http://server.example.com/pub/sat-import/
d. Click Browse to choose the manifest file.
e. Click Upload to import your manifest.
7. Enable the repositories from the local CDN:
a. Click Content → Red Hat Repositories.
b. Enable the repositories that were enabled and synchronized in the
Synchronizing Content section.
8. Click Content → Sync Status.
9. Select the repositories you want to synchronize and click Synchronize Now.
Note
The Satellite is now acting as its own CDN with the files located in
http://localhost. This is not a requirement. The CDN can be hosted on a different
machine inside the same disconnected network as long as it is accessible to the
Satellite server via HTTP.
Once the synchronization finishes, the disconnected Satellite is ready to serve the
content to client systems.
4.2.3. Migrating from Disconnected to Connected Satellite
If your environment changed from disconnected to connected, you can reconfigure a
disconnected Satellite to pull content directly from Red Hat Customer Portal:
1. Ensure the correct organization is selected. Navigate to Content → Red Hat
Subscriptions and click Manage Manifest.
2. On the Subscription Manifest screen select the Actions tab. Click the edit icon
next to the Red Hat CDN URL entry and insert the following URL:
https://cdn.redhat.com
Click Save.
On next synchronization, Satellite will pull content directly from Red Hat Customer Portal.
Chapter 5. Configuring a Self-Registered Satellite
A Red Hat Satellite server is normally registered to the Red Hat Customer Portal, then
activated as a Satellite Server and gets new content from the Red Hat Customer Portal. A
self-registered Red Hat Satellite 6 Server is registered to itself rather than the Red Hat
Customer Portal.
Once a Red Hat Satellite 6 server is installed, there are several advantages to
registering it as a client to itself:
The same life cycle management procedures can be applied to the Satellite 6 server itself that have been applied to the rest of the managed estate.
By subscribing the Satellite 6 server to its own content views, it will receive the same updates on the same schedule as the rest of the managed hosts.
A virt-who service can be run directly on the Satellite 6 server without the need for an additional host.
There are also several limitations of a self-registered Satellite server:
A self-registered Satellite Server cannot test package updates by using life cycle environments. It is essential to make a full backup of a self-registered Satellite Server before doing an upgrade to untested packages.
Not all puppet modules are supported by a self-registered Satellite server. When applying puppet modules to a self-registered Satellite server ensure that they will not create an unsupported configuration.
5.1. Registering a Satellite to Itself
Before a self-registered Satellite can be configured to get updates from itself, the
Satellite subscription must be added to the Satellite’s manifest. When the subscription is
in the manifest, the appropriate Satellite repositories can be synchronized into the
Satellite.
Procedure 5.1. To Register a Satellite to Itself:
1. If the Satellite is already registered to the Red Hat Customer Portal, unregister the
Satellite from the Red Hat Customer Portal using the following commands:
# subscription-manager remove --all
# subscription-manager unregister
2. The Satellite subscription on the Red Hat Customer Portal is now available and can
be transferred into the Satellite's manifest. For further information on Manifests
see Section 4.1.1, “Accessing Red Hat Content Providers”.
Transfer the subscription to the Satellite's manifest:
a. Navigate to https://access.redhat.com and click SUBSCRIPTIONS on the main
menu at the top of the page.
b. Scroll down to the Red Hat Subscription Management section, and click
Satellite under Subscription Management Applications.
c. Select the required Satellite server by clicking its host name in the table.
d. Click Attach a subscription and select subscriptions you want to attach.
Specify the quantity for each subscription, and click Attach Selected.
3. Refresh the manifest on the Satellite Server:
a. Log in to the Satellite server.
b. Ensure that the correct organization is selected.
c. Click Content → Red Hat Subscriptions and then click Manage Manifest
at the upper right of the page.
d. In the Subscription Manifest section, click Actions and under the
Subscription Manifest subsection, click Refresh Manifest.
4. Enable Red Hat repositories using the Satellite web interface:
a. Click Content → Red Hat Repositories.
b. Navigate to the required repositories. Click each repository set from which
you want to select repositories and select the check box for each required
repository. The repository is automatically enabled.
For Red Hat Enterprise Linux 6 the repositories that need to be enabled are:
Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server
Red Hat Satellite 6.1 for RHEL 6 Server RPMs x86_64
Red Hat Software Collections RPMs for Red Hat Enterprise Linux 6 Server x86_64 6Server
Red Hat Enterprise Linux 6 Server - Satellite Tools RPMs x86_64 Repository
For Red Hat Enterprise Linux 7 the repositories that need to be enabled are:
Red Hat Enterprise Linux 7 Server RPMs x86_64 6Server
Red Hat Satellite 6.1 for RHEL 7 Server RPMs x86_64
Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_64 6Server
Red Hat Enterprise Linux 7 Server - Satellite Tools RPMs x86_64 Repository
5. Synchronize the Satellite server:
a. Navigate to Content → Sync Status. Based on the subscriptions and
repositories enabled, the list of product repositories available for
synchronization is displayed.
b. Click the arrow next to the product name to see available content.
c. Select the content you want to synchronize.
d. Click Synchronize Now to start synchronizing. The status of the
synchronization process will appear in the Result column. If synchronization
is successful, Sync complete will appear in the Result column. If
synchronization failed, Error syncing will appear.
Note
Content synchronization can take a long time. The length of time required
depends on the speed of disk drives, network connection speed, and the
amount of content selected for synchronization.
6. Optionally, create a content view to represent the Satellite server. This will allow
the Satellite to follow the same life cycle management procedures as the rest of
the content on the server. For further information about content views see the
Content Views chapter in the Red Hat Satellite 6.1 User Guide.
a. To create a content view:
i. Log into the web interface as a Satellite administrator.
ii. Click Content → Content Views.
iii. Click Create New View.
iv. Specify the Name of the content view. The Label field is automatically
populated when the Name field is filled out. Optionally, provide a
description of the content view.
v. Click Save.
b. Edit the content view to add the Red Hat Enterprise Linux server and
Satellite repositories:
i. Click Content → Content Views and choose the Content View to
add repositories to.
ii. Click Yum Content and select Repositories from the drop-down
menu. From the submenu, click Add.
iii. Select the required repositories to add and click Add Repositories.
The required repositories for a self-registered Satellite are all the
repositories for the Satellite itself, any supporting repositories and
the repository for the Base OS. The repositories required for a
self-registered Satellite are listed in Step 4 of this procedure.
7. Download and install the required certificates by running:
# rpm -Uvh /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm
8. Register the Satellite server and attach the appropriate entitlements using
subscription manager. When registering the server you must specify the
organization to which the server belongs, and also the life cycle environment.
# subscription-manager register --org=organization --environment=environment
Example 5.1.
# subscription-manager register --org=ExampleCompany --environment=Library
You will be prompted for your Red Hat Satellite user name and password. The
Satellite Server administrator can configure new users. See the Users and Roles
chapter in the Red Hat Satellite 6.1 User Guide for more information.
9. Find the pool IDs for the Satellite and for Red Hat Enterprise Linux by running the
following command:
# subscription-manager list --available
10. Attach the entitlements by running the following command:
# subscription-manager attach --pool Red_Hat_Satellite_Pool_ID --pool Red_Hat_Enterprise_Linux_ID
A content host has now been created for the Satellite server inside of the Satellite
server.
11. Enable the repositories required for the Satellite server by running the following
command:
# subscription-manager repos --enable=repository-to-be-enabled
See Step 4 of this procedure for the list of repositories that need to be enabled.
12. Install the Katello Agent package to allow errata management and package
installation through the Satellite web interface. The katello-agent package depends
on the gofer package that provides the goferd service. The goferd service must be
enabled so that the Red Hat Satellite Server or Capsule Server can provide
information about errata that are applicable for content hosts.
To install the katello-agent run the following command:
# yum install katello-agent
The goferd service is started and enabled automatically after successful
installation of katello-agent.
5.2. Updating a Self-Registered Satellite
A self-registered Red Hat Satellite server is registered to itself rather than directly to the
Red Hat Customer Portal. A self-registered Satellite server is able to synchronize with the
Red Hat Customer Portal then apply updates to itself at the same time as providing other
required updates.
Procedure 5.2. To Update a Self-Registered Satellite:
1. It is essential to make a full backup of a self-registered Satellite server prior to
doing an upgrade as package updates cannot be tested. For instructions on how to
backup and, if necessary, restore a Satellite server see Backup and Disaster
Recovery in the Red Hat Satellite 6.1 User Guide.
a. Ensure your backup location has enough disk space to contain a copy of all of
the following directories:
/etc/
/var/lib/pulp
/var/lib/mongodb
/var/lib/pgsql/
This can be a considerable amount of space so plan accordingly.
b. Stop all services:
# katello-service stop
c. Run the backup script:
# /usr/bin/katello-backup backup_directory
This process can take a long time to complete, due to the amount of data to
copy.
d. Restart all services:
# katello-service start
2. Synchronize the Satellite server:
a. Navigate to Content → Sync Status. Based on the subscriptions and
repositories enabled, the list of product repositories available for
synchronization is displayed.
b. Click the arrow next to the product name to see available content.
c. Select the content you want to synchronize.
d. Click Synchronize Now to start synchronizing. The status of the
synchronization process will appear in the Result column. If synchronization
is successful, Sync complete will appear in the Result column. If
synchronization failed, Error syncing will appear.
Note
Content synchronization can take a long time, and depends on the speed of
disk drives, network connection speed, and the amount of content selected
for synchronization.
3. Optionally, publish and promote the required content views:
a. After a content view has been created, it needs to be published in order for
it to be visible and usable by hosts. Before publishing the content view
definition, make sure that the content view definition has the necessary
products, repositories and filters.
To publish the content view:
i. Click Content → Content Views.
ii. Click on the content view that represents the Satellite server.
iii. Click Publish New Version.
iv. Fill in a comment.
v. Click Save.
b. After the content view has been published it needs to be promoted into the
required life cycle environment.
To promote the content view:
i. On the main menu, click Content → Content Views.
ii. In the Name column, select the content view that represents the
Satellite server.
iii. On the Versions tab, identify the latest version, and click Promote.
iv. Identify the promotion path where you want to promote the content
view, select the appropriate life cycle environment, and click Promote
Version.
v. After the promotion has completed, the Versions tab updates to
display the new status of your content views.
4. Update the Satellite server:
# yum update
# katello-installer --upgrade
5. Restart the services:
# katello-service restart
Chapter 6. Managing Hypervisors and Virtual Guest Subscriptions
Red Hat Satellite can track the hypervisors (hosts) that are attached directly to it and the
subscriptions of those hosts. However, the hypervisors’ guests are not indexed through
this mechanism. For the security of the hypervisor infrastructure, this host to guest
mapping is not provided during Satellite registration.
The virt-who utility collects information about the connection between the hypervisor and
its virtual guests and provides Subscription Manager with a mapping file containing the
hypervisor-guest pairs. This utility is provided both in the main Red Hat Enterprise Linux
repository (rhel-6-server-rpms or rhel-7-server-rpms) as well as in the Red Hat Satellite
Tools repository (rhel-6-server-satellite-tools-6.1-rpms or
rhel-7-server-satellite-tools-6.1-rpms). The Satellite Tools repository is the recommended
source of virt-who for Satellite installations. To enable this repository on Red Hat
Enterprise Linux 7, execute:
# subscription-manager repos --enable=rhel-7-server-satellite-tools-6.1-rpms
Then install virt-who as follows:
# yum install virt-who
6.1. Introduction to virt-who
Red Hat uses virt-who to keep track of the hypervisors’ subscriptions and the guests
who can inherit those subscriptions. The virt-who system:
1. Scans the hypervisor (host) management platform and its guests
2. Creates the host/guest mapping
3. Communicates this host/guest mapping to Satellite
This host/guest mapping associates every guest with a specific host. Then, a subscription
service can attach a single subscription to a virtual host and apply an included and
inheritable subscription to a guest, rather than consuming two separate subscriptions for
each instance.
After you start virt-who the first time, a virt-who daemon automatically runs in the
background and makes updates based on a schedule you select (the default is hourly).
6.1.1. The Universally Unique Identifier (UUID)
The virt-who system makes this host/guest association by extracting a universally
unique identifier (UUID) for each guest from the hypervisor and then associating each
UUID with its hypervisor in the Satellite inventory.
6.1.2. Important Conditions for virt-who to Correctly Attach Subscriptions
These factors must be true for the subscription service to recognize the host/guest
association and correctly attach subscriptions:
The virt-who system must be run periodically to detect new guest instances.
The hypervisor and the guest systems must be registered to the same subscription service (that is, the same Satellite organization).
The hypervisor must have a subscription attached to it that includes virtual subscriptions or inheritable subscriptions.
6.1.3. Subscription Status and virt-who
A registered host is assigned a subscription status color based on its installed products
and attached subscriptions. When you first register a virtual guest, the host list displays
that virtual guest's host subscription status as yellow. The reason is that the Satellite
does not know which hypervisor the guest resides on. You must run virt-who so that the
Satellite knows which hypervisor the guest resides on. With the default auto-attach
configuration enabled, and assuming virt-who runs successfully, the guest subscription
displays as green in 24 hours.
6.2. Before You Begin
6.2.1. Prerequisites
To install and run virt-who:
You must have credentials that allow virt-who to communicate with:
a Satellite user account
your virtualization system
The system running virt-who is registered already to the Satellite server (virt-who will use the host credentials).
The ports configured for your hypervisor allow communication (the default virt-who port is 443).
6.2.2. User Login for virt-who
Login credentials to the data center are required for the following hypervisor types:
Red Hat Enterprise Virtualization Manager
VMware vSphere
Microsoft Hyper-V
Note
When configuring the permissions to the login credentials, the permissions must
allow access to the virtual machines and hypervisors. Red Hat recommends the
following:
The login has read-only permission.
The login is for a service account or non-user login.
The password does not expire.
6.2.3. virt-who Configuration File Location
The virt-who configuration is stored in the following configuration files:
/etc/sysconfig/virt-who (default)
Sample Configuration File:
$ cat /etc/sysconfig/virt-who
[rdu]
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1
VIRTWHO_ESX=1
VIRTWHO_ESX_OWNER=Organization_label
VIRTWHO_ESX_SERVER=vcenter-server.example.com
VIRTWHO_ESX_USERNAME=esx-readonly-user
VIRTWHO_ESX_PASSWORD=password
VIRTWHO_ESX_ENV=Library
/etc/virt-who.d/exampleconfig.conf (only for encrypted passwords)
Sample Configuration File:
$ cat /etc/virt-who.d/exampleconfig.conf
[rdu]
type=abc
owner=virtwho
server=abc-server.example.com
username=root
password=password
rhsm_username=admin
rhsm_password=admin
#rhsm_encrypted_password=61fde1a1e2cbe95faef0ef0ecfd85057
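Both sample files above carry hypervisor and Satellite credentials in clear text, and the second leaves its encrypted key commented out. The following is an added example, not part of the Red Hat guide or of virt-who: it reports active clear-text password keys and configuration files that other users can access. The function name is this example's own, and it recognises only the key names shown in the samples above.

```shell
#!/bin/sh
# Added example: audit virt-who configuration files for exposed credentials.
# Only key names that appear in the guide's samples are recognised.

# Print one finding per line; return 1 if there were any findings.
audit_virtwho_conf() {  # usage: audit_virtwho_conf FILE...
    findings=0
    for conf in "$@"; do
        [ -f "$conf" ] || continue

        # Credentials in the file are usable by anyone who can read it.
        other=$(ls -ld "$conf" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "$conf: accessible to other users ($other)"
            findings=$((findings + 1))
        fi

        # Active (uncommented) clear-text password keys with a non-empty value.
        hits=$(awk '
            /^[ \t]*[#;]/ { next }
            {
                eq = index($0, "=")
                if (eq == 0) next
                key = substr($0, 1, eq - 1)
                val = substr($0, eq + 1)
                gsub(/[ \t]/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (val == "") next
                if (key == "password" || key == "rhsm_password" ||
                    key == "VIRTWHO_ESX_PASSWORD")
                    print NR ":" key
            }' "$conf")
        for h in $hits; do
            echo "$conf: line ${h%%:*}: clear-text ${h#*:}"
            findings=$((findings + 1))
        done

        # A commented-out encrypted key beside an active clear-text one, as in
        # the sample, leaves the clear-text value as the one in use.
        if grep -q '^[[:space:]]*#[[:space:]]*rhsm_encrypted_password=' "$conf" &&
           printf '%s\n' "$hits" | grep -q ':rhsm_password$'; then
            echo "$conf: rhsm_encrypted_password is commented out while rhsm_password is set"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```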
6.2.4. Limitations Related to Satellite Organizations
Subscriptions are arranged according to Satellite organizations. Although the current
virt-who can report to multiple Satellite organizations, you cannot share subscriptions
across organizations.
Important
You must have one virtual data center subscription for each organization and for
each hypervisor.
6.3. Supported Hypervisors
The virt-who system can work with any of the hypervisors outlined in the following table.
Table 6.1. Supported Hypervisors
If you have... | Go here for setup instructions... | Warnings:
A Red Hat Enterprise Linux system running KVM; Red Hat Enterprise Virtualization Manager | Section 6.4, “Setting up a Red Hat Enterprise Virtualization Manager Server or Libvirt (KVM) Hypervisor” | None
Microsoft Hyper-V | Section 6.5, “Using virt-who with Hyper-V” | You cannot install virt-who directly on the Hyper-V hypervisors. Instead, you must install virt-who on a Red Hat Enterprise Linux platform that can communicate with the Hyper-V server.
VMware: vCenter, vSphere, or ESX | Section 6.6, “Setting up a VMware Hypervisor” | You cannot install virt-who directly on the VMware hypervisors. Instead, you must install virt-who on a Red Hat Enterprise Linux platform that can communicate with the vCenter server.
6.3.1. Rerunning virt -who
Re running virt-who doe s not change a pre vious ly cre ate d hype rvis or's e nvironme nt or
conte nt vie w. This le ts you manually move a hype rvis or to a diffe re nt e nvironme nt and
conte nt vie w in Sate llite . You can als o change the virt-who hos t without impacting
e xis ting hype rvis ors . To re run virt-who, us e the command option:
# virt-who --one-shot
Re-registering the host on which virt-who is running to a new organization creates new
hypervisors in that organization. Previously created hypervisors in another organization
remain unchanged (until you delete them manually). If you add an organization, you must
restart virt-who.
6.4. Setting up a Red Hat Enterprise Virtualization Manager Server or Libvirt (KVM) Hypervisor
1. Configure Subscription Manager on the virtual system to use Satellite and the CA
certificate:
# rpm -ivh \
http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. Register the Red Hat Enterprise Linux system (which communicates with Red Hat
Enterprise Virtualization Manager) to Satellite:
# subscription-manager register --username=admin --password=secret \
--org=organization_label --auto-attach
The organization label is available in the Satellite web UI. If another system is
already registered to that organization, then you can get the label by using the
subscription-manager orgs command.
3. Install the virt-who packages on the hypervisor.
Note
For both the Red Hat Enterprise Virtualization Manager server and the libvirt
(KVM) hypervisor, Red Hat recommends that you install the virt-who package
on a physical system.
# yum install virt-who
4. Edit the virt-who configuration file (/etc/sysconfig/virt-who) and set the
parameters as follows:
For a Red Hat Enterprise Virtualization Manager server:
VIRTWHO_DEBUG=1
VIRTWHO_SATELLITE6=1
VIRTWHO_RHEVM=1
VIRTWHO_RHEVM_OWNER=organization_label
VIRTWHO_RHEVM_ENV=environment
VIRTWHO_RHEVM_SERVER=RHEV-server_URL
VIRTWHO_RHEVM_USERNAME=desired_user_name
VIRTWHO_RHEVM_PASSWORD=desired_password
Note that to determine the organization label for the VIRTWHO_RHEVM_OWNER
parameter, execute the subscription-manager identity command. The user
name for the VIRTWHO_RHEVM_USERNAME parameter has the form admin@internal.
With the VIRTWHO_SATELLITE6 parameter enabled, virt-who sends reports to the
Satellite server.
For a libvirt (KVM) hypervisor:
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1
VIRTWHO_SATELLITE6=1
VIRTWHO_LIBVIRT=1
With the VIRTWHO_SATELLITE6 parameter enabled, virt-who sends reports to
Red Hat Satellite.
5. Start and enable the virt-who service:
On Red Hat Enterprise Linux 6:
# service virt-who start
# chkconfig virt-who on
On Red Hat Enterprise Linux 7:
# systemctl start virt-who
# systemctl enable virt-who
6. After starting the virt-who service, monitor the /var/log/rhsm/rhsm.log file on
the same system to confirm whether or not host and guest mappings are sent.
2015-01-10 13:44:38,651 [DEBUG] @subscriptionmanager.py:112 Sending update in hosts-to-guests mapping: {44454c4c-3900-1057804c-b2c04f375231: [42346e7b-f3df-6651-4d43-6de0c769c6c7,
564ddf1c-1eec-aba5-aec4-03d311ca298e, 4234ee7d-b239-ebb1-738f55a83861d1a5, 42343eb8-838f-18f3-24f9-682455093072, 42345839-63166733-f5a1-bd4213d693b3, 42344725-cf73-f8d9-6bff-c88d4df5c67c]}
7. On the Satellite server, go to Host → Content Hosts and confirm that host
(hypervisor) system profiles display. By default, the hypervisor name is as follows:
For a Red Hat Enterprise Virtualization Manager server:
hypervisor UUID
For a libvirt (KVM) hypervisor:
hypervisor UUID
If desired, change this name in the Red Hat Satellite UI by editing the system entry.
8. To make virtual subscriptions available for virtual machines, the host system needs
a subscription. To know on which host the virtual machine is running, open the
virtual machine profile from the Content Hosts page. In the Details tab, the
virtual machine displays as Virtual Host UUID. Click the UUID link that opens the
host system profile. Then, in the Subscriptions tab, assign the subscription to the
host system. If you have multiple hypervisors running Red Hat Enterprise Linux
guests, attach a subscription to all the hypervisors.
9. To consume the subscription assigned to the hypervisor profile on the machine
running virt-who, unsubscribe and then auto subscribe:
# subscription-manager remove --all
# subscription-manager attach --auto
10. Confirm whether the subscription attached to the hypervisor is consumed by the
guest running virt-who:
# subscription-manager list --consumed
11. When you install new virtual machines on the hypervisor, you must register the
new virtual machines and use the subscription attached to the hypervisor:
# rpm -ivh \
http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
12. Register the new virtual machines and use the subscription attached to the
hypervisor:
# subscription-manager register --org=organization_label
# subscription-manager attach --auto
# subscription-manager list --consumed
6.5. Using virt-who with Hyper-V
1. To make the virt-who connection to Hyper-V work, enable Windows Remote
Management; either an HTTP or HTTPS listener must be running. On the Hyper-V
server:
# winrm quickconfig
2. The firewall must allow remote administration. On the Hyper-V server:
# netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
3. If you are using HTTP, enable the unencrypted connection. On the Hyper-V server:
# winrm set winrm/config/service @{AllowUnencrypted="true"}
4. Only Basic and NTLM authentication methods are supported. To verify that either
Basic or Negotiate is enabled (True):
# winrm get winrm/config/service/auth
5. On the Red Hat server, log in as root. Install the virt-who package:
# yum install virt-who
6. Edit the /etc/sysconfig/virt-who file and set the parameters as follows:
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1
VIRTWHO_ONE_SHOT=0
VIRTWHO_INTERVAL=0
VIRTWHO_SATELLITE6=1
VIRTWHO_HYPERV=1
VIRTWHO_HYPERV_OWNER=Satellite_Organization
VIRTWHO_HYPERV_ENV=Library
VIRTWHO_HYPERV_SERVER=IP or FQDN
VIRTWHO_HYPERV_USERNAME=Your_User_Name (you must use your Hyper-V administrator account)
VIRTWHO_HYPERV_PASSWORD=Your_Password
With the VIRTWHO_SATELLITE6 parameter enabled, virt-who sends reports to
Red Hat Satellite.
7. Start and enable the virt-who service:
On Red Hat Enterprise Linux 6:
# service virt-who start
# chkconfig virt-who on
On Red Hat Enterprise Linux 7:
# systemctl start virt-who
# systemctl enable virt-who
8. Optional: To configure the virt-who service to use a Windows domain account, write
your user name with a double backslash in the virt-who configuration file.
For example:
VIRTWHO_HYPERV_USERNAME="MYDOMAIN\\user"
6.6. Setting up a VMware Hypervisor
The virt-who packages that create the host/guest mapping are available for Red Hat
Enterprise Linux. In a VMware environment, you must have Red Hat Enterprise Linux 6.6
or later available to run the virt-who service, which connects to the VMware hypervisor.
The system running virt-who requires open access to vCenter on ports 80 and 443.
Before following these steps, create a firewall exception to allow connections on ports 80
and 443 from the Red Hat Satellite server to the vCenter:
On Red Hat Enterprise Linux 6:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
On Red Hat Enterprise Linux 7:
# firewall-cmd --add-port="80/tcp" --add-port="443/tcp" \
&& firewall-cmd --permanent --add-port="80/tcp" --add-port="443/tcp"
Perform the following steps to set up a VMware hypervisor:
1. Configure Subscription Manager on the virtual system to use the Satellite and the
CA certificate, as follows:
# rpm -ivh \
http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. Register the Red Hat Enterprise Linux system (which communicates with the
VMware server) to Satellite.
# subscription-manager register --username=admin --password=secret \
--org=organization_label --auto-attach
The organization label is available in the Satellite UI for the organization. If another
system is already registered to that organization, then you can get the label by
using the subscription-manager orgs command.
3. Install the virt-who packages.
# yum install virt-who
4. On the Red Hat Enterprise Linux system (which communicates with the VMware
hypervisor), edit the virt-who configuration file (/etc/sysconfig/virt-who) and
set the following parameters (to identify the location of your ESX management
server):
VIRTWHO_BACKGROUND=1
VIRTWHO_DEBUG=1
VIRTWHO_SATELLITE6=1
VIRTWHO_ESX=1
VIRTWHO_ESX_OWNER=Organization_label
VIRTWHO_ESX_SERVER=vcenter-server.example.com
VIRTWHO_ESX_USERNAME=esx-readonly-user
VIRTWHO_ESX_PASSWORD=MyGNU4pass!!
VIRTWHO_ESX_ENV=Library
The VIRTWHO_ESX_USERNAME is the local VMware vCenter or Microsoft Active
Directory user with read-only permission to the virtual machines and hypervisors.
With the VIRTWHO_SATELLITE6 parameter enabled, virt-who sends reports to
Red Hat Satellite.
5. Start and enable the virt-who service:
On Red Hat Enterprise Linux 6:
# service virt-who start
# chkconfig virt-who on
On Red Hat Enterprise Linux 7:
# systemctl start virt-who
# systemctl enable virt-who
The data are added to the following file:
/var/lib/virt-who/hypervisor-systemid-UUID
6. After starting the virt-who service, monitor the /var/log/rhsm/rhsm.log file on
the same system to confirm whether or not host and guest mappings are sent.
2015-01-10 13:44:38,651 [DEBUG] @subscriptionmanager.py:112 Sending update in hosts-to-guests mapping: {44454c4c-3900-1057804c-b2c04f375231: [42346e7b-f3df-6651-4d43-6de0c769c6c7,
564ddf1c-1eec-aba5-aec4-03d311ca298e, 4234ee7d-b239-ebb1-738f55a83861d1a5, 42343eb8-838f-18f3-24f9-682455093072, 42345839-63166733-f5a1-bd4213d693b3, 42344725-cf73-f8d9-6bff-c88d4df5c67c]}
7. On the Satellite server, go to HOSTS → CONTENT HOST and confirm that host
(hypervisor) system profiles display.
By default, the hypervisor name is esx hypervisor UUID. If desired, change this
name in the Red Hat Satellite GUI by editing the system entry.
8. To make virtual subscriptions available for virtual machines, the host system needs
a subscription. To know on which host the virtual machine is running, open the
virtual machine profile from the Content Host page. In the Details tab, the virtual
machine displays as Virtual Host UUID. Click the UUID link that opens the host
system profile. Then, in the Subscriptions tab, assign the subscription to the host
system. If you have multiple VMware hypervisors running Red Hat Enterprise Linux
guests, then attach a subscription to all the VMware hypervisors.
9. To attach the subscription assigned to the hypervisor profile on the machine
running the virt-who service, unsubscribe and then auto subscribe:
# subscription-manager remove --all
# subscription-manager attach --auto
10. Confirm whether the subscription attached to the hypervisor is consumed by the
guest running virt-who:
# subscription-manager list --consumed
11. When you install new virtual machines on the hypervisor, you must register the
new virtual machines and use the subscription attached to the hypervisor:
# rpm -ivh \
http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
12. Register the new virtual machines and use the subscription attached to the
hypervisor:
# subscription-manager register --org=organization_label
# subscription-manager attach --auto
# subscription-manager list --consumed
6.7. Configure virt-who with an Encrypted Password
virt-who can encrypt the passwords for the hypervisor and give you the string to use.
The encrypted password is located in the /etc/virt-who.d/ configuration file.
To generate an encrypted password:
1. Verify that the /var/lib/virt-who/key encryption file has root read and write permission.
2. To get an encrypted password string, run the virt-who-password command as root:
# virt-who-password
Password:
Use the following as a value for the encrypted_password key in the
configuration file:
encrypted_password_string
Type the password of your hypervisor and write down the encrypted string.
3. Create a new configuration file for virt-who inside /etc/virt-who.d/.
Note
Since a configuration file is created under /etc/virt-who.d/, do not specify
the hypervisor details in /etc/sysconfig/virt-who. For more information,
see the man page:
$ man virt-who-config
For example, on vCenter:
# vi /etc/virt-who.d/config
[config]
type=esx
server=vcenter/esx_host
username=vcenter/esx_username
encrypted_password=encrypted_password_string
owner=owner
env=Library
4. Verify that the /var/lib/virt-who/key encryption key file has root read and write
permission.
# ll /var/lib/virt-who/key
-rw-------. 1 root root 130 Jun 29 14:43 /var/lib/virt-who/key
5. After the configuration change, restart the virt-who service.
On Red Hat Enterprise Linux 6:
# service virt-who restart
On Red Hat Enterprise Linux 7:
# systemctl restart virt-who
6. To determine the value of owner in the /etc/virt-who.d/ configuration file, run
the following command. The org ID string is the owner value:
# subscription-manager identity
org ID : string
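The checks implied by Section 6.2.3 and Section 6.7 (plaintext passwords left in /etc/sysconfig/virt-who or /etc/virt-who.d/, the mode of /var/lib/virt-who/key, and hypervisor details set in both places) can be scripted. The following is an added example, not part of this guide or of virt-who; the function names, finding labels, the ROOT prefix argument and the sample tree are assumptions of the example, and all sample values are constructed.

```bash
#!/bin/sh
# Added example, not Red Hat code: audit virt-who credential handling.
# Function names, finding labels and the ROOT prefix are assumptions.

# 10-character mode string, e.g. "-rw-------", and numeric owner UID.
mode_of() { ls -ldn "$1" | cut -c1-10; }
uid_of() { ls -ldn "$1" | awk '{ print $3 }'; }

# Uncommented plaintext password keys in one file: key name and line number
# only, never the value. encrypted_password= is not matched because the key
# name is anchored to the start of the line.
plaintext_keys() (
    pat='^[[:space:]]*((rhsm_)?password|VIRTWHO_[A-Z0-9]+_PASSWORD)[[:space:]]*=[[:space:]]*[^[:space:]]'
    grep -nE "$pat" "$1" | while IFS=: read -r lineno rest; do
        key=$(printf '%s' "${rest%%=*}" | tr -d ' \t')
        echo "$1:$lineno: PLAINTEXT $key"
    done
)

# Print every finding for the tree under ROOT; UID is the expected key owner.
collect_findings() (
    root=$1; want_uid=$2
    sys="$root/etc/sysconfig/virt-who"
    dir="$root/etc/virt-who.d"
    key="$root/var/lib/virt-who/key"
    for f in "$sys" "$dir"/*; do
        if [ -f "$f" ]; then
            hits=$(plaintext_keys "$f")
            if [ -n "$hits" ]; then
                echo "$hits"
                bits=$(mode_of "$f" | cut -c5-10)
                if [ "$bits" != "------" ]; then
                    echo "$f: PERMS plaintext password file has group/other bits $bits"
                fi
            fi
        fi
    done
    # Section 6.7: the key behind encrypted_password is root read/write only.
    if [ -e "$key" ]; then
        m=$(mode_of "$key"); u=$(uid_of "$key")
        if [ "$m" != "-rw-------" ] || [ "$u" != "$want_uid" ]; then
            echo "$key: KEY mode $m uid $u, expected -rw------- uid $want_uid"
        fi
    fi
    # Section 6.7 note: with a file in /etc/virt-who.d/, hypervisor details
    # must not also be set in /etc/sysconfig/virt-who.
    if [ -f "$sys" ] &&
       grep -qE '^[[:space:]]*VIRTWHO_(ESX|RHEVM|HYPERV|LIBVIRT)=1' "$sys" &&
       grep -qsE '^[[:space:]]*type[[:space:]]*=' "$dir"/*; then
        echo "$sys: DUPLICATE hypervisor also configured in $dir"
    fi
)

# audit_virtwho ROOT [UID]: ROOT "" audits the live system (run as root).
# Prints findings and returns 1 if there are any, 0 otherwise.
audit_virtwho() {
    findings=$(collect_findings "$1" "${2:-0}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Build a constructed sample tree under DIR; all values are made up.
make_sample_tree() (
    d=$1
    mkdir -p "$d/etc/sysconfig" "$d/etc/virt-who.d" "$d/var/lib/virt-who"
    cat > "$d/etc/sysconfig/virt-who" <<'EOF'
VIRTWHO_BACKGROUND=1
VIRTWHO_SATELLITE6=1
VIRTWHO_ESX=1
VIRTWHO_ESX_SERVER=vcenter-server.example.com
VIRTWHO_ESX_USERNAME=esx-readonly-user
VIRTWHO_ESX_PASSWORD=constructed-sample-secret
EOF
    cat > "$d/etc/virt-who.d/vcenter-1" <<'EOF'
[vcenter-1]
type=esx
server=vcenter1.example.com
username=read_only@vsphere.local
encrypted_password=00000000000000000000000000000000
owner=Engineering
env=Library
EOF
    : > "$d/var/lib/virt-who/key"
    chmod 644 "$d/etc/sysconfig/virt-who"
    chmod 600 "$d/etc/virt-who.d/vcenter-1"
    chmod 640 "$d/var/lib/virt-who/key"
)

# Demo on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_virtwho "$demo" "$(id -u)" || echo "review the findings above"
rm -rf "$demo"
```

The PERMS check on configuration files is this example's own addition; the guide itself only states the required mode for the key file.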
6.8. vCenter Configuration Example for Reporting Data to Multiple Organizations
In this example, you have two vCenter environments, and you want to do the following:
Place hypervisors from the first instance of vCenter into the Organization 'Engineering'
on your Satellite 6.
Place hypervisors from the second instance of vCenter into the Organization
'Operations' on your Satellite 6.
Note
You must have virt-who running on two systems, one for each organization. The
following system hostnames denote the difference between the two virt-who
systems:
hostname - eng-virt-who.example.com (virt-who instance reports
hypervisors in vCenter1 to the 'Engineering' Organization)
hostname - ops-virt-who.example.com (virt-who instance reports
hypervisors in vCenter2 to the 'Operations' Organization)
This example uses the following information:
Vcenter1:
Hostname - vcenter1.example.com
username - read_write@vsphere.local
password - supersecret
Vcenter2:
Hostname - vcenter2.example.com
username - read_only@vsphere.local
password - notsosecret
Procedure 6.1. Part 1
1. On system eng-virt-who.example.com, install virt-who:
[root@eng-virt-who.example.com]# yum install virt-who
2. Create an encrypted password string for vcenter1:
[root@eng-virt-who.example.com]# virt-who-password
Password: type the 'supersecret' password
Use following as value for encrypted_password key in the
configuration file:
5e7367195d9fe2aa4b6667f93f17c5bd
3. Edit /etc/virt-who.d/vcenter-1 and add the following content:
[vcenter-1]
type=esx
server=vcenter1.example.com
username=read_only@vsphere.local
encrypted_password=5e7367195d9fe2aa4b6667f93f17c5bd
owner=Engineering
env=Library
4. Restart virt-who.
On Red Hat Enterprise Linux 6:
# service virt-who restart
On Red Hat Enterprise Linux 7:
# systemctl restart virt-who
Procedure 6.2. Part 2
On system ops-virt-who.example.com, complete the following steps:
1. Install virt-who:
[root@ops-virt-who.example.com]# yum install virt-who
2. Create an encrypted password string for vcenter2:
[root@ops-virt-who.example.com]# virt-who-password
Password: type the 'notsosecret' password
Use following as value for encrypted_password key in the
configuration file:
4ff5da2eee0648d99fd0c24337f98bd6
3. Edit /etc/virt-who.d/vcenter-2 and add the following content:
[vcenter-2]
type=esx
server=vcenter2.example.com
username=read_only@vsphere.local
encrypted_password=4ff5da2eee0648d99fd0c24337f98bd6
owner=Operations
env=Library
4. Restart virt-who.
On Red Hat Enterprise Linux 6:
# service virt-who restart
On Red Hat Enterprise Linux 7:
# systemctl restart virt-who
6.9. Registering Guest Instances
Register a virtual system the same as a physical system.
The virt-who service must be running on the virtual host or on a hypervisor in the
environment (for VMware). This ensures that the virt-who service maps the guest to a
physical host, so the system is registered as a virtual system. Otherwise, the virtual
instance is treated as a physical instance.
1. Configure Subscription Manager on the virtual system to use the Satellite service
and the CA certificate.
# rpm -Uvh \
http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. Register the system to the same organization as its host.
# subscription-manager register --username=admin --password=secret \
--org=organization_label --auto-attach
The organization ID is available in the Portal entry for the organization. If another
system is already registered to that organization, then get the organization ID by
using the following command:
# subscription-manager orgs
6.10. Removing a Guest Entry
To remove a guest entry, you must unregister the guest from the Satellite.
# subscription-manager unregister
If the system has been deleted, however, the virtual service (like virt-who) cannot tell
whether the service is deleted or paused. In that case, manually remove the system from
Satellite.
1. Log into the Satellite UI.
2. In the top menu, hover over the Systems item and click the All item.
3. In the left column, click the name of the system.
4. At the top of the system's details page, click the Remove System link.
6.11. Removing a Hypervisor Entry
1. Unregister the hypervisor.
# subscription-manager unregister
2. For VMware, delete the UUID file to remove the host/guest mapping
records: /var/lib/virt-who/hypervisor-systemid-UUID
6.12. Troubleshooting virt-who
This section lists selected problems that can occur when integrating Satellite with virt-who.
Scenario 1: You have Satellite running together with a hypervisor. You install another
hypervisor and run the virt-who command. The host list in the Satellite web UI now
displays two green hypervisors. One hypervisor has a subscription attached, and you
create a guest ID. Run virt-who again. The host list now displays two green hypervisors,
but the new guest ID is displayed as red.
Solution: The hypervisor tool migrated the guest from hypervisor 1 to hypervisor 2. To fix
this problem, choose one of the following options:
Move the virtual data subscription to hypervisor 2.
Move the guest to hypervisor 1.
Stop using this guest.
Scenario 2: In Satellite, you provision a guest on a hypervisor that does not have a
subscription. The host list in the Satellite web UI displays the hypervisor as yellow. 24
hours later, the hypervisor is displayed as red.
Solution: The hypervisor probably does not have a correctly attached subscription. Obtain
a subscription for this hypervisor.
Scenario 3: Either of the following error messages displays:
Host unknown status
Late binding to a host through virt-who (host/guest mapping)
Solution: Search for the error output from virt-who in the /var/log/rhsm/rhsm.log file.
Then, search for the errors in the knowledge base in Red Hat Customer Portal.
Scenario 4: In Satellite, you provision a guest on a hypervisor that has a subscription.
The host list in the Satellite web UI displays the hypervisor as yellow.
Solution: Either wait for virt-who to run and fix the problem itself, or run virt-who
manually.
Chapter 7. Installing Red Hat Satellite Capsule Server
The Red Hat Satellite Capsule Server is a Satellite component that provides federated
services to discover, provision, and configure hosts outside of the primary Satellite
server. A Satellite Capsule Server provides the following features:
Pulp Server features, including:
Repository synchronization
Content delivery
Red Hat Satellite Provisioning Smart Proxy features, including:
DHCP, including ISC DHCP servers
DNS, including Bind
Any UNIX-based TFTP server
Puppet Master servers from 0.24
Puppet CA to manage certificate signing and cleaning
Baseboard Management Controller (BMC) for power management
The Satellite Capsule Server is a means to scale out the Satellite installation.
Organizations can create various capsules in different geographical locations where the
data centers are located. These are centrally managed through the Satellite Server.
When a Satellite user promotes content to the production environment, the Satellite
Server will push the content from the Satellite Server to each of the Satellite Capsule
Servers. Host systems pull content and configuration from the Satellite Capsule Servers
in their location and not from the central Satellite Server.
Creating various Satellite Capsule Servers will decrease the load on the central server,
increase redundancy, and reduce bandwidth usage.
7.1. Red Hat Satellite Capsule Server Scalability
The maximum number of Capsule Servers that the Satellite Server can support has no
fixed limit but has been tested on a Satellite Server with Red Hat Enterprise Linux 6.6
and 7 hosts. Currently, running fourteen capsules with two vCPUs has been tested
without issues.
7.1.1. Capsule Scalability with Puppet Clients
Capsule scalability depends heavily on the following factors, especially when managing
puppet clients:
Number of CPUs
Run-interval distribution
Number of puppet classes
The Capsule Server has a concurrency limitation of 100 concurrent puppet agents
running at any single point in time. Running more than 100 concurrent puppet agents will
result in a 503 HTTP error.
For example, assuming that the puppet agent runs are evenly distributed with less than
100 concurrent puppet agents running at any single point during a run-interval, a Capsule
Server with four CPUs can expect a maximum of 1250-1600 puppet clients with a
moderate workload of 10 puppet classes assigned to each puppet client. Depending on
the number of puppet clients required, the Satellite installation can scale out the number
of Capsule Servers to support them.
Based on the following assumptions:
There are no external puppet clients reporting directly to the Satellite 6 integrated
capsule.
All other puppet clients report directly to an external capsule.
Puppet scalability within Satellite on Red Hat Enterprise Linux 6.6 Capsules is as follows:
With minimum number of CPUs (two CPUs):
At 1 puppet class per host: Not tested
At 10 puppet classes per host: Maximum of 1020-860
At 20 puppet classes per host: Maximum of 375-330
With recommended number of CPUs (four CPUs):
At 1 puppet class per host: Maximum of 2250-1875
At 10 puppet classes per host: Maximum of 1600-1250
At 20 puppet classes per host: Maximum of 700-560
Note
The information above represents an evenly distributed run interval of all puppet
agents. Any deviation runs the risk of filling the passenger request queue and is
subject to the concurrency limitation of 100 concurrent requests.
7.2. Red Hat Satellite Capsule Server Prerequisites
The Satellite Capsule's requirements are identical to the Satellite Server. These
conditions must be met before installing Red Hat Satellite Capsule:
Important
The Red Hat Satellite server and Capsule server versions must match. For
example, a Satellite 6.0 server cannot run a 6.1 Capsule server and a Satellite 6.1
server cannot run a 6.0 Capsule server. Mismatching Satellite server and Capsule
server versions will result in the Capsule server failing silently.
7.2.1. Base Operating System
Install the operating system from disc, local ISO image, kickstart, or any other methods
that Red Hat supports. Red Hat Satellite Capsule requires Red Hat Enterprise Linux
installations with the @Base package group with no other package-set modifications, and
without third-party configurations or software that is not directly necessary for the direct
operation of the server. This restriction includes hardening or other non-Red Hat security
software. If such software is required in your infrastructure, install and verify a complete
working Red Hat Satellite Capsule first, then create a backup of the system before adding
any non-Red Hat software.
When installing Red Hat Enterprise Linux from CD or ISO image, there is no need to select
any package groups; Red Hat Satellite Capsule only requires the base operating system
installation. When installing the operating system via kickstart, select the @Base package
group.
Red Hat Satellite Capsule requires a networked base system with the following
minimum specifications:
64-bit architecture.
The latest version of Red Hat Enterprise Linux 6 Server or 7 Server.
A minimum of two CPU cores, but four CPU cores are recommended.
A minimum of 12 GB memory but ideally 16 GB of memory for each Satellite
instance. A minimum of 4 GB of swap is recommended.
A minimum of 5 GB storage for the base install of Red Hat Enterprise Linux, 300 MB
for the installation of Red Hat Satellite Capsule and at least 10 GB storage for each
unique software repository to be synchronized in the /var file system.
Packages that are duplicated in different repositories are only stored once on the
disk. Additional repositories containing duplicate packages will require less additional
storage.
Note
The bulk of storage resides on the /var/lib/mongodb and /var/lib/pulp
directories. These end points are not manually configurable. Ensure that
storage is available on the /var file system to prevent storage issues.
No Java virtual machine installed on the system; remove any if they exist.
No Puppet RPM files installed on the system.
No third-party unsupported yum repositories enabled. Third-party repositories may
offer conflicting or unsupported package versions that may cause installation or
configuration errors.
Administrative user (root) access.
Full forward and reverse DNS resolution using a fully qualified domain name. Check that
hostname and localhost resolve correctly, using the following commands:
# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com
Ensure the Satellite Server's base system can resolve the Capsule's host name.
Available subscriptions on the Red Hat Satellite Server.
Important
Make sure that the host system is fully updated before installing Red Hat Satellite
Capsule Server. Attempts to install on host systems running Red Hat Enterprise
Linux that are not fully updated may lead to difficulty in troubleshooting, as well as
unpredictable results.
Red Hat recommends that the Satellite Capsule system be a freshly provisioned
system that serves no other function except as a Satellite Capsule.
7.2.2. Application Specifications
Satellite application installation specifications are as follows:
It is recommended that a time synchronizer such as ntpd is installed and enabled on
Satellite. Run the following command to start the time synchronizer and have it persist
across restarts:
For Red Hat Enterprise Linux 6:
# chkconfig ntpd on; service ntpd start
For Red Hat Enterprise Linux 7:
# systemctl start chronyd; systemctl enable chronyd
7.2.3. Network Ports Required for Capsule Communications
The following tables list the ports required for configuring a Red Hat Satellite Capsule:

Table 7.1. Ports for Satellite to Capsule Communication
Port   Protocol      Service   Required for
9090   TCP           HTTPS     Connections to the proxy in the Capsule
80     TCP           HTTP      Satellite to Capsule, for downloading a bootdisk (Optional)
443    TCP           HTTPS     Connections to the Pulp server in the Capsule [a]
[a] Added in Satellite 6.1.9

Table 7.2. Ports for Capsule to Satellite Communication
Port   Protocol      Service   Required for
443    TCP           HTTPS     Connections to Katello, Foreman, Foreman API, and Pulp
5646   TCP           amqp      Capsule's Qpid dispatch router to Qpid dispatch router in the Satellite
5647   TCP           amqp      The Katello agent to communicate with the Satellite's Qpid dispatch router

The base system on which a Capsule Server is running is a managed host, a client, that is
directly connected to the Satellite Server. See Table 1.5, “Ports for Client to Satellite
Communication”.

Table 7.3. Ports for Client to Capsule Communication
Port   Protocol      Service   Required for
53     TCP and UDP   DNS       Queries to the DNS service
67     UDP           DHCP      For Client provisioning from the Capsule
69     UDP           TFTP      Downloading PXE boot image files
80     TCP           HTTP      Anaconda, yum, and for obtaining Katello certificate updates
443    TCP           HTTPS     Anaconda, yum, Telemetry Services, and Puppet
5647   TCP           amqp      The Katello agent to communicate with the Capsule's Qpid dispatch router
8000   TCP           HTTPS     Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140   TCP           HTTPS     Puppet agent to Puppet master connections
8443   TCP           HTTPS     Subscription Management Services connection to the reverse proxy for the certificate-based API
9090   TCP           HTTPS     Sending generated SCAP reports to the proxy in the Capsule for spooling

Connections from Satellite to Capsule
To configure the firewall on a Capsule to enable incoming connections from the
Satellite, and to make these rules persistent during reboots, enter the commands below
appropriate to the Red Hat release.
The ports in these commands are taken from Table 7.1, “Ports for Satellite to
Capsule Communication”. Note that port 9090 is also listed in Table 7.3, “Ports for
Client to Capsule Communication”. Review the commands to avoid duplicating entries.
On a Red Hat Enterprise Linux 6 Capsule, execute as root:
# iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables restart
# chkconfig iptables on
On a Red Hat Enterprise Linux 7 Capsule, execute as root:
# firewall-cmd --add-port="9090/tcp" \
--add-port="443/tcp" \
&& firewall-cmd --permanent --add-port="9090/tcp" \
--add-port="443/tcp"
Connections from Capsule to Satellite
To configure the firewall on a Satellite to enable incoming connections from a Capsule,
and to make these rules persistent during reboots, enter the commands below
appropriate to the Red Hat release.
The ports in these commands are taken from Table 7.2, “Ports for Capsule to
Satellite Communication”. Note that ports 443 and 5647 are also listed in Table 1.5,
“Ports for Client to Satellite Communication”. Review the commands to avoid duplicating
entries.
On a Red Hat Enterprise Linux 6 Satellite, execute as root:
# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5646 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables restart
# chkconfig iptables on
On a Red Hat Enterprise Linux 7 Satellite, execute as root:
# firewall-cmd --add-port="443/tcp" \
--add-port="5646/tcp" --add-port="5647/tcp" \
&& firewall-cmd --permanent --add-port="443/tcp" \
--add-port="5646/tcp" --add-port="5647/tcp"
Connections from Client to Capsule
To configure the firewall on a Capsule to enable incoming connections from a Client, and
to make these rules persistent during reboots, enter the commands below appropriate to
the Red Hat release.
The ports in these commands are taken from Table 7.3, “Ports for Client to
Capsule Communication”. Note that ports 443 and 9090 are also listed in Table 7.1,
“Ports for Satellite to Capsule Communication”. Review the commands to avoid duplicating
entries.
On a Red Hat Enterprise Linux 6 Capsule, execute as root:
# iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8000 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables restart
# chkconfig iptables on
On a Red Hat Enterprise Linux 7 Capsule, execute as root:
# firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" \
--add-port="69/udp" --add-port="80/tcp" \
--add-port="443/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" \
--add-port="69/udp" --add-port="80/tcp" \
--add-port="443/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp"
Note
For information on SELinux types for the ports mentioned in this section, see
Section 1.4.6, “SELinux Policy on Satellite 6”
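An added check, not part of the Installation Guide: the script below compares the ports a Capsule has open with the union of Table 7.1 and Table 7.3, and for the Red Hat Enterprise Linux 6 commands also reports ACCEPT rules that sit below a blanket REJECT or DROP and therefore never match. The function names and both sample listings are constructed for illustration; the REJECT rule in the iptables sample is an assumption about the ruleset that existed before the commands were run.

```shell
#!/bin/sh
# Added example, not part of the Installation Guide: compare the inbound ports
# a Capsule really has open with Table 7.1 and Table 7.3.

# Union of Table 7.1 (Satellite to Capsule) and Table 7.3 (Client to Capsule),
# in the "port/proto" form that firewall-cmd --list-ports prints. Ports 443 and
# 9090 are in both tables and are listed once.
CAPSULE_EXPECTED="53/tcp 53/udp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8000/tcp 8140/tcp 8443/tcp 9090/tcp"

# iptables_ports OPEN|SHADOWED
# Reads `iptables -S INPUT` text on stdin (Red Hat Enterprise Linux 6) and
# prints "port/proto" for each single-port ACCEPT rule. A rule is SHADOWED when
# it sits below an unconditional REJECT or DROP: packets never reach it. Rules
# added with -A land there if the chain already ends in such a rule.
iptables_ports() {
    awk -v want="$1" '
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
            blocked = 1
            next
        }
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target != "ACCEPT" || proto == "" || port == "") next
            state = blocked ? "SHADOWED" : "OPEN"
            if (state == want) print port "/" proto
        }'
}

# audit_ports EXPECTED ACTUAL
# Both arguments are whitespace-separated "port/proto" lists. Prints
# "MISSING x" for a table port that is not open and "EXTRA x" for an open port
# that is in neither table (SSH, for instance: review it, it is not
# necessarily wrong). Returns 1 if anything was printed.
audit_ports() {
    audit_expected=$(echo $1)   # unquoted on purpose: folds newlines to spaces
    audit_actual=$(echo $2)
    audit_status=0
    for audit_port in $audit_expected; do
        case " $audit_actual " in
            *" $audit_port "*) ;;
            *) echo "MISSING $audit_port"; audit_status=1 ;;
        esac
    done
    for audit_port in $audit_actual; do
        case " $audit_expected " in
            *" $audit_port "*) ;;
            *) echo "EXTRA $audit_port"; audit_status=1 ;;
        esac
    done
    return "$audit_status"
}

# Constructed sample of `firewall-cmd --list-ports` output: 8140/tcp was never
# opened and an unrelated 8080/tcp is still open.
SAMPLE_FIREWALLD="53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8000/tcp 8443/tcp 9090/tcp 8080/tcp"

# Constructed sample of `iptables -S INPUT` output: the two Satellite-to-Capsule
# rules were appended below a blanket REJECT (assumed pre-existing ruleset).
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT'

echo "firewalld sample:"
audit_ports "$CAPSULE_EXPECTED" "$SAMPLE_FIREWALLD" || true
echo "iptables sample, rules that can never match:"
printf '%s\n' "$SAMPLE_IPTABLES" | iptables_ports SHADOWED
echo "iptables sample, audit of the reachable rules:"
audit_ports "$CAPSULE_EXPECTED" "$(printf '%s\n' "$SAMPLE_IPTABLES" | iptables_ports OPEN)" || true
```

On a live Capsule, pass "$(firewall-cmd --list-ports)" as the second argument of audit_ports on Red Hat Enterprise Linux 7, or pipe iptables -S INPUT into iptables_ports on Red Hat Enterprise Linux 6.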
7.3. Obtaining the Required Packages for the Capsule Server
Prerequisites
The Satellite Server's base system must be able to resolve the host name of the
Capsule Server's base system.
You will need a Red Hat Satellite user name and password.
Register the Capsule Server to the Red Hat Satellite Server to use the Red Hat
Satellite Server products and subscriptions:
1. Install the Red Hat Satellite Server's CA certificate in the Capsule Server:
# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2. Register the Capsule server with your organization by using the organization label:
# subscription-manager register --org organization_label
You will be prompted for your Red Hat Satellite user name and password. The
Satellite Server administrator can configure new users. See the Users and Roles
chapter in the Red Hat Satellite 6.1 User Guide for more information.
Procedure 7.1. To Install a Satellite Capsule Server on a Certificate-managed System:
1. List all the available subscriptions to find the correct Red Hat Satellite and Red Hat
Enterprise Linux product to allocate to your system:
# subscription-manager list --available --all
The screen displays:
Subscription Name: Red Hat Satellite Capsule Server
Provides:          Red Hat Satellite Proxy
                   Red Hat Satellite Capsule
                   Red Hat Software Collections (for RHEL Server)
                   Red Hat Satellite Capsule
                   Red Hat Enterprise Linux Server
                   Red Hat Enterprise Linux High Availability (for RHEL Server)
                   Red Hat Software Collections (for RHEL Server)
                   Red Hat Enterprise Linux Load Balancer (for RHEL Server)
SKU:               MCT0369
Pool ID:           9e4cc4e9b9fb407583035861bb6be501
Available:         3
Suggested:         1
Service Level:     Premium
Service Type:      L1-L3
Multi-Entitlement: No
Ends:              10/07/2015
System Type:       Physical
Note
The SKU and Pool ID depend on the Red Hat Satellite product type that
corresponds to your system version and product type.
2. Subscribe to the required pool IDs:
# subscription-manager subscribe --pool=Red_Hat_Satellite_Capsule_Pool_Id
3. Disable all existing repositories:
# subscription-manager repos --disable "*"
4. Enable the Satellite and Red Hat Enterprise Linux repositories by running
subscription-manager. You might need to alter the Red Hat Enterprise Linux
repository to match the specific version you are using. If enabling a repository
unexpectedly fails, check that the correct repository is enabled on the Satellite Server.
In the web UI, navigate to Content → Red Hat Repositories and check the status
of the repository under Content → Sync Status.
For Red Hat Enterprise Linux 6:
# subscription-manager repos --enable rhel-6-server-rpms \
--enable rhel-6-server-satellite-capsule-6.1-rpms
For Red Hat Enterprise Linux 7:
# subscription-manager repos --enable rhel-7-server-rpms \
--enable rhel-7-server-satellite-capsule-6.1-rpms
5. If required, to verify what repositories have been enabled, use the yum repolist
enabled command. For example, on Red Hat Enterprise Linux 7:
# yum repolist enabled
Loaded plugins: langpacks, product-id, subscription-manager
repo id                                            repo name                                                  status
!rhel-7-server-rpms/7Server/x86_64                 Red Hat Enterprise Linux 7 Server (RPMs)                   7,617
!rhel-7-server-satellite-capsule-6.1-rpms/x86_64   Red Hat Satellite Capsule 6.1 (for RHEL 7 Server) (RPMs)   176
repolist: 7,793
6. Run the following command as the root user to install the capsule-installer package:
# yum install capsule-installer
The capsule-installer package provides the capsule-installer functionality.
7.4. Running the Installation and Configuration Program for Capsule Server
Prerequisites
You must meet the following conditions before continuing on this task:
Install the Red Hat Satellite Server.
Red Hat recommends that SELinux on the Satellite 6 Capsule Server is set to
enforcing.
Create a Capsule Server certificate on the Satellite Server:
On the Satellite Server, use the capsule-certs-generate command:
# capsule-certs-generate --capsule-fqdn capsule.example.com --certs-tar ~/capsule.example.com-certs.tar
Where:
capsule-fqdn is the Satellite Capsule Server's fully qualified domain name.
Mandatory.
certs-tar is the name of the file to generate that will contain the certificate
for the Satellite Capsule installer.
The capsule-certs-generate command returns the installation instructions with
the commands to be executed on the Capsule Server. Note that the syntax of
those commands depends on the parameters of capsule-certs-generate and
the fully qualified domain name of your Satellite. For example, the
capsule-certs-generate command executed on Satellite with FQDN
satellite.example.com generates the following output:
To finish the installation, follow these steps:
1. Ensure that the capsule-installer package is available on the system.
2. Copy ~/capsule.example.com-certs.tar to the capsule system capsule.example.com
3. Run the following commands on the capsule (possibly with the customized
parameters, see capsule-installer --help and
documentation for more info on setting up additional services):
rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
subscription-manager register --org "Default_Organization"
capsule-installer --parent-fqdn          "satellite.example.com"\
                  --register-in-foreman  "true"\
                  --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                  --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                  --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                  --certs-tar            "~/capsule.example.com-certs.tar"\
                  --puppet               "true"\
                  --puppetca             "true"\
                  --pulp                 "true"
Important
The capsule-certs-generate command returns the arguments required
to successfully install a Capsule with the capsule-installer command.
The --foreman-oauth-key and --foreman-oauth-secret arguments are
always required; the --pulp-oauth-secret argument is required if the
Capsule will host content (the --pulp option set to true). See Section 7.4.1,
“Installing a Capsule Server” for more information on installing a Capsule.
Copy the archive file created by capsule-certs-generate, in this case called
capsule.example.com-certs.tar, from the Satellite Server to the Capsule
Server.
Note
If you have a custom certificate, see Section 7.5.1, “Configuring Red Hat
Satellite Capsule Server with a Custom Server Certificate” for instructions.
On the Capsule Server, install the katello-ca-consumer-latest package from the Satellite
server:
# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Register the Capsule Server with your organization by using the organization label:
# subscription-manager register --org organization_label
You will be prompted for your Red Hat Satellite user name and password. The Satellite
Server administrator can configure new users. See the Users and Roles chapter in the
Red Hat Satellite 6.1 User Guide for more information.
The following sections will assist in configuring a Satellite Capsule Server for use with
your Red Hat Satellite Server. This includes the following types of Satellite Capsule
Servers:
Satellite Capsule Server with content functionality.
Satellite Capsule Server without content functionality.
7.4.1. Installing a Capsule Server
You can install a Capsule Server by using customized parameters, depending on your
intended use case. See capsule-installer --help for a list of the available
parameters.
To install a Capsule by using the default method, run the following command (also found in
the output from capsule-certs-generate):
# capsule-installer --parent-fqdn          "satellite.example.com"\
                    --register-in-foreman  "true"\
                    --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                    --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                    --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                    --certs-tar            "~/capsule.example.com-certs.tar"\
                    --puppet               "true"\
                    --puppetca             "true"\
                    --pulp                 "true"
To enable or disable other services, run capsule-installer --help and specify the
desired value from the list of command options.
7.4.2. Verifying Your Capsule Server Installation
If the configuration is successful, run this command as the root user on the Satellite
Capsule Server:
# echo $?
This command should return a "0" to indicate success. If it does not, check the
/var/log/katello-installer/capsule-installer.log file to debug the cause of
failure. This log file contains the output generated by the capsule-certs-generate and
capsule-installer commands.
The Satellite Capsule Server should also appear in the Satellite Server's User Interface
under Infrastructure → Capsules.
Note
If the new capsule does not appear under Infrastructure → Capsules, you might
have to associate it with your organization. Navigate to Administer →
Organizations. On the Organizations page, the following message indicates an
unassigned capsule:
Notice: There is 1 host with no organization assigned
On the same page, select your organization and pick the capsule from the list on the
Capsule tab.
7.5. Optional Configuration Options
The following sections show how to enable additional configuration options for the Satellite
Capsule Server.
7.5.1. Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate
Red Hat Satellite comes with a default certificate authority (CA) used by both the server
and client SSL certificates for authentication of subservices. The server and client
certificates can be replaced with custom ones. For more information on creating custom
certificates, see the Red Hat Enterprise Linux 7 Security Guide. [8]
Custom server and client certificates may be implemented either when the command
capsule-certs-generate is first run or any time afterward. If capsule-certs-generate
has not been run before, see Procedure 7.2, “To Set a Custom Server Certificate When
Running capsule-certs-generate for the First Time:”, otherwise see Procedure 7.3, “To Set
a Custom Server Certificate After Running capsule-certs-generate:”.
Important
When using custom SSL certificates with chained trusts or issuers, include all
certificates in the chain into a single file and use that file as the CA certificate value
to katello-installer parameter --certs-server-ca-cert. It is important to
concatenate the certificates in the right order so that the trust chain can be
validated.
# cat 1st_ca.cert 2nd_ca.cert 3th_ca.cert > /root/sat_cert/ca.bundle
# katello-installer --certs-server-ca-cert /root/sat_cert/ca.bundle --certs-update-server-ca
Important
The certificate's Common Name (CN) must match the fully qualified domain name of
the server on which it is used.
Prerequisites
You must have the following files:
Certificate file for the Capsule Server.
Capsule certificates generate parameter --server-cert. In this example,
capsule.crt.
Certificate signing request file for the Capsule Server.
Capsule certificates generate parameter --server-cert-req. In this example,
capsule.crt.req.
Capsule Server's private key used to sign the certificate.
Capsule certificates generate parameter --server-key. In this example,
capsule.key.
CA certificate.
Capsule certificates generate parameter --server-ca-cert. In this example,
cacert.crt.
Other capsule-certs-generate Parameters
The parameter --certs-tar specifies the name of the archive file to be output by
capsule-certs-generate.
The parameter --capsule-fqdn is the Satellite Capsule Server's fully qualified domain
name.
Procedure 7.2. To Set a Custom Server Certificate When Running capsule-certs-generate for the First Time:
Note
In this example the files are stored in the directory /root/sat_cert. Using an
absolute path in the root user's directory provides a fixed location that is available
to all users who log in to the server with root permissions. Before running this
command, ensure the directory already exists.
1. Run the following command on the Red Hat Satellite Server to create the
certificates archive:
# capsule-certs-generate \
--capsule-fqdn "capsule.example.com" \
--certs-tar /root/sat_cert/capsule.example.com-certs.tar \
--server-cert /root/sat_cert/capsule.crt \
--server-cert-req /root/sat_cert/capsule.crt.req \
--server-key /root/sat_cert/capsule.key \
--server-ca-cert /root/sat_cert/cacert.crt
Where:
--capsule-fqdn is the Satellite Capsule Server's fully qualified domain name.
Mandatory.
--certs-tar is the name of the tar file to be generated that contains the
certificate to be used by the Satellite Capsule installer.
--server-cert is the path to your certificate, signed by your certificate
authority (or self-signed).
--server-cert-req is the path to your certificate signing request file that was
used to create the certificate.
--server-key is the private key used to sign the certificate.
--server-ca-cert is the path to the CA certificate on this system.
2. Copy the generated archive file, capsule.example.com-certs.tar, from the
Satellite Server to the Satellite Capsule Server.
3. On the Satellite Capsule Server:
a. Run the following commands to register your Satellite Capsule Server to the
Satellite Server:
# rpm -Uvh http://satellite.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
# subscription-manager register --org "ACME_Corporation" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization,
because it requires an environment to synchronize content from the
Satellite Server. Only organizations have environments.
Assigning a location is optional, but recommended, to indicate
proximity to the hosts that the Satellite Capsule Server is managing.
b. Depending on the desired Satellite Capsule Server type, choose one of the
following options:
A. Satellite Capsule Server with content functionality
Run the following command on the Satellite Capsule Server to enable the
custom certificate. The significant parameter is --pulp="true", which
indicates that content functionality is to be enabled.
# capsule-installer --pulp="true" \
--qpid-router="true" \
--puppet="true" \
--puppetca="true" \
--reverse-proxy="true" \
--certs-tar "~/capsule.example.com-certs.tar"
B. Satellite Capsule Server without content functionality
Run the following command on the Satellite Capsule Server to enable the
custom certificate. The significant parameter is --pulp="false", which
indicates that content functionality is not to be enabled.
# capsule-installer --pulp="false" \
--qpid-router="false" \
--puppet="true" \
--puppetca="true" \
--reverse-proxy="true" \
--certs-tar "~/capsule.example.com-certs.tar"
Procedure 7.3. To Set a Custom Server Certificate After Running capsule-certs-generate:
Using custom server certificates for the Satellite Server means that the same custom
server certificates need to be deployed in the Satellite Capsule Servers. Each Satellite
Capsule Server requires the following steps:
1. Run the following command as the root user on the Satellite Server to generate a
new certificate based on your custom server certificate:
Note
In this example the files are stored in the directory /root/sat_cert. Using
an absolute path in the root user's directory provides a fixed location that is
available to all users who log in to the server with root permissions. Before
running this command, ensure the directory already exists.
# capsule-certs-generate \
--capsule-fqdn "capsule.example.com" \
--certs-tar /root/sat_cert/capsule-certs.tar \
--server-cert /root/sat_cert/capsule.crt \
--server-cert-req /root/sat_cert/capsule.crt.req \
--server-key /root/sat_cert/capsule.key \
--server-ca-cert /root/sat_cert/cacert.crt \
--certs-update-server
2. Copy the generated archive file, capsule.example.com-certs.tar, from the
Satellite Server to the Satellite Capsule host system.
3. On the Satellite Capsule Server, re-run the capsule-installer command to
refresh the certificates. Depending on the desired Satellite Capsule Server type,
choose one of the following options:
A. Satellite Capsule Server with content functionality
Run the following command on the Satellite Capsule Server to refresh the
certificates. The significant parameter is --pulp="true", which indicates that
content functionality is to be enabled.
# capsule-installer --pulp="true" \
--qpid-router="true" \
--puppet="true" \
--puppetca="true" \
--reverse-proxy="true" \
--certs-tar "capsule.example.com-certs.tar"
B. Satellite Capsule Server without content functionality
Run the following command on the Satellite Capsule Server to refresh the
certificates. The significant parameter is --pulp="false", which indicates that
content functionality is not to be enabled.
# capsule-installer --pulp="false" \
--qpid-router="false" \
--puppet="true" \
--puppetca="true" \
--reverse-proxy="true" \
--certs-tar "capsule.example.com-certs.tar"
7.5.2. Using Power Management Features on Managed Hosts
When you enable the baseboard management controller (BMC) module on the Capsule
Server, you can use power management commands on managed hosts using the
intelligent platform management interface (IPMI) or a similar protocol.
The BMC service on the Satellite Capsule Server allows you to perform a range of power
management tasks. The underlying protocol for this feature is IPMI, also referred to as the
BMC function. IPMI uses a special network interface on the managed hardware that is
connected to a dedicated processor that runs independently of the host's CPUs. In many
instances the BMC functionality is built into chassis-based systems as part of chassis
management (a dedicated module in the chassis).
To take advantage of BMC features you need to add a new network interface of type
"BMC" to each managed host. IPMI interfaces are nearly always password protected, to
prevent unauthorized people on the same network from gaining control of that host.
Satellite uses this NIC to pass the appropriate credentials to the host.
Red Hat Satellite supports by extension everything that either ipmitool or freeipmi BMC
providers support. You can switch between the two per capsule. Note that different
hardware vendors might not implement all IPMI specifications, might have bugs, and so on.
7.5.2.1. Installing a Capsule Server with BMC Options
This section shows how to enable the BMC module as part of the Capsule Server
installation process.
Prerequisites
Have a baseboard management controller (BMC) provider set up for your deployment of
Capsule Server.
To add BMC functionality, you will need to append the options to the capsule-installer
command. You are required to choose either a Capsule Server with content functionality or
one without. See Section 7.4.1, “Installing a Capsule Server” for more information.
Append the following lines to the command in each option:
--bmc "enabled" \
--bmc_default_provider "freeipmi"
For example:
For Capsule Server Installations with content functionality:
# capsule-installer --pulp=true \
    --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf" \
    --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA" \
    --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU" \
    --certs-tar "~/capsule.example.com-certs.tar" \
    --qpid-router=true \
    --puppet=true \
    --puppetca=true \
    --reverse-proxy=true \
    --bmc "enabled" \
    --bmc_default_provider "freeipmi"
For Capsule Server Installations without content functionality:
# capsule-installer --pulp=false \
    --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf" \
    --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA" \
    --certs-tar "~/capsule.example.com-certs.tar" \
    --qpid-router=false \
    --puppet=true \
    --puppetca=true \
    --reverse-proxy=true
For more information and how to configure a BMC interface, see To Add a BMC Interface in
the Red Hat Satellite 6.1 User Guide.
7.5.3. Provisioning Options for Capsule Server
There are several options that provide provisioning services such as TFTP, DHCP, DNS
and Realm that can be added to either type of Capsule Server. For a full list of options,
use the command:
# capsule-installer --help
Here is an example of installing a capsule server with full provisioning services:
# capsule-installer --tftp=true \
    --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf" \
    --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA" \
    --certs-tar "~/capsule.example.com-certs.tar" \
    --templates=true \
    --dhcp=true \
    --dhcp-gateway=192.168.122.1 \
    --dhcp-nameservers=192.168.122.1 \
    --dhcp-range="192.168.122.100 192.168.122.200" \
    --dhcp-interface=eth0 \
    --dns=true \
    --dns-forwarders=8.8.8.8 \
    --dns-interface=eth0 \
    --dns-zone=example.com
Ensure the dns-interface argument is set with the correct network interface name for
the DNS server to listen on. Also ensure that the dhcp-interface argument is set
correctly with the interface name for the DHCP server. After configuration, create a subnet
on the Satellite server under Infrastructure → Subnets for the Capsule which registers
automatically.
Note
While it is possible to define the same DHCP range with the capsule-installer
command and in the Satellite GUI, it is a good practice to make these ranges
disjoint. In the Satellite GUI, select a range from outside the pool defined with
capsule-installer, but still in the range defined on the subnet. For the example
above, it is recommended to define the DHCP range from 192.168.122.1 to
192.168.122.99 in the Satellite GUI which gives the following IP address distribution:
192.168.122.1 to 192.168.122.99 (reservation pool) are addresses reserved
during bare-metal provisioning by Satellite.
192.168.122.100 to 192.168.122.200 (lease pool) are addresses reserved for
dynamic clients in the subnet (discovered hosts and unmanaged hosts).
It is possible to install a Satellite Capsule without installing DNS and DHCP services on the
same server. Instead you can configure the Satellite Capsule to use external DNS and
DHCP services as described in Section 7.9, “Configuring Satellite 6 with External
Services”. Alternatively, you can manually allocate specific IP addresses to host names or
MAC addresses; see the DHCP chapter in the Red Hat Enterprise Linux 7 Networking Guide
[9].
7.6. Adding Life Cycle Environments to a Red Hat Satellite Capsule Server
If the newly created Red Hat Satellite Capsule Server has content functionality enabled,
the Satellite Capsule Server needs an environment added to the Satellite Capsule
Server. Adding an environment to the Red Hat Satellite Capsule Server will allow the
Satellite Capsule Server to synchronize content from the Satellite Server and provide
content to host systems.
Important
The Satellite Capsule Server is configured through the Satellite Server's command
line interface (CLI). Execute all hammer commands on the Satellite Server.
Procedure 7.4. To Add Environments to the Satellite Capsule Server:
1. Log in to the Satellite Server CLI as root.
2. Choose the desired Red Hat Satellite Capsule Server from the list and take note of
its id:
# hammer capsule list
The Satellite Capsule Server's details can be verified using the command:
# hammer capsule info --id capsule_id_number
3. Verify the list of life cycle environments available for the Red Hat Capsule Server
and note down the environment id:
# hammer capsule content available-lifecycle-environments --id capsule_id_number
Where:
available-lifecycle-environments are life cycle environments that are
available to the Satellite Capsule but are currently not attached to the Satellite
Capsule.
4. Add the life cycle environment to the Satellite Capsule Server:
# hammer capsule content add-lifecycle-environment --id capsule_id_number --environment-id environment_id_number
Where:
capsule_id_number stands for the Satellite Capsule Server's identification
number.
environment_id_number stands for the life cycle environment's identification
number.
Repeat this step for every life cycle environment to be added to the Capsule
Server.
5. Synchronize the content from the Satellite Server's environment to the Satellite
Capsule Server:
# hammer capsule content synchronize --id capsule_id_number
When an external Satellite Capsule Server has various life cycle environments,
and only one life cycle environment needs to be synchronized, it is possible to
target a specific environment by specifying the environment identification:
# hammer capsule content synchronize --id external_capsule_id_number --environment-id environment_id_number
7.7. Removing Life Cycle Environments from the Red Hat Satellite Capsule Server
There are multiple reasons to remove life cycle environments from the Red Hat Satellite
Capsule Server. For example:
When life cycle environments are no longer relevant to the host systems
When life cycle environments have been incorrectly added to the Satellite Capsule
Server
Procedure 7.5. To remove a life cycle environment from the Satellite Capsule Server:
1. Log in to the Satellite Server CLI as the root user.
2. Choose the desired Red Hat Satellite Capsule Server from the list and take note of
its id:
# hammer capsule list
The Satellite Capsule Server's details can be verified using the command:
# hammer capsule info --id capsule_id_number
3. Verify the list of life cycle environments currently attached to the Red Hat Capsule
Server and take note of the environment id:
# hammer capsule content lifecycle-environments --id capsule_id_number
4. Remove the life cycle environment from the Satellite Capsule Server:
# hammer capsule content remove-lifecycle-environment --id capsule_id_number --environment-id environment_id
Where:
capsule_id_number is the Satellite Capsule Server's identification number.
environment_id is the life cycle environment's identification number.
Repeat this step for every life cycle environment to be removed from the Capsule
Server.
5. Synchronize the content from the Satellite Server's environment to the Satellite
Capsule Server:
# hammer capsule content synchronize --id capsule_id_number
7.8. Registering Host Systems to a Red Hat Satellite
Capsule Server
Prerequisites
The client system must be configured for registration. See the following chapters in the
Red Hat Satellite 6.1 User Guide for information about configuring a client to register with a
Red Hat Satellite Capsule:
Configuring Hosts
Configuring Activation Keys
Ensure the Satellite tools repository appropriate to the host to be registered is enabled
and synchronized. If required, see Procedure 8.3, “Enable New Red Hat Repositories” and
Section 4.1.3, “Synchronizing Content”.
Register systems to a Satellite Capsule as follows:
Procedure 7.6. Registering Host Systems to the Capsule Server
1. In the web UI, select Hosts → Content Hosts and then click Register Content
Host.
2. Choose the required Capsule Server in the Content Source drop-down list.
3. Connect to the host and install the bootstrap RPM:
# rpm -Uvh http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Where capsule.example.com is the host name of the Capsule to be used as the
content source. If the Satellite Server's integrated Capsule is to be used, then use
the Satellite Server's host name.
4. Run subscription-manager in a console on the client host.
a. You can use an Activation Key to register:
# subscription-manager register --org=organization_label --activationkey="activation_key"
b. Alternatively:
authenticate with a user name and password:
# subscription-manager register --org=organization_label --environment="Library"
and attach a subscription:
# subscription-manager list --available --all
# subscription-manager attach --pool=pool_ID
5. Enable the Satellite tools repository:
# subscription-manager repos --enable=rhel-version-server-satellite-tools-6.1-rpms
Replace version with 6 or 7 depending on the Red Hat Enterprise Linux version you
are using.
6. Enable any additional repositories required for this host:
# subscription-manager repos --enable=repository-to-be-enabled
7. Install katello-agent for remote actions and displaying errata information:
# yum install katello-agent
Your content host is now registered to a Satellite Capsule Server.
7.9. Configuring Satellite 6 with External Services
By default, the Capsule installer installs and configures the TFTP service available in
Red Hat Enterprise Linux. It can optionally install DNS and DHCP services. If required to use
Capsule with external services, prevent installation of the unwanted services by running
the installer with the relevant options set to false.
Example 7.1. Installing Capsule Without Services
To install Capsule without the default installation of TFTP, enter a command as follows:
# katello-installer \
--capsule-tftp false
If Capsule has already been installed, execute the installer again with the relevant options
set to false to reset the configuration files back to the desired state. This will not
uninstall the packages for the services, such as bind or tftp-server. If required, uninstall
the unused packages manually.
Example 7.2. Reinstalling Capsule Without Services
To install Capsule without installing DNS, DHCP, and TFTP, enter a command as follows:
# katello-installer \
--capsule-dns false \
--capsule-dns-managed false \
--capsule-dhcp false \
--capsule-dhcp-managed false \
--foreman-proxy-tftp false
Important
These procedures were written and tested for Red Hat Enterprise Linux 7.1. They
are based on the use of NFSv3. The procedures should work for other releases,
such as Red Hat Enterprise Linux 6 or Red Hat Enterprise Linux 7.0, but note there
may be differences in NFS exporting. See the Red Hat Enterprise Linux 7 Storage
Administration Guide and Red Hat Enterprise Linux 6 Storage Administration Guide
for more information on exporting file systems using NFS.
In the example configurations below, the subnet is 192.168.38.0/24, the domain is called
virtual.lan, the server for the external services is 192.168.38.2/24, and the Capsule
Server is at 192.168.38.1/24.
7.9.1. Configuring an External DNS Service
Deploy a Red Hat Enterprise Linux Server (the recommended and tested version is
Red Hat Enterprise Linux 7.1) and install the ISC DNS service (packages bind and bind-utils
are required):
# yum install bind bind-utils
Procedure 7.7. Configuring the External DNS Server
Configure the external DNS server as follows:
1. Create the configuration for the domain with a configuration similar to the following:
# cat /etc/named.conf
include "/etc/rndc.key";
controls {
    inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; };
};
options {
    directory "/var/named";
    forwarders { 8.8.8.8; 8.8.4.4; };
};
include "/etc/named.rfc1912.zones";
zone "38.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/38.168.192-rev";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};
zone "virtual.lan" IN {
    type master;
    file "dynamic/virtual.lan";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};
Note that the inet line must be entered as one line in the configuration file.
The example above configures a domain virtual.lan as one subnet
192.168.38.0/24, a security key named foreman, and sets forwarders to Google's
public DNS addresses (8.8.8.8 and 8.8.4.4).
2. Create a key file:
# ddns-confgen -k capsule
The above command can take a long time as the program is reading a pseudo
random device. For testing or proof-of-concept deployments, an insecure
non-blocking device can be used as follows:
# ddns-confgen -k capsule -r /dev/urandom
3. The above command will print the key section with some instructions as comments.
Copy and paste the key section into a separate file named /etc/rndc.key, which
is included by a statement in named.conf, so that the file looks as follows:
# cat /etc/rndc.key
key "capsule" {
    algorithm hmac-sha256;
    secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw=";
};
This is the secret key that is used to change DNS server configuration. Keep it safe
and make sure only root can read and write it. This file will be copied over to the
Capsule server in a later step.
4. Create zone files as follows:
# cat /var/named/dynamic/virtual.lan
$ORIGIN .
$TTL 10800      ; 3 hours
virtual.lan             IN SOA  service.virtual.lan. root.virtual.lan. (
                                9          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN virtual.lan.
$TTL 86400      ; 1 day
capsule                 A       192.168.38.1
service                 A       192.168.38.2
5. Create the reverse zone file:
# cat /var/named/dynamic/38.168.192-rev
$ORIGIN .
$TTL 10800      ; 3 hours
38.168.192.in-addr.arpa IN SOA  service.virtual.lan. root.38.168.192.in-addr.arpa. (
                                4          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN 38.168.192.in-addr.arpa.
$TTL 86400      ; 1 day
1                       PTR     capsule.virtual.lan.
2                       PTR     service.virtual.lan.
Important
Make sure there are no extra non-US-ASCII characters as BIND is sensitive to
this.
Procedure 7.8. Testing and Starting the DNS Service
To test the configuration and start the DNS service, proceed as follows:
1. Validate the syntax as follows:
# named-checkconf -z /etc/named.conf
2. Start the server:
On Red Hat Enterprise Linux 7:
# systemctl restart named
On Red Hat Enterprise Linux 6:
# service named restart
3. Try to add a new host dynamically:
# echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
4. Test that the DNS service can resolve the new host added in the previous step:
# nslookup aaa.virtual.lan 192.168.38.2
5. If required, delete the new entry:
# echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
6. Configure the firewall for external access to the DNS service (UDP and TCP on port
53):
On a Red Hat Enterprise Linux 6 Satellite, execute as root:
# iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
On a Red Hat Enterprise Linux 7 Satellite, execute as root:
# firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp"
Procedure 7.9. Configuring a Capsule Server to Use an External DNS Service
To configure a Capsule Server to use an external DNS service, proceed as follows:
1. Ensure that the nsupdate utility, from the bind-utils package, is installed:
# yum install bind-utils
2. Copy the /etc/rndc.key file from the services server to the Capsule Server. For
example:
On the services server:
scp localfile username@hostname:remotefile
Alternatively, on the Capsule Server:
scp username@hostname:remotefile localfile
3. Make sure the key file has the correct owner, permissions, and SELinux label:
# ls /etc/rndc.key -Zla
-rw-r-----. root named system_u:object_r:dnssec_t:s0 /etc/rndc.key
4. The Capsule uses the nsupdate utility to update DNS records on the remote
server. Before configuring it, test adding one additional host remotely as follows:
# echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan 192.168.38.2
# echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
5. Edit the /etc/foreman-proxy/settings.d/dns.yml file: enable the smart-proxy
module, set the provider to nsupdate, add the address of the DNS server
(dns_server option), and set the default time to live for records created by this
Capsule (dns_ttl). For example:
---
:enabled: true
:dns_provider: nsupdate
:dns_key: /etc/rndc.key
:dns_server: 192.168.38.2
:dns_ttl: 86400
Note
The configuration file is in YAML format, the three dash characters on the first
line are required.
6. Restart the foreman-proxy service:
On Red Hat Enterprise Linux 7:
# systemctl restart foreman-proxy
On Red Hat Enterprise Linux 6:
# service foreman-proxy restart
7. View the Satellite Server GUI in your browser:
https://satellite_host.example.com.
8. Select Infrastructure → Capsules. Locate the Capsule being configured and
select Refresh features from the drop-down list. The DNS feature should appear.
9. Select Infrastructure → Capsules and associate the DNS service with the
appropriate subnets and domain.
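The owner and mode check from step 3 of Procedure 7.9 can be scripted so that it is repeatable on both the services server and the Capsule Server. The following is an added example, not part of the original guide; the function names check_key_perms and key_summary are hypothetical, GNU stat is assumed, and the SELinux label is not checked.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# check_key_perms FILE OWNER GROUP
#   Succeeds only if FILE is a regular file owned by OWNER:GROUP whose mode
#   grants nothing beyond owner access plus group read (640 or stricter),
#   which is what the "ls -Zla" listing in step 3 shows for /etc/rndc.key.
#   Prints one line per problem found.
check_key_perms() {
    kf_file=$1; kf_owner=$2; kf_group=$3
    if [ ! -f "$kf_file" ]; then
        echo "$kf_file: missing or not a regular file"
        return 1
    fi
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    kf_mode=$(stat -c '%a' "$kf_file")
    kf_rc=0
    if [ "$(stat -c '%U' "$kf_file")" != "$kf_owner" ]; then
        echo "$kf_file: owner is not $kf_owner"
        kf_rc=1
    fi
    if [ "$(stat -c '%G' "$kf_file")" != "$kf_group" ]; then
        echo "$kf_file: group is not $kf_group"
        kf_rc=1
    fi
    # 037 = group write and execute plus every "other" bit; none may be set.
    if [ $(( 0$kf_mode & 037 )) -ne 0 ]; then
        echo "$kf_file: mode $kf_mode is too permissive, expected 640 or stricter"
        kf_rc=1
    fi
    return $kf_rc
}

# key_summary FILE
#   Prints "<key name> <algorithm>" from a ddns-confgen style key file
#   without ever echoing the secret, so the output is safe to log.
key_summary() {
    awk '
        $1 == "key"       { gsub(/"/, "", $2); name = $2 }
        $1 == "algorithm" { sub(/;$/, "", $2); alg = $2 }
        END               { print name, alg }
    ' "$1"
}

# Stand-alone use: sh check_key.sh /etc/rndc.key root named
if [ "$#" -eq 3 ]; then
    check_key_perms "$1" "$2" "$3" && key_summary "$1"
fi
```

The key name printed by key_summary should match the name granted in the update-policy statements of named.conf on the services server.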
7.9.2. Configuring an External DHCP Service
Deploy a Red Hat Enterprise Linux Server (the recommended and tested version is
Red Hat Enterprise Linux 7.1) and install the ISC DHCP server package dhcp.
# yum install dhcp
Procedure 7.10. Configuring the External DHCP Server
Configure the external DHCP server as follows:
1. Generate a security token in an empty directory as follows:
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
The above command can take a long time. For less-secure proof-of-concept
deployments you can use a non-blocking random number generator:
# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
This will create the key pair in two files in the current directory.
2. Copy the secret hash from the key:
# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2
3. Edit the dhcpd configuration file for all the subnets, and add the secret key from the
previous step:
# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;
subnet 192.168.38.0 netmask 255.255.255.0 {
    range 192.168.38.10 192.168.38.100;
    option routers 192.168.38.1;
    option subnet-mask 255.255.255.0;
    option domain-search "virtual.lan";
    option domain-name "virtual.lan";
    option domain-name-servers 8.8.8.8;
}
omapi-port 7911;
key omapi_key {
    algorithm HMAC-MD5;
    secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
4. Delete the two key files from the directory where you created them.
5. For each subnet defined (192.168.38.0 in this example) define Subnet on the
Satellite server. It is recommended to set up a lease range and reservation range
separately to prevent conflicts. In this example, the lease range is 192.168.38.10
to 192.168.38.100 so the reservation range (defined in Satellite GUI) would be
192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined
Subnet yet.
Note that ISC DHCP listens only on interfaces that match defined subnets. In this
example, the server has an interface that routes to 192.168.38.0 subnet directly.
6. Configure the firewall for external access to the DHCP service:
On a Red Hat Enterprise Linux 7:
# firewall-cmd --add-service dhcp \
&& firewall-cmd --permanent --add-service dhcp
On a Red Hat Enterprise Linux 6:
# iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
7. Configuration files are read by the foreman-proxy user. First determine the UID and
GID numbers of the foreman-proxy user on the Capsule Server, then create the
same user and group with the same IDs on this server:
# groupadd -g 990 foreman-proxy
# useradd -u 992 -g 990 -s /sbin/nologin foreman-proxy
8. Configuration files must be readable for this user. Recent dhcp package updates
removed read and execute flags from the configuration directory which prevents
that. To restore the required flags and prevent this change in behavior on the next
package update, enter the following commands:
# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
9. Start the DHCP service:
On Red Hat Enterprise Linux 7:
# systemctl start dhcpd
On Red Hat Enterprise Linux 6:
# service dhcpd start
10. Export DHCP configuration and leases file using NFS, so that the Capsule Server can
read it:
# yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
11. Create the DHCP configuration and leases files to be exported using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
12. Add the newly created mount point to /etc/fstab file:
/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0
13. Mount the file systems in /etc/fstab:
# mount -a
14. Ensure the following lines are present in /etc/exports:
/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
15. Reload the NFS server:
# exportfs -rva
16. Configure the firewall for the DHCP omapi port 7911 for the Capsule Server:
On a Red Hat Enterprise Linux 7:
# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --permanent --add-port="7911/tcp"
On a Red Hat Enterprise Linux 6:
# iptables -A INPUT -m state --state NEW -p tcp --dport 7911 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
17. This step is common to both the DHCP and TFTP procedures and need only be
carried out once per system. If required, follow this step to configure the firewall
for external access to the NFS service.
Note
In this guide the clients are configured to use NFSv3 and this step is
therefore NFSv3 specific.
On Red Hat Enterprise Linux 7:
It is recommended to use firewalld daemon's NFS service option because NFS
uses multiple ports to initiate connections. To do so, enter the following
commands:
# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --permanent --zone public --add-service mountd \
&& firewall-cmd --permanent --zone public --add-service rpc-bind \
&& firewall-cmd --permanent --zone public --add-service nfs
For additional information on using NFSv3 behind a firewall on Red Hat
Enterprise Linux 7, see the “Running NFS Behind a Firewall” section in the
Red Hat Enterprise Linux 7 Storage Administration Guide and the “Securing NFS”
section in the Red Hat Enterprise Linux 7 Security Guide.
On Red Hat Enterprise Linux 6:
Configure ports for NFSv3 in the /etc/sysconfig/nfs file as follows:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
Restart the service for the changes to take effect:
# service nfs restart
Add the following rules to the /etc/sysconfig/iptables file by entering
commands as follows:
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT \
&& service iptables save
Restart the firewall for the changes to take effect:
# service iptables restart
For additional information on using NFSv3 behind a firewall on Red Hat
Enterprise Linux 6, see the Red Hat Enterprise Linux 6 Storage Administration
Guide and the “Running NFS Behind a Firewall” section in the “Securing NFS”
section in the Red Hat Enterprise Linux 6 Security Guide.
Procedure 7.11. Configuring a Capsule Server to Use an External DHCP Service
To configure a Capsule Server to use an external DHCP service, proceed as follows:
1. Install the NFS client:
# yum install nfs-utils
2. Create the DHCP directories to prepare for NFS:
# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
3. Change the file owner as follows:
# chown -R foreman-proxy /mnt/nfs
4. Try to reach the NFS server and verify RPC communication paths:
# showmount -e 192.168.38.2
# rpcinfo -p 192.168.38.2
5. Add these two lines to the /etc/fstab file:
192.168.38.2:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
192.168.38.2:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
6. Mount the file systems in /etc/fstab:
# mount -a
7. Try to read the relevant files:
# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit
In case of problems, investigate the NFS configuration, logs, and firewall rules.
8. On the Capsule Server, edit /etc/foreman-proxy/settings.d/dhcp.yml as
follows. As this is YAML syntax, keep the opening three dash characters:
---
:enabled: true
:dhcp_vendor: isc
:dhcp_config: /mnt/nfs/etc/dhcp/dhcpd.conf
:dhcp_leases: /mnt/nfs/var/lib/dhcpd/dhcpd.leases
:dhcp_key_name: omapi_key
:dhcp_key_secret: jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==
:dhcp_server: dhcp.example.com
Ensure the dhcp_key_secret value is correctly entered without quotes. The trailing
= character is optional.
9. Restart the proxy:
On Red Hat Enterprise Linux 7:
# systemctl restart foreman-proxy
On Red Hat Enterprise Linux 6:
# service foreman-proxy restart
10. View the Satellite Server GUI in your browser:
https://satellite_host.example.com.
11. Select Infrastructure → Capsules. Locate the Capsule and select Refresh
features from the drop-down list. The DHCP feature should appear.
12. Select Infrastructure → Capsules and associate the DHCP service with the
appropriate subnets and domain.
7.9.3. Configuring an External TFTP Service
Deploy a Red Hat Enterprise Linux Server (the recommended and tested version is
Red Hat Enterprise Linux 7.1).
Procedure 7.12. Configuring the TFTP Server
Configure the external TFTP server as follows:
1. Install and enable the TFTP server:
# yum install tftp-server syslinux
On Red Hat Enterprise Linux 7, enable and activate the tftp.socket unit:
# systemctl enable tftp.socket
# systemctl start tftp.socket
On Red Hat Enterprise Linux 6, enable and start the xinetd service:
# chkconfig xinetd on
# service xinetd start
2. Configure the PXELinux environment as follows:
# mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg}
# chown foreman-proxy /var/lib/tftpboot/{boot,pxelinux.cfg}
# cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} \
/var/lib/tftpboot/
3. Create the TFTP directory to be exported using NFS:
# mkdir -p /exports/var/lib/tftpboot
4. Add the newly created mount point to the /etc/fstab file:
/var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0
5. Mount the file systems in /etc/fstab:
# mount -a
6. Ensure the following lines are present in /etc/exports:
/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
/exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)
The first line is common to the DHCP configuration and therefore should already be
present if the previous procedure was completed on this system.
7. Reload the NFS server:
# exportfs -rva
8. This step is common to both the DHCP and TFTP procedures and need only be
carried out once per system. If required, follow this step to configure the firewall
for external access to the NFS service.
Note
In this guide the clients are configured to use NFSv3 and this step is
therefore NFSv3 specific.
On Red Hat Enterprise Linux 7:
It is recommended to use firewalld daemon's NFS service option because NFS
uses multiple ports to initiate connections. To do so, enter the following
commands:
# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --permanent --zone public --add-service mountd \
&& firewall-cmd --permanent --zone public --add-service rpc-bind \
&& firewall-cmd --permanent --zone public --add-service nfs
For additional information on using NFSv3 behind a firewall on Red Hat
Enterprise Linux 7, see the “Running NFS Behind a Firewall” section in the
Red Hat Enterprise Linux 7 Storage Administration Guide and the “Securing NFS”
section in the Red Hat Enterprise Linux 7 Security Guide.
On Red Hat Enterprise Linux 6:
Configure ports for NFSv3 in the /etc/sysconfig/nfs file as follows:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
Restart the service for the changes to take effect:
# service nfs restart
Add the following rules to the /etc/sysconfig/iptables file by entering
commands as follows:
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT \
&& iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT \
&& service iptables save
Restart the firewall for the changes to take effect:
# service iptables restart
For additional information on using NFSv3 behind a firewall on Red Hat
Enterprise Linux 6, see the Red Hat Enterprise Linux 6 Storage Administration
Guide and the “Running NFS Behind a Firewall” section in the “Securing NFS”
section in the Red Hat Enterprise Linux 6 Security Guide.
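Every export in step 14 of Procedure 7.10 and step 6 of Procedure 7.12 uses no_root_squash, so what limits exposure is that each export names only the Capsule Server address and that the DHCP directories are exported ro. The following added example, which is not part of the original guide, checks an exports file for exactly those two properties; the function name audit_exports is hypothetical and the script assumes one export per line.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_exports FILE CLIENT_IP
#   Checks an /etc/exports-style file against the layout used in this chapter:
#   every export names exactly the Capsule Server address, and the DHCP
#   configuration and lease directories are never exported read-write.
#   Prints one finding per line; returns 0 if clean, 1 if anything was found.
#   Assumption: one export per line (no backslash continuations).
audit_exports() {
    awk -v client="$2" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }        # comment line
        NF == 0    { next }        # blank line
        NF == 1 {
            # A path with no client list is exported to every host.
            print $1 ": no client list, exported to every host"
            bad = 1
            next
        }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i
                opts = ""
                p = index($i, "(")
                if (p > 0) {
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                # "(opts)" with no host in front applies to every host.
                if (host == "") host = "*"
                if (host != client) {
                    print path ": exported to " host ", expected only " client
                    bad = 1
                }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw" && path ~ /^\/exports\/(etc\/dhcp|var\/lib\/dhcpd)/) {
                        print path ": read-write for " host ", the guide exports it ro"
                        bad = 1
                    }
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone use: sh audit_exports.sh /etc/exports 192.168.38.1
if [ "$#" -eq 2 ]; then
    audit_exports "$1" "$2"
fi
```

Run it on the services server after exportfs -rva, passing the Capsule Server address as the second argument.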
Procedure 7.13. Configure the Firewall for External access to the TFTP service
1. Configure the firewall for external access to the TFTP service (UDP on port 69):
On a Red Hat Enterprise Linux 7:
# firewall-cmd --add-port="69/udp" \
&& firewall-cmd --permanent --add-port="69/udp"
On a Red Hat Enterprise Linux 6:
# iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
&& service iptables save
Make sure the iptables service is started and enabled:
# service iptables start
# chkconfig iptables on
2. Restore SELinux file contexts:
# restorecon -RvF /var/lib/tftpboot/
Procedure 7.14. Configuring a Capsule Server to Use an External TFTP Service
To configure a Capsule Server to use an external TFTP service, proceed as follows:
1. Create the TFTP directory to prepare for NFS:
# mkdir -p /mnt/nfs/var/lib/tftpboot
2. Add the newly created mount point to the /etc/fstab file:
/mnt/nfs/var/lib/tftpboot /exports/mnt/nfs/var/lib/tftpboot none bind,auto 0 0
3. Mount the file systems in /etc/fstab:
# mount -a
4. In the /etc/fstab, add a line as follows:
192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
5. To enable TFTP support in foreman-proxy, edit the
/usr/share/foreman-proxy/config/settings.d/tftp.yml file:
:enabled: true
:tftproot: /mnt/nfs/var/lib/tftpboot
If the TFTP service is running on a different server than the DHCP service, use the
tftp_servername setting to set up the IP address of that server.
6. View the Satellite Server GUI in your browser:
https://satellite_host.example.com.
7. Select Infrastructure → Capsules in the user interface. Locate the Capsule and
select Refresh features from the drop-down list. The TFTP feature should
appear.
8. Select Infrastructure → Capsules and associate the TFTP service with the
appropriate subnets and domain.
[8] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html
[9] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/
Chapter 8. Upgrading Red Hat Satellite Server and Capsule Server
The Satellite Server and Capsule Servers are upgraded independently. Upgrade the
Satellite server first, and then upgrade any Capsules. Satellite 6.0 Capsules are not
compatible with Satellite 6.1, and must be upgraded before attempting to synchronize any
repositories. You must also manually upgrade Satellite clients to the new version of
katello-agent after upgrading the Server and Capsules.
Important
The Red Hat Satellite server and Capsule server versions must match. For
example, a Satellite 6.0 server cannot run a 6.1 Capsule server and a Satellite 6.1
server cannot run a 6.0 Capsule server. Mismatching Satellite server and Capsule
server versions will result in the Capsule server failing silently.
Supported upgrade paths for Satellite 6.1 GA:
Satellite 6.0 to Satellite 6.1
Satellite 6.1 Public Beta (non-production) to Satellite 6.1 GA
Important
Upgrading from Satellite 6.1 Public Beta in a production environment to Satellite 6.1
is not supported.
The following conditions must be met before upgrading Red Hat Satellite 6:
Verify that the Satellite has the 6.1 satellite-tools and capsule repositories fully
synchronized and available to update the Satellite Capsule servers to the latest
upgrade package versions.
Ensure that the existing Content Views are updated to include the newly synchronized
repositories. If you use Activation Keys for content host registration, ensure that your
Activation Key is updated with the newly synchronized repositories. If you created a
new Content View for these repositories, include this Content View in the Activation
Key. See the Red Hat Satellite 6.1 User Guide [10] for more information on Activation
Keys.
Refresh subscriptions to include the newly synchronized repositories both on Capsules
and Hosts.
8.1. Upgrading Red Hat Satellite
This section shows how to upgrade Red Hat Satellite from version 6.0 or 6.1 Public Beta
(non-production) to 6.1.
Prerequisites
Upgrade to the latest minor version of Red Hat Satellite 6.0 before proceeding. Direct
upgrade to 6.1 from earlier minor versions is not supported.
The Red Hat Satellite 6.1 release requires the Red Hat Satellite 6.1 Tools repository to be
available in the subscription manifest. This repository provides the katello-agent and
puppet-agent packages for clients registered to the Satellite Server. Ensure the required
repositories are enabled by following the procedure below to update the subscription
manifest. Remove any that are no longer required.
Procedure 8.1. Updating the Subscription Manifest
This procedure describes updating the subscription manifest.
1. Navigate to https://access.redhat.com and click SUBSCRIPTIONS on the main menu
at the top of the page.
2. Scroll down to the Red Hat Subscription Management section, and click
Satellite under Subscription Management Applications.
3. Click the name of the system this manifest is associated to, and click Attach a
subscription.
4. For each subscription that you want to attach, select the check box for that
subscription, and specify the quantity of subscriptions to attach.
5. Click Attach Selected. It can take several minutes for all the subscriptions to
attach. Refresh the screen every few minutes until you receive confirmation that
the subscriptions are attached.
6. After the subscriptions have been attached, click Download Manifest to generate
an archive in .zip format containing the manifest for Red Hat Satellite and save the
manifest file to a known location.
7. Upload the updated manifest to the Red Hat Satellite Server.
a. Log in to the Satellite server.
b. In the top left corner menu, select the organization that you want to
associate with the subscription manifest.
c. Click Content → Red Hat Subscriptions and then click Manage Manifest
at the upper right of the page.
d. In the Subscription Manifest section, click Actions and under the Upload
New Manifest subsection, click Browse.
e. Select the manifest file to upload, and then click Upload.
Procedure 8.2. Upgrading Red Hat Satellite
1. If the Satellite server is running on a virtual machine, take a snapshot prior to
upgrading. Otherwise, run katello-service stop and create a backup of the
relevant databases. See How to generate database backup for Red Hat Satellite
6.0 for instructions on backing up your databases.
2. Update the operating system:
# yum update
3. Disable the repositories for the previous version of Satellite.
A. If upgrading from Satellite 6.0 on Red Hat Enterprise Linux 7:
# subscription-manager repos --disable rhel-7-server-satellite-6.0-rpms
B. If upgrading from Satellite 6.1 Beta on Red Hat Enterprise Linux 7:
# subscription-manager repos --disable rhel-server-7-satellite-6-beta-rpms
C. If upgrading from Satellite 6.0 on Red Hat Enterprise Linux 6:
# subscription-manager repos --disable rhel-6-server-satellite-6.0-rpms
D. If upgrading from Satellite 6.1 Beta on Red Hat Enterprise Linux 6:
# subscription-manager repos --disable rhel-server-6-satellite-6-beta-rpms
4. Enable the new repositories.
A. On Red Hat Enterprise Linux 7:
# subscription-manager repos --enable rhel-7-server-satellite-6.1-rpms
B. On Red Hat Enterprise Linux 6:
# subscription-manager repos --enable rhel-6-server-satellite-6.1-rpms
5. If there are discovered hosts available, turn them off and delete all entries under
the Discovered hosts page.
6. Stop services:
# katello-service stop
output omitted
Success!
Wait for the command to complete. If required, confirm services have stopped:
# katello-service status
mongod is stopped
qdrouterd is stopped
qpidd is stopped
celery init v10.0.
Using configuration: /etc/default/pulp_workers,
/etc/default/pulp_celerybeat
pulp_celerybeat is stopped.
elasticsearch is stopped
celery init v10.0.
Using config script: /etc/default/pulp_resource_manager
node resource_manager is stopped...
foreman-proxy is stopped
tomcat6 is stopped
[
output truncated
OK
]
Restart the Mongo database as it is required for upgrading the Pulp database:
# service-wait mongod start
7. Clear the repository cache and update all packages:
# yum clean all
# yum update
8. Run the installer with the --upgrade option:
# katello-installer --upgrade
If required, add the --noop option to the command and review the
/var/log/katello-installer/katello-installer.log to see what changes
would be applied if the --noop was omitted.
Important
If you have made manual edits to DNS and DHCP configuration files, they will
be overwritten during the upgrade process. To avoid this, append the
--capsule-dns-managed=false and --capsule-dhcp-managed=false options
to the --upgrade installer command.
The katello-installer utility will back up files that it changes and log this. For
example:
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
The old file can be restored with this command:
# puppet filebucket -l restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1
9. Restart all services:
# katello-service restart
If you are using the Discovery feature, you must also complete Section 8.3, “Upgrading
the Discovery Feature”.
Enabling The New Repositories
The Red Hat Satellite manifest file provides access to Red Hat products and repositories.
Any new repositories must be enabled and synchronized in Red Hat Satellite Server to
prepare them for use by Red Hat Satellite Capsule Servers.
Procedure 8.3. Enable New Red Hat Repositories
1. On the main menu, click Content → Red Hat Repositories and then click the tab
for the type of content that you want to enable.
2. Click the product name for which you want to add repositories. This expands the list
of available repository sets.
3. Click each repository set from which you want to select repositories, and select the
check box for each required repository. The repository is automatically enabled.
After enabling a Red Hat repository, a product for this repository is automatically
created. The content from this repository will be downloaded during the next
synchronization.
Important
Ensure you enable the Satellite Tools repository. This repository provides
the katello-agent and puppet-agent packages for clients registered to the
Satellite Server.
4. Start the synchronization process as described in Section 4.1.3, “Synchronizing
Content”.
8.1.1. Upgrading Disconnected Satellite
This section shows how to upgrade a disconnected Red Hat Satellite instance.
Prerequisites
Upgrade to the latest minor version of Red Hat Satellite 6.0 before proceeding. Direct
upgrade to 6.1 from earlier minor versions is not supported.
Run katello-service start to restart all services and update the operating system.
For instructions on how to update a disconnected system see Deployment Guide [11]
for Red Hat Enterprise Linux 6 or System Administrator's Guide [12] for Red Hat
Enterprise Linux 7.
Procedure 8.4. Upgrading Disconnected Satellite
1. If there are discovered hosts available, turn them off and delete all entries under
the Discovered hosts page.
2. Stop services:
# katello-service stop
output omitted
Success!
Wait for the command to complete. If required, confirm services have stopped:
# katello-service status
mongod is stopped
qdrouterd is stopped
qpidd is stopped
celery init v10.0.
Using configuration: /etc/default/pulp_workers,
/etc/default/pulp_celerybeat
pulp_celerybeat is stopped.
elasticsearch is stopped
celery init v10.0.
Using config script: /etc/default/pulp_resource_manager
node resource_manager is stopped...
foreman-proxy is stopped
tomcat6 is stopped
[
output truncated
OK
]
Restart the Mongo database as it is required for upgrading the Pulp database:
# service-wait mongod start
3. Obtain the ISO file, mount it, and run the install_packages script as described in
Section 2.1.2, “Downloading from a Disconnected Network”. After executing
successfully, the script returns the following message:
Upgrade is complete. Please backup your data and run katello-installer.
4. Create a backup of the relevant databases. See How to generate database backup
for Red Hat Satellite 6.0 for instructions on backing up your databases.
5. Run the installer with the --upgrade option:
# katello-installer --upgrade
If required, add the --noop option to the command and review the
/var/log/katello-installer/katello-installer.log to see what changes
would be applied if the --noop was omitted.
Important
If you have made manual edits to DNS and DHCP configuration files, they will
be overwritten during the upgrade process. To avoid this, append the
--capsule-dns-managed=false and --capsule-dhcp-managed=false options
to the --upgrade installer command.
The katello-installer utility will back up files that it changes and log this. For
example:
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
The old file can be restored with this command:
# puppet filebucket -l restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1
6. Restart all services:
# katello-service restart
7. Update the Discovery template:
a. At the Hosts tab, select Provisioning templates.
b. Select PXELinux global default.
c. At the Template editor dialog box, in the Provisioning Template tab,
modify the PXELinux global default template discovery menu entry.
Insert the following text at the end of the template:
LABEL discovery
MENU LABEL Satellite 6 Discovery
MENU DEFAULT
KERNEL boot/fdi-image-rhel_7-vmlinuz
APPEND initrd=boot/fdi-image-rhel_7-img rootflags=loop
root=live:/fdi.iso rootfstype=auto ro rd.live.image
acpi=force rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0
rd.neednet=0 nomodeset
proxy.url=https://SATELLITE_CAPSULE_URL:9090 proxy.type=proxy
IPAPPEND 2
The proxy.type option can be either proxy or foreman. For proxy, all
communication goes through the Capsule. For foreman, the communication
goes directly to Satellite Server, which was the behavior in Satellite 6.0.
The proxy.url specifies the URL of the Satellite Capsule or Server. Both
HTTP and HTTPS protocols are supported.
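The Filebucketed log entries described in Procedure 8.2 and Procedure 8.4 can be collected after an upgrade to see which configuration files the installer replaced. The following script is an added example, not part of the original guide or of katello-installer; the function names, the timestamp prefix and every sample entry except the dhcpd.conf line with the guide's checksum are constructed, and it assumes that each log entry occupies one line and that the earliest entry for a file holds the content that existed before the first installer run in that log.

```shell
#!/bin/sh
# Added example: turn the "Filebucketed" entries of a katello-installer log
# into restore commands for review. Nothing is executed against Puppet.

# Constructed sample log. Only the first entry uses the path and checksum
# quoted in the guide; the prefix and the other entries are made up.
sample_log() {
cat <<'EOF'
[INFO 2015-08-01 10:00:01] /Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
[INFO 2015-08-01 10:00:02] /Stage[main]/Dns/File[/etc/named.conf]: Filebucketed /etc/named.conf to puppet with sum 0123456789abcdef0123456789abcdef
[INFO 2015-08-01 10:00:03] /Stage[main]/Example/File[/etc/x]: Filebucketed /etc/x to puppet with sum NOT-A-CHECKSUM
[INFO 2015-08-02 09:00:00] /Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum ffffffffffffffffffffffffffffffff
EOF
}

# Print "path sum" for every well-formed entry, in log order.
# Only an absolute path made of [A-Za-z0-9._/-] and a 32-digit hex sum are
# accepted, so malformed or tampered log text never reaches a command line.
filebucket_entries() {
    sed -n 's|.*: Filebucketed \(/[A-Za-z0-9._/-]*\) to puppet with sum \([0-9a-f]\{32\}\)[[:space:]]*$|\1 \2|p' "$1"
}

# Print one restore command per file, using the earliest backup recorded.
# A comment line flags files that were replaced more than once.
filebucket_restore_cmds() {
    filebucket_entries "$1" | awk '
        { n[$1]++; if (n[$1] == 1) { order[++k] = $1; sum[$1] = $2 } }
        END {
            for (i = 1; i <= k; i++) {
                p = order[i]
                if (n[p] > 1)
                    printf "# %s was replaced %d times; earliest backup shown\n", p, n[p]
                printf "puppet filebucket -l restore %s %s\n", p, sum[p]
            }
        }'
}

# Stand-alone use: pass the installer log as the first argument,
# or run without arguments to process the constructed sample.
if [ "$#" -gt 0 ]; then
    filebucket_restore_cmds "$1"
else
    tmp=$(mktemp)
    sample_log > "$tmp"
    filebucket_restore_cmds "$tmp"
    rm -f "$tmp"
fi
```

The output is meant to be read and compared with the current files before any of the printed commands is run.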
8.2. Upgrading Red Hat Satellite Capsule
Procedure 8.5. To Upgrade Red Hat Satellite Capsule:
1. Update the operating system:
# yum update
2. Disable the repositories for the previous version of Satellite.
A. If upgrading from Satellite 6.0 on Red Hat Enterprise Linux 7:
# subscription-manager repos --disable rhel-7-server-satellite-capsule-6.0-rpms
B. If upgrading from Satellite 6.1 Beta on Red Hat Enterprise Linux 7:
# subscription-manager repos --disable rhel-server-7-satellite-capsule-6-beta-rpms
C. If upgrading from Satellite 6.0 on Red Hat Enterprise Linux 6:
# subscription-manager repos --disable rhel-6-server-satellite-capsule-6.0-rpms
D. If upgrading from Satellite 6.1 Beta on Red Hat Enterprise Linux 6:
# subscription-manager repos --disable rhel-server-6-satellite-capsule-6-beta-rpms
3. Enable the new repositories.
A. On Red Hat Enterprise Linux 7:
# subscription-manager repos --enable rhel-7-server-satellite-capsule-6.1-rpms
B. On Red Hat Enterprise Linux 6:
# subscription-manager repos --enable rhel-6-server-satellite-capsule-6.1-rpms
4. If there are discovered hosts available, turn them off and delete all entries under
the Discovered hosts page.
5. Stop the following services to prevent dependency errors during the database
migration:
# for i in qpidd pulp_workers pulp_celerybeat pulp_resource_manager httpd; do service $i stop; done
6. Clear the repository cache and update all packages:
# yum clean all
# yum update
7. The following steps are required only if you upgrade from Satellite 6.0:
a. Install the capsule-installer package:
# yum install capsule-installer
Note
In Red Hat Satellite 6.0, the katello-installer script provided the
Satellite Capsule Server installer. In Satellite 6.1, the capsule-installer
script has its own package.
Installing capsule-installer automatically removes the katello-installer package
and saves the previous Capsule configuration and answer files.
b. Copy the previous answer file to the new capsule-installer directory:
# cp /etc/katello-installer/answers.capsule-installer.yaml.rpmsave /etc/capsule-installer/answers.capsule-installer.yaml
8. On the Satellite Server, generate an archive with new certificates:
# capsule-certs-generate --capsule-fqdn "capsule.example.com" --certs-tar "capsule.example.com-certs.tar"
Replace capsule.example.com with the fully qualified domain name of the Capsule.
Copy the archive file to the Capsule.
9. Install the Discovery plug-in if you plan to use the Capsule as a proxy for
discovered hosts:
# yum install rubygem-smart_proxy_discovery.noarch
10. Verify if the foreman_url setting refers to the Satellite Server correctly. On the
Capsule execute:
# grep foreman_url /etc/foreman-proxy/settings.yml
The above command should return the fully qualified domain name (FQDN) of the
Satellite server, for example:
:foreman_url: https://satellite.example.com
11. Restart the foreman-proxy component on the Satellite Capsule server:
# service foreman-proxy restart
12. Run the installer with the --upgrade option:
# capsule-installer --upgrade --certs-tar capsule.example.com-certs.tar
Replace capsule.example.com-certs.tar with the path to the certificate archive on
the Capsule.
Important
If you have made manual edits to DNS and DHCP configuration files, they will
be overwritten during the upgrade process. To avoid this, append the
--dns-managed=false and --dhcp-managed=false options to the --upgrade
installer command.
13. Upgrade the foreman-discovery-image package on the Satellite server and turn on
the hosts that were shut down prior to the upgrade.
8.3. Upgrading the Discovery Feature
The following steps describe how to upgrade the Discovery feature of Red Hat Satellite 6.
Procedure 8.6. How to Upgrade the Discovery Feature of Satellite 6
1. Verify that all relevant packages are up-to-date on the Satellite server:
# yum upgrade ruby193-rubygem-foreman_discovery
Restart the Satellite server if any packages were updated.
2. Upgrade the Discovery image on the Satellite Capsule that is either connected to
the provisioning network with discovered hosts or provides TFTP services for
discovered hosts.
# yum upgrade foreman-discovery-image
3. On the same instance, install the package which provides the Proxy service, and
then restart the foreman-proxy service. Discovered hosts in Satellite 6.1 are no
longer required to have direct connection to Satellite Server.
# yum install rubygem-smart_proxy_discovery
# service foreman-proxy restart
4. All subnets with discovered nodes need this specified in Satellite Server so it
connects via the Foreman Proxy. In the web UI, navigate to Infrastructure →
Capsules and verify that the desired proxy lists the Discovery feature. If it does
not, click Refresh features.
5. Navigate to Infrastructure → Subnets and select the required Smart Proxy for
each subnet that you want to use discovery, and verify that it is connected to the
Discovery Proxy.
6. Navigate to Provisioning Templates, edit the PXELinux global default template
and modify it according to the example below.
Note
Different options appear on the APPEND line compared to the Satellite 6.0
release.
LABEL discovery
MENU LABEL Satellite 6 Discovery
MENU DEFAULT
KERNEL boot/fdi-image-rhel_7-vmlinuz
APPEND initrd=boot/fdi-image-rhel_7-img rootflags=loop
root=live:/fdi.iso rootfstype=auto ro rd.live.image acpi=force
rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0 rd.neednet=0
nomodeset proxy.url=https://SATELLITE_CAPSULE_URL:9090
proxy.type=proxy
IPAPPEND 2
The proxy.type option can be either proxy or foreman. If you specify proxy then
all communication goes through the Satellite Capsule. This is the preferred method.
If you specify foreman then all communication goes directly to the Satellite Server.
This is the method used by Satellite 6.0.
Note
When using proxy type, the default port on Satellite Capsule is 9090, but for
direct communication with Satellite Server, you need to use port 80.
The proxy.url option specifies the URL of the Satellite Capsule or Server
depending on the previous setting. Both HTTP and HTTPS schemes are supported.
It is possible to omit the proxy.url option to determine the Capsule DNS name
from its SRV record. This might be useful when there are multiple discovery
subnets. Review the global settings and permissions in the Satellite Server user
interface. See the Red Hat Satellite 6.1 User Guide for more information.
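The proxy.type, proxy.url and port rules given for the discovery menu entry in Procedure 8.4 and Procedure 8.6 can be checked on a saved copy of the template before it is put into use. The following script is an added example, not part of the original guide or of Satellite; the function names and both sample templates are constructed, capsule.example.com stands in for a real Capsule, and it assumes the APPEND directive is a single line in the actual template.

```shell
#!/bin/sh
# Added example: lint the "LABEL discovery" stanza of a saved copy of the
# PXELinux global default template against the rules stated in this section.
# Assumption: in the real template the APPEND directive is one physical line.

# Constructed sample: placeholder replaced, Capsule on its default port.
sample_ok() {
cat <<'EOF'
LABEL discovery
MENU LABEL Satellite 6 Discovery
MENU DEFAULT
KERNEL boot/fdi-image-rhel_7-vmlinuz
APPEND initrd=boot/fdi-image-rhel_7-img rootflags=loop root=live:/fdi.iso rootfstype=auto ro rd.live.image acpi=force rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0 rd.neednet=0 nomodeset proxy.url=https://capsule.example.com:9090 proxy.type=proxy
IPAPPEND 2
EOF
}

# Constructed sample: template pasted verbatim, plain HTTP, mismatched port.
sample_bad() {
cat <<'EOF'
LABEL local
LOCALBOOT 0
LABEL discovery
KERNEL boot/fdi-image-rhel_7-vmlinuz
APPEND initrd=boot/fdi-image-rhel_7-img proxy.url=http://SATELLITE_CAPSULE_URL:9090 proxy.type=foreman
IPAPPEND 2
EOF
}

# Reads a template from the named file or from stdin.
# Prints findings and returns 1 if any ERROR was found, 0 otherwise.
check_discovery_stanza() {
    awk '
    toupper($1) == "LABEL" { in_disc = ($2 == "discovery"); next }
    in_disc && toupper($1) == "APPEND" {
        found = 1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^proxy\.url=/)  url   = substr($i, 11)
            if ($i ~ /^proxy\.type=/) ptype = substr($i, 12)
        }
    }
    END {
        if (!found) { print "ERROR: no APPEND line under LABEL discovery"; exit 1 }
        if (ptype == "")
            print "WARN: proxy.type is not set; the guide sets it explicitly"
        else if (ptype != "proxy" && ptype != "foreman") {
            print "ERROR: proxy.type must be proxy or foreman, found " ptype; bad = 1
        }
        if (url == "") {
            print "INFO: proxy.url omitted; the Capsule name is taken from its DNS SRV record"
        } else {
            if (url ~ /SATELLITE_CAPSULE_URL/) {
                print "ERROR: placeholder SATELLITE_CAPSULE_URL was not replaced"; bad = 1
            }
            if (url !~ /^https?:\/\/[^\/:]+/) {
                print "ERROR: proxy.url must be an http or https URL, found " url; bad = 1
            } else if (url ~ /^http:/)
                print "WARN: proxy.url uses HTTP; discovery traffic is not encrypted"
            port = url
            sub(/^[a-z]+:\/\/[^\/:]*:?/, "", port)   # strip scheme, host and colon
            sub(/\/.*$/, "", port)                   # strip any path
            if (ptype == "proxy" && port != "9090")
                print "WARN: proxy.type=proxy but the port is not the Capsule default 9090"
            if (ptype == "foreman" && port == "9090")
                print "WARN: proxy.type=foreman with Capsule port 9090; the guide uses port 80 for the Server"
        }
        print (bad ? "RESULT: fail" : "RESULT: pass")
        exit (bad ? 1 : 0)
    }' "$@"
}

# Stand-alone use: pass the saved template as an argument,
# or run without arguments to check the two constructed samples.
if [ "$#" -gt 0 ]; then
    check_discovery_stanza "$@"
else
    sample_ok  | check_discovery_stanza
    sample_bad | check_discovery_stanza || true
fi
```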
8.4. Upgrading Red Hat Satellite Clients
The katello-agent package from Satellite 6.0 is not compatible with Red Hat Satellite 6.1.
You need to manually upgrade to the new version of katello-agent on all Satellite clients.
Procedure 8.7. To Upgrade the katello-agent Package:
1. Log in to the client system and enable the Satellite tools repository.
# subscription-manager repos --enable=rhel-version-server-satellite-tools-6.1-rpms
Replace version with 6 or 7 depending on the Red Hat Enterprise Linux version you
are using.
2. Synchronize the repository. Replace ID with the ID of the tools repository.
# hammer repository synchronize --id ID
3. Upgrade the katello-agent package.
# yum upgrade katello-agent
Important
It is currently not possible to upgrade the agent using Red Hat Satellite before
upgrading Satellite itself.
8.5. Upgrading Between Minor Versions of Satellite
This procedure must be followed to upgrade between minor versions, for example, from
6.1.8 to 6.1.9.
Prerequisites
Ensure you have synchronized Satellite Server repositories for Satellite, Capsule, and
Satellite Tools.
Ensure each external Capsule and Content Host can be upgraded by promoting the
updated repositories to all relevant content views.
Procedure 8.8. Upgrading the Satellite Server to the Next Minor Version
1. On a self-registered Satellite, download all packages before stopping Satellite
Server:
# yum update --downloadonly
2. Stop services:
# katello-service stop
output omitted
Success!
3. Update all packages:
# yum update
4. If a kernel update occurs, reboot the system:
# reboot
5. Perform the upgrade:
# katello-installer --upgrade
6. On a self-registered Satellite, restart goferd:
A. On Red Hat Enterprise Linux 6:
# service goferd restart
B. On Red Hat Enterprise Linux 7:
# systemctl restart goferd
Procedure 8.9. Upgrading a Capsule Server to the Next Minor Version
1. Stop services:
# katello-service stop
output omitted
Success!
2. Update all packages:
# yum update
3. If a kernel update occurs, reboot the system:
# reboot
4. Perform the upgrade:
# capsule-installer --upgrade
5. Restart goferd:
A. On Red Hat Enterprise Linux 6:
# service goferd restart
B. On Red Hat Enterprise Linux 7:
# systemctl restart goferd
Procedure 8.10. Upgrading a Content Host to the Next Minor Version
1. Update all packages:
# yum update
2. If a kernel update occurs, reboot the system:
# reboot
3. Restart goferd:
A. On Red Hat Enterprise Linux 6:
# service goferd restart
B. On Red Hat Enterprise Linux 7:
# systemctl restart goferd
[10] https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/chap-Red_Hat_Satellite-User_Guide-Configuring_Activation_Keys.html
[11] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-yum.html#s1-yum-upgrade-system
[12] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7Beta/html/System_Administrators_Guide/ch-yum.html#s1-yum-upgrade-system
Chapter 9. Next Steps
The content of the Installation Guide takes you through installing Red Hat Satellite Server,
Capsule Server, and setting up the repositories so that client host systems can update
from the Satellite Server. There are other configuration steps you will need to take to
take full advantage of your Red Hat Satellite Server and Capsule Server. The Red Hat
Satellite 6.1 User Guide can assist in configuring life cycle environments, products,
organizations, locations, and other components while the Red Hat Satellite Provisioning
Guide can assist with setting up a working provisioning environment for your Red Hat
Satellite Server.
Chapter 10. Uninstalling Red Hat Satellite Server and Capsule Server
Warning
The following procedures will erase all applications that are used with Red Hat
Satellite Server or Red Hat Satellite Capsule Server on the target system. If you
are using any of these applications or application data for any other purposes than
Red Hat Satellite, back up the information before running these scripts.
Removing Satellite Server
The command to uninstall Red Hat Satellite Server is katello-remove. The uninstall script
will issue a warning twice, requiring confirmation before it removes all packages and
configuration files in the system. Below is a sample output of the command:
# katello-remove
WARNING: This script will erase many packages and config files.
Important packages such as the following will be removed:
* elasticsearch
* httpd (apache)
* mongodb
* tomcat6
* puppet
* ruby
* rubygems
* All Katello and Foreman Packages
Once these packages and configuration files are removed there is no
going back.
If you use this system for anything other than Katello and Foreman you
probably
do not want to execute this script.
Read the source for a list of what is removed. Are you sure(Y/N)? y
ARE YOU SURE?: This script permanently deletes data and configuration.
Read the source for a list of what is removed. Type [remove] to
continue? remove
Shutting down Katello services...
...
Removing Capsule Server
The command to uninstall Red Hat Satellite Capsule Server is capsule-remove from the
capsule-installer package. Same as katello-remove, capsule-remove will issue a warning
twice, requiring confirmation before removing the content.
Appendix A. Glossary of Terms
The following terms are used throughout this document. Familiarize yourself with these
terms to help your understanding of Red Hat Satellite 6.
Activation Key
A registration token used in a Kickstart file to control actions at registration. These
are similar to Activation Keys in Red Hat Satellite 5, but provide a subset of
features because Puppet controls package and configuration management after
registration.
Application Life Cycle Environment
An Application Life Cycle Environment represents a step, or stage, in a promotion
path through the Software Development Life Cycle (SDLC). Promotion paths are
also known as development paths. Content such as packages and Puppet
modules move through life cycle environments by publishing and promoting
Content Views. All Content Views have versions, which means you can promote a
specific version through a typical promotion path; for example, from development
to test to production. Channel cloning implements this concept in Red Hat
Satellite 5.
Attach
The process of associating a Subscription to a Host that provides access to RPM
content.
Capsule
A Capsule is an additional server that can be used in a Red Hat Satellite 6
deployment to facilitate content federation and distribution in addition to other
localized services (Puppet Master, DHCP, DNS, TFTP, and more).
Catalog
A Catalog is a document that describes the desired system state for one specific
computer. It lists all of the resources that need to be managed, as well as any
dependencies between those resources.
Compute Profile
Compute Profiles specify default attributes for new virtual machines on a compute
resource.
Compute Resource
A Compute Resource is virtual or cloud infrastructure, which Red Hat Satellite 6
uses for deployment of hosts and systems. Examples include Red Hat
Enterprise Virtualization Manager, OpenStack, EC2, and VMWare.
Content
Content includes software packages (RPM files) and Puppet modules. These are
synchronized into the Library and then promoted into Life Cycle Environments
using Content Views so that they can be consumed by Hosts.
Content Delivery Network (CDN)
The Content Delivery Network (CDN) is the mechanism used to deliver Red Hat
content in a geographically co-located fashion. For example, content that is
synchronized by a Satellite in Europe pulls content from a source in Europe.
Content Host
A Content Host is the part of a host that manages tasks related to content and
subscriptions.
Content View
A Content View is a definition of content that combines products, packages, and
Puppet modules with capabilities for intelligent filtering and creating snapshots.
Content Views are a refinement of the combination of channels and cloning from
Red Hat Satellite 5.
External Node Classifier
An External Node Classifier is a Puppet construct that provides additional data for a
Puppet Master to use when configuring Hosts. Red Hat Satellite 6 acts as an
External Node Classifier to Puppet Masters in a Satellite deployment.
Facter
Facter is a program that provides information (facts) about the system on which it
is run; for example, Facter can report total memory, operating system version,
architecture, and more. Puppet modules enable specific configurations based on
host data gathered by Facter.
Hammer
Hammer is a command line tool for Red Hat Satellite 6. Use Hammer to manage
Red Hat Satellite 6 as a standard CLI, for scripts, and also through an interactive
shell.
Hiera
Hiera is a key/value look-up tool for configuration data which allows keeping
site-specific data out of puppet manifests.
Host
A Host refers to any system, either physical or virtual, that Red Hat Satellite 6
manages.
Host Collection
A Host Collection is equivalent to a Satellite 5 System Group, that is, a user
defined group of one or more Hosts.
Host Group
A Host Group is a template for building a Host. This includes the content view
(which defines the available RPM files and Puppet modules) and the Puppet
classes to apply (which ultimately determines the software and configuration).
Location
A Location is a collection of default settings that represent a physical place. These
can be nested so that you can set up a hierarchical collection of locations. For
example, you can set up defaults for "Middle East", which are refined by "Tel
Aviv", which are further refined by "Data Center East", and then finally by "Rack
22".
Library
The Library contains every version, including the latest synchronized version, of
the software that the user will ever deploy. For an Information Technology
Infrastructure Library (ITIL) [13] organization or department, this is the Definitive
Media Library [14] (previously named the Definitive Software Library).
Manifest
A Manifest transfers subscriptions from the Customer Portal to Red Hat Satellite 6.
This is similar in function to certificates used with Red Hat Satellite 5.
For more information about certificates and subscription types, see:
RHN Classic, Red Hat Satellite, and Channel Entitlements [15]
The Structure of Satellite Certificates (Classic Style of Certificates) [16]
Organization
An Organization is an isolated collection of systems, content, and other
functionality within a Satellite 6 deployment.
Product
A collection of content repositories. Products can be Red Hat products or
newly-created products made up of software and configuration content.
Promote
The act of moving a content view comprised of software and configuration content
from one Application Life Cycle Environment to another, such as moving from
development to QA to production.
Provisioning Template
A Provisioning Template is a user-defined template for Kickstart files, snippets,
and other provisioning actions. In Satellite 6 they provide similar functionality to
Kickstart Profiles and cobbler Snippets in Red Hat Satellite 5.
Pulp Node
A Pulp Node is a Capsule Server component that mirrors content. This is similar to
the Red Hat Satellite 5 Proxy. The main difference is that content can be staged
on the Pulp Node before it is used by a Host.
Puppet Agent
The Puppet Agent is an agent that runs on a Host and applies configuration
changes to that Host.
Puppet Master
A Puppet Master is a Capsule Server component that provides Puppet manifests
to Hosts for execution by the Puppet Agent.
Puppet Module
A Puppet Module is a self-contained bundle of code and data that you can use to manage resources such as users, files, and services.
Repository
A Repository provides storage for a collection of content. For example, a YUM repository or a Puppet repository.
Role
A Role specifies a collection of permissions that are applied to a set of resources, such as Hosts.
Smart Proxy
A Smart Proxy is a Capsule Server component that can integrate with external services, such as DNS or DHCP.
Smart Variable
A Smart Variable is a configuration value that controls how a Puppet Class behaves. This can be set on a Host, a Host Group, an Organization, or a Location.
Standard Operating Environment (SOE)
A Standard Operating Environment (SOE) is a controlled version of the operating system on which applications are deployed.
Subscription
Subscriptions are the means by which you receive content and service from Red Hat.
Synchronizing
Synchronizing refers to mirroring content from external resources into the Red Hat Satellite 6 Library.
Synchronization Plans
Synchronization Plans provide scheduled execution of content synchronization.
User Group
A User Group is a collection of roles which can be assigned to a collection of users. This is similar to a Role in Red Hat Satellite 5.
User
A user is anyone registered to use Red Hat Satellite. Authentication and authorization is possible through built-in logic, through external LDAP resources, or with Kerberos.
[13] http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
[14] http://en.wikipedia.org/wiki/Definitive_Media_Library
[15] https://access.redhat.com/site/documentation/en-US/Red_Hat_Subscription_Management/1/html/MigratingRHN/sat-certs.html
[16] https://access.redhat.com/site/documentation/en-US/Red_Hat_Subscription_Management/1/html/Subscription_Concepts_and_Workflows/index.html#subscr-legacy
Appendix B. Revision History
Revision 1-68
Tue 13 Sept 2016
Brandi Munilla
Bug 1364249 - Incorrect commands in satellite 6.1 installation document.
Revision 1-67
Tue 18 Aug 2016
Stephen Wadeley
Bug 1362527 - Provide instructions on how to perform upgrades between minor releases.
Revision 1-66
Tue 02 Aug 2016
Stephen Wadeley
Bug 1346928 - Missing port in Satellite to Capsule communication in chapter 7.2.3.
Revision 1-65
Wed Apr 27 2016
Russell Dickenson
BZ#1322207 - Amended subscription manager example command.
Revision 1-64
Tue Dec 15 2015
Russell Dickenson
BZ#1249288 - Updated the section on setting a custom server certificate.
Revision 1-63
Mon Nov 16 2015
Hayley Hudgeons
Building for async 2.
Revision 1-62
Mon Oct 12 2015
Hayley Hudgeons
Building for async 1.
Revision 1-61
Thu Sept 24 2015
Megan Lewis
BZ#1146946 - Integrated peer review feedback.
Revision 1-60
Mon Sept 21 2015
Megan Lewis
BZ#1146946 - Added chapter on Configuring a Self-Registered Satellite.
Revision 1-59
Tues August 25 2015
Hayley Hudgeons
Re-building GA docs to include html-single format.
Revision 1-58
Fri August 7 2015
Ella Deon Ballard
Building for GA.
Revision 1-57
Mon August 3 2015
Jo Somers
BZ#1243608 Added supported upgrade paths to chapter 7 Upgrading Red Hat Satellite Server and Capsule Server
Revision 1-56
Fri July 24 2015
Megan Lewis
BZ#1209249 Reverted changes to 2.2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate.
Revision 1-55
Thu July 23 2015
Jo Somers
BZ 1206788: Section 4.2 Disconnected Satellite, updated to match Satellite 6.1 User Guide, section Disconnected Satellite.
Revision 1-54
Thu July 23 2015
David O'Brien
BZ 1205469: Review section on obtaining packages for connected and disconnected environments. Minor updates.
Revision 1-53
Tue July 21 2015
Jo Somers
BZ#1234016 Changed subscription-manager --env option in section Obtaining the Required Packages for the Capsule Server, Prerequisites, Step 2.
Revision 1-52
Mon July 20 2015
Megan Lewis
BZ#1243608 Added important note to 1.4. Prerequisites, 6.2. Red Hat Satellite Capsule Server Prerequisites, and Chapter 7. Upgrading Red Hat Satellite Server and Capsule Server stating that Satellite server and Capsule versions must match.
BZ#1209249 Updated 2.2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate with --foreman-server flags.
Revision 1-51
Fri July 17 2015
Jo Somers
Fix BZ1242526 section 7.1 Upgrading RH Satellite Capsule Servers, Added warning
Fix BZ1241273 section 7.1 Upgrading RH Satellite Capsule Servers, Added new step 9 Restart all services'
Fix BZ1235777 Section 6.4 Running the Installation and Configuration Program for Capsule Server, Prerequisites: Added two commands after note and rewrote Section 6.4.1 Adding a Capsule Server
Revision 1-50
Thu July 16 2015
Jo Somers
Fix BZ1241461 section 7.1 Upgrading Red Hat Satellite Server and Capsule server, step 6 changed
Fix BZ1230332 section 2.2.1 Configuring Red Hat Satellite Manually, step 2a and step 2b changed uid-owner katello to uid-owner foreman
Revision 1-49
Tue July 14 2015
David O'Brien
Remove draft status.
Rebuild for technical review.
Revision 1-48
Mon July 13 2015
Megan Lewis
BZ#1200617 Corrected the directory used throughout the procedure.
Revision 1-47
Sat July 11 2015
David O'Brien
BZ #1241581 Clarify requirement to manually upgrade katello-agent on all clients.
Revision 1-46
Wed July 8 2015
Jo Somers
BZ#1200617 Corrected Step 4 and combined steps 7 and 8 in section 4.2 Disconnected Satellite.
Revision 1-45
Thu July 2 2015
Jo Somers
BZ#1171611 Corrected error in Step 2 of section 6.7 Registering Host Systems to a Red Hat Satellite Capsule Server.
Revision 1-44
Wed July 1 2015
Megan Lewis
BZ#1206788 Corrected error in Step 2 of 4.2.4. Importing Content to a Disconnected Satellite Server.
Revision 1-43
Thu Jun 25 2015
Jo Somers
BZ 1234705 Changed channel to repository in sections Red Hat Satellite 6 Supported Usage, Prerequisites, Synchronization Status, Base Operating Systems, Downloading from a Disconnected Network
Revision 1-42
Wed Jun 24 2015
Jo Somers
BZ 1200617 Deleted sections: Configuring the Synchronization Host, Synchronizing Content, Exporting Content
Revision 1-41
Mon Jun 15 2015
David O'Brien
6.1 Public Beta release.
Add edition number.
Revision 1-40
Thu June 8 2015
Jo Somers
BZ 1180277 Changed firewall-cmd --reload in section Required Network Ports.
BZ 1180277 In section Application Specifications, added Red Hat Enterprise Linux 7 chronyd command.
Revision 1-39
Thu June 4 2015
Jo Somers
BZ 1180277 Added firewall-cmd --reload to section Configuring Red Hat Satellite Manually.
Revision 1-38
Wed May 27 2015
David O'Brien
BZ 1216072 Cleaned up instances of "beta" in GA release.
Revision 1-37
Wed May 13 2015
David O'Brien
Add chapter on virt-who for tech review.
Revision 1-36
Mon May 11 2015
David O'Brien
Tech review version.
Revision 1-35
Mon May 4 2015
Athene Chan
BZ#1195556 Updated the "Registering Host Systems to the Red Hat Capsule Server" section.
Updated the instructions to installing a Capsule Server and the types of Capsule Servers.
Rearranged configuration options.
BZ#1209761 Removed the option "-v" in the "katello-installer" command from the "Configuring DNS, DHCP and TFTP" section.
BZ#1212974 Added UDP firewall rules to port 53 in the "Required Network Ports" section.
BZ#1129498 Removed the "#" at the beginning of the commands in the "Required Network Ports" section of the Capsule Server section.
BZ#1167898 Removed unsupported DNS support from the "Red Hat Satellite Capsule Server" section.
BZ#1188300 Added port 8443 as a required free port for subscription management services in the Prerequisites section.
Revision 1-34
Thu April 30 2015
Megan Lewis
BZ#1175924 Updated note in 4.2.4. Importing Content to a Disconnected Satellite Server.
Revision 1-33
Wed April 29 2015
Megan Lewis
BZ#1175835 Updated example in 4.2.2 Synchronizing Content.
BZ#1175924 Updated Step 7 of 4.2.4. Importing Content to a Disconnected Satellite Server.
Fixed typos in 4.2.4. Importing Content to a Disconnected Satellite Server.
Revision 1-32
Tue April 28 2015
Athene Chan
BZ#1202055 Changed the instructions as per comment #8 in the bug to reflect the correct procedure for upgrading Capsule Servers.
Revision 1-31
Mon April 27 2015
Jo Somers
BZ#1171697 In section Prerequisites, added hostname requirements
Revision 1-30
Fri April 24 2015
Jo Somers
BZ#1171611 In section Registering Host Systems to a Red Hat Satellite Capsule, changed subscription-manager command from org name to org label
Revision 1-29
Thu April 23 2015
Megan Lewis
BZ#1192272 Corrected error in Configuring Red Hat Satellite with an Answer File.
Revision 1-28
Wed April 22 2015
Athene Chan
Updated all prerequisites from Red Hat Enterprise Linux 6.5 to 6.6.
Revision 1-29
Wed April 22 2015
Jo Somers
In section Prerequisites, updated ports in table 1.26.5 to 6.6.
Revision 1-27
Wed April 15 2015
Athene Chan
BZ#1180715 Added a table to the "Storage" prerequisites.
BZ#1174453 Changed "katello-installer" to "capsule-installer" in the "Obtaining the Required Packages for the Capsule Server" section.
BZ#1205493 Updated procedure for creating a manifest.
Revision 1-26
Updated brand.
Wed April 8 2015
Revision 1-25
Fri April 1 2015
Restructured the installation guide's table of contents.
Megan Lewis
Athene Chan
Revision 1-24
Fri April 1 2015
Athene Chan
BZ#1166191 Added a note about chained certificates.
Changed the procedure to "Setting Up a Manifest" in accordance to the changes in the Customer Portal.
BZ#1145823 Changed a step to make sure that organization names are used for the "Satellite Name" when registering a Satellite for manifests.
BZ#1194392 Clarified that the Satellite subscription should not be attached to the manifest.
BZ#1185849 Changed the output if the subscription SKU and changed the second step in the procedure "To Install a Satellite Capsule Server on a Certificate-managed System"
BZ#1185836 Added "Capsule" to the note in the "Red Hat Satellite Capsule Server Prerequisites" section.
BZ#1174578 Removed duplicated capsule registration steps in "Installing a Red Hat Satellite Capsule Server" and "Configuring a Red Hat Satellite Capsule Server".
BZ#1173816 Removed the firewall rules on elasticsearch in the "Configuring a Red Hat Satellite Capsule Server" section as the Capsule server does not use elasticsearch.
Changed the repository names to correct Beta repositories for both the Satellite Server and Capsule.
BZ#1173680 Added a note on the Storage prerequisites section about latency and networked storage.
BZ#1176479 Added information on configuring DNS, DHCP, and TFTP to the Configuration Options.
Added firewall port 5674 for amqp connections and SELinux considerations for amqp in the prerequisites section.
Revision 1-23
Mon Mar 30 2015
David O'Brien
BZ 1203878: Update RH Common repository name to Satellite Tools.
Revision 1-22
Wed Mar 23 2015
Jo Somers
BZ#1201194 In section Prerequisites, added Red Hat Enterprise Linux 6.6 or later
Revision 1-21
Wed Mar 23 2015
Jo Somers
BZ#1201193 Added Red Hat Enterprise Linux 6.6 or later and reference to solution article in section Installing Red Hat Satellite with an ISO Image-Prerequisites
Revision 1-20
Wed Mar 18 2015
Jo Somers
BZ#1200617 Added new steps 1-6 in section Importing Content to a Disconnected Satellite Server.
Revision 1-19
Tue Mar 17 2015
Athene Chan
BZ#1170334 Added network ports to be opened as a prerequisite to installation.
BZ#1193153 sentence structure change to procedure statement.
Revision 1-18
Thu Mar 12 2015
Jo Somers
BZ#1119934 In section Configuring Red Hat Satellite Manually, Procedure 2.2 Running the Installer Script: changed Step 1 katello-installer command
Revision 1-17
Mon Mar 09 2015
David O'Brien
BZ#1166642 Add comment to enable SELinux and relabel files after installation if SELinux was disabled during installation.
Revision 1-16
Wed Mar 03 2015
Jo Somers
Fix BZ 1170713 In section Installing Red Hat Satellite, Procedure 2.1, for Red Hat Enterprise Linux 7, added repo names before yum install
Revision 1-15
Fri Feb 27 2015
David O'Brien
BZ#1183657 Add "puppet module" and "catalog" to Glossary
Revision 1-14
Wed Feb 25 2015
Athene Chan
BZ#1180191 Corrected the required RPMs to install for synchronizing hosts in a disconnected Satellite Server.
Revision 1-13
Tue Feb 18 2015
Jo Somers
BZ#1180277 Corrected firewall command from complete reload to reload in section Red Hat Satellite Capsule Server Prerequisites.
BZ#1180277 Added firewall reload command in section Configuring a Red Hat Satellite Capsule Server.
Revision 1-12
Mon Feb 9 2015
Megan Lewis
BZ#1178176 Further corrections in 4.2.4. Importing Content to a Disconnected Satellite Server.
BZ#1177574 Added line breaks to Procedure 2.5 in 2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate.
Revision 1-11
Fri Jan 23 2015
Athene Chan
BZ#1184589 Emphasize what base operating system variants is required for Red Hat Satellite.
Revision 1-10
Fri Jan 23 2015
Megan Lewis
BZ#1178176 Corrected 40G to 40GB in 4.2.4. Importing Content to a Disconnected Satellite Server.
BZ#1179022 Corrected errors in examples in 5.4. Configuring a Red Hat Satellite Capsule Server.
Revision 1-9
Fri Jan 23 2015
Athene Chan
BZ#1177568 Replaced the "service" and "chkconfig" command for chronyd to the recommended "systemctl" command instead.
Revision 1-8
Wed Jan 21 2015
David O'Brien
BZ 1184306 - Make the requirement for a Base install more obvious.
Revision 1-7
Thu Dec 18 2014
Megan Lewis
BZ#1168273 Corrected package name for installing puppet agent.
BZ#1169499 Clarified supported Red Hat Enterprise Linux variants in Prerequisites.
BZ#1164251 Corrected example in Adding Lifecycle Environments to a Red Hat Satellite Capsule Server.
BZ#1167904 Added chrony and sos into the prerequisites for install.
Revision 1-6.2
Thu Nov 19 2014
Athene Chan
Added additional admin and password options to the katello-installer.
Removed hashes on the firewall requirements.
Included references to support for scripting frameworks in the Puppet Supported Usage paragraph.
Revision 1-6.1
Friday Nov 14 2014
Athene Chan
BZ#1153567 Added a "Capsule Scalability" section.
Revision 1-6
Thu Nov 13 2014
Athene Chan
BZ#1153564 Added a "Next Steps" chapter.
BZ#1153772 Added firewall configuration and additional steps to ensure that the Satellite Server can go through the HTTP Proxy without issues.
BZ#1146574 Changed the gpg file name.
Revision 1-5
Tue Nov 11 2014
Athene Chan
BZ#1132840
BZ#1152630
BZ#1150412
BZ#1143746
Added two advanced firewall consideration tables in the prerequisites.
Edited incorrect reference to Red Hat Enterprise Linux 7.
Added "--complete-reload" to the firewall-cmd firewall commands.
Changed incorrect certs-server-key in procedure 2.4.
Revision 1-4
Mon Nov 10 2014
Athene Chan
BZ#1152630 Added RHEL7 firewall-cmd command examples for the firewall requirements.
Revision 1-3
Fri Nov 7 2014
Athene Chan
BZ#1161254 Added a new firewall rule to the list of firewall rules to allow katello-installer to run after initial install. Moved the firewall rules to the "Configuring Red Hat Satellite" sections to prevent errors.
Revision 1-2.02
Fri Oct 3 2014
Athene Chan
Various edits from translators' feedback.
BZ#1147673 Removed MS DHCP from supported DHCP features.
BZ#1140520 Changed all "ACME_Corporation" entries to the correct default organization entry "Default Organization".
BZ#1139806 Added a note in the Prerequisites sections for Red Hat Satellite Server and Red Hat Satellite Capsule Server that the host system has to be updated before installing Red Hat Satellite.
BZ#1138430 Changed "yum-config-manager" to "subscription-manager" to match the procedure description to the command block.
BZ#1141954 Added example repositories to the "Enabling Red Hat Repositories" section and a note to enable RH Common repositories for client systems.
BZ#1140722 Added note to highlight that the command needs to change if the repository is different from the example command.
Revision 1-2.01
Fri Sep 12 2014
Athene Chan
BZ#1140875 Added firewall rules after the Satellite Server and Capsule Server installation.
Revision 1-2
Thu Sep 11 2014
Athene Chan
BZ#1140422 Changed the repository names for Red Hat Satellite Server and Red Hat Satellite Capsule Server.
Revision 1-1
Wed Sep 10 2014
Athene Chan
Added additional ports in the Prerequisites section.
Revision 1-0
Tue Sep 9 2014
Athene Chan
Red Hat Satellite 6.0 GA Release
Revision 0-34
Thu Aug 21 2014
Athene Chan
BZ#1131360 Replaced an option on the command to reflect the correct one.
Revision 0-33
Tue Aug 12 2014
Athene Chan
BZ#1130208 Added "Red Hat Software Collections" as a channel to enable.
BZ#1129104 Add requirement to make port 8080 available for katello installation. Update how to configure iptables accordingly.
BZ#1125241 Added a note that default location and default organization can be changed after initial configuration.
BZ#1044558 Added chapter on http proxy configuration options in katello-installer.
BZ#1120492 Added a note in "Red Hat Satellite Server Supported Usage" about embedded tomcat deployments.
BZ#1125299 Added references to "next steps" sections in the "Installing Red Hat Satellite" chapter.
BZ#1125357 Removed the deprecated repository directories.
BZ#1121814 Corrected the Satellite Capsule Server installer option.
BZ#1089086 Included file size recommendations in the Prerequisites.
BZ#1119866 Added the Red Hat Software Collections package as a required package for the Satellite Capsule Server installation.
BZ#1118406 Added a table of ports, protocols and services in the Prerequisites section.
BZ#1120855 Various corrections on file names and commands.
BZ#1121676 Added a note that all hammer commands are ran on the Satellite Server.
BZ#1113811 Created the section "Red Hat Satellite 6 Supported Usage".
BZ#1128922 Added a "Results" subsection.
BZ#754728 Added sections "Configuring Red Hat Satellite with a Custom Server Certificate" and "Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate"
BZ#1122183 Changed the entry on Account Username and added an example for Base DN.
BZ#1129498 Group iptables commands for better readability.
Revision 0-32
Fri Jul 11 2014
Athene Chan
BZ#1157545, BZ#115047, BZ#1116471, BZ#1117052, BZ#1117052, BZ#1115065 Minor edits, spelling errors and revisions to text.
Revision 0-31
Mon Jun 30 2014
Athene Chan
Book published for Beta Release.
Revision 0-30
Tue Jun 24 2014
Dan Macpherson
Second test brewing for Beta.
Revision 0-29
Tue Jun 24 2014
Dan Macpherson
Test brewing for Beta.
Revision 0-28
Mon Nov 11 2013
Dan Macpherson
Fixing minor error.
Revision 0-27
Mon 11 Nov 2013
Dan Macpherson
Preparation for MDP2.
Revision 0-26
Mon 11 Nov 2013
Athene Chan
BZ#1024530, 1027466 Additional edits to steps for Satellite nodes.
Revision 0-25
Thu 7 Nov 2013
Megan Lewis
BZ#1027461 Added steps to create activation key and retrieve oauth secret. Added note to verify nodes exist.
Revision 0-24
Thu 7 Nov 2013
Athene Chan
BZ#1027466 Added a small section on using Satellite nodes. Added synchronization step.
Revision 0-23
Wed 30 Oct 2013
Athene Chan
BZ#1024438 changed procedures to accommodate yum-utils installation.
BZ#1024529 removed katello.yml instructions as this is not preferred way of LDAP configuration.
BZ#1024559 Added foreman-libvirt to the yum install command.
BZ#1024530 Added new information to the section on Satellite Nodes.
Revision 0-22
Tue 29 Oct 2013
Athene Chan
BZ#1024094 yum-utils command updated.
Revision 0-21
Wed 09 Oct 2013
Dan Macpherson
Finalizing QE review implementation
Revision 0-20
Wed 2 Oct 2013
Athene Chan
BZ#1014402 Installation requirements updated.
Revision 0-19
Wed 2 Oct 2013
Athene Chan
BZ#1014402 Prerequisites for installation updated.
Revision 0-18
Tue 1 Oct 2013
Athene Chan
BZ#1009719, 971944 Minor spelling and grammar edits.
Revision 0-17
Thu 19 Sep 2013
Athene Chan
BZ#1009719 Updated the Prerequisites and the install instructions.
Revision 0-16
Tue 17 Sep 2013
Athene Chan
BZ#971944 Added storage requirements for Satellite.
Revision 0-15
Wed 11 Sep 2013
Megan Lewis
Integrating QE feedback.
Revision 0-14
Mon 12 Aug 2013
Dan Macpherson
Removing draft watermark.
Revision 0-13
Mon 12 Aug 2013
Dan Macpherson
Preparing documentation for technical review.
Revision 0-09
Thu 20 June 2013
Dan Macpherson
Correction to repo label for installation.
Revision 0-08
Thu 20 June 2013
Dan Macpherson
Added MDP1 status.
Revision 0-07
Wed 19 June 2013
Athene Chan
Revised channel for installation.
Revision 0-06
Thu 13 June 2013
Athene Chan
Edited book for grammatical errors and sentence structure.
Revision 0-05
Tue 11 June 2013
Athene Chan
Added Chapters for manifests and for synchronization.
Edited sections based on technical review feedback.
Revision 0-04
Fri 31 May 2013
Athene Chan
Changed field names in the Satellite: Provisioning LDAP section.
Revision 0-03
Thu 30 May 2013
Athene Chan
Renamed all web application components to the rebranded names of "Red Hat Satellite: Content and Entitlement" and "Red Hat Satellite: Provisioning and Configuration".
Revision 0-02
Tue 28 May 2013
Athene Chan
Incorporated technical review edits.
Updated commands for installing Red Hat Satellite.
Standardized tagging of components.
Revision 0-01
Fri 17 May 2013
Athene Chan
Initial book creation