Red Hat Satellite 6.1 Installation Guide Installing and Configuring Satellite Edition 4 Red Hat Satellite Documentation Team Red Hat Satellite 6.1 Installation Guide Installing and Configuring Satellite Edition 4 Red Hat Satellite Documentation Team Legal No tice Copyright © 2015 Red Hat. This document is licensed by Red Hat under the Creative Commons AttributionShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners. Abstract This document describes how to install Red Hat Satellite. It also steps through the basic configuration requirements to get Satellite running in your environment. T able o f Co nt e nt s T able o f Co ntents . .hapt C . . . .e.r. 1. . . Int . . .r.o.duc . . .t.io . .n. t.o. .Re . .d. Hat . . . .Sat . . .e. llit . . .e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . 1 .1. Red Hat Satellite 6 System Architecture 3 1 .2. Red Hat Satellite 6 System C om ponents 7 1 .3. Red Hat Satellite 6 Supported Usage 7 1 .4. P rerequisites 9 . .hapt C . . . .e.r. 2. . . Ins . . .t.alling . . . . . Re ..d . .Hat . . . .Sat . . .e.llit . .e . .Se . . r.ve . . r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21 .......... 2.1. O btaining the Required P ackages 21 2.2. Running the Installation and C onfiguration P rogram 24 2.3. O ptional C onfiguration O ptions 27 . .hapt C . . . .e.r. 3. . . Lo . . gging . . . . . .in . .t.o. Re . . .d. Hat . . . .Sat . . .e.llit . . .e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 .......... 3 .1. O rganizations 34 3 .2. C hanging Your Account P references 36 3 .3. Additional Resources 37 . .hapt C . . . .e.r. 4. .. Po . . .pulat . . . . ing . . . .Re . .d. Hat . . . .Sat . . .e. llit . . .e. wit . . .h. .Co . .nt . .e.nt . . . . . . . . . . . . . . . . . . . . . . . . . .38 .......... 4 .1. C onnected Satellite 38 4 .2. Disconnected Satellite 46 . .hapt C . . . .e.r. 5. . . Co . . nf . . igur . . . . ing ...a . .Se . . lf . .-Re . . .gis . . t. e. r. e. d . .Sat . . .e.llit . . .e. . . . . . . . . . . . . . . . . . . . . . . . . . .56 .......... 5.1. Registering a Satellite to Itself 56 5.2. Updating a Self-Registered Satellite 59 . .hapt C . . . .e.r. 6. .. Managing . . . . . . . . . Hype . . . . .r.vis . .o . r. s. .and . . . Vir . . .t.ual . . .Gue . . . .s.t .Subs . . . . c. r. ipt . . .io . ns . . . . . . . . . . . . . . .6.2. . . . . . . . . 6 .1. Introduction to virt-who 62 6 .2. Before You Begin 63 6 .3. Supported Hypervisors 65 6 .4. Setting up a Red Hat Enterprise Virtualization Manager Server or Libvirt (KVM) Hypervisor 66 6 .5. Using virt-who with Hyper-V 68 6 .6. Setting up a VMware Hypervisor 69 6 .7. C onfigure virt-who with an Encrypted P assword 72 6 .8. vC enter C onfiguration Exam ple for Reporting Data to Multiple O rganizations 6 .9. Registering Guest Instances 6 .10. Rem oving a Guest Entry 6 .11. Rem oving a Hypervisor Entry 6 .12. Troubleshooting virt-who 73 75 75 76 76 . .hapt C . . . .e.r. 7. . . Ins . . .t.alling . . . . . Re ..d . .Hat . . . .Sat . . .e.llit . .e . .Caps . . . . ule . . . Se . . .r.ve . .r. . . . . . . . . . . . . . . . . . . . . . . .78 .......... 7.1. Red Hat Satellite C apsule Server Scalability 78 7.2. Red Hat Satellite C apsule Server P rerequisites 79 7.3. O btaining the Required P ackages for the C apsule Server 84 7.4. Running the Installation and C onfiguration P rogram for C apsule Server 87 7.5. O ptional C onfiguration O ptions 90 7.6. Adding Life C ycle Environm ents to a Red Hat Satellite C apsule Server 96 7.7. Rem oving Life C ycle Environm ents from the Red Hat Satellite C apsule Server 98 7.8. Registering Host System s to a Red Hat Satellite C apsule Server 99 7.9. C onfiguring Satellite 6 with External Services 100 . .hapt C . . . .e.r. 8. .. Upgr . . . . .ading . . . . .Re . .d . .Hat . . . Sat ...e . .llit . . e. .Se . .r.ve . .r. and . . . .Caps . . . . ule . . . .Se . .r.ve . .r. . . . . . . . . . . .116 ........... 8 .1. Upgrading Red Hat Satellite 116 8 .2. Upgrading Red Hat Satellite C apsule 122 8 .3. Upgrading the Discovery Feature 125 1 Ins t allat io n Guide 8 .3. Upgrading the Discovery Feature 8 .4. Upgrading Red Hat Satellite C lients 125 126 8 .5. Upgrading Between Minor Versions of Satellite 127 . .hapt C . . . .e.r. 9. .. Ne . . .xt . .St . .e.ps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130 ........... . .hapt C . . . .e.r. 10 . . .. Unins . . . . . t. alling . . . . . .Re . .d. Hat . . . .Sat . . .e. llit . . .e. Se . . .r ve . . .r .and . . . .Caps . . . .ule . . . Se . . r. ve . . r. . . . . . . . . .131 ........... Rem oving Satellite Server 131 Rem oving C apsule Server 131 . .ppe A . . .ndix . . . . A. . . Glo . . . s. s. ar . . y. .o.f .T. e . r. ms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 ........... . .ppe A . . .ndix . . . . B. . . Re . . .vis . . io . .n. His . . . t. o. r. y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 ........... 2 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e Chapt er 1. Int roduct ion t o Red Hat Sat ellit e Re d Hat Sate llite 6 is the e volution of Re d Hat's life cycle manage me nt platform. It provide s the capabilitie s that adminis trators have come to e xpe ct in a tool focus e d on managing s ys te ms and conte nt for a global e nte rpris e . Sate llite 6 cove rs the us e cas e s re que s te d by Sate llite 5 cus tome rs , but als o include s functionality that e nable s large r s cale , fe de ration of conte nt, be tte r control of s ys te ms during the provis ioning proce s s , and a much more s implifie d approach to life cycle manage me nt. Sate llite 6 als o furthe r e volve s the inhe re nt approach to ce rtificate -bas e d e ntitle me nts and inte grate d s ubs cription manage me nt. Sate llite 6 is bas e d on ye ars of cus tome r fe e dback and is an e volution of pre vious ve rs ions . 1.1. Red Hat Sat ellit e 6 Syst em Archit ect ure The following diagram re pre s e nts the high-le ve l archite cture of Re d Hat Sate llite 6. 3 Ins t allat io n Guide Figure 1.1. Red Hat Sat ellit e 6 Syst em Archit ect ure The re are four s tage s through which conte nt flows in this archite cture : Ext ernal Co nt ent So urces The Re d Hat Sate llite Se rve r can cons ume dive rs e type s of conte nt from various s ource s . The re quire d conne ction is the one with Re d Hat Cus tome r Portal, which is the primary s ource of s oftware package s , e rrata, Puppe t module s , and containe r image s . In addition, you can us e othe r s upporte d conte nt s ource s (Git re pos itorie s , Docke r Hub, Puppe t Forge , SCAP re pos itorie s ) as we ll as your organiz ation's inte rnal data s tore . Red Hat Sat ellit e Server 4 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e The Re d Hat Sate llite Se rve r e nable s you to plan and manage the conte nt life cycle and the configuration of Caps ule Se rve rs and hos ts through GUI, CLI, or API. The Sate llite Se rve r organiz e s the life cycle manage me nt by us ing organizations as principal divis ion units . Organiz ations is olate conte nt for groups of hos ts with s pe cific re quire me nts and adminis tration tas ks . For e xample , the OS build te am can us e a diffe re nt organiz ation than the we b de ve lopme nt te am. The Sate llite Se rve r als o contains a fine -graine d authe ntication s ys te m to provide Sate llite ope rators with pe rmis s ions to acce s s pre cis e ly the parts of the infras tructure that lie in the ir are a of re s pons ibility. C apsule Servers Caps ule Se rve rs mirror conte nt from the Sate llite Se rve r to e s tablis h conte nt s ource s in various ge ographical locations . This allows hos t s ys te ms to pull conte nt and configuration from the Sate llite Caps ule Se rve rs in the ir location and not from the ce ntral Sate llite Se rve r. The re comme nde d minimal numbe r of Caps ule Se rve rs is the re fore give n by the numbe r of ge ographic re gions whe re the organiz ation that us e s Sate llite ope rate s . Us ing Conte nt Vie ws , you can s pe cify the e xact s ubs e t of conte nt that the Caps ule Se rve r make s available to hos ts . Se e Figure 1.2, “Conte nt Life Cycle in Re d Hat Sate llite 6” for a clos e r look at life cycle manage me nt with the us e of Conte nt Vie ws . The communication be twe e n manage d hos ts and the Sate llite Se rve r is route d through the Caps ule Se rve r that can als o manage multiple s e rvice s on be half of hos ts . Many of the s e s e rvice s us e de dicate d ne twork ports , but the Caps ule Se rve r e ns ure s that a s ingle s ource IP addre s s is us e d for all communications from the hos t to the Sate llite Se rve r, which s implifie s fire wall adminis tration. Managed Ho st s Hos ts are the re cipie nts of conte nt from Caps ule Se rve rs . Hos ts can be e ithe r phys ical or virtual (de ploye d on KVM, VMware vSphe re , Ope nStack, Amaz on EC2, Racks pace Cloud Se rvice s , Google Compute Engine , or in a Docke r containe r). The Sate llite Se rve r can have dire ctly manage d hos ts . The bas e s ys te m running a Caps ule Se rve r is als o a manage d hos t of the Sate llite Se rve r. The following diagram provide s a clos e r look at the dis tribution of conte nt from the Sate llite Se rve r to Caps ule s . 5 Ins t allat io n Guide Figure 1.2. Co nt ent Lif e Cycle in Red Hat Sat ellit e 6 By de fault, e ach organiz ation has a Library of conte nt from e xte rnal s ource s . Conte nt Vie ws are s ubs e ts of conte nt from the Library cre ate d by inte llige nt filte ring. You can publis h and promote Conte nt Vie ws into life cycle e nvironme nts (typically De v, QA, and Production). Whe n cre ating a Caps ule Se rve r, you can choos e which life cycle e nvironme nts will be copie d to that Caps ule and made available to manage d hos ts . Conte nt Vie ws can be combine d to cre ate Compos ite Conte nt Vie ws . For e xample , it is be ne ficial to have a s e parate Conte nt Vie w for package s re quire d by an ope rating s ys te m and a s e parate one for package s re quire d by an application. Which Conte nt Vie ws s hould be promote d to which Caps ule Se rve r de pe nds on the Caps ule 's inte nde d functionality. Any Caps ule Se rve r can run DNS, DHCP, and TFTP as infras tructure s e rvice s that can be s upple me nte d, for e xample , with conte nt or configuration s e rvice s . You can update the Caps ule Se rve r by cre ating a ne w ve rs ion of a Conte nt Vie w us ing s ynchroniz e d conte nt from the Library. The ne w Conte nt Vie w ve rs ion is the n promote d 6 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e through life cycle e nvironme nts . You can als o cre ate in-s itu update s of Conte nt Vie ws , which me ans that a minor ve rs ion of the Conte nt Vie w is cre ate d in its curre nt life cycle e nvironme nt without promoting it from the Library. 1.2. Red Hat Sat ellit e 6 Syst em Component s Re d Hat Sate llite 6 cons is ts of s e ve ral ope n s ource proje cts which are inte grate d, ve rifie d, de live re d and s upporte d as Sate llite 6. It is ofte n important to unde rs tand which ups tre am ve rs ions of the s e proje cts are de live re d. This information is maintaine d and re gularly update d on the Re d Hat Cus tome r Portal [1] . Re d Hat Sate llite 6 cons is ts of the following ope n s ource proje cts : Fo reman Fore man is an ope n s ource application us e d for provis ioning and life cycle manage me nt of phys ical and virtual s ys te ms . Fore man automatically configure s the s e s ys te ms us ing various me thods , including kicks tart and Puppe t module s . Fore man als o provide s his torical data for re porting, auditing, and trouble s hooting. Kat ello Kate llo is a Fore man plug-in for s ubs cription and re pos itory manage me nt. It provide s a me ans to s ubs cribe to Re d Hat re pos itorie s and download conte nt. You can cre ate and manage diffe re nt ve rs ions of this conte nt and apply the m to s pe cific s ys te ms within us e r-de fine d s tage s of the application life cycle . C andlepin Candle pin is a s e rvice within Kate llo that handle s s ubs cription manage me nt. P ulp Pulp is a s e rvice within Kate llo that handle s re pos itory and conte nt manage me nt. Hammer Hamme r is a CLI tool that provide s command line and s he ll e quivale nts of mos t We b UI functions . REST API Re d Hat Sate llite 6 include s a RESTful API s e rvice that allows s ys te m adminis trators and de ve lope rs to write cus tom s cripts and third-party applications that inte rface with Re d Hat Sate llite . 1.3. Red Hat Sat ellit e 6 Support ed Usage Each Re d Hat Sate llite s ubs cription include s one s upporte d ins tance of Re d Hat Ente rpris e Linux Se rve r. This ins tance s hould be re s e rve d s ole ly for the purpos e of running Re d Hat Sate llite . Us ing the ope rating s ys te m include d with Sate llite to run othe r dae mons , applications , or s e rvice s within your e nvironme nt is not s upporte d. 7 Ins t allat io n Guide No te All Re d Hat Sate llite compone nts and the ir us age are s upporte d within the conte xt of Re d Hat Sate llite only. Third-party us age of any compone nts falls be yond s upporte d us age . Support for Re d Hat Sate llite compone nts is de s cribe d be low. Puppet Re d Hat Sate llite 6 include s s upporte d puppe t package s . The ins tallation program allows us e rs to ins tall and configure Puppe t Mas te rs as a part of Re d Hat Sate llite Caps ule Se rve rs . The s e rve r ins talls the Hie ra ke y-value databas e , which can be us e d to re fine how Puppe t module s are applie d. A Puppe t module , running on a Puppe t Mas te r on the Re d Hat Sate llite Se rve r or Sate llite Caps ule Se rve r, us ing Hie ra, is s upporte d by Re d Hat. Re d Hat s upports many diffe re nt s cripting and othe r frame works , including puppe t module s . Support for the s e frame works is bas e d on the article "How doe s Re d Hat s upport s cripting frame works ?" [2] Pulp Pulp is the conte nt manage me nt s ubs ys te m within Re d Hat Sate llite 6. Pulp us age is only s upporte d via the Sate llite Se rve r we b UI, CLI, and API. Dire ct modification or inte raction with Pulp's local API or databas e is not s upporte d. Re d Hat doe s not s upport dire ct modification with Pulp as this can caus e irre parable damage to the Re d Hat Sate llite 6 databas e s . Fo reman Fore man make s up a large amount of Re d Hat Sate llite 's core functionality including the we b UI containe r, us e rs , organiz ations , s e curity and othe r s ignificant functions . Fore man can be e xte nde d us ing plug-ins . Howe ve r, only Re d Hat Sate llite package d plug-ins are s upporte d. Re d Hat doe s not s upport plug-ins in the Re d Hat Sate llite Optional re pos itory. Re d Hat Sate llite als o include s compone nts , configuration and functionality to provis ion and configure ope rating s ys te ms othe r than Re d Hat Ente rpris e Linux. While the s e fe ature s are include d and can be e mploye d, Re d Hat s upports the ir us age for Re d Hat Ente rpris e Linux. Candlepin Candle pin is the s ubs cription manage me nt s ubs ys te m within Re d Hat Sate llite 6. The only s upporte d me thods of us ing Candle pin are through the Re d Hat Sate llite 6 we b UI, CLI, and API. 8 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e Re d Hat doe s not s upport dire ct modification and inte ractions with Candle pin, its local API or databas e , as this can caus e irre parable damage to the Re d Hat Sate llite 6 databas e s . Embedded T o mcat Applicat io n Server The only s upporte d me thods of us ing the e mbe dde d Tomcat application s e rve r are through the Re d Hat Sate llite 6 we b UI, API, and databas e . Re d Hat doe s not s upport dire ct inte ractions and modifications of the e mbe dde d Tomcat application s e rve r's local API or databas e . 1.4. Prerequisit es The following conditions mus t be me t be fore ins talling Re d Hat Sate llite 6: Impo rtant The Re d Hat Sate llite s e rve r and Caps ule s e rve r ve rs ions mus t match. For e xample , a Sate llite 6.0 s e rve r cannot run a 6.1 Caps ule s e rve r and a Sate llite 6.1 s e rve r cannot run a 6.0 Caps ule s e rve r. Mis matching Sate llite s e rve r and Caps ule s e rve r ve rs ions will re s ult in the Caps ule s e rve r failing s ile ntly. 1.4.1. Base Operat ing Syst em Impo rtant Re d Hat Sate llite is only s upporte d on the late s t ve rs ion of Re d Hat Ente rpris e Linux 6 Se rve r or 7 Se rve r. Pre vious ve rs ions of Re d Hat Ente rpris e Linux including EUS or z -s tre am are not s upporte d. Ins tall the ope rating s ys te m from dis c, local ISO image , kicks tart, or any othe r me thod that Re d Hat s upports . Re gis te r and attach a s ubs cription to the s ys te m as follows : # subscription-manager register # subscription-manager list --available --all # subscription-manager subscribe --pool=Red_Hat_Enterprise_Linux_Pool_Id 9 Ins t allat io n Guide Impo rtant Re d Hat Sate llite Se rve r re quire s Re d Hat Ente rpris e Linux ins tallations with the @Bas e package group with no othe r package -s e t modifications , and without thirdparty configurations or s oftware that is not dire ctly ne ce s s ary for the dire ct ope ration of the s e rve r. This re s triction include s harde ning or othe r non-Re d Hat s e curity s oftware . If s uch s oftware is re quire d in your infras tructure , ins tall and ve rify a comple te working Sate llite Se rve r firs t, the n cre ate a backup of the s ys te m be fore adding any non-Re d Hat s oftware . Your s ubs cription-manage r 'Re le as e ' fie ld mus t be s e t to 6Se rve r or 7Se rve r in orde r to re ce ive the late s t ve rs ion of Re d Hat Ente rpris e Linux and Re d Hat Sate llite during the ins tallation. Se t the fie ld by us ing the command: # subscription-manager release --set=Release Only re le as e ve rs ions 6Se rve r and 7Se rve r are s upporte d by Re d Hat Sate llite . Update the s ys te m to the late s t s e t of package s in Re d Hat Ente rpris e Linux afte r s e tting the re le as e : # yum update Re d Hat re comme nds that the Sate llite Se rve r be a fre s hly provis ione d s ys te m that s e rve s no othe r function e xce pt as a Sate llite Se rve r. Re d Hat Sate llite re quire s a ne tworke d bas e s ys te m with the following minimum s pe cifications : 64-bit archite cture The late s t ve rs ion of Re d Hat Ente rpris e Linux 6 Se rve r or 7 Se rve r A minimum of two CPU core s , but four CPU core s are re comme nde d. A minimum of 12 GB me mory but ide ally 16 GB of me mory for e ach ins tance of Sate llite . A minimum of 4 GB of s wap s pace is re comme nde d. A unique hos tname . The hos tname can contain lowe r-cas e le tte rs , numbe rs , dots (.) and hyphe ns (-). No Java virtual machine ins talle d on the s ys te m, re move any if the y e xis t. No Puppet RPM file s ins talle d on the s ys te m. No third-party uns upporte d yum re pos itorie s e nable d. Third-party re pos itorie s may offe r conflicting or uns upporte d package ve rs ions that may caus e ins tallation or configuration e rrors . A curre nt Re d Hat Ne twork s ubs cription. Adminis trative us e r (root) acce s s . Full forward and re ve rs e DNS re s olution us ing a fully qualifie d domain name . Ens ure that hostname and localhost re s olve corre ctly, us ing the following commands : 10 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e # ping -c1 localhost # ping -c1 `hostname -f` # my_system.domain.com Impo rtant Ens ure that the hos t s ys te m is fully update d be fore ins talling Re d Hat Sate llite . Atte mpts to ins tall on hos t s ys te ms that are not fully update d may le ad to difficulty in trouble s hooting, as we ll as unpre dictable re s ults . 1.4.2. Support ed Browsers Brows e r s upport is divide d into 4 le ve ls : 1. Le ve l 1: Fully s upporte d pre fe rre d brows e rs for ide al e xpe rie nce . 2. Le ve l 2: Mos tly s upporte d. The inte rface functions but s ome de s ign e le me nts may not align corre ctly, UI controls and layout may be mis aligne d and the re maybe de grade d pe rformance e xpe rie nce d. 3. Le ve l 3: De s ign e le me nts may not align corre ctly. 4. Le ve l 4: Uns upporte d The table be low outline s the s upporte d brows e rs and the ir le ve l of s upport: T able 1.1. Suppo rt ed Bro wser Mat rix Bro wser Versio n Suppo rt Level Fire fox Fire fox Fire fox Fire fox Fire fox Chrome Chrome Chrome Inte rne t Explore r Inte rne t Explore r Safari 3.6 17, 18, 19, 20 21 22, 23, 24 Late s t 19, 20 21, 27 Late s t 7, 8 9, 10, 11 ALL L3 L4 L2 L1 L1 L4 L2 L1 L4 L2 L4 No te The we b UI and command-line inte rface for Sate llite Se rve r s upports Englis h, Portugue s e , Simplifie d Chine s e , Traditional Chine s e , Kore an, Japane s e , Italian, Spanis h, Rus s ian, Fre nch, and Ge rman. 1.4.3. St orage Sate llite Se rve r s torage s pe cifications are as follows : 11 Ins t allat io n Guide A minimum of 6 GB s torage for bas e ope rating s ys te m ins tallation of Re d Hat Ente rpris e Linux. A minimum of 400 MB s torage for the Re d Hat Sate llite 6 s oftware ins tallation. A minimum of 20 GB s torage for e ach unique s oftware re pos itory. Package s that are duplicate d in diffe re nt re pos itorie s are only s tore d once on the dis k. Additional re pos itorie s containing duplicate package s will re quire le s s additional s torage . The bulk of s torage re s ide s on the /var/lib/mongodb and /var/lib/pulp dire ctorie s . The s e e nd points are not manually configurable . Make s ure that s torage is available on the /var file s ys te m to pre ve nt s torage is s ue s . A minimum of 2 GB of available s torage in /var/lib/pgsql with the ability to grow the partition containing this dire ctory as data s torage re quire me nts grow. If you are us ing a dis conne cte d ins tallation, a copy of the re pos itorie s us e d in the ins tallation are s tore d in the /opt/ dire ctory. Ens ure you have a minimum of 2GB of s pace for this file s ys te m and dire ctory. No te Mos t Sate llite Se rve r data is s tore d within the /var dire ctory. It is s trongly re comme nde d to mount /var on LVM s torage that the s ys te m can s cale to me e t data s torage re quire me nts . No te The XFS file s ys te m is re comme nde d for Re d Hat Sate llite 6. XFS is the de fault file s ys te m in Re d Hat Ente rpris e Linux 7, which make s it the pre fe rable bas e ope rating s ys te m. If you inte nd to us e Re d Hat Ente rpris e Linux 6 ins te ad, contact your account te am to le arn about e nabling XFS on this s ys te m. Alte rnative ly, make s ure that you have an e xt4 file s ys te m with s ufficie nt amount of inode s for your inte nde d Sate llite de ployme nt. The following table de tails re comme nde d s torage re quire me nts for s pe cific dire ctorie s . The s e value s are bas e d on e xpe cte d us e cas e s ce narios and may vary according to individual e nvironme nts . T able 1.2. Reco mmended St o rage Co nsiderat io ns Direct o ry Inst allat io n Size Requirement Runt ime Requirement wit h Red Hat Ent erprise Linux 5/6/7 synchro nized /var/lib/pulp /var/lib/mongodb /var/log /var/lib/pgs ql 1 MB 3.5 GB 10 MB 100 MB 200 GB 15 GB 100 MB 250 MB 12 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e Impo rtant Se ve ral compone nts of Re d Hat Sate llite are s e ns itive to ne twork late ncy. Re d Hat re comme nds local or SAN-bas e d s torage . Avoid NFS s torage whe ne ve r pos s ible . 1.4.4. Applicat ion Specif icat ions Sate llite Se rve r application ins tallation s pe cifications are as follows : Re d Hat re comme nds that a time s ynchroniz e r s uch as nt p is ins talle d and e nable d on the hos t ope rating s ys te m be fore ins talling Sate llite to minimiz e the e ffe cts of any time drift. For Re d Hat Ente rpris e Linux 6, run the following commands to s tart the ntpd s e rvice and have it pe rs is t acros s re s tarts : # service ntpd start # chkconfig ntpd on In Re d Hat Ente rpris e Linux 7, chro ny is the de fault time s ynchroniz e r. Run the following commands to s tart the chronyd s e rvice and have it pe rs is t acros s re s tarts : # systemctl start chronyd # systemctl enable chronyd 1.4.5. Net work Port s Required f or Sat ellit e Communicat ions The following ne twork ports ne e d to be ope n and fre e on the bas e ope rating s ys te m be fore continuing with the ins tallation: T able 1.3. Po rt s f o r Bro wser-based User Int erf ace Access t o Sat ellit e Po rt Pro t o c ol Service Required f o r 443 Opt io n al 80 TCP HTTPS For Brows e r-bas e d UI Acce s s to Sate llite TCP HTTP To e nable re dire ction to HTTPS for we b UI Acce s s to Sate llite T able 1.4. Po rt s f o r Sat ellit e t o Red Hat CDN Co mmunicat io n Po rt Pro t o c ol Service Required f o r 443 TCP HTTPS Subs cription Manage me nt Se rvice s , conne cting to the Re d Hat CDN T able 1.5. Po rt s f o r Client t o Sat ellit e Co mmunicat io n 13 Ins t allat io n Guide Po rt Pro t o c ol Service Required f o r 53 DNS Que rie s to the Sate llite 's inte grate d DNS s e rvice 67 69 TCP and UDP UDP UDP DHCP TFTP 80 TCP HTTP 443 TCP HTTPS 5647 TCP amqp 8140 TCP HTTPS For Clie nt provis ioning from the inte grate d Caps ule Downloading PXE boot image file s from the inte grate d Caps ule Anaconda, yum, for obtaining Kate llo ce rtificate s , te mplate s , and for downloading iPXE firmware Subs cription Manage me nt Se rvice s , yum, Te le me try Se rvice s , and for conne ction to the Kate llo Age nt The Kate llo age nt to communicate with the Sate llite 's Qpid dis patch route r Puppe t age nt to Puppe t mas te r conne ctions Any manage d hos t that is dire ctly conne cte d to the Sate llite Se rve r is a Clie nt in this conte xt. This include s the bas e s ys te m on which a Caps ule Se rve r is running. T able 1.6. Opt io nal Net wo rk Po rt s Po rt Pro t o c ol Service Required f o r 7911 TCP DHCP Caps ule originate d, for orche s tration of DHCP re cords (local or e xte rnal) [a] 5000 TCP HTTP 22, 16514 389, 636 from 5910 to 5930 TCP SSH/TLS Sate llite originate d, for compute re s ource s in Ope nStack or for running Docke r containe rs Sate llite originate d, for compute re s ource s in libvirt TCP SSH/TLS TCP SSH/TLS Sate llite originate d, for LDAP and s e cure d LDAP authe ntication s ource s Sate llite originate d, for NoVNC cons ole in We b UI to hype rvis ors [a] If the DHC P service is provided by an external service, opening this port is required on the external server. No te Port 8080 ne e ds to be fre e , but not ope n, in orde r for s ubs cription manage me nt s e rvice s to acce s s the Sate llite Se rve r. No te To configure the fire wall on a Capsule to e nable incoming conne ctions from the Sat ellit e, s e e Se ction 7.2.3, “Conne ctions from Sate llite to Caps ule ”. Connect ions f rom Client t o Sat ellit e 14 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e To configure the fire wall on a Sat ellit e to e nable incoming conne ctions from a Client , and to make the s e rule s pe rs is te nt during re boots , e nte r the commands be low appropriate to the Re d Hat re le as e . The ports in the s e commands are take n from the table Table 1.5, “Ports for Clie nt to Sate llite Communication”. Note that port 80 and 443 are als o lis te d in the Table 1.3, “Ports for Brows e r-bas e d Us e r Inte rface Acce s s to Sate llite ”. Re vie w the commands to avoid duplicating e ntrie s . On a Re d Hat Ente rpris e Linux 6 Sate llite , e xe cute as root: # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on On a Re d Hat Ente rpris e Linux 7 Sate llite , e xe cute as root: # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \ --add-port="67/udp" \ --add-port="69/udp" --add-port="80/tcp" \ --add-port="443/tcp" --add-port="5647/tcp" \ --add-port="8140/tcp" \ && firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \ --add-port="67/udp" \ --add-port="69/udp" --add-port="80/tcp" \ --add-port="443/tcp" --add-port="5647/tcp" \ --add-port="8140/tcp" 1.4.6. SELinux Policy on Sat ellit e 6 Re d Hat Sate llite 6 us e s a s e t of pre de fine d ports , as de s cribe d in the pre ce ding s e ction and in Se ction 7.2.3, “Ne twork Ports Re quire d for Caps ule Communications ”. Be caus e Re d Hat re comme nds that SELinux on Sate llite 6 s ys te ms be s e t to e nforcing, if you ne e d to change the port for any s e rvice , you als o ne e d to change the as s ociate d SELinux port type to allow acce s s to the re s ource s . For e xample , if you change the we b UI ports (HTTP/HTTPS) to 8018/8019, you ne e d to add the s e port numbe rs to the httpd_port_t SELinux port type . 15 Ins t allat io n Guide Table 1.7, “SELinux Commands to Change De fault Port As s ignme nts ” lis ts the re quire d commands to change the Sate llite 6 de fault ports to a us e r-s pe cifie d port. The s e e xample s us e port 99999 for de mons tration purpos e s ; e ns ure you change this value to s uit your de ployme nt. No te This change is als o re quire d for targe t ports ; for e xample , whe n Sate llite 6 conne cts to an e xte rnal s ource , s uch as Re d Hat Ente rpris e Virtualiz ation Manage r or Ope nStack. You only ne e d to make change s to de fault port as s ignme nts once . Updating or upgrading Sate llite has no e ffe ct on the s e as s ignme nts . Any update s only add de fault SELinux ports if no as s ignme nts e xis t. T able 1.7. SELinux Co mmands t o Change Def ault Po rt Assignment s Def ault Po rt SELinux Co mmand 80, 443, 8443 8080 8140 9090 69 53 (TCP) 53 (UDP) 67, 68 5671 8000 7911 5000 on Re d Hat Ente rpris e Linux 6 5000 on Re d Hat Ente rpris e Linux 7 22 16514 (libvirt) 389, 636 5910 to 5930 s e manage s e manage s e manage s e manage s e manage s e manage s e manage s e manage s e manage s e manage s e manage s e manage port port port port port port port port port port port port s e manage 99999 s e manage s e manage s e manage s e manage port -a -t commple x_main_port_t -p tcp port port port port -a -a -a -a -a -a -a -a -a -a -a -a -a -a -a -a -t -t -t -t -t -t -t -t -t -t -t -t -t -t -t -t http_port_t -p tcp 99999 http_cache _port_t -p tcp 99999 puppe t_port_t -p tcp 99999 we bs m_port_t -p tcp 99999 tftp_port_t -p udp 99999 dns _port_t -p tcp 99999 dns _port_t -p udp 99999 dhcpd_port_t -p udp 99999 amqp_port_t -p tcp 99999 s oundd_port_t -p tcp 99999 dhcpd_port_t -p tcp 99999 commple x_port_t -p tcp 99999 s s h_port_t -p tcp 99999 virt_port_t -p tcp 99999 ldap_port_t -p tcp 99999 vnc_port_t -p tcp 99999 To allow Sate llite 6 to conne ct to a s e rvice that is on a diffe re nt port, for e xample , EC2 or an e xte rnal re pos itory s e rve d by an Apache httpd s e rve r, you ne e d to add this port to the virt_port_t SELinux type , as follows : # semanage port -a -t virt_port_t -p tcp 99999 16 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e Impo rtant If SELinux was disabled (as compare d to e nable d and running in pe rmis s ive mode ), whe n you ins talle d Sate llite , the n you ne e d to e nable SELinux and run the following commands in permissive mode afte r you have comple te d the ins tallation: # foreman-selinux-enable # foreman-selinux-relabel Failure to run the s e commands can re s ult in mis labe le d file s , AVC de nials whe n atte mpting to acce s s the we b UI, and difficult trouble s hooting. Us e the semanage command if you ne e d to dis as s ociate the pre vious ly us e d port numbe r and port type . For e xample : # semanage port -d -t virt_port_t -p tcp 99999 For more information about configuring SELinux, and e ns uring that it is e nable d on s tartup, s e e the following re s ource s : Enabling SELinux on Re d Hat Ente rpris e Linux 6 [3] Enabling SELinux on Re d Hat Ente rpris e Linux 7 [4] 1.4.7. Considerat ions f or Large Deployment s With more than 225 conte nt hos ts , the qpidd me s s age broke r can re ach s e ve ral s ys te mle ve l limits , re s ulting in Sate llite 's failure to ope rate . To avoid this , one or more of the s e limits mus t be incre as e d be fore de ploying a large numbe r of conte nt hos ts . Re fe r to the following table to confirm which value s mus t be change d de pe nding on the numbe r of conte nt hos ts you plan to de ploy. The n re fe r to the following s e ctions for ins tructions on how to s e t the s e limits . T able 1.8. Limit s t o be Increased f o r Large Deplo yment s Number o f Co nt ent Ho st s Client Co nnect io n s More than 225 More than 500 More than 1900 More than 30,000 More than 32,900 ✔ File Parallel Descript o rs Asynchro no us I/O Operat io ns Co ncurrent Lo cks ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Memo ry Map Areas ✔ 17 Ins t allat io n Guide Increasing t he Maximum Number of Client Connect ions With more than 225 conte nt hos ts , qpidd re ache s the maximum numbe r of clie nt conne ctions . To incre as e it, firs t e s tablis h the ne w value of the limit that is calculate d as : (number_of_content_hosts x 2) + 100 For e xample , a de ployme nt with 300 conte nt hos ts re quire s at le as t 700 conne ctions . Us e the calculate d value in /etc/qpid/qpidd.conf: max-connections=value Increasing t he Maximum Number of File Descript ors With more than 500 conte nt hos ts , qpidd re ache s the maximum numbe r of file de s criptors . To incre as e it, firs t e s tablis h the ne w value of the limit that is calculate d as : (number_of_content_hosts x 4) + 500 For e xample , a de ployme nt with 600 conte nt hos ts re quire s 2900 file de s criptors . Us e the calculate d value in appropriate configuration file s : On Re d Hat Ente rpris e Linux 6, add the following line to /etc/security/limits.conf: qpidd x nofile value On Re d Hat Ente rpris e Linux 7, add the following line to /usr/lib/systemd/system/qpidd.service at the e nd of the [Se rvice ] s e ction: LimitNOFILE=value Increasing t he Maximum Number of Parallel Asynchronous I/O Operat ions With more than 1900 conte nt hos ts , qpidd re ache s the ke rne l limit of maximum paralle l as ynchronous I/O ope rations . To incre as e it, firs t e s tablis h the ne w value of the limit that is calculate d as : 33 x number_of_content_hosts Us e the calculate d value in /etc/sysctl.conf: fs.aio-max-nr=value Re load the s e tting by e xe cuting: # sysctl -p Increasing t he Maximum Number of Concurrent Locks 18 C hapt e r 1. Int r o duc t io n t o Re d Hat Sat e llit e With more than 30,000 conte nt hos ts , the back-e nd databas e of qpidd might re ach the maximum numbe r of concurre nt locks . To incre as e this limit, cre ate a configuration file in the dire ctory whe re the exchanges.db file is s tore d. The dire ctory location can vary. Confirm its location by s e arching the /var/lib/qpidd/ dire ctory: # find /var/lib/qpidd -name exchanges.db /var/lib/qpidd/qls/dat/exchanges.db In the above e xample , exchanges.db is s tore d in the /var/lib/qpidd/qls/dat/ dire ctory. In this dire ctory, cre ate a DB_CONFIG file that mus t be owne d and re adable by the qpidd us e r. Add the following conte nt to DB_CONFIG: set_lk_max_locks 10000 set_lk_max_objects 10000 Increasing t he Maximum Number of Memory Map Areas With more than 32,900 conte nt hos ts , qpidd re ache s the ke rne l limit of maximum numbe r of me mory map are as pe r proce s s . This proble m occurs only on Re d Hat Ente rpris e Linux 7. Incre as e the limit by adding the following line to /etc/sysctl.conf: vm.max_map_count = 655300 Re load the s e tting by e xe cuting: # sysctl -p Impo rtant It is re quire d to re s tart qpidd to apply any change s to the afore me ntione d limits : On Re d Hat Ente rpris e Linux 6: # service qpidd restart On Re d Hat Ente rpris e Linux 7: # systemctl restart qpidd 1.4.8. T roubleshoot ing Re d Hat re comme nds to ins tall the sos package on the hos t ope rating s ys te m be fore ins talling Sate llite . The sos package provide s the sosreport command that colle cts configuration and diagnos tic information from a Re d Hat Ente rpris e Linux s ys te m and is us e d to provide the initial analys is of a s ys te m re quire d whe n ope ning a s e rvice re que s t with Re d Hat Te chnical Support. For more information on us ing sosreport, re fe r to the What is a s os re port and how to cre ate one in Re d Hat Ente rpris e Linux 4.6 and late r? article on Re d Hat Cus tome r Portal [5] . 19 Ins t allat io n Guide To ins tall the sos package run the following command: # yum install sos [1] https://access.redhat.com /articles/1343683 [2] https://access.redhat.com /articles/369183 [3] https://access.redhat.com /docum entation/en-US/Red_Hat_Enterprise_Linux/6/htm l/SecurityEnhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinuxC hanging_SELinux_Modes.htm l#sect-Security-Enhanced_LinuxEnabling_and_Disabling_SELinux-Enabling_SELinux [4] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/7/htm l/SELinux_Users_and_Adm inistrators_Guide/sect-SecurityEnhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.htm l#sect-SecurityEnhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux [5] https://access.redhat.com /solutions/3592 20 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r Chapt er 2. Inst alling Red Hat Sat ellit e Server This chapte r de s cribe s how to obtain the re quire d package s to ins tall Re d Sate llite Se rve r, whe the r you are conne cte d to the ne twork or not. You can the n us e the ins tallation program, katello-installer, to ins tall and configure the Sate llite Se rve r. Se ve ral configuration options are available ; the s e are de s cribe d in Se ction 2.3, “Optional Configuration Options ”. 2.1. Obt aining t he Required Packages The re are two ways to obtain the package s re quire d to ins tall a Sate llite Se rve r: Download the package s dire ctly from the Re d Hat Conte nt De live ry Ne twork (CDN). Download an ISO image of the package s re quire d from an e xte rnal compute r. Both me thods are de s cribe d in this s e ction. Howe ve r, for hos ts that have ne twork conne ctivity, Re d Hat re comme nds downloading the package s dire ctly from the CDN. Us ing ISO image s is only re comme nde d for hos ts in a dis conne cte d e nvironme nt be caus e ISO image s may not contain the late s t update s . 2.1.1. Downloading f rom a Connect ed Net work This s e ction de s cribe s how to us e Subs cription Manage r to download the re quire d package s for Re d Hat Sate llite Se rve r from the re pos itory. Pro cedure 2.1. T o Do wnlo ad Sat ellit e Server o n a Cert if icat e-managed Syst em: 1. Lis t all the available s ubs criptions to find the corre ct Re d Hat Sate llite and Re d Hat Ente rpris e Linux product to allocate to your s ys te m: # subscription-manager list --available --all This command dis plays output s imilar to the following: +-------------------------------------------+ Available Subscriptions +-------------------------------------------+ Subscription Name: Red Hat Satellite Subscription Provides: Red Hat Red Hat Satellite Capsule 6 Red Hat Enterprise Linux 7 Red Hat Satellite 6 SKU: SKU123456 Pool ID: e1730d1f4eaa448397bfd30c8c7f3d334bd8b Available: 6 Suggested: 1 Service Level: Self-Support Service Type: L1-L3 Multi-Entitlement: No Ends: 01/01/2022 System Type: Physical 21 Ins t allat io n Guide No te The SKU and Pool ID de pe nd on the Re d Hat Sate llite product type that corre s ponds to your s ys te m ve rs ion and product type . Take note of the pool IDs for Re d Hat Sate llite 6.1, Re d Hat Ente rpris e Linux and Re d Hat Software colle ctions that corre s pond to your s ys te m ve rs ion and product type . 2. Attach a s ubs cription to the re gis te re d s ys te m: # subscription-manager subscribe --pool=Red_Hat_Satellite_Pool_Id \ && subscription-manager subscribe -pool=Red_Hat_Enterprise_Linux_Pool_Id \ && subscription-manager subscribe \ --pool=Red_Hat_Enterprise_Linux_Software_Collections_Pool_Id 3. Dis able all e xis ting re pos itorie s : # subscription-manager repos --disable "*" 4. Enable the Re d Hat Sate llite and Re d Hat Ente rpris e Linux and Re d Hat Software Colle ctions re pos itorie s . Ens ure the Re d Hat Ente rpris e Linux re pos itory matche s the s pe cific ve rs ion you are us ing. For Re d Hat Ente rpris e Linux 6: # subscription-manager repos --enable rhel-6-server-rpms \ --enable rhel-server-rhscl-6-rpms \ --enable rhel-6-server-satellite-6.1-rpms For Re d Hat Ente rpris e Linux 7: # subscription-manager repos --enable rhel-7-server-rpms \ --enable rhel-server-rhscl-7-rpms \ --enable rhel-7-server-satellite-6.1-rpms No te The commands above are bas e d on Re d Hat Ente rpris e Linux 6 and 7. If you are us ing a diffe re nt ve rs ion of Re d Hat Ente rpris e Linux, change the re pos itory bas e d on your s pe cific ve rs ion. 5. If re quire d, to ve rify what re pos itorie s have be e n e nable d, us e the yum repolist enabled command. For e xample , on Re d Hat Ente rpris e Linux 7: # yum repolist enabled Loaded plugins: product-id, subscription-manager repo id repo name status !rhel-7-server-rpms/x86_64 Red Hat Enterprise 22 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r Linux 7 Server (RPMs) 9,889 !rhel-7-server-satellite-6.1-rpms/x86_64 Red Hat Satellite 6.1 (for RHEL 7 Server) (RPMs) 545 !rhel-server-rhscl-7-rpms/x86_64 Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server 4,279 repolist: 14,713 6. Ins tall the katello package : # yum install katello Impo rtant The re quire d package s are now ins talle d. Proce e d to Se ction 2.2, “Running the Ins tallation and Configuration Program” to run the ins tallation and configuration program. 2.1.2. Downloading f rom a Disconnect ed Net work No te Whe n the inte nde d hos t for the Re d Hat Sate llite s e rve r is in a dis conne cte d e nvironme nt, it is pos s ible to ins tall the Sate llite Se rve r by us ing an ISO image . This me thod is not re comme nde d for any othe r s ituation as ISO image s may not contain the late s t update s to Sate llite ; the re fore , by ins talling Re d Hat Sate llite with an ISO Image you may be ins talling olde r ve rs ions of Sate llite . Olde r ve rs ions may be mis s ing bug fixe s and functionality. Prerequisit es Be fore ins talling, you mus t have a re pos itory configure d with Re d Hat Ente rpris e Linux 6.6 and late r or Re d Hat Ente rpris e Linux 7.0 and late r. For more information on how to update a dis conne cte d s ys te m, in Re d Hat Ente rpris e Linux 6 s e e Upgrading the Sys te m Off-line with ISO and Yum in De ployme nt guide , and for Re d Hat Ente rpris e Linux 7 s e e Upgrading the Sys te m Off-line with ISO and Yum in Sys te m Adminis trator's Guide . A copy of the re pos itorie s us e d in the ins tallation are s tore d in the /opt/ dire ctory. Ens ure you have a minimum of 2GB of s pace for this file s ys te m and dire ctory. ISO ins tallations re quire importe d Re d Hat GPG ke ys be fore ins tallation. Run the following command as root be fore running the ins tallation s cript: # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release The following proce dure de tails how to ins tall Sate llite Se rve r on a hos t through ISO. 1. Download the ISO image from the Re d Hat Cus tome r Portal. 2. As the root us e r, mount the ISO image to a dire ctory: 23 Ins t allat io n Guide # mkdir /media/iso # mount -o loop iso_filename /media/iso 3. Change to the /media/iso dire ctory. 4. Run the ins talle r s cript in the mounte d dire ctory: # ./install_packages Impo rtant The re quire d package s are now ins talle d. Proce e d to Se ction 2.2, “Running the Ins tallation and Configuration Program”. 2.2. Running t he Inst allat ion and Configurat ion Program Now that the re quire d package s have be e n downloade d, the ins tallation and configuration program, katello-installer mus t be run to ins tall the Sate llite Se rve r. The re are two main me thods to do s o: Manual Configuration - manually run the command and configuration options on the command-line inte rface (CLI). Automatic Configuration - mos t of the ins tallation and configuration proce s s can be automate d by us ing an ans we r file . Both me thods are s upporte d and available in this chapte r. Choos ing one or the othe r would de pe nd on your organiz ation's re quire me nts . Othe r configuration options are als o docume nte d in this chapte r to as s is t in ins talling the Sate llite Se rve r. For e xample , if the re is an HTTP Proxy in the hos t s ys te m's ne twork, or if the organiz ation us e s cus tomiz e d s e rve r ce rtificate s . 2.2.1. Conf iguring Red Hat Sat ellit e Manually Sate llite Se rve r has an automatic initial configuration that pre pare s the s e rve r for us e . The katello-installer s cript s upports the ability to ove rride various de fault s e ttings within the diffe re nt compone nts of Sate llite Se rve r. For e xample , for organiz ations that have an e xis ting HTTP proxy, additional configuration options ne e d to be pas s e d to the Sate llite Se rve r ins talle r. Se e Se ction 2.3, “Optional Configuration Options ” for othe r configuration options that can be us e d bas e d on your e nvironme nt's re quire me nts . Pro cedure 2.2. T o Run t he Inst aller Script : 1. Run the following command as the root us e r to manually configure Re d Hat Sate llite : # katello-installer --foreman-initial-organization "initial_organization_name" \ --foreman-initial-location "initial_location_name" \ --foreman-admin-username admin-username \ --foreman-admin-password admin-password 24 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r This s cript can be run multiple time s without any is s ue s . Impo rtant If you do not s pe cify any of the s e value s , the de fault value s are us e d. Us e the katello-installer --help command to dis play the available options and any de fault value s . Whe n the configuration s cript has comple te d s ucce s s fully, it dis plays output s imilar to the following: # katello-installer Installing Done [100%] [........................................] Success! * Katello is running at https://satellite.example.com Default credentials are 'admin:changeme' * Capsule is running at https://satellite.example.com:9090 * To install additional capsule on separate machine continue by running: capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar" The full log is at /var/log/katello-installer/katelloinstaller.log 2. Afte r configuration, run the following commands to configure the fire wall to limit elast icsearch to the foreman and root us e rs and make the s e rule s pe rs is te nt during re boots : A. On Re d Hat Ente rpris e Linux 6, e xe cute as root: # iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner -uid-owner \ foreman -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on B. On Re d Hat Ente rpris e Linux 7, e xe cute as root: # firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ 25 Ins t allat io n Guide && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo p tcp -m tcp --dport 9200 -j DROP \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo p tcp -m tcp --dport 9200 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP The Re d Hat Sate llite Se rve r cre ate s an initial organiz ation and location calle d "De fault Organiz ation" and "De fault Location", re s pe ctive ly. Afte r the initial configuration, you can cre ate additional organiz ations and locations . You can re name the de fault organiz ation or location and you can de le te the de fault organiz ation, but you cannot de le te the de fault location. 2.2.2. Conf iguring Red Hat Sat ellit e wit h an Answer File You can us e answer files to automate ins tallations with cus tomiz e d options . The initial ans we r file is s pars e ly populate d. Afte r you run katello-installer for the firs t time , the ans we r file is populate d with the s tandard parame te r value s for ins tallation. The following proce dure de s cribe s how to configure Re d Hat Sate llite Se rve r with an ans we r file . Pro cedure 2.3. T o Co nf igure and Use an Answer File f o r Inst allat io n: 1. Copy the de fault ans we r file locate d at /etc/katelloinstaller/answers.katello-installer.yaml to a location on your local file s ys te m: # cp /etc/katello-installer/answers.katello-installer.yaml /etc/katello-installer/my-answer-file.yaml 2. Ope n your copy of the ans we r file , e dit the value s to s uit your e nvironme nt, and s ave the file . 26 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r No te The parame te rs for e ach module are s pe cifie d in the module 's params.pp file . Run the following command to vie w available module s with parame te r file s : # rpm -ql katello-installer-base | grep params.pp 3. Ope n the /etc/katello-installer/katello-installer.yaml file and e dit the ans we r file e ntry to point to your cus tom ans we r file : :answer_file: /etc/katello-installer/my-answer-file.yaml 4. Run the katello-installer command. # katello-installer 2.3. Opt ional Configurat ion Opt ions 2.3.1. Conf iguring Red Hat Sat ellit e wit h an HT T P Proxy This s e ctions s hows how to configure Re d Hat Sate llite for ne tworks that go through an HTTP Proxy. As a pre re quis ite , make s ure that the http_proxy, https_proxy, and no_proxy e nvironme nt variable s are not s e t: # export http_proxy="" # export https_proxy=$http_proxy # export no_proxy=$http_proxy Run katello-installer with the following options : # katello-installer --katello-proxy-url=http://myproxy.example.com \ --katello-proxy-port=8080 \ --katello-proxy-username=proxy_username \ --katello-proxy-password=proxy_password Whe re : --katello-proxy-url is the URL of the HTTP proxy s e rve r. --katello-proxy-port is the port the HTTP proxy s e rve r is lis te ning on. --katello-proxy-username (optional) is the HTTP proxy us e rname for authe ntication. If your HTTP proxy s e rve r doe s not re quire a us e rname , you are not re quire d to s pe cify the us e rname . --katello-proxy-password (optional) is the HTTP proxy pas s word for authe ntication. If your HTTP proxy s e rve r doe s not re quire a pas s word, you are not re quire d to s pe cify the pas s word. The following lis t of s pe cial characte rs us e d in a pas s word, as we ll as any white s pace , mus t be e s cape d us ing the back s las h \ characte r: ] [ ? \ < ~ # ` 27 Ins t allat io n Guide ! @ $ % ^ & * ( ) + = } | : " ; ' , > { . Alte rnative ly, us e quotation marks around the pas s word. Afte r configuring the Sate llite Se rve r to go through the HTTP Proxy, make s ure that yum or subscript io n-manager can conne ct to the Re d Hat Conte nt De live ry Ne twork (CDN) and that the Sate llite Se rve r can s ynchroniz e its re pos itorie s to the CDN by following the s e s te ps : Pro cedure 2.4. T o Co nf igure Sat ellit e Server t o Allo w Red Hat Subscript io n Manager Access t o t he CDN: 1. On the ne twork gate way and the HTTP Proxy, ope n the following hos tname s , ports and protocols : T able 2.1. Required Ho st names, Po rt s and Pro t o co ls Ho st name Po rt Pro t o co l s ubs cription.rhn.re dhat.co m cdn.re dhat.com *.akamaie dge .ne t 443 https 443 443 https https 2. In the Sate llite Se rve r, comple te the following de tails in the /etc/rhsm/rhsm.conf file . For e xample : # an http proxy server to use (enter server FQDN) proxy_hostname = http_proxy.example.com # port for http proxy server proxy_port = 3128 # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password = 2.3.2. Conf iguring Red Hat Sat ellit e wit h a Cust om Server Cert if icat e Re d Hat Sate llite come s with a de fault ce rtificate authority (CA) us e d by both the s e rve r and clie nt SSL ce rtificate s for authe ntication of s ubs e rvice s . The s e rve r and clie nt ce rtificate s can be re place d with cus tom one s . For more information on cre ating cus tom ce rtificate s , s e e the Re d Hat Ente rpris e Linux 7 Se curity Guide . [6] Cus tom s e rve r and clie nt ce rtificate s may be imple me nte d e ithe r be fore or afte r running the Kate llo ins talle r. Imple me nting cus tom ce rtificate s after ins tallation re quire s additional e ffort, s o doing s o before is re comme nde d. No te The ce rtificate 's Common Name (CN) mus t match the fully qualifie d domain name of the s e rve r on which it is us e d. 28 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r Prerequisit es You mus t have the following file s : Cert if icat e f ile f o r t he Sat ellit e Server, signed by yo ur cert if icat e aut ho rit y (o r self -signed) Kate llo ins talle r parame te r --certs-server-cert. In this e xample , satellite.crt. Cert if icat e signing request f ile t hat was used t o creat e t he cert if icat e f o r t he Sat ellit e Server Kate llo ins talle r parame te r --certs-server-cert-req. In this e xample , satellite.crt.req. Sat ellit e Server's privat e key used t o sign t he cert if icat e Kate llo ins talle r parame te r --certs-server-key. In this e xample , satellite.crt.key. CA cert if icat e Kate llo ins talle r parame te r --certs-server-ca-cert. In this e xample , ca_cert.crt. If you have alre ady run the Kate llo ins talle r, s e e Proce dure 2.6, “To Se t a Cus tom Se rve r Ce rtificate Afte r Running the Kate llo Ins talle r:”, othe rwis e s e e Proce dure 2.5, “To Se t a Cus tom Se rve r Ce rtificate Be fore Running the Kate llo Ins talle r:”. Pro cedure 2.5. T o Set a Cust o m Server Cert if icat e Bef o re Running t he Kat ello Inst aller: No te In this e xample the file s are s tore d in the dire ctory /root/sat_cert. Us ing an abs olute path in the root us e rs ' dire ctory provide s a fixe d location that is available to all us e rs who log in to the s e rve r with root pe rmis s ions . Be fore running this command, e ns ure the dire ctory alre ady e xis ts . Run the following command on the Re d Hat Sate llite Se rve r to us e the cus tom ce rtificate . # katello-installer \ --certs-server-cert /root/sat_cert/satellite.crt \ --certs-server-cert-req /root/sat_cert/satellite.crt.req \ --certs-server-key /root/sat_cert/satellite.crt.key \ --certs-server-ca-cert /root/sat_cert/ca_cert.crt 29 Ins t allat io n Guide Impo rtant If you configure a Sate llite Se rve r to us e cus tom ce rtificate s , you mus t do the s ame for all Caps ule Se rve rs . For ins tructions s e e Se ction 7.5.1, “Configuring Re d Hat Sate llite Caps ule Se rve r with a Cus tom Se rve r Ce rtificate ” Pro cedure 2.6. T o Set a Cust o m Server Cert if icat e Af t er Running t he Kat ello Inst aller: Whe n the Kate llo ins talle r is run for the firs t time without ce rtificate parame te rs , it us e s the de fault CA to s ign both s e rve r and clie nt ce rtificate s . To e nforce cus tom ce rtificate s de ployme nt afte r the Kate llo ins talle r is firs t run, the ce rtificate s ins talle d mus t be update d. No te In this e xample the file s are s tore d in the dire ctory /root/sat_cert. Us ing an abs olute path in the root us e rs ' dire ctory provide s a fixe d location that is available to all us e rs who log in to the s e rve r with root pe rmis s ions . Be fore running this command, e ns ure the dire ctory alre ady e xis ts . 1. Run the following command on the Re d Hat Sate llite Se rve r to re ge ne rate the katello-ca-consumer package and the Sate llite Se rve r's ce rtificate . # katello-installer \ --certs-server-cert /root/sat_cert/satellite.crt \ --certs-server-cert-req /root/sat_cert/satellite.crt.req \ --certs-server-key /root/sat_cert/private.crt.key \ --certs-server-ca-cert /root/sat_cert/ca_cert.crt \ --certs-update-server \ --certs-update-server-ca 2. Run the following command on the clie nt s ys te ms to ins tall the ne w clie nt and s e rve r ce rtificate s . # rpm -Uvh http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm Impo rtant If you configure a Sate llite Se rve r to us e cus tom ce rtificate s , you mus t do the s ame for all Caps ule Se rve rs . For ins tructions s e e Se ction 7.5.1, “Configuring Re d Hat Sate llite Caps ule Se rve r with a Cus tom Se rve r Ce rtificate ”. 2.3.3. Conf iguring DNS, DHCP, and T FT P This s e ction de s cribe s how to configure Sate llite to run BIND (named) to provide authoritative DNS s e rvice s for the example.com domain and the 172.17.13.x s ubne t. This 30 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r re quire s s e tting up a DNS z one for forward lookups , which will be containe d in the example.com z one file . Additionally, a DNS z one for re ve rs e lookups will be cre ate d for the 172.17.13.x s ubne t, which will be containe d in the 13.17.172.in-addr.arpa re ve rs e z one file . This e ns ure s that hos ts provis ione d from Sate llite us e the corre ct name re s olution parame te rs . This s e ction als o de s cribe s how to configure the TFTP proxy s o that hos ts can boot us ing PXE. Clie nts on this ne twork will have the following characte ris tics : Have acce s s to IP addre s s e s in the range 172.17.13.100 to 172.17.13.150 for DHCP. Us e the Sate llite (satellite.example.com at 172.17.13.2) for DNS. Re ce ive a pxelinux.0 file from Sate llite (satellite.example.com at 172.17.13.2) to e nable PXE-booting. Have hos t name s of hostname.example.com, whe re hostname is configure d whe n the hos t is provis ione d. Impo rtant This e xample e nable s DHCP s e rvice s on the Sate llite s e rve r. Cons ult your ne twork adminis trator be fore proce e ding. Run the following katello-installer command as root, us ing the s pe cifie d options to configure the re quire d s e rvice s on the Sate llite s e rve r. Re me mbe r to s ubs titute your de s ire d adminis trator us e r name and pas s word. Impo rtant If you have cre ate d an admin us e r and pas s word by running katello-installer pre vious ly , do not include the --foreman-admin-username and --foremanadmin-password options in the following command. If you do not s pe cify the adminis trator us e r name and pas s word, the de fault us e r admin is cre ate d, and the pas s word is automatically ge ne rate d. The cre de ntials are dis playe d at the e nd of the ins tallation proce s s . Make a note of this pas s word. You can als o re trie ve the pas s word from admin_password parame te r in the /etc/katello-installer/answers.katello-installer.yaml file . # katello-installer --foreman-admin-username admin-username \ --foreman-admin-password admin-password \ --capsule-dns true \ --capsule-dns-interface eth0 \ --capsule-dns-zone example.com \ --capsule-dns-forwarders 172.17.13.1 \ --capsule-dns-reverse 13.17.172.in-addr.arpa \ --capsule-dhcp true \ --capsule-dhcp-interface eth0 \ --capsule-dhcp-range "172.17.13.100 172.17.13.150" \ --capsule-dhcp-gateway 172.17.13.1 \ --capsule-dhcp-nameservers 172.17.13.2 \ 31 Ins t allat io n Guide --capsule-tftp true \ --capsule-tftp-servername $(hostname) \ --capsule-puppet true \ --capsule-puppetca true At the e nd of the ins tallation proce s s , katello-installer outputs the s tatus of the ins tallation. Success! * Katello is running at Default credentials * Capsule is running at * To install additional running:" https://satellite.example.com are 'admin:*******' https://satellite.example.com:9090 capsule on separate machine continue by capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar" The full log is at /var/log/katello-installer/katello-installer.log Us e a we b brows e r to navigate to https ://s ate llite .e xample .com to dis play the Sate llite home page . This e xample us e s the de fault organiz ation (De fault_Organiz ation) and the de fault location. Alte rnative ly, you can configure Sate llite to us e e xte rnal DNS and DHCP s e rvice s as de s cribe d in Se ction 7.9, “Configuring Sate llite 6 with Exte rnal Se rvice s ”. If re quire d to allocate s pe cific IP addre s s e s to hos t name s or MAC addre s s e s , s e e the DHCP chapte r in the Re d Hat Ente rpris e Linux 7 Ne tworking Guide [7] . 2.3.3.1. Addit ional DNS, DHCP and T FT P Opt ions The following table de s cribe s the various options and the value s re quire d to corre ctly configure the Sate llite s e rve r. The katello-installer command us e s Puppe t; cons e que ntly, it will ins tall additional package s (bind, dhcp, xine td, and s o on) and configure the m to add the re que s te d functionality. For a comple te lis t of available options , run katello-installer --help. T able 2.2. Sat ellit e Co nf igurat io n Opt io ns Opt io n Descript io n Value --fore man-admin-us e rname The us e r name for the initial adminis trator. --fore man-admin-pas s word The pas s word for the initial adminis trator. --caps ule -dns --caps ule -dns -inte rface --caps ule -dns -z one Enable DNS proxy capability Which inte rface named s hould lis te n on The Forward DNS z one that the Sate llite will hos t The DNS s e rve r that unknown que rie s are forwarde d to Us e r s pe cifie d. Us e r s pe cifie d. ye s e th0 e xample .com --caps ule -dns -forwarde rs 32 172.17.13.1 C hapt e r 2. Ins t alling Re d Hat Sat e llit e Se r ve r Opt io n Descript io n Value --caps ule -dns -re ve rs e The Re ve rs e DNS z one the Sate llite hos ts . This is us ually the firs t thre e octe ts of the IP addre s s (172.17.13) re ve rs e d , and appe nde d with ".in-addr.arpa". Enable DHCP proxy capability The inte rface that DHCP lis te ns on The range of IP addre s s e s to is s ue to clie nts . 13.17.172.inaddr.arpa --caps ule -dhcp --caps ule -dhcp-inte rface --caps ule -dhcp-range --caps ule -dhcp-gate way --caps ule -dhcpname s e rve rs --caps ule -tftp --caps ule -tftp-s e rve rname --caps ule -puppe t --caps ule -puppe tca The de fault gate way IP to is s ue to clie nts . The hos t that the clie nts s hould us e for name re s olution. This s hould be configure d with the Sate llite 's IP in this de ployme nt mode l. Enable TFTP proxy capability. This is ne e de d to PXE boot the clie nts . Se ts the TFTP hos t name . Se t this to match the s e rve r's hos t name (s ate llite .e xample .com). Enable the Puppe t Mas te r. Enable the Puppe t CA. ye s e th0 172.17.13.10 0 172.172.13.15 0 172.17.13.1 172.17.13.2 ye s $(hos tname ) ye s ye s [6] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/7/htm l/Security_Guide/sec-Using_O penSSL.htm l [7] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/7/htm l/Networking_Guide/ 33 Ins t allat io n Guide Chapt er 3. Logging in t o Red Hat Sat ellit e Afte r Re d Hat Sate llite has be e n ins talle d and configure d us e the we b us e r inte rface to log in to Sate llite for furthe r configuration. The s e s te ps s how how to log in to Re d Hat Sate llite . 1. Acce s s the Sate llite s e rve r we b UI us ing a we b brows e r us ing the hos t name or FQDN: https://host_name/ To ide ntify the Sate llite s e rve rs hos t name , us e the hostname command on the Sate llite s e rve r. Add the -f option to dis play the FQDN: # hostname -f Impo rtant An untrus te d conne ction warning appe ars on your we b brows e r whe n acce s s ing Sate llite for the firs t time . Acce pt the s e lf-s igne d ce rtificate and add the Sate llite URL as a s e curity e xce ption to ove rride the s e ttings . This proce dure might diffe r de pe nding on the brows e r be ing us e d. Only do this if you are s ure that the Sate llite URL is a trus te d s ource . 2. Ente r the us e r name and pas s word cre ate d during the configuration proce s s . If a us e r was not cre ate d during the configuration proce s s , the de fault us e r name is admin. No te If you have forgotte n the adminis trative pas s word, us e the Sate llite command-line inte rface to re s e t the adminis tration us e r and pas s word: # foreman-rake permissions:reset Reset to user: admin, password: qwJxBptxb7Gfcjj5 This will re s e t the pas s word of the de fault us e r to the one printe d on the command line . Change this pas s word upon logging in to pre ve nt any s e curity is s ue s from occurring. 3.1. Organizat ions Organizations divide hos ts into logical groups bas e d on owne rs hip, purpos e , conte nt, s e curity le ve l, or othe r divis ions . 34 C hapt e r 3. Lo gging in t o Re d Hat Sat e llit e Multiple organiz ations can be vie we d, cre ate d, and manage d within the we b inte rface . Software and hos t e ntitle me nts can be allocate d acros s many organiz ations , and acce s s to thos e organiz ations controlle d. Each organiz ation mus t be cre ate d and us e d by a s ingle Re d Hat cus tome r account, howe ve r e ach account can manage multiple organiz ations . Subs cription manife s ts can only be importe d into a s ingle organiz ation and Sate llite will not upload a ce rtificate that has alre ady be e n uploade d into a diffe re nt organiz ation. By de fault, Red Hat Sat ellit e will have one organiz ation alre ady cre ate d, calle d "De fault Organiz ation", which can be modifie d to s uit your own ins tallation, or de le te d. The organiz ation name has a corre s ponding labe l Default_Organization for us e on the command line . Impo rtant If a ne w us e r is not as s igne d a de fault organiz ation the ir acce s s will be limite d. To grant the us e r s ys te ms rights , as s ign the m a de fault organiz ation and have the m log out and log back in again. 3.1.1. Creat ing an Organizat ion The s e s te ps s how how to cre ate a ne w organiz ation. Pro cedure 3.1. Creat ing an Organizat io n 1. Click Administ er → Organizat io ns. 2. Click New Organization. 3. Spe cify the name of the ne w organiz ation in the Name fie ld. Take care not to add an e xtra s pace at the e nd of the name as this will affe ct the corre s ponding labe l cre ate d. 4. In the Label fie ld, optionally e nte r a te xt s tring s imilar to the name but without s pace s . If omitte d, a labe l to match the name of the ne w organiz ation, but with unde rs core s in place of s pace s , is cre ate d automatically. The labe l is for us e on the command line and cannot be change d once this proce dure has be e n comple te d. Having a cons is te nt name to labe l corre s ponde nce will re duce e rrors on the command line . Cons ide r cre ating name s without s pace s . 5. Ente r a de s cription of the ne w organiz ation in the Description fie ld. 6. Click Submit. 7. Se le ct the hos ts to as s ign to the ne w organiz ation. Click Assign All to as s ign all hos ts with no organiz ation to the ne w organiz ation. Click Manually Assign to manually s e le ct and as s ign the hos ts with no organiz ation. Click Proceed to Edit to s kip as s igning hos ts . 3.1.2. Edit ing an Organizat ion 35 Ins t allat io n Guide You can update your organiz ation information as re quire d. You cannot change the organiz ation labe l. Pro cedure 3.2. Edit ing an Organizat io n 1. Click Administ er → Organizat io ns. 2. Click the name of the organiz ation you want to e dit. 3. Se le ct the re s ource to e dit. 4. Click the name of the de s ire d ite ms to add the m to the Selected Items lis t. 5. Click Submit. 3.1.3. Removing an Organizat ion Pro cedure 3.3. Remo ving an Organizat io n 1. Click the Administ er → Organizat io ns me nu on the top right hand corne r. 2. Se le ct Delet e from the drop down me nu to the right of the name of the organiz ation you want to re move . 3. An ale rt box appe ars : Delete Organization Name? 4. Click the OK button. Result The organiz ation is re move d from Red Hat Sat ellit e. 3.2. Changing Your Account Preferences Se tting up de fault account pre fe re nce s e ns ure s that s ubs e que nt logins will e nable the corre ct conte xt within the Re d Hat Sate llite Se rve r for a s pe cific us e r. It als o allows change s in us e r pre fe re nce s . The following pre fe re nce s can be change d: 1. User - Change pe rs onal data about your login name , as we ll as your pas s word and de fault location/organiz ation. a. Firs t Name b. Surname c. Email Addre s s d. De fault Location e . De fault Organiz ation f. Pas s word 36 C hapt e r 3. Lo gging in t o Re d Hat Sat e llit e 2. Lo cat io ns - Add or re move locations on your account bas e d on the locations cre ate d within the Re d Hat Sate llite Se rve r. 3. Organizat io ns - Add or re move organiz ations on your us e r account bas e d on the organiz ations cre ate d within the Re d Hat Sate llite Se rve r. 4. Ro les - Add or re move role s on your us e r account bas e d on a s e t of role s cre ate d within the Re d Hat Sate llite Se rve r. Pro cedure 3.4. Changing yo ur Acco unt Pref erences To change the s e pre fe re nce s : 1. At the uppe r right corne r, hove r your mous e ove r the admin us e r and on the dropdown me nu that appe ars , click on My Acco unt . 2. Choos e the s ubtab of the pre fe re nce you wis h to change and click on the s ubtab. 3. Change the pre fe re nce s you wis h to change and click on Submit. No te Se t your de fault location/organiz ation in the User s ubtab afte r your initial login. This will make s ure that s ubs e que nt logins will s e t you in the corre ct conte xt for your us e r. 3.3. Addit ional Resources For more information on configuring us e rs in Re d Hat Sate llite , s e e the re s ource s lis te d be low. The Us e rs and Role s chapte r in the Re d Hat Sate llite 6.1 Us e r Guide de s cribe s cre ating us e rs and the ir role s . The Configuring Exte rnal Authe ntication chapte r in the Re d Hat Sate llite 6.1 Us e r Guide de s cribe s us ing e xte rnal authe ntication s ource s , s uch as LDAP or Red Hat Enterprise Linux Identity Management (IdM), to de rive us e r and us e r group pe rmis s ions . 37 Ins t allat io n Guide Chapt er 4. Populat ing Red Hat Sat ellit e wit h Cont ent Re d Hat Sate llite provide s multiple type s of conte nt to s ubs cribe d clie nt hos ts including s oftware package s , e rrata, Puppe t module s , and containe r image s . The primary s ource of this conte nt is the Re d Hat Cus tome r Portal, in orde r to acce s s it, you ne e d to upload a subscription manifest file to the Sate llite s e rve r. A s ubs cription manife s t provide s s ubs criptions to clie nt hos ts through the Re d Hat Sate llite rathe r than through Re d Hat Ne twork. Obtain the s ubs cription manife s t file from the Re d Hat Cus tome r Portal as de s cribe d in Se ction 4.1.1.1, “Cre ating a Subs cription Manife s t”, or by contacting Re d Hat Support. This chapte r outline s the proce s s of populating your Re d Hat Sate llite s e rve r with conte nt. Some of the following proce dure s are not ne e de d fre que ntly and are us ually pe rforme d only once afte r ins tallation. Othe rs , like Se ction 4.1.3, “Synchroniz ing Conte nt” mus t be re pe ate d re gularly to ke e p the conte nt up to date . The s te ps re quire d to ge t the conte nt from Re d Hat Cus tome r Portal to the Sate llite Se rve r de pe nd on the type of de ployme nt: If your Sate llite s e rve r can acce s s the Inte rne t dire ctly, s e e Se ction 4.1, “Conne cte d Sate llite ”. If your Sate llite s e rve r is is olate d from the Inte rne t, s e e Se ction 4.2, “Dis conne cte d Sate llite ”. 4.1. Connect ed Sat ellit e A conne cte d Sate llite s e rve r has acce s s to the Inte rne t and the re fore can download s oftware package s , e rrata, Puppe t module s , and containe r image s dire ctly from the Re d Hat Cus tome r Portal. 4.1.1. Accessing Red Hat Cont ent Providers This s e ction outline s the s te ps re quire d to re ce ive conte nt from Re d Hat Cus tome r Portal. Firs t cre ate a manife s t on the Re d Hat Cus tome r Portal, the n upload it to the Sate llite s e rve r, and e nable Re d Hat re pos itorie s . 4.1.1.1. Creat ing a Subscript ion Manif est A subscription manifest can be obtaine d through the me thod be low or by contacting Re d Hat Support. The manife s t is us e d to s e t up Re d Hat conte nt provide rs and contains re pos itory information and s ubs criptions . It is us e d as a bas is of dis pe ns ing s ubs criptions and Re d Hat Ne twork (RHN) conte nt to clie nt s ys te ms from Red Hat Sat ellit e. Impo rtant Manife s ts are organiz ation-s pe cific, which me ans you have to cre ate and upload a s e parate manife s t for e ve ry organiz ation on your Sate llite . Prerequisit es 38 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt You mus t me e t the following conditions be fore continuing with this tas k: A Cus tome r Portal us e r name and pas s word. Sufficie nt s ubs criptions to add to the manife s t. Pro cedure 4.1. T o Creat e a Manif est f o r Sat ellit e 6: 1. Navigate to https ://acce s s .re dhat.com and click SUBSCRIPTIONS on the main me nu at the top of the page . 2. Scroll down to the Red Hat Subscription Management s e ction, and click Satellite unde r Subscription Management Applications. 3. To cre ate a manife s t for a ne w s ys te m, click Register a Satellite. Se le ct the Satellite version and Name that mus t match the name of the organiz ation on your Sate llite . Click Register. To add or modify s ubs criptions of an e xis ting manife s t, click the name of the s ys te m this manife s t is as s ociate d to, and click Attach a subscription. 4. For e ach s ubs cription that you want to attach, s e le ct the che ck box for that s ubs cription, and s pe cify the quantity of s ubs criptions to attach. 5. Click Attach Selected. No te It can take s e ve ral minute s for all the s ubs criptions to attach. Re fre s h the s cre e n e ve ry fe w minute s until you re ce ive confirmation that the s ubs criptions are attache d. 6. Afte r the s ubs criptions have be e n attache d, click Download Manifest to ge ne rate an archive in .z ip format containing the manife s t for Re d Hat Sate llite . 4.1.1.2. Uploading a Subscript ion Manif est t o Sat ellit e This s e ction de s cribe s how to upload a s ubs cription manife s t to an organiz ation. Be caus e s ubs cription manife s ts are organiz ation-s pe cific, e ns ure you s e le ct the corre ct organiz ation be fore you try to upload a s ubs cription manife s t. Failing to do s o will caus e a pe rmis s ion de nie d e rror (Error 403). Pro cedure 4.2. T o Uplo ad a Subscript io n Manif est : 1. Log in to the Sat ellit e s e rve r and s e le ct the de s ire d organiz ation from the me nu in the top le ft hand corne r. 2. Click Co nt ent → Red Hat Subscript io ns and the n click Manage Manifest at the uppe r right of the page . 3. In the Subscription Manifest s e ction, click Actions and unde r the Upload New Manifest s ubs e ction, click Browse. 4. Se le ct the manife s t file to upload, and the n click Upload. 4.1.1.3. Enabling Red Hat Reposit ories 39 Ins t allat io n Guide The Re d Hat Sate llite manife s t file provide s acce s s to Re d Hat products and re pos itorie s . Be caus e mos t products have s e ve ral archite cture s and product ve rs ions , Re d Hat Sate llite Se rve r allows the Sate llite adminis trators to choos e which re pos itorie s are re quire d by the ir organiz ations . You ne e d to e nable the re pos itorie s in Re d Hat Sate llite Se rve r to pre pare the m for s ynchroniz ation. Pro cedure 4.3. T o Enable Red Hat Repo sit o ries: 1. On the main me nu, click Co nt ent → Red Hat Repo sit o ries and the n click the tab for the type of conte nt that you want to e nable . 2. Click the product name for which you want to add re pos itorie s . This e xpands the lis t of available re pos itory s e ts . 3. Click e ach re pos itory s e t from which you want to s e le ct re pos itorie s , and s e le ct the che ck box for e ach re quire d re pos itory. The re pos itory is automatically e nable d. The conte nt from this re pos itory will be downloade d during the ne xt s ynchroniz ation, s e e Se ction 4.1.3, “Synchroniz ing Conte nt”. Afte r e nabling a Re d Hat re pos itory, a product for this re pos itory is automatically cre ate d. Impo rtant Ens ure you e nable the Sate llite Tools re pos itory. This re pos itory provide s the katello-agent and puppet-agent package s for clie nts re gis te re d to the Sate llite Se rve r. The following is an e xample s e t of s ubs criptions that contain re pos itorie s with the late s t package s for Re d Hat Ente rpris e Linux 6: Re d Hat Ente rpris e Linux 6 Se rve r Kicks tart x86_64 6Se rve r Re pos itory Re d Hat Ente rpris e Linux 6 Se rve r RPMs x86_64 6Se rve r Re pos itory Re d Hat Ente rpris e Linux 6 Se rve r - Sate llite Tools RPMs x86_64 Re pos itory 4.1.2. Using Product s A product is a group of re late d re pos itorie s that acts as the s malle s t unit of the s ynchroniz ation proce s s . Products e ns ure that re pos itorie s that de pe nd on e ach othe r are s ynchroniz e d toge the r. For Re d Hat re pos itorie s , products are cre ate d automatically afte r e nabling the re pos itory. The re fore , you only ne e d to cre ate products manually for re pos itorie s with cus tom or third-party conte nt. 4.1.2.1. Creat ing a Product The s e s te ps s how how to cre ate a ne w product. Pro cedure 4.4. T o Creat e a Pro duct : 1. Click Co nt ent → Pro duct s. 2. Click New Product. 3. Spe cify the name of the ne w product in the Name fie ld. 40 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt 4. Spe cify the labe l for the ne w product in the Label fie ld. 5. Se le ct a GPG ke y from the GPG Key drop-down me nu. 6. Se le ct a s ynchroniz ation plan from the Sync Plan drop-down me nu. You can als o s e le ct the New Sync Plan link to cre ate a ne w s ynchroniz ation plan. 7. Ente r a de s cription of the ne w product in the Description fie ld. 8. Click Save. 4.1.2.2. Adding Reposit ories t o a Product The s e s te ps s how how to add re pos itorie s to a product in Red Hat Sat ellit e. Pro cedure 4.5. T o Add Repo sit o ries t o a Pro duct : 1. Click Co nt ent → Pro duct s. 2. Click the product to add a re pos itory. 3. Click Repositories. 4. Click Create Repository. 5. Spe cify the name of the ne w re pos itory in the Name fie ld. 6. Spe cify a labe l for the ne w re pos itory in the Label fie ld. 7. Se le ct the type of the re pos itory from the Type drop-down me nu. 8. Spe cify the URL of the re pos itory in the URL fie ld. 9. Choos e whe the r to publis h the re pos itory via HTTP by s e le cting Publish via HTTP. 10. Se le ct a GPG ke y for the re pos itory from the GPG Key drop-down me nu. 11. Click Create. 4.1.2.3. Using Bulk Act ions f or Product s This s e ction de s cribe s how to us e bulk actions to s ynchroniz e or re move products in Re d Hat Sate llite . The proce dure de s cribe d he re re quire s that at le as t one product be available . Pro cedure 4.6. T o Synchro nize Mult iple Pro duct s: 1. Navigate to Co nt ent → Pro duct s. 2. Se le ct the che ck box for the products you want to work with. 3. Click Bulk Actions. 4. Click the Pro duct Sync tab and the n click Sync Now. Pro cedure 4.7. T o Remo ve Mult iple Pro duct s: 1. Navigate to Co nt ent → Pro duct s. 2. Se le ct the che ck box for the products you want to work with. 41 Ins t allat io n Guide 3. Click Bulk Actions. 4. Click Remove Products and the n click Remove. Pro cedure 4.8. T o Updat e Synchro nizat io n Plans f o r Mult iple Pro duct s: 1. Navigate to Co nt ent → Pro duct s. 2. Se le ct the che ck box for the products you want to work with. 3. Click Bulk Actions. 4. Click the Alter Sync Plans tab. De pe nding on the type of action you want to pe rform s e le ct from the following alte rnative s . A. To cre ate a ne w s ynchroniz ation plan, click Creat e Sync Plan. Spe cify the re quire d de tails and click Save. B. To re move the s ynchroniz ation plans from the s e le cte d products , click Unat t ach Sync Plan. C. To update the s ynchroniz ation plans for the s e le cte d products , click Updat e Sync Plan. 4.1.2.4. Using Reposit ory Discovery Re pos itory dis cove ry e nable s you to s e arch us ing a URL to dis cove r re pos itorie s available to include in a product. Pro cedure 4.9. T o Use Repo sit o ry Disco very: 1. Navigate to Co nt ent → Pro duct s. 2. Click Repo Discovery. 3. Ins e rt the URL whe re the re pos itorie s are locate d in the Yum Repo Discovery fie ld. 4. Click Discover. A lis t of the re pos itorie s at the URL is dis playe d unde r Results. 5. Click Discovered URLs to add the re pos itorie s to the product. 6. Click Create selected. 7. Choos e whe the r to add the re pos itorie s to an e xis ting product or cre ate a ne w product. a. To add the re pos itorie s to an e xis ting product: i. Se le ct Existing Product. ii. Se le ct the re quire d product from the drop-down me nu. b. To cre ate a ne w product to add the re pos itorie s to: i. Se le ct New Product. ii. Ente r the Name and Label for the ne w product and s e le ct a GPG Key from the drop-down me nu. 42 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt 8. Se le ct Serve via HTTP to s e rve the re pos itory via HTTP. 9. Edit the Name and Label for the Selected URLs. 10. Click Create. 4.1.2.5. Removing a Product This s e ction de s cribe s how to re move products from Re d Hat Sate llite . Pro cedure 4.10 . T o Remo ve a Pro duct f ro m Sat ellit e: 1. Navigate to Co nt ent → Pro duct s. 2. Se le ct the che ck box ne xt to the products you want to re move . 3. Click Bulk Actions and the n click Remove Products. 4. Click Remove to confirm that you want to re move the products . 4.1.3. Synchronizing Cont ent Synchronization is the act of coordinating update s be twe e n the Re d Hat Sate llite re pos itorie s and the s ource re pos itorie s be ing us e d. It is a re quire d s te p afte r e nabling re pos itorie s , in orde r to populate the Re d Hat Sate llite with conte nt from the s ource re pos itorie s . Cons tant, s che dule d s ynchroniz ation will re s ult in: Data inte grity be twe e n package s Update d package s , s e curity fixe s , and e rrata Re d Hat Sate llite 's s ynchroniz ation manage me nt capabilitie s allows an organiz ation's adminis trators to cre ate s ynchroniz ation plans to configure how ofte n a hos t s hould look for and ins tall update s . Synchroniz ation plans are the n paire d with the product re pos itorie s to s pe cify a s ynchroniz ation s che dule that will allow products to be update d at s pe cific inte rvals that are conve nie nt for the organiz ation's ne twork. 4.1.3.1. Synchronizat ion St at us Impo rtant The manual s ynchroniz ation of re pos itorie s is re quire d afte r e nabling the m. It is at this point that the local re pos itory in the Sate llite is populate d by the re quire d package s . The s e s te ps s how how to s ynchroniz e products in Re d Hat Sate llite . Pro cedure 4.11. Synchro nize Pro duct s 1. Navigate to Co nt ent → Sync St at us. Bas e d on the s ubs criptions and re pos itorie s e nable d, the lis t of product re pos itorie s available for s ynchroniz ation is dis playe d. 2. Click the arrow ne xt to the product name to s e e available conte nt. 43 Ins t allat io n Guide 3. Se le ct the conte nt you want to s ynchroniz e . 4. Click Synchronize Now to s tarting s ynchroniz ing. The s tatus of the s ynchroniz ation proce s s will appe ar in the Result column. If s ynchroniz ation is s ucce s s ful, Sync complete will appe ar in the Result column. If s ynchroniz ation faile d, Error syncing will appe ar. No te Conte nt s ynchroniz ation can take a long time . The le ngth of time re quire d de pe nds on the s pe e d of dis k drive s , ne twork conne ction s pe e d, and the amount of conte nt s e le cte d for s ynchroniz ation. 4.1.3.2. Creat ing a Synchronizat ion Plan Re gular, fre que nt s ynchroniz ation is re quire d to maintain data inte grity be twe e n package s as we ll as making s ure that package s are update d to the late s t s e curity fixe s . Re d Hat Sate llite provide s the ability to cre ate s che dule d s ynchroniz ation plans that allow package update s at inte rvals conve nie nt to the organiz ation. Pro cedure 4.12. T o Creat e a Synchro nizat io n Plan: 1. Navigate to Co nt ent → Sync Plans. 2. Click New Sync Plan to cre ate a ne w s ynchroniz ation plan. 3. Spe cify the Name, Description, Interval and Start Date for the plan. 4. Click Save. Afte r cre ating a s ynchroniz ation plan, s e le ct products that will be s ynchroniz e d according to this plan as de s cribe d in Se ction 4.1.3.3, “Applying a Synchroniz ation Sche dule ”. No te Synchroniz ation plans are applie d pe r product, the re fore all re pos itorie s as s ociate d with the product are s ynchroniz e d with the s ame fre que ncy. It is not pos s ible to s e t diffe re nt s ynchroniz ation inte rvals for re pos itorie s in the s ame product. 4.1.3.3. Applying a Synchronizat ion Schedule Afte r you have cre ate d a s ynchroniz ation plan, you ne e d to as s ociate products with that plan to cre ate a s ynchroniz ation s che dule . The following proce dure de s cribe s how to cre ate a s ynchroniz ation s che dule in Re d Hat Sate llite 6. Pro cedure 4.13. T o Creat e a Synchro nizat io n Schedule: 1. Click Co nt ent → Sync Plans and s e le ct the s ynchroniz ation plan you want to imple me nt. 2. Click Pro duct s → Add in the s ynchroniz ation plan main page . 3. Se le ct the che ck box of the product to as s ociate with the s ynchroniz ation plan. 44 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt 4. Click Add Selected. 4.1.4. Using a Cont ent ISO f or Init ial Synchronizat ion Eve n if the Sate llite Se rve r can conne ct dire ctly to the Re d Hat Cus tome r Portal, you can pe rform the initial s ynchroniz ation from a locally mounte d conte nt ISO. Such s ynchroniz ation is not limite d by ne twork bandwidth and the re fore is us ually fas te r, e s pe cially whe n s ynchroniz ing large re pos itorie s for the firs t time . Once the initial s ynchroniz ation is comple te d from the conte nt ISO, you can s witch back to downloading conte nt through the ne twork conne ction. A conne ction to the Re d Hat Cus tome r Portal is re quire d for downloading re pos itory me tadata. The following e xample us e s the Re d Hat Sate llite conte nt ISO, but you can als o us e the e xporte d conte nt from katello-disconnected (s e e Se ction 4.2.2, “Us ing the Synchroniz ation Hos t”). Example 4.1. Synchro nizing a Repo sit o ry f ro m a Lo cal So urce This e xample s hows how to pe rform the firs t s ynchroniz ation of the Re d Hat Ente rpris e Linux 6 re pos itory from a conte nt ISO. 1. Download the conte nt ISO for Re d Hat Ente rpris e Linux 6 from the Re d Hat Cus tome r Portal (s e e Se ction 4.2.1, “Us ing Conte nt ISO” for de taile d ins tructions ). Copy the conte nt ISO to your Sate llite s e rve r, for e xample to the /root/isos/ dire ctory. 2. On the Sate llite s e rve r, cre ate a mount point, mount the ISO and copy its conte nt to a writable dire ctory that Sate llite can acce s s , in this e xample /mnt/rhel6/: # mkdir /mnt/iso # mount -o loop /root/isos/sat-6-isos--rhel-6-server-x86_64.iso /mnt/iso # cp -ruv /mnt/iso/ /mnt/rhel6/ The n unmount the ISO and re move the mount point: # umount /mnt/iso # rmdir /mnt/iso 3. Se t the corre ct SELinux conte xt and owne rs hip for the conte nt dire ctory: # chcon -R --type=httpd_sys_rw_content_t /mnt/rhel6/ # chown -R apache:apache /mnt/rhel6/ 4. Cre ate or e dit the /etc/pulp/content/sources/conf.d/local.conf file . Ins e rt the following te xt to the file : [rhel-6-server] enabled: 1 priority: 0 expires: 3d 45 Ins t allat io n Guide name: Red Hat Enterprise Linux 6 Server type: yum base_url: file:///mnt/rhel6/content/dist/rhel/server/6/6Server/x86_64/os/ The base_url path may diffe r in your conte nt ISO. The dire ctory s pe cifie d in base_url mus t contain the repodata dire ctory, othe rwis e the s ynchroniz ation will fail. To s ynchroniz e multiple re pos itorie s , cre ate a s e parate e ntry for e ach of the m in the configuration file /etc/pulp/content/sources/conf.d/local.conf. 5. In the Sate llite we b UI, navigate to Co nt ent → Red Hat Repo sit o ries and s e le ct the re pos itory to be e nable d, in this e xample Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server. Unde r Co nt ent → Sync St at us s e le ct the re pos itory to be s ynchroniz e d and click Synchronize Now. Note that the re is no indication in the Sate llite we b UI of which s ource is be ing us e d. In cas e of proble ms with a local s ource , Sate llite pulls conte nt through the ne twork. To monitor the proce s s , run the following command in the cons ole on Sate llite (limite d to Re d Hat Ente rpris e Linux 7 bas e s ys te ms ): # journalctl -f -l SYSLOG_IDENTIFIER=pulp | grep -v worker[\,\.]heartbeat The above command dis plays inte ractive logs . Firs t, the Sate llite s e rve r conne cts to the Re d Hat Cus tome r Portal to download and proce s s re pos itory me tadata. The n, the local re pos itory is loade d. In cas e of any e rrors , cance l the s ynchroniz ation in the Sate llite we b UI and ve rify your configuration. 6. Afte r s ucce s s ful s ynchroniz ation you can de tach the local s ource by re moving its e ntry from /etc/pulp/content/sources/conf.d/local.conf. 4.2. Disconnect ed Sat ellit e In high s e curity e nvironme nts whe re hos ts are re quire d to function in a clos e d ne twork dis conne cte d from the Inte rne t, the Re d Hat Sate llite can provis ion s ys te ms with the late s t s e curity update s , e rrata, and package s . The re comme nde d way to populate a dis conne cte d Sate llite with conte nt is by us ing an ISO file downloade d form the Re d Hat Cus tome r Portal. Alte rnative ly, you can configure a s ynchroniz ation hos t. 4.2.1. Using Cont ent ISO The following proce dure s hows how to us e the conte nt ISO to add conte nt to Re d Hat Sate llite . 1. Download the product ISO from the Re d Hat Cus tome r Portal, as follows : a. Go to Downloads (at the ve ry top of the window) and s e le ct Re d Hat Sate llite . b. Ope n the Content ISOs tab. All products to which the account is s ubs cribe d are lis te d the re . c. Click the link for the product name , s uch as Re d Hat Ente rpris e Linux 6 Se rve r (x86_64)(2015-03-12) to download the ISO. 46 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt d. Save to me dia. 2. Copy all of the Sate llite conte nt ISOs to a dire ctory that Sate llite can acce s s . This e xample us e s /root/isos. 3. Cre ate a local dire ctory that will be s hare d via httpd on the Sate llite . This e xample us e s /var/www/html/pub/sat-import/. # mkdir -p /var/www/html/pub/sat-import/ 4. Re curs ive ly copy the conte nts of the firs t ISO to the local dire ctory: # # # # # mkdir /mnt/iso mount -o loop /root/isos/first_iso /mnt/iso cp -ruv /mnt/iso/* /var/www/html/pub/sat-import/ umount /mnt/iso rmdir /mnt/iso 5. Re pe at the above s te p for e ach ISO until you have copie d all the data from the s e rie s of ISOs into the local dire ctory /var/www/html/pub/sat-import/. 6. Ens ure that the SELinux conte xts are corre ct: # restorecon -rv /var/www/html/pub/sat-import/ 7. Modify the de fault provide r URL the Sate llite we b inte rface : a. Log in to the Sate llite we b inte rface . b. Se le ct the re quire d organiz ation from the Organization me nu. c. Click Co nt ent → Red Hat Subscript io ns and the n click Manage Manifest. d. On the Subscription Manifest information s cre e n s e le ct the Actions tab. Unde r Red Hat Provider Details click the e dit icon on the Red Hat CDN URL e ntry and change it to the Sate llite hos t name with the ne wly cre ate d dire ctory, for e xample : http://server.example.com/pub/sat-import/ Click Save. e . Click Bro wse to choos e the manife s t file . f. Click Uplo ad to import your manife s t. No te The Sate llite is now acting as its own CDN with the file s locate d in http://localhost. This is not a re quire me nt. The CDN can be hos te d on a diffe re nt machine ins ide the s ame dis conne cte d ne twork as long as it is acce s s ible to the Sate llite s e rve r via HTTP. 47 Ins t allat io n Guide 8. To e nable the re pos itorie s from the local CDN, click Co nt ent → Red Hat Repo sit o ries 9. Click Co nt ent → Sync St at us. 10. Se le ct the re pos itorie s you want to s ynchroniz e and click Synchro nize No w. Once the s ynchroniz e finis he s , the dis conne cte d Sate llite is now re ady to s e rve the conte nt to hos ts . 4.2.2. Using t he Synchronizat ion Host Impo rtant The s ynchroniz ation hos t fe ature is planne d to be de pre cate d in future re le as e s of Re d Hat Sate llite . The re fore , it is re comme nde d to us e the proce dure de s cribe d in Se ction 4.2.1, “Us ing Conte nt ISO” The diagram be low illus trate s how a dis conne cte d Sate llite is able to ke e p its conte nt update d e ve n without an Inte rne t conne ction. An inte rme diary s ys te m with an Inte rne t conne ction is ne e de d to act as a s ynchroniz ation hos t. This s ynchroniz ation hos t is in a s e parate ne twork from the Sate llite s e rve r. The s ynchroniz ation hos t imports conte nt from the Re d Hat Conte nt De live ry Ne twork (CDN) through pulp. The conte nt is the n e xporte d onto a me dia, s uch as DVDs , CDs , or e xte rnal hard drive s and trans fe rre d to the dis conne cte d Sate llite s e rve r. The following s e ctions in this chapte r will guide you through the whole proce s s . Figure 4.1. Disco nnect ed Sat ellit e 4.2.2.1. Conf iguring t he Synchronizat ion Host 48 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt The following s e ction s hows how to configure the s ynchroniz ation hos t. Prerequisit es To import conte nt from the Re d Hat Conte nt Dis tribution Ne twork (CDN), the s ynchroniz ation hos t re quire s : An Inte rne t conne ction Valid Re d Hat Ne twork s ubs criptions A valid manife s t (Se e Se ction 4.1.1.1, “Cre ating a Subs cription Manife s t” for ins tructions on how to obtain one .) Pro cedure 4.14. T o Co nf igure a Ho st t o Synchro nize and Expo rt Co nt ent f ro m t he Red Hat CDN: 1. Us e Re d Hat Subs cription Manage r to re gis te r the s ynchroniz ation hos t to RHN. 2. Lis t all the available s ubs criptions to find the corre ct Re d Hat Sate llite product to allocate to your s ys te m: # subscription-manager list --available --all This command dis plays output s imilar to the following: +-------------------------------------------+ Available Subscriptions +-------------------------------------------+ ProductName: ProductId: PoolId: Quantity: Multi-Entitlement: Expires: MachineType: Red Hat Satellite SKU123456 e1730d1f4eaa448397bfd30c8c7f3d334bd8b 10 No 08/20/2013 physical No te The Product ID and Pool ID de pe nd on the Re d Hat Sate llite product type that corre s ponds to your s ys te m ve rs ion and product type . 3. Subs cribe to the re quire d pool IDs : # subscription-manager subscribe \ --pool=Red_Hat_Satellite_Pool_ID \ --pool=Red_Hat_Enterprise_Linux_Pool_ID \ --pool=Red_Hat_Enterprise_Linux_Software_Collections_Pool_ID 4. Dis able all e xis ting re pos itorie s : 49 Ins t allat io n Guide # subscription-manager repos --disable "*" 5. Enable the Re d Hat Sate llite and Re d Hat Ente rpris e Linux and Re d Hat Software Colle ctions re pos itorie s . Ens ure the Re d Hat Ente rpris e Linux re pos itory matche s the s pe cific ve rs ion you are us ing. # subscription-manager repos --enable rhel-6-server-rpms \ --enable rhel-server-rhscl-6-rpms \ --enable rhel-6-server-satellite-6.1-rpms No te The commands above are bas e d on Re d Hat Ente rpris e Linux 6. If you are us ing a diffe re nt ve rs ion of Re d Hat Ente rpris e Linux, change the re pos itory bas e d on your s pe cific ve rs ion. 6. Ins tall katello-utils: # yum install katello-utils katello-utils include s the katello-disconnected utility that is re quire d to s e t up re pos itorie s for import while qpid re late d package s are ne ce s s ary for pulp configuration. 7. Ge ne rate a 32-characte r alphanume ric s tring for the oauth_secret e ntry in the /etc/pulp/server.conf file : $ tr -dc "[:alnum:]" < /dev/urandom | head -c 32 8. In the /etc/pulp/server.conf, uncomme nt the [oauth] e ntry and add the randomly-ge ne rate d value from the pre vious s te p as the oauth_secret value : [oauth] enabled: true oauth_key: katello oauth_secret: v8SeYqvS5QUfmg0dIrJOBG58lAHDRZnN 9. Dis able authe ntication in /etc/qpid/qpidd.conf: # Configuration file for qpidd. Entries are of the form: # name=value # # (Note: no spaces on either side of '='). # Run "qpidd --help" or see "man qpidd" for more details. auth=no All incoming conne ctions authe nticate us ing the Sate llite 's de fault re alm. 10. Configure the conne ction from katello-disconnected to Pulp with the pre vious ly ge ne rate d value as your --oauth-secret option: 50 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt # katello-disconnected setup --oauth-key=katello --oauthsecret=v8SeYqvS5QUfmg0dIrJOBG58lAHDRZnN This place s a configuration value in ~/.katello-disconnected. 11. Configure Pulp on the s ynchroniz ation s e rve r: sudo service qpidd start sudo chkconfig qpidd on sudo service mongod start sleep 10 sudo chkconfig mongod on sudo -u apache pulp-manage-db sudo service httpd restart sudo chkconfig httpd on sudo chkconfig pulp_workers on sudo service pulp_workers start sudo chkconfig pulp_celerybeat on sudo service pulp_celerybeat start sudo chkconfig pulp_resource_manager on sudo service pulp_resource_manager start 12. Import the manife s t to s e t up the lis t of available re pos itorie s to s ynchroniz e bas e d on the s e le cte d s ubs criptions : # katello-disconnected import -m ./manifest.zip The s ynchroniz ation hos t is now re ady to s ynchroniz e conte nt from the Re d Hat CDN. 4.2.2.2. Synchronizing Cont ent By de fault, katello-disconnected e nable s all re pos itorie s that are include d in the manife s t for s ynchroniz ation. Synchroniz ation time is dire ctly re late d to the amount of re pos itorie s to be s ynchroniz e d. If the manife s t has a large amount of re pos itorie s , the s ynchroniz ation will take time and ne twork re s ource s . katello-disconnected allows for the s ynchroniz ation of s pe cific re pos itorie s . This s e ction will s e t up Pulp for s ynchroniz ing conte nt. 1. Dis able all re pos itorie s : # katello-disconnected disable --all katello-disconnected e nable s all re pos itorie s by de fault. 2. Choos e which re pos itorie s you wis h to s ync by lis ting all available re pos itorie s from the manife s t: # katello-disconnected list --disabled rhel-6-server-rhn-tools-rpms-6_6-x86_64 rhel-6-server-rhn-tools-rpms-6Server-x86_64 rhel-6-server-kickstart-6Server-x86_64 rhel-6-server-kickstart-6_6-x86_64 rhel-6-server-rh-common-rpms-6_6-x86_64 rhel-6-server-rpms-6_6-x86_64 51 Ins t allat io n Guide 3. Enable the chos e n re pos itorie s for s ynchroniz ation: # katello-disconnected enable -r rhel-6-server-rh-common-rpms-6_6x86_64 4. Cre ate the re pos itorie s and pus h the m to Pulp to allow s ynchroniz ation: # katello-disconnected configure No te The configure option for katello-disconnected re ads the manife s t, cre ate s pulp re pos itorie s , and ge ne rate s s cripts be fore s ynchroniz ation. It ne e ds to be run e ach time a re pos itory is e nable d or dis able d. 5. Synchroniz e the re pos itorie s : # katello-disconnected sync You can us e the watch option to monitor the s ynchroniz ation proce s s . # katello-disconnected watch Watching sync... (this may be safely interrupted with Ctrl+C) running: rhel-6-server-rh-common-rpms-6_6-x86_64 running: rhel-6-server-rh-common-rpms-6_6-x86_64 ... finished: rhel-6-server-rh-common-rpms-6_6-x86_64 Watching finished 4.2.2.3. Export ing Cont ent The s ynchroniz e d conte nt ne e ds to be e xporte d to e nable importing into the dis conne cte d Re d Hat Sate llite . An e xte rnal e xport me dia s uch as a CD, DVD, or e xte rnal hard drive is re quire d for this proce dure . Pe rform the following s te ps : 1. Export the s ynchroniz e d re pos itorie s : # katello-disconnected export -t /var/tmp/export You can us e the watch option to monitor the s ynchroniz ation proce s s . The output will look s imilar to: # katello-disconnected watch Watching sync... (this may be safely interrupted with Ctrl+C) running: 52 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt rhel-6-server-rh-common-rpms-6_6-x86_64 finished: rhel-6-server-rh-common-rpms-6_6-x86_64 Watching finished Done watching ... Copying content to /var/tmp/export Archiving contents of /var/tmp/export into 4600M tar archives. NOTE: This may take a while. tar: Removing leading `/' from member names Done exporting content, please copy /var/tmp/export/* to your disconnected host This ope ration will cre ate the following file s in /var/tmp/export: # ls /var/tmp/export/ content-export-00 content-export-01 content-export-02 expand_export.sh 2. Copy the file s from /var/tmp/export to the e xte rnal me dia. No te If the file s are too big for your e xte rnal me dia, the file s can be copie d s e que ntially in a s e rie s of DVDs . The s ynchroniz e d conte nt has now be e n e xporte d and re ady for importing to the dis conne cte d Sate llite s e rve r. 4.2.2.4. Import ing Cont ent t o a Disconnect ed Sat ellit e Server Be fore importing conte nt, e ns ure that the dire ctory and file s ys te m containing the e xports has e nough s pace to contain the e xtracte d archive s . For e xample , if your e xport is 40 GB, the dis conne cte d Sate llite Se rve r dire ctory and file s ys te m whe re you are importing the conte nt will ne e d an e xtra 40 GB of s pace to e xpand it on the s ame file s ys te m. 1. Copy all of the Sate llite Conte nt ISOs to a dire ctory that the Sate llite can acce s s . This e xample us e s /root/isos. 2. Cre ate a local dire ctory that will be s hare d via httpd on the Sate llite . This e xample us e s /var/www.html/pub/sat-import/. # mkdir -p /var/www/html/pub/sat-import/ 3. Re curs ive ly copy the conte nts of the firs t ISO to the local dire ctory: # # # # # mkdir /mnt/iso mount -o loop /root/isos/first iso /mnt/iso cp -ruv /mnt/iso/* /var/www/html/pub/sat-import/ umount /mnt/iso rmdir /mnt/iso 53 Ins t allat io n Guide 4. Re pe at the above s te p for e ach ISO until you have copie d all the data from the s e rie s of ISOs into the local dire ctory /var/www/html/pub/sat-import/. 5. Ens ure that the SELinux conte xts are corre ct: # restorecon -rv /var/www/html/pub/sat-import/ 6. Change the de fault provide r URL in the Sate llite we b inte rface : a. Log in to the Sate llite we b inte rface and s e le ct the re quire d organiz ation. b. Click Co nt ent → Red Hat Subscript io ns and the n click Manage Manifest. c. On the Subscription Manifest information s cre e n s e le ct the Actions tab. Unde r Red Hat Provider Details, click the e dit icon ne xt to the Red Hat CDN URL e ntry and change the URL to re fe re nce the location that the ISOs we re copie d to. This e xample us e s the Sate llite fully qualifie d domain name (FQDN) server.example.com, s o the URL is : http://server.example.com/pub/sat-import/ d. Click Bro wse to choos e the manife s t file . e . Click Uplo ad to import your manife s t. 7. Enable the re pos itorie s from the local CDN: a. Click Co nt ent → Red Hat Repo sit o ries b. Enable the re pos itorie s that we re e nable d and s ynchroniz e d in the Synchroniz ing Conte nt s e ction. 8. Click Co nt ent → Sync St at us. 9. Se le ct the re pos itorie s you want to s ynchroniz e and click Synchro nize No w. No te The Sate llite is now acting as its own CDN with the file s locate d in http://localhost. This is not a re quire me nt. The CDN can be hos te d on a diffe re nt machine ins ide the s ame dis conne cte d ne twork as long as it is acce s s ible to the Sate llite s e rve r via HTTP. Once the s ynchroniz e finis he s , the dis conne cte d Sate llite is now re ady to s e rve the conte nt to clie nt s ys te ms . 4.2.3. Migrat ing f rom Disconnect ed t o Connect ed Sat ellit e If your e nvironme nt change d from dis conne cte d to conne cte d, you can re configure a dis conne cte d Sate llite to pull conte nt dire ctly from Re d Hat Cus tome r Portal: 1. Ens ure the corre ct organiz ation is s e le cte d. Navigate to Co nt ent → Red Hat Subscript io ns and click Manage Manif est . 54 C hapt e r 4 . Po pulat ing Re d Hat Sat e llit e wit h Co nt e nt 2. On the Subscription Manifest s cre e n s e le ct the Actions tab. Click the e dit icon ne xt to the Red Hat CDN URL e ntry and ins e rt the following URL: https://cdn.redhat.com Click Save. On ne xt s ynchroniz ation, Sate llite will pull conte nt dire ctly from Re d Hat Cus tome r Portal. 55 Ins t allat io n Guide Chapt er 5. Configuring a Self-Regist ered Sat ellit e A Re d Hat Sate llite s e rve r is normally re gis te re d to the Re d Hat Cus tome r Portal, the n activate d as a Sate llite Se rve r and ge ts ne w conte nt from the Re d Hat Cus tome r Portal. A s e lf-re gis te re d Re d Hat Sate llite 6 Se rve r is re gis te re d to its e lf rathe r than the Re d Hat Cus tome r Portal. Once a Re d Hat Sate llite 6 s e rve r is ins talle d, the re are s e ve ral advantage s to re gis te ring it as a clie nt to its e lf: The s ame life cycle manage me nt proce dure s can be applie d to the Sate llite 6 s e rve r its e lf that have be e n applie d to the re s t of the manage d e s tate . By s ubs cribing the Sate llite 6 s e rve r to its own conte nt vie ws , it will re ce ive the s ame update s on the s ame s che dule as the re s t of the manage d hos ts . A virt-who s e rvice can be run dire ctly on the Sate llite 6 s e rve r without the ne e d for an additional hos t. The re are als o s e ve ral limitations of a s e lf-re gis te re d Sate llite s e rve r: A s e lf-re gis te re d Sate llite Se rve r cannot te s t package update s by us ing life cycle e nvironme nts . It is e s s e ntial to make a full backup of a s e lf-re gis te re d Sate llite Se rve r be fore doing an upgrade to unte s te d package s . Not all puppe t module s are s upporte d by a s e lf-re gis te re d Sate llite s e rve r. Whe n applying puppe t module s to a s e lf-re gis te re d Sate llite s e rve r e ns ure that the y will not cre ate an uns upporte d configuration. 5.1. Regist ering a Sat ellit e t o It self Be fore a s e lf-re gis te re d Sate llite can be configure d to ge t update s from its e lf, the Sate llite s ubs cription mus t be adde d to the Sate llite ’s manife s t. Whe n the s ubs cription is in the manife s t, the appropriate Sate llite re pos itorie s can be s ynchroniz e d into the Sate llite . Pro cedure 5.1. T o Regist er a Sat ellit e t o It self : 1. If the Sate llite is alre ady re gis te re d to the Re d Hat Cus tome r Portal, unre gis te r the Sate llite from the Re d Hat Cus tome r Portal us ing the following commands : # subscription-manager remove --all # subscription-manager unregister 2. The Sate llite s ubs cription on the Re d Hat Cus tome r Portal is now available and can be trans fe rre d into the Sate llite 's manife s t. For furthe r information on Manife s ts s e e Se ction 4.1.1, “Acce s s ing Re d Hat Conte nt Provide rs ”. Trans fe r the s ubs cription to the Sate llite 's manife s t: a. Navigate to https ://acce s s .re dhat.com and click SUBSCRIPTIONS on the main me nu at the top of the page . b. Scroll down to the Red Hat Subscription Management s e ction, and click Satellite unde r Subscription Management Applications. 56 C hapt e r 5. Co nf igur ing a Se lf -Re gis t e r e d Sat e llit e c. Se le ct the re quire d Sate llite s e rve r by clicking its hos t name in the table . d. Click Attach a subscription and s e le ct s ubs criptions you want to attach. Spe cify the quantity for e ach s ubs cription, and click Attach Selected. 3. Re fre s h the manife s t on the Sate llite Se rve r: a. Log in to the Sat ellit e s e rve r. b. Ens ure that the corre ct organiz ation is s e le cte d. c. Click Co nt ent → Red Hat Subscript io ns and the n click Manage Manifest at the uppe r right of the page . d. In the Subscription Manifest s e ction, click Actions and unde r the Subscription Manifest s ubs e ction, click Refresh Manifest. 4. Enable Re d Hat re pos itorie s us ing the Sate llite we b inte rface : a. Click Co nt ent → Red Hat Repo sit o ries. b. Navigate to the re quire d re pos itorie s . Click e ach re pos itory s e t from which you want to s e le ct re pos itorie s and s e le ct the che ck box for e ach re quire d re pos itory. The re pos itory is automatically e nable d. For Re d Hat Ente rpris e Linux 6 the re pos itorie s that ne e d to be e nable d are : Re d Hat Ente rpris e Linux 6 Se rve r RPMs x86_64 6Se rve r Re d Hat Sate llite 6.1 for RHEL 6 Se rve r RPMs x86_64 Re d Hat Software Colle ctions RPMs for Re d Hat Ente rpris e Linux 6 Se rve r x86_64 6Se rve r Re d Hat Ente rpris e Linux 6 Se rve r - Sate llite Tools RPMs x86_64 Re pos itory For Re d Hat Ente rpris e Linux 7 the re pos itorie s that ne e d to be e nable d are : Re d Hat Ente rpris e Linux 7 Se rve r RPMs x86_64 6Se rve r Re d Hat Sate llite 6.1 for RHEL 7 Se rve r RPMs x86_64 Re d Hat Software Colle ctions RPMs for Re d Hat Ente rpris e Linux 7 Se rve r x86_64 6Se rve r Re d Hat Ente rpris e Linux 7 Se rve r - Sate llite Tools RPMs x86_64 Re pos itory 5. Synchroniz e the Sate llite s e rve r: a. Navigate to Co nt ent → Sync St at us. Bas e d on the s ubs criptions and re pos itorie s e nable d, the lis t of product re pos itorie s available for s ynchroniz ation is dis playe d. b. Click the arrow ne xt to the product name to s e e available conte nt. c. Se le ct the conte nt you want to s ynchroniz e . 57 Ins t allat io n Guide d. Click Synchronize Now to s tarting s ynchroniz ing. The s tatus of the s ynchroniz ation proce s s will appe ar in the Result column. If s ynchroniz ation is s ucce s s ful, Sync complete will appe ar in the Result column. If s ynchroniz ation faile d, Error syncing will appe ar. No te Conte nt s ynchroniz ation can take a long time . The le ngth of time re quire d de pe nds on the s pe e d of dis k drive s , ne twork conne ction s pe e d, and the amount of conte nt s e le cte d for s ynchroniz ation. 6. Optionally, cre ate a conte nt vie w to re pre s e nt the Sate llite s e rve r. This will allow the Sate llite to follow the s ame life cycle manage me nt proce dure s as the re s t of the conte nt on the s e rve r. For furthe r information about conte nt vie ws s e e the Conte nt Vie ws chapte r in the Re d Hat Sate llite 6.1 Us e r Guide a. To cre ate a conte nt vie w: i. Log into the we b inte rface as a Sate llite adminis trator. ii. Click Co nt ent → Co nt ent Views. iii. Click Creat e New View. iv. Spe cify the Name of the conte nt vie w. The Label fie ld is automatically populate d whe n the Name fie ld is fille d out. Optionally, provide a de s cription of the conte nt vie w. v. Click Save. b. Edit the conte nt vie w to add the Re d Hat Ente rpris e Linux s e rve r and Sate llite re pos itorie s : i. Click Co nt ent → Co nt ent Views and choos e the Conte nt Vie w to add re pos itorie s to. ii. Click Yum Content and s e le ct Repo sit o ries from the drop-down me nu. From the s ubme nu, click Add. iii. Se le ct the re quire d re pos itorie s to add and click Add Re pos itorie s . The re quire d re pos itorie s for a s e lf-re gis te re d Sate llite are all the re pos itorie s for the Sate llite its e lf, any s upporting re pos itorie s and the re pos itory for the Bas e OS. The re pos itorie s re quire d for a s e lfre gis te re d Sate llite are lis te d in Ste p 4 of this proce dure . 7. Download and ins tall the re quire d ce rtificate s by running: # rpm -Uvh /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm 8. Re gis te r the Sate llite s e rve r and attach the appropriate e ntitle me nts us ing s ubs cription manage r. Whe n re gis te ring the s e rve r you mus t s pe cify the organiz ation to which the s e rve r be longs , als o the life cycle e nvironme nt. # subscription-manager register --org=organization -environment=environment 58 C hapt e r 5. Co nf igur ing a Se lf -Re gis t e r e d Sat e llit e Example 5.1. # subscription-manager register --org=ExampleCompany -environment=Library You will be prompte d for your Re d Hat Sate llite us e r name and pas s word. The Sate llite Se rve r adminis trator can configure ne w us e rs . Se e the Us e rs and Role s chapte r in the Re d Hat Sate llite 6.1 Us e r Guide for more information. 9. Find the pool IDs for the Sate llite and for Re d Hat Ente rpris e Linux by running the following command: # subscription-manager list --available 10. Attach the e ntitle me nts by running the following command: # subscription-manager attach --pool Red_Hat_Satellite_Pool_ID -pool Red_Hat_Enterprise_Linux_ID A conte nt hos t has now be e n cre ate d for the Sate llite s e rve r ins ide of the Sate llite s e rve r. 11. Enable the re pos itorie s re quire d for the Sate llite s e rve r by running the following command: # subscription-manager repos --enable=repository-to-be-enabled Se e Ste p 4 of this proce dure for the lis t of re pos itorie s that ne e d to be e nable d. 12. Ins tall the Kate llo Age nt package to allow e rrata manage me nt and package ins tallation through the Sate llite we b inte rface . The katello-agent package de pe nds on the gofe r package that provide s the gofe rd s e rvice . The gofe rd s e rvice mus t be e nable d s o that the Re d Hat Sate llite Se rve r or Caps ule Se rve r can provide information about e rrata that are applicable for conte nt hos ts . To ins tall the katello-agent run the following command: # yum install katello-agent The gofe rd s e rvice is s tarte d and e nable d automatically afte r s ucce s s ful ins tallation of kate llo-age nt. 5.2. Updat ing a Self-Regist ered Sat ellit e A s e lf-re gis te re d Re d Hat Sate llite s e rve r is re gis te re d to its e lf rathe r than dire ctly to the Re d Hat Cus tome r Portal. A s e lf-re gis te re d Sate llite s e rve r is able to s ynchroniz e with the Re d Hat Cus tome r Portal the n apply update s to its e lf at the s ame time as providing othe r re quire d update s . Pro cedure 5.2. T o Updat e a Self -Regist ered Sat ellit e: 59 Ins t allat io n Guide 1. It is e s s e ntial to make a full backup of a s e lf-re gis te re d Sate llite s e rve r prior to doing an upgrade as package update s cannot be te s te d. For ins tructions on how to backup and, if ne ce s s ary, re s tore a Sate llite s e rve r s e e Backup and Dis as te r Re cove ry in the Re d Hat Sate llite 6.1 Us e r Guide . a. Ens ure your backup location has e nough dis k s pace to contain a copy of all of the following dire ctorie s : /etc/ /var/lib/pulp /var/lib/mongodb /var/lib/pgsql/ This can be a cons ide rable amount of s pace s o plan accordingly. b. Stop all s e rvice s : # katello-service stop c. Run the backup s cript: # /usr/bin/katello-backup backup_directory This proce s s can take a long time to comple te , due to the amount of data to copy. d. Re s tart all s e rvice s : # katello-service start 2. Synchroniz e to Sate llite s e rve r: a. Navigate to Co nt ent → Sync St at us. Bas e d on the s ubs criptions and re pos itorie s e nable d, the lis t of product re pos itorie s available for s ynchroniz ation is dis playe d. b. Click the arrow ne xt to the product name to s e e available conte nt. c. Se le ct the conte nt you want to s ynchroniz e . d. Click Synchronize Now to s tarting s ynchroniz ing. The s tatus of the s ynchroniz ation proce s s will appe ar in the Result column. If s ynchroniz ation is s ucce s s ful, Sync complete will appe ar in the Result column. If s ynchroniz ation faile d, Error syncing will appe ar. No te Conte nt s ynchroniz ation can take a long time , and de pe nds on the s pe e d of dis k drive s , ne twork conne ction s pe e d, and the amount of conte nt s e le cte d for s ynchroniz ation. 3. Optionally, publis h and promote the re quire d conte nt vie ws : 60 C hapt e r 5. Co nf igur ing a Se lf -Re gis t e r e d Sat e llit e a. Afte r a conte nt vie w has be e n cre ate d, it ne e ds to be publis he d in orde r for it to be vis ible and us able by hos ts . Be fore publis hing the conte nt vie w de finition, make s ure that the conte nt vie w de finition has the ne ce s s ary products , re pos itorie s and filte rs . To publis h the conte nt vie w: i. Click Co nt ent → Co nt ent Views. ii. Click on the conte nt vie w that re pre s e nts the Sate llite s e rve r. iii. Click Publish New Version. iv. Fill in a comme nt. v. Click Save. b. Afte r the conte nt vie w has be e n publis he d it ne e ds to promote d into the re quire d life cycle e nvironme nt. To promote the conte nt vie w: i. On the main me nu, click Co nt ent → Co nt ent Views. ii. In the Name column, s e le ct the conte nt vie w that re pre s e nts the Sate llite s e rve r. iii. On the Versions tab, ide ntify the late s t ve rs ion, and click Promote. iv. Ide ntify the promotion path whe re you want to promote the conte nt vie w, s e le ct the appropriate life cycle e nvironme nt, and click Promote Version. v. Afte r the promotion has comple te d, the Versions tab update s to dis play the ne w s tatus of your conte nt vie ws . 4. Update the Sate llite s e rve r: # yum update # katello-installer --upgrade 5. Re s tart the s e rvice s : # katello-service restart 61 Ins t allat io n Guide Chapt er 6. Managing Hypervisors and Virt ual Guest Subscript ions Re d Hat Sate llite can track the hype rvis ors (hos ts ) that are attache d dire ctly to it and the s ubs criptions of thos e hos ts . Howe ve r, the hype rvis ors ’ gue s ts are not inde xe d through this me chanis m. For the s e curity of the hype rvis or infras tructure , this hos t to gue s t mapping is not provide d during Sate llite re gis tration. The virt -who utility colle cts information about the conne ction be twe e n the hype rvis or and its virtual gue s ts and provide s Subs cription Manage r with a mapping file containing the hype rvis or-gue s t pairs . This utility is provide d both in the main Re d Hat Ente rpris e Linux re pos itory (rhe l-6-s e rve r-rpms or rhe l-7-s e rve r-rpms ) as we ll as in the Re d Hat Sate llite Tools re pos itory (rhe l-6-s e rve r-s ate llite -tools -6.1-rpms or rhe l-7-s e rve r-s ate llite -tools -6.1rpms ). The Sate llite Tools re pos itory is the re comme nde d s ource of virt -who for Sate llite ins tallations . To e nable this re pos itory on Re d Hat Ente rpris e Linux 7, e xe cute : # subscription-manager repos --enable=rhel-7-server-satellite-tools-6.1rpms The n ins tall virt -who as follows : # yum install virt-who 6.1. Int roduct ion t o virt -who Re d Hat us e s virt -who to ke e p track of the hype rvis ors ’ s ubs criptions and the gue s ts who can inhe rit thos e s ubs criptions . The virt-who s ys te m: 1. Scans the hype rvis or (hos t) manage me nt platform and its gue s ts 2. Cre ate s the hos t/gue s t mapping 3. Communicate s this hos t/gue s t mapping to Sate llite This hos t/gue s t mapping as s ociate s e ve ry gue s t with a s pe cific hos t. The n, a s ubs cription s e rvice can attach a s ingle s ubs cription to a virtual hos t and apply an include d and inhe ritable s ubs cription to a gue s t, rathe r than cons uming two s e parate s ubs criptions for e ach ins tance . Afte r you s tart virt-who the firs t time , a virt-who dae mon automatically runs in the background and make s update s bas e d on a s che dule you s e le ct (the de fault is hourly). 6.1.1. T he Universally Unique Ident if ier (UUID) The virt-who s ys te m make s this hos t/gue s t as s ociation by e xtracting a unive rs ally unique ide ntifie r (UUID) for e ach gue s t from the hype rvis or and the n as s ociating e ach UUID with its hype rvis or in the Sate llite inve ntory. 6.1.2. Import ant Condit ions f or virt -who t o Correct ly At t ach Subscript ions The s e factors mus t be true for the s ubs cription s e rvice to re cogniz e the hos t/gue s t as s ociation and corre ctly attach s ubs criptions : 62 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns The virt-who s ys te m mus t be run pe riodically to de te ct ne w gue s t ins tance s . The hype rvis or and the gue s t s ys te ms mus t be re gis te re d to the s ame s ubs cription s e rvice (that is , the s ame Sate llite organiz ation). The hype rvis or mus t have a s ubs cription attache d to it that include s virtual s ubs criptions or inhe ritable s ubs criptions . 6.1.3. Subscript ion St at us and virt -who A re gis te re d hos t is as s igne d a s ubs cription s tatus color bas e d on its ins talle d products and attache d s ubs criptions . Whe n you firs t re gis te r a virtual gue s t, the hos t lis t dis plays that virtual gue s t's hos t s ubs cription s tatus as ye llow. The re as on is that the Sate llite doe s not know which hype rvis or the gue s t re s ide s on. You mus t run virt-who s o that the Sate llite knows which hype rvis or the gue s t re s ide s on. With the de fault auto-attach configuration e nable d, and as s uming virt-who runs s ucce s s fully, the gue s t s ubs cription dis plays as gre e n in 24 hours . 6.2. Before You Begin 6.2.1. Prerequisit es To ins tall and run virt-who: You mus t have cre de ntials that allow virt-who to communicate with: a Sate llite us e r account your virtualiz ation s ys te m The s ys te m running virt-who is re gis te re d alre ady to the Sate llite s e rve r(virt-who will us e the hos t cre de ntials ). The ports configure d for your hype rvis or allow communication (the de fault virt-who port is 443). 6.2.2. User Login f or virt -who Login cre de ntials to the data ce nte r are re quire d for the following hype rvis or type s : Re d Hat Ente rpris e Virtualiz ation Manage r VMware vSphe re Micros oft Hype r-V 63 Ins t allat io n Guide No te Whe n configuring the pe rmis s ions to the login cre de ntials , the pe rmis s ions mus t allow acce s s to the virtual machine s and hype rvis ors . Re d Hat re comme nds the following: The login has re ad-only pe rmis s ion. The login is for a s e rvice account or non-us e r login. The pas s word doe s not e xpire . 6.2.3. virt -who Conf igurat ion File Locat ion The virt-who configuration is s tore d in the following configuration file s : /etc/sysconfig/virt-who (de fault) Sample Configuration File : $ cat /etc/sysconfig/virt-who [rdu] VIRTWHO_BACKGROUND=1 VIRTWHO_DEBUG=1 VIRTWHO_ESX=1 VIRTWHO_ESX_OWNER=Organization_label VIRTWHO_ESX_SERVER=vcenter-server.example.com VIRTWHO_ESX_USERNAME=esx-readonly-user VIRTWHO_ESX_PASSWORD=password VIRTWHO_ESX_ENV=Library /etc/virt-who.d/exampleconfig.conf (only for e ncrypte d pas s words ) Sample Configuration File : $ cat /etc/virt-who.d/exampleconfig.conf [rdu] type=abc owner=virtwho server=abc-server.example.com username=root password=password rhsm_username=admin rhsm_password=admin #rhsm_encrypted_password=61fde1a1e2cbe95faef0ef0ecfd85057 6.2.4. Limit at ions Relat ed t o Sat ellit e Organizat ions Subs criptions are arrange d according to Sate llite organiz ations . Although the curre nt virt-who can re port to multiple Sate llite organiz ations , you cannot s hare s ubs criptions acros s organiz ations . 64 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns Impo rtant You mus t have one virtual data ce nte r s ubs cription for e ach organiz ation and for e ach hype rvis or. 6.3. Support ed Hypervisors The virt-who s ys te m can work with any of the hype rvis ors outline d in the following table . T able 6.1. Suppo rt ed Hyperviso rs If yo u have... Go here f o r set up inst ruct io ns... Warnings: Se ction 6.4, “Se tting up a Re d Hat Ente rpris e Virtualiz ation Manage r Se rve r or Libvirt (KVM) Hype rvis or” None Micros oft Hype r-V Se ction 6.5, “Us ing virt-who with Hype r-V” VMware : vCe nte r, vSphe re , or ESX Se ction 6.6, “Se tting up a VMware Hype rvis or” You cannot ins tall virt-who dire ctly on the Hype r-V hype rvis ors . Ins te ad. you mus t ins tall virt-who on a Re d Hat Ente rpris e Linux platform that can communicate with the Hype r-V s e rve r. You cannot ins tall virt-who dire ctly on the VMware hype rvis ors . Ins te ad, you mus t ins tall virt-who on a Re d Hat Ente rpris e Linux platform that can communicate with the vCe nte r s e rve r. A Re d Hat Ente rpris e Linux s ys te m running KVM Re d Hat Ente rpris e Virtualiz ation Manage r 6.3.1. Rerunning virt -who Re running virt-who doe s not change a pre vious ly cre ate d hype rvis or's e nvironme nt or conte nt vie w. This le ts you manually move a hype rvis or to a diffe re nt e nvironme nt and conte nt vie w in Sate llite . You can als o change the virt-who hos t without impacting e xis ting hype rvis ors . To re run virt-who, us e the command option: # virt-who --one-shot Re -re gis te ring the hos t on which virt-who is running to a ne w organiz ation cre ate s ne w hype rvis ors in that organiz ation. Pre vious ly cre ate d hype rvis ors in anothe r organiz ation re main unchange d (until you de le te the m manually). If you add an organiz ation, you mus t re s tart virt-who. 65 Ins t allat io n Guide 6.4. Set t ing up a Red Hat Ent erprise Virt ualizat ion Manager Server or Libvirt (KVM) Hypervisor 1. Configure Subs cription Manage r on the virtual s ys te m to us e Sate llite and the CA ce rtificate : # rpm -ivh \ http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 2. Re gis te r the Re d Hat Ente rpris e Linux s ys te m (which communicate s with Re d Hat Ente rpris e Virtualiz ation Manage r) to Sate llite : # subscription-manager register --username=admin --password=secret --org=organization_label --auto-attach The organiz ation labe l is available in the Sate llite we b UI. If anothe r s ys te m is alre ady re gis te re d to that organiz ation, the n you can ge t the labe l by us ing the subscription-manager orgs command. 3. Ins tall the virt-who package s on the hype rvis or. No te For both the Re d Hat Ente rpris e Virtualiz ation Manage r s e rve r and the libvirt (KVM) hype rvis or, Re d Hat re comme nds that you ins tall the virt-who package on a phys ical s ys te m. # yum install virt-who 4. Edit the virt-who configuration file (/etc/sysconfig/virt-who) and s e t the parame te rs as follows : For a Re d Hat Ente rpris e Virtualiz ation Manage r s e rve r: VIRTWHO_DEBUG=1 VIRTWHO_SATELLITE6=1 VIRTWHO_RHEVM=1 VIRTWHO_RHEVM_OWNER=organization_label VIRTWHO_RHEVM_ENV=environment VIRTWHO_RHEVM_SERVER=RHEV-server_URL VIRTWHO_RHEVM_USERNAME=desired_user_name VIRTWHO_RHEVM_PASSWORD=desired_password Note that to de te rmine the organiz ation labe l for the VIRTWHO_RHEVM_OWNER parame te r e xe cute the subscription-manager identity command. The us e r name for the VIRTWHO_RHEVM_USERNAME parame te r has the form admin@inte rnal. With the VIRTWHO_SATELLITE6 parame te r e nable d, virt-who s e nds re ports to the Sate llite s e rve r. For a libvirt (KVM) hype rvis or: 66 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns VIRTWHO_BACKGROUND=1 VIRTWHO_DEBUG=1 VIRTWHO_SATELLITE6=1 VIRTWHO_LIBVIRT=1 With the VIRTWHO_SATELLITE6 parame te r e nable d, virt-who s e nds re ports to Re d Hat Sate llite . 5. Start and e nable the virt-who s e rvice : On Re d Hat Ente rpris e Linux 6: # service virt-who start # chkconfig virt-who on On Re d Hat Ente rpris e Linux 7: # systemctl start virt-who # systemctl enable virt-who 6. Afte r s tarting the virt-who s e rvice , monitor the /var/log/rhsm/rhsm.log/ file on the s ame s ys te m to confirm whe the r or not hos ts and gue s ts mappings are s e nt. 2015-01-10 13:44:38,651 [DEBUG] @subscriptionmanager.py:112 Sending update in hosts-to-guests mapping: {44454c4c-3900-1057804c-b2c04f375231: [42346e7b-f3df-6651-4d43-6de0c769c6c7, 564ddf1c-1eec-aba5-aec4-03d311ca298e, 4234ee7d-b239-ebb1-738f55a83861d1a5, 42343eb8-838f-18f3-24f9-682455093072, 42345839-63166733-f5a1-bd4213d693b3, 42344725-cf73-f8d9-6bff-c88d4df5c67c]} 7. On the Sate llite s e rve r, go to Ho st → Co nt ent Ho st s and confirm that hos t (hype rvis or) s ys te m profile s dis play. By de fault, the hype rvis or name is as follows : For a Re d Hat Ente rpris e Virtualiz ation Manage r s e rve r: hypervisor UUID For a libvirt (KVM) hype rvis or: hypervisor UUID If de s ire d, change this name in the Re d Hat Sate llite UI by e diting the s ys te m e ntry. 8. To make virtual s ubs criptions available for virtual machine s , the hos t s ys te m ne e ds a s ubs cription. To know on which hos t the virtual machine is running, ope n the virtual machine profile from the Content Hosts page . In the Details tab, the virtual machine dis plays as Virtual Host UUID. Click the UUID link that ope ns the hos t s ys te m profile . The n, in the Subscriptions tab, as s ign the s ubs cription to the hos t s ys te m. If you have multiple hype rvis ors running Re d Hat Ente rpris e Linux gue s ts , attach a s ubs cription to all the hype rvis ors . 9. To cons ume the s ubs cription as s igne d to the hype rvis or profile on the machine running virt-who,uns ubs cribe and the n auto s ubs cribe : 67 Ins t allat io n Guide # subscription-manager remove --all # subscription-manager attach --auto 10. Confirm whe the r the s ubs cription attache d to the hype rvis or is cons ume d by the gue s t running virt-who: # subscription-manager list --consumed 11. Whe n you ins tall ne w virtual machine s on the hype rvis or, you mus t re gis te r the ne w virtual machine s and us e the s ubs cription attache d to the hype rvis or: # rpm -ivh \ http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 12. Re gis te r the ne w virtual machine s and us e the s ubs cription attache d to the hype rvis or: # subscription-manager register --org=organization_label # subscription-manager attach --auto # subscription-manager list --consumed 6.5. Using virt -who wit h Hyper-V 1. To make the virt-who conne ction to Hype r-V work, e nable Windows Re mote Manage me nt and e ithe r HTTP or HTTPS lis te ne r mus t be running. On the Hype r-V s e rve r: # winrm quickconfig 2. The fire wall mus t allow re mote adminis tration. On the Hype r-V s e rve r: # netsh advfirewall firewall set rule group="Remote Administration" new enable=yes 3. If you are us ing HTTP, e nable the une ncrypte d conne ction. On the Hype r-V s e rve r: # winrm set winrm/config/service @{AllowUnencrypted="true"} 4. Only Bas ic and NTLM authe ntication me thods are s upporte d. To ve rify that e ithe r Bas ic or Ne gotiate is e nable d (True ): # winrm get winrm/config/service/auth 5. On the Re d Hat s e rve r, log in as root. Ins tall the virt-who package : # yum install virt-who 6. Edit the /etc/sysconfig/virt-who file and s e t the parame te rs as follows : VIRTWHO_BACKGROUND=1 68 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns VIRTWHO_DEBUG=1 VIRTWHO_ONE_SHOT=0 VIRTWHO_INTERVAL=0 VIRTWHO_SATELLITE6=1 VIRTWHO_HYPERV=1 VIRTWHO_HYPERV_OWNER=Satellite_Organization VIRTWHO_HYPERV_ENV=Library VIRTWHO_HYPERV_SERVER=IP or FQDN VIRTWHO_HYPERV_USERNAME=Your_User_Name (you must use your Hyper-V administrator account) VIRTWHO_HYPERV_PASSWORD=Your_Password With the VIRTWHO_SATELLITE6 parame te r e nable d, virt-who s e nds re ports to Re d Hat Sate llite . 7. Start and e nable the virt-who s e rvice : On Re d Hat Ente rpris e Linux 6: # service virt-who start # chkconfig virt-who on On Re d Hat Ente rpris e Linux 7: # systemctl start virt-who # systemctl enable virt-who 8. Optional: To configure the virt-who s e rvice to us e a Windows domain account, e dit your us e rname with a double backs las h in the virt-who configuration file . For e xample : VIRTWHO_HYPERV_USERNAME="MYDOMAIN\\user" 6.6. Set t ing up a VMware Hypervisor The virt-who package s that cre ate the hos t/gue s t mapping are available for Re d Hat Ente rpris e Linux. In a VMware e nvironme nt, you mus t have Re d Hat Ente rpris e Linux 6.6 or late r available to run the virt-who s e rvice which conne cts to the VMware hype rvis or. The s ys te m running virt-who re quire s ope n acce s s to vCe nte r on ports 80 and 443. Be fore following the s e s te ps , cre ate a fire wall e xce ption to allow conne ctions on port 80 and 443 from the Re d Hat Sate llite s e rve r to the vCe nte r: On Re d Hat Ente rpris e Linux 6: # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: 69 Ins t allat io n Guide # service iptables start # chkconfig iptables on On Re d Hat Ente rpris e Linux 7: # firewall-cmd --add-port="80/tcp" --add-port="443/tcp" \ && firewall-cmd --permanent --add-port="80/tcp" --add-port="443/tcp" Pe rform the following s te ps to s e t up a VMware hype rvis or: 1. Configure Subs cription Manage r on the virtual s ys te m to us e the Sate llite and the CA ce rtificate , as follows : # rpm -ivh \ http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 2. Re gis te r the Re d Hat Ente rpris e Linux s ys te m (which communicate s with the VMware s e rve r) to Sate llite . # subscription-manager register --username=admin --password=secret --org=organization_label --auto-attach The organiz ation labe l is available in the Sate llite UI for the organiz ation. If anothe r s ys te m is alre ady re gis te re d to that organiz ation, the n you can ge t the labe l by us ing the subscription-manager orgs command. 3. Ins tall the virt-who package s . # yum install virt-who 4. On the Re d Hat Ente rpris e Linux s ys te m (which communicate s with the VMware hype rvis or), e dit the virt-who configuration file (/etc/sysconfig/virt-who) and s e t the following parame te rs (to ide ntify the location of your ESX manage me nt s e rve r): VIRTWHO_BACKGROUND=1 VIRTWHO_DEBUG=1 VIRTWHO_SATELLITE6=1 VIRTWHO_ESX=1 VIRTWHO_ESX_OWNER=Organization_label VIRTWHO_ESX_SERVER=vcenter-server.example.com VIRTWHO_ESX_USERNAME=esx-readonly-user VIRTWHO_ESX_PASSWORD=MyGNU4pass!! VIRTWHO_ESX_ENV=Library The VIRTWHO_ESX_USERNAME is the local VMware vCe nte r or Micros oft Active Dire ctory us e r with re ad-only pe rmis s ion to the virtual machine s and hype rvis ors . With the VIRTWHO_SATELLITE6 parame te r e nable d, virt-who s e nds re ports to Re d Hat Sate llite . 5. Start and e nable the virt-who s e rvice : On Re d Hat Ente rpris e Linux 6: 70 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns # service virt-who start # chkconfig virt-who on On Re d Hat Ente rpris e Linux 7: # systemctl start virt-who # systemctl enable virt-who The data are adde d to the following file : /var/lib/virt-who/hypervisor-systemid-UUID 6. Afte r s tarting the virt-who s e rvice , monitor the /var/log/rhsm/rhsm.log file on the s ame s ys te m to confirm whe the r or not hos ts and gue s ts mappings are s e nt. 2015-01-10 13:44:38,651 [DEBUG] @subscriptionmanager.py:112 Sending update in hosts-to-guests mapping: {44454c4c-3900-1057804c-b2c04f375231: [42346e7b-f3df-6651-4d43-6de0c769c6c7, 564ddf1c-1eec-aba5-aec4-03d311ca298e, 4234ee7d-b239-ebb1-738f55a83861d1a5, 42343eb8-838f-18f3-24f9-682455093072, 42345839-63166733-f5a1-bd4213d693b3, 42344725-cf73-f8d9-6bff-c88d4df5c67c]} 7. On the Sate llite s e rve r, go to HOST S → CONT ENT HOST and confirm that hos t (hype rvis or) s ys te ms profile s dis play. By de fault, the hype rvis or name is esx hypervisor UUID. If de s ire d, change this name in the Re d Hat Sate llite GUI by e diting the s ys te m e ntry. 8. To make virtual s ubs criptions available for virtual machine s , the hos t s ys te m ne e ds a s ubs cription. To know on which hos t the virtual machine is running, ope n the virtual machine profile from the Content Host page . In the Details tab, the virtual machine dis plays as Virtual Host UUID. Click the UUID link that ope ns the hos t s ys te m profile . The n, in the Subscriptions tab, as s ign the s ubs cription to the hos t s ys te m. If you have multiple VMware hype rvis ors running Re d Hat Ente rpris e Linux gue s ts , the n attach a s ubs cription to all the VMware hype rvis ors . 9. To attach the s ubs cription as s igne d to the hype rvis or profile on the machine running the virt-who s e rvice , uns ubs cribe and the n auto s ubs cribe : # subscription-manager remove --all # subscription-manager attach --auto 10. Confirm whe the r the s ubs cription attache d to the hype rvis or is cons ume d by the gue s t running virt-who: # subscription-manager list --consumed 11. Whe n you ins tall ne w virtual machine s on the hype rvis or, you mus t re gis te r the ne w virtual machine s and us e the s ubs cription attache d to the hype rvis or: # rpm -ivh \ http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 12. Re gis te r the ne w virtual machine s and us e the s ubs cription attache d to the 71 Ins t allat io n Guide hype rvis or: # subscription-manager register --org=organization_label # subscription-manager attach --auto # subscription-manager list --consumed 6.7. Configure virt -who wit h an Encrypt ed Password virt-who can e ncrypt the pas s words for the hype rvis or and give you the s tring to us e . The e ncrypte d pas s word is locate d in the /etc/virt-who.d/ configuration file . To ge ne rate an e ncrypte d pas s word: 1. Ve rify /var/lib/virt-who/key e ncryption file has root re ad and write pe rmis s ion. 2. To ge t an e ncrypte d pas s word s tring, run the virt-who-password as root: # virt-who-password Password: Use the following as a value for the encrypted_password key in the configuration file: encrypted_password_string Type the pas s word of your hype rvis or and write down the e ncrypte d s tring. 3. Cre ate a ne w configuration file for virt-who ins ide /etc/virt-who.d/. No te Since a configuration file is cre ate d unde r /etc/virt-who.d/, do not s pe cify the hype rvis or de tails in /etc/sysconfig/virt-who. For more information, s e e the man page : $ man virt-who-config For e xample , on vCe nte r: # vi /etc/virt-who.d/config [config] type=esx server=vcenter/esx_host> username=vcenter/esx_username encrypted_password=encrypted_password_string owner=owner env=Library 4. Ve rify that the /var/lib/virt-who/key e ncryption ke y file has root re ad and write pe rmis s ion. # ll /var/lib/virt-who/key -rw-------. 1 root root 130 Jun 29 14:43 /var/lib/virt-who/key 72 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns 5. Afte r the configuration change , re s tart the virt-who s e rvice . On Re d Hat Ente rpris e Linux 6: # service virt-who restart On Re d Hat Ente rpris e Linux 7: # systemctl restart virt-who 6. To de te rmine the value of owner in the /etc/virt-who.d/ configuration file , run the following command. The org ID string is the owner value : # subscription-manager identity org ID : string 6.8. vCent er Configurat ion Example for Report ing Dat a t o Mult iple Organizat ions In this e xample , you have two vCe nte r e nvironme nts , and you want to do the following: Place hype rvis ors from the firs t ins tance of vCe nte r into the Organiz ation 'Engine e ring' on your Sate llite 6. Place hype rvis ors from the s e cond ins tance of vCe nte r into the Organiz ation 'Ope rations ' on your Sate llite 6. No te You mus t have virt-who running on two s ys te ms , one for e ach organiz ation. The following s ys te m hos tname s de note the diffe re nce be twe e n the two virt-who s ys te ms : hostname - eng-virt-who.example.com (virt-who instance reports hypervisors in vCenter1 to the 'Engineering' Organization) hostname - ops-virt-who.example.com (virt-who instance reports hypervisors in vCenter2 to the 'Operations' Organization) This e xample us e s the following information: Vcenter1: Hostname - vcenter1.example.com username - read_write@vsphere.local password - supersecret 73 Ins t allat io n Guide Vcenter2: Hostname - vcenter2.example.com username - read_only@vsphere.local password - notsosecret Pro cedure 6.1. Part 1 1. On s ys te m eng-virt-who.example.com, ins tall virt-who: [root@eng-virt-who.example.com]# yum install virt-who 2. Cre ate an e ncrypte d pas s word s tring for vcenter1: [root@eng-virt-who.example.com]# virt-who-password Password: type the 'supersecret' password Use following as value for encrypted_password key in the configuration file: 5e7367195d9fe2aa4b6667f93f17c5bd 3. Edit /etc/virt-who.d/vcenter-1 and add the following conte nt: [vcenter-1] type=esx server=vcenter1.example.com username=read_only@vsphere.local encrypted_password=5e7367195d9fe2aa4b6667f93f17c5bd owner=Engineering env=Library 4. Re s tart virt-who. On Re d Hat Ente rpris e Linux 6: # service virt-who restart On Re d Hat Ente rpris e Linux 7: # systemctl restart virt-who Pro cedure 6.2. Part 2 On s ys te m ops-virt-who.example.com, comple te the following s te ps : 1. Ins tall virt-who: [root@ops-virt-who.example.com]# yum install virt-who 2. Cre ate an e ncrypte d pas s word s tring for vcenter2: [root@ops-virt-who.example.com]# virt-who-password Password: type the 'notsosecret' password Use following as value for encrypted_password key in the configuration file: 74 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns 4ff5da2eee0648d99fd0c24337f98bd6 3. Edit /etc/virt-who.d/vcenter-2 and add the following conte nt: [vcenter-2] type=esx server=vcenter2.example.com username=read_only@vsphere.local encrypted_password=4ff5da2eee0648d99fd0c24337f98bd6 owner=Operations env=Library 4. Re s tart virt-who. On Re d Hat Ente rpris e Linux 6: # service virt-who restart On Re d Hat Ente rpris e Linux 7: # systemctl restart virt-who 6.9. Regist ering Guest Inst ances Re gis te r a virtual s ys te m the s ame as a phys ical s ys te m. The virt-who s e rvice mus t be running on the virtual hos t or on a hype rvis or in the e nvironme nt (for VMware ). This e ns ure s that the virt-who s e rvice maps the gue s t to a phys ical hos t, s o the s ys te m is re gis te re d as a virtual s ys te m. Othe rwis e , the virtual ins tance is tre ate d as a phys ical ins tance . 1. Configure Subs cription Manage r on the virtual s ys te m to us e the Sate llite s e rvice and the CA ce rtificate . # rpm -Uvh \ http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 2. Re gis te r the s ys te m to the s ame organiz ation as its hos t. # subscription-manager register --username=admin --password=secret --org=organization_label --auto-attach The organiz ation ID is available in the Portal e ntry for the organiz ation. If anothe r s ys te m is alre ady re gis te re d to that organiz ation, the n ge t the organiz ation ID by us ing the following command: # subscription-manager orgs 6.10. Removing a Guest Ent ry To re move a gue s t e ntry, you mus t unre gis te r the gue s t from the Sate llite . 75 Ins t allat io n Guide # subscription-manager unregister If the s ys te m has be e n de le te d, howe ve r, the virtual s e rvice (like virt-who) cannot te ll whe the r the s e rvice is de le te d or paus e d. In that cas e , manually re move the s ys te m from Sate llite . 1. Log into the Sate llite UI. 2. in the top me nu, hove r ove r the Systems ite m and click the All ite m. 3. In the le ft column, click the name of the s ys te m. 4. At the top of the s ys te m's de tails page , click the Remove System link. 6.11. Removing a Hypervisor Ent ry 1. Unre gis te r the hype rvis or. # subscription-manager unregister 2. For VMware , de le te the UUID file to re move the hos t/gue s t mapping re cords :/var/lib/virt-who/hypervisor-systemid-UUID 6.12. T roubleshoot ing virt -who This s e ction lis ts s e le cte d proble ms that can occur whe n inte grating Sate llite with virt-who. Scenario 1: You have Sate llite running toge the r hype rvis or and run the virt-who command. The dis plays two gre e n hype rvis ors . One hype rvis or cre ate a gue s t ID. Run virt-who again. The hos t but the ne w gue s t ID is dis playe d as re d. with a hype rvis or. You ins tall anothe r hos t lis t in the Sate llite we b UI now has a s ubs cription attache d, and you lis t now dis plays two gre e n hype rvis ors , Solution: The hype rvis or tool migrate d the gue s t from hype rvis or 1 to hype rvis or 2. To fix this proble m, choos e one of the following options : Move the virtual data s ubs cription to hype rvis or 2. Move the gue s t to hype rvis or 1. Stop us ing this gue s t. Scenario 2: In Sate llite , you provis ion a gue s t on a hype rvis or that doe s not have a s ubs cription. The hos t lis t in the Sate llite we b UI dis plays the hype rvis or as ye llow. 24 hours late r, the hype rvis or is dis playe d as re d. Solution: The hype rvis or probably doe s not have a corre ctly attache d s ubs cription. Obtain a s ubs cription for this hype rvis or. Scenario 3: Eithe r of the following e rror me s s age s dis play: Host unknown status Late binding to a host through virt-who (host/guest mapping) 76 C hapt e r 6 . Managing Hype r vis o r s and Vir t ual Gue s t Subs c r ipt io ns Solution: Se arch for the e rror output from virt-who in the /var/log/rhsm/rhsm.log file . The n, s e arch the e rrors in the knowle dge bas e in Re d Hat Cus tome r Portal. Scenario 4: In Sate llite , you provis ion a gue s t on a hype rvis or that has a s ubs cription. The hos t lis t in the Sate llite we b UI dis plays the hype rvis or as ye llow. Solution: Eithe r wait for virt-who to run and fix the proble m its e lf, or run virt-who manually. 77 Ins t allat io n Guide Chapt er 7. Inst alling Red Hat Sat ellit e Capsule Server The Re d Sate llite Caps ule Se rve r is a Sate llite compone nt that provide s fe de rate d s e rvice s to dis cove r, provis ion, and configure hos ts outs ide of the primary Sate llite s e rve r. A Sate llite Caps ule Se rve r provide s the following fe ature s : Pulp Se rve r fe ature s , including: Re pos itory s ynchroniz ation Conte nt de live ry Re d Hat Sate llite Provis ioning Smart Proxy fe ature s , including: DHCP, including ISC DHCP s e rve rs DNS, including Bind Any UNIX-bas e d TFTP s e rve r Puppe t Mas te r s e rve rs from 0.24 Puppe t CA to manage ce rtificate s igning and cle aning Bas e board Manage me nt Controlle r (BMC) for powe r manage me nt The Sate llite Caps ule Se rve r is a me ans to s cale out the Sate llite ins tallation. Organiz ations can cre ate various caps ule s in diffe re nt ge ographical locations whe re the data ce nte rs are locate d. The s e are ce ntrally manage d through the Sate llite Se rve r. Whe n a Sate llite us e r promote s conte nt to the production e nvironme nt, the Sate llite Se rve r will pus h the conte nt from the Sate llite Se rve r to e ach of the Sate llite Caps ule Se rve rs . Hos t s ys te ms pull conte nt and configuration from the Sate llite Caps ule Se rve rs in the ir location and not from the ce ntral Sate llite Se rve r. Cre ating various Sate llite Caps ule Se rve rs will de cre as e the load on the ce ntral s e rve r, incre as e re dundancy, and re duce bandwidth us age . 7.1. Red Hat Sat ellit e Capsule Server Scalabilit y The maximum numbe r of Caps ule Se rve rs that the Sate llite Se rve r can s upport has no fixe d limit but has be e n te s te d on a Sate llite Se rve r with a Re d Hat Ente rpris e Linux 6.6 and 7 hos ts . Curre ntly, running fourte e n caps ule s with two vCPUs have be e n te s te d without is s ue s . 7.1.1. Capsule Scalabilit y wit h Puppet Client s Caps ule s calability de pe nds he avily on the following factors , e s pe cially whe n managing puppe t clie nts : Numbe r of CPUs Run-inte rval dis tribution Numbe r of puppe t clas s e s 78 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r The Caps ule Se rve r has a concurre ncy limitations of 100 concurre nt puppe t age nts running at any s ingle point in time . Running more than 100 concurre nt puppe t age nts will re s ult in a 503 HTTP e rror. For e xample , as s uming that the puppe t age nt runs are e ve nly dis tribute d with le s s than 100 concurre nt puppe t age nts running at any s ingle point during a run-inte rval, a Caps ule Se rve r with four CPUs can e xpe ct a maximum of 1250-1600 puppe t clie nts with a mode rate workload of 10 puppe t clas s e s as s igne d to e ach puppe t clie nt. De pe nding on the numbe r of puppe t clie nts re quire d, the Sate llite ins tallation can s cale out the numbe r of Caps ule Se rve rs to s upport the m. Bas e d on the following as s umptions : The re are no e xte rnal puppe t clie nts re porting dire ctly to the Sate llite 6 inte grate d caps ule . All othe r puppe t clie nts re port dire ctly to an e xte rnal caps ule . Puppe t s calability within Sate llite on Re d Hat Ente rpris e Linux 6.6 Caps ule s is as follows : With minimum numbe r of CPUs (two CPUs ): At 1 puppe t clas s pe r hos t: Not te s te d At 10 puppe t clas s e s pe r hos t: Maximum of 1020-860 At 20 puppe t clas s e s pe r hos t: Maximum of 375-330 With re comme nde d numbe r of CPUs (four CPUs ): At 1 puppe t clas s pe r hos t: Maximum of 2250-1875 At 10 puppe t clas s e s pe r hos t: Maximum of 1600-1250 At 20 puppe t clas s e s pe r hos t: Maximum of 700-560 No te The information above re pre s e nts an e ve nly dis tribute d run inte rval of all puppe t age nts . Any de viation runs the ris k of filling the pas s e nge r re que s t que ue and is s ubje ct to the concurre ncy limitation of 100 concurre nt re que s ts . 7.2. Red Hat Sat ellit e Capsule Server Prerequisit es The Sate llite Caps ule 's re quire me nts are ide ntical to the Sate llite Se rve r. The s e conditions mus t be me t be fore ins talling Re d Hat Sate llite Caps ule : Impo rtant The Re d Hat Sate llite s e rve r and Caps ule s e rve r ve rs ions mus t match. For e xample , a Sate llite 6.0 s e rve r cannot run a 6.1 Caps ule s e rve r and a Sate llite 6.1 s e rve r cannot run a 6.0 Caps ule s e rve r. Mis matching Sate llite s e rve r and Caps ule s e rve r ve rs ions will re s ult in the Caps ule s e rve r failing s ile ntly. 79 Ins t allat io n Guide 7.2.1. Base Operat ing Syst em Ins tall the ope rating s ys te m from dis c, local ISO image , kicks tart, or any othe r me thods that Re d Hat s upports . Re d Hat Sate llite Caps ule re quire s Re d Hat Ente rpris e Linux ins tallations with the @Bas e package group with no othe r package -s e t modifications , and without third-party configurations or s oftware that is not dire ctly ne ce s s ary for the dire ct ope ration of the s e rve r. This re s triction include s harde ning or othe r non-Re d Hat s e curity s oftware . If s uch s oftware is re quire d in your infras tructure , ins tall and ve rify a comple te working Re d Hat Sate llite Caps ule firs t, the n cre ate a backup of the s ys te m be fore adding any non-Re d Hat s oftware . Whe n ins talling Re d Hat Ente rpris e Linux from CD or ISO image , the re is no ne e d to s e le ct any package groups ; Re d Hat Sate llite Caps ule only re quire s the bas e ope rating s ys te m ins tallation. Whe n ins talling the ope rating s ys te m via kicks tart, s e le ct the @Bas e package group. Re d Hat Sate llite Caps ule re quire s a ne tworke d bas e s ys te m with the following minimum s pe cifications : 64-bit archite cture . The late s t ve rs ion of Re d Hat Ente rpris e Linux 6 Se rve r or 7 Se rve r. A minimum of two CPU core s , but four CPU core s are re comme nde d. A minimum of 12 GB me mory but ide ally 16 GB of me mory for e ach Sate llite ins tance . A minimum of 4 GB of s wap is re comme nde d. A minimum of 5 GB s torage for the bas e ins tall of Re d Hat Ente rpris e Linux, 300 MB for the ins tallation of Re d Hat Sate llite Caps ule and at le as t 10 GB s torage for e ach unique s oftware re pos itory to be s ynchroniz e d in the /var file s ys te m. Package s that are duplicate d in diffe re nt re pos itorie s are only s tore d once on the dis k. Additional re pos itorie s containing duplicate package s will re quire le s s additional s torage . No te The bulk of s torage re s ide s on the /var/lib/mongodb and /var/lib/pulp dire ctorie s . The s e e nd points are not manually configurable . Ens ure that s torage is available on the /var file s ys te m to pre ve nt s torage is s ue s . No Java virtual machine ins talle d on the s ys te m, re move any if the y e xis t. No Puppet RPM file s ins talle d on the s ys te m. No third-party uns upporte d yum re pos itorie s e nable d. Third-party re pos itorie s may offe r conflicting or uns upporte d package ve rs ions that may caus e ins tallation or configuration e rrors . Adminis trative us e r (root) acce s s . Full forward and re ve rs e DNS re s olution us ing a fully qualifie d domain name . Che ck that hostname and localhost re s olve corre ctly, us ing the following commands : 80 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r # ping -c1 localhost # ping -c1 `hostname -f` # my_system.domain.com Ens ure the Sate llite Se rve r's bas e s ys te m can re s olve the Caps ule 's hos t name . Available s ubs criptions on the Re d Hat Sate llite Se rve r. Impo rtant Make s ure that the hos t s ys te m is fully update d be fore ins talling Re d Hat Sate llite Caps ule Se rve r. Atte mpts to ins tall on hos t s ys te ms running Re d Hat Ente rpris e Linux that are not fully update d may le ad to difficulty in trouble s hooting, as we ll as unpre dictable re s ults . Re d Hat re comme nds that the Sate llite Caps ule s ys te m be a fre s hly provis ione d s ys te m that s e rve s no othe r function e xce pt as a Sate llite Caps ule . 7.2.2. Applicat ion Specif icat ions Sate llite application ins tallation s pe cifications are as follows : It is re comme nde d that a time s ynchroniz e r s uch as nt pd is ins talle d and e nable d on Sate llite . Run the following command to s tart the time s ynchroniz e r and have it pe rs is t acros s re s tarts : For Re d Hat Ente rpris e Linux 6: # chkconfig ntpd on; service ntpd start For Re d Hat Ente rpris e Linux 7: # systemctl start chronyd; systemctl enable chronyd 7.2.3. Net work Port s Required f or Capsule Communicat ions The following table s lis t the ports re quire d for configuring a Re d Hat Sate llite Caps ule : T able 7.1. Po rt s f o r Sat ellit e t o Capsule Co mmunicat io n Po rt Pro t o c ol Service Required f o r 9090 80 443 TCP TCP TCP HTTPS HTTP HTTPS Conne ctions to the proxy in the Caps ule Sate llite to Caps ule , for downloading a bootdis k (Optional) Conne ctions to the Pulp s e rve r in the Caps ule [a] [a] Added in Satellite 6.1.9 T able 7.2. Po rt s f o r Capsule t o Sat ellit e Co mmunicat io n 81 Ins t allat io n Guide Po rt Pro t o c ol Service Required f o r 443 5646 TCP TCP HTTPS amqp 5647 TCP amqp Conne ctions to Kate llo, Fore man, Fore man API, and Pulp Caps ule 's Qpid dis patch route r to Qpid dis patch route r in the Sate llite The Kate llo age nt to communicate with the Sate llite 's Qpid dis patch route r The bas e s ys te m on which a Caps ule Se rve r is running is a manage d hos t, a clie nt, that is dire ctly conne cte d to the Sate llite Se rve r. Se e Table 1.5, “Ports for Clie nt to Sate llite Communication”. T able 7.3. Po rt s f o r Client t o Capsule Co mmunicat io n Po rt Pro t o c ol Service Required f o r 53 DNS Que rie s to the DNS s e rvice 67 69 80 TCP and UDP UDP UDP TCP DHCP TFTP HTTP 443 5647 TCP TCP HTTPS amqp 8000 TCP HTTPS 8140 8443 TCP TCP HTTPS HTTPS 9090 TCP HTTPS For Clie nt provis ioning from the Caps ule Downloading PXE boot image file s Anaconda, yum, and for obtaining Kate llo ce rtificate update s Anaconda, yum, Te le me try Se rvice s , and Puppe t The Kate llo age nt to communicate with the Caps ule 's Qpid dis patch route r Anaconda to download kicks tart te mplate s to hos ts , and for downloading iPXE firmware Puppe t age nt to Puppe t mas te r conne ctions Subs cription Manage me nt Se rvice s conne ction to the re ve rs e proxy for the ce rtificate -bas e d API Se nding ge ne rate d SCAP re ports to the proxy in the Caps ule for s pooling Connect ions f rom Sat ellit e t o Capsule To configure the fire wall on a Capsule to e nable incoming conne ctions from the Sat ellit e, and to make the s e rule s pe rs is te nt during re boots , e nte r the commands be low appropriate to the Re d Hat re le as e . The ports in the s e commands are take n from the table Table 7.1, “Ports for Sate llite to Caps ule Communication”. Note that port 9090 is als o lis te d in the Table 7.3, “Ports for Clie nt to Caps ule Communication”. Re vie w the commands to avoid duplicating e ntrie s . On a Re d Hat Ente rpris e Linux 6 Caps ule , e xe cute as root: # iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: 82 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r # service iptables restart # chkconfig iptables on On a Re d Hat Ente rpris e Linux 7 Caps ule , e xe cute as root: # firewall-cmd --add-port="9090/tcp" \ --add-port="443/tcp" \ && firewall-cmd --permanent --add-port="9090/tcp" \ --add-port="443/tcp" Connect ions f rom Capsule t o Sat ellit e To configure the fire wall on a Sat ellit e to e nable incoming conne ctions from a Capsule, and to make the s e rule s pe rs is te nt during re boots , e nte r the commands be low appropriate to the Re d Hat re le as e . The ports in the s e commands are take n from the table Table 7.2, “Ports for Caps ule to Sate llite Communication”. Note that port 443 and 5647 are als o lis te d in the Table 1.5, “Ports for Clie nt to Sate llite Communication”. Re vie w the commands to avoid duplicating e ntrie s . On a Re d Hat Ente rpris e Linux 6 Sate llite , e xe cute as root: # iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 5646 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables restart # chkconfig iptables on On a Re d Hat Ente rpris e Linux 7 Sate llite , e xe cute as root: # firewall-cmd --add-port="443/tcp" \ --add-port="5646/tcp" --add-port="5647/tcp" \ && firewall-cmd --permanent --add-port="443/tcp" \ --add-port="5646/tcp" --add-port="5647/tcp" Connect ions f rom Client t o Capsule To configure the fire wall on a Capsule to e nable incoming conne ctions from a Client , and to make the s e rule s pe rs is te nt during re boots , e nte r the commands be low appropriate to the Re d Hat re le as e . The ports in the s e commands are take n from the table Table 7.3, “Ports for Clie nt to Caps ule Communication”. Note that port 443 and 9090 are als o lis te d in the Table 7.1, “Ports for Sate llite to Caps ule Communication”. Re vie w the commands to avoid duplicating e ntrie s . 83 Ins t allat io n Guide On a Re d Hat Ente rpris e Linux 6 Caps ule , e xe cute as root: # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 8000 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables restart # chkconfig iptables on On a Re d Hat Ente rpris e Linux 7 Caps ule , e xe cute as root: # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \ --add-port="67/udp" \ --add-port="69/udp" --add-port="80/tcp" \ --add-port="443/tcp" --add-port="5647/tcp" \ --add-port="8000/tcp" --add-port="8140/tcp" \ --add-port="8443/tcp" --add-port="9090/tcp" \ && firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \ --add-port="67/udp" \ --add-port="69/udp" --add-port="80/tcp" \ --add-port="443/tcp" --add-port="5647/tcp" \ --add-port="8000/tcp" --add-port="8140/tcp" \ --add-port="8443/tcp" --add-port="9090/tcp" No te For information on SELinux type s for the ports me ntione d in this s e ction, s e e Se ction 1.4.6, “SELinux Policy on Sate llite 6” 7.3. Obt aining t he Required Packages for t he Capsule Server 84 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Server Prerequisit es The Sate llite Se rve r's bas e s ys te m mus t be able to re s olve the hos t name of the Caps ule Se rve r's bas e s ys te m. You will ne e d a Re d Hat Sate llite us e r name and pas s word. Re gis te r the Caps ule Se rve r to the Re d Hat Sate llite Se rve r to us e the Re d Hat Sate llite Se rve r products and s ubs criptions : 1. Ins tall the Re d Hat Sate llite Se rve r's CA ce rtificate in the Caps ule Se rve r: # rpm -Uvh http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm 2. Re gis te r the Caps ule s e rve r with your organiz ation by us ing the organiz ation label: # subscription-manager register --org organization_label You will be prompte d for your Re d Hat Sate llite us e r name and pas s word. The Sate llite Se rve r adminis trator can configure ne w us e rs . Se e the Us e rs and Role s chapte r in the Re d Hat Sate llite 6.1 Us e r Guide for more information. Pro cedure 7.1. T o Inst all a Sat ellit e Capsule Server o n a Cert if icat e-managed Syst em: 1. Lis t all the available s ubs criptions to find the corre ct Re d Hat Sate llite and Re d Hat Ente rpris e Linux product to allocate to your s ys te m: # subscription-manager list --available --all The s cre e n dis plays : Subscription Name: Red Hat Satellite Capsule Server Provides: Red Hat Satellite Proxy Red Hat Satellite Capsule Red Hat Software Collections (for RHEL Server) Red Hat Satellite Capsule Red Hat Enterprise Linux Server Red Hat Enterprise Linux High Availability (for RHEL Server) Red Hat Software Collections (for RHEL Server) Red Hat Enterprise Linux Load Balancer (for RHEL Server) SKU: MCT0369 Pool ID: 9e4cc4e9b9fb407583035861bb6be501 Available: 3 Suggested: 1 Service Level: Premium 85 Ins t allat io n Guide Service Type: Multi-Entitlement: Ends: System Type: L1-L3 No 10/07/2015 Physical No te The SKU and Pool ID de pe nd on the Re d Hat Sate llite product type that corre s ponds to your s ys te m ve rs ion and product type . 2. Subs cribe to the re quire d pool IDs : # subscription-manager subscribe -pool=Red_Hat_Satellite_Capsule_Pool_Id 3. Dis able all e xis ting re pos itorie s : # subscription-manager repos --disable "*" 4. Enable the Sate llite and Re d Hat Ente rpris e Linux re pos itorie s by running subscription-manager. You might ne e d to alte r the Re d Hat Ente rpris e Linux re pos itory to match the s pe cific ve rs ion you are us ing. If e nabling a re pos itory une xpe cte dly fails , che ck the corre ct re pos itory is e nable d on the Sate llite Se rve r. In the we b UI, navigate to Co nt ent → Red Hat Repo sit o ries and che ck the s tatus of the re pos itory unde r Co nt ent → Sync St at us. For Re d Hat Ente rpris e Linux 6: # subscription-manager repos --enable rhel-6-server-rpms \ --enable rhel-6-server-satellite-capsule-6.1-rpms For Re d Hat Ente rpris e Linux 7: # subscription-manager repos --enable rhel-7-server-rpms \ --enable rhel-7-server-satellite-capsule-6.1-rpms 5. If re quire d, to ve rify what re pos itorie s have be e n e nable d, us e the yum repolist enabled command. For e xample , on Re d Hat Ente rpris e Linux 7: # yum repolist enabled Loaded plugins: langpacks, product-id, subscription-manager repo id repo name status !rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 7,617 !rhel-7-server-satellite-capsule-6.1-rpms/x86_64 Red Hat Satellite Capsule 6.1 (for RHEL 7 Server) (RPMs) 176 repolist: 7,793 6. Run the following command as the root us e r to ins tall the capsule-installer package : # yum install capsule-installer 86 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r The capsule-installer package provide s the capsule-installer functionality. 7.4. Running t he Inst allat ion and Configurat ion Program for Capsule Server Prerequisit es You mus t me e t the following conditions be fore continuing on this tas k: Ins tall the Re d Hat Sate llite Se rve r. Re d Hat re comme nds that SELinux on the Sate llite 6 Caps ule Se rve r is s e t to e nforcing. Cre ate a Caps ule Se rve r ce rtificate on the Sate llite Se rve r: On the Sate llite Se rve r, us e the capsule-certs-generate command: # capsule-certs-generate --capsule-fqdn capsule.example.com -certs-tar ~/capsule.example.com-certs.tar Whe re : capsule-fqdn is the Sate llite Caps ule Se rve r's fully qualifie d domain name . Mandatory. certs-tar is the name of the file to ge ne rate that will contain the ce rtificate for the Sate llite Caps ule ins talle r. The capsule-certs-generate command re turns the ins tallation ins tructions with the commands to be e xe cute d on the Caps ule Se rve r. Note that the s yntax of thos e commands de pe nds on the parame te rs of capsule-certs-generate and the fully qualifie d domain name of your Sate llite . For e xample , the capsulecerts-generate command e xe cute d on Sate llite with FQDN satellite.example.com ge ne rate s the following output: To finish the installation, follow these steps: 1. Ensure that the capsule-installer package is available on the system. 2. Copy ~/capsule.example.com-certs.tar to the capsule system capsule.example.com 3. Run the following commands on the capsule (possibly with the customized parameters, see capsule-installer --help and documentation for more info on setting up additional services): rpm -Uvh http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm subscription-manager register --org "Default_Organization" capsule-installer --parent-fqdn "satellite.example.com"\ 87 Ins t allat io n Guide --register-in-foreman --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --puppet --puppetca --pulp "true"\ "true"\ "true"\ "true" Impo rtant The capsule-certs-generate command re turns the argume nts re quire d to s ucce s s fully ins tall a Caps ule with the capsule-installer command. The --foreman-oauth-key and --foreman-oauth-secret argume nts are always re quire d, the --pulp-oauth-secret argume nt is re quire d if the Caps ule will hos t conte nt (the --pulp option s e t to true ). Se e Se ction 7.4.1, “Ins talling a Caps ule Se rve r” for more information on ins talling a Caps ule . Copy the archive file cre ate d by capsule-certs-generate, in this cas e calle d capsule.example.com-certs.tar, from the Sate llite Se rve r to the Caps ule Se rve r. No te If you have a cus tom ce rtificate , s e e Se ction 7.5.1, “Configuring Re d Hat Sate llite Caps ule Se rve r with a Cus tom Se rve r Ce rtificate ” for ins tructions . On the Caps ule Se rve r, ins tall the katello-ca-consumer-latest package from the Sate llite s e rve r: # rpm -Uvh http://satellite.example.com/pub/katello-ca-consumerlatest.noarch.rpm Re gis te r the Caps ule Se rve r with your organiz ation by us ing the organiz ation label: # subscription-manager register --org organization_label You will be prompte d for your Re d Hat Sate llite us e r name and pas s word. The Sate llite Se rve r adminis trator can configure ne w us e rs . Se e the Us e rs and Role s chapte r in the Re d Hat Sate llite 6.1 Us e r Guide for more information. The following s e ctions will as s is t in configuring a Sate llite Caps ule Se rve r for us e with your Re d Hat Sate llite Se rve r. This include s the following type s of Sate llite Caps ule Se rve rs : Sate llite Caps ule Se rve r with conte nt functionality. 88 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Sate llite Caps ule Se rve r without conte nt functionality. 7.4.1. Inst alling a Capsule Server You can ins tall a Caps ule Se rve r by us ing cus tomiz e d parame te rs , de pe nding on your inte nde d us e cas e . Se e capsule-installer --help for a lis t of the available parame te rs . To ins tall a Caps ule by us ing the de fault me thod, run the following command (als o found in the output from capsule-certs-generate): # capsule-installer --parent-fqdn --register-in-foreman --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar certs.tar"\ --puppet --puppetca --pulp "satellite.example.com"\ "true"\ "~/capsule.example.com"true"\ "true"\ "true" To e nable or dis able othe r s e rvice s , run capsule-installer --help and s pe cify the de s ire d value from the lis t of command options . 7.4.2. Verif ying Your Capsule Server Inst allat ion If the configuration is s ucce s s ful, run this command as the root us e r on the Sate llite Caps ule Se rve r: # echo $? This command s hould re turn a "0" to indicate s ucce s s . If it doe s not, che ck the /var/log/katello-installer/capsule-installer.log file to de bug the caus e of failure . This log file contains the output ge ne rate d by the capsule-certs-generate and capsule-installer commands . The Sate llite Caps ule Se rve r s hould als o appe ar in the Sate llite Se rve r's Us e r Inte rface unde r Inf rast ruct ure → Capsules. 89 Ins t allat io n Guide No te If the ne w caps ule doe s not appe ar unde r Inf rast ruct ure → Capsules, you might have to as s ociate it with your organiz ation. Navigate to Administ er → Organizat io ns. On the Organizations page , the following me s s age indicate s an unas s igne d caps ule : Notice: There is 1 host with no organization assigned On the s ame page , s e le ct your organiz ation and pick the caps ule from the lis t on the Capsule tab. 7.5. Opt ional Configurat ion Opt ions The following s e ctions s how how to e nable additional configuration options for the Sate llite Caps ule Se rve r. 7.5.1. Conf iguring Red Hat Sat ellit e Capsule Server wit h a Cust om Server Cert if icat e Re d Hat Sate llite come s with a de fault ce rtificate authority (CA) us e d by both the s e rve r and clie nt SSL ce rtificate s for authe ntication of s ubs e rvice s . The s e rve r and clie nt ce rtificate s can be re place d with cus tom one s . For more information on cre ating cus tom ce rtificate s , s e e the Re d Hat Ente rpris e Linux 7 Se curity Guide . [8] Cus tom s e rve r and clie nt ce rtificate s may be imple me nte d e ithe r whe n the command capsule-certs-generate is firs t run or any time afte rward. If capsule-certs-generate has not be e n run be fore , s e e Proce dure 7.2, “To Se t a Cus tom Se rve r Ce rtificate Whe n Running caps ule -ce rts -ge ne rate for the Firs t Time :”, othe rwis e s e e Proce dure 7.3, “To Se t a Cus tom Se rve r Ce rtificate Afte r Running caps ule -ce rts -ge ne rate :”. Impo rtant Whe n us ing cus tom SSL ce rtificate s with chaine d trus ts or is s ue rs , include all ce rtificate s in the chain into a s ingle file and us e that file as the CA ce rtificate value to katello-installer parame te r --certs-server-ca-cert. It is important to concate nate the ce rtificate s in the right orde r s o that the trus t chain can be validate d. # cat 1st_ca.cert 2nd_ca.cert 3th_ca.cert > /root/sat_cert/ca.bundle # katello-installer --certs-server-ca-cert /root/sat_cert/ca.bundle --certs-update-server-ca The ce rtificate 's Common Name (CN) mus t match the fully qualifie d domain name of the s e rve r on which it is us e d. 90 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Impo rtant The ce rtificate 's Common Name (CN) mus t match the fully qualifie d domain name of the s e rve r on which it is us e d. Prerequisit es You mus t have the following file s : Cert if icat e f ile f o r t he Capsule Server. Caps ule ce rtificate s ge ne rate parame te r --server-cert. In this e xample , capsule.crt. Cert if icat e signing request f ile f o r t he Capsule Server. Caps ule ce rtificate s ge ne rate parame te r --server-cert-req. In this e xample , capsule.crt.req. Capsule Server's privat e key used t o sign t he cert if icat e. Caps ule ce rtificate s ge ne rate parame te r --server-key. In this e xample , capsule.key. CA cert if icat e. Caps ule ce rtificate s ge ne rate parame te r --server-ca-cert. In this e xample , e xample cacert.crt. Ot her capsule-cert s-generat e Paramet ers The parame te r --certs-tar s pe cifie s the name of the archive file to be output by the capsule-certs-generate. The parame te r --capsule-fqdn is the Sate llite Caps ule Se rve r's fully qualifie d domain name . Pro cedure 7.2. T o Set a Cust o m Server Cert if icat e When Running capsulecert s-generat e f o r t he First T ime: No te In this e xample the file s are s tore d in the dire ctory /root/sat_cert. Us ing an abs olute path in the root us e rs ' dire ctory provide s a fixe d location that is available to all us e rs who log in to the s e rve r with root pe rmis s ions . Be fore running this command, e ns ure the dire ctory alre ady e xis ts . 1. Run the following command on the Re d Hat Sate llite Se rve r to cre ate the ce rtificate s archive : # capsule-certs-generate \ --capsule-fqdn "capsule.example.com" \ --certs-tar /root/sat_cert/capsule.example.com-certs.tar \ --server-cert /root/sat_cert/capsule.crt \ 91 Ins t allat io n Guide --server-cert-req /root/sat_cert/capsule.crt.req \ --server-key /root/sat_cert/capsule.key \ --server-ca-cert /root/sat_cert/cacert.crt Whe re : --capsule-fqdn is the Sate llite Caps ule Se rve r's fully qualifie d domain name . Mandatory. --certs-tar is the name of the tar file to be ge ne rate d that contains the ce rtificate to be us e d by the Sate llite Caps ule ins talle r. --server-cert is the path to your ce rtificate , s igne d by your ce rtificate authority (or s e lf-s igne d). --server-cert-req is the path to your ce rtificate s igning re que s t file that was us e d to cre ate the ce rtificate . --server-key is the private ke y us e d to s ign the ce rtificate . --server-ca-cert is the path to the CA ce rtificate on this s ys te m. 2. Copy the ge ne rate d archive file , capsule.example.com-certs.tar, from the Sate llite Se rve r to the Sate llite Caps ule Se rve r. 3. On the Sate llite Caps ule Se rve r: a. Run the following commands to re gis te r your Sate llite Caps ule Se rve r to the Sate llite Se rve r: # rpm -Uvh http://satellite.example.redhat.com/pub/katelloca-consumer-latest.noarch.rpm # subscription-manager register --org "ACME_Corporation" -env [environment]/[content_view_name] No te The Sate llite Caps ule Se rve r mus t be as s igne d to an organiz ation, be caus e it re quire s an e nvironme nt to s ynchroniz e conte nt from the Sate llite Se rve r. Only organiz ations have e nvironme nts . As s igning a location is optional, but re comme nde d, to indicate proximity to the hos ts that the Sate llite Caps ule Se rve r is managing. b. De pe nding on the de s ire d Sate llite Caps ule Se rve r type , choos e one of the following options : A. Sat ellit e Capsule Server wit h co nt ent f unct io nalit y Run the following command on the Sate llite Caps ule Se rve r to e nable the cus tom ce rtificate . The s ignificant parame te r is --pulp="true", which indicate s that conte nt functionality is to be e nable d. # capsule-installer --pulp="true" \ --qpid-router="true" \ 92 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r --puppet="true" \ --puppetca="true" \ --reverse-proxy="true" \ --certs-tar "~/capsule.example.com-certs.tar" B. Sat ellit e Capsule Server wit ho ut co nt ent f unct io nalit y Run the following command on the Sate llite Caps ule Se rve r to e nable the cus tom ce rtificate . The s ignificant parame te r is --pulp="false", which indicate s that conte nt functionality is not to be e nable d. # capsule-installer --pulp="false" \ --qpid-router="false" \ --puppet="true" \ --puppetca="true" \ --reverse-proxy="true" \ --certs-tar "~/capsule.example.com-certs.tar" Pro cedure 7.3. T o Set a Cust o m Server Cert if icat e Af t er Running capsulecert s-generat e: Us ing cus tom s e rve r ce rtificate s for the Sate llite Se rve r me ans that the s ame cus tom s e rve r ce rtificate s ne e d to be de ploye d in the Sate llite Caps ule Se rve rs . Each Sate llite Caps ule Se rve r re quire s the following s te ps : 1. Run the following command as the root us e r on the Sate llite Se rve r to ge ne rate a ne w ce rtificate bas e d on your cus tom s e rve r ce rtificate : No te In this e xample the file s are s tore d in the dire ctory /root/sat_cert. Us ing an abs olute path in the root us e rs ' dire ctory provide s a fixe d location that is available to all us e rs who log in to the s e rve r with root pe rmis s ions . Be fore running this command, e ns ure the dire ctory alre ady e xis ts . # capsule-certs-generate \ --capsule-fqdn "capsule.example.com" \ --certs-tar /root/sat_cert/capsule-certs.tar \ --server-cert /root/sat_cert/capsule.crt \ --server-cert-req /root/sat_cert/capsule.crt.req \ --server-key /root/sat_cert/capsule.key \ --server-ca-cert /root/sat_cert/cacert.crt \ --certs-update-server 2. Copy the ge ne rate d archive file , capsule.example.com-certs.tar, from the Sate llite Se rve r to the Sate llite Caps ule hos t s ys te m. 3. On the Sate llite Caps ule Se rve r, re -run the capsule-installer command to re fre s h the ce rtificate s . De pe nding on the de s ire d Sate llite Caps ule Se rve r type , choos e one of the following options : A. Sat ellit e Capsule Server wit h co nt ent f unct io nalit y 93 Ins t allat io n Guide Run the following command on the Sate llite Caps ule Se rve r to re fre s h the ce rtificate s . The s ignificant parame te r is --pulp="true", which indicate s that conte nt functionality is to be e nable d. # capsule-installer --pulp="true" \ --qpid-router="true" \ --puppet="true" \ --puppetca="true" \ --reverse-proxy="true" \ --certs-tar "capsule.example.com-certs.tar" B. Sat ellit e Capsule Server wit ho ut co nt ent f unct io nalit y Run the following command on the Sate llite Caps ule Se rve r to re fre s h the ce rtificate s . The s ignificant parame te r is --pulp="false", which indicate s that conte nt functionality is not to be e nable d. # capsule-installer --pulp="false" \ --qpid-router="false" \ --puppet="true" \ --puppetca="true" \ --reverse-proxy="true" \ --certs-tar "capsule.example.com-certs.tar" 7.5.2. Using Power Management Feat ures on Managed Host s Whe n you e nable the baseboard management controller (BMC) module on the Caps ule Se rve r, you can us e powe r manage me nt commands on manage d hos ts us ing the intelligent platform management interface (IPMI) or a s imilar protocol. The BMC s e rvice on the s ate llite Caps ule Se rve r allows you to pe rform a range of powe r manage me nt tas ks . The unde rlying protocol for this fe ature is IPMI; als o re fe rre d to as the BMC function. IPMI us e s a s pe cial ne twork inte rface on the manage d hardware that is conne cte d to a de dicate d proce s s or that runs inde pe nde ntly of the hos t's CPUs . In many ins tance s the BMC functionality is built into chas s is -bas e d s ys te ms as part of chas s is manage me nt (a de dicate d module in the chas s is ). To take advantage of BMC fe ature s you ne e d to add a ne w ne twork inte rface of type "BMC" to e ach manage d hos t. IPMI inte rface s are ne arly always pas s word prote cte d, to pre ve nt unauthoriz e d pe ople on the s ame ne twork from gaining control of that hos t. Sate llite us e s this NIC to pas s the appropriate cre de ntials to the hos t. Re d Hat Sate llite s upports by e xte ns ion e ve rything that e ithe r ipmitool or freeipmi BMC provide rs s upport. You can s witch be twe e n the two pe r caps ule . Note that diffe re nt hardware ve ndors might not imple me nt all IPMI s pe cifications , bugs , and s o on. 7.5.2.1. Inst alling a Capsule Server wit h BMC Opt ions This s e ction s hows how to e nable the BMC module as part of the Caps ule Se rve r ins tallation proce s s . Prerequisit es 94 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Have a baseboard management controller (BMC) provide r s e t up for your de ployme nt of Caps ule Se rve r. To add BMC functionality, you will ne e d to appe nd the options to the capsule-installer. You are re quire d to choos e e ithe r a Caps ule Se rve r with conte nt functionality or one without. Se e Se ction 7.4.1, “Ins talling a Caps ule Se rve r” for more information. Appe nd the following line s to the command in e ach option: --bmc "enabled"\ --bmc_default_provider "freeipmi" For e xample : For Caps ule Se rve r Ins tallations with conte nt functionality: # capsule-installer --pulp=true --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --qpid-router=true\ --puppet=true\ --puppetca=true\ --reverse-proxy=true\ --bmc "enabled"\ --bmc_default_provider "freeipmi" For Caps ule Se rve r Ins tallations without conte nt functionality: # capsule-installer --pulp=false --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --certs-tar "~/capsule.example.com-certs.tar"\ --qpid-router=false\ --puppet=true\ --puppetca=true\ --reverse-proxy=true For more information and how to configure a BMC inte rface , s e e To Add a BMC Inte rface in the Re d Hat Sate llite 6.1 Us e r Guide . 7.5.3. Provisioning Opt ions f or Capsule Server The re are s e ve ral options that provide provis ioning s e rvice s s uch as TFTP, DHCP, DNS and Re alm that can be adde d to e ithe r type of Caps ule Se rve r. For a full lis t of options , us e the command: # capsule-installer --help He re is an e xample of ins talling a caps ule s e rve r with full provis ioning s e rvice s : # capsule-installer --tftp=true\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ 95 Ins t allat io n Guide --certs-tar "~/capsule.example.com-certs.tar"\ --templates=true\ --dhcp=true\ --dhcp-gateway=192.168.122.1\ --dhcp-nameservers=192.168.122.1\ --dhcp-range="192.168.122.100 192.168.122.200"\ --dhcp-interface=eth0\ --dns=true\ --dns-forwarders=8.8.8.8\ --dns-interface=eth0\ --dns-zone=example.com Ens ure the dns-interface argume nt is s e t with the corre ct ne twork inte rface name for the DNS s e rve r to lis te n on. Als o e ns ure that the dhcp-interface argume nt is s e t corre ctly with the inte rface name for the DHCP s e rve r. Afte r configuration, cre ate a s ubne t on the Sate llite s e rve r unde r Inf rast ruct ure → Subnet s for the Caps ule which re gis te rs automatically. No te While it is pos s ible to de fine the s ame DHCP range with the caps ule -ins talle r command and in the Sate llite GUI, it is a good practice to make the s e range s dis joint. In the Sate llite GUI, s e le ct a range from outs ide the pool de fine d with caps ule -ins talle r, but s till in the range de fine d on the s ubne t. For the e xample above , it is re comme nde d to de fine the DHCP range from 192.168.122.1 to 192.168.122.99 in the Sate llite GUI which give s the following IP addre s s dis tribution: 192.168.122.1 to 192.168.122.99 (reservation pool) are addre s s e s re s e rve d during bare -me tal provis ioning by Sate llite . 192.168.122.100 to 192.168.122.200 (lease pool) are addre s s e s re s e rve d for dynamic clie nts in the s ubne t (dis cove re d hos ts and unmanage d hos ts ). It is pos s ible to ins tall a Sate llite Caps ule without ins talling DNS and DHCP s e rvice s on the s ame s e rve r. Ins te ad you can configure the Sate llite Caps ule to us e e xte rnal DNS and DHCP s e rvice s as de s cribe d in Se ction 7.9, “Configuring Sate llite 6 with Exte rnal Se rvice s ”. Alte rnative ly, you can manually allocate s pe cific IP addre s s e s to hos t name s or MAC addre s s e s , s e e the DHCP chapte r in the Re d Hat Ente rpris e Linux 7 Ne tworking Guide [9] . 7.6. Adding Life Cycle Environment s t o a Red Hat Sat ellit e Capsule Server If the ne wly cre ate d Re d Hat Sate llite Caps ule Se rve r has conte nt functionality e nable d, the Sate llite Caps ule Se rve r ne e ds an e nvironme nt adde d to the Sate llite Caps ule Se rve r. Adding an e nvironme nt to the Re d Hat Sate llite Caps ule Se rve r will allow the Sate llite Caps ule Se rve r to s ynchroniz e conte nt from the Sate llite Se rve r and provide conte nt to hos t s ys te ms . 96 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Impo rtant The Sate llite Caps ule Se rve r is configure d through the Sate llite Se rve r's command line inte rface (CLI). Exe cute all hammer commands on the Sate llite Se rve r. Pro cedure 7.4. T o Add Enviro nment s t o t he Sat ellit e Capsule Server: 1. Log in to the Sate llite Se rve r CLI as root. 2. Choos e the de s ire d Re d Hat Sate llite Caps ule Se rve r from the lis t and take note of its id: # hammer capsule list The Sate llite Caps ule Se rve r's de tails can be ve rifie d us ing the command: # hammer capsule info --id capsule_id_number 3. Ve rify the lis t of life cycle e nvironme nts available for the Re d Hat Caps ule Se rve r and note down the environment id: # hammer capsule content available-lifecycle-environments --id capsule_id_number Whe re : available-lifecycle-environments are life cycle e nvironme nts that are available to the Sate llite Caps ule but are curre ntly not attache d to the Sate llite Caps ule . 4. Add the life cycle e nvironme nt to the Sate llite Caps ule Se rve r: # hammer capsule content add-lifecycle-environment --id capsule_id_number --environment-id environment_id_number Whe re : capsule_id_number s tands for the Sate llite Caps ule Se rve r's ide ntification numbe r. environment_id_number s tands for the life cycle e nvironme nt's ide ntification numbe r. Re pe at this s te p for e ve ry life cycle e nvironme nt to be adde d to the Caps ule Se rve r. 5. Synchroniz e the conte nt from the Sate llite Se rve r's e nvironme nt to the Sate llite Caps ule Se rve r: # hammer capsule content synchronize --id capsule_id_number Whe n an e xte rnal Sate llite Caps ule Se rve r has various life cycle e nvironme nts , and only one life cycle e nvironme nt ne e ds to be s ynchroniz e d, it is pos s ible to targe t a s pe cific e nvironme nt by s pe cifying the e nvironme nt ide ntification: 97 Ins t allat io n Guide # hammer capsule content synchronize --id external_capsule_id_number --environment-id environment_id_number 7.7. Removing Life Cycle Environment s from t he Red Hat Sat ellit e Capsule Server The re are multiple re as ons to re move life cycle e nvironme nts from the Re d Hat Sate llite Caps ule Se rve r. For e xample : Whe n life cycle e nvironme nts are no longe r re le vant to the hos t s ys te ms Whe n life cycle e nvironme nts have be e n incorre ctly adde d to the Sate llite Caps ule Se rve r Pro cedure 7.5. T o remo ve a lif e cycle enviro nment f ro m t he Sat ellit e Capsule Server: 1. Log in to the Sate llite Se rve r CLI as the root us e r. 2. Choos e the de s ire d Re d Hat Sate llite Caps ule Se rve r from the lis t and take note of its id: # hammer capsule list The Sate llite Caps ule Se rve r's de tails can be ve rifie d us ing the command: # hammer capsule info --id capsule_id_number 3. Ve rify the lis t of life cycle e nvironme nts curre ntly attache d to the Re d Hat Caps ule Se rve r and take note of the environment id: # hammer capsule content lifecycle-environments --id capsule_id_number 4. Re move the life cycle e nvironme nt from the Sate llite Caps ule Se rve r: # hammer capsule content remove-lifecycle-environment --id capsule_id_number --environment-id environment_id Whe re : capsule_id_number is the Sate llite Caps ule Se rve r's ide ntification numbe r. environment_id is the life cycle e nvironme nt's ide ntification numbe r. Re pe at this s te p for e ve ry life cycle e nvironme nt to be re move d from the Caps ule Se rve r. 5. Synchroniz e the conte nt from the Sate llite Se rve r's e nvironme nt to the Sate llite Caps ule Se rve r: # hammer capsule content synchronize --id capsule_id_number 98 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r 7.8. Regist ering Host Syst ems t o a Red Hat Sat ellit e Capsule Server Prerequisit es The clie nt s ys te m mus t be configure d for re gis tration. Se e the following chapte rs in the Re d Hat Sate llite 6.1 Us e r Guide for information about configuring a clie nt to re gis te r with a Re d Hat Sate llite Caps ule : Configuring Hosts Configuring Activation Keys Ens ure the Sate llite tools re pos itory appropriate to the hos t to be re gis te re d is e nable d and s ynchroniz e d. If re quire d, s e e Proce dure 8.3, “Enable Ne w Re d Hat Re pos itorie s ” and Se ction 4.1.3, “Synchroniz ing Conte nt”. Re gis te r s ys te ms to a Sate llite Caps ule as follows : Pro cedure 7.6. Regist ering Ho st Syst ems t o t he Capsule Server 1. In the we b UI, s e le ct Ho st s → Co nt ent Ho st s and the n click Register Content Host. 2. Choos e the re quire d Caps ule Se rve r in the Content Source drop-down lis t. 3. Conne ct to the hos t and ins tall the boots trap RPM: # rpm -Uvh http://capsule.example.com/pub/katello-ca-consumerlatest.noarch.rpm Whe re capsule.example.com is the hos t name of the Caps ule to be us e d as the conte nt s ource . If the Sate llite Se rve r's inte grate d Caps ule is to be us e d, the n us e the Sate llite Se rve r's hos t name . 4. Run subscription-manager in a cons ole on the clie nt hos t. a. You can us e an Activation Ke y to re gis te r: # subscription-manager register --org=organization_label -activationkey="activation_key" b. Alte rnative ly: authe nticate with a us e r name and pas s word: # subscription-manager register --org=organization_label -environment="Library" and attach a s ubs cription: # subscription-manager list --available --all # subscription-manager attach --pool=pool_ID 99 Ins t allat io n Guide 5. Enable the Sate llite tools re pos itory: # subscription-manager repos --enable=rhel-version-serversatellite-tools-6.1-rpms Re place version with 6 or 7 de pe nding on the Re d Hat Ente rpris e Linux ve rs ion you are us ing. 6. Enable any additional re pos itorie s re quire d for this hos t: # subscription-manager repos --enable=repository-to-be-enabled 7. Ins tall katello-agent for re mote actions and dis playing e rrata information: # yum install katello-agent Your conte nt hos t is now re gis te re d to a Sate llite Caps ule Se rve r. 7.9. Configuring Sat ellit e 6 wit h Ext ernal Services By de fault, the Caps ule ins talle r ins talls and configure s the TFTP s e rvice available in Re d Hat Ente rpris e Linux. It can optionally ins tall DNS and DHCP s e rvice s . If re quire d to us e Caps ule with e xte rnal s e rvice s , pre ve nt ins tallation of the unwante d s e rvice s by running the ins talle r with the re le vant options s e t to false. Example 7.1. Inst alling Capsule Wit ho ut Services To ins tall Caps ule without the de fault ins tallation of TFTP, e nte r a command as follows : # katello-installer \ --capsule-tftp true If Caps ule has alre ady be e n ins talle d, e xe cute the ins talle r again with the re le vant options s e t to false to re s e t the configuration file s back to the de s ire d s tate . This will not unins tall the package s for the s e rvice s , s uch as bind or tftp-server. If re quire d, unins tall the unus e d package s manually. Example 7.2. Reinst alling Capsule Wit ho ut Services To ins tall Caps ule without ins talling DNS, DHCP, and TFTP, e nte r a command as follows : # katello-installer \ --capsule-dns false \ --capsule-dns-managed false \ --capsule-dhcp false \ --capsule-dhcp-managed false \ --foreman-proxy-tftp false 100 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Impo rtant The s e proce dure s we re writte n and te s te d for Re d Hat Ente rpris e Linux 7.1. The y are bas e d on the us e of NFSv3. The proce dure s s hould work for othe r re le as e s , s uch as Re d Hat Ente rpris e Linux 6 or Re d Hat Ente rpris e Linux 7.0, but note the re may be diffe re nce s in NFS e xporting. Se e the Re d Hat Ente rpris e Linux 7 Storage Adminis tration Guide and Re d Hat Ente rpris e Linux 6 Storage Adminis tration Guide for more information on e xporting file s ys te ms us ing NFS. In the e xample configurations be low, the s ubne t is 192.168.38.0/24, the domain is calle d virtual.lan, the s e rve r for the e xte rnal s e rvice s is 192.168.38.2/24, and the Caps ule Se rve r is at 192.168.38.1/24. 7.9.1. Conf iguring an Ext ernal DNS Service De ploy a Re d Hat Ente rpris e Linux Se rve r (the re comme nde d and te s te d ve rs ion is Re d Hat Ente rpris e Linux 7.1) and ins tall the ISC DNS s e rvice (package s bind and bind-utils are re quire d): # yum install bind bind-utils Pro cedure 7.7. Co nf iguring t he Ext ernal DNS Server Configure the e xte rnal DNS s e rve r as follows : 1. Cre ate the configuration for the domain with a configuration s imilar to the following: # cat /etc/named.conf include "/etc/rndc.key"; controls { inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; }; }; options { directory "/var/named"; forwarders { 8.8.8.8; 8.8.4.4; }; }; include "/etc/named.rfc1912.zones"; zone "38.168.192.in-addr.arpa" IN { type master; file "dynamic/38.168.192-rev"; update-policy { grant "capsule" zonesub ANY; }; }; zone "virtual.lan" IN { type master; file "dynamic/virtual.lan"; 101 Ins t allat io n Guide update-policy { grant "capsule" zonesub ANY; }; }; Note that the inet line mus t be e nte re d as one line in the configuration file . The e xample above configure s a domain virtual.lan as one s ubne t 192.168.38.0/24, a s e curity ke y name d foreman, and s e ts forwarde rs to Google 's public DNS addre s s e s (8.8.8.8 and 8.8.4.4). 2. Cre ate a ke y file : # ddns-confgen -k capsule The above command can take a long time as the program is re ading a ps e udo random de vice . For te s ting or proof-of-conce pt de ployme nts , an ins e cure nonblocking de vice can be us e d as follows : # ddns-confgen -k capsule -r /dev/urandom 3. The above command will print the ke y s e ction with s ome ins tructions as comme nts . Copy and pas te the ke y s e ction into a s e parate file name d /etc/rndc.key, which is include d by a s tate me nt in named.conf, s o that the file looks as follows : # cat /etc/rndc.key key "capsule" { algorithm hmac-sha256; secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw="; }; This is the s e cre t ke y that is us e d to change DNS s e rve r configuration, ke e p it s afe and make s ure only root can re ad and write it. This file will be copie d ove r to Caps ule s e rve r in a late r s te p. 4. Cre ate z one file s as follows : # cat /var/named/dynamic/virtual.lan $ORIGIN . $TTL 10800 ; 3 hours virtual.lan IN SOA service.virtual.lan. root.virtual.lan. ( 9 ; serial 86400 ; refresh (1 day) 3600 ; retry (1 hour) 604800 ; expire (1 week) 3600 ; minimum (1 hour) ) NS service.virtual.lan. $ORIGIN virtual.lan. $TTL 86400 ; 1 day capsule A 192.168.38.1 service A 192.168.38.2 5. Cre ate the re ve rs e z one file : 102 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r # cat /var/named/dynamic/38.168.192-rev $ORIGIN . $TTL 10800 ; 3 hours 38.168.192.in-addr.arpa IN SOA service.virtual.lan. root.38.168.192.in-addr.arpa. ( 4 ; serial 86400 ; refresh (1 day) 3600 ; retry (1 hour) 604800 ; expire (1 week) 3600 ; minimum (1 hour) ) NS service.virtual.lan. $ORIGIN 38.168.192.in-addr.arpa. $TTL 86400 ; 1 day 1 PTR capsule.virtual.lan. 2 PTR service.virtual.lan. Impo rtant Make s ure the re are no e xtra non-US-ASCII characte rs as BIND is s e ns itive to this . Pro cedure 7.8. T est ing and St art ing t he DNS Service To te s t the configuration and s tart the DNS s e rvice , proce e d as follows : 1. Validate the s yntax as follows : # named-checkconf -z /etc/named.conf 2. Start the s e rve r: On Re d Hat Ente rpris e Linux 7: # systemctl restart named On Re d Hat Ente rpris e Linux 6: # service named restart 3. Try to add a ne w hos t dynamically: # echo -e "server 192.168.38.2\n \ update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \ send\n" | nsupdate -k /etc/rndc.key 4. Te s t that the DNS s e rvice can re s olve the ne w hos t adde d in the pre vious s te p: # nslookup aaa.virtual.lan 192.168.38.2 5. If re quire d, de le te the ne w e ntry: 103 Ins t allat io n Guide # echo -e "server 192.168.38.2\n \ update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \ send\n" | nsupdate -k /etc/rndc.key 6. Configure the fire wall for e xte rnal acce s s to the DNS s e rvice (UDP and TCP on port 53): On a Re d Hat Ente rpris e Linux 6 Sate llite , e xe cute as root: # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \ && iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on On a Re d Hat Ente rpris e Linux 7 Sate llite , e xe cute as root: # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \ && firewall-cmd --permanent --add-port="53/udp" --addport="53/tcp" Pro cedure 7.9. Co nf iguring a Capsule Server t o Use an Ext ernal DNS Service To configure a Caps ule Se rve r to us e an e xte rnal DNS s e rvice , proce e d as follows : 1. Ens ure that the nsupdat e utility, from the bind-utils package , is ins talle d: # yum install bind-utils 2. Copy the /etc/rndc.key file from the s e rvice s s e rve r to the Caps ule Se rve r. For e xample : On the s e rvice s s e rve r: scp localfile username@hostname:remotefile Alte rnative ly, on the Caps ule Se rve r: scp username@hostname:remotefile localfile 3. Make s ure the ke y file has the corre ct owne r, pe rmis s ions , and SELinux labe l: # ls /etc/rndc.key -Zla -rw-r-----. root named system_u:object_r:dnssec_t:s0 /etc/rndc.key 4. The Caps ule us e s the nsupdat e utility to update DNS re cords on the re mote s e rve r. Be fore configuring it, te s t adding one additional hos t re mote ly as follows : 104 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r # echo -e "server 192.168.38.2\n \ update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \ send\n" | nsupdate -k /etc/rndc.key # nslookup aaa.virtual.lan 192.168.38.2 # echo -e "server 192.168.38.2\n \ update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \ send\n" | nsupdate -k /etc/rndc.key 5. Edit /etc/foreman-proxy/settings.d/dns.yml file and e nable the s mart-proxy module s e tting provide r to be nsupdate, add addre s s to the DNS s e rve r (dns_server option) and s e t the de fault time to live for re cords cre ate d by this Caps ule (dns_ttl). For e xample : --:enabled: true :dns_provider: nsupdate :dns_key: /etc/rndc.key :dns_server: 192.168.38.2 :dns_ttl: 86400 No te The configuration file is in YAML format, the thre e das h characte rs on the firs t line are re quire d. 6. Re s tart fore man-proxy s e rvice : On Re d Hat Ente rpris e Linux 7: # systemctl restart foreman-proxy On Re d Hat Ente rpris e Linux 6: # service foreman-proxy restart 7. Vie w the Sate llite Se rve r GUI in your brows e r; https://satellite_host.example.com. 8. Se le ct Inf rast ruct ure → Capsules. Locate the Caps ule be ing configure d and s e le ct Ref resh f eat ures from the drop-down lis t. The DNS fe ature s hould appe ar. 9. Se le ct Inf rast ruct ure → Capsules and as s ociate the DNS s e rvice with the appropriate s ubne ts and domain. 7.9.2. Conf iguring an Ext ernal DHCP Service De ploy a Re d Hat Ente rpris e Linux Se rve r (the re comme nde d and te s te d ve rs ion is Re d Hat Ente rpris e Linux 7.1) and ins tall the ISC DHCP s e rve r package dhcp. # yum install dhcp 105 Ins t allat io n Guide Pro cedure 7.10 . Co nf iguring t he Ext ernal DHCP Server Configure the e xte rnal DHCP s e rve r as follows : 1. Ge ne rate a s e curity toke n in an e mpty dire ctory as follows : # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key The above command can take a long time , for le s s -s e cure proof-of-conce pt de ployme nts you can us e a non-blocking random numbe r ge ne rator: # dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key This will cre ate the ke y pair in two file s in the curre nt dire ctory. 2. Copy the s e cre t has h from the ke y: # cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2 3. Edit the dhcpd configuration file for all the s ubne ts , and add the s e cre t ke y from the pre vious s te p: # cat /etc/dhcp/dhcpd.conf default-lease-time 604800; max-lease-time 2592000; log-facility local7; subnet 192.168.38.0 netmask 255.255.255.0 { range 192.168.38.10 192.168.38.100; option routers 192.168.38.1; option subnet-mask 255.255.255.0; option domain-search "virtual.lan"; option domain-name "virtual.lan"; option domain-name-servers 8.8.8.8; } omapi-port 7911; key omapi_key { algorithm HMAC-MD5; secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw=="; }; omapi-key omapi_key; 4. De le te the two ke y file s from the dire ctory whe re you cre ate d the m. 5. For e ach s ubne t de fine d (192.168.38.0 in this e xample ) de fine Subnet on the Sate llite s e rve r. It is re comme nde d to s e t up a le as e range and re s e rvation range s e parate ly to pre ve nt conflicts . In this e xample , the le as e range is 192.168.38.10 to 192.168.38.100 s o the re s e rvation range (de fine d in Sate llite GUI) would be 192.168.38.101 to 192.168.38.250. Do not s e t DHCP Capsule for the de fine d Subnet ye t. Note that ISC DHCP lis te ns only on inte rface s that match de fine d s ubne ts . In this e xample , the s e rve r has an inte rface that route s to 192.168.38.0 s ubne t dire ctly. 106 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r 6. Configure the fire wall for e xte rnal acce s s to the DHCP s e rvice : On a Re d Hat Ente rpris e Linux 7: # firewall-cmd --add-service dhcp \ && firewall-cmd --permanent --add-service dhcp On a Re d Hat Ente rpris e Linux 6: # iptables -A INPUT -m state --state NEW -p tcp --dport 67 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on 7. Configuration file s are re ad by foreman-proxy us e r, firs t de te rmine the UID and GID numbe rs of the foreman-proxy us e r on the Caps ule Se rve r, the n cre ate the s ame us e r and group with s ame IDs on this s e rve r: # groupadd -g 990 foreman-proxy # useradd -u 992 -g 990 -s /sbin/nologin foreman-proxy 8. Configuration file s mus t be re adable for this us e r. Re ce nt dhcp package update s re move d re ad and e xe cute flags from the configuration dire ctory which pre ve nts that. To re s tore the re quire d flags and pre ve nt this change in be havior on the ne xt package update , e nte r the following commands : # chmod o+rx /etc/dhcp/ # chmod o+r /etc/dhcp/dhcpd.conf # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf 9. Start the DHCP s e rvice : On Re d Hat Ente rpris e Linux 7: # systemctl start dhcpd On Re d Hat Ente rpris e Linux 6: # service dhcpd start 10. Export DHCP configuration and le as e s file us ing NFS, s o that the Caps ule Se rve r can re ad it: # yum install nfs-utils # systemctl enable rpcbind nfs-server # systemctl start rpcbind nfs-server nfs-lock nfs-idmapd 11. Cre ate the DHCP configuration and le as e s file s to be e xporte d us ing NFS: 107 Ins t allat io n Guide # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp 12. Add the ne wly cre ate d mount point to /etc/fstab file : /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 /etc/dhcp /exports/etc/dhcp none bind,auto 0 0 13. Mount the file s ys te ms in /etc/fstab: # mount -a 14. Ens ure the following line s are pre s e nt in /etc/exports: /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) 15. Re load the NFS s e rve r: # exportfs -rva 16. Configure the fire wall for the DHCP omapi port 7911 for the Caps ule Se rve r: On a Re d Hat Ente rpris e Linux 7: # firewall-cmd --add-port="7911/tcp" \ && firewall-cmd --permanent --add-port="7911/tcp" On a Re d Hat Ente rpris e Linux 6: # iptables -A INPUT -m state --state NEW -p tcp --dport 7911 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on 17. This s te p is common to both the DHCP and TFTP proce dure s and ne e d only be carrie d out once pe r s ys te m. If re quire d, follow this s te p to configure the fire wall for e xte rnal acce s s to the NFS s e rvice . 108 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r No te In this guide the clie nts are configure d to us e NFSv3 and this s te p is the re fore NFSv3 s pe cific. On Re d Hat Ente rpris e Linux 7: It is re comme nde d to us e firewalld dae mon's NFS s e rvice option be caus e NFS us e s multiple ports to initiate conne ctions . To do s o, e nte r the following commands : # && && && && \ && firewall-cmd firewall-cmd firewall-cmd firewall-cmd firewall-cmd --zone public --add-service mountd \ --zone public --add-service rpc-bind \ --zone public --add-service nfs \ --permanent --zone public --add-service mountd \ --permanent --zone public --add-service rpc-bind firewall-cmd --permanent --zone public --add-service nfs For additional information on us ing NFSv3 be hind a fire wall on Re d Hat Ente rpris e Linux 7, s e e the “Running NFS Be hind a Fire wall” s e ction in the Re d Hat Ente rpris e Linux 7 Storage Adminis tration Guide and the “Se curing NFS” s e ction in the Re d Hat Ente rpris e Linux 7 Se curity Guide . On Re d Hat Ente rpris e Linux 6: Configure ports for NFSv3 in the /etc/sysconfig/nfs file as follows : LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 MOUNTD_PORT=892 RQUOTAD_PORT=875 STATD_PORT=662 STATD_OUTGOING_PORT=2020 Re s tart the s e rvice for the change s to take e ffe ct: # service nfs restart Add the following rule s to the /etc/sysconfig/iptables file by e nte ring commands as follows : # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p 109 Ins t allat io n Guide udp --dport 32769 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 892 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 892 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 875 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 875 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 662 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 662 -j ACCEPT \ && service iptables save -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p Re s tart the fire wall for the change s to take e ffe ct: # service iptables restart For additional information on us ing NFSv3 be hind a fire wall on Re d Hat Ente rpris e Linux 6, s e e the Re d Hat Ente rpris e Linux 6 Storage Adminis tration Guide and the “Running NFS Be hind a Fire wall” s e ction in the “Se curing NFS” s e ction in the Re d Hat Ente rpris e Linux 6 Se curity Guide . Pro cedure 7.11. Co nf iguring a Capsule Server t o Use an Ext ernal DHCP Service To configure a Caps ule Se rve r to us e an e xte rnal DHCP s e rvice , proce e d as follows : 1. Ins tall the NFS clie nt: # yum install nfs-utils 2. Cre ate the DHCP dire ctorie s to pre pare for NFS: # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd 3. Change the file owne r as follows : # chown -R foreman-proxy /mnt/nfs 4. Try to re ach the NFS s e rve r and ve rify RPC communication paths : # showmount -e 192.168.38.2 # rpcinfo -p 192.168.38.2 5. Add the s e t wo line s to the /etc/fstab file : 192.168.38.2:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t: s0" 0 0 110 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r 192.168.38.2:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state _t:s0" 0 0 6. Mount the file s ys te ms in /etc/fstab: # mount -a 7. Try to re ad the re le vant file s : # su foreman-proxy -s /bin/bash bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases bash-4.2$ exit In cas e of proble ms , inve s tigate the NFS configuration, logs , and fire wall rule s . 8. On the Caps ule Se rve r, e dit /etc/foreman-proxy/settings.d/dhcp.yml as follows . As this is YAML s yntax, ke e p the ope ning thre e das h characte rs : --:enabled: true :dhcp_vendor: isc :dhcp_config: /mnt/nfs/etc/dhcp/dhcpd.conf :dhcp_leases: /mnt/nfs/var/lib/dhcpd/dhcpd.leases :dhcp_key_name: omapi_key :dhcp_key_secret: jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== :dhcp_server: dhcp.example.com Ens ure the dhcp_key_secret value is corre ctly e nte re d without quote s . The trailing = characte r is optional. 9. Re s tart the proxy: On Re d Hat Ente rpris e Linux 7: # systemctl restart foreman-proxy On Re d Hat Ente rpris e Linux 6: # service foreman-proxy restart 10. Vie w the Sate llite Se rve r GUI in your brows e r; https://satellite_host.example.com. 11. Se le ct Inf rast ruct ure → Capsules. Locate the Caps ule and s e le ct Ref resh f eat ures from the drop-down lis t. The DHCP fe ature s hould appe ar. 12. Se le ct Inf rast ruct ure → Capsules and as s ociate the DHCP s e rvice with the appropriate s ubne ts and domain. 7.9.3. Conf iguring an Ext ernal T FT P Service 111 Ins t allat io n Guide De ploy a Re d Hat Ente rpris e Linux Se rve r (the re comme nde d and te s te d ve rs ion is Re d Hat Ente rpris e Linux 7.1). Pro cedure 7.12. Co nf iguring t he T FT P Server Configure the e xte rnal TFTP s e rve r as follows : 1. Ins tall and e nable the TFTP s e rve r: # yum install tftp-server syslinux On Re d Hat Ente rpris e Linux 7, e nable and activate the tftp.socket unit: # systemctl enable tftp.socket # systemctl start tftp.socket On Re d Hat Ente rpris e Linux 6, e nable and s tart the xinetd s e rvice : # service xinetd enable # service xinetd start 2. Configure the PXELinux e nvironme nt as follows : # mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg} # chown foreman-proxy /var/lib/tftpboot/{boot,pxelinux.cfg} # cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} /var/lib/tftpboot/ 3. Cre ate the TFTP dire ctory to be e xporte d us ing NFS: # mkdir -p /exports/var/lib/tftpboot 4. Add the ne wly cre ate d mount point to the /etc/fstab file : /var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0 5. Mount the file s ys te ms in /etc/fstab: # mount -a 6. Ens ure the following line s are pre s e nt in /etc/exports: /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide) The firs t line is common to the DHCP configuration and the re fore s hould alre ady be pre s e nt if the pre vious proce dure was comple te d on this s ys te m. 7. Re load the NFS s e rve r: 112 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r # exportfs -rva 8. This s te p is common to both the DHCP and TFTP proce dure s and ne e d only be carrie d out once pe r s ys te m. If re quire d, follow this s te p to configure the fire wall for e xte rnal acce s s to the NFS s e rvice . No te In this guide the clie nts are configure d to us e NFSv3 and this s te p is the re fore NFSv3 s pe cific. On Re d Hat Ente rpris e Linux 7: It is re comme nde d to us e firewalld dae mon's NFS s e rvice option be caus e NFS us e s multiple ports to initiate conne ctions . To do s o, e nte r the following commands : # && && && && \ && firewall-cmd firewall-cmd firewall-cmd firewall-cmd firewall-cmd --zone public --add-service mountd \ --zone public --add-service rpc-bind \ --zone public --add-service nfs \ --permanent --zone public --add-service mountd \ --permanent --zone public --add-service rpc-bind firewall-cmd --permanent --zone public --add-service nfs For additional information on us ing NFSv3 be hind a fire wall on Re d Hat Ente rpris e Linux 7, s e e the “Running NFS Be hind a Fire wall” s e ction in the Re d Hat Ente rpris e Linux 7 Storage Adminis tration Guide and the “Se curing NFS” s e ction in the Re d Hat Ente rpris e Linux 7 Se curity Guide . On Re d Hat Ente rpris e Linux 6: Configure ports for NFSv3 in the /etc/sysconfig/nfs file as follows : LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 MOUNTD_PORT=892 RQUOTAD_PORT=875 STATD_PORT=662 STATD_OUTGOING_PORT=2020 Re s tart the s e rvice for the change s to take e ffe ct: # service nfs restart Add the following rule s to the /etc/sysconfig/iptables file by e nte ring commands as follows : # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p 113 Ins t allat io n Guide udp --dport 2049 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 2049 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 32803 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 32769 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 892 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 892 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 875 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 875 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 udp --dport 662 -j ACCEPT \ && iptables -A INPUT -s 192.168.1.0/24 tcp --dport 662 -j ACCEPT \ && service iptables save -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p -m state --state NEW -p Re s tart the fire wall for the change s to take e ffe ct: # service iptables restart For additional information on us ing NFSv3 be hind a fire wall on Re d Hat Ente rpris e Linux 6, s e e the Re d Hat Ente rpris e Linux 6 Storage Adminis tration Guide and the “Running NFS Be hind a Fire wall” s e ction in the “Se curing NFS” s e ction in the Re d Hat Ente rpris e Linux 6 Se curity Guide . Pro cedure 7.13. Co nf igure t he Firewall f o r Ext ernal access t o t he T FT P service 1. Configure the fire wall for e xte rnal acce s s to the TFTP s e rvice (UDP on port 69): On a Re d Hat Ente rpris e Linux 7: # firewall-cmd --add-port="69/udp" \ && firewall-cmd --permanent --add-port="69/udp" On a Re d Hat Ente rpris e Linux 6: # iptables -A INPUT -m state --state NEW -p tcp --dport 69 -j ACCEPT \ && service iptables save Make s ure the iptables s e rvice is s tarte d and e nable d: # service iptables start # chkconfig iptables on 2. Re s tore SELinux file conte xts : # restorecon -RvF /var/lib/tftpboot/ 114 C hapt e r 7. Ins t alling Re d Hat Sat e llit e Caps ule Se r ve r Pro cedure 7.14. Co nf iguring a Capsule Server t o Use an Ext ernal T FT P Service To configure a Caps ule Se rve r to us e an e xte rnal TFTP s e rvice , proce e d as follows : 1. Cre ate the TFTP dire ctory to pre pare for NFS: # mkdir -p /mnt/nfs/var/lib/tftpboot 2. Add the ne wly cre ate d mount point to the /etc/fstab file : /mnt/nfs/var/lib/tftpboot /exports/mnt/nfs/var/lib/tftpboot none bind,auto 0 0 3. Mount the file s ys te ms in /etc/fstab: # mount -a 4. In the /etc/fstab, add a line as follows : 192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_ t:s0" 0 0 5. To e nable TFTP s upport in fore man-proxy, e dit /usr/share/foremanproxy/config/settings.d/tftp.yml file : :enabled: true :tftproot: /mnt/nfs/var/lib/tftpboot If the TFTP s e rvice is running on a diffe re nt s e rve r than the DHCP s e rvice , us e the tftp_servername s e tting to s e tup the IP addre s s of that s e rve r. 6. Vie w the Sate llite Se rve r GUI in your brows e r; https://satellite_host.example.com. 7. Se le ct Inf rast ruct ure → Capsules in the us e r inte rface . Locate the Caps ule and s e le ct Ref resh f eat ures from the drop-down lis t. The TFTP fe ature s hould appe ar. 8. Se le ct Inf rast ruct ure → Capsules and as s ociate the TFTP s e rvice with the appropriate s ubne ts and domain. [8] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/7/htm l/Security_Guide/sec-Using_O penSSL.htm l [9] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/7/htm l/Networking_Guide/ 115 Ins t allat io n Guide Chapt er 8. Upgrading Red Hat Sat ellit e Server and Capsule Server The Sate llite Se rve r and Caps ule Se rve rs are upgrade d inde pe nde ntly. Upgrade the Sate llite s e rve r firs t, and the n upgrade any Caps ule s . Sate llite 6.0 Caps ule s are not compatible with Sate llite 6.1, and mus t be upgrade d be fore atte mpting to s ynchroniz e any re pos itorie s . You mus t als o manually upgrade Sate llite clie nts to the ne w ve rs ion of kate llo-age nt afte r upgrading the Se rve r and Caps ule s . Impo rtant The Re d Hat Sate llite s e rve r and Caps ule s e rve r ve rs ions mus t match. For e xample , a Sate llite 6.0 s e rve r cannot run a 6.1 Caps ule s e rve r and a Sate llite 6.1 s e rve r cannot run a 6.0 Caps ule s e rve r. Mis matching Sate llite s e rve r and Caps ule s e rve r ve rs ions will re s ult in the Caps ule s e rve r failing s ile ntly. Supporte d upgrade paths for Sate llite 6.1 GA: Sate llite 6.0 to Sate llite 6.1 Sate llite 6.1 Public Be ta (non-production) to Sate llite 6.1 GA Impo rtant Upgrading from Sate llite 6.1 Public Be ta in a production e nvironme nt to Sate llite 6.1 is not s upporte d. The following conditions mus t be me t be fore upgrading Re d Hat Sate llite 6: Ve rify that the Sate llite has the 6.1 satellite-tools and capsule re pos itorie s fully s ynchroniz e d and available to update the Sate llite Caps ule s e rve rs to the late s t upgrade package ve rs ions . Ens ure that the e xis ting Conte nt Vie ws are update d to include the ne wly s ynchroniz e d re pos itorie s . If you us e Activation Ke ys for conte nt hos t re gis tration, e ns ure that your Activation Ke y is update d with the ne wly s ynchroniz e d re pos itorie s . If you cre ate d a ne w Conte nt Vie w for the s e re pos itorie s , include this Conte nt Vie w in the Activation Ke y. Se e the Re d Hat Sate llite 6.1 Us e r Guide [10] for more information on Activation Ke ys . Re fre s h s ubs criptions to include the ne wly s ynchroniz e d re pos itorie s both on Caps ule s and Hos ts . 8.1. Upgrading Red Hat Sat ellit e This s e ction s hows how to upgrade Re d Hat Sate llite from ve rs ion 6.0 or 6.1 Public Be ta (non-production) to 6.1. Prerequisit es 116 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r Upgrade to the late s t minor ve rs ion of Re d Hat Sate llite 6.0 be fore proce e ding. Dire ct upgrade to 6.1 from e arlie r minor ve rs ions is not s upporte d. The Re d Hat Sate llite 6.1 re le as e re quire s the Re d Hat Sate llite 6.1 Tools re pos itory to be available in the s ubs cription manife s t. This re pos itory provide s the katello-agent and puppet-agent package s for clie nts re gis te re d to the Sate llite Se rve r. Ens ure the re quire d re pos itorie s are e nable d by following the proce dure be low to update the s ubs cription manife s t. Re move any that are no longe r re quire d. Pro cedure 8.1. Updat ing t he Subscript io n Manif est This proce dure de s cribe s updating the s ubs cription manife s t. 1. Navigate to https ://acce s s .re dhat.com and click SUBSCRIPTIONS on the main me nu at the top of the page . 2. Scroll down to the Red Hat Subscription Management s e ction, and click Satellite unde r Subscription Management Applications. 3. Click the name of the s ys te m this manife s t is as s ociate d to, and click Attach a subscription. 4. For e ach s ubs cription that you want to attach, s e le ct the che ck box for that s ubs cription, and s pe cify the quantity of s ubs criptions to attach. 5. Click Attach Selected. It can take s e ve ral minute s for all the s ubs criptions to attach. Re fre s h the s cre e n e ve ry fe w minute s until you re ce ive confirmation that the s ubs criptions are attache d. 6. Afte r the s ubs criptions have be e n attache d, click Download Manifest to ge ne rate an archive in .zip format containing the manife s t for Re d Hat Sate llite and s ave the manife s t file to a known location. 7. Upload the update d manife s t to the Re d Hat Sate llite Se rve r. a. Log in to the Sat ellit e s e rve r. b. In the top le ft corne r me nu, s e le ct the organiz ation that you want to as s ociate with the s ubs cription manife s t. c. Click Co nt ent → Red Hat Subscript io ns and the n click Manage Manifest at the uppe r right of the page . d. In the Subscription Manifest s e ction, click Actions and unde r the Upload New Manifest s ubs e ction, click Browse. e . Se le ct the manife s t file to upload, and the n click Upload. Pro cedure 8.2. Upgrading Red Hat Sat ellit e 1. If the Sate llite s e rve r is running on a virtual machine , take a s naps hot prior to upgrading. Othe rwis e , run katello-service stop and cre ate a backup of the re le vant databas e s . Se e How to ge ne rate databas e backup for Re d Hat Sate llite 6.0 for ins tructions on backing up your databas e s . 2. Update the ope rating s ys te m: # yum update 117 Ins t allat io n Guide 3. Dis able the re pos itorie s for the pre vious ve rs ion of Sate llite . A. If upgrading from Sate llite 6.0 on Re d Hat Ente rpris e Linux 7: # subscription-manager repos --disable rhel-7-server-satellite6.0-rpms B. If upgrading from Sate llite 6.1 Be ta on Re d Hat Ente rpris e Linux 7: # subscription-manager repos --disable rhel-server-7-satellite6-beta-rpms C. If upgrading from Sate llite 6.0 on Re d Hat Ente rpris e Linux 6: # subscription-manager repos --disable rhel-6-server-satellite6.0-rpms D. If upgrading from Sate llite 6.1 Be ta on Re d Hat Ente rpris e Linux 6: # subscription-manager repos --disable rhel-server-6-satellite6-beta-rpms 4. Enable the ne w re pos itorie s . A. On Re d Hat Ente rpris e Linux 7: # subscription-manager repos --enable rhel-7-server-satellite6.1-rpms B. On Re d Hat Ente rpris e Linux 6: # subscription-manager repos --enable rhel-6-server-satellite6.1-rpms 5. If the re are dis cove re d hos ts available , turn the m off and de le te all e ntrie s unde r the Discovered hosts page . 6. Stop s e rvice s : # katello-service stop output omitted Success! Wait for the command to comple te . If re quire d, confirm s e rvice s have s toppe d: # katello-service status mongod is stopped qdrouterd is stopped qpidd is stopped celery init v10.0. Using configuration: /etc/default/pulp_workers, /etc/default/pulp_celerybeat pulp_celerybeat is stopped. elasticsearch is stopped 118 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r celery init v10.0. Using config script: /etc/default/pulp_resource_manager node resource_manager is stopped... foreman-proxy is stopped tomcat6 is stopped [ output truncated OK ] Re s tart the Mongo databas e as it is re quire d for upgrading the Pulp databas e : # service-wait mongod start 7. Cle ar the re pos itory cache and update all package s : # yum clean all # yum update 8. Run the ins talle r with the --upgrade option: # katello-installer --upgrade If re quire d, add the --noop option to the command and re vie w the /var/log/katello-installer/katello-installer.log to s e e what change s would be applie d if the --noop was omitte d. Impo rtant If you have made manual e dits to DNS and DHCP configuration file s , the y will be ove rwritte n during the upgrade proce s s . To avoid this , appe nd the -capsule-dns-managed=false and --capsule-dhcp-managed=false options to the --upgrade ins talle r command. The katello-installer utility will backup file s that it change s and log this . For e xample : /Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1 The old file can be re s tore d with this command: # puppet filebucket -l restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1 9. Re s tart all s e rvice s : # katello-service restart If you are us ing the Dis cove ry fe ature , you mus t als o comple te Se ction 8.3, “Upgrading the Dis cove ry Fe ature ” Enabling T he New Reposit ories 119 Ins t allat io n Guide The Re d Hat Sate llite manife s t file provide s acce s s to Re d Hat products and re pos itorie s . Any ne w re pos itorie s mus t be e nable d and s ynchroniz e d in Re d Hat Sate llite Se rve r to pre pare the m for us e by Re d Hat Sate llite Caps ule Se rve rs . Pro cedure 8.3. Enable New Red Hat Repo sit o ries 1. On the main me nu, click Co nt ent → Red Hat Repo sit o ries and the n click the tab for the type of conte nt that you want to e nable . 2. Click the product name for which you want to add re pos itorie s . This e xpands the lis t of available re pos itory s e ts . 3. Click e ach re pos itory s e t from which you want to s e le ct re pos itorie s , and s e le ct the che ck box for e ach re quire d re pos itory. The re pos itory is automatically e nable d. Afte r e nabling a Re d Hat re pos itory, a product for this re pos itory is automatically cre ate d. The conte nt from this re pos itory will be downloade d during the ne xt s ynchroniz ation. Impo rtant Ens ure you e nable the Sate llite Tools re pos itory. This re pos itory provide s the katello-agent and puppet-agent package s for clie nts re gis te re d to the Sate llite Se rve r. 4. Start the s ynchroniz ation proce s s as de s cribe d in Se ction 4.1.3, “Synchroniz ing Conte nt”. 8.1.1. Upgrading Disconnect ed Sat ellit e This s e ction s hows how to upgrade a dis conne cte d Re d Hat Sate llite ins tance . Prerequisit es Upgrade to the late s t minor ve rs ion of Re d Hat Sate llite 6.0 be fore proce e ding. Dire ct upgrade to 6.1 from e arlie r minor ve rs ions is not s upporte d. Run katello-service start to re s tart all s e rvice s and update the ope rating s ys te m. For ins tructions on how to update a dis conne cte d s ys te m s e e De ployme nt Guide [11] for Re d Hat Ente rpris e Linux 6 or Sys te m Adminis trator's Guide [12] for Re d Hat Ente rpris e Linux 7. Pro cedure 8.4. Upgrading Disco nnect ed Sat ellit e 1. If the re are dis cove re d hos ts available , turn the m off and de le te all e ntrie s unde r the Discovered hosts page . 2. Stop s e rvice s : # katello-service stop output omitted Success! Wait for the command to comple te . If re quire d, confirm s e rvice s have s toppe d: 120 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r # katello-service status mongod is stopped qdrouterd is stopped qpidd is stopped celery init v10.0. Using configuration: /etc/default/pulp_workers, /etc/default/pulp_celerybeat pulp_celerybeat is stopped. elasticsearch is stopped celery init v10.0. Using config script: /etc/default/pulp_resource_manager node resource_manager is stopped... foreman-proxy is stopped tomcat6 is stopped [ output truncated OK ] Re s tart the Mongo databas e as it is re quire d for upgrading the Pulp databas e : # service-wait mongod start 3. Obtain the ISO file , mount it, and run the ins tall_package s s cript as de s cribe d in Se ction 2.1.2, “Downloading from a Dis conne cte d Ne twork”. Afte r e xe cuting s ucce s s fully, the s cript re turns the following me s s age : Upgrade is complete. Please backup your data and run katelloinstaller. 4. Cre ate a backup of the re le vant databas e s . Se e How to ge ne rate databas e backup for Re d Hat Sate llite 6.0 for ins tructions on backing up your databas e s . 5. Run the ins talle r with the --upgrade option: # katello-installer --upgrade If re quire d, add the --noop option to the command and re vie w the /var/log/katello-installer/katello-installer.log to s e e what change s would be applie d if the --noop was omitte d. Impo rtant If you have made manual e dits to DNS and DHCP configuration file s , the y will be ove rwritte n during the upgrade proce s s . To avoid this , appe nd the -capsule-dns-managed=false and --capsule-dhcp-managed=false options to the --upgrade ins talle r command. The katello-installer utility will backup file s that it change s and log this . For e xample : /Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1 121 Ins t allat io n Guide The old file can be re s tore d with this command: # puppet filebucket -l restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1 6. Re s tart all s e rvice s : # katello-service restart 7. Update the Dis cove ry te mplate : a. At the Hosts tab, s e le ct Provisioning templates. b. Se le ct PXELinux global default. c. At the Template editor dialog box, in the Pro visio ning T emplat e tab, modify the PXELinux global default te mplate dis cove ry me nu e ntry. Ins e rt the following te xt at the e nd of the te mplate : LABEL discovery MENU LABEL Satellite 6 Discovery MENU DEFAULT KERNEL boot/fdi-image-rhel_7-vmlinuz APPEND initrd=boot/fdi-image-rhel_7-img rootflags=loop root=live:/fdi.iso rootfstype=auto ro rd.live.image acpi=force rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0 rd.neednet=0 nomodeset proxy.url=https://SATELLITE_CAPSULE_URL:9090 proxy.type=proxy IPAPPEND 2 The proxy.type option can be e ithe r proxy or foreman. For proxy, all communication goe s through the Caps ule . For foreman, the communication goe s dire ctly to Sate llite Se rve r, which was the be havior in Sate llite 6.0. The proxy.url s pe cifie s the URL of the Sate llite Caps ule or Se rve r. Both HTTP and HTTPS protocols are s upporte d. 8.2. Upgrading Red Hat Sat ellit e Capsule Pro cedure 8.5. T o Upgrade Red Hat Sat ellit e Capsule: 1. Update the ope rating s ys te m: # yum update 2. Dis able the re pos itorie s for the pre vious ve rs ion of Sate llite . A. If upgrading from Sate llite 6.0 on Re d Hat Ente rpris e Linux 7: # subscription-manager repos --disable rhel-7-server-satellitecapsule-6.0-rpms B. If upgrading from Sate llite 6.1 Be ta on Re d Hat Ente rpris e Linux 7: 122 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r # subscription-manager repos --disable rhel-server-7-satellitecapsule-6-beta-rpms C. If upgrading from Sate llite 6.0 on Re d Hat Ente rpris e Linux 6: # subscription-manager repos --disable rhel-6-server-satellitecapsule-6.0-rpms D. If upgrading from Sate llite 6.1 Be ta on Re d Hat Ente rpris e Linux 6: # subscription-manager repos --disable rhel-server-6-satellitecapsule-6-beta-rpms 3. Enable the ne w re pos itorie s . A. On Re d Hat Ente rpris e Linux 7: # subscription-manager repos --enable rhel-7-server-satellitecapsule-6.1-rpms B. On Re d Hat Ente rpris e Linux 6: # subscription-manager repos --enable rhel-6-server-satellitecapsule-6.1-rpms 4. If the re are dis cove re d hos ts available , turn the m off and de le te all e ntrie s unde r the Discovered hosts page . 5. Stop the following s e rvice s to pre ve nt de pe nde ncy e rrors during the databas e migration: # for i in qpidd pulp_workers pulp_celerybeat pulp_resource_manager httpd; do service $i stop; done 6. Cle ar the re pos itory cache and update all package s : # yum clean all # yum update 7. The following s te ps are re quire d only if you upgrade from Sate llite 6.0: a. Ins tall the capsule-installer package : # yum install capsule-installer No te In Re d Hat Sate llite 6.0, the katello-installer s cript provide d the Sate llite Caps ule Se rve r ins talle r. In Sate llite 6.1, the capsuleinstaller s cript has its own package . 123 Ins t allat io n Guide Ins talling capsule-installer automatically re move s the katello-installer package and s ave s the pre vious Caps ule configuration and ans we r file s . b. Copy the pre vious ans we r file to the ne w capsule-installer dire ctory: # cp /etc/katello-installer/answers.capsuleinstaller.yaml.rpmsave /etc/capsuleinstaller/answers.capsule-installer.yaml 8. On the Sate llite Se rve r, ge ne rate an archive with ne w ce rtificate s : # capsule-certs-generate --capsule-fqdn "capsule.example.com" -certs-tar "capsule.example.com-certs.tar" Re place capsule.example.com with the fully qualifie d domain name of the Caps ule . Copy the archive file to the Caps ule . 9. Ins tall the Dis cove ry plug-in if you plan to us e the Caps ule as a proxy for dis cove re d hos ts : # yum install rubygem-smart_proxy_discovery.noarch 10. Ve rify if the fore man_url s e tting re fe rs to the Sate llite Se rve r corre ctly. On the Caps ule e xe cute : # grep foreman_url /etc/foreman-proxy/settings.yml The above command s hould re turn the fully qualifie d domain name (FQDN) of the Sate llite s e rve r, for e xample : :foreman_url: https://satellite.example.com 11. Re s tart the fore man-proxy compone nt on the Sate llite Caps ule s e rve r: # service foreman-proxy restart 12. Run the ins talle r with the --upgrade option: # capsule-installer --upgrade --certs-tar capsule.example.comcerts.tar Re place capsule.example.com-certs.tar with the path to the ce rtificate archive on the Caps ule . Impo rtant If you have made manual e dits to DNS and DHCP configuration file s , the y will be ove rwritte n during the upgrade proce s s . To avoid this , appe nd the --dnsmanaged=false and --dhcp-managed=false options to the --upgrade ins talle r command. 124 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r 13. Upgrade the foreman-discovery-image package on the Sate llite s e rve r and turn on the hos ts that we re s hut down prior the upgrade . 8.3. Upgrading t he Discovery Feat ure The following s te ps de s cribe how to upgrade the Dis cove ry fe ature of Re d Hat Sate llite 6. Pro cedure 8.6. Ho w t o Upgrade t he Disco very Feat ure o f Sat ellit e 6 1. Ve rify that all re le vant package s are up-to-date on the Sate llite s e rve r: # yum upgrade ruby193-rubygem-foreman_discovery Re s tart the Sate llite s e rve r if any package s we re update d. 2. Upgrade the Dis cove ry image on the Sate llite Caps ule that is e ithe r conne cte d to the provis ioning ne twork with dis cove re d hos ts or provide s TFTP s e rvice s for dis cove re d hos ts . # yum upgrade foreman-discovery-image 3. On the s ame ins tance , ins tall the package which provide s the Proxy s e rvice , and the n re s tart foreman-proxy s e rvice . Dis cove re d hos ts in Sate llite 6.1 are no longe r re quire d to have dire ct conne ction to Sate llite Se rve r. # yum install rubygem-smart_proxy_discovery # service foreman-proxy restart 4. All s ubne ts with dis cove re d node s ne e d this s pe cifie d in Sate llite Se rve r s o it conne cts via the Fore man Proxy. In the we b UI, navigate to Inf rast ruct ure → Capsules and ve rify that the de s ire d proxy lis ts the Dis cove ry fe ature . If it doe s not, click Refresh features. 5. Navigate to Inf rast ruct ure → Subnet s and s e le ct the re quire d Smart Proxy for e ach s ubne t that you want to us e dis cove ry, and ve rify that it is conne cte d to the Dis cove ry Proxy. 6. Navigate to Pro visio ning T emplat es, e dit the PXELinux global de fault te mplate and modify it according to the e xample be low. No te Diffe re nt options appe ar on the APPEND line compare d to the Sate llite 6.0 re le as e . LABEL discovery MENU LABEL Satellite 6 Discovery MENU DEFAULT KERNEL boot/fdi-image-rhel_7-vmlinuz APPEND initrd=boot/fdi-image-rhel_7-img rootflags=loop root=live:/fdi.iso rootfstype=auto ro rd.live.image acpi=force 125 Ins t allat io n Guide rd.luks=0 rd.md=0 rd.dm=0 rd.lvm=0 rd.bootif=0 rd.neednet=0 nomodeset proxy.url=https://SATELLITE_CAPSULE_URL:9090 proxy.type=proxy IPAPPEND 2 The proxy.type option can be e ithe r proxy or foreman. If you s pe cify proxy the n all communication goe s through the Sate llite Caps ule . This is the pre fe rre d me thod. If you s pe cify foreman the n all communication goe s dire ctly to the Sate llite Se rve r. This is the me thod us e d by Sate llite 6.0. No te Whe n us ing proxy type , the de fault port on Sate llite Caps ule is 9090, but for dire ct communication with Sate llite Se rve r, you ne e d to us e port 80. The proxy.url option s pe cifie s the URL of the Sate llite Caps ule or Se rve r de pe nding on the pre vious s e tting. Both HTTP and HTTPS s che me s are s upporte d. It is pos s ible to omit the proxy.url option to de te rmine the Caps ule DNS name from its SRV re cord. This might be us e ful whe n the re are multiple dis cove ry s ubne ts . Re vie w the global s e ttings and pe rmis s ions in the Sate llite Se rve r us e r inte rface . Se e the Red Hat Satellite 6.1 User Guide for more information. 8.4. Upgrading Red Hat Sat ellit e Client s The katello-agent package from Sate llite 6.0 is not compatible with Re d Hat Sate llite 6.1. You ne e d to manually upgrade to the ne w ve rs ion of katello-agent on all Sate llite clie nts . Pro cedure 8.7. T o Upgrade t he kat ello -agent Package: 1. Log in to the clie nt s ys te m and e nable the Sate llite tools re pos itory. # subscription-manager repos --enable=rhel-version-serversatellite-tools-6.1-rpms Re place version with 6 or 7 de pe nding on the Re d Hat Ente rpris e Linux ve rs ion you are us ing. 2. Synchroniz e the re pos itory. Re place ID with the ID of the tools re pos itory. # hammer repository synchronize --id ID 3. Upgrade the katello-agent package . # yum upgrade katello-agent Impo rtant It is curre ntly not pos s ible to upgrade the age nt us ing Re d Hat Sate llite be fore upgrading Sate llite its e lf. 126 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r 8.5. Upgrading Bet ween Minor Versions of Sat ellit e This proce dure mus t be followe d to upgrade be twe e n minor ve rs ions , for e xample , from 6.1.8 to 6.1.9. Prerequisit es Ens ure you have s ynchroniz e d Sate llite Se rve r re pos itorie s for Sate llite , Caps ule , and Sate llite Tools . Ens ure e ach e xte rnal Caps ule and Conte nt Hos t can be upgrade d by promoting the update d re pos itorie s to all re le vant conte nt vie ws . Pro cedure 8.8. Upgrading t he Sat ellit e Server t o t he Next Mino r Versio n 1. On a s e lf-re gis te re d Sate llite , download all package s bef o re s topping Sate llite Se rve r: # yum update --downloadonly 2. Stop s e rvice s : # katello-service stop output omitted Success! 3. Update all package s : # yum update 4. If a ke rne l update occurs , re boot the s ys te m: # reboot 5. Pe rform the upgrade : # katello-installer --upgrade 6. On a s e lf-re gis te re d Sate llite , re s tart goferd: A. On Re d Hat Ente rpris e Linux 6: # service goferd restart B. On Re d Hat Ente rpris e Linux 7: # systemctl restart goferd Pro cedure 8.9. Upgrading a Capsule Server t o t he Next Mino r Versio n 1. Stop s e rvice s : # katello-service stop 127 Ins t allat io n Guide output omitted Success! 2. Update all package s : # yum update 3. If a ke rne l update occurs , re boot the s ys te m: # reboot 4. Pe rform the upgrade : # capsule-installer --upgrade 5. Re s tart goferd: A. On Re d Hat Ente rpris e Linux 6: # service goferd restart B. On Re d Hat Ente rpris e Linux 7: # systemctl restart goferd Pro cedure 8.10 . Upgrading a Co nt ent Ho st t o t he Next Mino r Versio n 1. Update all package s : # yum update 2. If a ke rne l update occurs , re boot the s ys te m: # reboot 3. Re s tart goferd: A. On Re d Hat Ente rpris e Linux 6: # service goferd restart B. On Re d Hat Ente rpris e Linux 7: # systemctl restart goferd [10] https://access.redhat.com /docum entation/enUS/Red_Hat_Satellite/6.1/htm l/User_Guide/chap-Red_Hat_Satellite-User_GuideC onfiguring_Activation_Keys.htm l [11] https://access.redhat.com /docum entation/enUS/Red_Hat_Enterprise_Linux/6/htm l/Deploym ent_Guide/ch-yum .htm l#s1-yum -upgrade-system 128 C hapt e r 8 . Upgr ading Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r [12] https://access.redhat.com /docum entation/en-US/Red_Hat_Enterprise_Linux/7Beta/htm l/System _Adm inistrators_Guide/ch-yum .htm l#s1-yum -upgrade-system 129 Ins t allat io n Guide Chapt er 9. Next St eps The conte nt of the Ins tallation Guide take s you through ins talling Re d Hat Sate llite Se rve r, Caps ule Se rve r, and s e tting up the re pos itorie s s o that clie nt hos t s ys te ms can update from the Sate llite Se rve r. The re are othe r configuration s te ps you will ne e d to take to take full advantage of your Re d Hat Sate llite Se rve r and Caps ule Se rve r. The Red Hat Satellite 6.1 User Guide can as s is t in configuring life cycle e nvironme nts , products , organiz ations , locations , and othe r compone nts while the Red Hat Satellite Provisioning Guide can as s is t with s e tting up a working provis ioning e nvironme nt for your Re d Hat Sate llite Se rve r. 130 C hapt e r 10 . Unins t alling Re d Hat Sat e llit e Se r ve r and Caps ule Se r ve r Chapt er 10. Uninst alling Red Hat Sat ellit e Server and Capsule Server Warning The following proce dure s will e ras e all applications that are us e d with Re d Hat Sate llite Se rve r or Re d Hat Sate llite Caps ule Se rve r on the targe t s ys te m. If you are us ing any of the s e applications or application data for any othe r purpos e s than Re d Hat Sate llite , back up the information be fore running the s e s cripts . Removing Sat ellit e Server The command to unins tall Re d Hat Sate llite Se rve r is katello-remove. The unins tall s cript will is s ue a warning twice , re quiring confirmation be fore it re move s all package s and configuration file s in the s ys te m. Be low is a s ample output of the command: # katello-remove WARNING: This script will erase many packages and config files. Important packages such as the following will be removed: * elasticsearch * httpd (apache) * mongodb * tomcat6 * puppet * ruby * rubygems * All Katello and Foreman Packages Once these packages and configuration files are removed there is no going back. If you use this system for anything other than Katello and Foreman you probably do not want to execute this script. Read the source for a list of what is removed. Are you sure(Y/N)? y ARE YOU SURE?: This script permanently deletes data and configuration. Read the source for a list of what is removed. Type [remove] to continue? remove Shutting down Katello services... ... Removing Capsule Server The command to unins tall Re d Hat Sate llite Caps ule Se rve r is capsule-remove from the capsule-installer package . Same as katello-remove, capsule-remove will is s ue a warning twice , re quiring confirmation be fore re moving the conte nt. 131 Ins t allat io n Guide Appendix A. Glossary of Terms The following te rms are us e d throughout this docume nt. Familiariz e yours e lf with the s e te rms to he lp your unde rs tanding of Re d Hat Sate llite 6. A ct ivat io n Key A re gis tration toke n us e d in a Kicks tart file to control actions at re gis tration. The s e are s imilar to Activation Ke ys in Re d Hat Sate llite 5, but provide a s ubs e t of fe ature s be caus e Puppe t controls package and configuration manage me nt afte r re gis tration. A pplicat io n Lif e Cycle Enviro nment An Application Life Cycle Environment re pre s e nts a s te p, or s tage , in a promotion path through the Software De ve lopme nt Life Cycle (SDLC). Promotion paths are als o known as de ve lopme nt paths . Conte nt s uch as package s and Puppe t module s move through life cycle e nvironme nts by publis hing and promoting Conte nt Vie ws . All Conte nt Vie ws have ve rs ions , which me ans you can promote a s pe cific ve rs ion through a typical promotion path; for e xample , from de ve lopme nt to te s t to production. Channe l cloning imple me nts this conce pt in Re d Hat Sate llite 5. A t t ach The proce s s of as s ociating a Subs cription to a Hos t that provide s acce s s to RPM conte nt. C apsule A Capsule is an additional s e rve r that can be us e d in a Re d Hat Sate llite 6 de ployme nt to facilitate conte nt fe de ration and dis tribution in addition to othe r localiz e d s e rvice s (Puppe t Mas te r, DHCP, DNS, TFTP, and more ). C at alo g A Catalog is a docume nt that de s cribe s the de s ire d s ys te m s tate for one s pe cific compute r. It lis ts all of the re s ource s that ne e d to be manage d, as we ll as any de pe nde ncie s be twe e n thos e re s ource s . C o mput e Pro f ile Compute Profiles s pe cify de fault attribute s for ne w virtual machine s on a compute re s ource . C o mput e Reso urce A Compute Resource is virtual or cloud infras tructure , which Re d Hat Sate llite 6 us e s for de ployme nt of hos ts and s ys te ms . Example s include Re d Hat Ente rpris e Virtualiz ation Manage r, Ope nStack, EC2, and VMWare . C o nt ent Content include s s oftware package s (RPM file s ) and Puppe t module s . The s e are s ynchroniz e d into the Library and the n promote d into Life Cycle Environme nts us ing Conte nt Vie ws s o that the y can be cons ume d by Hos ts . C o nt ent Delivery Net wo rk (CDN) 132 A ppe ndix A. Glo s s ar y o f T e r ms The Content Delivery Network (CDN) is the me chanis m us e d to de live r Re d Hat conte nt in a ge ographically co-locate d fas hion. For e xample , conte nt that is s ynchroniz e d by a Sate llite in Europe pulls conte nt from a s ource in Europe . C o nt ent Ho st A Content Host is the part of a hos t that manage s tas ks re late d to conte nt and s ubs criptions . C o nt ent View A Content View is a de finition of conte nt that combine s products , package s , and Puppe t module s with capabilitie s for inte llige nt filte ring and cre ating s naps hots . Conte nt Vie ws are a re fine me nt of the combination of channe ls and cloning from Re d Hat Sate llite 5. Ext ernal No de Classif ier An External Node Classifier is a Puppe t cons truct that provide s additional data for a Puppe t Mas te r to us e whe n configuring Hos ts . Re d Hat Sate llite 6 acts as an Exte rnal Node Clas s ifie r to Puppe t Mas te rs in a Sate llite de ployme nt. Fact er Facter is a program that provide s information (facts ) about the s ys te m on which it is run; for e xample , Facte r can re port total me mory, ope rating s ys te m ve rs ion, archite cture , and more . Puppe t module s e nable s pe cific configurations bas e d on hos t data gathe re d by Facte r. Hammer Hammer is a command line tool for Re d Hat Sate llite 6. Us e Hamme r to manage Re d Hat Sate llite 6 as a s tandard CLI, for s cripts , and als o through an inte ractive s he ll. Hiera Hie ra is a ke y/value look-up tool for configuration data which allows ke e ping s ite s pe cific data out of puppe t manife s ts . Ho st A Host re fe rs to any s ys te m, e ithe r phys ical or virtual, that Re d Hat Sate llite 6 manage s . Ho st Co llect io n A Host Collection is e quivale nt to a Sate llite 5 System Group, that is , a us e r de fine d group of one or more Hos ts . Ho st Gro up A Host Group is a te mplate for building a Hos t. This include s the conte nt vie w (which de fine s the available RPM file s and Puppe t module s ) and the Puppe t clas s e s to apply (which ultimate ly de te rmine s the s oftware and configuration). Lo cat io n A Location is colle ction of de fault s e ttings that re pre s e nt a phys ical place . The s e can be ne s te d s o that you can s e t up an hie rarchical colle ction of locations . For 133 Ins t allat io n Guide e xample , you can s e t up de faults for "Middle Eas t", which are re fine d by "Te l Aviv", which are furthe r re fine d by "Data Ce nte r Eas t", and the n finally by "Rack 22". Library The Library contains every ve rs ion, including the late s t s ynchroniz e d ve rs ion, of the s oftware that the us e r will e ve r de ploy. For an Information Te chnology Infras tructure Library (ITIL) [13] organiz ation or de partme nt, this is the De finitive Me dia Library [14] (pre vious ly name d the De finitive Software Library). Manif est A Manifest trans fe rs s ubs criptions from the Cus tome r Portal to Re d Hat Sate llite 6. This is s imilar in function to ce rtificate s us e d with Re d Hat Sate llite 5. For more information about ce rtificate s and s ubs cription type s , s e e : RHN Clas s ic, Re d Hat Sate llite , and Channe l Entitle me nts [15] The Structure of Sate llite Ce rtificate s (Clas s ic Style of Ce rtificate s ) [16] O rganizat io n An Organization is an is olate d colle ction of s ys te ms , conte nt, and othe r functionality within a Sate llite 6 de ployme nt. P ro duct A colle ction of conte nt re pos itorie s . Products can be Re d Hat products or ne wlycre ate d products made up of s oftware and configuration conte nt. P ro mo t e The act of moving a conte nt vie w compris e d of s oftware and configuration conte nt from one Application Life Cycle Environme nt to anothe r, s uch as moving from de ve lopme nt to QA to production. P ro visio ning T emplat e A Provisioning Template is a us e r-de fine d te mplate for Kicks tart file s , s nippe ts , and othe r provis ioning actions . In Sate llite 6 the y provide s imilar functionality to Kicks tart Profile s and cobble r Snippe ts in Re d Hat Sate llite 5. P ulp No de A Pulp Node is a Caps ule Se rve r compone nt that mirrors conte nt. This is s imilar to the Re d Hat Sate llite 5 Proxy. The main diffe re nce is that conte nt can be s tage d on the Pulp Node be fore it is us e d by a Hos t. P uppet Agent The Puppet Agent is an age nt that runs on a Hos t and applie s configuration change s to that Hos t. P uppet Mast er A Puppet Master is a Caps ule Se rve r compone nt that provide s Puppe t manife s ts to Hos ts for e xe cution by the Puppe t Age nt. 134 A ppe ndix A. Glo s s ar y o f T e r ms P uppet Mo dule A Puppet Module is a s e lf-containe d bundle of code and data that you can us e to manage re s ource s s uch as us e rs , file s , and s e rvice s . Repo sit o ry A Repository provide s s torage for a colle ction of conte nt. For e xample , a YUM re pos itory or a Puppe t re pos itory. Ro le A Role s pe cifie s a colle ction of pe rmis s ions that are applie d to a s e t of re s ource s , s uch as Hos ts . Smart Pro xy A Smart Proxy is a Caps ule Se rve r compone nt that can inte grate with e xte rnal s e rvice s , s uch as DNS or DHCP. Smart Variable A Smart Variable is a configuration value that controls how a Puppe t Clas s be have s . This can be s e t on a Hos t, a Hos t Group, an Organiz ation, or a Location. St andard Operat ing Enviro nment (SOE) A Standard Operating Environment (SOE) is a controlle d ve rs ion of the ope rating s ys te m on which applications are de ploye d. Subscript io n Subscriptions are the me ans by which you re ce ive conte nt and s e rvice from Re d Hat. Synchro nizing Synchronizing re fe rs to mirroring conte nt from e xte rnal re s ource s into the Re d Hat Sate llite 6 Library. Synchro nizat io n Plans Synchronization Plans provide s che dule d e xe cution of conte nt s ynchroniz ation. User Gro up A User Group is a colle ction of role s which can be as s igne d to a colle ction of us e rs . This is s imilar to a Role in Re d Hat Sate llite 5. User A us e r is anyone re gis te re d to us e Re d Hat Sate llite . Authe ntication and authoriz ation is pos s ible through built-in logic, through e xte rnal LDAP re s ource s , or with Ke rbe ros . [13] http://en.wikipedia.org/wiki/Inform ation_Technology_Infrastructure_Library [14] http://en.wikipedia.org/wiki/Definitive_Media_Library 135 Ins t allat io n Guide [15] https://access.redhat.com /site/docum entation/enUS/Red_Hat_Subscription_Managem ent/1/htm l/MigratingRHN/sat-certs.htm l [16] https://access.redhat.com /site/docum entation/enUS/Red_Hat_Subscription_Managem ent/1/htm l/Subscription_C oncepts_and_Workflows/index.ht m l#subscr-legacy 136 A ppe ndix B. Re vis io n His t o r y Appendix B. Revision Hist ory Revisio n 1-68 T ue 13 Sept 20 16 Brandi Munilla Bug 1364249 - Incorre ct commands in s ate llite 6.1 ins tallation docume nt. Revisio n 1-67 T ue 18 Aug 20 16 St ephen Wadeley Bug 1362527 - Provide ins tructions on how to pe rform upgrade s be twe e n minor re le as e s . Revisio n 1-66 T ue 0 2 Aug 20 16 St ephen Wadeley Bug 1346928 - Mis s ing port in Sate llite to Caps ule communication in chapte r 7.2.3. Revisio n 1-65 Wed Apr 27 20 16 Russell Dickenso n BZ#1322207 - Ame nde d s ubs cription manage r e xample command. Revisio n 1-64 T ue Dec 15 20 15 Russell Dickenso n BZ#1249288 - Update d the s e ction on s e tting a cus tom s e rve r ce rtificate . Revisio n 1-63 Building for as ync 2. Mo n No v 16 20 15 Hayley Hudgeo ns Revisio n 1-62 Building for as ync 1. Mo n Oct 12 20 15 Hayley Hudgeo ns Revisio n 1-61 T hu Sept 24 20 15 BZ#1146946 - Inte grate d pe e r re vie w fe e dback. Megan Lewis Revisio n 1-60 Mo n Sept 21 20 15 Megan Lewis BZ#1146946 - Adde d chapte r on Configuring a Se lf-Re gis te re d Sate llite . Revisio n 1-59 T ues August 25 20 15 Re -building GA docs to include html-s ingle format. Hayley Hudgeo ns Revisio n 1-58 Building for GA. Ella Deo n Ballard Fri August 7 20 15 Revisio n 1-57 Mo n August 3 20 15 Jo So mers BZ#1243608 Adde d s upporte d upgrade paths to chapte r 7 Upgrading Re d Hat Sate llite Se rve r and Caps ule Se rve r Revisio n 1-56 Fri July 24 20 15 Megan Lewis BZ#1209249 Re ve rte d change s to 2.2.3.2. Configuring Re d Hat Sate llite with a Cus tom Se rve r Ce rtificate . Revisio n 1-55 T hu July 23 20 15 Jo So mers BZ 1206788: Se ction 4.2 Dis conne cte d Sate llite , update d to match Sate llite 6.1 Us e r Guide , s e ction Dis conne cte d Sate llite . Revisio n 1-54 T hu July 23 20 15 David O'Brien BZ 1205469: Re vie w s e ction on obtaining package s for conne cte d and dis conne cte d e nvironme nts . Minor update s . 137 Ins t allat io n Guide Revisio n 1-53 T ue July 21 20 15 Jo So mers BZ#1234016 Change d s ubs cription-manage r --e nv option in s e ction Obtaining the Re quire d Package s for the Caps ule Se rve r, Pre re quis ite s , Ste p 2. Revisio n 1-52 Mo n July 20 20 15 Megan Lewis BZ#1243608 Adde d important note to 1.4. Pre re quis ite s , 6.2. Re d Hat Sate llite Caps ule Se rve r Pre re quis ite s , and Chapte r 7. Upgrading Re d Hat Sate llite Se rve r and Caps ule Se rve r s tating that Sate llite s e rve r and Caps ule ve rs ions mus t match. BZ#1209249 Update d 2.2.3.2. Configuring Re d Hat Sate llite with a Cus tom Se rve r Ce rtificate with --fore man-s e rve r flags . Revisio n 1-51 Fri July 17 20 15 Jo So mers Fix BZ1242526 s e ction 7.1 Upgrading RH Sate llite Caps ule Se rve rs , Adde d warning Fix BZ1241273 s e ction 7.1 Upgrading RH Sate llite Caps ule Se rve rs , Adde d ne w s te p 9 Re s tart all s e rvice s ' Fix BZ1235777 Se ction 6.4 Running the Ins tallation and Configuration Program for Caps ule Se rve r, Pre re quis ite s : Adde d two commands afte r note and re wrote Se ction 6.4.1 Adding a Caps ule Se rve r Revisio n 1-50 T hu July 16 20 15 Jo So mers Fix BZ1241461 s e ction 7.1 Upgrading Re d Hat Sate llite Se rve r and Caps ule s e rve r,s te p 6 change d Fix BZ1230332 s e ction 2.2.1 Configuring Re d Hat Sate llite Manually,s te p 2a and s te p 2b change d uid-owne r kate llo to uid-owne r fore man Revisio n 1-49 T ue July 14 20 15 Re move draft s tatus . Re build for te chnical re vie w. David O'Brien Revisio n 1-48 Mo n July 13 20 15 Megan Lewis BZ#1200617 Corre cte d the dire ctory us e d throughout the proce dure . Revisio n 1-47 Sat July 11 20 15 David O'Brien BZ #1241581 Clarify re quire me nt to manually upgrade kate llo-age nt on all clie nts . Revisio n 1-46 Wed July 8 20 15 Jo So mers BZ#1200617 Corre cte d Ste p 4 and combine d s te ps 7 and 8 in s e ction 4.2 Dis conne cte d Sate llite . Revisio n 1-45 T hu July 2 20 15 Jo So mers BZ#1171611 Corre cte d e rror in Ste p 2 of s e ction 6.7 Re gis te ring Hos t Sys te ms to a Re d Hat Sate llite Caps ule Se rve r. Revisio n 1-44 Wed July 1 20 15 Megan Lewis BZ#1206788 Corre cte d e rror in Ste p 2 of 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. Revisio n 1-43 T hu Jun 25 20 15 Jo So mers BZ 1234705 Change d channe l to re pos itory in s e ctions Re d Hat Sate llite 6 Supporte d Us age , Pre re quis ite s , Synchroniz ation Status , Bas e Ope rating Sys te ms , Downloading from a Dis conne cte d Ne twork Revisio n 1-42 138 Wed Jun 24 20 15 Jo So mers A ppe ndix B. Re vis io n His t o r y BZ 1200617 De le te d s e ctions :Configuring the Synchroniz ation Hos t, Synchroniz ing Conte nt, Exporting Conte nt Revisio n 1-41 6.1 Public Be ta re le as e . Add e dition numbe r. Mo n Jun 15 20 15 David O'Brien Revisio n 1-40 T hu June 8 20 15 Jo So mers BZ 1180277 Change d fire wall-cmd --re load in s e ction Re quire d Ne twork Ports . BZ 1180277 In s e ction Application Spe cifications , adde d Re d Hat Ente rpris e Linux 7 chronyd command. Revisio n 1-39 T hu June 4 20 15 Jo So mers BZ 1180277 Adde d fire wall-cmd --re load to s e ction Configuring Re d Hat Sate llite Manually. Revisio n 1-38 Wed May 27 20 15 David O'Brien BZ 1216072 Cle ane d up ins tance s of "be ta" in GA re le as e . Revisio n 1-37 Wed May 13 20 15 Add chapte r on virt-who for te ch re vie w. David O'Brien Revisio n 1-36 Te ch re vie w ve rs ion. David O'Brien Mo n May 11 20 15 Revisio n 1-35 Mo n May 4 20 15 At hene Chan BZ#1195556 Update d the "Re gis te ring Hos t Sys te ms to the Re d Hat Caps ule Se rve r s e ction. Update d the ins tructions to ins talling a Caps ule Se rve r and the type s of Caps ule Se rve rs . Re arrange d configuration options . BZ#1209761 Re move d the option "-v" in the "kate llo-ins talle r" command from the "Configuring DNS, DHCP and TFTP" s e ction. BZ#1212974 Adde d UDP fire wall rule s to port 53 in the "Re quire d Ne twork Ports " s e ction. BZ#1129498 Re move d the "#" at the be ginning of the commands in the "Re quire d Ne twork Ports " s e ction of the Caps ule Se rve r s e ction. BZ#1167898 Re move d uns upporte d DNS s upport from the "Re d Hat Sate llite Caps ule Se rve r" s e ction. BZ#1188300 Adde d port 8443 as a re quire d fre e port for s ubs cription manage me nt s e rvice s in the Pre re quis ite s s e ction. Revisio n 1-34 T hu April 30 20 15 Megan Lewis BZ#1175924 Update d note in 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. Revisio n 1-33 Wed April 29 20 15 Megan Lewis BZ#1175835 Update d e xample in 4.2.2 Synchroniz ing Conte nt. BZ#1175924 Update d Ste p 7 of 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. Fixe d typos in 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. Revisio n 1-32 T ue April 28 20 15 At hene Chan BZ#1202055 Change d the ins tructions as pe r comme nt #8 in the bug to re fle ct the corre ct proce dure for upgrading Caps ule Se rve rs . 139 Ins t allat io n Guide Revisio n 1-31 Mo n April 27 20 15 Jo So mers BZ#1171697 In s e ction Pre re quis ite s , adde d hos tname re quire me nts Revisio n 1-30 Fri April 24 20 15 Jo So mers BZ#1171611 In s e ction Re gis te ring Hos t Sys te ms to a Re d Hat Sate llite Caps ule , change d s ubs cription-manage r command from org name to org labe l Revisio n 1-29 T hu April 23 20 15 Megan Lewis BZ#1192272 Corre cte d e rror in Configuring Re d Hat Sate llite with an Ans we r File . Revisio n 1-28 Wed April 22 20 15 At hene Chan Update d all pre re quis ite s from Re d Hat Ente rpris e Linux 6.5 to 6.6. Revisio n 1-29 Wed April 22 20 15 Jo So mers In s e ction Pre re quis ite s , update d ports in table 1.26.5 to 6.6. Revisio n 1-27 Wed April 15 20 15 At hene Chan BZ#1180715 Adde d a table to the "Storage " pre re quis ite s . BZ#1174453 Change d "kate llo-ins talle r" to "caps ule -ins talle r" in the "Obtaining the Re quire d Package s for the Caps ule Se rve r" s e ction. BZ#1205493 Update d proce dure for cre ating a manife s t. Revisio n 1-26 Update d brand. Wed April 8 20 15 Revisio n 1-25 Fri April 1 20 15 Re s tructure d the ins tallation guide 's table of conte nts . Megan Lewis At hene Chan Revisio n 1-24 Fri April 1 20 15 At hene Chan BZ#1166191 Adde d a note about chaine d ce rtificate s . Change d the proce dure to "Se tting Up a Manife s t" in accordance to the change s in the Cus tome r Portal. BZ#1145823 Change d a s te p to make s ure that organiz ation name s are us e d for the "Sate llite Name " whe n re gis te ring a Sate llite for manife s ts . BZ#1194392 Clarifie d that the Sate llite s ubs cription s hould not be attache d to the manife s t. BZ#1185849 Change d the output if the s ubs cription SKU and change d the s e cond s te p in the proce dure "To Ins tall a Sate llite Caps ule Se rve r on a Ce rtificate -manage d Sys te m" BZ#1185836 Adde d "Caps ule " to the note in the "Re d Hat Sate llite Caps ule Se rve r Pre re quis ite s " s e ction. BZ#1174578 Re move d duplicate d caps ule re gis tration s te ps in "Ins talling a Re d Hat Sate llite Caps ule Se rve r" and ""Configuring a Re d Hat Sate llite Caps ule Se rve r". BZ#1173816 Re move d the fire wall rule s on e las tics e arch in the "Configuring a Re d Hat Sate llite Caps ule Se rve r" s e ction as the Caps ule s e rve r doe s not us e e las tics e arch. Change d the re pos itory name s to corre ct Be ta re pos itorie s for both the Sate llite Se rve r and Caps ule . BZ#1173680 Adde d a note on the Storage pre re quis ite s s e ction about late ncy and ne tworke d s torage . BZ#1176479 Adde d information on configuring DNS, DHCP, and TFTP to the Configuration Options . Adde d fire wall port 5674 for amqp conne ctions and SELinux cons ide rations for amqp in the pre re quis ite s s e ction. Revisio n 1-23 140 Mo n Mar 30 20 15 David O'Brien A ppe ndix B. Re vis io n His t o r y BZ 1203878: Update RH Common re pos itory name to Sate llite Tools . Revisio n 1-22 Wed Mar 23 20 15 Jo So mers BZ#1201194 In s e ction Pre re quis ite s , adde d Re d Hat Ente rpris e Linux 6.6 or late r Revisio n 1-21 Wed Mar 23 20 15 Jo So mers BZ#1201193 Adde d Re d Hat Ente rpris e Linux 6.6 or late r and re fe re nce to s olution article in s e ction Ins talling Re d Hat Sate llite with an ISO Image -Pre re quis ite s Revisio n 1-20 Wed Mar 18 20 15 Jo So mers BZ#1200617 Adde d ne w s te ps 1-6 in s e ction Importing Conte nt to a Dis conne cte d Sate llite Se rve r. Revisio n 1-19 T ue Mar 17 20 15 At hene Chan BZ#1170334 Adde d ne twork ports to be ope ne d as a pre re quis ite to ins tallation. BZ#1193153 s e nte nce s tructure change to proce dure s tate me nt. Revisio n 1-18 T hu Mar 12 20 15 Jo So mers BZ#1119934 In s e ction Configuring Re d Hat Sate llite Manually, Proce dure 2.2 Running the Ins talle r Script: change d Ste p 1 kate llo-ins talle r command Revisio n 1-17 Mo n Mar 0 9 20 15 David O'Brien BZ#1166642 Add comme nt to e nable SELinux and re labe l file s afte r ins tallation if SELinux was dis able d during ins tallation. Revisio n 1-16 Wed Mar 0 3 20 15 Jo So mers Fix BZ 1170713 In s e ction Ins talling Re d Hat Sate llite , Proce dure 2.1, for Re d Hat Ente rpris e Linux 7, adde d re po name s be fore yum ins tall Revisio n 1-15 Fri Feb 27 20 15 David O'Brien BZ#1183657 Add "puppe t module " and "catalog" to Glos s ary Revisio n 1-14 Wed Feb 25 20 15 At hene Chan BZ#1180191 Corre cte d the re quire d RPMs to ins tall for s ynchroniz ing hos ts in a dis conne cte d Sate llite Se rve r. Revisio n 1-13 T ue Feb 18 20 15 Jo So mers BZ#1180277 Corre cte d fire wall command from comple te re load to re load in s e ction Re d Hat Sate llite Caps ule Se rve r Pre re quis ite s . BZ#1180277 Adde d fire wall re load command in s e ction Configuring a Re d Hat Sate llite Caps ule Se rve r. Revisio n 1-12 Mo n Feb 9 20 15 Megan Lewis BZ#1178176 Furthe r corre ctions in 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. BZ#1177574 Adde d line bre aks to Proce dure 2.5 in 2.3.2. Configuring Re d Hat Sate llite with a Cus tom Se rve r Ce rtificate . Revisio n 1-11 Fri Jan 23 20 15 At hene Chan BZ#1184589 Emphas iz e what bas e ope rating s ys te m variants is re quire d for Re d Hat Sate llite . Revisio n 1-10 Fri Jan 23 20 15 Megan Lewis 141 Ins t allat io n Guide BZ#1178176 Corre cte d 40G to 40GB in 4.2.4. Importing Conte nt to a Dis conne cte d Sate llite Se rve r. BZ#1179022 Corre cte d e rrors in e xample s in 5.4. Configuring a Re d Hat Sate llite Caps ule Se rve r. Revisio n 1-9 Fri Jan 23 20 15 At hene Chan BZ#1177568 Re place d the "s e rvice " and "chkconfig" command for chronyd to the re comme nde d "s ys te mctl" command ins te ad. Revisio n 1-8 Wed Jan 21 20 15 David O'Brien BZ 1184306 - Make the re quire me nt for a Bas e ins tall more obvious . Revisio n 1-7 T hu Dec 18 20 14 Megan Lewis BZ#1168273 Corre cte d package name for ins talling puppe t age nt. BZ#1169499 Clarifie d s upporte d Re d Hat Ente rpris e Linux variants in Pre re quis ite s . BZ#1164251 Corre cte d e xample in Adding Life cycle Environme nts to a Re d Hat Sate llite Caps ule Se rve r. BZ#1167904 Adde d chrony and s os into the pre re quis ite s for ins tall. Revisio n 1-6.2 T hu No v 19 20 14 At hene Chan Adde d additional admin and pas s word options to the kate llo-ins talle r. Re move d has he s on the fire wall re quire me nts . Include d re fe re nce s to s upport for s cripting frame works in the Puppe t Supporte d Us age paragraph. Revisio n 1-6.1 Friday No v 14 20 14 BZ#1153567 Adde d a "Caps ule Scalability" s e ction. At hene Chan Revisio n 1-6 T hu No v 13 20 14 At hene Chan BZ#1153564 Adde d a "Ne xt Ste ps " chapte r. BZ#1153772 Adde d fire wall configuration and additional s te ps to e ns ure that the Sate llite Se rve r can go through the HTTP Proxy without is s ue s . BZ#1146574 Change d the gpg file name . Revisio n 1-5 BZ#1132840 BZ#1152630 BZ#1150412 BZ#1143746 T ue No v 11 20 14 At hene Chan Adde d two advance d fire wall cons ide ration table s in the pre re quis ite s . Edite d incorre ct re fe re nce to Re d Hat Ente rpris e Linux 7. Adde d "--comple te -re load" to the fire wall-cmd fire wall commands . Change d incorre ct ce rts -s e rve r-ke y in proce dure 2.4. Revisio n 1-4 Mo n No v 10 20 14 At hene Chan BZ#1152630 Adde d RHEL7 fire wall-cmd command e xample s for the fire wall re quire me nts . Revisio n 1-3 Fri No v 7 20 14 At hene Chan BZ#1161254 Adde d a ne w fire wall rule to the lis t of fire wall rule s to allow kate llo-ins talle r to run afte r initial ins tall. Move d the fire wall rule s to the "Configuring Re d Hat Sate llite " s e ctions to pre ve nt e rrors . Revisio n 1-2.0 2 142 Fri Oct 3 20 14 At hene Chan A ppe ndix B. Re vis io n His t o r y Various e dits from trans lators ' fe e dback. BZ#1147673 Re move d MS DHCP from s upporte d DHCP fe ature s . BZ#1140520 Change d all "ACME_Corporation" e ntrie s to the corre ct de fault organiz ation e ntry "De fault Organiz ation". BZ#1139806 Adde d a note in the Pre re quis ite s s e ctions for Re d Hat Sate llite Se rve r and Re d Hat Sate llite Caps ule Se rve r that the hos t s ys te m has to be update d be fore ins talling Re d Hat Sate llite . BZ#1138430 Change d "yum-config-manage r" to "s ubs cription-manage r" to match the proce dure de s cription to the command block. BZ#1141954 Adde d e xample re pos itorie s to the "Enabling Re d Hat Re pos itorie s " s e ction and a note to e nable RH Common re pos itorie s for clie nt s ys te ms . BZ#1140722 Adde d note to highlight that the command ne e ds to change if the re pos itory is diffe re nt from the e xample command. Revisio n 1-2.0 1 Fri Sep 12 20 14 At hene Chan BZ#1140875 Adde d fire wall rule s afte r the Sate llite Se rve r and Caps ule Se rve r ins tallation. Revisio n 1-2 T hu Sep 11 20 14 At hene Chan BZ#1140422 Change d the re pos itory name s for Re d Hat Sate llite Se rve r and Re d Hat Sate llite Caps ule Se rve r. Revisio n 1-1 Wed Sep 10 20 14 Adde d additional ports in the Pre re quis ite s s e ction. At hene Chan Revisio n 1-0 T ue Sep 9 20 14 Re d Hat Sate llite 6.0 GA Re le as e At hene Chan Revisio n 0 -34 T hu Aug 21 20 14 At hene Chan BZ#1131360 Re place d an option on the command to re fle ct the corre ct one . Revisio n 0 -33 T ue Aug 12 20 14 At hene Chan 143 Ins t allat io n Guide BZ#1130208 Adde d "Re d Hat Software Colle ctions " as a channe l to e nable . BZ#1129104 Add re quire me nt to make port 8080 available for kate llo ins tallation. Update how to configure iptable s accordingly. BZ#1125241 Adde d a note that de fault location and de fault organiz ation can be change d afte r initial configuration. BZ#1044558 Adde d chapte r on http proxy configuration options in kate llo-ins talle r. BZ#1120492 Adde d a note in "Re d Hat Sate llite Se rve r Supporte d Us age " about e mbe dde d tomcat de ployme nts . BZ#1125299 Adde d re fe re nce s to "ne xt s te ps " s e ctions in the "Ins talling Re d Hat Sate llite " chapte r. BZ#1125357 Re move d the de pre cate d re pos itory dire ctorie s . BZ#1121814 Corre cte d the Sate llite Caps ule Se rve r ins talle r option. BZ#1089086 Include d file s iz e re comme ndations in the Pre re quis ite s . BZ#1119866 Adde d the Re d Hat Software Colle ctions package as a re quire d package for the Sate llite Caps ule Se rve r ins tallation. BZ#1118406 Adde d a table of ports , protocols and s e rvice s in the Pre re quis ite s s e ction. BZ#1120855 Various corre ctions on file name s and commands . BZ#1121676 Adde d a note that all hamme r commands are ran on the Sate llite Se rve r. BZ#1113811 Cre ate d the s e ction "Re d Hat Sate llite 6 Supporte d Us age ". BZ#1128922 Adde d a "Re s ults " s ubs e ction. BZ#754728 Adde d s e ctions "Configuring Re d Hat Sate llite with a Cus tom Se rve r Ce rtificate " and "Configuring Re d Hat Sate llite Caps ule Se rve r with a Cus tom Se rve r Ce rtificate " BZ#1122183 Change d the e ntry on Account Us e rname and adde d an e xample for Bas e DN. BZ#1129498 Group iptable s commands for be tte r re adability. Revisio n 0 -32 Fri Jul 11 20 14 At hene Chan BZ#1157545, BZ#115047, BZ#1116471, BZ#1117052, BZ#1117052, BZ#1115065 Minor e dits , s pe lling e rrors and re vis ions to te xt. Revisio n 0 -31 Mo n Jun 30 20 14 Book publis he d for Be ta Re le as e . At hene Chan Revisio n 0 -30 T ue Jun 24 20 14 Se cond te s t bre wing for Be ta. Dan Macpherso n Revisio n 0 -29 Te s t bre wing for Be ta. T ue Jun 24 20 14 Dan Macpherso n Revisio n 0 -28 Fixing minor e rror. Mo n No v 11 20 13 Dan Macpherso n Revisio n 0 -27 Pre paration for MDP2. Mo n 11 No v 20 13 Dan Macpherso n Revisio n 0 -26 Mo n 11 No v 20 13 At hene Chan BZ#1024530, 1027466 Additional e dits to s te ps for Sate llite node s . Revisio n 0 -25 T hu 7 No v 20 13 Megan Lewis BZ#1027461 Adde d s te ps to cre ate activation ke y and re trie ve oauth s e cre t. Adde d note to ve rify node s e xis t. Revisio n 0 -24 144 T hu 7 No v 20 13 At hene Chan A ppe ndix B. Re vis io n His t o r y BZ#1027466 Adde d a s mall s e citon on us ing Sate llite node s . Adde d s ynchroniz ation s te p. Revisio n 0 -23 Wed 30 Oct 20 13 At hene Chan BZ#1024438 change d proce dure s to accommodate yum-utils ins tallation. BZ#1024529 re move d kate llo.yml ins tructions as this is not pre fe rre d way of LDAP configuration. BZ#1024559 Adde d fore man-libvirt to the yum ins tall command. BZ#1024530 Adde d ne w information to the s e ction on Sate llite Node s . Revisio n 0 -22 T ue 29 Oct 20 13 BZ#1024094 yum-utils command update d. At hene Chan Revisio n 0 -21 Wed 0 9 Oct 20 13 Finaliz ing QE re vie w imple me ntation Dan Macpherso n Revisio n 0 -20 Wed 2 Oct 20 13 BZ#1014402 Ins tallation re quire me nts update d. At hene Chan Revisio n 0 -19 Wed 2 Oct 20 13 BZ#1014402 Pre re quis ite s for ins tallation update d. At hene Chan Revisio n 0 -18 T ue 1 Oct 20 13 BZ#1009719, 971944 Minor s pe lling and grammar e dits . At hene Chan Revisio n 0 -17 T hu 19 Sep 20 13 At hene Chan BZ#1009719 Update d the Pre re quis ite s and the ins tall ins tructions . Revisio n 0 -16 T ue 17 Sep 20 13 BZ#971944 Adde d s torage re quire me nts for Sate llite . At hene Chan Revisio n 0 -15 Inte grating QE fe e dback. Megan Lewis Wed 11 Sep 20 13 Revisio n 0 -14 Mo n 12 Aug 20 13 Re moving draft wate rmark. Dan Macpherso n Revisio n 0 -13 Mo n 12 Aug 20 13 Pre paring docume ntation for te chnical re vie w. Dan Macpherso n Revisio n 0 -0 9 T hu 20 June 20 13 Corre ction to re po labe l for ins tallation. Dan Macpherso n Revisio n 0 -0 8 Adde d MDP1 s tatus . Dan Macpherso n T hu 20 June 20 13 Revisio n 0 -0 7 Wed 19 June 20 13 Re vis e d channe l for ins tallation. At hene Chan Revisio n 0 -0 6 T hu 13 June 20 13 At hene Chan Edite d book for grammatical e rrors and s e nte nce s tructure . Revisio n 0 -0 5 T ue 11 June 20 13 At hene Chan 145 Ins t allat io n Guide Adde d Chapte rs for manife s ts and for s ynchroniz ation. Edite d s e ctions bas e d on te chnical re vie w fe e dback. Revisio n 0 -0 4 Fri 31 May 20 13 At hene Chan Change d fie ld name s in the Sate llite :Provis ioning LDAP s e ction. Revisio n 0 -0 3 T hu 30 May 20 13 At hene Chan Re name d all we b application compone nts to the re brande d name s of "Re d Hat Sate llite : Conte nt and Entitle me nt" and "Re d Hat Sate llite : Provis ioning and Configuration". Revisio n 0 -0 2 T ue 28 May 20 13 Incorporate d te chnical re vie w e dits . Update d commands for ins talling Re d Hat Sate llite . Standardiz e d tagging of compone nts . At hene Chan Revisio n 0 -0 1 Initial book cre ation At hene Chan 146 Fri 17 May 20 13