Red Hat Satellite
This article will go over content for Red Hat Satellite 6.
Red Hat Satellite is a management tool that helps system administrators to build and maintain Linux (Red Hat only?) systems.
Satellite has the following components:
- Foreman - Open Source application used to provision and life cycle manage hosts using kickstart and puppet modules. It also provides historical data on hosts
- Katello - Subscription and repository management. It pulls upstream packages from Red Hat's CDN
- Katello/Pulp - Repository / content management as part of katello
- Katello/Candlepin - handles subscription management (to Red Hat's CDN)
- Capsule Server - A capsule module is a proxy for some of Satellite's services (repository, dns, dhcp, puppet master). An integrated capsule server is bundled with a Satellite install, but additional capsule servers can be created to offer HA/Redundancy.
Satellite should be installed on a clean install of Red Hat Enterprise 6 or 7 on a minimum of:
- 2 CPU
- 12GB RAM
- 6GB disk (for base install)
Installing using Subscription Manager
If your machine has the proper subscription, Satellite can be installed using
## Show all subscriptions that are available # subscription-manager list --available --all +-------------------------------------------+ Available Subscriptions +-------------------------------------------+ Subscription Name: Red Hat Satellite Subscription Provides: Red Hat Red Hat Satellite Capsule 6 Red Hat Enterprise Linux 7 Red Hat Satellite 6 SKU: SKU123456 Pool ID: e1730d1f4eaa448397bfd30c8c7f3d334bd8b Available: 6 Suggested: 1 Service Level: Self-Support Service Type: L1-L3 Multi-Entitlement: No Ends: 01/01/2022 System Type: Physical ## Attach the subscription to this system # subscription-manager attach --pool=e1730d1f4eaa448397bfd30c8c7f3d334bd8b Successfully attached a subscription for: Red Hat Satellite Subscription ## Disable all repositories # subscription-manager repos --disable "*" Repo rhel-lb-for-rhel-7-server-eus-rpms is disabled for this system. Repo rhel-7-server-rhs-client-1-source-rpms is disabled for this system. Repo rhel-7-server-cf-tools-1-beta-source-rpms is disabled for this system. ## Enable the Red Hat Satellite, Red Hat Enterprise Linux, and Red Hat Software Collections repositories. Make sure the release matches the repo (7 in this case). # subscription-manager repos --enable rhel-7-server-rpms \ --enable rhel-server-rhscl-7-rpms \ --enable rhel-7-server-satellite-6.2-rpms Repo rhel-7-server-rpms is enabled for this system. Repo rhel-server-rhscl-7-rpms is enabled for this system. Repo rhel-7-server-satellite-6.2-rpms is enabled for this system. ## Update and install # yum -y update && yum -y install satellite
Installing from ISO
You can also install Satellite using the ISO image from the Red Hat Customer Portal.
In the RedHat Satellite training, the ISO can be obtained by running:
# cd /tmp # wget http://content.example.com/rhsat6.2.1/x86_64/isos/satellite-6.2.1-rhel-7-x86_64-dvd.iso
# mount -o loop /tmp/satellite-6.2.1-rhel-7-x86_64-dvd.iso /mnt/iso # cd /mnt/iso ; ./install_packages This script will install the satellite packages on the current machine. - Ensuring we are in an expected directory. - Copying installation files. - Creating a Repository File - Creating RHSCL Repository File - Checking to see if Katello is already installed. - Importing the gpg key. - Installation repository will remain configured for future package installs. - Installation media can now be safely unmounted. Install is complete. Please run foreman-installer --scenario katello
After installing Satellite, configure it using the
satellite-installer --scenario satellite --foreman-admin-username admin --foreman-admin-password Red Hat Installing Done [100%] [...................................] Success! * Satellite is running at https://satellite.lab.example.com Initial credentials are admin / Red Hat * To install additional capsule on separate machine continue by running: capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar" The full log is at /var/log/foreman-installer/satellite.log
The installer will save the installation parameters in
If you wish to use
satellite-installer with an existing answers file, edit
/etc/foreman-installer/scenarios.d/satellite.yaml to point to your answers file, and rerun the
To reset the admin account password:
# foreman-rake permissions:reset Reset to user: admin, password: NEW_RANDOMIZED_PASSWORD
Firewall must be configured to allow satellite services. A service
RH-Satellite-6 is predefined as part of the package and can be applied using:
# firewall-cmd --add-service=RH-Satellite-6 --permanent # firewall-cmd --reload
If the Satellite server is also providing DHCP/DNS/TFTP, those ports should also be allowed through using:
# firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" --add-port="67/udp" --add-port="68/udp" --add-port="69/udp" # firewall-cmd --reload
SELinux must also be set to enforcing:
# selinux --enforcing
Verify that Satellite is indeed running by accessing http://satellite.example.com.
Ensure that you have the proper entitlements by uploading the subscription manifest (Under 'Content' -> 'Red Hat Subscriptions' -> 'Manage Manifest'). Ensure that the Red Hat CDN URL is valid as well.
Clients once connected to this Satellite instance will download packages exclusively from the server. Certain packages are required for the clients to work. Ensure that the 'Red Hat Satellite Tools 6.2 (for RHEL 7 Server) (RPMs)' repository is enabled under 'Content' -> 'Red Hat Repositories' -> 'RPMs' -> 'Red Hat Enterprise Linux Server'.
Synchronize all repositories that have been added under 'Content' -> 'Sync Status'.
On the satellite server, generate the capsule certificates using the
# capsule-certs-generate --capsule-fqdn capsule.lab.example.com --certs-tar ~/capsule.lab.example.com-certs.tar ... To finish the installation, follow these steps: If you do not have the capsule registered to the Satellite instance, then please do the following: 1. yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm 2. subscription-manager register --org "Default_Organization" Once this is completed run the steps below to start the capsule installation: 1. Ensure that the satellite-capsule package is installed on the system. 2. Copy /root/capsule.lab.example.com-certs.tar to the system capsule.lab.example.com 3. Run the following commands on the capsule (possibly with the customized parameters, see satellite-installer --scenario capsule --help and documentation for more info on setting up additional services): satellite-installer --scenario capsule\ --capsule-parent-fqdn "satellite.lab.example.com"\ --foreman-proxy-register-in-foreman "true"\ --foreman-proxy-foreman-base-url "https://satellite.lab.example.com"\ --foreman-proxy-trusted-hosts "satellite.lab.example.com"\ --foreman-proxy-trusted-hosts "capsule.lab.example.com"\ --foreman-proxy-oauth-consumer-key "S5EVNBrjxaW9qKV7omorF6nU43BjcMMt"\ --foreman-proxy-oauth-consumer-secret "Kctj8K26M8yLTTCFtQrWFAyxb28ssHch"\ --capsule-pulp-oauth-secret "AFnPpEru7UuwMNGDnjRkzGrVNwTGwA9Q"\ --capsule-certs-tar "/root/capsule.lab.example.com-certs.tar" The full log is at /var/log/capsule-certs-generate.log
Make a note of the
satellite-installer command that is generated as we will need it later to complete the capsule server installation below.
Copy the generated tar file containing the certificates to the capsule server, then run the following on the capsule server:
## Ensure firewall is configured # for i in 53 67 69 ; do firewall-cmd --permanent --add-port="$i/udp" ; done # for i in 53 80 443 5647 8000 8140 8443 9090 ; do firewall-cmd --permanent --add-port="$i/tcp" ; done ## Install katello from the satellite server # yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm ## Register the capsule server to the proper organization # subscription-manager register --org "Default_Organization" Registering to: satellite.lab.example.com:443/rhsm Username: admin Password: Red Hat The system has been registered with ID: f7855ac5-531a-4b09-bc78-13a11e500e5f ## Install capsule from the ISO image # wget http://content/rhsat6.2.1/x86_64/isos/satellite-capsule-6.2.1-rhel-7-x86_64-dvd.iso # mount -o loop satellite-capsule-6.2.1-rhel-7-x86_64-dvd.iso /mnt/iso # cp /mnt/iso/*repo /etc/yum.repos.d/capsule.repo ## Add 'baseurl=file:///mnt/iso' to the repository file # vi /etc/yum.repos.d/capsule.repo # yum -y install satellite-capsule ## Run the installer command noted above. # satellite-installer --scenario capsule\ --capsule-parent-fqdn "satellite.lab.example.com"\ --foreman-proxy-register-in-foreman "true"\ --foreman-proxy-foreman-base-url "https://satellite.lab.example.com"\ --foreman-proxy-trusted-hosts "satellite.lab.example.com"\ --foreman-proxy-trusted-hosts "capsule.lab.example.com"\ --foreman-proxy-oauth-consumer-key "S5EVNBrjxaW9qKV7omorF6nU43BjcMMt"\ --foreman-proxy-oauth-consumer-secret "Kctj8K26M8yLTTCFtQrWFAyxb28ssHch"\ --capsule-pulp-oauth-secret "AFnPpEru7UuwMNGDnjRkzGrVNwTGwA9Q"\ --capsule-certs-tar "/root/capsule.lab.example.com-certs.tar"
Registering Satellite Clients
Clients use the
subscription-manager to register with the Red Hat Network or to a Satellite server.
## Update subscription manager package # yum update subscription-manager yum ## Install CA Certificate from the Satellite server: # yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm ## Clear old subscription info # subscription-manager clean ## Register with an organization by its label name. # subscription-manager register --org 'Default_Organization' Username: admin Password: The system has been registered with ID: d56b875c-3017-450f-a438-d5b8db35276e Installed Product Current Status: Product Name: Red Hat Enterprise Linux Server Status: Subscribed
Once a client is registered to the Satellite Server, it will gain access to repository contents. However, administrators will not yet be able to perform package and errata management on the client from the Satellite web UI. These client management functions require the installation of Katello Agent on the client system.
# yum install katello-agent
katello-agent package is provided by the 'Red Hat Satellite Tools 6.x' repository. Ensure it's enabled for the client to see it.
Changes made to a host will be automatically applied but not immediately.
To initiate an update, run on the client:
# subscription-manager refresh
Products / Repositories
A repository contains software packages. Multiple repositories can be grouped together to form a 'product'. Products created under an organization context will only be visible in that organization.
- Create custom repositories/products through manual package upload via the web interface
- Find existing products/packages through the discovery feature
- Manage GPG keys and host subscriptions automatically.
3rd party repositories can either have their packages copied to an existing product or cloned as a new product using the Repository Discovery feature.
Repositories with no GPG public key associated will have the
gpgcheck option set to disabled.
Lifecycle Environment Paths is a feature in Satellite that provides a way for administrators to staging software package/errata releases through clearly defined phases.
A lifecycle environment is a stage in a lifecycle path. For example, any one of 'Dev', 'QA', 'Production' would be a lifecycle environment.
An environment path is a sequence of lifecycle environments. All environment paths begin with the 'Library' environment. For example, a path could be: 'Library -> Dev -> QA -> production'.
You may only delete the last lifecycle environment in an environment path.
After creating a lifecyce environment, adding additional hosts using
subscription-manager register will require you to provide an environment. Environment names must be given in full
You can use the katello client bootstrap project's
bootstrap.py to manually register and place a host to a particular host group in Satellite. This is typically desired if you are deploying a machine not from kickstart but from something like a virtual machine clone and the host isn't added to Satellite as part of the post-installation process.
bootstrap.py script from the project at https://github.com/Katello/katello-client-bootstrap. On a host that is to be added to a particular host group in Satellite, run:
# wget https://raw.githubusercontent.com/Katello/katello-client-bootstrap/master/bootstrap.py # chmod 755 bootstrap.py # ./bootstrap.py -l admin \ -s itsosatwebp01.ucalgary.ca \ -o UofcServers \ -L Calgary \ -g vRA \ -a vRA-EL7-Activation \ --force
-s- satellite server
-g- Host group
-a- activation key
--force- removes old host if it exists
|Product||A set of repositories makes up a product|
|Organization||Satellite lets the administrator restrict policies/packages based on a machine's group. (Similar to what I already do with labs in CPSC).|