Red Hat Satellite

From Leo's Notes
Last edited on 14 June 2020, at 23:22.

This article will go over content for Red Hat Satellite 6.

Overview

Red Hat Satellite is a management tool that helps system administrators to build and maintain Linux (Red Hat only?) systems.

Satellite has the following components:

  1. Foreman - Open source application used to provision hosts and manage their life cycle using Kickstart and Puppet modules. It also provides historical data on hosts.
  2. Katello - Subscription and repository management. It pulls upstream packages from Red Hat's CDN.
  3. Katello/Pulp - Repository / content management as part of Katello.
  4. Katello/Candlepin - Handles subscription management (to Red Hat's CDN).
  5. Capsule Server - A capsule is a proxy for some of Satellite's services (repository, DNS, DHCP, Puppet master). An integrated capsule server is bundled with a Satellite install, but additional capsule servers can be created to offer HA/redundancy.


Satellite Installation

Satellite should be installed on a clean install of Red Hat Enterprise Linux 6 or 7 on a minimum of:

  • x86_64
  • 2 CPU
  • 12GB RAM
  • 6GB disk (for base install)

Installing using Subscription Manager

If your machine has the proper subscription, Satellite can be installed using subscription-manager.

## Show all subscriptions that are available
# subscription-manager list --available --all
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+

Subscription Name: Red Hat Satellite Subscription
Provides:          Red Hat 
                   Red Hat Satellite Capsule 6
                   Red Hat Enterprise Linux 7
                   Red Hat Satellite 6
SKU:               SKU123456
Pool ID:           e1730d1f4eaa448397bfd30c8c7f3d334bd8b
Available:         6
Suggested:         1
Service Level:     Self-Support
Service Type:      L1-L3
Multi-Entitlement: No
Ends:              01/01/2022
System Type:       Physical

## Attach the subscription to this system
# subscription-manager attach --pool=e1730d1f4eaa448397bfd30c8c7f3d334bd8b
Successfully attached a subscription for: Red Hat Satellite Subscription

## Disable all repositories
# subscription-manager repos --disable "*"
Repo rhel-lb-for-rhel-7-server-eus-rpms is disabled for this system.
Repo rhel-7-server-rhs-client-1-source-rpms is disabled for this system.
Repo rhel-7-server-cf-tools-1-beta-source-rpms is disabled for this system.

## Enable the Red Hat Satellite, Red Hat Enterprise Linux, and Red Hat Software Collections repositories. Make sure the release matches the repo (7 in this case).
# subscription-manager repos --enable rhel-7-server-rpms \
                     --enable rhel-server-rhscl-7-rpms \
                     --enable rhel-7-server-satellite-6.2-rpms
Repo rhel-7-server-rpms is enabled for this system.
Repo rhel-server-rhscl-7-rpms is enabled for this system.
Repo rhel-7-server-satellite-6.2-rpms is enabled for this system.

## Update and install
# yum -y update && yum -y install satellite

Installing from ISO

You can also install Satellite using the ISO image from the Red Hat Customer Portal.

In the Red Hat Satellite training, the ISO can be obtained by running:

# cd /tmp
# wget http://content.example.com/rhsat6.2.1/x86_64/isos/satellite-6.2.1-rhel-7-x86_64-dvd.iso
# mount -o loop /tmp/satellite-6.2.1-rhel-7-x86_64-dvd.iso /mnt/iso
# cd /mnt/iso ; ./install_packages
This script will install the satellite packages on the current machine.
   - Ensuring we are in an expected directory.
   - Copying installation files.
   - Creating a Repository File
   - Creating RHSCL Repository File
   - Checking to see if Katello is already installed.
   - Importing the gpg key.
   - Installation repository will remain configured for future package installs.
   - Installation media can now be safely unmounted.

Install is complete. Please run foreman-installer --scenario katello

Configuring Satellite

After installing Satellite, configure it using the satellite-installer script.

# satellite-installer --scenario satellite --foreman-admin-username admin --foreman-admin-password "Red Hat"
    Installing    Done   [100%] [...................................]
      Success!
      * Satellite is running at https://satellite.lab.example.com
          Initial credentials are admin / Red Hat
      * To install additional capsule on separate machine continue by running:

          capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

      The full log is at /var/log/foreman-installer/satellite.log

The installer will save the installation parameters in /etc/foreman-installer/scenarios.d/satellite-answers.yaml.

If you wish to use satellite-installer with an existing answers file, edit /etc/foreman-installer/scenarios.d/satellite.yaml to point to your answers file, and rerun the satellite-installer.

To reset the admin account password:

# foreman-rake permissions:reset
Reset to user: admin, password: NEW_RANDOMIZED_PASSWORD

Post Installation

The firewall must be configured to allow Satellite services. A firewalld service named RH-Satellite-6 is predefined as part of the package and can be applied using:

# firewall-cmd --add-service=RH-Satellite-6 --permanent
# firewall-cmd --reload

If the Satellite server is also providing DHCP/DNS/TFTP, those ports should also be allowed through using:

# firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" --add-port="67/udp" --add-port="68/udp" --add-port="69/udp"
# firewall-cmd --reload

SELinux must also be set to enforcing:

## Switch to enforcing now; set SELINUX=enforcing in /etc/selinux/config so it persists across reboots
# setenforce 1

Verify Installation

Verify that Satellite is indeed running by accessing http://satellite.example.com.

Ensure that you have the proper entitlements by uploading the subscription manifest (Under 'Content' -> 'Red Hat Subscriptions' -> 'Manage Manifest'). Ensure that the Red Hat CDN URL is valid as well.

Once connected to this Satellite instance, clients will download packages exclusively from the server. Certain packages are required for the clients to work. Ensure that the 'Red Hat Satellite Tools 6.2 (for RHEL 7 Server) (RPMs)' repository is enabled under 'Content' -> 'Red Hat Repositories' -> 'RPMs' -> 'Red Hat Enterprise Linux Server'.

Synchronize all repositories that have been added under 'Content' -> 'Sync Status'.


Capsule Installation

On the satellite server, generate the capsule certificates using the capsule-certs-generate command.

# capsule-certs-generate --capsule-fqdn capsule.lab.example.com --certs-tar ~/capsule.lab.example.com-certs.tar

...

  To finish the installation, follow these steps:

  If you do not have the capsule registered to the Satellite instance, then please do the following:

  1. yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization"

  Once this is completed run the steps below to start the capsule installation:

  1. Ensure that the satellite-capsule package is installed on the system.
  2. Copy /root/capsule.lab.example.com-certs.tar to the system capsule.lab.example.com
  3. Run the following commands on the capsule (possibly with the customized
     parameters, see satellite-installer --scenario capsule --help and
     documentation for more info on setting up additional services):

  satellite-installer --scenario capsule\
    --capsule-parent-fqdn                  "satellite.lab.example.com"\
    --foreman-proxy-register-in-foreman    "true"\
    --foreman-proxy-foreman-base-url       "https://satellite.lab.example.com"\
    --foreman-proxy-trusted-hosts          "satellite.lab.example.com"\
    --foreman-proxy-trusted-hosts          "capsule.lab.example.com"\
    --foreman-proxy-oauth-consumer-key     "S5EVNBrjxaW9qKV7omorF6nU43BjcMMt"\
    --foreman-proxy-oauth-consumer-secret  "Kctj8K26M8yLTTCFtQrWFAyxb28ssHch"\
    --capsule-pulp-oauth-secret            "AFnPpEru7UuwMNGDnjRkzGrVNwTGwA9Q"\
    --capsule-certs-tar                    "/root/capsule.lab.example.com-certs.tar"
  The full log is at /var/log/capsule-certs-generate.log

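Make a note of the satellite-installer command that is generated, as we will need it later to complete the capsule server installation below. The command embeds the OAuth consumer key and secrets, so keep the note where only root can read it.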

Copy the generated tar file containing the certificates to the capsule server, then run the following on the capsule server:

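## Ensure firewall is configured
# for i in 53 67 69 ; do firewall-cmd --permanent --add-port="$i/udp" ; done
# for i in 53 80 443 5647 8000 8140 8443 9090 ; do firewall-cmd --permanent --add-port="$i/tcp" ; done
## --permanent only writes the saved configuration; reload to apply it to the running firewall
# firewall-cmd --reload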

## Install the Katello CA consumer package from the Satellite server
# yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm

## Register the capsule server to the proper organization
# subscription-manager register --org "Default_Organization"
Registering to: satellite.lab.example.com:443/rhsm
Username: admin
Password: Red Hat
The system has been registered with ID: f7855ac5-531a-4b09-bc78-13a11e500e5f

## Install capsule from the ISO image
# wget http://content/rhsat6.2.1/x86_64/isos/satellite-capsule-6.2.1-rhel-7-x86_64-dvd.iso
# mount -o loop satellite-capsule-6.2.1-rhel-7-x86_64-dvd.iso /mnt/iso
# cp /mnt/iso/*repo /etc/yum.repos.d/capsule.repo
## Add 'baseurl=file:///mnt/iso' to the repository file
# vi /etc/yum.repos.d/capsule.repo
# yum -y install satellite-capsule

## Run the installer command noted above.
# satellite-installer --scenario capsule\
	--capsule-parent-fqdn                         "satellite.lab.example.com"\
	--foreman-proxy-register-in-foreman           "true"\
	--foreman-proxy-foreman-base-url              "https://satellite.lab.example.com"\
	--foreman-proxy-trusted-hosts                 "satellite.lab.example.com"\
	--foreman-proxy-trusted-hosts                 "capsule.lab.example.com"\
	--foreman-proxy-oauth-consumer-key            "S5EVNBrjxaW9qKV7omorF6nU43BjcMMt"\
	--foreman-proxy-oauth-consumer-secret         "Kctj8K26M8yLTTCFtQrWFAyxb28ssHch"\
	--capsule-pulp-oauth-secret                   "AFnPpEru7UuwMNGDnjRkzGrVNwTGwA9Q"\
	--capsule-certs-tar                           "/root/capsule.lab.example.com-certs.tar"

Registering Satellite Clients

Clients use subscription-manager to register with the Red Hat Network or with a Satellite server.

## Update subscription manager package
# yum update subscription-manager yum

## Install CA Certificate from the Satellite server:
# yum -y localinstall http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm

## Clear old subscription info
# subscription-manager clean

## Register with an organization by its label name.
# subscription-manager register --org 'Default_Organization'
Username: admin
Password: 
The system has been registered with ID: d56b875c-3017-450f-a438-d5b8db35276e 
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

Once a client is registered to the Satellite Server, it will gain access to repository contents. However, administrators will not yet be able to perform package and errata management on the client from the Satellite web UI. These client management functions require the installation of Katello Agent on the client system.

# yum install katello-agent

The katello-agent package is provided by the 'Red Hat Satellite Tools 6.x' repository. Ensure it's enabled for the client to see it.


Applying Changes

Changes made to a host are applied automatically, but not immediately.

To initiate an update, run on the client:

# subscription-manager refresh


Products / Repositories

A repository contains software packages. Multiple repositories can be grouped together to form a 'product'. Products created under an organization context will only be visible in that organization.

Satellite can:

  • Create custom repositories/products through manual package upload via the web interface
  • Find existing products/packages through the discovery feature
  • Manage GPG keys and host subscriptions automatically.

Third-party repositories can either have their packages copied to an existing product or be cloned as a new product using the Repository Discovery feature.

Repositories with no GPG public key associated will have the gpgcheck option set to disabled.
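
Because a repository without an associated GPG key is delivered to clients with gpgcheck disabled, it is worth auditing what clients actually received. The following is an added example, not part of the original notes or of Satellite itself; the function names and the sample repository IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled yum repositories that do not enforce GPG checking.
# Status "disabled" = explicit gpgcheck off; "unset" = no gpgcheck line, so the
# repo falls back to the [main] setting in /etc/yum.conf.

# audit_gpgcheck FILE... -> one "file:repoid:status" line per finding
audit_gpgcheck() {
    awk '
    function report() {
        if (id == "" || enabled ~ /^(0|no|false)$/) return
        if (gpg == "")                     print file ":" id ":unset"
        else if (gpg !~ /^(1|yes|true)$/)  print file ":" id ":disabled"
    }
    FNR == 1         { report(); id = "" }   # new file: close previous section
    /^[ \t]*[#;]/    { next }                # comment line
    /^[ \t]*\[.*\]/  {                       # [repoid] section header
        report()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        file = FILENAME; enabled = "1"; gpg = ""
        next
    }
    id != "" && /=/  {                       # key = value inside a section
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        val = tolower(val)
        if (key == "enabled")  enabled = val
        if (key == "gpgcheck") gpg = val
    }
    END              { report() }
    ' "$@"
}

# write_sample_repo PATH: constructed .repo content for trying the audit offline
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhel-7-server-rpms]
enabled = 1
gpgcheck = 1

[Example_Org_Custom_Tools]
enabled = 1
gpgcheck = 0

[Example_Org_Disabled]
enabled = 0
gpgcheck = 0

[Example_Org_Unset]
enabled = 1
EOF
}
```

On a registered client, run `audit_gpgcheck /etc/yum.repos.d/*.repo`; every line it prints is a repository whose packages are installed without signature verification unless the global yum setting covers it.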

Lifecycle Environment

Lifecycle Environment Paths is a feature in Satellite that provides a way for administrators to stage software package/errata releases through clearly defined phases.

A lifecycle environment is a stage in a lifecycle path. For example, any one of 'Dev', 'QA', 'Production' would be a lifecycle environment.

An environment path is a sequence of lifecycle environments. All environment paths begin with the 'Library' environment. For example, a path could be: 'Library -> Dev -> QA -> production'.

You may only delete the last lifecycle environment in an environment path.

After creating a lifecycle environment, adding additional hosts using subscription-manager register will require you to provide an environment. Environment names must be given in full.


Bootstrap.py

You can use bootstrap.py from the Katello client bootstrap project to manually register a host and place it in a particular host group in Satellite. This is typically desired if you are deploying a machine not from Kickstart but from something like a virtual machine clone, where the host isn't added to Satellite as part of the post-installation process.

Get the bootstrap.py script from the project at https://github.com/Katello/katello-client-bootstrap. On a host that is to be added to a particular host group in Satellite, run:

# wget https://raw.githubusercontent.com/Katello/katello-client-bootstrap/master/bootstrap.py
# chmod 755 bootstrap.py
# ./bootstrap.py -l admin \
    -s itsosatwebp01.ucalgary.ca \
    -o UofcServers \
    -L Calgary \
    -g vRA \
    -a vRA-EL7-Activation \
    --force

Where:

  • -l - username
  • -s - satellite server
  • -o - Organization
  • -L - Location
  • -g - Host group
  • -a - activation key
  • --force - removes old host if it exists
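
This page downloads three artifacts that are then installed or run as root: the Satellite ISO, the katello-ca-consumer RPM fetched over plain HTTP, and bootstrap.py taken from the master branch. The following added example (not part of the original notes or of either project) checks a download against a pinned SHA-256 before it is used; the function names and the PINNED_SHA256 placeholder are assumptions.

```shell
#!/bin/sh
# Added example: refuse to use a downloaded file unless it matches a pinned SHA-256.
# The pinned digest must come from a trusted channel (computed on the Satellite
# server itself, or taken from a reviewed commit), never from the same HTTP server.

# sha256_of FILE -> lowercase hex digest on stdout
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED -> 0 match, 1 mismatch, 2 bad input
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'DIGEST MISMATCH for %s\n  expected %s\n  actual   %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL EXPECTED DEST -> DEST exists only if the digest matched
fetch_verified() {
    url=$1; pinned=$2; dest=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 2
    if curl -fsSL -o "$tmp" "$url" && verify_sha256 "$tmp" "$pinned"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage on a client (PINNED_SHA256 is a placeholder obtained out of band):
#   fetch_verified http://satellite.lab.example.com/pub/katello-ca-consumer-latest.noarch.rpm \
#       "$PINNED_SHA256" /root/katello-ca-consumer.rpm \
#     && yum -y localinstall /root/katello-ca-consumer.rpm
```

The same call works for bootstrap.py, provided the digest was recorded for the exact revision that was reviewed, since the file on master can change at any time.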

Glossary

Terminology    Definition
Product        A set of repositories makes up a product.
Organization   Satellite lets the administrator restrict policies/packages based on a machine's group. (Similar to what I already do with labs in CPSC).