Configuring Red Hat Satellite 6 for hosting firmware updates from the Linux Vendor Firmware Service


Overview

The Linux Vendor Firmware Service (LVFS) is a secure portal that allows hardware vendors to upload firmware updates. The site is used by all major Linux distributions to provide metadata for clients such as fwupdmgr and GNOME Software. Red Hat does not distribute these firmware updates as official content, as they tend not to be in RPM form, contain binary blobs without access to the source code, and are updated very frequently by vendors. Also, some customers want the ability to host the updates for clients that are not allowed to update directly from the public internet. This document offers a workflow that allows Red Hat Satellite to synchronize content from the LVFS as well as act as the source for client updates.

Requirements

Firmware updates are not pushed to clients using the normal errata/RPM-based workflow. Instead, the clients run fwupdmgr commands, which download and install the firmware. Normally, fwupd is set to pull content from https://fwupd.org/, but the agent can be set to pull from other locations as well. On Red Hat Enterprise Linux or on Fedora, this functionality is part of the fwupd package.

The easiest path forward is for the Satellite server to have full internet access, but one can also manually download the required firmware packages and transfer them over to the Satellite server if it's running in disconnected mode. Please follow only ONE of the instruction sets below (depending on whether you are using a connected or disconnected Satellite) and then jump down to Client Configuration.

Configuring a connected Satellite

We will be following the procedure on Creating a Custom File Type Repository from the product documentation for Satellite. We will demonstrate using the hammer commands.

  • List your organizations, as you will need the org name to proceed. Also, if you need to assign a sync plan, list those as well.

    [root@gagarin ~]# hammer organization list
    ---|-----------|-----------|-------------|----------
    ID | TITLE     | NAME      | DESCRIPTION | LABEL    
    ---|-----------|-----------|-------------|----------
    3  | testorg   | testorg   |             | testorg  
    1  | unclemarc | unclemarc |             | unclemarc
    ---|-----------|-----------|-------------|----------
    [root@gagarin ~]# 
    
    [root@gagarin ~]# hammer sync-plan list --organization "unclemarc"
    ---|---------|---------------------|----------|---------|-----------------|-------------------
    ID | NAME    | START DATE          | INTERVAL | ENABLED | CRON EXPRESSION | RECURRING LOGIC ID
    ---|---------|---------------------|----------|---------|-----------------|-------------------
    1  | nightly | 2017/11/21 08:06:00 | daily    | yes     |                 | 4                 
    ---|---------|---------------------|----------|---------|-----------------|-------------------
    
  • Create a new custom product. Replace the sync-plan and organization values with the ones on your Satellite. For example, on our lab server:

    # hammer product create \
    --name "fwupdates" \
    --sync-plan "nightly" \
    --description "LVFS updates" \
    --organization "unclemarc"
    
  • Create the actual repository. The URL should point to https://cdn.fwupd.org/downloads/

    # hammer repository create \
    --name "fwupdates" \
    --content-type "file" \
    --product "fwupdates" \
    --organization "unclemarc" \
    --publish-via-http "true" \
    --url "https://cdn.fwupd.org/downloads/"
    
  • Synchronize the repository. This may take quite a while, depending upon the speed of the Satellite's internet connection.

    [root@gagarin ~]# hammer repository synchronize --product "fwupdates" --name "fwupdates" --organization "unclemarc"
    [.......................................................................] [100%]
    New Files: 1916
    
  • Examine the repository to see if it has content as well as to determine the path where it is published. We need this path to configure the client.

    [root@gagarin ~]# hammer repository info --organization "unclemarc" --name "fwupdates" --product "fwupdates"
    ID:                 915
    Name:               fwupdates
    Label:              fwupdates
    Organization:       unclemarc
    Red Hat Repository: no
    Content Type:       file
    Mirror on Sync:     yes
    URL:                https://cdn.fwupd.org/downloads/
    Publish Via HTTP:   yes
    Published At:       http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/
    Relative Path:      unclemarc/Library/custom/fwupdates/fwupdates
    Download Policy:    
    HTTP Proxy:         
        HTTP Proxy Policy: global_default_http_proxy
    Product:            
        ID:   66
        Name: fwupdates
    GPG Key:            
    
    Sync:               
        Status:         Success
        Last Sync Date: 1 day
    Created:            2020/07/09 15:00:19
    Updated:            2020/07/09 15:00:24
    Content Counts:     
        Files: 1916
    

    In this case, the files will be available from http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/. That path will be used in the section Client Configuration.

Configuring a disconnected Satellite

We will be following the procedure on Creating a Custom File Type Repository in a Local Directory from the product documentation for Satellite. We will also be using a custom Python script to download the firmware content so it can be transferred to a local directory.

  • The Satellite will require the Pulp Manifest package. Make sure that it has access to the installation media and then perform the install step.

    Note: This will NOT interrupt Satellite services. Therefore, it should not cause any downtime for clients.

    # foreman-maintain packages unlock
    # yum install python-pulp-manifest -y
    # foreman-maintain packages lock
    
  • Download the synchronization script used to pull the firmware and supporting files from the LVFS site.

  • On an Internet connected machine, start the sync process. This may take quite a bit of time, depending on the speed of the connection. Assuming that the script is in the /tmp directory, the following commands would work.

    chmod 755 /tmp/sync-pulp.py
    mkdir /firmware
    /tmp/sync-pulp.py https://cdn.fwupd.org/downloads /firmware
    
  • Copy the contents of /firmware to a USB drive or some other media that can be mounted on the Satellite server.

  • Create a directory on the Satellite server under the shared web space. Copy the contents of the firmware over (assuming mounted at /mnt/firmware).

    mkdir /var/www/html/pub/fw
    cp -R /mnt/firmware/. /var/www/html/pub/fw/
    
  • Build a new manifest for the firmware repo. IMPORTANT: This step must be performed every time new content is added.

    /usr/bin/pulp-manifest /var/www/html/pub/fw
    
  • List your organizations, as you will need the org name to proceed.

    [root@gagarin ~]# hammer organization list
    ---|-----------|-----------|-------------|----------
    ID | TITLE     | NAME      | DESCRIPTION | LABEL    
    ---|-----------|-----------|-------------|----------
    3  | testorg   | testorg   |             | testorg  
    1  | unclemarc | unclemarc |             | unclemarc
    ---|-----------|-----------|-------------|----------
    [root@gagarin ~]# 
    
  • Create a new custom product. Replace the organization value with the one on your Satellite. For example, on our lab server:

    # hammer product create \
    --name "fwupdates" \
    --description "LVFS updates" \
    --organization "unclemarc"
    
  • Create the actual repository. The URL is going to be http://your_satellite_name/pub/fw (path based on our example so far)

    # hammer repository create \
    --name "fwupdates" \
    --content-type "file" \
    --product "fwupdates" \
    --organization "unclemarc" \
    --publish-via-http "true" \
    --url "http://gagarin.unclemarc.local/pub/fw"
    
  • Synchronize the repository.

    [root@gagarin ~]# hammer repository synchronize --product "fwupdates" --name "fwupdates" --organization "unclemarc"
    [.......................................................................] [100%]
    New Files: 1916
    
  • Examine the repository to see if it has content as well as to determine the path where it is published. We need this path to configure the client.

    [root@gagarin ~]# hammer repository info --organization "unclemarc" --name "fwupdates" --product "fwupdates"
    ID:                 915
    Name:               fwupdates
    Label:              fwupdates
    Organization:       unclemarc
    Red Hat Repository: no
    Content Type:       file
    Mirror on Sync:     yes
    URL:                http://gagarin.unclemarc.local/pub/fw
    Publish Via HTTP:   yes
    Published At:       http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/
    Relative Path:      unclemarc/Library/custom/fwupdates/fwupdates
    Download Policy:    
    HTTP Proxy:         
        HTTP Proxy Policy: global_default_http_proxy
    Product:            
        ID:   66
        Name: fwupdates
    GPG Key:            
    
    Sync:               
        Status:         Success
        Last Sync Date: 1 day
    Created:            2020/07/09 15:00:19
    Updated:            2020/07/09 15:00:24
    Content Counts:     
        Files: 1916
    

    In this case, the files will be available from http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/. That path will be used in the section Client Configuration.
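
An added example, not part of the original article or of Pulp: a check to run on the Satellite before each synchronize, to catch a PULP_MANIFEST that was not rebuilt after content changed (the IMPORTANT step above). It compares every `name,sha256,size` line in the manifest with the file on disk and reports files that are absent, altered or not listed. The function name is hypothetical and file names are assumed to contain no commas.

```shell
# Added example: detect a stale or inconsistent PULP_MANIFEST.
# Usage: verify_pulp_manifest /var/www/html/pub/fw
# Returns 0 if manifest and directory agree, 1 on any mismatch,
# 2 if the directory has no readable manifest.
verify_pulp_manifest() {
    dir=$1; manifest="$dir/PULP_MANIFEST"; rc=0
    [ -r "$manifest" ] || { echo "NOMANIFEST $dir"; return 2; }

    # 1. Every listed file must exist with the recorded size and digest.
    while IFS=, read -r name sum size; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "ABSENT   $name"; rc=1; continue
        fi
        if [ "$(wc -c < "$dir/$name" | tr -d ' ')" != "$size" ]; then
            echo "SIZE     $name"; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || { echo "DIGEST   $name"; rc=1; }
    done < "$manifest"

    # 2. Every file on disk must be listed. An unlisted file will not be
    #    synchronized until pulp-manifest has been run again.
    unlisted=$(cd "$dir" && find . -type f ! -name PULP_MANIFEST |
        sed 's|^\./||' | while IFS= read -r f; do
            cut -d, -f1 PULP_MANIFEST | grep -qxF -- "$f" || echo "UNLISTED $f"
        done)
    [ -z "$unlisted" ] || { echo "$unlisted"; rc=1; }
    return "$rc"
}
```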

Client Configuration

  • Ensure that the client has the fwupd package installed. If not, install it using yum or DNF.

    [mrichter@tammit ~]$ rpm -q fwupd
    fwupd-1.4.4-1.fc32.x86_64
    
  • Once fwupd is installed, create a configuration file in /etc/fwupd/remotes.d/. fwupd will default to using lvfs.conf, so you will need to either delete that file or set Enabled=false in it.

  • The two lines that point to the Satellite repository are MetadataURI= and FirmwareBaseURI=.

  • FirmwareBaseURI= is just the path from "Published At:" from our procedure above.
  • MetadataURI= is the "Published At:" path with /firmware.xml.gz added to the end. This file has the catalog of available firmware and is needed by fwupd to process requests.

    [mrichter@tammit ~]$ cd /etc/fwupd/remotes.d/
    [mrichter@tammit remotes.d]$ ls
    dell-esrt.conf  gagarin.conf  lvfs.conf  lvfs-testing.conf  vendor.conf  vendor-directory.conf
    [mrichter@tammit remotes.d]$ cat gagarin.conf
    [fwupd Remote]
    
    # this remote provides metadata and firmware marked as 'stable' from the LVFS, mirrored to gagarin
    Enabled=true
    Type=download
    MetadataURI=http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/firmware.xml.gz
    FirmwareBaseURI=http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates
    
  • To test the configuration file, issue the command fwupdmgr refresh --force. If all is well, you will see files fetched from the local Satellite as well as a count of supported devices.

    [mrichter@tammit ~]$ fwupdmgr refresh --force
    Fetching signature http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/firmware.xml.gz.jcat
    Downloading…             [***************************************]
    Fetching metadata http://gagarin.unclemarc.local/pulp/isos/unclemarc/Library/custom/fwupdates/fwupdates/firmware-00681-stable.xml.gz
    Downloading…             [***************************************]
    Successfully downloaded new metadata: 4 local devices supported
    [mrichter@tammit ~]$ 
    
  • To actually perform firmware updates, issue the fwupdmgr update command. NOTE: This often requires restarting the system and can result in loss of data if interrupted. Please be sure to have a good system backup and follow all prompts and instructions.

    [mrichter@tammit ~]$ fwupdmgr update
    • Thunderbolt Controller has the latest available firmware version
    • Lenovo ThinkPad Dock has no available firmware updates
    • Lenovo ThinkPad Dock has no available firmware updates
    • Embedded Controller has the latest available firmware version
    • Intel Management Engine has the latest available firmware version
    • SAMSUNG MZVLW256HEHP-000L7 has no available firmware updates
    • System Firmware has the latest available firmware version
    • UEFI Device Firmware has no available firmware updates
    • VMM2322 has no available firmware updates
    [mrichter@tammit ~]$ 
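
An added example, not part of the original article: helpers that build the remote file directly from the "Published At:" value reported by hammer instead of retyping the path, check an existing remote file against that value, and list which remotes in a directory are still enabled. All function names are hypothetical; only the keys shown in gagarin.conf above are written.

```shell
# Added example. Typical use:
#   url=$(hammer repository info --organization ORG --name NAME --product PROD | published_at)
#   render_remote "$url" > /etc/fwupd/remotes.d/satellite.conf
#   check_remote /etc/fwupd/remotes.d/satellite.conf "$url" && echo consistent
#   enabled_remotes /etc/fwupd/remotes.d     # lvfs.conf should not appear

published_at() {
    # Print the value of the "Published At:" field from hammer output on stdin.
    sed -n 's/^[[:space:]]*Published At:[[:space:]]*//p' | head -n 1
}

render_remote() {
    # $1 = "Published At" URL. Trailing slashes are dropped so that both
    # URIs are built from exactly the same base path.
    base=$1
    while [ "${base%/}" != "$base" ]; do base=${base%/}; done
    cat <<EOF
[fwupd Remote]
Enabled=true
Type=download
MetadataURI=$base/firmware.xml.gz
FirmwareBaseURI=$base
EOF
}

check_remote() {
    # $1 = remote .conf file, $2 = "Published At" URL. Succeeds only if the
    # file's two URI lines are exactly the ones render_remote would write.
    want=$(render_remote "$2" | grep 'URI=' | sort)
    have=$(grep -E '^(MetadataURI|FirmwareBaseURI)=' "$1" | sort)
    [ "$want" = "$have" ]
}

enabled_remotes() {
    # Print the file names of remotes in directory $1 with Enabled=true.
    grep -l -i '^Enabled=true' "$1"/*.conf 2>/dev/null | sed 's|.*/||'
}
```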
    
