Satellite 6 Ask Me Anything FAQ
As promised, listed below are the responses to the questions we received in our Jan 2017 Satellite Ask Me Anything session. We are running another Ask Me Anything on 14 Feb, so feel free to join us again.
Question: On the subscription comments... you have to give it a subscription id with hammer. I have a bunch of VMs that came in with the wrong license that should be under the datacenter model. The only way I've found to fix this through the UI is to remove the subscription and then run auto attach. Shouldn't auto attach fix this on its own? Or virt-who fix it? Is there a way for me to do this in bulk?
Answer: Generally speaking, once a system has a valid subscription, the tools do not modify it. You can solve this in one of two manners:
- Remove the subscription from the guest and do nothing. Within the rhsmcertd check-in interval, the guest will consume its hypervisor's subscription (assuming it has been reported via virt-who).
- Remove the subscription from the guest, and run auto-attach. With Satellite 6.2.2 and newer, you can do this ‘en masse’ for large numbers of hosts if needed.
Question: How have subscriptions been remedied in 6.2? I'm currently looking into the upgrade as I have clients losing repo subscriptions.
Answer: With Satellite 6.2.2 and newer, a number of tools were added to improve the subscription experience:
- New CLI tooling to attach subscriptions to hosts (via hammer host)
- New GUI tooling to perform subscription actions (run auto-attach, attach a specific subscription) on large numbers of hosts
- New CLI tooling to import/export subscription status as a CSV file (for reporting, or modification).
These are documented in Subscription-manager for the former Red Hat Network User: Part 6 - understanding and improving the renewal experience
Question: How would I get a report out of Satellite mapping Guests to Hypervisors? The link I know is virt-who.....
Answer: Assuming you are on Satellite 6.2.2 or newer, ‘hammer csv’ is the best command for this. Earlier versions of Satellite (6.0 -> 6.2.1) can use sat6Inventory
Question: How do we start candlepin service and what is it for?
Answer: Candlepin does entitlement management in Satellite 6. It tracks subscriptions and issues entitlement certificates (which provide access to content). Candlepin is started by default, as it is a core part of the product.
Question: Is there a way to declare a hypervisor node on Satellite to benefit from a datacenter licence without using virt-who?
Answer: Subscriptions that require virt-who have to be used with virt-who as the host/guest mapping needs to be created first.
Question: Are there improvements in virt-who+candlepin coming in 6.3? We currently have a problem (on 6.2.2) where one of our vCenters has >80 hypervisors and more than a thousand linux servers (in Satellite): Candlepin uses more than 4 minutes chewing through the host-to-guest mapping.
Answer: There are a number of improvements that you should see in Satellite 6.2 regarding virt-who’s efficiency in larger environments. As virt-who is a critical piece of the subscription toolkit, fixes that impact customers are delivered asynchronously and aren’t always aligned with a product release.
Question: If I'm having subscription issues, should I simply upgrade from 6.1.9 to 6.2.x or should I build a new environment fresh with 6.2.x?
Answer: This is a matter of choice. The upgrade from 6.1.9 to 6.2.x is a supported method. If you want to build a 6.2 instance and move the clients over, the bootstrap script can do this for you.
CONTENT/HOW TO USE
Question: is there an easy way to make a content view only contain the most recent rpms instead of all of them?
Answer: Not currently.
Question: I have been looking at Pulp, Katello, and Sat 6 as possible solutions. My question is, can I import non-RHSM channel RPMs into Sat 6 (like OEL (sorry not my choice ...) or Oracle ASMLib for our older RHEL servers)? In this area, Pulp appears to be maybe easier to work with?
Answer: Satellite 6 includes Pulp as a core component, so the underlying tooling is the same. Satellite 6 can import RPMs from non Red Hat sources, and this is described in our content management guide (https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/content-management-guide/chapter-5-importing-custom-content).
Question: I would like to know how to stand up an automated patching methodology and timetable. Additionally, I'd like to know, if I am subscribed to the 7Server repo, how do I restrict my clients to just 7.2 (now that 7.3 is released)
Answer: Restricting clients to a specific release can be done in one of two ways:
- Using content view filters
- Using the special dot-release repos (7.1, 7.2, etc)
Best practices for each repository type are described in Understanding Red Hat Content Delivery Network Repositories and their usage with Satellite 6
Question: I look at my Sync Status and it says I have new packages for a product e.g. RHEL EPEL had 104 (71.5 MB) last sync. How do I see exactly what packages were updated?
Answer: Today, the best way to accomplish this is to increase pulp’s logging verbosity (in /etc/pulp/server.conf or via ‘hammer admin logging’); the RPMs that are downloaded are then logged via syslog.
We have an outstanding RFE to improve this and deliver this information via an email report, similar to what we do for errata.
Question: What's the best practice on CVs to create say a 7 server CV that contains, optional, extras etc + Oracle Java for RHEL Server
Answer: A content view, at its core, is ‘a grouping of repositories that are managed together’. As Optional, Extras and Oracle Java are all additional repositories for the Base Operating System, it makes sense to combine them into a single CV.
Question: I'm new to Sat 6 and am having trouble mapping the DevOps environment in Sat 6.x, into our current Sat 5 environment. We just need Satellite in order to manage/patch our Linux systems without the overhead of DevOps. Is that possible in Satellite 6?
Answer: It depends on the use case. Some customers have rather structured workflows with the desire to move content through a lifecycle (Dev->Test->Prod). Others want a more relaxed workflow of “freeze a content view at a point in time”. Others want just access to the repositories, without freezing the content. Satellite supports all of these workflows.
Question: I have a CV with custom products and RH errata excluding a date. A critical errata comes out which I want to add - I create an incremental view, eg version 10.1. I then want to add RPMs to the custom product. If I publish the view - version 11.0 - will it contain my critical errata added in 10.1?
Answer: No. Content view versions do not ‘carry over’ changes made via an incremental update between versions. Thus, in the scenario above, the administrator must explicitly ensure that the errata that were incrementally added are included in the new version.
Question: What's your recommendation about the creation of content views when satellite manage hundred servers ? Per project ? Per OS ? Per product ?
Answer: Content views are ‘groupings of repositories that share a similar lifecycle’. Generally, you’d have a small number of CVs that represent a base OS, and additional CVs to represent layered or 3rd party applications. Lastly, you’d use composite views to combine specific versions (say, v4.0 of your RHEL6 CV + v2.0 of your web stack = v1 of the RHEL6 + LAMP CCV).
Question: How would I get a report out of Satellite mapping Guests to Hypervisors?
Answer: Assuming you are on Satellite 6.2.2 or newer, ‘hammer csv’ is the best command for this. Earlier versions of Satellite (6.0 -> 6.2.1) can use sat6Inventory (https://github.com/RedHatSatellite/sat6Inventory).
Question: What is the recommended way to register host to Satellite 6 which wasn't provisioned from it ?
Answer: The bootstrap script is the recommended way to register a host that wasn’t provisioned from Satellite.
Question: When would you use Composite Content View and when just Content View ?
Answer: Composite Content Views are useful when you have two types of content that are on different lifecycles. For example, your operating system is generally fairly static, but you may have content such as a line-of-business (LOB) application which develops on a different cadence. Composite Content Views allow you to match (for example) version 2.0 of your RHEL7 Operating System Build with version 52 of your LOB app to create version 1.0 of your ‘RHEL7 + App’ Composite Content View.
Question: We have Satellite 5.6, with a dev, stage and production groups, we plan to migrate to satellite 6.2, what would the transition process look like? Would we be able to use the same groups we have? what impact and updates would we need to do for the client servers?
Answer: Transition is pretty straightforward.
Firstly, you’d get your transition subscriptions from the transition landing page. This allows you to build your Satellite 6 infrastructure in parallel to your Satellite 5. Next, you’d set up your Satellite using the best practices for Satellite 6, such as via the 10 Steps to an SOE guide.
As far as grouping, Satellite 6 has Host collections, which are a direct equivalent to Satellite 5’s system groups. Additionally Satellite 6 has powerful searching allowing you to arbitrarily group systems and perform actions against them.
Regarding the clients, once you have Satellite 6 configured to your liking, use the bootstrap script to migrate them.
Question: In Sat 5 I could assign servers to any cloned channel (very flexible approach). In Sat 6 I am forced to move along environment paths (i.e. dev->test->uat->preprod->prod ). (Am I ?) Is there any way to have the flexibility from Sat 5 ?
Answer: Yes. With Satellite 6, you effectively have two models to manage content for your systems. Customers usually fall into one of two disciplines:
- define the workflow and move content to the systems.
- define the content and create a workflow to move the systems to the content.
The former uses lifecycle environments; the latter does not. If you are interested in doing the latter, you could (as an example):
- create a content view named Q1_2016 with appropriate filters for Q1.
- publish Q1_2016 view to the library
- assign whatever systems to that view using hammer host update
...90 days later:
- create a content view named Q2_2016 with appropriate filters for Q2.
- publish Q2_2016 view.
- assign whatever systems to that view.
Repeat as necessary
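The quarterly workflow above, sketched as an added example (not part of the original FAQ or any Red Hat tooling). The organization name, repository IDs, host list file and filter name are assumptions, the date freeze is implemented here as an erratum exclusion filter, and the hammer flags follow the Satellite 6.2 CLI, so confirm them with `hammer <command> --help` on your version:

```shell
#!/bin/sh
# Added example: freeze a content view at a quarter boundary and move hosts to it.
# ORG and REPO_IDS are assumed values; replace them with your own.
ORG=${ORG:-Example_Org}
REPO_IDS=${REPO_IDS:-1,2}

# Print the hammer command (DRY_RUN=1, the default) or execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "hammer $*"; else hammer "$@" </dev/null; fi
}

# quarter_view <view-name> <first-day-of-next-quarter YYYY-MM-DD> <hosts-file>
quarter_view() {
    cv=$1; cutoff=$2; hosts=$3
    case $cutoff in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "cutoff must be YYYY-MM-DD" >&2; return 2 ;;
    esac
    [ -r "$hosts" ] || { echo "cannot read $hosts" >&2; return 2; }

    run content-view create --organization "$ORG" --name "$cv" \
        --repository-ids "$REPO_IDS" || return 1
    # Exclude errata dated from the cutoff onward; older content stays in the view.
    run content-view filter create --organization "$ORG" --content-view "$cv" \
        --name "freeze-$cutoff" --type erratum --inclusion false || return 1
    run content-view filter rule create --organization "$ORG" --content-view "$cv" \
        --content-view-filter "freeze-$cutoff" --start-date "$cutoff" \
        --types security,bugfix,enhancement || return 1
    # Publishing places the new version of the view in the Library environment.
    run content-view publish --organization "$ORG" --name "$cv" || return 1

    # One host name per line; blank lines and '#' comments are skipped.
    while read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        run host update --organization "$ORG" --name "$host" \
            --lifecycle-environment Library --content-view "$cv" || return 1
    done < "$hosts"
}
```

With the default `DRY_RUN=1` the function only prints the commands, for example `quarter_view Q1_2016 2016-04-01 hosts.txt`; set `DRY_RUN=0` on the Satellite server to execute them.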
Question: have any tips/hints for least painful ways to port/migrate snippets from Sat 5.x to Sat 6.x to maintain functionality/investment in work we have already done? Sat trans guide was not a lot of help or the way it is described did not import cleanly into Sat 6
SECURITY & COMPLIANCE
Question: Do you have any good resources for openscap? Setup/content sources.
Answer: The scap-security-guide, which is shipped in Red Hat Enterprise Linux, contains a number of good baseline policies for SCAP. Satellite uses these by default.
Question: How do you customize compliance policies? For example we're evaluating satellite now and when we run scans, they show failures for items like "install openswan" which does not apply to our systems. Can that be customized so that machines not show as failing compliance for items that do not apply?
Answer: Compliance policies can be tailored using an (aptly named) tailoring file. These can be created using the scap-workbench tool. Satellite 6 doesn’t currently support a tailoring file (see bz1292510), but we do have a document describing how to ‘respin’ a datastream file including your tailored changes (https://access.redhat.com/solutions/2377951).
Question: How do you make custom datastreams to install for OpenSCAP (especially for CIS benchmark)? For example, oscap ds sds-compose.
Answer: You can convert any existing XCCDF file via oscap ds sds-compose. Alternatively, you can use the OpenSCAP policies that are included in the scap-security-guide package (which are already in DataStream format).
Question: OpenSCAP - Is it possible to apply multiple policies (ie, RHEL server base + Oracle), it looks like the current setup is a one-to-one mapping between Host Groups and SCAP policies
Answer: A policy can apply to one or more host groups. In your example, you’d define two policies (one for RHEL, one for Oracle), and you’d assign BOTH to the host group in question.
Question: Can you review how Ansible is going to be integrated with Satellite, and how you might recommend somebody start using Ansible now in a way that could be easily integrated later? ETAs on these things would be cool too.
Answer: Red Hat Satellite 6 currently supports integration with Ansible Tower. We plan to provide integration of Ansible Core into Red Hat Satellite 6 in a future near-term release.
Question: Will that cost extra to use Ansible in Satellite?
Answer: Red Hat Satellite 6 currently supports integration with Ansible Tower. Ansible Tower is sold separately and has additional capabilities above/beyond Ansible Core. When we integrate Ansible Core technology, it will not cost extra for that functionality. Ansible Tower will remain a separate offering with a separate price.
Question: Any chance for Chef integration into Satellite 6
Answer: Integration with Chef is not currently on the Satellite 6 roadmap.
Question: When Satellite 6.3 arrives will it be a normal upgrade from 6.2. I'm curious because of the addition of Ansible to the Satellite structure.
Answer: The upgrade to Satellite 6.3 will be similar (with regards to the steps that are required) to the upgrade from Satellite 6.1 to 6.2. More or less, the process will be:
- Disable Satellite 6.2 repo.
- Enable Satellite 6.3 repo.
- Perform some minor pre-upgrade checks.
- Install 6.3 packages
- run installer with the
HIGH AVAILABILITY & DISASTER RECOVERY
Question: Can you talk about Satellite HA and DR setups.
Answer: Best practices for HA & DR setups can be found in our HA Guide
Question: So HA requires 2 licenses for Satellite? I was also told that a capsule server could become Satellite in the case of a loss of Satellite. I have been told a few different things regarding this from RH employees.
Answer: Yes, HA requires 2 subscriptions to Satellite. However, the second subscription is sold at 50%, similar to a 'disaster recovery' subscription. Reach out to your account team for more details.
In the event of a 'loss of Satellite', capsule servers cannot be 'promoted' to become Satellites.
Question: What about HA options for Sat 6 ? Any active-passive supported configuration ?
Answer: See our HA Guide
Question: with bootstrap files, do we have to provide a user name/passwd in order to register a system using the bootstrap process
Answer: The information required by the bootstrap script is dependent on which features are being used. If you are registering a system and want to configure it with puppet (and in the correct organization/location/hostgroup), it requires a username/password to create the host record via the API. If you are merely registering the system for content, you can leverage the --skip-foreman switch, which does not require a username/password (only an activation key and organization).
Question: Can you tell me what the difference is between 7Server and 7Server EUS repos? I get the 7.X and 7.X EUS repos differences, but the other ones?
Question: does the roadmap for Satellite 6.x include any support for using external DHCP providers beyond ISC DHCP? As an example Foreman can use a smart proxy to use an MS DHCP provider.
Answer: Not currently.
Question: If I use say 7.2 EUS repos, and I have a client who says, "Can I have version X.Y of Postgres?" that I discover is in 7.3 repo or 7.4 repo....how do I get that to them with dependencies resolved etc etc…
Answer: That is difficult to do. As the 7.2 repo gets no content after 7.3 is released, there is no way for Satellite to 'backport' newer RPMs into a 7.2 repo. It is suggested for this usage to use the 7Server repo, locked to a specific date via content view filters, and selectively add errata as needed.
Question: is it possible to run remote scripts as a non-root user? The default info for ssh keys appears to assume root can ssh to a system, which we can't do.
Answer: You can set the effective user via the
Question: Concerning Lazy sync when configured with "on demand", how will that work with available errata for clients?
Answer: on_demand doesn't change anything in the errata workflow. Clients will still have errata applicability calculated based on their published content views and the last synchronization of the Satellite with the Red Hat CDN.
Question: What is the preferred provisioning methodology when DHCP/PXE/TFTP are not available w/in the env...FDI is the path we are tracking down, is this a reasonable option or do you have a better suggestion? Trying to simulate as close to as possible our legacy kickstarts out of Sat 5.x
Answer: Correct. PXE-Less Discovery is the path here. I'd suggest leveraging the Discovery Rules to further automate the provisioning process.
Question: Can you use a pfx certificate as a custom certificate for Red Hat Satellite 6.2 or do you need to break them out in pem files?
Answer: They need to be PEM files. Use the openssl command to convert them.
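One way to carry out and check that conversion, as an added example that is not part of the original FAQ. The file names, the `PFX_PASS` environment variable and the throwaway sample bundle are assumptions made for illustration:

```shell
#!/bin/sh
# Added example: split a PKCS#12 (.pfx) bundle into PEM files and confirm that
# the extracted private key belongs to the extracted certificate.
# The bundle password is read from $PFX_PASS (exported), so it does not show
# up in the process list the way a pass: argument would.

# pfx_to_pem <bundle.pfx> <output-dir>; returns 0 only if key and cert match.
pfx_to_pem() {
    pfx=$1; out=$2
    [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; return 2; }
    mkdir -p "$out" || return 2
    rm -f "$out/server.crt" "$out/server.key" "$out/ca_bundle.pem"
    old_umask=$(umask); umask 077    # the key file must be owner-only

    # Leaf certificate; piping through x509 drops the "Bag Attributes" text.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$out/server.crt" 2>/dev/null
    # Private key, written unencrypted (-nodes).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -out "$out/server.key" 2>/dev/null
    # CA chain, if the bundle carries one (the file may be empty otherwise).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -cacerts \
        -out "$out/ca_bundle.pem" 2>/dev/null
    umask "$old_umask"

    # A wrong password or a mismatched pair fails this public-key comparison.
    cert_pub=$(openssl x509 -in "$out/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$out/server.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed certificate in a .pfx.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=satellite.example.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/sample.key" -in "$1/sample.crt" \
        -passout env:PFX_PASS -out "$1/sample.pfx"
}
```

Bundles exported with older ciphers may need the `-legacy` option of `openssl pkcs12` on OpenSSL 3.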