COOKBOOK - a basic install for patch control - Work in Progress

Latest response

Does a cookbook description exist for installing a new Satellite 6 system on RedHat 7? My guess that it does not. I have been thru the docs that are listed on the site and the install doc read like one of those old books that you could not get from page 1 to page 2 because there are questions at the bottom of the page that say if you select this answer got to page XX. But you can never get to page 2 and if you turn to page 2 it says why are you here. Is it because you are stupid enough not to read the directions.

So can I get help in developing a Cookbook for the basic install using RedHat 7 and Satellite 6 for a company that has development, test and production machines that need to have phased patching across the environments. This is one of the most basic environments that I know of and every company that needs/uses Satellite would start from here.

One additional item. As my Network people hate anyone messing with the stuff. Satellite will not be configured to do dns, dhcp, or tftp.

One more additional item. Since the purpose of setting up Satellite for this is to control the patch cycle. Our environment will be:
1. place to hold all patches
2. patch a group of machine that will be used for testing patches and making sure that nothing breaks.
3. patch all other boxes - ie. production and critical test boxes.

Also the purpose of the Cookbook is to be an example appendix for the install document.

Bob

Cook book for RHEL 7.0 and Satellite 6.0 install and build.

Basic RHEL 7.0 install for Satellite 6 system
1. install RHEL 7.0 basic install.
a. also install sos as it is NOT part of the basic package and you need it to file an error report with RedHat.
b. also install ntp as these systems will not list subscriptions or repos if the time does not match RedHat.
c. "yum -y update" the box so that you are current on all existing packages.

  1. next you need to attach your satellite subscriptions.
    a. attach your satellite subscription to your machine on the redhat site like the books says.
    b. subscription-manager repos --enable rhel-server-rhscl-7-rpms --enable rhel-7-server-satellite-6.0-rpms
    These are the speciality repos for satellite. You should already have the basic subscription for the machine.
    c. to validate that you have the subscriptions done correctly do a "yum repolist" and display that the repos are available to you.

[root@satellite services]# yum repolist
Loaded plugins: product-id, subscription-manager
repo id repo name status
!katello-local katello-local 398
!rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 4,817
!rhel-7-server-satellite-6.0-rpms/7Server/x86_64 Red Hat Satellite 6.0 (for RHEL 7 Server) (RPMs) 408
!rhel-ha-for-rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux High Availability (for RHEL 7 S 45
!rhel-server-rhscl-7-rpms/7Server/x86_64 Red Hat Software Collections RPMs for Red Hat Enterprise 779
repolist: 6,447

  1. Next you need to install all of the base rpms.
    yum install @base -y
    This will add about 75 packages that are not part of the system base install.
    Also you need to update all the patches installed
    yum -y update

The start of the Satellite 6 build
3. Next you need to install the satellite software. Wait for the drum roll.
a. "yum install katello" This will result in 597 packages being added to your machine.

  1. to configure the package
    a. "katello-installer" this will configure the software and tell you that:

[root@satellite ~]# katello-installer
Installing Done [100%] [......................]
Success!
* Katello is running at https://satellite.example.com
Initial credentials are admin / SgwrqpDWRrV7Bf3y
* Capsule is running at https://satellite.example.com:9090
* To install additional capsule on separate machine continue by running:"

  capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

The full log is at /var/log/katello-installer/katello-installer.log

This means that it is suppose to be running and it is but not on IPV4. What I found on my machine is:

tcp 0 0 10.64.91.20:46206 10.64.91.20:5671 ESTABLISHED
tcp 0 0 10.64.91.20:46200 10.64.91.20:5671 ESTABLISHED
tcp 0 0 127.0.0.1:27017 127.0.0.1:41653 ESTABLISHED
tcp 0 0 127.0.0.1:52140 127.0.0.1:9300 ESTABLISHED
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::8443 :::* LISTEN
tcp6 0 0 127.0.0.1:8005 :::* LISTEN
tcp6 0 0 :::5671 :::* LISTEN
tcp6 0 0 :::5672 :::* LISTEN
tcp6 0 0 :::8009 :::* LISTEN
tcp6 0 0 :::8140 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::8080 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 127.0.0.1:34483 127.0.0.1:5432 ESTABLISHED
tcp6 0 0 127.0.0.1:34481 127.0.0.1:5432 ESTABLISHED
tcp6 0 0 127.0.0.1:34546 127.0.0.1:5432 ESTABLISHED
tcp6 0 0 127.0.0.1:34482 127.0.0.1:5432 ESTABLISHED
udp 0 0 0.0.0.0:43540 0.0.0.0:*
udp 0 0 127.0.0.1:48004 127.0.0.1:48004 ESTABLISHED

The software which uses port 443 appears to start on IPV6 and not on IPV4. Problems is we do not route ipv6 in our company.

To correct the IPV6 problem you need to do an ifconfig and find the name of your interface - mine was:

[root@satellite services]# ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.64.91.20 netmask 255.255.255.0 broadcast 10.64.91.255
ether 38:ea:a7:10:af:38 txqueuelen 1000 (Ethernet)
RX packets 136324 bytes 8578421 (8.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5130 bytes 3770810 (3.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

go to /etc/sysconfig/network-scripts and edit the ifcfg-eno1 file and turn off the IPV6 items:

IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no

The final way to correct this problem is to edit /etc/sysctl.conf and add the following line:
net.ipv6.conf.all.disable_ipv6 = 1

This will shutdown the IPV6 usage on the interface. This is step 1 of fixing the ports on the interface.
Next we need to add the correct files to make firewalld work correctly.
copy the httpd.xml file from /usr/lib/firewalld/services to /etc/firewalld/services then using httpd.xml as a master file copy it
to httpds.xml and edit it to change the short parameter WWW (HTTP),/short> and the port parameter to 443.

Here is the list of items and ports that need to be created from the hppd.xml master file.

elasticsearch - 9200
foreman - 9090
https - 443
port5671 - 5671
puppet - 8140
xhttp - 8080

With these change reboot the machine and the port will be open and available to connect to.

I then used my browser to access my satellite machine on https://satellite.mydomain.com and it worked.
Also do not close the terminal session as it has the login and passwd that is default to get in. And it is not something simple.

Satellite structure
I have decided to structure my patch system as such:
Library -> TestGroup -> Production

The Library is where all the patches are stored as received. And you CANNOT remove it. I know I tried. What a waste of time for that stupid try.
The TestGroup are a bunch of servers that we have decided to do initial patch testing on. Some development and also QA machines.
The Production group are the rest of the machine that we have which include production, production support and user testing. In other words everything else.

Next Step
You now need to load your Manifest from the RedHat site. A couple of items of note.
When you go to specify how may of the licenses to include when you have multiple units on a license you MUST check the count on the right had side of the screen otherwise it defaults to "1". So if you do not increase the count you will have to do this multiple times and each pass add the license as a separate item in the manifest with a count of "1" instead of 8 or 16 or 20 items if that is how many units are on the license. It just makes a mess of the information that you are transferring to the Satellite system.

After transferring the manifest.zip file to your Satellite system then you need to import the info it to the system.

OK - now that you have subscriptions on the Satellite system you can start connecting your machines to the Satellite system for patching.
The easiest way to connect a machine is to first remove the machine from RedHat's site by deleting it from there.
Next you need to delete a file from the target machine which is located in /etc/sysconfig/rhn and is called systemid also remove the file systemid.save if it exists as this is a copy from an upgrade of this file.
Next on the system default web page select the "Hosts" tab and select the "Content Host" from the pull down list. When your screen appears on the upper right of the screen is a button called "Register Content Host" in blue. Click on the button and it will generate a screen with info that you can use based upon you specific environment. The first command will be a rpm command that will load a bootstrap file into your system that is specific to your setup. The second command then can be used to register your machine to the Satellite system so that it knows about it. It puts your machine in the default "Library" group which means that if you "yum update" the machine the latest set of patches will be installed on that box.

The next step is to select your target machine from the list on the screen. On the resulting screen will be detailed info on your target box. You need to select the "Subscriptions" tab and it will display a screen that has several useful pieces of info on it. The first is the "status" light indicator that informs you if you have a valid subscription attached to this machine. And first indication is that we do not have a valid subscription. So select the "Add" tab and this will show a screen with the listed available subscriptions that this machine can use. Check the box of the subscription that is to be used for this machine. Click the button on the right that says "Add Selected". This will then attach that subscription to this machine.

NOTE ABOUT SUBSCRIPTIONS
If when you add a machine to Satellite you find that the subscription indicator is GREEN and not RED. Then the system thinks you have a subscription but you have not applied one yet. PROBLEM what this says is that you are missing the 69.pem file from /etc/pki/product directory. This file is placed when then "katello-ca-consumer-latest.noarch.rpm" is installed BUT I have found that it is not always there. So if you already have a machine with the same release level (ie. REDHAT 5 or REDHAT 6) in Satellite then you can copy it from there. ELSE contact support and they can supply the correct file for you.

NOTE
We have a "Bunch" of VMWare virtual machines and the above process is a little different for the virtual machines. I will create another thread on how I was able to get those machines to my environment . It is relatively simple but it is different enough that a separate thread will help.

After you have applied the subscription to the machine in Satellite 6 then go back to the command line on the target machine and run this command:
subscription-manager repos
Since you applied the subscription in Satellite you will not have to figure out the poolid to be applied from the command. The system just ask for the repos that the subscription that you just applied has. It is as simple as that.

Next you need to enable the common repos for your machines release level. So go to /etc/yum.repos.d and vi the redhat.repo file. Search for common ( /common) and then go down in the definitions and change enable = 0 to enable = 1. Save the file.

Next you need to sync yum for the repos enabled. yum repolist This will sync only the repos that are to be used.
After that finishes the there is one more thing to do. yum install katello-agent. If you have a dependency problem you will have to remove the offending rpms to clear the problem. Otherwise just answer "y" to the install and it will finish. In the process of installing katello is will start a service call "goferd". This is the katello agent running. To check if it is running do: *** ps -eadf | grep gof***. If "python /usr/bin/goferd --foreground" is in the listing then the katello agent is running.

It will take a while (ie overnight) for the katello agent to indicate that it is installed on Satellite.

At this point you have a operational Satellite 6 system

Bob

Responses