Satellite 6 - Adding an existing host with full management
Following up from the discussion in the Satellite video thread:
https://access.redhat.com/discussions/1517523
I have a requirement to add RHEL hosts built outside of Satellite to the Satellite 6 server. Doing this for subscription manager services (eg. yum) is fairly straightforward and the host will be displayed under 'Content Hosts', but to get an existing server (that isn't provisioned through Satellite) to appear in 'All Hosts' to allow management with Puppet appears a little more involved.
As suggested in the linked thread above, I have investigated using the hammer-cli and API to carry out the add automatically but it appears there are still some gaps in the process, so would appreciate any input on your experiences/solutions.
The goal of this process:
1. Build host outside of Satellite
2. Register with Satellite for updates / package management
3. Register with Satellite to assign Puppet classes / remediate configuration
This is currently achieved with another product, but am looking to combine multiple products into Satellite 6. The steps listed here can be run from the freshly built host (and packages etc. cleaned up afterwards) or from an orchestration host.
Process:
1. Build standard RHEL X.x build
2. Install katello-ca package rpm from Satellite 6 server
rpm -ivh http://sat61b.network.local/pub/katello-ca-consumer-latest.noarch.rpm
3. Use subscription-manager to subscribe the system to Satellite 6 for packages / updates
subscription-manager register --username=admin --password=password --org=Default_Organization --auto-attach
At this stage the host will appear under Host -> Content Hosts on the Satellite 6 server.
4. Subscribe the host to the Satellite tools repo for installation of additional components
subscription-manager repos --enable=rhel-7-server-satellite-tools-6-beta-rpms
5. Install additional tools that are used for host creation/registration on Satellite 6 server
yum install -y facter katello-agent puppet rubygem-hammer_cli rubygem-hammer_cli_katello
6. Use the hammer CLI to create the empty host record on the Satellite 6 server (facter used to pull MAC). Note: to determine the numbers to pass in you need to call hammer against each item to determine the ID number it has been allocated eg. hammer environment list. This is a long command, scroll right to see the whole thing!
hammer --server https://sat61b.network.local --username admin --password password host create --name "$(facter hostname)" --environment-id 1 --architecture-id 1 --domain-id 1 --puppet-proxy-id 1 --operatingsystem-id 1 --partition-table-id 7 --location-id 2 --organization-id 1 --medium-id 7 --root-password "password" --mac "$(facter macaddress)" --build 0
At this stage you will now have a host record under 'All Hosts' matching the hostname of your new host.
7. Next, create a Puppet certificate signing request. You will need to modify the Puppet configuration file before running the following command, or alternatively pass the Satellite 6 hostname at the command line for the initial request.
puppet agent -t --server sat61b.network.local
The Puppet signing request will now be listed under Infrastructure -> Capsules -> Capsule Name -> Certificates
This is where the automated process falls down. I haven't been able to find a way for Hammer CLI or the API to sign the certificates remotely. Additionally, there doesn't appear to be a method to create Autosign entries using the CLI/API (this could be done after step 6). I have found an associated bug report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1140671
Is anyone able to provide/suggest a workaround, or a different method to do the scripted registration of existing hosts? Does anyone have a single line answer that makes all of the above look irrelevant?
Responses
Just a follow up ... AWESOME, it worked as advertised ... I did it on a RHEL5.11 system and it's now showing in All Hosts. This is definitely the kind of thing that should be covered in the docs because anyone coming from a non-satellite environment to Satellite will require this ability. Now to do it 3,000 more times ... yay.
I have been working on a similar effort (my effort was initially focused at moving systems from Satellite 5 to Satellite 6), but should be easily adaptable to work for hosts provisioned outside of Satellite (which is your usage). See github. PRs accepted :)
A couple of items worth noting.
- In my script, I cheat a little bit. Instead of creating the host record (via hammer or the API), I install puppet and then issue a puppet agent -t, which creates the host entry and submits a cert request.
- I think (and should probably confirm) that if you add autosign entries into autosign.conf, that they are respected.
- I am a firm believer in not installing additional packages if I could avoid it, hence why the script is in python. (It could probably be ported to ruby if you need that.)
Let me know if this gets you closer to your destination.
The host ends up in 'Any Context' / 'Any Location' if you do not specify (and send an org/location fact). Switch to Any Context/Any Location and then go to 'All Hosts' and you should see your host. You can then assign an org/location in the UI. That doesn't work from an automation perspective, but that's why you don't see your host (yet it 'works').
You can set a default org/location for hosts that don't report it (such as those you are bootstrapping) under Administer->Settings->Puppet in the UI.
What I did in my script is make it mandatory to specify the org/location, as I make additional API calls to set the user-specified org/location. (effectively what you did in your invocation of hammer).
The expected invocation of my bootstrap script is that it is copied from the Satellite to the client (via wget, curl, etc) and run locally on the client. In full disclosure, I haven't tested it with the overhauled 6.1 capsules, so there may be bugs there that I haven't accounted for.
Thanks Rich!
The hammer/api approach is a REALLY convoluted way of getting hosts in. I appreciate the bootstrap script, but a simpler approach needs to be taken here, esp. when we are talking about migrating a few hundred or, in some people's situations, 1000's of systems from RHN to Sat 6.
But I will test out the bootstrap on our side as well!
PS - Keep on Cookin!
Hi, thanks for the article.
One observation, with:
--server mysatellite.example.com
One will get: "Error: 301 Moved Permanently"
This will work:
--server https://mysatellite.example.com
Ref: https://projects.theforeman.org/issues/11147
hammer says "Error: 301 Moved Permanently" when you are missing "https://" in server option
Cheers.
Thanks Guillermo, that solved my problem.
Cheers,
Ahmed.
Step 6, "--root-password". That's the root password for the machine you're adding, right? This is a required value.
Pixel, how do you solve the "Location" issue? Also, do you know the use of specifying "activation key" when creating a "Host group"? As far as I know the important thing is to specify the "--hostgroup-id" with "hammer host create" to make puppet work. What I mean is, as far as I see, specifying the act key within the host group does not change anything. Thanks in advance.
Thanks a lot Pixel. That seems to be a good idea to solve the location issue. The trick is "how can we install the needed packages without registering with the Satellite first?"
Here is my customized version of the procedure which does not solve the location issue but automates the puppet client conf (the hostgroup should be created beforehand so that we can use the "--hostgroup-id" option - and the activation key too of course):
host# rpm -ivh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
host# subscription-manager register --org=Organization --activationkey=actkey
host# yum install -y facter katello-agent puppet rubygem-hammer_cli rubygem-hammer_cli_katello
host# echo "server=satellite.example.com" >> /etc/puppet/puppet.conf
host# hammer --server https://satellite.example.com --username admin --password redhat host create --name "$(facter hostname)" --environment-id 14 --architecture-id 1 --domain-id 1 --puppet-proxy-id 1 --operatingsystem-id 1 --partition-table-id 7 --location-id 2 --organization-id 9 --medium-id 8 --root-password "any_string" --mac "$(facter macaddress)" --build 0 --hostgroup-id X
satellite# cat /etc/puppet/autosign.conf
servera.example.com
host# puppet agent -t
host# systemctl enable puppet
host# systemctl start puppet
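An added example, not part of any post in this thread: a small audit for the autosign.conf used above. It reports wildcard entries (which sign for more than one certname), exact entries for hosts that are not in your inventory, and inventory hosts with no entry. The sample file, the inventory and the treatment of '#' lines as comments are assumptions.

```python
"""Audit a Puppet autosign.conf against the hosts you meant to enrol."""

# Constructed sample: contents of /etc/puppet/autosign.conf on the Satellite.
SAMPLE_AUTOSIGN = """\
# bootstrap batch (constructed example)
servera.example.com
serverb.example.com
*.lab.example.com
*
"""

# Constructed sample: host records already pre-created on the Satellite.
SAMPLE_INVENTORY = ["servera.example.com", "serverc.example.com"]


def parse_autosign(text):
    """Return the entries, skipping blank lines and '#' lines (assumed comments)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def audit(autosign_text, inventory):
    """Classify entries as wildcard, stale (not in inventory) or missing."""
    wanted = {h.lower() for h in inventory}
    entries = parse_autosign(autosign_text)
    exact = {e for e in entries if "*" not in e}
    return {
        "wildcard": [e for e in entries if "*" in e],
        "stale": sorted(exact - wanted),
        "missing": sorted(wanted - exact),
    }


def render_exact(inventory):
    """Build an autosign.conf body with one exact certname per inventory host."""
    return "".join(h + "\n" for h in sorted({h.lower() for h in inventory}))


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_AUTOSIGN, SAMPLE_INVENTORY).items():
        print(f"{kind}: {', '.join(items) or '-'}")
    print(render_exact(SAMPLE_INVENTORY), end="")
```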
This has helped me considerably over the last week, thanks v.much :-)
QQ - I've been able to automate setting the location by adding foreman_location=mylocation to a file in /etc/facter/facts.d but can't set hostgroup by using foreman_hostgroup=myhostgroup. Any idea how to set hostgroup without using hammer?
TIA Steve
When I add a RHEL 5 host that was built outside of Sat server 6, I get the message "No Products Available".
I am getting this error message when I run the command. Any ideas?
Could not create the host: ERROR: insert or update on table "hosts" violates foreign key constraint "hosts_medium_id_fk" DETAIL: Key (medium_id)=(7) is not present in table "media".
Okay, this explains a lot...
Running into the following attempting to implement this solution:
[root@sabre01 ~]# yum install rubygem-hammer_cli rubygem-hammer_cli_katello
Loaded plugins: package_upload, product-id, security, subscription-manager
rhel-5-server-rpms | 2.1 kB 00:00
rhel-5-server-satellite-tools-6.1-rpms | 1.8 kB 00:00
Setting up Install Process
No package rubygem-hammer_cli available.
No package rubygem-hammer_cli_katello available.
Nothing to do
[root@sabre01 ~]# subscription-manager repos --list
+----------------------------------------------------------+
Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID: rhel-5-server-rpms
Repo Name: Red Hat Enterprise Linux 5 Server (RPMs)
Repo URL: https://satellite6.solipsys.com/pulp/repos/Solipsys/Library/rhel-5/co
ntent/dist/rhel/server/5/$releasever/$basearch/os
Enabled: 1
Repo ID: rhel-5-server-satellite-tools-6.1-rpms
Repo Name: Red Hat Satellite Tools 6.1 (for RHEL 5 Server) (RPMs)
Repo URL: https://satellite6.solipsys.com/pulp/repos/Solipsys/Library/rhel-5/co
ntent/dist/rhel/server/5/5Server/$basearch/sat-tools/6.1/os
Enabled: 1
facter, katello-agent and puppet install without issue.
When I attempt to register to puppet I get the following error:
puppet agent -t --server sat6server
Exiting; no certificate found and waitforcert is disabled
If you get this error:
puppet agent -t --server sat6server
Exiting; no certificate found and waitforcert is disabled
then you can do:
- on master, add in /etc/puppet/puppet.conf:
[main]
certificate_revocation = false
- on client:
rm -rf /var/lib/puppet/ssl/*
puppet agent -t --server sat6server
and the certificate will be regenerated... So you can sign the cert on the Satellite UI
A variant use-case : I want to create a "bare metal" VMWare VM outside of Satellite (due to more options available). From this thread, I think I can add a host record using a similar "hammer host create . . . build=0" command. Now for the question : How might I initiate provisioning on the VM ?
I'm trying to add hosts to satellite puppet that were not provisioned from satellite via a script I can give my local admins. I'm trying to do this without exposing a hammer command in the script with a satellite account/password. So far I'm able to join satellite and puppet, but it's not dropping into the correct org and environment. It places the host in the any host list as having no org and the default "production" environment. It doesn't appear to look at the org that the host is subscribed to. Is there a way to manually join a host to the puppet part of satellite via the command line or puppet.conf without using a hammer command? I am setting my environment in the puppet.conf file, but that does not set the org. I don't want to have to pre-populate satellite via the hammer command.
Is this possible?
You can specify which organization, location and puppet environment that unknown hosts are placed in if they do not report those facts. See Administer -> Settings -> Puppet and see the following settings
Default location
Default organization
Default Puppet Environment
This will allow you to configure puppet.conf and just run a puppet agent -tv to enroll them. Alternatively (and this is my preference), use the bootstrap script to register hosts not provisioned via Satellite.
I don't want to set the default since I have more than one organization. Is the bootstrap method something that's run on the host being added? I wonder if there is a way to preload satellite with the hostname/org/location/environment of a list of hosts prior to provisioning them, such that when I set up the /etc/puppet.conf and run "puppet agent -t" it drops into the correct org/environment?
I've set my capsule up to autosign.
My requirements are that the local admins will not get access to the satellite server (I'm on 6.1.9) nor a satellite admin account. They can have local admin access to the capsule. So I've set up unattended provisioning via PXE boot on the capsule. They can provision and, via keys, register into the correct patch life cycles.
Thanks
Correct. Bootstrap runs on the host being added. You can scope the permissions of the user account being used by the bootstrap script to be minimal. (Basically, view and add hosts)
If you need to not allow users even those permissions, you can precreate the host entry using any supported method:
- the UI (under Hosts->New Host)
- the CLI (hammer host create).
- the API (a POST to /api/hosts)
In the original post, the hammer CLI tools were installed on the individual clients as they were being added. You can use that method, but that requires the person adding the client to have some level of credentials. It is an identical workflow that the bootstrap script uses.
(_...as an aside..._) Early in the development of bootstrap, we debated on whether to write the script in Ruby (or install hammer as above). We opted not to so as to not install packages unnecessarily. (It is also why we use python-urllib to connect to the API in lieu of python-requests - it is on *every* RHEL system).
For your usage (not wanting to give your admins credentials in Satellite, but allowing them to register systems for both puppet and content), I would suggest the following:
- use hammer host create from Satellite (or your admin workstation that you've installed hammer on) to precreate the host entry, associated with the correct hostgroup, organization and location. This will ensure that the host record is where you need it to be.
- give the local admins an activation key to register via subscription-manager that provides access to a subscription AND a Content View that provides the satellite-tools repo.
Their workflow is:
- Install the katello-ca-consumer-latest RPM from their Satellite or Capsule.
- Register via subscription-manager.
- Enable the satellite-tools repo (if your activation key isn't configured to do it, or if your version of subscription-manager is < 1.10)
- yum install puppet katello-agent
- Configure puppet.conf
- Run puppet: puppet agent --test --noop --tags no_such_tag --waitforcert 10
- Celebrate!!!
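The pre-create step suggested above, as an added example that is not from the thread or from the bootstrap script: it builds the POST to /api/hosts for each row of an inventory on an admin workstation, so no Satellite credentials reach the clients. The CSV columns, the ID values, the payload fields and the SAT_URL/SAT_USER/SAT_PASS variable names are assumptions, and it assumes the host group supplies the remaining host attributes.

```python
"""Build POST /api/hosts requests from an inventory (run on an admin workstation)."""
import base64
import csv
import io
import json
import os
import urllib.request

# Constructed sample inventory; every ID here is a placeholder for your own.
SAMPLE_CSV = """\
name,mac,organization_id,location_id,hostgroup_id
servera.example.com,52:54:00:aa:bb:01,9,2,4
serverb.example.com,52:54:00:aa:bb:02,9,2,4
"""


def build_request(server, user, password, row):
    """Return the Request for one host record; nothing is sent here."""
    # Refuse anything but https: Basic auth must not travel in clear text.
    if not server.startswith("https://"):
        raise ValueError("server must be an https:// URL")
    # Assumed payload: the host group supplies OS, architecture, domain, etc.
    host = {"name": row["name"], "mac": row["mac"].lower(), "build": False}
    for key in ("organization_id", "location_id", "hostgroup_id"):
        host[key] = int(row[key])
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        server.rstrip("/") + "/api/hosts",
        data=json.dumps({"host": host}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )


def requests_for(csv_text, server, user, password):
    """One Request per inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [build_request(server, user, password, row) for row in rows]


if __name__ == "__main__":
    # Credentials come from the environment (assumed names), not from argv.
    reqs = requests_for(SAMPLE_CSV,
                        os.environ.get("SAT_URL", "https://satellite.example.com"),
                        os.environ.get("SAT_USER", "host-creator"),
                        os.environ.get("SAT_PASS", "placeholder"))
    for req in reqs:
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would submit it to a real server.
```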
