Red Hat Training
A Red Hat training course is available for Red Hat Satellite
User Guide
Using and administering Red Hat Satellite
Red Hat Satellite Documentation Team
satellite-doc-list@redhat.com
Abstract
Chapter 1. Managing User Accounts
1.1. Creating and Deleting User Accounts
Before Satellite users can register with the Satellite server to request product updates or to perform other maintenance, they need a suitable user account. Only certain Satellite Administrators
can create user accounts.
Procedure 1.1. Creating User Accounts
- Navigate to the Satellite web server page, and click the Users tab on the navigation bar.
- On the right side of the page, click create new user to open the Create User page.
- Complete all of the required fields.
Note
The login value must be at least five characters long, and may only contain alphanumeric, hyphen, underscore, comma, period, and commercial at (@) characters. - Click Create Login to create the new user. An email will be sent to the user, using the address specified during creation, to inform them of the new account details. This will include the password in plain text.
- When the account has been successfully created, you will be redirected to the User List page. To change permissions and set options for the new user, select their name from the displayed list to display the User Details page, and navigate to the appropriate tabs to make your changes.
Only Satellite Administrators
can delete user accounts. Deleted accounts cannot be used to log in to the Satellite server interface, or to schedule actions.
Warning
Procedure 1.2. Deleting User Accounts
- Navigate to the Satellite web server page, and click the Users tab on the navigation bar.
- Click the user name of the account that you want to delete from the Username list. The User Details page displays.
- Ensure that the user account is not a Satellite administrator.If the user is a Satellite administrator, clear the associated check box, and click Submit.If the user is not a Satellite administrator, continue to the next step.
- Click Delete User. The Confirm User Deletion page displays.
- Ensure that you want to completely delete this user account, and click Delete User.
Procedure 1.3. Activating and Deactivating Users
Note
- Select the user's name from the list in the Users tab, to display the User Details page.
- Check to see if the user is a Satellite administrator.If the user is a Satellite administrator, uncheck the box next to that role, and click Submit.If the user is not a Satellite administrator, continue to the next step.
- Click Deactivate User.You will be asked to confirm this action, by clicking it again. Check the details, and then click Deactivate User again to confirm.
- Once the account has been successfully deactivated, the user's name will not appear in the Active Users list. Click the Deactivated link from the User List menu to view deactivated user accounts.
- To reactivate the user account, view the Deactivated list, check the box next to the user to be reactivate, and click Reactivate.
1.2. Assigning Roles to User Accounts
User Roles
- Satellite Administrator
- A special role for Satellite administrative tasks such as creating organizations, managing subscriptions, and configuring global Satellite Server settings.This role cannot be assigned on the User Details page. A user that already has the Satellite Server administrator role can assign the role to another user by going to Admin → Users.
- Organization Administrator
- Performs management functions such as managing users, systems, and channels within the context of their organization. Organization administrators are automatically granted administration access to all other roles, which are signified by the checkboxes for the other roles being selected and grayed-out.
- Activation Key Administrator
- Performs activation key functions for such as creating, modifying, and deleting keys within the account.
- Channel Administrator
- Provides complete access to the software channels and related associations within the organization. Performs functions such as making channels globally subscribable, and creating new channels, and managing the packages within channels.
- Configuration Administrator
- Has complete access to the configuration channels and related associations within the organization. Also has complete access to the kickstart profiles and associated items within the organization. Performs kickstart profile, channel and file management configuration functions in the organization.
- System Group Administrator
- This role has complete authority over the systems and system groups to which it is granted access. Performs administrative functions such as creating new system groups, deleting assigned system groups, adding systems to groups, and managing user access to groups.
1.3. Customizing Selected Parts of Red Hat Satellite
- Open the
rhn.conf
file of Red Hat Satellite in a text editor. - Edit the file with the required content. To enter content that spans multiple lines escape every new line with a backslash character. Backslashes themselves can be escaped but HTML is not escaped.
Note
Red Hat Satellite does not currently support UTF-8 encoding forrhn.conf
.- To customize the header edit
java.custom_header
with the required content. - To customize the footer edit
java.custom_footer
with the required content. - To customize the login banner edit
java.login_banner
with the required content.
- Restart Satellite for the changes to take effect.
Chapter 2. Automatically Synchronizing the Red Hat Satellite Server Repository
cron
utility to effectively automate synchronization.
Procedure 2.1. To Use the cron Utility to Automate Synchronization:
- Switch to the root user, and run the following command to open the
crontab
in a text editor:# crontab -e
- Create a suitable job definition to schedule the synchronization. To create a random synchronization time, use the following entry:
0 1 * * * perl -le 'sleep rand 9000' && cdn-sync --email >/dev/null 2>1
This entry runs the synchronization job randomly between 01:00 and 03:30, and discardsstdout
andstderr
messages from thecron
utility. This prevents duplicating messages from thecdn-sync
command. Other options can be included as needed. See thecrontab
manual pageman crontab
for more information. - Exit the text editor to save the updated
crontab
file. The new rules take effect immediately.
Note
crontab
file opens in vi by default. To change this behavior, change the EDITOR
variable to the name of the text editor you prefer.
Chapter 3. Planning for Disaster Recovery
3.1. Backing up a Red Hat Satellite Server
Red Hat recommends that you back up at least the following files and directories:
/var/opt/rh/rh-postgresql95/lib/pgsql/
(Embedded database only)/etc/sysconfig/rhn/
/etc/rhn/
/etc/sudoers
/var/www/html/pub/
/var/satellite/redhat/[0-9]*/
(This is the location of any custom RPMs)/root/.gnupg/
/root/ssl-build/
/etc/dhcp.conf
/etc/httpd
/var/lib/tftpboot/
(In Red Hat Enterprise Linux 6)/var/lib/cobbler/
/var/lib/rhn/kickstarts/
/var/www/
/var/lib/nocpulse/
/etc/tomcat*/
/etc/jabberd/
/etc/cobbler/
/var/satellite/
as well. In case of failure, this will save lengthy download times. The /var/satellite/
directory (specifically /var/satellite/redhat/NULL/
) is primarily a duplicate of Red Hat's RPM repository, and can be regenerated using the cdn-sync
command. Red Hat recommends that the entire /var/satellite/
tree be backed up. In the case of disconnected satellites, /var/satellite/
must be backed up.
- Reinstall the Red Hat Satellite ISO RPMs.
- Reregister the server.
- Use the
cdn-sync
command to resynchronize Red Hat packages. - Reinstall the
/root/ssl-build/rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm
file.
Another method is to back up all of the files and directories mentioned above but reinstall the Satellite server without reregistering it. During the installation, cancel or skip the Red Hat Network registration and SSL certificate generation sections.
The final and most comprehensive method is to back up the entire machine. This saves download and reinstallation time but requires additional disk space and back-up time.
Important
rhn-search
service is started:
# service rhn-search cleanindex
3.2. Backing up an Embedded Database
db-control
command provides features to create, verify, and restore backups, to obtain database status information and to restart the database when necessary. See the db-control
manual page (man db-control
) for a full listing of the features available.
3.2.1. Performing Online Database Backups
db-control
command make this functionality possible.
db-control
command:
online-backup FILENAME:
Performs an online backup of the Satellite database (embedded PostgreSQL only).reset-password:
Resets the user password and unlocks the account.restore DIRECTORY | FILENAME:
Restores the database from either:- An offline backup taken by
db-control
and saved in the DIRECTORY directory. The database must be stopped for both thebackup
backup
andrestore
operations in order to run successfully. - An online backup taken by
db-control
and saved as FILENAME. The database itself must be running for both theonline-backup
online-backup
andrestore
operations in order to run successfully, but all other Satellite services must be stopped.
3.2.1.1. Performing an Online Backup
FILENAME
option with the full path to the backup file that you want to create. This location needs to be writable by the PostgreSQL user:
# db-control online-backup
FILENAME
Note
3.2.1.2. Restoring a Database from an Online Backup
db-control restore
FILENAME
command to restore an embedded database from a backup created using the db-control online-backup
command. Before you restore a database, you need to shut down all Satellite services except the database itself.
Procedure 3.1. To Restore a Database from an Online Backup:
- Change to the root user, and run the following command to stop all Satellite services except the database:
# rhn-satellite
stop
--exclude=rh-postgresql95-postgresql
- Run the following command to restore the database. Replace the
FILENAME
option with the full path to the backup file created with thedb-control
command:online-backup
# db-control
restore
FILENAME
- After the restoration is complete, run the following command to restart the database and all related services:
# rhn-satellite
start
3.2.2. Performing Offline Database Backups
3.2.2.1. Performing an Offline Backup
Procedure 3.2. To Create an Offline Backup:
- Change to the root user, and run the following command to stop the Satellite server:
# rhn-satellite stop
- Run the following command to create the backup:
# db-control
backup DIRECTORY
Replace DIRECTORY with the absolute path to the location where you want to store your database backup. This process will take several minutes. - When the backup is complete, run the following command to restart the Satellite server:
# rhn-satellite start
- Copy the backup to another system using rsync or another file-transfer utility. Red Hat strongly recommends scheduling the backup process automatically using cron jobs. For instance, back up the system at 03:00 and then copy the backup to the separate repository (partition, disk, or system) at 06:00.
3.2.2.2. Verifying the Backup
# db-control examine
BACKUP_FILE
# db-control verify
BACKUP_FILE
Note
3.2.2.3. Restoring the Database
db-control restore
command to restore embedded databases from backup. Before you attempt to restore a database, you need to shut down the database and any related services.
Procedure 3.3. To Restore an Embedded Database from a Backup:
- Run the following command to stop all of the Red Hat Satellite services:
# rhn-satellite
stop
- Run the following command, including the directory containing the backup, to begin the restoration. Ensure that you replace directory with the absolute path to the location that contains the backup. This process will verify the contents of the backup before restoring the database. The process will take several minutes.
# db-control
restore directory
This not only restores the embedded database but first verifies the contents of the backup directory using checksums. - After the restoration is complete, restart the database and related services:
# rhn-satellite
start
- Regardless of whether you are backing up an external or embedded database, when the database is restored from a backup, you should schedule the restoration of search indexes the next time the
rhn-search
service is started:# service rhn-search
cleanindex
3.3. Cloning a Red Hat Satellite with an Embedded Database
Procedure 3.4. To Clone a Satellite Server with an Embedded Database:
- Install Red Hat Satellite with an embedded database on a base install of Red Hat Enterprise Linux on a separate machine. That is, a machine separate from your primary Red Hat Satellite server. Omit the SSL Certificate generation step.
- Back up the primary server's database daily using the commands described in Section 3.2.2.1, “Performing an Offline Backup”. This ensures that only changes made the day of the failure are lost.
- Establish a mechanism to copy the backup to the secondary server. Keep these repositories synchronized using a file transfer program such as rsync. Copying is not necessary if using a Storage Area Network (SAN).
- Use the
db-control
command to import duplicate data.restore
- If the primary server fails, transfer the SSL key pair RPM package in
/root/ssl-build
from the primary to the secondary server, and install that package. This ensures that Red Hat Satellite clients can authenticate with and securely connect to the secondary server. - Update your DNS to reference the secondary server, or configure your load balancer appropriately.
3.4. Creating Redundant Satellites with External Databases
Important
Procedure 3.5. To Create a Redundant Satellite with an External Database:
- Install Red Hat Satellite on a separate machine, but omit the database configuration, database schema, SSL certificate, and bootstrap script generation steps. Include the same Red Hat Network account and database connection information provided during the initial Satellite installation.
- Register the new Satellite server. See the Red Hat Satellite Installation Guide for more information.
- If your original SSL certificate does not take your high-availability solution into account, create a new one with a more appropriate
Common Name
value (see The SSL Maintenance Tool in the Red Hat Satellite Client Configuration Guide). In this case, generate a new bootstrap script (as defined in Generating Bootstrap Scripts in the Red Hat Satellite Client Configuration Guide) that captures this new value. Ensure theCommon Name
value represents the combined Satellite solution, not a single machine's host name. - After installation, copy the following files from the primary server to the secondary:
/etc/rhn/rhn.conf
/etc/tnsnames.ora
(Oracle database only.)
- Copy the server-side SSL certificate RPMs from the primary server and install them on the secondary server.If, during the installation process, you generated a new SSL certificate that included a new Common Name value, copy the SSL certificate RPMs from the secondary to the primary server and redistribute the client-side certificate. If you also created another bootstrap script, use it to install the certificate on all client systems.
- If you created a new bootstrap script, copy the contents of
/var/www/html/pub/bootstrap/
to the primary server. - If you did not create a new bootstrap script, copy the contents of
/var/www/html/pub/bootstrap/
from the primary server to the secondary server.
- Run the following command on the secondary server to stop the Red Hat Network Task Engine service:
# service taskomatic stop
You can use custom scripting or other means to establish automatic start-up/failover of the Red Hat Network Task Engine on the secondary server. Regardless, you need to ensure that it starts in the event of a failure. - Share channel package data (by default located in
/var/satellite
) and cache data (by default located in/var/cache/rhn
) between the primary and secondary servers over some type of networked storage device. This eliminates data replication and ensures a consistent store of data for each server. - Make the various servers available on your network using a suitable Common Name and a method that suits your infrastructure. Options include round-robin DNS, a network load balancer, and a reverse-proxy setup.
3.5. Automating Satellite Database Backups
cron
.
Procedure 3.6. To Automate Satellite Server Database Backups:
backup-db.sh
containing the following script. This script will stop the satellite, perform a database backup, and restart the satellite:
#!/bin/bash { /usr/sbin/rhn-satellite stop d=db-backup-$(date "+%F"); mkdir -p /tmp/$d; db-control backup /tmp/$d /usr/sbin/rhn-satellite start } &> /dev/null
- Create a new file called
move-files.sh
containing the following script. This script will usersync
to move the backup files to a directory to be stored:#!/bin/bash rsync -avz /tmp/db-backup-$(date "+%F") <destination> &> /dev/null
Replace <destination> with the path to the backup directory.Alternatively, use the following script to achieve the same goal:#!/bin/bash scp -r /tmp/db-backup-$(date "+%F") <destination> &> /dev/null
- Switch to the root user, and open the
crontab
file in a text editor:# crontab -e
Note
Thecrontab
file opens in vi by default. To change this behavior, change theEDITOR
variable to the name of the text editor you prefer. - Create a suitable job definition to schedule the backup scripts to run:
0 3 * * * backup-db.sh 0 6 * * * move-files.sh
Thiscrontab
entry will run the backup at 03:00, and transfer the backup files at 06:00. Other options can be included as needed. You can also include a clean up script to remove older backup directories and prevent the backup storage from filling up. - Exit the editor to save the
crontab
file. The new rules take effect immediately.
Chapter 4. Using Command Line Configuration Management Tools
Note
/var/lib/rhncfg/backups/
directory on the affected system. The backup retains its filename but has a .rhn-cfg-backup
extension appended.
4.1. Using Red Hat Network Actions Control
rhn-actions-control
) application is used to enable and disable configuration management of a system. Client systems cannot be managed in this fashion by default. This tool allows System Administrators to enable or disable specific modes of allowable actions such as: deploying a configuration file onto the system, uploading a file from the system, using diff to find out what is currently managed on a system and what is available, or allowing running arbitrary remote commands. These various modes are enabled/disabled by placing/removing files and directories in the /etc/sysconfig/rhn/allowed-actions/
directory. Due to the default permissions on the /etc/sysconfig/rhn/
directory, Red Hat Network Actions Control have to be run by someone with root access.
4.1.1. Using General Command Line Options
man
page available, as there are for most command line tools. Simply decide what Red Hat Network scheduled actions should be enabled for use by system administrators. These options enable the various scheduled action modes:
Table 4.1. rhn-actions-control
options
Option | Description |
---|---|
--enable-deploy | Allow rhncfg-client to deploy files. |
--enable-diff | Allow rhncfg-client to diff files. |
--enable-upload | Allow rhncfg-client to upload files. |
--enable-mtime-upload | Allow rhncfg-client to upload mtime. |
--enable-all | Allow rhncfg-client to do everything. |
--enable-run | Enable script.run |
--disable-deploy | Disable deployment. |
--disable-diff | Disable diff |
--disable-upload | Disable upload |
--disable-mtime-upload | Disable mtime upload |
--disable-all | Disable all options |
--disable-run | Disable script.run |
--report | Report whether the modes are enabled or disabled |
-f, --force | Force the operation without asking first |
-h, --help | show help message and exit |
rhn-actions-control --enable-all
is a common option.
4.2. Using the Red Hat Network Configuration Client
rhncfg-client
) is installed and run from an individual client system. From there you may use it to gain knowledge about how Red Hat Network deploys configuration files to the client.
4.2.1. Listing Configuration Files
rhncfg-client list
Config Channel File config-channel-17 /etc/example-config.txt config-channel-17 /var/spool/aalib.rpm config-channel-14 /etc/rhn/rhn.conf
rhncfg-manager list config-channel-14
Files in config channel 'config-channel-14' /etc/example-config.txt /etc/rhn/rhn.conf
/etc/example-config.txt
went. The rank of the /etc/example-config.txt
file in config-channel-17
was higher than that of the same file in config-channel-14
. As a result, the version of the configuration file in config-channel-14
is not deployed for this system, although the file still resides in the channel. The rhncfg-client
command does not list the file because it will not be deployed on this system.
4.2.2. Getting a Configuration File
rhncfg-client get /etc/example-config.txt
Deploying /etc/example-config.txt
less
or another pager. Note that the file is selected as the most relevant based upon the rank of the config channel containing it. This is accomplished within the Configuration tab of the System Details page.
4.2.3. Viewing Configuration Channels
rhncfg-client channels
Config channels: Label Name ----- ---- config-channel-17 config chan 2 config-channel-14 config chan 1
rhncfg-client get
:
Table 4.2. rhncfg-client get
options
Option | Description |
---|---|
--topdir=TOPDIR | Make all file operations relative to this string. |
--exclude=EXCLUDE | Excludes a file from being deployed with 'get'/ May be used multiple times. |
-h, --help | Show help message and exit |
4.2.4. Differentiating between Configuration Files
rhncfg-client diff
[root@testsatellite root]# rhncfg-client diff --- /etc/test +++ /etc/test 2013-08-28 00:14:49.405152824 +1000 @@ -1 +1,2 @@ This is the first line +This is the second line added
--topdir
option to compare config files in Red Hat Network with those located in an arbitrary (and unused) location on the client system, like so:
[root@ root]# rhncfg-client diff --topdir /home/test/blah/ /usr/bin/diff: /home/test/blah/etc/example-config.txt: No such file or directory /usr/bin/diff: /home/test/blah/var/spool/aalib.rpm: No such file or directory
4.2.5. Verifying Configuration Files
rhncfg-client verify
modified /etc/example-config.txt /var/spool/aalib.rpm
example-config.txt
is locally modified, while aalib.rpm
is not.
rhncfg-client verify
:
Table 4.3. rhncfg-client verify
options
Option | Description |
---|---|
-v, --verbose | Increase the amount of output detail. Displays differences in the mode, owner, and group permissions for the specified config file. |
-o, --only | Only show files that differ. |
-h, --help | Show help message and exit |
4.3. Using the Red Hat Network Configuration Manager
rhncfg-manager
) is designed to maintain Red Hat Network's central repository of config files and channels, not those located on client systems. This tool offers a command line alternative to the configuration management features within the Red Hat Network website, as well as the ability to script some or all of the related maintenance.
/etc/sysconfig/rhn/rhncfg-manager.conf
or in the [rhncfg-manager] section of ~/.rhncfgrc
.
~/.rhncfgrc
file. The session file is cached in ~/.rhncfg-manager-session
to prevent logging in for every command.
server.session_lifetime
option and new value to the /etc/rhn/rhn.conf
file on the server running the manager, like so:
server.session_lifetime = 120
rhncfg-manager mode --help
rhncfg-manager diff-revisions --help
4.3.1. Creating a Configuration Channel
rhncfg-manager create-channel channel-label
Red Hat Network username: rhn-user Password: Creating config channel channel-label Config channel channel-label created
4.3.2. Adding Files to a Configuration Channel
rhncfg-manager add --channel=channel-label
/path/to/file
--dest-file
option in the command, like:
rhncfg-manager add --channel=channel-label
--dest-file=/new/path/to/file.txt
/path/to/file
Pushing to channel example-channel Local file >/path/to/file -> remote file /new/path/to/file.txt
rhncfg-manager add
:
Table 4.4. rhncfg-manager add
options
Option | Description |
---|---|
-c CHANNEL --channel=CHANNEL | Upload files in this config channel |
-d DEST_FILE --dest-file=DEST_FILE | Upload the file as this path |
--delim-start=DELIM_START | Start delimiter for variable interpolation |
--delim-end=DELIM_END | End delimiter for variable interpolation |
-i, --ignore-missing | Ignore missing local files |
--selinux-context=SELINUX_CONTEXT | Overwrite the SELinux context |
-h, --help | show help message and exit |
Note
/usr/share/rhn/config-defaults/rhn_web.conf
(in bytes):
maximum_config_file_size = 131072
/usr/share/rhn/config-defaults/rhn_server.conf
(in bytes):
maximum_config_file_size = 131072
/usr/share/rhn/config-defaults/rhn_java.conf
(in kilobytes):
java.config_file_edit_size = 128
4.3.3. Differentiating between Latest Configuration Files
rhncfg-manager diff --channel=channel-label
--dest-file=/path/to/file.txt
\ /local/path/to/file
--- /tmp/dest_path/example-config.txt config_channel: example-channel revision: 1 +++ /home/test/blah/hello_world.txt 2003-12-14 19:08:59.000000000 -0500 @@ -1 +1 @@ -foo +hello, world
rhncfg-manager diff
:
Table 4.5. rhncfg-manager diff
options
Option | Description |
---|---|
-c CHANNEL, --channel=CHANNEL | Get file(s) from this config channel |
-r REVISION, --revision=REVISION | Use this revision |
-d DEST_FILE, --dest-file=DEST_FILE | Upload the file as this path |
-t TOPDIR, --topdir=TOPDIR | Make all files relative to this string |
-h, --help | Show help message and exit |
4.3.4. Differentiating between Various Versions
-r
flag to indicate which revision of the file should be compared and the -n
flag to identify the two channels to be checked. See Section 4.3.11, “Determining the Number of File Revisions” for related instructions. Specify only one file name here, since you are comparing the file against another version of itself. For example:
rhncfg-manager diff-revisions -n=channel-label1
-r=1
-n=channel-label2
-r=1
/path/to/file.txt
--- /tmp/dest_path/example-config.txt 2004-01-13 14:36:41 \ config channel: example-channel2 revision: 1 --- /tmp/dest_path/example-config.txt 2004-01-13 14:42:42 \ config channel: example-channel3 revision: 1 @@ -1 +1,20 @@ -foo +blah +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.6 (GNU/Linux) +Comment: For info see http://www.gnupg.org + +iD8DBQA9ZY6vse4XmfJPGwgRAsHcAJ9ud9dabUcdscdcqB8AZP7e0Fua0NmKsdhQCeOWHX +VsDTfen2NWdwwPaTM+S+Cow= +=Ltp2 +-----END PGP SIGNATURE-----
rhncfg-manager diff-revisions
:
Table 4.6. rhncfg-manager diff-revisions
options
Option | Description |
---|---|
-c CHANNEL, --channel=CHANNEL | Use this config channel |
-r REVISION, --revision=REVISION | Use this revision |
-h, --help | Show help message and exit |
4.3.5. Downloading All Files in a Channel
rhncfg-manager download-channel channel-label --topdir .
Copying /tmp/dest_path/example-config.txt -> \ blah2/tmp/dest_path/example-config.txt
rhncfg-manager download-channel
:
Table 4.7. rhncfg-manager download-channel
options
Option | Description |
---|---|
-t TOPDIR, --topdir=TOPDIR | Directory all the file paths are relative to. This option must be set. |
-h, --help | Show help message and exit |
4.3.6. Getting the Contents of a File
rhncfg-manager get --channel=channel-label
\ /tmp/dest_path/example-config.txt
4.3.7. Listing All Files in a Channel
rhncfg-manager list channel-label
Files in config channel `example-channel3': /tmp/dest_path/example-config.txt
rhncfg-manager get
:
Table 4.8. rhncfg-manager get
options
Option | Description |
---|---|
-c CHANNEL, --channel=CHANNEL | Get file(s) from this config channel |
-t TOPDIR, --topdir=TOPDIR | Make all files relative to this string |
-r REVISION, --revision=REVISION | Get this file revision |
-h, --help | Show help message and exit |
4.3.8. Listing All Configuration Channels
rhncfg-manager list-channels
Available config channels: example-channel example-channel2 example-channel3 config-channel-14 config-channel-17
local_override
or server_import
channels.
4.3.9. Removing a File from a Channel
rhncfg-manager remove --channel=channel-label
/tmp/dest_path/example-config.txt
Red Hat Network username: rhn-user Password: Removing from config channel example-channel3 /tmp/dest_path/example-config.txt removed
rhncfg-manager remove
:
Table 4.9. rhncfg-manager remove
options
Option | Description |
---|---|
-c CHANNEL, --channel=CHANNEL | Remove files from this config channel |
-t TOPDIR, --topdir=TOPDIR | Make all files relative to this string |
-h, --help | Show help message and exit |
4.3.10. Deleting a Configuration Channel
rhncfg-manager remove-channel channel-label
Removing config channel example-channel Config channel example-channel removed
4.3.11. Determining the Number of File Revisions
rhncfg-manager revisions channel-label /tmp/dest_path/example-config.txt
Analyzing files in config channel example-channel \ /tmp/dest_path/example-config.txt: 1
4.3.12. Updating a File in a Channel
rhncfg-manager update \ --channel=channel-label
--dest-file=/path/to/file.txt
/local/path/to/file
Pushing to channel example-channel: Local file example-channel/tmp/dest_path/example-config.txt -> \ remote file /tmp/dest_path/example-config.txt
rhncfg-manager update
:
Table 4.10. rhncfg-manager update
options
Option | Description |
---|---|
-c CHANNEL, --channel=CHANNEL | Upload files in this config channel |
-d DEST_FILE, --dest-file=DEST_FILE | Upload the file as this path |
-t TOPDIR, --topdir=TOPDIR | Make all files relative to this string |
--delim-start=DELIM_START | Start delimiter for variable interpolation |
--delim-end=DELIM_END | End delimiter for variable interpolation |
-h, --help | Show help message and exit |
4.3.13. Uploading Multiple Files at Once
rhncfg-manager upload-channel --topdir=topdir
channel-label
Using config channel example-channel4 Uploading /tmp/ola_world.txt from blah4/tmp/ola_world.txt
rhncfg-manager upload-channel
:
Table 4.11. rhncfg-manager upload-channel
options
Option | Description |
---|---|
-t TOPDIR, --topdir=TOPDIR | Directory all the file paths are relative to |
-c CHANNEL, --channel=CHANNEL | List of channels the config info will be uploaded into. Channels delimited by ','. Example: --channel=foo,bar,baz |
-h, --help | Show help message and exit |
4.4. Using the Red Hat Satellite Command Line Tool (spacecmd)
spacecmd
tool interacts with Red Hat Satellite's XML-RPC API. This provides users with a simple way of executing Satellite functionality from the command line.
Note
spacecmd
requires your username and password. This opens a session ticket for the chosen user and all subsequent usage of spacecmd
uses this session until it expires, after one hour. Change the user and password using the -u USERNAME
and -p PASSWORD
options.
spacecmd
uses two methods of execution.
From the Interactive Shell
spacecmd
alone to start the interactive shell.
[root@satellite57 ~]# spacecmd Welcome to spacecmd, a command-line interface to Spacewalk. Type: 'help' for a list of commands 'help <cmd>' for command-specific help 'quit' to quit INFO: Connected to https://localhost/rpc/api as admin spacecmd {SSM:0}>
spacecmd
prompt, which also indicates the number of system attached to the System Set Manager (SSM).
system_list
:
spacecmd {SSM:0}> system_list system001.example.com system002.example.com system003.example.com system004.example.com ...
system_list
followed by the name of the system:
spacecmd {SSM:0}> system_listbasechannel system001.example.com rhel-x86_64-server-6
help
command.
From the Terminal
spacecmd
commands directly from the your Linux terminal. For example, use spacecmd system_list
to list all your systems:
[root@satellite57 ~]# spacecmd system_list INFO: Connected to https://localhost/rpc/api as admin system001.example.com system002.example.com system003.example.com system004.example.com ...
spacecmd system_listbasechannel systemname
:
[root@satellite57 ~]# spacecmd system_listbasechannel system001.example.com INFO: Connected to https://localhost/rpc/api as admin rhel-x86_64-server-6
spacecmd help
.
4.5. Using the Red Hat Satellite Final Archive Tool (spacewalk-final-archive)
spacewalk-final-archive
is used to generate a final archive of your Red Hat Satellite 5 server before decomissioning it. The command generates an archive file found at /tmp/spacewalk-final/final-archive.tar.bz2
. This archive includes:
- A backup of the database stored in the
archive/db_backup
directory. This backup is created with thedb-control
command. - A copy of all relevant system files stored in the
archive/debug
directory. This backup is created with thespacewalk-debug
command. - A final copy of all reports in CSV format stored in the
archive/reports
directory. This backup is created with thespacewalk-report
command. - Transition data in CSV format for use with Red Hat Satellite 6 stored in the
archive/transition
directory. This backup is created with thespacewalk-export
command.
[root@satellite57 ~]# spacewalk-final-archive
-h
option to see other options to restrict certain content from the archive or to change the archive export directory.
Chapter 5. Cloning Software Channels and Errata
spacewalk-clone-by-date
command to create custom cloned Red Hat Enterprise Linux channels based on the date an erratum was made available to the Red Hat Enterprise Linux system.
5.1. Features
spacewalk-clone-by-date
:
- Cloning the channel errata and associated package states as they were on a specific date
- Automating the cloning by scripts and template files
- Removing or blocking packages from channels
- Resolving package dependencies within the parent and child channels
- Filtering and acting on specific errata while ignoring others. For example, acting only on security errata and ignoring bugfixes and enhancements.
Note
spacewalk-clone-by-date
command as the root user and the username
needs to be either an Organizational Administrator or Channel Administrator.
Important
spacewalk-clone-by-date
is limited to Red Hat Enterprise Linux 5 and higher versions because spacewalk-clone-by-date
uses yum
metadata to complete dependency resolution.
5.2. Example Usage
rhel-i386-server-5
channel errata as it is on January 1st, 2012, into the channel named my-clone-RHEL-5.
# spacewalk-clone-by-date --username=your_username --password=your_password --server=satellite_server_url --channels=rhel-i386-server-5 my-clone-RHEL-5 --to_date=2012-01-01
Important
# spacewalk-clone-by-date --username=your_username --password=your_password --server=satellite_server_url --channels=rhel-i386-server-5 my-clone-RHEL-5 --to_date=2012-01-01 --security_only --background --blacklist=kernel,vim-extended --assumeyes
spacewalk-clone-by-date
for more information about the available options and how to use them.
Chapter 6. Maintaining System Security Using OpenSCAP
6.1. OpenSCAP Features
6.2. OpenSCAP Prerequisites
- A tool to verify that a system conforms to a standard.Satellite Server 5.5 and later use OpenSCAP as an auditing feature. This allows you to use the web interface to schedule and view compliance scans for any system.
- SCAP content.You can generate your own SCAP content if you have an understanding of at least XCCDF or OVAL. XCCDF content is also frequently published online under open source licenses, and you can customize this content to suit your needs instead.
Note
Red Hat supports the use of templates to evaluate your systems. However, custom content authoring of these templates is not supported.Some examples of bodies that publish XCCDF content are:- The United States Government Configuration Baseline (USGCB): Official SCAP content for desktops within federal agencies that has been developed at NIST in collaboration with Red Hat, Inc. and the United States Department of Defense (DoD) using OVAL.
- Community-provided content:
- SCAP Security Guide: Active community-run content that sources from the USGCB requirements and widely-accepted policies and contains profiles for desktop, server, and FTP server. Suitable for Red Hat Enterprise Linux 6 and JBoss Enterprise Application Server 5.
- OpenSCAP Content for Red Hat Enterprise Linux 6: The openscap-content package from the Red Hat Enterprise Linux 6 Optional Channel also provides default content guidance by means of a template.
6.3. Red Hat Satellite Prerequisites for Using OpenSCAP
- Satellite Server: Satellite 5.5 or later.
- Satellite Client: spacewalk-oscap package (available from the Red Hat Network Tools Child Channel).
A Management entitlement is required for scheduling scans.
Satellite Client: Distribution of the XCCDF content to all client machines.
- Traditional methods, such as CD, USB, NFS, SCP, FTP.
- Satellite scripts.
- RPM packages.Custom RPMs are the recommended way to distribute SCAP content to other machines. RPM packages can be signed and verified to ensure their integrity. Installation, removal, and verification of RPM packages can be managed from the user interface.
6.4. Performing Audit Scans
6.4.1. Using the Web Interface to Perform Audit Scans
Procedure 6.1. To Perform an Audit Scan Using the Web Interface:
- Log in to the Satellite web interface.
- Click Systems → system_name.
- Click Audit → Schedule.
- Complete the
Schedule New XCCDF Scan
page. See Section 6.5.2.3, “Schedule Page” for information about the fields on this page.Warning
The XCCDF content is validated before it is run on the remote system. Specifying invalid command-line arguments can causespacewalk-oscap
to fail to validate or run. Due to security concerns theoscap xccdf eval
command only accepts a limited set of parameters.
Note
rhn_check
command to ensure that the action is being picked up by the client system.
# rhn_check -vv
rhnsd
or osad
are running on the client system, the action will be picked up by these services. To check if they are running, run one of the following commands.
# service rhnsd start
# chkconfig rhnsd on
OR# service osad start
# chkconfig osad on
# systemctl enable rhnsd
# systemctl start rhnsd
OR# systemctl enable osad
# systemctl start osad
6.4.2. Using the API to Perform Audit Scans
Procedure 6.2. To Perform an Audit Scan Using the API:
- Choose an existing script or create a script for scheduling a system scan through
system.scap.scheduleXccdfScan
, the front-end API, for example:#!/usr/bin/python import xmlrpclib client = xmlrpclib.Server('https://satellite.example.com/rpc/api') key = client.auth.login('username', 'password') client.system.scap.scheduleXccdfScan(key, 1000010001, '/usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml', '--profile united_states_government_configuration_baseline')
Where:- 1000010001 is the
system ID (sid)
. /usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml
is the path to the content location on the client system. In this case, it assumes USGCB content in the/usr/local/share/scap
directory.--profile united_states_government_configuration_baseline
is an additional argument to theoscap
command. In this case, it is using the USGCB.
- Run the script on the command-line interface of any system. The system needs the appropriate Python and XML-RPC libraries installed.
Note
rhn_check
command to ensure that the action is being picked up by the client system.
# rhn_check -vv
rhnsd
or osad
are running on the client system, the action will be picked up by these services. To check if they are running, run one of the following commands:
# service rhnsd start
# chkconfig rhnsd on
OR# service osad start
# chkconfig osad on
# systemctl enable rhnsd
# systemctl start rhnsd
OR# systemctl enable osad
# systemctl start osad
6.4.3. Viewing the Results of SCAP Audits
- Using the web interface. After the scan has finished, the results are available on the Audit page of specific system. See Section 6.5, “OpenSCAP Satellite Web Interface”.
- Using the API functions in handler
system.scap
. - Using the
spacewalk-report
command, as follows:# spacewalk-report system-history-scap
# spacewalk-report scap-scan
# spacewalk-report scap-scan-results
6.5. OpenSCAP Satellite Web Interface
6.5.1. OpenSCAP Scans Page
6.5.1.1. All Scans
- System: the system that was scanned.
- XCCDF Profile: the evaluated profile.
- Completed: the time the scan was completed.
- Satisfied: the number of rules that were satisfied. A rule is considered to be Satisfied if the result of the evaluation is either Pass or Fixed.
- Dissatisfied: the number of rules that were not satisfied. A rule is considered to be Dissatisfied if the result of the evaluation is Fail.
- Unknown: the number of rules that failed to evaluate. A rule is considered to be Unknown if the result of the evaluation is Error, Unknown or Not Checked.
6.5.1.2. XCCDF Diff
diff
output of similar scans. Alternatively, or you can specify the ID of arbitrary scans.
6.5.1.3. Advanced Search
- Rule results.
- Targeted machine.
- Time frame of the scan.
6.5.2. Systems Audit Page
Security Content Automation Protocol (SCAP).
Before you scan a system, ensure that the SCAP content is prepared and all prerequisites are met.
6.5.2.1. List Scans
Table 6.1. OpenSCAP Scan Labels
Column Label | Definition |
---|---|
XCCDF Test Result | The scan test result name. This is also a link to the detailed results of the scan. |
Completed | The exact time the scan finished. |
Compliance | The unweighted pass:fail ratio of compliance based on the standard that was used. |
P | The number of checks that passed. |
F | The number of checks that failed. |
E | The number of errors that occurred during the scan. |
U | Unknown |
N | Not applicable to the machine. |
K | Not checked. |
S | Not selected. |
I | Informational |
X | Fixed |
Total | Total number of checks. |
- No difference between the compared scans.
- Arbitrary differences between the compared scans.
- Major differences between the compared scans. Either there are more failures than the previous scan or less passes.
- No comparable scan was found, and therefore no comparison was made.
6.5.2.2. Scan Details
This section displays various details about the scan, including:
File System Path:
The path to the XCCDF file used for the scan.Command-line Arguments:
Any additional command-line arguments that were used.Profile Identifier:
The profile identifier used for the scan.Profile Title:
The title of the profile used for the scan.Scan's Error output:
Any errors encountered during the scan.
The rule results provide the full list of XCCDF rule identifiers, identifying tags, and the result for each of these rule checks. This list can be filtered by a specific result.
6.5.2.3. Schedule Page
- Command-line Arguments: Optional arguments to the
oscap
command, either:--profile PROFILE
: Specifies a particular profile from the XCCDF document.Profiles are determined by theProfile
tag in the XCCDF XML file. Use theoscap
command to see a list of profiles within a given XCCDF file, for example:$ oscap info /usr/share/openscap/scap-rhel6-xccdf.xml Document type: XCCDF Checklist Checklist version: 1.1 Status: draft Generated: 2011-10-12 Imported: 2012-11-15T22:10:41 Resolved: false Profiles: RHEL6-Default
If not specified, the default profile is used.Note
Some early versions of OpenSCAP in Red Hat Enterprise Linux 5 require that you use the--profile
option or the scan will fail.--skip-valid
: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.
- Path to XCCDF Document: This is a required field. The
path
parameter points to the XCCDF content location on the client system. For example:/usr/local/scap/dist_rhel6_scap-rhel6-oval.xml
Warning
The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can causespacewalk-oscap
to fail to validate or run. Due to security concerns, theoscap xccdf eval
command only accepts a limited set of parameters.
Chapter 7. Reporting Client Software Failures
7.1. Viewing Software Failures for a Single Client
Procedure 7.1. To View Software Failures for a Single Client:
- Log in to the Red Hat Satellite Web UI.
- Click Systems → system_name → Software → Software Crashes to see the list of software failures that occurred on the registered system.
- Click the required failure to display its details and the files captured for this software failure report.
7.2. Grouping Similar Software Failures
Procedure 7.2. To view similar software failures across clients
- Log into your Red Hat Satellite Web UI.
- Click Systems → Software Crashes to see a list of all software failures across all registered systems.
- Click the on a Crash UUID to see the systems affected by the software failure.
- Click on a specific system to see details and the files captured for the individual software failure report.
7.3. Changing Organization-wide Settings for Software Failure Reports
Procedure 7.3. To Change the Organization-wide Settings for Software Failures:
- In the Satellite Web UI, click Admin → <organization_name> → Configuration.
- Modify the desired organization-wide and upload size settings, and then click Update Organization.
7.4. Log Files of Software Failures
/var/satellite/systems/$org_id/$system_id/crashes/$crash_name/
directory.
Chapter 8. Generating Red Hat Satellite Reports
channel-packages
- Packages in channelschannels
- Channel reportcustom-info
- Display system custom infoentitlements
- Entitlement and channel list and usageerrata-channels
- List of errata in channelserrata-list
- Errata information based upon compliance checks against systemserrata-list-all
- List of all errataserrata-systems
- Listing of each errata applicable to each affected systeminactive-systems
- Inactive systems in Satelliteinventory
- Inventory reportkickstartable-trees
- List of kickstartable treespackages-updates-all
- List of packages that can be upgradedpackages-updates-newest
- List of packages that can be upgradedscap-scan
- Results of OpenSCAP xccdf evaluationscap-scan-results
- Results of OpenSCAP xccdf evaluationsystem-crash-count
- Crash count for systemssystem-crash-details
- Crash details for systemssystem-currency
- System currency listsystem-groups
- System groups in Satellitesystem-groups-keys
- Activation keys for system groupssystem-groups-systems
- Systems in system groupssystem-groups-users
- System groups users reportsystem-history
- System event historysystem-history-channels
- Channel event historysystem-history-configuration
- Configuration event historysystem-history-entitlements
- System entitlement event historysystem-history-errata
- Errata event historysystem-history-kickstart
- Kickstart event historysystem-history-packages
- Package event historysystem-history-scap
- OpenSCAP event historysystem-packages-installed
- Packages installed on systemsusers
- Users in the systemusers-systems
- Systems administered by individual users
spacewalk-report
command as follows:
# spacewalk-report report-name
Note
spacewalk-report
command with the -h
option.
Chapter 9. Scheduling Red Hat Satellite Administrative Tasks
taskomatic
service. These operations are segregated into individual tasks and grouped logically into a bunch that is defined by schedules. You can modify these schedules to execute at specific time intervals. Satellite schedules are used to:
- Remove the administrative burden from the organizational administrator by automating tasks.
- Schedule operational tasks for time frames that will not tax the organization's daily network traffic.
Table 9.1. Default Schedules in Red Hat Satellite 5.8
Schedule Name | Bunch Name | Bunch Function |
---|---|---|
channel-repodata-default | channel-repodata-bunch | Generates channel repository data. |
cleanup-data-default | cleanup-data-bunch | Cleans up orphaned and outdated data. |
clear-taskologs-default | clear-taskologs-bunch | Clears taskomatic run log history. |
cobbler-sync-default | cobbler-sync-bunch | Applies any cobbler configuration changes. |
compare-configs-default | compare-configs-bunch | Schedules a comparison of configuration files on all systems. |
daily-status-queue | daily-status-bunch | Sends daily report. |
errata-cache-default | errata-cache-bunch | Recalculates errata cache for a given server or channel. |
errata-queue-default | errata-queue-bunch | Processes errata. |
kickstart-cleanup-default | kickstart-cleanup-bunch | Cleans up stale kickstart files. |
kickstartfile-sync-default | kickstartfile-sync-bunch | Synchronizes kickstart profiles that were generated using the wizard. |
package-cleanup-default | package-cleanup-bunch | Cleans up orphaned packages. |
sandbox-cleanup-default | sandbox-cleanup-bunch | Cleans up sandbox. |
satcert-check-default | satcert-check-bunch | Determines expiration status of Satellite certificate. |
session-cleanup-default | session-cleanup-bunch | Deletes expired rows from the PXTSessions table to prevent it from growing too large. |
9.1. Scheduling a Run
Procedure 9.1. Creating a Schedule Template
- Log in to Satellite as the Organization Administrator.
- Click Admin → Task Schedules → Create Schedule.
- Complete the following fields:
- Schedule Name: must begin with a letter and contain only lowercase characters, hyphens, periods, underscores, or numerals.
- Bunch: the default bunch of administrative tasks the administrator can choose from.
- FrequencyThe following frequency options are available:
- Disable Schedule: only recommended for administrators who have advanced knowledge of the scheduled tasks and their consequences. Disabling schedules can change Satellite behavior.
- Daily: creates a daily schedule for a specific time of day.
- Weekly: creates a weekly schedule for a specific day and time of day.
- Monthly: creates a monthly schedule for a specific day and time of day.
- Custom Quartz Format: this format relies on cron expressions to define the schedule. For more information about this format, see the crontab man page (
man 5 crontab
.)
- Click Create Schedule.
Procedure 9.2. Editing Schedule Templates
- Log in to Satellite as the Organization Administrator.
- Click Admin → Task Schedules.
- Click the schedule that you want to modify.
- Change the Frequency type as required.
- Click Edit Schedule.
9.2. Setting Up a Self-Subscribed Red Hat Satellite
cdn-sync
command get new packages and content from the Red Hat CDN.
Important
- A self-subscribed Satellite treats the self-registration as it does any other client system registration. To prevent accidental changes to your self-subscribed Satellite lock the self-subscribed Satellite's system profile using Lock system in the system profile.
- A self-subscribed Satellite cannot use
osad
. Installing the client-sideosad
package will break the provisioning feature of Satellite.
9.2.1. Installing and Configuring a Self-Subscribed Satellite
Procedure 9.3. Installing and Configuring a Self-Subscribed Satellite
- Install Red Hat Enterprise Linux following the instructions provided in Scenario 1: Installing Satellite with Embedded Database in the Red Hat Satellite 5 Installation Guide. The installation has to be run in disconnected mode.
- After the installation, change the value of the
disconnected
parameter back to0
in the/etc/rhn/rhn.conf
configuration file so that you are able to use thecdn-sync
command in the next step.disconnected=0
- Use the
cdn-sync
command to download and import the base channel that matches the version of Red Hat Enterprise Linux installed on the Satellite server. Thecdn-sync
command can import the necessary files from the Red Hat CDN. Optionally, use thesatellite-sync
command to import the base channel content ISOs available for download. - Use the Satellite 5 web interface to create a cloned channel of the imported base channel. See Chapter 5, Cloning Software Channels and Errata for more information.
- Install the client side Satellite SSL certificate onto the Satellite server using the following command.
# rpm -Uvh /var/www/html/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
- Reconfigure
Red Hat Update Agent
to use the Satellite hostname and SSL certificate by editing the/etc/sysconfig/rhn/up2date
. Change the following options:sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT noSSLServerURL=http://satellite-server-hostname/XMLRPC serverURL=https://satellite-server-hostname/XMLRPC
- Register the Satellite server:
# rhnreg_ks --username satellite_username --password satellite_password
- Log into the Satellite web interface. Go to System Details → Channels then select the cloned base channel from the drop-down menu. Click Modify Base Channel.
9.2.2. Testing Self-Subscribed Satellite Functionality
Procedure 9.4. Testing Self-Subscribed Satellite Functionality
- Verify that synchronization from the Red Hat CDN is working.
# cdn-sync -l
Running thecdn-sync
command should list all the channels available to be synchronized. The output should resemble the following:17:34:02 p = previously imported/synced channel 17:34:02 . = channel not yet imported/synced
- Verify the source of package updates.
- Red Hat Enterprise Linux 6:
yum check-update
This should display information indicating that packages are downloaded from the Satellite rather than from the Red Hat CDN.
9.2.3. Client-Side Application Functionality with a Self-Subscribed Satellite
Important
- If a client-side application is not listed here it has not been tested.
- Red Hat recommends that Administrators lock the registered Self-Subscribed Satellite within the Satellite web interface. This prevents any scheduled event from executing. Before unlocking the Satellite review the pending events and delete those you do not want to run.
- Red Hat recommends Administrators entitle the Self-Subscribed Satellite to the Management level but not with the Provisioning entitlement. This helps to avoid possible harmful or accidental changes to the Satellite server.
- If the self-subscribed Satellite has been granted a Provisioning entitlement do not attempt to use the Satellite to re-provision itself. The Satellite will attempt to perform the re-installation of the Red Hat Enterprise Linux operating system but on reboot the Red Hat installation program will be unable to download the necessary packages from the Satellite to perform the installation. There is a high risk of data loss and service interruption for your Satellite, especially if external kickstart trees are used.
- Red Hat Update Agent ToolsThe
rhn_check
,rhnsd
and,yum
packages will all function normally on a self-subscribed Satellite. - PushThe
osad
package will not install. Theosad
package is used to push packages to client systems but it conflicts with the server-sideosa-dispatcher
package. Do not attempt to force the installation ofosad
on a self-subscribed Satellite. - Configuration Client ToolThe
rhncfg-client
package will function normally. - Configuration Management ToolThe
rhncfg-manager
package will function normally. - Custom InfoThe
rhn-custom-info
package will function normally.
Chapter 10. Troubleshooting
tail -f
command for all log files and then run yum list
. You should then examine all new log entries for potential clues.
- 10.1. Disk Space
- 10.2. Installing and Updating
- 10.3. Services
- 10.4. Connectivity
- 10.5. Logging and Reporting
- 10.6. Errors
- Q: I'm getting an "Error validating satellite certificate" error during a Red Hat Satellite installation. How do I fix it?
- Q: I'm getting an "ERROR: server.mount_point not set in the configuration file" error when I try to activate or synchronize the Red Hat Satellite. How do I fix it?
- Q: Why does cobbler check give an error saying that it needs a different version of yum-utils?
- Q: I'm getting an "unsupported version" error when I try to activate the Red Hat Satellite certificate. How do I fix it?
- Q: I'm getting an "Internal Server Error" complaining about ASCII when I try to edit the kickstart profile. What's going on?
- Q: I'm getting "Host Not Found" or "Could Not Determine FQDN" errors. What do I do now?
- Q: I'm getting a "This server is not an entitled Satellite" when I try to synchronize the Red Hat Satellite server. How do fix it?
- 10.7. Web Interface
- 10.8. Anaconda
- 10.9. Tracebacks
- 10.10. Registration
- 10.11. Kickstarts and Snippets
- 10.12. Multi-Organization Satellites and Satellite Certificate
- 10.13. Proxy Installation and Configuration
- Q: After configuring the Red Hat Network Package Manager how can I determine if the local packages were successfully added to the private Red Hat Network channel?
- Q: How can I determine whether the clients are connecting to the Squid server?
- Q: The Red Hat Update Agent on the client systems does not connect through the Red Hat Satellite Proxy. How can I resolve this error?
- Q: My Red Hat Satellite Proxy configuration does not work. Where do I begin troubleshooting it?
- Q: How do I troubleshoot general problems in the Red Hat Satellite Proxy?
- Q: My Red Hat Satellite Proxy encountered the error "Host Not Found"/"Could not Determine FQDN". What should I do?
- Q: I am having issues with Red Hat Satellite Proxy and network connection errors. What should I do?
- Q: I am having issues with package delivery errors and object corruption. What should I check for?
10.1. Disk Space
# df -h
# /usr/sbin/rhn-satellite status
# service httpd status
10.2. Installing and Updating
audit.log
files available so that Red Hat Support personnel can assist you. You can find the file in /var/log/audit/audit.log
and can attach the file to your Support ticket for engineers to assist you.
/var/satellite
to an NFS mount, and now SELinux is stopping it from working properly. What do I need to do?
# /usr/sbin/setsebool -P spacewalk_nfs_mountpoint on
# /usr/sbin/setsebool -P cobbler_use_nfs on
- Red Hat Developer Suite
- Red Hat Application Server
- Red Hat Extras
- JBoss product channels
10.3. Services
/etc/hosts
file may be incorrect.
# service taskomatic status
# db-control status
# service jabberd stop # rm -f /var/lib/jabberd/db/_db* # service jabberd start
10.4. Connectivity
- Attempt to connect to the Red Hat Satellite's database at the command line using the correct connection string as found in
/etc/rhn/rhn.conf
:# sqlplus username/password@sid
- Make sure that Red Hat Satellite is using Network Time Protocol (NTP) and set to the appropriate time zone. This also applies to all client systems and the separate database machine in Red Hat Satellite with Stand-Alone Database.
- Confirm the correct package:
rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm
is installed on the Red Hat Satellite and the correspondingrhn-org-trusted-ssl-cert-*.noarch.rpm
or raw CA SSL public (client) certificate is installed on all client systems. - Verify the client systems are configured to use the appropriate certificate.
- If also using one or more Red Hat Satellite Proxy Servers, ensure each Proxy's SSL certificates are prepared correctly. The Proxy should have both its own server SSL key-pair and CA SSL public (client) certificate installed, since it will serve in both capacities. See the SSL Certificates chapter of the Red Hat Satellite Client Configuration Guide for specific instructions.
- Make sure client systems are not using firewalls of their own, blocking required ports as identified in the Red Hat Satellite Installation Guide's Additional Requirements section.
# rm -rf temporary-directory
Note
/var/rhn-sat-import/
as the temporary directory.
SSL_CONNECT
errors, is the result of a Satellite being installed on a machine whose time had been improperly set. During the Satellite installation process, SSL certificates are created with inaccurate times. If the Satellite's time is then corrected, the certificate start date and time may be set in the future, making it invalid.
# date
# openssl x509 -dates -noout -in /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
# openssl x509 -dates -noout -in /etc/httpd/conf/ssl.crt/server.crt
10.5. Logging and Reporting
/var/log/rhn/
directory. These are rotated logs, which are log files created with a .<NUMBER> extension when the current rhn_satellite_install.log
file fills up to a size as specified by the logrotate(8)
daemon and the contents written to a rotated log file. For example, the rhn_satellite_install.log.1
contains the oldest rotated log file, while rhn_satellite_install.log.4
contains the most recently rotated log.
Table 10.1. Log Files
Component/Task | Log File Location |
---|---|
Apache Web server | /var/log/httpd/ directory |
Red Hat Satellite | /var/log/rhn/ directory |
Red Hat Satellite Installation Program | /var/log/rhn/rhn_satellite_install.log |
Database installation - Embedded Database | /var/log/rhn/install_db.log |
Database population | /var/log/rhn/populate_db.log |
Red Hat Satellite Synchronization Tool | /var/log/rhn/rhn_server_satellite.log |
Red Hat Network DB Control - Embedded Database | /var/log/rhn/rhn_database.log |
Red Hat Network Task Engine (taskomatic) | /var/log/messages |
yum | /var/log/yum.log |
XML-RPC transactions | /var/log/rhn/rhn_server_xmlrpc.log |
spacewalk-report
?
spacewalk-report
command to gather and display vital Satellite information at once.
Note
spacewalk-report
you must have the spacewalk-reports
package installed.
spacewalk-report
allows administrators to organize and display reports about content, errata, systems, system event history, and user resources across the Satellite. The spacewalk-report
command is used to generate reports on:
- System Inventory - Lists all of the systems registered to the Satellite.
- Entitlements - Lists all organizations on the Satellite, sorted by system or channel entitlements.
- Errata - Lists all the errata relevant to the registered systems, sorts errata by severity as well as the systems that apply to a particular erratum.
- Users - Lists all the users registered to the Satellite, and lists any systems associated with a particular user.
- System History - Lists all, or a subset, of the system events that have occurred.
# spacewalk-report report_name
Table 10.2. spacewalk-report
Reports
Report | Invoked as | Description |
---|---|---|
Group Audit | audit-server-groups | Audit of user changes in group |
Server Audit | audit-servers | Audit of server changes |
User Audit | audit-users | Audit of user changes |
Packages Report | channel-packages | Lists the packages, as well as the channels they are in |
Channels | channels | Lists the channels available on the server |
Cloned Channels | cloned-channels | Lists channels that have been cloned |
Custom Information | custom-info | Displays any custom information about the system |
Entitlements | entitlements | Lists all organizations on the Satellite with their system or channel entitlements |
Errata in channels | errata-channels | Lists errata in channels |
Errata Compliance | errata-list | Lists the details of errata out of compliance information |
All Errata | errata-list-all | Complete list of all errata |
Errata for systems | errata-systems | Lists applicable errata and any registered systems that are affected |
Relationship Mapping | host-guests | Provides host-guest mapping details |
Inactive Systems | inactive-systems | |
System Inventory | inventory | List of systems registered to the server, together with hardware and software information |
Kickstart Trees | kickstartable-trees | Lists trees able to be kickstarted |
Package Update | packages-updates-all | List of all packages that can be updated |
Newest Package Update | package-updates-newest | Lists the newest updates to packages |
SCAP Scans | scap-scan
scap-scan-results
| Displays the results of an OpenSCAP xccdf evaluation |
Splice Reporting | splice-export | Displays system data needed for splice integration for enhanced reporting |
Crash Count | system-crash-count | Displays the number of times systems have crashed |
Crash Details | system-crash-details | Lists the systems' crash details |
System Currency | system-currency | Lists system currency values |
System Groups | system-groups | Lists system groups in the Satellite server |
Group Activation keys | system-groups-keys | Lists all existing activation keys for the system groups |
Systems in System Groups | system-groups-systems | Lists all system groups and systems within each group |
Users in System Groups | system-groups-users | Lists all system groups and their affiliated users |
System history | system-history | Lists system event history |
System history channels | system-history-channels | Lists system event history |
System history configuration | system-history-configuration | Lists system configuration event history |
System history entitlements | system-history-entitlements | Lists system entitlement event history |
System history errata | system-history-errata | Lists system errata event history |
System history kickstart | system-history-kickstart | Lists system kickstart and provisioning event history |
System history packages | system-history-packages | Lists system package event history |
SCAP Event History | system-history-scap | Lists systems' OpenSCAP event history |
Installed Packages | system-packages-installed | Lists all packages installed on the systems |
Users in the system | users | Lists all users registered to the Satellite |
Systems administered | users-systems | Lists systems that can be administered by individual users |
spacewalk-report
with the --info
or --list-fields-info
and the report name. The description and list of possible fields in the report will be shown.
spacewalk-report(8)
manpage as well as the --help
parameter of the spacewalk-report
program can be used to get additional information about the program invocations and their options.
# rhn-schema-version
# rhn-charsets
traceback_mail
in /etc/rhn/rhn.conf
.
web.default_mail_from
option and appropriate value in /etc/rhn/rhn.conf
.
10.6. Errors
install.log
file, and locating the following error:
ERROR: unhandled exception occurred: Traceback (most recent call last): File "/usr/bin/rhn-satellite-activate", line 45, in ? sys.exit(abs(mod.main() or 0)) File "/usr/share/rhn/satellite_tools/rhn_satellite_activate.py", line 585, in main activateSatellite_remote(options) File "/usr/share/rhn/satellite_tools/rhn_satellite_activate.py", line 291, in activateSatellite_remote ret = s.satellite.deactivate_satellite(systemid, rhn_cert) File "/usr/lib/python2.4/site-packages/rhn/rpclib.py", line 603, in __call__ return self._send(self._name, args) File "/usr/lib/python2.4/site-packages/rhn/rpclib.py", line 326, in _request self._handler, request, verbose=self._verbose) File "/usr/lib/python2.4/site-packages/rhn/transports.py", line 171, in request headers, fd = req.send_http(host, handler) File "/usr/lib/python2.4/site-packages/rhn/transports.py", line 698, in send_http self._connection.connect() File "/usr/lib/python2.4/site-packages/rhn/connections.py", line 193, in connect sock.connect((self.host, self.port)) File "<string>", line 1, in connect socket.timeout: timed out
- Run the install script in disconnected mode, and skip the database installation which has already been done:
# ./install.pl --disconnected --skip-db-install
- Open
/etc/rhn/rhn.conf
with your preferred text editor, and add or modify the following line:server.satellite.rhn_parent = satellite.rhn.redhat.com
Remove the following line:disconnected=1
If you are using a proxy for the connection to Red Hat Network, you will also need to add or modify the following lines to reflect the proxy settings.server.satellite.http_proxy = <hostname>:<port> server.satellite.http_proxy_username = <username> server.satellite.http_proxy_password = <password>
- Re-activate Satellite in connected mode, using the
rhn-satellite-activate
command as the root user, including the path and filename of the Satellite manifest:# rhn-satellite-activate --manifest=manifest.zip --verbose
install.pl
script in connected mode, but with the --answer-file=answer file
option. Ensure the answer file has the HTTP proxy information specified as follows:
rhn-http-proxy = <hostname>:<port> rhn-http-proxy-username = <username> rhn-http-proxy-password = <password>
mount_point
configuration parameter in /etc/rhn/rhn.conf
does not point to a directory path, or the directory path it points to is not present or does not have permission to access the directory.
mount_point
configuration parameter in /etc/rhn/rhn.conf
. If it set to the default value of /var/satellite
, verify that the /var/satellite
and /var/satellite/redhat
directories exist. For all values, check that path to the file is accurate, and that the permissions are set correctly.
cobbler check
give an error saying that it needs a different version of yum-utils
?
cobbler check
command can give an error similar to the following:
# cobbler check The following potential problems were detected: #0: yum-utils need to be at least version 1.1.17 for reposync -l, current version is 1.1.16
reposync
package. The error is spurious and can be safely ignored. This error will be resolved in future versions of Red Hat Satellite.
ERROR: <Fault -2: 'unhandled internal exception: unsupported version: 96'>
RHN_PARENT: satellite.rhn.redhat.com Error reported from RHN: <Fault -2: 'unhandled internal exception: unsupported version: 115'> ERROR: unhandled XMLRPC fault upon remote activation: <Fault -2: 'unhandled internal exception: unsupported version: 115'> ERROR: <Fault -2: 'unhandled internal exception: unsupported version: 115'>
Invalid satellite certificate
'ascii' codec can't encode character u'\u2013'
- Ssh directly onto the Satellite server as the root user:
# ssh root@satellite.fqdn.com
- Find the kickstart profile that is causing the problem by looking at the dates of the files in
/var/lib/cobbler/config/profiles.d
and locating the one that was edited most recently:# ls -l /var/lib/cobbler/config/profiles.d/
- Open the profile in your preferred text editor, and locate the following text:
\u2013hostname
Change the entry to read:--hostname
- Save changes to the profile and close the file.
- Restart the Red Hat Satellite services to pick up the updated profile:
# rhn-satellite restart Shutting down rhn-satellite... Stopping RHN Taskomatic... Stopped RHN Taskomatic. Stopping cobbler daemon: [ OK ] Stopping rhn-search... Stopped rhn-search. Stopping MonitoringScout ... [ OK ] Stopping Monitoring ... [ OK ] Stopping httpd: [ OK ] Stopping tomcat5: [ OK ] Shutting down osa-dispatcher: [ OK ] Shutting down Oracle Net Listener ... [ OK ] Shutting down Oracle DB instance "rhnsat" ... [ OK ] Shutting down Jabber router: [ OK ] Done. Starting rhn-satellite... Starting Jabber services [ OK ] Starting Oracle Net Listener ... [ OK ] Starting Oracle DB instance "rhnsat" ... [ OK ] Starting osa-dispatcher: [ OK ] Starting tomcat5: [ OK ] Starting httpd: [ OK ] Starting Monitoring ... [ OK ] Starting MonitoringScout ... [ OK ] Starting rhn-search... Starting cobbler daemon: [ OK ] Starting RHN Taskomatic... Done.
- Return to the web interface. Note that the interface can take some time to resolve the services. It should return to normal after some time.
/etc/hosts
file. You may confirm this by examining /etc/nsswitch.conf
, which defines the methods and the order by which domain names are resolved. Usually, the /etc/hosts
file is checked first, followed by Network Information Service (NIS) if used, followed by DNS. One of these has to succeed for the Apache Web server to start and the Red Hat Network client applications to work.
/etc/hosts
file. It may look like this:
127.0.0.1 this_machine.example.com this_machine localhost.localdomain \ localhost
127.0.0.1 localhost.localdomain.com localhost
127.0.0.1 localhost.localdomain.com localhost 123.45.67.8 this_machine.example.com this_machine
cdn-sync
reports that the server is not activated as a Red Hat Satellite, it isn't subscribed to the respective Red Hat Satellite channel. If this is a newly installed system, make sure that the satellite manifest is activated on the system. If it was activated earlier, then it has become deactivated.
# yum repolist
# rhn-satellite-activate --manifest=manifest.zip --verbose
10.7. Web Interface
/var/log/tomcat6/catalina.out
log file.
/var/log/httpd/error_log
log file.
10.8. Anaconda
Error downloading kickstart file
. What is the problem and how do I fix it?
cobbler check
command, and read the output, which should look something like this:
# cobbler check The following potential problems were detected: #0: reposync is not installed, need for cobbler reposync, install/upgrade yum-utils? #1: yumdownloader is not installed, needed for cobbler repo add with --rpm-list parameter, install/upgrade yum-utils? #2: The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed #3: fencing tools were not found, and are required to use the (optional) power management features. install cman to use them
cobbler check
does not provide any answers, check the following:
- Verify
httpd
is running:service httpd status
- Verify
cobblerd
is running:service cobblerd status
- Verify that you can fetch the kickstart file using
wget
from a different host:wget http://satellite.example.com/cblr/svc/op/ks/profile/rhel5-i386-u3:1:Example-Org
The file chkconfig-1.3.30.1-2.i386.rpm cannot be opened
. What is the problem and how do I fix it?
--url
parameter in the kickstart. For example:
url --url http://satellite.example.com/ks/dist/ks-rhel-i386-server-5-u3
200 OK
response. You can do this by attempting to wget
the file located at that URL:
wget http://satellite.example.com/ks/dist/ks-rhel-i386-server-5-u3 --2011-08-19 15:06:55-- http://satellite.example.com/ks/dist/ks-rhel-i386-server-5-u3 Resolving satellite.example.com... 10.10.77.131 Connecting to satellite.example.com|10.10.77.131|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `ks-rhel-i386-server-5-u3.1' 2011-08-19 15:06:55 (0.00 B/s) - `ks-rhel-i386-server-5-u3.1' saved [0/0]
200 OK
, check the error logs to find out what the problem is. You can also check the actual file Anaconda tried to download by searching the access_log
file:
# grep chkconfig /var/log/httpd/access_log 10.10.77.131 - - [19/Aug/2011:15:12:36 -0400] "GET /rhn/common/DownloadFile.do?url=/ks/dist/ks-rhel-i386-server- 5-u3/Server /chkconfig-1.3.30.1-2.i386.rpm HTTP/1.1" 206 24744 "-" "urlgrabber/3.1.0 yum/3.2.19" 10.10.76.143 - - [19/Aug/2011:15:12:36 -0400] "GET /ks/dist/ks-rhel-i386-server-5-u3/Server/chkconfig- 1.3.30.1-2.i386.rpm HTTP/1.1" 206 24744 "-" "urlgrabber/3.1.0 yum/3.2.19" 10.10.76.143 - - [19/Aug/2011:15:14:20 -0400] "GET /ks/dist/ks-rhel-i386-server-5-u3/Server/chkconfig- 1.3.30.1-2.i386.rpm HTTP/1.1" 200 162580 "-" "urlgrabber/3.1.0 yum/3.2.19" 10.10.77.131 - - [19/Aug/2011:15:14:20 -0400] "GET /rhn/common/DownloadFile.do?url=/ks/dist/ks-rhel-i386-server- 5-u3/Server/chkconfig-1.3.30.1-2.i386.rpm HTTP/1.1" 200 162580 "-" "urlgrabber/3.1.0 yum/3.2.19"
access_log
file, the system might be having trouble with the networking setup. If the requests are appearing but are generating errors, check the error logs.
wget http://satellite.example.com/ks/dist/ks-rhel-i386-server-5-u3/Server/chkconfig-1.3.30.1-2.i386.rpm
10.9. Tracebacks
Subject: WEB TRACEBACK from satellite.example.com Date: Wed, 19 Aug 2011 20:28:01 -0400 From:Red Hat Satellite <dev-null@redhat.com> To: admin@example.com java.lang.RuntimeException: XmlRpcException calling cobbler. at com.redhat.rhn.manager.kickstart.cobbler.CobblerXMLRPCHelper.invokeMethod(CobblerXMLRPCHelper.java:72) at com.redhat.rhn.taskomatic.task.CobblerSyncTask.execute(CobblerSyncTask.java:76) at com.redhat.rhn.taskomatic.task.SingleThreadedTestableTask.execute(SingleThreadedTestableTask.java:54) at org.quartz.core.JobRunShell.run(JobRunShell.java:203) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520) Caused by: redstone.xmlrpc.XmlRpcException: The response could not be parsed. at redstone.xmlrpc.XmlRpcClient.handleResponse(XmlRpcClient.java:434) at redstone.xmlrpc.XmlRpcClient.endCall(XmlRpcClient.java:376) at redstone.xmlrpc.XmlRpcClient.invoke(XmlRpcClient.java:165) at com.redhat.rhn.manager.kickstart.cobbler.CobblerXMLRPCHelper.invokeMethod(CobblerXMLRPCHelper.java:69) ... 4 more Caused by: java.io.IOException: Server returned HTTP response code: 503 for URL: http://someserver.example.com:80/cobbler_api at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1236) at redstone.xmlrpc.XmlRpcClient.handleResponse(XmlRpcClient.java:420) ... 7 more
taskomatic
service. Try checking the following:
- Verify
httpd
is running:# service httpd status
- Verify
cobblerd
is running:# service cobblerd status
- Verify that there are no firewall rules that would prevent
localhost
connections
10.10. Registration
rhnreg_ks
command is failing when I run it, saying ERROR: unable to read system id
. What is the problem?
%post
section that registers the machine to the Red Hat Satellite:
# begin Red Hat management server registration mkdir -p /usr/share/rhn/ wget http://satellite.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT perl -npe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/* rhnreg_ks --serverUrl=https://satellite.example.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-c8d01e2f23c6bbaedd0f6507e9ac079d # end Red Hat management server registration
- Create a directory to house the custom SSL cert used by the Red Hat Satellite.
- Fetch the SSL certificate to use during registration.
- Search and replace the SSL certificate strings from the
rhn_register
configuration files, and then register to the Red Hat Satellite using the SSL certificate and an activation key. Every kickstart profile includes an activation key that assures that the system is assigned the correct base and child channels, and gets the correct system entitlements. If it is a reprovisioning of an existing system, the activation key will also ensure it is associated with the previous system profile.
rhnreg_ks
command fails, you might see errors like this in the ks-post.log
log file:
ERROR: unable to read system id.
rhn_check
and the system has not registered to the Red Hat Satellite.
10.11. Kickstarts and Snippets
/var/lib/rhn/kickstarts/
. Within this directory, raw kickstarts are in the upload
subdirectory, and wizard-generated kickstarts are in the wizard
subdirectory:
Raw Kickstarts: /var/lib/rhn/kickstarts/upload/$profile_name--$org_id.cfg Wizard Kickstarts: /var/lib/rhn/kickstarts/wizard/$profile_name--$org_id.cfg
/var/lib/rhn/kickstarts/snippets
. Cobbler accesses snippets using the symbolic link /var/lib/cobbler/snippets/spacewalk
.
Snippets: /var/lib/rhn/kickstarts/snippets/$org_id/$snippet_name
Important
10.12. Multi-Organization Satellites and Satellite Certificate
- In the
/etc/rhn/rhn.conf
file, setweb.force_unentitlement
to 1. - Restart the Satellite.
- Reduce the allocated entitlements to the desired organizations either via each organization's Subscriptions tab or via individual entitlement's Organizations tabs.
- A number of systems in the organization should now be in an unentitled state. The number of systems unentitled in the organization will be equal to the difference between the total number of entitlements you removed from the organization and the number of entitlements the organization did not have applied to the systems.For example, if you removed 10 entitlements from the organization in step 3, and the organization has 4 entitlements that were not in use by systems, then 6 systems in the organization will be unentitled.
web.force_unentitlement
variable is only necessary to reduce an organization's allocated entitlements below what they are using. If an organization has more entitlements than are being actively used, you do not need to set this variable to remove them.
10.13. Proxy Installation and Configuration
rhn_package_manager -l -c "name_of_private_channel"
to list the private channel packages known to the Satellite. Or visit the Satellite interface.
yum --disablerepo="*" --enablerepo="your_repo_name" list available
on the registered system and look for the packages from the private Satellite channel.
/var/log/squid/access.log
file logs all connections to the Squid server.
yum update yum
as root or from http://www.redhat.com/support/errata/.
/etc/sysconfig/rhn/systemid
is owned by root.apache with the permissions 0640.
df -h
service httpd status
service squid status
traceback_mail
in /etc/rhn/rhn.conf
.
/etc/hosts
file. Confirm this by examining the /etc/nsswitch.conf
file, which defines the methods and the order by which domain names are resolved. Usually, the /etc/hosts
file is checked first, followed by Network Information Service (NIS) if it is being used, followed by DNS. One of these has to succeed for the Apache Web server to start and the Red Hat Network client applications to work.
/etc/hosts
file. It may look like this:
127.0.0.1 this_machine.example.com this_machine localhost.localdomain \ localhost
127.0.0.1 localhost.localdomain.com localhost
127.0.0.1 localhost.localdomain.com localhost 123.45.67.8 this_machine.example.com this_machine
- Confirm the correct package:
rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm
is installed on the Red Hat Satellite Proxy and the correspondingrhn-org-trusted-ssl-cert-*.noarch.rpm
or raw CA SSL public (client) certificate is installed on all client systems. - Verify the client systems are configured to use the appropriate certificate.
- If using one or more Red Hat Satellite Proxies, ensure each Proxy's SSL certificate is prepared correctly. If using the Red Hat Satellite Proxy in conjunction with a Red Hat Satellite, the Proxy should have both its own server SSL key-pair and CA SSL public (client) certificate installed, since it will serve in both capacities. See the SSL Certificates chapter of the Red Hat Satellite Client Configuration Guide for specific instructions.
- If the Red Hat Satellite Proxy is connecting through an HTTP Proxy, make sure the URL listed is valid. For instance, the HTTP Proxy URL field should not contain references to protocols, such as http:// or https://. Only the hostname and port should be included in the form hostname:port, such as
your-gateway.example.com:8080
. - Make sure client systems are not using firewalls of their own, blocking required ports, as identified in the Additional Requirements section of the Red Hat Satellite Proxy Installation Guide.
/var/spool/squid/
. To clear it:
- Stop the Apache Web server:
service httpd stop
- Stop the Squid server:
service squid stop
- Delete the contents of that directory:
rm -fv /var/spool/squid/*
- Restart both services:
service squid start service httpd start
rm -fv /var/spool/squid/*
Note
satellite-debug
. To use this tool, issue the command as root. You will see the pieces of information collected and the single tarball created, like so:
# satellite-debug Collecting and packaging relevant diagnostic information. Warning: this may take some time... * copying configuration information * copying logs * querying RPM database (versioning of Red Hat Satellite, etc.) * querying schema version and database character sets * get diskspace available * timestamping * creating tarball (may take some time): /tmp/satellite-debug.tar.bz2 * removing temporary debug tree Debug dump created, stored in /tmp/satellite-debug.tar.bz2 Deliver the generated tarball to your Red Hat Network contact or support channel.
/tmp/
directory to your Red Hat representative for immediate diagnosis.
sosreport
. This tool collects your Proxy's configuration parameters, log files, and database information and sends it directly to Red Hat.
sos
package installed. Type sosreport -o satellite
as root on the Satellite server to create a report. For example:
[root@satserver ~]# sosreport -o satellite sosreport (version 3.2) This command will collect diagnostic and configuration information from this Red Hat Enterprise Linux system and installed applications. An archive containing the collected information will be generated in /tmp and may be provided to a Red Hat support representative. Any information provided to Red Hat will be treated in accordance with the published support policies at: https://access.redhat.com/support/ The generated archive may contain data considered sensitive and its content should be reviewed by the originating organization before being passed to any third party. No changes will be made to system configuration. Press ENTER to continue, or CTRL-C to quit.
/tmp/
directory to your Red Hat representative for immediate diagnosis.
Appendix A. Revision History
Revision History | |||
---|---|---|---|
Revision 1.1-0 | Wed Feb 1 2017 | Satellite Documentation Team | |
|