Show Table of Contents
5.4. Configuring a Red Hat Satellite Capsule Server
Prerequisite
You must meet the following conditions before continuing on this task:
- Install the Red Hat Satellite Server.
- Set the SELinux permissions on the system designated as the Satellite Capsule Server as enforcing.
The following procedures configure a Satellite Capsule Server for use with your Red Hat Satellite Server. This includes the following types of Satellite Capsule Servers:
- Satellite Capsule Server with Smart Proxy
- Satellite Capsule Server as a Content Node
- Satellite Capsule Server as a Content Node with Smart Proxy
To configure a Satellite Capsule Server:
- On the Satellite Server:
- Generate a Satellite Capsule Server certificate:
capsule-certs-generate --capsule-fqdn capsule_FQDN --certs-tar ~/capsule.example.com-certs.tar
Where:capsule_FQDNis the Satellite Capsule Server's fully qualified domain name. (REQUIRED)certs-taris the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
Runningcapsule-certs-generatewill generate the following output message:To finish the installation, follow these steps: 1. Ensure that the capsule-installer is available on the system. The capsule-installer comes from the katello-installer package and should be acquired through the means that are appropriate to your deployment. 2. Copy ~/capsule.example.com-certs.tar to the capsule system capsule.example.com 3. Run the following commands on the capsule (possibly with the customized parameters, see capsule-installer --help and documentation for more info on setting up additional services): rpm -Uvh http://master.com/pub/katello-ca-consumer-latest.noarch.rpm subscription-manager register --org "Default Organization" capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true" - Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server:
- Register your Satellite Capsule Server to the Satellite Server:
# rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm # subscription-manager register --org "Default Organization" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing. - Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "satellite.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com" - Option 2 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com"
- Run the following commands to configure the firewall to limit elasticsearch to the
foreman,katelloand root users and make these rules persistent during reboots:- For Red Hat Enterprise Linux 6:
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP iptables-save > /etc/sysconfig/iptables
- For Red Hat Enterprise Linux 7:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP
Note
If the configuration is successful, run this command as the root user on the Satellite Capsule Server:
# echo $?
This command should return a "0" to indicate success. If it does not, check
/var/log/kafo to debug the cause of failure. /var/log/kafo is the log file for the output generated by the commands capsule-certs-generate and capsule-installer.
The Satellite Capsule Server should also appear in the Satellite Server's User Interface under → .
Result:
The Satellite Capsule Server is now configured and registered with the Satellite Server.
5.4.1. Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate
katello-installer comes with a default CA used both for the server ssl certificates as well as the client certificates used for authentication of the subservices. These certificates can be replaced with custom ones.
There are two instances wherein you can configure the Satellite Capsule Server to use a custom CA certificate:
- When
capsule-certs-generateis run the first time - After
capsule-certs-generatehas already been run
Procedure 5.2. Setting a Custom Server Certificate while running capsule-certs-generate for the first time
- Run this command on the Red Hat Satellite Server:
capsule-certs-generate --capsule-fqdn "$CAPSULE"\ --certs-tar "~/$CAPSULE-certs.tar"\ --server-cert ~/path/to/server.crt\ --server-cert-req ~/path/to/server.crt.req\ --server-key ~/path/to/server.key\ --server-ca-cert ~/cacert.crtWhere:capsule_FQDNis the Satellite Capsule Server's fully qualified domain name. (REQUIRED)certs-taris the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.server-certis the path to your certificate, signed by your certificate authority (or self signed)server-cert-reqis the path to your certificate signing request file that was used to create the certificate.server-keyis the private key used to sign the certificateserver-ca-cert~/path/to/cacert.crt the path to the CA certificate on this system.
- Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server:
- Register your Satellite Capsule Server to the Satellite Server:
# rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm # subscription-manager register --org "ACME_Corporation" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing. - Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "satellite.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com" - Option 2 - Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --puppet "false"\ --puppetca "false"\ --pulp "true" - Option 3 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com"
Procedure 5.3. Setting a Custom Server Certificate after running capsule-certs-generate
Using custom server certificates for the Satellite Server means that the same custom server certificates need to be deployed in the Satellite Capsule Servers. Each Satellite Capsule Server will require the following steps:
- Generate a new certificate based on your custom server certificate:
capsule-certs-generate --capsule-fqdn "satcapsule.example.com"\ --certs-tar "~/$CAPSULE-certs.tar"\ --server-cert ~/path/to/server.crt\ --server-cert-req ~/path/to/server.crt.req\ --server-key ~/path/to/server.key\ --server-ca-cert ~/cacert.crt\ --certs-update-server --certs-update-server-ca - Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server, re-run the capsule-installer command to refresh the certificates. Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "satellite.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com" - Option 2 - Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --puppet "false"\ --puppetca "false"\ --pulp "true" - Option 3 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com"
Important
Use the same custom server certificate on both the Red Hat Satellite Server and the Red Hat Satellite Capsule Server to ensure that the trusted relationship between the two hosts is maintained.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.