5.4. Configuring a Red Hat Satellite Capsule Server

Prerequisite

You must meet the following conditions before continuing on this task:

  • Install the Red Hat Satellite Server.
  • Set the SELinux permissions on the system designated as the Satellite Capsule Server as enforcing.
The following procedures configure a Satellite Capsule Server for use with your Red Hat Satellite Server. This includes the following types of Satellite Capsule Servers:
  • Satellite Capsule Server with Smart Proxy
  • Satellite Capsule Server as a Content Node
  • Satellite Capsule Server as a Content Node with Smart Proxy
To configure a Satellite Capsule Server:
  1. On the Satellite Server:
    1. Generate a Satellite Capsule Server certificate:
      capsule-certs-generate --capsule-fqdn capsule_FQDN --certs-tar ~/capsule.example.com-certs.tar
      
      Where:
      • capsule_FQDN is the Satellite Capsule Server's fully qualified domain name. (REQUIRED)
      • certs-tar is the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
      Running capsule-certs-generate will generate the following output message:
          To finish the installation, follow these steps:
        1. Ensure that the capsule-installer is available on the system.
           The capsule-installer comes from the katello-installer package and
           should be acquired through the means that are appropriate to your deployment.
        2. Copy ~/capsule.example.com-certs.tar to the capsule system capsule.example.com
        3. Run the following commands on the capsule (possibly with the customized
           parameters, see capsule-installer --help and
           documentation for more info on setting up additional services):
        rpm -Uvh http://master.com/pub/katello-ca-consumer-latest.noarch.rpm
        subscription-manager register --org "Default Organization"
        capsule-installer --parent-fqdn          "sat6.example.com"\
                          --register-in-foreman  "true"\
                          --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                          --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                          --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                          --certs-tar            "~/capsule.example.com-certs.tar"\
                          --puppet               "true"\
                          --puppetca             "true"\
                          --pulp                 "true"
      
    2. Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
  2. On the Satellite Capsule Server:
    1. Register your Satellite Capsule Server to the Satellite Server:
      # rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
      # subscription-manager register --org "Default Organization" --env [environment]/[content_view_name]
      

      Note

      The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.
      Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing.
    2. Depending on the desired Satellite Capsule Server type, choose one of the following options:
      1. Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
          
        # capsule-installer --parent-fqdn          "satellite.example.com"\
                            --register-in-foreman  "true"\
                            --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                            --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                            --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                            --certs-tar            "/root/capsule.example.com-certs.tar"\
                            --puppet               "true"\
                            --puppetca             "true"\
                            --pulp                 "true"\
                            --tftp                 "true"\
                            --dhcp                 "true"\
                            --dhcp-interface       "virbr1"\
                           --dns                  "true"\
                           --dns-forwarders       "8.8.8.8"\
                           --dns-forwarders       "8.8.4.4"\
                           --dns-interface        "virbr1"\
                           --dns-zone             "example.com"
        
        
      2. Option 2 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
        # capsule-installer --parent-fqdn          "sat6.example.com"\
                            --register-in-foreman  "true"\
                            --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                            --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                            --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                            --certs-tar            "/root/capsule.example.com-certs.tar"\
                            --puppet               "true"\
                            --puppetca             "true"\
                            --pulp                 "true"\
                            --tftp                 "true"\
                            --dhcp                 "true"\
                            --dhcp-interface       "virbr1"\
                           --dns                  "true"\
                           --dns-forwarders       "8.8.8.8"\
                           --dns-forwarders       "8.8.4.4"\
                           --dns-interface        "virbr1"\
                           --dns-zone             "example.com"
        
        
  3. Run the following commands to configure the firewall to limit elasticsearch to the foreman, katello and root users and make these rules persistent during reboots:
    • For Red Hat Enterprise Linux 6:
      iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
      iptables-save > /etc/sysconfig/iptables
      
    • For Red Hat Enterprise Linux 7:
      firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP
      

Note

If the configuration is successful, run this command as the root user on the Satellite Capsule Server:
# echo $?
This command should return a "0" to indicate success. If it does not, check /var/log/kafo to debug the cause of failure. /var/log/kafo is the log file for the output generated by the commands capsule-certs-generate and capsule-installer.
The Satellite Capsule Server should also appear in the Satellite Server's User Interface under InfrastructureCapsules.
Result:

The Satellite Capsule Server is now configured and registered with the Satellite Server.

5.4.1. Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate

katello-installer comes with a default CA used both for the server ssl certificates as well as the client certificates used for authentication of the subservices. These certificates can be replaced with custom ones.
There are two instances wherein you can configure the Satellite Capsule Server to use a custom CA certificate:
  1. When capsule-certs-generate is run the first time
  2. After capsule-certs-generate has already been run

Procedure 5.2. Setting a Custom Server Certificate while running capsule-certs-generate for the first time

  1. Run this command on the Red Hat Satellite Server:
    capsule-certs-generate --capsule-fqdn "$CAPSULE"\
                           --certs-tar "~/$CAPSULE-certs.tar"\
                           --server-cert ~/path/to/server.crt\
                           --server-cert-req ~/path/to/server.crt.req\
                           --server-key ~/path/to/server.key\
                           --server-ca-cert ~/cacert.crt
    
    Where:
    • capsule_FQDN is the Satellite Capsule Server's fully qualified domain name. (REQUIRED)
    • certs-tar is the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
    • server-cert is the path to your certificate, signed by your certificate authority (or self signed)
    • server-cert-req is the path to your certificate signing request file that was used to create the certificate.
    • server-key is the private key used to sign the certificate
    • server-ca-cert ~/path/to/cacert.crt the path to the CA certificate on this system.
  2. Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
  3. On the Satellite Capsule Server:
    1. Register your Satellite Capsule Server to the Satellite Server:
      # rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
      # subscription-manager register --org "ACME_Corporation" --env [environment]/[content_view_name]
      

      Note

      The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.
      Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing.
    2. Depending on the desired Satellite Capsule Server type, choose one of the following options:
      1. Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
          
        # capsule-installer --parent-fqdn          "satellite.example.com"\
                            --register-in-foreman  "true"\
                            --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                            --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                            --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                            --certs-tar            "/root/capsule.example.com-certs.tar"\
                            --puppet               "true"\
                            --puppetca             "true"\
                            --pulp                 "true"\
                            --tftp                 "true"\
                            --dhcp                 "true"\
                            --dhcp-interface       "virbr1"\
                           --dns                  "true"\
                           --dns-forwarders       "8.8.8.8"\
                           --dns-forwarders       "8.8.4.4"\
                           --dns-interface        "virbr1"\
                           --dns-zone             "example.com"
        
        
      2. Option 2 - Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
        # capsule-installer --parent-fqdn          "sat6.example.com"\
                            --register-in-foreman  "true"\
                            --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                            --certs-tar           "~/capsule.example.com-certs.tar"\
                            --puppet               "false"\
                            --puppetca             "false"\
                            --pulp                 "true"
        
      3. Option 3 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
        # capsule-installer --parent-fqdn          "sat6.example.com"\
                            --register-in-foreman  "true"\
                            --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                            --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                            --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                            --certs-tar            "/root/capsule.example.com-certs.tar"\
                            --puppet               "true"\
                            --puppetca             "true"\
                            --pulp                 "true"\
                            --tftp                 "true"\
                            --dhcp                 "true"\
                            --dhcp-interface       "virbr1"\
                           --dns                  "true"\
                           --dns-forwarders       "8.8.8.8"\
                           --dns-forwarders       "8.8.4.4"\
                           --dns-interface        "virbr1"\
                           --dns-zone             "example.com"
        
        

Procedure 5.3. Setting a Custom Server Certificate after running capsule-certs-generate

Using custom server certificates for the Satellite Server means that the same custom server certificates need to be deployed in the Satellite Capsule Servers. Each Satellite Capsule Server will require the following steps:
  1. Generate a new certificate based on your custom server certificate:
    capsule-certs-generate --capsule-fqdn "satcapsule.example.com"\
                           --certs-tar "~/$CAPSULE-certs.tar"\
                           --server-cert ~/path/to/server.crt\
                           --server-cert-req ~/path/to/server.crt.req\
                           --server-key ~/path/to/server.key\
                           --server-ca-cert ~/cacert.crt\
                           --certs-update-server --certs-update-server-ca
    
  2. Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
  3. On the Satellite Capsule Server, re-run the capsule-installer command to refresh the certificates. Depending on the desired Satellite Capsule Server type, choose one of the following options:
    1. Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
        
      # capsule-installer --parent-fqdn          "satellite.example.com"\
                          --register-in-foreman  "true"\
                          --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                          --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                          --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                          --certs-tar            "/root/capsule.example.com-certs.tar"\
                          --puppet               "true"\
                          --puppetca             "true"\
                          --pulp                 "true"\
                          --tftp                 "true"\
                          --dhcp                 "true"\
                          --dhcp-interface       "virbr1"\
                         --dns                  "true"\
                         --dns-forwarders       "8.8.8.8"\
                         --dns-forwarders       "8.8.4.4"\
                         --dns-interface        "virbr1"\
                         --dns-zone             "example.com"
      
      
    2. Option 2 - Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
      # capsule-installer --parent-fqdn          "sat6.example.com"\
                          --register-in-foreman  "true"\
                          --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                          --certs-tar           "~/capsule.example.com-certs.tar"\
                          --puppet               "false"\
                          --puppetca             "false"\
                          --pulp                 "true"
      
    3. Option 3 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
      # capsule-installer --parent-fqdn          "sat6.example.com"\
                          --register-in-foreman  "true"\
                          --foreman-oauth-key    "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\
                          --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\
                          --pulp-oauth-secret    "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\
                          --certs-tar            "/root/capsule.example.com-certs.tar"\
                          --puppet               "true"\
                          --puppetca             "true"\
                          --pulp                 "true"\
                          --tftp                 "true"\
                          --dhcp                 "true"\
                          --dhcp-interface       "virbr1"\
                         --dns                  "true"\
                         --dns-forwarders       "8.8.8.8"\
                         --dns-forwarders       "8.8.4.4"\
                         --dns-interface        "virbr1"\
                         --dns-zone             "example.com"
      
      

Important

Use the same custom server certificate on both the Red Hat Satellite Server and the Red Hat Satellite Capsule Server to ensure that the trusted relationship between the two hosts is maintained.