Chapter 12. Running Jobs on Satellite Hosts

Red Hat Satellite supports the ability to run arbitrary commands on hosts. This is referred to as remote execution. Remote execution is enabled by default on the Satellite Server, but must be enabled manually on all desired Capsule Servers. Communication occurs through the Capsule Server which means that the Satellite Server does not require direct access to the target host, and can scale to control many hosts. Remote execution uses the SSH service which must be enabled and running on the target host. Ensure the Capsule has access to port 22 on the target hosts.
Commands can be customized in a similar fashion to provisioning templates or partition tables. Several job templates are included by default, that you can use to run commands. See Section 12.2.1, “Setting up Job Templates”.

Note

Any Capsule Server's base system is a client of Satellite Server's internal Capsule, and therefore this section applies to any type of host connected to Satellite Server, including Capsule Servers.
You can execute commands on multiple hosts at once, and you can use variables in your commands to suit your deployment. Variable values can be filled by host fact, smart class parameter, smart variable, or even host parameter. In addition, you can specify custom values for templates when you run the command. See Section 12.2.2, “Executing Jobs”.
The following list provides some examples of how you can use remote execution:
  • Install, update, or remove software packages
  • Bootstrap a configuration management agent
  • Trigger a Puppet, Salt, or Chef run
By default, each Capsule is installed with the remote execution feature disabled. To use remote execution on a Capsule Server you need to enable it. To enable, run the following command:
# satellite-installer --scenario capsule --enable-foreman-proxy-plugin-remote-execution-ssh
To verify that remote execution is running on the Capsule Server and in the web UI navigate to InfrastructureCapsules. The Capsule Server should now list in the Features column that SSH is running.
By default, Satellite Server is configured to use remote execution rather than Katello Agent. If required, these settings can be changed by first creating custom job templates and then selecting these new templates in the web UI by going to AdministerRemote Execution Features. For each action you want to change, select the label and then select the job template to use.

12.1. Establishing a Secure Connection for Remote Commands

The SSH keys used for remote execution are created automatically when installing a Capsule and the settings are in the /etc/foreman-proxy/settings.d/remote_execution_ssh.yml file. They include the following options:
ssh_identity_file
File to load the SSH key from. By default, set to /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.
local_working_dir
Directory used on the Satellite or Capsule to run the scripts necessary for remote execution. By default, set to /var/tmp.
remote_working_dir
Directory on the client system that is used to execute the remote execution jobs. By default, set to /var/tmp.

Note

If the client system has noexec set for the /var/ volume or file system, change the remote_working_dir as otherwise the remote execution job will fail since the script cannot be executed.
If required to use an alternative directory, create the new directory, for example new_place, and then copy the SELinux context from the default directory. For example:
# chcon --reference=/var new_place
See the Maintaining SELinux Labels section of the SELinux User's and Administrator's Guide for more information on working with SELinux labels.

Distributing the SSH Keys for Remote Execution

To enable remote execution, distribute the public SSH key from a Capsule to the hosts that you want to manage. Ensure the SSH service is enabled and running on the hosts. Configure any network or host-based firewalls to enable access to port 22.
There are three ways to distribute the public key from a Capsule to target hosts:
  • To distribute keys manually, execute the following command on the Capsule:
    # ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub root@target.example.com
    Here target.example.com is the host name of the target host. Repeat for each target host you want to manage.
    To confirm the key was successfully copied to the target host, execute the following command on the Capsule:
    # ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@target.example.com
  • To use the Satellite API to download the public key directly from the Capsule, execute the following command on each target host:
    # curl https://myproxy.example.com:9090/ssh/pubkey >> ~/.ssh/authorized_keys
    Here myproxy.example.com stands for the host name of the Capsule.
  • To include the public key in newly-provisioned hosts, modify for example the Kickstart default finish template to include the following line:
    <%= snippet 'remote_execution_ssh_keys' %>