Red Hat Satellite supports the ability to run arbitrary commands on hosts. This is referred to as remote execution. Remote execution is enabled by default on the Satellite Server, but must be enabled manually on all desired Capsule Servers. Communication occurs through the Capsule Server which means that the Satellite Server does not require direct access to the target host, and can scale to control many hosts. Remote execution uses the SSH service which must be enabled and running on the target host. Ensure the Capsule has access to port 22 on the target hosts.
Commands can be customized in a similar fashion to provisioning templates or partition tables. Several job templates are included by default, that you can use to run commands. See Section 12.2.1, “Setting up Job Templates”
Any Capsule Server's base system is a client of Satellite Server's internal Capsule, and therefore this section applies to any type of host connected to Satellite Server, including Capsule Servers.
You can execute commands on multiple hosts at once, and you can use variables in your commands to suit your deployment. Variable values can be filled by host fact, smart class parameter, smart variable, or even host parameter. In addition, you can specify custom values for templates when you run the command. See Section 12.2.2, “Executing Jobs”
The following list provides some examples of how you can use remote execution:
Install, update, or remove software packages
Bootstrap a configuration management agent
Trigger a Puppet, Salt, or Chef run
By default, each Capsule is installed with the remote execution feature disabled. To use remote execution on a Capsule Server you need to enable it. To enable, run the following command:
# satellite-installer --scenario capsule --enable-foreman-proxy-plugin-remote-execution-ssh
To verify that remote execution is running on the Capsule Server and in the web UI navigate to → . The Capsule Server should now list in the Features
column that SSH
By default, Satellite Server is configured to use remote execution rather than Katello Agent. If required, these settings can be changed by first creating custom job templates and then selecting these new templates in the web UI by going to
→ . For each action you want to change, select the label and then select the job template to use.
12.1. Establishing a Secure Connection for Remote Commands
The SSH keys used for remote execution are created automatically when installing a Capsule and the settings are in the
/etc/foreman-proxy/settings.d/remote_execution_ssh.yml file. They include the following options:
File to load the SSH key from. By default, set to
Directory used on the Satellite or Capsule to run the scripts necessary for remote execution. By default, set to
Directory on the client system that is used to execute the remote execution jobs. By default, set to
If the client system has
noexec set for the
/var/ volume or file system, change the
remote_working_dir as otherwise the remote execution job will fail since the script cannot be executed.
If required to use an alternative directory, create the new directory, for example new_place
, and then copy the SELinux context from the default directory. For example:
# chcon --reference=/var new_place
See the Maintaining SELinux Labels
section of the SELinux User's and Administrator's Guide
for more information on working with SELinux labels.
Distributing the SSH Keys for Remote Execution
To enable remote execution, distribute the public SSH key from a Capsule to the hosts that you want to manage. Ensure the SSH service is enabled and running on the hosts. Configure any network or host-based firewalls to enable access to port 22.
There are three ways to distribute the public key from a Capsule to target hosts:
To distribute keys manually, execute the following command on the Capsule:
# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub firstname.lastname@example.org
Here target.example.com is the host name of the target host. Repeat for each target host you want to manage.
To confirm the key was successfully copied to the target host, execute the following command on the Capsule:
# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy email@example.com
To use the Satellite API to download the public key directly from the Capsule, execute the following command on each target host:
# curl https://myproxy.example.com:9090/ssh/pubkey >> ~/.ssh/authorized_keys
Here myproxy.example.com stands for the host name of the Capsule.
To include the public key in newly-provisioned hosts, modify for example the Kickstart default finish template to include the following line:
<%= snippet 'remote_execution_ssh_keys' %>