Red Hat Training

A Red Hat training course is available for Red Hat Satelitte

Chapter 3. Installing Satellite Server

You can use this chapter to find information about installing Red Hat Satellite Server, performing the initial configuration, creating and installing manifests, and performing additional configuration.

Red Hat Satellite 6.3 uses Puppet 3 by default, but you can optionally install Puppet 4 as part of the following installation procedures by enabling the Puppet 4 upgrade repository before running the installation script. To upgrade to Puppet 4 after installation, and for information on upgrading Puppet modules, see the Upgrading Puppet section in the Upgrading and Updating Red Hat Satellite guide.

There are two methods of installing Satellite Server:

Connected:

You can obtain the packages required to install Satellite Server directly from the Red Hat Content Delivery Network (CDN). Using the CDN ensures that your system always receives the latest updates.

Disconnected:

You must use an external computer to download an ISO image of the packages and copy the packages to the system you want to install Satellite Server on. Use an ISO image only if you require a disconnected environment. The ISO image might not contain the latest updates.

Note

You cannot register Satellite Server to itself.

3.1. Installing Satellite Server from a Connected Network

When you install Satellite Server from a connected network, you can obtain packages and receive updates directly from the Red Hat Content Delivery Network.

Note that the Satellite 6 installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/katello-installer.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the katello-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1.1. Registering to Red Hat Subscription Management

Registering the host to Red Hat Subscription Management enables the host to subscribe to and consume content for any subscriptions available to the user. This includes content such as Red Hat Enterprise Linux, Red Hat Software Collections (RHSCL), and Red Hat Satellite.

Register your system with the Red Hat Content Delivery Network, entering your Customer Portal user name and password when prompted:

# subscription-manager register

The command displays output similar to the following:

# subscription-manager register
Username: user_name
Password:
The system has been registered with ID: 541084ff2-44cab-4eb1-9fa1-7683431bcf9a

3.1.2. Identifying and Attaching the Satellite Subscription to the Host

After you have registered your host, you need to identify and attach an available Satellite subscription. The Satellite subscription provides access to the Satellite content, as well as Red Hat Enterprise Linux, Red Hat Software Collections (RHSCL), and Red Hat Satellite. This is the only subscription required. Every Red Hat subscription is identified by a Pool ID.

  1. Identify your Satellite subscription.

    # subscription-manager list --available --matches 'Red Hat Satellite'

    This command performs a case-insensitive search of all available subscriptions' fields, including Subscription Name and Provides, matching any instances of Red Hat Satellite. Subscriptions are classified as available if they are not already attached to a system. The search string may also contain the wildcards ? or * to match a single character or zero or more characters, respectively. The wildcard characters may be escaped with a backslash to represent a literal question mark or asterisk. Likewise, to represent a backslash, it must be escaped with another backslash.

    If you are unable to find an available Satellite subscription, see the Red Hat Knowledgebase solution How do I figure out which subscriptions have been consumed by clients registered under Red Hat Subscription Manager? to run a script to allow you to see if your subscription is being consumed by another system.

    If the output is too long, pipe it into a pager utility, such as less or more, so that you can look over the output one screenful at a time.

    1. Regardless of which form of the subscription-manager command is run, the output should be similar to the following:

      Subscription Name: Red Hat Satellite
      Provides:          Red Hat Satellite 6
                         Red Hat Enterprise Linux Server
                         Red Hat Satellite
                         Red Hat Enterprise Linux Load Balancer (for RHEL Server)
      SKU:               MCT0370
      Pool ID:           8a85f9874152663c0541943739717d11
      Available:         3
      Suggested:         1
      Service Level:     Premium
      Service Type:      L1-L3
      Multi-Entitlement: No
      Ends:              10/07/2014
      System Type:       Physical
  2. Make a note of the Pool ID so that you can attach it to your Satellite host. Your Pool ID is different than the example provided.
  3. To attach your subscription to your Satellite Server, enter the following command, using your Pool ID:

    # subscription-manager attach --pool=pool_id

    The output should be similar to the following:

    Successfully attached a subscription for: Red Hat Satellite
  4. To verify that the subscriptions are successfully attached, enter the following command:

    # subscription-manager list --consumed

    The outputs displays something similar to the following:

    +-------------------------------------------+
       Consumed Subscriptions
    +-------------------------------------------+
    Subscription Name: Red Hat Satellite
    Provides:          Red Hat Satellite
                       Red Hat Enterprise Linux Server
                       Red Hat Software Collections (for RHEL Server)
                       Red Hat Satellite
                       Red Hat Satellite 6
                       Red Hat Software Collections  (for RHEL Server)
                       Red Hat Satellite Capsule
                       Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                       Red Hat Satellite with Embedded Oracle
                       Red Hat Satellite Capsule
                       Red Hat Enterprise Linux High Availability (for RHEL Server)
    SKU:               MCT0370
    Contract:          10293569
    Account:           5361051
    Serial:            1653856191250699363
    Pool ID:           8a85f9874152663c0541943739717d11
    Active:            True
    Quantity Used:     1
    Service Level:     Premium
    Service Type:      L1-L3
    Status Details:
    Starts:            10/08/2013
    Ends:              10/07/2014
    System Type:       Physical

3.1.3. Configuring Repositories

  1. Disable all existing repositories.

    # subscription-manager repos --disable "*"
  2. Enable the required repositories:

    • To enable the Red Hat Satellite, Red Hat Enterprise Linux, Red Hat Software Collections, and Puppet 4 repositories, enter the following command:

      # subscription-manager repos \
      --enable=rhel-7-server-rpms \
      --enable=rhel-server-rhscl-7-rpms \
      --enable=rhel-7-server-satellite-6.3-rpms \
      --enable=rhel-7-server-satellite-6.3-puppet4-rpms
    • Alternatively, to enable the Red Hat Satellite, Red Hat Enterprise Linux, Red Hat Software Collections, and Puppet 3 repositories, enter the following command:

      # subscription-manager repos \
      --enable=rhel-7-server-rpms \
      --enable=rhel-server-rhscl-7-rpms \
      --enable=rhel-7-server-satellite-6.3-rpms
      Note

      Satellite 6.3 is the last supported release for Puppet 3. You must upgrade from Puppet 3 to Puppet 4 while on Satellite 6.3, and before upgrading to Satellite 6.4. Satellite 6.4 only supports Puppet 5, and the upgrade to Puppet 5 will be made during the Satellite upgrade.

      Note

      If you are installing Red Hat Satellite as a virtual machine hosted on Red Hat Virtualization (RHV), you also need to enable the Red Hat Common repository, and install RHV guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide for more information.

  3. Ensure that Red Hat Subscription Manager is not set to use a specific operating system release.

    # subscription-manager release --unset
  4. Clear out any metadata left from any non-Red Hat yum repositories.

    # yum clean all
  5. Verify that the repositories have been enabled.

    # yum repolist enabled

    Output similar to the following displays:

    Loaded plugins: product-id, subscription-manager
    repo id                                    repo name                                                                status
    !rhel-7-server-rpms/x86_64                 Red Hat Enterprise Linux 7 Server (RPMs)                                 9,889
    !rhel-7-server-satellite-6.3-rpms/x86_64   Red Hat Satellite 6.3 (for RHEL 7 Server) (RPMs)                           545
    !rhel-server-rhscl-7-rpms/x86_64           Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server  4,279
    repolist: 14,713

3.1.4. Installing the Satellite Server Packages

You must update all packages before installing the Satellite Server packages. After installation, you must perform the initial configuration of Satellite Server, including configuring server certificates, setting your user name, password, and the default organization and location.

  1. Update all packages.

    # yum update
  2. Install the installation package.

    # yum install satellite
  3. Go to Section 3.3, “Performing the Initial Configuration” to run the installation script and perform the initial configuration of your Satellite Server.

3.2. Downloading and Installing from a Disconnected Network

When the intended host for the Red Hat Satellite Server is in a disconnected environment, it is possible to install the Satellite Server by using an ISO image. This method is not recommended for any other situation as ISO images might not contain the latest updates, bug fixes, and functionality.

Note

If the base system has not been updated from the Red Hat CDN, package dependency errors are possible. You must manually download and install the latest version of the required packages. For more information, see Section 3.2.4, “Downloading Packages Manually”.

Before You Begin

  • A copy of the repositories used in the installation are stored in the /opt/ directory. Ensure you have a minimum of 3 GB of space for this file system and directory.

3.2.1. Downloading the Binary DVD Images

  1. Go to Red Hat Customer Portal and log in.
  2. Click DOWNLOADS.
  3. Select Red Hat Enterprise Linux.
  4. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Enterprise Linux Server.
    • Version is set to the latest minor version of the product you plan to use as the base system.
    • Architecture is set to the 64 bit version.
  5. On the Product Software tab, download the Binary DVD image for the latest Red Hat Enterprise Linux Server version.
  6. Click DOWNLOADS and select Red Hat Satellite.
  7. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Satellite.
    • Version is set to the latest minor version of the product you plan to use as the base system.
    • Architecture is set to the 64 bit version.
  8. On the Product Software tab, download the Binary DVD image for the latest Red Hat Satellite version.
  9. Copy the ISO files to the Satellite base system or other accessible storage device.

    # scp localfile username@hostname:remotefile

3.2.2. Configuring the Base System with Offline Repositories

  1. Create a directory to serve as the mount point for the ISO file corresponding to the base system’s version.

    # mkdir /media/rhel7-server
  2. Mount the ISO image for Red Hat Enterprise Linux to the mount point.

    # mount -o loop rhel7-Server-DVD.iso /media/rhel7-server

    The following example shows mounting the ISO using Red Hat Enterprise Linux 7.2:

    # mount -o loop RHEL-7.2-20151030.0-Server-x86_64-dvd1.iso \
    /media/rhel7-server
    mount: /dev/loop0 is write-protected, mounting read-only
  3. Copy the ISO file’s repository data file.

    # cp /media/rhel7-server/media.repo /etc/yum.repos.d/rhel7-server.repo
  4. Edit the repository data file and add the baseurl directive.

    baseurl=file:///media/rhel7-server/

    The following example shows the repository data file using Red Hat Enterprise Linux 7.2:

    # vi /etc/yum.repos.d/rhel7-server.repo
    [InstallMedia]
    name=Red Hat Enterprise Linux 7.2
    mediaid=1446216863.790260
    metadata_expire=-1
    gpgcheck=0
    cost=500
    baseurl=file:///media/rhel7-server/
    enabled=1
  5. Verify that the repository has been configured.

    # yum repolist
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    repo id          repo name                       status
    InstallMedia     Red Hat Enterprise Linux 7.2    4,620
  6. Create a directory to serve as the mount point for the ISO file of the Satellite Server.

    # mkdir /media/sat6
  7. Mount the ISO image for Red Hat Satellite Server to the mount point.

    # mount -o loop sat6-DVD.iso /media/sat6

    The following example shows mounting the ISO using Red Hat Satellite 6.3.0 for Red Hat Enterprise Linux 7:

    # mount -o loop satellite-6.3.0-rhel-7-x86_64-dvd.iso /media/sat6
    mount: /dev/loop1 is write-protected, mounting read-only
  8. Red Hat Satellite 6.3 uses Puppet 3 by default, but you can also use Puppet 4. To use Puppet 4, create a local repository to access the required packages and add the following contents:

    # vi /etc/yum.repos.d/satellite-puppet4.repo
    [satellite-puppet4]
    name=satellite-puppet4
    baseurl=file:///media/sat6/addons/Puppet4
    enabled=1
    gpgcheck=1

3.2.3. Installing from the Offline Repositories

  1. Ensure the ISO images for Red Hat Enterprise Linux Server and Red Hat Satellite are mounted:

    # findmnt -t iso9660
  2. Import the Red Hat GPG keys.

    # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  3. Ensure the base system is up to date with the Binary DVD image.

    # yum update
  4. Change to the directory where the Satellite ISO is mounted.

    # cd /media/sat6/
  5. Run the installation script in the mounted directory.

    # ./install_packages
    	This script will install the foreman packages on the current machine.
       - Ensuring we are in an expected directory.
       - Copying installation files.
       - Creating a Repository File
       - Creating RHSCL Repository File
       - Checking to see if Foreman is already installed.
       - Importing the gpg key.
       - Foreman is not yet installed, installing it.
       - Installation repository will remain configured for future package installs.
       - Installation media can now be safely unmounted.
    
    Install is complete. Please run satellite-installer --scenario satellite.

    If the script fails due to missing or outdated packages, you must download and install these separately. See Section 3.2.4, “Downloading Packages Manually” for instructions.

    If the script fails due to installed packages being newer than those required, enter yum distribution-synchronization to downgrade the installed packages to the versions that came from the Red Hat Enterprise Linux ISO, then run the installation script again. This should only occur if you have repositories configured whose source is not the Red Hat Enterprise Linux ISO. Use of such repositories is an unsupported configuration.

3.2.4. Downloading Packages Manually

If required to download a package manually, proceed as follows:

  1. Go to Red Hat Customer Portal and log in.
  2. Click DOWNLOADS.
  3. Select Red Hat Satellite.
  4. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Satellite.
    • Version is set to the latest minor version of the product you are using as the base system.
    • Architecture is set to the 64 bit version.
  5. On the Packages tab, enter the name of the package required in the Search box.
  6. Click Download Latest next to the package required.

3.3. Performing the Initial Configuration

This section details how to perform the initial configuration of the host operating system when installing Red Hat Satellite Server. This includes synchronizing the time, installing the sos package, and specifying an installation option.

Before you continue, consider which manifests or packages are relevant for your environment. For more information on manifests, see Managing Subscriptions in the Red Hat Satellite Content Management Guide.

3.3.1. Synchronizing Time

You must start and enable a time synchronizer on the host operating system to minimize the effects of time drift. If a system’s time is incorrect, certificate verification can fail.

Two NTP based time synchronizers are available: chronyd and ntpd. The chronyd implementation is specifically recommended for systems that are frequently suspended and for systems that have intermittent network access. The ntpd implementation should only be used when you specifically need support for a protocol or driver not yet supported by chronyd.

For more information about the differences between ntpd and chronyd, see Differences Between ntpd and chronyd in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Synchronizing Time using chronyd

  1. Install chronyd.

    # yum install chrony
  2. Start and enable the chronyd service.

    # systemctl start chronyd
    # systemctl enable chronyd

3.3.2. Installing the SOS Package on the Host Operating System

You should install the sos package on the host operating system. The sos package enables you to collect configuration and diagnostic information from a Red Hat Enterprise Linux system. You can also use it to provide the initial system analysis, which is required when opening a service request with Red Hat Technical Support. For more information on using sos, see the Knowledgebase solution What is a sosreport and how to create one in Red Hat Enterprise Linux 4.6 and later? on the Red Hat Customer Portal.

Install the sos package.

# yum install sos

3.3.3. Specifying Installation Options

Satellite Server is installed using the satellite-installer installation script and as part of the initial configuration, you either automatically or manually configure Satellite.

Choose from one of these two methods:

  • Automatic Configuration - This method is performed by using an answer file to automate the configuration process when running the installation script. An answer file is a file containing a list of parameters that are read by a command or script. The default Satellite answer file is /etc/foreman-installer/scenarios.d/satellite-answers.yaml. The answer file in use is set by the answer_file directive in the /etc/foreman-installer/scenarios.d/satellite.yaml configuration file.

    To perform the initial configuration using the installation script with an answer file, see Section 3.3.3.2, “Performing the Initial Configuration Automatically using an Answer File”.

  • Manual Configuration - This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Satellite answer file. You can run the script as often as needed to configure any necessary options.

    To perform the initial configuration using the installation script with command-line options, see Section 3.3.3.1, “Performing the Initial Configuration Manually”.

Note

Depending on the options that you use when running the Satellite installer, the configuration can take several minutes to complete. An administrator is able to view the answer file to see previously used options for both methods.

3.3.3.1. Performing the Initial Configuration Manually

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, consider using a utility such as screen that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. The Red Hat Knowledgebase article How to use the screen command describes installing screen; alternately see the screen manual page for more information. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/satellite.log to determine if the process completed successfully.

Manually configuring Satellite Server

Use the satellite-installer --scenario satellite --help command to display the available options and any default values. If you do not specify any values, the default values are used.

It is recommended to specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed later on. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.

By default, all configuration files configured by the installer are managed by Puppet. When satellite-installer runs, it overwrites any manual changes to the Puppet managed files with the initial values. By default, Satellite Server is installed with the Puppet agent running as a service. If required, you can disable Puppet agent on Satellite Server using the --puppet-runmode=none option.

If you want to be able to manage DNS files and DHCP files manually, use the --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false options so that Puppet does not manages the files related to the respective services. For more information on how to apply custom configuration on other services, see Appendix C, Applying Custom Configuration to Red Hat Satellite.

# satellite-installer --scenario satellite \
--foreman-initial-organization "initial_organization_name" \
--foreman-initial-location "initial_location_name" \
--foreman-admin-username admin_user_name \
--foreman-admin-password admin_password \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dhcp-managed=false

The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log.

If you have been installing in a disconnected environment, unmount the ISO images.

# umount /media/sat6
# umount /media/rhel7-server

3.3.3.2. Performing the Initial Configuration Automatically using an Answer File

You can use answer files to automate installations with customized options. The initial answer file is sparsely populated and after you run the satellite-installer script the first time, the answer file is populated with the standard parameter values for installation. If you have already installed Satellite Server using the method described in Section 3.3.3.1, “Performing the Initial Configuration Manually”, then you do not need to use this method. You can, however, use it to make changes to the configuration of Satellite Server at any time.

You should use the FQDN instead of the IP address where possible in case of network changes.

Automatically configuring Satellite Server using an Answer File

  1. Copy the default answer file /etc/foreman-installer/scenarios.d/satellite-answers.yaml to a location on your local file system.

    # cp /etc/foreman-installer/scenarios.d/satellite-answers.yaml \
    /etc/foreman-installer/scenarios.d/my-answer-file.yaml
  2. To view all of the configurable options, enter the satellite-installer --scenario satellite --help command.
  3. Open your copy of the answer file, edit the values to suit your environment, and save the file.
  4. Open the /etc/foreman-installer/scenarios.d/satellite.yaml file and edit the answer file entry to point to your custom answer file.

    :answer_file: /etc/foreman-installer/scenarios.d/my-answer-file.yaml
  5. Run the satellite-installer script.

    # satellite-installer --scenario satellite
  6. If you have been installing in a disconnected environment, unmount the ISO images.

    # umount /media/sat6
    # umount /media/rhel7-server

3.3.4. Creating a Subscription Allocation in Customer Portal

You can access your subscription information on the Red Hat Customer Portal. You can also assign subscriptions for use in on-premise management applications, such as Red Hat Satellite, using subscription allocations.

  1. Open https://access.redhat.com/ in your browser and log in to your Red Hat account.
  2. Navigate to Subscriptions in the upper-left corner of the Customer Portal.
  3. Navigate to Subscription Allocations.
  4. Click Create New subscription allocation.
  5. In the Name field, enter a name.
  6. From the Type list, select the type and version that corresponds to your Satellite Server.
  7. Click Create.

3.3.5. Adding Subscriptions to an Allocation

The following procedure explains how to add subscriptions to an allocation.

  1. Navigate to Subscription Allocations.
  2. Select the name of the subscription you want to change.
  3. Click the Subscriptions tab.
  4. Click Add Subscriptions.
  5. A list of your Red Hat product subscriptions appears. Enter the Entitlement Quantity for each product.
  6. Click Submit to complete the assignment.

When you have added subscriptions to the allocation, export the manifest file.

3.3.6. Exporting a Subscription Manifest from the Customer Portal

While viewing a subscription allocation that has at least one subscription, you can export a manifest in either of two places:

  • From the Details tab, under the Subscription section, by clicking the Export Manifest button.
  • From the Subscriptions tab, by clicking the Export Manifest button.

When the manifest is exported, the Customer Portal encodes the selected subscriptions certificates and creates a .zip archive. This is the Subscription Manifest, which can be uploaded into the Satellite Server.

3.3.6.1. Importing a Subscription Manifest into the Satellite Server

Both the Red Hat Satellite 6 Web UI and CLI provide methods for importing the manifest.

For Web UI Users

  1. Ensure the context is set to the organization you want to use.
  2. Navigate to Content > Red Hat Subscriptions.
  3. Click Manage Manifest to display the manifest page for the organization.
  4. Click Choose file, select the Subscription Manifest, then click Upload.

For CLI Users

The Red Hat Satellite 6 CLI requires the manifest to be on the Satellite Server. On your local client system, copy the manifest to the Satellite Server:

[user@client ~]$ scp ~/manifest_file.zip root@satellite.example.com:~/.

Then import it using the following command:

[root@satellite ~]# hammer subscription upload \
--file ~/manifest_file.zip \
--organization "organization_name"

After a few minutes, the CLI reports a successful manifest import.

When you complete this section, you can enable repositories and import Red Hat content. This is a prerequisite for some of the following procedures. For more information, see Importing Red Hat Content in the Red Hat Satellite Content Management Guide.

3.4. Performing Additional Configuration

3.4.1. Installing the Satellite Tools Repository

The Satellite Tools repository provides the katello-agent and puppet packages for clients registered to Satellite Server. Installing the katello agent is recommended to allow remote updates of clients. The base system of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.

To Install the Satellite Tools Repository:

  1. In the Satellite web UI, go to Content > Red Hat Repositories and select the RPMs tab.
  2. Find and expand the Red Hat Enterprise Linux Server item.
  3. Find and expand the Red Hat Satellite Tools 6.3 (for Red Hat Enterprise Linux 7 Server) (RPMs) item.

    If the Red Hat Satellite Tools 6.3 items are not visible, it may be because they are not included in the Subscription Manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Subscription Manifest and import it into Satellite.

  4. Select the Enabled check box next to the Satellite 6.3 Tools repository’s name.

Enable the Satellite Tools repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

To Synchronize the Satellite Tools Repository:

  1. Go to Content > Sync Status.

    A list of product repositories available for synchronization is displayed.

  2. Click the arrow next to the product content to view available content.
  3. Select the content you want to synchronize.
  4. Click Synchronize Now.

3.4.2. Configuring Satellite Server with HTTP Proxy

If your network uses an HTTP Proxy, you can configure Satellite Server to use it. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

Authentication Methods

Only basic authentication is supported: add your username and password information to the --katello-proxy-url option, or use the --katello-proxy-username and --katello-proxy-password options.

To Configure Satellite with an HTTP Proxy

  1. Verify that the http_proxy, https_proxy, and no_proxy variables are not set.

    # unset http_proxy
    # unset https_proxy
    # unset no_proxy
  2. Run satellite-installer with the HTTP proxy options.

    # satellite-installer --scenario satellite \
    --katello-proxy-url=http://myproxy.example.com \
    --katello-proxy-port=8080 \
    --katello-proxy-username=proxy_username \
    --katello-proxy-password=proxy_password
  3. Verify that Satellite Server can connect to the Red Hat Content Delivery Network (CDN) and can synchronize its repositories.

    1. On the network gateway and the HTTP Proxy, enable TCP for the following host names:

      Host namePortProtocol

      subscription.rhsm.redhat.com

      443

      HTTPS

      cdn.redhat.com

      443

      HTTPS

      *.akamaiedge.net

      443

      HTTPS

      cert-api.access.redhat.com (if using Red Hat Insights)

      443

      HTTPS

      api.access.redhat.com (if using Red Hat Insights)

      443

      HTTPS

      Satellite Server communicates with the Red Hat CDN securely over SSL. Use of an SSL interception proxy interferes with this communication. These hosts must be whitelisted on the proxy.

      For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

    2. On Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf file:

      # an http proxy server to use (enter server FQDN)
      proxy_hostname = myproxy.example.com
      
      # port for http proxy server
      proxy_port = 8080
      
      # user name for authenticating to an http proxy, if needed
      proxy_user =
      
      # password for basic http proxy auth, if needed
      proxy_password =

SELinux Considerations for Custom Ports

SELinux ensures access of Red Hat Satellite 6 and Red Hat Subscription Manager only to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 - 10010. If you use a port that does not have SELinux type http_cache_port_t, complete the following steps:

  1. To verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:

    # semanage port -l | grep http_cache
    http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
    [output truncated]
  2. To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:

    # semanage port -a -t http_cache_port_t -p tcp 8088

For more information on SELinux port settings, see Section 2.11, “Changing Default SELinux ports”.

3.4.3. Enabling Power Management on Managed Hosts

When you enable the baseboard management controller (BMC) module on Satellite Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.

The BMC service enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).

For more information on the BMC service, see Configuring an Additional Network Interface in Managing Hosts.

Before You Begin

  • All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.

Enable Power Management on Managed Hosts

  1. Run the installer with the options to enable BMC.

    # satellite-installer --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"

3.4.4. Configuring DNS, DHCP, and TFTP on Satellite Server

You can configure DNS, DHCP, and TFTP on Satellite Server.

If you want to configure external services, see Chapter 5, Configuring External Services for more information.

If you want to disable these services in Satellite in order to manage them manually, see Section 3.4.5, “Disabling DNS, DHCP, and TFTP for Unmanaged Networks” for more information.

To view a complete list of configurable options, enter the satellite-installer --scenario satellite --help command.

Before You Begin

  • Contact your network administrator to ensure that you have the correct settings.
  • You should have the following information available:

    • DHCP IP address ranges
    • DHCP gateway IP address
    • DHCP nameserver IP address
    • DNS information
    • TFTP server name
  • Use the FQDN instead of the IP address where possible in case of network changes.
Note

The information in the task is an example. You should use the information relevant to your own environment.

Configure DNS, DHCP, and TFTP on Satellite Server

  1. Run satellite-installer with the options appropriate for your environment.

    # satellite-installer --scenario satellite \
    --foreman-proxy-dns true \
    --foreman-proxy-dns-managed true \
    --foreman-proxy-dns-interface eth0 \
    --foreman-proxy-dns-zone example.com \
    --foreman-proxy-dns-forwarders 172.17.13.1 \
    --foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-managed true \
    --foreman-proxy-dhcp-interface eth0 \
    --foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
    --foreman-proxy-dhcp-gateway 172.17.13.1 \
    --foreman-proxy-dhcp-nameservers 172.17.13.2 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-managed true \
    --foreman-proxy-tftp-servername $(hostname)

    For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

    The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log. You can view the settings used, including the admin_password parameter, in the /etc/foreman-installer/scenarios.d/satellite-answers.yaml file.

Note

Any changes to the settings require running satellite-installer again. You can run the script multiple times and it updates all configuration files with the changed values.

3.4.5. Disabling DNS, DHCP, and TFTP for Unmanaged Networks

Satellite 6 provides full management capabilities for TFTP, DHCP, and DNS network services running on Satellite’s internal or external Capsules. If you want to manage those services manually or use some external method, then Satellite 6 cannot directly integrate with them. While it is possible to develop custom integration scripts using Foreman Hooks (such as creating DNS records after a new host is created), this integration, also known as orchestration, must be disabled in order to prevent DHCP and DNS validation errors.

  1. In the web UI, go to Infrastructure > Subnets and select a subnet.
  2. On the Capsules tab, ensure that there is no DHCP Capsule or TFTP Capsule associated by setting the drop-down list to None.
  3. Disable forward record orchestration.

    1. Go to Infrastructure > Domains and select a domain.
    2. On the Domain tab, setting the DNS Capsule drop-down list to None.
  4. Disable reverse (PTR) record orchestration.

    1. Go to Infrastructure > Subnets and select a subnet.
    2. On the Capsules tab, setting the Reverse DNS Capsule drop-down list to None.
  5. Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:

    Option 66: IP_address_of_Satellite_or_Capsule
    Option 67: /pxelinux.0

    For more information about DHCP options, see RFC 2132.

Note

Satellite 6 does not perform orchestration when a Capsule is not set for a given subnet and domain. When enabling or disabling Capsule associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Capsule in order to turn orchestration on, make sure the required DHCP and DNS records as well as the TFTP files are in place for existing Satellite 6 managed hosts in order to prevent host deletion failures in the future.

3.4.6. Configuring Satellite Server for Outgoing Emails

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

If you have upgraded from a previous release, rename or remove the configuration file /usr/share/foreman/config/email.yaml and restart the httpd service. For example:

# mv /usr/share/foreman/config/email.yaml \
/usr/share/foreman/config/email.yaml-backup
# systemctl restart httpd

To Configure Satellite Server for Outgoing Emails:

  1. In the Satellite web UI, navigate to AdministerSettings.
  2. Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

    1. The following example shows the configuration options for using an SMTP server:

      Table 3.1. Using an SMTP server as a delivery method

      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.example.com

      SMTP authentication

      login

      SMTP HELO/EHLO domain

      example.com

      SMTP password

      password

      SMTP port

      25

      SMTP username

      satellite@example.com

      The SMTP username and SMTP password specify the login credentials for the SMTP server.

    2. The following example uses gmail.com as an SMTP server:

      Table 3.2. Using gmail.com as an SMTP server

      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.gmail.com

      SMTP authentication

      plain

      SMTP HELO/EHLO domain

      smtp.gmail.com

      SMTP enable StartTLS auto

      Yes

      SMTP password

      password

      SMTP port

      587

      SMTP username

      user@gmail.com

    3. The following example uses the sendmail command as a delivery method:

      Table 3.3. Using sendmail as a delivery method

      NameExample value

      Delivery method

      Sendmail

      Sendmail arguments

      -i -t -G

      The Sendmail arguments specify the options passed to the sendmail command. The default value is -i -t. For more information see the sendmail 1 man page.

  3. If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:

    • Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server:

      # cp mailca.crt /etc/pki/ca-trust/source/anchors/
      # update-ca-trust enable
      # update-ca-trust

      Where mailca.crt is the CA certificate of the SMTP server.

    • Alternatively, in the web UI, set the SMTP enable StartTLS auto option to No.
  4. Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the web UI displays an error. See the log at /var/log/foreman/production.log for further details.
Note

For information on configuring email notifications for individual users or user groups, see Configuring Email Notifications in Administering Red Hat Satellite.

3.4.7. Configuring Satellite Server with a Custom Server Certificate

SSL certificates are used to protect information and enable secure communication. Red Hat Satellite 6 creates self-signed SSL certificates to enable encrypted communications between the Satellite Server, external Capsule Servers, and all hosts. Instead of using these self-signed certificates, you can install custom SSL certificates issued by a Certificate Authority which is an external, trusted company. For example, your company might have a security policy stating that SSL certificates must be obtained from a Certificate Authority. To obtain the certificate, create a Certificate Signing Request and send it to the Certificate Authority, as described in Section 3.4.7.1, “Obtain an SSL Certificate for the Satellite Server”. In return, you receive a signed SSL certificate.

Note

Obtain custom SSL certificates for the Satellite Server and all external Capsule Servers before starting this procedure.

To use a custom certificate on Satellite Server, complete these steps:

If you have external Capsule Servers, you must also complete the steps in Section 4.7.6, “Configuring Capsule Server with a Custom Server Certificate”.

3.4.7.1. Obtain an SSL Certificate for the Satellite Server

Important

Only PEM encoding must be used for the SSL Certificates.

Note

If you already have a custom SSL Certificate for the Satellite Server, skip this procedure.

  1. Create a directory to contain all the source certificate files, accessible to only the root user.

    In these examples, the directory is /root/sat_cert.

    # mkdir /root/sat_cert
    # cd /root/sat_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note

    If you already have a private key for the Satellite Server, skip this step.

    # openssl genrsa -out /root/sat_cert/satellite_cert_key.pem 4096
  3. Create a Certificate Signing Request (CSR)

    A Certificate Signing Request is a text file containing details of the server for which you are requesting a certificate. For this command, you provide the private key (output by the previous step), answer some questions about the Satellite Server, and the Certificate Signing Request is created.

    Note

    The certificate’s Common Name (CN) must match the fully-qualified domain name (FQDN) of the server on which it is used. If you are requesting a certificate for a Satellite Server, this is the FQDN of the Satellite Server. If you are requesting a certificate for a Capsule Server, this is the FQDN of the Capsule Server.

    To confirm a server’s FQDN, enter the following command on that server: hostname -f.

    # openssl req -new \
      -key /root/sat_cert/satellite_cert_key.pem \ 1
      -out /root/sat_cert/satellite_cert_csr.pem   2
    1
    Satellite Server’s private key, used to sign the certificate
    2
    Certificate Signing Request file

    Example Certificate Signing Request session

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:Queensland
    Locality Name (eg, city) [Default City]:Brisbane
    Organization Name (eg, company) [Default Company Ltd]:Example
    Organizational Unit Name (eg, section) []:Sales
    Common Name (eg, your name or your server's hostname) []:satellite.example.com
    Email Address []:example@example.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:password
    An optional company name []:Example

  4. Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.

3.4.7.2. Validate the Satellite Server’s SSL Certificate

Enter the katello-certs-check command with the required parameters as per the following example. This validates the input files required for custom certificates and outputs the commands necessary to install them on the Satellite Server, all Capsule Servers, and hosts under management with Satellite.

  1. Validate the custom SSL certificate input files. Change the files' names to match your files.

    # katello-certs-check \
       -c /root/sat_cert/satellite_cert.pem \      1
       -k /root/sat_cert/satellite_cert_key.pem \  2
       -b /root/sat_cert/ca_cert_bundle.pem     \  3
       -r /root/sat_cert/satellite_cert_csr.pem        4
    1
    Certificate file for the Satellite Server, signed by your Certificate Authority
    2
    Satellite Server’s private key, used to sign the certificate
    3
    Certificate Authority bundle
    4
    Certificate signing request file for Satellite Server

Example output of katello-certs-check

Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example@example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

Validation succeeded.

To install the Satellite server with the following custom certificates, run:

    satellite-installer --scenario satellite\
              --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
              --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
              --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
              --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
              --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
              --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
              --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
              --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
              --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE"\
              --certs-tar  "~/$CAPSULE-certs.tar"\
              --server-cert "/root/sat_cert/satellite_cert.pem"\
              --server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
              --server-key "/root/sat_cert/satellite_cert_key.pem"\
              --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE"\
              --certs-tar  "~/$CAPSULE-certs.tar"\
              --server-cert "/root/sat_cert/satellite_cert.pem"\
              --server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
              --server-key "/root/sat_cert/satellite_cert_key.pem"\
              --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
              --certs-update-server

3.4.7.3. Run the Satellite Installer with Custom Certificate Parameters

Now that you have created an SSL certificate and verified it is valid for use with Red Hat Satellite 6, the next step is to install the custom SSL certificate on the Satellite Server and all its hosts.

There is a minor variation to this step, depending on whether or not the Satellite Server is already installed. If it is already installed, the existing certificates must be updated with those in the certificates archive.

The commands in this section are output by the katello-certs-check command, as detailed in Section 3.4.7.2, “Validate the Satellite Server’s SSL Certificate”, and can be copied and pasted into a terminal.

  1. Enter the satellite-installer command, depending on your situation:

    1. If Satellite is already installed, enter the following command on the Satellite Server:

      # satellite-installer --scenario satellite \
      --certs-server-cert /root/sat_cert/satellite_cert.pem \
      --certs-server-cert-req /root/sat_cert/satellite_cert_csr.pem \
      --certs-server-key /root/sat_cert/satellite_cert_key.pem \
      --certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
      --certs-update-server --certs-update-server-ca

      Important parameters in this command include --certs-update-server and --certs-update-server-ca, which specify that the server’s SSL certificate and certificate authority are to be updated. For a brief description of all the installer’s parameters, enter the command: satellite-installer --scenario satellite --help.

      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

    2. If Satellite is not already installed, enter the following command on the Satellite Server:

      # satellite-installer --scenario satellite \
      --certs-server-cert /root/sat_cert/satellite_cert.pem \
      --certs-server-cert-req /root/sat_cert/satellite_cert_csr.pem \
      --certs-server-key /root/sat_cert/satellite_cert_key.pem \
      --certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem
      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

  2. Verify the certificate has been successfully installed on the Satellite Server before installing it on hosts. On a computer with network access to the Satellite Server, start a web browser, navigate to the URL https://satellite.example.com and view the certificate’s details.

3.4.7.4. Install the New Certificate on all Hosts Connected to the Satellite Server

Now that the custom SSL certificate has been installed on the Satellite Server, it must also be installed on every host registered to the Satellite Server. Enter the following commands on all applicable hosts.

  1. Delete the current katello-ca-consumer package on the host.

    # yum remove 'katello-ca-consumer*'
  2. Install the custom SSL certificate on the host.

    # yum localinstall http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

3.4.8. Restricting Access to mongod

Only the apache and root users should be allowed access to the MongoDB database daemon, mongod, to reduce the risk of data loss.

Restrict access to mongod on Satellite and Capsule Servers using the following commands.

  1. Configure the Firewall.

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP
  2. Repeat the command adding the --permanent option to make the settings persistent.

    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 28017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 28017 -j DROP