Language:
Format:

Red Hat Training

A Red Hat training course is available for Red Hat Satellite

Managing Hosts

Red Hat Satellite 6.4

A guide to managing hosts in a Red Hat Satellite 6 environment.

Red Hat Satellite Documentation Team

satellite-doc-list@redhat.com

Legal Notice

Abstract

This guide describes how to configure and work with hosts in a Red Hat Satellite environment. Before continuing with this workflow you must have successfully installed a Red Hat Satellite 6 Server and any required Capsule Servers.

Chapter 1. Introduction

This chapter describes what a host is, types of hosts, and actions you can perform on them.

1.1. Understanding Hosts

A host is any Red Hat Enterprise Linux system that Red Hat Satellite manages. Hosts may be physical or virtual. Virtual hosts may be deployed on any platform supported by Red Hat Satellite, including: KVM, VMware vSphere, OpenStack, Amazon EC2, Rackspace Cloud Services, Google Compute Engine, or in a Docker container.

1.2. Understanding Host Management

Red Hat Satellite enables host management at scale, including monitoring, provisioning, remote execution, configuration management, software management, and subscription management. You can manage your hosts via the Red Hat Satellite web UI, or the command line. For more information on managing hosts, see Chapter 2, Managing Hosts.

Chapter 2. Managing Hosts

This chapter describes creating, registering, managing, and removing hosts. This includes changing the group, and environment of a host, configuring an additional network interface, assigning the host to a specific organization, and location.

2.1. Browsing Hosts

The Satellite Server web UI provides an opportunity to browse all hosts recognized by the Satellite Server. Navigate to Hosts tab at the top of the screen to open the drop-down menu with the following items:

All Hosts - a list of all hosts recognized by the Satellite Server.
Discovered Hosts - a list of bare-metal hosts detected on the provisioning network by the Discovery plug-in.
Content Hosts - a list of hosts which manage tasks related to content and subscriptions.
Host Collections - a list of user-defined collections of hosts used for bulk actions such as Errata Installation.

To search for a host, type in the Search field, and use an asterisk (*) to perform a partial string search. For example, if searching for a content host named dev-node.example.com, click the Content Hosts page, type dev-node* in the Search field. Alternatively, *node* will also find the content host dev-node.example.com.

Warning

Satellite Server will be listed as a host itself even if it is not self-registered. Do not delete the Satellite Server from the list of hosts.

2.2. Host Status Types

Each host recognized by the Satellite Server is assigned a status type in accordance with the most recent action performed on or upcoming changes to be applied to that host. Navigate to Hosts → All hosts to view the status of each host. The following table outlines the status types to which hosts can be assigned:

Table 2.1. Host Status Types

Icon	Status	Description
	Error	An error has been detected on the host. If you hover the mouse over the error icon, a tooltip showing the actual reason of the error will appear. You can see a more detailed report of issues by clicking on the host.
	Warning	The host has been configured, but no reports have been collected for that host over the last reporting interval.
	OK	There are no pending actions on the host, no pending changes, and no errors over the last reporting interval.

2.3. Host Overview

The host overview page displays information about a given host and the connection between the host and the installer. To view the host overview page, select Hosts → All hosts, then click the name of a host.

Details

The details bar contains a row of buttons that provide shortcuts to more information about the host, and tabs that display summaries of important details and events.

Audits: a page containing audit entries for the current host.
Facts: a page containing a list of facts for the current host. This button is only available after the installer has collected facts from the host.
Reports: a page containing a list of reports for the current host. This button is only available after the installer has collected reports from the host.
YAML: a page containing details about the host in YAML format, such as its IP address, MAC address, name, and values of parameters that have been applied to the host.
Properties: a list of general details about the host, such as its IP address, MAC address, and the operating system entry that has been applied to the host.
Metrics: a table showing a summary of all events reported for the host.
Templates: a list of all provisioning templates currently accessible by the host. The provisioning templates include in this list are automatically configured in accordance with the operating system entry applied to the host.
NICs: a table showing detailed information on NICs configured for the host.

Host Actions

Click each of these buttons to perform common actions on the host.

Schedule Remote Job: allows running jobs on the host. For more information on running jobs see Chapter 4, Running Jobs on Hosts.
Boot disk: a menu that allows you to select the boot disk for the host. For more information on creating a boot ISO for a host see Creating New Hosts with PXE-less Provisioning in the Red Hat Satellite Provisioning Guide.
Edit: opens the host details page which allows you to configure settings for the host. Note that the installer configures all the settings automatically and normally no manual configurations are required.
Build: flags the host to be provisioned on the next host boot. Note that the installer manages all aspects of the provisioning process and normally there is no need to provision hosts manually.
Delete: deletes the host from the user interface.

Host Graphs

The host overview page contains two graphs that display the status of recent Puppet runs executed on the host.

Runtime: tracks two data points: Config Retrieval and Runtime. The Config Retrieval data point represents the amount of time taken to collect information about the host during a given Puppet run, and the Runtime data point represents the amount of time required to execute the Puppet run. Both data points are measured in seconds.
Resources: tracks the number of actions performed on the host during a Puppet run. The categories displayed in this graph are identical to those displayed in the Reports page, and are measured using the number of actions in each category.

2.4. Creating a Host

The following procedure describes how to create a host in Red Hat Satellite.

To Create a Host:

Click Hosts > Create Host.
On the Host tab, enter the required details.
Click the Ansible Roles tab, and from the Ansible Roles list, select one or more roles that you want to add to the host. Use the arrow icon to manage the roles that you add or remove.
On the Puppet Classes tab, select the Puppet classes you want to include.
On the Interfaces tab:
1. For each interface, click Edit in the Actions column and configure the following settings as required:
  - Type — For a Bond or BMC interface, use the Type list and select the interface type.
  - MAC address — Enter the MAC address.
  - DNS name — Enter the DNS name that is known to the DNS server. This is used for the host part of the FQDN.
  - Domain — Select the domain name of the provisioning network. This automatically updates the Subnet list with a selection of suitable subnets.
  - IPv4 Subnet — Select an IPv4 subnet for the host from the list.
  - IPv6 Subnet — Select an IPv6 subnet for the host from the list.
  - IPv4 address — If IP address management (IPAM) is enabled for the subnet, the IP address is automatically suggested. Alternatively, you can enter an address. The address can be omitted if provisioning tokens are enabled, if the domain does not mange DNS, if the subnet does not manage reverse DNS, or if the subnet does not manage DHCP reservations.
  - IPv6 address — If IP address management (IPAM) is enabled for the subnet, the IP address is automatically suggested. Alternatively, you can enter an address.
  - Managed — Select this check box to configure the interface during provisioning to use the Capsule provided DHCP and DNS services.
  - Primary — Select this check box to use the DNS name from this interface as the host portion of the FQDN.
  - Provision — Select this check box to use this interface for provisioning. This means TFTP boot will take place using this interface, or in case of image based provisioning, the script to complete the provisioning will be executed through this interface. Note that many provisioning tasks, such as downloading RPMs by anaconda, Puppet setup in a %post script, will use the primary interface.
  - Virtual NIC — Select this check box if this interface is not a physical device. This setting has two options:
    Tag — Optionally set a VLAN tag. If unset, the tag will be the VLAN ID of the subnet.
    Attached to — Enter the device name of the interface this virtual interface is attached to.
2. Click OK to save the interface configuration.
3. Optionally, click Add Interface to include an additional network interface. See Section 2.16, “Configuring an Additional Network Interface” for details.
4. Press Submit to apply the changes and exit.
On the Operating System tab, enter the required details. For Red Hat operating systems, select Synced Content for Media Selection. If you want to use non Red Hat operating systems, select All Media, then select the installation media from the Media Selection list. You can select a partition table from the drop-down list or enter a custom partition table in the Custom partition table field. You cannot specify both.
On the Parameters tab, click Add Parameter to add any parameter variables that you want to pass to job templates at run time. This includes all Puppet Class, Ansible playbook parameters and host parameters that you want to associate with the host. To use a parameter variable with an Ansible job template, you must add a Host Parameter.
On the Additional Information tab, enter additional information about the host.
Click Submit to complete your provisioning request.

2.5. Assigning Ansible Roles to Existing Hosts

You can use Ansible roles for remote management of Red Hat Enterprise Linux version 6.9 or later.

Before you can assign Ansible roles to hosts in Satellite, ensure that you import the roles to Satellite. For more information, see Adding Red Hat Enterprise Linux System Roles in the Administering Red Hat Satellite.

If you have a host that you want to add or modify Ansible roles for that host, complete the following procedure:

In the Satellite web UI, navigate to Hosts > All Hosts, and on the host that you want to add an Ansible role to, click Edit.
Select the Ansible Roles tab, and in the All items list, search for the roles that you want to add.
Select the roles that you want to add, and click the arrow icon to move the roles to the Selected items list.
Click Submit to save your changes.

When you assign Ansible roles to hosts, you can then use Ansible for remote execution. For more information, see Section 4.1, “Establishing a Secure Connection for Remote Commands”.

Overiding Parameter Variables

On the Parameters tab, click Add Parameter to add any parameter variables that you want to pass to job templates at run time. This includes all Ansible playbook parameters and host parameters that you want to associate with the host. To use a parameter variable with an Ansible job template, you must add a Host Parameter.

2.6. Running Ansible Roles on a Host

Before you begin, you must import Ansible roles in Satellite and assign the roles to your hosts. For more information, see Section 2.5, “Assigning Ansible Roles to Existing Hosts”.

To Run an Ansible Role:

In the Satellite web UI, navigate to Hosts > All Hosts, and select the check box of the host that contains the Ansible role you want to run.
From the Select Actions list, select Play Ansible roles.

On the Run Ansible Roles page, you can view the status of your Ansible job. To rerun a job, click the Rerun button.

2.7. Registration

This section shows you how to register hosts to Satellite Server or Capsule Server. There are two main methods for registering a host:

Download and install the consumer RPM (server.example.com/pub/katello-ca-consumer-latest.noarch.rpm) and then run subscription manager. This method is suited for freshly installed hosts. See ] and xref:sect-Red_Hat_Satellite-Managing_Hosts-Registration-Registering_a_Host[ for more information.
Download and run the bootstrap script (server.example.com/pub/bootstrap.py). This method is suited for both freshly installed hosts and hosts that have been previously registered, for example, to Satellite 5 or another Satellite 6. See Section 2.7.7, “Registering Hosts to Satellite 6 Using The Bootstrap Script” for more information.

Hosts registered to the Satellite Server via Red Hat Subscription Manager, which can occur either during the post phase of a kickstart or through the terminal, will appear on the Content Hosts page accessible through Hosts > Content Hosts. Hosts provisioned by Satellite Server appear on the Hosts page accessible through Hosts > All hosts.

2.7.1. Configuring a Host for Registration

Red Hat Enterprise Linux hosts register to the Customer Portal Subscription Management by default. You must update each host configuration so that they receive updates from the correct Satellite Server or Capsule Server.

Supported Host Operating Systems

Hosts must use the following Red Hat Enterprise Linux version:

5.7 or later
6.1 or later*
7.0 or later

Note

Red Hat Enterprise Linux versions 6.1, 6.2 and 6.3 GA require subscription-manager and related packages to be updated manually. For more information, see https://access.redhat.com/solutions/1256763

Supported Architectures

All architectures of Red Hat Enterprise Linux are supported:

i386
x86_64
s390x
ppc_64

Prerequisites

Ensure that the Satellite Servers, any Capsule Servers, and all hosts are synchronized with the same NTP server.
Ensure that a time synchronization tool is enabled and running on the Satellite Servers, any Capsule Servers, and the hosts.
- For Red Hat Enterprise Linux 6:
```
# chkconfig ntpd on; service ntpd start
```
- For Red Hat Enterprise Linux 7:
```
# systemctl start chronyd; systemctl enable chronyd
```
Ensure that the daemon rhsmcertd is running on the hosts.
- For Red Hat Enterprise Linux 6:
```
# service rhsmcertd start
```
- For Red Hat Enterprise Linux 7:
```
# systemctl start rhsmcertd
```

The following procedure shows how to configure your host to register to Red Hat Satellite.

To Configure a Host for Registration:

Take note of the fully qualified domain name (FQDN) of the Satellite Server or Capsule Server, for example server.example.com.
In a terminal, connect to the host as the root user.
Install the consumer RPM from the Satellite Server or Capsule Server to which the host is to be registered. The consumer RPM updates the content source location of the host and allows the host to download content from the content source specified in Red Hat Satellite.
```
# rpm -Uvh http://server.example.com/pub/katello-ca-consumer-latest.noarch.rpm
```
Note
The RPM package is not signed, if required, you can add the --nosignature option to install the package. The katello-ca-consumer-hostname-1.0-1.noarch.rpm is an additional katello-ca-consumer RPM available that contains the server’s host name. The katello-ca-consumer-latest.noarch.rpm rpm will always reflect the most recent version. Both serve the same purpose.

2.7.2. Registering a Host

Prerequisites

Complete all steps in Section 2.7.1, “Configuring a Host for Registration”.
Ensure that an activation key associated with the appropriate Content View and environment exists for the host. If not, see Managing Activation Keys in the Content Management Guide for more information. By default, an activation key has the auto-attach function enabled. The feature is commonly used with hosts used as hypervisors.
Ensure that the version of the subscription-manager utility installed is 1.10 or later. The package is available in the standard Red Hat Enterprise Linux repository.

To Register Hosts:

In a terminal, connect to the host as the root user.
Clear any old host data related to Red Hat Subscription Manager (RHSM):
```
# subscription-manager clean
```

# subscription-manager register --org=your_org_name \
--activationkey=your_activation_key

Example 2.1. Command Output after Registration:

# subscription-manager register --org=MyOrg --activationkey=TestKey-1
The system has been registered with id: 62edc0f8-855b-4184-b1b8-72a9dc793b96

Note

You can use the --environment option to override the Content View and life cycle environment defined by the activation key. For example, to register a host to the Content View "MyView" in a "Development" life cycle environment:

 # subscription-manager register --org=your_org_name \
 --environment=Development/MyView \
 --activationkey=your_activation_key

Note

For Red Hat Enterprise Linux 6.3 hosts, the release version defaults to Red Hat Enterprise Linux 6 Server and needs to be pointed to the 6.3 repository.

To Point Red Hat Enterprise Linux 6.3 to the Repository:

On Red Hat Satellite, select Hosts > Content Hosts.
Click the name of the host that needs to be changed.
In the Content Host Content section click the edit icon to the right of Release Version.
Select "6.3" from the Release Version drop-down menu.
Click Save.

2.7.3. Registering an Atomic Host

Use the following procedure to register an Atomic Host with Subscription Manager.

Retrieve katello-rhsm-consumer from Satellite server:

[root@atomic_client ~]# wget http://satellite.example.com/pub/katello-rhsm-consumer

Change the mode of katello-rhsm-consumer in order to make it executable:
```
[root@atomic_client ~]# chmod +x katello-rhsm-consumer
```

Run katello-rhsm-consumer:

[root@atomic_client ~]# ./katello-rhsm-consumer

[root@atomic_client ~]# subscription-manager register

Because Atomic is functionally an appliance, do not install katello-agent on it.

2.7.4. Installing the Katello Agent

The following procedure shows how to install the Katello agent on a host registered to Satellite 6. The katello-agent package depends on the gofer package that provides the goferd service. This service must be enabled so that the Red Hat Satellite Server or Capsule Server can provide information about errata that are applicable for content hosts.

Note that yum is the only package management command that will update Satellite by triggering a Katello package upload. Avoid using rpm commands to install or update packages.

Prerequisites

Satellite version 6.1 and later require that you enable the Red Hat Satellite Tools 6 repository. The Red Hat Common repositories are no longer used and are not compatible with Satellite version 6.1 and later.

The Red Hat Satellite Tools 6 repository must be enabled, synchronized to the Red Hat Satellite Server and made available to your hosts as it provides the required packages.

To Verify the Red Hat Satellite Tools 6 Repository is Enabled:

Open the Satellite web UI, navigate to Content > Red Hat Repositories and click the RPMs tab.
Find and expand the Red Hat Enterprise Linux Server item.
Find and expand the Red Hat Satellite Tools 6 (for RHEL VERSION Server) (RPMs) item.
If the Red Hat Satellite Tools 6 items are not visible, it may be because they are not included in the subscription manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the subscription manifest and import it into Satellite.
Ensure the Enabled check box beside the repository’s name is selected. If not, select it.

Enable the Red Hat Satellite Tools 6 repository for every supported major version of Red Hat Enterprise Linux running on your hosts.

To Install Katello Agent:

On the host, verify that the rhel-version-server-satellite-tools-6-rpms repository is enabled. If you registered the host using an activation key with auto-attach enabled, the repository is enabled automatically already.
```
# yum repolist enabled | grep -i rhel-version-server-satellite-tools-6-rpms
```
If the rhel-version-server-satellite-tools-6-rpms is not enabled, enable it using the following command:
```
# subscription-manager repos --enable=rhel-version-server-satellite-tools-6-rpms
```
Install the katello-agent RPM package using the following command:
```
# yum install katello-agent
```
Ensure the goferd service is running.
- On Red Hat Enterprise Linux 6, run the following command:
```
# service goferd start
```
- On Red Hat Enterprise Linux 7, run the following command:
```
# systemctl start goferd
```

2.7.5. Installing Tracer

This section describes how you can integrate Red Hat Satellite 6.4 with Tracer, and provides instructions on how to install Tracer and access Traces.

Tracer displays a list of services and applications that are outdated and require to be restarted. The list is labeled Traces and you can access this in the Satellite web UI.

Note

The integration of Tracer with Satellite Server is a Technology Preview feature. Technology Preview features are not fully supported under Red Hat Subscription Service Level Agreements (SLAs), may not be functionally complete, and are not intended for production use. However, these features provide early access to upcoming product innovations, enabling customers to test functionality and provide feedback during the development process.

Prerequisite

For your content host, enable and synchronize the Red Hat Satellite Tools 6.4 repository.

Procedure

Tracer is an optional component, therefore you must install it separately from the rest of the Katello host tools.

On the content host, install the katello-host-tools-tracer RPM package:
```
# yum install katello-host-tools-tracer
```
Enter the following command:
```
# katello-tracer-upload
```
In the Satellite web UI, navigate to Hosts > All hosts, and then click the required host name.
In the Properties tab, examine the Properties table, and then find the Traces item. If you cannot find a Traces item in the Properties table, then Tracer is not installed.

To Access Traces:

Traces is the output generated by Tracer in the Satellite web UI.

In the Satellite web UI, navigate to Hosts > Content Hosts, and then click the required host name.
Click the Traces tab to view Traces.

2.7.6. Installing and Configuring the Puppet Agent

This section describes how to install and configure the Puppet agent on a host. When you have correctly installed and configured the Puppet agent, you can navigate to Hosts > All hosts to list all hosts visible to Red Hat Satellite Server.

Prerequisites

The rhel-7-server-satellite-tools-6.4-rpms repository must be enabled, synchronized to the Red Hat Satellite Server and made available to your hosts as it provides the required packages.

To Verify the rhel-7-server-satellite-tools-6.4-rpms Repository is Enabled:

In the Satellite web UI, navigate to Content > Red Hat Repositories.
In the search field, enter Red Hat Satellite Tools 6.4 for RHEL 7 Server RPMs.
Select Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs) and select the enable icon next to x86_64.
If the Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs) items are not visible, it might be because they are not included in the subscription manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the subscription manifest and import it into Satellite.

To Install and Enable the Puppet Agent:

On the host, open a terminal console and log in as the root user.
Verify that the rhel-7-server-satellite-tools-6.4-rpms repository is enabled, using the following command:
```
# yum repolist enabled | grep -i rhel-7-server-satellite-tools-6.4-rpms
```
If the rhel-7-server-satellite-tools-6.4-rpms is not enabled, enable it using the following command:
```
# subscription-manager repos \
--enable=rhel-7-server-satellite-tools-6.4-rpms
```
Install the Puppet agent RPM package using the following command:
```
# yum install puppet
```
Configure the puppet agent to start at boot:
1. On Red Hat Enterprise Linux 6:
```
# chkconfig puppet on
```
2. On Red Hat Enterprise Linux 7:
```
# systemctl enable puppet
```

Prerequisites

The following conditions must be met before configuring the Puppet Agent:

The host must be registered to the Red Hat Satellite Server.
The Red Hat Satellite Tools 6 repository must be enabled.
Puppet packages must be installed on the host.

A Puppet environment is a collection of Puppet modules that can be associated with a host or a host group. Before you configure the Puppet agent environment, complete the following steps:

To find the host’s Puppet environment, in the Satellite web UI, navigate to Hosts > All Hosts and view the Environment column in the host table.
To assign a Puppet environment to a host, navigate to Hosts > All Hosts and click Edit next to the selected host.
To list Puppet environments enabled on the Satellite Server, navigate to Configure > Environments. You can also inspect the /etc/puppetlabs/code/environments directory on the Satellite Server to find what Puppet modules and manifests are associated with Puppet environments.

For more information see the Red Hat Satellite Puppet Guide.

To Configure the Puppet Agent:

Append the following server and environment settings to the /etc/puppetlabs/puppet/puppet.conf file. Set the environment parameter to the name of the Puppet environment to which the host belongs:
```
environment = My_Example_Org_Library
server = satellite.example.com
ca_server = satellite.example.com
```
Run the Puppet agent on the host:
```
# puppet agent -t
```
Sign the SSL certificate for the Puppet client in the Satellite Server web UI:
1. Log in to the Satellite Server web UI.
2. Select Infrastructure > Capsules.
3. Select Certificates from the drop-down menu to the right of the required Capsule.
4. Click Sign to the right of the required host.
5. Enter the puppet agent command again:
```
# puppet agent -t
```

Assigning Context to a Host

When the Puppet agent is configured on the host, it appears in All Hosts but only when Any Organization is selected because the host is not assigned to an organization or location.

To assign the host to an organization, see Section 2.14, “Assigning a Host to a Specific Organization”.
To assign the host to a location, see Section 2.15, “Assigning a Host to a Specific Location”.

2.7.7. Registering Hosts to Satellite 6 Using The Bootstrap Script

The bootstrap script, which is included in 6.2 and later, can be used to register new hosts or migrate existing hosts to Satellite 6.

The bootstrap script handles content registration, product certificates, and Puppet configuration. The bootstrap script has the advantage of taking a Red Hat Enterprise Linux system, regardless of where it is registered (RHN, Satellite 5, SAM, RHSM), or if it is registered at all, and subscribing it to Satellite 6.

The bootstrap script package, katello-client-bootstrap, is installed by default on the Satellite Server’s base system and the script itself is installed in the /var/www/html/pub/ directory to make it available to hosts. It can be accessed using a URL in the following form:

satellite6.example.com/pub/bootstrap.py

The script includes documentation in a readme file. To view the file on the Satellite CLI:

$ less /usr/share/doc/katello-client-bootstrap-version/README.md

Installing the Bootstrap Script on the Host:

As the script is only required once, and only for the root user, you can place it in /root and remove it after use, or place it in /usr/local/sbin. This example will use /root.

As root, install the bootstrap script on the host as follows:

Ensure you are in the correct directory. For example, to change to /root:
```
# cd
```
Download the script:
```
# curl -O http://satellite6.example.com/pub/bootstrap.py
```
This installs the script in the current directory.
Make the script executable:
```
# chmod +x bootstrap.py
```
To confirm that the script can now be run, view the usage statement as follows:
```
# ./bootstrap.py -h
```
Optionally, when the transition process is complete, remove the script:
```
# cd
# rm bootstrap.py
```

Required Permissions The user requires certain permissions in order to run the bootstrap script. You can set these permissions using roles through the web UI or using the Hammer command line tool.

Using the web UI to set permissions for the bootstrap script:

Navigate to Administer > Users.
Select an existing user or create a new user especially for the purpose of running this script. Users are located under the Username field. A new pane will open with tabs to modify information about the selected user.
Click the Roles tab.
Select Viewer and Edit hosts from the Roles list. The selected roles should appear on the Selected Items list confirming that they have been selected.
Warning
Be aware that the following role Edit hosts allows the user to edit and delete hosts as well as being able to add hosts. If this is not acceptable to your security policy, create a new role with the minimal permissions required by the bootstrap script. Create the bootstrap role using the Hammer command line tool, see Using Hammer to set permissions for the bootstrap script:, then assign this role alone, to the user who will be running the bootstrap script. Alternatively, create an appropriate role using the web UI, navigate to Administer > Roles. Subsequently, use the web UI to create a role and set up the appropriate filters.
Click Submit. The permissions required for the bootstrap script to run will now be set for the user you have specified.

Using Hammer to set permissions for the bootstrap script:

Create a role with the minimum permissions required by the bootstrap script. This example creates a role with the name Bootstrap. Modify this to provide a more specific name if you wish.

$ ROLE='Bootstrap'
$ hammer role create --name "$ROLE"
$ hammer filter create --role "$ROLE" --permissions view_organizations
$ hammer filter create --role "$ROLE" --permissions view_locations
$ hammer filter create --role "$ROLE" --permissions view_domains
$ hammer filter create --role "$ROLE" --permissions view_hostgroups
$ hammer filter create --role "$ROLE" --permissions view_hosts
$ hammer filter create --role "$ROLE" --permissions view_architectures
$ hammer filter create --role "$ROLE" --permissions view_ptables
$ hammer filter create --role "$ROLE" --permissions view_operatingsystems
$ hammer filter create --role "$ROLE" --permissions create_hosts

Assign the new role to an existing user.
```
$ hammer user add-role --id user_id --role Bootstrap
```
There is also the option to create a new user and assign this new role to them. For more information on how to create users through Hammer see Creating Users in the Red Hat Satellite Hammer CLI Guide.

Running the Bootstrap Script

Prerequisites

The bootstrap script is installed as described previously.
You have an activation key for your hosts. For configuring activation keys, see Managing Activation Keys in the Content Management Guide.
You have created a host group. For creating host groups, see Section 2.8, “Creating a Host Group”.
Note
Puppet fails to retrieve the Puppet CA certificate while registering a host with a host group associated with a Puppet environment created inside a Production environment. To create a suitable Puppet environment to be associated with a host group, follow these steps:
1. Manually create a directory and change the owner:
  # mkdir /etc/puppetlabs/code/environments/example_environment # chown apache /etc/puppetlabs/code/environments/example_environment
2. Navigate to Configure → Environments and click Import environment from. The button name will include the FQDN of the internal or external Capsule.
3. Choose the created directory and click Update.
To run the bootstrap script:
1. Enter the bootstrap command as follows with values suitable for your environment.
  Warning
  The example in this section specifies the admin user. If this is not acceptable to your security policy, create a new role with the minimal permissions required by the bootstrap script that can be added to the appropriate user. This is achieved using the web UI or Hammer, see ] and xref:proc-hammer_set_permissions[ for more information.
  For the --server option, specify the FQDN name of Satellite Server or Capsule Server. For --location, --organization, and --hostgroup options, use quoted names, not labels, as arguments to the options. See Section 2.7.8, “Advanced Bootstrap Script Configuration” for advanced use cases.
```
# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key
```
  The script will prompt you for the password corresponding to the Satellite user name you entered with the --login option.
2. The script will run and send notices of progress to stdout. Watch for output prompting you to approve the certificate. For example:
```
[NOTIFICATION], [2016-04-26 10:16:00], [Visit the UI and approve this certificate via Infrastructure->Capsules]
[NOTIFICATION], [2016-04-26 10:16:00], [if auto-signing is disabled]
[RUNNING], [2016-04-26 10:16:00], [/usr/bin/puppet agent --test --noop --tags no_such_tag --waitforcert 10]
```
  The host will wait indefinitely until an administrator approves the Puppet certificate.
  1. In the web UI, navigate to Infrastructure > Capsules.
  2. Select Certificates to the right of the name of the Capsule corresponding to the FQDN given with --server option.
  3. In the Actions column select Sign to approve the host’s Puppet certificate.
  4. Return to the host to see the remainder of the bootstrap process completing.
3. In the web UI, navigate to Hosts > All hosts and ensure that the host is connected to the correct host group.

If the Katello agent is not installed on the host, proceed to Section 2.7.4, “Installing the Katello Agent”.

2.7.8. Advanced Bootstrap Script Configuration

The standard workflow of using the bootstrap script has been outlined in Running the Bootstrap Script. This section covers some more examples.

Warning

The examples in this section specify the admin user. If this is not acceptable to your security policy, create a new role with the minimal permissions required by the bootstrap script. See ] and xref:proc-hammer_set_permissions[ for more information.

Migrating a host from one Satellite 6 to another Satellite 6.

Use the script with --force, and the script will remove the katello-ca-consumer-* packages from the old Satellite and install the katello-ca-consumer-* packages from the new Satellite. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--force

Migrating a host from Red Hat Network (RHN) or Satellite 5 to Satellite 6.

The bootstrap script detects the presence of /etc/syconfig/rhn/systemid and a valid connection to RHN as an indicator that the system is registered to a legacy platform. The script then calls rhn-classic-migrate-to-rhsm to migrate the system from RHN. By default, the script does not delete the system’s legacy profile due to auditing reasons. To remove the legacy profile, use --legacy-purge and use --legacy-login to supply an user account that has appropriate permissions to remove a profile. Enter the user account password when prompted. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--legacy-purge \
--legacy-login rhn-user

Registering a host to Satellite 6, omitting Puppet setup.

By default, the bootstrap script configures the host for content management and configuration management. If you have an existing configuration management system and do not want to install puppet on the host, use --skip-puppet. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--skip-puppet

Registering a host to Satellite 6 for content management only.

To register a system as a content host, and leave out the provisioning and configuration management functions, use --skip-foreman. For example:

# bootstrap.py --server satellite6.example.com \
--organization="Example Organization" \
--activationkey=activation_key \
--skip-foreman

Changing the method the bootstrap script uses to download the consumer RPM.

By default, the bootstrap script uses HTTP to download the consumer RPM (server.example.com/pub/katello-ca-consumer-latest.noarch.rpm). In some environments, you might want to allow HTTPS only between the host and Satellite. Use --download-method to change the download method from HTTP to HTTPS. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--download-method https

Providing the host’s IP address to Satellite

On hosts with multiple interfaces or multiple IP addresses on one interface, you may need to override the auto-detection of the IP address and provide a specific IP address to Satellite. Use --ip. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--ip 192.x.x.x

Enabling Remote Execution on the host.

Use --rex and --rex-user to enable remote execution and add the required SSH keys for the specified user. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--rex \
--rex-user root

Creating a domain for a host at registration time.

To create a host record, the DNS domain of a host needs to exist in Satellite prior to running script. If the domain does not exist, add it using --add-domain. For example:

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--add-domain

Providing an arbitrary Fully Qualified Domain Name (FQDN) for the host.

If the host’s host name is not an FQDN, or is not RFC compliant (containing a character such as an underscore), the script will fail at the host name validation stage. Use --fqdn to specify the FQDN that will be reported to Satellite. To do so, you will need to set create_new_host_when_facts_are_uploaded and create_new_host_when_report_is_uploaded to false using hammer. For example:

# hammer settings set \
--name  create_new_host_when_facts_are_uploaded \
--value false
# hammer settings set \
--name  create_new_host_when_report_is_uploaded \
--value false

# bootstrap.py --login=admin \
--server satellite6.example.com \
--location="Example Location" \
--organization="Example Organization" \
--hostgroup="Example Host Group" \
--activationkey=activation_key \
--fqdn node100.example.com

2.8. Creating a Host Group

If you create a high volume of hosts, many of the hosts can have common settings and attributes. Adding these settings and attributes for every new host is time consuming. If you use host groups, you can apply common attributes to hosts that you create.

A host group functions as a template for common host settings, containing many of the same details that you provide to hosts. When you create a host with a host group, the host inherits the defined settings from the host group. You can then provide additional details to individualize the host.

Host Group Hierarchy

You can also create a hierarchy of host groups. Aim to have one base level host group that represents all hosts in your organization and provide general settings, and then nested groups to provide specific settings. For example, you can have a base host level group that defines the operating system, and two nested host groups that inherit the base level host group:

Hostgroup: Base (Red Hat Enterprise Linux 7.2)
- Hostgroup: Webserver (applies the httpd Puppet class)
  - Host: webserver1.example.com (web server)
  - Host: webserver2.example.com (web server)
- Hostgroup: Storage (applies the nfs Puppet class)
  - Host: storage1.example.com (storage server)
  - Host: storage2.example.com (storage server)
- Host: custom.example.com (custom host)

In this example, all hosts use Red Hat Enterprise Linux 7.2 as their operating system because of their inheritance of the Base host group. The two web server hosts inherit the settings from the Webserver host group, which includes the httpd Puppet class and the settings from the Base host group. The two storage servers inherit the settings from the Storage host group, which includes the nfs Puppet class and the settings from the Base host group. The custom host only inherits the settings from the Base host group.

To Create a Host Group

In the Satellite web UI, navigate to Configure > Host Groups and click Create Host Group.
If you have an existing host group that you want to inherit attributes from, you can select a host group from the Parent list. If you do not, leave this field blank.
In the Name field, enter a name for the new host group.
Enter any further information that you want future hosts to inherit.
Click the Ansible Roles tab, and from the Ansible Roles list, select one or more roles that you want to add to the host. Use the arrow icon to manage the roles that you add or remove.
Click the additional tabs and add any details that you want to attribute to the host group.
Note
Puppet fails to retrieve the Puppet CA certificate while registering a host with a host group associated with a Puppet environment created inside a Production environment. To create a suitable Puppet environment to be associated with a host group, follow these steps:
1. Manually create a directory and change the owner:
  # mkdir /etc/puppetlabs/code/environments/example_environment # chown apache /etc/puppetlabs/code/environments/example_environment
Click Submit to save the host group.

For CLI Users

Create the host group with the hammer hostgroup create command. For example:

# hammer hostgroup create --name "Base" \
--lifecycle-environment "Production" --content-view "Base" \
--environment "production" --content-source-id 1 \
--puppet-ca-proxy-id 1 --puppet-proxy-id 1 --domain "example.com" \
--subnet `ACME's Internal Network` --architecture "x86_64" \
--operatingsystem "RedHat 7.2" --medium-id 9 \
--partition-table "Kickstart default" --root-pass "p@55w0rd!" \
--locations "New York" --organizations "ACME"

2.9. Changing the Group of a Host

The following steps show you how to change the group of a host.

Navigate to Hosts > All hosts.
Select the check box of the host you want to change.
From the Select Action menu at the upper right of the screen, select Change Group. A new option window will open.
From the Host Group menu, select the group that you want for your host.
Click Submit.

2.10. Changing the Environment of a Host

The following steps show you how to change the environment of a host.

Navigate to Hosts > All hosts.
Select the check box of the host you want to change.
From the Select Action menu at the upper right of the screen, select Change Environment. A new option window will open.
From the Environment menu, select the new environment for your host.
Click Submit.

2.11. Adding an Ansible Role to a Host Group

You can use Ansible roles for remote management of Red Hat Enterprise Linux version 6.9 or later.

Before you can assign Ansible roles to host groups in Satellite, ensure that you import the roles to Satellite. For more information, see Adding Red Hat Enterprise Linux System Roles in the Administering Red Hat Satellite.

If you have an existing host group that you want to add Ansible Roles to, complete the following steps:

In the Satellite web UI, navigate to Configure > Host Groups.
From the list of host groups, click the host group name that you want to add an Ansible Role to.
Click the Ansible Roles tab, and from the Ansible roles list, select one or more roles that you want to add to the host. Use the arrow icon to manage the roles that you add or remove.
Click Submit to save your changes.

2.12. Running Ansible Roles on a Host Group

Before you begin, you must import Ansible roles in Satellite and assign the roles to your host group. For more information, see Section 2.11, “Adding an Ansible Role to a Host Group”.

You must have at least one host in your host group.

To Run an Ansible Role:

In the Satellite web UI, navigate to Configure > Host Groups, and select the check box of the host group that contains the Ansible role you want to run.
From the Actions column for the host group, select the arrow icon to the right of the Nest button, and then select Play Roles.

On the Run Ansible Roles page, you can view the status of your Ansible job. To rerun a job, click the Rerun button.

2.13. Managing Hosts

Hosts provisioned by Satellite are managed by default. When the host is set to managed, it is possible to configure additional host parameters from Satellite Server. These additional parameters are listed on the Operating System tab.

If you change any settings on the Operating System tab they will not take effect until you set the host to build and reboot it.

If there is a necessity to obtain reports about configuration management in systems using an operating system not supported by Satellite it is recommended to unmanage the host.

The following procedure shows how to switch a host between Managed and Unmanaged status.

Navigate to Hosts > All hosts.
Select the host.
Click Edit.
Click Manage host or Unmanage host to change the host’s status.
Click Submit to save the changes.

2.14. Assigning a Host to a Specific Organization

The following steps show you how to assign a host to a specific organization. For general information about organizations and how to configure them, see Managing Organizations in the Content Management Guide.

Navigate to Hosts > All hosts.
Select the check box of the host you want to change.
From the Select Action menu at the upper right of the screen, select Assign Organization. A new option window will open.
Navigate to the Select Organization menu and choose the organization that you want to assign for your host. Select the check box Fix Organization on Mismatch.
Note
A mismatch happens if there is a resource associated with a host, such as a domain or subnet, and at the same time not associated with the organization you want to assign the host to. The option Fix Organization on Mismatch will add such a resource to the organization, and is therefore the recommended choice. The option Fail on Mismatch, on the other hand, will always result in an error message. For example, reassigning a host from one organization to another will fail, even if there is no actual mismatch in settings.
Click Submit.

2.15. Assigning a Host to a Specific Location

The following steps show you how to assign a host to a specific location. For general information about locations and how to configure them, see Creating a Location in the Provisioning Guide.

Navigate to Hosts > All hosts.
Select the check box of the host you want to change.
From the Select Action menu at the upper right of the screen, select Assign Location. A new option window will open.
Navigate to the Select Location menu and choose the location that you want for your host. Select the check box Fix Location on Mismatch.
Note
A mismatch happens if there is a resource associated with a host, such as a domain or subnet, and at the same time not associated with the organization you want to assign the host to. The option Fix Organization on Mismatch will add such a resource to the organization, and is therefore the recommended choice. The option Fail on Mismatch, on the other hand, will always result in an error message. For example, reassigning a host from one organization to another will fail, even if there is no actual mismatch in settings.
Click Submit to complete the assigning of the location to your host.

2.16. Configuring an Additional Network Interface

Red Hat Satellite supports specifying multiple network interfaces for a single host. You can configure these interfaces when creating a new host as described in Section 2.4, “Creating a Host” or when editing an existing host.

There are several types of network interfaces that you can attach to a host. When adding a new interface, select one of:

Interface: Allows you to specify an additional physical or virtual interface. There are two types of virtual interfaces you can create. Use VLAN when the host needs to communicate with several (virtual) networks using a single interface, while these networks are not accessible to each other. Another type of virtual interface is alias, which is an additional IP address attached to an existing interface. See ], or xref:sect-Red_Hat_Satellite-Managing_Hosts-Configuring_an_Additional_Network_Interface-Adding_a_Physical_Interface[ for details.
Bond: Creates a bonded interface. NIC bonding is a way to bind multiple network interfaces together into a single interface that appears as a single device and has a single MAC address. This enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy. See Section 2.16.3, “Adding a Bonded Interface” for details.
BMC: Baseboard Management Controller (BMC) allows you to remotely monitor and manage physical state of machines. For more information about BMC, see Enabling Power Management on Managed Hosts in Installing Satellite Server from a Connected Network and for more information about configuring BMC interfaces, see Section 2.16.4, “Adding a Baseboard Management Controller (BMC) Interface”.

Note

Additional interfaces have by default the Managed flag enabled, which means the new interface is configured automatically during provisioning by the DNS and DHCP Capsule Servers associated with the selected subnet. This requires a subnet with correctly configured DNS and DHCP Capsule Servers. If you use a kickstart method for host provisioning, configuration files are automatically created for managed interfaces in the post-installation phase at /etc/sysconfig/network-scripts/ifcfg-$interface_id.

Note

Virtual and bonded interfaces currently require a MAC address of a physical device. Therefore, the configuration of these interfaces works only on bare-metal hosts.

2.16.1. Adding a Physical Interface

The following steps show how to add and additional physical interface to a host.

To Add a Physical Interface:

Navigate to Hosts > All hosts to view available hosts.
Click Edit next to the host you want to edit.
On the Interfaces tab, click Add Interface.
Keep the Interface option selected in the Type menu.
Specify a MAC address of the additional interface. This setting is required.
Specify the device Identifier, for example eth0 or eth1.1. Identifier is used for bonded interfaces (in the Attached devices field, see ]), VLANs and aliases (in the Attached to field, see xref:proc-Red_Hat_Satellite-Managing_Hosts-Adding_a_Virtual_Interface-To_Add_a_Virtual_Interface[).
Specify the DNS name associated with the host’s IP address. Satellite saves this name in the Capsule Server associated with the selected domain (the "DNS A" field) and the Capsule Server associated with the selected subnet (the "DNS PTR" field). A single host can therefore have several DNS entries.
Select a domain from the Domain drop-down menu. To create and manage domains, navigate to Infrastructure > Domains.
Select a subnet from the Subnet drop-down menu. To create and manage subnets, navigate to Infrastructure > Subnets.
Specify the interface IP address. Managed interfaces with assigned DHCP Capsule Server require this setting for creating a DHCP lease. DHCP-enabled managed interfaces provide an automatic suggestion of IP address.
Decide if the interface will be managed. If the Managed check box is selected, the interface configuration is pulled from the associated Capsule Server during provisioning, and DNS and DHCP entries are created. If using kickstart provisioning, a configuration file is automatically created for the interface.
Select the Virtual NIC check box to create a virtual interface. See Section 2.16.2, “Adding a Virtual Interface” for details.
Click OK to save the interface configuration, and then click Submit to apply the changes to the host.

2.16.2. Adding a Virtual Interface

The following procedure shows how to configure an additional virtual interface for a host. This can be either a VLAN or an alias interface.

An alias interface is an additional IP address attached to an existing interface. Note that:

An alias interface automatically inherits a MAC address from the interface it is attached to, therefore you can create an alias without specifying a MAC address.
The interface must be specified in a subnet with boot mode set to static.

To Add a Virtual Interface:

Navigate to Hosts > All hosts to view available hosts.
Click Edit next to the host you want to edit.
On the Interfaces tab, click Add Interface.
Keep the Interface option selected in the Type menu.
Specify the general interface settings. The applicable configuration options are the same as for the physical interfaces described in Section 2.16.1, “Adding a Physical Interface”.
Specify MAC address for managed virtual interfaces so that the configuration files for provisioning are generated correctly. However, MAC address is not required for virtual interfaces that are not managed.
If creating a VLAN, specify ID in the form of eth1.10 in the Identifier field. If creating an alias, use ID in the form of eth1:10.
Select the Virtual NIC check box. Additional configuration options specific to virtual interfaces are appended to the form:
- Tag: You can specify tags per interface to provide a higher-level segmentation of the network. If left blank, managed interfaces inherit the tag form the VLAN ID of the associated subnet, given that this subnet has the VLAN ID specified. User-specified entries from this field are not applied on alias interfaces.
- Attached to: Specify the identifier of the physical interface to which the virtual interface belongs, for example eth1. This setting is required.
Click OK to save the interface configuration. Then click Submit to apply the changes to the host.

2.16.3. Adding a Bonded Interface

The following steps show how to configure a bonded interface for a host.

To Add a Bonded Interface:

Navigate to Hosts > All hosts to view available hosts.
Click Edit next to the host you want to edit.
On the Interfaces tab, click Add Interface.
Select Bond from the Type menu. Additional type-specific configuration options are appended to the form.
Specify the general interface settings. The applicable configuration options are the same as for the physical interfaces described in Section 2.16.1, “Adding a Physical Interface”. Bonded interfaces use IDs in the form of bond0 in the Identifier field. It is sufficient if you specify a single MAC address in the MAC address field.
Specify the configuration options specific to bonded interfaces:
- Mode: Select the bonding mode that defines a policy for fault tolerance and load balancing. See Table 2.2, “Bonding Modes Available in Red Hat Satellite” for a brief description of individual bonding modes.
- Attached devices: Specify a comma separated list of identifiers of attached devices. These can be physical interfaces or VLANs.
- Bond options: Specify a space separated list of configuration options, for example miimon=100. There are several configuration options you can specify for the bonded interface, see Red Hat Enterprise Linux 7 Networking Guide for details.
Click OK to save the interface configuration. Then click Submit to apply the changes to the host.

Table 2.2. Bonding Modes Available in Red Hat Satellite

Bonding Mode	Description
balance-rr	Transmissions are received and sent out sequentially on each bonded interface.
active-backup	Transmissions are received and sent out via the first available bonded interface. Another bonded interface is only used if the active bonded interface fails.
balance-xor	Transmissions are based on the selected hash policy. In this mode, traffic destined for specific peers will always be sent over the same interface.
broadcast	All transmissions are sent on all bonded interfaces.
802.a3	Creates aggregation groups that share the same settings. Transmits and receives on all interfaces in the active group.
balance-tlb	The outgoing traffic is distributed according to the current load on each bonded interface.
balance-alb	Receive load balancing is achieved through Address Resolution Protocol (ARP) negotiation.

2.16.4. Adding a Baseboard Management Controller (BMC) Interface

This section describes how to configure a baseboard management controller (BMC) interface for a host that supports this feature.

Prerequisites

Ensure the following prerequisites are satisfied before proceeding:

BMC is enabled on the Capsule Server. If required, see To Enable BMC Power Management on an Existing Capsule Server:.
The ipmitool package is installed.
You know the MAC address, IP address, and other details of the BMC interface on the host, and the appropriate credentials for that interface.
Note
You only need the MAC address for the BMC interface if the BMC interface is managed. This is so that it can create a DHCP reservation.

To Enable BMC Power Management on an Existing Capsule Server:

Use the satellite-installer routine to configure BMC power management on the Capsule Server by running the following command with the following options:
```
# satellite-installer --foreman-proxy-bmc=true \ --foreman-proxy-bmc-default-provider=ipmitool
```
Refresh the features for the Capsule Server.
1. Log in to the Satellite web UI, and navigate to Infrastructure > Capsules.
2. Identify the Capsule Server whose features you need to refresh. In the drop-down list on the right, click Refresh. The list of features in the Features column should now include BMC.

To Add a BMC Interface:

Navigate to Hosts > All hosts to view available hosts.
Click Edit next to the host you want to edit.
On the Interfaces tab, click Add Interface.
Select BMC from the Type menu. Type-specific configuration options are appended to the form.
Specify the general interface settings. The applicable configuration options are the same as for the physical interfaces described in Section 2.16.1, “Adding a Physical Interface”.
Specify the configuration options specific to BMC interfaces:
- Username, Password: Specify any authentication credentials required by BMC.
- Provider: Specify the BMC provider.
Click OK to save the interface configuration, and then click Submit to apply the changes to the host.

2.17. Removing a Host

The following procedure shows how to remove a host from Red Hat Satellite.

To Remove a Host:

Click Hosts > All hosts or Hosts > Content Hosts.
Select the hosts that you want to remove.
Click Select Action and select Delete Hosts from the drop-down menu.
Click Submit to remove the host from Red Hat Satellite permanently.

Warning

If a host record that is associated with a virtual machine is deleted, the virtual machine will be deleted as well. To avoid deleting the virtual machine in this situation, disassociate the virtual machine from Satellite without removing it from the hypervisor.

To Disassociate A Virtual Machine from Satellite without Removing it from a Hypervisor

In the Satellite web UI, navigate to Hosts > All Hosts and select the check box to the left of the hosts to be disassociated.
From the Select Action drop-down menu, select the Disassociate Hosts button.
In the confirmation window:
1. Optionally, select the check box to keep the hosts for future action.
2. Click Submit to save your changes.

Chapter 3. Configuring Host Collections

A host collection is a group of multiple content hosts. This feature enables you to perform the same action on multiple hosts at once. These actions can include the installation, removal, and update of packages and errata, change of assigned life cycle environment, and change of Content View. You can create host collections to suit your requirements, and those of your company. For example, group hosts in host collections by function, department, or business unit.

3.1. Creating a Host Collection

The following procedure shows how to create host collections.

To Create a Host Collection:

Click Hosts > Host Collections.
Click New Host Collection.
Add the Name of the host collection.
Clear Unlimited Content Hosts, and enter the desired maximum number of hosts in the Limit field.
Add the Description of the host collection.
Click Save.

3.2. Cloning a Host Collection

The following procedure shows how to clone a host collection.

To Clone a Host Collection:

Click Hosts > Host Collections.
On the left hand panel, click the host collection you want to clone.
Click Copy Collection.
Specify a name for the cloned collection.
Click Create.

3.3. Removing a Host Collection

The following procedure shows how to remove a host collection.

To Remove a Host Collection:

Click Hosts > Host Collections.
Choose the host collection to be removed.

Click Remove. An alert box appears:

Are you sure you want to remove host collection Host Collection Name?

Click Remove.

3.4. Adding a Host to a Host Collection

The following procedure shows how to add hosts to host collections.

Prerequisites

A host must be registered to Red Hat Satellite in order to add it to a Host Collection. Refer to Section 2.7, “Registration” for information on how to register a host.

To Add Hosts to a Host Collection:

Click Hosts > Host Collections.
Click the host collection where the host should be added.
On the Hosts tab, select the Add subtab.
Select the hosts to be added from the table and click Add Selected.

3.5. Removing a Host from a Host Collection

The following procedure shows how to remove hosts from host collections.

To Remove Hosts from a Host Collection:

Click Hosts > Host Collections.
Choose the desired host collection.
On the Hosts tab, select the List/Remove subtab.
Select the hosts you want to remove from the host collection and click Remove Selected.

3.6. Adding Content to a Host Collection

These steps show how to add content to host collections in Red Hat Satellite.

3.6.1. Adding Packages to a Host Collection

The following procedure shows how to add packages to host collections.

Prerequisites

The content to be added should be available in one of the existing repositories or added prior to this procedure.
Content should be promoted to the environment where the hosts are assigned.

To Add Packages to Host Collections:

Click Hosts > Host Collections.
Click the host collection where the package should be added.
On the Collection Actions tab, click Package Installation, Removal, and Update.
To update all packages, click the Update All Packages button to use the default method. Alternatively, select the drop-down icon to the right of the button to select a method to use. Selecting the via remote execution - customize first menu entry will take you to the Job invocation page where you can customize the action.
Select the Package or Package Group radio button as required.
In the field provided, specify the package or package group name. Then click:
- Install — to install a new package using the default method. Alternatively, select the drop-down icon to the right of the button and select a method to use. Selecting the via remote execution - customize first menu entry will take you to the Job invocation page where you can customize the action.
- Update — to update an existing package in the host collection using the default method. Alternatively, select the drop-down icon to the right of the button and select a method to use. Selecting the via remote execution - customize first menu entry will take you to the Job invocation page where you can customize the action.

3.6.2. Adding Errata to a Host Collection

The following procedure shows how to add errata to host collections.

Prerequisites

The errata to be added should be available in one of the existing repositories or added prior to this procedure.
Errata should be promoted to the environment where the hosts are assigned.

To Add Errata to a Host Collection:

Click Hosts > Host Collections.
Select the host collection where the errata should be added.
On the Collection Actions tab, click Errata Installation.
Select the errata you want to add to the host collection and click the Install Selected button to use the default method. Alternatively, select the drop-down icon to the right of the button to select a method to use. Selecting the via remote execution - customize first menu entry will take you to the Job invocation page where you can customize the action.

3.7. Removing Content from a Host Collection

The following procedure shows how to remove packages from host collections.

To Remove Content from a Host Collection:

Click Hosts > Host Collections.
Click the host collection where the package should be removed.
On the Collection Actions tab, click Package Installation, Removal, and Update.
Select the Package or Package Group radio button as required.
In the field provided, specify the package or package group name.
Click the Remove button to remove the package or package group using the default method. Alternatively, select the drop-down icon to the right of the button and select a method to use. Selecting the via remote execution - customize first menu entry will take you to the Job invocation page where you can customize the action.

3.8. Changing the Life Cycle Environment or Content View of a Host Collection

The following procedure shows how to change the assigned life cycle environment or Content View of host collections.

To Change the Life Cycle Environment or Content View of a Host Collection:

Click Hosts > Host Collection.
Selection the host collection where the life cycle environment or Content View should be changed.
On the Collection Actions tab, click Change assigned Life Cycle Environment or Content View.
Select the life cycle environment to be assigned to the host collection.
Select the required Content View from the drop-down list.
Click Assign.
Note
The changes take effect in approximately 4 hours. To make the changes take effect immediately, on the host, enter the following command:
```
# subscription-manager refresh
```
You can use remote execution to run this command on multiple hosts at the same time.

Chapter 4. Running Jobs on Hosts

Red Hat Satellite supports the ability to run jobs with arbitrary commands on hosts using shell scripts and to run Ansible tasks and playbooks. This is referred to as remote execution.

Remote execution is enabled by default on the Satellite Server, but must be enabled manually on Capsule Servers. For custom Ansible roles that you create, or roles that you download, the package containing the roles must be installed on the Capsule’s base system where a task is executed, or a playbook is run. The roles must also be imported into Satellite from the Capsule where they are installed before Satellite can use them.

Communication occurs through the Capsule Server which means that Satellite Server does not require direct access to the target host, and can scale to control many hosts. Remote execution uses the SSH service which must be enabled and running on the target host. Ensure the Capsule has access to port 22 on the target hosts.

Satellite uses ERB syntax job templates similar to the provisioning templates. Several job templates for shell scripts and Ansible are included by default. See Section 4.4.1, “Setting up Job Templates”.

Note

Any Capsule Server’s base system is a client of Satellite Server’s internal Capsule, and therefore this section applies to any type of host connected to Satellite Server, including Capsule Servers.

You can run jobs on multiple hosts at once, and you can use variables in your commands to suit your deployment. Variable values can be filled by host fact, Smart Class Parameter, Smart Variable, or even host parameter. In addition, you can specify custom values for templates when you run the command. See Section 4.4.2, “Executing Jobs”.

By default, each Capsule is installed with the remote execution feature disabled. To enable remote execution, enter the following command:

# satellite-installer --scenario capsule \
--enable-foreman-proxy-plugin-remote-execution-ssh

To verify that remote execution is enabled on the Capsule Server, in the web UI navigate to Infrastructure > Capsules and in the Actions column, to the right of the edit icon, select Refresh features and confirm the feature is listed.

By default, Satellite Server is configured to use remote execution rather than Katello Agent. These settings can be changed by first creating custom job templates and then selecting these new templates in the web UI by going to Administer > Remote Execution Features. For each action you want to change, select the label and then select the job template to use.

4.1. Establishing a Secure Connection for Remote Commands

The SSH keys used for remote execution are created automatically when installing a Capsule and the settings are in the /etc/foreman-proxy/settings.d/remote_execution_ssh.yml file. They include the following options:

ssh_identity_file: File to load the SSH key from. By default, set to /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.
local_working_dir: Directory used on the Satellite or Capsule to run the scripts necessary for remote execution. By default, set to /var/tmp.
remote_working_dir: Directory on the client system that is used to execute the remote execution jobs. By default, set to /var/tmp.

Note

If the client system has noexec set for the /var/ volume or file system, change the remote_working_dir as otherwise the remote execution job will fail since the script cannot be run.

If you must use an alternative directory, create the new directory, for example new_place, and then copy the SELinux context from the default directory. For example:

# chcon --reference=/var new_place

See Maintaining SELinux Labels in the SELinux User’s and Administrator’s Guide for more information on working with SELinux labels.

Distributing SSH Keys for Remote Execution

To use SSH keys for authenticating remote execution connections, distribute the public SSH key from a Capsule to its attached hosts that you want to manage. Ensure the SSH service is enabled and running on the hosts. Configure any network or host-based firewalls to enable access to port 22.

There are three ways to distribute the public key from a Capsule to target hosts:

To distribute SSH keys manually, enter the following command on the Capsule:
```
# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub root@target.example.com
```
Where target.example.com is the host name of the target host. Repeat for each target host you want to manage.
To confirm the key was successfully copied to the target host, enter the following command on the Capsule:
```
# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@target.example.com
```
To use the Satellite API to download the public key directly from the Capsule, enter the following command on each target host:
```
# curl https://capsule.example.com:9090/ssh/pubkey >> ~/.ssh/authorized_keys
```
Where capsule.example.com is the host name of the Capsule that the host is attached to.
To include the public key in newly-provisioned hosts, modify for example the Kickstart default finish template to include the following line:
```
<%= snippet 'remote_execution_ssh_keys' %>
```

4.2. Configuring a keytab for Kerberos Ticket Granting Tickets

Use this procedure to configure Satellite to use a keytab to obtain Kerberos ticket granting tickets. If you do not set up a keytab, you must manually retrieve tickets.

To ensure that the foreman-proxy user on Satellite can obtain Kerberos ticket granting tickets, complete the following steps:

Find the ID of the foreman-proxy user:
```
# id -u foreman-proxy
```
Modify the umask value so that new files have the permissions 600:
```
# umask 077
```

Create the directory for the keytab:

# mkdir -p "/var/kerberos/krb5/user/USER_ID"

Create a keytab or copy an existing keytab to the directory:

# cp your_client.keytab /var/kerberos/krb5/user/USER_ID/client.keytab

Change the directory owner to the foreman-proxy user:

# chown -R foreman-proxy:foreman-proxy "/var/kerberos/krb5/user/USER_ID"

Ensure that the keytab file is read-only:

# chmod -wx "/var/kerberos/krb5/user/USER_ID/client.keytab"

Restore the SELinux context:
```
# restorecon -RvF /var/kerberos/krb5
```

4.3. Setting Up Kerberos Authentication for Remote Execution

From Satellite 6.4, you can use Kerberos authentication to establish an SSH connection for remote execution on Satellite hosts.

Prerequisites

Before you can use Kerberos authentication for remote execution on Red Hat Satellite, you must set up a Kerberos server for identity management and ensure that you complete the following prerequisites:

Enroll Satellite Server on the Kerberos server
Enroll the Satellite target host on the Kerberos server
Configure and initialize a Kerberos user account for remote execution
Ensure that the foreman-proxy user on Satellite has a valid Kerberos ticket granting ticket

To set up Satellite to use Kerberos authentication for remote execution on hosts, complete the following steps:

Before installing the tfm-rubygem-net-ssh-krb package, you must temporarily set SELinux to permissive until Red Hat bug 1541481 is resolved:
```
# setenforce 0
```
To install the tfm-rubygem-net-ssh-krb package, enter the following command:
```
# yum install tfm-rubygem-net-ssh-krb
```

To install and enable Kerberos authentication for remote execution, enter the following command:

# satellite-installer --scenario satellite \
 --foreman-proxy-plugin-remote-execution-ssh-ssh-kerberos-auth true

Set SELinux to enforcing:
```
# setenforce 1
```
To edit the default user for remote execution, in the Satellite web UI, navigate to Administer > Settings and click the RemoteExecution tab. In the remote_execution_ssh_user row, edit the second column and add the user name for the Kerberos account.
Navigate to remote_execution_effective_user and edit the second column to add the user name for the Kerberos account.

To confirm that Kerberos authentication is ready to use, run a remote job on the host.

4.4. Configuring and Running Remote Jobs

Any command that you want to apply to a remote host must be defined as a job template. After you have defined a job template you can execute it multiple times.

4.4.1. Setting up Job Templates

Satellite provides default job templates that you can use for executing jobs. To view the list of job templates, navigate to Hosts > Job templates. If want to use a template without making changes, proceed to Section 4.4.2, “Executing Jobs”.

You can use default templates as a base for developing your own. Default job templates are locked for editing. Clone the template and edit the clone.

To clone a template, in the Actions column, select Clone.
Enter a unique name for the clone and click Submit to save the changes.

Job templates use the Embedded Ruby (ERB) syntax. For more information about writing templates, see the Appendix A, Template Writing Reference.

Ansible Considerations

To create an Ansible job template, use the following procedure and instead of ERB syntax, use YAML syntax. Begin the template with --- and to the first line, you must add - hosts: all. You can embed an Ansible playbook YAML file into the job template body. You can also add ERB syntax to customize your YAML Ansible template. You can also import Ansible playbooks in Satellite. For more information, see Synchronizing Templates with Git in the Content Management Guide.

Parameter Variables

At run time, job templates can accept parameter variables that you define for a host. Note that only the parameters visible on the Parameters tab at the host’s edit page can be used as input parameters for job templates. If you do not want your Ansible job template to accept parameter variables at run time, in the Satellite web UI, navigate to Administer > Settings and click the Ansible tab. In the Top level Ansible variables row, change the Value parameter to No.

To Create a Job Template:

Navigate to Hosts > Job templates.
Click New Job Template.
Click the Template tab, and in the Name field, enter a unique name for your job template.
Select Default to make the template available for all organizations and locations.
Create the template directly in the template editor or upload it from a text file by clicking Import.
Optional: In the Audit Comment field, add information about the change.
Click the Job tab, and in the Job category field, enter your own category or select from the default categories listed in Table 4.1, “Default Job Template Categories”.
Optional: In the Description Format field, enter a description template. For example, Install package %{package_name}. You can also use %{template_name} and %{job_category} in your template.
From the Provider Type menu, select SSH for shell scripts and Ansible for Ansible tasks or playbooks.
Optional: In the Timeout to kill field, enter a timeout value to terminate the job if it does not complete.
Optional: Click Add Input to define an input parameter. Parameters are requested when executing the job and do not have to be defined in the template. For examples, see the Help tab.
Optional: Click Foreign input set to include other templates in this job.
Optional: In the Effective user area, configure a user if the command cannot use the default remote_execution_effective_user setting.
Optional: If this template is a snippet to be included in other templates, click the Type tab and select Snippet.
Click the Location tab and add the locations where you want to use the template.
Click the Organizations tab and add the organizations where you want to use the template.
Click Submit to save your changes.

You can create advanced templates by including other templates in the template syntax, see ] for more information. An advanced template is required, for example, for executing jobs that perform power actions; see xref:exam-Managing_Hosts-Including_Power_Actions_in_Templates[ for information on how to include the Power Action - SSH Default template in a custom template.

Table 4.1. Default Job Template Categories

Job template category	Description
Packages	Templates for performing package related actions. Install, update, and remove actions are included by default.
Puppet	Templates for executing Puppet runs on target hosts.
Power	Templates for performing power related actions. Restart and shutdown actions are included by default.
Commands	Templates for executing custom commands on remote hosts.
Services	Templates for performing service related actions. Start, stop, restart, and status actions are included by default.
Katello	Templates for performing content related actions. These templates are used mainly from different parts of the Satellite web UI (for example bulk actions UI for content hosts), but can be used separately to perform operations such as errata installation.

Example 4.1. Creating a restorecon Template

This example shows how to create a template called Run Command - restorecon that will restore the default SELinux context for all files in the selected directory on target hosts.

Navigate to Hosts > Job templates. Click New Job Template.
Enter Run Command - restorecon in the Name field. Select Default to make the template available to all organizations. Add the following text to the template editor:
```
restorecon -RvF <%= input("directory") %>
```
The <%= input("directory") %> string will be replaced by a user-defined directory during job invocation.
On the Job tab, set Job category to Commands.
Click Add Input to allow job customization. Enter directory to the Name field. The input name must match the value specified in the template editor.
Click Required so that the command cannot be executed without the user specified parameter.
Select User input from the Input type drop-down list. Enter a description to be shown during job invocation, for example Target directory for restorecon.
Click Submit.

See Example 4.2, “Executing a restorecon Template on Multiple Hosts” for information on how to execute a job based on this template.

4.4.2. Executing Jobs

This section shows how to run a job based on a job template against one or more hosts.

To Execute a Remote Job:

Navigate to Hosts > All hosts and select the target hosts for your job. You can use the search field to filter the host list.
From the Select Action menu, select Schedule Remote Job.
On the Job invocation page, define the main job settings:
1. Select the Job category and the job template you want to use.
2. Optionally, select a stored search string in the Bookmark list to specify the target hosts.
3. Optionally, further limit the targeted hosts by entering a Search query. The Resolves to line displays the number of hosts affected by your query. Use the refresh button to recalculate the number after changing the query. The preview icon will list the targeted hosts.
4. The remaining settings depend on the selected job template. See To Create a Job Template: for information on adding custom parameters to a template.
Clicking Display advanced fields will show advanced setting for the job. Some of the advanced settings depend on the job template, the following settings are general:
- Effective user defines the user for executing the job, by default it is the SSH user.
- Concurrency level defines maximum number of jobs executed at once, which can prevent overload of systems' resources in a case of executing the job on a large number of hosts.
- Time span defines time interval in seconds after which the job should be killed, if it is not finished already. A task which could not be started during the defined interval, for example, if the previous task took too long to finish, is canceled.
- Type of query defines when the search query is evaluated. This helps to keep the query up to date for scheduled tasks.
  Concurrency level and Time span settings enable you to tailor job execution to fit your infrastructure hardware and needs.
If you want to run the job immediately, ensure that Schedule is set to Execute now. You can also define a one-time future job, or set up a recurring job. For recurring tasks, you can define start and end dates, number and frequency of runs. You can also use cron syntax to define repetition. For more information about cron, see the Automating System Tasks section of the Red Hat Enterprise Linux 7 System Administrator’s Guide.
Click Submit. This displays the Job Overview page, and when the job completes, also displays the status of the job.

Example 4.2. Executing a restorecon Template on Multiple Hosts

This example shows how to run a job based on the template created in Example 4.1, “Creating a restorecon Template” on multiple hosts. The job will restore the SELinux context in all files under the /home/ directory.

Navigate to Hosts > All hosts and select target hosts. Select Schedule Remote Job from the Select Action drop-down list.
In the Job invocation page, select the Commands job category and the Run Command - restorecon job template.
Type /home in the directory field.
Set Schedule to Execute now.
Click Submit. You are taken to the Job invocation page where you can monitor the status of job execution.

4.4.3. Monitoring Jobs

You can monitor the progress of the job while it is running. This can help in any troubleshooting that may be required.

To Monitor a Job:

Navigate to the Job page. This page is automatically displayed if you triggered the job with the Execute now setting. To monitor scheduled jobs, navigate to Monitor > Jobs and select the job run you wish to inspect.
On the Job page, click the Hosts tab. This displays the list of hosts on which the job is running.
In the Host column, click the name of the host that you want to inspect. This displays the Detail of Commands page where you can monitor the job execution in real time.
Click Back to Job at any time to return to the Job Details page.

4.4.4. Creating Advanced Templates

When creating a job template, you can include an existing template in the template editor field. This way you can combine templates, or create more specific templates from the general ones.

The following template combines default templates to install and start the httpd service on Red Hat Enterprise Linux systems:

<%= render_template 'Package Action - SSH Default', :action => 'install', :package => 'httpd' %>
<%= render_template 'Service Action - SSH Default', :action => 'start', :service_name => 'httpd' %>

The above template specifies parameter values for the rendered template directly. It is also possible to use the input() method to allow users to define input for the rendered template on job execution. For example, you can use the following syntax:

<%= render_template 'Package Action - SSH Default', :action => 'install', :package => input("package") %>

With the above template, you have to import the parameter definition from the rendered template. To do so, navigate to the Jobs tab, click Add Foreign Input Set, and select the rendered template from the Target template drop-down list. You can import all parameters or specify a comma separated list.

Example 4.3. Rendering a restorecon Template

This example shows how to create a template derived from the Run command - restorecon template created in Example 4.1, “Creating a restorecon Template”. This template does not require user input on job execution, it will restore the SELinux context in all files under the /home/ directory on target hosts.

Create a new template as described in Section 4.4.1, “Setting up Job Templates”, and specify the following string in the template editor:

<%= render_template("Run Command - restorecon", :directory => "/home") %>

Example 4.4. Including Power Actions in Templates

This example shows how to set up a job template for performing power actions, such as reboot. This procedure prevents Satellite from interpreting the disconnect exception upon reboot as an error, and consequently, remote execution of the job works correctly.

Create a new template as described in Section 4.4.1, “Setting up Job Templates”, and specify the following string in the template editor:

<%= render_template("Power Action - SSH Default", :action => "restart") %>

4.5. Configuring Global Settings

The Satellite remote execution feature provides numerous global settings that you can use to configure its behavior. These are listed in Table 4.2, “Global Settings for Remote Execution”. To review and update these settings, navigate to Administer > Settings and click the Remote Execution tab.

Table 4.2. Global Settings for Remote Execution

Parameter Name	Description
Default SSH key passphrase	Defines the default key passphrase to use for SSH. You can override this for each host by setting the `remote_execution_ssh_key_passphrase` parameter.
Enable Global Capsule	When enabled, searches the host for any Capsule with remote execution configured. This is useful when the host has no subnet configured or if the subnet does not have a Capsule with remote execution enabled.
Fallback Without Capsule	When enabled, the remote execution will try to run the commands directly, when no Capsule with remote execution feature is configured for the host.
Fallback to Any Capsule	When enabled, searches for a remote execution Capsule outside of the Capsules assigned to the host. If the location or organization is configured, the search will be limited to the host’s organization or location.
Effective User Method	Defines which method to use to set the effective user on the target host. One of `sudo`, `dzdo`, `su`.
Effective User	Defines the default effective user for any job. When the job is executed, the effective user of the process is changed accordingly. You can override this for each job template and job invocation.
Connect by IP	When enabled, the IP addresses on host interfaces is preferred over the FQDN. It is useful when DNS is not resolving the FQDNs properly. You can override this for each host by setting the `remote_execution_connect_by_ip` parameter.
SSH User	Defines the default user to use while the Capsule connects to the target using SSH. You can override this for each host by setting the `remote_execution_ssh_user` parameter. You can set this by host, host group, operating system, domain, location, or organization. This can also be a different user from the effective user.
Sudo password	Defines the `sudo` password.
Default SSH password	Defines the default password to use for SSH. You can override this for each host by setting the `remote_execution_ssh_password` parameter.
SSH Port	Defines the port to use for SSH communication. The default port is 22. You can override this for each host by setting the `remote_execution_ssh_port` parameter.
Sync Job Templates	When enabled, job templates are synchronized from disk when seeding a database.
Cleanup working directories	When enabled, working directories will be removed after task completion. You can override this for each host by setting a `remote_execution_cleanup_working_dirs` parameter.
Workers pool size	Defines the number of workers in the pool to handle the execution of the remote execution jobs. Restart of the `dynflowd/foreman-tasks` service is required.

Important

Modify these parameters in the web UI, because any manual changes that you make in the /etc/foreman/settings.yaml file are overwritten the next time you run satellite-installer. Alternatively, use the foreman-rake config command from a console.

4.6. Remote Execution and Capsules

By default, Capsules have the remote execution provider feature enabled. You can use any Capsule that you add to the host’s organization and location to perform remote execution.

In more complex environments, where not all Capsules can be used because of possible network isolation, you can set the remote_execution_global_proxy variable to false to disable remote execution on Capsules. In this configuration, you can assign a pool of Capsules to each subnet, and jobs are load balanced across them. To use remote execution for a host, any Capsule Server that you want to use for remote execution must reside within the host’s subnet. Ensure that the host’s interface for that subnet is enabled for remote execution.

Alternatively, you can set the remote_execution_fallback_proxy variable to true to enable fallback mode. In this configuration, remote execution will use any Capsule associated with the host, such as its Puppet Master, provided that Capsule also has remote execution configured.

4.7. Delegating Permissions for Remote Execution

You can control which users can run which jobs within your infrastructure, including which hosts they can target. The remote execution feature provides two built-in roles:

Remote Execution Manager: This role allows access to all remote execution features and functionality.
Remote Execution User: This role only allows running jobs; it does not provide permission to modify job templates.

You can clone the Remote Execution User role and customize its filter for increased granularity. If you adjust the filter with the view_job_templates permission, the user can only see and trigger jobs based on matching job templates. You can use the view_hosts and view_smart_proxies permissions to limit which hosts or Capsules are visible to the role.

The execute_template_invocation permission is a special permission that is checked immediately before execution of a job begins. This permission defines which job template you can run on a particular host. This allows for even more granularity when specifying permissions. For more information on working with roles and permissions see Creating and Managing Roles in the Administering Red Hat Satellite.

The following example shows filters for the execute_template_invocation permission:

name = Reboot and host.name = staging.example.com
name = Reboot and host.name ~ *.staging.example.com
name = "Restart service" and host_group.name = webservers

The first line in the above example permits the user to apply the Reboot template to one selected host. The second line defines a pool of hosts with names ending with .staging.example.com. The third line binds the template with a host group.

Note

Permissions assigned to users can change over time. If a user has already scheduled some jobs to run in the future, and the permissions have changed, this can result in execution failure because the permissions are checked immediately before job execution.

Chapter 5. Discovering Bare-metal Hosts on Satellite

Red Hat Satellite 6.4 includes the Discovery plug-in. The Discovery plug-in enables automatic bare-metal discovery of unknown hosts on the provisioning network. These new hosts are registered to the Satellite Server and the Puppet agent on the client uploads system facts collected by Facter, such as serial ID, network interface, memory, and disk information. After registration, the hosts are displayed on the Discovered Hosts page in the Satellite web UI. You can then initiate provisioning either manually (using the web UI, CLI, or API) or automatically, using predefined discovery rules.

The Discovery plug-in communicates through the Satellite Capsule Server, which has direct access both to the provisioning network and the Satellite Server instance. It is possible to discover hosts directly from the Satellite Server, but Red Hat recommends the following scheme be used:

Satellite Server (Satellite Server Discovery plug-in) <--> Satellite Capsule (Satellite Capsule Discovery plug-in) <--> Discovered Host (Satellite Discovery image)

The Satellite Discovery plug-in consists of three different components:

The Satellite Server Discovery plug-in: This runs on the Satellite Server and provides API and UI functionality for working with discovered hosts. The tfm-rubygem-foreman_discovery package contains this plug-in.

The Satellite Capsule Server Discovery plug-in: This is a communication proxy between discovered hosts on a provisioning network and the Satellite Server. The rubygem-smart_proxy_discovery package contains this plug-in.

The Satellite Discovery image: This is the minimal operating system based on Red Hat Enterprise Linux that is PXE-booted on hosts to acquire initial hardware information and to check in to the Satellite Server. Discovered hosts keep running the Satellite Discovery image until they are rebooted into Anaconda, which then initiates the provisioning process. The foreman-discovery-image package contains this image. It must be installed on the Satellite Capsule Server that provides TFTP services.

5.1. Network Configuration for PXE-based Discovery

The discovery process is based on PXE: Systems must boot from the network using a single Ethernet connection to the LAN or VLAN. All other network interface configurations are not supported (bonding, teaming, bridging, DSL, Wi-Fi and others).

You must have a separate LAN or VLAN for discovery and PXE provisioning. You can configure systems to use VLAN trunks, but you must also configure the provisioning interface with the correct VLAN tag for the provisioning VLAN, and then change the tag to the production VLAN using a post-installation script.

Although using special network configurations is technically possible in PXE-less mode, where discovered systems use kexec to load a new kernel with Anaconda which avoids PXE booting completely, the discovery image currently does not allow such a configuration. While it is possible to use discovery extensions or a script to re-configure the network, Satellite 6 discovery plug-in cannot work with such a configuration.

Because the discovery process currently has limited possibilities for configuring network interfaces, and because the provisioning interface is also the primary interface, to simplify the configuration, have a separate primary interface from the interface used in production. Satellite 6 template features can be used to deploy post-installation scripts to configure interfaces if required.

5.2. Configuring the Satellite Discovery Plug-in

The following sections describe how to configure the Satellite Discovery plug-in and how to prepare the PXE-boot template on the Satellite Server.

5.2.1. Deploying the Satellite Discovery Image

Install the package containing the Satellite Discovery image on the Satellite Capsule Server that provides TFTP services (not on the Satellite Server itself):

# yum install foreman-discovery-image

This package contains the Linux kernel and initial RAM disk image as a bootable ISO file which is used for PXE-booting discovered hosts. You can run the following command to investigate the contents of the package. This produces output similar to the following:

$ rpm -ql foreman-discovery-image
/usr/share/foreman-discovery-image
/usr/share/foreman-discovery-image/fdi-image-rhel_7-2.1.0-20150212.1.iso

When you install this package, it extracts the kernel and image from the ISO file into the TFTP directory and creates symbolic links to the latest versions of the image and kernel. Use the symbolic links in the PXE-boot provisioning template to make sure that you do not need to change the version in the template every time the foreman-discovery-image package is upgraded. For example:

$ find /var/lib/tftpboot/boot
/var/lib/tftpboot/boot
/var/lib/tftpboot/boot/fdi-image-rhel_7-2.1.0-20150212.1-img
/var/lib/tftpboot/boot/fdi-image-rhel_7-2.1.0-20150212.1-vmlinuz
/var/lib/tftpboot/boot/fdi-image-rhel_7-img
/var/lib/tftpboot/boot/fdi-image-rhel_7-vmlinuz

Note

Currently, only Red Hat Enterprise Linux 7 Discovery images are provided, even for Satellite 6 installations on Red Hat Enterprise Linux 6. If there are discovered hosts running during the upgrade of the foreman-discovery-image package, reboot them all to load the updated version of the image as soon as possible. This can be done using the Satellite 6 web UI, CLI, or API.

5.2.2. Configuring PXE-booting

When an unknown host is booted on the provisioning network, Satellite Server provides a PXELinux boot menu with a single option: to boot from the local hard drive. You can use following procedure to build a default PXE template in Satellite to enable hardware discovery.

To Configure PXE-booting for host discovery:

In the Satellite web UI, navigate to Hosts > Provisioning Templates.
In the upper-right of the Provisioning Templates page, click Build PXE Default, and click OK.

The template becomes the default template on all TFTP servers. Every new unknown host that is in the provisioning subnet uses this configuration and uses the Foreman Discovery Image as the default.

5.2.3. Reviewing Global Discovery Settings

You can review global settings related to the Discovery plug-in in the Satellite web UI. Navigate to Administer > Settings and open the Discovered tab. Notable settings are:

Discovery organization, Discovery location: These variables specify where to place the discovered hosts. By default, the discovered hosts are automatically placed under the first organization and location created.

Interface fact: This variable specifies which incoming fact to use to determine the MAC address of the discovered host. By default, the PXELinux BOOTIF kernel command line option is used.

Hostname facts: This variable allows you to list facts to use for the host name. These are separated by commas, and the first fact in the list takes precedence.

Auto provisioning: This variable enables automatic provisioning according to specified rules. Set to false by default. Red Hat recommends that you test the configuration with manual provisioning before enabling Auto provisioning. See Section 5.4, “Provisioning Discovered Hosts” for more information.

Reboot: This variable enables automatic reboot of a host discovered by PXE, or the use of kexec for a host booted from local media, during provisioning. This is set to true by default.

Hostname prefix: This variable specifies the default prefix to use for the host name. Set to "mac" by default. The variable must start with a letter.

Fact columns: This variable allows you to add any fact reported by Facter as an additional column in discovered host lists.

Highlighted facts: This variable uses regular expressions to organize facts for the highlights section.

Storage facts: This variable uses regular expressions to organize facts for the storage section.

Hardware facts: This variable uses regular expressions to organize facts for the hardware section.

Network facts: This variable uses regular expressions to organize facts for the network section.

IPMI facts: This variable uses regular expressions to organize facts for the IPMI section.

5.3. Configuring the Satellite Capsule Server Discovery Plug-in

Ensure the foreman_url setting exists in the Satellite Capsule Server configuration file. The setting can appear as follows:

# grep foreman_url /etc/foreman-proxy/settings.yml
:foreman_url: https://satellite.example.com

The satellite-installer command configures this variable automatically, but Red Hat recommends that you check that the host responds correctly and there are no firewall rules blocking communication.

5.3.1. Configuring Discovery Subnets

You need to configure all subnets with discovered hosts to communicate to the Satellite Server or a Capsule Server for host discovery and provisioning. You must first enable a Capsule to provide a proxy service for provisioning templates for the subnet. The template Capsule for a subnet does not have to be the same Capsule that is set as the TFTP Capsule.

If you want to configure a new subnet, see Adding a Subnet to the Satellite Server in the Provisioning Guide.

To enable a Template Capsule:

You can enable the Satellite’s integrated Capsule and any external Capsule Servers to provide a proxy service for provisioning templates with the following command:

# satellite-installer --foreman-proxy-templates=1

To verify that a Capsule Server provides a template proxy service:

Navigate to Infrastructure > Capsules.
From the Actions menu, select Refresh to ensure that the list is up-to-date.
In the Features column, search for the word "Templates".

To Configure a Subnet with a TFTP Capsule, Template Capsule, and Discovery Capsule:

In the Satellite web UI, navigate to Infrastructure > Subnets.
Select the subnet you want to configure.
On the Capsules tab, select the TFTP Capsule, Template Capsule, and Discovery Capsule for this subnet.

5.3.2. Using Hammer with the Discovery Plug-in

To use the hammer command with the Discovery plug-in, you need to enable the Discovery plug-in in /etc/hammer/cli.modules.d/foreman_discovery.yml as follows:

:foreman_discovery:
  :enable_module: true

See hammer configuration directories for more information about the files and directories that hammer uses.

5.3.3. Reviewing User Permissions

When it first starts, the Satellite Capsule Server Discovery plug-in creates a role called Discovery. You can assign this role to non-administrative users to allow them to use the Discovery plug-in. Alternatively, assign the perform_discovery permission to an existing role. For more information on roles and permissions, see Creating and Managing Users in Administering Red Hat Satellite.

5.4. Provisioning Discovered Hosts

After you have correctly configured Discovery plug-ins on both Satellite Server and Capsule Server, you can automatically detect bare-metal hosts. To do so, boot a machine in any provisioning network that was configured with the PXE configuration template described in Section 5.2.2, “Configuring PXE-booting”. The machine is automatically registered with the Satellite Server and appears in the Hosts > Discovered Hosts list in the Satellite web UI.

You can either provision the discovered host manually, or you can configure automatic provisioning.

5.4.1. Manually Provisioning Hosts

The following procedure describes how to manually provision discovered hosts from the Satellite web UI.

To Manually Provision a Discovered Host:

Navigate to Hosts > Discovered Hosts.
Select the host you want to provision and click Provision.
On the host’s Edit page, complete the necessary details, and then click Save.

When the host configuration is saved, Satellite modifies the host’s PXELinux file on the TFTP server and reboots the discovered host. It then boots into an installer for the chosen operating system, and finally into the installed operating system.

If you decide to re-provision an existing discovered host, delete the operating system from the machine and reboot it. The host then reappears on the Discovered Hosts page.

5.4.2. Decommissioning Discovered Hosts

If you no longer require Red Hat Satellite to manage a specific host, you need to decommission that host to prevent it from being discovered.

To Decommission a Discovered Host:

Shut down the host.
Navigate to Hosts > Discovered Hosts.
In the Name column find the host you want to decommission and then select Delete from the corresponding Edit drop-down menu.

5.4.3. Automatically Provisioning Hosts

With Satellite 6.4, it is possible to define provisioning rules that will assign a host group to provisioned hosts and trigger provisioning automatically.

To Create a Provisioning Rule:

Navigate to Configure > Discovery rules.
Click New Rule. Specify the following parameters of the provisioning rule:
- Name is the name of the rule displayed in the list of rules. This name must not contain spaces or non-alphanumeric characters.
- Search is the search statement used to match discovered hosts for the particular rule. You can use scoped search syntax to define it. See Section 5.4.4, “Scoped Search Syntax” for examples of using scoped search.
- Host Group is the host group to be assigned to a matching host before starting the provisioning process. Make sure that the selected host group has all the required parameters set; required parameters are marked with an asterisk (*).
- Hostname defines a pattern for assigning human-readable host names to the matching hosts. When left blank, the host name is assigned in the format "macMACADDRESS" by default. The same syntax used for provisioning templates is used in this instance. See Section 5.4.5, “Host Name Patterns” for more information and examples.
- Hosts limit is the maximum number of provisioned hosts per rule. If the limit is reached, the rule will not take effect until one or more hosts are deleted. Typical use cases are rules per server rack or row when it is necessary to change provisioning parameters such as host name or host group per entry. You can set this value to zero (0) to specify no limit.
- Priority specifies the order of execution of rules. The value must be greater than or equal to zero. A lower value indicates a higher priority. If two rules have the same priority, the first rule encountered is applied.
- Enabled provides the option to temporarily enable or disable rules.
Click Submit to save the rule.

By default, Satellite does not enable automatic discovery of hosts. The following procedure describes how to enable the Auto provisioning variable to provide automatic provisioning according to specified rules.

To Enable Automatic Provisioning:

Navigate to Administer > Settings > Discovered in the Satellite web UI.
Locate Auto provisioning in the Name column, and set its value to true.
Click Save.

After you have defined some rules, Red Hat recommends that you discover a host and apply the rules using the Auto discover button on the host. This triggers auto-provisioning without the need to enable the global option.

5.4.4. Scoped Search Syntax

This section shows how to use scoped search syntax to filter the discovered hosts according to selected parameters. This is useful when creating a rule for automatic provisioning (see Section 5.4.3, “Automatically Provisioning Hosts”).

The search fields in the Satellite web UI support automatic completion to make building search strings easier. For example, you can test search patterns on the Hosts > Discovered Hosts page. The following are examples of typical search queries:

facts.architecture = x86_64
facts.bios_vendor ~ 'Dell*'
facts.macaddress = "aa:bb:cc:dd:ee:ff"
facts.macaddress_eth0 = "aa:bb:cc:dd:ee:ff"
facts.ipaddress_eth1 ~ "192.168.*"
facts.architecture ^ (x86_64,i386)

Note

The caret symbol (^) in scoped searches means "in" (the same usage as in SQL) and not "starts with" as it is used in regular expressions. You can review the full list of scoped search operators at https://github.com/wvanbergen/scoped_search/blob/master/lib/scoped_search/query_language/tokenizer.rb

In Satellite 6.4, all facts are strings, so it is not possible to do numeric comparisons. However, three important facts are extracted and converted to numbers. These are described in Table 5.1, “Facts that Allow Numerical Comparison”.

Table 5.1. Facts that Allow Numerical Comparison

Search Parameter	Description	Example Usage
cpu_count	The number of CPUs	cpu_count >= 8
disk_count	The number of disks attached	disk_count < 10
disks_size	The total amount of disk space (in MiB)	disks_size > 1000000

5.4.5. Host Name Patterns

This section lists the host name patterns that you can use when creating a rule for automatic provisioning (see Section 5.4.3, “Automatically Provisioning Hosts”).

The target host name template pattern has the same syntax as the provisioning templates (ERB). The domain is appended automatically. In addition to the @host attribute, the rand() function for random integers is available. For example:

application-server-<%= rand(99999) %>
load-balancer-<%= @host.facts['bios_vendor'] + '-' + rand(99999) %>
wwwsrv-<%= @host.hostgroup.name %>
minion-<%= @host.discovery_rule.name %>
db-server-<%= @host.ip.gsub('.','-') + '-' + @host.hostgroup.subnet.name %>

Important

When creating host name patterns, ensure the resulting host names are unique. Host names must not start with numbers. A good approach is to use unique information provided by Facter (for example, the MAC address, BIOS or serial ID) or to otherwise randomize the host name.

5.4.6. Using the Discovery Plug-in on the Command Line

You can use the hammer command to perform certain tasks related to discovery. Run the hammer -h command to verify your configuration:

$ hammer -h | grep discovery
discovery                     Manipulate discovered hosts.
discovery_rule                Manipulate discovered rules.

Use the hammer discovery -h command to view the available options. For example, you can use the following command to reboot a discovered host (assuming its ID is 130):

$ hammer discovery reboot -id 130
Host reboot started

5.5. Extending the Discovery Image

It is possible to extend the Satellite Discovery image with custom facts, software, or device drivers. You can also provide a compressed archive file containing extra code for the image to use.

First, create the following directory structure:

.
├── autostart.d
│   └── 01_zip.sh
├── bin
│   └── ntpdate
├── facts
│   └── test.rb
└── lib
    ├── libcrypto.so.1.0.0
    └── ruby
        └── test.rb

Where:

The autostart.d directory contains scripts that are executed in POSIX order by the image when it starts, but before the host is registered to Satellite.
The bin directory is added to the $PATH variable; you can place binary files here and use them in the autostart scripts.
The facts directory is added to the FACTERLIB variable so that custom facts can be configured and sent to Satellite.
The lib directory is added to the LD_LIBRARY_PATH variable and lib/ruby is added to the RUBYLIB variable, so that binary files in /bin can be executed correctly.

New directives and options are appended to the existing environment variables (PATH, LD_LIBRARY_PATH, RUBYLIB and FACTERLIB). If you need to specify the path to something explicitly in your scripts, the zip contents are extracted to the /opt/extension directory on the image.

After creating the above directory structure, package it into a zip archive with the following command:

zip -r my_extension.zip .

You can create multiple zip files but be aware they will be extracted to the same place on the Discovery image, so files in later zips will overwrite earlier ones if they have the same file name.

To inform the Discovery image of the extensions it should use, place your zip files on your TFTP server with the Discovery image, and then update the APPEND line of the PXELinux template with the fdi.zips option where the paths are relative to the TFTP root. For example, if you have two archives at $TFTP/zip1.zip and $TFTP/boot/zip2.zip, use the following syntax:

fdi.zips=zip1.zip,boot/zip2.zip

See Section 5.2.2, “Configuring PXE-booting” for more information on updating the PXE template.

5.6. Troubleshooting Satellite Discovery

If a machine is not listed in the Satellite web UI under Hosts > Discovered Hosts, inspect the following configuration areas to help isolate the error:

Navigate to Hosts > Provisioning Templates and redeploy the default PXELinux template using the Build PXE Default button.
Verify the pxelinux.cfg/default configuration file on the TFTP Capsule Server.
Ensure adequate network connectivity between hosts, Capsule Server, and Satellite Server.
Check the PXELinux template in use and determine the PXE discovery snippet it includes. Snippets are named as follows: pxelinux_discovery, pxegrub_discovery, or pxegrub2_discovery. Verify the proxy.url and proxy.type options in the PXE discovery snippet.
Ensure that DNS is working correctly for the discovered nodes, or use an IP address in the proxy.url option in the PXE discovery snippet included in the PXELinux template you are using.
Ensure that the DHCP server is delivering IP addresses to the booted image correctly.
Ensure the discovered host or virtual machine has at least 1200 MB of memory. Less memory can lead to various random kernel panic errors as the image needs to be extracted in-memory.

For gathering important system facts, use the discovery-debug command. It prints out system logs, network configuration, list of facts, and other information on the standard output. The typical use case is to redirect this output and copy it with the scp command for further investigation.

The first virtual console on the discovered host is reserved for systemd logs. Particularly useful system logs are tagged as follows:

discover-host — initial facts upload
foreman-discovery — facts refresh, reboot remote commands
nm-prepare — boot script which pre-configures NetworkManager
NetworkManager — networking information

Use TTY2 or higher to log in to a discovered host. The root account and SSH access are disabled by default, but you can enable SSH and set the root password using the following kernel command-line options in the Default PXELinux template on the APPEND line:

fdi.ssh=1 fdi.rootpw=redhat

Chapter 6. Integrating Red Hat Satellite and Ansible Tower

You can integrate Red Hat Satellite 6.4 and Ansible Tower to use Satellite Server as a dynamic inventory source for Ansible Tower.

You can also use the provisioning callback function to run playbooks on hosts managed by Satellite, from either the host or Ansible Tower. When provisioning new hosts from Satellite Server, you can use the provisioning callback function to trigger playbook runs from Ansible Tower. The playbook configures the host following Kickstart deployment.

6.1. Adding Satellite Server to Ansible Tower as a Dynamic Inventory Item

To add Satellite Server to Ansible Tower as a dynamic inventory item, you must create a credential for a Satellite Server user on Ansible Tower, add an Ansible Tower user to the credential, and then configure an inventory source.

Prerequisites

You must have a Satellite Server user with an integration role that includes the necessary permission filters. For more information about managing users, roles, and permission filters, see Managing Users and Roles and Creating and Managing Roles in Administering Red Hat Satellite.

You must specify the following permission filters and assign the role to the user.

Table 6.1. Permission Filters

Resource	Permissions	Access Description
Host	`view_hosts`	To view Satellite Server hosts.
Host Group	`view_hostgroups`	To view Satellite Server host groups.
Fact value	`view_facts`	To view Satellite Server Facts.

You must host your Satellite Server and Ansible Tower on the same network or subnet.

Procedure

To add Satellite Server to Ansible Tower as a Dynamic Inventory Item, complete the following procedure:

In the Ansible Tower web UI, create a credential for your Satellite. For more information about creating credentials, see Add a New Credential and Red Hat Satellite 6 Credentials in the Ansible Tower User Guide.

Table 6.2. Satellite Credentials

Credential Type:	Red Hat Satellite 6
Satellite 6 URL:	https://satellite.example.com
Username:	The username of the Satellite user with the integration role.
Password:	The password of the Satellite user.

Add an Ansible Tower user to the new credential. For more information about adding a user to a credential, see Getting Started with Credentials in the Ansible Tower User Guide.
Add a new inventory. For more information, see Add a new inventory in the Ansible Tower User Guide.

In the new inventory, add Satellite Server as the inventory source, specifying the following inventory source options. For more information, see Add Source in the Ansible Tower User Guide.

Table 6.3. Inventory Source Options

Source	Red Hat Satellite 6
Credential	The credential you create for Satellite Server.
Overwrite	Select
Overwrite Variables	Select
Update on Launch	Select
Cache Timeout	90

Ensure that you synchronize the source that you add.

6.2. Configuring Provisioning Callback for a Host

When you create hosts in Satellite, you can use Ansible Tower to run playbooks to configure your newly created hosts. This is called provisioning callback in Ansible Tower.

The provisioning callback function triggers a playbook run from Ansible Tower as part of the provisioning process. The playbook configures the host after Kickstart deployment.

For more information about provisioning callbacks, see Provisioning Callbacks in the Ansible Tower User Guide.

In Satellite Server, the Kickstart Default and Kickstart Default Finish templates include three snippets:

ansible_provisioning_callback
ansible_tower_callback_script
ansible_tower_callback_service

You can add parameters to hosts or host groups to provide the credentials that these snippets can use to run Ansible playbooks on your newly created hosts.

Prerequisites

Before you can configure provisioning callbacks, you must add Satellite as a dynamic inventory in Ansible Tower. For more information, see Integrating Satellite and Ansible Tower.

In the Ansible Tower web UI, you must complete the following tasks:

Create a machine credential for your new host. Ensure that you enter the same password in the credential that you plan to assign to the host that you create in Satellite. For more information, see Add a New Credential in the Ansible Tower User Guide.
Create a project. For more information, see Projects in the Ansible Tower User Guide.
Add a job template to your project. For more information, see Job Templates in the Ansible Tower User Guide.
In your job template, you must enable provisioning callbacks, generate the host configuration key, and note the template_ID of your job template. For more information about job templates, see Job Templates in the Ansible Tower User Guide.

Procedure

To configure provisioning callback for a new host in Satellite, complete the following steps:

In the Red Hat Satellite web UI, navigate to Configure > Host Group.
Create a host group or edit an existing host group.
In the Host Group window, click the Parameters tab.
Click Add Parameter.

Enter the following information for each new parameter:

Table 6.4. Host Parameters

Name	Value	Description
`ansible_tower_provisioning`	true	Enables Provisioning Callback.
`ansible_tower_fqdn`	tower.example.com	The fully qualified domain name (FQDN) of your Ansible Tower. Do not add `https` because this is appended by Ansible Tower.
`ansible_job_template_id`	template_ID	The ID of your provisioning template that you can find in the URL of the template: `/templates/job_template/5`.
`ansible_host_config_key`	config_KEY	The host configuration key that your job template generates in Ansible Tower.

Click Submit.
Create a host using the host group.
On the new host, enter the following command to start the ansible-callback service:
```
# systemctl start ansible-callback
```
On the new host, enter the following command to output the status of the ansible-callback service:
```
# systemctl status ansible-callback
```
Provisioning callback is configured correctly if the command returns the following output:
```
SAT_host systemd[1]: Started Provisioning callback to Ansible Tower...
```

Manual Provisioning Callback

You can use the provisioning callback URL and the host configuration key from a host to call Ansible Tower. For example:

# curl -k -s --data curl --insecure --data host_config_key=my_config_key \
 https://tower.example.com/api/v2/job_templates/8/callback/

Ensure that you use https when you enter the provisioning callback URL.

This triggers the playbook run specified in the template against the host.

Chapter 7. Sample Scenarios

7.1. Simple Scenario

The simple scenario shows how to add a single host, register it, set up, and run a job on it.

7.1.1. Creating the Host

The following procedure provides an example on how to create a host in Red Hat Satellite.

To Create a Host:

Click Hosts > Create Host.
On the Host tab, enter the required details:
1. In the Name field, enter the host name, for example host1.example.com.
2. In the Organization field, enter the organization name, for example MyOrg.
3. In the Location field, enter the location name, for example MyLoc.
Optionally, on the Puppet Classes tab, select the Puppet classes you want to include.
On the Interfaces tab, edit the primary interface:
1. Click the Edit button in the Actions column.
2. Select a type from the Type drop-down menu, for example Interface.
3. In the MAC address field, enter the MAC address of your host.
4. In the Device Identifier field, specify the device identifier for this interface, for example eth0.
5. In the DNS name field, specify the DNS name of your host. For the primary interface, this host name is used with the domain name to form the FQDN.
6. Select a domain from the Domain drop-down menu, for example satellite.example.com. This automatically updates the IPv4 Subnet and IPv6 Subnet lists with a selection of available subnets. Optionally, select the subnets.
7. In the IPv4 address field, specify the IPv4 address of your host.
8. Click Ok.
On the Operating System tab, enter the required details:
1. Select an architecture from the Architecture drop-down menu, for example x86_64.
2. Select an operating system from the Operating system drop-down menu, for example RHEL Server 7.4.
3. Select a partition table from the Partition table drop-down menu, for example Kickstart default.
4. In the Root password field, enter the root password for your host.
Optionally, on the Parameters tab, select the parameters you want to supply to the Puppet master to override the default values.
Optionally, on the Additional Information tab, enter additional information about the host.
Click Submit.

7.1.2. Registering the Host

After you have created host1.example.com, you must register it so that it can receive updates. The following procedure assumes the host is running Red Hat Enterprise Linux 7.

To Register the Host:

In a terminal, connect to the host as the root user.
Ensure that a time synchronization tool is enabled and running on the host:
```
# systemctl start chronyd; systemctl enable chronyd
```
Install the consumer RPM from the Satellite Server or Capsule Server to which the host is to be registered. The consumer RPM updates the content source location of the host and allows the host to download content from the content source specified in Red Hat Satellite.
```
# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
```
Ensure that an activation key associated with the appropriate Content View and environment exists for the host. If not, see Managing Activation Keys in the Content Management Guide for more information.
Clear any old host data related to Red Hat Subscription Manager (RHSM):
```
# subscription-manager clean
```

# subscription-manager register --org=MyOrg \
--activationkey=my_activation_key

Command output after registration:

# subscription-manager register --org=MyOrg --activationkey=my_activation_key
The system has been registered with id: 62edc0f8-855b-4184-b1b8-72a9dc793b96

Enable the Red Hat Satellite Tools 6 repository:

# subscription-manager repos --enable=rhel-version-server-satellite-tools-6-rpms

Install the katello-agent:
```
# yum install katello-agent
```
Ensure the goferd service is running:
```
# systemctl start goferd
```
Install and configure the Puppet agent:
1. Install the Puppet agent:
```
# yum install puppet
```
2. Configure the Puppet agent to start at boot:
```
# systemctl enable puppet
```
Append the following server and environment settings to the /etc/puppetlabs/puppet/puppet.conf file. Set the environment parameter to the name of the Puppet environment to which the host belongs:
```
environment = My_Example_Org_Library
server = satellite.example.com
ca_server = satellite.example.com
```
Run the Puppet agent on the host:
```
# puppet agent -t
```
Sign the SSL certificate for the Puppet client in the Satellite Server web UI:
1. Log in to the Satellite Server web UI.
2. Select Infrastructure > Capsules.
3. Select Certificates from the drop-down menu to the right of the required Capsule.
4. Click Sign to the right of the required host.
5. Enter the puppet agent command again:
```
# puppet agent -t
```

7.1.3. Running a Job on the Host

The following procedure shows how to run a job template on the previously created and registered host host1.example.com.

To Execute a Remote Job:

Navigate to Hosts > All hosts and select the target host, in our example host1.example.com.
From the Select Action menu at the upper right of the screen select Schedule Remote Job.
On the Job invocation page, define the main job settings:
1. Select a job category from the Job category drop-down menu, for example Commands.
2. Select a job template from the Job template drop-down menu, for example Run Command - SSH Default.
3. In the command field, enter the command you want to run on the host. For example, timedatectl set-timezone Europe/Prague will set the time zone to Prague in Europe.
Click Submit.

Appendix A. Template Writing Reference

Embedded Ruby (ERB) is a tool for generating text files based on templates that combine plain text with Ruby code. Red Hat Satellite uses ERB syntax in provisioning templates (Creating Provisioning Templates in the Provisioning Guide), remote execution job templates (Chapter 4, Running Jobs on Hosts), templates for partition tables (Creating Partition Tables in the Provisioning Guide), Smart Variables (Configuring Smart Variables in the Puppet Guide), and Smart Class Parameters (Configuring Smart Class Parameters in the Puppet Guide). This section provides an overview of Satellite specific functions and variables that can be used in ERB templates along with some usage examples. Note that the default templates provided by Red Hat Satellite (Hosts > Provisioning templates, Hosts > Job templates) also provide a good source of ERB syntax examples.

When provisioning a host or running a remote job, the code in the ERB is executed and the variables are replaced with the host specific values. This process is referred to as rendering. The Satellite Server has the safemode rendering option enabled by default, which prevents any harmful code being executed from templates.

A.1. Writing ERB Templates

The following points summarize the ERB syntax:

<% %> – marks enclosing Ruby code within the ERB template. The code is executed when the template is rendered. It can contain Ruby control flow structures as well as Satellite specific functions and variables. For example:

<% if @host.operatingsystem.family == "Redhat" && @host.operatingsystem.major.to_i > 6 %>
systemctl <%= input("action") %> <%= input("service") %>
<% else %>
service <%= input("service") %> <%= input("action") %>
<% end -%>

<%= %> – the code output is inserted into the template. This is useful for variable substitution, for example:
```
echo <%= @host.name %>
```
<% -%>, <%= -%> – by default, a newline character is inserted after a Ruby block if it is closed at the end of a line. To suppress this behavior, modify the enclosing mark. For example, the following template:
```
curl <%= @host.ip -%>
/mydir
```
is rendered the same as:
```
curl <%= @host.ip %>/mydir
```
In practice, this is used to reduce the number of lines in rendered templates (where Ruby syntax permits).
<%# %> – marks enclosing a comment that will be ignored during template rendering:
```
<%# A comment %>
```

A.2. Troubleshooting ERB Templates

The Satellite web UI provides two ways to verify the template rendering for a specific host:

Directly in the template editor – when editing a template (under Hosts > Partition tables, Hosts > Provisioning templates, or Hosts > Job templates), on the Template tab click Preview and select a host from the drop-down menu. The template then renders in the text field using the selected host’s parameters. Preview failures can help to identify issues in your template.
At the host’s details page – select a host at Hosts > All hosts and click the Templates tab to list templates associated with the host. Select Review from the drop-down menu next to the selected template to view it’s rendered version.

A.3. Satellite Specific Functions and Variables

This section lists Satellite specific functions and variables for ERB templates. Note that some of them can be used in any kind of template, others are limited, for example job templates accept only @host variables and variables from Table A.4, “Kickstart Specific Variables” are only applicable in Kickstart templates.

You can use the functions listed in the following table across all kinds of templates.

Table A.1. Generic Functions

Name	Description
indent(n)	Indents the block of code by n spaces, useful when using a snippet template that is not indented.
foreman_url(kind)	Returns the full URL to host-rendered templates of the given kind. For example, templates of the "provision" type usually reside at http://HOST/unattended/provision.
snippet(name)	Renders the specified snippet template. Useful for nesting provisioning templates.
snippets(file)	Renders the specified snippet found in the Foreman database, attempts to load it from the unattended/snippets/ directory if it is not found in the database.
snippet_if_exists(name)	Renders the specified snippet, skips if no snippet with the specified name is found.

Example A.1. Using the snippet and indent Functions

The following syntax imports the subscription_manager_registration snippet to the template and indents it by four spaces:

<%= indent 4 do
snippet 'subscription_manager_registration'
end %>

The following functions can be used in job templates. See Section 4.4.4, “Creating Advanced Templates” for usage examples.

Table A.2. Functions Specific to Job Templates

Name	Description
input(input_name)	Returns the value of the specified input on the job execution.
render_template(name, parameters)	Renders the specified template, similar to the generic snippet() function but enables passing arguments to the template.

The following variables enable using host data within templates.

Table A.3. Host Specific Variables and Functions

Name	Description
@host.architecture	The architecture of the host.
@host.bond_interfaces	Returns an array of all bonded interfaces. See Note.
@host.capabilities	The method of system provisioning, can be either build (for example kickstart) or image.
@host.certname	The SSL certificate name of the host.
@host.diskLayout	The disk layout of the host. Can be inherited from the operating system.
@host.domain	The domain of the host.
@host.environment	The Puppet environment of the host.
@host.facts	Returns a Ruby hash of facts from Facter. For example to access the 'ipaddress' fact from the output, specify @host.facts['ipaddress'].
@host.grub_pass	Returns the host’s GRUB password.
@host.hostgroup	The host group of the host.
host_enc['parameters']	Returns a Ruby hash containing information on host parameters. For example, use host_enc['parameters']['lifecycle_environment'] to get the life cycle environment of a host.
@host.image_build?	Returns `true` if the host is provisioned using an image.
@host.interfaces	Contains an array of all available host interfaces including the primary interface. See Note.
@host.interfaces_with_identifier('IDs')	Returns array of interfaces with given identifier. You can pass an array of multiple identifiers as an input, for example @host.interfaces_with_identifier(['eth0', 'eth1']). See Note.
@host.ip	The IP address of the host.
@host.location	The location of the host.
@host.mac	The MAC address of the host.
@host.managed_interfaces	Returns an array of managed interfaces (excluding BMC and bonded interfaces). See Note.
@host.medium	The assigned operating system installation medium.
@host.name	The full name of the host.
@host.operatingsystem.family	The operating system family.
@host.operatingsystem.major	The major version number of the assigned operating system.
@host.operatingsystem.minor	The minor version number of the assigned operating system.
@host.operatingsystem.name	The assigned operating system name.
@host.operatingsystem.boot_files_uri(@host.medium,@host.architecture)	Full path to the kernel and initrd, returns an array.
@host.os.medium_uri(@host)	The URI used for provisioning (path configured in installation media).
host_param('parameter_name')	Returns the value of the specified host parameter.
host_param_false?('parameter_name')	Returns `false` if the specified host parameter evaluates to false.
host_param_true?('parameter_name')	Returns `true` if the specified host parameter evaluates to true.
@host.primary_interface	Returns the primary interface of the host.
@host.provider	The compute resource provider.
@host.provision_interface	Returns the provisioning interface of the host. Returns an interface object.
@host.ptable	The partition table name.
@host.puppetmaster	The Puppet master the host should use.
@host.pxe_build?	Returns `true` if the host is provisioned using the network or PXE.
@host.shortname	The short name of the host.
@host.sp_ip	The IP address of the BMC interface.
@host.sp_mac	The MAC address of the BMC interface.
@host.sp_name	The name of the BMC interface.
@host.sp_subnet	The subnet of the BMC network.
@host.subnet.dhcp	Returns `true` if a DHCP proxy is configured for this host.
@host.subnet.dns_primary	The primary DNS server of the host.
@host.subnet.dns_secondary	The secondary DNS server of the host.
@host.subnet.gateway	The gateway of the host.
@host.subnet.mask	The subnet mask of the host.
@host.url_for_boot(:initrd)	Full path to the initrd image associated with this host. Not recommended, as it does not interpolate variables.
@host.url_for_boot(:kernel)	Full path to the kernel associated with this host. Not recommended, as it does not interpolate variables, prefer boot_files_uri.
@provisioning_type	Equals to 'host' or 'hostgroup' depending on type of provisioning.
@static	Returns `true` if the network configuration is static.
@template_name	Name of the template being rendered.
grub_pass	Returns the GRUB password wrapped in md5pass argument, that is --md5pass=#{@host.grub_pass}.
ks_console	Returns a string assembled using the port and the baud rate of the host which can be added to a kernel line. For example console=ttyS1,9600.
root_pass	Returns the root password configured for the system.

Note

Host variables related to network interfaces, such as @host.interfaces or @host.bond_interfaces return interface data grouped in an array. To extract a parameter value of a specific interface, use Ruby methods to parse the array. For example, to get information about the first interface from an array and use it in a kickstart template:

<% myinterface = @host.interfaces.first %>
IPADDR="<%= myinterface.ip %>"
NETMASK="<%= myinterface.subnet.mask %>"
GATEWAY="<%= myinterface.subnet.gateway %>"

You can iterate over the interface array, for example to extract an array of interface names use:

<% ifnames = []
@host.interfaces.each do |i|
  ifnames.push(i.name)
end %>

Example A.2. Using Host Specific Variables

The following example checks if the host has Puppet and the Puppetlabs repository enabled:

<%
pm_set = @host.puppetmaster.empty? ? false : true
puppet_enabled = pm_set || host_param_true?('force-puppet')
puppetlabs_enabled = host_param_true?('enable-puppetlabs-repo')
%>

The following example shows how to capture the minor and major version of the host’s operating system, which can be used for package related decisions:

<%
os_major = @host.operatingsystem.major.to_i
os_minor = @host.operatingsystem.minor.to_i
%>

<% if ((os_minor < 2) && (os_major < 14)) -%>
...
<% end -%>

The following example imports the 'kickstart_networking_setup' snippet if the host’s subnet has the DHCP boot mode enabled:

<% subnet = @host.subnet %>
<% if subnet.respond_to?(:dhcp_boot_mode?) -%>
<%= snippet 'kickstart_networking_setup' %>
<% end -%>

The majority of common Ruby methods can be applied on host specific variables. For example, to extract the last segment of the host’s IP address, you can use:

<% @host.ip.split('.').last %>

The following variables are designed to be used within kickstart provisioning templates.

Table A.4. Kickstart Specific Variables

Name	Description
@arch	The host architecture name, same as @host.architecture.name.
@dynamic	Returns `true` if the partition table being used is a %pre script (has the #Dynamic option as the first line of the table).
@epel	A command which will automatically install the correct version of the epel-release rpm. Use in a %post script.
@mediapath	The full kickstart line to provide the URL command.
@osver	The operating system major version number, same as @host.operatingsystem.major.

Appendix B. Host Management Without Goferd

From Satellite 6.2.11 onward, errata and package management via remote execution is available using a yum plugin. This allows the goferd service daemon to be disabled, thereby reducing memory and CPU load on content hosts.

The yum plugin is included with the katello-host-tools. This shipped with the Satellite 6.2.11 client update.

B.1. Prerequisites

The following must be made on all content hosts to allow host management by remote execution.

Ensure katello-agent is installed on the content host by following Section 2.7.4, “Installing the Katello Agent”.
Stop the goferd service:
```
# systemctl stop goferd.service
```
Disable the goferd service:
```
# systemctl disable goferd.service
```
Distribute the SSH keys to the content hosts by following Section 4.1, “Establishing a Secure Connection for Remote Commands”.

B.2. Configuring Host Management Without Goferd as the System Default

These steps configure host management to use remote execution as the system default for future package deployments.

To Configure Host Management Without Goferd as the System Default:

Log in to the Satellite web UI.
Navigate to Administer > Settings.
Select the Content tab.
Set the Use remote execution by default parameter to Yes.

The Satellite server now uses host management by remote execution instead of goferd.

B.3. Limitations with Hammer

The following applies if you are using the hammer command to push errata. The hammer command is dependent on goferd to manage errata on content hosts. As a workaround, use Satellite’s remote execution feature to apply errata.

To Use Hammer Remote Execution Commands:

For example, perform a yum -y update on host123.example.org:

# hammer job-invocation create \
--job-template "Run Command - SSH Default" \
--inputs command="yum -y update" \
--search-query "name ~ host123"
Job invocation 24 created
[.........................................] [100%]
1 task(s), 1 success, 0 fail

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Language and Page Formatting Options

Red Hat Training

Managing Hosts

A guide to managing hosts in a Red Hat Satellite 6 environment.

Red Hat Satellite Documentation Team

Chapter 1. Introduction

1.1. Understanding Hosts

1.2. Understanding Host Management

Chapter 2. Managing Hosts

2.1. Browsing Hosts

2.2. Host Status Types

2.3. Host Overview

2.4. Creating a Host

2.5. Assigning Ansible Roles to Existing Hosts

2.6. Running Ansible Roles on a Host

2.7. Registration

2.7.1. Configuring a Host for Registration

2.7.2. Registering a Host

2.7.3. Registering an Atomic Host

2.7.4. Installing the Katello Agent

2.7.5. Installing Tracer

2.7.6. Installing and Configuring the Puppet Agent

2.7.7. Registering Hosts to Satellite 6 Using The Bootstrap Script

2.7.8. Advanced Bootstrap Script Configuration

2.8. Creating a Host Group

2.9. Changing the Group of a Host

2.10. Changing the Environment of a Host

2.11. Adding an Ansible Role to a Host Group

2.12. Running Ansible Roles on a Host Group

2.13. Managing Hosts

2.14. Assigning a Host to a Specific Organization

2.15. Assigning a Host to a Specific Location

2.16. Configuring an Additional Network Interface

2.16.1. Adding a Physical Interface

2.16.2. Adding a Virtual Interface

2.16.3. Adding a Bonded Interface

2.16.4. Adding a Baseboard Management Controller (BMC) Interface

2.17. Removing a Host

Chapter 3. Configuring Host Collections

3.1. Creating a Host Collection

3.2. Cloning a Host Collection

3.3. Removing a Host Collection

3.4. Adding a Host to a Host Collection

3.5. Removing a Host from a Host Collection

3.6. Adding Content to a Host Collection

3.6.1. Adding Packages to a Host Collection

3.6.2. Adding Errata to a Host Collection

3.7. Removing Content from a Host Collection

3.8. Changing the Life Cycle Environment or Content View of a Host Collection

Chapter 4. Running Jobs on Hosts

4.1. Establishing a Secure Connection for Remote Commands

4.2. Configuring a keytab for Kerberos Ticket Granting Tickets

4.3. Setting Up Kerberos Authentication for Remote Execution

4.4. Configuring and Running Remote Jobs

4.4.1. Setting up Job Templates

4.4.2. Executing Jobs

4.4.3. Monitoring Jobs

4.4.4. Creating Advanced Templates

4.5. Configuring Global Settings

4.6. Remote Execution and Capsules

4.7. Delegating Permissions for Remote Execution

Chapter 5. Discovering Bare-metal Hosts on Satellite

5.1. Network Configuration for PXE-based Discovery

5.2. Configuring the Satellite Discovery Plug-in

5.2.1. Deploying the Satellite Discovery Image

5.2.2. Configuring PXE-booting

5.2.3. Reviewing Global Discovery Settings

5.3. Configuring the Satellite Capsule Server Discovery Plug-in

5.3.1. Configuring Discovery Subnets

5.3.2. Using Hammer with the Discovery Plug-in

5.3.3. Reviewing User Permissions

5.4. Provisioning Discovered Hosts

5.4.1. Manually Provisioning Hosts

5.4.2. Decommissioning Discovered Hosts

5.4.3. Automatically Provisioning Hosts

5.4.4. Scoped Search Syntax

5.4.5. Host Name Patterns

5.4.6. Using the Discovery Plug-in on the Command Line

5.5. Extending the Discovery Image

5.6. Troubleshooting Satellite Discovery