Chapter 3. Performing Additional Configuration on Capsule Server

3.1. Installing the katello Agent

Installing the katello agent is recommended to allow remote updates of clients. The base system of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.

Before You Begin

  • You must have enabled the Satellite Tools repositories in Satellite Server.
  • You must have synchronized the Satellite Tools repositories in Satellite Server.

To Install katello-agent:

  1. Log into the system.

  2. Enable the Satellite tools repository for this version of Satellite. 

    # subscription-manager repos \
--enable=rhel-7-server-satellite-tools-6.4-rpms

  3. Install the package. 

    # yum install katello-agent

3.2. Enabling Remote Execution on Capsule Server

If you want to run commands on a Capsule Server’s hosts, ensure that you enable the remote execution.

Note

Remote execution on external Capsules is disabled by default. To use remote execution on a Capsule Server you need to enable it by running the following command: 

# satellite-installer --scenario capsule \
--enable-foreman-proxy-plugin-remote-execution-ssh

3.3. Adding Life Cycle Environments to Capsule Servers

If your Capsule Server has content functionality enabled, you must add one or more life cycle environments to it. Adding an environment enables Capsule Server to synchronize content from Satellite Server and provide content to host systems.

Red Hat recommends that you create one or multiple life cycle environments and assign them to your Capsule Server. This ensures that Capsule receives only the repositories contained in Content Views that are promoted to the respective life cycle environments, and results in optimizing the usage of system resources.

Note

Avoid assigning the Library Lifecycle Environment to your Capsule Server as it triggers an automated Capsule sync every time a repository is updated from the CDN. This may consume multiple system resources on Capsules, network bandwidth between Satellite and Capsules, and available disk space on Capsules.

Capsule Server is configurable using Hammer CLI on Satellite Server, or through the web UI.

To add Life Cycle Environments to Capsule Servers using Hammer CLI:

  1. Log in to the Satellite Server CLI as root.

  2. Display a list of all Capsule Servers and note the ID: 

    # hammer capsule list

  3. Using the ID, verify the details of your Capsule Server: 

    # hammer capsule info --id capsule_id_number

  4. Verify the life cycle environments available and note the environment ID: 

    # hammer capsule content available-lifecycle-environments \
--id capsule_id_number

    Available life cycle environments are available for Capsule Server, but not currently attached.

  5. Add the life cycle environment to your Capsule Server: 

    # hammer capsule content add-lifecycle-environment \
--id capsule_id_number --environment-id environment_id_number
  6. Repeat for each life cycle environment you want to add to Capsule Server.

  7. To synchronize all content from your Satellite Server environment to Capsule Server, enter the following command: 

    # hammer capsule content synchronize --id capsule_id_number

  8. To synchronize a specific life cycle environment from your Satellite Server to Capsule Server, enter the following command: 

    # hammer capsule content synchronize --id external_capsule_id_number \
--environment-id environment_id_number

For more information on working with Life Cycle Environments, see Creating an Application Life Cycle in the Red Hat Satellite Content Management Guide.

To Add Life Cycle Environments to Capsule Servers using Web UI:

  1. In the Satellite web UI, go to Infrastructure > Capsules, and select the Capsule.
  2. Click Edit.
  3. Select Env in the Life Cycle Environments tab.
  4. To synchronize capsule’s content, click the Synchronize button in the Overview tab.

  5. Select one of two options:

    • Optimized Sync
    • Complete Sync

3.4. Enabling Power Management on Managed Hosts

When you enable the baseboard management controller (BMC) module on the Capsule Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.

The BMC service on the satellite Capsule Server enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).

For more information on the BMC service, see Configuring an Additional Network Interface in Managing Hosts.

Before You Begin

  • All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.

Enable Power Management on Managed Hosts

  1. Run the installer with the options to enable BMC. 

    # satellite-installer --scenario capsule \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

3.5. Configuring DNS, DHCP, and TFTP on Capsule Server

You can configure DNS, DHCP, and TFTP on Capsule Server.

You can also configure Capsule Server to use external DNS and DHCP services. See Configuring External Services for more information.

To view a complete list of configurable options, enter the satellite-installer --scenario capsule --help command.

Before You Begin

  • You must have the correct network name (dns-interface) for the DNS server.
  • You must have the correct interface name (dhcp-interface) for the DHCP server.

Configure DNS, DHCP, and TFTP on Capsule Server

  1. Run capsule installer with the options applicable to your environment.

    The following example shows full provisioning services: 

    # satellite-installer --scenario capsule \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-forwarders 172.17.13.1 \
--foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
--foreman-proxy-dhcp-gateway 172.17.13.1 \
--foreman-proxy-dhcp-nameservers 172.17.13.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername $(hostname)

For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

3.6. Configuring Capsule Server with a Custom Server Certificate

Red Hat Satellite 6 includes default SSL certificates to enable encrypted communications between the Satellite Server, Capsule Servers, and all hosts. You can replace the default certificates with custom certificates if required. For example, your company’s security policy might dictate that SSL certificates must be obtained from a specific Certificate Authority.

Prerequisites

To use custom certificates on each Capsule Server, complete these procedures:

  1. Section 3.6.1, “Obtain an SSL Certificate for the Capsule Server”
  2. Section 3.6.2, “Validate the Capsule Server’s SSL Certificate”
  3. Section 3.6.3, “Create the Capsule Server’s Certificate Archive File”
  4. Section 3.6.4, “Install the Capsule Server’s Custom Certificate”
  5. Section 3.6.5, “Install the Capsule Server’s New Certificate on All Hosts”

3.6.1. Obtain an SSL Certificate for the Capsule Server

Important

This procedure generates PEM encoded certificates. Only PEM encoding must be used for the SSL Certificates.

Note
  • Do not use the Satellite Server’s certificate on any Capsule Server as each server’s certificate is unique.

  1. Create a directory to contain all the source certificate files, accessible to only the root user. 

    # mkdir /root/capsule_cert
# cd /root/capsule_cert

    In these examples, the directory is /root/capsule_cert. If you have multiple Capsule Servers, name the directory to match. For example, if you have Capsule Servers named capsule_apac and capsule_emea, you might create directories named capsule_apac and capsule_emea respectively. This is not required, but reduces the risk of using files from one Capsule Server on another Capsule Server.

  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note

    If you already have a private key for the Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096

  3. Create a Certificate Signing Request (CSR).

    A Certificate Signing Request is a text file containing details of the server for which you are requesting a certificate. For this command, you provide the private key (output by the previous step), answer some questions about the Capsule Server, and the Certificate Signing Request is stored in a file.

    Note

    The certificate’s Common Name (CN) must match the fully-qualified domain name (FQDN) of the server on which it is used.

    To confirm a server’s FQDN, enter the command hostname -f on the server. 

    # openssl req -new \
  -key /root/capsule_cert/capsule_cert_key.pem \ 1
  -out /root/capsule_cert/capsule_cert_csr.pem   2
    1
    Capsule Server’s private key, used to sign the certificate
    2
    Certificate Signing Request file

    Example Certificate Signing Request session

    You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Queensland
Locality Name (eg, city) [Default City]:Brisbane
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, your name or your server's hostname) []:capsule.example.com
Email Address []:example@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Example

  4. Send the certificate signing request to the Certificate Authority.

    When you submit the request, be sure to specify the lifespan of the certificate. The method for sending the certificate signing request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.

3.6.2. Validate the Capsule Server’s SSL Certificate

On the Satellite Server, validate the Capsule Server’s certificate input files with the katello-certs-check command. This process requires that you have copied the Capsule Server key, CSR, and SSL certificate from Capsule Server to Satellite Server. 

# katello-certs-check \
   -c /root/capsule_cert/capsule_cert.pem \      1
   -k /root/capsule_cert/capsule_cert_key.pem \  2
   -b /root/capsule_cert/ca_cert_bundle.pem      3
1
Capsule Server certificate file, provided by your Certificate Authority
2
Capsule Server’s private key, used to sign the certificate
3
Certificate Authority bundle, provided by your Certificate Authority

If the certificate is successfully validated, the output contains the following information. 

Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for use in the following procedure.

Proceed to Section 3.6.3, “Create the Capsule Server’s Certificate Archive File”.

3.6.3. Create the Capsule Server’s Certificate Archive File

The Capsule Server’s installer requires the server certificates to be in an archive file. To create this file, use the capsule-certs-generate command on the Satellite Server.

The capsule-certs-generate command must be run once for every external Capsule Server. In these examples, capsule.example.com is the example FQDN and capsule_certs.tar the example archive file’s name. Replace these with values appropriate to your environment, taking care not to overwrite an existing certificate archive file. For example, if you have Capsule Servers named capsule1 and capsule2, you can name the certificate archive files capsule1_certs.tar and capsule2_certs.tar.

The capsule-certs-generate command, including parameters, is output by the katello-certs-check when run on Satellite Server. For more information, see Configuring Satellite Server with a Custom Server Certificate in Installing Satellite Server from a Connected Network.

  1. In an editor, prepare a copy of the capsule-certs-generate command.
  2. Edit the values for --foreman-proxy-fqdn to match the Capsule Server’s FQDN, and --certs-tar to the file path and name for the certificate archive file.
  3. If the Capsule Server has not already been installed, remove the --certs-update-server parameter. This is used only to update an existing Capsule Server’s certificate.
  4. Copy the modified capsule-certs-generate command from the text editor to the terminal.

  5. Run the modified capsule-certs-generate command.

    Example capsule-certs-generate command

    # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
--certs-tar  /root/capsule_cert/capsule_certs.tar \
--server-cert /root/capsule_cert/capsule_cert.pem \
--server-cert-req /root/capsule_cert/capsule_cert_csr.pem \
--server-key /root/capsule_cert/capsule_cert_key.pem \
--server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
--certs-update-server

  6. On the Satellite Server, copy the certificate archive file to the Capsule Server, providing the root user’s password when prompted.

    In this example the archive file is copied to the root user’s home directory, but you may prefer to copy it elsewhere. 

    # scp /root/capsule_cert/capsule_certs.tar root@capsule.example.com:

Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for use in the following procedure.

Proceed to Section 3.6.4, “Install the Capsule Server’s Custom Certificate”.

3.6.4. Install the Capsule Server’s Custom Certificate

Warning

Complete this procedure on the Capsule Server.

To install the Capsule Server’s custom certificates, run the satellite-installer script with custom parameters. The command, including parameters, is output by the capsule-certs-generate command in Section 3.6.3, “Create the Capsule Server’s Certificate Archive File”.

  1. In an editor, prepare a copy of the satellite-installer command.
  2. Edit the value for --foreman-proxy-content-certs-tar to match the location of the certificates archive file.
  3. If you want to enable additional features on the Capsule Server, append their parameters to the satellite-installer command. For a description of all the installer’s parameters, enter the command satellite-installer --scenario capsule --help.
  4. Copy the modified satellite-installer command from the text editor to the terminal.

  5. Run the modified satellite-installer command.

    Example custom satellite-installer command

    # satellite-installer --scenario capsule \
--foreman-proxy-content-parent-fqdn "satellite.example.com" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "FeQsbASvCjvvaqE6duKH6SoYZWg4jwjg" \
--foreman-proxy-oauth-consumer-secret "7UhPXFPDBongvdTbNixbsWR5WFZsKEgF" \
--foreman-proxy-content-pulp-oauth-secret "VpQ9587tVmYeuY4Du6VitmZpZE5vy9ac" \
--foreman-proxy-content-certs-tar "/root/capsule_certs.tar"

Note

The satellite-installer command, as output by the capsule-certs-generate command, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.

Do NOT delete the certificates archive file (the .tar file) even after the certificates have been deployed to all relevant hosts. It is required, for example, when upgrading the Capsule Server. If the certificates archive file is not found by the installer, it fails with a message similar to the following: 

[ERROR YYYY-MM-DD hh:mm:ss main]  tar -xzf /var/tmp/srvcapsule01.tar returned 2 instead of one of [0]

Proceed to Section 3.6.5, “Install the Capsule Server’s New Certificate on All Hosts”.

3.6.5. Install the Capsule Server’s New Certificate on All Hosts

Hosts which connect to an external Capsule Server require that server’s custom certificate. Run the following command on all the Capsule Server’s hosts.

Note

Use the Capsule Server’s host name, not that of the Satellite Server. 

# yum -y localinstall \
http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm

3.7. Restricting Access to mongod

Only the apache and root users should be allowed access to the MongoDB database daemon, mongod, to reduce the risk of data loss.

Restrict access to mongod on Satellite and Capsule Servers using the following commands.

  1. Configure the Firewall. 

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent