Chapter 3. Performing Additional Configuration on Satellite Server

3.1. Installing the Satellite Tools Repository

The Satellite Tools repository provides the katello-agent and puppet packages for clients registered to Satellite Server. Installing the katello agent is recommended to allow remote updates of clients. The base system of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.

To Install the Satellite Tools Repository:

  1. In the Satellite web UI, navigate to Content > Red Hat Repositories.
  2. Use the Search field to enter the following repository name: Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs).

  3. In the Available Repositories pane, click on Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs) to expand the repository set.

    If the Red Hat Satellite Tools 6.4 items are not visible, it may be because they are not included in the Subscription Manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Subscription Manifest and import it into Satellite.

  4. For the x86_64 entry, click the Enable icon to enable the repository.

Enable the Satellite Tools repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

To Synchronize the Satellite Tools Repository:

  1. Navigate to Content > Sync Status.

    A list of product repositories available for synchronization is displayed.

  2. Click the arrow next to the product content to view available content.
  3. Select the content you want to synchronize.
  4. Click Synchronize Now.

3.2. Configuring Satellite Server with HTTP Proxy

If your network uses an HTTP Proxy, you can configure Satellite Server to use it. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

Authentication Methods

Only basic authentication is supported: add your username and password information to the --katello-proxy-url option, or use the --katello-proxy-username and --katello-proxy-password options.

To Configure Satellite with an HTTP Proxy

  1. Verify that the http_proxy, https_proxy, and no_proxy variables are not set. 

    # unset http_proxy
# unset https_proxy
# unset no_proxy

  2. Run satellite-installer with the HTTP proxy options. 

    # satellite-installer --scenario satellite \
--katello-proxy-url=http://myproxy.example.com \
--katello-proxy-port=8080 \
--katello-proxy-username=proxy_username \
--katello-proxy-password=proxy_password

  3. Verify that Satellite Server can connect to the Red Hat Content Delivery Network (CDN) and can synchronize its repositories.

    1. On the network gateway and the HTTP Proxy, enable TCP for the following host names:

      Host namePortProtocol

      subscription.rhsm.redhat.com

      443

      HTTPS

      cdn.redhat.com

      443

      HTTPS

      *.akamaiedge.net

      443

      HTTPS

      cert-api.access.redhat.com (if using Red Hat Insights)

      443

      HTTPS

      api.access.redhat.com (if using Red Hat Insights)

      443

      HTTPS

      Satellite Server communicates with the Red Hat CDN securely over SSL. Use of an SSL interception proxy interferes with this communication. These hosts must be whitelisted on the proxy.

      For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

    2. On Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf file: 

      # an http proxy server to use (enter server FQDN)
proxy_hostname = myproxy.example.com

# port for http proxy server
proxy_port = 8080

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

SELinux Considerations for Custom Ports

SELinux ensures access of Red Hat Satellite 6 and Red Hat Subscription Manager only to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 - 10010. If you use a port that does not have SELinux type http_cache_port_t, complete the following steps:

  1. To verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows: 

    # semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

  2. To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows: 

    # semanage port -a -t http_cache_port_t -p tcp 8088

For more information on SELinux port settings, see Section 1.9, “Changing Default SELinux ports”.

3.3. Enabling Power Management on Managed Hosts

When you enable the baseboard management controller (BMC) module on Satellite Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.

The BMC service enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).

For more information on the BMC service, see Configuring an Additional Network Interface in Managing Hosts.

Before You Begin

  • All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.

Enable Power Management on Managed Hosts

  1. Run the installer with the options to enable BMC. 

    # satellite-installer --foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

3.4. Configuring DNS, DHCP, and TFTP on Satellite Server

You can configure DNS, DHCP, and TFTP on Satellite Server.

If you want to configure external services, see Configuring External Services for more information.

If you want to disable these services in Satellite in order to manage them manually, see Disabling DNS, DHCP, and TFTP for Unmanaged Networks for more information.

To view a complete list of configurable options, enter the satellite-installer --scenario satellite --help command.

Before You Begin

  • Contact your network administrator to ensure that you have the correct settings.

  • You should have the following information available:

    • DHCP IP address ranges
    • DHCP gateway IP address
    • DHCP nameserver IP address
    • DNS information
    • TFTP server name
  • Use the FQDN instead of the IP address where possible in case of network changes.
Note

The information in the task is an example. You should use the information relevant to your own environment.

Configure DNS, DHCP, and TFTP on Satellite Server

  1. Run satellite-installer with the options appropriate for your environment. 

    # satellite-installer --scenario satellite \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-forwarders 172.17.13.1 \
--foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
--foreman-proxy-dhcp-gateway 172.17.13.1 \
--foreman-proxy-dhcp-nameservers 172.17.13.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername $(hostname)

    For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

    The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log. You can view the settings used, including the admin_password parameter, in the /etc/foreman-installer/scenarios.d/satellite-answers.yaml file.

Note

Any changes to the settings require running satellite-installer again. You can run the script multiple times and it updates all configuration files with the changed values.

3.5. Disabling DNS, DHCP, and TFTP for Unmanaged Networks

Satellite 6 provides full management capabilities for TFTP, DHCP, and DNS network services running on Satellite’s internal or external Capsules. If you want to manage those services manually or use some external method, then Satellite 6 cannot directly integrate with them. While it is possible to develop custom integration scripts using Foreman Hooks (such as creating DNS records after a new host is created), this integration, also known as orchestration, must be disabled in order to prevent DHCP and DNS validation errors.

  1. In the web UI, go to Infrastructure > Subnets and select a subnet.
  2. On the Capsules tab, ensure that there is no DHCP Capsule or TFTP Capsule associated by setting the drop-down list to None.

  3. Disable forward record orchestration.

    1. Go to Infrastructure > Domains and select a domain.
    2. On the Domain tab, setting the DNS Capsule drop-down list to None.

  4. Disable reverse (PTR) record orchestration.

    1. Go to Infrastructure > Subnets and select a subnet.
    2. On the Capsules tab, setting the Reverse DNS Capsule drop-down list to None.

  5. Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options: 

    Option 66: IP_address_of_Satellite_or_Capsule
Option 67: /pxelinux.0

    For more information about DHCP options, see RFC 2132.

Note

Satellite 6 does not perform orchestration when a Capsule is not set for a given subnet and domain. When enabling or disabling Capsule associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Capsule in order to turn orchestration on, make sure the required DHCP and DNS records as well as the TFTP files are in place for existing Satellite 6 managed hosts in order to prevent host deletion failures in the future.

3.6. Configuring Satellite Server for Outgoing Emails

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

If you have upgraded from a previous release, rename or remove the configuration file /usr/share/foreman/config/email.yaml and restart the httpd service. For example: 

# mv /usr/share/foreman/config/email.yaml \
/usr/share/foreman/config/email.yaml-backup
# systemctl restart httpd

To Configure Satellite Server for Outgoing Emails:

  1. In the Satellite web UI, navigate to AdministerSettings.

  2. Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

    1. The following example shows the configuration options for using an SMTP server:

      Table 3.1. Using an SMTP server as a delivery method

      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.example.com

      SMTP authentication

      login

      SMTP HELO/EHLO domain

      example.com

      SMTP password

      password

      SMTP port

      25

      SMTP username

      satellite@example.com

      The SMTP username and SMTP password specify the login credentials for the SMTP server.

    2. The following example uses gmail.com as an SMTP server:

      Table 3.2. Using gmail.com as an SMTP server

      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.gmail.com

      SMTP authentication

      plain

      SMTP HELO/EHLO domain

      smtp.gmail.com

      SMTP enable StartTLS auto

      Yes

      SMTP password

      password

      SMTP port

      587

      SMTP username

      user@gmail.com

    3. The following example uses the sendmail command as a delivery method:

      Table 3.3. Using sendmail as a delivery method

      NameExample value

      Delivery method

      Sendmail

      Sendmail arguments

      -i -t -G

      The Sendmail arguments specify the options passed to the sendmail command. The default value is -i -t. For more information see the sendmail 1 man page.

  3. If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:

    • Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server: 

      # cp mailca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust enable
# update-ca-trust

      Where mailca.crt is the CA certificate of the SMTP server.

    • Alternatively, in the web UI, set the SMTP enable StartTLS auto option to No.
  4. Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the web UI displays an error. See the log at /var/log/foreman/production.log for further details.
Note

For information on configuring email notifications for individual users or user groups, see Configuring Email Notifications in Administering Red Hat Satellite.

3.7. Configuring Satellite Server with a Custom Server Certificate

SSL certificates are used to protect information and enable secure communication. Red Hat Satellite 6 creates self-signed SSL certificates to enable encrypted communications between the Satellite Server, external Capsule Servers, and all hosts. Instead of using these self-signed certificates, you can install custom SSL certificates issued by a Certificate Authority which is an external, trusted company. For example, your company might have a security policy stating that SSL certificates must be obtained from a Certificate Authority. To obtain the certificate, create a Certificate Signing Request and send it to the Certificate Authority, as described in Section 3.7.1, “Obtain an SSL Certificate for the Satellite Server”. In return, you receive a signed SSL certificate.

Note

Obtain custom SSL certificates for the Satellite Server and all external Capsule Servers before starting this procedure.

To use a custom certificate on Satellite Server, complete these steps:

  1. Section 3.7.1, “Obtain an SSL Certificate for the Satellite Server”
  2. Section 3.7.2, “Validate the Satellite Server’s SSL Certificate”
  3. Section 3.7.3, “Run the Satellite Installer with Custom Certificate Parameters”
  4. Section 3.7.4, “Install the New Certificate on all Hosts Connected to the Satellite Server”

If you have external Capsule Servers, you must also complete the steps in Configuring Capsule Server with a Custom Server Certificate.

3.7.1. Obtain an SSL Certificate for the Satellite Server

Important

Only PEM encoding must be used for the SSL Certificates.

Note

If you already have a custom SSL Certificate for the Satellite Server, skip this procedure.

  1. Create a directory to contain all the source certificate files, accessible to only the root user.

    In these examples, the directory is /root/sat_cert. 

    # mkdir /root/sat_cert
# cd /root/sat_cert

  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note

    If you already have a private key for the Satellite Server, skip this step. 

    # openssl genrsa -out /root/sat_cert/satellite_cert_key.pem 4096

  3. Create a Certificate Signing Request (CSR)

    A Certificate Signing Request is a text file containing details of the server for which you are requesting a certificate. For this command, you provide the private key (output by the previous step), answer some questions about the Satellite Server, and the Certificate Signing Request is created.

    Note

    The certificate’s Common Name (CN) must match the fully-qualified domain name (FQDN) of the server on which it is used. If you are requesting a certificate for a Satellite Server, this is the FQDN of the Satellite Server. If you are requesting a certificate for a Capsule Server, this is the FQDN of the Capsule Server.

    To confirm a server’s FQDN, enter the following command on that server: hostname -f. 

    # openssl req -new \
  -key /root/sat_cert/satellite_cert_key.pem \ 1
  -out /root/sat_cert/satellite_cert_csr.pem   2
    1
    Satellite Server’s private key, used to sign the certificate
    2
    Certificate Signing Request file

    Example Certificate Signing Request session

    You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Queensland
Locality Name (eg, city) [Default City]:Brisbane
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, your name or your server's hostname) []:satellite.example.com
Email Address []:example@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Example

  4. Send the certificate request to the Certificate Authority.

    When you submit the request, be sure to specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.

3.7.2. Validate the Satellite Server’s SSL Certificate

Enter the katello-certs-check command with the required parameters as per the following example. This validates the input files required for custom certificates and outputs the commands necessary to install them on the Satellite Server, all Capsule Servers, and hosts under management with Satellite.

  1. Validate the custom SSL certificate input files. Change the files' names to match your files. 

    # katello-certs-check \
   -c /root/sat_cert/satellite_cert.pem \      1
   -k /root/sat_cert/satellite_cert_key.pem \  2
   -b /root/sat_cert/ca_cert_bundle.pem        3
    1
    Certificate file for the Satellite Server, signed by your Certificate Authority
    2
    Satellite Server’s private key, used to sign the certificate
    3
    Certificate Authority bundle

Example output of katello-certs-check

Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example@example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

Validation succeeded.

To install the Satellite server with the following custom certificates, run:

    satellite-installer --scenario satellite\
              --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
              --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
              --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
              --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
              --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
              --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
              --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE"\
              --certs-tar  "~/$CAPSULE-certs.tar"\
              --server-cert "/root/sat_cert/satellite_cert.pem"\
              --server-key "/root/sat_cert/satellite_cert_key.pem"\
              --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE"\
              --certs-tar  "~/$CAPSULE-certs.tar"\
              --server-cert "/root/sat_cert/satellite_cert.pem"\
              --server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
              --server-key "/root/sat_cert/satellite_cert_key.pem"\
              --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
              --certs-update-server

3.7.3. Run the Satellite Installer with Custom Certificate Parameters

Now that you have created an SSL certificate and verified it is valid for use with Red Hat Satellite 6, the next step is to install the custom SSL certificate on the Satellite Server and all its hosts.

There is a minor variation to this step, depending on whether or not the Satellite Server is already installed. If it is already installed, the existing certificates must be updated with those in the certificates archive.

The commands in this section are output by the katello-certs-check command, as detailed in Section 3.7.2, “Validate the Satellite Server’s SSL Certificate”, and can be copied and pasted into a terminal.

  1. Enter the satellite-installer command, depending on your situation:

    1. If Satellite is already installed, enter the following command on the Satellite Server: 

      # satellite-installer --scenario satellite \
--certs-server-cert /root/sat_cert/satellite_cert.pem \
--certs-server-key /root/sat_cert/satellite_cert_key.pem \
--certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
--certs-update-server --certs-update-server-ca

      Important parameters in this command include --certs-update-server and --certs-update-server-ca, which specify that the server’s SSL certificate and certificate authority are to be updated. For a brief description of all the installer’s parameters, enter the command: satellite-installer --scenario satellite --help.

      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

    2. If Satellite is not already installed, enter the following command on the Satellite Server: 

      # satellite-installer --scenario satellite \
--certs-server-cert /root/sat_cert/satellite_cert.pem \
--certs-server-key /root/sat_cert/satellite_cert_key.pem \
--certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem
      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

  2. Verify the certificate has been successfully installed on the Satellite Server before installing it on hosts. On a computer with network access to the Satellite Server, start a web browser, navigate to the URL https://satellite.example.com and view the certificate’s details.

3.7.4. Install the New Certificate on all Hosts Connected to the Satellite Server

Now that the custom SSL certificate has been installed on the Satellite Server, it must also be installed on every host registered to the Satellite Server. Enter the following commands on all applicable hosts.

  1. Delete the current katello-ca-consumer package on the host. 

    # yum remove 'katello-ca-consumer*'

  2. Install the custom SSL certificate on the host. 

    # yum localinstall http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

3.8. Using External Databases with Satellite

As part of the installation process for Red Hat Satellite, the satellite-installer command installs MongoDB and PostgreSQL databases on the same server as Satellite. In certain Satellite deployments, using external databases can help with the server load. However, there are many factors that can affect Satellite Server’s performance. Moving to an external database might not help your specific problem.

Depending on your requirements, you can use external databases for either MongoDB or PostgreSQL database, or both.

Red Hat does not provide support or tools for external database maintenance. This includes backups, upgrades, and database tuning. Customers using an external database require their own database administrator to support and maintain the database.

If your Satellite deployment requires external databases, use the following information to set up and point to external databases from Satellite.

3.8.1. MongoDB as an External Database Considerations

Pulp uses the MongoDB database. If you want to use MongoDB as an external database, the following information can help you discern if this option is right for your Satellite configuration.

Advantages of External MongoDB

  • Increase in free memory and free CPU on Satellite
  • Flexibility to tune the MongoDB server’s system without adversely affecting Satellite operations

Disadvantages of External MongoDB

  • Increase in deployment complexity that can make troubleshooting more difficult
  • An external MongoDB server is an additional system to patch and maintain
  • If either the Satellite or the Mongo database server suffers a hardware or storage failure, Satellite is not operational
  • If there is latency between the Satellite and the external database server, performance can suffer

If you suspect that your Mongo database is slow, you can work with Red Hat Support to troubleshoot. You might be encountering a configuration problem or existing performance problems with Satellite 6 that moving to an external database server might not help. Red Hat Support can examine existing known issues and also work with the Satellite Engineering team to determine the root cause.

3.8.2. PostgreSQL as an External Database Considerations

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you discern if this option is right for your Satellite configuration.

Advantages of External PostgreSQL:

  • Increase in free memory and free CPU on Satellite
  • Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on Satellite
  • Flexibility to tune the PostgreSQL server’s system without adversely affecting Satellite operations

Disadvantages of External PostgreSQL

  • Increase in deployment complexity that can make troubleshooting more difficult
  • The external PostgreSQL server is an additional system to patch and maintain
  • If either Satellite or the PostgreSQL database server suffers a hardware or storage failure, Satellite is not operational
  • If there is latency between the Satellite server and database server, performance can suffer

If you suspect that the PostgreSQL database on your Satellite is causing performance problems, use the information in Satellite 6: How to enable postgres query logging to detect slow running queries to determine if you have slow queries. Queries that take longer than one second are typically caused by performance issues with large installations, and moving to an external database might not help. If you have slow queries, contact Red Hat Support.

3.8.3. Overview

To create and use a remote database for Satellite, you must complete the following procedures:

  1. Use Section 1.2, “Storage Requirements and Guidelines” to plan the storage requirements for your external databases
  2. Prepare PostgreSQL with databases for Foreman and Candlepin and dedicated users owning them
  3. Prepare MongoDB with user pulp owning the pulp_database
  4. Follow the initial steps to install Satellite and ensure that the databases are accessible from Satellite
  5. Edit the parameters of satellite-installer to point to the new databases, and run satellite-installer

Preparing Red Hat Enterprise Linux Server 7 for Database Installation

You require a freshly provisioned system with the latest Red Hat Enterprise Linux Server 7 that meets the storage requirements from Section 1.2, “Storage Requirements and Guidelines”.

  1. Use the instructions in Identifying and Attaching the Satellite Subscription to the Host to attach a Satellite subscription to your server.

  2. To install MongoDB and PostgreSQL servers on Red Hat Enterprise Linux Server 7, you must disable all repositories and enable only the following repositories: 

    # subscription-manager repos --disable "*"
# subscription-manager repos --enable=rhel-server-rhscl-7-rpms \
--enable=rhel-7-server-rpms

3.8.4. Installing MongoDB

You can install only the same version of MongoDB that is installed with the satellite-installer tool during an internal database installation. You can install MongoDB using Red Hat Software Collections (RHSCL) repositories or from an external source, as long as the version is supported. Satellite supports MongoDB version 3.4.

  1. To install MongoDB, enter the following command: 

    # yum install rh-mongodb34

  2. Start and enable the rh-mongodb34 service: 

    # systemctl start rh-mongodb34-mongod
# systemctl enable rh-mongodb34-mongod

  3. Create a Pulp user on MongoDB for database pulp_database: 

    # scl enable rh-mongodb34 -- mongo pulp_database --eval "db.createUser({user:'pulp',pwd:'Pulp_Password',roles:[{role:'dbOwner', db:'pulp_database'},{ role: 'readWrite', db: 'pulp_database'}]})"

  4. In the /etc/opt/rh/rh-mongodb34/mongod.conf file, specify the bind IP: 

    bindIp: your_mongodb_server_bind_IP,::1

  5. Edit the /etc/opt/rh/rh-mongodb34/mongod.conf file to enable authentication in the security section: 

    security:
  authorization: enabled

  6. Restart the rh-mongodb34-mongod service: 

    # systemctl restart rh-mongodb34-mongod

  7. Open port 27017 for MongoDB: 

    # firewall-cmd --add-port=27017/tcp
# firewall-cmd --runtime-to-permanent

  8. Test the connection from Satellite to the external MongoDB for database pulp_database: 

    # scl enable rh-mongodb34 "mongo --host mongo.example.com -u pulp -p Pulp_Password --port 27017 --eval 'ping:1' pulp_database"

3.8.5. Installing PostgreSQL

You can install only the same version of PostgreSQL that is installed with the satellite-installer tool during an internal database installation. Satellite supports only a specific version of PostgreSQL that is available through Red Hat Enterprise Linux Server 7 repositories. You can install PostgreSQL using rhel-7-server-rpms repositories or from an external source, as long as the version is supported. For more information about the repository that contains the supported version of PostgreSQL, and what version is supported, see the Package Manifest.

  1. To install PostgreSQL, enter the following command: 

    # yum install postgresql-server

  2. To initialize, start, and enable PostgreSQL service, enter the following commands: 

    # postgresql-setup initdb
# systemctl start postgresql
# systemctl enable postgresql

  3. Edit the /var/lib/pgsql/data/postgresql.conf file: 

    # vi /var/lib/pgsql/data/postgresql.conf

  4. Remove the # and edit to listen to inbound connections: 

    listen_addresses = "*"

  5. Edit the /var/lib/pgsql/data/pg_hba.conf file: 

    # vi /var/lib/pgsql/data/pg_hba.conf

  6. Add the following line to the file: 

      host  all   all   satellite_server_ip/24   md5

  7. Restart PostgreSQL service to update with the changes: 

    # systemctl restart postgresql

  8. Open the postgresql port on the external PostgreSQL server: 

    # firewall-cmd --add-service=postgresql
# firewall-cmd --runtime-to-permanent

  9. Switch to the postgres user and start the PostgreSQL client: 

    $ su - postgres -c psql

  10. Create two databases and dedicated roles, one for Satellite and one for Candlepin: 

    CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;

  11. From Satellite Server, test that you can access the database: 

    # PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"

  12. To install and configure the remote database for Satellite, enter the following command: 

    satellite-installer --scenario satellite \
  --foreman-db-host postgres.example.com \
  --foreman-db-password Foreman_Password \
  --foreman-db-database foreman \
  --katello-candlepin-db-host postgres.example.com \
  --katello-candlepin-db-name candlepin \
  --katello-candlepin-db-password Candlepin_Password \
  --katello-candlepin-manage-db false \
  --katello-pulp-db-username pulp \
  --katello-pulp-db-password Pulp_Password \
  --katello-pulp-db-seeds mongo.example.com:27017 \
  --katello-pulp-db-name pulp_database

You can query the status of your databases. For example, enter the following command with the --only and add postgresql or rh-mongodb34-mongod:

For PostgreSQL, enter the following command: 

# foreman-maintain service status --only postgresql

For MongoDB, enter the following command: 

# foreman-maintain service status --only rh-mongodb34-mongod

3.9. Restricting Access to mongod

Only the apache and root users should be allowed access to the MongoDB database daemon, mongod, to reduce the risk of data loss.

Restrict access to mongod on Satellite and Capsule Servers using the following commands.

  1. Configure the Firewall. 

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent