Chapter 3. Performing Additional Configuration on Capsule Server

Use this chapter to configure additional settings on your Capsule Server.

3.1. Installing the Katello Agent

To remotely update Satellite clients, you must install the Katello agent.

The katello-agent package depends on the gofer package that provides the goferd service. This service must be enabled so that Satellite Server or Capsule Server can provide information about errata that are applicable for content hosts.

Prerequisites

Before installing the Katello agent, ensure the following conditions are met:

  • You have enabled the Satellite Tools repository on Satellite Server. For more information, see Enabling the Satellite Tools Repository in Installing Satellite Server from a Connected Network.
  • You have synchronized the Satellite Tools repository on Satellite Server. For more information, see Synchronizing the Satellite Tools Repository in Installing Satellite Server from a Connected Network.
  • You have enabled the Satellite Tools repository on the client. For example, to ensure that the repository is enabled on the Red Hat Enterprise Linux 7 client, enter the following command on the client:

    # subscription-manager repos --enable rhel-7-server-satellite-tools-6.6-rpms

Procedure

To install the Katello agent, complete the following steps:

  1. Install the katello-agent package:

    # yum install katello-agent
  2. Start the goferd service :

    # systemctl start goferd

3.2. Enabling Remote Execution on Capsule Server

To run commands on hosts that are registered to Capsule Server, you must enable the remote execution feature on your Capsule.

Remote execution on external Capsules is disabled by default.

Procedure

  • To enable remote execution on Capsule Server, enter the following command:

    # satellite-installer --scenario capsule \
    --enable-foreman-proxy-plugin-remote-execution-ssh

3.3. Enabling OpenSCAP on External Capsules

On Satellite Server and the integrated Capsule of your Satellite Server, OpenSCAP is enabled by default.

To use the OpenSCAP plug-in and content on an external Capsule, you must enable OpenSCAP on each Capsule.

Procedure

  • To enable OpenSCAP, enter the following command:

    # satellite-installer --scenario capsule \
    --enable-foreman-proxy-plugin-openscap

3.4. Adding Life Cycle Environments to Capsule Servers

If your Capsule Server has the content functionality enabled, you must add an environment so that Capsule can synchronize content from Satellite Server and provide content to host systems.

Do not assign the Library lifecycle environment to your Capsule Server because it triggers an automated Capsule sync every time the CDN updates a repository. This might consume multiple system resources on Capsules, network bandwidth between Satellite and Capsules, and available disk space on Capsules.

You can use Hammer CLI on Satellite Server or the Satellite web UI.

Procedure

To add a life cycle environment to Capsule Server, complete the following steps:

  1. In the Satellite web UI, navigate to Infrastructure > Capsules, and select the Capsule that you want to add a life cycle to.
  2. Click Edit and click the Life Cycle Environments tab.
  3. From the left menu, select the life cycle environments that you want to add to Capsule and click Submit.
  4. To synchronize the content on the Capsule, click the Overview tab and click Synchronize.
  5. Select either Optimized Sync or Complete Sync.

    For definitions of each synchronization type, see Recovering a Repository in the Content Management Guide.

For CLI Users

  1. To display a list of all Capsule Servers, on Satellite Server, enter the following command:

    # hammer capsule list

    Note the Capsule ID of the Capsule that you want to add a life cycle to.

  2. Using the ID, verify the details of your Capsule:

    # hammer capsule info --id capsule_id
  3. Display the life cycle environments that are available and note the environment ID:

    # hammer capsule content available-lifecycle-environments \
    --id capsule_id
  4. To view the life cycle environments available for your Capsule Server, enter the following command and note the ID and the organization name:

    # hammer capsule content available-lifecycle-environments --id capsule_id
  5. Add the life cycle environment to your Capsule Server:

    # hammer capsule content add-lifecycle-environment \
    --id capsule_id --organization "My_Organization" \
    --environment-id environment_id

    Repeat for each life cycle environment you want to add to Capsule Server.

  6. Synchronize the content from Satellite to Capsule.

    • To synchronize all content from your Satellite Server environment to Capsule Server, enter the following command:

      # hammer capsule content synchronize --id capsule_id
    • To synchronize a specific life cycle environment from your Satellite Server to Capsule Server, enter the following command:

      # hammer capsule content synchronize --id external_capsule_id \
      --environment-id environment_id

3.5. Enabling Power Management on Managed Hosts

To perform power management tasks on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Capsule Server.

Prerequisites

Procedure

  • To enable BMC, enter the following command:

    # satellite-installer --scenario capsule \
    --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"

3.6. Configuring DNS, DHCP, and TFTP on Capsule Server

To configure the DNS, DHCP, and TFTP services on Capsule Server, use the satellite-installer command with the options appropriate for your environment.

To view a complete list of configurable options, enter the satellite-installer --scenario satellite --help command.

Any changes to the settings require entering the satellite-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

Prerequisites

Before you can configure DNS, DHCP and TFTP services, ensure that the following conditions are met:

  • You must have the correct network name (dns-interface) for the DNS server.
  • You must have the correct interface name (dhcp-interface) for the DHCP server.
  • Contact your network administrator to ensure that you have the correct settings.

Procedure

  • Enter the satellite-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

    # satellite-installer --scenario capsule \
    --foreman-proxy-dns true \
    --foreman-proxy-dns-managed true \
    --foreman-proxy-dns-interface eth0 \
    --foreman-proxy-dns-zone example.com \
    --foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-managed true \
    --foreman-proxy-dhcp-interface eth0 \
    --foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
    --foreman-proxy-dhcp-gateway 192.0.2.1 \
    --foreman-proxy-dhcp-nameservers 192.0.2.2 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-managed true \
    --foreman-proxy-tftp-servername 192.0.2.3

For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

3.7. Restricting Access to mongod

To reduce the risk of data loss, configure only the apache and root users to have access to the MongoDB database daemon, mongod.

To restrict access to mongod on your Capsule Server, you must update your firewall configuration.

Procedure

  1. Update the firewall configuration by entering the following command:

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP
  2. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent