Chapter 1. Introduction to Red Hat Update Infrastructure

The Red Hat Update Infrastructure (RHUI) enables cloud providers to deploy Red Hat solutions into their cloud environments. Using Red Hat Update Infrastructure, cloud providers enable customers to update Red Hat technology in a customer’s cloud-based deployment.
An X.509 certificate grants access to the Red Hat Enterprise Linux and Red Hat Update Infrastructure channels, including ISO images and RPM packages.

Important

Both Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 require appropriate GPG keys to work with Red Hat Update Infrastructure, and different packages supply these keys to the two operating systems. The packages required are:
  • for Red Hat Enterprise Linux 5 — redhat-release-5Server
  • for Red Hat Enterprise Linux 6 — redhat-release-server
Once installed and configured, Red Hat Update Infrastructure tools are used to create Red Hat Update Appliance (RHUA) and Content Delivery Server (CDS) instances. CDS instances are then managed and monitored by the Red Hat Update Appliance.
Using Red Hat Update Infrastructure, initial configuration, initialization, and synchronization of cloud-based Red Hat technology instances requires little user configuration or intervention. In some use cases, however, cloud-specific configuration is required. For example:
  • Setting a storage volume mount point in the cloud to store installation or update packages synchronized from the Red Hat Customer Portal.
  • Configuring network security for intra-cloud communications.
  • Adding monitoring checks other than those offered by Red Hat.

Note

Because Red Hat Update Infrastructure updates packages, running the yum list command on a system using Red Hat Update Infrastructure returns all package versions. Despite this, Red Hat Update Infrastructure can only supply the latest available version of a package when clients are updated.

1.1. System Overview

Red Hat Update Infrastructure comprises the following technologies:
  • the Red Hat Update Appliance (RHUA). The Red Hat Update Appliance is a system instance that runs in the cloud by default. It
    • synchronizes packages from an external source (such as the Red Hat Customer Portal).
    • monitors status and provides both machine and human-readable update reports.
    • manages one or more Content Delivery Servers.
  • the Content Delivery Server (CDS). A CDS serves packages to cloud-based clients via HTTPS.

1.1.1. Communication

  1. The cloud provider accesses a central third-party content repository, such as Red Hat Customer Portal. Note: the Red Hat Update Appliance can connect to the content repository using a cloud provider’s network proxy server.
  2. The Red Hat Update Appliance synchronizes content to the CDS instances, and evenly distributes requests. Note: Each CDS serves as a load balancer. There is no need to install the load balancer either as a separate instance or as part of the Red Hat Update Appliance.
  3. CDS instances distribute content via HTTPS to cloud-hosted Red Hat Enterprise Linux instances.

1.1.2. Certificates

Red Hat Update Infrastructure uses three different types of X.509 certificates:
Content certificate
The content certificate and its associated private key are given to the customer to allow access to Red Hat Customer Portal. This grants permission to the customer to download the Red Hat Update Infrastructure packages or ISO. Additionally, the Red Hat Update Appliance uses this certificate when authenticating with Red Hat Customer Portal to download updated packages into the Red Hat Update Infrastructure environment.
Content certificates are signed by the Red Hat Certificate Authority (CA). This is the only certificate in the Red Hat Update Infrastructure public key infrastructure (PKI) that is not signed by the cloud provider.
Entitlement certificate
Clients use an entitlement certificate when connecting to CDS instances. The entitlement certificate contains entitlements for some or all of the products initially granted to the cloud provider in the content certificate. A client using an entitlement certificate can only get access to channels for which the certificate provides an entitlement.
The entitlement certificate must be signed by a Certificate Authority (CA). This allows you to generate entitlement certificates for use in your environment without having to request them from Red Hat. All requests to the Red Hat Update Infrastructure that test the entitlement certificate will check that it was signed by the CA. This prevents users from spoofing the Red Hat Update Infrastructure with self-signed certificates.
SSL Certificates
SSL is used for communicating with CDS instances. SSL requires that a new SSL certificate is generated for each instance. For example, in an environment with three CDS instances, three separate certificates will need to be generated. The common name (CN) of the certificate must match the hostname of the instance.
Red Hat does not restrict CA certificate choice. CA certificates can be: from a trusted source (for example VeriSign); subordinate certificates in a trust chain from an established certificate; or generated new using a tool such as OpenSSL.
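The following script is an added example, not part of the Red Hat documentation or the RHUI tooling. It shows the provider-side PKI described above with OpenSSL: a provider CA, one SSL certificate per CDS whose CN matches that instance's hostname, and a client-style check that rejects a self-signed certificate for the same hostname. The hostname, file names and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the RHUI documentation): provider CA plus a per-CDS
# SSL certificate, verified the way a client verifies a CDS endpoint.
set -e
WORK="${WORK:-$(mktemp -d)}"
CDS_HOST="cds01.example.cloud"   # assumed hostname of one CDS instance

make_ca() {
  # Provider CA: private key and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Cloud RHUI CA" >/dev/null 2>&1
  chmod 600 "$WORK/ca.key"       # the CA key is the root of trust; keep it private
}

issue_cds_cert() {
  # One key and certificate per CDS; the CN must equal the instance hostname
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$host.crt" >/dev/null 2>&1
  chmod 600 "$WORK/$host.key"
}

cert_cn() {
  # Print only the CN of a certificate (works with old and new subject formats)
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

verify_for_host() {
  # Succeeds only if the certificate chains to the provider CA AND its name
  # matches the expected hostname; a self-signed certificate fails here.
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_ca
issue_cds_cert "$CDS_HOST"
# A self-signed certificate for the same hostname, to show it is rejected
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/rogue.key" \
  -out "$WORK/rogue.crt" -subj "/CN=$CDS_HOST" >/dev/null 2>&1
```

In a real deployment the CA certificate is what clients and the RHUA are configured to trust, so only certificates issued by it (not any certificate that merely carries the right CN) pass the check.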

Important

Always ensure your private key is well protected to avoid security breaches.