Chapter 11. Create Client Profiles for the Red Hat Update Infrastructure Servers

11.1. Generate GPG Keys

  1. Create a GPG key that you can use to sign custom packages (including client configuration RPMs) for the Red Hat Update Infrastructure (RHUI) client profile.

    • A 4,096-bit RSA key is used because this profile will be used for RHUI servers that run on Red Hat Enterprise Linux (RHEL) 6 or RHEL 7. Gathering sufficient random data to generate a 4,096-bit key may take a significant amount of time, particularly if the Red Hat Update Appliance (RHUA) is a virtual machine. The disk activity created by a repository or content delivery server (CDS) synchronization may speed up the process.
    • The name of the client profile RPM (in this case, rhui-client-rhui), which will be created in a later step, is used as the comment portion of the user ID. It is recommended that a different signing key be used for each client profile; the client profile name is used to distinguish the user IDs of the different keys.

      # gpg --gen-key
      
      gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
      
      This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
      
      Please select what kind of key you want:
      
      1. RSA and RSA (default)
      2. DSA and Elgamal
      3. DSA (sign only)
      4. RSA (sign only)
      
      Your selection? 4
      
      RSA keys may be between 1024 and 4096 bits long.
      
      What keysize do you want? (2048) 4096
      Requested keysize is 4096 bits
      
      Please specify how long the key should be valid.
      
      0 = key does not expire
       = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
      
      Key is valid for? (0) 0
      Key does not expire at all.
      
      Is this correct? y
      
      GnuPG needs to construct a user ID to identify your key.
      
      Real name: $YOURNAME
      
      Email address: $USER@$HOST.com
      
      Comment: rhui-client-rhui
      
      You selected this user ID:
      
      “$USERID (rhui-client-rhui) <$USER@$HOST.com>"
      
      Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
      
      You need a Passphrase to protect your secret key.
  2. Enter a high-quality password and record it in a secure location.

    gpg: key EDD092F4 marked as ultimately trusted
    
    public and secret key created and signed.
    
    gpg: checking the trustdb
    
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    
    gpg: depth: 0   valid:   1   signed:   0   trust:  0-, 0q, 0n, 0m, 0f, 1u
    
    pub    4096R/EDD092F4  2015-11-25
    
    Key fingerprint = 1139 932A 26E2 981A 1341 D636 0DDB B5F6 EDD0 925F4
    
    uid Red Hat $USERID (rhui-client-rhui) <user@redhat.com>
    
    Note that this key cannot be used for encryption. You may want to use the command “--edit-key” to generate a subkey for this purpose.
  3. Create a second key. This time choose option 3, DSA (sign only), as the key type and enter 1024 bits as the key size. These options create a key that can be used to sign RPMs for both RHEL 6 and RHEL 7. Use rhui-client-all as the comment portion of the user ID.
  4. Export the two keys by running the following commands.

    # mkdir /root/rpm-gpg
    # gpg --export --armor rhui-client-rhui >> /root/rpm-gpg/rhui-client-rhui
    # gpg --export --armor rhui-client-all >> /root/rpm-gpg/rhui-client-all

    GPG defaults to substring matching when searching for keys. It is only necessary to specify the unique portion of the user ID (the client profile RPM name in this case). The traditional RPM-GPG-KEY- prefix will be added to the GPG key file names when the Red Hat Update Infrastructure Management Tool creates client configuration packages.

11.2. Set Up Custom Repositories

Create custom repositories that can be used to distribute updated client configuration packages or other non-Red Hat software to the RHUI servers. A protected repository for 64-bit RHUI servers (for example, client-rhui-x86_64) will be the preferred vehicle for distributing new non-Red Hat packages (such as an updated client configuration package) to the RHUI servers.

Like Red Hat content repositories, all of which are protected, protected custom repositories that differ only in processor architecture (i386 versus AMD64) are consolidated into a single entitlement within an entitlement certificate, using the $basearch yum variable.

In the event of certificate problems, an unprotected repository for RHUI servers can be used as a fallback method for distributing updated RPMs to the RHUI servers.

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
  2. From the Repository Management screen, press c to select create a new custom repository (RPM content only).

    ------------------------------------------------------------------------------
                 -= Red Hat Update Infrastructure Management Tool =-
    
    -= Repository Management =-
    
       l   list repositories currently managed by the RHUI
       i   display detailed information on a repository
       a   add a new Red Hat content repository
       ad  add a new Red Hat docker container
       c   create a new custom repository (RPM content only)
       d   delete a repository from the RHUI
       u   upload content to a custom repository (RPM content only)
       p   list packages in a repository (RPM content only)
    
                                                       Connected: rhua.example.com
    ------------------------------------------------------------------------------
  3. Enter a unique ID for the repository. Only alphanumeric characters, _ (underscore), and - (hyphen) are permitted. You cannot use spaces in the unique ID. For example, repo1, repo_1, and repo-1 are all valid entries.

    Unique ID for the custom repository (alphanumerics, _, and - only):
  4. Enter a display name for the repository. This name is used to identify the repository within the Red Hat Update Infrastructure Management Tool.
  5. Specify the path that will host the repository. The path must be unique across all repositories hosted by RHUI. For example, if you specify the path at this step as some/unique/name, then the repository will be located at //server/pulp/repos/some/unique/name.
  6. Select sha256 as the checksum type to be used for the repository metadata.

    Note

    Use sha256 when you create a custom repository for RHEL 6 or RHEL 7. Use sha1 if you create repositories for RHEL 5 client.

  7. Choose whether to protect the new repository. If you answer no to this question, any client can access the repository. If you answer yes, only clients with an appropriate entitlement certificate can access the repository.

    Note

    As the name implies, the content in an unprotected repository is available to any system that requests it, without any need for a client entitlement certificate. Be careful when using an unprotected repository to distribute any content, particularly content such as updated client configuration RPMs, which will then provide access to protected repositories.

    Use of unprotected repositories is a “break glass in case of emergency” course of action.

    If you choose to protect the new repository, the Red Hat Update Infrastructure Management Tool will ask for the entitlement path. It will also suggest the entitlement path based on the repository’s relative path.

    Client entitlement certificates contain the download URLs that they are allowed to access. The RHUI analyzes the contents of the certificate to determine if the repository requested matches any of the permitted URLs, which determines whether to allow the client to authenticate. For example, if an entitlement certificate grants access to /some/unique/name and the request is made to a repository located at //server/pulp/repos/some/unique/name/os/repodata, the RHUI will approve the request and grant the authentication because the path begins with one of the entitled download URLs. The URL only needs to begin with the correct information; it does not need to match exactly.

    Note

    If the /some/unique/name repository that was created in pulp-admin was not added in a custom group, /some/unique/name is not displayed in the Red Hat Update Infrastructure Management Tool. If you try to create a repository with the same ID /some/unique/name in the Red Hat Update Infrastructure Management Tool and are not aware that /some/unique/name repository was created in pulp-admin, you will see a message saying "A repository with ID /some/unique/name already exists".

    Entitlements can also contain variables, as long as yum knows the value for the variable. The two most common variables to use are $basearch and $releasever, which are populated with details of the client making the request. For example, if an entitlement certificate grants access to /unique-name/$basearch/bar and the request is made to a repository located at //server/pulp/repos/unique-name/x86_64/bar, the RHUI will approve the request and grant the authentication because the path matches when the variable is populated.

    The Red Hat Update Infrastructure Management Tool suggests a path to use based on the variables you used when you gave it a path for the repository. Leave the field blank to accept the suggested path.

    The Red Hat Update Infrastructure Management Tool will ask if you want GNU Privacy Guard (GPG) signature turned on for content in that repository. If you press y, you will be asked if the content will be signed by Red Hat. Answering yes will include Red Hat’s GPG key in the repository configuration. You are then asked if the content will be signed by a custom GPG key. Answering yes will prompt for a path to a public GPG key to include in the repository configuration. You can continue entering multiple paths to public GPG keys.

    Should the repository require clients to perform a GPG check and verify packages are signed by a GPG key? (y/n) y
    
    Will the repository be used to host any Red&nbsp;Hat GPG signed content? (y/n) y
    
    Will the repository be used to host any custom GPG signed content? (y/n) y
    
    Enter the absolute path to the public key of the GPG key pair:
    /root/rpm-gpg/rhui-client-rhui.gpg
    
    Would you like to enter another public key? (y/n) y
    
    Enter the absolute path to the public key of the GPG key pair:
    /root/rpm-gpg/rhui-client-all.gpg
    
    Would you like to enter another public key? (y/n) n
  8. The details of the new repository displays. Press y at the prompt to confirm the information and create the repository.

11.3. Create an Entitlement Certificate

See Section 10.1, “Create an Entitlement Certificate” for details.

11.4. Create a Client Configuration RPM

See Section 10.2, “Create a Client Configuration RPM” for details.

11.5. Install the Client Configuration RPM on a Client Node

  1. Install the client configuration RPM on each client node that requires updating.

    # yum install /path/to/client_custom.rpm
  2. The client configuration RPM will configure a yum repository called rhui-$ORIGINALNAME. Use yum update to update each node.

    # yum update
    Note

    Running yum update pulls updates from all enabled yum repositories. To pull updates from the rhui-rhui-3 yum repository only, use the following command.

    # yum --disablerepo=* --enablerepo=rhui-rhui-3 update

Report a bug