Chapter 6. Install Red Hat Update Infrastructure

The following sections describe how to install Red Hat Update Infrastructure.

6.1. Generate an RSA Key Pair

Important

You must generate the RSA key pair on the Red Hat Update Appliance (RHUA) node and copy the public key to the content delivery server (CDS) and HAProxy nodes so that rhui-manager can set up the CDS and HAProxy nodes.

6.1.1. RSA Key Pair for Version 2 of the SSH Protocol

Follow these steps to generate an RSA key pair for version 2 of the SSH protocol.

  1. Generate an RSA key pair.

    [USER@rhua ~]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_rsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_rsa, for the newly created key.
  3. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.

    Your identification has been saved in /home/USER/.ssh/id_rsa.
    Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
    The key fingerprint is:
    e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |             E.  |
    |            . .  |
    |             o . |
    |              . .|
    |        S .    . |
    |         + o o ..|
    |          * * +oo|
    |           O +..=|
    |           o*  o.|
    +-----------------+
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------, or 700 in octal notation. This ensures that only USER, the owner, can view the contents. If required, this can be confirmed with the following command.

    [USER@rhua ~]$ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. Copy the public key to the HAProxy and CDS nodes.

    [USER@rhua ~]$ ssh-copy-id user@<haproxy1>
    [USER@rhua ~]$ ssh-copy-id user@<cds1>
    [USER@rhua ~]$ ssh-copy-id user@<cds2>

    This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name.

    [USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

    This command copies the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end.

6.1.2. ECDSA Key Pair for Version 2 of the SSH Protocol

Follow these steps to generate an ECDSA key pair for version 2 of the SSH protocol.

  1. Generate an ECDSA key pair.

    [USER@rhua ~]$ ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_ecdsa, for the newly created key.
  3. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.

    [USER@rhua ~]$
    Your identification has been saved in /home/USER/.ssh/id_ecdsa.
    Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
    The key's randomart image is:
    +--[ECDSA  256]---+
    |       .+ +o     |
    |       . =.o     |
    |        o o +  ..|
    |         + + o  +|
    |        S o o oE.|
    |           + oo+.|
    |            + o  |
    |                 |
    |                 |
    +-----------------+
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------, or 700 in octal notation. This ensures that only USER, the owner, can view the contents. If required, this can be confirmed with the following command.

    [USER@rhua ~]$ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. Copy the public key to the HAProxy and CDS nodes.

    [USER@rhua ~]$ ssh-copy-id user@<haproxy1>
    [USER@rhua ~]$ ssh-copy-id user@<cds1>
    [USER@rhua ~]$ ssh-copy-id user@<cds2>

    This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name.

    [USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname

    This command copies the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
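
Both key-generation procedures above (6.1.1 and 6.1.2) leave the private key without a passphrase, so file permissions are its only protection. The following check is an added example, not part of the Red Hat documentation or the RHUI tooling; the function names mode_of and audit_ssh_dir are hypothetical, and the owner-only expectation for private key files is OpenSSH's usual requirement, not something stated on this page.

```shell
#!/bin/sh
# Added example (not Red Hat code): audit the permissions that protect a
# passphrase-less SSH key. Function names are hypothetical.

# mode_of PATH: print the 10-character type/permission field of `ls -ld`,
# dropping the trailing SELinux "." or ACL "+" marker.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_ssh_dir DIR: print one line per finding; return the number of findings.
audit_ssh_dir() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # Step 4 of the procedure: the directory must be rwx------ (700).
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "LOOSE $(mode_of "$dir") $dir (expected drwx------)"
        findings=$((findings + 1))
    fi
    # The private keys carry no passphrase: only the owner may read them.
    for key in "$dir/id_rsa" "$dir/id_ecdsa"; do
        [ -f "$key" ] || continue
        case "$(mode_of "$key")" in
            -r[w-]-------) ;;
            *) echo "LOOSE $(mode_of "$key") $key (expected -rw-------)"
               findings=$((findings + 1)) ;;
        esac
    done
    # On CDS and HAProxy nodes: authorized_keys must not be group/other-writable.
    if [ -f "$dir/authorized_keys" ]; then
        case "$(mode_of "$dir/authorized_keys")" in
            -????-??-?) ;;
            *) echo "WRITABLE $(mode_of "$dir/authorized_keys") $dir/authorized_keys"
               findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Constructed demonstration: a throwaway directory holding an empty stand-in
# for id_rsa with deliberately loose permissions (644).
demo=$(mktemp -d)
chmod 700 "$demo"
: > "$demo/id_rsa"
chmod 644 "$demo/id_rsa"
audit_ssh_dir "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Run audit_ssh_dir "$HOME/.ssh" on the RHUA after step 5, and on each CDS and HAProxy node for the account that received the public key.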

6.2. Apply Updates

  1. Before installing Red Hat Update Appliance (RHUA) packages, apply any available operating system updates to all nodes (RHUA, content delivery server [CDS], and HAProxy) and reboot.
  2. Verify that all configuration changes have persisted.

    Warning

    Make sure the host name of the RHUA is set correctly. If the host name is unset and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.

6.3. Mount Red Hat Update Infrastructure ISO

To install the RHUI packages on the RHUA node, CDS nodes, and HAProxy nodes, mount the ISO to a suitable directory (or burn the ISO to a CD, insert the CD, and mount it), and change to the mount point.

6.4. Run the setup_package_repos Script

The setup_package_repos script is provided in the root directory of the RHUI ISO image.

Important

The setup_package_repos script creates a Yum configuration entry that requires the RHUI packages to be signed with the Red Hat Release key.

Perform the following step on the RHUA node, CDS nodes, and HAProxy nodes to install the RHUI packages.

  1. Execute the script from the mount point for the applicable system component.

    [root@rhua ~]# ./setup_package_repos
    [root@<cds1> ~]# ./setup_package_repos
    [root@<haproxy1> ~]# ./setup_package_repos

6.5. Install the rhui-installer Script

  1. Install the rhui-installer script.

    [root@rhua ~]# yum install -y rhui-installer
    This script will install the RHUI packages on the current machine.
    - Ensuring we are in an expected directory.
    - Copying installation files.
    - Creating a Repository File
    - Importing the gpg key.
    - Installation repository will remain configured for future package installs.
    - Installation media can now be safely unmounted.
    
    Installation packages are now available on this system. If you are installing a RHUA, please run yum install -y rhui-installer; rhui-installer.
    If you are installing a CDS, please log into the RHUA and run rhui-manager to begin the installation. Do not run rhui-installer to install a CDS.

6.6. Run the rhui-installer

The rhui-installer sets the initial Red Hat Update Infrastructure login password and displays it in its output. The password is also written to the /etc/rhui-installer/answers.yaml file. You can override the initial password with the --rhui-manager-password option. To change the initial password later, you must use the rhui-manager tool. Run the rhui-installer --help command to see the full list of rhui-installer options.

  1. Run rhui-installer on the RHUA.

    [root@rhua ~]# rhui-installer --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0 --cds-lb-hostname=cds.example.com
    
    Installing         	Done                                           	[100%]
    
    [..............................................................................]
    
    Success!
    The initial credentials are admin / <system-generated password>
    
    Re-running the installer will not update your password.
    
    The full log is at /var/log/kafo/configuration.log

    The command arguments are explained below.

    • --remote-fs-type=glusterfs means the remote file system type is GlusterFS.
    • --remote-fs-server=cds1.example.com means the name of the remote file system server is cds1.example.com.
    • rhui_content_0 means the name of the GlusterFS volume on cds1.example.com.
    • --cds-lb-hostname=cds.example.com means the name of the load balancer on cds1.example.com is cds.example.com.

      If using NFS, the rhui-installer command line is different. Instead of

      --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0

      specify the NFS server name and the exported directory, joined by a colon, as the value of the --remote-fs-server option. For example:

      --remote-fs-server=filer.example.com:/export
  2. Verify that the remote share is mounted.

    [root@rhua ~]# mount | grep rhui
    
    cds1.example.com:rhui_content_0 on /var/lib/rhui/remote_share type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)

6.7. Change the Initial Password

Note

Rerunning the rhui-installer will not update the rhui-manager login password.

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

    [root@rhua ~]# rhui-manager
    
    Previous authentication credentials could not be found. Logging into the RHUI.
    
    If this is the first time using the RHUI, it is recommended to change the user's password in the User Management section of RHUI Tools.
  2. Enter the RHUI Username (admin) and RHUI Password (provided by the rhui-installer output). The initial password is also stored in /etc/rhui-installer/answers.yaml.
  3. After successfully logging in for the first time, you should change the password. Press u on the Red Hat Update Infrastructure Management Tool home screen to select manage RHUI users.

    -= Red Hat Update Infrastructure Management Tool =-
    
    -= Home =-
    
    r   manage repositories
    c   manage content delivery servers (CDS)
    l   manage HAProxy load-balancer instances
    s   synchronization status and scheduling
    e   create entitlement certificates and client configuration RPMs
    n   manage Red Hat entitlement certificates
    u   manage RHUI users
    
                                          Connected: rhua.example.com
    ---------------
  4. Press p to select change a user’s password.

    ------------------------------------------------------------------------------
    = Red Hat Update Infrastructure Management Tool =
    
    = User Manager =
    
      p   change a user's password
    
                                                  	Connected: rhua.example.com
    
    ------------------------------------------------------------------------------
    rhui (users) => p
    
    Username: admin
  5. Enter the new password and press Enter. Re-enter the new password and press Enter.

    New Password:
    Re-enter Password:
    
    Password successfully updated.
    ------------------------------------------------------------------------------
  6. Log out and log in with the new password.

    Note

    If you do not log out and log back in, the certificate upload will fail, but you will not know why without looking at /root/.rhui/rhui.log.

Note

If a user has forgotten the password, it can be reset with a database query that sets the password to a known hashed value from another Pulp instance.