Chapter 11. Create client profiles for the Red Hat Update Infrastructure servers
11.1. Generate GPG keys
Create a GPG key that you can use to sign custom packages (including client configuration RPMs) for the Red Hat Update Infrastructure (RHUI) client profile.
- A 4,096-bit RSA key is used because this profile will be used for RHUI servers that run on Red Hat Enterprise Linux (RHEL) 6 or RHEL 7. Gathering sufficient random data to generate a 4,096-bit key may take a significant amount of time, particularly if the Red Hat Update Appliance (RHUA) is a virtual machine. The disk activity created by a repository or content delivery server (CDS) synchronization may speed up the process.
The name of the client profile RPM (in this case,
rhui-client-rhui), which will be created in a later step, is used as the comment portion of the user ID. It is recommended that a different signing key be used for each client profile; the client profile name is used to distinguish the user IDs of the different keys.
# gpg --gen-key gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: 1. RSA and RSA (default) 2. DSA and Elgamal 3. DSA (sign only) 4. RSA (sign only) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all. Is this correct? y GnuPG needs to construct a user ID to identify your key. Real name: $YOURNAME Email address: $USER@$HOST.com Comment: rhui-client-rhui You selected this user ID: “$USERID (rhui-client-rhui) <$USER@$HOST.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key.
Enter a high-quality password and record it in a secure location:
gpg: key EDD092F4 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 4096R/EDD092F4 2015-11-25 Key fingerprint = 1139 932A 26E2 981A 1341 D636 0DDB B5F6 EDD0 925F4 uid Red Hat $USERID (rhui-client-rhui) <firstname.lastname@example.org> Note that this key cannot be used for encryption. You may want to use the command “--edit-key” to generate a subkey for this purpose.
Create a second key. This time choose option 3, DSA (sign only), as the key type and enter 1024 bits as the key size. These options create a key that can be used to sign RPMs for RHEL 6 and RHEL 7. Use
rhui-client-allas the comment portion of the user ID.
Export the two keys:
# mkdir /root/rpm-gpg # gpg --export --armor rhui-client-rhui >> /root/rpm-gpg/rhui-client-rhui # gpg --export --armor rhui-client-all >> /root/rpm-gpg/rhui-client-all
GPG defaults to substring matching when searching for keys. It is only necessary to specify the unique portion of the user ID (the client profile RPM name in this case). The traditional RPM-GPG-KEY- prefix will be added to the GPG key file names when the Red Hat Update Infrastructure Management Tool creates client configuration packages.
11.2. Set up custom repositories
You can create custom repositories that can be used to distribute updated client configuration packages or other non-Red Hat software to the RHUI servers. A protected repository for 64-bit RHUI servers (for example,
client-rhui-x86_64) will be the preferred vehicle for distributing new non-Red Hat packages (such as an updated client configuration package) to the RHUI servers.
Like Red Hat content repositories, all of which are protected, protected custom repositories that differ only in processor architecture (i386 versus AMD64) are consolidated into a single entitlement within an entitlement certificate, using the
$basearch yum variable.
In the event of certificate problems, an unprotected repository for RHUI servers can be used as a fallback method for distributing updated RPMs to the RHUI servers.
Navigate to the Red Hat Update Infrastructure Management Tool home screen:
[root@rhua ~]# rhui-manager
From the Repository Management screen, press
cto select create a new custom repository (RPM content only).
------------------------------------------------------------------------------ -= Red Hat Update Infrastructure Management Tool =- -= Repository Management =- l list repositories currently managed by the RHUI i display detailed information on a repository a add a new Red Hat content repository ad add a new Red Hat docker container c create a new custom repository (RPM content only) d delete a repository from the RHUI u upload content to a custom repository (RPM content only) ur upload content from a remote web site (RPM content only) p list packages in a repository (RPM content only) Connected: rhua.example.com ------------------------------------------------------------------------------
Enter a unique ID for the repository. Only alphanumeric characters, _ (underscore), and - (hyphen) are permitted. You cannot use spaces in the unique ID. For example,
repo-1are all valid entries.
Unique ID for the custom repository (alphanumerics, _, and - only):
- Enter a display name for the repository. This name is used to identify the repository within the Red Hat Update Infrastructure Management Tool.
Specify the path that will host the repository. The path must be unique across all repositories hosted by RHUI. For example, if you specify the path at this step as
some/unique/name, then the repository will be located at
Select sha256 as the checksum type to be used for the repository metadata.Note
Use sha256 when you create a custom repository for RHEL 6 or RHEL 7. Use sha1 if you create repositories for RHEL 5 client.
Choose whether to protect the new repository. If you answer no to this question, any client can access the repository. If you answer yes, only clients with an appropriate entitlement certificate can access the repository.Note
As the name implies, the content in an unprotected repository is available to any system that requests it, without any need for a client entitlement certificate. Be careful when using an unprotected repository to distribute any content, particularly content such as updated client configuration RPMs, which will then provide access to protected repositories.
Use of unprotected repositories is a “break glass in case of emergency” course of action.
If you choose to protect the new repository, the Red Hat Update Infrastructure Management Tool will ask for the entitlement path. It will also suggest the entitlement path based on the repository’s relative path.
Client entitlement certificates contain the download URLs that they are allowed to access. The RHUI analyzes the contents of the certificate to determine if the repository requested matches any of the permitted URLs, which determines whether to allow the client to authenticate. For example, if an entitlement certificate grants access to
/some/unique/nameand the request is made to a repository located at
//server/pulp/repos/some/unique/name/os/repodata, the RHUI will approve the request and grant the authentication because the path begins with one of the entitled download URLs. The URL only needs to begin with the correct information; it does not need to match exactly.Note
/some/unique/namerepository that was created in
pulp-adminwas not added in a custom group,
/some/unique/nameis not displayed in the Red Hat Update Infrastructure Management Tool. If you try to create a repository with the same ID
/some/unique/namein the Red Hat Update Infrastructure Management Tool and are not aware that
/some/unique/namerepository was created in
pulp-admin, you will see a message saying "A repository with ID
Entitlements can also contain variables, as long as
yumknows the value for the variable. The two most common variables to use are
$releasever, which are populated with details of the client making the request. For example, if an entitlement certificate grants access to
/unique-name/$basearch/barand the request is made to a repository located at
//server/pulp/repos/unique-name/x86_64/bar, the RHUI will approve the request and grant the authentication because the path matches when the variable is populated.
The Red Hat Update Infrastructure Management Tool suggests a path to use based on the variables you used when you gave it a path for the repository. Leave the field blank to accept the suggested path.
The Red Hat Update Infrastructure Management Tool will ask if you want GNU Privacy Guard (GPG) signature turned on for content in that repository. If you press
y, you will be asked if the content will be signed by Red Hat. Answering yes will include the Red Hat GPG key in the repository configuration. You are then asked if the content will be signed by a custom GPG key. Answering yes will prompt for a path to a public GPG key to include in the repository configuration. You can continue entering multiple paths to public GPG keys.
Should the repository require clients to perform a GPG check and verify packages are signed by a GPG key? (y/n) y Will the repository be used to host any Red Hat GPG signed content? (y/n) y Will the repository be used to host any custom GPG signed content? (y/n) y Enter the absolute path to the public key of the GPG key pair: /root/rpm-gpg/rhui-client-rhui.gpg Would you like to enter another public key? (y/n) y Enter the absolute path to the public key of the GPG key pair: /root/rpm-gpg/rhui-client-all.gpg Would you like to enter another public key? (y/n) n
The details of the new repository displays. Press
yat the prompt to confirm the information and create the repository.
11.3. Install the client configuration RPM on a client node
Install the client configuration RPM on each client node that requires updating:
# yum install /path/to/client_custom.rpm
The client configuration RPM will configure a yum repository called
rhui-$ORIGINALNAME. Use the
yum updatecommand to update each node.
# yum updateNote
yum updatecommand pulls updates from all enabled
yumrepositories. To pull updates from the
rhui-rhui-3 yumrepository only, use the following command:
# yum --disablerepo=* --enablerepo=rhui-rhui-3 update