Chapter 6. Install Red Hat Update Infrastructure

The following sections describe how to install Red Hat Update Infrastructure.

6.1. Generate an RSA key pair

Important

You must generate the RSA key pair on the Red Hat Update Appliance (RHUA) node and copy the public key to the content delivery server (CDS) and HAProxy nodes so that rhui-manager can set up the CDS and HAProxy nodes.

6.1.1. RSA key pair for Version 2 of the SSH protocol

Follow these steps to generate an RSA key pair for version 2 of the SSH protocol.

Procedure

  1. Generate an RSA key pair:

    [USER@rhua ~]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_rsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_rsa, for the newly created key.
  3. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.

    Your identification has been saved in /home/USER/.ssh/id_rsa.
    Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
    The key fingerprint is:
    e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |             E.  |
    |            . .  |
    |             o . |
    |              . .|
    |        S .    . |
    |         + o o ..|
    |          * * +oo|
    |           O +..=|
    |           o*  o.|
    +-----------------+
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only <$USER> can view the contents. If required, this can be confirmed with the following command:

    [USER@rhua ~]$ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. Copy the public key to the HAProxy and CDS nodes:

    [USER@rhua ~]$ ssh-copy-id user@<haproxy1>
    [USER@rhua ~]$ ssh-copy-id user@<cds1>
    [USER@rhua ~]$ ssh-copy-id user@<cds2>

    This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name:

    [USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

    This command copies the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end.

6.1.2. ECDSA key pair for Version 2 of the SSH protocol

Follow these steps to generate an ECDSA key pair for version 2 of the SSH protocol.

Procedure

  1. Generate an ECDSA key pair:

    [USER@rhua ~]$ ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_ecdsa, for the newly created key.
  3. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.

    [USER@rhua ~]$
    Your identification has been saved in /home/USER/.ssh/id_ecdsa.
    Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
    The key's randomart image is:
    +--[ECDSA  256]---+
    |       .+ +o     |
    |       . =.o     |
    |        o o +  ..|
    |         + + o  +|
    |        S o o oE.|
    |           + oo+.|
    |            + o  |
    |                 |
    |                 |
    +-----------------+
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only <$USER> can view the contents. If required, this can be confirmed:

    [USER@rhua ~]$ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. Copy the public key to the HAProxy and CDS nodes:

    [USER@rhua ~]$ ssh-copy-id user@<haproxy1>
    [USER@rhua ~]$ ssh-copy-id user@<cds1>
    [USER@rhua ~]$ ssh-copy-id user@<cds2>

    This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name:

    [USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname

    This command copies the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
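
Because both procedures (6.1.1 and 6.1.2) require a key without a passphrase, file permissions are the only protection on the private key. The following added example, which is not part of the Red Hat documentation, audits an ~/.ssh directory on the RHUA (private keys) or on a CDS or HAProxy node (authorized_keys). The function name and script name are hypothetical, and it assumes GNU stat.

```sh
#!/bin/sh
# Added example, not from the RHUI documentation.
# audit_ssh_dir DIR: prints one line per finding; returns 0 when clean,
# 1 when something is too open, 2 when DIR cannot be read.
# Assumes GNU stat (stat -c), as shipped on RHEL.
audit_ssh_dir() {
    dir=$1
    rc=0
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "FINDING: cannot stat $dir"; return 2; }
    # Step 4 of the procedure expects rwx------ (700) on ~/.ssh.
    if [ "$mode" != "700" ]; then
        echo "FINDING: $dir is mode $mode, expected 700"
        rc=1
    fi
    # The keys have no passphrase, so file permissions are their only protection.
    for key in "$dir/id_rsa" "$dir/id_ecdsa"; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "FINDING: private key $key is mode $mode, expected 600"
            rc=1
        fi
    done
    # On the CDS and HAProxy nodes: nobody else may append keys.
    if [ -f "$dir/authorized_keys" ]; then
        mode=$(stat -c '%a' "$dir/authorized_keys")
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "FINDING: $dir/authorized_keys is mode $mode, writable by group or others"
            rc=1
        fi
    fi
    return "$rc"
}

# Usage: sh audit_ssh_dir.sh ~/.ssh   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```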

6.2. Apply updates

Procedure

  1. Before installing Red Hat Update Appliance (RHUA) packages, apply any available operating system updates to all nodes (RHUA, content delivery server [CDS], and HAProxy) and reboot.
  2. Verify that all configuration changes have persisted.

    Warning

    Make sure the host name of the RHUA is set correctly. If the host name is unset and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.

6.3. Mount Red Hat Update Infrastructure ISO

Note

This section is optional and can be skipped if you are using a subscription to install Red Hat Update Infrastructure 3.1.9.

Procedure

  1. To install the RHUI packages on the RHUA node, CDS nodes, and HAProxy nodes, mount the ISO to a suitable directory (or burn the ISO to a CD, insert the CD, and mount the ISO), and enter the mount point.

6.4. Run the setup_package_repos script

Note

This section is optional and can be skipped if you are using a subscription to install Red Hat Update Infrastructure 3.1.9.

The setup_package_repos script is provided in the root directory of the RHUI ISO image.

Important

The setup_package_repos script creates a yum configuration entry that requires the RHUI packages to be signed with the Red Hat Release key.

Perform the following step on the RHUA node, CDS nodes, and HAProxy nodes to install the RHUI packages.

Procedure

  1. Execute the script from the mount point for the applicable system component:

    [root@rhua ~]# ./setup_package_repos
    [root@<cds1> ~]# ./setup_package_repos
    [root@<haproxy1> ~]# ./setup_package_repos

6.5. Install the rhui-installer script

Procedure

  1. Install the rhui-installer script:

    [root@rhua ~]# yum install -y rhui-installer
    This script will install the RHUI packages on the current machine.
    - Ensuring we are in an expected directory.
    - Copying installation files.
    - Creating a Repository File
    - Importing the gpg key.
    - Installation repository will remain configured for future package installs.
    - Installation media can now be safely unmounted.
    
    Installation packages are now available on this system. If you are installing a RHUA, please run yum install -y rhui-installer; rhui-installer.
    If you are installing a CDS, please log into the RHUA and run rhui-manager to begin the installation. Do not run rhui-installer to install a CDS.

6.6. Run the rhui-installer

The rhui-installer sets the initial Red Hat Update Infrastructure login password and displays it in its output. It is also written in the /etc/rhui-installer/answers.yaml file. You can override the initial password with the --rhui-manager-password option. If you want to change the initial password later, you can only change it via the rhui-manager tool. Run the rhui-installer --help command to see the full list of rhui-installer options.

Procedure

  1. Run rhui-installer on the RHUA:

    [root@rhua ~]# rhui-installer --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0 --cds-lb-hostname=cds.example.com
    
    Installing         	Done                                           	[100%]
    
    [..............................................................................]
    
    Success!
    The initial credentials are admin / <system-generated password>
    
    Re-running the installer will not update your password.
    
    The full log is at /var/log/kafo/configuration.log

    Following are explanations of the command arguments:

    • --remote-fs-type=glusterfs means the remote file system type is GlusterFS.
    • --remote-fs-server=cds1.example.com:rhui_content_0 means the name of the remote file system server is cds1.example.com and the name of the GlusterFS volume on cds1.example.com is rhui_content_0.
    • --cds-lb-hostname=cds.example.com means the name of the load balancer on cds1.example.com is cds.example.com.

      Note

      When the cds-lb-hostname option is not included during installation, its value is prepopulated from the answers file provided with the rhui-installer RPM. The host name is preset in the answers file to cds.example.com, and certificates are created for the RHUI environment with this cds-lb-hostname included. See Chapter 18, Migrate to a new load balancer, or change the name of an existing load balancer for details on changing the name of a load balancer.

      If using NFS, the rhui-installer command line is different. Instead of

      --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0

      specify the NFS server name and the exported directory, joined by the colon sign, as the parameter of the --remote-fs-server option. For example:

      --remote-fs-server=filer.example.com:/export
  2. Verify that the remote share is mounted:

    [root@rhua ~]# mount | grep rhui
    
    cds1.example.com:rhui_content_0 on /var/lib/rhui/remote_share type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)

6.7. Change the initial password

Note

Rerunning the rhui-installer will not update the rhui-manager login password.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager
    
    Previous authentication credentials could not be found. Logging into the RHUI.
    
    If this is the first time using the RHUI, it is recommended to change the user's password in the User Management section of RHUI Tools.
  2. Enter the RHUI Username (admin) and RHUI Password (provided by the rhui-installer output). The initial password is also stored in /etc/rhui-installer/answers.yaml.
  3. After successfully logging in for the first time, you should change the password. Press u on the Red Hat Update Infrastructure Management Tool home screen to select manage RHUI users.

                 -= Red Hat Update Infrastructure Management Tool =-
    
    -= Home =-
    
       r   manage repositories
       c   manage content delivery servers (CDS)
       l   manage HAProxy load-balancer instances
       s   synchronization status and scheduling
       e   create entitlement certificates and client configuration RPMs
       n   manage Red Hat entitlement certificates
       u   manage RHUI users
    
                                                       Connected: rhua.example.com
  4. Press p to select change a user’s password (followed by logout).

    ------------------------------------------------------------------------------
    = Red Hat Update Infrastructure Management Tool =
    
    = User Manager =
    
      p   change a user's password (followed by logout)
    
                                                  	Connected: rhua.example.com
    
    ------------------------------------------------------------------------------
    rhui (users) => p
    Warning: After password change you will be logged out.
    Use ctrl-c to cancel password change.
    Username: admin
  5. Enter the new password and press Enter. Re-enter the new password and press Enter.

    New Password:
    Re-enter Password:
    
    Password successfully updated.
    ----------------------------------------------------------------------------------

6.8. Enable automatic entitlement certificate updates

Set your Red Hat Update Infrastructure entitlement certificate to be updated automatically. Automatic updates can occur whenever the entitlement certificate expires or when it is revoked in the Red Hat subscription management service.

The subscription synchronization service at /etc/cron.hourly/synchronize-rhui-subscriptions on the RHUA node checks the validity of the certificate hourly. To ensure that the automatic update service works, make sure your rhui-manager user name and password are set in the /etc/rhui/rhui-subscription-sync.conf file. By default, this file contains the following configuration:

    username = admin
    password =

If you changed the password, as described in Section 6.7, “Change the initial password”, your new password has been saved in the /etc/rhui/rhui-subscription-sync.conf file. If you did not change the password, or if your rhui-manager user name is not admin, edit this file to set your rhui-manager password.

Important

The subscription synchronization service only works if your contract with Red Hat is valid and your subscription is active. The service can renew entitlement certificates but not the subscription.

Note

The subscription synchronization service logs its actions in the /var/log/rhui-subscription-sync.log file.
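
The file described above holds the rhui-manager password, and its default content has an empty password, which stops the automatic update service from working. The following added example, which is not part of the Red Hat documentation, checks that both values are set without printing the password, and flags a file that users outside the owner and group can access. The function names and script name are hypothetical, and the permission expectation is a hardening assumption of this example, not a documented RHUI requirement.

```sh
#!/bin/sh
# Added example, not from the RHUI documentation. Assumes GNU stat.
# conf_value FILE KEY: print the value of a "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# secret_mode_ok FILE: succeed only if users outside owner/group have no access.
# (Hardening assumption of this example, not a documented RHUI requirement.)
secret_mode_ok() {
    [ $((0$(stat -c '%a' "$1") & 007)) -eq 0 ]
}

# check_sync_conf FILE: print findings; return 0 if clean, 1 if not,
# 2 if unreadable. Never prints the password itself.
check_sync_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 2; }
    if [ -z "$(conf_value "$conf" username)" ]; then
        echo "FINDING: username is not set in $conf"; rc=1
    fi
    if [ -z "$(conf_value "$conf" password)" ]; then
        echo "FINDING: password is empty in $conf"; rc=1
    fi
    if ! secret_mode_ok "$conf"; then
        echo "FINDING: $conf is mode $(stat -c '%a' "$conf"), accessible to other users"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_sync_conf.sh /etc/rhui/rhui-subscription-sync.conf
if [ "$#" -gt 0 ]; then
    check_sync_conf "$1"
fi
```

The secret_mode_ok function can be applied in the same way to /etc/rhui-installer/answers.yaml, which stores the initial password.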

6.9. Install additional packages

At present, the only additional package that you might install on the RHUA is the Qpid Persistence Extension. By default, only a limited number of repositories are synchronized at a time. The exact number is controlled by the PULP_CONCURRENCY variable in the /etc/default/pulp_workers file, which was automatically set to 3 or 8 depending on the number of CPUs detected when RHUI was installed. If you schedule the synchronization of more repositories, those that are above the limit remain in the waiting state until a running synchronization task completes. If you reboot the system or restart Qpid while tasks are waiting, the waiting tasks will be lost.

Procedure

  1. To prevent losing the waiting tasks, do not reboot or restart Qpid while there are some waiting tasks. If you often have to do so anyway, you can keep at least the waiting tasks by installing the Qpid persistence extension:

    # yum install qpid-cpp-server-linearstore
  2. Restart Qpid so it can load the extension:

    # systemctl restart qpidd

    Waiting tasks will be saved on the disk and resumed after rebooting.