Installing Red Hat Update Infrastructure

Red Hat Update Infrastructure 4

List of requirements, setting up nodes, configuring storage, and installing Red Hat Update Infrastructure 4

Red Hat Customer Content Services

Abstract

This document lists the installation requirements and provides detailed instructions to help cloud providers install Red Hat Update Infrastructure 4 (RHUI 4).

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Installation options

The following table presents the various Red Hat Update Infrastructure 4 components.

Table 1.1. Red Hat Update Infrastructure components and functions

| Component | Acronym | Function | Alternative |
|---|---|---|---|
| Red Hat Update Appliance | RHUA | Downloads new packages from the Red Hat content delivery network and copies new packages to each CDS node | None |
| Content Delivery Server | CDS | Provides the yum repositories that clients connect to for the updated packages | None |
| HAProxy | None | Provides load balancing across CDS nodes | Existing load balancing solution |
| Shared storage | None | Provides shared storage | Existing storage solution |

The following table describes how to perform installation tasks.

Table 1.2. Red Hat Update Infrastructure installation tasks

| Installation Task | Performed on |
|---|---|
| Install RHEL 8 | RHUA, CDS, and HAProxy |
| Subscribe the system | RHUA, CDS, and HAProxy |
| Attach a RHUI subscription | RHUA, CDS, and HAProxy |
| Apply updates | RHUA, CDS, and HAProxy |
| Install rhui-installer | RHUA |
| Run rhui-installer | RHUA |

1.1. Option 1: Full installation

  • A RHUA
  • Two or more CDS nodes with shared storage
  • One or more HAProxy load-balancers

1.2. Option 2: Installation with an existing storage solution

  • A RHUA
  • Two or more CDS nodes with an existing storage solution
  • One or more HAProxy load-balancers

1.3. Option 3: Installation with an existing load-balancer solution

  • A RHUA
  • Two or more CDS nodes with shared storage
  • An existing load-balancer

1.4. Option 4: Installation with existing storage and load-balancer solutions

  • A RHUA
  • Two or more CDS nodes with existing shared storage
  • An existing load-balancer

The following figure depicts a high-level view of how the various Red Hat Update Infrastructure 4 components interact.

Figure 1.1. Red Hat Update Infrastructure 4 overview

Note

You need to subscribe the RHUA as --type rhui and have a Red Hat Certified Cloud and Service Provider subscription to install RHUI. You also need an appropriate content certificate.

Install the RHUA and CDS nodes on separate x86_64 servers (bare metal or virtual machines). Ensure all the servers and networks that connect to RHUI can access the Red Hat Subscription Management service.

Chapter 2. Installation checklist

Before you begin installing Red Hat Update Infrastructure (RHUI), refer to the following checklist to ensure that you have all the necessary components and information required for installation.

Table 2.1. List of components required for installing RHUI

| Required Information | Information Usage | Resources and Notes |
|---|---|---|
| Red Hat Credentials | Red Hat credentials to manage subscription and access to Red Hat repositories. | Red Hat Customer Portal |
| Network and Firewall access | Network and firewall requirements for the Red Hat Update Appliance (RHUA) and Content Delivery Server (CDS) nodes. | It is possible for a CDS to have a client-facing host name that differs from the host name used for intra-Red Hat Update Infrastructure communication. If you are using client-facing host names, note each CDS’s client-facing FQDN and the corresponding IP address. |
| Proxy settings | Proxy for access to the Red Hat content delivery network. | Proxy settings for RHUI are set automatically during installation on the RHUA and CDS nodes. They are set in the /etc/rhsm/rhsm.conf files. |
| Content Repository Size | Storage space for the RPM packages required by Red Hat Update Infrastructure. | See Preparing your Environment for Installation for specific storage requirements, or use the du command from the command line interface to determine its size. Also, all repositories are placed in the /var/lib/rhui/remote_share directory which the system creates by default during the installation process. However, if you need to create a new mount point for it, you can manually create this directory. |
| Client Profiles | RHUI content available to the client | A client profile determines the RHUI content that is available to the client and the CDS from which the client downloads that content. |

Important

Use a separate storage volume for the installation if you expect to store a large amount of data.

In addition, each RHUI server (RHUA node or CDS node) requires a separate file system of the required size. It is important to use technologies such as LVM, SAN, or NAS storage that allow you to increase the size of the content repository if needed.

Chapter 3. Technical configuration required for installing RHUI

Before you install Red Hat Update Infrastructure (RHUI), you must configure your system and components as follows.

  • Complete the initial stages of the Red Hat Certified Cloud and Service Provider (CCSP) certification:

    • Virtualization, image creation, and instance provisioning technologies, tools, and processes.
    • Proposed process for measuring and reporting consumption of Red Hat software.
    • Proposed process for notifying customers of errata updates to Red Hat software.
    • Proposed process for making images that include Red Hat software available to customers, including image life cycle management and retiring outdated images.

    For more information, see Product Documentation for Red Hat Certified Cloud and Service Provider Certification.

  • Self-signed certificates are typically used for RHUI deployment. However, if you wish to use SSL certificates signed by a third-party certificate authority, you must ensure that they are obtained by the client and reviewed by Red Hat.

    Note

    You can use the Red Hat consultant to assist with the development of self-signed certificates. This will not affect the user experience of the client’s customers.

  • Ensure that the client will provide systems, virtual machines, or tenant instances for installation of all Red Hat Update Appliances (RHUAs), external load balancers, and content delivery servers (CDSs).
  • Make sure you have the latest version of Red Hat Enterprise Linux (RHEL) 8 available, either as an ISO or as a subscription.
  • Ensure that you have one RHUA node with the following configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 8 GB memory

      Note

      You must increase the minimum memory to 16 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • A 20 GB disk for the operating system
    • A 50 GB disk dedicated for PostgreSQL and mounted to /var/lib/pgsql.

      Note

      You must increase the disk capacity to at least 100 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

      For even larger installations, of 500 or more repositories, you must also scale the database storage.

  • Ensure that you have one HAProxy node with the following configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 2 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 4 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 4 GB memory

      Note

      You must increase the minimum memory to 8 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • A 20 GB disk for the operating system
  • Ensure that you have at least two CDS nodes (physical or virtual) with the following recommended configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 8 GB memory
    • A 50 GB disk with default Nginx log rotation
  • Ensure that image certification is performed on RHEL guest templates as provided:

    • A minimum 10 GB disk for the operating system
    • iptables is enabled
    • SELinux is enabled
    • If password authentication is enabled, you must use the strongest possible hash
    • Default logging is enabled
  • Ensure that the client’s network is properly configured as follows:

    • IP addresses must be allocated for all RHUAs, CDSs, and external load balancers (if any).
    • DNS records (forward and reverse) or /etc/hosts entries have been created for all IP addresses. For example, rhua.example.com, cds1.example.com, cds2.example.com, and rhui-lb.example.com.
    • If your server has multiple network interface cards (NICs), the fully qualified domain name (FQDN) of the RHUA and the CDSs must be resolved to the IP of the NIC that is used to communicate between the RHUA and the CDSs.
    • RHUI uses DNS to reach the CDN. In most cases, your instance should be preconfigured to talk to the proper DNS servers hosted as part of the cloud’s infrastructure. If you run your own DNS servers or update your client DNS configuration, there is a chance you will see errors similar to yum Could not contact any CDS load balancers. In these cases, check that your DNS server is forwarding to the cloud’s DNS servers for the request or that your DNS client is configured to fall back to the cloud’s DNS server for name resolution.
    • Using more than one HAProxy node requires a round-robin DNS entry for the host name used as the value of the --cds-lb-hostname parameter when rhui-installer is run (cds.example.com in this guide) that resolves to the IP addresses of all HAProxy nodes. How to Configure DNS Round Robin presents one way to configure a round-robin DNS. In the context of RHUI, these will be the IP addresses of the HAProxy nodes, and they are to be mapped to the host name specified as --cds-lb-hostname while calling rhui-installer. See HAProxy Configuration for more information.
  • Ensure that all required network ports are open and that network access is restricted to only the nodes that you plan to use.

    Table 3.1. List of ports and their usage

    | Connection | Port | Usage |
    |---|---|---|
    | RHUA to CDS | 22/TCP | SSH configuration and access |
    | RHUA to HAProxy servers | 22/TCP | SSH configuration and access |
    | Clients to HAProxy | 443/TCP | Access to content |
    | HAProxy to CDS | 443/TCP | Load balancing |
    | NFS ports open for CDS and RHUA | 2049/TCP | File system |
    | CDS to RHUA | 443/TCP | Retrieve content that has not been symlinked |

  • Ensure that the network proxy settings between RHUA and the Red Hat CDN are configured appropriately.
  • Ensure that the network proxy settings between the CDSs and the clients via yum.conf are configured appropriately.
  • Ensure a round-robin DNS entry is used if more than one HAProxy node is used.
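
The port list in Table 3.1 can be turned into per-node allow rules so that each port is reachable only from the nodes that need it. The following shell script is an added example, not part of the Red Hat documentation: it assumes firewalld, uses constructed addresses from documentation ranges, and treats the shared storage as a separate "storage" node that the RHUA and CDS nodes reach over NFS.

```shell
#!/bin/sh
# Added example: derive per-node firewalld allow rules from Table 3.1.

# Constructed sample inventory: "role address", one node per line.
INVENTORY='rhua 192.0.2.10
cds 192.0.2.21
cds 192.0.2.22
haproxy 192.0.2.30
storage 192.0.2.40
clients 198.51.100.0/24'

# Table 3.1 as "source-role destination-role port/protocol".
# The two storage rows are an assumption: the table only says that NFS
# ports are open for CDS and RHUA, so both are treated as NFS clients.
PORT_MATRIX='rhua cds 22/tcp
rhua haproxy 22/tcp
clients haproxy 443/tcp
haproxy cds 443/tcp
rhua storage 2049/tcp
cds storage 2049/tcp
cds rhua 443/tcp'

# Print every inventory address that has role $1.
addresses_for() {
    printf '%s\n' "$INVENTORY" | awk -v r="$1" '$1 == r { print $2 }'
}

# Print the firewall-cmd lines to run on a node of role $1.
# Nothing is executed here; the output is meant to be reviewed first.
rules_for() {
    printf '%s\n' "$PORT_MATRIX" | while read -r src dst portproto; do
        [ "$dst" = "$1" ] || continue
        port=${portproto%/*}
        proto=${portproto#*/}
        for addr in $(addresses_for "$src"); do
            printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$addr\" port port=\"$port\" protocol=\"$proto\" accept'"
        done
    done
}

# Show the rule set for every role that accepts connections.
for role in rhua cds haproxy storage; do
    echo "# on each $role node:"
    rules_for "$role"
done
```

The script only prints firewall-cmd commands. Rich rules add access, so restricting SSH to the RHUA also requires removing the ssh service that the default firewalld zone allows from any source.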

Chapter 4. Installing Red Hat Enterprise Linux

To use RHUI efficiently and to access Red Hat repositories and support, you must first install Red Hat Enterprise Linux (RHEL) on each of your RHUA, CDS, and HAProxy nodes.

Prerequisite

  • Make sure you have the latest version of RHEL 8 available, either as an ISO or as a subscription.

Procedure

  1. Navigate to the node on which you wish to install RHEL.
  2. Install RHEL.

    For detailed instructions on how to install RHEL, see Performing a standard RHEL 8 installation.

Chapter 5. Setting up RHUA nodes

To access the RHUI interface and manage various RHUI functionalities, you must first set up the RHUA node.

The following process explains how to:

5.1. Registering the RHUA node

The following instructions explain how to register your Red Hat Update Appliance (RHUA) node.

Prerequisites

  • Latest version of RHEL 8 is installed.
  • Ensure you have root access to the RHUA node.

Procedure

  1. Optional: Enable all the required architectures.

    By default, only the architecture on which the RHUA node is running, for example, x86_64, will be available in the RHUI content listings. However, if you want to provide content to ARM64 virtual machines (VMs), in addition to x86_64 VMs, then you must enable the respective architecture.

    Note

    You must enable the required architectures before you register the RHUA node. If you have already registered the node, see Section 5.4, “Including required architectures on a registered RHUA node”.

    To enable architectures on an unregistered RHUA node, create an override.facts file and add the required architectures.

    # echo '{ "supported_architectures": "x86_64,i386,aarch64" }' > /etc/rhsm/facts/override.facts
  2. On the RHUA node, enter the following command to register the system:

    # subscription-manager register --type=rhui --username <admin-example> --password <secret>
    Registering to: subscription.rhsm.redhat.com:443/subscription
    The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>
  3. Optional: If your system is already registered, you can override the subscription using the --force option.

    # subscription-manager register --type=rhui --force

    The new system will be available on the Red Hat Customer Portal, and the new RHUA instance will not have any subscriptions attached to it.

Verification

  1. Navigate to the Red Hat Customer Portal.
  2. Verify that your system is available by locating it within the Customer Portal.

5.2. Attaching a subscription to the RHUA node

The following instructions explain how to attach a subscription to your Red Hat Update Appliance (RHUA) node.

Note

You do not need to perform the following steps if you are using Simple Content Access.

Prerequisites

  • Ensure you have root access to the RHUA node.

Procedure

  1. On the RHUA node, check for available subscriptions that you can attach.

    # subscription-manager list --available
    +-------------------------------------------+
        Available Subscriptions
    +-------------------------------------------+
    Subscription Name:   Red Hat Enterprise Linux Atomic Host for Certified Cloud
                         and Service Providers (via Red Hat Update Infrastructure)
    Provides:            Red Hat Enterprise Linux Atomic Host Beta from RHUI
                         Red Hat Enterprise Linux Atomic Host from RHUI
    SKU:                 RH00731
    Contract:            11312089
    Pool ID:             8a85f15a71f0bd015a72445adf0223
    Provides Management: No
    Available:           19
    Suggested:           1
    Service Level:       Premium
    Service Type:        L1-L3
    Subscription Type:   Standard
    Ends:                02/22/2018
    System Type:         Physical
    
    Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for
                         Providers
    Provides:            dotNET on RHEL (for RHEL Server) from RHUI
                         Red Hat Enterprise Linux Server from RHUI
                         Red Hat Software Collections (for RHEL Server) from RHUI
                         Red Hat Enterprise Linux for SAP from RHUI
                         Red Hat Enterprise Linux Resilient Storage (for RHEL
                         Server) from RHUI
                         Red Hat Enterprise Linux Scalable File System (for RHEL
                         Server) from RHUI
                         Red Hat Enterprise Linux Server - Extended Update Support
                         from RHUI
                         dotNET on RHEL Beta (for RHEL Server) from RHUI
                         Red Hat Enterprise Linux for SAP Hana from RHUI
                         RHEL Software Test Suite (for RHEL Server) from RHUI
                         Red Hat Enterprise Linux High Availability (for RHEL
                         Server) from RHUI
                         Red Hat Update Infrastructure
                         Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                         from RHUI
    SKU:                 RC1116415
    Contract:            1134314
    Pool ID:             8a85f15a71f0bd015a72445adf0223
    Provides Management: No
    Available:           20
    Suggested:           1
    Service Level:       Premium
    Service Type:        L1-L3
    Subscription Type:   Standard
    Ends:                02/23/2018
    System Type:         Physical
  2. Attach a subscription using its pool ID.

    For example, the following command attaches the Red Hat Update Infrastructure and RHEL Add-Ons for Providers subscription.

    # subscription-manager attach --pool=8a85f9815a71f0bd015a72445adf0223
    Successfully attached a subscription for: Red Hat Update Infrastructure and RHEL Add-Ons for Providers

5.3. Enabling the required repositories on the RHUA node

To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rhui-rpms, rhel-8-for-x86_64-appstream-rhui-rpms, and ansible-2-for-rhel-8-x86_64-rhui-rpms repositories on the RHUA node.

If you are planning to use Ceph File System (CephFS) as your shared storage, you must also enable the rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms repository.

Note

RHUA nodes require RHEL installations with base packages, and with all repositories disabled except for the rhel-8-for-x86_64-baseos-rhui-rpms, rhel-8-for-x86_64-appstream-rhui-rpms, ansible-2-for-rhel-8-x86_64-rhui-rpms and, optionally, rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms repositories. This requirement means that you cannot install any third-party configurations or software that are not necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software.

Prerequisites

  • Ensure you have root access to the RHUA node.

Procedure

  1. Navigate to the RHUA node, list the enabled repositories, and verify that your system is correctly subscribed.

    • If not using Simple Content Access (SCA):

      # subscription-manager list --consumed
      +-------------------------------------------+
         Consumed Subscriptions
      +-------------------------------------------+
      Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for Providers
      Provides:            JBoss Enterprise Application Platform from RHUI
                           JBoss Enterprise Web Server from RHUI
                           JBoss Operations Network from RHUI
                           RHEL for SAP - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux Server - Extended Update Support from RHUI
                           RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools Beta from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
                           Red Hat JBoss Core Services from RHUI
                           Red Hat Enterprise Linux for x86_64 from RHUI
                           Red Hat Enterprise Linux for x86_64 Beta from RHUI
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux for SAP from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 from RHUI
                           Red Hat Enterprise Linux for SAP Hana from RHUI
                           Red Hat CodeReady Linux Builder for ARM 64 from RHUI
                           RHEL Software Test Suite (for RHEL Server) from RHUI
                           Red Hat Gluster Storage Server for On-premise from RHUI
                           Red Hat Single Sign-On from RHUI
                           Red Hat Enterprise Linux High Availability for x86_64 from RHUI
                           Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
                           Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
                           RHEL for SAP HANA - Extended Update Support (from RHUI)
                           RHEL for SAP - Extended Update Support (from RHUI)
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux for ARM 64 from RHUI
                           Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
                           Red Hat Software Collections (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Server for ARM from RHUI
                           Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
                           Red Hat Software Collections (for RHEL Server for ARM) from RHUI
                           Red Hat Ansible Engine from RHUI
                           Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
                           Red Hat Enterprise Linux for ARM 64 Beta from RHUI
                           Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
                           Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
                           dotNET on RHEL (for RHEL Server) from RHUI
                           dotNET on RHEL Beta (for RHEL Server) from RHUI
                           Red Hat Update Infrastructure
                           Red Hat Enterprise Linux Server from RHUI
      SKU:                 RC11164
      Contract:            126839
      Account:             5401
      Serial:              5744492009337488
      Pool ID:             8a85f9a1790fb0ed017961af515b7
      Provides Management: No
      Active:              True
      Quantity Used:       1
      Service Type:        L1-L3
      Roles:
      Service Level:       Premium
      Usage:
      Add-ons:
      Status Details:      Subscription is current
      Subscription Type:   Standard
      Starts:              05/12/2021
      Ends:                05/11/2022
      Entitlement Type:    Physical
      ---------------------------------------------------------------------------------
    • If using Simple Content Access (SCA):

      # subscription-manager status
      +-------------------------------------------+
         System Status Details
      +-------------------------------------------+
      Overall Status: Disabled
      Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
      
      System Purpose Status: Disabled
      ---------------------------------------------------------------------------------
  2. Disable all repositories.

    # subscription-manager repos --disable='*'
  3. Enable the relevant repositories.

    # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rhui-rpms --enable=rhel-8-for-x86_64-appstream-rhui-rpms
  4. Optional: If you are planning to use CephFS, enable the Ceph tools repository.

    # subscription-manager repos --enable rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms
  5. Enable the Ansible repository.

    # subscription-manager repos --enable=ansible-2-for-rhel-8-x86_64-rhui-rpms
  6. Enable the RHUI 4 repository.

    # subscription-manager repos --enable=rhui-4-for-rhel-8-x86_64-rpms

5.4. Including required architectures on a registered RHUA node

By default, only the architecture on which the RHUA node is running, for example, x86_64, will be available in the RHUI content listings. However, if you want to provide content to ARM64 virtual machines (VMs), in addition to x86_64 VMs, then you can add the additional architectures to a RHUA node and register the node again.

Prerequisites

  • Ensure you have root access to the RHUA node.

Procedure

  1. Create an override.facts file and add the required architectures.

    # echo '{ "supported_architectures": "x86_64,i386,aarch64" }' > /etc/rhsm/facts/override.facts
  2. Override the subscription using the --force option.

    # subscription-manager register --type=rhui --force
  3. Delete the current RHUI cert and repository mapping cache.

    # rm /etc/pki/rhui/redhat/* /var/cache/rhui/*
  4. Optional: If you do not have Simple Content Access enabled, then manually attach the RHUI pool.

    # subscription-manager attach --pool <id>
  5. Synchronize the subscription.

    # rhui-subscription-sync

Chapter 6. Setting up CDS nodes

To provide repositories that clients can connect to and access the updated packages, you must first set up the CDS nodes.

The following process explains how to:

6.1. Registering the CDS node

The following instructions explain how to register your Content Delivery Server (CDS) nodes.

Prerequisites

  • Latest version of RHEL 8 is installed.
  • Ensure you have root access to each of the CDS nodes.

Procedure

  1. On the CDS nodes, enter the following command:

    # subscription-manager register --username <admin-example> --password <secret>
    Registering to: subscription.rhsm.redhat.com:443/subscription
    The system has been registered with ID: <a1b2c3-d4e5-f6g7-2345-hij890klm123>
  2. Optional: If your system is already registered, you can override the subscription using the --force option.

    # subscription-manager register --force

    The new system will be available on the Red Hat Customer Portal, and the new CDS instance will not have any subscriptions attached to it.

Verification

  1. Navigate to the Red Hat Customer Portal.
  2. Verify that your system is available by locating it within the Customer Portal.

6.2. Attaching a subscription to the CDS node

The following instructions explain how to attach a subscription to your content delivery server (CDS) node.

Note

You do not need to perform the following steps if you are using Simple Content Access.

Prerequisites

  • Ensure you have root access to the CDS node.

Procedure

  1. On the CDS node, check for available subscriptions that you can attach.

    # subscription-manager list --available
    +-------------------------------------------+
        Available Subscriptions
    +-------------------------------------------+
    ...
    Subscription Name: <Subscription-Name>
    Pool ID: <pool-ID>
    ...
  2. Attach a subscription using its pool ID.

    # subscription-manager attach --pool=<pool-ID>
    Successfully attached a subscription for: <Subscription-Name>

6.3. Enabling the required repositories on the CDS node

To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the CDS node.

If you are planning to use Ceph File System (CephFS) as your shared storage, then you must also enable the rhceph-5-tools-for-rhel-8-x86_64-rpms repository.

Note

CDS nodes require RHEL installations with base packages and with all repositories disabled except for the rhel-8-for-x86_64-baseos-rpms, rhel-8-for-x86_64-appstream-rpms, and, optionally, rhceph-5-tools-for-rhel-8-x86_64-rpms repositories. This requirement means that you cannot install any third-party configurations or software that are not necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software.
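
The repository restriction in the note above, and the matching one for the RHUA node in Section 5.3, can be checked by comparing the enabled repositories with the allowed set. The following shell script is an added example, not part of the Red Hat documentation: it reads the output of subscription-manager repos --list-enabled, the listing embedded in it is constructed sample data, and rhui-4-for-rhel-8-x86_64-rpms is counted as required on the RHUA because step 6 of the Section 5.3 procedure enables it.

```shell
#!/bin/sh
# Added example: audit enabled repositories against the sets this guide allows.

# Policy rows: role, repository ID, required|optional (Sections 5.3 and 6.3).
# The Ceph tools repositories are optional because they apply only to CephFS.
REPO_POLICY='rhua rhel-8-for-x86_64-baseos-rhui-rpms required
rhua rhel-8-for-x86_64-appstream-rhui-rpms required
rhua ansible-2-for-rhel-8-x86_64-rhui-rpms required
rhua rhui-4-for-rhel-8-x86_64-rpms required
rhua rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms optional
cds rhel-8-for-x86_64-baseos-rpms required
cds rhel-8-for-x86_64-appstream-rpms required
cds rhceph-5-tools-for-rhel-8-x86_64-rpms optional'

# Constructed sample of "subscription-manager repos --list-enabled" output
# for a RHUA node, trimmed to the fields the audit reads.
SAMPLE_LISTING='Repo ID:   rhel-8-for-x86_64-baseos-rhui-rpms
Enabled:   1

Repo ID:   rhel-8-for-x86_64-appstream-rhui-rpms
Enabled:   1

Repo ID:   ansible-2-for-rhel-8-x86_64-rhui-rpms
Enabled:   1

Repo ID:   example-thirdparty-repo
Enabled:   1'

# Extract the repository IDs from a listing on stdin.
enabled_ids() {
    awk '/^Repo ID:/ { print $3 }'
}

# Print policy repository IDs for role $1; $2 is "required" or "any".
policy_ids() {
    printf '%s\n' "$REPO_POLICY" |
        awk -v r="$1" -v k="$2" '$1 == r && (k == "any" || $3 == k) { print $2 }'
}

# audit_repos ROLE < listing
# Prints "UNEXPECTED <id>" for enabled repositories outside the policy and
# "MISSING <id>" for required ones that are not enabled.
# Returns 0 when clean, 1 on findings, 2 for an unknown role.
audit_repos() {
    [ -n "$(policy_ids "$1" any)" ] || { echo "unknown role: $1" >&2; return 2; }
    enabled=$(enabled_ids)
    findings=$(
        for id in $enabled; do
            policy_ids "$1" any | grep -qxF -- "$id" || echo "UNEXPECTED $id"
        done
        for id in $(policy_ids "$1" required); do
            printf '%s\n' "$enabled" | grep -qxF -- "$id" || echo "MISSING $id"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demonstration on the constructed listing; on a real node use:
#   subscription-manager repos --list-enabled | audit_repos rhua
printf '%s\n' "$SAMPLE_LISTING" | audit_repos rhua || true
```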

Prerequisites

  • Ensure that you have root access to all the CDS nodes you plan to use.

Procedure

  1. Navigate to a CDS node, list the enabled repositories, and verify that your system is correctly subscribed.

    • If not using Simple Content Access (SCA):

      # subscription-manager list --consumed
      +-------------------------------------------+
         Consumed Subscriptions
      +-------------------------------------------+
      Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for Providers
      Provides:            JBoss Enterprise Application Platform from RHUI
                           JBoss Enterprise Web Server from RHUI
                           JBoss Operations Network from RHUI
                           RHEL for SAP - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux Server - Extended Update Support from RHUI
                           RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools Beta from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
                           Red Hat JBoss Core Services from RHUI
                           Red Hat Enterprise Linux for x86_64 from RHUI
                           Red Hat Enterprise Linux for x86_64 Beta from RHUI
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux for SAP from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 from RHUI
                           Red Hat Enterprise Linux for SAP Hana from RHUI
                           Red Hat CodeReady Linux Builder for ARM 64 from RHUI
                           RHEL Software Test Suite (for RHEL Server) from RHUI
                           Red Hat Gluster Storage Server for On-premise from RHUI
                           Red Hat Single Sign-On from RHUI
                           Red Hat Enterprise Linux High Availability for x86_64 from RHUI
                           Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
                           Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
                           RHEL for SAP HANA - Extended Update Support (from RHUI)
                           RHEL for SAP - Extended Update Support (from RHUI)
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux for ARM 64 from RHUI
                           Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
                           Red Hat Software Collections (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Server for ARM from RHUI
                           Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
                           Red Hat Software Collections (for RHEL Server for ARM) from RHUI
                           Red Hat Ansible Engine from RHUI
                           Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
                           Red Hat Enterprise Linux for ARM 64 Beta from RHUI
                           Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
                           Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
                           dotNET on RHEL (for RHEL Server) from RHUI
                           dotNET on RHEL Beta (for RHEL Server) from RHUI
                           Red Hat Update Infrastructure
                           Red Hat Enterprise Linux Server from RHUI
      SKU:                 RC11164
      Contract:            126839
      Account:             5401
      Serial:              5744492009337488
      Pool ID:             8a85f9a1790fb0ed017961af515b7
      Provides Management: No
      Active:              True
      Quantity Used:       1
      Service Type:        L1-L3
      Roles:
      Service Level:       Premium
      Usage:
      Add-ons:
      Status Details:      Subscription is current
      Subscription Type:   Standard
      Starts:              05/12/2021
      Ends:                05/11/2022
      Entitlement Type:    Physical
      ---------------------------------------------------------------------------------
    • If using Simple Content Access (SCA):

      # subscription-manager status
      +-------------------------------------------+
         System Status Details
      +-------------------------------------------+
      Overall Status: Disabled
      Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
      
      System Purpose Status: Disabled
      ---------------------------------------------------------------------------------
  2. Disable all repositories.

    # subscription-manager repos --disable=*
  3. Enable the relevant repositories.

    # subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms
  4. Optional: If you are planning to use CephFS, enable the Ceph tools repository.

    # subscription-manager repos --enable rhceph-5-tools-for-rhel-8-x86_64-rpms
  5. Repeat the steps on all the CDS nodes you plan to use.

Verification

  • List the enabled repositories and verify whether the relevant repositories appear on the list.

    # yum repolist enabled
    repo id                                repo name
    rhel-8-for-x86_64-appstream-rpms         Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
    rhel-8-for-x86_64-baseos-rpms            Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)

Chapter 7. Setting up HAProxy nodes

To provide load balancing capabilities across the CDS nodes, you must first set up the HAProxy nodes.

The following process explains how to:

7.1. Registering the HAProxy node

The following instructions explain how to register your HAProxy nodes.

Prerequisites

  • Latest version of RHEL 8 is installed.
  • Ensure you have root access to the HAProxy nodes.

Procedure

  1. On the HAProxy node, enter the following command:

    # subscription-manager register --username <admin-example> --password <secret>
    Registering to: subscription.rhsm.redhat.com:443/subscription
    The system has been registered with ID: <a1b2c3-d4e5-f6g7-2345-hij890klm123>
  2. Optional: If your system is already registered, you can override the subscription using the --force option.

    # subscription-manager register --force

    The new system will be available on the Red Hat Customer Portal, and the new HAProxy instance will not have any subscriptions attached to it.

Verification

  1. Navigate to the Red Hat Customer Portal.
  2. Verify that your system is available by locating it within the Customer Portal.

7.2. Attaching a subscription to the HAProxy node

The following instructions explain how to attach a subscription to your HAProxy node.

Note

You do not need to perform the following steps if you are using Simple Content Access.

Prerequisites

  • Ensure you have root access to the HAProxy node.

Procedure

  1. On the HAProxy node, check for available subscriptions that you can attach.

    # subscription-manager list --available
    +-------------------------------------------+
        Available Subscriptions
    +-------------------------------------------+
    ...
    Subscription Name: <Subscription-Name>
    Pool ID: <pool-ID>
    ...
  2. Attach a subscription using its pool ID.

    # subscription-manager attach --pool=<pool-ID>
    Successfully attached a subscription for: <Subscription-Name>

7.3. Enabling the required repositories on the HAProxy node

To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the HAProxy node.

Prerequisites

  • Ensure you have root access to the HAProxy node.

Procedure

  1. Navigate to a HAProxy node, list the enabled repositories, and verify that your system is correctly subscribed.

    • If not using Simple Content Access (SCA):

      # subscription-manager list --consumed
      +-------------------------------------------+
         Consumed Subscriptions
      +-------------------------------------------+
      Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for Providers
      Provides:            JBoss Enterprise Application Platform from RHUI
                           JBoss Enterprise Web Server from RHUI
                           JBoss Operations Network from RHUI
                           RHEL for SAP - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux Server - Extended Update Support from RHUI
                           RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
                           Red Hat Developer Tools Beta from RHUI (for RHEL Server)
                           Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
                           Red Hat JBoss Core Services from RHUI
                           Red Hat Enterprise Linux for x86_64 from RHUI
                           Red Hat Enterprise Linux for x86_64 Beta from RHUI
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux for SAP from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 from RHUI
                           Red Hat Enterprise Linux for SAP Hana from RHUI
                           Red Hat CodeReady Linux Builder for ARM 64 from RHUI
                           RHEL Software Test Suite (for RHEL Server) from RHUI
                           Red Hat Gluster Storage Server for On-premise from RHUI
                           Red Hat Single Sign-On from RHUI
                           Red Hat Enterprise Linux High Availability for x86_64 from RHUI
                           Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
                           Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
                           Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
                           RHEL for SAP HANA - Extended Update Support (from RHUI)
                           RHEL for SAP - Extended Update Support (from RHUI)
                           Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
                           Red Hat Enterprise Linux for ARM 64 from RHUI
                           Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
                           Red Hat Software Collections (for RHEL Server) from RHUI
                           Red Hat Enterprise Linux Server for ARM from RHUI
                           Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
                           Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
                           Red Hat Software Collections (for RHEL Server for ARM) from RHUI
                           Red Hat Ansible Engine from RHUI
                           Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
                           Red Hat Enterprise Linux for ARM 64 Beta from RHUI
                           Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
                           Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
                           dotNET on RHEL (for RHEL Server) from RHUI
                           dotNET on RHEL Beta (for RHEL Server) from RHUI
                           Red Hat Update Infrastructure
                           Red Hat Enterprise Linux Server from RHUI
      SKU:                 RC11164
      Contract:            126839
      Account:             5401
      Serial:              5744492009337488
      Pool ID:             8a85f9a1790fb0ed017961af515b7
      Provides Management: No
      Active:              True
      Quantity Used:       1
      Service Type:        L1-L3
      Roles:
      Service Level:       Premium
      Usage:
      Add-ons:
      Status Details:      Subscription is current
      Subscription Type:   Standard
      Starts:              05/12/2021
      Ends:                05/11/2022
      Entitlement Type:    Physical
      ---------------------------------------------------------------------------------
    • If using Simple Content Access (SCA):

      # subscription-manager status
      +-------------------------------------------+
         System Status Details
      +-------------------------------------------+
      Overall Status: Disabled
      Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
      
      System Purpose Status: Disabled
      ---------------------------------------------------------------------------------
  2. Disable all repositories.

    # subscription-manager repos --disable=*
  3. Enable the relevant repositories.

    # subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms

Verification

  • List the enabled repositories and verify whether the relevant repositories appear on the list.

    # yum repolist enabled
    repo id                                repo name
    rhel-8-for-x86_64-appstream-rpms         Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
    rhel-8-for-x86_64-baseos-rpms            Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)

Chapter 8. Generating a cryptographic key pair

To ensure secure data transmission between the Red Hat Update Appliance (RHUA), Content Delivery Server (CDS), and HAProxy nodes, and to use rhui-manager to set up those nodes, you must generate a key pair on the RHUA node and copy the public key to CDS and HAProxy nodes.

You can generate either an RSA or an ECDSA key, depending on your use case.

8.1. Generating an RSA key pair

The following steps explain how to generate an RSA key pair for version 2 of the SSH protocol.

Procedure

  1. On the RHUA node, run the ssh-keygen command with the RSA argument, and save the key in the default location.

    Warning

    Leave the passphrase field blank. CDS installation and registration fails if you provide a passphrase while generating the key pair.

    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_rsa):
    Created directory '/home/USER/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/USER/.ssh/id_rsa.
    Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
    The key fingerprint is:
    e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |             E.  |
    |            . .  |
    |             o . |
    |              . .|
    |        S .    . |
    |         + o o ..|
    |          * * +oo|
    |           O +..=|
    |           o*  o.|
    +-----------------+
  2. Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.

    $ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  3. Copy the public key to the CDS and HAProxy nodes.

    $ ssh-copy-id user@<haproxy1>
    $ ssh-copy-id user@<cds1>
    $ ssh-copy-id user@<cds2>

8.2. Generating an ECDSA key pair

The following steps explain how to generate an ECDSA key pair for version 2 of the SSH protocol.

Procedure

  1. On the RHUA node, run the ssh-keygen command with the ECDSA argument, and save the key in the default location.

    Warning

    Leave the passphrase field blank. CDS installation and registration fails if you provide a passphrase while generating the key pair.

    $ ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
    Created directory '/home/USER/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/USER/.ssh/id_ecdsa.
    Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
    The key's randomart image is:
    +--[ECDSA  256]---+
    |       .+ +o     |
    |       . =.o     |
    |        o o +  ..|
    |         + + o  +|
    |        S o o oE.|
    |           + oo+.|
    |            + o  |
    |                 |
    |                 |
    +-----------------+
  2. Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.

    $ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  3. Copy the public key to the CDS and HAProxy nodes.

    $ ssh-copy-id user@<haproxy1>
    $ ssh-copy-id user@<cds1>
    $ ssh-copy-id user@<cds2>
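The checks from sections 8.1 and 8.2 can be collected into one script. The following is an added example, not part of the Red Hat guide; the function names are hypothetical, and it assumes the key was saved in the default location under ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the RHUI guide): verify the RHUA key pair after
# ssh-keygen and ssh-copy-id. All function names here are hypothetical.

# mode_of PATH: print the type and permission bits as ls shows them, e.g. "drwx------".
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# check_key_files SSH_DIR KEY_NAME: report loose permissions or missing files.
check_key_files() (
    dir=$1 key=$1/$2 problems=0
    report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # Step 2 of the procedure: the directory must be rwx------ (700).
    [ "$(mode_of "$dir")" = "drwx------" ] || report "$dir is not mode 700"

    if [ ! -f "$key" ]; then
        report "$key is missing"
    else
        # The key has no passphrase, so file permissions are its only protection:
        # group and others must have no access at all.
        case $(mode_of "$key") in
            -???------) ;;
            *) report "$key is accessible by group or others" ;;
        esac
    fi
    [ -f "$key.pub" ] || report "$key.pub is missing"
    [ "$problems" -eq 0 ]
)

# has_empty_passphrase KEY: succeed if the private key can be read with an empty
# passphrase, which CDS installation and registration require.
has_empty_passphrase() { ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; }

# key_login_works KEY USER@HOST: succeed if a non-interactive, key-only login works.
# BatchMode=yes makes ssh fail instead of prompting for a password.
key_login_works() {
    ssh -i "$1" -o BatchMode=yes -o IdentitiesOnly=yes -o ConnectTimeout=5 "$2" true
}

# Usage: sh check-rhua-key.sh id_rsa user@<haproxy1> user@<cds1> user@<cds2>
if [ $# -gt 0 ]; then
    key_name=$1
    shift
    check_key_files "$HOME/.ssh" "$key_name" || exit 1
    if ! has_empty_passphrase "$HOME/.ssh/$key_name"; then
        echo "PROBLEM: $HOME/.ssh/$key_name is protected by a passphrase"
        exit 1
    fi
    status=0
    for target in "$@"; do
        if key_login_works "$HOME/.ssh/$key_name" "$target"; then
            echo "OK: key login to $target"
        else
            echo "PROBLEM: key login to $target failed"
            status=1
        fi
    done
    exit "$status"
fi
```
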

Chapter 9. Configuring shared storage

The RHUA and CDS nodes require a shared storage volume, which can be accessed by both, to store content managed by RHUI.

Currently, RHUI supports the following storage solutions:

9.1. Configuring shared storage using NFS

When using Network File System (NFS) as your shared storage, you must set up an NFS server either on the RHUA node or on a dedicated machine.

The following instructions explain how to create, configure, and verify NFS to work with RHUI.

Note

Setting up your NFS server on a dedicated machine allows the CDS nodes and your RHUI clients to continue working even if something happens to the RHUA node.

Prerequisites

  • Ensure you have root access to the NFS server.
  • Ensure you have root access to the RHUA node.
  • Ensure you have root access to all the CDS nodes you plan to use.

Procedure

  1. Install the nfs-utils package on the node hosting the NFS server, the RHUA node (if it differs from the NFS node), and all the CDS nodes.

    # dnf install nfs-utils
  2. Create a suitable directory to hold all the RHUI content.

    # mkdir /export
  3. Allow your RHUA and CDS nodes access to the directory by editing the /etc/exports file and adding the following line:

    /export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) cds02.example.com(rw,no_root_squash)
  4. Start and enable the NFS service.

    # systemctl start nfs-server
    # systemctl start rpcbind
    # systemctl enable nfs-server
    # systemctl enable rpcbind
    Note

    If the NFS service is already running, use the restart command instead of the start command.

Verification

  • To test whether an NFS server is set up on a machine named filer.example.com, run the following commands on a CDS node:

    # mkdir /mnt/nfstest
    # mount filer.example.com:/export /mnt/nfstest
    # touch /mnt/nfstest/test

    Your setup is working properly if you do not get any error messages.
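Because no_root_squash lets root on each listed client act as root on the share, the client list in /etc/exports is worth checking after you edit it. The following added example (not part of the Red Hat guide; audit_exports is a hypothetical helper and the sample file is constructed) flags any client other than the expected RHUA and CDS hosts that holds no_root_squash on the export. It does not handle line continuations or default option lists (tokens starting with -).

```shell
#!/bin/sh
# Added example (not from the RHUI guide): audit which NFS clients get no_root_squash.

# audit_exports FILE EXPORT_PATH HOST...
# Prints one finding per line. Fails if EXPORT_PATH grants no_root_squash to any
# client other than the listed hosts, or if a listed host has no entry for it.
audit_exports() (
    set -f                                  # client specs such as "*" must not glob
    file=$1 export_path=$2
    shift 2
    allowed=" $* " seen=" " findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    while read -r path clients || [ -n "$path" ]; do
        # Only the export under audit; this also skips blank and comment lines.
        [ "$path" = "$export_path" ] || continue
        for spec in $clients; do
            case $spec in '#'*) break ;; esac     # trailing comment
            client=${spec%%\(*}                   # text before "("
            opts=${spec#"$client"}
            opts=${opts#\(}
            opts=${opts%\)}
            # "host (opts)" written with a space makes "(opts)" apply to every host.
            [ -n "$client" ] || client='*'
            seen="$seen$client "
            case ",$opts," in
                *,no_root_squash,*)
                    case $allowed in
                        *" $client "*) ;;
                        *) report "UNEXPECTED: $client has no_root_squash on $export_path" ;;
                    esac ;;
            esac
        done
    done < "$file"

    # Every expected RHUA or CDS host needs an entry, or its mount will be refused.
    for host in $allowed; do
        case $seen in
            *" $host "*) ;;
            *) report "MISSING: $host has no entry for $export_path" ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample: the guide's export line with cds02 left out and a wildcard added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/exports (constructed sample)
/export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) *(rw,no_root_squash)
/srv/other 192.0.2.0/24(ro)
EOF
audit_exports "$sample" /export rhua.example.com cds01.example.com cds02.example.com || true
rm -f "$sample"
```

On a real NFS server, call audit_exports /etc/exports /export followed by the host names of your RHUA and CDS nodes.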

9.2. Configuring shared storage using CephFS

When using Ceph File System (CephFS) as your shared storage, you must set up a file system and share it over the network. RHUI treats the shared file system as a simple mount point, which you can mount on the file systems of the RHUA and CDS nodes.

Important

Do not set up the Ceph shared file storage on the RHUI nodes. You must configure CephFS on independent dedicated machines.

The following instructions explain how to verify whether an existing Ceph file system can work with RHUI.

Note

This document does not provide instructions to set up Ceph shared file storage. For instructions on how to do so, consult your system administrator.

Prerequisites

  • Ensure you have the following identification information:

    • The IP Address and port of the host where the cluster monitor daemon for the Ceph distributed file system is running.

      • As a CephFS system administrator, run the command ceph mon dump on the Ceph master node. You can find the IP address and port listed as <ceph_monip>:<ceph_port>.
    • The Ceph username, usually admin.
    • The Ceph file system name.

      • As a CephFS system administrator, run the command ceph fs ls on the Ceph master node. You can find the file system name listed as <cephfs_name>.
    • The Ceph secret key.

      • As a CephFS system administrator, run the command ceph auth get client.admin on the Ceph master node. You can find the secret key listed as <ceph_secretkey>.
  • Ensure you have root access to the RHUA node and all the CDS nodes you plan to use.
  • Enable the Ceph Tools repository on the RHUA and CDS nodes. For more information, see:

Procedure

  • On the RHUA and CDS nodes install the ceph-common package:

    # dnf install ceph-common

Verification

  1. To test whether a Ceph File Share is available and whether RHUI can use it, run the following commands on the RHUA node or on one of the CDS nodes:

    # mkdir /mnt/mycephfs_test
    # mount -t ceph <ceph_monip>:<ceph_port>:/ /mnt/mycephfs_test -o name=admin,secret=<ceph_secretkey>,fs=<cephfs_name>
    # touch /mnt/mycephfs_test/testfile
    # ls /mnt/mycephfs_test

    Your setup is working properly if you do not get any error messages.

  2. Clean up the test mount point.

    # rm /mnt/mycephfs_test/testfile
    # umount /mnt/mycephfs_test

Chapter 10. Updating your system

Before you install RHUI, it is a good practice to secure your system by installing all the latest available updates.

Prerequisites

  • Ensure that the system is registered to Red Hat.
  • All the relevant repositories are enabled.

Procedure

  1. Navigate to each of your nodes and apply any available operating system updates.

    For detailed information about updating your system, see Securing your system.

  2. Reboot the nodes.
  3. Verify that all configuration changes have persisted.

    Warning

    Make sure the host name of the RHUA is set correctly. If the host name is not set and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.

Chapter 11. Installing Red Hat Update Infrastructure

Once you have completed the prerequisites, you can install RHUI on your system using repositories and a network connection to resolve dependencies.

You can install RHUI using the following shared storage solutions:

11.1. RHUI Installer arguments

You can use the RHUI Installer command, rhui-installer, with a combination of the following arguments to install and configure Red Hat Update Infrastructure (RHUI) based on your use case.

Mandatory RHUI Installer Arguments

Table 11.1. Mandatory RHUI Installer arguments

Argument

Description

--cds-lb-hostname CDS_LB_HOSTNAME

The hostname of the load balancer used by clients to access the CDS, specified as a fully qualified domain name (FQDN).

--rhua-hostname RHUA_HOSTNAME

The hostname of the RHUA node, specified as an FQDN.

--remote-fs-server REMOTE_FS_SERVER

The remote mount point for the shared file system. For example, my-server.example.com:/share.

  • -u
  • --user

An optional username without administrative privileges. It is used to run the Ansible installation playbooks on the RHUA node.

Note

By default, RHUI Installer uses the output from the logname(1) command for the username. However, if logname(1) does not return a username or you want to run the installer as a different user, you can use the --user or -u flag.

To find the default username value, run the following command:

# rhui-installer --help

--rerun

Argument to rerun RHUI Installer. By default, the flag is set to false.

Note

Running rhui-installer generates an answers.yaml file in the /root/.rhui/ directory. This argument is mandatory when running RHUI Installer again with an existing answers.yaml file.

Optional RHUI Installer Arguments

Table 11.2. Optional RHUI Installer arguments

Argument

Description

--colors-off

Turn off colored output. By default, the argument is set to false.

--log-level

Sets the level of detailed output. The valid values are error, warn, success, info, and debug. By default, the argument is set to info.

--answers-file ANSWERS_FILE

The location of an optional user-supplied answers file.

Note

When you run RHUI Installer initially, it generates an answers.yaml file in the /root/.rhui/ directory. This file stores the values of all the arguments passed along with the command. However, you can also manually create an answers.yaml file, or edit the existing file, and pass it using this argument.

--retain-package-versions RETAIN_PACKAGE_VERSIONS

The number of retained package versions. By default, the value is set to 0.

--remote-fs-mountpoint REMOTE_FS_MOUNTPOINT

The location of the file system to mount the remote share. By default, the location is /var/lib/rhui/remote_share.

--remote-fs-conf-server REMOTE_FS_CONF_SERVER

Remote shared filesystem to be mounted at /etc/rhui for RHUI config files; for example, my-server.example.com:/share.

--remote-fs-cert-server REMOTE_FS_CERT_SERVER

Remote shared filesystem to be mounted at /etc/pki/rhui for RHUI certificate files; for example, my-server.example.com:/share.

--remote-fs-logs-server REMOTE_FS_LOGS_SERVER

Remote shared filesystem to be mounted at /var/log/rhui for RHUI log files; for example, my-server.example.com:/share.

--remote-fs-type REMOTE_FS_TYPE

The file system type to use. The valid values are ceph and nfs. By default, the value is set to nfs.

--rhui-manager-password RHUI_MANAGER_PASSWORD

The rhui-manager password. By default, RHUI Installer generates a new password when initially run. The password is stored in the /etc/rhui/rhui-subscription-sync.conf file. If you run the RHUI Installer command again, it uses the existing password.

--pulp-workers NUMBER_OF_WORKERS

The number of pulp workers associated with the RHUI instance. The number must be greater than 0. The default number of workers is 8.

--ignore-newer-rhui-packages 

Use this flag to prevent the installation of any available newer RHUI packages. This flag is ignored if there is no newer rhui-installer package. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False.

--ignore-newer-rhel-packages 

Use this flag to prevent the installation of any available newer packages. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False, meaning the RHUA will get updated.

Note

RHUA must be rebooted if any package has been updated that requires rebooting. The command to check this is: needs-restarting -r

--fetch-missing-symlinks FETCH_MISSING_SYMLINKS

The flag to configure CDS nodes to fetch missing symlinks from the RHUA node. The values are True and False. The default value is True.

To configure CDS nodes in an already installed RHUI instance, rerun the installer with the flag and apply the change to all CDS nodes.

Note

If your clients try to fetch the content before it is exported, they will encounter HTTP 404 errors.

--container-support-enabled CONTAINER_SUPPORT_ENABLED

The flag to enable container support in RHUI. The values are True and False. The default value is False.

--rhua-mount-options RHUA_MOUNT_OPTIONS

The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. Before you set it up, ensure that it is possible to umount the current remote filesystem.

If RHUA is already running, the pulp service needs to be stopped prior to using this flag. You must also reinstall all CDS nodes after you set the flag.

The default value is rw.

Note

This flag does not apply to Ceph file systems.

--client-repo-prefix PREFIX

The argument to use a custom prefix, or no prefix at all, when creating RHUI repository IDs.

To remove the prefix entirely, use two quotation marks, --client-repo-prefix "".

Optional Ceph File System Arguments

Table 11.3. Optional CephFS arguments

Argument

Description

--cephfs-username CEPHFS_USERNAME

The username associated with the Ceph file system. The default username is admin.

--cephfs-secretkey-file CEPHFS_SECRETKEY_FILE

The path to the file containing the CephFS secret key.

--cephfs-name CEPHFS_NAME

The name of the Ceph file system.

Optional Proxy Arguments

Table 11.4. Optional Proxy arguments

Argument

Description

--proxy-hostname PROXY_HOSTNAME

The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).

--proxy-password PROXY_PASSWORD

The password to access the proxy server. Specify a password only if your proxy server requires authentication.

--proxy-port PROXY_PORT

The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.

--proxy-protocol PROXY_PROTOCOL

The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.

--proxy-username PROXY_USERNAME

The username associated with the proxy server. Specify a username only if your proxy server requires authentication.

Optional Certificate Authority Arguments

Table 11.5. Optional arguments for generating Certification Authorities

Argument

Description

--certs-ca-common-name CERTS_CA_COMMON_NAME

The common name for the generated CA certificate. By default, the name is RHUI Certificate Authority.

--certs-country CERTS_COUNTRY

The country attributes for managed certificates. The default is US.

--certs-state CERTS_STATE

The state attributes for managed certificates. The default is North Carolina.

--certs-city CERTS_CITY

The city attributes for managed certificates. The default is Raleigh.

--certs-org CERTS_ORG

The org attributes for managed certificates. The default is SomeOrg.

--certs-org-unit CERTS_ORG_UNIT

The org unit attributes for managed certificates. The default is SomeOrgUnit.

--certs-ca-expiration CERTS_CA_EXPIRATION

The number of days after which the CA expires. The default value is 36500.

--cds-certs-expiration CDS_CERTS_EXPIRATION

The number of days after which the certificate expires. The default value is 7300.

Arguments for configuring RHUI using Certificate Authorities

You can configure RHUI using the following CAs:

  • RHUI CA: Signs certificates generated by RHUI.
  • Client SSL CA: Signs certificates generated by RHUI and secures the exchange of content between the client and the HAProxy and CDS nodes.
  • Client Entitlement CA: Signs entitlement certificates generated by RHUI and secures the content that the client requests from RHUI.

    Note

    If you do not provide a RHUI CA, the command will automatically generate one.

    If you do not provide a Client SSL CA or a Client Entitlement CA, the command will use the configured RHUI CA instead.

Depending on your use case, you must provide the respective arguments:

  • Configuring using a RHUI CA

    • --user-supplied-rhui-ca-crt USER_SUPPLIED_RHUI_CA_CRT: The path to the digital certificate crt file issued by a CA. If you do not provide a crt file, the command automatically generates one.
    • --user-supplied-rhui-ca-key USER_SUPPLIED_RHUI_CA_KEY: The path to the key file used to generate the --user-supplied-rhui-ca-crt file. If you do not provide a key, it is automatically generated.
  • Configuring using a Client SSL CA

    • --user-supplied-client-ssl-ca-crt USER_SUPPLIED_CLIENT_SSL_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client SSL certificate. The client SSL certificate secures the content returned to a client from RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
    • --user-supplied-client-ssl-ca-key USER_SUPPLIED_CLIENT_SSL_CA_KEY: The path to the key file that generates the --user-supplied-client-ssl-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
  • Configuring using a Client Entitlement CA:

    • --user-supplied-client-entitlement-ca-crt USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client entitlement certificate. The client entitlement certificate secures requests made by a client to RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
    • --user-supplied-client-entitlement-ca-key USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_KEY: The path to the key file that generates the --user-supplied-client-entitlement-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
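A preflight check for the arguments described in this section, as an added example rather than anything shipped with rhui-installer. The function names are hypothetical; it checks only what the tables above and the host name warning in Chapter 10 state (FQDN host names that are not localhost, nfs or ceph, at least one Pulp worker) and assumes the host:/path form shown for NFS.

```shell
#!/bin/sh
# Added example (not shipped with RHUI): validate rhui-installer arguments before a run.

# is_fqdn NAME: succeed for a dotted DNS name; reject the localhost placeholders
# that the guide says block installation, bare host names and IP addresses.
is_fqdn() (
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $name in
        ''|localhost|localhost.localdomain) exit 1 ;;
        *.*) ;;
        *) exit 1 ;;                          # no dot: not fully qualified
    esac
    case $name in
        .*|*.|*..*) exit 1 ;;                 # empty label (also a trailing dot)
        *[!a-z0-9.-]*) exit 1 ;;              # only letters, digits, hyphen, dot
        -*|*-|*.-*|*-.*) exit 1 ;;            # label starts or ends with a hyphen
    esac
    case ${name##*.} in
        *[!0-9]*) exit 0 ;;
        *) exit 1 ;;                          # numeric last label: an IP address
    esac
)

# is_nfs_share VALUE: succeed for the host:/path form, e.g. my-server.example.com:/share.
is_nfs_share() (
    case $1 in
        *" "*) exit 1 ;;
        *:/*) ;;
        *) exit 1 ;;
    esac
    host=${1%%:/*}
    [ -n "$host" ]
)

# preflight ARGS...: takes the same arguments you plan to give rhui-installer,
# prints one line per finding and fails if any PROBLEM was found.
preflight() (
    rhua= lb= share= fstype=nfs workers=8 secrets= problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    while [ $# -gt 0 ]; do
        flag=$1 value=${2-}
        case $flag in
            --rhua-hostname)    rhua=$value ;;
            --cds-lb-hostname)  lb=$value ;;
            --remote-fs-server) share=$value ;;
            --remote-fs-type)   fstype=$value ;;
            --pulp-workers)     workers=$value ;;
            --proxy-password|--rhui-manager-password) secrets="$secrets $flag" ;;
            *) shift; continue ;;             # arguments this script does not check
        esac
        shift
        if [ $# -gt 0 ]; then shift; fi       # drop the value
    done

    is_fqdn "$rhua" || fail "--rhua-hostname '$rhua' is not an FQDN"
    is_fqdn "$lb"   || fail "--cds-lb-hostname '$lb' is not an FQDN"
    case $fstype in
        nfs)  is_nfs_share "$share" || fail "--remote-fs-server '$share' is not host:/path" ;;
        ceph) [ -n "$share" ] || fail "--remote-fs-server is missing" ;;
        *)    fail "--remote-fs-type must be nfs or ceph" ;;
    esac
    case $workers in
        ''|*[!0-9]*) fail "--pulp-workers must be a number greater than 0" ;;
        *) [ "$workers" -gt 0 ] || fail "--pulp-workers must be greater than 0" ;;
    esac
    # The guide states that answers.yaml stores the values of the arguments passed.
    for flag in $secrets; do
        echo "NOTE: the value of $flag is saved in /root/.rhui/answers.yaml; keep it readable by root only"
    done
    [ "$problems" -eq 0 ]
)

# Constructed sample run; host names and the password are placeholders.
# Prints two PROBLEM lines and one NOTE line.
preflight --rhua-hostname localhost.localdomain --cds-lb-hostname cds.example.com \
    --remote-fs-server filer.example.com:/export --pulp-workers 0 \
    --proxy-password example || true
```
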

11.2. Installing Red Hat Update Infrastructure using NFS

Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with network file system (NFS).

Prerequisites

  • Ensure that your system can access the internet.
  • Ensure you have root access to the RHUA node.
  • Optional: Ensure you have configured your proxy server if you plan to use one with RHUI.

Procedure

  1. Navigate to the RHUA node and install the rhui-installer package.

    # dnf install rhui-installer
  2. Run rhui-installer and specify the arguments based on your use case.

    • To set up RHUI without a proxy server:

      # rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>

      The following arguments are mandatory when using NFS.

      • --remote-fs-server: The remote mountpoint for the shared file system.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-mount-options (Optional): The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. The default value is rw.

        To change mount options in an already running RHUI environment:

        1. Stop Pulp services:

          # systemctl stop pulpcore
        2. Re-run RHUI installer and specify the new options:

          # rhui-installer --rerun --rhua-mount-options <new_options>
        3. Apply the options to all CDS nodes:

          # rhui-manager --noninteractive cds reinstall --all
    • To set up RHUI with a proxy server:

      # rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>

      The following arguments are mandatory when using NFS and a proxy server.

      • --remote-fs-server: The remote mountpoint for the shared file system.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
      • --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
      • --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
      • --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
      • --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
      • --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
Important

The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.

If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.

Verification

  • On the RHUA node, verify that you can access the RHUI Terminal User Interface (TUI).

    # rhui-manager

11.3. Installing Red Hat Update Infrastructure using CephFS

Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with the Ceph file system (CephFS).

Prerequisites

Procedure

  1. Navigate to the RHUA node and install the rhui-installer package.

    # dnf install rhui-installer
  2. Create a file containing the CephFS secret key.

    # echo "cephfs secretkey" > <path to file containing the CephFS secret key>
    # chmod 400 <path to file containing the CephFS secret key>
  3. Run rhui-installer and specify the arguments based on your use case.

    1. To set up RHUI without a proxy server:

      # rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>

      The following arguments are mandatory when using CephFS.

      • --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --remote-fs-type: The type of file system to use. You must set this to ceph.
      • --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
      • --cephfs-name: The name of the Ceph file system.
      • --cephfs-username: The username associated with the Ceph file system.
    2. To set up RHUI with a proxy server:

      # rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>

      The following arguments are mandatory when using CephFS and a proxy server.

      • --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
      • --remote-fs-type: The type of file system to use. You must set this to ceph.
      • --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
      • --cephfs-name: The name of the Ceph file system.
      • --cephfs-username: The username associated with the Ceph file system.
      • --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
      • --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
      • --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
      • --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
      • --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
Important

The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.

If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.

Verification

  • On the RHUA node, verify that you can access the RHUI Terminal User Interface (TUI).

    # rhui-manager
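
Step 2 of the procedure above writes the CephFS key with echo and then tightens the mode, so the file exists briefly with whatever the default umask allows and the key text lands in the shell history. The following is an added example, not Red Hat's code, that creates the file owner-only from the start and audits the result; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: create and audit secret-bearing files such as the CephFS
# secret key file passed to --cephfs-secretkey-file.

# Write stdin to a NEW file that is owner-only from the moment it exists.
# usage: write_secret_file <path>   (paste the key, then press Ctrl-D)
write_secret_file() {
    (
        umask 077      # file is created 0600, never group- or world-readable
        set -C         # noclobber: refuse to overwrite an existing file
        cat > "$1"
    ) || return 1
    chmod 400 "$1"     # final mode matches the chmod 400 step in the procedure
}

# Succeed only for a regular, non-symlink file with no group/other mode bits.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as shipped with RHEL
    case "$mode" in
        ?00|??00) return 0 ;;               # e.g. 400, 600
        *)        return 1 ;;               # e.g. 644, 640
    esac
}
```

The same secret_file_ok check can be pointed at /etc/rhui/rhui-subscription-sync.conf, where rhui-installer stores the initial RHUI login password.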

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.