Chapter 11. Installing Red Hat Update Infrastructure

Once you have completed the prerequisites, you can install RHUI on your system using repositories and a network connection to resolve dependencies.

You can install RHUI using the following shared storage solutions:

11.1. RHUI Installer arguments

You can use the RHUI Installer command, rhui-installer, with a combination of the following arguments to install and configure Red Hat Update Infrastructure (RHUI) based on your use case.

Mandatory RHUI Installer Arguments

Table 11.1. Mandatory RHUI Installer arguments

Argument

Description

--cds-lb-hostname CDS_LB_HOSTNAME

The hostname of the load balancer used by clients to access the CDS, specified as a fully qualified domain name (FQDN).

--rhua-hostname RHUA_HOSTNAME

The hostname of the RHUA node, specified as an FQDN.

--remote-fs-server REMOTE_FS_SERVER

The remote mount point for the shared file system. For example, my-server.example.com:/share.

  • -u
  • --user

An optional username without administrative privileges. It is used to run the Ansible installation playbooks on the RHUA node.

Note

By default, RHUI Installer uses the output from the logname(1) command for the username. However, if logname(1) does not return a username or you want to run the installer as a different user, you can use the --user or -u flag.

To find the default username value, run the following command:

# rhui-installer --help

--rerun

Argument to rerun RHUI Installer. By default, the flag is set to false.

Note

Running rhui-installer generates an answers.yaml file in the /root/.rhui/ directory. This argument is mandatory when running RHUI Installer again with an existing answers.yaml file.

Optional RHUI Installer Arguments

Table 11.2. Optional RHUI Installer arguments

Argument

Description

--colors-off

Turn off colored output. By default, the argument is set to false.

--log-level

Sets the level of detailed output. The valid values are error, warn, success, info, and debug. By default, the argument is set to info.

--answers-file ANSWERS_FILE

The location of an optional user-supplied answers file.

Note

When you run RHUI Installer initially, it generates an answers.yaml file in the /root/.rhui/ directory. This file stores the values of all the arguments passed along with the command. However, you can also manually create an answers.yaml file, or edit the existing file, and pass it using this argument.

--retain-package-versions RETAIN_PACKAGE_VERSIONS

The number of retained package versions. By default, the value is set to 0.

--remote-fs-mountpoint REMOTE_FS_MOUNTPOINT

The location of the file system to mount the remote share. By default, the location is /var/lib/rhui/remote_share.

--remote-fs-conf-server REMOTE_FS_CONF_SERVER

Remote shared filesystem to be mounted at /etc/rhui for RHUI config files; for example, my-server.example.com:/share

--remote-fs-cert-server REMOTE_FS_CERT_SERVER

Remote shared filesystem to be mounted at /etc/pki/rhui for RHUI certificate files; for example, my-server.example.com:/share

--remote-fs-logs-server REMOTE_FS_LOGS_SERVER

Remote shared filesystem to be mounted at /var/log/rhui for RHUI log files; for example, my-server.example.com:/share

--remote-fs-type REMOTE_FS_TYPE

The file system type to use. The valid values are ceph and nfs. By default, the value is set to nfs.

--rhui-manager-password RHUI_MANAGER_PASSWORD

The rhui-manager password. By default, RHUI Installer generates a new password when initially run. The password is stored in the /etc/rhui/rhui-subscription-sync.conf file. If you run the RHUI Installer command again, it uses the existing password.

--pulp-workers NUMBER_OF_WORKERS

The number of pulp workers associated with the RHUI instance. The number must be greater than 0. The default number of workers is 8.

--ignore-newer-rhui-packages 

Use this flag to prevent the installation of any available newer RHUI packages. This flag is ignored if there is no newer rhui-installer package. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False.

--ignore-newer-rhel-packages 

Use this flag to prevent the installation of any available newer packages. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False, meaning the RHUA will get updated.

Note

RHUA must be rebooted if any package has been updated that requires rebooting. The command to check this is: needs-restarting -r

--fetch-missing-symlinks FETCH_MISSING_SYMLINKS

The flag to configure CDS nodes to fetch missing symlinks from the RHUA node. The values are True and False. The default value is True.

To configure CDS nodes in an already installed RHUI instance, rerun the installer with the flag and apply the change to all CDS nodes.

Note

If your clients try to fetch the content before it is exported, they will encounter HTTP 404 errors.

--container-support-enabled CONTAINER_SUPPORT_ENABLED

The flag to enable container support in RHUI. The values are True and False. The default value is False.

--rhua-mount-options RHUA_MOUNT_OPTIONS

The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. Before you set it up, ensure that it is possible to umount the current remote filesystem.

If RHUA is already running, the pulp service needs to be stopped prior to using this flag. You must also reinstall all CDS nodes after you set the flag.

The default value is rw.

Note

This flag does not apply to Ceph file systems.

--client-repo-prefix PREFIX

The argument to use a custom prefix, or no prefix at all, when creating RHUI repository IDs.

To remove the prefix entirely, use two quotation marks, --client-repo-prefix "".

Optional Ceph File System Arguments

Table 11.3. Optional CephFS arguments

Argument

Description

--cephfs-username CEPHFS_USERNAME

The username associated with the Ceph file system. The default username is admin.

--cephfs-secretkey-file CEPHFS_SECRETKEY_FILE

The path to the file containing the CephFS secret key.

--cephfs-name CEPHFS_NAME

The name of the Ceph file system.

Optional Proxy Arguments

Table 11.4. Optional Proxy arguments

Argument

Description

--proxy-hostname PROXY_HOSTNAME

The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).

--proxy-password PROXY_PASSWORD

The password to access the proxy server. Specify a password only if your proxy server requires authentication.

--proxy-port PROXY_PORT

The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.

--proxy-protocol PROXY_PROTOCOL

The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.

--proxy-username PROXY_USERNAME

The username associated with the proxy server. Specify a username only if your proxy server requires authentication.

Optional Certificate Authority Arguments

Table 11.5. Optional arguments for generating Certification Authorities

Argument

Description

--certs-ca-common-name CERTS_CA_COMMON_NAME

The common name for the generated CA certificate. By default, the name is RHUI Certificate Authority.

--certs-country CERTS_COUNTRY

The country attributes for managed certificates. The default is US.

--certs-state CERTS_STATE

The state attributes for managed certificates. The default is North Carolina.

--certs-city CERTS_CITY

The city attributes for managed certificates. The default is Raleigh.

--certs-org CERTS_ORG

The org attributes for managed certificates. The default is SomeOrg.

--certs-org-unit CERTS_ORG_UNIT

The org unit attributes for managed certificates. The default is SomeOrgUnit.

--certs-ca-expiration CERTS_CA_EXPIRATION

The number of days after which the CA expires. The default value is 36500.

--cds-certs-expiration CDS_CERTS_EXPIRATION

The number of days after which the certificate expires. The default value is 7300.

Arguments for configuring RHUI using Certificate Authorities

You can configure RHUI using the following CAs:

  • RHUI CA: Signs certificates generated by RHUI.
  • Client SSL CA: Signs certificates generated by RHUI and secures the exchange of content between the client and the HAProxy and CDS nodes.
  • Client Entitlement CA: Signs entitlement certificates generated by RHUI and secures the content that the client requests from RHUI.

    Note

    If you do not provide a RHUI CA, the command will automatically generate one.

    If you do not provide a Client SSL CA or a Client Entitlement CA, the command will use the configured RHUI CA instead.

Depending on your use case, you must provide the respective arguments:

  • Configuring using a RHUI CA

    • --user-supplied-rhui-ca-crt USER_SUPPLIED_RHUI_CA_CRT: The path to the digital certificate crt file issued by a CA. If you do not provide a crt file, the command automatically generates one.
    • --user-supplied-rhui-ca-key USER_SUPPLIED_RHUI_CA_KEY: The path to the key file used to generate the --user-supplied-rhui-ca-crt file. If you do not provide a key, it is automatically generated.
  • Configuring using a Client SSL CA

    • --user-supplied-client-ssl-ca-crt USER_SUPPLIED_CLIENT_SSL_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client SSL certificate. The client SSL certificate secures the content returned to a client from RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
    • --user-supplied-client-ssl-ca-key USER_SUPPLIED_CLIENT_SSL_CA_KEY: The path to the key file that generates the --user-supplied-client-ssl-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
  • Configuring using a Client Entitlement CA:

    • --user-supplied-client-entitlement-ca-crt USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client entitlement certificate. The client entitlement certificate secures requests made by a client to RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
    • --user-supplied-client-entitlement-ca-key USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_KEY: The path to the key file that generates the --user-supplied-client-entitlement-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
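
A mismatched crt and key file, or a CA certificate close to expiry, is easier to catch before the pair is passed to any of the --user-supplied-*-ca-crt and --user-supplied-*-ca-key arguments above. The following pre-flight check is an added example, not part of rhui-installer; the function name ca_pair_ok and the 30-day default are assumptions, and it relies on the openssl command-line tool.

```shell
# ca_pair_ok CRT KEY [MIN_DAYS]
# Returns 0 if KEY is the private key belonging to certificate CRT and CRT
# stays valid for at least MIN_DAYS more days (default 30, an assumed policy).
ca_pair_ok() {
    local crt key min_days crt_pub key_pub
    crt=$1
    key=$2
    min_days=${3:-30}

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $crt is not a readable X.509 certificate"
        return 1
    }
    # Public key derived from the private key. "-passin pass:" supplies an
    # empty passphrase so an encrypted key fails instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: $key is not a readable private key (encrypted keys are not handled)"
        return 1
    }
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $crt"
        return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within $min_days days"
        return 1
    fi
    echo "OK: $crt and $key form a usable pair"
}

# Usage (paths are placeholders):
#   ca_pair_ok <path-to-rhui-ca-crt> <path-to-rhui-ca-key> && \
#       rhui-installer ... --user-supplied-rhui-ca-crt <path-to-rhui-ca-crt> \
#                          --user-supplied-rhui-ca-key <path-to-rhui-ca-key>
```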

11.2. Installing Red Hat Update Infrastructure using NFS

Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with network file system (NFS).

Prerequisites

  • Ensure that your system can access the internet.
  • Ensure you have root access to the RHUA node.
  • Optional: Ensure you have configured your proxy server if you plan to use one with RHUI.

Procedure

  1. Navigate to the RHUA node and install the rhui-installer package.

    # dnf install rhui-installer
  2. Run rhui-installer and specify the arguments based on your use case.

    • To set up RHUI without a proxy server:

      # rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>

      The following arguments are mandatory when using NFS.

      • --remote-fs-server: The remote mountpoint for the shared file system.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-mount-options (Optional): The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. The default value is rw.

        To change mount options in an already running RHUI environment:

        1. Stop the Pulp services:

          # systemctl stop pulpcore
        2. Rerun RHUI Installer and specify the new options:

          # rhui-installer --rerun --rhua-mount-options [new options]
        3. Apply the options to all CDS nodes:

          # rhui-manager --noninteractive cds reinstall --all
    • To set up RHUI with a proxy server:

      # rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>

      The following arguments are mandatory when using NFS and a proxy server.

      • --remote-fs-server: The remote mountpoint for the shared file system.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
      • --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
      • --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
      • --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
      • --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
      • --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
Important

The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.

If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.

Verification

  • On the RHUA node, verify that you can access the RHUI Terminal User Interface (TUI).

    # rhui-manager
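
After installation, several files named in this chapter hold credentials: /root/.rhui/answers.yaml stores the values of the arguments passed to the installer (including any passwords given on the command line), and /etc/rhui/rhui-subscription-sync.conf stores the rhui-manager password. The following permission audit is an added example, not part of RHUI; the function names and the strict "no group or other access" policy are assumptions, and it uses GNU stat.

```shell
# check_secret_file PATH
# Returns 0 if PATH is a regular file (not a symlink) whose mode grants no
# permissions to group or other; returns 1 otherwise.
check_secret_file() {
    local path mode
    path=$1
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing, or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$path") || return 1   # octal mode, e.g. 600
    # Any of the low six permission bits means group or other has access.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants group/other access"
        return 1
    fi
    echo "OK   $path: mode $mode"
}

# audit_rhui_secrets PATH...
# Checks every path and returns the number of files that failed.
audit_rhui_secrets() {
    local failures f
    failures=0
    for f in "$@"; do
        check_secret_file "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage on the RHUA node, as root (the CephFS key path is site-specific):
#   audit_rhui_secrets /root/.rhui/answers.yaml \
#       /etc/rhui/rhui-subscription-sync.conf \
#       <path to file containing the CephFS secret key>
```

Relax the 077 mask if a service account in your deployment legitimately needs group read access to one of these files.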

11.3. Installing Red Hat Update Infrastructure using CephFS

Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with the Ceph file system (CephFS).

Prerequisites

Procedure

  1. Navigate to the RHUA node and install the rhui-installer package.

    # dnf install rhui-installer
  2. Create a file containing the CephFS secret key.

    # echo "cephfs secretkey" > <path to file containing the CephFS secret key>
    # chmod 400 <path to file containing the CephFS secret key>
  3. Run rhui-installer and specify the arguments based on your use case.

    1. To set up RHUI without a proxy server:

      # rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>

      The following arguments are mandatory when using CephFS.

      • --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
      • --remote-fs-type: The type of file system to use. You must set this to ceph.
      • --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
      • --cephfs-name: The name of the Ceph file system.
      • --cephfs-username: The username associated with the Ceph file system.
    2. To set up RHUI with a proxy server:

      # rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>

      The following arguments are mandatory when using CephFS and a proxy server.

      • --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
      • --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
      • --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
      • --remote-fs-type: The type of file system to use. You must set this to ceph.
      • --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
      • --cephfs-name: The name of the Ceph file system.
      • --cephfs-username: The username associated with the Ceph file system.
      • --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
      • --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
      • --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
      • --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
      • --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
Important

The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.

If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.
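
In step 2 of the procedure, echo followed by chmod leaves the key in shell history and creates the file with the default umask before the mode is tightened. The following variant, an added example that is not part of the Red Hat procedure, reads the key from standard input and creates the file with restrictive permissions from the start; the function name write_secret_file is an assumption.

```shell
# write_secret_file DEST
# Reads a secret from stdin and stores it at DEST with mode 0400.
# Refuses to overwrite an existing path and rejects empty input.
write_secret_file() {
    local dest
    dest=$1
    [ -n "$dest" ] || { echo "usage: write_secret_file DEST" >&2; return 2; }
    (
        umask 077   # the file is created 0600, so it is never world-readable
        set -C      # noclobber: fail rather than overwrite or follow a symlink
        if [ -t 0 ]; then
            # Interactive use: prompt without echo. printf is a shell
            # builtin, so the key never appears in argv or shell history.
            trap 'stty echo' EXIT
            printf 'CephFS secret key: ' >&2
            stty -echo
            IFS= read -r key
            echo >&2
            printf '%s\n' "$key" > "$dest"
        else
            cat > "$dest"
        fi
    ) || { echo "cannot create $dest (does it already exist?)" >&2; return 1; }
    if [ ! -s "$dest" ]; then
        rm -f "$dest"
        echo "no secret received on stdin" >&2
        return 1
    fi
    chmod 400 "$dest"
}

# Usage: run it and type or paste the key at the prompt, or pipe the key in
# from wherever it is stored:
#   write_secret_file <path to file containing the CephFS secret key>
```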

Verification

  • On the RHUA node, verify that you can access the RHUI Terminal User Interface (TUI).

    # rhui-manager