Red Hat Training

A Red Hat training course is available for Red Hat Satellite

Chapter 10. Synchronization between Multiple Satellites

Inter-Satellite Synchronization (ISS) allows a Satellite to synchronize content and permissions from another Satellite instance in a peer-to-peer relationship. However, in the following section, a Satellite who receives content will be referred to as a "Slave Satellite" and a Satellite who acts as the source where the content is pulled is called a "Master Satellite". When using ISS to synchronize content, the Slave Satellite instance may have a different setup from that of the Master for non-content entities such as Users and Organizations. The Satellite Administrator on the Slave instance is free to add, remove, and change entities independently from what occurs on the Master instance.

Note

Master and Slave are legacy terms that carry connotations that are not enforced by the ISS protocol. Please keep their restricted meanings, as described above, in mind while studying this section.
The ISS feature can be used in different ways depending on the needs of the organization. There are ISS configurations where two Satellites may act as both masters and slaves of each other. This section contains a section on use cases, and how best to set up ISS to suit your organization.

ISS Requirements

The following are the required conditions to be able to use ISS:
  • Two or more Red Hat Satellite servers
  • At least one Red Hat Satellite populated with at least one channel
  • Satellite Administrator privileges on all Satellite systems intended for ISS

10.1. Inter-Satellite Synchronization

ISS can be configured manually or by a new tool called spacewalk-sync-setup. Both methods are effective, and it would be left to the user's choice on which one to use.

10.1.1. Manual Configuration

Procedure 10.1. Configuring the Master Satellite Server

With Satellite 5, ISS allows the Slave Satellite to duplicate the organizational trust hierarchy and the custom channel permissions from the settings configured on the master. This is accomplished by exporting information about specific organizations from the Master Satellite to the receiving Slave Satellite. The Satellite Administrator on the Slave Satellite can then choose to map the Master Organizations to specific Slave Organizations. Future satellite-sync operations use this information to assign custom channel ownership to the Slave Organization which is mapped to a specific Master Organization. It can also map the trust relationships between the exposed Master Organization to matching Slave Organizations, creating the equivalent relationships on the Slave.
  1. On the Web Interface:
    1. Log in as the Satellite Administrator.
    2. Click AdminISS ConfigurationMaster Setup.
    3. On the top right-hand corner, click Add New Slave.
    4. Fill in the following information:
      • Slave Fully Qualified Domain Name (FQDN)
      • Allow Slave to Sync? - Choosing this field will allow the Slave Satellite to access this Master Satellite. Otherwise, contact with this Slave will be denied.
      • Sync all orgs to Slave? - Checking this field will synchronize all organizations to the Slave Satellite.

      Note

      Choosing the Sync All Orgs to Slave? option on the Master Setup page will override any specifically selected organizations in the Local Organization table below.
    5. Click Create.
    6. (Optional) Click on any local organization to be exported to the Slave Satellite.
    7. Click Allow Orgs.

      Note

      In Satellite 5.5 and previous versions, the Master Satellite used the iss_slaves parameter in the /etc/rhn/rhn.conf file to identify which slaves could contact the Master Satellite. Satellite 5.6 and later uses the information in the Master Setup page to determine this information.
  2. On the Command Line:
    1. Enable the inter-satellite synchronization (ISS) feature in the /etc/rhn/rhn.conf file: 
      disable_iss=0
    2. Save the configuration file, and restart the httpd service: 
      service httpd restart

Procedure 10.2. Configuring Slave Servers

Slave Satellite servers are the machines that will receive content synchronized from the master server.
  1. In order to securely transfer content to the slave servers, the ORG-SSL certificate from the master server is needed. The certificate can be downloaded over HTTP from the /pub/ directory of any satellite. The file is called RHN-ORG-TRUSTED-SSL-CERT, but can be renamed and placed anywhere in the local filesystem of the slave, such as the /usr/share/rhn/ directory.
  2. Log in to the Slave Satellite as the Satellite Administrator.
  3. Click AdminISS ConfigurationSlave Setup.
  4. On the top right-hand corner, click Add New Master.
  5. Fill in the following information:
    • Master Fully-Qualified Domain Name
    • Default Master?
    • Filename of this Master's CA Certificate - Use the full path of the CA Certificate downloaded in the initial step of this procedure.
  6. Click Add New Master.

Procedure 10.3. Performing an Inter-Satellite Synchronization

Once the master and slave servers are configured, a synchronization can be performed between them.
  • Begin the synchronization by running the satellite-sync command: 
    satellite-sync -c your-channel

    Note

    Command line options that are manually provided with the satellite-sync command will override any custom settings in the /etc/rhn/rhn.conf file.

Procedure 10.4. Mapping the Master Satellite's Exported Organizations to the Slave Satellite's Organizations

Prerequisite

After following the procedures preceding this one, the Master Satellite should show up in the Slave Satellite's Slave Setup under AdminISS ConfigurationSlave Setup. If it does not, please re-check the steps above.

A mapping between organizational names on the master Satellite allows for channel access permissions to be set on the Master Satellite and propagated when content is synced to a Slave Satellite. Not all organization and channel details need to be mapped for all Slave Satellites, Satellite administrators can select which permissions and organizations can be synchronized by allowing or omitting mappings.
To complete the mapping, follow this procedure on the Slave Satellite:
  1. Log in as the Satellite Administrator.
  2. Click on AdminISS ConfigurationSlave Setup.
  3. Select a Master Satellite by clicking on it's name.
  4. Use the drop-down box to map the exported master organization name to a matching local organization in the Slave Satellite.
  5. Click Update Mapping.
  6. On the command line, issue the satellite-sync on each of the custom channels to obtain the correct trust structure and channel permissions: 
    satellite-sync -c your-channel

10.1.2. Automated Configuration

spacewalk-sync-setup allows users to specify a Master and Slave Satellite instance and uses configuration files to set up the information described in both the Master and Slave setup. It can create a set of default configuration files if requested. Essentially, it automates the previously setup and mapped configuration for Master-Slave relationships.
Prerequisites

In order for automated configuration to succeed:

  • The spacewalk-utils package needs to be installed on the system that will issue the command spacewalk-sync-setup.
  • Existing organizations with custom permissions on the Master Satellite must be present.
  • Existing organizations within the Slave Satellite must be present.

Procedure 10.5. Configuring the Master Satellite Server

  1. Enable the inter-satellite synchronization (ISS) feature in the /etc/rhn/rhn.conf file: 
    disable_iss=0
  2. Save the configuration file, and restart the httpd service: 
    service httpd restart

Procedure 10.6. Configuring Slave Servers

Slave Satellite servers are the machines that will have their content synchronized to the master server.
  1. In order to securely transfer content to the slave servers, the ORG-SSL certificate from the master server is needed. The certificate can be downloaded over HTTP from the /pub/ directory of any satellite. The file is called RHN-ORG-TRUSTED-SSL-CERT, but can be renamed and placed anywhere in the local filesystem of the slave, such as the /usr/share/rhn/ directory.
  2. Log in to the Slave Satellite as the Satellite Administrator.
  3. Click AdminISS ConfigurationSlave Setup.
  4. On the top right-hand corner, click Add New Master.
  5. Fill in the following information:
    • Master Fully-Qualified Domain Name
    • Default Master?
    • Filename of this Master's CA Certificate - Use the full path of the CA Certificate downloaded in the initial step of this procedure.
  6. Click Add New Master.

Procedure 10.7. Mapping Master Satellite Organizations to Slave Satellite Organizations with spacewalk-sync-setup

  1. Log in to a system. It does not matter if it is a Master Satellite, a Slave Satellite or a different system altogether, as long as the system can access the public XMLRPC API of the Master and Slave Satellites.
  2. Issue the spacewalk-sync-setup on a command line interface: 
    spacewalk-sync-setup --ms=[Master_FQDN] \
--ml=[Master_Sat_Admin_login] \
--mp=[Master_Sat_Admin_password] \
--ss=[Slave FQDN]  --sl=[Slave_Sat_Admin_login] \
--sp=[Slave_Sat_Admin_password> \
--create-templates --apply
    Where:
    • --ms=MASTER, --master-server=MASTER is the FQDN of the Master to connect to
    • --ml=MASTER_LOGIN, --master-login=MASTER_LOGIN is the Satellite Administrator login for the Master Satellite
    • --mp=MASTER_PASSWORD, --master-password=MASTER_PASSWORD is the password for the Satellite Administrator login on the Master Satellite
    • --ss=SLAVE, --slave-server=SLAVE is the FQDN of the Slave Satellite to connect to.
    • --sl=SLAVE_LOGIN, --slave-login=SLAVE_LOGIN is the Satellite Administrator login for the Slave Satellite
    • --sp=SLAVE_PASSWORD, --slave-password=SLAVE_PASSWORD is the password for the Satellite Administrator login on the Slave Satellite
    • --ct, --create-templates is the option that creates both a master and a slave setup file for the master/slave pair we've pointed at
    • --apply tells the Satellite instances to make the changes specified by the setup files to the specified Satellite instances

    Note

    For more setup options: 
    spacewalk-sync-setup --help
    The output from this command will be as follows: 
    INFO: Connecting to [admin@master-fqdn]
INFO: Connecting to [admin@slave-fqdn]
INFO: Generating master-setup file $HOME/.spacewalk-sync-setup/master.txt
INFO: Generating slave-setup file $HOME/.spacewalk-sync-setup/slave.txt
INFO: Applying master-setup $HOME/.spacewalk-sync-setup/master.txt
INFO: Applying slave-setup $HOME/.spacewalk-sync-setup/slave.txt
  3. On the command line, issue the satellite-sync command on each of the custom channels to obtain the correct trust structure and channel permissions: 
    satellite-sync -c your-channel