Installing Red Hat Update Infrastructure
List of requirements, setting up nodes, configuring storage, and installing Red Hat Update Infrastructure 4
Abstract
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Installation options
The following table presents the various Red Hat Update Infrastructure 4 components.
Table 1.1. Red Hat Update Infrastructure components and functions
Component | Acronym | Function | Alternative |
---|---|---|---|
Red Hat Update Appliance | RHUA | Downloads new packages from the Red Hat content delivery network and copies new packages to each CDS node | None |
Content Delivery Server | CDS | Provides the | None |
HAProxy | None | Provides load balancing across CDS nodes | Existing load balancing solution |
Shared storage | None | Provides shared storage | Existing storage solution |
The following table describes how to perform installation tasks.
Table 1.2. Red Hat Update Infrastructure installation tasks
Installation Task | Performed on |
---|---|
Install RHEL 8 | RHUA, CDS, and HAProxy |
Subscribe the system | RHUA, CDS, and HAProxy |
Attach a RHUI subscription | RHUA, CDS, and HAProxy |
Apply updates | RHUA, CDS and HAProxy |
Install | RHUA |
Run | RHUA |
1.1. Option 1: Full installation
- A RHUA
- Two or more CDS nodes with shared storage
- One or more HAProxy load-balancers
1.2. Option 2: Installation with an existing storage solution
- A RHUA
- Two or more CDS nodes with an existing storage solution
- One or more HAProxy load-balancers
1.3. Option 3: Installation with an existing load-balancer solution
- A RHUA
- Two or more CDS nodes with shared storage
- An existing load-balancer
1.4. Option 4: Installation with existing storage and load-balancer solutions
- A RHUA
- Two or more CDS nodes with existing shared storage
- An existing load-balancer
The following figure depicts a high-level view of how the various Red Hat Update Infrastructure 4 components interact.
Figure 1.1. Red Hat Update Infrastructure 4 overview
You need to subscribe the RHUA as --type rhui and have a Red Hat Certified Cloud and Service Provider subscription to install RHUI. You also need an appropriate content certificate.
Install the RHUA and CDS nodes on separate x86_64 servers (bare metal or virtual machines). Ensure all the servers and networks that connect to RHUI can access the Red Hat Subscription Management service.
Chapter 2. Installation checklist
Before you begin installing Red Hat Update Infrastructure (RHUI), refer to the following checklist to ensure that you have all the necessary components and information required for installation.
Table 2.1. List of components required for installing RHUI
Required Information | Information Usage | Resources and Notes |
---|---|---|
Red Hat Credentials | Red Hat credentials to manage subscription and access to Red Hat repositories. | |
Network and Firewall access | Network and firewall requirements for the Red Hat Update Appliance (RHUA) and Content Delivery Server (CDS) nodes. | It is possible for a CDS to have a client-facing host name that differs from the host name used for intra-Red Hat Update Infrastructure communication. If you are using client-facing host names, note each CDS’s client-facing FQDN and the corresponding IP address. |
Proxy settings | Proxy for access to the Red Hat content delivery network. | Proxy settings for RHUI are set automatically during installation on the RHUA and CDS nodes. They are set in the |
Content Repository Size | Storage space for the RPM packages required by Red Hat Update Infrastructure. | See Preparing your Environment for Installation for specific storage requirements, or use the Also, all repositories are placed in the |
Client Profiles | RHUI content available to the client | A client profile determines the RHUI content that is available to the client and the CDS from which the client downloads that content. |
Use a separate storage volume for the installation if you expect to store a large amount of data.
In addition, each RHUI server (RHUA node or CDS node) requires a separate file system of the required size. It is important to use technologies such as LVM, SAN, or NAS storage that allow you to increase the size of the content repository if needed.
Chapter 3. Technical configuration required for installing RHUI
Before you install Red Hat Update Infrastructure (RHUI), you must configure your system and components as follows.
Complete the initial stages of the Red Hat Certified Cloud and Service Provider (CCSP) certification:
- Virtualization, image creation, and instance provisioning technologies, tools, and processes.
- Proposed process for measuring and reporting consumption of Red Hat software.
- Proposed process for notifying customers of errata updates to Red Hat software.
- Proposed process for making images that include Red Hat software available to customers, including image life cycle management and retiring outdated images.
For more information, see Product Documentation for Red Hat Certified Cloud and Service Provider Certification Browse Knowledgebase.
Self-signed certificates are typically used for RHUI deployment. However, if you wish to use SSL certificates signed by a third-party certificate authority, you must ensure that they are obtained by the client and reviewed by Red Hat.
Note: You can use the Red Hat consultant to assist with the development of self-signed certificates. This will not affect the user experience of the client’s customers.
- Ensure that the client will provide systems, virtual machines, or tenant instances for installation of all Red Hat Update Appliances (RHUAs), external load balancers, and content delivery servers (CDSs).
- Make sure you have the latest version of Red Hat Enterprise Linux (RHEL) 8 available, either as an ISO or as a subscription.
Ensure that you have one RHUA node with the following configuration:
- Latest version of RHEL 8 with Minimal Installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 8 GB memory
  Note: You must increase the minimum memory to 16 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
- A 20 GB disk for the operating system
- A 50 GB disk dedicated for PostgreSQL and mounted to /var/lib/pgsql.
  Note: You must increase the disk capacity to at least 100 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
  For even larger installations, of 500 or more repositories, you must also scale the database storage.
Ensure that you have one HAProxy node with the following configuration:
- Latest version of RHEL 8 with Minimal Installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 2 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 4 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 4 GB memory
  Note: You must increase the minimum memory to 8 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
- A 20 GB disk for the operating system
Ensure that you have at least two CDS nodes (physical or virtual) with the following recommended configuration:
- Latest version of RHEL 8 with Minimal Installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 8 GB memory
- A 50 GB disk with default Nginx log rotation
Ensure that image certification is performed on RHEL guest templates as provided:
- A minimum 10 GB disk for the operating system
- iptables is enabled
- SELinux is enabled
- If password authentication is enabled, you must use the strongest possible hash
- Default logging is enabled
Ensure that the client’s network is properly configured as follows:
- IP addresses must be allocated for all RHUAs, CDSs, and external load balancers (if any).
- DNS records (forward and reverse) or /etc/hosts entries have been created for all IP addresses. For example, rhua.example.com, cds1.example.com, cds2.example.com, and rhui-lb.example.com.
- If your server has multiple network interface cards (NICs), the fully qualified domain name (FQDN) of the RHUA and the CDSs must be resolved to the IP of the NIC that is used to communicate between the RHUA and the CDSs.
- RHUI uses DNS to reach the CDN. In most cases, your instance should be preconfigured to talk to the proper DNS servers hosted as part of the cloud’s infrastructure. If you run your own DNS servers or update your client DNS configuration, there is a chance you will see errors similar to "yum Could not contact any CDS load balancers". In these cases, check that your DNS server is forwarding to the cloud’s DNS servers for the request or that your DNS client is configured to fall back to the cloud’s DNS server for name resolution.
- Using more than one HAProxy node requires a round-robin DNS entry for the host name used as the value of the --cds-lb-hostname parameter when rhui-installer is run (cds.example.com in this guide) that resolves to the IP addresses of all HAProxy nodes. How to Configure DNS Round Robin presents one way to configure a round-robin DNS. In the context of RHUI, these will be the IP addresses of the HAProxy nodes, and they are to be mapped to the host name specified as --cds-lb-hostname while calling rhui-installer. See HAProxy Configuration for more information.
Ensure that all required network ports are open and that network access is restricted to only the nodes that you plan to use.
Table 3.1. List of ports and their usage
Connection | Port | Usage |
---|---|---|
RHUA to CDS | 22/TCP | SSH configuration and access |
RHUA to HAProxy servers | 22/TCP | SSH configuration and access |
Clients to HAProxy | 443/TCP | Access to content |
HAProxy to CDS | 443/TCP | Load balancing |
NFS ports open for CDS and RHUA | 2049/TCP | File system |
CDS to RHUA | 443/TCP | Retrieve content that has not been symlinked |
- Ensure that the network proxy settings between RHUA and the Red Hat CDN are configured appropriately.
- Ensure that the network proxy settings between the CDSs and the clients via yum.conf are configured appropriately.
- Ensure a round-robin DNS entry is used if more than one HAProxy node is used.
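One way to turn Table 3.1 into per-node firewalld rules, as an added example that is not part of Red Hat's documentation: the script prints `firewall-cmd` rich-rule commands for the inbound connections each role needs. All addresses are constructed sample values, and the `storage` role (an NFS server) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: print firewalld rich rules that implement Table 3.1.
# Addresses are constructed sample values from documentation ranges.
# The "storage" role (an NFS server) and all names below are assumptions.

RHUA_IPS="192.0.2.10"
CDS_IPS="192.0.2.21 192.0.2.22"
HAPROXY_IPS="192.0.2.31"
CLIENT_NETS="198.51.100.0/24"

# valid_src ADDR: syntax check for a dotted IPv4 address with optional /0-32
# prefix, so nothing else can end up inside a generated command line.
valid_src() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# allow PORT SRC...: print one rich-rule command per permitted source.
allow() {
    port=$1
    shift
    for src in "$@"; do
        valid_src "$src" || { echo "invalid source: $src" >&2; return 1; }
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$src" "$port"
    done
}

# rules_for ROLE: inbound rules for a node of that role, one table row each.
# The address lists are left unquoted on purpose so they split into sources.
rules_for() {
    case $1 in
        rhua)
            allow 443 $CDS_IPS ;;                        # CDS to RHUA
        cds)
            allow 22 $RHUA_IPS &&                        # RHUA to CDS
            allow 443 $HAPROXY_IPS ;;                    # HAProxy to CDS
        haproxy)
            allow 22 $RHUA_IPS &&                        # RHUA to HAProxy servers
            allow 443 $CLIENT_NETS ;;                    # Clients to HAProxy
        storage)
            allow 2049 $RHUA_IPS $CDS_IPS ;;             # NFS for CDS and RHUA
        *)
            echo "unknown role: $1" >&2
            return 1 ;;
    esac
}

# Usage: sh rhui-fw.sh cds   (review the output, run it, then firewall-cmd --reload)
if [ $# -gt 0 ]; then
    rules_for "$1"
fi
```

Rich rules only narrow access when the zone does not also open the same port to every source through a service or port entry, so compare the result with `firewall-cmd --list-all`.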
Chapter 4. Installing Red Hat Enterprise Linux
To use RHUI efficiently and to access Red Hat repositories and support, you must first install Red Hat Enterprise Linux (RHEL) on each of your RHUA, CDS, and HAProxy nodes.
Prerequisite
- Make sure you have the latest version of RHEL 8 available, either as an ISO or as a subscription.
Procedure
- Navigate to the node on which you wish to install RHEL.
- Install RHEL.
  For detailed instructions on how to install RHEL, see Performing a standard RHEL 8 installation.
Chapter 5. Setting up RHUA nodes
To access the RHUI interface and manage various RHUI functionalities, you must first set up the RHUA node.
The following process explains how to:
5.1. Registering the RHUA node
The following instructions explain how to register your Red Hat Update Appliance (RHUA) node.
Prerequisites
- Latest version of RHEL 8 is installed.
- Ensure you have root access to the RHUA node.
Procedure
Optional: Enable all the required architectures.
By default, only the architecture on which the RHUA node is running, for example, x86_64, will be available in the RHUI content listings. However, if you want to provide content to ARM64 virtual machines (VMs), in addition to x86_64 VMs, then you must enable the respective architecture.
Note: You must enable the required architectures before you register the RHUA node. If you have already registered the node, see Section 5.4, “Including required architectures on a registered RHUA node”.
To enable architectures on an unregistered RHUA node, create an override.facts file and add the required architectures.
# echo '{ "supported_architectures": "x86_64,i386,aarch64" }' > /etc/rhsm/facts/override.facts
On the RHUA node, enter the following command to register the system:
# subscription-manager register --type=rhui --username <admin-example> --password <secret>
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>
Optional: If your system is already registered, you can override the subscription using the --force option.
# subscription-manager register --type=rhui --force
The new system will be available on the Red Hat Customer Portal, and the new RHUA instance will not have any subscriptions attached to it.
Verification
- Navigate to the Red Hat Customer Portal.
- Verify that your system is available by locating it within the Customer Portal.
5.2. Attaching a subscription to the RHUA node
The following instructions explain how to attach a subscription to your Red Hat Update Appliance (RHUA) node.
You do not need to perform the following steps if you are using Simple Content Access.
Prerequisites
- Ensure you have root access to the RHUA node.
Procedure
On the RHUA node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Enterprise Linux Atomic Host for Certified Cloud and Service Providers (via Red Hat Update Infrastructure)
Provides: Red Hat Enterprise Linux Atomic Host Beta from RHUI
          Red Hat Enterprise Linux Atomic Host from RHUI
SKU: RH00731
Contract: 11312089
Pool ID: 8a85f15a71f0bd015a72445adf0223
Provides Management: No
Available: 19
Suggested: 1
Service Level: Premium
Service Type: L1-L3
Subscription Type: Standard
Ends: 02/22/2018
System Type: Physical

Subscription Name: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
Provides: dotNET on RHEL (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Server from RHUI
          Red Hat Software Collections (for RHEL Server) from RHUI
          Red Hat Enterprise Linux for SAP from RHUI
          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Server - Extended Update Support from RHUI
          dotNET on RHEL Beta (for RHEL Server) from RHUI
          Red Hat Enterprise Linux for SAP Hana from RHUI
          RHEL Software Test Suite (for RHEL Server) from RHUI
          Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
          Red Hat Update Infrastructure
          Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
SKU: RC1116415
Contract: 1134314
Pool ID: 8a85f15a71f0bd015a72445adf0223
Provides Management: No
Available: 20
Suggested: 1
Service Level: Premium
Service Type: L1-L3
Subscription Type: Standard
Ends: 02/23/2018
System Type: Physical
Attach a subscription using its pool ID. For example, the following command attaches the Red Hat Update Infrastructure and RHEL Add-Ons for Providers subscription.
# subscription-manager attach --pool=8a85f9815a71f0bd015a72445adf0223
Successfully attached a subscription for: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
5.3. Enabling the required repositories on the RHUA node
To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rhui-rpms, rhel-8-for-x86_64-appstream-rhui-rpms, and ansible-2-for-rhel-8-x86_64-rhui-rpms repositories on the RHUA node.
If you are planning to use Ceph File System (CephFS) as your shared storage, you must also enable the rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms repository.
RHUA nodes require RHEL installations with base packages, and with all repositories disabled except for the rhel-8-for-x86_64-baseos-rhui-rpms, rhel-8-for-x86_64-appstream-rhui-rpms, ansible-2-for-rhel-8-x86_64-rhui-rpms and, optionally, rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms repositories. This requirement means that you cannot install any third-party configurations or software that are not necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software.
Prerequisites
- Ensure you have root access to the RHUA node.
Procedure
Navigate to the RHUA node, list the enabled repositories, and verify that your system is correctly subscribed.
If not using Simple Content Access (SCA):
# subscription-manager list --consumed
+-------------------------------------------+
    Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
Provides: JBoss Enterprise Application Platform from RHUI
          JBoss Enterprise Web Server from RHUI
          JBoss Operations Network from RHUI
          RHEL for SAP - Update Services for SAP Solutions from RHUI
          Red Hat Developer Tools from RHUI (for RHEL Server)
          Red Hat Enterprise Linux Server - Extended Update Support from RHUI
          RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
          Red Hat Developer Tools Beta from RHUI (for RHEL Server)
          Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
          Red Hat JBoss Core Services from RHUI
          Red Hat Enterprise Linux for x86_64 from RHUI
          Red Hat Enterprise Linux for x86_64 Beta from RHUI
          Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
          Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
          Red Hat Enterprise Linux for SAP from RHUI
          Red Hat CodeReady Linux Builder for x86_64 from RHUI
          Red Hat Enterprise Linux for SAP Hana from RHUI
          Red Hat CodeReady Linux Builder for ARM 64 from RHUI
          RHEL Software Test Suite (for RHEL Server) from RHUI
          Red Hat Gluster Storage Server for On-premise from RHUI
          Red Hat Single Sign-On from RHUI
          Red Hat Enterprise Linux High Availability for x86_64 from RHUI
          Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
          Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
          Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
          RHEL for SAP HANA - Extended Update Support (from RHUI)
          RHEL for SAP - Extended Update Support (from RHUI)
          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux for ARM 64 from RHUI
          Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
          Red Hat Software Collections (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Server for ARM from RHUI
          Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
          Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
          Red Hat Software Collections (for RHEL Server for ARM) from RHUI
          Red Hat Ansible Engine from RHUI
          Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
          Red Hat Enterprise Linux for ARM 64 Beta from RHUI
          Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
          Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
          dotNET on RHEL (for RHEL Server) from RHUI
          dotNET on RHEL Beta (for RHEL Server) from RHUI
          Red Hat Update Infrastructure
          Red Hat Enterprise Linux Server from RHUI
SKU: RC11164
Contract: 126839
Account: 5401
Serial: 5744492009337488
Pool ID: 8a85f9a1790fb0ed017961af515b7
Provides Management: No
Active: True
Quantity Used: 1
Service Type: L1-L3
Roles:
Service Level: Premium
Usage:
Add-ons:
Status Details: Subscription is current
Subscription Type: Standard
Starts: 05/12/2021
Ends: 05/11/2022
Entitlement Type: Physical
---------------------------------------------------------------------------------
If using Simple Content Access (SCA):
# subscription-manager status
+-------------------------------------------+
    System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
System Purpose Status: Disabled
---------------------------------------------------------------------------------
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rhui-rpms --enable=rhel-8-for-x86_64-appstream-rhui-rpms
Optional: If you are planning to use CephFS, enable the Ceph tools repository.
# subscription-manager repos --enable rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms
Enable the Ansible repository.
# subscription-manager repos --enable=ansible-2-for-rhel-8-x86_64-rhui-rpms
Enable the RHUI 4 repository.
# subscription-manager repos --enable=rhui-4-for-rhel-8-x86_64-rpms
5.4. Including required architectures on a registered RHUA node
By default, only the architecture on which the RHUA node is running, for example, x86_64, will be available in the RHUI content listings. However, if you want to provide content to ARM64 virtual machines (VMs), in addition to x86_64 VMs, then you can add the additional architectures to a RHUA node and register the node again.
Prerequisites
- Ensure you have root access to the RHUA node.
Procedure
Create an override.facts file and add the required architectures.
# echo '{ "supported_architectures": "x86_64,i386,aarch64" }' > /etc/rhsm/facts/override.facts
Override the subscription using the --force option.
# subscription-manager register --type=rhui --force
Delete the current RHUI cert and repository mapping cache.
# rm /etc/pki/rhui/redhat/* /var/cache/rhui/*
Optional: If you do not have Simple Content Access enabled, then manually attach the RHUI pool.
# subscription-manager attach --pool <id>
Synchronize the subscription.
# rhui-subscription-sync
Chapter 6. Setting up CDS nodes
To provide repositories that clients can connect to and access the updated packages, you must first set up the CDS nodes.
The following process explains how to:
6.1. Registering the CDS node
The following instructions explain how to register your Content Delivery Server (CDS) nodes.
Prerequisites
- Latest version of RHEL 8 is installed.
- Ensure you have root access to each of the CDS nodes.
Procedure
On the CDS nodes, enter the following command:
# subscription-manager register --username <admin-example> --password <secret>
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: <a1b2c3-d4e5-f6g7-2345-hij890klm123>
Optional: If your system is already registered, you can override the subscription using the --force option.
# subscription-manager register --force
The new system will be available on the Red Hat Customer Portal, and the new CDS instance will not have any subscriptions attached to it.
Verification
- Navigate to the Red Hat Customer Portal.
- Verify that your system is available by locating it within the Customer Portal.
6.2. Attaching a subscription to the CDS node
The following instructions explain how to attach a subscription to your content delivery server (CDS) node.
You do not need to perform the following steps if you are using Simple Content Access.
Prerequisites
- Ensure you have root access to the CDS node.
Procedure
On the CDS node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
...
Subscription Name: <Subscription-Name>
Pool ID: <pool-ID>
...
Attach a subscription using its pool ID.
# subscription-manager attach --pool=<pool-ID>
Successfully attached a subscription for: <Subscription-Name>
6.3. Enabling the required repositories on the CDS node
To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the CDS node.
If you are planning to use Ceph File System (CephFS) as your shared storage, then you must also enable the rhceph-5-tools-for-rhel-8-x86_64-rpms repository.
CDS nodes require RHEL installations with base packages and with all repositories disabled except for the rhel-8-for-x86_64-baseos-rpms, rhel-8-for-x86_64-appstream-rpms, and, optionally, rhceph-5-tools-for-rhel-8-x86_64-rpms repositories. This requirement means that you cannot install any third-party configurations or software that are not necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software.
Prerequisites
- Ensure that you have root access to all the CDS nodes you plan to use.
Procedure
Navigate to a CDS node, list the enabled repositories, and verify that your system is correctly subscribed.
If not using Simple Content Access (SCA):
# subscription-manager list --consumed
+-------------------------------------------+
    Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
Provides: JBoss Enterprise Application Platform from RHUI
          JBoss Enterprise Web Server from RHUI
          JBoss Operations Network from RHUI
          RHEL for SAP - Update Services for SAP Solutions from RHUI
          Red Hat Developer Tools from RHUI (for RHEL Server)
          Red Hat Enterprise Linux Server - Extended Update Support from RHUI
          RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
          Red Hat Developer Tools Beta from RHUI (for RHEL Server)
          Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
          Red Hat JBoss Core Services from RHUI
          Red Hat Enterprise Linux for x86_64 from RHUI
          Red Hat Enterprise Linux for x86_64 Beta from RHUI
          Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
          Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
          Red Hat Enterprise Linux for SAP from RHUI
          Red Hat CodeReady Linux Builder for x86_64 from RHUI
          Red Hat Enterprise Linux for SAP Hana from RHUI
          Red Hat CodeReady Linux Builder for ARM 64 from RHUI
          RHEL Software Test Suite (for RHEL Server) from RHUI
          Red Hat Gluster Storage Server for On-premise from RHUI
          Red Hat Single Sign-On from RHUI
          Red Hat Enterprise Linux High Availability for x86_64 from RHUI
          Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
          Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
          Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
          RHEL for SAP HANA - Extended Update Support (from RHUI)
          RHEL for SAP - Extended Update Support (from RHUI)
          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
          Red Hat Enterprise Linux for ARM 64 from RHUI
          Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
          Red Hat Software Collections (for RHEL Server) from RHUI
          Red Hat Enterprise Linux Server for ARM from RHUI
          Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
          Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
          Red Hat Software Collections (for RHEL Server for ARM) from RHUI
          Red Hat Ansible Engine from RHUI
          Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
          Red Hat Enterprise Linux for ARM 64 Beta from RHUI
          Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
          Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
          dotNET on RHEL (for RHEL Server) from RHUI
          dotNET on RHEL Beta (for RHEL Server) from RHUI
          Red Hat Update Infrastructure
          Red Hat Enterprise Linux Server from RHUI
SKU: RC11164
Contract: 126839
Account: 5401
Serial: 5744492009337488
Pool ID: 8a85f9a1790fb0ed017961af515b7
Provides Management: No
Active: True
Quantity Used: 1
Service Type: L1-L3
Roles:
Service Level: Premium
Usage:
Add-ons:
Status Details: Subscription is current
Subscription Type: Standard
Starts: 05/12/2021
Ends: 05/11/2022
Entitlement Type: Physical
---------------------------------------------------------------------------------
If using Simple Content Access (SCA):
# subscription-manager status
+-------------------------------------------+
    System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
System Purpose Status: Disabled
---------------------------------------------------------------------------------
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms
Optional: If you are planning to use CephFS, enable the Ceph tools repository.
# subscription-manager repos --enable rhceph-5-tools-for-rhel-8-x86_64-rpms
- Repeat the steps on all the CDS nodes you plan to use.
Verification
List the enabled repositories and verify whether the relevant repositories appear on the list.
# yum repolist enabled
repo id                             repo name
rhel-8-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms       Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
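Sections 5.3 and 6.3 both require that no repositories other than the listed ones stay enabled. The following added example (not part of Red Hat's documentation) audits `yum repolist enabled` output against those lists for a RHUA or CDS node; the function names and the sample outputs, including the `epel` entry, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit enabled repositories against sections 5.3 and 6.3.
# Function names and the sample outputs below are constructed.

# required_repos ROLE: repositories the procedures enable for ROLE.
# For the RHUA this includes the RHUI 4 repository from the last step of 5.3.
required_repos() {
    case $1 in
        rhua) printf '%s\n' \
                rhel-8-for-x86_64-baseos-rhui-rpms \
                rhel-8-for-x86_64-appstream-rhui-rpms \
                ansible-2-for-rhel-8-x86_64-rhui-rpms \
                rhui-4-for-rhel-8-x86_64-rpms ;;
        cds)  printf '%s\n' \
                rhel-8-for-x86_64-baseos-rpms \
                rhel-8-for-x86_64-appstream-rpms ;;
        *)    return 2 ;;
    esac
}

# optional_repos ROLE: the Ceph tools repository, allowed only with CephFS.
optional_repos() {
    case $1 in
        rhua) echo rhceph-5-tools-for-rhel-8-x86_64-rhui-rpms ;;
        cds)  echo rhceph-5-tools-for-rhel-8-x86_64-rpms ;;
    esac
}

# enabled_ids: read `yum repolist enabled` output on stdin and print the repo
# IDs, skipping anything printed before the "repo id" header line.
enabled_ids() {
    awk 'seen && NF { print $1 } /^repo id/ { seen = 1 }'
}

# audit_repos ROLE: read repolist output on stdin; print one finding per line
# and return 1 if a repository is unexpected or a required one is missing.
audit_repos() {
    role=$1
    required=$(required_repos "$role") || { echo "unknown role: $role" >&2; return 2; }
    optional=$(optional_repos "$role")
    enabled=$(enabled_ids)
    findings=$(
        for id in $enabled; do
            printf '%s\n%s\n' "$required" "$optional" | grep -qxF -- "$id" ||
                echo "UNEXPECTED $id"
        done
        for id in $required; do
            printf '%s\n' "$enabled" | grep -qxF -- "$id" || echo "MISSING $id"
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a CDS node that matches the guide.
sample_clean() {
    cat <<'EOF'
Updating Subscription Management repositories.
repo id                             repo name
rhel-8-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms       Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
EOF
}

# Constructed sample: a third-party repository enabled and BaseOS disabled.
sample_drift() {
    cat <<'EOF'
Updating Subscription Management repositories.
repo id                             repo name
epel                                Extra Packages for Enterprise Linux 8 - x86_64
rhel-8-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
EOF
}

# Usage on a node: sh repo-audit.sh cds
if [ $# -gt 0 ]; then
    yum repolist enabled | audit_repos "$1"
fi
```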
Chapter 7. Setting up HAProxy nodes
To provide load balancing capabilities across the CDS nodes, you must first set up the HAProxy nodes.
The following process explains how to:
7.1. Registering the HAProxy node
The following instructions explain how to register your HAProxy nodes.
Prerequisites
- Latest version of RHEL 8 is installed.
- Ensure you have root access to the HAProxy nodes.
Procedure
On the HAProxy node, enter the following command:
# subscription-manager register --username <admin-example> --password <secret>
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: <a1b2c3-d4e5-f6g7-2345-hij890klm123>
Optional: If your system is already registered, you can override the subscription using the --force option.
# subscription-manager register --force
The new system will be available on the Red Hat Customer Portal, and the new HAProxy instance will not have any subscriptions attached to it.
Verification
- Navigate to the Red Hat Customer Portal.
- Verify that your system is available by locating it within the Customer Portal.
7.2. Attaching a subscription to the HAProxy node
The following instructions explain how to attach a subscription to your HAProxy node.
You do not need to perform the following steps if you are using Simple Content Access.
Prerequisites
- Ensure you have root access to the HAProxy node.
Procedure
On the HAProxy node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
...
Subscription Name: <Subscription-Name>
Pool ID: <pool-ID>
...
Attach a subscription using its pool ID.
# subscription-manager attach --pool=<pool-ID>
Successfully attached a subscription for: <Subscription-Name>
7.3. Enabling the required repositories on the HAProxy node
To install RHUI on your system, you must first enable certain repositories on your nodes which contain the required packages. The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the HAProxy node.
Prerequisites
- Ensure you have root access to the HAProxy node.
Procedure
Navigate to a HAProxy node, list the enabled repositories, and verify that your system is correctly subscribed.
If not using Simple Content Access (SCA):
# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
Provides:          JBoss Enterprise Application Platform from RHUI
                   JBoss Enterprise Web Server from RHUI
                   JBoss Operations Network from RHUI
                   RHEL for SAP - Update Services for SAP Solutions from RHUI
                   Red Hat Developer Tools from RHUI (for RHEL Server)
                   Red Hat Enterprise Linux Server - Extended Update Support from RHUI
                   RHEL for SAP HANA - Update Services for SAP Solutions from RHUI
                   Red Hat Developer Tools Beta from RHUI (for RHEL Server)
                   Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
                   Red Hat JBoss Core Services from RHUI
                   Red Hat Enterprise Linux for x86_64 from RHUI
                   Red Hat Enterprise Linux for x86_64 Beta from RHUI
                   Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
                   Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
                   Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
                   Red Hat Enterprise Linux High Performance Networking (for RHEL Server) from RHUI
                   Red Hat Enterprise Linux for SAP from RHUI
                   Red Hat CodeReady Linux Builder for x86_64 from RHUI
                   Red Hat Enterprise Linux for SAP Hana from RHUI
                   Red Hat CodeReady Linux Builder for ARM 64 from RHUI
                   RHEL Software Test Suite (for RHEL Server) from RHUI
                   Red Hat Gluster Storage Server for On-premise from RHUI
                   Red Hat Single Sign-On from RHUI
                   Red Hat Enterprise Linux High Availability for x86_64 from RHUI
                   Red Hat Enterprise Linux Resilient Storage for x86_64 from RHUI
                   Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support from RHUI
                   Red Hat Enterprise Linux Server - Extended Life Cycle Support (from RHUI)
                   Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support from RHUI
                   RHEL for SAP HANA - Extended Update Support (from RHUI)
                   RHEL for SAP - Extended Update Support (from RHUI)
                   Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support from RHUI
                   Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support from RHUI
                   Red Hat Enterprise Linux for ARM 64 from RHUI
                   Red Hat Enterprise Linux Server - Update Services for SAP Solutions from RHUI
                   Red Hat Software Collections (for RHEL Server) from RHUI
                   Red Hat Enterprise Linux Server for ARM from RHUI
                   Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions from RHUI
                   Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support from RHUI
                   Red Hat Software Collections (for RHEL Server for ARM) from RHUI
                   Red Hat Ansible Engine from RHUI
                   Red Hat Software Collections Beta (for RHEL Server for ARM) from RHUI
                   Red Hat Enterprise Linux for ARM 64 Beta from RHUI
                   Red Hat Developer Tools (for RHEL Server for ARM) from RHUI
                   Red Hat Developer Tools Beta (for RHEL Server for ARM) from RHUI
                   dotNET on RHEL (for RHEL Server) from RHUI
                   dotNET on RHEL Beta (for RHEL Server) from RHUI
                   Red Hat Update Infrastructure
                   Red Hat Enterprise Linux Server from RHUI
SKU:               RC11164
Contract:          126839
Account:           5401
Serial:            5744492009337488
Pool ID:           8a85f9a1790fb0ed017961af515b7
Provides Management: No
Active:            True
Quantity Used:     1
Service Type:      L1-L3
Roles:
Service Level:     Premium
Usage:
Add-ons:
Status Details:    Subscription is current
Subscription Type: Standard
Starts:            05/12/2021
Ends:              05/11/2022
Entitlement Type:  Physical
---------------------------------------------------------------------------------
If using Simple Content Access (SCA):
# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
System Purpose Status: Disabled
---------------------------------------------------------------------------------
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms
Verification
List the enabled repositories and verify whether the relevant repositories appear on the list.
# yum repolist enabled
repo id                             repo name
rhel-8-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms       Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Chapter 8. Generating a cryptographic key pair
To ensure secure data transmission between the Red Hat Update Appliance (RHUA), content delivery system (CDS), and HAProxy nodes, and to use rhui-manager to set up those nodes, you must generate a key pair on the RHUA node and copy the public key to CDS and HAProxy nodes.
You can generate either an RSA or an ECDSA key, depending on your use case.
8.1. Generating an RSA key pair
The following steps explain how to generate an RSA key pair for version 2 of the SSH protocol.
Procedure
On the RHUA node, run the ssh-keygen command with the RSA argument, and save the key in the default location.
Warning: Leave the passphrase field blank. CDS installation and registration fail if you provide a passphrase while generating the key pair.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_rsa):
Created directory '/home/USER/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USER/.ssh/id_rsa.
Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
The key fingerprint is:
e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . . |
| o . |
| . .|
| S . . |
| + o o ..|
| * * +oo|
| O +..=|
| o* o.|
+-----------------+
Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.
$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the CDS and HAProxy nodes.
$ ssh-copy-id user@<haproxy1>
$ ssh-copy-id user@<cds1>
$ ssh-copy-id user@<cds2>
8.2. Generating an ECDSA key pair
The following steps explain how to generate an ECDSA key pair for version 2 of the SSH protocol.
Procedure
On the RHUA node, run the ssh-keygen command with the ECDSA argument, and save the key in the default location.
Warning: Leave the passphrase field blank. CDS installation and registration fail if you provide a passphrase while generating the key pair.
$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
Created directory '/home/USER/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USER/.ssh/id_ecdsa.
Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
The key fingerprint is:
fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
The key's randomart image is:
+--[ECDSA 256]---+
| .+ +o |
| . =.o |
| o o + ..|
| + + o +|
| S o o oE.|
| + oo+.|
| + o |
| |
| |
+-----------------+
Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.
$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the CDS and HAProxy nodes.
$ ssh-copy-id user@<haproxy1>
$ ssh-copy-id user@<cds1>
$ ssh-copy-id user@<cds2>
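The two conditions this chapter sets for the RHUA key (an empty passphrase and a ~/.ssh/ directory with mode 700) can be checked before any CDS or HAProxy node is added. The following is an added example, not part of the Red Hat documentation; the function name check_rhua_key and the finding labels are hypothetical, and it assumes GNU stat and ssh-keygen as shipped on RHEL 8.

```shell
#!/bin/sh
# Pre-flight check for the key pair generated on the RHUA node (added example).

# check_rhua_key PRIVATE_KEY
# Prints one finding per line; returns 0 when the key meets the chapter's
# requirements, 1 otherwise.
check_rhua_key() {
    key=$1
    dir=$(dirname "$key")
    rc=0

    # The chapter requires rwx------ (700) on the ~/.ssh/ directory.
    dir_mode=$(stat -c '%a' "$dir")
    if [ "$dir_mode" != "700" ]; then
        echo "DIR_MODE $dir is $dir_mode, expected 700"
        rc=1
    fi

    key_mode=$(stat -c '%a' "$key")
    case $key_mode in
        400|600) ;;
        *)
            # OpenSSH refuses private keys that group or others can read,
            # so the passphrase probe below would fail for the wrong reason.
            echo "KEY_MODE $key is $key_mode, expected 600 or 400"
            return 1
            ;;
    esac

    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "NO_SSH_KEYGEN cannot inspect $key"
        return 1
    fi

    # -y re-derives the public key from the private key; -P '' supplies an
    # empty passphrase, so a passphrase-protected key fails without prompting.
    if derived=$(ssh-keygen -y -P '' -f "$key" 2>/dev/null); then
        want=$(printf '%s\n' "$derived" | cut -d' ' -f1,2)
        have=$(cut -d' ' -f1,2 "$key.pub" 2>/dev/null)
        if [ "$want" != "$have" ]; then
            echo "PUB_MISMATCH $key.pub does not belong to $key"
            rc=1
        fi
    else
        echo "PASSPHRASE $key cannot be loaded with an empty passphrase"
        rc=1
    fi
    return $rc
}

# Usage on the RHUA node:
#   check_rhua_key "$HOME/.ssh/id_rsa"
```

Because the key has no passphrase, the file permissions checked here are the only protection on the private key that reaches every CDS and HAProxy node.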
Chapter 9. Configuring shared storage
The RHUA and CDS nodes require a shared storage volume, which can be accessed by both, to store content managed by RHUI.
Currently, RHUI supports the following storage solutions:
- Network File System (NFS)
- Ceph File System (CephFS)
9.1. Configuring shared storage using NFS
When using Network File System (NFS) as your shared storage, you must set up an NFS server either on the RHUA node or on a dedicated machine.
The following instructions explain how to create, configure, and verify NFS to work with RHUI.
Setting up your NFS server on a dedicated machine allows the CDS nodes and your RHUI clients to continue working even if something happens to the RHUA node.
Prerequisites
- Ensure you have root access to the NFS server
- Ensure you have root access to the RHUA node
- Ensure you have root access to all the CDS nodes you plan to use.
Procedure
Install the nfs-utils package on the node hosting the NFS server, the RHUA node (if it differs from the NFS node), and all the CDS nodes.
# dnf install nfs-utils
Create a suitable directory to hold all the RHUI content.
# mkdir /export
Allow your RHUA and CDS nodes access to the directory by editing the /etc/exports file and adding the following line:
/export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) cds02.example.com(rw,no_root_squash)
Start and enable the NFS service.
# systemctl start nfs-server
# systemctl start rpcbind
# systemctl enable nfs-server
# systemctl enable rpcbind
Note: If the NFS service is already running, use the restart command instead of the start command.
Verification
To test whether an NFS server is set up on a machine named filer.example.com, run the following commands on a CDS node:
# mkdir /mnt/nfstest
# mount filer.example.com:/export /mnt/nfstest
# touch /mnt/nfstest/test
Your setup is working properly if you do not get any error messages.
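The /etc/exports line in this procedure grants rw with no_root_squash, so root on every listed client acts as root on the export; the client list is therefore the access control for all RHUI content. The following added example (not part of the Red Hat documentation) audits an exports file against the hosts you expect. The function names, finding labels, and sample file are constructed for illustration, and continuation lines ending in a backslash are not handled.

```shell
#!/bin/sh
# Audit an NFS exports file for the RHUI share (added example).
# usage: audit_exports FILE EXPECTED_HOST...     (FILE may be "-" for stdin)
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
#   WORLD       path exported without a client list (any host may mount it)
#   BROAD       wildcard, network or netgroup client
#   BROAD_ROOT  the same, and with no_root_squash
#   UNEXPECTED  a single host that is not in the expected list
#   MISSING     an expected host that appears in no export
audit_exports() {
    exports_file=$1
    shift
    awk -v expected="$*" '
    BEGIN {
        n = split(expected, want, " ")
        for (i = 1; i <= n; i++) known[want[i]] = 1
    }
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 { next }
    NF == 1 { print "WORLD " $1 " has no client list"; bad = 1; next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i
            opts = ""
            p = index(client, "(")
            if (p > 0) {
                opts = substr(client, p + 1)
                sub(/\)$/, "", opts)
                client = substr(client, 1, p - 1)
            }
            root = (index("," opts ",", ",no_root_squash,") > 0)
            broad = (client == "" || index(client, "*") > 0 ||
                     index(client, "?") > 0 || index(client, "/") > 0 ||
                     substr(client, 1, 1) == "@")
            if (broad) {
                tag = root ? "BROAD_ROOT" : "BROAD"
                print tag " " $1 " " $i
                bad = 1
            } else if (!(client in known)) {
                print "UNEXPECTED " $1 " " $i
                bad = 1
            } else {
                seen[client] = 1
            }
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { print "MISSING " want[i]; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$exports_file"
}

# Constructed sample: the RHUA and first CDS entries from the procedure above,
# a wildcard entry in place of cds02, and one host that should not be there.
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real configuration
/export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) *(rw,no_root_squash)
/export build.example.net(rw)
EOF
}

sample_exports |
    audit_exports - rhua.example.com cds01.example.com cds02.example.com || true
```

On the NFS server, run it as `audit_exports /etc/exports rhua.example.com cds01.example.com cds02.example.com` after every change to the file.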
9.2. Configuring shared storage using CephFS
When using Ceph File System (CephFS) as your shared storage, you must set up a file system and share it over the network. RHUI treats the shared file system as a simple mount point, which you can mount on the file systems of the RHUA and CDS nodes.
Do not set up the Ceph shared file storage on the RHUI nodes. You must configure CephFS on independent dedicated machines.
The following instructions explain how to verify whether an existing Ceph file system can work with RHUI.
This document does not provide instructions to set up Ceph shared file storage. For instructions on how to do so, consult your system administrator.
Prerequisites
- Ensure you have the following identification information:
  - The IP address and port of the host where the cluster monitor daemon for the Ceph distributed file system is running.
    As a CephFS system administrator, run the command ceph mon dump on the Ceph master node. You can find the IP address and port listed as <ceph_monip>:<ceph_port>.
  - The Ceph username, usually admin.
  - The Ceph file system name.
    As a CephFS system administrator, run the command ceph fs ls on the Ceph master node. You can find the file system name listed as <cephfs_name>.
  - The Ceph secret key.
    As a CephFS system administrator, run the command ceph auth get client.admin on the Ceph master node. You can find the secret key listed as <ceph_secretkey>.
- Ensure you have root access to the RHUA node and all the CDS nodes you plan to use.
Enable the Ceph Tools repository on the RHUA and CDS nodes. For more information, see:
Procedure
On the RHUA and CDS nodes, install the ceph-common package:
# dnf install ceph-common
Verification
To test whether a Ceph File Share is available and whether RHUI can use it, run the following commands on the RHUA node or on one of the CDS nodes:
# mkdir /mnt/mycephfs_test
# mount -t ceph <ceph_monip>:<ceph_port>:/ /mnt/mycephfs_test -o name=admin,secret=<ceph_secretkey>,fs=<cephfs_name>
# touch /mnt/mycephfs_test/testfile
# ls /mnt/mycephfs_test
Your setup is working properly if you do not get any error messages.
Clean up the test mount point.
# rm /mnt/mycephfs_test/testfile
# umount /mnt/mycephfs_test
Chapter 10. Updating your system
Before you install RHUI, it is a good practice to secure your system by installing all the latest available updates.
Prerequisites
- Ensure that the system is registered to Red Hat.
- All the relevant repositories are enabled.
Procedure
Navigate to each of your nodes and apply any available operating system updates.
For detailed information about updating your system, see Securing your system.
- Reboot the nodes.
Verify that all configuration changes have persisted.
Warning: Make sure the host name of the RHUA is set correctly. If the host name is not set and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.
Chapter 11. Installing Red Hat Update Infrastructure
Once you have completed the prerequisites, you can install RHUI on your system using repositories and a network connection to resolve dependencies.
You can install RHUI using the following shared storage solutions:
- NFS
- CephFS
11.1. RHUI Installer arguments
You can use the RHUI Installer command, rhui-installer, with a combination of the following arguments to install and configure Red Hat Update Infrastructure (RHUI) based on your use case.
Mandatory RHUI Installer Arguments
Table 11.1. Mandatory RHUI Installer arguments
Argument | Description |
---|---|
--cds-lb-hostname CDS_LB_HOSTNAME | The hostname of the load balancer used by clients to access the CDS, specified as a fully qualified domain name (FQDN). |
--rhua-hostname RHUA_HOSTNAME | The hostname of the RHUA node, specified as an FQDN. |
--remote-fs-server REMOTE_FS_SERVER | The remote mount point for the shared file system. For example, |
| An optional username without administrative privileges. It is used to run the Ansible installation playbooks on the RHUA node. Note By default, RHUI Installer uses the output from the logname(1) command for the username. However, if logname(1) does not return a username or you want to run the installer as a different user, you can use the --user or -u flag. To find the default username value, run the following command: # rhui-installer --help |
--rerun | Argument to rerun RHUI Installer. By default, the flag is set to false. Note Running rhui-installer generates an |
Optional RHUI Installer Arguments
Table 11.2. Optional RHUI Installer arguments
Argument | Description |
---|---|
--colors-off | Turn off colored output. By default, the argument is set to false. |
--log-level | Sets the level of detailed output. The valid values are error, warn, success, info, and debug. By default, the argument is set to |
--answers-file ANSWERS_FILE | The location of a user supplied optional answers file. Note When you run RHUI Installer initially, it generates an |
--retain-package-versions RETAIN_PACKAGE_VERSIONS | The number of retained package versions. By default, the value is set to |
--remote-fs-mountpoint REMOTE_FS_MOUNTPOINT | The location of the file system to mount the remote share. By default, the location is |
--remote-fs-conf-server REMOTE_FS_CONF_SERVER | Remote shared filesystem to be mounted at |
--remote-fs-cert-server REMOTE_FS_CERT_SERVER | Remote shared filesystem to be mounted at |
--remote-fs-logs-server REMOTE_FS_LOGS_SERVER | Remote shared filesystem to be mounted at |
--remote-fs-type REMOTE_FS_TYPE | The file system type to use. The valid values are |
--rhui-manager-password RHUI_MANAGER_PASSWORD | The |
--pulp-workers NUMBER_OF_WORKERS | The number of pulp workers associated with the RHUI instance. The number must be greater than 0. The default number of workers is 8. |
--ignore-newer-rhui-packages | Use this flag to prevent the installation of any available newer RHUI packages. This flag is ignored if there is no newer rhui-installer package. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False. |
--ignore-newer-rhel-packages | Use this flag to prevent the installation of any available newer packages. It is not saved in the answers.yaml file. It must be specified every time this functionality is desired. The default value is False, meaning the RHUA will get updated. Note RHUA must be rebooted if any package has been updated that requires rebooting. The command to check this is: |
--fetch-missing-symlinks FETCH_MISSING_SYMLINKS | The flag to configure CDS nodes to fetch missing symlinks from the RHUA node. The values are True and False. The default value is True. To configure CDS nodes in an already installed RHUI instance, rerun the installer with the flag and apply the change to all CDS nodes. Note If your clients try to fetch the content before it is exported, they will encounter HTTP 404 errors. |
--container-support-enabled CONTAINER_SUPPORT_ENABLED | The flag to enable container support in RHUI. The values are True and False. The default value is False. |
--rhua-mount-options RHUA_MOUNT_OPTIONS | The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. Before you set it up, ensure that it is possible to umount the current remote filesystem. If RHUA is already running, the pulp service needs to be stopped prior to using this flag. You must also reinstall all CDS nodes after you set the flag. The default value is Note This flag does not apply to Ceph file systems. |
--client-repo-prefix PREFIX | The argument to use a custom prefix, or no prefix at all, when creating RHUI repository IDs. To remove the prefix entirely, use two quotation marks, |
Optional Ceph File System Arguments
Table 11.3. Optional CephFS arguments
Argument | Description |
---|---|
--cephfs-username CEPHFS_USERNAME | The username associated with the Ceph file system. The default username is |
--cephfs-secretkey-file CEPHFS_SECRETKEY_FILE | The path to the file containing the CephFS secret key. |
--cephfs-name CEPHFS_NAME | The name of the Ceph file system. |
Optional Proxy Arguments
Table 11.4. Optional Proxy arguments
Argument | Description |
---|---|
--proxy-hostname PROXY_HOSTNAME | The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443). |
--proxy-password PROXY_PASSWORD | The password to access the proxy server. Specify a password only if your proxy server requires authentication. |
--proxy-port PROXY_PORT | The TCP port on the proxy server. Note that the Squid proxy server normally uses port |
--proxy-protocol PROXY_PROTOCOL | The application layer protocol that the proxy server is configured to support, either |
--proxy-username PROXY_USERNAME | The username associated with the proxy server. Specify a username only if your proxy server requires authentication. |
Optional Certificate Authority Arguments
Table 11.5. Optional arguments for generating Certification Authorities
Argument | Description |
---|---|
--certs-ca-common-name CERTS_CA_COMMON_NAME | The common name for the generated CA certificate. By default, the name is |
--certs-country CERTS_COUNTRY | The country attributes for managed certificates. The default is |
--certs-state CERTS_STATE | The state attributes for managed certificates. The default is |
--certs-city CERTS_CITY | The city attributes for managed certificates. The default is |
--certs-org CERTS_ORG | The org attributes for managed certificates. The default is |
--certs-org-unit CERTS_ORG_UNIT | The org unit attributes for managed certificates. The default is |
--certs-ca-expiration CERTS_CA_EXPIRATION | The number of days after which the CA expires. The default value is |
--cds-certs-expiration CDS_CERTS_EXPIRATION | The number of days after which the certificate expires. The default value is |
Arguments for configuring RHUI using Certificate Authorities
You can configure RHUI using the following CAs:
- RHUI CA: Signs certificates generated by RHUI.
- Client SSL CA: Signs certificates generated by RHUI and secures the exchange of content between the client and the HAProxy and CDS nodes.
- Client Entitlement CA: Signs entitlement certificates generated by RHUI and secures the content that the client requests from RHUI.
Note: If you do not provide a RHUI CA, the command will automatically generate one.
If you do not provide a Client SSL CA or a Client Entitlement CA, the command will use the configured RHUI CA instead.
Depending on your use case, you must provide the respective arguments:
Configuring using a RHUI CA
- --user-supplied-rhui-ca-crt USER_SUPPLIED_RHUI_CA_CRT: The path to the digital certificate crt file issued by a CA. If you do not provide a crt file, the command automatically generates one.
- --user-supplied-rhui-ca-key USER_SUPPLIED_RHUI_CA_KEY: The path to the key file used to generate the --user-supplied-rhui-ca-crt file. If you do not provide a key, it is automatically generated.
Configuring using a Client SSL CA
- --user-supplied-client-ssl-ca-crt USER_SUPPLIED_CLIENT_SSL_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client SSL certificate. The client SSL certificate secures the content returned to a client from RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
- --user-supplied-client-ssl-ca-key USER_SUPPLIED_CLIENT_SSL_CA_KEY: The path to the key file that generates the --user-supplied-client-ssl-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
Configuring using a Client Entitlement CA:
- --user-supplied-client-entitlement-ca-crt USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_CRT: The path to a digital certificate crt file issued by the CA. You can use this crt file to generate the client entitlement certificate. The client entitlement certificate secures requests made by a client to RHUI. If you do not provide a file, the command uses the RHUI crt file, --user-supplied-rhui-ca-crt.
- --user-supplied-client-entitlement-ca-key USER_SUPPLIED_CLIENT_ENTITLEMENT_CA_KEY: The path to the key file that generates the --user-supplied-client-entitlement-ca-crt file. If you do not provide a key, the command uses the RHUI key, --user-supplied-rhui-ca-key.
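Each --user-supplied-*-ca-crt argument is paired with a --user-supplied-*-ca-key argument, and the installer signs certificates with that pair. The following added example (not part of the Red Hat documentation) checks such a pair with openssl before it is passed to rhui-installer; the function name check_ca_pair, the finding labels, and the 30-day default are assumptions, and it treats a passphrase-protected key as unreadable.

```shell
#!/bin/sh
# Check a user-supplied CA certificate and key before running rhui-installer
# (added example). Requires openssl and GNU stat.

# check_ca_pair CRT KEY [MIN_DAYS]
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
# MIN_DAYS is the minimum remaining validity and defaults to 30.
check_ca_pair() {
    crt=$1
    key=$2
    min_days=${3:-30}
    rc=0

    # Public key embedded in the certificate.
    if ! crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null); then
        echo "BAD_CRT $crt is not a readable X.509 certificate"
        return 1
    fi

    # Public key derived from the private key. "-passin pass:" supplies an
    # empty passphrase, so an encrypted key fails instead of prompting.
    if ! key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null); then
        echo "BAD_KEY $key is not a readable unencrypted private key"
        return 1
    fi

    # The key belongs to the certificate only if both public keys are equal.
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "MISMATCH $key is not the private key of $crt"
        rc=1
    fi

    # A certificate used to sign other certificates must be marked as a CA.
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "NOT_CA $crt lacks basicConstraints CA:TRUE"
        rc=1
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $crt expires within $min_days days"
        rc=1
    fi

    # The CA key signs every certificate RHUI issues; keep it owner-only.
    key_mode=$(stat -c '%a' "$key")
    case $key_mode in
        400|600) ;;
        *) echo "KEY_MODE $key is $key_mode, expected 600 or 400"; rc=1 ;;
    esac
    return $rc
}

# Usage (paths are placeholders):
#   check_ca_pair <path-to-rhui-ca.crt> <path-to-rhui-ca.key> &&
#       rhui-installer ... --user-supplied-rhui-ca-crt <path-to-rhui-ca.crt> \
#                          --user-supplied-rhui-ca-key <path-to-rhui-ca.key>
```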
11.2. Installing Red Hat Update Infrastructure using NFS
Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with network file system (NFS).
Prerequisites
- Ensure that your system can access the internet.
- Ensure you have root access to the RHUA node.
- Optional: Ensure you have configured your proxy server if you plan to use one with RHUI.
Procedure
Navigate to the RHUA node and install the rhui-installer package.
# dnf install rhui-installer
Run rhui-installer and specify the arguments based on your use case.
To set up RHUI without a proxy server:
# rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>
The following arguments are mandatory when using NFS.
- --remote-fs-server: The remote mountpoint for the shared file system.
- --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
- --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
- --rhua-mount-options (Optional): The flag to specify the options for mounting a remote shared filesystem on RHUA and CDS nodes. The default value is rw.
To change mount options in an already running RHUI environment:
- Stop Pulp services:
  # systemctl stop pulpcore
- Re-run RHUI installer and specify the new options:
  # rhui-installer --rerun --rhua-mount-options [new options]
- Apply the options to all CDS nodes:
  # rhui-manager --noninteractive cds reinstall --all
To set up RHUI with a proxy server:
# rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>
The following arguments are mandatory when using NFS and a proxy server.
- --remote-fs-server: The remote mountpoint for the shared file system.
- --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
- --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
- --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
- --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
- --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
- --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
- --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.
If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.
Verification
On the RHUA node, verify if you can access the RHUI Terminal User Interface (TUI).
# rhui-manager
11.3. Installing Red Hat Update Infrastructure using CephFS
Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories along with the Ceph file system (CephFS).
Prerequisites
- Ensure that your system can access the internet.
- Ensure you have root access to the RHUA node.
Enable the Ceph Tools repository on the RHUA and CDS nodes. For more information, see:
- Ensure you have configured your shared storage using CephFS, see Section 9.2, “Configuring shared storage using CephFS”.
- Optional: Ensure you have configured your proxy server if you plan to use one with RHUI.
Procedure
Navigate to the RHUA node and install the rhui-installer package.
# dnf install rhui-installer
Create a file containing the CephFS secret key.
# echo "cephfs secretkey" > <path to file containing the CephFS secret key>
# chmod 400 <path to file containing the CephFS secretkey>
Run rhui-installer and specify the arguments based on your use case.
To set up RHUI without a proxy server:
# rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>
The following arguments are mandatory when using CephFS.
- --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
- --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a Fully Qualified Domain Name (FQDN).
- --rhua-hostname: The hostname of the RHUA node. You must specify the name as a Fully Qualified Domain Name (FQDN).
- --remote-fs-type: The type of file system to use. You must set this to Ceph.
- --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
- --cephfs-name: The name of the Ceph file system.
- --cephfs-username: The username associated with the Ceph file system.
To set up RHUI with a proxy server:
# rhui-installer --remote-fs-server <ceph_monip>:<ceph_port>:/ --remote-fs-type ceph --cephfs-secretkey-file <ceph_secretkey_file> --cephfs-name <cephfs_name> --cephfs-username <ceph-fs-username> --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb> --proxy-hostname <public-hostname-of-your-proxy-server> --proxy-port <TCP-port> --proxy-protocol <supported-protocol> --proxy-username <proxy-username> --proxy-password <proxy-password>
The following arguments are mandatory when using CephFS and a proxy server.
- --remote-fs-server: The remote mountpoint for the shared file system. The format is <ceph_monip>:<ceph_port>.
- --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
- --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
- --remote-fs-type: The type of file system to use. You must set this to Ceph.
- --cephfs-secretkey-file: The path to the file containing the CephFS secret key.
- --cephfs-name: The name of the Ceph file system.
- --cephfs-username: The username associated with the Ceph file system.
- --proxy-hostname: The hostname of the proxy server that the RHUA node will use to communicate with the Red Hat CDN (cdn.redhat.com:443).
- --proxy-port: The TCP port on the proxy server. Note that the Squid proxy server normally uses port 3128.
- --proxy-protocol: The application layer protocol that the proxy server is configured to support, either HTTP or HTTPS.
- --proxy-username: The user name associated with the proxy server. Specify the user name only if your proxy server requires authentication.
- --proxy-password: The password to access the proxy server. Specify the password only if your proxy server requires authentication.
The rhui-installer command sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.
If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.
Verification
On the RHUA node, verify if you can access the RHUI Terminal User Interface (TUI).
# rhui-manager
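The CephFS procedure above writes the secret key with echo and then runs chmod 400, and the test mount in Section 9.2 passes the key as secret= on the command line; both put the key on a command line, and the file exists with default permissions until chmod runs. The following added example (not part of the Red Hat documentation) creates the key file with restrictive permissions from the start and verifies an existing one. The function names and the /root/cephfs.key path are assumptions, and secretfile= is a mount.ceph option that the page itself does not use.

```shell
#!/bin/sh
# Create and verify the file passed to --cephfs-secretkey-file (added example).
# Requires GNU stat, as shipped on RHEL 8.

# write_secret_file PATH
# Reads the CephFS key from standard input and stores it in PATH with mode 400.
write_secret_file() {
    target=$1
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "refusing to overwrite $target" >&2
        return 1
    fi
    (
        umask 077               # created as 0600: never readable by others
        set -C                  # noclobber: fail if the path appears meanwhile
        IFS= read -r key || :   # read is a builtin: the key never shows in ps
        [ -n "$key" ] || exit 1
        printf '%s\n' "$key" > "$target"
    ) || return 1
    chmod 400 "$target"
}

# check_secret_file PATH
# Prints a finding and returns 1 when the file would expose the key.
check_secret_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "NOT_REGULAR $f is missing, a symlink, or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    case $mode in
        400|600) ;;
        *) echo "MODE $f is $mode, expected 400 or 600"; return 1 ;;
    esac
    if [ ! -s "$f" ]; then
        echo "EMPTY $f contains no key"
        return 1
    fi
}

# Usage on the RHUA node (placeholders as in the procedure above):
#   write_secret_file /root/cephfs.key      # paste the key, then press Enter
#   check_secret_file /root/cephfs.key
#   mount -t ceph <ceph_monip>:<ceph_port>:/ /mnt/mycephfs_test \
#       -o name=admin,secretfile=/root/cephfs.key,fs=<cephfs_name>
#   rhui-installer ... --cephfs-secretkey-file /root/cephfs.key ...
```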