Installing Red Hat Update Infrastructure
List of requirements, setting up nodes, configuring storage, and installing Red Hat Update Infrastructure 4
Abstract
This is a beta version!
This document is provided as a preview and only includes or highlights features that are new as part of the public Beta. It is under development and is subject to substantial change. Consider the included information incomplete and use it with caution. This content will later be incorporated into the regular product documentation.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Installation checklist
Before you begin installing Red Hat Update Infrastructure (RHUI), refer to the following checklist to ensure that you have all the necessary components and information required for installation.
Table 1.1. List of components required for installing RHUI
Required Information | Information Usage | Resources and Notes |
---|---|---|
Red Hat Credentials | Red Hat credentials to manage subscription and access to Red Hat repositories. | |
Network and Firewall access | Network and firewall requirements for the Red Hat Update Appliance (RHUA) and Content Delivery Server (CDS) nodes. | It is possible for a CDS to have a client-facing host name that differs from the host name used for intra-Red Hat Update Infrastructure communication. If you are using client-facing host names, note each CDS’s client-facing FQDN and the corresponding IP address. |
Proxy settings | Proxy for access to the Red Hat content delivery network. | Proxy settings for RHUI are set automatically during the installation. They are set on the CDS nodes in the |
Content Repository Size | Storage space for the RPM packages required by Red Hat Update Infrastructure. | See Preparing your Environment for Installation for specific storage requirements, or use the Also, all repositories are placed in the |
Client Profiles | RHUI content available to the client | A client profile determines the RHUI content that is available to the client and the CDS from which the client downloads that content. |
Use a separate storage volume for the installation if you expect to store a large amount of data.
In addition, each RHUI server (RHUA node or CDS node) requires a separate file system of the required size. It is important to use technologies such as LVM, SAN, or NAS storage that allow you to increase the size of the content repository if needed.
Chapter 2. Technical configuration required for installing RHUI
Before you install Red Hat Update Infrastructure (RHUI), you must configure your system and components as follows.
Complete the initial stages of the Red Hat Certified Cloud and Service Provider (CCSP) certification:
- Virtualization, image creation, and instance provisioning technologies, tools, and processes.
- Proposed process for measuring and reporting consumption of Red Hat software.
- Proposed process for notifying customers of errata updates to Red Hat software.
- Proposed process for making images that include Red Hat software available to customers, including image lifecycle management and retiring outdated images.
For more information, see Product Documentation for Red Hat Certified Cloud and Service Provider Certification Browse Knowledgebase.
Self-signed certificates are typically used for RHUI deployment. However, if you wish to use SSL certificates signed by a third-party certificate authority, you must ensure that they are obtained by the client and reviewed by Red Hat.
Note: You can use the Red Hat consultant to assist with the development of self-signed certificates. This will not affect the user experience of the client’s customers.
- Ensure that the client will provide systems, virtual machines, or tenant instances for installation of all Red Hat Update Appliances (RHUAs), external load balancers, and content delivery servers (CDSs).
- Make sure access to RHEL 8 is available, either by ISO or by subscription.
Ensure that you have one RHUA node with the following configuration:
- RHEL 8 or greater with Minimal Installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 8 GB memory
  Note: You must increase the minimum memory to 16 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
- A 50 GB disk
- A 50 GB disk dedicated for PostgreSQL and mounted to /var/lib/pgsql.
  Note: You must increase the disk capacity to at least 100 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
Ensure that you have one HAProxy node with the following configuration:
- RHEL 8 or greater with Minimal installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 2 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 4 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 4 GB memory
  Note: You must increase the minimum memory to 8 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.
- A 50 GB disk
Ensure that you have at least two CDS nodes (physical or virtual) with the following recommended configuration:
- RHEL 8 or greater with Minimal installation
- SELinux is enabled
- An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz
  Note: You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.
- 8 GB memory
- A 100 GB disk per major RHEL release
Ensure that image certification is performed on RHEL guest templates as provided:
- A minimum 10 GB disk for the operating system
- iptables is enabled
- SELinux is enabled
- If password authentication is enabled, you must use the strongest possible hash
- Default logging is enabled
Ensure that the client’s network is properly configured as follows:
- IP addresses must be allocated for all RHUAs, CDSs, and external load balancers (if any).
- DNS records (forward and reverse) have been created for all IP addresses, for example, rhua.company.com, cds1.company.com, cds2.company.com, and certs.company.com.
- If your server has multiple network interface cards (NICs), the fully qualified domain name (FQDN) of the RHUA and the CDSs must be resolved to the IP of the NIC that is used to communicate between the RHUA and the CDSs.
- RHUI uses DNS to reach the CDN. In most cases, your instance should be preconfigured to talk to the proper DNS servers hosted as part of the cloud’s infrastructure. If you run your own DNS servers or update your client DNS configuration, there is a chance you will see errors similar to "yum Could not contact any CDS load balancers". In these cases, check that your DNS server is forwarding to the cloud’s DNS servers for the request or that your DNS client is configured to fall back to the cloud’s DNS server for name resolution.
- Using more than one HAProxy node requires a round-robin DNS entry for the host name used as the value of the --cds-lb-hostname parameter when rhui-installer is run (cds.example.com in this guide) that resolves to the IP addresses of all HAProxy nodes. How to Configure DNS Round Robin presents one way to configure a round-robin DNS. In the context of RHUI, these will be the IP addresses of the HAProxy nodes, and they are to be mapped to the host name specified as --cds-lb-hostname while calling rhui-installer. See HAProxy Configuration for more information.
Ensure that all required network ports are open.
Table 2.1. List of ports and their usage
Connection | Port | Usage |
---|---|---|
RHUA to CDSs | 22/TCP | SSH configuration and access |
RHUA to HAProxy servers | 22/TCP | SSH configuration and access |
Clients to CDS or HAProxy | 443/TCP | Access to content |
HAProxy to CDS | 443/TCP | Load balancing |
NFS ports | 2049/TCP | File system |
CDSs to RHUA | 443/TCP | Retrieve content that has not been symlinked |
- Ensure that the network proxy settings between RHUA and the Red Hat CDN are configured appropriately.
- Ensure that the network proxy settings between the CDSs and the clients via yum.conf are configured appropriately.
- Ensure a round-robin DNS entry is used if more than one HAProxy node is used.
Chapter 3. Registering your system and attaching subscriptions
To use RHUI efficiently and gain access to Red Hat repositories and support, you must register RHUI and attach the relevant subscriptions to your RHUA, CDS, and HAProxy nodes.
3.1. Installing Red Hat Enterprise Linux
To register and attach the subscriptions to your nodes, you must install Red Hat Enterprise Linux (RHEL) on each of them.
Procedure
- Navigate to the node on which you wish to install RHEL.
Install RHEL.
For detailed instructions on how to install RHEL, see Performing a standard RHEL installation.
3.2. Registering nodes
To use RHUI on your system, you must register each node with Red Hat.
Procedure
On the RHUA node, enter the following command to register the system:
# subscription-manager register --type=rhui --username <admin-example> --password <secret>
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>
On the CDS and HAProxy nodes, enter the following command:
# subscription-manager register --username <admin-example> --password <secret>
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: <a1b2c3-d4e5-f6g7-2345-hij890klm123>
Optional: If your system is already registered, you can override the subscription using the --force option.
# subscription-manager register --force
The new system will be available on the Red Hat Customer Portal, and the new RHUA instance will not have any subscriptions attached to it.
Verification
- Navigate to the Red Hat Customer Portal.
- Verify that your system is available by locating it within the Customer Portal.
3.3. Attaching a subscription to the RHUA node
The following instructions explain how to attach a subscription to your Red Hat Update Appliance (RHUA) node.
Prerequisites
- Ensure you have root access to the RHUA node.
Procedure
On the RHUA node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Atomic Host for Certified Cloud and Service Providers (via Red Hat Update Infrastructure)
Provides:            Red Hat Enterprise Linux Atomic Host Beta from RHUI
                     Red Hat Enterprise Linux Atomic Host from RHUI
SKU:                 RH00731
Contract:            11312089
Pool ID:             8a85f9815a6c4c9d015a6c6acb373ed9
Provides Management: No
Available:           19
Suggested:           1
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Standard
Ends:                02/22/2018
System Type:         Physical

Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for Providers
Provides:            dotNET on RHEL (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux Server from RHUI
                     Red Hat Software Collections (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux for SAP from RHUI
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux Server - Extended Update Support from RHUI
                     dotNET on RHEL Beta (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux for SAP Hana from RHUI
                     RHEL Software Test Suite (for RHEL Server) from RHUI
                     Red Hat Enterprise Linux High Availability (for RHEL Server) from RHUI
                     Red Hat Update Infrastructure
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server) from RHUI
SKU:                 RC1116415
Contract:            11314314
Pool ID:             8a85f9815a71f0bd015a72445adf0223
Provides Management: No
Available:           20
Suggested:           1
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Standard
Ends:                02/23/2018
System Type:         Physical
Attach a subscription using its pool ID.
For example, the following command attaches the Red Hat Update Infrastructure and RHEL Add-Ons for Providers subscription.
# subscription-manager attach --pool=8a85f9815a71f0bd015a72445adf0223
Successfully attached a subscription for: Red Hat Update Infrastructure and RHEL Add-Ons for Providers
3.4. Attaching a subscription to the CDS node
The following instructions explain how to attach a subscription to your content delivery server (CDS) node.
You do not need to perform the following steps if you are using Simple Content Access.
Prerequisites
- Ensure you have root access to the CDS node.
Procedure
On the CDS node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
...
Subscription Name: <Subscription-Name>
Pool ID: <pool-ID>
...
Attach a subscription using its pool ID.
# subscription-manager attach --pool=<pool-ID>
Successfully attached a subscription for: <Subscription-Name>
3.5. Attaching a subscription to the HAProxy node
The following instructions explain how to attach a subscription to your HAProxy node.
You do not need to perform the following steps if you are using Simple Content Access.
Prerequisites
- Ensure you have root access to the HAProxy node.
Procedure
On the HAProxy node, check for available subscriptions that you can attach.
# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
...
Subscription Name: <Subscription-Name>
Pool ID: <pool-ID>
...
Attach a subscription using its pool ID.
# subscription-manager attach --pool=<pool-ID>
Successfully attached a subscription for: <Subscription-Name>
Chapter 4. Enabling the required repositories
To install RHUI on your system and enable complete functionality, you must install certain repositories that contain the necessary software packages. The rhel-8-for-x86_64-baseos-rhui-rpms and rhel-8-for-x86_64-appstream-rhui-rpms repositories provide all the necessary packages required for installing RHUI on your system.
The following instructions explain how to enable these repositories on your system.
The RHUA and CDS nodes require RHEL installations with base packages and with all repositories disabled except for the rhel-8-for-x86_64-baseos-rhui-rpms and the rhel-8-for-x86_64-appstream-rhui-rpms repositories. This requirement means that you cannot install any third-party configurations or software that is not necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software.
4.1. Enabling the required repositories on the RHUA node
The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rhui-rpms and rhel-8-for-x86_64-appstream-rhui-rpms repositories on the RHUA node.
Prerequisites
- Ensure you have root access to the RHUA node.
Procedure
Navigate to the RHUA node, list the enabled repositories, and verify that your system is correctly subscribed.
# yum repolist enabled
repo id                                   repo name
codeready-builder-for-rhel-8-rhui-rpms    Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs) from RHUI
rhel-8-appstream-rhui-rpms                Red Hat Enterprise Linux 8 for x86_64 - AppStream from RHUI (RPMs)
rhel-8-baseos-rhui-rpms                   Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rhui-rpms --enable=rhel-8-for-x86_64-appstream-rhui-rpms
Enable the RHUI 4 repository.
# subscription-manager repos --enable=rhui-4-beta-for-rhel-8-x86_64-rpms
4.2. Enabling the required repositories on the CDS node
The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the CDS nodes.
Prerequisites
- Ensure that you have root access to all the CDS nodes you plan to use.
Procedure
Navigate to a CDS node, list the enabled repositories, and verify that your system is correctly subscribed.
# yum repolist enabled
repo id                                   repo name
codeready-builder-for-rhel-8-x86_64-rpms  Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs)
rhel-8-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms
- Repeat the steps on all the CDS nodes you plan to use.
Verification
List the enabled repositories and verify whether the relevant repositories appear on the list.
# yum repolist enabled
repo id                                   repo name
rhel-8-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
4.3. Enabling the required repositories on the HAProxy node
The following instructions explain how to enable the rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms repositories on the HAProxy node.
Prerequisites
- Ensure you have root access to the HAProxy node.
Procedure
Navigate to a HAProxy node, list the enabled repositories, and verify that your system is correctly subscribed.
# yum repolist enabled
repo id                                   repo name
codeready-builder-for-rhel-8-x86_64-rpms  Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs)
rhel-8-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Disable all repositories.
# subscription-manager repos --disable=*
Enable the relevant repositories.
# subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms --enable rhel-8-for-x86_64-baseos-rpms
Verification
List the enabled repositories and verify whether the relevant repositories appear on the list.
# yum repolist enabled
repo id                                   repo name
rhel-8-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
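The requirement in this chapter that only the listed repositories stay enabled can be checked mechanically instead of by reading the list. The script below is an added example, not part of the RHUI documentation: the function name check_repos and the sample output are constructed here, and the repository IDs to require are passed as arguments so the same check serves the RHUA, CDS, and HAProxy nodes.

```shell
#!/bin/sh
# Added example, not Red Hat code.
# check_repos REQUIRED_ID...
#   Reads `yum repolist enabled` output on stdin. Prints "unexpected: ID" for
#   every enabled repository that is not required and "missing: ID" for every
#   required repository that is not enabled. Returns non-zero on any finding.
check_repos() {
    required=" $* "
    seen=" "
    findings=0
    in_table=0
    while read -r repo_id _rest || [ -n "$repo_id" ]; do
        [ -n "$repo_id" ] || continue
        if [ "$in_table" -eq 0 ]; then
            # Everything before the "repo id  repo name" header is a status message.
            case "$repo_id $_rest" in
                "repo id"*) in_table=1 ;;
            esac
            continue
        fi
        seen="$seen$repo_id "
        case $required in
            *" $repo_id "*) ;;
            *) printf '%s\n' "unexpected: $repo_id"; findings=$((findings + 1)) ;;
        esac
    done
    for repo_id in "$@"; do
        case $seen in
            *" $repo_id "*) ;;
            *) printf '%s\n' "missing: $repo_id"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample, modelled on the CDS output shown before the
# repositories are disabled.
sample_repolist() {
    cat <<'EOF'
Updating Subscription Management repositories.
repo id                                   repo name
codeready-builder-for-rhel-8-x86_64-rpms  Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs)
rhel-8-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
EOF
}

# On a real node, replace sample_repolist with: yum repolist enabled
sample_repolist | check_repos rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms \
    || echo "enabled repositories differ from the required set"
```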
Chapter 5. Configuring shared storage using NFS
The RHUA and CDS nodes require a shared storage volume that both can access to store content managed by RHUI. Currently, RHUI supports only network file system (NFS) solutions. You can set up an NFS server either on the RHUA node or on a dedicated machine.
The following instructions explain how to create and configure an NFS to work with RHUI.
Setting up your NFS server on a dedicated machine allows the CDS nodes and your RHUI clients to continue working even if something happens to the RHUA node.
Prerequisites
- Ensure you have root access to the NFS server.
- Ensure you have root access to the RHUA node.
- Ensure you have root access to all the CDS nodes you plan to use.
Procedure
Install the nfs-utils package on the node hosting the NFS server, the RHUA node (if it differs from the NFS node), and all the CDS nodes.
# yum install nfs-utils
Create a suitable directory to hold all the RHUI content.
# mkdir /export
Allow your RHUA and CDS nodes access to the directory by editing the /etc/exports file and adding the following line:
/export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) cds02.example.com(rw,no_root_squash)
Start and enable the NFS service.
# systemctl start nfs-server
# systemctl start rpcbind
# systemctl enable nfs-server
# systemctl enable rpcbind
Note: If the NFS service is already running, use the restart command instead of the start command.
Verification
To test whether an NFS server is set up on a machine named filer.example.com, run the following commands on a CDS node:
# mkdir /mnt/nfstest
# mount filer.example.com:/export /mnt/nfstest
# touch /mnt/nfstest/test
Your setup is working properly if you do not get any error messages.
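Because the /etc/exports line above grants rw,no_root_squash, it is worth confirming that only the RHUA and CDS hosts appear as clients. The script below is an added example, not part of the RHUI documentation: audit_exports and write_sample_exports are names made up here, the allowlist is passed as arguments, and the second and third sample lines are constructed mistakes.

```shell
#!/bin/sh
# Added example, not Red Hat code.
# audit_exports FILE ALLOWED_HOST...
#   Prints one finding per client spec that is a wildcard, has no host name
#   (options written after a space apply to every host), or is not in the
#   allowlist. Returns non-zero if there is any finding.
audit_exports() {
    exports_file=$1; shift
    allowed=" $* "
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop comments
        set -f                        # client specs may contain '*'
        set -- $line
        set +f
        [ $# -ge 1 ] || continue      # blank or comment-only line
        export_path=$1; shift
        for spec in "$@"; do
            host=${spec%%"("*}
            case $spec in
                *"("*) opts=${spec#*"("}; opts=${opts%")"} ;;
                *)     opts= ;;
            esac
            reason=
            case $host in
                ''|*[*?]*) reason="world or wildcard client" ;;
                *) case $allowed in
                       *" $host "*) ;;
                       *) reason="client not in allowlist" ;;
                   esac ;;
            esac
            [ -n "$reason" ] || continue
            case ",$opts," in
                *,no_root_squash,*) reason="$reason with no_root_squash" ;;
            esac
            printf '%s\n' "$export_path ${spec}: $reason"
            findings=$((findings + 1))
        done
    done < "$exports_file"
    [ "$findings" -eq 0 ]
}

# Constructed sample: line 1 is the entry from this chapter, lines 2 and 3
# are mistakes the audit is meant to catch.
write_sample_exports() {
    cat > "$1" <<'EOF'
/export rhua.example.com(rw,no_root_squash) cds01.example.com(rw,no_root_squash) cds02.example.com(rw,no_root_squash)
/export2 cds01.example.com (rw,no_root_squash)   # stray space before the options
/scratch *(rw)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
# On the NFS server, pass /etc/exports instead of the sample file.
audit_exports "$sample" rhua.example.com cds01.example.com cds02.example.com \
    || echo "review the entries listed above"
rm -f "$sample"
```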
Chapter 6. Generating a cryptographic key pair
To ensure secure data transmission between the Red Hat Update Appliance (RHUA), content delivery system (CDS), and HAProxy nodes, and to use rhui-manager to set up those nodes, you must generate a key pair on the RHUA node and copy the public key to CDS and HAProxy nodes.
You can generate either an RSA or an ECDSA key, depending on your use case.
6.1. Generating an RSA key pair
The following steps explain how to generate an RSA key pair for version 2 of the SSH protocol.
Procedure
On the RHUA node, run the ssh-keygen command with the RSA argument, and save the key in the default location.
Warning: Leave the passphrase field blank. CDS installation and registration fails if you provide a passphrase while generating the key pair.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_rsa):
Created directory '/home/USER/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USER/.ssh/id_rsa.
Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
The key fingerprint is:
e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . . |
| o . |
| . .|
| S . . |
| + o o ..|
| * * +oo|
| O +..=|
| o* o.|
+-----------------+
Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.
$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the CDS and HAProxy nodes.
$ ssh-copy-id user@<haproxy1>
$ ssh-copy-id user@<cds1>
$ ssh-copy-id user@<cds2>
6.2. Generating an ECDSA key pair
The following steps explain how to generate an ECDSA key pair for version 2 of the SSH protocol.
Procedure
On the RHUA node, run the ssh-keygen command with the ECDSA argument, and save the key in the default location.
Warning: Leave the passphrase field blank. CDS installation and registration fails if you provide a passphrase while generating the key pair.
$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
Created directory '/home/USER/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USER/.ssh/id_ecdsa.
Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
The key fingerprint is:
fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
The key's randomart image is:
+--[ECDSA 256]---+
| .+ +o |
| . =.o |
| o o + ..|
| + + o +|
| S o o oE.|
| + oo+.|
| + o |
| |
| |
+-----------------+
Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.
$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the CDS and HAProxy nodes.
$ ssh-copy-id user@<haproxy1>
$ ssh-copy-id user@<cds1>
$ ssh-copy-id user@<cds2>
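Since the key pair from sections 6.1 and 6.2 has no passphrase, file permissions are the only protection for the private key on the RHUA node. The script below is an added example, not part of the RHUI documentation: check_ssh_key_perms is a name made up here, and it extends the documented ls -ld check on ~/.ssh to the id_rsa and id_ecdsa files and their .pub counterparts.

```shell
#!/bin/sh
# Added example, not Red Hat code.
# check_ssh_key_perms DIR
#   DIR must be drwx------ (700). Each private key this chapter can create
#   (id_rsa, id_ecdsa) must be readable by its owner only and have a matching
#   .pub file. Prints findings and returns non-zero if there are any.
check_ssh_key_perms() {
    ssh_dir=$1
    findings=0
    found_key=0
    # The first 10 characters of ls -l output are the type and mode bits; the
    # SELinux "." or ACL "+" marker that may follow is cut off.
    mode=$(ls -ld "$ssh_dir" 2>/dev/null | cut -c1-10)
    if [ "$mode" != "drwx------" ]; then
        printf '%s\n' "$ssh_dir: mode ${mode:-unreadable}, expected drwx------"
        findings=$((findings + 1))
    fi
    for name in id_rsa id_ecdsa; do
        key=$ssh_dir/$name
        [ -f "$key" ] || continue
        found_key=1
        mode=$(ls -l "$key" | cut -c1-10)
        case $mode in
            -r[w-]-------) ;;     # 600 or 400: owner only
            *) printf '%s\n' "$key: mode $mode, expected -rw-------"
               findings=$((findings + 1)) ;;
        esac
        if [ ! -f "$key.pub" ]; then
            printf '%s\n' "$key.pub: public key is missing"
            findings=$((findings + 1))
        fi
    done
    if [ "$found_key" -eq 0 ]; then
        printf '%s\n' "$ssh_dir: no id_rsa or id_ecdsa private key found"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run as the user that generated the key on the RHUA node.
check_ssh_key_perms "${1:-$HOME/.ssh}" \
    || echo "fix the findings above before adding CDS or HAProxy nodes"
```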
Chapter 7. Updating your system
Before you install RHUI, it is a good practice to secure your system by installing all the latest available updates.
Prerequisites
- Ensure that the system is registered to Red Hat.
- All the relevant repositories are enabled.
Procedure
Navigate to each of your nodes and apply any available operating system updates.
For detailed information about updating your system, see Securing your system.
- Reboot the nodes.
Verify that all configuration changes have persisted.
Warning: Make sure the host name of the RHUA is set correctly. If the host name is not set and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.
Chapter 8. Installing Red Hat Update Infrastructure
Once you have completed the prerequisites, you can install RHUI on your system. You can install RHUI using repositories and a network connection to resolve dependencies.
8.1. Installing Red Hat Update Infrastructure using repositories
Perform the following steps to install Red Hat Update Infrastructure (RHUI) on your system using repositories.
Prerequisites
- Ensure that you have registered all the nodes and attached the relevant subscriptions. For more information, see Chapter 3, Registering your system and attaching subscriptions.
- Ensure that your system can access the internet.
- Ensure you have root access to the RHUA node.
Procedure
Navigate to the RHUA node and install the rhui-installer package.
# dnf install rhui-installer
Run the installer and specify the arguments based on your use case.
Note that the following arguments are mandatory:
- --remote-fs-server: The remote mountpoint for the shared file system.
- --cds-lb-hostname: The name of the load balancer that clients use to access the CDS. You must specify the name as a fully qualified domain name (FQDN).
- --rhua-hostname: The hostname of the RHUA node. You must specify the name as a fully qualified domain name (FQDN).
Important: The rhui-installer sets the initial RHUI login password by default and stores it in the /etc/rhui/rhui-subscription-sync.conf file.
If you wish to set your own password, you can override the initial password with the --rhui-manager-password argument.
# rhui-installer --remote-fs-server <nfs_server>:/ --rhua-hostname <public-hostname-of-your-rhua> --cds-lb-hostname <public-hostname-of-your-cds-or-lb>
Verification
On the RHUA node, verify if you can access the RHUI Terminal User Interface (TUI).
# rhui-manager
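The FQDN requirement for --rhua-hostname and --cds-lb-hostname, together with the Chapter 7 warning about localhost and localhost.localdomain, can be checked before rhui-installer is run. The script below is an added example, not part of the RHUI documentation and not something rhui-installer does itself: is_fqdn and preflight_installer_args are names made up here, and rejecting a trailing dot and all-numeric names is a choice of this example.

```shell
#!/bin/sh
# Added example, not Red Hat code.
# is_fqdn NAME: succeeds only for a dotted host name made of valid labels that
# is not one of the placeholder names the guide warns about.
is_fqdn() {
    name=$1
    case $name in
        localhost|localhost.localdomain) return 1 ;;
        ''|.*|*.|*..*) return 1 ;;    # empty label or trailing dot
        *.*) ;;                       # at least two labels
        *) return 1 ;;                # short name, not fully qualified
    esac
    [ "${#name}" -le 253 ] || return 1
    old_ifs=$IFS; IFS=.
    set -f; set -- $name; set +f      # split the name into labels
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
        esac
    done
    case $label in                    # last label: an all-digit TLD means an IP address
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight_installer_args RHUA_HOSTNAME CDS_LB_HOSTNAME REMOTE_FS_SERVER
#   Prints one line per unusable argument; returns non-zero if any is unusable.
preflight_installer_args() {
    rhua=$1; cds_lb=$2; remote_fs=$3
    rc=0
    if ! is_fqdn "$rhua"; then
        printf '%s\n' "--rhua-hostname: '$rhua' is not a usable FQDN"; rc=1
    fi
    if ! is_fqdn "$cds_lb"; then
        printf '%s\n' "--cds-lb-hostname: '$cds_lb' is not a usable FQDN"; rc=1
    fi
    case $remote_fs in
        ?*:/*) ;;                     # <nfs_server>:/<path>, as in the command above
        *) printf '%s\n' "--remote-fs-server: '$remote_fs' is not <nfs_server>:/<path>"; rc=1 ;;
    esac
    return "$rc"
}

# Host names used as examples in this guide.
preflight_installer_args rhua.example.com cds.example.com filer.example.com:/export \
    && echo "arguments look usable"
# The current host name must pass the same test on the RHUA node.
is_fqdn "$(hostname 2>/dev/null)" || echo "host name is not a usable FQDN"
```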