
Monday, November 10, 2014

Red Hat Satellite 6.0 - Getting provisioning to work

I have spent a lot of time attempting to get provisioning to work with Red Hat Satellite 6. The current official documentation only describes how to configure provisioning if your Sat 6 server is also your DHCP, DNS, everything server.  In most enterprise environments, these services already exist elsewhere.

I hope to document the issues I ran into on this page so that others can hopefully save a bunch of time.

Environment
  • Single Satellite 6 server with an integrated capsule.  
  • Windows 2008 R2 for DHCP and DNS.  
  • A VLAN (with an ip helper pointing at the windows dhcp server) just for linux provisioning.  I placed my Satellite 6 server directly in this VLAN.  If your environment already has some PXE booting solution like SCCM, I highly recommend creating a new VLAN.
Configure Satellite 6 for provisioning
The default installation of Satellite 6 does not include all the necessary configuration options for provisioning services.  Enable everything necessary by running the following command as root on the Satellite 6 server:

  • # katello-installer --capsule-parent-fqdn $(hostname) --capsule-dns true --capsule-dns-forwarders <X.X.X.X> --capsule-dns-interface <interface> --capsule-dns-zone <dns zone> --capsule-dns-reverse <X.X.X.in-addr.arpa> --capsule-tftp true --capsule-tftp-servername <servername.fqdn.tld>
Change the items in <>'s to whatever they are in your environment.  After issuing this command, the installer will run (takes a few moments) and enable the provisioning items that were missing.  To verify, browse to the Satellite 6 interface and select Infrastructure > Capsules.  The Satellite server should be listed and have "TFTP, DNS, Puppet, Puppet CA, and Pulp" listed as features.


Configure Foreman Discovery Module
The discovery module allows "unknown" hosts to automatically register with the Satellite server. This means that you can rack a new server, network boot and then configure the rest from Satellite.  

  1. Install some packages that might be missing on the satellite 6 server
    1.  yum -y install foreman-discovery-image rubygem-hammer_cli_import
  2. Configure the "PXELinux global default" provisioning template so it will know where the discovery image is located.
    1. In 6.0.1, there is a bug which "locks" this template from editing. Unlock it from the command line using these commands:
      1. foreman-rake console (will ask for admin password)
      2. ct = ConfigTemplate.find_by_name("PXELinux global default"); ct.locked = false; ct.save!
      3. exit
  3. In the Satellite 6 web interface, browse to Hosts > Provisioning Templates. Find the PXELinux global default template and click on it.  
  4. In the template editor on the right, put in the following code after the "local" section:


      LABEL discovery
        MENU LABEL Foreman Discovery
        MENU DEFAULT
        KERNEL boot/foreman-discovery-image-latest.el6.iso-vmlinuz
        APPEND rootflags=loop initrd=boot/foreman-discovery-image-latest.el6.iso-img root=live:/foreman.iso rootfstype=auto ro rd.live.image rd.live.check rd.lvm=0 rootflags=ro crashkernel=128M elevator=deadline max_loop=256 rd.luks=0 rd.md=0 rd.dm=0 rd.bootif=0 rd.neednet=0 nomodeset selinux=0 stateless
        IPAPPEND 2

     Press Submit.

  5. In the upper right corner of the Provisioning Templates screen, Click Build PXE default.
Configure Windows DHCP Server Scope
  1. Open the DHCP management console as a domain administrator. Find the DHCP scope for the VLAN that will be provisioning Linux servers from Satellite.
  2. Expand the scope and click on scope options.  Right click on scope options and click configure options.  
  3. Scroll down to option 066, Boot Server Host Name. Check the checkbox and type in the FQDN of the Satellite server. Click Apply
  4. Check the check box next to option 067, Bootfile Name. Type in pxelinux.0
  5. Make sure the network configuration on the router has an IP Helper setup for this vlan so it knows where to send DHCP requests.
  6. Also make sure the DHCP scope actually has an address range configured.
Configure SRV Record in Windows DNS
When the server loads the boot image, it starts loading up a 180 MB Linux image that connects to the Satellite server and adds an entry for the server so it can be provisioned. There are a couple of ways of doing this: adding the "foreman.url" option to the kernel boot parameters in the provisioning image, or creating an SRV record.  Using the foreman.url option did not work for me at all, but using the SRV record did.
  1. Open the DNS management console as domain admin.
  2. Right click on the DNS zone to add the SRV record to, click New Other Records.
  3. Scroll down to Service Location (SRV). Select it and click on Create Record.
  4. In the service field, type: _x-foreman
  5. In the Protocol field, type: _tcp
  6. In the priority field, type: 0
  7. In the Weight field, type: 5
  8. In the port number field, type: 443
  9. In the Host offering this service field: type the FQDN of the satellite server.
  10. Click OK

Provisioning an Unknown Host
After performing all of the above steps, you should now be able to provision a new host by just network booting it.  
  1. Power on the server to be provisioned and select network boot. The server should PXE boot and start downloading the foreman discovery image.
  2. Wait for the image to download and for the OS to load. Eventually, the console will show "Registering with foreman."
  3. Open up the satellite 6 interface. Click on Hosts > Discovered Hosts. The server should be listed there.
  4. Click the server name and then click on Provision in the upper right.
  5. Select host group or manually enter all the information.
  6. Click build
  7. The server to be provisioned should automatically reboot and then start installing Linux
To Do:
Will come back and update this later. I still need to:
  • Integrate an activation key into the build process so systems can get packages from Satellite
  • Figure out how to make the provisioned server actually use the IP address entered into the provisioning screen. Out of the box, seems like Sat 6 tries to do MAC address reservation with DHCP which will not work when using an external DHCP server.
  • Mess with the kickstart file so that it will enable the rh-common repository and install the katello-agent after the OS installation is done. The subscription-manager that is on RHEL 5 and RHEL 6 does not support enabling repositories from the Satellite web interface. Pretty silly.


Friday, September 19, 2014

Red Hat Satellite 6.0 - Part 4 - Creating a custom repository

In this section of my adventure with Satellite 6, I am going to set up a custom "Product" which will contain a non-Red Hat repository (VMware tools).  I've already set one of these up for the RHEL 6 servers, so in this example I will be creating a product for RHEL 5 VMware tools.

Creating a GPG key
First thing is to create a GPG key. In the satellite 6 web interface, select Content > GPG Keys.

Click +New Gpg Key in the upper right.

Type in a name for the GPG key; I called it "vmware-tools-gpg."  There is a box to copy the key into, or you can upload one if you have it downloaded. The one I'm using is from VMware and is located at:

  • http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
Either download that and upload it through the web interface or just paste it in. Click save. The gpg key should now be showing in the list.

Creating a Product
Click on Content > Products

There is probably already one product listed here from when we selected the RHEL repositories. Click on +New Product in the upper right.

Type in a name for the product, the Label section should automatically fill out. Select the gpg key (not required) and leave the sync plan empty for now. Enter a description if you want to. Click save.
A new product has been created! Now, a repository has to be added to the product so it will actually do something. On the product page, click on Create Repository.

Type in a name, the label should fill out by itself. Select yum for a type. In the URL section, put the URL of the repository you wish to sync. In this example, I am syncing VM Ware tools. The url is this:
  • RHEL 5
    • http://packages.vmware.com/tools/esx/5.5latest/rhel5/x86_64/
  • RHEL 6
    • http://packages.vmware.com/tools/esx/5.5latest/rhel6/x86_64/
Select the GPG key created for the product (optional). Click save when done.

Click on Sync Now to sync the repository. This will download the VM Ware tools to the Satellite.


Packages should start syncing. A details page will show itself and will present sync status as well as how many packages it found. This particular repository did not take very much time to sync.



Red Hat Satellite 6.0 - Part 3 - Syncing Repositories

In part 3 of my adventure into installing Red Hat Satellite 6, I am going to be selecting and syncing official Red Hat package repositories.

Selecting Repositories
After logging into the Satellite web interface and making sure your organization is selected, we can start getting some packages sync'd up.  Click on Content > Red Hat Repositories
A list of products should appear.  This list populates based upon the manifest and subscriptions you have attached to the Satellite. If something is missing, you will have to go back to the RH customer portal, make sure the subscription is attached to the satellite and redownload / reimport the manifest.

My environment is RHEL 5 and RHEL 6, so I'm going to be syncing those repositories. A fun new feature of sat 6 is that specific release levels of RHEL can be selected like RHEL 6.4, 5.3 or whatever. In satellite 5, it was very difficult to do this kind of thing to stay compliant with vendor support requirements and security patches.

I'm running RHEL 6.5 and 5.10, so I'm going to sync just those repositories. I think that selecting "Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server" is the latest repository. Since I don't want my systems to start getting RHEL 6.6 stuff when it is released, I'm going to select the following repos to make sure my servers stay at the release level I want them to stay at.
  • Red Hat Enterprise Linux 6 Server RPMs x86_64 6.5
  • Red Hat Enterprise Linux 6 Server Kickstart x86_64 6.5
  • RHN Tools for Red Hat Enterprise Linux 6 Server RPMs x86_64 6.5
  • Red Hat Enterprise Linux 5 Server Kickstart x86_64 5.10
  • Red Hat Enterprise Linux 5 Server RPMs x86_64 5.10
  • RHN Tools for Red Hat Enterprise Linux 5 Server RPMs x86_64 5.10
I can always come back here and select other repositories to sync to my organization, but I think this should get me most of what I need for now.

Synchronizing Repositories
In Satellite 5, channels were sync'd by running commands on the command line and then putting those commands into cron jobs so new packages would get downloaded.  However, in Satellite 6, that is no longer the case. Click on Content > Sync Status.
The sync status page should appear. The repositories which were selected before will be listed here.

Selecting repositories and clicking Synchronize Now will start to download packages from Red Hat to the Satellite server. You can click "select all" on the top or do each one separately. The initial sync is going to take a long time for each repository, so I'm going to do one at a time. The page will give you a cool status bar showing progress when clicking the button. Time to go do some other work for a while.

In part 4, I will attempt to create a repository to get the latest VM Ware tools for ESX 5.5 right from VM Ware so I can manage VM Ware tools from the satellite instead of having to go through the vsphere console and manually updating everything.

Thursday, September 18, 2014

Red Hat Satellite 6.0 - Part 2 - Attaching Subscriptions

In Red Hat Satellite 6 - Part 1, I went through the process of installing Red Hat Satellite 6 and getting it to the point of continuing the configuration from the web interface.  Part 2 will cover initial configuration of the satellite. Keep in mind I've never done this before and I'm just documenting my steps, failures and lessons learned for all to read.

Logging in
Browse to https://servername in your favorite browser. After accepting the self signed certificate, you should get the fancy new satellite 6 logon page. Login with admin and the password which was given to you in the console after running the install process.









Configuring an organization
Satellite 6 seems to do a lot more with "organizations" and "locations" than Sat 5 did.  So, my first thing I'm going to do in the new installation is rename the default organization to what I want my organization to be called. Click on Any Context > Manage organizations.


On the Organizations screen, there will be a "Default_Organization" already created.  Click the edit button on the right. On the edit Default_Organization screen, type in the name of your company or group. Scroll down and click submit.

Generating a manifest
Now that we have defined an organization, we can import the licenses from the customer portal so we can start syncing repositories and adding systems.  Log into the Red Hat customer portal with the account that has all of your RHEL licenses attached to it.

First, we have to create a new subscription manager application. Click on subscriptions, subscription management, subscription management applications. Once there, click on "Register a subscription management application"

Select Satellite for the type from the drop down list. Type in the name of your satellite server. Select Satellite 6.0 from the drop down list and press register.
The satellite entry should show up in the table now. Click on the server name. On the next page, click on "Attach a Subscription."  A window should open up that lists all of your available RHEL subscriptions. Select each one which you want your satellite to manage and click Add on the bottom.

After attaching the subscriptions to the satellite, we have to download the manifest so it can be uploaded to the satellite server. Click on Download Manifest in the upper right corner. A zip file should start downloading.

Attach the Manifest to the Satellite
Once the manifest is downloaded, it has to be uploaded to the satellite server.  In the satellite web interface, make sure you have your organization selected and not "Any Context." To do this, click on "Any Context" and select your organization. Performing this step will ensure your subscriptions will be available to servers which are added to the organization.

Click on Content and then Red Hat Subscriptions
Click the Choose File button and select your downloaded manifest file.
Click on upload. After a couple moments, all of your subscriptions should show up in the left window pane.

That is it for part 2. In part 3 I will start syncing some repositories. 



Red Hat Satellite 6.0 - Part 1 - Installation

Red Hat Satellite 6 was released last week and it has a lot of cool stuff that I want to get implemented in my environment. In this post I will attempt to document my installation of Sat 6.  I will make a new post for my migration from Sat 5 to 6.  I am following along the doc located at the official documentation.

I decided to live on the edge and try to deploy with RHEL 7 instead of 6. Much learning will have had! Also note, all commands in this guide are run as root from a root shell.

Server specifications I'm using:
OS: RHEL 7
Hardware: VMWare 5.5
CPU: 4 cpu single socket
RAM: 8 GB
Disk: /boot 500 MB, / 30 GB, /var/lib/mongodb 50 GB, /var/lib/pulp 200 GB.

RHEL 7 Installation
For the installation, I didn't do anything special. Selected minimal install for packages and manually setup my partitions. The most important part is to make sure you have enough disk for the internal database and for all the repositories.  Some guy on the internet said that he had RHEL 6,7 and openstack repositories sync'd, his DB was 10 gig and his repositories were 65 gig.

In sat5, /var/satellite was where all the repositories were stored, in sat6, they are located in /var/lib/pulp. The satellite mongo database is in /var/lib/mongodb.  

Attach the server to a valid RHEL license using the subscription-manager command. Update all packages and reboot since there is probably a kernel update.  You will also need to attach to a Satellite license of some kind.

Satellite Installation
After installation and patching, I made sure all repositories except the ones necessary are enabled.

  • subscription-manager repos --disable "*"
  • subscription-manager repos --enable rhel-7-server-rpms --enable rhel-server-rhscl-7-rpms --enable rhel-7-server-satellite-6.0-rpms
Install Satellite 
  • yum install katello
If it comes back and says that katello is not found, then you either don't have the correct repositories selected or the wrong subscription attached to the system. 

Run the Satellite installer
  • katello-installer
This process takes a while to run. Use this time to add a DNS A record for the server or even a CNAME if you want to get fancy if you have not already done so.  When the installer is complete, it will tell you what the admin password is for the satellite web page. If you forget what the password is, run this command and it will generate a new one.

  • foreman-rake permissions:reset
Also, disable the firewall so you can actually get to the page. If you want to keep the firewall on, refer to the official doc on which ports to keep open.
  • systemctl stop firewalld
We're now ready to log onto the Satellite management webpage.

Wednesday, February 19, 2014

Kickstart - Setting required dynamic options for Oracle Database install

When setting up a RHEL server to be an Oracle database, there is a ton of stuff that has to be done post install that takes quite a bit of time.  I found a nice guide from Red Hat at the following URL:

http://www.redhat.com/resourcelibrary/reference-architectures/deploying-oracle-11gr2-on-rhel-6

Since I have my new fancy Satellite setup at work, I want to utilize a kickstart process to deploy these servers so they're always the same.  The issue I ran into was that different machines have different amounts of RAM and other things, so hard coding a bunch of kernel parameters into a kickstart post section wouldn't work out on multiple machine types.

I came up with the following chrooted post script for kickstart that will dynamically figure out what the required kernel parameters should be and build /etc/sysctl.conf with that information. It also creates the required oracle user, groups and directory structure.

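#config kernel params

#math section

#get system ram in bytes (kernel.shmmax is expressed in bytes, plain "free" reports KB)
TOTALRAM=$(free -b | awk '/^Mem:/ { print $2 }')

#get page_size in bytes
PAGESIZE=$(getconf PAGE_SIZE)

#figure out shmall (total shared memory, counted in pages)
SHMALL=$((TOTALRAM / PAGESIZE))

#figure out shmmax (half of RAM, in bytes)
SHMAX=$((TOTALRAM / 2))

#shmmni oracle recommendation
SHMINI=4096

#get file max: current limit plus 512 file handles per expected process
CURFILEMAX=$(cat /proc/sys/fs/file-max)
TOTALPROC=300
ADDEDPROC=$((512 * TOTALPROC))
FILEMAX=$((CURFILEMAX + ADDEDPROC))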



#build sysctl.conf
echo "net.ipv4.ip_forward = 0" > /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.eth0.rp_filter = 2" >> /etc/sysctl.conf
echo "net.ipv4.conf.eth2.rp_filter = 2" >> /etc/sysctl.conf
echo "kernel.sysrq = 0" >> /etc/sysctl.conf
echo "kernel.core_uses_pid = 1" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range = 9000 65500" >> /etc/sysctl.conf
echo "kernel.msgmnb = 65536" >> /etc/sysctl.conf
echo "kernel.msgmax = 65536" >> /etc/sysctl.conf
echo "kernel.shmmax = $SHMAX" >> /etc/sysctl.conf
echo "kernel.shmall = $SHMALL" >> /etc/sysctl.conf
echo "kernel.shmmni = $SHMINI" >> /etc/sysctl.conf
echo "kernel.sem = 250 32000 100 128" >> /etc/sysctl.conf
echo "vm.swappiness = 0" >> /etc/sysctl.conf
echo "vm.dirty_background_ratio = 3" >> /etc/sysctl.conf
echo "vm.dirty_ratio = 80" >> /etc/sysctl.conf
echo "vm.dirty_expire_centisecs = 500" >> /etc/sysctl.conf
echo "vm.dirty_writeback_centisecs = 100" >> /etc/sysctl.conf
echo "net.core.rmem_default = 262144" >> /etc/sysctl.conf
echo "net.core.rmem_max = 4194304" >> /etc/sysctl.conf
echo "net.core.wmem_default = 262144" >> /etc/sysctl.conf
echo "net.core.wmem_max = 1048576" >> /etc/sysctl.conf
echo "fs.aio-max-nr = 1048576" >> /etc/sysctl.conf
echo "fs.file-max = $FILEMAX" >> /etc/sysctl.conf

#make sure time is right and turn on ntp
ntpdate 10.3.254.20
service ntpd start
chkconfig ntpd on

#add oracle groups and users. I hardset the GID and UID so that they match up on NFS
#exports that are mounted between multiple servers
groupadd --gid 501 oinstall
groupadd --gid 502 dba
groupadd --gid 503 asmdba
groupadd --gid 504 asmoper
groupadd --gid 505 asmadmin
groupadd --gid 506 oper
useradd --uid 501 --gid oinstall --groups dba,oper,asmdba,asmoper oracle
useradd --uid 502 --gid oinstall --groups dba,asmadmin,asmdba,asmoper grid

#set limits for oracle and grid. add to the bottom of limits.conf
echo "oracle soft nproc 2047" >> /etc/security/limits.conf
echo "oracle hard nproc 16384" >> /etc/security/limits.conf
echo "oracle soft nofile 1024" >> /etc/security/limits.conf
echo "oracle hard nofile 65536" >> /etc/security/limits.conf
echo "oracle soft stack 10240" >> /etc/security/limits.conf
echo "oracle hard stack 32768" >> /etc/security/limits.conf
echo "grid soft nproc 2047" >> /etc/security/limits.conf
echo "grid hard nproc 16384" >> /etc/security/limits.conf
echo "grid soft nofile 1024" >> /etc/security/limits.conf
echo "grid hard nofile 65536" >> /etc/security/limits.conf
echo "grid soft stack 10240" >> /etc/security/limits.conf
echo "grid hard stack 32768" >> /etc/security/limits.conf

#require pam
echo "session required pam_limits.so" >> /etc/pam.d/login

#create directories for oracle
mkdir --parents /u01/app/grid
chown --recursive grid:oinstall /u01/

Force yum to refresh its cache

Sometimes yum misbehaves and needs to be cleaned. I have found that running these commands will sometimes help resolve weird issues with yum not seeing updates/packages at all or seeing updates/packages it should not see!


  1. yum clean all
  2. yum makecache
After running these commands, yum should have refreshed its data on the local system and will hopefully have cleaned up the issue.

Red Hat Satellite - Regenerating repository data

I've been running into a problem where the web interface says there are updated packages available for a system, but yet when I sign on to the system and do a yum update, it reports no updates available.  If I try to deploy the updates from the web interface, the process fails with

Error while executing packages action: empty transaction [[6]]

After digging around, someone suggested rebuilding the repodata for the channel in question might fix it. I tried it out and it worked for me.

To do this process, a python script is needed. It can be obtained from here:
https://github.com/FDewaleyne/regen-repodata/blob/master/regen-repodata.py

Download the script to the satellite server. On the satellite server, delete the repodata that is there already and then run the script to regenerate it.

  1. Repodata is kept in  /var/cache/rhn/repodata by default
    • Doing an "ls" here will show directories for each channel that is sync'd to the satellite. Change directory to the channel to be regenerated.
  2. Delete all files within the directory.
  3. Run the python script
    • python /path/to/regen-repodata.py -c channelname --cleandb --force --db --url https://satellite.domain.local/rpc/api
    • The username and password it asks for is the admin account for the Satellite web interface.
  4. Depending on how large the channel is, this process could take a while.


Friday, February 7, 2014

Red Hat Kickstart - Prompting for input

I have progressed in my implementation of Red Hat Satellite to the point of setting up a kickstart file for automated deployments.  Setting up the kickstart file through the Satellite web interface was pretty easy to do. I was deploying a fully automated RHEL installation fairly quickly.

I wanted more though. I want all the normal stuff that I normally have to do after installation to already be done.  Such as setting the hostname and IP Address.  From my research, the way to do this is with pre and post scripts in the kickstart file.

To start off simple, I wanted the kickstart process to prompt me for hostname, IP and gateway.  Here is what I came up with for my pre and post sections:

%pre
#change to tty6 to get input
chvt 6
exec </dev/tty6 > /dev/tty6

#Get hostname (read -r keeps backslashes in the answer literal)
echo "What is my hostname?"
read -r NAME

#Get IP
echo "What is my IP?"
read -r ADDR

#Get Gateway
echo "What is the Gateway?"
read -r GW


#build /etc/sysconfig/network
echo "NETWORKING=yes" > network
echo "HOSTNAME=${NAME}" >> network
echo "GATEWAY=${GW}" >> network

#build /etc/sysconfig/network-scripts/ifcfg-eth0
echo "DEVICE=eth0" > ifcfg-eth0
echo "BOOTPROTO=none" >> ifcfg-eth0
echo "IPV6INIT=no" >> ifcfg-eth0
echo "MTU=1500" >> ifcfg-eth0
echo "NM_CONTROLLED=no" >> ifcfg-eth0
echo "ONBOOT=yes" >> ifcfg-eth0
echo "TYPE=Ethernet" >> ifcfg-eth0
echo "IPADDR=${ADDR}" >> ifcfg-eth0
echo "NETMASK=255.255.254.0" >> ifcfg-eth0

#change back to tty1 and continue script
chvt 1
exec < /dev/tty1 > /dev/tty1
%end

%post --nochroot
# bring in hostname collected from %pre
cp network /mnt/sysimage/etc/sysconfig/network
. /mnt/sysimage/etc/sysconfig/network
# force hostname change
/mnt/sysimage/bin/hostname "$HOSTNAME"

#copy prebuilt ifcfg-eth0 script to set IP
cp ifcfg-eth0 /mnt/sysimage/etc/sysconfig/network-scripts/ifcfg-eth0

%end

After I made these changes to my pre and post scripts, the kickstart process asked me for the IP, Gateway and hostname.  When the install completed, all 3 were set correctly.
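
The %post section above sources the generated network file with ".", so whatever is typed at the prompts ends up being parsed by a root shell. The following is an added example (not part of the original kickstart) that checks the three answers before they are written; the function names valid_ipv4, valid_hostname and ask are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: validate operator input in %pre before it is written into
# files that %post later sources. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make A-Z / a-z ranges mean ASCII only

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;          # digits and dots only
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ''|????*|0?*) return 1 ;;      # empty, over 3 digits, leading zero
        esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# valid_hostname NAME -> 0 if NAME is made of RFC 1123 style labels
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # rejects spaces, quotes, $ ; ` ( )
        .*|*.|*..*) return 1 ;;            # empty label
        -*|*-|*.-*|*-.*) return 1 ;;       # label starts or ends with a hyphen
    esac
    [ "${#1}" -le 253 ] || return 1
    rest="$1."
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        rest=${rest#*.}
        [ "${#label}" -le 63 ] || return 1
    done
    return 0
}

# ask PROMPT VALIDATOR -> repeats PROMPT until VALIDATOR accepts the answer,
# which is left in $ANSWER; returns 1 if input ends first
ask() {
    while :; do
        echo "$1"
        IFS= read -r ANSWER || return 1
        "$2" "$ANSWER" && return 0
        echo "Not accepted, please re-enter."
    done
}

# In %pre, after "exec </dev/tty6 > /dev/tty6", the three reads become:
#   ask "What is my hostname?" valid_hostname && NAME=$ANSWER
#   ask "What is my IP?"       valid_ipv4     && ADDR=$ANSWER
#   ask "What is the Gateway?" valid_ipv4     && GW=$ANSWER

# Constructed sample answers, checked non-interactively for illustration.
for sample in 'web01.example.com' 'web01;id' '$(id)' '-bad.example.com'; do
    if valid_hostname "$sample"; then
        echo "hostname accepted: $sample"
    else
        echo "hostname rejected: $sample"
    fi
done
for sample in '10.3.254.20' '10.3.254.256' '1.2.3.4.' '1.2.3'; do
    if valid_ipv4 "$sample"; then
        echo "address accepted: $sample"
    else
        echo "address rejected: $sample"
    fi
done
```

Only letters, digits, dots and hyphens survive the hostname check, so nothing the shell treats as syntax can reach the sourced file.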

Monday, February 3, 2014

Red Hat Satellite 5.6 - Create RHN tools child channel for a custom cloned channel

When creating a custom cloned channel in Satellite, which would be done to keep subscribed systems at a specific release level, you have to clone the RHN Tools child channel as well. The RHN Tools channel provides the osad daemon as well as other important packages that allow the satellite to perform better management of subscribed systems.

This process can only be completed if there is already a base channel with the rhn-tools child channel and a cloned channel created.  Run this command on the command line of the Satellite server.

The command:

spacewalk-clone-by-date --parents=rhel-x86_64-server-6 rhel-x86_64-server-6.4 --channels=rhn-tools-rhel-x86_64-server-6 tools-rhel-x86_64-server-6.4 --to_date=2013-02-21 -u username

Explanation:

  • rhel-x86_64-server-6                = original base channel
  • rhel-x86_64-server-6.4             = name of custom clone channel
  • rhn-tools-rhel-x86_64-server-6 = original base tools channel
  • tools-rhel-x86_64-server-6.4    = what you want to name the rhn-tools channel. Note, this channel name cannot start with "rhel" or "rhn"
  • 2013-02-21                              = locks packages to 6.4.
  • username                                   = admin user of the Satellite




Thursday, January 30, 2014

Red Hat Satellite 5.6 - Installing and Configuring

Overview:

I recently set up a Red Hat Satellite instance at work.  I'm hoping to use it to better manage system patching and common configuration files such as resolv.conf and sudoers.  Some of the instructions from Red Hat are very good, while some of it is kind of confusing. Here is what I did to configure it in our environment.

Important links (requires Red Hat account):


Goals:

  1. Install Red Hat satellite 5.6
  2. Configure Satellite to manage software and package updates on Red Hat systems
  3. Ability to keep some systems at specific patch levels
  4. Configure Satellite to manage common configuration files such as resolv.conf and sudoers

Satellite Server Specifications:

Installing Satellite on Red Hat 6.5 x86_64 guest on a VM Ware 5.5 hypervisor.  According to the installation guide, minimum requirements are:
  • Dual 2.4 CPU
  • 4 GB RAM
  • 5 GB for OS
  • 40 GB for RPM / Channel storage
  • 10 GB for database
Actual specs used for this install:
  • Dual 2.4 CPU
  • 8 GB RAM
  • 40 GB for OS
  • 80 GB for RPM / Channel storage
  • 40 GB for database
Satellite downloads every RPM available for a release level, so I wanted to give plenty of room for growth. Especially for the RPM / Channel storage. 
Verify that DNS is correctly setup so that the name of the satellite server resolves to the IP of the satellite server.

OS Installation and patching:

  • Boot to the Red Hat 6.5 installation media and go through the installation process. The installation guide says to only select the "base" package and nothing else. This document does not cover OS installation.
  • When setting up the disk partitioning, set up separate volume groups for the RPM storage and the database. Mount the RPM storage at /var/satellite. Mount the database volume group at /var/lib/pgsql
  • After OS installation is complete:
    • Setup the Network interface
    • setup /etc/resolv.conf
    • sync with an ntp server, chkconfig ntpd on
    • edit /etc/hosts. put in the IP address of the server followed by the hostname and fqdn.
    • edit /etc/sysconfig/iptables. comment out everything. restart iptables /etc/init.d/iptables restart. iptables -L should report all accept and have no chain entries.
    • Register the server to the RHN classic entitlement service through the customer access portal using "rhn_register".  Satellite will not work with the newer Red Hat Subscription service.  Perform all updates using "yum update". Reboot when the update is done. Install VMware Tools and reboot again.

Get the Entitlement Certificate:

  • Sign into Red Hat account at access.redhat.com
  • Subscriptions > subscription management > subscription applications
  • Click on Satellite and then register a satellite
  • Type in the name of the satellite server. Select correct version (5.6)
  • Click register
  • Attach all subscriptions the satellite will manage
  • Download manifest and satellite certificate. Copy these files to the satellite server. Should be an xml file and a zip file.

Installation of Satellite:

  • Verify /var/satellite and /var/lib/pgsql are mounted
  • Verify ntpd is running and the time is correct
  • Download the Satellite ISO from the Satellite product page. Copy it to the Satellite server
  • Mount the ISO
    • mount -o loop satellite-5.6.0-20130927-rhel-6-x86_64.iso /mnt/cdrom/
  • Fix selinux context on /var/lib/pgsql or the install will fail
    •  restorecon -Rv /var/lib/pgsql
  • Run /mnt/cdrom/install.pl
  • Answer yes to the dependency question
  • Watch the cool ASCII animations
  • Enter in an email address when prompted. I used a shared mailbox.
  • Type in the location of the satellite certificate. It is the .xml file that was downloaded previously.
  • Answer yes to use a self signed SSL cert
    • Follow the prompts to create a self signed cert
  • Answer Yes to the cobbler question
  • The installer will finish and provide a link to the Satellite web page.
  • Un-mount the satellite installer iso
    • umount /mnt/cdrom
  • Check for updates again. There are a bunch of satellite updates
    • yum update -y

Initial Configuration:

  • Browse to the satellite web interface
  • Create the initial user. This user is the king of the installation. Because of this, I used a generic account.
  • Satellite overview page appears. Click on the blue bar on the top that directs you to configure more options
    • Configure any options that are needed
  • Go to the users tab, select the account created, go to preferences, uncheck email notifications.
    • if you do not uncheck this, the email account will be spammed with a notification for every new package that is released from red hat

Sync a base channel from RHN:

After installing Satellite, it will have no base update and package channels. These channels need to be downloaded from the Red Hat Network.  Make sure the following command is run either in a screen session, as a background task or on the console. It will take about 14 hours to complete.
  • satellite-sync -c rhel-x86_64-server-6
Also sync the rhn-tools
  • satellite-sync -c rhn-tools-rhel-x86_64-server-6
  • Takes approx 5 minutes
The channel created will contain the latest RHEL 6 packages. To create a custom 6.4 channel, use
  • spacewalk-clone-by-date --channels=rhel-x86_64-server-6 clone-rhel-x86_64-server-6 --to_date=2013-02-21 -u username
    • rhel-x86_64-server-6.4 is what the name of the cloned channel is.
    • username is the admin username for logging into satellite
    • Takes approx 45 minutes
In the satellite web interface, there should now be some channels listed. Systems will be assigned to these channels.

Adding a system to the satellite for updates.

Create an activation key. The activation key will be used to easily register a system to the satellite and set the system up to use a package channel.
  • In the web interface, go to the systems tab.
  • Click on activation keys on the left
  • Click on create new key in the upper right
  • Type in a description
  • Type in a name for the key, otherwise satellite will make up its own.
  • Select the base channel. In the case of this document, it should have the red hat server 6 and the RHEL 6.4 channels.
  • Select the add-on entitlements if needed.
  • Click create activation key.
Apply activation key to a client system.
On the client system as root:
  • install the SSL Certificate RPM
    • rpm -Uvh http://satellite.example.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
  • Register the system with the Satellite
    • rhnreg_ks --activationkey mykey --serverUrl https://satellite.example.com/XMLRPC --sslCACert /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      • mykey is the name of the activation key created previously. Not the description!
  • Make sure to use the FQDN of the satellite server, otherwise the client system will not work correctly when installing or updating packages
  • The system should now show up in the "systems" tab on the satellite web interface.
  • The system should now be able to be updated with either "yum update" or from the web interface.

Deploy a common configuration file

Satellite can manage common files across multiple systems or a single file on one system. It can be used to make sure that a configuration file is always a specific way, even if someone changes it on the local system. 
  • In the web interface, click on configuration tab
  • Click on Configuration Channels menu on the left
  • Click create new config channel in the upper right
  • Type in a name and a label. I used the same for both. Type in a description.
  • Click on Add files
  • Upload, import or create a file to manage. Change any selinux, file permissions or ownership required
Add the configuration channel to a system
  • In the web interface, click on the configuration tab
  • click on configuration channels
  • click on a created configuration channel
  • click on systems
  • click on target systems
  • select the systems to deploy to 
  • click on subscribe systems.

Deploy configuration file
  • In the web interface, click on the configuration tab
  • click on a configuration channel to deploy
  • click on deploy files
  • select the systems to deploy to
  • deploy selected files
  • select the system again and confirm and deploy
  • click deploy
  • Look on the target system, the file should be updated with the changes.


SELinux is still on. Victory!