Thursday, January 30, 2014

Red Hat Satellite 5.6 - Installing and Configuring


I recently setup a Red Hat Satellite instance at work.  I'm hoping to use it to better manage system patching and common configuration files such as resolv.conf and sudoers.  Some of the instructions from Red Hat are very good, while some of it is kind of confusing. Here is what I did to configure it in our environment.

Important links (requires Red Hat account):


  1. Install Red Hat satellite 5.6
  2. Configure Satellite to manage software and package updates on Red Hat systems
  3. Ability to keep some systems at specific patch levels
  4. Configure Satellite to manage common configuration files such as resolv.conf and sudoers

Satellite Server Specifications:

Installing Satellite on Red Hat 6.5 x86_64 guest on a VM Ware 5.5 hypervisor.  According to the installation guide, minimum requirements are:
  • Dual 2.4 CPU
  • 4 GB RAM
  • 5 GB for OS
  • 40 GB for RPM / Channel storage
  • 10 GB for database
Actual specs used for this install:
  • Dual 2.4 CPU
  • 8 GB RAM
  • 40 GB for OS
  • 80 GB for RPM / Channel storage
  • 40 GB for database
Satellite downloads every RPM available for a release level, so I wanted to give plenty of room for growth. Especially for the RPM / Channel storage. 
Verify that DNS is correctly setup so that the name of the satellite server resolves to the IP of the satellite server.

OS Installation and patching:

  • Boot to the Red Hat 6.5 installation media and go through the installation process. The installation guide says to only select the "base" package and nothing else. This document does not cover OS installation.
  • When setting up the disk partitioning. Setup separate volume groups for the RPM storage and the database. Mount the RPM storage at /var/satellite. Mount the database volume group at /var/lib/pgsql
  • After OS Installation is complete. 
    • Setup the Network interface
    • setup /etc/resolv.conf
    • sync with an ntp server, chkconfig ntpd on
    • edit /etc/hosts. put in the IP address of the server followed by the hostname and fqdn.
    • edit /etc/sysconfig/iptables. comment out everything. restart iptables /etc/init.d/iptables restart. iptables -L should report all accept and have no chain entries.
    • Register the server to the RHN classic entitlement service through the customer access portal using "rhn_register"  Satellite will not work with the newer Red Hat Subscription service.  Perform all updates using with "yum update". Reboot when the update is done. Install VM Ware Tools and reboot again.

Get the Entitlement Certificate:

  • Sign into Red Hat account at
  • Subscriptions > subscription management > subscription applications
  • Click on Satellite and then register a satellite
  • Type in the name of the satellite server. Select correct version (5.6)
  • Click register
  • Attach all subscriptions the satellite will manage
  • Download manifest and satellite certificate. Copy these files to the satellite server. Should be an xml file and a zip file.

Installation of Satellite:

  • Verify /var/satellite and /var/lib/pgsql are mounted
  • Verify ntpd is running and the time is correct
  • Download the Satellite ISO from the Satellite product page. Copy it to the Satellite server
  • Mount the ISO
    • mount -o loop satellite-5.6.0-20130927-rhel-6-x86_64.iso /mnt/cdrom/
  • Fix selinux context on /var/lib/pgsql or the install will fail
    •  restorecon -Rv /var/lib/pgsql
  • Run /mnt/cdrom/
  • Answer yes to the dependency question
  • Watch the cool ASCII animations
  • Enter in an email address when prompted. I used a shared mailbox.
  • Type in the location of the satellite certificate. It is the .xml file that was downloaded previously.
  • Answer yes to use a self signed SSL cert
    • Follow the prompts to create a self signed cert
  • Answer Yes to the cobbler question
  • The installer will finish and provide a link to the Satellite web page.
  • Un-mount the satellite installer iso
    • umount /mnt/cdrom
  • Check for updates again. There are a bunch of satellite updates
    • yum update -y

Initial Configuration:

  • Browse to the satellite web interface
  • Create the initial user. This user is the king of the installation. Because of this, I used a generic account.
  • Satellite overview page appears. Click on the blue bar on the top that directs you to configure more options
    • Configure any options that are needed
  • Go to the users tab, select the account created, go to preferences, uncheck email notifications.
    • if you do not uncheck this, the email account will be spammed with a notification for every new package that is released from red hat

Sync a base channel from RHN:

After installing Satellite, it will have no base update and package channels. These channels need to be downloaded from the Red Hat Network.  Make sure the following command is ran either in a screen session, background task or on the console. It will take about 14 hours to complete.
  • satellite-sync -c rhel-x86_64-server-6
Also sync the rhn-tools
  • satellite-sync -c rhn-tools-rhel-x86_64-server-6
  • Takes approx 5 minutes
The channel created will contain the latest RHEL 6 packages. To create a custom 6.4 channel, use
  • spacewalk-clone-by-date --channels=rhel-x86_64-server-6 clone-rhel-x86_64-server-6 --to_date=2013-02-21 -u username
    • rhel-x86_64-server-6.4 is what the name of the cloned channel is.
    • username is the admin username for logging into satellite
    • Takes approx 45 minutes
In the satellite web interface, there should now be some channels listed. Systems will be assigned to these channels.

Adding a system to the satellite for updates.

Create and activation key. The activation key will be used easily register a system to the satellite and set the system up to use a package channel.
  • In the web interface, go to the systems tab.
  • Click on activation keys on the left
  • Click on create new key in the upper right
  • Type in a description
  • Type in a name for the key, otherwise satellite will make up it's own.
  • Select the base channel. In the case of this document, it should have the red hat server 6 and the RHEL 6.4 channels.
  • Select the add-on entitlements if needed.
  • Click create activation key.
Apply activation key to a client system.
On the client system as root:
  • install the SSL Certificate RPM
    • rpm -Uvh
  • Register the system with the Satellite
    • rhnreg_ks --activationkey mykey --serverUrl --sslCACert /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      • mykey is the name of the activation key created previously. Not the description!
  • Make sure to use the FQDN of the satellite server, otherwise the client system will not work correctly when installing or updating packages
  • The system should now show up in the "systems" tab on the satellite web interface.
  • The system should now be able to be updated with either "yum update" or from the web interface.

Deploy a common configuration file

Satellite can manage common files across multiple systems or a single file on one system. It can be used to make sure that a configuration file is always a specific way, even if someone changes it on the local system. 
  • In the web interface, click on configuration tab
  • Click on Configuration Channels menu on the left
  • Click create new config channel in the upper right
  • Type in a name and a label. I used the same for both. Type in a description.
  • Click on Add files
  • Upload, import or create a file to manage. Change any selinux, file permissions or ownership required
Add the configuration channel to a system
  • In the web interface, click on the configuration tab
  • click on configuration channels
  • click on a created configuration channel
  • click on systems
  • click on target systems
  • select the systems to deploy to 
  • click on subscribe systems.

Deploy configuration file
  • In the web interface, click on the configuration tab
  • click on a configuration channel to deploy
  • click on deploy files
  • select the systems to deploy to
  • deploy selected files
  • select the system again and confirm and deploy
  • click deploy
  • Look on the target system, the file should be updated with the changes.

SELinux is still on. Victory!


ranjith k said...

why most of the environment does not use sattelite server for managing configurations ..? instead Puppet is used. Is there any specific reason behind it? such as security concern etc..


Lunchbox said...


Puppet and Spacewalk/Satellite don't really occupy the same space, although there is some overlap. The ability to configure some files in Spw/Sat is very limited, and Puppet (or Chef) can better coordinate config changes between hosts: set up a monitoring host, for instance, and you can ensure all other hosts are assigned to it as required.

There is no added risk in using Spw/Sat to configure these files, but mixing tools (like puppet and ansible) isn't recommended unless a lot of work is done to prevent contention. Since no tool covers everything well, I've seen shops using Chef for depth and Ansible for the pieces Chef is missing (run from a dutch rudder host), but those shops will constantly work to ensure Ansible is only used in a limited fashion on those things (usually switches) that need the injected client or monkey editing of Ansible instead of an embedded client install like Chef or Puppet.