15.4. Configuring a Red Hat Satellite Capsule Server
Prerequisite
You must meet the following conditions before continuing on this task:
- Install the Red Hat Satellite Server.
- Set the SELinux permissions on the system designated as the Satellite Capsule Server as enforcing.
The following procedures configure a Satellite Capsule Server for use with your Red Hat Satellite Server. This includes the following types of Satellite Capsule Servers:
- Satellite Capsule Server with Smart Proxy
- Satellite Capsule Server as a Content Node
- Satellite Capsule Server as a Content Node with Smart Proxy
To configure a Satellite Capsule Server:
- On the Satellite Server:
- Generate a Satellite Capsule Server certificate:
capsule-certs-generate --capsule-fqdn capsule_FQDN --certs-tar ~/capsule.example.com-certs.tar
Where:capsule_FQDN
is the Satellite Capsule Server's fully qualified domain name. (REQUIRED)certs-tar
is the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
Runningcapsule-certs-generate
will generate the following output message:To finish the installation, follow these steps: 1. Ensure that the capsule-installer is available on the system. The capsule-installer comes from the katello-installer package and should be acquired through the means that are appropriate to your deployment. 2. Copy ~/capsule.example.com-certs.tar to the capsule system capsule.example.com 3. Run the following commands on the capsule (possibly with the customized parameters, see capsule-installer --help and documentation for more info on setting up additional services): rpm -Uvh http://master.com/pub/katello-ca-consumer-latest.noarch.rpm subscription-manager register --org "Default Organization" capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "~/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"
- Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server:
- Register your Satellite Capsule Server to the Satellite Server:
# rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm # subscription-manager register --org "Default Organization" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing. - Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "satellite.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com"
- Option 2 - Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
# capsule-installer --parent-fqdn "sat6.example.com"\ --register-in-foreman "true"\ --foreman-oauth-key "xmmQCGYdkoCRcbviGfuPdX7ZiCsdExf"\ --foreman-oauth-secret "w5ZDpyPJ24eSBNo53AFybcnqoDYXgLUA"\ --pulp-oauth-secret "doajBEXqNcANy93ZbciFyysWaiwt6BWU"\ --certs-tar "/root/capsule.example.com-certs.tar"\ --puppet "true"\ --puppetca "true"\ --pulp "true"\ --tftp "true"\ --dhcp "true"\ --dhcp-interface "virbr1"\ --dns "true"\ --dns-forwarders "8.8.8.8"\ --dns-forwarders "8.8.4.4"\ --dns-interface "virbr1"\ --dns-zone "example.com"
- Run the following commands to configure the firewall to limit elasticsearch to the
foreman
,katello
and root users and make these rules persistent during reboots:- For Red Hat Enterprise Linux 6:
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP iptables-save > /etc/sysconfig/iptables
- For Red Hat Enterprise Linux 7:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP
Note
If the configuration is successful, run this command as the root user on the Satellite Capsule Server:
# echo $?
This command should return a "0" to indicate success. If it does not, check
/var/log/kafo
to debug the cause of failure. /var/log/kafo
is the log file for the output generated by the commands capsule-certs-generate
and capsule-installer
.
The Satellite Capsule Server should also appear in the Satellite Server's User Interface under .
Result:
The Satellite Capsule Server is now configured and registered with the Satellite Server.