Search
SupportConsoleDevelopersStart a trialContact

Chapter 2. Installing Capsule Server

download PDF

Before you install Capsule Server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.

2.1. Registering to Satellite Server

Use this procedure to register the base operating system on which you want to install Capsule Server to Satellite Server.

Red Hat subscription manifest prerequisites

  • On Satellite Server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Capsule to belong to.
  • The manifest must contain repositories for the base operating system on which you want to install Capsule, as well as any clients that you want to connect to Capsule.
  • The repositories must be synchronized.

For more information on manifests and repositories, see Managing Red Hat Subscriptions in Managing content.

Proxy and network prerequisites

  • The Satellite Server base operating system must be able to resolve the host name of the Capsule base operating system and vice versa.
  • Ensure HTTPS connection using client certificate authentication is possible between Capsule Server and Satellite Server. HTTP proxies between Capsule Server and Satellite Server are not supported.
  • You must configure the host and network-based firewalls accordingly. For more information, see Port and firewall requirements in Installing Capsule Server. You can register hosts with Satellite using the host registration feature in the Satellite web UI, Hammer CLI, or the Satellite API. For more information, see Registering Hosts in Managing hosts.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Register Host.
  2. From the Activation Keys list, select the activation keys to assign to your host.
  3. Click Generate to create the registration command.
  4. Click on the files icon to copy the command to your clipboard.
  5. Connect to your host using SSH and run the registration command.
  6. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

CLI procedure

  1. Generate the host registration command using the Hammer CLI: 

    # hammer host-registration generate-command \
--activation-keys "My_Activation_Key"

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command. 

    # hammer host-registration generate-command \
--activation-keys "My_Activation_Key" \
--insecure true
  2. Connect to your host using SSH and run the registration command.
  3. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

API procedure

  1. Generate the host registration command using the Satellite API: 

    # curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command. 

    # curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'

    Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.

    To enter a password as a command line argument, use username:password syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Satellite web UI, navigate to My Account > Personal Access Tokens.

  2. Connect to your host using SSH and run the registration command.
  3. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

2.2. Attaching the Satellite Infrastructure subscription

Note

Skip this step if you have SCA enabled on Satellite. There is no requirement of attaching the Red Hat Satellite Infrastructure Subscription to the Capsule Server using subscription-manager. For more information about SCA, see Simple Content Access.

After you have registered Capsule Server, you must identify your subscription Pool ID and attach an available subscription. The Red Hat Satellite Infrastructure subscription provides access to the Red Hat Satellite and Red Hat Enterprise Linux content.

Red Hat Satellite Infrastructure is included with all subscriptions that include Satellite, formerly known as Smart Management. For more information, see Satellite Infrastructure Subscriptions MCT3718 MCT3719 in the Red Hat Knowledgebase.

Subscriptions are classified as available if they are not already attached to a system. If you are unable to find an available Satellite subscription, see the Red Hat Knowledgebase solution How do I figure out which subscriptions have been consumed by clients registered under Red Hat Subscription Manager? to run a script to see if another system is consuming your subscription.

Procedure

  1. Identify the Pool ID of the Satellite Infrastructure subscription: 

    # subscription-manager list --all --available --matches 'Red Hat Satellite Infrastructure Subscription'

    The command displays output similar to the following: 

    Subscription Name:   Red Hat Satellite Infrastructure Subscription
Provides:            Red Hat Satellite
                     Red Hat Software Collections (for RHEL Server)
                     Red Hat CodeReady Linux Builder for x86_64
                     Red Hat Satellite Capsule
                     Red Hat Ansible Engine
                     Red Hat Satellite with Embedded Oracle
                     Red Hat Satellite 5 Managed DB
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                     Red Hat Beta
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux for x86_64
                     Red Hat Satellite Proxy
                     Red Hat Enterprise Linux High Availability for x86_64
                     Red Hat Discovery
SKU:                 MCT3718
Contract:
Pool ID:             8aca43dd771bf31101771c0231f906a5
Provides Management: Yes
Available:           10
Suggested:           1
Service Type:        L1-L3
Roles:
Service Level:       Premium
Usage:
Add-ons:
Subscription Type:   Standard
Starts:              11/11/2020
Ends:                11/11/2023
Entitlement Type:    Physical
  2. Make a note of the subscription Pool ID. Your subscription Pool ID is different from the example provided.

  3. Attach the Satellite Infrastructure subscription to the base operating system that your Capsule Server is running on. If SCA is enabled on Satellite Server, you can skip this step: 

    # subscription-manager attach --pool=pool_id

    The command displays output similar to the following: 

    Successfully attached a subscription for: Red Hat Satellite Infrastructure Subscription

  4. Optional: Verify that the Satellite Infrastructure subscription is attached: 

    # subscription-manager list --consumed

2.3. Configuring repositories

Use this procedure to enable the repositories that are required to install Capsule Server.

  1. Disable all repositories: 

    # subscription-manager repos --disable "*"

  2. Enable the following repositories: 

    # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \
--enable=rhel-8-for-x86_64-appstream-rpms \
--enable=satellite-capsule-6.15-for-rhel-8-x86_64-rpms \
--enable=satellite-maintenance-6.15-for-rhel-8-x86_64-rpms

  3. Enable the module: 

    # dnf module enable satellite-capsule:el8
    Note

    If there is any warning about conflicts with Ruby or PostgreSQL while enabling satellite-capsule:el8 module, see Troubleshooting DNF modules. For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux Application Streams Lifecycle.

    Note

    If you are installing Capsule Server as a virtual machine hosted on Red Hat Virtualization, you must also enable the Red Hat Common repository and then install Red Hat Virtualization guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide.

  4. Optional: Verify that the required repositories are enabled: 

    # dnf repolist enabled

2.4. Optional: Using fapolicyd on Capsule Server

By enabling fapolicyd on your Satellite Server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your Satellite Server or Capsule Server at any point.

2.4.1. Installing fapolicyd on Capsule Server

You can install fapolicyd along with Capsule Server or can be installed on an existing Capsule Server. If you are installing fapolicyd along with the new Capsule Server, the installation process will detect the fapolicyd in your Red Hat Enterprise Linux host and deploy the Capsule Server rules automatically.

Prerequisites

  • Ensure your host has access to the BaseOS repositories of Red Hat Enterprise Linux.

Procedure

  1. Install fapolicyd: 

    # dnf install fapolicyd

  2. Start the fapolicyd service: 

    # systemctl enable --now fapolicyd

Verification

  • Verify that the fapolicyd service is running correctly: 

    # systemctl status fapolicyd

New Satellite Server or Capsule Server installations

In case of new Satellite Server or Capsule Server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Red Hat Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 Security hardening.

2.5. Installing Capsule Server packages

Before installing Capsule Server packages, you must update all packages that are installed on the base operating system.

Procedure

To install Capsule Server, complete the following steps:

  1. Update all packages: 

    # dnf update

  2. Install the Satellite Server packages: 

    # dnf install satellite-capsule

2.6. Synchronizing the system clock with chronyd

To minimize the effects of time drift, you must synchronize the system clock on the base operating system on which you want to install Capsule Server with Network Time Protocol (NTP) servers. If the base operating system clock is configured incorrectly, certificate verification might fail.

For more information about the chrony suite, see Using the Chrony suite to configure NTP in Red Hat Enterprise Linux 8 Configuring basic system settings.

Procedure

  1. Install the chrony package: 

    # dnf install chrony

  2. Start and enable the chronyd service: 

    # systemctl enable --now chronyd

2.7. Configuring Capsule Server with SSL certificates

Red Hat Satellite uses SSL certificates to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. Depending on the requirements of your organization, you must configure your Capsule Server with a default or custom certificate.

2.7.1. Configuring Capsule Server with a default SSL certificate

Use this section to configure Capsule Server with an SSL certificate that is signed by Satellite Server default Certificate Authority (CA).

Prerequisites

Procedure

  1. On Satellite Server, to store all the source certificate files for your Capsule Server, create a directory that is accessible only to the root user, for example /root/capsule_cert: 

    # mkdir /root/capsule_cert

  2. On Satellite Server, generate the /root/capsule_cert/capsule.example.com-certs.tar certificate archive for your Capsule Server: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar /root/capsule_cert/capsule.example.com-certs.tar

    Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

    Example output of capsule-certs-generate

    output omitted
satellite-installer --scenario capsule \
--certs-tar-file "/root/capsule_cert/capsule.example.com-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f" \
--foreman-proxy-oauth-consumer-secret "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"

  3. On Satellite Server, copy the certificate archive file to your Capsule Server: 

    # scp /root/capsule_cert/capsule.example.com-certs.tar \
root@capsule.example.com:/root/capsule.example.com-certs.tar

  4. On Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

    When network connections or ports to Satellite are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.

2.7.2. Configuring Capsule Server with a custom SSL certificate

If you configure Satellite Server to use a custom SSL certificate, you must also configure each of your external Capsule Servers with a distinct custom SSL certificate.

To configure your Capsule Server with a custom certificate, complete the following procedures on each Capsule Server:

  1. Section 2.7.2.1, “Creating a custom SSL certificate for Capsule Server”
  2. Section 2.7.2.2, “Deploying a custom SSL certificate to Capsule Server”
  3. Section 2.7.2.3, “Deploying a custom SSL certificate to hosts”

2.7.2.1. Creating a custom SSL certificate for Capsule Server

On Satellite Server, create a custom certificate for your Capsule Server. If you already have a custom SSL certificate for Capsule Server, skip this procedure.

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user: 

    # mkdir /root/capsule_cert

  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096

  3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content: 

    [ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = capsule.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = capsule.example.com

  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section: 

    [req_distinguished_name]
CN = capsule.example.com
countryName =My_Country_Name 1
stateOrProvinceName = My_State_Or_Province_Name 2
localityName = My_Locality_Name 3
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name 4
    1
    Two letter code
    2
    Full name
    3
    Full name (example: New York)
    4
    Division responsible for the certificate (example: IT department)

  5. Generate CSR: 

    # openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \ 1
-config /root/capsule_cert/openssl.cnf \ 2
-out /root/capsule_cert/capsule_cert_csr.pem 3
    1
    Path to the private key
    2
    Path to the configuration file
    3
    Path to the CSR to generate

  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

2.7.2.2. Deploying a custom SSL certificate to Capsule Server

Use this procedure to configure your Capsule Server with a custom SSL certificate signed by a Certificate Authority. The satellite-installer command, which the capsule-certs-generate command returns, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.

Prerequisites

Procedure

  1. On your Satellite Server, generate a certificate bundle: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar ~/capsule.example.com-certs.tar \
--server-cert /root/capsule_cert/capsule_cert.pem \ 1
--server-key /root/capsule_cert/capsule_cert_key.pem \ 2
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \ 3
--certs-update-server
    1
    Path to Capsule Server certificate file that is signed by a Certificate Authority.
    2
    Path to the private key that was used to sign Capsule Server certificate.
    3
    Path to the Certificate Authority bundle.

  2. Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

    Example output of capsule-certs-generate

    output omitted
satellite-installer --scenario capsule \
--certs-tar-file "/root/capsule.example.com-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "My_OAuth_Consumer_Key" \
--foreman-proxy-oauth-consumer-secret "My_OAuth_Consumer_Secret"

  3. On your Satellite Server, copy the certificate archive file to your Capsule Server: 

    # scp ~/capsule.example.com-certs.tar \
root@capsule.example.com:/root/capsule.example.com-certs.tar

  4. On your Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

    If network connections or ports to Satellite are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.

2.7.2.3. Deploying a custom SSL certificate to hosts

After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.

Procedure

  • Update the SSL certificate on each host: 

    # dnf install http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm

2.8. Assigning the correct organization and location to Capsule Server in the Satellite web UI

After installing Capsule Server packages, if there is more than one organization or location, you must assign the correct organization and location to Capsule to make Capsule visible in the Satellite web UI.

Note

Assigning a Capsule to the same location as your Satellite Server with an embedded Capsule prevents Red Hat Insights from uploading the Insights inventory. To enable the inventory upload, synchronize SSH keys for both Capsules.

Procedure

  1. Log into the Satellite web UI.
  2. From the Organization list in the upper-left of the screen, select Any Organization.
  3. From the Location list in the upper-left of the screen, select Any Location.
  4. In the Satellite web UI, navigate to Hosts > All Hosts and select Capsule Server.
  5. From the Select Actions list, select Assign Organization.
  6. From the Organization list, select the organization where you want to assign this Capsule.
  7. Click Fix Organization on Mismatch.
  8. Click Submit.
  9. Select Capsule Server. From the Select Actions list, select Assign Location.
  10. From the Location list, select the location where you want to assign this Capsule.
  11. Click Fix Location on Mismatch.
  12. Click Submit.
  13. In the Satellite web UI, navigate to Administer > Organizations and click the organization to which you have assigned Capsule.
  14. Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.
  15. In the Satellite web UI, navigate to Administer > Locations and click the location to which you have assigned Capsule.
  16. Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.

Verification

Optionally, you can verify if Capsule Server is correctly listed in the Satellite web UI.

  1. Select the organization from the Organization list.
  2. Select the location from the Location list.
  3. In the Satellite web UI, navigate to Hosts > All Hosts.
  4. In the Satellite web UI, navigate to Infrastructure > Capsules.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.