Chapter 2. Installing Capsule Server


Before you install Capsule Server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.

2.1. Registering to Satellite Server

Use this procedure to register the base operating system on which you want to install Capsule Server to Satellite Server.

Red Hat subscription manifest prerequisites

  • On Satellite Server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Capsule to belong to.
  • The manifest must contain repositories for the base operating system on which you want to install Capsule, as well as any clients that you want to connect to Capsule.
  • The repositories must be synchronized.

For more information on manifests and repositories, see Managing Red Hat Subscriptions in Managing content.

Proxy and network prerequisites

  • The Satellite Server base operating system must be able to resolve the host name of the Capsule base operating system and vice versa.
  • Ensure HTTPS connection using client certificate authentication is possible between Capsule Server and Satellite Server. HTTP proxies between Capsule Server and Satellite Server are not supported.
  • You must configure the host and network-based firewalls accordingly. For more information, see Port and firewall requirements in Installing Capsule Server. You can register hosts with Satellite using the host registration feature in the Satellite web UI, Hammer CLI, or the Satellite API. For more information, see Registering Hosts in Managing hosts.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Register Host.
  2. From the Activation Keys list, select the activation keys to assign to your host.
  3. Click Generate to create the registration command.
  4. Click on the files icon to copy the command to your clipboard.
  5. Connect to your host using SSH and run the registration command.
  6. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

CLI procedure

  1. Generate the host registration command using the Hammer CLI:

    # hammer host-registration generate-command \
    --activation-keys "My_Activation_Key"

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command.

    # hammer host-registration generate-command \
    --activation-keys "My_Activation_Key" \
    --insecure true
  2. Connect to your host using SSH and run the registration command.
  3. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

API procedure

  1. Generate the host registration command using the Satellite API:

    # curl -X POST https://satellite.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command.

    # curl -X POST https://satellite.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'

    Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.

    To enter a password as a command line argument, use username:password syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Satellite web UI, navigate to My Account > Personal Access Tokens.

  2. Connect to your host using SSH and run the registration command.
  3. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

2.2. Configuring repositories

Use this procedure to enable the repositories that are required to install Capsule Server.

  1. Disable all repositories:

    # subscription-manager repos --disable "*"
  2. Enable the following repositories:

    # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \
    --enable=rhel-8-for-x86_64-appstream-rpms \
    --enable=satellite-capsule-6.15-for-rhel-8-x86_64-rpms \
    --enable=satellite-maintenance-6.15-for-rhel-8-x86_64-rpms
  3. Enable the module:

    # dnf module enable satellite-capsule:el8
    Note

    If there is any warning about conflicts with Ruby or PostgreSQL while enabling satellite-capsule:el8 module, see Troubleshooting DNF modules. For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux Application Streams Lifecycle.

    Note

    If you are installing Capsule Server as a virtual machine hosted on Red Hat Virtualization, you must also enable the Red Hat Common repository and then install Red Hat Virtualization guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide.

  4. Optional: Verify that the required repositories are enabled:

    # dnf repolist enabled

2.3. Optional: Using fapolicyd on Capsule Server

By enabling fapolicyd on your Satellite Server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your Satellite Server or Capsule Server at any point.

2.3.1. Installing fapolicyd on Capsule Server

You can install fapolicyd along with Capsule Server or can be installed on an existing Capsule Server. If you are installing fapolicyd along with the new Capsule Server, the installation process will detect the fapolicyd in your Red Hat Enterprise Linux host and deploy the Capsule Server rules automatically.

Prerequisites

  • Ensure your host has access to the BaseOS repositories of Red Hat Enterprise Linux.

Procedure

  1. For a new installation, install fapolicyd:

    # dnf install fapolicyd
  2. For an existing installation, install fapolicyd using satellite-maintain packages install:

    # satellite-maintain packages install fapolicyd
  3. Start the fapolicyd service:

    # systemctl enable --now fapolicyd

Verification

  • Verify that the fapolicyd service is running correctly:

    # systemctl status fapolicyd

New Satellite Server or Capsule Server installations

In case of new Satellite Server or Capsule Server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Red Hat Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 Security hardening.

2.4. Installing Capsule Server packages

Before installing Capsule Server packages, you must update all packages that are installed on the base operating system.

Procedure

To install Capsule Server, complete the following steps:

  1. Update all packages:

    # dnf upgrade
  2. Install the Satellite Server packages:

    # dnf install satellite-capsule

2.5. Synchronizing the system clock with chronyd

To minimize the effects of time drift, you must synchronize the system clock on the base operating system on which you want to install Capsule Server with Network Time Protocol (NTP) servers. If the base operating system clock is configured incorrectly, certificate verification might fail.

For more information about the chrony suite, see Using the Chrony suite to configure NTP in Red Hat Enterprise Linux 8 Configuring basic system settings.

Procedure

  1. Install the chrony package:

    # dnf install chrony
  2. Start and enable the chronyd service:

    # systemctl enable --now chronyd

2.6. Configuring Capsule Server with SSL certificates

Red Hat Satellite uses SSL certificates to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. Depending on the requirements of your organization, you must configure your Capsule Server with a default or custom certificate.

2.6.1. Configuring Capsule Server with a default SSL certificate

Use this section to configure Capsule Server with an SSL certificate that is signed by Satellite Server default Certificate Authority (CA).

Prerequisites

Procedure

  1. On Satellite Server, to store all the source certificate files for your Capsule Server, create a directory that is accessible only to the root user, for example /root/capsule_cert:

    # mkdir /root/capsule_cert
  2. On Satellite Server, generate the /root/capsule_cert/capsule.example.com-certs.tar certificate archive for your Capsule Server:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar /root/capsule_cert/capsule.example.com-certs.tar

    Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

    Example output of capsule-certs-generate

    output omitted
    satellite-installer --scenario capsule \
    --certs-tar-file "/root/capsule_cert/capsule.example.com-certs.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts "satellite.example.com" \
    --foreman-proxy-trusted-hosts "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f" \
    --foreman-proxy-oauth-consumer-secret "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"

  3. On Satellite Server, copy the certificate archive file to your Capsule Server:

    # scp /root/capsule_cert/capsule.example.com-certs.tar \
    root@capsule.example.com:/root/capsule.example.com-certs.tar
  4. On Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

    When network connections or ports to Satellite are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.

2.6.2. Configuring Capsule Server with a custom SSL certificate

If you configure Satellite Server to use a custom SSL certificate, you must also configure each of your external Capsule Servers with a distinct custom SSL certificate.

To configure your Capsule Server with a custom certificate, complete the following procedures on each Capsule Server:

2.6.2.1. Creating a custom SSL certificate for Capsule Server

On Satellite Server, create a custom certificate for your Capsule Server. If you already have a custom SSL certificate for Capsule Server, skip this procedure.

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user:

    # mkdir /root/capsule_cert
  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step.

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
  3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content:

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    commonName = capsule.example.com
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = capsule.example.com
  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

    [req_distinguished_name]
    CN = capsule.example.com
    countryName =My_Country_Name 1
    stateOrProvinceName = My_State_Or_Province_Name 2
    localityName = My_Locality_Name 3
    organizationName = My_Organization_Or_Company_Name
    organizationalUnitName = My_Organizational_Unit_Name 4
    1
    Two letter code
    2
    Full name
    3
    Full name (example: New York)
    4
    Division responsible for the certificate (example: IT department)
  5. Generate CSR:

    # openssl req -new \
    -key /root/capsule_cert/capsule_cert_key.pem \ 1
    -config /root/capsule_cert/openssl.cnf \ 2
    -out /root/capsule_cert/capsule_cert_csr.pem 3
    1
    Path to the private key
    2
    Path to the configuration file
    3
    Path to the CSR to generate
  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

2.6.2.2. Deploying a custom SSL certificate to Capsule Server

Use this procedure to configure your Capsule Server with a custom SSL certificate signed by a Certificate Authority. The satellite-installer command, which the capsule-certs-generate command returns, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.

Prerequisites

Procedure

  1. On your Satellite Server, generate a certificate bundle:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar ~/capsule.example.com-certs.tar \
    --server-cert /root/capsule_cert/capsule_cert.pem \ 1
    --server-key /root/capsule_cert/capsule_cert_key.pem \ 2
    --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem 3
    1
    Path to Capsule Server certificate file that is signed by a Certificate Authority.
    2
    Path to the private key that was used to sign Capsule Server certificate.
    3
    Path to the Certificate Authority bundle.
  2. Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

    Example output of capsule-certs-generate

    output omitted
    satellite-installer --scenario capsule \
    --certs-tar-file "/root/capsule.example.com-certs.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts "satellite.example.com" \
    --foreman-proxy-trusted-hosts "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key "My_OAuth_Consumer_Key" \
    --foreman-proxy-oauth-consumer-secret "My_OAuth_Consumer_Secret"

  3. On your Satellite Server, copy the certificate archive file to your Capsule Server:

    # scp ~/capsule.example.com-certs.tar \
    root@capsule.example.com:/root/capsule.example.com-certs.tar
  4. On your Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

    If network connections or ports to Satellite are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

    Important

    Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.

2.6.2.3. Deploying a custom SSL certificate to hosts

After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.

Procedure

  • Update the SSL certificate on each host:

    # dnf install http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm

2.7. Assigning the correct organization and location to Capsule Server in the Satellite web UI

After installing Capsule Server packages, if there is more than one organization or location, you must assign the correct organization and location to Capsule to make Capsule visible in the Satellite web UI.

Note

Assigning a Capsule to the same location as your Satellite Server with an embedded Capsule prevents Red Hat Insights from uploading the Insights inventory. To enable the inventory upload, synchronize SSH keys for both Capsules.

Procedure

  1. Log into the Satellite web UI.
  2. From the Organization list in the upper-left of the screen, select Any Organization.
  3. From the Location list in the upper-left of the screen, select Any Location.
  4. In the Satellite web UI, navigate to Hosts > All Hosts and select Capsule Server.
  5. From the Select Actions list, select Assign Organization.
  6. From the Organization list, select the organization where you want to assign this Capsule.
  7. Click Fix Organization on Mismatch.
  8. Click Submit.
  9. Select Capsule Server. From the Select Actions list, select Assign Location.
  10. From the Location list, select the location where you want to assign this Capsule.
  11. Click Fix Location on Mismatch.
  12. Click Submit.
  13. In the Satellite web UI, navigate to Administer > Organizations and click the organization to which you have assigned Capsule.
  14. Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.
  15. In the Satellite web UI, navigate to Administer > Locations and click the location to which you have assigned Capsule.
  16. Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.

Verification

Optionally, you can verify if Capsule Server is correctly listed in the Satellite web UI.

  1. Select the organization from the Organization list.
  2. Select the location from the Location list.
  3. In the Satellite web UI, navigate to Hosts > All Hosts.
  4. In the Satellite web UI, navigate to Infrastructure > Capsules.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.