Chapter 3. Performing additional configuration on Capsule Server


After installation, you can configure additional settings on your Capsule Server.

3.1. Configuring Capsule for host registration and provisioning

Use this procedure to configure Capsule so that you can register and provision hosts using your Capsule Server instead of your Satellite Server.

Procedure

  • On Satellite Server, add the Capsule to the list of trusted proxies.

    This is required for Satellite to recognize hosts' IP addresses forwarded over the X-Forwarded-For HTTP header set by Capsule. For security reasons, Satellite recognizes this HTTP header only from localhost by default. You can enter trusted proxies as valid IPv4 or IPv6 addresses of Capsules, or network ranges.

    Warning

    Do not use a network range that is too wide, because that poses a potential security risk.

    Enter the following command. Note that the command overwrites the list that is currently stored in Satellite. Therefore, if you have set any trusted proxies previously, you must include them in the command as well:

    # satellite-installer \
    --foreman-trusted-proxies "127.0.0.1/8" \
    --foreman-trusted-proxies "::1" \
    --foreman-trusted-proxies "My_IP_address" \
    --foreman-trusted-proxies "My_IP_range"

    The localhost entries are required, do not omit them.

Verification

  1. List the current trusted proxies using the full help of Satellite installer:

    # satellite-installer --full-help | grep -A 2 "trusted-proxies"
  2. The current listing contains all trusted proxies you require.

3.2. Configuring pull-based transport for remote execution

By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Capsule Server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Capsule Server. The use of pull-based transport is not limited to those infrastructures.

The pull-based transport comprises pull-mqtt mode on Capsules in combination with a pull client running on hosts.

Note

The pull-mqtt mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.

The mode is configured per Capsule Server. Some Capsule Servers can be configured to use pull-mqtt mode while others use SSH. If this is the case, it is possible that one remote job on a given host will use the pull client and the next job on the same host will use SSH. If you wish to avoid this scenario, configure all Capsule Servers to use the same mode.

Procedure

  1. Enable the pull-based transport on your Capsule Server:

    # satellite-installer --foreman-proxy-plugin-remote-execution-script-mode=pull-mqtt
  2. Configure the firewall to allow the MQTT service on port 1883:

    # firewall-cmd --add-service=mqtt
  3. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent
  4. In pull-mqtt mode, hosts subscribe for job notifications to either your Satellite Server or any Capsule Server through which they are registered. Ensure that Satellite Server sends remote execution jobs to that same Satellite Server or Capsule Server:

    1. In the Satellite web UI, navigate to Administer > Settings.
    2. On the Content tab, set the value of Prefer registered through Capsule for remote execution to Yes.

Next steps

3.3. Enabling OpenSCAP on Capsule Servers

On Satellite Server and the integrated Capsule of your Satellite Server, OpenSCAP is enabled by default. To use the OpenSCAP plugin and content on external Capsules, you must enable OpenSCAP on each Capsule.

Procedure

  • To enable OpenSCAP, enter the following command:

    # satellite-installer \
    --enable-foreman-proxy-plugin-openscap \
    --foreman-proxy-plugin-openscap-ansible-module true \
    --foreman-proxy-plugin-openscap-puppet-module true

    If you want to use Puppet to deploy compliance policies, you must enable it first. For more information, see Managing configurations using Puppet integration.

3.4. Adding lifecycle environments to Capsule Servers

If your Capsule Server has the content functionality enabled, you must add an environment so that Capsule can synchronize content from Satellite Server and provide content to host systems.

Do not assign the Library lifecycle environment to your Capsule Server because it triggers an automated Capsule sync every time the CDN updates a repository. This might consume multiple system resources on Capsules, network bandwidth between Satellite and Capsules, and available disk space on Capsules.

You can use Hammer CLI on Satellite Server or the Satellite web UI.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > Capsules, and select the Capsule that you want to add a lifecycle to.
  2. Click Edit and click the Lifecycle Environments tab.
  3. From the left menu, select the lifecycle environments that you want to add to Capsule and click Submit.
  4. To synchronize the content on the Capsule, click the Overview tab and click Synchronize.
  5. Select either Optimized Sync or Complete Sync.

    For definitions of each synchronization type, see Recovering a Repository.

CLI procedure

  1. To display a list of all Capsule Servers, on Satellite Server, enter the following command:

    # hammer capsule list

    Note the Capsule ID of the Capsule to which you want to add a lifecycle.

  2. Using the ID, verify the details of your Capsule:

    # hammer capsule info \
    --id My_capsule_ID
  3. To view the lifecycle environments available for your Capsule Server, enter the following command and note the ID and the organization name:

    # hammer capsule content available-lifecycle-environments \
    --id My_capsule_ID
  4. Add the lifecycle environment to your Capsule Server:

    # hammer capsule content add-lifecycle-environment \
    --id My_capsule_ID \
    --lifecycle-environment-id My_Lifecycle_Environment_ID
    --organization "My_Organization"

    Repeat for each lifecycle environment you want to add to Capsule Server.

  5. Synchronize the content from Satellite to Capsule.

    • To synchronize all content from your Satellite Server environment to Capsule Server, enter the following command:

      # hammer capsule content synchronize \
      --id My_capsule_ID
    • To synchronize a specific lifecycle environment from your Satellite Server to Capsule Server, enter the following command:

      # hammer capsule content synchronize \
      --id My_capsule_ID
      --lifecycle-environment-id My_Lifecycle_Environment_ID
    • To synchronize all content from your Satellite Server to your Capsule Server without checking metadata:

      # hammer capsule content synchronize \
      --id My_capsule_ID \
      --skip-metadata-check true

      This equals selecting Complete Sync in the Satellite web UI.

3.5. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Capsule Server.

Prerequisites

Procedure

  • To enable BMC, enter the following command:

    # satellite-installer \
    --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"

3.6. Configuring DNS, DHCP, and TFTP on Capsule Server

To configure the DNS, DHCP, and TFTP services on Capsule Server, use the satellite-installer command with the options appropriate for your environment.

Any changes to the settings require entering the satellite-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

Prerequisites

  • You must have the correct network name (dns-interface) for the DNS server.
  • You must have the correct interface name (dhcp-interface) for the DHCP server.
  • Contact your network administrator to ensure that you have the correct settings.

Procedure

  • Enter the satellite-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

    # satellite-installer \
    --foreman-proxy-dns true \
    --foreman-proxy-dns-managed true \
    --foreman-proxy-dns-zone example.com \
    --foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-managed true \
    --foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
    --foreman-proxy-dhcp-gateway 192.0.2.1 \
    --foreman-proxy-dhcp-nameservers 192.0.2.2 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-managed true \
    --foreman-proxy-tftp-servername 192.0.2.3

You can monitor the progress of the satellite-installer command displayed in your prompt. You can view the logs in /var/log/foreman-installer/satellite.log.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.