Chapter 4. Importing content


This chapter outlines how you can import different types of custom content to Satellite. For example, you can use the following chapters for information on specific types of custom content but the underlying procedures are the same:

4.1. Products and repositories in Satellite

Both Red Hat content and custom content in Satellite have similarities:

  • The relationship between a product and its repositories is the same and the repositories still require synchronization.
  • Custom products require a subscription for hosts to access, similar to subscriptions to Red Hat products. Satellite creates a subscription for each custom product you create.

Red Hat content is already organized into products. For example, Red Hat Enterprise Linux Server is a product in Satellite. The repositories for that product consist of different versions, architectures, and add-ons. For Red Hat repositories, products are created automatically after enabling the repository. For more information, see Section 4.6, “Enabling Red Hat repositories”.

Other content can be organized into custom products however you want. For example, you might create an EPEL (Extra Packages for Enterprise Linux) Product and add an "EPEL 7 x86_64" repository to it.

For more information about creating and packaging RPMs, see the Red Hat Enterprise Linux 7 RPM Packaging Guide.

4.2. Best practices for products and repositories

  • Use one content type per product and content view, for example, yum content only.
  • Make file repositories available over HTTP. If you set Protected to true, you can only download content using a global debugging certificate.
  • Automate the creation of multiple products and repositories by using a Hammer script or an Ansible Playbook.
  • For Red Hat content, import your Red Hat manifest into Satellite. For more information, see Chapter 2, Managing Red Hat subscriptions.
  • Avoid uploading content to repositories with an Upstream URL. Instead, create a repository to synchronize content and upload content to without setting an Upstream URL.

    If you upload content to a repository that already synchronizes another repository, the content might be overwritten, depending on the mirroring policy and content type.

4.3. Importing custom SSL certificates

Before you synchronize custom content from an external source, you might need to import SSL certificates into your custom product. This might include client certs and keys or CA certificates for the upstream repositories you want to synchronize.

If you require SSL certificates and keys to download packages, you can add them to Satellite.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Content > Content Credentials. In the Content Credentials window, click Create Content Credential.
  2. In the Name field, enter a name for your SSL certificate.
  3. From the Type list, select SSL Certificate.
  4. In the Content Credentials Content field, paste your SSL certificate, or click Browse to upload your SSL certificate.
  5. Click Save.

CLI procedure

  1. Copy the SSL certificate to your Satellite Server:

    $ scp My_SSL_Certificate root@satellite.example.com:~/.

    Or download the SSL certificate to your Satellite Server from an online source:

    $ wget -P ~ http://upstream-satellite.example.com/pub/katello-server-ca.crt
  2. Upload the SSL Certificate to Satellite:

    # hammer content-credential create \
    --content-type cert \
    --name "My_SSL_Certificate" \
    --organization "My_Organization" \
    --path ~/My_SSL_Certificate

4.4. Creating a custom product

Create a custom product so that you can add repositories to the custom product. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Content > Products, click Create Product.
  2. In the Name field, enter a name for the product. Satellite automatically completes the Label field based on what you have entered for Name.
  3. Optional: From the GPG Key list, select the GPG key for the product.
  4. Optional: From the SSL CA Cert list, select the SSL CA certificate for the product.
  5. Optional: From the SSL Client Cert list, select the SSL client certificate for the product.
  6. Optional: From the SSL Client Key list, select the SSL client key for the product.
  7. Optional: From the Sync Plan list, select an existing sync plan or click Create Sync Plan and create a sync plan for your product requirements.
  8. In the Description field, enter a description of the product.
  9. Click Save.

CLI procedure

To create the product, enter the following command:

# hammer product create \
--name "My_Product" \
--sync-plan "Example Plan" \
--description "Content from My Repositories" \
--organization "My_Organization"

4.5. Adding custom RPM repositories

Use this procedure to add custom RPM repositories in Satellite. To use the CLI instead of the Satellite web UI, see the CLI procedure.

The Products window in the Satellite web UI also provides a Repo Discovery function that finds all repositories from a URL and you can select which ones to add to your custom product. For example, you can use the Repo Discovery to search https://download.postgresql.org/pub/repos/yum/16/redhat/ and list all repositories for different Red Hat Enterprise Linux versions and architectures. This helps users save time importing multiple repositories from a single source.

Support for custom RPMs

Red Hat does not support the upstream RPMs directly from third-party sites. These RPMs are used to demonstrate the synchronization process. For any issues with these RPMs, contact the third-party developers.

Procedure

  1. In the Satellite web UI, navigate to Content > Products and select the product that you want to use, and then click New Repository.
  2. In the Name field, enter a name for the repository. Satellite automatically completes the Label field based on what you have entered for Name.
  3. Optional: In the Description field, enter a description for the repository.
  4. From the Type list, select yum as type of repository.
  5. Optional: From the Restrict to Architecture list, select an architecture. If you want to make the repository available to all hosts regardless of the architecture, ensure to select No restriction.
  6. Optional: From the Restrict to OS Version list, select the OS version. If you want to make the repository available to all hosts regardless of the OS version, ensure to select No restriction.
  7. Optional: In the Upstream URL field, enter the URL of the external repository to use as a source. Satellite supports three protocols: http://, https://, and file://. If you are using a file:// repository, you have to place it under /var/lib/pulp/sync_imports/ directory.

    If you do not enter an upstream URL, you can manually upload packages.

  8. Optional: Check the Ignore SRPMs checkbox to exclude source RPM packages from being synchronized to Satellite.
  9. Optional: Check the Ignore treeinfo checkbox if you receive the error Treeinfo file should have INI format. All files related to Kickstart will be missing from the repository if treeinfo files are skipped.
  10. Select the Verify SSL checkbox if you want to verify that the upstream repository’s SSL certificates are signed by a trusted CA.
  11. Optional: In the Upstream Username field, enter the user name for the upstream repository if required for authentication. Clear this field if the repository does not require authentication.
  12. Optional: In the Upstream Password field, enter the corresponding password for the upstream repository. Clear this field if the repository does not require authentication.
  13. Optional: In the Upstream Authentication Token field, provide the token of the upstream repository user for authentication. Leave this field empty if the repository does not require authentication.
  14. From the Download Policy list, select the type of synchronization Satellite Server performs. For more information, see Section 4.9, “Download policies overview”.
  15. From the Mirroring Policy list, select the type of content synchronization Satellite Server performs. For more information, see Section 4.12, “Mirroring policies overview”.
  16. Optional: In the Retain package versions field, enter the number of versions you want to retain per package.
  17. Optional: In the HTTP Proxy Policy field, select an HTTP proxy.
  18. From the Checksum list, select the checksum type for the repository.
  19. Optional: You can clear the Unprotected checkbox to require a subscription entitlement certificate for accessing this repository. By default, the repository is published through HTTP.
  20. Optional: From the GPG Key list, select the GPG key for the product.
  21. Optional: In the SSL CA Cert field, select the SSL CA Certificate for the repository.
  22. Optional: In the SSL Client cert field, select the SSL Client Certificate for the repository.
  23. Optional: In the SSL Client Key field, select the SSL Client Key for the repository.
  24. Click Save to create the repository.

CLI procedure

  1. Enter the following command to create the repository:

    # hammer repository create \
    --arch "My_Architecture" \
    --content-type "yum" \
    --gpg-key-id My_GPG_Key_ID \
    --name "My_Repository" \
    --organization "My_Organization" \
    --os-version "My_OS_Version" \
    --product "My_Product" \
    --publish-via-http true \
    --url My_Upstream_URL

Continue to synchronize the repository.

4.6. Enabling Red Hat repositories

If outside network access requires usage of an HTTP proxy, configure a default HTTP proxy for your server. For more information, see Adding a Default HTTP Proxy to Satellite.

To select the repositories to synchronize, you must first identify the product that contains the repository, and then enable that repository based on the relevant release version and base architecture.

For Red Hat Enterprise Linux 8 hosts

To provision Red Hat Enterprise Linux 8 hosts, you require the Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) and Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) repositories.

For Red Hat Enterprise Linux 7 hosts

To provision Red Hat Enterprise Linux 7 hosts, you require the Red Hat Enterprise Linux 7 Server (RPMs) repository.

The difference between associating Red Hat Enterprise Linux operating system release version with either 7Server repositories or 7.X repositories is that 7Server repositories contain all the latest updates while Red Hat Enterprise Linux 7.X repositories stop getting updates after the next minor version release. Note that Kickstart repositories only have minor versions.

Procedure

  1. In the Satellite web UI, navigate to Content > Red Hat Repositories.
  2. To find repositories, either enter the repository name, or toggle the Recommended Repositories button to the on position to view a list of repositories that you require.
  3. In the Available Repositories pane, click a repository to expand the repository set.
  4. Click the Enable icon next to the base architecture and release version that you want.

CLI procedure

  1. To search for your product, enter the following command:

    # hammer product list --organization "My_Organization"
  2. List the repository set for the product:

    # hammer repository-set list \
    --product "Red Hat Enterprise Linux Server" \
    --organization "My_Organization"
  3. Enable the repository using either the name or ID number. Include the release version, such as 7Server, and base architecture, such as x86_64.

    # hammer repository-set enable \
    --name "Red Hat Enterprise Linux 7 Server (RPMs)" \
    --releasever "7Server" \
    --basearch "x86_64" \
    --product "Red Hat Enterprise Linux Server" \
    --organization "My_Organization"

4.7. Synchronizing repositories

You must synchronize repositories to download content into Satellite. You can use this procedure for an initial synchronization of repositories or to synchronize repositories manually as you need.

You can also sync all repositories in an organization. For more information, see Section 4.8, “Synchronizing all repositories in an organization”.

Create a sync plan to ensure updates on a regular basis. For more information, see Section 4.24, “Creating a sync plan”.

The synchronization duration depends on the size of each repository and the speed of your network connection. The following table provides estimates of how long it would take to synchronize content, depending on the available Internet bandwidth:

 Single Package (10Mb)Minor Release (750Mb)Major Release (6Gb)

256 Kbps

5 Mins 27 Secs

6 Hrs 49 Mins 36 Secs

2 Days 7 Hrs 55 Mins

512 Kbps

2 Mins 43.84 Secs

3 Hrs 24 Mins 48 Secs

1 Day 3 Hrs 57 Mins

T1 (1.5 Mbps)

54.33 Secs

1 Hr 7 Mins 54.78 Secs

9 Hrs 16 Mins 20.57 Secs

10 Mbps

8.39 Secs

10 Mins 29.15 Secs

1 Hr 25 Mins 53.96 Secs

100 Mbps

0.84 Secs

1 Min 2.91 Secs

8 Mins 35.4 Secs

1000 Mbps

0.08 Secs

6.29 Secs

51.54 Secs

Procedure

  1. In the Satellite web UI, navigate to Content > Products and select the product that contains the repositories that you want to synchronize.
  2. Select the repositories that you want to synchronize and click Sync Now.
  3. Optional: To view the progress of the synchronization in the Satellite web UI, navigate to Content > Sync Status and expand the corresponding product or repository tree.

CLI procedure

  • Synchronize an entire product:

    # hammer product synchronize \
    --name "My_Product" \
    --organization "My_Organization"
  • Synchronize an individual repository:

    # hammer repository synchronize \
    --name "My_Repository" \
    --organization "My_Organization" \
    --product "My Product"

4.8. Synchronizing all repositories in an organization

Use this procedure to synchronize all repositories within an organization.

Procedure

  1. Log in to your Satellite Server using SSH.
  2. Run the following Bash script:

    ORG="My_Organization"
    
    for i in $(hammer --no-headers --csv repository list --organization $ORG --fields Id)
    do
      hammer repository synchronize --id ${i} --organization $ORG --async
    done

4.9. Download policies overview

Red Hat Satellite provides multiple download policies for synchronizing RPM content. For example, you might want to download only the content metadata while deferring the actual content download for later.

Satellite Server has the following policies:

Immediate
Satellite Server downloads all metadata and packages during synchronization.
On Demand
Satellite Server downloads only the metadata during synchronization. Satellite Server only fetches and stores packages on the file system when Capsules or directly connected clients request them. This setting has no effect if you set a corresponding repository on a Capsule to Immediate because Satellite Server is forced to download all the packages.

The On Demand policy acts as a Lazy Synchronization feature because they save time synchronizing content. The lazy synchronization feature must be used only for Yum repositories. You can add the packages to content views and promote to lifecycle environments as normal.

Capsule Server has the following policies:

Immediate
Capsule Server downloads all metadata and packages during synchronization. Do not use this setting if the corresponding repository on Satellite Server is set to On Demand as Satellite Server is forced to download all the packages.
On Demand
Capsule Server only downloads the metadata during synchronization. Capsule Server fetches and stores packages only on the file system when directly connected clients request them. When you use an On Demand download policy, content is downloaded from Satellite Server if it is not available on Capsule Server.
Inherit
Capsule Server inherits the download policy for the repository from the corresponding repository on Satellite Server.
Streamed Download Policy
Streamed Download Policy for Capsules permits Capsules to avoid caching any content. When content is requested from the Capsule, it functions as a proxy and requests the content directly from the Satellite.

4.10. Changing the default download policy

You can set the default download policy that Satellite applies to repositories that you create in all organizations.

Depending on whether it is a Red Hat or non-Red Hat custom repository, Satellite uses separate settings. Changing the default value does not change existing settings.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings.
  2. Click the Content tab.
  3. Change the default download policy depending on your requirements:

    • To change the default download policy for a Red Hat repository, change the value of the Default Red Hat Repository download policy setting.
    • To change the default download policy for a custom repository, change the value of the Default Custom Repository download policy setting.

CLI procedure

  • To change the default download policy for Red Hat repositories to one of immediate or on_demand, enter the following command:

    # hammer settings set \
    --name default_redhat_download_policy \
    --value immediate
  • To change the default download policy for a non-Red Hat custom repository to one of immediate or on_demand, enter the following command:

    # hammer settings set \
    --name default_download_policy \
    --value immediate

4.11. Changing the download policy for a repository

You can set the download policy for a repository.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Select the required product name.
  3. On the Repositories tab, click the required repository name, locate the Download Policy field, and click the edit icon.
  4. From the list, select the required download policy and then click Save.

CLI procedure

  1. List the repositories for an organization:

    # hammer repository list \
    --organization-label My_Organization_Label
  2. Change the download policy for a repository to immediate or on_demand:

    # hammer repository update \
    --download-policy immediate \
    --name "My_Repository" \
    --organization-label My_Organization_Label \
    --product "My_Product"

4.12. Mirroring policies overview

Mirroring keeps the local repository exactly in synchronization with the upstream repository. If any content is removed from the upstream repository since the last synchronization, with the next synchronization, it will be removed from the local repository as well.

You can use mirroring policies for finer control over mirroring of repodata and content when synchronizing a repository. For example, if it is not possible to mirror the repodata for a repository, you can set the mirroring policy to mirror only content for this repository.

Satellite Server has the following mirroring policies:

Additive
Neither the content nor the repodata is mirrored. Thus, only new content added since the last synchronization is added to the local repository and nothing is removed.
Content Only
Mirrors only content and not the repodata. Some repositories do not support metadata mirroring, in such cases you can set the mirroring policy to content only to only mirror the content.
Complete Mirroring

Mirrors content as well as repodata. This is the fastest method. This mirroring policy is only available for Yum content.

Warning

Avoid republishing metadata for repositories with Complete Mirror mirroring policy. This also applies to content views containing repositories with the Complete Mirror mirroring policy.

4.13. Changing the mirroring policy for a repository

You can set the mirroring policy for a repository.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Select the product name.
  3. On the Repositories tab, click the repository name, locate the Mirroring Policy field, and click the edit icon.
  4. From the list, select a mirroring policy and click Save.

CLI procedure

  1. List the repositories for an organization:

    # hammer repository list \
    --organization-label My_Organization_Label
  2. Change the mirroring policy for a repository to additive, mirror_complete, or mirror_content_only:

    # hammer repository update \
    --id 1 \
    --mirroring-policy mirror_complete

4.14. Uploading content to custom RPM repositories

You can upload individual RPMs and source RPMs to custom RPM repositories. You can upload RPMs using the Satellite web UI or the Hammer CLI. You must use the Hammer CLI to upload source RPMs.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Click the name of the custom product.
  3. In the Repositories tab, click the name of the custom RPM repository.
  4. Under Upload Package, click Browse…​ and select the RPM you want to upload.
  5. Click Upload.

To view all RPMs in this repository, click the number next to Packages under Content Counts.

CLI procedure

  • Enter the following command to upload an RPM:

    # hammer repository upload-content \
    --id My_Repository_ID \
    --path /path/to/example-package.rpm
  • Enter the following command to upload a source RPM:

    # hammer repository upload-content \
    --content-type srpm \
    --id My_Repository_ID \
    --path /path/to/example-package.src.rpm

    When the upload is complete, you can view information about a source RPM by using the commands hammer srpm list and hammer srpm info --id srpm_ID.

4.15. Refreshing content counts on Capsule

If your Capsules have synchronized content enabled, you can refresh the number of content counts available to the environments associated with the Capsule. This displays the content views inside those environments available to the Capsule. You can then expand the content view to view the repositories associated with that content view version.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > Capsules, and select the Capsule where you want to see the synchronized content.
  2. Select the Overview tab.
  3. Under Content Sync, toggle the Synchronize button to do an Optimized Sync or a Complete Sync to synchronize the Capsule which refreshes the content counts.
  4. Select the Content tab.
  5. Choose an Environment to view content views available to those Capsules by clicking >.
  6. Expand the content view by clicking > to view repositories available to the content view and the specific version for the environment.
  7. View the number of content counts under Packages specific to yum repositories.
  8. View the number of errata, package groups, files, container tags, container manifests, and Ansible collections under Additional content.
  9. Click the vertical ellipsis in the column to the right next to the environment and click Refresh counts to refresh the content counts synchronized on the Capsule under Packages.

4.16. Configuring SELinux to permit content synchronization on custom ports

SELinux permits access of Satellite for content synchronization only on specific ports. By default, connecting to web servers running on the following ports is permitted: 80, 81, 443, 488, 8008, 8009, 8443, and 9000.

Procedure

  1. On Satellite, to verify the ports that are permitted by SELinux for content synchronization, enter a command as follows:

    # semanage port -l | grep ^http_port_t
    http_port_t     tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
  2. To configure SELinux to permit a port for content synchronization, for example 10011, enter a command as follows:

    # semanage port -a -t http_port_t -p tcp 10011

4.17. Recovering a corrupted repository

In case of repository corruption, you can recover it by using an advanced synchronization, which has three options:

Optimized Sync
Synchronizes the repository bypassing packages that have no detected differences from the upstream packages.
Complete Sync
Synchronizes all packages regardless of detected changes. Use this option if specific packages could not be downloaded to the local repository even though they exist in the upstream repository.
Verify Content Checksum

Synchronizes all packages and then verifies the checksum of all packages locally. If the checksum of an RPM differs from the upstream, it re-downloads the RPM. This option is relevant only for Yum content. Use this option if you have one of the following errors:

  • Specific packages cause a 404 error while synchronizing with yum.
  • Package does not match intended download error, which means that specific packages are corrupted.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Select the product containing the corrupted repository.
  3. Select the name of a repository you want to synchronize.
  4. To perform optimized sync or complete sync, select Advanced Sync from the Select Action menu.
  5. Select the required option and click Sync.
  6. Optional: To verify the checksum, click Verify Content Checksum from the Select Action menu.

CLI procedure

  1. Obtain a list of repository IDs:

    # hammer repository list \
    --organization "My_Organization"
  2. Synchronize a corrupted repository using the necessary option:

    • For the optimized synchronization:

      # hammer repository synchronize \
      --id My_ID
    • For the complete synchronization:

      # hammer repository synchronize \
      --id My_ID \
      --skip-metadata-check true
    • For the validate content synchronization:

      # hammer repository synchronize \
      --id My_ID \
      --validate-contents true

4.18. Recovering corrupted content on Capsule

If the client is unable to consume content from a published repository to which it has a subscription, the content has been corrupted and needs to be repaired. In case of content corruption on a Capsule, you can recover it by using the verify-checksum command in Hammer CLI. The verify-checksum command can repair content in a content view, lifecycle environment, repository, or all content on Capsule. You can track the progress of a command by navigating to Monitor > Satellite Tasks > Tasks and searching for the action Verify checksum for content on smart proxy.

CLI procedure

  • To repair content in a content view, run Hammer on your Capsule:

    $ hammer capsule content verify-checksum \
    --id My_Capsule_ID \
    --organization-id 1 --content-view-id 3
  • To repair content in a lifecycle environment, run Hammer on your Capsule:

    $ hammer capsule content verify-checksum \
    --id My_Capsule_ID \
    --organization-id 1 --lifecycle-environment-id 1
  • To repair content in a repository, run Hammer on your Capsule:

    $ hammer capsule content verify-checksum \
    --id My_Capsule_ID \
    --organization-id 1 --repository-id 1
  • To repair all content on Capsule, run the following command:

    $ hammer capsule content verify-checksum \
    --id My_Capsule_ID

4.19. Republishing repository metadata

You can republish repository metadata when a repository distribution does not have the content that should be distributed based on the contents of the repository.

Use this procedure with caution. Red Hat recommends a complete repository sync or publishing a new content view version to repair broken metadata.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Select the product that includes the repository for which you want to republish metadata.
  3. On the Repositories tab, select a repository.
  4. To republish metadata for the repository, click Republish Repository Metadata from the Select Action menu.

    Note

    This action is not available for repositories that use the Complete Mirroring policy because the metadata is copied verbatim from the upstream source of the repository.

4.20. Republishing content view metadata

Use this procedure to republish content view metadata.

Procedure

  1. In the Satellite web UI, navigate to Content > Lifecycle > Content Views.
  2. Select a content view.
  3. On the Versions tab, select a content view version.
  4. To republish metadata for the content view version, click Republish repository metadata from the vertical ellipsis icon.

Republishing repository metadata will regenerate metadata for all repositories in the content view version that do not adhere to the Complete Mirroring policy.

4.21. Adding an HTTP proxy

Use this procedure to add HTTP proxies to Satellite. You can then specify which HTTP proxy to use for products, repositories, and supported compute resources.

Prerequisites

Your HTTP proxy must allow access to the following hosts:

Host namePortProtocol

subscription.rhsm.redhat.com

443

HTTPS

cdn.redhat.com

443

HTTPS

*.akamaiedge.net

443

HTTPS

cert.console.redhat.com (if using Red Hat Insights)

443

HTTPS

api.access.redhat.com (if using Red Hat Insights)

443

HTTPS

cert-api.access.redhat.com (if using Red Hat Insights)

443

HTTPS

If Satellite Server uses a proxy to communicate with subscription.rhsm.redhat.com and cdn.redhat.com then the proxy must not perform SSL inspection on these communications.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > HTTP Proxies.
  2. Select New HTTP Proxy.
  3. In the Name field, enter a name for the HTTP proxy.
  4. In the URL field, enter the URL for the HTTP proxy, including the port number.
  5. If your HTTP proxy requires authentication, enter a Username and Password.
  6. Optional: In the Test URL field, enter the HTTP proxy URL, then click Test Connection to ensure that you can connect to the HTTP proxy from Satellite.
  7. Click the Locations tab and add a location.
  8. Click the Organization tab and add an organization.
  9. Click Submit.

CLI procedure

  • On Satellite Server, enter the following command to add an HTTP proxy:

    # hammer http-proxy create \
    --name My_HTTP_Proxy \
    --url http-proxy.example.com:8080

    If your HTTP proxy requires authentication, add the --username My_User_Name and --password My_Password options.

For further information, see the Knowledgebase article How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy on the Red Hat Customer Portal.

4.22. Changing the HTTP proxy policy for a product

For granular control over network traffic, you can set an HTTP proxy policy for each product. A product’s HTTP proxy policy applies to all repositories in the product, unless you set a different policy for individual repositories.

To set an HTTP proxy policy for individual repositories, see Section 4.23, “Changing the HTTP proxy policy for a repository”.

Procedure

  1. In the Satellite web UI, navigate to Content > Products and select the products that you want to change.
  2. From the Select Action list, select Manage HTTP Proxy.
  3. Select an HTTP Proxy Policy from the list:

    • Global Default: Use the global default proxy setting.
    • No HTTP Proxy: Do not use an HTTP proxy, even if a global default proxy is configured.
    • Use specific HTTP Proxy: Select an HTTP Proxy from the list. You must add HTTP proxies to Satellite before you can select a proxy from this list. For more information, see Section 4.21, “Adding an HTTP proxy”.
  4. Click Update.

4.23. Changing the HTTP proxy policy for a repository

For granular control over network traffic, you can set an HTTP proxy policy for each repository. To use the CLI instead of the Satellite web UI, see the CLI procedure.

To set the same HTTP proxy policy for all repositories in a product, see Section 4.22, “Changing the HTTP proxy policy for a product”.

Procedure

  1. In the Satellite web UI, navigate to Content > Products and click the name of the product that contains the repository.
  2. In the Repositories tab, click the name of the repository.
  3. Locate the HTTP Proxy field and click the edit icon.
  4. Select an HTTP Proxy Policy from the list:

    • Global Default: Use the global default proxy setting.
    • No HTTP Proxy: Do not use an HTTP proxy, even if a global default proxy is configured.
    • Use specific HTTP Proxy: Select an HTTP Proxy from the list. You must add HTTP proxies to Satellite before you can select a proxy from this list. For more information, see Section 4.21, “Adding an HTTP proxy”.
  5. Click Save.

CLI procedure

  • On Satellite Server, enter the following command, specifying the HTTP proxy policy you want to use:

    # hammer repository update \
    --http-proxy-policy HTTP_Proxy_Policy \
    --id Repository_ID

    Specify one of the following options for --http-proxy-policy:

    • none: Do not use an HTTP proxy, even if a global default proxy is configured.
    • global_default_http_proxy: Use the global default proxy setting.
    • use_selected_http_proxy: Specify an HTTP proxy using either --http-proxy My_HTTP_Proxy_Name or --http-proxy-id My_HTTP_Proxy_ID. To add a new HTTP proxy to Satellite, see Section 4.21, “Adding an HTTP proxy”.

4.24. Creating a sync plan

A sync plan checks and updates the content at a scheduled date and time. In Satellite, you can create a sync plan and assign products to the plan.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Content > Sync Plans and click New Sync Plan.
  2. In the Name field, enter a name for the plan.
  3. Optional: In the Description field, enter a description of the plan.
  4. From the Interval list, select the interval at which you want the plan to run.
  5. From the Start Date and Start Time lists, select when to start running the synchronization plan.
  6. Click Save.

CLI procedure

  1. To create the synchronization plan, enter the following command:

    # hammer sync-plan create \
    --description "My_Description" \
    --enabled true \
    --interval daily \
    --name "My_Products" \
    --organization "My_Organization" \
    --sync-date "2023-01-01 01:00:00"
  2. View the available sync plans for an organization to verify that the sync plan has been created:

    # hammer sync-plan list --organization "My_Organization"

4.25. Assigning a sync plan to a product

A sync plan checks and updates the content at a scheduled date and time. In Satellite, you can assign a sync plan to products to update content regularly.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Select a product.
  3. On the Details tab, select a Sync Plan from the drop down menu.

CLI procedure

  1. Assign a sync plan to a product:

    # hammer product set-sync-plan \
    --name "My_Product_Name" \
    --organization "My_Organization" \
    --sync-plan "My_Sync_Plan_Name"

4.26. Assigning a sync plan to multiple products

Use this procedure to assign a sync plan to the products in an organization that have been synchronized at least once and contain at least one repository.

Procedure

  1. Run the following Bash script:

    ORG="My_Organization"
    SYNC_PLAN="daily_sync_at_3_a.m"
    
    hammer sync-plan create --name $SYNC_PLAN --interval daily --sync-date "2023-04-5 03:00:00" --enabled true --organization $ORG
    for i in $(hammer --no-headers --csv --csv-separator="|" product list --organization $ORG --per-page 999 | grep -vi not_synced | awk -F'|' '$5 != "0" { print $1}')
    do
      hammer product set-sync-plan --sync-plan $SYNC_PLAN --organization $ORG --id $i
    done
  2. After executing the script, view the products assigned to the sync plan:

    # hammer product list --organization $ORG --sync-plan $SYNC_PLAN

4.27. Best practices for sync plans

  • Add sync plans to products and regularly synchronize content to keep the load on Satellite low during synchronization. Synchronize content rather more often than less often. For example, setup a sync plan to synchronize content every day rather than only once a month.
  • Automate the creation and update of sync plans by using a Hammer script or an Ansible Playbook.
  • Distribute synchronization tasks over several hours to reduce the task load by creating multiple sync plans with the Custom Cron tool.
Table 4.1. Cron expression examples
Cron expressionExplanation

0 22 * * 1-5

every day at 22:00 from Monday to Friday

30 3 * * 6,0

at 03:30 every Saturday and Sunday

30 2 8-14 * *

at 02:30 every day between the 8th and the 14th days of the month

4.28. Limiting synchronization concurrency

By default, each Repository Synchronization job can fetch up to ten files at a time. This can be adjusted on a per repository basis.

Increasing the limit may improve performance, but can cause the upstream server to be overloaded or start rejecting requests. If you are seeing Repository syncs fail due to the upstream servers rejecting requests, you may want to try lowering the limit.

CLI procedure

# hammer repository update \
--download-concurrency 5 \
--id Repository_ID \
--organization "My_Organization"

4.29. Importing a custom GPG key

When clients are consuming signed custom content, ensure that the clients are configured to validate the installation of packages with the appropriate GPG Key. This helps to ensure that only packages from authorized sources can be installed.

Red Hat content is already configured with the appropriate GPG key and thus GPG Key management of Red Hat Repositories is not supported.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Prerequisites

Ensure that you have a copy of the GPG key used to sign the RPM content that you want to use and manage in Satellite. Most RPM distribution providers provide their GPG Key on their website. You can also extract this manually from an RPM:

  1. Download a copy of the version specific repository package to your local machine:

    $ wget http://www.example.com/9.5/example-9.5-2.noarch.rpm
  2. Extract the RPM file without installing it:

    $ rpm2cpio example-9.5-2.noarch.rpm | cpio -idmv

The GPG key is located relative to the extraction at etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE-95.

Procedure

  1. In the Satellite web UI, navigate to Content > Content Credentials and in the upper-right of the window, click Create Content Credential.
  2. Enter the name of your repository and select GPG Key from the Type list.
  3. Either paste the GPG key into the Content Credential Contents field, or click Browse and select the GPG key file that you want to import.

    If your custom repository contains content signed by multiple GPG keys, you must enter all required GPG keys in the Content Credential Contents field with new lines between each key, for example:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQINBFy/HE4BEADttv2TCPzVrre+aJ9f5QsR6oWZMm7N5Lwxjm5x5zA9BLiPPGFN
    4aTUR/g+K1S0aqCU+ZS3Rnxb+6fnBxD+COH9kMqXHi3M5UNzbp5WhCdUpISXjjpU
    XIFFWBPuBfyr/FKRknFH15P+9kLZLxCpVZZLsweLWCuw+JKCMmnA
    =F6VG
    -----END PGP PUBLIC KEY BLOCK-----
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQINBFw467UBEACmREzDeK/kuScCmfJfHJa0Wgh/2fbJLLt3KSvsgDhORIptf+PP
    OTFDlKuLkJx99ZYG5xMnBG47C7ByoMec1j94YeXczuBbynOyyPlvduma/zf8oB9e
    Wl5GnzcLGAnUSRamfqGUWcyMMinHHIKIc1X1P4I=
    =WPpI
    -----END PGP PUBLIC KEY BLOCK-----
  4. Click Save.

CLI procedure

  1. Copy the GPG key to your Satellite Server:

    $ scp ~/etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE-95 root@satellite.example.com:~/.
  2. Upload the GPG key to Satellite:

    # hammer content-credentials create \
    --content-type gpg_key \
    --name "My_GPG_Key" \
    --organization "My_Organization" \
    --path ~/RPM-GPG-KEY-EXAMPLE-95

4.30. Restricting a custom repository to a specific operating system or architecture in Satellite

You can configure Satellite to make a custom repository available only on hosts with a specific operating system version or architecture. For example, you can restrict a custom repository only to Red Hat Enterprise Linux 9 hosts.

Note

Only restrict architecture and operating system version for custom products. Satellite applies these restrictions automatically for Red Hat repositories.

Procedure

  1. In the Satellite web UI, navigate to Content > Products.
  2. Click the product that contains the repository sets you want to restrict.
  3. In the Repositories tab, click the repository you want to restrict.
  4. In the Publishing Settings section, set the following options:

    • Set Restrict to OS version to restrict the operating system version.
    • Set Restrict to architecture to restrict the architecture.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.