Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Performing Additional Configuration on Satellite Server

3.1. Installing the Satellite Tools Repository
Copy link

The Satellite Tools repository provides the katello-agent and puppet packages for clients registered to Satellite Server. Installing the katello agent is recommended to allow remote updates of clients. The base system of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.

To Install the Satellite Tools Repository Using the Web UI:

  1. In the Satellite web UI, navigate to Content > Red Hat Repositories.
  2. Use the Search field to enter the following repository name: Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs).

  3. In the Available Repositories pane, click on Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs) to expand the repository set.

    If the Red Hat Satellite Tools 6.4 items are not visible, it may be because they are not included in the Subscription Manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Subscription Manifest and import it into Satellite.

  4. For the x86_64 entry, click the Enable icon to enable the repository.

Enable the Satellite Tools repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

For CLI Users

Enable the Satellite Tools repository: 

# hammer repository-set enable --organization "initial_organization_name" \
--product 'Red Hat Enterprise Linux Server' \
--basearch='x86_64' \
--name 'Red Hat Satellite Tools 6.4 (for RHEL 7 Server) (RPMs)'
Copy to Clipboard Toggle word wrap

To Synchronize the Satellite Tools Repository Using the Web UI:

  1. Navigate to Content > Sync Status.

    A list of product repositories available for synchronization is displayed.

  2. Click the arrow next to the product content to view available content.
  3. Select the content you want to synchronize.
  4. Click Synchronize Now.

For CLI Users

Synchronize your Satellite Tools repository: 

$ hammer repository synchronize --organization "initial_organization_name" \
--product 'Red Hat Enterprise Linux Server' \
--name 'Red Hat Satellite Tools 6.4 for RHEL 7 Server RPMs x86_64' \
--async
Copy to Clipboard Toggle word wrap

3.2. Enabling Power Management on Managed Hosts
Copy link

When you enable the baseboard management controller (BMC) module on Satellite Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.

The BMC service enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).

For more information on the BMC service, see Configuring an Additional Network Interface in Managing Hosts.

Before You Begin

  • All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.

Enable Power Management on Managed Hosts

  1. Run the installer with the options to enable BMC. 

    # satellite-installer --foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"
    Copy to Clipboard Toggle word wrap

You can configure DNS, DHCP, and TFTP on Satellite Server.

If you want to configure external services, see Chapter 4, Configuring External Services.

If you want to disable these services in Satellite in order to manage them manually, see Section 3.4, “Disabling DNS, DHCP, and TFTP for Unmanaged Networks”.

To view a complete list of configurable options, enter the satellite-installer --scenario satellite --help command.

Before You Begin

  • Contact your network administrator to ensure that you have the correct settings.

  • You should have the following information available:

    • DHCP IP address ranges
    • DHCP gateway IP address
    • DHCP nameserver IP address
    • DNS information
    • TFTP server name
  • Use the FQDN instead of the IP address where possible in case of network changes.

Configure DNS, DHCP, and TFTP on Satellite Server

  1. Run satellite-installer with the options appropriate for your environment. 

    # satellite-installer --scenario satellite \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-forwarders 172.17.13.1 \
--foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
--foreman-proxy-dhcp-gateway 172.17.13.1 \
--foreman-proxy-dhcp-nameservers 172.17.13.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername $(hostname)
    Copy to Clipboard Toggle word wrap

    For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

    The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log. You can view the settings used, including the admin_password parameter, in the /etc/foreman-installer/scenarios.d/satellite-answers.yaml file.

Note

Any changes to the settings require running satellite-installer again. You can run the script multiple times and it updates all configuration files with the changed values.

If you want to manage TFTP, DHCP, and DNS services manually, you must prevent Satellite from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors. However, Satellite does not remove the back-end services on the operating system.

Procedure

To prevent Satellite from maintaining DHCP, DNS, and TFTP services on the operating system, and disable orchestration, complete the following steps:

  1. On Satellite Server, enter the following command: 

    # satellite-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false
    Copy to Clipboard Toggle word wrap
  2. In the Satellite web UI, navigate to Infrastructure > Subnets and select a subnet.
  3. Click the Capsules tab and clear the DHCP Capsule, TFTP Capsule, and Reverse DNS Capsule fields.
  4. Navigate to Infrastructure > Domains and select a domain.
  5. Clear the DNS Capsule field.

  6. Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options: 

    Option 66: IP_address_of_Satellite_or_Capsule
Option 67: /pxelinux.0
    Copy to Clipboard Toggle word wrap

    For more information about DHCP options, see RFC 2132.

Note

Satellite 6 does not perform orchestration when a Capsule is not set for a given subnet and domain. When enabling or disabling Capsule associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Capsule to turn orchestration on, make sure the required DHCP and DNS records as well as the TFTP files are in place for the existing Satellite hosts in order to prevent host deletion failures in the future.

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

If you have upgraded from a previous release, rename or remove the configuration file /usr/share/foreman/config/email.yaml and restart the httpd service. For example: 

# mv /usr/share/foreman/config/email.yaml \
/usr/share/foreman/config/email.yaml-backup
# systemctl restart httpd
Copy to Clipboard Toggle word wrap

To Configure Satellite Server for Outgoing Emails:

  1. In the Satellite web UI, navigate to Administer Settings.

  2. Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

    1. The following example shows the configuration options for using an SMTP server:

      Expand
      Table 3.1. Using an SMTP server as a delivery method
      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.example.com

      SMTP authentication

      login

      SMTP HELO/EHLO domain

      example.com

      SMTP password

      password

      SMTP port

      25

      SMTP username

      satellite@example.com

      The SMTP username and SMTP password specify the login credentials for the SMTP server.

    2. The following example uses gmail.com as an SMTP server:

      Expand
      Table 3.2. Using gmail.com as an SMTP server
      NameExample value

      Delivery method

      SMTP

      SMTP address

      smtp.gmail.com

      SMTP authentication

      plain

      SMTP HELO/EHLO domain

      smtp.gmail.com

      SMTP enable StartTLS auto

      Yes

      SMTP password

      password

      SMTP port

      587

      SMTP username

      user@gmail.com

    3. The following example uses the sendmail command as a delivery method:

      Expand
      Table 3.3. Using sendmail as a delivery method
      NameExample value

      Delivery method

      Sendmail

      Sendmail arguments

      -i -t -G

      The Sendmail arguments specify the options passed to the sendmail command. The default value is -i -t. For more information see the sendmail 1 man page.

  3. If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:

    • Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server: 

      # cp mailca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust enable
# update-ca-trust
      Copy to Clipboard Toggle word wrap

      Where mailca.crt is the CA certificate of the SMTP server.

    • Alternatively, in the web UI, set the SMTP enable StartTLS auto option to No.
  4. Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the web UI displays an error. See the log at /var/log/foreman/production.log for further details.
Note

For information on configuring email notifications for individual users or user groups, see Configuring Email Notifications in Administering Red Hat Satellite.

SSL certificates are used to protect information and enable secure communication. Red Hat Satellite 6 creates self-signed SSL certificates to enable encrypted communications between the Satellite Server, external Capsule Servers, and all hosts. Instead of using these self-signed certificates, you can install custom SSL certificates issued by a Certificate Authority which is an external, trusted company. For example, your company might have a security policy stating that SSL certificates must be obtained from a Certificate Authority. To obtain the certificate, create a Certificate Signing Request and send it to the Certificate Authority, as described in Section 3.6.1, “Obtain an SSL Certificate for Satellite Server”. In return, you receive a signed SSL certificate.

To use a custom certificate on Satellite Server, complete these steps:

  1. Section 3.6.1, “Obtain an SSL Certificate for Satellite Server”
  2. Section 3.6.2, “Validate the Satellite Server’s SSL Certificate”
  3. Section 3.6.3, “Run the Satellite Installer with Custom Certificate Parameters”
  4. Section 3.6.4, “Install the New Certificate on all Hosts Connected to the Satellite Server”
  5. If you have external Capsule Servers registered to the Satellite Server, proceed to Configuring Capsule Server with a Custom Server Certificate in the Installing Capsule Server guide to configure the Capsule Servers to use a custom certificate.

If you already have a custom SSL Certificate for the Satellite Server, skip this procedure.

Important

Use PEM encoding for the SSL Certificates.

Procedure

To obtain custom SSL certificates for Satellite Server, complete the following steps:

  1. Create a directory to store all the source certificate files, accessible only to the root user, for example /root/sat_cert. 

    # mkdir /root/sat_cert
    Copy to Clipboard Toggle word wrap

  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note

    If you already have a private key for the Satellite Server, skip this step. 

    # openssl genrsa -out /root/sat_cert/satellite_cert_key.pem 4096
    Copy to Clipboard Toggle word wrap

  3. Create the /root/sat_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content. In the [ req_distinguished_name ] section, enter information about your organization.

    Note

    The certificate’s Common Name (CN) and the Subject Alternative Name (SAN) DNS.1 must match the fully-qualified domain name (FQDN) of the server on which it is used. If you are requesting a certificate for a Satellite Server, this is the FQDN of Satellite Server. If you are requesting a certificate for a Capsule Server, this is the FQDN of Capsule Server.

    To confirm a server’s FQDN, enter the following command on that server: hostname -f. 

    [ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]
C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
OU = The division of your organization handling the certificate
CN = satellite.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = satellite.example.com
    Copy to Clipboard Toggle word wrap

  4. Generate the Certificate Signing Request (CSR): 

    # openssl req -new \
-key /root/sat_cert/satellite_cert_key.pem \
-out /root/sat_cert/satellite_cert_csr.pem \
-config /root/sat_cert/openssl.cnf
    Copy to Clipboard Toggle word wrap

  5. Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.

Enter the katello-certs-check command with the required parameters as per the following example. This validates the input files required for custom certificates and outputs the commands necessary to install them on the Satellite Server, all Capsule Servers, and hosts under management with Satellite.

  1. Validate the custom SSL certificate input files. Change the files' names to match your files. Note that for the katello-certs-check command to work correctly, Common Name (CN) in the certificate must match the FQDN of Satellite Server. 

    # katello-certs-check \
   -c /root/sat_cert/satellite_cert.pem \
    1 
    
   -k /root/sat_cert/satellite_cert_key.pem \
    2 
    
   -b /root/sat_cert/ca_cert_bundle.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Certificate file for the Satellite Server, signed by your Certificate Authority
    2
    Satellite Server’s private key, used to sign the certificate
    3
    Certificate Authority bundle

Now that you have created an SSL certificate and verified it is valid for use with Red Hat Satellite 6, the next step is to install the custom SSL certificate on the Satellite Server and all its hosts.

There is a minor variation to this step, depending on whether or not the Satellite Server is already installed. If it is already installed, the existing certificates must be updated with those in the certificates archive.

The commands in this section are output by the katello-certs-check command, as detailed in Section 3.6.2, “Validate the Satellite Server’s SSL Certificate”, and can be copied and pasted into a terminal.

  1. Enter the satellite-installer command, depending on your situation:

    1. If Satellite is already installed, enter the following command on the Satellite Server: 

      # satellite-installer --scenario satellite \
--certs-server-cert /root/sat_cert/satellite_cert.pem \
--certs-server-key /root/sat_cert/satellite_cert_key.pem \
--certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
--certs-update-server --certs-update-server-ca
      Copy to Clipboard Toggle word wrap

      Important parameters in this command include --certs-update-server and --certs-update-server-ca, which specify that the server’s SSL certificate and certificate authority are to be updated. For a brief description of all the installer’s parameters, enter the command: satellite-installer --scenario satellite --help.

      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

    2. If Satellite is not already installed, enter the following command on the Satellite Server: 

      # satellite-installer --scenario satellite \
--certs-server-cert /root/sat_cert/satellite_cert.pem \
--certs-server-key /root/sat_cert/satellite_cert_key.pem \
--certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem
      Copy to Clipboard Toggle word wrap
      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you enter the installer again, but from a different directory, it may fail as it is unable to find the original files.

  2. Verify the certificate has been successfully installed on the Satellite Server before installing it on hosts. On a computer with network access to the Satellite Server, start a web browser, navigate to the URL https://satellite.example.com and view the certificate’s details.

Now that the custom SSL certificate has been installed on the Satellite Server, it must also be installed on every host registered to the Satellite Server.

Until BZ#1683835 is resolved, you cannot upgrade the katello-ca-consumer package; you must remove the old package and install the new one. Upgrading the katello-ca-consumer package fails because the upgrade reverts the baseurl setting in rhsm.conf to subscription.rhsm.redhat.com.

Procedure

Enter the following commands on all applicable hosts.

  1. Delete the current katello-ca-consumer package on the host. 

    # yum remove 'katello-ca-consumer*'
    Copy to Clipboard Toggle word wrap

  2. Install the custom SSL certificate on the host. 

    # yum localinstall http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    Copy to Clipboard Toggle word wrap

3.7. Using External Databases with Satellite
Copy link

As part of the installation process for Red Hat Satellite, the satellite-installer command installs MongoDB and PostgreSQL databases on the same server as Satellite. In certain Satellite deployments, using external databases can help with the server load. However, there are many factors that can affect Satellite Server’s performance. Moving to an external database might not help your specific problem.

Depending on your requirements, you can use external databases for either MongoDB or PostgreSQL database, or both.

Red Hat does not provide support or tools for external database maintenance. This includes backups, upgrades, and database tuning. Customers using an external database require their own database administrator to support and maintain the database.

If your Satellite deployment requires external databases, use the following information to set up and point to external databases from Satellite.

Pulp uses the MongoDB database. If you want to use MongoDB as an external database, the following information can help you discern if this option is right for your Satellite configuration.

Advantages of External MongoDB

  • Increase in free memory and free CPU on Satellite
  • Flexibility to tune the MongoDB server’s system without adversely affecting Satellite operations

Disadvantages of External MongoDB

  • Increase in deployment complexity that can make troubleshooting more difficult
  • An external MongoDB server is an additional system to patch and maintain
  • If either the Satellite or the Mongo database server suffers a hardware or storage failure, Satellite is not operational
  • If there is latency between the Satellite and the external database server, performance can suffer

If you suspect that your Mongo database is slow, you can work with Red Hat Support to troubleshoot. You might be encountering a configuration problem or existing performance problems with Satellite 6 that moving to an external database server might not help. Red Hat Support can examine existing known issues and also work with the Satellite Engineering team to determine the root cause.

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you discern if this option is right for your Satellite configuration.

Advantages of External PostgreSQL:

  • Increase in free memory and free CPU on Satellite
  • Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on Satellite
  • Flexibility to tune the PostgreSQL server’s system without adversely affecting Satellite operations

Disadvantages of External PostgreSQL

  • Increase in deployment complexity that can make troubleshooting more difficult
  • The external PostgreSQL server is an additional system to patch and maintain
  • If either Satellite or the PostgreSQL database server suffers a hardware or storage failure, Satellite is not operational
  • If there is latency between the Satellite server and database server, performance can suffer

If you suspect that the PostgreSQL database on your Satellite is causing performance problems, use the information in Satellite 6: How to enable postgres query logging to detect slow running queries to determine if you have slow queries. Queries that take longer than one second are typically caused by performance issues with large installations, and moving to an external database might not help. If you have slow queries, contact Red Hat Support.

3.7.3. Overview
Copy link

To create and use a remote database for Satellite, you must complete the following procedures:

  1. Use Section 1.2, “Storage Requirements and Guidelines” to plan the storage requirements for your external databases
  2. Prepare PostgreSQL with databases for Foreman and Candlepin and dedicated users owning them
  3. Prepare MongoDB with user pulp owning the pulp_database
  4. Follow the initial steps to install Satellite and ensure that the databases are accessible from Satellite
  5. Edit the parameters of satellite-installer to point to the new databases, and run satellite-installer

Preparing Red Hat Enterprise Linux Server 7 for Database Installation

You require a freshly provisioned system with the latest Red Hat Enterprise Linux Server 7 that meets the storage requirements from Section 1.2, “Storage Requirements and Guidelines”.

Subscriptions for Red Hat Software Collections and Red Hat Enterprise Linux do not provide the correct service level agreement for using Satellite with external databases. You must also attach a Satellite subscription to the base system that you want to use for the external database.

  1. Use the instructions in Identifying and Attaching the Satellite Subscription to the Host to attach a Satellite subscription to your server.

  2. To install MongoDB and PostgreSQL servers on Red Hat Enterprise Linux Server 7, you must disable all repositories and enable only the following repositories: 

    # subscription-manager repos --disable '*'
# subscription-manager repos --enable=rhel-server-rhscl-7-rpms \
--enable=rhel-7-server-rpms
    Copy to Clipboard Toggle word wrap

3.7.4. Installing MongoDB
Copy link

You can install only the same version of MongoDB that is installed with the satellite-installer tool during an internal database installation. You can install MongoDB using Red Hat Software Collections (RHSCL) repositories or from an external source, as long as the version is supported. Satellite supports MongoDB version 3.4.

  1. To install MongoDB, enter the following command: 

    # yum install rh-mongodb34 rh-mongodb34-syspaths
    Copy to Clipboard Toggle word wrap

  2. Start and enable the rh-mongodb34 service: 

    # systemctl start rh-mongodb34-mongod
# systemctl enable rh-mongodb34-mongod
    Copy to Clipboard Toggle word wrap

  3. Create a Pulp user on MongoDB for database pulp_database: 

    # mongo pulp_database \
--eval "db.createUser({user:'pulp',pwd:'pulp_password',roles:[{role:'dbOwner', db:'pulp_database'},{ role: 'readWrite', db: 'pulp_database'}]})"
    Copy to Clipboard Toggle word wrap

  4. In the /etc/opt/rh/rh-mongodb34/mongod.conf file, specify the bind IP: 

    bindIp: your_mongodb_server_bind_IP,::1
    Copy to Clipboard Toggle word wrap

  5. Edit the /etc/opt/rh/rh-mongodb34/mongod.conf file to enable authentication in the security section: 

    security:
  authorization: enabled
    Copy to Clipboard Toggle word wrap

  6. Restart the rh-mongodb34-mongod service: 

    # systemctl restart rh-mongodb34-mongod
    Copy to Clipboard Toggle word wrap

  7. Open port 27017 for MongoDB: 

    # firewall-cmd --add-port=27017/tcp
# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap

  8. From Satellite Server, test that you can access the database. If the connection succeeds, the command returns 1. 

    # scl enable rh-mongodb34 " mongo --host mongo.example.com \
-u pulp -p pulp_password --port 27017 --eval 'ping:1' pulp_database"
    Copy to Clipboard Toggle word wrap

3.7.5. Installing PostgreSQL
Copy link

You can install only the same version of PostgreSQL that is installed with the satellite-installer tool during an internal database installation. Satellite supports only a specific version of PostgreSQL that is available through Red Hat Enterprise Linux Server 7 repositories. You can install PostgreSQL using rhel-7-server-rpms repositories or from an external source, as long as the version is supported. For more information about the repository that contains the supported version of PostgreSQL, and what version is supported, see the Package Manifest.

  1. To install PostgreSQL, enter the following command: 

    # yum install postgresql-server
    Copy to Clipboard Toggle word wrap

  2. To initialize, start, and enable PostgreSQL service, enter the following commands: 

    # postgresql-setup initdb
# systemctl start postgresql
# systemctl enable postgresql
    Copy to Clipboard Toggle word wrap

  3. Edit the /var/lib/pgsql/data/postgresql.conf file: 

    # vi /var/lib/pgsql/data/postgresql.conf
    Copy to Clipboard Toggle word wrap

  4. Remove the # and edit to listen to inbound connections: 

    listen_addresses = '*'
    Copy to Clipboard Toggle word wrap

  5. Edit the /var/lib/pgsql/data/pg_hba.conf file: 

    # vi /var/lib/pgsql/data/pg_hba.conf
    Copy to Clipboard Toggle word wrap

  6. Add the following line to the file: 

      host  all   all   satellite_server_ip/24   md5
    Copy to Clipboard Toggle word wrap

  7. Restart PostgreSQL service to update with the changes: 

    # systemctl restart postgresql
    Copy to Clipboard Toggle word wrap

  8. Open the postgresql port on the external PostgreSQL server: 

    # firewall-cmd --add-service=postgresql
# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap

  9. Switch to the postgres user and start the PostgreSQL client: 

    $ su - postgres -c psql
    Copy to Clipboard Toggle word wrap

  10. Create two databases and dedicated roles, one for Satellite and one for Candlepin: 

    CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
    Copy to Clipboard Toggle word wrap

  11. From Satellite Server, test that you can access the database. If the connection succeeds, the commands return 1. 

    # PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
    Copy to Clipboard Toggle word wrap

  12. To install and configure the remote database for Satellite, enter the following command: 

    satellite-installer --scenario satellite \
  --foreman-db-host postgres.example.com \
  --foreman-db-password Foreman_Password \
  --foreman-db-database foreman \
  --katello-candlepin-db-host postgres.example.com \
  --katello-candlepin-db-name candlepin \
  --katello-candlepin-db-password Candlepin_Password \
  --katello-candlepin-manage-db false \
  --katello-pulp-db-username pulp \
  --katello-pulp-db-password pulp_password \
  --katello-pulp-db-seeds mongo.example.com:27017 \
  --katello-pulp-db-name pulp_database
    Copy to Clipboard Toggle word wrap

You can query the status of your databases. For example, enter the following command with the --only and add postgresql or rh-mongodb34-mongod:

For PostgreSQL, enter the following command: 

# foreman-maintain service status --only postgresql
Copy to Clipboard Toggle word wrap

For MongoDB, enter the following command: 

# foreman-maintain service status --only rh-mongodb34-mongod
Copy to Clipboard Toggle word wrap

3.8. Restricting Access to mongod
Copy link

Only the apache and root users should be allowed access to the MongoDB database daemon, mongod, to reduce the risk of data loss.

Restrict access to mongod on Satellite and Capsule Servers using the following commands.

  1. Configure the Firewall. 

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 27017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
&& firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP \
&& firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
tcp -m tcp --dport 28017 -j DROP
    Copy to Clipboard Toggle word wrap

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat