Chapter 3. Performing Additional Configuration on Capsule Server
3.1. Installing the Katello Agent
To remotely update Satellite clients, you must install the Katello agent.
The katello-agent package depends on the gofer package, which provides the goferd service. This service must be enabled so that Satellite Server or Capsule Server can provide information about errata that are applicable for content hosts.
Prerequisites
Before installing the Katello agent, ensure the following conditions are met:
- You have enabled the Satellite Tools repository on Satellite Server. For more information, see Enabling the Satellite Tools Repository in Installing Satellite Server from a Connected Network.
- You have synchronized the Satellite Tools repository on Satellite Server. For more information, see Synchronizing the Satellite Tools Repository in Installing Satellite Server from a Connected Network.
- You have enabled the Satellite Tools repository on the client. For example, to ensure that the repository is enabled on the Red Hat Enterprise Linux 7 client, enter the following command on the client:
# subscription-manager repos --enable rhel-7-server-satellite-tools-6.5-rpms
Procedure
To install the Katello agent, complete the following steps:
- Install the katello-agent package:
  # yum install katello-agent
- Start the goferd service:
  # systemctl start goferd
3.2. Enabling Remote Execution on Capsule Server
If you want to run commands on the hosts that a Capsule Server manages, you must enable remote execution on that Capsule Server.
Remote execution on external Capsules is disabled by default. To enable it, run the following command on the Capsule Server:
# satellite-installer --scenario capsule \
    --enable-foreman-proxy-plugin-remote-execution-ssh
3.3. Enabling OpenSCAP on External Capsules
On Satellite Server and the integrated Capsule of your Satellite Server, OpenSCAP is enabled by default.
If you want to use the OpenSCAP plug-in and content on an external Capsule, you must enable OpenSCAP on each Capsule.
Procedure
To enable OpenSCAP, enter the following command on the external Capsule:
# satellite-installer --scenario capsule \
    --enable-foreman-proxy-plugin-openscap
3.4. Adding Life Cycle Environments to Capsule Servers
If your Capsule Server has the content functionality enabled, you must add an environment so that Capsule can synchronize content from Satellite Server and provide content to host systems.
Do not assign the Library life cycle environment to your Capsule Server, because doing so triggers an automated Capsule sync every time the CDN updates a repository. This can consume considerable system resources on Capsules, network bandwidth between Satellite Server and Capsules, and available disk space on Capsules.
You can use Hammer CLI on Satellite Server or the Satellite web UI.
Procedure
To add a life cycle environment to Capsule Server, complete the following steps:
- In the Satellite web UI, navigate to Infrastructure > Capsules, and select the Capsule that you want to add a life cycle to.
- Click Edit and click the Life Cycle Environments tab.
- From the left menu, select the life cycle environments that you want to add to Capsule, and then click Submit.
- To synchronize Capsule’s content, click the Overview tab, and then click Synchronize.
- Select either Optimized Sync or Complete Sync.
For CLI Users
- To display a list of all Capsule Servers, enter the following command and note the ID of the Capsule Server that is returned:
  # hammer capsule list
- Using the ID, verify the details of your Capsule Server:
  # hammer capsule info --id capsule_id
- To view the life cycle environments available for your Capsule Server, enter the following command and note the environment ID and the organization name:
  # hammer capsule content available-lifecycle-environments \
      --id capsule_id
- Add the life cycle environment to your Capsule Server. Repeat this command for each life cycle environment that you want to add:
  # hammer capsule content add-lifecycle-environment \
      --id capsule_id --organization "My_Organization" \
      --environment-id environment_id
- To synchronize all content from your Satellite Server environment to Capsule Server, enter the following command:
  # hammer capsule content synchronize --id capsule_id
- To synchronize a specific life cycle environment from your Satellite Server to Capsule Server, enter the following command:
  # hammer capsule content synchronize --id capsule_id \
      --environment-id environment_id
3.5. Enabling Power Management on Managed Hosts
When you enable the baseboard management controller (BMC) module on Capsule Server, you can use power management commands on managed hosts through the Intelligent Platform Management Interface (IPMI) or a similar protocol.
The BMC service on Capsule Server enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI, which is also referred to as the BMC function. IPMI uses a dedicated network interface on the managed hardware that is connected to a management processor running independently of the host’s CPUs. In many chassis-based systems the BMC functionality is built in as part of chassis management (a dedicated module in the chassis).
For more information on the BMC service, see Adding a Baseboard Management Controller (BMC) Interface in the Managing Hosts guide.
Before You Begin
- All managed hosts must have a network interface of type BMC. Satellite uses this interface to pass the appropriate credentials to the host.
Enable Power Management on Managed Hosts
Run the installer with the options to enable BMC:
# satellite-installer --scenario capsule \
    --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"
3.6. Configuring DNS, DHCP, and TFTP on Capsule Server
You can configure DNS, DHCP, and TFTP on Capsule Server.
You can also configure Capsule Server to use external DNS and DHCP services. See Configuring External Services for more information.
To view a complete list of configurable options, enter the satellite-installer --scenario capsule --help command.
Before You Begin
- You must know the name of the network interface (dns-interface) on which the DNS server listens.
- You must know the name of the network interface (dhcp-interface) on which the DHCP server listens.
Configure DNS, DHCP, and TFTP on Capsule Server
Run the Capsule installer with the options applicable to your environment.
The following example shows full provisioning services:
# satellite-installer --scenario capsule \
    --foreman-proxy-dns true \
    --foreman-proxy-dns-managed true \
    --foreman-proxy-dns-interface eth0 \
    --foreman-proxy-dns-zone example.com \
    --foreman-proxy-dns-forwarders 172.17.13.1 \
    --foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-managed true \
    --foreman-proxy-dhcp-interface eth0 \
    --foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
    --foreman-proxy-dhcp-gateway 172.17.13.1 \
    --foreman-proxy-dhcp-nameservers 172.17.13.2 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-managed true \
    --foreman-proxy-tftp-servername $(hostname)
For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.
3.7. Configuring Capsule Server with a Custom Server Certificate
Red Hat Satellite 6 includes default SSL certificates to enable encrypted communications between the Satellite Server, Capsule Servers, and all hosts. You can replace the default certificates with custom certificates if required. For example, your company’s security policy might dictate that SSL certificates must be obtained from a specific Certificate Authority.
Prerequisites
- Satellite Server configured with custom certificates. For more information, see Configuring Satellite Server with a Custom Server Certificate in Installing Satellite Server from a Connected Network.
- Capsule Server installed and registered to the Satellite Server. For more information, see Chapter 2, Installing Capsule Server.
To use custom certificates on each Capsule Server, complete these procedures:
- Section 3.7.1, “Obtain an SSL Certificate for Capsule Server”
- Section 3.7.2, “Validate the Capsule Server’s SSL Certificate”
- Section 3.7.3, “Create the Capsule Server’s Certificate Archive File”
- Section 3.7.4, “Install the Capsule Server’s Custom Certificate”
- Section 3.7.5, “Install the Capsule Server’s New Certificate on All Hosts”
3.7.1. Obtain an SSL Certificate for Capsule Server
- Use PEM encoding for the SSL certificates.
- Do not use the Satellite Server’s certificate on any Capsule Server, because each server’s certificate is unique.
Procedure
On Satellite Server, obtain custom SSL certificates for Capsule Server:
- Create a directory to store all the source certificate files, accessible only to the root user, for example /root/capsule_cert:
  # mkdir /root/capsule_cert
  In these examples, the directory is /root/capsule_cert. If you have multiple Capsule Servers, name the directory to match. For example, if you have Capsule Servers named capsule_apac and capsule_emea, you might create directories named capsule_apac and capsule_emea respectively. This is not required, but reduces the risk of using files from one Capsule Server on another Capsule Server.
- Create a private key with which to sign the Certificate Signing Request (CSR). Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password. If you already have a private key for the Capsule Server, skip this step.
  # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
- Create the /root/capsule_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content. In the [ req_distinguished_name ] section, enter information about your organization.
  Note: The certificate’s Common Name (CN) and the Subject Alternative Name (SAN) DNS.1 must match the fully-qualified domain name (FQDN) of the server on which it is used. If you are requesting a certificate for a Satellite Server, this is the FQDN of Satellite Server. If you are requesting a certificate for a Capsule Server, this is the FQDN of Capsule Server. To confirm a server’s FQDN, enter the following command on that server: hostname -f
  [ req ]
  req_extensions = v3_req
  distinguished_name = req_distinguished_name
  x509_extensions = usr_cert
  prompt = no

  [ req_distinguished_name ]
  C = Country Name (2 letter code)
  ST = State or Province Name (full name)
  L = Locality Name (eg, city)
  O = Organization Name (eg, company)
  OU = The division of your organization handling the certificate
  CN = capsule.example.com

  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  subjectAltName = @alt_names

  [ usr_cert ]
  basicConstraints=CA:FALSE
  nsCertType = client, server, email
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
  nsComment = "OpenSSL Generated Certificate"
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer

  [ alt_names ]
  DNS.1 = capsule.example.com
- Generate the Certificate Signing Request (CSR):
  # openssl req -new \
      -key /root/capsule_cert/capsule_cert_key.pem \
      -out /root/capsule_cert/capsule_cert_csr.pem \
      -config /root/capsule_cert/openssl.cnf
- Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Satellite Server and Capsule Server. When you submit the request, specify the lifespan of the certificate. The method for sending the certificate signing request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.
3.7.2. Validate the Capsule Server’s SSL Certificate
On the Satellite Server, validate the Capsule Server’s certificate input files with the katello-certs-check command. The Capsule Server’s private key, the signed certificate, and the CA bundle must all be present on Satellite Server; if they were generated or received elsewhere, copy them there first.
# katello-certs-check \
    -c /root/capsule_cert/capsule_cert.pem \
    -k /root/capsule_cert/capsule_cert_key.pem \
    -b /root/capsule_cert/ca_cert_bundle.pem
In this command, -c is the signed certificate, -k is the unencrypted private key, and -b is the Certificate Authority bundle.
If the certificate is successfully validated, the output contains the following information.
Validation succeeded
Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for use in the following procedure.
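The following script is an added example for Sections 3.7.1 and 3.7.2; it is not part of the Red Hat documentation and is not the katello-certs-check tool itself. It builds a Capsule key and CSR from the openssl.cnf layout above, signs the CSR with a stand-in CA that exists only so the script can run offline (in production the CSR goes to the CA that also signed the Satellite Server certificate, and ca_cert_bundle.pem is that CA’s bundle), and then runs the checks a practitioner wants to see pass before handing the files to capsule-certs-generate: the key is unencrypted, the key matches the certificate, the CN and SAN DNS.1 equal the Capsule FQDN, and the certificate chains to the bundle. The DN placeholder values, the trimmed extension sections and the file names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not Red Hat's code): build a Capsule CSR as in Section 3.7.1
# and check a signed certificate the way a practitioner does before 3.7.3.
# Assumption: make_standin_ca is a local self-signed CA used only so the
# script runs offline; in production the CSR goes to the CA that signed
# the Satellite Server certificate and ca_cert_bundle.pem is that CA's bundle.
set -eu

# Write the CSR configuration for one Capsule FQDN to DIR/openssl.cnf.
# DN values are placeholders; v3_req/alt_names follow the chapter's layout.
write_openssl_cnf() {
  local fqdn="$1" dir="$2"
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = US
ST = Example State
L = Example City
O = Example Org
OU = Infrastructure
CN = $fqdn
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
EOF
}

# make_capsule_csr FQDN DIR [BITS]: root-only directory, unencrypted RSA key, CSR.
make_capsule_csr() {
  local fqdn="$1" dir="$2" bits="${3:-4096}"
  mkdir -p "$dir" && chmod 700 "$dir"
  write_openssl_cnf "$fqdn" "$dir"
  openssl genrsa -out "$dir/capsule_cert_key.pem" "$bits" 2>/dev/null
  openssl req -new -key "$dir/capsule_cert_key.pem" \
    -out "$dir/capsule_cert_csr.pem" -config "$dir/openssl.cnf"
}

# make_standin_ca DIR [BITS]: self-signed CA that exists only to make this runnable.
make_standin_ca() {
  local dir="$1" bits="${2:-4096}"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Internal CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$dir/ca_key.pem" \
    -out "$dir/ca_cert_bundle.pem" -days 365 -config "$dir/ca.cnf" 2>/dev/null
}

# sign_capsule_csr DIR: what the real CA does; the SAN comes from v3_req.
sign_capsule_csr() {
  local dir="$1"
  openssl x509 -req -in "$dir/capsule_cert_csr.pem" -CA "$dir/ca_cert_bundle.pem" \
    -CAkey "$dir/ca_key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/openssl.cnf" -extensions v3_req -out "$dir/capsule_cert.pem" 2>/dev/null
}

# check_capsule_cert FQDN CERT KEY CA_BUNDLE: returns 0 and prints
# "Validation succeeded" only when every check passes; otherwise prints why.
check_capsule_cert() {
  local fqdn="$1" cert="$2" key="$3" ca="$4"
  # the installer cannot prompt for a passphrase, so the key must be unencrypted
  if grep -q ENCRYPTED "$key"; then echo "key is password-protected"; return 1; fi
  # the key must belong to the certificate (compare the public keys)
  if [ "$(openssl pkey -in "$key" -pubout)" != "$(openssl x509 -in "$cert" -pubkey -noout)" ]; then
    echo "private key does not match certificate"; return 1
  fi
  # CN and SAN DNS.1 must both equal the Capsule FQDN (hostname -f on the Capsule)
  openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline | grep -q "^ *CN=$fqdn\$" \
    || { echo "CN is not $fqdn"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$fqdn(,|\$)" \
    || { echo "SAN does not contain $fqdn"; return 1; }
  # the chain must verify against the bundle of the CA that also signed Satellite's cert
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $ca"; return 1; }
  echo "Validation succeeded"
}

# Usage: bash capsule-cert-check.sh demo   (end-to-end run in a scratch directory)
if [ "${1:-}" = "demo" ]; then
  d="$(mktemp -d)"
  make_standin_ca "$d" && make_capsule_csr capsule.example.com "$d" && sign_capsule_csr "$d"
  check_capsule_cert capsule.example.com "$d/capsule_cert.pem" "$d/capsule_cert_key.pem" "$d/ca_cert_bundle.pem"
fi
```

Run it with the demo argument for an offline dry run, or source it and call check_capsule_cert against the real files in /root/capsule_cert; a non-zero exit with the printed reason tells you which input is wrong before you run katello-certs-check.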
Proceed to Section 3.7.3, “Create the Capsule Server’s Certificate Archive File”.
3.7.3. Create the Capsule Server’s Certificate Archive File
The Capsule Server’s installer requires the server certificates to be in an archive file. To create this file, use the capsule-certs-generate command on the Satellite Server.
The capsule-certs-generate command must be run once for every external Capsule Server. In these examples, capsule.example.com is the example FQDN and capsule_certs.tar the example archive file’s name. Replace these with values appropriate to your environment, taking care not to overwrite an existing certificate archive file. For example, if you have Capsule Servers named capsule1 and capsule2, you can name the certificate archive files capsule1_certs.tar and capsule2_certs.tar.
The capsule-certs-generate command, including parameters, is output by the katello-certs-check command when run on Satellite Server. For more information, see Configuring Satellite Server with a Custom Server Certificate in Installing Satellite Server from a Connected Network.
- In an editor, prepare a copy of the capsule-certs-generate command.
- Edit the values for --foreman-proxy-fqdn to match the Capsule Server’s FQDN, and --certs-tar to the file path and name for the certificate archive file.
- If the Capsule Server has not already been installed, remove the --certs-update-server parameter. This is used only to update an existing Capsule Server’s certificate.
- Copy the modified capsule-certs-generate command from the text editor to the terminal and run it.
  Example capsule-certs-generate command:
  # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com \
      --certs-tar /root/capsule_cert/capsule_certs.tar \
      --server-cert /root/capsule_cert/capsule_cert.pem \
      --server-key /root/capsule_cert/capsule_cert_key.pem \
      --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
      --certs-update-server
- On the Satellite Server, copy the certificate archive file to the Capsule Server, providing the root user’s password when prompted. In this example the archive file is copied to the root user’s home directory, but you may prefer to copy it elsewhere.
  # scp /root/capsule_cert/capsule_certs.tar root@capsule.example.com:
Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for use in the following procedure.
Proceed to Section 3.7.4, “Install the Capsule Server’s Custom Certificate”.
3.7.4. Install the Capsule Server’s Custom Certificate
Complete this procedure on the Capsule Server.
To install the Capsule Server’s custom certificates, run the satellite-installer script with custom parameters. The command, including parameters, is output by the capsule-certs-generate command in Section 3.7.3, “Create the Capsule Server’s Certificate Archive File”.
- In an editor, prepare a copy of the satellite-installer command.
- Edit the value for --foreman-proxy-content-certs-tar to match the location of the certificates archive file.
- If you want to enable additional features on the Capsule Server, append their parameters to the satellite-installer command. For a description of all the installer’s parameters, enter the command satellite-installer --scenario capsule --help.
- Copy the modified satellite-installer command from the text editor to the terminal and run it.
  Example custom satellite-installer command:
  # satellite-installer --scenario capsule \
      --foreman-proxy-content-parent-fqdn "satellite.example.com" \
      --foreman-proxy-register-in-foreman "true" \
      --foreman-proxy-foreman-base-url "https://satellite.example.com" \
      --foreman-proxy-trusted-hosts "satellite.example.com" \
      --foreman-proxy-trusted-hosts "capsule.example.com" \
      --foreman-proxy-oauth-consumer-key "FeQsbASvCjvvaqE6duKH6SoYZWg4jwjg" \
      --foreman-proxy-oauth-consumer-secret "7UhPXFPDBongvdTbNixbsWR5WFZsKEgF" \
      --foreman-proxy-content-certs-tar "/root/capsule_certs.tar" \
      --puppet-server-foreman-url "https://satellite.example.com"
The satellite-installer command, as output by the capsule-certs-generate command, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server. The command also carries the OAuth consumer key and secret, so treat any file or shell history in which you keep it as a credential.
Do NOT delete the certificates archive file (the .tar file) even after the certificates have been deployed to all relevant hosts. It is required, for example, when upgrading the Capsule Server. If the certificates archive file is not found by the installer, it fails with a message similar to the following:
[ERROR YYYY-MM-DD hh:mm:ss main] tar -xzf /var/tmp/srvcapsule01.tar returned 2 instead of one of [0]
Proceed to Section 3.7.5, “Install the Capsule Server’s New Certificate on All Hosts”.
3.7.5. Install the Capsule Server’s New Certificate on All Hosts
Hosts which connect to an external Capsule Server require that server’s custom certificate.
Until BZ#1683835 is resolved, you cannot upgrade the katello-ca-consumer package; you must remove the old package and install the new one. Upgrading the katello-ca-consumer package fails because the upgrade reverts the baseurl setting in rhsm.conf to subscription.rhsm.redhat.com.
Procedure
Enter the following commands on all applicable hosts. Use the Capsule Server’s host name, not that of the Satellite Server.
- Delete the current katello-ca-consumer package on the host:
  # yum remove 'katello-ca-consumer*'
- Install the custom SSL certificate on the host:
  # yum localinstall \
      http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
The package is fetched over plain HTTP and installs the CA that the host will trust for all later connections to the Capsule, so fetch it only over a network path you trust, or compare its checksum with a copy obtained directly from the Capsule Server before installing it.
3.8. Restricting Access to mongod
Only the apache and root users should be allowed to connect to the MongoDB database daemon, mongod, to reduce the risk of data loss.
Restrict access to mongod on Satellite and Capsule Servers using the following commands. The rules match outgoing connections on the loopback interface by the owning user, so the ACCEPT rules for apache and root (priority 0) are evaluated before the catch-all DROP rules (priority 1).
Configure the firewall:
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 27017 -m owner --uid-owner apache -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 27017 -m owner --uid-owner apache -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 27017 -m owner --uid-owner root -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 27017 -m owner --uid-owner root -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp \
    --dport 27017 -j DROP \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp \
    --dport 27017 -j DROP \
  && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 28017 -m owner --uid-owner apache -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 28017 -m owner --uid-owner apache -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 28017 -m owner --uid-owner root -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp \
    --dport 28017 -m owner --uid-owner root -j ACCEPT \
  && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp \
    --dport 28017 -j DROP \
  && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp \
    --dport 28017 -j DROP
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
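As an added example for this section (not part of the Red Hat documentation), the script below generates the same direct rules for any list of ports and users and audits a saved dump of firewall-cmd --direct --get-all-rules to confirm that the lockdown actually holds: a DROP on lo for every port in both address families, every ACCEPT sorted before that DROP, and no ACCEPT for a user outside the allow list. It assumes the one-rule-per-line "<family> <table> <chain> <priority> <arguments>" layout of that command’s output and that firewalld evaluates direct rules in ascending priority order, which is why the ACCEPT rules above use priority 0 and the DROP rules priority 1; the sample rule dumps in the test are constructed.

```shell
#!/bin/bash
# Added example (not Red Hat's code): generate the Section 3.8 direct rules
# for any ports/users, and audit a saved `firewall-cmd --direct --get-all-rules`
# dump to confirm mongod on lo is reachable only by the allowed users.
# Assumption: the dump has one rule per line in the form
#   "<ipv4|ipv6> <table> <chain> <priority> <iptables arguments>".
set -eu

# mongod_lockdown_rules "27017 28017" "apache root": one firewall-cmd per line.
# ACCEPTs get priority 0 and the catch-all DROP priority 1, because direct rules
# are evaluated in ascending priority order and the DROP must come last.
mongod_lockdown_rules() {
  local ports="$1" users="$2" p fam u
  for p in $ports; do
    for fam in ipv4 ipv6; do
      for u in $users; do
        echo "firewall-cmd --direct --add-rule $fam filter OUTPUT 0 -o lo -p tcp -m tcp --dport $p -m owner --uid-owner $u -j ACCEPT"
      done
      echo "firewall-cmd --direct --add-rule $fam filter OUTPUT 1 -o lo -p tcp -m tcp --dport $p -j DROP"
    done
  done
}

# audit_mongod_rules RULES_FILE "27017 28017" "apache root": 0 if locked down,
# 1 otherwise, printing every finding. Checks per port and address family:
#   - a DROP on lo exists;
#   - no ACCEPT sorts at or after the DROP (it would be shadowed and useless);
#   - every ACCEPT names a uid in the allow list (an ACCEPT without
#     --uid-owner or for another user is reported).
audit_mongod_rules() {
  local file="$1" ports="$2" users="$3" p fam drop_prio line prio uid status=0 tmp
  tmp="$(mktemp)"
  for p in $ports; do
    for fam in ipv4 ipv6; do
      drop_prio="$(grep -E "^$fam filter OUTPUT [0-9]+ -o lo .*--dport $p .*-j DROP\$" "$file" \
        | awk '{print $4}' | sort -n | head -n1)"
      if [ -z "$drop_prio" ]; then
        echo "$fam/$p: no DROP rule on lo"; status=1; continue
      fi
      grep -E "^$fam filter OUTPUT [0-9]+ -o lo .*--dport $p .*-j ACCEPT\$" "$file" > "$tmp" || true
      while IFS= read -r line; do
        prio="$(echo "$line" | awk '{print $4}')"
        uid="$(echo "$line" | sed -n 's/.*--uid-owner \([^ ]*\).*/\1/p')"
        if [ "$prio" -ge "$drop_prio" ]; then
          echo "$fam/$p: ACCEPT for '$uid' (priority $prio) is shadowed by DROP (priority $drop_prio)"
          status=1
        fi
        case " $users " in
          *" $uid "*) ;;
          *) echo "$fam/$p: unexpected ACCEPT for uid '$uid'"; status=1 ;;
        esac
      done < "$tmp"
    done
  done
  rm -f "$tmp"
  return $status
}

# Usage: bash mongod-lockdown.sh generate            (print the rules)
#        bash mongod-lockdown.sh audit rules.txt     (audit a saved get-all-rules dump)
case "${1:-}" in
  generate) mongod_lockdown_rules "27017 28017" "apache root" ;;
  audit)    audit_mongod_rules "$2" "27017 28017" "apache root" && echo "mongod lockdown in place" ;;
esac
```

To audit a live system, save the output of firewall-cmd --direct --get-all-rules to a file and pass it to the audit action; to apply the rules, pipe the generate action’s output to a root shell and finish with firewall-cmd --runtime-to-permanent as above. Because the audit reads a text dump, it can also run from a configuration-management check or a log collector on a host where you cannot run firewall-cmd yourself.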