Chapter 1. Introduction
Red Hat Update Infrastructure is a collection of technologies that offers cloud providers the ability to easily deploy Red Hat solutions into their environments. Cloud solution providers can use Red Hat Update Infrastructure to give their customers the ability to update Red Hat technology in the cloud.
Red Hat Update Infrastructure streamlines the deployment of Red Hat technologies into a cloud environment. Initial configuration, initialization, and synchronization of available instances in the cloud are done with very little user configuration or intervention. However, cloud-specific configuration is sometimes required, such as in these use cases:
- Setting a storage volume mount point in the cloud to store installation or update packages that have been synchronized from Red Hat Network (RHN)
- Configuring network security to safeguard communications within the cloud
- Adding supplemental monitoring checks that are outside those offered by Red Hat
Cloud providers are given an X.509 content certificate that grants access to the Red Hat Enterprise Linux and Red Hat Update Infrastructure content stream, including ISO images and RPM packages. Once installed and configured, the Red Hat Update Infrastructure tools can be used to create Red Hat Update Appliance (RHUA) and content distribution server (CDS) instances. CDS instances are then managed and monitored by the RHUA.
Important
Always ensure that you include the package that installs the GPG keys when installing client configuration RPMs. For Red Hat Enterprise Linux 6, the required package is redhat-release-server.
1.1. Architecture
Red Hat Update Infrastructure encompasses the following technologies:
- Red Hat Update Appliance (RHUA) is a system instance that runs in the cloud by default and performs the following tasks:
- Synchronizing packages from the external source (such as RHN)
- Providing monitoring status updates for both machine and human readability
- The content delivery server (CDS) serves packages over HTTPS to clients in the cloud. One RHUA can manage multiple CDS instances.
- The clients are the customer's Red Hat Enterprise Linux instances in the cloud; they connect to a CDS for package updates.
- The load balancer schedules requests to all CDS instances using a round-robin method. The load balancer can run either on the RHUA or on a separate instance.
1.1.1. Communications
- The cloud provider accesses a central third-party content repository, such as RHN. A provider can configure the RHUA to reach the content repository through the provider's own network proxy server.
- The RHUA synchronizes content to the CDS instances, and evenly distributes requests.
- The CDS instances distribute content via HTTPS to a Red Hat Enterprise Linux client instance.
1.1.2. Certificates
Red Hat Update Infrastructure uses three different types of X.509 certificates:
- Content certificate
- The content certificate and its associated private key are given to the customer to allow access to RHN. This grants permission to the customer to download the Red Hat Update Infrastructure packages or ISO image. Additionally, the RHUA uses this certificate when authenticating with RHN to download updated packages into the Red Hat Update Infrastructure environment. Content certificates are signed by the Red Hat Certificate Authority (CA). This is the only certificate in the Red Hat Update Infrastructure public key infrastructure (PKI) that is not signed by the cloud provider.
- Entitlement certificate
- Clients use an entitlement certificate when connecting to the load balancer and CDS instances. The entitlement certificate contains entitlements for some or all of the products initially granted to the cloud provider in the content certificate. A client using an entitlement certificate can only get access to channels for which the certificate provides an entitlement. The entitlement certificate must be signed by a Certificate Authority (CA). This allows you to generate entitlement certificates for use in your environment without having to request them from Red Hat. All requests to the Red Hat Update Infrastructure that test the entitlement certificate will check that it was signed by the CA. This prevents users from spoofing the Red Hat Update Infrastructure with self-signed certificates.
- Server certificate
- SSL is used for communicating with the load balancer and CDS instances. A new server certificate is generated for each load balancer and CDS instance. For example, an environment with three CDS instances needs three separate server certificates. The common name (CN) of each certificate must match the hostname of its instance.
Red Hat does not impose requirements on which CA certificate you choose to use. You can acquire one from a trusted source (such as VeriSign), use a subordinate certificate in a trust chain from your established CA certificate, or generate a new one manually using a tool such as OpenSSL.
Important
Always ensure your private key is well protected to avoid security breaches.
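The following script is an added example and is not part of the Red Hat documentation or the RHUI tooling. It builds the provider-signed part of the PKI described above with OpenSSL: one CA, a server certificate per CDS whose CN is that CDS's hostname, and a CA-signed entitlement certificate, then shows that a self-signed certificate fails the chain check and that a server certificate issued for one CDS does not match another CDS's hostname. All hostnames and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from the Red Hat documentation: a minimal RHUI-style
# PKI built with OpenSSL. The cloud provider's CA signs one server certificate
# per CDS (CN = that CDS's hostname) and one client entitlement certificate; a
# self-signed certificate then fails the same chain check. All names and
# paths here are constructed for the example.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Provider CA: the trust anchor the RHUA, load balancer and CDS instances use.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -subj "/CN=Example Cloud RHUI CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. issue_cert PREFIX CN: generate a key and CSR, then a CA-signed certificate.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -out "$1.crt" 2>/dev/null
}

issue_cert cds1 cds1.example.com                 # server cert for the first CDS
issue_cert cds2 cds2.example.com                 # a second CDS needs its own cert
issue_cert client-ent "RHUI client entitlement"  # entitlement cert for a client

# 3. A self-signed certificate with the same CN, which the CA check must reject.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -subj "/CN=RHUI client entitlement" -keyout rogue.key -out rogue.crt 2>/dev/null

# chain_ok CERT: prints "ok" if CERT chains to the provider CA, "rejected" otherwise.
chain_ok() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# cn_matches CERT HOSTNAME: prints "ok" if the certificate's CN equals HOSTNAME.
cn_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//')
  [ "$cn" = "$2" ] && echo ok || echo mismatch
}

echo "entitlement (CA-signed):   $(chain_ok client-ent.crt)"                   # ok
echo "entitlement (self-signed): $(chain_ok rogue.crt)"                        # rejected
echo "cds1.crt for cds1.example.com: $(cn_matches cds1.crt cds1.example.com)"  # ok
echo "cds1.crt for cds2.example.com: $(cn_matches cds1.crt cds2.example.com)"  # mismatch
```

The generated ca.key is the equivalent of the provider CA private key the note above refers to: anyone holding it can mint entitlement and server certificates that every RHUI component will accept.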