Chapter 6. Install Red Hat Update Infrastructure
The following sections describe how to install Red Hat Update Infrastructure.
6.1. Generate an RSA key pair
It is necessary to generate the RSA key pair on the Red Hat Update Appliance (RHUA) node and copy the public key to content delivery server (CDS) and HAProxy nodes so rhui-manager can set up the CDS and HAProxy nodes.
6.1.1. RSA key pair for Version 2 of the SSH protocol
Follow these steps to generate an RSA key pair for version 2 of the SSH protocol.
Procedure
Generate an RSA key pair:
[USER@rhua ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_rsa):
Press Enter to confirm the default location, ~/.ssh/id_rsa, for the newly created key. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.
Your identification has been saved in /home/USER/.ssh/id_rsa.
Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
The key fingerprint is:
e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . . |
| o . |
| . .|
| S . . |
| + o o ..|
| * * +oo|
| O +..=|
| o* o.|
+-----------------+
By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only <$USER> can view the contents. If required, this can be confirmed with the following command:
[USER@rhua ~]$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the HAProxy and CDS nodes:
[USER@rhua ~]$ ssh-copy-id user@<haproxy1>
[USER@rhua ~]$ ssh-copy-id user@<cds1>
[USER@rhua ~]$ ssh-copy-id user@<cds2>
This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name:
[USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
This command copies the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
6.1.2. ECDSA key pair for Version 2 of the SSH protocol
Follow these steps to generate an ECDSA key pair for version 2 of the SSH protocol.
Procedure
Generate an ECDSA key pair:
[USER@rhua ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
Press Enter to confirm the default location, ~/.ssh/id_ecdsa, for the newly created key. Leave the passphrase field blank. The CDS installation and registration will fail if a passphrase is provided while generating the key pair.
Your identification has been saved in /home/USER/.ssh/id_ecdsa.
Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
The key fingerprint is:
fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
The key's randomart image is:
+--[ECDSA 256]---+
| .+ +o |
| . =.o |
| o o + ..|
| + + o +|
| S o o oE.|
| + oo+.|
| + o |
| |
| |
+-----------------+
By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only <$USER> can view the contents. If required, this can be confirmed:
[USER@rhua ~]$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
Copy the public key to the HAProxy and CDS nodes:
[USER@rhua ~]$ ssh-copy-id user@<haproxy1>
[USER@rhua ~]$ ssh-copy-id user@<cds1>
[USER@rhua ~]$ ssh-copy-id user@<cds2>
This command copies the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name:
[USER@rhua ~]$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname
This command copies the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
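The keys generated in Sections 6.1.1 and 6.1.2 carry no passphrase, so file permissions are the only local protection for the private key. The following is an added example, not part of the Red Hat documentation: a shell function that audits an SSH directory on the RHUA (private keys) or on a CDS or HAProxy node (authorized_keys). The function name and finding labels are hypothetical, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the RHUI documentation): audit an SSH directory
# that holds a passphrase-less key. Assumes GNU stat (stat -c), as on RHEL.
# Usage: audit_ssh_dir "$HOME/.ssh"

# Print one finding per line; return 0 if clean, 1 if anything was found.
audit_ssh_dir() {
    local dir=$1 findings=0 mode f
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "DIR_MODE $dir is $mode, expected 700"
        findings=1
    fi
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$f")
        # Private keys: owner read/write at most, nothing for group or other.
        case $mode in
            600|400) ;;
            *) echo "KEY_MODE $f is $mode, expected 600"; findings=1 ;;
        esac
    done
    f=$dir/authorized_keys
    if [ -f "$f" ]; then
        mode=$(stat -c '%a' "$f")
        # Group- or world-writable authorized_keys lets other users add keys.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "AUTHKEYS_MODE $f is $mode, group/other writable"
            findings=1
        fi
    fi
    return $findings
}
```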
6.2. Apply updates
Procedure
- Before installing Red Hat Update Appliance (RHUA) packages, apply any available operating system updates to all nodes (RHUA, content delivery server [CDS], and HAProxy) and reboot.
Verify that all configuration changes have persisted.
Warning: Make sure the host name of the RHUA is set correctly. If the host name is unset and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.
6.3. Mount Red Hat Update Infrastructure ISO
This section is optional and can be skipped if you are using a subscription to install Red Hat Update Infrastructure 3.1.9.
Procedure
- To install the RHUI packages on the RHUA node, CDS nodes, and HAProxy nodes, mount the ISO to a suitable directory (or burn the ISO to a CD, insert the CD, and mount the ISO), and enter the mount point.
6.4. Run the setup_package_repos script
This section is optional and can be skipped if you are using a subscription to install Red Hat Update Infrastructure 3.1.9.
The setup_package_repos script is provided in the root directory of the RHUI ISO image.
The setup_package_repos script creates a yum configuration entry that requires the RHUI packages to be signed with the Red Hat Release key.
Perform the following step on the RHUA node, CDS nodes, and HAProxy nodes to install the RHUI packages.
Procedure
Execute the script from the mount point for the applicable system component:
[root@rhua ~]# ./setup_package_repos
[root@<cds1> ~]# ./setup_package_repos
[root@<haproxy1> ~]# ./setup_package_repos
6.5. Install the rhui-installer script
Procedure
Install the rhui-installer script:
[root@rhua ~]# yum install -y rhui-installer
This script will install the RHUI packages on the current machine.
- Ensuring we are in an expected directory.
- Copying installation files.
- Creating a Repository File
- Importing the gpg key.
- Installation repository will remain configured for future package installs.
- Installation media can now be safely unmounted.
Installation packages are now available on this system.
If you are installing a RHUA, please run yum install -y rhui-installer; rhui-installer.
If you are installing a CDS, please log into the RHUA and run rhui-manager to begin the installation. Do not run rhui-installer to install a CDS.
6.6. Run the rhui-installer
The rhui-installer sets the initial Red Hat Update Infrastructure login password and displays it in its output. It is also written in the /etc/rhui-installer/answers.yaml file. You can override the initial password with the --rhui-manager-password option. If you want to change the initial password later, you can only change it via the rhui-manager tool. Run the rhui-installer --help command to see the full list of rhui-installer options.
Procedure
Run rhui-installer on the RHUA:
[root@rhua ~]# rhui-installer --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0 --cds-lb-hostname=cds.example.com
Installing Done [100%] [..............................................................................]
Success!
The initial credentials are admin / <system-generated password>
Re-running the installer will not update your password.
The full log is at /var/log/kafo/configuration.log
Following are explanations of the command arguments:
- --remote-fs-type=glusterfs means the remote file system type is GlusterFS.
- --remote-fs-server=cds1.example.com means the name of the remote file system server is cds1.example.com.
- rhui_content_0 means the name of the GlusterFS volume on cds1.example.com.
- --cds-lb-hostname=cds.example.com means the name of the load balancer on cds1.example.com is cds.example.com.
Note: During installation, the cds-lb-hostname option is not included and prepopulates from the answers file provided with the rhui-installer RPM. The host name is preset in the answers file to cds.example.com, and certificates are created for the RHUI environment with this cds-lb-hostname included. See Chapter 18, Migrate to a new load balancer, or change the name of an existing load balancer for details on changing the name of a load balancer.
If using NFS, the rhui-installer command line is different. Instead of --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0 specify the NFS server name and the exported directory, joined by the colon sign, as the parameter of the --remote-fs-server option. For example: --remote-fs-server=filer.example.com:/export
Verify that the remote share is mounted:
[root@rhua ~]# mount | grep rhui
cds1.example.com:rhui_content_0 on /var/lib/rhui/remote_share type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
6.7. Change the initial password
Rerunning the rhui-installer will not update the rhui-manager login password.
Procedure
Navigate to the Red Hat Update Infrastructure Management Tool home screen:
[root@rhua ~]# rhui-manager
Previous authentication credentials could not be found. Logging into the RHUI.
If this is the first time using the RHUI, it is recommended to change the user's password in the User Management section of RHUI Tools.
Enter the RHUI Username (admin) and RHUI Password (provided by the rhui-installer output). The initial password is also stored in /etc/rhui-installer/answers.yaml. After successfully logging in for the first time, you should change the password.
Press u on the Red Hat Update Infrastructure Management Tool home screen to select manage RHUI users.
-= Red Hat Update Infrastructure Management Tool =-
-= Home =-
r manage repositories
c manage content delivery servers (CDS)
l manage HAProxy load-balancer instances
s synchronization status and scheduling
e create entitlement certificates and client configuration RPMs
n manage Red Hat entitlement certificates
u manage RHUI users
Connected: rhua.example.com
Press p to select p change a user’s password (followed by logout).
------------------------------------------------------------------------------
= Red Hat Update Infrastructure Management Tool =
= User Manager =
p change a user's password (followed by logout)
Connected: rhua.example.com
------------------------------------------------------------------------------
rhui (users) => p
Warning: After password change you will be logged out. Use ctrl-c to cancel password change.
Username: admin
Enter the new password and press Enter. Re-enter the new password and press Enter.
New Password:
Re-enter Password:
Password successfully updated.
----------------------------------------------------------------------------------
6.8. Enable automatic entitlement certificate updates
Set your Red Hat Update Infrastructure entitlement certificate to be updated automatically. Automatic updates can occur whenever the entitlement certificate expires or when it is revoked in the Red Hat subscription management service.
The subscription synchronization service at /etc/cron.hourly/synchronize-rhui-subscriptions on the RHUA node checks the validity of the certificate hourly. To ensure that the automatic update service works, make sure your rhui-manager user name and password are set in the /etc/rhui/rhui-subscription-sync.conf file. By default, this file contains the following configuration:
username = admin
password =
If you changed the password, as described in Section 6.7, “Change the initial password”, your new password has been saved in the /etc/rhui/rhui-subscription-sync.conf file. If you did not change the password, or if your rhui-manager user name is not admin, edit this file to set your rhui-manager password.
The subscription synchronization service only works if your contract with Red Hat is valid and your subscription is active. The service can renew entitlement certificates but not the subscription.
The subscription synchronization service logs its actions in the /var/log/rhui-subscription-sync.log file.
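The credentials file described in this section holds the rhui-manager password in clear text and must have both fields set for the hourly job to work. The following is an added example, not part of the Red Hat documentation: a check that reports an empty user name or password and flags the file if it grants any access to "other", without ever printing the password. The function names and finding labels are hypothetical; the "key = value" layout is taken from the default content shown above, the permission expectation is an assumption of this example, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the RHUI documentation): check the credentials
# file read by the hourly subscription sync. Assumes "key = value" lines
# as in the default content shown above, and GNU stat (stat -c).
# Usage: check_sync_conf /etc/rhui/rhui-subscription-sync.conf

# Echo the trimmed value of key $1 from file $2 (empty if unset or absent).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print findings (never the password itself); return 0 when nothing is found.
check_sync_conf() {
    local file=$1 rc=0 mode
    if [ ! -r "$file" ]; then
        echo "UNREADABLE $file"
        return 1
    fi
    if [ -z "$(conf_value username "$file")" ]; then
        echo "NO_USERNAME username is empty in $file"
        rc=1
    fi
    # An empty password is the shipped default; both fields must be set.
    if [ -z "$(conf_value password "$file")" ]; then
        echo "NO_PASSWORD password is empty in $file"
        rc=1
    fi
    mode=$(stat -c '%a' "$file")
    # Assumption of this example: a file holding the rhui-manager password
    # should grant nothing to "other".
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "EXPOSED $file is mode $mode, accessible beyond owner and group"
        rc=1
    fi
    return $rc
}
```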
6.9. Install additional packages
At present, the only additional package that you might install on the RHUA is the Qpid Persistence Extension. By default, only a limited number of repositories are being synchronized at a time. The exact number is controlled by the PULP_CONCURRENCY variable in the /etc/default/pulp_workers file, which was automatically set to 3 or 8 depending on the number of CPUs detected when RHUI was installed. If you schedule the synchronization of more repositories, those that are above the limit remain in the waiting state until a running synchronization task completes. If you reboot the system or restart Qpid now, the waiting tasks will be lost.
Procedure
To prevent losing the waiting tasks, do not reboot or restart Qpid while there are some waiting tasks. If you often have to do so anyway, you can keep at least the waiting tasks by installing the Qpid persistence extension:
# yum install qpid-cpp-server-linearstore
Restart Qpid so it can load the extension:
# systemctl restart qpidd
Waiting tasks will be saved on the disk and resumed after rebooting.