Chapter 3. Technical configuration required for installing RHUI


Before you install Red Hat Update Infrastructure (RHUI), you must configure your system and components as follows.

  • Complete the initial stages of the Red Hat Certified Cloud and Service Provider (CCSP) certification:

    • Virtualization, image creation, and instance provisioning technologies, tools, and processes.
    • Proposed process for measuring and reporting consumption of Red Hat software.
    • Proposed process for notifying customers of errata updates to Red Hat software.
    • Proposed process for making images that include Red Hat software available to customers, including image life cycle management and retiring outdated images.

    For more information, see Product Documentation for Red Hat Certified Cloud and Service Provider Certification Browse Knowledgebase.

  • Self-signed certificates are typically used for RHUI deployment. However, if you wish to use SSL certificates signed by a third-party certificate authority, you must ensure that they are obtained by the client and reviewed by Red Hat.

    Note

    You can use the Red Hat consultant to assist with the development of self-signed certificates. This will not affect the user experience of the client’s customers.

  • Ensure that the client will provide systems, virtual machines, or tenant instances for installation of all Red Hat Update Appliances (RHUAs), external load balancers, and content delivery servers (CDSs).
  • Make sure you have the latest version of Red Hat Enterprise Linux (RHEL) 8 available, either as an ISO or as a subscription.
  • Ensure that you have one RHUA node with the following configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 8 GB memory

      Note

      You must increase the minimum memory to 16 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • A 20 GB disk for the operating system
    • A 100 GB disk dedicated for PostgreSQL and mounted to /var/lib/pgsql.

      Note

      You must increase the disk capacity to at least 300 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

  • Ensure that you have one HAProxy node with the following configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 2 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 4 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 4 GB memory

      Note

      You must increase the minimum memory to 8 GB if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • A 20 GB disk for the operating system
  • Ensure that you have at least two CDS nodes (physical or virtual) with the following recommended configuration:

    • Latest version of RHEL 8 with Minimal Installation
    • SELinux is enabled
    • An x86_64 processor with cores equivalent to or greater than 4 cores of Intel Xeon 2 GHz

      Note

      You must increase the number of cores to 8 if you wish to provide more than 100 repositories with multiple major RHEL releases.

    • 8 GB memory
    • A 50 GB disk with default Nginx log rotation
  • Ensure that image certification is performed on RHEL guest templates as provided:

    • A minimum 10 GB disk for the operating system
    • iptables is enabled
    • SELinux is enabled
    • If password authentication is enabled, you must use the strongest possible hash
    • Default logging is enabled
  • Ensure that the client’s network is properly configured as follows:

    • IP addresses must be allocated for all RHUAs, CDSs, and external load balancers (if any).
    • DNS records (forward and reverse) or /etc/hosts entries have been created for all IP addresses. For example, rhua.example.com, cds1.example.com, cds2.example.com, and rhui-lb.example.com.

      Warning

      Make sure the host name of the RHUA is set correctly. If the host name is not set and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.

    • If your server has multiple network interface cards (NICs), the fully qualified domain name (FQDN) of the RHUA and the CDSs must be resolved to the IP of the NIC that is used to communicate between the RHUA and the CDSs.
    • RHUI uses DNS to reach the CDN. In most cases, your instance should be preconfigured to talk to the proper DNS servers hosted as part of the cloud’s infrastructure. If you run your own DNS servers or update your client DNS configuration, there is a chance you will see errors similar to "yum Could not contact any CDS load balancers". In these cases, check that your DNS server is forwarding to the cloud’s DNS servers for the request or that your DNS client is configured to fall back to the cloud’s DNS server for name resolution.
    • Using more than one HAProxy node requires a round-robin DNS entry for the host name used as the value of the --cds-lb-hostname parameter when rhui-installer is run (cds.example.com in this guide) that resolves to the IP addresses of all HAProxy nodes. How to Configure DNS Round Robin presents one way to configure a round-robin DNS. In the context of RHUI, these will be the IP addresses of the HAProxy nodes, and they are to be mapped to the host name specified as --cds-lb-hostname while calling rhui-installer. See HAProxy Configuration for more information.
  • Ensure that all required network ports are open and that network access is restricted to only the nodes that you plan to use.

    Table 3.1. List of ports and their usage

    Connection                      | Port     | Usage
    --------------------------------|----------|---------------------------------------------
    RHUA to CDS                     | 22/TCP   | SSH configuration and access
    RHUA to HAProxy servers         | 22/TCP   | SSH configuration and access
    Clients to HAProxy              | 443/TCP  | Access to content
    HAProxy to CDS                  | 443/TCP  | Load balancing
    NFS ports open for CDS and RHUA | 2049/TCP | File system
    CDS to RHUA                     | 443/TCP  | Retrieve content that has not been symlinked

  • In addition, you (and possibly other RHUI administrators) will need SSH access to all the nodes, and the ability to become root. Be sure to limit this access appropriately to protect the nodes from attacks and misuse.
  • Do not open internal services, such as the Pulp API, to the whole world. Make them listen on the local interface or create appropriate firewall rules.
  • Ensure that the network proxy settings between RHUA and the Red Hat CDN are configured appropriately.
  • Ensure that the network proxy settings between the CDSs and the clients via yum.conf are configured appropriately.
  • Ensure a round-robin DNS entry is used if more than one HAProxy node is used.
  • Do not set the file-creation mask, also known as umask, to a mode other than the default, which is 0022. Using a more restrictive mode is unsupported, and RHUI would not work.
  • Ensure that sudo is configured so as not to require the user that sets up CDS and HAProxy nodes from the RHUA to authenticate by entering the password interactively. For more information, see the description of the NOPASSWD tag in the sudoers(5) man page.
  • If a third-party security service operates between the client VMs and the load balancer, it must be configured to allow the traffic and the SSL certificates that are used in the communication. The latter is especially important if SSL inspection is enabled. This configuration is outside the scope of RHUI.
  • If outgoing traffic from the RHUA is restricted in your environment, allow at least the following host names and ports in order for the RHUA to function:

    Table 3.2. List of Red Hat host names and their ports and usage

    Host name                    | Port    | Usage
    -----------------------------|---------|----------------------------------
    cdn.redhat.com               | 443/TCP | repository synchronization
    subscription.rhsm.redhat.com | 443/TCP | entitlement certificate renewals

    If using a proxy server, allow them there.

    Note

    Keep in mind that cdn.redhat.com is in fact handled by a third-party company named Akamai, which uses cdn.redhat.com as an alias for its own host names. There are numerous IP addresses for these host names, and your RHUA or proxy server may need access to one or more IP addresses according to its geolocation and Akamai’s load-balancing needs. For detailed information, see Public CIDR Lists for Red Hat (IP Addresses for cdn.redhat.com).
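
One way to express Table 3.1 as firewalld rules that restrict each port to the node that needs it (an added example, not part of the Red Hat documentation; the function names are hypothetical and the addresses are constructed from the RFC 5737 documentation range). It prints the firewall-cmd commands for review rather than applying them:

```shell
#!/bin/sh
# Added example: print the firewall-cmd commands that allow only the
# inbound connections Table 3.1 lists for one RHUI node role.
# All addresses are constructed (RFC 5737 documentation range).

# allow SRC PORT: one permanent rich rule letting SRC reach PORT/tcp
allow() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$1" "$2"
}

# rhui_fw_rules ROLE RHUA_IP "CDS_IPS" "HAPROXY_IPS"
rhui_fw_rules() {
    role=$1 rhua=$2 cds_list=$3 lb_list=$4
    case $role in
        rhua)       # CDS to RHUA: content that has not been symlinked
            for ip in $cds_list; do allow "$ip" 443; done ;;
        cds)        # RHUA to CDS over SSH, HAProxy to CDS for content
            allow "$rhua" 22
            for ip in $lb_list; do allow "$ip" 443; done ;;
        haproxy)    # RHUA over SSH; client source ranges are
                    # deployment-specific, so 443 is opened as a service
            allow "$rhua" 22
            echo "firewall-cmd --permanent --add-service=https" ;;
        *)
            echo "unknown role: $role" >&2
            return 1 ;;
    esac
    echo "firewall-cmd --reload"
}

# Rules for a CDS node behind two HAProxy nodes
rhui_fw_rules cds 192.0.2.10 "192.0.2.21 192.0.2.22" "192.0.2.31 192.0.2.32"
```

A rich rule only adds an allowance: if the zone already has the ssh service enabled, port 22 stays open to every source until that service is removed and administrators are given their own source-restricted rule. The NFS entry in the table is an outbound connection from the RHUA and CDS nodes, so it belongs in the NFS server's firewall instead.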
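
A preflight script for the RHUA node that checks the host name warning, the umask and SELinux requirements, forward and reverse name resolution, and the dedicated PostgreSQL mount described above (an added example, not part of the Red Hat documentation; the function names are hypothetical):

```shell
#!/bin/sh
# Added example: preflight checks for a RHUA node, based on the
# requirements listed above. Function names are hypothetical.

# Reject an unset host name or the localhost placeholders.
hostname_ok() {
    case $1 in
        ''|localhost|localhost.localdomain) return 1 ;;
        *) return 0 ;;
    esac
}

# RHUI supports only the default file-creation mask, 0022.
umask_ok() {
    case $1 in
        0022|022) return 0 ;;
        *) return 1 ;;
    esac
}

# "Enabled" means getenforce reports Enforcing or Permissive.
selinux_ok() {
    case $1 in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Forward and reverse lookups must agree (DNS or /etc/hosts).
dns_ok() {
    ip=$(getent hosts "$1" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || return 1
    getent hosts "$ip" | awk -v h="$1" '{for (i=2;i<=NF;i++) if ($i==h) ok=1} END {exit !ok}'
}

# Run every check on the local node; returns the number of failures.
preflight() {
    fails=0
    fqdn=$(hostname -f 2>/dev/null)
    hostname_ok "$fqdn" || { echo "FAIL host name: '$fqdn'"; fails=$((fails+1)); }
    dns_ok "$fqdn"      || { echo "FAIL forward/reverse DNS for '$fqdn'"; fails=$((fails+1)); }
    umask_ok "$(umask)" || { echo "FAIL umask is $(umask), expected 0022"; fails=$((fails+1)); }
    selinux_ok "$(getenforce 2>/dev/null)" || { echo "FAIL SELinux is not enabled"; fails=$((fails+1)); }
    mountpoint -q /var/lib/pgsql || { echo "FAIL /var/lib/pgsql is not a separate mount"; fails=$((fails+1)); }
    return "$fails"
}

# Run on the node with: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight && echo "all checks passed"; fi
```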

© 2026 Red Hat