Chapter 3. Performing Additional Configuration on Capsule Server
Use this chapter to configure additional settings on your Capsule Server.
3.1. Configuring Capsule for Host Registration and Provisioning
Use this procedure to configure Capsule so that you can register and provision hosts using your Capsule Server instead of your Satellite Server.
Procedure
On Satellite Server, add the Capsule to the list of trusted proxies.
This is required for Satellite to recognize hosts' IP addresses forwarded over the X-Forwarded-For HTTP header set by Capsule. For security reasons, Satellite recognizes this HTTP header only from localhost by default. You can enter trusted proxies as valid IPv4 or IPv6 addresses of Capsules, or network ranges.
Warning
Do not use a network range that is too wide, because that poses a potential security risk.
Enter the following command. Note that the command overwrites the list that is currently stored in Satellite. Therefore, if you have set any trusted proxies previously, you must include them in the command as well:
# satellite-installer \
  --foreman-trusted-proxies "127.0.0.1/8" \
  --foreman-trusted-proxies "::1" \
  --foreman-trusted-proxies "My_IP_address" \
  --foreman-trusted-proxies "My_IP_range"
The localhost entries are required, do not omit them.
Verification
List the current trusted proxies using the full help of Satellite installer:
# satellite-installer --full-help | grep -A 2 "trusted-proxies"
- The current listing contains all trusted proxies you require.
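A pre-flight check for the trusted-proxy list, as an added example that is not part of the Satellite documentation or tooling: because the command overwrites the stored list, it merges previously configured entries with the new ones, confirms that the localhost entries are present, and reports overly wide ranges before the installer command is built. The /24 and /64 width thresholds, the function names and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import shlex

# Assumed policy, not from the Satellite documentation: a non-loopback entry
# with a prefix shorter than this is reported as "too wide".
MIN_PREFIX = {4: 24, 6: 64}
REQUIRED_LOCALHOST = ("127.0.0.1", "::1")


def check_trusted_proxies(existing, new):
    """Merge existing and new entries; return (entries, problems)."""
    entries, nets, problems = [], [], []
    for raw in list(existing) + list(new):
        if raw in entries:
            continue  # drop duplicates, keep first-seen order
        try:
            # strict=False accepts the documented "127.0.0.1/8" form.
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            problems.append(f"{raw}: not a valid IPv4/IPv6 address or range")
            continue
        if not net.is_loopback and net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"{raw}: range too wide (/{net.prefixlen})")
        entries.append(raw)
        nets.append(net)
    for addr in map(ipaddress.ip_address, REQUIRED_LOCALHOST):
        if not any(n.version == addr.version and addr in n for n in nets):
            problems.append(f"missing required localhost entry for {addr}")
    return entries, problems


def installer_command(entries):
    """Build the full command; it must carry every entry, old and new."""
    args = ["satellite-installer"]
    for entry in entries:
        args += ["--foreman-trusted-proxies", entry]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    current = ["127.0.0.1/8", "::1", "192.0.2.10"]
    wanted = ["198.51.100.0/28", "10.0.0.0/8"]
    entries, problems = check_trusted_proxies(current, wanted)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print(installer_command(entries))
```

With the constructed sample, the 10.0.0.0/8 entry is reported as too wide and no command is printed until it is narrowed to the Capsule's actual address or subnet.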
3.2. Enabling Katello Agent on External Capsules
Remote Execution is the primary method of managing packages on Content Hosts. To use the deprecated Katello Agent, you must enable it on each Capsule.
Procedure
To enable Katello Agent infrastructure, enter the following command:
# satellite-installer --scenario capsule \
  --foreman-proxy-content-enable-katello-agent=true
3.3. Configuring Remote Execution for Pull Client
By default, Remote Execution uses SSH as the transport mechanism for the Script provider. However, Remote Execution also offers pull-based transport, which you can use if your infrastructure prohibits outgoing connections from Capsule to hosts.
This consists of pull-mqtt mode on Capsule in combination with a pull client running on hosts. Configure the pull-mqtt mode to migrate from Katello Agent, which is a deprecated method of pull-based transport.
The pull-mqtt mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.
The mode is configured per Capsule. Some Capsules can be configured to use pull-mqtt mode while others use SSH. If this is the case, it is possible that one remote job on a given host will use the pull client and the next job on the same host will use SSH. If you wish to avoid this scenario, configure all Capsules to use the same mode.
Procedure
Enable the pull-based transport on each relevant Capsule Server:
# satellite-installer --scenario capsule \
  --foreman-proxy-plugin-remote-execution-script-mode pull-mqtt
Configure the firewall to allow MQTT service on port 1883:
# firewall-cmd --add-port="1883/tcp"
# firewall-cmd --runtime-to-permanent
- In pull-mqtt mode, hosts subscribe for job notifications to the Capsule through which they are registered. Therefore, it is recommended to ensure that Satellite Server sends remote execution jobs to that same Capsule. To do this, in the Satellite web UI, navigate to Administer > Settings. On the Content tab, set the value of Prefer registered through Capsule for remote execution to Yes.
- After you set up the pull-based transport on Capsule, you must also configure it on each host. For more information, see Transport Modes for Remote Execution in Managing Hosts.
3.4. Enabling OpenSCAP on Capsule Servers
On Satellite Server and the integrated Capsule of your Satellite Server, OpenSCAP is enabled by default. To use the OpenSCAP plug-in and content on external Capsules, you must enable OpenSCAP on each Capsule.
Procedure
To enable OpenSCAP, enter the following command:
# satellite-installer --scenario capsule \
  --enable-foreman-proxy-plugin-openscap \
  --foreman-proxy-plugin-openscap-puppet-module true
If you want to use Puppet to deploy compliance policies, you must enable it first. For more information, see Managing Configurations Using Puppet Integration in Red Hat Satellite.
3.5. Adding Life Cycle Environments to Capsule Servers
If your Capsule Server has the content functionality enabled, you must add an environment so that Capsule can synchronize content from Satellite Server and provide content to host systems.
Do not assign the Library lifecycle environment to your Capsule Server because it triggers an automated Capsule sync every time the CDN updates a repository. This might consume multiple system resources on Capsules, network bandwidth between Satellite and Capsules, and available disk space on Capsules.
You can use Hammer CLI on Satellite Server or the Satellite web UI.
Procedure
- In the Satellite web UI, navigate to Infrastructure > Capsules, and select the Capsule that you want to add a life cycle to.
- Click Edit and click the Life Cycle Environments tab.
- From the left menu, select the life cycle environments that you want to add to Capsule and click Submit.
- To synchronize the content on the Capsule, click the Overview tab and click Synchronize.
Select either Optimized Sync or Complete Sync.
For definitions of each synchronization type, see Recovering a Repository.
CLI procedure
To display a list of all Capsule Servers, on Satellite Server, enter the following command:
# hammer capsule list
Note the Capsule ID of the Capsule that you want to add a life cycle to.
Using the ID, verify the details of your Capsule:
# hammer capsule info \
  --id My_capsule_ID
To view the life cycle environments available for your Capsule Server, enter the following command and note the ID and the organization name:
# hammer capsule content available-lifecycle-environments \
  --id My_capsule_ID
Add the life cycle environment to your Capsule Server:
# hammer capsule content add-lifecycle-environment \
  --id My_capsule_ID \
  --lifecycle-environment-id My_Lifecycle_Environment_ID \
  --organization "My_Organization"
Repeat for each life cycle environment you want to add to Capsule Server.
Synchronize the content from Satellite to Capsule.
To synchronize all content from your Satellite Server environment to Capsule Server, enter the following command:
# hammer capsule content synchronize \
  --id My_capsule_ID
To synchronize a specific life cycle environment from your Satellite Server to Capsule Server, enter the following command:
# hammer capsule content synchronize \
  --id My_capsule_ID \
  --lifecycle-environment-id My_Lifecycle_Environment_ID
3.6. Enabling Power Management on Managed Hosts
To perform power management tasks on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Capsule Server.
Prerequisites
- All managed hosts must have a network interface of BMC type. Capsule Server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing Hosts.
Procedure
To enable BMC, enter the following command:
# satellite-installer --scenario capsule \
  --foreman-proxy-bmc "true" \
  --foreman-proxy-bmc-default-provider "freeipmi"
3.7. Configuring DNS, DHCP, and TFTP on Capsule Server
To configure the DNS, DHCP, and TFTP services on Capsule Server, use the satellite-installer command with the options appropriate for your environment. To view a complete list of configurable options, enter the satellite-installer --scenario satellite --help command.
Any changes to the settings require entering the satellite-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.
To use external DNS, DHCP, and TFTP services instead, see Chapter 4, Configuring Capsule Server with External Services.
Adding Multihomed DHCP details
If you want to use Multihomed DHCP, you must inform the installer.
Prerequisites
- You must have the correct network name (dns-interface) for the DNS server.
- You must have the correct interface name (dhcp-interface) for the DHCP server.
- Contact your network administrator to ensure that you have the correct settings.
Procedure
Enter the satellite-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:
For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning Hosts.