Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Configuring Capsules with a Load Balancer

Red Hat Satellite 6.11

Distributing load between Capsule Servers

Red Hat Satellite Documentation Team

Abstract

This guide describes how to configure Red Hat Satellite to use a load balancer to distribute load between Capsule Servers.

Providing Feedback on Red Hat Documentation
링크 복사

We appreciate your input on our documentation. Please let us know how we could make it better.

You can submit feedback by filing a ticket in Bugzilla:

  1. Navigate to the Bugzilla website.
  2. In the Component field, use Documentation.
  3. In the Description field, enter your suggestion for improvement. Include a link to the relevant parts of the documentation.
  4. Click Submit Bug.

Chapter 1. Load Balancing Solution Architecture
링크 복사

You can configure Satellite Server to use a load balancer to distribute client requests and network load across multiple Capsule Servers. This results in an overall performance improvement on Capsule Servers.

This guide outlines how to prepare Satellite Server and Capsule Server for load balancing, and provides guidelines on how to configure a load balancer and register clients in a load-balanced setup.

A load-balanced setup consists of the following components:

  • Satellite Server
  • Two or more Capsule Servers
  • A load balancer
  • Multiple clients

Figure 1.1. Satellite Load Balancing Solution Architecture

Load Balancing Solution Architecture

In a load-balanced setup, nearly all Capsule functionality continues to work as expected when one Capsule Server is down, for planned or unplanned maintenance. Load balancer works with the following services and features:

  • Registration using subscription-manager
  • Content Management with yum repositories
  • Optional: Puppet
Note

In the load-balanced setup, a load balancer distributes load only for the services and features mentioned above. If other services, such as provisioning or virt-who, are running on the individual Capsules, you must access them directly through Capsules and not through the load balancer.

Managing Puppet Limitations

Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.

To manage this Puppet limitation, complete the following steps:

  1. Configure Puppet certificate signing on one Capsule Server, typically the first system where you configure Capsule Server for load balancing.
  2. Configure the clients to send CA requests to port 8141 on a load balancer.
  3. Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure Capsule Server to sign Puppet certificates.

Chapter 2. Load Balancing Considerations
링크 복사

Distributing load between several Capsule Servers prevents any one Capsule from becoming a single point of failure. Configuring Capsules to use a load balancer can provide resilience against planned and unplanned outages. This improves availability and responsiveness.

Consider the following guidelines when configuring load balancing:

  • If you use Puppet, Puppet certificate signing is assigned to the first Capsule that you configure. If the first Capsule is down, clients cannot obtain Puppet content.
  • This solution does not use Pacemaker or other similar HA tools to maintain one state across all Capsules. To troubleshoot issues, reproduce the issue on each Capsule, bypassing the load balancer.

Additional Maintenance Required for Load Balancing

Configuring Capsules to use a load balancer results in a more complex environment and requires additional maintenance.

The following additional steps are required for load balancing:

  • You must ensure that all Capsules have the same Content Views and synchronize all Capsules to the same Content View versions
  • You must upgrade each Capsule in sequence
  • You must backup each Capsule that you configure regularly

Upgrading Capsule Servers in a Load Balancing Configuration

To upgrade Capsule Servers from 6.10 to 6.11, complete the Upgrading Capsule Servers procedure in Upgrading and Updating Red Hat Satellite. There are no additional steps required for Capsule Servers in a load balancing configuration.

Chapter 3. Prerequisites for Configuring Capsule Servers for Load Balancing
링크 복사

To configure Capsule Servers for load balancing, complete the following procedures described in Installing Capsule Server. Satellite does not support configuring existing Capsule Servers for load balancing.

  1. Registering Capsule Server to Satellite Server
  2. Attaching the Satellite Infrastructure Subscription
  3. Configuring Repositories
  4. Synchronizing the System Clock With chronyd
  5. Installing Capsule Server Packages

Chapter 4. Configuring Capsule Servers for Load Balancing
링크 복사

This chapter outlines how to configure Capsule Servers for load balancing. Proceed to one of the following sections depending on your Satellite Server configuration:

  1. Section 4.1, “Configuring Capsule Server with Default SSL Certificates for Load Balancing without Puppet”
  2. Section 4.2, “Configuring Capsule Server with Default SSL Certificates for Load Balancing with Puppet”
  3. Section 4.3, “Configuring Capsule Server with Custom SSL Certificates for Load Balancing without Puppet”
  4. Section 4.4, “Configuring Capsule Server with Custom SSL Certificates for Load Balancing with Puppet”

Use different file names for the Katello certificates you create for each Capsule Server. For example, name the certificate archive file with Capsule Server FQDN.

The following section describes how to configure Capsule Servers that use default SSL certificates for load balancing without Puppet.

Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Satellite Server, generate Katello certificates for Capsule Server, for example: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar "/root/capsule.example.com-certs.tar" \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server. 

    # scp /root/capsule.example.com-certs.tar \
root@capsule.example.com:/root/capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  3. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command. 

    --certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  4. On Capsule Server, enter the satellite-installer command, for example: 

    # satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "capsule.example.com-certs.tar" \
--certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

The following section describes how to configure Capsule Servers that use default SSL certificates for load balancing with Puppet.

If you use Puppet in your Satellite configuration, you must complete the following procedures:

  1. Configuring Capsule Server to Generate and Sign Puppet Certificates
  2. Configuring Remaining Capsule Servers for Load Balancing

Configuring Capsule Server to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure Capsule Server to generate and sign Puppet certificates for all other Capsule Servers that you configure for load balancing. In the examples in this procedure, the FQDN of this Capsule Server is capsule-ca.example.com.

  1. On Satellite Server, generate Katello certificates for the system where you configure Capsule Server to generate and sign Puppet certificates: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule-ca.example.com \
--certs-tar "/root/capsule-ca.example.com-certs.tar" \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server: 

    # scp /root/capsule-ca.example.com-certs.tar \
root@capsule-ca.example.com:capsule-ca.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  3. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "true" \
--puppet-server-ca "true" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  4. On Capsule Server, enter the satellite-installer command, for example: 

    # satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule-ca.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "capsule-ca.example.com-certs.tar" \
--puppet-server-foreman-url "https://satellite.example.com" \
--certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "true" \
--puppet-server-ca "true" \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-content-puppet true \
--enable-puppet \
--puppet-server true \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, stop the Puppet server: 

    # puppet resource service puppetserver ensure=stopped
    Copy to Clipboard Toggle word wrap

  6. Generate Puppet certificates for all other Capsule Servers that you configure for load balancing, except the first system where you configure Puppet certificates signing: 

    # puppetserver ca generate --certname capsule.example.com \
--subject-alt-names loadbalancer.example.com --ca-client
    Copy to Clipboard Toggle word wrap

    This command creates the following files on the system where you configure Capsule Server to sign Puppet certificates:

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

  7. Resume the Puppet server: 

    # puppet resource service puppetserver ensure=running
    Copy to Clipboard Toggle word wrap

Configuring Remaining Capsule Servers for Load Balancing

Complete this procedure on each Capsule Server excluding the system where you configure Capsule Server to sign Puppet certificates.

  1. On Satellite Server, generate Katello certificates for Capsule Server: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar "/root/capsule.example.com-certs.tar" \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server: 

    # scp /root/capsule.example.com-certs.tar \
root@capsule.example.com:/root/capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  3. On Capsule Server, install the puppetserver package: 

    # satellite-maintain packages install puppetserver
    Copy to Clipboard Toggle word wrap

  4. On Capsule Server, create directories for puppet certificates: 

    # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
/etc/puppetlabs/puppet/ssl/private_keys/ \
/etc/puppetlabs/puppet/ssl/public_keys/
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, copy the Puppet certificates for this Capsule Server from the system where you configure Capsule Server to sign Puppet certificates: 

    # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem \
/etc/puppetlabs/puppet/ssl/certs/ca.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
    Copy to Clipboard Toggle word wrap

  6. On Capsule Server, change the directory ownership to user puppet, group puppet and set the SELinux contexts: 

    # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
# restorecon -Rv /etc/puppetlabs/puppet/ssl/
    Copy to Clipboard Toggle word wrap

  7. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "false" \
--puppet-server-ca "false" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  8. On Capsule Server, enter the satellite-installer command, for example: 

    # satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "capsule.example.com-certs.tar" \
--puppet-server-foreman-url "https://satellite.example.com" \
--certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "false" \
--puppet-server-ca "false" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

The following section describes how to configure Capsule Servers that use custom SSL certificates for load balancing without Puppet.

4.3.1. Creating Custom SSL Certificates for Capsule Server
링크 복사

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN). Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Capsule Server, create a directory to contain all the source certificate files, accessible to only the root user: 

    # mkdir /root/capsule_cert
# cd /root/capsule_cert
    Copy to Clipboard Toggle word wrap

  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
    Copy to Clipboard Toggle word wrap

  3. Create the certificate request configuration file with the following content: 

    [ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no

[ req_distinguished_name ]
countryName=2 Letter Country Code
stateOrProvinceName=State or Province Full Name
localityName=Locality Name
0.organizationName=Organization Name
organizationalUnitName=Capsule Organization Unit Name
commonName=capsule.example.com
    1 
    
emailAddress=Email Address

[ req_ext ]
#authorityKeyIdentifier=keyid,issuer
#basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
    2 
    
DNS.1 = loadbalancer.example.com
DNS.2 = capsule.example.com
    Copy to Clipboard Toggle word wrap
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

  4. Create a Certificate Signing Request (CSR) for the SAN certificate. 

    # openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \
    1 
    
-config SAN_config.cfg \
    2 
    
-out /root/capsule_cert/capsule_cert_csr.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server’s private key, used to sign the certificate
    2
    The certificate request configuration file
    3
    Certificate Signing Request file

  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and Capsule Server private key to your Satellite Server.

  7. On Satellite Server, validate Capsule Server certificate input files: 

    # katello-certs-check \
-c /root/capsule_cert/capsule_cert.pem \
    1 
    
-k /root/capsule_cert/capsule_cert_key.pem \
    2 
    
-b /root/capsule_cert/ca_cert_bundle.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t capsule option to the katello-certs-check command.

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar /root/capsule_cert/capsule.tar \
--server-cert /root/capsule_cert/capsule.pem \
--server-key /root/capsule_cert/capsule.pem \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server: 

    # scp /root/capsule.example.com-certs.tar \
root@capsule.example.com:capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command. 

    --certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, enter the satellite-installer command, for example: 

    # satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "capsule.example.com-certs.tar" \
--certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

The following section describes how to configure Capsule Servers that use custom SSL certificates for load balancing with Puppet.

4.4.1. Creating Custom SSL Certificates for Capsule Server
링크 복사

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN). Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Capsule Server, create a directory to contain all the source certificate files, accessible to only the root user: 

    # mkdir /root/capsule_cert
# cd /root/capsule_cert
    Copy to Clipboard Toggle word wrap

  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule.pem 4096
    Copy to Clipboard Toggle word wrap

  3. Create the certificate request configuration file with the following content: 

    [ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no

[ req_distinguished_name ]
countryName=2 Letter Country Code
stateOrProvinceName=State or Province Full Name
localityName=Locality Name
0.organizationName=Organization Name
organizationalUnitName=Capsule Organization Unit Name
commonName=capsule.example.com
    1 
    
emailAddress=Email Address

[ req_ext ]
#authorityKeyIdentifier=keyid,issuer
#basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
    2 
    
DNS.1 = loadbalancer.example.com
DNS.2 = capsule.example.com
    Copy to Clipboard Toggle word wrap
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

  4. Create a Certificate Signing Request (CSR) for the SAN certificate: 

    # openssl req -new \
-key /root/capsule_cert/capsule.pem \
    1 
    
-config SAN_config.cfg \
    2 
    
-out /root/capsule_cert/capsule.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server’s private key, used to sign the certificate
    2
    The certificate request configuration file
    3
    Certificate Signing Request file

  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and Capsule Server private key to your Satellite Server to validate them.

  7. On Satellite Server, validate Capsule Server certificate input files: 

    # katello-certs-check \
-c /root/capsule_cert/capsule.pem \
    1 
    
-k /root/capsule_cert/capsule.pem \
    2 
    
-b /root/capsule_cert/ca_cert_bundle.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t capsule option to the katello-certs-check command.

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

If you use Puppet in your Satellite configuration, then you must complete the following procedures:

  1. Configuring Capsule Server to Generate and Sign Puppet Certificates
  2. Configuring Remaining Capsule Servers for Load Balancing

Configuring Capsule Server to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure Capsule Server to generate Puppet certificates for all other Capsule Servers that you configure for load balancing. In the examples in this procedure, the FQDN of this Capsule Server is capsule-ca.example.com.

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule-ca.example.com \
--certs-tar /root/capsule_cert/capsule-ca.tar \
--server-cert /root/capsule_cert/capsule-ca.pem \
--server-key /root/capsule_cert/capsule-ca.pem \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server.

  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "true" \
--puppet-server-ca "true" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, enter the satellite-installer command, for example: 

    satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule-ca.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "certs.tgz" \
--puppet-server-foreman-url "https://satellite.example.com" \
--certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "true" \
--puppet-server-ca "true" \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-content-puppet true \
--enable-puppet \
--puppet-server true \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
    Copy to Clipboard Toggle word wrap

  6. On Capsule Server, generate Puppet certificates for all other Capsules that you configure for load balancing, except this first system where you configure Puppet certificates signing: 

    # puppet cert generate capsule.example.com \
--dns_alt_names=loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    This command creates the following files on the Puppet certificate signing Capsule Server instance:

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

Configuring Remaining Capsule Servers for Load Balancing

Complete this procedure for each Capsule Server excluding the system where you configure Capsule Server to sign Puppet certificates.

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example: 

    # capsule-certs-generate \
--foreman-proxy-fqdn capsule.example.com \
--certs-tar /root/capsule_cert/capsule.tar \
--server-cert /root/capsule_cert/capsule.pem \
--server-key /root/capsule_cert/capsule.pem \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server. 

    # scp /root/capsule.example.com-certs.tar \
root@capsule.example.com:capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  4. On Capsule Server, install the puppetserver package: 

    # satellite-maintain packages install puppetserver
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, create directories for puppet certificates: 

    # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
/etc/puppetlabs/puppet/ssl/private_keys/ \
/etc/puppetlabs/puppet/ssl/public_keys/
    Copy to Clipboard Toggle word wrap

  6. On Capsule Server, copy the Puppet certificates for this Capsule Server from the system where you configure Capsule Server to sign Puppet certificates: 

    # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem \
/etc/puppetlabs/puppet/ssl/certs/ca.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem \
/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
    Copy to Clipboard Toggle word wrap

  7. On Capsule Server, change the directory ownership to user puppet, group puppet and set the SELinux contexts: 

    # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
# restorecon -Rv /etc/puppetlabs/puppet/ssl/
    Copy to Clipboard Toggle word wrap

  8. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "false" \
--puppet-server-ca "false" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

  9. On Capsule Server, enter the satellite-installer command, for example: 

    # satellite-installer --scenario capsule \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--certs-tar-file "capsule.example.com-certs.tar" \
--puppet-server-foreman-url "https://satellite.example.com" \
--certs-cname "loadbalancer.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--foreman-proxy-puppetca "false" \
--puppet-server-ca "false" \
--enable-foreman-proxy-plugin-remote-execution-ssh
    Copy to Clipboard Toggle word wrap

Chapter 5. Installing the Load Balancer
링크 복사

The following example provides general guidance for configuring an HAProxy load balancer. However, you can install any suitable load balancing software solution that supports TCP forwarding.

  1. On a Red Hat Enterprise Linux 7 host, install HAProxy: 

    # yum install haproxy
    Copy to Clipboard Toggle word wrap

  2. Install the following package that includes the semanage tool: 

    # yum install policycoreutils-python
    Copy to Clipboard Toggle word wrap

  3. Configure SELinux to allow HAProxy to bind any port: 

    # semanage boolean --modify --on haproxy_connect_any
    Copy to Clipboard Toggle word wrap

  4. Configure the load balancer to balance the network load for the ports as described in Table 5.1, “Ports Configuration for the Load Balancer”. For example, to configure ports for HAProxy, edit the /etc/haproxy/haproxy.cfg file to correspond with the table. For more information, see Configuration example for haproxy.cfg for HAProxy load balancer with Satellite 6 in the Red Hat Knowledgebase.

    Expand
    Table 5.1. Ports Configuration for the Load Balancer
    ServicePortModeBalance ModeDestination

    HTTP

    80

    TCP

    roundrobin

    port 80 on all Capsule Servers

    HTTPS and RHSM

    443

    TCP

    source

    port 443 on all Capsule Servers

    AMQP

    5647

    TCP

    roundrobin

    port 5647 on all Capsule Servers

    Puppet (Optional)

    8140

    TCP

    roundrobin

    port 8140 on all Capsule Servers

    PuppetCA (Optional)

    8141

    TCP

    roundrobin

    port 8140 only on the system where you configure Capsule Server to sign Puppet certificates

    SmartProxy (Optional for OpenScap)

    9090

    TCP

    roundrobin

    port 9090 on all Capsule Servers

  5. Configure the load balancer to disable SSL offloading and allow client-side SSL certificates to pass through to back end servers. This is required because communication from clients to Capsule Servers depends on client-side SSL certificates.

  6. Start and enable the HAProxy service: 

    # systemctl start haproxy
# systemctl enable haproxy
    Copy to Clipboard Toggle word wrap

Chapter 6. Registering Clients
링크 복사

You can register a client running a Red Hat Enterprise Linux 6, 7, or 8 operating system to Capsule Servers that you configure for load balancing. For more information about registering clients and configuring them to use Puppet, see Registering Hosts in the Managing Hosts guide.

To register clients, proceed to one of the following procedures:

6.1. Red Hat Satellite host registration
링크 복사

You can register hosts with Satellite using the host registration feature, the Satellite API, or Hammer CLI.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Register Host.
  2. Click Generate to create the registration command.
  3. Click on the files icon to copy the command to your clipboard.
  4. Log in to the host you want register and run the previously generated command.

  5. Update subscription manager configuration for rhsm.baseurl and server.hostname: 

    # subscription-manager config \
--rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
--server.hostname=loadbalancer.example.com
    Copy to Clipboard Toggle word wrap
  6. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

CLI procedure

  1. Generate the host registration command using the Hammer CLI: 

    # hammer host-registration generate-command \
--activation-keys "My_Activation_Key"
    Copy to Clipboard Toggle word wrap

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command. 

    # hammer host-registration generate-command \
--activation-keys "My_Activation_Key" \
--insecure true
    Copy to Clipboard Toggle word wrap
  2. Log in to the host you want register and run the previously generated command.

  3. Update subscription manager configuration for rhsm.baseurl and server.hostname: 

    # subscription-manager config \
--rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
--server.hostname=loadbalancer.example.com
    Copy to Clipboard Toggle word wrap
  4. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

API procedure

  1. Generate the host registration command using the Satellite API: 

    # curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'
    Copy to Clipboard Toggle word wrap

    If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command. 

    # curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'
    Copy to Clipboard Toggle word wrap

    Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in the Content Management guide.

    To enter a password as command line argument, use username:password syntax. Keep in mind this can save the password in the shell history.

    For more information about registration see Registering a Host to Red Hat Satellite in Managing Hosts.

  2. Log in to the host you want register and run the previously generated command.

  3. Update subscription manager configuration for rhsm.baseurl and server.hostname: 

    # subscription-manager config \
--rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
--server.hostname=loadbalancer.example.com
    Copy to Clipboard Toggle word wrap
  4. Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

6.2. (Deprecated) Registering Clients Using the Bootstrap Script
링크 복사

To register clients, enter the following command on the client. You must complete the registration procedure for each client.

Prerequisite

Ensure that you install the bootstrap script on the client and change the script’s file permissions to executable. For more information, see Registering Hosts to Red Hat Satellite Using The Bootstrap Script in the Managing Hosts guide.

  • On Red Hat Enterprise Linux 8, enter the following command: 

    # /usr/libexec/platform-python bootstrap.py \
--login=admin \
--server loadbalancer.example.com \
--organization="My_Organization" \
--location="My_Location" \
--hostgroup="My_Hostgroup" \
--activationkey="My_Activation_Key" \
--enablerepos=satellite-client-6-for-rhel-8-<arch>-rpms \
--puppet-ca-port 8141 \
    1 
    
--force
    2
    Copy to Clipboard Toggle word wrap
    1
    Include the --puppet-ca-port 8141 option if you use Puppet.
    2
    Include the --force option to register the client that has been previously registered to a standalone Capsule.

  • On Red Hat Enterprise Linux 7, 6, or 5, enter the following command: 

    # python bootstrap.py --login=admin \
--server loadbalancer.example.com \
--organization="My_Organization" \
--location="My_Location" \
--hostgroup="My_Hostgroup" \
--activationkey="My_Activation_Key" \
--enablerepos=rhel-7-server-satellite-client-6-rpms \
--puppet-ca-port 8141 \
    1 
    
--force
    2
    Copy to Clipboard Toggle word wrap
    1
    Include the --puppet-ca-port 8141 option if you use Puppet.
    2
    Include the --force option to register the client that has been previously registered to a standalone Capsule.

The script prompts for the password corresponding to the Satellite user name you entered with the --login option.

6.3. (Deprecated) Registering Clients Manually with katello-ca-consumer rpm
링크 복사

To register clients manually, complete the following procedure on each client that you register.

Procedure

  1. Remove the katello-ca-consumer package if it is installed: 

    # yum remove 'katello-ca-consumer*'
    Copy to Clipboard Toggle word wrap

  2. Install the katello-ca-consumer package from the load balancer: 

    # rpm -Uvh http://loadbalancer.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    Copy to Clipboard Toggle word wrap

  3. Register the client and include the --serverurl and --baseurl options: 

    # subscription-manager register \
--activationkey=My_Activation_Key \
--baseurl=https://loadbalancer.example.com/pulp/content/ \
--org=Your_Organization \
--serverurl=https://loadbalancer.example.com/rhsm
    Copy to Clipboard Toggle word wrap

Chapter 7. Verifying the Load Balancing Configuration
링크 복사

You can verify the load balancing configuration by completing the following steps for each Capsule Server that you configure:

  1. Shut down the base operating system for your Capsule Server.
  2. Verify that content or subscription management features are available on the client registered to this Capsule. For example, enter the subscription-manager refresh command on the client.
  3. Restart the base operating system for your Capsule Server.

Chapter 8. Propagating SCAP Content through the Load Balancer
링크 복사

If you use OpenSCAP to manage security compliance on your clients, you must configure the SCAP client to send ARF reports to the load balancer instead of Capsule. The configuration procedure depends on the method you have selected to deploy compliance policies.

8.1. Propagating SCAP Content using Ansible Deployment
링크 복사

Using this procedure, you can promote Security Content Automation Protocol (SCAP) content through the load balancer in the scope of the Ansible deployment method.

Prerequisite

Procedure

  1. In the Satellite web UI, navigate to Configure > Variables.
  2. Search for the foreman_scap_client_port variable and click its name.
  3. In the Default Behavior area, ensure that the Override checkbox is selected.
  4. In the Parameter Type list, ensure that integer is selected.
  5. In the Default Value field, enter 9090.
  6. In the Specify Matchers area, remove all matchers that override the default value.
  7. Click Submit.
  8. Search for the foreman_scap_client_server variable and click its name.
  9. In the Default Behavior area, ensure that the Override checkbox is selected.
  10. In the Parameter Type list, ensure that string is selected.
  11. In the Default Value field, enter the FQDN of your load balancer, such as loadbalancer.example.com.
  12. In the Specify Matchers area, remove all matchers that override the default value.
  13. Click Submit.

  14. Continue with deploying a compliance policy using Ansible. For more information, see:

Verification

  • On the client, verify that the /etc/foreman_scap_client/config.yaml file contains the following lines: 

    # Foreman proxy to which reports should be uploaded
:server: 'loadbalancer.example.com'
:port: 9090
    Copy to Clipboard Toggle word wrap

8.2. Propagating SCAP Content using Puppet Deployment
링크 복사

Using this procedure, you can promote Security Content Automation Protocol (SCAP) content through the load balancer in the scope of the Puppet deployment method.

Prerequisite

Procedure

  1. In the Satellite web UI, navigate to Configure > Classes and click foreman_scap_client.
  2. Click the Smart Class Parameter tab.
  3. In the pane to the left of the Smart Class Parameter window, click port.
  4. In the Default Behavior area, select the Override checkbox.
  5. From the Key Type list, select integer.
  6. In the Default Value field, enter 9090.
  7. In the pane to the left of the Smart Class Parameter window, click server.
  8. In the Default Behavior area, select the Override checkbox.
  9. From the Key Type list, select string.
  10. In the Default Value field, enter the FQDN of your load balancer, such as loadbalancer.example.com.
  11. In the lower left of the Smart Class Parameter window, click Submit.

  12. Continue with deploying a compliance policy using Puppet. For more information, see:

Verification

  • On the client, verify that the /etc/foreman_scap_client/config.yaml file contains the following lines: 

    # Foreman proxy to which reports should be uploaded
:server: 'loadbalancer.example.com'
:port: 9090
    Copy to Clipboard Toggle word wrap

Legal Notice
링크 복사

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2026 Red Hat맨 위로 이동