이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 4. Configuring Capsule Server with external services
If you do not want to configure the DNS, DHCP, and TFTP services on Capsule Server, use this section to configure your Capsule Server to work with external DNS, DHCP, and TFTP services.
4.1. Configuring Capsule Server with external DNS
You can configure Capsule Server with external DNS. Capsule Server uses the nsupdate
utility to update DNS records on the remote server.
To make any changes persistent, you must enter the satellite-installer
command with the options appropriate for your environment.
Prerequisites
- You must have a configured external DNS server.
- This guide assumes you have an existing installation.
Procedure
Copy the
/etc/rndc.key
file from the external DNS server to Capsule Server:# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
Configure the ownership, permissions, and SELinux context:
# restorecon -v /etc/foreman-proxy/rndc.key # chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key # chmod -v 640 /etc/foreman-proxy/rndc.key
To test the
nsupdate
utility, add a host remotely:# echo -e "server DNS_IP_Address\n \ update add aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key # nslookup aaa.example.com DNS_IP_Address # echo -e "server DNS_IP_Address\n \ update delete aaa.example.com 3600 IN A Host_IP_Address\n \ send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
Enter the
satellite-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dns.yml
file:# satellite-installer --foreman-proxy-dns=true \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="DNS_IP_Address" \ --foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key
- In the Satellite web UI, navigate to Infrastructure > Capsules.
- Locate the Capsule Server and select Refresh from the list in the Actions column.
- Associate the DNS service with the appropriate subnets and domain.
4.2. Configuring Capsule Server with external DHCP
To configure Capsule Server with external DHCP, you must complete the following procedures:
4.2.1. Configuring an external DHCP server to use with Capsule Server
To configure an external DHCP server running Red Hat Enterprise Linux to use with Capsule Server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with Capsule Server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
If you use dnsmasq as an external DHCP server, enable the dhcp-no-override
setting. This is required because Satellite creates configuration files on the TFTP server under the grub2/
subdirectory. If the dhcp-no-override
setting is disabled, hosts fetch the bootloader and its configuration from the root directory, which might cause an error.
Procedure
On your Red Hat Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
# dnf install dhcp-server bind-utils
Generate a security token:
# tsig-keygen -a hmac-md5 omapi_key
Edit the
dhcpd
configuration file for all subnets and add the key generated bytsig-keygen
. The following is an example:# cat /etc/dhcp/dhcpd.conf default-lease-time 604800; max-lease-time 2592000; log-facility local7; subnet 192.168.38.0 netmask 255.255.255.0 { range 192.168.38.10 192.168.38.100; option routers 192.168.38.1; option subnet-mask 255.255.255.0; option domain-search "virtual.lan"; option domain-name "virtual.lan"; option domain-name-servers 8.8.8.8; } omapi-port 7911; key omapi_key { algorithm hmac-md5; secret "My_Secret"; }; omapi-key omapi_key;
Note that the
option routers
value is the IP address of your Satellite Server or Capsule Server that you want to use with an external DHCP service.On Satellite Server, define each subnet. Do not set DHCP Capsule for the defined Subnet yet.
To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Satellite web UI define the reservation range as 192.168.38.101 to 192.168.38.250.
Configure the firewall for external access to the DHCP server:
# firewall-cmd --add-service dhcp
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
On Satellite Server, determine the UID and GID of the
foreman
user:# id -u foreman 993 # id -g foreman 990
On the DHCP server, create the
foreman
user and group with the same IDs as determined in a previous step:# groupadd -g 990 foreman # useradd -u 993 -g 990 -s /sbin/nologin foreman
To ensure that the configuration files are accessible, restore the read and execute flags:
# chmod o+rx /etc/dhcp/ # chmod o+r /etc/dhcp/dhcpd.conf # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
Enable and start the DHCP service:
# systemctl enable --now dhcpd
Export the DHCP configuration and lease files using NFS:
# dnf install nfs-utils # systemctl enable --now nfs-server
Create directories for the DHCP configuration and lease files that you want to export using NFS:
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
To create mount points for the created directories, add the following line to the
/etc/fstab
file:/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0 /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
Mount the file systems in
/etc/fstab
:# mount -a
Ensure the following lines are present in
/etc/exports
:/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check) /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide) /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
Note that the IP address that you enter is the Satellite or Capsule IP address that you want to use with an external DHCP service.
Reload the NFS server:
# exportfs -rva
Configure the firewall for DHCP omapi port 7911:
# firewall-cmd --add-port=7911/tcp
Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.
# firewall-cmd \ --add-service mountd \ --add-service nfs \ --add-service rpc-bind \ --zone public
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
4.2.2. Configuring Satellite Server with an external DHCP server
You can configure Capsule Server with an external DHCP server.
Prerequisites
- Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Capsule Server. For more information, see Section 4.2.1, “Configuring an external DHCP server to use with Capsule Server”.
Procedure
Install the
nfs-utils
package:# satellite-maintain packages install nfs-utils
Create the DHCP directories for NFS:
# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
Change the file owner:
# chown -R foreman-proxy /mnt/nfs
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
# showmount -e DHCP_Server_FQDN # rpcinfo -p DHCP_Server_FQDN
Add the following lines to the
/etc/fstab
file:DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0 DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
Mount the file systems on
/etc/fstab
:# mount -a
To verify that the
foreman-proxy
user can access the files that are shared over the network, display the DHCP configuration and lease files:# su foreman-proxy -s /bin/bash $ cat /mnt/nfs/etc/dhcp/dhcpd.conf $ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases $ exit
Enter the
satellite-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/dhcp.yml
file:# satellite-installer \ --enable-foreman-proxy-plugin-dhcp-remote-isc \ --foreman-proxy-dhcp-provider=remote_isc \ --foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \ --foreman-proxy-dhcp=true \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \ --foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \ --foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \ --foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \ --foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911
- Associate the DHCP service with the appropriate subnets and domain.
4.3. Configuring Capsule Server with external TFTP
You can configure Capsule Server with external TFTP services.
Procedure
Create the TFTP directory for NFS:
# mkdir -p /mnt/nfs/var/lib/tftpboot
In the
/etc/fstab
file, add the following line:TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
Mount the file systems in
/etc/fstab
:# mount -a
Enter the
satellite-installer
command to make the following persistent changes to the/etc/foreman-proxy/settings.d/tftp.yml
file:# satellite-installer \ --foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \ --foreman-proxy-tftp=true
If the TFTP service is running on a different server than the DHCP service, update the
tftp_servername
setting with the FQDN or IP address of the server that the TFTP service is running on:# satellite-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
- In the Satellite web UI, navigate to Infrastructure > Capsules.
- Locate the Capsule Server and select Refresh from the list in the Actions column.
- Associate the TFTP service with the appropriate subnets and domain.
4.4. Configuring Capsule Server with external IdM DNS
When Satellite Server adds a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage by using the IdM server.
Capsule Server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
To configure Capsule Server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:
To revert to internal DNS service, use the following procedure:
You are not required to use Capsule Server to manage DNS. When you are using the realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install
script creates DNS records for the client. Configuring Capsule Server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see Configuring Satellite to manage the lifecycle of a host registered to a Identity Management realm in Installing Satellite Server in a connected network environment.
4.4.1. Configuring dynamic DNS update with GSS-TSIG authentication
You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Capsule Server base operating system.
Prerequisites
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port requirements for IdM in Red Hat Enterprise Linux 9 Installing Identity Management or Port requirements for IdM in Red Hat Enterprise Linux 8 Installing Identity Management.
- You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
- You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.
Procedure
To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:
Creating a Kerberos principal on the IdM server
Obtain a Kerberos ticket for the account obtained from the IdM administrator:
# kinit idm_user
Create a new Kerberos principal for Capsule Server to use to authenticate on the IdM server:
# ipa service-add capsule.example.com
Installing and configuring the idM client
On the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment, install the
ipa-client
package:# satellite-maintain packages install ipa-client
Configure the IdM client by running the installation script and following the on-screen prompts:
# ipa-client-install
Obtain a Kerberos ticket:
# kinit admin
Remove any preexisting
keytab
:# rm /etc/foreman-proxy/dns.keytab
Obtain the
keytab
for this system:# ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \ -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
NoteWhen adding a keytab to a standby system with the same host name as the original system in service, add the
r
option to prevent generating new credentials and rendering the credentials on the original system invalid.For the
dns.keytab
file, set the group and owner toforeman-proxy
:# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
Optional: To verify that the
keytab
file is valid, enter the following command:# kinit -kt /etc/foreman-proxy/dns.keytab \ capsule/satellite.example.com@EXAMPLE.COM
Configuring DNS zones in the IdM web UI
Create and configure the zone that you want to manage:
- Navigate to Network Services > DNS > DNS Zones.
-
Select Add and enter the zone name. For example,
example.com
. - Click Add and Edit.
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Set Dynamic update to True.
- Enable Allow PTR sync.
- Click Save to save the changes.
Create and configure the reverse zone:
- Navigate to Network Services > DNS > DNS Zones.
- Click Add.
- Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
- Click Add and Edit.
Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Set Dynamic update to True.
- Click Save to save the changes.
Configuring the Satellite or Capsule Server that manages the DNS service for the domain
Configure your Satellite Server or Capsule Server to connect to your DNS service:
# satellite-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate_gss \ --foreman-proxy-dns-server="idm1.example.com" \ --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \ --foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \ --foreman-proxy-dns=true
For each affected Capsule, update the configuration of that Capsule in the Satellite web UI:
- In the Satellite web UI, navigate to Infrastructure > Capsules, locate the Capsule Server, and from the list in the Actions column, select Refresh.
Configure the domain:
- In the Satellite web UI, navigate to Infrastructure > Domains and select the domain name.
- In the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
Configure the subnet:
- In the Satellite web UI, navigate to Infrastructure > Subnets and select the subnet name.
- In the Subnet tab, set IPAM to None.
- In the Domains tab, select the domain that you want to manage using the IdM server.
- In the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.
4.4.2. Configuring dynamic DNS update with TSIG authentication
You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key
key file for authentication. The TSIG protocol is defined in RFC2845.
Prerequisites
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
-
You must obtain
root
user access on the IdM server. - You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
- You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
- You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.
Procedure
To configure dynamic DNS update with TSIG authentication, complete the following steps:
Enabling external updates to the DNS zone in the IdM server
On the IdM Server, add the following to the top of the
/etc/named.conf
file:######################################################################## include "/etc/rndc.key"; controls { inet _IdM_Server_IP_Address_ port 953 allow { _Satellite_IP_Address_; } keys { "rndc-key"; }; }; ########################################################################
Reload the
named
service to make the changes take effect:# systemctl reload named
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
Add the following in the
BIND update policy
box:grant "rndc-key" zonesub ANY;
- Set Dynamic update to True.
- Click Update to save the changes.
Copy the
/etc/rndc.key
file from the IdM server to the base operating system of your Satellite Server. Enter the following command:# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
To set the correct ownership, permissions, and SELinux context for the
rndc.key
file, enter the following command:# restorecon -v /etc/rndc.key # chown -v root:named /etc/rndc.key # chmod -v 640 /etc/rndc.key
Assign the
foreman-proxy
user to thenamed
group manually. Normally, satellite-installer ensures that theforeman-proxy
user belongs to thenamed
UNIX group, however, in this scenario Satellite does not manage users and groups, therefore you need to assign theforeman-proxy
user to thenamed
group manually.# usermod -a -G named foreman-proxy
On Satellite Server, enter the following
satellite-installer
command to configure Satellite to use the external DNS server:# satellite-installer \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="IdM_Server_IP_Address" \ --foreman-proxy-dns-ttl=86400 \ --foreman-proxy-dns=true \ --foreman-proxy-keyfile=/etc/rndc.key
Testing external updates to the DNS zone in the IdM server
Ensure that the key in the
/etc/rndc.key
file on Satellite Server is the same key file that is used on the IdM server:key "rndc-key" { algorithm hmac-md5; secret "secret-key=="; };
On Satellite Server, create a test DNS entry for a host. For example, host
test.example.com
with an A record of192.168.25.20
on the IdM server at192.168.25.1
.# echo -e "server 192.168.25.1\n \ update add test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
On Satellite Server, test the DNS entry:
# nslookup test.example.com 192.168.25.1
Example output:
Server: 192.168.25.1 Address: 192.168.25.1#53 Name: test.example.com Address: 192.168.25.20
- To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.
If resolved successfully, remove the test DNS entry:
# echo -e "server 192.168.25.1\n \ update delete test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.key
Confirm that the DNS entry was removed:
# nslookup test.example.com 192.168.25.1
The above
nslookup
command fails and returns theSERVFAIL
error message if the record was successfully deleted.
4.4.3. Reverting to internal DNS service
You can revert to using Satellite Server and Capsule Server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Satellite Server.
Procedure
On the Satellite or Capsule Server that you want to configure to manage DNS service for the domain, complete the following steps:
Configuring Satellite or Capsule as a DNS server
If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the
satellite-installer
command:# satellite-installer
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Satellite or Capsule as DNS server without using an answer file, enter the following
satellite-installer
command on Satellite or Capsule:# satellite-installer \ --foreman-proxy-dns-managed=true \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="127.0.0.1" \ --foreman-proxy-dns=true
For more information, see Section 3.6, “Configuring DNS, DHCP, and TFTP on Capsule Server”.
After you run the satellite-installer
command to make any changes to your Capsule configuration, you must update the configuration of each affected Capsule in the Satellite web UI.
Updating the configuration in the Satellite web UI
- In the Satellite web UI, navigate to Infrastructure > Capsules.
- For each Capsule that you want to update, from the Actions list, select Refresh.
Configure the domain:
- In the Satellite web UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
- In the Domain tab, set DNS Capsule to the Capsule where the subnet is connected.
Configure the subnet:
- In the Satellite web UI, navigate to Infrastructure > Subnets and select the subnet name.
- In the Subnet tab, set IPAM to DHCP or Internal DB.
- In the Domains tab, select the domain that you want to manage using Satellite or Capsule.
- In the Capsules tab, set Reverse DNS Capsule to the Capsule where the subnet is connected.
- Click Submit to save the changes.
4.5. Configuring Satellite to manage the lifecycle of a host registered to a Identity Management realm
As well as providing access to Satellite Server, hosts provisioned with Satellite can also be integrated with Identity Management realms. Red Hat Satellite has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.
Use this section to configure Satellite Server or Capsule Server for Identity Management realm support, then add hosts to the Identity Management realm group.
Prerequisites
- Satellite Server that is registered to the Content Delivery Network or an external Capsule Server that is registered to Satellite Server.
- A deployed realm or domain provider such as Identity Management.
To install and configure Identity Management packages on Satellite Server or Capsule Server:
To use Identity Management for provisioned hosts, complete the following steps to install and configure Identity Management packages on Satellite Server or Capsule Server:
Install the
ipa-client
package on Satellite Server or Capsule Server:# satellite-maintain packages install ipa-client
Configure the server as a Identity Management client:
# ipa-client-install
Create a realm proxy user,
realm-capsule
, and the relevant roles in Identity Management:# foreman-prepare-realm admin realm-capsule
Note the principal name that returns and your Identity Management server configuration details because you require them for the following procedure.
To configure Satellite Server or Capsule Server for Identity Management realm support:
Complete the following procedure on Satellite and every Capsule that you want to use:
Copy the
/root/freeipa.keytab
file to any Capsule Server that you want to include in the same principal and realm:# scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
Move the
/root/freeipa.keytab
file to the/etc/foreman-proxy
directory and set the ownership settings to theforeman-proxy
user:# mv /root/freeipa.keytab /etc/foreman-proxy # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:
# satellite-installer --foreman-proxy-realm true \ --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \ --foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \ --foreman-proxy-realm-provider freeipa
You can also use these options when you first configure the Satellite Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the Identity Management Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt # update-ca-trust enable # update-ca-trust
Optional: If you configure Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:
Restart the foreman-proxy service:
# systemctl restart foreman-proxy
- In the Satellite web UI, navigate to Infrastructure > Capsules.
- Locate the Capsule you have configured for Identity Management and from the list in the Actions column, select Refresh.
To create a realm for the Identity Management-enabled Capsule
After you configure your integrated or external Capsule with Identity Management, you must create a realm and add the Identity Management-configured Capsule to the realm.
Procedure
- In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
- In the Name field, enter a name for the realm.
- From the Realm Type list, select the type of realm.
- From the Realm Capsule list, select Capsule Server where you have configured Identity Management.
- Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
- Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
- Click Submit.
Updating host groups with realm information
You must update any host groups that you want to use with the new realm information.
- In the Satellite web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
- From the Realm list, select the realm you create as part of this procedure, and then click Submit.
Adding hosts to a Identity Management host group
Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Identity Management parameter userclass
which allow administrators to configure automembership.
When nested host groups are used, they are sent to the Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".
Satellite Server or Capsule Server sends updates to the Identity Management server, however automembership rules are only applied at initial registration.
To add hosts to a Identity Management host group:
On the Identity Management server, create a host group:
# ipa hostgroup-add hostgroup_name --desc=hostgroup_description
Create an
automembership
rule:# ipa automember-add --type=hostgroup hostgroup_name automember_rule
Where you can use the following options:
-
automember-add
flags the group as an automember group. -
--type=hostgroup
identifies that the target group is a host group, not a user group. -
automember_rule
adds the name you want to identify the automember rule by.
-
Define an automembership condition based on the
userclass
attribute:# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name ---------------------------------- Added condition(s) to "hostgroup_name" ---------------------------------- Automember Rule: automember_rule Inclusive Regex: userclass=^webserver ---------------------------- Number of conditions added 1 ----------------------------
Where you can use the following options:
-
automember-add-condition
adds regular expression conditions to identify group members. -
--key=userclass
specifies the key attribute asuserclass
. -
--type=hostgroup
identifies that the target group is a host group, not a user group. -
--inclusive-regex=
^webserver identifies matching values with a regular expression pattern. - hostgroup_name – identifies the target host group’s name.
-
When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Identity Management server’s "hostgroup_name" host group. Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Identity Management functions.