System Administrator's Guide

Procedure

1. Install Red Hat Enterprise Linux on the Red Hat Update Appliance (RHUA), each content delivery server (CDS), and on the HAProxy load balancer if you are using it. See the Red Hat Enterprise Linux 7 Installation Guide for installation details.

Procedure

1. Register the system that you are going to use as the RHUA instance:

   [root@rhua ~]# subscription-manager register --type=rhui --username <admin-example> --password <secret>
   Registering to: subscription.rhsm.redhat.com:443/subscription
   The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>

   Note

   If you are using a system as the RHUA that has already been registered and the RHUA already has an attached subscription, you will see This system is already registered. Use --force to override when you try to register it using # subscription-manager register --type=rhui. If that occurs, you can override the subscription by adding --force to the command line argument.

   Another option in this situation is to unregister the system (# subscription-manager unregister) and register it again (# subscription-manager register --type=rhui).

2. Register each CDS node that will be used unless existing, external, already registered systems are used:

   [root@cds1 ~]# subscription-manager register --type=rhui --username <admin-example> --password <secret>
   Registering to: subscription.rhsm.redhat.com:443/subscription
   The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>

3. Register each HAProxy node that will be used unless existing, external, already registered systems are used:

   [root@haproxy1 ~]# subscription-manager register --type=rhui --username <admin-example> --password <secret>
   Registering to: subscription.rhsm.redhat.com:443/subscription
   The system has been registered with ID: <a12b34c5-6d78-9ef1-2345-ghi678jk91l2m>

   The new system will be available on the Customer Portal, and the new RHUA instance will not have any subscriptions applied to it.

Procedure

1. Check for available subscriptions to add to the RHUA:

   [root@rhua ~]# subscription-manager list --available
   +-------------------------------------------+
       Available Subscriptions
   +-------------------------------------------+
   Subscription Name:   Red Hat Enterprise Linux Atomic Host for Certified Cloud
                        and Service Providers (via Red Hat Update Infrastructure)
   Provides:            Red Hat Enterprise Linux Atomic Host Beta from RHUI
                        Red Hat Enterprise Linux Atomic Host from RHUI
   SKU:                 RH00731
   Contract:            11312089
   Pool ID:             8a85f9815a6c4c9d015a6c6acb373ed9
   Provides Management: No
   Available:           19
   Suggested:           1
   Service Level:       Premium
   Service Type:        L1-L3
   Subscription Type:   Standard
   Ends:                02/22/2018
   System Type:         Physical
   
   Subscription Name:   Red Hat Update Infrastructure and RHEL Add-Ons for
                        Providers
   Provides:            dotNET on RHEL (for RHEL Server) from RHUI
                        Red Hat Enterprise Linux Server from RHUI
                        Red Hat Software Collections (for RHEL Server) from RHUI
                        Red Hat Enterprise Linux for SAP from RHUI
                        Red Hat Enterprise Linux Resilient Storage (for RHEL
                        Server) from RHUI
                        Red Hat Enterprise Linux Scalable File System (for RHEL
                        Server) from RHUI
                        Red Hat Enterprise Linux Server - Extended Update Support
                        from RHUI
                        dotNET on RHEL Beta (for RHEL Server) from RHUI
                        Red Hat Enterprise Linux for SAP Hana from RHUI
                        RHEL Software Test Suite (for RHEL Server) from RHUI
                        Red Hat Enterprise Linux High Availability (for RHEL
                        Server) from RHUI
                        Red Hat Update Infrastructure
                        Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                        from RHUI
   SKU:                 RC1116415
   Contract:            11314314
   Pool ID:             8a85f9815a71f0bd015a72445adf0223
   Provides Management: No
   Available:           20
   Suggested:           1
   Service Level:       Premium
   Service Type:        L1-L3
   Subscription Type:   Standard
   Ends:                02/23/2018
   System Type:         Physical

2. Use the pool ID for your subscription to attach the subscription. Because there are two SKUs and two subscription names, you need to run subscription-manager attach --pool=<Pool ID> for each <Pool ID>:

   # subscription-manager attach --pool=<Pool ID>
   Successfully attached a subscription for: <Subscription_Name>
   
   # subscription-manager attach --pool=<Pool ID>
   Successfully attached a subscription for: <Subscription_Name>

Procedure

1. Check for available subscriptions that you can add to the CDS nodes:

   [root@<cds1> ~]# subscription-manager list --available
   +-------------------------------------------+
       Available Subscriptions
   +-------------------------------------------+
   Subscription Name:   <Your_Subscription_Name>

2. Use the pool ID of Red Hat Update Infrastructure and RHEL Add-Ons for Providers subscription. This subscription provides access to Red Hat Enterprise Linux and Gluster Storage.

   # subscription-manager attach --pool=<Pool_ID>
   Successfully attached a subscription for: Red Hat Update Infrastructure and RHEL Add-Ons for Providers

Procedure

1. Check for available subscriptions that you can add to the HAProxy nodes:

   [root@<haproxy1> ~]# subscription-manager list --available
   +-------------------------------------------+
       Available Subscriptions
   +-------------------------------------------+
   Subscription Name:   <Your_Subscription_Name>

2. Use the pool ID of the Red Hat Update Infrastructure and RHEL Add-Ons for Providers subscription. This subscription provides access to Red Hat Enterprise Linux and HAProxy.

   # subscription-manager attach --pool=<Pool_ID>
   Successfully attached a subscription for: Red Hat Update Infrastructure and RHEL Add-Ons for Providers

Procedure

1. List the enabled repositories to verify that your system is correctly subscribed:

   # yum repolist enabled
   Loaded plugins: search-disabled-repos
   rhel-7-server-rhui-rpms
   
   repo id                                           repo name                                                        status
   !local-rhui3                                      local-rhui3                                                         101
   !rhui-REGION-client-config-server-7/x86_64        Red Hat Update Infrastructure 2.0 Client Configuration Server 7       6
   !rhui-REGION-rhel-server-releases/7Server/x86_64  Red Hat Enterprise Linux Server 7 (RPMs)                         13,578
   !rhui-REGION-rhel-server-rh-common/7Server/x86_64 Red Hat Enterprise Linux Server 7 RH Common (RPMs)                  209
   repolist: 13,894

2. Disable all repositories for the RHUA and enable the relevant repository:

   [root@<rhua> ~]# subscription-manager repos --disable=*; subscription-manager repos --enable=rhel-7-server-rhui-rpms

3. Enable the RHUI 3 repository:

   [root@<rhua> ~]# subscription-manager repos --enable=rhel-7-server-rhui-3-rpms

4. Disable all repositories for the CDS nodes and enable the relevant:

   [root@<cds$> ~]# subscription-manager repos --disable=*; subscription-manager repos --enable=rhel-7-server-rhui-rpms --enable=rh-gluster-3-for-rhel-7-server-rhui-rpms

5. Enable the RHUI 3 repository:

   [root@<cds$> ~]# subscription-manager repos --enable=rhel-7-server-rhui-3-rpms

6. Disable all repositories for the HAProxy nodes and enable the relevant repository:

   [root@<haproxy$> ~]# subscription-manager repos --disable=*; subscription-manager repos --enable=rhel-7-server-rhui-rpms

7. Enable the RHUI 3 repository:

   [root@<haproxy$> ~]# subscription-manager repos --enable=rhel-7-server-rhui-3-rpms

Procedure

1. Install the nfs-utils package on the node hosting the NFS server, on the RHUA node (if it differs), and also on all CDS nodes:

   # yum install nfs-utils

2. Edit the /etc/exports file on the NFS server. Choose a suitable directory to hold the RHUI content and allow the RHUA node and all your CDS nodes to access it. For example, to use the /export directory and make it available to all systems in the example.com domain, put the following line in /etc/exports:

   /export *.example.com(rw,no_root_squash)

3. Create the directory for the RHUI content as defined in /export:

   # mkdir /export

4. Start and enable the NFS service:

   # systemctl start nfs
   # systemctl start rpcbind
   # systemctl enable nfs-server
   # systemctl enable rpcbind

   Note

   If you are using an existing NFS server and the NFS service is running, use the restart command instead of the start command.

5. Test your setup. On a CDS node, run the following commands, which assume that the NFS server has been set up on a machine named filer.example.com:

   # mkdir /mnt/nfstest
   # mount filer.example.com:/export /mnt/nfstest
   # touch /mnt/nfstest/test

   You should not get any error messages.

6. To clean up after this test, remove the test file, unmount the remote share, and remove the test directory:

   # rm /mnt/nfstest/test
   # umount /mnt/nfstest
   # rmdir /mnt/nfstest

   Your NFS server is now set up. See Section 8.7. NFS Server Configuration for more information on NFS server configuration for RHEL 7.

Procedure

1. Before installing Red Hat Update Appliance (RHUA) packages, apply any available operating system updates to all nodes (RHUA, content delivery server [CDS], and HAProxy) and reboot.

2. Verify that all configuration changes have persisted.

   Warning

   Make sure the host name of the RHUA is set correctly. If the host name is unset and its value is reported as localhost.localdomain or localhost, you will not be able to proceed.

Procedure

1. To install the RHUI packages on the RHUA node, CDS nodes, and HAProxy nodes, mount the ISO to a suitable directory (or burn the ISO to a CD, insert the CD, and mount the ISO), and enter the mount point.

Procedure

1. Execute the script from the mount point for the applicable system component:

   [root@rhua ~]# ./setup_package_repos
   [root@<cds1> ~]# ./setup_package_repos
   [root@<haproxy1> ~]# ./setup_package_repos

Procedure

1. Install the rhui-installer script:

   [root@rhua ~]# yum install -y rhui-installer

   This script will install the RHUI packages on the current machine.
   - Ensuring we are in an expected directory.
   - Copying installation files.
   - Creating a Repository File
   - Importing the gpg key.
   - Installation repository will remain configured for future package installs.
   - Installation media can now be safely unmounted.
   
   Installation packages are now available on this system. If you are installing a RHUA, please run yum install -y rhui-installer; rhui-installer.
   If you are installing a CDS, please log into the RHUA and run rhui-manager to begin the installation. Do not run rhui-installer to install a CDS.

Procedure

1. Run rhui-installer on the RHUA:

   [root@rhua ~]# rhui-installer --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0 --cds-lb-hostname=cds.example.com
   
   Installing         	Done                                           	[100%]
   
   [..............................................................................]
   
   Success!
   The initial credentials are admin / <system-generated password>
   
   Re-running the installer will not update your password.
   
   The full log is at /var/log/kafo/configuration.log

   Following are explanations of the command arguments:

   • --remote-fs-type=glusterfs means the remote file system type is GlusterFS.
   • --remote-fs-server=cds1.example.com means the name of the remote file system server is cds1.example.com
   • rhui_content_0 means the name of the GlusterFS volume on cds1.example.com

   • --cds-lb-hostname=cds.example.com means the name of the load balancer on cds1.example.com is cds.example.com.

     Note

     During installation, the cds-lb-hostname option is not included and prepopulates from the answers file provided with the rhui-installer RPM. The host name is preset in the answers file to cds.example.com, and certificates are created for the RHUI environment with this cds-lb-hostname included. See Chapter 18, Migrate to a new load balancer, or change the name of an existing load balancer for details on changing the name of a load balancer.

     If using NFS, the rhui-installer command line is different. Instead of

     --remote-fs-type=glusterfs --remote-fs-server=cds1.example.com:rhui_content_0

     specify the NFS server name and the exported directory, joined by the colon sign, as the parameter of the --remote-fs-server option. For example:

     --remote-fs-server=filer.example.com:/export

2. Verify that the remote share is mounted:

   [root@rhua ~]# mount | grep rhui
   
   cds1.example.com:rhui_content_0 on /var/lib/rhui/remote_share type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)

Procedure

1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

   [root@rhua ~]# rhui-manager
   
   Previous authentication credentials could not be found. Logging into the RHUI.
   
   If this is the first time using the RHUI, it is recommended to change the user's password in the User Management section of RHUI Tools.

2. Enter the RHUI Username (admin) and RHUI Password (provided by the rhui-installer output). The initial password is also stored in /etc/rhui-installer/answers.yaml.

3. After successfully logging in for the first time, you should change the password. Press u on the Red Hat Update Infrastructure Management Tool home screen to select manage RHUI users.

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
                                                      Connected: rhua.example.com

4. Press p to select p change a user’s password (followed by logout).

   ------------------------------------------------------------------------------
   = Red Hat Update Infrastructure Management Tool =
   
   = User Manager =
   
     p   change a user's password (followed by logout)
   
                                                 	Connected: rhua.example.com
   
   ------------------------------------------------------------------------------
   rhui (users) => p
   Warning: After password change you will be logged out.
   Use ctrl-c to cancel password change.
   Username: admin

5. Enter the new password and press Enter. Re-enter the new password and press Enter.

   New Password:
   Re-enter Password:
   
   Password successfully updated.
   ----------------------------------------------------------------------------------

Procedure

1. To prevent losing the waiting tasks, do not reboot or restart Qpid while there are some waiting tasks. If you often have to do so anyway, you can keep at least the waiting tasks by installing the Qpid persistence extension:

   # yum install qpid-cpp-server-linearstore

2. Restart Qpid so it can load the extension:

   # systemctl restart qpidd

   Waiting tasks will be saved on the disk and resumed after rebooting.

Procedure

1. Make sure sshd is running on the CDS node and that ports 443 and 5000 are open.

2. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

   [root@rhua ~]# rhui-manager

3. Press c to select manage content delivery servers (CDS).

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
                                                      Connected: rhua.example.com

4. Type a to select register (add) a new Content Delivery Server instance.

   ------------------------------------------------------------------------------
   = Red Hat Update Infrastructure Management Tool =
   
   = Content Delivery Server (CDS) Management =
   
   l   list all known CDS instances managed by the RHUI
   a   register (add) a new CDS instance
   r   reinstall and reapply configuration to an existing CDS instance
   d   unregister (delete) a CDS instance from the RHUI
   
                                                 	Connected: rhua.example.com
   ------------------------------------------------------------------------------
   rhui (cds) => a

5. Enter the host name of the CDS to add.

   Hostname of the CDS instance to register:
   cds1.example.com

6. Enter the user name that will have SSH access to the CDS and have sudo privileges.

   Username with SSH access to <cds1.example.com> and sudo privileges:
   root

7. Enter the absolute path to the SSH private key for logging in to the CDS and press Enter.

   Absolute path to an SSH private key to log into <cds1.example.com> as root:
   /root/.ssh/id_rsa
   .........................................................................
   The following CDS has been successfully added:
   
   Hostname:             <cds1.example.com>
   SSH Username:     root
   SSH Private Key:  /root/.ssh/id_rsa
   
   The CDS will now be configured:
   …………………………………………………………..
   The CDS was successfully configured.

8. If adding the content delivery server fails, check that the firewall rules permit access between the RHUA and the CDS.

9. Run the mount command to see if Gluster Storage is mounted as read-write.

   [root@rhua ~]# mount | grep cds1.example.com
   
   cds1.example.com:rhui_content_0 on /var/lib/rhui/remote_share type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)

10. After successful configuration, repeat these steps for any remaining CDSs. You can also add a CDS using the command line interface.

    [root@rhua ~]# rhui cds add cds1.example.com root /root/.ssh/id_rsa -u

Procedure

1. Navigate to the Red Hat Update Infrastructure Management Tool home screen.

   [root@rhua ~]# rhui-manager

2. Press c to select manage content delivery servers (CDS).

   -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
   r   manage repositories
   c   manage content delivery servers (CDS)
   l   manage HAProxy load-balancer instances
   s   synchronization status and scheduling
   e   create entitlement certificates and client configuration RPMs
   n   manage Red Hat entitlement certificates
   u   manage RHUI users
   
                                                         Connected: rhua.example.com

3. Type d to select unregister (delete) a CDS instance from the RHUI.

   ------------------------------------------------------------------------------
   = Red Hat Update Infrastructure Management Tool =
   
   = Content Delivery Server (CDS) Management =
   
   l   list all known CDS instances managed by the RHUI
   a   register (add) a new CDS instance
   r   reinstall and reapply configuration to an existing CDS instance
   d   unregister (delete) a CDS instance from the RHUI
   
                                                      Connected: rhua.example.com
   ------------------------------------------------------------------------------
    rhui (cds) => d

4. Enter the host name of the CDS to delete.

   Hostname of the CDS instance to unregister:
   cds1.example.com

5. Confirm the /etc/haproxy/haproxy.cfg file in the HAProxy instance

   #  cat /etc/haproxy/haproxy.cfg

Procedure

1. Make sure all your RHUI nodes are running version 3.1 or later. If you have originally installed RHUI from an older version, you have to reinstall your CDS nodes in rhui-manager first.
2. Transfer your legacy CA certificate to your CDS nodes and save it in the /etc/pki/rhui/legacy-ca/ directory.

3. Get the subject hash value from the certificate and keep it in a shell variable:

   #hash=`openssl x509 -hash -noout -in /etc/pki/rhui/legacy-ca/YOUR_CERT.crt`

4. Create a symbolic link to the certificate file in the /etc/pki/tls/certs/ directory with the hash and an unused number, starting from 0, as the symbolic link name:

   #ln -s /etc/pki/rhui/legacy-ca/YOUR_CERT.crt /etc/pki/tls/certs/$hash.0

Procedure

1. On the Red Hat Update Appliance (RHUA), log in to the Red Hat Update Infrastructure Management Tool:

   [root@rhua ~]# rhui-manager

2. In the Red Hat Update Infrastructure Management Tool home screen, press r to select manage repositories:

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   upload content to a custom repository (RPM content only)
      ur  upload content from a remote web site (RPM content only)
      p   list packages in a repository (RPM content only)
   
   Connected: rhua.example.com

3. Press a to select add a new Red Hat content repository:

   ----------------------------------------------------------------------------------
           	-= Red Hat Update Infrastructure Management Tool =-
   
   = Repository Management =-
   
   l   list repositories currently managed by the RHUI
   i   display detailed information on a repository
   a   add a new Red Hat content repository
   c   create a new custom repository (RPM content only)
   d   delete a repository from the RHUI
   u   upload content to a custom repository (RPM content only)
   ur  upload content from a remote web site (RPM content only)
   p   list packages in a repository (RPM content only)
   
   Connected: rhua.example.com
   ------------------------------------------------------------------------------
   
   rhui (repo) => a

4. Wait for the Red Hat Update Infrastructure Management Tool to determine the entitled repositories. This might take several minutes.

   Connected: rhua.example.com
   
   ------------------------------------------------------------------------------
   
   rhui (repo) => a
   
   Loading latest entitled products from Red Hat...
   
   Determining undeployed products...

5. The Red Hat Update Infrastructure Management Tool prompts for a selection method.

   ... product list calculated
   
   Import Repositories:
   
   1  - All in Certificate
   2  - By Product
   3  - By Repository
   
   Enter value (1-3) or 'b' to abort:

6. Press 2 to select the By Product method.
7. Add Red Hat repositories to the RHUA by entering the number beside each repository that you want to include. The only repositories that will display are Red Hat repositories that are included in your entitlement certificate but have not yet been added.
8. Press c when your are finished selecting the repositories. The Red Hat Update Infrastructure Management Tool displays the repositories to be deployed and prompts for confirmation.
9. Press y to proceed. A screen message indicates each successful deployment.
10. Check that the correct repositories have been installed by pressing l to access the list repositories currently managed by the RHUI screen.

Procedure

1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

   [root@rhua ~]# rhui-manager

2. Press s to select synchronization status and scheduling:

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
   Connected: rhua.example.com

3. Press sr to select sync an individual repository immediately:

   ------------------------------------------------------------------------------
           	-= Red Hat Update Infrastructure Management Tool =-
   
   -= Synchronization Status =-
   
   dr  display repo sync summary
   vr  view the details of the last repository sync
   sr  sync an individual repository immediately
   
   Connected: rhua.example.com
   
   ------------------------------------------------------------------------------

4. Select the repository and press c to confirm.
5. Press y to proceed.

6. Enter dr to select display repo sync summary.

   ------------------------------------------------------------------------------
   
   rhui (sync) => dr
   ------------------------------------------------------------------------------
           	-= Red Hat Update Infrastructure Management Tool =-
   
   -= Repository Synchronization Status =-
   
   Last Refreshed: 13:59:27
   
   (updated every 5 seconds, ctrl+c to exit)
   
   Next Sync                	Last Sync                	Last Result
   
   ------------------------------------------------------------------------------
   
   Red Hat Enterprise Linux 7 Server - Extras from RHUI (RPMs) (x86_64)
   
   02-29-2016 19:54         	02-29-2016 13:59         	Success
   
   Connected: rhua.example.com
   ------------------------------------------------------------------------------

Procedure

1. On the RHUA, log in to the Red Hat Update Infrastructure Management Tool.

   [root@rhua ~]# rhui-manager

2. In the Red Hat Update Infrastructure Management Tool home screen, press e to select create entitlement certificates and client configuration RPMs.

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
                                                      Connected: rhua.example.com

3. Press e to select generate an entitlement certificate.

   ------------------------------------------------------------------------------
           	-= Red Hat Update Infrastructure Management Tool =-
   
   -= Client Entitlement Management =-
   
   e   generate an entitlement certificate
   c   create a client configuration RPM from an entitlement certificate
   
                                                 	Connected: rhua.example.com
   ------------------------------------------------------------------------------
   
   rhui (client) => e

4. Select which repositories to include in the entitlement certificate by typing the number of the repository at the prompt. Typing the number of a repository places a checkmark next to the name of that repository. Continue until all repositories you want to add have been checked.

   Important

   Include only repositories for a single Red Hat Enterprise Linux version in a single entitlement. Adding repositories for multiple Red Hat Enterprise Linux versions will lead to an unusable yum configuration file.

5. Press c at the prompt to confirm.

6. Enter a name for the certificate. This name helps identify the certificate within the Red Hat Update Infrastructure Management Tool and to generate the name of the certificate and key files.

   Name of the certificate. This will be used as the name of the certificate file
   (name.crt) and its associated private key (name.key). Choose something that will
   help identify the products contained with it:

7. Enter a path to save the certificate to. Leave the field blank to save it to the current working directory.
8. Enter the number of days the certificate should be valid for. Leave the field blank for 365 days. The details of the repositories to be included in the certificate display.

9. Press y at the prompt to confirm the information and create the entitlement certificate.

   Repositories to be included in the entitlement certificate:
   
   Red Hat Repositories
   
   	Red Hat Enterprise Linux for SAP (RHEL 6 Server) (RPMs) from RHUI
   
   Proceed? (y/n) y
   .................................................+++
   Entitlement certificate created at /root/clientcert/rhuiclientexample.crt
   
   ------------------------------------------------------------------------------

Procedure

1. From the Red Hat Update Infrastructure Management Tool home screen, press e to select create entitlement certificates and client configuration RPMs.

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
                                                      Connected: rhua.example.com

2. Press c to select create a client configuration RPM from an entitlement certificate.

3. Enter the full path of a local directory to save the configuration files to.

   Full path to local directory in which the client configuration files generated by this tool
   should be stored (if this directory does not exist, it will be created):
   
   /tmp

4. Enter the RPM’s name.

   clientrpmtest

5. Enter the version of the configuration RPM. The default version is 2.0.
6. Enter the release of the configuration RPM. The default version is 1.

7. Enter the full path to the entitlement certificate authorizing the client to access specific channels.

   Full path to the entitlement certificate authorizing the client to access
   specific channels:
   /root/clientcert/rhuiclientexample.crt

8. Enter the full path to the private key for the entitlement certificate.

   Full path to the private key for the above entitlement certificate:
   /root/clientcert/rhuiclientexample.key

9. Select any unprotected custom repositories to be included in the client configuration.

   - 1 : unprotected_repo1

10. Press c to confirm selections or ? for more commands.

    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

Procedure

1. Copy the RPM to the client machine and install it:

   [client1 ~]# yum localinstall <rpm>

2. Verify the RPM has been installed:

   [client1 ~]# yum list <rpm>

   Note

   The rhn-plugin and subscription-manager plugin will be disabled in yum after the client RPM has been installed.

3. View yum repositories to ensure the repository was added and packages are available for installing:

   [client1 ~]# yum repolist
   Loaded plugins: search-disabled-repos, security
   rhui-rhel-sap-for-rhel-6-server-rhui-rpms                | 2.0 kB     00:00
   rhui-rhel-sap-for-rhel-6-server-rhui-rpms/primary        |  26 kB     00:00
   rhui-rhel-sap-for-rhel-6-server-rhui-rpms                                 77/77
   repo id                                   repo name                       status
   rhui-rhel-sap-for-rhel-6-server-rhui-rpms Red Hat Enterprise Linux for SA 77
   repolist: 77

4. Install a package from that repository:

   [client1 ~]# yum install compat-locales-sap

Procedure

1. To set the yum releasever variable to version, which creates the /etc/yum/vars/releasever file, which in turn makes yum use EUS repositories with this particular version, run the following command:

   rhui-set-release --set <version>

2. To unset the releasever variable (to remove the file), run the following command:

   rhui-set-release --unset

3. To print the currently set version, run the following command:

   rhui-set-release

   Note

   If there is no output, it means no particular version is set.

Procedure

1. Create a GPG key that you can use to sign custom packages (including client configuration RPMs) for the Red Hat Update Infrastructure (RHUI) client profile.

   • A 4,096-bit RSA key is used because this profile will be used for RHUI servers that run on Red Hat Enterprise Linux (RHEL) 6 or RHEL 7. Gathering sufficient random data to generate a 4,096-bit key may take a significant amount of time, particularly if the Red Hat Update Appliance (RHUA) is a virtual machine. The disk activity created by a repository or content delivery server (CDS) synchronization may speed up the process.

   • The name of the client profile RPM (in this case, rhui-client-rhui), which will be created in a later step, is used as the comment portion of the user ID. It is recommended that a different signing key be used for each client profile; the client profile name is used to distinguish the user IDs of the different keys.

     # gpg --gen-key
     
     gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
     
     This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
     
     Please select what kind of key you want:
     
     1. RSA and RSA (default)
     2. DSA and Elgamal
     3. DSA (sign only)
     4. RSA (sign only)
     
     Your selection? 4
     
     RSA keys may be between 1024 and 4096 bits long.
     
     What keysize do you want? (2048) 4096
     Requested keysize is 4096 bits
     
     Please specify how long the key should be valid.
     
     0 = key does not expire
      = key expires in n days
     w = key expires in n weeks
     m = key expires in n months
     y = key expires in n years
     
     Key is valid for? (0) 0
     Key does not expire at all.
     
     Is this correct? y
     
     GnuPG needs to construct a user ID to identify your key.
     
     Real name: $YOURNAME
     
     Email address: $USER@$HOST.com
     
     Comment: rhui-client-rhui
     
     You selected this user ID:
     
     “$USERID (rhui-client-rhui) <$USER@$HOST.com>"
     
     Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
     
     You need a Passphrase to protect your secret key.

2. Enter a high-quality password and record it in a secure location:

   gpg: key EDD092F4 marked as ultimately trusted
   
   public and secret key created and signed.
   
   gpg: checking the trustdb
   
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   
   gpg: depth: 0   valid:   1   signed:   0   trust:  0-, 0q, 0n, 0m, 0f, 1u
   
   pub    4096R/EDD092F4  2015-11-25
   
   Key fingerprint = 1139 932A 26E2 981A 1341 D636 0DDB B5F6 EDD0 925F4
   
   uid Red Hat $USERID (rhui-client-rhui) <user@redhat.com>
   
   Note that this key cannot be used for encryption. You may want to use the command “--edit-key” to generate a subkey for this purpose.

3. Create a second key. This time choose option 3, DSA (sign only), as the key type and enter 1024 bits as the key size. These options create a key that can be used to sign RPMs for RHEL 6 and RHEL 7. Use rhui-client-all as the comment portion of the user ID.

4. Export the two keys:

   # mkdir /root/rpm-gpg
   # gpg --export --armor rhui-client-rhui >> /root/rpm-gpg/rhui-client-rhui
   # gpg --export --armor rhui-client-all >> /root/rpm-gpg/rhui-client-all

   GPG defaults to substring matching when searching for keys. It is only necessary to specify the unique portion of the user ID (the client profile RPM name in this case). The traditional RPM-GPG-KEY- prefix will be added to the GPG key file names when the Red Hat Update Infrastructure Management Tool creates client configuration packages.

Procedure

1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

   [root@rhua ~]# rhui-manager

2. From the Repository Management screen, press c to select create a new custom repository (RPM content only).

   ------------------------------------------------------------------------------
                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Repository Management =-
   
      l   list repositories currently managed by the RHUI
      i   display detailed information on a repository
      a   add a new Red Hat content repository
      ad  add a new Red Hat docker container
      c   create a new custom repository (RPM content only)
      d   delete a repository from the RHUI
      u   upload content to a custom repository (RPM content only)
      ur  upload content from a remote web site (RPM content only)
      p   list packages in a repository (RPM content only)
   
   Connected: rhua.example.com
   ------------------------------------------------------------------------------

3. Enter a unique ID for the repository. Only alphanumeric characters, _ (underscore), and - (hyphen) are permitted. You cannot use spaces in the unique ID. For example, repo1, repo_1, and repo-1 are all valid entries.

   Unique ID for the custom repository (alphanumerics, _, and - only):

4. Enter a display name for the repository. This name is used to identify the repository within the Red Hat Update Infrastructure Management Tool.
5. Specify the path that will host the repository. The path must be unique across all repositories hosted by RHUI. For example, if you specify the path at this step as some/unique/name, then the repository will be located at //server/pulp/repos/some/unique/name.

6. Select sha256 as the checksum type to be used for the repository metadata.

   Note

   Use sha256 when you create a custom repository for RHEL 6 or RHEL 7. Use sha1 if you create repositories for RHEL 5 client.

7. Choose whether to protect the new repository. If you answer no to this question, any client can access the repository. If you answer yes, only clients with an appropriate entitlement certificate can access the repository.

   Note

   As the name implies, the content in an unprotected repository is available to any system that requests it, without any need for a client entitlement certificate. Be careful when using an unprotected repository to distribute any content, particularly content such as updated client configuration RPMs, which will then provide access to protected repositories.

   Use of unprotected repositories is a “break glass in case of emergency” course of action.

   If you choose to protect the new repository, the Red Hat Update Infrastructure Management Tool will ask for the entitlement path. It will also suggest the entitlement path based on the repository’s relative path.

   Client entitlement certificates contain the download URLs that they are allowed to access. The RHUI analyzes the contents of the certificate to determine if the repository requested matches any of the permitted URLs, which determines whether to allow the client to authenticate. For example, if an entitlement certificate grants access to /some/unique/name and the request is made to a repository located at //server/pulp/repos/some/unique/name/os/repodata, the RHUI will approve the request and grant the authentication because the path begins with one of the entitled download URLs. The URL only needs to begin with the correct information; it does not need to match exactly.

   Note

   If the /some/unique/name repository that was created in pulp-admin was not added in a custom group, /some/unique/name is not displayed in the Red Hat Update Infrastructure Management Tool. If you try to create a repository with the same ID /some/unique/name in the Red Hat Update Infrastructure Management Tool and are not aware that /some/unique/name repository was created in pulp-admin, you will see a message saying "A repository with ID /some/unique/name already exists".

   Entitlements can also contain variables, as long as yum knows the value for the variable. The two most common variables to use are $basearch and $releasever, which are populated with details of the client making the request. For example, if an entitlement certificate grants access to /unique-name/$basearch/bar and the request is made to a repository located at //server/pulp/repos/unique-name/x86_64/bar, the RHUI will approve the request and grant the authentication because the path matches when the variable is populated.

   The Red Hat Update Infrastructure Management Tool suggests a path to use based on the variables you used when you gave it a path for the repository. Leave the field blank to accept the suggested path.

   The Red Hat Update Infrastructure Management Tool will ask if you want GNU Privacy Guard (GPG) signature turned on for content in that repository. If you press y, you will be asked if the content will be signed by Red Hat. Answering yes will include the Red Hat GPG key in the repository configuration. You are then asked if the content will be signed by a custom GPG key. Answering yes will prompt for a path to a public GPG key to include in the repository configuration. You can continue entering multiple paths to public GPG keys.

   Should the repository require clients to perform a GPG check and verify packages are signed by a GPG key? (y/n) y
   
   Will the repository be used to host any Red Hat GPG signed content? (y/n) y
   
   Will the repository be used to host any custom GPG signed content? (y/n) y
   
   Enter the absolute path to the public key of the GPG key pair:
   /root/rpm-gpg/rhui-client-rhui.gpg
   
   Would you like to enter another public key? (y/n) y
   
   Enter the absolute path to the public key of the GPG key pair:
   /root/rpm-gpg/rhui-client-all.gpg
   
   Would you like to enter another public key? (y/n) n

8. The details of the new repository displays. Press y at the prompt to confirm the information and create the repository.

Procedure

1. Install the client configuration RPM on each client node that requires updating:

   # yum install /path/to/client_custom.rpm

2. The client configuration RPM will configure a yum repository called rhui-$ORIGINALNAME. Use the yum update command to update each node.

   # yum update

   Note

   Running the yum update command pulls updates from all enabled yum repositories. To pull updates from the rhui-rhui-3 yum repository only, use the following command:

   # yum --disablerepo=* --enablerepo=rhui-rhui-3 update

Procedure

1. Integrate the image with the Red Hat Update Infrastructure (RHUI) by transferring the RHUI entitlement RPM and GPG key to the target RHEL client system.

2. Install the appropriate client configuration RPM:

   # yum install <rhui-client-rhel7>

3. Import the Red Hat release GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) into the entitlement RPM, along with any custom repository keys.

4. Import the entitlement RPM GPG key:

   #rpm --import <rhui-client-rhui>

5. Updates will come from RHUI instead of the Red Hat Subscription Manager (rhsm); turn off rhsm by editing ./rhsm.conf to reflect enabled=0.
6. Optionally (but strongly recommended), run the yum update command to apply all available updates.

Procedure

1. Run the following script:

   #!/bin/bash
   
   # RHEL 7
   if ! [[ `runlevel | cut -d " " -f 2` =~ ^[1S]$ ]]; then
   echo "Please *boot* to runlevel 1"
   exit 3
   fi
   
   # Kill udev
   killall -9 udevd
   
   # Clean out /root
   rm -rf /root/*
   rm -f /root/.bash_history
   rm -rf /root/.ssh
   
   # SSH host keys
   rm -f /etc/ssh/ssh_host_*
   # Remove all files in /var that are not owned by an RPM
   
   for FILE in `find /var -type f`; do
   rpm -qf --quiet "$FILE" || rm -f "$FILE"
   
   done
   
   # Remove empty directories in /var that are not owned by an RPM
   
   until [ "$REMOVED_DIR" = false ]; do
        REMOVED_DIR=false
        for DIR in `find /var -type d -empty`; do
       if ! rpm -qf --quiet "$DIR"; then
            REMOVED_DIR=true
            rmdir "$DIR"
       fi
    done
   
   done
   
   # Truncate any remaining files in /var/log
   for FILE in `find /var/log -type f`; do
      echo -n > "$FILE"
   
   done
   
   # Make sure the RPM GPG key has been imported
   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 2> /dev/null
   
   # Remove MAC addresses from /etc/sysconfig/network-scripts/ifcfg-*
   for FILE in /etc/sysconfig/network-scripts/ifcfg-*; do
   
      sed -i /^HWADDR/d "$FILE"
   
   done
   
   # Remove auto-generated udev rules for CD-ROM and network devices
   rm -f /etc/udev/rules.d/70-persistent-{cd,net}.rules
   
   # Clean out /tmp
   find /tmp -mindepth 1 -delete

2. Copy the script to /mktemplate.sh and reboot the system to runlevel 1.

   Note

   Do not change to runlevel 1 instead of rebooting (with init 1, for example). Changing to runlevel 1 leaves certain daemons running that are not running when the system is booted to single-user mode (notably rsyslog).

3. When the system has rebooted into single-user mode, run the following commands:

   # unset HISTFILE
   # chmod 0755  /mktemplate.sh
   # /mktemplate.sh
   # rm -f /mktemplate.sh
   # poweroff

Procedure

1. Run the following command from the RHUA to display orphaned packages:

   [root@rhua ~]# pulp-admin -u admin -p admin orphan list

2. Run the following command to see available arguments:

   [root@rhua ~]# pulp-admin -u admin -p admin orphan list --help
   Command: list
   Description: display a list of orphaned units
   
   Available Arguments:
   
     --type    - restrict to one content type such as "rpm", "errata",
                 "puppet_module", etc.
     --details - include a detailed list of the individual orphaned units, ignored
                 when content type is not specified

3. There are three flags for removing orphans:

           --type=<type> to remove all the orphaned content units of a particular type
           --id=<id> to remove a particular orphaned content unit
           --all to remove all the orphaned content units on the server

   Here is one example of how to delete an orphan:

   [root@rhua ~]# pulp-admin orphan remove --all

4. Run the following command to see a list of arguments:

   [root@rhua ~]# pulp-admin -u admin -p admin orphan remove --help
   Command: remove
   Description: remove one or more orphaned units
   
   Available Arguments:
   
     --bg      - if specified, the client process will end immediately (the task
                 will continue to run on the server)
     --type    - restrict to one content type such as "rpm", "errata",
                 "puppet_module", etc.
     --unit-id - ID of a content unit; if specified, you must also specify a type
     --all     - remove all orphaned units, ignoring other options

Procedure

1. In the Red Hat Update Infrastructure Management Tool home screen, press c to access the Content Delivery Server (CDS) Management screen:

                -= Red Hat Update Infrastructure Management Tool =-
   
   -= Home =-
   
      r   manage repositories
      c   manage content delivery servers (CDS)
      l   manage HAProxy load-balancer instances
      s   synchronization status and scheduling
      e   create entitlement certificates and client configuration RPMs
      n   manage Red Hat entitlement certificates
      u   manage RHUI users
   
                                                      Connected: rhua.example.com

2. From the Content Delivery Server (CDS) Management screen, press l at the prompt to list the CDS nodes that RHUI manages:

   ------------------------------------------------------------------------------
          	-= Red Hat Update Infrastructure Management Tool =-
   
   -= Content Delivery Server (CDS) Management =-
   
   l   list all known CDS instances managed by the RHUI
   a   register (add) a new CDS instance
   r   reinstall and reapply configuration to an existing CDS instance
   d   unregister (delete) a CDS instance from the RHUI
   
                                   	Connected: ip-10-99-206-124.ec2.internal
   ------------------------------------------------------------------------------
   rhui (cds) =>l
   
   -= RHUI Content Delivery Servers =-
   
   Hostname:         	cds1.example.com
   SSH Username:     	root
   SSH Private Key:  	/root/.ssh/cds.rsa
   
   Hostname:         	cds2.example.com
   SSH Username:     	root
   SSH Private Key:  	/root/.ssh/cds.rsa
   
   Hostname:         	cds3.example.com
   SSH Username:     	root
   SSH Private Key:  	/root/.ssh/cds.rsa
   ------------------------------------------------------------------------------

Procedure

1. The /var/lib/pulp directory may be large, depending on how many repositories have been deployed on the Red Hat Update Appliance. See Preparing your Environment for Installation for specific storage requirements, or use the du command from the command line interface to determine its size.

2. Stop the pulp-server services.

   # systemctl stop pulp_workers; systemctl stop pulp_resource_manager; systemctl stop pulp_celerybeat

3. Replace stop with status in the above commands to verify each service has stopped.

4. It is important that the following files retain their current attributes when backed up:

   • /etc/httpd/conf.d/05-pulp-https.conf
   • /etc/httpd/conf.d/pulp*
   • /etc/httpd/conf.d/ssl.conf
   • /etc/pki/katello-certs-tools/*
   • /etc/pki/pulp/*
   • /etc/pki/rhui/*
   • /etc/pulp/*
   • /etc/puppet/*
   • /etc/rhui/*
   • /etc/rhui/rhui-tools.conf
   • /etc/rhui-installer/*
   • /etc/qpid/qpidd.conf
   • /var/lib/mongodb/pulp_database*
   • /var/lib/pulp/*
   • /var/log/pulp/*
   • /var/log/httpd/*

   • /var/lib/puppet/*

     Use the following command to back up the files:

     # cp -a source_files_path destination_files_path

5. You may want to back up any generated client entitlement certificates and client configuration RPMs.

6. Restart the pulp-server services.

   # systemctl start pulp_workers; systemctl start pulp_resource_manager; systemctl start pulp_celerybeat

7. Replace start with status in the above commands to verify each service has started.

Procedure

1. Prepare a new Red Hat Update Appliance instance by following Section 4.2, “Register Red Hat Update Infrastructure” and Section 4.3, “Attach a subscription to the Red Hat Update Appliance”. When those steps are completed, proceed with the following restoration steps.

2. Stop the pulp-server services.

   # systemctl stop pulp_workers; systemctl stop pulp_resource_manager; systemctl stop pulp_celerybeat

3. Replace stop with status in the above commands to verify each service has stopped.

   Important

   It is crucial that the files included in the restore retain their current attributes.

4. Use the following command to restore the files to their original locations:

   # cp -a source_files_path destination_files_path

5. Restart the pulp-server services.

   # systemctl start pulp_workers; systemctl start pulp_resource_manager; systemctl start pulp_celerybeat

6. Replace start with status in the above commands to verify each service has started.

Procedure

1. The /var/lib/pulp directory may be large, depending on how many repositories have been deployed on the Red Hat Update Appliance. See Preparing your Environment for Installation for specific storage requirements, or use the du command from the command line interface to determine its size.

2. Stop the httpd service.

   # systemctl stop httpd

3. Replace stop with status in the above commands to verify each service has stopped.

4. It is important that the following files retain their current attributes when backed up:

   • /etc/httpd/conf.d/*.conf
   • /var/lib/pulp/*
   • /var/log/pulp/*
   • /var/log/httpd/*
   • /etc/pki/rhui/*
   • /etc/pulp/*

   • /var/lib/puppet/*

     Use the following command to back up the files:

     # cp -a source_files_path destination_files_path

5. In addition to the above files, you may want to back up any generated client entitlement certificates and client configuration RPMs.

6. Restart the service.

   # systemctl start httpd

7. Replace start with status in the above commands to verify each service has started.

Procedure

1. Prepare a new CDS instance by following all steps in Section 7.1, “Add a content delivery server”. When those steps are completed, proceed with the following restoration steps.

2. Stop the httpd service.

   # systemctl stop httpd

3. Replace stop with status in the above commands to verify each service has stopped.

   Important

   It is crucial that the files included in the restore retain their current attributes.

4. Use the following command to restore the files to their original locations:

   # cp -a source_files_path destination_files_path

5. Restart the httpd service.

   # systemctl start httpd

6. Replace start with status in the above commands to verify each service has started.

Procedure

1. It is important that the following files retain their current attributes when backed up:

   • /etc/haproxy/haproxy.cfg
   • /etc/pki/rhui/*
   • /var/lib/puppet/*

2. Use the following command to back up the files:

   # cp -a source_files_path destination_files_path

3. In addition to the above files, you may want to back up any generated client entitlement certificates and client configuration RPMs.

Procedure

1. Prepare a new HAProxy instance by following all steps in Chapter 8, Add an HAProxy load balancer. When those steps are completed, proceed with the following restoration steps.

   Important

   It is crucial that the files included in the restore retain their current attributes.

2. Use the following command to restore the files to their original locations:

   # cp -a source_files_path destination_files_path