Foreman, Katello, puppet

Red Hat Satellite 6 is a re-engineering of the Red Hat Satellite product, it has been built from the ground-up on different and more modern technologies. Red Hat Satellite 6 is a federation of several upstream open source projects, including Katello, Foreman, Pulp and Candlepin. All products are open source projects, and Red Hat is the biggest contributor in each case.

What does each product do?

1. Foreman: provisioning on new clients.
2. Pulp: patch and content (package repository) management.
3. Candlepin: subscription and entitlement management.
4. Puppet: configuration management (actual running of modules assigned in Foreman).
5. Katello: unified workflow and WebUI for content (Pulp) and subscriptions (Candlepin).

Initially Katello was a standalone application, but it’s now a plugin to the Foreman. Foreman is a complete lifecycle management tool for physical and virtual servers. When we talk about Katello, we have in mind a Foreman server with Katello plugin.

Software

Software used in this article:

1. CentOS 7.2
2. Foreman 1.13
3. Katello 3.2
4. Puppet 3.6
5. Pulp server 2.8
6. Candelpin 0.9

Hardware Requirements

Katello may be installed onto a baremetal host or on a virtual guest. The minimum requirements are:

• Two Logical CPUs
• 8 GB of memory minimum
• The filesystem holding /var/lib/pulp needs to be large, but may vary depending on how many different Operating Systems you wish to syncronize:
  • Allocate 30 GB of space for each operating system. Even though an operating system may not take up this much space now, this allows space for future updates that will be syncronized later.
• The path /var/spool/squid/ is used as a temporary location for some types of repository syncs and may grow to consume 10s of GB of space before the files are migrated to /var/lib/pulp. You may wish to put this on the same partition as /var/lib/pulp.
• The filesystem holding /var/lib/mongodb needs at least 4 GB to install, but will vary depending on how many different Operating Systems you wish to syncronize:
  • Allocate around 40% of the capacity that has been given to the /var/lib/pulp filesystem
• The root filesystem needs at least 20 GB of Disk Space

Required Ports

The following ports need to be open to external connections:

• 80 TCP - HTTP, used for provisioning purposes
• 443 TCP - HTTPS, used for web access and api communication
• 5647 TCP - qdrouterd - used for client and capsule actions
• 9090 TCP - HTTPS - used for communication with the smart proxy

Step:2 Set the firewall rules for katello

Run the below command to open the ports in OS firewall for katello setup.

[root@cos-foreman ~]# firewall-cmd --permanent --add-port="80/tcp" --add-port="443/tcp" --add-port="5646/tcp" --add-port="5647/tcp" --add-port="5671/tcp" --add-port="5672/tcp"  --add-port="8140/tcp" --add-port="9090/tcp"

[root@cos-foreman ~]# firewall-cmd --reload

Step:3 Set the required repositories for katello

Run the beneath commands one after the other to set the required repositories for katello setup.

[root@cos-foreman-pa ~]# yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm

[root@cos-foreman-pa ~]# yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm

[root@cos-foreman-pa ~]# yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm

[root@cos-foreman-pa ~]# yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

[root@cos-foreman-pa ~]# yum -y install foreman-release-scl

Now again update your system as we have added new repositories.

[root@cos-foreman-pa ~]# yum -y update

Step:4 Put the server to the Active directory domain

Join Debian to Active Directory

As we want to login to Katello with my Active Directory credentiel, I need to configure external authentification

The katello-installer command is by default set for the IdM/IPA integration. Change this setting by creating the /etc/ipa/default.conf file with the following content:

[global]

   server = unused

   realm = EXAMPLE.ORG

4.1 Create the /etc/net-keytab.conf file with the following content :

[global]

   workgroup = EXAMPLE

   realm = EXAMPLE.ORG

   kerberos method = system keytab

   security = ads

4.2 Create a keytab file for HTTP using the following command :

# KRB5_KTNAME=FILE:/etc/gssproxy/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf

This command fetches the HTTP service keytab file from the AD server and stores it at /etc/gssproxy/http.keytab. Make sure this file is owned by the root user and group:

# chown root:root /etc/gssproxy/http.keytab

4.3 Create an empty keytab file at /etc/httpd/conf/http.keytab :

# touch /etc/httpd/conf/http.keytab

4.4 Place the following text at the beginning of the /etc/gssproxy/gssproxy.conf configuration file:

[service/HTTP]

  mechs = krb5

  cred_store = keytab:/etc/gssproxy/http.keytab

  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U

  euid = 48

Here, 48 is the effective UID of the Apache user. This text must precede any section containing the allow_any_uid=yes directive, therefore place it before the [service/nfs-client] section in the file.

4.5 Create a separate cache directory for Kerberos to avoid AVC denials :

# mkdir /var/lib/gssproxy/rcache

To configure the gssproxy service to use the cache, create the /etc/systemd/system/gssproxy.service file and insert the following text:

.include /usr/lib/systemd/system/gssproxy.service

[Service]

Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache

Apply changes to the service:

# systemctl daemon-reload

Start and enable the gssproxy service:

# systemctl restart gssproxy.service

# systemctl enable gssproxy.service

Configure the Apache server to use GSS-proxy by creating the /etc/systemd/system/httpd.service file with the following content:

.include /lib/systemd/system/httpd.service

[Service]

Environment=GSS_USE_PROXY=1

Apply changes to the service:

# systemctl daemon-reload

Start and enable the httpd service:

# systemctl restart httpd.service

Step:5 Install Katello Package and start the installation

Run the following yum command to install katello packages.

root@ # yum -y install katello

At this point the foreman-installer should be available to setup the server.

Foreman can be installed without Katello, as Katello is now a plugin to Foreman (Katello was a standalone application in early days, not the case anymore). As we want to have a WebUI, we are going for Foreman with Katello.

# foreman-installer --list-scenarios

Available scenarios

  Capsule (use: --scenario capsule)

        Install a stand-alone Capsule.

  Katello (use: --scenario katello)

        Install Foreman with Katello

  Foreman (use: --scenario foreman)

        Default installation of Foreman

Foreman is the main part, as whole architecture is based on it. The rest is just integration to do certain tasks.

To customise the installation, check a list of parameters available:

# foreman-installer --scenario katello --help

We can now start the installation of Katello with Active Directory External authentification

root@ # foreman-installer \

--scenario katello \

--katello-proxy-url=http://proxy.YOURDOMAIN.lan \

--katello-proxy-port=9876 \

--foreman-ipa-authentication=true

Installing             Done                                               [100%] [.................................................................................................................]

  Success!

  * Katello is running at https://cos-foreman.YOURDOMAIN.COM

      Initial credentials are admin / BsAoWjT57qteSLpV

  * To install an additional capsule on a separate machine run the following command:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/katello.log