Adding non RHEL products to your Red Hat Satellite 6

 

Red Hat Satellite 6 has features that allow you to import content that is not Red Hat related and distribute this content across your Linux fleet. If you are on a disconnected environment and you want to ensure that you are the sole source of this content, synchronising content through Red Hat Satellite 6 is a great way to ensure that your end users are only obtaining content from one source. If they are already getting RHEL content from your Satellite, you can add value by providing other repositories, such as hardware, EPEL, Foreman, Jenkins and so on. If you have a routine to bring RHEL content into your disconnected Satellite 6, adding non RHEL products to this takes a matter of minutes and the overhead is fairly low. The initial export and import is the only time-consuming process.

For this example, I will use EPEL as it is widely used by a Linux fleet of hosts. As I am located in Australia and on the Optus network, I have picked the Optus Mirror located at http://mirror.optus.net/epel/

To start with, browse to the site and grab the GPG keys, as you want users to be able to access them and verify the packages themselves if required. Upload the GPG keys.

Now to add the EPEL product into Satellite. Fill in the necessary details, associate the product with the EPEL GPG key that we just uploaded and add the product to a sync plan if you choose to.

We will use Repo Discovery to add EPEL 7. Insert the URL of the repo (in this case EPEL 7 Server x86_64 from the Optus mirror) and click discover.

Once we have created the repo, we can begin to sync this content and start distributing the product to customers. We now have some options on how we want to distribute the product: we can choose to add it into a content view or not. We can also choose to make this content available via HTTP, in which case users do not need to register to Satellite to grab any package and can use the repo as they normally would on non RHEL products such as Fedora or CentOS.

A quick and dirty way to add this repo to a host is to create epel.repo (the name can be anything as long as it ends with .repo):

[examplerepo]
name=Example Repository
baseurl=http://voyager.lab.dev/pulp/repos/Lab/Library/custom/EPEL_7/x86_64/
enabled=1
gpgcheck=0

If you make the EPEL GPG keys available for users, they can download them and import them onto the host.
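The quick repo file above sets gpgcheck=0, so packages from it are installed without a signature check. As an added example, not part of the original post, this script lists enabled repo sections that turn the check off; its constructed sample puts the post's file next to one with gpgcheck=1, where the second repo id and the gpgkey path are assumptions.

```shell
# Added example, not from the original post.
# audit_repos DIR: print "file:section" for each enabled section in
# DIR/*.repo whose gpgcheck is explicitly 0/false/no.
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function report() {
                if (section != "" && enabled !~ off && gpgcheck ~ off)
                    print file ":" section
            }
            BEGIN { off = "^(0|false|no)$" }
            /^[ \t]*[#;]/ { next }            # comment line
            /^[ \t]*\[/ {                     # start of a [section]
                report()
                section = $0
                sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
                enabled = "1"; gpgcheck = ""
                next
            }
            {
                i = index($0, "=")
                if (i == 0) next
                key = substr($0, 1, i - 1); val = tolower(substr($0, i + 1))
                gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                if (key == "enabled")  enabled = val
                if (key == "gpgcheck") gpgcheck = val
            }
            END { report() }
        ' "$f"
    done
}

# Constructed sample; the gpgkey path and second repo id are assumptions.
demo=$(mktemp -d)
cat > "$demo/epel.repo" <<'EOF'
[examplerepo]
baseurl=http://voyager.lab.dev/pulp/repos/Lab/Library/custom/EPEL_7/x86_64/
enabled=1
gpgcheck=0
EOF
cat > "$demo/epel-checked.repo" <<'EOF'
[examplerepo-checked]
baseurl=http://voyager.lab.dev/pulp/repos/Lab/Library/custom/EPEL_7/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
EOF
audit_repos "$demo"; rm -rf "$demo"
```

On a host, `audit_repos /etc/yum.repos.d` reports what is actually configured there.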

For users that are registered to Red Hat Satellite 6, we have the option of doing what we did above, or we can publish this into a content view and allow users to enable this repo through subscription manager. Once you have added this product into the content view, you can, through Satellite, have the repo enabled or disabled by default once a host is registered.

It is highly recommended to remove or filter the “epel-release” package, as this will create another EPEL repo pointed towards the internet.

Checking which errata is outstanding from the Red Hat Satellite 6 GUI

In light of the latest vulnerabilities, Meltdown and Spectre, it is recommended to patch your services as soon as possible to minimise any exposure. There are multiple ways to check which errata and patching is outstanding on your RHEL hosts. If you’re accustomed to the Red Hat Satellite 6 GUI or, as a Satellite administrator, you do not have access to certain RHEL hosts, you can still check which hosts have outstanding security errata.

The first way to check an individual host would be to check the host details.

Hosts –> Content Hosts 

Pick the content host whose outstanding errata you wish to see by clicking on the number next to the red security icon.

In the below picture you can see two servers. One that has no applicable updates, bug fixes and product enhancements (voyager.lab.dev) while the other host (discovery.lab.dev) has a number of outstanding updates that need to be applied. 

It will bring up a page of all the applicable errata. You can click on the individual Red Hat Security Advisory to bring up further details, such as which CVEs are applicable. You can also click through the affected CVE link and it will bring you to the official Red Hat page with further details of the CVE.

In the below image, you can see that the latest Red Hat Security Advisory RHSA-2018:0007 is applicable to this host.  

What if you wanted to check all your hosts that have a particular errata outstanding?

Navigate to Content –> Errata

It will bring up a list of all errata applicable to all hosts; however, we want to narrow this down. In the search field you will need to type:

id = RHSA-2018:0007 (we’ll keep with the common theme here)

Select Content Hosts and it will bring up all content hosts that have this errata applicable. You can remotely install the errata if you choose to; however, Katello Agent needs to be installed for this.

The below image indicates the following hosts have RHSA-2017:0008 outstanding and can be applied from the Satellite 6 GUI.

You can perform these functions on individual hosts through the yum security plugin; however, this may not be feasible if you do not have access to the host. Red Hat Satellite 6 will not reboot your hosts. The owner needs to develop a strategy for when to reboot a host, particularly if it’s a production host and a reboot can lead to an outage.

Populating your air gapped Red Hat Satellite 6

One of the great features that I have become accustomed to using in Red Hat Satellite 6 is the ability to provide content and patching services to your entire Red Hat Enterprise Linux (RHEL) fleet on an air gapped network. Anyone that has worked on an air gapped network will understand the challenges there are in using internet connected products that cannot dial home.

This is where Satellite 6 can step up and provide continuity to your RHEL fleet and ensure these hosts receive the latest security errata and packages. One of the Red Hat recommendations for a disconnected content transfer to populate your disconnected Satellite 6 is through content ISOs. Another method is through the Inter-Satellite Sync.

You can find these on the Red Hat website here (sign in required):

Export Content ISO’s
https://access.redhat.com/articles/1375133

Inter-Satellite Sync
https://access.redhat.com/articles/2390791

There is another method that can be performed to ensure that your air gapped Satellite 6 continues to replicate an internet connected Satellite 6 with the latest errata and packages. This is done through a series of scripts that were written by Geoff Gatward and continue to be updated and fine tuned. These scripts are now active on the various Satellite 6 instances I sustain for the customer and are the backbone of content transfers across various networks. Weekly exports of various RHEL products and EPEL are brought across and ingested within hours for customers to apply security errata or install packages.

You are able to download the scripts from here.

https://github.com/RedHatSatellite/sat6_scripts

One caveat: these scripts are not supported by Red Hat. However, feel free to leave comments if you require further clarification. Geoff has put a lot of time and effort into these scripts and they are now used by various users of air gapped Satellite 6 instances.

There are extremely detailed instructions provided with the package, as there are some configuration changes that you will need to make on both your Satellite 6 instances. Depending on your process to transfer files across to your air gapped network, these scripts can be automated to import content, promote and publish your content views through cron. I will talk a bit more about how to configure the scripts and automate these functions in my next post.

In the meantime, feel free to reach out if you have any questions.

Learning to love Red Hat Satellite 6

Red Hat Satellite 6 is one beast of a product based on various upstream projects and brought together by Red Hat. Satellite 6 can certainly change the way you manage your Red Hat Enterprise Linux fleet and simplify your tasks in configuration management, patch management, provisioning and subscriptions.

You can also bring Red Hat Satellite 6 into your environment to minimise bandwidth requirements or to enable Red Hat content onto your disconnected and air gapped networks through established procedures.

I am an avid user of Satellite 6 and work with a customer with multiple Satellite 6 instances and over 10 capsules to enable Red Hat Content to over 4000+ registered content hosts, with the number increasing daily. There are established procedures for syncing content from the Red Hat CDN to disconnected Satellite 6 instances to provide content in a timely fashion to customers.

Working closely with the customer, I have been a part of migrating users from Satellite 5 and bringing them across to Satellite 6, which presented multiple challenges and pushback from a variety of stakeholders.

Learning to love Red Hat Satellite 6 can be a challenge in itself and a journey to understand all the features and benefits using this product can provide. Every customer will have different requirements and Satellite 6 aims to work in some of the most challenging environments.

Through a series of blogs, I aim to break down some of the difficulties users have with the product and provide an insight into how Satellite 6 works as a disconnected product for content and subscription management. Stay tuned!