A Red Hat Satellite server lets you deploy Red Hat Enterprise Linux automatically over PXE/DHCP. From there you can manage installation profiles (kickstarts), package updates and errata, and a number of routine administrative tasks from one place.
If you don’t have the budget, or simply want a lab, you can use its free upstream equivalent: Spacewalk.
Make sure that every future client, and the server itself, can resolve names through the DNS server. In this guide the server is called ‘satellite-master’, and it must stay resolvable under that name by every client: the server SSL certificate and the client configuration are tied to it, and PXE provisioning will not work otherwise.
Installing it is quite simple: an installer does everything. You will, however, need the Red Hat DVD for the dependencies (I recommend a local yum repository built from it), and the Satellite installer copied locally (/home/sat in my case).
Note: use the --disconnected option if you are behind a proxy (no direct access to RHN) during installation.
Then we’ll simply launch the installation:
> /home/sat/install.pl
* Starting the Red Hat Network Satellite installer.
* Performing pre-install checks.
* Pre-install checks complete. Beginning installation.
* RHN Registration.
** Registration: Disconnected mode. Not registering with RHN.
* Checking for uninstalled prerequisites.
** Checking if yum is available ...
There are some packages from Red Hat Enterprise Linux that are not part
of the @base group that Satellite will require to be installed on this
system. The installer will try resolve the dependencies automatically.
However, you may want to install these prerequisites manually.
Do you want the installer to resolve dependencies [y/N]? y
We answer ‘y’ to this question so it installs the necessary packages automatically.
We’ll wait a bit and then provide the email and certificate:
* Applying updates.
* Installing RHN packages.
Warning: more packages were installed by yum than expected:
cdparanoia-libs
cups
cvs
foomatic
foomatic-db
foomatic-db-filesystem
foomatic-db-ppds
gdb
gettext
ghostscript
ghostscript-fonts
gstreamer
gstreamer-plugins-base
gstreamer-tools
iso-codes
java-1.5.0-gcj
java_cup
lcms-libs
libICE
libSM
libXfont
libXt
libXv
libXxf86vm
libfontenc
libgomp
libmng
libogg
liboil
libtheora
libvisual
libvorbis
mailcap
make
mesa-dri-drivers
mesa-libGL
mesa-libGLU
openjpeg-libs
patch
pax
perl-CGI
perl-Compress-Raw-Zlib
perl-Error
perl-ExtUtils-MakeMaker
perl-ExtUtils-ParseXS
perl-IO-Compress-Base
perl-IO-Compress-Zlib
perl-Test-Harness
perl-Test-Simple
perl-YAML-Syck
perl-devel
phonon-backend-gstreamer
poppler
poppler-data
poppler-utils
portreserve
python-setuptools
qt
qt-sqlite
qt-x11
qt3
redhat-lsb
redhat-lsb-graphics
redhat-lsb-printing
sinjdoc
urw-fonts
xml-common
xorg-x11-font-utils
Warning: yum did not install the following packages:
libXpm
* Now running spacewalk-setup.
* Setting up Oracle environment.
* Setting up database.
** Database: Installing the database:
** Database: This is a long process that is logged in:
** Database: /var/log/rhn/install_db.log
*** Progress: ############################** Database: Installation complete.
** Database: Setting up database connection for Oracle backend.
** Database: Testing database connection.
** Database: Populating database.
*** Progress: #########################################################* Setting up users and groups.
** GPG: Initializing GPG and importing key.
** GPG: Creating /root/.gnupg directory
You must enter an email address.
Admin Email Address? deimos@deimos.fr
* Performing initial configuration.
* Activating RHN Satellite.
Where is your satellite certificate file? /root/deimos.cert
We’ll answer ‘y’ to this question:
** Loading RHN Satellite Certificate.
** Verifying certificate locally.
** Activating RHN Satellite.
* Enabling Monitoring.
* Configuring apache SSL virtual host.
Should setup configure apache's default ssl server for you (saves original ssl.conf)[Y]? y
Enter a password for the certificate:
** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
* Configuring tomcat.
** /etc/tomcat6/tomcat6.conf has been backed up to tomcat6.conf-swsave
** /etc/tomcat6/server.xml has been backed up to server.xml-swsave
** /etc/tomcat6/web.xml has been backed up to web.xml-swsave
* Configuring jabberd.
* Creating SSL certificates.
CA certificate password?
Re-enter CA certificate password?
Organization? deimos
Organization Unit [satellite-master.deimos.fr]?
Email Address [deimos@deimos.fr]?
City? Paris
State? IDF
Country code (Examples: "US", "JP", "IN", or type"?" to see a list)? FR
** SSL: Generating CA certificate.
** SSL: Deploying CA certificate.
** SSL: Generating server certific
** SSL: Storing SSL certificates.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y/n]?y
cobblerd does not appear to be running/accessible
* Restarting services.
Installation complete.
Visit https://satellite-master.deimos.fr to create the RHN Satellite administrator account.
And the installation is complete. Now let’s update yum to install 2 missing packages:
We’re going to install a DHCP server so we can push the OS over PXE/TFTP (the TFTP side is already set up by the Satellite installer through Cobbler). If you already have a DHCP server, skip straight to the configuration. Keep in mind that DHCP and PXE are unauthenticated: any host able to answer DHCP on these segments can point clients at its own next-server and boot image, so keep the provisioning ranges on their own segments.
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "deimos.fr";
option domain-name-servers ns1.deimos.fr, ns2.deimos.fr;
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style none;
allow booting;
allow bootp;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# The two /27 ranges served for PXE. next-server must point at the TFTP
# server (the tftp service Cobbler enabled during the install) and
# filename at the pxelinux loader it serves.
subnet 10.102.2.32 netmask 255.255.255.224 {
    # NB: 10.102.2.63 is the broadcast address of 10.102.2.32/27, so it
    # cannot act as a gateway; the router must be a host address of the subnet.
    option routers 10.102.2.63;
    option subnet-mask 255.255.255.224;
    option domain-name-servers 192.168.0.69;
    range 10.102.2.33 10.102.2.62;
    next-server 10.102.2.1;
    filename "pxelinux.0";
}
subnet 10.102.2.64 netmask 255.255.255.224 {
    option routers 10.102.2.65;
    option subnet-mask 255.255.255.224;
    option domain-name-servers 192.168.0.69;
    range 10.102.2.66 10.102.2.94;
    next-server 10.102.2.1;
    filename "pxelinux.0";
}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.deimos.fr, rtr-239-0-2.deimos.fr;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.deimos.fr;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.deimos.fr;
#  option domain-name "internal.deimos.fr";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.deimos.fr;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.deimos.fr;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}
Then I’ll declare, in /etc/sysconfig/dhcpd, the interfaces on which the dhcpd service should listen:
# Command line options here
DHCPDARGS="eth1 eth2";
As I mentioned above, I have one interface per range, so we’ll add the appropriate routes:
Then restart the Satellite services so that the PAM option shows up when creating users:
rhn-satellite restart
A new checkbox will appear in the user creation section:
Use PAM to authenticate via LDAP, Kerberos, and other network-based authentication systems.
Note: The password fields above are not required when this box is checked; however, you can enter a password that will only work when PAM authentication for this user's account is disabled.
Create your repository under “Custom Channels”, and set the matching Red Hat channel as its parent if you want to add extra packages while keeping the standard Red Hat packages available.
We’ll need to generate a GPG key to sign our packages:
> gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C)2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Select the type of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (signature only)
   (4) RSA (signature only)
Your choice? 1
So we’ll choose the first option.
Then accept the default key size and, as here, no expiration. For a lab that is fine; for a production signing key you would rather set an expiry date, generate a revocation certificate right away, and keep a backup of the secret key off the Satellite.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Enter your information for package signing:
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Deimos FR
Email address: deimos@deimos.fr
Comment:
You selected this USER-ID:
    "Deimos <deimos@deimos.fr>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to protect your secret key.
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[25522]: directory `/root/.gnupg/private-keys-v1.d' created
Then enter a passphrase (twice, in the pinentry dialog):
/-----------------------------------------------------\
| Please re-enter this passphrase |
| |
| Passphrase ________________________________________ |
| |
| <OK> <Cancel> |
\-----------------------------------------------------/
The key is created and you are given the key ID:
Can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key DFC7E56C marked as ultimately trusted.
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/DFC7E56A 2012-03-12
      Key fingerprint = 4EC2 939F 3986 96CE 826C 665A 83D7 D404 DFC7 E56D
uid                  Deimos FR <deimos@deimos.fr>
sub   2048R/4425ACDD 2012-03-12
The key is now created, and we can sign our packages with it.
We can list our keys at any time like this:
gpg --list-keys
To export our newly created public key:
gpg --export -a 'Deimos fr' > /etc/pki/rpm-gpg/RPM-GPG-KEY-deimos
This key will be used to deploy packages for all our future clients.
To help with bulk package signing, we’ll create a small preferences file, ~/.rpmmacros, telling rpm which key to sign with:
%_signature gpg
%_gpg_name DFC7E56A
Replace the value of ‘%_gpg_name’ with your key ID.
Now we’ll declare our new key in Satellite at the kickstart level so our automated installations have this key present:
And finally the custom channel must carry the GPG key information. Then sign the package with the new key (rpm prompts for the passphrase):
> rpm --resign tmux-1.5-1.el6.x86_64.rpm
Enter passphrase:
Pass phrase is good.
Then add this RPM to your custom repository:
> rhnpush -c repo-test tmux-1.5-1.el6.x86_64.rpm
Red Hat Network username: deimos
Red Hat Network password:
-c repo-test: the -c option selects the channel (by label) the package is pushed into.
Now you need to update the package list in the web interface so clients can see them:
Now, on the client, you just need to do:
yum clean all
yum install tmux
Automating and simplifying package signing and adding
If you don’t want to have to constantly type your credentials, passphrase etc… every time you set up new packages, I created a small Python tool to save time:
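As an added example (this is not the author's tool, which is not reproduced on this page, nor part of Satellite or Spacewalk), here is a small Python script covering the signing and push steps above. It checks each RPM with rpm -Kv, signs the unsigned ones by driving rpm --resign through a pseudo-terminal so the passphrase is never typed, re-verifies, and then pushes with rhnpush -c. rpm -Kv, rpm --resign and the rhnpush -c/-u/-p/--server options are the real tools and options; the credentials file format (user=, password=, passphrase= lines in a mode-0600 file) and KEY_ID are assumptions of this example, and KEY_ID must match %_gpg_name in ~/.rpmmacros.

```python
#!/usr/bin/env python
# Added example, not the author's tool and not part of Satellite/Spacewalk.
# Signs RPMs with the channel key, verifies the signature, pushes with rhnpush.
# Assumptions (not from the page): a mode-0600 credentials file with the lines
# user=..., password=..., passphrase=...; KEY_ID equals %_gpg_name in ~/.rpmmacros.
import os
import pty
import re
import stat
import subprocess
import sys

KEY_ID = "DFC7E56A"

# Signature lines printed by `rpm -Kv`, e.g.
#   Header V4 RSA/SHA1 Signature, key ID dfc7e56a: OK
SIG_LINE = re.compile(r"Signature, key ID ([0-9a-fA-F]{8,16}): (OK|NOKEY|BAD)")

def parse_checksig(output):
    """Return [(key_id, status), ...] for every signature line in rpm -Kv output."""
    return [(m.group(1).lower(), m.group(2)) for m in SIG_LINE.finditer(output)]

def signed_by(output, key_id):
    """True only if the package has signatures and all of them verify OK with key_id."""
    sigs = parse_checksig(output)
    return bool(sigs) and all(k == key_id.lower() and s == "OK" for k, s in sigs)

def credentials_mode_ok(st_mode):
    """Refuse a credentials file that group or other can read or write."""
    return stat.S_IMODE(st_mode) & 0o077 == 0

def load_credentials(path):
    """Parse key=value lines; the passphrase never goes on argv or into the environment."""
    if not credentials_mode_ok(os.stat(path).st_mode):
        raise RuntimeError("%s must be mode 0600" % path)
    creds = {}
    for line in open(path):
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds

def push_command(channel, rpms, user, password, server=None):
    """argv for rhnpush: -c, -u, -p and --server are rhnpush's own options."""
    cmd = ["rhnpush", "-c", channel, "-u", user, "-p", password]
    if server:
        cmd += ["--server", server]
    return cmd + list(rpms)

def checksig_output(rpm):
    """Capture `rpm -Kv` so its result can be parsed rather than eyeballed."""
    proc = subprocess.Popen(["rpm", "-Kv", rpm], stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out = proc.communicate()[0]
    return out if isinstance(out, str) else out.decode("utf-8", "replace")

def resign(rpm, passphrase):
    """Run `rpm --resign` on a pseudo-terminal and answer its passphrase prompt;
    rpm reads the passphrase from the tty, not from stdin, so a pipe would not do."""
    pid, fd = pty.fork()
    if pid == 0:  # child: the pty is its controlling terminal
        os.execvp("rpm", ["rpm", "--resign", rpm])
        os._exit(127)
    seen = b""
    while True:
        try:
            chunk = os.read(fd, 1024)
        except OSError:  # EIO once rpm has exited and closed the slave side
            break
        if not chunk:
            break
        seen += chunk
        if b"pass phrase:" in seen.lower() or b"passphrase:" in seen.lower():
            os.write(fd, passphrase.encode("utf-8") + b"\n")
            seen = b""
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0

def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: %s CREDS_FILE CHANNEL RPM...\n" % argv[0])
        return 2
    creds, channel, rpms = load_credentials(argv[1]), argv[2], argv[3:]
    for rpm in rpms:
        if signed_by(checksig_output(rpm), KEY_ID):
            continue  # already carries our signature
        ok = resign(rpm, creds["passphrase"]) and signed_by(checksig_output(rpm), KEY_ID)
        if not ok:
            sys.stderr.write("%s: signing with key %s failed\n" % (rpm, KEY_ID))
            return 1
    return subprocess.call(push_command(channel, rpms, creds["user"], creds["password"]))

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as ./sign_and_push.py ~/.satcreds repo-test tmux-1.5-1.el6.x86_64.rpm. Because rhnpush receives the password on its command line, it is briefly visible in the process list on the signing host; if your rhnpush version reads a rhnpushrc file, prefer that. The same signed_by() check also tells you, for a package that a client rejects with NOKEY, whether it is unsigned or merely signed with a key the client has not imported.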
For various reasons, you may want to re-register a machine. It’s very simple - you need to remove the current references to the satellite, then restart the registration:
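Here is what that procedure looks like as an added Python example (not from the original page, and not part of the Satellite client tools). It verifies the SHA-256 fingerprint of the Satellite CA certificate against a value you obtained out of band (the certificate is typically fetched over plain http from the server's /pub directory, so pinning it is what actually protects the registration), removes the old identity files, and re-registers with rhnreg_ks --force. rhnreg_ks and its --serverUrl, --sslCACert, --activationkey and --force options are real; the state-file list beyond systemid (osad-auth.conf, only present when osad is installed), the CA path and the activation-key flow are this example's assumptions, and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
#!/usr/bin/env python
# Added example, not from the original page: re-register a RHEL client with the
# Satellite after wiping its old identity, checking the Satellite CA first.
# Assumptions (not from the page): the expected fingerprint and activation key
# are supplied by the operator; osad-auth.conf only exists when osad is installed.
import base64
import hashlib
import os
import subprocess
import sys

SERVER = "satellite-master.deimos.fr"
CA_PATH = "/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT"  # installed by rhn-org-trusted-ssl-cert
# Files that tie the client to its previous registration; systemid is the one
# the "No systemid" error on the page refers to.
STATE_FILES = ("etc/sysconfig/rhn/systemid", "etc/sysconfig/rhn/osad-auth.conf")

def client_state_paths(root="/"):
    """Absolute paths of the old identity files under root (root != "/" for tests)."""
    return [os.path.join(root, p) for p in STATE_FILES]

def purge_client_state(root="/"):
    """Delete the old identity files; returns the paths actually removed."""
    removed = []
    for path in client_state_paths(root):
        if os.path.exists(path):
            os.remove(path)
            removed.append(path)
    return removed

def pem_to_der(pem_text):
    """Base64-decode the body of a PEM block, ignoring the BEGIN/END lines."""
    body = [l.strip() for l in pem_text.splitlines()
            if l.strip() and not l.strip().startswith("-----")]
    return base64.b64decode("".join(body).encode("ascii"))

def sha256_fingerprint(der):
    """Hex SHA-256 of the DER bytes, the same value openssl x509 -fingerprint -sha256 prints."""
    return hashlib.sha256(der).hexdigest()

def ca_matches(pem_text, expected_hex):
    """Compare the CA's fingerprint with one obtained out of band (colons, case ignored)."""
    want = expected_hex.replace(":", "").lower()
    return sha256_fingerprint(pem_to_der(pem_text)) == want

def register_command(activation_key, server=SERVER, ca_path=CA_PATH):
    """rhnreg_ks argv; --force re-registers even if a systemid still exists."""
    return ["rhnreg_ks",
            "--serverUrl=https://%s/XMLRPC" % server,
            "--sslCACert=%s" % ca_path,
            "--activationkey=%s" % activation_key,
            "--force"]

# Constructed sample used for self-checking only: not a real X.509 certificate.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" +
              base64.b64encode(SAMPLE_DER).decode("ascii") +
              "\n-----END CERTIFICATE-----\n")

def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s ACTIVATION_KEY EXPECTED_CA_SHA256\n" % argv[0])
        return 2
    activation_key, expected = argv[1], argv[2]
    with open(CA_PATH) as fh:
        if not ca_matches(fh.read(), expected):
            sys.stderr.write("%s does not match the expected fingerprint\n" % CA_PATH)
            return 1  # do not register against a server whose CA we cannot vouch for
    for path in purge_client_state():
        sys.stdout.write("removed %s\n" % path)
    return subprocess.call(register_command(activation_key))

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the client: ./reregister.py 1-yourkey AB:CD:...:EF, where the fingerprint was read on the Satellite itself with openssl x509 -noout -fingerprint -sha256 -in /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT. Registering with an activation key rather than a Satellite login keeps the admin password off the client entirely.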
If you need to restart the installation at any point, you can do it with the --skip-db-install option: in general the database installation step went fine, but not necessarily the rest:
Tomcat failed to start properly or the installer ran out of tries. Please check /var/log/tomcat*/catalina.out for errors
If you get this kind of message, it’s because the hostname is incorrectly configured. To fix it, check that the hostname configuration is correct, then re-run the hostname setup with spacewalk-hostname-rename, giving it the server’s IP:
spacewalk-hostname-rename x.x.x.x
Validating IP ... OK
=============================================
hostname: satellite-master.deimos.fr
ip: x.x.x.x
=============================================
Stopping rhn-satellite services ... OK
Testing DB connection ... OK
Updating /etc/rhn/rhn.conf ... OK
Actual SSL key pair package: rhn-org-httpd-ssl-key-pair-satellite-master-1.0-1.noarch
No need to re-generate SSL certificate.
Regenerating new bootstrap client-config-overrides.txt ... OK
Updating NOCpulse.ini ... OK
Updating monitoring data ... OK
Updating other DB entries ... OK
Changing cobbler settings ... OK
Changing jabberd settings ... OK
Starting rhn-satellite services ... OK
If all is well, you’ll see OK everywhere :-)
ERROR: Server not registered? No systemid: /etc/sysconfig/rhn/systemid
If you have this kind of message when activating a satellite:
> rhn-satellite-activate --rhn-cert=/root/deimos.cert
RHN_PARENT: satellite.rhn.redhat.com
ERROR: Server not registered? No systemid: /etc/sysconfig/rhn/systemid
It’s most likely because the server cannot reach RHN (internet access or proxy problem), or because the machine needs to be registered with RHN again:
rhn-register
Add the --proxy=proxy:port option with the correct values if you’re behind a proxy.
unable to extend index RHNSAT.RHN_ERRATAFILE_EID_FILE_IDX by 128 in tablespace DATA_TBS
If you get this type of error message during a satellite sync:
...
SYNC ERROR: unhandled exception occurred:
(Check logs/email for potentially more detail)
<rhnFault class (code = 54, text = 'ORA-01654: unable to extend index RHNSAT.RHN_ERRATAFILE_EID_FILE_IDX by 128 in tablespace DATA_TBS
')>
(54, 'ORA-01654: unable to extend index RHNSAT.RHN_ERRATAFILE_EID_FILE_IDX by 128 in tablespace DATA_TBS\n', '\n Package Upload Failed due to uniqueness constraint violation.\n Make sure the package does not have any duplicate dependencies or\n does not alre
It means the Oracle tablespace DATA_TBS is full: ORA-01654 is raised when an index can no longer grow inside its tablespace. First check the free disk space on the database volume. If that is fine, verify that the tablespace itself is out of space:
I don’t know if it’s a bug with the Satellite server, or if I forgot something, but the menu.c32 file is not in the right place and PXE clients refuse to boot. So to fix the problem:
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID
You might have this kind of message:
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID dfc7eded: NOKEY
Public key for tmux-1.5-1.el6.x86_64.rpm is not installed
NOKEY means the package is signed but the client does not trust the signing key. To solve this, create your GPG key and sign your packages as described above, and make sure the exported public key is imported on the client (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-deimos, or deploy it through the kickstart GPG key settings).
error was [Errno -1] Package does not match intended download
If you get this kind of message on the client side during a yum operation:
Error Downloading Packages:
puppet-2.7.9-2.el6.noarch: failed to retrieve getPackage/puppet-2.7.9-2.el6.noarch.rpm from custom-repo
error was [Errno -1] Package does not match intended download. Suggestion: run yum --enablerepo=deimos-repo clean metadata