stephenpc/ansible-satellite

ansible-satellite | Satellite 6.1.x Orchestration

Install and configure Satellite 6.1.x on Red Hat Enterprise Linux 6.x and 7.x. This collection can also be used to set up Satellite on AWS.

Fundamental steps are based on the process outlined at the Satellite 6.1 Installation Guide on the Red Hat Customer Portal.

At the last revision of this document, the current stable version of Satellite is 6.1.8.

Reference standup.yml, which is the installation playbook, to see an example of how the playbooks may be structured, or take a look at any of the listed playbooks below.

ansible-satellite roles:

The following roles are called by several playbooks to orchestrate tasks on the Satellite server. Please review the playbooks to see how these come together to work.

  1. satellite-auth
  2. satellite-content
  3. satellite-install
  4. satellite-maintenance
  5. satellite-route53
  6. satellite-selfsubscribe
  7. satellite-setup
  8. satellite-upgrade

ansible-satellite playbooks:

These playbooks are executed by Ansible Core or Ansible Tower.

  1. ec2_content_hosts_cleanup.yml
  2. ec2_content_hosts_report.yml
  3. customer_portal_api_test.yml
  4. maintenance.yml
  5. refresh_ldap_groups.yml
  6. refresh_s3_rpms.yml
  7. self-subscribe.yml
  8. standup.yml
  9. upgrade.yml

emergency shell scripts:

These scripts are written to aid in refreshing subscriptions on all the hosts, based on the .csv file that is generated by ec2_content_hosts_report.yml. These are only for emergencies, when the Satellite server is scheduled to be rebuilt. These depend on the .csv list of the systems generated by that playbook, so in the case of rebuilding Satellite, run that playbook first to make sure you have that file to reference. Usage of these scripts assumes that you have access to the SSH keys for your AWS instances, and that they are placed in your ${HOME}/.ssh/ directory.

  1. bash-refresh_subscriptions.sh
  2. bash-recreate_subscriptions.sh

Roles

Satellite Authentication (satellite-auth)

This role sets up the Satellite Server with authenticated local users, or ties it into a central LDAP server for authentication.

Invoke the role in the following way. Please note the configuration values specified in roles/satellite-auth/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-auth | Define users and assign them roles
    - role: satellite-auth
      # local_users: yes
      # ldap_users: yes
      # ldap_refresh: yes

Satellite Content (satellite-content)

This role creates lifecycle environments on the Satellite Server, creates content views and filters them, then sets up activation keys pointing to each, and a release version with which to activate RHEL systems.

Invoke the role in the following way. Please note the configuration values specified in roles/satellite-content/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-content

Satellite Installation (satellite-install)

This role installs Satellite to a RHEL host.

Invoke the role in the following way. Please note the configuration values specified in roles/satellite-install/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-install | Install Satellite 6 to a host
    - role: satellite-install

Satellite Maintenance Tasks (satellite-maintenance)

This role covers several items with regard to maintaining the security of the Satellite server, such as SSL configuration. It also provides orchestration of rpm content to the Satellite server, so that it can be made available to hosts on a regular basis. It leverages some variables from the satellite-content role as well.

Invoke the role in the following way. Please note the configuration values specified in satellite-maintenance/vars/main.yml, satellite-content/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  gather_facts: yes
  roles:
    # satellite-maintenance | Apply maintenance or tweaks
    - role: satellite-maintenance
      security_tweaks: yes
      # upload_rpms: no
      # autoupdate_content_views: no
      # promote_content_views_to_prod: no

Amazon Route53 DNS Registration (satellite-route53)

This role adds an entry into Amazon Route53 DNS for the Satellite server.

Invoke the role in the following way. Please note the configuration values specified in all.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-route53
      # Won't register in DNS if you don't set this to true
      register_route53: True

Satellite Self-Subscription (satellite-selfsubscribe)

This role subscribes the Satellite server to itself. It pauses for a period to allow someone to update the Satellite server manifest at the Red Hat Customer Portal > Subscription Management > Subscription Management Applications > Satellite, and will then continue to set Satellite up to receive content filtered in the same way as other systems.

Invoke the role in the following way. Please note the configuration values specified in roles/satellite-selfsubscribe/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-selfsubscribe | Subscribe the server to itself
    - role: satellite-selfsubscribe

As a prerequisite to using the satellite-setup role, you must create a manifest at the Red Hat Customer Portal > Subscription Management > Subscription Management Applications > Satellite and add it to the role in the files folder.

Note: A manifest can be created and included as part of this playbook. It can be overwritten, and/or refreshed from Satellite after it has been imported. It will then pull the up-to-date subscription information from Red Hat. The manifest should be in roles/satellite-setup/files/manifest.zip.


Satellite Setup (satellite-setup)

This role ties the Satellite server to Red Hat using the manifest mentioned above, activates products, repositories, and also brings in Docker images from the Red Hat Registry, along with 3rd party and custom repositories for your own generated RPM content.

Invoke the role in the following way. Please note the configuration values specified in roles/satellite-setup/vars/main.yml, all.yml and secrets.yml.

---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-setup

Satellite In-Place Upgrade (satellite-upgrade)

This role performs an in-place upgrade of Satellite 6.1 to the current 6.1.x release.

Invoke the role in the following way. Please note the configuration values specified in all.yml.

---
- hosts: satellite6-server-prod
  become: yes
  gather_facts: yes
  roles:
    # satellite-upgrade | Perform Satellite Upgrade
    - role: satellite-upgrade
      slack_upgrade_notify: yes

Playbooks

ec2_content_hosts_cleanup.yml

Ansible Tower scheduled job that removes systems that are registered in Satellite if they are not present in EC2 inventory.

Inline tasks. No roles invoked.

ec2_content_hosts_report.yml

Queries the Satellite API and AWS CLI, then generates a .csv file with details about hosts that are subscribed to Satellite, pulling in security key and other information from EC2. This is needed to resubscribe servers in a scripted fashion.

Inline tasks. No roles invoked.

customer_portal_api_test.yml

Begins testing the retrieval of entitlement information from the Red Hat Customer Portal, via the Candlepin API.

Inline tasks. No roles invoked.

maintenance.yml

Called ad hoc to perform post-installation tasks. Can update the custom RPMs uploaded from S3, update the content views with the most current packages, promote those to production, and also apply OpenSSL security tweaks to Apache.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-maintenance | upload_rpms (boolean), autoupdate_content_views (boolean), promote_content_views_to_prod (boolean), security_tweaks (boolean), slack_pubpromo_notify (boolean), restart_services (boolean) |

refresh_ldap_groups.yml

Ansible Tower scheduled job that refreshes the groups internal to Satellite with information from their counterparts in Active Directory, then assigns roles and users as needed.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-auth | ldap_refresh (boolean) |

refresh_s3_rpms.yml

Ansible Tower scheduled job that downloads RPMs from the bucket specified in the configuration variables, then uploads them to custom repositories in Satellite if they have changed.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-maintenance | upload_rpms (boolean) |

self-subscribe.yml

Subscribes the Satellite server to itself, to take advantage of the ability to release updates on a cycle, with the rest of the systems. Requires some manual interaction with the Red Hat Customer Portal. Afterwards, runs the ansible-common playbook against Satellite.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-selfsubscribe | n/a |
| satellite-common (ansible-common) | yum_update (boolean) |

standup.yml

Spins up an AWS instance, installs Satellite, brings in entitlements and content, and then makes it available for consumption by systems.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-install | n/a |
| satellite-setup | n/a |
| satellite-route53 | n/a |
| satellite-auth | local_users (boolean), ldap_users (boolean) |
| satellite-content | n/a |
| satellite-maintenance | security_tweaks (boolean) |

upgrade.yml

Performs an in-place upgrade of the Satellite server.

| Roles Invoked | Extra Vars |
| --- | --- |
| satellite-upgrade | slack_upgrade_notify (boolean) |
| satellite-maintenance | security_tweaks (boolean) |

Emergency Shell Scripts

bash-refresh_subscriptions.sh

Refresh subscriptions on all content hosts, iterating on an exported .csv file

Usage: # ./bash-refresh_subscriptions.sh ${pathToContentHostCSV}

bash-recreate_subscriptions.sh

Unsubscribe and resubscribe all content hosts, iterating on an exported .csv file

Usage: # ./bash-recreate_subscriptions.sh ${pathToContentHostCSV} ${satellite_fqdn} ${organization_name}
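
Because both emergency scripts feed rows of the exported .csv into SSH sessions using keys from ${HOME}/.ssh/, a pre-flight check over that file is worth running first. The following is an added example, not one of the repository's scripts; the column layout (hostname,key_name), the <key_name>.pem file naming and all function names are assumptions.

```sh
# Vet the content-host CSV before any ssh loop consumes it.
# ASSUMED layout (constructed; the real report's columns may differ):
#   hostname,key_name   with the private key at <key_dir>/<key_name>.pem

valid_host() {      # DNS name or IPv4 only; a leading '-' would parse as an ssh option
  case "$1" in ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}
valid_key_name() {  # bare file name only, so it cannot point outside key_dir
  case "$1" in ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# preflight CSV KEY_DIR: prints "OK <host> <keyfile>" or "SKIP line N: <reason>"
# (rejected field values are never echoed); returns 0 only if every row passes.
preflight() {
  tr -d '\r' < "$1" | {
    bad=0 n=0
    while IFS=, read -r host key rest || [ -n "$host" ]; do
      n=$((n + 1)); reason=; keyfile=$2/$key.pem
      [ "$n" -eq 1 ] && continue          # header row
      [ -z "$host$key" ] && continue      # blank line
      if ! valid_host "$host"; then reason="hostname rejected"
      elif ! valid_key_name "$key"; then reason="key name rejected"
      elif [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        reason="key file missing or a symlink"
      elif [ "$(ls -ld -- "$keyfile" | cut -c5-10)" != "------" ]; then
        reason="key readable by group/other"
      fi
      if [ -n "$reason" ]; then
        echo "SKIP line $n: $reason"; bad=$((bad + 1))
      else
        echo "OK $host $keyfile"
      fi
    done
    [ "$bad" -eq 0 ]
  }
}

# Constructed sample: one usable row, four rows that must be refused.
demo() {
  d=$(mktemp -d) || return 1
  : > "$d/good.pem";  chmod 600 "$d/good.pem"
  : > "$d/loose.pem"; chmod 644 "$d/loose.pem"
  printf '%s\n' 'hostname,key_name' 'web01.example.com,good' \
    '-badhost,good' 'db01.example.com,../good' \
    'db02.example.com,loose' 'app01.example.com,absent' > "$d/hosts.csv"
  preflight "$d/hosts.csv" "$d"; rc=$?
  rm -rf "$d"; return "$rc"
}
```

Run it as `preflight ${pathToContentHostCSV} ${HOME}/.ssh` and proceed to the refresh or recreate script only when it returns 0.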