redhat enterprise satellite server 6

Red Hat Enterprise Deployment and Systems Management Student Workbook Red Hat Enterprise Linux 6 Release en-1-20110713

Upload: nikhil-raj

Post on 07-Dec-2015


DESCRIPTION

RedHat Enterprise Satellite server deployment guide

TRANSCRIPT

Page 1: RedHat Enterprise Satellite Server 6

Red Hat Enterprise Deployment and Systems Management
Student Workbook
Red Hat Enterprise Linux 6
Release en-1-20110713

RED HAT ENTERPRISE DEPLOYMENT AND SYSTEMS MANAGEMENT

RH401

Red Hat Enterprise Linux 6 RH401
Red Hat Enterprise Deployment and Systems Management
Edition 1

Author: George Hacker
Author: Forrest Taylor
Editor: Steven Bonneville

Copyright © 2011 Red Hat, Inc.

The contents of this course and all its modules and related materials, including handouts to audience members, are Copyright © 2011 Red Hat, Inc.

No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Red Hat, Inc.

This instructional program, including all material provided herein, is supplied without any guarantees from Red Hat, Inc. Red Hat, Inc. assumes no liability for damages or legal action arising from the use or misuse of contents or details contained herein.

If you believe Red Hat training materials are being used, copied, or otherwise improperly distributed please e-mail [email protected] or phone toll-free (USA) +1 (866) 626-2994 or +1 (919) 754-3700.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, Hibernate, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a registered trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

All other trademarks are the property of their respective owners.


Document Conventions
  Notes and Warnings

Introduction
  Welcome to class!
  About Red Hat Enterprise Linux
  Additional Red Hat Enterprise Linux Software
  Contacting Red Hat Technical Support

About This Course
  Red Hat Enterprise Deployment and Systems Management
  Structure of the Course
  Orientation to the Classroom Network

Internationalization
  Language Support
  System-wide Default Language
  Per-user Language Selection
  Input Methods
  Language Codes Reference

1. Essential System Management
  Enterprise Management Best Practices
  PXE/Kickstart Installation
  Criterion Test

2. Installing a Red Hat Network Satellite Server
  RHN Satellite Server Concepts
  RHN Satellite Server Installation
  Obtaining Software from Hosted RHN
  Importing Initial Software Packages
  Criterion Test

3. Red Hat Network Organization
  RHN Organization Administration
  RHN User Administration
  System Groups

4. Using Subversion to Manage Changes
  Revision Control Concepts
  Subversion Administration
  Revision Management with Subversion

5. Red Hat Network Client Configuration
  Client Registration Concepts
  Interactive Client Registration
  Registration Automation: Activation Keys
  Registration Automation: bootstrap.sh
  Resolving Registration Problems

6. Red Hat Network Software Management
  Software Channels
  Custom Software Channels
  Loading RPMS into RHN Satellite
  Using a Custom Channel
  Software Management Using Cloned Channels
  Managing Software Updates

7. Building RPMs
  RPM Package Design/Architecture
  Spec File Directives and Sections
  Creating a Spec File
  Software Build Process
  Criterion Test

8. Configuration File Management with RHN
  Configuration Channel Management
  Client Configuration
  Configuration File Management
  Flexible Configuration with Macros

9. Provisioning with PXE
  Provisioning Requirements
  Tuning RHN Satellite for Provisioning
  Dynamic Host Configuration Protocol
  Cobbler and Koan

10. RHN Virtual Machine Management
  Virtual Host Configuration
  Virtual Machine Provisioning

11. RHN Satellite Server Administration
  RHN Satellite Database Management
  Satellite Server Management
  Software Channel Synchronization
  High Availability Options
  Troubleshooting Satellite Server Issues

12. RHN Application Programming Interface
  Application Programming Interface Scripting
  RHN Satellite Reporting Tool
  Criterion Test

13. Comprehensive Review
  Preparations/Do You Still Have Questions?
  Criterion Test

A. Solutions
  Essential System Management
  Installing a Red Hat Network Satellite Server
  Red Hat Network Organization
  Using Subversion to Manage Changes
  Red Hat Network Client Configuration
  Red Hat Network Software Management
  Building RPMs
  Configuration File Management with RHN
  Provisioning with PXE
  RHN Virtual Machine Management
  RHN Satellite Server Administration
  RHN Application Programming Interface
  Comprehensive Review


Document Conventions

Notes and Warnings

Note
"Notes" are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.

Comparison
"Comparisons" look at similarities and differences between the technology or topic being discussed and similar technologies or topics in other operating systems or environments.

References
"References" describe where to find external documentation relevant to a subject.

Important
"Important" boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled "Important" will not cause data loss, but may cause irritation and frustration.

Warning
"Warnings" should not be ignored. Ignoring warnings will most likely cause data loss.


Introduction

Welcome to class!

Thank you for attending this Red Hat training class. Please let us know if you have any special needs while at our training facility.

Please ask the instructor if you have any questions about the facility, such as operating hours of the facility and when you will have access to the classroom, locations of restrooms and break rooms, availability of telephones and network connectivity, and information about the local area.

As a courtesy to other students, please place your pager or cell phone's ringer on vibrate or mute, or turn off your devices during class. We ask that you only make calls during break periods.

If you have a personal emergency and are unable to attend or complete the class, please let us know. Thank you!

About Red Hat Enterprise Linux

This course is taught using Red Hat Enterprise Linux, an enterprise-targeted Linux distribution focused on mature open source software designed specifically for organizations using Linux in production settings.

Red Hat Enterprise Linux is sold on a subscription basis, where the subscription gives you continuous access to all supported versions of the operating system in binary and source form, not just the latest one, including all updates and bug fixes. Extensive support services are included: a support contract and Update Module entitlement to Red Hat Network are included for the subscription period. Various Service Level Agreements are available that may provide up to 24x7 coverage with a guaranteed one hour response time for Severity 1 issues. Support will be available for up to seven years after a particular major release (ten years with the optional "Extended Update Support" Add-On).

Red Hat Enterprise Linux is released on a multi-year cycle between major releases. Minor updates to major releases are released roughly every six months during the lifecycle of the product. Systems certified on one minor update of a major release continue to be certified for future minor updates of the major release. A core set of shared libraries have APIs and ABIs which will be preserved between major releases. Many other shared libraries are provided, which have APIs and ABIs which are guaranteed within a major release (for all minor updates) but which are not guaranteed to be stable across major releases.

Red Hat Enterprise Linux is based on code developed by the open source community, which is often first packaged through the Red Hat sponsored, freely-available Fedora distribution (http://fedoraproject.org/). Red Hat then adds performance enhancements, intensive testing, and certification on products produced by top independent software and hardware vendors. Red Hat Enterprise Linux provides a high degree of standardization through its support for four processor architectures (32-bit Intel x86-compatible, AMD64/Intel 64 (x86-64), IBM POWER, and IBM mainframe on System z). Furthermore, we support the 4000+ ISV certifications on Red Hat Enterprise Linux whether the RHEL operating system those applications are using is running on “bare metal”, in a virtual machine, as a software appliance, or in the cloud using technologies such as Amazon EC2.

Currently, the Red Hat Enterprise Linux product family includes:

• Red Hat Enterprise Linux for Servers: the datacenter platform for mission-critical servers running Red Hat Enterprise Linux. This product includes support for the largest x86-64 and x86-compatible servers and the highest levels of technical support, deployable on bare metal, as a guest on the major hypervisors, or in the cloud. Subscriptions are available with flexible guest entitlements of one, four, or unlimited guests per physical host. Pricing is based on the number of socket-pairs populated on the system motherboard, the number of guests supported, the level of support desired, and the length of subscription desired.

Red Hat Enterprise Linux for IBM POWER and Red Hat Enterprise Linux for IBM System z are similar variants intended for those system architectures.

• Red Hat Enterprise Linux Desktop: built for the administrator and end-user, Red Hat Enterprise Linux Desktop provides an attractive and highly productive environment for knowledge workers on desktops and laptops. Client installations can be finely tailored and locked down for simplicity and security for any workstation task.

The basic Desktop variant is designed for task workers who have a limited amount of administrative control over the system, who primarily use productivity applications like Firefox, Evolution/Thunderbird, OpenOffice.org, and Planner/TaskJuggler. The more sophisticated Workstation variant is designed for advanced Linux users who need a stand-alone development environment, and who are expected to have local super-user privileges or selected super-user privileges.

In addition, other variants exist such as Red Hat Enterprise Linux for HPC Head Node and Red Hat Enterprise Linux for HPC Compute Node (targeted at high-performance computing clusters), and Red Hat Enterprise Linux for SAP Business Applications. For more information please visit http://www.redhat.com/.

Additional Red Hat Enterprise Linux Software

Two additional software update channels are provided with Red Hat Enterprise Linux beyond the core software packages shipped:

• Supplementary: the "Supplementary" channel provides selected closed source packages, built for Red Hat Enterprise Linux as a convenience to the customer. These include things like Adobe Flash or proprietary Java JVMs.

• Optional: the "Optional" channel provides selected open source packages, as a convenience only. They are generally included in another Red Hat Enterprise Linux variant as a fully-supported package, or are a build requirement for the distribution. These packages are only available through a Red Hat Network child channel.


Important
Supplementary and Optional packages are provided with limited support, as a customer convenience only.

Red Hat also offers a portfolio of fully-supported Add-Ons for Red Hat Enterprise Linux which extend the features of your Red Hat Enterprise Linux subscription. These add-ons allow you to add capabilities and tailor your computing environment to your particular needs. These Add-Ons include support for high availability application clustering, cluster file systems and very large file systems, enhanced system management with Red Hat Network, extended update support, and more.

Note
Please visit http://www.redhat.com/rhel/add-ons/ for more information about available Add-Ons for Red Hat Enterprise Linux.

For information about other products which are provided by Red Hat, such as Red Hat Enterprise Virtualization, JBoss Enterprise Middleware, Red Hat Enterprise MRG, and various custom consulting and engineering services, http://www.redhat.com/products/ also has useful information.

The Fedora Project also provides additional packages for Red Hat Enterprise Linux through EPEL (Extra Packages for Enterprise Linux). EPEL is a volunteer-based community effort to create a repository of high-quality add-on packages which can be used with Red Hat Enterprise Linux and compatible derivatives. It accepts legally-unencumbered free and open source software which does not conflict with packages in Red Hat Enterprise Linux or Red Hat add-on products. EPEL packages are built for a particular major release of Red Hat Enterprise Linux and will be updated by EPEL for the standard support lifetime of that major release.

Red Hat does not provide commercial support or service level agreements for EPEL packages. While not supported officially by Red Hat, EPEL provides a useful way to reduce support costs for unsupported packages which your enterprise wishes to use with Red Hat Enterprise Linux. EPEL allows you to distribute support work you would need to do by yourself across other organizations which share your desire to use this open source software in RHEL. The software packages themselves go through the same review process as Fedora packages, meaning that experienced Linux developers have examined the packages for issues. As EPEL does not replace or conflict with software packages shipped in RHEL, you can use EPEL with confidence that it will not cause problems with your normal software packages.

For developers who wish to see their open source software become part of Red Hat Enterprise Linux, often a first stage is to sponsor it in EPEL so that RHEL users have the opportunity to use it, and so experience is gained with managing the package for a Red Hat distribution.

Visit http://fedoraproject.org/wiki/EPEL/ for more information about EPEL.


Important
EPEL is supported by the community-managed Fedora Project and not by Red Hat Support.

Contacting Red Hat Technical Support

One of the benefits of your subscription to Red Hat Enterprise Linux is access to technical support through Red Hat's customer portal at http://access.redhat.com/. If you do not have a Red Hat account on the customer portal or are not able to log in, you can go to https://access.redhat.com/support/faq/LoginAssistance.html or contact Customer Service for assistance.

You may be able to resolve your problem without formal technical support by searching Knowledgebase (https://access.redhat.com/kb/knowledgebase/). Otherwise, Red Hat Support may be contacted through a web form or by phone depending on your support level. Phone numbers and business hours for different regions vary; see https://access.redhat.com/support/contact/technicalSupport.html for current information. Information about the support process is available at https://access.redhat.com/support/policy/support_process.html.

Some tips on preparing your bug report to most effectively engage Red Hat Support:

• Define the problem. Make certain that you can articulate the problem and its symptoms before you contact Red Hat. Be as specific as possible, and detail the steps you can use (if any) to reproduce the problem.

• Gather background information. What version of our software are you running? Are you using the latest update? What steps led to the failure? Can the problem be recreated and what steps are required? Have any recent changes been made that could have triggered the issue? Were messages or other diagnostic messages issued? What exactly were they (exact wording may be critical)?

• Gather relevant diagnostic information. Be ready to provide as much relevant information as possible; logs, core dumps, traces, the output of sosreport, etc. Technical Support can assist you in determining what is relevant.

• Determine the Severity Level of your issue. Red Hat uses a four-level scale to indicate the criticality of issues; criteria may be found at https://access.redhat.com/support/policy/GSS_severity.html.


Warning: Bugzilla is not a support tool! For support issues affecting Red Hat Enterprise Linux, customers should file their bugs through the support channels discussed above in order to ensure that Red Hat is fully aware of your issue and can respond under the terms of your Service Level Agreement. Customers should not file bugs directly in the http://bugzilla.redhat.com/ web interface.

For Red Hat Enterprise Linux, Bugzilla is used by engineering to track issues and changes, and to communicate on a technical level with Engineering partners and other external parties. Anyone, even non-customers, can file issues against Bugzilla, and Red Hat does monitor them and review them for inclusion in errata.

However, Red Hat does not guarantee any SLA for bugs filed directly in Bugzilla (bypassing normal support channels). A review might happen immediately, or after a time span of any length. Issues coming through Support are always prioritized above issues of similar impact and severity filed against Bugzilla. Also, workarounds and hotfixes, if possible and appropriate, may be provided to customers by Support even before a permanent fix is issued through Red Hat Network.

Red Hat considers issues directly entered into Bugzilla important feedback, and it allows us to provide efficient interaction with the open source development community and as much transparency as possible to customers as issues are processed. Nevertheless, for customers encountering production issues in Red Hat Enterprise Linux, Bugzilla is not the right channel.


About This Course

Red Hat Enterprise Deployment and Systems Management

RH401 Red Hat Enterprise Deployment and Systems Management is a four-day lab-based course that explores the concepts and methods necessary for successful large-scale deployment and management of Red Hat Enterprise Linux systems. Course participants will learn how to install and use a Red Hat Network Satellite Server to deploy and manage systems.

Subjects covered in the course include: installing and managing a Red Hat Network Satellite Server; provisioning systems using RHN, DHCP, and PXE; using revision control software to manage script and configuration file development; and building custom RPMs. Attention will also be given to structuring RHN organizations and user accounts, modifying programs which use the RHN programming API, and routine RHN Satellite Server maintenance functions.

Objectives

• Understand large-scale deployment issues

• Install, configure, and maintain RHN Satellite Server

• Build custom RPM software packages

• Use Subversion revision control software to manage changes

• Use RHN Satellite for effective software life cycle management

• Deploy a PXE infrastructure for bare metal provisioning

• Understand and deploy RHN Proxy Server

Audience and Prerequisites

• RH401 is aimed at senior Red Hat Enterprise Linux system administrators and other IT professionals working in enterprise environments.

• RH401 requires RHCE-level system administration skills. A current RHCE certification is recommended, but not required.

Structure of the Course

Red Hat training courses are interactive, hands-on, performance-based, real world classes meant to engage your mind and give you an opportunity to use real systems to develop real skills. We encourage students to participate in class and ask questions in order to get the most out of their training sessions.


This course is divided up into a number of Units organized around a particular topic area. Each Unit is divided up into multiple Sections which focus on a specific skill or task. The unit will start with an introduction to the material, then move on to the first section.

In each section, there will be a presentation led by the instructor. During the presentation, it may be a good idea to take notes in your student workbook (this book), and the instructor may remind you to do so. The presentation is followed by a short activity or assessment to give you the opportunity to practice with the material or review procedures. After a review of the assessment, the instructor will move on to the next section. At the end of the unit, there will normally be a hands-on lab exercise of some sort (a "criterion test") which will give you an opportunity to learn by doing and review your understanding of the unit's content. Please feel free to ask questions in class, or to ask the instructor for advice and help during the end-of-unit exercise. We want the classroom environment to be a "low risk" place where you feel comfortable asking questions and learning from things that work and things that do not at first.

Orientation to the Classroom Network

Two subnets may be used in this course. The primary classroom network is 192.168.0.0/24, and belongs to hosts in the DNS domain "example.com". This network will be used for most classroom activities. Some courses use a second subnet, 192.168.1.0/24, belonging to hosts in the DNS domain "remote.test". This network can be reached from hosts in example.com, and is used in lab exercises which require testing services or security settings from machines (theoretically) outside your administrative control.

Students are each assigned two physical machines (desktopX.example.com on 192.168.0.X) and (desktopY.example.com on 192.168.0.Y). The first machine will serve as the RHN Satellite Server, which will be used to manage the second machine, the client. When bare-metal provisioning becomes the focus of the course, the client machine will be cabled to a private network behind the RHN Satellite Server and will assume the identity (station1.privateX.com on 10.100.X.1).

The instructor controls a number of machines which students may see as well. The instructor.example.com machine is the classroom utility server, providing default routing services, DHCP, DNS name service, one or more Yum repositories of software used by the class, and other network services. It is also connected to the classroom video projector to allow the instructor to display slides and demonstrations.

| Machine name | IP addresses | Role |
| --- | --- | --- |
| desktopX.example.com | 192.168.0.X | Physical student workstation - RHN Satellite Server |
| desktopY.example.com | 192.168.0.Y | Physical student workstation - RHN client |
| station1.privateX.com | 10.100.X.1 | RHN client on a private network |
| instructor.example.com | 192.168.0.254 | Physical instructor machine and utility server |

Table 1. Classroom Machines


Internationalization

Language Support

Red Hat Enterprise Linux 6 officially supports twenty-two languages: English, Assamese, Bengali, Chinese (Simplified), Chinese (Traditional), French, German, Gujarati, Hindi, Italian, Japanese, Kannada, Korean, Malayalam, Marathi, Oriya, Portuguese (Brazilian), Punjabi, Russian, Spanish, Tamil, and Telugu. Support for Maithili, Nepalese, and Sinhala is provided as Technology Previews.

System-wide Default Language

The operating system's default language is normally set to US English (en_US.UTF-8), but this can be changed during or after installation.

To use other languages, you may need to install additional package groups to provide the appropriate fonts, translations, dictionaries, and so forth. By convention, these package groups are always named language-support. These package groups can be selected during installation, or after installation with PackageKit (System → Administration → Add/Remove Software) or yum.

A system's default language can be changed with system-config-language (System → Administration → Language), which affects the /etc/sysconfig/i18n file.

Per-user Language Selection

Users may prefer to use a different language for their own desktop environment or interactive shells than is set as the system default. This is indicated to the system through the LANG environment variable.

This may be set automatically for the GNOME desktop environment by selecting a language from the graphical login screen: click the Language item at the bottom left corner of the graphical login screen immediately prior to login. The user will be prompted about whether the language selected should be used just for this one login session or as a default for the user from now on. The setting is saved in the user's ~/.dmrc file by GDM.

If a user wants to make their shell environment use the same LANG setting as their graphical environment even when they log in through a text console or over ssh, they can add code similar to the following to their ~/.bashrc file. This code will set their preferred language if one is saved in ~/.dmrc or will use the system default if one is not:

# Use the language GDM saved in ~/.dmrc, if there is one
i=$(grep 'Language=' "${HOME}/.dmrc" 2>/dev/null | sed 's/Language=//')
if [ "$i" != "" ]; then
    export LANG=$i
fi


Languages with non-ASCII characters may have problems displaying in some environments. Kanji characters, for example, may not display as expected on a virtual console. Individual commands can be made to use another language by setting LANG on the command-line:

[user@host ~]$ LANG=fr_FR.UTF-8 date
lun. oct. 24 10:37:53 CDT 2011

Subsequent commands will revert to using the system's default language for output. The locale command can be used to check the current value of LANG and other related environment variables.

Input Methods

IBus (Intelligent Input Bus) can be used to input text in various languages under X if the appropriate language support packages are installed. You can enable IBus with the im-chooser command (System → Preferences → Input Method).

Language Codes Reference

| Language | $LANG value | Language package group |
| --- | --- | --- |
| English (US) | en_US.UTF-8 | (default) |
| Assamese | as_IN.UTF-8 | assamese-support |
| Bengali | bn_IN.UTF-8 | bengali-support |
| Chinese (Simplified) | zh_CN.UTF-8 | chinese-support |
| Chinese (Traditional) | zh_TW.UTF-8 | chinese-support |
| French | fr_FR.UTF-8 | french-support |
| German | de_DE.UTF-8 | german-support |
| Gujarati | gu_IN.UTF-8 | gujarati-support |
| Hindi | hi_IN.UTF-8 | hindi-support |
| Italian | it_IT.UTF-8 | italian-support |
| Japanese | ja_JP.UTF-8 | japanese-support |
| Kannada | kn_IN.UTF-8 | kannada-support |
| Korean | ko_KR.UTF-8 | korean-support |
| Malayalam | ml_IN.UTF-8 | malayalam-support |
| Marathi | mr_IN.UTF-8 | marathi-support |
| Oriya | or_IN.UTF-8 | oriya-support |
| Portuguese (Brazilian) | pt_BR.UTF-8 | brazilian-support |
| Punjabi | pa_IN.UTF-8 | punjabi-support |
| Russian | ru_RU.UTF-8 | russian-support |
| Spanish | es_ES.UTF-8 | spanish-support |
| Tamil | ta_IN.UTF-8 | tamil-support |
| Telugu | te_IN.UTF-8 | telugu-support |
| Technology Previews | | |
| Maithili | mai_IN.UTF-8 | maithili-support |
| Nepali | ne_NP.UTF-8 | nepali-support |
| Sinhala | si_LK.UTF-8 | sinhala-support |

Table 2. Language Codes


Chapter 1.


UNIT ONE

ESSENTIAL SYSTEM MANAGEMENT

Introduction

Topics covered in this unit:

• Define enterprise management best practices

• Standardization

• Centralization

• Scalability

• Provisioning

• Automation

• Avoid the “one-off” trap


Enterprise Management Best Practices

Fill in the enterprise best practices below and take notes as your instructor explains them:

1.

2.

3.

4.

5.

Standardization

Standardization is a very important piece of the puzzle of successful system administration. Generally standardization is a prerequisite of automation, and automation is the ultimate goal. By performing tasks with the same, well thought out method each and every time you will reduce the possibility of human error and increase the amount you know about every installed system.

Procedures: A software installation procedure might be as follows:

1. Install new software on test machines to determine appropriate configuration

2. Create RPM packages for third party software that does not natively support RPM

3. Deploy RPM packages on test machines

4. Deploy tested RPM packages to production machines

5. Verify proper operation of affected systems

6. Rollback to a previous configuration if necessary

Baselines: In System Administration a system baseline describes the state of the machine when it is considered installed and ready for use. Whatever must be done to take the system from bare metal to this state must be documented and preferably automated.

The baseline must include:

• OS package install list

• Filesystem layout


• Third party software

• Configuration files

• Anything else!

Centralization

By centralizing policies, procedures, and baselines into one easily managed system you make all aspects of system administration more efficient. Having multiple places to search to find answers about your systems is tedious and should be avoided.

Scalability

Scalability is growth in capacity with minimal system administrator impact. Goal: increased production with minimal cost growth.

In defining every project and procedure, scalability must always be an important consideration. A little extra work up front will pay off in multitudes of saved time and avoided errors.

A Simple Example: OS Installation

Manual installation of individual machines requires much time to perform and lends itself to deviation from a corporate standard. In contrast, installing new machines using kickstart yields machines that conform to a standard build specification, requires little human interaction to perform the install process, and allows many installs to occur simultaneously.

Provisioning

Provisioning is the process taken to turn a system from bare-metal to installed and configured to meet the defined baseline. This should be as close to a fully automated process as possible.

Components of a provisioning environment:

DHCP Server: Dispenses configuration information, for example IP addresses, PXE images, and other information including the addresses of network file servers.

Network Installation Server: Stores and shares to the network all the files that make up the OS installation and possibly in-house or 3rd party software as well.

RHN Satellite Server: Centrally managed server that deploys, maintains, and monitors Red Hat Enterprise Linux systems.

PXE Capable Hardware: Most systems now include the ability to boot from the network. Older systems may require upgrading with PXE capable NICs or software can be used such as gPXE, an open-source implementation of PXE.

Kickstart Files: The kickstart file can be thought of as the complete set of instructions to install a new machine and bring it to a full state of readiness. This text file includes install settings, options, and scripts.

Automation

Instead of repetitive work, automation generally requires more upfront work. Investing time writing kickstart files allows one to install more systems simultaneously and more quickly than could be achieved by hand.


Tools: Bash, Perl, and Ruby are all scripting languages that may be used in the %post section of a kickstart file.

sed is the streaming editor that is useful for making changes to existing files as well as editing the output from other programs.

In the %post section of a kickstart file, all scripts run in a chroot'ed environment by default, allowing you to easily use any interpreter installed on the new system. With the wide variety of tools included in Red Hat Enterprise Linux, there is virtually no limit to what may be automatically performed for system installation or management.
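As an illustration of sed inside a %post script, the following added example (not from the workbook) sets a key in a sysconfig-style file such as /etc/sysconfig/i18n so that repeated runs leave exactly one entry. The function name set_sysconfig_key and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example for a kickstart %post script. %post runs chroot'ed into the
# newly installed system by default, so /etc/sysconfig/i18n there is the new
# system's file. Function name and sample data are illustrative.

# set_sysconfig_key FILE KEY VALUE
# Sets KEY="VALUE" in FILE exactly once, whether or not KEY is already there.
set_sysconfig_key() {
    ssk_file=$1
    ssk_key=$2
    ssk_val=$3
    ssk_nl='
'
    # Keys must be plain shell variable names.
    case "$ssk_key" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    # sysconfig files are sourced by shell scripts, so refuse values that
    # could close the quotes or trigger expansion when the file is read.
    case "$ssk_val" in
        *'"'*|*'$'*|*'`'*|*'\'*|*"$ssk_nl"*) return 2 ;;
    esac
    [ -f "$ssk_file" ] || : > "$ssk_file"
    # Escape the characters that are special in a sed replacement.
    ssk_esc=$(printf '%s' "$ssk_val" | sed 's|[/&]|\\&|g')
    ssk_tmp=$(mktemp "${ssk_file}.XXXXXX") || return 1
    if grep -q "^${ssk_key}=" "$ssk_file"; then
        sed "s/^${ssk_key}=.*/${ssk_key}=\"${ssk_esc}\"/" "$ssk_file" > "$ssk_tmp"
    else
        cat "$ssk_file" > "$ssk_tmp"
        printf '%s="%s"\n' "$ssk_key" "$ssk_val" >> "$ssk_tmp"
    fi
    # Write back in place so the original owner, mode and SELinux label stay.
    cat "$ssk_tmp" > "$ssk_file"
    rm -f "$ssk_tmp"
}

# Demonstration on a constructed copy of an i18n file (not the real one).
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'LANG="en_US.UTF-8"\nSYSFONT="latarcyrheb-sun16"\n' > "$demo_dir/i18n"
    set_sysconfig_key "$demo_dir/i18n" LANG fr_FR.UTF-8
    set_sysconfig_key "$demo_dir/i18n" LANG fr_FR.UTF-8   # second run changes nothing
    cat "$demo_dir/i18n"
    rm -rf "$demo_dir"
}

demo
```

In a real %post section the call would be set_sysconfig_key /etc/sysconfig/i18n LANG fr_FR.UTF-8, using a $LANG value from the language table.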

The "One-off" Trap

One-off systems require special care and extra work to maintain. Generally the longer they are kept running the worse of a headache they become.

Unique Installations: Every uniquely installed system requires extra work to maintain. Avoid unique installations.

Package Management: Ideally, package management should be pervasive. Every piece of software installed outside of package management will require more work and at the same time be less visible as a potential problem.

Configuration Files: The use of a version control system to maintain configuration files, combined with a centralized system to manage them, allows for quick and efficient deployment as well as rollbacks, when needed.

Documentation: Everything should be documented. This includes software versions, baseline definitions, configuration files, and procedures.


Practice Resequencing Exercise

Enterprise Management Best Practices

For each of the keywords below, write down the number of its definition from the list at the bottom.

Standardization

Centralization

Scalability

Provisioning

Automation

1. Growth in capacity with minimal system administrator impact.

2. Performing tasks with the same, well thought out method each and every time.

3. The process taken to turn a system from bare-metal to installed and configured to meet the defined baseline. This should be as close to a fully automated process as possible.

4. Generally requires more upfront work. Investing time writing kickstart files allows one to install more systems simultaneously and more quickly than could be achieved by hand.

5. Gather policies, procedures, and baselines into one easily managed system.


PXE/Kickstart Installation

PXE Peer Tutoring

Your instructor will split the class into teams. Gather around one of your machines and determine how to initiate a PXE installation. Write the steps needed to PXE boot below.


Practice Exercise

PXE Boot

Carefully perform the following steps. Ask your instructor if you have problems or questions.

The purpose of this exercise is to become familiar with the PXE capabilities of the classroom hardware. You will also look at the menu and capabilities that are provided by the classroom provisioning environment. You will not be installing your workstations - that is for a later exercise.

1. PXE boot one of your two machines; either of your machines will work.

2. In the PXE menu, edit the “Install minimal RHEL 5 for RHN Satellite use” option. What are the two options included for Kickstart?


Test

Criterion Test

Exercise

Provisioning Preview

Before you begin...

You have two servers: desktopX and desktopY. Both servers are currently connected to the classroom network (192.168.0.0/24) which includes the instructor's machine, instructor.example.com. desktopX should be equipped with two Ethernet interfaces.

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Let's preview the capabilities and conveniences of a bare-metal provisioning environment. The instructor's machine, instructor.example.com, has been configured to provide bare-metal provisioning services. Your task is to configure both of your servers to PXE-boot and kickstart themselves.

1. Reboot desktopX and go into the system BIOS configuration screens and make adjustments so desktopX will attempt to PXE boot from the network. Ask your instructor for help since this process can vary between various classroom environments.

2. Reboot desktopX, but this time allow it to PXE boot from the network. If everything is properly configured, you should be presented with a PXE boot menu similar to the following:

Choose the “Install minimal RHEL 5 for RHN Satellite use” option without any arguments to begin the installation. While the installation begins, repeat these steps on your second server, desktopY. Be sure to choose the “Install minimal RHEL 5 for RHN Satellite use” option without any arguments to begin the installation.


Personal Notes


Unit Summary

Enterprise Management Best Practices

In this section you learned the value of:

• Standardization

• Centralization

• Scalability

• Provisioning

• Automation

PXE/Kickstart Installation

In this section you learned how to:

• Initiate a PXE installation

• Determine kickstart arguments in an installation


Chapter 2.


UNIT TWO

INSTALLING A RED HAT NETWORK SATELLITE SERVER

Introduction

Topics covered in this unit:

• Advantages of the RHN Satellite Server

• Installing Red Hat Network Satellite software

• Downloading channel content ISOs

• Importing channel content into a RHN Satellite server

• Troubleshooting a Satellite Server installation


RHN Satellite Server Concepts

Features of RHN Satellite Server

The original Red Hat Network solution provided users with the ability to get immediate and easy access to the latest updated software, thus solving the critically important problem of errata concurrency. With the success of this product came the problem of data access speeds, particularly in enterprises containing a large number of systems: many systems were synchronizing with the Red Hat Network servers from a single location, often downloading the same data.

The RHN Satellite Server was created to solve this problem. The RHN Satellite Server provides an on-site server that feeds updates within an enterprise with minimal (or potentially no) access to the Red Hat Network servers over the Internet. This permits updates to happen over LAN speeds, instead of WAN speeds. Furthermore, tiered with a number of RHN Proxy or additional Satellite servers, a large enterprise can distribute updates efficiently across a geographically dispersed intranet.

Some high security data centers are disconnected from the Internet and cannot access the services of RHN provided by Red Hat's servers. A Satellite server allows these types of centers to have RHN software deployment features that their disconnected requirements wouldn't allow for otherwise.

Another key feature of RHN Satellite is the ability to create custom software channels. This gives you the ability to add your own software into the RHN Satellite system and the ability to do bare-metal provisioning, installing across a large number of systems with relative ease.

Advantages of RHN Satellite Server

Five major advantages of using RHN Satellite server include:

1.

2.

3.

4.

5.


RHN Satellite Server improves security by ensuring that software updates are rolled out in a timely manner. The disconnection from the Internet assures that all transactions are performed within the intranet. Coupled with RHN Proxy servers or with multiple RHN Satellite servers, highly geographically dispersed environments can get rapid access to updates.

RHN Satellite server allows local administrators (not Red Hat) control over which systems can access the server with what permissions.

The ability to load third-party or custom software packages into the RHN Satellite server and to create custom channels permits a high level of customization.

RHN Satellite Server Components

The RHN Satellite Server is a large and complex subsystem, consisting of:

• Red Hat Network Satellite Server: the underlying software.

• An Oracle Database: the RHN Satellite Server requires a database to store information about the systems it manages. This database can be an existing Oracle database or it can be embedded in the Satellite Server software.

• Web Interface: much of the management of the RHN Satellite Server happens through the web interface. This looks very similar to Red Hat's RHN web interface.

• RPM Repository: the part of the system taking the most disk space, this repository holds the software to be distributed by the RHN Satellite Server.

• Management Tools: a number of command line and web based management tools permitting the setup and maintenance of the server. RHN Satellite also has an API for access to Satellite information and functions.

References

Red Hat Network Satellite Installation Guide

• Section 1.1: Red Hat Network

• Section 1.2: RHN Satellite


RHN Satellite Server Installation

Standalone vs. Embedded Database

The RHN Satellite Server requires a database. If you already have an Oracle database with sufficient disk space and power, you can use it to hold the RHN Satellite Server database provided that you have a database administrator who can manage the setup of the service. It is important you do not run the RHN Satellite Server on the same system that runs the Oracle database.

If you do not have an Oracle database, or if it does not have sufficient disk, RAM, or CPU resources, you can install the RHN Satellite Server with an embedded database. This database requires additional disk space. It has the advantage of having a single system acting as both Satellite Server and database server. Further, the database is already fully configured, requiring less effort on the part of the database administrator.

Hardware Requirements

RHN Satellite Servers have relatively high hardware requirements since they can run an instance of the Oracle database (for the embedded version) as well as deliver a large amount of data to remote systems. Because the Oracle database runs multiple processes, multiple processors can significantly improve performance.

The RHN Satellite Server uses a considerable amount of disk space and it is time consuming to repopulate a database should a disk fail. It is strongly recommended to use redundant storage to hold the underlying data.

The hardware specifications outlined in the Red Hat Network Satellite Installation Guide are standard minimal and recommended specifications for Red Hat Network Satellite. The following table shows typical specifications and capacity of RHN Satellite server deployments:

| Hardware specifications | RHN client system capacity |
| --- | --- |
| 32-bit x86 with 2GB of RAM | ~500 RHN client systems |
| 32-bit x86 with 4GB of RAM | ~2,000 RHN client systems |
| 64-bit x86 with 8-16GB of RAM | ~15,000 RHN client systems |

Table 2.1. RHN Satellite Server Capacity

File System Requirements

The embedded database is installed in /rhnsat and RPM channel content is stored in /var/satellite. Do not skimp on the hard disk requirements! Red Hat Network Satellite Server will not run on systems with insufficient disk space. For example, /var/satellite may need approximately 120 GB of disk capacity to maintain content for Red Hat Enterprise Linux versions 4 through 6 for two architectures.

Furthermore, when populating the database using channel content ISOs you will need substantially large amounts of temporary disk space. For example the base channel content ISOs for Red Hat Enterprise Linux 5 Client/Server i386 (11 CD ISOs) originally took almost 7 GB of storage. As of April, 2011 they have grown to almost 47 GB of storage (11 DVD ISOs) to include all revisions including RHEL 5.6. To use these ISOs, you will need to mount each one and copy it over to a temporary location which will take an additional 47 GB of disk space. Therefore, for this one channel, almost 100 GB of temporary space will be needed to expand the channel content to be synchronized into a RHN Satellite server.

Older versions of RHEL require more space because of their longer history of package updates. Red Hat Enterprise Linux 5 Server (ia64) + EUS + AMC + RHN Tools + Supplementary (Base 2011-04-13) is published, at the time of this writing, on 7 DVD ISOs.

Installing Satellite Server: The Base Install

The base install of the RHN Satellite Server is substantially similar to other Red Hat operating system installations. However, note the following:

SELinux: The RHN Satellite Server installer requires SELinux to be enabled. Enable SELinux in Permissive Mode when installing the base operating system.

Disk space: Refer to the previous information on disk space allocations. Follow or exceed the guidelines, as the RHN Satellite Server will not install properly without a sufficient amount of disk space.

Time: The SSL parts of the server installation require proper synchronization of time with the computers that must communicate with one another. Use UTC for the hardware time and if possible run the Network Time Protocol daemon on all RHN Satellite Servers, RHN Proxy Servers and on their client systems.

Software Packages: Only install the @Base package group to avoid RPM dependency conflicts. The @GNOME package group may also be selected if you want to administer the Satellite Server locally, but it is not required. Provide additional RPMs to satisfy package dependencies: either register the Satellite system with Red Hat Network or point to a yum repository with RHEL RPMs.

Installing the Satellite Software

Installing the RHN Satellite Server software is a time consuming process, made faster by powerful dual processors and a large amount of RAM. To begin the installation, download the latest RHN Satellite software ISO from Red Hat Network. Note that two versions of the software are provided: the standalone version and the embedded version. Only one is needed.

The RHN Satellite Server ISO contains an installation script called install.pl. Execute this script to begin the installation process. install.pl will update some system libraries and install additional packages required by the Satellite Server software. After installing all relevant software RPMs, this application prompts the user for the following information:

Administrator's e-mail address: Specify the e-mail address where automated Satellite Server messages are sent.

RHN connection information: If you intend to operate your Satellite Server so it connects to Red Hat, you will need to enter your Red Hat Network account name and password. Web proxy information also must be specified when using a proxy to access the Internet.

RHN Entitlement certificate: Specify the absolute path name to the file that contains the Satellite Entitlement certificate sent to you by Red Hat.

Database connection information: When installing a standalone Satellite Server, Oracle authentication information must be provided. This information isn't prompted for when installing the embedded database version of the Satellite Server software.


SSL certificate information: All communication between your Satellite Server and its clients will be done through encrypted tunnels. This requires an SSL certificate. You will have to provide information about your organization, its location, and a certificate password which you should record and put in a safe place.

This is a long process, typically taking nearly an hour to complete, including the time needed to answer the installer's questions and for the computer to process the data. Installer log messages can be found in a file called /var/log/rhn/rhn-installation.log.

install.pl Options

Options can be passed to install.pl to modify how it behaves when installing the Satellite Server software.

The --disconnected option indicates the Satellite Server will operate disconnected from the Internet. In this case install.pl will not prompt for RHN credentials used to connect to Red Hat's servers.

An answer file can be specified at install time with the --answer-file option. The user provides install.pl with the absolute path name to a text file with answers to the installer's questions which the user created beforehand. This allows the installation process to be performed in an unattended manner which prevents mistakes from being committed during the installation process. A sample answers.txt file can be found on the Satellite Server install media in the install subdirectory.

Note

The --answer-file option requires an absolute path name. When a relative path name is specified, the RHN Satellite installer will silently ignore this option and start prompting the user with questions.

The --re-register option causes install.pl to re-register the Satellite Server with Red Hat Network, even if it is already registered.

--clear-db tells install.pl to clear any existing database schema before installing on a previously installed server. This is useful when Satellite Server software needs to be reinstalled.

A best practice is to install a RHN Satellite Server in disconnected mode and initially populate it from local media. This eliminates any dependence upon Internet connectivity and gives the best installation performance. Later the Satellite Server can be registered and reactivated with Red Hat Network, then channel content can be brought up to date against Red Hat's servers.

References

Red Hat Network Satellite Installation Guide

• Chapter 2: Requirements

• Chapter 4: Installation

Practice Performance Checklist

Installing Red Hat Network Satellite Software

Before you begin...

You should have a Red Hat Enterprise Linux 5 Server with a minimal installation on desktopX.

Install RHN Satellite software on your provisioning server, desktopX.

Copy the sample RHN Entitlement Certificate, redhat-gls-minimal-5.4.cert, from the instructor's machine to root's home directory (~). This file can be found in the automounted /misc/instructor/rh401-satellite directory.

Copy the satellite-embedded-*.iso image found on the instructor's machine to /tmp then mount it using a loopback device to /mnt. Don't execute /mnt/install.pl. We will use this script shortly. Instead, list the contents of /mnt/install and look for a file called answers.txt. This file can be modified and used with install.pl to perform an unattended installation of the RHN Satellite Server software. Copy answers.txt to root's home directory.

Use your favorite text editor to modify root's answers.txt file. Find the following variable definitions and make all necessary adjustments:

# RHN Satellite Server administrator
admin-email = [email protected]

# Satellite Server CA certificate info
ssl-set-org = Red Hat Inc.
ssl-set-org-unit = Training
ssl-set-city = your city
ssl-set-state = your state
ssl-set-country = your two-letter country code
ssl-set-email = [email protected] = a password you can remember

# Location of RHN Satellite Entitlement certificate
satellite-cert-file = /root/redhat-gls-minimal-5.4.cert

run-updater = yes
ssl-config-sslvhost = yes
enable-tftp = yes

Although comments in the file suggest ssl-set-email defaults to the value of admin-email, that is not the case and the installer will stop and prompt you for the SSL e-mail address. Also the run-updater, ssl-config-sslvhost, and enable-tftp directives either do not exist or are commented out in the sample answers.txt file. Uncomment them or add them to the file as needed.

Double check your modifications to your answers.txt file because the Satellite Server install process takes a long time. It is best to catch mistakes sooner rather than later.

Begin the Satellite Server installation process using your answers file. Be sure to specify the option to install the software so it will operate without an external connection to Red Hat Network. Monitor the log files that are created during the installation process to ensure the installation is functioning properly.

Once the SSL certificate has been generated and imported into the Satellite Server, install.pl will restart the Satellite Server then exit. A URI will be displayed which you can use with a browser to complete the installation process.

Launch a web browser and visit the URI displayed by install.pl: https://desktopX.example.com. Examine the certificate offered to your browser and see if you recognize some of the values about the certificate subject and the issuer. Once you are satisfied with the contents of the certificate, accept it into your browser permanently.

Create a RHN user called satadmin with a password of redhat. The e-mail address for this account should be [email protected]. Provide your name for the additional account information. You are now logged in as the Satellite Administrator, satadmin, of a functioning Red Hat Network Satellite Server.

Unmount the ISO image from /mnt since the installation of the RHN Satellite Server software is complete.

Use yum to install updated packages for the Red Hat Network Satellite Server software. The classroom kickstart process configures yum to point to repositories provided by the instructor's server. After the packages have been updated, restart your Satellite Server.
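The answers-file pitfalls described in this checklist and in the install.pl Options note (a relative --answer-file path is silently ignored, and a missing ssl-set-email makes the installer stop and prompt) can be caught before the long install starts. The preflight check below is an added example, not part of the workbook or of the Satellite installer: the function names are hypothetical, the key list is the set edited in this lab, and the world-readable test is an added precaution because the answers file carries the CA certificate password.

```shell
#!/bin/sh
# Added example (not the workbook's or the installer's code): preflight check
# for an install.pl answers file. Function names are hypothetical.

# Keys this lab sets in answers.txt; each must be present and uncommented.
REQUIRED_KEYS="admin-email ssl-set-org ssl-set-org-unit ssl-set-city
ssl-set-state ssl-set-country ssl-set-email satellite-cert-file"

PROBLEMS=0
report() { echo "$1"; PROBLEMS=$((PROBLEMS + 1)); }

# Print the value of the last uncommented "key = value" line, if any.
answer_value() {    # usage: answer_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one line per problem; return 0 only when none were found.
preflight_answers() {    # usage: preflight_answers /absolute/path/answers.txt
    file=$1
    PROBLEMS=0

    # install.pl silently ignores a relative --answer-file path.
    case $file in
        /*) ;;
        *)  report "relative path: install.pl would ignore it and prompt" ;;
    esac
    if [ ! -r "$file" ]; then
        report "cannot read $file"
        return 1
    fi

    # A commented-out or empty key makes the installer stop and ask.
    for key in $REQUIRED_KEYS; do
        [ -n "$(answer_value "$file" "$key")" ] ||
            report "missing or commented out: $key"
    done

    # The entitlement certificate must be named by absolute path and exist.
    cert=$(answer_value "$file" satellite-cert-file)
    case $cert in
        "") ;;    # already reported by the loop above
        /*) [ -r "$cert" ] || report "certificate not readable: $cert" ;;
        *)  report "satellite-cert-file is not an absolute path: $cert" ;;
    esac

    # Added precaution: the file holds the CA certificate password in clear.
    if [ -n "$(find "$file" -prune -perm -004 2>/dev/null)" ]; then
        report "world-readable answers file: $file"
    fi

    [ "$PROBLEMS" -eq 0 ]
}

# Typical use before the long install:
#   preflight_answers /root/answers.txt &&
#       /mnt/install.pl --disconnected --answer-file=/root/answers.txt
```

Each problem is printed on its own line, so the output can be read directly or counted in a wrapper script.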

Obtaining Software from Hosted RHN

Populating the Satellite Server over the Network

Populating the database over the network takes less administrator time but more clock time overall. Use the satellite-sync command to perform a network synchronization, specifying the channel you wish to download:

[root@host ~]# satellite-sync -c rhel-i386-client-vt-5

This single command will perform the task, but it may take several hours for base channels with thousands of packages.

Channel Content ISOs

Channel Content ISOs contain the information, including RPMs and metadata, needed to populate a Satellite Server. They are not a package-for-package match to a channel; instead they are a superset. A particular Channel Content ISO may contain channel data for that base channel, for its child channels, and even for related, but different, base channels. For example, a listing of the channels included on the channel content ISOs distributed for “RHEL 5 Client/Server (i386) + vt + cluster + supplementary + workstation” might read as follows (from satellite-sync --list-channels):

Retrieving / parsing channel data
   p = previously imported/synced channel
   . = channel not yet imported/synced
base-channels:
   p rhel-i386-client-5                     1807
   p rhel-i386-server-5                     2411
rhel-i386-client-5:
   . rhn-tools-rhel-i386-client-5            348
   . rhel-i386-client-workstation-5          891
   . rhel-i386-client-supplementary-5         27
   . rhel-i386-client-vt-5                    34
rhel-i386-server-5:
   . rhn-tools-rhel-i386-server-5            348
   . rhel-i386-server-hts-5                    4
   p rhel-i386-server-vt-5                    34
   . rhel-i386-server-supplementary-5         46
   . rhel-i386-server-cluster-5               39
   . rhel-i386-server-cluster-storage-5       51

In this example, the Channel Content ISOs include both client and server base channels and relevant child channels. In this sample listing, an administrator installed both client and server base channels and virtualization technology packages for the server base channel. Both base channels share many packages; the Satellite software understands this and will only load the differences after the first channel is installed. For example, installing rhel-i386-client-vt-5 will take only a few seconds since it shares the same packages as the rhel-i386-server-vt-5 child channel which has already been imported into the Satellite Server.

Note

Importing channel content into a RHN Satellite server can take a long time to complete. This is especially true when a Satellite server is freshly installed. Installing a small base channel and restarting the Satellite server causes the embedded database to initialize itself so that further channel installs are much quicker. In the lab exercise, a simple base channel called one-rpm-channel will be used for this purpose.

Using Channel ISOs to Populate the Satellite Server

To populate the database using the Channel Content ISOs:

1. Confirm you have sufficient disk space. You will need disk space for the ISOs and the data to be extracted from the ISOs, in addition to the disk space needed to store the data in the database.

2. Download the Channel Content ISOs from Red Hat Network.

• Log onto Red Hat Network and click the Software Downloads icon.

• Expand the base channel called Red Hat Enterprise Linux (v. 5 for 64-bit x86_64), or the version of Red Hat Enterprise Linux you are using, by clicking the plus symbol to the left of the channel name. Then click the link for the latest Red Hat Network Satellite channel. For example, you might select Red Hat Network Satellite (v5.4 for Server v5 AMD64 / Intel64).

• Click View Base Channel Content ISOs for Satellite to list the Channel Content ISOs. Scroll down to find the Channel Content ISOs for the channel you wish to download. For example, scroll down to Red Hat Enterprise Linux 5 Client/Server (i386) + rhn-tools + vt + cluster + supplementary + workstation (Base 2009-09-30) to download the content ISOs for that channel.

3. For each channel, mount each ISO in turn and copy the data to a temporary directory. If you intend to use the expanded channel content on more than one Satellite Server (or back it up), be sure to mount it read only since satellite-sync will attempt to remove the content as it imports the RPMS.

4. List the channels available from the Channel Content ISOs. For example, if you have copied the ISO data into a directory called /rhn-sat-import, then list the available channels by running:

[root@host ~]# satellite-sync -m /rhn-sat-import --list-channels

5. Run the satellite-sync command to upload the information from this directory into the Satellite Server. For example, to load the rhel-i386-server-5 channel that has been copied into /rhn-sat-import into the database, run:

[root@host ~]# satellite-sync -m /rhn-sat-import -c rhel-i386-server-5

Installing a base channel does not include the child channels or the related channels. They must be installed separately.

References

Red Hat Network Satellite Installation Guide

• Chapter 7: Troubleshooting

Practice Performance Checklist

Preparing Channel Content for Import

Before you begin...

The RHN Satellite software installation on your desktopX machine should be completed.

Channel content ISOs are available from the instructor's machine, instructor.example.com. Extract their contents into a common directory on your Satellite server, desktopX, so the channel content can be imported in a later lab exercise.

The first step is to make sure you have enough disk space to extract the content ISOs. They will require over 8 GB of space. Notify your instructor if you don't have enough room on your machine to extract them.

The content ISOs are published to the classroom in the /misc/instructor/rh401-satellite/sat-rhel6-content/ directory. Mount the content ISOs using a loop interface to /mnt and copy the contents of both ISOs to a directory called /root/sat-rhel6-content/.

Importing Initial Software Packages

RHN Software Channels

The Red Hat Network system deploys packages based on the concept of software channels. A software channel is essentially a collection of packages. The two types of software channels are base channels and child channels. A base channel is the collection of packages that all systems using a particular type of software typically will install (it is not always necessary to install all packages, but a full install would include all of these packages). Child channels provide additional software related to the base channel.

For example, if you browse Red Hat Network's Channels tab, you will see the latest version of the Red Hat Enterprise Linux base channel along with its associated child channels. It will look something like this:

Channel Name                          Architecture
Red Hat Enterprise Linux Server 5     IA-32, IA-64, PPC, s390x, x86_64
Red Hat FasTrack Server 5             IA-32, IA-64, PPC, s390x, x86_64
Red Hat Network Tools Server 5        IA-32, IA-64, x86_64
Red Hat Productivity Apps Server 5    IA-32, x86_64
Red Hat Supplementary Server 5        IA-32, IA-64, PPC, s390x, x86_64
Red Hat Virtualization Server 5       IA-32, IA-64, x86_64

The channels are listed in alphabetical order by name, followed by the architectures relevant to that channel.

The channel listing on a Satellite Server looks a little different. The software channels are displayed in a way that shows their relationship to each other. The base channel is displayed first with its child channels appearing immediately below their parent:

Channel Name                                        Packages   Systems
-Red Hat Enterprise Linux (v. 5 for 32-bit x86)     3239       10
|--RHEL Virtualization (v. 5 for 32-bit x86)        67         3
...

RHN Entitlement Certificate

Entitlement Certificates unlock the services of Satellite Servers. They define how many systems can register with the Satellite Server and what types of system entitlements they have, such as Update, Management, Provisioning, or Monitoring. They also define the number and type of software channels that can be subscribed to.

An Entitlement Certificate can limit which menus appear on the RHN Web Interface of a Satellite Server. For example, a Satellite Server without Provisioning system slots won't present the Kickstart menu or features that apply only to systems with Provisioning entitlements.

RHN Satellite Entitlement Certificates are issued and digitally signed by Red Hat so they can't be tampered with. Below is a portion of a sample certificate:

<?xml version="1.0" encoding="UTF-8"?>
<rhn-cert version="0.1">
  <rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field>
  <rhn-cert-field name="owner">Red Hat GLS Cert</rhn-cert-field>
  <rhn-cert-field name="issued">2011-02-11 00:00:00</rhn-cert-field>
  <rhn-cert-field name="expires">2013-02-11 00:00:00</rhn-cert-field>
  <rhn-cert-field name="slots">6</rhn-cert-field>
  <rhn-cert-field name="monitoring-slots">3</rhn-cert-field>
  <rhn-cert-field name="provisioning-slots">3</rhn-cert-field>
  <rhn-cert-field name="channel-families" quantity="4" family="rhel-server"/>
  <rhn-cert-field name="channel-families" quantity="2" family="rhel-client"/>
  <rhn-cert-field name="channel-families" quantity="6" family="rhn-tools"/>
  <rhn-cert-field name="channel-families" quantity="1" family="rhn-proxy"/>
  <rhn-cert-field name="satellite-version">5.0</rhn-cert-field>
  <rhn-cert-field name="virtualization_host_platform">4</rhn-cert-field>
  <rhn-cert-signature>...

Populating the Satellite Server: Options

Once you have set up the RHN Satellite Server, you must populate the server with information for the various channels you wish to distribute. Red Hat provides two methods to accomplish this: network and Channel Content ISOs. Neither method is fast, but the network method is considerably slower, often taking eight hours per channel to download.

Using the network method, your server will download the RPMS and metadata over the Internet. While relatively simple to implement, this is a fundamentally inefficient method which consumes a lot of network bandwidth.

Troubleshooting

Troubleshooting tips:

Disk space! This is the number one culprit when having difficulties with the RHN Satellite Server. At install time, the system may complain of insufficient disk space, but if the Oracle embedded database has an insufficient amount of disk space, often the only symptom is that it refuses to start.

Log files: The RHN Satellite Server consists of multiple subsystems: the server itself; the Oracle database; the web interface; and many other less obvious but still important elements. Therefore, the entire system uses several log files and log directories, including:

• /var/log/rhn/ for the RHN Satellite Server software itself;

• /var/log/rhn_database.log for the embedded Oracle database;

• /var/log/up2date for the Red Hat Update agent.

Even standard log files contain logging information important to this product, including:

• /var/log/messages for taskomatic

• /var/log/httpd/ for the web server

Subsystems: Confirm all subsystems are running. On RHN Satellite 5.4, use the following command to check their status:

[root@host ~]# /usr/sbin/rhn-satellite status

Earlier versions of RHN Satellite software used an init script:

[root@host ~]# service rhn-satellite status

Time: Use the date -u command on all RHN Satellite and Proxy Servers to confirm their time is closely coordinated.

SSL certificate: Confirm the /etc/sysconfig/rhn/{rhn_register,up2date} files on the clients are using the newly created RHN-ORG-TRUSTED-SSL-CERT certificate and not the original RHNS-CA-CERT certificate.
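One way to run the SSL certificate check above on a client, as an added example that is not part of the workbook: it assumes the CA file is named by the sslCACert setting in those configuration files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which CA certificate an RHN client configuration trusts.
# Assumption: the CA file is set with a line of the form "sslCACert=/path".

# Print the sslCACert value; a "sslCACert[comment]=" line is not matched.
ca_cert_setting() {    # usage: ca_cert_setting FILE
    sed -n 's/^[[:space:]]*sslCACert[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one verdict per file; return 0 only if at least one file was
# checked and every checked file points at a readable organization CA.
check_client_ca() {    # usage: check_client_ca FILE...
    rc=0
    checked=0
    for conf in "$@"; do
        if [ ! -f "$conf" ]; then
            echo "$conf: skipped (not present)"
            continue
        fi
        checked=$((checked + 1))
        ca=$(ca_cert_setting "$conf")
        case ${ca##*/} in
            RHN-ORG-TRUSTED-SSL-CERT)
                if [ -r "$ca" ]; then
                    echo "$conf: ok ($ca)"
                else
                    echo "$conf: $ca is configured but not readable"
                    rc=1
                fi ;;
            RHNS-CA-CERT)
                echo "$conf: still trusts the original RHNS-CA-CERT"
                rc=1 ;;
            "")
                echo "$conf: no sslCACert setting found"
                rc=1 ;;
            *)
                echo "$conf: unexpected CA file $ca"
                rc=1 ;;
        esac
    done
    if [ "$checked" -eq 0 ]; then
        echo "no configuration file found"
        rc=1
    fi
    return $rc
}

# On a client:
#   check_client_ca /etc/sysconfig/rhn/rhn_register /etc/sysconfig/rhn/up2date
```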

References

Red Hat Network Satellite Installation Guide

• Section 6.2: Importing with RHN Satellite Synchronization Tool

• Section 6.3: Synchronizing

Red Hat Network Satellite Installation Guide

• Chapter 7: Troubleshooting

Practice Performance Checklist

Populating RHN Satellite with RHEL6 Software

Before you begin...

The RHN Satellite software installation on your desktopX machine should be completed and RHN channel content from both ISOs should be expanded into the /root/sat-rhel6-content/ directory on that server.

Import the RHN base channel content for the Red Hat Enterprise Linux 6 Server software for 64-bit x86 machines into your RHN Satellite server.

The first software channel to be imported into a RHN Satellite 5.4 server takes much more time to import than subsequent channels. To conserve time, import the one-rpm-channel base software channel published in the /misc/instructor/rh401-satellite/one-rpm-channel.tar tar archive. Change into root's home directory on desktopX, extract the archive, import the one-rpm-channel software channel, then reboot your Satellite server before importing the Red Hat software channels.

Log back into desktopX as root. The sat-rhel6-content directory below root's home directory contains the software channel content needed to deploy Red Hat Enterprise Linux 6 Server.

Before you populate the database with RPMs and other information for a particular channel you must first find out which channels are available. Which software channels are provided by the content in the sat-rhel6-content directory?

Now that you have determined which channels are available, import the rhel-x86_64-server-6 channel data from the sat-rhel6-content directory into your Satellite Server's database. This process takes a very long time to complete.

Use a web browser to browse https://desktopX.example.com, where X is the machine number of your Satellite Server. You probably want to bookmark this page since you will refer to it often in upcoming lab exercises.

Log in as the Satellite Administrator, satadmin. Navigate around the web site, particularly looking at the Errata, Channels, Users, and Admin tabs.

Your RHN Satellite Server is now installed and will be ready to be used by clients when the channel content sync is complete. In a later lab you will configure clients to use this server.

Test

Criterion Test

Case Study

Deploying a RHN Satellite Server

Before you begin...

You should have a Red Hat Enterprise Linux 5 Server with a minimal installation on desktopY.

Your department deploys and manages several servers running Red Hat Enterprise Linux. Your facility is an extremely secure site so you don't have access to hosted Red Hat Network services via the Internet. Your manager has invested in Red Hat Network Satellite software to manage your systems.

Your task is to install the RHN Satellite software on your desktopY machine and load it with the software channels needed to deploy Red Hat Enterprise Linux 6 Server systems. All of the material you need to install the system can be found in the /misc/instructor/rh401-satellite directory. Use the redhat-gls-minimal-5.4.cert RHN Entitlement Certificate to activate the server.

When you install the Satellite server, make sure the SSL CA certificate information is specified as follows:

• Organization = Red Hat Inc.

• Organization Unit = Training

• City = your city

• State = your state

• Country = your two-letter country code

Also specify [email protected] for all e-mail addresses requested during installation.

The Satellite Administrator should log in as satadmin with a password of redhat.

How would you address the case study described above? Take notes on your process in the space below and then implement it.

Unit Summary

RHN Satellite Server Concepts

In this section you learned about the features, benefits, and components of Red Hat Network Satellite software.

RHN Satellite Server Installation

In this section you learned how to:

• Install Red Hat Network Satellite Server software

Obtaining Software from Hosted RHN

In this section you learned how to:

• Get RHN software channel content from Red Hat

• Prepare channel content ISOs for use with RHN Satellite

Importing Initial Software Packages

In this section you learned how to:

• Import Red Hat software content into a Satellite server

Chapter 3.

UNIT THREE

RED HAT NETWORK ORGANIZATION

Introduction

Topics covered in this unit:

• Red Hat Network organization management

• User account management

• Purpose and privileges of RHN user roles

• Red Hat Network system groups

RHN Organization Administration

Time invested in the initial planning and design of Red Hat Network organizations and system groups saves time spent on RHN Satellite Server administration later. Organizing Red Hat Network to fit with the way your company does business will allow your system administrators to maximize the benefits of using RHN.

Trust relationships between organizations allow them to share custom software channels with each other. Trust is always bi-directional between two organizations. This feature was introduced with the release of Red Hat Network Satellite 5.3.

Trust relationships also facilitate the migration of systems between organizations that trust each other. Note that this is not a trivial process that can be handled using the web interface. Command-line tools must be used to migrate a system profile from one organization to the other. Remember that organizations were originally created to provide a layer of isolation between users and systems using Red Hat Network.

A freshly installed Satellite Server starts with a single organization which has a single user, the Satellite Administrator. A best practice is to always use organizations on a new Satellite Server deployment. Even if only one managed organization is created and used, it allows for the creation of other organizations if and when the need arises.

References

Red Hat Network Satellite Deployment Guide

• Chapter 3: Multiple Organizations

Red Hat Network Satellite Reference Guide

• Chapter 9: Multiple Organizations

Practice Exercise

Organization Creation and Entitlement

Before you begin...

Students should have a functioning Red Hat Network Satellite Server, desktopX, installed with Red Hat Enterprise Linux Server base channel content loaded.

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Log in as the Satellite Administrator of your desktopX Satellite server. Create an organization called “Example Inc.” and assign it entitlements for provisioning and managing Red Hat Enterprise Linux Server systems.

• Create an organization in your Red Hat Network Satellite Server named “Example Inc.”. The Organization Administrator is Mr. Edward Example and he should log in as example with a password of redhat. E-mail for this account should be sent to [email protected].

System entitlements should be assigned to this new organization as follows:

• Management: 3

• Monitoring: 0

• Provisioning: 1

• Virtualization: 1

• Virtualization Platform: 0

The following quantity of software entitlements should be assigned as well:

• Red Hat Enterprise Linux Server (v. 6): 2

• Red Hat Network Tools for RHEL (v. 6): 2

RHN User Administration

Red Hat Network Users and Roles

User accounts are managed by the Organization Administrator within each organization. User names (login) must be at least 5 characters in length and must be unique across the Satellite Server. For example, there can't be two users named “wayne” even though they belong to two different organizations.

To create a user, log in as an Organization Administrator and select the Users tab. Click the create new user link, assign the user a unique login name and a password, and fill in other pertinent information about the user's identity. Once the Create Login button is clicked, the account is created and appears in the list of organization users. On the Details tab of the user's page, check boxes can be selected for the roles in which they will serve.

The following outline lists the different Red Hat Network roles that can be assigned to a RHN Satellite user:

• Satellite administrative roles

  • Satellite Administrator

  • Organization Administrator

• Other individual roles

  • User/System Group User (default/baseline)

  • System Group Administrator

  • Activation Key Administrator

  • Channel Administrator

  • Configuration Administrator

  • Monitoring Administrator

Each role's function and capabilities will be covered in more detail below.

Satellite Administrator

The Satellite Administrator account manages the overall function of a Satellite Server. The unique functions provided by this role include creating and deleting organizations, establishing trusted relationships between organizations, managing Satellite-wide subscriptions and entitlements, and other global administrative functions. These functions are available under the Admin tab which only appears when the Satellite Administrator is using the system.

A new Satellite entitlement certificate can be activated by the Satellite Administrator using the web interface. Periodically this function has to be performed to keep a Satellite Server functioning since each certificate issued by Red Hat has a limited life based on its expiration.

Organization Administrator

The Organization Administrator can perform all functions within the scope of the organization which they manage. Typically they manage user accounts and assign them roles, although Organization Administrators can perform all of the functions that belong to all of those roles.

Organizations can have multiple Organization Administrators, therefore multiple administrators don't have to use a common account and share the master “organization superuser password”. Lost or forgotten Organization Administrator passwords can be e-mailed to the e-mail account associated with their RHN account or they can be changed by another Organization Administrator within their organization. They cannot be recovered or overridden by the Satellite Administrator so it is wise to have more than one Organization Administrator for each organization as a safeguard.

System Group and Activation Key Administrators

System Group Administrators can create and delete system groups. They can remove systems from their system groups and can add systems to additional groups which they control, but they cannot add systems to any of their groups if there is no initial association with at least one of the system groups they control. System Group Administrators are automatically assigned control over the groups they create. An Organization Administrator must assign unassociated systems to one of the system groups of a Group Administrator to put it under their control, but this can be automated with the use of activation keys.

Activation Key Administrators create and manage activation keys that are used when registering a client system to Red Hat Network. They have the authority to associate their keys with one or more of any of the system groups within their organization. Activation Key Administrators are also able to manage any activation key within their organization, regardless of which administrator created the activation key.

Channel and Configuration Administrators

Channel Administrators can create, clone, and delete software channels. They can import RPMS into and delete packages from custom software channels and assign similar privileges for specific software channels to other users. All software channels can be administered by any Channel Administrator within an organization, but other users can only administer the particular channels assigned to them. Channel Administrators can also manage errata.

Configuration Administrators serve similar functions to Channel Administrators, but they manage and control access to configuration channels instead of software channels. Administrative responsibilities for configuration channels cannot be delegated to users who aren't Configuration Administrators. Provisioning add-on entitlements must be assigned to systems before they can be considered as a target system for configuration channels.

Monitoring Administrator and Default User

Monitoring Administrators can schedule probes and administer other system monitoring functions. Although this role can be assigned to any user by an Organization Administrator, it only serves a purpose on Satellite Servers where system monitoring has been enabled by the Satellite Administrator on a Satellite-wide basis.

All accounts serve as System Group Users when they aren't assigned an additional Red Hat Network administrative role. Organization Administrators can assign system groups to System Group Users for administration by going to the System Groups tab within the Users tab. Channel Administrators can also grant software channel administrative privileges for specific channels to System Group Users.

References

Red Hat Network Satellite Deployment Guide

• Chapter 1: Users


Practice Exercise

Creating User Accounts and Assigning Roles

Carefully perform the following steps. Ask your instructor if you have problems or questions.

• Log in to the Satellite server on desktopX as the Organization Administrator for the Example Inc. organization and create the following users as members of that organization:

             Standard user        Privileged user
  Login      normal               grouper
  Password   redhat               redhat
  Full name  Mr. Norman Normal    Ms. Gladys Grouper
  Roles      System Group User    System Group Administrator

  Specify [email protected] as the e-mail address for both RHN Satellite accounts.


System Groups

The most important organizational unit for massive deployment is the system group. Red Hat Network can organize systems into groups allowing for a variety of configuration changes to the group as a whole, including application of new and updated packages and individual files.

Red Hat Network user accounts can be given administrative access to RHN systems by group.

Note that an individual system can belong to multiple system groups.

References

Red Hat Network Satellite Reference Guide

• Section 7.4.3: System Groups


Practice Exercise

Managing System Groups

Carefully perform the following steps. Ask your instructor if you have problems or questions.

1. Log in to the Satellite server on desktopX as the Organization Administrator for the Example Inc. organization, if necessary, and create a system group called “example servers.” Fill the group description with useful information of your choice.

Do not make any security adjustments or assign administrators to the new group. Examine the initial access privileges for normal and grouper to the example servers group.

2. Modify the example servers system group so grouper can administrate the group. Sign in as grouper and normal and observe what access they have to the system group.

3. Log in as grouper and modify the group so normal can administer systems in that group. Log in as normal and confirm he has access to the group.


Unit Summary

RHN Organization Administration

In this section you learned how to:

• Create a Red Hat Network organization

• Assign base and software entitlements to a RHN organization

RHN User Administration

In this section you learned how to:

• Create users within a RHN organization

• Modify the role of a RHN user

System Groups

In this section you learned how to:

• Create a system group within an organization

• Assign a System Group Administrator control over a system group

• Assign a normal user as a system administrator within a system group


UNIT FOUR

USING SUBVERSION TO MANAGE CHANGES

Introduction

Topics covered in this unit:

• Introduction to Subversion

• System administration uses for revision control

• Creating a new repository and starting projects

• Using Subversion to manage files


Revision Control Concepts

What Is Revision Control?

Revision control software is a useful tool for system administrators who write scripts, write documentation, and develop configuration files. Revision control keeps a record of changes made to files under its control, but the only changes it can manage are the ones checked into it by the user. Subversion is a revision control system normally used for software development. We will use Subversion throughout this course to manage changes and revisions made in later lab exercises.

Subversion maintains a history of the four W's of changes: who committed what changes to the storage system when and why. The user who commits changes is the who. Subversion calculates the what - the differences between the previous version of a file and the version being checked in. The time when the revisions are committed is the when. The log messages entered by the user explain why the changes were made. Since log messages document the reasons why changes are made, they are often used when building and releasing errata packages.

Revision control software does not replace communication or good management. It can help merge changes made by multiple users, but it isn't going to make sure the changes make sense together -- that is the human's job! Subversion does not check for syntax errors (although it can be configured to run syntax checkers). However, Subversion can make coordination of changes and repair of mistakes simple.

How Subversion Works

All the files and directories under Subversion control are stored in a central repository. A repository is a directory structure that contains a database, lock files, and other administrative files. The database in the repository stores all the information necessary to recreate any version of the files and the log messages submitted for all of the revisions. The repository may be stored in a local directory or it may be accessed remotely using ssh or WebDAV.

Files should never be edited in the repository directly. Instead, each user creates a personal working directory where changes are made. When a user wants to edit files stored in the Subversion repository, they check out current copies of those files into a Subversion working directory. Copies of those files are put into a Subversion working directory and they can be edited normally. After the changes have been made, the user commits the files back to the repository so other users can check them out and edit them further.

If a user has old, outdated copies of files from the repository, they can update them before they start work to get the latest versions of the files and minimize conflicts when they commit their changed copies. Once a user has files checked out of Subversion, the user typically keeps modifying them in an update-edit-commit cycle.

Each subdirectory of a Subversion working directory has a .svn directory. This directory contains important support files for Subversion so it can keep track of changes to the files in the working directory:

• .svn/entries lists each of the Subversion-managed files in the directory and some information about them.

• .svn/text-base contains the latest editions of files that were copied from the repository when svn update was executed. This allows for comparisons with working copies without having to access the repository.


There are other files in this directory that haven't been mentioned. These files should never be edited by hand! Let Subversion manage them automatically.

Selecting a Repository

Later in this unit you will learn how to use Subversion with files in an existing repository. The repository could be a directory on the local computer or it may be accessed remotely through one of several access methods. The repository URL is specified when the project is originally checked out into a local Subversion working directory. The .svn/entries files in the working directory contain the repository URL so the URL doesn't have to be specified when working in the Subversion working directory.

Remote Repositories

Frequently the Subversion repository is hosted on a different machine than the Subversion working directory. In this case one of Subversion's remote access methods will have to be used to contact the repository. The available methods depend on which access methods the Subversion administrator has configured.

A simple method that allows secure read-write access is svn+ssh, which uses the ssh program for transport. This method requires shell access to the system hosting the Subversion repository. SSH public key authentication eliminates the need to enter a password multiple times when accessing the Subversion repository.


Subversion Administration

Initializing a New Repository

The svnadmin create command creates a new repository. This command must be executed by a user who has write permissions to the directory where the repository will be created. Although a user can create a private repository, most repositories are used by multiple users on a system so root usually must create and secure system-wide repositories.

A simple way to set up a repository that will allow secure authentication is to allow Subversion over SSH (svn+ssh). Make sure the sshd daemon is started and is configured to start on boot. User accounts will have to be created and passwords assigned for each of the remote users who will access the repository.

Subversion Security

Once a new Subversion repository is created, determine which users need read-only and read-write access to the projects that will be added to the repository. The best way to handle this is to put all of the appropriate users into a group and make the db directory read-write and set-gid for that group. When two groups of users have conflicting security requirements, create two separate repositories for their projects.

[root@host ~]# groupadd -g 20000 svnuser
[root@host ~]# chgrp -R svnuser $REPO_PATH
[root@host ~]# chmod -R g+w $REPO_PATH/db

ACLs on ext3 filesystems can be used to restrict or allow access to a repository by additional groups or individual users.
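The text asks for the db directory to be set-gid, but the three commands shown only change group ownership and add group write. The following shell functions are an added example, not part of the workbook: secure_repo_perms applies the full scheme and audit_repo_perms reports any entry that has drifted from it. The function names, the finding labels and the script name in the usage comment are assumptions.

```shell
# Added example, not from the workbook. Function names and the finding
# labels are assumptions made for this illustration.

# secure_repo_perms REPO_PATH GROUP
# Applies the group scheme described in the text, including the set-gid
# bit on directories, which the three commands in the text do not set.
secure_repo_perms() {
    chgrp -R "$2" "$1" || return 1
    chmod -R g+w "$1/db" || return 1
    find "$1/db" -type d -exec chmod g+s {} + || return 1
}

# report LABEL PATHS
# Prints "LABEL path" for each path; returns 0 only if something was printed.
report() {
    if [ -z "$2" ]; then
        return 1
    fi
    printf '%s\n' "$2" | sed "s|^|$1 |"
}

# audit_repo_perms REPO_PATH GROUP
# Returns 0 when db matches the scheme, 1 when any finding is printed.
audit_repo_perms() {
    db=$1/db
    rc=0
    if [ ! -d "$db" ]; then
        echo "MISSING $db"
        return 1
    fi
    # Entries owned by another group are out of reach of the group's members.
    if report WRONG-GROUP "$(find "$db" ! -group "$2")"; then rc=1; fi
    # Directories must be group-writable so every member can add revisions.
    if report NOT-GROUP-WRITABLE "$(find "$db" -type d ! -perm -020)"; then rc=1; fi
    # Without set-gid, new files take the committer's primary group and
    # the next user's commit fails with a permission error.
    if report NO-SETGID "$(find "$db" -type d ! -perm -2000)"; then rc=1; fi
    # World-writable entries let any local account alter stored history.
    if report WORLD-WRITABLE "$(find "$db" \( -type f -o -type d \) -perm -002)"; then rc=1; fi
    return $rc
}

# Stand-alone use (script name is hypothetical):
#   sh audit.sh /var/local/svn svnuser
if [ $# -eq 2 ]; then
    audit_repo_perms "$1" "$2"
fi
```

Only directories are checked for group write because Subversion may store committed revision files read-only; the directories are what a committer needs to write to.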

Starting a Subversion Project

Starting a project in Subversion is very simple. First, create a directory and populate it with the initial revisions of files that make up the project. Create and populate subdirectories as needed. Once you have decided on your project directory structure and created your initial content, import it into your repository. Change into the top level directory of your new directory tree and type:

[user@host tmp]$ svn import $REPO_URL/newproject

Notice the name of the original directory used to organize the project and the name of the project in the repository do not have to be the same. Choose a short, but descriptive, project name so it is easy to identify it when listing a repository's contents.

The svn import command will recursively search through subdirectories. Like svn commit, the import command will open the default text editor for an initial log message. Since this is the original import of a project's content, the log message should briefly describe what the project is.

Other Revision Control Software

RCS is the great-grandfather of open source revision control software. It works on a single system (it doesn't have network capability) and works on the premise that users have to check out locked copies of files they want to edit. The rcs RPM provides the suite of RCS tools and is supported with Red Hat Enterprise Linux.

CVS (Concurrent Versions System) is a popular revision control system. Its commands are accessed using cvs followed by a subcommand then options and arguments. The CVS subcommands were based upon the RCS commands, except CVS provided functionality over a network with a central repository. Subversion was designed to function like CVS, but without some of its limitations.

The cvs RPM provides the CVS revision control system for Linux and is supported by Red Hat Enterprise Linux. The info pages for CVS are much more useful than the man pages. A good reference book for CVS is also available online at the following URL: http://cvsbook.red-bean.com/cvsbook.html.

Another distributed revision control system is Mercurial. It provides similar functionality to Subversion, but it is invoked as hg on the command line and it has additional subcommands that Subversion doesn't provide. Mercurial is written in Python and has an integrated web interface. Red Hat Enterprise Linux does not provide Mercurial at this time, but it is provided by Fedora.

git is a distributed revision control system that operates on the principle that every working directory acts as a complete repository managing complete change history. Developers use git to coordinate and facilitate Linux kernel development. Like Mercurial, git is provided by Fedora, but not Red Hat Enterprise Linux at this time.

References

“Version Control with Subversion” book available on-line at http://svnbook.red-bean.com

svnadmin(1) man page and svnadmin help Subversion subcommand


Practice Exercise

Preparing the Subversion Repository and Users

Before you begin...

In this lab one of your two machines will be referred to as desktopX and will host the Subversion repository. This machine should be your RHN Satellite Server since you will reinstall desktopY to complete later labs.

Your client machine, desktopY, will serve as the remote workstation of one of your Subversion users. Make sure the clocks on both of your machines are synchronized with each other.

If you need to install packages, yum should already be configured on desktopX and desktopY.

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Your internal DNS servers have had some problems lately. The DNS administrators, Stan and Oliver, have been modifying configuration files in such a way they have been stepping on each other's changes. Your task is to deploy a Subversion server which will allow Stan and Oliver to work together and stop the configuration file conflicts.

Build a Subversion repository on desktopX that will allow two users, oliver and stan, to create projects and work collaboratively.

1. Reinstall desktopY with Red Hat Enterprise Linux 6 to prepare it for this and future lab exercises. PXE boot desktopY and select the “Install a standard RHEL 6 workstation” option.

2. Log in as root on desktopX and install Subversion if necessary. Create a repo named /var/local/svn on desktopX while desktopY reinstalls. After the installation finishes, check if Subversion is installed on desktopY. If not, then install it on desktopY also.

3. On desktopX, create a group called svnuser with a group ID of 60000. Modify the Subversion repository so all users in that group can create and modify projects.

4. Create user accounts for oliver and stan on both workstations. Assign their accounts the password of password on both systems.

Make all necessary adjustments to their accounts to allow them to use Subversion from either host. Both users should be able to commit their changes to the Subversion repository without typing a password when they are logged into desktopY.


Practice Exercise

Starting a New Project in Subversion

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Set up a new project in the Subversion repository for DNS configuration files.

1. Log in as oliver on desktopX and create a subdirectory in Oliver's home directory called source. Create etc and var/named subdirectories below ~/source to provide a temporary DNS chroot hierarchy.

2. Use anonymous FTP to download all the files in /pub/materials/namedfiles from instructor.example.com into ~/source. Move the files into the appropriate directories in the temporary tree. Do not change their names at this time.

3. Have oliver create a new project called dnsfiles in the Subversion repository. The project should initially be populated with the files from his ~/source directory.

If the group ownership and permissions assigned to the repository are correct, Oliver should be able to create the project since he is a member of the svnuser group.

4. Confirm the files are safely in the repository. Check the dnsfiles project out from the Subversion repository on desktopX and compare its contents with the files in ~/source.

5. Remove the ~/source directory from Oliver's home directory once it is confirmed the DNS files are properly stored in the Subversion repository.


Revision Management with Subversion

Preparing to Use Subversion

When using Subversion with an existing repository, only a few basic commands are needed to get started. These commands will be introduced in the following pages. Before we examine them, there are a couple of configuration items that need to be taken care of.

Subversion requires an environment variable to specify which text editor to use to enter log messages. Valid environment variables include EDITOR, VISUAL, or SVN_EDITOR. One of these environment variables should be defined in a Subversion user's .bash_profile configuration file.

export EDITOR=vim

In Red Hat Enterprise Linux 6 and recent Fedora versions, the Subversion RPM provides a configuration file for bash that teaches it how to complete Subversion sub-commands. The following added to a user's ~/.bashrc would activate this feature:

. /etc/bash_completion.d/subversion

Starting a Working Directory

The svn checkout command copies the files of a project from a repository into your current working directory. The Subversion administrator must provide the URL to the repository and the name of the project. Projects can be listed if only the URL to the repository is given:

[user@host ~]$ svn list file:///var/local/svn
myproject/
oneproject/
twoproject/
... Output Omitted ...

A project is usually the relative path to a set of related files stored in the repository. A single Subversion repository can store several different projects in its database. Given the output above, the following command would checkout the oneproject project from the repository into a Subversion working directory called oneproject below your current directory:

[user@host ~]$ svn checkout file:///var/local/svn/oneproject
A    oneproject/index.html
A    oneproject/images
A    oneproject/images/banner.png
A    oneproject/images/logo.png
Checked out revision 7.

The lines that start with an A indicate these files have been added from the repository into your Subversion working directory.

Committing Changed Files

After one has finished editing files in the Subversion working directory, the new revision needs to be put into the repository. The svn commit command accomplishes this task. Without arguments, svn commit will recursively check the current directory and all subdirectories for changed files and commit them to the repository.

Log messages are critically important!

Before the commit completes, a text editor launches and prompts for a log message which will be associated with this revision. Log messages should be brief descriptions explaining why the changes were made for future reference. When the log message is brief, the -m option can specify the log message on the command line:

[user@host myproject]$ svn commit -m 'Restrict cracker.org host access.'
Sending        etc/hosts.deny
Transmitting file data .
Committed revision 15.

Particular files can be committed individually. The following command is an example of committing a file that is finished when other files are not ready to be committed:

[user@host myproject]$ svn commit filename

Updating a Working Directory

As files are edited in a Subversion working directory and the changes are committed, so are the changes of co-workers. If the current Subversion working directory was checked out some time ago, it may not have the latest revision of the files that need to be edited. The svn update command contacts the repository and updates the Subversion working directory with the latest revisions committed. It's a good idea to run svn update at the start of the day (before you start work) and any time a co-worker may have revised a file you plan to edit. Like checkout, update outputs a line for each file updated starting with a letter to indicate the state of the file:

• U: The file in the working directory has been updated from the repository.

• G: A file in the working directory was in conflict but Subversion was able to update it and merge the changes automatically.

• A: There is a new file in your Subversion working directory from the repository.

• D: A file was deleted from the Subversion working directory and will be marked as deleted from the repository.

• ?: A file is in your working directory, but it does not correspond to anything in the repository, and it is not scheduled for addition to the repository.

• M: A file in the repository has local modifications that haven't been saved.

• C: There is a modified file with a copy in the repository that has changed and the changes conflict. The changes need to be resolved manually.

Merging Conflicting Changes

When a file being committed has changed in the repository since the last update, svn commit will fail. svn update must be executed to merge the changes into the modified working copy. If the changes conflict (for instance, if the edits are on the same line as the changes in the repository copy), the conflict must be resolved. The svn update command displays a C in the first column when conflicts occur.


[user@host sample]$ svn commit -m "fixed michael's last name"
Sending        namelist
svn: Commit failed (details follow):
svn: File '/sample/namelist' is out of date
[user@host sample]$ svn update
C    namelist
Updated to revision 29.

When a conflict occurs, four files can be consulted for a possible fix. In the example above, namelist.mine is the original working copy of the file that has the changes that were being committed before the conflict was flagged. namelist.r28 is the pristine version of the file before any changes were made and namelist.r29 is the new update that came from the repository. The file, namelist, is modified so all conflicts are delimited by <<<<<<<, =======, and >>>>>>> markers:

[user@host sample]$ ls
hello     namelist.mine  namelist.r29  sample2  sample4
namelist  namelist.r28   sample1       sample3
[user@host sample]$ cat namelist
... Output omitted ...
<<<<<<< .mine
michael thomason
=======
michael thompson
>>>>>>> .r29
... Output omitted ...

Once the conflict has been resolved, the svn resolved command will clean up the extra version files and ready the Subversion working directory for a commit:

[user@host sample]$ svn resolved namelist
Resolved conflicted state of 'namelist'
[user@host sample]$ svn commit -m "fixed michael's last name"
Sending        namelist
Transmitting file data .
Committed revision 30.
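Because svn resolved only clears the conflicted state, a file that still contains the markers would be committed as-is on the next svn commit. The following shell check is an added example, not part of the workbook; the function names and the sample file contents are constructed for illustration.

```shell
# Added example, not from the workbook. Function names and the sample
# file contents are constructed for illustration.

# write_sample_conflict PATH
# Writes a constructed copy of the conflicted namelist shown in the text.
write_sample_conflict() {
    cat > "$1" <<'EOF'
alice anderson
<<<<<<< .mine
michael thomason
=======
michael thompson
>>>>>>> .r29
zoe zimmer
EOF
}

# unresolved_markers FILE
# Prints one line per leftover conflict block; returns 1 if any are found.
# A bare "=======" outside a block is ignored, since it is also a common
# underline in plain-text documentation.
unresolved_markers() {
    awk '
        /^<<<<<<< / {
            if (start) {
                printf "%s: unterminated conflict block starting at line %d\n", FILENAME, start
                found = 1
            }
            start = NR; sep = 0; next
        }
        /^=======$/ { if (start && !sep) { sep = NR }; next }
        /^>>>>>>> / {
            if (start && sep) {
                printf "%s: conflict block lines %d-%d (separator at %d)\n", FILENAME, start, NR, sep
            } else {
                printf "%s: stray end marker at line %d\n", FILENAME, NR
            }
            found = 1; start = 0; sep = 0
        }
        END {
            if (start) {
                printf "%s: unterminated conflict block starting at line %d\n", FILENAME, start
                found = 1
            }
            exit (found ? 1 : 0)
        }
    ' "$1"
}

# safe_resolved FILE
# Runs "svn resolved" only when FILE no longer contains conflict markers.
safe_resolved() {
    if ! unresolved_markers "$1" >&2; then
        echo "refusing to run svn resolved on $1" >&2
        return 1
    fi
    svn resolved "$1"
}

# Stand-alone use: pass the conflicted file as the only argument.
if [ $# -eq 1 ]; then
    unresolved_markers "$1"
fi
```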

File Manipulation

Adding a new file to a Subversion repository is simple. Create the new file, run svn add filename to schedule it for addition, and then run svn commit. There are two important things to remember: first, svn add doesn't actually add the file to the repository immediately; it just schedules it for addition on the next svn commit. Second, svn commit can take one or more filenames as arguments and commit only those files. This is useful when working on multiple edits at the same time and only a subset of the changes is ready to be committed. The svn add command can also be used to add a directory to the repository.

svn add should not be used to start a new project. When an entire directory tree of files needs to be added, the svn import command is used instead.

Scheduling a file for removal from the repository is very similar to adding a file. svn delete filename deletes the file from the Subversion working directory and marks it for deletion from the repository upon commit. However, the file is not completely removed from the repository. Subversion will record that the file no longer exists, but the repository still stores old revisions and the change log of the file.


Viewing Working File Status

The svn status command displays the current status of files in the Subversion working directory. The -v option causes this command to list all files, not just those with changes. The -u option causes the command to check the repository for more recent updates. Each status line starts with a letter code indicating if an item was added, deleted, or otherwise changed.

[user@host sample]$ svn status -vu
M                19       19 stan         sample1
        *        19       19 stan         sample2
                 20       20 oliver       sample3
                 19       19 stan         .
Status against revision:     21

The asterisk on the second line of output means the repository has a newer version of sample2 than the Subversion working directory. Some common letter codes are:

Letter Code   Meaning
A             File will be added when committed
C             File has unresolved conflicts
D             File has been marked for deletion
M             File has been modified
Space         No modifications
?             File is not under version control
!             File is missing (removed by non-Subversion command)

Table 4.1. Common Subversion Status Codes

The svn info command displays detailed information about a specific working file including the file and repository URL and information about the last commit made to the file.

[user@host sample]$ svn info sample3
Path: sample3
Name: sample3
URL: file:///var/local/svn/sample/sample3
Repository Root: file:///var/local/svn
Repository UUID: b0f33f46-1ad6-4fca-8fb7-0d51367b9b16
Revision: 20
Node Kind: file
Schedule: normal
Last Changed Author: oliver
Last Changed Rev: 20
Last Changed Date: 2009-12-16 14:46:23 -0800 (Wed, 16 Dec 2009)
Text Last Updated: 2009-12-16 14:45:52 -0800 (Wed, 16 Dec 2009)
Checksum: 53375d898de9837e1f9c6565f45f7600

Examining Old Revisions

Rather than being interested in the history of all operations on the repository, you may be interested in specific changes made to a particular file. There are a few commands that are useful for this purpose.


svn log filename will output all the log messages recorded for each revision of filename including when and who committed those revisions.

The svn cat command can be used with the -r option to display a specific revision of a file to standard output. svn cat -rversion filename displays a specific This output can be piped to less for more controlled viewing or it can be redirected to a file for further review:

[user@host wrappers]$ svn cat -r 23 hosts.deny | less

Another useful command is svn diff which compares an old version in the repository with the copy of the file in the Subversion working directory:

[user@host wrappers]$ svn diff -r 16 hosts.deny

This command may take many different options to output various diff formats. The diff subcommand is useful if the comments in the change log aren't sufficiently clear.

Rolling Back to Old Revisions

Sometimes it is necessary to undo all edits made on a file after a particular revision. This can be accomplished with the svn cat command. First the specific revision number of the file in its previous state needs to be identified. This can be accomplished with the svn log and svn diff commands. Use svn cat to display the file in its original, desired state and redirect the output so it overwrites the copy in the working directory. Commit your changes to the repository and mention in the log that a rollback has occurred.

The svn revert command discards uncommitted, recent changes to a working copy of a file. This command restores the files specified to the state they were in when they were last updated from the repository.

Properties and Keyword Substitution

Subversion maintains additional properties about the files in its repository. You can create and manipulate your own properties or you can use the built-in Subversion properties that impact its behavior. For example the svn:executable property will cause a file to be made executable when checked out of the repository when it is set to a value of 1:

[user@host sample]$ svn propset svn:executable 1 hello

The Subversion subcommands to manipulate properties include propset, propget, proplist, propdel, and propedit. Note: properties have to be committed to the repository for them to be persistent.

The svn:keywords property contains a string of keywords separated by spaces that Subversion should expand when a file is checked out of a repository. By default Subversion doesn't perform keyword substitution to avoid damaging binary files. Keywords enclosed in dollar signs are expanded only when the svn:keywords property is set:

[user@host sample]$ svn proplist sample2
Properties on 'sample2':
  svn:keywords
[user@host sample]$ svn propget svn:keywords sample2
Author Id
[user@host sample]$ grep Id sample2
# $Id: sample2 19 2010-02-02 17:31:52Z stapleton $

The following table lists the keywords that Subversion expands:

Keyword    Value
Date       The date/time the file was last changed and committed into the repository
Revision   The revision when the file was last updated
Author     The username of the person who committed the last change
HeadURL    The URL that points to this specific file in the repository
Id         A useful combination of the above keywords

Table 4.2. Subversion Keyword Expansion

Next Steps with Subversion

This unit introduced you to the most commonly used Subversion commands. Other useful Subversion subcommands which we won't discuss include:

Subcommand   Use
export       a variant of checkout, to copy the contents of a project without the .svn subdirectories
annotate     display a file preceding each line of text with author and revision information
lock         set a lock on a file in the repository so others cannot commit changes to that file in the repository
unlock       clear a lock on a file in the repository so others can commit changes to that file in the repository

Table 4.3. Other useful Subversion subcommands

References

“Version Control with Subversion” book available on-line at http://svnbook.red-bean.com

svn(1) man page and svn help Subversion subcommand


Practice Exercise

Managing Changes with Subversion

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Create working directories and observe how Subversion manages concurrent changes by twousers.

1. Log in as oliver on desktopX. If the dnsfiles working directory doesn't exist, check out aworking copy of the dnsfiles project below Oliver's home directory.

2. Change to the top level directory of your Subversion working directory and modify etc/named.conf. Find the comments that read “REPLACE FIX HERE WITH YOUR STATIONNUMBER” and change all occurrences of the string “FIX” in the zone declarations to the lastoctet of desktopX's IP address.

Note: This changes the files that DNS will try to reference. There are comments in the filenoting that the actual files must be renamed for consistency. For now disregard thosecomments since you will fix the repository files to match the new names in a later labexercise.

Commit Oliver's changes with a log message of “Replaced FIX with station's IP.”

3. In another window, log in as Stan on desktopY. Create a Subversion working directory in Stan's home directory and have Stan check out a copy of the dnsfiles project. Examine named.conf. The changes made by Oliver should appear in that file.

4. As Stan, edit var/named/192.168.0.FIX.zone in the Subversion working directory and replace every occurrence of “FIX” with the last octet of desktopX's IP address. Be sure to update the serial number to YYYYMMDD00 using the digits of the current date. Commit Stan's changes with the same log message that Oliver used previously.

5. On desktopX update Oliver's Subversion working directory so Stan's revisions are incorporated into Oliver's files.


Practice Exercise

Moving Files in a Subversion Project

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Previously Stan modified the contents of a file. Modify file names and observe how Subversion manages the changes.

1. Using Stan's account on desktopY, use Subversion to change the name of the 192.168.0.FIX.zone file so “FIX” is replaced with the last octet of desktopX's IP address. Commit the changes into the Subversion repository with a descriptive log message.

2. Review the log messages of the 192.168.0.X.zone file.

Rename the file domainFIX.example.com.zone so “FIX” is replaced with the last octet of desktopX's IP address. Make sure the changes are committed into the Subversion repository.

3. Examine Oliver's Subversion working directory on desktopX. Use Subversion to update his working files and see what happens.


Practice Exercise

Subversion Conflict Resolution

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Observe how Subversion behaves when two users modify the same file, sometimes with conflicting changes.

1. As Stan on desktopY, open domainX.example.com.zone in a text editor. Modify the SOA line of the file so all occurrences of “FIX” are changed to the last octet of desktopX's IP address. For example the student whose Satellite Server is station3.example.com would modify the line to look like the following:

@ IN SOA desktop3.domain3.example.com. root.desktop3.domain3.example.com. (

Save, exit, and commit the changes to the Subversion repository.

2. Without updating first, as Oliver on desktopX open domainX.example.com.zone in a text editor. Fix the NS resource record by replacing each “FIX” with the last octet of desktopX's IP address. Save, exit, and have Oliver commit the changes. This shouldn't require too much effort since Oliver's changes do not conflict with Stan's.

3. Have Stan on desktopY update his Subversion working directory and get Oliver's changes. As Stan, edit domainX.example.com.zone and change each “FIX” in the MX line to the last octet of desktopX's IP address. Update the serial number with the current date followed by a two digit sequence number. Commit Stan's changes to the Subversion repository.

4. As Oliver on desktopX, make the same changes that Stan made but also change the MX record priority to 15. Attempt to commit your changes. This will fail since Oliver's Subversion working directory is not updated. Also update the zone file serial number to be greater than the previous value.

Commit Oliver's changes into the repository since his changes are more complete than Stan's changes.

5. As either Oliver or Stan, update the remaining resource records in domainX.example.com.zone that contain “FIX” with desktopX's number. Update the serial numbers in the .zone files. Commit the changes into the Subversion repository.


Unit Summary

Revision Control Concepts

In this section you learned:

• The benefits of using revision control

• How Subversion works at a high level

• How to select a Subversion repository

Subversion Administration

In this section you learned how to:

• Create a new Subversion repository

• Secure a Subversion repository

• Start a project in Subversion

Revision Management with Subversion

In this section you learned how to:

• Check out a Subversion working directory

• Commit changes made to files in a project

• Update a Subversion working directory with changes made by others

• Merge and resolve changes that conflict

• Add, delete, and change file names in a project

• Roll back to a previous edition of a file


Chapter 5.

UNIT FIVE

RED HAT NETWORK CLIENT CONFIGURATION

Introduction

Topics covered in this unit:

• Configure a client system to use an RHN Satellite Server

• Use SSL encryption for secure communications

• Register systems using Activation Keys and bootstrap scripts

• Troubleshoot client registration problems

Client Registration Concepts

• Objective: register client systems with Red Hat Network

• Steps to take

1. Update Red Hat Network software tools

2. Point to relevant Red Hat Network server

3. Install SSL CA certificate (Satellite/Proxy only)

4. Register the RHN client system

• Authenticate as valid Red Hat Network user, or

• Register with an activation key

In this unit the various methods of registering a client machine with Red Hat Network will be examined. It is assumed the client machine is installed and functioning before the registration process begins.

The steps above outline the overall procedure needed to register a client system with Red Hat Network. Each of the steps will be examined in more detail as we go through the rest of this unit.

When a Client Registers Multiple Times

The default RHN host profile name is defined as the host name of the client system that registered. When a client system registers multiple times (often this requires additional work to do), multiple system profiles with the same name will appear. The key to determining which profile is the current one in use is to identify the RHN system ID of the client and compare it to each of the RHN system profiles in the Satellite server. The system ID of the client is found in the /etc/sysconfig/rhn/systemid file:

[root@host ~]# grep ID /etc/sysconfig/rhn/systemid
<value><string>ID-1000010027</string></value>

The numeric part of the string found on the client should match the RHN Satellite System ID displayed in the Overview page within the Details tab of the system profile.

References

Red Hat Network Satellite Client Configuration Guide

• Chapter 6: Manually Scripting the Configuration

Practice Quiz

RHN Registration Steps

List the four steps (in order) that are taken when a client workstation registers with a RHN Satellite server.

1.

2.

3.

4.


Interactive Client Registration

Update RHN Client Software

Before registering a client with Red Hat Network, it is important to bring the registration and package updating software up to date. Sometimes newer packages are needed because of features provided by the updated tools or changes in their configuration. In practice the registration process will perform this function for you, but you may wish to do this yourself if you are scripting the installation.

Publish the latest versions of the software packages listed below on your RHN Satellite Server's web site. The best place to provide these files is under the http://satellite.fqdn/pub directory. Have the client systems download and freshen these packages before they register with Red Hat Network. For example, a command similar to the following should be run for each package:

[root@host ~]# rpm -Fvh http://satellite.fqdn/pub/yum-version.i386.rpm

• Install the latest version of RHN-related packages

• Red Hat Enterprise Linux 5 and later packages

• rhn-setup

• rhn-setup-gnome

• yum

• Pre-Red Hat Enterprise Linux 5 packages

• rhn_register

• rhn_register-gnome

• up2date

• up2date-gnome

Red Hat Network Server Selection

When a system is installed with Red Hat Enterprise Linux, it is configured to point to hosted Red Hat Network by default. The assumption is that the new system will talk directly with Red Hat's servers over the Internet (https://xmlrpc.rhn.redhat.com/XMLRPC).

/etc/sysconfig/rhn/up2date is the primary configuration file for Red Hat Network client tools. Many of the registration programs modify settings in that file or the changes can be scripted or made manually. For example, the serverURL directive defines which RHN server should be queried for updates:

serverURL=https://satellite.fqdn/XMLRPC

Additionally, HTTP/HTTPS proxy settings can also be defined by assigning the following values in /etc/sysconfig/rhn/up2date:

enableProxy=1
httpProxy=hostname:port

Note

Always use fully qualified domain names when specifying Red Hat Network Satellite and/or Proxy servers.

Secure Communication with SSL

A best practice is to have all Red Hat Network communication secured using SSL encryption.

SSL server certificates must be considered trustworthy before a secure communication tunnel is created. Certificate authority (CA) certificates are used to confirm the authenticity of a host's SSL server certificate. The CA certificate used to verify Red Hat's server certificates can be found in a file called /usr/share/rhn/RHNS-CA-CERT. Red Hat installation media deploys an RPM called rhn-client-tools that installs this CA certificate on all Red Hat Enterprise Linux hosts by default.

The Red Hat Network Satellite Server and Proxy Server installers generate a CA certificate, an RPM package which includes the CA certificate, and an SSL server certificate signed by the CA certificate. Installing the RPM package with the CA certificate causes clients to trust the server's SSL certificate. This RPM is normally distributed through the Satellite Server's web site in the /pub directory and the RPM is typically called: rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm. This RPM must be installed on every client that connects to a Red Hat Network Satellite or Proxy server using SSL. The CA certificate the client uses is defined by sslCACert in /etc/sysconfig/rhn/up2date.

Red Hat Network Authentication

User accounts are unique on Red Hat Network Hosted and on a Red Hat Network Satellite Server. On a RHN Satellite Server each user account, and systems registered using that account, belong to the organization the account was originally created in. Unless there is a universal default activation key, the newly registered system does not belong to any system groups.

Users must authenticate using a RHN user account. User accounts used to register systems do not have administrative privileges to administer those systems by default. To enable RHN users to administer clients they register, the client systems will have to join a system group the users have permissions to administer. An Organization Administrator can modify user accounts so that systems they register automatically join default system groups for that account.

Each registration consumes one Red Hat Network entitlement. Minimally this includes a base slot and a base software channel entitlement. Optionally add-on and child channel entitlements could be included.

Another option is to create a universal default activation key that associates newly registered systems to a generic system group that every RHN user can access. Note that activation keys override default system group assignments associated with a user account.

References

Red Hat Network Satellite Reference Guide

• Chapter 2: The rhn_register Client

rhn_register(8) man page


Practice Performance Checklist

Graphical Red Hat Network Registration

You will register a system with a Red Hat Network Satellite using rhn_register in a graphical environment. Since SSL encryption will be used, the organization CA certificate will have to be located and used when registering the client system.

Your client workstation, desktopY.example.com, should already be installed to provide a graphical environment. The classroom installation configures yum to point to the instructor's server for additional RPMS. Remove the /etc/yum.repos.d/dvd.repo configuration file and reset yum by executing the following commands as root:

[root@desktopY ~]# yum clean all
[root@desktopY ~]# rm /etc/yum.repos.d/dvd.repo

Browse http://desktopX.example.com/pub and locate the CA certificate for the local organization provided by the Satellite Server. Download the CA certificate to the /tmp directory on desktopY.

Log in as root on desktopX and monitor your Satellite server's Apache log files. Use tail -f to monitor them continuously.

Open a terminal window on desktopY and execute rhn_register so it displays a graphical dialog box. Configure the client to use the Satellite Server, desktopX.example.com, for software updates. Use the SSL certificate you previously downloaded and authenticate as the Red Hat Network user normal. Once the client is configured, use yum repolist to verify it is talking with the Satellite Server.

Use a web browser to log into the Satellite server web user interface as normal and see if the newly registered system shows up in the system list. Do the same for the Red Hat Network user grouper. Finally log in as the Organization Administrator, example, and see if the client shows up in his system list.


Practice Performance Checklist

Text-based Red Hat Network Registration

Register a system with a Red Hat Network Satellite using rhn_register in a text-based environment. You should already have the CA certificate copied to the filesystem on the client machine.

Log into a text-based virtual console (Ctrl+Alt+F2) as root on desktopY and execute rhn_register to re-register your client with your Satellite server. When rhn_register asks for RHN authentication information, provide the login of normal with the password redhat.

Log into the Satellite server web interface as example. There should be two system profiles labeled desktopY.example.com.

Registration Automation: Activation Keys

One major benefit of activation keys is they remove the requirement to authenticate as a Red Hat Network user when registering a client system with RHN. This greatly facilitates automation of system registration.

Activation keys also automate other Red Hat Network functions such as subscribing to child software channels, joining system groups, installing specific packages or including add-on entitlements such as Provisioning, monitoring, virtualization, virtualization platform, etc.

Multiple activation keys can be used when registering a system with RHN, so there are a couple of approaches that can be taken when using them. One approach uses a single activation key to perform multiple actions on the RHN Satellite server. The other approach involves several activation keys, with each key performing a single, simple action on the Satellite server. When systems are registered using this approach, multiple keys are used together in various combinations depending on what needs to be accomplished for a given client system. This approach has more flexibility in terms of activation key maintenance.

One activation key can be designated as the “universal default” activation key for an organization. Each organization has its own universal default and only one activation key can be designated as the universal default. The actions and associations assigned to the universal default are taken for hosts that register with an organization without an activation key. It is a best practice to assign a universal default activation key that assigns a newly registered system to a system group as a minimum.

Activation keys are an essential component to Red Hat Network client registration automation. Use the procedure below to generate an activation key. Each activation key has five attributes:

1. Description of what the key is for

2. Usage limit - number of times the key may be used for activation

3. Base software channel the client should subscribe to when activated

4. Add-on entitlements such as Provisioning, Monitoring, Virtualization, or Virtualization Platform

5. A flag indicating whether a key is the universal default

After an activation key is created, additional attributes can be associated with the key such as:

• Child software channels

• Packages to install at registration time

• One or more system groups to join

Clients may only subscribe to relevant software channels. For example a Red Hat Enterprise Linux 5 Server host cannot subscribe to the Red Hat Enterprise Linux AS 4 channel.

Use the activation key to register a system with the Satellite server at client installation time.

Activation Key Creation

• Generate an activation key on the RHN Satellite server:

• Login as an Organization or Activation Key Administrator

• Click on the Overview tab

• Select the Manage Activation Keys task

• Follow the create new key link

• Provide a key description, a key name, usage limit, base software channel and whether it is the universal default for the organization

• Click Create Activation Key

RHN Registration Using an Activation Key

An activation key can be used without the necessity of RHN authentication. Use the following command to invoke rhnreg_ks with the essential options needed to specify the target RHN server, the needed CA certificate for SSL encryption, and the activation key:

rhnreg_ks --serverUrl=https://satellite.fqdn/XMLRPC \
    --sslCACert=/path/to-ca-cert \
    --activationkey=activation-key-name

To interactively register a system to a satellite server, run rhn_register [--nox] and answer all questions posed. You can also modify /etc/sysconfig/rhn/up2date and update serverURL and sslCACert values before running rhn_register to provide some default answers.

Since Red Hat Network Satellite Server version 5.2, the activation key has a numeric prefix (for example, 2-webserver). This prefix represents the organization ID that prefixes every activation key created and associated within that organization.

To specify multiple activation keys with the rhnreg_ks command, a single --activationkey option is specified followed by a comma-separated list of activation key names. Specifying multiple --activationkey options does not work like one might expect: the last option specified is the only activation key that is applied.

To re-register a system already registered with Red Hat Network, perform the following steps:

1. Delete the original system profile from Red Hat Network to reclaim entitlements

2. Use the --force option with rhn_register or rhnreg_ks

References

Red Hat Network Satellite Reference Guide

• Section 7.4.6: Activation Keys

• Section 4.5: Registering with Activation Keys

Red Hat Network Satellite Client Configuration Guide

• Section 2.2.1: Registering with Activation Keys

rhnreg_ks(8) man page


Practice Exercise

Automating Registration with Activation Keys

Carefully perform the following steps. Ask your instructor if you have problems or questions.

The previous exercises demonstrated how to register a machine with a Red Hat Network Satellite Server using interactive utilities. Automate the registration process by creating an activation key that registers with the Example RHN organization and use it to re-register your client.

1. Log into your Satellite server as example and create an activation key named example-servers. It should have a description of “Example Servers”, not have a usage limit, and subscribe the client to the default RHN Satellite base channel for the system being installed. This activation key should not consume any add-on entitlements and do not use it as the universal default.

All systems registered with this activation key should automatically join the example systems system group.

2. Log in as root on the client, desktopY.example.com, and use rhnreg_ks to register your system using the activation key you just created. If the registration doesn't work immediately, diagnose what the problem is and fix it.

The Satellite Server host name and information about the CA certificate already have useful default values. Normally they would have to be specified, but the previous registrations modified /etc/sysconfig/rhn/up2date so it points to valid values so the defaults can be taken.

3. Check the system profile of your client system in the Satellite Server. Is it a member of the example servers system group? If not, make the necessary adjustments to your activation key and re-register the client again. When you are finished with this exercise, delete all of the system profiles in the Satellite Server.

Registration Automation: bootstrap.sh

Many steps must be taken to register client machines with a RHN Satellite Server. The bootstrap.sh script can be used to fully automate this process. By default, this script contains a few useful commands, but you can expand it to do whatever you wish. It may be used in a kickstart %post section or it can be manually executed on a freshly installed Red Hat Enterprise Linux host.

If rhnreg_ks is invoked with an activation key from the bootstrap.sh script, a system can be registered with Red Hat Network before its first boot.

The following steps outline the process of creating the bootstrap.sh script using the RHN Satellite web interface:

• Login as the Satellite Administrator (not an Organization Admin)

• On the Overview tab, select Configure RHN Satellite

• Select the Bootstrap Script tab

• Make any adjustments, then click Update

bootstrap.sh is disabled by default (it contains an exit 1 shell command). It is a good starting point/template, and can be used with activation keys.

To create bootstrap.sh:

• Use web interface as Satellite Admin (not Organization Admin)

• Use the rhn-bootstrap command on the Satellite Server

• Result is http://satellite.fqdn/pub/bootstrap/bootstrap.sh

References

Red Hat Network Satellite Client Configuration Guide

• Chapter 5: Using RHN Bootstrap

• Appendix A: Sample Bootstrap Script

rhn-bootstrap(1) man page


Practice Exercise

Registering Clients with a Bootstrap Script

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Red Hat Network Satellite software can create a template shell script, called a bootstrap script, that can register a client system with the Satellite server. Customize and use a bootstrap script to register a freshly installed system with your Satellite server.

1. Reinstall your client workstation, desktopY, with a minimal footprint installation. Initiate a PXE boot and choose the “Install a minimal RHEL 6 installation” option without any arguments to begin the installation. While desktopY is installing, continue to the next step.

2. A Satellite Server provides bootstrap scripts to all of its clients, not just to a specific organization, so they must be created and managed by the Satellite Administrator.

While the client workstation installs, log in as the Satellite Administrator, satadmin, and in the web interface create a bootstrap script template as a starting point. The script should enable SSL and client GPG checking. It should not enable remote configuration and remote commands. These options will be introduced later in the course.

Optional - Use Subversion to manage the changes you make to the bootstrap script you develop. Create a new Subversion project and check in the original version before you make any changes.

3. Edit your bootstrap script on your Satellite Server. Disable the exit 1 line and modify the ACTIVATION_KEYS shell variable to point to the activation key you created earlier in this lab.

4. Once the client machine has finished installing, log in as root, download the bootstrap script, and execute it manually. Normally this step would be performed in the %post section of a kickstart installation for full automation.

Sign into the Satellite Server web interface as normal and confirm the system is registered and belongs to the example-servers system group.

Resolving Registration Problems

To begin resolving RHN registration issues, start with network connectivity issues:

• Can the RHN server be pinged?

• Does DNS work properly?

• Is there an HTTP/HTTPS proxy or firewall issue?

• Do all references to the Satellite server use its FQDN?

From the client, use rhn_check and rhn-profile-sync -vv to view errors. The following are the most common “Error Class Codes”:

• 9 - client not registered

• 70 - no entitlements available

Once basic connectivity issues are resolved, there are a couple of other areas that should be checked concerning Red Hat Network client/server communication. First, the fully qualified domain name should always be used when referring to the Red Hat Network server, whether it is hosted RHN, a RHN Satellite Server, or a RHN Proxy Server. The fully qualified domain name should resolve to the appropriate IP address for the server. If DNS isn't functioning, a temporary entry could be made in /etc/hosts for testing purposes. Ultimately any long-term solution would fix DNS name resolution.

When using SSL encryption for secure communication, the clocks of the Red Hat Network hosts (both client and server) need to be accurate and synchronized. A good solution for this is to use NTP to keep all the system clocks set to an accurate time to enable SSL to work. Also make sure the fully qualified host name of the Satellite server is being used since the subject of the host certificate is the FQDN of the server.
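The client settings described under Red Hat Network Server Selection and Secure Communication with SSL, together with the FQDN advice above, can be checked with a short script. The following is an added example, not part of the workbook or of Red Hat's tools; the function names and the sample file are constructed for illustration, and it reads only the serverURL, sslCACert, enableProxy and httpProxy settings named in this unit.

```bash
#!/bin/bash
# Added example: audit an up2date-style client configuration file against
# the recommendations in this unit (SSL, CA certificate, FQDN server names).

# cfg_get FILE KEY: print the value assigned to KEY. Lines of the form
# "KEY[comment]=..." do not match "KEY=" and are therefore ignored.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# host_of STRING: strip the scheme, port and path from a URL or host:port.
host_of() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:].*$||'
}

# is_fqdn NAME: succeed if NAME contains a dot and is not a bare IPv4 address.
is_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;          # has a character other than digits and dots
        *) return 1 ;;         # empty, or digits and dots only
    esac
    case "$1" in
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_up2date FILE: print one line per finding and return the number
# of findings (0 means the file follows the recommendations).
audit_up2date() {
    local file=$1 problems=0 url cacert host proxy
    url=$(cfg_get "$file" serverURL)
    cacert=$(cfg_get "$file" sslCACert)

    case "$url" in
        https://*) ;;
        *) echo "serverURL is not https: ${url:-<unset>}"
           problems=$((problems + 1)) ;;
    esac

    host=$(host_of "$url")
    if ! is_fqdn "$host"; then
        echo "serverURL host is not a fully qualified name: ${host:-<unset>}"
        problems=$((problems + 1))
    fi

    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "sslCACert is unset or not readable: ${cacert:-<unset>}"
        problems=$((problems + 1))
    fi

    if [ "$(cfg_get "$file" enableProxy)" = "1" ]; then
        proxy=$(cfg_get "$file" httpProxy)
        if ! is_fqdn "$(host_of "$proxy")"; then
            echo "enableProxy=1 but httpProxy has no FQDN: ${proxy:-<unset>}"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Constructed sample input (not taken from a real host): plain HTTP and a
# short host name, with a CA certificate file that does exist.
demo_dir=$(mktemp -d)
touch "$demo_dir/ca-cert.pem"
cat > "$demo_dir/up2date" <<EOF
serverURL[comment]=Remote server URL
serverURL=http://satellite/XMLRPC
sslCACert=$demo_dir/ca-cert.pem
enableProxy=0
EOF
audit_up2date "$demo_dir/up2date" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a client, pass /etc/sysconfig/rhn/up2date as the argument; the script only reads the file and does not contact the server.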

Red Hat Network creates a new host profile when a system re-registers with RHN (for example using rhn_register with the --force option). When multiple profiles exist for a specific host, its old, unused profiles should be removed to free up system and software entitlements. First, determine the current system ID of the RHN client:

[root@host ~]# grep ID /etc/sysconfig/rhn/systemid
<value><string>ID-1234567890</string></value>

Navigate to each of the system profiles for the matching hosts and note the value of the RHN Satellite System ID field for each profile. This field can be found by selecting the Overview sub-tab within the Details tab of each system profile.
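The comparison described here and under When a Client Registers Multiple Times can be scripted so that the profile in use is never picked for deletion. This is an added example, not part of the workbook or of Red Hat's tools: the function names, the hand-made profile list format and the sample data are assumptions, as is the ID being stored in a member named system_id.

```bash
#!/bin/bash
# Added example: list the duplicate RHN system profiles that are safe to
# delete, given the client's systemid file and a list of profile IDs.

# current_system_id FILE: print the numeric ID stored in a systemid file.
# Only the <string> belonging to the system_id member is considered, so an
# "ID-" string in some other member cannot be mistaken for it.
current_system_id() {
    sed -n '/<name>system_id<\/name>/,/<\/member>/ s/.*<string>ID-\([0-9][0-9]*\)<\/string>.*/\1/p' "$1" | head -n 1
}

# stale_profiles SYSTEMID_FILE PROFILE_LIST HOSTNAME
# PROFILE_LIST is an assumed hand-made file with one "system-id profile-name"
# pair per line, copied from the Details > Overview page of each profile.
# Prints the IDs of profiles named HOSTNAME other than the one in use.
# Returns 2 without printing any ID if the current ID cannot be determined.
stale_profiles() {
    local current
    current=$(current_system_id "$1")
    if [ -z "$current" ]; then
        echo "cannot determine the current system ID from $1" >&2
        return 2
    fi
    awk -v cur="$current" -v host="$3" \
        '$2 == host && $1 != cur { print $1 }' "$2"
}

# Constructed sample data (not from a real Satellite server): the client
# registered twice, so two profiles carry its host name.
demo_dir=$(mktemp -d)
cat > "$demo_dir/systemid" <<'EOF'
<?xml version="1.0"?>
<params><param><value><struct>
<member>
<name>username</name>
<value><string>normal</string></value>
</member>
<member>
<name>system_id</name>
<value><string>ID-1000010027</string></value>
</member>
</struct></value></param></params>
EOF
cat > "$demo_dir/profiles" <<'EOF'
1000010025 desktopY.example.com
1000010027 desktopY.example.com
1000010026 desktopZ.example.com
EOF
stale_profiles "$demo_dir/systemid" "$demo_dir/profiles" desktopY.example.com
rm -rf "$demo_dir"
```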


Unit Summary

Client Registration Concepts

In this section you learned:

• RHN client registration concepts

Interactive Client Registration

In this section you learned how to:

• Update RHN Client Software

• Select the Red Hat Network Servers

• Secure Communication with SSL

Registration Automation: Activation Keys

In this section you learned how to:

• Create an activation key

• Use an activation key to automate RHN registration

Registration Automation: bootstrap.sh

In this section you learned how to:

• Automate registration using bootstrap.sh

Resolving Registration Problems

In this section you learned how to:

• Resolve RHN registration issues

Chapter 6.

UNIT SIX

RED HAT NETWORK SOFTWARE MANAGEMENT

Introduction

Topics covered in this unit:

• Software channel relationships

• Custom software channels

• Loading RPMS into RHN Satellite

• Cloned software channels

• Change notifications using errata

Software Channels

Software channels are a collection of RPM packages. RPMS are the packages that are deployed on systems managed by Red Hat Network and software channels define which packages a given system has access to.

Base channels contain packages which are grouped together by a combination of Red Hat release (RHEL5 Server, RHEL5 Client, RHEL4ES) and architecture (32-bit x86, 64-bit x86). When a system registers with Red Hat Network, it is subscribed to a base channel consistent with its operating system version. Systems may only subscribe to one base channel at a time.

Extended Update Support (EUS) channels, also called z-channels, are base channels for administrators who need to stay on a specific major release of Red Hat Enterprise Linux (for example RHEL5.3 Server). The RPMS released by Red Hat to these channels are limited to critical bug fixes and security updates. These software channels are typically used where applications certified to run on specific versions of Red Hat Enterprise Linux are used.

Child channels are usually associated with a base channel and provide extra packages. For example RPMS that provide virtualization support for Red Hat Enterprise Linux 5 on 32-bit x86 machines are included in the rhel-i386-server-vt-5 channel, which is a child of the rhel-i386-server-5 base channel. Systems can subscribe to multiple child channels.

References

Red Hat Network Satellite Channel Management Guide

• Chapter 2: Introduction to RHN Channels

Custom Software Channels

Red Hat provides base and child channels for each release of Red Hat Enterprise Linux. Additional custom child channels can be associated with Red Hat's base channels. With a RHN Satellite or Proxy Server an organization can create their own custom software channels, making them child channels to Red Hat's base channels.

Custom software channels are entirely self-administered. Red Hat does not provide support for them and since the channels reside on the RHN Satellite or Proxy server they are never shared with Red Hat. Organizations have complete control over the packages provided by their custom channels. They aren't required to share their custom RPMS with anyone outside of their organization, including Red Hat.

Custom channels can be created using the Satellite Server's web interface. Users with Channel or Organization Administrator roles have the ability to create and delete custom channels.

When creating a software channel, be sure to associate this new channel with the proper base channel. Use a meaningful channel label and description so the purpose of the channel is clear: neither overly general so as to be meaningless nor overly specific so as to limit usefulness. Security settings for the new software channel need to be assigned including access level and GPG key information.

Navigate to the Create Software Channel form

• Select the Channels tab

• Choose Managing Software Channels from the navigation menu at the left

• Click on the create new channel link at the upper right

Fill out the Create Software Channel form giving special attention to:

• Parent channel and channel label

• GPG information

One of three access levels must be assigned to the custom software channel. Private access makes the software channel available only to systems within the current organization. Protected access additionally makes the channel available to other organizations which have a trusted relationship with the current one. Public access grants access to the software channel to all Red Hat Network organizations hosted by the Satellite Server.

A good security practice is to have RPMS provided by all software channels digitally signed with GPG. All of the RPMS from Red Hat are signed and in a similar manner RPMS provided by a custom channel should be signed as well. The Details tab of each custom channel has fields for GPG information which include the URL where an ASCII armored version of the public key can be found, the eight-digit hexadecimal GPG key ID, and the hexadecimal GPG fingerprint.

Once the channel is created, select the Managers tab to assign management privileges to other RHN users within the organization. Users who aren't Channel Administrators can import RPMS, add and remove packages from a channel, and change a channel's details, but they cannot create or delete channels.

Preparing RPMs for Red Hat Network

RPM packages are normally digitally signed so that users can verify that a package actually came from the preparer it claims to belong to. This helps to block forged packages from being installed if a yum repository is compromised in some way. The next few steps detail how to create your own signing key.

To create a custom channel, you must take some preliminary steps:

1. Generate a GPG key for the user account who manages RPMS and will load them into the Satellite Server.

Note

You must have a graphical session open to run gpg --gen-key. It uses a graphical box to accept your input for the passphrase.

[user@host ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection? Enter
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
 0 = key does not expire
 <n> = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for? (0) Enter
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: My Name
Email address: [email protected]
Comment: Enter
You selected this USER-ID:
 "My Name <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase

Passphrase: testing123

Please re-enter this passphrase.

Passphrase: testing123

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /home/student/.gnupg/trustdb.gpg: trustdb created
gpg: key 54AF5285 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/54AF5285 2010-12-09
 Key fingerprint = 315F E90B 1745 2288 EBAE 4E7B 4BC6 4568 54AF 5285
uid My Name <[email protected]>
sub 2048R/D08B2951 2010-12-09

2. Find the public key ID from the output of gpg --gen-key, or run gpg --fingerprint, then export the public key into an ASCII armored file.

[user@host ~]$ gpg --fingerprint
/home/user/.gnupg/pubring.gpg
--------------------------------
pub 2048R/54AF5285 2010-12-09
 Key fingerprint = 315F E90B 1745 2288 EBAE 4E7B 4BC6 4568 54AF 5285
uid My Name <[email protected]>
sub 2048R/D08B2951 2010-12-09

The public key ID is the string of eight hexadecimal characters after pub 2048R/ (54AF5285 in the example above).

[user@host ~]$ gpg --export --armor 54AF5285 > /tmp/MYORG-GPG-KEY

As root, publish the public key from the RHN Satellite web server so the RHN clients can access it.

[root@host ~]# cp /tmp/MYORG-GPG-KEY /var/www/html/pub/

3. Create or modify ~/.rpmmacros so that %_gpg_name is set to the GPG key ID of the key that was previously created. For example:

[user@host ~]$ echo '%_gpg_name 54AF5285' >> ~/.rpmmacros

4. Re-sign the packages that will be imported into the custom channel using this new GPG key.

[user@host ~]$ rpm --resign rpm_file_names.rpm

It is a best practice to use a non-root account for RPM creation and package signing.
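Steps 2 to 4 and the channel's GPG fields all have to name the same key, and an eight-digit key ID is only the tail of the full fingerprint. The shell sketch below is an added example, not part of the workbook: it parses gpg --fingerprint output in the layout shown above, checks that the key ID and the %_gpg_name entry agree with the fingerprint, and prints the three values for the channel form. The sample listing, the address in it, the duplicated %_gpg_name lines and the satellite.example.com URL are constructed; treating the last %_gpg_name line as the effective one is an assumption.

```shell
#!/bin/sh
# Constructed `gpg --fingerprint` listing in the layout shown on this page.
# Key ID and fingerprint are the page's example values; the address is made up.
SAMPLE_LISTING='pub 2048R/54AF5285 2010-12-09
 Key fingerprint = 315F E90B 1745 2288 EBAE 4E7B 4BC6 4568 54AF 5285
uid My Name <signer@example.com>
sub 2048R/D08B2951 2010-12-09'

# Constructed ~/.rpmmacros in which the "echo ... >>" step was run twice.
SAMPLE_RPMMACROS='%_signature gpg
%_gpg_name D08B2951
%_gpg_name 54AF5285'

# Key ID of the primary key: the text after "/" on the first "pub" line.
listing_key_id() {
    awk '$1 == "pub" { split($2, f, "/"); print f[2]; exit }'
}

# Full fingerprint with the spaces removed.
listing_fingerprint() {
    awk '/Key fingerprint =/ { sub(/^.*= */, ""); gsub(/ /, ""); print; exit }'
}

# %_gpg_name as taken here: the last definition in the file (assumption:
# a later macro definition shadows an earlier one).
macros_gpg_name() {
    awk '$1 == "%_gpg_name" { name = $2 } END { print name }'
}

# Succeeds when $1 is an 8-digit ID equal to the last 8 hex digits of $2.
short_id_matches() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fpr=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    prefix=${fpr%????????}
    [ "${#id}" -eq 8 ] && [ "$id" = "${fpr#"$prefix"}" ]
}

# Print the values for the channel's GPG fields, but only if the listing and
# ~/.rpmmacros describe the same key.
# $1 = key URL, $2 = gpg --fingerprint output, $3 = ~/.rpmmacros content
channel_gpg_fields() {
    kid=$(printf '%s\n' "$2" | listing_key_id)
    kfp=$(printf '%s\n' "$2" | listing_fingerprint)
    signer=$(printf '%s\n' "$3" | macros_gpg_name)
    if ! short_id_matches "$kid" "$kfp"; then
        echo "key ID $kid is not the tail of fingerprint $kfp" >&2
        return 1
    fi
    if ! short_id_matches "$signer" "$kfp"; then
        echo "%_gpg_name $signer does not name the published key $kid" >&2
        return 1
    fi
    printf 'url=%s\nkey_id=%s\nfingerprint=%s\n' "$1" "$kid" "$kfp"
}

# Demo with the constructed samples (hypothetical Satellite host name).
channel_gpg_fields 'http://satellite.example.com/pub/MYORG-GPG-KEY' \
    "$SAMPLE_LISTING" "$SAMPLE_RPMMACROS" || true
```

On a real host, feed it "$(gpg --fingerprint)" and "$(cat ~/.rpmmacros)" in place of the samples.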

References

Red Hat Network Satellite Channel Management Guide

• Chapter 4: Custom Channel and Package Management

Practice Exercise

Custom Software Channel Administration

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Create Linux and RHN Satellite accounts for the responsible person who is in charge of managing custom channel content. Create a GPG key for signing trusted third-party packages. Once the pieces are in place, create a custom software channel for Example, Inc. third-party software packages.

1. Create Linux and RHN Satellite accounts on desktopX.example.com for Charles Channelman, the person responsible for managing software channels on the Satellite Server. The login/user name for his accounts should be channelman with passwords of redhat. His Red Hat Network account on the Satellite Server should permit him to manage software channels and the systems in the example servers system group.

2. Log into a shell account on desktopX as channelman and create a GPG key. The key should be a 2048-bit RSA key used for signing packages only. It shouldn't expire and should be protected with a passphrase of redhat. The owner of the key should be “Charles Channelman <[email protected]>”.

Export an ASCII-armored version of the public key and copy it to /var/www/html/pub/EXAMPLE-GPG-KEY.

What is the GPG key id and fingerprint of the key you just created?

3. Create a custom child software channel named “Example custom” with a label of example-custom and configure it to advertise Charles Channelman's GPG key for verifying package signatures. It should be a child channel of the Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64) base software channel.

Loading RPMS into RHN Satellite

The satellite-sync and rhnpush commands import RPMS into a Red Hat Network Satellite Server. satellite-sync loads multiple RPMS, SRPMS, channel metadata, and kickstart trees into the server. This command is typically used with Red Hat content. The rhnpush command is used to import individual RPMS and SRPMS. This command is used with custom packages/third-party software.

Both of these tools are used from the command-line so shell access is required. The Red Hat Network web interface does not provide a way to import software into a Satellite Server or RHN Proxy.

Using satellite-sync

Software channel content can be transferred and loaded from Red Hat's servers via the Internet. This is the default behavior of the satellite-sync utility. Without special options, it interacts with the local Satellite Server and Red Hat's hosted RHN servers to try to keep the local Satellite server in sync.

Channel content ISOs can be downloaded from Red Hat Network. Each ISO in a set is mounted and its contents are copied into a temporary directory. satellite-sync is used with the -m option to load the extracted content into the Satellite Server. The content is deleted from the temporary directory as it is imported into the Satellite Server.

Using the above two methods to import channel content into a RHN Satellite Server was discussed in more detail earlier in this course in the Installation unit. A third method to get channel content is from a channel dump created from another Satellite Server using the rhn-satellite-exporter command. Creating channel dumps will be covered later in this course, but importing channel dump content into a RHN Satellite Server is the same as importing content extracted from ISOs: the satellite-sync command is used with the -m option to point to the channel dump content. This is what you did earlier in the course when you installed your Satellite Server and imported channel content.

The satellite-sync command is used from the command line on the Satellite Server. It doesn't require Red Hat Network authentication, but it does require root access on the Satellite Server to work.

Warning

satellite-sync removes packages from the channel content it is importing to help conserve disk space. If the channel content will be reused for other Satellite servers or will be kept as a backup, then the media it is stored on should be mounted read-only.

Other useful options to satellite-sync include -l which lists the available channels, and -c channel-to-sync which specifies the channel name to sync.

Using rhnpush

The rhnpush command is used to import individual binary and source RPMS into a Satellite Server. It is a command-line utility that doesn't require root privileges and it doesn't have to be executed from the RHN Satellite Server. The rhnpush RPM provides this utility and can be installed on any system that is subscribed to the Red Hat Network Tools software channel.

When a channel is specified, the RPM is imported into that channel and its corresponding organization. An RPM can be imported into multiple channels when multiple -c options are specified. When the channel is omitted, the RPM is loaded into the No Channels section of the organization specified with the -o option.

The default configuration file for rhnpush is located at /etc/sysconfig/rhn/rhnpushrc. It can be copied to ~/.rhnpushrc and modified with preferred settings for a particular user/RPM administrator. Command-line options override any of the values specified in these files. The following are a couple useful directives:

server = https://satellite.fqdn/APP
username = RHN-login

The rhnpush command imports RPM content into RHN Satellite Servers. There is another tool that imports content into RHN Proxy Servers, but that utility will be introduced in a later unit.

Option                           Function
--server=https://hostname/APP    push packages into the RHN Satellite server specified
-l                               list the specified channels
-c channel-label                 channel to list or import packages into
-o org-ID                        associate a package with an organization (when -c is not specified)
--source                         indicates the package being pushed is a source RPM

Table 6.1. Useful rhnpush Options

To use the rhnpush command, you must authenticate as one of the following:

• System Group User with channel management privileges

• Channel Administrator

• Satellite or Organization Administrator
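Before a package is handed to rhnpush it is worth confirming that it is signed by the key the channel advertises, not merely that it is signed. The shell sketch below is an added example, not part of the workbook: it classifies rpm -Kv output for one package and prints the rhnpush command only when every signature line is OK and carries the expected key ID. The sample outputs are constructed, the "Signature, key ID <id>: <STATUS>" layout is an assumption about the rpm shipped with Red Hat Enterprise Linux 6, and 0a1b2c3d is a made-up foreign key ID.

```shell
#!/bin/sh
# Constructed `rpm -Kv` outputs, one per package state (digest values elided).
SIGNED_OK='example-1.0-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 54af5285: OK
    Header SHA1 digest: OK (constructed)
    V3 RSA/SHA256 Signature, key ID 54af5285: OK
    MD5 digest: OK (constructed)'
KEY_NOT_IMPORTED='example-1.0-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 54af5285: NOKEY
    Header SHA1 digest: OK (constructed)
    V3 RSA/SHA256 Signature, key ID 54af5285: NOKEY
    MD5 digest: OK (constructed)'
FOREIGN_KEY='example-1.0-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header SHA1 digest: OK (constructed)
    V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    MD5 digest: OK (constructed)'
UNSIGNED='example-1.0-1.noarch.rpm:
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)'

# Classify one package. $1 = expected 8-digit key ID, stdin = `rpm -Kv` output.
# Prints: ok | unsigned | wrong-key | unverified
signature_verdict() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$expected" '
        / Signature, key ID / {
            seen = 1
            # The line ends in "key ID <id>: <STATUS>"
            n = split($0, part, "key ID ")
            split(part[n], kv, ": ")
            if (tolower(kv[1]) != want) wrong = 1
            else if (kv[2] != "OK")     bad = 1
        }
        END {
            if (!seen)      print "unsigned"
            else if (wrong) print "wrong-key"
            else if (bad)   print "unverified"   # e.g. NOKEY: key not imported
            else            print "ok"
        }'
}

# Dry-run gate: print the rhnpush command for a package that passes, refuse
# the rest. $1 = expected key ID, $2 = channel label, $3 = package file,
# stdin = `rpm -Kv` output for that file.
gate_package() {
    verdict=$(signature_verdict "$1")
    if [ "$verdict" = ok ]; then
        printf 'rhnpush -c %s %s\n' "$2" "$3"
        return 0
    fi
    printf 'refusing %s: %s\n' "$3" "$verdict" >&2
    return 1
}

# Demo over the constructed samples. Real use would be:
#   rpm -Kv "$pkg" | gate_package 54AF5285 example-custom "$pkg"
for sample in "$SIGNED_OK" "$KEY_NOT_IMPORTED" "$FOREIGN_KEY" "$UNSIGNED"; do
    printf '%s\n' "$sample" |
        gate_package 54AF5285 example-custom example-1.0-1.noarch.rpm || true
done
```

rpm can only report OK for a key that has been imported into the RPM database with rpm --import, so an "unverified" result on the signing host usually means the public key is missing there.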

References

Red Hat Network Satellite Deployment Guide

• Section 2.5: RPM Building

Red Hat Network Satellite Channel Management Guide

• Chapter 3: Building Custom Packages

• Section 6.2: Uploading Packages to RHN Satellite Server

rhnpush(8) and satellite-sync(8) man pages

Practice Exercise

Loading Red Hat Content into RHN Satellite

Carefully perform the following steps. Ask your instructor if you have problems or questions.

All Red Hat base software channels have a child channel called “Red Hat Network Tools.” This channel provides useful packages for machines that are clients of a RHN Satellite Server.

• Log in as root on desktopX. In root's home directory you will find a subdirectory called sat-rhel6-content. Examine its contents and import the channel that provides the “Red Hat Network Tools” which pertain to the base channel content you already loaded in your Satellite Server.

Practice Performance Checklist

Loading Third-party Content into RHN Satellite

As channelman, take a third-party RPM provided by the instructor, sign it, and import it into the RHN Satellite Server and associate it with the example-custom software channel.

Log in as Charles Channelman, channelman, on desktopX.example.com.

Copy the example-1.0-1.noarch.rpm RPM from /misc/instructor/RPMS to Charles' home directory, and sign it with his GPG key.

Import the RPM into the Satellite Server so it is associated with the example-custom software channel.

Using a Custom Channel

Once created and populated, the channel can then be associated with particular systems. Subscribe client systems to the channel. The yum list available command can be used to confirm the client is subscribed to the custom channel. For example, the following command will confirm whether a client is subscribed to a custom channel with a channel label of example-extras:

[root@host ~]# yum list available | grep example-extras

Once the channel subscription is verified, use yum to install packages on particular systems or schedule the installation of the software using the Satellite Server's web interface.

Log into RHN Satellite Server web interface as

• System Group User who can manage the target system, or

• Organization Administrator

Navigate to the Alter Channel Subscriptions link

• Select the Systems tab

• Choose the Systems link in the navigation bar to the left

• Select the target host's link by its profile name

• Click the Alter Channel Subscriptions link

• Check desired channels, click Change Subscriptions

Use yum to list available software from this channel

References

Red Hat Network Satellite Channel Management Guide

• Section 2.2: Subscribing to Channels

Practice Performance Checklist

Subscribing to a Custom Channel

Associate your client system, desktopY.example.com, with your custom software channel and install the example RPM on the client host.

Subscribe your client system to the example-custom custom software channel.

Import the GPG key used to sign the packages provided by the custom channel into the RPM database on the client system. Install the example RPM on the client machine using the yum command.

Software Management Using Cloned Channels

Cloning Channels

Cloning software channels is another way to create custom software channels. Typically, cloning is used to create a custom software channel populated with packages from Red Hat rather than third party software or custom RPMS.

Cloned channels can be customized to fit the administrator's needs. For example, unneeded RPMS can be deleted from the list of available packages. Note this only affects the clone, not the original channel from Red Hat. If a mistake is made, RPMS can easily be added back to the clone. Also specific versions of packages can be merged into a cloned channel. In other words, both the width and the depth of a cloned channel can be customized with respect to the packages that are offered.

Cloned channels do not provide kickstart installation trees. Installations can use standard Red Hat channels for builds then subscribe to cloned channels for more controlled RPM releases.

Cloning provides complete control over release of packages. Updates from Red Hat can be merged back by Channel Admins. Although this requires more work to set up initially, you have complete control over package releases.

Software Management Life Cycle

The primary goal of the software management life cycle is to control which packages and updates are available for installation on the client systems. Cloned software channels allow system administrators to publish a subset of packages originally from a Red Hat channel. Also errata can be cloned and published after they have been thoroughly tested.

One possible use of cloned channels involves three types of systems: development, QA, and production. Development machines use packages directly from Red Hat. Programmers and prototype systems have the latest and greatest releases of packages available to them. Once a solution has been built, specific versions of RPMS can be merged with the QA channels for testing purposes and software validation. Once QA verifies the soundness of the updates, they are merged into the production channels.

A variation on the above scheme uses a cloned channel for development purposes instead of using pristine Red Hat channels. This provides an additional level of control over software deployed to development machines.

Software channel cloning controls which packages are made available to the client systems, but how the packages are deployed is another consideration. RHN client machines can be configured to automatically install errata so there is no manual effort required to propagate updates. This could be accomplished by periodically invoking yum -y update from a cron job. Other Red Hat Network users prefer to install available errata manually during a scheduled downtime.

Creating a Cloned Channel

To clone a software channel, log into RHN Satellite Server web interface as a Channel Administrator or an Organization Administrator. Select the Channels tab, Manage Software Channels from the menu at the left, then click the clone channel link. Use the pull-down menu to choose the original channel to clone from then pick which errata to include. A channel can be cloned from its original state, its current state, or specific errata can be selected to be included in the clone. Once the basis for the clone has been determined, the remaining screens are similar to those that appear when a custom software channel is created - a channel name and summary are chosen and user and organization access are assigned.

Cloning a base software channel does not clone its child channels automatically. Each of the software channels in a related family of channels must be cloned individually.

Updating a Custom Channel RPM

Packages that belong to custom channels will eventually need to be updated. Build the updated RPM in the usual way, being sure to increment the version or release. Then use rhnpush to import the new package into the Satellite Server. The Satellite Server will recognize it as a more recent version of the package and will automatically make it available to systems subscribed to the software channel which contains the update. If the custom channel has been cloned, the update will not propagate automatically - it must be merged with the cloned channels.

Once the new package is ready for distribution, an errata notification can be published to send an e-mail making system administrators aware of the update. This step isn't required, but it is a best practice to group related packages that fix a related problem together with an errata.

References

Red Hat Network Satellite Channel Management Guide

• Section 4.7: Cloning Software Channels

Practice Performance Checklist

Managing Updates with Cloned Channels

Create clones of standard Red Hat channels and custom channels to control how software updates are rolled out to client systems.

Create clones of standard Red Hat software channels (both base and child channels) and the custom software channel in your Satellite Server. These channels will be “Production” versions of their original counterparts so assign them labels identical to the original channels with a “prod-” prefix. Use the default values provided for the access controls of the cloned channels.

Change the subscriptions of your client machine, desktopY, so it subscribes to the new cloned channels. Include “production” versions of the base channel and the Example custom child channel.

Remove, then reinstall, the example RPM and confirm it comes from one of the cloned channels just created.

Managing Software Updates

All errata management is handled by Organization Administrators and/or Channel Administrators since it is a software management function. Selecting the Errata tab will bring up a menu to the left that includes Manage Errata and Clone Errata links. This is where errata management occurs.

When creating an erratum, an advisory field needs to be specified. Note that customer generated advisories cannot begin with the letters RH. These are reserved for Red Hat generated advisories. Cloned errata derive their advisory names from the original and replace the RH* prefix with CLA, which stands for CLoned Advisory. Also the severity of the erratum needs to be selected, whether for a software enhancement, a bug fix, or a security related issue.

Once an erratum is created and packages are assigned to it, the final step is to publish the erratum. Optionally an e-mail notification can be sent to the administrators of relevant systems. It usually takes a few minutes for published errata to become available to client systems. This delay allows for all pieces of each erratum to be in place before client systems try to access them.

Errata can be cloned, but it is restricted to channels cloned from the channel of the original errata.

Best practice: Always clone errata instead of the updated RPMS individually. This approach to cloning updates preserves errata data.

References

Red Hat Network Satellite Channel Management Guide

• Chapter 5: Custom Errata Management

Practice Exercise

Update Notifications with RHN Errata

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Sign and import a newer (fixed) RPM into the Satellite Server. Create an errata to notify client system administrators that a fix has been published. Observe its impact on the client systems.

1. Log in as Charles Channelman, channelman, on desktopX.example.com. Copy the improved RPM, example-1.0-2.noarch.rpm, from /misc/instructor/RPMS to Charles' home directory and sign it with his GPG key. Import the new RPM into the Satellite Server so it is associated with the example-custom software channel.

2. Create and publish an errata notification that announces the availability of the example-1.0-2.noarch.rpm package. The errata synopsis should read, “example - file ownerships fixed”. Advisory EXBA2010:0001 release 1 is a bug fix advisory.

3. Browse the Satellite Server's web UI and verify that the Errata is published. Notice that the client system is not impacted because we changed its software channel subscriptions to the Production channels.

4. Clone the errata and make it available to the prod-example-custom channel. Log into the client system, desktopY, as root and confirm the new RPM is available for installation. Note: The update may take up to 10 minutes to become available for installation because the default yum settings cause metadata to expire after 10 minutes. Use yum clean all to clear the caches and verify you can view the update.

Unit Summary

Software Channels

In this section you learned how to:

• Describe the base/child relationship between software channels

Custom Software Channels

In this section you learned how to:

• Create and manage custom software channels

Loading RPMS into RHN Satellite

In this section you learned how to:

• Use satellite-sync to import Red Hat channel content

• Use rhnpush to import custom channel content

Using a Custom Channel

In this section you learned how to:

• Subscribe a client to a custom software channel

Software Management Using Cloned Channels

In this section you learned how to:

• Create and manage cloned software channels

Managing Software Updates

In this section you learned how to:

• Create, clone, and manage errata

Chapter 7.

UNIT SEVEN

BUILDING RPMS

Introduction

Topics covered in this unit:

• rpm-build package

• ~/rpmbuild directory structure

• Syntax of SPEC file

• rpmbuild command

RPM Package Design/Architecture

Managing software in the form of RPM packages is much simpler than working with software which has simply been extracted into a file system from an archive. It lets you track which files were installed by the software package, which ones need to be removed if it is uninstalled, and check to ensure supporting packages are present when it is installed. Therefore, it is useful to know how to create RPM packages for your own software. For the remainder of this unit, we will look at how to create a basic RPM package and point you to resources which will help you learn how to create more complex packages as your skills grow.

Design and Structure of an RPM

Each RPM package is made up of three basic components:

• metadata - Data about the package: the package name, version, release, builder, date, dependencies, etc.

• files - archive of files provided by the package (including file attributes)

• scripts - these execute when the package is installed, updated, and/or removed

When building an RPM package, the metadata about the package needs to be specified, the files in the archive need to be provided, and the scripts that should be run when the package is installed or uninstalled need to be embedded.

Note

Internally, files are stored as a cpio archive inside the package file. The rpm2cpio command can be used to extract them to the current working directory without installing the package:

rpm2cpio package-1.2.3-4.el6.x86_64.rpm | cpio -id

The Midnight Commander (mc) text tool or the Archive Manager (file-roller) GUI tool can be used to browse through an RPM package.

The following rpm queries are useful for investigating the structure of an RPM package:

• rpm -qd - list documentation files (%doc)

• rpm -qc - list configuration files (%config)

• rpm -q --scripts - list %pre, %post, %preun, and %postun scripts

To construct an RPM package, you will need a build specification file or spec file. A spec file is simply a text file that contains information on how to build the installable RPM package. You can think of it as being roughly divided into five parts:

• The introduction or preamble, listing metadata about the package (name, version, license, etc.)

• The build instructions, which specify how to compile and prepare the software

• The scriptlets, which specify commands to run on install, uninstall, or upgrade

• The manifest, a list of files to package and their permissions on package installation

• The changelog, which tracks changes made to this RPM package

References

Red Hat Enterprise Linux Deployment Guide, Section 3.2.6: Querying RPM

rpm(8), rpm2cpio(8), and cpio(1) man pages

Spec File Directives and Sections

Important Preamble Directives

• Name - The name of the package, usually chosen by the developers. For detailed guidance, look at the Fedora Naming Guidelines, at http://fedoraproject.org/wiki/Packaging:NamingGuidelines

• Version - The version of the package (usually numeric), usually chosen by the developers.

• Release - The release of the package, chosen by the packager. This should increase each time you release a new package for distribution if you still use the same Version of the software.

• Group - The group to which the package belongs. See /usr/share/doc/rpm-*/GROUPS for the default set of groups, or use one of your own. This field is semi-obsolete and is not related to yum package groups.

• URL - The web page of the open source software

• License - The “Short License identifier” of the license used for the software. Detailed guidance on how to set this in a standard way can be found at http://fedoraproject.org/wiki/Packaging/LicensingGuidelines

• Summary - A short one-line description of the software. (Keep to about 50 characters or less.)

• Source - The file to be used as the source code. If more than one file is used as source, add a number. E.g., Source0, Source1, Source2, etc.

• BuildArch - The architecture to use when building the package. Defaults to the system architecture. A common argument is noarch, which means that the package is architecture independent (often these packages consist of scripts or data files).

• Requires - A list of explicit requirements this package depends on. This could be a list of files or other packages. rpmbuild can generally autodetect most library dependencies, but there are some cases where you may need to list an explicit dependency. See http://fedoraproject.org/wiki/Packaging/Guidelines#Requires for additional guidance on Requires.

• BuildRequires - A list of requirements that are needed to build this package. This is a list with similar syntax to that of Requires, for example BuildRequires: /usr/bin/gcc, gimp-libs >= 2.6.11. See the link in Requires above for information on how to tell if you need missing BuildRequires.

Spec File Sections

• %description section - A long description of the software. No line should be more than 80 characters long, but you may have multiple lines.

• %prep section - Uncompress and unarchive files in the BUILD directory. Prepare for the build phase.

• %build section - Build the software (optional). Compile the software if needed.

• %install section - Install the files in the correct location. The make command usuallyuses the DESTDIR=$RPM_BUILD_ROOT. If you copy or install files, the destination isusually prepended with $RPM_BUILD_ROOT so the software will be placed in the chroot'edenvironment in preparation for packaging.

• %clean section - Post build cleanup. This section usually includes: rm -rf$RPM_BUILD_ROOT to clean the chroot environment.

• %files section - All files should be included here. You may mark files as %config or %docwhich are presented with rpm -qc and rpm -qd, respectively.

• %changelog section - A log of changes made to the software. Include the bug trackingnumbers if used. This information can be displayed with rpm -q --changelog.

References

Fedora RPM Guide - http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/

Fedora Packaging Guidelines - http://fedoraproject.org/wiki/Packaging:Guidelines


Practice Quiz

RPM Spec File

1. The package ________ is usually derived from the open source project while the package ________ is the packager's version.

2. The name of the tarball containing the files used to build the package is specified with the ________ directive.

3. The ________ directive specifies the target architecture the package is being built for. ________ will be its value when the package can be installed on any architecture.

4. The ________ directive specifies the one-line description of a package while the ________ section provides a more thorough explanation of what that package is for.

5. The ________ section contains the code used to place files in the chroot directory structure.

6. The ________ section defines which files and directories to package into the RPM.

7. The ________, ________, and ________ sections contain shell code used to assemble a package and clean up after it has been built.


Creating a Spec File

On Red Hat Enterprise Linux 6, vim has a macro that helps to create a specification file. Simply pass a file name that ends in .spec:

[user@host ~]$ vim sample.spec

The Red Hat Enterprise Linux 6 version of vim will use the spec template to provide some common entries for RPM building.

Note

When an RPM package is built, a source RPM (SRPM) package is also created, with an architecture of src. Another way to get a spec file is to install a source package by running rpm -ivh package-1.2.3-4.src.rpm as a non-root user. The spec file for the package will be in ~/rpmbuild/SPECS.

Example Spec File

An annotated example of a spec file follows.

%define debug_package %{nil}
%define product_family Red Hat Enterprise Linux
%define release_name Santiago
%define base_release_version 6
%define full_release_version 6.0
%define beta Beta

Name: redhat-release
Version: %{base_release_version}
Release: 6.0.0.24%{?dist}
Summary: %{product_family} release file
Group: System Environment/Base
License: GPLv2
Obsoletes: rawhide-release redhat-release-as redhat-release-es redhat-release-ws
Source0: redhat-release-6-4.tar.gz

%description
%{product_family} release files

%prep
%setup -q

%build
echo OK

%install
rm -rf $RPM_BUILD_ROOT

# create /etc
mkdir -p $RPM_BUILD_ROOT/etc

# create /etc/system-release and /etc/redhat-release
echo "%{product_family} release %{full_release_version}%{?beta: %{beta}} (%{release_name})" > $RPM_BUILD_ROOT/etc/redhat-release
ln -s redhat-release $RPM_BUILD_ROOT/etc/system-release

# write cpe to /etc/system-release-cpe
echo "cpe:/o:redhat:enterprise_linux:%{version}:%{?beta:%{beta}}%{!?beta:GA}" > $RPM_BUILD_ROOT/etc/system-release-cpe

# create /etc/issue and /etc/issue.net
cp $RPM_BUILD_ROOT/etc/redhat-release $RPM_BUILD_ROOT/etc/issue
echo "Kernel \r on an \m" >> $RPM_BUILD_ROOT/etc/issue
cp $RPM_BUILD_ROOT/etc/issue $RPM_BUILD_ROOT/etc/issue.net
echo >> $RPM_BUILD_ROOT/etc/issue

# copy yum repos to /etc/yum.repos.d
mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
for file in *.repo; do
    install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d
done

# copy GPG keys
mkdir -p -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg
for file in RPM-GPG-KEY* ; do
    install -m 644 $file $RPM_BUILD_ROOT/etc/pki/rpm-gpg
done

# set up the dist tag macros
install -d -m 755 $RPM_BUILD_ROOT/etc/rpm
cat >> $RPM_BUILD_ROOT/etc/rpm/macros.dist << EOF
# dist macros.

%%rhel %{base_release_version}
%%dist .el%{base_release_version}
%%el%{base_release_version} 1
EOF

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%doc EULA GPL autorun-template
%attr(0644,root,root) /etc/redhat-release
/etc/system-release
%config %attr(0644,root,root) /etc/system-release-cpe
%config(noreplace) %attr(0644,root,root) /etc/issue
%config(noreplace) %attr(0644,root,root) /etc/issue.net
%config %attr(0644,root,root) /etc/yum.repos.d/*
%dir /etc/pki/rpm-gpg
/etc/pki/rpm-gpg/*
/etc/rpm/macros.dist

%changelog
* Mon Mar 29 2010 Dennis Gregorovic <[email protected]> - 6-6.0.0.24
- Add beta debuginfo repos
- Resolves: rhbz#572308


• %define - Macros (like variables) that can be used in the spec file.

• Name - The name of the package.

• Version - The version of the package. Notice it uses the %{base_release_version} macro defined above.

• Release - The release of the package.

• Summary - A short summary.

• Obsoletes - A list of package names that this package makes obsolete. If you had one of these packages installed on your machine, an update of this package would remove that package.

• Source0 - A source file.

• %description - A long description.

• The %prep section. Unfortunately, the RPM spec file uses % for sections as well as macros. %prep is a section, %setup is a macro.

• The %build section.

• The %install section. $RPM_BUILD_ROOT is a variable that expands to the “build root”. Files are copied from the build directory to $RPM_BUILD_ROOT, as if $RPM_BUILD_ROOT was / on the file system the software will be installed in. Then the contents of $RPM_BUILD_ROOT listed in %files will be packaged into the final RPM file. You must create all necessary directories in $RPM_BUILD_ROOT before copying files to that location. Source files can be referenced using a relative path from the top-level %{name}-%{version} source directory. For example, if you wanted to have a file placed in /root/bin/ (found in the %{name}-%{version}/bin directory), you would need to do something like the following:

mkdir -p $RPM_BUILD_ROOT/root/bin
cp bin/my-script $RPM_BUILD_ROOT/root/bin

• The %clean section. Normally clean only has the rm command above.

• %files - The list of files to be included in this package. Note that %defattr sets the default permissions the files will have; %attr can override that on a file-by-file basis. %config and %doc mark configuration files and documentation respectively. %dir marks a directory owned by the package. See http://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership and http://fedoraproject.org/wiki/Packaging:Guidelines#Configuration_files for more information.

• The %changelog section is for the packager to list items that changed in this release. Newest entries to the changelog go at the start of the section. Each entry has the format seen in the example and entries are separated by a blank line.

The example above does not use any scriptlets. For more information on scriptlets, see the draft Fedora RPM Guide referenced below.


References

Fedora RPM Guide - http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/

Fedora Packaging Guidelines - http://fedoraproject.org/wiki/Packaging:Guidelines


Software Build Process

The five steps for building an RPM package:

1. Tarball

Get the tar file containing the source. By default rpmbuild assumes the top-level directory of the archive is named %{name}-%{version}. Place this file in the ~/rpmbuild/SOURCES/ directory.

2. Spec file

Create a spec file and populate the required fields. Place this file in the ~/rpmbuild/SPECS/ directory.

3. rpmbuild

Use the rpmbuild command to build the package(s). For example,

[user@host BUILD]$ rpmbuild -ba ../SPECS/demo.spec

4. Sign

Use a GPG key to sign the RPM package. After you build the package, use rpm --resign demo-1.0-1.x86_64.rpm to add (or change) a GPG signature.

5. Test

Test the package by installing it on a development system to ensure the correct payload, scripts, etc.

Example RPM Package Build

The following shows an example of building an RPM package. The name of the package is test, version is 1.0 and release is 1. It will provide a single file, /usr/local/bin/myscript, which simply runs the date command.

First, create a non-root user called student on your RHEL 6 workstation, desktopY. You will use this account to safely build your RPM packages.

[root@desktopY ~]# useradd student
[root@desktopY ~]# passwd student

Log in as student and create the source directory, file and tarball:

[student@desktopY ~]$ mkdir test-1.0
[student@desktopY ~]$ cat << EOF > test-1.0/myscript
#!/bin/bash
date
EOF
[student@desktopY ~]$ tar czvf test-1.0.tar.gz test-1.0

Create a spec file using vim in your home directory:


[student@desktopY ~]$ vim test.spec

Note

In Red Hat Enterprise Linux 6, vim will automatically create a template spec file when you open a new file with a name that ends in .spec.

Fill in the fields as follows.

Name: test
Version: 1.0
Release: 1%{?dist}
Summary: A test package

Group: Testing
License: GPL
URL: http://www.example.com/testing

Source0: %{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

BuildArch: noarch

BuildRequires: /bin/rm, /bin/mkdir, /bin/cp
Requires: /bin/bash, /bin/date

%description
A testing package meant to deploy a single file.

%prep
%setup -q

%build
#configure
#make %{?_smp_mflags}

%install
rm -rf $RPM_BUILD_ROOT
#make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/local/bin
cp myscript $RPM_BUILD_ROOT/usr/local/bin

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
#%doc
%attr(0755,root,root) /usr/local/bin/myscript

%changelog
* Thu Dec 09 2010 Forrest <[email protected]> 1.0-1
- Initial RPM
- Added /usr/local/bin/myscript

• The %{name} and %{version} macros are defined from the Name: and Version: lines above. Alternately, you could have used test-1.0.tar.gz.

• Since the RPM contains only a shell script which will work on all architectures, specify the BuildArch as noarch.

• rm, mkdir and cp all come from the coreutils package, so you could have specified that package instead of the commands. These are the commands that are used in the %install section.

• There are some macros that run even if they are commented, and %configure is one of them. If you comment %configure like: #%configure, it will complain about not finding ./configure. Remove the %configure line entirely or remove the % from configure.

• The %attr was added to force the permission to 0755. Notice that the %defattr has a - in the permissions place. This means that the files will get the same permissions that they have inside the tarball. An alternate means to produce the same result would be to run chmod 755 test-1.0/myscript and rebuild the tarball.

Install the rpm-build package as root:

[root@desktopY ~]# yum install -y rpm-build

Run rpmbuild as student. The first time you run it, you will get an error. You will fix the error shortly. Running the rpmbuild command will create the directory structure needed to build the RPM package.

[student@desktopY ~]$ rpmbuild test.spec
error: File /home/student/rpmbuild/SOURCES/test-1.0.tar.gz: No such file or directory

Note

In Red Hat Enterprise Linux 6, running rpmbuild against a spec file automatically creates your ~/rpmbuild build environment.

Warning

You should always run rpmbuild to build packages as a non-root user. Do not build packages as root. The reason for this is that mistakes in the spec file, especially in the %install and %clean sections, are more likely to damage your build machine's installation if run as root.

Copy the files to the correct location:

[student@desktopY ~]$ cp test-1.0.tar.gz rpmbuild/SOURCES/
[student@desktopY ~]$ cp test.spec rpmbuild/SPECS/
[student@desktopY ~]$ cd rpmbuild/SPECS/


Build and sign the package:

[student@desktopY ~]$ rpmbuild -ba test.spec
[student@desktopY ~]$ rpm --resign ~/rpmbuild/RPMS/x86_64/test-1.0-1.el6.x86_64.rpm
Enter pass phrase: testing123
Pass phrase is good.
...

Look for errors in the output of rpmbuild and fix any issues you find. If there are no errors, you should find:

...
Wrote: /home/student/rpmbuild/SRPMS/test-1.0-1.el6.src.rpm
Wrote: /home/student/rpmbuild/RPMS/x86_64/test-1.0-1.el6.x86_64.rpm
...

Test the package by installing the key, installing the package and running the command:

[root@desktopY ~]# rpm --import /home/student/RPM-GPG-KEY-student
[root@desktopY ~]# cd /home/student/rpmbuild/RPMS/x86_64
[root@desktopY ~]# yum localinstall test-1.0-1.el6.x86_64.rpm
[student@desktopY ~]$ /usr/local/bin/myscript
Thu Dec 09 10:21:53 EST 2010

Note

When reviewing a completed package for release, you may find the formal Fedora Package Review Guidelines (in the References below) to be useful.
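The Warning in this section names %install and %clean as the sections where a spec-file mistake can damage the build host. As an added example (not part of the workbook), this Python lint flags commands in those sections whose target lies outside $RPM_BUILD_ROOT, including a misspelt variable that would expand to nothing. The function names and both sample specs are constructed for illustration.

```python
import shlex

# Spellings of the build root that rpmbuild points at the staging directory.
BUILDROOT = ("$RPM_BUILD_ROOT", "${RPM_BUILD_ROOT}", "%{buildroot}")
SECTIONS = ("%description", "%prep", "%build", "%install", "%clean",
            "%files", "%changelog")
ALL_OPERANDS = {"rm", "rmdir", "mkdir"}        # every operand is a target
LAST_OPERAND = {"cp", "mv", "ln", "install"}   # only the last operand is


def split_sections(spec_text):
    """Map each section name to [(line_number, text)]; '' is the preamble."""
    sections, current = {"": []}, ""
    for number, line in enumerate(spec_text.splitlines(), 1):
        words = line.split()
        if words and words[0] in SECTIONS:
            current = words[0]
            sections.setdefault(current, [])
        else:
            sections[current].append((number, line))
    return sections


def escapes_buildroot(path):
    """True if the path would land on the build host, not in the build root."""
    for prefix in BUILDROOT:
        if path == prefix or path.startswith(prefix + "/"):
            return False
    # Absolute paths, and paths led by another variable or macro: a misspelt
    # $RPM_BUILD_ROOT expands to nothing, turning "$TYPO/usr" into "/usr".
    return path.startswith(("/", "$", "%{"))


def lint_spec(spec_text):
    """Return (line_number, section, command) for risky %install/%clean lines."""
    findings = []
    sections = split_sections(spec_text)
    for name in ("%install", "%clean"):
        for number, line in sections.get(name, []):
            try:
                argv = shlex.split(line, comments=True)
            except ValueError:          # unbalanced quotes: not a simple command
                continue
            if not argv or argv[0] not in ALL_OPERANDS | LAST_OPERAND:
                continue
            operands = [a for a in argv[1:] if not a.startswith("-")]
            if argv[0] in LAST_OPERAND:
                operands = operands[-1:]
            if any(escapes_buildroot(p) for p in operands):
                findings.append((number, name, line.strip()))
    return findings


# Constructed sample: the %install and %clean sections of the test package.
GOOD_SPEC = """\
Name: test
Version: 1.0
%install
rm -rf $RPM_BUILD_ROOT
#make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/local/bin
cp myscript $RPM_BUILD_ROOT/usr/local/bin
%clean
rm -rf $RPM_BUILD_ROOT
"""

# Constructed sample with a misspelt variable and a missing build-root prefix.
BAD_SPEC = """\
Name: test
Version: 1.0
%install
rm -rf $RPM_BUILD_ROT/usr
mkdir -p $RPM_BUILD_ROOT/usr/local/bin
cp myscript /usr/local/bin
%clean
rm -rf $RPM_BUILD_ROT
"""

if __name__ == "__main__":
    for number, section, command in lint_spec(BAD_SPEC):
        print("line %d (%s): %s" % (number, section, command))
```

The lint only inspects simple one-command lines; shell redirections and commands chained on one line are not analysed.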

References

Fedora RPM Guide - http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/

Fedora Packaging Guidelines - http://fedoraproject.org/wiki/Packaging:Guidelines

Fedora Package Review Guidelines - http://fedoraproject.org/wiki/Packaging:ReviewGuidelines

rpmbuild(8) man page


Test

Criterion Test

Performance Checklist

Building an RPM Package

Before you begin...

If you haven't already done so, create a non-root user called student on your RHEL 6 workstation, desktopY. You will use this unprivileged account to build your RPM packages for RHEL 6 systems.

In this exercise you will create an RPM for a package called “hello”. It should have version 1.0 with a release of 1 and it should be able to be installed on multiple architectures.

Log in as root on desktopY and create a student account with a password of student.

Log in as student on desktopY and make a directory called hello-1.0. Download the file ftp://instructor.example.com/pub/materials/hello.sh and save it in that directory.

Create a simple RPM that installs hello.sh in /usr/local/bin. Make sure hello.sh is installed with a mode of 755 and is owned by root on machines it is installed on. Also make sure the RPM can be installed on all architectures.

Copy the binary and source RPMs to channelman's account on desktopX so he can sign the package and publish it via the Satellite server.

Log into desktopX as channelman and sign the hello binary and source RPMs. Import both packages into the example-custom channel on your Satellite server.


Unit Summary

RPM Package Design/Architecture

In this section you learned how to:

• Use rpm to explore the structure of a package file

Spec File Directives and Sections

In this section you learned how to:

• Include preamble directives in an RPM software package

Creating a Spec File

In this section you learned how to:

• Include preamble directives in an RPM software package

Software Build Process

In this section you learned how to:

• Use rpmbuild to build a new RPM package file

Chapter 8.

UNIT EIGHT

CONFIGURATION FILE MANAGEMENT WITH RHN

Introduction

Topics covered in this unit:

• Red Hat Network configuration channel vs. software channel

• Managing and populating configuration channels

• Configure client systems for RHN configuration provisioning

• rhncfg-client

• rhncfg-manager

• RHN configuration file macros


Configuration Channel Management

Red Hat Network Configuration Channels provide an easy way to deploy configuration files in an enterprise environment. They were primarily designed to deliver text files to client systems, but they also handle binary files.

Configuration channels deploy individual files using a web interface to provide content. Permissions and user/group ownership can also be specified.

The configuration file process performed on a Red Hat Network Satellite Server includes the following steps:

• Create configuration channel(s)

• Create and manage configuration files

• Schedule deployment of updated configuration files

A high-level view of the actions taken on a Red Hat Network client that receives configuration files from RHN includes:

• Client system subscribes to configuration channel

• Configuration files may be deployed at client registration

• Scheduled config file updates deploy when the client checks in

Most configuration channel setup and management is accessed via the Configuration top-level tab within the RHN web interface. There is a different Configuration tab that appears in the system profile screen of systems that are subscribed to one or more configuration channels. It exposes configuration file management functions that can be performed on each system.

Note

Configuration channels are a RHN provisioning feature; the clients must have a provisioning add-on entitlement.

Configuration vs. Software Channels

It is important to know the similarities and differences between configuration channels and software channels and what their purpose is. Configuration channels are designed to deploy individual text and binary configuration files. Software channels are used for deploying whole RPM packages. File ownerships and permissions have to be specified for each file in a configuration channel. RPM packages have file ownership and permission metadata bundled within the package. They also include shell code used to make adjustments to the system (such as configuring a service to start at boot time). Configuration channels don't have any sort of scripting capability.

A single system can subscribe to multiple channels. Only a single Provisioning system entitlement is required regardless of the number of subscribed channels. When multiple configuration channels are involved, the highest ranking channels win when the same file is provided by two or more channels. Centrally-managed configuration files are files in a configuration channel that are available to all of the systems that subscribe to that channel. Single systems can have custom configuration files that apply only to them, called locally-managed configuration files. When there are conflicts, locally-managed configuration files will override and be installed over centrally-managed files.

Systems with Provisioning entitlements can be subscribed to configuration channels using the Red Hat Network web interface. This is done by selecting the Configuration tab within the system profile screen (not the top-level Configuration tab). Select the Manage Configuration Channels tab then click the Subscribe to Channels sub-tab to assign available configuration channels to the system being viewed. Configuration channel subscription can also be accomplished using activation keys.

Managing Configuration Channels

Configuration channel management functions are accessed within the Red Hat Network web interface by selecting the top-level Configuration tab then selecting the Configuration Channels menu item. A screen will appear listing the current configuration channels available within the current organization, and new channels can be created by clicking the create new config channel link. The Configuration tab appears only for Organization and Configuration Administrators and only when Provisioning system entitlements have been assigned to the organization.

When a new configuration channel is created, the channel name, a label, and a description must be specified. The channel name is displayed when browsing content using the RHN web interface. Command-line tools, which will be discussed later, use the channel label to specify configuration channels.

Once the configuration channel has been created and its profile is displayed, click the Add Files tab to assign files to the channel. Files can be uploaded from the local hard drive, they can be imported from another configuration channel, or they can be created using a web-based form/editor. When creating or uploading configuration files, the following attributes must be specified for each file:

• Absolute path where the file will be deployed on the target system

• Whether the file is text or a binary file

• User and group ownership

• Numeric permissions

• Which delimiter characters to use for macro expansion

The default maximum configuration file size is 128KB. It can be changed if necessary. For example, to allow 1MB files and smaller to be managed by the Satellite Server, make the following adjustments. Edit /etc/rhn/rhn.conf and add the following line:

web.maximum_config_file_size=1048576

Also edit /etc/rhn/default/rhn_server.conf and locate the maximum_config_file_size setting and adjust it as follows:

maximum_config_file_size=1048576


Note that both values are specified in bytes and the RHN Satellite Server software must be restarted to make the changes go into effect.

References

Red Hat Network Satellite Reference Guide

• Section 7.7.3: Configuration Channels


Practice Performance Checklist

Creating and Populating a Configuration Channel

Use your RHN Satellite Server to deploy configuration files. In this exercise you will create a Configuration Administrator account, create a configuration channel, and populate it with a custom configuration file for Example Inc.

Create a Configuration Administrator account for the Example Inc. organization on your RHN Satellite Server. The account is for Ms. Janice Configurator and should have the login of configurator with a password of redhat. RHN Satellite generated e-mail for her should go to [email protected]. Also she should be able to administer systems in the example servers system group.

Log in to your RHN Satellite Server as configurator and create a configuration channel called “Example Configs” with the label example-configs.

Add a configuration file to the example-configs configuration channel. The file should provide a custom login banner for Example Inc. servers. The file to add to the configuration channel should be /etc/issue. It should have user and group ownership of root in both cases and should have permissions of -r--r--r--. The file contents should be:

*** Example Inc. ***
blank line


Client Configuration

When a client subscribes to the “Red Hat Network Tools” channel, the rhncfg-actions package is available (rhncfg and rhncfg-client are also installed as dependencies). The rhncfg-actions package provides the rhn-actions-control command.

The rhn-actions-control command is used to display and control the actions that are permitted to occur on the client system as a result of a command from a Red Hat Network server. It can be used to:

• Display current settings: rhn-actions-control --report

• Enable an action: rhn-actions-control --enable-feature

• Disable an action: rhn-actions-control --disable-feature

The table below lists the features controlled by rhn-actions-control:

Feature                 Permissions Granted
--enable-deploy         Allow rhncfg-client to deploy files.
--enable-diff           Allow rhncfg-client to diff files.
--enable-upload         Allow rhncfg-client to upload files.
--enable-mtime-upload   Allow rhncfg-client to upload mtime.
--enable-run            Allow rhncfg-client the ability to execute remote scripts.
--enable-all            Allow rhncfg-client to do everything.

When a system is provisioned with a kickstart profile from Red Hat Network and configuration file deployment is enabled, the client system is configured with the --enable-all capability. This has obvious security implications.
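One way to find clients left with --enable-all or --enable-run switched on, as an added example that is not part of the workbook or of the RHN tools. It assumes rhn-actions-control records each enabled feature as a flag file under /etc/sysconfig/rhn/allowed-actions (the layout and file names are an assumption to confirm on your own clients), and the permitted set is a hypothetical site policy.

```python
import os

# Assumption (not stated in the workbook): rhn-actions-control records each
# enabled feature as an empty flag file below this directory.
ALLOWED_ACTIONS_DIR = "/etc/sysconfig/rhn/allowed-actions"
FLAG_FILES = {
    "deploy": "configfiles/deploy",
    "diff": "configfiles/diff",
    "upload": "configfiles/upload",
    "mtime-upload": "configfiles/mtime_upload",
    "all": "configfiles/all",
    "run": "script/run",
}
# Reporting order: the broadest grants first.
SEVERITY_ORDER = ["all", "run", "upload", "mtime-upload", "deploy", "diff"]


def enabled_features(root=ALLOWED_ACTIONS_DIR):
    """Return the set of features whose flag file exists under root."""
    return {name for name, relative in FLAG_FILES.items()
            if os.path.isfile(os.path.join(root, relative))}


def audit(root=ALLOWED_ACTIONS_DIR, permitted=("deploy", "diff")):
    """Return enabled features outside the permitted set, broadest first.

    "all" and "run" are reported unless the policy names them explicitly,
    because they allow every action and remote script execution respectively.
    """
    extra = enabled_features(root) - set(permitted)
    return [name for name in SEVERITY_ORDER if name in extra]


def make_sample_tree(root, features):
    """Build a constructed allowed-actions tree so the audit runs offline."""
    for name in features:
        path = os.path.join(root, FLAG_FILES[name])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    findings = audit()
    if findings:
        print("features enabled beyond policy: " + ", ".join(findings))
    else:
        print("allowed actions match policy")
```

Compare the result with rhn-actions-control --report on the same client before acting on it.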

The rhncfg-client utility runs on the client and does the actual work of RHN configuration file administration on the local machine. The table below summarizes the various functions performed by this utility:

Subcommand        Function
verify            Compare the local config files with the RHN server's versions.
get [file-path]   Download the most current version of the config files, overwriting any local modifications.
list              List the config files provided by the RHN server.
elist             Perform an extended (ls -l) listing of the config files provided.
channels          List the config channels the client is subscribed to.


References

Red Hat Network Satellite Reference Guide

• Section 7.7.1: Preparing Systems for Configuration Management

rhncfg-client(8) and rhn-actions-control(8) man pages


Practice Performance Checklist

Deploying Configuration Files to a RHN Client

Configure your client server so it will pull custom configuration file content from the configuration channel you created on your RHN Satellite Server.

Entitle your client server, desktopY, to be able to install the tools necessary to provision it from your Satellite Server.

Install all necessary RHN configuration client software on desktopY. Configure your client system so it will permit configuration files to be deployed on it.

Modify the desktopY.example.com system profile so it subscribes to the example-configs configuration channel. Execute commands on the client system so it downloads the configuration files provided by example-configs. Verify the new /etc/issue file successfully deploys.


Configuration File Management

rhncfg-manager is a command-line management tool used to manage Red Hat Network configuration channel content (included in the rhncfg-management package). This command can create, remove, and list configuration channels. It is also used to manage files within a configuration channel, and works like Subversion.

The rhncfg-manager subcommand is always specified first, followed by any required options. The following table lists the most frequently used rhncfg-manager subcommands:

File Subcommand                     File Subcommand
list channel-name                   diff file ...
add file ...                        remove file ...
get file ...                        update file ...

Channel Subcommand                  Channel Subcommand
list-channels
download-channel -t tld ch-label    upload-channel ch-label
create-channel ch-label             remove-channel ch-label

Table 8.1. rhncfg-manager Subcommands

Many rhncfg-manager commands require options. The most common options used include:

• -c ch-label: config channel of interest

• -t top-level-directory: this option is used most frequently with channel-related commands

• -d destination-path: used to specify the absolute path name of a file on the target system

• --help: display context sensitive help

The channel-related subcommands create and use directories which act as chroot environments for the files that are managed for the target system. The -t option specifies a top-level directory where all channel content is stored. Subdirectories hang off of that directory with the channel labels as their names.

Take care when using the create-channel subcommand. It expects the channel name and the directory containing the files to be the same, so the original directory name will become the channel label for the new channel. The channel label cannot be changed.

When root uses rhncfg-manager, the command communicates with the Red Hat Network server the system is registered with as a client. An unprivileged account can use this tool if a file called ~/.rhncfgrc is created with the following content:

[rhncfg-manager]
server_url = https://satellite.fqdn/CONFIG-MANAGEMENT-TOOL
sslCACert = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
username = RHN_config_admin_login


References

rhncfg-manager(8) man page


Practice Performance Checklist

Command-line Configuration File Management

Red Hat provides tools that allow an administrator to manage configuration channel content from the command-line. Use commands from the shell to update the configuration file content in your RHN Satellite Server.

Install all necessary software on desktopY to perform configuration file management from the command-line. Create a directory called ~/config-mgmt where configuration files can be downloaded, modified, and uploaded back into the RHN Satellite Server.

Use the RHN command-line management tools to download the files for the example-configs configuration channel below ~/config-mgmt. Modify the configuration channel's /etc/issue file so it contains the following content:

*** Example Inc. ***
No trespassing allowed.
blank line

Use the command-line management tools to upload your change into your RHN Satellite Server.

Pull configuration files from the Satellite Server down to desktopY. Verify the most current version of /etc/issue has been deployed.


Flexible Configuration with Macros

Red Hat Network configuration file macros permit string substitutions to occur when configuration files are deployed on a particular system. This helps with standardization since a generic template can be used for multiple hosts instead of maintaining locally-managed configuration files for each system. The default delimiters for macro references are {| and |}, but these can be changed for a particular config file if these strings are used literally in the configuration file.

The following is a list of standard configuration file macros provided by Red Hat Network:

• rhn.system.sid

• rhn.system.profile_name

• rhn.system.description

• rhn.system.hostname

• rhn.system.ip_address

• rhn.system.net_interface.ip_address(eth_device)

• rhn.system.net_interface.netmask(eth_device)

• rhn.system.net_interface.broadcast(eth_device)

• rhn.system.net_interface.hardware_address(eth_device)

• rhn.system.net_interface.driver_module(eth_device)

Custom macros are created/referenced with the rhn.system.custom_info(key_name)macro. How to define values and use custom macros will be discussed in more detail later.

Sample Configuration FileThe following is a sample /etc/hosts file that uses RHN Configuration file macros:

# Do not remove the following 2 lines, or programs# that require network functionality will fail.127.0.0.1 localhost.localdomain localhost::1 localhost6.localdomain6 localhost6

{| rhn.system.net_interface.ip_address(eth0) |} {| rhn.system.hostname |}192.168.0.254 instructor.example.com instructor

# This system is located in the {| rhn.system.custom_info(rackcolor) |} rack

The above example demonstrates the use of standard built-in Red Hat Network configuration filemacros rhn.system.hostname and rhn.system.net_interface.ip_address. They areenclosed in the default macro delimiters {| and |}. These macros will be expanded to the hostname and the IP address of the eth0 interface of the system on which this configuration file getsdeployed.

Page 153: RedHat Enterprise Satellite Server 6

Sample Configuration File

RH401-6-en-1-20110713 131

The example is interesting because it also shows a macro that uses a custom key, in this particular example a key called rackcolor. The parameter to the rhn.system.custom_info macro is a custom key label. To create a custom configuration file key, select the Systems top-level tab then choose the Custom System Info menu item from the menu that appears. Follow the create new key link, provide a key label and description, then click the Create Key button to confirm your specifications and create a new configuration file key.

Once the configuration file key label is created, it can be assigned an arbitrary value for the hosts that use that label. To use/define a custom key for a system, navigate to the system profile, select the Details tab then the Custom Info sub-tab. Select the link for an existing defined key value or click the create new value link to assign a value to one of the custom variables defined for this organization.

Custom keys are simply used for macro replacement - RHN does not currently provide logic or math operations for them. The Red Hat Network API can be used to assign values to custom keys so scripts can perform calculations and store the results in custom keys and therefore configuration files. The relevant API method to use is setCustomValues which is defined in the system namespace.
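The workflow just described, as an added example (not code from the workbook or from Red Hat): a script calculates a value and stores it in the rackcolor custom key through the API's system.setCustomValues call. The server URL, login, profile name and subnet-to-rack mapping are assumptions, and FakeSatellite is a constructed stand-in so the example runs without a Satellite Server.

```python
import ipaddress
from types import SimpleNamespace

# Hypothetical site policy: which rack a system sits in, keyed by its subnet.
RACK_BY_SUBNET = {
    ipaddress.ip_network("192.168.0.0/24"): "blue",
    ipaddress.ip_network("10.100.1.0/24"): "green",
}


def rack_for_ip(ip):
    """The 'calculation' step: derive the rackcolor value from an IP address."""
    addr = ipaddress.ip_address(ip)
    for net, color in RACK_BY_SUBNET.items():
        if addr in net:
            return color
    raise LookupError("no rack is defined for %s" % ip)


def store_custom_values(client, login, password, profile_name, values):
    """Set custom key values on one system and return its server ID.

    client is an xmlrpc.client.ServerProxy pointed at the Satellite API,
    e.g. ServerProxy("https://satellite.example.com/rpc/api") (assumed URL).
    """
    session = client.auth.login(login, password)
    try:
        matches = client.system.getId(session, profile_name)
        if len(matches) != 1:
            # Profile names are not unique; refuse to guess which one is meant.
            raise LookupError("%d systems are named %r"
                              % (len(matches), profile_name))
        server_id = matches[0]["id"]
        client.system.setCustomValues(session, server_id, values)
        return server_id
    finally:
        # Always end the session, even when a call above fails.
        client.auth.logout(session)


class FakeSatellite:
    """Constructed stand-in for ServerProxy; records what the script sends."""

    def __init__(self, systems):
        self.systems = systems      # profile name -> server ID
        self.custom = {}            # server ID -> {key label: value}
        self.open_sessions = set()
        self.auth = SimpleNamespace(login=self._login, logout=self._logout)
        self.system = SimpleNamespace(getId=self._get_id,
                                      setCustomValues=self._set_custom)

    def _login(self, login, password):
        self.open_sessions.add("session-1")
        return "session-1"

    def _logout(self, session):
        self.open_sessions.discard(session)
        return 1

    def _get_id(self, session, name):
        if name not in self.systems:
            return []
        return [{"id": self.systems[name], "name": name}]

    def _set_custom(self, session, server_id, values):
        self.custom.setdefault(server_id, {}).update(values)
        return 1


if __name__ == "__main__":
    satellite = FakeSatellite({"station151.example.com": 1000010001})
    sid = store_custom_values(satellite, "admin", "not-a-real-password",
                              "station151.example.com",
                              {"rackcolor": rack_for_ip("192.168.0.151")})
    print(sid, satellite.custom[sid])
```

Against a real server, read the password with getpass rather than embedding it in the script, and create the rackcolor key label first as described above.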

References

Red Hat Network Satellite Reference Guide

• Section 7.7.5.1: Including Macros in your Configuration Files


Unit Summary

Configuration Channel Management

In this section you learned how to:

• Describe the uses for RHN configuration channels

• Create and manage configuration channels

Client Configuration

In this section you learned how to:

• Use RHN to deploy configuration files to client machines

Configuration File Management

In this section you learned how to:

• Manage configuration channel content from the command-line

Flexible Configuration with Macros

In this section you learned how to:

• Create templates using RHN config file macros


UNIT NINE

PROVISIONING WITH PXE

Introduction

Topics covered in this unit:

• Components of bare metal provisioning

• Kickstart profile management

• Deployment of DHCP services

• Use Cobbler and Koan


Provisioning Requirements

There are three kinds of provisioning: bare-metal, virtual machine deployment, and rebuilding. The goal of bare metal provisioning is to non-interactively prepare a new computer for use - unpack a new system, cable it, and push a button. In this unit you will learn how to build the network infrastructure to facilitate the deployment of Red Hat Enterprise Linux servers.

The following shows the order in which network services are used to accomplish bare metal provisioning in a PXE-boot environment. We will look at each of these services in the following pages from highest level to lowest rather than in chronological sequence:

1. DHCP server provides:

• General networking information

• next-server: name of tftp server

• filename: file to retrieve from tftp server (usually pxelinux.0)

2. TFTP server provides:

• Network boot loader (pxelinux.0 with menu.c32)

• PXE configuration files (location of kernel, initrd, kickstart file)

• Anaconda stage 1 (vmlinuz, initrd)

3. Kickstart/installation file server provides:

• Anaconda stage 2 from kickstart tree

• HTTP provides kickstart file to Anaconda

• Install server provides RPM packages

Red Hat Network Satellite can provide several critical pieces of this infrastructure, managing kickstart profiles and packages needed to install Red Hat Enterprise Linux. TFTP services will be provided by the Cobbler component of RHN Satellite.

References

Red Hat Network Satellite Reference Guide

• Section 11.1: Cobbler Requirements


Tuning RHN Satellite for Provisioning

Kickstart Profiles

Kickstart profiles act as blueprints for the systems being provisioned. They define the disk partitioning for the new system, the network configuration, and other system attributes such as time zone and authentication methods. Package groups and individual packages determine which software gets installed on the system. The base software channel defines which Red Hat Enterprise Linux distribution on the Satellite Server the software will come from.

Kickstart profiles facilitate system recovery and replication. Each organization within a Satellite Server manages its own kickstart profiles. The URI used to access a profile includes the profile's name, so difficult-to-guess names should be used when the Satellite Server can be accessed from an insecure network.

Provisioning in an enterprise environment starts with defining kickstart profiles that build systems suited for the IT needs of the organization. Additional steps must be taken to put in place the network infrastructure that delivers the kickstart profiles and installation media to the target systems.

RHN Satellite operations can be performed in the kickstart %post section. These include:

• Child software channel subscriptions

• System group assignments

• Activation keys

Creating a Kickstart Profile

Red Hat Network requires provisioning add-on entitlements for machines that will be installed using the resources of the Satellite Server. If these entitlements aren't available, the Kickstart and Provisioning tabs and menus will not appear in the web interface. Organization Administrators are responsible for kickstart management so proper authentication is required to see these functions as well.

First a unique kickstart profile label must be chosen and specified. The Base Channel determines which packages and package groups are available at install time. These packages and package groups can be listed in the Package Groups form below the Software tab once the kickstart profile is created.

The base software channel determines which choices will be presented by the Kickstartable Tree pull-down menu. The specific tree chosen defines which install media must be used at build time. The install trees correspond to subdirectories found below the /var/satellite/rhn/kickstart directory. These directories contain the necessary ISO and PXE images used to begin kickstart installations.

The resulting kickstart file generated, including scripts, can be found beneath the Kickstart File tab. It can be viewed on the screen or downloaded to a file using a web browser. Pre-existing kickstart files can be imported into a Satellite Server by selecting the upload new kickstart file link instead of create new kickstart profile.

Kickstart profiles can be tested without other components of a provisioning infrastructure in place. The URI of a particular kickstart profile can be found by selecting the Kickstart Details tab followed by the Bare Metal Kickstart tab. The URI begins with http://satellite.fqdn in the Bare Metal Kickstart section towards the top of the page.

To create a kickstart profile in the Satellite Server, navigate to the Create Kickstart Profile form: select the Systems tab, choose Kickstart from the navigation menu at the left, then click on the create new kickstart profile link at the upper right. Fill out the Create Kickstart Profile form. Note that the Base channel chosen will determine which kickstart trees are presented.

Kickstart Profile Extras

File Preservation

Red Hat Network Satellite Server provides a file preservation feature that allows files and directories to be saved and restored when a system is reinstalled. The target system must be already managed by the Satellite Server and a file preservation profile must be enabled for the host. File preservation only works when kickstarts are initiated within the Satellite Server web interface.

A file preservation list is created by going to the Systems → Kickstart → File preservation page and selecting the create new file preservation list link. Give the list a unique label and specify the list of files and directories, one per line, to be preserved by this list. Click the Create List button to complete the list creation process. One or more file preservation lists can be applied to a kickstart profile by selecting System Details → File Preservation when editing a specific kickstart profile.

SSL and GPG Key Provisioning

SSL certificate authority certificates and GPG keys can be provisioned by kickstart as well. These permit secure communication with the Satellite Server and RPM signatures to be verified.

Certificates and keys are managed in the Systems → Kickstart → GPG and SSL Keys page.

When editing a specific kickstart profile, keys can be selected for inclusion by selecting the GPG & SSL sub-tab below the System Details tab. Satellite Server kickstart profiles install the RHN-ORG-TRUSTED-SSL-CERT CA certificate by default, but the GPG key which verifies the signatures of Red Hat's production packages, RPM-GPG-KEY-redhat-release, is not installed by default.

Example Template

Templates: Variables and Snippets

Scripts can be defined in the %pre and %post sections of a kickstart file. When scripts are defined using the Red Hat Network Satellite web interface, there is a “Template” mode that permits variables and code snippets to be substituted into the scripts.

Variables can be defined in a couple of places: the kickstart profile or a system definition. The Kickstart Details → Variables tab is used to define kickstart profile variables when editing a kickstart profile. Variables for a particular system are defined by selecting the Provisioning → Kickstart → Variables tab when editing a system profile. More local variable definitions will override general definitions. For example, if a kickstart profile definition of a variable called pet is cat and the same variable is defined as dog in the system profile, then the variable reference $pet in the scripts will evaluate to dog.


Since $ and # are special characters when a script is created as a template, these characters must be escaped with a backslash when template variable substitution should not occur. Large blocks of code can be enclosed with the #raw and #endraw directives to disable template variable substitution for that section of code. In fact, when the Template checkbox is left unchecked, these directives are automatically added so they surround the entire contents of the user's script.

Snippets are macros that expand to multiple lines of predefined code. They make maintenance of reusable code more manageable since correcting a bug in a snippet corrects the code in every kickstart profile that references the snippet. They also simplify kickstart scripts and make them easier to read. They can be viewed and managed by going to the System → Kickstart → Kickstart Snippets page. There are several predefined, default snippets you can use in your scripts. Including $SNIPPET('koan_environment') in a %post kickstart script will generate code that creates a couple of system profile files that define a shell variable called COBBLER_SERVER that points to the Satellite Server performing the kickstart.

$SNIPPET('koan_environment')

expands to:

# Start koan environment setup
echo "export COBBLER_SERVER=$server" > /etc/profile.d/cobbler.sh
echo "setenv COBBLER_SERVER $server" > /etc/profile.d/cobbler.csh
# End koan environment setup

PXE Boot

Preboot eXecution Environment (PXE) is an environment to bootstrap computers using a network card. Both the network card and the BIOS must support PXE (many modern cards do). Motherboards with integrated NICs often have PXE functionality.

The network interface card broadcasts a DHCPDISCOVER packet extended with PXE-specific options. A DHCP server replies with a DHCPOFFER giving the client information about the PXE server and offering it an IP address. Once the client responds with a DHCPREQUEST, the server sends back a DHCPACK containing the path to a boot file that the client can download via the Trivial FTP (TFTP) protocol.

The client connects to the TFTP server (frequently the same machine as the DHCP server), downloads the specified file to RAM and verifies the file using a checksum. Once verified, it is executed.

This is useful for system maintenance. Ideally, machines are configured in the BIOS to boot from the local hard drive first, and if that fails then to boot from the network. A network boot is set up to trigger an automatic kickstart. So, as long as the machine has a valid boot loader on the hard drive, the installation is left alone. If the hard drive has no boot loader, it is a new machine and it gets kickstarted. With this type of configuration, an automatic re-installation can be started by destroying the hard drive boot loader and rebooting.

Cobbler Setup and pxelinux.0

To find pxelinux.0 on your system, run:

[user@host ~]$ rpm -ql syslinux | grep pxelinux

pxelinux.0 is a network-aware boot loader. Once executed by the client system's BIOS, pxelinux.0 searches the same directory from which it was downloaded for a configuration file in the pxelinux.cfg/ subdirectory. The loop ends on the first successful get operation. This procedure is documented in /usr/share/doc/syslinux-*/pxelinux.doc.
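The lookup loop described above, as an added example (not from the workbook or the syslinux project): it lists the file names pxelinux.0 requests for a client, following the order documented for pxelinux (hardware address, then the IP address in hex shortened one digit at a time, then default). The MAC and IP address are those of the station151 example used elsewhere in this unit; the client-UUID lookup that pxelinux tries first when the PXE stack supplies a UUID is left out, and the function names are hypothetical.

```python
import ipaddress


def pxelinux_config_candidates(mac, ip, arp_type=1):
    """Return the configuration file paths pxelinux.0 requests, in order.

    mac      -- client hardware address, colon- or dash-separated
    ip       -- the IPv4 address the client was leased
    arp_type -- ARP hardware type used as the file name prefix; 1 is Ethernet
    """
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("not an Ethernet MAC address: %r" % mac)
    int("".join(octets), 16)  # raises ValueError on non-hex digits

    # 1. Hardware type and address, lower-case hex, dash-separated.
    names = ["%02x-%s" % (arp_type, "-".join(o.lower() for o in octets))]

    # 2. The IP address in upper-case hex, then one digit shorter each time.
    #    Shorter names therefore match whole blocks of addresses.
    hex_ip = "%08X" % int(ipaddress.IPv4Address(ip))
    names.extend(hex_ip[:n] for n in range(8, 0, -1))

    # 3. The catch-all file every client falls back to.
    names.append("default")
    return ["pxelinux.cfg/" + n for n in names]


def first_match(candidates, files_on_tftp_server):
    """Mimic 'the loop ends on the first successful get operation'."""
    for path in candidates:
        if path in files_on_tftp_server:
            return path
    return None


if __name__ == "__main__":
    wanted = pxelinux_config_candidates("12:34:56:78:AB:CD", "192.168.0.151")
    for path in wanted:
        print(path)
    # Constructed TFTP directory listing: a per-subnet file and the default.
    present = {"pxelinux.cfg/C0A800", "pxelinux.cfg/default"}
    print("client boots with:", first_match(wanted, present))
```

Because an unknown machine falls through to pxelinux.cfg/default, that file decides what any new system on the provisioning network boots.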

Additional files from the syslinux package are required by pxelinux.0 to support the menu configurations created by Cobbler. The RHN Satellite installer, install.pl, can be used to deploy Cobbler when a Satellite server is installed, but the cobbler-setup command can also install Cobbler and enable tftp services post installation. The cobbler sync command performs the additional step of deploying menu.c32 and pxelinux.0 to support menus in the x86 environment.

References

Red Hat Network Satellite Deployment Guide

• Chapter 5: Provisioning with Satellite


Practice Exercise

Automating RHN Satellite Client Configuration

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Use an activation key to register newly installed machines to your Red Hat Network Satellite Server. It should subscribe the systems to useful software channels and join the Example Servers system group.

1. Create an activation key with a label of example-web. When clients are registered with this activation key, the following actions should be performed:

• Subscribe to the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base software channel

• Subscribe to the related Red Hat Network Tools and Example custom child software channels

• Provide a provisioning entitlement

• Subscribe to the Example Configs configuration channel

• Deploy configuration files provided by the Example Configs configuration channel

• Associate with the Example Servers system group

2. Since signed packages will probably be deployed when the new systems are provisioned, the GPG keys used to verify their signatures need to be deployed as well. Import the GPG key used to verify custom packages built for Example, Inc. and the GPG key used to verify standard Red Hat released RPMS. These keys are found in /var/www/html/pub/EXAMPLE-GPG-KEY and /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release respectively.


Practice Exercise

Creating a Web Server Kickstart Profile

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Create a kickstart profile to build a web server that is ready to use immediately after it is installed from bare metal.

1. Create a kickstart profile labeled web-server that uses Red Hat Enterprise Linux 6 Server to install a new machine. This profile will be used for bare-metal installations without any use of virtualization. The most recent kickstart tree available should be used to perform the installation. The initial root password for systems built with this profile should be redhat.

2. The kickstart profile should create three native disk partitions. The first partition should contain a 256MB ext3 file system mounted as /boot. A 2048MB swap partition should be created. The final native disk partition should be a 17GB LVM physical volume.

Create a volume group named vol0 that includes the 17GB physical volume. Two logical volumes should be created within the vol0 volume group. The first logical volume should be named home and it should be 512MB in size. It will contain the /home filesystem. The second logical volume should be named root and it should consume the rest of the unused storage in vol0. It will be used for the / filesystem.

Choose the appropriate time zone for your locale. Systems in this organization have hardware clocks which keep time using UTC instead of local time.

The kickstart should install the GPG keys used to verify package signatures for RPMS released from Red Hat and custom packages provided by Example, Inc.

3. Systems built with this kickstart profile are web servers, but they are also used with graphical utilities and Subversion. Ensure the subversion RPM and the following package groups are installed: x11, basic-desktop, and web-server.

4. Update the kickstart profile so systems built with this profile register with the Red Hat Network Satellite Server using the Example Web Server activation key.

5. Create a post script in the kickstart profile that performs the following tasks:

• Create a user named oliver with a password of password

• Install the example RPM provided by the custom software channel

• Update all system software to its most current release

• Configure the web server to start at boot


Practice Exercise

Set up the Provisioning Network

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Before desktopX provides any network services, it must be configured to communicate with and act as a gateway for its backend network. Also configure the Cobbler component of Red Hat Network Satellite Server to provide tftp and pxelinux capabilities for provisioning. Make sure Cobbler is installed and functioning properly.

1. Physically disconnect your client workstation, desktopY, from the classroom network. Cable desktopY so it is connected to the second NIC of desktopX. This can be accomplished with either cross-over cables or with a small switch with two patch cables. Your instructor should have provided you with all necessary hardware to accomplish this task.

2. Configure the backend interface of desktopX to have a static IP address of 10.100.X.254/24. You will not be able to fully test the backend interface until you power up and configure desktopY. Do a preliminary test by pinging the interface address.

3. Enable IPv4 packet forwarding on desktopX. Make sure this feature is persistent across reboots.

4. The following diagram represents the configuration of your lab environment when you finish this sequence:

RH401 Student Network Configuration
===================================

-----+-------------------- Classroom intranet
     |
eth0 | 192.168.0.X
 ,---+---.
 |       |  desktopX.example.com (desktopX)
 |       |
 `---+---'
     |
eth1 | 10.100.X.254
     |
     |
eth0 | 10.100.X.1
 ,---+---.
 |       |  station1.privateX.com (desktopY)
 |       |
 `-------'

5. When installing Red Hat Network Satellite Server, the installer asks if Cobbler should be used to provide provisioning services. If it isn't already installed, use the cobbler-setup command to install Cobbler and enable tftp services.

6. Run cobbler sync as root to install the necessary files to support PXE network bootloading.


7. Confirm xinetd and tftp are configured to run at boot time and that xinetd is currently running.


Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol, DHCP, allows a server to offer provisioning information to clients in a managed, automated fashion. DHCP is a superset of the BOOTP protocol; dhcpd has been designed to answer requests from BOOTP clients. BOOTP clients will retain their configuration information indefinitely; there is no notion of a lease in BOOTP. The DHCP server sends and receives on UDP port 67 and the client uses UDP port 68.

When a client network interface is configured for a dynamic IP address, it sends a DHCPDISCOVER packet to the broadcast destination of 255.255.255.255. The broadcast packet will be handled either by a DHCP server connected to the local physical network or by routers configured to forward the packet to a DHCP server on a different subnet. The client also sends its previous IP address in this packet.

The first DHCP server to receive the broadcast packet from the client will respond by sending the client a DHCPOFFER packet based on its configuration. DHCPOFFER packets contain the DHCP server's IP address, the router, the IP address and subnet mask the client should use, and the lease time. The DHCP server may also offer other information such as NTP servers, DNS servers, timezones, domain names, etc.

The client then broadcasts a DHCPREQUEST back to the server, requesting the IP address the DHCP server offered. At first glance this seems redundant, but there may be multiple DHCP servers on the subnet, or the router may be forwarding the DHCPOFFER to multiple networks. In this case the client's DHCPREQUEST packet includes the client's IP address and the IP address of the DHCP server the client received its address from.

Once the DHCP server gets the DHCPREQUEST, it sends a DHCPACK acknowledging the client has exclusive rights to the client IP address until the lease time is up.

The DHCP server may offer additional options such as filename and the IP address of next server for PXE boot.
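To show where these values travel on the wire, the following added example (not from the workbook) decodes a DHCP reply and reports the leased address, lease time, next server and boot file name. The DHCPACK it parses is constructed inline from the addresses used in this unit's dhcpd.conf samples; the transaction ID and the server identifier are assumptions.

```python
import ipaddress
import struct

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr,
# yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes in total).
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK"}


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_options(data):
    """Walk the code/length/value option list that follows the magic cookie."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:          # end of options
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(packet):
    """Decode the fields of a DHCP message that matter for PXE booting."""
    if len(packet) < BOOTP_HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet is shorter than a BOOTP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, bootfile) = BOOTP_HEADER.unpack_from(packet)
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing")
    opts = parse_options(packet[240:])
    mtype = opts.get(53) or b"\0"
    lease = opts.get(51)
    routers = opts.get(3, b"")
    return {
        "message_type": MESSAGE_TYPES.get(mtype[0], "unknown"),
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "your_ip": _ip(yiaddr),          # the address being leased
        "next_server": _ip(siaddr),      # dhcpd.conf: next-server
        "filename": bootfile.split(b"\0")[0].decode("ascii"),  # filename
        "server_id": _ip(opts[54]) if 54 in opts else None,
        "routers": [_ip(routers[i:i + 4]) for i in range(0, len(routers), 4)],
        "lease_seconds": struct.unpack("!I", lease)[0] if lease else None,
    }


def build_sample_ack():
    """Constructed DHCPACK for the station151 reservation used in this unit."""
    def ip(text):
        return ipaddress.IPv4Address(text).packed
    header = BOOTP_HEADER.pack(
        2, 1, 6, 0,                          # BOOTREPLY, Ethernet, 6-byte MAC
        0x3903F326, 0, 0,                    # xid (constructed), secs, flags
        ip("0.0.0.0"), ip("192.168.0.151"),  # ciaddr, yiaddr
        ip("192.168.0.254"), ip("0.0.0.0"),  # siaddr, giaddr
        bytes.fromhex("12345678abcd"),       # chaddr, zero-padded by struct
        b"", b"pxelinux.0")                  # sname, file
    options = (bytes([53, 1, 5])                            # DHCPACK
               + bytes([54, 4]) + ip("192.168.0.254")       # server id (assumed)
               + bytes([51, 4]) + struct.pack("!I", 21600)  # lease time
               + bytes([1, 4]) + ip("255.255.255.0")        # subnet mask
               + bytes([3, 4]) + ip("192.168.0.1")          # router
               + bytes([255]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for field, value in parse_dhcp(build_sample_ack()).items():
        print("%-14s %s" % (field, value))
```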

To configure a DHCP server, first use ip addr to verify that a BROADCAST address is specified in your network configuration. Initial DHCP requests in IPv4 are broadcast and not sent to a specific server.

The dhcp package provides an IPv4 DHCP server and the dhcpv6 package provides an IPv6 DHCP server. We will concentrate on the installation and configuration of an IPv4 DHCP server in this course. The DHCP client packages, dhclient for IPv4 and dhcpv6_client for IPv6, are normally installed by default.

/etc/sysconfig/dhcpd can be used to configure dhcpd by setting the DHCPDARGS variable. The following line in that file would cause dhcpd to listen on eth0 only:

DHCPDARGS=eth0

Best Practice: Always run service dhcpd configtest after editing /etc/dhcpd.conf since configuration errors can prevent dhcpd from starting.

The DHCP server is an SELinux restricted service when enforcing the default targeted policy on a RHEL5 system. The server uses a number of SELinux contexts for its various files as indicated in /etc/selinux/targeted/contexts/files/file_contexts.


The dhcp package in Red Hat Enterprise Linux 5 installs with an empty /etc/dhcpd.conf having the correct SELinux context and a sample configuration in /usr/share/doc/dhcp-*. To start with the sample configuration while preserving the SELinux context, run:

[root@host ~]# cp /usr/share/doc/dhcp-*/dhcpd.conf.sample /etc/dhcpd.conf

Gotcha: dhcpd will not start if /var/lib/dhcpd/dhcpd.leases is missing, has the wrong ownership/permissions, or has the wrong SELinux context. See the dhcpd.conf and dhcp-options man pages for detailed descriptions of options.

Run service dhcpd configtest to check syntax. There must be at least one subnet block defined in /etc/dhcpd.conf for the dhcpd service to start. The subnet must correspond with statically-configured interfaces.

Essential dhcpd.conf Configuration

authoritative;
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.254;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 192.168.0.1;
  option time-offset -18000; # EST

  # DHCP clients
  range 192.168.0.1 192.168.0.100;
  default-lease-time 21600; # 6 hours
  max-lease-time 43200; # 12 hours
}

One subnet section must be defined for each configured interface on the DHCP server. Override this requirement in /etc/sysconfig/dhcpd with the DHCPDARGS variable, which can contain a space-separated list of interfaces to which dhcpd should bind. Placing DHCPDARGS=eth0 in /etc/sysconfig/dhcpd would only require one subnet declaration, and that declaration would apply to eth0's network.

ddns-update-style is the dynamic DNS update style. It should always be specified and may be one of ad-hoc, interim, or none. Using interim, the DHCP server will send the client host name to the DNS server.

range versus range dynamic-bootp

The range line determines the range of IP addresses the server will assign to DHCP clients only. Another option would be to specify range dynamic-bootp instead of range. Such a command would determine the range of IP addresses the server will pass to both DHCP and BOOTP clients. The difference between the two is that BOOTP clients do not relinquish their IP addresses. DHCP clients, on the other hand, recognize and use lease times in order to better manage the IP range.

If a client does not ask for any particular lease length, the server will use the default-lease-time. The max-lease-time determines the maximum possible lease time. These time values are expressed in seconds and they determine the amount of time the DHCP server will reserve the IP address for the client. In a QA lab these lease times may be a few seconds--just enough time to run a few network tests on a certain machine. Having a small lease time would mean the DHCP server could rotate through the IP address range fairly quickly. In an office environment the lease times could be hours or days since the clients might rarely change.

Reserved IP Addresses

authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.254;
  ...truncated...
  range 192.168.0.1 192.168.0.100;
}

host station151 {
  hardware ethernet 12:34:56:78:AB:CD;
  # this IP must be outside DHCP and BOOTP ranges
  fixed-address 192.168.0.151;
}

The host declaration can bind a MAC address to an IP address - in essence giving it a static IP address. The entry after the host parameter (in this case station151) may be passed to the DNS server when using ddns-update-style interim.

In the example host entry above, we assign a host name and IP address to a certain MAC address. If a DHCP client having the MAC address 12:34:56:78:AB:CD attempts to get an IP address from this DHCP server, the server will offer it an IP address of 192.168.0.151.
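The comment in the host block, that a reserved address must lie outside the DHCP and BOOTP ranges, can be checked mechanically. The following added example (not from the workbook or the dhcp package) scans a dhcpd.conf for reservations that fall inside a range, fall in no declared subnet, or reuse a MAC or IP address. The sample text is the configuration above plus one constructed host, station50, that breaks the rule; the parser only understands the statements used in this unit.

```python
import ipaddress
import re

# The sample configuration from this unit plus one constructed host,
# station50, whose reservation wrongly sits inside the dynamic range.
SAMPLE_DHCPD_CONF = """
authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.254;
  range 192.168.0.1 192.168.0.100;
}
host station151 {
  hardware ethernet 12:34:56:78:AB:CD;
  fixed-address 192.168.0.151;   # outside the range: fine
}
host station50 {
  hardware ethernet 12:34:56:78:AB:CE;
  fixed-address 192.168.0.50;    # constructed mistake
}
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)"


def parse_dhcpd_conf(text):
    """Extract subnets, dynamic ranges and host reservations (IPv4 literals)."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    subnets = [
        ipaddress.ip_network("%s/%s" % pair)
        for pair in re.findall(
            r"\bsubnet\s+%s\s+netmask\s+%s\s*\{" % (ADDR, ADDR), text)
    ]
    ranges = []
    for low, high in re.findall(
            r"\brange\s+(?:dynamic-bootp\s+)?%s(?:\s+%s)?\s*;" % (ADDR, ADDR),
            text):
        low = ipaddress.ip_address(low)
        # "range A;" with a single address is a one-address range.
        ranges.append((low, ipaddress.ip_address(high) if high else low))
    hosts = []
    for name, body in re.findall(r"\bhost\s+(\S+)\s*\{([^}]*)\}", text):
        mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", body)
        addr = re.search(r"fixed-address\s+%s\s*;" % ADDR, body)
        if mac and addr:
            hosts.append((name, mac.group(1).lower(),
                          ipaddress.ip_address(addr.group(1))))
    return subnets, ranges, hosts


def check_reservations(text):
    """Return a list of problems found; an empty list means the checks passed."""
    subnets, ranges, hosts = parse_dhcpd_conf(text)
    problems = []
    seen_mac, seen_ip = {}, {}
    for name, mac, addr in hosts:
        for low, high in ranges:
            if low <= addr <= high:
                problems.append("%s: fixed-address %s is inside range %s-%s"
                                % (name, addr, low, high))
        if not any(addr in net for net in subnets):
            problems.append("%s: fixed-address %s is in no declared subnet"
                            % (name, addr))
        for seen, value, what in ((seen_mac, mac, "hardware address"),
                                  (seen_ip, addr, "fixed-address")):
            if value in seen:
                problems.append("%s: %s %s is already used by %s"
                                % (name, what, value, seen[value]))
            seen.setdefault(value, name)
    return problems


if __name__ == "__main__":
    for problem in check_reservations(SAMPLE_DHCPD_CONF):
        print(problem)
```

This complements service dhcpd configtest, which checks syntax rather than whether a reservation collides with a dynamic range.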

Offering Files via DHCP

subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.1;
  ...truncated...
  # specify server and file locations
  next-server 192.168.0.254; # could be DNS name
  filename "pxelinux.0"; # always use quotes
}

host station151 {
  hardware ethernet 12:34:56:78:AB:CD;
  # this IP must be outside DHCP and BOOTP range
  fixed-address 192.168.0.151;
}

This example adds two lines to the subnet stanza in order to offer clients a pxelinux boot loader. If station151 is capable of PXE booting and it contacts the DHCP server via its 192.168.0.0/24 subnet NIC, station151 will use tftp to get the file pxelinux.0 from host 192.168.0.254. The server could also be identified with a DNS host name instead of an IP address.


References

/usr/share/doc/dhcp-*/README

dhcpd.conf(5) and dhcp-options(5) man pages

Red Hat Network Satellite Reference Guide

• Section 11.1.2: Cobbler and DHCP


Practice Exercise

Configure DHCP to Support PXE

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Install a DHCP server that will issue IP addresses, both generally and based on MAC address, to your provisioning network.

1. Install the dhcp package on desktopX.

2. Use the /usr/share/doc/dhcp-*/dhcpd.conf.sample file as a starting point for the DHCP server.

• Change the subnet to 10.100.X.0/255.255.255.0.

• Change the router to the IP address of the backend network interface of your DHCP server.

• Set the DNS server to 192.168.0.254.

• Set the default DNS search domain to example.com.

• Issue IP addresses in the range from 10.100.X.2 to 10.100.X.10.

• Deploy the network boot loader to support PXE booting.

Configure your DHCP service to only issue IP addresses on the Ethernet card attached to the backend subnet.

3. In another terminal window or virtual console follow /var/log/messages. In your original shell start dhcpd and configure it to start at boot-time.

PXE boot your client workstation. You may need to press a function key during the boot sequence to choose network boot. Observe /var/log/messages as well as the boot messages on desktopY. Record desktopY's MAC address for future reference:

4. Use the MAC address of your second machine as recorded in /var/log/messages on desktopX to add a host IP reservation for 10.100.X.1 to /etc/dhcpd.conf. The name of the client host will be station1.privateX.com. Restart the dhcpd service.

PXE boot the client machine and verify that it gets the new address. It should also display the Cobbler PXE boot menu.


Cobbler and Koan

Cobbler

Cobbler is a great tool for building and maintaining a network infrastructure that supports kickstart installations. Red Hat Network Satellite Server uses Cobbler to facilitate all types of provisioning: bare-metal, virtual machine, and reinstallation. Cobbler was written by Michael DeHaan for the purpose of taking many separate technologies used for provisioning and managing them with a single tool. Cobbler is used to manage distributions (distros), kickstart profiles (profiles), and system provisioning configurations (system).

Distributions, or distros, define the locations for the installation kernel, its initial ramdisk image, and other installer parameters. Each kickstart tree in a RHN Satellite Server defines a standard installer distribution and a distribution that works with Xen. Also, when base channels are cloned, Satellite creates distributions for the installation trees used with the cloned channels.

Cobbler profiles define the location of the kickstart file associated with the profile and the distribution to be used. They also contain other metadata such as RHN Satellite organization. When a Cobbler kickstart profile is associated with a provisioned virtual guest, fields within the profile define the virtual machine's characteristics such as number of virtual CPUs and memory size.

When systems are provisioned, Cobbler creates a system definition that defines which kickstart profile should be used to build the system. Other information such as the installation media path and network settings are kept in the system definition. Note that the media path in system definitions created by RHN Satellite contains a hashed pathname that expires. So you will need to refresh the system profile by using the Satellite web interface to initiate the kickstart (select the system then click on the Provisioning tab, then Kickstart sub-tab, then the Schedule tab).

Cobbler provides a network boot infrastructure:

• Installs and configures a TFTP server

• Deploys and configures pxelinux

• Links to RHN Satellite kickstart profiles

• Does not implement DHCP services

Cobbler can be executed from the shell on the system which hosts it, typically the Satellite Server. The cobbler command is immediately followed by the Cobbler sub-command to be executed. Options are specified last and some options are required for certain commands. Built-in help messages appear when the -h option is specified on a partial command line.

The default configuration allows only root to successfully execute Cobbler commands. The cobbler aclsetup command controls Cobbler access for other users.

The cobbler list command displays a list of all known distros, their associated kickstart profiles, and the system definitions which are configured to use those profiles. The cobbler report command produces a detailed list of the settings associated with each distro, profile, and system in that order. Cobbler also has distro, profile, and system sub-commands. For example, the following command displays detailed information about the guest2:2:Example profile:


[root@host ~]# cobbler profile report --name=guest2:2:Example

Cobbler Installation

Cobbler should be installed when a Red Hat Network Satellite Server will be used for provisioning. The RHN Satellite installer prompts and asks if Cobbler should be installed. When Cobbler is chosen, the tftp-server package and its dependencies are installed and configured to provide pxelinux support on the network. It generates the necessary pxelinux menus and configuration to provide network installation services. Sometimes a few adjustments have to be made to the server running RHN Satellite to support Cobbler.

After Cobbler is installed, the cobbler check command should be used to check its current operating environment. This command displays suggestions for making adjustments to get Cobbler to work. Some of the suggestions should be implemented but there may be others that are not relevant to a particular installation.

Cobbler should be restarted and synchronized whenever its configuration file, /etc/cobbler/settings, is modified:

[root@host ~]# service cobblerd restart
[root@host ~]# cobbler sync

Cobbler can be used to:

• Inspect and modify its own configuration

• Generate a custom installation ISO

• Reprovision systems using kickstart

• Control power management functions

Provisioning with Cobbler

Changing a kickstart profile of a system allows for easy reprovisioning. The following command changes the kickstart profile of station3.example.com to the template used to install FTP servers:

[root@host ~]# cobbler system edit --name=station3.example.com:2 --profile=ftp-server:2:Example --netboot-enabled=1

The :2 in the names above represents the organization ID number of the organization which created them. To begin the installation, station3.example.com needs to be rebooted; the changes then go into effect.

When using Red Hat Network Satellite, Cobbler is typically used behind the scenes. Many of the provisioning adjustments made in the Satellite web interface make changes to Cobbler's profiles. For example, importing additional content using satellite-sync creates additional distros. Changing kickstart profiles for a system can be accomplished using a few mouse clicks. Cobbler provides a command-line interface to provisioning tasks.

To PXE provision a system using Cobbler, set the client system BIOS to boot from the network first, then the hard drive. Enable the Cobbler pxe_just_once global setting and use the netboot-enabled flag on each system to control installation.


Warning

RHN Satellite uses Cobbler as a back-end provisioning engine. It should not be used as a standalone tool. Do not use Cobbler subcommands and features that are outside of the scope of RHN Satellite documentation.

The cobbler buildiso command creates a bootable ISO CD image for use with machines that don't have PXE support. Each ISO is customized to fit the current Cobbler configuration of the Satellite Server it is created on. Because of their custom nature, these images need to be rebuilt whenever additional kickstart profiles are created within the Satellite Server.

Koan

Koan allows remote access to Cobbler. The $SNIPPET('koan_environment') macro expands to shell code that creates files on kickstarted machines which define a shell variable, COBBLER_SERVER. Its value is the host name of the Satellite Server used to provision the client, and Koan uses this variable as the default Cobbler server to access. COBBLER_SERVER can be temporarily overridden by specifying the --server option when using the koan command.

Koan can query Cobbler settings on a Red Hat Network Satellite Server. For example, the following command displays a list of distributions provided by Cobbler:

[user@host ~]$ koan --list=distros --server=satellite.fqdn

The following command lists the kickstart profiles provided by the Satellite Server used to install the client machine:

[user@host ~]$ koan --list=profiles

Koan can cause Cobbler to initiate a kickstart installation. This type of action requires root shell access. The following command changes Cobbler's configuration so the local client will be reinstalled when it is rebooted:

[root@host ~]# koan --replace-self

Specifying the --profile option causes Koan to select a different kickstart profile than the current one for reinstalling a system.

Koan can also be used to provision virtual guests. The following koan command installs a virtual guest on the current host according to the kickstart file specified by the --profile option:

[root@host ~]# koan --virt --profile=virt_guest_profile

Koan can interact with Cobbler to update its configuration. Koan is provided by the koan RPM (rhn-tools channel).


References

Red Hat Network Satellite Reference Guide

• Chapter 11: Cobbler

Red Hat Network Satellite Deployment Guide

• Section 5.9: Advanced Topics

cobbler(1) koan(1) man pages


Practice Exercise

PXE Installation of a Web Server

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Now that all the pieces are in place, kickstart a client system as a web server within the Example, Inc. organization.

1. Delete all previous system profiles from the Satellite Server. This is required to free up all entitlements needed for the new web server that will be kickstarted.

2. Power on or reboot the client machine and select PXE boot. How PXE boot is selected varies between various hardware vendors. Notice the Cobbler menu that appears has a new menu item:

web-server:orgID:ExampleInc

Use the arrow keys and choose this menu item to begin the installation of your web server.

3. Once the installation completes, confirm the new web server is built according to specification. If anything didn't work properly, ask your instructor for help and troubleshoot your RHN Satellite configurations.

4. Completely automate the PXE installation of your web server. Delete the existing system profile to free up entitlements before you begin the automated installation. Configure the system BIOS to PXE boot first, then boot from the local hard drive.

Create a Cobbler system profile for your system called station1 based on the machine's IP address. Configure Cobbler to PXE boot only once by default and use the netboot-enabled flag within the system profile to control installation.

After you install your system and confirm everything worked correctly, delete the station1 Cobbler system profile so it doesn't conflict with later lab exercises.


Unit Summary

Provisioning Requirements

In this section you learned how to:

• Define components of bare metal provisioning

Tuning RHN Satellite for Provisioning

In this section you learned how to:

• Tune RHN Satellite for Provisioning

Dynamic Host Configuration Protocol

In this section you learned how to:

• Install and configure DHCP

• Implement a bare metal install environment with DHCP

Cobbler and Koan

In this section you learned how to:

• Implement a bare metal install environment with Cobbler/Koan

• Use Cobbler and Koan to support kickstart


Chapter 10.


UNIT TEN

RHN VIRTUAL MACHINE MANAGEMENT

Introduction

Topics covered in this unit:

• System entitlements: Regular, Inherited Guest, Flex Guest

• Add-on entitlements: Virtualization and Virtualization Platform

• Virtual host and guest provisioning

• Virtual guest destruction


Virtual Host Configuration

RHN Virtualization

Virtualization technology is becoming more common in the datacenter. Red Hat Network software, including Satellite Server, is virtualization aware. Virtual guest machines are handled differently and don't consume system entitlements if they are properly registered.

The Red Hat Network web interface can manage virtual guests without the user having to authenticate into the physical system hosting the guests, called the virtualization host. The virtual guests can be booted or shut down remotely, or they can be suspended from using CPU resources or resumed.

Red Hat Network Satellite can provision virtualization hosts from bare metal. KVM and Xen guest virtual machines can be provisioned as well. In this course we will examine how to manage virtualization hosts and guests that utilize KVM virtualization technology since Xen is only supported in Red Hat Enterprise Linux 5.

Types of Entitlements

Regular entitlements are consumed when physical systems register with Red Hat Network. These are defined as slots in the Satellite entitlement certificate. Physical systems cannot successfully register with Red Hat Network if no regular entitlements are available.

Virtualization and Virtualization Platform add-on entitlements should be assigned to physical systems serving as virtualization hosts that support virtual guest machines. These entitlements are respectively defined by the values for the virtualization_host and virtualization_host_platform fields in the Satellite entitlement certificate.

Guest virtual machines hosted on properly entitled virtualization hosts consume Inherited Guest entitlements. When Inherited Guest entitlements are exhausted, regular entitlements are consumed. Inherited Guest entitlements are calculated based on the type of entitlement the hosting server has. A virtualization host with a Virtualization add-on entitlement provides 4 Inherited Guest entitlements. A host with a Virtualization Platform add-on entitlement provides an unlimited number of Inherited Guest entitlements for the guests it hosts.

Flex Guest entitlements are consumed by virtual machines that are hosted by a machine that isn't registered with Red Hat Network. They are also consumed by guests of host machines that do not have Virtualization or Virtualization Platform add-on entitlements. Currently Flex Guest and regular entitlements are combined together on the Satellite server and the Satellite Certificate.

Virtual Host RHN Configuration

• Register the virtualization host to RHN normally

• Ensure it has Virtualization or Virtualization Platform add-on entitlement

• Ensure it is registered to appropriate RHN Tools child channel

• Install the virtualization, virtualization-platform, and virtualization-client package groups

• Install the rhn-virtualization-host package


• Install osad and start the service

• Allows RHN Satellite to push management commands to clients

• With VMs running, run rhn_check; rhn-profile-sync

To allow management of a virtualization host's guest machines through RHN, it must be properly configured in advance.

The virtualization host should be registered normally to RHN, with either the “Virtualization” or “Virtualization Platform” add-on entitlement; these come with Red Hat Enterprise Linux and RHEL Advanced Platform, and “Virtualization” is available as an add-on to Red Hat Enterprise Linux Desktop. The virtualization host should also be registered to use the RHN Tools child channels for the version of RHEL that it is running.

Three package groups must be installed for a server to act as a KVM virtualization host. Each of them is listed below with the functionality it provides:

• virtualization - provides the qemu hardware emulation functionality used by KVM

• virtualization-platform - provides the libvirt virtualization library used to manage virtual machines

• virtualization-client - provides applications used to interact with libvirt such as virsh and virt-manager

The rhn-virtualization-host RPM needs to be installed on the virtualization host, as well as the osad service (if running RHN Satellite and the ability to immediately push commands is desired). The osad service should be configured to start at boot and started up.

Finally, on the virtualization host with its virtual guests running, the command rhn_check should be run, then the virtualization host should have its profiles updated by running rhn-profile-sync. Any virtual guests running at this time should show up in the RHN web interface.

Bridge Network Interface Configuration

A network bridge must be created on a virtualization host for virtual guests to be reachable from the external network. A private network called virbr0 is created by default that allows virtual machines to connect to the outside using the virtualization host as a NAT firewall.

To create a bridge interface called br0 that uses the eth0 physical network card, two files have to be created and/or modified: /etc/sysconfig/network-scripts/ifcfg-br0 and /etc/sysconfig/network-scripts/ifcfg-eth0. Before you modify these files, disable NetworkManager to keep it from manipulating them and undoing your changes:

[root@host ~]# chkconfig NetworkManager off
[root@host ~]# service NetworkManager stop

Next, create /etc/sysconfig/network-scripts/ifcfg-br0 with the following contents:

DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
DELAY=0
ONBOOT=yes

The BOOTPROTO directive in the example indicates the virtualization host should get its network assignments from DHCP. Static assignments can be specified instead with the IPADDR and NETMASK directives when BOOTPROTO is defined as static. After the ifcfg-br0 is created, modify the ifcfg-eth0 network interface file to look like the following:

DEVICE=eth0
BRIDGE=br0
HWADDR=mac-address-of-eth0
ONBOOT=yes

Once these files are in place, use the service network restart command to apply your changes or reboot the system. The br0 bridge should be specified when virtual guests are created to allow them direct access to the external network.
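
The two files above can also be generated from a script, for instance in a kickstart %post section. The following is an added example, not part of the workbook: the function name write_bridge_config and its arguments are assumptions, and every value is validated before a file is written so that a malformed MAC or address cannot inject extra directives.

```shell
#!/bin/sh
# Added example: write ifcfg files that attach a NIC to a bridge.
# Usage: write_bridge_config DIR NIC BRIDGE MAC [IPADDR NETMASK]
#   DIR             directory with the ifcfg files
#                   (/etc/sysconfig/network-scripts on the host)
#   MAC             hardware address of NIC
#   IPADDR NETMASK  optional; selects BOOTPROTO=static instead of dhcp

is_ifname() {
    # Names become part of a file name: letters and digits only, max 15.
    case $1 in
        ''|[!A-Za-z]*|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

is_mac() {
    # Whole-string match, so embedded newlines cannot smuggle in a directive.
    h='[0-9A-Fa-f]'
    case $1 in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
    esac
    return 1
}

is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    # Exactly four non-empty fields, each no larger than 255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

write_bridge_config() {
    dir=$1 nic=$2 bridge=$3 mac=$4 ipaddr=${5:-} netmask=${6:-}

    # Validate everything first; nothing is written on bad input.
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    is_ifname "$nic" || { echo "bad interface name: $nic" >&2; return 1; }
    is_ifname "$bridge" || { echo "bad bridge name: $bridge" >&2; return 1; }
    is_mac "$mac" || { echo "bad MAC address" >&2; return 1; }
    if [ -n "$ipaddr" ]; then
        is_ipv4 "$ipaddr" && is_ipv4 "$netmask" ||
            { echo "bad IPADDR/NETMASK" >&2; return 1; }
    fi

    {
        echo "DEVICE=$bridge"
        echo "TYPE=Bridge"
        if [ -n "$ipaddr" ]; then
            echo "BOOTPROTO=static"
            echo "IPADDR=$ipaddr"
            echo "NETMASK=$netmask"
        else
            echo "BOOTPROTO=dhcp"
        fi
        echo "DELAY=0"
        echo "ONBOOT=yes"
    } > "$dir/ifcfg-$bridge"

    {
        echo "DEVICE=$nic"
        echo "BRIDGE=$bridge"
        echo "HWADDR=$mac"
        echo "ONBOOT=yes"
    } > "$dir/ifcfg-$nic"
}

# Example call on the host (MAC read from sysfs):
#   write_bridge_config /etc/sysconfig/network-scripts eth0 br0 \
#       "$(cat /sys/class/net/eth0/address)"
```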

References

Red Hat Network Satellite Reference Guide

• Section 10.1: Setting Up the Host System for Your Virtual Systems


Practice Exercise

Converting a Server to a Virtualization Host

Before you begin...

Your client machine, station1.privateX.com, will be transformed into a server that will host virtualization guest machines.

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Example, Inc. has existing machines registered with their Red Hat Network Satellite Server. Virtualization is being introduced to their server room so existing hosts need to be converted into virtualization hosts running virtual guests.

1. First the network needs to be configured to provide a bridge network interface for virtual guests. Disable the NetworkManager service to prevent network configuration files from being modified automatically:

[root@station1 ~]# chkconfig NetworkManager off
[root@station1 ~]# service NetworkManager stop

Create/modify the network configuration files on station1 to support a network bridge. /etc/sysconfig/network-scripts/ifcfg-br0 should contain the following lines:

DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
DELAY=0
ONBOOT=yes

Modify /etc/sysconfig/network-scripts/ifcfg-eth0 so it contains the following lines:

DEVICE=eth0
BRIDGE=br0
HWADDR=mac-address-of-eth0
ONBOOT=yes

Once the files have been modified, restart the network service and confirm station1 has a working network with the br0 bridge.

2. Install additional software needed to support virtualization. Install the virtualization, virtualization-client, and virtualization-platform package groups. Once all the software is installed, reboot your client system.

3. Copy the install-vserver script from the instructor's machine to your client system, station1, and execute it. It will use kickstart to install a virtual guest called vserver on the local machine. The script can be found at the following URL: ftp://instructor.example.com/pub/materials/install-vserver.


Practice Exercise

Red Hat Network Registration of Virtual Machines

Before you begin...

A virtualization host (station1.privateX.com) running RHEL 6 registered to your RHN Satellite Server and a vserver virtual machine installed with RHEL 6 running as a guest.

Carefully perform the following steps. Ask your instructor if you have problems or questions.

In this sequence, you will register vserver with Red Hat Network under station1's entitlement. Note that the first couple of steps of this exercise can be completed on the Satellite server and virtualization host while vserver finishes installing.

1. Log into your RHN Satellite using an account that can manage station1.privateX.com, and ensure it is entitled to Virtualization service and its software channel subscriptions include “RHN Tools for RHEL”.

2. Log in as root on the virtualization host. Use yum to install the rhn-virtualization-host and osad packages. Start the osad service and ensure it will start automatically at boot. This enables remote management of virtual machines from the RHN web interface.

3. After the virtualization guest has finished installing, make sure the vserver domain is running. On the virtualization host run rhn_check and rhn-profile-sync as root.

4. Log into the virtualization guest and download the bootstrap.sh script you completed in a previous lab from your Satellite Server. Use it to register the guest with your RHN Satellite Server.

5. In the RHN web interface, select the Systems tab. You should see your newly-registered vserver virtual machine listed under its host name. Note the different system icon. Now click on your station1.privateX.com host name link, then on the system detail page find its Virtualization link/tab and click on that. You should see the list of the virtual machines running on station1 when you updated its RHN profile. If any of them are not registered with Red Hat Network, you will see “Unregistered System” instead of a host name for its profile name. Click on the hostname link for vserver (e.g. station9.privateX.com) to see its RHN profile.


Virtual Machine Provisioning

Provisioning Virtualization Hosts Using RHN

• Prepare an activation key for registration

• Subscribe to base + rhn-tools + vt channels as a minimum

• Virtualization or Virtualization Platform add-on entitlement

• Creation of kickstart profile

• Important - virtualization type should be None for a KVM virtualization host, Xen Virtualized Host for Xen only

• Incorporate activation key in previous step

• Install osad and rhn-virtualization-host RPMS in %post

• Create necessary network bridges in %post

The best way to automate the provisioning of a virtualization host using Red Hat Network involves an activation key and a kickstart profile. The primary purpose of the activation key is to assign entitlements to the freshly installed virtualization host. It should subscribe to the base channel for Red Hat Enterprise Linux and the related RHN Tools child channel. The Virtualization or Virtualization Platform add-on entitlement can also be assigned to the new host using the activation key. This activation key can be modified or used with other activation keys to assign the new system to a system group for administration.

Create a kickstart profile that uses the activation key described above. Although Xen Virtualized Host is presented as a Virtualization Type as part of the first step of creating the profile, select None when creating a KVM-based virtualization host. Xen Virtualized Host is used on Xen-based Red Hat Enterprise Linux 5 virtualization hosts and it enables capabilities and default selections in the kickstart profile that aid the building of a virtualization host, such as selecting the VT installation repository to be available during installation.

Although the activation key subscribes the host to the RHN Tools child channel, the kickstart profile can perform that step as well. These channels can be selected in the kickstart profile by clicking the Kickstart Details tab then selecting the Operating System sub-tab. Note the kickstart profile child channel selection is overridden by activation keys, so consider this as a backup child channel assignment.

Finally, create a kickstart %post script to install the osad and rhn-virtualization-host RPMS. This will permit administration of guest machines using the RHN web interface. You can't include these packages in the kickstart package list because the RHN Tools child channel isn't available during the installation of the core operating system. The relevant code in the %post section could be as follows:

yum -y install rhn-virtualization-host osad
chkconfig osad on


Provisioning Guest Machines Using RHN

• Prepare an activation key for registration

• Creation of kickstart profile

• Important - virtualization type should be one of 3 types of guests:

• KVM Virtualized Guest

• Xen Fully-Virtualized Guest

• Xen Para-Virtualized Guest

• Specify virtual machine characteristics

• Virtual memory and virtual CPU resources

• Virtual disk space to be allocated

• Network bridge interface

• Use web interface to initiate guest kickstart

Provisioning a virtualized guest is simpler than provisioning a virtualization host in some ways, but it requires more decisions in others. Registering with an activation key isn't really necessary, but is still useful for subscribing to other software channels and joining specific system groups.

Create a kickstart profile and select one of the three virtual guest types when specifying the virtualization type. After the kickstart location and the root password have been provided, tabs will appear that allow for further customization of the kickstart profile. Click the Kickstart Details tab then select the Details sub-tab. It is here you can change the virtualization type or determine virtual machine characteristics, such as:

• virtual machine memory (default 512MB)

• virtual CPUs (default 1)

• virtual disk space (default 3GB)

• network bridge

The virtual disk will be allocated as a file on the virtualization host located in the /var/lib/libvirt/images directory. The network bridge can be external facing, such as br0, or virbr0 (for a connection to the private, memory-based network provided by libvirt).

Once all settings have been determined, use the web interface to initiate a kickstart of a guest machine. Navigate to the system profile of the virtualization host. Click on the Virtualization tab then select the Provisioning sub-tab. Click a radio button to select the guest kickstart profile to use and choose a unique name for the guest (it will serve as its Xen domain name). The final step is to schedule when the kickstart will occur.

Virtual Guest Deletion

• Deleting a virtual guest requires a few steps:

• Shut down the virtual guest

• Delete the virtual guest system profile from RHN

• Remove the virtual guest configuration on the host

• Remove the virtual storage image file

Red Hat Network doesn't have a turn-key way to delete a virtual guest machine. Deleting a virtual guest involves a few steps to make sure it is thoroughly removed from the virtualization host and all disk space is reclaimed.

First, shut down the guest machine. The Red Hat Network web interface can be used to shut down the virtual guest. Another option is to log into the virtualization host and use virsh destroy or virsh shutdown to shut down the guest VM. ssh can also be used to log into the guest directly and use the shutdown command.

The next step is to delete the virtualization guest system profile from Red Hat Network. Log into RHN as a user who can administer the virtual guest system, navigate to the system profile of the virtual guest, then click the delete system button and confirm.

Delete the domain configuration files from the virtualization host. Use the following command to remove the virtual system information from the libvirt database:

[root@host ~]# virsh undefine domainname

Finally, reclaim the disk space used as the disk image for the virtual guest. The following command should work on the virtualization host:

[root@host ~]# rm -f /var/lib/libvirt/images/domainname
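
The last two steps, as an added example that is not part of the workbook: a shell function that refuses to act unless the guest is shut off, then undefines it and removes its image. The names delete_guest, VIRSH and IMAGES are assumptions; the domain name is checked because it is pasted into the path handed to rm. Deleting the RHN system profile is still done in the web interface.

```shell
#!/bin/sh
# Added example: undefine a shut-off guest and reclaim its disk image.
VIRSH=${VIRSH:-virsh}                       # set VIRSH=echo for a dry run
IMAGES=${IMAGES:-/var/lib/libvirt/images}   # image directory named in the text

valid_domain() {
    # Reject empty names, leading dots (".", "..", hidden files) and any
    # character outside a conservative set, which rules out "/" and newlines.
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

image_path() {
    # Print the image path for domain $1. Fails unless it is a regular file
    # directly inside $IMAGES; a symlink could point at any file on the host.
    valid_domain "$1" || return 1
    p=$IMAGES/$1
    [ -f "$p" ] && [ ! -L "$p" ] || return 1
    printf '%s\n' "$p"
}

delete_guest() {
    name=$1
    valid_domain "$name" || { echo "refusing domain name" >&2; return 2; }

    # virsh domstate prints the state, for example "running" or "shut off".
    state=$("$VIRSH" domstate "$name" 2>/dev/null) ||
        { echo "unknown domain: $name" >&2; return 3; }
    [ "$state" = "shut off" ] ||
        { echo "$name is '$state'; shut it down first" >&2; return 4; }

    "$VIRSH" undefine "$name" || return 5

    if img=$(image_path "$name"); then
        rm -f -- "$img"
    else
        echo "no regular image file for $name in $IMAGES; nothing removed" >&2
    fi
}

# Example call on the virtualization host, as root:
#   delete_guest vserver
```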

References

Red Hat Network Satellite Reference Guide

• Section 10.2: Setting Up Your Virtual Systems

Red Hat Network Satellite Deployment Guide

• Section 5.8.3: Virtualized Guest Provisioning


Practice Exercise

Provisioning a Virtualization Host

Carefully perform the following steps. Ask your instructor if you have problems or questions.

In previous exercises you converted an existing host to a virtualization host. Use RHN Satellite kickstart capabilities to provision a virtualization host from bare metal.

1. Create a kickstart profile called kvm-host in your Satellite Server to build a virtualization host. The installing system should use the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base channel for software and install from the ks-rhel-x86_64-server-6-6.0 kickstart tree. Set the root password to redhat.

2. Once the kvm-host kickstart profile is created, adjust the timezone to use the local timezone and have installed systems use UTC in their hardware clocks. Automate installation of the standard Red Hat release GPG key. The @virtualization, @virtualization-client, and @virtualization-platform package groups should be installed.

Use the %post script of the kickstart file to install the rhn-virtualization-host and osad packages. Configure the osad service to start at boot time. Also provide some shell code to configure the network to use a bridged network interface.

3. Use the Satellite Server to schedule station1.privateX.com to kickstart install itself using the kvm-host kickstart profile. The kickstart should be initiated immediately.

While the client system installs, use Cobbler to determine the system profile name of the kickstarting system. Delete all other Cobbler system profiles, then disable the netboot feature for the installing system.


Practice Exercise

Provisioning a Virtualized Guest

Carefully perform the following steps. Ask your instructor if you have problems or questions.

With the virtualization host built, now it is time to use Red Hat Network Satellite to provision the virtual guests running on the host.

1. Create a kickstart profile called kvm-guest in your Satellite Server to build a virtual guest. The installing system should use the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base channel for software and install from the ks-rhel-x86_64-server-6-6.0 kickstart tree. Set the initial root password to redhat.

2. Modify the virtual machine network configuration to use the br0 bridge interface of the virtualization host and send console messages to ttyS0. Adjust the timezone to use the local timezone and have installed systems use UTC in their hardware clocks.

3. Use the RHN Satellite to provision a virtual guest on station1.privateX.com. Schedule a guest system to install using the kvm-guest kickstart profile. The guest should be named vserver; initiate the kickstart installation immediately.

4. After the installation of the virtual guest completes, use the Satellite web interface to confirm that it has registered with the Satellite server.


Unit Summary

Virtual Host Configuration

In this section you learned how to:

• Manage RHN entitlements in a virtualized environment

• Convert an existing Red Hat Enterprise Linux system into a KVM-based virtualization host

• Create a network interface bridge

Virtual Machine Provisioning

In this section you learned how to:

• Use RHN Satellite to provision a KVM-based virtualization host

• Use RHN Satellite to provision a virtual guest

• Delete a virtual guest and reclaim its resources


Chapter 11.


UNIT ELEVEN

RHN SATELLITE SERVER ADMINISTRATION

Introduction

Topics covered in this unit:

• db-control

• rhn-satellite-activate

• rhn-ssl-tool and rhn-ssl-dbstore

• rhn-satellite-exporter

• High-availability options

• Troubleshooting


RHN Satellite Database Management

The /usr/sbin/rhn-satellite script is a wrapper that launches, checks the status of, or shuts down the various daemons that provide the Red Hat Network Satellite service. It works like an init script except it is executed directly. All of the daemons that make up RHN Satellite Server are installed and configured to start at boot. The rhn-satellite command immediately controls the current status of those daemons.

RHN Satellite Server components:

Component         Function
rhn-satellite     wrapper that holds everything together
oracle            database engine
osa-dispatcher    push events to client systems
jabberd           transport layer for osa-dispatcher messages
Apache/httpd      web interface for users and xmlrpc
tomcat/catalina   Java support, implements Java Servlets and JSP
taskomaticd       handles scheduled jobs
rhnsearchd        RHN search engine
cobblerd          RHN provisioning engine


Embedded Database Management

The db-control utility is used to manage the Oracle database on Red Hat Network Satellite Servers that use the embedded database. SQL manipulation of the embedded database is not supported by Red Hat and is discouraged. db-control is a wrapper provided by Red Hat to perform basic database system administration functions.

[root@host ~]# db-control status
Error: please run this command as the oracle user ('su - oracle').
[root@host ~]# su - oracle
-bash-3.2$ db-control stop
Shutting down database... done.
-bash-3.2$ db-control status
The database is in the process of shutting down.
-bash-3.2$ db-control status
The database is offline.
-bash-3.2$ db-control start
Starting database... done.
-bash-3.2$ db-control status
The database is running and accepting connections.

The db-control utility must be executed as the oracle user.

Table Maintenance

The db-control command can be used to manage the size of the database tables. After approximately 3 base software channels are imported into the Satellite Server an increase is needed, but the need for space only becomes known through strange tracebacks. The tables cannot expand themselves due to possible exponential growth, so the Satellite system administrator must expand them manually. Usually the tables that need some attention are the DATA_TBS and/or the UNDO_TBS tables.

[root@host ~]# su - oracle
-bash-3.2$ db-control report
Tablespace  Size   Used    Avail   Use%
DATA_TBS    3.9G   609.2M  3.3G    15%
SYSAUX      500M   64.1M   435.8M  13%
SYSTEM      400M   242.6M  157.3M  61%
TEMP_TBS    1000M  0B      1000M   0%
UNDO_TBS    1000M  87.4M   912.5M  9%
USERS       128M   64K     127.9M  0%
-bash-3.2$ db-control extend UNDO_TBS
Extending UNDO_TBS... done.
-bash-3.2$ db-control report
Tablespace  Size   Used    Avail   Use%
DATA_TBS    3.9G   609.2M  3.3G    15%
SYSAUX      500M   64.1M   435.8M  13%
SYSTEM      400M   242.6M  157.3M  61%
TEMP_TBS    1000M  0B      1000M   0%
UNDO_TBS    1.4G   88.5M   1.3G    6%
USERS       128M   64K     127.9M  0%

If necessary, run db-control extend multiple times to extend further, since size cannot be specified.
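Because a full tablespace only shows up as tracebacks, a scheduled check of the db-control report output catches it earlier. The following Python 3 script is an added example, not part of the workbook or of db-control: it parses the report shown above (embedded as constructed sample input) and names the tablespaces that cross a threshold. The thresholds, the function names and the reading of the size suffixes as powers of 1024 are assumptions of the example.

```python
# Added example: flag embedded-database tablespaces that are close to full.
import re
import subprocess

# Constructed sample input: the `db-control report` output shown in the text.
SAMPLE_REPORT = """\
Tablespace  Size   Used    Avail   Use%
DATA_TBS    3.9G   609.2M  3.3G    15%
SYSAUX      500M   64.1M   435.8M  13%
SYSTEM      400M   242.6M  157.3M  61%
TEMP_TBS    1000M  0B      1000M   0%
UNDO_TBS    1000M  87.4M   912.5M  9%
USERS       128M   64K     127.9M  0%
"""

# Assumption of this example: size suffixes are powers of 1024.
UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)%$")
SIZE = re.compile(r"^(\d+(?:\.\d+)?)([BKMGT])$")


def parse_size(text):
    """Convert a size such as '609.2M' or '0B' to a number of bytes."""
    match = SIZE.match(text)
    if not match:
        raise ValueError("unrecognised size: %r" % text)
    return float(match.group(1)) * UNITS[match.group(2)]


def parse_report(text):
    """Return {tablespace: {'size', 'used', 'avail' (bytes), 'pct'}}."""
    table = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue  # header row, blank line or a status message
        name, size, used, avail, pct = match.groups()
        table[name] = {"size": parse_size(size), "used": parse_size(used),
                       "avail": parse_size(avail), "pct": int(pct)}
    return table


def needs_extend(text, max_pct=80, min_avail="100M"):
    """Names of tablespaces at or above max_pct used, or below min_avail free."""
    floor = parse_size(min_avail)
    return [name for name, row in parse_report(text).items()
            if row["pct"] >= max_pct or row["avail"] < floor]


def run_report():
    """Fetch a live report; db-control must be run as the oracle user."""
    result = subprocess.run(["db-control", "report"], check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    for name in needs_extend(SAMPLE_REPORT, max_pct=60):
        print("extend candidate: %s" % name)
```

On a Satellite Server, pass run_report() instead of SAMPLE_REPORT and run the script from the oracle account's crontab.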

Internal tables can be:

• Inspected: db-control {report|tablesizes}

• Analyzed: db-control {gather-stats|report-stats}

• Expanded: db-control extend TABLE

• Shrunken: db-control shrink-segments

Database Backup and Restore

The db-control backup location command saves the contents of the database to disk. It is a cold backup that requires the database to be offline during the backup; db-control does not stop the database automatically.

-bash-3.2$ mkdir backup-YYYYMMDD
-bash-3.2$ db-control stop
Shutting down database... done.
-bash-3.2$ db-control backup backup-YYYYMMDD
Initiating cold backup of database rhnsat...
/opt/apps/oracle/config/10.2.0/lkRHNSAT -> backup-YYYYMMDD/lkRHNSAT.gz ... done.
... Output omitted ...
Full cold backup complete.

An alternate method for performing backups of the Satellite Server database includes the following steps:

1. Stop the database

2. Snapshot the /rhnsat partition

3. Start the database

4. Backup /rhnsat and remove the snapshot when finished

To restore a Satellite Server from backups, first reinstall the base operating system. Install the same version of the Satellite Server software. An answer file would help automate this process and make sure the server is built consistently. Once the Satellite Server finishes installing, do not go to the web page and create the Satellite Administrator account.

Instead, stop the Satellite Server software and restore the filesystem backups for /rhnsat and /var/satellite. Make the most recent backup of the database available and restore the backup with the following command:

-bash-3.2$ db-control restore path-to-backups

Restore the SSL key and certificate for the Satellite Server (more on that a little later), then start the RHN Satellite Server software.

You can check the state of the backups by running db-control {examine|verify}.


References

Red Hat Network Satellite Installation Guide

• Section 8.4: Using RHN DB Control

Red Hat Network Satellite Deployment Guide

• Section 2.2.1: Backing up the Embedded Database

• Section 2.2.3: Restoring the Embedded Database

db-control(1) man page


Practice Exercise

RHN Satellite Embedded Database Maintenance

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Perform basic RHN Satellite embedded database maintenance functions such as extending an internal table space and making a backup of your RHN Satellite database.

1. Sometimes RHN Satellite embedded database performance can suffer when an internal table becomes full. Determine the current size and utilization of the UNDO_TBS table then extend it. Record both its original and new size and utilization below:

2. Perform a backup of your Red Hat Network embedded database. Save the backup in a directory called rhn-sat-backup-YYYYMMDD below the home directory of the oracle account. How much disk space does the backup take?

3. Confirm the integrity of the RHN Satellite embedded database backup you just created.


Satellite Server Management

RHN Certificate Management

Entitlement certificates have to be updated for a couple of reasons. Each certificate issued by Red Hat has an expiration date, so they must be renewed and reactivated. Also, a new certificate will need to be activated when additional capabilities are purchased - perhaps more slots or different software entitlements are needed.

Entitlement certificates are generated by Red Hat customer service. Check the expiration of your current certificate and be sure to call well ahead of the expiration when renewing. When a certificate expires there is a 7-day grace period, then the Satellite Server stops functioning until a new certificate is activated.

Check the new certificate for correctness. It must match the version of Red Hat Network Satellite Server; always double-check the number of system entitlements and software channel entitlements. Excess systems are unsubscribed by taskomatic, and systems are unsubscribed based on taskomatic's queue, which is random. When a system gets unsubscribed in this manner it loses its association with all channels, including configuration channels. Once an entitlement becomes available it must be resubscribed manually, which is a time-consuming process.

The tool of choice for RHN certificate management is rhn-satellite-activate. Use the --rhn-cert=PATH option to rhn-satellite-activate to specify the RHN certificate. This option verifies the integrity of the certificate, inserts it into the local Satellite Server database and then inserts it into the Red Hat database on RHN. The --disconnected option to rhn-satellite-activate prevents the remote insertion.

Disconnected to Connected Operation

Many Red Hat consultants prefer to install Red Hat Network Satellite in disconnected mode then connect to hosted RHN once the server is running and has much of the software channel content loaded. This approach saves bandwidth and the installation process doesn't require Internet availability.

First, the Satellite Server must be registered as a client of hosted Red Hat Network. It is very important that the server be registered with the RHN account that meets the following requirements:

• it has an available RHN Satellite software entitlement

• the Entitlement certificate is associated with it

Next, /etc/rhn/rhn.conf must be modified to point the Satellite Server back to hosted RHN's servers:

server.satellite.rhn_parent = satellite.rhn.redhat.com

Finally, reactivate the Satellite Server with the RHN entitlement certificate using rhn-satellite-activate:

# rhn-satellite-activate --rhn-cert=PATH-TO-CERT


SSL Certificate Management

The RHN Satellite installer generates SSL keys and certificates. Original copies of CA and host certificates are stored in the /root/ssl-build directory. At the top-level directory is the certificate authority key and certificate. There is a subdirectory with the Satellite Server's host name that has the SSL key and certificate used by the RHN Satellite Apache daemon. Both directories also have source and binary RPMs used to deploy the keys.

In /root/ssl-build the certificate authority certificate is stored in a file called RHN-ORG-TRUSTED-SSL-CERT. This file is embedded in an RPM called rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm and both are published to RHN clients of the Satellite Server. RHN-ORG-PRIVATE-SSL-KEY is the certificate authority private key and it should be carefully guarded.

/root/ssl-build/hostname contains the SSL host key and certificates used by the Satellite Server. The host certificate is signed by the CA in the top-level directory. The rhn-org-httpd-ssl-key-pair-hostname-1.0-1.noarch.rpm RPM contains all of the SSL files used by the Red Hat Network daemons that run on the Satellite Server. Here is the list of files provided by such an RPM:

[root@host ssl-build]# rpm -qlp host/rhn-org-httpd-ssl-key-pair-host-1.0-1.noarch.rpm
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.csr/server.csr
/etc/httpd/conf/ssl.key/server.key
/etc/pki/spacewalk/jabberd/server.pem

The rhn-ssl-tool generates SSL keys/certs (and RPM) for Satellite use. Certificates are installed in ~/ssl-build. You must include either the --gen-server or the --gen-ca option to rhn-ssl-tool. When the CA certificate changes it must be imported into the Satellite database (rhn-ssl-dbstore).

Satellite Host Name Change

Occasionally a Red Hat Network Satellite server's host name is changed to accommodate network changes. When the IP address changes, but there is no change in host name, existing SSL host certificates can be used without any changes. But when the host name changes, new SSL host certificates must be created to match the new Satellite host name.

The spacewalk-hostname-rename command takes a single argument, the new IP address, and generates new SSL host certificates for the RHN Satellite server. This tool does not update any RHN Proxy or client system configurations. Their configurations will have to be updated to point to the new Satellite server host name.

References

Red Hat Network Satellite Installation Guide

• Section 5.3: Managing the RHN Certificate with RHN Satellite Activate

Red Hat Network Satellite Client Configuration Guide

• Section 3.2: The RHN SSL Maintenance Tool

rhn-satellite-activate(8), rhn-ssl-tool(1), rhn-ssl-dbstore(8), and satellite-hostname-rename(8) man pages

Practice Exercise

Activating a New Satellite Entitlement Certificate

Carefully perform the following steps. Ask your instructor if you have problems or questions.

There are a couple of reasons a new RHN Satellite entitlement certificate is issued to a Red Hat customer: expanded capabilities or an extension on the certificate expiration date. In this exercise you will activate a new Satellite entitlement certificate that will provide more capabilities.

• On the instructor's server there is a more robust RHN Satellite entitlement certificate available for your use. You can access the certificate using the following pathname on your Satellite Server: /misc/instructor/rh401-satellite/redhat-gls-maximum-5.4.cert. Reactivate your Satellite Server using this certificate.

Log in as your Satellite Administrator, satadmin, and inspect the system and software entitlements available for deployment.

Software Channel Synchronization

Exporting Software Packages

The rhn-satellite-exporter utility writes software channel information to the file system including packages, errata, kickstart trees, and metadata. Channel dumps created with this tool can be used to update disconnected Satellite servers. It can also be used to back up custom software channel content.

Child channels cannot be exported by themselves. rhn-satellite-exporter will create an archive, but satellite-sync cannot use the child channel content by itself - it must be associated with a base channel. The following process properly exports a child channel so satellite-sync will use it:

[root@host ~]# mkdir export-tmp
[root@host ~]# rhn-satellite-exporter --step=short -d export-tmp -c base-channel-label
... Output omitted ...
[root@host ~]# rhn-satellite-exporter -d export-tmp -c child-channel-label
... Output omitted ...

The --step=short option causes only the metadata to be dumped: no packages, no kickstart trees, no errata, just essentials.

Useful rhn-satellite-exporter options:

• --list-channels - shows available channels

• --channel=LABEL - channel to include in dump

• --dir=DIRECTORY - preexisting directory to put content into

Note

The Inter-Satellite Sync (ISS) feature allows Satellite servers that are connected to each other to synchronize software channel content with each other. Normally there is a master/slave relationship between servers, but bi-directional synchronization between two servers is also possible.

References

rhn-satellite-exporter(8) man page

Red Hat Network Satellite Installation Guide

• Section 6.4: Inter-Satellite Sync

• Section 6.5: Using Inter-Satellite Sync


Practice Exercise

Exporting Custom Child Software Channel Content

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Backing up the RHN Satellite embedded database does not preserve custom software channel content. Use rhn-satellite-exporter to back up your custom software channel content.

1. Log in as root on desktopX and display the list of software channels currently in your RHN Satellite Server. Take note of the labels of the channels you want to save and the names of their parent channel.

2. Create a directory called custom-dump. Export the software channel content for the example-custom channel into custom-dump so it can be taken and imported into another disconnected Satellite Server.

3. Confirm the channel content is usable with the satellite-sync command. Check carefully and be sure the example-custom channel appears in the output of satellite-sync.


High Availability Options

Some companies demand high availability Red Hat Network services within their datacenters. The following solutions maintain high availability at differing expense levels in terms of cost and maintenance.

One solution would be to implement RHN Satellite services on a high availability cluster. The services could be gracefully migrated to another node in the cluster during scheduled downtimes and would fail over in the event of a crash.

Larger corporations which have multiple Satellite servers can configure them in a horizontally tiered topology. Section 3.2 of the Red Hat Network Satellite 5.4 Installation Guide provides more details on this approach. It would require more maintenance to keep the content of the peers synchronized. Client machines would be configured to get updates from multiple servers. The servers are prioritized according to the order they appear in /etc/sysconfig/rhn/up2date:

serverURL[comment]=Remote server URL
serverURL=https://primary.satellite.fqdn/XMLRPC; https://backup.satellite.fqdn/XMLRPC

Another possible solution would be to clone a Satellite Server with an embedded database and keep a hot spare available. This process involves installing a second Satellite Server and synchronizing the database of the primary Satellite with the backup on a daily basis. Section 8.5 of the Red Hat Network Satellite 5.4 Installation Guide provides more details on this approach.

References

Red Hat Network Satellite Installation Guide

• Section 8.5: Cloning the Satellite with Embedded DB

• Section 8.6: Establishing Redundant Satellites with Stand-Alone DB


Troubleshooting Satellite Server Issues

We saw earlier that the rhn-satellite command is used to start and stop all of the daemons that implement Red Hat Network Satellite services. This tool can also display general status information about those daemons when passed the status argument. Additionally, the status of the individual components of Red Hat Network can be checked using init scripts:

[root@host ~]# service oracle status
Oracle Net Listener (pid 2842) is running...
Oracle DB instance rhnsat (pid 2854) is running...
[root@host ~]# service httpd status
httpd (pid 3514) is running...
[root@host ~]# service taskomatic status
RHN Taskomatic is running (3886).

Once a service has been identified as having problems, examining its log files is the next logical step in troubleshooting. Since RHN Satellite has many components, there are a variety of log files that could contain useful information. Debugging can be made more verbose by defining a debug value in /etc/rhn/rhn.conf. The possible values for debug range from 0 (disables most debug statements) to 6 (this is as verbose as it gets).

Although some daemons write log messages in the system-wide log file, /var/log/messages, many RHN daemons have their own log files:

• db-control operations and messages - /var/log/rhn/rhn_database.log

• Messages related to push events to client systems - /var/log/rhn/osa-dispatcher.log

• Log files for the Apache component - /var/log/httpd/*

• Messages pertaining to Java support - /var/log/tomcat5/catalina.out

• Messages concerning RHN scheduled tasks - /var/log/rhn/rhn_taskomatic_daemon.log

• Messages relevant to provisioning - /var/log/cobbler/*

Red Hat Network also uses e-mail notifications. Make sure the traceback_mail variable in /etc/rhn/rhn.conf points to the e-mail address that should receive error message e-mails from the Satellite Server.

E-mail messages that originate from the Satellite Server appear to come from the user [email protected]. Define a value for web.default_mail_from in /etc/rhn/rhn.conf to have a legitimate e-mail address appear in notifications.

DNS issues

If you see “host not found” on the clients, make sure DNS is working and the host name of the Satellite Server resolves. If the web server on the Satellite server produces “Could not determine the server's fully qualified domain name,” check /etc/hosts and make sure the entry for 127.0.0.1 only refers to localhost entries.

Connection errors

Make sure the clients and server are using the same time (best to synchronize with NTP). Also make sure the SSL certificate for the Satellite server hasn't expired:

[root@host ~]# openssl x509 -dates -noout -in FILE

where FILE is /etc/httpd/conf/ssl.crt/server.crt on the Satellite Server and /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT on the errant client.

Update agent (yum/up2date) errors

Sometimes the problem may be corrupt jabberd logs. Perform the following steps to resolve this particular issue:

[root@host ~]# service jabberd stop
Shutting down Jabber router: [ OK ]
[root@host ~]# rm -f /var/lib/jabberd/_db*
[root@host ~]# service jabberd start
Starting Jabber services [ OK ]

It is recommended that you do not install extra software and that you avoid subscribing to other channels (such as Red Hat Developer Suite, Application Server, Extras, etc.) on the Satellite Server. This will avoid installing incompatible RPM packages.

Some common problems

• Not using FQDN for Satellite server URIs

• Disk full?

• DNS issues?

• Connection errors

• yum/up2date or push failing?

References

Red Hat Network Satellite Installation Guide

• Chapter 7: Troubleshooting


Unit Summary

RHN Satellite Database Management

In this section you learned how to:

• Maintain the RHN Satellite embedded database

Satellite Server Management

In this section you learned how to:

• Activate a new RHN Entitlement Certificate

• Manage SSL certificates for secure communication

• Connect a disconnected Satellite server to Hosted RHN

Software Channel Synchronization

In this section you learned how to:

• Export software channel content

High Availability Options

In this section you learned how to:

• Configure a hot-spare Satellite Server

Troubleshooting Satellite Server Issues

In this section you learned how to:

• Troubleshoot common Satellite server issues

Chapter 12.

UNIT TWELVE

RHN APPLICATION PROGRAMMING INTERFACE

Introduction

Topics covered in this unit:

• Uses for Red Hat Network API

• Basic API program structure

• Sample API scripts

• RHN Satellite reporting tool

Chapter 12. RHN Application Programming Interface

Application Programming Interface Scripting

Red Hat Network API

The Red Hat Network Application Programming Interface (API) provides a mechanism that allows programmers to write programs which interact with a RHN Satellite Server. Many tasks that can be performed through the web user interface can also be accomplished by the methods provided by the RHN API.

The API extends the functionality of RHN because it allows scripts to replace repetitive tasks that would be extremely difficult to do using the web interface. This added functionality facilitates automation and scalability within the enterprise.

Supported Programming Languages

XML-RPC is a client/server remote procedure call communications protocol that uses XML tags to encode its messages. It uses the HTTP protocol as its transport mechanism.

Perl scripts that interact with the Red Hat Network API typically use the Frontier::Client modules provided by the perl-Frontier-RPC package. The perl-Frontier-RPC RPM is not provided as part of the standard Red Hat Enterprise Linux channels. It is provided as part of the Red Hat Network Satellite software channel.

The python RPM provides xmlrpclib, a library that implements XML-RPC client support. Since it is part of the standard Python installation, no additional packages are required to write Python scripts that use the Red Hat Network API.

RHN API Program Structure

Before calling any Red Hat Network API methods, an XML-RPC connection must be established with the RHN server. This is the scripted parallel to using a URL with a browser to connect to the server.

Next, the login method in the auth namespace is called with a valid RHN login and password to authenticate into the RHN server. The session key returned by the method is passed as an argument to other method calls. This session key represents an authenticated user's access to the RHN server and determines which privileges and access are given to the other methods. For example, many of the user namespace methods will only work with a session key generated by the successful authentication of the Satellite Administrator or Organization Administrator to access information about other RHN users on the system. Also, queries and changes will be made within the organization of the authenticated user.

API Namespaces and Methods

• api
  • Provides getVersion and systemVersion methods
• preferences
  • Methods for locale and timezone configuration
• proxy
  • Provides methods to manage RHN Proxies
• satellite
  • Provides RHN Satellite management methods
• auth
  • Provides login and logout methods
• org
  • Provides methods for Organization management
• user
  • Provides methods for RHN user administration
• channel
  • Provides methods for managing Software Channels
• configchannel
  • Provides methods for Configuration Channel management
• errata
  • Provides methods to manage RHN errata
• packages
  • Methods that search for and delete packages within RHN
• activationkey
  • Provides methods for managing Activation Keys
• kickstart
  • Provides methods to manage kickstart profiles
• schedule
  • Methods to search and manage scheduled events
• system
  • Provides methods for queries and management of registered systems
• systemgroup
  • Provides methods for System Group administration


Sample Python Script

#!/usr/bin/python
import xmlrpclib

URL = "https://satellite.example.com/rpc/api"
user = "rhn-username"
pswd = "rhn-password"

# Establish the XML-RPC connection, then authenticate to get a session key.
client = xmlrpclib.Server(URL, verbose=0)
session = client.auth.login(user, pswd)

# List the system groups that this user can administer.
groups = client.user.listAssignedSystemGroups(session, user)
for group in groups:
    print(group.get('name'))

# Release the session key.
client.auth.logout(session)

The Python script above lists the system groups that the user rhn-username can manage. It connects to the Satellite Server and authenticates as rhn-username with the password of rhn-password. The listAssignedSystemGroups method in the user namespace is called to generate a list of system groups that rhn-username (passed as the variable user) can administrate. The for loop prints the name field of each of the values in the list of system groups.

This script should work as long as rhn-username is a valid Red Hat Network user. Permissions aren't an issue since the user authenticating is accessing his own system group information. If this script were used to inspect the system groups of other users, it would have to authenticate as an Organization Administrator.
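The same connect, login, call, logout structure can be used to review who holds administrative roles in an organization, which needs the Organization Administrator session mentioned above. The script below is an added example, not one of the workbook's scripts; it is written for Python 3, where xmlrpclib is named xmlrpc.client, and calls user.listUsers and user.listRoles from the user namespace. The StubSatellite class, its users, roles, password and fault messages are constructed so the script runs offline; the set of roles treated as privileged is an assumption of the example.

```python
# Added example: report the RHN roles held by each user in an organization.
import ssl
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Roles this example treats as high privilege (an assumption of the example).
PRIVILEGED = {"satellite_admin", "org_admin"}


def connect(url, ca_file="/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT"):
    """Connect to a real Satellite, verifying it against the client CA file."""
    context = ssl.create_default_context(cafile=ca_file)
    return xmlrpc.client.ServerProxy(url, context=context)


def audit_roles(client, login, password):
    """Return {login: sorted role labels} for the users visible to `login`."""
    session = client.auth.login(login, password)
    try:
        report = {}
        for user in client.user.listUsers(session):
            name = user["login"]
            report[name] = sorted(client.user.listRoles(session, name))
        return report
    finally:
        # Release the session key even when one of the calls above failed.
        client.auth.logout(session)


def privileged_logins(report):
    """Logins that hold at least one role from PRIVILEGED."""
    return sorted(u for u, roles in report.items() if PRIVILEGED & set(roles))


class StubSatellite:
    """Constructed stand-in for the server side of the four methods used."""

    def __init__(self):
        self.password = {"satadmin": "constructed-password"}
        self.roles = {"satadmin": ["satellite_admin", "org_admin"],
                      "channelman": ["channel_admin"], "stan": []}
        self.users = sorted(self.roles)
        self.sessions = set()
        self.dispatcher = SimpleXMLRPCDispatcher()
        for name, func in (("auth.login", self.login),
                           ("auth.logout", self.logout),
                           ("user.listUsers", self.list_users),
                           ("user.listRoles", self.list_roles)):
            self.dispatcher.register_function(func, name)

    def _check(self, session):
        if session not in self.sessions:
            raise xmlrpc.client.Fault(1, "constructed fault: invalid session")

    def login(self, user, password):
        if self.password.get(user) != password:
            raise xmlrpc.client.Fault(1, "constructed fault: bad credentials")
        key = "constructed-session-%d" % (len(self.sessions) + 1)
        self.sessions.add(key)
        return key

    def logout(self, session):
        self._check(session)
        self.sessions.discard(session)
        return 1

    def list_users(self, session):
        self._check(session)
        return [{"id": i, "login": u} for i, u in enumerate(self.users, 1)]

    def list_roles(self, session, login):
        self._check(session)
        if login not in self.roles:
            raise xmlrpc.client.Fault(1, "constructed fault: no such user")
        return self.roles[login]


class InProcessTransport(xmlrpc.client.Transport):
    """Passes each encoded request to the stub instead of opening a socket."""

    def __init__(self, dispatcher):
        super().__init__()
        self.dispatcher = dispatcher

    def request(self, host, handler, request_body, verbose=False):
        reply = self.dispatcher._marshaled_dispatch(request_body)
        return xmlrpc.client.loads(reply)[0]


def stub_client():
    """Return (client, stub) wired together for an offline run."""
    stub = StubSatellite()
    client = xmlrpc.client.ServerProxy(
        "http://stub.invalid/rpc/api",
        transport=InProcessTransport(stub.dispatcher))
    return client, stub


if __name__ == "__main__":
    report = audit_roles(stub_client()[0], "satadmin", "constructed-password")
    for login, roles in sorted(report.items()):
        print("%-12s %s" % (login, ", ".join(roles) or "(no roles)"))
```

Against a Satellite Server, replace stub_client() with connect("https://satellite.example.com/rpc/api") and read the password from a prompt or a root-only file rather than the script itself.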

Sample Perl Script

#!/usr/bin/perl
use strict;
use warnings;
use Frontier::Client;

my $URL = 'https://satellite.example.com/rpc/api';
my $user = 'rhn-username';
my $pass = 'rhn-password';

# Establish the XML-RPC connection, then authenticate to get a session key.
my $client = Frontier::Client->new(url => $URL);
my $session = $client->call('auth.login', $user, $pass);

# List the systems that the authenticated user can administer.
my $systems = $client->call('system.listUserSystems', $session);
foreach my $system (@$systems) {
    print $system->{'name'}."\n";
}

# Release the session key.
$client->call('auth.logout', $session);

The Perl script above lists the systems the user named rhn-username can manage. It connects to the Satellite Server and authenticates as rhn-username with the password of rhn-password. The listUserSystems method in the system namespace is called to generate a list of systems that rhn-username can administrate. The foreach loop prints the name field of each of the values in the list of systems.

This script should work as long as rhn-username is a valid Red Hat Network user. Permissions aren't an issue since the user authenticating is accessing his own system group information. The listUserSystems method can take a second argument which would be a user's login name, but since it is omitted in this example it lists the systems managed by the authenticated RHN user. If this script were used to list the systems owned by other users, then it would have to authenticate as an Organization Administrator.

References

Red Hat Network Satellite API Documentation

• http://satellite.fqdn/rhn/apidoc/


Practice Exercise

Getting Started with the Red Hat Network API

Carefully perform the following steps. Ask your instructor if you have problems or questions.

This exercise will introduce you to the Red Hat Network API. Modify two versions of a script written in Perl and Python so that they successfully query your RHN Satellite Server.

1. There is a Perl script, list-users.pl, and a Python script, list-users.py, which list all the users within a Red Hat Network organization. The scripts can be found in the /misc/instructor/materials/rhn-api directory.

Log in as stan on desktopX, copy the scripts, and modify them so they will successfully query your Satellite Server and list the users in the “Example Inc.” organization.

Optional - Use revision control software to log and manage the changes you make to your copies of the scripts.

2. Modify one of your working scripts to authenticate as the Satellite Administrator. How does this affect the behavior of the script?

Practice Exercise

Using the Red Hat API to Produce Reports

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Modify one of the provided scripts to produce a useful report by using the Red Hat Network API to get more detailed information about the users from your Satellite Server.

• Write a script, list-user-roles.pl or list-user-roles.py, that lists all of the users within the Example Inc. organization. Print the following information about each user: their login name and the list of their RHN administrative roles.

Copy one of your working scripts as a starting point for your new script. Optionally maintain your script with revision control software.

RHN Satellite Reporting Tool

Satellite Reporting Tool

The Satellite Reporting Tool, spacewalk-report, is a command-line tool that produces a handful of CSV reports with information found in the RHN Satellite server database. This tool must be executed from a shell by root on the Satellite server. spacewalk-report has a useful --help option, and it lists the reports it provides when executed without an argument:

[root@host ~]# spacewalk-report --help
usage: /usr/bin/spacewalk-report [options] [report_name]
... Output omitted ...
[root@host ~]# spacewalk-report
errata-list
entitlements
inventory
users-systems
errata-systems
users

This reporting tool queries the Satellite database directly and bypasses the RHN API, which means it has access to all of the data stored in the database. Red Hat Network user authentication isn't required and the reports aren't confined to a single user or an organization's view of the data. Each report prints a header on the first line of output and the --list-fields-info option provides a brief description of each of the fields:

[root@host ~]# spacewalk-report inventory | head
server_id,profile_name,hostname,ip_address,registered_by,...
1000010000,station139.example.com,station139.example.com,192.168.0.139,satadmin,...
... Output omitted ...
[root@host ~]# spacewalk-report --list-fields-info inventory | head -n 5
server_id: System identifier
profile_name: Profile name, as stored on server
hostname: Hostname, as reported by the system
ip_address: IP address, as reported by the system
registered_by: User under which the system is registered

The Satellite Reporting Tool was a later feature added because of customer demand, so it is not provided as part of the standard RHN Satellite 5.3.0 installation media. The spacewalk-reports RPM is provided by the redhat-rhn-satellite software channel and can be installed after a Satellite server is installed and registered with Red Hat Network.

References

spacewalk-report(8) man page


Test

Criterion Test

Exercise

Using the RHN API to Perform Satellite Administration

Carefully perform the following steps. Ask your instructor if you have problems or questions.

Write a couple of Red Hat Network API scripts that perform RHN Satellite administration functions.

1. Write two scripts that use the Red Hat Network API to administrate users. The user-disable.pl, or user-disable.py, script should deactivate a RHN user account. Its positive counterpart, user-enable.pl or user-enable.py, should reactivate an existing user account. Use a program variable for the RHN login to be enabled/disabled.

These programs don't have to be fancy, they just have to be functional. There is no need to process command-line arguments or do extensive error checking.

Optionally use revision control software to manage the changes you make to your new script.

2. Use one of your scripts to disable the channelman account. Go into the RHN Satellite web interface and verify his account has been disabled. Execute the other script to reactivate his account and verify that channelman can log into your Satellite Server.

Optionally commit your changes to Subversion once your scripts are working and debugged.

Unit Summary

Application Programming Interface Scripting

In this section you learned how to:

• Write simple reports with the Red Hat Network API

• Use the RHN API to perform Satellite administration

RHN Satellite Reporting Tool

In this section you learned how to:

• Perform queries with the RHN Satellite Reporting Tool

UNIT THIRTEEN

COMPREHENSIVE REVIEW

Preparations/Do You Still Have Questions?

This unit is the final, comprehensive review for this course. Hopefully it will give you an opportunity to see how much you have learned and to solidify the content that was learned.

To prepare for the hands-on comprehensive review, cable both of your workstations to the classroom network. PXE provision desktopX with a minimal RHEL 5 installation and desktopY as a RHEL 6 workstation. Once desktopY finishes installing, cable it back to the second NIC of desktopX.

As the machines reinstall, let's spend a few minutes reviewing any of the topics introduced in this course that you feel uncomfortable with.

Practice Resequencing Exercise

Provisioning with a RHN Satellite Server

Below are the steps you will take to deploy a provisioning Red Hat Network Satellite server. Take 5-10 minutes to prioritize and order the following steps. We will discuss them as a class before you begin to implement them.

Configure desktopX to serve as a Subversion repository.

Clone the RHEL 6 Server base channel and all of its child channels.

Create a kickstart profile.

Import the relevant Red Hat software channels into the Satellite server.

Install desktopX with Red Hat Network Satellite software.

Prepare software channel content for import into the RHN Satellite.

Deploy DHCP on desktopX and configure it to support PXE.

Build and sign a custom RPM package on desktopY.

Configure desktopX as a routing gateway for the backend network.

Create a RHN system group.

Create an activation key to automate system registration.

Create a custom software channel as a child of the Red Hat RHEL 6 Server base channel.

Provision the client system using PXE menu.

Create RHN user accounts, assign appropriate roles, and allow them to administrate a common system group.

Import GPG keys into the Satellite server for deployment.

Create a Red Hat Network organization and assign it system and software subscriptions.

Import the open source project code into the Subversion repository.

Test

Criterion Test

Case Study

Red Hat Network Satellite Server Deployment Requirements

The following are the specifics for setting up your Red Hat Network Satellite server and client machine. desktopX should already be installed with a minimal RHEL 5 installation and desktopY will serve as your client server and should be installed with RHEL 6 server.

The requirements for this review are specified in more detail below. They aren't necessarily listed in the order they are to be performed.

• Install Red Hat Network Satellite software on desktopX. The materials you need to perform the installation can be found in the /misc/instructor/rh401-satellite directory on desktopX. The installation ISO is named satellite-embedded-oracle-5.4.0-20101025-rhel-5-x86_64.iso. Activate the Satellite server using the certificate named redhat-gls-maximum-5.4.cert.

After the Satellite server is installed, create a satellite administrator account with a login of rhnsatadm and a password of redhat.

• Prepare software channel content for import into the RHN Satellite. The content ISOs are in the rh401-satellite directory in a sub-directory called sat-rhel6-content.

• Import the Red Hat software channels into the Satellite server that will support provisioning of RHEL 6 Servers.

• Configure desktopX as a routing gateway for the backend network. The network addresses will be in the 10.100.X.0 subnet with a netmask of 255.255.255.0. The second network interface of desktopX should have a static address of 10.100.X.254. Ensure IPv4 packet forwarding is enabled persistently in the kernel.

• Deploy DHCP on desktopX and configure it to support PXE provisioning. Determine the MAC address of desktopY and have DHCP consistently assign it the 10.100.X.7 IP address. Continue to use 192.168.0.254 for DNS services.

• Build a custom RPM package on desktopY for the bubbles application. Consult the README and Makefile for information about building the package. Make sure both the binary executable and README are provided by the binary RPM that you create. The README should be classified as documentation by RPM.

Generate a GPG key pair and sign the package.

• Create a custom software channel as a child of the Red Hat RHEL 6 Server base channel. Set the channel name to Custom Software with a label of custom-software. Specify the GPG key information you will use to verify the signature of RPMs you create.

• Create a Red Hat Network organization called Review Inc. The organization administrator should log in as review with a password of redhat. Assign all available entitlements to this organization.

• Create a RHN system group in the Review Inc. organization called Review Systems. Put some meaningful text in the Description field.

• Configure desktopX to serve as a Subversion repository. The top-level URL to access the directory should be svn+ssh://desktopX/var/local/svn. Create a group called svnusers and set permissions on the repository that allow all users in that group to create new projects and modify files.

Create a user called builder on both systems. This user should be a member of the svnusers group on desktopX. Also create ssh keys on desktopY and deploy them so builder can check in files to the repository without providing a password.

• Create RHN user accounts, assign appropriate roles, and allow them to administrate systems in the Review Systems system group according to the following table:

Login      swadmin                 cfgadmin
Password   redhat                  redhat
Roles      Channel Administrator   Configuration Administrator

• Import the open source project code for the "bubbles" program into the Subversion repository. The source code for this program can be found at the following URL: http://instructor/pub/materials/bubbles-1.0.tar.gz.

• Clone the RHEL 6 Server base channel and all of its child channels. Prefix the channel names with "Development" and the channel labels should have a "dev-" prefix.

• Create an activation key to automate system registration. The key ID should be review-reg. It should register systems in the Review Inc. organization. Systems should join the Review Systems system group. They should also subscribe to the cloned base software channel and the rhn-tools and custom cloned channels. Also allow for configuration file provisioning and subscribe to the Review Configurations configuration channel.

• Create a kickstart profile. It should register the provisioned system with the review-server activation key for Review Inc. It should install the web-server package group and update all available errata during its installation. The bubbles custom package should be installed and any available configuration files should be deployed.

• Create a configuration channel called Review Configurations with a label of review-configs. It provides /etc/issue which should contain the following text:

Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel \r on an \m

Review Inc.

• Import GPG keys into the Satellite server for deployment. Import the standard Red Hat key, RPM-GPG-KEY-redhat-release, and the GPG key used to verify custom packages.

• Provision the client system using the PXE menu provided by Cobbler. Confirm that it installed properly and is properly configured.

How would you address the case study described above? Take notes on your process in the space below and then implement it.

Appendix A. Solutions

Essential System Management

Fill in the enterprise best practices below and take notes as your instructor explains them:

1. Standardization

2. Centralization

3. Scalability

4. Provisioning

5. Automation

Practice Resequencing Exercise

Enterprise Management Best Practices

For each of the keywords below, write down the number of its definition from the list at the bottom.

2 Standardization
5 Centralization
1 Scalability
3 Provisioning
4 Automation

1. Growth in capacity with minimal system administrator impact.

2. Performing tasks with the same, well thought out method each and every time.

3. The process taken to turn a system from bare-metal to installed and configured to meet the defined baseline. This should be as close to a fully automated process as possible.

4. Generally requires more upfront work. Investing time writing kickstart files allows one to install more systems simultaneously and more quickly than could be achieved by hand.

5. Gather policies, procedures, and baselines into one easily managed system.

Practice Exercise

PXE Boot

The purpose of this exercise is to become familiar with the PXE capabilities of the classroom hardware. You will also look at the menu and capabilities that are provided by the classroom provisioning environment. You will not be installing your workstations - that is for a later exercise.

1. PXE boot one of your two machines; either of your machines will work.

Initiating a PXE installation usually involves pressing one of the F-keys. F12 is often the key that will allow you to choose which method to boot.

2. In the PXE menu, edit the “Install minimal RHEL 5 for RHN Satellite use” option. What are the two options included for Kickstart?

Use the arrow keys to select the “Install minimal RHEL 5 for RHN Satellite use” option and press Tab. The options used for Kickstart are:

• ksdevice=eth0

This option forces the Kickstart installation to use the eth0 network device.

• ks=http://instructor.example.com/satellite.cfg

This option shows that the Kickstart file comes from the instructor web server.

Test

Criterion Test

Exercise

Provisioning Preview

Before you begin...

You have two servers: desktopX and desktopY. Both servers are currently connected to the classroom network (192.168.0.0/24) which includes the instructor's machine, instructor.example.com. desktopX should be equipped with two Ethernet interfaces.

Let's preview the capabilities and conveniences of a bare-metal provisioning environment. The instructor's machine, instructor.example.com, has been configured to provide bare-metal provisioning services. Your task is to configure both of your servers to PXE-boot and kickstart themselves.

1. Reboot desktopX and go into the system BIOS configuration screens and make adjustments so desktopX will attempt to PXE boot from the network. Ask your instructor for help since this process can vary between various classroom environments.

2. Reboot desktopX, but this time allow it to PXE boot from the network. If everything is properly configured, you should be presented with a PXE boot menu similar to the following:

Choose the “Install minimal RHEL 5 for RHN Satellite use” option without any arguments to begin the installation. While the installation begins, repeat these steps on your second server, desktopY. Be sure to choose the “Install minimal RHEL 5 for RHN Satellite use” option without any arguments to begin the installation.

Installing a Red Hat Network Satellite Server

Advantages of RHN Satellite Server

Five major advantages of using RHN Satellite server include:

1. Security

2. Efficiency

3. Control

4. Customization

5. Scalability

Practice Performance Checklist

Installing Red Hat Network Satellite Software

Before you begin...

You should have a Red Hat Enterprise Linux 5 Server with a minimal installation on desktopX.

Install RHN Satellite software on your provisioning server, desktopX.

Copy the sample RHN Entitlement Certificate, redhat-gls-minimal-5.4.cert, from the instructor's machine to root's home directory (~). This file can be found in the automounted /misc/instructor/rh401-satellite directory.

[root@desktopX ~]# cd /misc/instructor/rh401-satellite
[root@desktopX rh401-satellite]# cp redhat-gls-minimal-5.4.cert ~

Copy the satellite-embedded-*.iso image found on the instructor's machine to /tmp then mount it using a loopback device to /mnt. Don't execute /mnt/install.pl. We will use this script shortly. Instead list the contents of /mnt/install and look for a file called answers.txt. This file can be modified and used with install.pl to perform an unattended installation of the RHN Satellite Server software. Copy answers.txt to root's home directory.

[root@desktopX rh401-satellite]# cp satellite-*.iso /tmp
[root@desktopX rh401-satellite]# mount -o loop /tmp/satellite-*.iso /mnt
[root@desktopX rh401-satellite]# cp /mnt/install/answers.txt ~

Use your favorite text editor to modify root's answers.txt file. Find the following variable definitions and make all necessary adjustments:

# RHN Satellite Server administrator
admin-email = [email protected]

# Satellite Server CA certificate info
ssl-set-org = Red Hat Inc.
ssl-set-org-unit = Training
ssl-set-city = your city
ssl-set-state = your state
ssl-set-country = your two-letter country code
ssl-set-email = [email protected] = a password you can remember

# Location of RHN Satellite Entitlement certificate
satellite-cert-file = /root/redhat-gls-minimal-5.4.cert

run-updater = yes
ssl-config-sslvhost = yes
enable-tftp = yes

Although comments in the file suggest ssl-set-email defaults to the value of admin-email, that is not the case and the installer will stop and prompt you for the SSL e-mail address. Also the run-updater, ssl-config-sslvhost, and enable-tftp directives either do not exist or are commented in the sample answers.txt file. Uncomment them or add them to the file as needed.

Double check your modifications to your answers.txt file because the Satellite Server install process takes a long time. It is best to catch mistakes sooner than later.

[root@desktopX rh401-satellite]# vi ~/answers.txt
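A preflight check for the answers file, as an added example that is not part of the workbook or of the Satellite installer: it reports directives that are missing, still commented out, empty or misspelled before the long install starts. The required-key list is taken from the listing above; the sample file contents, the two-letter country check and the function names are constructed for this illustration, and a Python 3 interpreter is assumed.

```python
import difflib
import re
import sys

# Directives this walkthrough sets in answers.txt (from the listing above).
REQUIRED_KEYS = [
    "admin-email", "ssl-set-org", "ssl-set-org-unit", "ssl-set-city",
    "ssl-set-state", "ssl-set-country", "ssl-set-email",
    "satellite-cert-file", "run-updater", "ssl-config-sslvhost", "enable-tftp",
]
YES_KEYS = {"run-updater", "ssl-config-sslvhost", "enable-tftp"}

_ACTIVE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
_COMMENTED = re.compile(r"^\s*#\s*([A-Za-z0-9-]+)\s*=")

# Constructed sample with four deliberate mistakes.
SAMPLE = """\
# RHN Satellite Server administrator
admin-email = root@localhost
ssl-set-org = Red Hat Inc.
ssl-set-org-unit = Training
ssl-set-city = Raleigh
ssl-set-state = North Carolina
ssl-set-country = USA
ssl-set-mail = root@localhost
satellite-cert-file = /root/redhat-gls-minimal-5.4.cert
# run-updater = yes
ssl-config-sslvhost = yes
"""


def check_answers(text, required=REQUIRED_KEYS):
    """Return a list of problems found in the text of an answers file."""
    active, commented = {}, set()
    for line in text.splitlines():
        match = _ACTIVE.match(line)
        if match:
            active[match.group(1)] = match.group(2)
            continue
        match = _COMMENTED.match(line)
        if match:
            commented.add(match.group(1))

    # Active keys we do not recognise; a typo here makes the installer prompt.
    unknown = sorted(set(active) - set(required))
    problems = []
    for key in required:
        if key not in active:
            near = difflib.get_close_matches(key, unknown, n=1, cutoff=0.85)
            if key in commented:
                problems.append("%s: still commented out" % key)
            elif near:
                problems.append(
                    "%s: missing (similar key %r present, check spelling)"
                    % (key, near[0])
                )
            else:
                problems.append("%s: missing" % key)
        elif not active[key]:
            problems.append("%s: empty value" % key)
        elif key in YES_KEYS and active[key].lower() != "yes":
            problems.append("%s: expected 'yes', found %r" % (key, active[key]))
        elif key == "ssl-set-country" and not re.match(r"^[A-Za-z]{2}$", active[key]):
            problems.append("ssl-set-country: not a two-letter code")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_answers.py /root/answers.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            content = handle.read()
    else:
        content = SAMPLE
    issues = check_answers(content)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

The non-zero exit status lets the check gate the install.pl invocation in a wrapper script.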

Begin the Satellite Server installation process using your answers file. Be sure to specify the option to install the software so it will operate without an external connection to Red Hat Network. Monitor the log files that are created during the installation process to ensure the installation is functioning properly.

[root@desktopX rh401-satellite]# /mnt/install.pl --disconnected --answer-file=/root/answers.txt

install.pl installs all necessary RHN software, imports Red Hat's RHN entitlement certificate, then creates and populates its database. The installation should be totally hands free when an answer file is provided. The installer will prompt the user for questions when either the answer file name is misspelled or one of the answers in the file is misspelled or omitted.

Log information can be found in /var/log/rhn/*. Use watch ls -l /var/log/rhn in another window to view the logs that get created by install.pl. As log files in this directory get created or grow you may want to use tail -f to briefly observe what gets written to them.

Once the SSL certificate has been generated and imported into the Satellite Server, install.pl will restart the Satellite Server then exit. A URI will be displayed which you can use with a browser to complete the installation process.

Launch a web browser and visit the URI displayed by install.pl: https://desktopX.example.com. Examine the certificate offered to your browser and see if you recognize some of the values about the certificate subject and the issuer. Once you are satisfied with the contents of the certificate, accept it into your browser permanently.

Create a RHN user called satadmin with a password of redhat. The e-mail address for this account should be [email protected]. Provide your name for the additional account information. You are now logged in as the Satellite Administrator, satadmin, of a functioning Red Hat Network Satellite Server.

Unmount the ISO image from /mnt since the installation of the RHN Satellite Server software is complete.

A URI will be displayed which you can use with a browser to complete the installation process. Launch a web browser and visit the URI displayed by install.pl and fill in the following fields:

Field              Value
Desired Login      satadmin
Desired Password   redhat
First, Last Name   Provide your name
E-mail             [email protected]

Click the Create Login button to confirm your selections. You are now logged in as the Satellite Administrator, satadmin, of a functioning Red Hat Network Satellite Server.

Unmount the ISO image from /mnt:

[root@desktopX rh401-satellite]# umount /mnt

Use yum to install updated packages for the Red Hat Network Satellite Server software. The classroom kickstart process configures yum to point to repositories provided by the instructor's server. After the packages have been updated, restart your Satellite Server.

[root@desktopX ~]# yum -y update

Restart your Satellite Server after the Satellite software has been updated. For now, reboot the server. You will learn more graceful ways of controlling the Satellite Server in a later unit.

[root@desktopX rh401-satellite]# reboot

Practice Performance Checklist

Preparing Channel Content for Import

Before you begin...

The RHN Satellite software installation on your desktopX machine should be completed.

Channel content ISOs are available from the instructor's machine, instructor.example.com. Extract their contents into a common directory on your Satellite server, desktopX, so the channel content can be imported in a later lab exercise.

The first step to take is to make sure you have enough disk space to extract the content ISOs. They will require over 8 GB of space. Notify your instructor if you don't have enough room on your machine to extract them.

[root@desktopX ~]# df -h

The content ISOs are published to the classroom in the /misc/instructor/rh401-satellite/sat-rhel6-content/ directory. Mount the content ISOs using a loop interface to /mnt and copy the contents of both ISOs to a directory called /root/sat-rhel6-content/.

[root@desktopX ~]# mkdir sat-rhel6-content
[root@desktopX ~]# cd /misc/instructor/rh401-satellite/sat-rhel6-content/
[root@desktopX sat-rhel6-content]# mount -o loop rhn-export-rhel-x86_64-6-*-01.iso /mnt
[root@desktopX sat-rhel6-content]# rsync -aPv /mnt/* /root/sat-rhel6-content
[root@desktopX sat-rhel6-content]# umount /mnt

Repeat the above steps for the second channel content ISO.

[root@desktopX sat-rhel6-content]# mount -o loop rhn-export-rhel-x86_64-6-*-02.iso /mnt
[root@desktopX sat-rhel6-content]# rsync -aPv /mnt/* /root/sat-rhel6-content
[root@desktopX sat-rhel6-content]# umount /mnt

Practice Performance Checklist

Populating RHN Satellite with RHEL6 Software

Before you begin...

The RHN Satellite software installation on your desktopX machine should be completed and RHN channel content from both ISOs should be expanded into the /root/sat-rhel6-content/ directory on that server.

Import the RHN base channel content for the Red Hat Enterprise Linux 6 Server software for 64-bit x86 machines into your RHN Satellite server.

The first software channel to be imported into a RHN Satellite 5.4 server takes much more time to import than subsequent channels. To conserve time, import the one-rpm-channel base software channel published in the /misc/instructor/rh401-satellite/one-rpm-channel.tar tar archive. Change into root's home directory on desktopX, extract the archive, import the one-rpm-channel software channel, then reboot your Satellite server before importing the Red Hat software channels.

[root@desktopX sat-rhel6-content]# cd
[root@desktopX ~]# tar xvf /misc/instructor/rh401-satellite/one-rpm-channel.tar
one-rpm-channel/
one-rpm-channel/rpms/
... Output omitted ...
[root@desktopX ~]# satellite-sync -m one-rpm-channel --list-channels
09:24:17 Red Hat Network Satellite - file-system synchronization
09:24:17 mp: /root/one-rpm-channel
09:24:17 db: rhnsat/<password>@rhnsat
09:24:17
09:24:17 Retrieving / parsing channel-families data
09:24:17 channel-families data complete
09:24:17
09:24:17 Retrieving / parsing channel data
09:24:17 p = previously imported/synced channel
09:24:17 . = channel not yet imported/synced
09:24:17 base-channels:
09:24:17 . one-rpm-channel 1
09:24:17 Import complete:
    Begin time: Fri Jun 10 09:24:17 PDT 2011
    End time: Fri Jun 10 09:24:17 PDT 2011
    Elapsed: 0 hours, 0 minutes, 0 seconds

[root@desktopX ~]# satellite-sync -m one-rpm-channel -c one-rpm-channel
... Output omitted ...
[root@desktopX ~]# reboot

Log back into desktopX as root. The sat-rhel6-content directory below root's home directory contains the software channel content needed to deploy Red Hat Enterprise Linux 6 Server.

Before you populate the database with RPMs and other information for a particular channel you must first find out which channels are available. Which software channels are provided by the content in the sat-rhel6-content directory?

Run the following command to identify which software channels are provided by the content in the sat-rhel6-content directory:

[root@desktopX ~]# satellite-sync -m /root/sat-rhel6-content --list-channels
09:38:39 Red Hat Network Satellite - file-system synchronization
09:38:39 mp: /root/sat-rhel6-content
09:38:39 db: rhnsat/<password>@rhnsat
09:38:39
09:38:39 Retrieving / parsing channel-families data
09:38:40 channel-families data complete
09:38:40
09:38:40 Retrieving / parsing channel data
09:38:40 p = previously imported/synced channel
09:38:40 . = channel not yet imported/synced
09:38:40 base-channels:
09:38:40 . rhel-x86_64-client-6 2911
09:38:40 . rhel-x86_64-server-6 3583
... Output omitted ...
09:38:40 rhel-x86_64-server-6:
09:38:40 . rhel-x86_64-server-fastrack-6 0
... Output omitted ...
09:38:40 . rhn-tools-rhel-x86_64-server-6 21
... Output omitted ...

Now that you have determined which channels are available, import the rhel-x86_64-server-6 channel data from the sat-rhel6-content directory into your Satellite Server's database. This process takes a very long time to complete.

[root@desktopX ~]# satellite-sync -m /root/sat-rhel6-content -c rhel-x86_64-server-6

Use a web browser to browse https://desktopX.example.com, where X is the machine number of your Satellite Server. You probably want to bookmark this page since you will refer to it often in upcoming lab exercises.

Log in as the Satellite Administrator, satadmin. Navigate around the web site, particularly looking at the Errata, Channels, Users, and Admin tabs.

Your RHN Satellite Server is now installed and will be ready to be used by clients when the channel content sync is complete. In a later lab you will configure clients to use this server.

Test

Criterion Test

Case Study

Deploying a RHN Satellite Server

Before you begin...

You should have a Red Hat Enterprise Linux 5 Server with a minimal installation on desktopY.

Your department deploys and manages several servers running Red Hat Enterprise Linux. Your facility is an extremely secure site so you don't have access to hosted Red Hat Network services via the Internet. Your manager has invested in Red Hat Network Satellite software to manage your systems.

Your task is to install the RHN Satellite software on your desktopY machine and load it with the software channels needed to deploy Red Hat Enterprise Linux 6 Server systems. All of the material you need to install the system can be found in the /misc/instructor/rh401-satellite directory. Use the redhat-gls-minimal-5.4.cert RHN Entitlement Certificate to activate the server.

When you install the Satellite server, make sure the SSL CA certificate information is specified as follows:

• Organization = Red Hat Inc.

• Organization Unit = Training

• City = your city

• State = your state

• Country = your two-letter country code

Also specify [email protected] for all e-mail addresses requested during installation.

The Satellite Administrator should log in as satadmin with a password of redhat.

1. First, mount the RHN Satellite software installation DVD and copy the answers.txt file from the install subdirectory. Modify the answers.txt file to allow for an automated installation.

[root@desktopY ~]# cd /misc/instructor/rh401-satellite
[root@desktopY rh401-satellite]# cp redhat-gls-minimal-5.4.cert ~
[root@desktopY rh401-satellite]# rsync -aPv satellite-*.iso /tmp
... Output omitted ...
[root@desktopY rh401-satellite]# cd
[root@desktopY ~]# mount -o loop /tmp/satellite-*.iso /mnt
[root@desktopY ~]# cp /mnt/install/answers.txt ~
[root@desktopY ~]# vim /root/answers.txt

Add/change the following in answers.txt:

admin-email = [email protected]
ssl-set-org = Red Hat Inc.
ssl-set-org-unit = Training
ssl-set-city = your city
ssl-set-state = your state
ssl-set-country = your two-letter country code
ssl-set-email = [email protected] = a password you can remember
satellite-cert-file = /root/redhat-gls-minimal-5.4.cert
run-updater = yes
ssl-config-sslvhost = yes
enable-tftp = yes

2. Run the install.pl script with the --disconnected and --answer-file options. Make sure you specify the absolute path name of your answers.txt file.

[root@desktopY ~]# /mnt/install.pl --disconnected --answer-file=/root/answers.txt

3. After the RHN Satellite installer completes, access the URL printed by the installer and create a RHN account for the Satellite Administrator. Open a browser and point to https://desktopY.example.com. Create a user called satadmin with a password of redhat. Use your name as the full name and provide [email protected] for the e-mail address.

4. Update all of the Satellite packages and reboot desktopY.

[root@desktopY ~]# umount /mnt
[root@desktopY ~]# yum update -y
[root@desktopY ~]# reboot

5. Use satellite-sync to import the one-rpm-channel base channel then reboot desktopY again. Remember that the import of larger channels works more quickly when this step is taken first.

[root@desktopY ~]# tar xvf /misc/instructor/rh401-satellite/one-rpm-channel.tar
one-rpm-channel/
one-rpm-channel/rpms/
... Output omitted ...
[root@desktopY ~]# satellite-sync -m one-rpm-channel -l
10:17:53 Red Hat Network Satellite - file-system synchronization
10:17:53 mp: /root/one-rpm-channel
10:17:53 db: rhnsat/<password>@rhnsat
... Output Omitted ...
[root@desktopY ~]# satellite-sync -m one-rpm-channel -c one-rpm-channel
... Output Omitted ...
[root@desktopY ~]# reboot

6. Extract both of the RHN Satellite content ISOs into a local directory on desktopY.

[root@desktopY ~]# mkdir /root/sat-rhel6-content
[root@desktopY ~]# cd /misc/instructor/rh401-satellite/sat-rhel6-content
[root@desktopY sat-rhel6-content]# mount -o loop rhn-export-rhel-x86_64-6-*01.iso /mnt
[root@desktopY sat-rhel6-content]# rsync -aPv /mnt/* /root/sat-rhel6-content
... Output omitted ...
[root@desktopY sat-rhel6-content]# umount /mnt
[root@desktopY sat-rhel6-content]# mount -o loop rhn-export-rhel-x86_64-6-*02.iso /mnt
[root@desktopY sat-rhel6-content]# rsync -aPv /mnt/* /root/sat-rhel6-content
... Output omitted ...
[root@desktopY sat-rhel6-content]# umount /mnt
[root@desktopY sat-rhel6-content]# cd

7. Run satellite-sync to list the software channels provided by the content ISOs. Identify the base channel that provides the Red Hat Enterprise Linux 6 Server software and use satellite-sync to import that channel into your Satellite server.

[root@desktopY ~]# satellite-sync -m /root/sat-rhel6-content --list-channels
[root@desktopY ~]# satellite-sync -m /root/sat-rhel6-content -c rhel-x86_64-server-6

Red Hat Network Organization

Practice Exercise

Organization Creation and Entitlement

Before you begin...

Students should have a functioning Red Hat Network Satellite Server, desktopX, installed with Red Hat Enterprise Linux Server base channel content loaded.

Log in as the Satellite Administrator of your desktopX Satellite server. Create an organization called “Example Inc.” and assign it entitlements for provisioning and managing Red Hat Enterprise Linux Server systems.

• Create an organization in your Red Hat Network Satellite Server named “Example Inc.”. The Organization Administrator is Mr. Edward Example and he should log in as example with a password of redhat. E-mail for this account should be sent to [email protected].

System entitlements should be assigned to this new organization as follows:

• Management: 3

• Monitoring: 0

• Provisioning: 1

• Virtualization: 1

• Virtualization Platform: 0

The following quantity of software entitlements should be assigned as well:

• Red Hat Enterprise Linux Server (v. 6): 2

• Red Hat Network Tools for RHEL (v. 6): 2

Log into the Satellite Server as the Satellite Administrator by opening a web browser and navigating to https://desktopX.example.com. Provide satadmin for the RHN Satellite Login and redhat for the Password. Go to the Admin tab and click the create new organization link at the upper right-hand corner of the screen. Fill in the appropriate fields in the Create New Organization form then click the Create New Organization button when the form is complete.

The next screen to appear is the Subscriptions System Entitlements tab. Enter values for the appropriate entitlement fields according to the specifications above. Click the Update Organization button when the fields are filled in correctly.

Click on the Software Channel Entitlements tab and enter values according to the specifications above. Click the Update Organization button when the fields are filled in correctly.

Practice Exercise

Creating User Accounts and Assigning Roles

• Log in to the Satellite server on desktopX as the Organization Administrator for the Example Inc. organization and create the following users as members of that organization:

            Standard user       Privileged user
Login       normal              grouper
Password    redhat              redhat
Full name   Mr. Norman Normal   Ms. Gladys Grouper
Roles       System Group User   System Group Administrator

Specify [email protected] as the e-mail address for both RHN Satellite accounts.

You must sign out of the satadmin account and log in as the Organization Administrator, example, to associate the accounts with the “Example Inc.” organization. Select the Users tab and click the create new user link displayed in the upper right-hand corner of the screen. Fill in the fields for each user according to the above table and click Create Login each time the form is completed.

No additional changes need to be made for the normal account because a System Group User is a user without additional privileges or roles. Click on the login name/link for grouper to bring up her account's detailed user information page. In the Details tab, check the System Group Administrator check box in the Roles section then click the Submit button to assign her additional privileges.

Practice Exercise

Managing System Groups

1. Log in to the Satellite server on desktopX as the Organization Administrator for the Example Inc. organization, if necessary, and create a system group called “example servers.” Fill the group description with useful information of your choice.

Do not make any security adjustments or assign administrators to the new group. Examine the initial access privileges for normal and grouper to the example servers group.

Select the Systems tab and click the System Groups menu item in the menubar at left. Click the create new group link at the upper right and click the Create Group button after filling the form with useful information.

Examine the initial access privileges for the example servers group. Log in as normal and grouper and examine what menus and system groups are available to them. Both users should find no system groups for the organization.

2. Modify the example servers system group so grouper can administrate the group. Sign in as grouper and normal and observe what access they have to the system group.


Log into the example account, select the Systems tab and click the System Groups menu item at the left. Click on the example servers link to bring up the system group details page then click the Admins tab. Check the check box by grouper and click the Update button to assign her group administrative privileges.

This time when the system group access of grouper and normal is checked, grouper can see the system group but normal cannot.

3. Log in as grouper and modify the group so normal can administer systems in that group. Log in as normal and confirm he has access to the group.

Perform the same steps as in the task above, except check the box by normal instead. Log in as normal and confirm he has access to the group.


Using Subversion to Manage Changes

Practice Exercise

Preparing the Subversion Repository and Users

Before you begin...

In this lab one of your two machines will be referred to as desktopX and will host the Subversion repository. This machine should be your RHN Satellite Server since you will reinstall desktopY to complete later labs.

Your client machine, desktopY, will serve as the remote workstation of one of your Subversion users. Make sure the clocks on both of your machines are synchronized with each other.

If you need to install packages, yum should already be configured on desktopX and desktopY.

Your internal DNS servers have had some problems lately. The DNS administrators, Stan and Oliver, have been modifying configuration files in such a way that they have been stepping on each other's changes. Your task is to deploy a Subversion server which will allow Stan and Oliver to work together and stop the configuration file conflicts.

Build a Subversion repository on desktopX that will allow two users, oliver and stan, to create projects and work collaboratively.

1. Reinstall desktopY with Red Hat Enterprise Linux 6 to prepare it for this and future lab exercises. PXE boot desktopY and select the “Install a standard RHEL 6 workstation” option.

2. Log in as root on desktopX and install Subversion if necessary. Create a repo named /var/local/svn on desktopX while desktopY reinstalls. After the installation finishes, check if Subversion is installed on desktopY. If not, then install it on desktopY also.

First, log in as root on desktopX and perform the following commands:

[root@desktopX ~]# yum install -y subversion
[root@desktopX ~]# svnadmin create /var/local/svn

After desktopY finishes reinstalling, log in as root and repeat the above yum command.

3. On desktopX, create a group called svnuser with a group ID of 60000. Modify the Subversion repository so all users in that group can create and modify projects.

[root@desktopX ~]# groupadd -g 60000 svnuser
[root@desktopX ~]# chgrp -R svnuser /var/local/svn
[root@desktopX ~]# chmod -R g+w /var/local/svn/db

4. Create user accounts for oliver and stan on both workstations. Assign their accounts the password of password on both systems.

Make all necessary adjustments to their accounts to allow them to use Subversion from either host. Both users should be able to commit their changes to the Subversion repository without typing a password when they are logged into desktopY.


Use the following commands on both systems to create accounts for oliver and stan and assign them passwords of password. Replace $user with each of their usernames:

[root@desktopX ~]# useradd $user
[root@desktopX ~]# echo password | passwd --stdin $user

Make all necessary adjustments to both their accounts to allow them to use Subversion from either host. Their accounts must be members of the svnuser group on the Subversion repository. Note the following command needs to be performed for both users on desktopX:

[root@desktopX ~]# usermod -a -G svnuser $user

It is useful to define a default editor for Subversion so it can run the editor when changes are committed to the repository. Modify Oliver and Stan's ~/.bash_profile on both desktopX and desktopY so the EDITOR environment variable points to your preferred text editor. The following snippet of shell code should be defined in the ~/.bash_profile of both of their accounts on both systems (note the example below uses vi, but you can use your preferred editor instead):

export EDITOR=vi

Both users should be able to commit their changes to the Subversion repository without typing a password when they are logged into desktopY. Generate ssh keys for both users and propagate their public keys to desktopX, the Subversion repository. The solution below shows how to set the keys up for oliver. The same commands need to be performed for stan.

[oliver@desktopY ~]$ ssh-keygen
... Output omitted ...
[oliver@desktopY ~]$ ssh-copy-id desktopX.example.com
... Output omitted ...

Practice Exercise

Starting a New Project in Subversion

Set up a new project in the Subversion repository for DNS configuration files.

1. Log in as oliver on desktopX and create a subdirectory in Oliver's home directory called source. Create etc and var/named subdirectories below ~/source to provide a temporary DNS chroot hierarchy.

[oliver@desktopX ~]$ mkdir -p source/{etc,var/named}

2. Use anonymous FTP to download all the files in /pub/materials/namedfiles from instructor.example.com into ~/source. Move the files into the appropriate directories in the temporary tree. Do not change their names at this time.


[oliver@desktopX ~]$ cd source
[oliver@desktopX source]$ wget ftp://instructor.example.com/pub/materials/namedfiles/*
[oliver@desktopX source]$ mv named.conf etc/
[oliver@desktopX source]$ mv *.zone var/named/

3. Have oliver create a new project called dnsfiles in the Subversion repository. The project should initially be populated with the files from his ~/source directory.

If the group ownership and permissions assigned to the repository are correct, Oliver should be able to create the project since he is a member of the svnuser group.

[oliver@desktopX source]$ cd ~
[oliver@desktopX ~]$ svn import source file:///var/local/svn/dnsfiles

When the text editor appears, insert “DNS configuration files” as the log message, save your changes, then quit the editor. You should see output similar to the following:

Adding source/var
Adding source/var/named
Adding source/var/named/127.0.0.zone
... Output omitted ...
Committed revision 1.

4. Confirm the files are safely in the repository. Check the dnsfiles project out from the Subversion repository on desktopX and compare its contents with the files in ~/source.

[oliver@desktopX ~]$ svn checkout file:///var/local/svn/dnsfiles

Compare the dnsfiles content with the files in ~/source. The only differences you should see are the .svn subdirectories below dnsfiles.

[oliver@desktopX ~]$ diff -r dnsfiles source
Only in dnsfiles/etc: .svn
... Output omitted ...

5. Remove the ~/source directory from Oliver's home directory once it is confirmed the DNS files are properly stored in the Subversion repository.

[oliver@desktopX ~]$ rm -r source

Practice Exercise

Managing Changes with Subversion

Create working directories and observe how Subversion manages concurrent changes by two users.

1. Log in as oliver on desktopX. If the dnsfiles working directory doesn't exist, check out a working copy of the dnsfiles project below Oliver's home directory.


If the dnsfiles working directory doesn't exist, run the following command:

[oliver@desktopX ~]$ svn checkout file:///var/local/svn/dnsfiles

2. Change to the top level directory of your Subversion working directory and modify etc/named.conf. Find the comments that read “REPLACE FIX HERE WITH YOUR STATION NUMBER” and change all occurrences of the string “FIX” in the zone declarations to the last octet of desktopX's IP address.

Note: This changes the files that DNS will try to reference. There are comments in the file noting that the actual files must be renamed for consistency. For now disregard those comments since you will fix the repository files to match the new names in a later lab exercise.

Commit Oliver's changes with a log message of “Replaced FIX with station's IP.”

[oliver@desktopX ~]$ cd ~/dnsfiles
[oliver@desktopX dnsfiles]$ vi etc/named.conf
[oliver@desktopX dnsfiles]$ svn commit -m "Replaced FIX with station's IP."

3. In another window, log in as Stan on desktopY. Create a Subversion working directory in Stan's home directory and have Stan check out a copy of the dnsfiles project. Examine named.conf. The changes made by Oliver should appear in that file.

[stan@desktopY ~]$ svn checkout svn+ssh://desktopX.example.com/var/local/svn/dnsfiles
[stan@desktopY ~]$ cd dnsfiles
[stan@desktopY dnsfiles]$ less etc/named.conf

4. As Stan, edit var/named/192.168.0.FIX.zone in the Subversion working directory and replace every occurrence of “FIX” with the last octet of desktopX's IP address. Be sure to update the serial number to YYYYMMDD00 using the digits of the current date. Commit Stan's changes with the same log message that Oliver used previously.

[stan@desktopY dnsfiles]$ vi var/named/192.168.0.FIX.zone
[stan@desktopY dnsfiles]$ svn commit -m "Replaced FIX with station's IP."

5. On desktopX update Oliver's Subversion working directory so Stan's revisions are incorporated into Oliver's files.

svn update without arguments checks if the current working directory is under control of Subversion. It uses information found in the .svn subdirectory to identify the repository and it recurses down the current directory looking for updates. It is best to change to the top level directory of the Subversion working directory to ensure all changes to the project are updated:

[oliver@desktopX dnsfiles]$ svn status -u
[oliver@desktopX dnsfiles]$ svn update
[oliver@desktopX dnsfiles]$ less var/named/192.168.0.FIX.zone


Practice Exercise

Moving Files in a Subversion Project

Previously Stan modified the contents of a file. Modify file names and observe how Subversion manages the changes.

1. Using Stan's account on desktopY, use Subversion to change the name of the 192.168.0.FIX.zone file so “FIX” is replaced with the last octet of desktopX's IP address. Commit the changes into the Subversion repository with a descriptive log message.

[stan@desktopY dnsfiles]$ cd var/named
[stan@desktopY named]$ svn mv 192.168.0.FIX.zone 192.168.0.X.zone
[stan@desktopY named]$ svn commit -m 'Moved 192.168.0.FIX.zone to 192.168.0.X.zone'

2. Review the log messages of the 192.168.0.X.zone file.

Rename the file domainFIX.example.com.zone so “FIX” is replaced with the last octet of desktopX's IP address. Make sure the changes are committed into the Subversion repository.

[stan@desktopY named]$ svn log 192.168.0.X.zone
[stan@desktopY named]$ svn mv domainFIX.example.com.zone domainX.example.com.zone
[stan@desktopY named]$ svn commit -m 'Moved domainFIX.example.com.zone to domainX.example.com.zone'

3. Examine Oliver's Subversion working directory on desktopX. Use Subversion to update his working files and see what happens.

[oliver@desktopX dnsfiles]$ ls -R
[oliver@desktopX dnsfiles]$ svn status -u
[oliver@desktopX dnsfiles]$ svn update
[oliver@desktopX dnsfiles]$ ls -R

Practice Exercise

Subversion Conflict Resolution

Observe how Subversion behaves when two users modify the same file, sometimes with conflicting changes.

1. As Stan on desktopY, open domainX.example.com.zone in a text editor. Modify the SOA line of the file so all occurrences of “FIX” are changed to the last octet of desktopX's IP address. For example the student whose Satellite Server is station3.example.com would modify the line to look like the following:

@ IN SOA desktop3.domain3.example.com. root.desktop3.domain3.example.com. (

Save, exit, and commit the changes to the Subversion repository.

[stan@desktopY named]$ vi domainX.example.com.zone
[stan@desktopY named]$ svn commit -m 'Replaced FIX in SOA record.'


2. Without updating first, as Oliver on desktopX open domainX.example.com.zone in a text editor. Fix the NS resource record by replacing each “FIX” with the last octet of desktopX's IP address. Save, exit, and have Oliver commit the changes. This shouldn't require too much effort since Oliver's changes do not conflict with Stan's.

[oliver@desktopX dnsfiles]$ cd var/named
[oliver@desktopX named]$ vi domainX.example.com.zone
[oliver@desktopX named]$ svn commit -m 'Replaced FIX in NS record.'
Sending named/domainX.example.com.zone
svn: Commit failed (details follow):
svn: File '/dnsfiles/var/named/domainX.example.com.zone' is out of date

The commit above failed since Stan committed changes that Oliver hasn't downloaded yet. Download Stan's changes and try to save the changes to the Subversion repository again:

[oliver@desktopX named]$ svn update
G domainX.example.com.zone
Updated to revision 6.
[oliver@desktopX named]$ svn commit -m 'Replaced FIX in NS record.'
Sending named/domainX.example.com.zone
Transmitting file data .
Committed revision 7.

3. Have Stan on desktopY update his Subversion working directory and get Oliver's changes. As Stan, edit domainX.example.com.zone and change each “FIX” in the MX line to the last octet of desktopX's IP address. Update the serial number with the current date followed by a two digit sequence number. Commit Stan's changes to the Subversion repository.

[stan@desktopY named]$ svn update
U domainX.example.com.zone
Updated to revision 7.
[stan@desktopY named]$ vi domainX.example.com.zone
[stan@desktopY named]$ svn commit -m 'Replaced FIX in MX record.'
Sending named/domainX.example.com.zone
Transmitting file data .
Committed revision 8.

4. As Oliver on desktopX, make the same changes that Stan made but also change the MX record priority to 15. Attempt to commit your changes. This will fail since Oliver's Subversion working directory is not updated. Also update the zone file serial number to be greater than the previous value.

Commit Oliver's changes into the repository since his changes are more complete than Stan's changes.

[oliver@desktopX named]$ vi domainX.example.com.zone

For instance, if desktop3 were your desktopX, change the line in domain3.example.com.zone to the following:

domain3.example.com. IN MX 15 station3.domain3.example.com.


Once you have double checked your changes, commit them into the Subversion repository:

[oliver@desktopX named]$ svn commit -m 'Fixed MX priority.'
Sending named/domainX.example.com.zone
svn: Commit failed (details follow):
svn: File '/dnsfiles/var/named/domainX.example.com.zone' is out of date

The command above failed since Oliver's Subversion working directory did not include the most recent changes. Update Oliver's Subversion working directory. When a conflict occurs, a .mine file and other version files are created when the update Subversion command is issued. Commit Oliver's changes into the repository since his changes are more complete than Stan's. One way to do this is to accept the changes in the domainX.example.com.zone.mine file:

[oliver@desktopX named]$ svn update
Conflict discovered in 'domainX.example.com.zone'.
Select: (p) postpone, (df) diff-full, (e) edit, (mc) mine-conflict, (tc) theirs-conflict, (s) show all options:

At this point, select 'p' to postpone the conflict resolution. This will allow you to view the different versions of this file and compare them. After you see the further output below, use mv and svn resolved to resolve the conflict and commit your changes:

C domainX.example.com.zone
Updated to revision 8.
Summary of conflicts:
 Text conflicts: 1
[oliver@desktopX named]$ mv domainX.example.com.zone.mine domainX.example.com.zone
[oliver@desktopX named]$ svn resolved domainX.example.com.zone
Resolved conflicted state of 'domainX.example.com.zone'
[oliver@desktopX named]$ svn commit -m 'Fixed MX priority.'
Sending named/domainX.example.com.zone
Transmitting file data .
Committed revision 9.

5. As either Oliver or Stan, update the remaining resource records in domainX.example.com.zone that contain “FIX” with desktopX's number. Update the serial numbers in the .zone files. Commit the changes into the Subversion repository.

[stan@desktopY named]$ svn update
[stan@desktopY named]$ vi domainX.example.com.zone
[stan@desktopY named]$ svn commit -m 'Replaced remaining FIXs with the desktop number.'
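
The exercises above ask several times for the zone serial to follow the YYYYMMDDNN form and to be greater than the previous value, which matters because secondary name servers only transfer a zone when its serial increases. The script below is an added example, not part of the workbook: it extracts the serial from two versions of a zone file and checks both rules. The function names and the sample zone text (including its timer values) are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a zone file's SOA serial before committing it.

# Print the SOA serial: the first all-digit field after the "(" that follows
# the SOA keyword, with ";" comments removed.
soa_serial() {  # usage: soa_serial FILE
    awk '
        { sub(/;.*/, ""); gsub(/\(/, " ( ") }
        !seen && toupper($0) ~ /(^|[ \t])SOA[ \t]/ { seen = 1 }
        seen {
            for (i = 1; i <= NF; i++) {
                if (paren && $i ~ /^[0-9]+$/) { print $i; exit }
                if ($i == "(") paren = 1
            }
        }
    ' "$1"
}

# Check that NEW's serial has the form YYYYMMDDNN, carries a plausible date,
# and is greater than OLD's serial. Prints a verdict; returns 0 when valid.
check_serial() {  # usage: check_serial OLD_FILE NEW_FILE
    old=$(soa_serial "$1")
    new=$(soa_serial "$2")
    case $new in
        [12][0-9][0-9][0-9][01][0-9][0-3][0-9][0-9][0-9]) ;;
        *) echo "FAIL serial '${new}' is not YYYYMMDDNN"; return 1 ;;
    esac
    # Pull out MM and DD and drop a leading zero before comparing as integers.
    mm=${new#????}; mm=${mm%????}; mm=${mm#0}
    dd=${new#??????}; dd=${dd%??}; dd=${dd#0}
    if [ "$mm" -lt 1 ] || [ "$mm" -gt 12 ] || [ "$dd" -lt 1 ] || [ "$dd" -gt 31 ]; then
        echo "FAIL serial $new does not contain a valid date"; return 1
    fi
    # awk compares the ten-digit values without shell integer limits.
    if [ -n "$old" ] && ! awk -v o="$old" -v n="$new" 'BEGIN { exit !(n + 0 > o + 0) }'; then
        echo "FAIL serial $new is not greater than previous $old"; return 1
    fi
    echo "ok   serial ${old:-none} -> $new"
}

# Constructed sample zone, modelled on the SOA line shown in the exercise.
write_zone() {  # usage: write_zone FILE SERIAL
    cat > "$1" <<EOF
\$TTL 86400
@ IN SOA desktop3.domain3.example.com. root.desktop3.domain3.example.com. (
        $2 ; serial
        3H ; refresh
        15M ; retry
        1W ; expire
        1D ) ; minimum
@ IN NS desktop3.domain3.example.com.
EOF
}

# Demonstration on two constructed versions of the same zone.
d=$(mktemp -d)
write_zone "$d/old.zone" 2011071300
write_zone "$d/new.zone" 2011071301
check_serial "$d/old.zone" "$d/new.zone"
rm -rf "$d"
```

In a working copy, svn cat on the zone file prints the version the working copy is based on, which can be saved and used as the old file.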


Red Hat Network Client Configuration

Practice Quiz

RHN Registration Steps

List the four steps (in order) that are taken when a client workstation registers with a RHN Satellite server.

1. Update Red Hat Network software tools

2. Point to relevant Red Hat Network server

3. Install SSL CA certificate (Satellite/Proxy only)

4. Register the RHN client system: authenticate as valid Red Hat Network user, or register with an activation key

Practice Performance Checklist

Graphical Red Hat Network Registration

You will register a system with a Red Hat Network Satellite using rhn_register in a graphical environment. Since SSL encryption will be used, the organization CA certificate will have to be located and used when registering the client system.

Your client workstation, desktopY.example.com, should already be installed to provide a graphical environment. The classroom installation configures yum to point to the instructor's server for additional RPMS. Remove the /etc/yum.repos.d/dvd.repo configuration file and reset yum by executing the following commands as root:

[root@desktopY ~]# yum clean all
[root@desktopY ~]# rm /etc/yum.repos.d/dvd.repo

Browse http://desktopX.example.com/pub and locate the CA certificate for the local organization provided by the Satellite Server. Download the CA certificate to the /tmp directory on desktopY.

[root@desktopY ~]# wget http://desktopX/pub/RHN-ORG-TRUSTED-SSL-CERT -P /tmp

Log in as root on desktopX and monitor your Satellite server's Apache log files. Use tail -f to monitor them continuously.

[root@desktopX ~]# tail -f /var/log/httpd/*

Open a terminal window on desktopY and execute rhn_register so it displays a graphical dialog box. Configure the client to use the Satellite Server, desktopX.example.com, for software updates. Use the SSL certificate you previously downloaded and authenticate as the Red Hat Network user normal. Once the client is configured, use yum repolist to verify it is talking with the Satellite Server.

[root@desktopY ~]# rhn_register

After reading the introductory screen, click the Forward button to advance. Select the radio button that indicates you have access to a RHN Satellite Server. The Location box will become active. Type the URL for desktopX in that box: https://desktopX.example.com. Click the Forward button to advance.

Select the radio button indicating you have an SSL certificate. Browse and locate the file in the /tmp directory of your local filesystem. Click the Forward button.

rhn_register will ask for Red Hat Network authentication. Enter the login normal and the password redhat. Click Forward once the information is filled in.

On the next screen, take the default values for the system name and the profile data. Click Forward again. rhn_register should contact the Satellite Server and send profile information to the server. Click Forward then Finish to complete the registration and exit.

[root@desktopY ~]# yum repolist
Loaded plugins: refresh-packagekit, rhnplugin
repo id                 repo name                              status
rhel-x86_64-server-6    Red Hat Enterprise Linux Server ...    3,583
repolist: 3,583

Use a web browser to log into the Satellite server web user interface as normal and see if the newly registered system shows up in the system list. Do the same for the Red Hat Network user grouper. Finally log in as the Organization Administrator, example, and see if the client shows up in his system list.

The normal and grouper users are unable to see the new system because it is not associated with a system group they can view or administer. It is interesting that normal cannot see a system that was registered using his login and password.

As the Organization Administrator, example, see if the client shows up in his system list under the Systems tab. The new system should be visible to this account.

Practice Performance Checklist

Text-based Red Hat Network Registration

Register a system with a Red Hat Network Satellite using rhn_register in a text-based environment. You should already have the CA certificate copied to the filesystem on the client machine.

Log into a text-based virtual console (Ctrl+Alt+F2) as root on desktopY and execute rhn_register to re-register your client with your Satellite server. When rhn_register asks for RHN authentication information, provide the login of normal with the password redhat.


When you re-register your client with your Satellite server, it will print a warning: “System Software Updates already setup.” Disregard the warning and select Yes to continue.

After rhn_register asks for RHN authentication information, select Next to continue. Accept the default values for profile name and other prompts.

After the system information is sent to the Satellite server, review the system subscription details. You should see the software base channel, rhel-x86_64-server-6, on the screen. Select OK then select Finish - the client registration is complete.

Log into the Satellite server web interface as example. There should be two system profiles labeled desktopY.example.com.

Practice Exercise

Automating Registration with Activation Keys

The previous exercises demonstrated how to register a machine with a Red Hat Network Satellite Server using interactive utilities. Automate the registration process by creating an activation key that registers with the Example RHN organization and use it to re-register your client.

1. Log into your Satellite server as example and create an activation key named example-servers. It should have a description of “Example Servers”, not have a usage limit, and subscribe the client to the default RHN Satellite base channel for the system being installed. This activation key should not consume any add-on entitlements and do not use it as the universal default.

All systems registered with this activation key should automatically join the example systems system group.

Log into the Satellite Server web interface as the Organization Administrator, example, since this is the only user in the organization who has the privileges needed to create an activation key. Another option would be to create a new user with the role of an Activation Key Administrator or promote an existing user into that role.

Select the Systems tab then select Activation Keys from the menu at the left. Click on the create new key link in the upper right-hand corner of the window. Provide the following values in the fields of the dialog window that appears:

Field                  Value
Description            Example Servers
Key (*)                orgID-example-servers
Usage                  leave empty
Base Channel           Leave as RHN Satellite Default
Add On Entitlements    Leave everything unchecked
Universal Default      Leave unchecked


* - Record the organization ID number prefix (orgID) provided by the Satellite Server. This prefix associates the system being registered with a specific RHN organization.

Click the Create Activation Key button once you confirm the form is filled out correctly.

Click the Groups tab, then click the Join sub-tab and click the check box to select example servers. Click the Join Selected Groups button at the bottom of the screen to confirm the selection.

2. Log in as root on the client, desktopY.example.com, and use rhnreg_ks to register your system using the activation key you just created. If the registration doesn't work immediately, diagnose what the problem is and fix it.

The Satellite Server host name and information about the CA certificate already have useful default values. Normally they would have to be specified, but the previous registrations modified /etc/sysconfig/rhn/up2date so it points to valid values so the defaults can be taken.

Be sure to include the organization ID prefix specified by the Satellite Server when the key was created.

[root@desktopY ~]# rhnreg_ks --force --activationkey=orgID-example-servers

The two previous registrations consumed all of your subscriptions. One of the two system profiles needs to be deleted, but we might as well delete both entries. Log into the Satellite Server as example and select the Systems tab. Get the list of system profiles then click the profile name of the system you want to delete. Click the delete system button at the upper right-hand corner of the window then confirm the request by clicking the Delete Profile button. Repeat this process with the other system profile.

Try the rhnreg_ks command again. This time it should work.

3. Check the system profile of your client system in the Satellite Server. Is it a member of the example servers system group? If not, make the necessary adjustments to your activation key and re-register the client again. When you are finished with this exercise, delete all of the system profiles in the Satellite Server.

Practice Exercise

Registering Clients with a Bootstrap Script

Red Hat Network Satellite software can create a template shell script, called a bootstrap script, that can register a client system with the Satellite server. Customize and use a bootstrap script to register a freshly installed system with your Satellite server.

1. Reinstall your client workstation, desktopY, with a minimal footprint installation. Initiate a PXE boot and choose the “Install a minimal RHEL 6 installation” option without any arguments to begin the installation. While desktopY is installing, continue to the next step.

2. A Satellite Server provides bootstrap scripts to all of its clients, not just to a specific organization, so they must be created and managed by the Satellite Administrator.


While the client workstation installs, log in as the Satellite Administrator, satadmin, and in the web interface create a bootstrap script template as a starting point. The script should enable SSL and client GPG checking. It should not enable remote configuration and remote commands. These options will be introduced later in the course.

Optional - Use Subversion to manage the changes you make to the bootstrap script you develop. Create a new Subversion project and check in the original version before you make any changes.

Select the Admin tab then click the RHN Satellite Configuration menu option at the left. Click the Bootstrap Script sub-menu option. Fill in the form that appears with the following values:

Field                            Value
RHN Satellite server hostname    Confirm it is desktopX.example.com
SSL cert location                Confirm the pathname to your local CA certificate
Enable SSL                       check
Enable Client GPG checking       check
Enable Remote Configuration      uncheck
Enable Remote Commands           uncheck

Leave the client HTTP proxy information blank since it doesn't apply. Click the Update button to confirm and accept your changes.

Optional - To put the bootstrap script under control of Subversion, create a project called “bootstrap” that manages all of the files under the bootstrap directory.

[root@desktopX ~]# cd /var/www/html/pub
[root@desktopX pub]# svn import bootstrap -m 'Bootstrap scripts' file:///var/local/svn/bootstrap
Adding bootstrap/bootstrap.sh
... Output omitted ...
[root@desktopX pub]# rm -rf bootstrap
[root@desktopX pub]# svn co file:///var/local/svn/bootstrap
A bootstrap/bootstrap.sh
... Output omitted ...

3. Edit your bootstrap script on your Satellite Server. Disable the exit 1 line and modify the ACTIVATION_KEYS shell variable to point to the activation key you created earlier in this lab.

[root@desktopX pub]# cd /var/www/html/pub/bootstrap
[root@desktopX bootstrap]# vi bootstrap.sh

echo "the exit below)"
echo
#exit 1

# can be edited, but probably correct (unless created during initial
# install):
# NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine.
ACTIVATION_KEYS=orgID-example-servers

Optional - Commit your changes into Subversion once you are satisfied with them.

[root@desktopX bootstrap]# svn commit -m 'Enabled script and added act key.'
Sending bootstrap.sh
Transmitting file data .
Committed revision 14.

4. Once the client machine has finished installing, log in as root, download the bootstrap script, and execute it manually. Normally this step would be performed in the %post section of a kickstart installation for full automation.

Sign into the Satellite Server web interface as normal and confirm the system is registered and belongs to the example-servers system group.

[root@desktopY ~]# wget http://desktopX/pub/bootstrap/bootstrap.sh
[root@desktopY ~]# bash bootstrap.sh
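
Step 4 fetches bootstrap.sh over plain HTTP and runs it as root, so the downloaded copy can be reviewed against the choices made in steps 2 and 3 before it is executed. The script below is an added example, not part of the workbook or of Red Hat's tooling. ACTIVATION_KEYS and the exit 1 guard come from the listing above; the variable names USING_SSL, USING_GPG, ALLOW_CONFIG_ACTIONS and ALLOW_REMOTE_COMMANDS are assumptions about the generated script, and the sample script text is constructed.

```sh
#!/bin/sh
# Added example: review a downloaded bootstrap.sh before running it as root.
# ACTIVATION_KEYS and the "exit 1" guard come from the workbook; the other
# variable names are assumptions about what the generated script contains.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {  # usage: file_sha256 FILE
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the value of the last uncommented NAME=value line in FILE.
get_setting() {  # usage: get_setting FILE NAME
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Compare one setting with the expected value; report and count mismatches.
expect() {  # usage: expect FILE NAME WANTED
    got=$(get_setting "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2=$got"
    else
        echo "FAIL  $2=${got:-<unset>} (expected $3)"
        failures=$((failures + 1))
    fi
}

# Review FILE. WANT_KEY is the activation key; WANT_SHA is an optional digest
# obtained from the Satellite administrator by a separate channel.
# Returns 0 only if every check passes.
preflight() {  # usage: preflight FILE WANT_KEY [WANT_SHA]
    failures=0
    if [ -n "${3:-}" ]; then
        if [ "$(file_sha256 "$1")" = "$3" ]; then
            echo "ok    digest matches"
        else
            echo "FAIL  digest differs from the expected value"
            failures=$((failures + 1))
        fi
    fi
    # The template ships with an unindented "exit 1" that must be disabled.
    if grep -q '^exit 1' "$1"; then
        echo "FAIL  exit guard is still active"
        failures=$((failures + 1))
    else
        echo "ok    exit guard disabled"
    fi
    expect "$1" ACTIVATION_KEYS "$2"
    expect "$1" USING_SSL 1               # SSL enabled in the web form
    expect "$1" USING_GPG 1               # client GPG checking enabled
    expect "$1" ALLOW_CONFIG_ACTIONS 0    # remote configuration left off
    expect "$1" ALLOW_REMOTE_COMMANDS 0   # remote commands left off
    [ "$failures" -eq 0 ]
}

# Constructed sample standing in for the downloaded script.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
echo "the exit below)"
echo
#exit 1
# NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine.
ACTIVATION_KEYS=orgID-example-servers
USING_SSL=1
USING_GPG=1
ALLOW_CONFIG_ACTIONS=0
ALLOW_REMOTE_COMMANDS=0
EOF
}

# Demonstration: review the constructed sample and report the verdict.
sample=$(mktemp)
write_sample "$sample"
if preflight "$sample" orgID-example-servers "$(file_sha256 "$sample")"; then
    echo "review passed"
else
    echo "review failed: do not run this script"
fi
rm -f "$sample"
```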


Red Hat Network Software Management

Practice Exercise

Custom Software Channel Administration

Create Linux and RHN Satellite accounts for the responsible person who is in charge of managing custom channel content. Create a GPG key for signing trusted third-party packages. Once the pieces are in place, create a custom software channel for Example, Inc. third-party software packages.

1. Create Linux and RHN Satellite accounts on desktopX.example.com for Charles Channelman, the person responsible for managing software channels on the Satellite Server. The login/user name for his accounts should be channelman with passwords of redhat. His Red Hat Network account on the Satellite Server should permit him to manage software channels and the systems in the example servers system group.

[root@desktopX ~]# useradd -c 'Charles Channelman' channelman
[root@desktopX ~]# echo redhat | passwd --stdin channelman

Create a Red Hat Network account for Charles on the Satellite Server. Log into Satellite web UI as example, the Organization Administrator. Select the Users tab then click the create new user link. Fill in the form that appears with the following values:

Field             Value
Desired Login     channelman
Desired Password  redhat
First, Last Name  Mr. Charles Channelman
E-mail            [email protected]

Click Create Login to create his Red Hat Network account.

He needs additional privileges to do his job. To make him a channel administrator, click on the channelman link to pull up his account settings. Put a check in the checkbox by the Channel Administrator role then click the Submit button to confirm the change. Click the System Groups tab within his account page then check the example servers checkbox. Click the Update Permissions button to confirm your changes to allow channelman to administrate the system group also.

2. Log into a shell account on desktopX as channelman and create a GPG key. The key should be a 2048-bit RSA key used for signing packages only. It shouldn't expire and should be protected with a passphrase of redhat. The owner of the key should be “Charles Channelman <[email protected]>”.

Export an ASCII-armored version of the public key and copy it to /var/www/html/pub/EXAMPLE-GPG-KEY.

What is the GPG key id and fingerprint of the key you just created?

[channelman@desktopX ~]$ gpg --gen-key
... Output Omitted ...
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) Enter
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment, and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Charles Channelman
Email address: [email protected]
Comment: Enter

You selected this USER-ID:
    "Charles Channelman <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.
Enter passphrase: redhat
Repeat passphrase: redhat
... Output Omitted ...
pub   2048R/GPG-key-ID 2011-06-09
      Key fingerprint = GPG-fingerprint
uid                  Charles Channelman <[email protected]>
... Output Omitted ...

Even though the GPG key ID and fingerprint are displayed when a key is created, they can also be displayed later using the following command:

[channelman@desktopX ~]$ gpg --list-key --fingerprint
/home/channelman/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/GPG-key-ID 2011-06-09
      Key fingerprint = GPG-fingerprint
uid                  Charles Channelman <[email protected]>

Export an ASCII armor version of the public key to publish to client machines so they can verify RPM packages signed with the private key:

[channelman@desktopX ~]$ gpg --armor --export GPG-key-ID > /tmp/EXAMPLE-GPG-KEY

[root@desktopX ~]# cp /tmp/EXAMPLE-GPG-KEY /var/www/html/pub/

3. Create a custom child software channel named “Example custom” with a label of example-custom and configure it to advertise Charles Channelman's GPG key for verifying package signatures. It should be a child channel of the Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64) base software channel.

Log into Satellite web UI as channelman. Choose the Channels top-level tab, select Manage Software Channels from the menu at the left, then click the create new channel link. Fill out the form that appears with the following values:

Field                               Value
Channel Name                        Example custom
Channel Label                       example-custom
Parent Channel                      Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64)
Parent Channel Architecture         x86_64
Yum Repository Checksum Type        sha256
Channel Summary                     Example third-party software
Channel Description                 Example third-party software
Maintainer Name                     Charles Channelman (not required)
Email Address                       [email protected]
Phone Number                        leave empty
Support Policy                      leave empty
Per-User Subscription Restrictions  Leave All users selected
Organization Sharing                Leave This channel is private selected
GPG key URL                         http://desktopX.example.com/pub/EXAMPLE-GPG-KEY
GPG key ID                          GPG-key-ID
GPG key Fingerprint                 GPG-fingerprint

Click the Create Channel button to create the custom software channel.

Practice Exercise

Loading Red Hat Content into RHN Satellite

All Red Hat base software channels have a child channel called “Red Hat Network Tools.” This channel provides useful packages for machines that are clients of a RHN Satellite Server.

• Log in as root on desktopX. In root's home directory you will find a subdirectory called sat-rhel6-content. Examine its contents and import the channel that provides the “Red Hat Network Tools” which pertain to the base channel content you already loaded in your Satellite Server.

[root@desktopX ~]# satellite-sync -m /root/sat-rhel6-content -l
... Output omitted ...
19:29:05
19:29:05 Retrieving / parsing channel-families data
19:29:05 channel-families data complete
19:29:05
19:29:05 Retrieving / parsing channel data
19:29:05    p = previously imported/synced channel
19:29:05    . = channel not yet imported/synced
19:29:05 base-channels:
19:29:05    . rhel-x86_64-client-6 2911
19:29:05    p rhel-x86_64-server-6 3583
... Output omitted ...
19:29:05 rhel-x86_64-server-6:
19:29:05    . rhel-x86_64-server-fastrack-6 0
... Output omitted ...
19:29:05    . rhn-tools-rhel-x86_64-server-6 21
... Output omitted ...
[root@desktopX ~]# satellite-sync -m /root/sat-rhel6-content -c rhn-tools-rhel-x86_64-server-6

Practice Performance Checklist

Loading Third-party Content into RHN Satellite

As channelman, take a third-party RPM provided by the instructor, sign it, and import it into the RHN Satellite Server and associate it with the example-custom software channel.

Log in as Charles Channelman, channelman, on desktopX.example.com.

Copy the example-1.0-1.noarch.rpm RPM from /misc/instructor/RPMS to Charles' home directory, and sign it with his GPG key.

[channelman@desktopX ~]$ cp /misc/instructor/RPMS/example-1.0-1.* ~
[channelman@desktopX ~]$ echo '%_gpg_name GPG-key-ID' > ~/.rpmmacros
[channelman@desktopX ~]$ rpm --resign example-1.0-1.noarch.rpm
Enter pass phrase: redhat
Pass phrase is good.
example-1.0-1.noarch.rpm:
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened

Import the RPM into the Satellite Server so it is associated with the example-custom software channel.

[channelman@desktopX ~]$ rhnpush --server=desktopX -c example-custom example-1.0-1.noarch.rpm
Red Hat Network username: channelman
Red Hat Network password: redhat

Practice Performance Checklist

Subscribing to a Custom Channel

Associate your client system, desktopY.example.com, with your custom software channel and install the example RPM on the client host.

Subscribe your client system to the example-custom custom software channel.

Log in as an RHN user who can administer the client system, either channelman or normal will do. Select the Systems top-level tab then select Systems from the menu at the left. Select the link to the client system to access its Details page. Click the Software tab then the Software Channels sub-tab. Check the checkbox by Example custom in the Software Channels Subscriptions then click the Change Subscriptions button to confirm your change.

Import the GPG key used to sign the packages provided by the custom channel into the RPM database on the client system. Install the example RPM on the client machine using the yum command.

Log in as root on desktopY and execute the following commands:

[root@desktopY ~]# rpm --import http://desktopX/pub/EXAMPLE-GPG-KEY
[root@desktopY ~]# yum repolist
Loaded plugins: refresh-packagekit, rhnplugin
repo id                 repo name                             status
example-custom          Example custom                        1
rhel-x86_64-server-6    Red Hat Enterprise Linux Server ...   3,583
repolist: 3,584
[root@desktopY ~]# yum install -y example

Warnings will be displayed when the RPM installs because some of the files in the RPM have broken ownerships.
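
The rpm --import step above takes the key straight from an HTTP URL, and the client then trusts every package that key signs. The following added example (not from the workbook) downloads the key to a file first and imports it only if its fingerprint equals the value channelman recorded when the key was created. The function names are assumptions, and the key ID and fingerprint in the constructed sample listing are made-up placeholders.

```shell
#!/bin/sh
# Added example (not the workbook's code): import a package-signing key into
# the RPM database only if its fingerprint matches a pinned value.
# Assumption: the expected fingerprint was copied from channelman's
# "gpg --list-key --fingerprint" output through a trusted path.

# Reduce a fingerprint to bare upper-case hex so that the spaced form gpg
# prints for humans compares equal to the colon-listing form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# check_listing EXPECTED_FPR   (reads "gpg --with-colons" output on stdin)
# Returns 0 if the listing holds exactly one primary key whose fingerprint
# matches, 1 on a fingerprint mismatch, 2 if the listing has no key, no
# fingerprint record, or more than one primary key (checking one fingerprint
# says nothing about any additional key in the same file).
check_listing() {
    want=$(normalize_fpr "$1")
    listing=$(cat)
    pubs=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pubs" -eq 1 ] || return 2
    # Field 10 of the first "fpr" record is the primary key's fingerprint.
    got=$(printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$got" ] || return 2
    [ "$(normalize_fpr "$got")" = "$want" ] || return 1
    return 0
}

# import_if_pinned KEYFILE EXPECTED_FPR
# Lists the key file (nothing is imported into a GnuPG keyring), checks the
# listing, and only then hands the file to rpm.
import_if_pinned() {
    if gpg --with-colons --with-fingerprint "$1" 2>/dev/null | check_listing "$2"; then
        rpm --import "$1"
    else
        echo "refusing to import $1: fingerprint check failed" >&2
        return 1
    fi
}

# Constructed sample of a colon listing for one 2048-bit RSA key
# (algorithm 1). The key ID and fingerprint are made-up placeholders.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:2011-06-09:::-:Charles Channelman::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
EOF
}

# Typical use on the client, replacing "rpm --import http://...":
#   wget -O /tmp/EXAMPLE-GPG-KEY http://desktopX/pub/EXAMPLE-GPG-KEY
#   import_if_pinned /tmp/EXAMPLE-GPG-KEY "$EXPECTED_FPR"
```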

Practice Performance Checklist

Managing Updates with Cloned Channels

Create clones of standard Red Hat channels and custom channels to control how software updates are rolled out to client systems.

Create clones of standard Red Hat software channels (both base and child channels) and the custom software channel in your Satellite Server. These channels will be “Production” versions of their original counterparts so assign them labels identical to the original channels with a “prod-” prefix. Use the default values provided for the access controls of the cloned channels.

First, clone the base channel that is the parent of all the other channels. Log in to the Satellite Server as the Channel Administrator, channelman. Click the Channels tab then select the Manage Software Channels menu item from the left. Click the clone channel link in the upper right-hand corner of the frame. Fill in the form that appears with the following values:

Field       Value
Clone From  Select Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64)
Clone       Select Original state

Click the Create Channel button. Another form will appear requiring additional information. Fill it in with the following values:

Field          Value
Channel Name   Production Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64)
Channel Label  prod-rhel-x86_64-server-6

Leave the remaining fields with their default values then click the Create Channel button to complete the creation of the cloned base channel.

Now the child channels must be cloned. Click the Channels tab then select the Manage Software Channels menu item from the left. Click the clone channel link in the upper right-hand corner of the frame. Fill in the form that appears with the following values:

Field       Value
Clone From  Select RHN Tools for RHEL (v.6 for 64-bit x86_64)
Clone       Select Current state

Click the Create Channel button. Another form will appear requiring additional information. Fill it in with the following values:

Field           Value
Parent Channel  Select Production Red Hat Enterprise Linux (v.6 for 64-bit x86_64)
Channel Name    Production RHN Tools for RHEL (v. 6 for 64-bit x86_64)
Channel Label   prod-rhn-tools-rhel-x86_64-server-6

Leave the remaining fields with their default values then click the Create Channel button to complete the creation of the cloned child channel. Repeat the same process for the Example custom child channel.

Change the subscriptions of your client machine, desktopY, so it subscribes to the new cloned channels. Include “production” versions of the base channel and the Example custom child channel.

Remove, then reinstall, the example RPM and confirm it comes from one of the cloned channels just created.

Pull up the client system profile by selecting the Systems top-level tab, select Systems from the menu at the left, then click the client host name link. Select the Software tab then the Software Channels sub-tab. In the Base Software Channel frame, highlight the Production Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base channel and click Confirm. If a warning displays, click Modify Base Software Channel anyway to confirm the assignment to the new base channel you have selected. After the screen refreshes, check the checkbox to select the Production Example custom child channel. Click the Change Subscriptions button to confirm your selection.

[root@desktopY ~]# yum -y remove example
[root@desktopY ~]# yum install -y example
... Output Omitted ...
Installing:
 example    noarch    1.0-1    prod-example-custom    2.7 k
... Output Omitted

Practice Exercise

Update Notifications with RHN Errata

Sign and import a newer (fixed) RPM into the Satellite Server. Create an errata to notify client system administrators that a fix has been published. Observe its impact on the client systems.

1. Log in as Charles Channelman, channelman, on desktopX.example.com. Copy the improved RPM, example-1.0-2.noarch.rpm, from /misc/instructor/RPMS to Charles' home directory and sign it with his GPG key. Import the new RPM into the Satellite Server so it is associated with the example-custom software channel.

[channelman@desktopX ~]$ cp /misc/instructor/RPMS/example-1.0-2.* ~
[channelman@desktopX ~]$ rpm --resign example-1.0-2.noarch.rpm
[channelman@desktopX ~]$ rhnpush --server=desktopX -c example-custom example-1.0-2.noarch.rpm

2. Create and publish an errata notification that announces the availability of the example-1.0-2.noarch.rpm package. The errata synopsis should read, “example - file ownerships fixed”. Advisory EXBA-2010:0001 release 1 is a bug fix advisory.

Log into the Satellite Server as channelman since Channel Administrator privileges are needed to manage errata. Click on the Errata tab then select Manage Errata from the menu on the left. Click the create new erratum link in the upper right-hand corner. Fill in the Errata Management form with the following values:

Field             Value
Synopsis          example - file ownerships fixed
Advisory          EXBA-2010:0001
Advisory Release  1
Advisory Type     Select Bug Fix Advisory
Product           example
Topic             Example topic goes here.
Description       RPM produces warnings when installing because of incorrect ownership.
Solution          Fixed file ownership of created file.

Leave non-required fields blank

Click the Create Errata button to confirm your changes and create the errata. Another form should appear entitled “Errata: EXBA-2010:0001-1.” Click the Packages tab then select the Add sub-tab. Select example-1.0-2.noarch by clicking the checkbox next to its name then click the Add Packages button. Click the Confirm button to finalize the creation of the errata. Click the Details tab then click the Publish Errata button to make the errata visible to client systems. Click the checkbox to select the Example custom software channel then click the Publish Errata button.

3. Browse the Satellite Server's web UI and verify that the Errata is published. Notice that the client system is not impacted because we changed its software channel subscriptions to the Production channels.

As channelman, click on the Errata tab then select Errata from the left menu. Notice there are no relevant errata because there are no systems currently subscribed to the Example custom channel. Select All under the Errata in the left menu and verify that EXBA-2010:0001 shows up.

4. Clone the errata and make it available to the prod-example-custom channel. Log into the client system, desktopY, as root and confirm the new RPM is available for installation. Note: The update may take up to 10 minutes to become available for installation because the default yum settings cause metadata to expire after 10 minutes. Use yum clean all to clear the caches and verify you can view the update.

As channelman, click on the Errata tab then select Clone Errata from the left menu. Find the example bug fix and check the box next to it. Click on the Clone Errata button at the bottom of the page. On the next page, click the Confirm button. This cloned errata will have a CLA-2010:0001 advisory number. Click on the CLA-2010:0001 cloned errata link, then click the Publish Errata button. As before, the next page allows you to choose which channel to publish this erratum. Choose the Production Example custom channel this time and click on the Publish Errata button. The next page confirms that you do not have the file in the channel yet, so select the example package and click the Continue button to push the package to the channel. Notice there are no relevant errata because there are no systems currently subscribed to the Example custom channel. Select All under the Errata in the left menu and verify that EXBA-2010:0001 shows up.

Log into desktopY as root and confirm the updated package is available for installation:

[root@desktopY ~]# yum clean all
[root@desktopY ~]# yum list updates
... Output Omitted ...
Loaded plugins: rhnplugin
Updated Packages
example.noarch    1.0-2    example-custom

Building RPMs

Practice Quiz

RPM Spec File

1. The package Version is usually derived from the open source project while the package Release is the packager's version.

2. The name of the tarball containing the files used to build the package is specified with the Source directive.

3. The BuildArch directive specifies the target architecture the package is being built for. noarch will be its value when the package can be installed on any architecture.

4. The Summary directive specifies the one-line description of a package while the %description section provides a more thorough explanation of what that package is for.

5. The %install section contains the code used to place files in the $RPM_BUILD_ROOT chroot directory structure.

6. The %files section defines which files and directories to package into the RPM.

7. The %prep, %build, %install and %clean sections contain shell code used to assemble a package and clean up after it has been built.

Test

Criterion Test

Performance Checklist

Building an RPM Package

Before you begin...

If you haven't already done so, create a non-root user called student on your RHEL 6 workstation, desktopY. You will use this unprivileged account to build your RPM packages for RHEL 6 systems.

In this exercise you will create an RPM for a package called “hello”. It should have version 1.0 with a release of 1 and it should be able to be installed on multiple architectures.

Log in as root on desktopY and create a student account with a password of student.

[root@desktopY ~]# useradd student
[root@desktopY ~]# echo student | passwd --stdin student

Log in as student on desktopY and make a directory called hello-1.0. Download the file ftp://instructor.example.com/pub/materials/hello.sh and save it in that directory.

[student@desktopY ~]$ mkdir ~/hello-1.0
[student@desktopY ~]$ cd ~/hello-1.0
[student@desktopY hello-1.0]$ wget ftp://instructor.example.com/pub/materials/hello.sh

Create a simple RPM that installs hello.sh in /usr/local/bin. Make sure hello.sh is installed with a mode of 755 and is owned by root on machines it is installed on. Also make sure the RPM can be installed on all architectures.

First, create the necessary directory structure that rpmbuild requires. Also create the tar archive with the source files:

[student@desktopY hello-1.0]$ cd
[student@desktopY ~]$ mkdir -p ~/rpmbuild/SOURCES
[student@desktopY ~]$ mkdir -p ~/rpmbuild/SPECS
[student@desktopY ~]$ tar -czvf ~/rpmbuild/SOURCES/hello-1.0-1.tar.gz hello-1.0

Next create a spec file for the package. Remember that vim on RHEL 6 will provide a template if you specify a file with a .spec extension:

[student@desktopY ~]$ vim ~/rpmbuild/SPECS/hello.spec

The contents of ~/rpmbuild/SPECS/hello.spec should look like the following when you finish with your changes:

Name:           hello
Version:        1.0
Release:        1
Summary:        Hello program
Group:          RH401
License:        GPL
URL:            http://www.redhat.com
Source0:        %{name}-%{version}-%{release}.tar.gz
BuildRoot:      /var/tmp/%{name}-buildroot
BuildArch:      noarch

%description
hello.sh is a very friendly greeting program. It should be installed
on every system around the world.

%prep
%setup -q -n %{name}-%{version}

%build

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/local/bin
install -m 755 hello.sh $RPM_BUILD_ROOT/usr/local/bin/hello.sh

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
/usr/local/bin/hello.sh

%changelog
* Thu Jun 9 2011 George <[email protected]> - 1.0-1
- Original build

Install the rpm-build package if it isn't already installed.

[student@desktopY ~]$ su -
Password: redhat
[root@desktopY ~]# yum install -y rpm-build
... Output omitted ...
[root@desktopY ~]# exit
[student@desktopY ~]$ rpmbuild -ba ~/rpmbuild/SPECS/hello.spec
... Output omitted ...

Copy the binary and source RPMs to channelman's account on desktopX so he can sign the package and publish it via the Satellite server.

[student@desktopY ~]$ scp -p ~/rpmbuild/SRPMS/hello-1.0-1.src.rpm channelman@desktopX:
... Output omitted ...
[student@desktopY ~]$ scp -p ~/rpmbuild/RPMS/noarch/hello-1.0-1.noarch.rpm channelman@desktopX:
... Output omitted ...

Log into desktopX as channelman and sign the hello binary and source RPMS. Import both packages into the example-custom channel on your Satellite server.

[channelman@desktopX ~]$ rpm --resign hello-1.0-1.noarch.rpm hello-1.0-1.src.rpm
Enter pass phrase: redhat
Pass phrase is good.
hello-1.0-1.noarch.rpm:
hello-1.0-1.src.rpm:
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened
[channelman@desktopX ~]$ rhnpush --server=desktopX -c example-custom hello-1.0-1.noarch.rpm
Red Hat Network username: channelman
Red Hat Network password: redhat
[channelman@desktopX ~]$ rhnpush --server=desktopX -c example-custom --source hello-1.0-1.src.rpm
Red Hat Network username: channelman
Red Hat Network password: redhat

Confirm these packages are in the Satellite server. Log in to the Satellite web interface as the Organization Administrator, example, and select the Channels tab. Expand the Red Hat Enterprise Linux Server (v.6 for 64-bit x86_64) entry then click on the Example custom child channel. Click the Packages tab and confirm the hello-1.0-1.noarch.rpm package is listed. Click on the package name then scroll to the bottom to see the Source Package link and confirm the source RPM is also imported.

Configuration File Management with RHN

Practice Performance Checklist

Creating and Populating a Configuration Channel

Use your RHN Satellite Server to deploy configuration files. In this exercise you will create a Configuration Administrator account, create a configuration channel, and populate it with a custom configuration file for Example Inc.

Create a Configuration Administrator account for the Example Inc. organization on your RHN Satellite Server. The account is for Ms. Janice Configurator and should have the login of configurator with a password of redhat. RHN Satellite generated e-mail for her should go to [email protected]. Also she should be able to administer systems in the example servers system group.

Log into the Satellite web UI as the Example Inc. Organization Administrator, example. Select the Users tab then click the create new user link. Fill in the form that appears with the following values:

Field             Value
Desired Login     configurator
Desired Password  redhat
First, Last Name  Ms. Janice Configurator
E-mail            [email protected]

Click the Create Login button to create the account. Find the new account in the list of Active Users and click on the link to the new user. Check Configuration Administrator under the list of Roles then click the Submit button. To allow her to administer systems in the example servers system group, select the System Groups sub-tab and check the example servers checkbox. Click the Update Permissions button to confirm your changes to her account.

Log in to your RHN Satellite Server as configurator and create a configuration channel called “Example Configs” with the label example-configs.

Select the Configuration top-level tab, choose Configuration Channels from the menu that appears, then click the create new config channel link. Fill in the form that appears with the following values:

Field        Value
Name         Example Configs
Label        example-configs
Description  Example Inc. configuration files

Click the Create Config Channel button to create the channel. The overview page for the new configuration channel should appear.

Add a configuration file to the example-configs configuration channel. The file should provide a custom login banner for Example Inc. servers. The file to add to the configuration channel should be /etc/issue. It should have user and group ownership of root in both cases and should have permissions of -r--r--r--. The file contents should be:

*** Example Inc. ***
blank line

Navigate to the Example Configs management page if you are not already there. Select the Add Files tab within the page then choose the Create File sub-tab. Specify the following configuration file attributes and content:

Field                  Value
File Type              Select the Text file radio button
Filename/Path          /etc/issue
Ownership              root/root
File Permissions Mode  444
File Contents          *** Example Inc. ***

Click the Create Configuration File button to confirm your changes.

Practice Performance Checklist

Deploying Configuration Files to a RHN Client

Configure your client server so it will pull custom configuration file content from the configuration channel you created on your RHN Satellite Server.

Entitle your client server, desktopY, to be able to install the tools necessary to provision it from your Satellite Server.

Log in as configurator since she can manage systems in the example servers system group. Click the Systems tab then select the desktopY.example.com system link. Click on the Details tab followed by the Properties sub-tab. Within the Add-On Entitlements section select the Provisioning checkbox then click the Update Properties button.

Install all necessary RHN configuration client software on desktopY. Configure your client system so it will permit configuration files to be deployed on it.

First, subscribe your client system to the rhn-tools child software channel. Click the Systems tab then select the desktopY.example.com system link. Click on the Software tab followed by the Software Channels sub-tab. Select the checkbox by the relevant RHN Tools child channel then click the Change Subscriptions button to confirm your change.

Because you added a new software channel, clean the yum cache on the client and install the rhncfg-actions RPM on desktopY:

[root@desktopY ~]# yum clean all
... Output Omitted ...
[root@desktopY ~]# yum install -y rhncfg-actions
... Output Omitted ...
[root@desktopY ~]# rhn-actions-control --enable-deploy

Modify the desktopY.example.com system profile so it subscribes to the example-configs configuration channel. Execute commands on the client system so it downloads the configuration files provided by example-configs. Verify the new /etc/issue file successfully deploys.

Click the Systems tab then select the desktopY.example.com system link. Choose the Configuration tab within the system overview page. Select the Manage Configuration Channels sub-tab then choose the Subscribe to Channels tab that appears. Check the Example Configs checkbox then click the Continue button. A page will appear entitled Step 2: Rank Channels for Subscription. Since we only have a single configuration channel, click the Update Channel Rankings button to complete the subscription.

Execute the following command as root on desktopY:

[root@desktopY ~]# rhncfg-client get
Deploying /etc/issue

Verify the new /etc/issue file was successfully deployed by displaying its contents.

[root@desktopY ~]# cat /etc/issue

Practice Performance Checklist

Command-line Configuration File Management

Red Hat provides tools that allow an administrator to manage configuration channel content from the command-line. Use commands from the shell to update the configuration file content in your RHN Satellite Server.

Install all necessary software on desktopY to perform configuration file management from the command-line. Create a directory called ~/config-mgmt where configuration files can be downloaded, modified, and uploaded back into the RHN Satellite Server.

[root@desktopY ~]# yum install -y rhncfg-management
... Output omitted ...
[root@desktopY ~]# mkdir ~/config-mgmt

Use the RHN command-line management tools to download the files for the example-configs configuration channel below ~/config-mgmt. Modify the configuration channel's /etc/issue file so it contains the following content:

*** Example Inc. ***
No trespassing allowed.
blank line

Use the command-line management tools to upload your change into your RHN Satellite Server.

[root@desktopY ~]# rhncfg-manager download-channel -t config-mgmt/ example-configs
Red Hat Network username: configurator
Password: redhat
Deploying /etc/issue -> config-mgmt/example-configs/etc/issue

When rhncfg-manager prompts for a RHN username and password, you must authenticate as either an Organization Administrator or a Configuration Administrator.

[root@desktopY ~]# vi config-mgmt/example-configs/etc/issue
[root@desktopY ~]# rhncfg-manager upload-channel -t config-mgmt/ -c example-configs
Using config channel example-configs
Uploading /etc/issue from config-mgmt/example-configs/etc/issue

Pull configuration files from the Satellite Server down to desktopY. Verify the most current version of /etc/issue has been deployed.

[root@desktopY ~]# rhncfg-client get
Deploying /etc/issue
[root@desktopY ~]# cat /etc/issue
*** Example Inc. ***
No trespassing allowed.

Provisioning with PXE

Practice Exercise

Automating RHN Satellite Client Configuration

Use an activation key to register newly installed machines to your Red Hat Network Satellite Server. It should subscribe the systems to useful software channels and join the Example Servers system group.

1. Create an activation key with a label of example-web. When clients are registered with this activation key, the following actions should be performed:

• Subscribe to the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base software channel

• Subscribe to the related Red Hat Network Tools and Example custom child software channels

• Provide a provisioning entitlement

• Subscribe to the Example Configs configuration channel

• Deploy configuration files provided by the Example Configs configuration channel

• Associate with the Example Servers system group

Log in as an Activation Key Administrator or an Organization Administrator for Example,Inc., in this case log in to the Satellite web interface as example. Navigate to the CreateActivation Key screen. Select the Systems tab, choose Activation Keys from the menu atthe left, then click the create new key link. When the Create Activation Key page appears,make the following selections:

Field                 Value
Description           Example Web Server
Key                   orgID-example-web
Usage                 leave this field blank
Base Channels         Select Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
Add-On Entitlements   Check the Provisioning checkbox
Universal Default     leave this checkbox unchecked

Click the Create Activation Key button to confirm your selections.

Examine each of the tabs that are presented for the new activation key. Start with the Details tab. Check the Configuration File Deployment check box then click the Update Activation Key button to confirm your change.


Select the Child Channels tab. Highlight both the Example custom and the RHN Tools for RHEL (v. 6 for 64-bit x86_64) child software channels. Click the Update Key button to register your changes.

Select the Packages tab. Note the packages that are listed by default. Do not make any changes to this list.

Click the Configuration tab then select the Subscribe to Channels sub-tab. Check the Example Configs checkbox. Click the Continue button to confirm your selection.

Click the Groups tab then select the Join sub-tab. Check the Example Servers checkbox. Click the Join Selected Groups button to confirm your changes.

2. Since signed packages will probably be deployed when the new systems are provisioned, the GPG keys used to verify their signatures need to be deployed as well. Import the GPG key used to verify custom packages built for Example, Inc. and the GPG key used to verify standard Red Hat released RPMS. These keys are found in /var/www/html/pub/EXAMPLE-GPG-KEY and /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release respectively.

You should still be logged in to your Satellite Server as example, the Organization Administrator for Example, Incorporated. Navigate to the GPG Public Keys and SSL Certificates screen. Select the Systems tab, choose Kickstart from the menu at the left, then click the GPG and SSL Keys option from the sub-menu that appears. When the GPG Public Keys and SSL Certificates screen appears you should see the RHN-ORG-TRUSTED-SSL-CERT SSL key selected by default.

Click the create new stored key/cert link and when the Create GPG/SSL Key page appears, make the following selections:

Field                   Value
Description             Example Custom Key
Type                    Select GPG
Select file to upload   Click the Browse button, then navigate to /var/www/html/pub/EXAMPLE-GPG-KEY

Click the Create Key button to confirm your selections. When the GPG Public Keys and SSL Certificates screen appears you should see your key added.

Perform the same steps listed above to import the GPG key Red Hat uses to check their package signatures. The Description should be Red Hat Release Key and the path to browse for that key is /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release.

Practice Exercise

Creating a Web Server Kickstart Profile

Create a kickstart profile to build a web server that is ready to use immediately after it is installed from bare metal.


1. Create a kickstart profile labeled web-server that uses Red Hat Enterprise Linux 6 Server to install a new machine. This profile will be used for bare-metal installations without any use of virtualization. The most recent kickstart tree available should be used to perform the installation. The initial root password for systems built with this profile should be redhat.

Click the Systems tab then choose Kickstart from the menu that appears. Click the create new kickstart profile link to advance to the Step 1: Create Kickstart Profile page. When it appears, make the following selections:

Field                 Value
Label                 web-server
Base Channel          Select Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
Kickstartable Tree    Select ks-rhel-x86_64-server-6-6.0
Virtualization Type   Select None

Click the Next button. The Step 2: Distribution File Location screen should appear. Leave the Default Download Location radio button selected and click the Next button again. The final screen entitled Step 3: Root Password should appear. Specify a password of redhat, verify it, then click the Finish button when done.

2. The kickstart profile should create three native disk partitions. The first partition should contain a 256MB ext3 file system mounted as /boot. A swap partition should be created 2048MB large. The final native disk partition should be a 17GB LVM physical volume.

Create a volume group named vol0 that includes the 17GB physical volume. Two logical volumes should be created within the vol0 volume group. The first logical volume should be named home and it should be 512MB in size. It will contain the /home filesystem. The second logical volume should be named root and it should consume the rest of the unused storage in vol0. It will be used for the / filesystem.

Choose the appropriate time zone for your locale. Systems in this organization have hardware clocks which keep time using UTC instead of local time.

The kickstart should install the GPG keys used to verify package signatures for RPMS released from Red Hat and custom packages provided by Example, Inc.

To specify disk partitioning, within the kickstart profile click on the System Details tab. Select the Partitioning sub-tab and make the following adjustments:

partition swap --size=2048
partition pv.01 --size=17000
partition /boot --fstype=ext3 --size=256

volgroup vol0 pv.01

logvol /home --vgname=vol0 --name=home --size=512
logvol / --vgname=vol0 --name=root --size=1000 --grow

Click the Update Partitions button to confirm your changes.


To adjust the timezone, select the Locale sub-tab. Choose the appropriate timezone from the pull-down menu and check the Hardware Clock uses UTC check box. Click the Update Locale Preferences button to accept your selections.

To install GPG keys used to sign RPMS, click on the System Details tab, then select the GPG & SSL sub-tab. The RHN-ORG-TRUSTED-SSL-CERT key should already be checked. Check the checkboxes by the Example Custom Key and the Red Hat Release Key selections. Click the Update keys button to confirm your selections.

3. Systems built with this kickstart profile are web servers, but they are also used with graphical utilities and Subversion. Ensure the subversion RPM and the following package groups are installed: x11, basic-desktop, and web-server.

For package selection, click the Software tab. The Package Groups sub-tab should be selected. Enter the following text into the dialog box on the display, one line per package group/package:

@ Base
@ x11
@ basic-desktop
@ web-server
subversion

Click the Update Packages button to confirm your changes.

4. Update the kickstart profile so systems built with this profile register with the Red Hat Network Satellite Server using the Example Web Server activation key.

Select the Activation Keys sub-tab (not the menu selection to left). Check the Example Web Server checkbox, then click the Update Activation Keys button to confirm your choice.

5. Create a post script in the kickstart profile that performs the following tasks:

• Create a user named oliver with a password of password

• Install the example RPM provided by the custom software channel

• Update all system software to its most current release

• Configure the web server to start at boot

Select the Scripts tab then click the add new kickstart script link. Complete the form that appears as follows:

Field                   Value
Scripting Language      Leave this field blank to use bash
Toggle Editor           Check/uncheck - your preference
Script Contents         *** see below ***
Script Execution Time   Select Post Script
nochroot                Leave unchecked
Template                Leave unchecked

# Create our Subversion user
useradd oliver
echo password | passwd --stdin oliver
# Install custom Example, Inc. RPM
yum install -y example
# Bring standard system software up to date
yum update -y
# Configure the web server to start at boot
chkconfig httpd on

Click the Update Kickstart button to confirm your changes.

Practice Exercise

Set up the Provisioning Network

Before desktopX provides any network services, it must be configured to communicate with and act as a gateway for its backend network. Also configure the Cobbler component of Red Hat Network Satellite Server to provide tftp and pxelinux capabilities for provisioning. Make sure Cobbler is installed and functioning properly.

1. Physically disconnect your client workstation, desktopY, from the classroom network. Cable desktopY so it is connected to the second NIC of desktopX. This can be accomplished with either cross-over cables or with a small switch with two patch cables. Your instructor should have provided you with all necessary hardware to accomplish this task.

2. Configure the backend interface of desktopX to have a static IP address of 10.100.X.254/24. You will not be able to fully test the backend interface until you power up and configure desktopY. Do a preliminary test by pinging the interface address.

Edit /etc/sysconfig/network-scripts/ifcfg-eth1 to configure 10.100.X.254 as a static IP on the backend interface:

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.100.X.254
NETMASK=255.255.255.0

If your file includes a HWADDR line, leave it in the interface configuration file. Do a preliminary test by pinging the interface address.

[root@desktopX ~]# ifup eth1
[root@desktopX ~]# ping -c1 -s0 -W1 10.100.X.254

3. Enable IPv4 packet forwarding on desktopX. Make sure this feature is persistent across reboots.

Edit /etc/sysctl.conf to enable IPv4 packet forwarding at boot time:


net.ipv4.ip_forward = 1

Load the settings in /etc/sysctl.conf into the kernel:

[root@desktopX ~]# sysctl -p

4. The following diagram represents the configuration of your lab environment when you finish this sequence:

RH401 Student Network Configuration
===================================

-----+-------------------- Classroom intranet
     | eth0
     | 192.168.0.X
 ,---+---.
 |       | desktopX.example.com (desktopX)
 |       |
 `---+---'
     | eth1
     | 10.100.X.254
     |
     | eth0
     | 10.100.X.1
 ,---+---.
 |       | station1.privateX.com (desktopY)
 |       |
 `-------'

5. When installing Red Hat Network Satellite Server, the installer asks if Cobbler should be used to provide provisioning services. If it isn't already installed, use the cobbler-setup command to install Cobbler and enable tftp services.

[root@desktopX ~]# cobbler-setup
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services (y/n, default = 'y')?y

6. Run cobbler sync as root to install the necessary files to support PXE network bootloading.

[root@desktopX ~]# cobbler sync

7. Confirm xinetd and tftp are configured to run at boot time and that xinetd is currently running.

[root@desktopX ~]# chkconfig xinetd --list
[root@desktopX ~]# chkconfig tftp --list
[root@desktopX ~]# service xinetd status


Use chkconfig service on to configure tftp or xinetd to start at boot time if necessary. service xinetd start will launch xinetd if it is not already running.

Practice Exercise

Configure DHCP to Support PXE

Install a DHCP server that will issue IP addresses, both generally and based on MAC address, to your provisioning network.

1. Install the dhcp package on desktopX.

[root@desktopX ~]# yum install -y dhcp

2. Use the /usr/share/doc/dhcp-*/dhcpd.conf.sample file as a starting point for the DHCP server.

• Change the subnet to 10.100.X.0/255.255.255.0.

• Change the router to the IP address of the backend network interface of your DHCP server.

• Set the DNS server to 192.168.0.254.

• Set the default DNS search domain to example.com.

• Issue IP addresses in the range from 10.100.X.2 to 10.100.X.10.

• Deploy the network boot loader to support PXE booting.

Configure your DHCP service to only issue IP addresses on the Ethernet card attached to the backend subnet.

Copy /usr/share/doc/dhcp-*/dhcpd.conf.sample to /etc/dhcpd.conf.

[root@desktopX ~]# cp /usr/share/doc/dhcp-*/dhcpd.conf.sample /etc/dhcpd.conf

Make changes to that file, so that the file looks something like the following. The X should match the last octet in the IP address of your frontend network interface.

authoritative;
ddns-update-style none;

subnet 10.100.X.0 netmask 255.255.255.0 {

        option routers                  10.100.X.254;
        option subnet-mask              255.255.255.0;
        option domain-name-servers      192.168.0.254;
        option domain-name              "example.com";

        # change to your timezone
        option time-offset              -18000; # EST
#       option time-offset              -21600; # CST
#       option time-offset              -25200; # MST
#       option time-offset              -28800; # PST

        range 10.100.X.2 10.100.X.10;
        default-lease-time 600;         # 10 minutes
        max-lease-time 3600;            # 1 hour

        next-server 10.100.X.254;
        filename "pxelinux.0";
}

Configure your DHCP service to only issue IP addresses on the Ethernet card attached to the backend subnet. For example, if your backend interface is eth1, edit /etc/sysconfig/dhcpd to include this line:

DHCPDARGS=eth1

3. In another terminal window or virtual console follow /var/log/messages. In your original shell start dhcpd and configure it to start at boot-time.

PXE boot your client workstation. You may need to press a function key during the boot sequence to choose network boot. Observe /var/log/messages as well as the boot messages on desktopY. Record desktopY's MAC address for future reference:

[root@desktopX ~]# tail -f /var/log/messages

[root@desktopX ~]# service dhcpd start
[root@desktopX ~]# chkconfig dhcpd on

desktopY should receive the IP address 10.100.X.10 since dhcpd offers addresses beginning with the last address in its range. /var/log/messages should contain a message like the following. Note the MAC address of desktopY.

Jun 6 10:01:48 desktopX dhcpd: DHCPOFFER on 10.100.X.10 to 01:23:45:67:89:ab via eth1

It should have obtained the default Cobbler PXE configuration and therefore booted normally according to its BIOS settings. If desktopY has no other boot loader in the MBR or removable media, and PXE is configured in the list of boot options, this means your client may enter an endless PXE boot sequence! Power off desktopY.

4. Use the MAC address of your second machine as recorded in /var/log/messages on desktopX to add a host IP reservation for 10.100.X.1 to /etc/dhcpd.conf. The name of the client host will be station1.privateX.com. Restart the dhcpd service.

PXE boot the client machine and verify that it gets the new address. It should also display the Cobbler PXE boot menu.

Replace 12:34:56:78:AB:CD with the appropriate MAC address from /var/log/messages. Replace X with your station number. For clarity, place the host declaration below the bottom of the subnet scope.

subnet 10.100.X.0 netmask 255.255.255.0 {
...options truncated...
}
host station1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 10.100.X.1;
}

[root@desktopX ~]# service dhcpd restart
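
A consistency check for the DHCP setup built in this exercise, added here as an example and not part of the workbook: it parses a dhcpd.conf shaped like the one above together with /etc/sysconfig/dhcpd and reports a reservation that collides with the dynamic range, a next-server that is not the provisioning host, and a dhcpd that is not pinned to the backend interface. The function name audit_dhcp, the station number X = 5 and the sample file contents are assumptions made for the example; it expects the host declarations below the subnet scope, as the exercise recommends.

```python
import ipaddress
import re

# Constructed sample input: the lab's /etc/dhcpd.conf with X = 5 (assumed station number).
SAMPLE_DHCPD_CONF = """\
authoritative;
ddns-update-style none;
subnet 10.100.5.0 netmask 255.255.255.0 {
        option routers 10.100.5.254;
        option domain-name-servers 192.168.0.254;
        range 10.100.5.2 10.100.5.10;
        next-server 10.100.5.254;   # TFTP server that serves pxelinux.0
        filename "pxelinux.0";
}
host station1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 10.100.5.1;
}
"""
# Constructed sample of /etc/sysconfig/dhcpd.
SAMPLE_SYSCONFIG = "DHCPDARGS=eth1\n"


def _value(pattern, text, flags=0):
    """Return the first capture group of pattern in text, or None."""
    hit = re.search(pattern, text, flags)
    return hit.group(1) if hit else None


def audit_dhcp(conf, sysconfig, backend_if, tftp_server):
    """Return a list of findings; an empty list means the lab constraints hold."""
    findings = []
    conf = re.sub(r"#.*", "", conf)            # drop comments
    sysconfig = re.sub(r"#.*", "", sysconfig)
    sub = re.search(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    if not sub:
        return ["no subnet declaration found"]
    net = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}")
    body = sub.group(3)

    # The dynamic range must be a valid span inside the provisioning subnet.
    lo = hi = None
    rng = re.search(r"\brange\s+(\S+)\s+(\S+?)\s*;", body)
    if rng is None:
        findings.append("subnet has no dynamic range")
    else:
        lo, hi = (ipaddress.ip_address(a) for a in rng.groups())
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"range {lo}-{hi} is not a valid span inside {net}")

    # The gateway handed to clients must be reachable on that subnet.
    router = _value(r"option\s+routers\s+(\S+?)\s*;", body)
    if router is None or ipaddress.ip_address(router) not in net:
        findings.append(f"option routers {router} is not an address in {net}")

    # PXE clients fetch their boot loader from next-server; it should be our own host.
    nxt = _value(r"next-server\s+(\S+?)\s*;", body)
    if nxt != tftp_server:
        findings.append(f"next-server is {nxt}, expected {tftp_server}")
    boot = _value(r'filename\s+"([^"]+)"\s*;', body)
    if boot != "pxelinux.0":
        findings.append(f"filename is {boot}, expected pxelinux.0")

    # Reservations: inside the subnet, outside the dynamic range, no duplicates.
    seen_mac, seen_ip = set(), set()
    for name, hbody in re.findall(r"\bhost\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        mac = (_value(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", hbody) or "").lower()
        ip_txt = _value(r"fixed-address\s+(\S+?)\s*;", hbody)
        if not mac or not ip_txt:
            findings.append(f"host {name}: needs hardware ethernet and fixed-address")
            continue
        ip = ipaddress.ip_address(ip_txt)
        if ip not in net:
            findings.append(f"host {name}: {ip} is outside {net}")
        elif lo is not None and lo <= ip <= hi:
            findings.append(f"host {name}: {ip} is inside the dynamic range {lo}-{hi}")
        if mac in seen_mac or ip in seen_ip:
            findings.append(f"host {name}: duplicate MAC or IP reservation")
        seen_mac.add(mac)
        seen_ip.add(ip)

    # dhcpd should be started with the backend interface as its only argument.
    args = _value(r'^\s*DHCPDARGS\s*=\s*"?([^"\n]*)"?\s*$', sysconfig, re.M)
    if (args or "").split() != [backend_if]:
        findings.append(f"DHCPDARGS is {args!r}, expected only {backend_if}")
    return findings


if __name__ == "__main__":
    for line in audit_dhcp(SAMPLE_DHCPD_CONF, SAMPLE_SYSCONFIG, "eth1", "10.100.5.254"):
        print("FINDING:", line)
```
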

Practice Exercise

PXE Installation of a Web Server

Now that all the pieces are in place, kickstart a client system as a web server within the Example, Inc. organization.

1. Delete all previous system profiles from the Satellite Server. This is required to free up all entitlements needed for the new web server that will be kickstarted.

Log in to the Satellite Server web interface as example, the Organization Administrator for Example, Inc. Click the Systems tab then select the Systems menu item from the menu that appears. For each system displayed, click the host name link to bring up each system profile. Click the delete system link that appears at the top of the screen then click the Delete Profile button to confirm the deletion.

2. Power on or reboot the client machine and select PXE boot. How PXE boot is selected varies between various hardware vendors. Notice the Cobbler menu that appears has a new menu item:

web-server:orgID:ExampleInc

Use the arrow keys and choose this menu item to begin the installation of your web server.

3. Once the installation completes, confirm the new web server is built according to specification. If anything didn't work properly, ask your instructor for help and troubleshoot your RHN Satellite configurations.

[root@desktopY ~]# df -h
... Output Omitted ...
[root@desktopY ~]# service httpd status
... Output Omitted ...
[root@desktopY ~]# rpm -q gpg-pubkey
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-2fa658e0-45700c69
gpg-pubkey-KEYID-4df66b78
[root@desktopY ~]# rpm -q subversion
... Output Omitted ...
[root@desktopY ~]# date
Should show your locale
[root@desktopY ~]# yum list updates
Should not display any packages
[root@desktopY ~]# id oliver
... Output Omitted ...


4. Completely automate the PXE installation of your web server. Delete the existing system profile to free up entitlements before you begin the automated installation. Configure the system BIOS to PXE boot first then boot from the local hard drive.

Create a Cobbler system profile for your system called station1 based on the machine's IP address. Configure Cobbler to PXE boot only once by default and use the netboot-enabled flag within the system profile to control installation.

After you install your system and confirm everything worked correctly, delete the station1 Cobbler system profile so it doesn't conflict with later lab exercises.

Log in to the Satellite Server web interface as example, the Organization Administrator for Example, Inc. Click the Systems tab then select the Systems menu item from the menu that appears. Click the host name link for your web server to bring up its system profile. Click the delete system link that appears at the top of the screen then click the Delete Profile button to confirm the deletion.

Configure Cobbler to perform the automated installation via PXE:

[root@desktopX ~]# cobbler list
distros:
   ks-rhel-x86_64-server-6-6.0

profiles:
   web-server:orgID:ExampleInc

systems:

repos:

images:

[root@desktopX ~]# cobbler system add --name=station1 --profile=web-server:orgID:ExampleInc --ip=10.100.X.1
[root@desktopX ~]# cobbler system report --name=station1 | grep -i netboot
Netboot Enabled? : True
[root@desktopX ~]# grep pxe_just_once /etc/cobbler/settings
pxe_just_once: 1
[root@desktopX ~]# rhn-satellite restart

Once the Satellite services have restarted, reboot the client system. The first time it PXE boots it will immediately begin a kickstart installation without displaying a menu. After it finishes installing, it should PXE boot again then boot from the local hard drive.

After you confirm the installation worked properly, clean up the station1 system with cobbler to free up the IP address so it doesn't interfere with later labs.

[root@desktopX ~]# cobbler system remove --name=station1


RHN Virtual Machine Management

Practice Exercise

Converting a Server to a Virtualization Host

Before you begin...

Your client machine, station1.privateX.com, will be transformed into a server that will host virtualization guest machines.

Example, Inc. has existing machines registered with their Red Hat Network Satellite Server. Virtualization is being introduced to their server room so existing hosts need to be converted into virtualization hosts running virtual guests.

1. First the network needs to be configured to provide a bridge network interface for virtual guests. Disable the NetworkManager service to prevent network configuration files from being modified automatically:

[root@station1 ~]# chkconfig NetworkManager off
[root@station1 ~]# service NetworkManager stop

Create/modify the network configuration files on station1 to support a network bridge. /etc/sysconfig/network-scripts/ifcfg-br0 should contain the following lines:

DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
DELAY=0
ONBOOT=yes

Modify /etc/sysconfig/network-scripts/ifcfg-eth0 so it contains the following lines:

DEVICE=eth0
BRIDGE=br0
HWADDR=mac-address-of-eth0
ONBOOT=yes

Once the files have been modified, restart the network service and confirm station1 has a working network with br0 bridge.

[root@station1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-br0
[root@station1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
[root@station1 ~]# service network restart
[root@station1 ~]# ip addr show br0
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 01:23:45:67:89:ab brd ff:ff:ff:ff:ff:ff
    inet 10.100.X.1 brd 10.100.X.255 scope global br0
    inet6 fe80::223:45ff:fe67:89ab/64 scope link
       valid_lft forever preferred_lft forever


2. Install additional software needed to support virtualization. Install the virtualization, virtualization-client, and virtualization-platform package groups. Once all the software is installed, reboot your client system.

[root@station1 ~]# yum groupinstall -y virtualization
... Output omitted ...
[root@station1 ~]# yum groupinstall -y virtualization-platform
... Output omitted ...
[root@station1 ~]# yum groupinstall -y virtualization-client
... Output omitted ...
[root@station1 ~]# reboot

3. Copy the install-vserver script from the instructor's machine to your client system, station1, and execute it. It will use kickstart to install a virtual guest called vserver on the local machine. The script can be found at the following URL: ftp://instructor.example.com/pub/materials/install-vserver.

[root@station1 ~]# wget ftp://instructor.example.com/pub/materials/install-vserver
... Output omitted ...
[root@station1 ~]# chmod 755 install-vserver
[root@station1 ~]# ./install-vserver

Practice Exercise

Red Hat Network Registration of Virtual Machines

Before you begin...

A virtualization host (station1.privateX.com) running RHEL 6 registered to your RHN Satellite Server and a vserver virtual machine installed with RHEL 6 running as a guest.

In this sequence, you will register vserver with Red Hat Network under station1's entitlement. Note the first couple steps of this exercise can be completed on the Satellite server and virtualization host while vserver finishes installing.

1. Log into your RHN Satellite using an account that can manage station1.privateX.com, and ensure it is entitled to Virtualization service and its software channel subscriptions include “RHN Tools for RHEL”.

Once you are logged in through the web interface, click on the Systems tab then on station1.privateX.com's host name hyperlink on the table. This should bring up a detail page for the host. Under System Properties, find the Edit These Properties link and click on it. On the next page, ensure Provisioning and Virtualization are both checked under Add-On Entitlements. Click the Update Properties button to confirm your changes.

Back on the system's detail page, verify the system is subscribed to the RHN Tools for RHEL (v. 6 for 64-bit x86_64) child channel. If not, find the Alter Channel Subscriptions link and click on it. Put a check mark in the “RHN Tools for RHEL” channel check box and click on the Change Subscriptions button.

2. Log in as root on the virtualization host. Use yum to install the rhn-virtualization-host and osad packages. Start the osad service and ensure it will start automatically at boot. This enables remote management of virtual machines from the RHN web interface.


[root@station1 ~]# yum install -y osad rhn-virtualization-host
[root@station1 ~]# service osad start
[root@station1 ~]# chkconfig osad on

3. After the virtualization guest has finished installing, make sure the vserver domain is running. On the virtualization host run rhn_check and rhn-profile-sync as root.

[root@station1 ~]# virsh start vserver
[root@station1 ~]# rhn_check; rhn-profile-sync

4. Log into the virtualization guest and download the bootstrap.sh script you completed in a previous lab from your Satellite Server. Use it to register the guest with your RHN Satellite Server.

Using the graphical console in virt-manager, log in as root on vserver. Download the bootstrap.sh script you completed in a previous lab from your Satellite Server and use it to register the virtual machine to your RHN Satellite:

[root@station? ~]# wget http://desktopX.example.com/pub/bootstrap/bootstrap.sh
[root@station? ~]# chmod 755 bootstrap.sh
[root@station? ~]# ./bootstrap.sh

5. In the RHN web interface, select the Systems tab. You should see your newly-registered vserver virtual machine listed under its host name. Note the different system icon. Now click on your station1.privateX.com host name link, then on the system detail page find its Virtualization link/tab and click on that. You should see the list of the virtual machines running on station1 when you updated its RHN profile. If any of them are not registered with Red Hat Network, you will see “Unregistered System” instead of a host name for its profile name. Click on the hostname link for vserver (e.g. station9.privateX.com) to see its RHN profile.

Practice Exercise

Provisioning a Virtualization Host

In previous exercises you converted an existing host to a virtualization host. Use RHN Satellite kickstart capabilities to provision a virtualization host from bare metal.

1. Create a kickstart profile called kvm-host in your Satellite Server to build a virtualization host. The installing system should use the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base channel for software and install from the ks-rhel-x86_64-server-6-6.0 kickstart tree. Set the root password to redhat.

Log into your RHN Satellite Server as a Kickstart Administrator or an Organization Administrator for Example, Inc. - the example user will work. Choose the Systems tab, select the Kickstart menu item then click the create new kickstart profile link. When the Step 1: Create Kickstart Profile form appears, complete it with the following values:


Field                 Value
Label                 kvm-host
Base Channel          Select Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
Kickstartable Tree    Select ks-rhel-x86_64-server-6-6.0
Virtualization Type   Select None

Click the Next button to confirm your changes. When the Step 2: Distribution File Location screen appears, click the Next button to accept the default kickstart tree location. Specify redhat as the default root password and click the Finish button to confirm your changes when the Step 3: Root Password screen appears.

2. Once the kvm-host kickstart profile is created, set the timezone to the local timezone and specify that installed systems use UTC in their hardware clocks. Automate installation of the standard Red Hat release GPG key. The @virtualization, @virtualization-client, and @virtualization-platform package groups should be installed.

Use the %post script of the kickstart file to install the rhn-virtualization-host and osad packages. Configure the osad service to start at boot time. Also provide some shell code to configure the network to use a bridged network interface.

Once the kvm-host kickstart profile is created, set the timezone to the local timezone and specify that installed systems use UTC in their hardware clocks. With the System Details tab selected within the kickstart profile, click the Locale tab and select the local timezone from the pull-down menu. Click the checkbox for UTC hardware clock then click the Update Locale Preferences button to confirm your choices.

Automate installation of the standard Red Hat release GPG key. With the System Details tab still selected, choose the GPG & SSL sub-tab, check the Red Hat Release Key checkbox, then click the Update keys button to confirm.

Select the Software tab then select the Package Groups sub-tab. In the frame that appears, type @ virtualization, @ virtualization-client, and @ virtualization-platform below the existing @ Base package group. Click on the Update Packages button when finished.

To install the RHN virtualization management packages and create a bridged network interface, select the Scripts tab and create a %post script (not nochroot) with the following code:

# Install virtualization management software
yum install -y rhn-virtualization-host osad
chkconfig osad on
# Configure a network bridge
chkconfig NetworkManager off
cat > /etc/sysconfig/network-scripts/ifcfg-br0 << EOF
DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
DELAY=0
ONBOOT=yes
EOF
echo 'BRIDGE=br0' >> /etc/sysconfig/network-scripts/ifcfg-eth0

Click on the Update Kickstart button to accept your changes.

3. Use the Satellite Server to schedule station1.privateX.com to kickstart install itself using the kvm-host kickstart profile. The kickstart should be initiated immediately.

While the client system installs, use Cobbler to determine the system profile name of the kickstarting system. Delete all other Cobbler system profiles then disable the netboot feature for the installing system.

Use the Satellite Server to schedule station1.privateX.com to kickstart install itself using the kvm-host kickstart profile. Navigate to the existing host profile. Choose the Systems tab, select Systems from the menu at the left, then click the host name link for the existing virtual host. Select the Provisioning tab within the system profile. The Kickstart and Schedule tabs should be selected. In the Select Kickstart Profile section of the page click the radio button by the kvm-host profile. The kickstart should be initiated immediately when the client system checks in so leave the radio button selected for Begin kickstart at the next system check in. Click the Schedule Kickstart and Finish button to confirm your changes and schedule the kickstart.

Run rhn_check on station1 to facilitate the process:

[root@station1 ~]# rhn_check

Broadcast warnings that the system will reboot should begin immediately. You can either wait a few minutes for the system to reboot itself or you can hurry the process along manually:

[root@station1 ~]# reboot

After five minutes of warnings the client system will reboot and start the kickstart installation. While the client system installs, use Cobbler to determine the system profile name of the kickstarting system. Log in as root on the Satellite Server and execute the following commands:

[root@desktopX ~]# cobbler list
distros:
   ks-rhel-x86_64-server-6-6.0

profiles:
   kvm-host:orgID:ExampleInc
   web-server:orgID:ExampleInc

systems:
   station1.privateX.com:orgID

repos:

images:


Practice Exercise

Provisioning a Virtualized Guest

With the virtualization host built, now it is time to use Red Hat Network Satellite to provision the virtual guests running on the host.

1. Create a kickstart profile called kvm-guest in your Satellite Server to build a virtual guest. The installing system should use the Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) base channel for software and install from the ks-rhel-x86_64-server-6-6.0 kickstart tree. Set the initial root password to redhat.

Log into your RHN Satellite Server as a Kickstart Administrator or an Organization Administrator for Example, Inc. - the example user will work. Choose the Systems tab, select the Kickstart menu item then click the create new kickstart profile link. When the Step 1: Create Kickstart Profile form appears, complete it with the following values:

Field                 Value
Label                 kvm-guest
Base Channel          Select Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
Kickstartable Tree    Select ks-rhel-x86_64-server-6-6.0
Virtualization Type   Select KVM Virtualized Guest

Click the Next button to confirm your changes. When the Step 2: Distribution File Location screen appears, click the Next button to accept the default kickstart tree location. Specify redhat as the default root password and click the Finish button to confirm your changes when the Step 3: Root Password screen appears.

2. Modify the virtual machine network configuration to use the br0 bridge interface of the virtualization host and send console messages to ttyS0. Adjust the timezone to use the local timezone and have installed systems use UTC in their hardware clocks.

Once the kvm-guest kickstart profile is created, notice the various options for CPU, memory, disk and network configuration available under the Details tab within the Kickstart Details tab. Enter br0 for the value of the Virtual Bridge field. In the Kernel Options field provide the value console=ttyS0. Click the Update Kickstart button to accept your changes.

With the System Details tab selected within the kickstart profile, click the Locale sub-tab and select the local timezone from the pull-down menu. Click the checkbox for UTC hardware clock then click the Update Locale Preferences button to confirm your choices.

3. Use the RHN Satellite to provision a virtual guest on station1.privateX.com. Schedule a guest system to install using the kvm-guest kickstart profile. The guest should be named vserver and the kickstart installation should be initiated immediately.

Navigate to the existing virtualization host profile, station1.privateX.com. Choose the Systems tab, select Systems from the menu at the left, then click the hostname link for the existing virtual host. Select the Virtualization tab within the system profile, then the Provisioning tab. Do not select the higher level Provisioning tab. Check the radio button by the kvm-guest kickstart profile and specify a guest name of vserver. The kickstart should be initiated immediately when the client system checks in so leave the radio button selected for Begin kickstart at the next system check in. Click the Schedule Kickstart and Finish button to confirm your changes and schedule the kickstart.

Log in as root on the client system serving as the virtualization host server. The virsh list command should show vserver running as it installs. Use the virsh console vserver command to display vserver's console as it installs.

4. After the installation of the virtual guest completes, use the Satellite web interface to confirm that it has registered with the Satellite server.

Navigate to the existing virtualization host profile, station1.privateX.com. Choose the Systems tab, select Systems from the menu at the left, then click the hostname link for the existing virtual host. Select the Virtualization tab within the system profile, then the Details tab. You should see an entry for the vserver virtualization guest in the list of hosts displayed.


RHN Satellite Server Administration

Practice Exercise

RHN Satellite Embedded Database Maintenance

Perform basic RHN Satellite embedded database maintenance functions such as extending an internal tablespace and making a backup of your RHN Satellite database.

1. Sometimes RHN Satellite embedded database performance can suffer when an internal tablespace becomes full. Determine the current size and utilization of the UNDO_TBS tablespace then extend it. Record both its original and new size and utilization below:

First, log in as root on desktopX then switch to the oracle user so you can perform database administration.

[root@desktopX ~]# su - oracle
-bash-3.2$ db-control report
Tablespace    Size     Used     Avail    Use%
DATA_TBS      3.9G     641.5M   3.2G     16%
SYSAUX        500M     110.8M   389.1M   22%
SYSTEM        400M     249.8M   150.1M   62%
UNDO_TBS      500M     146.3M   353.6M   29%
USERS         128M     64K      127.9M   0%
-bash-3.2$ db-control extend UNDO_TBS
Extending UNDO_TBS... done.
-bash-3.2$ db-control report
Tablespace    Size     Used     Avail    Use%
DATA_TBS      3.9G     641.5M   3.2G     16%
SYSAUX        500M     110.8M   389.1M   22%
SYSTEM        400M     249.8M   150.1M   62%
UNDO_TBS      1000M    146.3M   853.6M   15%
USERS         128M     64K      127.9M   0%

What is its new size and utilization?

2. Perform a backup of your Red Hat Network embedded database. Save the backup in a directory called rhn-sat-backup-YYYYMMDD below the home directory of the oracle account. How much disk space does the backup take?

Open another terminal window as root on desktopX and shut down the Satellite Server so the database can be backed up:

[root@desktopX ~]# rhn-satellite stop

In another window, get access to a shell as the oracle user. Create the directory where the backup will be stored then perform the backup:

[root@desktopX ~]# su - oracle
-bash-3.2$ mkdir rhn-sat-backup-YYYYMMDD
-bash-3.2$ db-control backup rhn-sat-backup-YYYYMMDD
Initiating cold backup of database rhnsat...
/opt/apps/oracle/config/10.2.0/lkRHNSAT -> rhn-sat-backup-20100104/lkRHNSAT.gz ... done.
/opt/apps/oracle/config/10.2.0/spfilerhnsat.ora -> rhn-sat-backup-20100104/spfilerhnsat.ora.gz ... done.
... Output omitted ...
Full cold backup complete.

Since the backup is finished, go to your other terminal window as root and restart the RHN Satellite Server software:

[root@desktopX ~]# rhn-satellite start

How much disk space does the backup take? It should take up less than 1 GB of space. This is because it only backs up the essential database information - not the RPMS, the RHN Satellite software, nor the kickstart installation trees.

-bash-3.2$ du -sh rhn-sat-backup-YYYYMMDD/
699M    rhn-sat-backup-YYYYMMDD/

3. Confirm the integrity of the RHN Satellite embedded database backup you just created.

Return to the window where you logged in as the oracle user and execute the following command:

-bash-3.2$ db-control verify rhn-sat-backup-YYYYMMDD
Verifying backup from Mon Jan 4 08:52:42 2010...
rhn-sat-backup-20100104/lkRHNSAT.gz... done. Checksum verified.
rhn-sat-backup-20100104/spfilerhnsat.ora.gz... done. Checksum verified.
... Output omitted ...

Practice Exercise

Activating a New Satellite Entitlement Certificate

There are a couple of reasons a new RHN Satellite entitlement certificate is issued to a Red Hat customer: expanded capabilities or an extension on the certificate expiration date. In this exercise you will activate a new Satellite entitlement certificate that will provide more capabilities.

• On the instructor's server there is a more robust RHN Satellite entitlement certificate available for your use. You can access the certificate using the following pathname on your Satellite Server: /misc/instructor/rh401-satellite/redhat-gls-maximum-5.4.cert. Reactivate your Satellite Server using this certificate.

Log in as your Satellite Administrator, satadmin, and inspect the system and software entitlements available for deployment.

[root@desktopX ~]# cp /misc/instructor/rh401-satellite/redhat-gls-maximum-5.4.cert ~
[root@desktopX ~]# rhn-satellite-activate --disconnected --rhn-cert /root/redhat-gls-maximum-5.4.cert


Log into your RHN Satellite server as the Satellite Administrator, satadmin. Click the Admin tab then select Subscriptions from the menu at the left. The total number of entitlements should be doubled and a number of free entitlements should be available for use.

Practice Exercise

Exporting Custom Child Software Channel Content

Backing up the RHN Satellite embedded database does not preserve custom software channel content. Use rhn-satellite-exporter to back up your custom software channel content.

1. Log in as root on desktopX and display the list of software channels currently in your RHN Satellite Server. Take note of the labels of the channels you want to save and the names of their parent channel.

[root@desktopX ~]# rhn-satellite-exporter --list-channels
Channel List:
B = Base Channel
C = Child Channel

B rhel-x86_64-server-6
C       example-custom
C       rhn-tools-rhel-x86_64-server-6
... Output omitted ...

2. Create a directory called custom-dump. Export the software channel content for the example-custom channel into custom-dump so it can be taken and imported into another disconnected Satellite Server.

[root@desktopX ~]# mkdir custom-dump
[root@desktopX ~]# rhn-satellite-exporter --step=short -d custom-dump -c rhel-x86_64-server-6
10:18:36 Gathering channel info...
10:18:36 Gathering binary RPM info...
10:18:36 Gathering package info...
10:18:36 Gathering errata info...
10:18:36 Gathering kickstart data...
10:18:36 Gathering kickstart files info...
... Output omitted ...
Exporting: #################### - Done!
[root@desktopX ~]# rhn-satellite-exporter -d custom-dump -c example-custom
10:19:02 Gathering channel info...
10:19:02 Gathering binary RPM info...
10:19:02 Gathering package info...
10:19:02 Gathering errata info...
10:19:02 Gathering kickstart data...
10:19:02 Gathering kickstart files info...
... Output omitted ...
Exporting: #################### - Done!
[root@desktopX ~]# du -sh custom-dump
30M     custom-dump


3. Confirm the channel content is usable with the satellite-sync command. Check carefully and be sure the example-custom channel appears in the output of satellite-sync.

[root@desktopX ~]# satellite-sync -m custom-dump -l
10:19:21 Red Hat Network Satellite - file-system synchronization
10:19:21    mp:  /root/custom-dump
10:19:21    db:  rhnsat/<password>@rhnsat
10:19:21
10:19:21 Retrieving / parsing channel-families data
10:19:21 channel-families data complete
10:19:22
10:19:22 Retrieving / parsing channel data
10:19:22    p = previously imported/synced channel
10:19:22    . = channel not yet imported/synced
10:19:22    base-channels:
10:19:22       p rhel-x86_64-server-6    3583    full import from Tue Jun 7 10:15:39 2011
10:19:22    rhel-x86_64-server-6:
10:19:22       . example-custom    2    full import from Tue Jun 7 10:17:57 2011
10:19:22 Import complete:
    Begin time: Tue Jun 7 10:19:21 2011
    End time:   Tue Jun 7 10:19:22 2011
    Elapsed:    0 hours, 0 minutes, 0 seconds


RHN Application Programming Interface

Practice Exercise

Getting Started with the Red Hat Network API

This exercise will introduce you to the Red Hat Network API. Modify two versions of a script written in Perl and Python so that they successfully query your RHN Satellite Server.

1. There is a Perl script, list-users.pl, and a Python script, list-users.py, which list all the users within a Red Hat Network organization. The scripts can be found in the /misc/instructor/materials/rhn-api directory.

Log in as stan on desktopX, copy the scripts, and modify them so they will successfully query your Satellite Server and list the users in the “Example Inc.” organization.

Optional - Use revision control software to log and manage the changes you make to your copies of the scripts.

Log in as stan on desktopX. Use the following commands to copy the scripts from the instructor's machine, make the scripts executable then optionally check them into revision control:

[stan@desktopX ~]$ mkdir api ; cd api
[stan@desktopX api]$ cp /misc/instructor/materials/rhn-api/* .
[stan@desktopX api]$ chmod 755 *
[stan@desktopX api]$ svn import -m 'Sample RHN API scripts' file:///var/local/svn/api
[stan@desktopX api]$ cd .. ; rm -r api
[stan@desktopX ~]$ svn checkout file:///var/local/svn/api
[stan@desktopX ~]$ cd api

Edit list-users.pl and list-users.py and change the host and user authentication information to work for your Satellite Server. For example the following lines need to be modified in the Perl script:

my $SATELLITE_URL = 'https://desktopX.example.com/rpc/api';
my $SATELLITE_LOGIN = 'example';
my $SATELLITE_PASSWORD = 'redhat';

Execute both scripts. Their output should look similar to the following:

[stan@desktopX api]$ ./list-users.py
example
normal
grouper
channelman
[stan@desktopX api]$ ./list-users.pl
example
normal
grouper
channelman

If the scripts don't work, troubleshoot any problems they may have. A few possible issues to investigate:


• Are the scripts executable?

• Does SATELLITE_URL point to your Satellite Server? Were only the SATELLITE_* variable definitions modified?

• Are SATELLITE_LOGIN and SATELLITE_PASSWORD defined to use Organization Administrator credentials for Example Inc.?

Organization Administrator privileges are required to access user account information about an organization. API scripts run with privileges determined by the account they use to authenticate to the Satellite Server. Optionally commit your changes to Subversion once your scripts are working and debugged.

[stan@desktopX api]$ svn commit -m 'Scripts working with Satellite server desktopX'

2. Modify one of your working scripts to authenticate as the Satellite Administrator. How does this affect the behavior of the script?

In one of the scripts change SATELLITE_LOGIN = 'example' to SATELLITE_LOGIN = 'satadmin' and run the script. For example:

[stan@desktopX api]$ ./list-users.py
satadmin

When you execute the script you should notice it doesn't list the users of Example Inc. because the Satellite Administrator is not a member of that organization.

Practice Exercise

Using the Red Hat API to Produce Reports

Modify one of the provided scripts to produce a useful report by using the Red Hat Network API to get more detailed information about the users from your Satellite Server.

• Write a script, list-user-roles.pl or list-user-roles.py, that lists all of the users within the Example Inc. organization. Print the following information about each user: their login name and the list of their RHN administrative roles.

Copy one of your working scripts as a starting point for your new script. Optionally maintain your script with revision control software.

The following commands copy the working Python script and commit the original version into Subversion:

[stan@desktopX api]$ svn copy list-users.py list-user-roles.py
A         list-user-roles.py
[stan@desktopX api]$ svn commit -m 'Working on new script'
... Output omitted ...


The basic structure of the new program is the same as the sample scripts: connect to RHN, authenticate, list the users, then log out. Some additional work needs to be done when listing each user. The User namespace provides a method called listRoles that will get the information we need. This method takes a session key and a login name and returns an array of strings which are the RHN administrative roles assigned to the user.

Additional Python code needed (the plus signs are not literal, they indicate which lines to add to the existing code):

 for user in ulist:
     login=user.get('login')
     print login
+    # Identify and print each user's roles:
+    rlist = client.user.list_roles(key, login)
+    for role in rlist:
+        print ' ' + role

Additional Perl code needed (the plus signs indicate which lines to add to the existing code):

 my $ulist = $client->call('user.list_users', $key);
 foreach my $user (@$ulist) {
     print $user->{'login'} . "\n";
+    # Identify and print each user's roles:
+    my $rlist = $client->call('user.list_roles', $key, $user->{'login'});
+    foreach my $role (@$rlist) {
+        print ' ' . $role . "\n";
+    }
 }

The following shows what the output should look like when the script is working properly:

[stan@desktopX api]$ ./list-user-roles.py
example
 activation_key_admin
 config_admin
 monitoring_admin
 channel_admin
 org_admin
 system_group_admin
normal
grouper
 system_group_admin
channelman
 channel_admin

Optionally check your changes in once your script is working:

[stan@desktopX api]$ svn commit -m 'Working script'


Test

Criterion Test

Exercise

Using the RHN API to Perform Satellite Administration

Write a couple of Red Hat Network API scripts that perform RHN Satellite administration functions.

1. Write two scripts that use the Red Hat Network API to administrate users. The user-disable.pl, or user-disable.py, script should deactivate an RHN user account. Its positive counterpart, user-enable.pl or user-enable.py, should reactivate an existing user account. Use a program variable for the RHN login to be enabled/disabled.

These programs don't have to be fancy, they just have to be functional. There is no need to process command-line arguments or do extensive error checking.

Optionally use revision control software to manage the changes you make to your new script.

The basic structure of the new program is the same as the other RHN API scripts: connect to RHN, authenticate, enable/disable the specified user account, then log out. The User namespace provides a couple of useful methods called enable and disable that will do what we need. These methods take a session key and the RHN login name of the account to manipulate.

Below is working Perl code that implements the disable script:

#!/usr/bin/perl -w
use strict;
use Frontier::Client;

# Define RHN Satellite host and authentication values:
my $SATELLITE_URL = 'https://desktopX.example.com/rpc/api';
my $SATELLITE_LOGIN = 'example';
my $SATELLITE_PASSWORD = 'redhat';

# Login name of user to disable:
my $login_name = 'login_to_disable';

# Connect to the RHN Satellite Server:
my $client = new Frontier::Client(url => $SATELLITE_URL);

# Authenticate as a valid user to get a session key:
my $key = $client->call('auth.login', $SATELLITE_LOGIN, $SATELLITE_PASSWORD);

# Disable the user in our organization:
$client->call('user.disable', $key, $login_name);

# Logout from RHN session:
$client->call('auth.logout', $key);

The Python solution is similar to the above code with a few syntactical differences. Also the enable function is a trivial change to the above program.
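The role report and the enable/disable exercise above, combined into one Python 3 sketch that always releases the session key and refuses a disable that would lock the organization out. This is an added example, not the workbook's solution code: rhn_session, roles_by_user, set_account_state and make_stub are hypothetical names, the two lockout guards are an added assumption, and the stub holds constructed sample data so the block runs without a Satellite Server.

```python
import types
import xmlrpc.client
from contextlib import contextmanager


@contextmanager
def rhn_session(client, login, password):
    """Yield a session key; log out even if a call inside the block fails."""
    key = client.auth.login(login, password)
    try:
        yield key
    finally:
        client.auth.logout(key)


def roles_by_user(client, key):
    """Return {login: sorted role list} for the caller's organization."""
    return {u["login"]: sorted(client.user.list_roles(key, u["login"]))
            for u in client.user.list_users(key)}


def set_account_state(client, key, caller, target, enabled):
    """Enable or disable target, refusing changes that lock the org out."""
    if enabled:
        return client.user.enable(key, target)
    if target == caller:
        raise ValueError("refusing to disable the authenticating account")
    admins = [login for login, roles in roles_by_user(client, key).items()
              if "org_admin" in roles]
    if admins == [target]:
        raise ValueError("refusing to disable the only org_admin")
    return client.user.disable(key, target)


def make_stub():
    """Constructed in-memory stand-in for the Satellite API (sample data)."""
    state = {"roles": {"example": ["org_admin", "channel_admin"],
                       "normal": [],
                       "grouper": ["system_group_admin"],
                       "channelman": ["channel_admin"]},
             "disabled": set(), "sessions": set()}

    def auth_login(user, password):
        key = "stub-session-%d" % (len(state["sessions"]) + 1)
        state["sessions"].add(key)
        return key

    def auth_logout(key):
        state["sessions"].discard(key)
        return 1

    def check(key, login=None):
        if key not in state["sessions"]:
            raise xmlrpc.client.Fault(1, "stub: invalid session key")
        if login is not None and login not in state["roles"]:
            raise xmlrpc.client.Fault(1, "stub: no such user")

    def list_users(key):
        check(key)
        return [{"login": login} for login in state["roles"]]

    def list_roles(key, login):
        check(key, login)
        return list(state["roles"][login])

    def toggle(op):
        def call(key, login):
            check(key, login)
            getattr(state["disabled"], op)(login)
            return 1
        return call

    ns = types.SimpleNamespace
    return ns(state=state, auth=ns(login=auth_login, logout=auth_logout),
              user=ns(list_users=list_users, list_roles=list_roles,
                      disable=toggle("add"), enable=toggle("discard")))


if __name__ == "__main__":
    # For a real server use xmlrpc.client.ServerProxy(<your /rpc/api URL>).
    client = make_stub()
    with rhn_session(client, "example", "constructed-password") as key:
        print(roles_by_user(client, key))
        set_account_state(client, key, "example", "channelman", enabled=False)
    print(client.state["disabled"], client.state["sessions"])
```

The functions only use attribute-style calls (client.auth.login, client.user.disable), so an xmlrpc.client.ServerProxy can be passed in place of the stub unchanged.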


2. Use one of your scripts to disable the channelman account. Go into the RHN Satellite web interface and verify his account has been disabled. Execute the other script to reactivate his account and verify that channelman can log into your Satellite Server.

Optionally commit your changes to Subversion once your scripts are working and debugged.

[stan@desktopX api]$ svn add user-disable.py user-enable.py
OR
[stan@desktopX api]$ svn add user-disable.pl user-enable.pl
[stan@desktopX api]$ svn commit -m 'Added working administration API scripts'


Comprehensive Review

Practice Resequencing Exercise

Provisioning with a RHN Satellite Server

Below are the steps you will take to deploy a provisioning Red Hat Network Satellite server. Take 5-10 minutes to prioritize and order the following steps. We will discuss them as a class before you begin to implement them.

4 Configure desktopX to serve as a Subversion repository.
12 Clone the RHEL 6 Server base channel and all of its child channels.
16 Create a kickstart profile.
7 Import the relevant Red Hat software channels into the Satellite server.
1 Install desktopX with Red Hat Network Satellite software.
6 Prepare software channel content for import into the RHN Satellite.
3 Deploy DHCP on desktopX and configure it to support PXE.
13 Build and sign a custom RPM package on desktopY.
2 Configure desktopX as a routing gateway for the backend network.
9 Create a RHN system group.
15 Create an activation key to automate system registration.
11 Create a custom software channel as a child of the Red Hat RHEL 6 Server base channel.
17 Provision the client system using PXE menu.
10 Create RHN user accounts, assign appropriate roles, and allow them to administrate a common system group.
14 Import GPG keys into the Satellite server for deployment.
8 Create a Red Hat Network organization and assign it system and software subscriptions.
5 Import the open source project code into the Subversion repository.

Test

Criterion Test

Case Study

Red Hat Network Satellite Server Deployment Requirements

The following are the specifics for setting up your Red Hat Network Satellite server and client machine. desktopX should already be installed with a minimal RHEL 5 installation and desktopY will serve as your client server and should be installed with RHEL 6 server.

The requirements for this review are specified in more detail below. They aren't necessarily listed in the order they are to be performed.

• Install desktopX with Red Hat Network Satellite software. The materials you need to perform the installation can be found in the /misc/instructor/rh401-satellite directory on desktopX. The installation ISO is named satellite-embedded-oracle-5.4.0-20101025-rhel-5-x86_64.iso. Activate the Satellite server using the certificate named redhat-gls-maximum-5.4.cert.


After the Satellite server is installed, create a satellite administrator account with a login of rhnsatadm and a password of redhat.

• Prepare software channel content for import into the RHN Satellite. The content ISOs are in the rh401-satellite directory in a sub-directory called sat-rhel6-content.

• Import the Red Hat software channels into the Satellite server that will support provisioning of RHEL 6 Servers.

• Configure desktopX as a routing gateway for the backend network. The network addresses will be in the 10.100.X.0 subnet with a netmask of 255.255.255.0. The second network interface of desktopX should have a static address of 10.100.X.254. Ensure IPv4 packet forwarding is enabled persistently in the kernel.

• Deploy DHCP on desktopX and configure it to support PXE provisioning. Determine the MAC address of desktopY and have DHCP consistently assign it the 10.100.X.7 IP address. Continue to use 192.168.0.254 for DNS services.

• Build a custom RPM package on desktopY for the bubbles application. Consult the README and Makefile for information about building the package. Make sure both the binary executable and README are provided by the binary RPM that you create. The README should be classified as documentation by RPM.

Generate a GPG key pair and sign the package.

• Create a custom software channel as a child of the Red Hat RHEL 6 Server base channel. Set the channel name to Custom Software with a label of custom-software. Specify the GPG key information you will use to verify the signature of RPMS you create.

• Create a Red Hat Network organization called Review Inc.. The organization administrator should log in as review with a password of redhat. Assign all available entitlements to this organization.

• Create a RHN system group in the Review Inc. organization called Review Systems. Put some meaningful text in the Description field.

• Configure desktopX to serve as a Subversion repository. The top-level URL to access the directory should be svn+ssh://desktopX/var/local/svn. Create a group called svnusers and set permissions on the repository that allows all users in that group to create new projects and modify files.

Create a user called builder on both systems. This user should be a member of the svnusers group on desktopX. Also create ssh keys on desktopY and deploy them so builder can check in files to the repository without providing a password.

• Create RHN user accounts, assign appropriate roles, and allow them to administrate systems in the Review Systems system group according to the following table:

Login      Password   Roles
swadmin    redhat     Channel Administrator
cfgadmin   redhat     Configuration Administrator


• Import the open source project code for the "bubbles" program into the Subversion repository. The source code for this program can be found at the following URL: http://instructor/pub/materials/bubbles-1.0.tar.gz.

• Clone the RHEL 6 Server base channel and all of its child channels. Prefix the channel names with "Development" and the channel labels should have a "dev-" prefix.

• Create an activation key to automate system registration. The key ID should be review-reg. It should register systems in the Review Inc. organization. Systems should join the Review Systems system group. They should also subscribe to the cloned base software channel and the rhn-tools and custom cloned channels. Also allow for configuration file provisioning and subscribe to the Review Configurations configuration channel.

• Create a kickstart profile. It should register the provisioned system with the review-server activation key for Review Inc. It should install the web-server package group and update all available errata during its installation. The bubbles custom package should be installed and any available configuration files should be deployed.

• Create a configuration channel called Review Configurations with a label of review-configs. It provides /etc/issue which should contain the following text:

Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel \r on an \m

Review Inc.

• Import GPG keys into the Satellite server for deployment. Import the standard Red Hat key, RPM-GPG-KEY-redhat-release, and the GPG key used to verify custom packages.

• Provision the client system using PXE menu provided by Cobbler. Confirm that it installed properly and is properly configured.