A guide to installing and configuring Red Hat Satellite Capsule server

With Red Hat Satellite Capsule Server, you can manage Red Hat Enterprise Linux (RHEL) hosts across multiple platforms and geographic locations. A Satellite Capsule Server maximizes availability by enabling content and software to be accessed by systems, even when the Satellite Server is unavailable. In addition, the Satellite Capsule Server helps manage load and congestion when there are a large number of systems.

This article provides a concise guide toSatellite Capsule Server deployment. First, I discuss planning considerations for deploying a Satellite Capsule Server. Next, I review software installation and configuration. Finally, I present the option of configuring alternate content sources (ACS).

The value of Satellite Capsule Servers

Satellite Capsule Servers help scale Red Hat Enterprise Linux environments with the following capabilities:

• Improve the availability of content sources: Satellite Capsule Servers can cache metadata and content from the Satellite Server, so hosts can still access content if the Satellite Server becomes unavailable
• Scale performance: Satellite Capsule Servers help distribute load, maintaining the performance of managing RHEL systems as they scale in volume. Satellite Capsule Servers can also make use of alternate content sources to save on bandwidth costs while maximizing throughput so systems are updated as quickly as possible

With a Satellite Capsule Server, you can extend the reach and scalability of your Satellite deployment. You can mirror content from Satellite Server to establish content sources in various geographical or logical locations. By registering a host to a Satellite Capsule Server, you can configure that host to receive content and configuration from the Satellite Capsule Server in its location rather than from the central Satellite Server. You can run localized services to discover, provision, control and configure hosts.

Planning Satellite Capsule Server deployment

Satellite Capsule Servers can help solve problems related to both availability and scale.

Availability

Satellite Capsule Servers can be used to simplify the patching of Satellite infrastructure. The upgrade or update procedure doesn't require both Satellite and Satellite Capsule Server to be upgraded at the same time. Your Red Hat support includes the ability to run a Satellite Capsule Server that's one major version behind the current version.

Satellite Capsule Servers are asynchronously connected to the Satellite Server, so periodic disconnections between Satellite and Satellite Capsule Servers don't disrupt the availability of content or software provided to your RHEL systems. Computing environments spanning multiple geographic regions or data centers can be serviced  by capsule servers to mitigate the risk of network disruption. 

Scale

For environments with several thousand systems managed, Satellite Capsule Servers can be used to improve the performance of bulk operations (such as remote execution and patching). Rather than dispatching all tasks from a single Satellite Server, the tasks can be distributed across multiple Capsule Servers.

Installing and configuring a Satellite Capsule Server

Before you install a Satellite Capsule Server, you must meet some requirements for storage and performance. You must use high-bandwidth, low-latency storage for the /var/lib/pulp/ directory. Red Hat Satellite has many operations that are I/O intensive, so ensure that your installation has a speed in the range of 60 to 80 Mbps. For full details on scaling performance as compute resources increase, read the Satellite Capsule Server Compute Performance guidelines.

The server you're going to install Satellite Capsule Server onto must be registered to your Satellite Server. If you don't register the server you're going to use as a capsule, then you won't have access to the Satellite Capsule Server software repositories.

Enable the software repositories

You must enable the required repositories on the server you're going to use as a capsule. In this article, commands run on the Satellite Capsule Server are presented with a capsule prompt. Commands run on the Satellite Server use the satellite prompt.

capsule$ sudo subscription-manager repos --disable "*" 
capsule$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \ 
--enable=rhel-8-for-x86_64-appstream-rpms \ 
--enable=satellite-capsule-6.15-for-rhel-8-x86_64-rpms \ 
--enable=satellite-maintenance-6.15-for-rhel-8-x86_64-rpm

Open the necessary ports on the Satellite Capsule Server

You must open some ports on the Satellite Capsule Server:

capsule$ sudo firewall-cmd --permanent \ 
--add-port="5647/tcp" \ 
--add-port="8000/tcp" \ 
--add-port="9090/tcp" 

capsule$ sudo firewall-cmd --permanent \ 
--add-service=dns \ 
--add-service=dhcp \ 
--add-service=tftp \ 
--add-service=http \ 
--add-service=https \ 
--add-service=puppetmaster 

capsule$ sudo firewall-cmd --reload 

Open the necessary port on the Satellite Server

Similarly, you must open ports on the Satellite Server:

satellite$ sudo firewall-cmd --permanent --add-port="5646/tcp" 
satellite$ sudo firewall-cmd --reload 

Enable the module

Next, enable the satellite-capsule module:

capsule$ sudo dnf module enable satellite-capsule:el8

Install the Satellite Capsule Server software

With all the preparation work done, it's time to install the Satellite Capsule Server software onto your server. It's just a single command:

capsule$ sudo dnf install satellite-capsule

Install SSL certificate

Once the Satellite Capsule Server software is installed, you need to generate SSL certificates on your Satellite Server, and copy them to your Satellite Capsule Server. Red Hat Satellite uses SSL certificates to enable encrypted communications between Satellite Server, external Satellite Capsule Servers and all hosts. Depending on the requirements of your organization, you must configure your Satellite Capsule Server with either a default or custom certificate. In this example, I use the default self-signed certificate.

On the Satellite Server, make a directory to store your certificate:

satellite$ sudo mkdir /root/capsule_cert

On the Satellite Server, generate the certificate tarball:

satellite$ sudo capsule-certs-generate \ 
--foreman-proxy-fqdn capsule.lab \ 
--certs-tar /root/capsule_cert/capsule.lab-certs.tar

The --foreman-proxy-fqdn option requires the fully qualified domain name (FQDN) of the Satellite Capsule Server. Here's the output of the capsule-certs-generate command:

satellite$ sudo mkdir /root/capsule_cert 
satellite$ sudo capsule-certs-generate \ 
> --foreman-proxy-fqdn capsule.lab \ 
> --certs-tar /root/capsule_cert/capsule.lab-certs.tar 
Preparing installation Done 
  Success! 
  
  To finish the installation, follow these steps: 
  If you do not have the Capsule registered to the Satellite instance, then please do the following: 
  1. yum -y localinstall http://satellite.lab/pub/katello-ca-consumer-latest.noarch.rpm 
  2. subscription-manager register --org "Acme_Org" 

  Then follow these steps to start Capsule installation: 
  1. Ensure that the satellite-capsule package is installed on the system. 
  2. Copy /root/capsule_cert/capsule.lab-certs.tar to the system capsule.lab 
  at /root/capsule.lab-certs.tar: 
  scp /root/capsule_cert/capsule.lab-certs.tar \ 
  root@capsule.lab:/root/capsule.lab-certs.tar 
  3. Run the following commands on the Capsule (possibly with customized 
  parameters; see satellite-installer --scenario capsule --help and 
  documentation for more info on setting up additional services): 
  
satellite-installer --scenario capsule\ 
--certs-tar-file                 "/root/capsule.lab-certs.tar"\ 
--foreman-proxy-register-in-foreman "true"\ 
--foreman-proxy-foreman-base-url "https://satellite.lab"\ 
--foreman-proxy-trusted-hosts   "satellite.lab"\ 
--foreman-proxy-trusted-hosts   "capsule.lab"\ 
--foreman-proxy-oauth-consumer-key  "GgfRRZPDNESFSNe5GUb7uPBe3AFovLod"\ 
--foreman-proxy-oauth-consumer-secret "qn9t6wgLXnS2FULQG2iBprzaBFiZ4WJh" 

As you can see from the example code above, the output gives you instructions for what you need to do next.

First, copy the /root/capsule_cert/capsule.lab-certs.tar (or whatever FQDN you used) file to the Satellite Capsule Server.

Then copy the generated satellite-installer  command (similar to the command at the end of the example output above) and run it on the Satellite Capsule Server. This command is specific for the certificates you previously generated, so it's imperative that you copy the exact output of your capsule-certs-generate command!

Success! 
* Capsule is running at https://capsule.lab:9090 

The full log is at /var/log/foreman-installer/capsule.log... 

Configure the Satellite Capsule Server

The Satellite Capsule Server software is now installed. However, content doesn't get replicated to the Satellite Capsule Server until the Satellite Server is configured to do so. Content replication is managed through Content Views and Lifecycle Environments.

In this example, the Satellite Server only has a Lifecycle Environment (LCE) named Capsule Production. To synchronize all metadata (you have not specified that all software must be synchronized), you could tell the Satellite Server to synchronize Capsule Production to the capsule. In a real-life environment, it's not always practical or desirable to synchronize all software to Satellite Capsule Servers because it can take a long time, and consume a vast amount of storage.

Content Views are used to specify a snapshot of repositories, and provide control over which RPM package versions are added to a lifecycle environment. In this example, I use a combination of a content view and an LCE to synchronize RHEL 9 BaseOS, AppStream, and Satellite Client software to the Satellite Capsule Server.

Refer to the official documentation to create an LCE, Content View, and to synchronize repositories to the Satellite Server.

Here are the components you'll need to synchronize content from the Satellite Server to the capsule:

• Lifecycle Environment: Capsule Production
• Content View: RHEL9
• Repositories:
  • RHEL 9 BaseOS
  • RHEL 9 AppStream
  • Satellite Client 6 for RHEL 9 (contains remote execution pull provider, traces, and so on)

Here's the workflow for the content synchronization process:

1. Create Content View RHEL9
2. Add repositories to Content View RHEL9
3. Publish Content View RHEL9 and promote it to Lifecycle Environment Capsule Production
4. Content begins synchronizing to the capsule server from Satellite

Assuming the Content View has been configured, repositories have been added, and the Content View has been published and promoted to the Capsule Production LCE, you can proceed to the next step.

Configure Capsule synchronization

You must now ensure that the content metadata is automatically synchronized to the capsule. In the Satellite web UI, click on Infrastructure and then select Capsules.

Click on the Satellite Capsule Server (in this example, that's capsule.lab), and then click the Edit button in the top right corner.

In the Edit screen, select the Lifecycle Environments tab.

Configure the Satellite Server satellite.lab to synchronize the Capsule Production Lifecycle environment to capsule.lab:

1. Click on Capsule Production
2. Click the Submit button

Back on the Capsules screen, click capsule.labagain.

Click on Optimized Sync to synchronize repo metadata to the capsule.

Optimized sync only synchronizes repository metadata. When a system installs a package from the capsule, the package is downloaded and stored on the capsule before it's downloaded to the system.

Note that I've left Download Policy set to its default On Demand option. This means that while metadata is synchronized to the Satellite Capsule Server, the software is only synchronized when a host makes a request to the Satellite Capsule Server for software to be installed.

If Download Policy  is configured in On Demand mode, then content cannot be fetched if the connection between the Satellite Server and capsule is disrupted.

Migrate hosts to Capsule server

Next, navigate to the Hosts menu and select All Hosts.

Do the following.

1. Select a host. In this example I use rhel1
2. Click Change Content Source

On the Change Content Source screen:

1. Select the Satellite Capsule Server from the Content source drop-down menu (in this example, it's capsule.lab)
2. In the Lifecycle environment section, choose Capsule Production
3. Choose the RHEL9 Content View
4. Click the Run job button at the bottom of the screen

On the Run job screen, click the Run on selected hosts button.

After the job has run, you can verify that rhel1 was successfully migrated to capsule.lab by viewing the /etc/yum.repo.d/redhat.repo file. The redhat.repo shows that baseurl points to capsule.lab. 

rhel1$ grep baseurl /etc/yum.repos.d/redhat.repo 
baseurl = https://capsule.lab/pulp/content/Acme_Org/capsule_production/RHEL9/content/dist/rhel9/$releasever/x86_64/baseos/os

Optional: Remote Execution Pull mode

If you are using Remote Execution (REX) Pull mode on Satellite, you must perform this extra step to enable it on your capsule:

capsule$ sudo satellite-installer --foreman-proxy-plugin-remote-execution-script-mode pull-mqtt

Allow the mqtt messaging service on the Satellite Capsule Server:

capsule$ sudo firewall-cmd --permanent --add-service=mqtt 
capsule$ sudo firewall-cmd --reload 

Optional: Alternate Content Sources

Alternate Content Sources (ACS) allow a capsule to download Red Hat content directly from the Red Hat Content Delivery Network (CDN) rather than from the Satellite Server. Metadata is still synchronized with the Satellite Server. Content curation is still performed through the Satellite Server.

Configuring the Satellite Capsule Server to synchronize directly with the Red Hat CDN has several benefits. Often, network topologies that span multiple datacenters or geographies utilize network connections that are expensive to use, or are physically incapable of high throughput. In addition to saving money on bandwidth costs, ACS can save the amount of time required to download content because it's downloading from a Red Hat CDN source that's geographically closest to the capsule.

Simplified ACS

In the Satellite webUI, navigate to the Alternate Content Sources menu.

Click the Add source button, and then complete these steps:

1. Click on Simplified. This choice allows you to use the Red Hat CDN as an ACS
2. Select Yum
3. Click Next to continue

Name the ACS and click Next.

Select the capsule you want to use ACS and click Next.

Select the products you wish to sync from the ACS and click Next. In this example, we're selecting all of them.

Review the settings and click Add.

Reduce maintenance with Satellite

Red Hat Satellite is an infrastructure management solution designed to streamline management of Red Hat Enterprise Linux systems, at scale, wherever they reside, whether it's physical, virtual or cloud.

Red Hat Satellite automates common system tasks to increase efficiency. It is integrated with Red Hat Insights, which provides visibility, analysis and recommended updates. Satellite can automate the process to apply those recommendations and help keep systems secure, available and compliant.

Satellite and its Capsule feature provide tools to manage your RHEL infrastructure efficiently in complicated topologies to help your business runs smoothly.  For more information, refer to the following documents:

• Installing Capsule Server
• Capsule overview

Are you interested in learning more about Red Hat Satellite? Talk to a Red Hatter today!