Red Hat Satellite (built from the upstream project, Foreman) is a great solution for managing your Red Hat infrastructure. It handles patch management, subscription management, and system lifecycle management, and is ultimately a great source of truth for your Red Hat servers.
Red Hat IdM (upstream FreeIPA) is a great product for managing your Linux domain. It is focused on user authentication and authorization, and on DNS zone management.
Together, these products complement each other well.
This article will discuss deploying a single Red Hat Satellite 6.6 server with integration to Red Hat IdM. We will have Satellite use the IdM server for authentication and send DNS updates to IdM rather than managing its own zone.
Prepare Satellite Server
Chapter 1 of the installation manual covers general system prep.
- Ensure there is 500 GB available at `/var/lib/pulp`.
- Attach the system to your Red Hat account and assign it a Satellite entitlement.
- Attach the proper repositories. NOTE: Do not attach EPEL; it will break the install process.

```
subscription-manager repos --enable=rhel-7-server-rpms \
  --enable=rhel-server-rhscl-7-rpms \
  --enable=rhel-7-server-satellite-6.6-rpms \
  --enable=rhel-7-server-satellite-maintenance-6-rpms \
  --enable=rhel-7-server-ansible-2.8-rpms
```

- Join the Satellite server to your IPA domain. Do this by your standard procedure using `ipa-client-install`.
Prepare Satellite for IdM DNS Control
- Create a service account in the Kerberos realm for the Satellite server.

```
ipa service-add capsule/sputnik.lab.rmkra.us
```

- Create a keytab file for this account and make it readable only by the proxy user.

```
ipa-getkeytab -p capsule/sputnik.lab.rmkra.us@LAB.RMKRA.US \
  -s ipa.lab.rmkra.us -k /etc/foreman-proxy/dns.keytab
chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
```

- Open firewall ports.

```
firewall-cmd \
  --add-port="53/udp" --add-port="53/tcp" \
  --add-port="67/udp" --add-port="69/udp" \
  --add-port="80/tcp" --add-port="443/tcp" \
  --add-port="5000/tcp" --add-port="5647/tcp" \
  --add-port="8000/tcp" --add-port="8140/tcp" \
  --add-port="9090/tcp"
firewall-cmd --runtime-to-permanent
```
Prepare Satellite for IdM Realm Control
Satellite is able to automatically join hosts to the IdM realm on provisioning. This is how to enable that functionality.
- Install the IdM admin tools.

```
foreman-maintain packages install ipa-admintools
```

- Have Satellite set up an IdM account to use for joining clients to the realm, then move the resulting keytab into place for the proxy user.

```
foreman-prepare-realm admin realm-capsule
mv /root/freeipa.keytab /etc/foreman-proxy
chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Install Satellite
Chapter 2 of the installation manual covers the basic install procedure for a connected install. Refer there for the full version, but here is the short version.
- Download the installation packages.

```
yum install satellite
```

- Create an answer file to specify how Satellite should be installed.

```
cp /etc/foreman-installer/scenarios.d/satellite-answers.yaml \
  /etc/foreman-installer/scenarios.d/my-answer-file.yaml
```
- Edit the answer file to cover your desired install options. A couple of important ones are noted here, but look at them all.
```yaml
# ...
foreman_proxy:
  # ...
  # Enable tftp for PXE booting
  tftp: true
  # ...
  # I don't use Satellite for DHCP in my environment, you can, though
  dhcp: false
  # ...
  # Tell Satellite to send DNS updates to IdM
  dns: true
  dns_provider: nsupdate_gss
  dns_interface: primary
  dns_zone: lab.rmkra.us
  dns_reverse: 4.168.192.in-addr.arpa
  dns_server: ipa.lab.rmkra.us
  dns_ttl: 86400
  dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
  dns_tsig_principal: capsule/sputnik.lab.rmkra.us@LAB.RMKRA.US
  dns_forwarders: []
  # ...
  # I have some IPMI servers, so I enable this
  bmc: true
  bmc_default_provider: ipmitool
  # ...
  # Configure IdM realm support
  realm: true
  realm_listen_on: https
  realm_provider: freeipa
  realm_keytab: /etc/foreman-proxy/freeipa.keytab
  realm_principal: realm-capsule@LAB.RMKRA.US
  # ...
foreman_proxy::plugin::discovery:
  install_images: true
# ...
```

- Tell the installer to use your custom answers file by editing `/etc/foreman-installer/scenarios.d/satellite.yml` and changing the answer file line:

```
:answer_file: /etc/foreman-installer/scenarios.d/my-answer-file.yaml
```

- Install Satellite.

```
satellite-installer --scenario satellite
```

- Change the admin password. I don't like hardcoding it into the answers file.

```
foreman-rake permissions:reset
```
Enable Bare Metal Discovery
- Install the discovery PXE images.

```
foreman-maintain packages install foreman-discovery-image
```
- Set Discovery options in Administer -> Settings -> Discovered tab:
  - Discovery location
  - Discovery organization
- Set auto discover to be the default behavior for unknown hosts in Administer -> Settings -> Provisioning tab:
  - Default PXE global template entry: discovery
- Build the default PXE template:
  - In the UI, go to Hosts -> Provisioning Templates
  - Click Build PXE Default
Configure Satellite
Log in to the GUI and do all the basic configuration: load a manifest, sync repos, create content views, etc. When creating your domain, ensure the DNS capsule is set to the capsule server you've configured to send updates to IdM. When creating your subnet, set IPAM to None, and ensure the Reverse DNS Capsule is set to the capsule server you've configured to talk to IdM.
The following are the settings required for configuring authentication back to IdM and making an IdM group called `admins` map to a Satellite group called `Admins` that grants administrative access to Satellite.
- In the Satellite GUI, go to Administer -> LDAP Authentication
- Click Create LDAP Source
- Answers for the LDAP server tab:
  - Name: Whatever you'd like
  - Server: ipa.lab.rmkra.us
  - LDAPS: Checked
  - Port: 636
  - Server type: FreeIPA
- Account tab:
  - Account Username: uid=SERVICE,cn=users,cn=accounts,dc=lab,dc=rmkra,dc=us
  - Account Password: The associated password
  - Base DN: cn=users,cn=accounts,dc=lab,dc=rmkra,dc=us
  - Groups base DN: cn=groups,cn=accounts,dc=lab,dc=rmkra,dc=us
  - Automatically Create Accounts in Satellite: Checked
  - Usergroup Sync: Checked
- Attribute mappings tab:
  - Login Name Attribute: uid
  - First Name Attribute: givenName
  - Surname Attribute: sn
  - Email Address Attribute: mail
- Click Submit
- In the Satellite GUI, go to Administer -> User Groups
- Click Create User Group
- User Group tab:
  - Name: Admins
- Roles tab:
  - Administrator: Checked
- External Groups tab:
  - Click + Add external user group
  - Name: admins
  - Auth Source: LDAP-ipa.lab.rmkra.us
- Click Submit
- Log out and log back in with your standard account.
Configure IdM
Your DNS zones in IdM must be configured to allow updates from Satellite's service account. Append the following line to the BIND update policy box for the forward and reverse zones (IdM writes the `/` in the principal as the octal escape `\047`):

```
grant capsule\047sputnik.lab.rmkra.us@LAB.RMKRA.US wildcard * ANY;
```

On both zones, ensure that Dynamic update is set to True. Ensure that Allow PTR sync is enabled for the forward lookup zone.
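As an added check that is not part of the original post: a small Python script that verifies the `nsupdate_gss` and `freeipa` realm settings from the answers file above are internally consistent, and derives the BIND update-policy grant line the IdM zones need from `dns_tsig_principal`. The `FOREMAN_PROXY` dict and the assumption that both principals live in one IdM realm are constructed from this post's values.

```python
# Added example, not from the original post. Sanity-check the foreman_proxy
# answers before running satellite-installer, and derive the IdM BIND
# update-policy grant for the DNS principal (IdM stores '/' as \047).

# Constructed from the answers-file excerpt shown in the post.
FOREMAN_PROXY = {
    "dns": True,
    "dns_provider": "nsupdate_gss",
    "dns_zone": "lab.rmkra.us",
    "dns_reverse": "4.168.192.in-addr.arpa",
    "dns_server": "ipa.lab.rmkra.us",
    "dns_tsig_keytab": "/etc/foreman-proxy/dns.keytab",
    "dns_tsig_principal": "capsule/sputnik.lab.rmkra.us@LAB.RMKRA.US",
    "realm": True,
    "realm_provider": "freeipa",
    "realm_keytab": "/etc/foreman-proxy/freeipa.keytab",
    "realm_principal": "realm-capsule@LAB.RMKRA.US",
}


def kerberos_realm(principal):
    """Return the REALM part of user@REALM or service/host@REALM, or '' if absent."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""


def check_proxy_settings(cfg):
    """Return a list of problems; an empty list means the GSS/realm settings are coherent."""
    problems = []
    if cfg.get("dns") and cfg.get("dns_provider") == "nsupdate_gss":
        for key in ("dns_server", "dns_tsig_keytab", "dns_tsig_principal"):
            if not cfg.get(key):
                problems.append(f"nsupdate_gss requires {key}")
        principal = cfg.get("dns_tsig_principal", "")
        if "/" not in principal or not kerberos_realm(principal):
            problems.append("dns_tsig_principal must look like service/host@REALM")
        if not cfg.get("dns_reverse", "").endswith((".in-addr.arpa", ".ip6.arpa")):
            problems.append("dns_reverse is not a reverse zone name")
    if cfg.get("realm") and cfg.get("realm_provider") == "freeipa":
        for key in ("realm_keytab", "realm_principal"):
            if not cfg.get(key):
                problems.append(f"freeipa realm support requires {key}")
    # Assumption: a single IdM realm serves both DNS updates and host enrolment.
    realms = {kerberos_realm(cfg.get(k, "")) for k in ("dns_tsig_principal", "realm_principal")}
    if len(realms - {""}) > 1:
        problems.append("dns_tsig_principal and realm_principal are in different realms")
    return problems


def bind_update_policy(principal):
    """Grant line for the IdM zone's BIND update policy; '/' must be written as \\047."""
    return f"grant {principal.replace('/', chr(92) + '047')} wildcard * ANY;"
```

`bind_update_policy` produces exactly the grant line pasted into both zones above, so it is also a quick way to spot a typo between the keytab principal and the policy.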
Bask in the automated glory that is your life
When new machines are created, forward and reverse DNS entries appear automatically. Custom additional entries (VIPs and the like) can still be managed in IdM directly. Success.