Adventures in Katello – Part 1

I have been meaning to rebuild certain parts of my home lab so that I could have faster content access. Previously, I used a Satellite 6.2 instance to mirror Red Hat content and a collection of reposync scripts to mirror other software (CentOS, Fedora, etc).

I’ve decided to migrate all of that over to a new install of Katello (3.3 RC2). This document covers the journey.

Install of Katello

I nabbed the install instructions for the system running Katello directly from theforeman.org. I decided to install Katello on my RHEL7 system that I am dedicating as a software mirror (repos.auroracloud.com).

First, set up all the repos.

yum -y  --disablerepo="*" --enablerepo=rhel-7-server-rpms install yum-utils wget
yum-config-manager --disable "*"
yum-config-manager --enable rhel-7-server-rpms
yum-config-manager --enable rhel-7-server-optional-rpms
yum-config-manager --enable rhel-7-server-extras-rpms

Install the packages:

yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.3/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.14/el7/x86_64/foreman-release.rpm
yum -y localinstall https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm # will install with Puppet 4
#yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm # use this instead if you prefer Puppet 3
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl

Then update:

yum -y update

Next, let’s get time correct. (Proper timekeeping and sound name resolution are absolutely required because nearly every service is SSL-enabled.)

yum -y install ntp ntpdate
ntpdate pool.ntp.org
systemctl enable ntpd
systemctl start ntpd

Install Katello packages

yum -y install katello

Finally, let’s configure the software. I like to use the --foreman-initial-* switches to set a default organization/location.

foreman-installer --scenario katello \
  --verbose \
  --foreman-initial-organization Auroracloud \
  --foreman-initial-location PHL \
  --foreman-admin-password [redacted]

Configuration of hammer CLI

Post install, let’s configure some environment variables that will make using the hammer command a bit easier (and also make it easier to copy/paste my examples.)

echo "ORG=Auroracloud" >> ~/.bashrc
echo "LOCATION=PHL" >> ~/.bashrc
echo "DOMAIN=auroracloud.com" >> ~/.bashrc
echo "KATELLOSERVER=$(hostname -f)" >> ~/.bashrc
source ~/.bashrc
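mkdir -p ~/.hammer/
cat > ~/.hammer/cli_config.yml<<EOF
:foreman:
    :host: 'https://$(hostname)/'
    :username: 'admin'
    :password: '[redacted]'
EOF
# The file stores the admin password in clear text; restrict it to the owner.
chmod 600 ~/.hammer/cli_config.yml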

Preparing for content sync & setting download policies.

One of the first architectural decisions that I had to make was which download policy to use. Pulp, the repository syncing engine, has three ways in which RPM/YUM repositories can be synced:

Download Policy: Details

  • Immediate: The default download policy for repositories. When using this policy, all content is downloaded before publishing the repository.
  • Background: A download policy that actively retrieves content units in the background after a publish has been performed.
  • On-Demand: A download policy that only saves a content unit locally after a client has requested that content unit.

The background and on-demand policies are what are known as deferred download policies, meaning that the process of downloading content is completed after the repository is published. This allows the repository to be made available and used elsewhere (such as creating Content Views and Provisioning systems) without necessarily having all of the content downloaded.

Lazy Sync Architecture (from Pulp’s User Guide)

Deferred downloading relies on three services:

  • A reverse proxy that terminates the TLS connection. In this guide Apache httpd is configured to act as the reverse proxy, but any reverse proxy that is capable of running a WSGI application should work. This service proxies the requests to the next service, a caching proxy server.
  • A caching proxy server. In this guide Squid is used, but a simple Varnish configuration is also provided. This service de-duplicates client requests and caches content for Pulp to eventually save to permanent storage. It proxies requests on to the last service, the pulp_streamer.
  • The pulp_streamer is a streaming proxy service that translates the files in Pulp repositories to their locations in upstream repositories. This service interacts with Pulp’s core services to determine where the content is located and how to download it. It streams the content back to the client through Squid and Apache httpd as it is downloaded.

For my usage, I decided to use the immediate download policy. This allows me to have ALL of the content of the repository locally at the expense of having to expend disk space to store older RPMs that I may not use again.

I’ll go ahead and set my default download policy via hammer.

hammer settings set --name default_proxy_download_policy --value immediate

Note, the default is immediate today, but I am being extra explicit in case the Katello devs choose to change it in the future.

Products and Repos

Katello uses the concepts of Products and Repos to make repository management a bit easier.

Repositories hold software of various types (puppet, yum, file, docker) and are populated by:

  • uploading content to the repos (via the UI, CLI or API)
  • synchronizing the repository from somewhere else

Products allow multiple repositories to be grouped together and treated as a single unit. (This allows Katello to sync the product as one unit or track usage of a Product across multiple systems.)

Selecting content to Sync.

In my lab, I want to support Red Hat, CentOS and Fedora, along with Extra Packages for Enterprise Linux (EPEL) and a mirror of PuppetForge.

First, I’ll set up a sync plan to run daily:

hammer sync-plan create --name 'Daily Sync' \
 --description 'Daily Synchronization Plan' \
 --organization "$ORG" \
 --interval daily \
 --sync-date "$(date +%Y-%m-%d) 00:00:00" \
 --enabled yes

Next, time to select some repositories.

Red Hat Enterprise Linux.

Red Hat Repositories can only be synced using a subscription manifest generated from Red Hat’s Customer Portal. I’ve downloaded mine to /tmp/manifest.zip.

hammer subscription upload --organization "$ORG" \
--file /tmp/manifest.zip

Enable some RHEL Repositories

hammer repository-set enable --organization "$ORG" \
 --product 'Red Hat Enterprise Linux Server' \
 --basearch='x86_64' \
 --releasever='7Server' \
 --name 'Red Hat Enterprise Linux 7 Server (RPMs)'  

hammer repository-set enable --organization "$ORG" \
 --product 'Red Hat Enterprise Linux Server' \
 --basearch='x86_64' \
 --releasever='7Server' \
 --name 'Red Hat Enterprise Linux 7 Server - Optional (RPMs)'  

hammer repository-set enable --organization "$ORG" \
 --product 'Red Hat Enterprise Linux Server' \
 --basearch='x86_64' \
 --name 'Red Hat Enterprise Linux 7 Server - Extras (RPMs)'  

hammer repository-set enable --organization "$ORG" \
 --product 'Red Hat Enterprise Linux Server' \
 --basearch='x86_64' \
 --releasever='7.3' \
 --name 'Red Hat Enterprise Linux 7 Server (Kickstart)'  

And associate them with the aforementioned sync Plan

hammer product set-sync-plan \
 --name 'Red Hat Enterprise Linux Server' \
 --organization "$ORG" \
 --sync-plan 'Daily Sync'

CentOS

For CentOS (and most other repositories), you’d want to download the GPG key for that repository and upload it to Katello so that clients can ensure that the RPMs haven’t been tampered with:

wget -q https://www.centos.org/keys/RPM-GPG-KEY-CentOS-7 -O /tmp/RPM-GPG-KEY-CentOS-7
hammer gpg create --key /tmp/RPM-GPG-KEY-CentOS-7  --name 'GPG-CentOS-7' --organization "$ORG"
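
A key is only as trustworthy as the channel it arrived over, so it is worth comparing its full fingerprint against a value obtained separately before uploading it. The sketch below is an added example, not part of the original post or of Katello itself; the function names are hypothetical, the sample listing is constructed, and it assumes $ORG is set as above. It applies equally to the Fedora, EPEL and Katello keys imported later.

```bash
# Added example, not from the original post. Helper names are hypothetical.
# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1400000000:::-:::scSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1400000000::::Constructed Key <key@example.invalid>:
sub:-:4096:1:7777888899990000:1400000000::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Print the primary key's fingerprint from a colon listing on stdin: the first
# "fpr" record after a "pub" record. Later "fpr" records belong to subkeys.
primary_fpr() {
  awk -F: '$1 == "pub" { seen = 1; next }
           $1 == "fpr" && seen { print $10; exit }'
}

# Normalise a typed fingerprint ("aaaa bbbb ...") to bare upper-case hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED, colon listing on stdin.
# Returns 0 on exact match, 1 on mismatch, 2 if EXPECTED is not a full
# 40-hex-digit fingerprint (8-digit key IDs such as the one in a file name
# are too short to identify a key).
fpr_matches() {
  _expected=$(norm_fpr "$1")
  _actual=$(primary_fpr)
  printf '%s\n' "$_expected" | grep -Eq '^[0-9A-F]{40}$' || return 2
  [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# import_verified_key FILE NAME EXPECTED_FPR
# Uploads the key to Katello only when its fingerprint matches the value you
# obtained separately from the download (assumes $ORG is set as in this post).
# Assumption: gpg lists the keys in FILE when given no command, which is how
# RHEL 7's GnuPG 2.0 behaves; newer releases offer --show-keys for this.
import_verified_key() {
  if gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
       fpr_matches "$3"; then
    hammer gpg create --key "$1" --name "$2" --organization "$ORG"
  else
    echo "refusing to import $1: fingerprint check failed" >&2
    return 1
  fi
}
```

Call it as `import_verified_key /tmp/RPM-GPG-KEY-CentOS-7 'GPG-CentOS-7' "<fingerprint from a separate source>"` in place of the bare `hammer gpg create`.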

Create a Product for CentOS. You’ll notice that we did not have to explicitly create a Product for Red Hat content. Red Hat Products are created implicitly when importing a subscription manifest.

hammer product create \
 --name=CentOS \
 --organization "$ORG" \
 --description CentOS

And create some CentOS repos. We’ll use just the Base and Updates repos for now. If you want to add any other repos, copy and modify the examples below:

hammer repository create --name='CentOS 7 - Base - x86_64' \
--organization "$ORG" \
--product='CentOS' \
--content-type='yum' \
--publish-via-http=true \
--url=http://mirror.centos.org/centos/7.3.1611/os/x86_64/ \
--checksum-type=sha256 \
--gpg-key=GPG-CentOS-7


hammer repository create --name='CentOS 7 - Updates - x86_64' \
--organization "$ORG" \
--product='CentOS' \
--content-type='yum' \
--publish-via-http=true \
--url=http://mirror.centos.org/centos/7.3.1611/updates/x86_64/ \
--checksum-type=sha256 \
--gpg-key=GPG-CentOS-7

And lastly, add the Product to the Daily sync-plan

hammer product set-sync-plan \
 --organization "$ORG" --sync-plan 'Daily Sync' \
 --name 'CentOS'

Fedora

Get GPG Key

wget -q https://getfedora.org/static/FDB19C98.txt -O /tmp/RPM-GPG-KEY-Fedora-25
hammer gpg create \
 --key /tmp/RPM-GPG-KEY-Fedora-25 \
 --name 'GPG-Fedora-25' \
 --organization "$ORG"

Create the product

hammer product create \
 --name=Fedora \
 --organization "$ORG" \
 --description Fedora

And create the repositories

hammer repository create --name='Fedora 25 - Release - x86_64' \
--organization "$ORG" \
--product='Fedora' \
--content-type='yum' \
--publish-via-http=true \
--url=https://mirrors.kernel.org/fedora/releases/25/Everything/x86_64/os/ \
--checksum-type=sha256 \
--gpg-key=GPG-Fedora-25

hammer repository create --name='Fedora 25 - Updates - x86_64' \
--organization "$ORG" \
--product='Fedora' \
--content-type='yum' \
--publish-via-http=true \
--url=https://mirrors.kernel.org/fedora/updates/25/x86_64/ \
--checksum-type=sha256 \
--gpg-key=GPG-Fedora-25

Once again, add the product to the sync-plan

hammer product set-sync-plan \
 --organization "$ORG" --sync-plan 'Daily Sync' \
 --name 'Fedora'

EPEL

GPG key

wget -q https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 -O /tmp/RPM-GPG-KEY-EPEL-7

hammer gpg create \
 --key /tmp/RPM-GPG-KEY-EPEL-7  \
 --name 'GPG-EPEL-7' \
 --organization "$ORG"

Create the custom product

hammer product create \
 --name='Extra Packages for Enterprise Linux' \
 --organization "$ORG" \
 --description 'Extra Packages for Enterprise Linux'

And lastly the repository creation.

hammer repository create \
 --name='EPEL 7 - x86_64' \
 --organization "$ORG" \
 --product='Extra Packages for Enterprise Linux' \
 --content-type='yum' \
 --publish-via-http=true \
 --url=http://dl.fedoraproject.org/pub/epel/7/x86_64/ \
 --checksum-type=sha256 \
 --gpg-key=GPG-EPEL-7  

Once again, add the product to the sync-plan

hammer product set-sync-plan \
 --organization "$ORG" --sync-plan 'Daily Sync' \
 --name 'Extra Packages for Enterprise Linux'

Puppet Forge

Create the product

hammer product create \
 --name='Puppet Forge' \
 --organization "$ORG" \
 --description 'Modules from Puppet Forge'

Create the repository

hammer repository create \
 --name='Puppet Forge Modules' \
 --organization "$ORG" \
 --product='Puppet Forge' \
 --content-type='puppet' \
 --publish-via-http=true \
 --url=http://forge.puppetlabs.com/

And associate the product to the sync-plan

hammer product set-sync-plan \
 --organization "$ORG" --sync-plan 'Daily Sync' \
 --name 'Puppet Forge'

Katello Agent

Lastly, we’ll need to sync the repos for the Katello-agent. I couldn’t seem to find the GPG key online anymore, so I downloaded the katello-client-repos-latest package and extracted it to get the GPG key.

hammer gpg create \
 --key /tmp/RPM-GPG-KEY-katello \
 --name 'GPG-Katello' \
 --organization "$ORG"

(Yet again) create the product.

hammer product create \
--name=Katello \
--organization "$ORG" \
--description Katello

And the repos.

hammer repository create --name='Katello 3.3 Client f25 - x86_64' \
--organization "$ORG" \
--product='Katello' \
--content-type='yum' \
--publish-via-http=true \
--url=https://fedorapeople.org/groups/katello/releases/yum/3.3/client/f25/x86_64/ \
--checksum-type=sha256 \
--gpg-key=GPG-Katello

hammer repository create --name='Katello 3.3 Client el7 - x86_64' \
--organization "$ORG" \
--product='Katello' \
--content-type='yum' \
--publish-via-http=true \
--url=https://fedorapeople.org/groups/katello/releases/yum/3.3/client/el7/x86_64/ \
--checksum-type=sha256 \
--gpg-key=GPG-Katello

And associate the Product with the sync plan

hammer product set-sync-plan \
 --organization "$ORG" --sync-plan 'Daily Sync' \
 --name 'Katello'

Syncing repos.

Now that we’ve defined & selected all of the repositories that we want, we have to actually sync them. I can go ahead and kick off a sync for each repo using a command similar to:

hammer repository synchronize \
 --organization "$ORG" \
 --product 'Red Hat Enterprise Linux Server'  \
 --name 'Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.2'

But I have like 20 or so repos, and I am lazy, so I have two options.

  • In the UI, under Content->Sync Status, there is an option to Select All repos and sync.
  • Walk away, and allow my Daily Sync sync-plan to download the repositories.

I am doing the latter. 🙂 Stay tuned for part two (to be completed after a couple hundred gigabytes of data downloads)

Rich Jerrido