oasis-roles / satellite

GNU General Public License v3.0

SATELLITE

Install and configure a main Satellite server

Requirements

Ansible 2.4 or higher

Red Hat Enterprise Linux 7 or equivalent

Valid Red Hat Subscriptions

Role Variables

Currently the following variables are supported:

General

Unlike many other OASIS project roles, there is no satellite_become_user or satellite_become variable. The Satellite installer is very strict about system configuration and setup. Therefore, all tasks that require it must be executed as root.

Dependencies

Before the Satellite installer will operate properly, there are a number of tasks that need to be accomplished on the host system. There are OASIS roles for each one of these tasks, and some example configuration will be given here.

Minimum hardware requirements include 8GB of RAM. Without that, the Satellite installer will simply refuse to run, informing you that it needs that much system memory. There are also significant hard drive space requirements to actually operate Satellite, but the installer will run without them, so disk space can be added and expanded later on.

Satellite is available in a number of RHSM repositories. Specifically you should have the repos rhel-7-server-rpms, rhel-server-rhscl-7-rpms, and rhel-7-server-satellite-<version>-rpms enabled. The <version> string should be substituted with the current version of Satellite that you wish to install. No other repositories should be enabled on the system, to avoid improper masking of dependencies. This can be done by registering with the rhsm role using a snippet similar to the following:

- hosts: satellite
  roles:
    - role: oasis_roles.rhsm
      rhsm_repositories:
        only:
          - rhel-7-server-rpms
          - rhel-server-rhscl-7-rpms
          - rhel-7-server-satellite-6.3-rpms
      rhsm_unregister: true

Satellite is very picky about the hostname for the system, as well. The fully qualified hostname (such as that reported by hostname -f) must be both the forward and reverse DNS name for the system. The easiest way to do this is by setting up true DNS and also setting the system's hostname with the hostname role. An option such as this should accomplish it:

- hosts: satellite
  roles:
    - role: oasis_roles.hostname
      hostname: "fqdn.mydomain.tld"
      hostname_inject_hosts_files: false

Resolving DNS is not sufficient for the Satellite installer. It will also check that at least one of the network interfaces on the host system is configured with the IP address that it detects as the forward DNS address of the host. In some environments, this address might not be set on the interface by default. For instance, most VMs in OpenStack will have a set of internal OpenStack IP addresses on the host, while an externally routable IP address is added to the OpenStack network and is what DNS returns. However, OpenStack will not configure the host to attach that routable IP address to the interface. Behavior like this is not uncommon in hosted environments, so if the target host is in such a situation, an IP address can be added to the default IPv4 interface with code such as the following:

- hosts: satellite
  roles:
    - role: oasis_roles.nmcli_add_addrs
      nmcli_add_addrs_interface: "{{ ansible_default_ipv4.interface }}"
      nmcli_add_addrs_ipv4:
        - "{{ ansible_host | default(inventory_hostname) }}"

Obviously, the interface and IP address to add depend on the host and the infrastructure it lives in. They can be hard coded or auto-detected, as in the above example. For hosts that are configured directly with IP addresses that match their DNS entry, this step can be skipped entirely.
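The memory, hostname and interface prerequisites described above can be checked before the installer runs. The play below is an added example, not part of the role; the `preflight_*` names and the 7500 MB threshold (an 8GB host reports slightly less than 8192 MB) are assumptions. It covers those three checks only, not the repository setup.

```yaml
- hosts: satellite
  gather_facts: true
  tasks:
    - name: Require the 8GB of RAM the installer insists on
      assert:
        that:
          - ansible_memtotal_mb >= 7500   # assumed margin below 8192 MB
        msg: "Only {{ ansible_memtotal_mb }} MB of RAM detected"

    - name: Read the fully qualified hostname on the target
      command: hostname -f
      register: preflight_fqdn
      changed_when: false

    # getent follows nsswitch.conf, so an /etc/hosts entry can satisfy
    # this lookup even when real DNS is missing.
    - name: Forward-resolve the FQDN to an IPv4 address
      command: getent ahostsv4 {{ preflight_fqdn.stdout }}
      register: preflight_forward
      changed_when: false

    - name: Reverse-resolve that address
      command: getent hosts {{ preflight_forward.stdout.split()[0] }}
      register: preflight_reverse
      changed_when: false

    - name: Reverse name must be the same FQDN
      assert:
        that:
          - preflight_reverse.stdout.split()[1] == preflight_fqdn.stdout
        msg: >-
          {{ preflight_forward.stdout.split()[0] }} reverse-resolves to
          {{ preflight_reverse.stdout.split()[1] }},
          not {{ preflight_fqdn.stdout }}

    - name: Forward address must be configured on a local interface
      assert:
        that:
          - preflight_forward.stdout.split()[0] in ansible_all_ipv4_addresses
        msg: >-
          {{ preflight_forward.stdout.split()[0] }} is not on any interface;
          see the nmcli_add_addrs snippet above
```

Run it after the hostname and nmcli_add_addrs roles have been applied, since those roles are what make the last two assertions pass on hosts such as the OpenStack VMs described above.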

There are a large number of firewall ports that need to be opened for Satellite to work properly. Keeping a full list of those ports here is impractical, and the list could change with future versions of Satellite. Therefore, refer to the Satellite documentation for a description of which ports should be opened, and open only the ones that you need. At the very least it is probably desirable to open the standard web ports (80 and 443) to allow browser-based access to the Satellite environment.

- hosts: satellite
  roles:
    - role: oasis_roles.firewalld
      firewalld_zone: public
      firewalld_ports_open:
        - proto: tcp
          port: 80
        - proto: tcp
          port: 443

The other ports can be opened if you want to use Satellite for the functions they serve.

Example Playbook

- hosts: satellite-servers
  roles:
    - role: oasis_roles.rhsm
      rhsm_repositories:
        only:
          - rhel-7-server-rpms
          - rhel-server-rhscl-7-rpms
          - rhel-7-server-satellite-6.3-rpms
      rhsm_unregister: true
    - role: oasis_roles.hostname
      hostname: "fqdn.mydomain.tld"
      hostname_inject_hosts_files: false
    - role: oasis_roles.nmcli_add_addrs
      nmcli_add_addrs_interface: "{{ ansible_default_ipv4.interface }}"
      nmcli_add_addrs_ipv4:
        - "{{ ansible_host | default(inventory_hostname) }}"
    - role: oasis_roles.firewalld
      firewalld_zone: public
      firewalld_ports_open:
        - proto: tcp
          port: 80
        - proto: tcp
          port: 443
    - role: oasis_roles.satellite
      satellite_admin_username: my_user
      satellite_admin_password: my_derpy_p4ssw0rd
      satellite_organization: Lexcorp, Inc.
      satellite_location: Metropolis, USA
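
The playbook above carries the admin password in clear text, which ends up in version control along with the playbook. As an added example (not part of the role's documentation), the same role entry can read the password from an Ansible Vault file; the variable name `vault_satellite_admin_password` and the `group_vars` path are assumptions.

```yaml
# group_vars/satellite-servers/vault.yml is created and encrypted with:
#   ansible-vault create group_vars/satellite-servers/vault.yml
# and holds a single key (name is an assumption of this example):
#   vault_satellite_admin_password: <your real password>

- hosts: satellite-servers
  pre_tasks:
    - name: Refuse to run without the vaulted admin password
      assert:
        that:
          - vault_satellite_admin_password is defined
          - vault_satellite_admin_password | length > 0
        msg: "vault_satellite_admin_password is missing or empty"
  roles:
    - role: oasis_roles.satellite
      satellite_admin_username: my_user
      satellite_admin_password: "{{ vault_satellite_admin_password }}"
      satellite_organization: Lexcorp, Inc.
      satellite_location: Metropolis, USA
```

Run the playbook with `ansible-playbook --ask-vault-pass` so the vault file is decrypted at run time.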

License

GPLv3

Author Information

Greg Hellings greg.hellings@gmail.com