diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..41acbae --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*.swp +*~ +*.retry diff --git a/README.md b/README.md index 06d8f80..b26abb0 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ Install and configure Satellite 6 on a RHEL 6 or 7 host. -This is based on the process outlined here: - -https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html +This is based on the process outlined in the [Red Hat Satellite 6 Installation Guide](https://access.redhat.com/documentation/en/red-hat-satellite/) ======= Invoke the role using only one of the below three include statements, in order to pass in the data required to register the system with RHN: 
@@ -18,3 +16,59 @@ Invoke the role using only one of the below three include statements, in order t ## This is needed when your version of Ansible uses buggy redhat_subscription module prior to PR 1204. Before that, redhat_subscription won't be able to find subs - { role: role-satellite6-server rhn_pool_ids: ["somelongpoolid", "someotherlongpoolid"] } ``` + +If you don't specify the variable `satellite_version` (6.1 or 6.2), then the latest version is assumed. + +## More complete (and complex) setup + +If you create an empty directory, where you create all the following files in a similar manner (search for `YOUR` to see where you all need to adapt: + +``` +$ head -n-0 ansible.cfg credentials.cfg inventory.cfg satellite6.yml roles/requirements.yml +==> ansible.cfg <== +[defaults] +roles_path = ./roles +inventory = ./inventory.cfg + +==> credentials.cfg <== +--- +rhn_user: YOUR_RHN_USER +rhn_pass: YOUR_RHN_PASSWORD +rhn_pool_pattern: '^$' # optional, the default pattern is IMHO too "greedy" +rhn_pool_ids: # optional, necessary if you keep the empty pool pattern above + - 'abcdef01234567890abcdef123456789' # must contain Satellite subscription + +==> inventory.cfg <== +[YOUR_GROUP_NAME] +YOUR_SATELLITE_SERVER_FQDN + +[YOUR_GROUP_NAME:vars] +satellite_version=6.2 + +==> satellite6.yml <== +- hosts: YOUR_GROUP_NAME + user: root + vars_files: + - credentials.cfg + roles: + - satellite6-server + +==> roles/requirements.yml <== +--- +- src: https://github.com/YOUR_GITHUB_USER/role-satellite6-server + version: master + name: satellite6-server +``` + +Then you may run the following commands to install the role and configure your Satellite 6 server. + +``` +ansible-galaxy -v install --force -r roles/requirements.yml +ansible-playbook satellite6.yml +``` + +The last command is assuming that you''ve already copied your SSH-key to the root user on your Satellite-server, and that the Satellite server has a basic RHEL 7 installation (RHEL 6 might work, hasn''t been tested). 
+
+Once the installation is successful, you can point your browser to https://YOUR_SATELLITE_SERVER_FQDN/ and grab the admin user and password, `admin_username` and `admin_password` from the used answers file `{{ installer_answer_file }}`, as defined under `roles/satellite6-server/vars/main.yml`.
+
+Next steps would be to generate a manifest on your account at https://access.redhat.com/ and configure the Satellite server. Have fun!
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..40a67c7
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+satellite_version: 6.2
+# Sounds like a defaults-var can't rely on a vars-var, moved to vars/main.yml
+#installer_answer_file: "{{ installer_dir }}/role-ansible-satellite6-answers.yaml"
diff --git a/files/role-ansible-satellite6-answers.yaml b/files/role-ansible-satellite-6.1-answers.yaml
similarity index 100%
rename from files/role-ansible-satellite6-answers.yaml
rename to files/role-ansible-satellite-6.1-answers.yaml
diff --git a/files/role-ansible-satellite-6.2-answers.yaml b/files/role-ansible-satellite-6.2-answers.yaml
new file mode 100644
index 0000000..283da1c
--- /dev/null
+++ b/files/role-ansible-satellite-6.2-answers.yaml
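Review bot: `satellite_version: 6.2` is an unquoted float, and the role now depends on that type everywhere: vars/main.yml indexes `installer_packages[satellite_version]` (and the three sibling mappings) with float keys `6.1:`/`6.2:`, and the `when: satellite_version < 6.2` / `>= 6.2` guards in tasks/main.yml, tasks/firewall-6.yml and tasks/firewall-7.yml compare numerically. A value that arrives as a string (for example `-e satellite_version=6.2` on the command line, which is always a string) makes the dictionary lookups come back undefined and turns the guards into string-versus-number comparisons whose outcome depends on the Python version, and a future `6.10` would be read as 6.1. Quoting the version throughout (`satellite_version: "6.2"`, keys `"6.1":`/`"6.2":`, `installer_packages[satellite_version | string]`) and comparing with `satellite_version | string | version_compare('6.2', '>=')` removes the reliance on YAML number parsing.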
@@ -0,0 +1,68 @@
+# Format:
+# : false - don't include this class
+# : true - include and use the defaults
+# :
+# : - include and override the default(s)
+#
+# See params.pp in each class for what options are available
+# NOTE: answer file copied from version 6.2.7
+# /etc/foreman-installer/scenarios.d/satellite-answers.yaml
+# See https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide/#performing_initial_configuration_sat_server_answerfile
+
+---
+ certs:
+ generate: true
+ deploy: true
+ group: foreman
+ katello:
+ package_names:
+ - katello
+ - tfm-rubygem-katello
+ foreman:
+ organizations_enabled: true
+ locations_enabled: true
+ initial_organization: "Default Organization"
+ initial_location: "Default Location"
+ custom_repo: true
+ configure_epel_repo: false
+ configure_scl_repo: false
+ ssl: true
+ server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
+ server_ssl_key: /etc/pki/katello/private/katello-apache.key
+ server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
+ server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
+ server_ssl_crl: false
+ websockets_encrypt: true
+ websockets_ssl_key: /etc/pki/katello/private/katello-apache.key
+ websockets_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
+ passenger_ruby: /usr/bin/tfm-ruby
+ passenger_ruby_package: tfm-rubygem-passenger-native
+ capsule:
+ pulp_master: true
+ puppet: true
+ templates: false
+ "foreman::plugin::tasks": true
+ "foreman::plugin::remote_execution": true
+ "foreman::plugin::openscap": true
+ "foreman_proxy::plugin::remote_execution::ssh": true
+ "foreman_proxy::plugin::openscap": true
+ foreman_proxy:
+ custom_repo: true
+ http: true
+ ssl_port: "9090"
+ templates: false
+ tftp: false
+ ssl_ca: /etc/foreman-proxy/ssl_ca.pem
+ ssl_cert: /etc/foreman-proxy/ssl_cert.pem
+ ssl_key: /etc/foreman-proxy/ssl_key.pem
+ foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
+ foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
+
foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem + puppetca: true + register_in_foreman: true + "foreman_proxy::plugin::pulp": + enabled: true + pulpnode_enabled: false + "foreman::plugin::discovery": true + "foreman::plugin::bootdisk": false + "foreman_proxy::plugin::discovery": true diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/tasks/firewall-6.yml b/tasks/firewall-6.yml index cbe1451..ee93a91 100644 --- a/tasks/firewall-6.yml +++ b/tasks/firewall-6.yml @@ -28,3 +28,23 @@ - name: Enable Foreman via IPTables lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT" notify: restart iptables + + - block: + + - name: Enable AMQP/SSL-TLS (client to internal capsule) via IPTables + lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 5647 -j ACCEPT" + notify: restart iptables + + - name: Enable AMQP/SSL-TLS (external capsule to satellite) via IPTables + lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 5646 -j ACCEPT" + notify: restart iptables + + - name: Enable iPXE template retrieval via IPTables + lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT" + notify: restart iptables + + - name: Enable client registration via IPTables + lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT" + notify: restart iptables + + when: satellite_version >= 6.2 diff --git a/tasks/firewall-7.yml b/tasks/firewall-7.yml index 2bbde71..1fc5628 100644 --- a/tasks/firewall-7.yml +++ b/tasks/firewall-7.yml 
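Review bot: The four new `lineinfile` tasks in the `satellite_version >= 6.2` block append their `-A INPUT ... -j ACCEPT` line at the end of /etc/sysconfig/iptables, since none of them passes `insertbefore`/`insertafter`; on a stock RHEL 6 file that is below the closing `COMMIT` and below the catch-all `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, so the new rule is either refused by iptables-restore or never reached (TODO confirm on the target image). Adding `insertbefore='^-A INPUT -j REJECT'` to each task would place the ACCEPT rules inside the filter table ahead of the reject; the pre-existing tasks above the block share the same gap. The task list this block belongs to starts before the hunk.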
@@ -5,26 +5,48 @@ - name: Run firewalld now and at boot service: name=firewalld state=started enabled=true - - name: Enable HTTPS via firewalld - firewalld: service=https permanent=true state=enabled - notify: restart firewalld + - block: - - name: Enable HTTP via firewalld - firewalld: service=http permanent=true state=enabled - notify: restart firewalld + - name: Enable HTTPS via firewalld + firewalld: service=https permanent=true state=enabled + notify: restart firewalld - - name: Enable Satellite SSL communication via firewalld - firewalld: port=5671/tcp permanent=true state=enabled - notify: restart firewalld + - name: Enable HTTP via firewalld + firewalld: service=http permanent=true state=enabled + notify: restart firewalld - - name: Enable Tomcat via firewalld - firewalld: port=8080/tcp permanent=true state=enabled - notify: restart firewalld + - name: Enable Satellite SSL communication via firewalld + firewalld: port=5671/tcp permanent=true state=enabled + notify: restart firewalld - - name: Enable Puppet via firewalld - firewalld: port=8140/tcp permanent=true state=enabled - notify: restart firewalld + - name: Enable Tomcat via firewalld + firewalld: port=8080/tcp permanent=true state=enabled + notify: restart firewalld - - name: Enable Foreman via firewalld - firewalld: port=9090/tcp permanent=true state=enabled - notify: restart firewalld + - name: Enable Puppet via firewalld + firewalld: port=8140/tcp permanent=true state=enabled + notify: restart firewalld + + - name: Enable Foreman via firewalld + firewalld: port=9090/tcp permanent=true state=enabled + notify: restart firewalld + + when: satellite_version < 6.2 + + - block: + + # starting with RHEL 7.2 (at least) covers the services: + # tcp/80 tcp/443 tcp/5646-5647 tcp/5671 tcp/8140 tcp/8080 tcp/9090 + - name: Enable Satellite 6 service via firewalld + firewalld: service=RH-Satellite-6 permanent=true state=enabled + notify: restart firewalld + + - name: Enable iPXE template retrieval via firewalld + 
firewalld: port=8000/tcp permanent=true state=enabled + notify: restart firewalld + + - name: Enable client registration via firewalld + firewalld: port=8443/tcp permanent=true state=enabled + notify: restart firewalld + + when: satellite_version >= 6.2 diff --git a/tasks/main.yml b/tasks/main.yml index 557428d..c838eed 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,7 +42,7 @@ command: "ping -c1 localhost" changed_when: False - - name: Confirm DNS resoultion for short domain name of this host + - name: Confirm DNS resolution for short domain name of this host shell: "ping -c1 $(hostname -s)" changed_when: False @@ -58,19 +58,25 @@ state: present username: "{{ rhn_user }}" password: "{{ rhn_pass }}" - pool: ".*Red Hat (Enterprise Linux|Satellite).*" + pool: "{{ rhn_pool_pattern | default('.*Red Hat (Enterprise Linux|Satellite).*') }}" when: rhn_user is defined and rhn_pass is defined - name: Enable RHEL subscription via activation key redhat_subscription: state: present activationkey: "{{ rhn_activationkey }}" - pool: ".*Red Hat (Enterprise Linux|Satellite).*" + pool: "{{ rhn_pool_pattern | default('.*Red Hat (Enterprise Linux|Satellite).*') }}" when: rhn_activation_key is defined + - name: Check which pool IDs are already consumed + command: subscription-manager list --pool-only --consumed + register: consumed_pool_ids + changed_when: false + - name: Add subs by pool id if your version of Ansible has a buggy redhat_subscription module command: "subscription-manager subscribe --pool={{ item }}" with_items: "{{ rhn_pool_ids | default([])}}" + when: item not in consumed_pool_ids.stdout_lines ## FIXME: these two tasks together shouldn't change the end-state, but neither is idempotent - name: Reset enabled yum/rhn distros 
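Review bot: `Enable Satellite 6 service via firewalld` in the `satellite_version >= 6.2` block assumes the host's firewalld ships a `RH-Satellite-6` service definition; the comment above it only says "starting with RHEL 7.2 (at least)", and on a firewalld without that definition the module fails with an invalid-service error rather than falling back to the explicit ports the `< 6.2` block opens. Either record the minimum firewalld/RHEL version in the task name, or guard the task with a `stat` on `/usr/lib/firewalld/services/RH-Satellite-6.xml` and keep a port-based fallback for older hosts. The task list this block belongs to starts before the hunk.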
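Review bot: `Check which pool IDs are already consumed` runs `subscription-manager list --pool-only --consumed` on every play, including when `rhn_pool_ids` is unset, and on a host that is not yet registered that command is likely to exit non-zero (TODO confirm for the subscription-manager build in use), which aborts the play before any subscribe task runs. Gating it with `when: rhn_pool_ids is defined` (or `failed_when: false` on the check) keeps the default path unaffected. Separately, the activation-key task reads `activationkey: "{{ rhn_activationkey }}"` while its guard is `when: rhn_activation_key is defined`, two different variable names, so the task is skipped when only `rhn_activationkey` is set or fails on an undefined variable when only `rhn_activation_key` is; this predates the commit but the hunk rewrites that task's `pool:` line, so it is worth fixing here.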
@@ -82,35 +88,52 @@ command: "subscription-manager repos \ --enable rhel-{{ ansible_distribution_major_version }}-server-rpms \ --enable rhel-server-rhscl-{{ ansible_distribution_major_version }}-rpms \ - --enable rhel-{{ ansible_distribution_major_version }}-server-satellite-6.1-rpms" + --enable rhel-{{ ansible_distribution_major_version }}-server-satellite-{{ satellite_version }}-rpms" ## Installs and activates time sync. This is required for Foreman to function - - include: timesync-6.yml - when: "{{ ansible_distribution_major_version }} == 6" + - include: timesync-{{ ansible_distribution_major_version }}.yml - - include: timesync-7.yml - when: "{{ ansible_distribution_major_version }} == 7" - ## Installs and configures firewall- comment out to leave firewall out - - include: firewall-6.yml - when: "{{ ansible_distribution_major_version }} == 6" + - include: firewall-{{ ansible_distribution_major_version }}.yml - - include: firewall-7.yml - when: "{{ ansible_distribution_major_version }} == 7" + - name: upgrade all the RPMs to their latest version (recommmended) + yum: name='*' state='latest' ## comment this line out to skip recommended but not required packages - include: recommended-packages.yml - - name: Install Katello - yum: name=katello state=installed + - name: Install Katello / Satellite + yum: name="{{ installer_package }}" state=installed - name: Copy answer file into place - copy: src=role-ansible-satellite6-answers.yaml dest=/etc/katello-installer/role-ansible-satellite6-answers.yaml + copy: + src: role-ansible-satellite-{{ satellite_version }}-answers.yaml + dest: "{{ installer_answer_file }}" register: copied_answer_file - - name: Enable answer file - lineinfile: "dest=/etc/katello-installer/katello-installer.yaml line=':answer_file: /etc/katello-installer/role-ansible-satellite6-answers.yaml'" + - block: + + - name: Enable answer file for Satellite 6.1- + lineinfile: + dest: "{{ installer_file }}" + line: ':answer_file: {{ installer_answer_file 
}}' + + - name: Run Katello installer for Satellite 6.1- + command: "{{ installer_script }}" + when: copied_answer_file.changed == true + + when: satellite_version < 6.2 + + - block: + + - name: Enable answer file for Satellite 6.2+ + lineinfile: + dest: "{{ installer_file }}" + line: ' :answer_file: {{ installer_answer_file }}' + regexp: '^ *:answer_file: ' + + - name: Run Satellite installer for Satellite 6.2+ + command: "{{ installer_script }} --scenario satellite" + when: copied_answer_file.changed == true - - name: Run katello installer - command: katello-installer - when: copied_answer_file.changed == true + when: satellite_version >= 6.2 diff --git a/tasks/recommended-packages.yml b/tasks/recommended-packages.yml index f8df05c..05b2258 100644 --- a/tasks/recommended-packages.yml +++ b/tasks/recommended-packages.yml @@ -2,3 +2,4 @@ yum: state=installed name={{ item }} with_items: - sos + - bash-completion diff --git a/vars/main.yml b/vars/main.yml index e69de29..2032689 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -0,0 +1,19 @@ +--- +installer_packages: + 6.1: katello + 6.2: satellite +installer_dirs: + 6.1: /etc/katello-installer + 6.2: /etc/foreman-installer/scenarios.d +installer_files: + 6.1: /etc/katello-installer/katello-installer.yaml + 6.2: /etc/foreman-installer/scenarios.d/satellite.yaml +installer_scripts: + 6.1: katello-installer + 6.2: satellite-installer +installer_package: "{{ installer_packages[satellite_version] }}" +installer_dir: "{{ installer_dirs[satellite_version] }}" +installer_file: "{{ installer_files[satellite_version] }}" +installer_script: "{{ installer_scripts[satellite_version] }}" +# Sounds like a defaults-var can't rely on a vars-var, hence defined here: +installer_answer_file: "{{ installer_dir }}/role-ansible-satellite6-answers.yaml"
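Review bot: `Enable answer file for Satellite 6.1-` writes `:answer_file: {{ installer_answer_file }}` with a plain `lineinfile` and no `regexp`, so if `{{ installer_file }}` already carries an `:answer_file:` key (the 6.2 branch evidently expects one, which is why it passes `regexp: '^ *:answer_file: '`) the line is appended as a duplicate key and which value wins is left to the installer's YAML parser. Adding `regexp: '^:answer_file: '` to the 6.1 task makes the two blocks behave the same way. Separately, `upgrade all the RPMs to their latest version` runs `yum: name='*' state='latest'` unconditionally on every play, which makes the resulting host hard to reproduce or audit; consider gating it behind a boolean such as `satellite_yum_upgrade` (constructed name) that defaults to the current behaviour. The task list continues above the hunk.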