Adding support of Satellite 6.2 (and some more improvements)

.gitignore

@@ -0,0 +1,3 @@
+*.swp
+*~
+*.retry

README.md

@@ -1,8 +1,6 @@
 Install and configure Satellite 6 on a RHEL 6 or 7 host. 
 
-This is based on the process outlined here: 
-
-https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html
+This is based on the process outlined in the [Red Hat Satellite 6 Installation Guide](https://access.redhat.com/documentation/en/red-hat-satellite/)
 
 =======
 Invoke the role using only one of the below three include statements, in order to pass in the data required to register the system with RHN: 
@@ -18,3 +16,59 @@ Invoke the role using only one of the below three include statements, in order t
     ##   This is needed when your version of Ansible uses buggy redhat_subscription module prior to PR 1204. Before that, redhat_subscription won't be able to find subs
     - { role: role-satellite6-server rhn_pool_ids: ["somelongpoolid", "someotherlongpoolid"] } 
 ```
+
+If you don't specify the variable `satellite_version` (6.1 or 6.2), then the latest version is assumed.
+
+## More complete (and complex) setup
+
+If you create an empty directory, where you create all the following files in a similar manner (search for `YOUR` to see where you all need to adapt:
+
+```
+$ head -n-0 ansible.cfg credentials.cfg inventory.cfg satellite6.yml roles/requirements.yml 
+==> ansible.cfg <==
+[defaults]
+roles_path = ./roles
+inventory = ./inventory.cfg
+
+==> credentials.cfg <==
+---
+rhn_user: YOUR_RHN_USER
+rhn_pass: YOUR_RHN_PASSWORD
+rhn_pool_pattern: '^$' # optional, the default pattern is IMHO too "greedy"
+rhn_pool_ids: # optional, necessary if you keep the empty pool pattern above
+  - 'abcdef01234567890abcdef123456789' # must contain Satellite subscription
+
+==> inventory.cfg <==
+[YOUR_GROUP_NAME]
+YOUR_SATELLITE_SERVER_FQDN
+
+[YOUR_GROUP_NAME:vars]
+satellite_version=6.2
+
+==> satellite6.yml <==
+- hosts: YOUR_GROUP_NAME
+  user: root
+  vars_files:
+    - credentials.cfg
+  roles:
+    - satellite6-server
+
+==> roles/requirements.yml <==
+---
+- src: https://github.com/YOUR_GITHUB_USER/role-satellite6-server
+  version: master
+  name: satellite6-server
+```
+
+Then you may run the following commands to install the role and configure your Satellite 6 server.
+
+```
+ansible-galaxy -v install --force -r roles/requirements.yml
+ansible-playbook satellite6.yml
+```
+
+The last command is assuming that you''ve already copied your SSH-key to the root user on your Satellite-server, and that the Satellite server has a basic RHEL 7 installation (RHEL 6 might work, hasn''t been tested).
+
+Once the installation is successful, you can point your browser to https://YOUR_SATELLITE_SERVER_FQDN/ and grab the admin user and password, `admin_username` and `admin_password` from the used answers file `{{ installer_answer_file }}`, as defined under `roles/satellite6-server/vars/main.yml`.
+
+Next steps would be to generate a manifest on your account at https://access.redhat.com/ and configure the Satellite server. Have fun!

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+satellite_version: 6.2
+# Sounds like a defaults-var can't rely on a vars-var, moved to vars/main.yml
+#installer_answer_file: "{{ installer_dir }}/role-ansible-satellite6-answers.yaml"

files/role-ansible-satellite-6.2-answers.yaml

@@ -0,0 +1,68 @@
+# Format:
+# <classname>: false - don't include this class
+# <classname>: true - include and use the defaults
+# <classname>:
+#   <param>: <value> - include and override the default(s)
+#
+# See params.pp in each class for what options are available
+# NOTE: answer file copied from version 6.2.7
+# /etc/foreman-installer/scenarios.d/satellite-answers.yaml
+# See https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide/#performing_initial_configuration_sat_server_answerfile
+
+--- 
+  certs: 
+    generate: true
+    deploy: true
+    group: foreman
+  katello: 
+    package_names: 
+      - katello
+      - tfm-rubygem-katello
+  foreman: 
+    organizations_enabled: true
+    locations_enabled: true
+    initial_organization: "Default Organization"
+    initial_location: "Default Location"
+    custom_repo: true
+    configure_epel_repo: false
+    configure_scl_repo: false
+    ssl: true
+    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
+    server_ssl_key: /etc/pki/katello/private/katello-apache.key
+    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
+    server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
+    server_ssl_crl: false
+    websockets_encrypt: true
+    websockets_ssl_key: /etc/pki/katello/private/katello-apache.key
+    websockets_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
+    passenger_ruby: /usr/bin/tfm-ruby
+    passenger_ruby_package: tfm-rubygem-passenger-native
+  capsule: 
+    pulp_master: true
+    puppet: true
+    templates: false
+  "foreman::plugin::tasks": true
+  "foreman::plugin::remote_execution": true
+  "foreman::plugin::openscap": true
+  "foreman_proxy::plugin::remote_execution::ssh": true
+  "foreman_proxy::plugin::openscap": true
+  foreman_proxy: 
+    custom_repo: true
+    http: true
+    ssl_port: "9090"
+    templates: false
+    tftp: false
+    ssl_ca: /etc/foreman-proxy/ssl_ca.pem
+    ssl_cert: /etc/foreman-proxy/ssl_cert.pem
+    ssl_key: /etc/foreman-proxy/ssl_key.pem
+    foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
+    foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
+    foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
+    puppetca: true
+    register_in_foreman: true
+  "foreman_proxy::plugin::pulp": 
+    enabled: true
+    pulpnode_enabled: false
+  "foreman::plugin::discovery": true
+  "foreman::plugin::bootdisk": false
+  "foreman_proxy::plugin::discovery": true

meta/main.yml

@@ -0,0 +1,2 @@
+---
+dependencies: []

tasks/firewall-6.yml

@@ -28,3 +28,23 @@
   - name: Enable Foreman via IPTables
     lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT"
     notify: restart iptables
+
+  - block:
+
+    - name: Enable AMQP/SSL-TLS (client to internal capsule) via IPTables
+      lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 5647 -j ACCEPT"
+      notify: restart iptables
+
+    - name: Enable AMQP/SSL-TLS (external capsule to satellite) via IPTables
+      lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 5646 -j ACCEPT"
+      notify: restart iptables
+
+    - name: Enable iPXE template retrieval via IPTables
+      lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT"
+      notify: restart iptables
+
+    - name: Enable client registration via IPTables
+      lineinfile: dest=/etc/sysconfig/iptables state=present line="-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT"
+      notify: restart iptables
+
+    when: satellite_version >= 6.2

tasks/firewall-7.yml

@@ -5,26 +5,48 @@
   - name: Run firewalld now and at boot
     service: name=firewalld state=started enabled=true
 
-  - name: Enable HTTPS via firewalld
-    firewalld: service=https permanent=true state=enabled
-    notify: restart firewalld
+  - block:
 
-  - name: Enable HTTP via firewalld
-    firewalld: service=http permanent=true state=enabled
-    notify: restart firewalld
+    - name: Enable HTTPS via firewalld
+      firewalld: service=https permanent=true state=enabled
+      notify: restart firewalld
 
-  - name: Enable Satellite SSL communication via firewalld
-    firewalld: port=5671/tcp permanent=true state=enabled
-    notify: restart firewalld
+    - name: Enable HTTP via firewalld
+      firewalld: service=http permanent=true state=enabled
+      notify: restart firewalld
 
-  - name: Enable Tomcat via firewalld
-    firewalld: port=8080/tcp permanent=true state=enabled
-    notify: restart firewalld
+    - name: Enable Satellite SSL communication via firewalld
+      firewalld: port=5671/tcp permanent=true state=enabled
+      notify: restart firewalld
 
-  - name: Enable Puppet via firewalld
-    firewalld: port=8140/tcp permanent=true state=enabled
-    notify: restart firewalld
+    - name: Enable Tomcat via firewalld
+      firewalld: port=8080/tcp permanent=true state=enabled
+      notify: restart firewalld
 
-  - name: Enable Foreman via firewalld
-    firewalld: port=9090/tcp permanent=true state=enabled
-    notify: restart firewalld
+    - name: Enable Puppet via firewalld
+      firewalld: port=8140/tcp permanent=true state=enabled
+      notify: restart firewalld
+
+    - name: Enable Foreman via firewalld
+      firewalld: port=9090/tcp permanent=true state=enabled
+      notify: restart firewalld
+
+    when: satellite_version < 6.2
+
+  - block:
+
+    # starting with RHEL 7.2 (at least) covers the services:
+    # tcp/80 tcp/443 tcp/5646-5647 tcp/5671 tcp/8140 tcp/8080 tcp/9090
+    - name: Enable Satellite 6 service via firewalld
+      firewalld: service=RH-Satellite-6 permanent=true state=enabled
+      notify: restart firewalld
+
+    - name: Enable iPXE template retrieval via firewalld
+      firewalld: port=8000/tcp permanent=true state=enabled
+      notify: restart firewalld
+
+    - name: Enable client registration via firewalld
+      firewalld: port=8443/tcp permanent=true state=enabled
+      notify: restart firewalld
+
+    when: satellite_version >= 6.2

tasks/main.yml

@@ -42,7 +42,7 @@
     command: "ping -c1 localhost"
     changed_when: False
 
-  - name: Confirm DNS resoultion for short domain name of this host
+  - name: Confirm DNS resolution for short domain name of this host
     shell: "ping -c1 $(hostname -s)"
     changed_when: False
 
@@ -58,19 +58,25 @@
       state: present 
       username: "{{ rhn_user }}"
       password: "{{ rhn_pass }}"
-      pool: ".*Red Hat (Enterprise Linux|Satellite).*"
+      pool: "{{ rhn_pool_pattern | default('.*Red Hat (Enterprise Linux|Satellite).*') }}"
     when: rhn_user is defined and rhn_pass is defined
 
   - name: Enable RHEL subscription via activation key
     redhat_subscription: 
       state: present 
       activationkey: "{{ rhn_activationkey }}"
-      pool: ".*Red Hat (Enterprise Linux|Satellite).*"
+      pool: "{{ rhn_pool_pattern | default('.*Red Hat (Enterprise Linux|Satellite).*') }}"
     when: rhn_activation_key is defined
 
+  - name: Check which pool IDs are already consumed
+    command: subscription-manager list --pool-only --consumed
+    register: consumed_pool_ids
+    changed_when: false
+
   - name: Add subs by pool id if your version of Ansible has a buggy redhat_subscription module
     command: "subscription-manager subscribe --pool={{ item }}"
     with_items: "{{ rhn_pool_ids | default([])}}"
+    when: item not in consumed_pool_ids.stdout_lines
 
   ## FIXME: these two tasks together shouldn't change the end-state, but neither is idempotent
   - name: Reset enabled yum/rhn distros
@@ -82,35 +88,52 @@
     command: "subscription-manager repos \
       --enable rhel-{{ ansible_distribution_major_version }}-server-rpms \
       --enable rhel-server-rhscl-{{ ansible_distribution_major_version }}-rpms \
-      --enable rhel-{{ ansible_distribution_major_version }}-server-satellite-6.1-rpms"
+      --enable rhel-{{ ansible_distribution_major_version }}-server-satellite-{{ satellite_version }}-rpms"
 
   ## Installs and activates time sync. This is required for Foreman to function
-  - include: timesync-6.yml
-    when: "{{ ansible_distribution_major_version }} == 6"
+  - include: timesync-{{ ansible_distribution_major_version }}.yml
 
-  - include: timesync-7.yml
-    when: "{{ ansible_distribution_major_version }} == 7"
-
   ## Installs and configures firewall- comment out to leave firewall out
-  - include: firewall-6.yml
-    when: "{{ ansible_distribution_major_version }} == 6"
+  - include: firewall-{{ ansible_distribution_major_version }}.yml
 
-  - include: firewall-7.yml
-    when: "{{ ansible_distribution_major_version }} == 7"
+  - name: upgrade all the RPMs to their latest version (recommmended)
+    yum: name='*' state='latest'
 
   ## comment this line out to skip recommended but not required packages
   - include: recommended-packages.yml
 
-  - name: Install Katello
-    yum: name=katello state=installed
+  - name: Install Katello / Satellite
+    yum: name="{{ installer_package }}" state=installed
 
   - name: Copy answer file into place
-    copy: src=role-ansible-satellite6-answers.yaml dest=/etc/katello-installer/role-ansible-satellite6-answers.yaml
+    copy:
+      src: role-ansible-satellite-{{ satellite_version }}-answers.yaml
+      dest: "{{ installer_answer_file }}"
     register: copied_answer_file
 
-  - name: Enable answer file
-    lineinfile: "dest=/etc/katello-installer/katello-installer.yaml line=':answer_file: /etc/katello-installer/role-ansible-satellite6-answers.yaml'"
+  - block:
+
+    - name: Enable answer file for Satellite 6.1-
+      lineinfile:
+        dest: "{{ installer_file }}"
+        line: ':answer_file: {{ installer_answer_file }}'
+
+    - name: Run Katello installer for Satellite 6.1-
+      command: "{{ installer_script }}"
+      when: copied_answer_file.changed == true
+
+    when: satellite_version < 6.2
+
+  - block:
+
+    - name: Enable answer file for Satellite 6.2+
+      lineinfile:
+        dest: "{{ installer_file }}"
+        line: '  :answer_file: {{ installer_answer_file }}'
+        regexp: '^ *:answer_file: '
+
+    - name: Run Satellite installer for Satellite 6.2+
+      command: "{{ installer_script }} --scenario satellite"
+      when: copied_answer_file.changed == true
 
-  - name: Run katello installer
-    command: katello-installer 
-    when: copied_answer_file.changed == true
+    when: satellite_version >= 6.2

tasks/recommended-packages.yml

@@ -2,3 +2,4 @@
     yum: state=installed name={{ item }}
     with_items:
       - sos
+      - bash-completion

vars/main.yml

@@ -0,0 +1,19 @@
+---
+installer_packages:
+  6.1: katello
+  6.2: satellite
+installer_dirs:
+  6.1: /etc/katello-installer
+  6.2: /etc/foreman-installer/scenarios.d
+installer_files:
+  6.1: /etc/katello-installer/katello-installer.yaml
+  6.2: /etc/foreman-installer/scenarios.d/satellite.yaml
+installer_scripts:
+  6.1: katello-installer
+  6.2: satellite-installer
+installer_package: "{{ installer_packages[satellite_version] }}"
+installer_dir: "{{ installer_dirs[satellite_version] }}"
+installer_file: "{{ installer_files[satellite_version] }}"
+installer_script: "{{ installer_scripts[satellite_version] }}"
+# Sounds like a defaults-var can't rely on a vars-var, hence defined here:
+installer_answer_file: "{{ installer_dir }}/role-ansible-satellite6-answers.yaml"