Containerized Uyuni Proxy Setup
Once the container host for the Uyuni Proxy containers is prepared, setting up the containers requires a few additional steps to finish the configuration.
- Generate the Uyuni Proxy configuration archive file
- Transfer the configuration archive to the container host prepared in the installation step and extract it
- Start the proxy services with mgrpxy
1. Generate Proxy Configuration
The configuration archive of the Uyuni Proxy is generated by the Uyuni Server. Each additional Proxy requires its own configuration archive.
For the containerized Uyuni Proxy, you must build a new proxy configuration file and then redeploy the container for the changes to take effect. This is the process for updating settings, including the SSL certificate.
For Podman deployment, the container host for the Uyuni Proxy must be registered as a client to the Uyuni Server prior to generating this proxy configuration.
If a proxy FQDN that is not a registered client is used to generate a proxy container configuration (as in the Kubernetes use case), a new system entry will appear in the system list.
This new entry will be shown under the previously entered Proxy FQDN value and will be of the Foreign system type.
Peripheral servers always use third-party SSL certificates. If the hub server has generated the certificates for the peripheral server, it needs to generate the certificate of each proxy too. On the hub server, run the following command.
The files to use will be
1.1. Generate the Proxy Configuration with Web UI
In the Web UI, navigate to and fill the required data:
- In the Proxy FQDN field, type the fully qualified domain name for the proxy.
- In the Parent FQDN field, type the fully qualified domain name for the Uyuni Server or another Uyuni Proxy.
- In the Proxy SSH port field, type the SSH port on which the SSH service is listening on the Uyuni Proxy. Keeping the default, 8022, is recommended.
- In the Max Squid cache size [MB] field, type the maximum allowed size for the Squid cache. Using at most 80% of the storage available for the containers is recommended.
  2 GB is the default proxy Squid cache size. This will need to be adjusted for your environment.
- In the SSL certificate selection list, choose whether a new server certificate should be generated for the Uyuni Proxy or an existing one should be used. You can consider generated certificates as Uyuni built-in (self-signed) certificates.
  Depending on the choice, provide either the path to the signing CA certificate to generate a new certificate, or the path to an existing certificate and its key to be used as the proxy certificate.
  The CA certificates generated by the server are stored in the /var/lib/containers/storage/volumes/root/_data/ssl-build directory.
  For more information about existing or custom certificates and the concept of corporate and intermediate certificates, see Import SSL Certificates.
- Click Generate to register a new proxy FQDN in the Uyuni Server and generate a configuration archive (config.tar.gz) containing details for the container host.
- After a few moments you are presented with a file to download. Save this file locally.
1.2. Generate Proxy Configuration With spacecmd and Self-Signed Certificate
You can generate a Proxy configuration using spacecmd.
SSH into your container host.
Execute the following command replacing the Server and Proxy FQDN:
mgrctl exec -ti 'spacecmd proxy_container_config_generate_cert -- dev-pxy.example.com dev-srv.example.com 2048 email@example.com -o /tmp/config.tar.gz'
Copy the generated configuration from the server container:
mgrctl cp server:/tmp/config.tar.gz .
1.3. Generate Proxy Configuration With spacecmd and Custom Certificate
You can generate a Proxy configuration using spacecmd for custom certificates rather than the default self-signed certificates.
SSH into your Server container host.
Execute the following commands, replacing the Server and Proxy FQDN:
for f in ca.crt proxy.crt proxy.key; do
  mgrctl cp $f server:/tmp/$f
done
mgrctl exec -ti 'spacecmd proxy_container_config -- -p 8022 pxy.example.com srv.example.com 2048 email@example.com /tmp/ca.crt /tmp/proxy.crt /tmp/proxy.key -o /tmp/config.tar.gz'
If your setup uses an intermediate CA, copy it as well and include it in the command with the -i option (can be provided multiple times if needed):
mgrctl cp intermediateCA.pem server:/tmp/intermediateCA.pem
mgrctl exec -ti 'spacecmd proxy_container_config -- -p 8022 -i /tmp/intermediateCA.pem pxy.example.com srv.example.com 2048 email@example.com /tmp/ca.crt /tmp/proxy.crt /tmp/proxy.key -o /tmp/config.tar.gz'
Copy the generated configuration from the server container:
mgrctl cp server:/tmp/config.tar.gz .
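Because a changed certificate only takes effect after a new configuration is built and the container redeployed, it is worth checking the custom certificate files before copying them into the server container. The following is an added example, not part of the Uyuni documentation or tooling: check_proxy_cert is a hypothetical helper name, and it assumes the openssl command-line tool (1.1.1 or later) is installed where the files are kept.

```shell
#!/bin/sh
# Added example, not part of Uyuni: check_proxy_cert is a hypothetical helper.
# Assumes the openssl CLI (1.1.1 or later) is installed.
# Usage: check_proxy_cert PROXY_FQDN CA_CERT PROXY_CERT PROXY_KEY [INTERMEDIATE_CA...]
# Prints one line per failed check; returns 0 only if every check passes.
check_proxy_cert() {
    fqdn=$1 ca=$2 cert=$3 key=$4
    shift 4
    rc=0

    # 1. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"
        rc=1
    fi

    # 2. The certificate must chain to the root CA. Intermediates (the files
    #    that would be passed with -i) are bundled as untrusted helper certs.
    chain=$(mktemp)
    cat /dev/null "$@" > "$chain"
    if [ -s "$chain" ]; then set -- -untrusted "$chain"; else set --; fi
    if ! openssl verify -CAfile "$ca" "$@" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"
        rc=1
    fi
    rm -f "$chain"

    # 3. The certificate must be valid for the proxy FQDN that clients use.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $fqdn"
        rc=1
    fi
    return $rc
}

# Example call with the file names used in the commands above:
#   check_proxy_cert pxy.example.com ca.crt proxy.crt proxy.key intermediateCA.pem
```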
2. Transfer Uyuni Proxy Configuration
Both the spacecmd command and the Web UI create a configuration archive.
This archive needs to be made available on the container host.
Transfer the generated archive to the container host.
3. Start Uyuni Proxy Containers
The containers can be started with the mgrpxy command.
- Run the command:
  mgrpxy start uyuni-proxy-pod
- Check that all containers started up as expected by calling:
  podman ps
Five Uyuni Proxy containers should be present and should be part of the proxy-pod container pod.
- proxy-salt-broker
- proxy-httpd
- proxy-tftpd
- proxy-squid
- proxy-ssh
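The check described above can be scripted so that a container that is absent, stopped, or attached to a different pod is reported by name. This is an added example, not part of Uyuni: check_proxy_pod is a hypothetical helper, the container and pod names are taken from the list on this page, and the three-column podman format string is an assumption about how the output is requested.

```shell
#!/bin/sh
# Added example, not part of Uyuni: check_proxy_pod is a hypothetical helper.
# Names below come from the list on this page; adjust if your host differs.
EXPECTED="proxy-salt-broker proxy-httpd proxy-tftpd proxy-squid proxy-ssh"
POD="proxy-pod"

# Constructed sample of the assumed input format, one container per line:
#   podman ps -a --format '{{.Names}} {{.PodName}} {{.State}}'
SAMPLE='proxy-pod-infra proxy-pod running
proxy-salt-broker proxy-pod running
proxy-httpd proxy-pod running
proxy-squid proxy-pod exited
proxy-ssh proxy-pod running'

# Reads "name pod state" lines on stdin. Prints one line per expected
# container that is missing, in another pod, or not running.
# Returns 0 only when all five are running inside the expected pod.
check_proxy_pod() {
    awk -v expected="$EXPECTED" -v pod="$POD" '
        { podof[$1] = $2; state[$1] = $3 }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in state))              { print c ": not found"; bad = 1 }
                else if (podof[c] != pod)       { print c ": in pod " podof[c]; bad = 1 }
                else if (state[c] != "running") { print c ": " state[c]; bad = 1 }
            }
            exit bad + 0
        }'
}

# On the container host:
#   podman ps -a --format '{{.Names}} {{.PodName}} {{.State}}' | check_proxy_pod
# With the constructed sample:
#   printf '%s\n' "$SAMPLE" | check_proxy_pod
```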