Registering Red Hat Enterprise Linux Clients with RHUI

If you are running Red Hat Enterprise Linux clients directly, rather than using SUSE Linux Enterprise Server with Expanded Support, you need to use Red Hat sources to retrieve and update packages. This section contains information about using Red Hat update infrastructure (RHUI) to register traditional and Salt clients running Red Hat Enterprise Linux operating systems. If you are running your clients in a public cloud, such as Amazon EC2, use this method.

It is possible to use RHUI in conjunction with the Red Hat content delivery network (CDN) to manage your Red Hat Enterprise Linux subscriptions. For information about using Red Hat CDN, see Registering Red Hat Enterprise Linux Clients with CDN.

Red Hat Enterprise Linux clients are based on Red Hat and are unrelated to SUSE Linux Enterprise Server with Expanded Support, RES, or SUSE Linux Enterprise Server. You are responsible for connecting Uyuni Server to the Red Hat update infrastructure. All clients that get updates using this RHUI certificate need to be correctly licensed, please check with your cloud provider and the Red Hat terms of service for more information.

When Red Hat Enterprise Linux clients registered with RHUI are switched off, Red Hat might declare the certificate invalid. In this case, you need to turn the client on again, or get a new RHUI certificate.

Traditional clients are available on Red Hat Enterprise Linux 6 and 7 only. Red Hat Enterprise Linux 8 clients are supported as Salt clients.

Import Entitlements and Certificates

Red Hat clients require a Red Hat certificate authority (CA) and entitlement certificate, and an entitlement key.

Red Hat clients use a URL to replicate repositories. The URL will change depending on where the Red Hat client is registered.

Red Hat clients can be registered in three different ways:

  • Red Hat content delivery network (CDN) at redhat.com

  • Red Hat Satellite Server

  • Red Hat update infrastructure (RHUI) in the cloud

This guide covers clients registered to Red Hat update infrastructure (RHUI). You must have at least one system registered to RHUI, with an authorized subscription for repository content.

For information about using Red Hat content delivery network (CDN) instead, see Registering Red Hat Enterprise Linux Clients with CDN.

Satellite certificates for client systems require a Satellite server and subscription. Clients using Satellite certificates are not supported with Uyuni Server.

The entitlement certificates and keys need to be copied from the client system to a location that the Uyuni Server can access.

Your entitlement certificate and the Red Hat CA Certificate file have file extensions of .crt. The key has a file extension of .key.

Procedure: Copying Certificates to the Server
  1. Copy your entitlement certificate and key from the client system, to a location that the Uyuni Server can access:

    cp /etc/pki/rhui/product/content-<version>.crt /<example>/entitlement/
    cp /etc/pki/rhui/content-<version>.key /<example>/entitlement/
  2. Copy the Red Hat CA Certificate file from the client system, to the same location as the entitlement certificate and key:

    cp /etc/pki/rhui/cdn.redhat.com-chain.crt /<example>/entitlement

To manage repositories on your Red Hat client, you need to import the CA and entitlement certificates to the Uyuni Server. This requires that you perform the import procedure three times, to create three entries: one each for the entitlement certificate, the entitlement key, and the Red Hat certificate.

Procedure: Importing Certificates to the Server
  1. On the Uyuni Server Web UI, navigate to Systems  Autoinstallation  GPG and SSL Keys.

  2. Click Create Stored Key/Cert and set these parameters for the entitlement certificate:

    • In the Description field, type Entitlement-Cert-Date.

    • In the Type field, select SSL.

    • In the Select file to upload field, browse to the location where you saved the entitlement certificate, and select the .crt certificate file.

  3. Click Create Key.

  4. Click Create Stored Key/Cert and set these parameters for the entitlement key:

    • In the Description field, type Entitlement-Key-Date.

    • In the Type field, select SSL.

    • In the Select file to upload field, browse to the location where you saved the entitlement key, and select the .key key file.

  5. Click Create Key.

  6. Click Create Stored Key/Cert and set these parameters for the Red Hat certificate:

    • In the Description field, type redhat-cert.

    • In the Type field, select SSL.

    • In the Select file to upload field, browse to the location where you saved the Red Hat certificate, and select the certificate file.

  7. Click Create Key.

Prepare Custom Repositories and Channels

To mirror the software from RHUI, you need to create custom channels and repositories in Uyuni that are linked to RHUI by a URL. You must have entitlements to these products in your Red Hat Portal for this to work correctly. You can use the yum utility to get the URLs of the repositories you want to mirror:

yum repolist -v | grep baseurl

You can use these repository URLs to create custom repositories. This allows you to mirror only the content you need to manage your clients.

You can only create custom versions of Red Hat repositories if you have the correct entitlements in your Red Hat Portal.

The details you need for this procedure are:

Table 1. Red Hat Custom Repository Settings
Option Setting

Repository URL

The content URL provided by RHUI

Has Signed Metadata?

Uncheck all Red Hat Enterprise repositories

SSL CA Certificate

redhat-cert

SSL Client Certificate

Entitlement-Cert-Date

SSL Client Key

Entitlement-Key-Date

Procedure: Creating Custom Repositories
  1. On the Uyuni Server Web UI, navigate to Software  Manage  Repositories.

  2. Click Create Repository and set the appropriate parameters for the main repository.

  3. Click Create Repository.

  4. Repeat for all repositories you need to create.

The channels you need for this procedure are:

Table 2. Red Hat Custom Channels
OS Version Base Product Base Channel

Red Hat 6

RHEL6-Pool for x86_64

rhel6-pool-x86_64

Red Hat 7

RHEL7-Pool for x86_64

rhel7-pool-x86_64

Red Hat 8

RHEL8-Pool for x86_64

rhel8-pool-x86_64

When you have created the repositories, you can create the custom channels, one for each repository:

Procedure: Creating Custom Channels
  1. On the Uyuni Server Web UI, navigate to Software  Manage  Channels.

  2. Click Create Channel and set the appropriate parameters for the channels.

  3. In the Parent Channel field, select the appropriate base channel.

  4. Click Create Channel.

  5. Repeat for all channels you need to create. There should be one custom channel for each custom repository.

You can check that you have created all the appropriate channels and repositories, by navigating to Software  Channel List  All.

For Red Hat 8 clients, add both the Base and Appstream channels. You will require packages from both channels. If you do not add both channels, you will not be able to create the bootstrap repository, due to missing packages.

When you have created all the channels, you can associate them with the repositories you created:

Procedure: Associating Channels with Repositories
  1. On the Uyuni Server Web UI, navigate to Software  Manage  Channels, and click the channel to associate.

  2. Navigate to the Repositories tab, and check the repository to associate with this channel.

  3. Click Update Repositories to associate the channel and the repository.

  4. Repeat for all channels and repositories you need to associate.

  5. OPTIONAL: Navigate to the Sync tab to set a recurring schedule for synchronization of this repository.

  6. Click Sync Now to begin synchronization immediately.

Add Software Channels

Before you register Red Hat clients to your Uyuni Server, check that you have the Red Hat product enabled, and the required channels are fully synchronized.

The channels you need for this procedure are:

Table 3. Red Hat Channels - CLI
OS Version Base Channel Client Channel Tools Channel

Red Hat 6

rhel-x86_64-server-6

-

res6-suse-manager-tools-x86_64

Red Hat 7

rhel-x86_64-server-7

-

res7-suse-manager-tools-x86_64

Red Hat 8

rhel-x86_64-server-8

-

res8-suse-manager-tools-x86_64

Procedure: Adding Software Channels at the Command Prompt
  1. At the command prompt on the Uyuni Server, as root, use the spacewalk-common-channels command to add the appropriate channels:

    spacewalk-common-channels \
    <base_channel_name> \
    <child_channel_name_1> \
    <child_channel_name_2> \
    ... <child_channel_name_n>

The client tools channel provided by spacewalk-common-channels is sourced from Uyuni and not from SUSE.

To use RHUI, you need to manually add the required HTTP headers to the configuration file. Without them, you cannot successfully perform a client synchronization.

Procedure: Adding HTTP Headers to the Configuration File
  1. Locate the X-RHUI-ID and X-RHUI-SIGNATURE HTTP headers from your RHUI instance. You can use these commands on the Red Hat client to get the values from the cloud instance metadata API at 169.254.169.254:

    echo "X-RHUI-ID=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document|base64|tr -d '\n')"
    echo "X-RHUI-SIGNATURE=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature|base64|tr -d '\n')"
  2. Open the /etc/rhn/spacewalk-repo-sync/extra_headers.conf configuration file, and add or edit these lines with the correct information:

    [channel_label]
    X-RHUI-ID=value
    X-RHUI-SIGNATURE=value

Check Synchronization Status

Procedure: Checking Synchronization Progress
  1. In the Uyuni Web UI, navigate to Software  Manage  Channels, then click the channel associated to the repository.

  2. Navigate to the Repositories tab, then click Sync and check Sync Status.

Procedure: Checking Synchronization Progress from the Command Prompt
  1. At the command prompt on the Uyuni Server, as root, use the tail command to check the synchronization log file:

    tail -f /var/log/rhn/reposync/<channel-label>.log
  2. Each child channel generates its own log during the synchronization progress. You will need to check all the base and child channel log files to be sure that the synchronization is complete.

Red Hat Enterprise Linux channels can be very large. Synchronization can sometimes take several hours.

Trust GPG Keys on Clients

By default, some operating systems do not trust the GPG key for the Uyuni client tools. The clients can be successfully bootstrapped without the GPG key being trusted. However, you will not be able to install new client tool packages or update them until the keys are trusted.

Procedure: Trusting GPG Keys on Clients
  1. On the Uyuni Server, at the command prompt, check the contents of the /srv/www/htdocs/pub/ directory. This directory contains all available public keys. Take a note of the key that applies to the client you are registering.

  2. Open the relevant bootstrap script, locate the ORG_GPG_KEY= parameter and add the required key. For example:

    uyuni-gpg-pubkey-0d20833e.key

    You do not need to delete any previously stored keys.

  3. If you are bootstrapping clients from the Uyuni Web UI, you will need to use a Salt state to trust the key. Create the Salt state and assign it to the organization. You can then use an activation key and configuration channels to deploy the key to the clients.

Register Clients

To register your Red Hat clients, you need a bootstrap repository. By default, bootstrap repositories are automatically created, and regenerated daily for all synchronized products. You can manually create the bootstrap repository from the command prompt, using this command:

mgr-create-bootstrap-repo --with-custom-channels

For more information on registering your clients, see Client Registration Overview.

To register and use Red Hat Enterprise Linux 6 clients, you need to configure the Uyuni Server to support older types of SSL encryption. For more information, see Registering Older Clients at Troubleshooting Clients.

Package Management and Red Hat Enterprise Linux 8 Clients

If you are using Red Hat Enterprise Linux 8 clients, you cannot perform package operations such as installing or upgrading directly from modular repositories like the Red Hat Enterprise Linux Appstream repository. You can use the Appstream filter with content lifecycle management to transform modular repositories into regular repositories.

For more information about content lifecycle management, see Content Lifecycle Management.