Install and configure Satellite 6.1.x on Red Hat Enterprise Linux 6.x and 7.x. This collection can also be used to set up Satellite on AWS.
Fundamental steps are based on the process outlined at the Satellite 6.1 Installation Guide on the Red Hat Customer Portal.
At the last revision of this document, the current stable version of Satellite is 6.1.8.
Reference standup.yml, which is the installation playbook, to see an example of how the playbooks may be structured, or take a look at any of the listed playbooks below.
The following roles are called by several playbooks to orchestrate tasks on the Satellite server. Please review the playbooks to see how these come together to work.
- satellite-auth
- satellite-content
- satellite-install
- satellite-maintenance
- satellite-route53
- satellite-selfsubscribe
- satellite-setup
- satellite-upgrade
These playbooks are executed by Ansible Core or Ansible Tower.
- ec2_content_hosts_cleanup.yml
- ec2_content_hosts_report.yml
- customer_portal_api_test.yml
- maintenance.yml
- refresh_ldap_groups.yml
- refresh_s3_rpms.yml
- self-subscribe.yml
- standup.yml
- upgrade.yml
These scripts are written to aid in refreshing subscriptions on all the hosts, based on the .csv file that is generated by ec2_content_hosts_report.yml. These are only for emergencies, when the Satellite server is scheduled to be rebuilt. These depend on the .csv list of the systems generated by that playbook, so in the case of rebuilding Satellite, run that playbook first to make sure you have that file to reference. Usage of these scripts assumes that you have access to the SSH keys for your AWS instances, and that they are placed in your ${HOME}/.ssh/ directory.
The satellite-auth role sets up the Satellite Server with authenticated local users, or ties it into a central LDAP server for authentication.
Invoke the role in the following way. Please note the configuration values specified in roles/satellite-auth/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-auth | Define users and assign them roles
    - role: satellite-auth
      # local_users: yes
      # ldap_users: yes
      # ldap_refresh: yes
```
The satellite-content role creates lifecycle environments on the Satellite Server, creates content views and filters them, then sets up activation keys pointing to each, and a release version with which to activate RHEL systems.
Invoke the role in the following way. Please note the configuration values specified in roles/satellite-content/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-content
```
The satellite-install role installs Satellite to a RHEL host.
Invoke the role in the following way. Please note the configuration values specified in roles/satellite-install/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-install | Install Satellite 6 to a host
    - role: satellite-install
```
The satellite-maintenance role covers several items with regard to maintaining the security of the Satellite server, such as SSL configuration. It also provides orchestration of rpm content to the Satellite server, so that it can be made available to hosts on a regular basis. It leverages some variables from the satellite-content role as well.
Invoke the role in the following way. Please note the configuration values specified in satellite-maintenance/vars/main.yml, satellite-content/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  gather_facts: yes
  roles:
    # satellite-maintenance | Apply maintenance or tweaks
    - role: satellite-maintenance
      security_tweaks: yes
      # upload_rpms: no
      # autoupdate_content_views: no
      # promote_content_views_to_prod: no
```
The satellite-route53 role adds an entry into Amazon Route53 DNS for the Satellite server.
Invoke the role in the following way. Please note the configuration values specified in all.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-route53
      # Won't register in DNS if you don't set this to true
      register_route53: True
```
The satellite-selfsubscribe role subscribes the Satellite server to itself. It pauses for a period to allow someone to update the Satellite server manifest at the Red Hat Customer Portal > Subscription Management > Subscription Management Applications > Satellite, and will then continue to set Satellite up to receive content filtered in the same way as other systems.
Invoke the role in the following way. Please note the configuration values specified in roles/satellite-selfsubscribe/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    # satellite-selfsubscribe | Subscribe the server to itself
    - role: satellite-selfsubscribe
```
Before using the satellite-setup role, you must create a manifest at the Red Hat Customer Portal > Subscription Management > Subscription Management Applications > Satellite and add it to the role in the files folder.
Note: A manifest can be created and included as part of this playbook. It can be overwritten, and/or refreshed from Satellite after it has been imported. It will then pull the up-to-date subscription information from Red Hat. The manifest should be in roles/satellite-setup/files/manifest.zip.
This role ties the Satellite server to Red Hat using the manifest mentioned above, activates products and repositories, and also brings in Docker images from the Red Hat Registry, along with 3rd party and custom repositories for your own generated RPM content.
Invoke the role in the following way. Please note the configuration values specified in roles/satellite-setup/vars/main.yml, all.yml and secrets.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  vars_files:
    - group_vars/all.yml
    - group_vars/secrets.yml
  gather_facts: yes
  roles:
    - role: satellite-setup
```
The satellite-upgrade role performs an in-place upgrade of Satellite 6.1 to the current 6.1.x release.
Invoke the role in the following way. Please note the configuration values specified in all.yml.
```yaml
---
- hosts: satellite6-server-prod
  become: yes
  gather_facts: yes
  roles:
    # satellite-upgrade | Perform Satellite Upgrade
    - role: satellite-upgrade
      slack_upgrade_notify: yes
```
ec2_content_hosts_cleanup.yml is an Ansible Tower scheduled job that removes systems that are registered in Satellite if they are not present in EC2 inventory.
Inline tasks. No roles invoked.
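
The reconciliation this cleanup job performs can be previewed as a dry run before anything is removed. The following is an added example, not the playbook's own tasks: it assumes the Satellite and EC2 host lists have each been exported to a plain-text file with one hostname per line, and the function names and the 25% removal ceiling are hypothetical. It refuses to produce a removal list when the EC2 inventory is empty, which is what a failed AWS query looks like.

```shell
# Added example (not from the playbook). Inputs: two text files,
# one hostname per line (assumed export format).

# normalize FILE: strip CRs and surrounding whitespace, lower-case,
# drop blank lines, sort unique so comm(1) can compare the lists.
normalize() {
    tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | LC_ALL=C sort -u
}

# stale_hosts SATELLITE_LIST EC2_LIST [MAX_PERCENT]
# Prints hosts registered in Satellite but absent from EC2.
# Exit 2: EC2 list empty. Exit 3: more than MAX_PERCENT of the
# Satellite hosts would be removed (default 25, a hypothetical ceiling).
stale_hosts() (
    max_pct=${3:-25}
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    normalize "$1" > "$tmp/sat"
    normalize "$2" > "$tmp/ec2"
    if [ ! -s "$tmp/ec2" ]; then
        echo "refusing: EC2 inventory is empty (failed query?)" >&2
        exit 2
    fi
    # Lines only in the Satellite list are the removal candidates.
    LC_ALL=C comm -23 "$tmp/sat" "$tmp/ec2" > "$tmp/stale"
    sat_n=$(wc -l < "$tmp/sat")
    stale_n=$(wc -l < "$tmp/stale")
    if [ $(( stale_n * 100 )) -gt $(( sat_n * max_pct )) ]; then
        echo "refusing: $stale_n of $sat_n hosts would be removed" >&2
        exit 3
    fi
    cat "$tmp/stale"
)
```
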
ec2_content_hosts_report.yml queries the Satellite API and AWS CLI, then generates a .csv file with details about hosts that are subscribed to Satellite, pulling in security key and other information from EC2. This is needed to resubscribe servers in a scripted fashion.
Inline tasks. No roles invoked.
customer_portal_api_test.yml is an initial test of pulling entitlement information from the Red Hat Customer Portal via the Candlepin API.
Inline tasks. No roles invoked.
maintenance.yml is called ad hoc to perform post-installation tasks. It can update the custom RPMs uploaded from S3, update the content views with the most current packages, promote those to production, and also apply OpenSSL security tweaks to Apache.
Roles Invoked | Extra Vars |
---|---|
satellite-maintenance | upload_rpms (boolean), autoupdate_content_views (boolean), promote_content_views_to_prod (boolean), security_tweaks (boolean), slack_pubpromo_notify (boolean), restart_services (boolean) |
refresh_ldap_groups.yml is an Ansible Tower scheduled job that refreshes the groups internal to Satellite with information from their counterparts in Active Directory, then assigns roles and users as needed.
Roles Invoked | Extra Vars |
---|---|
satellite-auth | ldap_refresh (boolean) |
refresh_s3_rpms.yml is an Ansible Tower scheduled job that downloads RPMs from the bucket specified in the configuration variables, then uploads them to custom repositories in Satellite if they have changed.
Roles Invoked | Extra Vars |
---|---|
satellite-maintenance | upload_rpms (boolean) |
self-subscribe.yml subscribes the Satellite server to itself, to take advantage of the ability to release updates on a cycle with the rest of the systems. It requires some manual interaction with the Red Hat Customer Portal. Afterwards, it runs the ansible-common playbook against Satellite.
Roles Invoked | Extra Vars |
---|---|
satellite-selfsubscribe | n/a |
satellite-common (ansible-common) | yum_update (boolean) |
standup.yml spins up an AWS instance, installs Satellite, brings in entitlements and content, and then makes it available for consumption by systems.
Roles Invoked | Extra Vars |
---|---|
satellite-install | n/a |
satellite-setup | n/a |
satellite-route53 | n/a |
satellite-auth | local_users (boolean), ldap_users (boolean) |
satellite-content | n/a |
satellite-maintenance | security_tweaks (boolean) |
upgrade.yml performs an in-place upgrade of the Satellite server.
Roles Invoked | Extra Vars |
---|---|
satellite-upgrade | slack_upgrade_notify (boolean) |
satellite-maintenance | security_tweaks (boolean) |
Refresh subscriptions on all content hosts, iterating on an exported .csv file
Usage: # ./bash-refresh_subscriptions.sh ${pathToContentHostCSV}
Unsubscribe and resubscribe all content hosts, iterating on an exported .csv file
Usage: # ./bash-recreate_subscriptions.sh ${pathToContentHostCSV} ${satellite_fqdn} ${organization_name}
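
Because both scripts reach every content host over SSH with keys taken from ${HOME}/.ssh/, it is worth confirming that each key named in the .csv is present and private before starting an emergency run. The following pre-flight check is an added example, not one of the project's scripts. It assumes the .csv has a header row with the EC2 key pair name in column 2 and that keys are stored as `<key_name>.pem`; the function name and the sample layout are hypothetical.

```shell
# Added example (not from the project). Assumed CSV layout:
#   hostname,key_name,...   with a header row; keys stored as
#   <key_name>.pem in KEYDIR (default ${HOME}/.ssh).

# check_ssh_keys CSV [KEYDIR]
# Prints one line per problem and exits 1 if any key is missing,
# readable by group/other (ssh refuses such keys), or has a name
# that would resolve outside KEYDIR.
check_ssh_keys() (
    csv=$1
    keydir=${2:-$HOME/.ssh}
    status=0
    # Unique key names from column 2, header skipped.
    keys=$(tail -n +2 "$csv" | tr -d '\r' | cut -d, -f2 \
        | sed '/^$/d' | LC_ALL=C sort -u)
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        case $key in
            */*) echo "UNSAFE_NAME $key"; status=1; continue ;;
        esac
        file="$keydir/$key.pem"
        if [ ! -f "$file" ]; then
            echo "MISSING $key"; status=1
        # Characters 5-10 of the mode string are the group/other bits.
        elif [ "$(ls -ldL "$file" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_PERMS $key"; status=1
        fi
    done <<EOF
$keys
EOF
    exit "$status"
)
```
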