Satellite 6 Maintenance Mode

6 mars 2018Roy Williams2 minutes (temps de lecture)

Have you ever found yourself in the position where you have an issue with your Satellite or, maybe you just need to do something to it and you don't want to be interrupted while doing so? I'm sure all of us have tried to rectify this by sending out emails to nicely ask people not to login or use the environment. How well did that work for you? I know it never worked well for me. Well, I'm happy to say that we now have a better solution, maintenance mode.

What is Maintenance Mode

Maintenance mode is very simple in design. Enabling maintenance mode rejects access to port 443 on the Satellite server. This means that when your use that didn't check their email tries to use Satellite, it will appear that Satellite is down.

I'm sure the next question is, how do admins get to the Satellite then? Well we will get to that in just a minute.

Using Maintenance Mode

To enable maintenance mode, we will first have to install a new package. Additionally, we have to enable a new repository to access this package. As part of the 6.3 release of Satellite, the Satellite Maintenance repository has been created. This repository contains tools and utilities that can be used to administer and maintain Satellite installations.

Enable the Satellite Maintenance Repository:

# subscription-manager repos --enable rhel-7-server-satellite-maintenance-6-rpms

Install foreman-maintain:
```
# yum install rubygem-foreman_maintain
```

Now that the package has been installed we can use it to enable and disable maintenance mode at will.

Enable:

# foreman-maintain advanced procedure run maintenance-mode-enable

Disable:

# foreman-maintain advanced procedure run maintenance-mode-disable

Admin Access

Now that we have ensured that no one will be able to use our Satellite, we can focus on working on it. So, how do our admins access the Satellite UI? First things first, we have to make sure all of our admins have ssh access. After we have confirmed this, we need to ensure that we have the ability to port forward over ssh. This is achieved by ensuring that AllowTCPForwarding is set to yes in /etc/ssh/sshd_config. Assuming this is all complete, we can gain access to the Satellite UI using the following process.

Establish an ssh tunnel to the Satellite server:

# ssh -L 8443:localhost:443 jdoe@sat6.example.com

Open a browser and navigate to https://localhost:8443.

Obviously, this example assumes that you are using a *nix workstation, but the same can be achieved using PuTTY, SecureCRT, and many other common ssh clients.

Summary

So putting this all together, we now have a way to keep our very energetic Satellite users from gaining access to our Satellite while we are trying to perform maintenance. We have established a way for admins to access our Satellite during maintenance. Finally, we have discussed the system requirements for admin access.

Now, I know that some of you are probably concerned about the fact that we have need enable AllowTCPForwarding. From my experience working in the public sector, I know this is something that is typically flagged on security baselines. So, what I have done in these environments is create a simple wrapper script that will enable this option, restart sshd, and enable maintenance mode. Of course, a similar script would need to be created to back those changes out. Using this method, TCP forwarding is only enabled during maintenance--something that is more permissible by most security teams.

Example Script:

#!/bin/bash

# Enable AllowTCPForwarding
sed -i 's/^AllowTCPForwarding no/AllowTCPForwarding yes/' /etc/ssh/sshd_config
systemctl restart sshd

# Put Satellite in maintenance mode
foreman-maintain advanced procedure run maintenance-mode-enable