订阅内容

Red Hat Satellite facilitates software synchronization in environments where connectivity to the Red Hat Content Delivery Network (CDN) is intermittent or slow. Inter-Satellite Synchronization (ISS) enables software synchronization for air gapped and indirect network environments, so your Red Hat Enterprise Linux hosts are patched and updated while conforming to security requirements or adapting to networking challenges.

This article discusses the different methods of network connectivity and how ISS enables software synchronization through air gapped and indirectly connected networks. Step-by-step instructions for setting up ISS for both network configurations are also provided.

For more information on software synchronization between Satellite servers, please refer to my previous article.

Air gapped environments - ISS export sync

Air gapped environments contain IT infrastructure assets in a network environment that is self contained where direct connections to the internet are not possible or not permitted.

ISS export sync requires that a Satellite server initially downloads software from the Red Hat CDN. An export is created from that initial download, then copied to the air gapped Satellite server. We call the first Satellite server the “upstream” server and the air gapped Satellite server the “downstream” server.

The exported software, or ISS export, can be copied to portable media from the upstream server and transported across the air gap, before it is imported into the downstream server.

Air gapped environments - ISS export sync

Indirectly connected networks - ISS network sync

An indirectly connected network, or indirect network, is connected to the internet through a proxy in order to screen/filter traffic between a network and the internet. An indirectly connected network provides another layer of protection from malevolent external traffic.

ISS network sync enables software synchronization through an “upstream” server with a direct connection to the Red Hat CDN. First, software is synchronized to the upstream server. Next, a downstream server is configured to download software from the upstream server.

Indirectly connected networks - ISS network sync

ISS Export Sync

Assumptions:

  1. Lifecycle environment named Production
  2. Content view named RHEL9_BaseOS
    1. Contains RHEL9 BaseOS repository.
    2. Published and promoted to Production lifecycle environment.
    3. RHEL9 BaseOS repository must be configured with Immediate download policy.
  3. The downstream Satellite server must have a manifest that is valid for the software repositories that will be synchronized from the upstream Satellite server.
ISS Export Sync

Export the content view RHEL9_BaseOS

hammer content-export complete version --content-view "RHEL9 BaseOS" --version "1.0" --organization "Acme Org"
inter-Satellite-sync-network-and-export-sync-image4

 

The exported data can be found in /var/lib/pulp/exports/Acme_Org/RHEL9_BaseOS/1.0/<date and time export was run>

In other words, look for a naming scheme such as /var/lib/pulp/exports/<org>/<content view>/<content view version>/<date and time export was run>.

Copy the data to the downstream Satellite server

Once the data has been exported, three files will be created. They will be named similar to below.

export-ea7f2dc8-60b4-4136-bb15-5398f887aa39-20240419_1447.tar.gz                                                                                                                             
export-ea7f2dc8-60b4-4136-bb15-5398f887aa39-20240419_1447-toc.json                                                                                                                           
metadata.json 

All three must be copied to the downstream server. You can copy them to removable media or via some means of network copy if available.

On the downstream server, the exported data must be copied into /var/lib/pulp/imports. Satellite will only import data from this directory root (unless configured otherwise).

In this example, I will create a directory called Acme_Org and copy the exported data into it.

Import the data on the downstream Satellite server

First, ensure that the pulp service owns the data on the downstream Satellite server.

Pre> chown -R pulp:pulp /var/lib/pulp/imports/Acme_Org/

Import the data.

hammer content-import version --organization "Acme Org" --path "/var/lib/pulp/imports/Acme_Org"

Here’s what the import operation looks like while it is in progress.

inter-Satellite-sync-network-and-export-sync-image5

 

When this operation completes, you’ll find the content view RHEL9 BaseOS  is created. Hosts registered to your downstream Satellite server will be able to access software imported from the upstream server in the RHEL9 BaseOS content view.

Incremental updates

 

inter-Satellite-sync-network-and-export-sync-image6

 

Subsequent updates can be performed incrementally.

In this example, we will publish and promote version 2.0 of the content view RHEL9 BaseOS on the upstream server. This step is not shown.

On the upstream server, run the following command after the content view RHEL9 BaseOS has completed the publish and promotion operation.

hammer content-export incremental version --content-view "RHEL9 BaseOS" --version "2.0" --organization "Acme Org"

Copy the data to the downstream server and then re-run the import command.

hammer content-import version --organization "Acme Org" --path "/var/lib/pulp/imports/Acme_Org/incremental_update_1"

In case you have performed multiple exports and you need to incrementally update multiple downstream servers, you must remember to apply incremental updates based on the last full or incremental update. You can view the history of the exports with the following command.

hammer content-export list

The output is as follows.

inter-Satellite-sync-network-and-export-sync-image7

In this example, the export with ID 2 was imported into the downstream server. When this export was made, the content view RHEL9 BaseOS was published and promoted as version 1.0.

As you might recall, the content view RHEL9 BaseOS was published and promoted to version 2.0. The next incremental export on the upstream server must be made relative to ID 2, which denotes the id of the complete export of version 1.0 of the RHEL9 BaseOS content view. Thus, the export command must contain the --from-history-id flag.

hammer content-export incremental version --content-view "RHEL9 BaseOS" --version "2.0" --from-history-id=2 --organization "Acme Org"

On the downstream server, the content view RHEL9 BaseOS is published as version 1.0 as expected, using the content-export command above.

When the downstream server imports this data, it will create a content view version 2.0 based on previously imported data.

ISS Network Sync

Assumptions

Please refer to the Assumptions section for ISS export sync.

ISS network sync can be configured for repositories set to On-demand download policies.

Import upstream SSL certificates

ISS network sync is performed through an SSL encrypted connection between the upstream and downstream Satellite server. To ensure that the connection is secure and the encryption has not been compromised, the downstream server must import the SSL certificate chain from the upstream server.

First we’ll need to export the SSL certificate chain from the upstream server. You can obtain the upstream certificate with the following command.

curl http://<fqdn of upstream server>/pub/katello-server-ca.crt > katello-server-ca.crt/pub/katello-server-ca.crt > katello-server-ca.crt

The output, katello-server-ca.crt looks like this. Note that multiple certificates may be present in this file, depending on whether custom certificates are used.

[root@ip-172-31-24-152 ~]# cat katello-server-ca.crt
-----BEGIN CERTIFICATE-----
MIIHOzCCBSOgAwIBAgIUDXG3/qbr2MtMtTkVa6AA4HFOLLkwDQYJKoZIhvcNAQEL
BQAwgZUxCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4G
A1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9y
Z1VuaXQxMzAxBgNVBAMMKmlwLTE3Mi0zMS0xNi01Ni51cy13ZXN0LTEuY29tcHV0
ZS5pbnRlcm5hbDAeFw0yNDAzMDExOTI5NThaFw0zODAxMTcxOTI5NThaMIGVMQsw
CQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1Jh
bGVpZ2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MTMw
MQYDVQQDDCppcC0xNzItMzEtMTYtNTYudXMtd2VzdC0xLmNvbXB1dGUuaW50ZXJu
YWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAWJFEZq9B21PoeOwb
yU467mz3Byeg++7GrS4+ok4xjym0fJT5oO6uEBmANXTRA99cxS5BTy0hYJK/cC/H
dDAcs6TfyvcA1HOaeZS3MPzW6WPwH1cR+ZORItJf70hewfMadiV4QN7JJQeRx4Xh
AhAM2hS79/y1kyHnRpnejl6seMQmLmrm1ErR/4a0jkwYK9qpjjfMmSGYGaXzmHcY
OKaENlXJAChW/MQScKH+9VB93M+UBqEoJWP3/7B77saTXw90Shw3GcCbcvsaLTpw
276EX0Dvo1DdQaLxR2Ex8WxRKfSDggfmqWycNa6B3s6V1ZhhAB3RT4skqFmf34bk
/us+ZbuSdR6CjG52SD5RVMGZ66KbPtOSkXLmxEbO6hGKXh4XhjDCXrKMsfNUsc1v
sbwR7pB9GJmYYjyHIP6w0SJZjq6VoRmTJKx0I9Uk+ph9GIBaEom0MAi/yLNFqyot
oD85h3cr+O2UJ4pe3jqLjKKSX5wPHxBA06RTFhXX/3u8AVI2ouzbSwqWy3gEmEPU
zdzHUKuR+ed1JD68m0HzfCa6nFDQVFbTnOQA8CzUO0Pp+6VUG4aWo6W0pJc8lWr4
QJbwPgNNHUIsJOTWhw3cTOyC473V7hGwo49oNCGImef9hGmSQ5I2uawSAk7Yo8nJ
KNi6+AsTxiYpG0S1luF61OGjJwIDAQABo4IBfzCCAXswDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBEGCWCG
SAGG+EIBAQQEAwICRDA1BglghkgBhvhCAQ0EKBYmS2F0ZWxsbyBTU0wgVG9vbCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAPNXOpt+xzlfS4fmMFCmaDg
dt97MIHVBgNVHSMEgc0wgcqAFAPNXOpt+xzlfS4fmMFCmaDgdt97oYGbpIGYMIGV
MQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcM
B1JhbGVpZ2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0
MTMwMQYDVQQDDCppcC0xNzItMzEtMTYtNTYudXMtd2VzdC0xLmNvbXB1dGUuaW50
ZXJuYWyCFA1xt/6m69jLTLU5FWugAOBxTiy5MA0GCSqGSIb3DQEBCwUAA4ICAQAC
eO4VQCOyRuH8FJtA8jdfI5mRSq5sUtaUPFWE/wiKP7+2evEKxPrsuFlV74w/pYJE
v7lkWy9MWEcoeBix/svQxLcGqsS9Mz/bsIaeKraQQnGC0zX7zk0JHcie92aVqFQx
0EE7ETQoHTVqPQjkqnmTXSZQzQB5bajtwZ8y/+TGDOXV0UnGhmTJn/CcD2EPooIl
8B80gLL0xOK5Vyowl9FYBLF5sMf1QNg74EupBFOAh6P3/SY6F0FZZzL+LHktmzKR
2AVL1RwMmteHmMvv5nrCvX/pJVyFPyY1y5f+oeUjxUASdY8Fw4a1IjA7lMjUaDt1
54sXG93riNHSa4SwDLhxIC0n9YDa9mqwHqOYtmlDjL1vTxjXd/1CYfckcerrW8s8
C+hszvQLT+WTEnxG48C8ctvUyQS3Ph4A+iiZ+2nFkePQbFVdlwvhQAEYoUmJh+ag
2D5GYjRjBb5N7r2ds2YDhnuWeXpXx+pzk7wc3zILf9yqOw1dwb1VWCVP6TS8NDeF
TiRXUA/Qg5PV8//EaCBmMlSAfb9/L2UPXectzkVZeA6t24lGKgxmwlibiXhVLTYM
7Oql7+0DX9+BL/sqMBsShY5XpofDD7t881YLf2mo16jPlgxuSLvyCbdduWs8Iotf
TJCRPBY1p/YRcGbdG0/Q7iBSBt+glD4pgyxjwN6IbA==
-----END CERTIFICATE-----

To import the SSL certificate chain, copy it to the downstream server. Then enter the following command:

hammer content-credential create \
--content-type cert \
--name "<fqdn of upstream server>" \
--organization "<your org>" \
--path /<path to cert>/<name of cert>" \ --organization "" \ --path //

The output should look something like this.

inter-Satellite-sync-network-and-export-sync-image8

 

Configure the downstream server’s CDN to point at the upstream server

Navigate to the Subscriptions menu.

inter-Satellite-sync-network-and-export-sync-image9

 

Click on Manage Manifest.

 

inter-Satellite-sync-network-and-export-sync-image10

 

In the Manage Manifest menu, click on CDN Configuration.

 

inter-Satellite-sync-network-and-export-sync-image11

Click on the Network Sync tab.

 

inter-Satellite-sync-network-and-export-sync-image12

Configure the Network Sync.

  1. Enter the URL of the upstream server
  2. Enter the username. The user’s security privileges can be restricted
  3. Enter the password
  4. Enter the upstream organization label you wish to sync from
  5. Enter the upstream lifecycle environment you wish to sync from. To sync all content, enter “Library”
  6. Enter the upstream content view you wish to sync from. To sync all content, enter “Default_Organization_View”
  7. For SSL CA Content Credential, select the SSL certificate you imported earlier
  8. Click update
inter-Satellite-sync-network-and-export-sync-image13

Add repositories from the upstream server on the downstream server

From the downstream Satellite server, navigate to the Red Hat Repositories menu.

inter-Satellite-sync-network-and-export-sync-image14

 

Select the RHEL9 BaseOS repository.

 

inter-Satellite-sync-network-and-export-sync-image15

 

Repositories that have not been synchronized to the upstream server are not available on the downstream server.

 

inter-Satellite-sync-network-and-export-sync-image16

 

Synchronize the RHEL9 BaseOS repository and enable access to it with an activation key to test updates to RHEL9 hosts registered to the downstream server.

Red Hat Satellite simplifies software updates and management

Red Hat Enterprise Linux customers seek to integrate guardrails into their software supply chain and development life cycles to accelerate innovation without compromising security. Red Hat Satellite helps customers bring that secure software supply chain to on-premises and hybrid cloud environments. Inter-Satellite Sync export and network synchronization provide flexibility in conforming to security requirements in these environments.

References


关于作者

As a Senior Principal Technical Marketing Manager in the Red Hat Enterprise Linux business unit, Matthew Yee is here to help everyone understand what our products do. He joined Red Hat in 2021 and is based in Vancouver, Canada.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事