
Guided Exercise: Run Remote Puppet Jobs on Managed Hosts

Remotely install the Puppet agent on a managed host, and use it to apply the latest configuration version.

Outcomes

  • Configure the Puppet remote management service and install the Puppet agent.

  • Run Puppet commands remotely on a managed host.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start remote-puppet

Instructions

  1. Copy the Foreman SSH keys from each Capsule Server to the serverc content host that is the remote execution target.

    Important

    Satellite Server can delegate remote execution to any Capsule Server that is authorized to provide it to content hosts in managed locations. Copy the required Foreman SSH public keys from each authorized Capsule Server, including the integrated Capsule Server on the Satellite Server, to each content host that can be a remote execution target. Each copied key authorizes the corresponding foreman-proxy identity to log in as root on that content host.

    1. Log in to the capsule system as the student user and switch to the root user.

      [student@workstation ~]$ ssh student@capsule
      [student@capsule ~]$ sudo -i
      [sudo] password for student: student
      [root@capsule ~]#
    2. Copy the Capsule Server's Foreman SSH public key to the serverc content host. The key is in the foreman-proxy user's SSH configuration on the capsule system.

      [root@capsule ~]# ssh-copy-id \
      -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub \
      root@serverc.lab.example.com
      ...output omitted...
      Are you sure you want to continue connecting (yes/no)? yes
      ...output omitted...
      root@serverc.lab.example.com's password: redhat
      
      Number of key(s) added: 1
      ...output omitted...
    3. Use the foreman-proxy identity to test the root@serverc account for passwordless access from the capsule system. If the public key was successfully copied, then you can access the account without a password prompt. You might still be prompted to establish the authenticity of the remote host by continuing to connect. If you are prompted for a password, then diagnose and fix the issue.

      [root@capsule ~]# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@serverc
      ...output omitted...
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      ...output omitted...
      [root@serverc ~]#
    4. Return to the workstation system as the student user. Log in to the satellite server as the student user and switch to the root user.

      [root@serverc ~]# exit
      logout
      [root@capsule ~]# exit
      logout
      [student@capsule ~]$ exit
      logout
      [student@workstation ~]$ ssh student@satellite
      [student@satellite ~]$ sudo -i
      [sudo] password for student: student
      [root@satellite ~]#
    5. Copy the Satellite Server's Foreman SSH public key to the serverc content host. The key is in the foreman-proxy user's SSH configuration on the satellite system.

      [root@satellite ~]# ssh-copy-id -i \
      ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub \
      root@serverc.lab.example.com
      ...output omitted...
      Are you sure you want to continue connecting (yes/no)? yes
      ...output omitted...
      root@serverc.lab.example.com's password: redhat
      
      Number of key(s) added: 1
      ...output omitted...
    6. Use the foreman-proxy identity to test the root@serverc account for passwordless access from the satellite system. If the public key was successfully copied, then you can access the account without a password prompt. You might still be prompted to establish the authenticity of the remote host by continuing to connect. If you are prompted for a password, then diagnose and fix the issue.

      [root@satellite ~]# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@serverc
      ...output omitted...
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      ...output omitted...
      [root@serverc ~]#
    7. Exit the serverc system, but keep open the terminal on the satellite system.

      [root@serverc ~]# exit
      logout
      [root@satellite ~]#
  2. Install the Puppet service on both the Satellite Server and the Capsule Server.

    1. Install and enable the primary Puppet service and components on the Satellite Server. Wait until the process completes.

      [root@satellite ~]# satellite-installer --enable-foreman-plugin-puppet \
      --enable-foreman-cli-puppet \
      --foreman-proxy-puppet true \
      --foreman-proxy-puppetca true \
      --foreman-proxy-content-puppet true \
      --enable-puppet \
      --puppet-server true \
      --puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
      --puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
      --puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
      ...output omitted...
    2. Return to the workstation system as the student user. Log in to the capsule server as the student user and switch to the root user.

      [root@satellite ~]# exit
      logout
      [student@satellite ~]$ exit
      logout
      [student@workstation ~]$ ssh student@capsule
      [student@capsule ~]$ sudo -i
      [sudo] password for student: student
      [root@capsule ~]#
    3. Install and enable the proxy Puppet service and components on the Capsule Server. Wait until the process completes.

      [root@capsule ~]# satellite-installer --foreman-proxy-puppet true \
      --foreman-proxy-puppetca true \
      --foreman-proxy-content-puppet true \
      --enable-puppet \
      --puppet-server true \
      --puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
      --puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
      --puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key
      ...output omitted...
    4. Return to the workstation system as the student user.

      [root@capsule ~]# exit
      logout
      [student@capsule ~]$ exit
      logout
      [student@workstation ~]$
  3. Log in to the Satellite Server web UI, https://satellite.lab.example.com, as the admin user with redhat as the password.

  4. In the upper-left corner of the web page, set the organization to Operations. Set the location to Any Location.

  5. Move the serverc content host to the Development lifecycle environment and OperationsServerBase content view.

    1. Click Hosts → Content Hosts, and then click the serverc.lab.example.com link. On the Details page, in the Content Host Content section, select the checkbox for the Development lifecycle environment, and then select OperationsServerBase in the Content view list. Click Save.

    2. On the Repository Sets tab, verify that the Red Hat Satellite Client 6 for RHEL 9 x86_64 (RPMs) repository is enabled. If the repository status is Disabled, then select the repository checkbox, and then select Override to Enabled from the Select Action list.

  6. Remotely install the Puppet agent on the serverc content host.

    1. Click Hosts → All Hosts, and then click the serverc.lab.example.com link. Click Schedule Remote Job.

    2. Select Packages in the Job category field. Select Package Action - SSH Default in the Job template field.

    3. Verify that the action field is set to install. Enter puppet in the package field, and then click Submit.

    4. On the Overview tab, monitor the remote execution status. Wait for the process to complete. To view the remote command output, scroll down and click the serverc.lab.example.com link. Your results should be similar to the following output.

      ...output omitted...
      10: Installing:
      11: puppet-agent   x86_64  7.16.0-2.el9sat ...
      ...output omitted...
  7. Remotely enable the Puppet agent on the serverc content host.

    1. Click Hosts → All Hosts, and then click the serverc.lab.example.com link. Click Schedule Remote Job.

    2. Select Puppet in the Job category field. Select Puppet Agent Enable - SSH Default in the Job template field. Click Submit.

    3. On the Overview tab, monitor the remote execution status. Wait for the process to complete.

  8. Remotely apply the latest Puppet configuration version on the serverc content host.

    Important

    The initial remote Puppet job to each content host is expected to fail. The first Puppet job generates an SSL certificate to use as that content host's identity. The Puppet server must accept and sign the content host's certificate before permitting remote jobs to that content host.

    1. Click Hosts → All Hosts, and then click the serverc.lab.example.com link. Click Schedule Remote Job.

    2. Select Puppet in the Job category field. Select Puppet Run Once - SSH Default in the Job template field. Enter -t --server satellite.lab.example.com in the puppet_options field. Click Submit.

    3. On the Overview tab, monitor the remote execution status. Wait for the process to fail. To view the remote command output, scroll down and click the serverc.lab.example.com link. Your results should be similar to the following output.

      1: Info: Creating a new RSA SSL key for serverc.lab.example.com
      ...output omitted...
      5: Info: Certificate for serverc.lab.example.com has not been signed yet
      6: Couldn't fetch certificate from CA server; you might still need to sign this
         agent's certificate (serverc.lab.example.com).
      ...output omitted...
  9. Sign the serverc puppet certificate on the Satellite Server.

    1. Click Infrastructure → Capsules, and then click the satellite.lab.example.com link.

    2. Click Puppet CA, and then click Certificates. In the serverc.lab.example.com row, click Sign in the Actions column.

  10. Remotely apply the latest Puppet configuration version again on the serverc content host. With a signed content host certificate, the job succeeds.

    1. Click Hosts → All Hosts, and then click the serverc.lab.example.com link. Click Schedule Remote Job.

    2. Select Puppet in the Job category field. Select Puppet Run Once - SSH Default in the Job template field. Enter -t --server satellite.lab.example.com in the puppet_options field. Click Submit.

    3. On the Overview tab, monitor the remote execution status. Wait for the process to complete. To view the remote command output, scroll down and click the serverc.lab.example.com link. Your results should be similar to the following output.

      ...output omitted...
      4:   Info: Downloaded certificate for serverc.lab.example.com from ...
      ...output omitted...
      204: Notice: Applied catalog in 0.02 seconds
      205: Exit status: 0
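
For steps 8 to 10, an added example (not part of the course material) that compares the CSR fingerprint the agent reports with the one the Puppet CA lists before you sign. The output layouts of `puppet agent --fingerprint` and `puppetserver ca list` are assumptions noted in the comments; the fingerprints and the serverd host are constructed.

```shell
#!/bin/sh
# Added example, not from the course. Assumed output layouts:
#   agent: puppet agent --fingerprint  ->  (SHA256) AA:BB:...
#   CA:    puppetserver ca list        ->  <certname>  (SHA256)  AA:BB:...

# Print the first colon-separated hex fingerprint on stdin, upper-cased.
extract_fp() {
    grep -Eo '([0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}' | head -n 1 | tr 'a-f' 'A-F'
}

# Print the fingerprint listed for certname $1 in CA list output on stdin.
pending_fp() {
    awk -v host="$1" '{ n = $1; gsub(/"/, "", n); if (n == host) print }' | extract_fp
}

# csr_matches AGENT_OUTPUT CA_LIST_OUTPUT CERTNAME
# Succeed only when both fingerprints are present and identical.
csr_matches() {
    agent_fp=$(printf '%s\n' "$1" | extract_fp)
    ca_fp=$(printf '%s\n' "$2" | pending_fp "$3")
    [ -n "$agent_fp" ] && [ "$agent_fp" = "$ca_fp" ]
}

# Constructed sample values (not real fingerprints; serverd is a made-up second host).
SAMPLE_FP='1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09'
OTHER_FP='F0:E1:D2:C3:B4:A5:96:87:78:69:5A:4B:3C:2D:1E:0F:F0:E1:D2:C3:B4:A5:96:87:78:69:5A:4B:3C:2D:1E:0F'
SAMPLE_CA_LIST="Requested Certificates:
    serverd.lab.example.com   (SHA256)  $OTHER_FP
    serverc.lab.example.com   (SHA256)  $SAMPLE_FP"

if csr_matches "(SHA256) $SAMPLE_FP" "$SAMPLE_CA_LIST" serverc.lab.example.com; then
    echo "fingerprints match: sign serverc.lab.example.com"
else
    echo "mismatch or no pending request: do not sign"
fi
```

Click Sign in the Puppet CA certificate list only when the comparison succeeds; a mismatch means the pending request did not come from the key that the agent generated in step 8.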
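
For the passwordless-login tests in step 1, an added example (not part of the course material) that checks two common causes of a password prompt on the content host: the key missing from authorized_keys, and a home or .ssh path writable by group or others, which sshd StrictModes rejects. The function names and finding labels are made up for this example; the demo tree and key are constructed.

```shell
#!/bin/sh
# Added example, not from the course: run as root on the content host.

# Succeed when $1 is not writable by group or others (sshd StrictModes).
mode_ok() {
    m=$(stat -c '%a' "$1") || return 1      # GNU stat, octal mode such as 700
    case "$m" in
        *[2367]?|*[2367]) return 1 ;;        # write bit set for group or others
    esac
    return 0
}

# Succeed when the key blob from public key file $2 appears in file $1.
key_installed() {
    blob=$(awk '{ print $2; exit }' "$2")
    [ -n "$blob" ] && grep -qF -- "$blob" "$1"
}

# diagnose HOME_DIR PUBKEY_FILE: print one finding per line, return their count.
diagnose() {
    home=$1; ak="$home/.ssh/authorized_keys"; problems=0
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; problems=$((problems + 1))
        elif ! mode_ok "$p"; then
            echo "WRITABLE-BY-OTHERS $p"; problems=$((problems + 1))
        fi
    done
    if [ -f "$ak" ] && ! key_installed "$ak" "$2"; then
        echo "KEY-NOT-FOUND $ak"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo: a throwaway home whose .ssh directory is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
echo 'ssh-rsa AAAAB3ConstructedBlob foreman-proxy@capsule' > "$demo/proxy.pub"
cp "$demo/proxy.pub" "$demo/.ssh/authorized_keys"
chmod 770 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
diagnose "$demo" "$demo/proxy.pub" || echo "findings: $?"
rm -rf "$demo"
```

On serverc, call `diagnose /root` with a copy of the Capsule's id_rsa_foreman_proxy.pub as the second argument; ownership, SELinux labels and sshd_config are not checked.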

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish remote-puppet

Revision: rh403-6.11-3ad886e