Manage Content Hosts on Amazon Web Services

Objectives

  • Manage content host cloud instances on Amazon Web Services by using Red Hat Satellite.

Provision Cloud Instances in Amazon EC2

Note

This section is optional.

You can go through the section if you are interested in provisioning cloud instances in Amazon EC2.

Amazon Elastic Compute Cloud (EC2) is a web service that provides a public cloud platform. Satellite connects to the EC2 public API to create cloud instances and to control their power management states. To prepare your on-premise Satellite Server to manage EC2 instances, install a Capsule Server in each Amazon region where you request compute resources. Connect to each Capsule Server by using a Virtual Private Cloud (VPC) to secure your content and communications.

Synchronize the appropriate content repositories for Red Hat Enterprise Linux and custom products to the Capsule Servers. Use this content for post-provisioning tasks such as configuring instances and installing applications. For image-based provisioning, upload your Cloud Access-enabled RHEL images as Amazon Machine Images (AMIs). Create activation keys for host registrations by configuring each key with subscriptions, a lifecycle environment, content view, repositories, and host collection membership to support the content host's applications.

Create a Connection for the Amazon EC2 Compute Resource

Before configuring the EC2 connection, ensure that your Satellite Server's system time is correctly synchronized. Configure the ntpd or chronyd services with authoritative public NTP peers. An inaccurate clock causes authentication protocols to suspect that communications are being tampered with, resulting in an inability to access Amazon Web Services.
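The following check is an added example, not part of the course material: it reads the text printed by chronyc tracking and reports whether the clock is synchronized and within a skew limit. The function name check_clock, the 1-second default limit, and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course): judge clock health from the text that
# `chronyc tracking` prints. The 1-second default limit is an assumption.

# check_clock [MAX_SKEW_SECONDS]  -- reads `chronyc tracking` output on stdin.
# Returns 0: synchronized and within the limit
#         1: not synchronized (or output not recognized)
#         2: synchronized, but the offset from NTP time exceeds the limit
check_clock() {
    awk -v max="${1:-1}" -F' *: *' '
        $1 == "Leap status" { leap = $2 }
        $1 == "System time" { split($2, f, " "); offset = f[1] + 0; seen = 1 }
        END {
            if (!seen || leap != "Normal") exit 1
            if (offset > max + 0) exit 2
            exit 0
        }'
}

# Constructed sample outputs (trimmed to the fields the check reads).
SAMPLE_SYNCED='Reference ID    : C0000201 (ntp1.example.com)
Stratum         : 3
System time     : 0.000041 seconds fast of NTP time
Leap status     : Normal'

SAMPLE_DRIFTED='Reference ID    : C0000201 (ntp1.example.com)
Stratum         : 3
System time     : 412.503100 seconds slow of NTP time
Leap status     : Normal'

SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000 seconds fast of NTP time
Leap status     : Not synchronised'

# On the Satellite Server itself: chronyc tracking | check_clock 1
```

A nonzero return before creating the compute resource points to the time service rather than to the access keys as the cause of authentication failures.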

To create an Amazon EC2 connection, navigate to Infrastructure > Compute Resources and click Create Compute Resource. When naming EC2 compute resources, Red Hat recommends using a convention that includes the AWS region. Also, if you require separate connections for different Satellite locations and organizations, then add the provisioning context to the name. From the Provider list, select EC2. The remainder of the page refreshes to display fields for EC2-specific parameters.

Use the Description field to enter information to recognize the resource later. From the HTTP proxy list, select a configured HTTP smart proxy to connect to external API services. Satellite supports global HTTP proxies for all HTTP communications between Satellite and any cloud provider.

Amazon EC2 secures its accounts by using access keys that were created during account setup. Enter your access key ID and secret key for the connection to use for all communications. With your keys, Satellite can connect to Amazon to obtain a list of available regions. Click Load Regions to populate the Regions list, and select the EC2 region or data center for this connection.

Navigate to the Locations and Organizations tabs to assign provisioning contexts to this EC2 connection. Deployments that use this connection are limited to those locations and organizations. Finally, save the Amazon EC2 connection.

You can also use the hammer command for the same task. Specify the access key ID and secret key by using the --user and --password options.

[root@satellite ~]# hammer compute-resource create --name "EC2_region_context" \
--provider "EC2" --description "EC2 US-East-1 for Finance" \
--user "my_access_key_id" --password "secret_key" --region "us-east-1" \
--locations "Boston" --organizations "Finance"

Identify Amazon EC2 Images to Satellite Server

Amazon EC2 uses image-based provisioning to create hosts. Load your Cloud Access-enabled images to the appropriate Amazon regions. Alternatively, Red Hat provides Gold Amazon Machine Images (AMI) to Amazon for Red Hat Cloud Access clients to use. Depending on the subscription that you specify during Cloud Access enrollment, the AMIs that are shared with your enrolled AWS account are for Red Hat Enterprise Linux, Red Hat Enterprise Linux Atomic Host, Red Hat Gluster Storage, or Red Hat JBoss Enterprise Application Platform. For all other Red Hat products, start with a base RHEL AMI and follow the product's installation guidelines.

Amazon EC2 gold images are preconfigured to use the Red Hat Update Infrastructure (RHUI) by default. You can use RHUI to maintain the cloud instances that are deployed from the gold images, or disable it to maintain the cloud instances with Red Hat Subscription Management or Red Hat Satellite.

To add image details for your uploaded or existing Amazon images to the Satellite Server, including access details and image location, navigate to Infrastructure > Compute Resources and select an Amazon EC2 connection. Use the Images tab to attach a new image definition to this connection. Supply a name to identify the image for future use. Select the operating system and architecture that correspond with the image. Enter the username and password for an account that is already configured on that image and that allows access for post-configuration and ongoing management. Identify the image by entering its AMI ID in the ami-xxxxxxxx format.

You can configure the deployed instances by using either kickstart finish scripts or user-data input such as cloud-init data. Enabling one of these choices disables the other. For user-data input, you must build the image with the cloud-init tool or similar configuration tooling, and configure it to be able to reach the Satellite Server or Capsule Server from the Amazon region where the image is deployed. Similarly, if you enable the kickstart finish script option, then you must create and test the kickstart finish script. Using a finish script requires the use of a remote execution SSH key.

Finally, configure the image definition with the Amazon security role that is used when creating an instance that uses this image. Click Submit to save the image details.

You can use the hammer command for the same task:

[root@satellite ~]# hammer compute-resource image create --name "RHEL 7 EC2 AMI" \
--operatingsystem "RHEL 7.7" --architecture "x86_64" --username root \
--user-data true --uuid "my_ami_id" --compute-resource "EC2_region_context"

Create a Compute Profile with EC2 Parameters

A compute profile specifies the hardware settings to use when provisioning content hosts. For the Amazon cloud provider, you must configure the compute profile with EC2 resource parameters to use when you select the EC2 connection.

To create a compute profile, navigate to Infrastructure > Compute Profiles, click the name of your profile, and then click the EC2 connection to configure it with an image. From the lists, select the EC2 instance type, availability zone with the target cluster, and subnet to use when requesting an instance deployment. Select an image from the image definitions that were created earlier.

From the Security Groups list, select the cloud-based access rules for ports and IP addresses to control the host's network access. From the Managed IP list, select either a Public IP or a Private IP, depending on whether external users need to access this host, or only other region-based hosts. Click Submit to save the EC2 compute profile.

You cannot use the hammer tool to accomplish this task, because Red Hat Satellite 6.11 does not include the compute profile CLI commands. Alternatively, you can include the same settings directly during the host creation process.

Deploy a Host on Amazon EC2

The Amazon EC2 provisioning process creates hosts from existing images on the Amazon EC2 server.

To deploy a new host, navigate to Hosts > Create Host. After entering a name for the new host, select a host group from the Host Group list to populate most of the new host's fields. Select an EC2 connection and compute profile to automatically populate the virtual-machine-based settings.

On the Interface tab, verify that the host's interface information is already populated. Satellite Server automatically selects an IP address, and sets the Managed, Primary, and Provision options for the first interface on the host. Leave the MAC address field blank, for the cloud provider to autogenerate it.

Verify that the fields on the Operating System and Virtual Machine tabs are populated. On the Parameters tab, ensure that a parameter exists that provides an activation key. If the parameter does not exist, then add an activation key. Click Submit to save your host entry, which immediately triggers the EC2 service to create the instance, by using the specified image as the new host's boot volume.

You can also use the hammer command for the same task. Enter the --compute-attributes option as a long, single line.

[root@satellite ~]# hammer host create --name "ec2-test1" \
--organization "Finance" --location "Boston" --hostgroup "Base" \
--compute-resource "EC2_region_context" --provision-method image \
--image "RHEL 7 EC2 AMI" --enabled true --managed true \
--interface "managed=true,primary=true,provision=true,subnet_id=EC2" \
--compute-attributes="flavor_id=m1.small,image_id=TestImage,availability_zones=us-east-1a,security_group_ids=Default,managed_ip=Public"

Connect to an Amazon EC2 Instance by Using SSH

You can connect remotely to an Amazon EC2 instance by using SSH. To connect remotely to an Amazon EC2 instance that is provisioned from Satellite Server, use the compute resource's private key to authenticate to the EC2 API and access the deployed instance.

Satellite stores the compute resource private key in the Foreman database in PostgreSQL. You must retrieve the key from the database and save it in a key-file format. On Satellite Server, first determine the ID of the compute resource that you need the access key for. Then, switch to the postgres user, initiate a postgres shell, and connect to the Foreman database. After you connect to the Foreman database, use an SQL command to display the key. For the compute_resource_id parameter, use the compute resource ID from the output of the hammer compute-resource list command.

[root@satellite ~]# hammer compute-resource list
...output omitted...
[root@satellite ~]# su - postgres
[postgres@satellite ~]$ psql
...output omitted...
postgres=# \c foreman
You are now connected to database "foreman" as user "postgres".
foreman=# select secret from key_pairs where compute_resource_id = X;
 secret
...output omitted...

Copy the key between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----. Do not include the begin and end marking text in the key file. Create a .pem file, paste the key into the file, and set file permissions to allow only the owner to use or read the file. SSH requires the correct permissions for the key to work. Any user who has this key can access the EC2 instance.

[root@satellite ~]# vim keyname.pem
[root@satellite ~]# chmod 600 keyname.pem
[root@satellite ~]# ssh -i keyname.pem ec2-user@example.aws.com
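As an added example that is not part of the course material, the following functions create the key file with owner-only permissions from the start, so the key is never on disk with a wider mode between the editor save and the chmod. The function names save_private_key and key_is_private are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the course): store pasted key material so that it is
# never readable by group or others, and audit an existing key file.

# key_is_private FILE -- returns 0 only if FILE is a regular file whose mode
# is exactly owner read/write (600) or owner read-only (400).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# save_private_key FILE -- reads key text on stdin and writes it to FILE.
# Returns 1 if FILE already exists or cannot be created,
#         2 if no input was given, 3 if the resulting mode is not private.
save_private_key() {
    keyfile="$1"
    if [ -e "$keyfile" ]; then
        return 1                      # never overwrite an existing key
    fi
    (
        umask 077                     # new file is created with mode 600
        set -C                        # noclobber: do not write through an existing path
        cat > "$keyfile"
    ) || return 1
    if [ ! -s "$keyfile" ]; then
        rm -f "$keyfile"              # empty paste: leave nothing behind
        return 2
    fi
    key_is_private "$keyfile" || return 3
}

# Interactive use: run `save_private_key keyname.pem`, paste the key,
# then press Ctrl-D. Audit later with `key_is_private keyname.pem`.
```

Because the file grants access to the instance to whoever holds it, remove it from the Satellite Server once it is stored where your key management practice requires.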

The deployed host is now available for management by the cloud-based Satellite or Capsule Server, in a similar fashion to procedures that are discussed in this course for on-premise content hosts.

References

Red Hat Enterprise Linux on Amazon EC2 - FAQs

For more information about Red Hat in the public cloud, see https://access.redhat.com/public-cloud

For more information, see the Provisioning Cloud Instances in Amazon EC2 section in the Provision Hosts guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/provisioning_hosts/index#Provisioning_Cloud_Instances_in_Amazon_EC2_provisioning

Revision: rh403-6.11-3ad886e