Red Hat Satellite
This document outlines the high-level design for the installation of Red Hat Satellite. Red Hat Satellite is directly responsible for providing provisioning, software and patch management for the virtual machines hosted at the cloud provider.
This document provides a comprehensive overview for deploying the Red Hat Satellite solution, tailored to the specified requirements. For further details and step-by-step implementation guidance, refer to the official Red Hat Satellite overview, concepts and deployment guideline documentation and the installation guides.
The deployment type will be connected, which means that Red Hat Satellite connects directly to the Red Hat Content Delivery Network (CDN) over the internet. No proxy will be used for internet access.
High Level Design
System Configuration
- x86_64 architecture
- The latest version of Red Hat Enterprise Linux 8
- 4-core 2.0 GHz CPU at a minimum
- 32 GB of RAM
- Fully qualified hostname
- Azure virtual instance: E4as
- High-bandwidth, low-latency storage, with a standard or premium SSD type disk with 500 GB space
File System Configuration
Mount Point | Size |
---|---|
/var/lib/pgsql | 20 GB |
/var/lib/pulp | 400 GB |
Certificates
Red Hat Satellite Server will use an SSL certificate signed by an external certificate authority (CA), namely Red Hat Identity Management acting as a subordinate CA. Refer to the certificate requirements in the official documentation.
Operating Systems
Operating systems will be configured as below:
Name | Description |
---|---|
RedHat 8.9 | Red Hat Enterprise Linux 8.9 |
RHEL 8.10 | Red Hat Enterprise Linux 8.10 |
RedHat 9.3 | Red Hat Enterprise Linux 9.3 |
RedHat 9.4 | Red Hat Enterprise Linux 9.4 |
Architectural Diagram
Network Requirements
Network port requirements for Intranet hosts
Network port requirements for DMZ hosts
Firewall configurations can be found in the official documentation for a connected Red Hat Satellite.
Provisioning
In Satellite, you can integrate with the RHEL web console to perform actions on and monitor your hosts. Satellite can interact with Microsoft Azure Resource Manager, including creating new virtual machines and controlling their power management states. Only image-based provisioning is supported for creating Azure hosts.
DNS, DHCP and TFTP services will not be managed by Satellite. Red Hat Identity Management (IdM) integration will be configured for user and host management. The Cloud Providers option will be used as the provisioning method in Red Hat Satellite.
Organizations
Red Hat Satellite will have only one organization.
Name | Description |
---|---|
Showroom | Showroom Organization |
Locations
There are two locations:
Name | Description |
---|---|
Intranet | for internal business workloads and infrastructure management services |
DMZ | for the business workloads which have public access enabled |
Capsule
An additional Red Hat Satellite Capsule will be deployed in the DMZ location to act as a content proxy. The connection between Red Hat Satellite and the Red Hat Satellite Capsule will be a secure, encrypted connection between the virtual networks.
Content Lifecycle
Satellite provides features for precise management of the content lifecycle. A lifecycle environment represents a stage in the content lifecycle; a Content View is a filtered set of content and can be considered a defined subset of content.
A single lifecycle environment path will be used: both operating system and application content are promoted through the same path. The path can consist of several stages (for example Development, QA, Production), which enables thorough testing but requires additional effort. The following lifecycle structure will be used:
Name | Description |
---|---|
Library | Default content |
Dev | Development content |
QA | QA UAT content |
Prod | Production content |
Host Groups
Red Hat Satellite provides several logical units for grouping hosts. Hosts that are members of those groups inherit the group configuration. Host groups can be nested to inherit parameters from each other, which allows for designing host group hierarchies that fit particular workflows. We plan to use a lifecycle environment based structure, in which the hierarchy is based on a lifecycle environment. The Dev environment is to be deployed first in the project. Host groups can be extended based on day-to-day requirements.
Name | Parent | Description |
---|---|---|
hg_mgmt_dev | - | Management Servers Host Group for Development |
hg_work_dev | - | Workload Servers Host Group for Development |
hg_work_qa | - | Workload Servers Host Group for QA |
hg_work_prod | - | Workload Servers Host Group for Production |
hg_intranet | hg_mgmt_dev | Intranet Management Servers Host Group for Development |
hg_intranet | hg_work_dev | Intranet Workload Servers Host Group for Development |
hg_intranet | hg_work_qa | Intranet Workload Servers Host Group for QAT |
hg_intranet | hg_work_prod | Intranet Workload Servers Host Group for Production |
hg_rhel8.9 | hg_mgmt_dev/hg_intranet | Host Group for RHEL8.9 systems |
hg_rhel8.10 | hg_mgmt_dev/hg_intranet | Host Group for RHEL8.10 systems |
hg_capsule | hg_mgmt_dev/hg_intranet/hg_rhel8.10 | Host Group for Red Hat Satellite Capsule |
hg_epel | hg_mgmt_dev/hg_intranet/hg_rhel8.10 | Host Group for EPEL enabled systems |
hg_rhel9.3 | hg_mgmt_dev/hg_intranet | Host Group for RHEL 9.3 systems |
hg_rhel9.4 | hg_mgmt_dev/hg_intranet | Host Group for RHEL 9.4 systems |
hg_aap | hg_mgmt_dev/hg_intranet/hg_rhel9.4 | Host Group for Red Hat Ansible Automation Platform |
hg_rhel8.9 | hg_work_dev/hg_intranet | Host Group for RHEL8.9 systems |
hg_rhel8.10 | hg_work_dev/hg_intranet | Host Group for RHEL8.10 systems |
hg_rhel9.3 | hg_work_dev/hg_intranet | Host Group for RHEL 9.3 systems |
hg_rhel9.4 | hg_work_dev/hg_intranet | Host Group for RHEL 9.4 systems |
hg_rhel8.9 | hg_work_qa/hg_intranet | Host Group for RHEL8.9 systems |
hg_rhel8.10 | hg_work_qa/hg_intranet | Host Group for RHEL8.10 systems |
hg_rhel9.3 | hg_work_qa/hg_intranet | Host Group for RHEL 9.3 systems |
hg_rhel9.4 | hg_work_qa/hg_intranet | Host Group for RHEL 9.4 systems |
hg_rhel8.9 | hg_work_qa/hg_intranet | Host Group for RHEL8.9 systems |
hg_rhel8.10 | hg_work_prod/hg_intranet | Host Group for RHEL8.10 systems |
hg_rhel9.3 | hg_work_prod/hg_intranet | Host Group for RHEL 9.3 systems |
hg_rhel9.4 | hg_work_prod/hg_intranet | Host Group for RHEL 9.4 systems |
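A nested host group in Satellite is identified by its title (the parent titles and its own name joined with "/"), and a name only has to be unique under its parent, which is why hg_intranet and the hg_rhel* groups can repeat under different parents. The script below is an added example, not part of the design document or of Satellite's tooling: it takes the (Name, Parent) pairs from the host group table, derives every title, reports duplicate titles and references to parents that are never defined, and returns the groups in an order that creates parents before children. Run against the table as written, it flags the second hg_rhel8.9 row under hg_work_qa/hg_intranet as a duplicate title. The hammer_commands() helper renders the creation order as hammer calls; the --parent-title flag is an assumption here and should be confirmed against `hammer hostgroup create --help` on the target Satellite version.

```python
"""Consistency check for the nested host group design (added example)."""
import shlex

# (name, parent title) rows copied from the design table; None marks a top-level group.
DESIGN_ROWS = [
    ("hg_mgmt_dev", None), ("hg_work_dev", None), ("hg_work_qa", None), ("hg_work_prod", None),
    ("hg_intranet", "hg_mgmt_dev"), ("hg_intranet", "hg_work_dev"),
    ("hg_intranet", "hg_work_qa"), ("hg_intranet", "hg_work_prod"),
    ("hg_rhel8.9", "hg_mgmt_dev/hg_intranet"), ("hg_rhel8.10", "hg_mgmt_dev/hg_intranet"),
    ("hg_capsule", "hg_mgmt_dev/hg_intranet/hg_rhel8.10"),
    ("hg_epel", "hg_mgmt_dev/hg_intranet/hg_rhel8.10"),
    ("hg_rhel9.3", "hg_mgmt_dev/hg_intranet"), ("hg_rhel9.4", "hg_mgmt_dev/hg_intranet"),
    ("hg_aap", "hg_mgmt_dev/hg_intranet/hg_rhel9.4"),
    ("hg_rhel8.9", "hg_work_dev/hg_intranet"), ("hg_rhel8.10", "hg_work_dev/hg_intranet"),
    ("hg_rhel9.3", "hg_work_dev/hg_intranet"), ("hg_rhel9.4", "hg_work_dev/hg_intranet"),
    ("hg_rhel8.9", "hg_work_qa/hg_intranet"), ("hg_rhel8.10", "hg_work_qa/hg_intranet"),
    ("hg_rhel9.3", "hg_work_qa/hg_intranet"), ("hg_rhel9.4", "hg_work_qa/hg_intranet"),
    ("hg_rhel8.9", "hg_work_qa/hg_intranet"),   # exactly as written in the table
    ("hg_rhel8.10", "hg_work_prod/hg_intranet"), ("hg_rhel9.3", "hg_work_prod/hg_intranet"),
    ("hg_rhel9.4", "hg_work_prod/hg_intranet"),
]


def plan_hostgroups(rows):
    """Return (titles in creation order, list of problems) for (name, parent) rows."""
    titles, problems, seen = [], [], set()
    for name, parent in rows:
        title = f"{parent}/{name}" if parent else name
        if title in seen:
            problems.append(f"duplicate title {title!r}")
            continue
        seen.add(title)
        titles.append(title)
    for title in titles:
        parent = title.rpartition("/")[0]
        if parent and parent not in seen:
            problems.append(f"{title!r}: parent {parent!r} is not defined")
    # A parent always has fewer '/' than its children, so a stable sort by depth
    # keeps table order within a depth and yields a safe creation order.
    ordered = sorted(titles, key=lambda t: t.count("/"))
    return ordered, problems


def hammer_commands(ordered_titles):
    """Render one `hammer hostgroup create` call per title, parents first."""
    commands = []
    for title in ordered_titles:
        parent, _, name = title.rpartition("/")
        command = f"hammer hostgroup create --name {shlex.quote(name)}"
        if parent:
            # --parent-title is assumed; verify with `hammer hostgroup create --help`.
            command += f" --parent-title {shlex.quote(parent)}"
        commands.append(command)
    return commands


if __name__ == "__main__":
    ordered, problems = plan_hostgroups(DESIGN_ROWS)
    for problem in problems:
        print("PROBLEM:", problem)
    for command in hammer_commands(ordered):
        print(command)
```

Running the script prints the duplicate-title problem first and then the 26 hammer calls in creation order; resolving the flagged row in the table before applying the hierarchy avoids a failed create halfway through a GitOps run.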
Security Management
Satellite supports security management in various ways, including update and errata management, OpenSCAP integration for system verification, update and security compliance reporting, and fine-grained role-based access control.
SELinux
SELinux will remain enabled, as is the system default, on Red Hat Satellite Server.
FIPS Mode
FIPS mode must be enabled on the system before Red Hat Satellite is installed. Satellite also supports provisioning hosts that comply with FIPS; refer to the documentation.
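Because FIPS mode has to be switched on before the installer runs, and the SELinux and sizing requirements above are easy to miss on a freshly built Azure instance, a pre-installation check is worth running. The script below is an added example, not part of the design document or of Red Hat's tooling. It reads facts from the running host (the sysfs and procfs paths are the standard RHEL locations) and compares them with the minimums stated in this design: x86_64, 4 cores, 32 GB RAM, a fully qualified hostname, SELinux enforcing, FIPS mode enabled, 20 GB for /var/lib/pgsql and 400 GB for /var/lib/pulp. check_prerequisites() takes a plain dict, so the same logic can be applied to facts gathered by other means.

```python
"""Pre-installation prerequisite check for a Red Hat Satellite Server host (added example)."""
import os
import platform
import shutil
import socket

# Minimums from the design document's system configuration and file system tables.
MIN_CORES = 4
MIN_RAM_GB = 32
MIN_FREE_GB = {"/var/lib/pgsql": 20, "/var/lib/pulp": 400}
# MemTotal in /proc/meminfo is a few percent below the installed amount
# (kernel-reserved memory), so allow that much slack on the RAM check.
RAM_TOLERANCE = 0.95


def read_flag(path):
    """True if a one-line sysfs/procfs file contains '1'; False if absent or anything else."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def mem_total_gb(path="/proc/meminfo"):
    """Parse MemTotal (reported in kB) from /proc/meminfo; 0.0 if unreadable."""
    try:
        with open(path) as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) / (1024 ** 2)
    except OSError:
        pass
    return 0.0


def free_gb(path):
    """Free space in GB on the filesystem holding path; 0.0 if the path does not exist yet."""
    if not os.path.isdir(path):
        return 0.0
    return shutil.disk_usage(path).free / (1024 ** 3)


def collect_facts():
    """Gather the facts the checks need from the live host (assumes RHEL paths)."""
    return {
        "arch": platform.machine(),
        "cores": os.cpu_count() or 0,
        "ram_gb": mem_total_gb(),
        "fqdn": socket.getfqdn(),
        "selinux_enforcing": read_flag("/sys/fs/selinux/enforce"),
        "fips_enabled": read_flag("/proc/sys/crypto/fips_enabled"),
        "free_gb": {path: free_gb(path) for path in MIN_FREE_GB},
    }


def check_prerequisites(facts):
    """Return a list of failure messages; an empty list means every check passed."""
    failures = []
    if facts["arch"] != "x86_64":
        failures.append(f"architecture is {facts['arch']}, not x86_64")
    if facts["cores"] < MIN_CORES:
        failures.append(f"{facts['cores']} CPU cores, minimum is {MIN_CORES}")
    if facts["ram_gb"] < MIN_RAM_GB * RAM_TOLERANCE:
        failures.append(f"{facts['ram_gb']:.1f} GB RAM, minimum is {MIN_RAM_GB} GB")
    fqdn = facts["fqdn"]
    if "." not in fqdn or fqdn.startswith("localhost"):
        failures.append(f"hostname {fqdn!r} is not a fully qualified domain name")
    if not facts["selinux_enforcing"]:
        failures.append("SELinux is not enforcing")
    if not facts["fips_enabled"]:
        failures.append("FIPS mode is not enabled (it must be enabled before installation)")
    for path, minimum in MIN_FREE_GB.items():
        have = facts["free_gb"].get(path, 0.0)
        if have < minimum:
            failures.append(f"{path}: {have:.0f} GB free, minimum is {minimum} GB")
    return failures


if __name__ == "__main__":
    problems = check_prerequisites(collect_facts())
    for problem in problems:
        print("FAIL:", problem)
    print("all prerequisites met" if not problems else f"{len(problems)} check(s) failed")
```

The free-space check reports 0 GB for a mount point that does not exist yet, so it doubles as a reminder to create the /var/lib/pgsql and /var/lib/pulp file systems before the installer is run rather than letting them land on the root volume.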
Entitlement-based Subscription Management
Simple Content Access (SCA) will be used as the subscription management mode. With SCA there is no requirement to attach the Red Hat Satellite Infrastructure Subscription to the Satellite Server using subscription-manager.
Realms
Red Hat Satellite has a realm feature that automatically manages the life cycle of any system registered to a realm or domain provider; this feature will be enabled.
Auto Membership
Identity Management (IdM) supports setting up automatic membership rules based on a system's attributes. Red Hat Satellite's realm feature lets administrators map Red Hat Satellite host groups to the IdM "userclass" parameter, which is what makes automembership possible. This feature will be enabled, so that when a system is added to the Satellite Server's hostgroup_name host group, it is automatically added to the Identity Management server's "hostgroup_name" host group as well. IdM host groups allow for Host-Based Access Control (HBAC), sudo policies and other IdM functions.
Domains
Location | Domain |
---|---|
Intranet | internal.showroom.run |
DMZ | showroom.run |
Subnets
All existing subnets used in the inventory will be configured on Red Hat Satellite.
Subnet Name | Subnet |
---|---|
Public | 10.1.0.0/29 |
Intra Management | 10.1.1.0/24 |
Intra Workload | 10.1.2.0/24 |
DMZ Management | 10.1.3.0/29 |
DMZ Workload | 10.1.3.128/25 |
Users, Roles and Role Based Access Controls
Red Hat Satellite supports using Red Hat Identity Management as an external authentication source. Red Hat IdM will be configured as the authentication provider. Users and groups from Red Hat Identity Management will be configured as follows:
User Group | Role |
---|---|
satellite-admins | Administrator |
satellite-users | Viewer |
Red Hat Satellite is expected to be configured through a GitOps framework, so there is no need to define any further access to the Red Hat Satellite WebUI.
Insights
The Red Hat Insights client will be installed on Red Hat Satellite Server and registered with Red Hat Insights to help maintain the Satellite Server and improve the ability to monitor and diagnose problems.
Backup
The built-in backup functionality of Red Hat Satellite Server will be used to facilitate recovery in the event of a disaster. Online backup mode will be used in the project, scheduled as a job template on Ansible Automation Controller.
Tuning
No tuning option will be applied after deployment, as the deployment will not include more than 5000 hosts and the default tuning profile will be applied.