Red Hat Satellite 6 : How to deploy and use pulp-admin?

Solution Verified - Updated

Environment

  • Red Hat Satellite or Proxy 6.9 and below versions

Issue

  • For some debugging / workaround purposes, we need to use the pulp-admin .. command.

  • How can I install and deploy pulp-admin?

  • pulp-admin commands fail with:

    The server hostname configured on the client did not match the name found in the
server's SSL certificate. The client attempted to connect to [satellite] but
the server returned [DNS:satellite1.example.com,
DNS:satellite2.example.com] as its hostname. The expected hostname can be
changed in the client configuration file.

Resolution

For Satellite 6.10 or newer, please follow this solution.

Warning: The pulp-admin command can easily corrupt your database or put the pulp or katello databases out of sync. The use of pulp-admin outside the scope and direction of Red Hat Global Support Services is unsupported.

Notice: The command is intended to be used as a workaround or debugging tool for Satellite6 issues. The tool itself offers some functionality not integrated with Satellite6. I.e. some pulp-admin commands might not work on Satellite6.

Procedure for Red Hat Satellite/Capsule 6.5-6.9:

Either install packages directly via yum with foreman-protector plugin disabled, or use foreman-maintain:

# pulpversion=$(rpm -qa pulp-server --queryformat "%{VERSION}")
# yum install pulp-admin-client-${pulpversion} pulp-rpm-admin-extensions.noarch --disableplugin=foreman-protector
(or)
# foreman-maintain packages install pulp-admin-client-${pulpversion} pulp-rpm-admin-extensions.noarch

Procedure for Satellite/Capsule 6.4 or older:

In Satellite 6.4 or older, ensure you have enabled Satellite tools repo as that contains some packages from deplist of pulp-admin, identify pulp-server package version and install proper packages:

# subscription-manager repos --enable=rhel-7-server-satellite-tools-6.4-rpms
# pulpversion=$(rpm -qa pulp-server --queryformat "%{VERSION}")
# yum install pulp-admin-client-${pulpversion} pulp-rpm-admin-extensions.noarch pulp-rpm-handlers.noarch

There are several ways how authentication can work with pulp-admin, as described below.

Authenticate to pulp in every pulp-admin call

To run a single pulp-admin command, use:

# pulpAdminPassword=$(grep ^default_password /etc/pulp/server.conf | cut -d' ' -f2)
# pulp-admin -u admin -p $pulpAdminPassword repo list

Using pulp-admin without password

  • Change the host name in /etc/pulp/admin/admin.conf and create pulp dir:
# sed -i.bak "20,30s/^# host:.*/host: $(hostname -f)/g" /etc/pulp/admin/admin.conf
# mkdir ~/.pulp/
# chmod 0700 ~/.pulp/
  • Copy the public client cert and private key to a file together:
# sudo cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
  • Run pulp-admin without username and password:
# pulp-admin repo list

Login just once to pulp/pulp-admin for Satellite 6.1

It is possible to get session certificate to prevent providing admin's password every time. This procedure stopped working since 6.2 and hasnt been tested on newer releases.

  • Change the host name in /etc/pulp/admin/admin.conf (manual change is required for Satellite 6.1, due to change of structure of the admin.conf):
sed -i.bak "20,30s/^# host:.*/host: $(hostname -f)/g" /etc/pulp/admin/admin.conf
  • Change the CA_PATH value to the one used on Red Hat Satellite 6 (manual change is required for Satellite 6.1, due to change of structure of the admin.conf):
    • run on Satellite:
default="/etc/pki/katello/certs/katello-default-ca.crt"
ca_cert=$(grep server_ca_cert /etc/foreman-installer/scenarios.d/satellite-answers.yaml /etc/katello-installer/answers.katello-installer.yaml 2> /dev/null | head -n1 | awk '{ print (($3 == "\"\"") || ($3 == "")) ? "'"${default}"'" : $3 } END { if (!NR) print "'"${default}"'" }')
sed -i.bak "s,^# ca_path: /etc.*,ca_path: ${ca_cert},g" /etc/pulp/admin/admin.conf
  • OR run on Capsule:
default="/etc/pki/katello/certs/katello-default-ca.crt"
ca_cert=$(grep server_ca_cert /etc/foreman-installer/scenarios.d/capsule-answers.yaml /etc/capsule-installer/answers.capsule-installer.yaml 2> /dev/null | head -n1 | awk '{ print (($3 == "\"\"") || ($3 == "")) ? "'"${default}"'" : $3 } END { if (!NR) print "'"${default}"'" }')
sed -i.bak "s,^# ca_path: /etc.*,ca_path: ${ca_cert},g" /etc/pulp/admin/admin.conf
  • Log in using the pulp-admin command:
# pulp-admin login -u admin -p $(grep ^default_password /etc/pulp/server.conf | cut -d' ' -f2)
Successfully logged in. Session certificate will expire at Dec 23 03:58:01 2014 GMT.

Use pulp-admin for your own purposes, e.g.:

pulp-admin repo list

  • In case pulp-admin command fails with the error mentioned in the issue section, edit /etc/pulp/admin/admin.conf and (in case it's not there) add a line with the fqdn that is on the certificate

    Something like:

     [server]
 host: satellite1.example.com     <== here
 [client]
 [filesystem]
 [output]

For more KB articles/solutions related to Red Hat Satellite 6.x Pulp 2.0 Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Pulp 2.0-related Issues

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.