How it Works
Redhat
Loading...
NETWORK PROXY SERVER 4.1.0
User Manual
44 pgs1.21 Mb0
Table of contents
Loading...

Redhat NETWORK PROXY SERVER 4.1.0 User Manual

RHN Proxy Server 4.1.0
Installation Guide
RHN Proxy Server 4.1.0: Installation Guide
Copyright © 2001 - 2005 Red Hat, Inc.
Red Hat, Inc.
1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA
RHNproxy(EN)-4.1.0-RHI (2005-04-20T13:40) Copyright © 2005 by Red Hat, Inc. This material may be distributedonly subject to the terms and conditions set forth in the Open PublicationLicense, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibitedwithout the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyrightholder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referencedherein are the property of their respective owners. The GPG fingerprint of the security@redhat.comkey is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E

Table of Contents

1. Introduction.................................................................................................................... 1
1.1. Red Hat Network ..............................................................................................1
1.2. RHN Proxy Server ............................................................................................1
1.3. Terms to Understand .........................................................................................2
1.4. How it Works ....................................................................................................3
2. Requirements..................................................................................................................7
2.1. Software Requirements .....................................................................................7
2.2. Hardware Requirements....................................................................................8
2.3. Disk Space Requirements .................................................................................8
2.4. Additional Requirements ..................................................................................9
3. Example Topologies .....................................................................................................11
3.1. Single Proxy Topology ...................................................................................11
3.2. Multiple Proxy Horizontally Tiered Topology ...............................................12
3.3. Multiple Proxy Vertically Tiered Topology ....................................................12
3.4. Proxies with RHN Satellite Server .................................................................13
4. Installation ....................................................................................................................15
4.1. Base Install......................................................................................................15
4.2. RHN Proxy Server Installation Process ..........................................................16
5. RHN Package Manager ...............................................................................................27
5.1. Creating a Private Channel .............................................................................27
5.2. Uploading Packages ........................................................................................27
5.3. Command Line Options ..................................................................................29
6. Troubleshooting............................................................................................................31
6.1. Managing the Proxy Service ...........................................................................31
6.2. Log Files .........................................................................................................31
6.3. Questions and Answers...................................................................................32
6.4. General Problems ............................................................................................32
6.5. Host Not Found/Could Not Determine FQDN ...............................................33
6.6. Connection Errors ...........................................................................................34
6.7. Caching Issues ................................................................................................34
6.8. Proxy Debugging by Red Hat .........................................................................35
A. Sample RHN Proxy Server Configuration File ........................................................37
Index..................................................................................................................................39

Chapter 1.

Introduction

1.1. Red Hat Network

Red Hat Network (RHN) is the environment for system-level support and management of Red Hat systems and networks of systems. Red Hat Network brings together the tools, services, and information repositories needed to maximize the reliability, security, and per­formance of their systems. To use RHN, system administrators register the software and hardware profiles, known as System Profiles, of their client systems with Red Hat Network. When a client system requests package updates, only the applicable packages for the client are returned (based upon the software profile stored on the RHN Servers).
Advantages of using Red Hat Network include:
Scalability — with Red Hat Network, a single system administrator can set up and main-
tain hundreds or thousands of Red Hat systems more easily, accurately, and quickly than they could maintain a single system without Red Hat Network.
Standard Protocols — standard protocols are used to maintain security and increase
capability. For example, XML-RPC gives Red Hat Network the ability to do much more than merely download files.
Security — all communication between registered systems and Red Hat Network takes
place over secure Internet connections.
View Errata Alerts — easily view Errata Alerts for all your client systems through one
website.
Scheduled Actions — use the website to schedule actions, including Errata Updates,
package installs, and software profile updates.
Simplification — maintaining Red Hat systems becomes a simple, automated process.

1.2. RHN Proxy Server

An RHN Proxy Server is a package-caching mechanism that reduces the bandwidth re­quirements for RHN and enables custom package deployment. Proxy customers cache RPMs, such as Errata Updates from Red Hat or custom RPMs generated by their organi­zation, on an internal, centrally-located server. Client systems then receive these updates from the Proxy rather than by accessing the Internet individually.
2 Chapter 1. Introduction
Although the packages are served by the Proxy, clients’ System Profiles and user infor­mation are stored on the secure, central RHN Servers1, which also serve the RHN website (rhn.redhat.com). The Proxy acts as a go-between for client systems and Red Hat Net­work (or an RHN Satellite Server). Only the package files are stored on the RHN Proxy Server. Every transaction is authenticated, and the Red Hat Update Agent checks the GPG signature of each package retrieved from the local RHN Proxy Server.
In addition to storing official Red Hat packages, the RHN Proxy Server can be configured to deliver an organization’s own custom packages from private RHN channels, using the RHN Package Manager. For instance, an organization could develop its own software, package it in an RPM, sign it with its own GPG signature, and have the local RHN Proxy Server update all of the individual systems in the network with the latest versions of the custom software.
Advantages of using RHN Proxy Server include:
Scalability — there can be multiple local RHN Proxy Servers within one organization.
Security — an end-to-end secure connection is maintained: from the client systems, to
the local RHN Proxy Server, to the Red Hat Network servers.
Saves time — packages are delivered significantly faster over a local area network than
the Internet.
Saves bandwidth — packages are downloaded from RHN only once (per local Proxy
Server’s caching mechanism) instead of downloading each package to each client sys­tem.
Customized updates — create a truly automated package delivery system for custom
software packages, as well as official Red Hat packages required for the client systems. Custom private RHN channels allow an organization to automate delivery of in-house packages.
Customized configuration — restrict or grant updates to specific architectures and OS
versions.
Only one Internet connection required — Because clients connect only to the RHN
Proxy Server and not the Internet, they require only a Local Area Network connection to the Proxy. Only the RHN Proxy Server needs an Internet connection to contact the RHN Servers, unless the RHN Proxy Server is using a RHN Satellite Server, in which case only the RHN Satellite Server requires an Internet connection.
1. Throughout thisdocument, "RHN" may refer to either RHN’s Hosted site (http://rhn.redhat.com)
or an RHN Satellite Server.
Chapter 1. Introduction 3

1.3. Terms to Understand

Before understanding RHN Proxy Server, it is important to become familiar with the fol­lowing Red Hat Network terms:
Channel
A channel is a list of software packages. There are two types of channels: base chan­nels and child channels. A base channel consists of a list of packages based on a specific architecture and Red Hat release. A child channel is a channel associated with a base channel that contains extra packages.
Organization Administrator
An Organization Administrator is a user role with the highest level of control over an organization’s Red Hat Network account. Members with this role can add other users, other systems, and system groups to the organization, as well as remove them. A Red Hat Network organization must have at least one Organization Administrator.
Channel Administrator
A Channel Administrator is a user role with full access to channel management capa­bilities. Users with this role are capable of creating channels and assigning packages to channels. This role can be assigned by an Organization Administrator through the Users tab of the RHN website.
Red Hat Update Agent<
The Red Hat Update Agent is the Red Hat Network client application (up2date) that allows users to retrieve and install new or updated packages for the client system on which the application is run.
Traceback
A traceback is a detailed description of "what went wrong" that is useful for trou­bleshooting the RHN Proxy Server. Tracebacks are automatically generated when a critical error occurs and are emailed to the individual(s) designated in the RHN Proxy Server’s configuration file.
For more detailed explanations of these terms and others, refer to the Red Hat Network Reference Guide available at http://www.redhat.com/docs/ and http://rhn.redhat.com/help.

1.4. How it Works

The Red Hat Update Agent on the client systems does not directly contact a Red Hat Network Server. Instead, the client (or clients) connects in turn to an RHN Proxy Server that connects to the Red Hat Network Servers or to a RHN Satellite Server. Thus, the client
4 Chapter 1. Introduction
systems do not need direct access to the Internet. They need access only to the RHN Proxy Server.
Important
Red Hat strongly recommends that clients connected to an RHN Proxy Server be running the latest update of Red Hat Enter prise Linux to ensure proper connectivity.
Clients that access RHN directly are authenticated by the RHN servers. Clients that access an RHN Proxy Server are still authenticated by RHN; however, in this case the Proxy pro­vides both authentication and route information to RHN. After a successful authentication, the Red Hat Network Server informs the RHN Proxy Server that it is permitted to execute a specific action for the client. The RHN Proxy Server downloads all of the updated packages (if they are not already present in its cache) and delivers them to the client system.
Requests from the Red Hat Update Agent on the client systems are still authenticated on the server side, but package delivery is significantly faster since the packages are cached in the HTTP Proxy Caching Server or the RHN Proxy Server (for local packages); the RHN Proxy Server and client system are connected via the LAN and are limited only by the speed of the local network.
Authentication is done in the following order:
1. The client performs a login action at the beginning of a client session. This login is passed through one or more RHN Proxy Servers until it reaches a Red Hat Network Server.
2. The Red Hat Network Server attempts to authenticate the client. If authentication is successful, the server then passes back a session token via the chain of RHN Proxy Servers. This token, which has a signature and expiration, contains user information, including channel subscriptions, username, etc.
3. Each RHN Proxy Server caches this token on its local file system in
/var/cache/rhn/. Caching reduces some of the overhead of authenticating with
Red Hat Network Servers and greatly improves the performance of Red Hat Network.
4. This session token is passed back to the client machine and is used in subsequent actions on Red Hat Network.
From the client’s point of view, there is no difference between an RHN Proxy Server and a Red Hat Network Server. From the Red Hat Network Server’s point of view, an RHN Proxy Server is a special type of RHN client. Clients are thus not affected by the route a request takes to reach a Red Hat Network Server. All the logic is implemented in the RHN Proxy Servers and Red Hat Network Servers.
Chapter 1. Introduction 5
Optionally, the RHN Package Manager can be installed and configured to serve custom packages. Any package that is not an official Red Hat package, including custom packages written specifically for an organization, can only be served from a private software channel (also referred to as a custom software channel). After creating a private RHN channel, the custom RPM packages are associated with that channel by uploading the package head­ers to the RHN Servers. Only the headers are uploaded, not the actual package files. The headers are required because they contain crucial RPM information, such as software de­pendencies, that allows RHN to automate package installation. The actual custom RPM packages are stored on the RHN Proxy Server and sent to the client systems from inside the organization’s local area network.
Configuring a computer network to use RHN Proxy Servers is straightforward. The Red Hat Network applications on the client systems must be configured to connect to the RHN Proxy Server instead of the Red Hat Network Servers. Refer to the RHN Client Configu- ration Guide for details. On the proxy side, one has to specify the next proxy in the chain (which eventually ends with a Red Hat Network Server). If the RHN Package Manager is used, the client systems must be subscribed to the private RHN channel.
6 Chapter 1. Introduction

Chapter 2.

Requirements

These requirements must be met before installation. To install RHN Proxy Server version
3.6 or later from RHN Satellite Server, the Satellite itself must be version 3.6 or later.

2.1. Software Requirements

To perform an installation, the following software-related components must be available:
Base operating system — RHN Proxy Server is supported with Red Hat Enterprise
Linux AS 3 Update 5 or later, or Red Hat Enterprise Linux AS 4 only. The operat­ing system can be installed from disc, local ISO image, kickstart, or any of the methods supported by Red Hat.
Important
If you plan to obtain Monitoring-level service, you must install your RHN Proxy Server on Red Hat Enterprise Linux AS 3 Update 5 or Red Hat Enterprise Linux AS 4. These are the only supported base operating systems for Proxies serving Monitoring-entitled systems.
Each version of Red Hat Enterprise Linux AS requires a certain package set to support RHN Proxy Server. Anything more can cause errors during installation. Therefore, Red Hat recommends obtaining the desired package set in the following ways:
Note
For kickstarting either Red Hat Enterprise Linux AS 4 or Red Hat Enterprise Linux AS 3 Update 5, specify the following package group: @ Base
For installing Red Hat Enterprise Linux AS 4 or Red Hat Enterprise Linux AS 3 Update 5 via CD or ISO image, select the following package group: Minimal
Warning
Security-enhanced Linux (SELinux) must be disabled in Red Hat Enterprise Linux AS 4 prior to installation of RHN Proxy Server. This may be done in one of several ways:
During CD or ISO image installation, select Disabled when presented with options
for SELinux support.
8 Chapter 2. Requirements
To do this for kickstart installation, include the command selinux --disabled
After the installation is complete, edit the /etc/selinux/config file to read
SELINUX=disabled and reboot the system.
Finally, you can use the system-config-securitylevel-tui command and reboot
the system.
An available RHN Proxy Server entitlement within your Red Hat Network account.
An available Provisioning entitlement within your Red Hat Network account (which
should come packaged with your RHN Proxy Server entitlement).
Access to the Red Hat Network Tools channel for the installed version of Red Hat En-
terprise Linux AS.
All rhncfg* packages installed on the Proxy (from the RHN Tools channel).
Either the rhns-certs-tools package installed on the Proxy (from the RHN Tools
channel) or the secure sockets layer (SSL) CA certificate password used to generate the parent server certificate (such as on an RHN Satellite Server).
Configuration of the system to accept remote commands and configuration management
through Red Hat Network. Refer to Section 4.2 RHN Proxy Server Installation Process for instructions.

2.2. Hardware Requirements

The following hardware configuration is required for the RHN Proxy Server:
Pentium III processor, 1.26GHz, 512K cache or equivalent
512 MB of memory
3 GB storage for base install of Red Hat Enterprise Linux AS
6 GB storage per distribution/channel
The load on the Apache HTTP Server is directly related to the frequency with which client systems connect to the Proxy. If you reduce the default interval of four hours (or 240 min­utes) as set in the /etc/sysconfig/rhn/rhnsd configuration file of the client systems, you will increase the load on this component significantly.

2.3. Disk Space Requirements

The caching mechanism used by RHN Proxy Server is the Squid HTTPproxy, which saves significant bandwidth for the clients. It should have a reasonable amount of space available. The cached packages are stored in /var/spool/squid. The required free space allotment is 6 GB storage per distribution/channel.
Chapter 2. Requirements 9
If the RHN Proxy Server is configured to distribute custom, or local packages, make sure that the /var mount point on the system storing local packages has sufficient disk space to hold all of the custom packages, which are stored in /var/spool/rhn-proxy. The required disk space for local packages depends on the number of custom packages served.

2.4. Additional Requirements

The following additional requirements must be met before the RHN Proxy Server installa­tion can be considered complete:
Full Access
Client systems need full network access to the RHN Proxy Server services and ports.
Firewall Rules
The RHN Proxy Server solution can be firewalled from the Internet, but it must be able to issue outbound connections to the Internet on ports 80 and 443. In addition, if the Proxy will be connected to an RHN Satellite Server that will be configured to push actions to client systems and the Proxy, you must allow inbound connections on port 5222.
Synchronized System Times
There is great time sensitivity when connecting to a Web server running SSL (Se­cure Sockets Layer); it is imperative the time settings on the clients and server are reasonably close together so the that SSL certificate does not expire before or during use. It is recommended that Network Time Protocol (NTP) be used to synchronize the clocks.
Fully Qualified Domain Name (FQDN)
The system upon which the RHN Proxy Server will be installed must resolve its own FQDN properly.
A Red Hat Network Account
Customers who will be connecting to the central Red Hat Network Servers to receive incremental updates must have a Red Hat Network account. The sales representative assists with the setup of this account at the time of purchase.
Backups of Login Information
It is imperative that customers keep track of all primary login information. For RHN Proxy Server, this includes usernames and passwords for the Organization Adminis­trator account and SSL certificate generation. Red Hat strongly recommends this in­formation be copied onto two separate floppy disks, printed out on paper, and stored in a fireproof safe.
10 Chapter 2. Requirements
Distribution Locations
Since the Proxy forwards virtually all local HTTP requests to the central RHN Servers, you must take care to put files destined for distribution (such as in a kickstart installation tree) in the non-forwarding location on the Proxy:
/var/www/html/pub/. Files placed in this directory can be downloaded directly
from the Proxy. This can be especially useful for distributing GPG keys or establishing installation trees for kickstarts.
In addition, Red Hat recommends that the system running the code not be publicly avail­able. No users but the system administrators should have shell access to these machines. All unnecessary services should be disabled. You can use ntsysv or chkconfig to disable services.
Finally, you should have the following technical documents in hand for use in roughly this order:
1. The RHN Proxy Server Installation Guide — This guide, which you are now reading, provides the essential steps necessary to get an RHN Proxy Server up and running.
2. The RHN Client Configuration Guide — This guide explains how to configure the systems to be served by an RHN Proxy Server or RHN Satellite Server. (This will also likely require referencing The RHN Reference Guide, which contains steps for registering and updating systems.)
3. The RHN Channel Management Guide — This guide identifies in great detail the recommended methods for building custom packages, creating custom channels, and managing private Errata.
4. The RHN Reference Guide — This guide describes how to create RHN accounts, reg­ister and update systems, and use the RHN website to its utmost potential. This guide will probably come in handy throughout the installation and configuration process.
Loading...
+ 30 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use