Red Hat Satellite is Red Hat’s centralized lifecycle management platform for RHEL infrastructure at scale. It combines provisioning, patching, content governance, subscription enforcement, automation, and compliance into a single, API-driven system.
For enterprises managing hundreds to tens of thousands of systems, Satellite becomes the control plane for:
- OS lifecycle enforcement
- CVE and errata governance
- Air-gapped operations
- Compliance reporting (STIG, CIS, PCI)
- Automated remediation
This guide goes far beyond installation basics and dives into production-grade design, scaling limits, internals, and operational realities.
Satellite Architecture
| Component | Role |
|---|---|
| Foreman | Web UI, REST API, provisioning, orchestration |
| Katello | Content Views, errata, lifecycle environments |
| Pulpcore | Artifact storage, repo sync, content distribution |
| Candlepin | Subscription enforcement & entitlement |
| PostgreSQL | Metadata, host state, content mapping |
| Redis | Task queueing, caching |
| Qpid/AMQP | Messaging between services |
| Capsule | Scaled content delivery + proxy services |
Hardware Sizing:
| Component | Minimum | Recommended (500+ clients) |
|---|---|---|
| CPU | 8 cores | 16+ cores @ 2.5GHz+ |
| RAM | 20 GB | 64 GB+ (with swap) |
| Storage | 500 GB | 2 TB+ RAID10 (separate /var/lib/pulp for content) |
| Network | 1 Gbps NIC, static IP | Bonded 10 Gbps |
Pulpcore storage dominates sizing
RHEL BaseOS + AppStream alone can exceed 300 GB per major release.
Filesystem Recommendations
| Path | FS | Notes |
|---|---|---|
| /var/lib/pulp | XFS | Required for large inode counts |
| /var/lib/pgsql | XFS | Separate disk recommended |
| /var/log | XFS | High write volume |
| / | XFS | Default |
Mount options:
noatime,nodiratime
Networking & Firewall (Common Failure Point)
Required Ports (Satellite → Clients)
| Port | Purpose |
|---|---|
| 443 | HTTPS (repos, API, CA) |
| 5647 | Katello agent (legacy) |
| 5646–5648 | Qpid |
| 9090 | Pulpcore API |
| 8000 | Pulpcore content |
| 67/69 | DHCP/TFTP (provisioning) |
Firewall example:
# firewall-cmd --permanent --add-service=https
# firewall-cmd --permanent --add-port=5646-5648/tcp
# firewall-cmd --reload
Satellite Installation
Installer Flags That Matter
# satellite-installer \
--scenario satellite \
--foreman-proxy-content-parent-fqdn satellite.example.com \
--foreman-proxy-pulp-content true \
--pulp-num-workers 16 \
--foreman-db-pool 30 \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-ansible
Why These Matter
- pulp-num-workers: Controls parallel repo sync speed
- foreman-db-pool: Prevents DB starvation at scale
- Remote execution enables agentless command runs
PostgreSQL Tuning:
Satellite’s DB becomes a bottleneck long before CPU does.
Recommended settings:
shared_buffers = 25% RAM
work_mem = 64MB
maintenance_work_mem = 2GB
max_connections = 300
Location:
/var/lib/pgsql/data/postgresql.conf
Content Views:
Bad Pattern
- One Content View with everything
- Frequent republishing
- No errata filters
Scalable Pattern
- Base CV per OS major version
- Filtered CVs per environment
- Promote, never overwrite
Example:
- RHEL9-Base-CV
- RHEL9-App-DB-CV
- RHEL9-App-Web-CV
Errata filters:
- Security only
- Severity ≥ High
- Release date ≤ 90 days
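The three errata filter rules above, evaluated in code as an added example (not part of the original post or of Katello): a small selector run over constructed records shaped like Katello's errata API output (`errata_id`, `type`, `severity`, `issued`). Red Hat advisories use the severities Critical/Important/Moderate/Low, so the page's "High" threshold is taken here to mean Important; the advisory IDs and dates are constructed, and the clock is pinned so the result is reproducible.

```python
from datetime import date

# Red Hat erratum severities, ranked. "High" in the page maps to "Important"
# (assumption: Red Hat has no "High" level). Unknown/empty severity ranks below Low.
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}

# Constructed sample records in the shape Katello's errata API returns; not real advisories.
SAMPLE_ERRATA = [
    {"errata_id": "RHSA-EXAMPLE:0001", "type": "security", "severity": "Critical", "issued": "2024-05-01"},
    {"errata_id": "RHSA-EXAMPLE:0002", "type": "security", "severity": "Important", "issued": "2024-03-15"},
    {"errata_id": "RHSA-EXAMPLE:0003", "type": "security", "severity": "Moderate", "issued": "2024-05-20"},
    {"errata_id": "RHSA-EXAMPLE:0004", "type": "security", "severity": "Critical", "issued": "2024-01-10"},
    {"errata_id": "RHBA-EXAMPLE:0005", "type": "bugfix", "severity": "None", "issued": "2024-05-25"},
    {"errata_id": "RHEA-EXAMPLE:0006", "type": "enhancement", "severity": "", "issued": "2024-05-28"},
]

# Pinned "today" so the 90-day window below is deterministic (constructed date).
TODAY = date(2024, 6, 1)


def errata_matches(erratum, today=TODAY, min_severity="Important", max_age_days=90):
    """Apply the page's filter: security only, severity >= threshold, issued within the window."""
    if erratum.get("type") != "security":
        return False
    # Errata with no or unrecognised severity never clear the threshold.
    if SEVERITY_RANK.get(erratum.get("severity"), -1) < SEVERITY_RANK[min_severity]:
        return False
    issued = date.fromisoformat(erratum["issued"])
    return (today - issued).days <= max_age_days


def select_errata(errata, today=TODAY, min_severity="Important", max_age_days=90):
    """Return the sorted advisory IDs that the filter would include in the Content View."""
    return sorted(
        e["errata_id"] for e in errata
        if errata_matches(e, today, min_severity, max_age_days)
    )


if __name__ == "__main__":
    for errata_id in select_errata(SAMPLE_ERRATA):
        print(errata_id)
```

Widening the window or lowering the threshold changes the selection, which is a quick way to sanity-check a filter before publishing a Content View version.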
Hammer CLI:
Bulk Repo Sync
The --csv and --no-headers options keep hammer's table header and separator lines out of the pipeline, so only repository IDs reach xargs:
# hammer --csv --no-headers repository list --organization "Default Org" | \
awk -F, '{print $1}' | \
xargs -n1 hammer repository synchronize --id
Promote Content View Automatically
# hammer content-view version promote \
--organization "Default Org" \
--content-view "RHEL9-Base" \
--version 3.2 \
--to-lifecycle-environment "Production"
The --organization option is needed for hammer to resolve the Content View by name.
Capsule Servers:
When You Need Capsules
- 500+ clients
- Multiple data centers
- WAN latency
- Air-gapped zones
Capsules offload:
- Repo sync
- Host registration
- Puppet/Ansible execution
One capsule per 500–1,000 hosts is typical.
High Availability:
Supported HA Model
- Multiple Capsules
- External PostgreSQL (Patroni / managed DB)
- Load-balanced Pulpcore
Not Supported
- Active/active Satellite servers
- Shared filesystem for Pulp
Satellite itself is single-primary by design.
Ansible & Puppet Integration
Ansible
- Uses ansible-runner
- Inventory auto-generated from Satellite
- Roles synced from Galaxy or Git
# hammer ansible roles import --organization "Default Org"
Puppet (Legacy but still used)
- Puppet CA auto-sign
- ENC data from Satellite
- Suitable for static infra
Compliance & Security (OpenSCAP)
Profiles:
- DISA STIG
- CIS
- PCI-DSS
Workflow:
Scan → Report → Remediate (Ansible) → Re-scan
Satellite stores historical compliance drift, which auditors love.
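The compliance drift mentioned above, worked through as an added example that is not part of the original post: a parser for the XCCDF rule results that OpenSCAP produces (the same TestResult structure Satellite ingests from its ARF uploads) and a diff of two scans that reports rules that regressed, were fixed, or are new. The two scan documents are constructed inline; the rule IDs follow the SCAP Security Guide naming scheme but the results are made up.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def _test_result(rule_results):
    """Build a minimal XCCDF TestResult document (constructed sample, not a real scan)."""
    rows = "".join(
        f'<rule-result idref="{rule}"><result>{outcome}</result></rule-result>'
        for rule, outcome in rule_results
    )
    return f'<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult">{rows}</TestResult>'


RULE = "xccdf_org.ssgproject.content_rule_"
# Previous scan: root SSH login disabled, password minimum length not enforced.
SCAN_PREVIOUS = _test_result([
    (RULE + "sshd_disable_root_login", "pass"),
    (RULE + "accounts_password_minlen_login_defs", "fail"),
    (RULE + "service_firewalld_enabled", "pass"),
])
# Current scan: someone re-enabled root SSH login; password length was remediated;
# a rule added by a newer profile shows up as notapplicable.
SCAN_CURRENT = _test_result([
    (RULE + "sshd_disable_root_login", "fail"),
    (RULE + "accounts_password_minlen_login_defs", "pass"),
    (RULE + "service_firewalld_enabled", "pass"),
    (RULE + "sshd_set_idle_timeout", "notapplicable"),
])


def parse_rule_results(xccdf_xml):
    """Map rule id -> result. iter() finds rule-result elements however deeply an ARF nests them."""
    root = ET.fromstring(xccdf_xml)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find(f"{{{XCCDF_NS}}}result")
        if result is not None and result.text:
            results[rr.get("idref")] = result.text.strip()
    return results


def compliance_drift(previous_xml, current_xml):
    """Compare two scans: pass->fail is a regression, fail->pass a fix, unseen ids are new rules."""
    prev, cur = parse_rule_results(previous_xml), parse_rule_results(current_xml)
    return {
        "regressed": sorted(r for r in cur if cur[r] == "fail" and prev.get(r) == "pass"),
        "fixed": sorted(r for r in cur if cur[r] == "pass" and prev.get(r) == "fail"),
        "new": sorted(r for r in cur if r not in prev),
    }
```

A regression list that is non-empty after a scheduled scan is the signal worth alerting on, since it means a previously enforced baseline control was undone between scans.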
Common Production Failures:
Pulp Disk Full
Symptoms:
Repo sync hangs
500 errors
Fix:
# df -h /var/lib/pulp
# pulp orphan cleanup
The pulp command above is the pulp-cli form; on a Satellite server the supported equivalent is the rake task:
# foreman-rake katello:delete_orphaned_content
Client Registration Loops
Cause:
Wrong lifecycle environment
Missing CA RPM
Fix:
# subscription-manager clean
# rpm -e katello-ca-consumer*
Satellite Slowness
Cause:
DB pool exhaustion
Too many parallel syncs
Fix:
Increase DB pool
Stagger sync jobs
Operational Best Practices
- Always snapshot before major syncs
- Never delete content views in use
- Promote, don’t modify
- Separate OS and app content
- Monitor Pulp disk I/O
- Keep Satellite updated quarterly
Final Thoughts
Red Hat Satellite is not just a patching tool—it’s a governance platform. When designed correctly, it:
- Eliminates configuration drift
- Enforces security baselines
- Simplifies audits
- Scales predictably
Most Satellite failures are design failures, not software bugs.