dweff
Mission Specialist
Mission Specialist
  • 558 Views

Keeping Satellite up to date

Jump to solution

@jessescott 

Two questions:

  1. What am I supposed to do to keep my Satellite installation up to date between releases?
  2. How often should I plan on upgrading to the latest Satellite release?

Running "dnf update" results in "WARNING: Excluding 50477 packages due to foreman-protector."  I opened a support ticket and was told to run "satellite-maintain packages update".  That command results in its own dire warning message.  I was also informed that Satellite 6.11 (the version we used in the course) product support has ended.

Should I not run any patching/updates on the Satellite server, but just plan on migrating to the latest version every year?

Apparently my Google-foo is very weak on the Red Hat site, so any help you can provide pointing me towards the best practices for maintaining my server would be greatly appreciated!!

3 Solutions

Accepted Solutions
Travis
Moderator
Moderator
  • 488 Views

@dweff -

Layered products, you never want to do a "YUM UPDATE" first. Most layered products should have their own method of updating the system to prevent breakage. Luckily, Red Hat Satellite uses a YUM Version Lock to prevent packages from being installed and updated. Instead, you should use the forema-maintain or satellite-maintain which will unlock the yum repositories and allow installation of packages and upgrading of packages.

This additional command protects the user from accidentally installing or putting on incompatible package versions.

The satellite-maintain --help can be your friend in this instance. It should show there is an upgrade command that lets you do things like an upgrade. There is also a packages command that allows you to install a package and needs to be used instead of yum install on a satellite so it can properly version lock the packages and keep satellite in a proper working order.

 

Second question is a little more difficult as only you can decide how often you want to update. Updating on a regular basis to the most current "dot" release is generally easier and can keep you from going unsupported because sometimes upgrading across more major releases can be much more difficult and definitely more time consuming.

https://access.redhat.com/support/policy/updates/satellite

 

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training

View solution in original post

Travis
Moderator
Moderator
  • 440 Views

@dweff -

This is a totally different question as that has nothing to do with updating Satellite server, but instead updating repositories. The updates here are to either synchronize the channels, or the better solution would be a Sync Plan.

In terms of Satellite versions however or new repository versions, you will first need to go into the setup and add those as repositories that are available, perform the syncs, and add those to your sync plan.

If you are using the full functionalities of Satellite, you are hopefully using Content Views and  Lifecycle environments, so the next step woudl be to publish and promote updated content views so that subscribed systems can consume the updates.

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training

View solution in original post

dweff
Mission Specialist
Mission Specialist
  • 406 Views

Thanks guys. I got the answer to my questions elsewhere, but I'll post here in case anyone else is taking this class trying to figure out how to keep inherited Satellite servers up to date.

  1. What am I supposed to do to keep my Satellite installation up to date between releases
    1. Most customers need to treat the Satellite as an appliance, the version lock is there for a reason.
      This is your infrastructure to support your infrastructure, you shouldn't have to update your underlying RHEL that is running Satellite specifically.
      Let the major point releases manage all the updates and packages, no need to use the satellite-maintain updates unless there's some direction from RHEL support. The kernel will get updated and all relevant packages get updated when you upgrade to the next major release.
  2. How often should I plan on upgrading to the latest Satellite release?
    1. In terms of cadence, once a year is what I tell customers.
      You don't have to go to 6.15 unless you really need a specific feature.
      Upgrade to 6.13 at minimum now. Then move to 6.14 in fall.

View solution in original post

0 Kudos
10 Replies
Travis
Moderator
Moderator
  • 489 Views

@dweff -

Layered products, you never want to do a "YUM UPDATE" first. Most layered products should have their own method of updating the system to prevent breakage. Luckily, Red Hat Satellite uses a YUM Version Lock to prevent packages from being installed and updated. Instead, you should use the forema-maintain or satellite-maintain which will unlock the yum repositories and allow installation of packages and upgrading of packages.

This additional command protects the user from accidentally installing or putting on incompatible package versions.

The satellite-maintain --help can be your friend in this instance. It should show there is an upgrade command that lets you do things like an upgrade. There is also a packages command that allows you to install a package and needs to be used instead of yum install on a satellite so it can properly version lock the packages and keep satellite in a proper working order.

 

Second question is a little more difficult as only you can decide how often you want to update. Updating on a regular basis to the most current "dot" release is generally easier and can keep you from going unsupported because sometimes upgrading across more major releases can be much more difficult and definitely more time consuming.

https://access.redhat.com/support/policy/updates/satellite

 

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
jessescott
Flight Engineer Flight Engineer
Flight Engineer
  • 460 Views

@dweff, thank you for reaching out after taking our RH403 course in the Red Hat Learning Subscription! @Travis has done an excellent job answering your questions about Satellite updates. Hope this helps to get you on the right track!

0 Kudos
dweff
Mission Specialist
Mission Specialist
  • 448 Views

Sorry - I don't think I'm asking my question clearly. What's the command to run on Satellite that will update the following repositories from cdn.redhat.com on the Satellite server:
rhel-8-for-x86_64-baseos-rpms
rhel-8-for-x86_64-appstream-rpms
satellite-6.15-for-rhel-8-x86_64-rpms
satellite-maintenance-6.15-for-rhel-8-x86_64-rpms
module satellite:el8

Travis
Moderator
Moderator
  • 441 Views

@dweff -

This is a totally different question as that has nothing to do with updating Satellite server, but instead updating repositories. The updates here are to either synchronize the channels, or the better solution would be a Sync Plan.

In terms of Satellite versions however or new repository versions, you will first need to go into the setup and add those as repositories that are available, perform the syncs, and add those to your sync plan.

If you are using the full functionalities of Satellite, you are hopefully using Content Views and  Lifecycle environments, so the next step woudl be to publish and promote updated content views so that subscribed systems can consume the updates.

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
dweff
Mission Specialist
Mission Specialist
  • 407 Views

Thanks guys. I got the answer to my questions elsewhere, but I'll post here in case anyone else is taking this class trying to figure out how to keep inherited Satellite servers up to date.

  1. What am I supposed to do to keep my Satellite installation up to date between releases
    1. Most customers need to treat the Satellite as an appliance, the version lock is there for a reason.
      This is your infrastructure to support your infrastructure, you shouldn't have to update your underlying RHEL that is running Satellite specifically.
      Let the major point releases manage all the updates and packages, no need to use the satellite-maintain updates unless there's some direction from RHEL support. The kernel will get updated and all relevant packages get updated when you upgrade to the next major release.
  2. How often should I plan on upgrading to the latest Satellite release?
    1. In terms of cadence, once a year is what I tell customers.
      You don't have to go to 6.15 unless you really need a specific feature.
      Upgrade to 6.13 at minimum now. Then move to 6.14 in fall.
0 Kudos
Travis
Moderator
Moderator
  • 392 Views

@dweff -

I'm glad you got the answer you wanted elsewhere and happy what you wrote works for you and your environment, so again, based on what you posted above now, it has nothing to do with the channels which Satellite provides packages to other users and more the OS and the actual Satellite layered product/application that is runnign on a given server.

To other users reading this post, I would advise caution with the information provided above as upgrading based on those guidelines can cause potential issues with securtiy and system integrity. If an organization has a patching policy of 90 days or whatever cycle, that is how often you should upgrade. The statellite-maintain command should be used to keep the system patched and upgraded and there could be many kernel and other security updates that come out well before a point (dot) release of Satelltie or in terms of major versions of Satellite. I also posted a link to the Satellite Lifecycle which I will once again share here...

 

https://access.redhat.com/support/policy/updates/satellite

 

If you look at the link above Satellite 6.13 goes EOL November 2024, but that is only for people with the extended maintenance support. Regular support ended for this version in 2023.

No matter what you do to upgrade/update the server or the cadence, you must always use satellite-maintain and the officially supported process. The maintenance channels ensure you are getting only approved packages for your version of the satellite and it also keeps you from upgrading to a newer version of Satellite at a major version level.

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.15/html/updating_red_hat_satellite...

Again this process ensures the correct patching channels are enabled for your system and does the regular RPM patching. It uses DNF to check if restarting is needed and if so, you reboot the system. This applies to all Kernel and security and other bugfix patches.

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
0 Kudos
dweff
Mission Specialist
Mission Specialist
  • 383 Views

@Travis 

Please help me to understand - above you've correctly identified my original question as posted - What am I supposed to do to keep my Satellite installation up to date between releases? - "the actual Satellite layered product/application that is runnign on a given server."

You state "The statellite-maintain command should be used to keep the system patched and upgraded"

Please go into more detail.  The satellite-maintain packages command has the following options: check-update -h --help install is-locked lock status unlock update.

When I run satellite-maintain packages update I get the following warning:

Running update packages in unlocked session
=======================================================================
Confirm update all is intentional:

WARNING: No specific packages to update were provided
so we are going to update all available packages.
It is recommended to update everything only as part of upgrade
of the Satellite to the next version.
To Upgrade to next version use 'foreman-maintain upgrade'.

NOTE: --assumeyes is not applicable for this check

Do you want to proceed with update of everything regardless
of the recommendations?, [y(yes), q(quit)]

Are you suggesting that I should ignore the warning and procede with the update in a production Satellite installation?

The link for Chapter 2. Updating Satellite Server doesn't provide any information for keeping a Satellite server up to date between point(dot) releases - it's to Update your connected Satellite Server to the next minor version.

@Travis- please please please!!! I really want to understand this!!  Please provide lesson text or satellite documentation on the process to keep my Satellite installation patched between the point(dot) releases.

0 Kudos
Travis
Moderator
Moderator
  • 376 Views

@dweff -

The key is having the correct channels enabled on Satellite, in this instance the Z-Stream channels (EUS) channels which have the patches. The upgrade can then check for minor releases of the Satellite version along with the other packages for the operating system. What I'm trying to state is that you should never use "YUM" to update packages directly as they are locked for a reason.

You should be able to check for updates in a current version which would be minor releases without a major version bump to get the kernel packages and other bugfixes updated. The current course no longer teaches the updates of Satellite, but I posted the link to the documentation. Really, what is different is terminology here on update (which is packages) vs. upgrade which changes Satellite to a newer version (Typically speaking). The updates are the minor releases and that would yes (update the satellite) but it also updates the other packages on the system, but ensures those updates don't interfere or cause version conflicts with the Satellite processes.

You don't want to do packages upgrade, you want to do the 

satellite-maintain upgrade run

and the target version be the same Z-stream (Major/Minor) release you're already on. 

 

If you are a Red Hat subscriber I would strongly recommend opening a pro-active support ticket to have Red Hat support engineers validate your update/upgrade plan before proceeding forward. Some of our other layered products are a little bit easier in that you can run the "update process" and it will update things if needed, fix yum versionlock, and then you can safely do a regular "yum update". That isn't quite the same with Satellite.

 

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
0 Kudos
dweff
Mission Specialist
Mission Specialist
  • 374 Views

@TravisThank you!

I will spin up a test Satellite and some test servers tomorrow and try this out!!

0 Kudos
Join the discussion
You must log in to join this conversation.