Hide Forgot
Document URL: Currently me pointing to Sat6.1 link https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/pdf/User_Guide/Red_Hat_Satellite-6.1-User_Guide-en-US.pdf Section Number and Name: 9.1 Installation Step 5) Precisely this step needs to be expanded in more detail for the workflow changes. "Import the puppet classes and associate them with specific environments." Describe the issue: Changes required **only** for Satellite 6.2 release. Some background related to puppet-environment related changes between Satellite6.1 and Satellite6.2. Earlier with Satellite6.1: 1) Puppet Environment (kt_<env>) was created for every Content-Views even if no puppet modules were added to the Content-Views. 2) So, when puppet-foreman_scap_client RPM was installed under /usr/share/puppet/modules/ it was automatically made available to all the puppet environments. 3) The puppet environment is visible in the select box, during the "new host" page. 4) This I believe helped the puppet-class 'foreman_scap_client' available for all the "Hosts", irrespective of CV or the puppet-environment. Now with Satellite6.2/Nightlies: 1) Puppet Environments (kt_<env>) are created only if Content-views contains any "puppet modules" in it. 2) so, now when puppet module "foreman_scap_client" is installed. 3) The puppet environment is now not visible in the select box, during the "new host" creation , due to the changes mentioned as per 1). The Problem: 4) So now, asking the user to add "foreman_scap_client" puppet-module to every CV would be difficult to handle for OSCAP functionality. Below Updation Required: --------------------------- Need updation to sat6.2 docs because of changes in work-flow, related to importing of puppet-class (puppet-foreman_scap_client) to a puppet_environment. 5) So, used already existing "production" puppet environment visible via the UI and on the file-system of satellite "mkdir -p /etc/puppet/environments/production/modules" 6) Now only after importing "foreman_scap_client" class to "production" puppet-environment, we can add the puppet-class to the host, via the "new host" page. Isolated Capsule: 8) So, we need to create the DIR on the file-system of capsule, run "mkdir -p /etc/puppet/environments/production/modules". Additional information: a) Usage of "production" puppet-environment will not be required if atleast 1 puppet-module is associated to CV. b) No update required for Sat6.1 docs Document URL: Section Number and Name: Describe the issue: Suggestions for improvement: Additional information:
@Kedar, I understand all the introductory information provided with this BZ ticket, so thank you. What I don't understand is just what a user must now do when enabling OpenSCAP. From reading your notes, I thought the steps were to be as follows, but I've tried this and it's failing. 1. On the Satellite Server, "mkdir -p /etc/puppet/environments/production/modules" 2. In the Satellite web UI, navigate to Configure > Environments and create a new environment titled "Production". 3. In the "Actions" column, click on the drop-down item next to "Classes" and select "Import from sat...". When I select "Import from sat..." I get some activity from the web browser, but nothing further happens. Can you provide further guidance?
@Kedar, Apologies. I expect the failure I reported in comment 1 is due to the fact that on my test Satellite host I have not installed the following RPMs: * puppet-foreman_scap_client * rubygem-smart_proxy_openscap
On the UI, "production" environment already exists, we just need create the directory structure on every capsule being setup. Required on every Capsule : "mkdir -p /etc/puppet/environments/production/modules" 1. On every Capsule Server, "mkdir -p /etc/puppet/environments/production/modules" [ Needed only if no puppet-module associated to CV being used for the Host ] 2. Assign the Org ad Location context to "product environment". 3. Then from the WebUI , "Configure" --> "Classes" --> "Import a Capsule" and select the environment to associate "foreman_scap_client" to "production" puppet environment.
4. Use the "production" puppet environment when creating a "host-group" or "host" and the puppet environment is not auto-suggested or of the type KT_<ENV-ORG> available.
Russell, As shlomi mentioned, there is no need for 2 separate Procedure 5.1 and 5.2, we can have just one. ------------------------------------------------------------------------------- From Procedure 5.1, I feel for more clarity the below step 4) should be moved to 5.2.1 (SCAP Content) , something under it's own section called "populating default OSCAP content". 4) Load the Default OpenSCAP content on the Satellite Server. # foreman-rake foreman_openscap:bulk_upload:default ------------------------------------------------------------------------------- Also the below step 5) from Procedure 5.1 should read as below ( Can we please have a separate section/procedure for this? ) 5) Import the puppet-class "foreman_scap_client" into desired Puppet environments. Each host which is to be audited using the OpenSCAP functionality must be associated with a Puppet environment. ------------------------------------------------------------------------------ Also between step 4) and Step 5) for Procedure 5.1, let's introduce the below step. (I believe we need to expand this section a bit more, something like.) Procedure 5.2 Step 4) : Puppet environment is created automatically only for those content-views that contain a puppet-module. So, If there is no existing Puppet environment, create a directory for the production environment, so that puppet-class "foreman_scap_client" can be associated with it. # mkdir -p /etc/puppet/environments/production/modules ------------------------------------------------------------------------------ If we plan to unify both 5.1 and 5.2, let's change it as below: Refresh the Capsule Server so that the added OpenSCAP features are detected. # hammer capsule refresh-features --id <capsule-id>
@Russell, I said so because they are two different topics. Just the Step1) is right under, 5.2.1.1 "Loading Default OpenSCAP Content" So a separate section for this would be needed as it does not fall under "Loading Default OpenSCAP content" and is about importing puppet modules. 5.2.1.1 is about "OSCAP content" <new section> will be about "importing OSCAP puppet module"
So, Step 2) and Step 3) are related to --: "<new section> will be about 'importing OSCAP puppet module' "
I think the puppet-foreman_scap_client is needed just on the proxy side, right @shlomi? Also, do we need to do some extra steps at clients or everything is handled by the puppet module there?
puppet-foreman_scap_client is needed on the puppet master (usually coupled with the capsule, right?) The clients are configured on the Satellite side (e.g., when assigning policy to hosts)
*** Bug 1334698 has been marked as a duplicate of this bug. ***
This content is now live on the Customer Portal. Closing.