[RHUG Special Satellite, Feb 16, 2017]
Presented by: Domtar Shared Services
Christophe Paulus
James Dubuisson
Gueorgui Tcherecharov
RHUG SPECIAL SATELLITE RED HAT OFFICE MONTREAL, FEBRUARY 16, 2017
DOMTAR IN BRIEF
150+ years old: from Dominion Tar and Chemical Company, Ltd. to Domtar Corporation
From coal tar distillation to NCC (nanocrystalline cellulose)
Domtar today is 2 divisions: Pulp and Paper, Personal Care
Close to 10,000 employees
US $5.3 billion (83% P&P – 17% PC)
Stock Symbol UFS (NYSE;TSE)
More info at domtar.com
STRICTLY PRIVATE AND CONFIDENTIAL 2
THE SYSTEMS ADMINISTRATION TEAM
IT Core Infrastructure Services is responsible for the following technology towers:
■ Data Centers
■ Servers
■ SAN
■ Virtualization
■ Backup
■ Operating System
■ Application Delivery
Shared Services – Systems Administration:
■ Windows
■ Linux/Unix
■ F5 Big-IP
Today's presenters are part of IT Core Infrastructure Services, Shared Services – Systems Administration
A FEW NUMBERS
1700+ virtual machines spread across N.A. and E.U., the bulk of them in the 2 Montreal data centers.
3 main OSs in multiple flavors:
■ Windows
■ Linux
■ Unix (HP-UX)
200 RHEL VMs (growing):
■ RHEL5 (25%)
■ RHEL6 (66%)
■ RHEL7 (9%)
50+ Linux-based appliances (growing fast!)
WHY WE SELECTED SATELLITE
2013 – The number of Linux VMs is growing fast
Management starts to become painful:
■ There is a need for a patching tool
■ Plus we want a replacement for the current configuration engine
■ We need to automate VM deployment
Evaluation of different products led to the conclusion that Red Hat Satellite is the tool. The key phrase was:
Greater administration consistency, enhanced security (compliance), increased productivity.
With Satellite, all the goals could be achieved.
December 2013 – Started deployment of Satellite 5.6 with an external DB (Oracle)
WHY WE UPGRADED TO SATELLITE 6
2014 – Happy sysadmins who deploy patches:
■ On schedule
■ According to our standard
Then Satellite 6 is presented:
■ The architecture, functionality and roadmap were appealing to us
■ Plus we had implemented only one of our needs (patching)
Decision is made to switch to Satellite 6
2015 – Start of the migration
Less happy sysadmins for a while
Happiness comes back with 6.1, and joy with 6.2
DOMTAR PATCHING STANDARD
The goal: Patching every quarter
■ Patches that don't require a reboot (e.g. most security patches): every quarter
■ Patches that require a reboot (e.g. bug fixes and product enhancements): at least once a year, with a target of twice a year
Application life cycle:
SandBox, Development, Quality Assurance, Staging (pre-production), Production, Training
Four times a year we draw a line in the sand that contains all the patches available at that specific time.
DOMTAR PATCHING STANDARD CONT’D
Each quarter the set of patches is pushed through the application life cycle.
DOMTAR PATCHING STANDARD CONT’D
A content view is a set of repositories to which we have subscribed.
Those composite content views are built from base content views to which we have added our own repos.
The following Domtar composite content views are associated with the environments:

Composite content view    Environments
dt-jboss-rhel6-x86_64     Library, jboss-sx, jboss-dv, jboss-qa, jboss-st, jboss-pr, jboss-tr
dt-rhel58-x86_64          Library, SX, DV, QA, ST, PR, TR
dt-rhel5-x86_64           Library, SX, DV, QA, ST, PR, TR
dt-rhel6-x86_64           Library, SX, DV, QA, ST, PR, TR
dt-rhel7-x86_64           Library, SX, DV, QA, ST, PR, TR
dt-sap-rhel5-x86_64       Library, sap_sx, sap-qa, sap-st, sap-pr, sap-tr, sap-dv
dt-sap-rhel6-x86_64       Library, sap_sx, sap-qa, sap-st, sap-pr, sap-tr, sap-dv
out-of-sequence-rhel6     Library, out-of-sequence-rhel6_Upgrade
out-of-sequence-rhel7     Library, out-of-sequence-rhel7_Upgrade
RATIONALE FOR UPGRADING TO SATELLITE 6
Centralized method for managing servers
Easy way to deploy patches in phases (Dev, QA, Staging, Prod, etc.)
Simple way to manage our Red Hat subscriptions
RBAC for different teams
Configuration Management is integrated
Automatic Server deployment
Nice dashboard
Many more features in roadmap
SATELLITE 5 TO 6.0 MIGRATION
Started March 2015
Fresh Install on RHEL6 Server
Import data from Satellite 5 to Satellite 6
Issues when importing content views to new server
virt-who installed on a standalone machine
Ended up only importing users and host collections
Issues when selecting multiple patches
Some servers were losing their subscription during VMotion
MIGRATION SATELLITE 6.0 TO 6.1
Upgrade started September 2015
Issue with the upgrade
It was fixed via a remote session with Red Hat Support
Lots of bugs were fixed compared to previous version
Not losing subscriptions anymore
Issue with RBAC
Improved speed
MIGRATION SATELLITE 6.1 TO 6.2
Started August 2016
Fresh Install
As per RedHat recommendations, we installed RHEL7
No official tool to export Satellite 6.1 content to 6.2 if you install on a new machine at the time of migration. A script is now available to do this task.
Imported data to the new server using the Satellite API
Much improved user interface
Now running 6.2.7; works like a charm
HOW DO WE PATCH OUR SERVERS
Scheduling is done by our team
The Operations team then contacts server owners to get patching approval
When a server owner approves the patching window, the Ops team patches the servers
After patching is done, we verify on our custom dashboard that all patches completed successfully
After 2 weeks of testing, we promote the same patches to the next environment using Hammer
HOW WE PATCH OUR SERVERS - SCHEDULING
A small shell script generates our patching schedule in a text file
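The quarterly freeze and the two-week soak before each Hammer promotion can be laid out as a dated plan. The following is an added example (not Domtar's script) that prints, for one composite content view, the date of each promotion and the matching Hammer command; the organization name, the freeze date and promoting to SX on the freeze date itself are assumptions, and GNU date is required.

```bash
#!/usr/bin/env bash
# Added example, not Domtar's script. Assumptions: GNU date, the organization
# name "Example_Org", a constructed freeze date, and promotion to the first
# environment on the freeze date itself.

# Lifecycle path of the dt-rhel*-x86_64 composite views as listed on the slides.
ENV_PATH="Library SX DV QA ST PR TR"
SOAK_DAYS=14   # "2 weeks testing" between promotions

# promotion_schedule FREEZE_DATE CONTENT_VIEW ORG
# Prints "<date> <from> <to> <hammer command>" for each promotion step.
promotion_schedule() {
    local freeze="$1" cv="$2" org="$3" prev="" env step=0 base when
    # Accept only a plain ISO date before handing the value to date(1).
    case "$freeze" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "freeze date must be YYYY-MM-DD: $freeze" >&2; return 1 ;;
    esac
    base=$(date -u -d "$freeze" +%s) || return 1
    for env in $ENV_PATH; do
        if [ -n "$prev" ]; then
            when=$(date -u -d "@$((base + step * SOAK_DAYS * 86400))" +%F)
            printf '%s %s %s hammer content-view version promote' "$when" "$prev" "$env"
            printf ' --organization "%s" --content-view "%s"' "$org" "$cv"
            printf ' --from-lifecycle-environment "%s" --to-lifecycle-environment "%s"\n' "$prev" "$env"
            step=$((step + 1))
        fi
        prev="$env"
    done
}

# promotion_date FREEZE_DATE CONTENT_VIEW ORG ENV
# Date on which the frozen patch set reaches ENV.
promotion_date() {
    promotion_schedule "$1" "$2" "$3" | awk -v e="$4" '$3 == e { print $1 }'
}

# Constructed run: Q1 freeze for the RHEL 7 composite view.
promotion_schedule 2017-01-09 dt-rhel7-x86_64 Example_Org
```

With six promotions 14 days apart, the frozen patch set reaches TR 70 days after the freeze, which fits inside one quarter.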
HOW WE PATCH OUR SERVERS - OWNERS
We add the Business owner info in the description field for each server
Business owner approves the patches for his/her servers
Ops team uses the info in the description field to create a CR before patching
The image below shows the content of this field: Env | Server | Application, Owner ; CC(users)
HOW WE PATCH OUR SERVERS - VERIFICATION
Screenshot of our custom Dashboard
HOW WE PATCH OUR SERVERS CONT’D
Info we can get on patches that were not installed, or when server owner wants info on patches to install
NICE FEATURES – SCHEDULING
NICE FEATURES – SCHEDULING CONT’D
NICE FEATURES – SCHEDULING CONT’D
NICE FEATURES - JOB EXECUTION
NICE FEATURES - JOB EXECUTION CONT’D
NICE FEATURES - OPENSCAP
Upload new SCAP content
NICE FEATURES – OPENSCAP CONT’D
NICE FEATURES – OPENSCAP CONT’D
Assign a compliance policy to host(s)
NICE FEATURES – OPENSCAP CONT’D
Assign the compliance policy
NICE FEATURES – OPENSCAP CONT’D
HOW WE USE THE SATELLITE API
https://satellite/apidoc/v2.html
HOW WE USE THE SATELLITE API CONT’D
HOW WE USE THE SATELLITE API CONT’D
API SCRIPT
Example: Simple Perl API Script
API SCRIPT
Example 2 : The same information but from all hosts
HOW WE USE THE SATELLITE API CONT’D
Here are some actions that we do using the APIs:
Export and import comment data
Apply security errata
List errata by server – details and summary
List server name, host collection, activation keys, subscription
List unsubscribed servers
List servers that changed their subscription
FUTURE USE OF SATELLITE AT DOMTAR
Integrate new features that Michael just talked about
Ansible to replace our current Configuration Management tool
Deploy OpenScap, now that we have completed the POC
Deployment of servers from RedHat Satellite
Integrate IDM to Satellite
RECOMMENDATIONS
Use the recommended settings for Red Hat Satellite:
■ 16 GB RAM
■ 4 CPUs
■ Monitor the server to see if these settings fit your needs (~300 servers)
■ Allocate file system space for the Satellite file systems ( /var/pulp/ , /var/pgsql/, etc. )
■ Create Capsule Servers for remote locations
■ No need to install virt-who on a separate machine; it can now be integrated on the main Satellite server
RECOMMENDATIONS CONT’D
Snapshot of our disk utilization in Satellite
ADDITIONAL RESOURCES
Red Hat Satellite Blog (Rich Jerrido – Technical Product Manager)
■ http://access.redhat.com/blogs/1169563
ADDITIONAL RESOURCES CONT’D
Red Hat Satellite Documentation
■ https://access.redhat.com/documention/en/red-hat-satellite/
ADDITIONAL RESOURCES CONT’D
Hammer cheat sheet
■ https://access.redhat.com/articles/2258471
ADDITIONAL RESOURCES CONT’D
API Description
■ https://yoursatellite.yourdomain.com/apidoc/v2.html
ADDITIONAL RESOURCES (SCRIPTS)
QUESTIONS
THANK YOU