Install Foreman Katello Patch Management on CentOS 7

Install Foreman with Katello on RHEL CentOS 7 Install Foreman with Katello on RHEL CentOS 7


Katello Patch Management or Foreman with Katello is one of the components of the upstream version of Red Hat Satellite. Katello is a life cycle management plugin for Foreman. Katello allows managing thousands of machines in a single click. It pulls content from remote repositories into an isolated environment and makes the subscription’s management easy for us.

The Red Hat Satellite version 5 based on Spacewalk, the current version of Satellite 6 is based on foreman with katello plugins. The most important core components are pulp, candlepin, qpid, puppet and much more.

If you work on Red Hat satellite every day and need a similar environment in your home lab then go-head with Foreman with katello. It provides a decent web interface exactly the same as Red Hat Satellite to manage the physical and virtual servers (Content hosts) by provisioning, managing, patching etc.

Foreman/Katello related articles

  1. Install Foreman Katello Patch Management on CentOS 7
  2. Register a Linux client with Foreman
  3. Provisioning Bare Metal and VM from Foreman in 6 easy steps

Basic OS setup

Before starting with foreman installation let us set up our server with basic configurations by assigning hostname, language settings and much more.

Setting Locale

Set the locale before starting with the installation. Once completed with setting system locale to en_US.utf8 check the status.

# localectl set-locale LC_CTYPE=en_US.utf8
[root@foreman ~]# localectl status
    System Locale: LC_CTYPE=en_US.utf8
        VC Keymap: us
       X11 Layout: us
[root@foreman ~]#

Setting Hostname

The hostname has been assigned from our DNS server.

# hostnamectl status
# dnsdomainname -f
[root@foreman ~]# hostnamectl status
    Static hostname: localhost.localdomain
 Transient hostname: foreman.linuxsysadmins.local
          Icon name: computer-vm
            Chassis: vm
         Machine ID: 36618758588646fb9bd7e5ceb0e73a70
            Boot ID: d88e0660940f45aaa4aed99d0ceec6d9
     Virtualization: kvm
   Operating System: CentOS Linux 7 (Core)
        CPE OS Name: cpe:/o:centos:centos:7
             Kernel: Linux 3.10.0-1062.el7.x86_64
       Architecture: x86-64
[root@foreman ~]#

[root@foreman ~]# dnsdomainname -f
[root@foreman ~]#

The time Synchronization for a foreman with katello is the most important part. Install with chrony, by following enable and start the service.

# yum install chrony
# systemctl enable chronyd
# systemctl start chronyd
# chronyc sources

Enable NTP synchronization.

# timedatectl set-ntp true
[root@foreman ~]# timedatectl status
       Local time: Sat 2020-03-21 02:07:45 +04
   Universal time: Fri 2020-03-20 22:07:45 UTC
         RTC time: Fri 2020-03-20 22:07:44
        Time zone: Asia/Dubai (+04, +0400)
      NTP enabled: yes
 NTP synchronized: yes
  RTC in local TZ: no
       DST active: n/a
[root@foreman ~]#

Starting with Foreman Prerequisites

Firewall Requirement

The ports required to open from foreman side are listed below. If we plan to setup DNS in the same server it’s required to open 53/UDP and TCP.

PortProtocolRequired for
80,443TCPHTTP & HTTPS access to foreman web UI
67,68UDPDHCP Server
69UDPTFTP Server
5647TCPHTTP access to foreman web UI using standalone WEBrick service
9090TCPUsed for communication with the Smart Proxy

Let’s start with adding the ports for katello patch management.

# firewall-cmd --add-port={53,80,443,5647,9090}/tcp --permanent
# firewall-cmd --add-port="67-69,53/udp" --permanent
# firewall-cmd --add-port="53/udp" --permanent
# firewall-cmd --reload
# firewall-cmd --list-all

Once added with required ports let’s follow to set up the storage requirement.

Storage Requirement for Katello Patch Management

The content which we are going to sync from the internet will be stored under /var/lib/pulp. Instead of using default “/” disk it’s advised to use dedicated large size of the mount point. The recommended minimum size should be 30GB for each Operating system we are about to Sync.

We have added with a new 100 GB disk.

[root@foreman ~]# lsblk 
 sda               8:0    0   15G  0 disk 
 ├─sda1            8:1    0    1G  0 part /boot
 └─sda2            8:2    0   14G  0 part 
   ├─centos-root 253:0    0 12.5G  0 lvm  /
   └─centos-swap 253:1    0  1.5G  0 lvm  [SWAP]
 sdb               8:16   0  100G  0 disk 
 sr0              11:0    1 1024M  0 rom  
[root@foreman ~]#

In case, if we have any future plan to sync multiple OS/Repositories it’s good to start with setting up a Logical Volume (LVM).

[root@foreman ~]# pvcreate /dev/sdb
   Physical volume "/dev/sdb" successfully created.
[root@foreman ~]# 
[root@foreman ~]# vgcreate vg_pulp /dev/sdb
   Volume group "vg_pulp" successfully created
[root@foreman ~]# 
[root@foreman ~]# lvcreate -l 100%FREE -n lv_pulp vg_pulp
   Logical volume "lv_pulp" created.
[root@foreman ~]#

Create a filesystem on newly created LVM.

[root@foreman ~]# mkfs.xfs /dev/mapper/vg_pulp-lv_pulp 
 meta-data=/dev/mapper/vg_pulp-lv_pulp isize=512    agcount=4, agsize=6553344 blks
          =                       sectsz=512   attr=2, projid32bit=1
          =                       crc=1        finobt=0, sparse=0
 data     =                       bsize=4096   blocks=26213376, imaxpct=25
          =                       sunit=0      swidth=0 blks
 naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
 log      =internal log           bsize=4096   blocks=12799, version=2
          =                       sectsz=512   sunit=0 blks, lazy-count=1
 realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@foreman ~]#

Mount the filesystem and make it persistent, restore the SELinux label for newly mounted mount point by running restorecon recursively.

[root@foreman ~]# mkdir /var/lib/pulp
[root@foreman ~]# 
[root@foreman ~]# mount /dev/mapper/vg_pulp-lv_pulp /var/lib/pulp/
[root@foreman ~]#  
[root@foreman ~]# echo "/dev/mapper/vg_pulp-lv_pulp /var/lib/pulp/ xfs defaults 0 0" >> /etc/fstab 
[root@foreman ~]#
[root@foreman ~]# tail -n1 /etc/fstab 
 /dev/mapper/vg_pulp-lv_pulp /var/lib/pulp/ xfs defaults 0 0
[root@foreman ~]#
[root@foreman ~]# restorecon -Rv /var/lib/pulp/
 restorecon reset /var/lib/pulp context system_u:object_r:unlabeled_t:s0->system_u:object_r:var_lib_t:s0
[root@foreman ~]#

List the created fileSystem and we are good with a storage requirement.

[root@foreman ~]# df -hP /var/lib/pulp/
 Filesystem                   Size  Used Avail Use% Mounted on
 /dev/mapper/vg_pulp-lv_pulp  100G   33M  100G   1% /var/lib/pulp
[root@foreman ~]#

Installing Foreman with Katello

Before running with katelllo installation make sure to update the existing packages by running

# yum update -y

Add the required Repositories using yum.

# yum -y localinstall
# yum -y localinstall
# yum -y localinstall
# yum -y localinstall
# yum install foreman-release-scl -y

Right after installing the repositories use yum to install the katello.

# yum install katello -y

Output for your reference, The long output has been truncated.

   katello.noarch 0:3.14.1-1.el7                                                                                                                                                      
 Dependency Installed:
   SOAPpy.noarch 0:0.11.6-17.el7                              apache-commons-codec.noarch 0:1.8-7.el7                                                     
   apache-commons-collections.noarch 0:3.2.1-22.el7_2         apache-commons-daemon.x86_64 0:1.0.13-7.el7                                                 
   apache-commons-dbcp.noarch 0:1.4-17.el7                    apache-commons-lang.noarch 0:2.6-15.el7                                                     
   apache-commons-logging.noarch 0:1.1.2-7.el7                apache-commons-pool.noarch 0:1.6-9.el7                                                      
   apr.x86_64 0:1.4.8-5.el7                                   apr-util.x86_64 0:1.5.2-6.el7

Start to setup Katello by running foreman-installer. While running foreman-installer we can use multiple options to set the admin User/Password. If the option --scenario katello not used, it will set up with the puppet.

# foreman-installer --scenario katello --foreman-initial-admin-username admin --foreman-initial-admin-password 'xxxxxxx'

To set up with more modules it possible to add them by editing below YAML file. This should be done before starting with running foreman-installer.

# vim /etc/foreman-installer/scenarios.d/katello.yaml

In my setup, I have appended with QPID, TFTP, DHCP, apt.

 :name: Katello
 :description: Install Foreman with Katello
 :enabled: true
 :log_dir: /var/log/foreman-installer
 :store_dir: ''
 :log_name: katello.log
 :log_level: DEBUG
 :no_prefix: false
 :mapping: {}
 :answer_file: /etc/foreman-installer/scenarios.d/katello-answers.yaml
 :installer_dir: /usr/share/foreman-installer/katello
 :module_dirs: /usr/share/foreman-installer/modules
 :colors: true
 :color_of_background: :dark
 :hook_dirs: []
 :custom: {}
   tuning: default
 :low_priority_modules: []
 :verbose_log_level: info
 :skip_puppet_version_check: false
 :parser_cache_path: /usr/share/foreman-installer/parser_cache/katello.yaml
 :hiera_config: /usr/share/foreman-installer/config/foreman-hiera.yaml

Enable true for required plugins by editing the below answer file. For instance, to enable the ansible plugin, replace “false” with “trueforeman::plugin::ansible: true

If you need to create your custom organization it can be done by replacing initial_organization: Default Organization to initial_organization: something else. However, we are sticking to default one in our setup.

# vim /etc/foreman-installer/scenarios.d/katello-answers.yaml

Start the foreman installer to set up the katello.

[root@foreman ~]# foreman-installer --scenario katello --foreman-initial-admin-username admin --foreman-initial-admin-password 'xxxxxxxx'
 Preparing installation Done                                              
 Katello is running at https://foreman.linuxsysadmins.local
   Initial credentials are admin / xxxxxxxxx
 To install an additional Foreman proxy on separate machine continue by running:
 foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"
 The full log is at /var/log/foreman-installer/katello.log
[root@foreman ~]# 

To monitor the installation progress run tail on below log file.

# tail -f /var/log/foreman-installer/katello.log

It took 45 minutes to complete our katello patch management installation.

 [DEBUG 2020-03-21T04:22:43 main]  Finishing transaction 49518980
 [DEBUG 2020-03-21T04:22:43 main]  Received report to process from foreman.linuxsysadmins.local
 [ INFO 2020-03-21T04:22:44 main] Puppet has finished, bye
 [ INFO 2020-03-21T04:22:44 main] Executing hooks in group post
 [ INFO 2020-03-21T04:22:45 main] rh-mongodb34-syspaths not present, installing.
 [DEBUG 2020-03-21T04:22:49 main] Hook /usr/share/foreman-installer/katello/hooks/post/09-mongo_syspath.rb returned ""
 [DEBUG 2020-03-21T04:22:50 main] Hook /usr/share/foreman-installer/katello/hooks/post/10-post_install.rb returned nil
 [DEBUG 2020-03-21T04:22:50 main] Hook /usr/share/foreman-installer/katello/hooks/post/30-upgrade.rb returned nil
 [DEBUG 2020-03-21T04:22:50 main] Hook /usr/share/foreman-installer/katello/hooks/post/99-version_locking.rb returned nil
 [ INFO 2020-03-21T04:22:50 main] All hooks in group post finished
 [DEBUG 2020-03-21T04:22:50 main] Exit with status code: 2 (signal was 2)
 [DEBUG 2020-03-21T04:22:50 main] Cleaning /tmp/kafo_installation20200321-2078-zh2bhx
 [DEBUG 2020-03-21T04:22:50 main] Cleaning /tmp/kafo_installation20200321-2078-12llodg
 [DEBUG 2020-03-21T04:22:50 main] Cleaning /tmp/default_values.yaml
 [ INFO 2020-03-21T04:22:50 main] Installer finished in 2656.897177603 seconds

Once completed with the installation verify the service status.

[root@foreman ~]# katello-service status | grep -i "Active"
    Active: active (running) since Sat 2020-03-21 03:38:56 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:44:42 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:48:39 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:48:31 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:41:57 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:48:36 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:48:37 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:48:37 +04; 13h ago
    Active: active (exited) since Sat 2020-03-21 03:48:36 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 03:49:48 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 04:21:06 +04; 12h ago
    Active: active (running) since Sat 2020-03-21 03:51:08 +04; 13h ago
    Active: active (running) since Sat 2020-03-21 04:21:43 +04; 12h ago
    Active: active (running) since Sat 2020-03-21 04:22:05 +04; 12h ago
[root@foreman ~]#

We have successfully completed the installation.

Accessing Foreman GUI

Access the foreman GUI using FQDN https://foreman.linuxsysadmins.localUse the Initial credentials which displayed on our screen while completed with the installation.

Right after login to foreman, we will be taken to the overview dashboard.

Moving forward, we will perform all actions from the default user “admin” account.

[root@foreman ~]# hammer user list
ID | LOGIN | NAME       | EMAIL                     | ADMIN | LAST LOGIN          | AUTHORIZED BY
4  | admin | Admin User | root@linuxsysadmins.local | yes   | 2020/03/21 11:51:00 | Internal     
[root@foreman ~]#

Post Installation configuration

Creating Product

After installation, we can create additional organization and locations. However, we are going to use all default org and Location.

If we have a valid subscription from RedHat, log in to Red hat customer portal and download the manifest. By following navigate to Content –> Subscriptions from right-hand side click on “Manage Manifest” then browse the downloaded manifest. This will bring your available subscriptions/Repositories into foreman.

In our case, we are going to set up with CentOS repositories.

Our first step is to create the product. To create the product, we need to know the organization associated with our account. By default, we have one organization with ID 1. List using hammer CLI.

[root@foreman ~]# hammer organization list
ID | TITLE                | NAME                 | DESCRIPTION | LABEL               
1  | Default Organization | Default Organization |             | Default_Organization
[root@foreman ~]#

Creating Product from foreman GUI

Content –> Products

Creating Product from CLI using the hammer.

[root@foreman ~]# hammer product create --organization-id 1 --name "CentOS 7 Linux x86_64" --description "Repository for CentOS 7 Linux"
 Product created.
[root@foreman ~]#

Once the product created it will be listed as shown below.

Importing GPG Key for OS Repo

After creating a product we need to import the GPG key for it. Follow below steps to import the key from CLI

# mkdir -p /etc/pki/rpm-gpg/import
# wget -P /etc/pki/rpm-gpg/import/

To know all GPG keys navigate to

To import the key for our organization, Run this command from the location where we have downloaded the GPG key.

# hammer gpg create --organization-id 1 --key "RPM-GPG-KEY-CentOS-7" --name "RPM-GPG-KEY-CentOS-7"

To perform the import from GUI follow as shown below.

Navigate to Content –> Content Credentials

To get the GPG key access the URL and copy the content to paste under “New Credential contents”.

GPG Key for Storage Repo

Storage repositories required separate GPG key, By following let’s create the Content Credentials for storage repository.

Content –> Content Credentials –> Create Content Credential

In the name use any name “RPM-GPG-KEY-CentOS-SIG-Storage“, Type as “GPG key” and Paste the content from below URL

Click Save.

After creating the storage repository in following steps we can assign the storage key to the storage repository.

Creating Repositories

It’s easy to create a Repository from GUI by navigating to Content –> Products –> CentOS 7 Linux x86_64 –> New Repository

However, Let’s use the hammer to create the repository from the CLI.

Creating the Repository from CLI

Add the CentOS 7 main OS Repository

# hammer repository create --organization-id 1 \
   --product "CentOS 7 Linux x86_64" \
   --name "CentOS 7 OS x86_64" \
   --label "CentOS_7_OS_x86_64" \
   --content-type "yum" \
   --download-policy "on_demand" \
   --gpg-key "RPM-GPG-KEY-CentOS-7" \
   --url "" \
   --mirror-on-sync "no"

Understanding the options.

  • –organization-id – Organization ID to create the repository
  • –product – For which product repository needs to be created
  • –name – Name of the repository
  • –label – Just a label to make the repository
  • –content-type – what type of content, it can be yum, deb, file, puppet and docker.
  • –download-policy – On-demand, if we choose this option the packages will be downloaded when clients try to get the package from katello/Satellite.
  • –gpg-key – GPG key to be used for repository
  • –url – The URL of the repository from where the content about to download.
  • –mirror-on-sync – True if this repository when synced has to be mirrored from the source and Stale RPMs removed.

Additionally, add Extra repository

# hammer repository create --organization-id 1 \
   --product "CentOS 7 Linux x86_64" \
   --name "CentOS 7 Extra x86_64" \
   --label "CentOS_7_Extra_x86_64" \
   --content-type "yum" \
   --download-policy "on_demand" \
   --gpg-key "RPM-GPG-KEY-CentOS-7" \
   --url "" \
   --mirror-on-sync "no"

To receive the updates create the Update Repo

# hammer repository create --organization-id 1 \
   --product "CentOS 7 Linux x86_64" \
   --name "CentOS 7 Updates x86_64" \
   --label "CentOS_7_Updates_x86_64" \
   --content-type "yum" \
   --download-policy "on_demand" \
   --gpg-key "RPM-GPG-KEY-CentOS-7" \
   --url "" \
   --mirror-on-sync "no"

In future we require configuration management packages, Let’s add the Ansible repo.

# hammer repository create --organization-id 1 \
    --product "CentOS 7 Linux x86_64" \
    --name "Ansible x86_64" \
    --label "Ansible_x86_64" \
    --content-type "yum" \
    --download-policy "on_demand" \
    --gpg-key "RPM-GPG-KEY-CentOS-7" \
    --url "" \
    --mirror-on-sync "no"

Finally, I need a storage repository to setup Ceph.

# hammer repository create --organization-id 1 \
 --product "CentOS 7 Linux x86_64" \
    --name "Storage x86_64" \
    --label "Storage_x86_64" \
    --content-type "yum" \
    --download-policy "on_demand" \
    --gpg-key "RPM-GPG-KEY-CentOS-7" \
    --url "" \
    --mirror-on-sync "no"

Now navigate to content –> Products –> click on “CentOS 7 Linux x86_64” under repositories click on “Storage x86_64” scroll down to GPG Key and select the “RPM-GPG-KEY-CentOS-SIG-Storage from the drop-down list and click save.

Here all created repositories can be found under Content –> CentOS 7 Linux x86_64in Repositories Tab.

List the same from the command line using the hammer.

# [root@foreman ~]# hammer repository list --organization-id 1 --product "CentOS 7 Linux x86_64"
ID | NAME                    | PRODUCT               | CONTENT TYPE | URL                                                                   
8  | Ansible x86_64          | CentOS 7 Linux x86_64 | yum          |
3  | CentOS 7 Extra x86_64   | CentOS 7 Linux x86_64 | yum          |                    
2  | CentOS 7 OS x86_64      | CentOS 7 Linux x86_64 | yum          |                        
4  | CentOS 7 Updates x86_64 | CentOS 7 Linux x86_64 | yum          |                   
9  | Storage x86_64          | CentOS 7 Linux x86_64 | yum          |     
[root@foreman ~]#

Continue Reading by clicking Next Page.