Best Practices for Deploying and Managing Linux with Red Hat Network

Abstract
This technical white paper provides a best practices overview for companies deploying and managing their open source environment through Red Hat Network (RHN).

Table of Contents
Red Hat Network Overview
Deploying and Managing Open Source Solutions
Part I: Setting Up Your Environment
Part II: Registering and Tasking Your Systems
Kickstart with RHN
Part III: Managing Your Systems
Appendixes:
1. Getting more from RHN - The API Access Layer
2. Running RHN in Highly Secure Environments
3. Key Glossary Terms

Copyright 2005 Red Hat, Inc. Red Hat, Red Hat Linux, the Red Hat Shadowman logo, and the products listed are trademarks or registered trademarks of Red Hat, Inc. in the US and other countries. Linux is a registered trademark of Linus Torvalds. WHP0008US 7/05

Red Hat Network Overview
Customers today demand much more from their technology than just bits; they need full IT solutions that include deployment, patch, monitoring, and configuration to solve their customers' problems, reduce costs and complexity, increase productivity, and enhance security. These tools need to be tightly integrated with content, based on industry standards, and easy to integrate with the existing environment.

The Red Hat Network solution allows customers to choose the level of services and architectural models required depending on IT needs. RHN is integrated with Red Hat Enterprise Linux and other Red Hat offerings to ensure customers are able to manage systems effectively and with minimum complexity.

Service Entitlements
The first question customers must answer is what kind of service entitlements they want their systems to have. Red Hat Network currently consists of four service modules: Update, Management, Provisioning, and Monitoring. [1] Customers purchase entitlements to these services on an annual per-system subscription basis.

Update Module: Included with every Red Hat Enterprise Linux subscription. Update Module is the entry-level offering for RHN. It allows you to easily maintain single systems and includes functionality such as a graphical user interface, priority notification, errata information, RPM dependency checking, and auto-update.

Management Module: Management Module allows you to manage your entire Red Hat Enterprise Linux or Sun Solaris infrastructure. Designed for enterprise scalability, the Management Module features systems grouping, role-based administration for policies and permissions, scheduled actions, and higher-end functionality with Satellite Server such as third-party channels, custom channels, local package caching, and off-network capability.

Provisioning Module: The Provisioning Module enables you to manage the complete lifecycle of your Linux infrastructure. The Provisioning Module includes features such as OS provisioning (from bare-metal boxes or previously deployed boxes), configuration management, multi-state rollback, scheduled remote actions, Kickstart configuration tools, and RPM-based application provisioning.

Monitoring Module: The Monitoring Module allows you to maintain the availability of your applications on Red Hat Enterprise Linux with performance monitoring. The module includes monitoring probes, probe suites, notifications, and reporting.

RHN service entitlements are priced on a per-system (or per-node) basis. This best practices overview assumes the purchase of all entitlements for all examples provided.

[1] For a comparison of the different service entitlements, visit www.redhat.com/software/rhn/.

Architectural Model
The second question customers must answer is what is their preferred Architectural Model. RHN offers two basic models:

Hosted Model: The customer uses a back end (database, application, and web server) hosted by Red Hat. Each system connects individually to RHN across the Internet. This model is most effective when managing single systems or a small number of systems.

Figure 1. Hosted Architectural Model

Satellite Model: The entire RHN solution is placed on the customer's local network. Because RHN is local, it can be optimized and configured for each customer, providing additional functionality and security. Satellite Server can run in a connected (to Red Hat) or disconnected (completely offline) mode. Purchase of a Satellite Server includes Red Hat Enterprise Linux, the RHN Satellite Server software, 24x7 worldwide support, and an embedded Oracle database (optional).

Figure 2. Satellite Architectural Model

The Hosted model is the default option when customers purchase an RHN entitlement. A Satellite Server, which is capable of serving thousands of systems, must be purchased separately. Contact your local sales representative for more information regarding scalability with a Satellite Server.

Red Hat also offers another option: Proxy Server. The Proxy Server can be run in either a Hosted or Satellite architecture and functions as an intelligent caching box on the customer's local network. The Proxy Server connects directly to RHN servers in a Hosted environment and directly to the Satellite Server in a Satellite environment.

This paper assumes the purchase of the Satellite Server (and the use of Proxy Servers where appropriate) for all examples. [2]

[2] For specific pricing information, visit www.redhat.com/software/rhn/purchase/ or contact a Red Hat sales representative toll-free (US only) at 1-866-273-3428 x45606.

Deploying and Managing Open Source Solutions
This white paper walks through a typical scenario most system administrators might find when deploying and managing their Linux systems. Much of the functionality described can be used in alternate ways.

The use case assumes that all systems are racked, powered, and networked. It also assumes that the system administrator is responsible for a dynamic environment, including environments where:

- New servers are being added on a net-new basis
- Large-scale migrations are taking place (such as UNIX or Windows to Linux)
- Redeployments or upgrades are being performed
- Both central and remote locations are being managed

Part I: Setting Up Your Environment
Install Satellite
The first step to configuring your RHN environment is to set up your Satellite Server. This system connects back to Red Hat Network (unless you run disconnected) and serves as the central repository and hub of connection for all of your client systems.

To optimize your installation, Red Hat recommends purchasing a one-week Professional Services consulting package. A Red Hat professional will come to your site and train your staff on troubleshooting, impending changes, and enhanced functionality available for your Satellite Server.

If you choose to install the Satellite Server on your own, you still receive 24x7x365 installation and production support. For a list of technical and hardware requirements needed to install Satellite Server, visit www.redhat.com/software/rhn/requirements/.

Identify Content
After installing the Satellite Server, customers must identify the content that they wish to manage. This content will consist of the following:

- Red Hat Enterprise Linux base channels: A base channel provides content for Red Hat Enterprise Linux. Base channels include Red Hat Enterprise Linux AS, ES, WS, and Desktop, Red Hat Application Server, etc.
- Red Hat Enterprise Linux core build(s): Many customers choose to develop a core Linux build for their environment. For more information regarding core builds, speak with your local salesperson.
- Custom content: Any custom content (applications or otherwise) that you would like to distribute, install, and manage on your systems via RHN.
- Third-party applications or content: Third-party applications you wish to manage with RHN.
- Solaris content: Solaris packages, patches, and patch sets can be distributed.
- Configuration files: All text-based configuration files can be stored and managed using RHN.

Red Hat Network uses the RPM package format to manage all of this content with the exception of Solaris content and configuration files. Customers who package custom and third-party applications in this format can update, manage, and provision content throughout their enterprise environment just as they would Red Hat Enterprise Linux content. In addition, Red Hat Network provides tools to assist you in pushing your RPM content into Red Hat Network.

Build Repositories
Once the content has been identified, the next step is to build and populate different repositories.

- Assign all content to a base or child channel: RHN uses base channels to represent the main or parent channel to which a system belongs. This channel takes precedence over all other channels to which the system is subscribed. Child channels are subchannels or second-tier channels. A system can only have a single base channel but can have as many child channels as desired. RHN allows your company to establish permissions for channels as well as systems, ensuring only the proper users have access to content and systems as shown in Figure 3.

Figure 3. System and Channel Permissions per User

- Assign channel permissions: Red Hat Network allows you to assign permissions to distinct individuals or groups. Only people with permission to access a channel can upload new content or make changes to the existing content.
- Push content to channels: The next step is to push the content into channels through a simple command-line tool called push. This process takes all RPM files and sends them into channels. You may automate this process with nightly/weekly scripts or other options appropriate for your environment.

Stage Content
When a new patch or errata is received, the last thing any system administrator wants to do is blindly apply that package to all their production systems without testing it. To facilitate the testing process, RHN provides the ability to develop staged environments. While your particular environment may vary, a typical testing environment includes the following stages:

- Red Hat base channel: This channel receives new packages from Red Hat. This channel regularly receives new content and is updated at an interval set by the customer, typically on an hourly or daily basis.
- Development: This channel receives selected packages from the base channel, but only those packages that the organization wants to apply to their systems. Developers can then test and configure packages in the channel.
- Testing and QA: Once the developers are finished developing packages, they are pushed to the testing and QA channels. The QA organization will then install these packages on test machines subscribed to the Testing & QA channel as their parent channel. After testing these packages, the QA department will push the packages that passed QA to the production stage. Packages that failed QA will either stay in QA for further testing or be sent back to development.
- Production: Once the production stage receives packages, they can be installed on production systems. These systems are registered to the production channel as their parent channel.

By breaking the channels into a staged environment, RHN makes it easier for companies to manage the flow and testing of their content to production systems.

A few features are used to successfully implement this process:

- Clone and manage channels: Provides the ability to clone and then rename an entire channel. For example, customers might have a channel called Red Hat Enterprise Linux AS 4 Development and wish to clone that channel to create Red Hat Enterprise Linux 4 AS Test/QA. This step is usually done in the beginning when first establishing the channels.

Figure 4. Channel Creation

- Clone and manage errata: This provides the ability to clone errata between the channels. This is used when you would like to move an errata between the two channels but do not wish to clone the entire channel(s). RHN allows you to clone and replicate errata individually or in groups.
- Auto-update: Some customers choose to auto-update their systems, especially when using staged environments where any new content will be rigorously tested before making it to the production channel. When using auto-update, the user can configure the client to receive updates on a regular time interval (established by the user), and then install all changes that have been added to the system's parent and/or child channels.
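
The staged flow above, as an added example that is not part of the original paper and is not RHN code: a small model that refuses promotions which skip a stage or lack QA sign-off, and audits for content that reached a stage without passing through the one before it. The stage order follows the text; the Erratum and Channel classes, the advisory ids, and the package lists are constructed for illustration.

```python
"""Added example: staged channels with a promotion gate and a bypass audit."""
from dataclasses import dataclass, field

# Stage order taken from the text: base -> Development -> Testing/QA -> Production
STAGES = ["base", "development", "qa", "production"]


@dataclass
class Erratum:
    advisory: str                 # placeholder id, not a real advisory
    packages: frozenset           # name-version-release strings
    qa_passed: bool = False       # set when the QA organization signs off


@dataclass
class Channel:
    stage: str
    packages: set = field(default_factory=set)
    errata: dict = field(default_factory=dict)


class PromotionError(Exception):
    pass


def clone_erratum(channels, advisory, src, dst):
    """Clone one erratum from src to dst, refusing stage skips and
    refusing content that has not passed QA from entering production."""
    if STAGES.index(dst) != STAGES.index(src) + 1:
        raise PromotionError(f"{advisory}: {src} -> {dst} skips a stage")
    erratum = channels[src].errata.get(advisory)
    if erratum is None:
        raise PromotionError(f"{advisory}: not present in {src}")
    if dst == "production" and not erratum.qa_passed:
        raise PromotionError(f"{advisory}: has not passed QA")
    channels[dst].errata[advisory] = erratum
    channels[dst].packages |= erratum.packages
    return sorted(erratum.packages)


def audit_bypass(channels):
    """Return {stage: [packages]} for packages present in a stage but
    absent from the stage before it, i.e. content that skipped testing."""
    findings = {}
    for prev, cur in zip(STAGES, STAGES[1:]):
        extra = channels[cur].packages - channels[prev].packages
        if extra:
            findings[cur] = sorted(extra)
    return findings


def demo():
    """Run a constructed scenario; return (blocked reasons, audit findings)."""
    ch = {s: Channel(s) for s in STAGES}
    fix = Erratum("EXAMPLE-0001", frozenset({"openssl-0.9.7a-43.2"}))
    other = Erratum("EXAMPLE-0002", frozenset({"httpd-2.0.52-12"}))
    for e in (fix, other):
        ch["base"].errata[e.advisory] = e
        ch["base"].packages |= e.packages
    clone_erratum(ch, "EXAMPLE-0001", "base", "development")
    clone_erratum(ch, "EXAMPLE-0001", "development", "qa")
    blocked = []
    for args in (("EXAMPLE-0001", "qa", "production"),     # QA not signed off
                 ("EXAMPLE-0002", "base", "production")):   # skips two stages
        try:
            clone_erratum(ch, *args)
        except PromotionError as err:
            blocked.append(str(err))
    fix.qa_passed = True
    clone_erratum(ch, "EXAMPLE-0001", "qa", "production")
    ch["production"].packages.add("localtool-1.0-1")        # pushed out of band
    return blocked, audit_bypass(ch)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against real channel listings, an audit of this shape catches packages pushed straight into a production channel by someone who holds channel permissions.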

Define System Groups and Permissions
With the content staged and built, it then becomes necessary to understand how to manage the system infrastructure. RHN allows you to group systems together so that you can manage the entire group as easily as you would manage a single system. This process includes the following steps:

- Define Groups: RHN understands that you have different ways of seeing your infrastructure. You might want to view by hardware type, function, location, or some other means. [3] RHN allows you to group systems in a many-to-many format. This means that not only can a group have multiple systems assigned to it, a system can also be assigned to multiple groups. For example, a database server from XYZ Vendor located in Raleigh, NC could belong to the XYZ Vendor, Database, and Raleigh groups simultaneously.

Figure 5. Systems Grouping

- Assign System Permissions: Just like channel permissions, system permissions allow you to restrict access to different systems or groups of systems. This helps to ensure that a centralized security process is in place and only those with authorization are allowed to make changes to a system.

[3] You can also apply personalized asset tags to each machine.

Build Activation Keys
Activation keys are the secret to fast and easy registration of your systems. An activation key is a key that, when applied to a system upon registration, automatically assigns that system to a predefined set of channels, group(s), policies, and permissions. The use of an activation key allows any user (as defined by the organization administrator) to assign systems to distinct groups in the organization as well as streamline the process for getting the system properly deployed and into management. The use of activation keys will be further explored in the next section, but for now it is enough to know that they exist and should be mapped out as part of the process of setting up your environment.

Part II: Registering and Tasking Your Systems
1. System already running Red Hat Enterprise Linux. If your system already has Red Hat Enterprise Linux installed, register the system with RHN by running the register command. When you register, you can also give the system an activation key to automatically assign it the proper permissions, group(s), and channels (content and configurations). If you are registering multiple systems, you can write a simple script to implement the action on all systems.
2. System not running Red Hat Enterprise Linux (DVD install). Install Red Hat Enterprise Linux via the installation DVD or other form of media. The process is then the same as above.
3. System not running Red Hat Enterprise Linux (PXE boot install). Set up a DHCP and PXE server that uses a Kickstart script hosted on RHN to provide images for the OS. During this process, the Kickstart script can also assign the necessary activation key and complete your system's registration.

Once the system(s) has been registered with RHN, you are ready to task them. You can task them in the following ways:

1. Matching another system. Point your newly registered system at an existing system and ask RHN to replicate the desired characteristics on the new system. Then run up2date on the new system, and RHN will completely update your box so that it mirrors the original one.
2. Matching a stored profile. Like the process above, this is done using a system image rather than a live system. Some companies prefer to bring all of their systems to a known generic or master state at registration, which allows them a consistent baseline from which to fully task their systems.
3. Scheduling a series of actions to customize your system(s). Used alone or in conjunction with steps 1 and 2, you can schedule actions to completely task your system. Change activation key defaults (or set them), packages, configuration channels, add child channels, set permissions, etc., then update your system to bring it to the fully updated state and it is ready to go.

Kickstart with RHN
Kickstart is a way to automate installation of Red Hat Enterprise Linux on your systems. This is accomplished by creating a file (ks.cfg) that contains responses to all the questions asked by the installation program during interactive installation. Once the file is created, it can be copied onto a normal Red Hat Enterprise Linux boot disk or saved in Red Hat Network. When this disk or disk image is used to boot a computer, the booting sequence finds the Kickstart file and automatically installs based on the values in the file.

This type of installation is useful for several reasons. First and foremost, it is much faster and easier than manually entering all the information. Second, the Kickstart file makes it easier to execute identical installations. Third, installation can be done over a network, meaning that several nodes can be installed simultaneously. Finally, the %post section can automate many configuration details that would normally have to be executed by hand after the installation is complete.

Red Hat Network adds value to the process by providing you with the ability to:

- Create multiple Kickstart files. RHN allows you to create your own Kickstart file through a simple GUI interface that automates the creation process. RHN can also create a Kickstart script from stored profiles. When run, the script will create a clone of the profiled system.

- Remotely administer Kickstart files to systems. RHN provides remote administration to systems, including the ability to reprovision systems, saving you the hassle of having to use a boot disk at each individual system.
- Combine your Kickstart actions with other RHN actions for a complete automated deployment. You can insert commands into the %post section of the Kickstart script or schedule actions to occur after the Kickstart script runs. Through the efficient use of Kickstart with RHN and other RHN commands, you can control your environment in a completely remote and efficient manner.

Part III: Managing Your Systems
Now that you have deployed and tasked all of your systems, you can begin using and managing them. This section outlines how simple patching, managing, (re)deploying, and monitoring your systems can be with RHN.

Patching your Systems
The following steps keep your systems updated and easily patched:

- Obtain Notification: RHN notifies you of new errata for your systems. For individual users, the applet on your GUI will flash when updates are available. For users managing multiple systems through the web interface, checking the channels, systems, or groups in RHN displays those that have received updated errata. Administrators also receive email with information about any new errata.
- Understand Errata Information: Errata information is included in email sent to users and is presented on the web interface. RHN provides this information so that users get a complete understanding of what the patch is and why it is being applied. Also included are notes about configuration specifications or other information that IT professionals may find useful.

- Evaluate the patches through the staged environments: At this point, your Satellite Server will have already synced with updated content on RHN unless you are running in a disconnected mode. The timing and interval of this synchronization process is established by the Satellite Org Admin. As discussed in the Stage Content section above, you can now use the errata cloning and management functionality to move errata through the different staged environments in your infrastructure.
- Customize errata as necessary: Errata management can also be used to make customized changes to an errata as it moves from stage to stage. For example, you might want to apply an errata to two different groups, one in Tokyo, the other in Atlanta. If these errata contain different configuration instructions, you can easily specify those instructions in the errata and make sure that each group receives a custom errata specific for their environment.

Figure 6. Customizing your Errata

- Define Groups: Once the errata has reached the channel(s) where it is ready for distribution, RHN provides various ways to update your systems. You can choose an entire predefined group, a single system, or customize a temporary group. To customize your group, use the RHN system search functionality (Figure 7) and System Set Manager (Figure 8). These features allow you to search for systems with various characteristics (packages, hardware, drivers, custom tags, location, etc.), and then click on the groups that you would like to apply actions to. System Set Manager allows you to merge and combine search results in many ways.

Figure 7. System Search

Figure 8. System Set Manager

- Schedule necessary actions: With your systems and groups now identified (either through predefined rules or through the System Set Manager), you are now ready to schedule actions such as patches and configuration changes or even complete a reprovisioning of the systems. Pick the packages to update, apply these actions against your selected systems, schedule the action to take place at a time convenient to your environment, and then let the action take place. You should note also that you can schedule multiple actions against a system at once.

Figure 9. Provision your Systems

- Schedule any arbitrary actions or reboot: Once you have scheduled your actions, you can also schedule additional arbitrary actions or necessary reboots for a machine. RHN allows you to configure the clients to give system administrators root-level access to a system. This functionality allows administrators to centrally schedule necessary actions against boxes in remote or distributed locations.

Figure 10. Provisioning Configuration Files

- Failed actions notifications: When the time arrives for the scheduled action(s), RHN executes the prearranged tasks, including full dependency checking against the packages being applied to your systems. In the event that any system cannot be properly managed or there is an error in the process, RHN issues a scheduled failed action report to the administrator.

Rollback and Recovery
To fully appreciate how RHN provides rollback and recovery, it is necessary to give an overview of how RHN records snapshots of your systems. When a system is given a Provisioning entitlement, RHN immediately begins storing snapshot profiles of that system whenever any change is made. Those changes can include updated packages, changed permissions, added or subtracted channels, new configuration files, or additions to new groups. Each change is recorded, time-stamped, and stored in the central database.

By storing these snapshot profiles as shown in Figure 11, a user can compare two such profiles against each other and direct the machine to take on a desired state. In the event of a rollback, the user is comparing the current state of the machine against a previous state and making the necessary changes. When cloning another image or machine, the user compares the machine that will be changed against the desired machine or image and asks the machine to change to the desired state.

Figure 11. System Snapshots

Red Hat Network chose to follow this method of performing rollback for two reasons. First, in cases where multiple states had to be rolled back, the snapshot method (or multi-state) is far more effective than rolling back many iterative states through RPM. Rolling back through many states risks mismanaging configurations or other errors repeatedly. Second, this method allows users to easily recover their systems in the event that there is a client failure. Since the snapshot is stored centrally in the database, it is a simple matter of bringing a system back up and then pointing it to the image of the latest known good state.

It should be noted that when a system is rolled back (or pointed to another image to clone), it is not just package changes that occur. These changes include permissions, group or channel changes, configuration files, and other actions that may have been made against the system. There may be cases when it is cleaner to reinstall the OS completely. In these cases, RHN uses logic to discern if reprovisioning the system is a better process than making all the individual changes.
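
The comparison of two snapshot profiles described above, as an added example (not from the paper and not RHN's own logic). It goes one step beyond the text by counting the actions for a direct multi-state rollback against the same rollback done one state at a time. The Snapshot fields, the simplified version comparison, the channel and group labels, and all sample data are assumptions.

```python
"""Added example: rollback as one delta between two stored snapshots."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:                      # hypothetical fields, not RHN's schema
    packages: dict                   # name -> "version-release"
    channels: frozenset
    groups: frozenset
    configs: dict                    # path -> revision number


def vercmp(a, b):
    """Simplified RPM-style compare of digit/letter segments (no epoch, no ~)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare "version-release" strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)


def delta(current, target):
    """Actions that take a system from `current` to `target`."""
    acts = []
    for name in sorted(current.packages.keys() | target.packages.keys()):
        cur, tgt = current.packages.get(name), target.packages.get(name)
        if cur is None:
            acts.append(("install", name, tgt))
        elif tgt is None:
            acts.append(("remove", name, cur))
        elif evr_cmp(cur, tgt):
            verb = "downgrade" if evr_cmp(cur, tgt) > 0 else "upgrade"
            acts.append((verb, name, f"{cur} -> {tgt}"))
    for verb, items in (("subscribe", target.channels - current.channels),
                        ("unsubscribe", current.channels - target.channels),
                        ("join_group", target.groups - current.groups),
                        ("leave_group", current.groups - target.groups)):
        acts += [(verb, item, None) for item in sorted(items)]
    for path in sorted(current.configs.keys() | target.configs.keys()):
        cur, tgt = current.configs.get(path), target.configs.get(path)
        if tgt is None:
            acts.append(("remove_config", path, cur))
        elif cur != tgt:
            acts.append(("deploy_config", path, tgt))
    return acts


CONF = "/etc/httpd/conf/httpd.conf"
PROD = "example-production"           # constructed channel label
HISTORY = [                           # constructed snapshots, oldest first
    Snapshot({"httpd": "2.0.52-9", "openssl": "0.9.7a-43.1"},
             frozenset({PROD}), frozenset({"web"}), {CONF: 1}),
    Snapshot({"httpd": "2.0.52-12", "openssl": "0.9.7a-43.1"},
             frozenset({PROD}), frozenset({"web"}), {CONF: 2}),
    Snapshot({"httpd": "2.0.52-12", "openssl": "0.9.7a-43.1", "php": "4.3.9-3.1"},
             frozenset({PROD, "example-custom"}), frozenset({"web"}), {CONF: 3}),
    Snapshot({"httpd": "2.0.52-19", "openssl": "0.9.7a-43.2"},
             frozenset({PROD, "example-custom"}),
             frozenset({"web", "staging-test"}), {CONF: 4}),
]


def rollback_direct(history, index):
    """Multi-state rollback: one delta from the newest snapshot to `index`."""
    return delta(history[-1], history[index])


def rollback_iterative(history, index):
    """Undo one recorded state at a time until `index` is reached."""
    acts = []
    for i in range(len(history) - 1, index, -1):
        acts += delta(history[i], history[i - 1])
    return acts


if __name__ == "__main__":
    print(len(rollback_direct(HISTORY, 0)), len(rollback_iterative(HISTORY, 0)))
```

On this data the direct rollback touches the configuration file once, while the step-by-step path redeploys it three times and reinstalls a package only to remove it again.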

Reprovision your Systems
Red Hat Network can be an important tool for enabling a flexible infrastructure. Many times, systems are deployed for a particular function, such as an application server or web server. Business needs, such as changing projects or customer demand, may require that the system be repurposed for a different use. Rather than manually adjusting the packages, applications, and configurations on the system, Red Hat Network allows you to choose a profile and activation key for the type of system needed and RHN will quickly handle reprovisioning the system to meet the new requirement.

For some customers, it may make sense to wipe systems clean and reinstall the image to make sure that no other files or changes have been applied outside the RHN application. In this event, RHN stores the state of your system, and then re-provisions the system accordingly. Settings are then restored, packages and configuration files reapplied, and data reloaded.

Note that reprovisioning is only for servers that do not serve as data storage repositories. If your server is used as a storage device, the data must either be backed up to other servers and/or put into RPM format and loaded into an RHN channel.

Monitoring your Systems
Before you bring your systems online into production environments, you should include a monitoring solution to ensure availability and performance. Once you have identified systems that need monitoring functionality, you can use Red Hat Network Monitoring Module.

- Create probes: You can start by creating monitoring probes for your systems. Probes can monitor the system, network functionality, or applications. Dozens of pre-built probes are available, including many for applications from Oracle, MySQL, Apache, and BEA. You can also create custom probes using the tools included with Red Hat Network.

Figure 12. Create and Configure Probes

- Configure probes: Each probe can be configured for warning and critical performance thresholds. When these thresholds are reached, email or pager notifications can be sent to people identified in the probe.
- Define and deploy probe suites: You will often deploy the same probes across your systems, particularly across systems of a similar type. With Red Hat Network, you can create groups, or suites, of fully configured probes. These suites are then deployed to a given system, or group of systems, all at once rather than adding them one at a time. Once deployed, you can globally adjust the probe configurations for all systems that received the suite. You can also decouple deployed probes from a probe suite if system-level tweaks are needed.

Figure 13. Probe Suites

- View reports: Beyond receiving alerts when systems exceed thresholds, it may be helpful to look at performance over a period of time. With Red Hat Network, you can create graphs of a probe's performance over any period of time, as well as view the raw data from the information collected by the Monitoring Module.

Useful Links
Red Hat Network homepage: rhn.redhat.com
Red Hat Network product information: www.redhat.com/software/rhn/
Worldwide contact information: www.redhat.com/about/corporate/wwoffices/

APPENDIX 1: Getting More from RHN - The API Access Layer
Red Hat knows that customers value choice, and we also know that every customer's systems management needs will be a little different depending on the exact solution that is being designed. To accommodate this, Red Hat Network is built with flexibility in mind and features a full set of APIs to ensure easy integration with your environment. Some potential additional functionality available in conjunction with Red Hat Network APIs are:

- Automation: Create scripts that let you perform actions more quickly than navigating the RHN GUI.
- Third-party integration: Integrate actions from RHN with other third-party tools to provide a more robust solution.
- Custom application integration: Use RHN as a complement to your existing processes and solutions. RHN does not require that you replace your existing environment or that you use only our products in your solution.

For more information regarding the APIs currently available, go to https://rhn.redhat.com/rpc/api/.

Lastly, Red Hat takes recommendations on new calls to the API layer with each release. If you are interested in learning more about this functionality and/or have a recommendation for Red Hat Network, consult your salesperson or sales engineer.

APPENDIX 2: Running RHN in Highly Secure Environments
Keeping your Satellite Server connected to the central RHN servers via the Internet provides your company with an immediate and automated stream of Red Hat content. For increased security, however, some customers opt to run in a disconnected or completely off-network mode. Typically, Red Hat sees two kinds of deployments:

1. Disconnected: In the disconnected mode, customers sync their Satellite Servers to the Internet only for predefined time periods and only long enough to pull down the necessary content changes from the central RHN servers. Essentially, this process is the same as being always connected except that you will only receive updates at predetermined times.
2. Off-Network: Satellite Server offers the capability to take an infrastructure completely off the network. Customers can pull down ISOs and packages in one of two ways:
   - Have physical media shipped to them.
   - Pull down packages/ISOs to a connected system, and apply these packages to physical media. Packages can then be installed from the physical media onto the Satellite Server directly.

To understand more about how you can use Red Hat Network in highly secure environments, talk with your salesperson or sales engineer.

APPENDIX 3: Key Glossary Terms
Definitions of features and functionality available in Red Hat Network and referenced in this white paper.

Activation Keys: A unique RHN-generated key that can be used by an administrator to register a system to RHN, entitle the system, subscribe the system to selected channels, and then assign the system to predetermined groups and permissions. This process saves time and allows new systems to be deployed into production immediately.

API Access Layer: Application Program Interface. RHN provides an API layer that allows users to easily interact and integrate with RHN to allow RHN to fit into their existing environments as well as augment the functionality of RHN.

Arbitrary Actions: Actions that can be executed against specific systems in conjunction with other actions executed by RHN. For example, an administrator may wish to execute a reboot (or other) command on a specific system after updating that system. Arbitrary actions allow the administrator to schedule that command to take place after the update occurs.

Auto Update: The ability to have a system automatically update itself with any new packages that have been added to the channels to which that system is subscribed.

Bare Metal Provisioning (w/ PXE): The ability to provision a system without a pre-installed operating system by using PXE Boot in conjunction with RHN Satellite Server. This functionality allows for rapid deployment of new servers into your production environment.

Base Channel: A base channel is a type of channel that consists of a list of packages based on a specific architecture and Red Hat release. For example, all the packages in Red Hat Enterprise Linux AS 3 for the x86 architecture make a base channel.

Channel: A channel is a list of packages. Channels are used to choose packages to be installed from client systems. Every client system must be subscribed to one base channel and can be subscribed to one or more child channel(s).

Channel Cloning and Management: The ability to clone a channel and manage the deployment of channels into your environment. Channel cloning and management is used to duplicate channels or to set up staged environments.

Channel Permissions: The ability within RHN to assign permissions to different users for access to different channels. This feature ensures that only users who have been granted access can manage defined channels.

Configuration Channels: Channels that function as repositories for configuration files.

Configuration Management: The ability for RHN to make remote changes to configuration files through the RHN interface. RHN can make these configuration changes to any text-based file in the managed system's file space.

Custom Channels: Channels that function as repositories for custom content. As long as content is properly packaged in the RPM format, administrators can use RHN to manage custom content throughout their environment.

Delta-based Actions: The functionality is used by RHN when performing system cloning and/or rollback. RHN looks at the differences (or deltas) between the current and desired state of the system and then executes the necessary actions to provision your system to the desired state.

Dependency Checking: The process undertaken by RHN through RPM to ensure that when an update is applied to a system, the system has all the necessary dependency packages needed to make the update. If the system does not have all of the necessary dependent packages (or if they are of earlier versions not yet updated), RHN will include those (updated) packages in the update.

Disconnected Satellite: See Off-Network Capability.

Email Notification: An alert sent by RHN via email about new errata, failed actions, or other requests set by the user regarding the state of their system(s).

Errata: Information published by Red Hat describing security fixes, bug fixes, and package enhancements for Red Hat Enterprise Linux. The information includes the topics of the errata, Bugzilla bug IDs, relevant releases/architectures, solutions including required RPMs, and MD5 checksums for verification.

Errata Cloning and Management: The ability to clone and manage (create and make changes to) the deployment of errata into your environment. Errata cloning and management is used to create custom errata or to pass errata through staged environments.

Kickstart: Kickstart is a method of automating the installation of Red Hat Enterprise Linux onto a computer. This is accomplished by creating a file (ks.cfg) that contains responses to all the questions that would be asked by the installation program during interactive installation. RHN uses Kickstart to provision systems.

Local Package Caching: The process of storing or caching content locally on a Proxy or Satellite Server for faster downloads and easier distribution.

Off-Network Capability: The ability for RHN Satellite Server to run in a completely disconnected or off-network environment, thereby ensuring the highest level of security. To sync the Satellite Server, it is necessary to physically provide media to the Satellite Server. This media can either be downloaded and created by a system that does have access to the Internet or by media sent to the customer from Red Hat.

Org Admin: Organization Administrators are sets of users that have the highest level of control over an organization's Red Hat Network account. Members of this group can add users, systems, and system groups to the organization as well as remove them. An Organization Administrator can also give users administrative privileges to system groups. An RHN organization must have at least one member of the Organization Administrator group.

Package: All software in Red Hat Enterprise Linux is divided into software packages. Software updates are released in the form of RPM packages that can be installed on a Red Hat Enterprise Linux system.

Package Profile Comparison: The ability for RHN to compare sets of packages between two systems or between a system and an existing image. This allows the user to audit the packages of a system or compare against another system. This functionality is also used by RHN to determine necessary changes to a system when provisioning that system.

Provisioning: The act of providing a system with all of the necessary components to effectively deploy that server. RHN uses Kickstart functionality and activation keys to provision a system with all necessary components: permissions, channel subscriptions, groups, operating system, additional packages, configuration changes, and any arbitrary actions defined by the user.

RPM (Red Hat Package Manager): A software package manager that was developed by Red Hat. It can be used to build, install, query, verify, update, and uninstall software packages. All software updates from RHN are delivered in RPM format.

RPM-based Application Provisioning: The ability for RHN to provision applications that are packaged in the proper RPM format. This is done by putting the application packages in a custom content channel and then using RHN to distribute to the different systems.

Scheduled Actions: The ability to schedule an action to occur within a predefined interval. Scheduled actions can be used to effect changes in a determined sequence of events or to select a distinct time period for an action to occur.

State Image Snapshot: RHN records snapshots of your system whenever there is a change in the state. These snapshots are then stored to create a profile of your system that can be used to roll back your system or in the event of disaster recovery.

System Cloning: The ability to clone a system through the use of RHN provisioning functionality.

System Grouping: The ability for RHN to group multiple individual systems together so that they can be managed as a single entity. This allows administrators to effectively manage an entire group of systems as easily as they could manage a single system.

System Profile: Hardware and software information about the client system. It is created during the registration process and regularly updated by RHN. The software information is a list of RPM packages and their versions installed on the client system. The System Profile is used to determine every errata relevant to each client system.

System Permissions: The ability within RHN to assign permissions to different users for access to different systems. This feature ensures that only users who have been granted access can manage defined systems.

System Search: The ability to search through managed systems. RHN allows you to search by packages, hardware characteristics, DMI information, network information, defined asset tags, and more.

System Set: Interface that allows users to create temporary groups and perform actions on multiple systems. Actions include applying Errata Updates, upgrading packages, and adding/removing systems to/from system groups.
