Importing Content

This chapter outlines how you can import different types of custom content to orcharhino. If you want to import RPM or DEB packages, Files, or Puppet Modules to orcharhino, it is done with largely the same procedures in this chapter.

For example, you can use the following chapters for information on specific types of custom content but the underlying procedures are the same:

Products and Repositories in orcharhino

You can organize content in Products. Products bundle an arbitrary number of repositories.

Custom Products require a subscription for hosts to access. orcharhino creates a subscription for each custom product you create.

Importing Custom SSL Certificates

Before you synchronize custom content from an external source, you might need to import SSL certificates into your custom product. This might include client certs and keys or CA certificates for the upstream repositories you want to synchronize.

If you require SSL certificates and keys to download RPMs, you can add them to orcharhino.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Content Credentials. In the Content Credentials window, click Create Content Credential.

  2. In the Name field, enter a name for your SSL certificate.

  3. From the Type list, select SSL Certificate.

  4. In the Content Credentials Content field, paste your SSL certificate, or click Browse to upload your SSL certificate.

  5. Click Save.

CLI procedure
  1. Copy the SSL certificate to your orcharhino Server:

    $ scp My_SSL_Certificate root@orcharhino.example.com:~/.

    Or download the SSL certificate to your orcharhino Server from an online source:

    $ wget -P ~ http://upstream-orcharhino.example.com/pub/katello-server-ca.crt
  2. Upload the SSL Certificate to orcharhino:

    # hammer content-credential create \
    --content-type cert \
    --name "My_SSL_Certificate" \
    --organization "My_Organization" \
    --path ~/My_SSL_Certificate

Creating a Custom Product

Use this procedure to create a custom product that you can then add repositories to. To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products, click Create Product.

  2. In the Name field, enter a name for the product. orcharhino automatically completes the Label field based on what you have entered for Name.

  3. Optional: From the GPG Key list, select the GPG key for the product.

  4. Optional: From the SSL CA Cert list, select the SSL CA certificate for the product.

  5. Optional: From the SSL Client Cert list, select the SSL client certificate for the product.

  6. Optional: From the SSL Client Key list, select the SSL client key for the product.

  7. Optional: From the Sync Plan list, select an existing sync plan or click Create Sync Plan and create a sync plan for your product requirements.

  8. In the Description field, enter a description of the product.

  9. Click Save.

CLI procedure

To create the product, enter the following command:

# hammer product create \
--name "My_Product" \
--sync-plan "Example Plan" \
--description "Content from My Repositories" \
--organization "My_Organization"

Best Practices for Products and Repositories

  • We recommend keeping products as small as possible. For example, one product each for PostgreSQL-7.0, PostgreSQL-7.1, and PostgreSQL-8.1 with one repository each is better than a single PostgreSQL product including multiple repositories for different versions. Likewise, we recommend separate products for things like Debian-12, Apache 2.0, MySQL-5.1, and PostgreSQL 7.1 rather than a single WebServer product. Because products correspond to subscriptions, small products give you greater control over what subscriptions and what content is used through your activation keys.

  • Separate products by major release, for example Debian 12.

  • Use one content type per product and content view, for example deb or yum only.

  • Make file repositories available through HTTP. Using TLS is currently only working with a global debugging certificate.

  • Add sync plans to products.

  • Spread out starting sync plans over a large time span. We do not recommend to start synchronizing a lot of repositories at the same time.

  • Synchronize your content regularly to avoid overly large changes in repositories. We recommend synchronizing content rather each night than only once a month.

  • Use file repositories for installation media. File repositories require a Pulp Manifest file which you can create using pulp-manifest /path/to/files. Use local repositories with file:///path/to/files as Upstream URL in orcharhino, for example for installation media. Alternatively, place the installation media file repositories on a web server that can be reached from hosts during provisioning.

    ATIX provides file repositories for installation media. Once synchronized, you can perform offline host deployments using a local installation media. See ATIX Service Portal for the upstream URL.

    ATIX provides the following installation media as file repository:

    • Debian 9, 10, and 11

    • Ubuntu 18.04

    • Ubuntu 20.04

  • Use a Hammer script or Ansible Playbook to create a lot of products and repositories when starting with a fresh orcharhino installation.

  • We do not recommend uploading content to repositories with an Upstream URL. Instead, create a repository to synchronize content, for example Debian or nginx, and create a repository to upload content to without setting an Upstream URL.

    If you upload content to a repository that already synchronizes another repository, there might be unwanted side effects depending on the mirroring policy and content type.

Extracting GPG Public Key Fingerprints from a Release Files

You can use GPG public keys the verify the authenticity of APT repositories by verifying the signature of the Release file. This example verifies the signature for the Release file from Debian 11.

Procedure
  1. Download the Release and Release.gpg files:

    $ wget https://deb.debian.org/debian/dists/bullseye/Release
    $ wget https://deb.debian.org/debian/dists/bullseye/Release.gpg
  2. Verify the signature:

    $ gpg --verify Release.gpg Release
  3. If you cannot verify the signature, import the missing GPG public keys based on the output of the command above:

    $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
    $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
    $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys A4285295FC7B1A81600062A9605C66F00D6C9793
  4. Optional: Verify the signature again:

    $ gpg --verify Release.gpg Release
  5. Export the ASCII-armored GPG public keys to a file:

    $ gpg --armor --export 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 A7236886F3CCCAAD148A27F80E98404D386FA1D9 A4285295FC7B1A81600062A9605C66F00D6C9793 > debian_11.txt

    Use this .txt file and upload it to orcharhino as described below.

Continue to import the custom GPG public key into orcharhino.

GPG Keys for Debian

You can download the official GPG public keys from debian.org. You can check which GPG public key is required to verify the Release.gpg file.

Debian 12 (Bookworm) main
$ wget http://ftp.debian.org/debian/dists/bookworm/Release && wget http://ftp.debian.org/debian/dists/bookworm/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
$ gpg --keyserver keys.gnupg.net --recv-key A7236886F3CCCAAD148A27F80E98404D386FA1D9
$ gpg --keyserver keys.gnupg.net --recv-key 4D64FEC119C2029067D6E791F8D2585B8783D481
$ gpg --armor --export 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 A7236886F3CCCAAD148A27F80E98404D386FA1D9 4D64FEC119C2029067D6E791F8D2585B8783D481 > debian_bookworm_main.txt
Debian 12 (Bookworm) updates
$ wget http://ftp.debian.org/debian/dists/bookworm-updates/Release && wget http://ftp.debian.org/debian/dists/bookworm-updates/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key A7236886F3CCCAAD148A27F80E98404D386FA1D9
$ gpg --keyserver keys.gnupg.net --recv-key 4CB50190207B4758A3F73A796ED0E7B82643E131
$ gpg --armor --export A7236886F3CCCAAD148A27F80E98404D386FA1D9 4CB50190207B4758A3F73A796ED0E7B82643E131 > debian_bookworm_updates.txt
Debian 12 (Bookworm) security
$ wget https://security.debian.org/debian-security/dists/bookworm-security/Release && wget https://security.debian.org/debian-security/dists/bookworm-security/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key ED541312A33F1128F10B1C6C54404762BBB6E853
$ gpg --keyserver keys.gnupg.net --recv-key B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8
$ gpg --armor --export ED541312A33F1128F10B1C6C54404762BBB6E853 B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8 > debian_bookworm_security.txt
Debian 11 (Bullseye) main
$ wget http://ftp.debian.org/debian/dists/bullseye/Release && wget http://ftp.debian.org/debian/dists/bullseye/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver pgp.mit.edu --recv-key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
$ gpg --keyserver pgp.mit.edu --recv-key A4285295FC7B1A81600062A9605C66F00D6C9793
$ gpg --keyserver pgp.mit.edu --recv-key A7236886F3CCCAAD148A27F80E98404D386FA1D9
$ gpg --armor --export DC30D7C23CBBABEE 605C66F00D6C9793 73A4F27B8DD47936 > debian_bullseye_main.txt
Debian 11 (Bullseye) updates
$ wget http://ftp.debian.org/debian/dists/bullseye-updates/Release && wget http://ftp.debian.org/debian/dists/bullseye-updates/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver pgp.mit.edu --recv-key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
$ gpg --keyserver pgp.mit.edu --recv-key A7236886F3CCCAAD148A27F80E98404D386FA1D9
$ gpg --armor --export DC30D7C23CBBABEE 73A4F27B8DD47936 > debian_bullseye_updates.txt
Debian 11 (Bullseye) security
$ wget https://security.debian.org/debian-security/dists/bullseye-security/Release && wget https://security.debian.org/debian-security/dists/bullseye-security/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver pgp.mit.edu --recv-key 5237CEEEF212F3D51C74ABE0112695A0E562B32A
$ gpg --keyserver pgp.mit.edu --recv-key ED541312A33F1128F10B1C6C54404762BBB6E853
$ gpg --armor --export 4DFAB270CAA96DFA A48449044AAD5C5D > debian_bullseye_security.txt
Debian 10 (Buster) main
$ wget http://ftp.debian.org/debian/dists/buster/Release && wget http://ftp.debian.org/debian/dists/buster/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
$ gpg --keyserver keys.gnupg.net --recv-key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
$ gpg --keyserver keys.gnupg.net --recv-key 6D33866EDD8FFA41C0143AEDDCC9EFBF77E11517
$ gpg --armor --export E0B11894F66AEC98 DC30D7C23CBBABEE DCC9EFBF77E11517 > debian_buster_main.txt
Debian 10 (Buster) updates
$ wget http://ftp.debian.org/debian/dists/buster-updates/Release && wget http://ftp.debian.org/debian/dists/buster-updates/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
$ gpg --keyserver keys.gnupg.net --recv-key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
$ gpg --armor --export E0B11894F66AEC98 DC30D7C23CBBABEE > debian_buster_updates.txt
Debian 10 (Buster) security
$ wget http://security.debian.org/debian-security/dists/buster/updates/Release && wget http://security.debian.org/debian-security/dists/buster/updates/Release.gpg
$ gpg --verify Release.gpg Release
$ gpg --keyserver keys.gnupg.net --recv-key 379483D8B60160B155B372DDAA8E81B4331F7F50
$ gpg --keyserver keys.gnupg.net --recv-key 5237CEEEF212F3D51C74ABE0112695A0E562B32A
$ gpg --armor --export EDA0D2388AE22BA9 4DFAB270CAA96DFA > debian_buster_security.txt

Adding DEB Repositories

Use this procedure to add DEB repositories in orcharhino. To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products and select the product that you want to use, and then click New Repository.

  2. In the Name field, enter a name for the repository. orcharhino automatically completes the Label field based on what you have entered for Name.

  3. Optional: In the Description field, enter a description for the repository.

  4. From the Type list, select deb as type of repository.

  5. Optional: In the Upstream URL field, enter the URL of the external repository to use as a source. You can find the upstream URLs on Debian-based systems in /etc/apt/sources.list.

    If you do not enter an upstream URL, you can manually upload packages.

  6. In the Releases/Distributions field, set one or multiple releases separated by whitespace. The distributions specify the path from the repository root to the Release file. Repositories that omit the dists directory are using the deprecated flat repository structure. To synchronize a flat repository, you must specify exactly one distribution that ends with a /.

    For official Debian repositories, set a codename in the Releases/Distributions field, for example buster for Debian 10 or bullseye for Debian 11. Avoid using stable or testing because the codename they reference changes over time. This helps to avoid drastic changes once a new Debian version is released and the reference is changed. To keep things easy to manage and to avoid potential performance and network issues during synchronization, create one repository per release in orcharhino. For official Ubuntu repositories, use the Ubuntu suite, for example focal or focal-updates.

  7. Optional: In the Components field, enter a component. This indicates the licensing terms of the software packages.

    In Debian, it is divided into main, contrib, and non-free. For official Debian or Ubuntu repositories, ATIX AG recommends leaving this field empty to synchronize all available components. Note that some third party Debian repositories use the components in ways that may require setting an explicit selection.

    Ensure that you enter both Releases and Components exactly as they are in an /etc/apt/sources.list file.

  8. Optional: In the Architectures field, enter one or multiple architectures. If you want to make the repository available to all hosts regardless of the architecture, ensure to select No restriction.

  9. Optional: In the Errata URL field, enter the URL of an errata service.

    The ATIX AG Debian and Ubuntu Errata service provides errata for Debian and Ubuntu. When creating a repository of type deb, point the Errata URL to ATIX AG Debian and Ubuntu Errata service. Use https://dep.atix.de/dep/api/v1/debian for Debian, https://dep.atix.de/dep/api/v1/ubuntu for Ubuntu, and https://dep.atix.de/dep/api/v1/ubuntu-esm for Ubuntu-ESM.

    An erratum contains the information which packages have to be updated to fix a security issue. Debian and Ubuntu errata are derived from the Debian security announcements (DSA) and the Ubuntu security notices (USN).

    Ensure to only add Debian and Ubuntu errata to Debian and Ubuntu repositories that contain the packages needed to apply the errata. For Debian, you need the My_Debian_Release/updates repository, for example bullseye/updates. For Ubuntu, you need the My_Ubuntu_Release-security repository, for example jammy-security.

  10. Optional: Select the Verify SSL checkbox if you want to verify that the upstream repository’s SSL certificates are signed by a trusted CA.

  11. Optional: In the Upstream Username field, enter the user name for the upstream repository if required for authentication. Clear this field if the repository does not require authentication.

  12. Optional: In the Upstream Password field, enter the corresponding password for the upstream repository. Clear this field if the repository does not require authentication.

  13. Optional: In the Upstream Authentication Token field, provide the token of the upstream repository user for authentication. Leave this field empty if the repository does not require authentication.

  14. From the Download Policy list, select the type of synchronization orcharhino Server performs. For more information, see Download Policies Overview.

  15. From the Mirroring Policy list, select the type of content synchronization orcharhino Server performs. For more information, see Mirroring Policies Overview.

  16. Optional: In the HTTP Proxy Policy field, select an HTTP proxy.

  17. Optional: You can clear the Unprotected checkbox to require a subscription entitlement certificate for accessing this repository. By default, the repository is published through HTTP.

  18. Optional: From the GPG Key list, select the GPG key if you want to verify the signatures of the Release files associated with the Debian repository.

  19. Optional: In the SSL CA Cert field, select the SSL CA Certificate for the repository.

  20. Optional: In the SSL Client cert field, select the SSL Client Certificate for the repository.

  21. Optional: In the SSL Client Key field, select the SSL Client Key for the repository.

  22. Click Save to create the repository.

CLI procedure
  1. Enter the following command to create the repository:

    # hammer repository create \
    --content-type "deb" \
    --deb-architectures "My_DEB_Architectures" \
    --deb-components "_My_DEB_Components" \
    --deb-releases "My_DEB_Releases" \
    --gpg-key-id "My_GPG_Key_ID" \
    --name "_My_Repository" \
    --organization "My_Organization" \
    --product "My_Product" \
    --publish-via-http true \
    --url My_Upstream_URL

Adding DEB Repository Example for Debian 11

This example creates a product and repositories for Debian 11.

Prerequisites
  1. Extract the GPG public keys from the Release file

  2. Import the content credentials into orcharhino

Procedure
  1. In the orcharhino management UI, navigate to Content > Products.

  2. Click Create Product to create a product named Debian 11. For more information, see Creating a Custom Product.

  3. On the Repositories tab, click New Repository to create three repositories of type deb as follows:

    • Debian 11 main

      • Upstream URL: http://deb.debian.org/debian/

      • Releases/Distributions: bullseye

      • Component: main

      • Architecture: amd64

    • Debian 11 updates

      • Upstream URL: http://deb.debian.org/debian/

      • Releases/Distributions: bullseye-updates

      • Component: main

      • Architecture: amd64

    • Debian 11 security

      • Upstream URL: http://deb.debian.org/debian-security/

      • Releases/Distributions: bullseye-security

      • Component: main

      • Architecture: amd64

  4. Click Create Product to create a product named Debian 11 client. For more information, see Creating a Custom Product.

  5. On the Repositories tab, click New Repository to create a repository of type deb as follows:

    • Debian 11 client

      • Upstream URL: see ATIX Service Portal

      • Releases/Distributions: stable

      • Component: main

      • Architecture: amd64

The ATIX Debian and Ubuntu Errata service provides errata for Debian and Ubuntu. When creating a repository of type deb, point the Errata URL at ATIX’s Debian and Ubuntu Errata Parser server. Use https://dep.atix.de/dep/api/v1/debian for Debian, https://dep.atix.de/dep/api/v1/ubuntu for Ubuntu, and https://dep.atix.de/dep/api/v1/ubuntu-esm for Ubuntu-ESM.

An erratum contains the information which packages have to be updated to fix a security issue. Debian and Ubuntu errata are derived from the Debian security announcements (DSA) and the Ubuntu security notices (USN).

Ensure to only add Debian and Ubuntu errata to Debian and Ubuntu repositories that contain the packages needed to apply the errata. For Debian, you need the My_Debian_Release/updates repository, for example bullseye/updates. For Ubuntu, you need the My_Ubuntu_Release-security repository, for example jammy-security.

Adding orcharhino Clients for Debian

orcharhino Clients are required to register hosts to orcharhino. You can add them to your orcharhino during the installation process or afterwards. For more information, see Adding orcharhino Clients manually and Using orcharhino Clients gen2 in the ATIX Service Portal.

Procedure
  1. Create a product named orcharhino Clients for Debian. For more information, see Creating a Custom Product.

  2. Create a repository for Debian 12. You can find the upstream URL of all orcharhino Clients in the ATIX Service Portal. For more information, see Adding Custom deb Repositories.

  3. Synchronize the orcharhino Clients for Debian to your orcharhino. For more information, see Synchronizing Repositories.

  4. Create a content view to make the .deb packages consumable by content hosts. For more information, see Creating an Activation Key.

  5. Create an activation key to register content hosts to orcharhino. For more information, see Creating an Activation Key.

  6. Optional: Create a host group to simplify the process of creating hosts. For more information, see Creating a Host Group.

Synchronizing Repositories

You must synchronize repositories to download content into orcharhino. You can use this procedure for an initial synchronization of repositories or to synchronize repositories manually as you need.

You can also sync all repositories in an organization. For more information, see Synchronizing All Repositories in an Organization.

Create a sync plan to ensure updates on a regular basis. For more information, see Creating a Sync Plan.

The synchronization duration depends on the size of each repository and the speed of your network connection. The following table provides estimates of how long it would take to synchronize content, depending on the available Internet bandwidth:

Single Package (10Mb) Minor Release (750Mb) Major Release (6Gb)

256 Kbps

5 Mins 27 Secs

6 Hrs 49 Mins 36 Secs

2 Days 7 Hrs 55 Mins

512 Kbps

2 Mins 43.84 Secs

3 Hrs 24 Mins 48 Secs

1 Day 3 Hrs 57 Mins

T1 (1.5 Mbps)

54.33 Secs

1 Hr 7 Mins 54.78 Secs

9 Hrs 16 Mins 20.57 Secs

10 Mbps

8.39 Secs

10 Mins 29.15 Secs

1 Hr 25 Mins 53.96 Secs

100 Mbps

0.84 Secs

1 Min 2.91 Secs

8 Mins 35.4 Secs

1000 Mbps

0.08 Secs

6.29 Secs

51.54 Secs

Procedure
  1. In the orcharhino management UI, navigate to Content > Products and select the Product that contains the repositories that you want to synchronize.

  2. Select the repositories that you want to synchronize and click Sync Now.

  3. Optional: To view the progress of the synchronization in the orcharhino management UI, navigate to Content > Sync Status and expand the corresponding Product or repository tree.

CLI procedure
  • Synchronize an entire Product:

    # hammer product synchronize \
    --name "My_Product" \
    --organization "My_Organization"
  • Synchronize an individual repository:

    # hammer repository synchronize \
    --name "My_Repository" \
    --organization "My_Organization" \
    --product "My Product"

Synchronizing All Repositories in an Organization

Use this procedure to synchronize all repositories within an organization.

Procedure
  1. Log in to your orcharhino Server using SSH.

  2. Run the following Bash script:

    ORG="My_Organization"
    
    for i in $(hammer --no-headers --csv repository list --organization $ORG | awk -F, {'print $1'})
    do
      hammer repository synchronize --id ${i} --organization $ORG --async
    done

Download Policies Overview

orcharhino provides multiple download policies for synchronizing RPM and DEB content and container images. For example, you might want to download only the content metadata while deferring the actual content download for later.

orcharhino Server has the following policies:

Immediate

orcharhino Server downloads all metadata and packages during synchronization.

On Demand

orcharhino Server downloads only the metadata during synchronization. orcharhino Server only fetches and stores packages on the file system when orcharhino Proxies or directly connected clients request them. This setting has no effect if you set a corresponding repository on a orcharhino Proxy to Immediate because orcharhino Server is forced to download all the packages.

The On Demand policy acts as a Lazy Synchronization feature because they save time synchronizing content. The lazy synchronization feature must be used only for deb and yum repositories. You can add the packages to Content Views and promote to life cycle environments as normal.

orcharhino Proxy has the following policies:

Immediate

orcharhino Proxy downloads all metadata and packages during synchronization. Do not use this setting if the corresponding repository on orcharhino Server is set to On Demand as orcharhino Server is forced to download all the packages.

On Demand

orcharhino Proxy only downloads the metadata during synchronization. orcharhino Proxy fetches and stores packages only on the file system when directly connected clients request them. When you use an On Demand download policy, content is downloaded from orcharhino Server if it is not available on orcharhino Proxy.

Inherit

orcharhino Proxy inherits the download policy for the repository from the corresponding repository on orcharhino Server.

Streamed Download Policy

Streamed Download Policy for orcharhino Proxies permits orcharhino Proxies to avoid caching any content. When content is requested from the orcharhino Proxy, it functions as a proxy and requests the content directly from the orcharhino.

Changing the Default Download Policy

You can set the default download policy that orcharhino applies to repositories that you create in all organizations.

Depending on whether it is a Red Hat, SUSE, or custom repository, orcharhino uses separate settings. Changing the default value does not change existing settings.

Procedure
  1. In the orcharhino management UI, navigate to Administer > Settings.

  2. Click the Content tab.

  3. Change the default download policy depending on your requirements:

    • To change the default download policy for a Red Hat repository, change the value of the Default Red Hat Repository download policy setting.

    • To change the default download policy for a non-Red Hat custom repository, change the value of the Default Custom Repository download policy setting.

CLI procedure
  • To change the default download policy for Red Hat repositories to one of immediate or on_demand, enter the following command:

    # hammer settings set \
    --name default_redhat_download_policy \
    --value immediate
  • To change the default download policy for a custom repository to one of immediate or on_demand, enter the following command:

    # hammer settings set \
    --name default_download_policy \
    --value immediate

Changing the Download Policy for a Repository

You can set the download policy for a repository.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products.

  2. Select the required product name.

  3. On the Repositories tab, click the required repository name, locate the Download Policy field, and click the edit icon.

  4. From the list, select the required download policy and then click Save.

CLI procedure
  1. List the repositories for an organization:

    # hammer repository list \
    --organization-label My_Organization_Label
  2. Change the download policy for a repository to immediate or on_demand:

    # hammer repository update \
    --download-policy immediate \
    --name "My_Repository" \
    --organization-label My_Organization_Label \
    --product "My_Product"

Mirroring Policies Overview

Mirroring keeps the local repository exactly in synchronization with the upstream repository. If any content is removed from the upstream repository since the last synchronization, with the next synchronization, it will be removed from the local repository as well.

You can use mirroring policies for finer control over mirroring of repodata and content when synchronizing a repository. For example, if it is not possible to mirror the repodata for a repository, you can set the mirroring policy to mirror only content for this repository.

orcharhino Server has the following mirroring policies:

Additive

Neither the content nor the repodata is mirrored. Thus, only new content added since the last synchronization is added to the local repository and nothing is removed.

Content Only

Mirrors only content and not the repodata. Some repositories do not support metadata mirroring, in such cases you can set the mirroring policy to content only to only mirror the content.

Complete Mirroring

Mirrors content as well as repodata. This is the fastest method. This mirroring policy is only available for Yum content.

Changing the Mirroring Policy for a Repository

You can set the mirroring policy for a repository.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products.

  2. Select the product name.

  3. On the Repositories tab, click the repository name, locate the Mirroring Policy field, and click the edit icon.

  4. From the list, select a mirroring policy and click Save.

CLI procedure
  1. List the repositories for an organization:

    # hammer repository list \
    --organization-label My_Organization_Label
  2. Change the mirroring policy for a repository to additive, mirror_complete, or mirror_content_only:

    # hammer repository update \
    --id 1 \
    --mirroring-policy mirror_complete

Configuring SELinux to Permit Content Synchronization on Custom Ports

SELinux permits access of orcharhino for content synchronization only on specific ports. By default, connecting to web servers running on the following ports is permitted: 80, 81, 443, 488, 8008, 8009, 8443, and 9000.

Procedure
  1. On orcharhino, to verify the ports that are permitted by SELinux for content synchronization, enter a command as follows:

    # semanage port -l | grep ^http_port_t
    http_port_t     tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
  2. To configure SELinux to permit a port for content synchronization, for example 10011, enter a command as follows:

    # semanage port -a -t http_port_t -p tcp 10011

Recovering a Corrupted Repository

In case of repository corruption, you can recover it by using an advanced synchronization, which has three options:

Optimized Sync

Synchronizes the repository bypassing RPMs that have no detected differences from the upstream RPMs.

Complete Sync

Synchronizes all RPMs regardless of detected changes. Use this option if specific RPMs could not be downloaded to the local repository even though they exist in the upstream repository.

Verify Content Checksum

Synchronizes all RPMs and then verifies the checksum of all RPMs locally. If the checksum of an RPM differs from the upstream, it re-downloads the RPM. This option is relevant only for yum repositories. Use this option if you have one of the following errors:

  • Specific RPMs cause a 404 error while synchronizing with yum.

  • Package does not match intended download error, which means that specific RPMs are corrupted.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products.

  2. Select the product containing the corrupted repository.

  3. Select the name of a repository you want to synchronize.

  4. To perform optimized sync or complete sync, select Advanced Sync from the Select Action menu.

  5. Select the required option and click Sync.

  6. Optional: To verify the checksum, click Verify Content Checksum from the Select Action menu.

CLI procedure
  1. Obtain a list of repository IDs:

    # hammer repository list \
    --organization "My_Organization"
  2. Synchronize a corrupted repository using the necessary option:

    • For the optimized synchronization:

      # hammer repository synchronize \
      --id My_ID
    • For the complete synchronization:

      # hammer repository synchronize \
      --id My_ID \
      --skip-metadata-check true
    • For the validate content synchronization:

      # hammer repository synchronize \
      --id My_ID \
      --validate-contents true

Adding an HTTP Proxy

Use this procedure to add HTTP proxies to orcharhino. You can then specify which HTTP proxy to use for Products, repositories, and supported compute resources.

Prerequisites

Your HTTP proxy must allow access to the following hosts:

Host name Port Protocol

subscription.rhsm.redhat.com

443

HTTPS

cdn.redhat.com

443

HTTPS

*.akamaiedge.net

443

HTTPS

If orcharhino Server uses a proxy to communicate with subscription.rhsm.redhat.com and cdn.redhat.com then the proxy must not perform SSL inspection on these communications.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Infrastructure > HTTP Proxies and select New HTTP Proxy.

  2. In the Name field, enter a name for the HTTP proxy.

  3. In the URL field, enter the URL for the HTTP proxy, including the port number.

  4. If your HTTP proxy requires authentication, enter a Username and Password.

  5. Optional: In the Test URL field, enter the HTTP proxy URL, then click Test Connection to ensure that you can connect to the HTTP proxy from orcharhino.

  6. Click the Locations tab and add a location.

  7. Click the Organization tab and add an organization.

  8. Click Submit.

CLI procedure
  • On orcharhino Server, enter the following command to add an HTTP proxy:

    # hammer http-proxy create \
    --name proxy-name \
    --url proxy-URL:port-number

    If your HTTP proxy requires authentication, add the --username name and --password password options.

Changing the HTTP Proxy Policy for a Product

For granular control over network traffic, you can set an HTTP proxy policy for each Product. A Product’s HTTP proxy policy applies to all repositories in the Product, unless you set a different policy for individual repositories.

To set an HTTP proxy policy for individual repositories, see Changing the HTTP Proxy Policy for a Repository.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products and select the checkbox next to each of the Products that you want to change.

  2. From the Select Action list, select Manage HTTP Proxy.

  3. Select an HTTP Proxy Policy from the list:

    • Global Default: Use the global default proxy setting.

    • No HTTP Proxy: Do not use an HTTP proxy, even if a global default proxy is configured.

    • Use specific HTTP Proxy: Select an HTTP Proxy from the list. You must add HTTP proxies to orcharhino before you can select a proxy from this list. For more information, see Adding an HTTP Proxy.

  4. Click Update.

Changing the HTTP Proxy Policy for a Repository

For granular control over network traffic, you can set an HTTP proxy policy for each repository. To use the CLI instead of the orcharhino management UI, see the CLI procedure.

To set the same HTTP proxy policy for all repositories in a Product, see Changing the HTTP Proxy Policy for a Product.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products and click the name of the Product that contains the repository.

  2. In the Repositories tab, click the name of the repository.

  3. Locate the HTTP Proxy field and click the edit icon.

  4. Select an HTTP Proxy Policy from the list:

    • Global Default: Use the global default proxy setting.

    • No HTTP Proxy: Do not use an HTTP proxy, even if a global default proxy is configured.

    • Use specific HTTP Proxy: Select an HTTP Proxy from the list. You must add HTTP proxies to orcharhino before you can select a proxy from this list. For more information, see Adding an HTTP Proxy.

  5. Click Save.

CLI procedure
  • On orcharhino Server, enter the following command, specifying the HTTP proxy policy you want to use:

    # hammer repository update \
    --http-proxy-policy HTTP_Proxy_Policy \
    --id Repository_ID

    Specify one of the following options for --http-proxy-policy:

    • none: Do not use an HTTP proxy, even if a global default proxy is configured.

    • global_default_http_proxy: Use the global default proxy setting.

    • use_selected_http_proxy: Specify an HTTP proxy using either --http-proxy My_HTTP_Proxy_Name or --http-proxy-id My_HTTP_Proxy_ID. To add a new HTTP proxy to orcharhino, see Adding an HTTP Proxy.

Creating a Sync Plan

A sync plan checks and updates the content at a scheduled date and time. In orcharhino, you can create a sync plan and assign products to the plan.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Sync Plans and click New Sync Plan.

  2. In the Name field, enter a name for the plan.

  3. Optional: In the Description field, enter a description of the plan.

  4. From the Interval list, select the interval at which you want the plan to run.

  5. From the Start Date and Start Time lists, select when to start running the synchronization plan.

  6. Click Save.

CLI procedure
  1. To create the synchronization plan, enter the following command:

    # hammer sync-plan create \
    --description "My_Description" \
    --enabled true \
    --interval daily \
    --name "My_Products" \
    --organization "My_Organization" \
    --sync-date "2023-01-01 01:00:00"
  2. View the available sync plans for an organization to verify that the sync plan has been created:

    # hammer sync-plan list --organization "My_Organization"

Best Practices for Sync Plans

  • Use sync plans to periodically synchronize content to orcharhino.

  • Sync plans are associated with products.

  • Use cron line to specify recurring synchronization using cron expressions.

  • We recommend distributing synchronization tasks over several hours if possible to reduce the task load by creating multiple sync plans with cron line. Using a single sync plan would start all sync tasks at the same time resulting in a high load significantly lowering the performance of your orcharhino. This might also lead to occasional difficulties in the correct assigning of the Pulp tasks.

    Table 1. Cron Expression Examples
    Cron Expression Explanation

    0 22 * * 1-5

    every night at 22:00 from Monday through Friday

    30 3 * * 6,0

    at 03:30 on each Saturday and Sunday

    15 1-9/2 * * *

    15 minutes past every second hour from 1 through 9

    30 2 8-14 * *

    at 02:30 every day of the month from 8 through 14

Assigning a Sync Plan to a Product

A sync plan checks and updates the content at a scheduled date and time. In orcharhino, you can assign a sync plan to products to update content regularly.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Products.

  2. Select a product.

  3. On the Details tab, select a Sync Plan from the drop down menu.

CLI procedure
  1. Assign a sync plan to a product:

    # hammer product set-sync-plan \
    --name "My_Product_Name" \
    --organization "My_Organization" \
    --sync-plan "My_Sync_Plan_Name"

Assigning a Sync Plan to Multiple Products

Use this procedure to assign a sync plan to the products in an organization that have been synchronized at least once and contain at least one repository.

Procedure
  1. Run the following Bash script:

    ORG="My_Organization"
    SYNC_PLAN="daily_sync_at_3_a.m"
    
    hammer sync-plan create --name $SYNC_PLAN --interval daily --sync-date "2023-04-5 03:00:00" --enabled true --organization $ORG
    for i in $(hammer --no-headers --csv --csv-separator="|" product list --organization $ORG --per-page 999 | grep -vi not_synced | awk -F'|' '$5 != "0" { print $1}')
    do
      hammer product set-sync-plan --sync-plan $SYNC_PLAN --organization $ORG --id $i
    done
  2. After executing the script, view the products assigned to the sync plan:

    # hammer product list --organization $ORG --sync-plan $SYNC_PLAN

Limiting Synchronization Concurrency

By default, each Repository Synchronization job can fetch up to ten files at a time. This can be adjusted on a per repository basis.

Increasing the limit may improve performance, but can cause the upstream server to be overloaded or start rejecting requests. If you are seeing Repository syncs fail due to the upstream servers rejecting requests, you may want to try lowering the limit.

CLI procedure
# hammer repository update \
--download-concurrency 5 \
--id Repository_ID \
--organization "My_Organization"

Importing a Custom GPG Key

When clients are consuming signed custom content, ensure that the clients are configured to validate the installation of packages with the appropriate GPG Key. This helps to ensure that only packages from authorized sources can be installed.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Content Credentials and in the upper-right of the window, click Create Content Credential.

  2. Enter the name of your repository and select GPG Key from the Type list.

  3. Either paste the GPG key into the Content Credential Contents field, or click Browse and select the GPG key file that you want to import.

    If your custom repository contains content signed by multiple GPG keys, you must enter all required GPG keys in the Content Credential Contents field with new lines between each key, for example:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQINBFy/HE4BEADttv2TCPzVrre+aJ9f5QsR6oWZMm7N5Lwxjm5x5zA9BLiPPGFN
    4aTUR/g+K1S0aqCU+ZS3Rnxb+6fnBxD+COH9kMqXHi3M5UNzbp5WhCdUpISXjjpU
    XIFFWBPuBfyr/FKRknFH15P+9kLZLxCpVZZLsweLWCuw+JKCMmnA
    =F6VG
    -----END PGP PUBLIC KEY BLOCK-----
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQINBFw467UBEACmREzDeK/kuScCmfJfHJa0Wgh/2fbJLLt3KSvsgDhORIptf+PP
    OTFDlKuLkJx99ZYG5xMnBG47C7ByoMec1j94YeXczuBbynOyyPlvduma/zf8oB9e
    Wl5GnzcLGAnUSRamfqGUWcyMMinHHIKIc1X1P4I=
    =WPpI
    -----END PGP PUBLIC KEY BLOCK-----
  4. Click Save.

CLI procedure
  1. Copy the GPG key to your orcharhino Server:

    $ scp ~/etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE-95 root@orcharhino.example.com:~/.
  2. Upload the GPG key to orcharhino:

    # hammer content-credentials create \
    --content-type gpg_key \
    --name "My_GPG_Key" \
    --organization "My_Organization" \
    --path ~/RPM-GPG-KEY-EXAMPLE-95

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution–Share Alike 3.0 Unported ("CC-BY-SA") license. This page also contains text from the official Foreman documentation which uses the same license ("CC-BY-SA").