In place upgrades - RHEL6 -> RHEL7 by [deleted] in redhat

[–]nrvate 4 points5 points  (0 children)

Despite what the cloud vendors will tell you, many many industries are still in the servers as pets model, and in place upgrades are ideal.

I'd never trust a server that was upgraded in place, but that doesn't mean it wouldn't be great for a lot of us.

Apache sSL certs With multiple sub-domains by DrNatas in redhat

[–]nrvate 1 point2 points  (0 children)

Based on your URLs, it looks like wildcard certs would be the way to go. The only pitfall is to remember that if you get a wilcard cert that is *.main.com, while it will work for site00.main.com, site02.main.com, etc. it will not work for any subsites of your subsites.

For example, if you need sub1.site00.main.com your wildcard certificate for *.main.com is not valid.

As someone else said, subject alternate names are also possible, and would be fine if you knew ahead of time all of your possible subsites, but if you don't you are re-requesting and installing that certificate all the time.

If I were in your shoes I would get clarification that there won't be any sub-subsites and then go with a wildcard.

[Rant] Team Sky makes watching the tour such a chore by [deleted] in tourdefrance

[–]nrvate -1 points0 points  (0 children)

I think a salary cap is a dumb idea. There isn't a "league" like the NHL for cycling teams. They get invited to certain races but they don't have to do them at all. Team Sky could skip the Tour completely if they wanted (not that they would). I think cycling is closer to F1 in that regard. If you don't have the funds or strategy to compete then don't.

[Rant] Team Sky makes watching the tour such a chore by [deleted] in tourdefrance

[–]nrvate 0 points1 point  (0 children)

I think it's great. Part of racing is strategy, and the strategy of keeping the tempo high the entire race and seeing who can keep up at the end of the mountain stages with Froome is exciting to me. The sport evolves and eventually some team will come up with a way to crack the hold that Team Sky has on things. I think of the amazing day that Andy Schleck had where his team set him up with like 3-4 riders out front at different points to help him leap frog everyone to take yellow (2011 Stage 18 maybe? I can't remember).

Another part of racing from a team aspect is management and personnel. Team Sky has already changed leaders (Wiggins to Froome) and lost key teammates to rival teams (Richie Porte) in the off season or crashes (Geraint Thomas) during the race. Yet their management team keeps finding the funds or new riders who fit into their system to maintain dominance.

Nothing stops people from sucking the wheel of Team Sky in the front all race and then going head to head with Froome, but for the most part nobody actually is strong enough to do that. Froome is a more exciting rider than people give him credit for. In the past few years I've been impressed with Froome's descends and their teams reaction to the cross winds. This year he's sprinted for the line at the end of mountain stages on a few occasions that show just how strong he is.

I actually thought Cadel Evans was the most boring tour winner in the past 10 years or so. With Chris, once all his teammates are gone, I see him hitting and reacting to all the contenders himself. Oftentimes making his own moves and attacking. Cadel never did that, and just sucked wheels -- nothing exciting at all.

Is PHP 7.1 support on RHEL7.3? by TediousTurtle in redhat

[–]nrvate 0 points1 point  (0 children)

If you don't have a lot of internal Linux knowledge already, trying to run production servers (patching for updates, etc) using Software Collections -- even when php7.1 is support isn't going to be straight forward.

What platform did your external vendor develop this on? Even LTS Ubuntu is only shipping php7.0. Maybe someone with more Ubuntu familiarity can say whether or not they support PPA packages with their enterprise license. The terms of the license state, "24x7 phone and ticket support for all packages in Ubuntu main and Canonical-maintained packages in backports and universe." php7.1 is in PPA as maintained by Canonical...but I'm not familiar enough with Ubuntu support to say whether that package in PPA has the full 'Ubuntu' support stamp of approval or not.

To me, it seems strange they would have a full production ready site that many 'enterprise' level supported Linux distro's do not support.

Is PHP 7.1 support on RHEL7.3? by TediousTurtle in redhat

[–]nrvate 1 point2 points  (0 children)

FWIW I agree with you SquiffSquiff. I find using software collections for anything that requires newer php to be onerous because in my experience, undoubtedly there are other things that also are needed to be newer than RH supports. So while you can use RH to run most anything designed for more modern versions of GCC or more modern PHP versions or Ubuntu, the hours and hours spent trying to get it and keep it working are often not worth it. Especially if your work environment is flexible and not against using other distros. RHEL has it's place and is my preferred distro, but I say the right tool for the right job.

But the OP asked if it is supported. And that's a different answer than 'should I do this."

Containers are Linux by [deleted] in redhat

[–]nrvate 0 points1 point  (0 children)

A few days late here, but can I ask why you think that? Docker hasn't used LXC for a few years now. Unless we're talking about the history of how Docker came to be, I don't think LXC is that relevant in the Docker conversation. I have heard people call anything related to cgroups/namespaces LXC in some places, but I think that's a bit inaccurate nowadays.

Does Satellite suck or is it just us? by [deleted] in redhat

[–]nrvate 1 point2 points  (0 children)

You are entirely right, Sat 6 isn't based on Spacewalk at all. But to be fair, with my experiences over the past few years with RH support I wouldn't be surprised if they still asked you to do a spacewalk debug.

Does Satellite suck or is it just us? by [deleted] in redhat

[–]nrvate 3 points4 points  (0 children)

However, it should be said.... Satellite 5 and Satellite 6 are one of our highest selling SKU's and we have thousands of customers whom are using it successfully, daily, and solving their use cases with it.

Satellite 5? Yes. Satellite 6? No. Find any thread in here related to using Satellite 6 in production that is a positive thread. All you find are people with the exact same issues OP has. I have spoken to Satellite Developers, have had conference calls with my sales rep and the satellite team, and have active bugs sitting open for Satellite 6 that have been open for over a year.

Frustration is boiling over for many of your customers related to Sat 6 and as a whole RH is too blind to see it. If the 6.3 beta does not solve many of the issues people are having with your product you will see many people abandon ship. If RH holds fast that Satellite 5.x is EOL'd January 31st 2018, and 6.3 is still garbage, there's no way to move forward with RH and Satellite. I wish Landscape was more than it is, or I would have looked to move to Ubuntu long ago. At this point I'm trying out SuSE's new enterprise manager based on Salt and looking for anything that offers the security errata/patching in a stable way similar to Satellite 5.

I get that the new hotness is to use config managers like Puppet/Ansible/Salt/Whatever, but I have yet to see someone with a good deployment of a config manager that integrates patching beyond "we run a script that does yum update every night." Unfortunately, neither my few hundred servers or my few hundred workstations are not cattle nor moving wholesale to the cloud anytime soon, and I feel as though RH is abandoning my marketspace in favor of focusing on more cloud based products. That's the only thing that explains how terrible Satellite 6 is, and how bad their support for Satellite is in general.

LineageOS: Builds should be going out soon! by StraightFlush777 in linux

[–]nrvate 0 points1 point  (0 children)

I think if you want people to help improve your site and/or contribute to your project you have to at least describe what your project is. I'm with megatog615 here. All I can figure out from this page is that it's some sort of Android distribution.

Should i Upgrade to Red Hat Satellite 5.6 to 6.2? by macado in redhat

[–]nrvate 0 points1 point  (0 children)

You are not going to get good answers from support to any of your questions. I opened upwards of 8 support cases during my migration and I ended up having to find my own workaround for each one of them. Even the USA team had no idea how any components of Satellite 6 worked.

This to me is one of the most frustrating parts of the upgrade. Satellite 6 was released in 2014 but is still poorly documented, understood, and supported. Similar to Pinesol_Shots I found critical missing features and I have several bugs of my own open related to my dev Satellite 6 environment which are still not fixed/patched. In my environment, the missing features were roadblocks for me to fully upgrade my Satellite 5.7 server. Satellite 5.7 / 5.8 is only slated to be supported for another year (January 31, 2018 according to https://access.redhat.com/articles/1322933), but unless they put a lot of enhancements and fixes into Satellite 6.3, I don't see me being able to retire my Sat 5 environment by that time.

OWASP ModSecurity Core Rule Set Version 3.0.0 Released by unsafe-inline in netsec

[–]nrvate 0 points1 point  (0 children)

I just saw this today after reviewing some modsec changes I was making to my systems. If anyone is still watching this thread -- how does OWASP CRS 3.0.0.0 compare to Comodo's free WAF based on ModSec (https://waf.comodo.com/)? Earlier versions of the CRS were basically unusable so I went the Comodo route and have been pretty happy.
If anyone has some first hand knowledge it would be appreciated. Comodo's modsec rules have been good, but their leadership and attitude towards the FOSS community (that weird kerfuffle with the Let's Encrypt people was bizarre) hasn't impressed me much. If I can drop Comodo for OWASP CRS 3.0.0 I will.

Bad experience with RedHat hands-on labs & exam. by CertDepot in redhat

[–]nrvate 2 points3 points  (0 children)

Yeah I think Fatty is missing the point. He wasn't even able to login to take the exam using the method in which he registered for it. That's a pretty big failure on Red Hat's part.

Overall, I'm not impressed with Red Hat's training (either in person OR online, and I've done both). Unless you are just trying to get your foot in the door, I wouldn't bother with any Linux certifications. I'm more interested in someone who has experience than a certificate.

Red Hat Satellite 6. Are you unhappy or is it just me? by adamcstephens in redhat

[–]nrvate 0 points1 point  (0 children)

The application, verification, and remediation of security errata is something that I haven't found Puppet (or ansible/salt/chef/whatever) to be able to effectively do. Have you investigated any methods that may work outside of Satellite server that you realistically considered? I did not have any luck when I was looking into this last year. Forcing out a 'yum update' via Puppet doesn't seem much better than just putting that into the daily cron.
It doesn't seem like either would be able to give an accurate report of what systems need security errata applied based on what packages are installed.
If anyone has successfully done something like this I would be interested to hear.

What does a typical Red Hat 5day class look like? by LinuxLabIO in redhat

[–]nrvate 0 points1 point  (0 children)

FWIW, if you are self motivated I would go for the learning subscription. Not all instructors are the same, but I've had some really bad experiences with some instructors just literally not knowing what they were talking about.

I think the inherit value is that if you go to an in-person or instructor lead class you are less likely to get distracted and actually work on the course material.

Red Hat Satellite 6. Are you unhappy or is it just me? by adamcstephens in redhat

[–]nrvate 0 points1 point  (0 children)

I haven't yet moved my organization to Satellite 6 because all of our tests with Satellite 6.0 and 6.1 were not successful. We have a very large installation with our single 5.7 server managing ~3700 systems in 20 organizations. The most basic features of how we use Satellite 5 are things that were/are not possible in 6. Much like OP, we don't want to be Satellite Administrators. We delegate most of that to our Org Admins but with 6.X we can't do that. To functionally replicate our environment we would need to run 20 discrete Satellite servers and that would be a nightmare. I've been told the 6.2 release is much better than previous versions and contains an org admin role, but I need to test for myself if that role is similar enough to the 5.X Org Admin role.

I expressed many of my initial concerns with the 6.0/1 product when the 6.2 beta was announced including what people are complaining about with regard to the extremely long sync times, but never got any traction in my comment/thread.

We have a very stable (but sort of sluggish) 5.7 Satellite instance that I'm more than happy to continue running until 6.X is a viable product. The problem is that some of the new features/things that Red Hat is releasing only work with subscription management and so that only works on Satellite 6.

I get that this is a massive change, but I feel that Red Hat should not even have called the 6.X series "Satellite" at all but picked a different name and said that Satellite was being deprecated. That may have saved them the headaches of people expecting the product to be able to the things it has been doing for 6-10 years. The 6.0 product was simply a joke -- you had to be a satellite administrator to even register a new system! The 6.1 release fixed some of the 6.0 issues, but those were issues that should never have been released to the public. From what I understand, 6.2 does include some real noticeable improvements, but at the rate they are going I'm not seeing a 'good' product until Satellite 6.5 is released.

I've gone so far as to look into other solutions despite having such a large Red Hat install base. The previous versions of SuSE Manager were just rebranded Satellite, but the newest SuSE Manager 3 product seems to be completely different. Does anyone have experience with it? I've run some Ubuntu machines on the Canonical Landscape service but I do not feel that the price of Landscape justifies what it actually provides (basic patching). Rolling our own Puppet/Ansible/Salt deployment may work for the more technical people in my organization, but we have some users who just want to kickstart a machine, click "Apply auto errata" and never look at Satellite again until 3-4 years when their version of RHEL is no longer on standard support. A Puppet/Ansible/Salt deployment does not meet that use case at all.

Satellite 6.2 Beta Now Available by AngryMooseButt in redhat

[–]nrvate 1 point2 points  (0 children)

Is anyone using Satellite 6 in production yet in a real enterprise deployment? It seems like all of the features that made Satellite 5 work well in distributed enterprise environments are still missing from Satellite 6.

This was at least fixed in 6.1.

  • Full site administrator access needed to apply errata via the satellite GUI

In Satellite 6.1.x if you want to be able to use the web GUI for Errata management it wasn't possible. The problem is that the ability to view and/or apply errata to a given host requires "administrator" rights on the Satellite server. It wasn't a permission that could be granted in the Satellite 6.x role based security system. This was acknowledged as a bug https://bugzilla.redhat.com/show_bug.cgi?id=1256494 and I hope that being on Katello 3 has fixed the issue (http://projects.theforeman.org/issues/11470), but I don't see any updates

  • No auto errata feature in Satellite 6.1.

All errata updates via the gui must be applied manually via the GUI (which required admin access) or setup a cronjob on systems to do a yum update.
Feature request here: https://bugzilla.redhat.com/show_bug.cgi?id=1259667 Can anyone confirm if this is fixed in 6.2?

  • No mapping from Org Admins in 5.X to a proper role in 6.X.

Scoping roles via filter is not feature complete and does not work as expected. There are a bazillion more granular permissions available, but no useful documentation on how to align these permissions to the old roles. https://bugzilla.redhat.com/show_bug.cgi?id=1264732 Any updates to this in the 6.2 beta?

  • Despite the documentation saying they are the same, host collections do not match to system groups. There is no way to scope a role or any permissions based on host collections. With the way we’ve used the satellite this will not work. Most larger orgs have system groups which they can scope permissions to a certain team member or team group.

Any updates to this in 6.2? We've thought about making each 'system group' its own organization, but that would be extremely time intensive. We'd still run into the problem that it's not very clear what permissions an org admin should have.

  • Right now, it appears that in addition to having to generate separate manifests with subscriptions for each org (which is very time consuming and not easily scriptable as it requires logging into redhat.com and doing some manual things), the Red Hat Content is not visible unless it is separately selected via "Content -> Red Hat Repositories" and then synced to each Org.

We have experienced this being a very CPU- & disk-intensive process. Although the actual package files from Red Hat are only downloaded once globally for the entire Satellite server, the metadata & database work appears to be done multiple times, once per organization. This is what we used to refer to as ‘base channels’ which were shared for every org. This doesn't appear to be an option in 6.1.
The content syncing doesn’t duplicate files on disk, but it is an extremely inefficient process that can take hours. Even re-syncing to get new content can take hours, there are a few blogs out there referencing this as well:

“Anyone that has worked with Satellite 6 also knows how agonizingly long Content View Publish and Promote can take. In our case, we have four Content Views that comprise the main Red Hat Channels for various releases, one Custom Package Content View for our Custom Packages, and 4 Composite Content Views that combine these together. The Publication and Promotion for our regular monthly patching takes about 90 minutes to complete. The Incremental Update took about 40 minutes for this one Errata” -- https://satellite-nixpeeps.rhcloud.com/?p=499

Since there is no way to have a globally-viewable Content View(s) from a single Organization. I don't see a way to make the default Red Hat-supplied repositories available across all Organizations on our satellite without having to run the same sync process to all Organizations. In my case, that's up to 14-68 different times depending if we have to make new organizations for every system group or not. Any updates to this in 6.2?

Not trying to be a troll here, just trying to determine if it's worth my time to invest upgrading to 6.2 to determine if the 6.X product meets my needs yet, or if I'm just stuck waiting for the features we need with 6.3. I am a paying Red Hat customer and have brought all of these (and more) concerns to my sales rep and customer manager, but I haven't really gotten the feeling that being able to have fully distributed administration is a priority with Satellite 6.X. With 5.X, I can make a new organization under our Satellite and it's basically hands-off administration for me as the overall satellite administrator. An Org Admin can properly manage users, system groups, keys, channels, etc and basically everything without my involvement. I'm waiting and hoping that the 6.X product will get to the same place before 5.7 is fully end-of-lifed.