Set the Appliance Upstream ULN Mirror

By design, compute nodes have no network access outside the appliance. Private Cloud Appliance therefore uses the ULN mirror inside the data center as its upstream mirror: an internal repository on the appliance's shared storage is synchronized with that upstream mirror, and compute nodes install the required packages from the internal repository.

Using the Service CLI

  1. Configure the management node cluster to synchronize with the local ULN mirror and receive package updates. Set the fully qualified domain name of the data center mirror server using the setUpstreamUlnMirror command.

    Caution:

    You must use the fully qualified domain name to reference the data center mirror server, not the system IP address.

    PCA-ADMIN> setUpstreamUlnMirror ulnMirrorLocation=http://host.example.com/yum
    Data: 
      upstream channels are set UpstreamMirror status = success
  2. To configure a more secure connection, see Using HTTPS to Reach the ULN Mirror Server.

  3. To set up an additional channel for synchronization to the internal appliance repository, use the addUpstreamUlnChannel command. This adds the channel to the local yum repository configuration.

    Note:

    This step is required to set up the registry for the Oracle Container Engine for Kubernetes (OKE). However, it is automatically performed at the end of host patching.

    PCA-ADMIN> addUpstreamUlnChannel ulnMirrorLocation=http://host.example.com/yum channel=pca302_x86_64_regionregistry

    To unconfigure a synchronized channel, use the removeUpstreamUlnChannel command.

Using the Service Web UI

Note:

This UI function is available in software version 3.0.2-b925538 and later.

Set the upstream ULN mirror as follows:

  1. In the navigation menu, click Maintenance and select ULN Mirrors.

  2. In the top-right corner of the ULN Mirrors page, click Set ULN Mirror.

    The ULN Mirror window appears.

  3. Fill out the parameters:

    • ULN Mirror: the fully qualified domain name of the ULN mirror in your data center.

    • Proxy: If your data center uses a proxy server as an intermediary for Internet access, specify that server here.

  4. Click Set ULN Mirror.

    The ULN mirror is set.

Using HTTPS to Reach the ULN Mirror Server

To connect to the ULN mirror using HTTPS, add the TLS trust information for the ULN mirror server to the appliance. The TLS trust information added to the appliance must contain only a CA chain or an X.509 server certificate; it must not contain any private key, because the appliance only needs to verify the mirror server, not to authenticate to it.

  • If the server certificate is signed by a commercial Certificate Authority, do not add anything to the appliance (the CA is already trusted). Skip this procedure.

  • If the server certificate is signed by a non-commercial Certificate Authority, the TLS trust information to add to the appliance is the non-commercial CA chain file, in PEM or CRT format.

  • If the server certificate is self-signed, the TLS trust information to add to the appliance is a copy of the server certificate, in PEM format.

Repeat this process whenever the trust material changes: when a self-signed server certificate is replaced (for example, because it has expired), or when the non-commercial CA chain is replaced. A server certificate renewed under the same, already-added CA chain does not require this procedure to be repeated.

  1. On the first management node, create the following directory if it does not already exist:

    /etc/pca3.0/vault/customer_ca/
  2. Copy the CA chain or X.509 server certificate to the /etc/pca3.0/vault/customer_ca/ directory.

    If the ULN server certificate is not self-signed, copy the CA chain. If the ULN server certificate is self-signed (the Subject Key Identifier is the same as the Authority Key Identifier), copy the server certificate.

  3. Run the following command:

    python3 /usr/lib/python3.6/site-packages/pca_foundation/secret_service/cert_generator/cert_generator_app.py -copy_to_mns

    The resulting TLS trust/certificate bundle is in the following directory on each management node:

    /etc/pca3.0/vault/certs/ca_outside_bundle.crt
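The two checks a practitioner wants before copying a file into customer_ca/ in step 2 are that the file holds certificates and no private key of any kind, and whether the certificate is self-signed by the Subject Key Identifier / Authority Key Identifier test described above. The following Python 3 script is an added example, not code from the Oracle documentation or from the appliance's own cert_generator tooling. It uses only the standard library, so it runs with the python3 that is present on a management node. The sample certificates it inspects are synthetic, unsigned DER structures constructed inline for the demonstration; the hostnames, CA name and key identifiers in them are placeholders, and the functions `inspect_trust_file` and `acceptable` are names chosen here.

```python
# Added example: pre-flight check of a candidate TLS trust file for customer_ca/.
# Standard library only; the DER walker reads just enough X.509 to find the
# issuer, subject, subjectKeyIdentifier and authorityKeyIdentifier fields.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SKI_OID = bytes.fromhex("551d0e")   # 2.5.29.14 subjectKeyIdentifier
AKI_OID = bytes.fromhex("551d23")   # 2.5.29.35 authorityKeyIdentifier


def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln


def der_children(buf):
    """Split a DER value into immediate children as (tag, value, whole_tlv)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, vs, ve = der_read(buf, pos)
        out.append((tag, buf[vs:ve], buf[pos:ve]))
        pos = ve
    return out


def tbs_fields(cert_der):
    """tbsCertificate fields without the optional [0] version:
    serial, signatureAlgorithm, issuer, validity, subject, spki, [extensions]."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields


def key_identifiers(fields):
    """(SKI, AKI keyIdentifier); either is None when the extension is absent."""
    ski = aki = None
    for tag, val, _ in fields:
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        for _, ext, _ in der_children(der_children(val)[0][1]):
            parts = der_children(ext)               # extnID, [critical], extnValue
            oid, inner = parts[0][1], der_children(parts[-1][1])[0][1]
            if oid == SKI_OID:
                ski = inner
            elif oid == AKI_OID:
                for t, v, _ in der_children(inner):
                    if t == 0x80:                   # [0] IMPLICIT keyIdentifier
                        aki = v
    return ski, aki


def is_self_signed(cert_der):
    """The documented test (SKI == AKI); falls back to issuer == subject when
    either identifier is missing, which is the case for some older certificates."""
    f = tbs_fields(cert_der)
    ski, aki = key_identifiers(f)
    if ski is not None and aki is not None:
        return ski == aki
    return f[2][2] == f[4][2]                       # raw DER of issuer vs subject Name


def inspect_trust_file(text):
    """Facts an operator needs before copying the file into customer_ca/."""
    report = {"private_keys": 0, "certificates": 0, "self_signed": []}
    for kind, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in kind:                   # matches RSA/EC/PKCS#8 variants
            report["private_keys"] += 1
        elif kind == "CERTIFICATE":
            report["certificates"] += 1
            report["self_signed"].append(is_self_signed(base64.b64decode(body)))
    return report


def acceptable(report):
    """Trust material only: at least one certificate and no key of any kind."""
    return report["private_keys"] == 0 and report["certificates"] > 0


# ---- constructed sample input: synthetic, unsigned DER, not real certificates ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(cn):   # Name ::= SEQUENCE OF SET OF { commonName OID, PrintableString }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, cn.encode()))))


def fake_cert_pem(subject, issuer, ski, aki):
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    exts = tlv(0x30, tlv(0x06, SKI_OID) + tlv(0x04, tlv(0x04, ski)))
    exts += tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, aki))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name(issuer) + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
              + name(subject) + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, exts)))
    b64 = base64.b64encode(tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SELF_SIGNED = fake_cert_pem("uln-mirror.example.com", "uln-mirror.example.com", b"\x01" * 20, b"\x01" * 20)
CA_ISSUED = fake_cert_pem("uln-mirror.example.com", "Example Internal CA", b"\x02" * 20, b"\x03" * 20)
WITH_KEY = SELF_SIGNED + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, pem in (("self-signed", SELF_SIGNED), ("CA-issued", CA_ISSUED), ("with key", WITH_KEY)):
        r = inspect_trust_file(pem)
        print(label, r, "OK to copy" if acceptable(r) else "REJECT")
```

Run it against the real file with `inspect_trust_file(open(path).read())` before step 2: a non-zero `private_keys` count means the file must not go into customer_ca/, a single self-signed certificate corresponds to the self-signed case above, and a file of non-self-signed certificates should be the CA chain, not a copy of the server certificate.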