Different results pushing errata/packages from satellite 6.6

Latest response

Hello All,

So I'm a bit confused because I'm seeing 2 different results when applying errata or installing packages from satellite 6.6.

I can successfully apply errata or install packages if I got to Hosts > All Hosts > click on the host name > click Content > then go to the errata or packages tab and apply via katello agent.

BUT I can not successfully do this if I go to Hosts > All Hosts > check the box next to the same host i just tried earlier > click the Select Action button in the upper right > click "Schduled remote Job" > set job category to Katello > Job template to Install package - katello SSH default > then enter the desired package name. After submitting it this way, it fails after about 2 mins with the following error:

"Error initializing command: Net::SSH::ConnectionTimeout - Net::SSH::ConnectionTimeout
Exit status: EXCEPTION"

I tried the ansible options and get pretty much the same error "Failed to connect to the host via ssh: ssh: connect to host SERVERNAME port 22: Connection timed out'"

Im wondering why it works one way and not the other. It seems they are using 2 different methods of communication? You would think if the host was unreachable it would be unreachable either way I try to apply errata or package.

Can anybody point me in the correct direction as to how these two different methods are communicating and why one way is erroring out?

Thanks in advance !


I figured out exactly why it's not reachable, our network firewall is blocking this communication on port 22. So I guess this is more of a question of how are these two methods communication differently?

One is obviously using ssh, but is the other using https? Is the host establishing an inside firewall to outside solicited connection to the satellite server every min or so which allows the satellite server to talk back to the host? As opposed to ssh where the satellite server is sending an unsolicited connection to the host? Kinda odd.

P.S. I dont have access to see these kinds of details on the network firewall.


If I’m not mistaken, Katello agent interact to Satellite server via Gofer and the message broker QPID!

Indeed. Katello agent uses goferd service/daemon running on the Content Hosts. It connects to Capsule's/Satellite's port 5647 where qdrouterd listens (and that interconnects to qpidd, as Vincius stated). This is in fact a pull activity where goferd pulls the requests from qpidd's dedicated queue (where Remote EXecution writes the request to).

This is bit different to the traditional push activity of (all?) other means of REX "Apply to" implementations.

This is exactly what I was looking for. Thank you so much. I'm still stuck in the 5.8 days where rhnsd on the host was all poll and no push from satellite. Sounds like we have both push and poll methods being utilized in 6.6 which makes sense as to why an unsolicited ssh request to our host was denied.

What's odd though is it seems we can ONLY use a push style action when doing "Schduled remote Job", even when picking Katello. This isnt very ideal if root isnt exposed over ssh and all user accounts are backed by 2-factor auth. I dont understand how using Katello from within the host content tab is different than using katello for a scheduled job.

Katello from hots content tab = wait for host to pull.

Katello from Scheduled remote job = push to host.