2.4. Additional Requirements

Red Hat Satellite has additional requirements that must be met before you start the installation.

2.4.1. Firewall

Protect your Red Hat Satellite environment with a firewall by blocking all unnecessary and unused ports.
The following table provides a list of port requirements for Red Hat Satellite.

Table 2.1. Ports to open on the Red Hat Satellite Server

| Port | Protocol | Direction | Reason |
|------|----------|-----------|--------|
| 67 | TCP/UDP | Inbound | Open this port to configure the Red Hat Satellite as a DHCP server for systems requesting IP addresses. |
| 69 | TCP/UDP | Inbound | Open this port to configure Red Hat Satellite as a PXE server and allow installation and re-installation of PXE-boot enabled systems. |
| 80 | TCP | Inbound | Web UI and client requests come in via HTTP. |
| 443 | TCP | Inbound | Web UI and client requests come in via HTTPS. |
| 443 | TCP | Outbound | Red Hat Satellite uses this port to reach Red Hat Subscription Manager (unless running in a disconnected mode for Satellite). |
| 4545 | TCP | Inbound and Outbound | Red Hat Satellite Monitoring makes connections to rhnmd running on client systems, if Monitoring is enabled and probes are configured for registered systems. |
| 5222 | TCP | Inbound | This port pushes actions to client systems. |
| 5269 | TCP | Inbound and Outbound | This port pushes actions to Red Hat Proxy Server. |
| 5432 | TCP | Inbound and Outbound | This is a requirement for communication with a PostgreSQL database server if using an External Database or Managed Database. |

Open your firewall to the following hosts for access to Red Hat's Content Delivery Network (CDN):
  • subscription.rhsm.redhat.com
  • cdn.redhat.com
  • cert-api.access.redhat.com (if using Red Hat Insights)
  • api.access.redhat.com (if using Red Hat Insights)
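
The following is an added example, not part of the Red Hat documentation: a shell function that prints an iptables-restore rule set opening only the inbound ports from Table 2.1 that a given deployment uses, with everything else dropped. The function name, the feature keywords and the default-drop layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: inbound rules for the Table 2.1 ports a deployment uses.
# Feature keywords (dhcp, pxe, ...) are this example's names, not Satellite options.
# Usage: satellite_input_rules pxe monitoring > rules.txt
#        iptables-restore --test < rules.txt    # parse only, do not load

satellite_input_rules() {
    # Baseline from Table 2.1: HTTP, HTTPS, and action push to clients.
    ports="80/tcp 443/tcp 5222/tcp"
    for feature in "$@"; do
        case "$feature" in
            dhcp)       ports="$ports 67/tcp 67/udp" ;;
            pxe)        ports="$ports 69/tcp 69/udp" ;;
            monitoring) ports="$ports 4545/tcp" ;;
            proxy)      ports="$ports 5269/tcp" ;;
            extdb)      ports="$ports 5432/tcp" ;;
            *) echo "unknown feature: $feature" >&2; return 1 ;;
        esac
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # anything not listed below is dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"     # outbound rows of Table 2.1 are not filtered here
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Administrative access (for example SSH from a management network) is not
    # in Table 2.1; add a source-restricted rule for it before loading.
    for p in $ports; do
        port=${p%/*}; proto=${p#*/}
        echo "-A INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}
```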

2.4.2. File Permissions

The umask command sets the file permissions mask for new files. This helps secure the file permissions for new files created on a system. Users with a restrictive umask value might experience problems with installation and operation of Red Hat Satellite. Use the recommended umask value of 022.

2.4.3. SELinux Policy

SELinux is a set of secure software policies that implement mandatory access control for Red Hat Enterprise Linux and other operating systems. Red Hat Satellite supports SELinux targeted policy in enforcing or permissive mode on Red Hat Enterprise Linux 5 and 6.

2.4.4. Bandwidth

Network bandwidth is important for communication among Satellites, Proxies, and Clients. To accommodate high-volume traffic, Red Hat recommends a high-bandwidth network capable of delivering packages to many systems and clients. As a guide, Red Hat provides a set of estimates for package transfer from one system to another over various speeds.

Table 2.2. Bandwidth estimates

| Speed | Single Package (10Mb) | Minor Release (750Mb) | Major Release (6Gb) |
|-------|-----------------------|-----------------------|---------------------|
| 256Kbps | 5 Mins 27 Secs | 6 Hrs 49 Mins 36 Secs | 2 Days 7 Hrs 55 Mins |
| 512Kbps | 2 Mins 43.84 Secs | 3 Hrs 24 Mins 48 Secs | 1 Day 3 Hrs 57 Mins |
| T1 (1.5Mbps) | 54.33 Secs | 1 Hr 7 Mins 54.78 Secs | 9 Hrs 16 Mins 20.57 Secs |
| 10Mbps | 8.39 Secs | 10 Mins 29.15 Secs | 1 Hr 25 Mins 53.96 Secs |
| 100Mbps | 0.84 Secs | 1 Min 2.91 Secs | 8 Mins 35.4 Secs |
| 1000Mbps | 0.08 Secs | 6.29 Secs | 51.54 Secs |

Red Hat recommends at least a 100Mbps network speed for minor and major releases. This avoids timeouts for transfers longer than 10 minutes. All speeds are relative to your network setup.

2.4.5. Caching

Beyond the space needed for the Red Hat Enterprise Linux installation and /var/satellite/, Red Hat Satellite requires space to generate cache files. These cache files are constantly regenerated as they become needed, even if the cache files are deleted. These cache files are stored within /var/cache/rhn, and the storage needs of this directory depend on the following factors:
  • How many channels you synchronize or import from Red Hat or Channel dumps.
  • How many custom packages and channels you have.
  • Whether or not you are using Red Hat Satellite Synchronization.
Provide at least 10 GB of space for /var/cache/rhn/ on a Red Hat Satellite server. For very large environments that have numerous channels and packages and use Inter Satellite Sync, usage can grow to as much as 100 GB of space for cache files in /var/cache/rhn.

2.4.6. Synchronized System Times

The time settings on the server and clients need to be synchronized so the SSL certificate does not expire before or during use. Red Hat requires the Red Hat Satellite and all client systems to use Network Time Protocol (NTP). This also applies to the separate database machine in Red Hat Satellite with External Database or Managed Database, which must also be set to the same time zone as the Red Hat Satellite.

2.4.7. Setting System Language and Locale

Set the UTF-8 encoding for your language and locale on your Red Hat Satellite system via the /etc/sysconfig/i18n file. The LANG setting in the file must be in the following format:
LANG="[language_TERRITORY].UTF-8"
The language and TERRITORY are entered as two-letter codes. For example, if your language is English and your locale is the United States, set LANG to en_US.UTF-8.

2.4.8. Fully Qualified Domain Name (FQDN)

Red Hat Satellite requires the installation to resolve its own FQDN properly. If this is not the case, cookies will not work properly on the web interface.

Important

It is important that the hostname of a Red Hat Satellite contains no uppercase letters. A hostname that includes uppercase letters can cause Satellite Proxy communications (through jabberd) to fail.
Section 12.3, “Changing the Red Hat Satellite Hostname” contains instructions if you change your Red Hat Satellite hostname in the future.
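
The following is an added example, not part of the Red Hat documentation: pre-installation checks for the umask value (Section 2.4.2), the LANG format (Section 2.4.7) and the lowercase, resolvable FQDN (Section 2.4.8). All function names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-installation checks for sections 2.4.2, 2.4.7 and 2.4.8.
# Function names are this example's own; each returns 0 on pass, 1 on fail.

check_umask() {        # $1 = umask value, e.g. the output of `umask`
    case "$1" in
        022|0022) return 0 ;;
        *) echo "umask is $1, expected 022" >&2; return 1 ;;
    esac
}

check_lang() {         # $1 = LANG value from /etc/sysconfig/i18n
    # Two-letter language, underscore, two-letter TERRITORY, then .UTF-8
    printf '%s\n' "$1" |
        LC_ALL=C grep -Eq '^[[:lower:]]{2}_[[:upper:]]{2}\.UTF-8$' && return 0
    echo "LANG '$1' is not in [language_TERRITORY].UTF-8 format" >&2
    return 1
}

check_hostname() {     # $1 = FQDN, e.g. the output of `hostname -f`
    case "$1" in
        *[[:upper:]]*) echo "hostname '$1' contains uppercase letters" >&2; return 1 ;;
        *.*)           return 0 ;;
        *)             echo "hostname '$1' is not fully qualified" >&2; return 1 ;;
    esac
}

satellite_preflight() {   # runs the checks against the live system
    fail=0
    check_umask "$(umask)" || fail=1
    lang=$( [ -r /etc/sysconfig/i18n ] && . /etc/sysconfig/i18n
            printf '%s' "${LANG:-}" )
    check_lang "$lang" || fail=1
    fqdn=$(hostname -f 2>/dev/null)
    check_hostname "$fqdn" || fail=1
    # The server must resolve its own FQDN (section 2.4.8).
    getent hosts "$fqdn" >/dev/null 2>&1 ||
        { echo "'$fqdn' does not resolve" >&2; fail=1; }
    return "$fail"
}

if [ "${1:-}" = "--run" ]; then satellite_preflight; fi
```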

2.4.9. Functioning Domain Name Service (DNS)

Ensure all clients resolve Red Hat Satellite's domain name. All systems, both servers and clients, require connection to a working DNS server in the Satellite environment.

2.4.10. Red Hat Network Account

Customers aiming to connect with central Red Hat Network servers to receive incremental updates require an external account with Red Hat Network. This account is set up at the time of purchase with the sales representative.

Warning

Do not subscribe your Red Hat Satellite to any of the following child channels:
  • Red Hat Enterprise Linux - Optional Packages
  • Red Hat Enterprise Linux - Supplementary Packages
  • Red Hat Developer Suite
  • Red Hat Application Server
  • Red Hat Extras
  • JBoss product channels
Subscribing to these channels and updating Red Hat Satellite might install incompatible versions of critical software components, causing Red Hat Satellite to fail. Make sure to subscribe Red Hat Satellite to only the Red Hat Network Tools channel.

2.4.11. Backups of Login Information

It is imperative that customers keep track of all primary login information. For Red Hat Satellite, this includes usernames and passwords for the Organization Administrator account on access.redhat.com, the primary administrator account on the Red Hat Satellite itself, SSL certificate generation, and database connection (which also requires an SID, or net service name). Red Hat strongly recommends that you copy this information to removable storage media, print it out on paper, and store it in a fireproof safe.

2.4.12. Channel Content ISOs

An Internet connection is not required for Red Hat Satellites running in completely disconnected environments. This feature instead uses Channel Content ISOs to synchronize Red Hat Satellite with the central Red Hat Network Servers. All other Red Hat Satellites should synchronize directly over the Internet.

2.4.13. Service Access

No system components should be directly, publicly available. No user, other than the system administrators, should have shell access to these machines.
All unnecessary services should be disabled using ntsysv or chkconfig.
The following services should be enabled.
  • jabberd
  • postgresql (for Embedded Database Installation)
  • tomcat6 (for installation on Red Hat Enterprise Linux 6)
  • httpd
  • osa-dispatcher
  • Monitoring
  • MonitoringScout
  • rhn-search
  • cobblerd
  • taskomatic
If Red Hat Satellite serves Monitoring-entitled systems and you wish to acknowledge via email the alert notifications you receive, configure sendmail or postfix to properly handle incoming mail.
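
The following is an added example, not part of the Red Hat documentation: an audit that compares `chkconfig --list` output with the service list above, reporting listed services that are off in runlevel 3 and other enabled services to review. The function names, the MISSING/REVIEW labels and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example: audit enabled services against the list in section 2.4.13.
# Remove postgresql (external database) or tomcat6 (not RHEL 6) if they do
# not apply to the installation.
REQUIRED="jabberd postgresql tomcat6 httpd osa-dispatcher Monitoring
MonitoringScout rhn-search cobblerd taskomatic"

# Reads `chkconfig --list` output on stdin. Prints "MISSING name" for a listed
# service that is not on in runlevel 3, and "REVIEW name" for any other enabled
# service. REVIEW is a prompt to justify the service, not an order to disable
# it: sshd for administrators and ntpd (section 2.4.6) are legitimate.
audit_services() {
    awk -v required="$REQUIRED" '
        BEGIN { n = split(required, r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1 }
        $5 ~ /^3:/ { state[$1] = ($5 == "3:on") }
        END {
            for (i = 1; i <= n; i++) if (!state[r[i]]) print "MISSING " r[i]
            for (s in state) if (state[s] && !(s in need)) print "REVIEW " s
        }' | sort
}

# Constructed sample in chkconfig --list format, not taken from a real system.
sample_chkconfig() {
    for svc in Monitoring MonitoringScout cobblerd cups httpd jabberd ntpd \
               osa-dispatcher postgresql sshd taskomatic tomcat6; do
        printf '%s\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n' "$svc"
    done
    printf 'rhn-search\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off\n'
}

# On a live system: chkconfig --list | audit_services
sample_chkconfig | audit_services
```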