Red Hat Training
A Red Hat training course is available for Red Hat Satellite
1.5. Prerequisites
The following conditions must be met before installing Red Hat Satellite 6:
Base Operating System
Red Hat Satellite is only supported on either:
- Red Hat Enterprise Linux 6 Server
- Red Hat Enterprise Linux 7 Server
Install the operating system from disc, local ISO image, kickstart, or any other method that Red Hat supports and update the system to the latest set of packages in Red Hat Enterprise Linux.
Important
- Red Hat Satellite Server requires Red Hat Enterprise Linux installations with the @Base package group with no other package-set modifications, and without third-party configurations or software that is not directly necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software. If such software is required in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.
- Your subscription-manager 'Release' field must be set to 6Server or 7Server in order to receive the latest version of Red Hat Enterprise Linux and Red Hat Satellite during the installation. Set the field by using the command:
subscription-manager release --set=Release
Only release versions 6Server and 7Server are supported by Red Hat Satellite.
- There should be at least one networked host with the following minimum specifications:
- 64-bit architecture
- Red Hat Enterprise Linux 6.5 or later
- A minimum of two CPU cores, but four CPU cores are recommended.
- A minimum of 8 GB memory but ideally 12 GB of memory for each instance of Satellite. Use 4 GB of swap space where possible.
- No Java virtual machine installed on the system, remove any if they exist.
- No Puppet RPM files installed on the system.
- No third-party unsupported yum repositories enabled. Third-party repositories may offer conflicting or unsupported package versions that may cause installation or configuration errors.
- A current Red Hat Network subscription.
- Administrative user (
root) access. - Full forward and reverse DNS resolution using a fully qualified domain name. Ensure that
hostnameandlocalhostresolve correctly, using the following commands:# ping -c1 localhost # ping -c1 `hostname -s` # my_system # ping -c1 `hostname -f` # my_system.domain.com
Important
Ensure that the host system is fully updated before installing Red Hat Satellite. Attempts to install on host systems that are not fully updated may lead to difficulty in troubleshooting, as well as unpredictable results.
Supported Browsers
Browser support is divided into 4 levels:
- Level 1: Fully supported preferred browsers for ideal experience.
- Level 2: Mostly supported. The interface functions but some design elements may not align correctly, UI controls and layout may be misaligned and there maybe degraded performance experienced.
- Level 3: Design elements may not align correctly.
- Level 4: Unsupported
The table below outlines the supported browsers and their level of support:
Table 1.1. Supported Browser Matrix
| Browser | Version | Support Level |
|---|---|---|
| Firefox | 3.6 | L3 |
| Firefox | 17, 18, 19, 20 | L4 |
| Firefox | 21 | L2 |
| Firefox | 22, 23, 24 | L1 |
| Firefox | Latest | L1 |
| Chrome | 19, 20 | L4 |
| Chrome | 21, 27 | L2 |
| Chrome | Latest | L1 |
| Internet Explorer | 7, 8 | L4 |
| Internet Explorer | 9, 10, 11 | L2 |
| Safari | ALL | L4 |
Note
The web-based user interface and command-line interface for Satellite Server supports English, Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.
Storage
Satellite Server storage specifications are as follows:
- A minimum of 6 GB storage for base operating system installation of Red Hat Enterprise Linux
- A minimum of 400 MB storage for the Red Hat Satellite 6 software installation
- A minimum of 20 GB storage for each unique software repository. Packages that are duplicated in different channels are only stored once on the disk. Additional repositories containing duplicate packages will require less additional storage. The bulk of storage resides on the
/var/lib/mongodband/var/lib/pulpdirectories. These end points are not manually configurable. Make sure that storage is available on the /var file system to prevent storage issues. - A minimum of 2 GB of available storage in
/var/lib/pgsqlwith the ability to grow the partition containing this directory as data storage requirements grow.
Note
Most Satellite Server data is stored within the /var directory. It is strongly recommended to mount /var on LVM storage that the system can scale to meet data storage requirements.
Application Specifications
Satellite Server application installation specifications are as follows:
It is recommended that a time synchronizer such as ntp is installed and enabled on Satellite as Satellite is susceptible to time drift. Run the following command to start the
ntpd service and have it persist across restarts:
# service ntpd start; chkconfig ntpd on
In Red Hat Enterprise Linux 7 chrony is the default time synchronizer. Run the following command to start the
chronyd service and have it persist across restarts:
systemctl start chronyd; systemctl enable chronyd
Required Network Ports
The following network ports need to be open and free before continuing with the installation:
Table 1.2. Required Network Ports
| Port | Protocol | Service |
|---|---|---|
| 443 | tcp | HTTPS |
| 5671 | tcp | SSL |
| 80 | tcp | HTTP |
| 8080 | tcp | Tomcat6 |
| 8140 | tcp | Puppet |
| 9090 | tcp | Foreman Smart Proxy |
You can use either the
iptables command to configure the firewall, or the system-config-firewall-tui command-line utility. To modify the firewall with the iptables command:
- Port 443 for HTTPS (secure WWW) must be open for incoming connections.
- Port 5671 must be open for SSL communication with managed systems.
- Port 80 for HTTP (WWW) must be open to download the bootstrap files.
- Port 8080 for TCP must be free for java connections.
- Port 8140 must be open for incoming Puppet connections with the managed systems.
- Port 9090 must be open for Foreman Smart Proxy connections with the managed systems.
- Run the following commands to configure the firewall with the
iptablescommand and to make these rules persistent during reboots:Note
Run the firewall commands as the root user.- For Red Hat Enterprise Linux 6:
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \ && iptables -I INPUT -m state --state NEW -p tcp --dport 5671 -j ACCEPT \ && iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \ && iptables -I INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \ && iptables -I INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \ && iptables -I INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT \ iptables-save > /etc/sysconfig/iptables
- For Red Hat Enterprise Linux 7:
firewall-cmd --permanent --add-port="443/tcp" --add-port="5671/tcp" --add-port="80/tcp" --add-port="8140/tcp" --add-port="9090/tcp" --add-port="8080/tcp" \ && firewall-cmd --complete-reload
Advanced Firewall Considerations
The following tables provide details about the network connections made to and from the Red Hat Satellite Server.
Table 1.3. Advanced Firewall Considerations with a Red Hat Satellite Server
| Flow | Action | Initiator | Initiator Detail | Endpoint | Endpoint Detail | Port | Protocol | SELinux Type |
|---|---|---|---|---|---|---|---|---|
| Capsule Registration | Capsule Registration (Content Host) | Capsule | subscription-manager | Satellite Server | Apache | 443 | https | http_port_t |
| Capsule Registration (Smart Proxy) | Capsule | Smart Proxy | Satellite Server | Passenger | 8443/9090 | https | http_port_t, websm_port_t | |
| Broker Connections | Capsule | AMQP Broker | Satellite Server | AMQP Broker | 5671 | amqp | amqp_port_t | |
| Content Promotion | Initiation | Server | AMQP Broker | Capsule | AMQP Broker | 5671 | amqp | amqp_port_t |
| Content Mirroring | Capsule | Pulp Node | Server | Apache | 443 | https/http | http_port_t | |
| Puppet Run | Manifest Request | Client | Puppet Agent | Capsule | Puppet Master | 8140 | https | puppet_port_t |
| External Node Classification | Capsule | Puppet Master | Server | Passenger | 443 | https | http_port_t | |
| Run Report | Capsule | Puppet Master | Server | Passenger | 443 | https | http_port_t | |
| Provisioning | IP/TFTP/Etc | Server | Passenger | Capsule | Smart Proxy | 8140/8443/9090 | https | puppet_port_t, http_port_t, websm_port_t |
| Installation | Client | Anaconda/Yum | Capsule | Pulp Node | 8443/80 | https/http | http_port_t | |
| Installation Templates | Client | Anaconda | Server | Passenger | 443/80 | https/http | http_port_t | |
| Orchestration | DNS records | Capsule | nsupdate | DNS server | bind | 53 | dns | dns_port_t |
| DHCP records | Capsule | omapi | DHCP server | ISC dhcp | 7911 | omapi | dhcp_port_t | |
| Yum Run | Yum Execution | Client | Yum | Capsule | Apache | 8443/80 | https/http | http_port_t |
| Power Management | BMC On/Off/Cycle/Status | Capsule | User Initiated API/UI | Client | IPMI Device | n/a | ipmi | n/a |
Table 1.4. Advanced Firewall Considerations without a Red Hat Satellite Capsule Server
| Flow | Action | Initiator | Initiator Detail | Endpoint | Endpoint Detail | Port | Protocol | SELinux Type |
|---|---|---|---|---|---|---|---|---|
| Subscription Management | Subscription-Manager-Execution | Client | subscription-manager | Satellite Server | Passenger | 443 | https | http_port_t |
| Action Initiation | Server | AMQP Broker | Client | katello-agent | 5671 | amqp | amqp_port_t | |
| Installation/Removal/Update | Client | Anaconda/Yum | Capsule | Apache | 8443/80 | https/http | http_port_t | |
| Provisioning | Installation Templates | Client | Anaconda | Server | Passenger | 443/80 | https/http | http_port_t |
| Compute Resources | Fog interactions (query/create destroy/etc) | Server | Fog | Compute Resource | Openstack | 5000 | http | commplex_main_port_t |
| EC2 | 443 | https | http_port_t | |||||
| oVirt | 443 | https | https_port_t | |||||
| Libvirt | 22/16514 | ssh/tls | ssh_port_t, virt_port_t |
SELinux Policy
Red Hat recommends that the SELinux policy on Satellite 6 systems be set to enforcing.
Important
Red Hat recommends that the Satellite Server be a freshly provisioned system that serves no other function except as a Satellite Server.
Troubleshooting
Red Hat recommends that the sos package is installed on Satellite. The sos packages provides the sosreport command. The sosreport command is a tool that collects configuration and diagnostic information from a Red Hat Enterprise Linux system and is used to provide the initial analysis of a system required when opening a service request with Red Hat Technical Support.
To install the sos package run the following command:
# yum install sos
