1.4. Prerequisites

The following conditions must be met before installing Red Hat Satellite 6:

Important

The Red Hat Satellite server and Capsule server versions must match. For example, a Satellite 6.0 server cannot run a 6.1 Capsule server and a Satellite 6.1 server cannot run a 6.0 Capsule server. Mismatching Satellite server and Capsule server versions will result in the Capsule server failing silently.

1.4.1. Base Operating System

Important

Red Hat Satellite is only supported on the latest version of Red Hat Enterprise Linux 6 Server or 7 Server. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.
Install the operating system from disc, local ISO image, kickstart, or any other method that Red Hat supports. Register and attach a subscription to the system as follows: 
# subscription-manager register
# subscription-manager list --available --all
# subscription-manager subscribe --pool=Red_Hat_Enterprise_Linux_Pool_Id

Important

  • Red Hat Satellite Server requires Red Hat Enterprise Linux installations with the @Base package group with no other package-set modifications, and without third-party configurations or software that is not directly necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software. If such software is required in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.
  • Your subscription-manager 'Release' field must be set to 6Server or 7Server in order to receive the latest version of Red Hat Enterprise Linux and Red Hat Satellite during the installation. Set the field by using the command: 
    # subscription-manager release --set=Release
    Only release versions 6Server and 7Server are supported by Red Hat Satellite.
  • Update the system to the latest set of packages in Red Hat Enterprise Linux after setting the release: 
    # yum update
  • Red Hat recommends that the Satellite Server be a freshly provisioned system that serves no other function except as a Satellite Server.
  • Red Hat Satellite requires a networked base system with the following minimum specifications:
    • 64-bit architecture
    • The latest version of Red Hat Enterprise Linux  6 Server or 7 Server
    • A minimum of two CPU cores, but four CPU cores are recommended.
    • A minimum of 12 GB memory but ideally 16 GB of memory for each instance of Satellite. A minimum of 4 GB of swap space is recommended.
    • A unique hostname. The hostname can contain lower-case letters, numbers, dots (.) and hyphens (-).
    • No Java virtual machine installed on the system, remove any if they exist.
    • No Puppet RPM files installed on the system.
    • No third-party unsupported yum repositories enabled. Third-party repositories may offer conflicting or unsupported package versions that may cause installation or configuration errors.
  • A current Red Hat Network subscription.
  • Administrative user (root) access.
  • Full forward and reverse DNS resolution using a fully qualified domain name. Ensure that hostname and localhost resolve correctly, using the following commands: 
    # ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Important

Ensure that the host system is fully updated before installing Red Hat Satellite. Attempts to install on host systems that are not fully updated may lead to difficulty in troubleshooting, as well as unpredictable results.

1.4.2. Supported Browsers

Browser support is divided into 4 levels:
  1. Level 1: Fully supported preferred browsers for ideal experience.
  2. Level 2: Mostly supported. The interface functions but some design elements may not align correctly, UI controls and layout may be misaligned and there maybe degraded performance experienced.
  3. Level 3: Design elements may not align correctly.
  4. Level 4: Unsupported
The table below outlines the supported browsers and their level of support:

Table 1.1. Supported Browser Matrix

Browser Version Support Level
Firefox 3.6 L3
Firefox 17, 18, 19, 20 L4
Firefox 21 L2
Firefox 22, 23, 24 L1
Firefox Latest L1
Chrome 19, 20 L4
Chrome 21, 27 L2
Chrome Latest L1
Internet Explorer 7, 8 L4
Internet Explorer 9, 10, 11 L2
Safari ALL L4

Note

The web UI and command-line interface for Satellite Server supports English, Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.4.3. Storage

Satellite Server storage specifications are as follows:
  • A minimum of 6 GB storage for base operating system installation of Red Hat Enterprise Linux.
  • A minimum of 400 MB storage for the Red Hat Satellite 6 software installation.
  • A minimum of 20 GB storage for each unique software repository. Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages will require less additional storage. The bulk of storage resides on the /var/lib/mongodb and /var/lib/pulp directories. These end points are not manually configurable. Make sure that storage is available on the /var file system to prevent storage issues.
  • A minimum of 2 GB of available storage in /var/lib/pgsql with the ability to grow the partition containing this directory as data storage requirements grow.
  • If you are using a disconnected installation, a copy of the repositories used in the installation are stored in the /opt/ directory. Ensure you have a minimum of 2GB of space for this file system and directory.

Note

Most Satellite Server data is stored within the /var directory. It is strongly recommended to mount /var on LVM storage that the system can scale to meet data storage requirements.

Note

The XFS file system is recommended for Red Hat Satellite 6. XFS is the default file system in Red Hat Enterprise Linux 7, which makes it the preferable base operating system. If you intend to use Red Hat Enterprise Linux 6 instead, contact your account team to learn about enabling XFS on this system. Alternatively, make sure that you have an ext4 file system with sufficient amount of inodes for your intended Satellite deployment.
The following table details recommended storage requirements for specific directories. These values are based on expected use case scenarios and may vary according to individual environments.

Important

Several components of Red Hat Satellite are sensitive to network latency. Red Hat recommends local or SAN-based storage. Avoid NFS storage whenever possible.

1.4.4. Application Specifications

Satellite Server application installation specifications are as follows:
Red Hat recommends that a time synchronizer such as ntp is installed and enabled on the host operating system before installing Satellite to minimize the effects of any time drift.
For Red Hat Enterprise Linux 6, run the following commands to start the ntpd service and have it persist across restarts: 
# service ntpd start
# chkconfig ntpd on
In Red Hat Enterprise Linux 7, chrony is the default time synchronizer. Run the following commands to start the chronyd service and have it persist across restarts: 
# systemctl start chronyd
# systemctl enable chronyd

1.4.5. Network Ports Required for Satellite Communications

The tables in this section list the ports required for configuring Red Hat Satellite Server. A list of ports can also be found in the Red Hat Knowledgebase solution Satellite 6.1 Definitive List of Ports.

Table 1.3. Ports for Browser-based User Interface Access to Satellite

Port Protocol Service Required for
443 TCP HTTPS For Browser-based UI Access to Satellite
Optional    
80 TCP HTTP To enable redirection to HTTPS for web UI Access to Satellite

Table 1.4. Ports for Satellite to Red Hat CDN Communication

Port Protocol Service Required for
443 TCP HTTPS Subscription Management Services, connecting to the Red Hat CDN

Table 1.5. Ports for Client to Satellite Communication

Port Protocol Service Required for
53 TCP and UDP DNS Queries to the Satellite's integrated DNS service
67 UDP DHCP For Client provisioning from the integrated Capsule
69 UDP TFTP Downloading PXE boot image files from the integrated Capsule
80 TCP HTTP Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware
443 TCP HTTPS Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent
5647 TCP amqp The Katello agent to communicate with the Satellite's Qpid dispatch router
8140 TCP HTTPS Puppet agent to Puppet master connections
Any managed host that is directly connected to the Satellite Server is a Client in this context. This includes the base system on which a Capsule Server is running.

Table 1.6. Optional Network Ports

Port Protocol Service Required for
8443 TCP HTTP Capsule to Client "reboot" command to a discovered host during provisioning
7911 TCP DHCP Capsule originated, for orchestration of DHCP records (local or external)[a]
5000 TCP HTTP Satellite originated, for compute resources in OpenStack or for running Docker containers
22, 16514 TCP SSH/TLS Satellite originated, for compute resources in libvirt
389, 636 TCP SSH/TLS Satellite originated, for LDAP and secured LDAP authentication sources
from 5910 to 5930 TCP SSH/TLS Satellite originated, for NoVNC console in Web UI to hypervisors
[a] If the DHCP service is provided by an external service, opening this port is required on the external server.

Note

Port 8080 needs to be free, but not open, in order for subscription management services to access the Satellite Server.

Note

To configure the firewall on a Capsule to enable incoming connections from the Satellite, see the section called “Connections from Satellite to Capsule”.

Connections from Client to Satellite

To configure the firewall on a Satellite to enable incoming connections from a Client, and to make these rules persistent during reboots, enter the commands below appropriate to the Red Hat release.
The ports in these commands are taken from the table Table 1.5, “Ports for Client to Satellite Communication”. Note that port 80 and 443 are also listed in the Table 1.3, “Ports for Browser-based User Interface Access to Satellite”. Review the commands to avoid duplicating entries.
  • On a Red Hat Enterprise Linux 6 Satellite, execute as root: 
    # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \
&& service iptables save
    Make sure the iptables service is started and enabled: 
    # service iptables start
# chkconfig iptables on
  • On a Red Hat Enterprise Linux 7 Satellite, execute as root: 
    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
 --add-port="67/udp" \
 --add-port="69/udp" --add-port="80/tcp" \
 --add-port="443/tcp" --add-port="5647/tcp" \
 --add-port="8140/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
 --add-port="67/udp" \
 --add-port="69/udp" --add-port="80/tcp" \
 --add-port="443/tcp" --add-port="5647/tcp" \
 --add-port="8140/tcp"

1.4.6. SELinux Policy on Satellite 6

Red Hat Satellite 6 uses a set of predefined ports, as described in the preceding section and in Section 7.2.3, “Network Ports Required for Capsule Communications”. Because Red Hat recommends that SELinux on Satellite 6 systems be set to enforcing, if you need to change the port for any service, you also need to change the associated SELinux port type to allow access to the resources. For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type.
Table 1.7, “SELinux Commands to Change Default Port Assignments” lists the required commands to change the Satellite 6 default ports to a user-specified port. These examples use port 99999 for demonstration purposes; ensure you change this value to suit your deployment.

Note

This change is also required for target ports; for example, when Satellite 6 connects to an external source, such as Red Hat Enterprise Virtualization Manager or OpenStack.
You only need to make changes to default port assignments once. Updating or upgrading Satellite has no effect on these assignments. Any updates only add default SELinux ports if no assignments exist.

Table 1.7. SELinux Commands to Change Default Port Assignments

Default Port SELinux Command
80, 443, 8443 semanage port -a -t http_port_t -p tcp 99999
8080 semanage port -a -t http_cache_port_t -p tcp 99999
8140 semanage port -a -t puppet_port_t -p tcp 99999
9090 semanage port -a -t websm_port_t -p tcp 99999
69 semanage port -a -t tftp_port_t -p udp 99999
53 (TCP) semanage port -a -t dns_port_t -p tcp 99999
53 (UDP) semanage port -a -t dns_port_t -p udp 99999
67, 68 semanage port -a -t dhcpd_port_t -p udp 99999
5671 semanage port -a -t amqp_port_t -p tcp 99999
8000 semanage port -a -t soundd_port_t -p tcp 99999
7911 semanage port -a -t dhcpd_port_t -p tcp 99999
5000 on Red Hat Enterprise Linux 6 semanage port -a -t commplex_port_t -p tcp 99999
5000 on Red Hat Enterprise Linux 7 semanage port -a -t commplex_main_port_t -p tcp 99999
22 semanage port -a -t ssh_port_t -p tcp 99999
16514 (libvirt) semanage port -a -t virt_port_t -p tcp 99999
389, 636 semanage port -a -t ldap_port_t -p tcp 99999
5910 to 5930 semanage port -a -t vnc_port_t -p tcp 99999
To allow Satellite 6 to connect to a service that is on a different port, for example, EC2 or an external repository served by an Apache httpd server, you need to add this port to the virt_port_t SELinux type, as follows: 
# semanage port -a -t virt_port_t -p tcp 99999

Important

If SELinux was disabled (as compared to enabled and running in permissive mode), when you installed Satellite, then you need to enable SELinux and run the following commands in permissive mode after you have completed the installation: 
# foreman-selinux-enable
# foreman-selinux-relabel
Failure to run these commands can result in mislabeled files, AVC denials when attempting to access the web UI, and difficult troubleshooting.
Use the semanage command if you need to disassociate the previously used port number and port type. For example: 
# semanage port -d -t virt_port_t -p tcp 99999
For more information about configuring SELinux, and ensuring that it is enabled on startup, see the following resources:

1.4.7. Considerations for Large Deployments

With more than 225 content hosts, the qpidd message broker can reach several system-level limits, resulting in Satellite's failure to operate. To avoid this, one or more of these limits must be increased before deploying a large number of content hosts.
Refer to the following table to confirm which values must be changed depending on the number of content hosts you plan to deploy. Then refer to the following sections for instructions on how to set these limits.

Table 1.8. Limits to be Increased for Large Deployments

Number of Content HostsClient ConnectionsFile Descriptors Parallel Asynchronous I/O OperationsConcurrent LocksMemory Map Areas
More than 225    
More than 500   
More than 1900  
More than 30,000 
More than 32,900

Increasing the Maximum Number of Client Connections

With more than 225 content hosts, qpidd reaches the maximum number of client connections. To increase it, first establish the new value of the limit that is calculated as: 
(number_of_content_hosts x 2) + 100
For example, a deployment with 300 content hosts requires at least 700 connections. Use the calculated value in /etc/qpid/qpidd.conf: 
max-connections=value

Increasing the Maximum Number of File Descriptors

With more than 500 content hosts, qpidd reaches the maximum number of file descriptors. To increase it, first establish the new value of the limit that is calculated as: 
(number_of_content_hosts x 4) + 500
For example, a deployment with 600 content hosts requires 2900 file descriptors. Use the calculated value in appropriate configuration files:
  • On Red Hat Enterprise Linux 6, add the following line to /etc/security/limits.conf: 
    qpidd x nofile value
  • On Red Hat Enterprise Linux 7, add the following line to /usr/lib/systemd/system/qpidd.service at the end of the [Service] section: 
    LimitNOFILE=value

Increasing the Maximum Number of Parallel Asynchronous I/O Operations

With more than 1900 content hosts, qpidd reaches the kernel limit of maximum parallel asynchronous I/O operations. To increase it, first establish the new value of the limit that is calculated as: 
33 x number_of_content_hosts
Use the calculated value in /etc/sysctl.conf: 
fs.aio-max-nr=value
Reload the setting by executing: 
# sysctl -p

Increasing the Maximum Number of Concurrent Locks

With more than 30,000 content hosts, the back-end database of qpidd might reach the maximum number of concurrent locks. To increase this limit, create a configuration file in the directory where the exchanges.db file is stored. The directory location can vary. Confirm its location by searching the /var/lib/qpidd/ directory: 
# find /var/lib/qpidd -name exchanges.db
/var/lib/qpidd/qls/dat/exchanges.db
In the above example, exchanges.db is stored in the /var/lib/qpidd/qls/dat/ directory. In this directory, create a DB_CONFIG file that must be owned and readable by the qpidd user. Add the following content to DB_CONFIG: 
set_lk_max_locks 10000
set_lk_max_objects 10000

Increasing the Maximum Number of Memory Map Areas

With more than 32,900 content hosts, qpidd reaches the kernel limit of maximum number of memory map areas per process. This problem occurs only on Red Hat Enterprise Linux 7.
Increase the limit by adding the following line to /etc/sysctl.conf: 
vm.max_map_count = 655300
Reload the setting by executing: 
# sysctl -p

Important

It is required to restart qpidd to apply any changes to the aforementioned limits:
  • On Red Hat Enterprise Linux 6: 
    # service qpidd restart
  • On Red Hat Enterprise Linux 7: 
    # systemctl restart qpidd

1.4.8. Troubleshooting

Red Hat recommends to install the sos package on the host operating system before installing Satellite. The sos package provides the sosreport command that collects configuration and diagnostic information from a Red Hat Enterprise Linux system and is used to provide the initial analysis of a system required when opening a service request with Red Hat Technical Support. For more information on using sosreport, refer to the What is a sosreport and how to create one in Red Hat Enterprise Linux 4.6 and later? article on Red Hat Customer Portal[5].
To install the sos package run the following command: 
# yum install sos