7.9. Configuring Satellite 6 with External Services

By default, the Capsule installer installs and configures the TFTP service shipped with Red Hat Enterprise Linux, and it can optionally install DNS and DHCP services. To use the Capsule with DNS, DHCP or TFTP running on another server instead, prevent installation of the unwanted local services by running the installer with the relevant options set to false.

Example 7.1. Installing Capsule Without Services

To install Capsule without the default installation of TFTP, enter a command as follows. Option names differ between installer versions: this example uses the --capsule-* form, while Example 7.2 and the procedures later in this section use the --foreman-proxy-* form; check the installer's --help output for the names your version accepts.
# katello-installer \
--capsule-tftp false
If Capsule has already been installed, execute the installer again with the relevant options set to false to reset the configuration files back to the desired state. This will not uninstall the packages for the services, such as bind or tftp-server. If required, uninstall the unused packages manually.

Example 7.2. Reinstalling Capsule Without Services

To reinstall Capsule without DNS, DHCP, and TFTP, enter a command as follows:
# katello-installer \
--capsule-dns false \
--capsule-dns-managed false \
--capsule-dhcp false \
--capsule-dhcp-managed false \
--foreman-proxy-tftp false

Important

These procedures were written and tested on Red Hat Enterprise Linux 7.1. They are based on the use of NFSv3. The procedures should work for other releases, such as Red Hat Enterprise Linux 6 or Red Hat Enterprise Linux 7.0, but note there may be differences in NFS exporting. See the Red Hat Enterprise Linux 7 Storage Administration Guide and Red Hat Enterprise Linux 6 Storage Administration Guide for more information on exporting file systems using NFS.
In the example configurations below, the subnet is 192.168.38.0/24, the domain is called virtual.lan, the server for the external services is 192.168.38.2/24, and the Capsule Server is at 192.168.38.1/24.

7.9.1. Configuring an External DNS Service

Deploy a Red Hat Enterprise Linux Server (Red Hat Enterprise Linux 7.1 or later is recommended) and install the ISC DNS service (packages bind and bind-utils are required):
# yum install bind bind-utils

Procedure 7.7. Configuring the External DNS Server

Configure the external DNS server as follows:
  1. Create the configuration for the domain with a configuration similar to the following:
    # cat /etc/named.conf
    include "/etc/rndc.key";
    
    controls  {
        inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; };
    };
    
    options  {
        directory "/var/named";
        forwarders { 8.8.8.8; 8.8.4.4; };
    };
    
    include "/etc/named.rfc1912.zones";
    
    zone "38.168.192.in-addr.arpa" IN {
        type master;
        file "dynamic/38.168.192-rev";
        update-policy {
            grant "capsule" zonesub ANY;
        };
    };
    
    zone "virtual.lan" IN {
        type master;
        file "dynamic/virtual.lan";
        update-policy {
            grant "capsule" zonesub ANY;
        };
    };
    Note that the inet line must be entered as one line in the configuration file.
    The example above configures the domain virtual.lan and its one subnet 192.168.38.0/24 as dynamically updatable zones, authorizes updates with a TSIG key named capsule (defined in the included /etc/rndc.key, created in the next step; zonesub ANY lets that key add or delete any record within each zone), allows rndc control connections on port 953 from the Capsule and the server itself with the same key, and sets forwarders to Google's public DNS addresses (8.8.8.8 and 8.8.4.4). The firewall step below opens only port 53; open 953 as well only if you intend to run rndc from the Capsule.
  2. Create a key file:
    # ddns-confgen -k capsule
    The above command can take a long time because it reads the blocking random device (/dev/random) and waits for entropy. For testing or proof-of-concept deployments, the non-blocking device can be used instead:
    # ddns-confgen -k capsule -r /dev/urandom
  3. The above command will print the key section with some instructions as comments. Copy and paste the key section into a separate file named /etc/rndc.key, which is included by a statement in named.conf, so that the file looks as follows:
    # cat /etc/rndc.key
    key "capsule" {
            algorithm hmac-sha256;
            secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw=";
    };
    This is the secret that authorizes dynamic updates: whoever holds it can add or delete any record in both zones. Keep it safe and make sure only root can read and write it on the DNS server. This file will be copied over to the Capsule Server in a later step.
  4. Create zone files as follows:
    # cat /var/named/dynamic/virtual.lan
    $ORIGIN .
    $TTL 10800      ; 3 hours
    virtual.lan             IN SOA  service.virtual.lan. root.virtual.lan. (
                                    9          ; serial
                                    86400      ; refresh (1 day)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    3600       ; minimum (1 hour)
                                    )
                            NS      service.virtual.lan.
    $ORIGIN virtual.lan.
    $TTL 86400      ; 1 day
    capsule                 A       192.168.38.1
    service                 A       192.168.38.2
  5. Create the reverse zone file:
    # cat /var/named/dynamic/38.168.192-rev
    $ORIGIN .
    $TTL 10800      ; 3 hours
    38.168.192.in-addr.arpa IN SOA  service.virtual.lan. root.38.168.192.in-addr.arpa. (
                                    4          ; serial
                                    86400      ; refresh (1 day)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    3600       ; minimum (1 hour)
                                    )
                            NS      service.virtual.lan.
    $ORIGIN 38.168.192.in-addr.arpa.
    $TTL 86400      ; 1 day
    1                PTR     capsule.virtual.lan.
    2                PTR     service.virtual.lan.

    Important

    Make sure there are no extra non-US-ASCII characters as BIND is sensitive to this.

Procedure 7.8. Testing and Starting the DNS Service

To test the configuration and start the DNS service, proceed as follows:
  1. Validate the syntax as follows:
    # named-checkconf -z /etc/named.conf
  2. Enable the server so that it starts at boot, then start it:
    • On Red Hat Enterprise Linux 7:
      # systemctl enable named
      # systemctl restart named
    • On Red Hat Enterprise Linux 6:
      # chkconfig named on
      # service named restart
  3. Try to add a new host dynamically:
    # echo -e "server 192.168.38.2\n \
    update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
    send\n" | nsupdate -k /etc/rndc.key
  4. Test that the DNS service can resolve the new host added in the previous step:
    # nslookup aaa.virtual.lan 192.168.38.2
  5. If required, delete the new entry:
    # echo -e "server 192.168.38.2\n \
    update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
    send\n" | nsupdate -k /etc/rndc.key
  6. Configure the firewall for external access to the DNS service (UDP and TCP on port 53):
    • On a Red Hat Enterprise Linux 6 DNS server, execute as root:
      # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
      && iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
      && service iptables save
      Make sure the iptables service is started and enabled:
      # service iptables start
      # chkconfig iptables on
    • On a Red Hat Enterprise Linux 7 DNS server, execute as root:
      # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
      && firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp"

Procedure 7.9. Configuring a Capsule Server to Use an External DNS Service

To configure a Capsule Server to use an external DNS service, proceed as follows:
  1. Ensure that the nsupdate utility, from the bind-utils package, is installed:
    # yum install bind-utils
  2. Copy the /etc/rndc.key file from the services server to the Capsule Server. For example:
    • On the services server:
      scp localfile username@hostname:remotefile
    • Alternatively, on the Capsule Server:
      scp username@hostname:remotefile localfile
  3. Make sure the key file has the correct owner, permissions, and SELinux label, and that the foreman-proxy service, which runs nsupdate with this key, is able to read it:
    # ls /etc/rndc.key -Zla
    -rw-r-----. root named system_u:object_r:dnssec_t:s0    /etc/rndc.key
  4. The Capsule uses the nsupdate utility to update DNS records on the remote server. Before configuring it, test adding one additional host remotely as follows:
    # echo -e "server 192.168.38.2\n \
    update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
    send\n" | nsupdate -k /etc/rndc.key
    # nslookup aaa.virtual.lan 192.168.38.2
    # echo -e "server 192.168.38.2\n \
    update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
    send\n" | nsupdate -k /etc/rndc.key
  5. Run the katello-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file: enable the smart-proxy DNS module while leaving any local BIND unmanaged, set the provider to nsupdate, point it at the external DNS server and the key file copied above, and set the default time to live for records created by this Capsule. For example:
    # katello-installer --foreman-proxy-dns=true \
    --foreman-proxy-dns-managed=false \
    --foreman-proxy-dns-provider=nsupdate \
    --foreman-proxy-dns-server="192.168.38.2" \
    --foreman-proxy-keyfile=/etc/rndc.key \
    --foreman-proxy-dns-ttl=86400
  6. Restart foreman-proxy service:
    • On Red Hat Enterprise Linux 7:
      # systemctl restart foreman-proxy
    • On Red Hat Enterprise Linux 6:
      # service foreman-proxy restart
  7. Open the Satellite Server web UI in your browser, for example https://satellite_host.example.com.
  8. Select Infrastructure > Capsules. Locate the Capsule being configured and select Refresh features from the drop-down list. The DNS feature should appear.
  9. Select Infrastructure > Capsules and associate the DNS service with the appropriate subnets and domain.
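The following script is an added example and is not part of the Satellite documentation or of the Capsule's own code. It turns the manual checks of Procedure 7.8 (steps 3 to 5) and Procedure 7.9 (steps 3 and 4) into one preflight that can be kept on the Capsule: it verifies the key file's owner and mode, confirms that the foreman-proxy user can read it, and then adds, resolves and deletes a test host, writing the PTR record in the reverse zone as the Capsule does, with nsupdate prerequisites so that an existing name is never overwritten. It assumes the server address, zones and key file from this section; the test host name and address are whatever you pass on the command line (preflight.virtual.lan and 192.168.38.250 in the usage comment are made up).

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation or the Capsule code.
# Preflight for the nsupdate path a Capsule uses against the external BIND
# server. Assumed from the text: key file, server address, zone names and
# the foreman-proxy user. The test host name and address are made up.

DNS_SERVER=${DNS_SERVER:-192.168.38.2}
KEYFILE=${KEYFILE:-/etc/rndc.key}
KEY_GROUP=${KEY_GROUP:-named}          # group shown in the ls -Z output above
PROXY_USER=${PROXY_USER:-foreman-proxy}

# 192.168.38.10 -> 10.38.168.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" |
    awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Compare numeric owner, numeric group and octal mode of a file with what is
# expected; print the mismatch and return 1 on any difference or absent file.
check_key_file() {
    file=$1 want="$2 $3 $4"
    facts=$(stat -c '%u %g %a' "$file" 2>/dev/null) || { echo "missing: $file"; return 1; }
    if [ "$facts" != "$want" ]; then
        echo "bad ownership/mode on $file: got '$facts', want '$want' (uid gid mode)"
        return 1
    fi
}

# nsupdate batch that adds the A record and its PTR. Each zone is its own
# transaction (one "send" per zone), and "prereq nxdomain" makes the server
# refuse the update if the name already exists instead of overwriting it.
add_script() {
    fqdn=$1 ip=$2 ttl=$3 ptr=$(reverse_name "$2")
    cat <<EOF
server $DNS_SERVER
prereq nxdomain $fqdn
update add $fqdn $ttl IN A $ip
send
prereq nxdomain $ptr
update add $ptr $ttl IN PTR $fqdn
send
EOF
}

# Matching delete batch; deleting a record that is already gone is not an error.
delete_script() {
    fqdn=$1 ip=$2 ptr=$(reverse_name "$2")
    cat <<EOF
server $DNS_SERVER
update delete $fqdn IN A $ip
send
update delete $ptr IN PTR $fqdn
send
EOF
}

# Add, resolve forward and reverse, then delete. Needs nsupdate and dig from
# bind-utils and network access to $DNS_SERVER on port 53.
dns_roundtrip() {
    fqdn=$1 ip=$2
    add_script "$fqdn" "$ip" 3600 | nsupdate -k "$KEYFILE" || { echo "update add refused"; return 1; }
    got=$(dig +short @"$DNS_SERVER" "$fqdn" A)
    rev=$(dig +short @"$DNS_SERVER" -x "$ip")
    delete_script "$fqdn" "$ip" | nsupdate -k "$KEYFILE" || { echo "update delete refused"; return 1; }
    if [ "$got" != "$ip" ] || [ "$rev" != "$fqdn." ]; then
        echo "lookup mismatch after update: A='$got' PTR='$rev'"
        return 1
    fi
    echo "dynamic update OK: $fqdn <-> $ip"
}

# Run as root on the Capsule: dns-preflight.sh preflight.virtual.lan 192.168.38.250
if [ "$#" -eq 2 ]; then
    gid=$(getent group "$KEY_GROUP" | cut -d: -f3)
    check_key_file "$KEYFILE" 0 "$gid" 640 || exit 1
    ls -Z "$KEYFILE"                        # expect the dnssec_t label shown above
    su "$PROXY_USER" -s /bin/sh -c "cat '$KEYFILE' >/dev/null" ||
        { echo "$PROXY_USER cannot read $KEYFILE; nsupdate from the Capsule will fail"; exit 1; }
    dns_roundtrip "$1" "$2"
fi
```

If the read check fails while the ownership check passes, the foreman-proxy service is not in the group the file is readable by; fix the group or ownership on the Capsule rather than widening the mode, since the key authorizes changes to every record in both zones. The prerequisite lines are the part worth copying into your own tooling: without them a mistyped host name silently replaces an existing record.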

7.9.2. Configuring an External DHCP Service

Deploy a Red Hat Enterprise Linux Server (Red Hat Enterprise Linux 7.1 or later is recommended) and install the ISC DHCP server package dhcp:
# yum install dhcp

Note

Starting with Satellite 6.3, external DHCP configuration over NFS is no longer supported: the DHCP Capsule watches the leases file with inotify as an optimization, and inotify does not report changes made to files on a remote NFS server.

Procedure 7.10. Configuring the External DHCP Server

Configure the external DHCP server as follows:
  1. Generate the OMAPI key in an empty directory as follows:
    # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
    The above command can take a long time because it reads the blocking random device; for proof-of-concept deployments you can point it at the non-blocking generator instead:
    # dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
    This writes two files, Komapi_key.+*.key and Komapi_key.+*.private, in the current directory; because this is a symmetric HMAC key, both contain the same secret. HMAC-MD5 is the algorithm dhcpd's OMAPI uses, so keep it. On BIND 9.13 and later, dnssec-keygen no longer generates HMAC keys; there, generate the secret with tsig-keygen -a hmac-md5 and copy it from that output instead.
  2. Copy the secret hash from the key:
    # cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2
  3. Edit the dhcpd configuration file for all the subnets, and add the secret key from the previous step:
    # cat /etc/dhcp/dhcpd.conf
    default-lease-time 604800;
    max-lease-time 2592000;
    log-facility local7;
    
    subnet 192.168.38.0 netmask 255.255.255.0 {
    	range 192.168.38.10 192.168.38.100;
    	option routers 192.168.38.1;
    	option subnet-mask 255.255.255.0;
    	option domain-search "virtual.lan";
    	option domain-name "virtual.lan";
    	option domain-name-servers 8.8.8.8;
    }
    
    omapi-port 7911;
    key omapi_key {
    	algorithm HMAC-MD5;
    	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
    };
    omapi-key omapi_key;
  4. Delete the two key files from the directory where you created them.
  5. For each subnet defined (192.168.38.0 in this example) define Subnet on the Satellite server. It is recommended to set up a lease range and reservation range separately to prevent conflicts. In this example, the lease range is 192.168.38.10 to 192.168.38.100 so the reservation range (defined in Satellite GUI) would be 192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined Subnet yet.
    Note that ISC DHCP listens only on interfaces that match defined subnets. In this example, the server has an interface that routes to 192.168.38.0 subnet directly.
  6. Configure the firewall for external access to the DHCP service:
    • On a Red Hat Enterprise Linux 7:
      # firewall-cmd --add-service dhcp \
      && firewall-cmd --permanent --add-service dhcp
    • On a Red Hat Enterprise Linux 6:
      # iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
      && service iptables save
      Make sure the iptables service is started and enabled:
      # service iptables start
      # chkconfig iptables on
  7. The DHCP configuration files are read over NFS by the foreman-proxy user on the Capsule, and NFSv3 matches users by numeric ID. First determine the UID and GID of the foreman-proxy user on the Capsule Server (from /etc/passwd and /etc/group there), then create the same user and group with the same IDs on this server, substituting your values for 990 and 992:
    # groupadd -g 990 foreman-proxy
    # useradd -u 992 -g 990 -s /sbin/nologin foreman-proxy
  8. The configuration files must be readable by this user. Recent dhcp package updates removed the read and execute flags from the configuration directory, which prevents that. To restore the required flags and stop the next package update from changing them again, enter the following commands:
    # chmod o+rx /etc/dhcp/
    # chmod o+r /etc/dhcp/dhcpd.conf
    # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
    The immutable flag blocks every write to these paths, including your own later edits to dhcpd.conf and package updates that need to write into /etc/dhcp. Clear it with chattr -i before such changes and set it again afterwards.
  9. Start the DHCP service:
    • On Red Hat Enterprise Linux 7:
      # systemctl start dhcpd
    • On Red Hat Enterprise Linux 6:
      # service dhcpd start
  10. Install and start the NFS server so that the Capsule Server can read the DHCP configuration and leases file:
    # yum install nfs-utils
    # systemctl enable rpcbind nfs-server
    # systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
  11. Create the directories under the NFS pseudo-root that will hold the DHCP configuration and leases file:
    # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
  12. Add the newly created mount point to /etc/fstab file:
    /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
    /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
  13. Mount the file systems in /etc/fstab:
    # mount -a
  14. Ensure the following lines are present in /etc/exports. The exports are restricted to the Capsule address (192.168.38.1); keep that restriction rather than exporting to a wildcard, because no_root_squash gives root on the client root's access to the exported tree, and keep the DHCP exports read-only, since only dhcpd should ever write the leases file:
    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
    /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
  15. Reload the NFS server:
    # exportfs -rva
  16. Configure the firewall for the DHCP omapi port 7911 for the Capsule Server:
    • On a Red Hat Enterprise Linux 7:
      # firewall-cmd --add-port="7911/tcp" \
      && firewall-cmd --permanent --add-port="7911/tcp"
    • On a Red Hat Enterprise Linux 6:
      # iptables -A INPUT -m state --state NEW -p tcp --dport 7911 -j ACCEPT \
      && service iptables save
      Make sure the iptables service is started and enabled:
      # service iptables start
      # chkconfig iptables on
  17. This step is common to both the DHCP and TFTP procedures and need only be carried out once per system. If required, follow this step to configure the firewall for external access to the NFS service.

    Note

    In this guide the clients are configured to use NFSv3 and this step is therefore NFSv3 specific.
    • On Red Hat Enterprise Linux 7:
      It is recommended to use firewalld daemon's NFS service option because NFS uses multiple ports to initiate connections. To do so, enter the following commands:
      # firewall-cmd --zone public --add-service mountd \
      && firewall-cmd --zone public --add-service rpc-bind \
      && firewall-cmd --zone public --add-service nfs \
      && firewall-cmd --permanent --zone public --add-service mountd \
      && firewall-cmd --permanent --zone public --add-service rpc-bind \
      && firewall-cmd --permanent --zone public --add-service nfs
      For additional information on using NFSv3 behind a firewall on Red Hat Enterprise Linux 7, see the Running NFS Behind a Firewall section in the Red Hat Enterprise Linux 7 Storage Administration Guide and the Securing NFS section in the Red Hat Enterprise Linux 7 Security Guide.
    • On Red Hat Enterprise Linux 6:
      Configure ports for NFSv3 in the /etc/sysconfig/nfs file as follows:
      LOCKD_TCPPORT=32803
      LOCKD_UDPPORT=32769
      MOUNTD_PORT=892
      RQUOTAD_PORT=875
      STATD_PORT=662
      STATD_OUTGOING_PORT=2020
      Restart the service for the changes to take effect:
      # service nfs restart
      Add the following rules to the /etc/sysconfig/iptables file by entering commands as follows. The source restriction is the example subnet, 192.168.38.0/24; narrow it to the Capsule address if this server exports only to the Capsule:
      # iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT \
      && iptables -A INPUT -s 192.168.38.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT \
      && service iptables save
      Restart the firewall for the changes to take effect:
      # service iptables restart
      For additional information on using NFSv3 behind a firewall on Red Hat Enterprise Linux 6, see the Red Hat Enterprise Linux 6 Storage Administration Guide and the Running NFS Behind a Firewall section in the Securing NFS section in the Red Hat Enterprise Linux 6 Security Guide.
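The following script is an added example and is not part of the Satellite documentation or of the Capsule's own code. It shows what the Capsule's ISC DHCP provider does over port 7911 with the key configured in steps 1 to 3 above, and gives an independent check of the OMAPI channel before the Capsule is pointed at it: it generates a secret of the same shape as dnssec-keygen -a HMAC-MD5 -b 512 produces, using the non-blocking generator, renders the key stanza for dhcpd.conf, and creates and then removes a host reservation with omshell, which ships in the dhcp package. It assumes the server address, port and key name from this procedure; the host name preflight, MAC address 52:54:00:12:34:56 and address 192.168.38.200 are made up.

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation or the Capsule code.
# OMAPI key generation and an omshell round trip against the external dhcpd.
# Assumed from the text: server address, OMAPI port, key name and the
# dhcpd.conf path. The host name, MAC and IP used for the round trip are
# made-up test values.

DHCP_SERVER=${DHCP_SERVER:-192.168.38.2}
OMAPI_PORT=${OMAPI_PORT:-7911}
KEY_NAME=${KEY_NAME:-omapi_key}
DHCPD_CONF=${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}

# 512 random bits, base64 on one line: the same shape of secret that
# "dnssec-keygen -a HMAC-MD5 -b 512" emits (an HMAC key is just random bytes).
gen_omapi_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# dhcpd.conf fragment enabling OMAPI with the key. dhcpd's OMAPI uses HMAC-MD5.
omapi_key_stanza() {
    name=$1 secret=$2
    cat <<EOF
omapi-port $OMAPI_PORT;
key $name {
	algorithm HMAC-MD5;
	secret "$secret";
};
omapi-key $name;
EOF
}

# Pull the secret back out of the first key stanza in a dhcpd.conf.
secret_from_conf() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | head -n 1
}

# omshell batch: authenticate with the key and create a fixed host entry,
# which is what the Capsule does for a host with a DHCP reservation.
# The secret travels on omshell's stdin, not on the command line.
omshell_create_host() {
    name=$1 mac=$2 ip=$3 secret=$4
    cat <<EOF
server $DHCP_SERVER
port $OMAPI_PORT
key $KEY_NAME $secret
connect
new host
set name = "$name"
set hardware-address = $mac
set hardware-type = 1
set ip-address = $ip
create
EOF
}

# omshell batch: open the entry by name and remove it.
omshell_remove_host() {
    name=$1 secret=$2
    cat <<EOF
server $DHCP_SERVER
port $OMAPI_PORT
key $KEY_NAME $secret
connect
new host
set name = "$name"
open
remove
EOF
}

# Create and remove the test reservation. omshell reports failures with
# lines starting "can't" (wrong key, duplicate host) or "dhcpctl_connect".
omapi_roundtrip() {
    secret=$(secret_from_conf "$DHCPD_CONF")
    [ -n "$secret" ] || { echo "no key secret found in $DHCPD_CONF"; return 1; }
    out=$(omshell_create_host preflight 52:54:00:12:34:56 192.168.38.200 "$secret" | omshell 2>&1)
    if printf '%s\n' "$out" | grep -q -e "^can't" -e "^dhcpctl_connect"; then
        echo "OMAPI create failed:"; printf '%s\n' "$out"; return 1
    fi
    omshell_remove_host preflight "$secret" | omshell >/dev/null 2>&1
    echo "OMAPI create/remove OK against $DHCP_SERVER:$OMAPI_PORT"
}

# Run as root:
#   omapi-check.sh --new-key   print a fresh key stanza to paste into dhcpd.conf
#   omapi-check.sh --test      round trip using the secret already in dhcpd.conf
if [ "$1" = "--new-key" ]; then
    omapi_key_stanza "$KEY_NAME" "$(gen_omapi_secret)"
elif [ "$1" = "--test" ]; then
    omapi_roundtrip
fi
```

Run the --test mode once from the DHCP server itself and once from the Capsule: the first proves the key and the omapi-port statement, the second proves the 7911 firewall rule from step 16. A duplicate-host failure on the second run means the first run's removal did not happen; remove the preflight entry with the remove batch before trying again.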

Procedure 7.11. Configuring a Capsule Server to Use an External DHCP Service

To configure a Capsule Server to use an external DHCP service, proceed as follows:
  1. Install the NFS client:
    # yum install nfs-utils
  2. Create the DHCP directories to prepare for NFS:
    # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
  3. Change the file owner as follows:
    # chown -R foreman-proxy /mnt/nfs
  4. Try to reach the NFS server and verify RPC communication paths:
    # showmount -e 192.168.38.2
    # rpcinfo -p 192.168.38.2
  5. Add these two lines to the /etc/fstab file:
    192.168.38.2:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
    192.168.38.2:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
  6. Mount the file systems in /etc/fstab:
    # mount -a
  7. Try to read the relevant files:
    # su foreman-proxy -s /bin/bash
    bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
    bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
    bash-4.2$ exit
    In case of problems, investigate the NFS configuration, logs, and firewall rules.
  8. On the Capsule Server, run the katello-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:
    # katello-installer --foreman-proxy-dhcp=true \
    --foreman-proxy-dhcp-provider=isc \
    --foreman-proxy-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
    --foreman-proxy-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
    --foreman-proxy-dhcp-key-name=omapi_key \
    --foreman-proxy-dhcp-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
    --foreman-proxy-dhcp-server 192.168.38.2
    Ensure the dhcp_key_secret value is entered without quotes; the trailing = padding characters are optional. The secret appears in the shell history and in the process list while the installer runs, and it is written to dhcp.yml, so treat that file like /etc/rndc.key: readable by root and the foreman-proxy user only.
  9. Restart the proxy:
    • On Red Hat Enterprise Linux 7:
      # systemctl restart foreman-proxy
    • On Red Hat Enterprise Linux 6:
      # service foreman-proxy restart
  10. Open the Satellite Server web UI in your browser, for example https://satellite_host.example.com.
  11. Select Infrastructure > Capsules. Locate the Capsule and select Refresh features from the drop-down list. The DHCP feature should appear.
  12. Select Infrastructure > Capsules and associate the DHCP service with the appropriate subnets and domain.
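The following script is an added example and is not part of the Satellite documentation or of the Capsule's own code. It turns step 7 above and the range advice in Procedure 7.10 step 5 into a repeatable check on the Capsule: it confirms that the foreman-proxy user can read the NFS-mounted dhcpd.conf and leases file, then parses every dynamic range in dhcpd.conf and reports whether the reservation range you intend to enter for the Subnet in Satellite overlaps one of them. It assumes the mount paths and the foreman-proxy user from this procedure; the reservation range is taken from the command line.

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation or the Capsule code.
# Checks the NFS-mounted DHCP files on the Capsule and whether a planned
# Satellite reservation range overlaps a dynamic range in dhcpd.conf.
# Assumed from the text: the mount paths under /mnt/nfs and the proxy user.

DHCP_CONF=${DHCP_CONF:-/mnt/nfs/etc/dhcp/dhcpd.conf}
DHCP_LEASES=${DHCP_LEASES:-/mnt/nfs/var/lib/dhcpd/dhcpd.leases}
PROXY_USER=${PROXY_USER:-foreman-proxy}

# Dotted quad -> integer, so that ranges can be compared numerically.
ip2int() {
    printf '%s\n' "$1" |
    awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Print every "range lo hi;" in a dhcpd.conf as "lo hi", one per line,
# whether it sits directly in a subnet or inside a pool block. The
# single-address form "range a;" is printed as "a a". "range dynamic-bootp"
# statements are not parsed.
dhcp_ranges() {
    sed -n 's/^[[:space:]]*range[[:space:]]\{1,\}\([0-9.]*\)[[:space:]]*\([0-9.]*\);.*/\1 \2/p' "$1" |
    awk '{ if ($2 == "") $2 = $1; print $1, $2 }'
}

# Return 0 if [res_lo, res_hi] is disjoint from every dynamic range in the
# configuration, otherwise print the colliding range and return 1.
reservation_range_ok() {
    conf=$1 res_lo=$(ip2int "$2") res_hi=$(ip2int "$3")
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    dhcp_ranges "$conf" | while read -r lo hi; do
        ilo=$(ip2int "$lo") ihi=$(ip2int "$hi")
        if [ "$res_lo" -le "$ihi" ] && [ "$res_hi" -ge "$ilo" ]; then
            echo "reservation range $2-$3 overlaps dhcpd range $lo-$hi"
            exit 1      # leaves the pipeline subshell, so the function returns 1
        fi
    done
}

# Run as root on the Capsule: dhcp-range-check.sh 192.168.38.101 192.168.38.250
if [ "$#" -eq 2 ]; then
    for f in "$DHCP_CONF" "$DHCP_LEASES"; do
        su "$PROXY_USER" -s /bin/sh -c "cat '$f' >/dev/null" ||
            { echo "$PROXY_USER cannot read $f: check the export, the mount options and the NFS firewall rules"; exit 1; }
    done
    reservation_range_ok "$DHCP_CONF" "$1" "$2" &&
        echo "reservation range $1-$2 is clear of dhcpd's dynamic ranges"
fi
```

The read test runs as foreman-proxy rather than root on purpose: root on the Capsule is mapped through no_root_squash and will often succeed where the service account fails, which is why reading the files from a root shell is not a sufficient check.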

7.9.3. Configuring an External TFTP Service

Deploy a Red Hat Enterprise Linux Server (Red Hat Enterprise Linux 7.1 or later is recommended).

Procedure 7.12. Configuring the TFTP Server

Configure the external TFTP server as follows:
  1. Install and enable the TFTP server:
    # yum install tftp-server syslinux
    • On Red Hat Enterprise Linux 7, enable and activate the tftp.socket unit:
      # systemctl enable tftp.socket
      # systemctl start tftp.socket
    • On Red Hat Enterprise Linux 6, tftp runs under xinetd and is disabled by default: enable the tftp service, then enable and start xinetd:
      # chkconfig tftp on
      # chkconfig xinetd on
      # service xinetd start
  2. Configure the PXELinux environment as follows:
    # mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg}
    # cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} /var/lib/tftpboot/
  3. Restore SELinux file contexts:
    # restorecon -RvF /var/lib/tftpboot/
  4. Create the TFTP directory to be exported using NFS:
    # mkdir -p /exports/var/lib/tftpboot
  5. Add the newly created mount point to the /etc/fstab file:
    /var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0
  6. Mount the file systems in /etc/fstab:
    # mount -a
  7. Ensure the following lines are present in /etc/exports:
    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    /exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)
    The first line is common to the DHCP configuration and therefore should already be present if the previous procedure was completed on this system.
  8. Reload the NFS server:
    # exportfs -rva
  9. This step is common to both the DHCP and TFTP procedures and need only be carried out once per system. If required, configure the firewall for external access to the NFS service exactly as described in step 17 of Procedure 7.10 (NFSv3 specific: the mountd, rpc-bind and nfs firewalld services on Red Hat Enterprise Linux 7; fixed ports in /etc/sysconfig/nfs plus matching iptables rules on Red Hat Enterprise Linux 6). If the TFTP server is a different host from the DHCP server, repeat that step on it.

Procedure 7.13. Configure the Firewall for External access to the TFTP service

  • Configure the firewall for external access to the TFTP service (UDP on port 69):
    • On a Red Hat Enterprise Linux 7:
      # firewall-cmd --add-port="69/udp" \
      && firewall-cmd --permanent --add-port="69/udp"
    • On a Red Hat Enterprise Linux 6:
      # iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
      && service iptables save
      Make sure the iptables service is started and enabled:
      # service iptables start
      # chkconfig iptables on

Procedure 7.14. Configuring a Capsule Server to Use an External TFTP Service

To configure a Capsule Server to use an external TFTP service, proceed as follows:
  1. Create the TFTP directory to prepare for NFS:
    # mkdir -p /mnt/nfs/var/lib/tftpboot
  2. In the /etc/fstab, add a line as follows:
    192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
  3. Mount the file systems in /etc/fstab:
    # mount -a
  4. Run the katello-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
    # katello-installer --foreman-proxy-tftp=true --foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
    If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of that server.
    # katello-installer --foreman-proxy-tftp-servername=new_FQDN
  5. Open the Satellite Server web UI in your browser, for example https://satellite_host.example.com.
  6. Select Infrastructure > Capsules in the user interface. Locate the Capsule and select Refresh features from the drop-down list. The TFTP feature should appear.
  7. Select Infrastructure > Capsules and associate the TFTP service with the appropriate subnets and domain.
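The following script is an added example and is not part of the Satellite documentation or of the Capsule's own code. It checks the mounted TFTP root the way the Capsule will use it: the PXELinux files copied in Procedure 7.12 must be present, and the foreman-proxy user must be able to create and delete a per-host file under pxelinux.cfg, which is what the Capsule writes when a host is set to build and which only works if the export is rw, root squashing is off and the mount carries the tftpdir_rw_t context. It also shows the file name PXELinux requests for a given MAC address. It assumes the mount path and the foreman-proxy user from this procedure; the MAC address is taken from the command line (the one in the comments is made up).

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation or the Capsule code.
# Verifies the NFS-mounted TFTP root from the Capsule's point of view.
# Assumed from the text: the mount path and the foreman-proxy user.

TFTP_ROOT=${TFTP_ROOT:-/mnt/nfs/var/lib/tftpboot}
PROXY_USER=${PROXY_USER:-foreman-proxy}

# Name of the per-host file PXELinux requests for a MAC address (after the
# optional UUID file): "01-" (ARP hardware type 1, Ethernet) followed by the
# MAC in lower case with dashes, e.g. 52:54:00:12:34:56 -> 01-52-54-00-12-34-56.
pxe_cfg_name() {
    printf '%s\n' "$1" | tr 'A-F:' 'a-f-' | sed 's/^/01-/'
}

# Report boot files and directories missing from a TFTP root; return 1 if any.
check_tftp_root() {
    root=$1 missing=""
    for f in pxelinux.0 menu.c32 chain.c32; do
        [ -f "$root/$f" ] || missing="$missing $f"
    done
    for d in pxelinux.cfg boot; do
        [ -d "$root/$d" ] || missing="$missing $d/"
    done
    if [ -n "$missing" ]; then
        echo "missing under $root:$missing"
        return 1
    fi
}

# Create and remove a per-host config as the given user: exactly the write
# the Capsule performs on this mount when a host is set to build.
pxe_write_test() {
    user=$1 cfg="$2/pxelinux.cfg/$(pxe_cfg_name "$3")"
    su "$user" -s /bin/sh -c "printf 'DEFAULT local\n' > '$cfg' && rm -f '$cfg'"
}

# Run as root on the Capsule: tftp-check.sh 52:54:00:12:34:56
if [ "$#" -eq 1 ]; then
    check_tftp_root "$TFTP_ROOT" || exit 1
    if pxe_write_test "$PROXY_USER" "$TFTP_ROOT" "$1"; then
        echo "$PROXY_USER can write $TFTP_ROOT/pxelinux.cfg/$(pxe_cfg_name "$1")"
    else
        echo "$PROXY_USER cannot write under $TFTP_ROOT/pxelinux.cfg: check the rw export, no_root_squash and the mount context"
        exit 1
    fi
fi
```

A write failure here with a working mount usually comes from the SELinux context on the fstab line or from the export being read-only; a missing-file report means Procedure 7.12 step 2 was not completed on the TFTP server, or the bind mount in its step 5 points at the wrong directory.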