7.2. Red Hat Satellite Capsule Server Prerequisites

The Satellite Capsule's requirements are identical to the Satellite Server. These conditions must be met before installing Red Hat Satellite Capsule:

Important

The Red Hat Satellite server and Capsule server versions must match. For example, a Satellite 6.0 server cannot run a 6.1 Capsule server and a Satellite 6.1 server cannot run a 6.0 Capsule server. Mismatching Satellite server and Capsule server versions will result in the Capsule server failing silently.

7.2.1. Base Operating System

Install the operating system from disc, local ISO image, kickstart, or any other methods that Red Hat supports. Red Hat Satellite Capsule requires Red Hat Enterprise Linux installations with the @Base package group with no other package-set modifications, and without third-party configurations or software that is not directly necessary for the direct operation of the server. This restriction includes hardening or other non-Red Hat security software. If such software is required in your infrastructure, install and verify a complete working Red Hat Satellite Capsule first, then create a backup of the system before adding any non-Red Hat software.
When installing Red Hat Enterprise Linux from CD or ISO image, there is no need to select any package groups; Red Hat Satellite Capsule only requires the base operating system installation. When installing the operating system via kickstart, select the @Base package group.
  • Red Hat Satellite Capsule requires a networked base system with the following minimum specifications:
    • 64-bit architecture.
    • The latest version of Red Hat Enterprise Linux  6 Server or 7 Server.
    • A minimum of two CPU cores, but four CPU cores are recommended.
    • A minimum of 12 GB memory but ideally 16 GB of memory for each Satellite instance. A minimum of 4 GB of swap is recommended.
    • A minimum of 5 GB storage for the base install of Red Hat Enterprise Linux, 300 MB for the installation of Red Hat Satellite Capsule and at least 10 GB storage for each unique software repository to be synchronized in the /var file system.
      Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages will require less additional storage.

      Note

      The bulk of storage resides on the /var/lib/mongodb and /var/lib/pulp directories. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage issues.
    • No Java virtual machine installed on the system, remove any if they exist.
    • No Puppet RPM files installed on the system.
    • No third-party unsupported yum repositories enabled. Third-party repositories may offer conflicting or unsupported package versions that may cause installation or configuration errors.
  • Administrative user (root) access.
  • Full forward and reverse DNS resolution using a fully qualified domain name. Check that hostname and localhost resolve correctly, using the following commands: 
    # ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com
  • Ensure the Satellite Server's base system can resolve the Capsule's host name.
  • Available subscriptions on the Red Hat Satellite Server.

Important

Make sure that the host system is fully updated before installing Red Hat Satellite Capsule Server. Attempts to install on host systems running Red Hat Enterprise Linux that are not fully updated may lead to difficulty in troubleshooting, as well as unpredictable results.
Red Hat recommends that the Satellite Capsule system be a freshly provisioned system that serves no other function except as a Satellite Capsule.

7.2.2. Application Specifications

Satellite application installation specifications are as follows:
It is recommended that a time synchronizer such as ntpd is installed and enabled on Satellite. Run the following command to start the time synchronizer and have it persist across restarts:
For Red Hat Enterprise Linux 6: 
# chkconfig ntpd on; service ntpd start
For Red Hat Enterprise Linux 7: 
# systemctl start chronyd; systemctl enable chronyd

7.2.3. Network Ports Required for Capsule Communications

The tables in this section list the ports required for configuring a Red Hat Satellite Capsule. A list of ports can also be found in the Red Hat Knowledgebase solution Satellite 6.1 Definitive List of Ports.

Table 7.1. Ports for Satellite to Capsule Communication

Port Protocol Service Required for
9090 TCP HTTPS Connections to the proxy in the Capsule
80 TCP HTTP Satellite to Capsule, for downloading a bootdisk (Optional)
443 TCP HTTPS Connections to the Pulp server in the Capsule [a]
[a] Added in Satellite 6.1.9

Table 7.2. Ports for Capsule to Satellite Communication

Port Protocol Service Required for
443 TCP HTTPS Connections to Katello, Foreman, Foreman API, and Pulp
5646 TCP amqp Capsule's Qpid dispatch router to Qpid dispatch router in the Satellite
5647 TCP amqp The Katello agent to communicate with the Satellite's Qpid dispatch router
The base system on which a Capsule Server is running is a managed host, a client, that is directly connected to the Satellite Server. See Table 1.5, “Ports for Client to Satellite Communication”.

Table 7.3. Ports for Client to Capsule Communication

Port Protocol Service Required for
53 TCP and UDP DNS Queries to the DNS service
67 UDP DHCP For Client provisioning from the Capsule
69 UDP TFTP Downloading PXE boot image files
80 TCP HTTP Anaconda, yum, and for obtaining Katello certificate updates
443 TCP HTTPS Anaconda, yum, Telemetry Services, and Puppet
5647 TCP amqp The Katello agent to communicate with the Capsule's Qpid dispatch router
8000 TCP HTTPS Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140 TCP HTTPS Puppet agent to Puppet master connections
8443 TCP HTTPS Subscription Management Services connection to the reverse proxy for the certificate-based API
9090 TCP HTTPS Sending generated SCAP reports to the proxy in the Capsule for spooling

Connections from Satellite to Capsule

To configure the firewall on a Capsule to enable incoming connections from the Satellite, and to make these rules persistent during reboots, enter the commands below appropriate to the Red Hat release.
The ports in these commands are taken from the table Table 7.1, “Ports for Satellite to Capsule Communication”. Note that port 9090 is also listed in the Table 7.3, “Ports for Client to Capsule Communication”. Review the commands to avoid duplicating entries.
  • On a Red Hat Enterprise Linux 6 Capsule, execute as root: 
    # iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& service iptables save
    Make sure the iptables service is started and enabled: 
    # service iptables restart
# chkconfig iptables on
  • On a Red Hat Enterprise Linux 7 Capsule, execute as root: 
    # firewall-cmd --add-port="9090/tcp" \
--add-port="443/tcp" \
&& firewall-cmd --permanent --add-port="9090/tcp" \
--add-port="443/tcp"

Connections from Capsule to Satellite

To configure the firewall on a Satellite to enable incoming connections from a Capsule, and to make these rules persistent during reboots, enter the commands below appropriate to the Red Hat release.
The ports in these commands are taken from the table Table 7.2, “Ports for Capsule to Satellite Communication”. Note that port 443 and 5647 are also listed in the Table 1.5, “Ports for Client to Satellite Communication”. Review the commands to avoid duplicating entries.
  • On a Red Hat Enterprise Linux 6 Satellite, execute as root: 
    # iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5646 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& service iptables save
    Make sure the iptables service is started and enabled: 
    # service iptables restart
# chkconfig iptables on
  • On a Red Hat Enterprise Linux 7 Satellite, execute as root: 
    # firewall-cmd --add-port="443/tcp" \
 --add-port="5646/tcp" --add-port="5647/tcp" \
&& firewall-cmd --permanent --add-port="443/tcp" \
 --add-port="5646/tcp" --add-port="5647/tcp"

Connections from Client to Capsule

To configure the firewall on a Capsule to enable incoming connections from a Client, and to make these rules persistent during reboots, enter the commands below appropriate to the Red Hat release.
The ports in these commands are taken from the table Table 7.3, “Ports for Client to Capsule Communication”. Note that port 443 and 9090 are also listed in the Table 7.1, “Ports for Satellite to Capsule Communication”. Review the commands to avoid duplicating entries.
  • On a Red Hat Enterprise Linux 6 Capsule, execute as root: 
    # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 5647 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8000 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8140 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT \
&& iptables -A INPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT \
&& service iptables save
    Make sure the iptables service is started and enabled: 
    # service iptables restart
# chkconfig iptables on
  • On a Red Hat Enterprise Linux 7 Capsule, execute as root: 
    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
 --add-port="67/udp" \
 --add-port="69/udp" --add-port="80/tcp" \
 --add-port="443/tcp" --add-port="5647/tcp" \
 --add-port="8000/tcp" --add-port="8140/tcp" \
 --add-port="8443/tcp" --add-port="9090/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
 --add-port="67/udp" \
 --add-port="69/udp" --add-port="80/tcp" \
 --add-port="443/tcp" --add-port="5647/tcp" \
 --add-port="8000/tcp" --add-port="8140/tcp" \
 --add-port="8443/tcp" --add-port="9090/tcp"

Note

For information on SELinux types for the ports mentioned in this section, see Section 1.4.6, “SELinux Policy on Satellite 6”