Chapter 1. Preparing your Environment for Installation

Before you install Satellite, ensure that your environment meets the following requirements.

1.1. System Requirements

The following requirements apply to the networked base operating system:

  • x86_64 architecture
  • The latest version of Red Hat Enterprise Linux 7 Server
  • 4-core 2.0 GHz CPU at a minimum
  • A minimum of 20 GB RAM is required for Satellite Server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Satellite running with less RAM than the minimum value might not operate correctly.
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • A system umask of 0022
  • Full forward and reverse DNS resolution using a fully-qualified domain name

Before you install Satellite Server, ensure that your environment meets the requirements for installation.

Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Satellite Server creates:

  • apache
  • foreman
  • foreman-proxy
  • postgres
  • pulp
  • puppet
  • puppetserver
  • qdrouterd
  • qpidd
  • tomcat

Certified hypervisors

Satellite Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?.

SELinux Mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

FIPS Mode

You can install Satellite Server on a Red Hat Enterprise Linux system that is operating in FIPS mode. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.

1.2. Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 6, 7, and 8 repositories synchronized.

1.2.1. Red Hat Enterprise Linux 7

Table 1.1. Storage Requirements for a Satellite Server Installation

DirectoryInstallation SizeRuntime Size

/var/log/

10 MB

10 GB

/var/opt/rh/rh-postgresql12

100 MB

20 GB

/usr

3 GB

Not Applicable

/opt

3 GB

Not Applicable

/opt/puppetlabs

500 MB

Not Applicable

/var/lib/pulp/

1 MB

300 GB

/var/lib/qpidd/

25 MB

Not Applicable

1.3. Storage Guidelines

Consider the following guidelines when installing Satellite Server to increase efficiency.

  • If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.
  • Because most Satellite Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
  • The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
  • Use high-bandwidth, low-latency storage for the /var/lib/pulp/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second.

You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite Operations for more information on using the fio tool.

File System Guidelines

  • Do not use the GFS2 file system as the input-output latency is too high.

Log File Storage

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see Log Rotation in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

The exact amount of storage you require for log messages depends on your installation and setup.

SELinux Considerations for NFS Mount

When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:

nfs.example.com:/nfsshare  /var/lib/pulp  nfs  context="system_u:object_r:var_lib_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command:

# restorecon -R /var/lib/pulp

Duplicated Packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/pulp/ directory. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Software Collections

Software collections are installed in the /opt/rh/ and /opt/theforeman/ directories.

Write and execute permissions by the root user are required for installation to the /opt directory.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/.

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.

1.4. Supported Operating Systems

You can install the operating system from a disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Satellite Server is supported only on the latest versions of Red Hat Enterprise Linux 7 Server that is available at the time when Satellite Server 6.10 is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

The following operating systems are supported by the installer, have packages, and are tested for deploying Satellite:

Table 1.2. Operating Systems supported by satellite-installer

Operating System

Architecture

Notes

Red Hat Enterprise Linux 7

x86_64 only

 

Before you install Satellite, apply all operating system updates if possible.

Red Hat Satellite Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

Install Satellite Server on a freshly provisioned system.

Red Hat does not support using the system for anything other than running Satellite Server.

1.5. Supported Browsers

Satellite supports recent versions of Firefox and Google Chrome browsers.

The Satellite web UI and command-line interface support English, Portuguese, Simplified Chinese Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.6. Ports and Firewalls Requirements

For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 1.3. Satellite Server incoming traffic

Destination Port

Protocol

Service

Source

Required For

Description

53

TCP and UDP

DNS

DNS Servers and clients

Name resolution

DNS (optional)

67

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

69

UDP

TFTP

Client

TFTP Server (optional)

 

443

TCP

HTTPS

Capsule

Red Hat Satellite API

Communication from Capsule

443, 80

TCP

HTTPS, HTTP

Client

Content Retrieval

Content

443, 80

TCP

HTTPS, HTTP

Capsule

Content Retrieval

Content

443, 80

TCP

HTTPS, HTTP

Client

Content Host Registration

Capsule CA RPM installation

443

TCP

HTTPS

Red Hat Satellite

Content Mirroring

Management

443

TCP

HTTPS

Red Hat Satellite

Capsule API

Smart Proxy functionality

5646

TCP

AMQP

Capsule

Katello agent

Forward message to Qpid dispatch router on Satellite (optional)

5910 - 5930

TCP

HTTPS

Browsers

Compute Resource’s virtual console

 

8000

TCP

HTTP

Client

Provisioning templates

Template retrieval for client installers, iPXE or UEFI HTTP Boot

8000

TCP

HTTPS

Client

PXE Boot

Installation

8140

TCP

HTTPS

Client

Puppet agent

Client updates (optional)

8443

TCP

HTTPS

Client

Content Host registration

Initiation

Uploading facts

Sending installed packages and traces

9090

TCP

HTTPS

Client

OpenSCAP

Configure Client

9090

TCP

HTTPS

Discovered Node

Discovery

Host discovery and provisioning

9090

TCP

HTTPS

Red Hat Satellite

Capsule API

Capsule functionality

Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.

A DHCP Capsule performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using satellite-installer --foreman-proxy-dhcp-ping-free-ip=false.

Table 1.4. Satellite Server outgoing traffic

Destination Port

Protocol

Service

Destination

Required For

Description

 

ICMP

ping

Client

DHCP

Free IP checking (optional)

7

TCP

echo

Client

DHCP

Free IP checking (optional)

22

TCP

SSH

Target host

Remote execution

Run jobs

22, 16514

TCP

SSH SSH/TLS

Compute Resource

Satellite originated communications, for compute resources in libvirt

 

53

TCP and UDP

DNS

DNS Servers on the Internet

DNS Server

Resolve DNS records (optional)

53

TCP and UDP

DNS

DNS Server

Capsule DNS

Validation of DNS conflicts (optional)

53

TCP and UDP

DNS

DNS Server

Orchestration

Validation of DNS conflicts

68

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

80

TCP

HTTP

Remote repository

Content Sync

Remote yum repository

389, 636

TCP

LDAP, LDAPS

External LDAP Server

LDAP

LDAP authenticatiion, necessary only if external authentication is enabled. The port can be customized when LDAPAuthSource is defined

443

TCP

HTTPS

Satellite

Capsule

Capsule

Configuration management

Template retrieval

OpenSCAP

Remote Execution result upload

443

TCP

HTTPS

Amazon EC2, Azure, Google GCE

Compute resources

Virtual machine interactions (query/create/destroy) (optional)

443

TCP

HTTPS

cloud.redhat.com

Red Hat Cloud plugin API calls

 

443

TCP

HTTPS

Red Hat Portal

SOS report

Assisting support cases (optional)

443

TCP

HTTPS

Red Hat CDN

Content Sync

Red Hat CDN

443

TCP

HTTPS

cert-api.access.redhat.com

Telemetry data upload and report

 

443

TCP

HTTPS

Capsule

Content mirroring

Initiation

443

TCP

HTTPS

Infoblox DHCP Server

DHCP management

When using Infoblox for DHCP, management of the DHCP leases (optional)

623

  

Client

Power management

BMC On/Off/Cycle/Status

5000

TCP

HTTPS

OpenStack Compute Resource

Compute resources

Virtual machine interactions (query/create/destroy) (optional)

5646

TCP

AMQP

Satellite Server

Katello agent

Forward message to Qpid dispatch router on Capsule (optional)

5671

  

Qpid

Remote install

Send install command to client

5671

  

Dispatch router (hub)

Remote install

Forward message to dispatch router on Satellite

5671

  

Satellite Server

Remote install for Katello agent

Send install command to client

5671

  

Satellite Server

Remote install for Katello agent

Forward message to dispatch router on Satellite

5900 - 5930

TCP

SSL/TLS

Hypervisor

noVNC console

Launch noVNC console

7911

TCP

DHCP, OMAPI

DHCP Server

DHCP

The DHCP target is configured using --foreman-proxy-dhcp-server and defaults to localhost

ISC and remote_isc use a configurable port that defaults to 7911 and uses OMAPI

8443

TCP

HTTPS

Client

Discovery

Capsule sends reboot command to the discovered host (optional)

9090

TCP

HTTPS

Capsule

Capsule API

Management of Capsules

1.7. Enabling Connections from a Client to Satellite Server

Capsules and Content Hosts that are clients of a Satellite Server’s internal Capsule require access through Satellite’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the Red Hat Enterprise Linux 7 system that Satellite is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Ports and Firewalls Requirements.

Procedure

  1. To open the ports for client to Satellite communication, enter the following command on the base operating system that you want to install Satellite on:

    # firewall-cmd \
    --add-port="80/tcp" --add-port="443/tcp" \
    --add-port="5647/tcp" --add-port="8000/tcp" \
    --add-port="8140/tcp" --add-port="9090/tcp" \
    --add-port="53/udp" --add-port="53/tcp" \
    --add-port="67/udp" --add-port="69/udp"
  2. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent

1.8. Verifying Firewall Settings

Use this procedure to verify your changes to the firewall settings.

Procedure

  1. Enter the following command:

    # firewall-cmd --list-all

For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.

1.9. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.

Procedure

  1. Ensure that the host name and local host resolve correctly:

    # ping -c1 localhost
    # ping -c1 `hostname -f` # my_system.domain.com

    Successful name resolution results in output similar to the following:

    # ping -c1 localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms
    
    --- localhost ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms
    
    # ping -c1 `hostname -f`
    PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
    64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms
    
    --- localhost.gateway ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
  2. To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:

    # hostnamectl set-hostname name

For more information, see the Configuring Host Names Using hostnamectl in the Red Hat Enterprise Linux 7 Networking Guide.

Warning

Name resolution is critical to the operation of Satellite 6. If Satellite cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.