Chapter 1. Preparing your Environment for Installation

Before you install Satellite, ensure that your environment meets the following requirements.

1.1. System Requirements

The following requirements apply to the networked base operating system:

  • x86_64 architecture
  • 4-core 2.0 GHz CPU at a minimum
  • A minimum of 20 GB RAM is required for Satellite Server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Satellite running with less RAM than the minimum value might not operate correctly.
  • A supported operating system installed with all available updates applied
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • A system umask of 0022
  • Full forward and reverse DNS resolution using a fully-qualified domain name

Satellite only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Red Hat Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 8 Configuring basic system settings.

Your Satellite must have the Red Hat Satellite Infrastructure Subscription manifest in your Customer Portal. Satellite must have satellite-capsule-6.x repository enabled and synced. To create, manage, and export a Red Hat Subscription Manifest in the Customer Portal, see Creating and managing manifests for a connected Satellite Server in Subscription Central.

Satellite Server and Capsule Server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Satellite.

Before you install Satellite Server, ensure that your environment meets the requirements for installation.

Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Satellite Server creates:

  • apache
  • foreman
  • foreman-proxy
  • postgres
  • pulp
  • puppet
  • qdrouterd
  • qpidd
  • redis
  • tomcat

Certified hypervisors

Satellite Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Certified Guest Operating Systems in Red Hat OpenStack Platform, Red Hat Virtualization, Red Hat OpenShift Virtualization and Red Hat Enterprise Linux with KVM.

SELinux Mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

FIPS mode

You can install Satellite on a Red Hat Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Satellite. For more information, see Installing a RHEL 8 system with FIPS mode enabled in Red Hat Enterprise Linux Security hardening.

Note

Satellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite and Capsule installations.

Inter-Satellite Synchronization (ISS)

In a scenario with air-gapped Satellite Servers, all your Satellite Servers must be on the same Satellite version for ISS Export Sync to work. ISS Network Sync works across all Satellite versions that support it. For more information, see Synchronizing Content Between Satellite Servers in Managing Content.

1.2. Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 6, 7, and 8 repositories synchronized.

Table 1.1. Storage Requirements for a Satellite Server Installation

DirectoryInstallation SizeRuntime Size

/var/log

10 MB

10 GB

/var/lib/pgsql

100 MB

20 GB

/usr

5 GB

Not Applicable

/opt/puppetlabs

500 MB

Not Applicable

/var/lib/pulp

1 MB

300 GB

/var/lib/qpidd

25 MB

Refer Storage Guidelines

For external database servers: /var/lib/pgsql with installation size of 100 MB and runtime size of 20 GB.

For detailed information on partitioning and size, see Partitioning reference in the Red Hat Enterprise Linux 8 System Design Guide.

1.3. Storage Guidelines

Consider the following guidelines when installing Satellite Server to increase efficiency.

  • If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.
  • Because most Satellite Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
  • The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
  • Use high-bandwidth, low-latency storage for the /var/lib/pulp/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 – 80 Megabytes per second.

You can use the storage-benchmark script to get this data. For more information on using the storage-benchmark script, see Impact of Disk Speed on Satellite Operations.

File System Guidelines

  • Do not use the GFS2 file system as the input-output latency is too high.

Log File Storage

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate.

For more information, see How to use logrotate utility to rotate log files.

The exact amount of storage you require for log messages depends on your installation and setup.

SELinux Considerations for NFS Mount

When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab: 

nfs.example.com:/nfsshare  /var/lib/pulp  nfs  context="system_u:object_r:var_lib_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command: 

# restorecon -R /var/lib/pulp

Duplicated Packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/pulp/ directory. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/.

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.

1.4. Supported Operating Systems

Satellite Server is supported on the latest versions of Red Hat Enterprise Linux 8 that are available at the time when Satellite Server is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

You can install the operating system from a disc, local ISO image, kickstart, or any other method that Red Hat supports.

The following operating systems are supported by the installer, have packages, and are tested for deploying Satellite:

Table 1.2. Operating Systems supported by satellite-installer

Operating System

Architecture

Notes

Red Hat Enterprise Linux 8

x86_64 only

 

Before you install Satellite, apply all operating system updates if possible.

Satellite Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

Install Satellite Server on a freshly provisioned system.

Red Hat does not support using the system for anything other than running Satellite Server.

1.5. Supported Browsers

Satellite supports recent versions of Firefox and Google Chrome browsers.

The Satellite web UI and command-line interface support English, Portuguese, Simplified Chinese Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.6. Ports and Firewalls Requirements

For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology and an illustration of port connections, see Capsule Networking in Satellite Overview, Concepts, and Deployment Considerations.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 1.3. Satellite Server incoming traffic

Destination Port

Protocol

Service

Source

Required For

Description

53

TCP and UDP

DNS

DNS Servers and clients

Name resolution

DNS (optional)

67

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

69

UDP

TFTP

Client

TFTP Server (optional)

 

443

TCP

HTTPS

Capsule

Red Hat Satellite API

Communication from Capsule

443, 80

TCP

HTTPS, HTTP

Client

Global Registration

Registering hosts to Satellite

Port 443 is required for registration initiation, uploading facts, and sending installed packages and traces

Port 80 notifies Satellite on the /unattended/built endpoint that registration has finished

443

TCP

HTTPS

Red Hat Satellite

Content Mirroring

Management

443

TCP

HTTPS

Red Hat Satellite

Capsule API

Smart Proxy functionality

443, 80

TCP

HTTPS, HTTP

Capsule

Content Retrieval

Content

443, 80

TCP

HTTPS, HTTP

Client

Content Retrieval

Content

1883

TCP

MQTT

Client

Pull based REX (optional)

Content hosts for REX job notification (optional)

5646, 5647

TCP

AMQP

Capsule

Katello agent

Forward message to Qpid dispatch router on Satellite (optional)

5910 – 5930

TCP

HTTPS

Browsers

Compute Resource’s virtual console

 

8000

TCP

HTTP

Client

Provisioning templates

Template retrieval for client installers, iPXE or UEFI HTTP Boot

8000

TCP

HTTPS

Client

PXE Boot

Installation

8140

TCP

HTTPS

Client

Puppet agent

Client updates (optional)

9090

TCP

HTTPS

Red Hat Satellite

Capsule API

Smart Proxy functionality

9090

TCP

HTTPS

Client

OpenSCAP

Configure Client (if the OpenSCAP plugin is installed)

9090

TCP

HTTPS

Discovered Node

Discovery

Host discovery and provisioning (if the discovery plugin is installed)

Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.

A DHCP Capsule performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using satellite-installer --foreman-proxy-dhcp-ping-free-ip=false.

Note

Some outgoing traffic returns to Satellite to enable internal communication and security operations.

Table 1.4. Satellite Server outgoing traffic

Destination PortProtocolServiceDestinationRequired ForDescription
 

ICMP

ping

Client

DHCP

Free IP checking (optional)

7

TCP

echo

Client

DHCP

Free IP checking (optional)

22

TCP

SSH

Target host

Remote execution

Run jobs

22, 16514

TCP

SSH SSH/TLS

Compute Resource

Satellite originated communications, for compute resources in libvirt

 

53

TCP and UDP

DNS

DNS Servers on the Internet

DNS Server

Resolve DNS records (optional)

53

TCP and UDP

DNS

DNS Server

Capsule DNS

Validation of DNS conflicts (optional)

53

TCP and UDP

DNS

DNS Server

Orchestration

Validation of DNS conflicts

68

UDP

DHCP

Client

Dynamic IP

DHCP (optional)

80

TCP

HTTP

Remote repository

Content Sync

Remote yum repository

389, 636

TCP

LDAP, LDAPS

External LDAP Server

LDAP

LDAP authentication, necessary only if external authentication is enabled. The port can be customized when LDAPAuthSource is defined

443

TCP

HTTPS

Satellite

Capsule

Capsule

Configuration management

Template retrieval

OpenSCAP

Remote Execution result upload

443

TCP

HTTPS

Amazon EC2, Azure, Google GCE

Compute resources

Virtual machine interactions (query/create/destroy) (optional)

443

TCP

HTTPS

console.redhat.com

Red Hat Cloud plugin API calls

 

443

TCP

HTTPS

cdn.redhat.com

Content Sync

Red Hat CDN

443

TCP

HTTPS

api.access.redhat.com

SOS report

Assisting support cases filed through the Red Hat Customer Portal (optional)

443

TCP

HTTPS

cert-api.access.redhat.com

Telemetry data upload and report

 

443

TCP

HTTPS

Capsule

Content mirroring

Initiation

443

TCP

HTTPS

Infoblox DHCP Server

DHCP management

When using Infoblox for DHCP, management of the DHCP leases (optional)

623

  

Client

Power management

BMC On/Off/Cycle/Status

5000

TCP

HTTPS

OpenStack Compute Resource

Compute resources

Virtual machine interactions (query/create/destroy) (optional)

5646

TCP

AMQP

Satellite Server

Katello agent

Forward message to Qpid dispatch router on Capsule (optional)

5671

  

Qpid

Remote install

Send install command to client

5671

  

Dispatch router (hub)

Remote install

Forward message to dispatch router on Satellite

5671

  

Satellite Server

Remote install for Katello agent

Send install command to client

5671

  

Satellite Server

Remote install for Katello agent

Forward message to dispatch router on Satellite

5900 – 5930

TCP

SSL/TLS

Hypervisor

noVNC console

Launch noVNC console

7911

TCP

DHCP, OMAPI

DHCP Server

DHCP

The DHCP target is configured using --foreman-proxy-dhcp-server and defaults to localhost

ISC and remote_isc use a configurable port that defaults to 7911 and uses OMAPI

8443

TCP

HTTPS

Client

Discovery

Capsule sends reboot command to the discovered host (optional)

9090

TCP

HTTPS

Capsule

Capsule API

Management of Capsules

1.7. Enabling Connections from a Client to Satellite Server

Capsules and Content Hosts that are clients of a Satellite Server’s internal Capsule require access through Satellite’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the system that Satellite is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Ports and Firewalls Requirements.

Procedure

  1. To open the ports for client to Satellite communication, enter the following command on the base operating system that you want to install Satellite on: 

    # firewall-cmd \
--add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" \
--add-port="69/udp" \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="9090/tcp" \
--add-port="8140/tcp"

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent

Verification

  • Enter the following command: 

    # firewall-cmd --list-all

For more information, see Using and Configuring firewalld in Red Hat Enterprise Linux 8 Securing networks.

1.8. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.

Procedure

  1. Ensure that the host name and local host resolve correctly: 

    # ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

    Successful name resolution results in output similar to the following: 

    # ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

  2. To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command: 

    # hostnamectl set-hostname name

For more information, see the Changing a hostname using hostnamectl in the Red Hat Enterprise Linux 8 Configuring and managing networking.

Warning

Name resolution is critical to the operation of Satellite. If Satellite cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.

1.9. Tuning Satellite Server with Predefined Profiles

If your Satellite deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Satellite.

Note that you cannot use tuning profiles on Capsules.

You can choose one of the profiles depending on the number of hosts your Satellite manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the satellite-installer command with the --tuning option, deployment configuration settings are applied to Satellite in the following order:

  1. The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
  2. The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
  3. Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Satellite applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default

Number of managed hosts: 0 – 5000

RAM: 20G

Number of CPU cores: 4

medium

Number of managed hosts: 5001 – 10000

RAM: 32G

Number of CPU cores: 8

large

Number of managed hosts: 10001 – 20000

RAM: 64G

Number of CPU cores: 16

extra-large

Number of managed hosts: 20001 – 60000

RAM: 128G

Number of CPU cores: 32

extra-extra-large

Number of managed hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

  1. Optional: If you have configured the custom-hiera.yaml file on Satellite Server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted: 

    # cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
  2. Optional: If you have configured the custom-hiera.yaml file on Satellite Server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.

  3. Enter the satellite-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command: 

    # satellite-installer --tuning medium