Chapter 3. Installing Satellite Server

There are two methods of installing Satellite Server, connected and disconnected. A connected installation enables you to obtain the packages necessary to install Satellite Server by installing them directly from the Red Hat Content Delivery Network (CDN). A disconnected installation enables you to download an ISO image of the packages from an external computer and copy it to the Satellite Server for installation.

For hosts that have network connectivity, Red Hat recommends installing the packages directly from the CDN. Using ISO images is only recommended for hosts in a disconnected environment because ISO images may not contain the latest updates.

To successfully install Satellite Server, you must have root access.

3.1. Installing Satellite Server from a Connected Network

Installing Satellite Server from a connected network enables you to obtain packages and receive updates directly from the Red Hat Content Delivery Network.

Note that the Satellite 6 installation program is based on Puppet, which means that any manual configuration changes might be overwritten if you run the installation program more than once. To avoid this, use the --noop argument when you run the installation program to determine what changes would be applied. This argument ensures that no actual changes are made. Potential changes are written to /var/log/katello-installer.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the katello-installer logs you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1
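
The Filebucket log entry and the restore command above can be paired up mechanically. The following is an added example, not part of the original guide: a shell function that reads installer log text and prints one restore command per Filebucket entry, assuming every entry has the form shown above. The names filebucket_restore_cmds and sample_log are made up here, and all sample log lines except the first are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): list the restore command for
# every Filebucket entry in an installer log. Commands are printed, not run.

# Constructed sample log; the first line is the entry quoted in this section,
# the others are made up to exercise the parser.
sample_log() {
    cat <<'EOF'
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
/Stage[main]/Dns/File[/etc/named.conf]: content changed (constructed, no Filebucket entry)
/Stage[main]/Dns/File[/etc/named.conf]: Filebucketed /etc/named.conf to puppet with sum 0123456789abcdef0123456789abcdef
/Stage[main]/Demo/File[/etc/demo file.conf]: Filebucketed /etc/demo file.conf to puppet with sum 00112233445566778899aabbccddeeff
/Stage[main]/Demo/File[/etc/demo.conf]: Filebucketed /etc/demo.conf to puppet with sum 1234
EOF
}

# Reads log text on stdin. With an argument, only entries for that exact path
# are reported. Because log text ends up in a command line, the path must be
# absolute and use a conservative character set, and the sum must be 32 hex
# digits (the length of the sum shown above); anything else is reported on
# stderr and skipped.
filebucket_restore_cmds() {
    awk -v want="${1:-}" '
        { sub(/[ \t\r]+$/, "") }
        match($0, /Filebucketed .* to puppet with sum [^ ]+$/) {
            entry = substr($0, RSTART + 13)            # drop "Filebucketed "
            sum = $NF
            # 20 is the length of " to puppet with sum "
            path = substr(entry, 1, length(entry) - length(sum) - 20)
            if (want != "" && path != want) next
            if (path !~ "^/[A-Za-z0-9_./-]+$" || length(sum) != 32 || sum !~ "^[0-9a-f]+$") {
                print "skipped line " NR ": unexpected path or sum" > "/dev/stderr"
                next
            }
            print "puppet filebucket -l restore " path " " sum
        }
    '
}

# Demonstration on the constructed sample.
sample_log | filebucket_restore_cmds
```

On a Satellite host, feed the function the log named in this section, for example filebucket_restore_cmds /etc/dhcp/dhcpd.conf < /var/log/katello-installer.log, and review the printed commands before running any of them.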

3.1.1. Registering to Red Hat Subscription Management

Registering the host to Red Hat Subscription Management enables the host to subscribe to and consume content for any subscriptions available to the user. This includes content such as Red Hat Enterprise Linux, Red Hat Software Collections (RHSCL), and Red Hat Satellite.

Register your system with the Red Hat Content Delivery Network, entering your Customer Portal user name and password when prompted:

# subscription-manager register

The command displays output similar to the following:

# subscription-manager register
Username: user_name
Password:
The system has been registered with ID: 541084ff2-44cab-4eb1-9fa1-7683431bcf9a

3.1.2. Identifying and Attaching the Satellite Subscription to the Host

After you have registered your host, you need to identify and attach an available Satellite subscription. The Satellite subscription provides access to the Satellite content, as well as Red Hat Enterprise Linux, Red Hat Software Collections (RHSCL), and Red Hat Satellite. This is the only subscription required. Every Red Hat subscription is identified by a Pool ID.

  1. Identify your Satellite subscription

    On Red Hat Enterprise Linux 6.7 (or higher) or 7.1 (or higher), you can search all available subscriptions containing the string Red Hat Satellite. On earlier versions of Red Hat Enterprise Linux, you must list all available subscriptions and manually check the output for the appropriate subscription.

    1. On Red Hat Enterprise Linux 6.7 (and higher) or 7.1 (and higher), run the following command:

      # subscription-manager list --available --matches 'Red Hat Satellite'

      This command performs a case-insensitive search of all available subscriptions' fields, including Subscription Name and Provides, matching any instances of Red Hat Satellite. Subscriptions are classified as available if they are not already attached to a system. The search string may also contain the wildcards ? or * to match a single character or zero or more characters, respectively. The wildcard characters may be escaped with a backslash to represent a literal question mark or asterisk. Likewise, to represent a backslash, it must be escaped with another backslash.

      If you are unable to find an available Satellite subscription, see the Red Hat Knowledgebase solution How do I figure out which subscriptions have been consumed by clients registered under Red Hat Subscription Manager? to run a script to allow you to see if your subscription is being consumed by another system.

    2. On other versions of Red Hat Enterprise Linux, run the following command:

      # subscription-manager list --all --available

      If the output is too long, pipe it into a pager utility, such as less or more, so that you can look over the output one screenful at a time.

    3. Regardless of which form of the subscription-manager command is run, the output should be similar to the following:

      Subscription Name: Red Hat Satellite
      Provides:          Red Hat Satellite 6
                         Red Hat Enterprise Linux Server
                         Red Hat Satellite
                         Red Hat Enterprise Linux Load Balancer (for RHEL Server)
      SKU:               MCT0370
      Pool ID:           8a85f9874152663c0541943739717d11
      Available:         3
      Suggested:         1
      Service Level:     Premium
      Service Type:      L1-L3
      Multi-Entitlement: No
      Ends:              10/07/2014
      System Type:       Physical
  2. Make a note of the Pool ID so that you can attach it to your Satellite host. Your Pool ID will be different than the example provided.
  3. To attach your subscription to your Satellite Server, run the following command, using your Pool ID:

    # subscription-manager attach --pool=pool_id

    The output should be similar to the following:

    Successfully attached a subscription for: Red Hat Satellite
  4. To verify that the subscriptions are successfully attached, run the following command:

    # subscription-manager list --consumed

    The output displays something similar to the following:

    +-------------------------------------------+
       Consumed Subscriptions
    +-------------------------------------------+
    Subscription Name: Red Hat Satellite
    Provides:          Red Hat Satellite
                       Red Hat Enterprise Linux Server
                       Red Hat Software Collections (for RHEL Server)
                       Red Hat Satellite
                       Red Hat Satellite 6
                       Red Hat Software Collections  (for RHEL Server)
                       Red Hat Satellite Capsule
                       Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                       Red Hat Satellite with Embedded Oracle
                       Red Hat Satellite Capsule
                       Red Hat Enterprise Linux High Availability (for RHEL Server)
    SKU:               MCT0370
    Contract:          10293569
    Account:           5361051
    Serial:            1653856191250699363
    Pool ID:           8a85f9874152663c0541943739717d11
    Active:            True
    Quantity Used:     1
    Service Level:     Premium
    Service Type:      L1-L3
    Status Details:
    Starts:            10/08/2013
    Ends:              10/07/2014
    System Type:       Physical
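
Steps 1 and 2 of this procedure, as an added example that is not part of the original guide: a shell function that does the manual check of the subscription-manager listing and prints the Pool ID of each Satellite subscription that can still be attached. The names satellite_pools and sample_list are made up here, the second and third sample records are constructed, and the value Unlimited for the Available field is an assumption about the tool's output.

```shell
#!/bin/sh
# Added example (not from the original guide): find attachable Satellite
# pools in "subscription-manager list --available" output.

# Constructed sample. The first record is the output shown in this section;
# the second and third records are made up to exercise the filter.
sample_list() {
    cat <<'EOF'
Subscription Name: Red Hat Satellite
Provides:          Red Hat Satellite 6
                   Red Hat Enterprise Linux Server
                   Red Hat Satellite
                   Red Hat Enterprise Linux Load Balancer (for RHEL Server)
SKU:               MCT0370
Pool ID:           8a85f9874152663c0541943739717d11
Available:         3
Suggested:         1
Service Level:     Premium
Service Type:      L1-L3
Multi-Entitlement: No
Ends:              10/07/2014
System Type:       Physical

Subscription Name: Constructed Example Subscription
Provides:          Red Hat Enterprise Linux Server
SKU:               EXAMPLE01
Pool ID:           00000000000000000000000000000001
Available:         10

Subscription Name: Red Hat Satellite
Provides:          Red Hat Satellite 6
SKU:               MCT0370
Pool ID:           00000000000000000000000000000002
Available:         0
EOF
}

# Reads the listing on stdin and prints "pool_id<TAB>available<TAB>name" for
# every record that mentions Red Hat Satellite in Subscription Name or
# Provides (case-insensitive) and still has subscriptions available.
# "Unlimited" as an Available value is an assumption, see the lead-in.
satellite_pools() {
    awk '
        function emit() {
            if (pool ~ "^[0-9A-Za-z]+$" &&
                tolower(name " " provides) ~ /red hat satellite/ &&
                (avail == "Unlimited" || avail + 0 > 0))
                print pool "\t" avail "\t" name
            name = provides = pool = avail = ""
        }
        # A blank line ends a record.
        /^[ \t\r]*$/ { emit(); key = ""; next }
        # "Key: value" line; a new Subscription Name also ends the previous record.
        /^[^ \t][^:]*:/ {
            key = substr($0, 1, index($0, ":") - 1)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "Subscription Name") { emit(); name = val }
            else if (key == "Provides") provides = val
            else if (key == "Pool ID") pool = val
            else if (key == "Available") avail = val
            next
        }
        # Indented continuation lines belong to the Provides list.
        key == "Provides" {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            provides = provides " " line
        }
        END { emit() }
    '
}

# Demonstration on the constructed sample.
sample_list | satellite_pools
```

On a registered host, pipe the real listing into the function (subscription-manager list --all --available | satellite_pools) and pass the chosen Pool ID to subscription-manager attach --pool.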

3.1.3. Configuring Repositories

  1. Disable all existing repositories.

    # subscription-manager repos --disable "*"
  2. Enable the Red Hat Satellite, Red Hat Enterprise Linux, and Red Hat Software Collections repositories.

    Ensure the Red Hat Enterprise Linux repository matches the specific version you are using.

    1. If you are using Red Hat Enterprise Linux 6, run this command.

      # subscription-manager repos --enable=rhel-6-server-rpms \
      --enable=rhel-server-rhscl-6-rpms \
      --enable=rhel-6-server-satellite-6.2-rpms
    2. If you are using Red Hat Enterprise Linux 7, run this command.

      # subscription-manager repos --enable=rhel-7-server-rpms \
      --enable=rhel-server-rhscl-7-rpms \
      --enable=rhel-7-server-satellite-6.2-rpms
      Note

      If you are installing Red Hat Satellite as a virtual machine hosted on Red Hat Virtualization (RHV), you also need to enable the Red Hat Common repository, and install RHV guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide.

  3. Ensure that Red Hat Subscription Manager is not set to use a specific operating system release.

    # subscription-manager release --unset
  4. Clear out any metadata left from any non-Red Hat yum repositories.

    # yum clean all
  5. Verify that the repositories have been enabled.

    # yum repolist enabled

    The following output displays:

    Loaded plugins: product-id, subscription-manager
    repo id                                        repo name                                                                   status
    !rhel-7-server-rpms/x86_64                     Red Hat Enterprise Linux 7 Server (RPMs)                                    9,889
    !rhel-7-server-satellite-6.2-rpms/x86_64    Red Hat Satellite 6.2 (for RHEL 7 Server) (RPMs)                         545
    !rhel-server-rhscl-7-rpms/x86_64               Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server     4,279
    repolist: 14,713

3.1.4. Installing the Satellite Server Packages

You must update all packages before installing the Satellite Server packages. After installation, you must perform the initial configuration of Satellite Server, including configuring server certificates, setting your user name, password, and the default organization and location.

  1. Update all packages.

    # yum update
  2. Install the installation package.

    # yum install satellite
  3. Go to Section 3.3, “Performing the Initial Configuration” to run the installer program and perform the initial configuration of your Satellite Server.

3.2. Downloading and Installing from a Disconnected Network

When the intended host for the Red Hat Satellite Server is in a disconnected environment, it is possible to install the Satellite Server by using an ISO image. This method is not recommended for any other situation as ISO images might not contain the latest updates, bug fixes, and functionality.

Note

If the base system has not been updated from the Red Hat CDN, package dependency errors are possible. The latest version of the required packages will have to be downloaded and installed manually. See Section 3.2.4, “Downloading Packages Manually” for more information.

Before You Begin

  • A copy of the repositories used in the installation is stored in the /opt/ directory. Ensure you have a minimum of 2GB of space for this file system and directory.

3.2.1. Downloading the Binary DVD Images

  1. Go to Red Hat Customer Portal and log in.
  2. Click DOWNLOADS.
  3. Select Red Hat Enterprise Linux.
  4. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Enterprise Linux Server.
    • Version is set to the latest minor version of the product you plan to use as the base system.
    • Architecture is set to the 64 bit version.
  5. On the Product Software tab, download the Binary DVD image for the latest Red Hat Enterprise Linux Server version.
  6. Click DOWNLOADS and select Red Hat Satellite.
  7. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Satellite.
    • Version is set to the latest minor version of the product you plan to use as the base system.
    • Architecture is set to the 64 bit version.
  8. On the Product Software tab, download the Binary DVD image for the latest Red Hat Satellite version.
  9. Copy the ISO files to the Satellite base system or other accessible storage device.

    # scp localfile username@hostname:remotefile

3.2.2. Configuring the Base System with Offline Repositories

  1. Create a directory to serve as the mount point for the ISO file corresponding to the base system’s version.

    # mkdir /media/rhelX-server

    Where X is the major version of Red Hat Enterprise Linux you are using.

  2. Mount the ISO image for Red Hat Enterprise Linux to the mount point.

    # mount -o loop rhelX-Server-DVD.iso /media/rhelX-server

    The following example shows mounting the ISO using Red Hat Enterprise Linux 7.2:

    # mount -o loop RHEL-7.2-20151030.0-Server-x86_64-dvd1.iso \
    /media/rhel7-server
    mount: /dev/loop0 is write-protected, mounting read-only
  3. Copy the ISO file’s repository data file.

    # cp /media/rhelX-server/media.repo /etc/yum.repos.d/rhelX-server.repo
  4. Edit the repository data file and add the baseurl directive.

    baseurl=file:///media/rhelX-server/

    The following example shows the repository data file using Red Hat Enterprise Linux 7.2:

    # vi /etc/yum.repos.d/rhel7-server.repo
    [InstallMedia]
    name=Red Hat Enterprise Linux 7.2
    mediaid=1446216863.790260
    metadata_expire=-1
    gpgcheck=0
    cost=500
    baseurl=file:///media/rhel7-server/
    enabled=1
  5. Verify that the repository has been configured.

    # yum repolist
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    repo id          repo name                       status
    InstallMedia     Red Hat Enterprise Linux 7.2    4,620
  6. Create a directory to serve as the mount point for the ISO file of the Satellite Server.

    # mkdir /media/sat6
  7. Mount the ISO image for Red Hat Satellite Server to the mount point.

    # mount -o loop sat6-DVD.iso /media/sat6

    The following example shows mounting the ISO using Red Hat Satellite 6.2.1 for Red Hat Enterprise Linux 7:

    # mount -o loop satellite-6.2.1-rhel-7-x86_64-dvd.iso /media/sat6
    mount: /dev/loop1 is write-protected, mounting read-only
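
The repository data file in step 4 sets gpgcheck=0, so yum does not verify package signatures for the InstallMedia repository. The following is an added example, not part of the original guide: a shell check that reports, for each repository section, whether it is enabled and whether signature checking is on, so that such sections are easy to spot. The function names are made up here and the [example-signed] section is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): report which yum repository
# sections have package signature checking switched off.

# Constructed sample: the [InstallMedia] section is the file shown in step 4;
# [example-signed] is made up for contrast.
sample_repo() {
    cat <<'EOF'
[InstallMedia]
name=Red Hat Enterprise Linux 7.2
mediaid=1446216863.790260
metadata_expire=-1
gpgcheck=0
cost=500
baseurl=file:///media/rhel7-server/
enabled=1

# constructed section
[example-signed]
name = Constructed example repository
baseurl = file:///media/example/
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Reads .repo text on stdin; prints "id<TAB>enabled<TAB>gpgcheck<TAB>baseurl"
# per section. A missing "enabled" means enabled; a missing "gpgcheck" is
# shown as "inherit" because yum then uses the [main] value from yum.conf.
repo_gpg_report() {
    awk '
        function bool(v) {
            v = tolower(v)
            return (v == "0" || v == "no" || v == "false") ? "off" : "on"
        }
        function emit() {
            if (id != "") print id "\t" enabled "\t" gpg "\t" url
        }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[[^]]+\]/ {                        # [section] header
            emit()
            id = $0
            sub(/^[ \t]*\[/, "", id)
            sub(/\].*$/, "", id)
            enabled = "on"; gpg = "inherit"; url = "-"
            next
        }
        id != "" && index($0, "=") {                # key=value inside a section
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "enabled") enabled = bool(val)
            else if (key == "gpgcheck") gpg = bool(val)
            else if (key == "baseurl") url = val
        }
        END { emit() }
    '
}

# IDs of enabled sections whose packages are installed without a signature check.
repos_without_gpgcheck() {
    repo_gpg_report | awk -F '\t' '$2 == "on" && $3 == "off" { print $1 }'
}

# Demonstration on the constructed sample.
sample_repo | repo_gpg_report
```

On the base system, run it over the configured files with cat /etc/yum.repos.d/*.repo | repos_without_gpgcheck.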

3.2.3. Installing from the Offline Repositories

  1. Import the Red Hat GPG keys.

    # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  2. Ensure the base system is up to date with the Binary DVD image.

    # yum update
  3. Change to the directory where the Satellite ISO is mounted.

    # cd /media/sat6/
  4. Run the installer script in the mounted directory.

    # ./install_packages
    	This script will install the foreman packages on the current machine.
       - Ensuring we are in an expected directory.
       - Copying installation files.
       - Creating a Repository File
       - Creating RHSCL Repository File
       - Checking to see if Foreman is already installed.
       - Importing the gpg key.
       - Foreman is not yet installed, installing it.
       - Installation repository will remain configured for future package installs.
       - Installation media can now be safely unmounted.
    
    Install is complete. Please run satellite-installer.

    If the script fails due to missing or outdated packages, you will need to download and install these separately. See Section 3.2.4, “Downloading Packages Manually” for instructions.

    If the script fails due to installed packages being newer than those required, enter yum distribution-synchronization to downgrade the installed packages to the versions that came from the Red Hat Enterprise Linux ISO, then run the installation script again. This should only occur if you have repositories configured whose source is not the Red Hat Enterprise Linux ISO. Use of such repositories is an unsupported configuration.

  5. For a self-registered Satellite, disable the ISO based repositories to avoid conflicts with repositories provided by Satellite Server.

    1. Install yum-config-manager:

      # yum install yum-utils
    2. Disable the ISO based repositories:

      # yum-config-manager --disable InstallMedia --disable satellite-local --disable scl-local --disable satellite-puppet4
    3. Confirm yum repositories are disabled:

      # yum repolist

3.2.4. Downloading Packages Manually

If required to download a package manually, proceed as follows:

  1. Go to Red Hat Customer Portal and log in.
  2. Click DOWNLOADS.
  3. Select Red Hat Satellite.
  4. Ensure that you have the correct product and version for your environment.

    • Product Variant is set to Red Hat Satellite.
    • Version is set to the latest minor version of the product you are using as the base system.
    • Architecture is set to the 64 bit version.
  5. On the Packages tab, enter the name of the package required in the Search box.
  6. Click Download Latest next to the package required.

3.3. Performing the Initial Configuration

As part of the initial configuration, you can configure a custom server certificate and either manually configure Satellite or automatically configure Satellite using an answer file.

  • Manual Configuration - Satellite Server has default initial configuration options that prepare the server for use. You can override these settings depending on your environment’s requirements. You can run the command as often as needed to configure any necessary options.
  • Automatic Configuration - You can automate most of the installation and configuration by using an answer file.
Note

Depending on the options that you use when running the Satellite installer, the configuration can take several minutes to complete.

Before you continue, consider which manifests or packages are relevant for your environment. See the Content Management Guide for more information.

3.3.1. Synchronizing Time

You must start and enable a time synchronizer on the host operating system to minimize the effects of time drift. If a system’s time is incorrect, certificate verification can fail.

Two time synchronizers are available: NTP and chrony. Each of these has its advantages. chrony is recommended for systems that are frequently suspended and for systems, such as mobile and virtual systems, that intermittently disconnect from networks and then reestablish network connection. NTP is recommended for systems that are expected to remain in running states and that are expected to be connected to a network without interruption.

For more information on the differences between NTP and chrony, see Differences Between ntpd and chronyd in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Synchronizing Time by Using NTP

  1. Install ntp.

    # yum install ntp
  2. Verify that your NTP server is available.

    # ntpdate -q ntp_server_address
  3. Set the system time.

    # ntpdate ntp_server_address
  4. Start and enable the ntpd service.

    # service ntpd start
    # chkconfig ntpd on

Synchronizing Time by Using chronyd

  1. Install chrony.

    # yum install chrony
  2. Start and enable the chronyd service.

    # systemctl start chronyd
    # systemctl enable chronyd

3.3.2. Installing the SOS Package on the Host Operating System

You should install the sos package on the host operating system. The sos package enables you to collect configuration and diagnostic information from a Red Hat Enterprise Linux system. You can also use it to provide the initial system analysis, which is required when opening a service request with Red Hat Technical Support. For more information on using sos, see the Knowledgebase solution What is a sosreport and how to create one in Red Hat Enterprise Linux 4.6 and later? on the Red Hat Customer Portal.

Install the sos package.

# yum install sos

3.3.3. Performing the Initial Configuration Manually

The initial configuration creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, consider using a utility such as screen that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. The Red Hat Knowledgebase article How to use the screen command describes installing screen; alternatively, see the screen manual page for more information. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/satellite.log to determine if the process completed successfully.

Manually configuring Satellite Server

Use the satellite-installer --scenario satellite --help command to display the available options and any default values. If you do not specify any values, the default values are used.

It is recommended to specify a meaningful value for the option: --foreman-initial-organization. This may be your company name. An internal label that matches the value is also created and cannot be changed later on. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.

By default, all configuration files configured by the installer are managed by Puppet. When satellite-installer is rerun, any manual changes to the Puppet managed files will be overwritten with the initial values. If you want to be able to manage the DNS files and DHCP files manually, use the --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false options so that the files related to the respective services will not be managed by Puppet. For more information on how to apply custom configuration on other services, see Appendix C, Applying Custom Configuration to Red Hat Satellite.

# satellite-installer --scenario satellite \
--foreman-initial-organization "initial_organization_name" \
--foreman-initial-location "initial_location_name" \
--foreman-admin-username admin-username \
--foreman-admin-password admin-password \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dhcp-managed=false

When the script completes successfully, the following output is displayed:

Installing             Done
   [100%] [........................................]
   Success!
   * Satellite is running at https://satellite.example.com
       Default credentials are 'admin / changeme'
   * Capsule is running at https://satellite.example.com:9090
   * To install additional capsule on separate machine continue by running:

   capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

   The full log is at /var/log/foreman-installer/satellite.log

If you have been installing in a disconnected environment, unmount the ISO images.

# umount /media/sat6
# umount /media/rhel7-server

3.3.4. Configuring Red Hat Satellite with an Answer File

You can use answer files to automate installations with customized options. The initial answer file is sparsely populated and after you run satellite-installer the first time, the answer file is populated with the standard parameter values for installation.

You should use the FQDN instead of the IP address where possible in case of network changes.

  1. Copy the default answer file /etc/foreman-installer/scenarios.d/satellite-answers.yaml to a location on your local file system.

    # cp /etc/foreman-installer/scenarios.d/satellite-answers.yaml \
    /etc/foreman-installer/scenarios.d/my-answer-file.yaml
  2. To view all of the configurable options, run the satellite-installer --scenario satellite --help command.
  3. Open your copy of the answer file, edit the values to suit your environment, and save the file.
  4. Open the /etc/foreman-installer/scenarios.d/satellite.yaml file and edit the answer file entry to point to your custom answer file.

    :answer_file: /etc/foreman-installer/scenarios.d/my-answer-file.yaml
  5. Run the satellite-installer command.

    # satellite-installer --scenario satellite
  6. If you have been installing in a disconnected environment, unmount the ISO images.

    # umount /media/sat6
    # umount /media/rhel7-server

3.4. Creating and Installing Manifests

The Customer Portal page for Satellite Server provides the ability to collect a group of subscriptions and attach them to the Satellite for distribution to managed systems. To do that, create a Subscription Manifest for your Satellite Server.

Creating a Manifest

  1. Navigate to the Red Hat Customer Portal and log in.
  2. Click Subscriptions.
  3. In the Red Hat Subscription Management section, click Satellite Organizations.

    Note

    You cannot create a new Subscription Manifest if you have no active subscriptions. This can be a Red Hat Enterprise Linux subscription. If you do not have the correct subscription, the Create a Satellite button will be greyed out.

  4. On the Subscription Management Applications page, select the Satellite tab.
  5. Click Create a Satellite.
  6. In the Name field, type the host name of the Satellite Server.
  7. Select Satellite 6.2 as the version and click Create.
  8. Click Attach a subscription.
  9. Select the check box for each subscription that you want to attach and specify the number of subscriptions.
  10. Click Attach Selected.

    It can take several minutes for all the subscriptions to attach.

  11. Click Download Manifest and save the manifest file to a known location.

Uploading a Manifest to Your Satellite Server

Both the Red Hat Satellite 6 Web UI and CLI provide methods for importing the manifest.

Uploading a Manifest Using the Web UI

  1. Verify that you are in the correct Organization.
  2. Click Content > Red Hat Subscriptions.
  3. Click Manage Manifest to open the Subscriptions page.
  4. Click Choose File, select the manifest file you created, and click Open.
  5. Click Upload to upload the manifest to the Satellite Server.

Uploading a Manifest Using Hammer CLI

  1. Upload a manifest to Satellite Server.

    # hammer subscription upload --organization-label org_label \
    --file path_to_manifest

When you have completed this section, you can enable repositories and import Red Hat content. This is a prerequisite for some of the following procedures. See Importing Red Hat Content in the Red Hat Satellite Content Management Guide for more information.

3.5. Performing Additional Configuration

3.5.1. Configuring a Self-Registered Satellite

A Red Hat Satellite Server is normally registered to the Red Hat Customer Portal, then activated as a Satellite Server and gets new content from the Red Hat Content Delivery Network (CDN). A self-registered Red Hat Satellite Server is registered to itself rather than the Red Hat Customer Portal. The following items are some highlights and limitations of the feature:

  • You can subscribe Satellite Server to Content Views and manage updates to the Satellite Server as other managed hosts. A common scenario is applying base operating system updates to all managed Red Hat Enterprise Linux hosts, including the Satellite Server. For example, you can create a Composite Content View including a Red Hat Enterprise Linux 7 Content View and a Satellite 6 Content View and apply it to the Satellite. The Satellite Server Content Views should only contain the required repositories listed in the following procedure. Allowing Satellite Server access to non-required repositories can create potential issues.
  • Though a self-registered Satellite allows you to update the Satellite Server through the web UI, you will still need to run satellite-installer to upgrade it for y-stream releases (for example, Satellite 6.1 to Satellite 6.2) and z-stream releases (for example, Satellite 6.2.7 to Satellite 6.2.8). For more information on upgrading a self-registered Satellite Server, see Section 6.8, “Upgrading a Self-Registered Satellite Server”. For more information on updating a self-registered Satellite for z-stream releases, see Chapter 7, Updating Satellite Server, Capsule Server, and Content Hosts.
  • If you have a single self-registered Satellite Server, you should always make a full backup before doing an upgrade to untested packages. Upgrading a self-registered Satellite cannot be tested by using life-cycle environments.
  • Not all Puppet modules are supported by a self-registered Satellite. When applying Puppet modules to a self-registered Satellite, ensure that they will not create an unsupported configuration.

Registering a Satellite to Itself

Before a self-registered Satellite can be configured to get updates from itself, the Satellite subscription must be added to the Satellite’s manifest. When the subscription is in the manifest, the appropriate Satellite repositories can be synchronized into the Satellite.

To Register a Satellite to Itself:

  1. If the Satellite is already registered to the Red Hat Customer Portal, unregister the Satellite from the Red Hat Customer Portal using the following commands:

    # subscription-manager remove --all
    # subscription-manager unregister
  2. The Satellite subscription on the Red Hat Customer Portal is now available and can be transferred into the Satellite’s manifest. For further information on manifests see Managing Subscriptions in the Content Management Guide.

    1. Navigate to https://access.redhat.com and click SUBSCRIPTIONS on the main menu at the top of the page.
    2. Scroll down to the Red Hat Subscription Management section, and click Satellite under Subscription Management Applications.
    3. Select the required Satellite Server by clicking its host name in the table.
    4. Click Attach a subscription and select subscriptions you want to attach. Specify the quantity for each subscription, and click the button Attach Selected.
  3. Refresh the manifest on the Satellite Server:

    1. Log in to the Satellite server.
    2. Ensure that the correct organization is selected.
    3. Click Content > Red Hat Subscriptions and then click Manage Manifest at the upper right of the page.
    4. In the Subscription Manifest section, click Actions and under the Subscription Manifest subsection, click Refresh Manifest.
  4. Enable Red Hat repositories using the Satellite web UI or with the command-line interface:

    • Using the Satellite web UI:

      1. Click Content > Red Hat Repositories.
      2. Navigate to the required repositories. Click each repository set from which you want to select repositories and select the check box for each required repository. The repository is automatically enabled.

        • For Red Hat Enterprise Linux 6 the repositories that need to be enabled are:

          • Red Hat Enterprise Linux 6 Server RPMs x86_64 6Server
          • Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 Server RPMs x86_64
          • Red Hat Software Collections RPMs for Red Hat Enterprise Linux 6 Server x86_64 6Server
          • Red Hat Enterprise Linux 6 Server - Satellite Tools 6.2 RPMs x86_64 Repository
        • For Red Hat Enterprise Linux 7 the repositories that need to be enabled are:

          • Red Hat Enterprise Linux 7 Server RPMs x86_64 7Server
          • Red Hat Satellite 6.2 for Red Hat Enterprise Linux 7 Server RPMs x86_64
          • Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_64 7Server
          • Red Hat Satellite Tools 6.2 for Red Hat Enterprise Linux 7 Server RPMs x86_64
    • Using the Subscription Manager CLI Tool:

      You can enable the repositories required for the Satellite Server by using the following command:

      • For Red Hat Enterprise Linux 6:

        # subscription-manager repos --enable=rhel-6-server-satellite-6.2-rpms \
        --enable=rhel-6-server-satellite-tools-6.2-rpms \
        --enable=rhel-6-server-rpms \
        --enable=rhel-server-rhscl-6-rpms
      • For Red Hat Enterprise Linux 7:

        # subscription-manager repos --enable=rhel-7-server-satellite-6.2-rpms \
        --enable=rhel-7-server-satellite-tools-6.2-rpms \
        --enable=rhel-7-server-rpms \
        --enable=rhel-server-rhscl-7-rpms
  5. Synchronize the Satellite Server:

    1. Navigate to Content > Sync Status. Based on the subscriptions and repositories enabled, the list of product repositories available for synchronization is displayed.
    2. Click the arrow next to the product name to see available content.
    3. Select the content you want to synchronize.
    4. Click Synchronize Now to start synchronizing. The status of the synchronization process will appear in the Result column. If synchronization is successful, Sync complete will appear in the Result column. If synchronization failed, Error syncing will appear.

      Note

      Content synchronization can take a long time. The length of time required depends on the speed of disk drives, network connection speed, and the amount of content selected for synchronization.

  6. Optionally, create a Content View to represent the Satellite Server. This will allow the Satellite to follow the same life cycle management procedures as the rest of the content on the server. For more information on Content Views see Using Content Views in the Red Hat Satellite Host Configuration Guide.

    1. To create a Content View:

      1. Log into the web UI as a Satellite administrator.
      2. Click Content > Content Views.
      3. Click Create New View.
      4. Specify the Name of the Content View. The Label field is automatically populated when the Name field is filled out. Optionally, provide a description of the Content View.
      5. Click Save.
    2. Edit the Content View to add the Red Hat Enterprise Linux server and Satellite repositories:

      1. Click Content > Content Views and choose the Content View to add repositories to.
      2. Click Yum Content and select Repositories from the drop-down menu. From the submenu, click Add.
      3. Select the required repositories to add and click Add Repositories. The required repositories for a self-registered Satellite are all the repositories for the Satellite itself, any supporting repositories and the repository for the Base OS. The repositories required for a self-registered Satellite are listed in Step 4 of this procedure.
  7. Download and install the required certificates by running:

    # rpm -Uvh /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm
  8. Register the Satellite Server, and attach the appropriate entitlements. When registering the Satellite Server, you must specify the organization to which the server belongs, and the life cycle environment. To confirm the available organizations and life cycle environments, in the Satellite web UI navigate to Hosts > New host and select the drop-down list for these values.

    # subscription-manager register --org=organization \
    --environment=environment

    Example

    # subscription-manager register --org=ExampleCompany \
    --environment=Library

    You will be prompted for your Red Hat Satellite user name and password. The Satellite Server administrator can configure new users. See Users and Roles in the Red Hat Satellite Server Administration Guide for more information.

  9. Find the pool IDs for the Satellite and for Red Hat Enterprise Linux by running the following command:

    # subscription-manager list --available
  10. Attach the entitlements by running the following command:

    # subscription-manager attach --pool Red_Hat_Satellite_Pool_ID \
    --pool Red_Hat_Enterprise_Linux_ID

    A content host has now been created for the Satellite Server inside of the Satellite Server.

  11. Install the Katello Agent package to allow errata management and package installation through the Satellite web UI. The katello-agent package depends on the gofer package that provides the goferd service. The goferd service must be running so that the Red Hat Satellite Server or Capsule Server can provide information about errata that are applicable for content hosts.

    To install the katello-agent run the following command:

    # yum install katello-agent
  12. Ensure goferd is running:

    • On Red Hat Enterprise Linux 6, run the following command:

      # service goferd start
    • On Red Hat Enterprise Linux 7, run the following command:

      # systemctl start goferd

3.5.2. Installing the Satellite Tools Repository

The Satellite Tools repository provides the katello-agent and puppet packages for clients registered to Satellite Server. Installing the katello agent is recommended to allow remote updates of clients. The base system of a self-registered Satellite Server or of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.

To Install the Satellite Tools Repository:

  1. In the Satellite web UI, go to Content > Red Hat Repositories and select the RPMs tab.
  2. Find and expand the Red Hat Enterprise Linux Server item.
  3. Find and expand the Red Hat Satellite Tools 6.2 (for Red Hat Enterprise Linux VERSION Server) (RPMs) item.

    If the Red Hat Satellite Tools 6.2 items are not visible, it may be because they are not included in the Subscription Manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Subscription Manifest and import it into Satellite.

  4. Select the Enabled check box next to the Satellite 6.2 Tools repository’s name.

Enable the Satellite Tools repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

To Synchronize the Satellite Tools Repository:

  1. Go to Content > Sync Status.

    A list of product repositories available for synchronization is displayed.

  2. Click the arrow next to the product content to view available content.
  3. Select the content you want to synchronize.
  4. Click Synchronize Now.

3.5.3. Configuring Satellite Server with HTTP Proxy

If your network uses an HTTP Proxy, you can configure Satellite Server to use it. Use the FQDN instead of the IP address where possible in case of network changes.

  1. Verify that the http_proxy, https_proxy, and no_proxy variables are not set.

    # export http_proxy=""
    # export https_proxy=$http_proxy
    # export no_proxy=$http_proxy
  2. Run satellite-installer with the HTTP proxy options.

    # satellite-installer --scenario satellite \
    --katello-proxy-url=http://myproxy.example.com \
    --katello-proxy-port=8080 \
    --katello-proxy-username=proxy_username \
    --katello-proxy-password=proxy_password
  3. Verify that Satellite Server can connect to the Red Hat Content Delivery Network (CDN) and can synchronize its repositories.

    1. On the network gateway and the HTTP Proxy, enable TCP for the following host names:

      Host name                                               Port  Protocol
      subscription.rhsm.redhat.com                            443   HTTPS
      cdn.redhat.com                                          443   HTTPS
      *.akamaiedge.net                                        443   HTTPS
      cert-api.access.redhat.com (if using Red Hat Insights)  443   HTTPS
      api.access.redhat.com (if using Red Hat Insights)       443   HTTPS

      For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

    2. On Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf file:

      # an http proxy server to use (enter server FQDN)
      proxy_hostname = http_proxy.example.com
      
      # port for http proxy server
      proxy_port = 3128
      
      # user name for authenticating to an http proxy, if needed
      proxy_user =
      
      # password for basic http proxy auth, if needed
      proxy_password =
Note

SELinux restricts Red Hat Satellite 6 and Red Hat Subscription Manager to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 - 10010.

To list the ports permitted by SELinux for the HTTP cache, use a command as follows:

# semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

To configure SELinux to permit a port for the HTTP cache, for example 8088, use a command as follows:

# semanage port -a -t http_cache_port_t -p tcp 8088

For more information on SELinux port settings, see Section 2.10, “Changing Default SELinux ports”.

3.5.4. Enabling Power Management on Managed Hosts

When you enable the baseboard management controller (BMC) module on Satellite Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.

The BMC service enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).

For more information on the BMC service, see Configuring an Additional Network Interface in Managing Hosts.

Before You Begin

  • All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.

Enable Power Management on Managed Hosts

  1. Run the installer with the options to enable BMC.

    # satellite-installer --foreman-proxy-bmc "true" \
    --foreman-proxy-bmc-default-provider "freeipmi"

3.5.5. Configuring DNS, DHCP, and TFTP on Satellite Server

You can configure DNS, DHCP, and TFTP on Satellite Server.

If you want to configure external services, see Chapter 5, Configuring External Services for more information.

If you want to disable these services in Satellite in order to manage them manually, see Section 3.5.6, “Disabling DNS, DHCP, and TFTP for Unmanaged Networks” for more information.

To view a complete list of configurable options, run the satellite-installer --scenario satellite --help command.

Before You Begin

  • Contact your network administrator to ensure that you have the correct settings.
  • You should have the following information available:

    • DHCP IP address ranges
    • DHCP gateway IP address
    • DHCP nameserver IP address
    • DNS information
    • TFTP server name
  • Use the FQDN instead of the IP address where possible in case of network changes.
Note

The information in the task is an example. You should use the information relevant to your own environment.

Configure DNS, DHCP, and TFTP on Satellite Server

  1. Run satellite-installer with the options appropriate for your environment.

    # satellite-installer --scenario satellite \
    --foreman-proxy-dns true \
    --foreman-proxy-dns-interface eth0 \
    --foreman-proxy-dns-zone example.com \
    --foreman-proxy-dns-forwarders 172.17.13.1 \
    --foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \
    --foreman-proxy-dhcp true \
    --foreman-proxy-dhcp-interface eth0 \
    --foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \
    --foreman-proxy-dhcp-gateway 172.17.13.1 \
    --foreman-proxy-dhcp-nameservers 172.17.13.2 \
    --foreman-proxy-tftp true \
    --foreman-proxy-tftp-servername $(hostname)

    The status of the installation is displayed. You can view the user name and password in the command output. You can also retrieve the information from the admin_password parameter in the /etc/foreman-installer/scenarios.d/satellite-answers.yaml file.

    Success!
      * Satellite is running at https://satellite.example.com
          Default credentials are 'admin:*******'
      * Capsule is running at https://satellite.example.com:9090
      * To install additional capsule on separate machine continue by running:"
    
          capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
    
      The full log is at /var/log/foreman-installer/satellite.log
Note

Any changes to the settings require running satellite-installer again. You can run the script multiple times and it updates all configuration files with the changed values.

3.5.6. Disabling DNS, DHCP, and TFTP for Unmanaged Networks

Satellite 6 provides full management capabilities for TFTP, DHCP, and DNS network services running on Satellite’s internal or external Capsules. If you want to manage those services manually or use some external method, then Satellite 6 cannot directly integrate with them. While it is possible to develop custom integration scripts via Foreman Hooks (such as creating DNS records after a new host is created), this integration, also known as orchestration, must be disabled in order to prevent DHCP and DNS validation errors.

  1. Go to Infrastructure > Subnets and select a subnet.
  2. On the Capsules tab, ensure that there is no DHCP Capsule or TFTP Capsule associated by setting the drop-down list to None.
  3. Disable forward record orchestration.

    1. Go to Infrastructure > Domains and select a domain.
    2. On the Domain tab, set the DNS Capsule drop-down list to None.
  4. Disable reverse (PTR) record orchestration.

    1. Go to Infrastructure > Subnets and select a subnet.
    2. On the Capsules tab, set the Reverse DNS Capsule drop-down list to None.
Note

Satellite 6 does not perform orchestration when a Capsule is not set for a given subnet and domain. When enabling or disabling Capsule associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Capsule in order to turn orchestration on, make sure the required DHCP and DNS records as well as the TFTP files are in place for existing Satellite 6 managed hosts in order to prevent host deletion failures in the future.

3.5.7. Configuring Satellite Server for Outgoing Emails

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

  1. Edit the configuration file /etc/foreman/email.yaml to match your preferred delivery method.

    The following example shows the contents of the configuration file for using an SMTP server:

    production:
       delivery_method: :smtp
       smtp_settings:
          address: smtp.example.com
          port: 25
          domain: example.com
          authentication: :login
          user_name: satellite@example.com
          password: satellite

    Where the user_name and password directives specify the login credentials for the SMTP server. The default /etc/foreman/email.yaml contains authentication: :none.

    The following example uses gmail.com as an SMTP server:

    production:
       delivery_method: :smtp
       smtp_settings:
          enable_starttls_auto: true
          address: smtp.gmail.com
          port: 587
          domain: smtp.gmail.com
          authentication: :plain
          user_name: user@gmail.com
          password: password

    The following example uses the sendmail command as a delivery method:

    production:
       delivery_method: :sendmail
       sendmail_settings:
          arguments: "-i -t -G"

    Where the arguments directive is used to pass command-line options to sendmail. The default value of arguments is "-i -t". For more information see the sendmail(1) man page.

  2. If you decide to send email via an SMTP server which uses TLS authentication, also perform one of the following steps:

    • Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server:

      # cp mailca.crt /etc/pki/ca-trust/source/anchors/
      # update-ca-trust enable
      # update-ca-trust

      Where mailca.crt is the CA certificate of the SMTP server.

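    • Alternatively, add the following directive to /etc/foreman/email.yaml under smtp_settings. This disables STARTTLS, so mail and any SMTP login credentials are sent to the mail server unencrypted: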

      enable_starttls_auto: false
  3. After updating the /etc/foreman/email.yaml file, restart Katello services to apply the changes.

    # katello-service restart
  4. Additional email settings, such as the reply address or subject prefix, can be set up in the Satellite web UI at Administer > Settings under the General tab.
Note

For information on configuring email notifications for individual users or user groups, see Configuring Email Notifications in the Red Hat Satellite Server Administration Guide.

3.5.8. Configuring Satellite Server with a Custom Server Certificate

SSL certificates are used to protect information and enable secure communication. Red Hat Satellite 6 creates self-signed SSL certificates to enable encrypted communications between the Satellite Server, external Capsule Servers, and all hosts. Instead of using these self-signed certificates, you can install custom SSL certificates issued by a Certificate Authority which is an external, trusted company. For example, your company might have a security policy stating that SSL certificates must be obtained from a Certificate Authority. To obtain the certificate, create a Certificate Signing Request and send it to the Certificate Authority, as described in Section 3.5.8.1, “Obtain an SSL Certificate for the Satellite Server”. In return, you receive a signed SSL certificate.

Note

Obtain custom SSL certificates for the Satellite Server and all external Capsule Servers before starting this procedure.

To use a custom certificate on Satellite Server, complete these steps:

If you have external Capsule Servers, you must also complete the steps in Section 4.7.6, “Configuring Capsule Server with a Custom Server Certificate”.

3.5.8.1. Obtain an SSL Certificate for the Satellite Server

Note

If you already have a custom SSL Certificate for the Satellite Server, skip this procedure.

  1. Create a directory to contain all the source certificate files, accessible to only the root user.

    In these examples, the directory is /root/sat_cert.

    # mkdir /root/sat_cert
    # cd /root/sat_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note

    If you already have a private key for the Satellite Server, skip this step.

    # openssl genrsa -out /root/sat_cert/satellite_cert_key.pem 4096
  3. Create a Certificate Signing Request (CSR)

    A Certificate Signing Request is a text file containing details of the server for which you are requesting a certificate. For this command, you provide the private key (output by the previous step), answer some questions about the Satellite Server, and the Certificate Signing Request is created.

    Note

    The certificate’s Common Name (CN) must match the fully-qualified domain name (FQDN) of the server on which it is used. If you are requesting a certificate for a Satellite Server, this is the FQDN of the Satellite Server. If you are requesting a certificate for a Capsule Server, this is the FQDN of the Capsule Server.

    To confirm a server’s FQDN, run the following command on that server: hostname -f.

    # openssl req -new \
      -key /root/sat_cert/satellite_cert_key.pem \
      -out /root/sat_cert/satellite_cert_csr.pem

    Where:

    • -key is the Satellite Server’s private key, used to sign the certificate
    • -out is the Certificate Signing Request file

    Example Certificate Signing Request session

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:Queensland
    Locality Name (eg, city) [Default City]:Brisbane
    Organization Name (eg, company) [Default Company Ltd]:Example
    Organizational Unit Name (eg, section) []:Sales
    Common Name (eg, your name or your server's hostname) []:satellite.example.com
    Email Address []:example@example.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:password
    An optional company name []:Example

  4. Send the certificate request to the Certificate Authority.

    When you submit the request, be sure to specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.

3.5.8.2. Validate the Satellite Server’s SSL Certificate

Run the katello-certs-check command with the required parameters as per the following example. This validates the input files required for custom certificates and outputs the commands necessary to install them on the Satellite Server, all Capsule Servers, and hosts under management with Satellite.

  1. Validate the custom SSL certificate input files. Change the files' names to match your files.

    # katello-certs-check \
       -c /root/sat_cert/satellite_cert.pem \
       -k /root/sat_cert/satellite_cert_key.pem \
       -r /root/sat_cert/satellite_cert_csr.pem \
       -b /root/sat_cert/ca_cert_bundle.pem

    Where:

    • -c is the certificate file for the Satellite Server, signed by your Certificate Authority
    • -k is the Satellite Server’s private key, used to sign the certificate
    • -r is the certificate signing request file for the Satellite Server
    • -b is the Certificate Authority bundle

If you do not have a request file, see the following Red Hat Knowledgebase article We do not have certificate request (CSR) file for the custom certificate, how can we complete the satellite v 6.2 installation using satellite-installer command?

Example output of katello-certs-check

Validating the certificate subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example@example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

satellite-installer --scenario satellite \
--certs-server-cert "/root/sat_cert/satellite_cert.pem" \
--certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem" \
--certs-server-key "/root/sat_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Satellite installation, run:

satellite-installer --scenario satellite \
--certs-server-cert "/root/sat_cert/satellite_cert.pem" \
--certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem" \
--certs-server-key "/root/sat_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" \
--certs-update-server --certs-update-server-ca

To use them inside a $CAPSULE, run this command INSTEAD:

capsule-certs-generate --capsule-fqdn "" \
--certs-tar  "/root/certs.tar" \
--server-cert "/root/sat_cert/satellite_cert.pem" \
--server-cert-req "/root/sat_cert/satellite_cert_csr.pem" \
--server-key "/root/sat_cert/satellite_cert_key.pem" \
--server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" \
--certs-update-server
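
The checks reported above, plus the CN/FQDN requirement from Section 3.5.8.1, can be reproduced with plain openssl commands to see what each one verifies. This is an added example, not the katello-certs-check source; the function names and the --demo switch are hypothetical, the demo files are constructed throwaway material, and -checkhost assumes OpenSSL 1.0.2 or later.

```bash
#!/bin/bash
# Added example (not katello-certs-check's own code): the same consistency
# checks done by hand with openssl. Function names are hypothetical.

# Print the PEM public key contained in a certificate, private key or CSR.
pubkey_of() {            # $1 = x509 | pkey | req, $2 = file
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

report() {               # $1 = description, $2 = 0 for pass
    if [ "$2" -eq 0 ]; then echo "$1: [OK]"; else echo "$1: [FAIL]"; fi
}

# check_sat_certs CERT KEY CSR CA_BUNDLE FQDN  -> returns 0 only if all pass
check_sat_certs() {
    local cert key csr ca fqdn cert_pub key_pub csr_pub ok rc
    cert=$1; key=$2; csr=$3; ca=$4; fqdn=$5; rc=0
    cert_pub=$(pubkey_of x509 "$cert") || cert_pub=
    key_pub=$(pubkey_of pkey "$key")   || key_pub=
    csr_pub=$(pubkey_of req "$csr")    || csr_pub=

    # 1. The certificate carries the public half of this private key.
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then ok=0; else ok=1; rc=1; fi
    report "Private key matches the certificate" "$ok"

    # 2. The CSR was generated from the same private key.
    if [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]; then ok=0; else ok=1; rc=1; fi
    report "Private key matches the CSR" "$ok"

    # 3. The CA bundle chains to the certificate. The output is checked
    #    instead of the exit status, which old openssl releases set unreliably.
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        ok=0; else ok=1; rc=1; fi
    report "CA bundle verifies the certificate" "$ok"

    # 4. The certificate is valid for the server's FQDN (SAN, else CN).
    if openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
         | grep -q 'does match certificate'; then ok=0; else ok=1; rc=1; fi
    report "Certificate matches host name $fqdn" "$ok"

    return "$rc"
}

# Constructed demo material: a throwaway CA and a certificate for
# satellite.example.com, written to directory $1 with this page's file names.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca_key.pem" -out "$1/ca_cert_bundle.pem" &&
    openssl genrsa -out "$1/satellite_cert_key.pem" 2048 &&
    openssl req -new -key "$1/satellite_cert_key.pem" \
        -subj "/CN=satellite.example.com" -out "$1/satellite_cert_csr.pem" &&
    openssl x509 -req -days 2 -in "$1/satellite_cert_csr.pem" \
        -CA "$1/ca_cert_bundle.pem" -CAkey "$1/ca_key.pem" -CAcreateserial \
        -out "$1/satellite_cert.pem"
} >/dev/null 2>&1

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_files "$d" &&
    check_sat_certs "$d/satellite_cert.pem" "$d/satellite_cert_key.pem" \
        "$d/satellite_cert_csr.pem" "$d/ca_cert_bundle.pem" satellite.example.com
    rm -rf "$d"
fi
```

Against real files, call check_sat_certs with the four paths under /root/sat_cert and the output of hostname -f as the last argument.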

3.5.8.3. Run the Satellite Installer with Custom Certificate Parameters

Now that you have created an SSL certificate and verified it is valid for use with Red Hat Satellite 6, the next step is to install the custom SSL certificate on the Satellite Server and all its hosts.

There is a minor variation to this step, depending on whether or not the Satellite Server is already installed. If it is already installed, the existing certificates must be updated with those in the certificates archive.

The commands in this section are output by the katello-certs-check command, as detailed in Section 3.5.8.2, “Validate the Satellite Server’s SSL Certificate”, and can be copied and pasted into a terminal.

  1. Run the satellite-installer command, depending on your situation:

    1. If Satellite is already installed, run the following command on the Satellite Server:

      # satellite-installer --scenario satellite \
      --certs-server-cert "/root/sat_cert/satellite_cert.pem" \
      --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem" \
      --certs-server-key "/root/sat_cert/satellite_cert_key.pem" \
      --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" \
      --certs-update-server --certs-update-server-ca

      Important parameters in this command include --certs-update-server and --certs-update-server-ca, which specify that the server’s SSL certificate and certificate authority are to be updated. For a brief description of all the installer’s parameters, run the command: satellite-installer --scenario satellite --help.

      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you run the installer again, but from a different directory, it may fail as it is unable to find the original files.

    2. If Satellite is not already installed, run the following command on the Satellite Server:

      # satellite-installer --scenario satellite \
      --certs-server-cert "/root/sat_cert/satellite_cert.pem" \
      --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem" \
      --certs-server-key "/root/sat_cert/satellite_cert_key.pem" \
      --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"
      Note

      For all files in the satellite-installer command, use full path names, not relative path names. The installer records all files' paths and names, and if you run the installer again, but from a different directory, it may fail as it is unable to find the original files.

  2. Verify the certificate has been successfully installed on the Satellite Server before installing it on hosts. On a computer with network access to the Satellite Server, start a web browser, navigate to the URL https://satellite.example.com and view the certificate’s details.

3.5.8.4. Install the New Certificate on all Hosts Connected to the Satellite Server

Now that the custom SSL certificate has been installed on the Satellite Server, it must also be installed on every host registered to the Satellite Server. Run the following commands on all applicable hosts.

  1. Delete the current katello-ca-consumer package on the host.

    # yum remove 'katello-ca-consumer*'
  2. Install the custom SSL certificate on the host.

    # yum localinstall http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

3.5.9. Restricting Access to mongod

Only the apache and root users should be allowed access to the MongoDB database daemon, mongod, to reduce the risk of data loss.

Restrict access to mongod on Satellite and Capsule Servers using the following commands.

Configuring the Firewall on Red Hat Enterprise Linux 6

  1. Configure iptables service on Satellite and Capsule Servers. Because iptables -I inserts each rule at the top of the chain, insert the DROP rule for each port first so that the ACCEPT rules for apache and root end up above it.

    # iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP \
    && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner apache -j ACCEPT \
    && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner root -j ACCEPT \
    && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP \
    && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner apache -j ACCEPT \
    && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner root -j ACCEPT \
    && service iptables save

Configuring the Firewall on Red Hat Enterprise Linux 7

  1. Configure the firewall on Satellite and Capsule Servers.

    # firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \
    tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \
    && firewall-cmd  --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP \
    && firewall-cmd  --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \
    tcp -m tcp --dport 28017 -j DROP
  2. Repeat the command adding the --permanent option to make the settings persistent.

    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 27017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 27017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner apache -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \
    -o lo -p tcp -m tcp --dport 28017 -m owner \
    --uid-owner root -j ACCEPT \
    && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 28017 -j DROP \
    && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \
    -o lo -p tcp -m tcp --dport 28017 -j DROP
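
The ACCEPT rules for apache and root only take effect if they are evaluated before the DROP rule for the same port. The following added script (not part of the original guide) replays a rule listing in iptables -S format with first-match semantics and reports who can reach ports 27017 and 28017; the function names, the constructed sample listings, and the numeric apache UID 48 are assumptions.

```bash
#!/bin/bash
# Added example: first-match evaluation of the mongod loopback rules.
# Input is a rule listing in `iptables -S` format. Only the options used in
# this section (-o, -p, -m, --dport, --uid-owner, -j) are modelled; a rule
# with any other option is skipped. Function names are hypothetical.

# first_verdict CHAIN UID PORT : print the target of the first rule that
# matches a TCP packet from UID to PORT on lo, or POLICY if none matches.
first_verdict() {
    awk -v chain="$1" -v uid="$2" -v port="$3" '
    $1 == "-A" && $2 == chain {
        hit = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if      ($i == "-o")          { i++; if ($i != "lo")  hit = 0 }
            else if ($i == "-p")          { i++; if ($i != "tcp") hit = 0 }
            else if ($i == "-m")          { i++ }   # module name only
            else if ($i == "--dport")     { i++; if ($i != port)  hit = 0 }
            else if ($i == "--uid-owner") { i++; if ($i != uid)   hit = 0 }
            else if ($i == "-j")          { i++; target = $i }
            else                          { hit = 0 }   # option not modelled
        }
        if (hit && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
            print target; found = 1; exit
        }
    }
    END { if (!found) print "POLICY" }'
}

# audit_mongod_rules [CHAIN] [APACHE_UID] : rules on stdin. Passes only if
# root and apache are accepted and another UID is dropped on both ports.
audit_mongod_rules() {
    local chain apache_uid other_uid rules port uid v rc
    chain=${1:-OUTPUT}; apache_uid=${2:-48}; other_uid=1000; rc=0
    rules=$(cat)
    for port in 27017 28017; do
        for uid in 0 "$apache_uid"; do
            v=$(printf '%s\n' "$rules" | first_verdict "$chain" "$uid" "$port")
            if [ "$v" != "ACCEPT" ]; then
                echo "FAIL: uid $uid to port $port gets $v, expected ACCEPT"; rc=1
            fi
        done
        v=$(printf '%s\n' "$rules" | first_verdict "$chain" "$other_uid" "$port")
        if [ "$v" != "DROP" ]; then
            echo "FAIL: uid $other_uid to port $port gets $v, expected DROP"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: only uid 0 and $apache_uid reach mongod on lo"; fi
    return "$rc"
}

# Constructed listing: ACCEPT rules sit above the DROP rule for each port.
sample_accept_first() { cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 48 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 48 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP
EOF
}

# Constructed listing: the DROP rule for 27017 sits above its ACCEPT rules,
# so every user, including root and apache, is cut off from that port.
sample_drop_first() { cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 48 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 48 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "accept-first listing:"; sample_accept_first | audit_mongod_rules OUTPUT 48
    echo "drop-first listing:";   sample_drop_first   | audit_mongod_rules OUTPUT 48
fi
```

On a live server, pipe iptables -S OUTPUT into audit_mongod_rules and pass the result of id -u apache as the second argument. With firewalld direct rules, list and name the OUTPUT_direct chain instead.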