Chapter 2. Preparing your environment for installation

Before you install Satellite Server or Capsule Server, you should ensure that your environment meets the requirements for installation.

Note

The Red Hat Satellite Server and Capsule Server versions must match. For example, a Satellite 6.1 Server cannot run a 6.2 Capsule Server and a Satellite 6.2 Server cannot run a 6.1 Capsule Server. Mismatching Satellite Server and Capsule Server versions results in the Capsule Server failing silently.

If you have a large number of content hosts, see Appendix A, Large Deployment Considerations to ensure that your environment is set up appropriately.

For more information on scaling your Capsule Servers, see Appendix B, Capsule Server Scalability Considerations.

2.1. Storage Requirements and Recommendations

Ensure that your environment meets the minimum requirements before installing Satellite Server or Capsule Server.

Packages that are duplicated in different repositories are only stored once on the disk, so additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/mongodb/ and /var/lib/pulp/ directories. These paths are not manually configurable. Make sure that storage is available on the /var file system to prevent storage issues.

The /var/cache/pulp/ directory is used to temporarily store content while it is being synchronized. For content in RPM format, a maximum of 5 RPM files are stored in this directory at any time. After each file is synchronized, it is moved to the /var/lib/pulp/ directory. Up to eight RPM content synchronization tasks can be running simultaneously by default, with each using up to 1 GB of metadata. For content in ISO format, all ISO files per synchronization task are stored in /var/cache/pulp/ until the task is complete, after which they are moved to the /var/lib/pulp/ directory. For example, if you are synchronizing four ISO files, each 4 GB in size, this requires a total of 16 GB in the /var/cache/pulp/ directory. Take into account the number of ISO files you intend to synchronize, because the temporary disk space required for them typically exceeds that of RPM content.

The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host. For example, 10 000 Content Hosts would require 20 GB of disk space in /var/lib/qpidd/.

Storage Requirements

The following tables detail recommended storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments. The Capsule Server table also applies to the Satellite Server as it has an integrated Capsule by default. Pay attention to your specific use case when reading the tables. For example, you could have a Capsule Server without Pulp enabled, in which case you do not need the same level of storage requirements for directories related to Pulp such as /var/lib/pulp/.

Table 2.1. Storage Requirements for Satellite Server Installation

Directory         | Installation Size                 | Runtime Size (RHEL 5, 6, and 7 synchronized) | Considerations
------------------|-----------------------------------|----------------------------------------------|---------------
/var/cache/pulp/  | 1 MB                              | 10 GB (Minimum)                              | See the notes in this section’s introduction.
/var/lib/pulp/    | 1 MB                              | 500 GB                                       | Will continue to grow as content is added to Satellite Server. Plan for expansion over time. Symbolic links cannot be used.
/var/lib/mongodb/ | 3.5 GB                            | 50 GB                                        | Will continue to grow as content is added to Satellite Server. Plan for expansion over time. Symbolic links cannot be used. NFS is not recommended with MongoDB.
/var/log/         | 10 MB                             | 250 MB                                       | None
/var/lib/pgsql/   | 100 MB                            | 10 GB                                        | A minimum of 2 GB of available storage in /var/lib/pgsql/ with the ability to grow the partition containing this directory as data storage requirements grow. It is recommended not to use NFS with PostgreSQL.
/usr              | 3 GB                              | Not Applicable                               | None
/opt              | 500 MB (Connected Installations)  | Not Applicable                               | Software collections are installed into the /opt/rh/ and /opt/theforeman/ directories. Write and execute permissions by root are required for installation into the /opt directory.
/opt              | 2 GB (Disconnected Installations) | Not Applicable                               | Software collections are installed into the /opt/rh/ and /opt/theforeman/ directories. Write and execute permissions by root are required for installation into the /opt directory. A copy of the repositories used for installation is stored in this directory.

Table 2.2. Storage Requirements for Capsule Server Installation

Directory         | Installation Size | Runtime Size (RHEL 5, 6, and 7 synchronized) | Considerations
------------------|-------------------|----------------------------------------------|---------------
/var/cache/pulp/  | 1 MB              | 10 GB (Minimum)                              | See the notes in this section’s introduction.
/var/lib/pulp/    | 1 MB              | 500 GB                                       | Will continue to grow as content is added. Plan for expansion over time. Symbolic links cannot be used.
/var/lib/mongodb/ | 3.5 GB            | 50 GB                                        | Will continue to grow as content is added. Plan for expansion over time. Symbolic links cannot be used. NFS is not recommended with MongoDB.

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For further information, see Log Rotation in the System Administrator’s Guide.

Storage Recommendations

  • Because most Satellite as well as Capsule Server data is stored within the /var directory, it is strongly recommended to mount /var on LVM storage, enabling the system to scale.
  • Red Hat recommends the usage of high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/mongodb/ directories. Because Red Hat Satellite performs many I/O-intensive operations, high-latency, low-bandwidth storage can cause performance degradation. It is recommended not to use NFS with MongoDB: MongoDB does not use conventional I/O to access data files, and performance problems will occur when both the data files and the journal files are hosted on NFS. If you must use NFS, mount the volumes with the following options in the /etc/fstab file: bg, nolock, and noatime.
  • Do not use the GFS2 file system as the input-output latency has been found to be too high.
  • For improved performance, use solid state drives (SSD) rather than hard disk drives (HDD).
  • The XFS file system is recommended for Red Hat Satellite 6 because it does not have the inode limitations that ext4 does. As Satellite uses a lot of symbolic links it is likely that your system will run out of inodes if using ext4 and the default number of inodes.

    If you intend to use Red Hat Enterprise Linux 6 instead, contact your account team to learn about enabling XFS on this system. Also consider that long term support for Satellite 6 on Red Hat Enterprise Linux 6 has a shorter lifespan which might necessitate a migration from version 6 to 7 in the future. Red Hat Enterprise Linux 7 is highly recommended for new installations.

  • When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following line to /etc/fstab:

    nfs.example.com:/nfsshare  /var/lib/pulp/content  nfs  context="system_u:object_r:httpd_sys_rw_content_t:s0"  1 2

    If the NFS share is already mounted, remount it using the above recommendation and run the following command:

    # chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp
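A storage preflight that turns the table minimums and the NFS/SELinux advice above into checks. This is an added example, not part of the Red Hat documentation or the Satellite installer: the minimum sizes are the runtime values from Table 2.1, while the filesystem-type rules, the df -P -T -BG parsing (GNU coreutils, as shipped with RHEL 6 and 7) and the /proc/mounts context check are assumptions of this script. The pulp_nfs_context_ok function answers the question the chcon step addresses: whether an NFS mount under /var/lib/pulp carries the httpd_sys_rw_content_t context.

```shell
#!/bin/sh
# Storage preflight for a Satellite or Capsule base system.
# Added example, not Red Hat's installer code. Minimum sizes are the runtime
# values from Table 2.1; the mount and context checks are this script's own.

# min_gb_for DIR: runtime minimum in GB for the directories the table sizes
min_gb_for() {
  case "$1" in
    /var/cache/pulp)  echo 10 ;;
    /var/lib/pulp)    echo 500 ;;
    /var/lib/mongodb) echo 50 ;;
    /var/lib/pgsql)   echo 10 ;;
    *)                echo 0 ;;
  esac
}

# space_ok DIR AVAIL_GB: true when the free space meets the table minimum
space_ok() {
  [ "$2" -ge "$(min_gb_for "$1")" ]
}

# fs_acceptable FSTYPE: XFS is recommended, ext4 warns (inode exhaustion from
# Satellite's many symbolic links), GFS2 is rejected (I/O latency too high)
fs_acceptable() {
  case "$1" in
    xfs)  return 0 ;;
    ext4) echo "warn: ext4 with the default inode count may run out of inodes; XFS recommended" >&2
          return 0 ;;
    gfs2) echo "fail: GFS2 is not supported (I/O latency too high)" >&2
          return 1 ;;
    *)    return 0 ;;
  esac
}

# pulp_nfs_context_ok MOUNT_LINE: given one /proc/mounts line, true when the
# mount is not NFS at all, or is NFS mounted with the httpd_sys_rw_content_t
# context; an NFS mount without that context is what SELinux blocks
pulp_nfs_context_ok() {
  fstype=$(printf '%s\n' "$1" | awk '{ print $3 }')
  case "$fstype" in
    nfs|nfs4) printf '%s\n' "$1" | grep -q 'context=[^ ]*httpd_sys_rw_content_t' ;;
    *)        return 0 ;;
  esac
}

# preflight: live checks on this host (GNU df assumed, as on RHEL 6 and 7)
preflight() {
  rc=0
  for d in /var/cache/pulp /var/lib/pulp /var/lib/mongodb /var/lib/pgsql; do
    [ -d "$d" ] || { echo "skip: $d does not exist yet"; continue; }
    # df -T adds a Type column: Filesystem Type Size Used Avail Use% Mounted
    set -- $(df -P -T -BG "$d" | awk 'NR == 2 { sub(/G$/, "", $5); print $2, $5 }')
    [ -n "$2" ] || { echo "fail: cannot determine free space for $d"; rc=1; continue; }
    fs_acceptable "$1" || rc=1
    if space_ok "$d" "$2"; then
      echo "ok:   $d has ${2} GB free on $1 (minimum $(min_gb_for "$d") GB)"
    else
      echo "fail: $d has ${2} GB free, table minimum is $(min_gb_for "$d") GB"; rc=1
    fi
  done
  # Every NFS mount under /var/lib/pulp must carry the context
  bad=$(grep ' /var/lib/pulp' /proc/mounts | while read -r line; do
          pulp_nfs_context_ok "$line" || echo "fail: NFS mount lacks httpd_sys_rw_content_t context: $line"
        done)
  [ -z "$bad" ] || { echo "$bad"; rc=1; }
  return $rc
}

# Run the live checks only when invoked with --run, so the file can also be sourced
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Source the file to call the functions individually, or run it with --run on the base system. The mount check reads /proc/mounts rather than /etc/fstab on purpose: a context option that was added to fstab but never applied by a remount is exactly the case the chcon step above exists for.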

2.2. Supported Operating Systems

You can install the operating system from disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Satellite Server and Red Hat Satellite Capsule Server are supported only on the latest versions of Red Hat Enterprise Linux 6 Server or 7 Server that is available when Satellite 6.2 is released. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

Red Hat Satellite Server and Red Hat Satellite Capsule Server require Red Hat Enterprise Linux installations with the @Base package group, with no other package-set modifications, and without third-party configurations or software not directly necessary for the operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

It is recommended that the Satellite Server be a freshly provisioned system. Using the system for anything other than running Satellite is not supported.

If any of the following exist on the system, they must be removed before installation:

  • Java virtual machines
  • Puppet RPM files
  • Additional yum repositories other than those explicitly required in this guide for installation

2.3. Hardware Requirements

The following requirements apply to the networked base system:

  • 64-bit architecture
  • The latest version of Red Hat Enterprise Linux 6 Server or 7 Server
  • A minimum of 2 CPU cores, 4 CPU cores are recommended
  • A minimum of 12 GB of memory is required for Satellite Server to function; 16 GB of memory or more is recommended for each instance of Satellite Server. In addition, a minimum of 4 GB of swap space is recommended. Satellite running with less memory than the minimum value may not operate correctly.
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • Full forward and reverse DNS resolution using a fully-qualified domain name
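The following preflight, an added example rather than Red Hat's code, reads the figures the list above asks for from /proc and the hostname command and compares them with the stated minimums. The thresholds are the section's own; the 3% allowance on memory (the kernel reports slightly less than the fitted amount in /proc/meminfo), the host name regular expression and the function names are this script's assumptions.

```shell
#!/bin/sh
# Base-system preflight against the hardware requirements listed above.
# Added example, not Red Hat's code. Thresholds are the section's own; the
# memory allowance and the /proc parsing are this script's.

# hostname_ok NAME: only lower-case letters, digits, dots and hyphens
hostname_ok() { printf '%s\n' "$1" | grep -Eq '^[a-z0-9.-]+$'; }

KB_PER_GB=$((1024 * 1024))

# mem_ok MEMTOTAL_KB: 12 GB minimum. /proc/meminfo reports a little under the
# fitted amount (kernel reservations), so allow 3% below the nominal figure.
mem_ok()          { [ "$1" -ge $((12 * KB_PER_GB * 97 / 100)) ]; }
mem_recommended() { [ "$1" -ge $((16 * KB_PER_GB * 97 / 100)) ]; }
swap_ok()         { [ "$1" -ge $((4 * KB_PER_GB * 97 / 100)) ]; }   # 4 GB recommended
cores_ok()        { [ "$1" -ge 2 ]; }                               # 4 recommended
arch_ok()         { case "$1" in *64*) return 0 ;; *) return 1 ;; esac; }

# report LABEL CHECK VALUE: prints ok/FAIL and folds the result into $rc
report() {
  if "$2" "$3"; then echo "ok:   $1 ($3)"; else echo "FAIL: $1 ($3)"; rc=1; fi
}

# preflight: live checks from /proc and hostname -f
preflight() {
  rc=0
  mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
  report "64-bit architecture"  arch_ok     "$(uname -m)"
  report "2+ CPU cores"         cores_ok    "$(grep -c '^processor' /proc/cpuinfo)"
  report "12 GB memory minimum" mem_ok      "$mem_kb"
  report "4 GB swap"            swap_ok     "$(awk '/^SwapTotal:/ { print $2 }' /proc/meminfo)"
  report "host name characters" hostname_ok "$(hostname -f)"
  mem_recommended "$mem_kb" || echo "note: 16 GB or more is recommended per Satellite Server"
  return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Uniqueness of the host name and the subscription cannot be checked locally; forward and reverse DNS resolution is covered separately in Section 2.9.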

2.4. Supported Browsers

The following web browsers are fully supported:

  • Firefox versions 35 and later
  • Chrome versions 28 and later

The following web browsers are partially supported. The Satellite web UI functions correctly, but certain design elements may not align as expected:

  • Firefox version 38
  • Chrome version 27
  • Internet Explorer versions 10 and 11

Note

The web UI and command-line interface for Satellite Server support English, Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

2.5. Ports and Firewalls Requirements

Specific network ports must be open and free on the base operating system, as well as open in any network-based firewalls, to enable the components of Satellite architecture to communicate. The tables in this section explain the need for the ports, and the corresponding firewall commands for host-based firewalls are given in the following section. The installation of a Capsule Server will fail if the ports between the Satellite Server and the Capsule Server have not been opened before installation is started.

The tables indicate the destination port and the direction of network traffic; use this information to configure any network-based firewalls. Note that some cloud solutions need to be specifically configured to allow communication between machines, as they isolate machines in the same way as network-based firewalls.

Note

The Satellite Server has an integrated Capsule, and any host that is directly connected to the Satellite Server is a Client of the Satellite in the context of these tables. This includes the base system on which a Capsule Server is running. Remember to take this into account when planning any network-based firewall configurations.

Systems which are clients of Capsules, other than the internal Capsule, do not need access to the Satellite Server. See Capsule Networking in the Red Hat Satellite Architecture Guide for more information on Satellite Topology.

Required ports can change based on your configuration.

Table 2.3. Ports for Satellite to Red Hat CDN Communication

Port | Protocol | Service | Required For
-----|----------|---------|-------------
443  | TCP      | HTTPS   | Subscription Management Services (access.redhat.com) and connecting to the Red Hat CDN (cdn.redhat.com).

Except in the case of a disconnected Satellite, the Satellite Server needs access to the Red Hat CDN.

Table 2.4. Ports for Browser-based User Interface Access to Satellite

Port | Protocol | Service | Required For
-----|----------|---------|-------------
443  | TCP      | HTTPS   | Browser-based UI access to Satellite
80   | TCP      | HTTP    | Redirection to HTTPS for web UI access to Satellite (Optional)

Table 2.5. Ports for Client to Satellite Communication

Port | Protocol | Service | Required For
-----|----------|---------|-------------
80   | TCP      | HTTP    | Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware
443  | TCP      | HTTPS   | Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent
5647 | TCP      | amqp    | The Katello Agent to communicate with the Satellite’s Qpid dispatch router
8000 | TCP      | HTTPS   | Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140 | TCP      | HTTPS   | Puppet agent to Puppet master connections
9090 | TCP      | HTTPS   | Sending SCAP reports to the Smart Proxy in the integrated Capsule and for the discovery image during provisioning
5000 | TCP      | HTTPS   | Connection to Katello for the Docker registry

Any managed host that is directly connected to the Satellite Server is a Client in this context. This includes the base system on which a Capsule Server is running.

Table 2.6. Ports for Client to Capsule Communication

Port | Protocol | Service | Required For
-----|----------|---------|-------------
80   | TCP      | HTTP    | Anaconda, yum, and for obtaining Katello certificate updates
443  | TCP      | HTTPS   | Anaconda, yum, Telemetry Services, and Puppet
5647 | TCP      | amqp    | The Katello agent to communicate with the Capsule’s Qpid dispatch router
8000 | TCP      | HTTPS   | Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140 | TCP      | HTTPS   | Puppet agent to Puppet master connections
8443 | TCP      | HTTPS   | Subscription Management Services and Telemetry Services
9090 | TCP      | HTTPS   | Sending SCAP reports to the Smart Proxy in the Capsule and for the discovery image during provisioning
5000 | TCP      | HTTPS   | Connection to Katello for the Docker registry

Table 2.7. Ports for Capsule to Satellite Communication

Port | Protocol | Service | Required For
-----|----------|---------|-------------
443  | TCP      | HTTPS   | Connections to Katello, Foreman, Foreman API, and Pulp
5646 | TCP      | amqp    | Capsule’s Qpid dispatch router to Qpid dispatch router in the Satellite
5647 | TCP      | amqp    | The Katello agent to communicate with the Satellite’s Qpid dispatch router
5000 | TCP      | HTTPS   | Connection to Katello for the Docker registry

Remember that the base system on which a Capsule Server is running is a client connected to the Satellite Server. See the table Ports for Client to Satellite Communication.

Table 2.8. Ports for Satellite to Capsule Communication

Port | Protocol | Service | Required For
-----|----------|---------|-------------
443  | TCP      | HTTPS   | Connections to the Pulp server in the Capsule
9090 | TCP      | HTTPS   | Connections to the proxy in the Capsule
80   | TCP      | HTTP    | Downloading a bootdisk (Optional)

Table 2.9. Optional Network Ports

Port         | Protocol    | Service      | Required For
-------------|-------------|--------------|-------------
53           | TCP and UDP | DNS          | Client to Capsule DNS queries to a Capsule’s DNS service
67           | UDP         | DHCP         | Client to Capsule broadcasts, DHCP broadcasts for Client provisioning from a Capsule
68           | UDP         | DHCP         | Capsule to Client broadcasts, DHCP broadcasts for Client provisioning from a Capsule
69           | UDP         | TFTP         | Clients downloading PXE boot image files from a Capsule for provisioning
8443         | TCP         | HTTP         | Capsule to Client "reboot" command to a discovered host during provisioning
7911         | TCP         | DHCP         | Capsule originated commands for orchestration of DHCP records (local or external). If DHCP is provided by an external service, you must open the port on the external server.
5000         | TCP         | HTTP         | Satellite originated communications, for compute resources in OpenStack or for running Docker containers
22, 16514    | TCP         | SSH, SSL/TLS | Satellite originated communications, for compute resources in libvirt
389, 636     | TCP         | LDAP, LDAPS  | Satellite originated communications, for LDAP and secured LDAP authentication sources
5900 to 5930 | TCP         | SSL/TLS      | Satellite originated communications, for NoVNC console in web UI to hypervisors

2.6. Enabling Connections from a Client to Satellite Server

Systems which are clients of Satellite Server’s internal Capsule require access through host-based and network-based firewalls. This section describes configuring the host-based firewall on Satellite Server’s base system to enable incoming connections from a Client and to make these rules persistent across system reboots. For more information on the ports used, see Section 2.5, “Ports and Firewalls Requirements”.

Configuring the Firewall on Red Hat Enterprise Linux 6

  1. Open the ports required for Client to Satellite Communications

    # iptables -I INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 5647 \
    -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 8140 \
    -j ACCEPT \
    && service iptables save
  2. Verify that the iptables service is started and enabled.

    # service iptables start
    # chkconfig iptables on

Configuring the Firewall on Red Hat Enterprise Linux 7

  1. Open the ports required for Client to Satellite Communications.

    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
     --add-port="67/udp" --add-port="69/udp" \
     --add-port="80/tcp"  --add-port="443/tcp" \
     --add-port="5647/tcp" \
     --add-port="8000/tcp" --add-port="8140/tcp"
  2. Repeat the command adding the --permanent option to make the settings persistent.

    # firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
     --add-port="67/udp" --add-port="69/udp" \
     --add-port="80/tcp"  --add-port="443/tcp" \
     --add-port="5647/tcp" \
     --add-port="8000/tcp" --add-port="8140/tcp"

2.7. Enabling Connections from Capsule Server to Satellite Server

Follow this procedure to enable incoming connections from a Capsule Server to a Satellite Server, and make these rules persistent across reboots. If you do not use an external Capsule Server, you do not need to enable this connection.

Prerequisites

A Capsule Server’s base system is a client of the Satellite Server, therefore the procedure in Section 2.6, “Enabling Connections from a Client to Satellite Server” should be completed first. This procedure opens the extra ports required by an external Capsule Server.

For more information on the ports used, see Section 2.5, “Ports and Firewalls Requirements”.

Configuring the Firewall on Red Hat Enterprise Linux 6

  1. Configure iptables service.

    # iptables -I INPUT -m state --state NEW -p tcp --dport 5646 -j ACCEPT \
    && service iptables save
  2. Start iptables service.

    # service iptables restart
    # chkconfig iptables on

Configuring the Firewall on Red Hat Enterprise Linux 7

  1. Configure the firewall on Satellite Server.

    # firewall-cmd --add-port="5646/tcp"
  2. Repeat the command adding the --permanent option to make the settings persistent.

    # firewall-cmd --permanent --add-port="5646/tcp"

2.8. Enabling Connections from Satellite Server and Clients to a Capsule Server

You can enable incoming connections from Satellite Server and clients to Capsule Server and make these rules persistent during reboots. If you do not use an external Capsule Server, you do not need to enable this connection.

For more information on the ports used, see Ports and Firewalls Requirements.

Configuring the Firewall on Red Hat Enterprise Linux 6

  1. Configure iptables service.

    # iptables -I INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p udp --dport 67 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p udp --dport 69 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 5647 \
    -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 8000 \
    -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 8140 \
    -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 8443 \
    -j ACCEPT \
    && iptables -I INPUT -m state --state NEW -p tcp --dport 9090 \
    -j ACCEPT \
    && service iptables save
  2. Start iptables service.

    # service iptables restart
    # chkconfig iptables on

Configuring the Firewall on Red Hat Enterprise Linux 7

  1. Configure the firewall on Capsule Server.

    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
     --add-port="67/udp" \
     --add-port="69/udp" --add-port="80/tcp" \
     --add-port="443/tcp" --add-port="5647/tcp" \
     --add-port="8000/tcp" --add-port="8140/tcp" \
     --add-port="8443/tcp" --add-port="9090/tcp"
  2. Repeat the command adding the --permanent option to make the settings persistent.

    # firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp" \
     --add-port="67/udp" \
     --add-port="69/udp" --add-port="80/tcp" \
     --add-port="443/tcp" --add-port="5647/tcp" \
     --add-port="8000/tcp" --add-port="8140/tcp" \
     --add-port="8443/tcp" --add-port="9090/tcp"
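To confirm that the rules from Sections 2.6 to 2.8 are actually in place, both at runtime and in the permanent configuration, the following added example (not Red Hat's code) compares the port sets from the RHEL 7 firewall-cmd procedures with the output of firewall-cmd --list-ports. The role names client-to-satellite, capsule-to-satellite and to-capsule are this script's own; the port sets are copied from the procedures above.

```shell
#!/bin/sh
# Firewall verification for the three host roles in Sections 2.6 to 2.8.
# Added example, not Red Hat's code. The port sets are the ones the RHEL 7
# firewall-cmd procedures open; the comparison logic is this script's own.

# ports_for ROLE: space-separated port/proto list a role must accept
ports_for() {
  case "$1" in
    client-to-satellite)  echo "53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8000/tcp 8140/tcp" ;;
    capsule-to-satellite) echo "5646/tcp" ;;
    to-capsule)           echo "53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5647/tcp 8000/tcp 8140/tcp 8443/tcp 9090/tcp" ;;
    *) echo "unknown role: $1 (client-to-satellite, capsule-to-satellite, to-capsule)" >&2; return 1 ;;
  esac
}

# firewall_args ROLE: the --add-port arguments for firewall-cmd (runtime or --permanent)
firewall_args() {
  for p in $(ports_for "$1"); do printf '%s%s ' '--add-port=' "$p"; done
  echo
}

# missing_ports REQUIRED LISTED: entries of REQUIRED absent from LISTED, the
# latter in the "80/tcp 443/tcp" form that `firewall-cmd --list-ports` prints
missing_ports() {
  missing=""
  for p in $1; do
    case " $2 " in
      *" $p "*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  echo "${missing# }"
}

# verify_firewall ROLE: live check of both the runtime and the permanent
# firewalld sets, so a rule added without --permanent is flagged before the
# next reboot silently drops it
verify_firewall() {
  req=$(ports_for "$1") || return 1
  runtime=$(missing_ports "$req" "$(firewall-cmd --list-ports)")
  perm=$(missing_ports "$req" "$(firewall-cmd --permanent --list-ports)")
  [ -z "$runtime" ] || echo "missing at runtime:         $runtime"
  [ -z "$perm" ]    || echo "missing from permanent set: $perm"
  [ -z "$runtime$perm" ] && echo "ok: all $1 ports open (runtime and permanent)"
}
```

Run verify_firewall client-to-satellite on the Satellite base system, add capsule-to-satellite when an external Capsule is in use, and run verify_firewall to-capsule on the Capsule itself. The script uses the firewall-cmd sets; note that the RHEL 6 iptables command in Section 2.6 does not include 8000/tcp, which Table 2.5 lists for kickstart template and iPXE downloads, so compare an RHEL 6 Satellite against the same set.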

2.9. Verifying DNS resolution

Verifying the full forward and reverse DNS resolution using a fully-qualified domain name enables you to prevent issues while installing Satellite.

Ensure that the host name and local host resolve correctly.

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

Warning

Name resolution is critical to the operation of Satellite 6. If Satellite cannot properly resolve its fully qualified domain name, many options will fail. Among these options are content management, subscription management, and provisioning.
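The ping test above shows that the name resolves, but not that the reverse record agrees with it or that the answer is usable by clients. The following added example (not Red Hat's code) checks the round trip FQDN to address to FQDN with getent, which consults /etc/hosts and DNS in the order nsswitch.conf defines. The loopback rule is this script's assumption: an /etc/hosts entry mapping the FQDN to 127.0.0.1 passes the ping test but gives clients an unreachable address. The getent lines in the usage section are constructed sample values.

```shell
#!/bin/sh
# Forward/reverse DNS check for the Satellite base system's FQDN.
# Added example, not Red Hat's code. Uses getent so that /etc/hosts and DNS
# are both consulted, as the installer's own resolver calls would.

# is_fqdn NAME: at least one dot, and only the characters the host name rule allows
is_fqdn() { printf '%s\n' "$1" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)+$'; }

# is_loopback IP: 127.0.0.0/8 or ::1. An FQDN mapped here in /etc/hosts pings
# fine but is unreachable by clients, so this script treats it as a failure.
is_loopback() { case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac; }

# forward_ip FWD_LINE: address field of a `getent hosts FQDN` line
forward_ip() { printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'; }

# dns_roundtrip_ok FQDN FWD_LINE REV_LINE: FQDN -> IP -> name must give FQDN back.
# FWD_LINE is the `getent hosts FQDN` output, REV_LINE the `getent hosts IP` output.
dns_roundtrip_ok() {
  fqdn="$1"
  ip=$(forward_ip "$2")
  is_fqdn "$fqdn" || { echo "fail: '$fqdn' is not a fully-qualified, lower-case name" >&2; return 1; }
  [ -n "$ip" ] || { echo "fail: $fqdn does not resolve" >&2; return 1; }
  if is_loopback "$ip"; then echo "fail: $fqdn resolves to loopback address $ip" >&2; return 1; fi
  # Reverse line format: IP canonical-name [aliases...]; any of the names may match
  printf '%s\n' "$3" | awk -v n="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }' \
    || { echo "fail: reverse lookup of $ip does not return $fqdn" >&2; return 1; }
}

# check_this_host: live version using hostname -f and getent
check_this_host() {
  fqdn=$(hostname -f)
  fwd=$(getent hosts "$fqdn")
  ip=$(forward_ip "$fwd")
  rev=$( [ -n "$ip" ] && getent hosts "$ip" )
  dns_roundtrip_ok "$fqdn" "$fwd" "$rev" && echo "ok: $fqdn <-> $ip"
}

if [ "${1:-}" = "--run" ]; then check_this_host; fi
```

With constructed resolver output, dns_roundtrip_ok satellite.example.com '192.0.2.10 satellite.example.com' '192.0.2.10 satellite.example.com' succeeds, while a reverse answer naming a different host, or a forward answer of 127.0.0.1, fails with a message on standard error.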

2.10. Changing Default SELinux ports

Red Hat Satellite 6 uses a set of predefined ports. Because Red Hat recommends that SELinux on Satellite 6 systems be set to permissive or enforcing, if you need to change the port for any service, you also need to change the associated SELinux port type to allow access to the resources. You only need to change these ports if you use non-standard ports.

For example, if you change the Satellite web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type.

This change is also required for target ports, for example when Satellite 6 connects to an external source such as Red Hat Virtualization or Red Hat OpenStack Platform.

You only need to make changes to default port assignments once. Updating or upgrading Satellite has no effect on these assignments. Updating only adds default SELinux ports if no assignments exist.

Before You Begin

Changing default ports to user-specified ports

  1. To change the port from the default port to a user-specified port, execute the commands using values that are relevant to your environment. These examples use port 99999 for demonstration purposes.

    Default Port                       | SELinux Command
    -----------------------------------|-----------------------------------------------------
    80, 443, 8443                      | semanage port -a -t http_port_t -p tcp 99999
    8080                               | semanage port -a -t http_cache_port_t -p tcp 99999
    8140                               | semanage port -a -t puppet_port_t -p tcp 99999
    9090                               | semanage port -a -t websm_port_t -p tcp 99999
    69                                 | semanage port -a -t tftp_port_t -p udp 99999
    53 (TCP)                           | semanage port -a -t dns_port_t -p tcp 99999
    53 (UDP)                           | semanage port -a -t dns_port_t -p udp 99999
    67, 68                             | semanage port -a -t dhcpd_port_t -p udp 99999
    5671                               | semanage port -a -t amqp_port_t -p tcp 99999
    8000                               | semanage port -a -t soundd_port_t -p tcp 99999
    7911                               | semanage port -a -t dhcpd_port_t -p tcp 99999
    5000 on Red Hat Enterprise Linux 6 | semanage port -a -t commplex_port_t -p tcp 99999
    5000 on Red Hat Enterprise Linux 7 | semanage port -a -t commplex_main_port_t -p tcp 99999
    22                                 | semanage port -a -t ssh_port_t -p tcp 99999
    16514 (libvirt)                    | semanage port -a -t virt_port_t -p tcp 99999
    389, 636                           | semanage port -a -t ldap_port_t -p tcp 99999
    5910 to 5930                       | semanage port -a -t vnc_port_t -p tcp 99999

  2. Disassociate the previously used port number and port type.

    # semanage port -d -t virt_port_t -p tcp 99999
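The table commands use semanage port -a, which fails with an "already defined" error when the port is already labelled for a different type; semanage port -m is the verb needed in that case. The following added example, not Red Hat's code, parses semanage port -l output (semanage is provided by policycoreutils-python on RHEL 6 and 7) to pick the right verb before anything is changed. The sample listing is a constructed excerpt resembling stock policy values, and the function names are this script's own; the 8018 web UI port is the example the section itself gives.

```shell
#!/bin/sh
# Helper for moving a Satellite service to a non-default port under SELinux.
# Added example, not Red Hat's code. It inspects `semanage port -l` before
# choosing between `semanage port -a` and `semanage port -m`.

# port_owner PROTO PORT SEMANAGE_LIST: prints the port type that already
# covers PORT/PROTO (handles "5900-5999" ranges), or nothing if unassigned
port_owner() {
  printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (p ~ /^[0-9]+-[0-9]+$/) {
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
        } else if (p + 0 == port + 0) { print $1; exit }
      }
    }'
}

# semanage_port_cmd TYPE PROTO PORT SEMANAGE_LIST: prints the command that
# labels PORT for TYPE, or nothing when it is already labelled that way.
# -a is rejected with "already defined" when another type owns the port,
# so -m (modify) is emitted for that case.
semanage_port_cmd() {
  owner=$(port_owner "$2" "$3" "$4")
  if [ -z "$owner" ]; then
    echo "semanage port -a -t $1 -p $2 $3"
  elif [ "$owner" = "$1" ]; then
    :   # nothing to do
  else
    echo "semanage port -m -t $1 -p $2 $3"
  fi
}

# Constructed excerpt in the layout of `semanage port -l` (type, protocol, ports)
SAMPLE_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
soundd_port_t                  tcp      8000, 9433, 16001
dns_port_t                     udp      53
vnc_port_t                     tcp      5900-5999'

# relabel_port TYPE PROTO PORT: live version; prints and runs the chosen command
relabel_port() {
  cmd=$(semanage_port_cmd "$1" "$2" "$3" "$(semanage port -l)")
  [ -n "$cmd" ] || { echo "$3/$2 is already labelled $1"; return 0; }
  echo "+ $cmd" && $cmd
}
```

With the sample listing, moving the web UI to 8018 yields semanage port -a -t http_port_t -p tcp 8018, whereas asking for 8000 as http_port_t yields the -m form because soundd_port_t already owns that port. After the old port has been disassociated with semanage port -d, port_owner for it returns nothing, which confirms step 2 took effect.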