Chapter 1. Preparing your environment for installation

1.1. System Requirements

The following requirements apply to the networked base system:

  • 64-bit architecture
  • The latest version of Red Hat Enterprise Linux 7 Server
  • 4-core 2.0 GHz CPU at a minimum
  • A minimum of 20 GB memory is required for the Satellite Server to function. In addition, a minimum of 4 GB of swap space is also recommended. Satellite running with less memory than the minimum value might not operate correctly.
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • A system umask of 0022
  • Full forward and reverse DNS resolution using a fully-qualified domain name

Before you install Satellite Server or Capsule Server, ensure that your environment meets the requirements for installation.

Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server.

Note

The Red Hat Satellite Server and Capsule Server versions must match. For example, a Satellite 6.2 Server cannot run a 6.4 Capsule Server and a Satellite 6.4 Server cannot run a 6.2 Capsule Server. Mismatching Satellite Server and Capsule Server versions results in the Capsule Server failing silently.

Note

Self-registered Satellites are not supported.

If you have a large number of content hosts, see Large Deployment Considerations to ensure that your environment is set up appropriately.

For more information on scaling your Capsule Servers, see Capsule Server Scalability Considerations.

Certified hypervisors

Red Hat Satellite is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?

1.2. Storage Requirements and Guidelines

This section lists minimum storage requirements and provides storage guidelines for Satellite Server and Capsule Server installation.

Storage Architecture

  • Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/mongodb/ and /var/lib/pulp/ directories. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

  • The /var/cache/pulp/ directory is used to temporarily store content while it is being synchronized. For content in RPM format, a maximum of 5 RPM files are stored in this directory at any time. After each file is synchronized, it is moved to the /var/lib/pulp/ directory. Up to 8 RPM content synchronization tasks can run simultaneously by default, with each using up to 1 GB of metadata. For content in ISO format, all ISO files per synchronization task are stored in /var/cache/pulp/ until the task is complete, after which they are moved to the /var/lib/pulp/ directory.

    If you plan to use ISO images for installing or updating, you must provide external storage or allow space in /var/tmp for temporarily storing ISO files.

    For example, if you are synchronizing four ISO files, each 4 GB in size, this requires a total of 16 GB in the /var/cache/pulp/ directory. Consider the number of ISO files you intend synchronizing because the temporary disk space required for them typically exceeds that of RPM content.

  • The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
  • You can view the log files at the following locations: /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see Log Rotation in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments. Pay attention to your specific use case when reading the table. For example, you can have a Capsule Server without Pulp enabled, in which case you do not need the same level of storage requirements for directories related to Pulp such as /var/lib/pulp/.

In the following table, the runtime size was measured with Red Hat Enterprise Linux 5, 6, and 7 repositories synchronized.

Table 1.1. Storage Requirements for Capsule Server Installation

DirectoryInstallation SizeRuntime SizeConsiderations

/var/cache/pulp/

1 MB

20 GB (Minimum)

See the notes in this section’s introduction.

/var/lib/pulp/

1 MB

500 GB

  • Continues to grow as content is added. Plan for expansion over time.
  • Symbolic links cannot be used.

/var/lib/mongodb/

3.5 GB

50 GB

  • Continues to grow as content is added. Plan for expansion over time.
  • Symbolic links cannot be used.
  • Do not use NFS with MongoDB.

Storage Guidelines

  • Because most Satellite as well as Capsule Server data is stored within the /var directory, mount /var on LVM storage, enabling the system to scale.
  • Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/mongodb/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage will cause performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second. You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite 6 Operations for more information on using the fio tool.
  • Use the same volume for the /var/cache/pulp/ and /var/lib/pulp/ directories to decrease the time required to move content from /var/cache/pulp/ to /var/lib/pulp/ after synchronizing.
  • Do not use NFS with MongoDB because MongoDB does not use conventional I/O to access data files and performance problems occur when both the data files and the journal files are hosted on NFS. If required to use NFS, mount the volumes with the following option in the /etc/fstab file: bg, nolock, and noatime.
  • Do not use the GFS2 file system as the input-output latency has been found to be too high.
  • For improved performance, use solid state drives (SSD) rather than hard disk drives (HDD).
  • Use the XFS file system for Red Hat Satellite 6 because it does not have the inode limitations that ext4 does. As Satellite uses a lot of symbolic links it is likely that your system may run out of inodes if using ext4 and the default number of inodes.

  • When /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab: 

    nfs.example.com:/nfsshare  /var/lib/pulp/content  nfs  context="system_u:object_r:httpd_sys_rw_content_t:s0"  1 2

    If NFS share is already mounted, remount it using the above configuration and enter the following command: 

    # chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp

1.3. Supported Operating Systems

You can install the operating system from disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Satellite Server and Red Hat Satellite Capsule Server are supported only on the latest versions of Red Hat Enterprise Linux 7 Server that is available at the time when Satellite 6.3 is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

Red Hat Satellite Server and Red Hat Satellite Capsule Server require Red Hat Enterprise Linux installations with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

It is recommended that the Satellite Server be a freshly provisioned system. It is also recommended that Capsule Servers be freshly provisioned systems and not registered to the Red Hat CDN. Using the system for anything other than running Satellite is not supported.

If any of the following exist on the system, they must be removed before installation:

  • Java virtual machines
  • Puppet RPM files
  • Additional yum repositories other than those explicitly required in this guide for installation

1.4. Ports and Firewalls Requirements

To enable the components of Satellite architecture to communicate, specific network ports and network-based firewalls must be open and free on the base operating system that you want to install Capsule on. The installation of a Capsule Server fails if the ports between Satellite Server and Capsule Server are not open before installation starts.

The tables indicate the destination port and the direction of network traffic, use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines as they isolate machines similarly to network-based firewalls.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of these tables. This includes the base system on which a Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.

Required ports can change based on your configuration.

Table 1.2. Ports for Client to Capsule Communication

PortProtocolServiceRequired for

80

TCP

HTTP

Anaconda, yum, and for obtaining Katello certificate updates

443

TCP

HTTPS

Anaconda, yum, Telemetry Services, and Puppet

5647

TCP

amqp

Katello agent to communicate with Capsule’s Qpid dispatch router

8000

TCP

HTTPS

Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware

8140

TCP

HTTPS

Puppet agent to Puppet master connections

8443

TCP

HTTPS

Subscription Management Services and Telemetry Services

9090

TCP

HTTPS

Sending SCAP reports to the Smart Proxy in the Capsule and for the discovery image during provisioning

5000

TCP

HTTPS

Connection to Katello for the Docker registry

53

TCP and UDP

DNS

Client to Capsule DNS queries to a Capsule’s DNS service (Optional)

67

UDP

DHCP

Client to Capsule broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional)

69

UDP

TFTP

Clients downloading PXE boot image files from a Capsule for provisioning (Optional)

Table 1.3. Ports for Capsule to Satellite Communication

PortProtocolServiceRequired For

80

TCP

HTTP

Anaconda, yum, and for obtaining Katello certificate updates

443

TCP

HTTPS

Connections to Katello, Foreman, Foreman API, and Pulp

5646

TCP

amqp

Capsule’s Qpid dispatch router to Qpid dispatch router in Satellite

5647

TCP

amqp

Katello agent to communicate with Satellite’s Qpid dispatch router

5000

TCP

HTTPS

Connection to Katello for the Docker registry

Table 1.4. Ports for Capsule to Client Communication

PortProtocolServiceRequired For

7

TCP and UDP

ICMP

DHCP Capsule to Client network, ICMP ECHO to verify IP address is free (Optional)

68

UDP

DHCP

Capsule to Client broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional)

8443

TCP

HTTP

Capsule to Client "reboot" command to a discovered host during provisioning (Optional)

Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base system on which a Capsule Server is running.

Table 1.5. Optional Network Ports

PortProtocolServiceRequired For

22

TCP

SSH

Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible.

7911

TCP

DHCP

  • Capsule originated commands for orchestration of DHCP records (local or external).
  • If DHCP is provided by an external service, you must open the port on the external server.
Note

A DHCP Capsule sends an ICMP ECHO to confirm an IP address is free, no response of any kind is expected. ICMP can be dropped by a networked-based firewall, but any response prevents the allocation of IP addresses.

1.5. Enabling Connections from Satellite Server and Clients to a Capsule Server

You can enable incoming connections from Satellite Server and clients to Capsule Server and make these rules persistent during reboots. If you do not use an external Capsule Server, you do not need to enable this connection.

For more information on the ports used, see Ports and Firewalls Requirements.

  1. Configure the firewall on the base system on which you want to install Capsule: 

    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp" \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5000/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp"

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent

1.6. Enabling Connections from Capsule Server to Satellite Server

You can enable incoming connections from Capsule Server to Satellite Server, and make these rules persistent across reboots. This procedure opens the extra ports required by an external Capsule Server and must be performed on the Satellite Server base system.

For more information on the ports used, see Section 1.4, “Ports and Firewalls Requirements”.

  1. Configure the firewall on Satellite Server: 

    # firewall-cmd --add-port="5000/tcp" \
--add-port="5646/tcp" --add-port="443/tcp" \
--add-port="5647/tcp" --add-port="80/tcp"

  2. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent

1.7. Verifying Firewall Settings

You can verify changes to firewall settings using the firewall-cmd command.

To verify firewall settings:

# firewall-cmd --list-all

For more information, see Configuring the Firewall Using the firewall-cmd Command-Line Tool in the Red Hat Enterprise Linux 7 Security Guide.