Chapter 1. Preparing your Environment for Installation

1.1. System Requirements

The following requirements apply to the networked base operating system:

  • x86_64 architecture
  • The latest version of Red Hat Enterprise Linux 7 Server
  • 4-core 2.0 GHz CPU at a minimum
  • A minimum of 12 GB RAM is required for Capsule Server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Capsule running with less RAM than the minimum value might not operate correctly.
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • A system umask of 0022
  • Full forward and reverse DNS resolution using a fully-qualified domain name

Before you install Capsule Server, ensure that your environment meets the requirements for installation.

Capsule Server must be installed on a freshly provisioned system that serves no other function except to run Capsule Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Capsule Server creates:

  • postgres
  • mongodb
  • apache
  • qpidd
  • qdrouterd
  • squid
  • foreman-proxy
  • puppet
  • puppetserver
Note

The Red Hat Satellite Server and Capsule Server versions must match. For example, a Satellite 6.7 Server cannot run an earlier or later version of Capsule Server. Mismatching Satellite Server and Capsule Server versions results in the Capsule Server failing silently.

For more information on scaling your Capsule Servers, see Capsule Server Scalability Considerations.

Certified hypervisors

Capsule Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?.

FIPS Mode

You can install Capsule Server on a Red Hat Enterprise Linux system that is operating in FIPS mode. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.

1.2. Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 6, 7, and 8 repositories synchronized.

Table 1.1. Storage Requirements for Capsule Server Installation

DirectoryInstallation SizeRuntime Size

/var/cache/pulp/

1 MB

20 GB (Minimum)

/var/lib/pulp/

1 MB

300 GB

/var/lib/mongodb/

3.5 GB

50 GB

/opt

500 MB

Not Applicable

1.3. Storage Guidelines

Consider the following guidelines when installing Capsule Server to increase efficiency.

  • Because most Capsule Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
  • Using the same volume for the /var/cache/pulp/ and /var/lib/pulp/ directories can decrease the time required to move content from /var/cache/pulp/ to /var/lib/pulp/ after synchronizing.
  • The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
  • Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/mongodb/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second. You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite Operations for more information on using the fio tool.

File System Guidelines

  • Use the XFS file system for Red Hat Satellite 6 because it does not have the inode limitations that ext4 does. Because Capsule Server uses a lot of symbolic links it is likely that your system might run out of inodes if using ext4 and the default number of inodes.
  • Do not use NFS with MongoDB because MongoDB does not use conventional I/O to access data files and performance problems occur when both the data files and the journal files are hosted on NFS. If required to use NFS, mount the volume with the following options in the /etc/fstab file: bg, nolock, and noatime.
  • Do not use NFS for Pulp data storage. Using NFS for Pulp has a negative performance impact on content synchronization.
  • Do not use the GFS2 file system as the input-output latency is too high.

Log File Storage

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see Log Rotation in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

The exact amount of storage you require for log messages depends on your installation and setup.

SELinux Considerations for NFS Mount

When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:

nfs.example.com:/nfsshare  /var/lib/pulp/content  nfs  context="system_u:object_r:httpd_sys_rw_content_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command:

# chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp

Duplicated Packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/mongodb/ and /var/lib/pulp/ directories. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Temporary Storage

The /var/cache/pulp/ directory is used to temporarily store content while it is being synchronized. After a full synchronization task is completed, the content is moved to the /var/lib/pulp/ directory.

For content in RPM format, each RPM file is moved to the /var/lib/pulp directory after it is synchronized. A maximum of 5 RPM files are stored in the /var/cache/pulp/ directory at any time. Up to 8 RPM content synchronization tasks can run simultaneously by default, with each using up to 1 GB of metadata.

Software Collections

Software collections are installed in the /opt/rh/ and /opt/theforeman/ directories.

Write and execute permissions by the root user are required for installation to the /opt directory.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/ and /var/lib/mongodb/.

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.

1.4. Supported Operating Systems

You can install the operating system from a disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Capsule Server is supported only on the latest versions of Red Hat Enterprise Linux 7 Server that is available at the time when Capsule Server 6.7 is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

Red Hat Capsule Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Capsule Server first, then create a backup of the system before adding any non-Red Hat software.

Install Capsule Server on a freshly provisioned system.

Do not register Capsule Server to the Red Hat Content Delivery Network (CDN).

Red Hat does not support using the system for anything other than running Capsule Server.

1.5. Ports and Firewalls Requirements

For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

The installation of a Capsule Server fails if the ports between Satellite Server and Capsule Server are not open before installation starts.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.

Required ports can change based on your configuration.

A matrix table of ports is available in the Red Hat Knowledgebase solution Red Hat Satellite 6.6 List of Network Ports.

The following tables indicate the destination port and the direction of network traffic:

Table 1.2. Ports for Capsule to Satellite Communication

PortProtocolServiceRequired For

5646

TCP

amqp

Capsule’s Qpid dispatch router to Qpid dispatch router in Satellite

Table 1.3. Ports for Client to Capsule Communication

PortProtocolServiceRequired for

80

TCP

HTTP

Anaconda, yum, and for obtaining Katello certificate updates

443

TCP

HTTPS

Anaconda, yum, Telemetry Services, and Puppet

5646

TCP

AMQP

The Capsule Qpid dispatch router to the Qpid dispatch router in Satellite

5647

TCP

AMQP

Katello agent to communicate with Capsule’s Qpid dispatch router

8000

TCP

HTTPS

Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware

8140

TCP

HTTPS

Puppet agent to Puppet master connections

8443

TCP

HTTPS

Subscription Management Services and Telemetry Services

9090

TCP

HTTPS

Sending SCAP reports to the Capsule and for the discovery image during provisioning

53

TCP and UDP

DNS

Client DNS queries to a Capsule’s DNS service (Optional)

67

UDP

DHCP

Client to Capsule broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional)

69

UDP

TFTP

Clients downloading PXE boot image files from a Capsule for provisioning (Optional)

5000

TCP

HTTPS

Connection to Katello for the Docker registry (Optional)

Table 1.4. Ports for Capsule to Client Communication

PortProtocolServiceRequired For

7

TCP and UDP

ICMP

DHCP Capsule to Client network, ICMP ECHO to verify IP address is free (Optional)

68

UDP

DHCP

Capsule to Client broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional)

8443

TCP

HTTP

Capsule to Client "reboot" command to a discovered host during provisioning (Optional)

Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.

Table 1.5. Optional Network Ports

PortProtocolServiceRequired For

22

TCP

SSH

Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible.

7911

TCP

DHCP

  • Capsule originated commands for orchestration of DHCP records (local or external).
  • If DHCP is provided by an external service, you must open the port on the external server.
Note

A DHCP Capsule sends an ICMP ECHO to confirm an IP address is free, no response of any kind is expected. ICMP can be dropped by a networked-based firewall, but any response prevents the allocation of IP addresses.

1.6. Enabling Connections from Capsule Server to Satellite Server

On Satellite Server, you must enable the incoming connection from Capsule Server to Satellite Server and make this rule persistent across reboots.

Prerequisites

  • Ensure that the firewall rules on Satellite Server are configured to enable connections for client to Satellite communication, because Capsule Server is a client of Satellite Server. For more information, see Enabling Connections from a Client to Satellite Server in Installing Satellite Server from a Connected Network.

Procedure

  1. On Satellite Server, enter the following command to open the port for Capsule to Satellite communication:

    # firewall-cmd --add-port="5646/tcp"
  2. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent

1.7. Enabling Connections from Satellite Server and Clients to a Capsule Server

On the base operating system on which you want to install Capsule, you must enable incoming connections from Satellite Server and clients to Capsule Server and make these rules persistent across reboots.

Procedure

  1. On the base operating system on which you want to install Capsule, enter the following command to open the ports for Satellite Server and clients communication to Capsule Server:

    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
    --add-port="67/udp" --add-port="69/udp" \
    --add-port="80/tcp" --add-port="443/tcp" \
    --add-port="5000/tcp" --add-port="5647/tcp" \
    --add-port="8000/tcp" --add-port="8140/tcp" \
    --add-port="8443/tcp" --add-port="9090/tcp"
  2. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent

1.8. Verifying Firewall Settings

Use this procedure to verify your changes to the firewall settings.

Procedure

To verify the firewall settings, complete the following step:

  1. Enter the following command:

    # firewall-cmd --list-all

For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.