How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6.1 (and later)
  • Red Hat Enterprise Linux 5.8 (and later)
  • Red Hat Subscription Management (RHSM)
  • Red Hat Satellite 5.6 and 5.7 (when migrating from RHN to RHSM)
  • Red Hat Satellite 5.8
  • Red Hat Satellite 6

Issue

  • How do I configure the system so that yum can reach Red Hat Subscription Management (RHSM) through a firewall or proxy?
  • Which URLs and ports do I need to configure on the proxy server to reach RHSM?
  • How do I access RHSM (yum) through a firewall?
  • Registration fails because of a network error
  • Red Hat Satellite 6 cannot synchronize content from Red Hat. I suspect the corporate firewall is blocking the traffic. Which hostnames do I need to give the network security team so that content synchronization is allowed?
  • Our network team needs IP addresses to allow our Red Hat Satellite 6 installation to communicate with the Content Delivery Network. We cannot use hostnames; we must use IP addresses or ranges.

Resolution

The following hostnames and ports must be allowed on the outbound network firewall so that yum and subscription-manager can reach the Red Hat subscription service and the Content Delivery Network (the same applies to Satellite 5.8 and Satellite 6+ content synchronization):

  • subscription.rhn.redhat.com:443 [https]
  • subscription.rhsm.redhat.com:443 [https] (this is the new default in more recent releases of RHEL 7)
  • cdn.redhat.com:443 [https]
  • *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

Specifying IP addresses is not recommended, because packages are published through the Akamai network and the IP addresses can change. However, if your firewall cannot filter by hostname, Red Hat provides a pool of IP addresses that should be able to serve CDN delivery.

  • For pulling container images, the AWS domains must also be allowed, as described in the article aws

Note: if the system sits behind an HTTP proxy, add the following to /etc/rhsm/rhsm.conf:

# an http proxy server to use (enter server FQDN)
proxy_hostname = myproxy.example.com

# port for http proxy server
proxy_port = 8080

# user name for authenticating to an http proxy, if needed
proxy_user = proxy_username

# password for basic http proxy auth, if needed
proxy_password = proxy_password
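
An added example (not part of this article): it reads the proxy_hostname, proxy_port, proxy_user and proxy_password values from the [server] section of /etc/rhsm/rhsm.conf and sends one HTTPS request to each hostname listed above through that proxy, so the firewall and proxy rules can be verified before running subscription-manager or yum. The function names and the 3128 fallback port (squid's default) are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: read the proxy settings that
# subscription-manager uses from the [server] section of rhsm.conf and probe
# each endpoint the article lists through that proxy (or directly when no
# proxy_hostname is set). Function names are this example's own.

# Print the value of <key> from the [server] section of an rhsm.conf file.
# Usage: rhsm_conf_get <file> <key>
rhsm_conf_get() {
    awk -v key="$2" '
        /^\[/ { in_server = ($0 == "[server]"); next }
        in_server && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Build the proxy URL curl expects (http://[user:pass@]host:port) from the
# rhsm.conf values; prints nothing when proxy_hostname is empty. Falls back
# to port 3128 (squid default, an assumption here) when proxy_port is blank.
rhsm_proxy_url() {
    local conf="$1" host port user pass auth=""
    host=$(rhsm_conf_get "$conf" proxy_hostname)
    [ -n "$host" ] || return 0
    port=$(rhsm_conf_get "$conf" proxy_port)
    user=$(rhsm_conf_get "$conf" proxy_user)
    pass=$(rhsm_conf_get "$conf" proxy_password)
    if [ -n "$user" ]; then auth="${user}:${pass}@"; fi
    printf 'http://%s%s:%s\n' "$auth" "$host" "${port:-3128}"
}

# Send an HTTPS request to each required endpoint and report the result.
# Any HTTP status (even 401/403/404) proves the firewall lets the TLS
# connection through; 407 means the proxy wants proxy_user/proxy_password;
# a curl failure (exit 7, 28, 35, 56) points at the firewall or the proxy.
rhsm_check_endpoints() {
    local conf="${1:-/etc/rhsm/rhsm.conf}" proxy url code
    proxy=$(rhsm_proxy_url "$conf")
    for url in https://subscription.rhsm.redhat.com/subscription/ \
               https://subscription.rhn.redhat.com/subscription/ \
               https://cdn.redhat.com/; do
        # curl honours https_proxy; an empty value means connect directly.
        code=$(https_proxy="$proxy" curl -s -o /dev/null -w '%{http_code}' \
               --max-time 15 "$url" 2>/dev/null) || code="curl exit $?"
        printf '%-52s %s\n' "$url" "$code"
    done
}

# Usage: ./rhsm_check.sh --check [/path/to/rhsm.conf]
if [ "${1:-}" = "--check" ]; then rhsm_check_endpoints "${2:-}"; fi
```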

Root Cause

  • The firewall or proxy is not configured to allow access to RHSM.
  • Some firewalls or organizations cannot filter by hostname and may need finer-grained control.

Diagnostic Steps

When subscription-manager cannot reach the URLs above because of a firewall and/or proxy, errors such as the following are seen:

  • When trying to run 'subscription-manager register', this error is seen (in /var/log/rhsm/rhsm.log):
2014-04-16 18:07:53,063 [INFO]  @connection.py:657 - Connection Built: host: subscription.rhn.redhat.com, port: 443, handler: /subscription
2014-04-16 18:07:53,108 [DEBUG] @connection.py:420 - Loading CA PEM certificates from: /etc/rhsm/ca/
2014-04-16 18:07:53,108 [DEBUG] @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2014-04-16 18:07:53,109 [DEBUG] @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2014-04-16 18:07:53,109 [DEBUG] @connection.py:426 - Using proxy: proxy.example.com:3128
2014-04-16 18:07:53,109 [DEBUG] @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
2014-04-16 18:07:53,173 [ERROR] @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
2014-04-16 18:07:53,174 [ERROR] @utils.py:363 - [Errno 111] Connection refused
Traceback (most recent call last):
File "/usr/share/rhsm/subscription_manager/utils.py", line 341, in get_server_versions
if cp.supports_resource("status"):
File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 683, in supports_resource
self._load_supported_resources()
File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 670, in _load_supported_resources
resources_list = self.conn.request_get("/")
File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 541, in request_get
return self._request("GET", method)
File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 448, in _request
conn.request(request_type, handler, body=body, headers=headers)
File "/usr/lib64/python2.6/httplib.py", line 914, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
self.endheaders()
File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 200, in endheaders
httpslib.HTTPSConnection.endheaders(self)
File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
self._send_output()
File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
self.send(msg)
File "/usr/lib64/python2.6/httplib.py", line 739, in send
self.connect()
File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 192, in connect
HTTPConnection.connect(self)
File "/usr/lib64/python2.6/httplib.py", line 720, in connect
self.timeout)
File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
raise error, msg
error: [Errno 111] Connection refused

... The solution was to add the client machine's IP to the corporate firewall to allow access to subscription.rhn.redhat.com.

  • This error is seen when running yum:
[root@rhsm ~]# yum update
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Error: failed to retrieve repodata/89cb7993fa65f2293e1b188014e0266343598f276e1af053c3189f6db6b488b1-primary.xml.gz from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"

... The solution was to add the proxy information to /etc/rhsm/rhsm.conf.

  • This error is seen when registering a system behind a firewall to RHSM:
Unable to verify server's identity: (104, 'Connection reset by peer')
  • tcpdump output showed that the firewall had rules in its 'WEB Filter' that may block or modify the packets sent to the server.
  1. Check the time settings on the system

SSL certificate validation depends on the date and time falling within the certificate's validity period. Make sure the system has the current date and time.

# grep ZONE /etc/sysconfig/clock

The time should match between the configured TZ and the current date/time:

# date

RHEL5 and RHEL6:

# ntpq -p

RHEL7:

# chronyc sources

or

# chronyc tracking
(to check for any jitter)
  2. Check the internal network and proxy configuration

Make sure the local network has the proper routing and SSL proxy rules in place so that it can connect to external networks.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
