Why Global Registration method requires the access to port 80 to be opened for the Red Hat Satellite server?

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6

Issue

  • When trying to register a system with Red Hat Satellite using the Global Registration process, the registration completes but:

    • Shows one of the following error messages:

      Refreshing subscription data
      All local data refreshed
      curl: (7) Failed to connect to satellite.example.com port 80: No route to host
      Host [host.example.com] successfully configured, but failed to set built status.
      Successfully updated the system facts.
      
      Refreshing subscription data
      All local data refreshed
      curl: (7) Failed to connect to satellite.example.com port 80: Connection timed out
      Host [host.example.com] successfully configured, but failed to set built status.
      Successfully updated the system facts.
      
    • The host profile remains in Build mode.

  • Referring to Table 1.3. Satellite Server incoming traffic, it suggests that port 80 is required to be opened along with port 443 for registering hosts to the Red Hat Satellite. Why does port 80 need to be opened, since it would result in insecure connectivity?

Resolution

  • Refer to the Root Cause section of this article to understand why port 80 is needed by the global registration process.

  • To avoid opening any incoming connection to port 80 ( http ) for the concerned Red Hat Satellite server,

    • Navigate to the Settings > Provisioning page in the WebUI.
    • Look for the setting called Unattended URL.
    • Change its protocol from http to https and save the new URL value.
  • This allows the Global Registration to complete using port 443 (i.e. over https) only and removes the requirement for http port 80.

  • NOTE: Although this approach lets the registration complete without needing port 80 to be opened, it affects the system deployment process of Red Hat Satellite, which still needs to connect to http endpoints (port 80). Hence the provisioning attempts may fail. This is a known problem and is being improved via JIRA SAT-14987.

Root Cause

  • The Global Registration method comprises several underlying actions that are responsible not only for registration but also for post-registration work, e.g. registering with Insights, setting up SSH keys for remote execution, or installing additional packages.

  • To be able to do so, the host profile needs to be put into build mode, and at the very end it needs to be taken out of build mode.

  • When it's time to take the host out of build mode, the following command is executed, where the /unattended/built endpoint is called over http and not https, i.e.

    # curl --silent --show-error -o /dev/null --noproxy '*' 'http://satellite.example.com/unattended/built?token=<build token for the host profile>'
    

    and hence, the concerned Red Hat Satellite server needs to be able to accept the incoming traffic on port 80 ( i.e. http ).
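
    The symptom and the port dependency described above can be checked with a small script. This is an added example, not Red Hat code: the function names unattended_port and diagnose_registration are hypothetical, and the sample input is the error output quoted in the Issue section.

```bash
#!/usr/bin/env bash
# Added example (not Red Hat code). Function names are hypothetical.

# Print the TCP port a host must reach for a given Unattended URL
# (hostname or IPv4 only; an explicit :port in the URL wins).
unattended_port() {
    local url="$1" rest default
    case $url in
        http://*)  rest=${url#http://};  default=80 ;;
        https://*) rest=${url#https://}; default=443 ;;
        *) return 1 ;;
    esac
    rest=${rest%%/*}
    case $rest in
        *:*) echo "${rest##*:}" ;;
        *)   echo "$default" ;;
    esac
}

# Read registration output on stdin and print one verdict line.
# Returns 0 = no symptom, 1 = built status failed for another reason,
# 2 = built callback could not connect (host stays in Build mode).
diagnose_registration() {
    local line target="" port="" built_failed=0
    while IFS= read -r line; do
        case $line in
            *"curl: (7) Failed to connect to "*" port "*)
                line=${line#*Failed to connect to }
                target=${line%% port *}
                port=${line#* port }
                port=${port%%[!0-9]*} ;;
            *"failed to set built status"*) built_failed=1 ;;
        esac
    done
    if [ "$built_failed" -eq 1 ] && [ -n "$port" ]; then
        echo "BLOCKED: built callback to $target port $port failed"
        return 2
    elif [ "$built_failed" -eq 1 ]; then
        echo "FAILED: built status not set, no curl connect error seen"
        return 1
    fi
    echo "OK: no built-status failure in output"
}

# Sample input: the error output quoted in the Issue section.
SAMPLE='curl: (7) Failed to connect to satellite.example.com port 80: No route to host
Host [host.example.com] successfully configured, but failed to set built status.'
printf '%s\n' "$SAMPLE" | diagnose_registration || true
unattended_port 'https://satellite.example.com'
```

    Pipe the saved output of a registration run into diagnose_registration, and pass the current Unattended URL value to unattended_port to see which port the firewall must allow.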

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
