How to access Red Hat Subscription Manager (RHSM) through a firewall

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7 (and later)
  • Red Hat Enterprise Linux 6.1 (and later)
  • Red Hat Enterprise Linux 5.8 (and later)
  • Red Hat Subscription Management (RHSM)
  • Red Hat Satellite 5.6 and 5.7 (if migrating from RHN to RHSM)
  • Red Hat Satellite 5.8
  • Red Hat Satellite 6

Issue

  • How do I configure a system so that yum can reach Red Hat Subscription Management (RHSM) through a firewall or proxy?
  • Which URLs and ports must be configured on the proxy server to reach RHSM?
  • How do I access RHSM (yum) through a firewall?
  • Registration fails because of a network error
  • Red Hat Satellite 6 cannot synchronize content from Red Hat, and the corporate firewall is suspected of blocking the traffic. Which hostnames does the network security team need to allow so that content synchronization works?
  • The network team needs IP addresses so that the Red Hat Satellite 6 installation can connect to the Content Delivery Network, but it cannot work with hostnames and must use IP addresses or network ranges.

Resolution

Allow the following hostnames/ports in the outbound network firewall so that yum and subscription-manager can reach Red Hat and a Red Hat Satellite 6 server can synchronize its repositories:

  • subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] (the latter is the new default on newer RHEL 7 releases)
  • cdn.redhat.com:443 [https]
  • *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

Using IP addresses is not recommended: content delivered through the Akamai network is distributed across many nodes, and the IP addresses may change accordingly. However, if your firewall cannot filter by hostname, Red Hat provides the pool of IP addresses used by the CDN.

Note: if the system is configured to use an HTTP proxy, add the following details in /etc/rhsm/rhsm.conf:

# an http proxy server to use (enter server FQDN)
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =
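As an added example that is not part of the Red Hat article, the following POSIX shell helper reads an rhsm.conf-style file (the path is passed as an argument; /etc/rhsm/rhsm.conf is the real location) and reports whether the proxy settings above form a usable set. It assumes the proxy_* keys live under the [server] section, as they do in a stock rhsm.conf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: check the proxy settings in an
# rhsm.conf-style file before running subscription-manager or yum.
# Usage: rhsm_proxy_check.sh [/etc/rhsm/rhsm.conf]

# Print the value of KEY from the [server] section of FILE (empty if unset).
# Assumption: the proxy_* keys live under [server], as in a stock rhsm.conf.
rhsm_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_server = ($0 ~ /^[[:space:]]*\[server\][[:space:]]*$/); next }
        in_server && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop "key ="
            sub(/[[:space:]]+$/, "")            # drop trailing blanks
            print
            exit
        }' "$1"
}

# Report the state of the proxy configuration in FILE as one word:
#   none     no proxy configured; the host must reach the RHSM hostnames directly
#   ok       proxy_hostname and a numeric proxy_port are both set
#   noport   proxy_hostname set but proxy_port empty
#   badport  proxy_port is not a number
#   orphan   proxy_port or proxy_user set without a proxy_hostname (incomplete)
rhsm_proxy_check() {
    host=$(rhsm_conf_get "$1" proxy_hostname)
    port=$(rhsm_conf_get "$1" proxy_port)
    user=$(rhsm_conf_get "$1" proxy_user)
    if [ -z "$host" ]; then
        if [ -n "$port" ] || [ -n "$user" ]; then echo orphan; else echo none; fi
        return 0
    fi
    if [ -z "$port" ]; then
        echo noport
        return 0
    fi
    case "$port" in
        *[!0-9]*) echo badport ;;
        *)        echo ok ;;
    esac
}

if [ $# -gt 0 ]; then
    printf '%s: proxy config is %s\n' "$1" "$(rhsm_proxy_check "$1")"
fi
```

Run it as `sh rhsm_proxy_check.sh /etc/rhsm/rhsm.conf` after editing the file. The same keys can also be written from the command line with `subscription-manager config --server.proxy_hostname=proxy.example.com --server.proxy_port=3128` (values shown are the ones from the log excerpt below).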

Root Cause

  • No firewall or proxy configuration allowing access to RHSM
  • Some firewalls or components cannot work with hostnames and may need more granular control.

Diagnostic Steps

When Subscription-Manager cannot reach the URLs above because of a firewall or proxy, errors like the following may be seen:

  • When trying to run 'subscription-manager register', this error is seen (in /var/log/rhsm/rhsm.log):
2014-04-16 18:07:53,063 [INFO]  @connection.py:657 - Connection Built: host: subscription.rhn.redhat.com, port: 443, handler: /subscription
2014-04-16 18:07:53,108 [DEBUG]  @connection.py:420 - Loading CA PEM certificates from: /etc/rhsm/ca/
2014-04-16 18:07:53,108 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:426 - Using proxy: proxy.example.com:3128
2014-04-16 18:07:53,109 [DEBUG]  @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
2014-04-16 18:07:53,173 [ERROR]  @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
2014-04-16 18:07:53,174 [ERROR]  @utils.py:363 - [Errno 111] Connection refused
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/utils.py", line 341, in get_server_versions
    if cp.supports_resource("status"):
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 683, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 670, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 541, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 448, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 200, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 192, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg
error: [Errno 111] Connection refused

... The solution is to add the client's IP address to the corporate firewall so that it can reach subscription.rhn.redhat.com.

  • When running yum, this error is seen:
[root@rhsm ~]# yum update
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Error: failed to retrieve repodata/89cb7993fa65f2293e1b188014e0266343598f276e1af053c3189f6db6b488b1-primary.xml.gz from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"

... The solution is to add the proxy details to /etc/rhsm/rhsm.conf.

  • When registering a system behind a firewall to RHSM, this error is seen:

Unable to verify server's identity: (104, 'Connection reset by peer')
  • tcpdump output showed that some firewall rules in a 'WEB Filter' may have been blocking or modifying the packets sent to the server.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
