Bug 1160267

Summary: Following install guide causes katello-installer to fail
Product: Red Hat Satellite
Reporter: Aaron Hilton <hiltona>
Component: Docs Install Guide
Assignee: Athene Chan <achan>
Status: CLOSED DUPLICATE
QA Contact: David O'Brien <daobrien>
Severity: high
Priority: unspecified
Version: Unspecified
CC: mmurray
Target Milestone: Unspecified
Target Release: Unused
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Build Name: 22922, Installation Guide-6.0-1 Build Date: 03-10-2014 10:50:13 Topic ID: 9711-714936 [Latest]
Last Closed: 2014-11-10 07:19:23 UTC
Type: Bug

Description Aaron Hilton 2014-11-04 13:31:03 UTC
Title: Installing Red Hat Satellite

Describe the issue:
The problem occurs when following the install instructions on https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/chap-Red_Hat_Satellite_Installation.html#Installing_Red_Hat_Satellite

If you follow the instruction in section 2.1 step 6 - running the following commands 
# iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
# iptables-save > /etc/sysconfig/iptables

prior to running katello-installer in section 3, katello-installer will fail as it is not able to communicate with elastic search, since the service-wait command in the script is not able to verify that elasticsearch is started since traffic to port 9200 is dropped for all except the foreman and katello users. 

Suggestions for improvement:

Move step 6 of section 2.1 to a point AFTER section 2.3 and 2.4, but before section 3

Additional information:

I am also concerned about how having these ports blocked may cause future upgrades to fail for the same reasons.

Comment 1 Aaron Hilton 2014-11-04 13:31:55 UTC
This was noted when installing Satellite 6.0.4

Comment 2 Aaron Hilton 2014-11-04 13:32:46 UTC
Also I ran into this problem when installing on RHEL 6.5, 6.6, and 7.0 before determining the source of the problem

Comment 3 RHEL Program Management 2014-11-04 13:43:05 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Athene Chan 2014-11-10 07:19:23 UTC
Hello Aaron,

Thank you for the feedback! We're addressing this and publishing the solution this week.


The changes would be to run the following firewall rules after running katello-installer:

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
iptables-save > /etc/sysconfig/iptables

The additional rule for root has been added to allow the installer to run.

This is tagged as a duplicate of bug: https://bugzilla.redhat.com/show_bug.cgi?id=1161254

Cheers,
Athene

*** This bug has been marked as a duplicate of bug 1161254 ***
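
The behaviour reported here follows from iptables taking the first matching rule in the chain: any local user without its own ACCEPT rule falls through to the final DROP. The shell function below is an added example, not taken from the bug report or the Installation Guide; `verdict_for`, `RULES_ORIGINAL` and `RULES_REVISED` are names made up for it, and the rule text is copied from the commands quoted in the description and in comment 5.

```shell
#!/bin/sh
# Added example: walk the OUTPUT rules in order and report what happens to a
# loopback TCP connection to port 9200 opened by a given local user.

# Constructed sample: the rules from section 2.1 step 6 (the failing set).
RULES_ORIGINAL='-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'

# Constructed sample: the revised rules from comment 5 (root added).
RULES_REVISED='-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'

# verdict_for OWNER RULES
# Prints the target of the first matching rule, or POLICY if none matches.
# OWNER is compared as a literal string, so pass it in the same form (name
# or numeric UID) that the rules use. Negated matches ("!") are not handled.
verdict_for() {
    printf '%s\n' "$2" | awk -v user="$1" '
        $1 == "-A" && $2 == "OUTPUT" {
            owner = ""; dport = ""; oif = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--uid-owner") owner  = $(i + 1)
                if ($i == "--dport")     dport  = $(i + 1)
                if ($i == "-o")          oif    = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
            }
            # Only rules for loopback traffic to port 9200 are relevant.
            if (oif != "lo" || dport != "9200") next
            # A rule with an owner match applies to that owner only.
            if (owner != "" && owner != user) next
            print target; found = 1; exit
        }
        END { if (!found) print "POLICY" }'
}

# Compare both rule sets for the accounts named in this bug.
for u in foreman katello root; do
    printf '%-8s original=%-7s revised=%s\n' "$u" \
        "$(verdict_for "$u" "$RULES_ORIGINAL")" \
        "$(verdict_for "$u" "$RULES_REVISED")"
done
```

To check a live system instead of the embedded samples, pass the output of `iptables -S OUTPUT` as the second argument.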