Bug 1161576

Summary: Allow root to connect to port 9200
Product: Red Hat Satellite Reporter: Pavel Moravec <pmoravec>
Component: Docs Install Guide Assignee: Athene Chan <achan>
Status: CLOSED DUPLICATE QA Contact: David O'Brien <daobrien>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0.4 CC: mmurray, xdmoon
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Build Name: 22922, Installation Guide-6.0-1 Build Date: 03-10-2014 10:50:13 Topic ID: 9711-714936 [Latest]
Last Closed: 2014-11-10 23:09:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pavel Moravec 2014-11-07 11:20:05 UTC
Title: Installing Red Hat Satellite

Describe the issue:
Step 6: "Run the following commands to configure the firewall to limit elasticsearch to foreman and katello users and make these rules persistent during reboots: " modifies the firewall in such a way that elasticsearch (on port 9200) can get connections from processes owned by foreman or katello. While during installation, the katello-install script runs a check:

/bin/bash /usr/share/katello-installer/modules/service_wait/bin/service-wait elasticsearch start

under the root user that tests that port's accessibility (wget and curl against http://localhost:9200 are invoked).

Following the installation manual, this check would fail with the error:

 Could not start Service[elasticsearch]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait elasticsearch start' returned 5: Starting elasticsearch (via systemctl):  [  OK  ]

(installation will succeed, just the error will appear, which is confusing for an end user)


Suggestions for improvement:
Add a rule there allowing root to access the port, i.e.:

- s/to foreman and katello users/to root, foreman and katello users/
- add line:

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&&

to the box with commands (before "-j DROP" line)


Additional information:
I am curious why installations (with the default firewall set and strictly following the manual) could ever succeed without hitting this error. I installed Sat6 many times and hit this for the first time - on RHEL7 installed from ISO with a few packages updated.
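
The rule-ordering point in the report above (the root ACCEPT has to sit before the "-j DROP" line), as an added example that is not part of the original bug report or the installation guide: a first-match check over `iptables -A` command lines. The foreman, katello and DROP lines are constructed to mirror the root rule quoted in the report, `apache` stands in for a hypothetical unlisted account, and a default-ACCEPT OUTPUT policy is assumed.

```shell
#!/bin/sh
# Added example: which verdict does a local user get when connecting to
# localhost:9200? iptables takes the first matching rule, so order matters.

# Constructed rule sets in the "iptables -A ..." form quoted in the report.
BASE='-A OUTPUT -o lo -p tcp -m tcp --dport 9200'
RULES_GUIDE="iptables $BASE -m owner --uid-owner foreman -j ACCEPT
iptables $BASE -m owner --uid-owner katello -j ACCEPT
iptables $BASE -j DROP"
ROOT_RULE="iptables $BASE -m owner --uid-owner root -j ACCEPT"
RULES_ROOT_FIRST="$ROOT_RULE
$RULES_GUIDE"
RULES_ROOT_LAST="$RULES_GUIDE
$ROOT_RULE"

# verdict_for_user RULES USER -> prints ACCEPT or DROP
verdict_for_user() {
    printf '%s\n' "$1" | awk -v user="$2" '
        $2 != "-A" || $3 != "OUTPUT" { next }
        {
            dport = ""; owner = ""; target = ""
            for (i = 4; i < NF; i++) {
                if ($i == "--dport")     dport  = $(i + 1)
                if ($i == "--uid-owner") owner  = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
            }
            if (dport != "9200") next
            # A rule with no owner match applies to every local user.
            if (owner == "" || owner == user) { print target; found = 1; exit }
        }
        END { if (!found) print "ACCEPT" }  # assumed default OUTPUT policy
    '
}

# Print the verdict for each constructed rule set and user.
for set in GUIDE ROOT_FIRST ROOT_LAST; do
    eval "rules=\$RULES_$set"
    for u in root foreman apache; do
        echo "$set: $u -> $(verdict_for_user "$rules" "$u")"
    done
done
```

The ROOT_LAST set shows why appending the root rule after the DROP line changes nothing: the unconditional DROP matches first.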

Comment 2 Athene Chan 2014-11-10 23:09:06 UTC
Hello Pavel,

This issue is being resolved today or tomorrow with an async update. Please check BZ#1161254 for more details.

Thank you for your feedback!

Cheers,
Athene

*** This bug has been marked as a duplicate of bug 1161254 ***