Bug 2247445

| Summary: | Requirement of port 80 is not clearly mentioned in case of Global Registration Method | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Sayan Das <saydas> |
| Component: | Registration | Assignee: | Malhar Jivrajani <mjivraja> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.13.4 | CC: | ahumbe, ekohlvan, gisoni, lstejska, mjivraja, zuansorg |
| Target Milestone: | 6.15.0 | Keywords: | Documentation, Triaged |
| Target Release: | Unused | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-02-01 10:58:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Sayan Das, 2023-11-01 10:16:55 UTC (comment #0):

Satellite by default does not have the template feature enabled and hence, to submit/update the build status of a host, this API "GET /unattended/built?token=<token here>" always targets port 80 of Satellite over HTTP.

This is the very last step of the Global Registration method and if port 80 is blocked, this step will fail.

For external capsules,
--> Templates feature is enabled
--> So any template retrieval or build status submission happens over port 8000

So port 80 is not directly needed here.

---

Hello Sayan, many thanks for reporting this suggestion for improvement. The documentation team will look into it and share an update about the progress of its implementation in this ticket. Thank you!

---

Ewoud Kohl van Wijngaarden (comment #2):

(In reply to Sayan Das from comment #0)
> Satellite by default does not have template feature enabled and hence to
> submit/update build status of a host, This API "GET
> /unattended/built?token=<token here>" always targets port 80 of satellite
> over http.
>
> This is the very last step of the Global Registration method and if port 80
> is blocked, This step will fail.
>
> For external capsules,
> --> Templates feature is enabled
> --> So any template retrieval or build status submission happens over port
> 8000
>
> So port 80 is not directly needed here.

I think this is actually a bug rather than something we need to fix in documentation. The whole design idea was that registration would happen securely over HTTPS and this breaks that promise.

---

Link to the PR: https://github.com/theforeman/foreman-documentation/pull/2680

---

Sayan Das (comment #5):

(In reply to Ewoud Kohl van Wijngaarden from comment #2)
> (In reply to Sayan Das from comment #0)
> > Satellite by default does not have template feature enabled and hence to
> > submit/update build status of a host, This API "GET
> > /unattended/built?token=<token here>" always targets port 80 of satellite
> > over http.
> >
> > This is the very last step of the Global Registration method and if port 80
> > is blocked, This step will fail.
> >
> > For external capsules,
> > --> Templates feature is enabled
> > --> So any template retrieval or build status submission happens over port
> > 8000
> >
> > So port 80 is not directly needed here.
>
> I think this is actually a bug rather than something we need to fix in
> documentation. The whole design idea was that registration would happen
> securely over HTTPS and this breaks that promise.

I agree, and before raising this BZ I had raised the same point in the Slack channel, but I was told that the default requirement of the /unattended/built endpoint in satellite/foreman is http, i.e. port 80.

I do know that port 8000 can also be used, which would make the communication https entirely, and perhaps these steps would be good enough, i.e.

* Enable "Templates" feature via installer option in satellite
* Enable incoming connection to port 8000 of satellite
* Optionally, select the Templates Capsule for all the applicable subnets

But perhaps QE needs to test it out and the Dev team needs to agree on this approach before this can be documented and enforced for the end-users.

---

(In reply to Sayan Das from comment #5)
> (In reply to Ewoud Kohl van Wijngaarden from comment #2)
> > (In reply to Sayan Das from comment #0)
> > > Satellite by default does not have template feature enabled and hence to
> > > submit/update build status of a host, This API "GET
> > > /unattended/built?token=<token here>" always targets port 80 of satellite
> > > over http.
> > >
> > > This is the very last step of the Global Registration method and if port 80
> > > is blocked, This step will fail.
> > >
> > > For external capsules,
> > > --> Templates feature is enabled
> > > --> So any template retrieval or build status submission happens over port
> > > 8000
> > >
> > > So port 80 is not directly needed here.
> >
> > I think this is actually a bug rather than something we need to fix in
> > documentation. The whole design idea was that registration would happen
> > securely over HTTPS and this breaks that promise.
>
> I agree and before raising this BZ , i had raised the same point in slack
> channel but I was told that the default requirement of /unattended/built
> endpoint in satellite/foreman is http i.e. port 80

Yes, the foreman_url method is indeed for the unattended URL.

In https://bugzilla.redhat.com/show_bug.cgi?id=2159669 we had some discussion about moving this communication to HTTPS, but I think it's unlikely we'll complete that soon. I'd instead suggest finding some way to enhance foreman_url or introducing some other way to get the HTTPS URL to the unattended controller.

> I do know that port 8000 can also be used which would make the communication
> https entirely and perhaps these steps would be good enough i.e.
>
> * Enable "Templates" feature via installer option in satellite
> * Enable incoming connection to port 8000 of satellite
> * Optionally, select the Templates Capsule for all the applicable subnets
>
>
> But perhaps QE needs to test it out and Dev team needs to agree on this
> approach before this can be documented and enforced for the end-users

Port 8000 on the Capsule is plain text HTTP. It does not solve anything if you want encrypted communications.

---

I apologize. I perhaps wanted to mention that that may deflect the usage of port 80 (which is a red flag for many scanners) and may allow using port 8000. Even though both are http only, the customers do accept the usage of port 8000.

But I do 100% agree that we need to see how this can be improved, i.e. how we can remove the additional need for http during host registrations.

As we already have a product RFE opened in https://bugzilla.redhat.com/show_bug.cgi?id=2159669, I believe at some point developers would try to improve this and ensure that Satellite is not dependent on port 80 for any important operations.

But for now, it is needed for sure while registering directly with Satellite via the global-reg method, and hence either it needs to be documented or somehow we need to find an alternative and document that instead.

---

Yes, I think we both agree that there are 2 issues. This bug is that global registration needs plain text HTTP (which is not how it was intended).

Then https://bugzilla.redhat.com/show_bug.cgi?id=2159669 is about the much bigger issue, which is that unattended provisioning needs plain text HTTP, which also relates to external components like Anaconda.

---

Hi, AFAIK the HTTP port 80 is needed just for the callback home in the host_init_config_default template. Otherwise, all the communication should be secured and over https.

[0] https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/host_init_config/host_init_config_default.erb#L95

---

Yes, that is exactly the problematic line. That should somehow be changed to use HTTPS. The foreman_url macro doesn't look flexible enough right now. A more accurate name would be foreman_unattended_url, since it can only link to the unattended controller, and possibly use a Capsule with the templates feature. The unattended link uses the unattended_url setting, which by default is using HTTP. Changing that to HTTPS would work around this issue partially, but break unattended workflows.

---

Link to the updated and published documents: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#Ports_and_Firewalls_Requirements_satellite

This is applied until Satellite 6.12. Satellite 6.11 is EOL: https://access.redhat.com/support/policy/updates/satellite
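As an added illustration of the port requirement discussed in this thread (this is not code from the bug report, Foreman or Satellite): a small audit that reads the call-home URLs out of a registration script excerpt and reports which host/port pairs a firewall must allow and which of them, in particular the /unattended/built callback, are plain HTTP whether on port 80 or on the Templates feature's port 8000. The script excerpts, hostnames and token are constructed placeholders.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed excerpts mimicking the final "call home" step of a Global
# Registration script. Hostnames and the token are placeholders, not real values.
DEFAULT_SCRIPT = """\
curl --silent 'https://satellite.example.com/register'
curl --silent 'http://satellite.example.com/unattended/built?token=PLACEHOLDER-TOKEN'
"""
# Same step when the Templates feature answers on the Capsule's port 8000.
TEMPLATES_CAPSULE_SCRIPT = """\
curl --silent 'https://satellite.example.com/register'
curl --silent 'http://capsule.example.com:8000/unattended/built?token=PLACEHOLDER-TOKEN'
"""

def classify_url(url):
    """Resolve scheme, host and effective port; note whether the hop is encrypted."""
    u = urlparse(url)
    return {
        "url": url,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "encrypted": u.scheme == "https",
        "built_callback": u.path.startswith("/unattended/built"),
    }

def audit_script(text):
    """Classify every URL the script contacts, in order of appearance."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(text)]

def required_ports(findings):
    """(host, port) pairs a firewall must allow for the script to complete."""
    return {(f["host"], f["port"]) for f in findings}

def plain_http_callbacks(findings):
    """Build-status callbacks that leave the host unencrypted (port 80 or 8000)."""
    return [f["url"] for f in findings if f["built_callback"] and not f["encrypted"]]

if __name__ == "__main__":
    for name, script in (("default", DEFAULT_SCRIPT),
                         ("templates on capsule", TEMPLATES_CAPSULE_SCRIPT)):
        found = audit_script(script)
        print(name, "needs:", sorted(required_ports(found)))
        print(name, "plain-HTTP callbacks:", plain_http_callbacks(found))
```

Both excerpts end with a plain-HTTP callback; the Templates feature only moves it from port 80 to port 8000, which is the point made in the thread.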