Bug 1160267 - Following install guide causes katello-installer to fail
Keywords:
Status: CLOSED DUPLICATE of bug 1161254
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: Unspecified
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Athene Chan
QA Contact: David O'Brien
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-04 13:31 UTC by Aaron Hilton
Modified: 2015-05-11 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Build Name: 22922, Installation Guide-6.0-1 Build Date: 03-10-2014 10:50:13 Topic ID: 9711-714936 [Latest]
Last Closed: 2014-11-10 07:19:23 UTC
Target Upstream Version:
Embargoed:



Description Aaron Hilton 2014-11-04 13:31:03 UTC
Title: Installing Red Hat Satellite

Describe the issue:
The problem occurs when following the install instructions on https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/chap-Red_Hat_Satellite_Installation.html#Installing_Red_Hat_Satellite

If you follow the instructions in section 2.1 step 6 - running the following commands
# iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
# iptables-save > /etc/sysconfig/iptables

prior to running katello-installer in section 3, katello-installer will fail as it is not able to communicate with Elasticsearch, since the service-wait command in the script is not able to verify that Elasticsearch is started since traffic to port 9200 is dropped for all except the foreman and katello users.

Suggestions for improvement:

Move step 6 of section 2.1 to a point AFTER sections 2.3 and 2.4, but before section 3.

Additional information:

I am also concerned about how having these ports blocked may cause future upgrades to fail for the same reasons.

Comment 1 Aaron Hilton 2014-11-04 13:31:55 UTC
This was noted when installing Satellite 6.0.4.

Comment 2 Aaron Hilton 2014-11-04 13:32:46 UTC
Also, I ran into this problem when installing on RHEL 6.5, 6.6, and 7.0 before determining the source of the problem.

Comment 3 RHEL Program Management 2014-11-04 13:43:05 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Athene Chan 2014-11-10 07:19:23 UTC
Hello Aaron,

Thank you for the feedback! We're addressing this and publishing the solution this week.


The changes would be to run the following firewall rules after running katello-installer:

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
iptables-save > /etc/sysconfig/iptables

The additional rule for root has been added to allow the installer to run.

This is tagged as a duplicate of bug: https://bugzilla.redhat.com/show_bug.cgi?id=1161254

Cheers,
Athene

*** This bug has been marked as a duplicate of bug 1161254 ***
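
A check for the rule ordering discussed in this thread, as an added example that is not part of the bug report or the Satellite documentation: it reads saved OUTPUT-chain rules and reports which UIDs can reach loopback port 9200 before the DROP. The sample rule sets, the numeric UIDs for foreman and katello, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples in `iptables -S OUTPUT` / iptables-save form, which
# records owners as numeric UIDs (assumed here: 498=foreman, 497=katello).
R='-A OUTPUT -o lo -p tcp -m tcp --dport 9200'
GUIDE_RULES="$R -m owner --uid-owner 498 -j ACCEPT
$R -m owner --uid-owner 497 -j ACCEPT
$R -j DROP"
# Revised order from the thread: root (UID 0) accepted before the DROP.
REVISED_RULES="$R -m owner --uid-owner 498 -j ACCEPT
$R -m owner --uid-owner 497 -j ACCEPT
$R -m owner --uid-owner 0 -j ACCEPT
$R -j DROP"
# A root rule added later with -A lands after the DROP and never matches.
APPENDED_RULES="$GUIDE_RULES
$R -m owner --uid-owner 0 -j ACCEPT"

# Print the owners accepted on lo:9200 before the catch-all DROP, one per
# line ("ANY" for an ACCEPT with no owner match). Status 1 if no DROP is found.
es_allowed_owners() {
    awk '
    /^-A OUTPUT / && / -o lo / && / --dport 9200 / {
        owner = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--uid-owner") owner = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT") print (owner == "" ? "ANY" : owner)
        if (target == "DROP" && owner == "") { dropped = 1; exit }
    }
    END { exit (dropped ? 0 : 1) }'
}

# es_missing_owners RULES UID...: print the UIDs that are not accepted
# before the DROP; status 0 only when none are missing.
es_missing_owners() {
    rules=$1; shift
    allowed=$(printf '%s\n' "$rules" | es_allowed_owners) || { echo "no-drop"; return 2; }
    missing=""
    for want in "$@"; do
        printf '%s\n' "$allowed" | grep -qx -e "$want" -e ANY || missing="$missing $want"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Demo on the constructed samples: the guide's rules leave root (0) blocked.
es_missing_owners "$GUIDE_RULES" 0 498 497 || true
es_missing_owners "$REVISED_RULES" 0 498 497
```

On a host, feed `es_allowed_owners` the output of `iptables -S OUTPUT` and pass `es_missing_owners` the UIDs reported by `id -u foreman` and `id -u katello`, plus 0 for root.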

