Bug 1160267 - Following install guide causes katello-installer to fail
Summary: Following install guide causes katello-installer to fail
Keywords:
Status: CLOSED DUPLICATE of bug 1161254
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: Unspecified
Hardware: x86_64
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Athene Chan
QA Contact: David O'Brien
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-04 13:31 UTC by Aaron Hilton
Modified: 2015-05-11 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Build Name: 22922, Installation Guide-6.0-1 Build Date: 03-10-2014 10:50:13 Topic ID: 9711-714936 [Latest]
Last Closed: 2014-11-10 07:19:23 UTC
Target Upstream Version:
Embargoed:



Description Aaron Hilton 2014-11-04 13:31:03 UTC
Title: Installing Red Hat Satellite

Describe the issue:
The problem occurs when following the install instructions on https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/chap-Red_Hat_Satellite_Installation.html#Installing_Red_Hat_Satellite

If you follow the instruction in section 2.1 step 6 - running the following commands 
# iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
# iptables-save > /etc/sysconfig/iptables

prior to running katello-installer in section 3, katello-installer will fail as it is not able to communicate with Elasticsearch, since the service-wait command in the script is not able to verify that Elasticsearch is started since traffic to port 9200 is dropped for all except the foreman and katello users.

Suggestions for improvement:

Move step 6 of section 2.1 to a point AFTER sections 2.3 and 2.4, but before section 3.

Additional information:

I am also concerned about how having these ports blocked may cause future upgrades to fail for the same reasons.

Comment 1 Aaron Hilton 2014-11-04 13:31:55 UTC
This was noted when installing Satellite 6.0.4.

Comment 2 Aaron Hilton 2014-11-04 13:32:46 UTC
Also, I ran into this problem when installing on RHEL 6.5, 6.6, and 7.0 before determining the source of the problem.

Comment 3 RHEL Program Management 2014-11-04 13:43:05 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Athene Chan 2014-11-10 07:19:23 UTC
Hello Aaron,

Thank you for the feedback! We're addressing this and publishing the solution this week.


The changes would be to run the following firewall rules after running katello-installer:

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
&& iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
iptables-save > /etc/sysconfig/iptables

The additional rule for root has been added to allow the installer to run.

This is tagged as a duplicate of bug: https://bugzilla.redhat.com/show_bug.cgi?id=1161254

Cheers,
Athene

*** This bug has been marked as a duplicate of bug 1161254 ***
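
The first-match behaviour behind this bug can be checked before an install or upgrade by evaluating a planned ruleset per user. The script below is an added example, not part of the bug report or of Red Hat's documentation. Assumptions: the helper name `verdict` is hypothetical, the rule text is a constructed copy of the commands in the description and in comment 5, the default OUTPUT policy is ACCEPT, and `apache` stands in for any other local account.

```shell
#!/bin/sh
# Constructed input: the rule specs from the two command sets on this page, in
# append order. User names are kept as typed; iptables-save prints numeric UIDs.
RULES_GUIDE='-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'

RULES_REVISED='-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'

# verdict RULES USER (hypothetical helper): print the target of the first rule
# that matches a loopback TCP connection to port 9200 opened by USER.
verdict() {
    while read -r line; do
        # Only OUTPUT rules for destination port 9200 are relevant here.
        case "$line" in
            "-A OUTPUT "*"--dport 9200 "*) ;;
            *) continue ;;
        esac
        # A rule with an owner match applies only to that user's sockets.
        case "$line" in
            *"--uid-owner "*)
                owner=${line##*--uid-owner }
                owner=${owner%% *}
                [ "$owner" = "$2" ] || continue ;;
        esac
        # First matching rule decides; its target follows "-j".
        printf '%s\n' "${line##*-j }"
        return 0
    done <<EOF
$1
EOF
    printf 'ACCEPT\n'   # assumption: default OUTPUT policy is ACCEPT
}

# Report who can reach Elasticsearch on 9200 under each ruleset.
# "apache" is a constructed stand-in for any other local account.
for user in foreman katello root apache; do
    printf '%-8s guide=%-6s revised=%s\n' "$user" \
        "$(verdict "$RULES_GUIDE" "$user")" "$(verdict "$RULES_REVISED" "$user")"
done
```

Any account that an installer or upgrade step runs as and that resolves to DROP here will hit the same failure when it probes port 9200.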

