Bug 1237092 - Templates isolation feature should only be enabled by default on non-integrated capsule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Katello Bug Bin
QA Contact: Corey Welton
Reported: 2015-06-30 10:56 UTC by Jan Hutař
Modified: 2017-02-23 19:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 16:04:28 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
rdsosreport.txt from the failed provisioned server (51.69 KB, text/plain)
2015-07-07 15:55 UTC, Eric Lavarde

Description Jan Hutař 2015-06-30 10:56:02 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Prerequisites.html#form-Red_Hat_Satellite-Installation_Guide-Prerequisites-Required_Network_Ports


Section Number and Name: 
Table 1.3. Required Network Ports


Describe the issue: 
Table should contain port 8000/tcp. I had to open that port when I was PXE installing a libvirt guest (libvirtd was running on the same system as Satellite was).


Suggestions for improvement: 
As per my testing, I had to open that port.


Additional information: 
With that port closed, installation was unable to download KS:

  http://<satellite_fqdn>:8000/unattended/provision?token=<some_hash>

Anyway, it would be nice to have somebody knowledgeable to review this request.

Comment 1 Eric Lavarde 2015-07-07 15:55:59 UTC
Created attachment 1049451
rdsosreport.txt from the failed provisioned server

I can confirm the issue but I'm not too sure why it should be related to libvirt:
- my Libvirt is running on a different computer
- It's a Foreman process which is listening on port 8000 (on the Satellite, or probably rather on the integrated Capsule):
# lsof -i :8000
COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    2586 foreman-proxy   10u  IPv4  21869      0t0  TCP *:irdmi (LISTEN)
# COLUMNS=1000 ps -fp 2586
UID        PID  PPID  C STIME TTY          TIME CMD
foreman+  2586     1  0 13:18 ?        00:00:01 ruby /usr/share/foreman-proxy/bin/smart-proxy

In addition to the chapter given by Jan, this new port requirement (like any other) must be added to the upgrade section from 6.0 to 6.1 for Satellite and Satellite Capsule.

Comment 2 Stephen Benjamin 2015-07-07 20:42:02 UTC
Not a docs problem.

Background:

As part of capsule isolation, the Capsule runs a Templates service on port 8000. It was changed to be turned on by default, but this means it's also getting turned on on the Satellite, too. It really shouldn't be.

Comment 3 Stephen Benjamin 2015-07-07 20:44:30 UTC
In the interim, you can specifically turn this off with `katello-installer --capsule-templates=false` and then refresh the features on your Capsule. It'll go back to using port 80 in that case.
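
Added example (not part of this bug thread and not Satellite project code): a check that flags LISTEN sockets outside an expected port set, handling the fact that `lsof -i` prints port 8000 as the service name "irdmi", as in the output quoted in this bug. The function names, the 80/443 allowlist and the two httpd sample lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag LISTEN sockets whose port is not on an allowlist.
# Reads `lsof -i` style output on stdin; allowed ports are the arguments.

unexpected_listeners() {
    awk -v allowed="$*" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # lsof prints service names unless run with -P; minimal name map
        # (a subset of /etc/services, enough for the sample below).
        svc["irdmi"] = 8000; svc["http"] = 80; svc["https"] = 443
    }
    $NF == "(LISTEN)" {
        port = $(NF - 1)              # e.g. *:irdmi or *:8000
        sub(/^.*:/, "", port)         # keep the text after the last colon
        if (port in svc) port = svc[port]
        if (!(port in ok)) print $1, $3, port   # command, user, port
    }'
}

# Sample input: the header and the ruby line are the lsof output quoted in
# this bug; the two httpd lines are constructed for illustration.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    2586 foreman-proxy   10u  IPv4  21869      0t0  TCP *:irdmi (LISTEN)
httpd   1201        apache    4u  IPv6  20111      0t0  TCP *:http (LISTEN)
httpd   1201        apache    6u  IPv6  20115      0t0  TCP *:https (LISTEN)
EOF
}

# The allowlist (80 and 443) is an assumption, not the documented port table.
sample_lsof | unexpected_listeners 80 443
```

On a live host, feeding it `lsof -nP -i` gives numeric ports directly, so the name map is only a fallback for output captured without `-P`.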

Comment 5 Stephen Benjamin 2015-07-21 14:25:14 UTC
This absolutely needs to make 6.1.0, or at best 6.1.z.

Someone else turned the templates feature on for everything, and it's made our firewall rules for provisioning invalid for the Satellite.


PRs are waiting upstream.

Comment 8 Stephen Benjamin 2015-07-21 15:34:29 UTC
Merged upstream:

katello|db730f332ae13992e5fefc441485a35dc49e7bf6

Comment 11 Stephen Benjamin 2015-07-22 17:57:06 UTC
The fix doesn't account for upgrades, so hold off on QE until I address everything for this bug.

Comment 12 Stephen Benjamin 2015-07-23 10:47:18 UTC
katello-installer|ec84f8e954e149ce985049c6b3452bea469b8f91

Comment 14 Corey Welton 2015-07-30 02:26:36 UTC
I am still seeing port 8000 open in latest SNAP 15....?

[root@qe-sat6-rhel71 ~]# lsof -i :8000
COMMAND   PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    23526 foreman-proxy    9u  IPv4 108908      0t0  TCP *:irdmi (LISTEN)

Comment 16 Corey Welton 2015-07-30 14:20:04 UTC
Per discussions with stbenjam, the actual issue is fixed, but the port 8000 open remains. Will file a separate issue for this.

Comment 17 Corey Welton 2015-07-30 14:37:04 UTC
Marking verified for snap 15.

New issue for foreman-proxy still listening on port 8000:

https://bugzilla.redhat.com/show_bug.cgi?id=1248665

Comment 18 Bryan Kearney 2015-08-12 16:04:28 UTC
This bug was fixed in Satellite 6.1.1 which was delivered on 12 August, 2015.

