1273806 – Capsule http port always enabled

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1273806 - Capsule http port always enabled

Summary: Capsule http port always enabled

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Foreman Proxy
Sub Component:
Version:	6.1.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	Unspecified
Assignee:	Katello Bug Bin
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1122832
TreeView+	depends on / blocked

Reported:	2015-10-21 09:35 UTC by Peter Vreman
Modified:	2015-11-17 15:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-17 15:04:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Peter Vreman 2015-10-21 09:35:35 UTC

Description of problem:
Our company has the policy to disable HTTP when possible. Currently the HTTP port 8000 is always enabled on the capsule:

[crash] root@li-lc-1578:~# lsof -P -n | grep 'foreman-proxy.*TCP'
ruby      12159 foreman-proxy    5u     IPv4            4013285        0t0        TCP *:8000 (LISTEN)
ruby      12159 foreman-proxy    6u     IPv4            4013295        0t0        TCP *:9090 (LISTEN)

This comes from the smart-proxy configuration that is generated by the katello-installer:

[crash] root@li-lc-1017:~# grep http_port /etc/foreman-proxy/settings.yml
# http is disabled by default. To enable, uncomment 'http_port' setting
:http_port: 8000

In the katello-installer there is also no option to disable it.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install Sat6
2. Check foreman proxy ports with 'lsof'
3. Check foreman proxy settings

Actual results:
Foreman proxy is using port 8000

Expected results:
HTTP is disabled by default
Option to enable HTTP


Additional info:

Comment 1 Brad Buckingham 2015-11-17 14:50:18 UTC

Port 8000 is currently used by the templates feature to support provisioning as well as capsule isolation.  Until all anaconda versions support https, we need to support serving the templates over http.  We may be able to change this in the future.

If provisioning is not desired, the port could be turned off by using the following installer options:
--capsule-foreman-proxy-http=false --capsule-templates=off

Comment 3 Peter Vreman 2015-11-17 15:04:38 UTC

Ok, i see the option in the katello-installer of Sat6.1.3.
BZ be closed as it is supported to disable during the installation.

Note You need to log in before you can comment on or make changes to this bug.