Bug 1839781 - [RFE] - Create a firewalld service component for Red Hat Satellite Capsule.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Eric Garver
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-25 14:20 UTC by Rudnei Bertol Jr.
Modified: 2023-10-06 20:14 UTC
CC: 3 users

Fixed In Version: firewalld-0.6.3-11.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 19:21:17 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2020:3863 (last updated 2020-09-29 19:21:27 UTC)

Description Rudnei Bertol Jr. 2020-05-25 14:20:21 UTC
Description of problem:

Create a firewalld service component for Red Hat Satellite Capsule, as the Red Hat Insights connection on Capsule happens through port 8443.


Version-Release number of selected component (if applicable):

firewalld-0.6.3-8.el7_8.1.noarch


How reproducible:

Enable the firewalld service RH-Satellite-6.xml


Steps to Reproduce:
1. firewall-cmd --add-service=RH-Satellite-6
2. firewall-cmd --reload
3. Port 8443 is not opened, although it is required on the Satellite Capsule.


Actual results:

According to the Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1135634), the service RH-Satellite-6 has been created to open the firewall rules for the Satellite 6 server; however, this same service does not open firewall port 8443, which is required by the Satellite Capsule official documentation [1].

[1] - https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/installing_capsule_server/preparing-environment-for-capsule-installation#capsule-ports-and-firewalls-requirements_capsule


Expected results:

A firewalld service called RH-Satellite-6-Capsule should be available to be enabled.

Additional info:

Comment 3 Eric Garver 2020-05-26 11:52:41 UTC
We went through this pretty recently in bug 1422149. See bug 1422149 comment 14.

Do we really need _more_ ports? If capsule is optional, then maybe it should use a separate service definition, e.g. "satellite-capsule".

Comment 4 Rudnei Bertol Jr. 2020-05-26 12:26:20 UTC
Hey Eric,

Yes, this would be awesome if we could have a specific service for Capsule i.e. "RH-Satellite-6-Capsule", as the capsule needs the port 8443/tcp opened on the firewall to allow this port for the Subscription Management Services and Telemetry Services.

Please let us know if there is anything else we can help with from the support side.

regards
rbertol

Comment 5 Eric Garver 2020-05-26 13:11:00 UTC
Can you provide an exhaustive list of ports needed for capsule?

I'll add "satellite-capsule" and also alias "satellite" to "RH-satellite-6". Does that make sense?

Secondly, is this really needed for RHEL-7, or is doing this in RHEL-8 sufficient?

Comment 6 Rudnei Bertol Jr. 2020-05-26 13:56:56 UTC
Hey Eric,

Q - Can you provide an exhaustive list of ports needed for capsule?
A - Sure, the following is the port list from the official doc.

Port  Protocol     Service        Required For
80    TCP          HTTP           Anaconda, yum, and for obtaining Katello certificate updates
443   TCP          HTTPS          Anaconda, yum, Telemetry Services, and Puppet
5646  TCP          AMQP           The Capsule Qpid dispatch router to the Qpid dispatch router in Satellite
5647  TCP          AMQP           Katello agent to communicate with Capsule’s Qpid dispatch router
8000  TCP          HTTPS          Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140  TCP          HTTPS          Puppet agent to Puppet master connections
8443  TCP          HTTPS          Subscription Management Services and Telemetry Services
9090  TCP          HTTPS          Sending SCAP reports to the Capsule and for the discovery image during provisioning
53    TCP and UDP  DNS            Client DNS queries to a Capsule’s DNS service (Optional)
67    UDP          DHCP           Client to Capsule broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional)
69    UDP          TFTP           Clients downloading PXE boot image files from a Capsule for provisioning (Optional)
5000  TCP          HTTPS          Connection to Katello for the Docker registry (Optional)

Q - I'll add "satellite-capsule" and also alias "satellite" to "RH-satellite-6". Does that make sense?
A - Yes, it would be awesome and makes sense to us.

Q - Secondly, is this really needed for RHEL-7, or is doing this in RHEL-8 sufficient?
A - We need it on RHEL-7, as Satellite 6.7 is supported only on RHEL-7 at this moment.

regards
rbertol

Comment 7 Eric Garver 2020-05-26 16:37:17 UTC
(In reply to Rudnei Bertol Jr. from comment #6)
> Hey Eric,
> 
> Q - Can you provide an exhaustive list of ports needed for capsule?
> A - Sure, following the port list from the official doc.
> 
> Port  Protocol	   Service	  Required For
> 80    TCP          HTTP           Anaconda, yum, and for obtaining Katello
> certificate updates
> 443   TCP          HTTPS          Anaconda, yum, Telemetry Services, and
> Puppet
> 5646  TCP          AMQP           The Capsule Qpid dispatch router to the
> Qpid dispatch router in Satellite
> 5647  TCP          AMQP           Katello agent to communicate with
> Capsule’s Qpid dispatch router
> 8000  TCP          HTTPS          Anaconda to download kickstart templates
> to hosts, and for downloading iPXE firmware
> 8140  TCP          HTTPS          Puppet agent to Puppet master connections
> 8443  TCP          HTTPS          Subscription Management Services and
> Telemetry Services
> 9090  TCP          HTTPS          Sending SCAP reports to the Capsule and
> for the discovery image during provisioning
> 53    TCP and UDP  DNS            Client DNS queries to a Capsule’s DNS
> service (Optional)
> 67    UDP          DHCP           Client to Capsule broadcasts, DHCP
> broadcasts for Client provisioning from a Capsule (Optional)
> 69    UDP          TFTP           Clients downloading PXE boot image files
> from a Capsule for provisioning (Optional)
> 5000  TCP          HTTPS          Connection to Katello for the Docker
> registry (Optional)

Much of this overlaps with the existing definition for "RH-satellite-6".

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Red Hat Satellite 6</short>
  <description>Red Hat Satellite 6 is a systems management server that can be used to configure new systems, subscribe to updates, and maintain installations in distributed environments.</description>
  <include service="dns"/>
  <include service="http"/>
  <include service="https"/>
  <include service="dhcp"/>
  <include service="tftp"/>
  <port protocol="udp" port="68"/>
  <port protocol="tcp" port="5000"/>
  <port protocol="tcp" port="5646-5647"/>
  <port protocol="tcp" port="5671"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8140"/>
  <port protocol="tcp" port="9090"/>
</service>

What do you need for satellite capsule exclusively? Only 8443?
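
As an added example (not code from this bug, from firewalld, or from Red Hat), the following Python script answers Eric's question mechanically: it parses a firewalld service definition, follows its `<include service="..."/>` elements recursively, and diffs the resulting effective port set against the Capsule port table from comment 6. The RH-Satellite-6 definition is the one quoted above; the stub definitions for the included base services (dns, http, https, dhcp, tftp) are constructed here to mirror the stock firewalld files and are assumptions, as are the name and description of the generated capsule service.

```python
"""Resolve firewalld service XML (including <include> elements) into the
effective set of (protocol, port) pairs and check it against a required
list. Base-service stubs and the capsule service name are assumptions."""
import xml.etree.ElementTree as ET

SERVICE_XML = {
    # Definition as quoted in comment 7 of this bug.
    "RH-Satellite-6": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Red Hat Satellite 6</short>
  <description>Red Hat Satellite 6 is a systems management server.</description>
  <include service="dns"/>
  <include service="http"/>
  <include service="https"/>
  <include service="dhcp"/>
  <include service="tftp"/>
  <port protocol="udp" port="68"/>
  <port protocol="tcp" port="5000"/>
  <port protocol="tcp" port="5646-5647"/>
  <port protocol="tcp" port="5671"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8140"/>
  <port protocol="tcp" port="9090"/>
</service>""",
    # Constructed stubs of the stock firewalld base services (assumption).
    "dns": '<service><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "http": '<service><port protocol="tcp" port="80"/></service>',
    "https": '<service><port protocol="tcp" port="443"/></service>',
    "dhcp": '<service><port protocol="udp" port="67"/></service>',
    "tftp": '<service><port protocol="udp" port="69"/></service>',
}

# Ports required by a Capsule, transcribed from the table in comment 6.
CAPSULE_REQUIRED = {
    ("tcp", 80), ("tcp", 443), ("tcp", 5646), ("tcp", 5647), ("tcp", 8000),
    ("tcp", 8140), ("tcp", 8443), ("tcp", 9090), ("tcp", 53), ("udp", 53),
    ("udp", 67), ("udp", 69), ("tcp", 5000),
}


def expand_range(spec):
    """'5646-5647' -> [5646, 5647]; '8443' -> [8443]."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return list(range(int(lo), int(hi) + 1))
    return [int(spec)]


def effective_ports(name, catalog=SERVICE_XML, seen=None):
    """Return the set of (protocol, port) tuples that service `name` opens,
    following <include> elements recursively and guarding against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    root = ET.fromstring(catalog[name])
    ports = set()
    for p in root.findall("port"):
        for n in expand_range(p.get("port")):
            ports.add((p.get("protocol"), n))
    for inc in root.findall("include"):
        ports |= effective_ports(inc.get("service"), catalog, seen)
    return ports


def missing_ports(service, required=CAPSULE_REQUIRED, catalog=SERVICE_XML):
    """Required ports that `service` does not open."""
    return required - effective_ports(service, catalog)


def capsule_service_xml(missing):
    """Build a capsule service that includes RH-Satellite-6 and adds only the
    ports it lacks (hypothetical name/description, not firewalld's own)."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = "Red Hat Satellite 6 Capsule"
    ET.SubElement(svc, "description").text = (
        "Red Hat Satellite 6 Capsule: the Satellite 6 ports plus 8443/tcp.")
    ET.SubElement(svc, "include", service="RH-Satellite-6")
    for proto, port in sorted(missing):
        ET.SubElement(svc, "port", protocol=proto, port=str(port))
    return ET.tostring(svc, encoding="unicode")


if __name__ == "__main__":
    gap = missing_ports("RH-Satellite-6")
    print("missing from RH-Satellite-6:", sorted(gap))  # [('tcp', 8443)]
    catalog = dict(SERVICE_XML)
    catalog["RH-Satellite-6-Capsule"] = capsule_service_xml(gap)
    print(catalog["RH-Satellite-6-Capsule"])
    print("missing from capsule service:",
          sorted(missing_ports("RH-Satellite-6-Capsule", catalog=catalog)))
```

On a live host the same resolved view is available from `firewall-cmd --info-service=RH-Satellite-6`; keeping the capsule definition as an `<include>` of RH-Satellite-6 plus the one extra port, rather than a copied list, means later changes to the base service are inherited instead of drifting.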

Comment 8 Rudnei Bertol Jr. 2020-05-27 12:09:50 UTC
Hey Eric,

Sorry for the delay.


Yes, basically all Satellite ports and services plus 8443.

regards
rbertol

Comment 17 Eric Garver 2020-06-10 16:17:53 UTC
upstream:

7beeb958d40c ("test(service): coverage for RH-Satellite-6")
cb20bcfe47ab ("feat(service): add RH-Satellite-6-Capsule")
b2ac0b3c11d5 ("improvement(service): RH-Satellite-6: include foreman service")
e10cae964a26 ("feat(service): add foreman and foreman-proxy")

Comment 25 errata-xmlrpc 2020-09-29 19:21:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3863

