Bug 2247445 - Requirement of port 80 is not clearly mentioned in case of Global Registration Method
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Registration
Version: 6.13.4
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: 6.15.0
Assignee: Malhar Jivrajani
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-11-01 10:16 UTC by Sayan Das
Modified: 2024-02-01 10:58 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-02-01 10:58:09 UTC
Target Upstream Version:
Embargoed:




Links:
System: Red Hat Issue Tracker, ID: SAT-21078, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2023-11-01 10:17:44 UTC

Description Sayan Das 2023-11-01 10:16:55 UTC
Document URL: 

I am not sure which would be the right docs, but I will pinpoint both of the related doc links:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#Ports_and_Firewalls_Requirements_satellite

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html-single/managing_hosts/index#Registering_Hosts_by_Using_Global_Registration_managing-hosts


Applicable to 6.10+ (any version)


Section Number and Name: 

1.6. Ports and Firewalls Requirements

3.3. Registering Hosts by Using Global Registration


Describe the issue: 

If someone is using the "Global Registration" method to register a system directly with Satellite but has no allowed incoming access to port 80 of Satellite, the registration will fail or complete only partially.

It would also leave the host in build mode, and no host facts would be uploaded back to Satellite.

This is not an issue if the same method is used to register a system through an external capsule server.


Suggestions for improvement: 

Ports 443 and 80 -> both need to be opened for Satellite

Ports 443, 9090 and 8000 --> need to be opened for Capsule.


While customers are aware of the Capsule-side requirement, some customers who are not aware of the port 80 requirement of Satellite can often run into problems during registration, and most of them want to block any incoming access to port 80. We should clarify somewhere that an incoming connection to port 80 is also needed for the Global Registration method to work with Satellite.

(as mentioned earlier, it is not needed for Capsule)

NOTE: It's not an unusual thing to block port 80 access to a satellite or capsule. 


Additional information: 

I will share some technical background as well. 

Satellite by default does not have the Templates feature enabled, and hence to submit/update the build status of a host, this API "GET /unattended/built?token=<token here>" always targets port 80 of Satellite over HTTP.

This is the very last step of the Global Registration method, and if port 80 is blocked, this step will fail.

For external Capsules:
  --> The Templates feature is enabled
  --> So any template retrieval or build status submission happens over port 8000

So port 80 is not directly needed there.

Comment 1 Marie Hornickova 2023-11-01 14:43:08 UTC
Hello Sayan,
Many thanks for reporting this suggestion for improvement.
The documentation team will look into it and share an update about the progress of its implementation in this ticket.
Thank you!

Comment 2 Ewoud Kohl van Wijngaarden 2024-01-17 11:37:27 UTC
(In reply to Sayan Das from comment #0)
> Satellite by default does not have template feature enabled and hence to
> submit\update build status of a host, This API "GET
> /unattended/built?token=<token here>" always targets port 80 of satellite
> over http. 
> 
> This is the very last step of the Global Registration method and if port 80
> is blocked, This step will fail.
> 
> For external capsules, 
>   --> Templates feature is enabled 
>   --> So any template retrieval or build status submission happens over port
> 8000
> 
> So port 80 is not directly needed here.

I think this is actually a bug rather than something we need to fix in documentation. The whole design idea was that registration would happen securely over HTTPS and this breaks that promise.

Comment 4 Malhar Jivrajani 2024-01-19 13:27:17 UTC
Link to the PR: https://github.com/theforeman/foreman-documentation/pull/2680

Comment 5 Sayan Das 2024-01-19 13:36:11 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #2)
> (In reply to Sayan Das from comment #0)
> > Satellite by default does not have template feature enabled and hence to
> > submit\update build status of a host, This API "GET
> > /unattended/built?token=<token here>" always targets port 80 of satellite
> > over http. 
> > 
> > This is the very last step of the Global Registration method and if port 80
> > is blocked, This step will fail.
> > 
> > For external capsules, 
> >   --> Templates feature is enabled 
> >   --> So any template retrieval or build status submission happens over port
> > 8000
> > 
> > So port 80 is not directly needed here.
> 
> I think this is actually a bug rather than something we need to fix in
> documentation. The whole design idea was that registration would happen
> securely over HTTPS and this breaks that promise.

I agree, and before raising this BZ I had raised the same point in the Slack channel, but I was told that the default requirement of the /unattended/built endpoint in Satellite/Foreman is http, i.e. port 80.

I do know that port 8000 can also be used, which would make the communication https entirely, and perhaps these steps would be good enough, i.e.:

* Enable "Templates" feature via installer option in satellite 
* Enable incoming connection to port 8000 of satellite 
* Optionally, select the Templates Capsule for all the applicable subnets 


But perhaps QE needs to test it out and the Dev team needs to agree on this approach before this can be documented and enforced for end users.

Comment 6 Ewoud Kohl van Wijngaarden 2024-01-24 11:50:28 UTC
(In reply to Sayan Das from comment #5)
> (In reply to Ewoud Kohl van Wijngaarden from comment #2)
> > (In reply to Sayan Das from comment #0)
> > > Satellite by default does not have template feature enabled and hence to
> > > submit\update build status of a host, This API "GET
> > > /unattended/built?token=<token here>" always targets port 80 of satellite
> > > over http. 
> > > 
> > > This is the very last step of the Global Registration method and if port 80
> > > is blocked, This step will fail.
> > > 
> > > For external capsules, 
> > >   --> Templates feature is enabled 
> > >   --> So any template retrieval or build status submission happens over port
> > > 8000
> > > 
> > > So port 80 is not directly needed here.
> > 
> > I think this is actually a bug rather than something we need to fix in
> > documentation. The whole design idea was that registration would happen
> > securely over HTTPS and this breaks that promise.
> 
> I agree and before raising this BZ , i had raised the same point in slack
> channel but I was told that the default requirement of /unattended/built
> endpoint in satellite\foreman is http i.e. port 80

Yes, the foreman_url method is indeed for the unattended URL. In https://bugzilla.redhat.com/show_bug.cgi?id=2159669 we had some discussion about moving this communication to HTTPS, but I think it's unlikely we'll complete that soon. I'd instead suggest finding some way to enhance foreman_url or introducing some other way to get the HTTPS URL to the unattended controller.
 
> I do know that port 8000 can also be used which would make the communication
> https entirely and perhaps these steps would be good enough i.e. 
> 
> * Enable "Templates" feature via installer option in satellite 
> * Enable incoming connection to port 8000 of satellite 
> * Optionally, select the Templates Capsule for all the applicable subnets 
> 
> 
> But perhaps QE needs to test it out and Dev team needs to agree on this
> approach before this can be documented and enforced for the end-users

Port 8000 on the Capsule is plain text HTTP. It does not solve anything if you want encrypted communications.

Comment 7 Sayan Das 2024-01-25 09:09:28 UTC
I apologize. What I perhaps wanted to mention is this:

That may deflect the usage of port 80 (which is a red flag for many scanners) and may allow using port 8000 instead. Even though both are http only, customers do accept the usage of port 8000.

But I do 100% agree that we need to see how this can be improved, i.e. how we can remove the additional need for http during host registration.

As we already have a product RFE opened in https://bugzilla.redhat.com/show_bug.cgi?id=2159669, I believe at some point developers will try to improve this and ensure that Satellite is not dependent on port 80 for any important operations. But for now, it is definitely needed while registering directly with Satellite via the global registration method, and hence either it needs to be documented, or we need to find an alternative and document that instead.

Comment 8 Ewoud Kohl van Wijngaarden 2024-01-25 11:54:57 UTC
Yes, I think we both agree that there are 2 issues. This bug is that global registration needs plain text HTTP (which is not how it was intended). Then https://bugzilla.redhat.com/show_bug.cgi?id=2159669 is about the much bigger issue, which is that unattended provisioning needs plain text HTTP, which also relates to external components like Anaconda.

Comment 9 Leos Stejskal 2024-01-26 09:52:11 UTC
Hi,
AFAIK the HTTP port 80 is needed just for the callback home in the host_init_config_default template [0].
Otherwise, all the communication should be secured and over https.

[0] https://github.com/theforeman/foreman/blob/develop/app/views/unattended/provisioning_templates/host_init_config/host_init_config_default.erb#L95

Comment 10 Ewoud Kohl van Wijngaarden 2024-01-26 10:51:58 UTC
Yes, that is exactly the problematic line. That should somehow be changed to use HTTPS.

The foreman_url macro doesn't look flexible enough right now. A more accurate name would be foreman_unattended_url since it can only link to the unattended controller, and possibly use a Capsule with the templates feature. The unattended link uses the unattended_url setting, which by default is using HTTP. Changing that to HTTPS would work around this issue partially, but break unattended workflows.
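The thread above establishes three facts a practitioner needs before opening firewall rules for Global Registration: the final `GET /unattended/built?token=...` callback follows the `unattended_url` setting (plain HTTP on port 80 by default, per the description and comment 10); enabling the Templates feature on Satellite moves that callback to port 8000, which is still plain HTTP (comments 5 and 6); and an external Capsule needs 443, 9090 and 8000. The following pre-flight audit is an added example written for this bug report, not code from Foreman, Satellite or any of the commenters. It parses an `unattended_url` value to derive the callback port and reports which required ports a firewall allow-list is missing. Hostnames and the allow-lists are constructed placeholders; only the port meanings come from the discussion.

```python
"""Pre-flight port audit for Satellite / Capsule host registration.

Added example for this bug report (not Foreman's or Satellite's own code).
Port meanings are taken from the discussion in the bug; the hostnames and
allow-lists below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Well-known default ports for the two schemes unattended_url may use.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed placeholder mirroring the documented default (plain HTTP, port 80).
DEFAULT_UNATTENDED_URL = "http://satellite.example.com"


@dataclass(frozen=True)
class PortRequirement:
    port: int
    scheme: str
    reason: str


def build_callback_port(unattended_url: str) -> PortRequirement:
    """Port hit by the final `GET /unattended/built?token=...` callback.

    The callback follows the `unattended_url` setting, so an http:// value
    with no explicit port means plain HTTP on port 80, which is exactly the
    case this bug describes.
    """
    parts = urlsplit(unattended_url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported unattended_url: {unattended_url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return PortRequirement(port, parts.scheme,
                           "build-status callback GET /unattended/built")


def required_inbound_ports(target: str,
                           unattended_url: str = DEFAULT_UNATTENDED_URL,
                           templates_feature: bool = False) -> dict[int, str]:
    """Map of port -> why the registering host must reach it on `target`.

    target: "satellite" (direct registration) or "capsule" (external Capsule).
    templates_feature: whether the Templates feature is enabled on Satellite
    itself, which moves the callback to port 8000 (still plain HTTP).
    """
    ports = {443: "HTTPS registration traffic"}
    if target == "capsule":
        # Capsules have the Templates feature enabled, so template retrieval
        # and the build callback go to port 8000 instead of port 80.
        ports[9090] = "Capsule (smart proxy) API"
        ports[8000] = "HTTP: templates feature, incl. build-status callback"
    elif target == "satellite":
        if templates_feature:
            ports[8000] = "HTTP: templates feature, incl. build-status callback"
        else:
            cb = build_callback_port(unattended_url)
            ports[cb.port] = f"{cb.scheme.upper()}: {cb.reason}"
    else:
        raise ValueError(f"unknown target: {target!r}")
    return ports


def missing_ports(required: dict[int, str], allowed: set[int]) -> list[int]:
    """Required ports absent from a firewall allow-list, sorted ascending."""
    return sorted(p for p in required if p not in allowed)


def audit(target: str, allowed: set[int], **kwargs) -> list[str]:
    """Human-readable findings; an empty list means the allow-list suffices."""
    required = required_inbound_ports(target, **kwargs)
    return [f"port {p} blocked but needed for {required[p]}"
            for p in missing_ports(required, allowed)]


if __name__ == "__main__":
    # A hardened allow-list of only 443 against a direct Satellite target
    # reproduces the failure mode from the description: port 80 is missing.
    for finding in audit("satellite", {443}):
        print(finding)
```

Run it against the allow-list you intend to deploy before rolling out the registration script; a non-empty result for a direct Satellite target with only 443 open is the "host stuck in build mode, no facts uploaded" situation from the description. Note that neither variant removes plain HTTP: switching the callback to port 8000 only changes which cleartext port must be reachable, as comment 6 points out.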

