Chapter 1. Preparing your Environment for Installation
Before you install Satellite, ensure that your environment meets the following requirements.
1.1. System Requirements
The following requirements apply to the networked base operating system:
- x86_64 architecture
- The latest version of Red Hat Enterprise Linux 7 Server
- 4-core 2.0 GHz CPU at a minimum
- A minimum of 20 GB RAM is required for Satellite Server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Satellite running with less RAM than the minimum value might not operate correctly.
- A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
- A current Red Hat Satellite subscription
- Administrative user (root) access
- A system umask of 0022
- Full forward and reverse DNS resolution using a fully-qualified domain name
Satellite only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Red Hat Enterprise Linux, see the Configuring System Locale guide.
Before you install Satellite Server, ensure that your environment meets the requirements for installation.
Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Satellite Server creates:
- apache
- foreman
- foreman-proxy
- postgres
- pulp
- puppet
- puppetserver
- qdrouterd
- qpidd
- redis
- tomcat
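The following preflight check is an added example, not part of the Red Hat documentation. It covers two of the requirements above: the host name character rule and the reserved account names that must not come from an external identity provider. The function names and the GETENT override variable are assumptions made for this example.

```shell
#!/bin/sh
# Account names that Satellite Server creates locally (list from this page).
RESERVED_USERS="apache foreman foreman-proxy postgres pulp puppet puppetserver qdrouterd qpidd redis tomcat"

# Lookup command, overridable for testing. getent queries every NSS source
# (files, sss, ldap, ...), so it also sees externally provided accounts.
GETENT=${GETENT:-getent}

# external_reserved_users [PASSWD_FILE]
# Prints each reserved name that resolves through NSS but has no entry in the
# local passwd file, meaning an external identity provider supplies it.
external_reserved_users() {
    passwd_file=${1:-/etc/passwd}
    for u in $RESERVED_USERS; do
        if $GETENT passwd "$u" >/dev/null 2>&1 &&
           ! grep -q "^$u:" "$passwd_file" 2>/dev/null; then
            echo "$u"
        fi
    done
    return 0
}

# valid_satellite_hostname NAME
# Succeeds only if NAME consists of lower-case letters, numbers, dots and
# hyphens. LC_ALL=C keeps [a-z] from matching upper case in other locales.
valid_satellite_hostname() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9.-]+$'
}

# Demo on a constructed host name and the local account database.
if valid_satellite_hostname "satellite.example.com"; then
    echo "host name OK"
fi
for u in $(external_reserved_users); do
    echo "FAIL: account '$u' comes from an external identity provider"
done
```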
Certified hypervisors
Satellite Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?.
SELinux Mode
SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.
FIPS Mode
You can install Satellite on a Red Hat Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Satellite. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.
1.2. Storage Requirements
The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.
The runtime size was measured with Red Hat Enterprise Linux 6, 7, and 8 repositories synchronized.
1.2.1. Red Hat Enterprise Linux 7
Directory | Installation Size | Runtime Size |
---|---|---|
/var/log/ | 10 MB | 10 GB |
/var/opt/rh/rh-postgresql12/lib/pgsql | 100 MB | 20 GB |
/usr | 3 GB | Not Applicable |
/opt | 3 GB | Not Applicable |
/opt/puppetlabs | 500 MB | Not Applicable |
/var/lib/pulp/ | 1 MB | 300 GB |
/var/lib/qpidd/ | 25 MB | Not Applicable |
1.3. Storage Guidelines
Consider the following guidelines when installing Satellite Server to increase efficiency.
- If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.
- Because most Satellite Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
- The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
- Use high-bandwidth, low-latency storage for the /var/lib/pulp/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second.
You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite Operations for more information on using the fio tool.
File System Guidelines
- Do not use the GFS2 file system as the input-output latency is too high.
Log File Storage
Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see Log Rotation in the Red Hat Enterprise Linux 7 System Administrator’s Guide.
The exact amount of storage you require for log messages depends on your installation and setup.
SELinux Considerations for NFS Mount
When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:
nfs.example.com:/nfsshare /var/lib/pulp nfs context="system_u:object_r:var_lib_t:s0" 1 2
If NFS share is already mounted, remount it using the above configuration and enter the following command:
# restorecon -R /var/lib/pulp
Duplicated Packages
Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/pulp/ directory. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.
Software Collections
Software collections are installed in the /opt/rh/ and /opt/theforeman/ directories.
Write and execute permissions by the root user are required for installation to the /opt directory.
Symbolic links
You cannot use symbolic links for /var/lib/pulp/.
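The storage rules in this section can be checked before installation. The script below is an added example, not part of the Red Hat documentation: it audits fstab-format text for a noexec /tmp, an NFS-mounted /var/lib/pulp without the SELinux context given above, and any GFS2 file system, and it tests whether /var/lib/pulp is a symbolic link. The function names and the sample fstab are constructed for this example.

```shell
#!/bin/sh
# Expected SELinux context for an NFS-mounted /var/lib/pulp (from this page).
PULP_CONTEXT='system_u:object_r:var_lib_t:s0'

# audit_fstab: reads fstab text on stdin, prints one FAIL line per violation.
audit_fstab() {
    awk -v want="context=$PULP_CONTEXT" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        {
            mnt = $2; type = $3
            if (mnt != "/") sub(/\/+$/, "", mnt) # normalise trailing slashes
            noexec = 0; ctx = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]; gsub(/"/, "", o)     # context value may be quoted
                if (o == "noexec") noexec = 1
                if (o == "exec")   noexec = 0    # the later option wins
                if (o == want)     ctx = 1
            }
            if (mnt == "/tmp" && noexec)
                print "FAIL /tmp: noexec set, puppetserver needs exec"
            if (mnt == "/var/lib/pulp" && type ~ /^nfs/ && !ctx)
                print "FAIL /var/lib/pulp: NFS mount lacks " want
            if (type == "gfs2")
                print "FAIL " mnt ": do not use GFS2 (I/O latency too high)"
        }'
}

# pulp_is_symlink DIR: succeeds when DIR is a symbolic link (not allowed).
# The trailing slash is stripped because "-L dir/" would follow the link.
pulp_is_symlink() { [ -L "${1%/}" ]; }

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/vg-root  /              xfs   defaults               0 0
/dev/mapper/vg-tmp   /tmp           xfs   defaults,nodev,noexec  0 0
nfs.example.com:/nfsshare /var/lib/pulp/ nfs defaults            1 2
/dev/mapper/vg-share /srv/share     gfs2  noatime                0 0
EOF
}

sample_fstab | audit_fstab
```

On a real host, feed /etc/fstab to audit_fstab on standard input and call pulp_is_symlink with /var/lib/pulp/.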
1.4. Supported Operating Systems
You can install the operating system from a disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Satellite Server is supported only on the latest version of Red Hat Enterprise Linux 7 Server that is available at the time when Satellite Server 6.10 is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.
The following operating systems are supported by the installer, have packages, and are tested for deploying Satellite:
Operating System | Architecture | Notes |
---|---|---|
Red Hat Enterprise Linux 7 | x86_64 only |
Before you install Satellite, apply all operating system updates if possible.
Red Hat Satellite Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.
Install Satellite Server on a freshly provisioned system.
Red Hat does not support using the system for anything other than running Satellite Server.
1.5. Supported Browsers
Satellite supports recent versions of Firefox and Google Chrome browsers.
The Satellite web UI and command-line interface support English, Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.
1.6. Ports and Firewalls Requirements
For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.
Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
Integrated Capsule
Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.
Clients of Capsule
Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.
Required ports can change based on your configuration.
The following tables indicate the destination port and the direction of network traffic:
Destination Port | Protocol | Service | Source | Required For | Description |
---|---|---|---|---|---|
53 | TCP and UDP | DNS | DNS Servers and clients | Name resolution | DNS (optional) |
67 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
69 | UDP | TFTP | Client | TFTP Server (optional) | |
443 | TCP | HTTPS | Capsule | Red Hat Satellite API | Communication from Capsule |
443, 80 | TCP | HTTPS, HTTP | Client | Content Retrieval | Content |
443, 80 | TCP | HTTPS, HTTP | Capsule | Content Retrieval | Content |
443, 80 | TCP | HTTPS, HTTP | Client | Content Host Registration | Capsule CA RPM installation |
443 | TCP | HTTPS | Red Hat Satellite | Content Mirroring | Management |
443 | TCP | HTTPS | Red Hat Satellite | Capsule API | Smart Proxy functionality |
5646 | TCP | AMQP | Capsule | Katello agent | Forward message to Qpid dispatch router on Satellite (optional) |
5910 - 5930 | TCP | HTTPS | Browsers | Compute Resource’s virtual console | |
8000 | TCP | HTTP | Client | Provisioning templates | Template retrieval for client installers, iPXE or UEFI HTTP Boot |
8000 | TCP | HTTPS | Client | PXE Boot | Installation |
8140 | TCP | HTTPS | Client | Puppet agent | Client updates (optional) |
8443 | TCP | HTTPS | Client | Content Host registration | Initiation; uploading facts; sending installed packages and traces |
9090 | TCP | HTTPS | Client | OpenSCAP | Configure Client |
9090 | TCP | HTTPS | Discovered Node | Discovery | Host discovery and provisioning |
9090 | TCP | HTTPS | Red Hat Satellite | Capsule API | Capsule functionality |
Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.
A DHCP Capsule performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using satellite-installer --foreman-proxy-dhcp-ping-free-ip=false.
Destination Port | Protocol | Service | Destination | Required For | Description |
---|---|---|---|---|---|
ICMP | ping | Client | DHCP | Free IP checking (optional) | |
7 | TCP | echo | Client | DHCP | Free IP checking (optional) |
22 | TCP | SSH | Target host | Remote execution | Run jobs |
22, 16514 | TCP | SSH, SSH/TLS | Compute Resource | Satellite originated communications, for compute resources in libvirt | |
53 | TCP and UDP | DNS | DNS Servers on the Internet | DNS Server | Resolve DNS records (optional) |
53 | TCP and UDP | DNS | DNS Server | Capsule DNS | Validation of DNS conflicts (optional) |
53 | TCP and UDP | DNS | DNS Server | Orchestration | Validation of DNS conflicts |
68 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
80 | TCP | HTTP | Remote repository | Content Sync | Remote yum repository |
389, 636 | TCP | LDAP, LDAPS | External LDAP Server | LDAP | LDAP authentication, necessary only if external authentication is enabled. The port can be customized when |
443 | TCP | HTTPS | Satellite | Capsule | Capsule Configuration management Template retrieval OpenSCAP Remote Execution result upload |
443 | TCP | HTTPS | Amazon EC2, Azure, Google GCE | Compute resources | Virtual machine interactions (query/create/destroy) (optional) |
443 | TCP | HTTPS | Capsule | Content mirroring | Initiation |
443 | TCP | HTTPS | Infoblox DHCP Server | DHCP management | When using Infoblox for DHCP, management of the DHCP leases (optional) |
623 | Client | Power management | BMC On/Off/Cycle/Status | ||
5000 | TCP | HTTPS | OpenStack Compute Resource | Compute resources | Virtual machine interactions (query/create/destroy) (optional) |
5646 | TCP | AMQP | Satellite Server | Katello agent | Forward message to Qpid dispatch router on Capsule (optional) |
5671 | Qpid | Remote install | Send install command to client | ||
5671 | Dispatch router (hub) | Remote install | Forward message to dispatch router on Satellite | ||
5671 | Satellite Server | Remote install for Katello agent | Send install command to client | ||
5671 | Satellite Server | Remote install for Katello agent | Forward message to dispatch router on Satellite | ||
5900 - 5930 | TCP | SSL/TLS | Hypervisor | noVNC console | Launch noVNC console |
7911 | TCP | DHCP, OMAPI | DHCP Server | DHCP | The DHCP target is configured using ISC and |
8443 | TCP | HTTPS | Client | Discovery | Capsule sends reboot command to the discovered host (optional) |
9090 | TCP | HTTPS | Capsule | Capsule API | Management of Capsules |
1.7. Enabling Connections from a Client to Satellite Server
Capsules and Content Hosts that are clients of a Satellite Server’s internal Capsule require access through Satellite’s host-based firewall and any network-based firewalls.
Use this procedure to configure the host-based firewall on the Red Hat Enterprise Linux 7 system that Satellite is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Ports and Firewalls Requirements.
Procedure
To open the ports for client to Satellite communication, enter the following command on the base operating system that you want to install Satellite on:
# firewall-cmd \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5647/tcp" --add-port="8000/tcp" \
--add-port="8140/tcp" --add-port="9090/tcp" \
--add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp"
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
1.8. Verifying Firewall Settings
Use this procedure to verify your changes to the firewall settings.
Procedure
Enter the following command:
# firewall-cmd --list-all
For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.
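Reading the list by eye makes it easy to miss one port. The script below is an added example, not part of the Red Hat documentation: it compares the output of firewall-cmd --list-all against the ports opened in section 1.7 and prints any that are missing, treating port ranges as covering the ports inside them. The function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Ports opened by the procedure in section 1.7 (copied from the page).
REQUIRED_PORTS="80/tcp 443/tcp 5647/tcp 8000/tcp 8140/tcp 9090/tcp 53/udp 53/tcp 67/udp 69/udp"

# missing_ports: reads `firewall-cmd --list-all` output on stdin and prints
# every required port that the zone's "ports:" line does not cover.
# Ports opened only through a firewalld service are not considered here.
missing_ports() {
    awk -v required="$REQUIRED_PORTS" '
        BEGIN { cnt = 0 }
        $1 == "ports:" {                  # not source-ports: or forward-ports:
            for (i = 2; i <= NF; i++) {
                split($i, e, "/")         # e[1] = port or range, e[2] = protocol
                n = split(e[1], r, "-")
                cnt++
                lo[cnt] = r[1] + 0
                hi[cnt] = (n == 2 ? r[2] : r[1]) + 0
                proto[cnt] = e[2]
            }
        }
        END {
            m = split(required, want, " ")
            for (j = 1; j <= m; j++) {
                split(want[j], w, "/"); ok = 0
                for (k = 1; k <= cnt; k++)
                    if (proto[k] == w[2] && w[1] + 0 >= lo[k] && w[1] + 0 <= hi[k])
                        ok = 1
                if (!ok) print want[j]
            }
        }'
}

# Constructed sample output: 8140/tcp and 69/udp were never added.
sample_list_all() {
    cat <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp 5647/tcp 8000/tcp 9090/tcp 53/udp 53/tcp 67/udp
  source-ports: 69/udp
  rich rules:
EOF
}

sample_list_all | missing_ports
```

On a live system, pipe firewall-cmd --list-all into missing_ports to check the runtime configuration, and firewall-cmd --permanent --list-all to confirm that the saved configuration matches after --runtime-to-permanent.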
1.9. Verifying DNS resolution
Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.
Procedure
Ensure that the host name and local host resolve correctly:
# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com
Successful name resolution results in output similar to the following:
# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms
# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms
--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
# hostnamectl set-hostname name
For more information, see Configuring Host Names Using hostnamectl in the Red Hat Enterprise Linux 7 Networking Guide.
Name resolution is critical to the operation of Satellite 6. If Satellite cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.