Chapter 8. Networking considerations in Satellite
For the components of Satellite architecture to communicate, the required network ports must be open to enable incoming and outgoing traffic between the components.
8.1. Capsule networking
The communication between Satellite Server and hosts registered to a Capsule Server is routed through that Capsule Server. Capsule Server also provides Satellite services to hosts.
In Figure 8.1, “Satellite topology with hosts connecting to a Capsule”, Capsule Server provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the Capsule Server itself must be open. Hosts do not need direct access to Satellite Server.
Figure 8.1. Satellite topology with hosts connecting to a Capsule
In Figure 8.2, “Satellite topology with hosts connecting directly to Satellite Server”, hosts need direct network access to Satellite Server. This applies to all Capsule Servers because they are hosts of Satellite Server.
Figure 8.2. Satellite topology with hosts connecting directly to Satellite Server
8.2. Satellite Server port and firewall requirements
The following tables indicate the destination port and the direction of incoming and outgoing traffic for Satellite Server.
| Destination Port | Protocol | Service | Source | Required For | Description |
|---|---|---|---|---|---|
| 53 | TCP and UDP | DNS | DNS Servers and clients | Name resolution | DNS (optional) |
| 67 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
| 69 | UDP | TFTP | Client | TFTP Server (optional) | |
| 443 | TCP | HTTPS | Capsule | Red Hat Satellite API | Communication from Capsule |
| 443, 80 | TCP | HTTPS, HTTP | Client | Global Registration | Registering hosts to Satellite. Port 443 is required for sending installed packages and traces, registration initiation, and uploading facts. Port 80 notifies Satellite on the |
| 443 | TCP | HTTPS | Red Hat Satellite | Content Mirroring | Management |
| 443 | TCP | HTTPS | Red Hat Satellite | Capsule API | Smart Proxy functionality |
| 443, 80 | TCP | HTTPS, HTTP | Capsule | Content Retrieval | Content |
| 443, 80 | TCP | HTTPS, HTTP | Client | Content Retrieval | Content |
| 1883 | TCP | MQTT | Client | Pull based REX (optional) | Content hosts for REX job notification (optional) |
| 5910 – 5930 | TCP | HTTPS | Browsers | Compute Resource’s virtual console | |
| 8000 | TCP | HTTP | Client | Provisioning templates | Template retrieval for client installers, iPXE or UEFI HTTP Boot |
| 8000 | TCP | HTTPS | Client | PXE Boot | Installation |
| 8140 | TCP | HTTPS | Client | Puppet agent | Client updates (optional) |
| 9090 | TCP | HTTPS | Red Hat Satellite | Capsule API | Smart Proxy functionality |
| 9090 | TCP | HTTPS | Client | OpenSCAP | Configure Client (if the OpenSCAP plugin is installed) |
| 9090 | TCP | HTTPS | Discovered Node | Discovery | Host discovery and provisioning (if the discovery plugin is installed) |
| 9090 | TCP | HTTPS | Client | Pull based REX (optional) | Content hosts for REX job notification (optional) |

| Destination Port | Protocol | Service | Destination | Required For | Description |
|---|---|---|---|---|---|
| | ICMP | ping | Client | DHCP | Free IP checking (optional) |
| 7 | TCP | echo | Client | DHCP | Free IP checking (optional) |
| 22 | TCP | SSH | Target host | Remote execution | Run jobs |
| 22, 16514 | TCP | SSH, SSH/TLS | Compute Resource | Satellite originated communications, for compute resources in libvirt | |
| 53 | TCP and UDP | DNS | DNS Servers on the Internet | DNS Server | Resolve DNS records (optional) |
| 53 | TCP and UDP | DNS | DNS Server | Capsule DNS | Validation of DNS conflicts (optional) |
| 53 | TCP and UDP | DNS | DNS Server | Orchestration | Validation of DNS conflicts |
| 68 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
| 80 | TCP | HTTP | Remote repository | Content Sync | Remote repositories |
| 389, 636 | TCP | LDAP, LDAPS | External LDAP Server | LDAP | LDAP authentication, necessary only if external authentication is enabled. The port can be customized if |
| 443 | TCP | HTTPS | Amazon EC2, Azure, Google GCE | Compute resources | Virtual machine interactions (query/create/destroy) (optional) |
| 443 | TCP | HTTPS | Capsule | Content mirroring | Initiation |
| 443 | TCP | HTTPS | Infoblox DHCP Server | DHCP management | When using Infoblox for DHCP, management of the DHCP leases (optional) |
| 623 | | | Client | Power management | BMC On/Off/Cycle/Status |
| 5000 | TCP | HTTPS | OpenStack Compute Resource | Compute resources | Virtual machine interactions (query/create/destroy) (optional) |
| 5900 – 5930 | TCP | SSL/TLS | Hypervisor | noVNC console | Launch noVNC console |
| 7911 | TCP | DHCP, OMAPI | DHCP Server | DHCP | The DHCP target is configured using ISC and |
| 8443 | TCP | HTTPS | Client | Discovery | Capsule sends reboot command to the discovered host (optional) |
| 9090 | TCP | HTTPS | Capsule | Capsule API | Management of Capsules |
8.3. Capsule port and firewall requirements
The following tables indicate the destination port and the direction of incoming and outgoing traffic for Capsule Servers.
ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. The DHCP Capsule sends an ECHO REQUEST to the Client network to verify that an IP address is free. A response prevents IP addresses from being allocated.
| Destination Port | Protocol | Service | Source | Required For | Description |
|---|---|---|---|---|---|
| 53 | TCP and UDP | DNS | DNS Servers and clients | Name resolution | DNS (optional) |
| 67 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
| 69 | UDP | TFTP | Client | TFTP Server (optional) | |
| 443, 80 | TCP | HTTPS, HTTP | Client | Content Retrieval | Content |
| 443, 80 | TCP | HTTPS, HTTP | Client | Content Host Registration | Capsule CA RPM installation |
| 443 | TCP | HTTPS | Red Hat Satellite | Content Mirroring | Management |
| 443 | TCP | HTTPS | Red Hat Satellite | Capsule API | Smart Proxy functionality |
| 443 | TCP | HTTPS | Client | Content Host registration | Initiation; uploading facts; sending installed packages and traces |
| 1883 | TCP | MQTT | Client | Pull based REX (optional) | Content hosts for REX job notification (optional) |
| 8000 | TCP | HTTP | Client | Provisioning templates | Template retrieval for client installers, iPXE or UEFI HTTP Boot |
| 8000 | TCP | HTTP | Client | PXE Boot | Installation |
| 8140 | TCP | HTTPS | Client | Puppet agent | Client updates (optional) |
| 8443 | TCP | HTTPS | Client | Content Host registration | Deprecated and only needed for Client hosts deployed before upgrades |
| 9090 | TCP | HTTPS | Red Hat Satellite | Capsule API | Capsule functionality |
| 9090 | TCP | HTTPS | Client | Register Endpoint | Client registration with Capsule Servers |
| 9090 | TCP | HTTPS | Client | OpenSCAP | Configure Client (if the OpenSCAP plugin is installed) |
| 9090 | TCP | HTTPS | Discovered Node | Discovery | Host discovery and provisioning (if the discovery plugin is installed) |
| 9090 | TCP | HTTPS | Client | Pull based REX (optional) | Content hosts for REX job notification (optional) |

| Destination Port | Protocol | Service | Destination | Required For | Description |
|---|---|---|---|---|---|
| | ICMP | ping | Client | DHCP | Free IP checking (optional) |
| 7 | TCP | echo | Client | DHCP | Free IP checking (optional) |
| 22 | TCP | SSH | Target host | Remote execution | Run jobs |
| 53 | TCP and UDP | DNS | DNS Servers on the Internet | DNS Server | Resolve DNS records (optional) |
| 53 | TCP and UDP | DNS | DNS Server | Capsule DNS | Validation of DNS conflicts (optional) |
| 68 | UDP | DHCP | Client | Dynamic IP | DHCP (optional) |
| 443 | TCP | HTTPS | Satellite | Capsule | Capsule Configuration management; Template retrieval; OpenSCAP; Remote Execution result upload |
| 443 | TCP | HTTPS | Red Hat Portal | SOS report | Assisting support cases (optional) |
| 443 | TCP | HTTPS | Satellite | Content | Sync |
| 443 | TCP | HTTPS | Satellite | Client communication | Forward requests from Client to Satellite |
| 443 | TCP | HTTPS | Infoblox DHCP Server | DHCP management | When using Infoblox for DHCP, management of the DHCP leases (optional) |
| 623 | | | Client | Power management | BMC On/Off/Cycle/Status |
| 7911 | TCP | DHCP, OMAPI | DHCP Server | DHCP | The DHCP target is configured using ISC and |
| 8443 | TCP | HTTPS | Client | Discovery | Capsule sends reboot command to the discovered host (optional) |
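
A least-privilege check built on the Capsule incoming-traffic table in section 8.3, as an added example that is not part of the Red Hat documentation: it compares the output of `firewall-cmd --list-ports` with the table and reports required ports that are closed and open ports the table does not list. The required/optional split, the function names and the sample input are assumptions of this example; ports opened through firewalld service definitions are outside its view.

```shell
#!/usr/bin/env bash
# Added example: compare firewalld's open ports with the Capsule incoming table.
# Assumption: rows the table does not mark "(optional)" or "Deprecated" are required.
REQUIRED="80/tcp 443/tcp 8000/tcp 9090/tcp"
# Rows marked optional (DNS, DHCP, TFTP, pull-based REX, Puppet) or deprecated (8443).
OPTIONAL="53/tcp 53/udp 67/udp 69/udp 1883/tcp 8140/tcp 8443/tcp"

# contains LIST ITEM: true if ITEM is a whole word in the space-separated LIST.
contains() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# covers ENTRY PORT PROTO: true if ENTRY ("443/tcp" or "8000-8443/tcp") includes PORT/PROTO.
covers() {
    local range="${1%/*}" proto="${1#*/}"
    local lo="${range%-*}" hi="${range#*-}"
    [ "$proto" = "$3" ] && [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]
}

# audit_capsule_ports OPEN: OPEN is the output of `firewall-cmd --list-ports`.
# Prints one finding per line: MISSING, OPTIONAL-OPEN or UNLISTED.
audit_capsule_ports() {
    local entry want found
    for want in $REQUIRED; do
        found=no
        for entry in $1; do
            covers "$entry" "${want%/*}" "${want#*/}" && found=yes
        done
        [ "$found" = yes ] || echo "MISSING $want"
    done
    for entry in $1; do
        if contains "$REQUIRED" "$entry"; then
            :   # needed by the table, nothing to report
        elif contains "$OPTIONAL" "$entry"; then
            echo "OPTIONAL-OPEN $entry"   # confirm the optional service is in use
        else
            echo "UNLISTED $entry"        # not in the table (ranges land here too)
        fi
    done
}

# Constructed sample of `firewall-cmd --list-ports` output, not from a real host.
SAMPLE="443/tcp 80/tcp 9090/tcp 8140/tcp 3306/tcp"
# On a Capsule Server, pass "$(firewall-cmd --list-ports)" instead of "$SAMPLE".
audit_capsule_ports "$SAMPLE"
```

A port range that spans a required port satisfies the MISSING check but is still reported as UNLISTED, because it opens more than the table asks for.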