Chapter 4. Installing Capsule Server
Before you install Capsule Server, you should ensure that your environment meets the requirements for installation. Capsule Server has the same requirements for installation as Satellite Server. For more information, see Section 2.1, “System Requirements”.
4.1. Registering Capsule Server to Satellite Server
Before You Begin
- The Satellite Server must have a manifest installed with the appropriate repositories for the organization you intend to subscribe to. The manifest must contain repositories for the Capsule’s base system as well as any clients connected to the Capsule. The repositories must be synchronized. See the Content Management Guide for more information on manifests and repositories.
- The Satellite Server’s base system must be able to resolve the host name of the Capsule Server’s base system and vice versa.
- You must have a Satellite Server user name and password. For more information, see the Red Hat Satellite 6.2 Server Administration Guide.
Register Capsule Server to Satellite Server
Install the Satellite Server’s CA certificate in the Capsule Server.
# rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Register the Capsule Server with your organization.
# subscription-manager register --org organization_name
4.2. Identifying and Attaching the Capsule Server Subscription
After you have registered the Capsule Server, you need to identify your Capsule Server subscription Pool ID. The Pool ID enables you to attach the required subscription to your Capsule Server. The Capsule Server subscription provides access to the Capsule Server content, as well as Red Hat Enterprise Linux, Red Hat Software Collections (RHSCL), and Red Hat Satellite. This is the only subscription required.
Identify your Capsule Server subscription.
# subscription-manager list --all --available
The command displays output similar to the following:
+-------------------------------------------+ Available Subscriptions +-------------------------------------------+ Subscription Name: Red Hat Satellite Capsule Server Provides: Red Hat Satellite Proxy Red Hat Satellite Capsule Red Hat Software Collections (for RHEL Server) Red Hat Satellite Capsule Red Hat Enterprise Linux Server Red Hat Enterprise Linux High Availability (for RHEL Server) Red Hat Software Collections (for RHEL Server) Red Hat Enterprise Linux Load Balancer (for RHEL Server) SKU: MCT0369 Pool ID: 9e4cc4e9b9fb407583035861bb6be501 Available: 3 Suggested: 1 Service Level: Premium Service Type: L1-L3 Multi-Entitlement: No Ends: 10/07/2022 System Type: Physical
- Make a note of the Pool ID so that you can attach it to your Satellite host. Your Pool ID will be different than the example provided.
Attach your subscription to your Capsule Server, using your Pool ID:
# subscription-manager attach --pool=Red_Hat_Satellite_Capsule_Pool_Id
The outputs displays something similar to the following:
Successfully attached a subscription for: Red Hat Capsule Server
To verify that the subscriptions are successfully attached, run the following command:
# subscription-manager list --consumed
4.3. Configuring Repositories
Disable all existing repositories.
# subscription-manager repos --disable "*"
Enable the Red Hat Satellite, Red Hat Enterprise Linux, and Red Hat Software Collections repositories.
The Red Hat Software Collections repository provides a later version of Ruby required by some Red Hat Satellite features, including the Remote Execution feature.
Ensure the Red Hat Enterprise Linux repository matches the specific version you are using.
If you are using Red Hat Enterprise Linux 6, run this command.
# subscription-manager repos --enable rhel-6-server-rpms \ --enable rhel-6-server-satellite-capsule-6.2-rpms \ --enable rhel-server-rhscl-6-rpms
If you are using Red Hat Enterprise Linux 7, run this command.
# subscription-manager repos --enable rhel-7-server-rpms \ --enable rhel-7-server-satellite-capsule-6.2-rpms \ --enable rhel-server-rhscl-7-rpms
Clear out any metadata left from any non-Red Hat
yum
repositories.# yum clean all
Verify that the repositories have been enabled.
# yum repolist enabled
The following output displays:
Loaded plugins: langpacks, product-id, subscription-manager repo id repo name status !rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 7,617 !rhel-7-server-satellite-capsule-6.2-rpms/x86_64 Red Hat Satellite Capsule 6.2(for RHEL 7 Server) (RPMs) 176 repolist: 7,793
4.4. Synchronizing Time
You must start and enable a time synchronizer on the host operating system to minimize the effects of time drift. If a system’s time is incorrect, certificate verification can fail.
Two time synchronizers are available: NTP
and chrony
. Each of these has its advantages. chrony
is recommended for systems that are frequently suspended and for systems—such as mobile and virtual systems—that intermittently disconnect from networks and then reestablish network connection. NTP
is recommended for systems that are expected to remain in running states and that are expected to be connected to a network without interruption.
For more information on the differences between NTP
and chrony
, see Differences Between ntpd and chronyd in the Red Hat Enterprise Linux 7 System Administrator’s Guide.
Synchronizing Time by Using NTP
Install ntp.
# yum install ntp
Verify that your NTP server is available.
# ntpdate -q ntp_server_address
Set the system time.
# ntpdate ntp_server_address
Start and enable the ntpd service.
# chkconfig ntpd on
Synchronizing Time by Using chronyd
Install chronyd.
# yum install chrony
Start and enable the chrony service.
# systemctl start chronyd # systemctl enable chronyd
4.5. Installing Capsule Server
Install the installation package.
# yum install satellite-capsule
4.6. Performing Initial Configuration of Capsule Server
This section demonstrates a default installation of Capsule Server, including use of default certificates, DNS, and DHCP configuration. For details of more advanced configuration options, see Section 4.7, “Performing Additional Configuration on Capsule Server”.
4.6.1. Configuring Capsule Server with a Default Server Certificate
You can use the default certificate authority (CA) that comes with Capsule Server, which is used by both the server and the client SSL certificates for the authentication of subservices.
Before You Begin
- You must have attached the required subscription to the Capsule Server.
-
You must have installed the
katello-ca-consumer-latest
package. - You must have registered your Capsule Server to the Satellite Server.
Configure Capsule Server with a Default Server Certificate
Create the certificates archive on Satellite Server.
# capsule-certs-generate \ --capsule-fqdn "mycapsule.example.com" \ --certs-tar "~/mycapsule.example.com-certs.tar"
-
Ensure that the
satellite-installer
package is available on the Capsule Server. - Copy the generated archive .tar file from Satellite Server to Capsule Server.
Enable the certificate based on the needs of your environment. For more information, see
satellite-installer --scenario capsule --help
.# satellite-installer --scenario capsule \ --capsule-parent-fqdn "satellite.example.com" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://satellite.example.com" \ --foreman-proxy-trusted-hosts "satellite.example.com" \ --foreman-proxy-trusted-hosts "mycapsule.example.com" \ --foreman-proxy-oauth-consumer-key "UVrAZfMaCfBiiWejoUVLYCZHT2xhzuFV" \ --foreman-proxy-oauth-consumer-secret \ "ZhH8p7M577ttNU3WmUGWASag3JeXKgUX" \ --capsule-pulp-oauth-secret "TPk42MYZ42nAE3rZvyLBh7Lxob3nEUi8" \ --capsule-certs-tar "~/mycapsule.example.com-certs.tar"
4.7. Performing Additional Configuration on Capsule Server
4.7.1. Installing the katello Agent
Installing the katello agent is recommended to allow remote updates of clients. The base system of a self-registered Satellite Server or of a Capsule Server is a client of Satellite Server and therefore should also have the katello agent installed.
Before You Begin
- You must have enabled the Satellite Tools repositories in Satellite Server.
- You must have synchronized the Satellite Tools repositories in Satellite Server.
To Install katello-agent:
- Log into the system.
Enable the Satellite tools repository for this version of Satellite.
On Red Hat Enterprise Linux 7, run the following command:
# subscription-manager repos \ --enable=rhel-7-server-satellite-tools-6.2-rpms
On Red Hat Enterprise Linux 6, run the following command:
# subscription-manager repos \ --enable=rhel-6-server-satellite-tools-6.2-rpms
Install the package.
# yum install katello-agent
Ensure the goferd service is running:
On Red Hat Enterprise Linux 6, enter the following command:
# service goferd start
On Red Hat Enterprise Linux 7, enter the following command:
# systemctl start goferd
4.7.2. Enabling Remote Execution on Capsule Server
If you want to run commands on a Capsule Server’s hosts, you must ensure that remote execution is enabled.
Remote execution on external Capsules is disabled by default. To use remote execution on a Capsule Server you need to enable it by running the following command:
# satellite-installer --scenario capsule \ --enable-foreman-proxy-plugin-remote-execution-ssh
4.7.3. Adding Life Cycle Environments to Capsule Servers
If your Capsule Server has content functionality enabled, you must add one or more life cycle environments to it. Adding an environment enables Capsule Server to synchronize content from Satellite Server and provide content to host systems.
Red Hat recommends that you create one or multiple life cycle environments and assign them to your Capsule Server. This ensures that Capsule receives only the repositories contained in Content Views that are promoted to the respective life cycle environments, and results in optimizing the usage of system resources.
Avoid assigning the Library Lifecycle Environment to your Capsule Server as it triggers an automated Capsule sync every time a repository is updated from the CDN. This may consume multiple system resources on Capsules, network bandwidth between Satellite and Capsules, and available disk space on Capsules.
Capsule Server is configured using Satellite Server’s Hammer CLI. You must execute all commands on Satellite Server.
- Log in to the Satellite Server CLI as root.
Display a list of all Capsule Servers and note the ID.
# hammer capsule list
Using the ID, verify the details of your Capsule Server.
# hammer capsule info --id capsule_id_number
Verify the life cycle environments available and note the environment ID.
# hammer capsule content available-lifecycle-environments \ --id capsule_id_number
Available life cycle environments are available for Capsule Server, but not currently attached.
Add the life cycle environment to your Capsule Server.
# hammer capsule content add-lifecycle-environment \ --id capsule_id_number --environment-id environment_id_number
- Repeat for each life cycle environment you want to add to Capsule Server.
To synchronize all content from your Satellite Server environment to Capsule Server, run the following command:
# hammer capsule content synchronize --id capsule_id_number
To synchronize a specific life cycle environment from your Satellite Server to Capsule Server, run the following command:
# hammer capsule content synchronize --id external_capsule_id_number \ --environment-id environment_id_number
For more information on working with Life Cycle Environments, see Life Cycle Environments in the Red Hat Satellite Server Administration Guide.
4.7.4. Enabling Power Management on Managed Hosts
When you enable the baseboard management controller (BMC) module on the Capsule Server, you can use power management commands on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol.
The BMC service on the satellite Capsule Server enables you to perform a range of power management tasks. The underlying protocol for this feature is IPMI; also referred to as the BMC function. IPMI uses a special network interface on the managed hardware that is connected to a dedicated processor that runs independently of the host’s CPUs. In many instances the BMC functionality is built into chassis-based systems as part of chassis management (a dedicated module in the chassis).
For more information on the BMC service, see Configuring an Additional Network Interface in the Red Hat Satellite Host Configuration Guide.
Before You Begin
- All managed hosts must have a network interface, with type BMC. Satellite uses this NIC to pass the appropriate credentials to the host.
Enable Power Management on Managed Hosts
Run the installer with the options to enable BMC.
# satellite-installer --scenario capsule \ --foreman-proxy-bmc "true" \ --foreman-proxy-bmc-default-provider "freeipmi"
4.7.5. Configuring DNS and DHCP on Capsule Server
You can configure DNS, DHCP, and TFTP on Capsule Server.
You can also configure Capsule Server to use external DNS and DHCP services. See Chapter 5, Configuring External Services for more information.
To view a complete list of configurable options, run the satellite-installer --scenario capsule --help
command.
Before You Begin
-
You must have the correct network name (
dns-interface
) for the DNS server. -
You must have the correct interface name (
dhcp-interface
) for the DHCP server.
Configure DNS, DHCP, and TFTP on Capsule Server
Run capsule installer with the options applicable to your environment.
The following example shows full provisioning services:
# satellite-installer --scenario capsule \ --foreman-proxy-tftp=true \ --foreman-proxy-foreman-oauth-key "your_organization_key" \ --foreman-proxy-foreman-oauth-secret "your_organization_secret" \ --capsule-certs-tar "~/capsule.example.com-certs.tar" \ --foreman-proxy-templates=true \ --foreman-proxy-dhcp=true \ --foreman-proxy-dhcp-gateway=192.168.122.1 \ --foreman-proxy-dhcp-nameservers=192.168.122.1 \ --foreman-proxy-dhcp-range="192.168.122.100 192.168.122.200" \ --foreman-proxy-dhcp-interface=eth0 \ --foreman-proxy-dns=true \ --foreman-proxy-dns-forwarders=8.8.8.8 \ --foreman-proxy-dns-interface=eth0 \ --foreman-proxy-dns-zone=example.com # satellite-installer --scenario capsule \ --foreman-proxy-dns true \ --foreman-proxy-dns-interface eth0 \ --foreman-proxy-dns-zone example.com \ --foreman-proxy-dns-forwarders 172.17.13.1 \ --foreman-proxy-dns-reverse 13.17.172.in-addr.arpa \ --foreman-proxy-dhcp true \ --foreman-proxy-dhcp-interface eth0 \ --foreman-proxy-dhcp-range "172.17.13.100 172.17.13.150" \ --foreman-proxy-dhcp-gateway 172.17.13.1 \ --foreman-proxy-dhcp-nameservers 172.17.13.2 \ --foreman-proxy-tftp true \ --foreman-proxy-tftp-servername $(hostname) \ --capsule-puppet true \ --foreman-proxy-puppetca true
4.7.6. Configuring Capsule Server with a Custom Server Certificate
Red Hat Satellite 6 comes with default SSL certificate to enable encrypted communications between the Satellite Server, Capsule Servers, and all hosts. You can replace the default certificate with a custom certificates if required. For example, your company’s security policy might dictate that SSL certificates must be obtained from a specific Certificate Authority.
Prerequisites
- Satellite Server configured with a custom certificate. For more information, see Section 3.5.8, “Configuring Satellite Server with a Custom Server Certificate”.
- Capsule Server installed and registered to the Satellite Server. For more information, see Chapter 4, Installing Capsule Server.
To use a custom certificate on each Capsule Server, complete these procedures:
- Section 4.7.6.1, “Obtain an SSL Certificate for the Capsule Server”
- Section 4.7.6.2, “Validate the Capsule Server’s SSL Certificate”
- Section 4.7.6.3, “Create the Capsule Server’s Certificate Archive File”
- Section 4.7.6.4, “Install the Capsule Server’s Custom Certificate”
- Section 4.7.6.5, “Install the Capsule Server’s New Certificate on All Hosts”
4.7.6.1. Obtain an SSL Certificate for the Capsule Server
This procedure generates PEM encoded certificates. Only PEM encoding must be used for the SSL Certificates.
- Do not use the Satellite Server’s certificate on any Capsule Server as each server’s certificate is unique.
Create a directory to contain all the source certificate files, accessible to only the
root
user.# mkdir
/root/capsule_cert
# cd/root/capsule_cert
In these examples, the directory is
/root/capsule_cert
. If you have multiple Capsule Servers, name the directory to match. For example, if you have Capsule Servers namedcapsule_apac
andcapsule_emea
, you might create directories named capsule_apac and capsule_emea respectively. This is not required, but reduces the risk of using files from one Capsule Server on another Capsule Server.Create a private key with which to sign the Certificate Signing Request (CSR).
NoteIf you already have a private key for the Capsule Server, skip this step.
# openssl genrsa -out
/root/capsule_cert/capsule_cert_key.pem
4096Create a Certificate Signing Request (CSR).
A Certificate Signing Request is a text file containing details of the server for which you are requesting a certificate. For this command, you provide the private key (output by the previous step), answer some questions about the Capsule Server, and the Certificate Signing Request is stored in a file.
NoteThe certificate’s Common Name (CN) must match the fully-qualified domain name (FQDN) of the server on which it is used.
To confirm a server’s FQDN, run the command
hostname -f
on the server.# openssl req -new \ -key /root/capsule_cert/capsule_cert_key.pem \ 1 -out /root/capsule_cert/capsule_cert_csr.pem 2
Example Certificate Signing Request session
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [XX]:AU State or Province Name (full name) []:Queensland Locality Name (eg, city) [Default City]:Brisbane Organization Name (eg, company) [Default Company Ltd]:Example Organizational Unit Name (eg, section) []:Sales Common Name (eg, your name or your server's hostname) []:capsule.example.com Email Address []:example@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:Example
Send the certificate signing request to the Certificate Authority.
When you submit the request, be sure to specify the lifespan of the certificate. The method for sending the certificate signing request varies, so consult the Certificate Authority for the preferred method. In response to the request you can expect to receive a Certificate Authority bundle, and a signed certificate, in separate files.
4.7.6.2. Validate the Capsule Server’s SSL Certificate
On the Satellite Server, validate the Capsule Server’s certificate input files with the katello-certs-check
command. This process requires that you have copied the Capsule Server key, CSR, and SSL certificate from Capsule Server to Satellite Server.
# katello-certs-check \ -c /root/capsule_cert/capsule_cert.pem \ 1 -k /root/capsule_cert/capsule_cert_key.pem \ 2 -r /root/capsule_cert/capsule_cert_csr.pem \ 3 -b /root/capsule_cert/ca_cert_bundle.pem 4
If the certificate is successfully validated, the output will contain the following.
Check private key matches the certificate: [OK] Check ca bundle verifies the cert file: [OK]
Proceed to Section 4.7.6.3, “Create the Capsule Server’s Certificate Archive File”.
4.7.6.3. Create the Capsule Server’s Certificate Archive File
The Capsule Server’s installer requires the server’s certificate be provided in an archive file. To create this file, use the capsule-certs-generate
command on the Satellite Server.
The capsule-certs-generate
command must be run once for every external Capsule Server. In these examples, capsule.example.com
is the example FQDN and capsule_certs.tar
the example archive file’s name. Replace these with values appropriate to your environment, taking care not to overwrite an existing certificate archive file. For example, if you have Capsule Servers named capsule1
and capsule2
, you could name the certificate archive files capsule1_certs.tar
and capsule2_certs.tar
.
-
Copy and paste into a terminal the
capsule-certs-generate
command, as output by thekatello-certs-check
command in Section 3.5.8.2, “Validate the Satellite Server’s SSL Certificate”. -
Edit the values for
--capsule-fqdn
to match the Capsule Server’s FQDN, and--certs-tar
to the file path and name for the certificate archive file. -
If the Capsule Server has not already been installed, remove the
--certs-update-server
parameter. This is used only to update an existing Capsule Server’s certificate. On the Satellite Server, run the resulting command.
Example
capsule-certs-generate
command# capsule-certs-generate --capsule-fqdn "capsule.example.com" \ --certs-tar "/root/capsule_cert/capsule_certs.tar" \ --server-cert "/root/capsule_cert/capsule_cert.pem" \ --server-cert-req "/root/capsule_cert/capsule_cert_csr.pem" \ --server-key "/root/capsule_cert/capsule_cert_key.pem" \ --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" \ --certs-update-server
On the Satellite Server, copy the certificate archive file to the Capsule Server, providing the
root
user’s password when prompted.In this example the archive file is copied to the
root
user’s home directory, but you may prefer to copy it elsewhere.# scp /root/capsule_cert/capsule_certs.tar root@capsule.example.com:
Proceed to Section 4.7.6.4, “Install the Capsule Server’s Custom Certificate”.
4.7.6.4. Install the Capsule Server’s Custom Certificate
Complete this procedure on the Capsule Server.
To install the Capsule Server’s custom certificates, run the Satellite installer. The command, including parameters, is output by the the capsule-certs-generate
command in Section 4.7.6.3, “Create the Capsule Server’s Certificate Archive File”.
-
Copy and paste the custom
capsule-certs-generate
command but do NOT run it. -
Edit the value for
--capsule-certs-tar
to match the location of the certificates archive file. -
If you want to enable additional features on the Capsule Server, append their parameters to the
satellite-installer
command. For a description of all the installer’s parameters, run the commandsatellite-installer --scenario capsule --help
.
Example custom satellite-installer
command
# satellite-installer --scenario capsule \ --capsule-parent-fqdn "satellite.example.com" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://satellite.example.com" \ --foreman-proxy-trusted-hosts "satellite.example.com" \ --foreman-proxy-trusted-hosts "capsule.example.com" \ --foreman-proxy-oauth-consumer-key "FeQsbASvCjvvaqE6duKH6SoYZWg4jwjg" \ --foreman-proxy-oauth-consumer-secret "7UhPXFPDBongvdTbNixbsWR5WFZsKEgF" \ --capsule-pulp-oauth-secret "VpQ9587tVmYeuY4Du6VitmZpZE5vy9ac" \ --capsule-certs-tar "/root/capsule_certs.tar"
The satellite-installer
command, as output by the capsule-certs-generate
command, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.
Do NOT delete the certificates archive file (the .tar file) even after the certificates have been deployed to all relevant hosts. It is required, for example, when upgrading the Capsule Server. If the certificates archive file is not found by the installer, it will fail with a message similar to the following:
[ERROR YYYY-MM-DD hh:mm:ss main] tar -xzf /var/tmp/srvcapsule01.tar returned 2 instead of one of [0]
Proceed to Section 4.7.6.5, “Install the Capsule Server’s New Certificate on All Hosts”.
4.7.6.5. Install the Capsule Server’s New Certificate on All Hosts
Hosts which connect to an external Capsule Server require that server’s custom certificate. Run the following command on all the Capsule Server’s hosts.
Use the Capsule Server’s host name, not that of the Satellite Server.
# yum -y localinstall \
http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
4.7.7. Restricting Access to mongod
Only the apache
and root
users should be allowed access to the MongoDB database daemon, mongod
, to reduce the risk of data loss.
Restrict access to mongod
on Satellite and Capsule Servers using the following commands.
Configuring the Firewall on Red Hat Enterprise Linux 6
Configure
iptables
service on Satellite and Capsule Servers.# iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner apache -j ACCEPT \ && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner root -j ACCEPT \ && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP \ && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner apache -j ACCEPT \ && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner root -j ACCEPT \ && iptables -I OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP \ && service iptables save
Configuring the Firewall on Red Hat Enterprise Linux 7
Configure the firewall on Satellite and Capsule Servers.
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 28017 -j DROP \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 28017 -j DROP
Repeat the command adding the
--permanent
option to make the settings persistent.# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner apache -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner apache -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 27017 -m owner \ --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \ -o lo -p tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \ -o lo -p tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner apache -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner apache -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 \ -o lo -p tcp -m tcp --dport 28017 -m owner \ --uid-owner root -j ACCEPT \ && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \ -o lo -p tcp -m tcp --dport 28017 -j DROP \ && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 \ -o lo -p tcp -m tcp --dport 28017 -j DROP