Chapter 1. Preparing your environment for installation


1.1. System Requirements

The following requirements apply to the networked base system:

  • x86_64 architecture
  • The latest version of Red Hat Enterprise Linux 7 Server
  • 4-core 2.0 GHz CPU at a minimum
  • A minimum of 20 GB memory is required for the Satellite Server to function. In addition, a minimum of 4 GB of swap space is also recommended. Satellite running with less memory than the minimum value might not operate correctly.
  • A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
  • A current Red Hat Satellite subscription
  • Administrative user (root) access
  • A system umask of 0022
  • Full forward and reverse DNS resolution using a fully-qualified domain name

Before you install Satellite Server or Capsule Server, ensure that your environment meets the requirements for installation.

Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Satellite Server creates:

  • postgres
  • mongodb
  • apache
  • tomcat
  • foreman
  • foreman-proxy
  • qpidd
  • qdrouterd
  • squid
  • puppet
Note

The Red Hat Satellite Server and Capsule Server versions must match. For example, a Satellite 6.2 Server cannot run a 6.4 Capsule Server and a Satellite 6.4 Server cannot run a 6.2 Capsule Server. Mismatching Satellite Server and Capsule Server versions results in the Capsule Server failing silently.

Note

Self-registered Satellites are not supported.

If you have a large number of content hosts, see Large Deployment Considerations to ensure that your environment is set up appropriately.

For more information on scaling your Capsule Servers, see Capsule Server Scalability Considerations.

Certified hypervisors

Red Hat Satellite is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?

1.2. Storage Requirements and Guidelines

This section lists minimum storage requirements and provides storage guidelines for Satellite Server and Capsule Server installation.

1.2.1. Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 5, 6, and 7 repositories synchronized.

Table 1.1. Storage Requirements for a Connected Satellite Server Installation
DirectoryInstallation SizeRuntime Size

/var/cache/pulp/

1 MB

20 GB

/var/lib/pulp/

1 MB

500 GB

/var/lib/mongodb/

3.5 GB

50 GB

/var/lib/qpidd/

25 MB

Not Applicable

/var/log/

10 MB

250 MB

/var/lib/pgsql/

100 MB

10 GB

/var/spool/squid/

0 MB

10 GB

/usr

3 GB

Not Applicable

/opt

3 GB

Not Applicable

/opt/puppetlabs

500 MB

Not Applicable

1.2.2. Storage Guidelines

Consider the following guidelines when installing Satellite Server to increase efficiency.

  • Because most Satellite and Capsule Server data is stored within the /var directory, mounting /var on LVM storage can help the system to scale.
  • For the /var/lib/pulp/ and /var/lib/mongodb/ directories, use high-bandwidth, low-latency storage, and solid state drives (SSD) rather than hard disk drives (HDD). As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second. You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite 6 Operations for more information on using the fio tool.
  • The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
  • Using the same volume for the /var/cache/pulp/ and /var/lib/pulp/ directories can decrease the time required to move content from /var/cache/pulp/ to /var/lib/pulp/ after synchronizing.

File System Guidelines

  • Use the XFS file system for Red Hat Satellite 6 because it does not have the inode limitations that ext4 does. Because Satellite uses a lot of symbolic links it is likely that your system might run out of inodes if using ext4 and the default number of inodes.
  • Do not use NFS with MongoDB because MongoDB does not use conventional I/O to access data files and performance problems occur when both the data files and the journal files are hosted on NFS. If required to use NFS, mount the volume with the following options in the /etc/fstab file: bg, nolock, and noatime.
  • Do not use the GFS2 file system as the input-output latency is too high.

SELinux Considerations for NFS Mount

When /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:

nfs.example.com:/nfsshare  /var/lib/pulp/content  nfs  context="system_u:object_r:httpd_sys_rw_content_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command:

# chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp

Duplicated Packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/mongodb/ and /var/lib/pulp/ directories. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Temporary Storage

The /var/cache/pulp/ directory is used to temporarily store content while it is being synchronized. For content in RPM format, a maximum of 5 RPM files are stored in this directory at any time. After each file is synchronized, it is moved to the /var/lib/pulp/ directory. Up to 8 RPM content synchronization tasks can run simultaneously by default, with each using up to 1 GB of metadata.

Software Collections

Software collections are installed in the /opt/rh/ and /opt/theforeman/ directories.

Write and execute permissions by the root user are required for installation to the /opt directory.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/ and /var/lib/mongodb/,

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.

1.3. Supported Operating Systems

You can install the operating system from disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Satellite Server and Red Hat Satellite Capsule Server are supported only on the latest versions of Red Hat Enterprise Linux 7 Server that is available at the time when Satellite 6.4 is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

Red Hat Satellite Server and Red Hat Satellite Capsule Server require Red Hat Enterprise Linux installations with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

Install Satellite Server and Capsule Server on a freshly provisioned system. Do not register Capsule Server to the Red Hat Content Delivery Network (CDN). Red Hat does not support using the system for anything other than running Satellite.

1.4. Supported Browsers

The following web browsers are fully supported:

  • Firefox versions 39 and later
  • Chrome versions 28 and later

The following web browsers are partially supported. The Satellite web UI interface functions correctly but certain design elements may not align as expected:

  • Firefox version 38
  • Chrome version 27
  • Internet Explorer versions 10 and 11
Note

The web UI and command-line interface for Satellite Server supports English, Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.5. Ports and Firewalls Requirements

For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

The following tables indicate the destination port and the direction of network traffic. Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of these tables. This includes the base system on which a Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.

Required ports can change based on your configuration.

Table 1.2. Ports for Satellite to Red Hat CDN Communication
PortProtocolServiceRequired For

443

TCP

HTTPS

Subscription Management Services (access.redhat.com) and connecting to the Red Hat CDN (cdn.redhat.com).

Except in the case of a disconnected Satellite, Satellite Server needs access to the Red Hat CDN. For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

Table 1.3. Ports for Browser-based User Interface Access to Satellite
PortProtocolServiceRequired For

443

TCP

HTTPS

Browser-based UI access to Satellite

80

TCP

HTTP

Redirection to HTTPS for web UI access to Satellite (Optional)

Table 1.4. Ports for Client to Satellite Communication
PortProtocolServiceRequired For

80

TCP

HTTP

Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware

443

TCP

HTTPS

Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent

5647

TCP

amqp

Katello Agent to communicate with Satellite’s Qpid dispatch router

8000

TCP

HTTP

Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware

8140

TCP

HTTPS

Puppet agent to Puppet master connections

9090

TCP

HTTPS

Sending SCAP reports to the Smart Proxy in the integrated Capsule, for the discovery image during provisioning, and for communicating with Satellite Server to copy the SSH keys for Remote Execution (Rex) configuration

5000

TCP

HTTPS

Connection to Katello for the Docker registry

7

TCP and UDP

ICMP

External DHCP on a Client to Satellite network, ICMP ECHO to verify IP address is free (Optional)

53

TCP and UDP

DNS

Client DNS queries to a Satellite’s integrated Capsule DNS service (Optional)

67

UDP

DHCP

Client to Satellite’s integrated Capsule broadcasts, DHCP broadcasts for Client provisioning from a Satellite’s integrated Capsule (Optional)

69

UDP

TFTP

Clients downloading PXE boot image files from a Satellites' integrated Capsule for provisioning (Optional)

Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base system on which a Capsule Server is running.

Table 1.5. Ports for Satellite to Capsule Communication
PortProtocolServiceRequired for

443

TCP

HTTPS

Connections to the Pulp server in the Capsule

9090

TCP

HTTPS

Connections to the proxy in the Capsule

80

TCP

HTTP

Downloading a bootdisk (Optional)

Table 1.6. Optional Network Ports
PortProtocolServiceRequired For

22

TCP

SSH

Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible.

443

TCP

HTTPS

Satellite originated communications, for vCenter compute resource.

5000

TCP

HTTP

Satellite originated communications, for compute resources in OpenStack or for running containers.

22, 16514

TCP

SSH, SSL/TLS

Satellite originated communications, for compute resources in libvirt.

389, 636

TCP

LDAP, LDAPS

Satellite originated communications, for LDAP and secured LDAP authentication sources.

5900 to 5930

TCP

SSL/TLS

Satellite originated communications, for NoVNC console in web UI to hypervisors.

1.6. Enabling Connections from a Client to Satellite Server

Capsules and Content Hosts that are clients of a Satellite Server’s internal Capsule require access through Satellite’s host-based firewall and any network-based firewalls.

Use this section to configure the host-based firewall on the Red Hat Enterprise Linux 7 system that Satellite is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Section 1.5, “Ports and Firewalls Requirements”.

Configuring the Firewall

  1. To open the ports for Client to Satellite communication, enter the following command on the base system that you want to install Satellite on:

    # firewall-cmd \
    --add-port="53/udp" --add-port="53/tcp" \
    --add-port="67/udp" --add-port="69/udp" \
    --add-port="80/tcp"  --add-port="443/tcp" \
    --add-port="5000/tcp" --add-port="5647/tcp" \
    --add-port="8000/tcp" --add-port="8140/tcp" \
    --add-port="9090/tcp"
  2. Make the changes persistent:

    # firewall-cmd --runtime-to-permanent

1.7. Verifying Firewall Settings

You can verify changes to firewall settings using the firewall-cmd command.

To verify firewall settings:

# firewall-cmd --list-all

For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.

1.8. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.

Ensure that the host name and local host resolve correctly.

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:

# hostnamectl set-hostname name

For more information, see the Configuring Host Names Using hostnamectl in the Red Hat Enterprise Linux 7 Networking Guide.

Warning

Name resolution is critical to the operation of Satellite 6. If Satellite cannot properly resolve its fully qualified domain name, many options fail. Among these options are content management, subscription management, and provisioning.

1.9. Changing Default SELinux ports

Red Hat Satellite 6 uses a set of predefined ports. Because Red Hat recommends that SELinux on Satellite 6 systems be set to permissive or enforcing, if you need to change the port for any service, you also need to change the associated SELinux port type to allow access to the resources. You only need to change these ports if you use non-standard ports.

For example, if you change the Satellite web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type.

This change is also required for target ports. For example, when Satellite 6 connects to an external source, like Red Hat Virtualization or Red Hat OpenStack Platform.

You only need to make changes to default port assignments once. Updating or upgrading Satellite has no effect on these assignments. Updating only adds default SELinux ports if no assignments exist.

Before You Begin

Changing default ports to user-specified ports

  1. To change the port from the default port to a user-specified port, execute the commands using values that are relevant to your environment. These examples use port 99999 for demonstration purposes.

    Default PortSELinux Command

    80, 443, 8443

    semanage port -a -t http_port_t -p tcp 99999

    8080

    semanage port -a -t http_cache_port_t -p tcp 99999

    8140

    semanage port -a -t puppet_port_t -p tcp 99999

    9090

    semanage port -a -t websm_port_t -p tcp 99999

    69

    semanage port -a -t tftp_port_t -p udp 99999

    53 (TCP)

    semanage port -a -t dns_port_t -p tcp 99999

    53 (UDP)

    semanage port -a -t dns_port_t -p udp 99999

    67, 68

    semanage port -a -t dhcpd_port_t -p udp 99999

    5671

    semanage port -a -t amqp_port_t -p tcp 99999

    8000

    semanage port -a -t soundd_port_t -p tcp 99999

    7911

    semanage port -a -t dhcpd_port_t -p tcp 99999

    5000 on Red Hat Enterprise Linux 7

    semanage port -a -t commplex_main_port_t -p tcp 99999

    22

    semanage port -a -t ssh_port_t -p tcp 99999

    16514 (libvirt)

    semanage port -a -t virt_port_t -p tcp 99999

    389, 636

    semanage port -a -t ldap_port_t -p tcp 99999

    5910 to 5930

    semanage port -a -t vnc_port_t -p tcp 99999

  2. Disassociate the previously used port number and port type.
# semanage port -d -t virt_port_t -p tcp 99999
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.