Chapter 1. Preparing your Environment for Installation
1.1. System Requirements
The following requirements apply to the networked base operating system:
- x86_64 architecture
- The latest version of Red Hat Enterprise Linux 7 Server
- 4-core 2.0 GHz CPU at a minimum
- A minimum of 12 GB RAM is required for Capsule Server to function. In addition, a minimum of 4 GB of swap space is also recommended. A Capsule running with less RAM than the minimum value might not operate correctly.
- A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
- A current Red Hat Satellite subscription
- Administrative user (root) access
- A system umask of 0022
- Full forward and reverse DNS resolution using a fully-qualified domain name
Before you install Capsule Server, ensure that your environment meets the requirements for installation.
Capsule Server must be installed on a freshly provisioned system that serves no other function except to run Capsule Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Capsule Server creates:
- postgres
- mongodb
- apache
- qpidd
- qdrouterd
- squid
- foreman-proxy
- puppet
- puppetserver
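Three of the requirements above are easy to get wrong on a system that was not freshly provisioned: the host name character set, the 0022 umask, and a local Capsule user name that an external identity provider (LDAP, sssd) also supplies. The following pre-flight checks are an added example, not part of the Red Hat documentation; the function names are the author's own and the passwd and getent data are constructed. The external-user check compares what the name service resolves against what is in the local /etc/passwd, which is exactly the conflict the list above describes.

```shell
#!/bin/sh
# Added pre-flight checks for three of the requirements listed above.
# Example code, not part of the Red Hat documentation; function names are
# the author's own and the sample data below is constructed.

# Local users that Capsule Server creates (list from the section above).
# None of them may also be supplied by an external identity provider.
CAPSULE_LOCAL_USERS="postgres mongodb apache qpidd qdrouterd squid foreman-proxy puppet puppetserver"

# Host name rule: lower-case letters, digits, dots and hyphens only.
# LC_ALL=C keeps the a-z range ASCII-only regardless of the locale.
valid_capsule_hostname() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9.-]+$'
}

# True when the umask value (as printed by `umask`) is 0022. Leading zeros
# are normalised so that "022" and "0022" compare equal.
umask_is_0022() {
    [ "$(printf '%04o' "0$1")" = "0022" ]
}

# Prints each Capsule user that the name service knows but that is absent
# from the local /etc/passwd, i.e. supplied by an external source.
# $1 = contents of /etc/passwd, $2 = passwd-format lines from getent.
externally_provided_users() {
    for u in $CAPSULE_LOCAL_USERS; do
        if printf '%s\n' "$2" | grep -q "^$u:" &&
           ! printf '%s\n' "$1" | grep -q "^$u:"; then
            printf '%s\n' "$u"
        fi
    done
    return 0
}

# Constructed sample data: apache is a local user, postgres and puppet come
# from an external directory and would clash with the users the installer creates.
SAMPLE_LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
postgres:*:10001:10001:LDAP postgres:/home/postgres:/bin/bash
puppet:*:10002:10002:LDAP puppet:/home/puppet:/bin/bash'

# On a live system, look each user up individually: `getent passwd` with no
# argument often does not enumerate remote users.
#   externally_provided_users "$(cat /etc/passwd)" \
#       "$(for u in $CAPSULE_LOCAL_USERS; do getent passwd "$u"; done)"
# Demonstration on the constructed data (prints postgres and puppet):
externally_provided_users "$SAMPLE_LOCAL_PASSWD" "$SAMPLE_GETENT"
valid_capsule_hostname capsule01.example.com && echo "host name OK"
umask_is_0022 "$(umask)" || echo "umask is $(umask), expected 0022"
```

Any name printed by externally_provided_users must be removed from the identity provider's scope for this host (or the host excluded from that provider) before the installer runs, otherwise the installer's local user creation collides with the directory entry.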
For more information on scaling your Capsule Servers, see Capsule Server Scalability Considerations.
Certified hypervisors
Capsule Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Which hypervisors are certified to run Red Hat Enterprise Linux?.
SELinux Mode
SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.
FIPS Mode
You can install Capsule Server on a Red Hat Enterprise Linux system that is operating in FIPS mode. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.
1.2. Storage Requirements
The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.
The runtime size was measured with Red Hat Enterprise Linux 6, 7, and 8 repositories synchronized.
Directory | Installation Size | Runtime Size |
---|---|---|
/var/cache/pulp/ | 1 MB | 20 GB (Minimum) |
/var/lib/pulp/ | 1 MB | 300 GB |
/var/lib/mongodb/ | 3.5 GB | 50 GB |
/var/spool/squid/ | 0 GB | 10 GB |
/opt | 500 MB | Not Applicable |
1.3. Storage Guidelines
Consider the following guidelines when installing Capsule Server to increase efficiency.
- If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.
- Because most Capsule Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
- Using the same volume for the /var/cache/pulp/ and /var/lib/pulp/ directories can decrease the time required to move content from /var/cache/pulp/ to /var/lib/pulp/ after synchronizing.
- The /var/lib/qpidd/ directory uses slightly more than 2 MB per Content Host managed by the goferd service. For example, 10 000 Content Hosts require 20 GB of disk space in /var/lib/qpidd/.
- Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/mongodb/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high-latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 - 80 Megabytes per second. You can use the fio tool to get this data. See the Red Hat Knowledgebase solution Impact of Disk Speed on Satellite Operations for more information on using the fio tool.
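The first guideline above is a common blocker: hardening baselines routinely mount /tmp noexec, and the puppetserver service then fails to start. The following functions are an added example, not part of the Red Hat documentation; the function names are the author's own and the fstab content is constructed. They read an /etc/fstab in text form, report whether the /tmp entry carries noexec, and produce a corrected copy with only that option changed.

```shell
#!/bin/sh
# Added example for the /tmp guideline above: detect a noexec /tmp entry in
# /etc/fstab and produce a corrected copy. Example code, not from the Red Hat
# documentation; function names are the author's own and the fstab below is
# constructed.

# Print the mount options (field 4) of the fstab entry for mount point $2 in
# the fstab text $1. Comment and blank lines are skipped. Exit 1 if no entry.
fstab_mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $2 == mp { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# True when the entry for mount point $2 carries noexec, the state that stops
# the puppetserver service from working.
fstab_has_noexec() {
    opts=$(fstab_mount_options "$1" "$2") || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the fstab text with noexec replaced by exec on mount point $2 only.
# Other lines pass through unchanged; the edited line is re-joined with
# single spaces because awk rebuilds the record when a field is assigned.
fstab_set_exec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        !/^[[:space:]]*#/ && NF > 0 && $2 == mp {
            n = split($4, o, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (o[i] == "noexec") o[i] = "exec"
                out = out (i > 1 ? "," : "") o[i]
            }
            $4 = out
        }
        { print }'
}

# Constructed fstab with /tmp on its own file system mounted noexec.
SAMPLE_FSTAB='# constructed /etc/fstab for this example
/dev/mapper/rhel-root  /     xfs  defaults                       0 0
/dev/mapper/rhel-tmp   /tmp  xfs  defaults,nodev,nosuid,noexec   0 0
/dev/mapper/rhel-var   /var  xfs  defaults                       0 0'

if fstab_has_noexec "$SAMPLE_FSTAB" /tmp; then
    echo "/tmp is mounted noexec; corrected entry:"
    fstab_set_exec "$SAMPLE_FSTAB" /tmp | awk '$2 == "/tmp"'
fi
# On a live system: write the corrected file to a copy, review it, install it
# over /etc/fstab, then remount so the change takes effect immediately:
#   fstab_set_exec "$(cat /etc/fstab)" /tmp > /etc/fstab.new
#   mount -o remount,exec /tmp
```

Only the noexec token is touched, so nodev and nosuid on /tmp survive the change; the guideline requires exec for puppetserver, not a fully default mount.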
File System Guidelines
- Use the XFS file system for Red Hat Satellite 6 because it does not have the inode limitations that ext4 does. Because Capsule Server uses a lot of symbolic links, it is likely that your system might run out of inodes if using ext4 and the default number of inodes.
- Do not use NFS with MongoDB because MongoDB does not use conventional I/O to access data files, and performance problems occur when both the data files and the journal files are hosted on NFS. If required to use NFS, mount the volume with the following options in the /etc/fstab file: bg, nolock, and noatime.
- Do not use NFS for Pulp data storage. Using NFS for Pulp has a negative performance impact on content synchronization.
- Do not use the GFS2 file system as the input-output latency is too high.
Log File Storage
Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see Log Rotation in the Red Hat Enterprise Linux 7 System Administrator’s Guide.
The exact amount of storage you require for log messages depends on your installation and setup.
SELinux Considerations for NFS Mount
When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following line to /etc/fstab:
nfs.example.com:/nfsshare /var/lib/pulp/content nfs context="system_u:object_r:httpd_sys_rw_content_t:s0" 1 2
If the NFS share is already mounted, remount it using the above configuration and enter the following command:
# chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp
Duplicated Packages
Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/mongodb/ and /var/lib/pulp/ directories. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.
Temporary Storage
The /var/cache/pulp/ directory is used to temporarily store content while it is being synchronized. After a full synchronization task is completed, the content is moved to the /var/lib/pulp/ directory.
For content in RPM format, each RPM file is moved to the /var/lib/pulp directory after it is synchronized. A maximum of 5 RPM files are stored in the /var/cache/pulp/ directory at any time. Up to 8 RPM content synchronization tasks can run simultaneously by default, with each using up to 1 GB of metadata.
Software Collections
Software collections are installed in the /opt/rh/ and /opt/theforeman/ directories.
Write and execute permissions by the root user are required for installation to the /opt directory.
Symbolic links
You cannot use symbolic links for /var/lib/pulp/ and /var/lib/mongodb/.
Synchronized RHEL ISO
If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.
1.4. Supported Operating Systems
You can install the operating system from a disc, local ISO image, kickstart, or any other method that Red Hat supports. Red Hat Capsule Server is supported only on the latest version of Red Hat Enterprise Linux 7 Server that is available at the time Capsule Server 6.8 is installed. Previous versions of Red Hat Enterprise Linux, including EUS or z-stream, are not supported.
Red Hat Capsule Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Capsule Server first, then create a backup of the system before adding any non-Red Hat software.
Install Capsule Server on a freshly provisioned system.
Do not register Capsule Server to the Red Hat Content Delivery Network (CDN).
Red Hat does not support using the system for anything other than running Capsule Server.
1.5. Ports and Firewalls Requirements
For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.
The installation of a Capsule Server fails if the ports between Satellite Server and Capsule Server are not open before installation starts.
Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
Integrated Capsule
Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.
Clients of Capsule
Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.
Required ports can change based on your configuration.
A matrix table of ports is available in the Red Hat Knowledgebase solution Red Hat Satellite List of Network Ports.
The following tables indicate the destination port and the direction of network traffic:
Ports for Capsule to Satellite communication:
Port | Protocol | Service | Required For |
---|---|---|---|
5646 | TCP | amqp | Capsule’s Qpid dispatch router to Qpid dispatch router in Satellite |
Ports for Client to Capsule communication:
Port | Protocol | Service | Required For |
---|---|---|---|
80 | TCP | HTTP | Anaconda, yum, and for obtaining Katello certificate updates |
443 | TCP | HTTPS | Anaconda, yum, Telemetry Services, and Puppet |
5647 | TCP | AMQP | Katello agent to communicate with Capsule’s Qpid dispatch router |
8000 | TCP | HTTPS | Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware |
8140 | TCP | HTTPS | Puppet agent to Puppet master connections |
8443 | TCP | HTTPS | Subscription Management Services and Telemetry Services |
9090 | TCP | HTTPS | Sending SCAP reports to the Capsule and for the discovery image during provisioning |
53 | TCP and UDP | DNS | Client DNS queries to a Capsule’s DNS service (Optional) |
67 | UDP | DHCP | Client to Capsule broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional) |
69 | UDP | TFTP | Clients downloading PXE boot image files from a Capsule for provisioning (Optional) |
5000 | TCP | HTTPS | Connection to Katello for the Docker registry (Optional) |
Ports for Capsule to Client communication:
Port | Protocol | Service | Required For |
---|---|---|---|
7 | TCP and UDP | ICMP | DHCP Capsule to Client network, ICMP ECHO to verify IP address is free (Optional) |
68 | UDP | DHCP | Capsule to Client broadcasts, DHCP broadcasts for Client provisioning from a Capsule (Optional) |
8443 | TCP | HTTP | Capsule to Client "reboot" command to a discovered host during provisioning (Optional) |
Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.
Additional ports for Satellite Server and Capsule originated communication:
Port | Protocol | Service | Required For |
---|---|---|---|
22 | TCP | SSH | Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible. |
7911 | TCP | DHCP | |
A DHCP Capsule sends an ICMP ECHO to confirm an IP address is free, no response of any kind is expected. ICMP can be dropped by a networked-based firewall, but any response prevents the allocation of IP addresses.
1.6. Enabling Connections from Capsule Server to Satellite Server
On Satellite Server, you must enable the incoming connection from Capsule Server to Satellite Server and make this rule persistent across reboots.
Prerequisites
- Ensure that the firewall rules on Satellite Server are configured to enable connections for client to Satellite communication, because Capsule Server is a client of Satellite Server. For more information, see Enabling Connections from a Client to Satellite Server in Installing Satellite Server from a Connected Network.
Procedure
On Satellite Server, enter the following command to open the port for Capsule to Satellite communication:
# firewall-cmd --add-port="5646/tcp"
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
1.7. Enabling Connections from Satellite Server and Clients to a Capsule Server
On the base operating system on which you want to install Capsule, you must enable incoming connections from Satellite Server and clients to Capsule Server and make these rules persistent across reboots.
Procedure
On the base operating system on which you want to install Capsule, enter the following command to open the ports for Satellite Server and clients communication to Capsule Server:
# firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp" \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5000/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp"
Make the changes persistent:
# firewall-cmd --runtime-to-permanent
1.8. Verifying Firewall Settings
Use this procedure to verify your changes to the firewall settings.
Procedure
To verify the firewall settings, complete the following step:
Enter the following command:
# firewall-cmd --list-all
For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.
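Reading firewall-cmd --list-all by eye is error-prone when twelve ports are involved, and the installer fails if any of them is closed. The following check is an added example, not part of the Red Hat documentation; the function name is the author's own, the required list is the set of ports opened by the command in Section 1.7, and the firewall-cmd output is a constructed sample. It compares the zone's ports: line against that list and prints whatever is still missing.

```shell
#!/bin/sh
# Added example: compare `firewall-cmd --list-all` output with the ports that
# Section 1.7 opens on a Capsule Server. Example code, not from the Red Hat
# documentation; the function name is the author's own and the sample output
# below is constructed.

# Required ports, taken from the firewall-cmd command in Section 1.7
# (Satellite Server and clients to Capsule Server).
CAPSULE_PORTS="53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5000/tcp 5647/tcp 8000/tcp 8140/tcp 8443/tcp 9090/tcp"

# Read `firewall-cmd --list-all` output on stdin and print every required
# port/protocol pair that does not appear on its "ports:" line.
# Only the "ports:" line is inspected: a port opened by service name (for
# example "services: http") is listed elsewhere and would be reported as
# missing here, so check the services line as well when that is how a port
# was opened.
missing_capsule_ports() {
    opened=$(awk '/^[[:space:]]*ports:/ { sub(/^[[:space:]]*ports:[[:space:]]*/, ""); print }')
    for p in $CAPSULE_PORTS; do
        found=0
        for o in $opened; do
            [ "$o" = "$p" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Constructed `firewall-cmd --list-all` output: every port from Section 1.7
# is open except 9090/tcp (SCAP reports and the discovery image).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 53/udp 53/tcp 67/udp 69/udp 80/tcp 443/tcp 5000/tcp 5647/tcp 8000/tcp 8140/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: '

# Against the live firewall:  firewall-cmd --list-all | missing_capsule_ports
# Demonstration on the constructed sample (prints 9090/tcp):
printf '%s\n' "$SAMPLE_LIST_ALL" | missing_capsule_ports
```

An empty result means the runtime configuration matches Section 1.7; run the same check against firewall-cmd --list-all --permanent to confirm that --runtime-to-permanent was applied and the rules survive a reboot.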