Bug
Resolution: Unresolved
Normal
Rocket
Moderate
Sat_docs_1_2024, Sat_docs_2_2024
Document URL:
I am not sure which would be the right docs, but I will pinpoint both the related doc links:
Applicable for 6.10+ (any versions)
Section Number and Name:
1.6. Ports and Firewalls Requirements
3.3. Registering Hosts by Using Global Registration
Describe the issue:
If someone is using the "Global Registration" method to register a system directly with Satellite but has no allowed incoming access to port 80 of Satellite, the registration will fail or only partially complete.
It would also leave the host in build mode, and no host facts would be uploaded back to Satellite.
This is not an issue if the same method is used to register a system through an external Capsule server.
Suggestions for improvement:
Ports 443 and 80 --> both need to be opened for Satellite.
Ports 443, 9090 and 8000 --> need to be opened for Capsule.
While customers are aware of the Capsule end requirement, some customers who are not aware of the port 80 requirement of Satellite can often run into problems during registration, and most of them want to block any incoming access to port 80. We should clarify somewhere that an incoming connection to port 80 is also needed for the Global Registration method to work with Satellite.
(As mentioned earlier, for Capsule it is not needed.)
NOTE: It's not an unusual thing to block port 80 access to a Satellite or Capsule.
Additional information:
I will share some technical background as well.
Satellite by default does not have the template feature enabled, and hence, to submit/update the build status of a host, this API "GET /unattended/built?token=<token here>" always targets port 80 of Satellite over HTTP.
This is the very last step of the Global Registration method, and if port 80 is blocked, this step will fail.
For external capsules,
--> Templates feature is enabled
--> So any template retrieval or build status submission happens over port 8000
So port 80 is not directly needed here.
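
A preflight connectivity check for the port requirements listed in this report, as an added example that is not part of the original report or of Satellite's own tooling. The script and its function names are hypothetical, and it assumes bash and coreutils `timeout` are present on the host being registered.

```shell
#!/bin/sh
# Preflight for Global Registration: verify that the TCP ports named in the
# report are reachable from this host before running the registration command.

# Ports per target type, as listed in the report above.
required_ports() {
    case "$1" in
        satellite) echo "443 80" ;;        # port 80 serves GET /unattended/built
        capsule)   echo "443 9090 8000" ;; # templates/build status use port 8000
        *) echo "unknown target type: $1" >&2; return 2 ;;
    esac
}

# Succeeds if a TCP connection to host:port opens within 5 seconds.
# Assumption: bash (for /dev/tcp) and coreutils timeout are installed.
probe_tcp() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Prints the space-separated required ports that could not be reached.
blocked_ports() {
    kind=$1 host=$2 blocked=""
    ports=$(required_ports "$kind") || return 2
    for p in $ports; do
        probe_tcp "$host" "$p" || blocked="$blocked $p"
    done
    echo "${blocked# }"
}

# Usage: sh preflight.sh satellite|capsule <fqdn>
if [ "$#" -eq 2 ]; then
    missing=$(blocked_ports "$1" "$2") || exit 2
    if [ -n "$missing" ]; then
        echo "Blocked from this host to $2: $missing" >&2
        case " $missing " in
            *" 80 "*) [ "$1" = satellite ] &&
                echo "Port 80 blocked: the build status call will fail and the host stays in build mode." >&2 ;;
        esac
        exit 1
    fi
    echo "All required ports are reachable on $2"
fi
```

Run it from the host that is about to be registered, since the firewall path being tested is host to Satellite or host to Capsule.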