cancel
Showing results for 
Search instead for 
Did you mean: 
JS_Learning
Starfighter Starfighter
Starfighter
  • 4,323 Views

RH 403: Satellite 6.6: How to find the ports needed to be opened for capsule communication?

 

Hi,

I'm familiar with firewall-cmd to configure. The problem is how to find the ports required to be opened for Satellite, for example for the capsule installation?

I do have the guide, but when there is a generic question like "Configure the firewall rules on the capsule.lab.example.com system.", I'm unable to remember them all.

Is there a way to find a file on the server listing all the required ports?

 

Many thanks,

 

 

0 Kudos
6 Replies
littlebigfab
Starfighter Starfighter
Starfighter
  • 4,307 Views

Hi @JS_Learning ,

To that extent, I always use :

ss -lnptu

ss is the Socket Statistics utility. These arguments stand for:
l: listening
n: numeric (ie: 80 instead of http)
p: program (ie: httpd)
t: tcp
u: user name (ie: apache)

0 Kudos
JS_Learning
Starfighter Starfighter
Starfighter
  • 4,289 Views

Hi Thanks, @littlebigfab 

I actually know about ss (which is better and faster than the old netstat), I don't see how to use it in the context of knowing the ports "prior to Satellite installation".

I mean in the training instructions one has to open the fw ports prior installing. So I don't know if ss would list that. I'm recreating the lab, I will try anyway.

At first I was hoping the required ports are documented in a readme or man page, somewhere...

Thanks again for the suggestion.

Edit: so I just done the training again, and indeed, it asks to know the ports prior installation:

"To perform software deployment, configuration management, and provisioning, Satellite Server requires that the following traffic be allowed:".

I'm just trying to find out if that information exist from within the system, for example if such a question is required for the EX403, then one can find it out.  Having said that, it does not say one should be able to install Satellite in the exams objectives. Anyway, if the information is listed somewhere, for example satellite-installer, then it's good to know.

 

0 Kudos
littlebigfab
Starfighter Starfighter
Starfighter
  • 4,283 Views

Hi @JS_Learning,

OK, sorry, I didn't understand that you needed that prior to the software installation ;)

I used Satellite only in DO405 where it is used as a puppet master and repository. In the corresponding labs, I used ss to retrieve the tcp port in use (8140/tcp), which had to be open in the system's firewall. I thought that might be usefull in your case too.

I haven't taken EX403 ever. However, based on my personal experience with a bunch of other exams, I'd say that you can rely on exam's objectives.

Good luck with your exam !

0 Kudos
JS_Learning
Starfighter Starfighter
Starfighter
  • 4,279 Views

Thanks no worries. SS is good to know too and a good reminder!

In general it's not only about the exam, it's about finding out the information to be able to be autonomous. I call simply copying/paste from instructions being a "clever monkey", I like to avoid that after following trainings.

For example, in order to install a Satellite Capsule, I know that the steps are available from within the system, using the capsule-certs-generate (it will show the user the command to run).

That is why I am asking about the FW port, they must be listed somewhere, I suspect.

FYI, I resumed my training and tried the ss on an already installed Satellite, well it does not even list all ports (for example I doubt goferd is in the training, there's no such ports in ss, since that does not run). So that would result in incomplete FW ports.

If I find where it could be documented from within, I'll add it here.

I'm glad someone replied to help though, it has been a bit quiet around here lately :)

 

 

0 Kudos
JS_Learning
Starfighter Starfighter
Starfighter
  • 4,263 Views

@littlebigfab I have something!

My question was about finding the ports required for Satellite 6, from within the system, to be able to be autonomous.

Well I started doing the RH6.6 Video based course (because the lab is currently not working on the Text based course, I was tired of losing time). The trainer is sharing a much more useful tip:

Instead of adding each ports individually, one can add the relevant service:

firewall-cmd --add-service=RH-Satellite-6

I digged a bit more and found one can:

firewall-cmd --info-service=RH-Satellite-6

ports: 68/udp 5000/tcp 5646-5647/tcp 5671/tcp 8000/tcp 8080/tcp 8140/tcp 9090/tcp

The problem is that does not corresponds to the course ports:

firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp" \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5000/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp" --permanent

EDIT: the RH-Satellite-6 service has a configuration file (cat /usr/lib/firewalld/services/RH-Satellite-6.xml) consistent with the ports listed in the course. It seems it changes between RHEL releases. I took my information not from RHEL7, maybe that explains the inconsistency.

Also, I don't know if there is a service for "RH-Capsule" related ports, as I think they are slighty different than RH Satellite.

I'm going to ask to the trainers directly.

 

Having said that, it seems that its much simpler to add the service rather than listing each individual ports.

 

Cheers,

 

littlebigfab
Starfighter Starfighter
Starfighter
  • 4,250 Views

Good job @JS_Learning ! I would not have thought of a firewalld service.

I recently realized too that some video based classrooms bring real value compared to the text training course. It all depends on the proctor I guess. I really love Piotr Baranowski in RH442. He brings real value to the matter from his own personal experience, precious advices and anecdotes, all that with a great personality which makes the course alive ;)

Join the discussion
You must log in to join this conversation.