[Katello] Required ports for Katello agent

Hi,

At the moment I'm just trying to get Content Hosts that live in a DMZ to be
able to connect back to the Katello server.

In particular I'm a little confused about the ports required for the Qpid
connection(s) from the Katello agent.

Initially I had looked at connections from a Content Host back to the
Katello server for a client with the 2.3 version of the Katello agent
installed; I saw a connection on port 5647 and this is what I asked to be
opened on the firewall.

However, when I came to test the Katello agent on an actual DMZ host, the
host in question had the 2.1 Katello agent installed, and tried to connect
back to Katello on port 5671, which didn't get through the firewall.

So, did the port number change between Katello 2.1 and 2.3 somewhere? I see
no mention of this in the release notes…

Cheers,

John

On Wed, Sep 02, 2015 at 06:21:26AM -0700, John Beranek - PA wrote:
> So, did the port number change between Katello 2.1 and 2.3 somewhere? I see
> no mention of this in the release notes…

It was part of Isolated Capsules that came in 2.2, where a host can be
setup to only talk to its capsule. That required introduction of a new
project called qpid-dispatcher which routes messages around. You'd have
to upgrade the 2.1 agent and have it connect on 5647.

There's a diagram here:
http://www.katello.org/docs/2.2/user_guide/capsules/index.html


You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Best Regards,

Stephen Benjamin
Red Hat Engineering

On Wednesday, 2 September 2015 18:50:54 UTC+1, stephen wrote:
> It was part of Isolated Capsules that came in 2.2, where a host can be
> setup to only talk to its capsule. That required introduction of a new
> project called qpid-dispatcher which routes messages around. You'd have
> to upgrade the 2.1 agent and have it connect on 5647.

OK, so at least it's not a surprise.

We will eventually upgrade all clients to the 2.3 agent, but we have the
Katello agent as a repository in Katello (chicken and egg…) and the
latest CentOS updates have to pass through the environments first…

So, just to confirm, with the 2.3 agent, the only required port for the
broker is 5647?

Cheers,

John

One extra thing: slightly confused by the diagram, as it shows a connection
to RHSM on port 8443, but in our installation with no separate Capsules,
the RHSM connection is to port 443 on the Katello server, not port 8443.

John


On Wed, Sep 02, 2015 at 11:27:48AM -0700, John Beranek - PA wrote:
> One extra thing: slightly confused by the diagram, as it shows a connection
> to RHSM on port 8443, but in our installation with no separate Capsules,
> the RHSM connection is to port 443 on the Katello server, not port 8443.

Old clients would still talk to 443 on the Katello. If you install the
katello-ca-consumer-latest.noarch.rpm from the capsule /pub, you'd talk
to the capsule on 8443, no comms direct to Katello itself.




Best Regards,

Stephen Benjamin
Red Hat Engineering

On Wed, Sep 02, 2015 at 11:19:59AM -0700, John Beranek - PA wrote:
> OK, so at least it's not a surprise.
>
> We will eventually upgrade all clients to the 2.3 agent, but we have the
> Katello agent as a repository in Katello (chicken and egg…) and the
> latest CentOS updates have to pass through the environments first…
>
> So, just to confirm, with the 2.3 agent, the only required port for the
> broker is 5647?

Yup, well that and the HTTP(s) ports for yum itself to do its thing.




Best Regards,

Stephen Benjamin
Red Hat Engineering
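
An added example, not part of the thread and not Katello project code: a small check to run on a content host that derives the egress ports discussed above from the agent version (5671 for 2.1, 5647 from 2.2 on; RHSM on 443, or 8443 via a capsule) and reports which ones the firewall still blocks. The function names are hypothetical, and the yum port is assumed to be standard HTTPS (443), since the thread only says "HTTP(s) ports".

```python
import socket
import sys

def required_ports(agent_version, via_capsule=False):
    """Map purpose -> TCP port a content host must reach, as stated in the thread."""
    major, minor = (int(part) for part in agent_version.split(".")[:2])
    # 2.1 agents connect to Qpid on 5671; agents from 2.2 on (qpid-dispatcher) use 5647.
    qpid = 5647 if (major, minor) >= (2, 2) else 5671
    # RHSM is 443 on the Katello server, or 8443 when the host is registered to a capsule.
    rhsm = 8443 if via_capsule else 443
    # Assumption: yum content is fetched over the standard HTTPS port.
    return {"qpid": qpid, "rhsm": rhsm, "yum-https": 443}

def fleet_ports(agent_versions, via_capsule=False):
    """Union of ports to request while hosts still run mixed agent versions."""
    ports = set()
    for version in agent_versions:
        ports.update(required_ports(version, via_capsule).values())
    return sorted(ports)

def probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def blocked(host, agent_version, via_capsule=False, timeout=3.0):
    """Ports from required_ports() that cannot be reached from this host."""
    needed = required_ports(agent_version, via_capsule)
    return {name: port for name, port in needed.items()
            if not probe(host, port, timeout)}

if __name__ == "__main__":
    # Usage (run on the content host): script.py <server-or-capsule> <agent-version>
    if len(sys.argv) != 3:
        sys.exit("usage: %s <server> <agent-version>" % sys.argv[0])
    for name, port in blocked(sys.argv[1], sys.argv[2]).items():
        print("blocked: %s tcp/%d" % (name, port))
```

`fleet_ports(["2.1", "2.3"])` gives the rule set needed during the upgrade window; once every host runs the newer agent, 5671 can be dropped from the firewall request.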