Proposal: Align ports for katello/foreman scenarios (9090 vs 8443)


We’ve been using port 8443 for the https proxy endpoint for years; the katello installation scenario cannot use this port because it is already in use (qpidd I think, not sure).

I would like to propose a default change from 8443 to 9090. Reasons:

  • Very confusing for users working with both Foreman and Katello scenarios.
  • Hard to debug - 8443 is also accepting SSL connections with a different certificate.
  • Align Foreman vs Katello scenarios, therefore upstream and downstream.

Changing the installer default is definitely not enough; since Puppet would overwrite this setting, we need to figure out a way for a smooth upgrade. The register-in-foreman installer step would likely start failing. I am not sure if it is possible to detect a parameter change in Puppet and take some action (foreman-rake console command to change ports for all proxies).

I think the cleanest execution would be to only do this for new installations, perhaps a bit of Puppet code that would detect if it’s a brand new installation or an already existing one. Could also be somewhere in kafo.



Big :+1: for aligning foreman and Katello. I do wonder if we should align Foreman or align Katello.

It’s candlepin.

The biggest downside of 9090 is that it’s already in use by cockpit (

@stbenjam has looked at this before and in he describes some of his previous effort.


Thank God I am not alone! :slight_smile:

I think the decision can be made based on what’s the easiest and smoothest experience for the upgrade process. Honestly, port numbers below 10000 are a tight area; we will always hit something. Now, after hearing that it’s candlepin vs cockpit, I’d vote for changing candlepin because cockpit is definitely more popular and can possibly confuse more users.

We could also move Smart Proxy port somewhere else to >10000.

Yeah, +1 to changing both candlepin and foreman-proxy! Everything wants to use 8443 :frowning:


A year or more ago, there were discussions around port alignment across services to have more predictability. The RFC that may provide some useful information was at:


In short, one of the options you give is to move Smart Proxy to 9090, which I think is the best option - fewer users need to do a migration. Also, SELinux does not need to be taken into account - it’s a trivial change.

The second point is the reverse proxy; I actually vote for keeping it as is on 8443 because we can later decide to create a webUI for the proxy and we have a problem.

There is also port 8000 used for the template proxy; that can stay as is as well.

The rest of the proposal covers the possibility of doing bigger changes; I’d rather stick with the minimum change, which to me looks like 8443 -> 9090 for smart-proxy only.

That would still leave the conflict with cockpit.

This is only relevant in the foreman_proxy_content scenario. For katello, candlepin directly serves on port 8443 without a reverse proxy, and foreman doesn’t have candlepin nor the reverse proxy at all.

Ah right, cockpit of course. New proposal then based off Eric’s:

  • move proxy to 9070 which seems to be empty
  • create iptables forward rule for existing installations (opt-in)