SmartProxy with Ansible (RCE) and Puppet + PuppetCA. Confused regarding ports

Preamble:
I have been tasked with setting up management of external laptops running Linux (Ubuntu) and after looking at other alternatives, I've concluded that I want to use our existing Foreman w/Katello solution for this.

I want to use Ansible for the possibility of running once-off setups like drive encryption etc. I want to use Puppet for general config management, I want to use Katello repos for supplying various packages and I want to use OpenSCAP for compliance reports.

Problem:
I'm working on documentation and I get a bit confused about various aspects of this setup.
The first is which ports are needed for the various services to function.

As mentioned, I have the following services that I want to work:

  • Ansible/RCE
  • Content distribution
  • Puppet
  • OpenSCAP

From what I've gathered we need to have bi-directional communication on all of these:

  • TCP 22 - Run Ansible/RCE and get result (??)
  • TCP 443 - Pull packages from Katello package repos
  • TCP 8140 - Puppet agent (Facts/Catalog/report)
  • TCP 9090 - OpenSCAP client (SCAP content/Reports)

The second question revolves around Puppet and certificates:
I don't want to have anything open directly to the Foreman server, all communication should be between proxy and clients.
For the puppet agent on clients to get a certificate I understand that I will need to run the PuppetCA role on the smart proxy, but what port will this use? 8443? 443? 8140?

Expected outcome:
I want everything to work as it does internally when servers are communicating directly with the Foreman server. I want facts and reports for each client on the Foreman server and I want to be able to manage the clients with Puppet and Ansible.
Foreman and Proxy versions:
v3.10
Distribution and version:
RHEL 8.9

I have searched the forums and I find some related posts, but nothing conclusive. I've also read the documentation but I'm having a hard time finding concrete answers to my questions. Please forgive me if I missed something obvious and do let me know if there is any crucial information I left out.

For most of these things, you need bidirectional communication between Foreman and the smart proxy. In general that means Foreman needs to talk to port 9090 on the machine where the smart proxy is (might be the same machine), and the smart proxy needs to talk to port 443 on the machine where Foreman runs.

You need SSH between the smart proxy and the target hosts, but only in one direction: from proxy to hosts.

Clients need to be able to upload their reports to the smart proxy, that should be port 9090.

For content and puppet I’ll defer to @iballou and @lstejska

Hello,

Yes, I didn't specify the internal communication (Foreman ↔ SmartProxy), I think I'm aware of the ports needed there.

I think I got a bit confused when I was searching for answers to these questions last week, and I got tangled up a bit.
Your comment helped me clear that confusion, I think.

What is mostly unclear now is if I need to have the PuppetCA role enabled on the smart proxy, or if it can just act as a pure proxy and send related certificate requests/revocations to the internal PuppetCA (Foreman server).

So from what I gather this should be correct…
The smart proxy can't really proxy certificate related stuff and needs to run the PuppetCA module.
Which wouldn't be a problem, the clients will never connect directly to Foreman (or any other proxy).

I think I did in the first paragraph?

In the diagram, there's definitely no connection from the proxy to the client using port 9090. You can use remote execution to execute the scan (so proxy -> client on port 22), but the report is then sent back by the client to the proxy separately (so client -> proxy on 9090).

The “sync scap content/policies” goes the other way around. When the scan runs on the client, the client asks the proxy for the contents/policy. If the proxy doesn’t have the contents, it pulls them from Foreman and passes them on to the client.

Also in the Ansible/remote execution part, the arrow going back from client to proxy goes over the same connection, so you don't actually need port 22 open on the proxy. I think you meant it that way, but it is easy to misread.

That sounds reasonable, but I’m not familiar with it so I can’t vouch for that.

I appreciate you taking time to answer my (somewhat) stupid questions.

I've looked at the documentation again, and where I got TCP 9090 from was this:
Installing an External Smart Proxy Server 3.5
Table 3. Smart Proxy incoming traffic

This states that TCP 9090 is for "Configure Client (if the OpenSCAP plugin is installed)" (Client -> SmartProxy)

I updated my diagram a bit. I'm not sure I'm using the dotted lines correctly, but they signify responses. I removed the port numbers to show that it's not its own connection. It might not be 100% correct, but I think it's getting close at least.

There’s no such thing as that

Yeah, the table is not ideal. The line should still be there, just in the other direction.

I still think all the Foreman server → smart proxy connections ("Initiate remote command", "Schedule compliance scan") go on 9090.

And a small nitpick: the "Send SCAP content & profile (22)" would be better expressed as "Configure profile and periodic scanning (22)".

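One way to turn the port matrix settled in this thread into a reachability check an admin can run on a laptop before enrolling it; this is an added example, not code from the thread or from Foreman. It assumes the client -> proxy 443 (content) and 8140 (Puppet) flows from the original question (the replies only confirm 9090, 22 and 443 to Foreman) and uses a constructed proxy hostname.

```python
"""Probe the Foreman / Smart Proxy / client port matrix from this thread (example code)."""
import socket
from typing import Callable, Dict, List, Tuple

# (source role, destination role, TCP port, purpose) as agreed in the thread.
# Assumption: 8140 and 443 from client to proxy come from the original question only.
FLOWS: List[Tuple[str, str, int, str]] = [
    ("foreman", "proxy", 9090, "Initiate remote command / schedule compliance scan"),
    ("proxy", "foreman", 443, "Smart proxy API calls and report upload to Foreman"),
    ("proxy", "client", 22, "Ansible / remote execution over SSH; results return on the same connection"),
    ("client", "proxy", 9090, "OpenSCAP: fetch SCAP content/policy and upload reports"),
    ("client", "proxy", 8140, "Puppet agent: facts, catalog, report (assumption)"),
    ("client", "proxy", 443, "Katello content from the proxy (assumption)"),
]


def outbound_for(role: str) -> List[Tuple[str, int, str]]:
    """Flows a host with this role must be able to open: (destination role, port, purpose)."""
    return [(dst, port, why) for src, dst, port, why in FLOWS if src == role]


def inbound_for(role: str) -> List[Tuple[str, int, str]]:
    """Flows a host with this role must accept: (source role, port, purpose)."""
    return [(src, port, why) for src, dst, port, why in FLOWS if dst == role]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def check_role(role: str, hosts: Dict[str, str],
               probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[Tuple[str, int], bool]:
    """Probe every outbound flow for `role`; hosts maps role name -> address.
    Roles missing from `hosts` are skipped, so a client only needs the proxy address."""
    results: Dict[Tuple[str, int], bool] = {}
    for dst, port, _why in outbound_for(role):
        if dst in hosts:
            results[(dst, port)] = probe(hosts[dst], port)
    return results


if __name__ == "__main__":
    # Constructed hostname: clients never need a route to Foreman itself.
    report = check_role("client", {"proxy": "proxy.example.invalid"})
    for (dst, port), ok in sorted(report.items()):
        print(f"client -> {dst}:{port}: {'ok' if ok else 'BLOCKED'}")
```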