Review firewall requirements

[aneta-petrova]

What changes are you introducing?

• Moving the conceptual, referential information (to be used during the planning phase by the architect persona) from the Installation guide to the Planning guide. This includes:
• • Reviewing the contents of this new "networking considerations" section in the Planning guide
• • Moving security considerations to a different place in the Planning guide's table of contents
• Reviewing the procedural information (to be used during the installation phase by the admin persona) in the Installation guide. This includes:
• • Merging existing separate procedures (one for server, one for smart proxy) and three firewalld-related snippets into a single procedure module.
• Fixing various xrefs and links that got broken by all the renaming.

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

This is part of preparing the installation prerequisites for the new installation guide in #4087

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

N/A

Contributor checklists

• I am okay with my commits getting squashed when you merge this PR.
• I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

• Foreman 3.16/Katello 4.18 (Satellite 6.18)
• Foreman 3.15/Katello 4.17
• Foreman 3.14/Katello 4.16 (Satellite 6.17; orcharhino 7.4)
• Foreman 3.13/Katello 4.15 (EL9 only)
• Foreman 3.12/Katello 4.14 (Satellite 6.16; orcharhino 7.2 on EL9 only; orcharhino 7.3)
• Foreman 3.11/Katello 4.13 (orcharhino 6.11 on EL8 only; orcharhino 7.0 on EL8+EL9; orcharhino 7.1 with Leapp)
• Foreman 3.10/Katello 4.12
• Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8/6.9/6.10)
• We do not accept PRs for Foreman older than 3.9.

Review checklists

Tech review (performed by an Engineer who did not author the PR; can be skipped if tech review is unnecessary):

• The PR documents a recommended, user-friendly path.
• The PR removes steps that have been made unnecessary or obsolete.
• Any steps introduced or updated in the PR have been tested to confirm that they lead to the documented end result.

Style review (by a Technical Writer who did not author the PR):

• The PR conforms with the team's style guidelines.
• The PR introduces documentation that describes a user story rather than a product feature.

[github-actions]

The PR preview for 3c96f12 is available at theforeman-foreman-documentation-preview-pr-4210.surge.sh

The following output files are affected by this PR:

• Administering_Project/index-foreman-deb.html
• Administering_Project/index-foreman-el.html
• Administering_Project/index-katello.html
• Administering_Project/index-orcharhino.html
• Administering_Project/index-satellite.html
• Configuring_Load_Balancer/index-katello.html
• Configuring_Load_Balancer/index-satellite.html
• Installing_Proxy/index-foreman-el.html
• Installing_Proxy/index-katello.html
• Installing_Proxy/index-orcharhino.html
• Installing_Proxy/index-satellite.html
• Installing_Server/index-foreman-deb.html
• Installing_Server/index-foreman-el.html
• Installing_Server/index-katello.html
• Installing_Server/index-orcharhino.html
• Installing_Server/index-satellite.html
• Installing_Server_Disconnected/index-satellite.html
• Planning_for_Project/index-foreman-deb.html
• Planning_for_Project/index-foreman-el.html
• Planning_for_Project/index-katello.html
• Planning_for_Project/index-orcharhino.html
• Planning_for_Project/index-satellite.html
• Provisioning_Hosts/index-foreman-deb.html
• Provisioning_Hosts/index-foreman-el.html
• Provisioning_Hosts/index-katello.html

show diff

show diff as HTML

[aneta-petrova]

Hi @ekohl, this is my idea for how to split and organize the docs about ports between Planning and Installation. Can you please take a look? Does this go in the direction that you had in mind?

[ekohl]

For this chapter we run into the naming problem: Capsule in downstream is IMHO something quite different than a Smart Proxy.

My interpretation:

• Smart Proxy: the generic concept that Foreman connects to
• Foreman Proxy: the Ruby implementation of Smart Proxy
• Capsule: The downstream naming for a server that has a few services: Foreman Proxy, Pulp, Apache (for the RHSM registration API). Upstream we sometimes refer to this as Content Proxies: a Proxy with a set of content features.

Now looking ahead we're going to make this a bigger problem. The Insights on Premise is also recognized as a Smart Proxy. Then with pulp_smart_proxy the Pulp server can identify as a Smart Proxy.

In other words: I think soon we need to have the discussion within Red Hat: where do we want to go with this. Do we stop branding Smart Proxy as Capsule?

[aneta-petrova]

I don't think this is actionable right now but it's interesting information so I'll keep this thread open for awareness.

[aneta-petrova]

A tech review should focus on these two things:

1. Sections "Opening required ports" in the server installation guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Installing_Server/index-katello.html#opening-required-ports) and the proxy installation guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Installing_Proxy/index-katello.html#opening-required-ports). The questions to ask are:

• Does this procedure open all ports required to install a server/proxy?
• Does this procedure perhaps open too many ports? (this is tracked in comment https://github.com/theforeman/foreman-documentation/pull/4210/files#r2321369051)

2. Chapter "Networking considerations in Foreman" in the Planning guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Planning_for_Project/index-katello.html#networking-considerations-in-foreman). There is no need to review the tables with ports thoroughly (we have been keeping them up-to-date), which means a reviewer should be fine just reading the accompanying text.

[maximiliankolb]

is there a technical reason to avoid macros in code blocks?

[aneta-petrova]

is there a technical reason to avoid macros in code blocks?

There isn't but I'm trying to get an idea of the required lists of services first. Once I have that, I'll figure out how to include them more efficiently.

[aneta-petrova]

A tech review should focus on these two things:

1. Sections "Opening required ports" in the server installation guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Installing_Server/index-katello.html#opening-required-ports) and the proxy installation guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Installing_Proxy/index-katello.html#opening-required-ports). The questions to ask are:

• Does this procedure open all ports required to install a server/proxy?

• Does this procedure perhaps open too many ports? (this is tracked in comment https://github.com/theforeman/foreman-documentation/pull/4210/files#r2321369051)

@evgeni After agreeing to resolve the question of which ports need to be opened later (tracked in #4247), do you think the procedure as it is now is okay?

2. Chapter "Networking considerations in Foreman" in the Planning guide (https://theforeman-foreman-documentation-preview-pr-4210.surge.sh/nightly/Planning_for_Project/index-katello.html#networking-considerations-in-foreman). There is no need to review the tables with ports thoroughly (we have been keeping them up-to-date), which means a reviewer should be fine just reading the accompanying text.

@ekohl @evgeni Have either of you had the chance to look at the changes in the Planning guide?

[aneta-petrova]

All those comments about which ports don't need to be open by default are great, thanks a lot, Evgeni and Ewoud! I created #4247 a few days ago so I added them there.

[aneta-petrova]

I created a separate issue to track a team review of the Planning guide.

[aneta-petrova]

two comments, but not blocking, LGTM

Thanks!

@ekohl @maximiliankolb Do you have any further comments?

[maximiliankolb]

I don't quite understand this & it seems rather confusing. "some" sounds bad and unspecific from a security perspective. Does this admonition add any value to users? I am leaning towards no.

Suggested change

	[NOTE]
	====
	Some outgoing traffic returns to {Project} to enable internal communication and security operations.
	====

Was this part of the docs before? If so, feel free to ignore my comment/move this to an GH issue.

[aneta-petrova]

I'd like to resolve this here so that we're sure the reviewed requirements are okay. @evgeni can you shed some light on this? Can we perhaps specify the note? Or is it safe to drop it?

[evgeni]

Well, it was added in #2451 and is frankly a tad confusing.
So strap on your best glasses, we're using a Tardis!

The bug that #2451 was trying to fix (https://bugzilla.redhat.com/show_bug.cgi?id=2233266) was reported against Satellite 6.13, and we look at https://docs.redhat.com/en/documentation/red_hat_satellite/6.13/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#Ports_and_Firewalls_Requirements_satellite we see the following entries with "Satellite" as the destination:

Destination Port	Protocol	Service	Destination	Required For	Description
443	TCP	HTTPS	Satellite	Capsule	Capsule, Configuration management, Template retrieval, OpenSCAP, Remote Execution result upload
5646	TCP	AMQP	Satellite Server	Katello agent	Forward message to Qpid dispatch router on Capsule (optional)
5671			Satellite Server	Remote install for Katello agent	Send install command to client
5671			Satellite Server	Remote install for Katello agent	Forward message to dispatch router on Satellite

(Yes, protocol and service are missing for the last two lines, yes "Satellite" vs "Satellite Server" is inconsistent, have a 🍷 for me please)

Now, it is true that the way Katello agent communication was set up, the Germans would call "from behind, through the chest, into the eye" (Sorry Anet, if you don't have a visual picture of the pain, I either owe you one, or you can count yourself lucky, or both).

Luckily for us, today, stepped out of the Tardis again: Katello agent is a sin of the past and we don't have to care about it anymore and can solely focus on the one remaining entry in todays docs:

Destination Port	Protocol	Service	Destination	Required For	Description
443	TCP	HTTPS	Satellite	Capsule	Capsule, Configuration management, Template retrieval, OpenSCAP, Remote Execution result upload

And the great thing? It's nonsense! I mean, yeah, the external Capsule needs to be able to talk to the Satellite on port 443 (and others!) but that should be covered by "{Project} incoming traffic" and "{SmartProxy} outgoing traffic" and never be part of "{Project} outgoing traffic"

So, my verdict is:

• drop that note
• drop line 65-73 of guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc (| 443 | TCP | HTTPS | {Project} | {SmartProxy} | {SmartProxy} … )

[aneta-petrova]

That was quite the suspenseful read. I wish more comments were like this.

Also, it really helps that you summarized it at the end to tell me what it is that I'm supposed to do 😆 So I removed both the note and the row.

[maximiliankolb]

I like the latest changes to guides/common/modules/con_smart-proxy-networking.adoc 👍

With the note getting dropped based on Evgeni's comment, IMO we're good to go!

[maximiliankolb]

Thanks Anet, LGTM style-wise. Handing over to Evgeni for final tech ACK.

[aneta-petrova]

Merged to "master" and cherry-picked:

69993b2..56f3457 3.16 -> 3.16

Thanks everyone! This one makes me really happy.