diff --git a/guides/common/assembly_major-project-components.adoc b/guides/common/assembly_major-project-components.adoc
index 419ad75bda7..e1fdf458368 100644
--- a/guides/common/assembly_major-project-components.adoc
+++ b/guides/common/assembly_major-project-components.adoc
@@ -12,6 +12,4 @@ include::modules/ref_list-of-key-open-source-components-of-foreman.adoc[leveloff
 include::modules/con_smartproxy-features.adoc[leveloffset=+1]
-include::modules/con_smartproxy-networking.adoc[leveloffset=+1]
-
 include::modules/con_major-project-components-additional-resources.adoc[leveloffset=+1]
diff --git a/guides/common/assembly_networking-considerations-in-project.adoc b/guides/common/assembly_networking-considerations-in-project.adoc
new file mode 100644
index 00000000000..0dbd60384fb
--- /dev/null
+++ b/guides/common/assembly_networking-considerations-in-project.adoc
@@ -0,0 +1,7 @@
+include::modules/con_networking-considerations-in-project.adoc[]
+
+include::modules/con_smart-proxy-networking.adoc[leveloffset=+1]
+
+include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1]
+
+include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]
diff --git a/guides/common/assembly_planning-project-server-installation.adoc b/guides/common/assembly_planning-project-server-installation.adoc
index 5e15761cede..1148f5c7ecf 100644
--- a/guides/common/assembly_planning-project-server-installation.adoc
+++ b/guides/common/assembly_planning-project-server-installation.adoc
@@ -12,8 +12,6 @@ ifdef::katello,orcharhino,satellite[]
 include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
 endif::[]
-include::modules/ref_port-and-firewall-requirements.adoc[leveloffset=+1]
-
 ifeval::["{mode}" == "connected"]
 include::modules/ref_ipv6-and-ipv4-requirements.adoc[leveloffset=+1]
 endif::[]
diff --git a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc
index f06cec81ace..9153538de74 100644
--- a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc
+++ b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc
@@ -9,21 +9,15 @@ Review the following prerequisites before you install {SmartProxyServer}.
 include::modules/ref_operating-system-requirements.adoc[leveloffset=+1]
-// System Requirements
 include::modules/ref_system-requirements.adoc[leveloffset=+1]
 ifdef::katello,satellite[]
-// Storage requirements
 include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1]
 include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1]
 endif::[]
-// Port and Firewall Requirements
-include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1]
-
-// Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer}
-include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1]
+include::modules/proc_opening-required-ports.adoc[leveloffset=+1]
 ifdef::parent-context[:context: {parent-context}]
 ifndef::parent-context[:!context:]
diff --git a/guides/common/assembly_preparing-environment-for-project-server-installation.adoc b/guides/common/assembly_preparing-environment-for-project-server-installation.adoc
index 776eabaa539..06e4d143ebf 100644
--- a/guides/common/assembly_preparing-environment-for-project-server-installation.adoc
+++ b/guides/common/assembly_preparing-environment-for-project-server-installation.adoc
@@ -2,7 +2,7 @@ include::modules/con_preparing-environment-for-project-server-installation.adoc[]
-include::modules/proc_enabling-client-connections-to-project-server.adoc[leveloffset=+1]
+include::modules/proc_opening-required-ports.adoc[leveloffset=+1]
 include::modules/proc_verifying-dns-resolution.adoc[leveloffset=+1]
diff --git a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc
index bc9bf1d63c2..fde94c35681 100644
--- a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc
+++ b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc
@@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re
 For HTTP booting to work, ensure that your environment has the following client-side configurations:
 * All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 * Your client has access to the DHCP and DNS servers.
 * Your client has access to the HTTP UEFI Boot {SmartProxy}.
diff --git a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc
index 9ae958b9ade..2c1eff486e4 100644
--- a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc
+++ b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc
@@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you
 * Ensure that your client has access to the DHCP and DNS servers.
 * Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}.
 * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 .Network requirements
 * An unmanaged DHCP server available for clients.
diff --git a/guides/common/modules/con_networking-considerations-in-project.adoc b/guides/common/modules/con_networking-considerations-in-project.adoc
new file mode 100644
index 00000000000..473f7c443f4
--- /dev/null
+++ b/guides/common/modules/con_networking-considerations-in-project.adoc
@@ -0,0 +1,4 @@
+[id="networking-considerations-in-{project-context}"]
+= Networking considerations in {Project}
+
+For the components of {Project} architecture to communicate, the required network ports must be open to enable incoming and outgoing traffic between the components.
diff --git a/guides/common/modules/con_pxe-booting-requirements.adoc b/guides/common/modules/con_pxe-booting-requirements.adoc
index 90b44fabd02..1872a7dc162 100644
--- a/guides/common/modules/con_pxe-booting-requirements.adoc
+++ b/guides/common/modules/con_pxe-booting-requirements.adoc
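Review bot: The new module con_networking-considerations-in-project.adoc starts directly with the `[id=...]` line and carries no `:_mod-docs-content-type:` attribute, while every other module this commit touches keeps one (`PROCEDURE` in proc_opening-required-ports.adoc, `REFERENCE` in both ref_*-port-and-firewall-requirements.adoc files) and the deleted con_smartproxy-networking.adoc declared `CONCEPT`. The new con_smart-proxy-networking.adoc hunk later in this diff has the same omission. Adding `:_mod-docs-content-type: CONCEPT` as the first line of both new files keeps the module metadata consistent across the guide.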
@@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ
 .Client requirements
 * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}.
-For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[].
+For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[].
 * Ensure that your client has access to the DHCP and TFTP servers.
diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc
new file mode 100644
index 00000000000..0cc117301a5
--- /dev/null
+++ b/guides/common/modules/con_smart-proxy-networking.adoc
@@ -0,0 +1,37 @@
+[id="{smart-proxy-context}-networking"]
+= {SmartProxy} networking
+
+The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}.
+{SmartProxyServer} also provides {Project} services to hosts.
+
+ifndef::satellite[]
+In a topology with hosts connecting to a {SmartProxyServer},
+endif::[]
+ifdef::satellite[]
+In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[],
+endif::[]
+{SmartProxyServer} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxyServer} itself must be open.
+Hosts do not need direct access to {ProjectServer}.
+
+// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
+ifdef::satellite[]
+[id="{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}"]
+.{Project} topology with hosts connecting to a {SmartProxy}
+image::common/topology-isolated-satellite.png[{ProjectName} topology with a host]
+endif::[]
+
+ifndef::satellite[]
+In a topology with hosts connecting directly to {ProjectServer},
+endif::[]
+ifdef::satellite[]
+In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[],
+endif::[]
+hosts need direct network access to {ProjectServer}.
+This applies to all {SmartProxyServers} because they are hosts of {ProjectServer}.
+
+// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
+ifdef::satellite[]
+[id="{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server"]
+.{Project} topology with hosts connecting directly to {ProjectServer}
+image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host]
+endif::[]
diff --git a/guides/common/modules/con_smartproxy-networking.adoc b/guides/common/modules/con_smartproxy-networking.adoc
deleted file mode 100644
index 28ad34f3d7b..00000000000
--- a/guides/common/modules/con_smartproxy-networking.adoc
+++ /dev/null
@@ -1,36 +0,0 @@
-:_mod-docs-content-type: CONCEPT
-
-[id="{smart-proxy-context}-networking_{context}"]
-= {SmartProxy} networking
-
-The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}.
-{SmartProxyServer} also provides {Project} services to hosts.
-
-Many of the services that {SmartProxyServer} manages use dedicated network ports.
-However, {SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration.
-
-.{Project} topology with hosts connecting to a {SmartProxy}
-In this topology, {SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open.
-
-// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
-ifdef::satellite[]
-.How {Project} components interact when hosts connect to a {SmartProxy}
-image::common/topology-isolated-satellite.png[{ProjectName} topology with a host]
-endif::[]
-
-.{Project} topology with hosts connecting directly to {ProjectServer}
-In this topology, hosts connect to {ProjectServer} rather than a {SmartProxy}.
-This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}.
-
-// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements"
-ifdef::satellite[]
-.How {Project} components interact when hosts connect directly to {ProjectServer}
-image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host]
-endif::[]
-
-.Additional resources
-* {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Ports and firewall requirements] in _{InstallingServerDocTitle}_
-ifdef::satellite[]
-* {InstallingServerDisconnectedDocURL}Port_and_firewall_requirements_{project-context}[Ports and firewall requirements] in _{InstallingServerDisconnectedDocTitle}_
-endif::[]
-* {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Ports and firewall requirements] in _{InstallingSmartProxyDocTitle}_
diff --git a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc
index bf031913579..2173ed5803c 100644
--- a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc
+++ b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc
@@ -14,7 +14,7 @@ endif::[]
 * {SmartProxyServer} packages are installed.
 For more information, see xref:installing-{smart-proxy-context}-server-packages[].
 * The required ports are open.
-For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
+For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].
 .Procedure
diff --git a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc
index cfff4ed9947..e90d66626fb 100644
--- a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc
+++ b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc
@@ -15,7 +15,7 @@ For more information, see xref:Registering_Proxy_to_Server_{smart-proxy-context}
 * {SmartProxyServer} packages are installed.
 For more information, see xref:installing-{smart-proxy-context}-server-packages[].
 * The required ports are open.
-For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[].
+For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].
 .Procedure
 . On your {ProjectServer}, generate a certificate bundle:
diff --git a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc
deleted file mode 100644
index 667a91f12b9..00000000000
--- a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc
+++ /dev/null
@@ -1,41 +0,0 @@
-:_mod-docs-content-type: PROCEDURE
-
-[id="Enabling_Connections_from_a_Client_to_Server_{context}"]
-= Enabling connections from a client to {ProjectServer}
-
-{SmartProxies} and hosts that are clients of a {ProjectServer}'s internal {SmartProxy} require access through {Project}'s host-based firewall and any network-based firewalls.
-
-Use this procedure to configure the host-based firewall on the system that {Project} is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots.
-For more information on the ports used, see {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Port and firewall requirements] in _{InstallingServerDocTitle}_.
-
-include::snip_firewalld.adoc[]
-
-.Procedure
-ifdef::katello,satellite,orcharhino[]
-. Open the ports for clients on {ProjectServer}:
-+
-[options="nowrap"]
-----
-# firewall-cmd \
---add-port="8000/tcp" \
---add-port="9090/tcp"
-----
-endif::[]
-. Allow access to services on {ProjectServer}:
-+
-[options="nowrap"]
-----
-# firewall-cmd \
---add-service=dns \
---add-service=dhcp \
---add-service=tftp \
---add-service=http \
---add-service=https \
-ifndef::katello,satellite,orcharhino[]
---add-service=foreman-proxy \
-endif::[]
---add-service=puppetmaster
-----
-include::snip_make-firewall-settings-persistent.adoc[]
-
-include::snip_verify-firewall-settings.adoc[]
diff --git a/guides/common/modules/proc_enabling-connections-to-capsule.adoc b/guides/common/modules/proc_enabling-connections-to-capsule.adoc
deleted file mode 100644
index 3945e1f2770..00000000000
--- a/guides/common/modules/proc_enabling-connections-to-capsule.adoc
+++ /dev/null
@@ -1,40 +0,0 @@
-:_mod-docs-content-type: PROCEDURE
-
-[id="enabling-connections-to-capsule_{context}"]
-= Enabling connections from {ProjectServer} and clients to a {SmartProxyServer}
-
-On the base operating system on which you want to install {SmartProxy}, you must enable incoming connections from {ProjectServer} and clients to {SmartProxyServer} and make these rules persistent across reboots.
-
-include::snip_firewalld.adoc[]
-
-.Procedure
-ifdef::katello,satellite,orcharhino[]
-. Open the ports for clients on {SmartProxyServer}:
-+
-[options="nowrap"]
-----
-# firewall-cmd \
---add-port="8000/tcp" \
---add-port="9090/tcp"
-----
-endif::[]
-. Allow access to services on {SmartProxyServer}:
-+
-[options="nowrap"]
-----
-# firewall-cmd \
---add-service=dns \
---add-service=dhcp \
---add-service=tftp \
-ifdef::katello,satellite,orcharhino[]
---add-service=http \
---add-service=https \
-endif::[]
-ifndef::katello,satellite,orcharhino[]
---add-service=foreman-proxy \
-endif::[]
---add-service=puppetmaster
-----
-include::snip_make-firewall-settings-persistent.adoc[]
-
-include::snip_verify-firewall-settings.adoc[]
diff --git a/guides/common/modules/proc_installing-postgresql.adoc b/guides/common/modules/proc_installing-postgresql.adoc
index baaf47d9d82..619017050d2 100644
--- a/guides/common/modules/proc_installing-postgresql.adoc
+++ b/guides/common/modules/proc_installing-postgresql.adoc
@@ -13,8 +13,6 @@ ifndef::foreman-deb[]
 {Project} supports PostgreSQL version 13.
 endif::[]
-include::snip_firewalld.adoc[]
-
 .Prerequisites
 * The prepared host has base operating system repositories enabled.
 * The prepared host has sufficient disk space available for the `{postgresql-lib-dir}` directory.
@@ -85,13 +83,20 @@ password_encryption=scram-sha-256
 ----
 # systemctl enable --now postgresql
 ----
-. Open the *postgresql* port:
+. Update the firewall configuration.
+For example, using the `firewall-cmd` command:
+.. Open the *postgresql* port:
 +
 [options="nowrap" subs="verbatim,quotes"]
 ----
 # firewall-cmd --add-service=postgresql
 ----
-include::snip_make-firewall-settings-persistent.adoc[]
+.. Make the changes persistent:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# firewall-cmd --runtime-to-permanent
+----
 . Switch to the `postgres` user and start the PostgreSQL client:
 +
 [options="nowrap" subs="verbatim,quotes"]
diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc
new file mode 100644
index 00000000000..e54a773e019
--- /dev/null
+++ b/guides/common/modules/proc_opening-required-ports.adoc
@@ -0,0 +1,83 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="opening-required-ports"]
+= Opening required ports
+
+By opening the required ports, you ensure that the components of {Project} architecture can communicate.
+You must also ensure that the required network ports are open on any network-based firewalls.
+
+[NOTE]
+====
+Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls.
+If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.
+If possible, disable the application checking and allow open port communication based on the protocol.
+====
+
+ifndef::satellite,orcharhino[]
+If you do not use `firewall-cmd` to configure the Linux firewall, implement using the tool of your choice.
+endif::[]
+
+.Procedure
+. If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+# {foreman-installer} --foreman-proxy-dhcp-ping-free-ip false
+----
++
+By default, a DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
+ifdef::katello,satellite,orcharhino[]
+ifeval::["{context}" == "{project-context}"]
+. Open the ports for clients on {ProjectServer}:
+endif::[]
+ifeval::["{context}" == "{smart-proxy-context}"]
+. Open the ports for clients on {SmartProxyServer}:
+endif::[]
++
+[options="nowrap"]
+----
+# firewall-cmd \
+--add-port="8000/tcp" \
+--add-port="9090/tcp"
+----
+endif::[]
+ifeval::["{context}" == "{project-context}"]
+. Allow access to services on {ProjectServer}:
+endif::[]
+ifeval::["{context}" == "{smart-proxy-context}"]
+. Allow access to services on {SmartProxyServer}:
+endif::[]
++
+[options="nowrap"]
+----
+# firewall-cmd \
+--add-service=dns \
+--add-service=dhcp \
+--add-service=tftp \
+--add-service=http \
+--add-service=https \
+ifndef::katello,satellite,orcharhino[]
+--add-service=foreman-proxy \
+endif::[]
+--add-service=puppetmaster
+----
+. Make the changes persistent:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# firewall-cmd --runtime-to-permanent
+----
+
+.Verification
+* View all firewall zones and allowed services:
++
+[options="nowrap"]
+----
+# firewall-cmd --list-all
+----
+
+.Additional resources
+* {PlanningDocURL}networking-considerations-in-{project-context}[Networking considerations in {Project}]
+ifndef::foreman-deb[]
+* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_]
+endif::[]
diff --git a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc
index 8befb2ffb76..0f23a96893a 100644
--- a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc
+++ b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc
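Review bot: In the `Allow access to services` step, `--add-service=http \` and `--add-service=https \` are now added unconditionally for both contexts, but the deleted proc_enabling-connections-to-capsule.adoc wrapped those two lines in `ifdef::katello,satellite,orcharhino[]` for the {SmartProxyServer} case, so a plain Foreman smart proxy following the merged procedure now opens HTTP and HTTPS on the host firewall where the previous procedure left them closed. The merge appears to have taken the {ProjectServer} variant of the list, where the two services were always present. If the widening is unintended, restore the guard for the smart-proxy case, for example by nesting the two service lines in the same `ifeval::["{context}" == "{smart-proxy-context}"]` / `ifdef::katello,satellite,orcharhino[]` conditionals already used a few lines above; if it is intended, state in the step text that the Foreman smart proxy now also requires these two services so the change in the host's exposed surface is deliberate and reviewable.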
@@ -18,6 +18,11 @@ For more information on manifests and repositories, see {ContentManagementDocURL
 ** Ensure HTTPS connection using client certificate authentication is possible between {SmartProxyServer} and {ProjectServer}.
 HTTP proxies between {SmartProxyServer} and {ProjectServer} are not supported.
 ** You must configure the host and network-based firewalls accordingly.
-For more information, see {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Port and firewall requirements] in _{InstallingSmartProxyDocTitle}_.
+ifeval::["{context}" == "load-balancing"]
+For more information, see {InstallingSmartProxyDocURL}opening-required-ports[Opening required ports in _{InstallingSmartProxyDocTitle}_].
+endif::[]
+ifeval::["{context}" == "installing-capsule-server"]
+For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[].
+endif::[]
 include::snip_host-registration-steps.adoc[]
diff --git a/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc b/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc
index 62434cba8c1..8005bae2857 100644
--- a/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc
+++ b/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc
@@ -37,7 +37,6 @@ endif::[]
 ----
 ifndef::satellite,orcharhino[]
 +
-include::snip_firewalld.adoc[]
 endif::[]
 . In the {ProjectWebUI}, navigate to *Infrastructure* > *Compute Resources* and select the name of a compute resource.
 . In the *Virtual Machines* tab, select the name of your virtual machine.
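Review bot: The two `ifeval` branches only emit a reference when `{context}` is `load-balancing` or `installing-capsule-server`; the removed line emitted one unconditionally, so if this module is included under any other context the pointer to the port requirements is now silently dropped after the sentence `You must configure the host and network-based firewalls accordingly.`. Either add a fallback branch or confirm in the commit that these two are the only contexts that include proc_registering-capsule-to-satellite-server.adoc. As a point of style, the load-balancing branch places the document title inside the link text, `[Opening required ports in _{InstallingSmartProxyDocTitle}_]`, whereas the removed line and the other references in this diff keep it outside: `{InstallingSmartProxyDocURL}opening-required-ports[Opening required ports] in _{InstallingSmartProxyDocTitle}_.` renders the title as plain text rather than as part of the hyperlink.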
diff --git a/guides/common/modules/ref_port-and-firewall-requirements.adoc b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc
similarity index 71%
rename from guides/common/modules/ref_port-and-firewall-requirements.adoc
rename to guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc
index 84268f73b9d..b5ad3c30cf5 100644
--- a/guides/common/modules/ref_port-and-firewall-requirements.adoc
+++ b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc
@@ -1,27 +1,9 @@
 :_mod-docs-content-type: REFERENCE
-[id="Port_and_firewall_requirements_{context}"]
-= Port and firewall requirements
+[id="{project-context}-port-and-firewall-requirements"]
+= {ProjectServer} port and firewall requirements
-For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system.
-You must also ensure that the required network ports are open on any network-based firewalls.
-
-Use this information to configure any network-based firewalls.
-Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls.
-If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.
-If possible, disable the application checking and allow open port communication based on the protocol.
-
-.Integrated {SmartProxy}
-{ProjectServer} has an integrated {SmartProxy} and any host that is directly connected to {ProjectServer} is a Client of {Project} in the context of this section.
-This includes the base operating system on which {SmartProxyServer} is running.
-
-.Clients of {SmartProxy}
-Hosts which are clients of {SmartProxies}, other than {Project}'s integrated {SmartProxy}, do not need access to {ProjectServer}.
-For more information on {Project} topology and an illustration of port connections, see {PlanningDocURL}{smart-proxy-context}-networking_planning[{SmartProxy} networking] in _{PlanningDocTitle}_.
-
-Required ports can change based on your configuration.
-
-The following tables indicate the destination port and the direction of network traffic:
+The following tables indicate the destination port and the direction of incoming and outgoing traffic for {ProjectServer}.
 .{ProjectServer} incoming traffic
 [cols="15%,15%,15%,15%,20%,20%",options="header"]
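Review bot: The removed `.Integrated {SmartProxy}` and `.Clients of {SmartProxy}` paragraphs were the only definition of what "Client" means in the tables that follow (any host directly connected to {ProjectServer}, including the base operating system of a {SmartProxyServer}), and the next hunk, `@@ -65,17 +47,6 @@`, removes the second copy of that definition after the incoming-traffic table; the new one-sentence intro does not redefine it, although table rows later in this diff still use `Client` as a source column value. The same definition is dropped from ref_smart-proxy-port-and-firewall-requirements.adoc without replacement. Keeping one sentence ahead of the tables, e.g. `In these tables, a client is any host that connects directly to {ProjectServer}, including the base operating system of a {SmartProxyServer}.`, or moving it into the new con_networking-considerations-in-project.adoc module, preserves the meaning of that column.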
@@ -65,17 +47,6 @@ ifndef::satellite[]
 endif::[]
 |====
-Any host that is directly connected to {ProjectServer} is a client in this context because it is a client of the integrated {SmartProxy}.
-This includes the base operating system on which a {SmartProxyServer} is running.
-
-A DHCP {SmartProxy} performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
-This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`.
-
-[NOTE]
-====
-Some outgoing traffic returns to {Project} to enable internal communication and security operations.
-====
-
 .{ProjectServer} outgoing traffic
 [cols="15%,15%,15%,15%,20%,20%",options="header"]
 |====
@@ -91,15 +62,6 @@ Some outgoing traffic returns to {Project} to enable internal communication and
 | 80 | TCP | HTTP | Remote repository | Content Sync | Remote repositories
 | 389, 636 | TCP | LDAP, LDAPS | External LDAP Server | LDAP | LDAP authentication, necessary only if external authentication is enabled. The port can be customized if `LDAPAuthSource` is defined
-| 443 | TCP | HTTPS | {Project} | {SmartProxy} | {SmartProxy}
-
-Configuration management
-
-Template retrieval
-
-OpenSCAP
-
-Remote Execution result upload
 | 443 | TCP | HTTPS | Amazon EC2, Azure, Google GCE | Compute resources | Virtual machine interactions (query/create/destroy) (optional)
 ifdef::satellite[]
 ifeval::["{mode}" == "connected"]
diff --git a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc
index 25c01892479..57b820bbe4f 100644
--- a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc
+++ b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc
@@ -1,29 +1,16 @@
 :_mod-docs-content-type: REFERENCE
-[id="{smart-proxy-context}-port-and-firewall-requirements_{context}"]
-= Port and firewall requirements
+[id="{smart-proxy-context}-port-and-firewall-requirements"]
+= {SmartProxy} port and firewall requirements
-For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system.
-You must also ensure that the required network ports are open on any network-based firewalls.
+The following tables indicate the destination port and the direction of incoming and outgoing traffic for {SmartProxyServers}.
-The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts.
-
-Use this information to configure any network-based firewalls.
-Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls.
-If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.
-If possible, disable the application checking and allow open port communication based on the protocol.
-
-.Integrated {SmartProxy}
-{ProjectServer} has an integrated {SmartProxy} and any host that is directly connected to {ProjectServer} is a Client of {Project} in the context of this section.
-This includes the base operating system on which {SmartProxyServer} is running.
-
-.Clients of {SmartProxy}
-Hosts which are clients of {SmartProxies}, other than {Project}'s integrated {SmartProxy}, do not need access to {ProjectServer}.
-For more information on {Project} Topology, see {PlanningDocURL}{smart-proxy-context}-networking_planning[{SmartProxy} networking] in _{PlanningDocTitle}_.
-
-Required ports can change based on your configuration.
-
-The following tables indicate the destination port and the direction of network traffic:
+[NOTE]
+====
+ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped.
+The DHCP {SmartProxy} sends an ECHO REQUEST to the Client network to verify that an IP address is free.
+A response prevents IP addresses from being allocated.
+====
 .{SmartProxy} incoming traffic
 [cols="15%,15%,15%,15%,20%,20%",options="header"]
@@ -59,12 +46,6 @@ ifdef::katello,satellite,orcharhino[]
 endif::[]
 |====
-Any host that is directly connected to {ProjectServer} is a client in this context because it is a client of the integrated {SmartProxy}.
-This includes the base operating system on which a {SmartProxyServer} is running.
-
-A DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.
-This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`.
-
 .{SmartProxy} outgoing traffic
 [cols="15%,15%,15%,15%,20%,20%",options="header"]
@@ -99,10 +80,3 @@ endif::[]
 ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
 | 8443 | TCP | HTTPS | Client | Discovery | {SmartProxy} sends reboot command to the discovered host (optional)
 |====
-
-[NOTE]
-====
-ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped.
-The DHCP {SmartProxy} sends an ECHO REQUEST to the Client network to verify that an IP address is free.
-A response prevents IP addresses from being allocated.
-====
diff --git a/guides/common/modules/snip_firewalld.adoc b/guides/common/modules/snip_firewalld.adoc
deleted file mode 100644
index d9959c14501..00000000000
--- a/guides/common/modules/snip_firewalld.adoc
+++ /dev/null
@@ -1,3 +0,0 @@
-ifndef::satellite,orcharhino[]
-If you do not use `firewall-cmd` to configure the Linux firewall, implement using the command of your choice.
-endif::[]
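Review bot: The sentence `The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts.` is removed from the intro of the `@@ -1,29 +1,16 @@` hunk and does not reappear in any file touched by this diff, including the new proc_opening-required-ports.adoc, so the ordering requirement that motivates opening the ports before running the installer is lost. Keeping it as a second paragraph after the new intro sentence, or in the prerequisites of the `Opening required ports` procedure, preserves that requirement. The caveat `Required ports can change based on your configuration.` is dropped in the same hunk without an equivalent and is worth restoring next to the tables for the same reason.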
diff --git a/guides/common/modules/snip_verify-firewall-settings.adoc b/guides/common/modules/snip_verify-firewall-settings.adoc
deleted file mode 100644
index 392789d6fc8..00000000000
--- a/guides/common/modules/snip_verify-firewall-settings.adoc
+++ /dev/null
@@ -1,11 +0,0 @@
-.Verification
-* Enter the following command:
-+
-[options="nowrap"]
-----
-# firewall-cmd --list-all
-----
-
-ifndef::foreman-deb[]
-For more information, see {RHELDocsBaseURL}9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld] in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_.
-endif::[]
diff --git a/guides/doc-Planning_for_Project/master.adoc b/guides/doc-Planning_for_Project/master.adoc
index 0ef5fe6af6b..675587db809 100644
--- a/guides/doc-Planning_for_Project/master.adoc
+++ b/guides/doc-Planning_for_Project/master.adoc
@@ -23,14 +23,16 @@ include::common/assembly_tools-for-administration-of-project.adoc[leveloffset=+1
 include::common/assembly_supported-usage-and-versions-of-project-components.adoc[leveloffset=+1]
-include::common/assembly_deployment-path.adoc[leveloffset=+1]
-
-include::common/assembly_common-deployment-scenarios.adoc[leveloffset=+1]
-
 ifndef::foreman-deb[]
 include::common/modules/con_security-considerations.adoc[leveloffset=+1]
 endif::[]
+include::common/assembly_networking-considerations-in-project.adoc[leveloffset=+1]
+
+include::common/assembly_deployment-path.adoc[leveloffset=+1]
+
+include::common/assembly_common-deployment-scenarios.adoc[leveloffset=+1]
+
 include::common/assembly_provisioning-requirements.adoc[leveloffset=+1]
 :!numbered: