From 1c5af479b262ecd2d19e3cb22011a1b17cfe0c5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 3 Sep 2025 14:47:39 +0200 Subject: [PATCH 01/22] Move port & firewall to Planning and review it Move port and firewall requirements to Planning Rename port and firewall sections Move proxy networking to firewall considerations Move planning consideration sections before deployment path Split concept information from port reference modules Merge proxy networking with new networking assembly --- .../assembly_major-project-components.adoc | 2 - .../assembly_networking-in-project.adoc | 7 +++ ..._planning-project-server-installation.adoc | 2 - ...-environment-for-capsule-installation.adoc | 3 -- .../modules/con_networking-in-project.adoc | 4 ++ ...nd-firewall-considerations-in-project.adoc | 54 +++++++++++++++++++ .../modules/con_smartproxy-networking.adoc | 36 ------------- ...nfiguring-capsule-default-certificate.adoc | 2 +- ...ssl-certificate-to-smart-proxy-server.adoc | 2 +- ...-client-connections-to-project-server.adoc | 11 ++++ .../proc_enabling-connections-to-capsule.adoc | 8 +++ ...gistering-capsule-to-satellite-server.adoc | 2 +- ...erver-port-and-firewall-requirements.adoc} | 36 +++---------- ...-proxy-port-and-firewall-requirements.adoc | 45 +++++----------- guides/doc-Planning_for_Project/master.adoc | 10 ++-- 15 files changed, 111 insertions(+), 113 deletions(-) create mode 100644 guides/common/assembly_networking-in-project.adoc create mode 100644 guides/common/modules/con_networking-in-project.adoc create mode 100644 guides/common/modules/con_port-and-firewall-considerations-in-project.adoc delete mode 100644 guides/common/modules/con_smartproxy-networking.adoc rename guides/common/modules/{ref_port-and-firewall-requirements.adoc => ref_project-server-port-and-firewall-requirements.adoc} (73%) 
diff --git a/guides/common/assembly_major-project-components.adoc b/guides/common/assembly_major-project-components.adoc index 419ad75bda7..e1fdf458368 100644 --- a/guides/common/assembly_major-project-components.adoc +++ b/guides/common/assembly_major-project-components.adoc @@ -12,6 +12,4 @@ include::modules/ref_list-of-key-open-source-components-of-foreman.adoc[leveloff include::modules/con_smartproxy-features.adoc[leveloffset=+1] -include::modules/con_smartproxy-networking.adoc[leveloffset=+1] - include::modules/con_major-project-components-additional-resources.adoc[leveloffset=+1] diff --git a/guides/common/assembly_networking-in-project.adoc b/guides/common/assembly_networking-in-project.adoc new file mode 100644 index 00000000000..b91218ea75c --- /dev/null +++ b/guides/common/assembly_networking-in-project.adoc @@ -0,0 +1,7 @@ +include::modules/con_networking-in-project.adoc[] + +include::modules/con_port-and-firewall-considerations-in-project.adoc[leveloffset=+1] + +include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1] + +include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1] diff --git a/guides/common/assembly_planning-project-server-installation.adoc b/guides/common/assembly_planning-project-server-installation.adoc index 5e15761cede..1148f5c7ecf 100644 --- a/guides/common/assembly_planning-project-server-installation.adoc +++ b/guides/common/assembly_planning-project-server-installation.adoc @@ -12,8 +12,6 @@ ifdef::katello,orcharhino,satellite[] include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1] endif::[] -include::modules/ref_port-and-firewall-requirements.adoc[leveloffset=+1] - ifeval::["{mode}" == "connected"] include::modules/ref_ipv6-and-ipv4-requirements.adoc[leveloffset=+1] endif::[] 
diff --git a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc index f06cec81ace..9b29a3862b3 100644 --- a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc +++ b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc @@ -19,9 +19,6 @@ include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1] include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1] endif::[] -// Port and Firewall Requirements -include::modules/ref_smart-proxy-port-and-firewall-requirements.adoc[leveloffset=+1] - // Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer} include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1] diff --git a/guides/common/modules/con_networking-in-project.adoc b/guides/common/modules/con_networking-in-project.adoc new file mode 100644 index 00000000000..e3cece049bb --- /dev/null +++ b/guides/common/modules/con_networking-in-project.adoc @@ -0,0 +1,4 @@ +[id="networking-in-{project-context}"] += Networking in {Project} + +For the components of {Project} architecture to communicate, the required network ports must be open and free to enable incoming and outgoing traffic between the components. diff --git a/guides/common/modules/con_port-and-firewall-considerations-in-project.adoc b/guides/common/modules/con_port-and-firewall-considerations-in-project.adoc new file mode 100644 index 00000000000..e42efa6a79f --- /dev/null +++ b/guides/common/modules/con_port-and-firewall-considerations-in-project.adoc 
@@ -0,0 +1,54 @@ +[id="port-and-firewall-considerations-in-{project-context}"] += Port and firewall considerations in {Project} + +The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}. +{SmartProxyServer} also provides {Project} services to hosts. + +Integrated {SmartProxy}:: +Integrated {SmartProxy} is the {SmartProxy} contained in a {ProjectServer}. +A host that is directly connected to a {ProjectServer} is considered a client of its integrated {SmartProxy}. +This includes the base operating system where the server is running. +These clients need direct network access to {ProjectServer}. + +External {SmartProxies}:: +External {SmartProxies} are {SmartProxies} not integrated with the {ProjectServer}. +Hosts that are clients of external {SmartProxies} do not need direct access to the Foreman server itself. + +Many of the services that {SmartProxyServer} manages use dedicated network ports. +However, {SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration. + +[NOTE] +==== +Some outgoing traffic returns to {Project} to enable internal communication and security operations. +==== + +ifndef::satellite[] +In this topology, +endif::[] +ifdef::satellite[] +In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], +endif::[] +{SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open. 
+ +// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" +ifdef::satellite[] +[id="{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}"] +.{Project} topology with hosts connecting to a {SmartProxy} +image::common/topology-isolated-satellite.png[{ProjectName} topology with a host] +endif::[] + +ifndef::satellite[] +In this topology, +endif::[] +ifdef::satellite[] +In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[], +endif::[] +hosts connect to {ProjectServer} rather than a {SmartProxy}. +This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}. + +// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" +ifdef::satellite[] +[id="{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server"] +.{Project} topology with hosts connecting directly to {ProjectServer} +image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host] +endif::[] diff --git a/guides/common/modules/con_smartproxy-networking.adoc b/guides/common/modules/con_smartproxy-networking.adoc deleted file mode 100644 index 28ad34f3d7b..00000000000 --- a/guides/common/modules/con_smartproxy-networking.adoc +++ /dev/null 
@@ -1,36 +0,0 @@ -:_mod-docs-content-type: CONCEPT - -[id="{smart-proxy-context}-networking_{context}"] -= {SmartProxy} networking - -The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}. -{SmartProxyServer} also provides {Project} services to hosts. - -Many of the services that {SmartProxyServer} manages use dedicated network ports. -However, {SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration. - -.{Project} topology with hosts connecting to a {SmartProxy} -In this topology, {SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open. - -// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" -ifdef::satellite[] -.How {Project} components interact when hosts connect to a {SmartProxy} -image::common/topology-isolated-satellite.png[{ProjectName} topology with a host] -endif::[] - -.{Project} topology with hosts connecting directly to {ProjectServer} -In this topology, hosts connect to {ProjectServer} rather than a {SmartProxy}. -This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}. 
- -// TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" -ifdef::satellite[] -.How {Project} components interact when hosts connect directly to {ProjectServer} -image::common/topology-direct-satellite.png[{ProjectName} topology with a direct host] -endif::[] - -.Additional resources -* {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Ports and firewall requirements] in _{InstallingServerDocTitle}_ -ifdef::satellite[] -* {InstallingServerDisconnectedDocURL}Port_and_firewall_requirements_{project-context}[Ports and firewall requirements] in _{InstallingServerDisconnectedDocTitle}_ -endif::[] -* {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Ports and firewall requirements] in _{InstallingSmartProxyDocTitle}_ diff --git a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc index bf031913579..0ac6b67b8a5 100644 --- a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc +++ b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc @@ -14,7 +14,7 @@ endif::[] * {SmartProxyServer} packages are installed. For more information, see xref:installing-{smart-proxy-context}-server-packages[]. * The required ports are open. -For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[]. +For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. .Procedure diff --git a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc index cfff4ed9947..354a196a909 100644 --- a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc 
+++ b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc @@ -15,7 +15,7 @@ For more information, see xref:Registering_Proxy_to_Server_{smart-proxy-context} * {SmartProxyServer} packages are installed. For more information, see xref:installing-{smart-proxy-context}-server-packages[]. * The required ports are open. -For more information, see xref:{smart-proxy-context}-port-and-firewall-requirements_{context}[]. +For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. .Procedure . On your {ProjectServer}, generate a certificate bundle: diff --git a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc index 667a91f12b9..08ac20d776a 100644 --- a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc +++ b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc 
@@ -4,12 +4,23 @@ = Enabling connections from a client to {ProjectServer} {SmartProxies} and hosts that are clients of a {ProjectServer}'s internal {SmartProxy} require access through {Project}'s host-based firewall and any network-based firewalls. +For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. +You must also ensure that the required network ports are open on any network-based firewalls. + +The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts. + +Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. +If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. +If possible, disable the application checking and allow open port communication based on the protocol. Use this procedure to configure the host-based firewall on the system that {Project} is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Port and firewall requirements] in _{InstallingServerDocTitle}_. include::snip_firewalld.adoc[] +A DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. +This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`. + .Procedure ifdef::katello,satellite,orcharhino[] . Open the ports for clients on {ProjectServer}: 
diff --git a/guides/common/modules/proc_enabling-connections-to-capsule.adoc b/guides/common/modules/proc_enabling-connections-to-capsule.adoc index 3945e1f2770..b3e386b1646 100644 --- a/guides/common/modules/proc_enabling-connections-to-capsule.adoc +++ b/guides/common/modules/proc_enabling-connections-to-capsule.adoc @@ -4,6 +4,14 @@ = Enabling connections from {ProjectServer} and clients to a {SmartProxyServer} On the base operating system on which you want to install {SmartProxy}, you must enable incoming connections from {ProjectServer} and clients to {SmartProxyServer} and make these rules persistent across reboots. +For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. +You must also ensure that the required network ports are open on any network-based firewalls. + +The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts. + +Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. +If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. +If possible, disable the application checking and allow open port communication based on the protocol. include::snip_firewalld.adoc[] diff --git a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc index 8befb2ffb76..89df4a757ef 100644 --- a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc +++ b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc 
@@ -18,6 +18,6 @@ For more information on manifests and repositories, see {ContentManagementDocURL ** Ensure HTTPS connection using client certificate authentication is possible between {SmartProxyServer} and {ProjectServer}. HTTP proxies between {SmartProxyServer} and {ProjectServer} are not supported. ** You must configure the host and network-based firewalls accordingly. -For more information, see {InstallingSmartProxyDocURL}{smart-proxy-context}-port-and-firewall-requirements_{smart-proxy-context}[Port and firewall requirements] in _{InstallingSmartProxyDocTitle}_. +For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. include::snip_host-registration-steps.adoc[] diff --git a/guides/common/modules/ref_port-and-firewall-requirements.adoc b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc similarity index 73% rename from guides/common/modules/ref_port-and-firewall-requirements.adoc rename to guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc index 84268f73b9d..84434fe73a6 100644 --- a/guides/common/modules/ref_port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc 
@@ -1,27 +1,14 @@ :_mod-docs-content-type: REFERENCE -[id="Port_and_firewall_requirements_{context}"] -= Port and firewall requirements +[id="{project-context}-port-and-firewall-requirements"] += {ProjectServer} port and firewall requirements -For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. -You must also ensure that the required network ports are open on any network-based firewalls. - -Use this information to configure any network-based firewalls. -Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. -If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. -If possible, disable the application checking and allow open port communication based on the protocol. - -.Integrated {SmartProxy} -{ProjectServer} has an integrated {SmartProxy} and any host that is directly connected to {ProjectServer} is a Client of {Project} in the context of this section. -This includes the base operating system on which {SmartProxyServer} is running. - -.Clients of {SmartProxy} -Hosts which are clients of {SmartProxies}, other than {Project}'s integrated {SmartProxy}, do not need access to {ProjectServer}. -For more information on {Project} topology and an illustration of port connections, see {PlanningDocURL}{smart-proxy-context}-networking_planning[{SmartProxy} networking] in _{PlanningDocTitle}_. +The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {ProjectServer}. +[NOTE] +==== Required ports can change based on your configuration. 
- -The following tables indicate the destination port and the direction of network traffic: +==== .{ProjectServer} incoming traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] @@ -65,17 +52,6 @@ ifndef::satellite[] endif::[] |==== -Any host that is directly connected to {ProjectServer} is a client in this context because it is a client of the integrated {SmartProxy}. -This includes the base operating system on which a {SmartProxyServer} is running. - -A DHCP {SmartProxy} performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. -This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`. - -[NOTE] -==== -Some outgoing traffic returns to {Project} to enable internal communication and security operations. -==== - .{ProjectServer} outgoing traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] |==== diff --git a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc index 25c01892479..1ea15d3cac1 100644 --- a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc 
@@ -1,29 +1,21 @@ :_mod-docs-content-type: REFERENCE -[id="{smart-proxy-context}-port-and-firewall-requirements_{context}"] -= Port and firewall requirements +[id="{smart-proxy-context}-port-and-firewall-requirements"] += {SmartProxy} port and firewall requirements -For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. -You must also ensure that the required network ports are open on any network-based firewalls. - -The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts. - -Use this information to configure any network-based firewalls. -Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. -If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. -If possible, disable the application checking and allow open port communication based on the protocol. - -.Integrated {SmartProxy} -{ProjectServer} has an integrated {SmartProxy} and any host that is directly connected to {ProjectServer} is a Client of {Project} in the context of this section. -This includes the base operating system on which {SmartProxyServer} is running. - -.Clients of {SmartProxy} -Hosts which are clients of {SmartProxies}, other than {Project}'s integrated {SmartProxy}, do not need access to {ProjectServer}. -For more information on {Project} Topology, see {PlanningDocURL}{smart-proxy-context}-networking_planning[{SmartProxy} networking] in _{PlanningDocTitle}_. +The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {SmartProxyServer}. +[NOTE] +==== Required ports can change based on your configuration. 
+==== -The following tables indicate the destination port and the direction of network traffic: +[NOTE] +==== +ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. +The DHCP {SmartProxy} sends an ECHO REQUEST to the Client network to verify that an IP address is free. +A response prevents IP addresses from being allocated. +==== .{SmartProxy} incoming traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] @@ -59,12 +51,6 @@ ifdef::katello,satellite,orcharhino[] endif::[] |==== -Any host that is directly connected to {ProjectServer} is a client in this context because it is a client of the integrated {SmartProxy}. -This includes the base operating system on which a {SmartProxyServer} is running. - -A DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. -This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`. - .{SmartProxy} outgoing traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] @@ -99,10 +85,3 @@ endif::[] ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI | 8443 | TCP | HTTPS | Client | Discovery | {SmartProxy} sends reboot command to the discovered host (optional) |==== - -[NOTE] -==== -ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. -The DHCP {SmartProxy} sends an ECHO REQUEST to the Client network to verify that an IP address is free. -A response prevents IP addresses from being allocated. -==== diff --git a/guides/doc-Planning_for_Project/master.adoc b/guides/doc-Planning_for_Project/master.adoc index 0ef5fe6af6b..f18a6b48e35 100644 --- a/guides/doc-Planning_for_Project/master.adoc +++ b/guides/doc-Planning_for_Project/master.adoc 
@@ -23,14 +23,16 @@ include::common/assembly_tools-for-administration-of-project.adoc[leveloffset=+1 include::common/assembly_supported-usage-and-versions-of-project-components.adoc[leveloffset=+1] -include::common/assembly_deployment-path.adoc[leveloffset=+1] - -include::common/assembly_common-deployment-scenarios.adoc[leveloffset=+1] - ifndef::foreman-deb[] include::common/modules/con_security-considerations.adoc[leveloffset=+1] endif::[] +include::common/assembly_networking-in-project.adoc[leveloffset=+1] + +include::common/assembly_deployment-path.adoc[leveloffset=+1] + +include::common/assembly_common-deployment-scenarios.adoc[leveloffset=+1] + include::common/assembly_provisioning-requirements.adoc[leveloffset=+1] :!numbered: From d8d4888dabe93782496d16ab4abee207bda792e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 08:32:11 +0200 Subject: [PATCH 02/22] Review port procedure --- ...oc_enabling-client-connections-to-project-server.adoc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc index 08ac20d776a..a8470007c33 100644 --- a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc +++ b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc 
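Review bot: in con_port-and-firewall-considerations-in-project.adoc the text `In this topology,` emitted under `ifndef::satellite[]` has no antecedent. The deleted module introduced it with the block title `.{Project} topology with hosts connecting to a {SmartProxy}`, but here the titles exist only inside `ifdef::satellite[]`, so non-satellite builds read "In this topology, {SmartProxy} provides a single endpoint ..." without any topology having been named; the same happens for the second paragraph ("hosts connect to {ProjectServer} rather than a {SmartProxy}"). Either emit the block titles unconditionally or reword the two lead-ins to "When hosts connect through a {SmartProxy}," and "When hosts connect directly to {ProjectServer},". The sentence `Hosts that are clients of external {SmartProxies} do not need direct access to the Foreman server itself.` also hard-codes the product name where the rest of the module uses `{ProjectServer}`.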
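Review bot: both new modules, con_networking-in-project.adoc and con_port-and-firewall-considerations-in-project.adoc, omit the `:_mod-docs-content-type: CONCEPT` header that the deleted con_smartproxy-networking.adoc carried and that the two renamed reference modules keep (`:_mod-docs-content-type: REFERENCE`); add it to both so the modules stay consistent with the content-type tagging used everywhere else in guides/common/modules.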
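Review bot: in proc_enabling-client-connections-to-project-server.adoc the added sentence `If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall.` was lifted from the reference module and now refers to tables that this procedure does not contain. The surviving pointer `{InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Port and firewall requirements]` also goes stale in this very patch, because the target id is renamed to `{project-context}-port-and-firewall-requirements` and the module moves to the Planning guide. Point the reader at the new Planning location (`{PlanningDocURL}` with the new id) and say "listed in the port and firewall requirements" rather than "in the tables".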
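Review bot: the eight lines added to proc_enabling-connections-to-capsule.adoc are a verbatim copy of the paragraphs added to proc_enabling-client-connections-to-project-server.adoc, including the dangling `listed in the tables` reference, and this module carries no link to the port tables at all even though proc_configuring-capsule-default-certificate.adoc and proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc now resolve the prerequisite "The required ports are open" to `xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]`. Either factor the shared text into a snippet or merge the two procedures, and add a pointer to ref_smart-proxy-port-and-firewall-requirements.adoc so the reader can find which ports "required" means.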
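Review bot: the `@@ -59,12 +51,6 @@` hunk of ref_smart-proxy-port-and-firewall-requirements.adoc drops the paragraph explaining that a DHCP {SmartProxy} probes candidate addresses and that this can be disabled with `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`, but the patch re-adds that text only to the {ProjectServer} procedure (proc_enabling-client-connections-to-project-server.adoc). An administrator reading the {SmartProxy} requirements, where the relocated ICMP note now sits, loses the opt-out; keep the sentence next to the ICMP note or add it to proc_enabling-connections-to-capsule.adoc as well. While that note is being moved to the top of the module, its first line `ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped.` deserves a fix too: ICMP has no port, and the removed paragraph described the behaviour correctly as "ICMP ping and TCP echo connection attempts". Name the two probes separately (ICMP echo request, and echo on TCP/UDP port 7) and keep the point that rejections must not be sent while silent drops are acceptable.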
@@ -3,18 +3,17 @@ [id="Enabling_Connections_from_a_Client_to_Server_{context}"] = Enabling connections from a client to {ProjectServer} -{SmartProxies} and hosts that are clients of a {ProjectServer}'s internal {SmartProxy} require access through {Project}'s host-based firewall and any network-based firewalls. For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls. -The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts. - -Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. +[NOTE] +==== +Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol. +==== Use this procedure to configure the host-based firewall on the system that {Project} is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. -For more information on the ports used, see {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Port and firewall requirements] in _{InstallingServerDocTitle}_. include::snip_firewalld.adoc[] From f3dc17aa49f0c8b3cd732cd1d51ea4040ab05227 Mon Sep 17 00:00:00 2001 
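Review bot: deleting `For more information on the ports used, see {InstallingServerDocURL}Port_and_firewall_requirements_{project-context}[Port and firewall requirements] in _{InstallingServerDocTitle}_.` leaves proc_enabling-client-connections-to-project-server.adoc with no link to the port tables at all, while the new NOTE still says `permits all applications that are listed in the tables`; the link was stale after PATCH 01 renamed the id, so replace it with one to the Planning guide (`{PlanningDocURL}{project-context}-port-and-firewall-requirements[...]`) rather than dropping it. Removing the opening sentence about `{SmartProxies} and hosts that are clients of a {ProjectServer}'s internal {SmartProxy}` also takes away the only definition of "client" that the module title and `to enable incoming connections from Clients` rely on; consider keeping a one-line definition or an xref to con_port-and-firewall-considerations-in-project.adoc, where the integrated and external {SmartProxy} client distinction now lives.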
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 09:34:36 +0200 Subject: [PATCH 03/22] Update installing postgresql to work without firewall snippets This ensures the snippets can be deleted when merging the port procedures for installing. --- .../common/modules/proc_installing-postgresql.adoc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/guides/common/modules/proc_installing-postgresql.adoc b/guides/common/modules/proc_installing-postgresql.adoc index baaf47d9d82..619017050d2 100644 --- a/guides/common/modules/proc_installing-postgresql.adoc +++ b/guides/common/modules/proc_installing-postgresql.adoc @@ -13,8 +13,6 @@ ifndef::foreman-deb[] {Project} supports PostgreSQL version 13. endif::[] -include::snip_firewalld.adoc[] - .Prerequisites * The prepared host has base operating system repositories enabled. * The prepared host has sufficient disk space available for the `{postgresql-lib-dir}` directory. @@ -85,13 +83,20 @@ password_encryption=scram-sha-256 ---- # systemctl enable --now postgresql ---- -. Open the *postgresql* port: +. Update the firewall configuration. +For example, using the `firewall-cmd` command: +.. Open the *postgresql* port: + [options="nowrap" subs="verbatim,quotes"] ---- # firewall-cmd --add-service=postgresql ---- -include::snip_make-firewall-settings-persistent.adoc[] +.. Make the changes persistent: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# firewall-cmd --runtime-to-permanent +---- . Switch to the `postgres` user and start the PostgreSQL client: + [options="nowrap" subs="verbatim,quotes"] From 880a23679e3c2959efaba1ff0bf6efb8002da1dd Mon Sep 17 00:00:00 2001 
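Review bot: the two new code blocks in proc_installing-postgresql.adoc use different attribute lists, `[options="nowrap" subs="verbatim,quotes"]` on the `--add-service` step and `[options="nowrap", subs="+quotes,verbatim,attributes"]` on the `--runtime-to-permanent` step; make them identical (neither command contains attributes or quoted text, so the first form suffices for both). `# firewall-cmd --add-service=postgresql` also opens the database service to every source in the default zone; since only the {ProjectServer} that uses this database needs to connect, consider adding a sentence that the port should be restricted to that host, for example with a firewalld rich rule limited to its address, so readers do not leave an externally reachable database behind.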
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 09:37:29 +0200 Subject: [PATCH 04/22] Drop firewall-cmd snippet from provisioning The procedure already shows an alternative. Spelling out that you can use an alternative is redundant. --- .../modules/proc_using-novnc-to-access-virtual-machines.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc b/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc index 62434cba8c1..8005bae2857 100644 --- a/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc +++ b/guides/common/modules/proc_using-novnc-to-access-virtual-machines.adoc @@ -37,7 +37,6 @@ endif::[] ---- ifndef::satellite,orcharhino[] + -include::snip_firewalld.adoc[] endif::[] . In the {ProjectWebUI}, navigate to *Infrastructure* > *Compute Resources* and select the name of a compute resource. . In the *Virtual Machines* tab, select the name of your virtual machine. From 5001a488e7ffb0c0fefdbb17283c0585ae518ddf Mon Sep 17 00:00:00 2001 
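Review bot: after deleting `include::snip_firewalld.adoc[]`, the conditional in proc_using-novnc-to-access-virtual-machines.adoc is left as `ifndef::satellite,orcharhino[]`, a bare `+`, and `endif::[]`; the `+` list continuation then has nothing attached to it and renders as an empty paragraph in non-satellite builds. Drop the `+` line as well and, since the conditional is then empty, remove the `ifndef`/`endif` pair too.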
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 09:07:49 +0200 Subject: [PATCH 05/22] Merge modules on opening ports --- ...-environment-for-capsule-installation.adoc | 2 +- ...nment-for-project-server-installation.adoc | 2 +- ...ooting-requirements-with-managed-dhcp.adoc | 2 +- ...ting-requirements-with-unmanaged-dhcp.adoc | 2 +- .../modules/con_pxe-booting-requirements.adoc | 2 +- ...nfiguring-capsule-default-certificate.adoc | 2 +- ...ssl-certificate-to-smart-proxy-server.adoc | 2 +- ...-client-connections-to-project-server.adoc | 51 ------------ .../proc_enabling-connections-to-capsule.adoc | 48 ----------- .../modules/proc_opening-required-ports.adoc | 83 +++++++++++++++++++ ...gistering-capsule-to-satellite-server.adoc | 7 +- guides/common/modules/snip_firewalld.adoc | 3 - .../snip_verify-firewall-settings.adoc | 11 --- 13 files changed, 96 insertions(+), 121 deletions(-) delete mode 100644 guides/common/modules/proc_enabling-client-connections-to-project-server.adoc delete mode 100644 guides/common/modules/proc_enabling-connections-to-capsule.adoc create mode 100644 guides/common/modules/proc_opening-required-ports.adoc delete mode 100644 guides/common/modules/snip_firewalld.adoc delete mode 100644 guides/common/modules/snip_verify-firewall-settings.adoc diff --git a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc index 9b29a3862b3..43aab663823 100644 --- a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc +++ b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc 
@@ -20,7 +20,7 @@ include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1] endif::[] // Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer} -include::modules/proc_enabling-connections-to-capsule.adoc[leveloffset=+1] +include::modules/proc_opening-required-ports.adoc[leveloffset=+1] ifdef::parent-context[:context: {parent-context}] ifndef::parent-context[:!context:] diff --git a/guides/common/assembly_preparing-environment-for-project-server-installation.adoc b/guides/common/assembly_preparing-environment-for-project-server-installation.adoc index 776eabaa539..06e4d143ebf 100644 --- a/guides/common/assembly_preparing-environment-for-project-server-installation.adoc +++ b/guides/common/assembly_preparing-environment-for-project-server-installation.adoc @@ -2,7 +2,7 @@ include::modules/con_preparing-environment-for-project-server-installation.adoc[] -include::modules/proc_enabling-client-connections-to-project-server.adoc[leveloffset=+1] +include::modules/proc_opening-required-ports.adoc[leveloffset=+1] include::modules/proc_verifying-dns-resolution.adoc[leveloffset=+1] diff --git a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc index bc9bf1d63c2..be2e2b0ca80 100644 --- a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc +++ b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc 
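Review bot: Both assemblies now include `proc_opening-required-ports.adoc`, whose step headings are emitted only when `{context}` equals `{project-context}` or `{smart-proxy-context}`; if either assembly reaches the include with any other context value, the step titles disappear and the `+` continuation that follows them dangles. Set `:context:` explicitly before the include in each assembly (the capsule assembly only restores `{parent-context}` afterwards), or give the module an unconditional fallback heading.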
@@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re For HTTP booting to work, ensure that your environment has the following client-side configurations: * All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[]. +For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. * Your client has access to the DHCP and DNS servers. * Your client has access to the HTTP UEFI Boot {SmartProxy}. diff --git a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc index 9ae958b9ade..e7d6f1ad5af 100644 --- a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc +++ b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc @@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you * Ensure that your client has access to the DHCP and DNS servers. * Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}. * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[]. +For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. .Network requirements * An unmanaged DHCP server available for clients. diff --git a/guides/common/modules/con_pxe-booting-requirements.adoc b/guides/common/modules/con_pxe-booting-requirements.adoc index 90b44fabd02..48a68f5ab12 100644 --- a/guides/common/modules/con_pxe-booting-requirements.adoc +++ b/guides/common/modules/con_pxe-booting-requirements.adoc 
@@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ .Client requirements * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_smartproxy-networking.adoc#{smart-proxy-context}-networking_{context}[]. +For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. * Ensure that your client has access to the DHCP and TFTP servers. diff --git a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc index 0ac6b67b8a5..2173ed5803c 100644 --- a/guides/common/modules/proc_configuring-capsule-default-certificate.adoc +++ b/guides/common/modules/proc_configuring-capsule-default-certificate.adoc @@ -14,7 +14,7 @@ endif::[] * {SmartProxyServer} packages are installed. For more information, see xref:installing-{smart-proxy-context}-server-packages[]. * The required ports are open. -For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. +For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[]. .Procedure diff --git a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc index 354a196a909..e90d66626fb 100644 --- a/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc +++ b/guides/common/modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc 
@@ -15,7 +15,7 @@ For more information, see xref:Registering_Proxy_to_Server_{smart-proxy-context} * {SmartProxyServer} packages are installed. For more information, see xref:installing-{smart-proxy-context}-server-packages[]. * The required ports are open. -For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. +For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[]. .Procedure . On your {ProjectServer}, generate a certificate bundle: diff --git a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc b/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc deleted file mode 100644 index a8470007c33..00000000000 --- a/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc +++ /dev/null 
@@ -1,51 +0,0 @@ -:_mod-docs-content-type: PROCEDURE - -[id="Enabling_Connections_from_a_Client_to_Server_{context}"] -= Enabling connections from a client to {ProjectServer} - -For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. -You must also ensure that the required network ports are open on any network-based firewalls. - -[NOTE] -==== -Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. -If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. -If possible, disable the application checking and allow open port communication based on the protocol. -==== - -Use this procedure to configure the host-based firewall on the system that {Project} is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. - -include::snip_firewalld.adoc[] - -A DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. -This behavior can be turned off using `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`. - -.Procedure -ifdef::katello,satellite,orcharhino[] -. Open the ports for clients on {ProjectServer}: -+ -[options="nowrap"] ----- -# firewall-cmd \ ---add-port="8000/tcp" \ ---add-port="9090/tcp" ----- -endif::[] -. 
Allow access to services on {ProjectServer}: -+ -[options="nowrap"] ----- -# firewall-cmd \ ---add-service=dns \ ---add-service=dhcp \ ---add-service=tftp \ ---add-service=http \ ---add-service=https \ -ifndef::katello,satellite,orcharhino[] ---add-service=foreman-proxy \ -endif::[] ---add-service=puppetmaster ----- -include::snip_make-firewall-settings-persistent.adoc[] - -include::snip_verify-firewall-settings.adoc[] diff --git a/guides/common/modules/proc_enabling-connections-to-capsule.adoc b/guides/common/modules/proc_enabling-connections-to-capsule.adoc deleted file mode 100644 index b3e386b1646..00000000000 --- a/guides/common/modules/proc_enabling-connections-to-capsule.adoc +++ /dev/null 
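Review bot: This deletion removes the anchor `Enabling_Connections_from_a_Client_to_Server_{context}`, but the patch only rewrites xrefs that pointed at `enabling-connections-to-capsule_{context}` (in the certificate and registration modules). Grep the guides for the deleted id before merging, or the server installation guide will carry a dead link to a module that no longer exists.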
@@ -1,48 +0,0 @@ -:_mod-docs-content-type: PROCEDURE - -[id="enabling-connections-to-capsule_{context}"] -= Enabling connections from {ProjectServer} and clients to a {SmartProxyServer} - -On the base operating system on which you want to install {SmartProxy}, you must enable incoming connections from {ProjectServer} and clients to {SmartProxyServer} and make these rules persistent across reboots. -For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. -You must also ensure that the required network ports are open on any network-based firewalls. - -The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts. - -Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. -If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. -If possible, disable the application checking and allow open port communication based on the protocol. - -include::snip_firewalld.adoc[] - -.Procedure -ifdef::katello,satellite,orcharhino[] -. Open the ports for clients on {SmartProxyServer}: -+ -[options="nowrap"] ----- -# firewall-cmd \ ---add-port="8000/tcp" \ ---add-port="9090/tcp" ----- -endif::[] -. Allow access to services on {SmartProxyServer}: -+ -[options="nowrap"] ----- -# firewall-cmd \ ---add-service=dns \ ---add-service=dhcp \ ---add-service=tftp \ -ifdef::katello,satellite,orcharhino[] ---add-service=http \ ---add-service=https \ -endif::[] -ifndef::katello,satellite,orcharhino[] ---add-service=foreman-proxy \ -endif::[] ---add-service=puppetmaster ----- -include::snip_make-firewall-settings-persistent.adoc[] - -include::snip_verify-firewall-settings.adoc[] 
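Review bot: The sentence `The installation of a {SmartProxyServer} fails if the ports between {ProjectServer} and {SmartProxyServer} are not open before installation starts.` is dropped here and does not reappear in the merged `proc_opening-required-ports.adoc`. That warning is the reason the procedure sits in the pre-installation assembly at all; keep it in the new module, under `ifeval::["{context}" == "{smart-proxy-context}"]` if it should stay proxy-specific.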
diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc new file mode 100644 index 00000000000..6b1980e4b55 --- /dev/null +++ b/guides/common/modules/proc_opening-required-ports.adoc 
@@ -0,0 +1,83 @@ +:_mod-docs-content-type: PROCEDURE + +[id="opening-required-ports"] += Opening required ports + +For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. +You must also ensure that the required network ports are open on any network-based firewalls. + +[NOTE] +==== +Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. +If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. +If possible, disable the application checking and allow open port communication based on the protocol. +==== + +ifndef::satellite,orcharhino[] +If you do not use `firewall-cmd` to configure the Linux firewall, implement using the command of your choice. +endif::[] + +.Procedure +. Optional: If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging: ++ +[options="nowrap", subs="+quotes,attributes"] +---- +# {foreman-installer} --foreman-proxy-dhcp-ping-free-ip false +---- ++ +By default, a DHCP {SmartProxy} performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. +ifdef::katello,satellite,orcharhino[] +ifeval::["{context}" == "{project-context}"] +. Open the ports for clients on {ProjectServer}: +endif::[] +ifeval::["{context}" == "{smart-proxy-context}"] +. Open the ports for clients on {SmartProxyServer}: +endif::[] ++ +[options="nowrap"] +---- +# firewall-cmd \ +--add-port="8000/tcp" \ +--add-port="9090/tcp" +---- +endif::[] +ifeval::["{context}" == "{project-context}"] +. Allow access to services on {ProjectServer}: +endif::[] +ifeval::["{context}" == "{smart-proxy-context}"] +. 
Allow access to services on {SmartProxyServer}: +endif::[] ++ +[options="nowrap"] +---- +# firewall-cmd \ +--add-service=dns \ +--add-service=dhcp \ +--add-service=tftp \ +--add-service=http \ +--add-service=https \ +ifndef::katello,satellite,orcharhino[] +--add-service=foreman-proxy \ +endif::[] +--add-service=puppetmaster +---- +. Make the changes persistent: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# firewall-cmd --runtime-to-permanent +---- + +.Verification +* Enter the following command: ++ +[options="nowrap"] +---- +# firewall-cmd --list-all +---- + +.Additional resources +* {PlanningDocURL}networking-in-a-{project-context}-deployment[Networking in a {Project} deployment] +ifndef::foreman-deb[] +* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] +endif::[] diff --git a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc index 89df4a757ef..0f23a96893a 100644 --- a/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc +++ b/guides/common/modules/proc_registering-capsule-to-satellite-server.adoc 
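Review bot: Step 1 runs `{foreman-installer} --foreman-proxy-dhcp-ping-free-ip false`, but this module is included by the environment-preparation assemblies before the server or {SmartProxy} packages are installed, so the installer is not available at that point; either move the step to post-installation configuration or keep it as the explanatory sentence the deleted module used, next to the reason it matters for firewall rules (the ICMP and TCP echo probes to candidate addresses). Separately, the RHEL link under `.Additional resources` repeats the segment `/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters` twice and will not resolve; reuse the `{RHELDocsBaseURL}9/html/...` form from the deleted `snip_verify-firewall-settings.adoc`.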
@@ -18,6 +18,11 @@ For more information on manifests and repositories, see {ContentManagementDocURL ** Ensure HTTPS connection using client certificate authentication is possible between {SmartProxyServer} and {ProjectServer}. HTTP proxies between {SmartProxyServer} and {ProjectServer} are not supported. ** You must configure the host and network-based firewalls accordingly. -For more information, see xref:common/modules/proc_enabling-connections-to-capsule.adoc#enabling-connections-to-capsule_{context}[]. +ifeval::["{context}" == "load-balancing"] +For more information, see {InstallingSmartProxyDocURL}opening-required-ports[Opening required ports in _{InstallingSmartProxyDocTitle}_]. +endif::[] +ifeval::["{context}" == "installing-capsule-server"] +For more information, see xref:common/modules/proc_opening-required-ports.adoc#opening-required-ports[]. +endif::[] include::snip_host-registration-steps.adoc[] diff --git a/guides/common/modules/snip_firewalld.adoc b/guides/common/modules/snip_firewalld.adoc deleted file mode 100644 index d9959c14501..00000000000 --- a/guides/common/modules/snip_firewalld.adoc +++ /dev/null @@ -1,3 +0,0 @@ -ifndef::satellite,orcharhino[] -If you do not use `firewall-cmd` to configure the Linux firewall, implement using the command of your choice. -endif::[] diff --git a/guides/common/modules/snip_verify-firewall-settings.adoc b/guides/common/modules/snip_verify-firewall-settings.adoc deleted file mode 100644 index 392789d6fc8..00000000000 --- a/guides/common/modules/snip_verify-firewall-settings.adoc +++ /dev/null @@ -1,11 +0,0 @@ -.Verification -* Enter the following command: -+ -[options="nowrap"] ----- -# firewall-cmd --list-all ----- - -ifndef::foreman-deb[] -For more information, see {RHELDocsBaseURL}9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld] in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_. -endif::[] 
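Review bot: The `ifeval` pair keys the link on `{context}` being exactly `load-balancing` or `installing-capsule-server`; for any other context the sentence `You must configure the host and network-based firewalls accordingly.` is followed by no reference at all, and the hardcoded context strings will break silently on the next assembly rename. Add a fallback branch (or an unconditional link to the Planning guide's port reference) so the cross-reference cannot vanish without a build error.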
From 361c6ec76447769c3d77d556fc752560a757913e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 11:01:20 +0200 Subject: [PATCH 06/22] Rename networking sections for clarity and consistency --- ...doc => assembly_networking-considerations-in-project.adoc} | 4 ++-- .../con_http-booting-requirements-with-managed-dhcp.adoc | 2 +- .../con_http-booting-requirements-with-unmanaged-dhcp.adoc | 2 +- ...ect.adoc => con_networking-considerations-in-project.adoc} | 4 ++-- guides/common/modules/con_pxe-booting-requirements.adoc | 2 +- ...ations-in-project.adoc => con_smart-proxy-networking.adoc} | 4 ++-- guides/common/modules/proc_opening-required-ports.adoc | 2 +- guides/doc-Planning_for_Project/master.adoc | 2 +- 8 files changed, 11 insertions(+), 11 deletions(-) rename guides/common/{assembly_networking-in-project.adoc => assembly_networking-considerations-in-project.adoc} (56%) rename guides/common/modules/{con_networking-in-project.adoc => con_networking-considerations-in-project.adoc} (64%) rename guides/common/modules/{con_port-and-firewall-considerations-in-project.adoc => con_smart-proxy-networking.adoc} (95%) diff --git a/guides/common/assembly_networking-in-project.adoc b/guides/common/assembly_networking-considerations-in-project.adoc similarity index 56% rename from guides/common/assembly_networking-in-project.adoc rename to guides/common/assembly_networking-considerations-in-project.adoc index b91218ea75c..0dbd60384fb 100644 --- a/guides/common/assembly_networking-in-project.adoc +++ b/guides/common/assembly_networking-considerations-in-project.adoc 
@@ -1,6 +1,6 @@ -include::modules/con_networking-in-project.adoc[] +include::modules/con_networking-considerations-in-project.adoc[] -include::modules/con_port-and-firewall-considerations-in-project.adoc[leveloffset=+1] +include::modules/con_smart-proxy-networking.adoc[leveloffset=+1] include::modules/ref_project-server-port-and-firewall-requirements.adoc[leveloffset=+1] diff --git a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc index be2e2b0ca80..fde94c35681 100644 --- a/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc +++ b/guides/common/modules/con_http-booting-requirements-with-managed-dhcp.adoc @@ -9,7 +9,7 @@ To provision machines through HTTP booting ensure that you meet the following re For HTTP booting to work, ensure that your environment has the following client-side configurations: * All the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. +For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[]. * Your client has access to the DHCP and DNS servers. * Your client has access to the HTTP UEFI Boot {SmartProxy}. diff --git a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc index e7d6f1ad5af..2c1eff486e4 100644 --- a/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc +++ b/guides/common/modules/con_http-booting-requirements-with-unmanaged-dhcp.adoc 
@@ -12,7 +12,7 @@ To provision machines through HTTP booting without managed DHCP ensure that you * Ensure that your client has access to the DHCP and DNS servers. * Ensure that your client has access to the HTTP UEFI Boot {SmartProxy}. * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. +For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[]. .Network requirements * An unmanaged DHCP server available for clients. diff --git a/guides/common/modules/con_networking-in-project.adoc b/guides/common/modules/con_networking-considerations-in-project.adoc similarity index 64% rename from guides/common/modules/con_networking-in-project.adoc rename to guides/common/modules/con_networking-considerations-in-project.adoc index e3cece049bb..8aadb4b738f 100644 --- a/guides/common/modules/con_networking-in-project.adoc +++ b/guides/common/modules/con_networking-considerations-in-project.adoc @@ -1,4 +1,4 @@ -[id="networking-in-{project-context}"] -= Networking in {Project} +[id="networking-considerations-in-{project-context}"] += Networking considerations in {Project} For the components of {Project} architecture to communicate, the required network ports must be open and free to enable incoming and outgoing traffic between the components. diff --git a/guides/common/modules/con_pxe-booting-requirements.adoc b/guides/common/modules/con_pxe-booting-requirements.adoc index 48a68f5ab12..1872a7dc162 100644 --- a/guides/common/modules/con_pxe-booting-requirements.adoc +++ b/guides/common/modules/con_pxe-booting-requirements.adoc 
@@ -10,7 +10,7 @@ To provision machines using PXE booting, ensure that you meet the following requ .Client requirements * Ensure that all the network-based firewalls are configured to allow clients on the subnet to access the {SmartProxy}. -For more information, see xref:common/modules/con_networking-in-project.adoc#networking-in-{project-context}[]. +For more information, see xref:common/modules/con_networking-considerations-in-project.adoc#networking-considerations-in-{project-context}[]. * Ensure that your client has access to the DHCP and TFTP servers. diff --git a/guides/common/modules/con_port-and-firewall-considerations-in-project.adoc b/guides/common/modules/con_smart-proxy-networking.adoc similarity index 95% rename from guides/common/modules/con_port-and-firewall-considerations-in-project.adoc rename to guides/common/modules/con_smart-proxy-networking.adoc index e42efa6a79f..9adab9acbba 100644 --- a/guides/common/modules/con_port-and-firewall-considerations-in-project.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -1,5 +1,5 @@ -[id="port-and-firewall-considerations-in-{project-context}"] -= Port and firewall considerations in {Project} +[id="{smart-proxy-context}-networking"] += {SmartProxy} networking The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}. {SmartProxyServer} also provides {Project} services to hosts. diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 6b1980e4b55..2b31994c7e9 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc 
@@ -77,7 +77,7 @@ endif::[] ---- .Additional resources -* {PlanningDocURL}networking-in-a-{project-context}-deployment[Networking in a {Project} deployment] +* {PlanningDocURL}networking-considerations-in-a-{project-context}-deployment[Networking considerations in a {Project} deployment] ifndef::foreman-deb[] * https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] endif::[] diff --git a/guides/doc-Planning_for_Project/master.adoc b/guides/doc-Planning_for_Project/master.adoc index f18a6b48e35..675587db809 100644 --- a/guides/doc-Planning_for_Project/master.adoc +++ b/guides/doc-Planning_for_Project/master.adoc @@ -27,7 +27,7 @@ ifndef::foreman-deb[] include::common/modules/con_security-considerations.adoc[leveloffset=+1] endif::[] -include::common/assembly_networking-in-project.adoc[leveloffset=+1] +include::common/assembly_networking-considerations-in-project.adoc[leveloffset=+1] include::common/assembly_deployment-path.adoc[leveloffset=+1] From 27cf6d4feab2710f39d3aefa447552d7f56d855b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 4 Sep 2025 11:03:42 +0200 Subject: [PATCH 07/22] Tweak non-satellite topology diagram introductions --- guides/common/modules/con_smart-proxy-networking.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index 9adab9acbba..39e99721743 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc 
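Review bot: The `.Additional resources` link now targets `networking-considerations-in-a-{project-context}-deployment`, but the id assigned to `con_networking-considerations-in-project.adoc` in this same patch is `networking-considerations-in-{project-context}`, so the anchor will not resolve; the rename carried over the pre-existing mismatch between `networking-in-a-{project-context}-deployment` and `networking-in-{project-context}`. Align the link with the id, and consider an attribute for the anchor so the two cannot drift again.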
@@ -23,7 +23,7 @@ Some outgoing traffic returns to {Project} to enable internal communication and ==== ifndef::satellite[] -In this topology, +In a topology with hosts connecting to a {SmartProxyServer}, endif::[] ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], @@ -38,7 +38,7 @@ image::common/topology-isolated-satellite.png[{ProjectName} topology with a host endif::[] ifndef::satellite[] -In this topology, +In a topology with hosts connecting directly to {ProjectServer}, endif::[] ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[], From 8327116346c61281241518bf280ec2dc8dcb0512 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 5 Sep 2025 08:50:02 +0200 Subject: [PATCH 08/22] Drop comments from preparing for capsule installation --- ...ssembly_preparing-environment-for-capsule-installation.adoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc index 43aab663823..9153538de74 100644 --- a/guides/common/assembly_preparing-environment-for-capsule-installation.adoc +++ b/guides/common/assembly_preparing-environment-for-capsule-installation.adoc 
@@ -9,17 +9,14 @@ Review the following prerequisites before you install {SmartProxyServer}. include::modules/ref_operating-system-requirements.adoc[leveloffset=+1] -// System Requirements include::modules/ref_system-requirements.adoc[leveloffset=+1] ifdef::katello,satellite[] -// Storage requirements include::modules/ref_capsule-storage-requirements.adoc[leveloffset=+1] include::modules/ref_best-practices-for-optimizing-storage.adoc[leveloffset=+1] endif::[] -// Enabling Connections from {ProjectServer} and Clients to a {SmartProxyServer} include::modules/proc_opening-required-ports.adoc[leveloffset=+1] ifdef::parent-context[:context: {parent-context}] From bc907f5f9242fb7e43f43955d20b64acf7efcd27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 5 Sep 2025 08:50:48 +0200 Subject: [PATCH 09/22] Use attribute for server Co-authored-by: Maximilian Kolb --- guides/common/modules/con_smart-proxy-networking.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index 39e99721743..e550d147301 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -12,7 +12,7 @@ These clients need direct network access to {ProjectServer}. External {SmartProxies}:: External {SmartProxies} are {SmartProxies} not integrated with the {ProjectServer}. -Hosts that are clients of external {SmartProxies} do not need direct access to the Foreman server itself. +Hosts that are clients of external {SmartProxies} do not need direct access to the {ProjectServer} itself. Many of the services that {SmartProxyServer} manages use dedicated network ports. However, {SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration. 
From 411b8c15f162ad4b447c4479f48cb066b34bf57e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 5 Sep 2025 08:59:13 +0200 Subject: [PATCH 10/22] Drop integrated/external proxy definitions Integrated/external proxy was reported as flawed concept that we should get rid of. --- .../modules/con_smart-proxy-networking.adoc | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index e550d147301..9bfb3d0755c 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -4,19 +4,6 @@ The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}. {SmartProxyServer} also provides {Project} services to hosts. -Integrated {SmartProxy}:: -Integrated {SmartProxy} is the {SmartProxy} contained in a {ProjectServer}. -A host that is directly connected to a {ProjectServer} is considered a client of its integrated {SmartProxy}. -This includes the base operating system where the server is running. -These clients need direct network access to {ProjectServer}. - -External {SmartProxies}:: -External {SmartProxies} are {SmartProxies} not integrated with the {ProjectServer}. -Hosts that are clients of external {SmartProxies} do not need direct access to the {ProjectServer} itself. - -Many of the services that {SmartProxyServer} manages use dedicated network ports. -However, {SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration. - [NOTE] ==== Some outgoing traffic returns to {Project} to enable internal communication and security operations. 
@@ -29,6 +16,7 @@ ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], endif::[] {SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open. +Hosts do not need direct access to the {ProjectServer} itself. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" ifdef::satellite[] @@ -45,6 +33,7 @@ In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-co endif::[] hosts connect to {ProjectServer} rather than a {SmartProxy}. This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}. +Hosts need direct network access to {ProjectServer}. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" ifdef::satellite[] From f38d86a58d4ab39132ffb0dd687cb54f907e6aee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 10 Sep 2025 15:47:34 +0200 Subject: [PATCH 11/22] Open ports only for default services --- .../modules/proc_opening-required-ports.adoc | 37 +++++++++++++++++-- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 2b31994c7e9..1df0006c173 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc 
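Review bot: Dropping the paragraph `{SmartProxyServer} ensures that all communications from the host to {ProjectServer} use a single source IP address, which simplifies firewall administration.` loses the one statement that tells an administrator the inbound rules on {ProjectServer} can be restricted to the {SmartProxy} addresses; the added `Hosts do not need direct access to the {ProjectServer} itself.` covers only the host side of that relationship. Keep the single-source-IP sentence in the topology paragraph even if the integrated/external split goes, and resolve or remove the two `// TODO: Replace graphic` comments that remain.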
@@ -42,12 +42,16 @@ endif::[] ---- endif::[] ifeval::["{context}" == "{project-context}"] -. Allow access to services on {ProjectServer}: +. Allow access to services on {ProjectServer}. endif::[] ifeval::["{context}" == "{smart-proxy-context}"] -. Allow access to services on {SmartProxyServer}: +. Allow access to services on {SmartProxyServer}. endif::[] +The exact list of services that must be accessible depends on the services you want to enable on the server. + +To allow access to the services that are enabled by default: ++ +ifdef::satellite[] [options="nowrap"] ---- # firewall-cmd \ @@ -56,11 +60,38 @@ endif::[] --add-service=tftp \ --add-service=http \ --add-service=https \ -ifndef::katello,satellite,orcharhino[] --add-service=foreman-proxy \ +---- +endif::[] +ifdef::katello[] +[options="nowrap"] +---- +# firewall-cmd \ +--add-service=http \ +--add-service=https \ +--add-service=foreman-proxy \ +---- +endif::[] +ifdef::orcharhino[] +[options="nowrap"] +---- +# firewall-cmd \ +--add-service=http \ +--add-service=https \ +--add-service=foreman-proxy \ +--add-service=puppetmaster +---- endif::[] +ifdef::foreman-deb,foreman-el[] +[options="nowrap"] +---- +# firewall-cmd \ +--add-service=http \ +--add-service=https \ +--add-service=foreman-proxy \ --add-service=puppetmaster ---- +endif::[] . Make the changes persistent: + [options="nowrap", subs="+quotes,verbatim,attributes"] From 18317ea89d03957f4df23028a33ed5b98b16aec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 11 Sep 2025 19:12:12 +0200 Subject: [PATCH 12/22] Revert "Open ports only for default services" This reverts commit 84004ccd00ee944cc099db6f827e22156c484b7f. --- .../modules/proc_opening-required-ports.adoc | 37 ++----------------- 1 file changed, 3 insertions(+), 34 deletions(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 1df0006c173..2b31994c7e9 100644 
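Review bot: In the `ifdef::satellite[]` and `ifdef::katello[]` listings the last option is `--add-service=foreman-proxy \`, so the rendered `firewall-cmd` command ends in a dangling line continuation and fails when pasted; drop the trailing backslash on the final option of each variant. Also, the two new prose lines (`The exact list of services that must be accessible ...` and `To allow access to the services that are enabled by default:`) sit after the step without their own `+`, which terminates the ordered list before the listing blocks, so the listings are no longer part of the step.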
--- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc @@ -42,16 +42,12 @@ endif::[] ---- endif::[] ifeval::["{context}" == "{project-context}"] -. Allow access to services on {ProjectServer}. +. Allow access to services on {ProjectServer}: endif::[] ifeval::["{context}" == "{smart-proxy-context}"] -. Allow access to services on {SmartProxyServer}. +. Allow access to services on {SmartProxyServer}: endif::[] -The exact list of services that must be accessible depends on the services you want to enable on the server. + -To allow access to the services that are enabled by default: -+ -ifdef::satellite[] [options="nowrap"] ---- # firewall-cmd \ @@ -60,38 +56,11 @@ ifdef::satellite[] --add-service=tftp \ --add-service=http \ --add-service=https \ +ifndef::katello,satellite,orcharhino[] --add-service=foreman-proxy \ ----- -endif::[] -ifdef::katello[] -[options="nowrap"] ----- -# firewall-cmd \ ---add-service=http \ ---add-service=https \ ---add-service=foreman-proxy \ ----- -endif::[] -ifdef::orcharhino[] -[options="nowrap"] ----- -# firewall-cmd \ ---add-service=http \ ---add-service=https \ ---add-service=foreman-proxy \ ---add-service=puppetmaster ----- endif::[] -ifdef::foreman-deb,foreman-el[] -[options="nowrap"] ----- -# firewall-cmd \ ---add-service=http \ ---add-service=https \ ---add-service=foreman-proxy \ --add-service=puppetmaster ---- -endif::[] . Make the changes persistent: + [options="nowrap", subs="+quotes,verbatim,attributes"] From 63d837aae94e07ac2308f9b2f694da966fe4788f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 11 Sep 2025 19:14:05 +0200 Subject: [PATCH 13/22] Drop note about configuration-specific ports to be opened --- .../ref_project-server-port-and-firewall-requirements.adoc | 5 ----- .../ref_smart-proxy-port-and-firewall-requirements.adoc | 5 ----- 2 files changed, 10 deletions(-) 
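Review bot: Reverting PATCH 11 wholesale instead of fixing its list-continuation markup also discards the per-distribution service lists it introduced, so `--add-service=puppetmaster` is again opened on katello and satellite although PATCH 11 deliberately left it out of the katello block; if the default services really differ by distribution, keep the `ifdef::` blocks and repair only the broken lines. The revert message also references `84004ccd00ee944cc099db6f827e22156c484b7f`, which is not the id of the reverted commit in this series (`f38d86a58d4ab39132ffb0dd687cb54f907e6aee`), so the revert was generated on a different base; regenerate the message after rebasing so the reference resolves, or squash PATCH 11 and 12 out of the series entirely.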
diff --git a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc index 84434fe73a6..852e33bc059 100644 --- a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc @@ -5,11 +5,6 @@ The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {ProjectServer}. -[NOTE] -==== -Required ports can change based on your configuration. -==== - .{ProjectServer} incoming traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] |==== diff --git a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc index 1ea15d3cac1..97db70fb583 100644 --- a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc @@ -5,11 +5,6 @@ The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {SmartProxyServer}. -[NOTE] -==== -Required ports can change based on your configuration. -==== - [NOTE] ==== ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped. From f95141e98ff5b6030ccd46baaaa8bb4bee26f3bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 17 Sep 2025 11:26:43 +0200 Subject: [PATCH 14/22] Fix URL to networking considerations --- guides/common/modules/proc_opening-required-ports.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 2b31994c7e9..e6d269c62b7 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc 
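Review bot: While editing the NOTE blocks in ref_smart-proxy-port-and-firewall-requirements.adoc, the surviving `ICMP to Port 7 UDP and TCP must not be rejected, but can be dropped.` conflates ICMP, which has no ports, with the TCP/UDP echo service on port 7; split it into two requirements (ICMP echo; TCP/UDP port 7), name the component that sends them (presumably the DHCP IP address ping in proc_opening-required-ports.adoc), and state why a reject differs from a drop here, otherwise a firewall administrator cannot tell whether dropping breaks the availability check or merely delays it. Removing `Required ports can change based on your configuration.` is acceptable only because the conditional rows carry their own qualifier, as the LDAP row does (`necessary only if external authentication is enabled`); make sure every optional row keeps one.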
@@ -77,7 +77,7 @@ endif::[] ---- .Additional resources -* {PlanningDocURL}networking-considerations-in-a-{project-context}-deployment[Networking considerations in a {Project} deployment] +* {PlanningDocURL}networking-considerations-in-{project-context}[Networking considerations in {Project}] ifndef::foreman-deb[] * https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] endif::[] From ac2faf260cb4661cd1ad4d86a8eeb9c4eb743c01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 17 Sep 2025 16:20:24 +0200 Subject: [PATCH 15/22] Simplify introduction --- .../modules/con_networking-considerations-in-project.adoc | 2 +- guides/common/modules/proc_opening-required-ports.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/con_networking-considerations-in-project.adoc b/guides/common/modules/con_networking-considerations-in-project.adoc index 8aadb4b738f..473f7c443f4 100644 --- a/guides/common/modules/con_networking-considerations-in-project.adoc +++ b/guides/common/modules/con_networking-considerations-in-project.adoc @@ -1,4 +1,4 @@ [id="networking-considerations-in-{project-context}"] = Networking considerations in {Project} -For the components of {Project} architecture to communicate, the required network ports must be open and free to enable incoming and outgoing traffic between the components. +For the components of {Project} architecture to communicate, the required network ports must be open to enable incoming and outgoing traffic between the components. 
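Review bot: In the PATCH 14 hunk, the unchanged context line for the RHEL link has its path duplicated (`.../using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters`), so the rendered link is broken; since this commit is already titled a URL fix, correct it here rather than in two follow-up commits. The new anchor `networking-considerations-in-{project-context}` does match the `[id="networking-considerations-in-{project-context}"]` shown in the con_networking-considerations-in-project.adoc hunk, so that part is consistent.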
diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index e6d269c62b7..e58a7199949 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc @@ -3,7 +3,7 @@ [id="opening-required-ports"] = Opening required ports -For the components of {Project} architecture to communicate, ensure that the required network ports are open and free on the base operating system. +By opening the required ports, you ensure that the components of {Project} architecture can communicate. You must also ensure that the required network ports are open on any network-based firewalls. [NOTE] From f7c282833c3d40026ebdbb9dbf54ddb5a4c3fde2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 17 Sep 2025 16:22:46 +0200 Subject: [PATCH 16/22] Fix link --- guides/common/modules/proc_opening-required-ports.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index e58a7199949..926897da6e9 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc 
@@ -79,5 +79,5 @@ endif::[] .Additional resources * {PlanningDocURL}networking-considerations-in-{project-context}[Networking considerations in {Project}] ifndef::foreman-deb[] -* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] +* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] endif::[] From 1cb0a23266f2ef8cc459f51f2f2510d98b6acb7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 17 Sep 2025 19:03:34 +0200 Subject: [PATCH 17/22] Rephrase hint about using firewall-cmd Co-authored-by: Ewoud Kohl van Wijngaarden --- guides/common/modules/proc_opening-required-ports.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 926897da6e9..106d3c950a7 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc @@ -14,7 +14,7 @@ If possible, disable the application checking and allow open port communication ==== ifndef::satellite,orcharhino[] -If you do not use `firewall-cmd` to configure the Linux firewall, implement using the command of your choice. +If you do not use `firewall-cmd` to configure the Linux firewall, implement using the tool of your choice. endif::[] .Procedure From 404bfe574827c095b794d13cac150fc4c3da8a91 Mon Sep 17 00:00:00 2001 
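Review bot: The PATCH 17 hunk keeps the context line `If possible, disable the application checking and allow open port communication` without saying what `application checking` is (application-layer inspection on a network firewall? a host-based agent?) or which traffic it interferes with; telling readers to disable inspection without naming the mechanism or the affected protocol is advice nobody can act on safely. Name the mechanism and the flow it breaks, or drop the sentence. `tool of your choice` is the right wording, since nftables or iptables configurations are not a single command.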
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Wed, 17 Sep 2025 19:14:17 +0200 Subject: [PATCH 18/22] Fix link again --- guides/common/modules/proc_opening-required-ports.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index 106d3c950a7..c0621cc0347 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc @@ -79,5 +79,5 @@ endif::[] .Additional resources * {PlanningDocURL}networking-considerations-in-{project-context}[Networking considerations in {Project}] ifndef::foreman-deb[] -* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters/[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] +* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters[Using and configuring firewalld in _{RHEL}{nbsp}9 Configuring firewalls and packet filters_] endif::[] From 3c96f12f2982b9b3ecd073a52efd4d49dcdb3766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 18 Sep 2025 09:12:50 +0200 Subject: [PATCH 19/22] Apply suggestions from style review Co-authored-by: Maximilian Kolb --- guides/common/modules/con_smart-proxy-networking.adoc | 4 ++-- guides/common/modules/proc_opening-required-ports.adoc | 4 ++-- .../ref_project-server-port-and-firewall-requirements.adoc | 2 +- .../ref_smart-proxy-port-and-firewall-requirements.adoc | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index 9bfb3d0755c..0f4a8814c84 100644 
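Review bot: PATCH 18 removes the trailing slash that PATCH 16 added to the same RHEL link PATCH 14 first touched, which is three commits for one URL and leaves the link wrong in two intermediate states; squash 14, 16 and 18 into a single `Fix link` commit. Since 16 and 18 differ only in the slash, verify the final form once against the live docs.redhat.com page before merging.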
--- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -16,7 +16,7 @@ ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], endif::[] {SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open. -Hosts do not need direct access to the {ProjectServer} itself. +Hosts do not need direct access to {ProjectServer}. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" ifdef::satellite[] @@ -32,7 +32,7 @@ ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[], endif::[] hosts connect to {ProjectServer} rather than a {SmartProxy}. -This applies also to {SmartProxies} themselves because the {SmartProxyServer} is a host of {ProjectServer}. +This applies to all {SmartProxyServers} because they are hosts of {ProjectServer}. Hosts need direct network access to {ProjectServer}. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" diff --git a/guides/common/modules/proc_opening-required-ports.adoc b/guides/common/modules/proc_opening-required-ports.adoc index c0621cc0347..e54a773e019 100644 --- a/guides/common/modules/proc_opening-required-ports.adoc +++ b/guides/common/modules/proc_opening-required-ports.adoc @@ -18,7 +18,7 @@ If you do not use `firewall-cmd` to configure the Linux firewall, implement usin endif::[] .Procedure -. Optional: If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging: +. If you need to prevent the DHCP {SmartProxy} from pinging hosts to check for available IP addresses, disable DHCP IP address pinging: + [options="nowrap", subs="+quotes,attributes"] ---- 
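Review bot: In the proc_opening-required-ports.adoc hunk, dropping `Optional:` is fine because `If you need to` already marks the step as conditional, but the step still does not tell the reader what they give up: disabling DHCP IP address pinging means the DHCP {SmartProxy} leases addresses without first checking whether they are already in use, so a conflict with an unmanaged device on the subnet goes undetected. Add that trade-off in one sentence and point to the ICMP/port 7 NOTE in ref_smart-proxy-port-and-firewall-requirements.adoc, which appears to be the firewall requirement this step works around.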
@@ -69,7 +69,7 @@ endif::[] ---- .Verification -* Enter the following command: +* View all firewall zones and allowed services: + [options="nowrap"] ---- diff --git a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc index 852e33bc059..f3d1efef2a1 100644 --- a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc @@ -3,7 +3,7 @@ [id="{project-context}-port-and-firewall-requirements"] = {ProjectServer} port and firewall requirements -The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {ProjectServer}. +The following tables indicate the destination port and the direction of incoming and outgoing traffic for {ProjectServer}. .{ProjectServer} incoming traffic [cols="15%,15%,15%,15%,20%,20%",options="header"] diff --git a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc index 97db70fb583..57b820bbe4f 100644 --- a/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc +++ b/guides/common/modules/ref_smart-proxy-port-and-firewall-requirements.adoc @@ -3,7 +3,7 @@ [id="{smart-proxy-context}-port-and-firewall-requirements"] = {SmartProxy} port and firewall requirements -The following tables indicate the destination port and the direction of incoming and outgoing traffic for a {SmartProxyServer}. +The following tables indicate the destination port and the direction of incoming and outgoing traffic for {SmartProxyServers}. [NOTE] ==== From b5ac66f1239e41c8d17c81467312333a7093ec96 Mon Sep 17 00:00:00 2001 
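Review bot: In the Verification hunk, the new description `View all firewall zones and allowed services:` has to match the command beneath it: `firewall-cmd --list-all` prints only the default zone (or the one given with `--zone`), whereas `--list-all-zones` prints every zone; if the listing still shows `--list-all`, either switch the command or reword to `View the allowed services in the default zone`, otherwise the verification misses a service that was added to the wrong zone.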
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 18 Sep 2025 09:13:09 +0200 Subject: [PATCH 20/22] Replace SmartProxy with SmartProxyServer --- guides/common/modules/con_smart-proxy-networking.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index 0f4a8814c84..22316960738 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -15,7 +15,7 @@ endif::[] ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-to-a-{smart-proxy-context}[], endif::[] -{SmartProxy} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxy} itself must be open. +{SmartProxyServer} provides a single endpoint for all host network communications so that in remote network segments, only firewall ports to the {SmartProxyServer} itself must be open. Hosts do not need direct access to {ProjectServer}. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" From 92b73b509a7f562c21a2d7994f6005c746b7fca0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 18 Sep 2025 09:17:02 +0200 Subject: [PATCH 21/22] Reword description of a smart proxy networking setup --- guides/common/modules/con_smart-proxy-networking.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index 22316960738..d648e95d073 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc 
@@ -31,9 +31,8 @@ endif::[] ifdef::satellite[] In xref:{project-context}-topology-with-hosts-connecting-directly-to-{project-context}-server[], endif::[] -hosts connect to {ProjectServer} rather than a {SmartProxy}. +hosts need direct network access to {ProjectServer}. This applies to all {SmartProxyServers} because they are hosts of {ProjectServer}. -Hosts need direct network access to {ProjectServer}. // TODO: Replace graphic with simpler graphic and reference to "Port and firewall requirements" ifdef::satellite[] From 7a35aa143ac402fbb9b456a7bc438dadaf618bce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 18 Sep 2025 11:26:27 +0200 Subject: [PATCH 22/22] Drop obsolete information on outgoing traffic --- guides/common/modules/con_smart-proxy-networking.adoc | 5 ----- ...ef_project-server-port-and-firewall-requirements.adoc | 9 --------- 2 files changed, 14 deletions(-) diff --git a/guides/common/modules/con_smart-proxy-networking.adoc b/guides/common/modules/con_smart-proxy-networking.adoc index d648e95d073..0cc117301a5 100644 --- a/guides/common/modules/con_smart-proxy-networking.adoc +++ b/guides/common/modules/con_smart-proxy-networking.adoc @@ -4,11 +4,6 @@ The communication between {ProjectServer} and hosts registered to a {SmartProxyServer} is routed through that {SmartProxyServer}. {SmartProxyServer} also provides {Project} services to hosts. -[NOTE] -==== -Some outgoing traffic returns to {Project} to enable internal communication and security operations. -==== - ifndef::satellite[] In a topology with hosts connecting to a {SmartProxyServer}, endif::[] diff --git a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc index f3d1efef2a1..b5ad3c30cf5 100644 --- a/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc 
+++ b/guides/common/modules/ref_project-server-port-and-firewall-requirements.adoc @@ -62,15 +62,6 @@ endif::[] | 80 | TCP | HTTP | Remote repository | Content Sync | Remote repositories | 389, 636 | TCP | LDAP, LDAPS | External LDAP Server | LDAP | LDAP authentication, necessary only if external authentication is enabled. The port can be customized if `LDAPAuthSource` is defined -| 443 | TCP | HTTPS | {Project} | {SmartProxy} | {SmartProxy} - -Configuration management - -Template retrieval - -OpenSCAP - -Remote Execution result upload | 443 | TCP | HTTPS | Amazon EC2, Azure, Google GCE | Compute resources | Virtual machine interactions (query/create/destroy) (optional) ifdef::satellite[] ifeval::["{mode}" == "connected"]
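Review bot: The removed row (`443 | TCP | HTTPS | {Project} | {SmartProxy}`, covering configuration management, template retrieval, OpenSCAP and Remote Execution result upload) describes {SmartProxy} to {ProjectServer} traffic, which is incoming from {ProjectServer}'s point of view and so was misplaced in the outgoing table rather than obsolete as the commit message says; confirm that the incoming table in this file still lists port 443 from {SmartProxy} with these four purposes, otherwise the flows a {SmartProxyServer} needs open toward {ProjectServer} are no longer documented anywhere, and reword the commit message to `misplaced` so the history does not suggest the traffic no longer exists.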