网络要求
本节详细说明 SUSE Multi-Linux Manager 的网络和端口要求。
|
IP forwarding will be enabled by containerized installation. This means SUSE Multi-Linux Manager Server and Proxies will behave as a router. This behavior is done by podman directly. Podman containers do not run if IP forwarding is disabled. 您可以考虑根据您的策略实现 SUSE Multi-Linux Manager 环境的网络隔离。 |
1. 完全限定的域名 (FQDN)
SUSE Multi-Linux Manager 服务器必须正确解析其 FQDN。如果无法解析 FQDN,可能会导致许多不同的组件出现严重问题。
2. 主机名和 IP 地址
为确保 SUSE Multi-Linux Manager 域名可由其客户端解析,服务器和客户端计算机都必须连接到一台正常工作的 DNS 服务器。还需要确保正确配置反向查找。
有关设置 DNS 服务器的详细信息,请参见 https://documentation.suse.com/sles/15-SP6/html/SLES-all/cha-dns.html。
3. Reenable router advertisements
When the SUSE Multi-Linux Manager is installed using mgradm install podman or mgrpxy install podman, it sets up Podman which enables IPv4 and IPv6 forwarding. This is needed for communication from the outside of the container.
However, if your system previously had /proc/sys/net/ipv6/conf/eth0/accept_ra set to 1, it will stop using router advertisements. As a result, the routes are no longer obtained via router advertisements and the default IPv6 route is missing.
To recover correct functioning of the IPv6 routing, follow the procedure:
-
Create a file in
/etc/sysctl.d, for example99-ipv6-ras.conf. -
Add the following parameter and value to the file:
net.ipv6.conf.eth0.accept_ra = 2
-
重引导。
4. Deployment behind HTTP or HTTPS OSI level 7 proxy
Some environments enforce internet access through a HTTP or HTTPS proxy. This could be a Squid server or similar. To allow the SUSE Multi-Linux Manager Server internet access in such configuration, you need to configure the following.
-
For operating system internet access, modify
/etc/sysconfig/proxyaccording to your needs:PROXY_ENABLED="no" HTTP_PROXY="" HTTPS_PROXY="" NO_PROXY="localhost, 127.0.0.1" -
For
Podmancontainer internet access, modify/etc/systemd/system/uyuni-server.service.d/custom.confaccording to your needs. For example, set:[Service] Environment=TZ=Europe/Berlin Environment="PODMAN_EXTRA_ARGS=" Environment="https_proxy=user:password@http://192.168.10.1:3128" -
For Java application internet access, modify
/etc/rhn/rhn.confaccording to your needs. On the container host, executemgrctl termto open a command line inside the server container:-
Modify
/etc/rhn/rhn.confaccording to your needs. For example, set:# Use proxy FQDN, or FQDN:port server.satellite.http_proxy = server.satellite.http_proxy_username = server.satellite.http_proxy_password = # no_proxy is a comma seperated list server.satellite.no_proxy =
-
-
On the container host, restart the server to enforce the new configuration:
systemctl restart uyuni-server.service
5. 物理隔离的部署
If you are on an internal network and do not have access to SUSE Customer Center, you can use an Air-gapped Deployment.
在生产环境中,SUSE Multi-Linux Manager 服务器和客户端始终应使用防火墙。有关所需端口的完整列表,请参见 所需的网络端口。
6. 所需的网络端口
本节提供了 SUSE Multi-Linux Manager 中各种通讯使用的端口的综合列表。
您不需要打开所有这些端口。某些端口只有在您使用需要这些端口的服务时才需打开。
6.2. 外部入站服务器端口
必须打开外部入站端口,以在 SUSE Multi-Linux Manager 服务器上配置防火墙用于防范未经授权访问服务器。
打开这些端口将允许外部网络流量访问 SUSE Multi-Linux Manager 服务器。
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
67 |
TCP/UDP |
DHCP |
Required only if clients are requesting IP addresses from the server. |
69 |
TCP/UDP |
TFTP |
Required if server is used as a PXE server for automated client installation. |
80 |
TCP |
HTTP |
Required temporarily for some bootstrap repositories and automated installations. |
443 |
TCP |
HTTPS |
Serves the Web UI, client, and server and proxy ( |
4505 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
4506 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |
5556 |
TCP |
Prometheus |
Required for scraping Taskomatic JMX metrics. |
5557 |
TCP |
Prometheus |
Required for scraping Tomcat JMX metrics. |
9100 |
TCP |
Prometheus |
Required for scraping Node exporter metrics. |
9187 |
TCP |
Prometheus |
Required for scraping PostgreSQL metrics. |
9800 |
TCP |
Prometheus |
Required for scraping Taskomatic metrics. |
25151 |
TCP |
Cobbler |
6.3. 外部出站服务器端口
必须打开外部出站端口,以在 SUSE Multi-Linux Manager 服务器上配置防火墙用于限制服务器可访问的内容。
打开这些端口将允许来自 SUSE Multi-Linux Manager 服务器的网络流量与外部服务通讯。
| 端口号 | 协议 | 使用方 | 备注 |
|---|---|---|---|
80 |
TCP |
HTTP |
SUSE Customer Center 需要此端口。 端口 80 不用于为 Web UI 传递数据。 |
443 |
TCP |
HTTPS |
SUSE Customer Center 需要此端口。 |
25151 |
TCP |
Cobbler |
6.4. 内部服务器端口
内部端口由 SUSE Multi-Linux Manager 服务器在内部使用。只能从 localhost 访问内部端口。
大多数情况下无需调整这些端口。
| 端口号 | 备注 |
|---|---|
2828 |
Satellite-search API,由 Tomcat 和 Taskomatic 中的 RHN 应用程序使用。 |
2829 |
Taskomatic API,由 Tomcat 中的 RHN 应用程序使用。 |
8005 |
Tomcat 关机端口。 |
8009 |
Tomcat 到 Apache HTTPD (AJP)。 |
8080 |
Tomcat 到 Apache HTTPD (HTTP)。 |
9080 |
Salt-API,由 Tomcat 和 Taskomatic 中的 RHN 应用程序使用。 |
25151 |
Cobbler 的 XMLRPC API |
32000 |
与运行 Taskomatic 和 satellite-search 的 Java 虚拟机 (JVM) 建立 TCP 连接时使用此端口。 |
32768 和更高的端口用作临时端口。这些端口往往用于接收 TCP 连接。收到 TCP 连接请求后,发送方将选择其中一个临时端口号来与目标端口进行匹配。
可使用以下命令来确定哪些端口是临时端口:
cat /proc/sys/net/ipv4/ip_local_port_range
6.5. 外部入站代理端口
必须打开外部入站端口,以在 SUSE Multi-Linux Manager Proxy 上配置防火墙用于防范未经授权访问代理。
打开这些端口将允许外部网络流量访问 SUSE Multi-Linux Manager Proxy。
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
22 |
Only required if the user wants to manage the proxy host with Salt SSH. |
||
67 |
TCP/UDP |
DHCP |
Required only if clients are requesting IP addresses from the server. |
69 |
TCP/UDP |
TFTP |
Required if the server is used as a PXE server for automated client installation. |
443 |
TCP |
HTTPS |
Web UI, client, and server and proxy ( |
4505 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
4506 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |
8022 |
Required for ssh-push and ssh-push-tunnel contact methods. Clients connected to the proxy initiate check in on the server and hop through to clients. |
6.6. 外部出站代理端口
必须打开外部出站端口,以在 SUSE Multi-Linux Manager Proxy 上配置防火墙用于限制代理可访问的内容。
打开这些端口将允许来自 SUSE Multi-Linux Manager Proxy 的网络流量与外部服务通讯。
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
80 |
Used to reach the server. |
||
443 |
TCP |
HTTPS |
Required for SUSE Customer Center. |
4505 |
TCP |
Salt |
Required to connect to Salt master either directly or via proxy. |
4506 |
TCP |
Salt |
Required to connect to Salt master either directly or via proxy. |
6.7. 外部客户端端口
必须打开外部客户端端口,以在 SUSE Multi-Linux Manager 服务器及其客户端之间配置防火墙。
大多数情况下无需调整这些端口。
| Port number | Direction | Protocol | Notes |
|---|---|---|---|
22 |
Inbound |
SSH |
Required for ssh-push and ssh-push-tunnel contact methods. |
80 |
Outbound |
Used to reach the server or proxy. |
|
443 |
Outbound |
Used to reach the server or proxy. |
|
4505 |
Outbound |
TCP |
Required to connect to Salt master either directly or via proxy. |
4506 |
Outbound |
TCP |
Required to connect to Salt master either directly or via proxy. |
9090 |
Outbound |
TCP |
Required for Prometheus user interface. |
9093 |
Outbound |
TCP |
Required for Prometheus alert manager. |
9100 |
Outbound |
TCP |
Required for Prometheus node exporter. |
9117 |
Outbound |
TCP |
Required for Prometheus Apache exporter. |
9187 |
Outbound |
TCP |
Required for Prometheus PostgreSQL. |
6.8. 所需的 URL
SUSE Multi-Linux Manager 必须能够访问某些 URL 才能注册客户端和执行更新。大多数情况下,允许访问以下 URL 便已足够:
-
scc.suse.com -
updates.suse.com -
installer-updates.suse.com -
registry.suse.com -
registry-storage.suse.com
您可以在以下文章中找到有关将指定 URL 及其关联 IP 地址列入白名单的更多详细信息:访问受防火墙和/或代理保护的 SUSE Customer Center 和 SUSE 注册表。
如果您正在使用非 SUSE 客户端,则还可能需要允许访问为这些操作系统提供特定软件包的其他服务器。例如,如果您使用的是 Ubuntu 客户端,则需要能够访问 Ubuntu 服务器。
有关为非 SUSE 客户端排查防火墙访问权限问题的详细信息,请参见 防火墙查错。