Network Requirements
This section details the networking and port requirements for Uyuni.
IP forwarding will be enabled by containerized installation. This means Uyuni Server and Proxies will behave as a router. This behavior is done by podman directly. podman containers do not run if IP forwarding is disabled. Consider achieving network isolation of the Uyuni environment according to your policies. For more information, see https://www.suse.com/support/kb/doc/?id=000020166. |
1. Fully Qualified Domain Name (FQDN)
The Uyuni server must resolve its FQDN correctly. If the FQDN cannot be resolved, it can cause serious problems in a number of different components.
For more information about configuring the hostname and DNS, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-network.html#sec-network-yast-change-host.
2. Hostname and IP Address
To ensure that the Uyuni domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. You also need to ensure that reverse lookups are correctly configured.
For more information about setting up a DNS server, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-dns.html.
3. Air-gapped Deployment
If you are on an internal network and do not have access to SUSE Customer Center, you can use an Air-gapped Deployment.
In a production environment, the Uyuni Server and clients should always use a firewall. For a comprehensive list of the required ports, see Required Network Ports.
4. Ports
This section contains a comprehensive list of ports that are used for various communications within Uyuni.
You will not need to open all of these ports. Some ports only need to be opened if you are using the service that requires them.
4.1. External Inbound Server Ports
External inbound ports must be opened to configure a firewall on the Uyuni Server to protect the server from unauthorized access.
Opening these ports allows external network traffic to access the Uyuni Server.
Port number | Protocol | Used By | Notes |
---|---|---|---|
22 |
Required for ssh-push and ssh-push-tunnel contact methods. |
||
67 |
TCP/UDP |
DHCP |
Required only if clients are requesting IP addresses from the server. |
69 |
TCP/UDP |
TFTP |
Required if server is used as a PXE server for automated client installation. |
80 |
TCP |
HTTP |
Required temporarily for some bootstrap repositories and automated installations. |
443 |
TCP |
HTTPS |
Serves the Web UI, client, and server and proxy ( |
4505 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
4506 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |
25151 |
TCP |
Cobbler |
4.2. External Outbound Server Ports
External outbound ports must be opened to configure a firewall on the Uyuni Server to restrict what the server can access.
Opening these ports allows network traffic from the Uyuni Server to communicate with external services.
Port number | Protocol | Used By | Notes |
---|---|---|---|
80 |
TCP |
HTTP |
Required for SUSE Customer Center. Port 80 is not used to serve the Web UI. |
443 |
TCP |
HTTPS |
Required for SUSE Customer Center. |
25151 |
TCP |
Cobbler |
4.3. Internal Server Ports
Internal port are used internally by the Uyuni Server.
Internal ports are only accessible from localhost
.
In most cases, you will not need to adjust these ports.
Port number | Notes |
---|---|
2828 |
Satellite-search API, used by the RHN application in Tomcat and Taskomatic. |
2829 |
Taskomatic API, used by the RHN application in Tomcat. |
8005 |
Tomcat shutdown port. |
8009 |
Tomcat to Apache HTTPD (AJP). |
8080 |
Tomcat to Apache HTTPD (HTTP). |
9080 |
Salt-API, used by the RHN application in Tomcat and Taskomatic. |
32000 |
Port for a TCP connection to the Java Virtual Machine (JVM) that runs Taskomatic and satellite-search. |
Port 32768 and higher are used as ephemeral ports. These are most often used to receive TCP connections. When a TCP connection request is received, the sender will choose one of these ephemeral port numbers to match the destination port.
You can use this command to find out which ports are ephemeral ports:
cat /proc/sys/net/ipv4/ip_local_port_range
4.4. External Inbound Proxy Ports
External inbound ports must be opened to configure a firewall on the Uyuni Proxy to protect the proxy from unauthorized access.
Opening these ports allows external network traffic to access the Uyuni proxy.
Port number | Protocol | Used By | Notes |
---|---|---|---|
22 |
Required for ssh-push and ssh-push-tunnel contact methods. Clients connected to the proxy initiate check in on the server and hop through to clients. |
||
67 |
TCP/UDP |
DHCP |
Required only if clients are requesting IP addresses from the server. |
69 |
TCP/UDP |
TFTP |
Required if the server is used as a PXE server for automated client installation. |
443 |
TCP |
HTTPS |
Web UI, client, and server and proxy ( |
4505 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
4506 |
TCP |
salt |
Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |
4.5. External Outbound Proxy Ports
External outbound ports must be opened to configure a firewall on the Uyuni Proxy to restrict what the proxy can access.
Opening these ports allows network traffic from the Uyuni Proxy to communicate with external services.
Port number | Protocol | Used By | Notes |
---|---|---|---|
80 |
Used to reach the server. |
||
443 |
TCP |
HTTPS |
Required for SUSE Customer Center. |
4.6. External Client Ports
External client ports must be opened to configure a firewall between the Uyuni Server and its clients.
In most cases, you will not need to adjust these ports.
Port number | Direction | Protocol | Notes |
---|---|---|---|
22 |
Inbound |
SSH |
Required for ssh-push and ssh-push-tunnel contact methods. |
80 |
Outbound |
Used to reach the server or proxy. |
|
9090 |
Outbound |
TCP |
Required for Prometheus user interface. |
9093 |
Outbound |
TCP |
Required for Prometheus alert manager. |
9100 |
Outbound |
TCP |
Required for Prometheus node exporter. |
9117 |
Outbound |
TCP |
Required for Prometheus Apache exporter. |
9187 |
Outbound |
TCP |
Required for Prometheus PostgreSQL. |
4.7. Required URLs
There are some URLs that Uyuni must be able to access to register clients and perform updates. In most cases, allowing access to these URLs is sufficient:
-
scc.suse.com
-
updates.suse.com
-
installer-updates.suse.com
-
registry.suse.com
You can find additional details on whitelisting the specified URLs and their associated IP addresses in this article: Accessing SUSE Customer Center and SUSE registry behind a firewall and/or through a proxy.
If you are using non-SUSE clients you might also need to allow access to other servers that provide specific packages for those operating systems. For example, if you have Ubuntu clients, you will need to be able to access the Ubuntu server.
For more information about troubleshooting firewall access for non-SUSE clients, see Troubleshooting Firewalls.