Fixes #29664 - Change default Candlepin port to 23443

[ehelms]

No description provided.

[evgeni]

According to IANA 9443 is "Tungsten HTTPS". I'd prefer if we'd use an unassigned port (or get one assigned? ;))

[ehelms]

Every port has somebody using it. I'm open to suggestions. My goal is just move it off of 8443.

[ekohl]

I don't really see the benefit of this. IMHO the katello change is sufficient. If anything, the puppet-katello change should be Fixes and this a Refs at most.

[ehelms]

I can flip the refs/fixes. The biggest benefit to this is reducing confusion when someone comes to debug an issue and sees conflicting data. Aligning the defaults helps.

[ekohl]

There's some value in that, but I always consider changing defaults a breaking change which has a lot of churn.

[ehelms]

I'll take churn over confusion :) We just need to label this a breaking change? And then merge and do a release and update puppet-katello metadata?

[evgeni]

Every port has somebody using it. I'm open to suggestions. My goal is just move it off of 8443.

Well, yeah, but the IANA has a list of users and IMHO we should try not to conflict with that list. How does 23443 sound to you? That's unassigned.

[ekohl]

I'll take churn over confusion :) We just need to label this a breaking change? And then merge and do a release and update puppet-katello metadata?

Yes.

[ekohl]

Since we have the discussion about the exact ports, cc @lzap for the SELinux policy. Will that need a change?

[ehelms]

23443 works for me, the right amount of 3's and 4's.

[ekohl]

An additional benefit is that it's harder to fat finger 8443 and 23443 than 8443 and 9443.

[evgeni]

ACK

SElinux changes are required, so probably should't be merged until then

[lzap]

Lucky you.

 semanage port -l | grep 23443

Not used. SELinux changes:

• You either ask Candlepin devs to define this port in their policy.
• Or the port must be added into katello-selinux and assigned in katello-selinux-enabled script.

[evgeni]

Given we diverge from candlepin defaults here, k-selinux feels more appropriate?

[lzap]

You know what, here you are:

theforeman/katello-selinux#23

In exchange, please file a PR into https://github.com/theforeman/foreman-documentation there might be some places which need a change:

[lzap@box guides]$ ag 8443
doc-Provisioning_Guide/topics/Introduction.adoc
66:If you use the discovery service, {Project} automatically detects the MAC address of the new host and restarts the host after you submit a request. Note that TCP port 8443 must be reachable by the {SmartProxy} to which the host is attached for {Project} to restart the host.

common/modules/ref_capsule-ports-and-firewalls-requirements.adoc
66:|8443 |TCP |HTTPS |Subscription Management Services and Telemetry Services
84:| 8443 | TCP |HTTP | {SmartProxy} to Client "reboot" command to a discovered host during provisioning (Optional)

common/modules/proc_enabling-connections-to-capsule.adoc
20:--add-port="8443/tcp" --add-port="9090/tcp"

common/attributes.adoc
67::smartproxy_port: 8443
159::smartproxy_port: 8443