Review list of ports that need to be opened when installing

[aneta-petrova]

The following two procedures contain a list of services whose ports must be open for a successful installation:

• https://github.com/theforeman/foreman-documentation/blob/master/guides/common/modules/proc_enabling-client-connections-to-project-server.adoc
• https://github.com/theforeman/foreman-documentation/blob/master/guides/common/modules/proc_enabling-connections-to-capsule.adoc

These lists include some services that actually do not need to be accessible in default scenarios. 

This effort would require two things:

1. Review these lists and make sure the commands open only the ports that are needed for default scenarios.

A few examples:

• The current procedures open the ports for DHCP, DNS, and TFTP but these services are not enabled by default so we shouldn't ask all users to open the ports.
• The current procedures open the ports for puppetmaster but a Katello/Satellite installation doesn't include Puppet by default. However, a Foreman installation does include Puppet by default.
  Installation procedures for specific builds should only include opening ports for the services that are included for that build by default.

2. Ensure that if we drop a service from the installation procedures, users will be told to open the ports later when enabling the respective feature.

An example:

• If we drop the ports for DHCP, DNS, and TFTP from the installation procedures, we must ensure that https://docs.theforeman.org/3.16/Integrating_Provisioning_Infrastructure_Services/index-katello.html tells users to open them when enabling the services.

An existing example of a procedure that starts by allowing access to the required service is https://docs.theforeman.org/3.16/Installing_Proxy/index-katello.html#configuring-pull-based-transport-for-remote-execution_smart-proxy:

foreman-documentation/guides/common/modules/proc_configuring-pull-based-transport-for-remote-execution.adoc

Lines 26 to 38 in 2a33e30

	. Enable the pull-based transport on your {ProductName}:
	+
	[options="nowrap" subs="quotes,attributes"]
	----
	# {foreman-installer} --foreman-proxy-plugin-remote-execution-script-mode pull-mqtt
	----
	. Configure the firewall to allow the MQTT service on port 1883:
	+
	[options="nowrap", subs="+quotes,verbatim,attributes"]
	----
	# firewall-cmd --add-service=mqtt
	----
	include::snip_make-firewall-settings-persistent.adoc[]

(This issue is based on the conversation in #4210 (comment) )

[aneta-petrova]

--add-service=https is not required on Foreman-only proxies because they don't have Apache installed. See #4210 (comment)

--add-service=dns can be moved to the appropriate sections of https://docs.theforeman.org/3.16/Integrating_Provisioning_Infrastructure_Services/index-katello.html. See #4210 (comment)

--add-service=dhcp is only relevant for https://docs.theforeman.org/3.16/Integrating_Provisioning_Infrastructure_Services/index-katello.html#enabling-the-installer-managed-dhcp-service because in other cases the DHCP server is on another machine or managed by the user. See #4210 (comment)

--add-service=tftp is only relevant if the admin follows https://docs.theforeman.org/3.16/Integrating_Provisioning_Infrastructure_Services/index-katello.html#enabling-the-installer-managed-tftp-service and can be moved there. See #4210 (comment)

--add-service=puppetmaster can be moved to https://docs.theforeman.org/3.16/Managing_Configurations_Puppet/index-katello.html#Enabling_Puppet_Integration_managing-configurations-puppet except for non-Katello installs, where it should still be done by default. See #4210 (comment)