linux_wiki:spacewalk

Differences

This shows you the differences between two versions of the page.

linux_wiki:spacewalk [2015/12/21 23:05]
billdozor
linux_wiki:spacewalk [2016/03/21 22:13]
billdozor [Spacewalk]
Line 4: Line 4:
  
 Spacewalk is a centralized system update and config server.\\ Spacewalk is a centralized system update and config server.\\
-Official Site: https://fedorahosted.org/spacewalk/ +  * Official Site: https://fedorahosted.org/spacewalk/ 
  
 **Checklist** **Checklist**
-  * Spacewalk server installed+  * Distro(s): Enterprise Linux 
 +  * Other: [[https://fedorahosted.org/spacewalk/wiki/HowToInstall|Spacewalk server]] setup
  
 ---- ----
Line 31: Line 32:
   * Register system with the --force option<code bash>   * Register system with the --force option<code bash>
 sw_activation_key="1-my-system-key" sw_activation_key="1-my-system-key"
-rhnreg_ks --force --serverUrl=https://my-spacewalk-server.local/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=${sw_activation_key}+sw_server="my-spacewalk-server.local" 
 +rhnreg_ks --force --serverUrl=https://${sw_server}/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=${sw_activation_key}
 </code> </code>
  
 ---- ----
  
-====== rhn_check ======+====== Client Check Ins ======
  
-By default, a system checks into Spacewalk via rhn_check every 4 hours. +  * rhnsd => By default, a system will run the rhnsd daemon. 
- +    * This daemon checks into Spacewalk via rhn_check every 240 mins (4 hours)It is tunable down to minimum of 60 mins (1 hour). 
-If systems are not picking up the scheduled action from the Spacewalk portal in timely manner with the osad (such as config deploy, package upgrade, etc), you can force a group of systems to check in by running the "rhn_checkcommand locally on that system.+  * cron => An alternative is to create cron job to execute every 30 mins and run rhn_check. 
 +    * If you do this, you can disable rhnsd, as it provides no other functionality than to run "run_check"
 +  * osad => Using osad on the client and osa-dispatcher on the server (with a jabberd daemon as well) is also available. 
 +    * **This setup is fragile and not recommended**.
  
 +If you do not want to wait for the next automatic check in (via rhnsd or cron), you can force a group of systems to check in by running the "rhn_check" command locally on that system.\\
 To loop through a group of systems and have them check in: To loop through a group of systems and have them check in:
  
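Review bot: the new cron bullet names the command "run_check", while every other line in this hunk calls it rhn_check; correct the spelling so the bullet matches the command readers will actually run. The rhnsd bullet also runs two sentences together ("(4 hours)It is tunable"). In the rhnreg_ks line, quote the expansions ("https://${sw_server}/XMLRPC" and "${sw_activation_key}") so an unset or space-containing value fails visibly instead of shifting the arguments.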
Line 48: Line 54:
 for NODE in $(spacecmd group_listsystems dev); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /usr/sbin/rhn_check"; done for NODE in $(spacecmd group_listsystems dev); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /usr/sbin/rhn_check"; done
 </code> </code>
 +
 +----
 +
 +===== rhnsd config =====
 +
 +rhnsd is a daemon that will run rhn_check every 240 mins (by default).
 +
 +Configure: /etc/sysconfig/rhn/rhnsd
 +<code bash>
 +INTERVAL=240
 +</code>
 +  * Change INTERVAL time to check in time in minutes.
 +
 +Ensure it is enabled and started
 +  * EL7<code bash>systemctl enable rhnsd
 +systemctl start rhnsd</code>
 +  * EL6<code bash>chkconfig rhnsd on
 +service rhnsd start</code>
 +
 +----
 +
 +===== rhn_check Cron Job =====
 +
 +The alternative to using rhnsd (if you do not want a daemon running or desire more frequent check ins) is a cron job.
 +
 +Configure: /etc/cron.d/spacewalk-checkin
 +<code bash>
 +# Do not e-mail root/anyone about this job
 +MAILTO=""
 +
 +# .---------------- minute (0 - 59)
 +# |  .------------- hour (0 - 23)
 +# |  |  .---------- day of month (1 - 31)
 +# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
 +# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
 +# |  |  |  |  |
 +# *  *  *  *  * user-name  command to be executed
 +# Check in every 30 mins
 +*/30 * * * * root /usr/sbin/rhn_check
 +</code>
 +
 +Optional: Disable rhnsd
 +  * EL7<code bash>systemctl disable rhnsd
 +systemctl stop rhnsd</code>
 +  * EL6<code bash>chkconfig rhnsd off
 +service rhnsd stop</code>
 +
 +----
 +
 +===== osad =====
 +
 +Another option for client communication is using the osad daemon (xmpp/jabber) on the client and osa-dispatcher on the server.
 +
 +  * This type of setup is very fragile and needs constant babysitting.
 +  * The amount of administration overhead and how often it breaks is not worth the effort for faster execution of scheduled jobs.
 +  * **It is HIGHLY recommended to not go this route** and the rest of this documentation assumes rhnsd or the cron job with rhn_check.
  
 ---- ----
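Review bot: in the /etc/cron.d/spacewalk-checkin block, MAILTO="" together with a bare /usr/sbin/rhn_check means cron discards all output, so a client whose check-in starts failing leaves no trace from the job and quietly stops picking up scheduled updates. Suggest sending the output to syslog (for example "/usr/sbin/rhn_check 2>&1 | logger -t rhn_check") or saying where failures can be seen. Two smaller points: "*/30" fires on every client at minutes 0 and 30 together, which is worth a note about staggering for large groups, and the rhnsd section should repeat the 60 minute minimum for INTERVAL that the Client Check Ins list states.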
Line 90: Line 152:
 ===== Errata Setup ===== ===== Errata Setup =====
  
-As of 12/15/2015, CentOS does not generate an "updateinfo.xml" file in their repodata directories. This file is responsible for the package to errata mappings. (RHEL, Fedora, EPEL, and supposedly Oracle all do this)+As of 12/15/2015, CentOS does not generate an "updateinfo.xml" file in their repodata directories. This file is responsible for the package to errata mappings. (RHEL, Fedora, EPEL, and Oracle all do this)
  
 For a workaround, use a script to scrape the CentOS mailing archive lists for the errata. For a workaround, use a script to scrape the CentOS mailing archive lists for the errata.
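Review bot: the parenthetical now states as fact that Oracle publishes updateinfo.xml, but the sentence still opens with the "As of 12/15/2015" date from the earlier revision, so a reader cannot tell when the Oracle claim was confirmed. Update the date to the time of this check or add a reference for it.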
Line 225: Line 287:
 ====== Server Services ====== ====== Server Services ======
  
-Normal Status of Spacewalk Services+Spacewalk server services. 
 + 
 +===== Removing osa/jabber ===== 
 + 
 +We won't be using osa-dispatcher or jabberd services, so these can safely be disabled. 
 +  * EL7<code bash>systemctl disable osa-dispatcher 
 +systemctl disable jabberd 
 +systemctl stop osa-dispatcher 
 +systemctl stop jabberd</code> 
 +  * EL6<code bash>chkconfig osa-dispatcher off 
 +chkconfig jabberd off 
 +service osa-dispatcher stop 
 +service jabberd stop</code> 
 + 
 +Remove osa and jabber from the main spacewalk-service script. 
 +  * Edit the script: vim /usr/sbin/spacewalk-service 
 +  * Find the variable "SERVICES=" and remove "osa-dispatcher" and "jabberd" 
 + 
 +---- 
 + 
 +===== Normal Status of Spacewalk Services ===== 
 + 
 +After removing osa-dispatcher and jabberd, the status output looks like this:
 <code bash> <code bash>
 /usr/sbin/spacewalk-service status /usr/sbin/spacewalk-service status
  
 postmaster (pid  29875) is running... postmaster (pid  29875) is running...
-router (pid 31614) is running... 
-sm (pid 31622) is running... 
-c2s (pid 31630) is running... 
-s2s (pid 31638) is running... 
 tomcat6 (pid 29992) is running...                          [  OK  ] tomcat6 (pid 29992) is running...                          [  OK  ]
 httpd (pid  30115) is running... httpd (pid  30115) is running...
-osa-dispatcher (pid  31659) is running... 
 rhn-search is running (30168). rhn-search is running (30168).
 cobblerd (pid 30204) is running... cobblerd (pid 30204) is running...
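Review bot: the step that removes "osa-dispatcher" and "jabberd" from SERVICES= edits /usr/sbin/spacewalk-service in place with no backup and no follow-up check; if a later package update replaces that script, both daemons come back on the next spacewalk-service start. Suggest adding a copy of the original before editing, a note to re-check the SERVICES= line after Spacewalk updates, and a final verification that neither service is running (the status output below only shows this by omission).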
Line 242: Line 321:
 </code> </code>
  
----- +  * postmaster => Spacewalk Postgres Database 
- +  * tomcat6 =Spacewalk application 
-===== osa-dispatcher dead but pid file exists ===== +  * httpd =Spacewalk portal website 
- +  rhn-search =Searching functionality within the portal 
-If osa-dispatcher shows the following: +  * cobblerd => Provisioning capability 
-<code bash+  * RHN Taskomatic =Scheduled jobs viewable in the Spacewalk portal
-/etc/init.d/osa-dispatcher status +
- +
-osa-dispatcher dead but pid file exists +
-</code+
- +
-And the following error messages are in its log file: +
-<code bash+
-tail /var/log/rhn/osa-dispatcher.log +
- +
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.__init__ +
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.setup_connection('Connected to jabber server', 'my-spacewalk-server.local'+
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.register('ERROR', 'Invalid password'+
-</code> +
- +
-Fix this by stopping jabberd and osa-dispatcher (osa-dispatcher will probably show "Failed"): +
-<code bash> +
-service jabberd stop +
-service osa-dispatcher stop +
-</code> +
- +
-Remove jabberd database files: +
-<code bash> +
-rm -rf /var/lib/jabberd/db/+
-</code> +
- +
-Start jabberd and osa-dispatcher +
-<code bash> +
-service jabberd start +
-service osa-dispatcher start +
-</code> +
- +
-Logs should now show the "Connected to jabber server" message: +
-<code bash> +
-tail /var/log/rhn/osa-dispatcher.log +
- +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.__init__ +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.setup_connection('Connected to jabber server', 'my-spacewalk-server.local'+
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/osa_dispatcher.fix_connection('Upstream notification server started on port', 1290) +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.process_forever +
-</code> +
- +
-**Warning** +
-  * After recovering the jabberdb in this way, the osad clients on each system need to re-establish a connection. This is done by stopping the osad service on the clients, removing the osad-auth.conf file and starting osad again. +
-  * From a system that has spacecmd installed:<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code>+
  
 ---- ----
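Review bot: the removed section was the only place that touched the client side of osad (the osad service and /etc/sysconfig/rhn/osad-auth.conf), and nothing replaces it, so the page now disables osa-dispatcher and jabberd on the server but never tells the reader to stop and disable osad on clients that already run it. Suggest a short client cleanup step alongside the server one. Since the Client Check Ins list still says osad "is also available", a pointer to the old revision for the "Invalid password" recovery would also help anyone who keeps that setup.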
Line 297: Line 332:
 ====== Spacewalk SSL Certificates ====== ====== Spacewalk SSL Certificates ======
  
-Updating the SSL Certificates on the Spacewalk server is more complex than just updating Apache, as the SSL certs are used for:+The SSL Certificates on the Spacewalk server is used for:
   * Spacewalk Portal (Apache httpd server)   * Spacewalk Portal (Apache httpd server)
-  * Jabber local daemon components communication 
-  * Jabber Spacewalk client to Spacewalk server communication 
- 
-Using the following RPM method will allow you to update all applications correctly at the same time. 
  
 **Before manipulating either client or CA cert** **Before manipulating either client or CA cert**
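Review bot: the rewritten intro leaves the Spacewalk Portal as the only listed consumer of the server certificate, but the registration command earlier on the page points clients at https://${sw_server}/XMLRPC with --sslCACert, so client registration and check-ins depend on the same certificate chain. Add a bullet for client to server communication so readers do not treat a certificate change as portal-only. The sentence also needs "are used for" rather than "is used for".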
Line 313: Line 344:
 ===== Client Certificate ===== ===== Client Certificate =====
  
-Client Certificate locations:+Client Certificate default locations:
   * /etc/httpd/conf/ssl.crt/server.crt   * /etc/httpd/conf/ssl.crt/server.crt
   * /etc/httpd/conf/ssl.csr/server.csr   * /etc/httpd/conf/ssl.csr/server.csr
Line 337: Line 368:
   * Install new SSL key pair package   * Install new SSL key pair package
     * <code bash>rpm -ivh /root/ssl-build/my-spacewalk-server/rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-2.noarch.rpm</code>     * <code bash>rpm -ivh /root/ssl-build/my-spacewalk-server/rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-2.noarch.rpm</code>
-  * Stop Spacewalk services, clear jabberd's scratch database, start the services +  * Restart Spacewalk services 
-    * <code bash>spacewalk-service stop +    * <code bash>spacewalk-service restart</code>
-rm -rf /var/lib/jabberd/db/+
-spacewalk-service start</code> +
-  * Force an OSAD client re-authentication on each client<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code>+
  
 ---- ----
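Review bot: with the procedure reduced to a single "spacewalk-service restart", it now ends without confirming that httpd is actually serving the new certificate. Suggest a closing check that compares the fingerprint of /etc/httpd/conf/ssl.crt/server.crt ("openssl x509 -noout -fingerprint -in ...") with what the server presents on port 443, and that one client can still run rhn_check.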
Line 382: Line 410:
   * Update the database   * Update the database
     * <code bash>rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT</code>     * <code bash>rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT</code>
-  * Stop the Spacewalk services, clear the jabberd scratch database, start services +  * Restart the Spacewalk services 
-    * <code bash>spacewalk-service stop +    * <code bash>spacewalk-service restart</code>
-rm -rf /var/lib/jabberd/db/+
-spacewalk-service start</code>+
   * **Login to each client and update the CA chain**   * **Login to each client and update the CA chain**
     * <code bash>rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm</code>     * <code bash>rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm</code>
       * Each client will have no communication to the Spacewalk server until this is complete.       * Each client will have no communication to the Spacewalk server until this is complete.
-  * Force an OSAD client re-authentication on each client<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code> 
  
 ---- ----
  
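Review bot: the client step installs the new CA package with "rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm", yet the next line says clients have no communication with the server until that package is in place, so the download happens over a connection the client cannot yet validate against the new chain. The page should say how the package is authenticated before it becomes a trust anchor, for example by copying it over ssh from the server or by checking its checksum against a value obtained on the server. With the osad loop removed from this hunk, the bold "Login to each client" step also has no example left for doing this across a group of systems.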
  • linux_wiki/spacewalk.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)